3 * Catcrypt key-encapsulation
5 * (c) 2004 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
30 #define _FILE_OFFSET_BITS 64
34 #include <mLib/alloc.h>
35 #include <mLib/dstr.h>
36 #include <mLib/report.h>
50 #include "blowfish-cbc.h"
57 /*----- Bulk crypto -------------------------------------------------------*/
59 /* --- NaCl `secretbox' --- */
61 typedef struct naclbox_encctx {
67 static bulk *naclbox_init(key *k, const char *calg, const char *halg)
69 naclbox_encctx *ctx = CREATE(naclbox_encctx);
75 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
76 if (!calg || strcmp(calg, "salsa20") == 0) ctx->cc = &salsa20;
77 else if (strcmp(calg, "salsa20/12") == 0) ctx->cc = &salsa2012;
78 else if (strcmp(calg, "salsa20/8") == 0) ctx->cc = &salsa208;
79 else if (strcmp(calg, "chacha20") == 0) ctx->cc = &chacha20;
80 else if (strcmp(calg, "chacha12") == 0) ctx->cc = &chacha12;
81 else if (strcmp(calg, "chacha8") == 0) ctx->cc = &chacha8;
84 "unknown or inappropriate encryption scheme `%s' in key `%s'",
92 static int naclbox_setup(bulk *b, gcipher *cx)
94 naclbox_encctx *ctx = (naclbox_encctx *)b;
95 octet k[SALSA20_KEYSZ];
97 GC_ENCRYPT(cx, 0, k, sizeof(k));
98 ctx->c = GC_INIT(ctx->cc, k, sizeof(k));
102 static size_t naclbox_overhead(bulk *b) { return (POLY1305_TAGSZ); }
104 static void naclbox_destroy(bulk *b)
106 naclbox_encctx *ctx = (naclbox_encctx *)b;
112 static const char *naclbox_encdoit(bulk *b, uint32 seq, buf *bb,
113 const void *p, size_t sz)
115 naclbox_encctx *ctx = (naclbox_encctx *)b;
121 STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
122 GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
123 poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
124 poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
126 tag = buf_get(bb, POLY1305_TAGSZ); assert(tag);
127 ct = buf_get(bb, sz); assert(ct);
128 GC_ENCRYPT(ctx->c, p, ct, sz);
129 poly1305_hash(&a, ct, sz);
130 poly1305_done(&a, tag);
134 static const char *naclbox_decdoit(bulk *b, uint32 seq, buf *bb,
135 const void *p, size_t sz)
137 naclbox_encctx *ctx = (naclbox_encctx *)b;
142 octet *tag, *ct, *pt;
144 STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
145 GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
146 poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
147 poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
149 buf_init(&bin, (/*unconst*/ void *)p, sz);
150 if ((tag = buf_get(&bin, POLY1305_TAGSZ)) == 0) return ("no tag");
151 ct = BCUR(&bin); sz = BLEFT(&bin);
152 poly1305_hash(&a, ct, sz);
153 poly1305_done(&a, t);
154 if (!ct_memeq(t, tag, POLY1305_TAGSZ)) return ("authentication failure");
155 pt = buf_get(bb, sz); assert(pt);
156 GC_DECRYPT(ctx->c, ct, pt, sz);
160 static const bulkops naclbox_encops = {
161 naclbox_init, naclbox_setup, naclbox_overhead,
162 naclbox_encdoit, naclbox_destroy
163 }, naclbox_decops = {
164 naclbox_init, naclbox_setup, naclbox_overhead,
165 naclbox_decdoit, naclbox_destroy
168 /* --- Generic composition --- */
170 typedef struct gencomp_encctx {
176 octet *t; size_t tsz;
179 static bulk *gencomp_init(key *k, const char *calg, const char *halg)
181 gencomp_encctx *ctx = CREATE(gencomp_encctx);
183 dstr d = DSTR_INIT, t = DSTR_INIT;
187 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
188 if (!calg) ctx->cc = &blowfish_cbc;
189 else if ((ctx->cc = gcipher_byname(calg)) == 0) {
190 die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
195 if ((q = key_getattr(0, k, "mac")) == 0) {
196 dstr_putf(&d, "%s-hmac", halg);
199 if ((ctx->mc = gmac_byname(q)) == 0) {
201 "message authentication code `%s' not found in key `%s'",
208 static int gencomp_setup(bulk *b, gcipher *cx)
210 gencomp_encctx *ctx = (gencomp_encctx *)b;
216 cn = keysz(0, ctx->cc->keysz); if (cn > n) n = cn;
217 mn = keysz(0, ctx->mc->keysz); if (mn > n) n = mn;
218 ctx->t = kd = xmalloc(n); ctx->tsz = n;
219 GC_ENCRYPT(cx, 0, kd, cn);
220 ctx->c = GC_INIT(ctx->cc, kd, cn);
221 GC_ENCRYPT(cx, 0, kd, mn);
222 ctx->m = GM_KEY(ctx->mc, kd, mn);
226 static size_t gencomp_overhead(bulk *b)
228 gencomp_encctx *ctx = (gencomp_encctx *)b;
229 return (ctx->cc->blksz + ctx->mc->hashsz); }
231 static void gencomp_destroy(bulk *b)
233 gencomp_encctx *ctx = (gencomp_encctx *)b;
241 static const char *gencomp_encdoit(bulk *b, uint32 seq, buf *bb,
242 const void *p, size_t sz)
244 gencomp_encctx *ctx = (gencomp_encctx *)b;
246 ghash *h = GM_INIT(ctx->m);
249 if (ctx->cc->blksz) {
250 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
251 GC_SETIV(ctx->c, ctx->t);
253 tag = buf_get(bb, ctx->mc->hashsz); assert(tag);
254 ct = buf_get(bb, sz); assert(ct);
255 GC_ENCRYPT(ctx->c, p, ct, sz);
262 static const char *gencomp_decdoit(bulk *b, uint32 seq, buf *bb,
263 const void *p, size_t sz)
265 gencomp_encctx *ctx = (gencomp_encctx *)b;
267 const octet *tag, *ct;
272 buf_init(&bin, (/*unconst*/ void *)p, sz);
273 if ((tag = buf_get(&bin, ctx->mc->hashsz)) == 0) return ("no tag");
274 ct = BCUR(&bin); sz = BLEFT(&bin);
275 pt = buf_get(bb, sz); assert(pt);
280 ok = ct_memeq(tag, GH_DONE(h, 0), ctx->mc->hashsz);
282 if (!ok) return ("authentication failure");
284 if (ctx->cc->blksz) {
285 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
286 GC_SETIV(ctx->c, ctx->t);
288 GC_DECRYPT(ctx->c, ct, pt, sz);
292 static const bulkops gencomp_encops = {
293 gencomp_init, gencomp_setup, gencomp_overhead,
294 gencomp_encdoit, gencomp_destroy
295 }, gencomp_decops = {
296 gencomp_init, gencomp_setup, gencomp_overhead,
297 gencomp_decdoit, gencomp_destroy
300 const struct bulktab bulktab[] = {
301 { "gencomp", &gencomp_encops, &gencomp_decops },
302 { "naclbox", &naclbox_encops, &naclbox_decops },
306 /*----- Key encapsulation -------------------------------------------------*/
310 typedef struct rsa_encctx {
315 static kem *rsa_encinit(key *k, void *kd)
317 rsa_encctx *re = CREATE(rsa_encctx);
318 rsa_pubcreate(&re->rp, kd);
322 static int rsa_encdoit(kem *k, dstr *d, ghash *h)
324 rsa_encctx *re = (rsa_encctx *)k;
325 mp *x = mprand_range(MP_NEW, re->rp.rp->n, &rand_global, 0);
326 mp *y = rsa_pubop(&re->rp, MP_NEW, x);
327 size_t n = mp_octets(re->rp.rp->n);
329 mp_storeb(x, d->buf, n);
330 GH_HASH(h, d->buf, n);
331 mp_storeb(y, d->buf, n);
338 static const char *rsa_lengthcheck(mp *n)
340 if (mp_bits(n) < 1020) return ("key too short");
344 static const char *rsa_enccheck(kem *k)
346 rsa_encctx *re = (rsa_encctx *)k;
348 if ((e = rsa_lengthcheck(re->rp.rp->n)) != 0) return (e);
352 static void rsa_encdestroy(kem *k)
354 rsa_encctx *re = (rsa_encctx *)k;
355 rsa_pubdestroy(&re->rp);
359 static const kemops rsa_encops = {
360 rsa_pubfetch, sizeof(rsa_pub),
361 rsa_encinit, rsa_encdoit, rsa_enccheck, rsa_encdestroy
364 typedef struct rsa_decctx {
369 static kem *rsa_decinit(key *k, void *kd)
371 rsa_decctx *rd = CREATE(rsa_decctx);
372 rsa_privcreate(&rd->rp, kd, &rand_global);
376 static int rsa_decdoit(kem *k, dstr *d, ghash *h)
378 rsa_decctx *rd = (rsa_decctx *)k;
379 mp *x = mp_loadb(MP_NEW, d->buf, d->len);
383 if (MP_CMP(x, >=, rd->rp.rp->n)) {
387 n = mp_octets(rd->rp.rp->n);
389 x = rsa_privop(&rd->rp, x, x);
397 static const char *rsa_deccheck(kem *k)
399 rsa_decctx *rd = (rsa_decctx *)k;
401 if ((e = rsa_lengthcheck(rd->rp.rp->n)) != 0) return (e);
405 static void rsa_decdestroy(kem *k)
407 rsa_decctx *rd = (rsa_decctx *)k;
408 rsa_privdestroy(&rd->rp);
412 static const kemops rsa_decops = {
413 rsa_privfetch, sizeof(rsa_priv),
414 rsa_decinit, rsa_decdoit, rsa_deccheck, rsa_decdestroy
417 /* --- DH and EC --- */
419 typedef struct dh_encctx {
426 static dh_encctx *dh_doinit(key *k, const gprime_param *gp, mp *y,
427 group *(*makegroup)(const gprime_param *),
430 dh_encctx *de = CREATE(dh_encctx);
434 if ((de->g = makegroup(gp)) == 0)
435 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
437 de->y = G_CREATE(de->g);
438 if (G_FROMINT(de->g, de->y, y))
439 die(EXIT_FAILURE, "bad public key `%s'", t.buf);
444 static dh_encctx *ec_doinit(key *k, const char *cstr, const ec *y)
446 dh_encctx *de = CREATE(dh_encctx);
452 if ((e = ec_getinfo(&ei, cstr)) != 0 ||
453 (de->g = group_ec(&ei)) == 0)
454 die(EXIT_FAILURE, "bad elliptic curve spec in key `%s': %s", t.buf, e);
456 de->y = G_CREATE(de->g);
457 if (G_FROMEC(de->g, de->y, y))
458 die(EXIT_FAILURE, "bad public curve point `%s'", t.buf);
463 static kem *dh_encinit(key *k, void *kd)
466 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
470 static kem *bindh_encinit(key *k, void *kd)
473 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
477 static kem *ec_encinit(key *k, void *kd)
480 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
484 static int dh_encdoit(kem *k, dstr *d, ghash *h)
486 dh_encctx *de = (dh_encctx *)k;
487 mp *r = mprand_range(MP_NEW, de->g->r, &rand_global, 0);
488 ge *x = G_CREATE(de->g);
489 ge *y = G_CREATE(de->g);
490 size_t n = de->g->noctets;
493 G_EXP(de->g, x, de->g->g, r);
494 G_EXP(de->g, y, de->y, r);
496 buf_init(&b, d->buf, n);
497 G_TORAW(de->g, &b, y);
498 GH_HASH(h, BBASE(&b), BLEN(&b));
499 buf_init(&b, d->buf, n);
500 G_TORAW(de->g, &b, x);
501 GH_HASH(h, BBASE(&b), BLEN(&b));
509 static const char *dh_enccheck(kem *k)
511 dh_encctx *de = (dh_encctx *)k;
513 if ((e = G_CHECK(de->g, &rand_global)) != 0)
515 if (group_check(de->g, de->y))
516 return ("public key not in subgroup");
520 static void dh_encdestroy(kem *k)
522 dh_encctx *de = (dh_encctx *)k;
523 G_DESTROY(de->g, de->y);
525 G_DESTROYGROUP(de->g);
529 static const kemops dh_encops = {
530 dh_pubfetch, sizeof(dh_pub),
531 dh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
534 static const kemops bindh_encops = {
535 dh_pubfetch, sizeof(dh_pub),
536 bindh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
539 static const kemops ec_encops = {
540 ec_pubfetch, sizeof(ec_pub),
541 ec_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
544 static kem *dh_decinit(key *k, void *kd)
547 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
548 de->x = MP_COPY(dp->x);
552 static kem *bindh_decinit(key *k, void *kd)
555 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
556 de->x = MP_COPY(dp->x);
560 static kem *ec_decinit(key *k, void *kd)
563 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
564 de->x = MP_COPY(ep->x);
568 static int dh_decdoit(kem *k, dstr *d, ghash *h)
570 dh_encctx *de = (dh_encctx *)k;
571 ge *x = G_CREATE(de->g);
572 size_t n = de->g->noctets;
573 void *p = xmalloc(n);
577 buf_init(&b, d->buf, d->len);
578 if (G_FROMRAW(de->g, &b, x) || group_check(de->g, x))
580 G_EXP(de->g, x, x, de->x);
582 G_TORAW(de->g, &b, x);
583 GH_HASH(h, BBASE(&b), BLEN(&b));
584 GH_HASH(h, d->buf, d->len);
592 static const kemops dh_decops = {
593 dh_privfetch, sizeof(dh_priv),
594 dh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
597 static const kemops bindh_decops = {
598 dh_privfetch, sizeof(dh_priv),
599 bindh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
602 static const kemops ec_decops = {
603 ec_privfetch, sizeof(ec_priv),
604 ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
607 /* --- X25519 and similar schemes --- */
613 #define XDHDEF(xdh, XDH) \
615 static kem *xdh##_encinit(key *k, void *kd) { return (CREATE(kem)); } \
616 static void xdh##_encdestroy(kem *k) { DESTROY(k); } \
618 static const char *xdh##_enccheck(kem *k) \
620 xdh##_pub *kd = k->kd; \
622 if (kd->pub.sz != XDH##_PUBSZ) \
623 return ("incorrect " #XDH "public key length"); \
627 static int xdh##_encdoit(kem *k, dstr *d, ghash *h) \
629 octet t[XDH##_KEYSZ], z[XDH##_OUTSZ]; \
630 xdh##_pub *kd = k->kd; \
632 rand_get(RAND_GLOBAL, t, sizeof(t)); \
633 dstr_ensure(d, XDH##_PUBSZ); \
634 xdh((octet *)d->buf, t, xdh##_base); \
635 xdh(z, t, kd->pub.k); \
636 d->len += XDH##_PUBSZ; \
637 GH_HASH(h, d->buf, XDH##_PUBSZ); \
638 GH_HASH(h, z, XDH##_OUTSZ); \
642 static const char *xdh##_deccheck(kem *k) \
644 xdh##_priv *kd = k->kd; \
646 if (kd->priv.sz != XDH##_KEYSZ) \
647 return ("incorrect " #XDH " private key length"); \
648 if (kd->pub.sz != XDH##_PUBSZ) \
649 return ("incorrect " #XDH " public key length"); \
653 static int xdh##_decdoit(kem *k, dstr *d, ghash *h) \
655 octet z[XDH##_OUTSZ]; \
656 xdh##_priv *kd = k->kd; \
659 if (d->len != XDH##_PUBSZ) goto done; \
660 xdh(z, kd->priv.k, (const octet *)d->buf); \
661 GH_HASH(h, d->buf, XDH##_PUBSZ); \
662 GH_HASH(h, z, XDH##_OUTSZ); \
668 static const kemops xdh##_encops = { \
669 xdh##_pubfetch, sizeof(xdh##_pub), \
670 xdh##_encinit, xdh##_encdoit, xdh##_enccheck, xdh##_encdestroy \
673 static const kemops xdh##_decops = { \
674 xdh##_privfetch, sizeof(xdh##_priv), \
675 xdh##_encinit, xdh##_decdoit, xdh##_deccheck, xdh##_encdestroy \
681 /* --- Symmetric --- */
683 typedef struct symm_ctx {
689 static kem *symm_init(key *k, void *kd)
695 s = CREATE(symm_ctx);
698 s->kp.e = KENC_BINARY;
702 if ((err = key_unpack(&s->kp, kd, &d)) != 0) {
703 die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s",
704 d.buf, key_strerror(err));
710 static int symm_decdoit(kem *k, dstr *d, ghash *h)
712 symm_ctx *s = (symm_ctx *)k;
714 GH_HASH(h, s->kb.k, s->kb.sz);
715 GH_HASH(h, d->buf, d->len);
719 static int symm_encdoit(kem *k, dstr *d, ghash *h)
721 dstr_ensure(d, h->ops->c->hashsz);
722 d->len += h->ops->c->hashsz;
723 rand_get(RAND_GLOBAL, d->buf, d->len);
724 return (symm_decdoit(k, d, h));
727 static const char *symm_check(kem *k) { return (0); }
729 static void symm_destroy(kem *k)
730 { symm_ctx *s = (symm_ctx *)k; key_unpackdone(&s->kp); }
732 static const kemops symm_encops = {
734 symm_init, symm_encdoit, symm_check, symm_destroy
737 static const kemops symm_decops = {
739 symm_init, symm_decdoit, symm_check, symm_destroy
742 /* --- The switch table --- */
744 const struct kemtab kemtab[] = {
745 { "rsa", &rsa_encops, &rsa_decops },
746 { "dh", &dh_encops, &dh_decops },
747 { "bindh", &bindh_encops, &bindh_decops },
748 { "ec", &ec_encops, &ec_decops },
749 #define XDHTAB(xdh, XDH) \
750 { #xdh, &xdh##_encops, &xdh##_decops },
753 { "symm", &symm_encops, &symm_decops },
757 /* --- @getkem@ --- *
759 * Arguments: @key *k@ = the key to load
760 * @const char *app@ = application name
761 * @int wantpriv@ = nonzero if we want to decrypt
762 * @bulk **bc@ = bulk crypto context to set up
764 * Returns: A key-encapsulating thing.
769 kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
771 const char *kalg, *halg = 0, *balg = 0;
778 const struct kemtab *kt;
780 const struct bulktab *bt;
786 /* --- Setup stuff --- */
790 /* --- Get the KEM name --- *
792 * Take the attribute if it's there; otherwise use the key type.
796 if ((q = key_getattr(0, k, "kem")) != 0) {
799 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
800 dstr_puts(&d, k->type);
803 die(EXIT_FAILURE, "no KEM for key `%s'", t.buf);
806 /* --- Grab the bulk encryption scheme --- *
808 * Grab it from the KEM if it's there, but override it from the attribute.
811 if (p && (p = strchr(p, '/')) != 0) {
815 if ((q = key_getattr(0, k, "bulk")) != 0)
818 /* --- Grab the hash function --- */
820 if (p && (p = strchr(p, '/')) != 0) {
824 if ((q = key_getattr(0, k, "hash")) != 0)
827 /* --- Instantiate the KEM --- */
829 for (kt = kemtab; kt->name; kt++) {
830 if (strcmp(kt->name, kalg) == 0)
833 die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
836 ko = wantpriv ? kt->decops : kt->encops;
842 kd = xmalloc(ko->kdsz);
843 kp = key_fetchinit(ko->kf, 0, kd);
844 if ((e = key_fetch(kp, k)) != 0) {
845 die(EXIT_FAILURE, "error fetching key `%s': %s",
846 t.buf, key_strerror(e));
849 kk = ko->init(k, kd);
854 /* --- Set up the bulk crypto --- */
858 else if ((kk->hc = ghash_byname(halg)) == 0) {
859 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
864 if ((q = key_getattr(0, k, "kdf")) == 0) {
865 dstr_putf(&d, "%s-mgf", kk->hc->name);
868 if ((kk->cxc = gcipher_byname(q)) == 0) {
869 die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'",
876 for (bt = bulktab, bo = 0; bt->name; bt++) {
877 if (strcmp(balg, bt->name) == 0)
878 { balg = 0; goto b_found; }
879 n = strlen(bt->name);
880 if (strncmp(balg, bt->name, n) == 0 && balg[n] == '-')
881 { balg += n + 1; goto b_found; }
886 bo = wantpriv ? bt->decops : bt->encops;
887 *bc = bo->init(k, balg, kk->hc->name);
890 /* --- Tidy up --- */
897 /* --- @setupkem@ --- *
899 * Arguments: @kem *k@ = key-encapsulation thing
900 * @dstr *d@ = key-encapsulation data
901 * @bulk *bc@ = bulk crypto context to set up
903 * Returns: Zero on success, nonzero on failure.
905 * Use: Initializes all the various symmetric things from a KEM.
908 int setupkem(kem *k, dstr *d, bulk *bc)
916 if (k->ops->doit(k, d, h))
918 n = keysz(GH_CLASS(h)->hashsz, k->cxc->keysz);
922 k->cx = GC_INIT(k->cxc, kd, n);
923 bc->ops->setup(bc, k->cx);
931 /* --- @freekem@ --- *
933 * Arguments: @kem *k@ = key-encapsulation thing
937 * Use: Frees up a key-encapsulation thing.
945 key_fetchdone(k->kp);
952 /*----- That's all, folks -------------------------------------------------*/