3 * Catcrypt key-encapsulation
5 * (c) 2004 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
30 #define _FILE_OFFSET_BITS 64
34 #include <mLib/alloc.h>
35 #include <mLib/dstr.h>
36 #include <mLib/report.h>
48 #include "blowfish-cbc.h"
52 /*----- Bulk crypto -------------------------------------------------------*/
54 /* --- Generic composition --- */
56 typedef struct gencomp_encctx {
65 static bulk *gencomp_init(key *k, const char *calg, const char *halg)
67 gencomp_encctx *ctx = CREATE(gencomp_encctx);
69 dstr d = DSTR_INIT, t = DSTR_INIT;
73 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
74 if (!calg) ctx->cc = &blowfish_cbc;
75 else if ((ctx->cc = gcipher_byname(calg)) == 0) {
76 die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
81 if ((q = key_getattr(0, k, "mac")) == 0) {
82 dstr_putf(&d, "%s-hmac", halg);
85 if ((ctx->mc = gmac_byname(q)) == 0) {
87 "message authentication code `%s' not found in key `%s'",
94 static int gencomp_setup(bulk *b, gcipher *cx)
96 gencomp_encctx *ctx = (gencomp_encctx *)b;
102 cn = keysz(0, ctx->cc->keysz); if (cn > n) n = cn;
103 mn = keysz(0, ctx->mc->keysz); if (mn > n) n = mn;
104 ctx->t = kd = xmalloc(n); ctx->tsz = n;
105 GC_ENCRYPT(cx, 0, kd, cn);
106 ctx->c = GC_INIT(ctx->cc, kd, cn);
107 GC_ENCRYPT(cx, 0, kd, mn);
108 ctx->m = GM_KEY(ctx->mc, kd, mn);
112 static size_t gencomp_overhead(bulk *b)
114 gencomp_encctx *ctx = (gencomp_encctx *)b;
115 return (ctx->cc->blksz + ctx->mc->hashsz); }
117 static void gencomp_destroy(bulk *b)
119 gencomp_encctx *ctx = (gencomp_encctx *)b;
127 static const char *gencomp_encdoit(bulk *b, uint32 seq, buf *bb,
128 const void *p, size_t sz)
130 gencomp_encctx *ctx = (gencomp_encctx *)b;
132 ghash *h = GM_INIT(ctx->m);
135 if (ctx->cc->blksz) {
136 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
137 GC_SETIV(ctx->c, ctx->t);
139 tag = buf_get(bb, ctx->mc->hashsz); assert(tag);
140 ct = buf_get(bb, sz); assert(ct);
141 GC_ENCRYPT(ctx->c, p, ct, sz);
148 static const char *gencomp_decdoit(bulk *b, uint32 seq, buf *bb,
149 const void *p, size_t sz)
151 gencomp_encctx *ctx = (gencomp_encctx *)b;
153 const octet *tag, *ct;
158 buf_init(&bin, (/*unconst*/ void *)p, sz);
159 if ((tag = buf_get(&bin, ctx->mc->hashsz)) == 0) return ("no tag");
160 ct = BCUR(&bin); sz = BLEFT(&bin);
161 pt = buf_get(bb, sz); assert(pt);
166 ok = ct_memeq(tag, GH_DONE(h, 0), ctx->mc->hashsz);
168 if (!ok) return ("authentication failure");
170 if (ctx->cc->blksz) {
171 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
172 GC_SETIV(ctx->c, ctx->t);
174 GC_DECRYPT(ctx->c, ct, pt, sz);
178 static const bulkops gencomp_encops = {
179 gencomp_init, gencomp_setup, gencomp_overhead,
180 gencomp_encdoit, gencomp_destroy
181 }, gencomp_decops = {
182 gencomp_init, gencomp_setup, gencomp_overhead,
183 gencomp_decdoit, gencomp_destroy
186 const struct bulktab bulktab[] = {
187 { "gencomp", &gencomp_encops, &gencomp_decops },
191 /*----- Key encapsulation -------------------------------------------------*/
195 typedef struct rsa_encctx {
200 static kem *rsa_encinit(key *k, void *kd)
202 rsa_encctx *re = CREATE(rsa_encctx);
203 rsa_pubcreate(&re->rp, kd);
207 static int rsa_encdoit(kem *k, dstr *d, ghash *h)
209 rsa_encctx *re = (rsa_encctx *)k;
210 mp *x = mprand_range(MP_NEW, re->rp.rp->n, &rand_global, 0);
211 mp *y = rsa_pubop(&re->rp, MP_NEW, x);
212 size_t n = mp_octets(re->rp.rp->n);
214 mp_storeb(x, d->buf, n);
215 GH_HASH(h, d->buf, n);
216 mp_storeb(y, d->buf, n);
223 static const char *rsa_lengthcheck(mp *n)
225 if (mp_bits(n) < 1020) return ("key too short");
229 static const char *rsa_enccheck(kem *k)
231 rsa_encctx *re = (rsa_encctx *)k;
233 if ((e = rsa_lengthcheck(re->rp.rp->n)) != 0) return (e);
237 static void rsa_encdestroy(kem *k)
239 rsa_encctx *re = (rsa_encctx *)k;
240 rsa_pubdestroy(&re->rp);
244 static const kemops rsa_encops = {
245 rsa_pubfetch, sizeof(rsa_pub),
246 rsa_encinit, rsa_encdoit, rsa_enccheck, rsa_encdestroy
249 typedef struct rsa_decctx {
254 static kem *rsa_decinit(key *k, void *kd)
256 rsa_decctx *rd = CREATE(rsa_decctx);
257 rsa_privcreate(&rd->rp, kd, &rand_global);
261 static int rsa_decdoit(kem *k, dstr *d, ghash *h)
263 rsa_decctx *rd = (rsa_decctx *)k;
264 mp *x = mp_loadb(MP_NEW, d->buf, d->len);
268 if (MP_CMP(x, >=, rd->rp.rp->n)) {
272 n = mp_octets(rd->rp.rp->n);
274 x = rsa_privop(&rd->rp, x, x);
282 static const char *rsa_deccheck(kem *k)
284 rsa_decctx *rd = (rsa_decctx *)k;
286 if ((e = rsa_lengthcheck(rd->rp.rp->n)) != 0) return (e);
290 static void rsa_decdestroy(kem *k)
292 rsa_decctx *rd = (rsa_decctx *)k;
293 rsa_privdestroy(&rd->rp);
297 static const kemops rsa_decops = {
298 rsa_privfetch, sizeof(rsa_priv),
299 rsa_decinit, rsa_decdoit, rsa_deccheck, rsa_decdestroy
302 /* --- DH and EC --- */
304 typedef struct dh_encctx {
311 static dh_encctx *dh_doinit(key *k, const gprime_param *gp, mp *y,
312 group *(*makegroup)(const gprime_param *),
315 dh_encctx *de = CREATE(dh_encctx);
319 if ((de->g = makegroup(gp)) == 0)
320 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
322 de->y = G_CREATE(de->g);
323 if (G_FROMINT(de->g, de->y, y))
324 die(EXIT_FAILURE, "bad public key `%s'", t.buf);
329 static dh_encctx *ec_doinit(key *k, const char *cstr, const ec *y)
331 dh_encctx *de = CREATE(dh_encctx);
337 if ((e = ec_getinfo(&ei, cstr)) != 0 ||
338 (de->g = group_ec(&ei)) == 0)
339 die(EXIT_FAILURE, "bad elliptic curve spec in key `%s': %s", t.buf, e);
341 de->y = G_CREATE(de->g);
342 if (G_FROMEC(de->g, de->y, y))
343 die(EXIT_FAILURE, "bad public curve point `%s'", t.buf);
348 static kem *dh_encinit(key *k, void *kd)
351 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
355 static kem *bindh_encinit(key *k, void *kd)
358 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
362 static kem *ec_encinit(key *k, void *kd)
365 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
369 static int dh_encdoit(kem *k, dstr *d, ghash *h)
371 dh_encctx *de = (dh_encctx *)k;
372 mp *r = mprand_range(MP_NEW, de->g->r, &rand_global, 0);
373 ge *x = G_CREATE(de->g);
374 ge *y = G_CREATE(de->g);
375 size_t n = de->g->noctets;
378 G_EXP(de->g, x, de->g->g, r);
379 G_EXP(de->g, y, de->y, r);
381 buf_init(&b, d->buf, n);
382 G_TORAW(de->g, &b, y);
383 GH_HASH(h, BBASE(&b), BLEN(&b));
384 buf_init(&b, d->buf, n);
385 G_TORAW(de->g, &b, x);
386 GH_HASH(h, BBASE(&b), BLEN(&b));
394 static const char *dh_enccheck(kem *k)
396 dh_encctx *de = (dh_encctx *)k;
398 if ((e = G_CHECK(de->g, &rand_global)) != 0)
400 if (group_check(de->g, de->y))
401 return ("public key not in subgroup");
405 static void dh_encdestroy(kem *k)
407 dh_encctx *de = (dh_encctx *)k;
408 G_DESTROY(de->g, de->y);
410 G_DESTROYGROUP(de->g);
414 static const kemops dh_encops = {
415 dh_pubfetch, sizeof(dh_pub),
416 dh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
419 static const kemops bindh_encops = {
420 dh_pubfetch, sizeof(dh_pub),
421 bindh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
424 static const kemops ec_encops = {
425 ec_pubfetch, sizeof(ec_pub),
426 ec_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
429 static kem *dh_decinit(key *k, void *kd)
432 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
433 de->x = MP_COPY(dp->x);
437 static kem *bindh_decinit(key *k, void *kd)
440 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
441 de->x = MP_COPY(dp->x);
445 static kem *ec_decinit(key *k, void *kd)
448 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
449 de->x = MP_COPY(ep->x);
453 static int dh_decdoit(kem *k, dstr *d, ghash *h)
455 dh_encctx *de = (dh_encctx *)k;
456 ge *x = G_CREATE(de->g);
457 size_t n = de->g->noctets;
458 void *p = xmalloc(n);
462 buf_init(&b, d->buf, d->len);
463 if (G_FROMRAW(de->g, &b, x) || group_check(de->g, x))
465 G_EXP(de->g, x, x, de->x);
467 G_TORAW(de->g, &b, x);
468 GH_HASH(h, BBASE(&b), BLEN(&b));
469 GH_HASH(h, d->buf, d->len);
477 static const kemops dh_decops = {
478 dh_privfetch, sizeof(dh_priv),
479 dh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
482 static const kemops bindh_decops = {
483 dh_privfetch, sizeof(dh_priv),
484 bindh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
487 static const kemops ec_decops = {
488 ec_privfetch, sizeof(ec_priv),
489 ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
492 /* --- Symmetric --- */
494 typedef struct symm_ctx {
500 static kem *symm_init(key *k, void *kd)
506 s = CREATE(symm_ctx);
509 s->kp.e = KENC_BINARY;
513 if ((err = key_unpack(&s->kp, kd, &d)) != 0) {
514 die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s",
515 d.buf, key_strerror(err));
521 static int symm_decdoit(kem *k, dstr *d, ghash *h)
523 symm_ctx *s = (symm_ctx *)k;
525 GH_HASH(h, s->kb.k, s->kb.sz);
526 GH_HASH(h, d->buf, d->len);
530 static int symm_encdoit(kem *k, dstr *d, ghash *h)
532 dstr_ensure(d, h->ops->c->hashsz);
533 d->len += h->ops->c->hashsz;
534 rand_get(RAND_GLOBAL, d->buf, d->len);
535 return (symm_decdoit(k, d, h));
538 static const char *symm_check(kem *k) { return (0); }
540 static void symm_destroy(kem *k)
541 { symm_ctx *s = (symm_ctx *)k; key_unpackdone(&s->kp); }
543 static const kemops symm_encops = {
545 symm_init, symm_encdoit, symm_check, symm_destroy
548 static const kemops symm_decops = {
550 symm_init, symm_decdoit, symm_check, symm_destroy
553 /* --- The switch table --- */
555 const struct kemtab kemtab[] = {
556 { "rsa", &rsa_encops, &rsa_decops },
557 { "dh", &dh_encops, &dh_decops },
558 { "bindh", &bindh_encops, &bindh_decops },
559 { "ec", &ec_encops, &ec_decops },
560 { "symm", &symm_encops, &symm_decops },
564 /* --- @getkem@ --- *
566 * Arguments: @key *k@ = the key to load
567 * @const char *app@ = application name
568 * @int wantpriv@ = nonzero if we want to decrypt
569 * @bulk **bc@ = bulk crypto context to set up
571 * Returns: A key-encapsulating thing.
576 kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
578 const char *kalg, *halg = 0, *balg = 0;
585 const struct kemtab *kt;
587 const struct bulktab *bt;
593 /* --- Setup stuff --- */
597 /* --- Get the KEM name --- *
599 * Take the attribute if it's there; otherwise use the key type.
603 if ((q = key_getattr(0, k, "kem")) != 0) {
606 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
607 dstr_puts(&d, k->type);
610 die(EXIT_FAILURE, "no KEM for key `%s'", t.buf);
613 /* --- Grab the bulk encryption scheme --- *
615 * Grab it from the KEM if it's there, but override it from the attribute.
618 if (p && (p = strchr(p, '/')) != 0) {
622 if ((q = key_getattr(0, k, "bulk")) != 0)
625 /* --- Grab the hash function --- */
627 if (p && (p = strchr(p, '/')) != 0) {
631 if ((q = key_getattr(0, k, "hash")) != 0)
634 /* --- Instantiate the KEM --- */
636 for (kt = kemtab; kt->name; kt++) {
637 if (strcmp(kt->name, kalg) == 0)
640 die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
643 ko = wantpriv ? kt->decops : kt->encops;
649 kd = xmalloc(ko->kdsz);
650 kp = key_fetchinit(ko->kf, 0, kd);
651 if ((e = key_fetch(kp, k)) != 0) {
652 die(EXIT_FAILURE, "error fetching key `%s': %s",
653 t.buf, key_strerror(e));
656 kk = ko->init(k, kd);
661 /* --- Set up the bulk crypto --- */
665 else if ((kk->hc = ghash_byname(halg)) == 0) {
666 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
671 if ((q = key_getattr(0, k, "kdf")) == 0) {
672 dstr_putf(&d, "%s-mgf", kk->hc->name);
675 if ((kk->cxc = gcipher_byname(q)) == 0) {
676 die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'",
683 for (bt = bulktab, bo = 0; bt->name; bt++) {
684 if (strcmp(balg, bt->name) == 0)
685 { balg = 0; goto b_found; }
686 n = strlen(bt->name);
687 if (strncmp(balg, bt->name, n) == 0 && balg[n] == '-')
688 { balg += n + 1; goto b_found; }
693 bo = wantpriv ? bt->decops : bt->encops;
694 *bc = bo->init(k, balg, kk->hc->name);
697 /* --- Tidy up --- */
704 /* --- @setupkem@ --- *
706 * Arguments: @kem *k@ = key-encapsulation thing
707 * @dstr *d@ = key-encapsulation data
708 * @bulk *bc@ = bulk crypto context to set up
710 * Returns: Zero on success, nonzero on failure.
712 * Use: Initializes all the various symmetric things from a KEM.
715 int setupkem(kem *k, dstr *d, bulk *bc)
723 if (k->ops->doit(k, d, h))
725 n = keysz(GH_CLASS(h)->hashsz, k->cxc->keysz);
729 k->cx = GC_INIT(k->cxc, kd, n);
730 bc->ops->setup(bc, k->cx);
738 /* --- @freekem@ --- *
740 * Arguments: @kem *k@ = key-encapsulation thing
744 * Use: Frees up a key-encapsulation thing.
752 key_fetchdone(k->kp);
759 /*----- That's all, folks -------------------------------------------------*/