5 * (c) 2004 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
30 #define _FILE_OFFSET_BITS 64
34 #include <mLib/report.h>
49 /*----- Main code ---------------------------------------------------------*/
51 /* --- RSA PKCS1 --- */
53 typedef struct rsap1_sigctx {
59 static sig *rsap1_siginit(key *k, void *kd, const gchash *hc)
61 rsap1_sigctx *rs = CREATE(rsap1_sigctx);
62 rsa_privcreate(&rs->rp, kd, &rand_global);
63 rs->p1.r = &rand_global;
65 rs->p1.epsz = strlen(hc->name) + 1;
70 static int rsap1_sigdoit(sig *s, dstr *d)
72 rsap1_sigctx *rs = (rsap1_sigctx *)s;
74 mp *m = rsa_sign(&rs->rp, MP_NEW,
75 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
76 pkcs1_sigencode, &rs->p1);
78 n = mp_octets(rs->rp.rp->n); dstr_ensure(d, n); mp_storeb(m, d->buf, n);
79 d->len += n; mp_drop(m);
83 static const char *rsa_lengthcheck(mp *n)
85 if (mp_bits(n) < 1024) return ("key too short");
89 static const char *rsap1_sigcheck(sig *s)
91 rsap1_sigctx *rs = (rsap1_sigctx *)s;
93 if ((e = rsa_lengthcheck(rs->rp.rp->n)) != 0) return (e);
97 static void rsap1_sigdestroy(sig *s)
99 rsap1_sigctx *rs = (rsap1_sigctx *)s;
100 rsa_privdestroy(&rs->rp);
104 static const sigops rsap1_sig = {
105 rsa_privfetch, sizeof(rsa_priv),
106 rsap1_siginit, rsap1_sigdoit, rsap1_sigcheck, rsap1_sigdestroy
109 typedef struct rsap1_vrfctx {
115 static sig *rsap1_vrfinit(key *k, void *kd, const gchash *hc)
117 rsap1_vrfctx *rv = CREATE(rsap1_vrfctx);
118 rsa_pubcreate(&rv->rp, kd);
119 rv->p1.r = &rand_global;
120 rv->p1.ep = hc->name;
121 rv->p1.epsz = strlen(hc->name) + 1;
126 static int rsap1_vrfdoit(sig *s, dstr *d)
128 rsap1_vrfctx *rv = (rsap1_vrfctx *)s;
129 mp *m = mp_loadb(MP_NEW, d->buf, d->len);
130 int rc = rsa_verify(&rv->rp, m,
131 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
132 0, pkcs1_sigdecode, &rv->p1);
137 static const char *rsap1_vrfcheck(sig *s)
139 rsap1_vrfctx *rv = (rsap1_vrfctx *)s;
141 if ((e = rsa_lengthcheck(rv->rp.rp->n)) != 0) return (e);
145 static void rsap1_vrfdestroy(sig *s)
147 rsap1_vrfctx *rv = (rsap1_vrfctx *)s;
148 rsa_pubdestroy(&rv->rp);
152 static const sigops rsap1_vrf = {
153 rsa_pubfetch, sizeof(rsa_pub),
154 rsap1_vrfinit, rsap1_vrfdoit, rsap1_vrfcheck, rsap1_vrfdestroy
157 /* --- RSA PSS --- */
159 static const gccipher *getmgf(key *k, const gchash *hc)
165 if ((mm = key_getattr(0, k, "mgf")) == 0) {
166 dstr_putf(&d, "%s-mgf", hc->name);
169 if ((gc = gcipher_byname(mm)) == 0)
170 die(EXIT_FAILURE, "unknown encryption scheme `%s'", mm);
175 typedef struct rsapss_sigctx {
181 static sig *rsapss_siginit(key *k, void *kd, const gchash *hc)
183 rsapss_sigctx *rs = CREATE(rsapss_sigctx);
184 rsa_privcreate(&rs->rp, kd, &rand_global);
185 rs->p.r = &rand_global;
186 rs->p.cc = getmgf(k, hc);
188 rs->p.ssz = hc->hashsz;
192 static int rsapss_sigdoit(sig *s, dstr *d)
194 rsapss_sigctx *rs = (rsapss_sigctx *)s;
196 mp *m = rsa_sign(&rs->rp, MP_NEW,
197 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
200 n = mp_octets(rs->rp.rp->n); dstr_ensure(d, n); mp_storeb(m, d->buf, n);
201 d->len += n; mp_drop(m);
205 static const char *rsapss_sigcheck(sig *s)
207 rsapss_sigctx *rs = (rsapss_sigctx *)s;
209 if ((e = rsa_lengthcheck(rs->rp.rp->n)) != 0) return (e);
213 static void rsapss_sigdestroy(sig *s)
215 rsapss_sigctx *rs = (rsapss_sigctx *)s;
216 rsa_privdestroy(&rs->rp);
220 static const sigops rsapss_sig = {
221 rsa_privfetch, sizeof(rsa_priv),
222 rsapss_siginit, rsapss_sigdoit, rsapss_sigcheck, rsapss_sigdestroy
225 typedef struct rsapss_vrfctx {
231 static sig *rsapss_vrfinit(key *k, void *kd, const gchash *hc)
233 rsapss_vrfctx *rv = CREATE(rsapss_vrfctx);
234 rsa_pubcreate(&rv->rp, kd);
235 rv->p.r = &rand_global;
236 rv->p.cc = getmgf(k, hc);
238 rv->p.ssz = hc->hashsz;
242 static int rsapss_vrfdoit(sig *s, dstr *d)
244 rsapss_vrfctx *rv = (rsapss_vrfctx *)s;
245 mp *m = mp_loadb(MP_NEW, d->buf, d->len);
246 int rc = rsa_verify(&rv->rp, m,
247 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
248 0, pss_decode, &rv->p);
253 static const char *rsapss_vrfcheck(sig *s)
255 rsapss_vrfctx *rv = (rsapss_vrfctx *)s;
257 if ((e = rsa_lengthcheck(rv->rp.rp->n)) != 0) return (e);
261 static void rsapss_vrfdestroy(sig *s)
263 rsapss_vrfctx *rv = (rsapss_vrfctx *)s;
264 rsa_pubdestroy(&rv->rp);
268 static const sigops rsapss_vrf = {
269 rsa_pubfetch, sizeof(rsa_pub),
270 rsapss_vrfinit, rsapss_vrfdoit, rsapss_vrfcheck, rsapss_vrfdestroy
273 /* --- DSA and ECDSA --- */
275 typedef struct dsa_sigctx {
280 static void dsa_initcommon(dsa_sigctx *ds, const gchash *hc,
283 ds->g.r = &rand_global;
289 static dsa_sigctx *dsa_doinit(key *k, const gprime_param *gp,
290 mp *y, const gchash *hc,
291 group *(*makegroup)(const gprime_param *),
294 dsa_sigctx *ds = CREATE(dsa_sigctx);
298 if ((ds->g.g = makegroup(gp)) == 0)
299 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
300 ds->g.p = G_CREATE(ds->g.g);
301 if (G_FROMINT(ds->g.g, ds->g.p, y))
302 die(EXIT_FAILURE, "bad public key in key `%s'", t.buf);
303 dsa_initcommon(ds, hc, t.buf);
308 static dsa_sigctx *ecdsa_doinit(key *k, const char *cstr,
309 ec *y, const gchash *hc)
311 dsa_sigctx *ds = CREATE(dsa_sigctx);
317 if ((e = ec_getinfo(&ei, cstr)) != 0)
318 die(EXIT_FAILURE, "bad curve in key `%s': %s", t.buf, e);
319 ds->g.g = group_ec(&ei);
320 ds->g.p = G_CREATE(ds->g.g);
321 if (G_FROMEC(ds->g.g, ds->g.p, y))
322 die(EXIT_FAILURE, "bad public key in key `%s'", t.buf);
323 dsa_initcommon(ds, hc, t.buf);
328 static sig *dsa_siginit(key *k, void *kd, const gchash *hc)
331 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
332 ds->g.u = MP_COPY(dp->x);
336 static sig *bindsa_siginit(key *k, void *kd, const gchash *hc)
339 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
340 ds->g.u = MP_COPY(dp->x);
344 static sig *ecdsa_siginit(key *k, void *kd, const gchash *hc)
347 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
348 ds->g.u = MP_COPY(ep->x);
352 static int dsa_sigdoit(sig *s, dstr *d)
354 dsa_sigctx *ds = (dsa_sigctx *)s;
355 gdsa_sig ss = GDSA_SIG_INIT;
356 size_t n = mp_octets(ds->g.g->r);
358 gdsa_sign(&ds->g, &ss, GH_DONE(ds->s.h, 0), 0);
359 dstr_ensure(d, 2 * n);
360 mp_storeb(ss.r, d->buf, n);
361 mp_storeb(ss.s, d->buf + n, n);
363 mp_drop(ss.r); mp_drop(ss.s);
367 static const char *dsa_sigcheck(sig *s)
369 dsa_sigctx *ds = (dsa_sigctx *)s;
371 if ((e = G_CHECK(ds->g.g, &rand_global)) != 0)
373 if (group_check(ds->g.g, ds->g.p))
374 return ("public key not in subgroup");
378 static void dsa_sigdestroy(sig *s)
380 dsa_sigctx *ds = (dsa_sigctx *)s;
381 G_DESTROY(ds->g.g, ds->g.p);
383 G_DESTROYGROUP(ds->g.g);
387 static const sigops dsa_sig = {
388 dh_privfetch, sizeof(dh_priv),
389 dsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
392 static const sigops bindsa_sig = {
393 dh_privfetch, sizeof(dh_priv),
394 bindsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
397 static const sigops ecdsa_sig = {
398 ec_privfetch, sizeof(ec_priv),
399 ecdsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
402 static sig *dsa_vrfinit(key *k, void *kd, const gchash *hc)
405 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
409 static sig *bindsa_vrfinit(key *k, void *kd, const gchash *hc)
412 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
416 static sig *ecdsa_vrfinit(key *k, void *kd, const gchash *hc)
419 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
423 static int dsa_vrfdoit(sig *s, dstr *d)
425 dsa_sigctx *ds = (dsa_sigctx *)s;
430 ss.r = mp_loadb(MP_NEW, d->buf, n);
431 ss.s = mp_loadb(MP_NEW, d->buf + n, d->len - n);
432 rc = gdsa_verify(&ds->g, &ss, GH_DONE(ds->s.h, 0));
433 mp_drop(ss.r); mp_drop(ss.s);
437 static const sigops dsa_vrf = {
438 dh_pubfetch, sizeof(dh_pub),
439 dsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
442 static const sigops bindsa_vrf = {
443 dh_pubfetch, sizeof(dh_pub),
444 bindsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
447 static const sigops ecdsa_vrf = {
448 ec_pubfetch, sizeof(ec_pub),
449 ecdsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
452 /* --- KCDSA and ECKCDSA --- */
454 static void kcdsa_privkey(dsa_sigctx *ds, mp *x)
455 { ds->g.u = mp_modinv(MP_NEW, x, ds->g.g->r); }
457 static void kcdsa_sethash(dsa_sigctx *ds, const gchash *hc)
458 { ds->s.h = gkcdsa_beginhash(&ds->g); }
460 static sig *kcdsa_siginit(key *k, void *kd, const gchash *hc)
463 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
464 kcdsa_privkey(ds, dp->x);
465 kcdsa_sethash(ds, hc);
469 static sig *binkcdsa_siginit(key *k, void *kd, const gchash *hc)
472 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
473 kcdsa_privkey(ds, dp->x);
474 kcdsa_sethash(ds, hc);
478 static sig *eckcdsa_siginit(key *k, void *kd, const gchash *hc)
481 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
482 kcdsa_privkey(ds, ep->x);
483 kcdsa_sethash(ds, hc);
487 static int kcdsa_sigdoit(sig *s, dstr *d)
489 dsa_sigctx *ds = (dsa_sigctx *)s;
490 gkcdsa_sig ss = GKCDSA_SIG_INIT;
491 size_t hsz = ds->g.h->hashsz, n = mp_octets(ds->g.g->r);
493 gkcdsa_sign(&ds->g, &ss, GH_DONE(ds->s.h, 0), 0);
494 dstr_ensure(d, hsz + n);
495 memcpy(d->buf, ss.r, hsz);
496 mp_storeb(ss.s, d->buf + hsz, n);
498 xfree(ss.r); mp_drop(ss.s);
502 static const sigops kcdsa_sig = {
503 dh_privfetch, sizeof(dh_priv),
504 kcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
507 static const sigops binkcdsa_sig = {
508 dh_privfetch, sizeof(dh_priv),
509 binkcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
512 static const sigops eckcdsa_sig = {
513 ec_privfetch, sizeof(ec_priv),
514 eckcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
517 static sig *kcdsa_vrfinit(key *k, void *kd, const gchash *hc)
520 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
521 kcdsa_sethash(ds, hc);
525 static sig *binkcdsa_vrfinit(key *k, void *kd, const gchash *hc)
528 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
529 kcdsa_sethash(ds, hc);
533 static sig *eckcdsa_vrfinit(key *k, void *kd, const gchash *hc)
536 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
537 kcdsa_sethash(ds, hc);
541 static int kcdsa_vrfdoit(sig *s, dstr *d)
543 dsa_sigctx *ds = (dsa_sigctx *)s;
545 size_t hsz = ds->g.h->hashsz, n = d->len - hsz;
550 ss.r = (octet *)d->buf;
551 ss.s = mp_loadb(MP_NEW, d->buf + hsz, n);
552 rc = gkcdsa_verify(&ds->g, &ss, GH_DONE(ds->s.h, 0));
557 static const sigops kcdsa_vrf = {
558 dh_pubfetch, sizeof(dh_pub),
559 kcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
562 static const sigops binkcdsa_vrf = {
563 dh_pubfetch, sizeof(dh_pub),
564 binkcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
567 static const sigops eckcdsa_vrf = {
568 ec_pubfetch, sizeof(ec_pub),
569 eckcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
572 /* --- Symmetric message authentication --- */
574 typedef struct mac_ctx {
582 static sig *mac_init(key *k, void *kd, const gchash *hc)
592 m->kp.e = KENC_BINARY;
596 if ((mm = key_getattr(0 /*yik*/, k, "mac")) == 0) {
597 dstr_putf(&d, "%s-hmac", hc->name);
600 if ((m->mc = gmac_byname(mm)) == 0)
601 die(EXIT_FAILURE, "unknown message authentication scheme `%s'", mm);
604 if ((err = key_unpack(&m->kp, kd, &d)) != 0) {
605 die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s",
606 d.buf, key_strerror(err));
610 if (keysz(m->kb.sz, m->mc->keysz) != m->kb.sz) {
611 die(EXIT_FAILURE, "bad key size %lu for `%s'",
612 (unsigned long)m->kb.sz, m->mc->name);
614 m->m = GM_KEY(m->mc, m->kb.k, m->kb.sz);
615 m->s.h = GM_INIT(m->m);
619 static int mac_sigdoit(sig *s, dstr *d)
621 mac_ctx *m = (mac_ctx *)s;
623 dstr_ensure(d, m->mc->hashsz);
624 GH_DONE(m->s.h, d->buf);
625 d->len += m->mc->hashsz;
629 static int mac_vrfdoit(sig *s, dstr *d)
631 mac_ctx *m = (mac_ctx *)s;
634 t = GH_DONE(m->s.h, 0);
635 if (d->len != m->mc->hashsz || memcmp(d->buf, t, d->len) != 0)
640 static const char *mac_check(sig *s) { return (0); }
642 static void mac_destroy(sig *s)
644 mac_ctx *m = (mac_ctx *)s;
646 key_unpackdone(&m->kp);
649 static const sigops mac_sig = {
651 mac_init, mac_sigdoit, mac_check, mac_destroy
654 static const sigops mac_vrf = {
656 mac_init, mac_vrfdoit, mac_check, mac_destroy
659 /* --- The switch table --- */
661 const struct sigtab sigtab[] = {
662 { "rsapkcs1", &rsap1_sig, &rsap1_vrf, &sha },
663 { "rsapss", &rsapss_sig, &rsapss_vrf, &sha },
664 { "dsa", &dsa_sig, &dsa_vrf, &sha },
665 { "bindsa", &bindsa_sig, &bindsa_vrf, &sha },
666 { "ecdsa", &ecdsa_sig, &ecdsa_vrf, &sha },
667 { "kcdsa", &kcdsa_sig, &kcdsa_vrf, &has160 },
668 { "binkcdsa", &binkcdsa_sig, &binkcdsa_vrf, &has160 },
669 { "eckcdsa", &eckcdsa_sig, &eckcdsa_vrf, &has160 },
670 { "mac", &mac_sig, &mac_vrf, &rmd160 },
674 /* --- @getsig@ --- *
676 * Arguments: @key *k@ = the key to load
677 * @const char *app@ = application name
678 * @int wantpriv@ = nonzero if we want to sign
680 * Returns: A signature-making thing.
682 * Use: Loads a key and starts hashing.
685 sig *getsig(key *k, const char *app, int wantpriv)
687 const char *salg, *halg = 0;
694 const struct sigtab *st;
701 /* --- Setup stuff --- */
705 /* --- Get the signature algorithm --- *
707 * Take the attribute if it's there; otherwise use the key type.
711 if ((q = key_getattr(0, k, "sig")) != 0) {
714 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
715 dstr_puts(&d, k->type);
718 die(EXIT_FAILURE, "no signature algorithm for key `%s'", t.buf);
720 /* --- Grab the hash algorithm --- *
722 * Grab it from the signature algorithm if it's there. But override that
723 * from the attribute.
727 if ((p = strchr(p, '/')) != 0) {
731 if ((q = key_getattr(0, k, "hash")) != 0)
734 /* --- Look up the algorithms in the table --- */
736 for (st = sigtab; st->name; st++) {
737 if (strcmp(st->name, salg) == 0)
740 die(EXIT_FAILURE, "signature algorithm `%s' not found in key `%s'",
746 if ((ch = ghash_byname(halg)) == 0) {
747 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
751 so = wantpriv ? st->signops : st->verifyops;
753 /* --- Load the key --- */
760 kd = xmalloc(so->kdsz);
761 kp = key_fetchinit(so->kf, 0, kd);
762 if ((e = key_fetch(kp, k)) != 0) {
763 die(EXIT_FAILURE, "error fetching key `%s': %s",
764 t.buf, key_strerror(e));
767 s = so->init(k, kd, ch);
775 /* --- Free stuff up --- */
782 /* --- @freesig@ --- *
784 * Arguments: @sig *s@ = signature-making thing
788 * Use: Frees up a signature-making thing
797 key_fetchdone(s->kp);
803 /*----- That's all, folks -------------------------------------------------*/