chiark / gitweb /
~mdw / tripe / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
debian/control: Only require Wireshark things for binary-indep build.
[tripe] / server / dh.c
CommitLineData
5b9f3d37
MW		 1/* -*-c-*-
2 *
3 * Diffie--Hellman groups
4 *
5 * (c) 2017 Straylight/Edgeware
6 */
7
8/*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
27/*----- Header files ------------------------------------------------------*/
28
29#include "tripe.h"
30
31/*----- Common utilities --------------------------------------------------*/
32
33/* --- @KLOAD@ --- *
34 *
35 * Arguments: @pre@ = prefix for defined functions
36 * @ty@, @TY@ = key type name (lower- and upper-case)
37 * @setgroup@ = code to initialize @kd->g@
38 * @setpriv@ = code to initialize @kd->kpriv@
39 * @setpub@ = code to initialize @kd->kpub@
40 *
41 * Use: Generates the body of one of the (rather tedious) key loading
42 * functions. See the description of @KEYTYPES@ below for the
43 * details.
44 */
45
46#define KLOAD_HALF(pre, ty, TY, which, WHICH, setgroup, setpriv, setpub) \
47static int pre##_ld##which(key_file *kf, key *k, key_data *d, \
48 kdata *kd, dstr *t, dstr *e) \
49{ \
50 key_packstruct kps[TY##_##WHICH##FETCHSZ]; \
51 key_packdef *kp; \
52 ty##_##which p; \
53 int rc; \
54 \
55 /* --- Initialize things we've not set up yet --- */ \
56 \
57 kd->grp = 0; kd->k = 0; kd->K = 0; \
58 \
59 /* --- Unpack the key --- */ \
60 \
61 kp = key_fetchinit(ty##_##which##fetch, kps, &p); \
62 if ((rc = key_unpack(kp, d, t)) != 0) { \
63 a_format(e, "unpack-failed", "%s", key_strerror(rc), A_END); \
64 goto fail; \
65 } \
66 \
67 /* --- Extract the pieces of the key --- */ \
68 \
69 setgroup; \
70 setpriv; \
71 setpub; \
72 \
73 /* --- We win --- */ \
74 \
75 rc = 0; \
76 goto done; \
77 \
78fail: \
79 if (kd->grp) { \
80 if (kd->K) pre##_freege(kd->grp, kd->K); \
81 if (kd->k) pre##_freesc(kd->grp, kd->k); \
82 pre##_freegrp(kd->grp); \
83 } \
84 rc = -1; \
85 \
86done: \
87 key_fetchdone(kp); \
88 return (rc); \
89}
90
91#define KLOAD(pre, ty, TY, setgroup, setpriv, setpub) \
92static void pre##_freegrp(dhgrp *); \
93static void pre##_freesc(const dhgrp *, dhsc *); \
94static void pre##_freege(const dhgrp *, dhge *); \
95 KLOAD_HALF(pre, ty, TY, priv, PRIV, setgroup, setpriv, setpub) \
96 KLOAD_HALF(pre, ty, TY, pub, PUB, setgroup, { kd->k = 0; }, setpub)
97
07bdda1f
MW		 98enum { DHSER_V0, DHSER_CONSTLEN };
99
100static int get_serialization(key_file *kf, key *k, dstr *e)
101{
102 const char *p = key_getattr(kf, k, "serialization");
103 if (!p || strcmp(p, "v0") == 0) return (DHSER_V0);
104 else if (strcmp(p, "constlen") == 0) return (DHSER_CONSTLEN);
105 else {
106 a_format(e, "unknown-serialization-format", "%s", p, A_END);
107 return (-1);
108 }
109}
110
5b9f3d37
MW		 111#ifndef NTRACE
112static void setupstr(mptext_stringctx *sc)
113 { sc->buf = (char *)buf_u; sc->lim = sc->buf + sizeof(buf_u); }
114
115static const char *donestr(mptext_stringctx *sc)
116 { *sc->buf = 0; return ((const char *)buf_u); }
117
118static void addlitstr(const char *p, mptext_stringctx *sc)
119 { mptext_stringops.put(p, strlen(p), sc); }
120
121static void addmpstr(mp *x, int radix, mptext_stringctx *sc)
122{
123 char b[12];
124
125 if (radix == 16) addlitstr("0x", sc);
126 else if (radix == 8) addlitstr("0", sc);
127 else if (radix != 10) { sprintf(b, "%d#", radix); addlitstr(b, sc); }
128 mp_write(x, radix, &mptext_stringops, sc);
129}
130
131static const char *mpstr(mp *x, int radix)
132{
133 mptext_stringctx sc;
134
135 setupstr(&sc);
136 addmpstr(x, radix, &sc);
137 return (donestr(&sc));
138}
139#endif
140
141/*----- Schnorr groups ----------------------------------------------------*/
142
143typedef struct intdh_grp {
144 dhgrp _g;
145 mpmont mm;
146 mp *q, *G;
147 size_t gesz;
07bdda1f 148 int ser;
5b9f3d37
MW		 149} intdh_grp;
150
151typedef struct intdh_sc { mp *x; } intdh_sc;
152typedef struct intdh_ge { mp *X; } intdh_ge;
153
07bdda1f
MW		 154static dhgrp *intdh_mkgroup(key_file *kf, key *k,
155 const dh_param *dp, dstr *e)
5b9f3d37 156{
07bdda1f
MW		 157 intdh_grp *g;
158 int ser;
159
160 if ((ser = get_serialization(kf, k, e)) < 0) return (0);
161 g = CREATE(intdh_grp);
162 g->ser = ser;
5b9f3d37
MW		 163 g->_g.scsz = mp_octets(dp->q);
164 g->gesz = mp_octets(dp->p);
165 mpmont_create(&g->mm, dp->p);
166 g->q = MP_COPY(dp->q);
167 g->G = mpmont_mul(&g->mm, MP_NEW, dp->g, g->mm.r2);
168 return (&g->_g);
169}
170
171static dhsc *intdh_mptosc(const dhgrp *gg, mp *z)
172{
173 const intdh_grp *g = (const intdh_grp *)gg;
174 intdh_sc *x = CREATE(intdh_sc);
175 x->x = MP_NEW; mp_div(0, &x->x, z, g->q);
176 return ((dhsc *)x);
177}
178
179static dhge *intdh_mptoge(const dhgrp *gg, mp *z)
180{
181 const intdh_grp *g = (const intdh_grp *)gg;
182 intdh_ge *Y = CREATE(intdh_ge);
183 mp *t = MP_NEW; mp_div(0, &t, z, g->mm.m);
184 Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2);
185 return ((dhge *)Y);
186}
187
188KLOAD(intdh, dh, DH,
07bdda1f 189 { if ((kd->grp = intdh_mkgroup(kf, k, &p.dp, e)) == 0) goto fail; },
5b9f3d37
MW		 190 { kd->k = intdh_mptosc(kd->grp, p.x); },
191 { kd->K = intdh_mptoge(kd->grp, p.y); })
192
193static const char *intdh_checkgrp(const dhgrp *gg)
194{
195 const intdh_grp *g = (const intdh_grp *)gg;
196 mp *t = MP_NEW;
197
198 if (!pgen_primep(g->mm.m, &rand_global)) return ("p is not prime");
199 if (!pgen_primep(g->q, &rand_global)) return ("q is not prime");
200 mp_div(0, &t, g->mm.m, g->q);
201 if (!MP_EQ(t, MP_ONE)) return ("q is not a subgroup order");
202 t = mpmont_expr(&g->mm, t, g->G, g->q);
203 if (!MP_EQ(t, g->mm.r)) return ("g not in the subgroup");
204 return (0);
205}
206
207static void intdh_grpinfo(const dhgrp *gg, admin *adm)
208{
209 const intdh_grp *g = (const intdh_grp *)gg;
210 a_info(adm,
211 "kx-group=prime",
212 "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->q),
213 "kx-group-elt-bits=%lu", (unsigned long)mp_bits(g->mm.m),
214 A_END);
215}
216
217#ifndef NTRACE
218static void intdh_tracegrp(const dhgrp *gg)
219{
220 const intdh_grp *g = (const intdh_grp *)gg;
221 mp *t = MP_NEW;
222 trace(T_CRYPTO, "crypto: group type `dh'");
223 trace(T_CRYPTO, "crypto: p = %s", mpstr(g->mm.m, 10));
224 trace(T_CRYPTO, "crypto: q = %s", mpstr(g->q, 10));
225 t = mpmont_reduce(&g->mm, t, g->G);
226 trace(T_CRYPTO, "crypto: g = %s", mpstr(t, 10));
227 MP_DROP(t);
228}
229#endif
230
231static int intdh_samegrpp(const dhgrp *gg, const dhgrp *hh)
232{
233 const intdh_grp *g = (const intdh_grp *)gg, *h = (const intdh_grp *)hh;
07bdda1f
MW		 234 return (MP_EQ(g->mm.m, h->mm.m) &&
235 MP_EQ(g->q, h->q) && MP_EQ(g->G, h->G) &&
236 g->ser == h->ser);
5b9f3d37
MW		 237}
238
239static void intdh_freegrp(dhgrp *gg)
240{
241 intdh_grp *g = (intdh_grp *)gg;
242 mpmont_destroy(&g->mm); MP_DROP(g->q); MP_DROP(g->G);
243 DESTROY(g);
244}
245
246static dhsc *intdh_ldsc(const dhgrp *gg, const void *p, size_t sz)
247{ const intdh_grp *g = (const intdh_grp *)gg;
248 intdh_sc *x = CREATE(intdh_sc);
249 mp *t = mp_loadb(MP_NEW, p, sz);
250 mp_div(0, &t, t, g->q); x->x = t;
251 return ((dhsc *)x);
252}
253
254static int intdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx)
255{
256 const intdh_sc *x = (const intdh_sc *)xx;
257 mp_storeb(x->x, p, sz);
258 return (0);
259}
260
261static dhsc *intdh_randsc(const dhgrp *gg)
262{
263 const intdh_grp *g = (const intdh_grp *)gg;
264 intdh_sc *x = CREATE(intdh_sc);
265 x->x = mprand_range(MP_NEW, g->q, &rand_global, 0);
266 return ((dhsc *)x);
267}
268
269#ifndef NTRACE
270static const char *intdh_scstr(const dhgrp *gg, const dhsc *xx)
271 { const intdh_sc *x = (const intdh_sc *)xx; return (mpstr(x->x, 10)); }
272#endif
273
274static void intdh_freesc(const dhgrp *gg, dhsc *xx)
275{
276 intdh_sc *x = (intdh_sc *)xx;
277 MP_DROP(x->x); DESTROY(x);
278}
279
280static dhge *intdh_ldge(const dhgrp *gg, buf *b, int fmt)
281{
282 const intdh_grp *g = (const intdh_grp *)gg;
283 intdh_ge *Y;
284 mp *t;
285 const octet *p;
286
287 switch (fmt) {
07bdda1f
MW		 288 case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std;
289 case DHFMT_VAR:
5b9f3d37
MW		 290 if ((t = buf_getmp(b)) == 0) return (0);
291 break;
07bdda1f 292 case DHFMT_STD: std:
5b9f3d37
MW		 293 if ((p = buf_get(b, g->gesz)) == 0) return (0);
294 t = mp_loadb(MP_NEW, p, g->gesz);
295 break;
296 default:
297 abort();
298 }
299 Y = CREATE(intdh_ge);
300 mp_div(0, &t, t, g->mm.m);
301 Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2);
302 return ((dhge *)Y);
303}
304
305static int intdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt)
306{
307 const intdh_grp *g = (const intdh_grp *)gg;
308 const intdh_ge *Y = (const intdh_ge *)YY;
309 octet *p;
310 mp *t;
311 int rc;
312
313 t = mpmont_reduce(&g->mm, MP_NEW, Y->X);
314 switch (fmt) {
07bdda1f
MW		 315 case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std;
316 case DHFMT_VAR:
5b9f3d37
MW		 317 rc = buf_putmp(b, t);
318 break;
07bdda1f 319 case DHFMT_STD: std:
5b9f3d37
MW		 320 if ((p = buf_get(b, g->gesz)) == 0)
321 rc = -1;
322 else {
323 mp_storeb(t, p, g->gesz);
324 rc = 0;
325 }
326 break;
327 default:
328 abort();
329 }
330 MP_DROP(t);
331 return (rc);
332}
333
334static int intdh_checkge(const dhgrp *gg, const dhge *YY)
335{
336 const intdh_grp *g = (const intdh_grp *)gg;
337 const intdh_ge *Y = (const intdh_ge *)YY;
338 mp *T;
339 int rc = 0;
340
341 if (MP_EQ(Y->X, g->mm.r)) rc = -1;
342 T = mpmont_expr(&g->mm, MP_NEW, Y->X, g->q);
343 if (!MP_EQ(T, g->mm.r)) rc = -1;
344 MP_DROP(T);
345 return (rc);
346}
347
348static int intdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ)
349{
350 const intdh_ge *Y = (const intdh_ge *)YY, *Z = (const intdh_ge *)ZZ;
351 return (MP_EQ(Y->X, Z->X));
352}
353
354static dhge *intdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY)
355{
356 const intdh_grp *g = (const intdh_grp *)gg;
357 const intdh_sc *x = (const intdh_sc *)xx;
358 const intdh_ge *Y = (const intdh_ge *)YY;
359 intdh_ge *Z = CREATE(intdh_ge);
360
361 Z->X = mpmont_expr(&g->mm, MP_NEW, Y ? Y->X : g->G, x->x);
362 return ((dhge *)Z);
363}
364
365#ifndef NTRACE
366static const char *intdh_gestr(const dhgrp *gg, const dhge *YY)
367{
368 const intdh_grp *g = (const intdh_grp *)gg;
369 const intdh_ge *Y = (const intdh_ge *)YY;
370 mp *t = mpmont_reduce(&g->mm, MP_NEW, Y->X);
371 const char *p = mpstr(t, 10);
372 MP_DROP(t);
373 return (p);
374}
375#endif
376
377static void intdh_freege(const dhgrp *gg, dhge *YY)
378 { intdh_ge *Y = (intdh_ge *)YY; MP_DROP(Y->X); DESTROY(Y); }
379
380/*----- Elliptic curve groups ---------------------------------------------*/
381
382typedef struct ecdh_grp {
383 dhgrp _g;
384 ec_info ei;
385 ec P;
07bdda1f 386 int ser;
5b9f3d37
MW		 387} ecdh_grp;
388
389typedef struct ecdh_sc { mp *x; } ecdh_sc;
390typedef struct ecdh_ge { ec Q; } ecdh_ge;
391
07bdda1f 392static dhgrp *ecdh_mkgroup(key_file *kf, key *k, const char *cstr, dstr *e)
5b9f3d37
MW		 393{
394 ecdh_grp *g;
395 ec_info ei;
07bdda1f 396 int ser;
5b9f3d37
MW		 397 const char *err;
398
07bdda1f 399 if ((ser = get_serialization(kf, k, e)) < 0) return (0);
5b9f3d37
MW		 400 if ((err = ec_getinfo(&ei, cstr)) != 0) {
401 a_format(e, "decode-failed", "%s", err, A_END);
402 return (0);
403 }
404 g = CREATE(ecdh_grp);
07bdda1f 405 g->ser = ser;
5b9f3d37
MW		 406 g->ei = ei;
407 EC_CREATE(&g->P); EC_IN(g->ei.c, &g->P, &g->ei.g);
408 g->_g.scsz = mp_octets(g->ei.r);
409 return (&g->_g);
410}
411
412static dhsc *ecdh_mptosc(const dhgrp *gg, mp *z)
413{
414 const ecdh_grp *g = (const ecdh_grp *)gg;
415 ecdh_sc *x = CREATE(ecdh_sc);
416 x->x = MP_NEW; mp_div(0, &x->x, z, g->ei.r);
417 return ((dhsc *)x);
418}
419
420static dhge *ecdh_ectoge(const dhgrp *gg, ec *Q)
421{
422 const ecdh_grp *g = (const ecdh_grp *)gg;
423 ecdh_ge *Y = CREATE(ecdh_ge); EC_CREATE(&Y->Q);
424 EC_IN(g->ei.c, &Y->Q, Q);
425 if (EC_CHECK(g->ei.c, &Y->Q))
426 { EC_DESTROY(&Y->Q); DESTROY(Y); return (0); }
427 return ((dhge *)Y);
428}
429
430KLOAD(ecdh, ec, EC,
07bdda1f 431 { if ((kd->grp = ecdh_mkgroup(kf, k, p.cstr, e)) == 0) goto fail; },
5b9f3d37
MW		 432 { kd->k = ecdh_mptosc(kd->grp, p.x); },
433 { if ((kd->K = ecdh_ectoge(kd->grp, &p.p)) == 0) {
434 a_format(e, "bad-public-vector", A_END);
435 goto fail;
436 }
437 })
438
439static const char *ecdh_checkgrp(const dhgrp *gg)
440{
441 const ecdh_grp *g = (const ecdh_grp *)gg;
442 return (ec_checkinfo(&g->ei, &rand_global));
443}
444
445static void ecdh_grpinfo(const dhgrp *gg, admin *adm)
446{
447 const ecdh_grp *g = (const ecdh_grp *)gg;
448 a_info(adm,
449 "kx-group=ec",
450 "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->ei.r),
451 "kx-group-elt-bits=%lu", (unsigned long)2*g->ei.c->f->nbits,
452 A_END);
453}
454
455#ifndef NTRACE
456static void addfestr(field *f, mp *x, mptext_stringctx *sc)
457 { addmpstr(x, F_TYPE(f) == FTY_PRIME ? 10 : 16, sc); }
458
459static void addintfestr(field *f, mp *x, mptext_stringctx *sc)
460 { mp *t = F_OUT(f, MP_NEW, x); addfestr(f, x, sc); MP_DROP(t); }
461
462static const char *intfestr(field *f, mp *x)
463{
464 mptext_stringctx sc;
465 setupstr(&sc);
466 addintfestr(f, x, &sc);
467 return (donestr(&sc));
468}
469
470static void ecdh_tracegrp(const dhgrp *gg)
471{
472 const ecdh_grp *g = (const ecdh_grp *)gg;
473 const ec_curve *c = g->ei.c;
474 field *f = c->f;
475
476 trace(T_CRYPTO, "crypto: group type `ec'");
477 switch (F_TYPE(f)) {
478 case FTY_PRIME:
479 trace(T_CRYPTO, "crypto: prime field `%s'", F_NAME(f));
480 trace(T_CRYPTO, "crypto: p = %s", mpstr(f->q, 10));
481 break;
482 case FTY_BINARY:
483 trace(T_CRYPTO, "crypto: binary field `%s'", F_NAME(f));
484 trace(T_CRYPTO, "crypto: degree = %lu", f->nbits - 1);
485 break;
486 default:
487 trace(T_CRYPTO, "crypto: unknown field type! `%s'", F_NAME(f));
488 break;
489 }
490 trace(T_CRYPTO, "crypto: curve type `%s'", EC_NAME(c));
491 trace(T_CRYPTO, "crypto: curve a = %s", intfestr(f, c->a));
492 trace(T_CRYPTO, "crypto: curve b = %s", intfestr(f, c->b));
493 trace(T_CRYPTO, "crypto: n = %s", mpstr(g->ei.r, 10));
494 trace(T_CRYPTO, "crypto: h = %s", mpstr(g->ei.h, 10));
495}
496#endif
497
498static int ecdh_samegrpp(const dhgrp *gg, const dhgrp *hh)
499{
500 const ecdh_grp *g = (const ecdh_grp *)gg, *h = (const ecdh_grp *)hh;
07bdda1f
MW		 501 return (ec_sameinfop(&g->ei, &h->ei) &&
502 g->ser == h->ser);
5b9f3d37
MW		 503}
504
505static void ecdh_freegrp(dhgrp *gg)
506{
507 ecdh_grp *g = (ecdh_grp *)gg;
508 EC_DESTROY(&g->P); ec_freeinfo(&g->ei);
509 DESTROY(g);
510}
511
512static dhsc *ecdh_ldsc(const dhgrp *gg, const void *p, size_t sz)
513{
514 const ecdh_grp *g = (const ecdh_grp *)gg;
515 ecdh_sc *x = CREATE(ecdh_sc);
516 mp *t = mp_loadb(MP_NEW, p, sz);
517 mp_div(0, &t, t, g->ei.r); x->x = t;
518 return ((dhsc *)x);
519}
520
521static int ecdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx)
522{
523 const ecdh_sc *x = (const ecdh_sc *)xx;
524 mp_storeb(x->x, p, sz);
525 return (0);
526}
527
528static dhsc *ecdh_randsc(const dhgrp *gg)
529{
530 const ecdh_grp *g = (const ecdh_grp *)gg;
531 ecdh_sc *x = CREATE(ecdh_sc);
532 x->x = mprand_range(MP_NEW, g->ei.r, &rand_global, 0);
533 return ((dhsc *)x);
534}
535
536#ifndef NTRACE
537static const char *ecdh_scstr(const dhgrp *gg, const dhsc *xx)
538{
539 const ecdh_sc *x = (const ecdh_sc *)xx;
540 return (mpstr(x->x, 10));
541}
542#endif
543
544static void ecdh_freesc(const dhgrp *gg, dhsc *xx)
545 { ecdh_sc *x = (ecdh_sc *)xx; MP_DROP(x->x); DESTROY(x); }
546
547static dhge *ecdh_ldge(const dhgrp *gg, buf *b, int fmt)
548{
549 const ecdh_grp *g = (const ecdh_grp *)gg;
550 ecdh_ge *Y;
551 ec T = EC_INIT;
552
553 switch (fmt) {
07bdda1f
MW		 554 case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std;
555 case DHFMT_VAR: if (buf_getec(b, &T)) return (0); break;
556 case DHFMT_STD: std: if (ec_getraw(g->ei.c, b, &T)) return (0); break;
5b9f3d37
MW		 557 default:
558 abort();
559 }
560 EC_IN(g->ei.c, &T, &T);
561 Y = CREATE(ecdh_ge); Y->Q = T;
562 return ((dhge *)Y);
563}
564
565static int ecdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt)
566{
567 const ecdh_grp *g = (const ecdh_grp *)gg;
568 const ecdh_ge *Y = (const ecdh_ge *)YY;
569 ec T = EC_INIT;
570 int rc;
571
572 EC_OUT(g->ei.c, &T, &Y->Q);
573 switch (fmt) {
07bdda1f
MW		 574 case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std;
575 case DHFMT_VAR: rc = buf_putec(b, &T); break;
576 case DHFMT_STD: std: rc = ec_putraw(g->ei.c, b, &T); break;
5b9f3d37
MW		 577 default: abort();
578 }
579 EC_DESTROY(&T);
580 return (rc);
581}
582
583static int ecdh_checkge(const dhgrp *gg, const dhge *YY)
584{
585 const ecdh_grp *g = (const ecdh_grp *)gg;
586 const ecdh_ge *Y = (const ecdh_ge *)YY;
587 ec T = EC_INIT;
588 int rc = 0;
589
590 if (EC_ATINF(&Y->Q)) rc = -1;
591 ec_imul(g->ei.c, &T, &Y->Q, g->ei.r);
592 if (!EC_ATINF(&T)) rc = -1;
593 EC_DESTROY(&T);
594 return (rc);
595}
596
597static int ecdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ)
598{
599 const ecdh_grp *g = (const ecdh_grp *)gg;
600 const ecdh_ge *Y = (const ecdh_ge *)YY, *Z = (const ecdh_ge *)ZZ;
601 ec T = EC_INIT, U = EC_INIT; int rc;
602 EC_FIX(g->ei.c, &T, &Y->Q); EC_FIX(g->ei.c, &U, &Z->Q);
603 rc = EC_EQ(&T, &U);
604 EC_DESTROY(&T); EC_DESTROY(&U);
605 return (rc);
606}
607
608static dhge *ecdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY)
609{
610 const ecdh_grp *g = (const ecdh_grp *)gg;
611 const ecdh_sc *x = (const ecdh_sc *)xx;
612 const ecdh_ge *Y = (const ecdh_ge *)YY;
613 ecdh_ge *Z = CREATE(ecdh_ge); EC_CREATE(&Z->Q);
614
615 ec_imul(g->ei.c, &Z->Q, Y ? &Y->Q : &g->P, x->x);
616 return ((dhge *)Z);
617}
618
619#ifndef NTRACE
620static const char *ecdh_gestr(const dhgrp *gg, const dhge *YY)
621{
622 const ecdh_grp *g = (const ecdh_grp *)gg;
623 const ecdh_ge *Y = (const ecdh_ge *)YY;
624 ec T = EC_INIT;
625 field *f = g->ei.c->f;
626 mptext_stringctx sc;
627
628 if (EC_ATINF(&Y->Q)) return ("inf");
629 setupstr(&sc);
630 EC_OUT(g->ei.c, &T, &Y->Q);
631 addfestr(f, T.x, &sc);
632 addlitstr(", ", &sc);
633 addfestr(f, T.y, &sc);
634 EC_DESTROY(&T);
635 return (donestr(&sc));
636}
637#endif
638
639static void ecdh_freege(const dhgrp *gg, dhge *YY)
640 { ecdh_ge *Y = (ecdh_ge *)YY; EC_DESTROY(&Y->Q); DESTROY(Y); }
641
26936c83
MW		 642/*----- The X25519 and similar groups -------------------------------------*/
643
644#define XDHS(_) \
645 _(x25519, X25519, "curve25519", 252, 255) \
646 _(x448, X448, "ed448-goldilocks", 446, 448)
647
648#ifdef NTRACE
649# define XDHTRACE(xdh, XDH, gname)
650#else
651
652 static const char *binstr(const octet *p, size_t sz)
653 {
654 char *q;
655
656 for (q = (char *)buf_u; sz--; p++, q += 2) sprintf(q, "%02x", *p);
657 return ((const char *)buf_u);
658 }
659
660# define XDHTRACE(xdh, XDH, gname) \
661 static void xdh##_tracegrp(const dhgrp *g) \
662 { trace(T_CRYPTO, "crypto: group type `" gname "'"); } \
663 \
664 static const char *xdh##_scstr(const dhgrp *g, const dhsc *xx) \
665 { \
666 const xdh##_sc *x = (const xdh##_sc *)xx; \
667 return (binstr(x->x, XDH##_KEYSZ)); \
668 } \
669 \
670 static const char *xdh##_gestr(const dhgrp *g, const dhge *YY) \
671 { \
672 const xdh##_ge *Y = (const xdh##_ge *)YY; \
673 return (binstr(Y->X, XDH##_PUBSZ)); \
674 }
675#endif
676
677#define XDHDEF(xdh, XDH, gname, groupbits, fieldbits) \
678 \
679 typedef struct xdh##_sc { octet x[XDH##_KEYSZ]; } xdh##_sc; \
680 typedef struct xdh##_ge { octet X[XDH##_PUBSZ]; } xdh##_ge; \
681 \
682 XDHTRACE(xdh, XDH, gname) \
683 \
684 static dhsc *xdh##_bintosc(const key_bin *b) \
685 { \
686 xdh##_sc *x; \
687 \
688 if (b->sz != XDH##_KEYSZ) return (0); \
689 x = CREATE(xdh##_sc); \
690 memcpy(x->x, b->k, XDH##_KEYSZ); \
691 return ((dhsc *)x); \
692 } \
693 \
694 static dhge *xdh##_bintoge(const key_bin *b) \
695 { \
696 xdh##_ge *Y; \
697 \
698 if (b->sz != XDH##_PUBSZ) return (0); \
699 Y = CREATE(xdh##_ge); \
700 memcpy(Y->X, b->k, XDH##_PUBSZ); \
701 return ((dhge *)Y); \
702 } \
703 \
704 KLOAD(xdh, xdh, XDH, \
9dd1db76
MW		 705 { kd->grp = CREATE(dhgrp); \
706 kd->grp->scsz = XDH##_KEYSZ; \
707 }, \
26936c83
MW		 708 { if ((kd->k = xdh##_bintosc(&p.priv)) == 0) { \
709 a_format(e, "bad-private-key", A_END); \
710 goto fail; \
711 } \
712 }, \
713 { if ((kd->K = xdh##_bintoge(&p.pub)) == 0) { \
714 a_format(e, "bad-public-vector", A_END); \
715 goto fail; \
716 } \
717 }) \
718 \
719 static const char *xdh##_checkgrp(const dhgrp *g) \
720 { return (0); } \
721 \
722 static void xdh##_grpinfo(const dhgrp *g, admin *adm) \
723 { \
724 a_info(adm, \
725 "kx-group=" gname, \
726 "kx-group-order-bits=%d", (groupbits), \
727 "kx-group-elt-bits=%d", (fieldbits), \
728 A_END); \
729 } \
730 \
731 static int xdh##_samegrpp(const dhgrp *g, const dhgrp *hh) \
732 { return (1); } \
733 \
734 static void xdh##_freegrp(dhgrp *g) \
735 { DESTROY(g); } \
736 \
737 static dhsc *xdh##_ldsc(const dhgrp *g, const void *p, size_t sz) \
738 { \
739 xdh##_sc *x; \
740 if (sz != XDH##_KEYSZ) return (0); \
741 x = CREATE(xdh##_sc); \
742 memcpy(x->x, p, XDH##_KEYSZ); \
743 return ((dhsc *)x); \
744 } \
745 \
746 static int xdh##_stsc(const dhgrp *g, void *p, size_t sz, \
747 const dhsc *xx) \
748 { \
749 const xdh##_sc *x = (const xdh##_sc *)xx; \
750 if (sz != XDH##_KEYSZ) return (-1); \
751 memcpy(p, x->x, XDH##_KEYSZ); \
752 return (0); \
753 } \
754 \
755 static dhsc *xdh##_randsc(const dhgrp *g) \
756 { \
757 xdh##_sc *x = CREATE(xdh##_sc); \
758 rand_get(RAND_GLOBAL, x->x, XDH##_KEYSZ); \
759 return ((dhsc *)x); \
760 } \
761 \
762 static void xdh##_freesc(const dhgrp *g, dhsc *xx) \
763 { xdh##_sc *x = (xdh##_sc *)xx; DESTROY(x); } \
764 \
765 static dhge *xdh##_ldge(const dhgrp *g, buf *b, int fmt) \
766 { \
767 xdh##_ge *Y; \
768 const octet *p; \
769 \
770 if ((p = buf_get(b, XDH##_PUBSZ)) == 0) return (0); \
771 Y = CREATE(xdh##_ge); memcpy(Y->X, p, XDH##_PUBSZ); \
772 return ((dhge *)Y); \
773 } \
774 \
775 static int xdh##_stge(const dhgrp *g, buf *b, \
776 const dhge *YY, int fmt) \
777 { \
778 const xdh##_ge *Y = (const xdh##_ge *)YY; \
779 return (buf_put(b, Y->X, XDH##_PUBSZ)); \
780 } \
781 \
782 static int xdh##_checkge(const dhgrp *g, const dhge *YY) \
783 { return (0); } \
784 \
785 static int xdh##_eq(const dhgrp *g, const dhge *YY, const dhge *ZZ) \
786 { \
787 const xdh##_ge \
788 *Y = (const xdh##_ge *)YY, *Z = (const xdh##_ge *)ZZ; \
789 return (ct_memeq(Y->X, Z->X, XDH##_PUBSZ)); \
790 } \
791 \
792 static dhge *xdh##_mul(const dhgrp *g, \
793 const dhsc *xx, const dhge *YY) \
794 { \
795 const xdh##_sc *x = (const xdh##_sc *)xx; \
796 const xdh##_ge *Y = (const xdh##_ge *)YY; \
797 xdh##_ge *Z = CREATE(xdh##_ge); \
798 \
799 xdh(Z->X, x->x, Y ? Y->X : xdh##_base); \
800 return ((dhge *)Z); \
801 } \
802 \
803 static void xdh##_freege(const dhgrp *g, dhge *YY) \
804 { xdh##_ge *Y = (xdh##_ge *)YY; DESTROY(Y); }
805
806XDHS(XDHDEF)
807
808#undef XDHDEF
809
5b9f3d37
MW		 810/*----- Diffie--Hellman group table ---------------------------------------*/
811
812const dhops dhtab[] = {
813
814#define COMMA ,
815
816#define DH(name, pre) \
817 { name, pre##_ldpriv, pre##_ldpub, pre##_checkgrp, \
818 pre##_grpinfo, T( pre##_tracegrp COMMA ) pre##_samegrpp, \
819 pre##_freegrp, \
820 pre##_ldsc, pre##_stsc, pre##_randsc, T( pre##_scstr COMMA ) \
821 pre##_freesc, \
822 pre##_ldge, pre##_stge, pre##_checkge, pre##_eq, pre##_mul, \
823 T( pre##_gestr COMMA ) pre##_freege }, \
824
825 DH("dh", intdh)
826 DH("ec", ecdh)
827
26936c83
MW		 828#define XDHDH(xdh, XDH, gname, groupbits, fieldbits) DH(#xdh, xdh)
829 XDHS(XDHDH)
830#undef XDHDH
831
5b9f3d37
MW		 832#undef DH
833
834 { 0 }
835};
836
837/*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN