[tripe] / server / dh.c

/* -*-c-*-
 *
 * Diffie--Hellman groups
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * TrIPE is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with TrIPE; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Common utilities --------------------------------------------------*/

/* --- @KLOAD@ --- *
 *
 * Arguments:	@pre@ = prefix for defined functions
 *		@ty@, @TY@ = key type name (lower- and upper-case)
 *		@setgroup@ = code to initialize @kd->g@
 *		@setpriv@ = code to initialize @kd->kpriv@
 *		@setpub@ = code to initialize @kd->kpub@
 *
 * Use:		Generates the body of one of the (rather tedious) key loading
 *		functions.  See the description of @KEYTYPES@ below for the
 *		details.
 */

#define KLOAD_HALF(pre, ty, TY, which, WHICH, setgroup, setpriv, setpub) \
static int pre##_ld##which(key_file *kf, key *k, key_data *d,		\
			   kdata *kd, dstr *t, dstr *e)			\
{									\
  key_packstruct kps[TY##_##WHICH##FETCHSZ];				\
  key_packdef *kp;							\
  ty##_##which p;							\
  int rc;								\
									\
  /* --- Initialize things we've not set up yet --- */			\
									\
  kd->grp = 0; kd->k = 0; kd->K = 0;					\
									\
  /* --- Unpack the key --- */						\
									\
  kp = key_fetchinit(ty##_##which##fetch, kps, &p);			\
  if ((rc = key_unpack(kp, d, t)) != 0) {				\
    a_format(e, "unpack-failed", "%s", key_strerror(rc), A_END);	\
    goto fail;								\
  }									\
									\
  /* --- Extract the pieces of the key --- */				\
									\
  setgroup;								\
  setpriv;								\
  setpub;								\
									\
  /* --- We win --- */							\
									\
  rc = 0;								\
  goto done;								\
									\
fail:									\
  if (kd->grp) {							\
    if (kd->K) pre##_freege(kd->grp, kd->K);				\
    if (kd->k) pre##_freesc(kd->grp, kd->k);				\
    pre##_freegrp(kd->grp);						\
  }									\
  rc = -1;								\
									\
done:									\
  key_fetchdone(kp);							\
  return (rc);								\
}

#define KLOAD(pre, ty, TY, setgroup, setpriv, setpub)			\
static void pre##_freegrp(dhgrp *); \
static void pre##_freesc(const dhgrp *, dhsc *); \
static void pre##_freege(const dhgrp *, dhge *); \
  KLOAD_HALF(pre, ty, TY, priv, PRIV, setgroup, setpriv, setpub)	\
  KLOAD_HALF(pre, ty, TY, pub, PUB, setgroup, { kd->k = 0; }, setpub)

#ifndef NTRACE
static void setupstr(mptext_stringctx *sc)
  { sc->buf = (char *)buf_u; sc->lim = sc->buf + sizeof(buf_u); }

static const char *donestr(mptext_stringctx *sc)
  { *sc->buf = 0; return ((const char *)buf_u); }

static void addlitstr(const char *p, mptext_stringctx *sc)
  { mptext_stringops.put(p, strlen(p), sc); }

static void addmpstr(mp *x, int radix, mptext_stringctx *sc)
{
  char b[12];

  if (radix == 16) addlitstr("0x", sc);
  else if (radix == 8) addlitstr("0", sc);
  else if (radix != 10) { sprintf(b, "%d#", radix); addlitstr(b, sc); }
  mp_write(x, radix, &mptext_stringops, sc);
}

static const char *mpstr(mp *x, int radix)
{
  mptext_stringctx sc;

  setupstr(&sc);
  addmpstr(x, radix, &sc);
  return (donestr(&sc));
}
#endif

/*----- Schnorr groups ----------------------------------------------------*/

typedef struct intdh_grp {
  dhgrp _g;
  mpmont mm;
  mp *q, *G;
  size_t gesz;
} intdh_grp;

typedef struct intdh_sc { mp *x; } intdh_sc;
typedef struct intdh_ge { mp *X; } intdh_ge;

static dhgrp *intdh_mkgroup(const dh_param *dp)
{
  intdh_grp *g = CREATE(intdh_grp);
  g->_g.scsz = mp_octets(dp->q);
  g->gesz = mp_octets(dp->p);
  mpmont_create(&g->mm, dp->p);
  g->q = MP_COPY(dp->q);
  g->G = mpmont_mul(&g->mm, MP_NEW, dp->g, g->mm.r2);
  return (&g->_g);
}

static dhsc *intdh_mptosc(const dhgrp *gg, mp *z)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  intdh_sc *x = CREATE(intdh_sc);
  x->x = MP_NEW; mp_div(0, &x->x, z, g->q);
  return ((dhsc *)x);
}

static dhge *intdh_mptoge(const dhgrp *gg, mp *z)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  intdh_ge *Y = CREATE(intdh_ge);
  mp *t = MP_NEW; mp_div(0, &t, z, g->mm.m);
  Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2);
  return ((dhge *)Y);
}

KLOAD(intdh, dh, DH,
      { kd->grp = intdh_mkgroup(&p.dp); },
      { kd->k = intdh_mptosc(kd->grp, p.x); },
      { kd->K = intdh_mptoge(kd->grp, p.y); })

static const char *intdh_checkgrp(const dhgrp *gg)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  mp *t = MP_NEW;

  if (!pgen_primep(g->mm.m, &rand_global)) return ("p is not prime");
  if (!pgen_primep(g->q, &rand_global)) return ("q is not prime");
  mp_div(0, &t, g->mm.m, g->q);
  if (!MP_EQ(t, MP_ONE)) return ("q is not a subgroup order");
  t = mpmont_expr(&g->mm, t, g->G, g->q);
  if (!MP_EQ(t, g->mm.r)) return ("g not in the subgroup");
  return (0);
}

static void intdh_grpinfo(const dhgrp *gg, admin *adm)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  a_info(adm,
	 "kx-group=prime",
	 "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->q),
	 "kx-group-elt-bits=%lu", (unsigned long)mp_bits(g->mm.m),
	 A_END);
}

#ifndef NTRACE
static void intdh_tracegrp(const dhgrp *gg)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  mp *t = MP_NEW;
  trace(T_CRYPTO, "crypto: group type `dh'");
  trace(T_CRYPTO, "crypto: p = %s", mpstr(g->mm.m, 10));
  trace(T_CRYPTO, "crypto: q = %s", mpstr(g->q, 10));
  t = mpmont_reduce(&g->mm, t, g->G);
  trace(T_CRYPTO, "crypto: g = %s", mpstr(t, 10));
  MP_DROP(t);
}
#endif

static int intdh_samegrpp(const dhgrp *gg, const dhgrp *hh)
{
  const intdh_grp *g = (const intdh_grp *)gg, *h = (const intdh_grp *)hh;
  return (MP_EQ(g->mm.m, h->mm.m) && MP_EQ(g->q, h->q) && MP_EQ(g->G, h->G));
}

static void intdh_freegrp(dhgrp *gg)
{
  intdh_grp *g = (intdh_grp *)gg;
  mpmont_destroy(&g->mm); MP_DROP(g->q); MP_DROP(g->G);
  DESTROY(g);
}

static dhsc *intdh_ldsc(const dhgrp *gg, const void *p, size_t sz)
{ const intdh_grp *g = (const intdh_grp *)gg;
  intdh_sc *x = CREATE(intdh_sc);
  mp *t = mp_loadb(MP_NEW, p, sz);
  mp_div(0, &t, t, g->q); x->x = t;
  return ((dhsc *)x);
}

static int intdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx)
{
  const intdh_sc *x = (const intdh_sc *)xx;
  mp_storeb(x->x, p, sz);
  return (0);
}

static dhsc *intdh_randsc(const dhgrp *gg)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  intdh_sc *x = CREATE(intdh_sc);
  x->x = mprand_range(MP_NEW, g->q, &rand_global, 0);
  return ((dhsc *)x);
}

#ifndef NTRACE
static const char *intdh_scstr(const dhgrp *gg, const dhsc *xx)
  { const intdh_sc *x = (const intdh_sc *)xx; return (mpstr(x->x, 10)); }
#endif

static void intdh_freesc(const dhgrp *gg, dhsc *xx)
{
  intdh_sc *x = (intdh_sc *)xx;
  MP_DROP(x->x); DESTROY(x);
}

static dhge *intdh_ldge(const dhgrp *gg, buf *b, int fmt)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  intdh_ge *Y;
  mp *t;
  const octet *p;

  switch (fmt) {
    case DHFMT_VAR: case DHFMT_HASH:
      if ((t = buf_getmp(b)) == 0) return (0);
      break;
    case DHFMT_STD:
      if ((p = buf_get(b, g->gesz)) == 0) return (0);
      t = mp_loadb(MP_NEW, p, g->gesz);
      break;
    default:
      abort();
  }
  Y = CREATE(intdh_ge);
  mp_div(0, &t, t, g->mm.m);
  Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2);
  return ((dhge *)Y);
}

static int intdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  const intdh_ge *Y = (const intdh_ge *)YY;
  octet *p;
  mp *t;
  int rc;

  t = mpmont_reduce(&g->mm, MP_NEW, Y->X);
  switch (fmt) {
    case DHFMT_VAR: case DHFMT_HASH:
      rc = buf_putmp(b, t);
      break;
    case DHFMT_STD:
      if ((p = buf_get(b, g->gesz)) == 0)
	rc = -1;
      else {
	mp_storeb(t, p, g->gesz);
	rc = 0;
      }
      break;
    default:
      abort();
  }
  MP_DROP(t);
  return (rc);
}

static int intdh_checkge(const dhgrp *gg, const dhge *YY)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  const intdh_ge *Y = (const intdh_ge *)YY;
  mp *T;
  int rc = 0;

  if (MP_EQ(Y->X, g->mm.r)) rc = -1;
  T = mpmont_expr(&g->mm, MP_NEW, Y->X, g->q);
  if (!MP_EQ(T, g->mm.r)) rc = -1;
  MP_DROP(T);
  return (rc);
}

static int intdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ)
{
  const intdh_ge *Y = (const intdh_ge *)YY, *Z = (const intdh_ge *)ZZ;
  return (MP_EQ(Y->X, Z->X));
}

static dhge *intdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  const intdh_sc *x = (const intdh_sc *)xx;
  const intdh_ge *Y = (const intdh_ge *)YY;
  intdh_ge *Z = CREATE(intdh_ge);

  Z->X = mpmont_expr(&g->mm, MP_NEW, Y ? Y->X : g->G, x->x);
  return ((dhge *)Z);
}

#ifndef NTRACE
static const char *intdh_gestr(const dhgrp *gg, const dhge *YY)
{
  const intdh_grp *g = (const intdh_grp *)gg;
  const intdh_ge *Y = (const intdh_ge *)YY;
  mp *t = mpmont_reduce(&g->mm, MP_NEW, Y->X);
  const char *p = mpstr(t, 10);
  MP_DROP(t);
  return (p);
}
#endif

static void intdh_freege(const dhgrp *gg, dhge *YY)
  { intdh_ge *Y = (intdh_ge *)YY; MP_DROP(Y->X); DESTROY(Y); }

/*----- Elliptic curve groups ---------------------------------------------*/

typedef struct ecdh_grp {
  dhgrp _g;
  ec_info ei;
  ec P;
} ecdh_grp;

typedef struct ecdh_sc { mp *x; } ecdh_sc;
typedef struct ecdh_ge { ec Q; } ecdh_ge;

static dhgrp *ecdh_mkgroup(const char *cstr, dstr *e)
{
  ecdh_grp *g;
  ec_info ei;
  const char *err;

  if ((err = ec_getinfo(&ei, cstr)) != 0) {
    a_format(e, "decode-failed", "%s", err, A_END);
    return (0);
  }
  g = CREATE(ecdh_grp);
  g->ei = ei;
  EC_CREATE(&g->P); EC_IN(g->ei.c, &g->P, &g->ei.g);
  g->_g.scsz = mp_octets(g->ei.r);
  return (&g->_g);
}

static dhsc *ecdh_mptosc(const dhgrp *gg, mp *z)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  ecdh_sc *x = CREATE(ecdh_sc);
  x->x = MP_NEW; mp_div(0, &x->x, z, g->ei.r);
  return ((dhsc *)x);
}

static dhge *ecdh_ectoge(const dhgrp *gg, ec *Q)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  ecdh_ge *Y = CREATE(ecdh_ge); EC_CREATE(&Y->Q);
  EC_IN(g->ei.c, &Y->Q, Q);
  if (EC_CHECK(g->ei.c, &Y->Q))
    { EC_DESTROY(&Y->Q); DESTROY(Y); return (0); }
  return ((dhge *)Y);
}

KLOAD(ecdh, ec, EC,
      { if ((kd->grp = ecdh_mkgroup(p.cstr, e)) == 0) goto fail; },
      { kd->k = ecdh_mptosc(kd->grp, p.x); },
      { if ((kd->K = ecdh_ectoge(kd->grp, &p.p)) == 0) {
	  a_format(e, "bad-public-vector", A_END);
	  goto fail;
	}
      })

static const char *ecdh_checkgrp(const dhgrp *gg)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  return (ec_checkinfo(&g->ei, &rand_global));
}

static void ecdh_grpinfo(const dhgrp *gg, admin *adm)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  a_info(adm,
	 "kx-group=ec",
	 "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->ei.r),
	 "kx-group-elt-bits=%lu", (unsigned long)2*g->ei.c->f->nbits,
	 A_END);
}

#ifndef NTRACE
static void addfestr(field *f, mp *x, mptext_stringctx *sc)
  { addmpstr(x, F_TYPE(f) == FTY_PRIME ? 10 : 16, sc); }

static void addintfestr(field *f, mp *x, mptext_stringctx *sc)
  { mp *t = F_OUT(f, MP_NEW, x); addfestr(f, x, sc); MP_DROP(t); }

static const char *intfestr(field *f, mp *x)
{
  mptext_stringctx sc;
  setupstr(&sc);
  addintfestr(f, x, &sc);
  return (donestr(&sc));
}

static void ecdh_tracegrp(const dhgrp *gg)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  const ec_curve *c = g->ei.c;
  field *f = c->f;

  trace(T_CRYPTO, "crypto: group type `ec'");
  switch (F_TYPE(f)) {
    case FTY_PRIME:
      trace(T_CRYPTO, "crypto: prime field `%s'", F_NAME(f));
      trace(T_CRYPTO, "crypto: p = %s", mpstr(f->q, 10));
      break;
    case FTY_BINARY:
      trace(T_CRYPTO, "crypto: binary field `%s'", F_NAME(f));
      trace(T_CRYPTO, "crypto: degree = %lu", f->nbits - 1);
      break;
    default:
      trace(T_CRYPTO, "crypto: unknown field type! `%s'", F_NAME(f));
      break;
  }
  trace(T_CRYPTO, "crypto: curve type `%s'", EC_NAME(c));
  trace(T_CRYPTO, "crypto: curve a = %s", intfestr(f, c->a));
  trace(T_CRYPTO, "crypto: curve b = %s", intfestr(f, c->b));
  trace(T_CRYPTO, "crypto: n = %s", mpstr(g->ei.r, 10));
  trace(T_CRYPTO, "crypto: h = %s", mpstr(g->ei.h, 10));
}
#endif

static int ecdh_samegrpp(const dhgrp *gg, const dhgrp *hh)
{
  const ecdh_grp *g = (const ecdh_grp *)gg, *h = (const ecdh_grp *)hh;
  return (ec_sameinfop(&g->ei, &h->ei));
}

static void ecdh_freegrp(dhgrp *gg)
{
  ecdh_grp *g = (ecdh_grp *)gg;
  EC_DESTROY(&g->P); ec_freeinfo(&g->ei);
  DESTROY(g);
}

static dhsc *ecdh_ldsc(const dhgrp *gg, const void *p, size_t sz)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  ecdh_sc *x = CREATE(ecdh_sc);
  mp *t = mp_loadb(MP_NEW, p, sz);
  mp_div(0, &t, t, g->ei.r); x->x = t;
  return ((dhsc *)x);
}

static int ecdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx)
{
  const ecdh_sc *x = (const ecdh_sc *)xx;
  mp_storeb(x->x, p, sz);
  return (0);
}

static dhsc *ecdh_randsc(const dhgrp *gg)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  ecdh_sc *x = CREATE(ecdh_sc);
  x->x = mprand_range(MP_NEW, g->ei.r, &rand_global, 0);
  return ((dhsc *)x);
}

#ifndef NTRACE
static const char *ecdh_scstr(const dhgrp *gg, const dhsc *xx)
{
  const ecdh_sc *x = (const ecdh_sc *)xx;
  return (mpstr(x->x, 10));
}
#endif

static void ecdh_freesc(const dhgrp *gg, dhsc *xx)
  { ecdh_sc *x = (ecdh_sc *)xx; MP_DROP(x->x); DESTROY(x); }

static dhge *ecdh_ldge(const dhgrp *gg, buf *b, int fmt)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  ecdh_ge *Y;
  ec T = EC_INIT;

  switch (fmt) {
    case DHFMT_VAR: case DHFMT_HASH: if (buf_getec(b, &T)) return (0); break;
    case DHFMT_STD: if (ec_getraw(g->ei.c, b, &T)) return (0); break;
    default:
      abort();
  }
  EC_IN(g->ei.c, &T, &T);
  Y = CREATE(ecdh_ge); Y->Q = T;
  return ((dhge *)Y);
}

static int ecdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  const ecdh_ge *Y = (const ecdh_ge *)YY;
  ec T = EC_INIT;
  int rc;

  EC_OUT(g->ei.c, &T, &Y->Q);
  switch (fmt) {
    case DHFMT_VAR: case DHFMT_HASH: rc = buf_putec(b, &T); break;
    case DHFMT_STD: rc = ec_putraw(g->ei.c, b, &T); break;
    default: abort();
  }
  EC_DESTROY(&T);
  return (rc);
}

static int ecdh_checkge(const dhgrp *gg, const dhge *YY)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  const ecdh_ge *Y = (const ecdh_ge *)YY;
  ec T = EC_INIT;
  int rc = 0;

  if (EC_ATINF(&Y->Q)) rc = -1;
  ec_imul(g->ei.c, &T, &Y->Q, g->ei.r);
  if (!EC_ATINF(&T)) rc = -1;
  EC_DESTROY(&T);
  return (rc);
}

static int ecdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  const ecdh_ge *Y = (const ecdh_ge *)YY, *Z = (const ecdh_ge *)ZZ;
  ec T = EC_INIT, U = EC_INIT; int rc;
  EC_FIX(g->ei.c, &T, &Y->Q); EC_FIX(g->ei.c, &U, &Z->Q);
  rc = EC_EQ(&T, &U);
  EC_DESTROY(&T); EC_DESTROY(&U);
  return (rc);
}

static dhge *ecdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  const ecdh_sc *x = (const ecdh_sc *)xx;
  const ecdh_ge *Y = (const ecdh_ge *)YY;
  ecdh_ge *Z = CREATE(ecdh_ge); EC_CREATE(&Z->Q);

  ec_imul(g->ei.c, &Z->Q, Y ? &Y->Q : &g->P, x->x);
  return ((dhge *)Z);
}

#ifndef NTRACE
static const char *ecdh_gestr(const dhgrp *gg, const dhge *YY)
{
  const ecdh_grp *g = (const ecdh_grp *)gg;
  const ecdh_ge *Y = (const ecdh_ge *)YY;
  ec T = EC_INIT;
  field *f = g->ei.c->f;
  mptext_stringctx sc;

  if (EC_ATINF(&Y->Q)) return ("inf");
  setupstr(&sc);
  EC_OUT(g->ei.c, &T, &Y->Q);
  addfestr(f, T.x, &sc);
  addlitstr(", ", &sc);
  addfestr(f, T.y, &sc);
  EC_DESTROY(&T);
  return (donestr(&sc));
}
#endif

static void ecdh_freege(const dhgrp *gg, dhge *YY)
  { ecdh_ge *Y = (ecdh_ge *)YY; EC_DESTROY(&Y->Q); DESTROY(Y); }

/*----- Diffie--Hellman group table ---------------------------------------*/

const dhops dhtab[] = {

#define COMMA ,

#define DH(name, pre)							\
  { name, pre##_ldpriv, pre##_ldpub, pre##_checkgrp,			\
    pre##_grpinfo, T( pre##_tracegrp COMMA ) pre##_samegrpp,		\
    pre##_freegrp,							\
    pre##_ldsc, pre##_stsc, pre##_randsc, T( pre##_scstr COMMA )	\
    pre##_freesc,							\
    pre##_ldge, pre##_stge, pre##_checkge, pre##_eq, pre##_mul,		\
    T( pre##_gestr COMMA ) pre##_freege },				\

  DH("dh", intdh)
  DH("ec", ecdh)

#undef DH

  { 0 }
};

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
5b9f3d37 MW	1	/* --c--
	2	*
	3	* Diffie--Hellman groups
	4	*
	5	* (c) 2017 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Trivial IP Encryption (TrIPE).
	11	*
	12	* TrIPE is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU General Public License as published by
	14	* the Free Software Foundation; either version 2 of the License, or
	15	* (at your option) any later version.
	16	*
	17	* TrIPE is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU General Public License
	23	* along with TrIPE; if not, write to the Free Software Foundation,
	24	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25	*/
	26
	27	/----- Header files ------------------------------------------------------/
	28
	29	#include "tripe.h"
	30
	31	/----- Common utilities --------------------------------------------------/
	32
	33	/* --- @KLOAD@ --- *
	34	*
	35	* Arguments: @pre@ = prefix for defined functions
	36	* @ty@, @TY@ = key type name (lower- and upper-case)
	37	* @setgroup@ = code to initialize @kd->g@
	38	* @setpriv@ = code to initialize @kd->kpriv@
	39	* @setpub@ = code to initialize @kd->kpub@
	40	*
	41	* Use: Generates the body of one of the (rather tedious) key loading
	42	* functions. See the description of @KEYTYPES@ below for the
	43	* details.
	44	*/
	45
	46	#define KLOAD_HALF(pre, ty, TY, which, WHICH, setgroup, setpriv, setpub) \
	47	static int pre##_ld##which(key_file kf, key k, key_data *d, \
	48	kdata kd, dstr t, dstr *e) \
	49	{ \
	50	key_packstruct kps[TY##_##WHICH##FETCHSZ]; \
	51	key_packdef *kp; \
	52	ty##_##which p; \
	53	int rc; \
	54	\
	55	/* --- Initialize things we've not set up yet --- */ \
	56	\
	57	kd->grp = 0; kd->k = 0; kd->K = 0; \
	58	\
	59	/* --- Unpack the key --- */ \
	60	\
	61	kp = key_fetchinit(ty##_##which##fetch, kps, &p); \
	62	if ((rc = key_unpack(kp, d, t)) != 0) { \
	63	a_format(e, "unpack-failed", "%s", key_strerror(rc), A_END); \
	64	goto fail; \
65	} \
66	\
67	/* --- Extract the pieces of the key --- */ \
68	\
69	setgroup; \
70	setpriv; \
71	setpub; \
72	\
73	/* --- We win --- */ \
74	\
75	rc = 0; \
76	goto done; \
77	\
78	fail: \
79	if (kd->grp) { \
80	if (kd->K) pre##_freege(kd->grp, kd->K); \
81	if (kd->k) pre##_freesc(kd->grp, kd->k); \
82	pre##_freegrp(kd->grp); \
83	} \
84	rc = -1; \
85	\
86	done: \
87	key_fetchdone(kp); \
88	return (rc); \
89	}
90
91	#define KLOAD(pre, ty, TY, setgroup, setpriv, setpub) \
92	static void pre##_freegrp(dhgrp *); \
93	static void pre##_freesc(const dhgrp , dhsc ); \
94	static void pre##_freege(const dhgrp , dhge ); \
95	KLOAD_HALF(pre, ty, TY, priv, PRIV, setgroup, setpriv, setpub) \
96	KLOAD_HALF(pre, ty, TY, pub, PUB, setgroup, { kd->k = 0; }, setpub)
97
98	#ifndef NTRACE
99	static void setupstr(mptext_stringctx *sc)
100	{ sc->buf = (char *)buf_u; sc->lim = sc->buf + sizeof(buf_u); }
101
102	static const char donestr(mptext_stringctx sc)
103	{ sc->buf = 0; return ((const char )buf_u); }
104
105	static void addlitstr(const char p, mptext_stringctx sc)
106	{ mptext_stringops.put(p, strlen(p), sc); }
107
108	static void addmpstr(mp x, int radix, mptext_stringctx sc)
109	{
110	char b[12];
111
112	if (radix == 16) addlitstr("0x", sc);
113	else if (radix == 8) addlitstr("0", sc);
114	else if (radix != 10) { sprintf(b, "%d#", radix); addlitstr(b, sc); }
115	mp_write(x, radix, &mptext_stringops, sc);
116	}
117
118	static const char mpstr(mp x, int radix)
119	{
120	mptext_stringctx sc;
121
122	setupstr(&sc);
123	addmpstr(x, radix, &sc);
124	return (donestr(&sc));
125	}
126	#endif
127
128	/----- Schnorr groups ----------------------------------------------------/
129
130	typedef struct intdh_grp {
131	dhgrp _g;
132	mpmont mm;
133	mp q, G;
134	size_t gesz;
135	} intdh_grp;
136
137	typedef struct intdh_sc { mp *x; } intdh_sc;
138	typedef struct intdh_ge { mp *X; } intdh_ge;
139
140	static dhgrp intdh_mkgroup(const dh_param dp)
141	{
142	intdh_grp *g = CREATE(intdh_grp);
143	g->_g.scsz = mp_octets(dp->q);
144	g->gesz = mp_octets(dp->p);
145	mpmont_create(&g->mm, dp->p);
146	g->q = MP_COPY(dp->q);
147	g->G = mpmont_mul(&g->mm, MP_NEW, dp->g, g->mm.r2);
148	return (&g->_g);
149	}
150
151	static dhsc intdh_mptosc(const dhgrp gg, mp *z)
152	{
153	const intdh_grp g = (const intdh_grp )gg;
154	intdh_sc *x = CREATE(intdh_sc);
155	x->x = MP_NEW; mp_div(0, &x->x, z, g->q);
156	return ((dhsc *)x);
157	}
158
159	static dhge intdh_mptoge(const dhgrp gg, mp *z)
160	{
161	const intdh_grp g = (const intdh_grp )gg;
162	intdh_ge *Y = CREATE(intdh_ge);
163	mp *t = MP_NEW; mp_div(0, &t, z, g->mm.m);
164	Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2);
165	return ((dhge *)Y);
166	}
167
168	KLOAD(intdh, dh, DH,
169	{ kd->grp = intdh_mkgroup(&p.dp); },
170	{ kd->k = intdh_mptosc(kd->grp, p.x); },
171	{ kd->K = intdh_mptoge(kd->grp, p.y); })
172
173	static const char intdh_checkgrp(const dhgrp gg)
174	{
175	const intdh_grp g = (const intdh_grp )gg;
176	mp *t = MP_NEW;
177
178	if (!pgen_primep(g->mm.m, &rand_global)) return ("p is not prime");
179	if (!pgen_primep(g->q, &rand_global)) return ("q is not prime");
180	mp_div(0, &t, g->mm.m, g->q);
181	if (!MP_EQ(t, MP_ONE)) return ("q is not a subgroup order");
182	t = mpmont_expr(&g->mm, t, g->G, g->q);
183	if (!MP_EQ(t, g->mm.r)) return ("g not in the subgroup");
184	return (0);
185	}
186
187	static void intdh_grpinfo(const dhgrp gg, admin adm)
188	{
189	const intdh_grp g = (const intdh_grp )gg;
190	a_info(adm,
191	"kx-group=prime",
192	"kx-group-order-bits=%lu", (unsigned long)mp_bits(g->q),
193	"kx-group-elt-bits=%lu", (unsigned long)mp_bits(g->mm.m),
194	A_END);
195	}
196
197	#ifndef NTRACE
198	static void intdh_tracegrp(const dhgrp *gg)
199	{
200	const intdh_grp g = (const intdh_grp )gg;
201	mp *t = MP_NEW;
202	trace(T_CRYPTO, "crypto: group type `dh'");
203	trace(T_CRYPTO, "crypto: p = %s", mpstr(g->mm.m, 10));
204	trace(T_CRYPTO, "crypto: q = %s", mpstr(g->q, 10));
205	t = mpmont_reduce(&g->mm, t, g->G);
206	trace(T_CRYPTO, "crypto: g = %s", mpstr(t, 10));
207	MP_DROP(t);
208	}
209	#endif
210
211	static int intdh_samegrpp(const dhgrp gg, const dhgrp hh)
212	{
213	const intdh_grp g = (const intdh_grp )gg, h = (const intdh_grp )hh;
214	return (MP_EQ(g->mm.m, h->mm.m) && MP_EQ(g->q, h->q) && MP_EQ(g->G, h->G));
215	}
216
217	static void intdh_freegrp(dhgrp *gg)
218	{
219	intdh_grp g = (intdh_grp )gg;
220	mpmont_destroy(&g->mm); MP_DROP(g->q); MP_DROP(g->G);
221	DESTROY(g);
222	}
223
224	static dhsc intdh_ldsc(const dhgrp gg, const void *p, size_t sz)
225	{ const intdh_grp g = (const intdh_grp )gg;
226	intdh_sc *x = CREATE(intdh_sc);
227	mp *t = mp_loadb(MP_NEW, p, sz);
228	mp_div(0, &t, t, g->q); x->x = t;
229	return ((dhsc *)x);
230	}
231
232	static int intdh_stsc(const dhgrp gg, void p, size_t sz, const dhsc *xx)
233	{
234	const intdh_sc x = (const intdh_sc )xx;
235	mp_storeb(x->x, p, sz);
236	return (0);
237	}
238
239	static dhsc intdh_randsc(const dhgrp gg)
240	{
241	const intdh_grp g = (const intdh_grp )gg;
242	intdh_sc *x = CREATE(intdh_sc);
243	x->x = mprand_range(MP_NEW, g->q, &rand_global, 0);
244	return ((dhsc *)x);
245	}
246
247	#ifndef NTRACE
248	static const char intdh_scstr(const dhgrp gg, const dhsc *xx)
249	{ const intdh_sc x = (const intdh_sc )xx; return (mpstr(x->x, 10)); }
250	#endif
251
252	static void intdh_freesc(const dhgrp gg, dhsc xx)
253	{
254	intdh_sc x = (intdh_sc )xx;
255	MP_DROP(x->x); DESTROY(x);
256	}
257
258	static dhge intdh_ldge(const dhgrp gg, buf *b, int fmt)
259	{
260	const intdh_grp g = (const intdh_grp )gg;
261	intdh_ge *Y;
262	mp *t;
263	const octet *p;
264
265	switch (fmt) {
266	case DHFMT_VAR: case DHFMT_HASH:
267	if ((t = buf_getmp(b)) == 0) return (0);
268	break;
269	case DHFMT_STD:
270	if ((p = buf_get(b, g->gesz)) == 0) return (0);
271	t = mp_loadb(MP_NEW, p, g->gesz);
272	break;
273	default:
274	abort();
275	}
276	Y = CREATE(intdh_ge);
277	mp_div(0, &t, t, g->mm.m);
278	Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2);
279	return ((dhge *)Y);
280	}
281
282	static int intdh_stge(const dhgrp gg, buf b, const dhge *YY, int fmt)
283	{
284	const intdh_grp g = (const intdh_grp )gg;
285	const intdh_ge Y = (const intdh_ge )YY;
286	octet *p;
287	mp *t;
288	int rc;
289
290	t = mpmont_reduce(&g->mm, MP_NEW, Y->X);
291	switch (fmt) {
292	case DHFMT_VAR: case DHFMT_HASH:
293	rc = buf_putmp(b, t);
294	break;
295	case DHFMT_STD:
296	if ((p = buf_get(b, g->gesz)) == 0)
297	rc = -1;
298	else {
299	mp_storeb(t, p, g->gesz);
300	rc = 0;
301	}
302	break;
303	default:
304	abort();
305	}
306	MP_DROP(t);
307	return (rc);
308	}
309
310	static int intdh_checkge(const dhgrp gg, const dhge YY)
311	{
312	const intdh_grp g = (const intdh_grp )gg;
313	const intdh_ge Y = (const intdh_ge )YY;
314	mp *T;
315	int rc = 0;
316
317	if (MP_EQ(Y->X, g->mm.r)) rc = -1;
318	T = mpmont_expr(&g->mm, MP_NEW, Y->X, g->q);
319	if (!MP_EQ(T, g->mm.r)) rc = -1;
320	MP_DROP(T);
321	return (rc);
322	}
323
324	static int intdh_eq(const dhgrp gg, const dhge YY, const dhge *ZZ)
325	{
326	const intdh_ge Y = (const intdh_ge )YY, Z = (const intdh_ge )ZZ;
327	return (MP_EQ(Y->X, Z->X));
328	}
329
330	static dhge intdh_mul(const dhgrp gg, const dhsc xx, const dhge YY)
331	{
332	const intdh_grp g = (const intdh_grp )gg;
333	const intdh_sc x = (const intdh_sc )xx;
334	const intdh_ge Y = (const intdh_ge )YY;
335	intdh_ge *Z = CREATE(intdh_ge);
336
337	Z->X = mpmont_expr(&g->mm, MP_NEW, Y ? Y->X : g->G, x->x);
338	return ((dhge *)Z);
339	}
340
341	#ifndef NTRACE
342	static const char intdh_gestr(const dhgrp gg, const dhge *YY)
343	{
344	const intdh_grp g = (const intdh_grp )gg;
345	const intdh_ge Y = (const intdh_ge )YY;
346	mp *t = mpmont_reduce(&g->mm, MP_NEW, Y->X);
347	const char *p = mpstr(t, 10);
348	MP_DROP(t);
349	return (p);
350	}
351	#endif
352
353	static void intdh_freege(const dhgrp gg, dhge YY)
354	{ intdh_ge Y = (intdh_ge )YY; MP_DROP(Y->X); DESTROY(Y); }
355
356	/----- Elliptic curve groups ---------------------------------------------/
357
358	typedef struct ecdh_grp {
359	dhgrp _g;
360	ec_info ei;
361	ec P;
362	} ecdh_grp;
363
364	typedef struct ecdh_sc { mp *x; } ecdh_sc;
365	typedef struct ecdh_ge { ec Q; } ecdh_ge;
366
367	static dhgrp ecdh_mkgroup(const char cstr, dstr *e)
368	{
369	ecdh_grp *g;
370	ec_info ei;
371	const char *err;
372
373	if ((err = ec_getinfo(&ei, cstr)) != 0) {
374	a_format(e, "decode-failed", "%s", err, A_END);
375	return (0);
376	}
377	g = CREATE(ecdh_grp);
378	g->ei = ei;
379	EC_CREATE(&g->P); EC_IN(g->ei.c, &g->P, &g->ei.g);
380	g->_g.scsz = mp_octets(g->ei.r);
381	return (&g->_g);
382	}
383
384	static dhsc ecdh_mptosc(const dhgrp gg, mp *z)
385	{
386	const ecdh_grp g = (const ecdh_grp )gg;
387	ecdh_sc *x = CREATE(ecdh_sc);
388	x->x = MP_NEW; mp_div(0, &x->x, z, g->ei.r);
389	return ((dhsc *)x);
390	}
391
392	static dhge ecdh_ectoge(const dhgrp gg, ec *Q)
393	{
394	const ecdh_grp g = (const ecdh_grp )gg;
395	ecdh_ge *Y = CREATE(ecdh_ge); EC_CREATE(&Y->Q);
396	EC_IN(g->ei.c, &Y->Q, Q);
397	if (EC_CHECK(g->ei.c, &Y->Q))
398	{ EC_DESTROY(&Y->Q); DESTROY(Y); return (0); }
399	return ((dhge *)Y);
400	}
401
402	KLOAD(ecdh, ec, EC,
403	{ if ((kd->grp = ecdh_mkgroup(p.cstr, e)) == 0) goto fail; },
404	{ kd->k = ecdh_mptosc(kd->grp, p.x); },
405	{ if ((kd->K = ecdh_ectoge(kd->grp, &p.p)) == 0) {
406	a_format(e, "bad-public-vector", A_END);
407	goto fail;
408	}
409	})
410
411	static const char ecdh_checkgrp(const dhgrp gg)
412	{
413	const ecdh_grp g = (const ecdh_grp )gg;
414	return (ec_checkinfo(&g->ei, &rand_global));
415	}
416
417	static void ecdh_grpinfo(const dhgrp gg, admin adm)
418	{
419	const ecdh_grp g = (const ecdh_grp )gg;
420	a_info(adm,
421	"kx-group=ec",
422	"kx-group-order-bits=%lu", (unsigned long)mp_bits(g->ei.r),
423	"kx-group-elt-bits=%lu", (unsigned long)2*g->ei.c->f->nbits,
424	A_END);
425	}
426
427	#ifndef NTRACE
428	static void addfestr(field f, mp x, mptext_stringctx *sc)
429	{ addmpstr(x, F_TYPE(f) == FTY_PRIME ? 10 : 16, sc); }
430
431	static void addintfestr(field f, mp x, mptext_stringctx *sc)
432	{ mp *t = F_OUT(f, MP_NEW, x); addfestr(f, x, sc); MP_DROP(t); }
433
434	static const char intfestr(field f, mp *x)
435	{
436	mptext_stringctx sc;
437	setupstr(&sc);
438	addintfestr(f, x, &sc);
439	return (donestr(&sc));
440	}
441
442	static void ecdh_tracegrp(const dhgrp *gg)
443	{
444	const ecdh_grp g = (const ecdh_grp )gg;
445	const ec_curve *c = g->ei.c;
446	field *f = c->f;
447
448	trace(T_CRYPTO, "crypto: group type `ec'");
449	switch (F_TYPE(f)) {
450	case FTY_PRIME:
451	trace(T_CRYPTO, "crypto: prime field `%s'", F_NAME(f));
452	trace(T_CRYPTO, "crypto: p = %s", mpstr(f->q, 10));
453	break;
454	case FTY_BINARY:
455	trace(T_CRYPTO, "crypto: binary field `%s'", F_NAME(f));
456	trace(T_CRYPTO, "crypto: degree = %lu", f->nbits - 1);
457	break;
458	default:
459	trace(T_CRYPTO, "crypto: unknown field type! `%s'", F_NAME(f));
460	break;
461	}
462	trace(T_CRYPTO, "crypto: curve type `%s'", EC_NAME(c));
463	trace(T_CRYPTO, "crypto: curve a = %s", intfestr(f, c->a));
464	trace(T_CRYPTO, "crypto: curve b = %s", intfestr(f, c->b));
465	trace(T_CRYPTO, "crypto: n = %s", mpstr(g->ei.r, 10));
466	trace(T_CRYPTO, "crypto: h = %s", mpstr(g->ei.h, 10));
467	}
468	#endif
469
470	static int ecdh_samegrpp(const dhgrp gg, const dhgrp hh)
471	{
472	const ecdh_grp g = (const ecdh_grp )gg, h = (const ecdh_grp )hh;
473	return (ec_sameinfop(&g->ei, &h->ei));
474	}
475
476	static void ecdh_freegrp(dhgrp *gg)
477	{
478	ecdh_grp g = (ecdh_grp )gg;
479	EC_DESTROY(&g->P); ec_freeinfo(&g->ei);
480	DESTROY(g);
481	}
482
483	static dhsc ecdh_ldsc(const dhgrp gg, const void *p, size_t sz)
484	{
485	const ecdh_grp g = (const ecdh_grp )gg;
486	ecdh_sc *x = CREATE(ecdh_sc);
487	mp *t = mp_loadb(MP_NEW, p, sz);
488	mp_div(0, &t, t, g->ei.r); x->x = t;
489	return ((dhsc *)x);
490	}
491
492	static int ecdh_stsc(const dhgrp gg, void p, size_t sz, const dhsc *xx)
493	{
494	const ecdh_sc x = (const ecdh_sc )xx;
495	mp_storeb(x->x, p, sz);
496	return (0);
497	}
498
499	static dhsc ecdh_randsc(const dhgrp gg)
500	{
501	const ecdh_grp g = (const ecdh_grp )gg;
502	ecdh_sc *x = CREATE(ecdh_sc);
503	x->x = mprand_range(MP_NEW, g->ei.r, &rand_global, 0);
504	return ((dhsc *)x);
505	}
506
507	#ifndef NTRACE
508	static const char ecdh_scstr(const dhgrp gg, const dhsc *xx)
509	{
510	const ecdh_sc x = (const ecdh_sc )xx;
511	return (mpstr(x->x, 10));
512	}
513	#endif
514
515	static void ecdh_freesc(const dhgrp gg, dhsc xx)
516	{ ecdh_sc x = (ecdh_sc )xx; MP_DROP(x->x); DESTROY(x); }
517
518	static dhge ecdh_ldge(const dhgrp gg, buf *b, int fmt)
519	{
520	const ecdh_grp g = (const ecdh_grp )gg;
521	ecdh_ge *Y;
522	ec T = EC_INIT;
523
524	switch (fmt) {
525	case DHFMT_VAR: case DHFMT_HASH: if (buf_getec(b, &T)) return (0); break;
526	case DHFMT_STD: if (ec_getraw(g->ei.c, b, &T)) return (0); break;
527	default:
528	abort();
529	}
530	EC_IN(g->ei.c, &T, &T);
531	Y = CREATE(ecdh_ge); Y->Q = T;
532	return ((dhge *)Y);
533	}
534
535	static int ecdh_stge(const dhgrp gg, buf b, const dhge *YY, int fmt)
536	{
537	const ecdh_grp g = (const ecdh_grp )gg;
538	const ecdh_ge Y = (const ecdh_ge )YY;
539	ec T = EC_INIT;
540	int rc;
541
542	EC_OUT(g->ei.c, &T, &Y->Q);
543	switch (fmt) {
544	case DHFMT_VAR: case DHFMT_HASH: rc = buf_putec(b, &T); break;
545	case DHFMT_STD: rc = ec_putraw(g->ei.c, b, &T); break;
546	default: abort();
547	}
548	EC_DESTROY(&T);
549	return (rc);
550	}
551
552	static int ecdh_checkge(const dhgrp gg, const dhge YY)
553	{
554	const ecdh_grp g = (const ecdh_grp )gg;
555	const ecdh_ge Y = (const ecdh_ge )YY;
556	ec T = EC_INIT;
557	int rc = 0;
558
559	if (EC_ATINF(&Y->Q)) rc = -1;
560	ec_imul(g->ei.c, &T, &Y->Q, g->ei.r);
561	if (!EC_ATINF(&T)) rc = -1;
562	EC_DESTROY(&T);
563	return (rc);
564	}
565
566	static int ecdh_eq(const dhgrp gg, const dhge YY, const dhge *ZZ)
567	{
568	const ecdh_grp g = (const ecdh_grp )gg;
569	const ecdh_ge Y = (const ecdh_ge )YY, Z = (const ecdh_ge )ZZ;
570	ec T = EC_INIT, U = EC_INIT; int rc;
571	EC_FIX(g->ei.c, &T, &Y->Q); EC_FIX(g->ei.c, &U, &Z->Q);
572	rc = EC_EQ(&T, &U);
573	EC_DESTROY(&T); EC_DESTROY(&U);
574	return (rc);
575	}
576
577	static dhge ecdh_mul(const dhgrp gg, const dhsc xx, const dhge YY)
578	{
579	const ecdh_grp g = (const ecdh_grp )gg;
580	const ecdh_sc x = (const ecdh_sc )xx;
581	const ecdh_ge Y = (const ecdh_ge )YY;
582	ecdh_ge *Z = CREATE(ecdh_ge); EC_CREATE(&Z->Q);
583
584	ec_imul(g->ei.c, &Z->Q, Y ? &Y->Q : &g->P, x->x);
585	return ((dhge *)Z);
586	}
587
588	#ifndef NTRACE
589	static const char ecdh_gestr(const dhgrp gg, const dhge *YY)
590	{
591	const ecdh_grp g = (const ecdh_grp )gg;
592	const ecdh_ge Y = (const ecdh_ge )YY;
593	ec T = EC_INIT;
594	field *f = g->ei.c->f;
595	mptext_stringctx sc;
596
597	if (EC_ATINF(&Y->Q)) return ("inf");
598	setupstr(&sc);
599	EC_OUT(g->ei.c, &T, &Y->Q);
600	addfestr(f, T.x, &sc);
601	addlitstr(", ", &sc);
602	addfestr(f, T.y, &sc);
603	EC_DESTROY(&T);
604	return (donestr(&sc));
605	}
606	#endif
607
608	static void ecdh_freege(const dhgrp gg, dhge YY)
609	{ ecdh_ge Y = (ecdh_ge )YY; EC_DESTROY(&Y->Q); DESTROY(Y); }
610
611	/----- Diffie--Hellman group table ---------------------------------------/
612
613	const dhops dhtab[] = {
614
615	#define COMMA ,
616
617	#define DH(name, pre) \
618	{ name, pre##_ldpriv, pre##_ldpub, pre##_checkgrp, \
619	pre##_grpinfo, T( pre##_tracegrp COMMA ) pre##_samegrpp, \
620	pre##_freegrp, \
621	pre##_ldsc, pre##_stsc, pre##_randsc, T( pre##_scstr COMMA ) \
622	pre##_freesc, \
623	pre##_ldge, pre##_stge, pre##_checkge, pre##_eq, pre##_mul, \
624	T( pre##_gestr COMMA ) pre##_freege }, \
625
626	DH("dh", intdh)
627	DH("ec", ecdh)
628
629	#undef DH
630
631	{ 0 }
632	};
633
634	/----- That's all, folks -------------------------------------------------/