3 * Bulk crypto transformations
5 * (c) 2014 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software: you can redistribute it and/or modify it under
13 * the terms of the GNU General Public License as published by the Free
14 * Software Foundation; either version 3 of the License, or (at your
15 * option) any later version.
17 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
18 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
26 /*----- Header files ------------------------------------------------------*/
30 /*----- Utilities ---------------------------------------------------------*/
32 #define SEQSZ 4 /* Size of sequence number packet */
34 #define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
35 trace_block(T_CRYPTO, "crypto: initialization vector", \
39 #define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
40 trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
43 #define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
44 trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
47 #define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
48 trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
49 trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz)); \
52 /* --- @derivekey@ --- *
54 * Arguments: @octet *k@ = pointer to an output buffer of at least
56 * @size_t ksz@ = actual size wanted (for tracing)
57 * @const deriveargs@ = derivation parameters, as passed into
59 * @int dir@ = direction for the key (@DIR_IN@ or @DIR_OUT@)
60 * @const char *what@ = label for the key (input to derivation)
64 * Use: Derives a session key, for use on incoming or outgoing data.
67 static void derivekey(octet *k, size_t ksz, const deriveargs *a,
68 int dir, const char *what)
70 const gchash *hc = a->hc;
73 assert(ksz <= hc->hashsz);
74 assert(hc->hashsz <= MAXHASHSZ);
76 GH_HASH(h, a->what, strlen(a->what)); GH_HASH(h, what, strlen(what) + 1);
79 if (a->x) GH_HASH(h, a->k, a->x);
80 if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x);
83 if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x);
84 if (a->x) GH_HASH(h, a->k, a->x);
89 GH_HASH(h, a->k + a->y, a->z - a->y);
92 IF_TRACING(T_KEYSET, { IF_TRACING(T_CRYPTO, {
94 sprintf(_buf, "crypto: %s key %s", dir ? "outgoing" : "incoming", what);
95 trace_block(T_CRYPTO, _buf, k, ksz);
99 /*----- Common functionality for generic-composition transforms -----------*/
101 #define CHECK_MAC(h, pmac, tagsz) do { \
103 const octet *_pmac = (pmac); \
104 size_t _tagsz = (tagsz); \
105 octet *_mac = GH_DONE(_h, 0); \
106 int _eq = ct_memeq(_mac, _pmac, _tagsz); \
107 TRACE_MAC(_mac, _tagsz); \
110 TRACE_MACERR(_pmac, _tagsz); \
111 return (KSERR_DECRYPT); \
115 typedef struct gencomp_algs {
116 const gccipher *c; size_t cksz;
117 const gcmac *m; size_t mksz; size_t tagsz;
120 typedef struct gencomp_chal {
125 static int gencomp_getalgs(gencomp_algs *a, const algswitch *asw,
126 dstr *e, key_file *kf, key *k)
134 /* --- Symmetric encryption --- */
136 if ((p = key_getattr(kf, k, "cipher")) == 0) p = "blowfish-cbc";
137 if ((a->c = gcipher_byname(p)) == 0) {
138 a_format(e, "unknown-cipher", "%s", p, A_END);
142 /* --- Message authentication --- */
144 if ((p = key_getattr(kf, k, "mac")) != 0) {
147 if ((q = strrchr(d.buf, '/')) != 0)
149 if ((a->m = gmac_byname(d.buf)) == 0) {
150 a_format(e, "unknown-mac", "%s", d.buf, A_END);
154 a->tagsz = a->m->hashsz;
156 n = strtoul(q, &qq, 0);
158 a_format(e, "bad-tag-length-string", "%s", q, A_END);
161 if (n%8 || n/8 > a->m->hashsz) {
162 a_format(e, "bad-tag-length", "%lu", n, A_END);
169 dstr_putf(&d, "%s-hmac", asw->h->name);
170 if ((a->m = gmac_byname(d.buf)) == 0) {
171 a_format(e, "no-hmac-for-hash", "%s", asw->h->name, A_END);
174 a->tagsz = asw->h->hashsz/2;
184 static void gencomp_tracealgs(const gencomp_algs *a)
186 trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
187 trace(T_CRYPTO, "crypto: mac = %s/%lu",
188 a->m->name, (unsigned long)a->tagsz * 8);
192 static int gencomp_checkalgs(gencomp_algs *a, const algswitch *asw, dstr *e)
194 /* --- Derive the key sizes --- *
196 * Must ensure that we have non-empty keys. This isn't ideal, but it
197 * provides a handy sanity check. Also must be based on a 64- or 128-bit
198 * block cipher or we can't do the data expiry properly.
201 if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
202 a_format(e, "cipher", "%s", a->c->name,
203 "no-key-size", "%lu", (unsigned long)asw->hashsz,
207 if ((a->mksz = keysz(asw->hashsz, a->m->keysz)) == 0) {
208 a_format(e, "mac", "%s", a->m->name,
209 "no-key-size", "%lu", (unsigned long)asw->hashsz,
217 static void gencomp_alginfo(const gencomp_algs *a, admin *adm)
220 "cipher=%s", a->c->name,
221 "cipher-keysz=%lu", (unsigned long)a->cksz,
222 "cipher-blksz=%lu", (unsigned long)a->c->blksz,
225 "mac=%s", a->m->name,
226 "mac-keysz=%lu", (unsigned long)a->mksz,
227 "mac-tagsz=%lu", (unsigned long)a->tagsz,
231 static int gencomp_samealgsp(const gencomp_algs *a, const gencomp_algs *aa)
233 return (a->c == aa->c &&
234 a->m == aa->m && a->tagsz == aa->tagsz);
237 static size_t gencomp_expsz(const gencomp_algs *a)
238 { return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); }
240 static bulkchal *gencomp_genchal(const gencomp_algs *a)
242 gencomp_chal *gc = CREATE(gencomp_chal);
244 rand_get(RAND_GLOBAL, buf_t, a->mksz);
245 gc->m = GM_KEY(a->m, buf_t, a->mksz);
246 gc->_b.tagsz = a->tagsz;
248 trace(T_CHAL, "chal: generated new challenge key");
249 trace_block(T_CRYPTO, "chal: new key", buf_t, a->mksz);
254 static int gencomp_chaltag(bulkchal *bc, const void *m, size_t msz,
257 gencomp_chal *gc = (gencomp_chal *)bc;
258 ghash *h = GM_INIT(gc->m);
260 GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz);
261 memcpy(t, GH_DONE(h, 0), bc->tagsz);
266 static int gencomp_chalvrf(bulkchal *bc, const void *m, size_t msz,
267 uint32 seq, const void *t)
269 gencomp_chal *gc = (gencomp_chal *)bc;
270 ghash *h = GM_INIT(gc->m);
273 GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz);
274 ok = ct_memeq(GH_DONE(h, 0), t, gc->_b.tagsz);
276 return (ok ? 0 : -1);
279 static void gencomp_freechal(bulkchal *bc)
280 { gencomp_chal *gc = (gencomp_chal *)bc; GM_DESTROY(gc->m); DESTROY(gc); }
282 /*----- The original transform --------------------------------------------*
284 * We generate a random initialization vector (if the cipher needs one). We
285 * encrypt the input message with the cipher, and format the type, sequence
286 * number, IV, and ciphertext as follows.
288 * +------+ +------+---...---+------...------+
289 * | type | | seq | iv | ciphertext |
290 * +------+ +------+---...---+------...------+
293 * All of this is fed into the MAC to compute a tag. The type is not
294 * transmitted: the other end knows what type of message it expects, and the
295 * type is only here to prevent us from being confused because some other
296 * kind of ciphertext has been substituted. The tag is prepended to the
297 * remainder, to yield the finished cryptogram, as follows.
299 * +---...---+------+---...---+------...------+
300 * | tag | seq | iv | ciphertext |
301 * +---...---+------+---...---+------...------+
304 * Decryption: checks the overall size, verifies the tag, then decrypts the
305 * ciphertext and extracts the sequence number.
308 typedef struct v0_algs {
313 typedef struct v0_ctx {
322 static bulkalgs *v0_getalgs(const algswitch *asw, dstr *e,
323 key_file *kf, key *k)
325 v0_algs *a = CREATE(v0_algs);
326 if (gencomp_getalgs(&a->ga, asw, e, kf, k)) { DESTROY(a); return (0); }
331 static void v0_tracealgs(const bulkalgs *aa)
332 { const v0_algs *a = (const v0_algs *)aa; gencomp_tracealgs(&a->ga); }
335 static int v0_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
337 v0_algs *a = (v0_algs *)aa;
338 if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
342 static int v0_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
344 const v0_algs *a = (const v0_algs *)aa, *b = (const v0_algs *)bb;
345 return (gencomp_samealgsp(&a->ga, &b->ga));
348 static void v0_alginfo(const bulkalgs *aa, admin *adm)
349 { const v0_algs *a = (const v0_algs *)aa; gencomp_alginfo(&a->ga, adm); }
351 static size_t v0_overhead(const bulkalgs *aa)
353 const v0_algs *a = (const v0_algs *)aa;
354 return (a->ga.tagsz + SEQSZ + a->ga.c->blksz);
357 static size_t v0_expsz(const bulkalgs *aa)
358 { const v0_algs *a = (const v0_algs *)aa; return (gencomp_expsz(&a->ga)); }
360 static bulkctx *v0_genkeys(const bulkalgs *aa, const deriveargs *da)
362 const v0_algs *a = (const v0_algs *)aa;
363 v0_ctx *bc = CREATE(v0_ctx);
367 bc->tagsz = a->ga.tagsz;
368 for (i = 0; i < NDIR; i++) {
369 if (!(da->f&(1 << i))) { bc->d[i].c = 0; bc->d[i].m = 0; continue; }
370 derivekey(k, a->ga.cksz, da, i, "encryption");
371 bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
372 derivekey(k, a->ga.mksz, da, i, "integrity");
373 bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
378 static bulkchal *v0_genchal(const bulkalgs *aa)
380 const v0_algs *a = (const v0_algs *)aa;
381 return (gencomp_genchal(&a->ga));
383 #define v0_chaltag gencomp_chaltag
384 #define v0_chalvrf gencomp_chalvrf
385 #define v0_freechal gencomp_freechal
387 static void v0_freealgs(bulkalgs *aa)
388 { v0_algs *a = (v0_algs *)aa; DESTROY(a); }
390 static void v0_freectx(bulkctx *bbc)
392 v0_ctx *bc = (v0_ctx *)bbc;
395 for (i = 0; i < NDIR; i++) {
396 if (bc->d[i].c) GC_DESTROY(bc->d[i].c);
397 if (bc->d[i].m) GM_DESTROY(bc->d[i].m);
402 static int v0_encrypt(bulkctx *bbc, unsigned ty,
403 buf *b, buf *bb, uint32 seq)
405 v0_ctx *bc = (v0_ctx *)bbc;
407 gcipher *c = bc->d[DIR_OUT].c;
408 const octet *p = BCUR(b);
409 size_t sz = BLEFT(b);
410 octet *qmac, *qseq, *qiv, *qpk;
412 size_t tagsz = bc->tagsz;
416 ivsz = GC_CLASS(c)->blksz;
418 /* --- Determine the ciphertext layout --- */
420 if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
421 qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
422 BSTEP(bb, tagsz + SEQSZ + ivsz + sz);
424 /* --- Store the type --- *
426 * This isn't transmitted, but it's covered by the MAC.
431 /* --- Store the sequence number --- */
435 /* --- Establish an initialization vector if necessary --- */
438 rand_get(RAND_GLOBAL, qiv, ivsz);
443 /* --- Encrypt the packet --- */
445 GC_ENCRYPT(c, p, qpk, sz);
448 /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
451 h = GM_INIT(bc->d[DIR_OUT].m);
452 GH_HASH(h, t, sizeof(t));
453 GH_HASH(h, qseq, SEQSZ + ivsz + sz);
454 memcpy(qmac, GH_DONE(h, 0), tagsz);
456 TRACE_MAC(qmac, tagsz);
459 /* --- We're done --- */
464 static int v0_decrypt(bulkctx *bbc, unsigned ty,
465 buf *b, buf *bb, uint32 *seq)
467 v0_ctx *bc = (v0_ctx *)bbc;
468 const octet *pmac, *piv, *pseq, *ppk;
469 size_t psz = BLEFT(b);
473 gcipher *c = bc->d[DIR_IN].c;
475 size_t tagsz = bc->tagsz;
479 ivsz = GC_CLASS(c)->blksz;
481 /* --- Break up the packet into its components --- */
483 if (psz < ivsz + SEQSZ + tagsz) {
484 T( trace(T_KEYSET, "keyset: block too small for keyset"); )
485 return (KSERR_MALFORMED);
487 sz = psz - ivsz - SEQSZ - tagsz;
488 pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
491 /* --- Verify the MAC on the packet --- */
494 h = GM_INIT(bc->d[DIR_IN].m);
495 GH_HASH(h, t, sizeof(t));
496 GH_HASH(h, pseq, SEQSZ + ivsz + sz);
497 CHECK_MAC(h, pmac, tagsz);
500 /* --- Decrypt the packet --- */
506 GC_DECRYPT(c, ppk, q, sz);
508 /* --- Finished --- */
515 /*----- The implicit-IV transform -----------------------------------------*
517 * The v0 transform makes everything explicit. There's an IV because the
518 * cipher needs an IV; there's a sequence number because replay prevention
519 * needs a sequence number.
521 * This new transform works rather differently. We make use of a block
522 * cipher to encrypt the sequence number, and use that as the IV. We
523 * transmit the sequence number in the clear, as before. This reduces
524 * overhead; and it's not a significant privacy leak because the adversary
525 * can see the order in which the messages are transmitted -- i.e., the
526 * sequence numbers are almost completely predictable anyway.
528 * So, a MAC is computed over
530 * +------+ +------+------...------+
531 * | type | | seq | ciphertext |
532 * +------+ +------+------...------+
535 * and we actually transmit the following as the cryptogram.
537 * +---...---+------+------...------+
538 * | tag | seq | ciphertext |
539 * +---...---+------+------...------+
543 typedef struct iiv_algs {
546 const gccipher *b; size_t bksz;
549 typedef struct iiv_ctx {
559 static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e,
560 key_file *kf, key *k)
562 iiv_algs *a = CREATE(iiv_algs);
563 dstr d = DSTR_INIT, dd = DSTR_INIT;
567 if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail;
569 if ((p = key_getattr(kf, k, "blkc")) == 0) {
570 dstr_puts(&dd, a->ga.c->name);
571 if ((q = strrchr(dd.buf, '-')) != 0) *q = 0;
574 dstr_putf(&d, "%s-ecb", p);
575 if ((a->b = gcipher_byname(d.buf)) == 0) {
576 a_format(e, "unknown-blkc", "%s", p, A_END);
580 dstr_destroy(&d); dstr_destroy(&dd);
583 dstr_destroy(&d); dstr_destroy(&dd);
589 static void iiv_tracealgs(const bulkalgs *aa)
591 const iiv_algs *a = (const iiv_algs *)aa;
593 gencomp_tracealgs(&a->ga);
595 "crypto: blkc = %.*s", (int)strlen(a->b->name) - 4, a->b->name);
599 static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
601 iiv_algs *a = (iiv_algs *)aa;
603 if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
605 if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) {
606 a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
607 "no-key-size", "%lu", (unsigned long)asw->hashsz,
611 if (a->b->blksz < a->ga.c->blksz) {
612 a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
613 "blksz-insufficient", A_END);
619 static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
621 const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb;
622 return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b);
625 static void iiv_alginfo(const bulkalgs *aa, admin *adm)
627 const iiv_algs *a = (const iiv_algs *)aa;
628 gencomp_alginfo(&a->ga, adm);
630 "blkc=%.*s", strlen(a->b->name) - 4, a->b->name,
631 "blkc-keysz=%lu", (unsigned long)a->bksz,
632 "blkc-blksz=%lu", (unsigned long)a->b->blksz,
636 static size_t iiv_overhead(const bulkalgs *aa)
637 { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); }
639 static size_t iiv_expsz(const bulkalgs *aa)
641 const iiv_algs *a = (const iiv_algs *)aa;
642 return (gencomp_expsz(&a->ga));
645 static bulkctx *iiv_genkeys(const bulkalgs *aa, const deriveargs *da)
647 const iiv_algs *a = (const iiv_algs *)aa;
648 iiv_ctx *bc = CREATE(iiv_ctx);
652 bc->tagsz = a->ga.tagsz;
653 for (i = 0; i < NDIR; i++) {
654 if (!(da->f&(1 << i)))
655 { bc->d[i].c = 0; bc->d[i].b = 0; bc->d[i].m = 0; continue; }
656 derivekey(k, a->ga.cksz, da, i, "encryption");
657 bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
658 derivekey(k, a->bksz, da, i, "blkc");
659 bc->d[i].b = GC_INIT(a->b, k, a->bksz);
660 derivekey(k, a->ga.mksz, da, i, "integrity");
661 bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
666 static bulkchal *iiv_genchal(const bulkalgs *aa)
668 const iiv_algs *a = (const iiv_algs *)aa;
669 return (gencomp_genchal(&a->ga));
671 #define iiv_chaltag gencomp_chaltag
672 #define iiv_chalvrf gencomp_chalvrf
673 #define iiv_freechal gencomp_freechal
675 static void iiv_freealgs(bulkalgs *aa)
676 { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); }
678 static void iiv_freectx(bulkctx *bbc)
680 iiv_ctx *bc = (iiv_ctx *)bbc;
683 for (i = 0; i < NDIR; i++) {
684 if (bc->d[i].c) GC_DESTROY(bc->d[i].c);
685 if (bc->d[i].b) GC_DESTROY(bc->d[i].b);
686 if (bc->d[i].m) GM_DESTROY(bc->d[i].m);
691 #define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
692 trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
695 static int iiv_encrypt(bulkctx *bbc, unsigned ty,
696 buf *b, buf *bb, uint32 seq)
698 iiv_ctx *bc = (iiv_ctx *)bbc;
700 gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b;
701 const octet *p = BCUR(b);
702 size_t sz = BLEFT(b);
703 octet *qmac, *qseq, *qpk;
705 size_t tagsz = bc->tagsz;
708 assert(c); assert(blkc);
709 ivsz = GC_CLASS(c)->blksz;
710 blkcsz = GC_CLASS(blkc)->blksz;
712 /* --- Determine the ciphertext layout --- */
714 if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
715 qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
716 BSTEP(bb, tagsz + SEQSZ + sz);
718 /* --- Store the type --- *
720 * This isn't transmitted, but it's covered by the MAC.
725 /* --- Store the sequence number --- */
729 /* --- Establish an initialization vector if necessary --- */
732 memset(buf_u, 0, blkcsz - SEQSZ);
733 memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
734 TRACE_PRESEQ(buf_u, ivsz);
735 GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
737 TRACE_IV(buf_u, ivsz);
740 /* --- Encrypt the packet --- */
742 GC_ENCRYPT(c, p, qpk, sz);
745 /* --- Compute a MAC over type, sequence number, and ciphertext --- */
748 h = GM_INIT(bc->d[DIR_OUT].m);
749 GH_HASH(h, t, sizeof(t));
750 GH_HASH(h, qseq, SEQSZ + sz);
751 memcpy(qmac, GH_DONE(h, 0), tagsz);
753 TRACE_MAC(qmac, tagsz);
756 /* --- We're done --- */
761 static int iiv_decrypt(bulkctx *bbc, unsigned ty,
762 buf *b, buf *bb, uint32 *seq)
764 iiv_ctx *bc = (iiv_ctx *)bbc;
765 const octet *pmac, *pseq, *ppk;
766 size_t psz = BLEFT(b);
770 gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b;
772 size_t tagsz = bc->tagsz;
775 assert(c); assert(blkc);
776 ivsz = GC_CLASS(c)->blksz;
777 blkcsz = GC_CLASS(blkc)->blksz;
779 /* --- Break up the packet into its components --- */
781 if (psz < SEQSZ + tagsz) {
782 T( trace(T_KEYSET, "keyset: block too small for keyset"); )
783 return (KSERR_MALFORMED);
785 sz = psz - SEQSZ - tagsz;
786 pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
789 /* --- Verify the MAC on the packet --- */
792 h = GM_INIT(bc->d[DIR_IN].m);
793 GH_HASH(h, t, sizeof(t));
794 GH_HASH(h, pseq, SEQSZ + sz);
795 CHECK_MAC(h, pmac, tagsz);
798 /* --- Decrypt the packet --- */
801 memset(buf_u, 0, blkcsz - SEQSZ);
802 memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
803 TRACE_PRESEQ(buf_u, ivsz);
804 GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
806 TRACE_IV(buf_u, ivsz);
808 GC_DECRYPT(c, ppk, q, sz);
810 /* --- Finished --- */
817 /*----- The NaCl box transform --------------------------------------------*
819 * This transform is very similar to the NaCl `crypto_secretbox' transform
820 * described in Bernstein, `Cryptography in NaCl', with the difference that,
821 * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we
822 * have no need of XSalsa20's extended nonce. The default cipher is Salsa20.
824 * Salsa20 and ChaCha accept a 64-bit nonce. The low 32 bits are the
825 * sequence number, and the high 32 bits are the type, both big-endian.
832 * A stream is generated by concatenating the raw output blocks generated
833 * with this nonce and successive counter values starting from zero. The
834 * first 32 bytes of the stream are used as a key for Poly1305: the first 16
835 * bytes are the universal hash key r, and the second 16 bytes are the mask
838 * +------+------+ +------...------+
839 * | r | s | | keystream |
840 * +------+------+ +------...------+
843 * The remainder of the stream is XORed with the incoming plaintext to form a
844 * ciphertext with the same length. The ciphertext (only) is then tagged
845 * using Poly1305. The tag, sequence number, and ciphertext are concatenated
846 * in this order, and transmitted.
849 * +---...---+------+------...------+
850 * | tag | seq | ciphertext |
851 * +---...---+------+------...------+
854 * Note that there is no need to authenticate the type separately, since it
855 * was used to select the cipher nonce, and hence the Poly1305 key. The
856 * Poly1305 tag length is fixed.
859 typedef struct naclbox_algs {
861 const gccipher *c; size_t cksz;
864 typedef struct naclbox_ctx {
866 struct { gcipher *c; } d[NDIR];
870 static bulkalgs *naclbox_getalgs(const algswitch *asw, dstr *e,
871 key_file *kf, key *k)
873 naclbox_algs *a = CREATE(naclbox_algs);
878 /* --- Collect the selected cipher and check that it's supported --- */
880 p = key_getattr(kf, k, "cipher");
881 if (!p || strcmp(p, "salsa20") == 0) a->c = &salsa20;
882 else if (strcmp(p, "salsa20/12") == 0) a->c = &salsa2012;
883 else if (strcmp(p, "salsa20/8") == 0) a->c = &salsa208;
884 else if (strcmp(p, "chacha20") == 0) a->c = &chacha20;
885 else if (strcmp(p, "chacha12") == 0) a->c = &chacha12;
886 else if (strcmp(p, "chacha8") == 0) a->c = &chacha8;
888 a_format(e, "unknown-cipher", "%s", p, A_END);
892 /* --- Collect the selected MAC, and check the tag length --- */
894 p = key_getattr(kf, k, "mac");
897 else if (strncmp(p, "poly1305", 8) != 0 || (p[8] && p[8] != '/')) {
898 a_format(e, "unknown-mac", "%s", p, A_END);
900 } else if (p[8] == '/') {
901 n = strtoul(p + 9, &qq, 0);
903 a_format(e, "bad-tag-length-string", "%s", p + 9, A_END);
907 a_format(e, "bad-tag-length", "%lu", n, A_END);
919 static void naclbox_tracealgs(const bulkalgs *aa)
921 const naclbox_algs *a = (const naclbox_algs *)aa;
923 trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
924 trace(T_CRYPTO, "crypto: mac = poly1305/128");
928 static int naclbox_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
930 naclbox_algs *a = (naclbox_algs *)aa;
932 if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
933 a_format(e, "cipher", "%s", a->c->name,
934 "no-key-size", "%lu", (unsigned long)asw->hashsz,
941 static int naclbox_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
943 const naclbox_algs *a = (const naclbox_algs *)aa,
944 *b = (const naclbox_algs *)bb;
945 return (a->c == b->c);
948 static void naclbox_alginfo(const bulkalgs *aa, admin *adm)
950 const naclbox_algs *a = (const naclbox_algs *)aa;
951 a_info(adm, "cipher=%s", a->c->name, "cipher-keysz=32", A_END);
952 a_info(adm, "mac=poly1305", "mac-tagsz=16", A_END);
955 static size_t naclbox_overhead(const bulkalgs *aa)
956 { return (POLY1305_TAGSZ + SEQSZ); }
958 static size_t naclbox_expsz(const bulkalgs *aa)
959 { return (MEG(2048)); }
961 static bulkctx *naclbox_genkeys(const bulkalgs *aa, const deriveargs *da)
963 const naclbox_algs *a = (const naclbox_algs *)aa;
964 naclbox_ctx *bc = CREATE(naclbox_ctx);
968 for (i = 0; i < NDIR; i++) {
969 if (!(da->f&(1 << i))) { bc->d[i].c = 0; continue; }
970 derivekey(k, a->cksz, da, i, "encryption");
971 bc->d[i].c = GC_INIT(a->c, k, a->cksz);
976 typedef struct naclbox_chal {
981 static bulkchal *naclbox_genchal(const bulkalgs *aa)
983 const naclbox_algs *a = (const naclbox_algs *)aa;
984 naclbox_chal *c = CREATE(naclbox_chal);
985 rand_get(RAND_GLOBAL, buf_t, a->cksz);
986 c->c = GC_INIT(a->c, buf_t, a->cksz);
988 trace(T_CHAL, "chal: generated new challenge key");
989 trace_block(T_CRYPTO, "chal: new key", buf_t, a->cksz);
991 c->_b.tagsz = POLY1305_TAGSZ;
995 static int naclbox_chaltag(bulkchal *bc, const void *m, size_t msz,
998 naclbox_chal *c = (naclbox_chal *)bc;
1001 octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
1003 assert(SALSA20_NONCESZ <= sizeof(b));
1004 memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
1005 GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
1006 poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
1007 poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
1008 if (msz) poly1305_hash(&pm, m, msz);
1009 poly1305_done(&pm, t);
1013 static int naclbox_chalvrf(bulkchal *bc, const void *m, size_t msz,
1014 uint32 seq, const void *t)
1016 naclbox_chal *c = (naclbox_chal *)bc;
1019 octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
1021 assert(SALSA20_NONCESZ <= sizeof(b));
1022 memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
1023 GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
1024 poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
1025 poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
1026 if (msz) poly1305_hash(&pm, m, msz);
1027 assert(POLY1305_TAGSZ <= sizeof(b)); poly1305_done(&pm, b);
1028 return (ct_memeq(t, b, POLY1305_TAGSZ) ? 0 : -1);
1031 static void naclbox_freechal(bulkchal *bc)
1032 { naclbox_chal *c = (naclbox_chal *)bc; GC_DESTROY(c->c); DESTROY(c); }
1034 static void naclbox_freealgs(bulkalgs *aa)
1035 { naclbox_algs *a = (naclbox_algs *)aa; DESTROY(a); }
1037 static void naclbox_freectx(bulkctx *bbc)
1039 naclbox_ctx *bc = (naclbox_ctx *)bbc;
1042 for (i = 0; i < NDIR; i++) { if (bc->d[i].c) GC_DESTROY(bc->d[i].c); }
1046 static int naclbox_encrypt(bulkctx *bbc, unsigned ty,
1047 buf *b, buf *bb, uint32 seq)
1049 naclbox_ctx *bc = (naclbox_ctx *)bbc;
1050 gcipher *c = bc->d[DIR_OUT].c;
1053 const octet *p = BCUR(b);
1054 size_t sz = BLEFT(b);
1055 octet *qmac, *qseq, *qpk;
1059 /* --- Determine the ciphertext layout --- */
1061 if (buf_ensure(bb, POLY1305_TAGSZ + SEQSZ + sz)) return (0);
1062 qmac = BCUR(bb); qseq = qmac + POLY1305_TAGSZ; qpk = qseq + SEQSZ;
1063 BSTEP(bb, POLY1305_TAGSZ + SEQSZ + sz);
1065 /* --- Construct and set the nonce --- */
1068 memcpy(buf_u, qseq, SEQSZ); STORE32(buf_u + SEQSZ, ty);
1070 TRACE_IV(buf_u, SALSA20_NONCESZ);
1072 /* --- Determine the MAC key --- */
1074 GC_ENCRYPT(c, 0, buf_u, POLY1305_KEYSZ + POLY1305_MASKSZ);
1075 poly1305_keyinit(&polyk, buf_u, POLY1305_KEYSZ);
1076 poly1305_macinit(&poly, &polyk, buf_u + POLY1305_KEYSZ);
1078 /* --- Encrypt the message --- */
1080 GC_ENCRYPT(c, p, qpk, sz);
1083 /* --- Compute the MAC --- */
1085 poly1305_hash(&poly, qpk, sz);
1086 poly1305_done(&poly, qmac);
1087 TRACE_MAC(qmac, POLY1305_TAGSZ);
1089 /* --- We're done --- */
1094 static int naclbox_decrypt(bulkctx *bbc, unsigned ty,
1095 buf *b, buf *bb, uint32 *seq)
1097 naclbox_ctx *bc = (naclbox_ctx *)bbc;
1098 gcipher *c = bc->d[DIR_IN].c;
1101 const octet *pmac, *pseq, *ppk;
1102 size_t psz = BLEFT(b);
1104 octet *q = BCUR(bb);
1108 /* --- Break up the packet into its components --- */
1110 if (psz < SEQSZ + POLY1305_TAGSZ) {
1111 T( trace(T_KEYSET, "keyset: block too small for keyset"); )
1112 return (KSERR_MALFORMED);
1114 sz = psz - SEQSZ - POLY1305_TAGSZ;
1115 pmac = BCUR(b); pseq = pmac + POLY1305_TAGSZ; ppk = pseq + SEQSZ;
1117 /* --- Construct and set the nonce --- */
1119 memcpy(buf_u, pseq, SEQSZ); STORE32(buf_u + SEQSZ, ty);
1121 TRACE_IV(buf_u, SALSA20_NONCESZ);
1123 /* --- Determine the MAC key --- */
1125 GC_ENCRYPT(c, 0, buf_u, POLY1305_KEYSZ + POLY1305_MASKSZ);
1126 poly1305_keyinit(&polyk, buf_u, POLY1305_KEYSZ);
1127 poly1305_macinit(&poly, &polyk, buf_u + POLY1305_KEYSZ);
1129 /* --- Verify the MAC on the packet --- */
1131 poly1305_hash(&poly, ppk, sz);
1132 poly1305_done(&poly, buf_u);
1133 TRACE_MAC(buf_u, POLY1305_TAGSZ);
1134 if (!ct_memeq(buf_u, pmac, POLY1305_TAGSZ)) {
1135 TRACE_MACERR(pmac, POLY1305_TAGSZ);
1136 return (KSERR_DECRYPT);
1139 /* --- Decrypt the packet --- */
1141 GC_DECRYPT(c, ppk, q, sz);
1143 /* --- Finished --- */
1145 *seq = LOAD32(pseq);
1150 /*----- Bulk crypto transform table ---------------------------------------*/
1152 const bulkops bulktab[] = {
1156 #define BULK(name, pre) \
1157 { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \
1158 pre##_checkalgs, pre##_samealgsp, \
1159 pre##_alginfo, pre##_overhead, pre##_expsz, \
1160 pre##_genkeys, pre##_genchal, pre##_freealgs, \
1161 pre##_encrypt, pre##_decrypt, pre##_freectx, \
1162 pre##_chaltag, pre##_chalvrf, pre##_freechal }
1166 BULK("naclbox", naclbox),
1172 /*----- That's all, folks -------------------------------------------------*/