return (0);
}
+/*----- Rate limiting -----------------------------------------------------*/
+
+/* --- @ratelim_init@ --- *
+ *
+ * Arguments: @ratelim *r@ = rate-limiting state to fill in
+ * @unsigned persec@ = credit to accumulate per second
+ * @unsigned max@ = maximum credit to retain
+ *
+ * Returns: ---
+ *
+ * Use: Initialize a rate-limiting state.
+ */
+
+void ratelim_init(ratelim *r, unsigned persec, unsigned max)
+{
+ r->n = r->max = max;
+ r->persec = persec;
+ gettimeofday(&r->when, 0);
+}
+
+/* --- @ratelim_withdraw@ --- *
+ *
+ * Arguments: @ratelim *r@ = rate-limiting state
+ * @unsigned n@ = credit to withdraw
+ *
+ * Returns: Zero if successful; @-1@ if there is unsufficient credit
+ *
+ * Use: Updates the state with any accumulated credit. Then, if
+ * there there are more than @n@ credits available, withdraw @n@
+ * and return successfully; otherwise, report failure.
+ */
+
+int ratelim_withdraw(ratelim *r, unsigned n)
+{
+ struct timeval now, delta;
+ unsigned long d;
+
+ gettimeofday(&now, 0);
+ TV_SUB(&delta, &now, &r->when);
+ d = (unsigned long)r->persec*delta.tv_sec +
+ (unsigned long)r->persec*delta.tv_usec/MILLION;
+ if (d < r->max - r->n) r->n += d;
+ else r->n = r->max;
+ r->when = now;
+
+ if (n > r->n) return (-1);
+ else { r->n -= n; return (0); }
+}
+
+/*----- Crypto ------------------------------------------------------------*/
+
+/* --- @ies_encrypt@ --- *
+ *
+ * Arguments: @kdata *kpub@ = recipient's public key
+ * @unsigned ty@ = message type octet
+ * @buf *b@ = input message buffer
+ * @buf *bb@ = output buffer for the ciphertext
+ *
+ * Returns: On error, returns a @KSERR_...@ code or breaks the buffer;
+ * on success, returns zero and the buffer is good.
+ *
+ * Use: Encrypts a message for a recipient, given their public key.
+ * This does not (by itself) provide forward secrecy or sender
+ * authenticity. The ciphertext is self-delimiting (unlike
+ * @ks_encrypt@).
+ */
+
+int ies_encrypt(kdata *kpub, unsigned ty, buf *b, buf *bb)
+{
+ dhgrp *g = kpub->grp;
+ dhsc *u = g->ops->randsc(g);
+ dhge *U = g->ops->mul(g, u, 0), *Z = g->ops->mul(g, u, kpub->K);
+ bulkalgs *algs = kpub->algs.bulk;
+ octet *len;
+ bulkctx *bulk;
+ deriveargs a;
+ size_t n;
+ buf bk;
+ int rc = 0;
+
+ IF_TRACING(T_CRYPTO, {
+ trace(T_CRYPTO,
+ "crypto: encrypting IES message (type 0x%02x) for recipient `%s'",
+ ty, kpub->tag);
+ trace_block(T_CRYPTO, "crypto: plaintext message", BCUR(b), BLEFT(b));
+ })
+
+ a.hc = kpub->algs.h; a.what = "tripe:ecies-"; a.f = DF_OUT;
+ buf_init(&bk, buf_u, sizeof(buf_u)); a.k = BBASE(&bk);
+ g->ops->stge(g, &bk, U, DHFMT_HASH); a.x = a.y = BLEN(&bk);
+ g->ops->stge(g, &bk, Z, DHFMT_HASH); a.z = BLEN(&bk);
+ assert(BOK(&bk));
+ T( trace_block(T_CRYPTO, "crypto: KEM clue", a.k, a.x);
+ trace_block(T_CRYPTO, "crypto: shared secret", a.k + a.y, a.z - a.y); )
+
+ len = BCUR(bb); buf_get(bb, 2);
+ bulk = algs->ops->genkeys(algs, &a);
+ bulk->ops = algs->ops;
+ g->ops->stge(g, bb, U, DHFMT_VAR); if (BBAD(bb)) goto end;
+ rc = bulk->ops->encrypt(bulk, ty, b, bb, 0);
+ if (rc || BBAD(bb)) goto end;
+ n = BCUR(bb) - len - 2; assert(n <= MASK16); STORE16(len, n);
+
+end:
+ bulk->ops->freectx(bulk);
+ g->ops->freesc(g, u);
+ g->ops->freege(g, U);
+ g->ops->freege(g, Z);
+ return (rc);
+}
+
+/* --- @ies_decrypt@ --- *
+ *
+ * Arguments: @kdata *kpub@ = private key key
+ * @unsigned ty@ = message type octet
+ * @buf *b@ = input ciphertext buffer
+ * @buf *bb@ = output buffer for the message
+ *
+ * Returns: On error, returns a @KSERR_...@ code; on success, returns
+ * zero and the buffer is good.
+ *
+ * Use: Decrypts a message encrypted using @ies_encrypt@, given our
+ * private key.
+ */
+
+int ies_decrypt(kdata *kpriv, unsigned ty, buf *b, buf *bb)
+{
+ dhgrp *g = kpriv->grp;
+ bulkalgs *algs = kpriv->algs.bulk;
+ bulkctx *bulk = 0;
+ T( const octet *m; )
+ dhge *U = 0, *Z = 0;
+ deriveargs a;
+ uint32 seq;
+ buf bk, bc;
+ int rc;
+
+ IF_TRACING(T_CRYPTO, {
+ trace(T_CRYPTO,
+ "crypto: decrypting IES message (type 0x%02x) to recipient `%s'",
+ ty, kpriv->tag);
+ trace_block(T_CRYPTO, "crypto: ciphertext message", BCUR(b), BLEFT(b));
+ })
+
+ if (buf_getbuf16(b, &bc) ||
+ (U = g->ops->ldge(g, &bc, DHFMT_VAR)) == 0 ||
+ g->ops->checkge(g, U))
+ { rc = KSERR_MALFORMED; goto end; }
+ Z = g->ops->mul(g, kpriv->k, U);
+
+ a.hc = kpriv->algs.h; a.what = "tripe:ecies-"; a.f = DF_IN;
+ buf_init(&bk, buf_u, sizeof(buf_u)); a.k = BBASE(&bk); a.x = 0;
+ g->ops->stge(g, &bk, U, DHFMT_HASH); a.y = BLEN(&bk);
+ g->ops->stge(g, &bk, Z, DHFMT_HASH); a.z = BLEN(&bk);
+ T( trace_block(T_CRYPTO, "crypto: KEM clue", a.k + a.x, a.y - a.x);
+ trace_block(T_CRYPTO, "crypto: shared secret", a.k + a.y, a.z - a.y); )
+ assert(BOK(&bk));
+
+ bulk = algs->ops->genkeys(algs, &a);
+ bulk->ops = algs->ops;
+ T( m = BCUR(bb); )
+ rc = bulk->ops->decrypt(bulk, ty, &bc, bb, &seq);
+ if (rc) goto end;
+ if (seq) { rc = KSERR_SEQ; goto end; }
+ assert(BOK(bb));
+ T( trace_block(T_CRYPTO, "crypto: decrypted message", m, BCUR(bb) - m); )
+
+end:
+ if (bulk) bulk->ops->freectx(bulk);
+ g->ops->freege(g, U);
+ g->ops->freege(g, Z);
+ return (rc);
+}
+
/*----- Random odds and sods ----------------------------------------------*/
/* --- @timestr@ --- *
~mdw / tripe / blobdiff