5 * Catcrypt key-encapsulation
7 * (c) 2004 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/alloc.h>
35 #include <mLib/dstr.h>
36 #include <mLib/report.h>
48 #include "blowfish-cbc.h"
52 /*----- Key encapsulation -------------------------------------------------*/
56 typedef struct rsa_encctx {
61 static kem *rsa_encinit(key *k, void *kd)
63 rsa_encctx *re = CREATE(rsa_encctx);
64 rsa_pubcreate(&re->rp, kd);
68 static int rsa_encdoit(kem *k, dstr *d, ghash *h)
70 rsa_encctx *re = (rsa_encctx *)k;
71 mp *x = mprand_range(MP_NEW, re->rp.rp->n, &rand_global, 0);
72 mp *y = rsa_pubop(&re->rp, MP_NEW, x);
73 size_t n = mp_octets(re->rp.rp->n);
75 mp_storeb(x, d->buf, n);
76 GH_HASH(h, d->buf, n);
77 mp_storeb(y, d->buf, n);
84 static const char *rsa_lengthcheck(mp *n)
86 if (mp_bits(n) < 1020) return ("key too short");
90 static const char *rsa_enccheck(kem *k)
92 rsa_encctx *re = (rsa_encctx *)k;
94 if ((e = rsa_lengthcheck(re->rp.rp->n)) != 0) return (e);
98 static void rsa_encdestroy(kem *k)
100 rsa_encctx *re = (rsa_encctx *)k;
101 rsa_pubdestroy(&re->rp);
105 static const kemops rsa_encops = {
106 rsa_pubfetch, sizeof(rsa_pub),
107 rsa_encinit, rsa_encdoit, rsa_enccheck, rsa_encdestroy
110 typedef struct rsa_decctx {
115 static kem *rsa_decinit(key *k, void *kd)
117 rsa_decctx *rd = CREATE(rsa_decctx);
118 rsa_privcreate(&rd->rp, kd, &rand_global);
122 static int rsa_decdoit(kem *k, dstr *d, ghash *h)
124 rsa_decctx *rd = (rsa_decctx *)k;
125 mp *x = mp_loadb(MP_NEW, d->buf, d->len);
129 if (MP_CMP(x, >=, rd->rp.rp->n)) {
133 n = mp_octets(rd->rp.rp->n);
135 x = rsa_privop(&rd->rp, x, x);
143 static const char *rsa_deccheck(kem *k)
145 rsa_decctx *rd = (rsa_decctx *)k;
147 if ((e = rsa_lengthcheck(rd->rp.rp->n)) != 0) return (e);
151 static void rsa_decdestroy(kem *k)
153 rsa_decctx *rd = (rsa_decctx *)k;
154 rsa_privdestroy(&rd->rp);
158 static const kemops rsa_decops = {
159 rsa_privfetch, sizeof(rsa_priv),
160 rsa_decinit, rsa_decdoit, rsa_deccheck, rsa_decdestroy
163 /* --- DH and EC --- */
165 typedef struct dh_encctx {
172 static dh_encctx *dh_doinit(key *k, const gprime_param *gp, mp *y,
173 group *(*makegroup)(const gprime_param *),
176 dh_encctx *de = CREATE(dh_encctx);
180 if ((de->g = makegroup(gp)) == 0)
181 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
183 de->y = G_CREATE(de->g);
184 if (G_FROMINT(de->g, de->y, y))
185 die(EXIT_FAILURE, "bad public key `%s'", t.buf);
190 static dh_encctx *ec_doinit(key *k, const char *cstr, const ec *y)
192 dh_encctx *de = CREATE(dh_encctx);
198 if ((e = ec_getinfo(&ei, cstr)) != 0 ||
199 (de->g = group_ec(&ei)) == 0)
200 die(EXIT_FAILURE, "bad elliptic curve spec in key `%s': %s", t.buf, e);
202 de->y = G_CREATE(de->g);
203 if (G_FROMEC(de->g, de->y, y))
204 die(EXIT_FAILURE, "bad public curve point `%s'", t.buf);
209 static kem *dh_encinit(key *k, void *kd)
212 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
216 static kem *bindh_encinit(key *k, void *kd)
219 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
223 static kem *ec_encinit(key *k, void *kd)
226 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
230 static int dh_encdoit(kem *k, dstr *d, ghash *h)
232 dh_encctx *de = (dh_encctx *)k;
233 mp *r = mprand_range(MP_NEW, de->g->r, &rand_global, 0);
234 ge *x = G_CREATE(de->g);
235 ge *y = G_CREATE(de->g);
236 size_t n = de->g->noctets;
239 G_EXP(de->g, x, de->g->g, r);
240 G_EXP(de->g, y, de->y, r);
242 buf_init(&b, d->buf, n);
243 G_TORAW(de->g, &b, y);
244 GH_HASH(h, BBASE(&b), BLEN(&b));
245 buf_init(&b, d->buf, n);
246 G_TORAW(de->g, &b, x);
247 GH_HASH(h, BBASE(&b), BLEN(&b));
255 static const char *dh_enccheck(kem *k)
257 dh_encctx *de = (dh_encctx *)k;
259 if ((e = G_CHECK(de->g, &rand_global)) != 0)
261 if (group_check(de->g, de->y))
262 return ("public key not in subgroup");
266 static void dh_encdestroy(kem *k)
268 dh_encctx *de = (dh_encctx *)k;
269 G_DESTROY(de->g, de->y);
271 G_DESTROYGROUP(de->g);
274 static const kemops dh_encops = {
275 dh_pubfetch, sizeof(dh_pub),
276 dh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
279 static const kemops bindh_encops = {
280 dh_pubfetch, sizeof(dh_pub),
281 bindh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
284 static const kemops ec_encops = {
285 ec_pubfetch, sizeof(ec_pub),
286 ec_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
289 static kem *dh_decinit(key *k, void *kd)
292 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
293 de->x = MP_COPY(dp->x);
297 static kem *bindh_decinit(key *k, void *kd)
300 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
301 de->x = MP_COPY(dp->x);
305 static kem *ec_decinit(key *k, void *kd)
308 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
309 de->x = MP_COPY(ep->x);
313 static int dh_decdoit(kem *k, dstr *d, ghash *h)
315 dh_encctx *de = (dh_encctx *)k;
316 ge *x = G_CREATE(de->g);
317 size_t n = de->g->noctets;
318 void *p = xmalloc(n);
322 buf_init(&b, d->buf, d->len);
323 if (G_FROMRAW(de->g, &b, x) || group_check(de->g, x))
325 G_EXP(de->g, x, x, de->x);
327 G_TORAW(de->g, &b, x);
328 GH_HASH(h, BBASE(&b), BLEN(&b));
329 GH_HASH(h, d->buf, d->len);
337 static const kemops dh_decops = {
338 dh_privfetch, sizeof(dh_priv),
339 dh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
342 static const kemops bindh_decops = {
343 dh_privfetch, sizeof(dh_priv),
344 bindh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
347 static const kemops ec_decops = {
348 ec_privfetch, sizeof(ec_priv),
349 ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
352 /* --- The switch table --- */
354 const struct kemtab kemtab[] = {
355 { "rsa", &rsa_encops, &rsa_decops },
356 { "dh", &dh_encops, &dh_decops },
357 { "bindh", &bindh_encops, &bindh_decops },
358 { "ec", &ec_encops, &ec_decops },
362 /* --- @getkem@ --- *
364 * Arguments: @key *k@ = the key to load
365 * @const char *app@ = application name
366 * @int wantpriv@ = nonzero if we want to decrypt
368 * Returns: A key-encapsulating thing.
373 kem *getkem(key *k, const char *app, int wantpriv)
375 const char *kalg, *halg = 0, *calg = 0;
382 const struct kemtab *kt;
388 /* --- Setup stuff --- */
392 /* --- Get the KEM name --- *
394 * Take the attribute if it's there; otherwise use the key type.
398 if ((q = key_getattr(0, k, "kem")) != 0) {
401 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
402 dstr_puts(&d, k->type);
405 die(EXIT_FAILURE, "no KEM for key `%s'", t.buf);
408 /* --- Grab the encryption scheme --- *
410 * Grab it from the KEM if it's there, but override it from the attribute.
413 if (p && (p = strchr(p, '/')) != 0) {
417 if ((q = key_getattr(0, k, "cipher")) != 0)
420 /* --- Grab the hash function --- */
422 if (p && (p = strchr(p, '/')) != 0) {
426 if ((q = key_getattr(0, k, "hash")) != 0)
429 /* --- Instantiate the KEM --- */
431 for (kt = kemtab; kt->name; kt++) {
432 if (strcmp(kt->name, kalg) == 0)
435 die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
438 ko = wantpriv ? kt->decops : kt->encops;
439 kd = xmalloc(ko->kdsz);
440 kp = key_fetchinit(ko->kf, 0, kd);
441 if ((e = key_fetch(kp, k)) != 0)
442 die(EXIT_FAILURE, "error fetching key `%s': %s", t.buf, key_strerror(e));
443 kk = ko->init(k, kd);
448 /* --- Set up the algorithms --- */
452 else if ((kk->h = ghash_byname(halg)) == 0) {
453 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
458 kk->c = &blowfish_cbc;
459 else if ((kk->c = gcipher_byname(calg)) == 0) {
460 die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
465 if ((q = key_getattr(0, k, "kdf")) == 0) {
466 dstr_putf(&d, "%s-mgf", kk->h->name);
469 if ((kk->cx = gcipher_byname(q)) == 0) {
470 die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'",
475 if ((q = key_getattr(0, k, "mac")) == 0) {
476 dstr_putf(&d, "%s-hmac", kk->h->name);
479 if ((kk->m = gmac_byname(q)) == 0) {
481 "message authentication code `%s' not found in key `%s'",
485 /* --- Tidy up --- */
492 /* --- @setupkem@ --- *
494 * Arguments: @kem *k@ = key-encapsulation thing
495 * @dstr *d@ = key-encapsulation data
496 * @gcipher **cx@ = key-expansion function (for IVs)
497 * @gcipher **c@ = where to put initialized encryption scheme
498 * @gmac **m@ = where to put initialized MAC
500 * Returns: Zero on success, nonzero on failure.
502 * Use: Initializes all the various symmetric things from a KEM.
505 int setupkem(kem *k, dstr *d, gcipher **cx, gcipher **c, gmac **m)
513 if (k->ops->doit(k, d, h))
515 n = keysz(GH_CLASS(h)->hashsz, k->cx->keysz);
519 *cx = GC_INIT(k->cx, kd, n);
521 cn = keysz(0, k->c->keysz); n = cn;
522 mn = keysz(0, k->m->keysz); if (mn > n) n = mn;
524 GC_ENCRYPT(*cx, 0, kd, cn);
525 *c = GC_INIT(k->c, kd, cn);
526 GC_ENCRYPT(*cx, 0, kd, mn);
527 *m = GM_KEY(k->m, kd, mn);
536 /* --- @freekem@ --- *
538 * Arguments: @kem *k@ = key-encapsulation thing
542 * Use: Frees up a key-encapsulation thing.
547 key_fetchdone(k->kp);
552 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob