1
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
3
* LibTomCrypt is a library that provides various cryptographic
4
* algorithms in a highly modular and flexible manner.
6
* The library is free for all purposes without any express
9
* Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.org
14
DH Crypto, Tom St Denis
18
Encrypt a short symmetric key with a public DH key
19
@param in The symmetric key to encrypt
20
@param inlen The length of the key (octets)
21
@param out [out] The ciphertext
22
@param outlen [in/out] The max size and resulting size of the ciphertext
23
@param prng An active PRNG state
24
@param wprng The index of the PRNG desired
25
@param hash The index of the hash desired (must produce a digest of size >= the size of the plaintext)
26
@param key The public key you wish to encrypt with.
27
@return CRYPT_OK if successful
29
int dh_encrypt_key(const unsigned char *in, unsigned long inlen,
30
unsigned char *out, unsigned long *outlen,
31
prng_state *prng, int wprng, int hash,
34
unsigned char *pub_expt, *dh_shared, *skey;
36
unsigned long x, y, z, hashsize, pubkeysize;
39
LTC_ARGCHK(in != NULL);
40
LTC_ARGCHK(out != NULL);
41
LTC_ARGCHK(outlen != NULL);
42
LTC_ARGCHK(key != NULL);
44
/* check that wprng/hash are not invalid */
45
if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
49
if ((err = hash_is_valid(hash)) != CRYPT_OK) {
53
if (inlen > hash_descriptor[hash].hashsize) {
54
return CRYPT_INVALID_HASH;
58
pub_expt = XMALLOC(DH_BUF_SIZE);
59
dh_shared = XMALLOC(DH_BUF_SIZE);
60
skey = XMALLOC(MAXBLOCKSIZE);
61
if (pub_expt == NULL || dh_shared == NULL || skey == NULL) {
62
if (pub_expt != NULL) {
65
if (dh_shared != NULL) {
74
/* make a random key and export the public copy */
75
if ((err = dh_make_key(prng, wprng, dh_get_size(key), &pubkey)) != CRYPT_OK) {
79
pubkeysize = DH_BUF_SIZE;
80
if ((err = dh_export(pub_expt, &pubkeysize, PK_PUBLIC, &pubkey)) != CRYPT_OK) {
85
/* now check if the out buffer is big enough */
86
if (*outlen < (1 + 4 + 4 + PACKET_SIZE + pubkeysize + inlen)) {
88
err = CRYPT_BUFFER_OVERFLOW;
93
hashsize = hash_descriptor[hash].hashsize;
96
if ((err = dh_shared_secret(&pubkey, key, dh_shared, &x)) != CRYPT_OK) {
103
if ((err = hash_memory(hash, dh_shared, x, skey, &z)) != CRYPT_OK) {
108
packet_store_header(out, PACKET_SECT_DH, PACKET_SUB_ENC_KEY);
113
/* size of hash name and the name itself */
114
out[y++] = hash_descriptor[hash].ID;
116
/* length of DH pubkey and the key itself */
117
STORE32L(pubkeysize, out+y);
119
for (x = 0; x < pubkeysize; x++, y++) {
120
out[y] = pub_expt[x];
123
/* Store the encrypted key */
124
STORE32L(inlen, out+y);
127
for (x = 0; x < inlen; x++, y++) {
128
out[y] = skey[x] ^ in[x];
134
#ifdef LTC_CLEAN_STACK
136
zeromem(pub_expt, DH_BUF_SIZE);
137
zeromem(dh_shared, DH_BUF_SIZE);
138
zeromem(skey, MAXBLOCKSIZE);
148
Decrypt a DH encrypted symmetric key
149
@param in The DH encrypted packet
150
@param inlen The length of the DH encrypted packet
151
@param out The plaintext
152
@param outlen [in/out] The max size and resulting size of the plaintext
153
@param key The private DH key corresponding to the public key that encrypted the plaintext
154
@return CRYPT_OK if successful
156
int dh_decrypt_key(const unsigned char *in, unsigned long inlen,
157
unsigned char *out, unsigned long *outlen,
160
unsigned char *shared_secret, *skey;
161
unsigned long x, y, z, hashsize, keysize;
165
LTC_ARGCHK(in != NULL);
166
LTC_ARGCHK(out != NULL);
167
LTC_ARGCHK(outlen != NULL);
168
LTC_ARGCHK(key != NULL);
170
/* right key type? */
171
if (key->type != PK_PRIVATE) {
172
return CRYPT_PK_NOT_PRIVATE;
176
shared_secret = XMALLOC(DH_BUF_SIZE);
177
skey = XMALLOC(MAXBLOCKSIZE);
178
if (shared_secret == NULL || skey == NULL) {
179
if (shared_secret != NULL) {
180
XFREE(shared_secret);
188
/* check if initial header should fit */
189
if (inlen < PACKET_SIZE+1+4+4) {
190
err = CRYPT_INVALID_PACKET;
193
inlen -= PACKET_SIZE+1+4+4;
196
/* is header correct? */
197
if ((err = packet_valid_header((unsigned char *)in, PACKET_SECT_DH, PACKET_SUB_ENC_KEY)) != CRYPT_OK) {
201
/* now lets get the hash name */
203
hash = find_hash_id(in[y++]);
205
err = CRYPT_INVALID_HASH;
210
hashsize = hash_descriptor[hash].hashsize;
215
/* now check if the imported key will fit */
217
err = CRYPT_INVALID_PACKET;
224
if ((err = dh_import(in+y, x, &pubkey)) != CRYPT_OK) {
229
/* make shared key */
231
if ((err = dh_shared_secret(key, &pubkey, shared_secret, &x)) != CRYPT_OK) {
238
if ((err = hash_memory(hash, shared_secret, x, skey, &z)) != CRYPT_OK) {
242
/* load in the encrypted key */
243
LOAD32L(keysize, in+y);
245
/* will the out fit as part of the input */
246
if (inlen < keysize) {
247
err = CRYPT_INVALID_PACKET;
253
if (keysize > *outlen) {
254
err = CRYPT_BUFFER_OVERFLOW;
261
for (x = 0; x < keysize; x++, y++) {
262
out[x] = skey[x] ^ in[y];
267
#ifdef LTC_CLEAN_STACK
268
zeromem(shared_secret, DH_BUF_SIZE);
269
zeromem(skey, MAXBLOCKSIZE);
273
XFREE(shared_secret);
278
/* perform an ElGamal Signature of a hash
280
* The math works as follows. x is the private key, M is the message to sign
283
2. compute a = g^k mod p
284
3. compute b = (M - xa)/k mod p
287
Now to verify with y=g^x mod p, a and b
289
1. compute y^a * a^b = g^(xa) * g^(k*(M-xa)/k)
293
2. Compare against g^M mod p [based on input hash].
294
3. If result of #2 == result of #1 then signature valid
298
Sign a message digest using a DH private key
299
@param in The data to sign
300
@param inlen The length of the input (octets)
301
@param out [out] The destination of the signature
302
@param outlen [in/out] The max size and resulting size of the output
303
@param prng An active PRNG state
304
@param wprng The index of the PRNG desired
305
@param key A private DH key
306
@return CRYPT_OK if successful
308
int dh_sign_hash(const unsigned char *in, unsigned long inlen,
309
unsigned char *out, unsigned long *outlen,
310
prng_state *prng, int wprng, dh_key *key)
312
mp_int a, b, k, m, g, p, p1, tmp;
317
LTC_ARGCHK(in != NULL);
318
LTC_ARGCHK(out != NULL);
319
LTC_ARGCHK(outlen != NULL);
320
LTC_ARGCHK(key != NULL);
322
/* check parameters */
323
if (key->type != PK_PRIVATE) {
324
return CRYPT_PK_NOT_PRIVATE;
327
if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
331
/* is the IDX valid ? */
332
if (is_valid_idx(key->idx) != 1) {
333
return CRYPT_PK_INVALID_TYPE;
336
/* allocate ram for buf */
339
/* make up a random value k,
340
* since the order of the group is prime
341
* we need not check if gcd(k, r) is 1
343
if (prng_descriptor[wprng].read(buf, sets[key->idx].size, prng) !=
344
(unsigned long)(sets[key->idx].size)) {
345
err = CRYPT_ERROR_READPRNG;
350
if ((err = mp_init_multi(&a, &b, &k, &m, &p, &g, &p1, &tmp, NULL)) != MP_OKAY) {
351
err = mpi_to_ltc_error(err);
356
if ((err = mp_read_unsigned_bin(&m, (unsigned char *)in, inlen)) != MP_OKAY) { goto error; }
357
if ((err = mp_read_unsigned_bin(&k, buf, sets[key->idx].size)) != MP_OKAY) { goto error; }
359
/* load g, p and p1 */
360
if ((err = mp_read_radix(&g, sets[key->idx].base, 64)) != MP_OKAY) { goto error; }
361
if ((err = mp_read_radix(&p, sets[key->idx].prime, 64)) != MP_OKAY) { goto error; }
362
if ((err = mp_sub_d(&p, 1, &p1)) != MP_OKAY) { goto error; }
363
if ((err = mp_div_2(&p1, &p1)) != MP_OKAY) { goto error; } /* p1 = (p-1)/2 */
365
/* now get a = g^k mod p */
366
if ((err = mp_exptmod(&g, &k, &p, &a)) != MP_OKAY) { goto error; }
368
/* now find M = xa + kb mod p1 or just b = (M - xa)/k mod p1 */
369
if ((err = mp_invmod(&k, &p1, &k)) != MP_OKAY) { goto error; } /* k = 1/k mod p1 */
370
if ((err = mp_mulmod(&a, &key->x, &p1, &tmp)) != MP_OKAY) { goto error; } /* tmp = xa */
371
if ((err = mp_submod(&m, &tmp, &p1, &tmp)) != MP_OKAY) { goto error; } /* tmp = M - xa */
372
if ((err = mp_mulmod(&k, &tmp, &p1, &b)) != MP_OKAY) { goto error; } /* b = (M - xa)/k */
374
/* check for overflow */
375
if ((unsigned long)(PACKET_SIZE + 4 + 4 + mp_unsigned_bin_size(&a) + mp_unsigned_bin_size(&b)) > *outlen) {
376
err = CRYPT_BUFFER_OVERFLOW;
383
/* now store them both (a,b) */
384
x = (unsigned long)mp_unsigned_bin_size(&a);
385
STORE32L(x, out+y); y += 4;
386
if ((err = mp_to_unsigned_bin(&a, out+y)) != MP_OKAY) { goto error; }
389
x = (unsigned long)mp_unsigned_bin_size(&b);
390
STORE32L(x, out+y); y += 4;
391
if ((err = mp_to_unsigned_bin(&b, out+y)) != MP_OKAY) { goto error; }
394
/* check if size too big */
396
err = CRYPT_BUFFER_OVERFLOW;
401
packet_store_header(out, PACKET_SECT_DH, PACKET_SUB_SIGNED);
407
err = mpi_to_ltc_error(err);
409
mp_clear_multi(&tmp, &p1, &g, &p, &m, &k, &b, &a, NULL);
418
Verify the signature given
419
@param sig The signature
420
@param siglen The length of the signature (octets)
421
@param hash The hash that was signed
422
@param hashlen The length of the hash (octets)
423
@param stat [out] Result of signature comparison, 1==valid, 0==invalid
424
@param key The public DH key that signed the hash
425
@return CRYPT_OK if succsessful (even if signature is invalid)
427
int dh_verify_hash(const unsigned char *sig, unsigned long siglen,
428
const unsigned char *hash, unsigned long hashlen,
429
int *stat, dh_key *key)
431
mp_int a, b, p, g, m, tmp;
435
LTC_ARGCHK(sig != NULL);
436
LTC_ARGCHK(hash != NULL);
437
LTC_ARGCHK(stat != NULL);
438
LTC_ARGCHK(key != NULL);
440
/* default to invalid */
443
/* check initial input length */
444
if (siglen < PACKET_SIZE+4+4) {
445
return CRYPT_INVALID_PACKET;
449
if ((err = packet_valid_header((unsigned char *)sig, PACKET_SECT_DH, PACKET_SUB_SIGNED)) != CRYPT_OK) {
453
/* get hash out of packet */
456
/* init all bignums */
457
if ((err = mp_init_multi(&a, &p, &b, &g, &m, &tmp, NULL)) != MP_OKAY) {
458
return mpi_to_ltc_error(err);
462
INPUT_BIGNUM(&a, sig, x, y, siglen);
463
INPUT_BIGNUM(&b, sig, x, y, siglen);
466
if ((err = mp_read_radix(&p, sets[key->idx].prime, 64)) != MP_OKAY) { goto error1; }
467
if ((err = mp_read_radix(&g, sets[key->idx].base, 64)) != MP_OKAY) { goto error1; }
470
if ((err = mp_read_unsigned_bin(&m, (unsigned char *)hash, hashlen)) != MP_OKAY) { goto error1; }
473
if ((err = mp_exptmod(&g, &m, &p, &m)) != MP_OKAY) { goto error1; } /* m = g^m mod p */
476
if ((err = mp_exptmod(&key->y, &a, &p, &tmp)) != MP_OKAY) { goto error1; } /* tmp = y^a mod p */
477
if ((err = mp_exptmod(&a, &b, &p, &a)) != MP_OKAY) { goto error1; } /* a = a^b mod p */
478
if ((err = mp_mulmod(&a, &tmp, &p, &a)) != MP_OKAY) { goto error1; } /* a = y^a * a^b mod p */
480
/* y^a * a^b == g^m ??? */
481
if (mp_cmp(&a, &m) == 0) {
489
err = mpi_to_ltc_error(err);
492
mp_clear_multi(&tmp, &m, &g, &p, &b, &a, NULL);
497
/* $Source: /cvs/libtom/libtomcrypt/src/pk/dh/dh_sys.c,v $ */
498
/* $Revision: 1.3 $ */
499
/* $Date: 2005/05/05 14:35:59 $ */