crypto.c revision 1.20 
1/* $OpenBSD: crypto.c,v 1.20 2004/04/15 18:39:25 deraadt Exp $	 */
2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3
4/*
5 * Copyright (c) 1998 Niels Provos.  All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33#include <sys/param.h>
34#include <stdlib.h>
35#include <string.h>
36
37#include "sysdep.h"
38
39#include "crypto.h"
40#include "log.h"
41
42enum cryptoerr  des1_init(struct keystate *, u_int8_t *, u_int16_t);
43enum cryptoerr  des3_init(struct keystate *, u_int8_t *, u_int16_t);
44enum cryptoerr  blf_init(struct keystate *, u_int8_t *, u_int16_t);
45enum cryptoerr  cast_init(struct keystate *, u_int8_t *, u_int16_t);
46enum cryptoerr  aes_init(struct keystate *, u_int8_t *, u_int16_t);
47void            des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
48void            des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
49void            des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
50void            des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
51void            blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
52void            blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
53void            cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
54void            cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
55void            aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
56void            aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
57
58struct crypto_xf transforms[] = {
59#ifdef USE_DES
60	{
61		DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0,
62		des1_init,
63		des1_encrypt, des1_decrypt
64	},
65#endif
66#ifdef USE_TRIPLEDES
67	{
68		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0,
69		des3_init,
70		des3_encrypt, des3_decrypt
71	},
72#endif
73#ifdef USE_BLOWFISH
74	{
75		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, BLOCKSIZE, 0,
76		blf_init,
77		blf_encrypt, blf_decrypt
78	},
79#endif
80#ifdef USE_CAST
81	{
82		CAST_CBC, "CAST (CBC-Mode)", 12, 16, BLOCKSIZE, 0,
83		cast_init,
84		cast1_encrypt, cast1_decrypt
85	},
86#endif
87#ifdef USE_AES
88	{
89		AES_CBC, "AES (CBC-Mode)", 16, 32, AES_BLOCK_SIZE, 0,
90		aes_init,
91		aes_encrypt, aes_decrypt
92	},
93#endif
94};
95
96/* Hmm, the function prototypes for des are really dumb */
97#ifdef __OpenBSD__
98#define DC	(des_cblock *)
99#else
100#define DC	(void *)
101#endif
102
103enum cryptoerr
104des1_init(struct keystate * ks, u_int8_t * key, u_int16_t len)
105{
106	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
107	des_set_odd_parity(DC key);
108	switch (des_set_key(DC key, ks->ks_des[0])) {
109	case -2:
110		return EWEAKKEY;
111	default:
112		return EOKAY;
113	}
114}
115
116void
117des1_encrypt(struct keystate * ks, u_int8_t * d, u_int16_t len)
118{
119	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT);
120}
121
122void
123des1_decrypt(struct keystate * ks, u_int8_t * d, u_int16_t len)
124{
125	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT);
126}
127
128#ifdef USE_TRIPLEDES
129enum cryptoerr
130des3_init(struct keystate * ks, u_int8_t * key, u_int16_t len)
131{
132	des_set_odd_parity(DC key);
133	des_set_odd_parity(DC(key + 8));
134	des_set_odd_parity(DC(key + 16));
135
136	/* As of the draft Tripe-DES does not check for weak keys */
137	des_set_key(DC key, ks->ks_des[0]);
138	des_set_key(DC(key + 8), ks->ks_des[1]);
139	des_set_key(DC(key + 16), ks->ks_des[2]);
140
141	return EOKAY;
142}
143
144void
145des3_encrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
146{
147	u_int8_t        iv[MAXBLK];
148
149	memcpy(iv, ks->riv, ks->xf->blocksize);
150	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], ks->ks_des[1],
151			     ks->ks_des[2], DC iv, DES_ENCRYPT);
152}
153
154void
155des3_decrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
156{
157	u_int8_t        iv[MAXBLK];
158
159	memcpy(iv, ks->riv, ks->xf->blocksize);
160	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], ks->ks_des[1],
161			     ks->ks_des[2], DC iv, DES_DECRYPT);
162}
163#undef DC
164#endif				/* USE_TRIPLEDES */
165
166#ifdef USE_BLOWFISH
167enum cryptoerr
168blf_init(struct keystate * ks, u_int8_t * key, u_int16_t len)
169{
170	blf_key(&ks->ks_blf, key, len);
171
172	return EOKAY;
173}
174
175void
176blf_encrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
177{
178	u_int16_t       i, blocksize = ks->xf->blocksize;
179	u_int8_t       *iv = ks->liv;
180	u_int32_t       xl, xr;
181
182	memcpy(iv, ks->riv, blocksize);
183
184	for (i = 0; i < len; data += blocksize, i += blocksize) {
185		XOR64(data, iv);
186		xl = GET_32BIT_BIG(data);
187		xr = GET_32BIT_BIG(data + 4);
188		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
189		SET_32BIT_BIG(data, xl);
190		SET_32BIT_BIG(data + 4, xr);
191		SET64(iv, data);
192	}
193}
194
195void
196blf_decrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
197{
198	u_int16_t       i, blocksize = ks->xf->blocksize;
199	u_int32_t       xl, xr;
200
201	data += len - blocksize;
202	for (i = len - blocksize; i >= blocksize; data -= blocksize, i -= blocksize) {
203		xl = GET_32BIT_BIG(data);
204		xr = GET_32BIT_BIG(data + 4);
205		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
206		SET_32BIT_BIG(data, xl);
207		SET_32BIT_BIG(data + 4, xr);
208		XOR64(data, data - blocksize);
209
210	}
211	xl = GET_32BIT_BIG(data);
212	xr = GET_32BIT_BIG(data + 4);
213	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
214	SET_32BIT_BIG(data, xl);
215	SET_32BIT_BIG(data + 4, xr);
216	XOR64(data, ks->riv);
217}
218#endif				/* USE_BLOWFISH */
219
220#ifdef USE_CAST
221enum cryptoerr
222cast_init(struct keystate * ks, u_int8_t * key, u_int16_t len)
223{
224	cast_setkey(&ks->ks_cast, key, len);
225	return EOKAY;
226}
227
228void
229cast1_encrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
230{
231	u_int16_t       i, blocksize = ks->xf->blocksize;
232	u_int8_t       *iv = ks->liv;
233
234	memcpy(iv, ks->riv, blocksize);
235
236	for (i = 0; i < len; data += blocksize, i += blocksize) {
237		XOR64(data, iv);
238		cast_encrypt(&ks->ks_cast, data, data);
239		SET64(iv, data);
240	}
241}
242
243void
244cast1_decrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
245{
246	u_int16_t       i, blocksize = ks->xf->blocksize;
247
248	data += len - blocksize;
249	for (i = len - blocksize; i >= blocksize; data -= blocksize, i -= blocksize) {
250		cast_decrypt(&ks->ks_cast, data, data);
251		XOR64(data, data - blocksize);
252	}
253	cast_decrypt(&ks->ks_cast, data, data);
254	XOR64(data, ks->riv);
255}
256#endif				/* USE_CAST */
257
258#ifdef USE_AES
259enum cryptoerr
260aes_init(struct keystate * ks, u_int8_t * key, u_int16_t len)
261{
262	AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]);
263	AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]);
264	return EOKAY;
265}
266
267void
268aes_encrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
269{
270	u_int8_t        iv[MAXBLK];
271
272	memcpy(iv, ks->riv, ks->xf->blocksize);
273	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
274}
275
276void
277aes_decrypt(struct keystate * ks, u_int8_t * data, u_int16_t len)
278{
279	u_int8_t        iv[MAXBLK];
280
281	memcpy(iv, ks->riv, ks->xf->blocksize);
282	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
283}
284#endif				/* USE_AES */
285
286struct crypto_xf *
287crypto_get(enum transform id)
288{
289	size_t          i;
290
291	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
292		if (id == transforms[i].id)
293			return &transforms[i];
294
295	return 0;
296}
297
298struct keystate *
299crypto_init(struct crypto_xf * xf, u_int8_t * key, u_int16_t len,
300	    enum cryptoerr * err)
301{
302	struct keystate *ks;
303
304	if (len < xf->keymin || len > xf->keymax) {
305		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", len));
306		*err = EKEYLEN;
307		return 0;
308	}
309	ks = calloc(1, sizeof *ks);
310	if (!ks) {
311		log_error("crypto_init: calloc (1, %lu) failed",
312			  (unsigned long) sizeof *ks);
313		*err = ENOCRYPTO;
314		return 0;
315	}
316	ks->xf = xf;
317
318	/* Setup the IV.  */
319	ks->riv = ks->iv;
320	ks->liv = ks->iv2;
321
322	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));
323
324	*err = xf->init(ks, key, len);
325	if (*err != EOKAY) {
326		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
327			 xf->name));
328		free(ks);
329		return 0;
330	}
331	return ks;
332}
333
334void
335crypto_update_iv(struct keystate * ks)
336{
337	u_int8_t       *tmp;
338
339	tmp = ks->riv;
340	ks->riv = ks->liv;
341	ks->liv = tmp;
342
343	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
344		     ks->xf->blocksize));
345}
346
347void
348crypto_init_iv(struct keystate * ks, u_int8_t * buf, size_t len)
349{
350	memcpy(ks->riv, buf, len);
351
352	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
353		     len));
354}
355
356void
357crypto_encrypt(struct keystate * ks, u_int8_t * buf, u_int16_t len)
358{
359	LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf,
360		     len));
361	ks->xf->encrypt(ks, buf, len);
362	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
363	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf,
364		     len));
365}
366
367void
368crypto_decrypt(struct keystate * ks, u_int8_t * buf, u_int16_t len)
369{
370	LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf,
371		     len));
372	/*
373	 * XXX There is controversy about the correctness of updating the IV
374	 * like this.
375         */
376	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
377	ks->xf->decrypt(ks, buf, len);
378	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf,
379		     len));
380}
381
382/* Make a copy of the keystate pointed to by OKS.  */
383struct keystate *
384crypto_clone_keystate(struct keystate * oks)
385{
386	struct keystate *ks;
387
388	ks = malloc(sizeof *ks);
389	if (!ks) {
390		log_error("crypto_clone_keystate: malloc (%lu) failed",
391			  (unsigned long) sizeof *ks);
392		return 0;
393	}
394	memcpy(ks, oks, sizeof *ks);
395	if (oks->riv == oks->iv) {
396		ks->riv = ks->iv;
397		ks->liv = ks->iv2;
398	} else {
399		ks->riv = ks->iv2;
400		ks->liv = ks->iv;
401	}
402	return ks;
403}
404