crypto.c revision 1.21
1/* $OpenBSD: crypto.c,v 1.21 2004/05/14 08:42:56 hshoexer Exp $ */ 2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1998 Niels Provos. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29/* 30 * This code was written under funding by Ericsson Radio Systems. 31 */ 32 33#include <sys/param.h> 34#include <stdlib.h> 35#include <string.h> 36 37#include "sysdep.h" 38 39#include "crypto.h" 40#include "log.h" 41 42enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t); 43enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t); 44enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t); 45enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t); 46enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t); 47void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 48void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 49void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t); 50void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t); 51void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t); 52void blf_decrypt(struct keystate *, u_int8_t *, u_int16_t); 53void cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 54void cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 55void aes_encrypt(struct keystate *, u_int8_t *, u_int16_t); 56void aes_decrypt(struct keystate *, u_int8_t *, u_int16_t); 57 58struct crypto_xf transforms[] = { 59#ifdef USE_DES 60 { 61 DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0, 62 des1_init, 63 des1_encrypt, des1_decrypt 64 }, 65#endif 66#ifdef USE_TRIPLEDES 67 { 68 TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0, 69 des3_init, 70 des3_encrypt, des3_decrypt 71 }, 72#endif 73#ifdef USE_BLOWFISH 74 { 75 BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, BLOCKSIZE, 0, 76 blf_init, 77 blf_encrypt, blf_decrypt 78 }, 79#endif 80#ifdef USE_CAST 81 { 82 CAST_CBC, "CAST (CBC-Mode)", 12, 16, BLOCKSIZE, 0, 83 cast_init, 84 cast1_encrypt, cast1_decrypt 85 }, 86#endif 87#ifdef USE_AES 88 { 89 AES_CBC, "AES (CBC-Mode)", 16, 32, AES_BLOCK_SIZE, 0, 90 aes_init, 91 aes_encrypt, aes_decrypt 92 }, 93#endif 94}; 95 96/* Hmm, the function prototypes for des are really dumb */ 97#ifdef __OpenBSD__ 98#define DC (des_cblock *) 99#else 100#define DC (void *) 101#endif 102 103enum cryptoerr 104des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 105{ 106 /* des_set_key returns -1 for parity problems, and -2 for weak keys */ 107 des_set_odd_parity(DC key); 108 switch (des_set_key(DC key, ks->ks_des[0])) { 109 case -2: 110 return EWEAKKEY; 111 default: 112 return EOKAY; 113 } 114} 115 116void 117des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 118{ 119 des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT); 120} 121 122void 123des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 124{ 125 des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT); 126} 127 128#ifdef USE_TRIPLEDES 129enum cryptoerr 130des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 131{ 132 des_set_odd_parity(DC key); 133 des_set_odd_parity(DC(key + 8)); 134 des_set_odd_parity(DC(key + 16)); 135 136 /* As of the draft Tripe-DES does not check for weak keys */ 137 des_set_key(DC key, ks->ks_des[0]); 138 des_set_key(DC(key + 8), ks->ks_des[1]); 139 des_set_key(DC(key + 16), ks->ks_des[2]); 140 141 return EOKAY; 142} 143 144void 145des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 146{ 147 u_int8_t iv[MAXBLK]; 148 149 memcpy(iv, ks->riv, ks->xf->blocksize); 150 des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], 151 ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT); 152} 153 154void 155des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 156{ 157 u_int8_t iv[MAXBLK]; 158 159 memcpy(iv, ks->riv, ks->xf->blocksize); 160 des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], 161 ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT); 162} 163#undef DC 164#endif /* USE_TRIPLEDES */ 165 166#ifdef USE_BLOWFISH 167enum cryptoerr 168blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 169{ 170 blf_key(&ks->ks_blf, key, len); 171 172 return EOKAY; 173} 174 175void 176blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 177{ 178 u_int16_t i, blocksize = ks->xf->blocksize; 179 u_int8_t *iv = ks->liv; 180 u_int32_t xl, xr; 181 182 memcpy(iv, ks->riv, blocksize); 183 184 for (i = 0; i < len; data += blocksize, i += blocksize) { 185 XOR64(data, iv); 186 xl = GET_32BIT_BIG(data); 187 xr = GET_32BIT_BIG(data + 4); 188 Blowfish_encipher(&ks->ks_blf, &xl, &xr); 189 SET_32BIT_BIG(data, xl); 190 SET_32BIT_BIG(data + 4, xr); 191 SET64(iv, data); 192 } 193} 194 195void 196blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 197{ 198 u_int16_t i, blocksize = ks->xf->blocksize; 199 u_int32_t xl, xr; 200 201 data += len - blocksize; 202 for (i = len - blocksize; i >= blocksize; data -= blocksize, 203 i -= blocksize) { 204 xl = GET_32BIT_BIG(data); 205 xr = GET_32BIT_BIG(data + 4); 206 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 207 SET_32BIT_BIG(data, xl); 208 SET_32BIT_BIG(data + 4, xr); 209 XOR64(data, data - blocksize); 210 211 } 212 xl = GET_32BIT_BIG(data); 213 xr = GET_32BIT_BIG(data + 4); 214 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 215 SET_32BIT_BIG(data, xl); 216 SET_32BIT_BIG(data + 4, xr); 217 XOR64(data, ks->riv); 218} 219#endif /* USE_BLOWFISH */ 220 221#ifdef USE_CAST 222enum cryptoerr 223cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 224{ 225 cast_setkey(&ks->ks_cast, key, len); 226 return EOKAY; 227} 228 229void 230cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 231{ 232 u_int16_t i, blocksize = ks->xf->blocksize; 233 u_int8_t *iv = ks->liv; 234 235 memcpy(iv, ks->riv, blocksize); 236 237 for (i = 0; i < len; data += blocksize, i += blocksize) { 238 XOR64(data, iv); 239 cast_encrypt(&ks->ks_cast, data, data); 240 SET64(iv, data); 241 } 242} 243 244void 245cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 246{ 247 u_int16_t i, blocksize = ks->xf->blocksize; 248 249 data += len - blocksize; 250 for (i = len - blocksize; i >= blocksize; data -= blocksize, 251 i -= blocksize) { 252 cast_decrypt(&ks->ks_cast, data, data); 253 XOR64(data, data - blocksize); 254 } 255 cast_decrypt(&ks->ks_cast, data, data); 256 XOR64(data, ks->riv); 257} 258#endif /* USE_CAST */ 259 260#ifdef USE_AES 261enum cryptoerr 262aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 263{ 264 AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]); 265 AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]); 266 return EOKAY; 267} 268 269void 270aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 271{ 272 u_int8_t iv[MAXBLK]; 273 274 memcpy(iv, ks->riv, ks->xf->blocksize); 275 AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT); 276} 277 278void 279aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 280{ 281 u_int8_t iv[MAXBLK]; 282 283 memcpy(iv, ks->riv, ks->xf->blocksize); 284 AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT); 285} 286#endif /* USE_AES */ 287 288struct crypto_xf * 289crypto_get(enum transform id) 290{ 291 size_t i; 292 293 for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) 294 if (id == transforms[i].id) 295 return &transforms[i]; 296 297 return 0; 298} 299 300struct keystate * 301crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len, 302 enum cryptoerr *err) 303{ 304 struct keystate *ks; 305 306 if (len < xf->keymin || len > xf->keymax) { 307 LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", 308 len)); 309 *err = EKEYLEN; 310 return 0; 311 } 312 ks = calloc(1, sizeof *ks); 313 if (!ks) { 314 log_error("crypto_init: calloc (1, %lu) failed", 315 (unsigned long)sizeof *ks); 316 *err = ENOCRYPTO; 317 return 0; 318 } 319 ks->xf = xf; 320 321 /* Setup the IV. */ 322 ks->riv = ks->iv; 323 ks->liv = ks->iv2; 324 325 LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len)); 326 327 *err = xf->init(ks, key, len); 328 if (*err != EOKAY) { 329 LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", 330 xf->name)); 331 free(ks); 332 return 0; 333 } 334 return ks; 335} 336 337void 338crypto_update_iv(struct keystate *ks) 339{ 340 u_int8_t *tmp; 341 342 tmp = ks->riv; 343 ks->riv = ks->liv; 344 ks->liv = tmp; 345 346 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, 347 ks->xf->blocksize)); 348} 349 350void 351crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len) 352{ 353 memcpy(ks->riv, buf, len); 354 355 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv, 356 len)); 357} 358 359void 360crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 361{ 362 LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf, 363 len)); 364 ks->xf->encrypt(ks, buf, len); 365 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 366 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf, 367 len)); 368} 369 370void 371crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 372{ 373 LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf, 374 len)); 375 /* 376 * XXX There is controversy about the correctness of updating the IV 377 * like this. 378 */ 379 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 380 ks->xf->decrypt(ks, buf, len); 381 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf, 382 len)); 383} 384 385/* Make a copy of the keystate pointed to by OKS. */ 386struct keystate * 387crypto_clone_keystate(struct keystate *oks) 388{ 389 struct keystate *ks; 390 391 ks = malloc(sizeof *ks); 392 if (!ks) { 393 log_error("crypto_clone_keystate: malloc (%lu) failed", 394 (unsigned long)sizeof *ks); 395 return 0; 396 } 397 memcpy(ks, oks, sizeof *ks); 398 if (oks->riv == oks->iv) { 399 ks->riv = ks->iv; 400 ks->liv = ks->iv2; 401 } else { 402 ks->riv = ks->iv2; 403 ks->liv = ks->iv; 404 } 405 return ks; 406} 407