crypto.c revision 1.21 
1/* $OpenBSD: crypto.c,v 1.21 2004/05/14 08:42:56 hshoexer Exp $	 */
2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3
4/*
5 * Copyright (c) 1998 Niels Provos.  All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33#include <sys/param.h>
34#include <stdlib.h>
35#include <string.h>
36
37#include "sysdep.h"
38
39#include "crypto.h"
40#include "log.h"
41
42enum cryptoerr  des1_init(struct keystate *, u_int8_t *, u_int16_t);
43enum cryptoerr  des3_init(struct keystate *, u_int8_t *, u_int16_t);
44enum cryptoerr  blf_init(struct keystate *, u_int8_t *, u_int16_t);
45enum cryptoerr  cast_init(struct keystate *, u_int8_t *, u_int16_t);
46enum cryptoerr  aes_init(struct keystate *, u_int8_t *, u_int16_t);
47void            des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
48void            des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
49void            des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
50void            des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
51void            blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
52void            blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
53void            cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
54void            cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
55void            aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
56void            aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
57
58struct crypto_xf transforms[] = {
59#ifdef USE_DES
60	{
61		DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0,
62		des1_init,
63		des1_encrypt, des1_decrypt
64	},
65#endif
66#ifdef USE_TRIPLEDES
67	{
68		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0,
69		des3_init,
70		des3_encrypt, des3_decrypt
71	},
72#endif
73#ifdef USE_BLOWFISH
74	{
75		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, BLOCKSIZE, 0,
76		blf_init,
77		blf_encrypt, blf_decrypt
78	},
79#endif
80#ifdef USE_CAST
81	{
82		CAST_CBC, "CAST (CBC-Mode)", 12, 16, BLOCKSIZE, 0,
83		cast_init,
84		cast1_encrypt, cast1_decrypt
85	},
86#endif
87#ifdef USE_AES
88	{
89		AES_CBC, "AES (CBC-Mode)", 16, 32, AES_BLOCK_SIZE, 0,
90		aes_init,
91		aes_encrypt, aes_decrypt
92	},
93#endif
94};
95
96/* Hmm, the function prototypes for des are really dumb */
97#ifdef __OpenBSD__
98#define DC	(des_cblock *)
99#else
100#define DC	(void *)
101#endif
102
103enum cryptoerr
104des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
105{
106	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
107	des_set_odd_parity(DC key);
108	switch (des_set_key(DC key, ks->ks_des[0])) {
109	case -2:
110		return EWEAKKEY;
111	default:
112		return EOKAY;
113	}
114}
115
116void
117des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
118{
119	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT);
120}
121
122void
123des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
124{
125	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT);
126}
127
128#ifdef USE_TRIPLEDES
129enum cryptoerr
130des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
131{
132	des_set_odd_parity(DC key);
133	des_set_odd_parity(DC(key + 8));
134	des_set_odd_parity(DC(key + 16));
135
136	/* As of the draft Tripe-DES does not check for weak keys */
137	des_set_key(DC key, ks->ks_des[0]);
138	des_set_key(DC(key + 8), ks->ks_des[1]);
139	des_set_key(DC(key + 16), ks->ks_des[2]);
140
141	return EOKAY;
142}
143
144void
145des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
146{
147	u_int8_t        iv[MAXBLK];
148
149	memcpy(iv, ks->riv, ks->xf->blocksize);
150	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
151	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT);
152}
153
154void
155des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
156{
157	u_int8_t        iv[MAXBLK];
158
159	memcpy(iv, ks->riv, ks->xf->blocksize);
160	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
161	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT);
162}
163#undef DC
164#endif				/* USE_TRIPLEDES */
165
166#ifdef USE_BLOWFISH
167enum cryptoerr
168blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
169{
170	blf_key(&ks->ks_blf, key, len);
171
172	return EOKAY;
173}
174
175void
176blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
177{
178	u_int16_t       i, blocksize = ks->xf->blocksize;
179	u_int8_t       *iv = ks->liv;
180	u_int32_t       xl, xr;
181
182	memcpy(iv, ks->riv, blocksize);
183
184	for (i = 0; i < len; data += blocksize, i += blocksize) {
185		XOR64(data, iv);
186		xl = GET_32BIT_BIG(data);
187		xr = GET_32BIT_BIG(data + 4);
188		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
189		SET_32BIT_BIG(data, xl);
190		SET_32BIT_BIG(data + 4, xr);
191		SET64(iv, data);
192	}
193}
194
195void
196blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
197{
198	u_int16_t       i, blocksize = ks->xf->blocksize;
199	u_int32_t       xl, xr;
200
201	data += len - blocksize;
202	for (i = len - blocksize; i >= blocksize; data -= blocksize,
203	    i -= blocksize) {
204		xl = GET_32BIT_BIG(data);
205		xr = GET_32BIT_BIG(data + 4);
206		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
207		SET_32BIT_BIG(data, xl);
208		SET_32BIT_BIG(data + 4, xr);
209		XOR64(data, data - blocksize);
210
211	}
212	xl = GET_32BIT_BIG(data);
213	xr = GET_32BIT_BIG(data + 4);
214	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
215	SET_32BIT_BIG(data, xl);
216	SET_32BIT_BIG(data + 4, xr);
217	XOR64(data, ks->riv);
218}
219#endif				/* USE_BLOWFISH */
220
221#ifdef USE_CAST
222enum cryptoerr
223cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
224{
225	cast_setkey(&ks->ks_cast, key, len);
226	return EOKAY;
227}
228
229void
230cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
231{
232	u_int16_t       i, blocksize = ks->xf->blocksize;
233	u_int8_t       *iv = ks->liv;
234
235	memcpy(iv, ks->riv, blocksize);
236
237	for (i = 0; i < len; data += blocksize, i += blocksize) {
238		XOR64(data, iv);
239		cast_encrypt(&ks->ks_cast, data, data);
240		SET64(iv, data);
241	}
242}
243
244void
245cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
246{
247	u_int16_t       i, blocksize = ks->xf->blocksize;
248
249	data += len - blocksize;
250	for (i = len - blocksize; i >= blocksize; data -= blocksize,
251	    i -= blocksize) {
252		cast_decrypt(&ks->ks_cast, data, data);
253		XOR64(data, data - blocksize);
254	}
255	cast_decrypt(&ks->ks_cast, data, data);
256	XOR64(data, ks->riv);
257}
258#endif				/* USE_CAST */
259
260#ifdef USE_AES
261enum cryptoerr
262aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
263{
264	AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]);
265	AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]);
266	return EOKAY;
267}
268
269void
270aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
271{
272	u_int8_t        iv[MAXBLK];
273
274	memcpy(iv, ks->riv, ks->xf->blocksize);
275	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
276}
277
278void
279aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
280{
281	u_int8_t        iv[MAXBLK];
282
283	memcpy(iv, ks->riv, ks->xf->blocksize);
284	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
285}
286#endif				/* USE_AES */
287
288struct crypto_xf *
289crypto_get(enum transform id)
290{
291	size_t          i;
292
293	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
294		if (id == transforms[i].id)
295			return &transforms[i];
296
297	return 0;
298}
299
300struct keystate *
301crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
302    enum cryptoerr *err)
303{
304	struct keystate *ks;
305
306	if (len < xf->keymin || len > xf->keymax) {
307		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
308		    len));
309		*err = EKEYLEN;
310		return 0;
311	}
312	ks = calloc(1, sizeof *ks);
313	if (!ks) {
314		log_error("crypto_init: calloc (1, %lu) failed",
315		    (unsigned long)sizeof *ks);
316		*err = ENOCRYPTO;
317		return 0;
318	}
319	ks->xf = xf;
320
321	/* Setup the IV.  */
322	ks->riv = ks->iv;
323	ks->liv = ks->iv2;
324
325	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));
326
327	*err = xf->init(ks, key, len);
328	if (*err != EOKAY) {
329		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
330		    xf->name));
331		free(ks);
332		return 0;
333	}
334	return ks;
335}
336
337void
338crypto_update_iv(struct keystate *ks)
339{
340	u_int8_t       *tmp;
341
342	tmp = ks->riv;
343	ks->riv = ks->liv;
344	ks->liv = tmp;
345
346	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
347	    ks->xf->blocksize));
348}
349
350void
351crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
352{
353	memcpy(ks->riv, buf, len);
354
355	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
356	    len));
357}
358
359void
360crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
361{
362	LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf,
363	    len));
364	ks->xf->encrypt(ks, buf, len);
365	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
366	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf,
367	    len));
368}
369
370void
371crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
372{
373	LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf,
374	    len));
375	/*
376	 * XXX There is controversy about the correctness of updating the IV
377	 * like this.
378         */
379	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
380	ks->xf->decrypt(ks, buf, len);
381	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf,
382	    len));
383}
384
385/* Make a copy of the keystate pointed to by OKS.  */
386struct keystate *
387crypto_clone_keystate(struct keystate *oks)
388{
389	struct keystate *ks;
390
391	ks = malloc(sizeof *ks);
392	if (!ks) {
393		log_error("crypto_clone_keystate: malloc (%lu) failed",
394		    (unsigned long)sizeof *ks);
395		return 0;
396	}
397	memcpy(ks, oks, sizeof *ks);
398	if (oks->riv == oks->iv) {
399		ks->riv = ks->iv;
400		ks->liv = ks->iv2;
401	} else {
402		ks->riv = ks->iv2;
403		ks->liv = ks->iv;
404	}
405	return ks;
406}
407