crypto.c revision 1.22 
1/* $OpenBSD: crypto.c,v 1.22 2004/06/14 09:55:41 ho Exp $	 */
2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3
4/*
5 * Copyright (c) 1998 Niels Provos.  All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33#include <sys/param.h>
34#include <stdlib.h>
35#include <string.h>
36
37#include "sysdep.h"
38
39#include "crypto.h"
40#include "log.h"
41
42enum cryptoerr  des1_init(struct keystate *, u_int8_t *, u_int16_t);
43enum cryptoerr  des3_init(struct keystate *, u_int8_t *, u_int16_t);
44enum cryptoerr  blf_init(struct keystate *, u_int8_t *, u_int16_t);
45enum cryptoerr  cast_init(struct keystate *, u_int8_t *, u_int16_t);
46enum cryptoerr  aes_init(struct keystate *, u_int8_t *, u_int16_t);
47void            des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
48void            des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
49void            des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
50void            des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
51void            blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
52void            blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
53void            cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
54void            cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
55void            aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
56void            aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
57
58struct crypto_xf transforms[] = {
59#ifdef USE_DES
60	{
61		DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8,
62		BLOCKSIZE, 0,
63		des1_init,
64		des1_encrypt, des1_decrypt
65	},
66#endif
67#ifdef USE_TRIPLEDES
68	{
69		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
70		BLOCKSIZE, 0,
71		des3_init,
72		des3_encrypt, des3_decrypt
73	},
74#endif
75#ifdef USE_BLOWFISH
76	{
77		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
78		BLOCKSIZE, 0,
79		blf_init,
80		blf_encrypt, blf_decrypt
81	},
82#endif
83#ifdef USE_CAST
84	{
85		CAST_CBC, "CAST (CBC-Mode)", 12, 16,
86		BLOCKSIZE, 0,
87		cast_init,
88		cast1_encrypt, cast1_decrypt
89	},
90#endif
91#ifdef USE_AES
92	{
93		AES_CBC, "AES (CBC-Mode)", 16, 32,
94		AES_BLOCK_SIZE, 0,
95		aes_init,
96		aes_encrypt, aes_decrypt
97	},
98#endif
99};
100
101/* Hmm, the function prototypes for des are really dumb */
102#ifdef __OpenBSD__
103#define DC	(des_cblock *)
104#else
105#define DC	(void *)
106#endif
107
108enum cryptoerr
109des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
110{
111	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
112	des_set_odd_parity(DC key);
113	switch (des_set_key(DC key, ks->ks_des[0])) {
114	case -2:
115		return EWEAKKEY;
116	default:
117		return EOKAY;
118	}
119}
120
121void
122des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
123{
124	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
125	    DES_ENCRYPT);
126}
127
128void
129des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
130{
131	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
132	    DES_DECRYPT);
133}
134
135#ifdef USE_TRIPLEDES
136enum cryptoerr
137des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
138{
139	des_set_odd_parity(DC key);
140	des_set_odd_parity(DC(key + 8));
141	des_set_odd_parity(DC(key + 16));
142
143	/* As of the draft Tripe-DES does not check for weak keys */
144	des_set_key(DC key, ks->ks_des[0]);
145	des_set_key(DC(key + 8), ks->ks_des[1]);
146	des_set_key(DC(key + 16), ks->ks_des[2]);
147
148	return EOKAY;
149}
150
151void
152des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
153{
154	u_int8_t        iv[MAXBLK];
155
156	memcpy(iv, ks->riv, ks->xf->blocksize);
157	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
158	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT);
159}
160
161void
162des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
163{
164	u_int8_t        iv[MAXBLK];
165
166	memcpy(iv, ks->riv, ks->xf->blocksize);
167	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
168	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT);
169}
170#undef DC
171#endif				/* USE_TRIPLEDES */
172
173#ifdef USE_BLOWFISH
174enum cryptoerr
175blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
176{
177	blf_key(&ks->ks_blf, key, len);
178
179	return EOKAY;
180}
181
182void
183blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
184{
185	u_int16_t       i, blocksize = ks->xf->blocksize;
186	u_int8_t       *iv = ks->liv;
187	u_int32_t       xl, xr;
188
189	memcpy(iv, ks->riv, blocksize);
190
191	for (i = 0; i < len; data += blocksize, i += blocksize) {
192		XOR64(data, iv);
193		xl = GET_32BIT_BIG(data);
194		xr = GET_32BIT_BIG(data + 4);
195		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
196		SET_32BIT_BIG(data, xl);
197		SET_32BIT_BIG(data + 4, xr);
198		SET64(iv, data);
199	}
200}
201
202void
203blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
204{
205	u_int16_t       i, blocksize = ks->xf->blocksize;
206	u_int32_t       xl, xr;
207
208	data += len - blocksize;
209	for (i = len - blocksize; i >= blocksize; data -= blocksize,
210	    i -= blocksize) {
211		xl = GET_32BIT_BIG(data);
212		xr = GET_32BIT_BIG(data + 4);
213		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
214		SET_32BIT_BIG(data, xl);
215		SET_32BIT_BIG(data + 4, xr);
216		XOR64(data, data - blocksize);
217
218	}
219	xl = GET_32BIT_BIG(data);
220	xr = GET_32BIT_BIG(data + 4);
221	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
222	SET_32BIT_BIG(data, xl);
223	SET_32BIT_BIG(data + 4, xr);
224	XOR64(data, ks->riv);
225}
226#endif				/* USE_BLOWFISH */
227
228#ifdef USE_CAST
229enum cryptoerr
230cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
231{
232	cast_setkey(&ks->ks_cast, key, len);
233	return EOKAY;
234}
235
236void
237cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
238{
239	u_int16_t       i, blocksize = ks->xf->blocksize;
240	u_int8_t       *iv = ks->liv;
241
242	memcpy(iv, ks->riv, blocksize);
243
244	for (i = 0; i < len; data += blocksize, i += blocksize) {
245		XOR64(data, iv);
246		cast_encrypt(&ks->ks_cast, data, data);
247		SET64(iv, data);
248	}
249}
250
251void
252cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
253{
254	u_int16_t       i, blocksize = ks->xf->blocksize;
255
256	data += len - blocksize;
257	for (i = len - blocksize; i >= blocksize; data -= blocksize,
258	    i -= blocksize) {
259		cast_decrypt(&ks->ks_cast, data, data);
260		XOR64(data, data - blocksize);
261	}
262	cast_decrypt(&ks->ks_cast, data, data);
263	XOR64(data, ks->riv);
264}
265#endif				/* USE_CAST */
266
267#ifdef USE_AES
268enum cryptoerr
269aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
270{
271	AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]);
272	AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]);
273	return EOKAY;
274}
275
276void
277aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
278{
279	u_int8_t        iv[MAXBLK];
280
281	memcpy(iv, ks->riv, ks->xf->blocksize);
282	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
283}
284
285void
286aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
287{
288	u_int8_t        iv[MAXBLK];
289
290	memcpy(iv, ks->riv, ks->xf->blocksize);
291	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
292}
293#endif				/* USE_AES */
294
295struct crypto_xf *
296crypto_get(enum transform id)
297{
298	size_t          i;
299
300	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
301		if (id == transforms[i].id)
302			return &transforms[i];
303
304	return 0;
305}
306
307struct keystate *
308crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
309    enum cryptoerr *err)
310{
311	struct keystate *ks;
312
313	if (len < xf->keymin || len > xf->keymax) {
314		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
315		    len));
316		*err = EKEYLEN;
317		return 0;
318	}
319	ks = calloc(1, sizeof *ks);
320	if (!ks) {
321		log_error("crypto_init: calloc (1, %lu) failed",
322		    (unsigned long)sizeof *ks);
323		*err = ENOCRYPTO;
324		return 0;
325	}
326	ks->xf = xf;
327
328	/* Setup the IV.  */
329	ks->riv = ks->iv;
330	ks->liv = ks->iv2;
331
332	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));
333
334	*err = xf->init(ks, key, len);
335	if (*err != EOKAY) {
336		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
337		    xf->name));
338		free(ks);
339		return 0;
340	}
341	return ks;
342}
343
344void
345crypto_update_iv(struct keystate *ks)
346{
347	u_int8_t       *tmp;
348
349	tmp = ks->riv;
350	ks->riv = ks->liv;
351	ks->liv = tmp;
352
353	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
354	    ks->xf->blocksize));
355}
356
357void
358crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
359{
360	memcpy(ks->riv, buf, len);
361
362	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
363	    len));
364}
365
366void
367crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
368{
369	LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf,
370	    len));
371	ks->xf->encrypt(ks, buf, len);
372	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
373	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf,
374	    len));
375}
376
377void
378crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
379{
380	LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf,
381	    len));
382	/*
383	 * XXX There is controversy about the correctness of updating the IV
384	 * like this.
385         */
386	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
387	ks->xf->decrypt(ks, buf, len);
388	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf,
389	    len));
390}
391
392/* Make a copy of the keystate pointed to by OKS.  */
393struct keystate *
394crypto_clone_keystate(struct keystate *oks)
395{
396	struct keystate *ks;
397
398	ks = malloc(sizeof *ks);
399	if (!ks) {
400		log_error("crypto_clone_keystate: malloc (%lu) failed",
401		    (unsigned long)sizeof *ks);
402		return 0;
403	}
404	memcpy(ks, oks, sizeof *ks);
405	if (oks->riv == oks->iv) {
406		ks->riv = ks->iv;
407		ks->liv = ks->iv2;
408	} else {
409		ks->riv = ks->iv2;
410		ks->liv = ks->iv;
411	}
412	return ks;
413}
414