crypto.c revision 1.25 
1/* $OpenBSD: crypto.c,v 1.25 2005/04/08 16:06:25 deraadt Exp $	 */
2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3
4/*
5 * Copyright (c) 1998 Niels Provos.  All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33#include <sys/param.h>
34#include <stdlib.h>
35#include <string.h>
36
37#include "sysdep.h"
38
39#include "crypto.h"
40#include "log.h"
41
42enum cryptoerr  des1_init(struct keystate *, u_int8_t *, u_int16_t);
43enum cryptoerr  des3_init(struct keystate *, u_int8_t *, u_int16_t);
44enum cryptoerr  blf_init(struct keystate *, u_int8_t *, u_int16_t);
45enum cryptoerr  cast_init(struct keystate *, u_int8_t *, u_int16_t);
46enum cryptoerr  aes_init(struct keystate *, u_int8_t *, u_int16_t);
47void            des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
48void            des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
49void            des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
50void            des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
51void            blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
52void            blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
53void            cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
54void            cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
55void            aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
56void            aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
57
58struct crypto_xf transforms[] = {
59#ifdef USE_DES
60	{
61		DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8,
62		BLOCKSIZE, 0,
63		des1_init,
64		des1_encrypt, des1_decrypt
65	},
66#endif
67#ifdef USE_TRIPLEDES
68	{
69		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
70		BLOCKSIZE, 0,
71		des3_init,
72		des3_encrypt, des3_decrypt
73	},
74#endif
75	{
76		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
77		BLOCKSIZE, 0,
78		blf_init,
79		blf_encrypt, blf_decrypt
80	},
81	{
82		CAST_CBC, "CAST (CBC-Mode)", 12, 16,
83		BLOCKSIZE, 0,
84		cast_init,
85		cast1_encrypt, cast1_decrypt
86	},
87	{
88		AES_CBC, "AES (CBC-Mode)", 16, 32,
89		AES_BLOCK_SIZE, 0,
90		aes_init,
91		aes_encrypt, aes_decrypt
92	},
93};
94
95/* Hmm, the function prototypes for des are really dumb */
96#ifdef __OpenBSD__
97#define DC	(des_cblock *)
98#else
99#define DC	(void *)
100#endif
101
102enum cryptoerr
103des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
104{
105	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
106	des_set_odd_parity(DC key);
107	switch (des_set_key(DC key, ks->ks_des[0])) {
108	case -2:
109		return EWEAKKEY;
110	default:
111		return EOKAY;
112	}
113}
114
115void
116des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
117{
118	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
119	    DES_ENCRYPT);
120}
121
122void
123des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
124{
125	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
126	    DES_DECRYPT);
127}
128
129#ifdef USE_TRIPLEDES
130enum cryptoerr
131des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
132{
133	des_set_odd_parity(DC key);
134	des_set_odd_parity(DC(key + 8));
135	des_set_odd_parity(DC(key + 16));
136
137	/* As of the draft Tripe-DES does not check for weak keys */
138	des_set_key(DC key, ks->ks_des[0]);
139	des_set_key(DC(key + 8), ks->ks_des[1]);
140	des_set_key(DC(key + 16), ks->ks_des[2]);
141
142	return EOKAY;
143}
144
145void
146des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
147{
148	u_int8_t        iv[MAXBLK];
149
150	memcpy(iv, ks->riv, ks->xf->blocksize);
151	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
152	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT);
153}
154
155void
156des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
157{
158	u_int8_t        iv[MAXBLK];
159
160	memcpy(iv, ks->riv, ks->xf->blocksize);
161	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
162	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT);
163}
164#undef DC
165#endif				/* USE_TRIPLEDES */
166
167enum cryptoerr
168blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
169{
170	blf_key(&ks->ks_blf, key, len);
171
172	return EOKAY;
173}
174
175void
176blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
177{
178	u_int16_t       i, blocksize = ks->xf->blocksize;
179	u_int8_t       *iv = ks->liv;
180	u_int32_t       xl, xr;
181
182	memcpy(iv, ks->riv, blocksize);
183
184	for (i = 0; i < len; data += blocksize, i += blocksize) {
185		XOR64(data, iv);
186		xl = GET_32BIT_BIG(data);
187		xr = GET_32BIT_BIG(data + 4);
188		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
189		SET_32BIT_BIG(data, xl);
190		SET_32BIT_BIG(data + 4, xr);
191		SET64(iv, data);
192	}
193}
194
195void
196blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
197{
198	u_int16_t       i, blocksize = ks->xf->blocksize;
199	u_int32_t       xl, xr;
200
201	data += len - blocksize;
202	for (i = len - blocksize; i >= blocksize; data -= blocksize,
203	    i -= blocksize) {
204		xl = GET_32BIT_BIG(data);
205		xr = GET_32BIT_BIG(data + 4);
206		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
207		SET_32BIT_BIG(data, xl);
208		SET_32BIT_BIG(data + 4, xr);
209		XOR64(data, data - blocksize);
210
211	}
212	xl = GET_32BIT_BIG(data);
213	xr = GET_32BIT_BIG(data + 4);
214	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
215	SET_32BIT_BIG(data, xl);
216	SET_32BIT_BIG(data + 4, xr);
217	XOR64(data, ks->riv);
218}
219
220enum cryptoerr
221cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
222{
223	cast_setkey(&ks->ks_cast, key, len);
224	return EOKAY;
225}
226
227void
228cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
229{
230	u_int16_t       i, blocksize = ks->xf->blocksize;
231	u_int8_t       *iv = ks->liv;
232
233	memcpy(iv, ks->riv, blocksize);
234
235	for (i = 0; i < len; data += blocksize, i += blocksize) {
236		XOR64(data, iv);
237		cast_encrypt(&ks->ks_cast, data, data);
238		SET64(iv, data);
239	}
240}
241
242void
243cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
244{
245	u_int16_t       i, blocksize = ks->xf->blocksize;
246
247	data += len - blocksize;
248	for (i = len - blocksize; i >= blocksize; data -= blocksize,
249	    i -= blocksize) {
250		cast_decrypt(&ks->ks_cast, data, data);
251		XOR64(data, data - blocksize);
252	}
253	cast_decrypt(&ks->ks_cast, data, data);
254	XOR64(data, ks->riv);
255}
256
257enum cryptoerr
258aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
259{
260	AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]);
261	AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]);
262	return EOKAY;
263}
264
265void
266aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
267{
268	u_int8_t        iv[MAXBLK];
269
270	memcpy(iv, ks->riv, ks->xf->blocksize);
271	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
272}
273
274void
275aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
276{
277	u_int8_t        iv[MAXBLK];
278
279	memcpy(iv, ks->riv, ks->xf->blocksize);
280	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
281}
282
283struct crypto_xf *
284crypto_get(enum transform id)
285{
286	size_t          i;
287
288	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
289		if (id == transforms[i].id)
290			return &transforms[i];
291
292	return 0;
293}
294
295struct keystate *
296crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
297    enum cryptoerr *err)
298{
299	struct keystate *ks;
300
301	if (len < xf->keymin || len > xf->keymax) {
302		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
303		    len));
304		*err = EKEYLEN;
305		return 0;
306	}
307	ks = calloc(1, sizeof *ks);
308	if (!ks) {
309		log_error("crypto_init: calloc (1, %lu) failed",
310		    (unsigned long)sizeof *ks);
311		*err = ENOCRYPTO;
312		return 0;
313	}
314	ks->xf = xf;
315
316	/* Setup the IV.  */
317	ks->riv = ks->iv;
318	ks->liv = ks->iv2;
319
320	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));
321
322	*err = xf->init(ks, key, len);
323	if (*err != EOKAY) {
324		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
325		    xf->name));
326		free(ks);
327		return 0;
328	}
329	return ks;
330}
331
332void
333crypto_update_iv(struct keystate *ks)
334{
335	u_int8_t       *tmp;
336
337	tmp = ks->riv;
338	ks->riv = ks->liv;
339	ks->liv = tmp;
340
341	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
342	    ks->xf->blocksize));
343}
344
345void
346crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
347{
348	memcpy(ks->riv, buf, len);
349
350	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
351	    len));
352}
353
354void
355crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
356{
357	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: before encryption", buf,
358	    len));
359	ks->xf->encrypt(ks, buf, len);
360	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
361	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf,
362	    len));
363}
364
365void
366crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
367{
368	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: before decryption", buf,
369	    len));
370	/*
371	 * XXX There is controversy about the correctness of updating the IV
372	 * like this.
373         */
374	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
375	ks->xf->decrypt(ks, buf, len);
376	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf,
377	    len));
378}
379
380/* Make a copy of the keystate pointed to by OKS.  */
381struct keystate *
382crypto_clone_keystate(struct keystate *oks)
383{
384	struct keystate *ks;
385
386	ks = malloc(sizeof *ks);
387	if (!ks) {
388		log_error("crypto_clone_keystate: malloc (%lu) failed",
389		    (unsigned long)sizeof *ks);
390		return 0;
391	}
392	memcpy(ks, oks, sizeof *ks);
393	if (oks->riv == oks->iv) {
394		ks->riv = ks->iv;
395		ks->liv = ks->iv2;
396	} else {
397		ks->riv = ks->iv2;
398		ks->liv = ks->iv;
399	}
400	return ks;
401}
402