crypto.c revision 1.26
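/* $OpenBSD: crypto.c,v 1.26 2005/04/08 16:20:30 deraadt Exp $	 */
/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */

/*
 * Copyright (c) 1998 Niels Provos.  All rights reserved.
 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

#include <sys/param.h>
#include <stdlib.h>
#include <string.h>

#include "sysdep.h"

#include "crypto.h"
#include "log.h"

/*
 * Per-cipher back ends.  Each one is reached through the transforms[]
 * table below; the generic crypto_*() entry points at the end of the file
 * are the interface the rest of the program is expected to use.
 */
enum cryptoerr	des1_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	des3_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	blf_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	cast_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	aes_init(struct keystate *, u_int8_t *, u_int16_t);
void		des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);

/*
 * Table of supported CBC transforms, searched by crypto_get().
 *
 * The field order is that of struct crypto_xf in crypto.h (not shown in
 * this file).  Judging by the uses below, each entry is: id, name, the
 * pair keymin/keymax (in bytes, since aes_init() multiplies the length by
 * eight to obtain bits), blocksize, one further field initialised to 0,
 * and the init/encrypt/decrypt callbacks.
 *
 * NOTE(review): single DES (8-byte key) and 12-byte minimum keys for
 * Blowfish and CAST are accepted by this table.  Whether a peer can
 * actually negotiate them is decided by policy outside this file.
 */
struct crypto_xf transforms[] = {
	{
		DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8,
		BLOCKSIZE, 0,
		des1_init,
		des1_encrypt, des1_decrypt
	},
	{
		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
		BLOCKSIZE, 0,
		des3_init,
		des3_encrypt, des3_decrypt
	},
	{
		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
		BLOCKSIZE, 0,
		blf_init,
		blf_encrypt, blf_decrypt
	},
	{
		CAST_CBC, "CAST (CBC-Mode)", 12, 16,
		BLOCKSIZE, 0,
		cast_init,
		cast1_encrypt, cast1_decrypt
	},
	{
		AES_CBC, "AES (CBC-Mode)", 16, 32,
		AES_BLOCK_SIZE, 0,
		aes_init,
		aes_encrypt, aes_decrypt
	},
};

/* Hmm, the function prototypes for des are really dumb */
#ifdef __OpenBSD__
#define DC	(des_cblock *)
#else
#define DC	(void *)
#endif

/*
 * Set up the single-DES key schedule in KS from the 8-byte KEY.
 *
 * The key bytes are rewritten in place to odd parity before the schedule
 * is built, so the caller's buffer is modified.  LEN is not used.
 * Returns EWEAKKEY when des_set_key() reports -2, EOKAY for every other
 * return value.
 */
enum cryptoerr
des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
	des_set_odd_parity(DC key);
	switch (des_set_key(DC key, ks->ks_des[0])) {
	case -2:
		return EWEAKKEY;
	default:
		return EOKAY;
	}
}

/* CBC-encrypt LEN bytes at D in place, chaining from the IV at ks->riv. */
void
des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
{
	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
	    DES_ENCRYPT);
}

/* CBC-decrypt LEN bytes at D in place, chaining from the IV at ks->riv. */
void
des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
{
	des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
	    DES_DECRYPT);
}

/*
 * Set up the three DES key schedules in KS from the 24-byte KEY, eight
 * bytes per subkey.  The key bytes are rewritten in place to odd parity.
 * LEN is not used.  Always returns EOKAY.
 *
 * NOTE(review): the des_set_key() return values are discarded, so weak
 * subkeys are accepted, and the subkeys are not compared with each other;
 * equal subkeys reduce the strength of the construction.
 */
enum cryptoerr
des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	des_set_odd_parity(DC key);
	des_set_odd_parity(DC(key + 8));
	des_set_odd_parity(DC(key + 16));

	/* As of the draft Triple-DES does not check for weak keys */
	des_set_key(DC key, ks->ks_des[0]);
	des_set_key(DC(key + 8), ks->ks_des[1]);
	des_set_key(DC(key + 16), ks->ks_des[2]);

	return EOKAY;
}

/*
 * CBC-encrypt LEN bytes at DATA in place with the three key schedules.
 * The IV is copied to the stack first, presumably because the library
 * call updates the IV buffer it is handed; ks->riv itself is untouched.
 * Assumes ks->xf->blocksize <= MAXBLK.
 */
void
des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT);
}

/*
 * CBC-decrypt LEN bytes at DATA in place with the three key schedules,
 * using a stack copy of the IV at ks->riv.
 * Assumes ks->xf->blocksize <= MAXBLK.
 */
void
des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
	    ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT);
}
#undef DC

/* Build the Blowfish key schedule from LEN bytes of KEY; always EOKAY. */
enum cryptoerr
blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	blf_key(&ks->ks_blf, key, len);

	return EOKAY;
}

/*
 * CBC-encrypt LEN bytes at DATA in place with Blowfish.
 *
 * ks->liv is used as the running chain value: it starts as a copy of
 * ks->riv and ends up holding the last ciphertext block.
 *
 * The loop advances a whole block at a time until i reaches LEN, so LEN
 * must be a multiple of the block size; with any other length the last
 * iteration reads and writes past DATA + LEN.  Nothing in this file
 * checks that, so it is the caller's obligation.
 */
void
blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;
	u_int8_t	*iv = ks->liv;
	u_int32_t	xl, xr;

	memcpy(iv, ks->riv, blocksize);

	for (i = 0; i < len; data += blocksize, i += blocksize) {
		XOR64(data, iv);
		xl = GET_32BIT_BIG(data);
		xr = GET_32BIT_BIG(data + 4);
		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
		SET_32BIT_BIG(data, xl);
		SET_32BIT_BIG(data + 4, xr);
		SET64(iv, data);
	}
}

/*
 * CBC-decrypt LEN bytes at DATA in place with Blowfish.
 *
 * Blocks are processed from the last one back to the first, so that the
 * preceding ciphertext block is still intact when it is XORed into the
 * block just deciphered.  The first block is handled after the loop and
 * is XORed with the IV at ks->riv.
 *
 * LEN must be at least one block and a multiple of the block size.  With
 * LEN < blocksize the initial "data += len - blocksize" moves DATA to
 * before the start of the buffer and i wraps around, so the function
 * reads and writes out of bounds.  Nothing in this file checks the
 * length; callers must validate it before decrypting received data.
 */
void
blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;
	u_int32_t	xl, xr;

	data += len - blocksize;
	for (i = len - blocksize; i >= blocksize; data -= blocksize,
	    i -= blocksize) {
		xl = GET_32BIT_BIG(data);
		xr = GET_32BIT_BIG(data + 4);
		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
		SET_32BIT_BIG(data, xl);
		SET_32BIT_BIG(data + 4, xr);
		XOR64(data, data - blocksize);
	}
	xl = GET_32BIT_BIG(data);
	xr = GET_32BIT_BIG(data + 4);
	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
	SET_32BIT_BIG(data, xl);
	SET_32BIT_BIG(data + 4, xr);
	XOR64(data, ks->riv);
}

/* Build the CAST key schedule from LEN bytes of KEY; always EOKAY. */
enum cryptoerr
cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	cast_setkey(&ks->ks_cast, key, len);
	return EOKAY;
}

/*
 * CBC-encrypt LEN bytes at DATA in place with CAST.  ks->liv serves as
 * the running chain value, seeded from ks->riv.  As with blf_encrypt(),
 * LEN must be a multiple of the block size or the last iteration runs
 * past DATA + LEN.
 */
void
cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;
	u_int8_t	*iv = ks->liv;

	memcpy(iv, ks->riv, blocksize);

	for (i = 0; i < len; data += blocksize, i += blocksize) {
		XOR64(data, iv);
		cast_encrypt(&ks->ks_cast, data, data);
		SET64(iv, data);
	}
}

/*
 * CBC-decrypt LEN bytes at DATA in place with CAST, last block first.
 * The same length precondition as blf_decrypt() applies: LEN must be at
 * least one block and a multiple of the block size, otherwise DATA is
 * moved before the start of the buffer and the accesses are out of
 * bounds.  The length is not checked here.
 */
void
cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;

	data += len - blocksize;
	for (i = len - blocksize; i >= blocksize; data -= blocksize,
	    i -= blocksize) {
		cast_decrypt(&ks->ks_cast, data, data);
		XOR64(data, data - blocksize);
	}
	cast_decrypt(&ks->ks_cast, data, data);
	XOR64(data, ks->riv);
}

/*
 * Build the AES encryption and decryption key schedules from LEN bytes
 * of KEY.
 *
 * crypto_init() only checks that LEN lies between the table's minimum
 * and maximum, so a length that is in range but is not a valid AES key
 * size can arrive here.  The key-setup calls report that through their
 * return value (assuming the OpenSSL-style int return, 0 on success);
 * ignoring it would leave the zeroed schedule from calloc() in use.
 * Returns EKEYLEN if either schedule cannot be set up, EOKAY otherwise.
 */
enum cryptoerr
aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	if (AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]) != 0 ||
	    AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]) != 0)
		return EKEYLEN;
	return EOKAY;
}

/*
 * CBC-encrypt LEN bytes at DATA in place with AES, using a stack copy of
 * the IV at ks->riv.  Assumes ks->xf->blocksize <= MAXBLK.
 */
void
aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
}

/*
 * CBC-decrypt LEN bytes at DATA in place with AES, using a stack copy of
 * the IV at ks->riv.  Assumes ks->xf->blocksize <= MAXBLK.
 */
void
aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
}

/*
 * Look up the transform with identifier ID in transforms[].
 * Returns a pointer into the table, or NULL if ID is not supported.
 */
struct crypto_xf *
crypto_get(enum transform id)
{
	size_t	i;

	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
		if (id == transforms[i].id)
			return &transforms[i];

	return NULL;
}

/*
 * Allocate a keystate for transform XF and key it with LEN bytes of KEY.
 *
 * On success the new keystate is returned and *ERR is EOKAY.  On failure
 * NULL is returned and *ERR is EKEYLEN (length outside the transform's
 * range), ENOCRYPTO (allocation failed) or whatever the transform's init
 * callback returned.  The keystate comes from calloc(); no release
 * function is defined in this file, so the caller owns it.
 */
struct keystate *
crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
    enum cryptoerr *err)
{
	struct keystate	*ks;

	if (len < xf->keymin || len > xf->keymax) {
		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
		    len));
		*err = EKEYLEN;
		return NULL;
	}
	ks = calloc(1, sizeof *ks);
	if (!ks) {
		log_error("crypto_init: calloc (1, %lu) failed",
		    (unsigned long)sizeof *ks);
		*err = ENOCRYPTO;
		return NULL;
	}
	ks->xf = xf;

	/* Setup the IV.  */
	ks->riv = ks->iv;
	ks->liv = ks->iv2;

	/*
	 * NOTE(review): this hands the raw key to the debug log.  Output
	 * of the LOG_CRYPTO class at this level has to be treated as
	 * secret material.
	 */
	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));

	*err = xf->init(ks, key, len);
	if (*err != EOKAY) {
		/*
		 * The message below is printed for any init failure, not
		 * only for weak keys.
		 *
		 * NOTE(review): the keystate may already hold part of a
		 * key schedule and is released without being cleared.
		 */
		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
		    xf->name));
		free(ks);
		return NULL;
	}
	return ks;
}

/*
 * Exchange the two IV pointers: the value saved in ks->liv by the last
 * crypto_encrypt()/crypto_decrypt() becomes the IV used by the next call.
 */
void
crypto_update_iv(struct keystate *ks)
{
	u_int8_t	*tmp;

	tmp = ks->riv;
	ks->riv = ks->liv;
	ks->liv = tmp;

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
	    ks->xf->blocksize));
}

/*
 * Load LEN bytes from BUF as the current IV.
 *
 * NOTE(review): LEN is not checked against the size of the IV buffer
 * that ks->riv points to (declared in crypto.h); the caller must pass no
 * more than that, presumably the transform's block size.
 */
void
crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
{
	memcpy(ks->riv, buf, len);

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
	    len));
}

/*
 * Encrypt LEN bytes at BUF in place with the transform bound to KS, then
 * save the last ciphertext block in ks->liv so that crypto_update_iv()
 * can make it the next IV.
 *
 * LEN must be at least one block: with a shorter buffer the memcpy()
 * source "buf + len - blocksize" lies before BUF.  The length is not
 * checked here.  Both the plaintext and the ciphertext are written to
 * the debug log.
 */
void
crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: before encryption", buf,
	    len));
	ks->xf->encrypt(ks, buf, len);
	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf,
	    len));
}

/*
 * Decrypt LEN bytes at BUF in place with the transform bound to KS.  The
 * last ciphertext block is saved in ks->liv before it is overwritten by
 * the decryption.
 *
 * LEN must be at least one block, for the same reason as in
 * crypto_encrypt(), and the block-wise back ends additionally need a
 * multiple of the block size.  Neither is checked here, so the length of
 * data taken from the network has to be validated by the caller.  Both
 * the ciphertext and the recovered plaintext go to the debug log.
 */
void
crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: before decryption", buf,
	    len));
	/*
	 * XXX There is controversy about the correctness of updating the IV
	 * like this.
	 */
	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
	ks->xf->decrypt(ks, buf, len);
	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf,
	    len));
}

/*
 * Make a copy of the keystate pointed to by OKS.
 *
 * The structure is copied byte for byte, key schedule included, and the
 * riv/liv pointers are then redirected to the clone's own iv/iv2 buffers
 * in the same arrangement as in OKS, so the two keystates share no IV
 * storage.  Returns NULL if the allocation fails.  The clone comes from
 * malloc() and is owned by the caller.
 */
struct keystate *
crypto_clone_keystate(struct keystate *oks)
{
	struct keystate	*ks;

	ks = malloc(sizeof *ks);
	if (!ks) {
		log_error("crypto_clone_keystate: malloc (%lu) failed",
		    (unsigned long)sizeof *ks);
		return NULL;
	}
	memcpy(ks, oks, sizeof *ks);
	if (oks->riv == oks->iv) {
		ks->riv = ks->iv;
		ks->liv = ks->iv2;
	} else {
		ks->riv = ks->iv2;
		ks->liv = ks->iv;
	}
	return ks;
}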