crypto.c revision 1.27
1/* $OpenBSD: crypto.c,v 1.27 2005/04/08 18:44:04 deraadt Exp $ */ 2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1998 Niels Provos. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29/* 30 * This code was written under funding by Ericsson Radio Systems. 31 */ 32 33#include <sys/param.h> 34#include <stdlib.h> 35#include <string.h> 36 37#include "sysdep.h" 38 39#include "crypto.h" 40#include "log.h" 41 42enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t); 43enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t); 44enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t); 45enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t); 46enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t); 47void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 48void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 49void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t); 50void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t); 51void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t); 52void blf_decrypt(struct keystate *, u_int8_t *, u_int16_t); 53void cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 54void cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 55void aes_encrypt(struct keystate *, u_int8_t *, u_int16_t); 56void aes_decrypt(struct keystate *, u_int8_t *, u_int16_t); 57 58struct crypto_xf transforms[] = { 59 { 60 DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, 61 BLOCKSIZE, 0, 62 des1_init, 63 des1_encrypt, des1_decrypt 64 }, 65 { 66 TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, 67 BLOCKSIZE, 0, 68 des3_init, 69 des3_encrypt, des3_decrypt 70 }, 71 { 72 BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, 73 BLOCKSIZE, 0, 74 blf_init, 75 blf_encrypt, blf_decrypt 76 }, 77 { 78 CAST_CBC, "CAST (CBC-Mode)", 12, 16, 79 BLOCKSIZE, 0, 80 cast_init, 81 cast1_encrypt, cast1_decrypt 82 }, 83 { 84 AES_CBC, "AES (CBC-Mode)", 16, 32, 85 AES_BLOCK_SIZE, 0, 86 aes_init, 87 aes_encrypt, aes_decrypt 88 }, 89}; 90 91enum cryptoerr 92des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 93{ 94 /* des_set_key returns -1 for parity problems, and -2 for weak keys */ 95 des_set_odd_parity((void *)key); 96 switch (des_set_key((void *)key, ks->ks_des[0])) { 97 case -2: 98 return EWEAKKEY; 99 default: 100 return EOKAY; 101 } 102} 103 104void 105des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 106{ 107 des_cbc_encrypt((void *)d, (void *)d, len, ks->ks_des[0], (void *)ks->riv, 108 DES_ENCRYPT); 109} 110 111void 112des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 113{ 114 des_cbc_encrypt((void *)d, (void *)d, len, ks->ks_des[0], (void *)ks->riv, 115 DES_DECRYPT); 116} 117 118enum cryptoerr 119des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 120{ 121 des_set_odd_parity((void *)key); 122 des_set_odd_parity((void *)(key + 8)); 123 des_set_odd_parity((void *)(key + 16)); 124 125 /* As of the draft Tripe-DES does not check for weak keys */ 126 des_set_key((void *)key, ks->ks_des[0]); 127 des_set_key((void *)(key + 8), ks->ks_des[1]); 128 des_set_key((void *)(key + 16), ks->ks_des[2]); 129 130 return EOKAY; 131} 132 133void 134des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 135{ 136 u_int8_t iv[MAXBLK]; 137 138 memcpy(iv, ks->riv, ks->xf->blocksize); 139 des_ede3_cbc_encrypt((void *)data, (void *)data, len, ks->ks_des[0], 140 ks->ks_des[1], ks->ks_des[2], (void *)iv, DES_ENCRYPT); 141} 142 143void 144des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 145{ 146 u_int8_t iv[MAXBLK]; 147 148 memcpy(iv, ks->riv, ks->xf->blocksize); 149 des_ede3_cbc_encrypt((void *)data, (void *)data, len, ks->ks_des[0], 150 ks->ks_des[1], ks->ks_des[2], (void *)iv, DES_DECRYPT); 151} 152 153enum cryptoerr 154blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 155{ 156 blf_key(&ks->ks_blf, key, len); 157 158 return EOKAY; 159} 160 161void 162blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 163{ 164 u_int16_t i, blocksize = ks->xf->blocksize; 165 u_int8_t *iv = ks->liv; 166 u_int32_t xl, xr; 167 168 memcpy(iv, ks->riv, blocksize); 169 170 for (i = 0; i < len; data += blocksize, i += blocksize) { 171 XOR64(data, iv); 172 xl = GET_32BIT_BIG(data); 173 xr = GET_32BIT_BIG(data + 4); 174 Blowfish_encipher(&ks->ks_blf, &xl, &xr); 175 SET_32BIT_BIG(data, xl); 176 SET_32BIT_BIG(data + 4, xr); 177 SET64(iv, data); 178 } 179} 180 181void 182blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 183{ 184 u_int16_t i, blocksize = ks->xf->blocksize; 185 u_int32_t xl, xr; 186 187 data += len - blocksize; 188 for (i = len - blocksize; i >= blocksize; data -= blocksize, 189 i -= blocksize) { 190 xl = GET_32BIT_BIG(data); 191 xr = GET_32BIT_BIG(data + 4); 192 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 193 SET_32BIT_BIG(data, xl); 194 SET_32BIT_BIG(data + 4, xr); 195 XOR64(data, data - blocksize); 196 197 } 198 xl = GET_32BIT_BIG(data); 199 xr = GET_32BIT_BIG(data + 4); 200 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 201 SET_32BIT_BIG(data, xl); 202 SET_32BIT_BIG(data + 4, xr); 203 XOR64(data, ks->riv); 204} 205 206enum cryptoerr 207cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 208{ 209 cast_setkey(&ks->ks_cast, key, len); 210 return EOKAY; 211} 212 213void 214cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 215{ 216 u_int16_t i, blocksize = ks->xf->blocksize; 217 u_int8_t *iv = ks->liv; 218 219 memcpy(iv, ks->riv, blocksize); 220 221 for (i = 0; i < len; data += blocksize, i += blocksize) { 222 XOR64(data, iv); 223 cast_encrypt(&ks->ks_cast, data, data); 224 SET64(iv, data); 225 } 226} 227 228void 229cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 230{ 231 u_int16_t i, blocksize = ks->xf->blocksize; 232 233 data += len - blocksize; 234 for (i = len - blocksize; i >= blocksize; data -= blocksize, 235 i -= blocksize) { 236 cast_decrypt(&ks->ks_cast, data, data); 237 XOR64(data, data - blocksize); 238 } 239 cast_decrypt(&ks->ks_cast, data, data); 240 XOR64(data, ks->riv); 241} 242 243enum cryptoerr 244aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 245{ 246 AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]); 247 AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]); 248 return EOKAY; 249} 250 251void 252aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 253{ 254 u_int8_t iv[MAXBLK]; 255 256 memcpy(iv, ks->riv, ks->xf->blocksize); 257 AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT); 258} 259 260void 261aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 262{ 263 u_int8_t iv[MAXBLK]; 264 265 memcpy(iv, ks->riv, ks->xf->blocksize); 266 AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT); 267} 268 269struct crypto_xf * 270crypto_get(enum transform id) 271{ 272 size_t i; 273 274 for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) 275 if (id == transforms[i].id) 276 return &transforms[i]; 277 278 return 0; 279} 280 281struct keystate * 282crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len, 283 enum cryptoerr *err) 284{ 285 struct keystate *ks; 286 287 if (len < xf->keymin || len > xf->keymax) { 288 LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", 289 len)); 290 *err = EKEYLEN; 291 return 0; 292 } 293 ks = calloc(1, sizeof *ks); 294 if (!ks) { 295 log_error("crypto_init: calloc (1, %lu) failed", 296 (unsigned long)sizeof *ks); 297 *err = ENOCRYPTO; 298 return 0; 299 } 300 ks->xf = xf; 301 302 /* Setup the IV. */ 303 ks->riv = ks->iv; 304 ks->liv = ks->iv2; 305 306 LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len)); 307 308 *err = xf->init(ks, key, len); 309 if (*err != EOKAY) { 310 LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", 311 xf->name)); 312 free(ks); 313 return 0; 314 } 315 return ks; 316} 317 318void 319crypto_update_iv(struct keystate *ks) 320{ 321 u_int8_t *tmp; 322 323 tmp = ks->riv; 324 ks->riv = ks->liv; 325 ks->liv = tmp; 326 327 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, 328 ks->xf->blocksize)); 329} 330 331void 332crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len) 333{ 334 memcpy(ks->riv, buf, len); 335 336 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv, 337 len)); 338} 339 340void 341crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 342{ 343 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: before encryption", buf, 344 len)); 345 ks->xf->encrypt(ks, buf, len); 346 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 347 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf, 348 len)); 349} 350 351void 352crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 353{ 354 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: before decryption", buf, 355 len)); 356 /* 357 * XXX There is controversy about the correctness of updating the IV 358 * like this. 359 */ 360 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 361 ks->xf->decrypt(ks, buf, len); 362 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf, 363 len)); 364} 365 366/* Make a copy of the keystate pointed to by OKS. */ 367struct keystate * 368crypto_clone_keystate(struct keystate *oks) 369{ 370 struct keystate *ks; 371 372 ks = malloc(sizeof *ks); 373 if (!ks) { 374 log_error("crypto_clone_keystate: malloc (%lu) failed", 375 (unsigned long)sizeof *ks); 376 return 0; 377 } 378 memcpy(ks, oks, sizeof *ks); 379 if (oks->riv == oks->iv) { 380 ks->riv = ks->iv; 381 ks->liv = ks->iv2; 382 } else { 383 ks->riv = ks->iv2; 384 ks->liv = ks->iv; 385 } 386 return ks; 387} 388