crypto.c revision 1.29 
1/* $OpenBSD: crypto.c,v 1.29 2007/05/07 18:25:30 cloder Exp $	 */
2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3
4/*
5 * Copyright (c) 1998 Niels Provos.  All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33#include <sys/param.h>
34#include <stdlib.h>
35#include <string.h>
36
37#include "crypto.h"
38#include "log.h"
39
40enum cryptoerr  des1_init(struct keystate *, u_int8_t *, u_int16_t);
41enum cryptoerr  des3_init(struct keystate *, u_int8_t *, u_int16_t);
42enum cryptoerr  blf_init(struct keystate *, u_int8_t *, u_int16_t);
43enum cryptoerr  cast_init(struct keystate *, u_int8_t *, u_int16_t);
44enum cryptoerr  aes_init(struct keystate *, u_int8_t *, u_int16_t);
45void            des1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
46void            des1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
47void            des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
48void            des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
49void            blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
50void            blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
51void            cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
52void            cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
53void            aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
54void            aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
55
56struct crypto_xf transforms[] = {
57	{
58		DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8,
59		BLOCKSIZE, 0,
60		des1_init,
61		des1_encrypt, des1_decrypt
62	},
63	{
64		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
65		BLOCKSIZE, 0,
66		des3_init,
67		des3_encrypt, des3_decrypt
68	},
69	{
70		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
71		BLOCKSIZE, 0,
72		blf_init,
73		blf_encrypt, blf_decrypt
74	},
75	{
76		CAST_CBC, "CAST (CBC-Mode)", 12, 16,
77		BLOCKSIZE, 0,
78		cast_init,
79		cast1_encrypt, cast1_decrypt
80	},
81	{
82		AES_CBC, "AES (CBC-Mode)", 16, 32,
83		AES_BLOCK_SIZE, 0,
84		aes_init,
85		aes_encrypt, aes_decrypt
86	},
87};
88
89enum cryptoerr
90des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
91{
92	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
93	des_set_odd_parity((void *)key);
94	switch (des_set_key((void *)key, ks->ks_des[0])) {
95	case -2:
96		return EWEAKKEY;
97	default:
98		return EOKAY;
99	}
100}
101
102void
103des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
104{
105	des_cbc_encrypt((void *)d, (void *)d, len, ks->ks_des[0], (void *)ks->riv,
106	    DES_ENCRYPT);
107}
108
109void
110des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
111{
112	des_cbc_encrypt((void *)d, (void *)d, len, ks->ks_des[0], (void *)ks->riv,
113	    DES_DECRYPT);
114}
115
116enum cryptoerr
117des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
118{
119	des_set_odd_parity((void *)key);
120	des_set_odd_parity((void *)(key + 8));
121	des_set_odd_parity((void *)(key + 16));
122
123	/* As of the draft Tripe-DES does not check for weak keys */
124	des_set_key((void *)key, ks->ks_des[0]);
125	des_set_key((void *)(key + 8), ks->ks_des[1]);
126	des_set_key((void *)(key + 16), ks->ks_des[2]);
127
128	return EOKAY;
129}
130
131void
132des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
133{
134	u_int8_t        iv[MAXBLK];
135
136	memcpy(iv, ks->riv, ks->xf->blocksize);
137	des_ede3_cbc_encrypt((void *)data, (void *)data, len, ks->ks_des[0],
138	    ks->ks_des[1], ks->ks_des[2], (void *)iv, DES_ENCRYPT);
139}
140
141void
142des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
143{
144	u_int8_t        iv[MAXBLK];
145
146	memcpy(iv, ks->riv, ks->xf->blocksize);
147	des_ede3_cbc_encrypt((void *)data, (void *)data, len, ks->ks_des[0],
148	    ks->ks_des[1], ks->ks_des[2], (void *)iv, DES_DECRYPT);
149}
150
151enum cryptoerr
152blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
153{
154	blf_key(&ks->ks_blf, key, len);
155
156	return EOKAY;
157}
158
159void
160blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
161{
162	u_int16_t       i, blocksize = ks->xf->blocksize;
163	u_int8_t       *iv = ks->liv;
164	u_int32_t       xl, xr;
165
166	memcpy(iv, ks->riv, blocksize);
167
168	for (i = 0; i < len; data += blocksize, i += blocksize) {
169		XOR64(data, iv);
170		xl = GET_32BIT_BIG(data);
171		xr = GET_32BIT_BIG(data + 4);
172		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
173		SET_32BIT_BIG(data, xl);
174		SET_32BIT_BIG(data + 4, xr);
175		SET64(iv, data);
176	}
177}
178
179void
180blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
181{
182	u_int16_t       i, blocksize = ks->xf->blocksize;
183	u_int32_t       xl, xr;
184
185	data += len - blocksize;
186	for (i = len - blocksize; i >= blocksize; data -= blocksize,
187	    i -= blocksize) {
188		xl = GET_32BIT_BIG(data);
189		xr = GET_32BIT_BIG(data + 4);
190		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
191		SET_32BIT_BIG(data, xl);
192		SET_32BIT_BIG(data + 4, xr);
193		XOR64(data, data - blocksize);
194
195	}
196	xl = GET_32BIT_BIG(data);
197	xr = GET_32BIT_BIG(data + 4);
198	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
199	SET_32BIT_BIG(data, xl);
200	SET_32BIT_BIG(data + 4, xr);
201	XOR64(data, ks->riv);
202}
203
204enum cryptoerr
205cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
206{
207	cast_setkey(&ks->ks_cast, key, len);
208	return EOKAY;
209}
210
211void
212cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
213{
214	u_int16_t       i, blocksize = ks->xf->blocksize;
215	u_int8_t       *iv = ks->liv;
216
217	memcpy(iv, ks->riv, blocksize);
218
219	for (i = 0; i < len; data += blocksize, i += blocksize) {
220		XOR64(data, iv);
221		cast_encrypt(&ks->ks_cast, data, data);
222		SET64(iv, data);
223	}
224}
225
226void
227cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
228{
229	u_int16_t       i, blocksize = ks->xf->blocksize;
230
231	data += len - blocksize;
232	for (i = len - blocksize; i >= blocksize; data -= blocksize,
233	    i -= blocksize) {
234		cast_decrypt(&ks->ks_cast, data, data);
235		XOR64(data, data - blocksize);
236	}
237	cast_decrypt(&ks->ks_cast, data, data);
238	XOR64(data, ks->riv);
239}
240
241enum cryptoerr
242aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
243{
244	AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]);
245	AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]);
246	return EOKAY;
247}
248
249void
250aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
251{
252	u_int8_t        iv[MAXBLK];
253
254	memcpy(iv, ks->riv, ks->xf->blocksize);
255	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
256}
257
258void
259aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
260{
261	u_int8_t        iv[MAXBLK];
262
263	memcpy(iv, ks->riv, ks->xf->blocksize);
264	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
265}
266
267struct crypto_xf *
268crypto_get(enum transform id)
269{
270	size_t          i;
271
272	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
273		if (id == transforms[i].id)
274			return &transforms[i];
275
276	return 0;
277}
278
279struct keystate *
280crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
281    enum cryptoerr *err)
282{
283	struct keystate *ks;
284
285	if (len < xf->keymin || len > xf->keymax) {
286		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
287		    len));
288		*err = EKEYLEN;
289		return 0;
290	}
291	ks = calloc(1, sizeof *ks);
292	if (!ks) {
293		log_error("crypto_init: calloc (1, %lu) failed",
294		    (unsigned long)sizeof *ks);
295		*err = ENOCRYPTO;
296		return 0;
297	}
298	ks->xf = xf;
299
300	/* Setup the IV.  */
301	ks->riv = ks->iv;
302	ks->liv = ks->iv2;
303
304	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));
305
306	*err = xf->init(ks, key, len);
307	if (*err != EOKAY) {
308		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
309		    xf->name));
310		free(ks);
311		return 0;
312	}
313	return ks;
314}
315
316void
317crypto_update_iv(struct keystate *ks)
318{
319	u_int8_t       *tmp;
320
321	tmp = ks->riv;
322	ks->riv = ks->liv;
323	ks->liv = tmp;
324
325	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
326	    ks->xf->blocksize));
327}
328
329void
330crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
331{
332	memcpy(ks->riv, buf, len);
333
334	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
335	    len));
336}
337
338void
339crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
340{
341	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: before encryption", buf,
342	    len));
343	ks->xf->encrypt(ks, buf, len);
344	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
345	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: after encryption", buf,
346	    len));
347}
348
349void
350crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
351{
352	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: before decryption", buf,
353	    len));
354	/*
355	 * XXX There is controversy about the correctness of updating the IV
356	 * like this.
357         */
358	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
359	ks->xf->decrypt(ks, buf, len);
360	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf,
361	    len));
362}
363
364/* Make a copy of the keystate pointed to by OKS.  */
365struct keystate *
366crypto_clone_keystate(struct keystate *oks)
367{
368	struct keystate *ks;
369
370	ks = malloc(sizeof *ks);
371	if (!ks) {
372		log_error("crypto_clone_keystate: malloc (%lu) failed",
373		    (unsigned long)sizeof *ks);
374		return 0;
375	}
376	memcpy(ks, oks, sizeof *ks);
377	if (oks->riv == oks->iv) {
378		ks->riv = ks->iv;
379		ks->liv = ks->iv2;
380	} else {
381		ks->riv = ks->iv2;
382		ks->liv = ks->iv;
383	}
384	return ks;
385}
386