crypto.c revision 1.34 
1/* $OpenBSD: crypto.c,v 1.34 2018/01/04 14:21:00 mpi Exp $	 */
2/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3
4/*
5 * Copyright (c) 1998 Niels Provos.  All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33#include <sys/types.h>
34#include <stdlib.h>
35#include <string.h>
36
37#include "crypto.h"
38#include "log.h"
39
40enum cryptoerr  des3_init(struct keystate *, u_int8_t *, u_int16_t);
41enum cryptoerr  blf_init(struct keystate *, u_int8_t *, u_int16_t);
42enum cryptoerr  cast_init(struct keystate *, u_int8_t *, u_int16_t);
43enum cryptoerr  aes_init(struct keystate *, u_int8_t *, u_int16_t);
44void            des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
45void            des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
46void            blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
47void            blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
48void            cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
49void            cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
50void            aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
51void            aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
52
53struct crypto_xf transforms[] = {
54	{
55		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
56		BLOCKSIZE, 0,
57		des3_init,
58		des3_encrypt, des3_decrypt
59	},
60	{
61		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
62		BLOCKSIZE, 0,
63		blf_init,
64		blf_encrypt, blf_decrypt
65	},
66	{
67		CAST_CBC, "CAST (CBC-Mode)", 12, 16,
68		BLOCKSIZE, 0,
69		cast_init,
70		cast1_encrypt, cast1_decrypt
71	},
72	{
73		AES_CBC, "AES (CBC-Mode)", 16, 32,
74		AES_BLOCK_SIZE, 0,
75		aes_init,
76		aes_encrypt, aes_decrypt
77	},
78};
79
80enum cryptoerr
81des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
82{
83	DES_set_odd_parity((void *)key);
84	DES_set_odd_parity((void *)(key + 8));
85	DES_set_odd_parity((void *)(key + 16));
86
87	/* As of the draft Tripe-DES does not check for weak keys */
88	DES_set_key((void *)key, &ks->ks_des[0]);
89	DES_set_key((void *)(key + 8), &ks->ks_des[1]);
90	DES_set_key((void *)(key + 16), &ks->ks_des[2]);
91
92	return EOKAY;
93}
94
95void
96des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
97{
98	u_int8_t        iv[MAXBLK];
99
100	memcpy(iv, ks->riv, ks->xf->blocksize);
101	DES_ede3_cbc_encrypt((void *)data, (void *)data, len, &ks->ks_des[0],
102	    &ks->ks_des[1], &ks->ks_des[2], (void *)iv, DES_ENCRYPT);
103}
104
105void
106des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
107{
108	u_int8_t        iv[MAXBLK];
109
110	memcpy(iv, ks->riv, ks->xf->blocksize);
111	DES_ede3_cbc_encrypt((void *)data, (void *)data, len, &ks->ks_des[0],
112	    &ks->ks_des[1], &ks->ks_des[2], (void *)iv, DES_DECRYPT);
113}
114
115enum cryptoerr
116blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
117{
118	blf_key(&ks->ks_blf, key, len);
119
120	return EOKAY;
121}
122
123void
124blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
125{
126	u_int16_t       i, blocksize = ks->xf->blocksize;
127	u_int8_t       *iv = ks->liv;
128	u_int32_t       xl, xr;
129
130	memcpy(iv, ks->riv, blocksize);
131
132	for (i = 0; i < len; data += blocksize, i += blocksize) {
133		XOR64(data, iv);
134		xl = GET_32BIT_BIG(data);
135		xr = GET_32BIT_BIG(data + 4);
136		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
137		SET_32BIT_BIG(data, xl);
138		SET_32BIT_BIG(data + 4, xr);
139		SET64(iv, data);
140	}
141}
142
143void
144blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
145{
146	u_int16_t       i, blocksize = ks->xf->blocksize;
147	u_int32_t       xl, xr;
148
149	data += len - blocksize;
150	for (i = len - blocksize; i >= blocksize; data -= blocksize,
151	    i -= blocksize) {
152		xl = GET_32BIT_BIG(data);
153		xr = GET_32BIT_BIG(data + 4);
154		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
155		SET_32BIT_BIG(data, xl);
156		SET_32BIT_BIG(data + 4, xr);
157		XOR64(data, data - blocksize);
158
159	}
160	xl = GET_32BIT_BIG(data);
161	xr = GET_32BIT_BIG(data + 4);
162	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
163	SET_32BIT_BIG(data, xl);
164	SET_32BIT_BIG(data + 4, xr);
165	XOR64(data, ks->riv);
166}
167
168enum cryptoerr
169cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
170{
171	CAST_set_key(&ks->ks_cast, len, key);
172	return EOKAY;
173}
174
175void
176cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
177{
178	memcpy(ks->liv, ks->riv, ks->xf->blocksize);
179	CAST_cbc_encrypt(data, data, len, &ks->ks_cast, ks->liv, 1);
180}
181
182void
183cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
184{
185	CAST_cbc_encrypt(data, data, len, &ks->ks_cast, ks->riv, 0);
186}
187
188enum cryptoerr
189aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
190{
191	AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]);
192	AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]);
193	return EOKAY;
194}
195
196void
197aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
198{
199	u_int8_t        iv[MAXBLK];
200
201	memcpy(iv, ks->riv, ks->xf->blocksize);
202	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
203}
204
205void
206aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
207{
208	u_int8_t        iv[MAXBLK];
209
210	memcpy(iv, ks->riv, ks->xf->blocksize);
211	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
212}
213
214struct crypto_xf *
215crypto_get(enum transform id)
216{
217	size_t          i;
218
219	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
220		if (id == transforms[i].id)
221			return &transforms[i];
222
223	return 0;
224}
225
226struct keystate *
227crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
228    enum cryptoerr *err)
229{
230	struct keystate *ks;
231
232	if (len < xf->keymin || len > xf->keymax) {
233		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
234		    len));
235		*err = EKEYLEN;
236		return 0;
237	}
238	ks = calloc(1, sizeof *ks);
239	if (!ks) {
240		log_error("crypto_init: calloc (1, %lu) failed",
241		    (unsigned long)sizeof *ks);
242		*err = ENOCRYPTO;
243		return 0;
244	}
245	ks->xf = xf;
246
247	/* Setup the IV.  */
248	ks->riv = ks->iv;
249	ks->liv = ks->iv2;
250
251	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));
252
253	*err = xf->init(ks, key, len);
254	if (*err != EOKAY) {
255		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
256		    xf->name));
257		free(ks);
258		return 0;
259	}
260	return ks;
261}
262
263void
264crypto_update_iv(struct keystate *ks)
265{
266	u_int8_t       *tmp;
267
268	tmp = ks->riv;
269	ks->riv = ks->liv;
270	ks->liv = tmp;
271
272	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
273	    ks->xf->blocksize));
274}
275
276void
277crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
278{
279	memcpy(ks->riv, buf, len);
280
281	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
282	    len));
283}
284
285void
286crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
287{
288	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: before encryption", buf,
289	    len));
290	ks->xf->encrypt(ks, buf, len);
291	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
292	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: after encryption", buf,
293	    len));
294}
295
296void
297crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
298{
299	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: before decryption", buf,
300	    len));
301	/*
302	 * XXX There is controversy about the correctness of updating the IV
303	 * like this.
304 	*/
305	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
306	ks->xf->decrypt(ks, buf, len);
307	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf,
308	    len));
309}
310
311/* Make a copy of the keystate pointed to by OKS.  */
312struct keystate *
313crypto_clone_keystate(struct keystate *oks)
314{
315	struct keystate *ks;
316
317	ks = malloc(sizeof *ks);
318	if (!ks) {
319		log_error("crypto_clone_keystate: malloc (%lu) failed",
320		    (unsigned long)sizeof *ks);
321		return 0;
322	}
323	memcpy(ks, oks, sizeof *ks);
324	if (oks->riv == oks->iv) {
325		ks->riv = ks->iv;
326		ks->liv = ks->iv2;
327	} else {
328		ks->riv = ks->iv2;
329		ks->liv = ks->iv;
330	}
331	return ks;
332}
333