1 /* Copyright (C) 2000-2018 Peter Selinger.
2 This file is part of ccrypt. It is free software and it is covered
3 by the GNU general public license. See the file COPYING for details. */
4
5 /* ccryptlib.c: library for encrypting/decrypting a character stream */
6
7 /* NOTE: this library is copyrighted under the GNU General Public
8 License, *not* under the GNU Library General Public License. This
9 means, among other things, that you cannot use this library in
10 closed-source software. */
11
12 /* ccryptlib implements a stream cipher based on the block cipher
13 Rijndael, the candidate for the AES standard. */
14
15 #ifdef HAVE_CONFIG_H
16 #include <config.h> /* generated by configure */
17 #endif
18
19 #include <stdlib.h>
20 #include <unistd.h>
21 #include <sys/time.h>
22 #include <stdio.h>
23 #include <string.h>
24
25 #include "ccryptlib.h"
26 #include "rijndael.h"
27 #include "platform.h"
28
29 #define MAGIC "c051" /* magic string for this version of ccrypt */
30
31 /* private struct, not visible by applications */
32 struct ccrypt_state_s {
33 int n; /* number of keys. n=1 for encryption, n>=1 for decryption */
34 roundkey *rkks; /* array of n keys */
35 int ak; /* rkks[ak] is the active key */
36 int iv; /* are we reading/writing the IV? */
37 int bufindex; /* in bytes */
38 xword32 buf[8]; /* current buffer; partly ciphertext, partly mask */
39 int flags; /* flags determining behavior */
40 };
41 typedef struct ccrypt_state_s ccrypt_state_t;
42
43 int ccrypt_errno;
44
ccrypt_state_free(ccrypt_state_t * st)45 static void ccrypt_state_free(ccrypt_state_t *st) {
46 if (st) {
47 free(st->rkks);
48 }
49 free(st);
50 }
51
52 /* ---------------------------------------------------------------------- */
53 /* some private functions dealing with hashes, keys, and nonces */
54
55 /* hash a keystring into a 256-bit cryptographic random value. */
hashstring(const char * keystring,xword32 hash[8])56 static void hashstring(const char *keystring, xword32 hash[8]) {
57 int i;
58 roundkey rkk;
59 xword32 key[8]; /* rijndael key */
60
61 for (i=0; i<8; i++)
62 key[i] = hash[i] = 0;
63
64 do {
65 for (i=0; i<32; i++) {
66 if (*keystring != 0) {
67 ((xword8 *)key)[i] ^= *keystring;
68 keystring++;
69 }
70 }
71 xrijndaelKeySched(key, 256, 256, &rkk);
72 xrijndaelEncrypt(hash, &rkk);
73 } while (*keystring != 0);
74 }
75
76 /* return a 256-bit value that is practically unique */
make_nonce(xword32 nonce[8])77 static void make_nonce(xword32 nonce[8]) {
78 char acc[512], host[256];
79 struct timeval tv;
80 static int count=0;
81
82 gethostname(host, 256); /* ignore failures */
83 host[255] = 0;
84 gettimeofday(&tv, NULL); /* ignore failures */
85 sprintf(acc, "%s,%ld,%ld,%ld,%d", host, (long)tv.tv_sec, (long)tv.tv_usec,
86 (long)getpid(), count++);
87 hashstring(acc, nonce);
88 }
89
90 /* ---------------------------------------------------------------------- */
91 /* core functions for encryption */
92
ccencrypt_init(ccrypt_stream_t * b,const char * key)93 int ccencrypt_init(ccrypt_stream_t *b, const char *key) {
94 xword32 keyblock[8];
95 ccrypt_state_t *st;
96 roundkey *rkks;
97
98 b->state = NULL;
99
100 st = (ccrypt_state_t *)malloc(sizeof(ccrypt_state_t));
101 if (st == NULL) {
102 return -1;
103 }
104 rkks = (roundkey *)malloc(sizeof(roundkey));
105 if (!rkks) {
106 free(st);
107 return -1;
108 }
109
110 st->n = 1;
111 st->rkks = rkks;
112 st->ak = 0; /* not used */
113
114 /* generate the roundkey */
115 hashstring(key, keyblock);
116 xrijndaelKeySched(keyblock, 256, 256, &st->rkks[0]);
117
118 /* make a nonce */
119 make_nonce(st->buf);
120
121 /* mark the nonce with a "magic number". */
122 strncpy((char *)st->buf, MAGIC, 4);
123
124 /* encrypt the nonce with the given key */
125 xrijndaelEncrypt(st->buf, &st->rkks[0]);
126
127 /* IV is now contained in st->buf. Initialize rest of the state. */
128 st->iv = 1;
129 st->bufindex = 0; /* initially use bufsize to count iv bytes output */
130
131 b->state = (void *)st;
132 return 0;
133 }
134
ccencrypt(ccrypt_stream_t * b)135 int ccencrypt(ccrypt_stream_t *b) {
136 ccrypt_state_t *st = (ccrypt_state_t *)b->state;
137 xword32 lbuf[8];
138 char *cbuf = (char *)st->buf;
139 int i;
140 char c, cc;
141
142 while (1) {
143 /* handle the typical case efficiently, one block at a time */
144
145 if (st->iv == 0 && st->bufindex == 32) {
146 while (b->avail_in >= 32 && b->avail_out >= 32) {
147
148 /* block-encrypt buffer */
149 xrijndaelEncrypt(st->buf, &st->rkks[0]);
150
151 /* read input to local buffer for word alignment */
152 memcpy(lbuf, b->next_in, 32);
153 b->next_in += 32;
154 b->avail_in -= 32;
155
156 /* compute ciphertext */
157 for (i=0; i<8; i++) {
158 st->buf[i] ^= lbuf[i];
159 }
160
161 /* write output */
162 memcpy(b->next_out, st->buf, 32);
163 b->next_out += 32;
164 b->avail_out -= 32;
165 }
166 }
167
168 /* handle the general case systematically, one byte at a time */
169
170 if (b->avail_out == 0) {
171 break;
172 }
173
174 else if (st->iv) { /* write IV byte */
175 *b->next_out = cbuf[st->bufindex];
176 b->next_out++;
177 b->avail_out--;
178 st->bufindex++;
179 if (st->bufindex == 32) {
180 st->iv = 0;
181 }
182 }
183
184 else if (b->avail_in == 0) {
185 break;
186 }
187
188 else { /* encrypt one byte */
189 if (st->bufindex == 32) {
190 xrijndaelEncrypt(st->buf, &st->rkks[0]);
191 st->bufindex = 0;
192 }
193 c = *b->next_in;
194 b->next_in++;
195 b->avail_in--;
196 cc = c ^ cbuf[st->bufindex];
197 cbuf[st->bufindex] = cc;
198 *b->next_out = cc;
199 b->next_out++;
200 b->avail_out--;
201 st->bufindex++;
202 }
203 }
204 return 0;
205 }
206
ccencrypt_end(ccrypt_stream_t * b)207 int ccencrypt_end(ccrypt_stream_t *b) {
208 ccrypt_state_free((ccrypt_state_t *)b->state);
209 b->state = NULL; /* guard against double free */
210 return 0;
211 }
212
213 /* ---------------------------------------------------------------------- */
214 /* core functions for decryption */
215
ccdecrypt_multi_init(ccrypt_stream_t * b,int n,const char ** keylist,int flags)216 int ccdecrypt_multi_init(ccrypt_stream_t *b, int n, const char **keylist, int flags) {
217 xword32 keyblock[8];
218 ccrypt_state_t *st;
219 roundkey *rkks;
220 int i;
221
222 b->state = NULL;
223
224 st = (ccrypt_state_t *)malloc(sizeof(ccrypt_state_t));
225 if (st == NULL) {
226 return -1;
227 }
228 rkks = (roundkey *)malloc(n * sizeof(roundkey));
229 if (!rkks) {
230 free(st);
231 return -1;
232 }
233
234 st->n = n;
235 st->rkks = rkks;
236 st->ak = 0;
237
238 /* generate the roundkeys */
239 for (i=0; i<n; i++) {
240 hashstring(keylist[i], keyblock);
241 xrijndaelKeySched(keyblock, 256, 256, &st->rkks[i]);
242 }
243
244 /* Initialize rest of the state. */
245 st->iv = 1;
246 st->bufindex = 0;
247 st->flags = flags;
248
249 b->state = (void *)st;
250 return 0;
251 }
252
ccdecrypt_init(ccrypt_stream_t * b,const char * key,int flags)253 int ccdecrypt_init(ccrypt_stream_t *b, const char *key, int flags) {
254 return ccdecrypt_multi_init(b, 1, &key, flags);
255 }
256
ccdecrypt(ccrypt_stream_t * b)257 int ccdecrypt(ccrypt_stream_t *b) {
258 ccrypt_state_t *st = (ccrypt_state_t *)b->state;
259 xword32 lbuf[8];
260 char *cbuf = (char *)st->buf;
261 int i;
262 char c, cc;
263
264 while (1) {
265 /* handle the typical case efficiently, one block at a time */
266
267 if (st->iv == 0 && st->bufindex == 32) {
268 while (b->avail_in >= 32 && b->avail_out >= 32) {
269
270 /* block-encrypt buffer */
271 xrijndaelEncrypt(st->buf, &st->rkks[st->ak]);
272 memcpy(lbuf, st->buf, 32);
273
274 /* read input */
275 memcpy(st->buf, b->next_in, 32);
276 b->next_in += 32;
277 b->avail_in -= 32;
278
279 /* compute plaintext */
280 for (i=0; i<8; i++) {
281 lbuf[i] ^= st->buf[i];
282 }
283
284 /* write output */
285 memcpy(b->next_out, lbuf, 32);
286 b->next_out += 32;
287 b->avail_out -= 32;
288 }
289 }
290
291 /* handle the general case systematically, one byte at a time */
292
293 if (b->avail_in == 0) {
294 break;
295 }
296
297 else if (st->iv) { /* read IV byte */
298 cbuf[st->bufindex] = *b->next_in;
299 b->next_in++;
300 b->avail_in--;
301 st->bufindex++;
302 if (st->bufindex == 32) {
303 st->iv = 0;
304 /* find the first matching key */
305 for (i=0; i<st->n; i++) {
306 /* check the "magic number" */
307 memcpy(lbuf, st->buf, 32);
308 xrijndaelDecrypt(lbuf, &st->rkks[i]);
309 if ((st->flags & CCRYPT_MISMATCH) != 0 || strncmp((char *)lbuf, MAGIC, 4) == 0) {
310 /* key matches */
311 break;
312 }
313 }
314 if (i<st->n) { /* matching key found */
315 st->ak = i;
316 } else { /* not found */
317 /* on error, invalidate the state so that the client cannot
318 call here again. */
319 ccrypt_state_free((ccrypt_state_t *)b->state);
320 b->state = NULL;
321 ccrypt_errno = CCRYPT_EMISMATCH;
322 return -2;
323 }
324 }
325 }
326
327 else if (b->avail_out == 0) {
328 break;
329 }
330
331 else { /* decrypt one byte */
332 if (st->bufindex == 32) {
333 xrijndaelEncrypt(st->buf, &st->rkks[st->ak]);
334 st->bufindex = 0;
335 }
336 cc = *b->next_in;
337 b->next_in++;
338 b->avail_in--;
339 c = cc ^ cbuf[st->bufindex];
340 cbuf[st->bufindex] = cc;
341 *b->next_out = c;
342 b->next_out++;
343 b->avail_out--;
344 st->bufindex++;
345 }
346 }
347 return 0;
348 }
349
ccdecrypt_end(ccrypt_stream_t * b)350 int ccdecrypt_end(ccrypt_stream_t *b) {
351 ccrypt_state_t *st;
352
353 if (b->state) {
354
355 /* verify that we have read and verified the IV */
356 st = (ccrypt_state_t *)b->state;
357 if (st->iv) {
358 ccrypt_state_free((ccrypt_state_t *)b->state);
359 b->state = NULL;
360 ccrypt_errno = CCRYPT_EFORMAT;
361 return -2;
362 }
363 }
364
365 ccrypt_state_free((ccrypt_state_t *)b->state);
366 b->state = NULL;
367 return 0;
368 }
369