1 /*
2  ---------------------------------------------------------------------------
3  Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
4  All rights reserved.
5 
6  LICENSE TERMS
7 
8  The free distribution and use of this software in both source and binary
9  form is allowed (with or without changes) provided that:
10 
11    1. distributions of this source code include the above copyright
12       notice, this list of conditions and the following disclaimer;
13 
14    2. distributions in binary form include the above copyright
15       notice, this list of conditions and the following disclaimer
16       in the documentation and/or other associated materials;
17 
18    3. the copyright holder's name is not used to endorse products
19       built using this software without specific written permission.
20 
21  ALTERNATIVELY, provided that this notice is retained in full, this product
22  may be distributed under the terms of the GNU General Public License (GPL),
23  in which case the provisions of the GPL apply INSTEAD OF those given above.
24 
25  DISCLAIMER
26 
27  This software is provided 'as is' with no explicit or implied warranties
28  in respect of its properties, including, but not limited to, correctness
29  and/or fitness for purpose.
30  -------------------------------------------------------------------------
31  Issue Date: 26/08/2003
32 
33  This file implements password based file encryption and authentication
34  using AES in CTR mode, HMAC-SHA1 authentication and RFC2898 password
35  based key derivation.
36 
37 */
38 
39 #include <memory.h>
40 
41 #include "fileenc.h"
42 
43 /* subroutine for data encryption/decryption    */
44 /* this could be speeded up a lot by aligning   */
45 /* buffers and using 32 bit operations          */
46 
encr_data(unsigned char data[],unsigned long d_len,fcrypt_ctx cx[1])47 static void encr_data(unsigned char data[], unsigned long d_len, fcrypt_ctx cx[1])
48 {
49     unsigned long i = 0, pos = cx->encr_pos;
50 
51     while(i < d_len)
52     {
53         if(pos == BLOCK_SIZE)
54         {   unsigned int j = 0;
55             /* increment encryption nonce   */
56             while(j < 8 && !++cx->nonce[j])
57                 ++j;
58             /* encrypt the nonce to form next xor buffer    */
59             aes_encrypt(cx->nonce, cx->encr_bfr, cx->encr_ctx);
60             pos = 0;
61         }
62 
63         data[i++] ^= cx->encr_bfr[pos++];
64     }
65 
66     cx->encr_pos = pos;
67 }
68 
fcrypt_init(int mode,const unsigned char pwd[],unsigned int pwd_len,const unsigned char salt[],unsigned char pwd_ver[PWD_VER_LENGTH],fcrypt_ctx cx[1])69 int fcrypt_init(
70     int mode,                               /* the mode to be used (input)          */
71     const unsigned char pwd[],              /* the user specified password (input)  */
72     unsigned int pwd_len,                   /* the length of the password (input)   */
73     const unsigned char salt[],             /* the salt (input)                     */
74 #ifdef PASSWORD_VERIFIER
75     unsigned char pwd_ver[PWD_VER_LENGTH],  /* 2 byte password verifier (output)    */
76 #endif
77     fcrypt_ctx      cx[1])                  /* the file encryption context (output) */
78 {
79     unsigned char kbuf[2 * MAX_KEY_LENGTH + PWD_VER_LENGTH];
80 
81     if(pwd_len > MAX_PWD_LENGTH)
82         return PASSWORD_TOO_LONG;
83 
84     if(mode < 1 || mode > 3)
85         return BAD_MODE;
86 
87     cx->mode = mode;
88     cx->pwd_len = pwd_len;
89     /* initialise the encryption nonce and buffer pos   */
90     cx->encr_pos = BLOCK_SIZE;
91 
92     /* if we need a random component in the encryption  */
93     /* nonce, this is where it would have to be set     */
94     memset(cx->nonce, 0, BLOCK_SIZE * sizeof(unsigned char));
95     /* initialise for authentication			        */
96     hmac_sha_begin(cx->auth_ctx);
97 
98     /* derive the encryption and authetication keys and the password verifier   */
99     derive_key(pwd, pwd_len, salt, SALT_LENGTH(mode), KEYING_ITERATIONS,
100                         kbuf, 2 * KEY_LENGTH(mode) + PWD_VER_LENGTH);
101     /* set the encryption key							*/
102     aes_encrypt_key(kbuf, KEY_LENGTH(mode), cx->encr_ctx);
103     /* set the authentication key						*/
104     hmac_sha_key(kbuf + KEY_LENGTH(mode), KEY_LENGTH(mode), cx->auth_ctx);
105 #ifdef PASSWORD_VERIFIER
106     memcpy(pwd_ver, kbuf + 2 * KEY_LENGTH(mode), PWD_VER_LENGTH);
107 #endif
108     /* clear the buffer holding the derived key values	*/
109     memset(kbuf, 0, 2 * KEY_LENGTH(mode) + PWD_VER_LENGTH);
110 
111     return GOOD_RETURN;
112 }
113 
114 /* perform 'in place' encryption and authentication */
115 
fcrypt_encrypt(unsigned char data[],unsigned int data_len,fcrypt_ctx cx[1])116 void fcrypt_encrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1])
117 {
118     encr_data(data, data_len, cx);
119     hmac_sha_data(data, data_len, cx->auth_ctx);
120 }
121 
122 /* perform 'in place' authentication and decryption */
123 
fcrypt_decrypt(unsigned char data[],unsigned int data_len,fcrypt_ctx cx[1])124 void fcrypt_decrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1])
125 {
126     hmac_sha_data(data, data_len, cx->auth_ctx);
127     encr_data(data, data_len, cx);
128 }
129 
130 /* close encryption/decryption and return the MAC value */
131 
fcrypt_end(unsigned char mac[],fcrypt_ctx cx[1])132 int fcrypt_end(unsigned char mac[], fcrypt_ctx cx[1])
133 {
134     unsigned int res = cx->mode;
135 
136     hmac_sha_end(mac, MAC_LENGTH(cx->mode), cx->auth_ctx);
137     memset(cx, 0, sizeof(fcrypt_ctx));	/* clear the encryption context	*/
138     return MAC_LENGTH(res);		/* return MAC length in bytes   */
139 }
140 
141