1 /* crypto.c --- Crypto functions.
2 * Copyright (C) 2002-2013 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, see http://www.gnu.org/licenses or write
18 * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 * Floor, Boston, MA 02110-1301, USA
20 *
21 */
22
23 #include "internal.h"
24
25 /* Get prototypes. */
26 #include "crypto.h"
27
28 /* Get _shishi_escapeprint, etc. */
29 #include "utils.h"
30
31 static int
gcd(int a,int b)32 gcd (int a, int b)
33 {
34 if (b == 0)
35 return a;
36 else
37 return gcd (b, a % b);
38 }
39
40 static int
lcm(int a,int b)41 lcm (int a, int b)
42 {
43 return a * b / gcd (a, b);
44 }
45
46 static void
rot13(Shishi * handle,char * in,char * out,int len)47 rot13 (Shishi * handle, char *in, char *out, int len)
48 {
49 if (VERBOSECRYPTONOISE (handle))
50 {
51 printf ("\t ;; rot 13 in:\n");
52 _shishi_escapeprint (in, len);
53 _shishi_hexprint (in, len);
54 _shishi_binprint (in, len);
55 }
56
57 if (len == 1)
58 {
59 out[0] =
60 ((in[0] >> 5) & 0x01) |
61 ((in[0] >> 5) & 0x02) |
62 ((in[0] >> 5) & 0x04) |
63 ((in[0] << 3) & 0x08) |
64 ((in[0] << 3) & 0x10) |
65 ((in[0] << 3) & 0x20) | ((in[0] << 3) & 0x40) | ((in[0] << 3) & 0x80);
66 }
67 else if (len > 1)
68 {
69 char nexttolast, last;
70 int i;
71
72 nexttolast = in[len - 2];
73 last = in[len - 1];
74
75 for (i = len * 8 - 1; i >= 13; i--)
76 {
77 int pos = i / 8;
78 char mask = ~(1 << (7 - i % 8));
79 int pos2 = (i - 13) / 8;
80 char mask2 = (1 << (7 - (i - 13) % 8));
81
82 out[pos] = (out[pos] & mask) |
83 (((in[pos2] & mask2) ? 0xFF : 0x00) & ~mask);
84 }
85 out[0] = ((nexttolast & 0xFF) << 3) | ((last & 0xFF) >> 5);
86 out[1] = (in[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last << 3));
87 }
88
89 if (VERBOSECRYPTONOISE (handle))
90 {
91 printf ("\t ;; rot13 out:\n");
92 _shishi_escapeprint (out, len);
93 _shishi_hexprint (out, len);
94 _shishi_binprint (out, len);
95 }
96 }
97
98 static void
ocadd(char * add1,char * add2,char * sum,int len)99 ocadd (char *add1, char *add2, char *sum, int len)
100 {
101 int i;
102 int carry = 0;
103
104 for (i = len - 1; i >= 0; i--)
105 {
106 int tmpsum = (unsigned char) add1[i] + (unsigned char) add2[i];
107
108 sum[i] = (tmpsum + carry) & 0xFF;
109 if (tmpsum + carry > 0xFF)
110 carry = 1;
111 else
112 carry = 0;
113 }
114
115 if (carry)
116 {
117 int done = 0;
118
119 for (i = len - 1; i >= 0; i--)
120 if ((unsigned char) sum[i] != 0xFF)
121 {
122 sum[i]++;
123 done = 1;
124 break;
125 }
126
127 if (!done)
128 memset (sum, 0, len);
129 }
130 }
131
132 static int
simplified_hmac(Shishi * handle,Shishi_key * key,const char * in,size_t inlen,char ** outhash,size_t * outhashlen)133 simplified_hmac (Shishi * handle,
134 Shishi_key * key,
135 const char *in, size_t inlen,
136 char **outhash, size_t * outhashlen)
137 {
138 *outhashlen = shishi_checksum_cksumlen
139 (shishi_cipher_defaultcksumtype (shishi_key_type (key)));
140 return shishi_hmac_sha1 (handle, shishi_key_value (key),
141 shishi_key_length (key), in, inlen, outhash);
142 }
143
144 static int
simplified_hmac_verify(Shishi * handle,Shishi_key * key,const char * in,size_t inlen,const char * hmac,size_t hmaclen)145 simplified_hmac_verify (Shishi * handle, Shishi_key * key,
146 const char *in, size_t inlen,
147 const char *hmac, size_t hmaclen)
148 {
149 char *hash;
150 size_t hlen;
151 int same;
152 int res;
153
154 res = simplified_hmac (handle, key, in, inlen, &hash, &hlen);
155 if (res != SHISHI_OK || hash == NULL)
156 return res;
157
158 if (VERBOSECRYPTO (handle))
159 {
160 printf ("\t ;; HMAC verify:\n");
161 _shishi_escapeprint (hash, hlen);
162 _shishi_hexprint (hash, hlen);
163 _shishi_binprint (hash, hlen);
164 _shishi_escapeprint (hmac, hmaclen);
165 _shishi_hexprint (hmac, hmaclen);
166 _shishi_binprint (hmac, hmaclen);
167 }
168
169 same = (hlen == hmaclen) && memcmp (hash, hmac, hmaclen) == 0;
170
171 free (hash);
172
173 if (!same)
174 {
175 shishi_error_printf (handle, "HMAC verify failed");
176 return SHISHI_CRYPTO_ERROR;
177 }
178
179 return SHISHI_OK;
180 }
181
182 int
_shishi_simplified_derivekey(Shishi * handle,Shishi_key * key,int keyusage,int derivekeymode,Shishi_key ** outkey)183 _shishi_simplified_derivekey (Shishi * handle,
184 Shishi_key * key,
185 int keyusage,
186 int derivekeymode, Shishi_key ** outkey)
187 {
188 char prfconstant[5];
189 int res = SHISHI_OK;
190 Shishi_key *derivedkey;
191
192 if (VERBOSECRYPTO (handle))
193 {
194 printf ("simplified_derivekey\n");
195 printf ("\t ;; mode %d (%s)\n", derivekeymode,
196 derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM ? "checksum" :
197 derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY ? "integrity" :
198 derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY ? "privacy" :
199 "base-key");
200 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
201 }
202
203
204 res = shishi_key_from_value (handle, shishi_key_type (key),
205 NULL, &derivedkey);
206 if (res != SHISHI_OK)
207 return res;
208
209 *outkey = derivedkey;
210
211 if (keyusage)
212 {
213 uint32_t tmp = htonl (keyusage);
214 memcpy (prfconstant, &tmp, 4);
215 if (derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM)
216 prfconstant[4] = '\x99';
217 else if (derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY)
218 prfconstant[4] = '\x55';
219 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
220 prfconstant[4] = '\xAA';
221
222 res = shishi_dk (handle, key, prfconstant, 5, derivedkey);
223 }
224 else
225 {
226 shishi_key_copy (derivedkey, key);
227 }
228
229 if (VERBOSECRYPTO (handle))
230 {
231 printf ("\t ;; simplified_derivekey out (%d):\n",
232 shishi_key_length (derivedkey));
233 _shishi_hexprint (shishi_key_value (derivedkey),
234 shishi_key_length (derivedkey));
235 }
236
237 return res;
238 }
239
240 int
_shishi_simplified_dencrypt(Shishi * handle,Shishi_key * key,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen,int decryptp)241 _shishi_simplified_dencrypt (Shishi * handle,
242 Shishi_key * key,
243 const char *iv, size_t ivlen,
244 char **ivout, size_t * ivoutlen,
245 const char *in, size_t inlen,
246 char **out, size_t * outlen, int decryptp)
247 {
248 int rc;
249 char *pt;
250 size_t ptlen;
251 size_t padzerolen = 0;
252
253 if ((inlen % 8) != 0)
254 while (((inlen + padzerolen) % 8) != 0)
255 padzerolen++;
256
257 ptlen = inlen + padzerolen;
258
259 if (padzerolen)
260 {
261 pt = xmalloc (ptlen);
262 memcpy (pt, in, inlen);
263 memset (pt + inlen, 0, padzerolen);
264 }
265 else
266 pt = (char *) in;
267
268 switch (shishi_key_type (key))
269 {
270 case SHISHI_DES_CBC_CRC:
271 case SHISHI_DES_CBC_MD4:
272 case SHISHI_DES_CBC_MD5:
273 case SHISHI_DES_CBC_NONE:
274 rc = shishi_des (handle, decryptp, shishi_key_value (key),
275 iv, ivout, pt, ptlen, out);
276 if (ivoutlen)
277 *ivoutlen = 8;
278 if (outlen)
279 *outlen = ptlen;
280 break;
281
282 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
283 case SHISHI_DES3_CBC_NONE:
284 rc = shishi_3des (handle, decryptp, shishi_key_value (key),
285 iv, ivout, pt, inlen + padzerolen, out);
286 if (ivoutlen)
287 *ivoutlen = 8;
288 if (outlen)
289 *outlen = ptlen;
290 break;
291
292 case SHISHI_AES128_CTS_HMAC_SHA1_96:
293 case SHISHI_AES256_CTS_HMAC_SHA1_96:
294 rc = shishi_aes_cts (handle, decryptp,
295 shishi_key_value (key), shishi_key_length (key),
296 iv, ivout, in, inlen, out);
297 if (ivoutlen)
298 *ivoutlen = 16;
299 if (outlen)
300 *outlen = inlen;
301 break;
302
303 default:
304 rc = SHISHI_CRYPTO_ERROR;
305 }
306
307 if (padzerolen)
308 free (pt);
309
310 return rc;
311 }
312
313 int
_shishi_simplified_encrypt(Shishi * handle,Shishi_key * key,int keyusage,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen)314 _shishi_simplified_encrypt (Shishi * handle,
315 Shishi_key * key,
316 int keyusage,
317 const char *iv, size_t ivlen,
318 char **ivout, size_t * ivoutlen,
319 const char *in, size_t inlen,
320 char **out, size_t * outlen)
321 {
322 int res;
323 int padzerolen = 0;
324
325 if ((shishi_key_type (key) == SHISHI_DES3_CBC_HMAC_SHA1_KD ||
326 shishi_key_type (key) == SHISHI_DES_CBC_CRC ||
327 shishi_key_type (key) == SHISHI_DES_CBC_MD4 ||
328 shishi_key_type (key) == SHISHI_DES_CBC_MD5) && (inlen % 8) != 0)
329 while (((inlen + padzerolen) % 8) != 0)
330 padzerolen++;
331
332 if (keyusage != 0)
333 {
334 char *pt = NULL, *ct = NULL, *hmac = NULL;
335 int blen = shishi_cipher_blocksize (shishi_key_type (key));
336 size_t ctlen, ptlen, hmaclen;
337 Shishi_key *privacykey = NULL, *integritykey = NULL;
338
339 ptlen = inlen + blen + padzerolen;
340 pt = xmalloc (ptlen);
341
342 res = shishi_randomize (handle, 0, pt, blen);
343 if (res != SHISHI_OK)
344 goto done;
345
346 memcpy (pt + blen, in, inlen);
347 memset (pt + blen + inlen, 0, padzerolen);
348
349 res = _shishi_simplified_derivekey (handle, key, keyusage,
350 SHISHI_DERIVEKEYMODE_PRIVACY,
351 &privacykey);
352 if (res != SHISHI_OK)
353 goto done;
354
355 res = _shishi_simplified_dencrypt (handle, privacykey,
356 iv, ivlen, ivout,
357 ivoutlen, pt, ptlen, &ct, &ctlen, 0);
358 if (res != SHISHI_OK)
359 goto done;
360
361
362 res = _shishi_simplified_derivekey (handle, key, keyusage,
363 SHISHI_DERIVEKEYMODE_INTEGRITY,
364 &integritykey);
365 if (res != SHISHI_OK)
366 goto done;
367
368 res = simplified_hmac (handle, integritykey, pt, ptlen,
369 &hmac, &hmaclen);
370 if (res != SHISHI_OK)
371 goto done;
372
373 *outlen = ctlen + hmaclen;
374 *out = xmalloc (*outlen);
375 memcpy (*out, ct, ctlen);
376 memcpy (*out + ctlen, hmac, hmaclen);
377
378 done:
379 if (privacykey)
380 shishi_key_done (privacykey);
381 if (integritykey)
382 shishi_key_done (integritykey);
383 free (hmac);
384 free (ct);
385 free (pt);
386 }
387 else
388 {
389 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
390 ivout, ivoutlen,
391 in, inlen, out, outlen, 0);
392 }
393
394 return res;
395 }
396
397 int
_shishi_simplified_decrypt(Shishi * handle,Shishi_key * key,int keyusage,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen)398 _shishi_simplified_decrypt (Shishi * handle,
399 Shishi_key * key,
400 int keyusage,
401 const char *iv, size_t ivlen,
402 char **ivout, size_t * ivoutlen,
403 const char *in, size_t inlen,
404 char **out, size_t * outlen)
405 {
406 int res;
407
408 if (keyusage)
409 {
410 Shishi_key *privacykey = NULL, *integritykey = NULL;
411 int blen = shishi_cipher_blocksize (shishi_key_type (key));
412 size_t hlen = shishi_checksum_cksumlen
413 (shishi_cipher_defaultcksumtype (shishi_key_type (key)));
414
415 res = _shishi_simplified_derivekey (handle, key, keyusage,
416 SHISHI_DERIVEKEYMODE_PRIVACY,
417 &privacykey);
418 if (res != SHISHI_OK)
419 goto done;
420
421 res = _shishi_simplified_dencrypt (handle, privacykey,
422 iv, ivlen, ivout, ivoutlen,
423 in, inlen - hlen, out, outlen, 1);
424 if (res != SHISHI_OK)
425 goto done;
426
427 res = _shishi_simplified_derivekey (handle, key, keyusage,
428 SHISHI_DERIVEKEYMODE_INTEGRITY,
429 &integritykey);
430 if (res != SHISHI_OK)
431 goto done;
432
433 res = simplified_hmac_verify (handle, integritykey, *out, *outlen,
434 in + inlen - hlen, hlen);
435
436 if (res != SHISHI_OK)
437 goto done;
438
439 memmove (*out, *out + blen, *outlen - blen);
440 *outlen = *outlen - blen;
441 *out = xrealloc (*out, *outlen);
442
443 done:
444 if (privacykey)
445 shishi_key_done (privacykey);
446 if (integritykey)
447 shishi_key_done (integritykey);
448 }
449 else
450 {
451 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
452 ivout, ivoutlen,
453 in, inlen, out, outlen, 1);
454 }
455
456 return res;
457 }
458
459 int
_shishi_simplified_checksum(Shishi * handle,Shishi_key * key,int keyusage,int cksumtype,const char * in,size_t inlen,char ** out,size_t * outlen)460 _shishi_simplified_checksum (Shishi * handle,
461 Shishi_key * key,
462 int keyusage,
463 int cksumtype,
464 const char *in, size_t inlen,
465 char **out, size_t * outlen)
466 {
467 Shishi_key *checksumkey;
468 int cksumlen = shishi_checksum_cksumlen (cksumtype);
469 int res;
470
471 res = _shishi_simplified_derivekey (handle, key, keyusage,
472 SHISHI_DERIVEKEYMODE_CHECKSUM,
473 &checksumkey);
474 if (res != SHISHI_OK)
475 return res;
476
477 res = simplified_hmac (handle, checksumkey, in, inlen, out, outlen);
478
479 shishi_key_done (checksumkey);
480
481 if (res != SHISHI_OK)
482 return res;
483
484 *outlen = cksumlen;
485
486 return SHISHI_OK;
487 }
488
489 static cipherinfo *ciphers[] = {
490 #if WITH_NULL
491 &null_info,
492 #endif
493 #if WITH_DES
494 &des_cbc_crc_info,
495 &des_cbc_md4_info,
496 &des_cbc_md5_info,
497 &des_cbc_none_info,
498 #endif
499 #if WITH_3DES
500 &des3_cbc_none_info,
501 &des3_cbc_sha1_kd_info,
502 #endif
503 #if WITH_AES
504 &aes128_cts_hmac_sha1_96_info,
505 &aes256_cts_hmac_sha1_96_info,
506 #endif
507 #if WITH_ARCFOUR
508 &arcfour_hmac_info,
509 &arcfour_hmac_exp_info
510 #endif
511 };
512
513 /**
514 * shishi_cipher_supported_p:
515 * @type: encryption type, see Shishi_etype.
516 *
517 * Find out if cipher is supported.
518 *
519 * Return value: Return 0 iff cipher is unsupported.
520 **/
521 int
shishi_cipher_supported_p(int32_t type)522 shishi_cipher_supported_p (int32_t type)
523 {
524 size_t i;
525
526 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
527 if (type == ciphers[i]->type)
528 return 1;
529
530 return 0;
531 }
532
533 /**
534 * shishi_cipher_name:
535 * @type: encryption type, see Shishi_etype.
536 *
537 * Read humanly readable string for cipher.
538 *
539 * Return value: Return name of encryption type,
540 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
541 **/
542 const char *
shishi_cipher_name(int32_t type)543 shishi_cipher_name (int32_t type)
544 {
545 size_t i;
546 char *p;
547
548 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
549 {
550 if (type == ciphers[i]->type)
551 return ciphers[i]->name;
552 }
553
554 asprintf (&p, "unknown cipher %d", type);
555 return p;
556 }
557
558 /**
559 * shishi_cipher_blocksize:
560 * @type: encryption type, see Shishi_etype.
561 *
562 * Get block size for cipher.
563 *
564 * Return value: Return block size for encryption type, as defined in
565 * the standards.
566 **/
567 int
shishi_cipher_blocksize(int32_t type)568 shishi_cipher_blocksize (int32_t type)
569 {
570 size_t i;
571
572 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
573 if (type == ciphers[i]->type)
574 return ciphers[i]->blocksize;
575
576 return -1;
577 }
578
579 /**
580 * shishi_cipher_confoundersize:
581 * @type: encryption type, see Shishi_etype.
582 *
583 * Get length of confounder for cipher.
584 *
585 * Return value: Returns the size of the confounder (random data) for
586 * encryption type, as defined in the standards, or (size_t)-1 on
587 * error (e.g., unsupported encryption type).
588 **/
589 int
shishi_cipher_confoundersize(int32_t type)590 shishi_cipher_confoundersize (int32_t type)
591 {
592 size_t i;
593
594 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
595 if (type == ciphers[i]->type)
596 return ciphers[i]->confoundersize;
597
598 return -1;
599 }
600
601 /**
602 * shishi_cipher_keylen:
603 * @type: encryption type, see Shishi_etype.
604 *
605 * Get key length for cipher.
606 *
607 * Return value: Return length of key used for the encryption type, as
608 * defined in the standards.
609 **/
610 size_t
shishi_cipher_keylen(int32_t type)611 shishi_cipher_keylen (int32_t type)
612 {
613 size_t i;
614
615 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
616 if (type == ciphers[i]->type)
617 return ciphers[i]->keylen;
618
619 return -1;
620 }
621
622 /**
623 * shishi_cipher_randomlen:
624 * @type: encryption type, see Shishi_etype.
625 *
626 * Get length of random data for cipher.
627 *
628 * Return value: Return length of random used for the encryption type,
629 * as defined in the standards, or (size_t)-1 on error (e.g.,
630 * unsupported encryption type).
631 **/
632 size_t
shishi_cipher_randomlen(int32_t type)633 shishi_cipher_randomlen (int32_t type)
634 {
635 size_t i;
636
637 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
638 if (type == ciphers[i]->type)
639 return ciphers[i]->randomlen;
640
641 return -1;
642 }
643
644 /**
645 * shishi_cipher_defaultcksumtype:
646 * @type: encryption type, see Shishi_etype.
647 *
648 * Get the default checksum associated with cipher.
649 *
650 * Return value: Return associated checksum mechanism for the
651 * encryption type, as defined in the standards.
652 **/
653 int
shishi_cipher_defaultcksumtype(int32_t type)654 shishi_cipher_defaultcksumtype (int32_t type)
655 {
656 size_t i;
657
658 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
659 if (type == ciphers[i]->type)
660 return ciphers[i]->defaultcksumtype;
661
662 return -1;
663 }
664
665 struct Cipher_aliases
666 {
667 const char *name;
668 int type;
669 };
670
671 static struct Cipher_aliases cipher_aliases[] = {
672 {"des-crc", SHISHI_DES_CBC_CRC},
673 {"des-md4", SHISHI_DES_CBC_MD4},
674 {"des-md5", SHISHI_DES_CBC_MD5},
675 {"des", SHISHI_DES_CBC_MD5},
676 {"des3", SHISHI_DES3_CBC_HMAC_SHA1_KD},
677 {"3des", SHISHI_DES3_CBC_HMAC_SHA1_KD},
678 {"aes128", SHISHI_AES128_CTS_HMAC_SHA1_96},
679 {"aes256", SHISHI_AES256_CTS_HMAC_SHA1_96},
680 {"aes", SHISHI_AES256_CTS_HMAC_SHA1_96},
681 {"arcfour", SHISHI_ARCFOUR_HMAC}
682 };
683
684 /**
685 * shishi_cipher_parse:
686 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
687 *
688 * Get cipher number by parsing string.
689 *
690 * Return value: Return encryption type corresponding to a string.
691 **/
692 int
shishi_cipher_parse(const char * cipher)693 shishi_cipher_parse (const char *cipher)
694 {
695 size_t i;
696 char *endptr;
697
698 i = strtol (cipher, &endptr, 0);
699
700 if (*cipher && *endptr == '\0')
701 return i;
702
703 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
704 if (strcasecmp (cipher, ciphers[i]->name) == 0)
705 return ciphers[i]->type;
706
707 for (i = 0; i < sizeof (cipher_aliases) / sizeof (cipher_aliases[0]); i++)
708 if (strcasecmp (cipher, cipher_aliases[i].name) == 0)
709 return cipher_aliases[i].type;
710
711 return -1;
712 }
713
714 static Shishi_random_to_key_function
_shishi_cipher_random_to_key(int32_t type)715 _shishi_cipher_random_to_key (int32_t type)
716 {
717 size_t i;
718
719 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
720 if (type == ciphers[i]->type)
721 return ciphers[i]->random2key;
722
723 return NULL;
724 }
725
726 static Shishi_string_to_key_function
_shishi_cipher_string_to_key(int32_t type)727 _shishi_cipher_string_to_key (int32_t type)
728 {
729 size_t i;
730
731 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
732 if (type == ciphers[i]->type)
733 return ciphers[i]->string2key;
734
735 return NULL;
736 }
737
738 static Shishi_encrypt_function
_shishi_cipher_encrypt(int32_t type)739 _shishi_cipher_encrypt (int32_t type)
740 {
741 size_t i;
742
743 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
744 if (type == ciphers[i]->type)
745 return ciphers[i]->encrypt;
746
747 return NULL;
748 }
749
750 static Shishi_decrypt_function
_shishi_cipher_decrypt(int32_t type)751 _shishi_cipher_decrypt (int32_t type)
752 {
753 size_t i;
754
755 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
756 if (type == ciphers[i]->type)
757 return ciphers[i]->decrypt;
758
759 return NULL;
760 }
761
762 static checksuminfo *checksums[] = {
763 #if WITH_DES
764 &crc32_info,
765 #endif
766 #if WITH_MD
767 &md4_info,
768 #endif
769 #if WITH_DES
770 &md4_des_info,
771 #endif
772 #if WITH_MD
773 &md5_info,
774 #endif
775 #if WITH_DES
776 &md5_des_info,
777 &md5_gss_info,
778 #endif
779 #if WITH_3DES
780 &hmac_sha1_des3_kd_info,
781 #endif
782 #if WITH_AES
783 &hmac_sha1_96_aes128_info,
784 &hmac_sha1_96_aes256_info,
785 #endif
786 #if WITH_ARCFOUR
787 &arcfour_hmac_md5_info
788 #endif
789 };
790
791 /**
792 * shishi_checksum_supported_p:
793 * @type: checksum type, see Shishi_cksumtype.
794 *
795 * Find out whether checksum is supported.
796 *
797 * Return value: Return 0 iff checksum is unsupported.
798 **/
799 int
shishi_checksum_supported_p(int32_t type)800 shishi_checksum_supported_p (int32_t type)
801 {
802 size_t i;
803
804 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
805 if (type == checksums[i]->type)
806 return 1;
807
808 return 0;
809 }
810
811 /**
812 * shishi_checksum_name:
813 * @type: checksum type, see Shishi_cksumtype.
814 *
815 * Get name of checksum.
816 *
817 * Return value: Return name of checksum type,
818 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
819 **/
820 const char *
shishi_checksum_name(int32_t type)821 shishi_checksum_name (int32_t type)
822 {
823 size_t i;
824 char *p;
825
826 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
827 {
828 if (type == checksums[i]->type)
829 return checksums[i]->name;
830 }
831
832 asprintf (&p, "unknown checksum %d", type);
833 return p;
834 }
835
836 /**
837 * shishi_checksum_cksumlen:
838 * @type: checksum type, see Shishi_cksumtype.
839 *
840 * Get length of checksum output.
841 *
842 * Return value: Return length of checksum used for the checksum type,
843 * as defined in the standards.
844 **/
845 size_t
shishi_checksum_cksumlen(int32_t type)846 shishi_checksum_cksumlen (int32_t type)
847 {
848 size_t i;
849
850 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
851 if (type == checksums[i]->type)
852 return checksums[i]->cksumlen;
853
854 return -1;
855 }
856
857 /**
858 * shishi_checksum_parse:
859 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
860 *
861 * Get checksum number by parsing a string.
862 *
863 * Return value: Return checksum type, see Shishi_cksumtype,
864 * corresponding to a string.
865 **/
866 int
shishi_checksum_parse(const char * checksum)867 shishi_checksum_parse (const char *checksum)
868 {
869 size_t i;
870 char *endptr;
871
872 i = strtol (checksum, &endptr, 0);
873
874 if (endptr != checksum)
875 return i;
876
877 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
878 if (strcasecmp (checksum, checksums[i]->name) == 0)
879 return checksums[i]->type;
880
881 return -1;
882 }
883
884 static Shishi_checksum_function
_shishi_checksum(int32_t type)885 _shishi_checksum (int32_t type)
886 {
887 size_t i;
888
889 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
890 if (type == checksums[i]->type)
891 return checksums[i]->checksum;
892
893 return NULL;
894 }
895
896 static Shishi_verify_function
_shishi_verify(int32_t type)897 _shishi_verify (int32_t type)
898 {
899 size_t i;
900
901 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
902 if (type == checksums[i]->type)
903 return checksums[i]->verify;
904
905 return NULL;
906 }
907
908 /**
909 * shishi_string_to_key:
910 * @handle: shishi handle as allocated by shishi_init().
911 * @keytype: cryptographic encryption type, see Shishi_etype.
912 * @password: input array with password.
913 * @passwordlen: length of input array with password.
914 * @salt: input array with salt.
915 * @saltlen: length of input array with salt.
916 * @parameter: input array with opaque encryption type specific information.
917 * @outkey: allocated key handle that will contain new key.
918 *
919 * Derive key from a string (password) and salt (commonly
920 * concatenation of realm and principal) for specified key type, and
921 * set the type and value in the given key to the computed values.
922 * The parameter value is specific for each keytype, and can be set if
923 * the parameter information is not available.
924 *
925 * Return value: Returns %SHISHI_OK iff successful.
926 **/
927 int
shishi_string_to_key(Shishi * handle,int32_t keytype,const char * password,size_t passwordlen,const char * salt,size_t saltlen,const char * parameter,Shishi_key * outkey)928 shishi_string_to_key (Shishi * handle,
929 int32_t keytype,
930 const char *password, size_t passwordlen,
931 const char *salt, size_t saltlen,
932 const char *parameter, Shishi_key * outkey)
933 {
934 Shishi_string_to_key_function string2key;
935 int res;
936
937 shishi_key_type_set (outkey, keytype);
938
939 if (VERBOSECRYPTO (handle))
940 {
941 printf ("string_to_key (%s, password, salt)\n",
942 shishi_key_name (outkey));
943 printf ("\t ;; password:\n");
944 _shishi_escapeprint (password, passwordlen);
945 _shishi_hexprint (password, passwordlen);
946 printf ("\t ;; salt:\n");
947 _shishi_escapeprint (salt, saltlen);
948 _shishi_hexprint (salt, saltlen);
949 }
950
951 string2key = _shishi_cipher_string_to_key (shishi_key_type (outkey));
952 if (string2key == NULL)
953 {
954 shishi_error_printf (handle, "Unsupported keytype %d",
955 shishi_key_type (outkey));
956 return SHISHI_CRYPTO_ERROR;
957 }
958
959 res = (*string2key) (handle, password, passwordlen,
960 salt, saltlen, parameter, outkey);
961
962 if (VERBOSECRYPTO (handle))
963 {
964 printf ("\t ;; string_to_key key:\n");
965 _shishi_hexprint (shishi_key_value (outkey),
966 shishi_key_length (outkey));
967 _shishi_binprint (shishi_key_value (outkey),
968 shishi_key_length (outkey));
969 }
970
971 return res;
972 }
973
974 /**
975 * shishi_random_to_key:
976 * @handle: shishi handle as allocated by shishi_init().
977 * @keytype: cryptographic encryption type, see Shishi_etype.
978 * @rnd: input array with random data.
979 * @rndlen: length of input array with random data.
980 * @outkey: allocated key handle that will contain new key.
981 *
982 * Derive key from random data for specified key type, and set the
983 * type and value in the given key to the computed values.
984 *
985 * Return value: Returns %SHISHI_OK iff successful.
986 **/
987 int
shishi_random_to_key(Shishi * handle,int32_t keytype,const char * rnd,size_t rndlen,Shishi_key * outkey)988 shishi_random_to_key (Shishi * handle,
989 int32_t keytype,
990 const char *rnd, size_t rndlen, Shishi_key * outkey)
991 {
992 Shishi_random_to_key_function random2key;
993 int res;
994
995 shishi_key_type_set (outkey, keytype);
996
997 if (VERBOSECRYPTO (handle))
998 {
999 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey));
1000 printf ("\t ;; random:\n");
1001 _shishi_hexprint (rnd, rndlen);
1002 _shishi_binprint (rnd, rndlen);
1003 }
1004
1005 random2key = _shishi_cipher_random_to_key (keytype);
1006 if (random2key == NULL)
1007 {
1008 shishi_error_printf (handle, "Unsupported random_to_key() ekeytype %d",
1009 keytype);
1010 return SHISHI_CRYPTO_ERROR;
1011 }
1012
1013 res = (*random2key) (handle, rnd, rndlen, outkey);
1014
1015 if (VERBOSECRYPTO (handle))
1016 {
1017 printf ("\t ;; random_to_key key:\n");
1018 _shishi_hexprint (shishi_key_value (outkey),
1019 shishi_key_length (outkey));
1020 _shishi_binprint (shishi_key_value (outkey),
1021 shishi_key_length (outkey));
1022 }
1023
1024 return res;
1025 }
1026
1027 /**
1028 * shishi_checksum:
1029 * @handle: shishi handle as allocated by shishi_init().
1030 * @key: key to compute checksum with.
1031 * @keyusage: integer specifying what this key is used for.
1032 * @cksumtype: the checksum algorithm to use.
1033 * @in: input array with data to integrity protect.
1034 * @inlen: size of input array with data to integrity protect.
1035 * @out: output array with newly allocated integrity protected data.
1036 * @outlen: output variable with length of output array with checksum.
1037 *
1038 * Integrity protect data using key, possibly altered by supplied key
1039 * usage. If key usage is 0, no key derivation is used. The OUT
1040 * buffer must be deallocated by the caller.
1041 *
1042 * Return value: Returns %SHISHI_OK iff successful.
1043 **/
1044 int
shishi_checksum(Shishi * handle,Shishi_key * key,int keyusage,int cksumtype,const char * in,size_t inlen,char ** out,size_t * outlen)1045 shishi_checksum (Shishi * handle,
1046 Shishi_key * key,
1047 int keyusage,
1048 int cksumtype,
1049 const char *in, size_t inlen, char **out, size_t * outlen)
1050 {
1051 Shishi_checksum_function checksum;
1052 int res;
1053
1054 if (VERBOSECRYPTO (handle))
1055 {
1056 printf ("checksum (%s, %d, in, out)\n",
1057 shishi_key_name (key), cksumtype);
1058 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1059 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1060 printf ("\t ;; in:\n");
1061 _shishi_escapeprint (in, inlen);
1062 _shishi_hexprint (in, inlen);
1063 }
1064
1065 if (cksumtype == 0)
1066 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1067
1068 checksum = _shishi_checksum (cksumtype);
1069 if (checksum == NULL)
1070 {
1071 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1072 return SHISHI_CRYPTO_ERROR;
1073 }
1074
1075 /* XXX? check if etype and cksumtype are compatible? */
1076
1077 res = (*checksum) (handle, key, keyusage, cksumtype,
1078 in, inlen, out, outlen);
1079
1080 if (VERBOSECRYPTO (handle))
1081 {
1082 printf ("\t ;; checksum out:\n");
1083 _shishi_escapeprint (*out, *outlen);
1084 _shishi_hexprint (*out, *outlen);
1085 }
1086
1087 return res;
1088 }
1089
1090 /**
1091 * shishi_verify:
1092 * @handle: shishi handle as allocated by shishi_init().
1093 * @key: key to verify checksum with.
1094 * @keyusage: integer specifying what this key is used for.
1095 * @cksumtype: the checksum algorithm to use.
1096 * @in: input array with data that was integrity protected.
1097 * @inlen: size of input array with data that was integrity protected.
1098 * @cksum: input array with alleged checksum of data.
1099 * @cksumlen: size of input array with alleged checksum of data.
1100 *
1101 * Verify checksum of data using key, possibly altered by supplied key
1102 * usage. If key usage is 0, no key derivation is used.
1103 *
1104 * Return value: Returns %SHISHI_OK iff successful.
1105 **/
1106 int
shishi_verify(Shishi * handle,Shishi_key * key,int keyusage,int cksumtype,const char * in,size_t inlen,const char * cksum,size_t cksumlen)1107 shishi_verify (Shishi * handle,
1108 Shishi_key * key,
1109 int keyusage,
1110 int cksumtype,
1111 const char *in, size_t inlen,
1112 const char *cksum, size_t cksumlen)
1113 {
1114 Shishi_verify_function verify;
1115 int res;
1116
1117 if (VERBOSECRYPTO (handle))
1118 {
1119 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key), cksumtype);
1120 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1121 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1122 printf ("\t ;; data:\n");
1123 _shishi_escapeprint (in, inlen);
1124 _shishi_hexprint (in, inlen);
1125 printf ("\t ;; mic:\n");
1126 _shishi_escapeprint (cksum, cksumlen);
1127 _shishi_hexprint (cksum, cksumlen);
1128 }
1129
1130 if (cksumtype == 0)
1131 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1132
1133 verify = _shishi_verify (cksumtype);
1134 if (verify == NULL)
1135 {
1136 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1137 return SHISHI_CRYPTO_ERROR;
1138 }
1139
1140 /* XXX? check if etype and cksumtype are compatible? */
1141
1142 res = (*verify) (handle, key, keyusage, cksumtype,
1143 in, inlen, cksum, cksumlen);
1144
1145 if (VERBOSECRYPTO (handle))
1146 printf ("\t ;; verify return: %d\n", res);
1147
1148 return res;
1149 }
1150
1151 /**
1152 * shishi_encrypt_ivupdate_etype:
1153 * @handle: shishi handle as allocated by shishi_init().
1154 * @key: key to encrypt with.
1155 * @keyusage: integer specifying what this key is encrypting.
1156 * @etype: integer specifying what cipher to use.
1157 * @iv: input array with initialization vector
1158 * @ivlen: size of input array with initialization vector.
1159 * @ivout: output array with newly allocated updated initialization vector.
1160 * @ivoutlen: size of output array with updated initialization vector.
1161 * @in: input array with data to encrypt.
1162 * @inlen: size of input array with data to encrypt.
1163 * @out: output array with newly allocated encrypted data.
1164 * @outlen: output variable with size of newly allocated output array.
1165 *
1166 * Encrypts data as per encryption method using specified
1167 * initialization vector and key. The key actually used is derived
1168 * using the key usage. If key usage is 0, no key derivation is used.
1169 * The OUT buffer must be deallocated by the caller. If IVOUT or
1170 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1171 *
1172 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1173 * exactly. Some encryption types add pad to make the data fit into
1174 * the block size of the encryption algorithm. Furthermore, the pad
1175 * is not guaranteed to look in any special way, although existing
1176 * implementations often pad with the zero byte. This means that you
1177 * may have to "frame" data, so it is possible to infer the original
1178 * length after decryption. Compare ASN.1 DER which contains such
1179 * information.
1180 *
1181 * Return value: Returns %SHISHI_OK iff successful.
1182 **/
1183 int
shishi_encrypt_ivupdate_etype(Shishi * handle,Shishi_key * key,int keyusage,int32_t etype,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen)1184 shishi_encrypt_ivupdate_etype (Shishi * handle,
1185 Shishi_key * key,
1186 int keyusage,
1187 int32_t etype,
1188 const char *iv, size_t ivlen,
1189 char **ivout, size_t * ivoutlen,
1190 const char *in, size_t inlen,
1191 char **out, size_t * outlen)
1192 {
1193 Shishi_encrypt_function enc;
1194 int res;
1195
1196 if (VERBOSECRYPTO (handle))
1197 {
1198 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1199 shishi_key_name (key), keyusage);
1200 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1201 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1202 printf ("\t ;; in (%d):\n", inlen);
1203 _shishi_escapeprint (in, inlen);
1204 _shishi_hexprint (in, inlen);
1205 if (iv)
1206 {
1207 printf ("\t ;; iv (%d):\n", ivlen);
1208 _shishi_escapeprint (iv, ivlen);
1209 _shishi_hexprint (iv, ivlen);
1210 }
1211 }
1212
1213 enc = _shishi_cipher_encrypt (etype);
1214 if (enc == NULL)
1215 {
1216 shishi_error_printf (handle, "Unsupported keytype %d",
1217 shishi_key_type (key));
1218 return SHISHI_CRYPTO_ERROR;
1219 }
1220
1221 res = (*enc) (handle, key, keyusage, iv, ivlen, ivout, ivoutlen,
1222 in, inlen, out, outlen);
1223
1224 if (VERBOSECRYPTO (handle))
1225 {
1226 if (res == SHISHI_OK)
1227 {
1228 printf ("\t ;; encrypt out:\n");
1229 _shishi_escapeprint (*out, *outlen);
1230 _shishi_hexprint (*out, *outlen);
1231 if (ivout && ivoutlen)
1232 {
1233 printf ("\t ;; iv out:\n");
1234 _shishi_escapeprint (*ivout, *ivoutlen);
1235 _shishi_hexprint (*ivout, *ivoutlen);
1236 }
1237 }
1238 else
1239 {
1240 printf ("\t ;; encrypt out failed %d\n", res);
1241 }
1242 }
1243
1244 return res;
1245 }
1246
1247 /**
1248 * shishi_encrypt_iv_etype:
1249 * @handle: shishi handle as allocated by shishi_init().
1250 * @key: key to encrypt with.
1251 * @keyusage: integer specifying what this key is encrypting.
1252 * @etype: integer specifying what cipher to use.
1253 * @iv: input array with initialization vector
1254 * @ivlen: size of input array with initialization vector.
1255 * @in: input array with data to encrypt.
1256 * @inlen: size of input array with data to encrypt.
1257 * @out: output array with newly allocated encrypted data.
1258 * @outlen: output variable with size of newly allocated output array.
1259 *
1260 * Encrypts data as per encryption method using specified
1261 * initialization vector and key. The key actually used is derived
1262 * using the key usage. If key usage is 0, no key derivation is used.
1263 * The OUT buffer must be deallocated by the caller. The next IV is
1264 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1265 *
1266 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1267 * exactly. Some encryption types add pad to make the data fit into
1268 * the block size of the encryption algorithm. Furthermore, the pad
1269 * is not guaranteed to look in any special way, although existing
1270 * implementations often pad with the zero byte. This means that you
1271 * may have to "frame" data, so it is possible to infer the original
1272 * length after decryption. Compare ASN.1 DER which contains such
1273 * information.
1274 *
1275 * Return value: Returns %SHISHI_OK iff successful.
1276 **/
1277 int
shishi_encrypt_iv_etype(Shishi * handle,Shishi_key * key,int keyusage,int32_t etype,const char * iv,size_t ivlen,const char * in,size_t inlen,char ** out,size_t * outlen)1278 shishi_encrypt_iv_etype (Shishi * handle,
1279 Shishi_key * key,
1280 int keyusage,
1281 int32_t etype,
1282 const char *iv, size_t ivlen,
1283 const char *in, size_t inlen,
1284 char **out, size_t * outlen)
1285 {
1286 return shishi_encrypt_ivupdate_etype (handle, key, keyusage, etype,
1287 iv, ivlen, NULL, NULL,
1288 in, inlen, out, outlen);
1289 }
1290
1291 /**
1292 * shishi_encrypt_etype:
1293 * @handle: shishi handle as allocated by shishi_init().
1294 * @key: key to encrypt with.
1295 * @keyusage: integer specifying what this key is encrypting.
1296 * @etype: integer specifying what cipher to use.
1297 * @in: input array with data to encrypt.
1298 * @inlen: size of input array with data to encrypt.
1299 * @out: output array with newly allocated encrypted data.
1300 * @outlen: output variable with size of newly allocated output array.
1301 *
1302 * Encrypts data as per encryption method using specified
1303 * initialization vector and key. The key actually used is derived
1304 * using the key usage. If key usage is 0, no key derivation is used.
1305 * The OUT buffer must be deallocated by the caller. The default IV
1306 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1307 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1308 *
1309 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1310 * exactly. Some encryption types add pad to make the data fit into
1311 * the block size of the encryption algorithm. Furthermore, the pad
1312 * is not guaranteed to look in any special way, although existing
1313 * implementations often pad with the zero byte. This means that you
1314 * may have to "frame" data, so it is possible to infer the original
1315 * length after decryption. Compare ASN.1 DER which contains such
1316 * information.
1317 *
1318 * Return value: Returns %SHISHI_OK iff successful.
1319 **/
1320 int
shishi_encrypt_etype(Shishi * handle,Shishi_key * key,int keyusage,int32_t etype,const char * in,size_t inlen,char ** out,size_t * outlen)1321 shishi_encrypt_etype (Shishi * handle,
1322 Shishi_key * key,
1323 int keyusage,
1324 int32_t etype,
1325 const char *in, size_t inlen,
1326 char **out, size_t * outlen)
1327 {
1328 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1329 shishi_key_type (key),
1330 NULL, 0, NULL, NULL,
1331 in, inlen, out, outlen);
1332 }
1333
1334 /**
1335 * shishi_encrypt_ivupdate:
1336 * @handle: shishi handle as allocated by shishi_init().
1337 * @key: key to encrypt with.
1338 * @keyusage: integer specifying what this key is encrypting.
1339 * @iv: input array with initialization vector
1340 * @ivlen: size of input array with initialization vector.
1341 * @ivout: output array with newly allocated updated initialization vector.
1342 * @ivoutlen: size of output array with updated initialization vector.
1343 * @in: input array with data to encrypt.
1344 * @inlen: size of input array with data to encrypt.
1345 * @out: output array with newly allocated encrypted data.
1346 * @outlen: output variable with size of newly allocated output array.
1347 *
1348 * Encrypts data using specified initialization vector and key. The
1349 * key actually used is derived using the key usage. If key usage is
1350 * 0, no key derivation is used. The OUT buffer must be deallocated
1351 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1352 * saved anywhere.
1353 *
1354 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1355 * exactly. Some encryption types add pad to make the data fit into
1356 * the block size of the encryption algorithm. Furthermore, the pad
1357 * is not guaranteed to look in any special way, although existing
1358 * implementations often pad with the zero byte. This means that you
1359 * may have to "frame" data, so it is possible to infer the original
1360 * length after decryption. Compare ASN.1 DER which contains such
1361 * information.
1362 *
1363 * Return value: Returns %SHISHI_OK iff successful.
1364 **/
1365 int
shishi_encrypt_ivupdate(Shishi * handle,Shishi_key * key,int keyusage,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen)1366 shishi_encrypt_ivupdate (Shishi * handle,
1367 Shishi_key * key,
1368 int keyusage,
1369 const char *iv, size_t ivlen,
1370 char **ivout, size_t * ivoutlen,
1371 const char *in, size_t inlen,
1372 char **out, size_t * outlen)
1373 {
1374 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1375 shishi_key_type (key),
1376 iv, ivlen, ivout, ivoutlen,
1377 in, inlen, out, outlen);
1378 }
1379
1380 /**
1381 * shishi_encrypt_iv:
1382 * @handle: shishi handle as allocated by shishi_init().
1383 * @key: key to encrypt with.
1384 * @keyusage: integer specifying what this key is encrypting.
1385 * @iv: input array with initialization vector
1386 * @ivlen: size of input array with initialization vector.
1387 * @in: input array with data to encrypt.
1388 * @inlen: size of input array with data to encrypt.
1389 * @out: output array with newly allocated encrypted data.
1390 * @outlen: output variable with size of newly allocated output array.
1391 *
1392 * Encrypts data using specified initialization vector and key. The
1393 * key actually used is derived using the key usage. If key usage is
1394 * 0, no key derivation is used. The OUT buffer must be deallocated
1395 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1396 * you need it.
1397 *
1398 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1399 * exactly. Some encryption types add pad to make the data fit into
1400 * the block size of the encryption algorithm. Furthermore, the pad
1401 * is not guaranteed to look in any special way, although existing
1402 * implementations often pad with the zero byte. This means that you
1403 * may have to "frame" data, so it is possible to infer the original
1404 * length after decryption. Compare ASN.1 DER which contains such
1405 * information.
1406 *
1407 * Return value: Returns %SHISHI_OK iff successful.
1408 **/
1409 int
shishi_encrypt_iv(Shishi * handle,Shishi_key * key,int keyusage,const char * iv,size_t ivlen,const char * in,size_t inlen,char ** out,size_t * outlen)1410 shishi_encrypt_iv (Shishi * handle,
1411 Shishi_key * key,
1412 int keyusage,
1413 const char *iv, size_t ivlen,
1414 const char *in, size_t inlen, char **out, size_t * outlen)
1415 {
1416 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1417 shishi_key_type (key),
1418 iv, ivlen, NULL, NULL,
1419 in, inlen, out, outlen);
1420 }
1421
1422 /**
1423 * shishi_encrypt:
1424 * @handle: shishi handle as allocated by shishi_init().
1425 * @key: key to encrypt with.
1426 * @keyusage: integer specifying what this key is encrypting.
1427 * @in: input array with data to encrypt.
1428 * @inlen: size of input array with data to encrypt.
1429 * @out: output array with newly allocated encrypted data.
1430 * @outlen: output variable with size of newly allocated output array.
1431 *
1432 * Encrypts data using specified key. The key actually used is
1433 * derived using the key usage. If key usage is 0, no key derivation
1434 * is used. The OUT buffer must be deallocated by the caller. The
1435 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1436 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1437 *
1438 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1439 * exactly. Some encryption types add pad to make the data fit into
1440 * the block size of the encryption algorithm. Furthermore, the pad
1441 * is not guaranteed to look in any special way, although existing
1442 * implementations often pad with the zero byte. This means that you
1443 * may have to "frame" data, so it is possible to infer the original
1444 * length after decryption. Compare ASN.1 DER which contains such
1445 * information.
1446 *
1447 * Return value: Returns %SHISHI_OK iff successful.
1448 **/
1449 int
shishi_encrypt(Shishi * handle,Shishi_key * key,int keyusage,char * in,size_t inlen,char ** out,size_t * outlen)1450 shishi_encrypt (Shishi * handle,
1451 Shishi_key * key,
1452 int keyusage,
1453 char *in, size_t inlen, char **out, size_t * outlen)
1454 {
1455 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1456 shishi_key_type (key),
1457 NULL, 0, NULL, NULL,
1458 in, inlen, out, outlen);
1459 }
1460
1461 /**
1462 * shishi_decrypt_ivupdate_etype:
1463 * @handle: shishi handle as allocated by shishi_init().
1464 * @key: key to decrypt with.
1465 * @keyusage: integer specifying what this key is decrypting.
1466 * @etype: integer specifying what cipher to use.
1467 * @iv: input array with initialization vector
1468 * @ivlen: size of input array with initialization vector.
1469 * @ivout: output array with newly allocated updated initialization vector.
1470 * @ivoutlen: size of output array with updated initialization vector.
1471 * @in: input array with data to decrypt.
1472 * @inlen: size of input array with data to decrypt.
1473 * @out: output array with newly allocated decrypted data.
1474 * @outlen: output variable with size of newly allocated output array.
1475 *
1476 * Decrypts data as per encryption method using specified
1477 * initialization vector and key. The key actually used is derived
1478 * using the key usage. If key usage is 0, no key derivation is used.
1479 * The OUT buffer must be deallocated by the caller. If IVOUT or
1480 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1481 *
1482 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1483 * exactly. Some encryption types add pad to make the data fit into
1484 * the block size of the encryption algorithm. Furthermore, the pad
1485 * is not guaranteed to look in any special way, although existing
1486 * implementations often pad with the zero byte. This means that you
1487 * may have to "frame" data, so it is possible to infer the original
1488 * length after decryption. Compare ASN.1 DER which contains such
1489 * information.
1490 *
1491 * Return value: Returns %SHISHI_OK iff successful.
1492 **/
1493 int
shishi_decrypt_ivupdate_etype(Shishi * handle,Shishi_key * key,int keyusage,int32_t etype,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen)1494 shishi_decrypt_ivupdate_etype (Shishi * handle,
1495 Shishi_key * key,
1496 int keyusage,
1497 int32_t etype,
1498 const char *iv, size_t ivlen,
1499 char **ivout, size_t * ivoutlen,
1500 const char *in, size_t inlen,
1501 char **out, size_t * outlen)
1502 {
1503 Shishi_decrypt_function decrypt;
1504 int res;
1505
1506 if (VERBOSECRYPTO (handle))
1507 {
1508 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1509 shishi_key_name (key), keyusage);
1510 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1511 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1512 printf ("\t ;; in (%d):\n", inlen);
1513 _shishi_escapeprint (in, inlen);
1514 _shishi_hexprint (in, inlen);
1515 if (iv)
1516 {
1517 printf ("\t ;; iv (%d):\n", ivlen);
1518 _shishi_escapeprint (iv, ivlen);
1519 _shishi_hexprint (iv, ivlen);
1520 }
1521 }
1522
1523 decrypt = _shishi_cipher_decrypt (etype);
1524 if (decrypt == NULL)
1525 {
1526 shishi_error_printf (handle, "Unsupported keytype %d",
1527 shishi_key_type (key));
1528 return SHISHI_CRYPTO_ERROR;
1529 }
1530
1531 res = (*decrypt) (handle, key, keyusage,
1532 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1533
1534 if (VERBOSECRYPTO (handle))
1535 {
1536 if (res == SHISHI_OK)
1537 {
1538 printf ("\t ;; decrypt out:\n");
1539 _shishi_escapeprint (*out, *outlen);
1540 _shishi_hexprint (*out, *outlen);
1541 }
1542 else
1543 {
1544 printf ("\t ;; decrypt out failed %d\n", res);
1545 }
1546 }
1547
1548 return res;
1549 }
1550
1551 /**
1552 * shishi_decrypt_iv_etype:
1553 * @handle: shishi handle as allocated by shishi_init().
1554 * @key: key to decrypt with.
1555 * @keyusage: integer specifying what this key is decrypting.
1556 * @etype: integer specifying what cipher to use.
1557 * @iv: input array with initialization vector
1558 * @ivlen: size of input array with initialization vector.
1559 * @in: input array with data to decrypt.
1560 * @inlen: size of input array with data to decrypt.
1561 * @out: output array with newly allocated decrypted data.
1562 * @outlen: output variable with size of newly allocated output array.
1563 *
1564 * Decrypts data as per encryption method using specified
1565 * initialization vector and key. The key actually used is derived
1566 * using the key usage. If key usage is 0, no key derivation is used.
1567 * The OUT buffer must be deallocated by the caller. The next IV is
1568 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1569 *
1570 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1571 * exactly. Some encryption types add pad to make the data fit into
1572 * the block size of the encryption algorithm. Furthermore, the pad
1573 * is not guaranteed to look in any special way, although existing
1574 * implementations often pad with the zero byte. This means that you
1575 * may have to "frame" data, so it is possible to infer the original
1576 * length after decryption. Compare ASN.1 DER which contains such
1577 * information.
1578 *
1579 * Return value: Returns %SHISHI_OK iff successful.
1580 **/
1581 int
shishi_decrypt_iv_etype(Shishi * handle,Shishi_key * key,int keyusage,int32_t etype,const char * iv,size_t ivlen,const char * in,size_t inlen,char ** out,size_t * outlen)1582 shishi_decrypt_iv_etype (Shishi * handle,
1583 Shishi_key * key,
1584 int keyusage,
1585 int32_t etype,
1586 const char *iv, size_t ivlen,
1587 const char *in, size_t inlen,
1588 char **out, size_t * outlen)
1589 {
1590 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1591 iv, ivlen, NULL, NULL,
1592 in, inlen, out, outlen);
1593 }
1594
1595 /**
1596 * shishi_decrypt_etype:
1597 * @handle: shishi handle as allocated by shishi_init().
1598 * @key: key to decrypt with.
1599 * @keyusage: integer specifying what this key is decrypting.
1600 * @etype: integer specifying what cipher to use.
1601 * @in: input array with data to decrypt.
1602 * @inlen: size of input array with data to decrypt.
1603 * @out: output array with newly allocated decrypted data.
1604 * @outlen: output variable with size of newly allocated output array.
1605 *
1606 * Decrypts data as per encryption method using specified key. The
1607 * key actually used is derived using the key usage. If key usage is
1608 * 0, no key derivation is used. The OUT buffer must be deallocated
1609 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1610 * if you need to alter it. The next IV is lost, see
1611 * shishi_decrypt_ivupdate_etype if you need it.
1612 *
1613 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1614 * exactly. Some encryption types add pad to make the data fit into
1615 * the block size of the encryption algorithm. Furthermore, the pad
1616 * is not guaranteed to look in any special way, although existing
1617 * implementations often pad with the zero byte. This means that you
1618 * may have to "frame" data, so it is possible to infer the original
1619 * length after decryption. Compare ASN.1 DER which contains such
1620 * information.
1621 *
1622 * Return value: Returns %SHISHI_OK iff successful.
1623 **/
1624 int
shishi_decrypt_etype(Shishi * handle,Shishi_key * key,int keyusage,int32_t etype,const char * in,size_t inlen,char ** out,size_t * outlen)1625 shishi_decrypt_etype (Shishi * handle,
1626 Shishi_key * key,
1627 int keyusage,
1628 int32_t etype,
1629 const char *in, size_t inlen,
1630 char **out, size_t * outlen)
1631 {
1632 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1633 NULL, 0, NULL, NULL,
1634 in, inlen, out, outlen);
1635 }
1636
1637 /**
1638 * shishi_decrypt_ivupdate:
1639 * @handle: shishi handle as allocated by shishi_init().
1640 * @key: key to decrypt with.
1641 * @keyusage: integer specifying what this key is decrypting.
1642 * @iv: input array with initialization vector
1643 * @ivlen: size of input array with initialization vector.
1644 * @ivout: output array with newly allocated updated initialization vector.
1645 * @ivoutlen: size of output array with updated initialization vector.
1646 * @in: input array with data to decrypt.
1647 * @inlen: size of input array with data to decrypt.
1648 * @out: output array with newly allocated decrypted data.
1649 * @outlen: output variable with size of newly allocated output array.
1650 *
1651 * Decrypts data using specified initialization vector and key. The
1652 * key actually used is derived using the key usage. If key usage is
1653 * 0, no key derivation is used. The OUT buffer must be deallocated
1654 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1655 * saved anywhere.
1656 *
1657 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1658 * exactly. Some encryption types add pad to make the data fit into
1659 * the block size of the encryption algorithm. Furthermore, the pad
1660 * is not guaranteed to look in any special way, although existing
1661 * implementations often pad with the zero byte. This means that you
1662 * may have to "frame" data, so it is possible to infer the original
1663 * length after decryption. Compare ASN.1 DER which contains such
1664 * information.
1665 *
1666 * Return value: Returns %SHISHI_OK iff successful.
1667 **/
1668 int
shishi_decrypt_ivupdate(Shishi * handle,Shishi_key * key,int keyusage,const char * iv,size_t ivlen,char ** ivout,size_t * ivoutlen,const char * in,size_t inlen,char ** out,size_t * outlen)1669 shishi_decrypt_ivupdate (Shishi * handle,
1670 Shishi_key * key,
1671 int keyusage,
1672 const char *iv, size_t ivlen,
1673 char **ivout, size_t * ivoutlen,
1674 const char *in, size_t inlen,
1675 char **out, size_t * outlen)
1676 {
1677 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1678 shishi_key_type (key),
1679 iv, ivlen, ivout, ivoutlen,
1680 in, inlen, out, outlen);
1681 }
1682
1683 /**
1684 * shishi_decrypt_iv:
1685 * @handle: shishi handle as allocated by shishi_init().
1686 * @key: key to decrypt with.
1687 * @keyusage: integer specifying what this key is decrypting.
1688 * @iv: input array with initialization vector
1689 * @ivlen: size of input array with initialization vector.
1690 * @in: input array with data to decrypt.
1691 * @inlen: size of input array with data to decrypt.
1692 * @out: output array with newly allocated decrypted data.
1693 * @outlen: output variable with size of newly allocated output array.
1694 *
1695 * Decrypts data using specified initialization vector and key. The
1696 * key actually used is derived using the key usage. If key usage is
1697 * 0, no key derivation is used. The OUT buffer must be deallocated
1698 * by the caller. The next IV is lost, see
1699 * shishi_decrypt_ivupdate_etype if you need it.
1700 *
1701 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1702 * exactly. Some encryption types add pad to make the data fit into
1703 * the block size of the encryption algorithm. Furthermore, the pad
1704 * is not guaranteed to look in any special way, although existing
1705 * implementations often pad with the zero byte. This means that you
1706 * may have to "frame" data, so it is possible to infer the original
1707 * length after decryption. Compare ASN.1 DER which contains such
1708 * information.
1709 *
1710 * Return value: Returns %SHISHI_OK iff successful.
1711 **/
1712 int
shishi_decrypt_iv(Shishi * handle,Shishi_key * key,int keyusage,const char * iv,size_t ivlen,const char * in,size_t inlen,char ** out,size_t * outlen)1713 shishi_decrypt_iv (Shishi * handle,
1714 Shishi_key * key,
1715 int keyusage,
1716 const char *iv, size_t ivlen,
1717 const char *in, size_t inlen, char **out, size_t * outlen)
1718 {
1719 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1720 shishi_key_type (key),
1721 iv, ivlen, NULL, NULL,
1722 in, inlen, out, outlen);
1723 }
1724
1725 /**
1726 * shishi_decrypt:
1727 * @handle: shishi handle as allocated by shishi_init().
1728 * @key: key to decrypt with.
1729 * @keyusage: integer specifying what this key is decrypting.
1730 * @in: input array with data to decrypt.
1731 * @inlen: size of input array with data to decrypt.
1732 * @out: output array with newly allocated decrypted data.
1733 * @outlen: output variable with size of newly allocated output array.
1734 *
1735 * Decrypts data specified key. The key actually used is derived
1736 * using the key usage. If key usage is 0, no key derivation is used.
1737 * The OUT buffer must be deallocated by the caller. The default IV
1738 * is used, see shishi_decrypt_iv if you need to alter it. The next
1739 * IV is lost, see shishi_decrypt_ivupdate if you need it.
1740 *
1741 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1742 * exactly. Some encryption types add pad to make the data fit into
1743 * the block size of the encryption algorithm. Furthermore, the pad
1744 * is not guaranteed to look in any special way, although existing
1745 * implementations often pad with the zero byte. This means that you
1746 * may have to "frame" data, so it is possible to infer the original
1747 * length after decryption. Compare ASN.1 DER which contains such
1748 * information.
1749 *
1750 * Return value: Returns %SHISHI_OK iff successful.
1751 **/
1752 int
shishi_decrypt(Shishi * handle,Shishi_key * key,int keyusage,const char * in,size_t inlen,char ** out,size_t * outlen)1753 shishi_decrypt (Shishi * handle,
1754 Shishi_key * key,
1755 int keyusage,
1756 const char *in, size_t inlen, char **out, size_t * outlen)
1757 {
1758 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1759 shishi_key_type (key),
1760 NULL, 0, NULL, NULL,
1761 in, inlen, out, outlen);
1762 }
1763
1764 /**
1765 * shishi_n_fold:
1766 * @handle: shishi handle as allocated by shishi_init().
1767 * @in: input array with data to decrypt.
1768 * @inlen: size of input array with data to decrypt ("M").
1769 * @out: output array with decrypted data.
1770 * @outlen: size of output array ("N").
1771 *
1772 * Fold data into a fixed length output array, with the intent to give
1773 * each input bit approximately equal weight in determining the value
1774 * of each output bit.
1775 *
1776 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
1777 * by Uri Blumenthal and Steven M. Bellovin,
1778 * http://www.research.att.com/~smb/papers/ides.pdf, although the
1779 * sample vectors provided by the paper are incorrect.
1780 *
1781 * Return value: Returns %SHISHI_OK iff successful.
1782 **/
1783 int
shishi_n_fold(Shishi * handle,const char * in,size_t inlen,char * out,size_t outlen)1784 shishi_n_fold (Shishi * handle,
1785 const char *in, size_t inlen, char *out, size_t outlen)
1786 {
1787 int m = inlen;
1788 int n = outlen;
1789 char *buf = NULL;
1790 char *a = NULL;
1791 int lcmmn = 0;
1792 int i = 0;
1793
1794 /*
1795 To n-fold a number X, replicate the input value to a length that is
1796 the least common multiple of n and the length of X. Before each
1797 repetition, the input is rotated to the right by 13 bit
1798 positions. The successive n-bit chunks are added together using
1799 1's-complement addition (that is, addition with end-around carry)
1800 to yield a n-bit result denoted <X>_n.
1801 */
1802
1803 a = xmemdup (in, m);
1804
1805 lcmmn = lcm (m, n);
1806
1807 if (VERBOSECRYPTONOISE (handle))
1808 {
1809 printf ("%d-fold (string)\n", n * 8);
1810 printf ("\t ;; string length %d bytes %d bits\n", m, m * 8);
1811 _shishi_escapeprint (a, m);
1812 _shishi_hexprint (a, m);
1813 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
1814 8 * m, 8 * n, m, n, lcmmn);
1815 }
1816
1817 buf = xmalloc (lcmmn);
1818
1819 /* Replicate the input th the LCMMN length */
1820 for (i = 0; i < (lcmmn / m); i++)
1821 {
1822 if (VERBOSECRYPTONOISE (handle))
1823 {
1824 printf ("\t ;; %d-th replication\n", i + 1);
1825 printf ("string = rot13(string)\n");
1826 }
1827
1828 memcpy ((char *) &buf[i * m], a, m);
1829 rot13 (handle, a, a, m);
1830 }
1831
1832 memset (out, 0, n); /* just in case */
1833
1834 if (VERBOSECRYPTONOISE (handle))
1835 {
1836 printf ("\t ;; replicated string (length %d):\n", lcmmn);
1837 _shishi_hexprint (buf, lcmmn);
1838 _shishi_binprint (buf, lcmmn);
1839 printf ("sum = 0\n");
1840 }
1841
1842 /* Now we view the buf as set of n-byte strings
1843 Add the n-byte long chunks together, using
1844 one's complement addition, storing the
1845 result in the output string. */
1846
1847 for (i = 0; i < (lcmmn / n); i++)
1848 {
1849 if (VERBOSECRYPTONOISE (handle))
1850 {
1851 printf ("\t ;; %d-th one's complement addition sum\n", i + 1);
1852 printf ("\t ;; sum:\n");
1853 _shishi_hexprint (out, n);
1854 _shishi_binprint (out, n);
1855 printf ("\t ;; A (offset %d):\n", i * n);
1856 _shishi_hexprint (&buf[i * n], n);
1857 _shishi_binprint (&buf[i * n], n);
1858 printf ("sum = ocadd(sum, A);\n");
1859 }
1860
1861 ocadd (out, (char *) &buf[i * n], out, n);
1862
1863 if (VERBOSECRYPTONOISE (handle))
1864 {
1865 printf ("\t ;; sum:\n");
1866 _shishi_hexprint (out, n);
1867 _shishi_binprint (out, n);
1868 }
1869 }
1870
1871 if (VERBOSECRYPTONOISE (handle))
1872 {
1873 printf ("\t ;; nfold\n");
1874 _shishi_hexprint (out, n);
1875 _shishi_binprint (out, n);
1876 }
1877
1878 free (buf);
1879 free (a);
1880
1881 return SHISHI_OK;
1882 }
1883
1884 #define MAX_DR_PRFCONSTANT 1024
1885
1886 /**
1887 * shishi_dr:
1888 * @handle: shishi handle as allocated by shishi_init().
1889 * @key: input array with cryptographic key to use.
1890 * @prfconstant: input array with the constant string.
1891 * @prfconstantlen: size of input array with the constant string.
1892 * @derivedrandom: output array with derived random data.
1893 * @derivedrandomlen: size of output array with derived random data.
1894 *
1895 * Derive "random" data from a key and a constant thusly:
1896 * DR(KEY, PRFCONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
1897 * SHISHI_ENCRYPT(KEY, PRFCONSTANT)).
1898 *
1899 * Return value: Returns %SHISHI_OK iff successful.
1900 **/
1901 int
shishi_dr(Shishi * handle,Shishi_key * key,const char * prfconstant,size_t prfconstantlen,char * derivedrandom,size_t derivedrandomlen)1902 shishi_dr (Shishi * handle,
1903 Shishi_key * key,
1904 const char *prfconstant, size_t prfconstantlen,
1905 char *derivedrandom, size_t derivedrandomlen)
1906 {
1907 char *cipher;
1908 char plaintext[MAX_DR_PRFCONSTANT];
1909 char nfoldprfconstant[MAX_DR_PRFCONSTANT];
1910 size_t blocksize = shishi_cipher_blocksize (shishi_key_type (key));
1911 size_t totlen, cipherlen;
1912 int res;
1913
1914 if (VERBOSECRYPTO (handle))
1915 {
1916 printf ("dr (%s, key, prfconstant, %d)\n",
1917 shishi_cipher_name (shishi_key_type (key)), derivedrandomlen);
1918 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
1919 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1920 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
1921 printf ("\t ;; prfconstant %s':\n", prfconstant);
1922 _shishi_escapeprint (prfconstant, prfconstantlen);
1923 _shishi_hexprint (prfconstant, prfconstantlen);
1924 _shishi_binprint (prfconstant, prfconstantlen);
1925 }
1926
1927 if (prfconstantlen > MAX_DR_PRFCONSTANT)
1928 return SHISHI_TOO_SMALL_BUFFER;
1929
1930 if (prfconstantlen == blocksize)
1931 memcpy (nfoldprfconstant, prfconstant, prfconstantlen);
1932 else
1933 {
1934 res = shishi_n_fold (handle, prfconstant, prfconstantlen,
1935 nfoldprfconstant, blocksize);
1936 if (res != SHISHI_OK)
1937 return res;
1938 }
1939
1940 if (VERBOSECRYPTO (handle))
1941 {
1942 printf ("\t ;; possibly nfolded prfconstant (length %d):\n", blocksize);
1943 _shishi_escapeprint (nfoldprfconstant, blocksize);
1944 _shishi_hexprint (nfoldprfconstant, blocksize);
1945 _shishi_binprint (nfoldprfconstant, blocksize);
1946 }
1947
1948 memcpy (plaintext, nfoldprfconstant, blocksize);
1949
1950 totlen = 0;
1951 do
1952 {
1953 res = shishi_encrypt (handle, key, 0, plaintext, blocksize,
1954 &cipher, &cipherlen);
1955 if (res != SHISHI_OK)
1956 return res;
1957 if (cipherlen != blocksize)
1958 return SHISHI_CRYPTO_ERROR;
1959 memcpy (derivedrandom + totlen, cipher, cipherlen);
1960 memcpy (plaintext, cipher, cipherlen);
1961 free (cipher);
1962 totlen += cipherlen;
1963 }
1964 while (totlen < derivedrandomlen);
1965
1966 if (VERBOSECRYPTO (handle))
1967 {
1968 printf ("\t ;; derived random (length %d):\n", derivedrandomlen);
1969 _shishi_hexprint (derivedrandom, derivedrandomlen);
1970 _shishi_binprint (derivedrandom, derivedrandomlen);
1971 }
1972
1973 return SHISHI_OK;
1974 }
1975
1976 /**
1977 * shishi_dk:
1978 * @handle: shishi handle as allocated by shishi_init().
1979 * @key: input cryptographic key to use.
1980 * @prfconstant: input array with the constant string.
1981 * @prfconstantlen: size of input array with the constant string.
1982 * @derivedkey: pointer to derived key (allocated by caller).
1983 *
1984 * Derive a key from a key and a constant thusly:
1985 * DK(KEY, PRFCONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, PRFCONSTANT)).
1986 *
1987 * Return value: Returns %SHISHI_OK iff successful.
1988 **/
1989 int
shishi_dk(Shishi * handle,Shishi_key * key,const char * prfconstant,size_t prfconstantlen,Shishi_key * derivedkey)1990 shishi_dk (Shishi * handle,
1991 Shishi_key * key,
1992 const char *prfconstant, size_t prfconstantlen,
1993 Shishi_key * derivedkey)
1994 {
1995 char rnd[MAX_RANDOM_LEN];
1996 int res;
1997
1998 if (VERBOSECRYPTO (handle))
1999 {
2000 printf ("dk (%s, key, prfconstant)\n", shishi_key_name (key));
2001 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2002 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
2003 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
2004 printf ("\t ;; prfconstant:\n");
2005 _shishi_escapeprint (prfconstant, prfconstantlen);
2006 _shishi_hexprint (prfconstant, prfconstantlen);
2007 _shishi_binprint (prfconstant, prfconstantlen);
2008 }
2009
2010 shishi_key_type_set (derivedkey, shishi_key_type (key));
2011
2012 res = shishi_dr (handle, key, prfconstant, prfconstantlen, rnd,
2013 shishi_key_length (derivedkey));
2014 if (res != SHISHI_OK)
2015 return res;
2016
2017 res = shishi_random_to_key (handle, shishi_key_type (derivedkey),
2018 rnd, shishi_key_length (derivedkey),
2019 derivedkey);
2020 if (res != SHISHI_OK)
2021 return res;
2022
2023 return SHISHI_OK;
2024 }
2025