xref: /openbsd/sbin/isakmpd/crypto.c (revision 2f1aa25b)
1 /* $OpenBSD: crypto.c,v 1.35 2018/01/15 09:54:48 mpi Exp $	 */
2 /* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $	 */
3 
4 /*
5  * Copyright (c) 1998 Niels Provos.  All rights reserved.
6  * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /*
30  * This code was written under funding by Ericsson Radio Systems.
31  */
32 
33 #include <sys/types.h>
34 #include <stdlib.h>
35 #include <string.h>
36 
37 #include "crypto.h"
38 #include "log.h"
39 
/*
 * Per-cipher back ends referenced from the transforms[] table below.
 * Each init routine receives the raw key and its length; each
 * encrypt/decrypt routine works on the caller's buffer in place.
 */
enum cryptoerr des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
void des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
52 
/*
 * Ciphers this module can set up.  crypto_get() scans the table by id and
 * crypto_init() enforces the key-length bounds.
 *
 * Initializers are positional; the field order comes from struct crypto_xf
 * in crypto.h (not shown here).  Judging by the accesses in this file the
 * entries read: id, name, keymin, keymax (bytes), blocksize, one field
 * left zero, then the init / encrypt / decrypt callbacks.
 *
 * NOTE(review): Triple-DES, Blowfish and CAST share BLOCKSIZE, and the
 * Blowfish code in this file chains 8-byte blocks, so these appear to be
 * 64-bit-block ciphers; large volumes under one key are better served by
 * the AES entry.  Blowfish and CAST also accept keys as short as 12 bytes.
 */
struct crypto_xf transforms[] = {
	/* Triple-DES: fixed 24-byte key. */
	{
		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)",
		24, 24,
		BLOCKSIZE, 0,
		des3_init, des3_encrypt, des3_decrypt
	},
	/* Blowfish: 12 to 56 key bytes. */
	{
		BLOWFISH_CBC, "Blowfish (CBC-Mode)",
		12, 56,
		BLOCKSIZE, 0,
		blf_init, blf_encrypt, blf_decrypt
	},
	/* CAST: 12 to 16 key bytes. */
	{
		CAST_CBC, "CAST (CBC-Mode)",
		12, 16,
		BLOCKSIZE, 0,
		cast_init, cast1_encrypt, cast1_decrypt
	},
	/* AES: 16 to 32 key bytes, with its own block size. */
	{
		AES_CBC, "AES (CBC-Mode)",
		16, 32,
		AES_BLOCK_SIZE, 0,
		aes_init, aes_encrypt, aes_decrypt
	},
};
79 
/*
 * Build the three DES key schedules for Triple-DES.
 *
 * KEY is read at offsets 0, 8 and 16, so it must hold 24 bytes, and it is
 * modified in place: each 8-byte third is given odd parity before it is
 * scheduled.  LEN is not consulted here; the 24-byte requirement is
 * carried by the keymin/keymax values of the transforms[] entry, which
 * crypto_init() checks before invoking xf->init.
 *
 * Always returns EOKAY.
 */
enum cryptoerr
des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	int	part;

	for (part = 0; part < 3; part++)
		DES_set_odd_parity((void *)(key + 8 * part));

	/*
	 * As of the draft, Triple-DES does not check for weak keys, so the
	 * DES_set_key() results are not inspected.
	 */
	for (part = 0; part < 3; part++)
		DES_set_key((void *)(key + 8 * part), &ks->ks_des[part]);

	return EOKAY;
}
94 
/*
 * Triple-DES CBC encryption of LEN bytes of DATA, in place.
 *
 * The chaining value starts from ks->riv but is handed to the library as a
 * stack copy, so ks->riv itself is not written here.
 *
 * NOTE(review): the copy is sized by the transform's blocksize; this
 * assumes blocksize <= MAXBLK (MAXBLK is defined outside this file).
 */
void
des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	scratch_iv[MAXBLK];
	size_t		ivlen = ks->xf->blocksize;

	memcpy(scratch_iv, ks->riv, ivlen);
	DES_ede3_cbc_encrypt((void *)data, (void *)data, len,
	    &ks->ks_des[0], &ks->ks_des[1], &ks->ks_des[2],
	    (void *)scratch_iv, DES_ENCRYPT);
}
104 
/*
 * Triple-DES CBC decryption of LEN bytes of DATA, in place.
 *
 * As in the encrypt direction, the library works on a stack copy of
 * ks->riv, leaving the stored IV untouched.
 *
 * NOTE(review): the copy is sized by the transform's blocksize; this
 * assumes blocksize <= MAXBLK (MAXBLK is defined outside this file).
 */
void
des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	scratch_iv[MAXBLK];
	size_t		ivlen = ks->xf->blocksize;

	memcpy(scratch_iv, ks->riv, ivlen);
	DES_ede3_cbc_encrypt((void *)data, (void *)data, len,
	    &ks->ks_des[0], &ks->ks_des[1], &ks->ks_des[2],
	    (void *)scratch_iv, DES_DECRYPT);
}
114 
/*
 * Set up the Blowfish key schedule in KS from LEN bytes of KEY.
 *
 * blf_key() reports nothing back, so this always returns EOKAY; the only
 * length validation is the keymin/keymax check crypto_init() performs
 * before invoking xf->init.
 */
enum cryptoerr
blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	blf_key(&ks->ks_blf, key, len);
	return EOKAY;
}
122 
/*
 * Blowfish CBC encryption of LEN bytes of DATA, in place, one block per
 * pass.
 *
 * The chaining value lives in ks->liv: it is seeded from ks->riv and then
 * refreshed from each block once that block has been enciphered.
 *
 * NOTE(review): the progress counter is 16 bits wide and advances by a
 * whole block, and every pass touches a full block.  LEN is therefore
 * assumed to be a multiple of the block size; with any other value the
 * last pass runs beyond DATA + LEN.  Confirm that callers enforce this.
 */
void
blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	const u_int16_t	step = ks->xf->blocksize;
	u_int8_t	*chain = ks->liv;
	u_int8_t	*blk = data;
	u_int16_t	done = 0;
	u_int32_t	left, right;

	memcpy(chain, ks->riv, step);

	while (done < len) {
		/* CBC: mix in the previous ciphertext block (or the IV). */
		XOR64(blk, chain);

		left = GET_32BIT_BIG(blk);
		right = GET_32BIT_BIG(blk + 4);
		Blowfish_encipher(&ks->ks_blf, &left, &right);
		SET_32BIT_BIG(blk, left);
		SET_32BIT_BIG(blk + 4, right);

		/* This block becomes the chaining value for the next one. */
		SET64(chain, blk);

		blk += step;
		done += step;
	}
}
142 
/*
 * Blowfish CBC decryption of LEN bytes of DATA, in place.
 *
 * Blocks are handled from the last one back to the first, so the
 * ciphertext block that precedes the current one is still intact when it
 * is needed as the chaining value.  The first block is chained with
 * ks->riv.
 *
 * NOTE(review): the starting position is DATA + LEN - blocksize.  LEN is
 * assumed to be a non-zero multiple of the block size; a shorter LEN puts
 * that position before DATA.  Confirm that callers enforce this.
 */
void
blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	const u_int16_t	step = ks->xf->blocksize;
	u_int8_t	*blk = data + (len - step);
	u_int16_t	off = len - step;
	u_int32_t	left, right;

	/* Every block except the first: chain with the block before it. */
	while (off >= step) {
		left = GET_32BIT_BIG(blk);
		right = GET_32BIT_BIG(blk + 4);
		Blowfish_decipher(&ks->ks_blf, &left, &right);
		SET_32BIT_BIG(blk, left);
		SET_32BIT_BIG(blk + 4, right);
		XOR64(blk, blk - step);

		blk -= step;
		off -= step;
	}

	/* First block: chain with the stored IV. */
	left = GET_32BIT_BIG(blk);
	right = GET_32BIT_BIG(blk + 4);
	Blowfish_decipher(&ks->ks_blf, &left, &right);
	SET_32BIT_BIG(blk, left);
	SET_32BIT_BIG(blk + 4, right);
	XOR64(blk, ks->riv);
}
167 
/*
 * Set up the CAST key schedule in KS from LEN bytes of KEY.
 *
 * Nothing is checked here, so this always returns EOKAY; the only length
 * validation is the keymin/keymax check crypto_init() performs before
 * invoking xf->init.
 */
enum cryptoerr
cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	CAST_set_key(&ks->ks_cast, len, key);

	return EOKAY;
}
174 
/*
 * CAST CBC encryption of LEN bytes of DATA, in place.
 *
 * ks->liv is seeded from ks->riv and passed to the library as the IV
 * buffer.  The final argument 1 selects the encrypt direction.
 *
 * NOTE(review): unlike the Triple-DES and AES paths, no stack copy is
 * used, so the library presumably advances ks->liv itself - confirm
 * against the CAST_cbc_encrypt() contract.
 */
void
cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	*chain = ks->liv;

	memcpy(chain, ks->riv, ks->xf->blocksize);
	CAST_cbc_encrypt(data, data, len, &ks->ks_cast, chain, 1);
}
181 
/*
 * CAST CBC decryption of LEN bytes of DATA, in place.  The final argument
 * 0 selects the decrypt direction.
 *
 * NOTE(review): ks->riv is handed to the library directly rather than as
 * a copy, so the stored IV is presumably rewritten by the call - confirm
 * against the CAST_cbc_encrypt() contract and against how callers rotate
 * riv/liv afterwards.
 */
void
cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	*chain = ks->riv;

	CAST_cbc_encrypt(data, data, len, &ks->ks_cast, chain, 0);
}
187 
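/*
 * Expand KEY (LEN bytes) into the AES encryption and decryption key
 * schedules held in KS (ks_aes[0] and ks_aes[1] respectively).
 *
 * The transforms[] entry admits any length from 16 to 32 bytes, but AES
 * only defines 128-, 192- and 256-bit keys.  AES_set_encrypt_key() and
 * AES_set_decrypt_key() signal an unsupported size with a non-zero return
 * value; that is passed on as EKEYLEN so that crypto_init() discards the
 * keystate rather than returning one whose schedules the library did not
 * set up.
 *
 * Returns EOKAY on success, EKEYLEN when the library rejects the key.
 */
enum cryptoerr
aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	/* The library takes the key size in bits. */
	const int	bits = len << 3;

	if (AES_set_encrypt_key(key, bits, &ks->ks_aes[0]) != 0)
		return EKEYLEN;
	if (AES_set_decrypt_key(key, bits, &ks->ks_aes[1]) != 0)
		return EKEYLEN;

	return EOKAY;
}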
195 
/*
 * AES CBC encryption of LEN bytes of DATA, in place, with the encryption
 * schedule ks_aes[0].
 *
 * The library works on a stack copy of ks->riv, so the stored IV is not
 * written here.
 *
 * NOTE(review): the copy is sized by the transform's blocksize; this
 * assumes blocksize <= MAXBLK (MAXBLK is defined outside this file).
 */
void
aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	scratch_iv[MAXBLK];
	size_t		ivlen = ks->xf->blocksize;

	memcpy(scratch_iv, ks->riv, ivlen);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], scratch_iv,
	    AES_ENCRYPT);
}
204 
/*
 * AES CBC decryption of LEN bytes of DATA, in place, with the decryption
 * schedule ks_aes[1].
 *
 * The library works on a stack copy of ks->riv, so the stored IV is not
 * written here.
 *
 * NOTE(review): the copy is sized by the transform's blocksize; this
 * assumes blocksize <= MAXBLK (MAXBLK is defined outside this file).
 */
void
aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	scratch_iv[MAXBLK];
	size_t		ivlen = ks->xf->blocksize;

	memcpy(scratch_iv, ks->riv, ivlen);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], scratch_iv,
	    AES_DECRYPT);
}
213 
/*
 * Look up the transform descriptor whose id equals ID.
 *
 * Returns a pointer into the static transforms[] table, or a null pointer
 * when no entry matches.
 */
struct crypto_xf *
crypto_get(enum transform id)
{
	struct crypto_xf	*xf = transforms;
	struct crypto_xf *const	end =
	    transforms + sizeof transforms / sizeof transforms[0];

	for (; xf != end; xf++)
		if (xf->id == id)
			return xf;

	return NULL;
}
225 
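/*
 * Allocate a keystate for transform XF and key it with LEN bytes of KEY.
 *
 * LEN must lie within [xf->keymin, xf->keymax]; otherwise *ERR is set to
 * EKEYLEN.  An allocation failure sets *ERR to ENOCRYPTO.  Any other
 * failure is whatever the transform's init callback returned.
 *
 * Returns the new keystate, which the caller owns, or a null pointer with
 * *ERR describing the failure.  On success *ERR is EOKAY.
 */
struct keystate *
crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
    enum cryptoerr *err)
{
	struct keystate *ks;

	if (len < xf->keymin || len > xf->keymax) {
		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
		    len));
		*err = EKEYLEN;
		return 0;
	}
	ks = calloc(1, sizeof *ks);
	if (!ks) {
		log_error("crypto_init: calloc (1, %lu) failed",
		    (unsigned long)sizeof *ks);
		*err = ENOCRYPTO;
		return 0;
	}
	ks->xf = xf;

	/* Setup the IV: riv and liv start out on the two embedded buffers. */
	ks->riv = ks->iv;
	ks->liv = ks->iv2;

	/*
	 * NOTE(review): this hands the raw key bytes to the debug log
	 * (LOG_CRYPTO class, level 40).  Anyone able to read that output
	 * can recover the key, so debug logs from a keyed daemon need the
	 * same protection as the keys themselves.
	 */
	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));

	*err = xf->init(ks, key, len);
	if (*err != EOKAY) {
		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
		    xf->name));
		/*
		 * The init callback may already have written part of a key
		 * schedule; clear it so key-derived data does not linger in
		 * freed heap memory.
		 */
		explicit_bzero(ks, sizeof *ks);
		free(ks);
		return 0;
	}
	return ks;
}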
262 
/*
 * Rotate the IV buffers: the pending value in ks->liv becomes the active
 * IV (ks->riv), and the old active buffer becomes the scratch slot.  Only
 * the two pointers are exchanged; no IV bytes are copied.
 */
void
crypto_update_iv(struct keystate *ks)
{
	u_int8_t	*retired = ks->riv;

	ks->riv = ks->liv;
	ks->liv = retired;

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
	    ks->xf->blocksize));
}
275 
/*
 * Load LEN bytes from BUF as the active IV (ks->riv).
 *
 * NOTE(review): LEN is copied as given; it is not compared with the
 * transform's block size or with the capacity of the buffer ks->riv
 * points at.  Callers are presumably expected to pass the block size -
 * confirm, since a larger value would write past the IV storage.
 */
void
crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
{
	u_int8_t	*active = ks->riv;

	memcpy(active, buf, len);

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
	    len));
}
284 
/*
 * Encrypt LEN bytes of BUF in place with the transform bound to KS, then
 * store the last ciphertext block in ks->liv as the next chaining value.
 * The stored IV only takes effect once crypto_update_iv() swaps it in.
 *
 * NOTE(review): the tail block is taken from BUF + LEN - blocksize, so LEN
 * must be at least one block (and, for CBC, a whole number of blocks).
 * That is not checked here.  A silent early return would leave plaintext
 * in BUF for the caller to send, so the length check belongs in the
 * caller, which can refuse to transmit.
 *
 * NOTE(review): the "before encryption" debug dump contains the plaintext.
 */
void
crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	u_int8_t	*tail;

	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: before encryption", buf,
	    len));

	ks->xf->encrypt(ks, buf, len);

	/* Last ciphertext block = IV for whatever is encrypted next. */
	tail = buf + len - ks->xf->blocksize;
	memcpy(ks->liv, tail, ks->xf->blocksize);

	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: after encryption", buf,
	    len));
}
295 
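/*
 * Decrypt LEN bytes of BUF in place with the transform bound to KS.
 *
 * Before decrypting, the last ciphertext block is saved in ks->liv so it
 * can serve as the next chaining value; it only takes effect once
 * crypto_update_iv() swaps it in.
 *
 * A buffer shorter than one cipher block is left untouched: the tail-block
 * address BUF + LEN - blocksize would lie before BUF, and the Blowfish
 * back end starts from the same address.  The condition is reported
 * through the debug log only, because this function has no return value.
 *
 * NOTE(review): LEN is not checked for being a whole number of blocks;
 * callers handling received data should verify that before calling in.
 *
 * NOTE(review): the "after decryption" debug dump contains the plaintext.
 */
void
crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: before decryption", buf,
	    len));

	if (len < ks->xf->blocksize) {
		LOG_DBG((LOG_CRYPTO, 10,
		    "crypto_decrypt: short buffer, %d bytes", len));
		return;
	}

	/*
	 * XXX There is controversy about the correctness of updating the IV
	 * like this.
	 */
	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
	ks->xf->decrypt(ks, buf, len);
	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf,
	    len));
}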
310 
/*
 * Make a copy of the keystate pointed to by OKS.
 *
 * The whole structure is duplicated, key schedules included, and the
 * riv/liv pointers of the copy are re-aimed at the copy's own iv/iv2
 * buffers in the same arrangement OKS uses.  Returns the copy, which the
 * caller owns, or a null pointer if the allocation fails.
 *
 * NOTE(review): the copy holds the same key material as the original, so
 * it deserves the same care when it is released.
 */
struct keystate *
crypto_clone_keystate(struct keystate *oks)
{
	struct keystate	*copy = malloc(sizeof *copy);
	int		 riv_on_iv;

	if (copy == NULL) {
		log_error("crypto_clone_keystate: malloc (%lu) failed",
		    (unsigned long)sizeof *copy);
		return NULL;
	}

	memcpy(copy, oks, sizeof *copy);

	/* The copied pointers still aim into OKS; retarget them. */
	riv_on_iv = (oks->riv == oks->iv);
	copy->riv = riv_on_iv ? copy->iv : copy->iv2;
	copy->liv = riv_on_iv ? copy->iv2 : copy->iv;

	return copy;
}
333