1 /* $OpenBSD: crypto.c,v 1.23 2005/04/05 18:13:20 cloder Exp $ */ 2 /* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1998 Niels Provos. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * This code was written under funding by Ericsson Radio Systems. 31 */ 32 33 #include <sys/param.h> 34 #include <stdlib.h> 35 #include <string.h> 36 37 #include "sysdep.h" 38 39 #include "crypto.h" 40 #include "log.h" 41 42 enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t); 43 enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t); 44 enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t); 45 enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t); 46 enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t); 47 void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 48 void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 49 void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t); 50 void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t); 51 void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t); 52 void blf_decrypt(struct keystate *, u_int8_t *, u_int16_t); 53 void cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 54 void cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 55 void aes_encrypt(struct keystate *, u_int8_t *, u_int16_t); 56 void aes_decrypt(struct keystate *, u_int8_t *, u_int16_t); 57 58 struct crypto_xf transforms[] = { 59 #ifdef USE_DES 60 { 61 DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, 62 BLOCKSIZE, 0, 63 des1_init, 64 des1_encrypt, des1_decrypt 65 }, 66 #endif 67 #ifdef USE_TRIPLEDES 68 { 69 TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, 70 BLOCKSIZE, 0, 71 des3_init, 72 des3_encrypt, des3_decrypt 73 }, 74 #endif 75 #ifdef USE_BLOWFISH 76 { 77 BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, 78 BLOCKSIZE, 0, 79 blf_init, 80 blf_encrypt, blf_decrypt 81 }, 82 #endif 83 #ifdef USE_CAST 84 { 85 CAST_CBC, "CAST (CBC-Mode)", 12, 16, 86 BLOCKSIZE, 0, 87 cast_init, 88 cast1_encrypt, cast1_decrypt 89 }, 90 #endif 91 #ifdef USE_AES 92 { 93 AES_CBC, "AES (CBC-Mode)", 16, 32, 94 AES_BLOCK_SIZE, 0, 95 aes_init, 96 aes_encrypt, aes_decrypt 97 }, 98 #endif 99 }; 100 101 /* Hmm, the function prototypes for des are really dumb */ 102 #ifdef __OpenBSD__ 103 #define DC (des_cblock *) 104 #else 105 #define DC (void *) 106 #endif 107 108 enum cryptoerr 109 des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 110 { 111 /* des_set_key returns -1 for parity problems, and -2 for weak keys */ 112 des_set_odd_parity(DC key); 113 switch (des_set_key(DC key, ks->ks_des[0])) { 114 case -2: 115 return EWEAKKEY; 116 default: 117 return EOKAY; 118 } 119 } 120 121 void 122 des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 123 { 124 des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, 125 DES_ENCRYPT); 126 } 127 128 void 129 des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 130 { 131 des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, 132 DES_DECRYPT); 133 } 134 135 #ifdef USE_TRIPLEDES 136 enum cryptoerr 137 des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 138 { 139 des_set_odd_parity(DC key); 140 des_set_odd_parity(DC(key + 8)); 141 des_set_odd_parity(DC(key + 16)); 142 143 /* As of the draft Tripe-DES does not check for weak keys */ 144 des_set_key(DC key, ks->ks_des[0]); 145 des_set_key(DC(key + 8), ks->ks_des[1]); 146 des_set_key(DC(key + 16), ks->ks_des[2]); 147 148 return EOKAY; 149 } 150 151 void 152 des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 153 { 154 u_int8_t iv[MAXBLK]; 155 156 memcpy(iv, ks->riv, ks->xf->blocksize); 157 des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], 158 ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT); 159 } 160 161 void 162 des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 163 { 164 u_int8_t iv[MAXBLK]; 165 166 memcpy(iv, ks->riv, ks->xf->blocksize); 167 des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], 168 ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT); 169 } 170 #undef DC 171 #endif /* USE_TRIPLEDES */ 172 173 #ifdef USE_BLOWFISH 174 enum cryptoerr 175 blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 176 { 177 blf_key(&ks->ks_blf, key, len); 178 179 return EOKAY; 180 } 181 182 void 183 blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 184 { 185 u_int16_t i, blocksize = ks->xf->blocksize; 186 u_int8_t *iv = ks->liv; 187 u_int32_t xl, xr; 188 189 memcpy(iv, ks->riv, blocksize); 190 191 for (i = 0; i < len; data += blocksize, i += blocksize) { 192 XOR64(data, iv); 193 xl = GET_32BIT_BIG(data); 194 xr = GET_32BIT_BIG(data + 4); 195 Blowfish_encipher(&ks->ks_blf, &xl, &xr); 196 SET_32BIT_BIG(data, xl); 197 SET_32BIT_BIG(data + 4, xr); 198 SET64(iv, data); 199 } 200 } 201 202 void 203 blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 204 { 205 u_int16_t i, blocksize = ks->xf->blocksize; 206 u_int32_t xl, xr; 207 208 data += len - blocksize; 209 for (i = len - blocksize; i >= blocksize; data -= blocksize, 210 i -= blocksize) { 211 xl = GET_32BIT_BIG(data); 212 xr = GET_32BIT_BIG(data + 4); 213 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 214 SET_32BIT_BIG(data, xl); 215 SET_32BIT_BIG(data + 4, xr); 216 XOR64(data, data - blocksize); 217 218 } 219 xl = GET_32BIT_BIG(data); 220 xr = GET_32BIT_BIG(data + 4); 221 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 222 SET_32BIT_BIG(data, xl); 223 SET_32BIT_BIG(data + 4, xr); 224 XOR64(data, ks->riv); 225 } 226 #endif /* USE_BLOWFISH */ 227 228 #ifdef USE_CAST 229 enum cryptoerr 230 cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 231 { 232 cast_setkey(&ks->ks_cast, key, len); 233 return EOKAY; 234 } 235 236 void 237 cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 238 { 239 u_int16_t i, blocksize = ks->xf->blocksize; 240 u_int8_t *iv = ks->liv; 241 242 memcpy(iv, ks->riv, blocksize); 243 244 for (i = 0; i < len; data += blocksize, i += blocksize) { 245 XOR64(data, iv); 246 cast_encrypt(&ks->ks_cast, data, data); 247 SET64(iv, data); 248 } 249 } 250 251 void 252 cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 253 { 254 u_int16_t i, blocksize = ks->xf->blocksize; 255 256 data += len - blocksize; 257 for (i = len - blocksize; i >= blocksize; data -= blocksize, 258 i -= blocksize) { 259 cast_decrypt(&ks->ks_cast, data, data); 260 XOR64(data, data - blocksize); 261 } 262 cast_decrypt(&ks->ks_cast, data, data); 263 XOR64(data, ks->riv); 264 } 265 #endif /* USE_CAST */ 266 267 #ifdef USE_AES 268 enum cryptoerr 269 aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 270 { 271 AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]); 272 AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]); 273 return EOKAY; 274 } 275 276 void 277 aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 278 { 279 u_int8_t iv[MAXBLK]; 280 281 memcpy(iv, ks->riv, ks->xf->blocksize); 282 AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT); 283 } 284 285 void 286 aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 287 { 288 u_int8_t iv[MAXBLK]; 289 290 memcpy(iv, ks->riv, ks->xf->blocksize); 291 AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT); 292 } 293 #endif /* USE_AES */ 294 295 struct crypto_xf * 296 crypto_get(enum transform id) 297 { 298 size_t i; 299 300 for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) 301 if (id == transforms[i].id) 302 return &transforms[i]; 303 304 return 0; 305 } 306 307 struct keystate * 308 crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len, 309 enum cryptoerr *err) 310 { 311 struct keystate *ks; 312 313 if (len < xf->keymin || len > xf->keymax) { 314 LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", 315 len)); 316 *err = EKEYLEN; 317 return 0; 318 } 319 ks = calloc(1, sizeof *ks); 320 if (!ks) { 321 log_error("crypto_init: calloc (1, %lu) failed", 322 (unsigned long)sizeof *ks); 323 *err = ENOCRYPTO; 324 return 0; 325 } 326 ks->xf = xf; 327 328 /* Setup the IV. */ 329 ks->riv = ks->iv; 330 ks->liv = ks->iv2; 331 332 LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len)); 333 334 *err = xf->init(ks, key, len); 335 if (*err != EOKAY) { 336 LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", 337 xf->name)); 338 free(ks); 339 return 0; 340 } 341 return ks; 342 } 343 344 void 345 crypto_update_iv(struct keystate *ks) 346 { 347 u_int8_t *tmp; 348 349 tmp = ks->riv; 350 ks->riv = ks->liv; 351 ks->liv = tmp; 352 353 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, 354 ks->xf->blocksize)); 355 } 356 357 void 358 crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len) 359 { 360 memcpy(ks->riv, buf, len); 361 362 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv, 363 len)); 364 } 365 366 void 367 crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 368 { 369 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: before encryption", buf, 370 len)); 371 ks->xf->encrypt(ks, buf, len); 372 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 373 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf, 374 len)); 375 } 376 377 void 378 crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 379 { 380 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: before decryption", buf, 381 len)); 382 /* 383 * XXX There is controversy about the correctness of updating the IV 384 * like this. 385 */ 386 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 387 ks->xf->decrypt(ks, buf, len); 388 LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf, 389 len)); 390 } 391 392 /* Make a copy of the keystate pointed to by OKS. */ 393 struct keystate * 394 crypto_clone_keystate(struct keystate *oks) 395 { 396 struct keystate *ks; 397 398 ks = malloc(sizeof *ks); 399 if (!ks) { 400 log_error("crypto_clone_keystate: malloc (%lu) failed", 401 (unsigned long)sizeof *ks); 402 return 0; 403 } 404 memcpy(ks, oks, sizeof *ks); 405 if (oks->riv == oks->iv) { 406 ks->riv = ks->iv; 407 ks->liv = ks->iv2; 408 } else { 409 ks->riv = ks->iv2; 410 ks->liv = ks->iv; 411 } 412 return ks; 413 } 414