1 /* $OpenBSD: crypto.c,v 1.19 2004/03/31 10:54:46 ho Exp $ */ 2 /* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1998 Niels Provos. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * This code was written under funding by Ericsson Radio Systems. 31 */ 32 33 #include <sys/param.h> 34 #include <stdlib.h> 35 #include <string.h> 36 37 #include "sysdep.h" 38 39 #include "crypto.h" 40 #include "log.h" 41 42 enum cryptoerr des1_init (struct keystate *, u_int8_t *, u_int16_t); 43 enum cryptoerr des3_init (struct keystate *, u_int8_t *, u_int16_t); 44 enum cryptoerr blf_init (struct keystate *, u_int8_t *, u_int16_t); 45 enum cryptoerr cast_init (struct keystate *, u_int8_t *, u_int16_t); 46 enum cryptoerr aes_init (struct keystate *, u_int8_t *, u_int16_t); 47 void des1_encrypt (struct keystate *, u_int8_t *, u_int16_t); 48 void des1_decrypt (struct keystate *, u_int8_t *, u_int16_t); 49 void des3_encrypt (struct keystate *, u_int8_t *, u_int16_t); 50 void des3_decrypt (struct keystate *, u_int8_t *, u_int16_t); 51 void blf_encrypt (struct keystate *, u_int8_t *, u_int16_t); 52 void blf_decrypt (struct keystate *, u_int8_t *, u_int16_t); 53 void cast1_encrypt (struct keystate *, u_int8_t *, u_int16_t); 54 void cast1_decrypt (struct keystate *, u_int8_t *, u_int16_t); 55 void aes_encrypt (struct keystate *, u_int8_t *, u_int16_t); 56 void aes_decrypt (struct keystate *, u_int8_t *, u_int16_t); 57 58 struct crypto_xf transforms[] = { 59 #ifdef USE_DES 60 { 61 DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0, 62 des1_init, 63 des1_encrypt, des1_decrypt 64 }, 65 #endif 66 #ifdef USE_TRIPLEDES 67 { 68 TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0, 69 des3_init, 70 des3_encrypt, des3_decrypt 71 }, 72 #endif 73 #ifdef USE_BLOWFISH 74 { 75 BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, BLOCKSIZE, 0, 76 blf_init, 77 blf_encrypt, blf_decrypt 78 }, 79 #endif 80 #ifdef USE_CAST 81 { 82 CAST_CBC, "CAST (CBC-Mode)", 12, 16, BLOCKSIZE, 0, 83 cast_init, 84 cast1_encrypt, cast1_decrypt 85 }, 86 #endif 87 #ifdef USE_AES 88 { 89 AES_CBC, "AES (CBC-Mode)", 16, 32, AES_BLOCK_SIZE, 0, 90 aes_init, 91 aes_encrypt, aes_decrypt 92 }, 93 #endif 94 }; 95 96 /* Hmm, the function prototypes for des are really dumb */ 97 #ifdef __OpenBSD__ 98 #define DC (des_cblock *) 99 #else 100 #define DC (void *) 101 #endif 102 103 enum cryptoerr 104 des1_init (struct keystate *ks, u_int8_t *key, u_int16_t len) 105 { 106 /* des_set_key returns -1 for parity problems, and -2 for weak keys */ 107 des_set_odd_parity (DC key); 108 switch (des_set_key (DC key, ks->ks_des[0])) 109 { 110 case -2: 111 return EWEAKKEY; 112 default: 113 return EOKAY; 114 } 115 } 116 117 void 118 des1_encrypt (struct keystate *ks, u_int8_t *d, u_int16_t len) 119 { 120 des_cbc_encrypt (DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT); 121 } 122 123 void 124 des1_decrypt (struct keystate *ks, u_int8_t *d, u_int16_t len) 125 { 126 des_cbc_encrypt (DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT); 127 } 128 129 #ifdef USE_TRIPLEDES 130 enum cryptoerr 131 des3_init (struct keystate *ks, u_int8_t *key, u_int16_t len) 132 { 133 des_set_odd_parity (DC key); 134 des_set_odd_parity (DC (key + 8)); 135 des_set_odd_parity (DC (key + 16)); 136 137 /* As of the draft Tripe-DES does not check for weak keys */ 138 des_set_key (DC key, ks->ks_des[0]); 139 des_set_key (DC (key + 8), ks->ks_des[1]); 140 des_set_key (DC (key + 16), ks->ks_des[2]); 141 142 return EOKAY; 143 } 144 145 void 146 des3_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 147 { 148 u_int8_t iv[MAXBLK]; 149 150 memcpy (iv, ks->riv, ks->xf->blocksize); 151 des_ede3_cbc_encrypt (DC data, DC data, len, ks->ks_des[0], ks->ks_des[1], 152 ks->ks_des[2], DC iv, DES_ENCRYPT); 153 } 154 155 void 156 des3_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 157 { 158 u_int8_t iv[MAXBLK]; 159 160 memcpy (iv, ks->riv, ks->xf->blocksize); 161 des_ede3_cbc_encrypt (DC data, DC data, len, ks->ks_des[0], ks->ks_des[1], 162 ks->ks_des[2], DC iv, DES_DECRYPT); 163 } 164 #undef DC 165 #endif /* USE_TRIPLEDES */ 166 167 #ifdef USE_BLOWFISH 168 enum cryptoerr 169 blf_init (struct keystate *ks, u_int8_t *key, u_int16_t len) 170 { 171 blf_key (&ks->ks_blf, key, len); 172 173 return EOKAY; 174 } 175 176 void 177 blf_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 178 { 179 u_int16_t i, blocksize = ks->xf->blocksize; 180 u_int8_t *iv = ks->liv; 181 u_int32_t xl, xr; 182 183 memcpy (iv, ks->riv, blocksize); 184 185 for (i = 0; i < len; data += blocksize, i += blocksize) 186 { 187 XOR64 (data, iv); 188 xl = GET_32BIT_BIG (data); 189 xr = GET_32BIT_BIG (data + 4); 190 Blowfish_encipher (&ks->ks_blf, &xl, &xr); 191 SET_32BIT_BIG (data, xl); 192 SET_32BIT_BIG (data + 4, xr); 193 SET64 (iv, data); 194 } 195 } 196 197 void 198 blf_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 199 { 200 u_int16_t i, blocksize = ks->xf->blocksize; 201 u_int32_t xl, xr; 202 203 data += len - blocksize; 204 for (i = len - blocksize; i >= blocksize; data -= blocksize, i -= blocksize) 205 { 206 xl = GET_32BIT_BIG (data); 207 xr = GET_32BIT_BIG (data + 4); 208 Blowfish_decipher (&ks->ks_blf, &xl, &xr); 209 SET_32BIT_BIG (data, xl); 210 SET_32BIT_BIG (data + 4, xr); 211 XOR64 (data, data - blocksize); 212 213 } 214 xl = GET_32BIT_BIG (data); 215 xr = GET_32BIT_BIG (data + 4); 216 Blowfish_decipher (&ks->ks_blf, &xl, &xr); 217 SET_32BIT_BIG (data, xl); 218 SET_32BIT_BIG (data + 4, xr); 219 XOR64 (data, ks->riv); 220 } 221 #endif /* USE_BLOWFISH */ 222 223 #ifdef USE_CAST 224 enum cryptoerr 225 cast_init (struct keystate *ks, u_int8_t *key, u_int16_t len) 226 { 227 cast_setkey (&ks->ks_cast, key, len); 228 return EOKAY; 229 } 230 231 void 232 cast1_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 233 { 234 u_int16_t i, blocksize = ks->xf->blocksize; 235 u_int8_t *iv = ks->liv; 236 237 memcpy (iv, ks->riv, blocksize); 238 239 for (i = 0; i < len; data += blocksize, i += blocksize) 240 { 241 XOR64 (data, iv); 242 cast_encrypt (&ks->ks_cast, data, data); 243 SET64 (iv, data); 244 } 245 } 246 247 void 248 cast1_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 249 { 250 u_int16_t i, blocksize = ks->xf->blocksize; 251 252 data += len - blocksize; 253 for (i = len - blocksize; i >= blocksize; data -= blocksize, i -= blocksize) 254 { 255 cast_decrypt (&ks->ks_cast, data, data); 256 XOR64 (data, data - blocksize); 257 } 258 cast_decrypt (&ks->ks_cast, data, data); 259 XOR64 (data, ks->riv); 260 } 261 #endif /* USE_CAST */ 262 263 #ifdef USE_AES 264 enum cryptoerr 265 aes_init (struct keystate *ks, u_int8_t *key, u_int16_t len) 266 { 267 AES_set_encrypt_key (key, len << 3, &ks->ks_aes[0]); 268 AES_set_decrypt_key (key, len << 3, &ks->ks_aes[1]); 269 return EOKAY; 270 } 271 272 void 273 aes_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 274 { 275 u_int8_t iv[MAXBLK]; 276 277 memcpy (iv, ks->riv, ks->xf->blocksize); 278 AES_cbc_encrypt (data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT); 279 } 280 281 void 282 aes_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) 283 { 284 u_int8_t iv[MAXBLK]; 285 286 memcpy (iv, ks->riv, ks->xf->blocksize); 287 AES_cbc_encrypt (data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT); 288 } 289 #endif /* USE_AES */ 290 291 struct crypto_xf * 292 crypto_get (enum transform id) 293 { 294 size_t i; 295 296 for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) 297 if (id == transforms[i].id) 298 return &transforms[i]; 299 300 return 0; 301 } 302 303 struct keystate * 304 crypto_init (struct crypto_xf *xf, u_int8_t *key, u_int16_t len, 305 enum cryptoerr *err) 306 { 307 struct keystate *ks; 308 309 if (len < xf->keymin || len > xf->keymax) 310 { 311 LOG_DBG ((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", len)); 312 *err = EKEYLEN; 313 return 0; 314 } 315 316 ks = calloc (1, sizeof *ks); 317 if (!ks) 318 { 319 log_error ("crypto_init: calloc (1, %lu) failed", 320 (unsigned long)sizeof *ks); 321 *err = ENOCRYPTO; 322 return 0; 323 } 324 325 ks->xf = xf; 326 327 /* Setup the IV. */ 328 ks->riv = ks->iv; 329 ks->liv = ks->iv2; 330 331 LOG_DBG_BUF ((LOG_CRYPTO, 40, "crypto_init: key", key, len)); 332 333 *err = xf->init (ks, key, len); 334 if (*err != EOKAY) 335 { 336 LOG_DBG ((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", 337 xf->name)); 338 free (ks); 339 return 0; 340 } 341 342 return ks; 343 } 344 345 void 346 crypto_update_iv (struct keystate *ks) 347 { 348 u_int8_t *tmp; 349 350 tmp = ks->riv; 351 ks->riv = ks->liv; 352 ks->liv = tmp; 353 354 LOG_DBG_BUF ((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, 355 ks->xf->blocksize)); 356 } 357 358 void 359 crypto_init_iv (struct keystate *ks, u_int8_t *buf, size_t len) 360 { 361 memcpy (ks->riv, buf, len); 362 363 LOG_DBG_BUF ((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv, 364 len)); 365 } 366 367 void 368 crypto_encrypt (struct keystate *ks, u_int8_t *buf, u_int16_t len) 369 { 370 LOG_DBG_BUF ((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf, 371 len)); 372 ks->xf->encrypt (ks, buf, len); 373 memcpy (ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 374 LOG_DBG_BUF ((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf, 375 len)); 376 } 377 378 void 379 crypto_decrypt (struct keystate *ks, u_int8_t *buf, u_int16_t len) 380 { 381 LOG_DBG_BUF ((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf, 382 len)); 383 /* 384 * XXX There is controversy about the correctness of updating the IV 385 * like this. 386 */ 387 memcpy (ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 388 ks->xf->decrypt (ks, buf, len); 389 LOG_DBG_BUF ((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf, 390 len)); 391 } 392 393 /* Make a copy of the keystate pointed to by OKS. */ 394 struct keystate * 395 crypto_clone_keystate (struct keystate *oks) 396 { 397 struct keystate *ks; 398 399 ks = malloc (sizeof *ks); 400 if (!ks) 401 { 402 log_error ("crypto_clone_keystate: malloc (%lu) failed", 403 (unsigned long)sizeof *ks); 404 return 0; 405 } 406 memcpy (ks, oks, sizeof *ks); 407 if (oks->riv == oks->iv) 408 { 409 ks->riv = ks->iv; 410 ks->liv = ks->iv2; 411 } 412 else 413 { 414 ks->riv = ks->iv2; 415 ks->liv = ks->iv; 416 } 417 return ks; 418 } 419