1 /* $OpenBSD: crypto.c,v 1.28 2005/04/08 22:32:09 cloder Exp $ */
2 /* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */
3
4 /*
5 * Copyright (c) 1998 Niels Provos. All rights reserved.
6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 /*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33 #include <sys/param.h>
34 #include <stdlib.h>
35 #include <string.h>
36
37 #include "crypto.h"
38 #include "log.h"
39
/*
 * Per-cipher hooks referenced by the transforms[] table below.
 * All of them share one shape: the key state, a byte buffer (key
 * material for *_init, data processed in place for the others) and
 * its length in bytes.
 */

/* Key setup. */
enum cryptoerr	des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr	des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr	blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr	cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len);
enum cryptoerr	aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len);

/* In-place CBC encryption / decryption. */
void	des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len);
void	des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len);
void	des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
void	aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len);
55
/*
 * Table of supported ciphers, searched by crypto_get().
 *
 * Initializers are positional.  Judging by how the fields are used in
 * this file the order is: transform id, display name, minimum and
 * maximum key length in bytes (checked by crypto_init), cipher block
 * size, one field left at 0 here, then the init / encrypt / decrypt
 * hooks.  NOTE(review): the struct layout lives in crypto.h; confirm
 * the order and the meaning of the zeroed field there.
 */
struct crypto_xf transforms[] = {
	/* Single DES: 8 key bytes including parity, 56 effective bits. */
	{
		DES_CBC,
		"Data Encryption Standard (CBC-Mode)",
		8, 8,
		BLOCKSIZE,
		0,
		des1_init, des1_encrypt, des1_decrypt
	},
	/* Three independent 8-byte DES keys. */
	{
		TRIPLEDES_CBC,
		"Triple-DES (CBC-Mode)",
		24, 24,
		BLOCKSIZE,
		0,
		des3_init, des3_encrypt, des3_decrypt
	},
	/* Variable key length, 12 to 56 bytes. */
	{
		BLOWFISH_CBC,
		"Blowfish (CBC-Mode)",
		12, 56,
		BLOCKSIZE,
		0,
		blf_init, blf_encrypt, blf_decrypt
	},
	/* Variable key length, 12 to 16 bytes. */
	{
		CAST_CBC,
		"CAST (CBC-Mode)",
		12, 16,
		BLOCKSIZE,
		0,
		cast_init, cast1_encrypt, cast1_decrypt
	},
	/* 16 to 32 key bytes; the only entry not using BLOCKSIZE. */
	{
		AES_CBC,
		"AES (CBC-Mode)",
		16, 32,
		AES_BLOCK_SIZE,
		0,
		aes_init, aes_encrypt, aes_decrypt
	},
};
88
/*
 * Set up the single-DES key schedule in ks->ks_des[0].
 *
 * The key buffer is modified in place: its parity bits are forced to
 * odd before the schedule is built.  LEN is not consulted here.
 * Returns EWEAKKEY when des_set_key reports a weak key, EOKAY for
 * every other result.
 */
enum cryptoerr
des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	int	rc;

	des_set_odd_parity((void *)key);
	rc = des_set_key((void *)key, ks->ks_des[0]);

	/* des_set_key returns -1 for parity problems, and -2 for weak keys */
	if (rc == -2)
		return EWEAKKEY;
	return EOKAY;
}
101
/*
 * DES-CBC encrypt LEN bytes at D in place, using the schedule in
 * ks->ks_des[0].  ks->riv is passed to the library as the IV.
 */
void
des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
{
	void	*buf = (void *)d;
	void	*ivec = (void *)ks->riv;

	des_cbc_encrypt(buf, buf, len, ks->ks_des[0], ivec, DES_ENCRYPT);
}
108
/*
 * DES-CBC decrypt LEN bytes at D in place, using the schedule in
 * ks->ks_des[0].  ks->riv is passed to the library as the IV.
 */
void
des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
{
	void	*buf = (void *)d;
	void	*ivec = (void *)ks->riv;

	des_cbc_encrypt(buf, buf, len, ks->ks_des[0], ivec, DES_DECRYPT);
}
115
/*
 * Set up the three Triple-DES key schedules ks->ks_des[0..2] from
 * three consecutive 8-byte subkeys at KEY.
 *
 * The key buffer is modified in place (parity forced to odd).  The
 * results of des_set_key are ignored, so weak subkeys are accepted.
 * Always returns EOKAY.
 */
enum cryptoerr
des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	int	k;

	for (k = 0; k < 3; k++)
		des_set_odd_parity((void *)(key + 8 * k));

	/* As of the draft Triple-DES does not check for weak keys */
	for (k = 0; k < 3; k++)
		des_set_key((void *)(key + 8 * k), ks->ks_des[k]);

	return EOKAY;
}
130
/*
 * Triple-DES (EDE) CBC encrypt LEN bytes at DATA in place.
 *
 * The library is given a stack copy of the IV, so ks->riv is only
 * read by this function.
 */
void
des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	 iv[MAXBLK];
	void		*buf = (void *)data;

	memcpy(iv, ks->riv, ks->xf->blocksize);
	des_ede3_cbc_encrypt(buf, buf, len,
	    ks->ks_des[0], ks->ks_des[1], ks->ks_des[2],
	    (void *)iv, DES_ENCRYPT);
}
140
/*
 * Triple-DES (EDE) CBC decrypt LEN bytes at DATA in place.
 *
 * The library is given a stack copy of the IV, so ks->riv is only
 * read by this function.
 */
void
des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	 iv[MAXBLK];
	void		*buf = (void *)data;

	memcpy(iv, ks->riv, ks->xf->blocksize);
	des_ede3_cbc_encrypt(buf, buf, len,
	    ks->ks_des[0], ks->ks_des[1], ks->ks_des[2],
	    (void *)iv, DES_DECRYPT);
}
150
/*
 * Expand LEN bytes of KEY into the Blowfish state ks->ks_blf.
 * No validation happens here; the function always returns EOKAY.
 */
enum cryptoerr
blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	blf_key(&ks->ks_blf, key, len);

	return EOKAY;
}
158
/*
 * Blowfish-CBC encrypt LEN bytes at DATA in place.
 *
 * The chaining value is kept in ks->liv, seeded from ks->riv, and
 * ends up holding the last ciphertext block.
 *
 * NOTE(review): the loop advances in whole blocks until the offset
 * reaches LEN, so LEN is expected to be a multiple of the block size;
 * nothing here checks that, and a trailing partial block would be
 * processed as a full one.  The 64-bit helper macros also assume an
 * 8-byte block -- confirm against callers and crypto.h.
 */
void
blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	 bs = ks->xf->blocksize;
	u_int16_t	 off = 0;
	u_int8_t	*chain = ks->liv;
	u_int32_t	 left, right;

	memcpy(chain, ks->riv, bs);

	while (off < len) {
		/* Mix in the previous ciphertext block (or the IV). */
		XOR64(data, chain);

		left = GET_32BIT_BIG(data);
		right = GET_32BIT_BIG(data + 4);
		Blowfish_encipher(&ks->ks_blf, &left, &right);
		SET_32BIT_BIG(data, left);
		SET_32BIT_BIG(data + 4, right);

		/* This ciphertext block chains into the next one. */
		SET64(chain, data);

		data += bs;
		off += bs;
	}
}
178
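/*
 * Blowfish-CBC decrypt LEN bytes at DATA in place.
 *
 * Blocks are processed from the last one back to the first, so each
 * block can be XORed with the still-encrypted block in front of it;
 * the first block is XORed with ks->riv.
 *
 * Input shorter than one block is left untouched: without that check
 * "len - blocksize" goes negative, the start pointer lands in front
 * of the buffer and the 16-bit loop counter wraps to a large value.
 */
void
blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;
	u_int32_t	xl, xr;

	if (len < blocksize) {
		LOG_DBG((LOG_CRYPTO, 10,
		    "blf_decrypt: input of %d bytes is shorter than a block",
		    len));
		return;
	}

	/* Start at the last block and walk towards the front. */
	data += len - blocksize;
	for (i = len - blocksize; i >= blocksize; data -= blocksize,
	    i -= blocksize) {
		xl = GET_32BIT_BIG(data);
		xr = GET_32BIT_BIG(data + 4);
		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
		SET_32BIT_BIG(data, xl);
		SET_32BIT_BIG(data + 4, xr);
		/* The preceding block is still ciphertext at this point. */
		XOR64(data, data - blocksize);
	}

	/* First block: chained with the IV rather than a previous block. */
	xl = GET_32BIT_BIG(data);
	xr = GET_32BIT_BIG(data + 4);
	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
	SET_32BIT_BIG(data, xl);
	SET_32BIT_BIG(data + 4, xr);
	XOR64(data, ks->riv);
}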
203
/*
 * Expand LEN bytes of KEY into the CAST state ks->ks_cast.
 * No validation happens here; the function always returns EOKAY.
 */
enum cryptoerr
cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	cast_setkey(&ks->ks_cast, key, len);

	return EOKAY;
}
210
/*
 * CAST-CBC encrypt LEN bytes at DATA in place.
 *
 * The chaining value is kept in ks->liv, seeded from ks->riv, and
 * ends up holding the last ciphertext block.
 *
 * NOTE(review): the loop advances in whole blocks until the offset
 * reaches LEN, so LEN is expected to be a multiple of the block size;
 * nothing here checks that, and a trailing partial block would be
 * processed as a full one -- confirm that callers pad.
 */
void
cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	 bs = ks->xf->blocksize;
	u_int16_t	 off = 0;
	u_int8_t	*chain = ks->liv;

	memcpy(chain, ks->riv, bs);

	while (off < len) {
		/* Mix in the previous ciphertext block (or the IV). */
		XOR64(data, chain);
		cast_encrypt(&ks->ks_cast, data, data);
		/* This ciphertext block chains into the next one. */
		SET64(chain, data);

		data += bs;
		off += bs;
	}
}
225
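/*
 * CAST-CBC decrypt LEN bytes at DATA in place.
 *
 * Blocks are processed from the last one back to the first, so each
 * block can be XORed with the still-encrypted block in front of it;
 * the first block is XORed with ks->riv.
 *
 * Input shorter than one block is left untouched: without that check
 * "len - blocksize" goes negative, the start pointer lands in front
 * of the buffer and the 16-bit loop counter wraps to a large value.
 */
void
cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;

	if (len < blocksize) {
		LOG_DBG((LOG_CRYPTO, 10,
		    "cast1_decrypt: input of %d bytes is shorter than a block",
		    len));
		return;
	}

	/* Start at the last block and walk towards the front. */
	data += len - blocksize;
	for (i = len - blocksize; i >= blocksize; data -= blocksize,
	    i -= blocksize) {
		cast_decrypt(&ks->ks_cast, data, data);
		/* The preceding block is still ciphertext at this point. */
		XOR64(data, data - blocksize);
	}

	/* First block: chained with the IV rather than a previous block. */
	cast_decrypt(&ks->ks_cast, data, data);
	XOR64(data, ks->riv);
}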
240
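/*
 * Build the AES encryption schedule in ks->ks_aes[0] and the
 * decryption schedule in ks->ks_aes[1] from LEN bytes of KEY.
 *
 * The key setup routines take the key size in bits and report failure
 * with a non-zero result.  The transforms[] entry admits every length
 * from 16 to 32 bytes, so a length the library rejects can reach this
 * point; that is reported as EKEYLEN instead of returning EOKAY with
 * schedules that were never filled in.
 */
enum cryptoerr
aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	if (AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]) != 0 ||
	    AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]) != 0)
		return EKEYLEN;

	return EOKAY;
}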
248
/*
 * AES-CBC encrypt LEN bytes at DATA in place with ks->ks_aes[0].
 *
 * The library is given a stack copy of the IV, so ks->riv is only
 * read by this function.
 */
void
aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	ivcopy[MAXBLK];

	memcpy(ivcopy, ks->riv, ks->xf->blocksize);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], ivcopy,
	    AES_ENCRYPT);
}
257
/*
 * AES-CBC decrypt LEN bytes at DATA in place with ks->ks_aes[1].
 *
 * The library is given a stack copy of the IV, so ks->riv is only
 * read by this function.
 */
void
aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	ivcopy[MAXBLK];

	memcpy(ivcopy, ks->riv, ks->xf->blocksize);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], ivcopy,
	    AES_DECRYPT);
}
266
/*
 * Look up the transforms[] entry whose id equals ID.
 * Returns a pointer into the table, or a null pointer when the
 * transform is not supported.
 */
struct crypto_xf *
crypto_get(enum transform id)
{
	struct crypto_xf	*xf;
	struct crypto_xf	*end;

	end = transforms + sizeof transforms / sizeof transforms[0];
	for (xf = transforms; xf < end; xf++) {
		if (xf->id == id)
			return xf;
	}

	return NULL;
}
278
/*
 * Allocate a key state for transform XF and run its key setup on LEN
 * bytes of KEY.
 *
 * Returns the new state, which the caller owns, or a null pointer
 * with *ERR set: EKEYLEN when LEN is outside [xf->keymin, xf->keymax],
 * ENOCRYPTO when allocation fails, otherwise whatever xf->init
 * returned.  On success *ERR is EOKAY.
 */
struct keystate *
crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
    enum cryptoerr *err)
{
	struct keystate	*state;

	if (len < xf->keymin || len > xf->keymax) {
		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
		    len));
		*err = EKEYLEN;
		return NULL;
	}

	state = calloc(1, sizeof *state);
	if (state == NULL) {
		log_error("crypto_init: calloc (1, %lu) failed",
		    (unsigned long)sizeof *state);
		*err = ENOCRYPTO;
		return NULL;
	}
	state->xf = xf;

	/* Setup the IV: riv and liv start out on the two in-struct buffers. */
	state->riv = state->iv;
	state->liv = state->iv2;

	/*
	 * NOTE(review): this hands the raw key bytes to the debug log
	 * (class LOG_CRYPTO, level 40); keep that in mind wherever such
	 * logs are enabled or collected.
	 */
	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));

	*err = xf->init(state, key, len);
	if (*err == EOKAY)
		return state;

	/* Every init failure is logged with the weak-key message. */
	LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
	    xf->name));
	free(state);
	return NULL;
}
315
/*
 * Swap the two IV pointers of KS, so the value collected in ks->liv
 * by the last crypto_encrypt/crypto_decrypt call becomes the IV
 * (ks->riv) for the next operation.
 */
void
crypto_update_iv(struct keystate *ks)
{
	u_int8_t	*previous = ks->riv;

	ks->riv = ks->liv;
	ks->liv = previous;

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
	    ks->xf->blocksize));
}
328
/*
 * Load LEN bytes from BUF as the current IV (ks->riv).
 *
 * NOTE(review): LEN is copied as given, with no comparison against
 * the cipher block size or the capacity of the buffer behind
 * ks->riv; callers are presumably expected to pass the block size --
 * confirm.
 */
void
crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
{
	u_int8_t	*dst = ks->riv;

	memcpy(dst, buf, len);

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
	    len));
}
337
/*
 * Encrypt LEN bytes at BUF in place with the transform bound to KS,
 * then save the last ciphertext block in ks->liv.
 *
 * NOTE(review): the tail copy reads from buf + len - blocksize, so
 * LEN must be at least one block; nothing here checks that.  The
 * plaintext is also written to the debug log (LOG_CRYPTO, level 30).
 */
void
crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	u_int8_t	*last_block;

	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: before encryption", buf,
	    len));

	ks->xf->encrypt(ks, buf, len);

	last_block = buf + len - ks->xf->blocksize;
	memcpy(ks->liv, last_block, ks->xf->blocksize);

	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf,
	    len));
}
348
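/*
 * Decrypt LEN bytes at BUF in place with the transform bound to KS.
 * The last ciphertext block is saved in ks->liv before it is
 * overwritten by the decryption.
 *
 * Input shorter than one block is rejected without touching BUF:
 * buf + len - blocksize would otherwise point in front of the buffer
 * and the copy into ks->liv would read out of bounds.
 */
void
crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	if (len < ks->xf->blocksize) {
		LOG_DBG((LOG_CRYPTO, 10,
		    "crypto_decrypt: input of %d bytes is shorter than a block",
		    len));
		return;
	}

	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: before decryption", buf,
	    len));
	/*
	 * XXX There is controversy about the correctness of updating the IV
	 * like this.
	 */
	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
	ks->xf->decrypt(ks, buf, len);
	LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf,
	    len));
}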
363
/*
 * Make a copy of the keystate pointed to by OKS.
 *
 * The whole structure is duplicated, key schedules included.  The
 * riv/liv pointers are then re-aimed at the copy's own iv/iv2
 * buffers, in the same arrangement as in OKS, so the copy never
 * points into the original.  Returns a null pointer when allocation
 * fails; otherwise the caller owns the result.
 */
struct keystate *
crypto_clone_keystate(struct keystate *oks)
{
	struct keystate	*copy;
	int		 riv_on_iv;

	copy = malloc(sizeof *copy);
	if (copy == NULL) {
		log_error("crypto_clone_keystate: malloc (%lu) failed",
		    (unsigned long)sizeof *copy);
		return NULL;
	}
	memcpy(copy, oks, sizeof *copy);

	/* Which of the two buffers is the original currently using as riv? */
	riv_on_iv = (oks->riv == oks->iv);
	copy->riv = riv_on_iv ? copy->iv : copy->iv2;
	copy->liv = riv_on_iv ? copy->iv2 : copy->iv;

	return copy;
}
386