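/* $OpenBSD: crypto.c,v 1.35 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */

/*
 * Copyright (c) 1998 Niels Provos.  All rights reserved.
 * Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

#include "crypto.h"
#include "log.h"

enum cryptoerr	des3_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	blf_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	cast_init(struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr	aes_init(struct keystate *, u_int8_t *, u_int16_t);
void		des3_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		des3_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		blf_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		blf_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t);
void		aes_encrypt(struct keystate *, u_int8_t *, u_int16_t);
void		aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);

/*
 * Table of supported CBC transforms, searched by crypto_get().
 *
 * The struct is declared in crypto.h (not shown here).  Judging from the
 * uses below, the leading fields are id, name, keymin and keymax (the key
 * length bounds in bytes that crypto_init() enforces) and blocksize,
 * followed by the init/encrypt/decrypt callbacks.
 *
 * NOTE(review): the bounds are a range, not a list of valid sizes.  AES
 * accepts 16..32 here, so a length such as 20 passes crypto_init()'s range
 * check; aes_init() is what rejects sizes the cipher cannot use.
 */
struct crypto_xf transforms[] = {
	{
		TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
		BLOCKSIZE, 0,
		des3_init,
		des3_encrypt, des3_decrypt
	},
	{
		BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
		BLOCKSIZE, 0,
		blf_init,
		blf_encrypt, blf_decrypt
	},
	{
		CAST_CBC, "CAST (CBC-Mode)", 12, 16,
		BLOCKSIZE, 0,
		cast_init,
		cast1_encrypt, cast1_decrypt
	},
	{
		AES_CBC, "AES (CBC-Mode)", 16, 32,
		AES_BLOCK_SIZE, 0,
		aes_init,
		aes_encrypt, aes_decrypt
	},
};

/*
 * Set up the three DES key schedules from KEY.
 *
 * LEN is not consulted: 24 bytes are always read from KEY.  That is only
 * safe because the transforms table pins the 3DES key length to exactly 24
 * and crypto_init() checks it before calling here.  The parity fix-up
 * writes through KEY, so the caller's key buffer is modified in place.
 */
enum cryptoerr
des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	DES_set_odd_parity((void *)key);
	DES_set_odd_parity((void *)(key + 8));
	DES_set_odd_parity((void *)(key + 16));

	/* As of the draft Triple-DES does not check for weak keys */
	DES_set_key((void *)key, &ks->ks_des[0]);
	DES_set_key((void *)(key + 8), &ks->ks_des[1]);
	DES_set_key((void *)(key + 16), &ks->ks_des[2]);

	return EOKAY;
}

/*
 * Encrypt LEN bytes of DATA in place with 3DES-CBC.  The IV is copied to a
 * local first, so ks->riv itself is left untouched by the cipher call.
 */
void
des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	DES_ede3_cbc_encrypt((void *)data, (void *)data, len, &ks->ks_des[0],
	    &ks->ks_des[1], &ks->ks_des[2], (void *)iv, DES_ENCRYPT);
}

/*
 * Decrypt LEN bytes of DATA in place with 3DES-CBC, using a local copy of
 * ks->riv as the IV.
 */
void
des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	DES_ede3_cbc_encrypt((void *)data, (void *)data, len, &ks->ks_des[0],
	    &ks->ks_des[1], &ks->ks_des[2], (void *)iv, DES_DECRYPT);
}

/* Expand the LEN-byte KEY into the Blowfish key schedule. */
enum cryptoerr
blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	blf_key(&ks->ks_blf, key, len);

	return EOKAY;
}

/*
 * Encrypt DATA in place with Blowfish in CBC mode, one block at a time.
 * ks->liv is used as the running chaining value, seeded from ks->riv.
 *
 * The loop advances a whole block per iteration, so LEN is expected to be
 * a multiple of the block size; a trailing partial block would be
 * processed as if it were a full one.
 */
void
blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;
	u_int8_t       *iv = ks->liv;
	u_int32_t	xl, xr;

	memcpy(iv, ks->riv, blocksize);

	for (i = 0; i < len; data += blocksize, i += blocksize) {
		XOR64(data, iv);
		xl = GET_32BIT_BIG(data);
		xr = GET_32BIT_BIG(data + 4);
		Blowfish_encipher(&ks->ks_blf, &xl, &xr);
		SET_32BIT_BIG(data, xl);
		SET_32BIT_BIG(data + 4, xr);
		SET64(iv, data);
	}
}

/*
 * Decrypt DATA in place with Blowfish in CBC mode.  Blocks are handled
 * last to first so that each block's predecessor is still ciphertext when
 * it is XORed in; the first block is chained with ks->riv.
 */
void
blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int16_t	i, blocksize = ks->xf->blocksize;
	u_int32_t	xl, xr;

	/*
	 * len - blocksize is stored in a u_int16_t.  For a buffer shorter
	 * than one block it would wrap, and data would be moved outside the
	 * caller's buffer before being read and written.  A zero block size
	 * would keep the loop below from terminating.
	 */
	if (blocksize == 0 || len < blocksize)
		return;

	data += len - blocksize;
	for (i = len - blocksize; i >= blocksize; data -= blocksize,
	    i -= blocksize) {
		xl = GET_32BIT_BIG(data);
		xr = GET_32BIT_BIG(data + 4);
		Blowfish_decipher(&ks->ks_blf, &xl, &xr);
		SET_32BIT_BIG(data, xl);
		SET_32BIT_BIG(data + 4, xr);
		XOR64(data, data - blocksize);
	}
	xl = GET_32BIT_BIG(data);
	xr = GET_32BIT_BIG(data + 4);
	Blowfish_decipher(&ks->ks_blf, &xl, &xr);
	SET_32BIT_BIG(data, xl);
	SET_32BIT_BIG(data + 4, xr);
	XOR64(data, ks->riv);
}

/* Expand the LEN-byte KEY into the CAST key schedule. */
enum cryptoerr
cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	CAST_set_key(&ks->ks_cast, len, key);
	return EOKAY;
}

/*
 * Encrypt LEN bytes of DATA in place with CAST-CBC.  ks->riv is copied
 * into ks->liv and the copy is handed to the cipher as its IV.
 */
void
cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	memcpy(ks->liv, ks->riv, ks->xf->blocksize);
	CAST_cbc_encrypt(data, data, len, &ks->ks_cast, ks->liv, 1);
}

/*
 * Decrypt LEN bytes of DATA in place with CAST-CBC.
 *
 * NOTE(review): unlike the 3DES and AES decrypt paths, ks->riv is passed to
 * the cipher directly rather than a copy, so the call may overwrite the
 * stored IV.  Confirm no caller relies on ks->riv being intact after a
 * decryption that is later discarded.
 */
void
cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	CAST_cbc_encrypt(data, data, len, &ks->ks_cast, ks->riv, 0);
}

/*
 * Set up the AES encrypt (ks_aes[0]) and decrypt (ks_aes[1]) schedules
 * from a LEN-byte KEY.
 *
 * The key setup routines report failure for key sizes AES does not
 * support.  Their result used to be ignored, which let crypto_init()
 * hand back a keystate whose schedules were never filled in; report
 * EKEYLEN instead so the keystate is discarded.
 */
enum cryptoerr
aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
	if (AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]) != 0 ||
	    AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]) != 0)
		return EKEYLEN;
	return EOKAY;
}

/*
 * Encrypt LEN bytes of DATA in place with AES-CBC, using a local copy of
 * ks->riv as the IV.
 */
void
aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT);
}

/*
 * Decrypt LEN bytes of DATA in place with AES-CBC, using a local copy of
 * ks->riv as the IV.
 */
void
aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
{
	u_int8_t	iv[MAXBLK];

	memcpy(iv, ks->riv, ks->xf->blocksize);
	AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT);
}

/*
 * Look up the transform with identifier ID.  Returns a pointer into the
 * transforms table, or 0 if ID is not supported.
 */
struct crypto_xf *
crypto_get(enum transform id)
{
	size_t	i;

	for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++)
		if (id == transforms[i].id)
			return &transforms[i];

	return 0;
}

/*
 * Allocate a keystate for transform XF and key it with the LEN-byte KEY.
 *
 * Returns the new keystate, which the caller owns, or 0 with *ERR set:
 * EKEYLEN when LEN is outside the transform's bounds, ENOCRYPTO when the
 * allocation fails, or whatever the transform's init callback reported.
 */
struct keystate *
crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len,
    enum cryptoerr *err)
{
	struct keystate *ks;

	if (len < xf->keymin || len > xf->keymax) {
		LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d",
		    len));
		*err = EKEYLEN;
		return 0;
	}
	ks = calloc(1, sizeof *ks);
	if (!ks) {
		log_error("crypto_init: calloc (1, %lu) failed",
		    (unsigned long)sizeof *ks);
		*err = ENOCRYPTO;
		return 0;
	}
	ks->xf = xf;

	/* Setup the IV.  */
	ks->riv = ks->iv;
	ks->liv = ks->iv2;

	/*
	 * NOTE(review): this writes the raw key bytes to the debug log when
	 * LOG_CRYPTO debugging is enabled at this level.  Treat such logs as
	 * key material and keep that level off outside a lab.
	 */
	LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len));

	*err = xf->init(ks, key, len);
	if (*err != EOKAY) {
		/*
		 * The message predates other failure causes; init callbacks
		 * may also fail for an unusable key length.
		 */
		LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s",
		    xf->name));
		/* The schedule may be partly filled in; wipe before release. */
		explicit_bzero(ks, sizeof *ks);
		free(ks);
		return 0;
	}
	return ks;
}

/*
 * Swap the riv and liv pointers, making the block saved in liv by the last
 * crypto_encrypt()/crypto_decrypt() call the IV for the next operation.
 */
void
crypto_update_iv(struct keystate *ks)
{
	u_int8_t       *tmp;

	tmp = ks->riv;
	ks->riv = ks->liv;
	ks->liv = tmp;

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv,
	    ks->xf->blocksize));
}

/*
 * Load LEN bytes from BUF as the current IV.
 *
 * NOTE(review): LEN is not checked against the size of the IV storage,
 * which is declared in crypto.h and not visible here.  Callers must pass
 * no more than one block (ks->xf->blocksize); anything larger than the
 * storage overruns it.
 */
void
crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len)
{
	memcpy(ks->riv, buf, len);

	LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv,
	    len));
}

/*
 * Encrypt LEN bytes of BUF in place with the keystate's transform, then
 * save the last ciphertext block in ks->liv for crypto_update_iv().
 *
 * LEN must be a non-zero multiple of the block size.  This is not checked
 * here: with LEN shorter than one block the memcpy below reads from before
 * BUF.  The function cannot report failure, so the caller has to validate.
 * At debug level 70 the plaintext is written to the log.
 */
void
crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: before encryption", buf,
	    len));
	ks->xf->encrypt(ks, buf, len);
	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: after encryption", buf,
	    len));
}

/*
 * Decrypt LEN bytes of BUF in place with the keystate's transform.  The
 * last ciphertext block is saved in ks->liv first, since decryption
 * overwrites it, so that crypto_update_iv() can install it afterwards.
 *
 * A buffer shorter than one block is refused and left as it was: the
 * pointer arithmetic below would otherwise read from before BUF.  Callers
 * are still expected to have checked that LEN is a multiple of the block
 * size; this is only a backstop.  At debug level 70 the decrypted data is
 * written to the log.
 */
void
crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
{
	if (len < ks->xf->blocksize) {
		LOG_DBG((LOG_CRYPTO, 10,
		    "crypto_decrypt: length %d shorter than block size",
		    len));
		return;
	}
	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: before decryption", buf,
	    len));
	/*
	 * XXX There is controversy about the correctness of updating the IV
	 * like this.
	 */
	memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
	ks->xf->decrypt(ks, buf, len);
	LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf,
	    len));
}

/*
 * Make a copy of the keystate pointed to by OKS.
 *
 * The struct is copied whole, then riv/liv are re-pointed at the copy's
 * own iv/iv2 arrays in the same arrangement as the original, so the clone
 * never aliases the original's IV storage.  Returns 0 if the allocation
 * fails.  The caller owns the result; it holds a full copy of the key
 * schedule, so it should be wiped before it is freed.
 */
struct keystate *
crypto_clone_keystate(struct keystate *oks)
{
	struct keystate *ks;

	ks = malloc(sizeof *ks);
	if (!ks) {
		log_error("crypto_clone_keystate: malloc (%lu) failed",
		    (unsigned long)sizeof *ks);
		return 0;
	}
	memcpy(ks, oks, sizeof *ks);
	if (oks->riv == oks->iv) {
		ks->riv = ks->iv;
		ks->liv = ks->iv2;
	} else {
		ks->riv = ks->iv2;
		ks->liv = ks->iv;
	}
	return ks;
}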