1 /* $OpenBSD: crypto.c,v 1.29 2007/05/07 18:25:30 cloder Exp $ */ 2 /* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1998 Niels Provos. All rights reserved. 6 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * This code was written under funding by Ericsson Radio Systems. 31 */ 32 33 #include <sys/param.h> 34 #include <stdlib.h> 35 #include <string.h> 36 37 #include "crypto.h" 38 #include "log.h" 39 40 enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t); 41 enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t); 42 enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t); 43 enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t); 44 enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t); 45 void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 46 void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 47 void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t); 48 void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t); 49 void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t); 50 void blf_decrypt(struct keystate *, u_int8_t *, u_int16_t); 51 void cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t); 52 void cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t); 53 void aes_encrypt(struct keystate *, u_int8_t *, u_int16_t); 54 void aes_decrypt(struct keystate *, u_int8_t *, u_int16_t); 55 56 struct crypto_xf transforms[] = { 57 { 58 DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, 59 BLOCKSIZE, 0, 60 des1_init, 61 des1_encrypt, des1_decrypt 62 }, 63 { 64 TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, 65 BLOCKSIZE, 0, 66 des3_init, 67 des3_encrypt, des3_decrypt 68 }, 69 { 70 BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, 71 BLOCKSIZE, 0, 72 blf_init, 73 blf_encrypt, blf_decrypt 74 }, 75 { 76 CAST_CBC, "CAST (CBC-Mode)", 12, 16, 77 BLOCKSIZE, 0, 78 cast_init, 79 cast1_encrypt, cast1_decrypt 80 }, 81 { 82 AES_CBC, "AES (CBC-Mode)", 16, 32, 83 AES_BLOCK_SIZE, 0, 84 aes_init, 85 aes_encrypt, aes_decrypt 86 }, 87 }; 88 89 enum cryptoerr 90 des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 91 { 92 /* des_set_key returns -1 for parity problems, and -2 for weak keys */ 93 des_set_odd_parity((void *)key); 94 switch (des_set_key((void *)key, ks->ks_des[0])) { 95 case -2: 96 return EWEAKKEY; 97 default: 98 return EOKAY; 99 } 100 } 101 102 void 103 des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 104 { 105 des_cbc_encrypt((void *)d, (void *)d, len, ks->ks_des[0], (void *)ks->riv, 106 DES_ENCRYPT); 107 } 108 109 void 110 des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) 111 { 112 des_cbc_encrypt((void *)d, (void *)d, len, ks->ks_des[0], (void *)ks->riv, 113 DES_DECRYPT); 114 } 115 116 enum cryptoerr 117 des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 118 { 119 des_set_odd_parity((void *)key); 120 des_set_odd_parity((void *)(key + 8)); 121 des_set_odd_parity((void *)(key + 16)); 122 123 /* As of the draft Tripe-DES does not check for weak keys */ 124 des_set_key((void *)key, ks->ks_des[0]); 125 des_set_key((void *)(key + 8), ks->ks_des[1]); 126 des_set_key((void *)(key + 16), ks->ks_des[2]); 127 128 return EOKAY; 129 } 130 131 void 132 des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 133 { 134 u_int8_t iv[MAXBLK]; 135 136 memcpy(iv, ks->riv, ks->xf->blocksize); 137 des_ede3_cbc_encrypt((void *)data, (void *)data, len, ks->ks_des[0], 138 ks->ks_des[1], ks->ks_des[2], (void *)iv, DES_ENCRYPT); 139 } 140 141 void 142 des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 143 { 144 u_int8_t iv[MAXBLK]; 145 146 memcpy(iv, ks->riv, ks->xf->blocksize); 147 des_ede3_cbc_encrypt((void *)data, (void *)data, len, ks->ks_des[0], 148 ks->ks_des[1], ks->ks_des[2], (void *)iv, DES_DECRYPT); 149 } 150 151 enum cryptoerr 152 blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 153 { 154 blf_key(&ks->ks_blf, key, len); 155 156 return EOKAY; 157 } 158 159 void 160 blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 161 { 162 u_int16_t i, blocksize = ks->xf->blocksize; 163 u_int8_t *iv = ks->liv; 164 u_int32_t xl, xr; 165 166 memcpy(iv, ks->riv, blocksize); 167 168 for (i = 0; i < len; data += blocksize, i += blocksize) { 169 XOR64(data, iv); 170 xl = GET_32BIT_BIG(data); 171 xr = GET_32BIT_BIG(data + 4); 172 Blowfish_encipher(&ks->ks_blf, &xl, &xr); 173 SET_32BIT_BIG(data, xl); 174 SET_32BIT_BIG(data + 4, xr); 175 SET64(iv, data); 176 } 177 } 178 179 void 180 blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 181 { 182 u_int16_t i, blocksize = ks->xf->blocksize; 183 u_int32_t xl, xr; 184 185 data += len - blocksize; 186 for (i = len - blocksize; i >= blocksize; data -= blocksize, 187 i -= blocksize) { 188 xl = GET_32BIT_BIG(data); 189 xr = GET_32BIT_BIG(data + 4); 190 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 191 SET_32BIT_BIG(data, xl); 192 SET_32BIT_BIG(data + 4, xr); 193 XOR64(data, data - blocksize); 194 195 } 196 xl = GET_32BIT_BIG(data); 197 xr = GET_32BIT_BIG(data + 4); 198 Blowfish_decipher(&ks->ks_blf, &xl, &xr); 199 SET_32BIT_BIG(data, xl); 200 SET_32BIT_BIG(data + 4, xr); 201 XOR64(data, ks->riv); 202 } 203 204 enum cryptoerr 205 cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 206 { 207 cast_setkey(&ks->ks_cast, key, len); 208 return EOKAY; 209 } 210 211 void 212 cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 213 { 214 u_int16_t i, blocksize = ks->xf->blocksize; 215 u_int8_t *iv = ks->liv; 216 217 memcpy(iv, ks->riv, blocksize); 218 219 for (i = 0; i < len; data += blocksize, i += blocksize) { 220 XOR64(data, iv); 221 cast_encrypt(&ks->ks_cast, data, data); 222 SET64(iv, data); 223 } 224 } 225 226 void 227 cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 228 { 229 u_int16_t i, blocksize = ks->xf->blocksize; 230 231 data += len - blocksize; 232 for (i = len - blocksize; i >= blocksize; data -= blocksize, 233 i -= blocksize) { 234 cast_decrypt(&ks->ks_cast, data, data); 235 XOR64(data, data - blocksize); 236 } 237 cast_decrypt(&ks->ks_cast, data, data); 238 XOR64(data, ks->riv); 239 } 240 241 enum cryptoerr 242 aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len) 243 { 244 AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]); 245 AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]); 246 return EOKAY; 247 } 248 249 void 250 aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 251 { 252 u_int8_t iv[MAXBLK]; 253 254 memcpy(iv, ks->riv, ks->xf->blocksize); 255 AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT); 256 } 257 258 void 259 aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) 260 { 261 u_int8_t iv[MAXBLK]; 262 263 memcpy(iv, ks->riv, ks->xf->blocksize); 264 AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT); 265 } 266 267 struct crypto_xf * 268 crypto_get(enum transform id) 269 { 270 size_t i; 271 272 for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) 273 if (id == transforms[i].id) 274 return &transforms[i]; 275 276 return 0; 277 } 278 279 struct keystate * 280 crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len, 281 enum cryptoerr *err) 282 { 283 struct keystate *ks; 284 285 if (len < xf->keymin || len > xf->keymax) { 286 LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", 287 len)); 288 *err = EKEYLEN; 289 return 0; 290 } 291 ks = calloc(1, sizeof *ks); 292 if (!ks) { 293 log_error("crypto_init: calloc (1, %lu) failed", 294 (unsigned long)sizeof *ks); 295 *err = ENOCRYPTO; 296 return 0; 297 } 298 ks->xf = xf; 299 300 /* Setup the IV. */ 301 ks->riv = ks->iv; 302 ks->liv = ks->iv2; 303 304 LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len)); 305 306 *err = xf->init(ks, key, len); 307 if (*err != EOKAY) { 308 LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", 309 xf->name)); 310 free(ks); 311 return 0; 312 } 313 return ks; 314 } 315 316 void 317 crypto_update_iv(struct keystate *ks) 318 { 319 u_int8_t *tmp; 320 321 tmp = ks->riv; 322 ks->riv = ks->liv; 323 ks->liv = tmp; 324 325 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, 326 ks->xf->blocksize)); 327 } 328 329 void 330 crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len) 331 { 332 memcpy(ks->riv, buf, len); 333 334 LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv, 335 len)); 336 } 337 338 void 339 crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 340 { 341 LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: before encryption", buf, 342 len)); 343 ks->xf->encrypt(ks, buf, len); 344 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 345 LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_encrypt: after encryption", buf, 346 len)); 347 } 348 349 void 350 crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) 351 { 352 LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: before decryption", buf, 353 len)); 354 /* 355 * XXX There is controversy about the correctness of updating the IV 356 * like this. 357 */ 358 memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); 359 ks->xf->decrypt(ks, buf, len); 360 LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf, 361 len)); 362 } 363 364 /* Make a copy of the keystate pointed to by OKS. */ 365 struct keystate * 366 crypto_clone_keystate(struct keystate *oks) 367 { 368 struct keystate *ks; 369 370 ks = malloc(sizeof *ks); 371 if (!ks) { 372 log_error("crypto_clone_keystate: malloc (%lu) failed", 373 (unsigned long)sizeof *ks); 374 return 0; 375 } 376 memcpy(ks, oks, sizeof *ks); 377 if (oks->riv == oks->iv) { 378 ks->riv = ks->iv; 379 ks->liv = ks->iv2; 380 } else { 381 ks->riv = ks->iv2; 382 ks->liv = ks->iv; 383 } 384 return ks; 385 } 386