search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix error API.
[shishi.git] / lib / crypto.c
blobdddd1a61dfbbdab9eb1a7c01178ba36f98d66c10
1 /* crypto.c crypto functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 /* XXX several functions with out/outlen writes longer than the outlen */
23
24 #include "internal.h"
25 #ifdef USE_GCRYPT
26 #include <gcrypt.h>
27 #else
28 #include "hmac.h"
29 #include "des.h"
30 #include "aes.h"
31 #include "cbc.h"
32 #include "cbc-cts.h"
33 #include "cbc-mac.h"
34 #endif
35
36 static void
37 escapeprint (const char *str, int len)
38 {
39 int i;
40
41 printf ("\t ;; `");
42 for (i = 0; i < len; i++)
43 if ((str[i] >= 'A' && str[i] <= 'Z') ||
44 (str[i] >= 'a' && str[i] <= 'z') ||
45 (str[i] >= '0' && str[i] <= '9') || str[i] == '.')
46 printf ("%c", str[i] & 0xFF);
47 else
48 printf ("\\x%02x", str[i] & 0xFF);
49 printf ("' (length %d bytes)\n", len);
50 }
51
52 static void
53 hexprint (const char *str, int len)
54 {
55 int i;
56
57 printf ("\t ;; ");
58 for (i = 0; i < len; i++)
59 {
60 printf ("%02x ", str[i] & 0xFF);
61 if ((i + 1) % 8 == 0)
62 printf (" ");
63 if ((i + 1) % 16 == 0 && i + 1 < len)
64 printf ("\n\t ;; ");
65 }
66 }
67
68 static void
69 binprint (const char *str, int len)
70 {
71 int i;
72
73 printf ("\t ;; ");
74 for (i = 0; i < len; i++)
75 {
76 printf ("%d%d%d%d%d%d%d%d ",
77 str[i] & 0x80 ? 1 : 0,
78 str[i] & 0x40 ? 1 : 0,
79 str[i] & 0x20 ? 1 : 0,
80 str[i] & 0x10 ? 1 : 0,
81 str[i] & 0x08 ? 1 : 0,
82 str[i] & 0x04 ? 1 : 0,
83 str[i] & 0x02 ? 1 : 0, str[i] & 0x01 ? 1 : 0);
84 if ((i + 1) % 3 == 0)
85 printf (" ");
86 if ((i + 1) % 6 == 0 && i + 1 < len)
87 printf ("\n\t ;; ");
88 }
89 }
90
91 static void
92 bin7print (const char *str, int len)
93 {
94 int i;
95
96 printf ("\t ;; ");
97 for (i = 0; i < len; i++)
98 {
99 printf ("%d%d%d%d%d%d%d ",
100 str[i] & 0x40 ? 1 : 0,
101 str[i] & 0x20 ? 1 : 0,
102 str[i] & 0x10 ? 1 : 0,
103 str[i] & 0x08 ? 1 : 0,
104 str[i] & 0x04 ? 1 : 0,
105 str[i] & 0x02 ? 1 : 0, str[i] & 0x01 ? 1 : 0);
106 if ((i + 1) % 3 == 0)
107 printf (" ");
108 if ((i + 1) % 6 == 0 && i + 1 < len)
109 printf ("\n\t ;; ");
110 }
111 }
112
113 static int
114 gcd (int a, int b)
115 {
116 if (b == 0)
117 return a;
118 else
119 return gcd (b, a % b);
120 }
121
122 static int
123 lcm (int a, int b)
124 {
125 return a * b / gcd (a, b);
126 }
127
128 static int
129 rot13 (Shishi * handle, char *in, char *out, int len)
130 {
131 if (VERBOSECRYPTO (handle))
132 {
133 printf ("\t ;; rot 13 in:\n");
134 escapeprint (in, len);
135 hexprint (in, len);
136 puts ("");
137 binprint (in, len);
138 puts ("");
139 }
140
141 if (len == 1)
142 {
143 out[0] =
144 ((in[0] >> 5) & 0x01) |
145 ((in[0] >> 5) & 0x02) |
146 ((in[0] >> 5) & 0x04) |
147 ((in[0] << 3) & 0x08) |
148 ((in[0] << 3) & 0x10) |
149 ((in[0] << 3) & 0x20) | ((in[0] << 3) & 0x40) | ((in[0] << 3) & 0x80);
150 }
151 else if (len > 1)
152 {
153 char nexttolast, last;
154 int i;
155
156 nexttolast = in[len - 2];
157 last = in[len - 1];
158
159 for (i = len * 8 - 1; i >= 13; i--)
160 {
161 int pos = i / 8;
162 char mask = ~(1 << (7 - i % 8));
163 int pos2 = (i - 13) / 8;
164 char mask2 = (1 << (7 - (i - 13) % 8));
165
166 out[pos] = (out[pos] & mask) |
167 (((in[pos2] & mask2) ? 0xFF : 0x00) & ~mask);
168 }
169 out[0] = ((nexttolast & 0xFF) << 3) | ((last & 0xFF) >> 5);
170 out[1] = (in[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last << 3));
171 }
172
173 if (VERBOSECRYPTO (handle))
174 {
175 printf ("\t ;; rot13 out:\n");
176 escapeprint (out, len);
177 hexprint (out, len);
178 puts ("");
179 binprint (out, len);
180 puts ("");
181 }
182
183 return SHISHI_OK;
184 }
185
186 static int
187 ocadd (char *add1, char *add2, char *sum, int len)
188 {
189 int i;
190 int carry = 0;
191
192 for (i = len - 1; i >= 0; i--)
193 {
194 int tmpsum = (unsigned char) add1[i] + (unsigned char) add2[i];
195
196 sum[i] = (tmpsum + carry) & 0xFF;
197 if (tmpsum + carry > 0xFF)
198 carry = 1;
199 else
200 carry = 0;
201 }
202 if (carry)
203 {
204 int done = 0;
205
206 for (i = len - 1; i >= 0; i--)
207 if ((unsigned char) sum[i] != 0xFF)
208 {
209 sum[i]++;
210 done = 1;
211 break;
212 }
213
214 if (!done)
215 memset (sum, 0, len);
216 }
217
218 return SHISHI_OK;
219 }
220
221 static int
222 simplified_hmac (Shishi * handle,
223 Shishi_key * key,
224 const char *in, size_t inlen,
225 char **outhash, size_t * outhashlen)
226 {
227 #if USE_GCRYPT
228 gcry_md_hd_t mdh;
229 int halg = GCRY_MD_SHA1;
230 size_t hlen = gcry_md_get_algo_dlen (halg);
231 unsigned char *hash;
232 gpg_error_t err;
233
234 err = gcry_md_open (&mdh, halg, GCRY_MD_FLAG_HMAC);
235 if (err != GPG_ERR_NO_ERROR)
236 {
237 shishi_error_printf (handle, "Libgcrypt md open failed");
238 shishi_error_set (handle, gpg_strerror (err));
239 return SHISHI_CRYPTO_INTERNAL_ERROR;
240 }
241
242 err = gcry_md_setkey (mdh, shishi_key_value (key), shishi_key_length (key));
243 if (err != GPG_ERR_NO_ERROR)
244 {
245 shishi_error_printf (handle, "Libgcrypt md setkey failed");
246 shishi_error_set (handle, gpg_strerror (err));
247 return SHISHI_CRYPTO_INTERNAL_ERROR;
248 }
249
250 gcry_md_write (mdh, in, inlen);
251
252 hash = gcry_md_read (mdh, halg);
253 if (hash == NULL)
254 {
255 shishi_error_printf (handle, "Libgcrypt failed to compute hash");
256 return SHISHI_CRYPTO_INTERNAL_ERROR;
257 }
258
259 *outhashlen = hlen;
260 *outhash = xmemdup (*outhash, hash, *outhashlen);
261
262 gcry_md_close (mdh);
263 #else
264 struct hmac_sha1_ctx ctx;
265 hmac_sha1_set_key (&ctx, shishi_key_length (key), shishi_key_value (key));
266 hmac_sha1_update (&ctx, inlen, in);
267 *outhashlen = SHA1_DIGEST_SIZE;
268 *outhash = xmalloc (*outhashlen);
269 hmac_sha1_digest (&ctx, *outhashlen, *outhash);
270 #endif
271 return SHISHI_OK;
272 }
273
274 static int
275 simplified_hmac_verify (Shishi * handle,
276 Shishi_key * key,
277 const char *in, size_t inlen,
278 const char *hmac, size_t hmaclen)
279 {
280 char *hash;
281 size_t hlen;
282 int same;
283 int res;
284
285 res = simplified_hmac (handle, key, in, inlen, &hash, &hlen);
286 if (res != SHISHI_OK || hash == NULL)
287 return res;
288
289 same = (hlen == hmaclen) && memcmp (hash, hmac, hmaclen) == 0;
290
291 free (hash);
292
293 if (!same)
294 {
295 shishi_error_printf (handle, "HMAC verify failed");
296 return SHISHI_CRYPTO_ERROR;
297 }
298
299 return SHISHI_OK;
300 }
301
302 typedef enum
303 {
304 SHISHI_DERIVEKEYMODE_CHECKSUM,
305 SHISHI_DERIVEKEYMODE_PRIVACY,
306 SHISHI_DERIVEKEYMODE_INTEGRITY
307 }
308 Shishi_derivekeymode;
309
310 static int
311 simplified_derivekey (Shishi * handle,
312 Shishi_key * key,
313 int keyusage, int derivekeymode, Shishi_key ** outkey)
314 {
315 char constant[5];
316 int res = SHISHI_OK;
317 Shishi_key *derivedkey;
318
319 if (VERBOSECRYPTO (handle))
320 {
321 printf ("simplified_derivekey\n");
322 printf ("\t ;; mode %d (%s)\n", derivekeymode,
323 derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM ? "checksum" :
324 derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY ? "integrity" :
325 derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY ? "privacy" :
326 "base-key");
327 hexprint (shishi_key_value (key), shishi_key_length (key));
328 puts ("");
329 }
330
331
332 res = shishi_key_from_value (handle, shishi_key_type (key),
333 NULL, &derivedkey);
334 if (res != SHISHI_OK)
335 return res;
336
337 *outkey = derivedkey;
338
339 if (keyusage)
340 {
341 uint32_t tmp = htonl (keyusage);
342 memcpy (constant, &tmp, 4);
343 if (derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM)
344 constant[4] = '\x99';
345 else if (derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY)
346 constant[4] = '\x55';
347 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
348 constant[4] = '\xAA';
349
350 res = shishi_dk (handle, key, constant, 5, derivedkey);
351 }
352 else
353 {
354 shishi_key_copy (derivedkey, key);
355 }
356
357 if (VERBOSECRYPTO (handle))
358 {
359 printf ("\t ;; simplified_derivekey out (%d):\n",
360 shishi_key_length (derivedkey));
361 hexprint (shishi_key_value (derivedkey),
362 shishi_key_length (derivedkey));
363 puts ("");
364 }
365
366 return res;
367 }
368
369 static int
370 simplified_dencrypt (Shishi * handle,
371 Shishi_key * key,
372 const char *iv, size_t ivlen,
373 char **ivout, size_t * ivoutlen,
374 const char *in, size_t inlen,
375 char **out, size_t * outlen, int decryptp)
376 {
377 #ifdef USE_GCRYPT
378 gcry_cipher_hd_t ch;
379 gpg_error_t err;
380 int alg = 0;
381 int mode = GCRY_CIPHER_MODE_CBC;
382 int flags = 0;
383
384 switch (shishi_key_type (key))
385 {
386 case SHISHI_DES_CBC_CRC:
387 case SHISHI_DES_CBC_MD4:
388 case SHISHI_DES_CBC_MD5:
389 alg = GCRY_CIPHER_DES;
390 *outlen = inlen;
391 break;
392
393 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
394 alg = GCRY_CIPHER_3DES;
395 *outlen = inlen;
396 break;
397
398 case SHISHI_AES128_CTS_HMAC_SHA1_96:
399 case SHISHI_AES256_CTS_HMAC_SHA1_96:
400 alg = GCRY_CIPHER_AES;
401 flags |= GCRY_CIPHER_CBC_CTS;
402 *outlen = inlen;
403 break;
404 }
405
406 err = gcry_cipher_open (&ch, alg, mode, flags);
407 if (err != GPG_ERR_NO_ERROR)
408 {
409 shishi_error_printf (handle, "Libgcrypt cipher open failed");
410 shishi_error_set (handle, gpg_strerror (err));
411 return SHISHI_CRYPTO_INTERNAL_ERROR;
412 }
413
414 err = gcry_cipher_setkey (ch, shishi_key_value (key),
415 shishi_key_length (key));
416 if (err != GPG_ERR_NO_ERROR)
417 {
418 shishi_error_printf (handle, "Libgcrypt setkey failed");
419 shishi_error_set (handle, gpg_strerror (err));
420 return SHISHI_CRYPTO_INTERNAL_ERROR;
421 }
422
423 err = gcry_cipher_setiv (ch, iv, ivlen);
424 if (err != GPG_ERR_NO_ERROR)
425 {
426 shishi_error_printf (handle, "Libgcrypt setiv failed");
427 shishi_error_set (handle, gpg_strerror (err));
428 return SHISHI_CRYPTO_INTERNAL_ERROR;
429 }
430
431 *out = xmalloc (*outlen);
432
433 if (decryptp)
434 err = gcry_cipher_decrypt (ch, (unsigned char *) *out, *outlen,
435 (const unsigned char *) in, inlen);
436 else
437 err = gcry_cipher_encrypt (ch, (unsigned char *) *out, *outlen,
438 (const unsigned char *) in, inlen);
439 if (err != GPG_ERR_NO_ERROR)
440 {
441 shishi_error_set (handle, gpg_strerror (err));
442 return SHISHI_CRYPTO_INTERNAL_ERROR;
443 }
444
445 if (ivout && ivoutlen)
446 {
447 *ivoutlen = gcry_cipher_get_algo_blklen (alg);
448 *ivout = xmalloc (*ivoutlen);
449 if (decryptp)
450 memcpy (*ivout, in + inlen - *ivoutlen, *ivoutlen);
451 else
452 /* XXX what is the output iv for CBC-CTS mode?
453 but is this value useful at all for that mode anyway?
454 Mostly it is DES apps that want the updated iv, so this is ok. */
455 memcpy (*ivout, *out + *outlen - *ivoutlen, *ivoutlen);
456 }
457
458 gcry_cipher_close (ch);
459 #else
460 struct CBC_CTX (struct des_ctx, DES_BLOCK_SIZE) des;
461 struct CBC_CTX (struct des3_ctx, DES3_BLOCK_SIZE) des3;
462 struct CBC_CTS_CTX (struct aes_ctx, AES_BLOCK_SIZE) aes;
463 int rc;
464
465 *outlen = inlen;
466 *out = xmalloc (*outlen);
467
468 switch (shishi_key_type (key))
469 {
470 case SHISHI_DES_CBC_CRC:
471 case SHISHI_DES_CBC_MD4:
472 case SHISHI_DES_CBC_MD5:
473 rc = des_set_key (&des.ctx, shishi_key_value (key));
474 if (!rc)
475 {
476 shishi_error_printf (handle, "Nettle setkey failed");
477 return SHISHI_CRYPTO_INTERNAL_ERROR;
478 }
479 memset (des.iv, 0, sizeof (des.iv));
480 /* XXX Use CBC_SET_IV (&des, iv), but how with ivlen? */
481 memcpy (des.iv, iv, ivlen < sizeof (des.iv) ? ivlen : sizeof (des.iv));
482 if (decryptp)
483 CBC_DECRYPT (&des, des_decrypt, inlen, *out, in);
484 else
485 CBC_ENCRYPT (&des, des_encrypt, inlen, *out, in);
486 if (ivout && ivoutlen)
487 {
488 *ivoutlen = sizeof (des.iv);
489 /* XXX see above */
490 *ivout = xmemdup (*ivout, des.iv, *ivoutlen);
491 }
492 break;
493
494 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
495 rc = des3_set_key (&des3.ctx, shishi_key_value (key));
496 if (!rc)
497 {
498 shishi_error_printf (handle, "Nettle setkey failed");
499 return SHISHI_CRYPTO_INTERNAL_ERROR;
500 }
501 memset (des3.iv, 0, sizeof (des3.iv));
502 /* XXX Use CBC_SET_IV (&des, iv), but how with ivlen? */
503 memcpy (des3.iv, iv,
504 ivlen < sizeof (des3.iv) ? ivlen : sizeof (des3.iv));
505 if (decryptp)
506 CBC_DECRYPT (&des3, des3_decrypt, inlen, *out, in);
507 else
508 CBC_ENCRYPT (&des3, des3_encrypt, inlen, *out, in);
509 if (ivout && ivoutlen)
510 {
511 *ivoutlen = sizeof (des3.iv);
512 /* XXX see above */
513 *ivout = xmemdup (*ivout, des3.iv, *ivoutlen);
514 }
515 break;
516
517 case SHISHI_AES128_CTS_HMAC_SHA1_96:
518 case SHISHI_AES256_CTS_HMAC_SHA1_96:
519 memset (aes.iv, 0, sizeof (aes.iv));
520 /* XXX Use CBC_SET_IV (&des, iv), but how with ivlen? */
521 memcpy (aes.iv, iv, ivlen < sizeof (aes.iv) ? ivlen : sizeof (aes.iv));
522 if (decryptp)
523 {
524 aes_set_decrypt_key (&aes.ctx, shishi_key_length (key),
525 shishi_key_value (key));
526 CBC_CTS_DECRYPT (&aes, aes_decrypt, inlen, *out, in);
527 }
528 else
529 {
530 aes_set_encrypt_key (&aes.ctx, shishi_key_length (key),
531 shishi_key_value (key));
532 CBC_CTS_ENCRYPT (&aes, aes_encrypt, inlen, *out, in);
533 }
534 if (ivout && ivoutlen)
535 {
536 *ivoutlen = sizeof (aes.iv);
537 /* XXX see above */
538 *ivout = xmemdup (*ivout, aes.iv, *ivoutlen);
539 }
540 break;
541 }
542 #endif
543
544 return SHISHI_OK;
545 }
546
547 static int
548 simplified_encrypt (Shishi * handle,
549 Shishi_key * key,
550 int keyusage,
551 const char *iv, size_t ivlen,
552 char **ivout, size_t * ivoutlen,
553 const char *in, size_t inlen, char **out, size_t * outlen)
554 {
555 int res;
556 int padzerolen = 0;
557
558 if ((shishi_key_type (key) == SHISHI_DES3_CBC_HMAC_SHA1_KD ||
559 shishi_key_type (key) == SHISHI_DES_CBC_CRC ||
560 shishi_key_type (key) == SHISHI_DES_CBC_MD4 ||
561 shishi_key_type (key) == SHISHI_DES_CBC_MD5) && (inlen % 8) != 0)
562 while (((inlen + padzerolen) % 8) != 0)
563 padzerolen++;
564
565 if (keyusage != 0)
566 {
567 char *pt = NULL, *ct = NULL, *hmac = NULL;
568 int blen = shishi_cipher_blocksize (shishi_key_type (key));
569 size_t ctlen, ptlen, hmaclen;
570 Shishi_key *privacykey = NULL, *integritykey = NULL;
571
572 ptlen = inlen + blen + padzerolen;
573 pt = xmalloc (ptlen);
574
575 res = shishi_randomize (handle, pt, blen);
576 if (res != SHISHI_OK)
577 goto done;
578
579 memcpy (pt + blen, in, inlen);
580 memset (pt + blen + inlen, 0, padzerolen);
581
582 res = simplified_derivekey (handle, key, keyusage,
583 SHISHI_DERIVEKEYMODE_PRIVACY, &privacykey);
584 if (res != SHISHI_OK)
585 goto done;
586
587 res =
588 simplified_dencrypt (handle, privacykey, iv, ivlen, ivout, ivoutlen,
589 pt, ptlen, &ct, &ctlen, 0);
590 if (res != SHISHI_OK)
591 goto done;
592
593
594 res = simplified_derivekey (handle, key, keyusage,
595 SHISHI_DERIVEKEYMODE_INTEGRITY,
596 &integritykey);
597 if (res != SHISHI_OK)
598 goto done;
599
600 res =
601 simplified_hmac (handle, integritykey, pt, ptlen, &hmac, &hmaclen);
602 if (res != SHISHI_OK)
603 goto done;
604
605 *outlen = ctlen + hmaclen;
606 *out = xmalloc (*outlen);
607 memcpy (*out, ct, ctlen);
608 memcpy (*out + ctlen, hmac, hmaclen);
609
610 done:
611 if (&privacykey)
612 shishi_key_done (privacykey);
613 if (&integritykey)
614 shishi_key_done (integritykey);
615 if (hmac)
616 free (hmac);
617 if (ct)
618 free (ct);
619 if (pt)
620 free (pt);
621 }
622 else
623 {
624 res = simplified_dencrypt (handle, key, iv, ivlen, ivout, ivoutlen,
625 in, inlen, out, outlen, 0);
626 }
627
628 return res;
629 }
630
631 static int
632 simplified_decrypt (Shishi * handle,
633 Shishi_key * key,
634 int keyusage,
635 const char *iv, size_t ivlen,
636 char **ivout, size_t * ivoutlen,
637 const char *in, size_t inlen, char **out, size_t * outlen)
638 {
639 int res;
640
641 if (keyusage)
642 {
643 Shishi_key *privacykey = NULL, *integritykey = NULL;
644 int blen = shishi_cipher_blocksize (shishi_key_type (key));
645 size_t hlen = 20; /* XXX only works for SHA-1 */
646
647 res = simplified_derivekey (handle, key, keyusage,
648 SHISHI_DERIVEKEYMODE_PRIVACY, &privacykey);
649 if (res != SHISHI_OK)
650 goto done;
651
652 res =
653 simplified_dencrypt (handle, privacykey, iv, ivlen, ivout, ivoutlen,
654 in, inlen - hlen, out, outlen, 1);
655 if (res != SHISHI_OK)
656 goto done;
657
658 res = simplified_derivekey (handle, key, keyusage,
659 SHISHI_DERIVEKEYMODE_INTEGRITY,
660 &integritykey);
661 if (res != SHISHI_OK)
662 goto done;
663
664 res = simplified_hmac_verify (handle, integritykey, *out, *outlen,
665 in + inlen - hlen, hlen);
666
667 if (res != SHISHI_OK)
668 goto done;
669
670 memmove (*out, *out + blen, *outlen - blen);
671 *outlen = *outlen - blen;
672 *out = xrealloc (*out, *outlen);
673
674 done:
675 if (privacykey)
676 shishi_key_done (privacykey);
677 if (integritykey)
678 shishi_key_done (integritykey);
679 }
680 else
681 {
682 res = simplified_dencrypt (handle, key, iv, ivlen, ivout, ivoutlen,
683 in, inlen, out, outlen, 1);
684 }
685
686 return res;
687 }
688
689 static int
690 simplified_checksum (Shishi * handle,
691 Shishi_key * key,
692 int keyusage,
693 int cksumtype,
694 const char *in, size_t inlen,
695 char **out, size_t * outlen)
696 {
697 Shishi_key *checksumkey;
698 int cksumlen = shishi_checksum_cksumlen (cksumtype);
699 int res;
700
701 res = simplified_derivekey (handle, key, keyusage,
702 SHISHI_DERIVEKEYMODE_CHECKSUM, &checksumkey);
703 if (res != SHISHI_OK)
704 return res;
705
706 res = simplified_hmac (handle, checksumkey, in, inlen, out, outlen);
707
708 shishi_key_done (checksumkey);
709
710 if (res != SHISHI_OK)
711 return res;
712
713 *outlen = cksumlen;
714
715 return SHISHI_OK;
716 }
717
718 int
719 _shishi_cipher_init (void)
720 {
721 #ifdef USE_GCRYPT
722 if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P) == 0)
723 {
724 if (gcry_check_version (GCRYPT_VERSION) == NULL)
725 return SHISHI_CRYPTO_INTERNAL_ERROR;
726 if (gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0) != GPG_ERR_NO_ERROR)
727 return SHISHI_CRYPTO_INTERNAL_ERROR;
728 if (gcry_control (GCRYCTL_INITIALIZATION_FINISHED,
729 NULL, 0) != GPG_ERR_NO_ERROR)
730 return SHISHI_CRYPTO_INTERNAL_ERROR;
731 }
732 #endif
733
734 return SHISHI_OK;
735 }
736
737 typedef int (*Shishi_random_to_key_function) (Shishi * handle,
738 const char *random,
739 size_t randomlen,
740 Shishi_key * outkey);
741
742 typedef int (*Shishi_string_to_key_function) (Shishi * handle,
743 const char *password,
744 size_t passwordlen,
745 const char *salt,
746 size_t saltlen,
747 const char *parameter,
748 Shishi_key * outkey);
749
750 typedef int (*Shishi_encrypt_function) (Shishi * handle,
751 Shishi_key * key,
752 int keyusage,
753 const char *iv, size_t ivlen,
754 char **ivout, size_t * ivoutlen,
755 const char *in, size_t inlen,
756 char **out, size_t * outlen);
757
758 typedef int (*Shishi_decrypt_function) (Shishi * handle,
759 Shishi_key * key,
760 int keyusage,
761 const char *iv, size_t ivlen,
762 char **ivout, size_t * ivoutlen,
763 const char *in, size_t inlen,
764 char **out, size_t * outlen);
765
766 typedef int (*Shishi_checksum_function) (Shishi * handle,
767 Shishi_key * key,
768 int keyusage,
769 int cksumtype,
770 const char *in, size_t inlen,
771 char **out, size_t * outlen);
772
773 typedef int (*Shishi_verify_function) (Shishi * handle,
774 Shishi_key * key,
775 int keyusage,
776 int cksumtype,
777 const char *in, size_t inlen,
778 const char *cksum, size_t cksumlen);
779
780 #include "crypto-null.c"
781 #include "crypto-md.c"
782 #include "crypto-des.c"
783 #include "crypto-3des.c"
784 #include "crypto-aes.c"
785 #include "crypto-rc4.c"
786
787 struct cipherinfo
788 {
789 int32_t type;
790 char *name;
791 int blocksize;
792 int minpadsize;
793 int confoundersize;
794 int keylen;
795 int randomlen;
796 int defaultcksumtype;
797 Shishi_random_to_key_function random2key;
798 Shishi_string_to_key_function string2key;
799 Shishi_encrypt_function encrypt;
800 Shishi_decrypt_function decrypt;
801 };
802 typedef struct cipherinfo cipherinfo;
803
804 static cipherinfo null_info = {
805 SHISHI_NULL,
806 "NULL",
807 1,
808 0,
809 0,
810 0,
811 0,
812 SHISHI_RSA_MD5,
813 null_random_to_key,
814 null_string_to_key,
815 null_encrypt,
816 null_decrypt
817 };
818
819 static cipherinfo des_cbc_crc_info = {
820 SHISHI_DES_CBC_CRC,
821 "des-cbc-crc",
822 8,
823 4,
824 8,
825 8,
826 8,
827 SHISHI_RSA_MD5_DES,
828 des_random_to_key,
829 des_string_to_key,
830 des_crc_encrypt,
831 des_crc_decrypt
832 };
833
834 static cipherinfo des_cbc_md4_info = {
835 SHISHI_DES_CBC_MD4,
836 "des-cbc-md4",
837 8,
838 0,
839 8,
840 8,
841 8,
842 SHISHI_RSA_MD4_DES,
843 des_random_to_key,
844 des_string_to_key,
845 des_md4_encrypt,
846 des_md4_decrypt
847 };
848
849 static cipherinfo des_cbc_md5_info = {
850 SHISHI_DES_CBC_MD5,
851 "des-cbc-md5",
852 8,
853 0,
854 8,
855 8,
856 8,
857 SHISHI_RSA_MD5_DES,
858 des_random_to_key,
859 des_string_to_key,
860 des_md5_encrypt,
861 des_md5_decrypt
862 };
863
864 static cipherinfo des_cbc_none_info = {
865 SHISHI_DES_CBC_NONE,
866 "des-cbc-none",
867 8,
868 0,
869 8,
870 3 * 8,
871 3 * 8,
872 SHISHI_RSA_MD5_DES,
873 des_random_to_key,
874 des_string_to_key,
875 des_none_encrypt,
876 des_none_decrypt
877 };
878
879 static cipherinfo des3_cbc_none_info = {
880 SHISHI_DES3_CBC_NONE,
881 "des3-cbc-none",
882 8,
883 0,
884 8,
885 3 * 8,
886 3 * 8,
887 SHISHI_HMAC_SHA1_DES3_KD,
888 des3_random_to_key,
889 des3_string_to_key,
890 des3none_encrypt,
891 des3none_decrypt
892 };
893
894 static cipherinfo des3_cbc_sha1_kd_info = {
895 SHISHI_DES3_CBC_HMAC_SHA1_KD,
896 "des3-cbc-sha1-kd",
897 8,
898 0,
899 8,
900 3 * 8,
901 3 * 8,
902 SHISHI_HMAC_SHA1_DES3_KD,
903 des3_random_to_key,
904 des3_string_to_key,
905 _des3_encrypt,
906 _des3_decrypt
907 };
908
909 static cipherinfo aes128_cts_hmac_sha1_96_info = {
910 SHISHI_AES128_CTS_HMAC_SHA1_96,
911 "aes128-cts-hmac-sha1-96",
912 16,
913 0,
914 16,
915 128 / 8,
916 128 / 8,
917 SHISHI_HMAC_SHA1_96_AES128,
918 aes128_random_to_key,
919 aes128_string_to_key,
920 aes128_encrypt,
921 aes128_decrypt
922 };
923
924 static cipherinfo aes256_cts_hmac_sha1_96_info = {
925 SHISHI_AES256_CTS_HMAC_SHA1_96,
926 "aes256-cts-hmac-sha1-96",
927 16,
928 0,
929 16,
930 256 / 8,
931 256 / 8,
932 SHISHI_HMAC_SHA1_96_AES256,
933 aes256_random_to_key,
934 aes256_string_to_key,
935 aes256_encrypt,
936 aes256_decrypt
937 };
938
939 static cipherinfo rc4_hmac_info = {
940 SHISHI_RC4_HMAC,
941 "rc4-hmac",
942 16,
943 0,
944 16,
945 16,
946 16,
947 SHISHI_RC4_HMAC_MD5,
948 rc4_hmac_random_to_key,
949 rc4_hmac_string_to_key,
950 rc4_hmac_encrypt,
951 rc4_hmac_decrypt
952 };
953
954 static cipherinfo rc4_hmac_exp_info = {
955 SHISHI_RC4_HMAC_EXP,
956 "rc4-hmac-exp",
957 16,
958 0,
959 16,
960 16,
961 16,
962 SHISHI_RC4_HMAC_MD5,
963 rc4_hmac_random_to_key,
964 rc4_hmac_string_to_key,
965 rc4_hmac_exp_encrypt,
966 rc4_hmac_exp_decrypt
967 };
968
969 static cipherinfo *ciphers[] = {
970 &null_info,
971 &des_cbc_crc_info,
972 &des_cbc_md4_info,
973 &des_cbc_md5_info,
974 &des_cbc_none_info,
975 &des3_cbc_none_info,
976 &des3_cbc_sha1_kd_info,
977 &aes128_cts_hmac_sha1_96_info,
978 &aes256_cts_hmac_sha1_96_info,
979 &rc4_hmac_info,
980 &rc4_hmac_exp_info
981 };
982
983 /**
984 * shishi_cipher_supported_p:
985 * @type: encryption type, see Shishi_etype.
986 *
987 * Return value: Return 0 iff cipher is unsupported.
988 **/
989 int
990 shishi_cipher_supported_p (int32_t type)
991 {
992 size_t i;
993
994 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
995 if (type == ciphers[i]->type)
996 return 1;
997
998 return 0;
999 }
1000
1001 /**
1002 * shishi_cipher_name:
1003 * @type: encryption type, see Shishi_etype.
1004 *
1005 * Return value: Return name of encryption type,
1006 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
1007 **/
1008 const char *
1009 shishi_cipher_name (int32_t type)
1010 {
1011 size_t i;
1012 char *p;
1013
1014 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1015 {
1016 if (type == ciphers[i]->type)
1017 return ciphers[i]->name;
1018 }
1019
1020 asprintf (&p, "unknown cipher %d", type);
1021 return p;
1022 }
1023
1024 /**
1025 * shishi_cipher_blocksize:
1026 * @type: encryption type, see Shishi_etype.
1027 *
1028 * Return value: Return block size for encryption type, as defined in
1029 * the standards.
1030 **/
1031 int
1032 shishi_cipher_blocksize (int32_t type)
1033 {
1034 size_t i;
1035
1036 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1037 if (type == ciphers[i]->type)
1038 return ciphers[i]->blocksize;
1039
1040 return -1;
1041 }
1042
1043 /**
1044 * shishi_cipher_minpadsize:
1045 * @type: encryption type, see Shishi_etype.
1046 *
1047 * Return value: Return the minimum pad size for encryption type, as
1048 * defined in the standards.
1049 **/
1050 int
1051 shishi_cipher_minpadsize (int32_t type)
1052 {
1053 size_t i;
1054
1055 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1056 if (type == ciphers[i]->type)
1057 return ciphers[i]->minpadsize;
1058
1059 return -1;
1060 }
1061
1062 /**
1063 * shishi_cipher_confoundersize:
1064 * @type: encryption type, see Shishi_etype.
1065 *
1066 * Return value: Returns the size of the confounder (random data) for
1067 * encryption type, as defined in the standards.
1068 **/
1069 int
1070 shishi_cipher_confoundersize (int32_t type)
1071 {
1072 size_t i;
1073
1074 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1075 if (type == ciphers[i]->type)
1076 return ciphers[i]->confoundersize;
1077
1078 return -1;
1079 }
1080
1081 /**
1082 * shishi_cipher_keylen:
1083 * @type: encryption type, see Shishi_etype.
1084 *
1085 * Return value: Return length of key used for the encryption type, as
1086 * defined in the standards.
1087 **/
1088 size_t
1089 shishi_cipher_keylen (int32_t type)
1090 {
1091 size_t i;
1092
1093 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1094 if (type == ciphers[i]->type)
1095 return ciphers[i]->keylen;
1096
1097 return -1;
1098 }
1099
1100 /**
1101 * shishi_cipher_randomlen:
1102 * @type: encryption type, see Shishi_etype.
1103 *
1104 * Return value: Return length of random used for the encryption type,
1105 * as defined in the standards.
1106 **/
1107 size_t
1108 shishi_cipher_randomlen (int32_t type)
1109 {
1110 size_t i;
1111
1112 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1113 if (type == ciphers[i]->type)
1114 return ciphers[i]->randomlen;
1115
1116 return -1;
1117 }
1118
1119 /**
1120 * shishi_cipher_defaultcksumtype:
1121 * @type: encryption type, see Shishi_etype.
1122 *
1123 * Return value: Return associated checksum mechanism for the
1124 * encryption type, as defined in the standards.
1125 **/
1126 int
1127 shishi_cipher_defaultcksumtype (int32_t type)
1128 {
1129 size_t i;
1130
1131 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1132 if (type == ciphers[i]->type)
1133 return ciphers[i]->defaultcksumtype;
1134
1135 return -1;
1136 }
1137
1138 /**
1139 * shishi_cipher_parse:
1140 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
1141 *
1142 * Return value: Return encryption type corresponding to a string.
1143 **/
1144 int
1145 shishi_cipher_parse (const char *cipher)
1146 {
1147 size_t i;
1148 char *endptr;
1149
1150 i = strtol (cipher, &endptr, 0);
1151
1152 if (endptr != cipher)
1153 return i;
1154
1155 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1156 if (strcasecmp (cipher, ciphers[i]->name) == 0)
1157 return ciphers[i]->type;
1158
1159 return -1;
1160 }
1161
1162 static Shishi_random_to_key_function
1163 _shishi_cipher_random_to_key (int32_t type)
1164 {
1165 size_t i;
1166
1167 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1168 if (type == ciphers[i]->type)
1169 return ciphers[i]->random2key;
1170
1171 return NULL;
1172 }
1173
1174 static Shishi_string_to_key_function
1175 _shishi_cipher_string_to_key (int32_t type)
1176 {
1177 size_t i;
1178
1179 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1180 if (type == ciphers[i]->type)
1181 return ciphers[i]->string2key;
1182
1183 return NULL;
1184 }
1185
1186 static Shishi_encrypt_function
1187 _shishi_cipher_encrypt (int32_t type)
1188 {
1189 size_t i;
1190
1191 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1192 if (type == ciphers[i]->type)
1193 return ciphers[i]->encrypt;
1194
1195 return NULL;
1196 }
1197
1198 static Shishi_decrypt_function
1199 _shishi_cipher_decrypt (int32_t type)
1200 {
1201 size_t i;
1202
1203 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1204 if (type == ciphers[i]->type)
1205 return ciphers[i]->decrypt;
1206
1207 return NULL;
1208 }
1209
1210 struct checksuminfo
1211 {
1212 int32_t type;
1213 char *name;
1214 int cksumlen;
1215 Shishi_checksum_function checksum;
1216 Shishi_verify_function verify;
1217 };
1218 typedef struct checksuminfo checksuminfo;
1219
1220 static checksuminfo md4_info = {
1221 SHISHI_RSA_MD4,
1222 "rsa-md4",
1223 16,
1224 md4_checksum
1225 };
1226
1227 static checksuminfo md4_des_info = {
1228 SHISHI_RSA_MD4_DES,
1229 "rsa-md4-des",
1230 24,
1231 des_md4_checksum
1232 };
1233
1234 static checksuminfo md5_info = {
1235 SHISHI_RSA_MD5,
1236 "rsa-md5",
1237 16,
1238 md5_checksum
1239 };
1240
1241 static checksuminfo md5_des_info = {
1242 SHISHI_RSA_MD5_DES,
1243 "rsa-md5-des",
1244 24,
1245 des_md5_checksum,
1246 des_md5_verify
1247 };
1248
1249 static checksuminfo md5_gss_info = {
1250 SHISHI_RSA_MD5_DES_GSS,
1251 "rsa-md5-des-gss",
1252 8,
1253 gss_des_checksum
1254 };
1255
1256 static checksuminfo hmac_sha1_des3_kd_info = {
1257 SHISHI_HMAC_SHA1_DES3_KD,
1258 "hmac-sha1-des3-kd",
1259 20,
1260 des3_checksum
1261 };
1262
1263 static checksuminfo hmac_sha1_96_aes128_info = {
1264 SHISHI_HMAC_SHA1_96_AES128,
1265 "hmac-sha1-96-aes128",
1266 96 / 8,
1267 aes128_checksum
1268 };
1269
1270 static checksuminfo hmac_sha1_96_aes256_info = {
1271 SHISHI_HMAC_SHA1_96_AES256,
1272 "hmac-sha1-96-aes256",
1273 96 / 8,
1274 aes256_checksum
1275 };
1276
1277 static checksuminfo rc4_hmac_md5_info = {
1278 SHISHI_RC4_HMAC_MD5,
1279 "rc4-hmac-md5",
1280 16,
1281 rc4_hmac_md5_checksum
1282 };
1283
1284 static checksuminfo *checksums[] = {
1285 &md4_info,
1286 &md4_des_info,
1287 &md5_info,
1288 &md5_des_info,
1289 &md5_gss_info,
1290 &hmac_sha1_des3_kd_info,
1291 &hmac_sha1_96_aes128_info,
1292 &hmac_sha1_96_aes256_info,
1293 &rc4_hmac_md5_info
1294 };
1295
1296 /**
1297 * shishi_checksum_supported_p:
1298 * @type: checksum type, see Shishi_cksumtype.
1299 *
1300 * Return value: Return 0 iff checksum is unsupported.
1301 **/
1302 int
1303 shishi_checksum_supported_p (int32_t type)
1304 {
1305 size_t i;
1306
1307 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1308 if (type == checksums[i]->type)
1309 return 1;
1310
1311 return 0;
1312 }
1313
1314 /**
1315 * shishi_checksum_name:
1316 * @type: checksum type, see Shishi_cksumtype.
1317 *
1318 * Return value: Return name of checksum type,
1319 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
1320 **/
1321 const char *
1322 shishi_checksum_name (int32_t type)
1323 {
1324 size_t i;
1325 char *p;
1326
1327 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1328 {
1329 if (type == checksums[i]->type)
1330 return checksums[i]->name;
1331 }
1332
1333 asprintf (&p, "unknown checksum %d", type);
1334 return p;
1335 }
1336
1337 /**
1338 * shishi_checksum_cksumlen:
1339 * @type: checksum type, see Shishi_cksumtype.
1340 *
1341 * Return value: Return length of checksum used for the checksum type,
1342 * as defined in the standards.
1343 **/
1344 size_t
1345 shishi_checksum_cksumlen (int32_t type)
1346 {
1347 size_t i;
1348
1349 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1350 if (type == checksums[i]->type)
1351 return checksums[i]->cksumlen;
1352
1353 return -1;
1354 }
1355
1356 /**
1357 * shishi_checksum_parse:
1358 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
1359 *
1360 * Return value: Return checksum type, see Shishi_cksumtype,
1361 * corresponding to a string.
1362 **/
1363 int
1364 shishi_checksum_parse (const char *checksum)
1365 {
1366 size_t i;
1367 char *endptr;
1368
1369 i = strtol (checksum, &endptr, 0);
1370
1371 if (endptr != checksum)
1372 return i;
1373
1374 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1375 if (strcasecmp (checksum, checksums[i]->name) == 0)
1376 return checksums[i]->type;
1377
1378 return -1;
1379 }
1380
1381 static Shishi_checksum_function
1382 _shishi_checksum (int32_t type)
1383 {
1384 size_t i;
1385
1386 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1387 if (type == checksums[i]->type)
1388 return checksums[i]->checksum;
1389
1390 return NULL;
1391 }
1392
1393 static Shishi_verify_function
1394 _shishi_verify (int32_t type)
1395 {
1396 size_t i;
1397
1398 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1399 if (type == checksums[i]->type)
1400 return checksums[i]->verify;
1401
1402 return NULL;
1403 }
1404
1405 /**
1406 * shishi_string_to_key:
1407 * @handle: shishi handle as allocated by shishi_init().
1408 * @keytype: cryptographic encryption type, see Shishi_etype.
1409 * @password: input array with password.
1410 * @passwordlen: length of input array with password.
1411 * @salt: input array with salt.
1412 * @saltlen: length of input array with salt.
1413 * @parameter: input array with opaque encryption type specific information.
1414 * @outkey: allocated key handle that will contain new key.
1415 *
1416 * Derive key from a string (password) and salt (commonly
1417 * concatenation of realm and principal) for specified key type, and
1418 * set the type and value in the given key to the computed values.
1419 * The parameter value is specific for each keytype, and can be set if
1420 * the parameter information is not available.
1421 *
1422 * Return value: Returns %SHISHI_OK iff successful.
1423 **/
1424 int
1425 shishi_string_to_key (Shishi * handle,
1426 int32_t keytype,
1427 const char *password, size_t passwordlen,
1428 const char *salt, size_t saltlen,
1429 const char *parameter, Shishi_key * outkey)
1430 {
1431 Shishi_string_to_key_function string2key;
1432 int res;
1433
1434 shishi_key_type_set (outkey, keytype);
1435
1436 if (VERBOSECRYPTO (handle))
1437 {
1438 printf ("string_to_key (%s, password, salt)\n",
1439 shishi_key_name (outkey));
1440 printf ("\t ;; password:\n");
1441 escapeprint (password, passwordlen);
1442 hexprint (password, passwordlen);
1443 puts ("");
1444 printf ("\t ;; salt:\n");
1445 escapeprint (salt, saltlen);
1446 hexprint (salt, saltlen);
1447 puts ("");
1448 }
1449
1450 string2key = _shishi_cipher_string_to_key (shishi_key_type (outkey));
1451 if (string2key == NULL)
1452 {
1453 shishi_error_printf (handle, "Unsupported keytype %d",
1454 shishi_key_type (outkey));
1455 return SHISHI_CRYPTO_ERROR;
1456 }
1457
1458 res = (*string2key) (handle, password, passwordlen,
1459 salt, saltlen, parameter, outkey);
1460
1461 if (VERBOSECRYPTO (handle))
1462 {
1463 printf ("\t ;; string_to_key key:\n");
1464 hexprint (shishi_key_value (outkey), shishi_key_length (outkey));
1465 puts ("");
1466 binprint (shishi_key_value (outkey), shishi_key_length (outkey));
1467 puts ("");
1468 }
1469
1470 return res;
1471 }
1472
1473 /**
1474 * shishi_random_to_key:
1475 * @handle: shishi handle as allocated by shishi_init().
1476 * @keytype: cryptographic encryption type, see Shishi_etype.
1477 * @random: input array with random data.
1478 * @randomlen: length of input array with random data.
1479 * @outkey: allocated key handle that will contain new key.
1480 *
1481 * Derive key from random data for specified key type, and set the
1482 * type and value in the given key to the computed values.
1483 *
1484 * Return value: Returns %SHISHI_OK iff successful.
1485 **/
1486 int
1487 shishi_random_to_key (Shishi * handle,
1488 int32_t keytype,
1489 char *random, size_t randomlen, Shishi_key * outkey)
1490 {
1491 Shishi_random_to_key_function random2key;
1492 int res;
1493
1494 shishi_key_type_set (outkey, keytype);
1495
1496 if (VERBOSECRYPTO (handle))
1497 {
1498 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey));
1499 printf ("\t ;; random:\n");
1500 hexprint (random, randomlen);
1501 puts ("");
1502 binprint (random, randomlen);
1503 puts ("");
1504 }
1505
1506 random2key = _shishi_cipher_random_to_key (keytype);
1507 if (random2key == NULL)
1508 {
1509 shishi_error_printf (handle, "Unsupported random_to_key() ekeytype %d",
1510 keytype);
1511 return SHISHI_CRYPTO_ERROR;
1512 }
1513
1514 res = (*random2key) (handle, random, randomlen, outkey);
1515
1516 if (VERBOSECRYPTO (handle))
1517 {
1518 printf ("\t ;; random_to_key key:\n");
1519 hexprint (shishi_key_value (outkey), shishi_key_length (outkey));
1520 puts ("");
1521 binprint (shishi_key_value (outkey), shishi_key_length (outkey));
1522 puts ("");
1523 }
1524
1525 return res;
1526 }
1527
1528 /**
1529 * shishi_checksum:
1530 * @handle: shishi handle as allocated by shishi_init().
1531 * @key: key to compute checksum with.
1532 * @keyusage: integer specifying what this key is used for.
1533 * @cksumtype: the checksum algorithm to use.
1534 * @in: input array with data to integrity protect.
1535 * @inlen: size of input array with data to integrity protect.
1536 * @out: output array with newly allocated integrity protected data.
1537 * @outlen: output variable with length of output array with checksum.
1538 *
1539 * Integrity protect data using key, possibly altered by supplied key
1540 * usage. If key usage is 0, no key derivation is used. The OUT
1541 * buffer must be deallocated by the caller.
1542 *
1543 * Return value: Returns %SHISHI_OK iff successful.
1544 **/
1545 int
1546 shishi_checksum (Shishi * handle,
1547 Shishi_key * key,
1548 int keyusage,
1549 int cksumtype,
1550 const char *in, size_t inlen, char **out, size_t * outlen)
1551 {
1552 Shishi_checksum_function checksum;
1553 int res;
1554
1555 if (VERBOSECRYPTO (handle))
1556 {
1557 printf ("checksum (%s, %d, in, out)\n",
1558 shishi_key_name (key), cksumtype);
1559 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1560 hexprint (shishi_key_value (key), shishi_key_length (key));
1561 puts ("");
1562 printf ("\t ;; in:\n");
1563 escapeprint (in, inlen);
1564 hexprint (in, inlen);
1565 puts ("");
1566 }
1567
1568 if (cksumtype == 0)
1569 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1570
1571 checksum = _shishi_checksum (cksumtype);
1572 if (checksum == NULL)
1573 {
1574 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1575 return SHISHI_CRYPTO_ERROR;
1576 }
1577
1578 /* XXX? check if etype and cksumtype are compatible? */
1579
1580 res = (*checksum) (handle, key, keyusage, cksumtype,
1581 in, inlen, out, outlen);
1582
1583 if (VERBOSECRYPTO (handle))
1584 {
1585 printf ("\t ;; checksum out:\n");
1586 escapeprint (*out, *outlen);
1587 hexprint (*out, *outlen);
1588 puts ("");
1589 }
1590
1591 return res;
1592 }
1593
1594 /**
1595 * shishi_verify:
1596 * @handle: shishi handle as allocated by shishi_init().
1597 * @key: key to verify checksum with.
1598 * @keyusage: integer specifying what this key is used for.
1599 * @cksumtype: the checksum algorithm to use.
1600 * @in: input array with data that was integrity protected.
1601 * @inlen: size of input array with data that was integrity protected.
1602 * @cksum: input array with alleged checksum of data.
1603 * @cksumlen: size of input array with alleged checksum of data.
1604 *
1605 * Verify checksum of data using key, possibly altered by supplied key
1606 * usage. If key usage is 0, no key derivation is used.
1607 *
1608 * Return value: Returns %SHISHI_OK iff successful.
1609 **/
1610 int
1611 shishi_verify (Shishi * handle,
1612 Shishi_key * key,
1613 int keyusage,
1614 int cksumtype,
1615 const char *in, size_t inlen,
1616 const char *cksum, size_t cksumlen)
1617 {
1618 Shishi_verify_function verify;
1619 int res;
1620
1621 if (VERBOSECRYPTO (handle))
1622 {
1623 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key), cksumtype);
1624 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1625 hexprint (shishi_key_value (key), shishi_key_length (key));
1626 puts ("");
1627 printf ("\t ;; data:\n");
1628 escapeprint (in, inlen);
1629 hexprint (in, inlen);
1630 puts ("");
1631 printf ("\t ;; mic:\n");
1632 escapeprint (cksum, cksumlen);
1633 hexprint (cksum, cksumlen);
1634 puts ("");
1635 }
1636
1637 if (cksumtype == 0)
1638 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1639
1640 verify = _shishi_verify (cksumtype);
1641 if (verify == NULL)
1642 {
1643 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1644 return SHISHI_CRYPTO_ERROR;
1645 }
1646
1647 /* XXX? check if etype and cksumtype are compatible? */
1648
1649 res = (*verify) (handle, key, keyusage, cksumtype,
1650 in, inlen, cksum, cksumlen);
1651
1652 if (VERBOSECRYPTO (handle))
1653 printf ("\t ;; verify return: %d\n", res);
1654
1655 return res;
1656 }
1657
1658 /**
1659 * shishi_encrypt_ivupdate_etype:
1660 * @handle: shishi handle as allocated by shishi_init().
1661 * @key: key to encrypt with.
1662 * @keyusage: integer specifying what this key is encrypting.
1663 * @etype: integer specifying what cipher to use.
1664 * @iv: input array with initialization vector
1665 * @ivlen: size of input array with initialization vector.
1666 * @ivout: output array with newly allocated updated initialization vector.
1667 * @ivoutlen: size of output array with updated initialization vector.
1668 * @in: input array with data to encrypt.
1669 * @inlen: size of input array with data to encrypt.
1670 * @out: output array with newly allocated encrypted data.
1671 * @outlen: output variable with size of newly allocated output array.
1672 *
1673 * Encrypts data as per encryption method using specified
1674 * initialization vector and key. The key actually used is derived
1675 * using the key usage. If key usage is 0, no key derivation is used.
1676 * The OUT buffer must be deallocated by the caller. If IVOUT or
1677 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1678 *
1679 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1680 * exactly, some Kerberos encryption types add pad to make the data
1681 * fit into the block size of the encryption algorithm. Furthermore,
1682 * the pad is not guaranteed to look in any special way, although
1683 * existing implementations often pad with the zero byte. This means
1684 * that you may have to "frame" data, so it is possible to infer the
1685 * original length after decryption. Compare ASN.1 DER which contains
1686 * such information.
1687 *
1688 * Return value: Returns %SHISHI_OK iff successful.
1689 **/
1690 int
1691 shishi_encrypt_ivupdate_etype (Shishi * handle,
1692 Shishi_key * key,
1693 int keyusage,
1694 int32_t etype,
1695 const char *iv, size_t ivlen,
1696 char **ivout, size_t * ivoutlen,
1697 const char *in, size_t inlen,
1698 char **out, size_t * outlen)
1699 {
1700 Shishi_encrypt_function encrypt;
1701 int res;
1702
1703 if (VERBOSECRYPTO (handle))
1704 {
1705 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1706 shishi_key_name (key), keyusage);
1707 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1708 hexprint (shishi_key_value (key), shishi_key_length (key));
1709 puts ("");
1710 printf ("\t ;; in (%d):\n", inlen);
1711 escapeprint (in, inlen);
1712 hexprint (in, inlen);
1713 puts ("");
1714 if (iv)
1715 {
1716 printf ("\t ;; iv (%d):\n", ivlen);
1717 escapeprint (iv, ivlen);
1718 hexprint (iv, ivlen);
1719 puts ("");
1720 }
1721 }
1722
1723 encrypt = _shishi_cipher_encrypt (etype);
1724 if (encrypt == NULL)
1725 {
1726 shishi_error_printf (handle, "Unsupported keytype %d",
1727 shishi_key_type (key));
1728 return SHISHI_CRYPTO_ERROR;
1729 }
1730
1731 res = (*encrypt) (handle, key, keyusage,
1732 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1733
1734 if (VERBOSECRYPTO (handle))
1735 {
1736 printf ("\t ;; encrypt out:\n");
1737 escapeprint (*out, *outlen);
1738 hexprint (*out, *outlen);
1739 puts ("");
1740 if (ivout && ivoutlen)
1741 {
1742 printf ("\t ;; iv out:\n");
1743 escapeprint (*ivout, *ivoutlen);
1744 hexprint (*ivout, *ivoutlen);
1745 puts ("");
1746 }
1747 }
1748
1749 return res;
1750 }
1751
1752 /**
1753 * shishi_encrypt_iv_etype:
1754 * @handle: shishi handle as allocated by shishi_init().
1755 * @key: key to encrypt with.
1756 * @keyusage: integer specifying what this key is encrypting.
1757 * @etype: integer specifying what cipher to use.
1758 * @iv: input array with initialization vector
1759 * @ivlen: size of input array with initialization vector.
1760 * @in: input array with data to encrypt.
1761 * @inlen: size of input array with data to encrypt.
1762 * @out: output array with newly allocated encrypted data.
1763 * @outlen: output variable with size of newly allocated output array.
1764 *
1765 * Encrypts data as per encryption method using specified
1766 * initialization vector and key. The key actually used is derived
1767 * using the key usage. If key usage is 0, no key derivation is used.
1768 * The OUT buffer must be deallocated by the caller. The next IV is
1769 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1770 *
1771 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1772 * exactly, some Kerberos encryption types add pad to make the data
1773 * fit into the block size of the encryption algorithm. Furthermore,
1774 * the pad is not guaranteed to look in any special way, although
1775 * existing implementations often pad with the zero byte. This means
1776 * that you may have to "frame" data, so it is possible to infer the
1777 * original length after decryption. Compare ASN.1 DER which contains
1778 * such information.
1779 *
1780 * Return value: Returns %SHISHI_OK iff successful.
1781 **/
1782 int
1783 shishi_encrypt_iv_etype (Shishi * handle,
1784 Shishi_key * key,
1785 int keyusage,
1786 int32_t etype,
1787 const char *iv, size_t ivlen,
1788 const char *in, size_t inlen,
1789 char **out, size_t * outlen)
1790 {
1791 return shishi_encrypt_ivupdate_etype (handle, key, keyusage, etype,
1792 iv, ivlen, NULL, NULL,
1793 in, inlen, out, outlen);
1794 }
1795
1796 /**
1797 * shishi_encrypt_etype:
1798 * @handle: shishi handle as allocated by shishi_init().
1799 * @key: key to encrypt with.
1800 * @keyusage: integer specifying what this key is encrypting.
1801 * @etype: integer specifying what cipher to use.
1802 * @in: input array with data to encrypt.
1803 * @inlen: size of input array with data to encrypt.
1804 * @out: output array with newly allocated encrypted data.
1805 * @outlen: output variable with size of newly allocated output array.
1806 *
1807 * Encrypts data as per encryption method using specified
1808 * initialization vector and key. The key actually used is derived
1809 * using the key usage. If key usage is 0, no key derivation is used.
1810 * The OUT buffer must be deallocated by the caller. The default IV
1811 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1812 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1813 *
1814 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1815 * exactly, some Kerberos encryption types add pad to make the data
1816 * fit into the block size of the encryption algorithm. Furthermore,
1817 * the pad is not guaranteed to look in any special way, although
1818 * existing implementations often pad with the zero byte. This means
1819 * that you may have to "frame" data, so it is possible to infer the
1820 * original length after decryption. Compare ASN.1 DER which contains
1821 * such information.
1822 *
1823 * Return value: Returns %SHISHI_OK iff successful.
1824 **/
1825 int
1826 shishi_encrypt_etype (Shishi * handle,
1827 Shishi_key * key,
1828 int keyusage,
1829 int32_t etype,
1830 const char *in, size_t inlen,
1831 char **out, size_t * outlen)
1832 {
1833 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1834 shishi_key_type (key),
1835 NULL, 0, NULL, NULL,
1836 in, inlen, out, outlen);
1837 }
1838
1839 /**
1840 * shishi_encrypt_ivupdate:
1841 * @handle: shishi handle as allocated by shishi_init().
1842 * @key: key to encrypt with.
1843 * @keyusage: integer specifying what this key is encrypting.
1844 * @iv: input array with initialization vector
1845 * @ivlen: size of input array with initialization vector.
1846 * @ivout: output array with newly allocated updated initialization vector.
1847 * @ivoutlen: size of output array with updated initialization vector.
1848 * @in: input array with data to encrypt.
1849 * @inlen: size of input array with data to encrypt.
1850 * @out: output array with newly allocated encrypted data.
1851 * @outlen: output variable with size of newly allocated output array.
1852 *
1853 * Encrypts data using specified initialization vector and key. The
1854 * key actually used is derived using the key usage. If key usage is
1855 * 0, no key derivation is used. The OUT buffer must be deallocated
1856 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1857 * saved anywhere.
1858 *
1859 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1860 * exactly, some Kerberos encryption types add pad to make the data
1861 * fit into the block size of the encryption algorithm. Furthermore,
1862 * the pad is not guaranteed to look in any special way, although
1863 * existing implementations often pad with the zero byte. This means
1864 * that you may have to "frame" data, so it is possible to infer the
1865 * original length after decryption. Compare ASN.1 DER which contains
1866 * such information.
1867 *
1868 * Return value: Returns %SHISHI_OK iff successful.
1869 **/
1870 int
1871 shishi_encrypt_ivupdate (Shishi * handle,
1872 Shishi_key * key,
1873 int keyusage,
1874 const char *iv, size_t ivlen,
1875 char **ivout, size_t * ivoutlen,
1876 const char *in, size_t inlen,
1877 char **out, size_t * outlen)
1878 {
1879 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1880 shishi_key_type (key),
1881 iv, ivlen, ivout, ivoutlen,
1882 in, inlen, out, outlen);
1883 }
1884
1885 /**
1886 * shishi_encrypt_iv:
1887 * @handle: shishi handle as allocated by shishi_init().
1888 * @key: key to encrypt with.
1889 * @keyusage: integer specifying what this key is encrypting.
1890 * @iv: input array with initialization vector
1891 * @ivlen: size of input array with initialization vector.
1892 * @in: input array with data to encrypt.
1893 * @inlen: size of input array with data to encrypt.
1894 * @out: output array with newly allocated encrypted data.
1895 * @outlen: output variable with size of newly allocated output array.
1896 *
1897 * Encrypts data using specified initialization vector and key. The
1898 * key actually used is derived using the key usage. If key usage is
1899 * 0, no key derivation is used. The OUT buffer must be deallocated
1900 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1901 * you need it.
1902 *
1903 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1904 * exactly, some Kerberos encryption types add pad to make the data
1905 * fit into the block size of the encryption algorithm. Furthermore,
1906 * the pad is not guaranteed to look in any special way, although
1907 * existing implementations often pad with the zero byte. This means
1908 * that you may have to "frame" data, so it is possible to infer the
1909 * original length after decryption. Compare ASN.1 DER which contains
1910 * such information.
1911 *
1912 * Return value: Returns %SHISHI_OK iff successful.
1913 **/
1914 int
1915 shishi_encrypt_iv (Shishi * handle,
1916 Shishi_key * key,
1917 int keyusage,
1918 const char *iv, size_t ivlen,
1919 const char *in, size_t inlen, char **out, size_t * outlen)
1920 {
1921 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1922 shishi_key_type (key),
1923 iv, ivlen, NULL, NULL,
1924 in, inlen, out, outlen);
1925 }
1926
1927 /**
1928 * shishi_encrypt:
1929 * @handle: shishi handle as allocated by shishi_init().
1930 * @key: key to encrypt with.
1931 * @keyusage: integer specifying what this key is encrypting.
1932 * @in: input array with data to encrypt.
1933 * @inlen: size of input array with data to encrypt.
1934 * @out: output array with newly allocated encrypted data.
1935 * @outlen: output variable with size of newly allocated output array.
1936 *
1937 * Encrypts data using specified key. The key actually used is
1938 * derived using the key usage. If key usage is 0, no key derivation
1939 * is used. The OUT buffer must be deallocated by the caller. The
1940 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1941 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1942 *
1943 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1944 * exactly, some Kerberos encryption types add pad to make the data
1945 * fit into the block size of the encryption algorithm. Furthermore,
1946 * the pad is not guaranteed to look in any special way, although
1947 * existing implementations often pad with the zero byte. This means
1948 * that you may have to "frame" data, so it is possible to infer the
1949 * original length after decryption. Compare ASN.1 DER which contains
1950 * such information.
1951 *
1952 * Return value: Returns %SHISHI_OK iff successful.
1953 **/
1954 int
1955 shishi_encrypt (Shishi * handle,
1956 Shishi_key * key,
1957 int keyusage,
1958 char *in, size_t inlen, char **out, size_t * outlen)
1959 {
1960 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1961 shishi_key_type (key),
1962 NULL, 0, NULL, NULL,
1963 in, inlen, out, outlen);
1964 }
1965
1966 /**
1967 * shishi_decrypt_ivupdate_etype:
1968 * @handle: shishi handle as allocated by shishi_init().
1969 * @key: key to decrypt with.
1970 * @keyusage: integer specifying what this key is decrypting.
1971 * @etype: integer specifying what cipher to use.
1972 * @iv: input array with initialization vector
1973 * @ivlen: size of input array with initialization vector.
1974 * @ivout: output array with newly allocated updated initialization vector.
1975 * @ivoutlen: size of output array with updated initialization vector.
1976 * @in: input array with data to decrypt.
1977 * @inlen: size of input array with data to decrypt.
1978 * @out: output array with newly allocated decrypted data.
1979 * @outlen: output variable with size of newly allocated output array.
1980 *
1981 * Decrypts data as per encryption method using specified
1982 * initialization vector and key. The key actually used is derived
1983 * using the key usage. If key usage is 0, no key derivation is used.
1984 * The OUT buffer must be deallocated by the caller. If IVOUT or
1985 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1986 *
1987 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1988 * exactly, some Kerberos encryption types add pad to make the data
1989 * fit into the block size of the encryption algorithm. Furthermore,
1990 * the pad is not guaranteed to look in any special way, although
1991 * existing implementations often pad with the zero byte. This means
1992 * that you may have to "frame" data, so it is possible to infer the
1993 * original length after decryption. Compare ASN.1 DER which contains
1994 * such information.
1995 *
1996 * Return value: Returns %SHISHI_OK iff successful.
1997 **/
1998 int
1999 shishi_decrypt_ivupdate_etype (Shishi * handle,
2000 Shishi_key * key,
2001 int keyusage,
2002 int32_t etype,
2003 const char *iv, size_t ivlen,
2004 char **ivout, size_t * ivoutlen,
2005 const char *in, size_t inlen,
2006 char **out, size_t * outlen)
2007 {
2008 Shishi_decrypt_function decrypt;
2009 int res;
2010
2011 if (VERBOSECRYPTO (handle))
2012 {
2013 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
2014 shishi_key_name (key), keyusage);
2015 printf ("\t ;; key (%d):\n", shishi_key_length (key));
2016 hexprint (shishi_key_value (key), shishi_key_length (key));
2017 puts ("");
2018 printf ("\t ;; in (%d):\n", inlen);
2019 escapeprint (in, inlen);
2020 hexprint (in, inlen);
2021 puts ("");
2022 }
2023
2024 decrypt = _shishi_cipher_decrypt (etype);
2025 if (decrypt == NULL)
2026 {
2027 shishi_error_printf (handle, "Unsupported keytype %d",
2028 shishi_key_type (key));
2029 return SHISHI_CRYPTO_ERROR;
2030 }
2031
2032 res = (*decrypt) (handle, key, keyusage,
2033 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
2034
2035 if (VERBOSECRYPTO (handle))
2036 {
2037 printf ("\t ;; decrypt out:\n");
2038 escapeprint (*out, *outlen);
2039 hexprint (*out, *outlen);
2040 puts ("");
2041 }
2042
2043 return res;
2044 }
2045
2046 /**
2047 * shishi_decrypt_iv_etype:
2048 * @handle: shishi handle as allocated by shishi_init().
2049 * @key: key to decrypt with.
2050 * @keyusage: integer specifying what this key is decrypting.
2051 * @etype: integer specifying what cipher to use.
2052 * @iv: input array with initialization vector
2053 * @ivlen: size of input array with initialization vector.
2054 * @in: input array with data to decrypt.
2055 * @inlen: size of input array with data to decrypt.
2056 * @out: output array with newly allocated decrypted data.
2057 * @outlen: output variable with size of newly allocated output array.
2058 *
2059 * Decrypts data as per encryption method using specified
2060 * initialization vector and key. The key actually used is derived
2061 * using the key usage. If key usage is 0, no key derivation is used.
2062 * The OUT buffer must be deallocated by the caller. The next IV is
2063 * lost, see shishi_decrypt_ivupdate_etype if you need it.
2064 *
2065 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2066 * exactly, some Kerberos encryption types add pad to make the data
2067 * fit into the block size of the encryption algorithm. Furthermore,
2068 * the pad is not guaranteed to look in any special way, although
2069 * existing implementations often pad with the zero byte. This means
2070 * that you may have to "frame" data, so it is possible to infer the
2071 * original length after decryption. Compare ASN.1 DER which contains
2072 * such information.
2073 *
2074 * Return value: Returns %SHISHI_OK iff successful.
2075 **/
2076 int
2077 shishi_decrypt_iv_etype (Shishi * handle,
2078 Shishi_key * key,
2079 int keyusage,
2080 int32_t etype,
2081 const char *iv, size_t ivlen,
2082 const char *in, size_t inlen,
2083 char **out, size_t * outlen)
2084 {
2085 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
2086 iv, ivlen, NULL, NULL,
2087 in, inlen, out, outlen);
2088 }
2089
2090 /**
2091 * shishi_decrypt_etype:
2092 * @handle: shishi handle as allocated by shishi_init().
2093 * @key: key to decrypt with.
2094 * @keyusage: integer specifying what this key is decrypting.
2095 * @etype: integer specifying what cipher to use.
2096 * @in: input array with data to decrypt.
2097 * @inlen: size of input array with data to decrypt.
2098 * @out: output array with newly allocated decrypted data.
2099 * @outlen: output variable with size of newly allocated output array.
2100 *
2101 * Decrypts data as per encryption method using specified key. The
2102 * key actually used is derived using the key usage. If key usage is
2103 * 0, no key derivation is used. The OUT buffer must be deallocated
2104 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
2105 * if you need to alter it. The next IV is lost, see
2106 * shishi_decrypt_ivupdate_etype if you need it.
2107 *
2108 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2109 * exactly, some Kerberos encryption types add pad to make the data
2110 * fit into the block size of the encryption algorithm. Furthermore,
2111 * the pad is not guaranteed to look in any special way, although
2112 * existing implementations often pad with the zero byte. This means
2113 * that you may have to "frame" data, so it is possible to infer the
2114 * original length after decryption. Compare ASN.1 DER which contains
2115 * such information.
2116 *
2117 * Return value: Returns %SHISHI_OK iff successful.
2118 **/
2119 int
2120 shishi_decrypt_etype (Shishi * handle,
2121 Shishi_key * key,
2122 int keyusage,
2123 int32_t etype,
2124 const char *in, size_t inlen,
2125 char **out, size_t * outlen)
2126 {
2127 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
2128 NULL, 0, NULL, NULL,
2129 in, inlen, out, outlen);
2130 }
2131
2132 /**
2133 * shishi_decrypt_ivupdate:
2134 * @handle: shishi handle as allocated by shishi_init().
2135 * @key: key to decrypt with.
2136 * @keyusage: integer specifying what this key is decrypting.
2137 * @iv: input array with initialization vector
2138 * @ivlen: size of input array with initialization vector.
2139 * @ivout: output array with newly allocated updated initialization vector.
2140 * @ivoutlen: size of output array with updated initialization vector.
2141 * @in: input array with data to decrypt.
2142 * @inlen: size of input array with data to decrypt.
2143 * @out: output array with newly allocated decrypted data.
2144 * @outlen: output variable with size of newly allocated output array.
2145 *
2146 * Decrypts data using specified initialization vector and key. The
2147 * key actually used is derived using the key usage. If key usage is
2148 * 0, no key derivation is used. The OUT buffer must be deallocated
2149 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
2150 * saved anywhere.
2151 *
2152 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2153 * exactly, some Kerberos encryption types add pad to make the data
2154 * fit into the block size of the encryption algorithm. Furthermore,
2155 * the pad is not guaranteed to look in any special way, although
2156 * existing implementations often pad with the zero byte. This means
2157 * that you may have to "frame" data, so it is possible to infer the
2158 * original length after decryption. Compare ASN.1 DER which contains
2159 * such information.
2160 *
2161 * Return value: Returns %SHISHI_OK iff successful.
2162 **/
2163 int
2164 shishi_decrypt_ivupdate (Shishi * handle,
2165 Shishi_key * key,
2166 int keyusage,
2167 const char *iv, size_t ivlen,
2168 char **ivout, size_t * ivoutlen,
2169 const char *in, size_t inlen,
2170 char **out, size_t * outlen)
2171 {
2172 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
2173 shishi_key_type (key),
2174 iv, ivlen, ivout, ivoutlen,
2175 in, inlen, out, outlen);
2176 }
2177
2178 /**
2179 * shishi_decrypt_iv:
2180 * @handle: shishi handle as allocated by shishi_init().
2181 * @key: key to decrypt with.
2182 * @keyusage: integer specifying what this key is decrypting.
2183 * @iv: input array with initialization vector
2184 * @ivlen: size of input array with initialization vector.
2185 * @in: input array with data to decrypt.
2186 * @inlen: size of input array with data to decrypt.
2187 * @out: output array with newly allocated decrypted data.
2188 * @outlen: output variable with size of newly allocated output array.
2189 *
2190 * Decrypts data using specified initialization vector and key. The
2191 * key actually used is derived using the key usage. If key usage is
2192 * 0, no key derivation is used. The OUT buffer must be deallocated
2193 * by the caller. The next IV is lost, see
2194 * shishi_decrypt_ivupdate_etype if you need it.
2195 *
2196 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2197 * exactly, some Kerberos encryption types add pad to make the data
2198 * fit into the block size of the encryption algorithm. Furthermore,
2199 * the pad is not guaranteed to look in any special way, although
2200 * existing implementations often pad with the zero byte. This means
2201 * that you may have to "frame" data, so it is possible to infer the
2202 * original length after decryption. Compare ASN.1 DER which contains
2203 * such information.
2204 *
2205 * Return value: Returns %SHISHI_OK iff successful.
2206 **/
2207 int
2208 shishi_decrypt_iv (Shishi * handle,
2209 Shishi_key * key,
2210 int keyusage,
2211 const char *iv, size_t ivlen,
2212 const char *in, size_t inlen, char **out, size_t * outlen)
2213 {
2214 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
2215 shishi_key_type (key),
2216 iv, ivlen, NULL, NULL,
2217 in, inlen, out, outlen);
2218 }
2219
2220 /**
2221 * shishi_decrypt:
2222 * @handle: shishi handle as allocated by shishi_init().
2223 * @key: key to decrypt with.
2224 * @keyusage: integer specifying what this key is decrypting.
2225 * @in: input array with data to decrypt.
2226 * @inlen: size of input array with data to decrypt.
2227 * @out: output array with newly allocated decrypted data.
2228 * @outlen: output variable with size of newly allocated output array.
2229 *
2230 * Decrypts data specified key. The key actually used is derived
2231 * using the key usage. If key usage is 0, no key derivation is used.
2232 * The OUT buffer must be deallocated by the caller. The default IV
2233 * is used, see shishi_decrypt_iv if you need to alter it. The next
2234 * IV is lost, see shishi_decrypt_ivupdate if you need it.
2235 *
2236 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2237 * exactly, some Kerberos encryption types add pad to make the data
2238 * fit into the block size of the encryption algorithm. Furthermore,
2239 * the pad is not guaranteed to look in any special way, although
2240 * existing implementations often pad with the zero byte. This means
2241 * that you may have to "frame" data, so it is possible to infer the
2242 * original length after decryption. Compare ASN.1 DER which contains
2243 * such information.
2244 *
2245 * Return value: Returns %SHISHI_OK iff successful.
2246 **/
2247 int
2248 shishi_decrypt (Shishi * handle,
2249 Shishi_key * key,
2250 int keyusage,
2251 const char *in, size_t inlen, char **out, size_t * outlen)
2252 {
2253 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
2254 shishi_key_type (key),
2255 NULL, 0, NULL, NULL,
2256 in, inlen, out, outlen);
2257 }
2258
2259 /**
2260 * shishi_randomize:
2261 * @handle: shishi handle as allocated by shishi_init().
2262 * @data: output array to be filled with random data.
2263 * @datalen: size of output array.
2264 *
2265 * Store cryptographically strong random data of given size in the
2266 * provided buffer.
2267 *
2268 * Return value: Returns %SHISHI_OK iff successful.
2269 **/
2270 int
2271 shishi_randomize (Shishi * handle, char *data, size_t datalen)
2272 {
2273 #ifdef USE_GCRYPT
2274 gcry_randomize (data, datalen, GCRY_STRONG_RANDOM);
2275 #else
2276 int fd;
2277 char *device;
2278
2279 device = "/dev/urandom";
2280
2281 fd = open (device, O_RDONLY);
2282 if (fd < 0)
2283 {
2284 shishi_error_printf (handle, "Could not open random device: %s\n",
2285 strerror (errno));
2286 return SHISHI_FOPEN_ERROR;
2287 }
2288 else
2289 {
2290 read (fd, data, datalen);
2291 close (fd);
2292 }
2293 #endif
2294
2295 return SHISHI_OK;
2296 }
2297
2298 /**
2299 * shishi_n_fold:
2300 * @handle: shishi handle as allocated by shishi_init().
2301 * @in: input array with data to decrypt.
2302 * @inlen: size of input array with data to decrypt ("M").
2303 * @out: output array with decrypted data.
2304 * @outlen: size of output array ("N").
2305 *
2306 * Fold data into a fixed length output array, with the intent to give
2307 * each input bit approximately equal weight in determining the value
2308 * of each output bit.
2309 *
2310 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
2311 * by Uri Blumenthal and Steven M. Bellovin,
2312 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
2313 * the sample vectors provided by the paper are incorrect.
2314 *
2315 * Return value: Returns %SHISHI_OK iff successful.
2316 **/
2317 int
2318 shishi_n_fold (Shishi * handle,
2319 char *in, size_t inlen, char *out, size_t outlen)
2320 {
2321 int m = inlen;
2322 int n = outlen;
2323 char *buf = NULL;
2324 char *a = NULL;
2325 int lcmmn = 0;
2326 int i = 0;
2327
2328 /*
2329 To n-fold a number X, replicate the input value to a length that is
2330 the least common multiple of n and the length of X. Before each
2331 repetition, the input is rotated to the right by 13 bit
2332 positions. The successive n-bit chunks are added together using
2333 1's-complement addition (that is, addition with end-around carry)
2334 to yield a n-bit result denoted <X>_n.
2335 */
2336
2337 a = (char *) xmemdup (a, in, m);
2338
2339 lcmmn = lcm (m, n);
2340
2341 if (VERBOSECRYPTO (handle))
2342 {
2343 printf ("%d-fold (string)\n", n * 8);
2344 printf ("\t ;; string length %d bytes %d bits\n", m, m * 8);
2345 escapeprint (a, m);
2346 hexprint (a, m);
2347 puts ("");
2348 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
2349 8 * m, 8 * n, m, n, lcmmn);
2350 puts ("");
2351 }
2352
2353 buf = (char *) xmalloc (lcmmn);
2354
2355 /* Replicate the input th the LCMMN length */
2356 for (i = 0; i < (lcmmn / m); i++)
2357 {
2358 if (VERBOSECRYPTO (handle))
2359 {
2360 printf ("\t ;; %d-th replication\n", i + 1);
2361 printf ("string = rot13(string)\n");
2362 }
2363
2364 memcpy ((char *) &buf[i * m], a, m);
2365 rot13 (handle, a, a, m);
2366
2367 if (VERBOSECRYPTO (handle))
2368 puts ("");
2369 }
2370
2371 memset (out, 0, n); /* just in case */
2372
2373 if (VERBOSECRYPTO (handle))
2374 {
2375 printf ("\t ;; replicated string (length %d):\n", lcmmn);
2376 hexprint (buf, lcmmn);
2377 puts ("");
2378 binprint (buf, lcmmn);
2379 puts ("");
2380 printf ("sum = 0\n");
2381 }
2382
2383 /* Now we view the buf as set of n-byte strings
2384 Add the n-byte long chunks together, using
2385 one's complement addition, storing the
2386 result in the output string. */
2387
2388 for (i = 0; i < (lcmmn / n); i++)
2389 {
2390 if (VERBOSECRYPTO (handle))
2391 {
2392 printf ("\t ;; %d-th one's complement addition sum\n", i + 1);
2393 printf ("\t ;; sum:\n");
2394 hexprint (out, n);
2395 puts ("");
2396 binprint (out, n);
2397 puts ("");
2398 printf ("\t ;; A (offset %d):\n", i * n);
2399 hexprint (&buf[i * n], n);
2400 puts ("");
2401 binprint (&buf[i * n], n);
2402 puts ("");
2403 printf ("sum = ocadd(sum, A);\n");
2404 }
2405
2406 ocadd (out, (char *) &buf[i * n], out, n);
2407
2408 if (VERBOSECRYPTO (handle))
2409 {
2410 printf ("\t ;; sum:\n");
2411 hexprint (out, n);
2412 puts ("");
2413 binprint (out, n);
2414 puts ("");
2415 puts ("");
2416 }
2417 }
2418
2419 if (VERBOSECRYPTO (handle))
2420 {
2421 printf ("\t ;; nfold\n");
2422 hexprint (out, n);
2423 puts ("");
2424 binprint (out, n);
2425 puts ("");
2426 puts ("");
2427 }
2428
2429 free (buf);
2430 free (a);
2431
2432 return SHISHI_OK;
2433 }
2434
2435 #define MAX_DR_CONSTANT 1024
2436
2437 /**
2438 * shishi_dr:
2439 * @handle: shishi handle as allocated by shishi_init().
2440 * @key: input array with cryptographic key to use.
2441 * @constant: input array with the constant string.
2442 * @constantlen: size of input array with the constant string.
2443 * @derivedrandom: output array with derived random data.
2444 * @derivedrandomlen: size of output array with derived random data.
2445 *
2446 * Derive "random" data from a key and a constant thusly:
2447 * DR(KEY, CONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
2448 * SHISHI_ENCRYPT(KEY, CONSTANT)).
2449 *
2450 * Return value: Returns %SHISHI_OK iff successful.
2451 **/
2452 int
2453 shishi_dr (Shishi * handle,
2454 Shishi_key * key,
2455 char *constant, size_t constantlen,
2456 char *derivedrandom, size_t derivedrandomlen)
2457 {
2458 char *cipher;
2459 char plaintext[MAX_DR_CONSTANT];
2460 char nfoldconstant[MAX_DR_CONSTANT];
2461 size_t blocksize = shishi_cipher_blocksize (shishi_key_type (key));
2462 size_t totlen, cipherlen;
2463 int res;
2464
2465 if (VERBOSECRYPTO (handle))
2466 {
2467 printf ("dr (%s, key, constant, %d)\n",
2468 shishi_cipher_name (shishi_key_type (key)), derivedrandomlen);
2469 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2470 hexprint (shishi_key_value (key), shishi_key_length (key));
2471 puts ("");
2472 binprint (shishi_key_value (key), shishi_key_length (key));
2473 puts ("");
2474 printf ("\t ;; constant %s':\n", constant);
2475 escapeprint (constant, constantlen);
2476 hexprint (constant, constantlen);
2477 puts ("");
2478 binprint (constant, constantlen);
2479 puts ("");
2480 puts ("");
2481 }
2482
2483 if (constantlen > MAX_DR_CONSTANT)
2484 return SHISHI_TOO_SMALL_BUFFER;
2485
2486 if (constantlen == blocksize)
2487 {
2488 memcpy (nfoldconstant, constant, constantlen);
2489 }
2490 else
2491 {
2492 res = shishi_n_fold (handle, constant, constantlen, nfoldconstant,
2493 blocksize);
2494 if (res != SHISHI_OK)
2495 return res;
2496 }
2497
2498 if (VERBOSECRYPTO (handle))
2499 {
2500 printf ("\t ;; possibly nfolded constant (length %d):\n", blocksize);
2501 escapeprint (nfoldconstant, blocksize);
2502 hexprint (nfoldconstant, blocksize);
2503 puts ("");
2504 binprint (nfoldconstant, blocksize);
2505 puts ("");
2506 }
2507
2508 memcpy (plaintext, nfoldconstant, blocksize);
2509
2510 totlen = 0;
2511 do
2512 {
2513 res = shishi_encrypt (handle, key, 0, plaintext, blocksize,
2514 &cipher, &cipherlen);
2515 if (res != SHISHI_OK)
2516 return res;
2517 if (cipherlen != blocksize)
2518 return SHISHI_CRYPTO_ERROR;
2519 memcpy (derivedrandom + totlen, cipher, cipherlen);
2520 memcpy (plaintext, cipher, cipherlen);
2521 free (cipher);
2522 totlen += cipherlen;
2523 }
2524 while (totlen < derivedrandomlen);
2525
2526 if (VERBOSECRYPTO (handle))
2527 {
2528 printf ("\t ;; derived random (length %d):\n", derivedrandomlen);
2529 hexprint (derivedrandom, derivedrandomlen);
2530 puts ("");
2531 binprint (derivedrandom, derivedrandomlen);
2532 puts ("");
2533 }
2534
2535 return SHISHI_OK;
2536 }
2537
2538 /**
2539 * shishi_dk:
2540 * @handle: shishi handle as allocated by shishi_init().
2541 * @key: input cryptographic key to use.
2542 * @constant: input array with the constant string.
2543 * @constantlen: size of input array with the constant string.
2544 * @derivedkey: pointer to derived key (allocated by caller).
2545 *
2546 * Derive a key from a key and a constant thusly:
2547 * DK(KEY, CONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, CONSTANT)).
2548 *
2549 * Return value: Returns %SHISHI_OK iff successful.
2550 **/
2551 int
2552 shishi_dk (Shishi * handle,
2553 Shishi_key * key,
2554 char *constant, int constantlen, Shishi_key * derivedkey)
2555 {
2556 char random[MAX_RANDOM_LEN];
2557 int res;
2558
2559 if (VERBOSECRYPTO (handle))
2560 {
2561 printf ("dk (%s, key, constant)\n", shishi_key_name (key));
2562 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2563 hexprint (shishi_key_value (key), shishi_key_length (key));
2564 puts ("");
2565 binprint (shishi_key_value (key), shishi_key_length (key));
2566 puts ("");
2567 printf ("\t ;; constant:\n");
2568 escapeprint (constant, constantlen);
2569 hexprint (constant, constantlen);
2570 puts ("");
2571 binprint (constant, constantlen);
2572 puts ("");
2573 puts ("");
2574 }
2575
2576 shishi_key_type_set (derivedkey, shishi_key_type (key));
2577
2578 res = shishi_dr (handle, key, constant, constantlen, random,
2579 shishi_key_length (derivedkey));
2580 if (res != SHISHI_OK)
2581 return res;
2582
2583 res = shishi_random_to_key (handle, shishi_key_type (derivedkey),
2584 random, shishi_key_length (derivedkey),
2585 derivedkey);
2586 if (res != SHISHI_OK)
2587 return res;
2588
2589 return SHISHI_OK;
2590 }
Free Kerberos V5 implementation