search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Doc fix.
[shishi.git] / lib / crypto.c
blob7f2397d5d15edf8ab06617307fdd21c5effac6da
1 /* crypto.c crypto functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #include "internal.h"
23
24 static void
25 escapeprint (const char *str, int len)
26 {
27 int i;
28
29 printf ("\t ;; `");
30 for (i = 0; i < len; i++)
31 if ((str[i] >= 'A' && str[i] <= 'Z') ||
32 (str[i] >= 'a' && str[i] <= 'z') ||
33 (str[i] >= '0' && str[i] <= '9') || str[i] == '.')
34 printf ("%c", str[i] & 0xFF);
35 else
36 printf ("\\x%02x", str[i] & 0xFF);
37 printf ("' (length %d bytes)\n", len);
38 }
39
40 static void
41 hexprint (const char *str, int len)
42 {
43 int i;
44
45 printf ("\t ;; ");
46 for (i = 0; i < len; i++)
47 {
48 printf ("%02x ", str[i] & 0xFF);
49 if ((i + 1) % 8 == 0)
50 printf (" ");
51 if ((i + 1) % 16 == 0 && i + 1 < len)
52 printf ("\n\t ;; ");
53 }
54 }
55
56 static void
57 binprint (const char *str, int len)
58 {
59 int i;
60
61 printf ("\t ;; ");
62 for (i = 0; i < len; i++)
63 {
64 printf ("%d%d%d%d%d%d%d%d ",
65 str[i] & 0x80 ? 1 : 0,
66 str[i] & 0x40 ? 1 : 0,
67 str[i] & 0x20 ? 1 : 0,
68 str[i] & 0x10 ? 1 : 0,
69 str[i] & 0x08 ? 1 : 0,
70 str[i] & 0x04 ? 1 : 0,
71 str[i] & 0x02 ? 1 : 0, str[i] & 0x01 ? 1 : 0);
72 if ((i + 1) % 3 == 0)
73 printf (" ");
74 if ((i + 1) % 6 == 0 && i + 1 < len)
75 printf ("\n\t ;; ");
76 }
77 }
78
79 static void
80 bin7print (const char *str, int len)
81 {
82 int i;
83
84 printf ("\t ;; ");
85 for (i = 0; i < len; i++)
86 {
87 printf ("%d%d%d%d%d%d%d ",
88 str[i] & 0x40 ? 1 : 0,
89 str[i] & 0x20 ? 1 : 0,
90 str[i] & 0x10 ? 1 : 0,
91 str[i] & 0x08 ? 1 : 0,
92 str[i] & 0x04 ? 1 : 0,
93 str[i] & 0x02 ? 1 : 0, str[i] & 0x01 ? 1 : 0);
94 if ((i + 1) % 3 == 0)
95 printf (" ");
96 if ((i + 1) % 6 == 0 && i + 1 < len)
97 printf ("\n\t ;; ");
98 }
99 }
100
101 static int
102 gcd (int a, int b)
103 {
104 if (b == 0)
105 return a;
106 else
107 return gcd (b, a % b);
108 }
109
110 static int
111 lcm (int a, int b)
112 {
113 return a * b / gcd (a, b);
114 }
115
116 static int
117 rot13 (Shishi * handle, char *in, char *out, int len)
118 {
119 if (VERBOSECRYPTO (handle))
120 {
121 printf ("\t ;; rot 13 in:\n");
122 escapeprint (in, len);
123 hexprint (in, len);
124 puts ("");
125 binprint (in, len);
126 puts ("");
127 }
128
129 if (len == 1)
130 {
131 out[0] =
132 ((in[0] >> 5) & 0x01) |
133 ((in[0] >> 5) & 0x02) |
134 ((in[0] >> 5) & 0x04) |
135 ((in[0] << 3) & 0x08) |
136 ((in[0] << 3) & 0x10) |
137 ((in[0] << 3) & 0x20) | ((in[0] << 3) & 0x40) | ((in[0] << 3) & 0x80);
138 }
139 else if (len > 1)
140 {
141 char nexttolast, last;
142 int i;
143
144 nexttolast = in[len - 2];
145 last = in[len - 1];
146
147 for (i = len * 8 - 1; i >= 13; i--)
148 {
149 int pos = i / 8;
150 char mask = ~(1 << (7 - i % 8));
151 int pos2 = (i - 13) / 8;
152 char mask2 = (1 << (7 - (i - 13) % 8));
153
154 out[pos] = (out[pos] & mask) |
155 (((in[pos2] & mask2) ? 0xFF : 0x00) & ~mask);
156 }
157 out[0] = ((nexttolast & 0xFF) << 3) | ((last & 0xFF) >> 5);
158 out[1] = (in[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last << 3));
159 }
160
161 if (VERBOSECRYPTO (handle))
162 {
163 printf ("\t ;; rot13 out:\n");
164 escapeprint (out, len);
165 hexprint (out, len);
166 puts ("");
167 binprint (out, len);
168 puts ("");
169 }
170
171 return SHISHI_OK;
172 }
173
174 static int
175 ocadd (char *add1, char *add2, char *sum, int len)
176 {
177 int i;
178 int carry = 0;
179
180 for (i = len - 1; i >= 0; i--)
181 {
182 int tmpsum = (unsigned char) add1[i] + (unsigned char) add2[i];
183
184 sum[i] = (tmpsum + carry) & 0xFF;
185 if (tmpsum + carry > 0xFF)
186 carry = 1;
187 else
188 carry = 0;
189 }
190 if (carry)
191 {
192 int done = 0;
193
194 for (i = len - 1; i >= 0; i--)
195 if ((unsigned char) sum[i] != 0xFF)
196 {
197 sum[i]++;
198 done = 1;
199 break;
200 }
201
202 if (!done)
203 memset (sum, 0, len);
204 }
205
206 return SHISHI_OK;
207 }
208
209 static int
210 simplified_hmac (Shishi * handle,
211 Shishi_key * key,
212 const char *in, size_t inlen,
213 char **outhash, size_t * outhashlen)
214 {
215 *outhashlen = 20;
216 return shishi_hmac_sha1 (handle,
217 shishi_key_value (key), shishi_key_length (key),
218 in, inlen,
219 outhash);
220 }
221
222 static int
223 simplified_hmac_verify (Shishi * handle,
224 Shishi_key * key,
225 const char *in, size_t inlen,
226 const char *hmac, size_t hmaclen)
227 {
228 char *hash;
229 size_t hlen;
230 int same;
231 int res;
232
233 res = simplified_hmac (handle, key, in, inlen, &hash, &hlen);
234 if (res != SHISHI_OK || hash == NULL)
235 return res;
236
237 if (VERBOSECRYPTO (handle))
238 {
239 printf ("\t ;; HMAC verify:\n");
240 escapeprint (hash, hlen);
241 hexprint (hash, hlen);
242 puts ("");
243 binprint (hash, hlen);
244 puts ("");
245 escapeprint (hmac, hmaclen);
246 hexprint (hmac, hmaclen);
247 puts ("");
248 binprint (hmac, hmaclen);
249 puts ("");
250 }
251
252 same = (hlen == hmaclen) && memcmp (hash, hmac, hmaclen) == 0;
253
254 free (hash);
255
256 if (!same)
257 {
258 shishi_error_printf (handle, "HMAC verify failed");
259 return SHISHI_CRYPTO_ERROR;
260 }
261
262 return SHISHI_OK;
263 }
264
265 typedef enum
266 {
267 SHISHI_DERIVEKEYMODE_CHECKSUM,
268 SHISHI_DERIVEKEYMODE_PRIVACY,
269 SHISHI_DERIVEKEYMODE_INTEGRITY
270 }
271 Shishi_derivekeymode;
272
273 static int
274 simplified_derivekey (Shishi * handle,
275 Shishi_key * key,
276 int keyusage, int derivekeymode, Shishi_key ** outkey)
277 {
278 char constant[5];
279 int res = SHISHI_OK;
280 Shishi_key *derivedkey;
281
282 if (VERBOSECRYPTO (handle))
283 {
284 printf ("simplified_derivekey\n");
285 printf ("\t ;; mode %d (%s)\n", derivekeymode,
286 derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM ? "checksum" :
287 derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY ? "integrity" :
288 derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY ? "privacy" :
289 "base-key");
290 hexprint (shishi_key_value (key), shishi_key_length (key));
291 puts ("");
292 }
293
294
295 res = shishi_key_from_value (handle, shishi_key_type (key),
296 NULL, &derivedkey);
297 if (res != SHISHI_OK)
298 return res;
299
300 *outkey = derivedkey;
301
302 if (keyusage)
303 {
304 uint32_t tmp = htonl (keyusage);
305 memcpy (constant, &tmp, 4);
306 if (derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM)
307 constant[4] = '\x99';
308 else if (derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY)
309 constant[4] = '\x55';
310 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
311 constant[4] = '\xAA';
312
313 res = shishi_dk (handle, key, constant, 5, derivedkey);
314 }
315 else
316 {
317 shishi_key_copy (derivedkey, key);
318 }
319
320 if (VERBOSECRYPTO (handle))
321 {
322 printf ("\t ;; simplified_derivekey out (%d):\n",
323 shishi_key_length (derivedkey));
324 hexprint (shishi_key_value (derivedkey),
325 shishi_key_length (derivedkey));
326 puts ("");
327 }
328
329 return res;
330 }
331
332 static int
333 simplified_dencrypt (Shishi * handle,
334 Shishi_key * key,
335 const char *iv, size_t ivlen,
336 char **ivout, size_t * ivoutlen,
337 const char *in, size_t inlen,
338 char **out, size_t * outlen, int decryptp)
339 {
340 int rc;
341
342 if (outlen)
343 *outlen = inlen;
344
345 switch (shishi_key_type (key))
346 {
347 case SHISHI_DES_CBC_CRC:
348 case SHISHI_DES_CBC_MD4:
349 case SHISHI_DES_CBC_MD5:
350 if (ivoutlen)
351 *ivoutlen = 8;
352 rc = shishi_des (handle, decryptp, shishi_key_value (key),
353 iv, ivout, in, inlen, out);
354 break;
355
356 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
357 if (ivoutlen)
358 *ivoutlen = 8;
359 rc = shishi_3des (handle, decryptp, shishi_key_value (key),
360 iv, ivout, in, inlen, out);
361 break;
362
363 case SHISHI_AES128_CTS_HMAC_SHA1_96:
364 case SHISHI_AES256_CTS_HMAC_SHA1_96:
365 if (ivoutlen)
366 *ivoutlen = 16;
367 rc = shishi_aes_cts (handle, decryptp,
368 shishi_key_value (key), shishi_key_length (key),
369 iv, ivout, in, inlen, out);
370 break;
371
372 default:
373 rc = SHISHI_CRYPTO_ERROR;
374 }
375
376 return rc;
377 }
378
379 static int
380 simplified_encrypt (Shishi * handle,
381 Shishi_key * key,
382 int keyusage,
383 const char *iv, size_t ivlen,
384 char **ivout, size_t * ivoutlen,
385 const char *in, size_t inlen, char **out, size_t * outlen)
386 {
387 int res;
388 int padzerolen = 0;
389
390 if ((shishi_key_type (key) == SHISHI_DES3_CBC_HMAC_SHA1_KD ||
391 shishi_key_type (key) == SHISHI_DES_CBC_CRC ||
392 shishi_key_type (key) == SHISHI_DES_CBC_MD4 ||
393 shishi_key_type (key) == SHISHI_DES_CBC_MD5) && (inlen % 8) != 0)
394 while (((inlen + padzerolen) % 8) != 0)
395 padzerolen++;
396
397 if (keyusage != 0)
398 {
399 char *pt = NULL, *ct = NULL, *hmac = NULL;
400 int blen = shishi_cipher_blocksize (shishi_key_type (key));
401 size_t ctlen, ptlen, hmaclen;
402 Shishi_key *privacykey = NULL, *integritykey = NULL;
403
404 ptlen = inlen + blen + padzerolen;
405 pt = xmalloc (ptlen);
406
407 res = shishi_randomize (handle, pt, blen);
408 if (res != SHISHI_OK)
409 goto done;
410
411 memcpy (pt + blen, in, inlen);
412 memset (pt + blen + inlen, 0, padzerolen);
413
414 res = simplified_derivekey (handle, key, keyusage,
415 SHISHI_DERIVEKEYMODE_PRIVACY, &privacykey);
416 if (res != SHISHI_OK)
417 goto done;
418
419 res =
420 simplified_dencrypt (handle, privacykey, iv, ivlen, ivout, ivoutlen,
421 pt, ptlen, &ct, &ctlen, 0);
422 if (res != SHISHI_OK)
423 goto done;
424
425
426 res = simplified_derivekey (handle, key, keyusage,
427 SHISHI_DERIVEKEYMODE_INTEGRITY,
428 &integritykey);
429 if (res != SHISHI_OK)
430 goto done;
431
432 res =
433 simplified_hmac (handle, integritykey, pt, ptlen, &hmac, &hmaclen);
434 if (res != SHISHI_OK)
435 goto done;
436
437 *outlen = ctlen + hmaclen;
438 *out = xmalloc (*outlen);
439 memcpy (*out, ct, ctlen);
440 memcpy (*out + ctlen, hmac, hmaclen);
441
442 done:
443 if (&privacykey)
444 shishi_key_done (privacykey);
445 if (&integritykey)
446 shishi_key_done (integritykey);
447 if (hmac)
448 free (hmac);
449 if (ct)
450 free (ct);
451 if (pt)
452 free (pt);
453 }
454 else
455 {
456 res = simplified_dencrypt (handle, key, iv, ivlen, ivout, ivoutlen,
457 in, inlen, out, outlen, 0);
458 }
459
460 return res;
461 }
462
463 static int
464 simplified_decrypt (Shishi * handle,
465 Shishi_key * key,
466 int keyusage,
467 const char *iv, size_t ivlen,
468 char **ivout, size_t * ivoutlen,
469 const char *in, size_t inlen, char **out, size_t * outlen)
470 {
471 int res;
472
473 if (keyusage)
474 {
475 Shishi_key *privacykey = NULL, *integritykey = NULL;
476 int blen = shishi_cipher_blocksize (shishi_key_type (key));
477 size_t hlen = 20; /* XXX only works for SHA-1 */
478
479 res = simplified_derivekey (handle, key, keyusage,
480 SHISHI_DERIVEKEYMODE_PRIVACY, &privacykey);
481 if (res != SHISHI_OK)
482 goto done;
483
484 res =
485 simplified_dencrypt (handle, privacykey, iv, ivlen, ivout, ivoutlen,
486 in, inlen - hlen, out, outlen, 1);
487 if (res != SHISHI_OK)
488 goto done;
489
490 res = simplified_derivekey (handle, key, keyusage,
491 SHISHI_DERIVEKEYMODE_INTEGRITY,
492 &integritykey);
493 if (res != SHISHI_OK)
494 goto done;
495
496 res = simplified_hmac_verify (handle, integritykey, *out, *outlen,
497 in + inlen - hlen, hlen);
498
499 if (res != SHISHI_OK)
500 goto done;
501
502 memmove (*out, *out + blen, *outlen - blen);
503 *outlen = *outlen - blen;
504 *out = xrealloc (*out, *outlen);
505
506 done:
507 if (privacykey)
508 shishi_key_done (privacykey);
509 if (integritykey)
510 shishi_key_done (integritykey);
511 }
512 else
513 {
514 res = simplified_dencrypt (handle, key, iv, ivlen, ivout, ivoutlen,
515 in, inlen, out, outlen, 1);
516 }
517
518 return res;
519 }
520
521 static int
522 simplified_checksum (Shishi * handle,
523 Shishi_key * key,
524 int keyusage,
525 int cksumtype,
526 const char *in, size_t inlen,
527 char **out, size_t * outlen)
528 {
529 Shishi_key *checksumkey;
530 int cksumlen = shishi_checksum_cksumlen (cksumtype);
531 int res;
532
533 res = simplified_derivekey (handle, key, keyusage,
534 SHISHI_DERIVEKEYMODE_CHECKSUM, &checksumkey);
535 if (res != SHISHI_OK)
536 return res;
537
538 res = simplified_hmac (handle, checksumkey, in, inlen, out, outlen);
539
540 shishi_key_done (checksumkey);
541
542 if (res != SHISHI_OK)
543 return res;
544
545 *outlen = cksumlen;
546
547 return SHISHI_OK;
548 }
549
550 typedef int (*Shishi_random_to_key_function) (Shishi * handle,
551 const char *random,
552 size_t randomlen,
553 Shishi_key * outkey);
554
555 typedef int (*Shishi_string_to_key_function) (Shishi * handle,
556 const char *password,
557 size_t passwordlen,
558 const char *salt,
559 size_t saltlen,
560 const char *parameter,
561 Shishi_key * outkey);
562
563 typedef int (*Shishi_encrypt_function) (Shishi * handle,
564 Shishi_key * key,
565 int keyusage,
566 const char *iv, size_t ivlen,
567 char **ivout, size_t * ivoutlen,
568 const char *in, size_t inlen,
569 char **out, size_t * outlen);
570
571 typedef int (*Shishi_decrypt_function) (Shishi * handle,
572 Shishi_key * key,
573 int keyusage,
574 const char *iv, size_t ivlen,
575 char **ivout, size_t * ivoutlen,
576 const char *in, size_t inlen,
577 char **out, size_t * outlen);
578
579 typedef int (*Shishi_checksum_function) (Shishi * handle,
580 Shishi_key * key,
581 int keyusage,
582 int cksumtype,
583 const char *in, size_t inlen,
584 char **out, size_t * outlen);
585
586 typedef int (*Shishi_verify_function) (Shishi * handle,
587 Shishi_key * key,
588 int keyusage,
589 int cksumtype,
590 const char *in, size_t inlen,
591 const char *cksum, size_t cksumlen);
592
593 #include "crypto-null.c"
594 #include "crypto-md.c"
595 #include "crypto-des.c"
596 #include "crypto-3des.c"
597 #include "crypto-aes.c"
598 #include "crypto-rc4.c"
599
600 struct cipherinfo
601 {
602 int32_t type;
603 char *name;
604 int blocksize;
605 int minpadsize;
606 int confoundersize;
607 int keylen;
608 int randomlen;
609 int defaultcksumtype;
610 Shishi_random_to_key_function random2key;
611 Shishi_string_to_key_function string2key;
612 Shishi_encrypt_function encrypt;
613 Shishi_decrypt_function decrypt;
614 };
615 typedef struct cipherinfo cipherinfo;
616
617 static cipherinfo null_info = {
618 SHISHI_NULL,
619 "NULL",
620 1,
621 0,
622 0,
623 0,
624 0,
625 SHISHI_RSA_MD5,
626 null_random_to_key,
627 null_string_to_key,
628 null_encrypt,
629 null_decrypt
630 };
631
632 static cipherinfo des_cbc_crc_info = {
633 SHISHI_DES_CBC_CRC,
634 "des-cbc-crc",
635 8,
636 4,
637 8,
638 8,
639 8,
640 SHISHI_RSA_MD5_DES,
641 des_random_to_key,
642 des_string_to_key,
643 des_crc_encrypt,
644 des_crc_decrypt
645 };
646
647 static cipherinfo des_cbc_md4_info = {
648 SHISHI_DES_CBC_MD4,
649 "des-cbc-md4",
650 8,
651 0,
652 8,
653 8,
654 8,
655 SHISHI_RSA_MD4_DES,
656 des_random_to_key,
657 des_string_to_key,
658 des_md4_encrypt,
659 des_md4_decrypt
660 };
661
662 static cipherinfo des_cbc_md5_info = {
663 SHISHI_DES_CBC_MD5,
664 "des-cbc-md5",
665 8,
666 0,
667 8,
668 8,
669 8,
670 SHISHI_RSA_MD5_DES,
671 des_random_to_key,
672 des_string_to_key,
673 des_md5_encrypt,
674 des_md5_decrypt
675 };
676
677 static cipherinfo des_cbc_none_info = {
678 SHISHI_DES_CBC_NONE,
679 "des-cbc-none",
680 8,
681 0,
682 8,
683 3 * 8,
684 3 * 8,
685 SHISHI_RSA_MD5_DES,
686 des_random_to_key,
687 des_string_to_key,
688 des_none_encrypt,
689 des_none_decrypt
690 };
691
692 static cipherinfo des3_cbc_none_info = {
693 SHISHI_DES3_CBC_NONE,
694 "des3-cbc-none",
695 8,
696 0,
697 8,
698 3 * 8,
699 3 * 8,
700 SHISHI_HMAC_SHA1_DES3_KD,
701 des3_random_to_key,
702 des3_string_to_key,
703 des3none_encrypt,
704 des3none_decrypt
705 };
706
707 static cipherinfo des3_cbc_sha1_kd_info = {
708 SHISHI_DES3_CBC_HMAC_SHA1_KD,
709 "des3-cbc-sha1-kd",
710 8,
711 0,
712 8,
713 3 * 8,
714 3 * 8,
715 SHISHI_HMAC_SHA1_DES3_KD,
716 des3_random_to_key,
717 des3_string_to_key,
718 _des3_encrypt,
719 _des3_decrypt
720 };
721
722 static cipherinfo aes128_cts_hmac_sha1_96_info = {
723 SHISHI_AES128_CTS_HMAC_SHA1_96,
724 "aes128-cts-hmac-sha1-96",
725 16,
726 0,
727 16,
728 128 / 8,
729 128 / 8,
730 SHISHI_HMAC_SHA1_96_AES128,
731 aes128_random_to_key,
732 aes128_string_to_key,
733 aes128_encrypt,
734 aes128_decrypt
735 };
736
737 static cipherinfo aes256_cts_hmac_sha1_96_info = {
738 SHISHI_AES256_CTS_HMAC_SHA1_96,
739 "aes256-cts-hmac-sha1-96",
740 16,
741 0,
742 16,
743 256 / 8,
744 256 / 8,
745 SHISHI_HMAC_SHA1_96_AES256,
746 aes256_random_to_key,
747 aes256_string_to_key,
748 aes256_encrypt,
749 aes256_decrypt
750 };
751
752 static cipherinfo rc4_hmac_info = {
753 SHISHI_RC4_HMAC,
754 "rc4-hmac",
755 16,
756 0,
757 16,
758 16,
759 16,
760 SHISHI_RC4_HMAC_MD5,
761 rc4_hmac_random_to_key,
762 rc4_hmac_string_to_key,
763 rc4_hmac_encrypt,
764 rc4_hmac_decrypt
765 };
766
767 static cipherinfo rc4_hmac_exp_info = {
768 SHISHI_RC4_HMAC_EXP,
769 "rc4-hmac-exp",
770 16,
771 0,
772 16,
773 16,
774 16,
775 SHISHI_RC4_HMAC_MD5,
776 rc4_hmac_random_to_key,
777 rc4_hmac_string_to_key,
778 rc4_hmac_exp_encrypt,
779 rc4_hmac_exp_decrypt
780 };
781
782 static cipherinfo *ciphers[] = {
783 &null_info,
784 &des_cbc_crc_info,
785 &des_cbc_md4_info,
786 &des_cbc_md5_info,
787 &des_cbc_none_info,
788 &des3_cbc_none_info,
789 &des3_cbc_sha1_kd_info,
790 &aes128_cts_hmac_sha1_96_info,
791 &aes256_cts_hmac_sha1_96_info,
792 &rc4_hmac_info,
793 &rc4_hmac_exp_info
794 };
795
796 /**
797 * shishi_cipher_supported_p:
798 * @type: encryption type, see Shishi_etype.
799 *
800 * Return value: Return 0 iff cipher is unsupported.
801 **/
802 int
803 shishi_cipher_supported_p (int32_t type)
804 {
805 size_t i;
806
807 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
808 if (type == ciphers[i]->type)
809 return 1;
810
811 return 0;
812 }
813
814 /**
815 * shishi_cipher_name:
816 * @type: encryption type, see Shishi_etype.
817 *
818 * Return value: Return name of encryption type,
819 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
820 **/
821 const char *
822 shishi_cipher_name (int32_t type)
823 {
824 size_t i;
825 char *p;
826
827 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
828 {
829 if (type == ciphers[i]->type)
830 return ciphers[i]->name;
831 }
832
833 asprintf (&p, "unknown cipher %d", type);
834 return p;
835 }
836
837 /**
838 * shishi_cipher_blocksize:
839 * @type: encryption type, see Shishi_etype.
840 *
841 * Return value: Return block size for encryption type, as defined in
842 * the standards.
843 **/
844 int
845 shishi_cipher_blocksize (int32_t type)
846 {
847 size_t i;
848
849 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
850 if (type == ciphers[i]->type)
851 return ciphers[i]->blocksize;
852
853 return -1;
854 }
855
856 /**
857 * shishi_cipher_minpadsize:
858 * @type: encryption type, see Shishi_etype.
859 *
860 * Return value: Return the minimum pad size for encryption type, as
861 * defined in the standards.
862 **/
863 int
864 shishi_cipher_minpadsize (int32_t type)
865 {
866 size_t i;
867
868 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
869 if (type == ciphers[i]->type)
870 return ciphers[i]->minpadsize;
871
872 return -1;
873 }
874
875 /**
876 * shishi_cipher_confoundersize:
877 * @type: encryption type, see Shishi_etype.
878 *
879 * Return value: Returns the size of the confounder (random data) for
880 * encryption type, as defined in the standards.
881 **/
882 int
883 shishi_cipher_confoundersize (int32_t type)
884 {
885 size_t i;
886
887 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
888 if (type == ciphers[i]->type)
889 return ciphers[i]->confoundersize;
890
891 return -1;
892 }
893
894 /**
895 * shishi_cipher_keylen:
896 * @type: encryption type, see Shishi_etype.
897 *
898 * Return value: Return length of key used for the encryption type, as
899 * defined in the standards.
900 **/
901 size_t
902 shishi_cipher_keylen (int32_t type)
903 {
904 size_t i;
905
906 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
907 if (type == ciphers[i]->type)
908 return ciphers[i]->keylen;
909
910 return -1;
911 }
912
913 /**
914 * shishi_cipher_randomlen:
915 * @type: encryption type, see Shishi_etype.
916 *
917 * Return value: Return length of random used for the encryption type,
918 * as defined in the standards.
919 **/
920 size_t
921 shishi_cipher_randomlen (int32_t type)
922 {
923 size_t i;
924
925 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
926 if (type == ciphers[i]->type)
927 return ciphers[i]->randomlen;
928
929 return -1;
930 }
931
932 /**
933 * shishi_cipher_defaultcksumtype:
934 * @type: encryption type, see Shishi_etype.
935 *
936 * Return value: Return associated checksum mechanism for the
937 * encryption type, as defined in the standards.
938 **/
939 int
940 shishi_cipher_defaultcksumtype (int32_t type)
941 {
942 size_t i;
943
944 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
945 if (type == ciphers[i]->type)
946 return ciphers[i]->defaultcksumtype;
947
948 return -1;
949 }
950
951 /**
952 * shishi_cipher_parse:
953 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
954 *
955 * Return value: Return encryption type corresponding to a string.
956 **/
957 int
958 shishi_cipher_parse (const char *cipher)
959 {
960 size_t i;
961 char *endptr;
962
963 i = strtol (cipher, &endptr, 0);
964
965 if (endptr != cipher)
966 return i;
967
968 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
969 if (strcasecmp (cipher, ciphers[i]->name) == 0)
970 return ciphers[i]->type;
971
972 return -1;
973 }
974
975 static Shishi_random_to_key_function
976 _shishi_cipher_random_to_key (int32_t type)
977 {
978 size_t i;
979
980 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
981 if (type == ciphers[i]->type)
982 return ciphers[i]->random2key;
983
984 return NULL;
985 }
986
987 static Shishi_string_to_key_function
988 _shishi_cipher_string_to_key (int32_t type)
989 {
990 size_t i;
991
992 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
993 if (type == ciphers[i]->type)
994 return ciphers[i]->string2key;
995
996 return NULL;
997 }
998
999 static Shishi_encrypt_function
1000 _shishi_cipher_encrypt (int32_t type)
1001 {
1002 size_t i;
1003
1004 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1005 if (type == ciphers[i]->type)
1006 return ciphers[i]->encrypt;
1007
1008 return NULL;
1009 }
1010
1011 static Shishi_decrypt_function
1012 _shishi_cipher_decrypt (int32_t type)
1013 {
1014 size_t i;
1015
1016 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
1017 if (type == ciphers[i]->type)
1018 return ciphers[i]->decrypt;
1019
1020 return NULL;
1021 }
1022
1023 struct checksuminfo
1024 {
1025 int32_t type;
1026 char *name;
1027 int cksumlen;
1028 Shishi_checksum_function checksum;
1029 Shishi_verify_function verify;
1030 };
1031 typedef struct checksuminfo checksuminfo;
1032
1033 static checksuminfo md4_info = {
1034 SHISHI_RSA_MD4,
1035 "rsa-md4",
1036 16,
1037 md4_checksum
1038 };
1039
1040 static checksuminfo md4_des_info = {
1041 SHISHI_RSA_MD4_DES,
1042 "rsa-md4-des",
1043 24,
1044 des_md4_checksum,
1045 des_md4_verify
1046 };
1047
1048 static checksuminfo md5_info = {
1049 SHISHI_RSA_MD5,
1050 "rsa-md5",
1051 16,
1052 md5_checksum
1053 };
1054
1055 static checksuminfo md5_des_info = {
1056 SHISHI_RSA_MD5_DES,
1057 "rsa-md5-des",
1058 24,
1059 des_md5_checksum,
1060 des_md5_verify
1061 };
1062
1063 static checksuminfo md5_gss_info = {
1064 SHISHI_RSA_MD5_DES_GSS,
1065 "rsa-md5-des-gss",
1066 8,
1067 gss_des_checksum
1068 };
1069
1070 static checksuminfo hmac_sha1_des3_kd_info = {
1071 SHISHI_HMAC_SHA1_DES3_KD,
1072 "hmac-sha1-des3-kd",
1073 20,
1074 des3_checksum
1075 };
1076
1077 static checksuminfo hmac_sha1_96_aes128_info = {
1078 SHISHI_HMAC_SHA1_96_AES128,
1079 "hmac-sha1-96-aes128",
1080 96 / 8,
1081 aes128_checksum
1082 };
1083
1084 static checksuminfo hmac_sha1_96_aes256_info = {
1085 SHISHI_HMAC_SHA1_96_AES256,
1086 "hmac-sha1-96-aes256",
1087 96 / 8,
1088 aes256_checksum
1089 };
1090
1091 static checksuminfo rc4_hmac_md5_info = {
1092 SHISHI_RC4_HMAC_MD5,
1093 "rc4-hmac-md5",
1094 16,
1095 rc4_hmac_md5_checksum
1096 };
1097
1098 static checksuminfo *checksums[] = {
1099 &md4_info,
1100 &md4_des_info,
1101 &md5_info,
1102 &md5_des_info,
1103 &md5_gss_info,
1104 &hmac_sha1_des3_kd_info,
1105 &hmac_sha1_96_aes128_info,
1106 &hmac_sha1_96_aes256_info,
1107 &rc4_hmac_md5_info
1108 };
1109
1110 /**
1111 * shishi_checksum_supported_p:
1112 * @type: checksum type, see Shishi_cksumtype.
1113 *
1114 * Return value: Return 0 iff checksum is unsupported.
1115 **/
1116 int
1117 shishi_checksum_supported_p (int32_t type)
1118 {
1119 size_t i;
1120
1121 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1122 if (type == checksums[i]->type)
1123 return 1;
1124
1125 return 0;
1126 }
1127
1128 /**
1129 * shishi_checksum_name:
1130 * @type: checksum type, see Shishi_cksumtype.
1131 *
1132 * Return value: Return name of checksum type,
1133 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
1134 **/
1135 const char *
1136 shishi_checksum_name (int32_t type)
1137 {
1138 size_t i;
1139 char *p;
1140
1141 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1142 {
1143 if (type == checksums[i]->type)
1144 return checksums[i]->name;
1145 }
1146
1147 asprintf (&p, "unknown checksum %d", type);
1148 return p;
1149 }
1150
1151 /**
1152 * shishi_checksum_cksumlen:
1153 * @type: checksum type, see Shishi_cksumtype.
1154 *
1155 * Return value: Return length of checksum used for the checksum type,
1156 * as defined in the standards.
1157 **/
1158 size_t
1159 shishi_checksum_cksumlen (int32_t type)
1160 {
1161 size_t i;
1162
1163 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1164 if (type == checksums[i]->type)
1165 return checksums[i]->cksumlen;
1166
1167 return -1;
1168 }
1169
1170 /**
1171 * shishi_checksum_parse:
1172 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
1173 *
1174 * Return value: Return checksum type, see Shishi_cksumtype,
1175 * corresponding to a string.
1176 **/
1177 int
1178 shishi_checksum_parse (const char *checksum)
1179 {
1180 size_t i;
1181 char *endptr;
1182
1183 i = strtol (checksum, &endptr, 0);
1184
1185 if (endptr != checksum)
1186 return i;
1187
1188 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1189 if (strcasecmp (checksum, checksums[i]->name) == 0)
1190 return checksums[i]->type;
1191
1192 return -1;
1193 }
1194
1195 static Shishi_checksum_function
1196 _shishi_checksum (int32_t type)
1197 {
1198 size_t i;
1199
1200 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1201 if (type == checksums[i]->type)
1202 return checksums[i]->checksum;
1203
1204 return NULL;
1205 }
1206
1207 static Shishi_verify_function
1208 _shishi_verify (int32_t type)
1209 {
1210 size_t i;
1211
1212 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
1213 if (type == checksums[i]->type)
1214 return checksums[i]->verify;
1215
1216 return NULL;
1217 }
1218
1219 /**
1220 * shishi_string_to_key:
1221 * @handle: shishi handle as allocated by shishi_init().
1222 * @keytype: cryptographic encryption type, see Shishi_etype.
1223 * @password: input array with password.
1224 * @passwordlen: length of input array with password.
1225 * @salt: input array with salt.
1226 * @saltlen: length of input array with salt.
1227 * @parameter: input array with opaque encryption type specific information.
1228 * @outkey: allocated key handle that will contain new key.
1229 *
1230 * Derive key from a string (password) and salt (commonly
1231 * concatenation of realm and principal) for specified key type, and
1232 * set the type and value in the given key to the computed values.
1233 * The parameter value is specific for each keytype, and can be set if
1234 * the parameter information is not available.
1235 *
1236 * Return value: Returns %SHISHI_OK iff successful.
1237 **/
1238 int
1239 shishi_string_to_key (Shishi * handle,
1240 int32_t keytype,
1241 const char *password, size_t passwordlen,
1242 const char *salt, size_t saltlen,
1243 const char *parameter, Shishi_key * outkey)
1244 {
1245 Shishi_string_to_key_function string2key;
1246 int res;
1247
1248 shishi_key_type_set (outkey, keytype);
1249
1250 if (VERBOSECRYPTO (handle))
1251 {
1252 printf ("string_to_key (%s, password, salt)\n",
1253 shishi_key_name (outkey));
1254 printf ("\t ;; password:\n");
1255 escapeprint (password, passwordlen);
1256 hexprint (password, passwordlen);
1257 puts ("");
1258 printf ("\t ;; salt:\n");
1259 escapeprint (salt, saltlen);
1260 hexprint (salt, saltlen);
1261 puts ("");
1262 }
1263
1264 string2key = _shishi_cipher_string_to_key (shishi_key_type (outkey));
1265 if (string2key == NULL)
1266 {
1267 shishi_error_printf (handle, "Unsupported keytype %d",
1268 shishi_key_type (outkey));
1269 return SHISHI_CRYPTO_ERROR;
1270 }
1271
1272 res = (*string2key) (handle, password, passwordlen,
1273 salt, saltlen, parameter, outkey);
1274
1275 if (VERBOSECRYPTO (handle))
1276 {
1277 printf ("\t ;; string_to_key key:\n");
1278 hexprint (shishi_key_value (outkey), shishi_key_length (outkey));
1279 puts ("");
1280 binprint (shishi_key_value (outkey), shishi_key_length (outkey));
1281 puts ("");
1282 }
1283
1284 return res;
1285 }
1286
1287 /**
1288 * shishi_random_to_key:
1289 * @handle: shishi handle as allocated by shishi_init().
1290 * @keytype: cryptographic encryption type, see Shishi_etype.
1291 * @random: input array with random data.
1292 * @randomlen: length of input array with random data.
1293 * @outkey: allocated key handle that will contain new key.
1294 *
1295 * Derive key from random data for specified key type, and set the
1296 * type and value in the given key to the computed values.
1297 *
1298 * Return value: Returns %SHISHI_OK iff successful.
1299 **/
1300 int
1301 shishi_random_to_key (Shishi * handle,
1302 int32_t keytype,
1303 char *random, size_t randomlen, Shishi_key * outkey)
1304 {
1305 Shishi_random_to_key_function random2key;
1306 int res;
1307
1308 shishi_key_type_set (outkey, keytype);
1309
1310 if (VERBOSECRYPTO (handle))
1311 {
1312 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey));
1313 printf ("\t ;; random:\n");
1314 hexprint (random, randomlen);
1315 puts ("");
1316 binprint (random, randomlen);
1317 puts ("");
1318 }
1319
1320 random2key = _shishi_cipher_random_to_key (keytype);
1321 if (random2key == NULL)
1322 {
1323 shishi_error_printf (handle, "Unsupported random_to_key() ekeytype %d",
1324 keytype);
1325 return SHISHI_CRYPTO_ERROR;
1326 }
1327
1328 res = (*random2key) (handle, random, randomlen, outkey);
1329
1330 if (VERBOSECRYPTO (handle))
1331 {
1332 printf ("\t ;; random_to_key key:\n");
1333 hexprint (shishi_key_value (outkey), shishi_key_length (outkey));
1334 puts ("");
1335 binprint (shishi_key_value (outkey), shishi_key_length (outkey));
1336 puts ("");
1337 }
1338
1339 return res;
1340 }
1341
1342 /**
1343 * shishi_checksum:
1344 * @handle: shishi handle as allocated by shishi_init().
1345 * @key: key to compute checksum with.
1346 * @keyusage: integer specifying what this key is used for.
1347 * @cksumtype: the checksum algorithm to use.
1348 * @in: input array with data to integrity protect.
1349 * @inlen: size of input array with data to integrity protect.
1350 * @out: output array with newly allocated integrity protected data.
1351 * @outlen: output variable with length of output array with checksum.
1352 *
1353 * Integrity protect data using key, possibly altered by supplied key
1354 * usage. If key usage is 0, no key derivation is used. The OUT
1355 * buffer must be deallocated by the caller.
1356 *
1357 * Return value: Returns %SHISHI_OK iff successful.
1358 **/
1359 int
1360 shishi_checksum (Shishi * handle,
1361 Shishi_key * key,
1362 int keyusage,
1363 int cksumtype,
1364 const char *in, size_t inlen, char **out, size_t * outlen)
1365 {
1366 Shishi_checksum_function checksum;
1367 int res;
1368
1369 if (VERBOSECRYPTO (handle))
1370 {
1371 printf ("checksum (%s, %d, in, out)\n",
1372 shishi_key_name (key), cksumtype);
1373 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1374 hexprint (shishi_key_value (key), shishi_key_length (key));
1375 puts ("");
1376 printf ("\t ;; in:\n");
1377 escapeprint (in, inlen);
1378 hexprint (in, inlen);
1379 puts ("");
1380 }
1381
1382 if (cksumtype == 0)
1383 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1384
1385 checksum = _shishi_checksum (cksumtype);
1386 if (checksum == NULL)
1387 {
1388 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1389 return SHISHI_CRYPTO_ERROR;
1390 }
1391
1392 /* XXX? check if etype and cksumtype are compatible? */
1393
1394 res = (*checksum) (handle, key, keyusage, cksumtype,
1395 in, inlen, out, outlen);
1396
1397 if (VERBOSECRYPTO (handle))
1398 {
1399 printf ("\t ;; checksum out:\n");
1400 escapeprint (*out, *outlen);
1401 hexprint (*out, *outlen);
1402 puts ("");
1403 }
1404
1405 return res;
1406 }
1407
1408 /**
1409 * shishi_verify:
1410 * @handle: shishi handle as allocated by shishi_init().
1411 * @key: key to verify checksum with.
1412 * @keyusage: integer specifying what this key is used for.
1413 * @cksumtype: the checksum algorithm to use.
1414 * @in: input array with data that was integrity protected.
1415 * @inlen: size of input array with data that was integrity protected.
1416 * @cksum: input array with alleged checksum of data.
1417 * @cksumlen: size of input array with alleged checksum of data.
1418 *
1419 * Verify checksum of data using key, possibly altered by supplied key
1420 * usage. If key usage is 0, no key derivation is used.
1421 *
1422 * Return value: Returns %SHISHI_OK iff successful.
1423 **/
1424 int
1425 shishi_verify (Shishi * handle,
1426 Shishi_key * key,
1427 int keyusage,
1428 int cksumtype,
1429 const char *in, size_t inlen,
1430 const char *cksum, size_t cksumlen)
1431 {
1432 Shishi_verify_function verify;
1433 int res;
1434
1435 if (VERBOSECRYPTO (handle))
1436 {
1437 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key), cksumtype);
1438 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1439 hexprint (shishi_key_value (key), shishi_key_length (key));
1440 puts ("");
1441 printf ("\t ;; data:\n");
1442 escapeprint (in, inlen);
1443 hexprint (in, inlen);
1444 puts ("");
1445 printf ("\t ;; mic:\n");
1446 escapeprint (cksum, cksumlen);
1447 hexprint (cksum, cksumlen);
1448 puts ("");
1449 }
1450
1451 if (cksumtype == 0)
1452 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1453
1454 verify = _shishi_verify (cksumtype);
1455 if (verify == NULL)
1456 {
1457 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1458 return SHISHI_CRYPTO_ERROR;
1459 }
1460
1461 /* XXX? check if etype and cksumtype are compatible? */
1462
1463 res = (*verify) (handle, key, keyusage, cksumtype,
1464 in, inlen, cksum, cksumlen);
1465
1466 if (VERBOSECRYPTO (handle))
1467 printf ("\t ;; verify return: %d\n", res);
1468
1469 return res;
1470 }
1471
1472 /**
1473 * shishi_encrypt_ivupdate_etype:
1474 * @handle: shishi handle as allocated by shishi_init().
1475 * @key: key to encrypt with.
1476 * @keyusage: integer specifying what this key is encrypting.
1477 * @etype: integer specifying what cipher to use.
1478 * @iv: input array with initialization vector
1479 * @ivlen: size of input array with initialization vector.
1480 * @ivout: output array with newly allocated updated initialization vector.
1481 * @ivoutlen: size of output array with updated initialization vector.
1482 * @in: input array with data to encrypt.
1483 * @inlen: size of input array with data to encrypt.
1484 * @out: output array with newly allocated encrypted data.
1485 * @outlen: output variable with size of newly allocated output array.
1486 *
1487 * Encrypts data as per encryption method using specified
1488 * initialization vector and key. The key actually used is derived
1489 * using the key usage. If key usage is 0, no key derivation is used.
1490 * The OUT buffer must be deallocated by the caller. If IVOUT or
1491 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1492 *
1493 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1494 * exactly, some Kerberos encryption types add pad to make the data
1495 * fit into the block size of the encryption algorithm. Furthermore,
1496 * the pad is not guaranteed to look in any special way, although
1497 * existing implementations often pad with the zero byte. This means
1498 * that you may have to "frame" data, so it is possible to infer the
1499 * original length after decryption. Compare ASN.1 DER which contains
1500 * such information.
1501 *
1502 * Return value: Returns %SHISHI_OK iff successful.
1503 **/
1504 int
1505 shishi_encrypt_ivupdate_etype (Shishi * handle,
1506 Shishi_key * key,
1507 int keyusage,
1508 int32_t etype,
1509 const char *iv, size_t ivlen,
1510 char **ivout, size_t * ivoutlen,
1511 const char *in, size_t inlen,
1512 char **out, size_t * outlen)
1513 {
1514 Shishi_encrypt_function encrypt;
1515 int res;
1516
1517 if (VERBOSECRYPTO (handle))
1518 {
1519 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1520 shishi_key_name (key), keyusage);
1521 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1522 hexprint (shishi_key_value (key), shishi_key_length (key));
1523 puts ("");
1524 printf ("\t ;; in (%d):\n", inlen);
1525 escapeprint (in, inlen);
1526 hexprint (in, inlen);
1527 puts ("");
1528 if (iv)
1529 {
1530 printf ("\t ;; iv (%d):\n", ivlen);
1531 escapeprint (iv, ivlen);
1532 hexprint (iv, ivlen);
1533 puts ("");
1534 }
1535 }
1536
1537 encrypt = _shishi_cipher_encrypt (etype);
1538 if (encrypt == NULL)
1539 {
1540 shishi_error_printf (handle, "Unsupported keytype %d",
1541 shishi_key_type (key));
1542 return SHISHI_CRYPTO_ERROR;
1543 }
1544
1545 res = (*encrypt) (handle, key, keyusage,
1546 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1547
1548 if (VERBOSECRYPTO (handle))
1549 {
1550 printf ("\t ;; encrypt out:\n");
1551 escapeprint (*out, *outlen);
1552 hexprint (*out, *outlen);
1553 puts ("");
1554 if (ivout && ivoutlen)
1555 {
1556 printf ("\t ;; iv out:\n");
1557 escapeprint (*ivout, *ivoutlen);
1558 hexprint (*ivout, *ivoutlen);
1559 puts ("");
1560 }
1561 }
1562
1563 return res;
1564 }
1565
1566 /**
1567 * shishi_encrypt_iv_etype:
1568 * @handle: shishi handle as allocated by shishi_init().
1569 * @key: key to encrypt with.
1570 * @keyusage: integer specifying what this key is encrypting.
1571 * @etype: integer specifying what cipher to use.
1572 * @iv: input array with initialization vector
1573 * @ivlen: size of input array with initialization vector.
1574 * @in: input array with data to encrypt.
1575 * @inlen: size of input array with data to encrypt.
1576 * @out: output array with newly allocated encrypted data.
1577 * @outlen: output variable with size of newly allocated output array.
1578 *
1579 * Encrypts data as per encryption method using specified
1580 * initialization vector and key. The key actually used is derived
1581 * using the key usage. If key usage is 0, no key derivation is used.
1582 * The OUT buffer must be deallocated by the caller. The next IV is
1583 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1584 *
1585 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1586 * exactly, some Kerberos encryption types add pad to make the data
1587 * fit into the block size of the encryption algorithm. Furthermore,
1588 * the pad is not guaranteed to look in any special way, although
1589 * existing implementations often pad with the zero byte. This means
1590 * that you may have to "frame" data, so it is possible to infer the
1591 * original length after decryption. Compare ASN.1 DER which contains
1592 * such information.
1593 *
1594 * Return value: Returns %SHISHI_OK iff successful.
1595 **/
1596 int
1597 shishi_encrypt_iv_etype (Shishi * handle,
1598 Shishi_key * key,
1599 int keyusage,
1600 int32_t etype,
1601 const char *iv, size_t ivlen,
1602 const char *in, size_t inlen,
1603 char **out, size_t * outlen)
1604 {
1605 return shishi_encrypt_ivupdate_etype (handle, key, keyusage, etype,
1606 iv, ivlen, NULL, NULL,
1607 in, inlen, out, outlen);
1608 }
1609
1610 /**
1611 * shishi_encrypt_etype:
1612 * @handle: shishi handle as allocated by shishi_init().
1613 * @key: key to encrypt with.
1614 * @keyusage: integer specifying what this key is encrypting.
1615 * @etype: integer specifying what cipher to use.
1616 * @in: input array with data to encrypt.
1617 * @inlen: size of input array with data to encrypt.
1618 * @out: output array with newly allocated encrypted data.
1619 * @outlen: output variable with size of newly allocated output array.
1620 *
1621 * Encrypts data as per encryption method using specified
1622 * initialization vector and key. The key actually used is derived
1623 * using the key usage. If key usage is 0, no key derivation is used.
1624 * The OUT buffer must be deallocated by the caller. The default IV
1625 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1626 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1627 *
1628 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1629 * exactly, some Kerberos encryption types add pad to make the data
1630 * fit into the block size of the encryption algorithm. Furthermore,
1631 * the pad is not guaranteed to look in any special way, although
1632 * existing implementations often pad with the zero byte. This means
1633 * that you may have to "frame" data, so it is possible to infer the
1634 * original length after decryption. Compare ASN.1 DER which contains
1635 * such information.
1636 *
1637 * Return value: Returns %SHISHI_OK iff successful.
1638 **/
1639 int
1640 shishi_encrypt_etype (Shishi * handle,
1641 Shishi_key * key,
1642 int keyusage,
1643 int32_t etype,
1644 const char *in, size_t inlen,
1645 char **out, size_t * outlen)
1646 {
1647 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1648 shishi_key_type (key),
1649 NULL, 0, NULL, NULL,
1650 in, inlen, out, outlen);
1651 }
1652
1653 /**
1654 * shishi_encrypt_ivupdate:
1655 * @handle: shishi handle as allocated by shishi_init().
1656 * @key: key to encrypt with.
1657 * @keyusage: integer specifying what this key is encrypting.
1658 * @iv: input array with initialization vector
1659 * @ivlen: size of input array with initialization vector.
1660 * @ivout: output array with newly allocated updated initialization vector.
1661 * @ivoutlen: size of output array with updated initialization vector.
1662 * @in: input array with data to encrypt.
1663 * @inlen: size of input array with data to encrypt.
1664 * @out: output array with newly allocated encrypted data.
1665 * @outlen: output variable with size of newly allocated output array.
1666 *
1667 * Encrypts data using specified initialization vector and key. The
1668 * key actually used is derived using the key usage. If key usage is
1669 * 0, no key derivation is used. The OUT buffer must be deallocated
1670 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1671 * saved anywhere.
1672 *
1673 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1674 * exactly, some Kerberos encryption types add pad to make the data
1675 * fit into the block size of the encryption algorithm. Furthermore,
1676 * the pad is not guaranteed to look in any special way, although
1677 * existing implementations often pad with the zero byte. This means
1678 * that you may have to "frame" data, so it is possible to infer the
1679 * original length after decryption. Compare ASN.1 DER which contains
1680 * such information.
1681 *
1682 * Return value: Returns %SHISHI_OK iff successful.
1683 **/
1684 int
1685 shishi_encrypt_ivupdate (Shishi * handle,
1686 Shishi_key * key,
1687 int keyusage,
1688 const char *iv, size_t ivlen,
1689 char **ivout, size_t * ivoutlen,
1690 const char *in, size_t inlen,
1691 char **out, size_t * outlen)
1692 {
1693 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1694 shishi_key_type (key),
1695 iv, ivlen, ivout, ivoutlen,
1696 in, inlen, out, outlen);
1697 }
1698
1699 /**
1700 * shishi_encrypt_iv:
1701 * @handle: shishi handle as allocated by shishi_init().
1702 * @key: key to encrypt with.
1703 * @keyusage: integer specifying what this key is encrypting.
1704 * @iv: input array with initialization vector
1705 * @ivlen: size of input array with initialization vector.
1706 * @in: input array with data to encrypt.
1707 * @inlen: size of input array with data to encrypt.
1708 * @out: output array with newly allocated encrypted data.
1709 * @outlen: output variable with size of newly allocated output array.
1710 *
1711 * Encrypts data using specified initialization vector and key. The
1712 * key actually used is derived using the key usage. If key usage is
1713 * 0, no key derivation is used. The OUT buffer must be deallocated
1714 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1715 * you need it.
1716 *
1717 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1718 * exactly, some Kerberos encryption types add pad to make the data
1719 * fit into the block size of the encryption algorithm. Furthermore,
1720 * the pad is not guaranteed to look in any special way, although
1721 * existing implementations often pad with the zero byte. This means
1722 * that you may have to "frame" data, so it is possible to infer the
1723 * original length after decryption. Compare ASN.1 DER which contains
1724 * such information.
1725 *
1726 * Return value: Returns %SHISHI_OK iff successful.
1727 **/
1728 int
1729 shishi_encrypt_iv (Shishi * handle,
1730 Shishi_key * key,
1731 int keyusage,
1732 const char *iv, size_t ivlen,
1733 const char *in, size_t inlen, char **out, size_t * outlen)
1734 {
1735 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1736 shishi_key_type (key),
1737 iv, ivlen, NULL, NULL,
1738 in, inlen, out, outlen);
1739 }
1740
1741 /**
1742 * shishi_encrypt:
1743 * @handle: shishi handle as allocated by shishi_init().
1744 * @key: key to encrypt with.
1745 * @keyusage: integer specifying what this key is encrypting.
1746 * @in: input array with data to encrypt.
1747 * @inlen: size of input array with data to encrypt.
1748 * @out: output array with newly allocated encrypted data.
1749 * @outlen: output variable with size of newly allocated output array.
1750 *
1751 * Encrypts data using specified key. The key actually used is
1752 * derived using the key usage. If key usage is 0, no key derivation
1753 * is used. The OUT buffer must be deallocated by the caller. The
1754 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1755 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1756 *
1757 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1758 * exactly, some Kerberos encryption types add pad to make the data
1759 * fit into the block size of the encryption algorithm. Furthermore,
1760 * the pad is not guaranteed to look in any special way, although
1761 * existing implementations often pad with the zero byte. This means
1762 * that you may have to "frame" data, so it is possible to infer the
1763 * original length after decryption. Compare ASN.1 DER which contains
1764 * such information.
1765 *
1766 * Return value: Returns %SHISHI_OK iff successful.
1767 **/
1768 int
1769 shishi_encrypt (Shishi * handle,
1770 Shishi_key * key,
1771 int keyusage,
1772 char *in, size_t inlen, char **out, size_t * outlen)
1773 {
1774 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1775 shishi_key_type (key),
1776 NULL, 0, NULL, NULL,
1777 in, inlen, out, outlen);
1778 }
1779
1780 /**
1781 * shishi_decrypt_ivupdate_etype:
1782 * @handle: shishi handle as allocated by shishi_init().
1783 * @key: key to decrypt with.
1784 * @keyusage: integer specifying what this key is decrypting.
1785 * @etype: integer specifying what cipher to use.
1786 * @iv: input array with initialization vector
1787 * @ivlen: size of input array with initialization vector.
1788 * @ivout: output array with newly allocated updated initialization vector.
1789 * @ivoutlen: size of output array with updated initialization vector.
1790 * @in: input array with data to decrypt.
1791 * @inlen: size of input array with data to decrypt.
1792 * @out: output array with newly allocated decrypted data.
1793 * @outlen: output variable with size of newly allocated output array.
1794 *
1795 * Decrypts data as per encryption method using specified
1796 * initialization vector and key. The key actually used is derived
1797 * using the key usage. If key usage is 0, no key derivation is used.
1798 * The OUT buffer must be deallocated by the caller. If IVOUT or
1799 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1800 *
1801 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1802 * exactly, some Kerberos encryption types add pad to make the data
1803 * fit into the block size of the encryption algorithm. Furthermore,
1804 * the pad is not guaranteed to look in any special way, although
1805 * existing implementations often pad with the zero byte. This means
1806 * that you may have to "frame" data, so it is possible to infer the
1807 * original length after decryption. Compare ASN.1 DER which contains
1808 * such information.
1809 *
1810 * Return value: Returns %SHISHI_OK iff successful.
1811 **/
1812 int
1813 shishi_decrypt_ivupdate_etype (Shishi * handle,
1814 Shishi_key * key,
1815 int keyusage,
1816 int32_t etype,
1817 const char *iv, size_t ivlen,
1818 char **ivout, size_t * ivoutlen,
1819 const char *in, size_t inlen,
1820 char **out, size_t * outlen)
1821 {
1822 Shishi_decrypt_function decrypt;
1823 int res;
1824
1825 if (VERBOSECRYPTO (handle))
1826 {
1827 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1828 shishi_key_name (key), keyusage);
1829 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1830 hexprint (shishi_key_value (key), shishi_key_length (key));
1831 puts ("");
1832 printf ("\t ;; in (%d):\n", inlen);
1833 escapeprint (in, inlen);
1834 hexprint (in, inlen);
1835 puts ("");
1836 }
1837
1838 decrypt = _shishi_cipher_decrypt (etype);
1839 if (decrypt == NULL)
1840 {
1841 shishi_error_printf (handle, "Unsupported keytype %d",
1842 shishi_key_type (key));
1843 return SHISHI_CRYPTO_ERROR;
1844 }
1845
1846 res = (*decrypt) (handle, key, keyusage,
1847 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1848
1849 if (VERBOSECRYPTO (handle))
1850 {
1851 printf ("\t ;; decrypt out:\n");
1852 escapeprint (*out, *outlen);
1853 hexprint (*out, *outlen);
1854 puts ("");
1855 }
1856
1857 return res;
1858 }
1859
1860 /**
1861 * shishi_decrypt_iv_etype:
1862 * @handle: shishi handle as allocated by shishi_init().
1863 * @key: key to decrypt with.
1864 * @keyusage: integer specifying what this key is decrypting.
1865 * @etype: integer specifying what cipher to use.
1866 * @iv: input array with initialization vector
1867 * @ivlen: size of input array with initialization vector.
1868 * @in: input array with data to decrypt.
1869 * @inlen: size of input array with data to decrypt.
1870 * @out: output array with newly allocated decrypted data.
1871 * @outlen: output variable with size of newly allocated output array.
1872 *
1873 * Decrypts data as per encryption method using specified
1874 * initialization vector and key. The key actually used is derived
1875 * using the key usage. If key usage is 0, no key derivation is used.
1876 * The OUT buffer must be deallocated by the caller. The next IV is
1877 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1878 *
1879 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1880 * exactly, some Kerberos encryption types add pad to make the data
1881 * fit into the block size of the encryption algorithm. Furthermore,
1882 * the pad is not guaranteed to look in any special way, although
1883 * existing implementations often pad with the zero byte. This means
1884 * that you may have to "frame" data, so it is possible to infer the
1885 * original length after decryption. Compare ASN.1 DER which contains
1886 * such information.
1887 *
1888 * Return value: Returns %SHISHI_OK iff successful.
1889 **/
1890 int
1891 shishi_decrypt_iv_etype (Shishi * handle,
1892 Shishi_key * key,
1893 int keyusage,
1894 int32_t etype,
1895 const char *iv, size_t ivlen,
1896 const char *in, size_t inlen,
1897 char **out, size_t * outlen)
1898 {
1899 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1900 iv, ivlen, NULL, NULL,
1901 in, inlen, out, outlen);
1902 }
1903
1904 /**
1905 * shishi_decrypt_etype:
1906 * @handle: shishi handle as allocated by shishi_init().
1907 * @key: key to decrypt with.
1908 * @keyusage: integer specifying what this key is decrypting.
1909 * @etype: integer specifying what cipher to use.
1910 * @in: input array with data to decrypt.
1911 * @inlen: size of input array with data to decrypt.
1912 * @out: output array with newly allocated decrypted data.
1913 * @outlen: output variable with size of newly allocated output array.
1914 *
1915 * Decrypts data as per encryption method using specified key. The
1916 * key actually used is derived using the key usage. If key usage is
1917 * 0, no key derivation is used. The OUT buffer must be deallocated
1918 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1919 * if you need to alter it. The next IV is lost, see
1920 * shishi_decrypt_ivupdate_etype if you need it.
1921 *
1922 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1923 * exactly, some Kerberos encryption types add pad to make the data
1924 * fit into the block size of the encryption algorithm. Furthermore,
1925 * the pad is not guaranteed to look in any special way, although
1926 * existing implementations often pad with the zero byte. This means
1927 * that you may have to "frame" data, so it is possible to infer the
1928 * original length after decryption. Compare ASN.1 DER which contains
1929 * such information.
1930 *
1931 * Return value: Returns %SHISHI_OK iff successful.
1932 **/
1933 int
1934 shishi_decrypt_etype (Shishi * handle,
1935 Shishi_key * key,
1936 int keyusage,
1937 int32_t etype,
1938 const char *in, size_t inlen,
1939 char **out, size_t * outlen)
1940 {
1941 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1942 NULL, 0, NULL, NULL,
1943 in, inlen, out, outlen);
1944 }
1945
1946 /**
1947 * shishi_decrypt_ivupdate:
1948 * @handle: shishi handle as allocated by shishi_init().
1949 * @key: key to decrypt with.
1950 * @keyusage: integer specifying what this key is decrypting.
1951 * @iv: input array with initialization vector
1952 * @ivlen: size of input array with initialization vector.
1953 * @ivout: output array with newly allocated updated initialization vector.
1954 * @ivoutlen: size of output array with updated initialization vector.
1955 * @in: input array with data to decrypt.
1956 * @inlen: size of input array with data to decrypt.
1957 * @out: output array with newly allocated decrypted data.
1958 * @outlen: output variable with size of newly allocated output array.
1959 *
1960 * Decrypts data using specified initialization vector and key. The
1961 * key actually used is derived using the key usage. If key usage is
1962 * 0, no key derivation is used. The OUT buffer must be deallocated
1963 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1964 * saved anywhere.
1965 *
1966 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1967 * exactly, some Kerberos encryption types add pad to make the data
1968 * fit into the block size of the encryption algorithm. Furthermore,
1969 * the pad is not guaranteed to look in any special way, although
1970 * existing implementations often pad with the zero byte. This means
1971 * that you may have to "frame" data, so it is possible to infer the
1972 * original length after decryption. Compare ASN.1 DER which contains
1973 * such information.
1974 *
1975 * Return value: Returns %SHISHI_OK iff successful.
1976 **/
1977 int
1978 shishi_decrypt_ivupdate (Shishi * handle,
1979 Shishi_key * key,
1980 int keyusage,
1981 const char *iv, size_t ivlen,
1982 char **ivout, size_t * ivoutlen,
1983 const char *in, size_t inlen,
1984 char **out, size_t * outlen)
1985 {
1986 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1987 shishi_key_type (key),
1988 iv, ivlen, ivout, ivoutlen,
1989 in, inlen, out, outlen);
1990 }
1991
1992 /**
1993 * shishi_decrypt_iv:
1994 * @handle: shishi handle as allocated by shishi_init().
1995 * @key: key to decrypt with.
1996 * @keyusage: integer specifying what this key is decrypting.
1997 * @iv: input array with initialization vector
1998 * @ivlen: size of input array with initialization vector.
1999 * @in: input array with data to decrypt.
2000 * @inlen: size of input array with data to decrypt.
2001 * @out: output array with newly allocated decrypted data.
2002 * @outlen: output variable with size of newly allocated output array.
2003 *
2004 * Decrypts data using specified initialization vector and key. The
2005 * key actually used is derived using the key usage. If key usage is
2006 * 0, no key derivation is used. The OUT buffer must be deallocated
2007 * by the caller. The next IV is lost, see
2008 * shishi_decrypt_ivupdate_etype if you need it.
2009 *
2010 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2011 * exactly, some Kerberos encryption types add pad to make the data
2012 * fit into the block size of the encryption algorithm. Furthermore,
2013 * the pad is not guaranteed to look in any special way, although
2014 * existing implementations often pad with the zero byte. This means
2015 * that you may have to "frame" data, so it is possible to infer the
2016 * original length after decryption. Compare ASN.1 DER which contains
2017 * such information.
2018 *
2019 * Return value: Returns %SHISHI_OK iff successful.
2020 **/
2021 int
2022 shishi_decrypt_iv (Shishi * handle,
2023 Shishi_key * key,
2024 int keyusage,
2025 const char *iv, size_t ivlen,
2026 const char *in, size_t inlen, char **out, size_t * outlen)
2027 {
2028 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
2029 shishi_key_type (key),
2030 iv, ivlen, NULL, NULL,
2031 in, inlen, out, outlen);
2032 }
2033
2034 /**
2035 * shishi_decrypt:
2036 * @handle: shishi handle as allocated by shishi_init().
2037 * @key: key to decrypt with.
2038 * @keyusage: integer specifying what this key is decrypting.
2039 * @in: input array with data to decrypt.
2040 * @inlen: size of input array with data to decrypt.
2041 * @out: output array with newly allocated decrypted data.
2042 * @outlen: output variable with size of newly allocated output array.
2043 *
2044 * Decrypts data specified key. The key actually used is derived
2045 * using the key usage. If key usage is 0, no key derivation is used.
2046 * The OUT buffer must be deallocated by the caller. The default IV
2047 * is used, see shishi_decrypt_iv if you need to alter it. The next
2048 * IV is lost, see shishi_decrypt_ivupdate if you need it.
2049 *
2050 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2051 * exactly, some Kerberos encryption types add pad to make the data
2052 * fit into the block size of the encryption algorithm. Furthermore,
2053 * the pad is not guaranteed to look in any special way, although
2054 * existing implementations often pad with the zero byte. This means
2055 * that you may have to "frame" data, so it is possible to infer the
2056 * original length after decryption. Compare ASN.1 DER which contains
2057 * such information.
2058 *
2059 * Return value: Returns %SHISHI_OK iff successful.
2060 **/
2061 int
2062 shishi_decrypt (Shishi * handle,
2063 Shishi_key * key,
2064 int keyusage,
2065 const char *in, size_t inlen, char **out, size_t * outlen)
2066 {
2067 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
2068 shishi_key_type (key),
2069 NULL, 0, NULL, NULL,
2070 in, inlen, out, outlen);
2071 }
2072
2073 /**
2074 * shishi_n_fold:
2075 * @handle: shishi handle as allocated by shishi_init().
2076 * @in: input array with data to decrypt.
2077 * @inlen: size of input array with data to decrypt ("M").
2078 * @out: output array with decrypted data.
2079 * @outlen: size of output array ("N").
2080 *
2081 * Fold data into a fixed length output array, with the intent to give
2082 * each input bit approximately equal weight in determining the value
2083 * of each output bit.
2084 *
2085 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
2086 * by Uri Blumenthal and Steven M. Bellovin,
2087 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
2088 * the sample vectors provided by the paper are incorrect.
2089 *
2090 * Return value: Returns %SHISHI_OK iff successful.
2091 **/
2092 int
2093 shishi_n_fold (Shishi * handle,
2094 const char *in, size_t inlen, char *out, size_t outlen)
2095 {
2096 int m = inlen;
2097 int n = outlen;
2098 char *buf = NULL;
2099 char *a = NULL;
2100 int lcmmn = 0;
2101 int i = 0;
2102
2103 /*
2104 To n-fold a number X, replicate the input value to a length that is
2105 the least common multiple of n and the length of X. Before each
2106 repetition, the input is rotated to the right by 13 bit
2107 positions. The successive n-bit chunks are added together using
2108 1's-complement addition (that is, addition with end-around carry)
2109 to yield a n-bit result denoted <X>_n.
2110 */
2111
2112 a = (char *) xmemdup (in, m);
2113
2114 lcmmn = lcm (m, n);
2115
2116 if (VERBOSECRYPTO (handle))
2117 {
2118 printf ("%d-fold (string)\n", n * 8);
2119 printf ("\t ;; string length %d bytes %d bits\n", m, m * 8);
2120 escapeprint (a, m);
2121 hexprint (a, m);
2122 puts ("");
2123 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
2124 8 * m, 8 * n, m, n, lcmmn);
2125 puts ("");
2126 }
2127
2128 buf = (char *) xmalloc (lcmmn);
2129
2130 /* Replicate the input th the LCMMN length */
2131 for (i = 0; i < (lcmmn / m); i++)
2132 {
2133 if (VERBOSECRYPTO (handle))
2134 {
2135 printf ("\t ;; %d-th replication\n", i + 1);
2136 printf ("string = rot13(string)\n");
2137 }
2138
2139 memcpy ((char *) &buf[i * m], a, m);
2140 rot13 (handle, a, a, m);
2141
2142 if (VERBOSECRYPTO (handle))
2143 puts ("");
2144 }
2145
2146 memset (out, 0, n); /* just in case */
2147
2148 if (VERBOSECRYPTO (handle))
2149 {
2150 printf ("\t ;; replicated string (length %d):\n", lcmmn);
2151 hexprint (buf, lcmmn);
2152 puts ("");
2153 binprint (buf, lcmmn);
2154 puts ("");
2155 printf ("sum = 0\n");
2156 }
2157
2158 /* Now we view the buf as set of n-byte strings
2159 Add the n-byte long chunks together, using
2160 one's complement addition, storing the
2161 result in the output string. */
2162
2163 for (i = 0; i < (lcmmn / n); i++)
2164 {
2165 if (VERBOSECRYPTO (handle))
2166 {
2167 printf ("\t ;; %d-th one's complement addition sum\n", i + 1);
2168 printf ("\t ;; sum:\n");
2169 hexprint (out, n);
2170 puts ("");
2171 binprint (out, n);
2172 puts ("");
2173 printf ("\t ;; A (offset %d):\n", i * n);
2174 hexprint (&buf[i * n], n);
2175 puts ("");
2176 binprint (&buf[i * n], n);
2177 puts ("");
2178 printf ("sum = ocadd(sum, A);\n");
2179 }
2180
2181 ocadd (out, (char *) &buf[i * n], out, n);
2182
2183 if (VERBOSECRYPTO (handle))
2184 {
2185 printf ("\t ;; sum:\n");
2186 hexprint (out, n);
2187 puts ("");
2188 binprint (out, n);
2189 puts ("");
2190 puts ("");
2191 }
2192 }
2193
2194 if (VERBOSECRYPTO (handle))
2195 {
2196 printf ("\t ;; nfold\n");
2197 hexprint (out, n);
2198 puts ("");
2199 binprint (out, n);
2200 puts ("");
2201 puts ("");
2202 }
2203
2204 free (buf);
2205 free (a);
2206
2207 return SHISHI_OK;
2208 }
2209
2210 #define MAX_DR_CONSTANT 1024
2211
2212 /**
2213 * shishi_dr:
2214 * @handle: shishi handle as allocated by shishi_init().
2215 * @key: input array with cryptographic key to use.
2216 * @constant: input array with the constant string.
2217 * @constantlen: size of input array with the constant string.
2218 * @derivedrandom: output array with derived random data.
2219 * @derivedrandomlen: size of output array with derived random data.
2220 *
2221 * Derive "random" data from a key and a constant thusly:
2222 * DR(KEY, CONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
2223 * SHISHI_ENCRYPT(KEY, CONSTANT)).
2224 *
2225 * Return value: Returns %SHISHI_OK iff successful.
2226 **/
2227 int
2228 shishi_dr (Shishi * handle,
2229 Shishi_key * key,
2230 const char *constant, size_t constantlen,
2231 char *derivedrandom, size_t derivedrandomlen)
2232 {
2233 char *cipher;
2234 char plaintext[MAX_DR_CONSTANT];
2235 char nfoldconstant[MAX_DR_CONSTANT];
2236 size_t blocksize = shishi_cipher_blocksize (shishi_key_type (key));
2237 size_t totlen, cipherlen;
2238 int res;
2239
2240 if (VERBOSECRYPTO (handle))
2241 {
2242 printf ("dr (%s, key, constant, %d)\n",
2243 shishi_cipher_name (shishi_key_type (key)), derivedrandomlen);
2244 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2245 hexprint (shishi_key_value (key), shishi_key_length (key));
2246 puts ("");
2247 binprint (shishi_key_value (key), shishi_key_length (key));
2248 puts ("");
2249 printf ("\t ;; constant %s':\n", constant);
2250 escapeprint (constant, constantlen);
2251 hexprint (constant, constantlen);
2252 puts ("");
2253 binprint (constant, constantlen);
2254 puts ("");
2255 puts ("");
2256 }
2257
2258 if (constantlen > MAX_DR_CONSTANT)
2259 return SHISHI_TOO_SMALL_BUFFER;
2260
2261 if (constantlen == blocksize)
2262 {
2263 memcpy (nfoldconstant, constant, constantlen);
2264 }
2265 else
2266 {
2267 res = shishi_n_fold (handle, constant, constantlen, nfoldconstant,
2268 blocksize);
2269 if (res != SHISHI_OK)
2270 return res;
2271 }
2272
2273 if (VERBOSECRYPTO (handle))
2274 {
2275 printf ("\t ;; possibly nfolded constant (length %d):\n", blocksize);
2276 escapeprint (nfoldconstant, blocksize);
2277 hexprint (nfoldconstant, blocksize);
2278 puts ("");
2279 binprint (nfoldconstant, blocksize);
2280 puts ("");
2281 }
2282
2283 memcpy (plaintext, nfoldconstant, blocksize);
2284
2285 totlen = 0;
2286 do
2287 {
2288 res = shishi_encrypt (handle, key, 0, plaintext, blocksize,
2289 &cipher, &cipherlen);
2290 if (res != SHISHI_OK)
2291 return res;
2292 if (cipherlen != blocksize)
2293 return SHISHI_CRYPTO_ERROR;
2294 memcpy (derivedrandom + totlen, cipher, cipherlen);
2295 memcpy (plaintext, cipher, cipherlen);
2296 free (cipher);
2297 totlen += cipherlen;
2298 }
2299 while (totlen < derivedrandomlen);
2300
2301 if (VERBOSECRYPTO (handle))
2302 {
2303 printf ("\t ;; derived random (length %d):\n", derivedrandomlen);
2304 hexprint (derivedrandom, derivedrandomlen);
2305 puts ("");
2306 binprint (derivedrandom, derivedrandomlen);
2307 puts ("");
2308 }
2309
2310 return SHISHI_OK;
2311 }
2312
2313 /**
2314 * shishi_dk:
2315 * @handle: shishi handle as allocated by shishi_init().
2316 * @key: input cryptographic key to use.
2317 * @constant: input array with the constant string.
2318 * @constantlen: size of input array with the constant string.
2319 * @derivedkey: pointer to derived key (allocated by caller).
2320 *
2321 * Derive a key from a key and a constant thusly:
2322 * DK(KEY, CONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, CONSTANT)).
2323 *
2324 * Return value: Returns %SHISHI_OK iff successful.
2325 **/
2326 int
2327 shishi_dk (Shishi * handle,
2328 Shishi_key * key,
2329 const char *constant, size_t constantlen, Shishi_key * derivedkey)
2330 {
2331 char random[MAX_RANDOM_LEN];
2332 int res;
2333
2334 if (VERBOSECRYPTO (handle))
2335 {
2336 printf ("dk (%s, key, constant)\n", shishi_key_name (key));
2337 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2338 hexprint (shishi_key_value (key), shishi_key_length (key));
2339 puts ("");
2340 binprint (shishi_key_value (key), shishi_key_length (key));
2341 puts ("");
2342 printf ("\t ;; constant:\n");
2343 escapeprint (constant, constantlen);
2344 hexprint (constant, constantlen);
2345 puts ("");
2346 binprint (constant, constantlen);
2347 puts ("");
2348 puts ("");
2349 }
2350
2351 shishi_key_type_set (derivedkey, shishi_key_type (key));
2352
2353 res = shishi_dr (handle, key, constant, constantlen, random,
2354 shishi_key_length (derivedkey));
2355 if (res != SHISHI_OK)
2356 return res;
2357
2358 res = shishi_random_to_key (handle, shishi_key_type (derivedkey),
2359 random, shishi_key_length (derivedkey),
2360 derivedkey);
2361 if (res != SHISHI_OK)
2362 return res;
2363
2364 return SHISHI_OK;
2365 }
2366
2367 /**
2368 * shishi_pbkdf2_sha1:
2369 * @handle: shishi handle as allocated by shishi_init().
2370 * @P: input password, an octet string
2371 * @Plen: length of password, an octet string
2372 * @S: input salt, an octet string
2373 * @Slen: length of salt, an octet string
2374 * @c: iteration count, a positive integer
2375 * @dkLen: intended length in octets of the derived key, a positive integer,
2376 * at most (2^32 - 1) * hLen. The DK array must have room for this many
2377 * characters.
2378 * @DK: output derived key, a dkLen-octet string
2379 *
2380 * Derive key using the PBKDF2 defined in PKCS5. PBKDF2 applies a
2381 * pseudorandom function to derive keys. The length of the derived key
2382 * is essentially unbounded. (However, the maximum effective search
2383 * space for the derived key may be limited by the structure of the
2384 * underlying pseudorandom function, which is this function is always
2385 * SHA1.)
2386 *
2387 * Return value: Returns SHISHI_OK iff successful.
2388 **/
2389 int
2390 shishi_pbkdf2_sha1 (Shishi * handle,
2391 const char *P, size_t Plen,
2392 const char *S, size_t Slen,
2393 unsigned int c,
2394 unsigned int dkLen, char *DK)
2395 {
2396 unsigned int hLen = 20;
2397 char U[20];
2398 char T[20];
2399 unsigned int u;
2400 unsigned int l;
2401 unsigned int r;
2402 unsigned int i;
2403 unsigned int k;
2404 char *p;
2405 int rc;
2406
2407 if (c == 0)
2408 return SHISHI_PKCS5_INVALID_ITERATION_COUNT;
2409
2410 if (dkLen == 0)
2411 return SHISHI_PKCS5_INVALID_DERIVED_KEY_LENGTH;
2412
2413 /*
2414 *
2415 * Steps:
2416 *
2417 * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
2418 * stop.
2419 */
2420
2421 if (dkLen > 4294967295U)
2422 return SHISHI_PKCS5_DERIVED_KEY_TOO_LONG;
2423
2424 /*
2425 * 2. Let l be the number of hLen-octet blocks in the derived key,
2426 * rounding up, and let r be the number of octets in the last
2427 * block:
2428 *
2429 * l = CEIL (dkLen / hLen) ,
2430 * r = dkLen - (l - 1) * hLen .
2431 *
2432 * Here, CEIL (x) is the "ceiling" function, i.e. the smallest
2433 * integer greater than, or equal to, x.
2434 */
2435
2436 l = dkLen / hLen;
2437 if (dkLen % hLen)
2438 l++;
2439 r = dkLen - (l - 1) * hLen;
2440
2441 /*
2442 * 3. For each block of the derived key apply the function F defined
2443 * below to the password P, the salt S, the iteration count c, and
2444 * the block index to compute the block:
2445 *
2446 * T_1 = F (P, S, c, 1) ,
2447 * T_2 = F (P, S, c, 2) ,
2448 * ...
2449 * T_l = F (P, S, c, l) ,
2450 *
2451 * where the function F is defined as the exclusive-or sum of the
2452 * first c iterates of the underlying pseudorandom function PRF
2453 * applied to the password P and the concatenation of the salt S
2454 * and the block index i:
2455 *
2456 * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
2457 *
2458 * where
2459 *
2460 * U_1 = PRF (P, S || INT (i)) ,
2461 * U_2 = PRF (P, U_1) ,
2462 * ...
2463 * U_c = PRF (P, U_{c-1}) .
2464 *
2465 * Here, INT (i) is a four-octet encoding of the integer i, most
2466 * significant octet first.
2467 *
2468 * 4. Concatenate the blocks and extract the first dkLen octets to
2469 * produce a derived key DK:
2470 *
2471 * DK = T_1 || T_2 || ... || T_l<0..r-1>
2472 *
2473 * 5. Output the derived key DK.
2474 *
2475 * Note. The construction of the function F follows a "belt-and-
2476 * suspenders" approach. The iterates U_i are computed recursively to
2477 * remove a degree of parallelism from an opponent; they are exclusive-
2478 * ored together to reduce concerns about the recursion degenerating
2479 * into a small set of values.
2480 *
2481 */
2482
2483 for (i = 1; i <= l; i++)
2484 {
2485 memset (T, 0, hLen);
2486
2487 for (u = 1; u <= c; u++)
2488 {
2489 if (u == 1)
2490 {
2491 char *tmp;
2492 size_t tmplen = Slen + 4;
2493
2494 tmp = alloca (tmplen);
2495
2496 memcpy (tmp, S, Slen);
2497 tmp[Slen + 0] = (i & 0xff000000) >> 24;
2498 tmp[Slen + 1] = (i & 0x00ff0000) >> 16;
2499 tmp[Slen + 2] = (i & 0x0000ff00) >> 8;
2500 tmp[Slen + 3] = (i & 0x000000ff) >> 0;
2501
2502 rc = shishi_hmac_sha1 (handle, P, Plen, tmp, tmplen, &p);
2503 }
2504 else
2505 {
2506 rc = shishi_hmac_sha1 (handle, P, Plen, U, hLen, &p);
2507 }
2508
2509 if (rc != SHISHI_OK)
2510 return rc;
2511
2512 memcpy (U, p, hLen);
2513
2514 free (p);
2515
2516 for (k = 0; k < hLen; k++)
2517 T[k] ^= U[k];
2518 }
2519
2520 memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen);
2521 }
2522
2523 return SHISHI_OK;
2524 }
Free Kerberos V5 implementation