1 /* crypto.c crypto functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
4 * This file is part of Shishi.
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 escapeprint (const char *str
, int len
)
30 for (i
= 0; i
< len
; i
++)
31 if ((str
[i
] >= 'A' && str
[i
] <= 'Z') ||
32 (str
[i
] >= 'a' && str
[i
] <= 'z') ||
33 (str
[i
] >= '0' && str
[i
] <= '9') || str
[i
] == '.')
34 printf ("%c", str
[i
] & 0xFF);
36 printf ("\\x%02x", str
[i
] & 0xFF);
37 printf ("' (length %d bytes)\n", len
);
41 hexprint (const char *str
, int len
)
46 for (i
= 0; i
< len
; i
++)
48 printf ("%02x ", str
[i
] & 0xFF);
51 if ((i
+ 1) % 16 == 0 && i
+ 1 < len
)
57 binprint (const char *str
, int len
)
62 for (i
= 0; i
< len
; i
++)
64 printf ("%d%d%d%d%d%d%d%d ",
65 str
[i
] & 0x80 ? 1 : 0,
66 str
[i
] & 0x40 ? 1 : 0,
67 str
[i
] & 0x20 ? 1 : 0,
68 str
[i
] & 0x10 ? 1 : 0,
69 str
[i
] & 0x08 ? 1 : 0,
70 str
[i
] & 0x04 ? 1 : 0,
71 str
[i
] & 0x02 ? 1 : 0, str
[i
] & 0x01 ? 1 : 0);
74 if ((i
+ 1) % 6 == 0 && i
+ 1 < len
)
80 bin7print (const char *str
, int len
)
85 for (i
= 0; i
< len
; i
++)
87 printf ("%d%d%d%d%d%d%d ",
88 str
[i
] & 0x40 ? 1 : 0,
89 str
[i
] & 0x20 ? 1 : 0,
90 str
[i
] & 0x10 ? 1 : 0,
91 str
[i
] & 0x08 ? 1 : 0,
92 str
[i
] & 0x04 ? 1 : 0,
93 str
[i
] & 0x02 ? 1 : 0, str
[i
] & 0x01 ? 1 : 0);
96 if ((i
+ 1) % 6 == 0 && i
+ 1 < len
)
107 return gcd (b
, a
% b
);
113 return a
* b
/ gcd (a
, b
);
117 rot13 (Shishi
* handle
, char *in
, char *out
, int len
)
119 if (VERBOSECRYPTO (handle
))
121 printf ("\t ;; rot 13 in:\n");
122 escapeprint (in
, len
);
132 ((in
[0] >> 5) & 0x01) |
133 ((in
[0] >> 5) & 0x02) |
134 ((in
[0] >> 5) & 0x04) |
135 ((in
[0] << 3) & 0x08) |
136 ((in
[0] << 3) & 0x10) |
137 ((in
[0] << 3) & 0x20) | ((in
[0] << 3) & 0x40) | ((in
[0] << 3) & 0x80);
141 char nexttolast
, last
;
144 nexttolast
= in
[len
- 2];
147 for (i
= len
* 8 - 1; i
>= 13; i
--)
150 char mask
= ~(1 << (7 - i
% 8));
151 int pos2
= (i
- 13) / 8;
152 char mask2
= (1 << (7 - (i
- 13) % 8));
154 out
[pos
] = (out
[pos
] & mask
) |
155 (((in
[pos2
] & mask2
) ? 0xFF : 0x00) & ~mask
);
157 out
[0] = ((nexttolast
& 0xFF) << 3) | ((last
& 0xFF) >> 5);
158 out
[1] = (in
[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last
<< 3));
161 if (VERBOSECRYPTO (handle
))
163 printf ("\t ;; rot13 out:\n");
164 escapeprint (out
, len
);
175 ocadd (char *add1
, char *add2
, char *sum
, int len
)
180 for (i
= len
- 1; i
>= 0; i
--)
182 int tmpsum
= (unsigned char) add1
[i
] + (unsigned char) add2
[i
];
184 sum
[i
] = (tmpsum
+ carry
) & 0xFF;
185 if (tmpsum
+ carry
> 0xFF)
194 for (i
= len
- 1; i
>= 0; i
--)
195 if ((unsigned char) sum
[i
] != 0xFF)
203 memset (sum
, 0, len
);
210 simplified_hmac (Shishi
* handle
,
212 const char *in
, size_t inlen
,
213 char **outhash
, size_t * outhashlen
)
216 return shishi_hmac_sha1 (handle
,
217 shishi_key_value (key
), shishi_key_length (key
),
223 simplified_hmac_verify (Shishi
* handle
,
225 const char *in
, size_t inlen
,
226 const char *hmac
, size_t hmaclen
)
233 res
= simplified_hmac (handle
, key
, in
, inlen
, &hash
, &hlen
);
234 if (res
!= SHISHI_OK
|| hash
== NULL
)
237 if (VERBOSECRYPTO (handle
))
239 printf ("\t ;; HMAC verify:\n");
240 escapeprint (hash
, hlen
);
241 hexprint (hash
, hlen
);
243 binprint (hash
, hlen
);
245 escapeprint (hmac
, hmaclen
);
246 hexprint (hmac
, hmaclen
);
248 binprint (hmac
, hmaclen
);
252 same
= (hlen
== hmaclen
) && memcmp (hash
, hmac
, hmaclen
) == 0;
258 shishi_error_printf (handle
, "HMAC verify failed");
259 return SHISHI_CRYPTO_ERROR
;
267 SHISHI_DERIVEKEYMODE_CHECKSUM
,
268 SHISHI_DERIVEKEYMODE_PRIVACY
,
269 SHISHI_DERIVEKEYMODE_INTEGRITY
271 Shishi_derivekeymode
;
274 simplified_derivekey (Shishi
* handle
,
276 int keyusage
, int derivekeymode
, Shishi_key
** outkey
)
280 Shishi_key
*derivedkey
;
282 if (VERBOSECRYPTO (handle
))
284 printf ("simplified_derivekey\n");
285 printf ("\t ;; mode %d (%s)\n", derivekeymode
,
286 derivekeymode
== SHISHI_DERIVEKEYMODE_CHECKSUM
? "checksum" :
287 derivekeymode
== SHISHI_DERIVEKEYMODE_INTEGRITY
? "integrity" :
288 derivekeymode
== SHISHI_DERIVEKEYMODE_PRIVACY
? "privacy" :
290 hexprint (shishi_key_value (key
), shishi_key_length (key
));
295 res
= shishi_key_from_value (handle
, shishi_key_type (key
),
297 if (res
!= SHISHI_OK
)
300 *outkey
= derivedkey
;
304 uint32_t tmp
= htonl (keyusage
);
305 memcpy (constant
, &tmp
, 4);
306 if (derivekeymode
== SHISHI_DERIVEKEYMODE_CHECKSUM
)
307 constant
[4] = '\x99';
308 else if (derivekeymode
== SHISHI_DERIVEKEYMODE_INTEGRITY
)
309 constant
[4] = '\x55';
310 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
311 constant
[4] = '\xAA';
313 res
= shishi_dk (handle
, key
, constant
, 5, derivedkey
);
317 shishi_key_copy (derivedkey
, key
);
320 if (VERBOSECRYPTO (handle
))
322 printf ("\t ;; simplified_derivekey out (%d):\n",
323 shishi_key_length (derivedkey
));
324 hexprint (shishi_key_value (derivedkey
),
325 shishi_key_length (derivedkey
));
333 simplified_dencrypt (Shishi
* handle
,
335 const char *iv
, size_t ivlen
,
336 char **ivout
, size_t * ivoutlen
,
337 const char *in
, size_t inlen
,
338 char **out
, size_t * outlen
, int decryptp
)
345 switch (shishi_key_type (key
))
347 case SHISHI_DES_CBC_CRC
:
348 case SHISHI_DES_CBC_MD4
:
349 case SHISHI_DES_CBC_MD5
:
352 rc
= shishi_des (handle
, decryptp
, shishi_key_value (key
),
353 iv
, ivout
, in
, inlen
, out
);
356 case SHISHI_DES3_CBC_HMAC_SHA1_KD
:
359 rc
= shishi_3des (handle
, decryptp
, shishi_key_value (key
),
360 iv
, ivout
, in
, inlen
, out
);
363 case SHISHI_AES128_CTS_HMAC_SHA1_96
:
364 case SHISHI_AES256_CTS_HMAC_SHA1_96
:
367 rc
= shishi_aes_cts (handle
, decryptp
,
368 shishi_key_value (key
), shishi_key_length (key
),
369 iv
, ivout
, in
, inlen
, out
);
373 rc
= SHISHI_CRYPTO_ERROR
;
380 simplified_encrypt (Shishi
* handle
,
383 const char *iv
, size_t ivlen
,
384 char **ivout
, size_t * ivoutlen
,
385 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
390 if ((shishi_key_type (key
) == SHISHI_DES3_CBC_HMAC_SHA1_KD
||
391 shishi_key_type (key
) == SHISHI_DES_CBC_CRC
||
392 shishi_key_type (key
) == SHISHI_DES_CBC_MD4
||
393 shishi_key_type (key
) == SHISHI_DES_CBC_MD5
) && (inlen
% 8) != 0)
394 while (((inlen
+ padzerolen
) % 8) != 0)
399 char *pt
= NULL
, *ct
= NULL
, *hmac
= NULL
;
400 int blen
= shishi_cipher_blocksize (shishi_key_type (key
));
401 size_t ctlen
, ptlen
, hmaclen
;
402 Shishi_key
*privacykey
= NULL
, *integritykey
= NULL
;
404 ptlen
= inlen
+ blen
+ padzerolen
;
405 pt
= xmalloc (ptlen
);
407 res
= shishi_randomize (handle
, pt
, blen
);
408 if (res
!= SHISHI_OK
)
411 memcpy (pt
+ blen
, in
, inlen
);
412 memset (pt
+ blen
+ inlen
, 0, padzerolen
);
414 res
= simplified_derivekey (handle
, key
, keyusage
,
415 SHISHI_DERIVEKEYMODE_PRIVACY
, &privacykey
);
416 if (res
!= SHISHI_OK
)
420 simplified_dencrypt (handle
, privacykey
, iv
, ivlen
, ivout
, ivoutlen
,
421 pt
, ptlen
, &ct
, &ctlen
, 0);
422 if (res
!= SHISHI_OK
)
426 res
= simplified_derivekey (handle
, key
, keyusage
,
427 SHISHI_DERIVEKEYMODE_INTEGRITY
,
429 if (res
!= SHISHI_OK
)
433 simplified_hmac (handle
, integritykey
, pt
, ptlen
, &hmac
, &hmaclen
);
434 if (res
!= SHISHI_OK
)
437 *outlen
= ctlen
+ hmaclen
;
438 *out
= xmalloc (*outlen
);
439 memcpy (*out
, ct
, ctlen
);
440 memcpy (*out
+ ctlen
, hmac
, hmaclen
);
444 shishi_key_done (privacykey
);
446 shishi_key_done (integritykey
);
456 res
= simplified_dencrypt (handle
, key
, iv
, ivlen
, ivout
, ivoutlen
,
457 in
, inlen
, out
, outlen
, 0);
464 simplified_decrypt (Shishi
* handle
,
467 const char *iv
, size_t ivlen
,
468 char **ivout
, size_t * ivoutlen
,
469 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
475 Shishi_key
*privacykey
= NULL
, *integritykey
= NULL
;
476 int blen
= shishi_cipher_blocksize (shishi_key_type (key
));
477 size_t hlen
= 20; /* XXX only works for SHA-1 */
479 res
= simplified_derivekey (handle
, key
, keyusage
,
480 SHISHI_DERIVEKEYMODE_PRIVACY
, &privacykey
);
481 if (res
!= SHISHI_OK
)
485 simplified_dencrypt (handle
, privacykey
, iv
, ivlen
, ivout
, ivoutlen
,
486 in
, inlen
- hlen
, out
, outlen
, 1);
487 if (res
!= SHISHI_OK
)
490 res
= simplified_derivekey (handle
, key
, keyusage
,
491 SHISHI_DERIVEKEYMODE_INTEGRITY
,
493 if (res
!= SHISHI_OK
)
496 res
= simplified_hmac_verify (handle
, integritykey
, *out
, *outlen
,
497 in
+ inlen
- hlen
, hlen
);
499 if (res
!= SHISHI_OK
)
502 memmove (*out
, *out
+ blen
, *outlen
- blen
);
503 *outlen
= *outlen
- blen
;
504 *out
= xrealloc (*out
, *outlen
);
508 shishi_key_done (privacykey
);
510 shishi_key_done (integritykey
);
514 res
= simplified_dencrypt (handle
, key
, iv
, ivlen
, ivout
, ivoutlen
,
515 in
, inlen
, out
, outlen
, 1);
522 simplified_checksum (Shishi
* handle
,
526 const char *in
, size_t inlen
,
527 char **out
, size_t * outlen
)
529 Shishi_key
*checksumkey
;
530 int cksumlen
= shishi_checksum_cksumlen (cksumtype
);
533 res
= simplified_derivekey (handle
, key
, keyusage
,
534 SHISHI_DERIVEKEYMODE_CHECKSUM
, &checksumkey
);
535 if (res
!= SHISHI_OK
)
538 res
= simplified_hmac (handle
, checksumkey
, in
, inlen
, out
, outlen
);
540 shishi_key_done (checksumkey
);
542 if (res
!= SHISHI_OK
)
550 typedef int (*Shishi_random_to_key_function
) (Shishi
* handle
,
553 Shishi_key
* outkey
);
555 typedef int (*Shishi_string_to_key_function
) (Shishi
* handle
,
556 const char *password
,
560 const char *parameter
,
561 Shishi_key
* outkey
);
563 typedef int (*Shishi_encrypt_function
) (Shishi
* handle
,
566 const char *iv
, size_t ivlen
,
567 char **ivout
, size_t * ivoutlen
,
568 const char *in
, size_t inlen
,
569 char **out
, size_t * outlen
);
571 typedef int (*Shishi_decrypt_function
) (Shishi
* handle
,
574 const char *iv
, size_t ivlen
,
575 char **ivout
, size_t * ivoutlen
,
576 const char *in
, size_t inlen
,
577 char **out
, size_t * outlen
);
579 typedef int (*Shishi_checksum_function
) (Shishi
* handle
,
583 const char *in
, size_t inlen
,
584 char **out
, size_t * outlen
);
586 typedef int (*Shishi_verify_function
) (Shishi
* handle
,
590 const char *in
, size_t inlen
,
591 const char *cksum
, size_t cksumlen
);
593 #include "crypto-null.c"
594 #include "crypto-md.c"
595 #include "crypto-des.c"
596 #include "crypto-3des.c"
597 #include "crypto-aes.c"
598 #include "crypto-rc4.c"
609 int defaultcksumtype
;
610 Shishi_random_to_key_function random2key
;
611 Shishi_string_to_key_function string2key
;
612 Shishi_encrypt_function encrypt
;
613 Shishi_decrypt_function decrypt
;
615 typedef struct cipherinfo cipherinfo
;
617 static cipherinfo null_info
= {
632 static cipherinfo des_cbc_crc_info
= {
647 static cipherinfo des_cbc_md4_info
= {
662 static cipherinfo des_cbc_md5_info
= {
677 static cipherinfo des_cbc_none_info
= {
692 static cipherinfo des3_cbc_none_info
= {
693 SHISHI_DES3_CBC_NONE
,
700 SHISHI_HMAC_SHA1_DES3_KD
,
707 static cipherinfo des3_cbc_sha1_kd_info
= {
708 SHISHI_DES3_CBC_HMAC_SHA1_KD
,
715 SHISHI_HMAC_SHA1_DES3_KD
,
722 static cipherinfo aes128_cts_hmac_sha1_96_info
= {
723 SHISHI_AES128_CTS_HMAC_SHA1_96
,
724 "aes128-cts-hmac-sha1-96",
730 SHISHI_HMAC_SHA1_96_AES128
,
731 aes128_random_to_key
,
732 aes128_string_to_key
,
737 static cipherinfo aes256_cts_hmac_sha1_96_info
= {
738 SHISHI_AES256_CTS_HMAC_SHA1_96
,
739 "aes256-cts-hmac-sha1-96",
745 SHISHI_HMAC_SHA1_96_AES256
,
746 aes256_random_to_key
,
747 aes256_string_to_key
,
752 static cipherinfo rc4_hmac_info
= {
761 rc4_hmac_random_to_key
,
762 rc4_hmac_string_to_key
,
767 static cipherinfo rc4_hmac_exp_info
= {
776 rc4_hmac_random_to_key
,
777 rc4_hmac_string_to_key
,
778 rc4_hmac_exp_encrypt
,
782 static cipherinfo
*ciphers
[] = {
789 &des3_cbc_sha1_kd_info
,
790 &aes128_cts_hmac_sha1_96_info
,
791 &aes256_cts_hmac_sha1_96_info
,
797 * shishi_cipher_supported_p:
798 * @type: encryption type, see Shishi_etype.
800 * Return value: Return 0 iff cipher is unsupported.
803 shishi_cipher_supported_p (int32_t type
)
807 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
808 if (type
== ciphers
[i
]->type
)
815 * shishi_cipher_name:
816 * @type: encryption type, see Shishi_etype.
818 * Return value: Return name of encryption type,
819 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
822 shishi_cipher_name (int32_t type
)
827 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
829 if (type
== ciphers
[i
]->type
)
830 return ciphers
[i
]->name
;
833 asprintf (&p
, "unknown cipher %d", type
);
838 * shishi_cipher_blocksize:
839 * @type: encryption type, see Shishi_etype.
841 * Return value: Return block size for encryption type, as defined in
845 shishi_cipher_blocksize (int32_t type
)
849 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
850 if (type
== ciphers
[i
]->type
)
851 return ciphers
[i
]->blocksize
;
857 * shishi_cipher_minpadsize:
858 * @type: encryption type, see Shishi_etype.
860 * Return value: Return the minimum pad size for encryption type, as
861 * defined in the standards.
864 shishi_cipher_minpadsize (int32_t type
)
868 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
869 if (type
== ciphers
[i
]->type
)
870 return ciphers
[i
]->minpadsize
;
876 * shishi_cipher_confoundersize:
877 * @type: encryption type, see Shishi_etype.
879 * Return value: Returns the size of the confounder (random data) for
880 * encryption type, as defined in the standards.
883 shishi_cipher_confoundersize (int32_t type
)
887 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
888 if (type
== ciphers
[i
]->type
)
889 return ciphers
[i
]->confoundersize
;
895 * shishi_cipher_keylen:
896 * @type: encryption type, see Shishi_etype.
898 * Return value: Return length of key used for the encryption type, as
899 * defined in the standards.
902 shishi_cipher_keylen (int32_t type
)
906 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
907 if (type
== ciphers
[i
]->type
)
908 return ciphers
[i
]->keylen
;
914 * shishi_cipher_randomlen:
915 * @type: encryption type, see Shishi_etype.
917 * Return value: Return length of random used for the encryption type,
918 * as defined in the standards.
921 shishi_cipher_randomlen (int32_t type
)
925 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
926 if (type
== ciphers
[i
]->type
)
927 return ciphers
[i
]->randomlen
;
933 * shishi_cipher_defaultcksumtype:
934 * @type: encryption type, see Shishi_etype.
936 * Return value: Return associated checksum mechanism for the
937 * encryption type, as defined in the standards.
940 shishi_cipher_defaultcksumtype (int32_t type
)
944 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
945 if (type
== ciphers
[i
]->type
)
946 return ciphers
[i
]->defaultcksumtype
;
952 * shishi_cipher_parse:
953 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
955 * Return value: Return encryption type corresponding to a string.
958 shishi_cipher_parse (const char *cipher
)
963 i
= strtol (cipher
, &endptr
, 0);
965 if (endptr
!= cipher
)
968 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
969 if (strcasecmp (cipher
, ciphers
[i
]->name
) == 0)
970 return ciphers
[i
]->type
;
975 static Shishi_random_to_key_function
976 _shishi_cipher_random_to_key (int32_t type
)
980 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
981 if (type
== ciphers
[i
]->type
)
982 return ciphers
[i
]->random2key
;
987 static Shishi_string_to_key_function
988 _shishi_cipher_string_to_key (int32_t type
)
992 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
993 if (type
== ciphers
[i
]->type
)
994 return ciphers
[i
]->string2key
;
999 static Shishi_encrypt_function
1000 _shishi_cipher_encrypt (int32_t type
)
1004 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
1005 if (type
== ciphers
[i
]->type
)
1006 return ciphers
[i
]->encrypt
;
1011 static Shishi_decrypt_function
1012 _shishi_cipher_decrypt (int32_t type
)
1016 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
1017 if (type
== ciphers
[i
]->type
)
1018 return ciphers
[i
]->decrypt
;
1028 Shishi_checksum_function checksum
;
1029 Shishi_verify_function verify
;
1031 typedef struct checksuminfo checksuminfo
;
1033 static checksuminfo md4_info
= {
1040 static checksuminfo md4_des_info
= {
1048 static checksuminfo md5_info
= {
1055 static checksuminfo md5_des_info
= {
1063 static checksuminfo md5_gss_info
= {
1064 SHISHI_RSA_MD5_DES_GSS
,
1070 static checksuminfo hmac_sha1_des3_kd_info
= {
1071 SHISHI_HMAC_SHA1_DES3_KD
,
1072 "hmac-sha1-des3-kd",
1077 static checksuminfo hmac_sha1_96_aes128_info
= {
1078 SHISHI_HMAC_SHA1_96_AES128
,
1079 "hmac-sha1-96-aes128",
1084 static checksuminfo hmac_sha1_96_aes256_info
= {
1085 SHISHI_HMAC_SHA1_96_AES256
,
1086 "hmac-sha1-96-aes256",
1091 static checksuminfo rc4_hmac_md5_info
= {
1092 SHISHI_RC4_HMAC_MD5
,
1095 rc4_hmac_md5_checksum
1098 static checksuminfo
*checksums
[] = {
1104 &hmac_sha1_des3_kd_info
,
1105 &hmac_sha1_96_aes128_info
,
1106 &hmac_sha1_96_aes256_info
,
1111 * shishi_checksum_supported_p:
1112 * @type: checksum type, see Shishi_cksumtype.
1114 * Return value: Return 0 iff checksum is unsupported.
1117 shishi_checksum_supported_p (int32_t type
)
1121 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
1122 if (type
== checksums
[i
]->type
)
1129 * shishi_checksum_name:
1130 * @type: checksum type, see Shishi_cksumtype.
1132 * Return value: Return name of checksum type,
1133 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
1136 shishi_checksum_name (int32_t type
)
1141 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
1143 if (type
== checksums
[i
]->type
)
1144 return checksums
[i
]->name
;
1147 asprintf (&p
, "unknown checksum %d", type
);
1152 * shishi_checksum_cksumlen:
1153 * @type: checksum type, see Shishi_cksumtype.
1155 * Return value: Return length of checksum used for the checksum type,
1156 * as defined in the standards.
1159 shishi_checksum_cksumlen (int32_t type
)
1163 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
1164 if (type
== checksums
[i
]->type
)
1165 return checksums
[i
]->cksumlen
;
1171 * shishi_checksum_parse:
1172 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
1174 * Return value: Return checksum type, see Shishi_cksumtype,
1175 * corresponding to a string.
1178 shishi_checksum_parse (const char *checksum
)
1183 i
= strtol (checksum
, &endptr
, 0);
1185 if (endptr
!= checksum
)
1188 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
1189 if (strcasecmp (checksum
, checksums
[i
]->name
) == 0)
1190 return checksums
[i
]->type
;
1195 static Shishi_checksum_function
1196 _shishi_checksum (int32_t type
)
1200 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
1201 if (type
== checksums
[i
]->type
)
1202 return checksums
[i
]->checksum
;
1207 static Shishi_verify_function
1208 _shishi_verify (int32_t type
)
1212 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
1213 if (type
== checksums
[i
]->type
)
1214 return checksums
[i
]->verify
;
1220 * shishi_string_to_key:
1221 * @handle: shishi handle as allocated by shishi_init().
1222 * @keytype: cryptographic encryption type, see Shishi_etype.
1223 * @password: input array with password.
1224 * @passwordlen: length of input array with password.
1225 * @salt: input array with salt.
1226 * @saltlen: length of input array with salt.
1227 * @parameter: input array with opaque encryption type specific information.
1228 * @outkey: allocated key handle that will contain new key.
1230 * Derive key from a string (password) and salt (commonly
1231 * concatenation of realm and principal) for specified key type, and
1232 * set the type and value in the given key to the computed values.
1233 * The parameter value is specific for each keytype, and can be set if
1234 * the parameter information is not available.
1236 * Return value: Returns %SHISHI_OK iff successful.
1239 shishi_string_to_key (Shishi
* handle
,
1241 const char *password
, size_t passwordlen
,
1242 const char *salt
, size_t saltlen
,
1243 const char *parameter
, Shishi_key
* outkey
)
1245 Shishi_string_to_key_function string2key
;
1248 shishi_key_type_set (outkey
, keytype
);
1250 if (VERBOSECRYPTO (handle
))
1252 printf ("string_to_key (%s, password, salt)\n",
1253 shishi_key_name (outkey
));
1254 printf ("\t ;; password:\n");
1255 escapeprint (password
, passwordlen
);
1256 hexprint (password
, passwordlen
);
1258 printf ("\t ;; salt:\n");
1259 escapeprint (salt
, saltlen
);
1260 hexprint (salt
, saltlen
);
1264 string2key
= _shishi_cipher_string_to_key (shishi_key_type (outkey
));
1265 if (string2key
== NULL
)
1267 shishi_error_printf (handle
, "Unsupported keytype %d",
1268 shishi_key_type (outkey
));
1269 return SHISHI_CRYPTO_ERROR
;
1272 res
= (*string2key
) (handle
, password
, passwordlen
,
1273 salt
, saltlen
, parameter
, outkey
);
1275 if (VERBOSECRYPTO (handle
))
1277 printf ("\t ;; string_to_key key:\n");
1278 hexprint (shishi_key_value (outkey
), shishi_key_length (outkey
));
1280 binprint (shishi_key_value (outkey
), shishi_key_length (outkey
));
1288 * shishi_random_to_key:
1289 * @handle: shishi handle as allocated by shishi_init().
1290 * @keytype: cryptographic encryption type, see Shishi_etype.
1291 * @random: input array with random data.
1292 * @randomlen: length of input array with random data.
1293 * @outkey: allocated key handle that will contain new key.
1295 * Derive key from random data for specified key type, and set the
1296 * type and value in the given key to the computed values.
1298 * Return value: Returns %SHISHI_OK iff successful.
1301 shishi_random_to_key (Shishi
* handle
,
1303 char *random
, size_t randomlen
, Shishi_key
* outkey
)
1305 Shishi_random_to_key_function random2key
;
1308 shishi_key_type_set (outkey
, keytype
);
1310 if (VERBOSECRYPTO (handle
))
1312 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey
));
1313 printf ("\t ;; random:\n");
1314 hexprint (random
, randomlen
);
1316 binprint (random
, randomlen
);
1320 random2key
= _shishi_cipher_random_to_key (keytype
);
1321 if (random2key
== NULL
)
1323 shishi_error_printf (handle
, "Unsupported random_to_key() ekeytype %d",
1325 return SHISHI_CRYPTO_ERROR
;
1328 res
= (*random2key
) (handle
, random
, randomlen
, outkey
);
1330 if (VERBOSECRYPTO (handle
))
1332 printf ("\t ;; random_to_key key:\n");
1333 hexprint (shishi_key_value (outkey
), shishi_key_length (outkey
));
1335 binprint (shishi_key_value (outkey
), shishi_key_length (outkey
));
1344 * @handle: shishi handle as allocated by shishi_init().
1345 * @key: key to compute checksum with.
1346 * @keyusage: integer specifying what this key is used for.
1347 * @cksumtype: the checksum algorithm to use.
1348 * @in: input array with data to integrity protect.
1349 * @inlen: size of input array with data to integrity protect.
1350 * @out: output array with newly allocated integrity protected data.
1351 * @outlen: output variable with length of output array with checksum.
1353 * Integrity protect data using key, possibly altered by supplied key
1354 * usage. If key usage is 0, no key derivation is used. The OUT
1355 * buffer must be deallocated by the caller.
1357 * Return value: Returns %SHISHI_OK iff successful.
1360 shishi_checksum (Shishi
* handle
,
1364 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
1366 Shishi_checksum_function checksum
;
1369 if (VERBOSECRYPTO (handle
))
1371 printf ("checksum (%s, %d, in, out)\n",
1372 shishi_key_name (key
), cksumtype
);
1373 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1374 hexprint (shishi_key_value (key
), shishi_key_length (key
));
1376 printf ("\t ;; in:\n");
1377 escapeprint (in
, inlen
);
1378 hexprint (in
, inlen
);
1383 cksumtype
= shishi_cipher_defaultcksumtype (shishi_key_type (key
));
1385 checksum
= _shishi_checksum (cksumtype
);
1386 if (checksum
== NULL
)
1388 shishi_error_printf (handle
, "Unsupported checksum type %d", cksumtype
);
1389 return SHISHI_CRYPTO_ERROR
;
1392 /* XXX? check if etype and cksumtype are compatible? */
1394 res
= (*checksum
) (handle
, key
, keyusage
, cksumtype
,
1395 in
, inlen
, out
, outlen
);
1397 if (VERBOSECRYPTO (handle
))
1399 printf ("\t ;; checksum out:\n");
1400 escapeprint (*out
, *outlen
);
1401 hexprint (*out
, *outlen
);
1410 * @handle: shishi handle as allocated by shishi_init().
1411 * @key: key to verify checksum with.
1412 * @keyusage: integer specifying what this key is used for.
1413 * @cksumtype: the checksum algorithm to use.
1414 * @in: input array with data that was integrity protected.
1415 * @inlen: size of input array with data that was integrity protected.
1416 * @cksum: input array with alleged checksum of data.
1417 * @cksumlen: size of input array with alleged checksum of data.
1419 * Verify checksum of data using key, possibly altered by supplied key
1420 * usage. If key usage is 0, no key derivation is used.
1422 * Return value: Returns %SHISHI_OK iff successful.
1425 shishi_verify (Shishi
* handle
,
1429 const char *in
, size_t inlen
,
1430 const char *cksum
, size_t cksumlen
)
1432 Shishi_verify_function verify
;
1435 if (VERBOSECRYPTO (handle
))
1437 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key
), cksumtype
);
1438 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1439 hexprint (shishi_key_value (key
), shishi_key_length (key
));
1441 printf ("\t ;; data:\n");
1442 escapeprint (in
, inlen
);
1443 hexprint (in
, inlen
);
1445 printf ("\t ;; mic:\n");
1446 escapeprint (cksum
, cksumlen
);
1447 hexprint (cksum
, cksumlen
);
1452 cksumtype
= shishi_cipher_defaultcksumtype (shishi_key_type (key
));
1454 verify
= _shishi_verify (cksumtype
);
1457 shishi_error_printf (handle
, "Unsupported checksum type %d", cksumtype
);
1458 return SHISHI_CRYPTO_ERROR
;
1461 /* XXX? check if etype and cksumtype are compatible? */
1463 res
= (*verify
) (handle
, key
, keyusage
, cksumtype
,
1464 in
, inlen
, cksum
, cksumlen
);
1466 if (VERBOSECRYPTO (handle
))
1467 printf ("\t ;; verify return: %d\n", res
);
1473 * shishi_encrypt_ivupdate_etype:
1474 * @handle: shishi handle as allocated by shishi_init().
1475 * @key: key to encrypt with.
1476 * @keyusage: integer specifying what this key is encrypting.
1477 * @etype: integer specifying what cipher to use.
1478 * @iv: input array with initialization vector
1479 * @ivlen: size of input array with initialization vector.
1480 * @ivout: output array with newly allocated updated initialization vector.
1481 * @ivoutlen: size of output array with updated initialization vector.
1482 * @in: input array with data to encrypt.
1483 * @inlen: size of input array with data to encrypt.
1484 * @out: output array with newly allocated encrypted data.
1485 * @outlen: output variable with size of newly allocated output array.
1487 * Encrypts data as per encryption method using specified
1488 * initialization vector and key. The key actually used is derived
1489 * using the key usage. If key usage is 0, no key derivation is used.
1490 * The OUT buffer must be deallocated by the caller. If IVOUT or
1491 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1493 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1494 * exactly, some Kerberos encryption types add pad to make the data
1495 * fit into the block size of the encryption algorithm. Furthermore,
1496 * the pad is not guaranteed to look in any special way, although
1497 * existing implementations often pad with the zero byte. This means
1498 * that you may have to "frame" data, so it is possible to infer the
1499 * original length after decryption. Compare ASN.1 DER which contains
1502 * Return value: Returns %SHISHI_OK iff successful.
1505 shishi_encrypt_ivupdate_etype (Shishi
* handle
,
1509 const char *iv
, size_t ivlen
,
1510 char **ivout
, size_t * ivoutlen
,
1511 const char *in
, size_t inlen
,
1512 char **out
, size_t * outlen
)
1514 Shishi_encrypt_function encrypt
;
1517 if (VERBOSECRYPTO (handle
))
1519 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1520 shishi_key_name (key
), keyusage
);
1521 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1522 hexprint (shishi_key_value (key
), shishi_key_length (key
));
1524 printf ("\t ;; in (%d):\n", inlen
);
1525 escapeprint (in
, inlen
);
1526 hexprint (in
, inlen
);
1530 printf ("\t ;; iv (%d):\n", ivlen
);
1531 escapeprint (iv
, ivlen
);
1532 hexprint (iv
, ivlen
);
1537 encrypt
= _shishi_cipher_encrypt (etype
);
1538 if (encrypt
== NULL
)
1540 shishi_error_printf (handle
, "Unsupported keytype %d",
1541 shishi_key_type (key
));
1542 return SHISHI_CRYPTO_ERROR
;
1545 res
= (*encrypt
) (handle
, key
, keyusage
,
1546 iv
, ivlen
, ivout
, ivoutlen
, in
, inlen
, out
, outlen
);
1548 if (VERBOSECRYPTO (handle
))
1550 printf ("\t ;; encrypt out:\n");
1551 escapeprint (*out
, *outlen
);
1552 hexprint (*out
, *outlen
);
1554 if (ivout
&& ivoutlen
)
1556 printf ("\t ;; iv out:\n");
1557 escapeprint (*ivout
, *ivoutlen
);
1558 hexprint (*ivout
, *ivoutlen
);
1567 * shishi_encrypt_iv_etype:
1568 * @handle: shishi handle as allocated by shishi_init().
1569 * @key: key to encrypt with.
1570 * @keyusage: integer specifying what this key is encrypting.
1571 * @etype: integer specifying what cipher to use.
1572 * @iv: input array with initialization vector
1573 * @ivlen: size of input array with initialization vector.
1574 * @in: input array with data to encrypt.
1575 * @inlen: size of input array with data to encrypt.
1576 * @out: output array with newly allocated encrypted data.
1577 * @outlen: output variable with size of newly allocated output array.
1579 * Encrypts data as per encryption method using specified
1580 * initialization vector and key. The key actually used is derived
1581 * using the key usage. If key usage is 0, no key derivation is used.
1582 * The OUT buffer must be deallocated by the caller. The next IV is
1583 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1585 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1586 * exactly, some Kerberos encryption types add pad to make the data
1587 * fit into the block size of the encryption algorithm. Furthermore,
1588 * the pad is not guaranteed to look in any special way, although
1589 * existing implementations often pad with the zero byte. This means
1590 * that you may have to "frame" data, so it is possible to infer the
1591 * original length after decryption. Compare ASN.1 DER which contains
1594 * Return value: Returns %SHISHI_OK iff successful.
1597 shishi_encrypt_iv_etype (Shishi
* handle
,
1601 const char *iv
, size_t ivlen
,
1602 const char *in
, size_t inlen
,
1603 char **out
, size_t * outlen
)
1605 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
, etype
,
1606 iv
, ivlen
, NULL
, NULL
,
1607 in
, inlen
, out
, outlen
);
1611 * shishi_encrypt_etype:
1612 * @handle: shishi handle as allocated by shishi_init().
1613 * @key: key to encrypt with.
1614 * @keyusage: integer specifying what this key is encrypting.
1615 * @etype: integer specifying what cipher to use.
1616 * @in: input array with data to encrypt.
1617 * @inlen: size of input array with data to encrypt.
1618 * @out: output array with newly allocated encrypted data.
1619 * @outlen: output variable with size of newly allocated output array.
1621 * Encrypts data as per encryption method using specified
1622 * initialization vector and key. The key actually used is derived
1623 * using the key usage. If key usage is 0, no key derivation is used.
1624 * The OUT buffer must be deallocated by the caller. The default IV
1625 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1626 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1628 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1629 * exactly, some Kerberos encryption types add pad to make the data
1630 * fit into the block size of the encryption algorithm. Furthermore,
1631 * the pad is not guaranteed to look in any special way, although
1632 * existing implementations often pad with the zero byte. This means
1633 * that you may have to "frame" data, so it is possible to infer the
1634 * original length after decryption. Compare ASN.1 DER which contains
1637 * Return value: Returns %SHISHI_OK iff successful.
1640 shishi_encrypt_etype (Shishi
* handle
,
1644 const char *in
, size_t inlen
,
1645 char **out
, size_t * outlen
)
1647 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1648 shishi_key_type (key
),
1649 NULL
, 0, NULL
, NULL
,
1650 in
, inlen
, out
, outlen
);
1654 * shishi_encrypt_ivupdate:
1655 * @handle: shishi handle as allocated by shishi_init().
1656 * @key: key to encrypt with.
1657 * @keyusage: integer specifying what this key is encrypting.
1658 * @iv: input array with initialization vector
1659 * @ivlen: size of input array with initialization vector.
1660 * @ivout: output array with newly allocated updated initialization vector.
1661 * @ivoutlen: size of output array with updated initialization vector.
1662 * @in: input array with data to encrypt.
1663 * @inlen: size of input array with data to encrypt.
1664 * @out: output array with newly allocated encrypted data.
1665 * @outlen: output variable with size of newly allocated output array.
1667 * Encrypts data using specified initialization vector and key. The
1668 * key actually used is derived using the key usage. If key usage is
1669 * 0, no key derivation is used. The OUT buffer must be deallocated
1670 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1673 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1674 * exactly, some Kerberos encryption types add pad to make the data
1675 * fit into the block size of the encryption algorithm. Furthermore,
1676 * the pad is not guaranteed to look in any special way, although
1677 * existing implementations often pad with the zero byte. This means
1678 * that you may have to "frame" data, so it is possible to infer the
1679 * original length after decryption. Compare ASN.1 DER which contains
1682 * Return value: Returns %SHISHI_OK iff successful.
1685 shishi_encrypt_ivupdate (Shishi
* handle
,
1688 const char *iv
, size_t ivlen
,
1689 char **ivout
, size_t * ivoutlen
,
1690 const char *in
, size_t inlen
,
1691 char **out
, size_t * outlen
)
1693 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1694 shishi_key_type (key
),
1695 iv
, ivlen
, ivout
, ivoutlen
,
1696 in
, inlen
, out
, outlen
);
1700 * shishi_encrypt_iv:
1701 * @handle: shishi handle as allocated by shishi_init().
1702 * @key: key to encrypt with.
1703 * @keyusage: integer specifying what this key is encrypting.
1704 * @iv: input array with initialization vector
1705 * @ivlen: size of input array with initialization vector.
1706 * @in: input array with data to encrypt.
1707 * @inlen: size of input array with data to encrypt.
1708 * @out: output array with newly allocated encrypted data.
1709 * @outlen: output variable with size of newly allocated output array.
1711 * Encrypts data using specified initialization vector and key. The
1712 * key actually used is derived using the key usage. If key usage is
1713 * 0, no key derivation is used. The OUT buffer must be deallocated
1714 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1717 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1718 * exactly, some Kerberos encryption types add pad to make the data
1719 * fit into the block size of the encryption algorithm. Furthermore,
1720 * the pad is not guaranteed to look in any special way, although
1721 * existing implementations often pad with the zero byte. This means
1722 * that you may have to "frame" data, so it is possible to infer the
1723 * original length after decryption. Compare ASN.1 DER which contains
1726 * Return value: Returns %SHISHI_OK iff successful.
1729 shishi_encrypt_iv (Shishi
* handle
,
1732 const char *iv
, size_t ivlen
,
1733 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
1735 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1736 shishi_key_type (key
),
1737 iv
, ivlen
, NULL
, NULL
,
1738 in
, inlen
, out
, outlen
);
1743 * @handle: shishi handle as allocated by shishi_init().
1744 * @key: key to encrypt with.
1745 * @keyusage: integer specifying what this key is encrypting.
1746 * @in: input array with data to encrypt.
1747 * @inlen: size of input array with data to encrypt.
1748 * @out: output array with newly allocated encrypted data.
1749 * @outlen: output variable with size of newly allocated output array.
1751 * Encrypts data using specified key. The key actually used is
1752 * derived using the key usage. If key usage is 0, no key derivation
1753 * is used. The OUT buffer must be deallocated by the caller. The
1754 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1755 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1757 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1758 * exactly, some Kerberos encryption types add pad to make the data
1759 * fit into the block size of the encryption algorithm. Furthermore,
1760 * the pad is not guaranteed to look in any special way, although
1761 * existing implementations often pad with the zero byte. This means
1762 * that you may have to "frame" data, so it is possible to infer the
1763 * original length after decryption. Compare ASN.1 DER which contains
1766 * Return value: Returns %SHISHI_OK iff successful.
1769 shishi_encrypt (Shishi
* handle
,
1772 char *in
, size_t inlen
, char **out
, size_t * outlen
)
1774 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1775 shishi_key_type (key
),
1776 NULL
, 0, NULL
, NULL
,
1777 in
, inlen
, out
, outlen
);
1781 * shishi_decrypt_ivupdate_etype:
1782 * @handle: shishi handle as allocated by shishi_init().
1783 * @key: key to decrypt with.
1784 * @keyusage: integer specifying what this key is decrypting.
1785 * @etype: integer specifying what cipher to use.
1786 * @iv: input array with initialization vector
1787 * @ivlen: size of input array with initialization vector.
1788 * @ivout: output array with newly allocated updated initialization vector.
1789 * @ivoutlen: size of output array with updated initialization vector.
1790 * @in: input array with data to decrypt.
1791 * @inlen: size of input array with data to decrypt.
1792 * @out: output array with newly allocated decrypted data.
1793 * @outlen: output variable with size of newly allocated output array.
1795 * Decrypts data as per encryption method using specified
1796 * initialization vector and key. The key actually used is derived
1797 * using the key usage. If key usage is 0, no key derivation is used.
1798 * The OUT buffer must be deallocated by the caller. If IVOUT or
1799 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1801 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1802 * exactly, some Kerberos encryption types add pad to make the data
1803 * fit into the block size of the encryption algorithm. Furthermore,
1804 * the pad is not guaranteed to look in any special way, although
1805 * existing implementations often pad with the zero byte. This means
1806 * that you may have to "frame" data, so it is possible to infer the
1807 * original length after decryption. Compare ASN.1 DER which contains
1810 * Return value: Returns %SHISHI_OK iff successful.
1813 shishi_decrypt_ivupdate_etype (Shishi
* handle
,
1817 const char *iv
, size_t ivlen
,
1818 char **ivout
, size_t * ivoutlen
,
1819 const char *in
, size_t inlen
,
1820 char **out
, size_t * outlen
)
1822 Shishi_decrypt_function decrypt
;
1825 if (VERBOSECRYPTO (handle
))
1827 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1828 shishi_key_name (key
), keyusage
);
1829 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1830 hexprint (shishi_key_value (key
), shishi_key_length (key
));
1832 printf ("\t ;; in (%d):\n", inlen
);
1833 escapeprint (in
, inlen
);
1834 hexprint (in
, inlen
);
1838 decrypt
= _shishi_cipher_decrypt (etype
);
1839 if (decrypt
== NULL
)
1841 shishi_error_printf (handle
, "Unsupported keytype %d",
1842 shishi_key_type (key
));
1843 return SHISHI_CRYPTO_ERROR
;
1846 res
= (*decrypt
) (handle
, key
, keyusage
,
1847 iv
, ivlen
, ivout
, ivoutlen
, in
, inlen
, out
, outlen
);
1849 if (VERBOSECRYPTO (handle
))
1851 printf ("\t ;; decrypt out:\n");
1852 escapeprint (*out
, *outlen
);
1853 hexprint (*out
, *outlen
);
1861 * shishi_decrypt_iv_etype:
1862 * @handle: shishi handle as allocated by shishi_init().
1863 * @key: key to decrypt with.
1864 * @keyusage: integer specifying what this key is decrypting.
1865 * @etype: integer specifying what cipher to use.
1866 * @iv: input array with initialization vector
1867 * @ivlen: size of input array with initialization vector.
1868 * @in: input array with data to decrypt.
1869 * @inlen: size of input array with data to decrypt.
1870 * @out: output array with newly allocated decrypted data.
1871 * @outlen: output variable with size of newly allocated output array.
1873 * Decrypts data as per encryption method using specified
1874 * initialization vector and key. The key actually used is derived
1875 * using the key usage. If key usage is 0, no key derivation is used.
1876 * The OUT buffer must be deallocated by the caller. The next IV is
1877 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1879 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1880 * exactly, some Kerberos encryption types add pad to make the data
1881 * fit into the block size of the encryption algorithm. Furthermore,
1882 * the pad is not guaranteed to look in any special way, although
1883 * existing implementations often pad with the zero byte. This means
1884 * that you may have to "frame" data, so it is possible to infer the
1885 * original length after decryption. Compare ASN.1 DER which contains
1888 * Return value: Returns %SHISHI_OK iff successful.
1891 shishi_decrypt_iv_etype (Shishi
* handle
,
1895 const char *iv
, size_t ivlen
,
1896 const char *in
, size_t inlen
,
1897 char **out
, size_t * outlen
)
1899 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
, etype
,
1900 iv
, ivlen
, NULL
, NULL
,
1901 in
, inlen
, out
, outlen
);
1905 * shishi_decrypt_etype:
1906 * @handle: shishi handle as allocated by shishi_init().
1907 * @key: key to decrypt with.
1908 * @keyusage: integer specifying what this key is decrypting.
1909 * @etype: integer specifying what cipher to use.
1910 * @in: input array with data to decrypt.
1911 * @inlen: size of input array with data to decrypt.
1912 * @out: output array with newly allocated decrypted data.
1913 * @outlen: output variable with size of newly allocated output array.
1915 * Decrypts data as per encryption method using specified key. The
1916 * key actually used is derived using the key usage. If key usage is
1917 * 0, no key derivation is used. The OUT buffer must be deallocated
1918 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1919 * if you need to alter it. The next IV is lost, see
1920 * shishi_decrypt_ivupdate_etype if you need it.
1922 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1923 * exactly, some Kerberos encryption types add pad to make the data
1924 * fit into the block size of the encryption algorithm. Furthermore,
1925 * the pad is not guaranteed to look in any special way, although
1926 * existing implementations often pad with the zero byte. This means
1927 * that you may have to "frame" data, so it is possible to infer the
1928 * original length after decryption. Compare ASN.1 DER which contains
1931 * Return value: Returns %SHISHI_OK iff successful.
1934 shishi_decrypt_etype (Shishi
* handle
,
1938 const char *in
, size_t inlen
,
1939 char **out
, size_t * outlen
)
1941 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
, etype
,
1942 NULL
, 0, NULL
, NULL
,
1943 in
, inlen
, out
, outlen
);
1947 * shishi_decrypt_ivupdate:
1948 * @handle: shishi handle as allocated by shishi_init().
1949 * @key: key to decrypt with.
1950 * @keyusage: integer specifying what this key is decrypting.
1951 * @iv: input array with initialization vector
1952 * @ivlen: size of input array with initialization vector.
1953 * @ivout: output array with newly allocated updated initialization vector.
1954 * @ivoutlen: size of output array with updated initialization vector.
1955 * @in: input array with data to decrypt.
1956 * @inlen: size of input array with data to decrypt.
1957 * @out: output array with newly allocated decrypted data.
1958 * @outlen: output variable with size of newly allocated output array.
1960 * Decrypts data using specified initialization vector and key. The
1961 * key actually used is derived using the key usage. If key usage is
1962 * 0, no key derivation is used. The OUT buffer must be deallocated
1963 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1966 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1967 * exactly, some Kerberos encryption types add pad to make the data
1968 * fit into the block size of the encryption algorithm. Furthermore,
1969 * the pad is not guaranteed to look in any special way, although
1970 * existing implementations often pad with the zero byte. This means
1971 * that you may have to "frame" data, so it is possible to infer the
1972 * original length after decryption. Compare ASN.1 DER which contains
1975 * Return value: Returns %SHISHI_OK iff successful.
1978 shishi_decrypt_ivupdate (Shishi
* handle
,
1981 const char *iv
, size_t ivlen
,
1982 char **ivout
, size_t * ivoutlen
,
1983 const char *in
, size_t inlen
,
1984 char **out
, size_t * outlen
)
1986 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
,
1987 shishi_key_type (key
),
1988 iv
, ivlen
, ivout
, ivoutlen
,
1989 in
, inlen
, out
, outlen
);
1993 * shishi_decrypt_iv:
1994 * @handle: shishi handle as allocated by shishi_init().
1995 * @key: key to decrypt with.
1996 * @keyusage: integer specifying what this key is decrypting.
1997 * @iv: input array with initialization vector
1998 * @ivlen: size of input array with initialization vector.
1999 * @in: input array with data to decrypt.
2000 * @inlen: size of input array with data to decrypt.
2001 * @out: output array with newly allocated decrypted data.
2002 * @outlen: output variable with size of newly allocated output array.
2004 * Decrypts data using specified initialization vector and key. The
2005 * key actually used is derived using the key usage. If key usage is
2006 * 0, no key derivation is used. The OUT buffer must be deallocated
2007 * by the caller. The next IV is lost, see
2008 * shishi_decrypt_ivupdate_etype if you need it.
2010 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2011 * exactly, some Kerberos encryption types add pad to make the data
2012 * fit into the block size of the encryption algorithm. Furthermore,
2013 * the pad is not guaranteed to look in any special way, although
2014 * existing implementations often pad with the zero byte. This means
2015 * that you may have to "frame" data, so it is possible to infer the
2016 * original length after decryption. Compare ASN.1 DER which contains
2019 * Return value: Returns %SHISHI_OK iff successful.
2022 shishi_decrypt_iv (Shishi
* handle
,
2025 const char *iv
, size_t ivlen
,
2026 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
2028 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
,
2029 shishi_key_type (key
),
2030 iv
, ivlen
, NULL
, NULL
,
2031 in
, inlen
, out
, outlen
);
2036 * @handle: shishi handle as allocated by shishi_init().
2037 * @key: key to decrypt with.
2038 * @keyusage: integer specifying what this key is decrypting.
2039 * @in: input array with data to decrypt.
2040 * @inlen: size of input array with data to decrypt.
2041 * @out: output array with newly allocated decrypted data.
2042 * @outlen: output variable with size of newly allocated output array.
2044 * Decrypts data specified key. The key actually used is derived
2045 * using the key usage. If key usage is 0, no key derivation is used.
2046 * The OUT buffer must be deallocated by the caller. The default IV
2047 * is used, see shishi_decrypt_iv if you need to alter it. The next
2048 * IV is lost, see shishi_decrypt_ivupdate if you need it.
2050 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
2051 * exactly, some Kerberos encryption types add pad to make the data
2052 * fit into the block size of the encryption algorithm. Furthermore,
2053 * the pad is not guaranteed to look in any special way, although
2054 * existing implementations often pad with the zero byte. This means
2055 * that you may have to "frame" data, so it is possible to infer the
2056 * original length after decryption. Compare ASN.1 DER which contains
2059 * Return value: Returns %SHISHI_OK iff successful.
2062 shishi_decrypt (Shishi
* handle
,
2065 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
2067 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
,
2068 shishi_key_type (key
),
2069 NULL
, 0, NULL
, NULL
,
2070 in
, inlen
, out
, outlen
);
2075 * @handle: shishi handle as allocated by shishi_init().
2076 * @in: input array with data to decrypt.
2077 * @inlen: size of input array with data to decrypt ("M").
2078 * @out: output array with decrypted data.
2079 * @outlen: size of output array ("N").
2081 * Fold data into a fixed length output array, with the intent to give
2082 * each input bit approximately equal weight in determining the value
2083 * of each output bit.
2085 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
2086 * by Uri Blumenthal and Steven M. Bellovin,
2087 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
2088 * the sample vectors provided by the paper are incorrect.
2090 * Return value: Returns %SHISHI_OK iff successful.
2093 shishi_n_fold (Shishi
* handle
,
2094 const char *in
, size_t inlen
, char *out
, size_t outlen
)
2104 To n-fold a number X, replicate the input value to a length that is
2105 the least common multiple of n and the length of X. Before each
2106 repetition, the input is rotated to the right by 13 bit
2107 positions. The successive n-bit chunks are added together using
2108 1's-complement addition (that is, addition with end-around carry)
2109 to yield a n-bit result denoted <X>_n.
2112 a
= (char *) xmemdup (in
, m
);
2116 if (VERBOSECRYPTO (handle
))
2118 printf ("%d-fold (string)\n", n
* 8);
2119 printf ("\t ;; string length %d bytes %d bits\n", m
, m
* 8);
2123 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
2124 8 * m
, 8 * n
, m
, n
, lcmmn
);
2128 buf
= (char *) xmalloc (lcmmn
);
2130 /* Replicate the input th the LCMMN length */
2131 for (i
= 0; i
< (lcmmn
/ m
); i
++)
2133 if (VERBOSECRYPTO (handle
))
2135 printf ("\t ;; %d-th replication\n", i
+ 1);
2136 printf ("string = rot13(string)\n");
2139 memcpy ((char *) &buf
[i
* m
], a
, m
);
2140 rot13 (handle
, a
, a
, m
);
2142 if (VERBOSECRYPTO (handle
))
2146 memset (out
, 0, n
); /* just in case */
2148 if (VERBOSECRYPTO (handle
))
2150 printf ("\t ;; replicated string (length %d):\n", lcmmn
);
2151 hexprint (buf
, lcmmn
);
2153 binprint (buf
, lcmmn
);
2155 printf ("sum = 0\n");
2158 /* Now we view the buf as set of n-byte strings
2159 Add the n-byte long chunks together, using
2160 one's complement addition, storing the
2161 result in the output string. */
2163 for (i
= 0; i
< (lcmmn
/ n
); i
++)
2165 if (VERBOSECRYPTO (handle
))
2167 printf ("\t ;; %d-th one's complement addition sum\n", i
+ 1);
2168 printf ("\t ;; sum:\n");
2173 printf ("\t ;; A (offset %d):\n", i
* n
);
2174 hexprint (&buf
[i
* n
], n
);
2176 binprint (&buf
[i
* n
], n
);
2178 printf ("sum = ocadd(sum, A);\n");
2181 ocadd (out
, (char *) &buf
[i
* n
], out
, n
);
2183 if (VERBOSECRYPTO (handle
))
2185 printf ("\t ;; sum:\n");
2194 if (VERBOSECRYPTO (handle
))
2196 printf ("\t ;; nfold\n");
2210 #define MAX_DR_CONSTANT 1024
2214 * @handle: shishi handle as allocated by shishi_init().
2215 * @key: input array with cryptographic key to use.
2216 * @constant: input array with the constant string.
2217 * @constantlen: size of input array with the constant string.
2218 * @derivedrandom: output array with derived random data.
2219 * @derivedrandomlen: size of output array with derived random data.
2221 * Derive "random" data from a key and a constant thusly:
2222 * DR(KEY, CONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
2223 * SHISHI_ENCRYPT(KEY, CONSTANT)).
2225 * Return value: Returns %SHISHI_OK iff successful.
2228 shishi_dr (Shishi
* handle
,
2230 const char *constant
, size_t constantlen
,
2231 char *derivedrandom
, size_t derivedrandomlen
)
2234 char plaintext
[MAX_DR_CONSTANT
];
2235 char nfoldconstant
[MAX_DR_CONSTANT
];
2236 size_t blocksize
= shishi_cipher_blocksize (shishi_key_type (key
));
2237 size_t totlen
, cipherlen
;
2240 if (VERBOSECRYPTO (handle
))
2242 printf ("dr (%s, key, constant, %d)\n",
2243 shishi_cipher_name (shishi_key_type (key
)), derivedrandomlen
);
2244 printf ("\t ;; key (length %d):\n", shishi_key_length (key
));
2245 hexprint (shishi_key_value (key
), shishi_key_length (key
));
2247 binprint (shishi_key_value (key
), shishi_key_length (key
));
2249 printf ("\t ;; constant %s':\n", constant
);
2250 escapeprint (constant
, constantlen
);
2251 hexprint (constant
, constantlen
);
2253 binprint (constant
, constantlen
);
2258 if (constantlen
> MAX_DR_CONSTANT
)
2259 return SHISHI_TOO_SMALL_BUFFER
;
2261 if (constantlen
== blocksize
)
2263 memcpy (nfoldconstant
, constant
, constantlen
);
2267 res
= shishi_n_fold (handle
, constant
, constantlen
, nfoldconstant
,
2269 if (res
!= SHISHI_OK
)
2273 if (VERBOSECRYPTO (handle
))
2275 printf ("\t ;; possibly nfolded constant (length %d):\n", blocksize
);
2276 escapeprint (nfoldconstant
, blocksize
);
2277 hexprint (nfoldconstant
, blocksize
);
2279 binprint (nfoldconstant
, blocksize
);
2283 memcpy (plaintext
, nfoldconstant
, blocksize
);
2288 res
= shishi_encrypt (handle
, key
, 0, plaintext
, blocksize
,
2289 &cipher
, &cipherlen
);
2290 if (res
!= SHISHI_OK
)
2292 if (cipherlen
!= blocksize
)
2293 return SHISHI_CRYPTO_ERROR
;
2294 memcpy (derivedrandom
+ totlen
, cipher
, cipherlen
);
2295 memcpy (plaintext
, cipher
, cipherlen
);
2297 totlen
+= cipherlen
;
2299 while (totlen
< derivedrandomlen
);
2301 if (VERBOSECRYPTO (handle
))
2303 printf ("\t ;; derived random (length %d):\n", derivedrandomlen
);
2304 hexprint (derivedrandom
, derivedrandomlen
);
2306 binprint (derivedrandom
, derivedrandomlen
);
2315 * @handle: shishi handle as allocated by shishi_init().
2316 * @key: input cryptographic key to use.
2317 * @constant: input array with the constant string.
2318 * @constantlen: size of input array with the constant string.
2319 * @derivedkey: pointer to derived key (allocated by caller).
2321 * Derive a key from a key and a constant thusly:
2322 * DK(KEY, CONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, CONSTANT)).
2324 * Return value: Returns %SHISHI_OK iff successful.
2327 shishi_dk (Shishi
* handle
,
2329 const char *constant
, size_t constantlen
, Shishi_key
* derivedkey
)
2331 char random
[MAX_RANDOM_LEN
];
2334 if (VERBOSECRYPTO (handle
))
2336 printf ("dk (%s, key, constant)\n", shishi_key_name (key
));
2337 printf ("\t ;; key (length %d):\n", shishi_key_length (key
));
2338 hexprint (shishi_key_value (key
), shishi_key_length (key
));
2340 binprint (shishi_key_value (key
), shishi_key_length (key
));
2342 printf ("\t ;; constant:\n");
2343 escapeprint (constant
, constantlen
);
2344 hexprint (constant
, constantlen
);
2346 binprint (constant
, constantlen
);
2351 shishi_key_type_set (derivedkey
, shishi_key_type (key
));
2353 res
= shishi_dr (handle
, key
, constant
, constantlen
, random
,
2354 shishi_key_length (derivedkey
));
2355 if (res
!= SHISHI_OK
)
2358 res
= shishi_random_to_key (handle
, shishi_key_type (derivedkey
),
2359 random
, shishi_key_length (derivedkey
),
2361 if (res
!= SHISHI_OK
)
2368 * shishi_pbkdf2_sha1:
2369 * @handle: shishi handle as allocated by shishi_init().
2370 * @P: input password, an octet string
2371 * @Plen: length of password, an octet string
2372 * @S: input salt, an octet string
2373 * @Slen: length of salt, an octet string
2374 * @c: iteration count, a positive integer
2375 * @dkLen: intended length in octets of the derived key, a positive integer,
2376 * at most (2^32 - 1) * hLen. The DK array must have room for this many
2378 * @DK: output derived key, a dkLen-octet string
2380 * Derive key using the PBKDF2 defined in PKCS5. PBKDF2 applies a
2381 * pseudorandom function to derive keys. The length of the derived key
2382 * is essentially unbounded. (However, the maximum effective search
2383 * space for the derived key may be limited by the structure of the
2384 * underlying pseudorandom function, which is this function is always
2387 * Return value: Returns SHISHI_OK iff successful.
2390 shishi_pbkdf2_sha1 (Shishi
* handle
,
2391 const char *P
, size_t Plen
,
2392 const char *S
, size_t Slen
,
2394 unsigned int dkLen
, char *DK
)
2396 unsigned int hLen
= 20;
2408 return SHISHI_PKCS5_INVALID_ITERATION_COUNT
;
2411 return SHISHI_PKCS5_INVALID_DERIVED_KEY_LENGTH
;
2417 * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
2421 if (dkLen
> 4294967295U)
2422 return SHISHI_PKCS5_DERIVED_KEY_TOO_LONG
;
2425 * 2. Let l be the number of hLen-octet blocks in the derived key,
2426 * rounding up, and let r be the number of octets in the last
2429 * l = CEIL (dkLen / hLen) ,
2430 * r = dkLen - (l - 1) * hLen .
2432 * Here, CEIL (x) is the "ceiling" function, i.e. the smallest
2433 * integer greater than, or equal to, x.
2439 r
= dkLen
- (l
- 1) * hLen
;
2442 * 3. For each block of the derived key apply the function F defined
2443 * below to the password P, the salt S, the iteration count c, and
2444 * the block index to compute the block:
2446 * T_1 = F (P, S, c, 1) ,
2447 * T_2 = F (P, S, c, 2) ,
2449 * T_l = F (P, S, c, l) ,
2451 * where the function F is defined as the exclusive-or sum of the
2452 * first c iterates of the underlying pseudorandom function PRF
2453 * applied to the password P and the concatenation of the salt S
2454 * and the block index i:
2456 * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
2460 * U_1 = PRF (P, S || INT (i)) ,
2461 * U_2 = PRF (P, U_1) ,
2463 * U_c = PRF (P, U_{c-1}) .
2465 * Here, INT (i) is a four-octet encoding of the integer i, most
2466 * significant octet first.
2468 * 4. Concatenate the blocks and extract the first dkLen octets to
2469 * produce a derived key DK:
2471 * DK = T_1 || T_2 || ... || T_l<0..r-1>
2473 * 5. Output the derived key DK.
2475 * Note. The construction of the function F follows a "belt-and-
2476 * suspenders" approach. The iterates U_i are computed recursively to
2477 * remove a degree of parallelism from an opponent; they are exclusive-
2478 * ored together to reduce concerns about the recursion degenerating
2479 * into a small set of values.
2483 for (i
= 1; i
<= l
; i
++)
2485 memset (T
, 0, hLen
);
2487 for (u
= 1; u
<= c
; u
++)
2492 size_t tmplen
= Slen
+ 4;
2494 tmp
= alloca (tmplen
);
2496 memcpy (tmp
, S
, Slen
);
2497 tmp
[Slen
+ 0] = (i
& 0xff000000) >> 24;
2498 tmp
[Slen
+ 1] = (i
& 0x00ff0000) >> 16;
2499 tmp
[Slen
+ 2] = (i
& 0x0000ff00) >> 8;
2500 tmp
[Slen
+ 3] = (i
& 0x000000ff) >> 0;
2502 rc
= shishi_hmac_sha1 (handle
, P
, Plen
, tmp
, tmplen
, &p
);
2506 rc
= shishi_hmac_sha1 (handle
, P
, Plen
, U
, hLen
, &p
);
2509 if (rc
!= SHISHI_OK
)
2512 memcpy (U
, p
, hLen
);
2516 for (k
= 0; k
< hLen
; k
++)
2520 memcpy (DK
+ (i
- 1) * hLen
, T
, i
== l
? r
: hLen
);