Fix.
[shishi.git] / lib / crypto.c
blobd4933696c3f5c8bf5707075ff21e909103f5ef4e
1 /* crypto.c crypto functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
4 * This file is part of Shishi.
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include "internal.h"
23 #include "crypto.h"
25 static int
26 gcd (int a, int b)
28 if (b == 0)
29 return a;
30 else
31 return gcd (b, a % b);
34 static int
35 lcm (int a, int b)
37 return a * b / gcd (a, b);
40 static void
41 rot13 (Shishi * handle, char *in, char *out, int len)
43 if (VERBOSECRYPTO (handle))
45 printf ("\t ;; rot 13 in:\n");
46 _shishi_escapeprint (in, len);
47 _shishi_hexprint (in, len);
48 _shishi_binprint (in, len);
51 if (len == 1)
53 out[0] =
54 ((in[0] >> 5) & 0x01) |
55 ((in[0] >> 5) & 0x02) |
56 ((in[0] >> 5) & 0x04) |
57 ((in[0] << 3) & 0x08) |
58 ((in[0] << 3) & 0x10) |
59 ((in[0] << 3) & 0x20) | ((in[0] << 3) & 0x40) | ((in[0] << 3) & 0x80);
61 else if (len > 1)
63 char nexttolast, last;
64 int i;
66 nexttolast = in[len - 2];
67 last = in[len - 1];
69 for (i = len * 8 - 1; i >= 13; i--)
71 int pos = i / 8;
72 char mask = ~(1 << (7 - i % 8));
73 int pos2 = (i - 13) / 8;
74 char mask2 = (1 << (7 - (i - 13) % 8));
76 out[pos] = (out[pos] & mask) |
77 (((in[pos2] & mask2) ? 0xFF : 0x00) & ~mask);
79 out[0] = ((nexttolast & 0xFF) << 3) | ((last & 0xFF) >> 5);
80 out[1] = (in[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last << 3));
83 if (VERBOSECRYPTO (handle))
85 printf ("\t ;; rot13 out:\n");
86 _shishi_escapeprint (out, len);
87 _shishi_hexprint (out, len);
88 _shishi_binprint (out, len);
92 static void
93 ocadd (char *add1, char *add2, char *sum, int len)
95 int i;
96 int carry = 0;
98 for (i = len - 1; i >= 0; i--)
100 int tmpsum = (unsigned char) add1[i] + (unsigned char) add2[i];
102 sum[i] = (tmpsum + carry) & 0xFF;
103 if (tmpsum + carry > 0xFF)
104 carry = 1;
105 else
106 carry = 0;
109 if (carry)
111 int done = 0;
113 for (i = len - 1; i >= 0; i--)
114 if ((unsigned char) sum[i] != 0xFF)
116 sum[i]++;
117 done = 1;
118 break;
121 if (!done)
122 memset (sum, 0, len);
126 static int
127 simplified_hmac (Shishi * handle,
128 Shishi_key * key,
129 const char *in, size_t inlen,
130 char **outhash, size_t * outhashlen)
132 *outhashlen = 20;
133 return shishi_hmac_sha1 (handle,
134 shishi_key_value (key), shishi_key_length (key),
135 in, inlen, outhash);
138 static int
139 simplified_hmac_verify (Shishi * handle, Shishi_key * key,
140 const char *in, size_t inlen,
141 const char *hmac, size_t hmaclen)
143 char *hash;
144 size_t hlen;
145 int same;
146 int res;
148 res = simplified_hmac (handle, key, in, inlen, &hash, &hlen);
149 if (res != SHISHI_OK || hash == NULL)
150 return res;
152 if (VERBOSECRYPTO (handle))
154 printf ("\t ;; HMAC verify:\n");
155 _shishi_escapeprint (hash, hlen);
156 _shishi_hexprint (hash, hlen);
157 _shishi_binprint (hash, hlen);
158 _shishi_escapeprint (hmac, hmaclen);
159 _shishi_hexprint (hmac, hmaclen);
160 _shishi_binprint (hmac, hmaclen);
163 same = (hlen == hmaclen) && memcmp (hash, hmac, hmaclen) == 0;
165 free (hash);
167 if (!same)
169 shishi_error_printf (handle, "HMAC verify failed");
170 return SHISHI_CRYPTO_ERROR;
173 return SHISHI_OK;
177 _shishi_simplified_derivekey (Shishi * handle,
178 Shishi_key * key,
179 int keyusage,
180 int derivekeymode, Shishi_key ** outkey)
182 char constant[5];
183 int res = SHISHI_OK;
184 Shishi_key *derivedkey;
186 if (VERBOSECRYPTO (handle))
188 printf ("simplified_derivekey\n");
189 printf ("\t ;; mode %d (%s)\n", derivekeymode,
190 derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM ? "checksum" :
191 derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY ? "integrity" :
192 derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY ? "privacy" :
193 "base-key");
194 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
198 res = shishi_key_from_value (handle, shishi_key_type (key),
199 NULL, &derivedkey);
200 if (res != SHISHI_OK)
201 return res;
203 *outkey = derivedkey;
205 if (keyusage)
207 uint32_t tmp = htonl (keyusage);
208 memcpy (constant, &tmp, 4);
209 if (derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM)
210 constant[4] = '\x99';
211 else if (derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY)
212 constant[4] = '\x55';
213 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
214 constant[4] = '\xAA';
216 res = shishi_dk (handle, key, constant, 5, derivedkey);
218 else
220 shishi_key_copy (derivedkey, key);
223 if (VERBOSECRYPTO (handle))
225 printf ("\t ;; simplified_derivekey out (%d):\n",
226 shishi_key_length (derivedkey));
227 _shishi_hexprint (shishi_key_value (derivedkey),
228 shishi_key_length (derivedkey));
231 return res;
235 _shishi_simplified_dencrypt (Shishi * handle,
236 Shishi_key * key,
237 const char *iv, size_t ivlen,
238 char **ivout, size_t * ivoutlen,
239 const char *in, size_t inlen,
240 char **out, size_t * outlen, int decryptp)
242 int rc;
244 if (outlen)
245 *outlen = inlen;
247 switch (shishi_key_type (key))
249 case SHISHI_DES_CBC_CRC:
250 case SHISHI_DES_CBC_MD4:
251 case SHISHI_DES_CBC_MD5:
252 if (ivoutlen)
253 *ivoutlen = 8;
254 rc = shishi_des (handle, decryptp, shishi_key_value (key),
255 iv, ivout, in, inlen, out);
256 break;
258 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
259 if (ivoutlen)
260 *ivoutlen = 8;
261 rc = shishi_3des (handle, decryptp, shishi_key_value (key),
262 iv, ivout, in, inlen, out);
263 break;
265 case SHISHI_AES128_CTS_HMAC_SHA1_96:
266 case SHISHI_AES256_CTS_HMAC_SHA1_96:
267 if (ivoutlen)
268 *ivoutlen = 16;
269 rc = shishi_aes_cts (handle, decryptp,
270 shishi_key_value (key), shishi_key_length (key),
271 iv, ivout, in, inlen, out);
272 break;
274 default:
275 rc = SHISHI_CRYPTO_ERROR;
278 return rc;
282 _shishi_simplified_encrypt (Shishi * handle,
283 Shishi_key * key,
284 int keyusage,
285 const char *iv, size_t ivlen,
286 char **ivout, size_t * ivoutlen,
287 const char *in, size_t inlen,
288 char **out, size_t * outlen)
290 int res;
291 int padzerolen = 0;
293 if ((shishi_key_type (key) == SHISHI_DES3_CBC_HMAC_SHA1_KD ||
294 shishi_key_type (key) == SHISHI_DES_CBC_CRC ||
295 shishi_key_type (key) == SHISHI_DES_CBC_MD4 ||
296 shishi_key_type (key) == SHISHI_DES_CBC_MD5) && (inlen % 8) != 0)
297 while (((inlen + padzerolen) % 8) != 0)
298 padzerolen++;
300 if (keyusage != 0)
302 char *pt = NULL, *ct = NULL, *hmac = NULL;
303 int blen = shishi_cipher_blocksize (shishi_key_type (key));
304 size_t ctlen, ptlen, hmaclen;
305 Shishi_key *privacykey = NULL, *integritykey = NULL;
307 ptlen = inlen + blen + padzerolen;
308 pt = xmalloc (ptlen);
310 res = shishi_randomize (handle, pt, blen);
311 if (res != SHISHI_OK)
312 goto done;
314 memcpy (pt + blen, in, inlen);
315 memset (pt + blen + inlen, 0, padzerolen);
317 res = _shishi_simplified_derivekey (handle, key, keyusage,
318 SHISHI_DERIVEKEYMODE_PRIVACY,
319 &privacykey);
320 if (res != SHISHI_OK)
321 goto done;
323 res = _shishi_simplified_dencrypt (handle, privacykey,
324 iv, ivlen, ivout,
325 ivoutlen, pt, ptlen, &ct, &ctlen, 0);
326 if (res != SHISHI_OK)
327 goto done;
330 res = _shishi_simplified_derivekey (handle, key, keyusage,
331 SHISHI_DERIVEKEYMODE_INTEGRITY,
332 &integritykey);
333 if (res != SHISHI_OK)
334 goto done;
336 res = simplified_hmac (handle, integritykey, pt, ptlen,
337 &hmac, &hmaclen);
338 if (res != SHISHI_OK)
339 goto done;
341 *outlen = ctlen + hmaclen;
342 *out = xmalloc (*outlen);
343 memcpy (*out, ct, ctlen);
344 memcpy (*out + ctlen, hmac, hmaclen);
346 done:
347 if (&privacykey)
348 shishi_key_done (privacykey);
349 if (&integritykey)
350 shishi_key_done (integritykey);
351 if (hmac)
352 free (hmac);
353 if (ct)
354 free (ct);
355 if (pt)
356 free (pt);
358 else
360 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
361 ivout, ivoutlen,
362 in, inlen, out, outlen, 0);
365 return res;
369 _shishi_simplified_decrypt (Shishi * handle,
370 Shishi_key * key,
371 int keyusage,
372 const char *iv, size_t ivlen,
373 char **ivout, size_t * ivoutlen,
374 const char *in, size_t inlen,
375 char **out, size_t * outlen)
377 int res;
379 if (keyusage)
381 Shishi_key *privacykey = NULL, *integritykey = NULL;
382 int blen = shishi_cipher_blocksize (shishi_key_type (key));
383 size_t hlen = 20; /* XXX only works for SHA-1 */
385 res = _shishi_simplified_derivekey (handle, key, keyusage,
386 SHISHI_DERIVEKEYMODE_PRIVACY,
387 &privacykey);
388 if (res != SHISHI_OK)
389 goto done;
391 res = _shishi_simplified_dencrypt (handle, privacykey,
392 iv, ivlen, ivout, ivoutlen,
393 in, inlen - hlen, out, outlen, 1);
394 if (res != SHISHI_OK)
395 goto done;
397 res = _shishi_simplified_derivekey (handle, key, keyusage,
398 SHISHI_DERIVEKEYMODE_INTEGRITY,
399 &integritykey);
400 if (res != SHISHI_OK)
401 goto done;
403 res = simplified_hmac_verify (handle, integritykey, *out, *outlen,
404 in + inlen - hlen, hlen);
406 if (res != SHISHI_OK)
407 goto done;
409 memmove (*out, *out + blen, *outlen - blen);
410 *outlen = *outlen - blen;
411 *out = xrealloc (*out, *outlen);
413 done:
414 if (privacykey)
415 shishi_key_done (privacykey);
416 if (integritykey)
417 shishi_key_done (integritykey);
419 else
421 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
422 ivout, ivoutlen,
423 in, inlen, out, outlen, 1);
426 return res;
430 _shishi_simplified_checksum (Shishi * handle,
431 Shishi_key * key,
432 int keyusage,
433 int cksumtype,
434 const char *in, size_t inlen,
435 char **out, size_t * outlen)
437 Shishi_key *checksumkey;
438 int cksumlen = shishi_checksum_cksumlen (cksumtype);
439 int res;
441 res = _shishi_simplified_derivekey (handle, key, keyusage,
442 SHISHI_DERIVEKEYMODE_CHECKSUM,
443 &checksumkey);
444 if (res != SHISHI_OK)
445 return res;
447 res = simplified_hmac (handle, checksumkey, in, inlen, out, outlen);
449 shishi_key_done (checksumkey);
451 if (res != SHISHI_OK)
452 return res;
454 *outlen = cksumlen;
456 return SHISHI_OK;
459 static cipherinfo *ciphers[] = {
460 #if WITH_NULL
461 &null_info,
462 #endif
463 #if WITH_DES
464 &des_cbc_crc_info,
465 &des_cbc_md4_info,
466 &des_cbc_md5_info,
467 &des_cbc_none_info,
468 #endif
469 #if WITH_3DES
470 &des3_cbc_none_info,
471 &des3_cbc_sha1_kd_info,
472 #endif
473 #if WITH_AES
474 &aes128_cts_hmac_sha1_96_info,
475 &aes256_cts_hmac_sha1_96_info,
476 #endif
477 #if WITH_ARCFOUR
478 &rc4_hmac_info,
479 &rc4_hmac_exp_info
480 #endif
484 * shishi_cipher_supported_p:
485 * @type: encryption type, see Shishi_etype.
487 * Return value: Return 0 iff cipher is unsupported.
490 shishi_cipher_supported_p (int32_t type)
492 size_t i;
494 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
495 if (type == ciphers[i]->type)
496 return 1;
498 return 0;
502 * shishi_cipher_name:
503 * @type: encryption type, see Shishi_etype.
505 * Return value: Return name of encryption type,
506 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
508 const char *
509 shishi_cipher_name (int32_t type)
511 size_t i;
512 char *p;
514 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
516 if (type == ciphers[i]->type)
517 return ciphers[i]->name;
520 asprintf (&p, "unknown cipher %d", type);
521 return p;
525 * shishi_cipher_blocksize:
526 * @type: encryption type, see Shishi_etype.
528 * Return value: Return block size for encryption type, as defined in
529 * the standards.
532 shishi_cipher_blocksize (int32_t type)
534 size_t i;
536 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
537 if (type == ciphers[i]->type)
538 return ciphers[i]->blocksize;
540 return -1;
544 * shishi_cipher_minpadsize:
545 * @type: encryption type, see Shishi_etype.
547 * Return value: Return the minimum pad size for encryption type, as
548 * defined in the standards.
551 shishi_cipher_minpadsize (int32_t type)
553 size_t i;
555 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
556 if (type == ciphers[i]->type)
557 return ciphers[i]->minpadsize;
559 return -1;
563 * shishi_cipher_confoundersize:
564 * @type: encryption type, see Shishi_etype.
566 * Return value: Returns the size of the confounder (random data) for
567 * encryption type, as defined in the standards.
570 shishi_cipher_confoundersize (int32_t type)
572 size_t i;
574 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
575 if (type == ciphers[i]->type)
576 return ciphers[i]->confoundersize;
578 return -1;
582 * shishi_cipher_keylen:
583 * @type: encryption type, see Shishi_etype.
585 * Return value: Return length of key used for the encryption type, as
586 * defined in the standards.
588 size_t
589 shishi_cipher_keylen (int32_t type)
591 size_t i;
593 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
594 if (type == ciphers[i]->type)
595 return ciphers[i]->keylen;
597 return -1;
601 * shishi_cipher_randomlen:
602 * @type: encryption type, see Shishi_etype.
604 * Return value: Return length of random used for the encryption type,
605 * as defined in the standards.
607 size_t
608 shishi_cipher_randomlen (int32_t type)
610 size_t i;
612 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
613 if (type == ciphers[i]->type)
614 return ciphers[i]->randomlen;
616 return -1;
620 * shishi_cipher_defaultcksumtype:
621 * @type: encryption type, see Shishi_etype.
623 * Return value: Return associated checksum mechanism for the
624 * encryption type, as defined in the standards.
627 shishi_cipher_defaultcksumtype (int32_t type)
629 size_t i;
631 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
632 if (type == ciphers[i]->type)
633 return ciphers[i]->defaultcksumtype;
635 return -1;
639 * shishi_cipher_parse:
640 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
642 * Return value: Return encryption type corresponding to a string.
645 shishi_cipher_parse (const char *cipher)
647 size_t i;
648 char *endptr;
650 i = strtol (cipher, &endptr, 0);
652 if (endptr != cipher)
653 return i;
655 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
656 if (strcasecmp (cipher, ciphers[i]->name) == 0)
657 return ciphers[i]->type;
659 return -1;
662 static Shishi_random_to_key_function
663 _shishi_cipher_random_to_key (int32_t type)
665 size_t i;
667 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
668 if (type == ciphers[i]->type)
669 return ciphers[i]->random2key;
671 return NULL;
674 static Shishi_string_to_key_function
675 _shishi_cipher_string_to_key (int32_t type)
677 size_t i;
679 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
680 if (type == ciphers[i]->type)
681 return ciphers[i]->string2key;
683 return NULL;
686 static Shishi_encrypt_function
687 _shishi_cipher_encrypt (int32_t type)
689 size_t i;
691 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
692 if (type == ciphers[i]->type)
693 return ciphers[i]->encrypt;
695 return NULL;
698 static Shishi_decrypt_function
699 _shishi_cipher_decrypt (int32_t type)
701 size_t i;
703 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
704 if (type == ciphers[i]->type)
705 return ciphers[i]->decrypt;
707 return NULL;
710 static checksuminfo *checksums[] = {
711 #if WITH_MD
712 &md4_info,
713 #endif
714 #if WITH_DES
715 &md4_des_info,
716 #endif
717 #if WITH_MD
718 &md5_info,
719 #endif
720 #if WITH_DES
721 &md5_des_info,
722 &md5_gss_info,
723 #endif
724 #if WITH_3DES
725 &hmac_sha1_des3_kd_info,
726 #endif
727 #if WITH_AES
728 &hmac_sha1_96_aes128_info,
729 &hmac_sha1_96_aes256_info,
730 #endif
731 #if WITH_ARCFOUR
732 &rc4_hmac_md5_info
733 #endif
737 * shishi_checksum_supported_p:
738 * @type: checksum type, see Shishi_cksumtype.
740 * Return value: Return 0 iff checksum is unsupported.
743 shishi_checksum_supported_p (int32_t type)
745 size_t i;
747 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
748 if (type == checksums[i]->type)
749 return 1;
751 return 0;
755 * shishi_checksum_name:
756 * @type: checksum type, see Shishi_cksumtype.
758 * Return value: Return name of checksum type,
759 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
761 const char *
762 shishi_checksum_name (int32_t type)
764 size_t i;
765 char *p;
767 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
769 if (type == checksums[i]->type)
770 return checksums[i]->name;
773 asprintf (&p, "unknown checksum %d", type);
774 return p;
778 * shishi_checksum_cksumlen:
779 * @type: checksum type, see Shishi_cksumtype.
781 * Return value: Return length of checksum used for the checksum type,
782 * as defined in the standards.
784 size_t
785 shishi_checksum_cksumlen (int32_t type)
787 size_t i;
789 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
790 if (type == checksums[i]->type)
791 return checksums[i]->cksumlen;
793 return -1;
797 * shishi_checksum_parse:
798 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
800 * Return value: Return checksum type, see Shishi_cksumtype,
801 * corresponding to a string.
804 shishi_checksum_parse (const char *checksum)
806 size_t i;
807 char *endptr;
809 i = strtol (checksum, &endptr, 0);
811 if (endptr != checksum)
812 return i;
814 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
815 if (strcasecmp (checksum, checksums[i]->name) == 0)
816 return checksums[i]->type;
818 return -1;
821 static Shishi_checksum_function
822 _shishi_checksum (int32_t type)
824 size_t i;
826 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
827 if (type == checksums[i]->type)
828 return checksums[i]->checksum;
830 return NULL;
833 static Shishi_verify_function
834 _shishi_verify (int32_t type)
836 size_t i;
838 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
839 if (type == checksums[i]->type)
840 return checksums[i]->verify;
842 return NULL;
846 * shishi_string_to_key:
847 * @handle: shishi handle as allocated by shishi_init().
848 * @keytype: cryptographic encryption type, see Shishi_etype.
849 * @password: input array with password.
850 * @passwordlen: length of input array with password.
851 * @salt: input array with salt.
852 * @saltlen: length of input array with salt.
853 * @parameter: input array with opaque encryption type specific information.
854 * @outkey: allocated key handle that will contain new key.
856 * Derive key from a string (password) and salt (commonly
857 * concatenation of realm and principal) for specified key type, and
858 * set the type and value in the given key to the computed values.
859 * The parameter value is specific for each keytype, and can be set if
860 * the parameter information is not available.
862 * Return value: Returns %SHISHI_OK iff successful.
865 shishi_string_to_key (Shishi * handle,
866 int32_t keytype,
867 const char *password, size_t passwordlen,
868 const char *salt, size_t saltlen,
869 const char *parameter, Shishi_key * outkey)
871 Shishi_string_to_key_function string2key;
872 int res;
874 shishi_key_type_set (outkey, keytype);
876 if (VERBOSECRYPTO (handle))
878 printf ("string_to_key (%s, password, salt)\n",
879 shishi_key_name (outkey));
880 printf ("\t ;; password:\n");
881 _shishi_escapeprint (password, passwordlen);
882 _shishi_hexprint (password, passwordlen);
883 printf ("\t ;; salt:\n");
884 _shishi_escapeprint (salt, saltlen);
885 _shishi_hexprint (salt, saltlen);
888 string2key = _shishi_cipher_string_to_key (shishi_key_type (outkey));
889 if (string2key == NULL)
891 shishi_error_printf (handle, "Unsupported keytype %d",
892 shishi_key_type (outkey));
893 return SHISHI_CRYPTO_ERROR;
896 res = (*string2key) (handle, password, passwordlen,
897 salt, saltlen, parameter, outkey);
899 if (VERBOSECRYPTO (handle))
901 printf ("\t ;; string_to_key key:\n");
902 _shishi_hexprint (shishi_key_value (outkey),
903 shishi_key_length (outkey));
904 _shishi_binprint (shishi_key_value (outkey),
905 shishi_key_length (outkey));
908 return res;
912 * shishi_random_to_key:
913 * @handle: shishi handle as allocated by shishi_init().
914 * @keytype: cryptographic encryption type, see Shishi_etype.
915 * @random: input array with random data.
916 * @randomlen: length of input array with random data.
917 * @outkey: allocated key handle that will contain new key.
919 * Derive key from random data for specified key type, and set the
920 * type and value in the given key to the computed values.
922 * Return value: Returns %SHISHI_OK iff successful.
925 shishi_random_to_key (Shishi * handle,
926 int32_t keytype,
927 char *random, size_t randomlen, Shishi_key * outkey)
929 Shishi_random_to_key_function random2key;
930 int res;
932 shishi_key_type_set (outkey, keytype);
934 if (VERBOSECRYPTO (handle))
936 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey));
937 printf ("\t ;; random:\n");
938 _shishi_hexprint (random, randomlen);
939 _shishi_binprint (random, randomlen);
942 random2key = _shishi_cipher_random_to_key (keytype);
943 if (random2key == NULL)
945 shishi_error_printf (handle, "Unsupported random_to_key() ekeytype %d",
946 keytype);
947 return SHISHI_CRYPTO_ERROR;
950 res = (*random2key) (handle, random, randomlen, outkey);
952 if (VERBOSECRYPTO (handle))
954 printf ("\t ;; random_to_key key:\n");
955 _shishi_hexprint (shishi_key_value (outkey),
956 shishi_key_length (outkey));
957 _shishi_binprint (shishi_key_value (outkey),
958 shishi_key_length (outkey));
961 return res;
965 * shishi_checksum:
966 * @handle: shishi handle as allocated by shishi_init().
967 * @key: key to compute checksum with.
968 * @keyusage: integer specifying what this key is used for.
969 * @cksumtype: the checksum algorithm to use.
970 * @in: input array with data to integrity protect.
971 * @inlen: size of input array with data to integrity protect.
972 * @out: output array with newly allocated integrity protected data.
973 * @outlen: output variable with length of output array with checksum.
975 * Integrity protect data using key, possibly altered by supplied key
976 * usage. If key usage is 0, no key derivation is used. The OUT
977 * buffer must be deallocated by the caller.
979 * Return value: Returns %SHISHI_OK iff successful.
982 shishi_checksum (Shishi * handle,
983 Shishi_key * key,
984 int keyusage,
985 int cksumtype,
986 const char *in, size_t inlen, char **out, size_t * outlen)
988 Shishi_checksum_function checksum;
989 int res;
991 if (VERBOSECRYPTO (handle))
993 printf ("checksum (%s, %d, in, out)\n",
994 shishi_key_name (key), cksumtype);
995 printf ("\t ;; key (%d):\n", shishi_key_length (key));
996 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
997 printf ("\t ;; in:\n");
998 _shishi_escapeprint (in, inlen);
999 _shishi_hexprint (in, inlen);
1002 if (cksumtype == 0)
1003 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1005 checksum = _shishi_checksum (cksumtype);
1006 if (checksum == NULL)
1008 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1009 return SHISHI_CRYPTO_ERROR;
1012 /* XXX? check if etype and cksumtype are compatible? */
1014 res = (*checksum) (handle, key, keyusage, cksumtype,
1015 in, inlen, out, outlen);
1017 if (VERBOSECRYPTO (handle))
1019 printf ("\t ;; checksum out:\n");
1020 _shishi_escapeprint (*out, *outlen);
1021 _shishi_hexprint (*out, *outlen);
1024 return res;
1028 * shishi_verify:
1029 * @handle: shishi handle as allocated by shishi_init().
1030 * @key: key to verify checksum with.
1031 * @keyusage: integer specifying what this key is used for.
1032 * @cksumtype: the checksum algorithm to use.
1033 * @in: input array with data that was integrity protected.
1034 * @inlen: size of input array with data that was integrity protected.
1035 * @cksum: input array with alleged checksum of data.
1036 * @cksumlen: size of input array with alleged checksum of data.
1038 * Verify checksum of data using key, possibly altered by supplied key
1039 * usage. If key usage is 0, no key derivation is used.
1041 * Return value: Returns %SHISHI_OK iff successful.
1044 shishi_verify (Shishi * handle,
1045 Shishi_key * key,
1046 int keyusage,
1047 int cksumtype,
1048 const char *in, size_t inlen,
1049 const char *cksum, size_t cksumlen)
1051 Shishi_verify_function verify;
1052 int res;
1054 if (VERBOSECRYPTO (handle))
1056 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key), cksumtype);
1057 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1058 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1059 printf ("\t ;; data:\n");
1060 _shishi_escapeprint (in, inlen);
1061 _shishi_hexprint (in, inlen);
1062 printf ("\t ;; mic:\n");
1063 _shishi_escapeprint (cksum, cksumlen);
1064 _shishi_hexprint (cksum, cksumlen);
1067 if (cksumtype == 0)
1068 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1070 verify = _shishi_verify (cksumtype);
1071 if (verify == NULL)
1073 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1074 return SHISHI_CRYPTO_ERROR;
1077 /* XXX? check if etype and cksumtype are compatible? */
1079 res = (*verify) (handle, key, keyusage, cksumtype,
1080 in, inlen, cksum, cksumlen);
1082 if (VERBOSECRYPTO (handle))
1083 printf ("\t ;; verify return: %d\n", res);
1085 return res;
1089 * shishi_encrypt_ivupdate_etype:
1090 * @handle: shishi handle as allocated by shishi_init().
1091 * @key: key to encrypt with.
1092 * @keyusage: integer specifying what this key is encrypting.
1093 * @etype: integer specifying what cipher to use.
1094 * @iv: input array with initialization vector
1095 * @ivlen: size of input array with initialization vector.
1096 * @ivout: output array with newly allocated updated initialization vector.
1097 * @ivoutlen: size of output array with updated initialization vector.
1098 * @in: input array with data to encrypt.
1099 * @inlen: size of input array with data to encrypt.
1100 * @out: output array with newly allocated encrypted data.
1101 * @outlen: output variable with size of newly allocated output array.
1103 * Encrypts data as per encryption method using specified
1104 * initialization vector and key. The key actually used is derived
1105 * using the key usage. If key usage is 0, no key derivation is used.
1106 * The OUT buffer must be deallocated by the caller. If IVOUT or
1107 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1109 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1110 * exactly, some Kerberos encryption types add pad to make the data
1111 * fit into the block size of the encryption algorithm. Furthermore,
1112 * the pad is not guaranteed to look in any special way, although
1113 * existing implementations often pad with the zero byte. This means
1114 * that you may have to "frame" data, so it is possible to infer the
1115 * original length after decryption. Compare ASN.1 DER which contains
1116 * such information.
1118 * Return value: Returns %SHISHI_OK iff successful.
1121 shishi_encrypt_ivupdate_etype (Shishi * handle,
1122 Shishi_key * key,
1123 int keyusage,
1124 int32_t etype,
1125 const char *iv, size_t ivlen,
1126 char **ivout, size_t * ivoutlen,
1127 const char *in, size_t inlen,
1128 char **out, size_t * outlen)
1130 Shishi_encrypt_function encrypt;
1131 int res;
1133 if (VERBOSECRYPTO (handle))
1135 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1136 shishi_key_name (key), keyusage);
1137 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1138 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1139 printf ("\t ;; in (%d):\n", inlen);
1140 _shishi_escapeprint (in, inlen);
1141 _shishi_hexprint (in, inlen);
1142 if (iv)
1144 printf ("\t ;; iv (%d):\n", ivlen);
1145 _shishi_escapeprint (iv, ivlen);
1146 _shishi_hexprint (iv, ivlen);
1150 encrypt = _shishi_cipher_encrypt (etype);
1151 if (encrypt == NULL)
1153 shishi_error_printf (handle, "Unsupported keytype %d",
1154 shishi_key_type (key));
1155 return SHISHI_CRYPTO_ERROR;
1158 res = (*encrypt) (handle, key, keyusage,
1159 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1161 if (VERBOSECRYPTO (handle))
1163 if (res == SHISHI_OK)
1165 printf ("\t ;; encrypt out:\n");
1166 _shishi_escapeprint (*out, *outlen);
1167 _shishi_hexprint (*out, *outlen);
1168 if (ivout && ivoutlen)
1170 printf ("\t ;; iv out:\n");
1171 _shishi_escapeprint (*ivout, *ivoutlen);
1172 _shishi_hexprint (*ivout, *ivoutlen);
1175 else
1177 printf ("\t ;; encrypt out failed %d\n", res);
1181 return res;
1185 * shishi_encrypt_iv_etype:
1186 * @handle: shishi handle as allocated by shishi_init().
1187 * @key: key to encrypt with.
1188 * @keyusage: integer specifying what this key is encrypting.
1189 * @etype: integer specifying what cipher to use.
1190 * @iv: input array with initialization vector
1191 * @ivlen: size of input array with initialization vector.
1192 * @in: input array with data to encrypt.
1193 * @inlen: size of input array with data to encrypt.
1194 * @out: output array with newly allocated encrypted data.
1195 * @outlen: output variable with size of newly allocated output array.
1197 * Encrypts data as per encryption method using specified
1198 * initialization vector and key. The key actually used is derived
1199 * using the key usage. If key usage is 0, no key derivation is used.
1200 * The OUT buffer must be deallocated by the caller. The next IV is
1201 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1203 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1204 * exactly, some Kerberos encryption types add pad to make the data
1205 * fit into the block size of the encryption algorithm. Furthermore,
1206 * the pad is not guaranteed to look in any special way, although
1207 * existing implementations often pad with the zero byte. This means
1208 * that you may have to "frame" data, so it is possible to infer the
1209 * original length after decryption. Compare ASN.1 DER which contains
1210 * such information.
1212 * Return value: Returns %SHISHI_OK iff successful.
1215 shishi_encrypt_iv_etype (Shishi * handle,
1216 Shishi_key * key,
1217 int keyusage,
1218 int32_t etype,
1219 const char *iv, size_t ivlen,
1220 const char *in, size_t inlen,
1221 char **out, size_t * outlen)
1223 return shishi_encrypt_ivupdate_etype (handle, key, keyusage, etype,
1224 iv, ivlen, NULL, NULL,
1225 in, inlen, out, outlen);
1229 * shishi_encrypt_etype:
1230 * @handle: shishi handle as allocated by shishi_init().
1231 * @key: key to encrypt with.
1232 * @keyusage: integer specifying what this key is encrypting.
1233 * @etype: integer specifying what cipher to use.
1234 * @in: input array with data to encrypt.
1235 * @inlen: size of input array with data to encrypt.
1236 * @out: output array with newly allocated encrypted data.
1237 * @outlen: output variable with size of newly allocated output array.
1239 * Encrypts data as per encryption method using specified
1240 * initialization vector and key. The key actually used is derived
1241 * using the key usage. If key usage is 0, no key derivation is used.
1242 * The OUT buffer must be deallocated by the caller. The default IV
1243 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1244 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1246 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1247 * exactly, some Kerberos encryption types add pad to make the data
1248 * fit into the block size of the encryption algorithm. Furthermore,
1249 * the pad is not guaranteed to look in any special way, although
1250 * existing implementations often pad with the zero byte. This means
1251 * that you may have to "frame" data, so it is possible to infer the
1252 * original length after decryption. Compare ASN.1 DER which contains
1253 * such information.
1255 * Return value: Returns %SHISHI_OK iff successful.
1258 shishi_encrypt_etype (Shishi * handle,
1259 Shishi_key * key,
1260 int keyusage,
1261 int32_t etype,
1262 const char *in, size_t inlen,
1263 char **out, size_t * outlen)
1265 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1266 shishi_key_type (key),
1267 NULL, 0, NULL, NULL,
1268 in, inlen, out, outlen);
1272 * shishi_encrypt_ivupdate:
1273 * @handle: shishi handle as allocated by shishi_init().
1274 * @key: key to encrypt with.
1275 * @keyusage: integer specifying what this key is encrypting.
1276 * @iv: input array with initialization vector
1277 * @ivlen: size of input array with initialization vector.
1278 * @ivout: output array with newly allocated updated initialization vector.
1279 * @ivoutlen: size of output array with updated initialization vector.
1280 * @in: input array with data to encrypt.
1281 * @inlen: size of input array with data to encrypt.
1282 * @out: output array with newly allocated encrypted data.
1283 * @outlen: output variable with size of newly allocated output array.
1285 * Encrypts data using specified initialization vector and key. The
1286 * key actually used is derived using the key usage. If key usage is
1287 * 0, no key derivation is used. The OUT buffer must be deallocated
1288 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1289 * saved anywhere.
1291 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1292 * exactly, some Kerberos encryption types add pad to make the data
1293 * fit into the block size of the encryption algorithm. Furthermore,
1294 * the pad is not guaranteed to look in any special way, although
1295 * existing implementations often pad with the zero byte. This means
1296 * that you may have to "frame" data, so it is possible to infer the
1297 * original length after decryption. Compare ASN.1 DER which contains
1298 * such information.
1300 * Return value: Returns %SHISHI_OK iff successful.
1303 shishi_encrypt_ivupdate (Shishi * handle,
1304 Shishi_key * key,
1305 int keyusage,
1306 const char *iv, size_t ivlen,
1307 char **ivout, size_t * ivoutlen,
1308 const char *in, size_t inlen,
1309 char **out, size_t * outlen)
1311 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1312 shishi_key_type (key),
1313 iv, ivlen, ivout, ivoutlen,
1314 in, inlen, out, outlen);
1318 * shishi_encrypt_iv:
1319 * @handle: shishi handle as allocated by shishi_init().
1320 * @key: key to encrypt with.
1321 * @keyusage: integer specifying what this key is encrypting.
1322 * @iv: input array with initialization vector
1323 * @ivlen: size of input array with initialization vector.
1324 * @in: input array with data to encrypt.
1325 * @inlen: size of input array with data to encrypt.
1326 * @out: output array with newly allocated encrypted data.
1327 * @outlen: output variable with size of newly allocated output array.
1329 * Encrypts data using specified initialization vector and key. The
1330 * key actually used is derived using the key usage. If key usage is
1331 * 0, no key derivation is used. The OUT buffer must be deallocated
1332 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1333 * you need it.
1335 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1336 * exactly, some Kerberos encryption types add pad to make the data
1337 * fit into the block size of the encryption algorithm. Furthermore,
1338 * the pad is not guaranteed to look in any special way, although
1339 * existing implementations often pad with the zero byte. This means
1340 * that you may have to "frame" data, so it is possible to infer the
1341 * original length after decryption. Compare ASN.1 DER which contains
1342 * such information.
1344 * Return value: Returns %SHISHI_OK iff successful.
1347 shishi_encrypt_iv (Shishi * handle,
1348 Shishi_key * key,
1349 int keyusage,
1350 const char *iv, size_t ivlen,
1351 const char *in, size_t inlen, char **out, size_t * outlen)
1353 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1354 shishi_key_type (key),
1355 iv, ivlen, NULL, NULL,
1356 in, inlen, out, outlen);
1360 * shishi_encrypt:
1361 * @handle: shishi handle as allocated by shishi_init().
1362 * @key: key to encrypt with.
1363 * @keyusage: integer specifying what this key is encrypting.
1364 * @in: input array with data to encrypt.
1365 * @inlen: size of input array with data to encrypt.
1366 * @out: output array with newly allocated encrypted data.
1367 * @outlen: output variable with size of newly allocated output array.
1369 * Encrypts data using specified key. The key actually used is
1370 * derived using the key usage. If key usage is 0, no key derivation
1371 * is used. The OUT buffer must be deallocated by the caller. The
1372 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1373 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1375 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1376 * exactly, some Kerberos encryption types add pad to make the data
1377 * fit into the block size of the encryption algorithm. Furthermore,
1378 * the pad is not guaranteed to look in any special way, although
1379 * existing implementations often pad with the zero byte. This means
1380 * that you may have to "frame" data, so it is possible to infer the
1381 * original length after decryption. Compare ASN.1 DER which contains
1382 * such information.
1384 * Return value: Returns %SHISHI_OK iff successful.
1387 shishi_encrypt (Shishi * handle,
1388 Shishi_key * key,
1389 int keyusage,
1390 char *in, size_t inlen, char **out, size_t * outlen)
1392 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1393 shishi_key_type (key),
1394 NULL, 0, NULL, NULL,
1395 in, inlen, out, outlen);
1399 * shishi_decrypt_ivupdate_etype:
1400 * @handle: shishi handle as allocated by shishi_init().
1401 * @key: key to decrypt with.
1402 * @keyusage: integer specifying what this key is decrypting.
1403 * @etype: integer specifying what cipher to use.
1404 * @iv: input array with initialization vector
1405 * @ivlen: size of input array with initialization vector.
1406 * @ivout: output array with newly allocated updated initialization vector.
1407 * @ivoutlen: size of output array with updated initialization vector.
1408 * @in: input array with data to decrypt.
1409 * @inlen: size of input array with data to decrypt.
1410 * @out: output array with newly allocated decrypted data.
1411 * @outlen: output variable with size of newly allocated output array.
1413 * Decrypts data as per encryption method using specified
1414 * initialization vector and key. The key actually used is derived
1415 * using the key usage. If key usage is 0, no key derivation is used.
1416 * The OUT buffer must be deallocated by the caller. If IVOUT or
1417 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1419 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1420 * exactly, some Kerberos encryption types add pad to make the data
1421 * fit into the block size of the encryption algorithm. Furthermore,
1422 * the pad is not guaranteed to look in any special way, although
1423 * existing implementations often pad with the zero byte. This means
1424 * that you may have to "frame" data, so it is possible to infer the
1425 * original length after decryption. Compare ASN.1 DER which contains
1426 * such information.
1428 * Return value: Returns %SHISHI_OK iff successful.
1431 shishi_decrypt_ivupdate_etype (Shishi * handle,
1432 Shishi_key * key,
1433 int keyusage,
1434 int32_t etype,
1435 const char *iv, size_t ivlen,
1436 char **ivout, size_t * ivoutlen,
1437 const char *in, size_t inlen,
1438 char **out, size_t * outlen)
1440 Shishi_decrypt_function decrypt;
1441 int res;
1443 if (VERBOSECRYPTO (handle))
1445 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1446 shishi_key_name (key), keyusage);
1447 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1448 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1449 printf ("\t ;; in (%d):\n", inlen);
1450 _shishi_escapeprint (in, inlen);
1451 _shishi_hexprint (in, inlen);
1454 decrypt = _shishi_cipher_decrypt (etype);
1455 if (decrypt == NULL)
1457 shishi_error_printf (handle, "Unsupported keytype %d",
1458 shishi_key_type (key));
1459 return SHISHI_CRYPTO_ERROR;
1462 res = (*decrypt) (handle, key, keyusage,
1463 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1465 if (VERBOSECRYPTO (handle))
1467 if (res == SHISHI_OK)
1469 printf ("\t ;; decrypt out:\n");
1470 _shishi_escapeprint (*out, *outlen);
1471 _shishi_hexprint (*out, *outlen);
1473 else
1475 printf ("\t ;; decrypt out failed %d\n", res);
1479 return res;
1483 * shishi_decrypt_iv_etype:
1484 * @handle: shishi handle as allocated by shishi_init().
1485 * @key: key to decrypt with.
1486 * @keyusage: integer specifying what this key is decrypting.
1487 * @etype: integer specifying what cipher to use.
1488 * @iv: input array with initialization vector
1489 * @ivlen: size of input array with initialization vector.
1490 * @in: input array with data to decrypt.
1491 * @inlen: size of input array with data to decrypt.
1492 * @out: output array with newly allocated decrypted data.
1493 * @outlen: output variable with size of newly allocated output array.
1495 * Decrypts data as per encryption method using specified
1496 * initialization vector and key. The key actually used is derived
1497 * using the key usage. If key usage is 0, no key derivation is used.
1498 * The OUT buffer must be deallocated by the caller. The next IV is
1499 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1501 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1502 * exactly, some Kerberos encryption types add pad to make the data
1503 * fit into the block size of the encryption algorithm. Furthermore,
1504 * the pad is not guaranteed to look in any special way, although
1505 * existing implementations often pad with the zero byte. This means
1506 * that you may have to "frame" data, so it is possible to infer the
1507 * original length after decryption. Compare ASN.1 DER which contains
1508 * such information.
1510 * Return value: Returns %SHISHI_OK iff successful.
1513 shishi_decrypt_iv_etype (Shishi * handle,
1514 Shishi_key * key,
1515 int keyusage,
1516 int32_t etype,
1517 const char *iv, size_t ivlen,
1518 const char *in, size_t inlen,
1519 char **out, size_t * outlen)
1521 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1522 iv, ivlen, NULL, NULL,
1523 in, inlen, out, outlen);
1527 * shishi_decrypt_etype:
1528 * @handle: shishi handle as allocated by shishi_init().
1529 * @key: key to decrypt with.
1530 * @keyusage: integer specifying what this key is decrypting.
1531 * @etype: integer specifying what cipher to use.
1532 * @in: input array with data to decrypt.
1533 * @inlen: size of input array with data to decrypt.
1534 * @out: output array with newly allocated decrypted data.
1535 * @outlen: output variable with size of newly allocated output array.
1537 * Decrypts data as per encryption method using specified key. The
1538 * key actually used is derived using the key usage. If key usage is
1539 * 0, no key derivation is used. The OUT buffer must be deallocated
1540 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1541 * if you need to alter it. The next IV is lost, see
1542 * shishi_decrypt_ivupdate_etype if you need it.
1544 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1545 * exactly, some Kerberos encryption types add pad to make the data
1546 * fit into the block size of the encryption algorithm. Furthermore,
1547 * the pad is not guaranteed to look in any special way, although
1548 * existing implementations often pad with the zero byte. This means
1549 * that you may have to "frame" data, so it is possible to infer the
1550 * original length after decryption. Compare ASN.1 DER which contains
1551 * such information.
1553 * Return value: Returns %SHISHI_OK iff successful.
1556 shishi_decrypt_etype (Shishi * handle,
1557 Shishi_key * key,
1558 int keyusage,
1559 int32_t etype,
1560 const char *in, size_t inlen,
1561 char **out, size_t * outlen)
1563 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1564 NULL, 0, NULL, NULL,
1565 in, inlen, out, outlen);
1569 * shishi_decrypt_ivupdate:
1570 * @handle: shishi handle as allocated by shishi_init().
1571 * @key: key to decrypt with.
1572 * @keyusage: integer specifying what this key is decrypting.
1573 * @iv: input array with initialization vector
1574 * @ivlen: size of input array with initialization vector.
1575 * @ivout: output array with newly allocated updated initialization vector.
1576 * @ivoutlen: size of output array with updated initialization vector.
1577 * @in: input array with data to decrypt.
1578 * @inlen: size of input array with data to decrypt.
1579 * @out: output array with newly allocated decrypted data.
1580 * @outlen: output variable with size of newly allocated output array.
1582 * Decrypts data using specified initialization vector and key. The
1583 * key actually used is derived using the key usage. If key usage is
1584 * 0, no key derivation is used. The OUT buffer must be deallocated
1585 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1586 * saved anywhere.
1588 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1589 * exactly, some Kerberos encryption types add pad to make the data
1590 * fit into the block size of the encryption algorithm. Furthermore,
1591 * the pad is not guaranteed to look in any special way, although
1592 * existing implementations often pad with the zero byte. This means
1593 * that you may have to "frame" data, so it is possible to infer the
1594 * original length after decryption. Compare ASN.1 DER which contains
1595 * such information.
1597 * Return value: Returns %SHISHI_OK iff successful.
1600 shishi_decrypt_ivupdate (Shishi * handle,
1601 Shishi_key * key,
1602 int keyusage,
1603 const char *iv, size_t ivlen,
1604 char **ivout, size_t * ivoutlen,
1605 const char *in, size_t inlen,
1606 char **out, size_t * outlen)
1608 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1609 shishi_key_type (key),
1610 iv, ivlen, ivout, ivoutlen,
1611 in, inlen, out, outlen);
1615 * shishi_decrypt_iv:
1616 * @handle: shishi handle as allocated by shishi_init().
1617 * @key: key to decrypt with.
1618 * @keyusage: integer specifying what this key is decrypting.
1619 * @iv: input array with initialization vector
1620 * @ivlen: size of input array with initialization vector.
1621 * @in: input array with data to decrypt.
1622 * @inlen: size of input array with data to decrypt.
1623 * @out: output array with newly allocated decrypted data.
1624 * @outlen: output variable with size of newly allocated output array.
1626 * Decrypts data using specified initialization vector and key. The
1627 * key actually used is derived using the key usage. If key usage is
1628 * 0, no key derivation is used. The OUT buffer must be deallocated
1629 * by the caller. The next IV is lost, see
1630 * shishi_decrypt_ivupdate_etype if you need it.
1632 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1633 * exactly, some Kerberos encryption types add pad to make the data
1634 * fit into the block size of the encryption algorithm. Furthermore,
1635 * the pad is not guaranteed to look in any special way, although
1636 * existing implementations often pad with the zero byte. This means
1637 * that you may have to "frame" data, so it is possible to infer the
1638 * original length after decryption. Compare ASN.1 DER which contains
1639 * such information.
1641 * Return value: Returns %SHISHI_OK iff successful.
1644 shishi_decrypt_iv (Shishi * handle,
1645 Shishi_key * key,
1646 int keyusage,
1647 const char *iv, size_t ivlen,
1648 const char *in, size_t inlen, char **out, size_t * outlen)
1650 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1651 shishi_key_type (key),
1652 iv, ivlen, NULL, NULL,
1653 in, inlen, out, outlen);
1657 * shishi_decrypt:
1658 * @handle: shishi handle as allocated by shishi_init().
1659 * @key: key to decrypt with.
1660 * @keyusage: integer specifying what this key is decrypting.
1661 * @in: input array with data to decrypt.
1662 * @inlen: size of input array with data to decrypt.
1663 * @out: output array with newly allocated decrypted data.
1664 * @outlen: output variable with size of newly allocated output array.
1666 * Decrypts data specified key. The key actually used is derived
1667 * using the key usage. If key usage is 0, no key derivation is used.
1668 * The OUT buffer must be deallocated by the caller. The default IV
1669 * is used, see shishi_decrypt_iv if you need to alter it. The next
1670 * IV is lost, see shishi_decrypt_ivupdate if you need it.
1672 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1673 * exactly, some Kerberos encryption types add pad to make the data
1674 * fit into the block size of the encryption algorithm. Furthermore,
1675 * the pad is not guaranteed to look in any special way, although
1676 * existing implementations often pad with the zero byte. This means
1677 * that you may have to "frame" data, so it is possible to infer the
1678 * original length after decryption. Compare ASN.1 DER which contains
1679 * such information.
1681 * Return value: Returns %SHISHI_OK iff successful.
1684 shishi_decrypt (Shishi * handle,
1685 Shishi_key * key,
1686 int keyusage,
1687 const char *in, size_t inlen, char **out, size_t * outlen)
1689 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1690 shishi_key_type (key),
1691 NULL, 0, NULL, NULL,
1692 in, inlen, out, outlen);
1696 * shishi_n_fold:
1697 * @handle: shishi handle as allocated by shishi_init().
1698 * @in: input array with data to decrypt.
1699 * @inlen: size of input array with data to decrypt ("M").
1700 * @out: output array with decrypted data.
1701 * @outlen: size of output array ("N").
1703 * Fold data into a fixed length output array, with the intent to give
1704 * each input bit approximately equal weight in determining the value
1705 * of each output bit.
1707 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
1708 * by Uri Blumenthal and Steven M. Bellovin,
1709 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
1710 * the sample vectors provided by the paper are incorrect.
1712 * Return value: Returns %SHISHI_OK iff successful.
1715 shishi_n_fold (Shishi * handle,
1716 const char *in, size_t inlen, char *out, size_t outlen)
1718 int m = inlen;
1719 int n = outlen;
1720 char *buf = NULL;
1721 char *a = NULL;
1722 int lcmmn = 0;
1723 int i = 0;
1726 To n-fold a number X, replicate the input value to a length that is
1727 the least common multiple of n and the length of X. Before each
1728 repetition, the input is rotated to the right by 13 bit
1729 positions. The successive n-bit chunks are added together using
1730 1's-complement addition (that is, addition with end-around carry)
1731 to yield a n-bit result denoted <X>_n.
1734 a = (char *) xmemdup (in, m);
1736 lcmmn = lcm (m, n);
1738 if (VERBOSECRYPTO (handle))
1740 printf ("%d-fold (string)\n", n * 8);
1741 printf ("\t ;; string length %d bytes %d bits\n", m, m * 8);
1742 _shishi_escapeprint (a, m);
1743 _shishi_hexprint (a, m);
1744 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
1745 8 * m, 8 * n, m, n, lcmmn);
1748 buf = (char *) xmalloc (lcmmn);
1750 /* Replicate the input th the LCMMN length */
1751 for (i = 0; i < (lcmmn / m); i++)
1753 if (VERBOSECRYPTO (handle))
1755 printf ("\t ;; %d-th replication\n", i + 1);
1756 printf ("string = rot13(string)\n");
1759 memcpy ((char *) &buf[i * m], a, m);
1760 rot13 (handle, a, a, m);
1763 memset (out, 0, n); /* just in case */
1765 if (VERBOSECRYPTO (handle))
1767 printf ("\t ;; replicated string (length %d):\n", lcmmn);
1768 _shishi_hexprint (buf, lcmmn);
1769 _shishi_binprint (buf, lcmmn);
1770 printf ("sum = 0\n");
1773 /* Now we view the buf as set of n-byte strings
1774 Add the n-byte long chunks together, using
1775 one's complement addition, storing the
1776 result in the output string. */
1778 for (i = 0; i < (lcmmn / n); i++)
1780 if (VERBOSECRYPTO (handle))
1782 printf ("\t ;; %d-th one's complement addition sum\n", i + 1);
1783 printf ("\t ;; sum:\n");
1784 _shishi_hexprint (out, n);
1785 _shishi_binprint (out, n);
1786 printf ("\t ;; A (offset %d):\n", i * n);
1787 _shishi_hexprint (&buf[i * n], n);
1788 _shishi_binprint (&buf[i * n], n);
1789 printf ("sum = ocadd(sum, A);\n");
1792 ocadd (out, (char *) &buf[i * n], out, n);
1794 if (VERBOSECRYPTO (handle))
1796 printf ("\t ;; sum:\n");
1797 _shishi_hexprint (out, n);
1798 _shishi_binprint (out, n);
1802 if (VERBOSECRYPTO (handle))
1804 printf ("\t ;; nfold\n");
1805 _shishi_hexprint (out, n);
1806 _shishi_binprint (out, n);
1809 free (buf);
1810 free (a);
1812 return SHISHI_OK;
1815 #define MAX_DR_CONSTANT 1024
1818 * shishi_dr:
1819 * @handle: shishi handle as allocated by shishi_init().
1820 * @key: input array with cryptographic key to use.
1821 * @constant: input array with the constant string.
1822 * @constantlen: size of input array with the constant string.
1823 * @derivedrandom: output array with derived random data.
1824 * @derivedrandomlen: size of output array with derived random data.
1826 * Derive "random" data from a key and a constant thusly:
1827 * DR(KEY, CONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
1828 * SHISHI_ENCRYPT(KEY, CONSTANT)).
1830 * Return value: Returns %SHISHI_OK iff successful.
1833 shishi_dr (Shishi * handle,
1834 Shishi_key * key,
1835 const char *constant, size_t constantlen,
1836 char *derivedrandom, size_t derivedrandomlen)
1838 char *cipher;
1839 char plaintext[MAX_DR_CONSTANT];
1840 char nfoldconstant[MAX_DR_CONSTANT];
1841 size_t blocksize = shishi_cipher_blocksize (shishi_key_type (key));
1842 size_t totlen, cipherlen;
1843 int res;
1845 if (VERBOSECRYPTO (handle))
1847 printf ("dr (%s, key, constant, %d)\n",
1848 shishi_cipher_name (shishi_key_type (key)), derivedrandomlen);
1849 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
1850 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1851 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
1852 printf ("\t ;; constant %s':\n", constant);
1853 _shishi_escapeprint (constant, constantlen);
1854 _shishi_hexprint (constant, constantlen);
1855 _shishi_binprint (constant, constantlen);
1858 if (constantlen > MAX_DR_CONSTANT)
1859 return SHISHI_TOO_SMALL_BUFFER;
1861 if (constantlen == blocksize)
1863 memcpy (nfoldconstant, constant, constantlen);
1865 else
1867 res = shishi_n_fold (handle, constant, constantlen, nfoldconstant,
1868 blocksize);
1869 if (res != SHISHI_OK)
1870 return res;
1873 if (VERBOSECRYPTO (handle))
1875 printf ("\t ;; possibly nfolded constant (length %d):\n", blocksize);
1876 _shishi_escapeprint (nfoldconstant, blocksize);
1877 _shishi_hexprint (nfoldconstant, blocksize);
1878 _shishi_binprint (nfoldconstant, blocksize);
1881 memcpy (plaintext, nfoldconstant, blocksize);
1883 totlen = 0;
1886 res = shishi_encrypt (handle, key, 0, plaintext, blocksize,
1887 &cipher, &cipherlen);
1888 if (res != SHISHI_OK)
1889 return res;
1890 if (cipherlen != blocksize)
1891 return SHISHI_CRYPTO_ERROR;
1892 memcpy (derivedrandom + totlen, cipher, cipherlen);
1893 memcpy (plaintext, cipher, cipherlen);
1894 free (cipher);
1895 totlen += cipherlen;
1897 while (totlen < derivedrandomlen);
1899 if (VERBOSECRYPTO (handle))
1901 printf ("\t ;; derived random (length %d):\n", derivedrandomlen);
1902 _shishi_hexprint (derivedrandom, derivedrandomlen);
1903 _shishi_binprint (derivedrandom, derivedrandomlen);
1906 return SHISHI_OK;
1910 * shishi_dk:
1911 * @handle: shishi handle as allocated by shishi_init().
1912 * @key: input cryptographic key to use.
1913 * @constant: input array with the constant string.
1914 * @constantlen: size of input array with the constant string.
1915 * @derivedkey: pointer to derived key (allocated by caller).
1917 * Derive a key from a key and a constant thusly:
1918 * DK(KEY, CONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, CONSTANT)).
1920 * Return value: Returns %SHISHI_OK iff successful.
1923 shishi_dk (Shishi * handle,
1924 Shishi_key * key,
1925 const char *constant, size_t constantlen, Shishi_key * derivedkey)
1927 char random[MAX_RANDOM_LEN];
1928 int res;
1930 if (VERBOSECRYPTO (handle))
1932 printf ("dk (%s, key, constant)\n", shishi_key_name (key));
1933 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
1934 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1935 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
1936 printf ("\t ;; constant:\n");
1937 _shishi_escapeprint (constant, constantlen);
1938 _shishi_hexprint (constant, constantlen);
1939 _shishi_binprint (constant, constantlen);
1942 shishi_key_type_set (derivedkey, shishi_key_type (key));
1944 res = shishi_dr (handle, key, constant, constantlen, random,
1945 shishi_key_length (derivedkey));
1946 if (res != SHISHI_OK)
1947 return res;
1949 res = shishi_random_to_key (handle, shishi_key_type (derivedkey),
1950 random, shishi_key_length (derivedkey),
1951 derivedkey);
1952 if (res != SHISHI_OK)
1953 return res;
1955 return SHISHI_OK;
1959 * shishi_pbkdf2_sha1:
1960 * @handle: shishi handle as allocated by shishi_init().
1961 * @P: input password, an octet string
1962 * @Plen: length of password, an octet string
1963 * @S: input salt, an octet string
1964 * @Slen: length of salt, an octet string
1965 * @c: iteration count, a positive integer
1966 * @dkLen: intended length in octets of the derived key, a positive integer,
1967 * at most (2^32 - 1) * hLen. The DK array must have room for this many
1968 * characters.
1969 * @DK: output derived key, a dkLen-octet string
1971 * Derive key using the PBKDF2 defined in PKCS5. PBKDF2 applies a
1972 * pseudorandom function to derive keys. The length of the derived key
1973 * is essentially unbounded. (However, the maximum effective search
1974 * space for the derived key may be limited by the structure of the
1975 * underlying pseudorandom function, which is this function is always
1976 * SHA1.)
1978 * Return value: Returns SHISHI_OK iff successful.
1981 shishi_pbkdf2_sha1 (Shishi * handle,
1982 const char *P, size_t Plen,
1983 const char *S, size_t Slen,
1984 unsigned int c, unsigned int dkLen, char *DK)
1986 unsigned int hLen = 20;
1987 char U[20];
1988 char T[20];
1989 unsigned int u;
1990 unsigned int l;
1991 unsigned int r;
1992 unsigned int i;
1993 unsigned int k;
1994 char *p;
1995 int rc;
1997 if (c == 0)
1998 return SHISHI_PKCS5_INVALID_ITERATION_COUNT;
2000 if (dkLen == 0)
2001 return SHISHI_PKCS5_INVALID_DERIVED_KEY_LENGTH;
2005 * Steps:
2007 * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
2008 * stop.
2011 if (dkLen > 4294967295U)
2012 return SHISHI_PKCS5_DERIVED_KEY_TOO_LONG;
2015 * 2. Let l be the number of hLen-octet blocks in the derived key,
2016 * rounding up, and let r be the number of octets in the last
2017 * block:
2019 * l = CEIL (dkLen / hLen) ,
2020 * r = dkLen - (l - 1) * hLen .
2022 * Here, CEIL (x) is the "ceiling" function, i.e. the smallest
2023 * integer greater than, or equal to, x.
2026 l = dkLen / hLen;
2027 if (dkLen % hLen)
2028 l++;
2029 r = dkLen - (l - 1) * hLen;
2032 * 3. For each block of the derived key apply the function F defined
2033 * below to the password P, the salt S, the iteration count c, and
2034 * the block index to compute the block:
2036 * T_1 = F (P, S, c, 1) ,
2037 * T_2 = F (P, S, c, 2) ,
2038 * ...
2039 * T_l = F (P, S, c, l) ,
2041 * where the function F is defined as the exclusive-or sum of the
2042 * first c iterates of the underlying pseudorandom function PRF
2043 * applied to the password P and the concatenation of the salt S
2044 * and the block index i:
2046 * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
2048 * where
2050 * U_1 = PRF (P, S || INT (i)) ,
2051 * U_2 = PRF (P, U_1) ,
2052 * ...
2053 * U_c = PRF (P, U_{c-1}) .
2055 * Here, INT (i) is a four-octet encoding of the integer i, most
2056 * significant octet first.
2058 * 4. Concatenate the blocks and extract the first dkLen octets to
2059 * produce a derived key DK:
2061 * DK = T_1 || T_2 || ... || T_l<0..r-1>
2063 * 5. Output the derived key DK.
2065 * Note. The construction of the function F follows a "belt-and-
2066 * suspenders" approach. The iterates U_i are computed recursively to
2067 * remove a degree of parallelism from an opponent; they are exclusive-
2068 * ored together to reduce concerns about the recursion degenerating
2069 * into a small set of values.
2073 for (i = 1; i <= l; i++)
2075 memset (T, 0, hLen);
2077 for (u = 1; u <= c; u++)
2079 if (u == 1)
2081 char *tmp;
2082 size_t tmplen = Slen + 4;
2084 tmp = xmalloc (tmplen);
2086 memcpy (tmp, S, Slen);
2087 tmp[Slen + 0] = (i & 0xff000000) >> 24;
2088 tmp[Slen + 1] = (i & 0x00ff0000) >> 16;
2089 tmp[Slen + 2] = (i & 0x0000ff00) >> 8;
2090 tmp[Slen + 3] = (i & 0x000000ff) >> 0;
2092 rc = shishi_hmac_sha1 (handle, P, Plen, tmp, tmplen, &p);
2094 free (tmp);
2096 else
2098 rc = shishi_hmac_sha1 (handle, P, Plen, U, hLen, &p);
2101 if (rc != SHISHI_OK)
2102 return rc;
2104 memcpy (U, p, hLen);
2106 free (p);
2108 for (k = 0; k < hLen; k++)
2109 T[k] ^= U[k];
2112 memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen);
2115 return SHISHI_OK;