1 /* crypto.c crypto functions
2 * Copyright (C) 2002, 2003 Simon Josefsson
4 * This file is part of Shishi.
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 return gcd (b
, a
% b
);
37 return a
* b
/ gcd (a
, b
);
41 rot13 (Shishi
* handle
, char *in
, char *out
, int len
)
43 if (VERBOSECRYPTO (handle
))
45 printf ("\t ;; rot 13 in:\n");
46 _shishi_escapeprint (in
, len
);
47 _shishi_hexprint (in
, len
);
48 _shishi_binprint (in
, len
);
54 ((in
[0] >> 5) & 0x01) |
55 ((in
[0] >> 5) & 0x02) |
56 ((in
[0] >> 5) & 0x04) |
57 ((in
[0] << 3) & 0x08) |
58 ((in
[0] << 3) & 0x10) |
59 ((in
[0] << 3) & 0x20) | ((in
[0] << 3) & 0x40) | ((in
[0] << 3) & 0x80);
63 char nexttolast
, last
;
66 nexttolast
= in
[len
- 2];
69 for (i
= len
* 8 - 1; i
>= 13; i
--)
72 char mask
= ~(1 << (7 - i
% 8));
73 int pos2
= (i
- 13) / 8;
74 char mask2
= (1 << (7 - (i
- 13) % 8));
76 out
[pos
] = (out
[pos
] & mask
) |
77 (((in
[pos2
] & mask2
) ? 0xFF : 0x00) & ~mask
);
79 out
[0] = ((nexttolast
& 0xFF) << 3) | ((last
& 0xFF) >> 5);
80 out
[1] = (in
[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last
<< 3));
83 if (VERBOSECRYPTO (handle
))
85 printf ("\t ;; rot13 out:\n");
86 _shishi_escapeprint (out
, len
);
87 _shishi_hexprint (out
, len
);
88 _shishi_binprint (out
, len
);
93 ocadd (char *add1
, char *add2
, char *sum
, int len
)
98 for (i
= len
- 1; i
>= 0; i
--)
100 int tmpsum
= (unsigned char) add1
[i
] + (unsigned char) add2
[i
];
102 sum
[i
] = (tmpsum
+ carry
) & 0xFF;
103 if (tmpsum
+ carry
> 0xFF)
113 for (i
= len
- 1; i
>= 0; i
--)
114 if ((unsigned char) sum
[i
] != 0xFF)
122 memset (sum
, 0, len
);
127 simplified_hmac (Shishi
* handle
,
129 const char *in
, size_t inlen
,
130 char **outhash
, size_t * outhashlen
)
133 return shishi_hmac_sha1 (handle
,
134 shishi_key_value (key
), shishi_key_length (key
),
139 simplified_hmac_verify (Shishi
* handle
, Shishi_key
* key
,
140 const char *in
, size_t inlen
,
141 const char *hmac
, size_t hmaclen
)
148 res
= simplified_hmac (handle
, key
, in
, inlen
, &hash
, &hlen
);
149 if (res
!= SHISHI_OK
|| hash
== NULL
)
152 if (VERBOSECRYPTO (handle
))
154 printf ("\t ;; HMAC verify:\n");
155 _shishi_escapeprint (hash
, hlen
);
156 _shishi_hexprint (hash
, hlen
);
157 _shishi_binprint (hash
, hlen
);
158 _shishi_escapeprint (hmac
, hmaclen
);
159 _shishi_hexprint (hmac
, hmaclen
);
160 _shishi_binprint (hmac
, hmaclen
);
163 same
= (hlen
== hmaclen
) && memcmp (hash
, hmac
, hmaclen
) == 0;
169 shishi_error_printf (handle
, "HMAC verify failed");
170 return SHISHI_CRYPTO_ERROR
;
177 _shishi_simplified_derivekey (Shishi
* handle
,
180 int derivekeymode
, Shishi_key
** outkey
)
184 Shishi_key
*derivedkey
;
186 if (VERBOSECRYPTO (handle
))
188 printf ("simplified_derivekey\n");
189 printf ("\t ;; mode %d (%s)\n", derivekeymode
,
190 derivekeymode
== SHISHI_DERIVEKEYMODE_CHECKSUM
? "checksum" :
191 derivekeymode
== SHISHI_DERIVEKEYMODE_INTEGRITY
? "integrity" :
192 derivekeymode
== SHISHI_DERIVEKEYMODE_PRIVACY
? "privacy" :
194 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
198 res
= shishi_key_from_value (handle
, shishi_key_type (key
),
200 if (res
!= SHISHI_OK
)
203 *outkey
= derivedkey
;
207 uint32_t tmp
= htonl (keyusage
);
208 memcpy (constant
, &tmp
, 4);
209 if (derivekeymode
== SHISHI_DERIVEKEYMODE_CHECKSUM
)
210 constant
[4] = '\x99';
211 else if (derivekeymode
== SHISHI_DERIVEKEYMODE_INTEGRITY
)
212 constant
[4] = '\x55';
213 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
214 constant
[4] = '\xAA';
216 res
= shishi_dk (handle
, key
, constant
, 5, derivedkey
);
220 shishi_key_copy (derivedkey
, key
);
223 if (VERBOSECRYPTO (handle
))
225 printf ("\t ;; simplified_derivekey out (%d):\n",
226 shishi_key_length (derivedkey
));
227 _shishi_hexprint (shishi_key_value (derivedkey
),
228 shishi_key_length (derivedkey
));
235 _shishi_simplified_dencrypt (Shishi
* handle
,
237 const char *iv
, size_t ivlen
,
238 char **ivout
, size_t * ivoutlen
,
239 const char *in
, size_t inlen
,
240 char **out
, size_t * outlen
, int decryptp
)
247 switch (shishi_key_type (key
))
249 case SHISHI_DES_CBC_CRC
:
250 case SHISHI_DES_CBC_MD4
:
251 case SHISHI_DES_CBC_MD5
:
254 rc
= shishi_des (handle
, decryptp
, shishi_key_value (key
),
255 iv
, ivout
, in
, inlen
, out
);
258 case SHISHI_DES3_CBC_HMAC_SHA1_KD
:
261 rc
= shishi_3des (handle
, decryptp
, shishi_key_value (key
),
262 iv
, ivout
, in
, inlen
, out
);
265 case SHISHI_AES128_CTS_HMAC_SHA1_96
:
266 case SHISHI_AES256_CTS_HMAC_SHA1_96
:
269 rc
= shishi_aes_cts (handle
, decryptp
,
270 shishi_key_value (key
), shishi_key_length (key
),
271 iv
, ivout
, in
, inlen
, out
);
275 rc
= SHISHI_CRYPTO_ERROR
;
282 _shishi_simplified_encrypt (Shishi
* handle
,
285 const char *iv
, size_t ivlen
,
286 char **ivout
, size_t * ivoutlen
,
287 const char *in
, size_t inlen
,
288 char **out
, size_t * outlen
)
293 if ((shishi_key_type (key
) == SHISHI_DES3_CBC_HMAC_SHA1_KD
||
294 shishi_key_type (key
) == SHISHI_DES_CBC_CRC
||
295 shishi_key_type (key
) == SHISHI_DES_CBC_MD4
||
296 shishi_key_type (key
) == SHISHI_DES_CBC_MD5
) && (inlen
% 8) != 0)
297 while (((inlen
+ padzerolen
) % 8) != 0)
302 char *pt
= NULL
, *ct
= NULL
, *hmac
= NULL
;
303 int blen
= shishi_cipher_blocksize (shishi_key_type (key
));
304 size_t ctlen
, ptlen
, hmaclen
;
305 Shishi_key
*privacykey
= NULL
, *integritykey
= NULL
;
307 ptlen
= inlen
+ blen
+ padzerolen
;
308 pt
= xmalloc (ptlen
);
310 res
= shishi_randomize (handle
, pt
, blen
);
311 if (res
!= SHISHI_OK
)
314 memcpy (pt
+ blen
, in
, inlen
);
315 memset (pt
+ blen
+ inlen
, 0, padzerolen
);
317 res
= _shishi_simplified_derivekey (handle
, key
, keyusage
,
318 SHISHI_DERIVEKEYMODE_PRIVACY
,
320 if (res
!= SHISHI_OK
)
323 res
= _shishi_simplified_dencrypt (handle
, privacykey
,
325 ivoutlen
, pt
, ptlen
, &ct
, &ctlen
, 0);
326 if (res
!= SHISHI_OK
)
330 res
= _shishi_simplified_derivekey (handle
, key
, keyusage
,
331 SHISHI_DERIVEKEYMODE_INTEGRITY
,
333 if (res
!= SHISHI_OK
)
336 res
= simplified_hmac (handle
, integritykey
, pt
, ptlen
,
338 if (res
!= SHISHI_OK
)
341 *outlen
= ctlen
+ hmaclen
;
342 *out
= xmalloc (*outlen
);
343 memcpy (*out
, ct
, ctlen
);
344 memcpy (*out
+ ctlen
, hmac
, hmaclen
);
348 shishi_key_done (privacykey
);
350 shishi_key_done (integritykey
);
360 res
= _shishi_simplified_dencrypt (handle
, key
, iv
, ivlen
,
362 in
, inlen
, out
, outlen
, 0);
369 _shishi_simplified_decrypt (Shishi
* handle
,
372 const char *iv
, size_t ivlen
,
373 char **ivout
, size_t * ivoutlen
,
374 const char *in
, size_t inlen
,
375 char **out
, size_t * outlen
)
381 Shishi_key
*privacykey
= NULL
, *integritykey
= NULL
;
382 int blen
= shishi_cipher_blocksize (shishi_key_type (key
));
383 size_t hlen
= 20; /* XXX only works for SHA-1 */
385 res
= _shishi_simplified_derivekey (handle
, key
, keyusage
,
386 SHISHI_DERIVEKEYMODE_PRIVACY
,
388 if (res
!= SHISHI_OK
)
391 res
= _shishi_simplified_dencrypt (handle
, privacykey
,
392 iv
, ivlen
, ivout
, ivoutlen
,
393 in
, inlen
- hlen
, out
, outlen
, 1);
394 if (res
!= SHISHI_OK
)
397 res
= _shishi_simplified_derivekey (handle
, key
, keyusage
,
398 SHISHI_DERIVEKEYMODE_INTEGRITY
,
400 if (res
!= SHISHI_OK
)
403 res
= simplified_hmac_verify (handle
, integritykey
, *out
, *outlen
,
404 in
+ inlen
- hlen
, hlen
);
406 if (res
!= SHISHI_OK
)
409 memmove (*out
, *out
+ blen
, *outlen
- blen
);
410 *outlen
= *outlen
- blen
;
411 *out
= xrealloc (*out
, *outlen
);
415 shishi_key_done (privacykey
);
417 shishi_key_done (integritykey
);
421 res
= _shishi_simplified_dencrypt (handle
, key
, iv
, ivlen
,
423 in
, inlen
, out
, outlen
, 1);
430 _shishi_simplified_checksum (Shishi
* handle
,
434 const char *in
, size_t inlen
,
435 char **out
, size_t * outlen
)
437 Shishi_key
*checksumkey
;
438 int cksumlen
= shishi_checksum_cksumlen (cksumtype
);
441 res
= _shishi_simplified_derivekey (handle
, key
, keyusage
,
442 SHISHI_DERIVEKEYMODE_CHECKSUM
,
444 if (res
!= SHISHI_OK
)
447 res
= simplified_hmac (handle
, checksumkey
, in
, inlen
, out
, outlen
);
449 shishi_key_done (checksumkey
);
451 if (res
!= SHISHI_OK
)
459 static cipherinfo
*ciphers
[] = {
471 &des3_cbc_sha1_kd_info
,
474 &aes128_cts_hmac_sha1_96_info
,
475 &aes256_cts_hmac_sha1_96_info
,
484 * shishi_cipher_supported_p:
485 * @type: encryption type, see Shishi_etype.
487 * Return value: Return 0 iff cipher is unsupported.
490 shishi_cipher_supported_p (int32_t type
)
494 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
495 if (type
== ciphers
[i
]->type
)
502 * shishi_cipher_name:
503 * @type: encryption type, see Shishi_etype.
505 * Return value: Return name of encryption type,
506 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
509 shishi_cipher_name (int32_t type
)
514 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
516 if (type
== ciphers
[i
]->type
)
517 return ciphers
[i
]->name
;
520 asprintf (&p
, "unknown cipher %d", type
);
525 * shishi_cipher_blocksize:
526 * @type: encryption type, see Shishi_etype.
528 * Return value: Return block size for encryption type, as defined in
532 shishi_cipher_blocksize (int32_t type
)
536 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
537 if (type
== ciphers
[i
]->type
)
538 return ciphers
[i
]->blocksize
;
544 * shishi_cipher_minpadsize:
545 * @type: encryption type, see Shishi_etype.
547 * Return value: Return the minimum pad size for encryption type, as
548 * defined in the standards.
551 shishi_cipher_minpadsize (int32_t type
)
555 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
556 if (type
== ciphers
[i
]->type
)
557 return ciphers
[i
]->minpadsize
;
563 * shishi_cipher_confoundersize:
564 * @type: encryption type, see Shishi_etype.
566 * Return value: Returns the size of the confounder (random data) for
567 * encryption type, as defined in the standards.
570 shishi_cipher_confoundersize (int32_t type
)
574 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
575 if (type
== ciphers
[i
]->type
)
576 return ciphers
[i
]->confoundersize
;
582 * shishi_cipher_keylen:
583 * @type: encryption type, see Shishi_etype.
585 * Return value: Return length of key used for the encryption type, as
586 * defined in the standards.
589 shishi_cipher_keylen (int32_t type
)
593 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
594 if (type
== ciphers
[i
]->type
)
595 return ciphers
[i
]->keylen
;
601 * shishi_cipher_randomlen:
602 * @type: encryption type, see Shishi_etype.
604 * Return value: Return length of random used for the encryption type,
605 * as defined in the standards.
608 shishi_cipher_randomlen (int32_t type
)
612 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
613 if (type
== ciphers
[i
]->type
)
614 return ciphers
[i
]->randomlen
;
620 * shishi_cipher_defaultcksumtype:
621 * @type: encryption type, see Shishi_etype.
623 * Return value: Return associated checksum mechanism for the
624 * encryption type, as defined in the standards.
627 shishi_cipher_defaultcksumtype (int32_t type
)
631 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
632 if (type
== ciphers
[i
]->type
)
633 return ciphers
[i
]->defaultcksumtype
;
639 * shishi_cipher_parse:
640 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
642 * Return value: Return encryption type corresponding to a string.
645 shishi_cipher_parse (const char *cipher
)
650 i
= strtol (cipher
, &endptr
, 0);
652 if (endptr
!= cipher
)
655 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
656 if (strcasecmp (cipher
, ciphers
[i
]->name
) == 0)
657 return ciphers
[i
]->type
;
662 static Shishi_random_to_key_function
663 _shishi_cipher_random_to_key (int32_t type
)
667 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
668 if (type
== ciphers
[i
]->type
)
669 return ciphers
[i
]->random2key
;
674 static Shishi_string_to_key_function
675 _shishi_cipher_string_to_key (int32_t type
)
679 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
680 if (type
== ciphers
[i
]->type
)
681 return ciphers
[i
]->string2key
;
686 static Shishi_encrypt_function
687 _shishi_cipher_encrypt (int32_t type
)
691 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
692 if (type
== ciphers
[i
]->type
)
693 return ciphers
[i
]->encrypt
;
698 static Shishi_decrypt_function
699 _shishi_cipher_decrypt (int32_t type
)
703 for (i
= 0; i
< sizeof (ciphers
) / sizeof (ciphers
[0]); i
++)
704 if (type
== ciphers
[i
]->type
)
705 return ciphers
[i
]->decrypt
;
710 static checksuminfo
*checksums
[] = {
725 &hmac_sha1_des3_kd_info
,
728 &hmac_sha1_96_aes128_info
,
729 &hmac_sha1_96_aes256_info
,
737 * shishi_checksum_supported_p:
738 * @type: checksum type, see Shishi_cksumtype.
740 * Return value: Return 0 iff checksum is unsupported.
743 shishi_checksum_supported_p (int32_t type
)
747 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
748 if (type
== checksums
[i
]->type
)
755 * shishi_checksum_name:
756 * @type: checksum type, see Shishi_cksumtype.
758 * Return value: Return name of checksum type,
759 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
762 shishi_checksum_name (int32_t type
)
767 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
769 if (type
== checksums
[i
]->type
)
770 return checksums
[i
]->name
;
773 asprintf (&p
, "unknown checksum %d", type
);
778 * shishi_checksum_cksumlen:
779 * @type: checksum type, see Shishi_cksumtype.
781 * Return value: Return length of checksum used for the checksum type,
782 * as defined in the standards.
785 shishi_checksum_cksumlen (int32_t type
)
789 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
790 if (type
== checksums
[i
]->type
)
791 return checksums
[i
]->cksumlen
;
797 * shishi_checksum_parse:
798 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
800 * Return value: Return checksum type, see Shishi_cksumtype,
801 * corresponding to a string.
804 shishi_checksum_parse (const char *checksum
)
809 i
= strtol (checksum
, &endptr
, 0);
811 if (endptr
!= checksum
)
814 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
815 if (strcasecmp (checksum
, checksums
[i
]->name
) == 0)
816 return checksums
[i
]->type
;
821 static Shishi_checksum_function
822 _shishi_checksum (int32_t type
)
826 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
827 if (type
== checksums
[i
]->type
)
828 return checksums
[i
]->checksum
;
833 static Shishi_verify_function
834 _shishi_verify (int32_t type
)
838 for (i
= 0; i
< sizeof (checksums
) / sizeof (checksums
[0]); i
++)
839 if (type
== checksums
[i
]->type
)
840 return checksums
[i
]->verify
;
846 * shishi_string_to_key:
847 * @handle: shishi handle as allocated by shishi_init().
848 * @keytype: cryptographic encryption type, see Shishi_etype.
849 * @password: input array with password.
850 * @passwordlen: length of input array with password.
851 * @salt: input array with salt.
852 * @saltlen: length of input array with salt.
853 * @parameter: input array with opaque encryption type specific information.
854 * @outkey: allocated key handle that will contain new key.
856 * Derive key from a string (password) and salt (commonly
857 * concatenation of realm and principal) for specified key type, and
858 * set the type and value in the given key to the computed values.
859 * The parameter value is specific for each keytype, and can be set if
860 * the parameter information is not available.
862 * Return value: Returns %SHISHI_OK iff successful.
865 shishi_string_to_key (Shishi
* handle
,
867 const char *password
, size_t passwordlen
,
868 const char *salt
, size_t saltlen
,
869 const char *parameter
, Shishi_key
* outkey
)
871 Shishi_string_to_key_function string2key
;
874 shishi_key_type_set (outkey
, keytype
);
876 if (VERBOSECRYPTO (handle
))
878 printf ("string_to_key (%s, password, salt)\n",
879 shishi_key_name (outkey
));
880 printf ("\t ;; password:\n");
881 _shishi_escapeprint (password
, passwordlen
);
882 _shishi_hexprint (password
, passwordlen
);
883 printf ("\t ;; salt:\n");
884 _shishi_escapeprint (salt
, saltlen
);
885 _shishi_hexprint (salt
, saltlen
);
888 string2key
= _shishi_cipher_string_to_key (shishi_key_type (outkey
));
889 if (string2key
== NULL
)
891 shishi_error_printf (handle
, "Unsupported keytype %d",
892 shishi_key_type (outkey
));
893 return SHISHI_CRYPTO_ERROR
;
896 res
= (*string2key
) (handle
, password
, passwordlen
,
897 salt
, saltlen
, parameter
, outkey
);
899 if (VERBOSECRYPTO (handle
))
901 printf ("\t ;; string_to_key key:\n");
902 _shishi_hexprint (shishi_key_value (outkey
),
903 shishi_key_length (outkey
));
904 _shishi_binprint (shishi_key_value (outkey
),
905 shishi_key_length (outkey
));
912 * shishi_random_to_key:
913 * @handle: shishi handle as allocated by shishi_init().
914 * @keytype: cryptographic encryption type, see Shishi_etype.
915 * @random: input array with random data.
916 * @randomlen: length of input array with random data.
917 * @outkey: allocated key handle that will contain new key.
919 * Derive key from random data for specified key type, and set the
920 * type and value in the given key to the computed values.
922 * Return value: Returns %SHISHI_OK iff successful.
925 shishi_random_to_key (Shishi
* handle
,
927 char *random
, size_t randomlen
, Shishi_key
* outkey
)
929 Shishi_random_to_key_function random2key
;
932 shishi_key_type_set (outkey
, keytype
);
934 if (VERBOSECRYPTO (handle
))
936 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey
));
937 printf ("\t ;; random:\n");
938 _shishi_hexprint (random
, randomlen
);
939 _shishi_binprint (random
, randomlen
);
942 random2key
= _shishi_cipher_random_to_key (keytype
);
943 if (random2key
== NULL
)
945 shishi_error_printf (handle
, "Unsupported random_to_key() ekeytype %d",
947 return SHISHI_CRYPTO_ERROR
;
950 res
= (*random2key
) (handle
, random
, randomlen
, outkey
);
952 if (VERBOSECRYPTO (handle
))
954 printf ("\t ;; random_to_key key:\n");
955 _shishi_hexprint (shishi_key_value (outkey
),
956 shishi_key_length (outkey
));
957 _shishi_binprint (shishi_key_value (outkey
),
958 shishi_key_length (outkey
));
966 * @handle: shishi handle as allocated by shishi_init().
967 * @key: key to compute checksum with.
968 * @keyusage: integer specifying what this key is used for.
969 * @cksumtype: the checksum algorithm to use.
970 * @in: input array with data to integrity protect.
971 * @inlen: size of input array with data to integrity protect.
972 * @out: output array with newly allocated integrity protected data.
973 * @outlen: output variable with length of output array with checksum.
975 * Integrity protect data using key, possibly altered by supplied key
976 * usage. If key usage is 0, no key derivation is used. The OUT
977 * buffer must be deallocated by the caller.
979 * Return value: Returns %SHISHI_OK iff successful.
982 shishi_checksum (Shishi
* handle
,
986 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
988 Shishi_checksum_function checksum
;
991 if (VERBOSECRYPTO (handle
))
993 printf ("checksum (%s, %d, in, out)\n",
994 shishi_key_name (key
), cksumtype
);
995 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
996 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
997 printf ("\t ;; in:\n");
998 _shishi_escapeprint (in
, inlen
);
999 _shishi_hexprint (in
, inlen
);
1003 cksumtype
= shishi_cipher_defaultcksumtype (shishi_key_type (key
));
1005 checksum
= _shishi_checksum (cksumtype
);
1006 if (checksum
== NULL
)
1008 shishi_error_printf (handle
, "Unsupported checksum type %d", cksumtype
);
1009 return SHISHI_CRYPTO_ERROR
;
1012 /* XXX? check if etype and cksumtype are compatible? */
1014 res
= (*checksum
) (handle
, key
, keyusage
, cksumtype
,
1015 in
, inlen
, out
, outlen
);
1017 if (VERBOSECRYPTO (handle
))
1019 printf ("\t ;; checksum out:\n");
1020 _shishi_escapeprint (*out
, *outlen
);
1021 _shishi_hexprint (*out
, *outlen
);
1029 * @handle: shishi handle as allocated by shishi_init().
1030 * @key: key to verify checksum with.
1031 * @keyusage: integer specifying what this key is used for.
1032 * @cksumtype: the checksum algorithm to use.
1033 * @in: input array with data that was integrity protected.
1034 * @inlen: size of input array with data that was integrity protected.
1035 * @cksum: input array with alleged checksum of data.
1036 * @cksumlen: size of input array with alleged checksum of data.
1038 * Verify checksum of data using key, possibly altered by supplied key
1039 * usage. If key usage is 0, no key derivation is used.
1041 * Return value: Returns %SHISHI_OK iff successful.
1044 shishi_verify (Shishi
* handle
,
1048 const char *in
, size_t inlen
,
1049 const char *cksum
, size_t cksumlen
)
1051 Shishi_verify_function verify
;
1054 if (VERBOSECRYPTO (handle
))
1056 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key
), cksumtype
);
1057 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1058 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
1059 printf ("\t ;; data:\n");
1060 _shishi_escapeprint (in
, inlen
);
1061 _shishi_hexprint (in
, inlen
);
1062 printf ("\t ;; mic:\n");
1063 _shishi_escapeprint (cksum
, cksumlen
);
1064 _shishi_hexprint (cksum
, cksumlen
);
1068 cksumtype
= shishi_cipher_defaultcksumtype (shishi_key_type (key
));
1070 verify
= _shishi_verify (cksumtype
);
1073 shishi_error_printf (handle
, "Unsupported checksum type %d", cksumtype
);
1074 return SHISHI_CRYPTO_ERROR
;
1077 /* XXX? check if etype and cksumtype are compatible? */
1079 res
= (*verify
) (handle
, key
, keyusage
, cksumtype
,
1080 in
, inlen
, cksum
, cksumlen
);
1082 if (VERBOSECRYPTO (handle
))
1083 printf ("\t ;; verify return: %d\n", res
);
1089 * shishi_encrypt_ivupdate_etype:
1090 * @handle: shishi handle as allocated by shishi_init().
1091 * @key: key to encrypt with.
1092 * @keyusage: integer specifying what this key is encrypting.
1093 * @etype: integer specifying what cipher to use.
1094 * @iv: input array with initialization vector
1095 * @ivlen: size of input array with initialization vector.
1096 * @ivout: output array with newly allocated updated initialization vector.
1097 * @ivoutlen: size of output array with updated initialization vector.
1098 * @in: input array with data to encrypt.
1099 * @inlen: size of input array with data to encrypt.
1100 * @out: output array with newly allocated encrypted data.
1101 * @outlen: output variable with size of newly allocated output array.
1103 * Encrypts data as per encryption method using specified
1104 * initialization vector and key. The key actually used is derived
1105 * using the key usage. If key usage is 0, no key derivation is used.
1106 * The OUT buffer must be deallocated by the caller. If IVOUT or
1107 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1109 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1110 * exactly, some Kerberos encryption types add pad to make the data
1111 * fit into the block size of the encryption algorithm. Furthermore,
1112 * the pad is not guaranteed to look in any special way, although
1113 * existing implementations often pad with the zero byte. This means
1114 * that you may have to "frame" data, so it is possible to infer the
1115 * original length after decryption. Compare ASN.1 DER which contains
1118 * Return value: Returns %SHISHI_OK iff successful.
1121 shishi_encrypt_ivupdate_etype (Shishi
* handle
,
1125 const char *iv
, size_t ivlen
,
1126 char **ivout
, size_t * ivoutlen
,
1127 const char *in
, size_t inlen
,
1128 char **out
, size_t * outlen
)
1130 Shishi_encrypt_function encrypt
;
1133 if (VERBOSECRYPTO (handle
))
1135 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1136 shishi_key_name (key
), keyusage
);
1137 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1138 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
1139 printf ("\t ;; in (%d):\n", inlen
);
1140 _shishi_escapeprint (in
, inlen
);
1141 _shishi_hexprint (in
, inlen
);
1144 printf ("\t ;; iv (%d):\n", ivlen
);
1145 _shishi_escapeprint (iv
, ivlen
);
1146 _shishi_hexprint (iv
, ivlen
);
1150 encrypt
= _shishi_cipher_encrypt (etype
);
1151 if (encrypt
== NULL
)
1153 shishi_error_printf (handle
, "Unsupported keytype %d",
1154 shishi_key_type (key
));
1155 return SHISHI_CRYPTO_ERROR
;
1158 res
= (*encrypt
) (handle
, key
, keyusage
,
1159 iv
, ivlen
, ivout
, ivoutlen
, in
, inlen
, out
, outlen
);
1161 if (VERBOSECRYPTO (handle
))
1163 if (res
== SHISHI_OK
)
1165 printf ("\t ;; encrypt out:\n");
1166 _shishi_escapeprint (*out
, *outlen
);
1167 _shishi_hexprint (*out
, *outlen
);
1168 if (ivout
&& ivoutlen
)
1170 printf ("\t ;; iv out:\n");
1171 _shishi_escapeprint (*ivout
, *ivoutlen
);
1172 _shishi_hexprint (*ivout
, *ivoutlen
);
1177 printf ("\t ;; encrypt out failed %d\n", res
);
1185 * shishi_encrypt_iv_etype:
1186 * @handle: shishi handle as allocated by shishi_init().
1187 * @key: key to encrypt with.
1188 * @keyusage: integer specifying what this key is encrypting.
1189 * @etype: integer specifying what cipher to use.
1190 * @iv: input array with initialization vector
1191 * @ivlen: size of input array with initialization vector.
1192 * @in: input array with data to encrypt.
1193 * @inlen: size of input array with data to encrypt.
1194 * @out: output array with newly allocated encrypted data.
1195 * @outlen: output variable with size of newly allocated output array.
1197 * Encrypts data as per encryption method using specified
1198 * initialization vector and key. The key actually used is derived
1199 * using the key usage. If key usage is 0, no key derivation is used.
1200 * The OUT buffer must be deallocated by the caller. The next IV is
1201 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1203 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1204 * exactly, some Kerberos encryption types add pad to make the data
1205 * fit into the block size of the encryption algorithm. Furthermore,
1206 * the pad is not guaranteed to look in any special way, although
1207 * existing implementations often pad with the zero byte. This means
1208 * that you may have to "frame" data, so it is possible to infer the
1209 * original length after decryption. Compare ASN.1 DER which contains
1212 * Return value: Returns %SHISHI_OK iff successful.
1215 shishi_encrypt_iv_etype (Shishi
* handle
,
1219 const char *iv
, size_t ivlen
,
1220 const char *in
, size_t inlen
,
1221 char **out
, size_t * outlen
)
1223 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
, etype
,
1224 iv
, ivlen
, NULL
, NULL
,
1225 in
, inlen
, out
, outlen
);
1229 * shishi_encrypt_etype:
1230 * @handle: shishi handle as allocated by shishi_init().
1231 * @key: key to encrypt with.
1232 * @keyusage: integer specifying what this key is encrypting.
1233 * @etype: integer specifying what cipher to use.
1234 * @in: input array with data to encrypt.
1235 * @inlen: size of input array with data to encrypt.
1236 * @out: output array with newly allocated encrypted data.
1237 * @outlen: output variable with size of newly allocated output array.
1239 * Encrypts data as per encryption method using specified
1240 * initialization vector and key. The key actually used is derived
1241 * using the key usage. If key usage is 0, no key derivation is used.
1242 * The OUT buffer must be deallocated by the caller. The default IV
1243 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1244 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1246 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1247 * exactly, some Kerberos encryption types add pad to make the data
1248 * fit into the block size of the encryption algorithm. Furthermore,
1249 * the pad is not guaranteed to look in any special way, although
1250 * existing implementations often pad with the zero byte. This means
1251 * that you may have to "frame" data, so it is possible to infer the
1252 * original length after decryption. Compare ASN.1 DER which contains
1255 * Return value: Returns %SHISHI_OK iff successful.
1258 shishi_encrypt_etype (Shishi
* handle
,
1262 const char *in
, size_t inlen
,
1263 char **out
, size_t * outlen
)
1265 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1266 shishi_key_type (key
),
1267 NULL
, 0, NULL
, NULL
,
1268 in
, inlen
, out
, outlen
);
1272 * shishi_encrypt_ivupdate:
1273 * @handle: shishi handle as allocated by shishi_init().
1274 * @key: key to encrypt with.
1275 * @keyusage: integer specifying what this key is encrypting.
1276 * @iv: input array with initialization vector
1277 * @ivlen: size of input array with initialization vector.
1278 * @ivout: output array with newly allocated updated initialization vector.
1279 * @ivoutlen: size of output array with updated initialization vector.
1280 * @in: input array with data to encrypt.
1281 * @inlen: size of input array with data to encrypt.
1282 * @out: output array with newly allocated encrypted data.
1283 * @outlen: output variable with size of newly allocated output array.
1285 * Encrypts data using specified initialization vector and key. The
1286 * key actually used is derived using the key usage. If key usage is
1287 * 0, no key derivation is used. The OUT buffer must be deallocated
1288 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1291 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1292 * exactly, some Kerberos encryption types add pad to make the data
1293 * fit into the block size of the encryption algorithm. Furthermore,
1294 * the pad is not guaranteed to look in any special way, although
1295 * existing implementations often pad with the zero byte. This means
1296 * that you may have to "frame" data, so it is possible to infer the
1297 * original length after decryption. Compare ASN.1 DER which contains
1300 * Return value: Returns %SHISHI_OK iff successful.
1303 shishi_encrypt_ivupdate (Shishi
* handle
,
1306 const char *iv
, size_t ivlen
,
1307 char **ivout
, size_t * ivoutlen
,
1308 const char *in
, size_t inlen
,
1309 char **out
, size_t * outlen
)
1311 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1312 shishi_key_type (key
),
1313 iv
, ivlen
, ivout
, ivoutlen
,
1314 in
, inlen
, out
, outlen
);
1318 * shishi_encrypt_iv:
1319 * @handle: shishi handle as allocated by shishi_init().
1320 * @key: key to encrypt with.
1321 * @keyusage: integer specifying what this key is encrypting.
1322 * @iv: input array with initialization vector
1323 * @ivlen: size of input array with initialization vector.
1324 * @in: input array with data to encrypt.
1325 * @inlen: size of input array with data to encrypt.
1326 * @out: output array with newly allocated encrypted data.
1327 * @outlen: output variable with size of newly allocated output array.
1329 * Encrypts data using specified initialization vector and key. The
1330 * key actually used is derived using the key usage. If key usage is
1331 * 0, no key derivation is used. The OUT buffer must be deallocated
1332 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1335 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1336 * exactly, some Kerberos encryption types add pad to make the data
1337 * fit into the block size of the encryption algorithm. Furthermore,
1338 * the pad is not guaranteed to look in any special way, although
1339 * existing implementations often pad with the zero byte. This means
1340 * that you may have to "frame" data, so it is possible to infer the
1341 * original length after decryption. Compare ASN.1 DER which contains
1344 * Return value: Returns %SHISHI_OK iff successful.
1347 shishi_encrypt_iv (Shishi
* handle
,
1350 const char *iv
, size_t ivlen
,
1351 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
1353 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1354 shishi_key_type (key
),
1355 iv
, ivlen
, NULL
, NULL
,
1356 in
, inlen
, out
, outlen
);
1361 * @handle: shishi handle as allocated by shishi_init().
1362 * @key: key to encrypt with.
1363 * @keyusage: integer specifying what this key is encrypting.
1364 * @in: input array with data to encrypt.
1365 * @inlen: size of input array with data to encrypt.
1366 * @out: output array with newly allocated encrypted data.
1367 * @outlen: output variable with size of newly allocated output array.
1369 * Encrypts data using specified key. The key actually used is
1370 * derived using the key usage. If key usage is 0, no key derivation
1371 * is used. The OUT buffer must be deallocated by the caller. The
1372 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1373 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1375 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1376 * exactly, some Kerberos encryption types add pad to make the data
1377 * fit into the block size of the encryption algorithm. Furthermore,
1378 * the pad is not guaranteed to look in any special way, although
1379 * existing implementations often pad with the zero byte. This means
1380 * that you may have to "frame" data, so it is possible to infer the
1381 * original length after decryption. Compare ASN.1 DER which contains
1384 * Return value: Returns %SHISHI_OK iff successful.
1387 shishi_encrypt (Shishi
* handle
,
1390 char *in
, size_t inlen
, char **out
, size_t * outlen
)
1392 return shishi_encrypt_ivupdate_etype (handle
, key
, keyusage
,
1393 shishi_key_type (key
),
1394 NULL
, 0, NULL
, NULL
,
1395 in
, inlen
, out
, outlen
);
1399 * shishi_decrypt_ivupdate_etype:
1400 * @handle: shishi handle as allocated by shishi_init().
1401 * @key: key to decrypt with.
1402 * @keyusage: integer specifying what this key is decrypting.
1403 * @etype: integer specifying what cipher to use.
1404 * @iv: input array with initialization vector
1405 * @ivlen: size of input array with initialization vector.
1406 * @ivout: output array with newly allocated updated initialization vector.
1407 * @ivoutlen: size of output array with updated initialization vector.
1408 * @in: input array with data to decrypt.
1409 * @inlen: size of input array with data to decrypt.
1410 * @out: output array with newly allocated decrypted data.
1411 * @outlen: output variable with size of newly allocated output array.
1413 * Decrypts data as per encryption method using specified
1414 * initialization vector and key. The key actually used is derived
1415 * using the key usage. If key usage is 0, no key derivation is used.
1416 * The OUT buffer must be deallocated by the caller. If IVOUT or
1417 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1419 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1420 * exactly, some Kerberos encryption types add pad to make the data
1421 * fit into the block size of the encryption algorithm. Furthermore,
1422 * the pad is not guaranteed to look in any special way, although
1423 * existing implementations often pad with the zero byte. This means
1424 * that you may have to "frame" data, so it is possible to infer the
1425 * original length after decryption. Compare ASN.1 DER which contains
1428 * Return value: Returns %SHISHI_OK iff successful.
1431 shishi_decrypt_ivupdate_etype (Shishi
* handle
,
1435 const char *iv
, size_t ivlen
,
1436 char **ivout
, size_t * ivoutlen
,
1437 const char *in
, size_t inlen
,
1438 char **out
, size_t * outlen
)
1440 Shishi_decrypt_function decrypt
;
1443 if (VERBOSECRYPTO (handle
))
1445 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1446 shishi_key_name (key
), keyusage
);
1447 printf ("\t ;; key (%d):\n", shishi_key_length (key
));
1448 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
1449 printf ("\t ;; in (%d):\n", inlen
);
1450 _shishi_escapeprint (in
, inlen
);
1451 _shishi_hexprint (in
, inlen
);
1454 decrypt
= _shishi_cipher_decrypt (etype
);
1455 if (decrypt
== NULL
)
1457 shishi_error_printf (handle
, "Unsupported keytype %d",
1458 shishi_key_type (key
));
1459 return SHISHI_CRYPTO_ERROR
;
1462 res
= (*decrypt
) (handle
, key
, keyusage
,
1463 iv
, ivlen
, ivout
, ivoutlen
, in
, inlen
, out
, outlen
);
1465 if (VERBOSECRYPTO (handle
))
1467 if (res
== SHISHI_OK
)
1469 printf ("\t ;; decrypt out:\n");
1470 _shishi_escapeprint (*out
, *outlen
);
1471 _shishi_hexprint (*out
, *outlen
);
1475 printf ("\t ;; decrypt out failed %d\n", res
);
1483 * shishi_decrypt_iv_etype:
1484 * @handle: shishi handle as allocated by shishi_init().
1485 * @key: key to decrypt with.
1486 * @keyusage: integer specifying what this key is decrypting.
1487 * @etype: integer specifying what cipher to use.
1488 * @iv: input array with initialization vector
1489 * @ivlen: size of input array with initialization vector.
1490 * @in: input array with data to decrypt.
1491 * @inlen: size of input array with data to decrypt.
1492 * @out: output array with newly allocated decrypted data.
1493 * @outlen: output variable with size of newly allocated output array.
1495 * Decrypts data as per encryption method using specified
1496 * initialization vector and key. The key actually used is derived
1497 * using the key usage. If key usage is 0, no key derivation is used.
1498 * The OUT buffer must be deallocated by the caller. The next IV is
1499 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1501 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1502 * exactly, some Kerberos encryption types add pad to make the data
1503 * fit into the block size of the encryption algorithm. Furthermore,
1504 * the pad is not guaranteed to look in any special way, although
1505 * existing implementations often pad with the zero byte. This means
1506 * that you may have to "frame" data, so it is possible to infer the
1507 * original length after decryption. Compare ASN.1 DER which contains
1510 * Return value: Returns %SHISHI_OK iff successful.
1513 shishi_decrypt_iv_etype (Shishi
* handle
,
1517 const char *iv
, size_t ivlen
,
1518 const char *in
, size_t inlen
,
1519 char **out
, size_t * outlen
)
1521 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
, etype
,
1522 iv
, ivlen
, NULL
, NULL
,
1523 in
, inlen
, out
, outlen
);
1527 * shishi_decrypt_etype:
1528 * @handle: shishi handle as allocated by shishi_init().
1529 * @key: key to decrypt with.
1530 * @keyusage: integer specifying what this key is decrypting.
1531 * @etype: integer specifying what cipher to use.
1532 * @in: input array with data to decrypt.
1533 * @inlen: size of input array with data to decrypt.
1534 * @out: output array with newly allocated decrypted data.
1535 * @outlen: output variable with size of newly allocated output array.
1537 * Decrypts data as per encryption method using specified key. The
1538 * key actually used is derived using the key usage. If key usage is
1539 * 0, no key derivation is used. The OUT buffer must be deallocated
1540 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1541 * if you need to alter it. The next IV is lost, see
1542 * shishi_decrypt_ivupdate_etype if you need it.
1544 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1545 * exactly, some Kerberos encryption types add pad to make the data
1546 * fit into the block size of the encryption algorithm. Furthermore,
1547 * the pad is not guaranteed to look in any special way, although
1548 * existing implementations often pad with the zero byte. This means
1549 * that you may have to "frame" data, so it is possible to infer the
1550 * original length after decryption. Compare ASN.1 DER which contains
1553 * Return value: Returns %SHISHI_OK iff successful.
1556 shishi_decrypt_etype (Shishi
* handle
,
1560 const char *in
, size_t inlen
,
1561 char **out
, size_t * outlen
)
1563 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
, etype
,
1564 NULL
, 0, NULL
, NULL
,
1565 in
, inlen
, out
, outlen
);
1569 * shishi_decrypt_ivupdate:
1570 * @handle: shishi handle as allocated by shishi_init().
1571 * @key: key to decrypt with.
1572 * @keyusage: integer specifying what this key is decrypting.
1573 * @iv: input array with initialization vector
1574 * @ivlen: size of input array with initialization vector.
1575 * @ivout: output array with newly allocated updated initialization vector.
1576 * @ivoutlen: size of output array with updated initialization vector.
1577 * @in: input array with data to decrypt.
1578 * @inlen: size of input array with data to decrypt.
1579 * @out: output array with newly allocated decrypted data.
1580 * @outlen: output variable with size of newly allocated output array.
1582 * Decrypts data using specified initialization vector and key. The
1583 * key actually used is derived using the key usage. If key usage is
1584 * 0, no key derivation is used. The OUT buffer must be deallocated
1585 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1588 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1589 * exactly, some Kerberos encryption types add pad to make the data
1590 * fit into the block size of the encryption algorithm. Furthermore,
1591 * the pad is not guaranteed to look in any special way, although
1592 * existing implementations often pad with the zero byte. This means
1593 * that you may have to "frame" data, so it is possible to infer the
1594 * original length after decryption. Compare ASN.1 DER which contains
1597 * Return value: Returns %SHISHI_OK iff successful.
1600 shishi_decrypt_ivupdate (Shishi
* handle
,
1603 const char *iv
, size_t ivlen
,
1604 char **ivout
, size_t * ivoutlen
,
1605 const char *in
, size_t inlen
,
1606 char **out
, size_t * outlen
)
1608 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
,
1609 shishi_key_type (key
),
1610 iv
, ivlen
, ivout
, ivoutlen
,
1611 in
, inlen
, out
, outlen
);
1615 * shishi_decrypt_iv:
1616 * @handle: shishi handle as allocated by shishi_init().
1617 * @key: key to decrypt with.
1618 * @keyusage: integer specifying what this key is decrypting.
1619 * @iv: input array with initialization vector
1620 * @ivlen: size of input array with initialization vector.
1621 * @in: input array with data to decrypt.
1622 * @inlen: size of input array with data to decrypt.
1623 * @out: output array with newly allocated decrypted data.
1624 * @outlen: output variable with size of newly allocated output array.
1626 * Decrypts data using specified initialization vector and key. The
1627 * key actually used is derived using the key usage. If key usage is
1628 * 0, no key derivation is used. The OUT buffer must be deallocated
1629 * by the caller. The next IV is lost, see
1630 * shishi_decrypt_ivupdate_etype if you need it.
1632 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1633 * exactly, some Kerberos encryption types add pad to make the data
1634 * fit into the block size of the encryption algorithm. Furthermore,
1635 * the pad is not guaranteed to look in any special way, although
1636 * existing implementations often pad with the zero byte. This means
1637 * that you may have to "frame" data, so it is possible to infer the
1638 * original length after decryption. Compare ASN.1 DER which contains
1641 * Return value: Returns %SHISHI_OK iff successful.
1644 shishi_decrypt_iv (Shishi
* handle
,
1647 const char *iv
, size_t ivlen
,
1648 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
1650 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
,
1651 shishi_key_type (key
),
1652 iv
, ivlen
, NULL
, NULL
,
1653 in
, inlen
, out
, outlen
);
1658 * @handle: shishi handle as allocated by shishi_init().
1659 * @key: key to decrypt with.
1660 * @keyusage: integer specifying what this key is decrypting.
1661 * @in: input array with data to decrypt.
1662 * @inlen: size of input array with data to decrypt.
1663 * @out: output array with newly allocated decrypted data.
1664 * @outlen: output variable with size of newly allocated output array.
1666 * Decrypts data specified key. The key actually used is derived
1667 * using the key usage. If key usage is 0, no key derivation is used.
1668 * The OUT buffer must be deallocated by the caller. The default IV
1669 * is used, see shishi_decrypt_iv if you need to alter it. The next
1670 * IV is lost, see shishi_decrypt_ivupdate if you need it.
1672 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1673 * exactly, some Kerberos encryption types add pad to make the data
1674 * fit into the block size of the encryption algorithm. Furthermore,
1675 * the pad is not guaranteed to look in any special way, although
1676 * existing implementations often pad with the zero byte. This means
1677 * that you may have to "frame" data, so it is possible to infer the
1678 * original length after decryption. Compare ASN.1 DER which contains
1681 * Return value: Returns %SHISHI_OK iff successful.
1684 shishi_decrypt (Shishi
* handle
,
1687 const char *in
, size_t inlen
, char **out
, size_t * outlen
)
1689 return shishi_decrypt_ivupdate_etype (handle
, key
, keyusage
,
1690 shishi_key_type (key
),
1691 NULL
, 0, NULL
, NULL
,
1692 in
, inlen
, out
, outlen
);
1697 * @handle: shishi handle as allocated by shishi_init().
1698 * @in: input array with data to decrypt.
1699 * @inlen: size of input array with data to decrypt ("M").
1700 * @out: output array with decrypted data.
1701 * @outlen: size of output array ("N").
1703 * Fold data into a fixed length output array, with the intent to give
1704 * each input bit approximately equal weight in determining the value
1705 * of each output bit.
1707 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
1708 * by Uri Blumenthal and Steven M. Bellovin,
1709 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
1710 * the sample vectors provided by the paper are incorrect.
1712 * Return value: Returns %SHISHI_OK iff successful.
1715 shishi_n_fold (Shishi
* handle
,
1716 const char *in
, size_t inlen
, char *out
, size_t outlen
)
1726 To n-fold a number X, replicate the input value to a length that is
1727 the least common multiple of n and the length of X. Before each
1728 repetition, the input is rotated to the right by 13 bit
1729 positions. The successive n-bit chunks are added together using
1730 1's-complement addition (that is, addition with end-around carry)
1731 to yield a n-bit result denoted <X>_n.
1734 a
= (char *) xmemdup (in
, m
);
1738 if (VERBOSECRYPTO (handle
))
1740 printf ("%d-fold (string)\n", n
* 8);
1741 printf ("\t ;; string length %d bytes %d bits\n", m
, m
* 8);
1742 _shishi_escapeprint (a
, m
);
1743 _shishi_hexprint (a
, m
);
1744 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
1745 8 * m
, 8 * n
, m
, n
, lcmmn
);
1748 buf
= (char *) xmalloc (lcmmn
);
1750 /* Replicate the input th the LCMMN length */
1751 for (i
= 0; i
< (lcmmn
/ m
); i
++)
1753 if (VERBOSECRYPTO (handle
))
1755 printf ("\t ;; %d-th replication\n", i
+ 1);
1756 printf ("string = rot13(string)\n");
1759 memcpy ((char *) &buf
[i
* m
], a
, m
);
1760 rot13 (handle
, a
, a
, m
);
1763 memset (out
, 0, n
); /* just in case */
1765 if (VERBOSECRYPTO (handle
))
1767 printf ("\t ;; replicated string (length %d):\n", lcmmn
);
1768 _shishi_hexprint (buf
, lcmmn
);
1769 _shishi_binprint (buf
, lcmmn
);
1770 printf ("sum = 0\n");
1773 /* Now we view the buf as set of n-byte strings
1774 Add the n-byte long chunks together, using
1775 one's complement addition, storing the
1776 result in the output string. */
1778 for (i
= 0; i
< (lcmmn
/ n
); i
++)
1780 if (VERBOSECRYPTO (handle
))
1782 printf ("\t ;; %d-th one's complement addition sum\n", i
+ 1);
1783 printf ("\t ;; sum:\n");
1784 _shishi_hexprint (out
, n
);
1785 _shishi_binprint (out
, n
);
1786 printf ("\t ;; A (offset %d):\n", i
* n
);
1787 _shishi_hexprint (&buf
[i
* n
], n
);
1788 _shishi_binprint (&buf
[i
* n
], n
);
1789 printf ("sum = ocadd(sum, A);\n");
1792 ocadd (out
, (char *) &buf
[i
* n
], out
, n
);
1794 if (VERBOSECRYPTO (handle
))
1796 printf ("\t ;; sum:\n");
1797 _shishi_hexprint (out
, n
);
1798 _shishi_binprint (out
, n
);
1802 if (VERBOSECRYPTO (handle
))
1804 printf ("\t ;; nfold\n");
1805 _shishi_hexprint (out
, n
);
1806 _shishi_binprint (out
, n
);
1815 #define MAX_DR_CONSTANT 1024
1819 * @handle: shishi handle as allocated by shishi_init().
1820 * @key: input array with cryptographic key to use.
1821 * @constant: input array with the constant string.
1822 * @constantlen: size of input array with the constant string.
1823 * @derivedrandom: output array with derived random data.
1824 * @derivedrandomlen: size of output array with derived random data.
1826 * Derive "random" data from a key and a constant thusly:
1827 * DR(KEY, CONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
1828 * SHISHI_ENCRYPT(KEY, CONSTANT)).
1830 * Return value: Returns %SHISHI_OK iff successful.
1833 shishi_dr (Shishi
* handle
,
1835 const char *constant
, size_t constantlen
,
1836 char *derivedrandom
, size_t derivedrandomlen
)
1839 char plaintext
[MAX_DR_CONSTANT
];
1840 char nfoldconstant
[MAX_DR_CONSTANT
];
1841 size_t blocksize
= shishi_cipher_blocksize (shishi_key_type (key
));
1842 size_t totlen
, cipherlen
;
1845 if (VERBOSECRYPTO (handle
))
1847 printf ("dr (%s, key, constant, %d)\n",
1848 shishi_cipher_name (shishi_key_type (key
)), derivedrandomlen
);
1849 printf ("\t ;; key (length %d):\n", shishi_key_length (key
));
1850 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
1851 _shishi_binprint (shishi_key_value (key
), shishi_key_length (key
));
1852 printf ("\t ;; constant %s':\n", constant
);
1853 _shishi_escapeprint (constant
, constantlen
);
1854 _shishi_hexprint (constant
, constantlen
);
1855 _shishi_binprint (constant
, constantlen
);
1858 if (constantlen
> MAX_DR_CONSTANT
)
1859 return SHISHI_TOO_SMALL_BUFFER
;
1861 if (constantlen
== blocksize
)
1863 memcpy (nfoldconstant
, constant
, constantlen
);
1867 res
= shishi_n_fold (handle
, constant
, constantlen
, nfoldconstant
,
1869 if (res
!= SHISHI_OK
)
1873 if (VERBOSECRYPTO (handle
))
1875 printf ("\t ;; possibly nfolded constant (length %d):\n", blocksize
);
1876 _shishi_escapeprint (nfoldconstant
, blocksize
);
1877 _shishi_hexprint (nfoldconstant
, blocksize
);
1878 _shishi_binprint (nfoldconstant
, blocksize
);
1881 memcpy (plaintext
, nfoldconstant
, blocksize
);
1886 res
= shishi_encrypt (handle
, key
, 0, plaintext
, blocksize
,
1887 &cipher
, &cipherlen
);
1888 if (res
!= SHISHI_OK
)
1890 if (cipherlen
!= blocksize
)
1891 return SHISHI_CRYPTO_ERROR
;
1892 memcpy (derivedrandom
+ totlen
, cipher
, cipherlen
);
1893 memcpy (plaintext
, cipher
, cipherlen
);
1895 totlen
+= cipherlen
;
1897 while (totlen
< derivedrandomlen
);
1899 if (VERBOSECRYPTO (handle
))
1901 printf ("\t ;; derived random (length %d):\n", derivedrandomlen
);
1902 _shishi_hexprint (derivedrandom
, derivedrandomlen
);
1903 _shishi_binprint (derivedrandom
, derivedrandomlen
);
1911 * @handle: shishi handle as allocated by shishi_init().
1912 * @key: input cryptographic key to use.
1913 * @constant: input array with the constant string.
1914 * @constantlen: size of input array with the constant string.
1915 * @derivedkey: pointer to derived key (allocated by caller).
1917 * Derive a key from a key and a constant thusly:
1918 * DK(KEY, CONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, CONSTANT)).
1920 * Return value: Returns %SHISHI_OK iff successful.
1923 shishi_dk (Shishi
* handle
,
1925 const char *constant
, size_t constantlen
, Shishi_key
* derivedkey
)
1927 char random
[MAX_RANDOM_LEN
];
1930 if (VERBOSECRYPTO (handle
))
1932 printf ("dk (%s, key, constant)\n", shishi_key_name (key
));
1933 printf ("\t ;; key (length %d):\n", shishi_key_length (key
));
1934 _shishi_hexprint (shishi_key_value (key
), shishi_key_length (key
));
1935 _shishi_binprint (shishi_key_value (key
), shishi_key_length (key
));
1936 printf ("\t ;; constant:\n");
1937 _shishi_escapeprint (constant
, constantlen
);
1938 _shishi_hexprint (constant
, constantlen
);
1939 _shishi_binprint (constant
, constantlen
);
1942 shishi_key_type_set (derivedkey
, shishi_key_type (key
));
1944 res
= shishi_dr (handle
, key
, constant
, constantlen
, random
,
1945 shishi_key_length (derivedkey
));
1946 if (res
!= SHISHI_OK
)
1949 res
= shishi_random_to_key (handle
, shishi_key_type (derivedkey
),
1950 random
, shishi_key_length (derivedkey
),
1952 if (res
!= SHISHI_OK
)
1959 * shishi_pbkdf2_sha1:
1960 * @handle: shishi handle as allocated by shishi_init().
1961 * @P: input password, an octet string
1962 * @Plen: length of password, an octet string
1963 * @S: input salt, an octet string
1964 * @Slen: length of salt, an octet string
1965 * @c: iteration count, a positive integer
1966 * @dkLen: intended length in octets of the derived key, a positive integer,
1967 * at most (2^32 - 1) * hLen. The DK array must have room for this many
1969 * @DK: output derived key, a dkLen-octet string
1971 * Derive key using the PBKDF2 defined in PKCS5. PBKDF2 applies a
1972 * pseudorandom function to derive keys. The length of the derived key
1973 * is essentially unbounded. (However, the maximum effective search
1974 * space for the derived key may be limited by the structure of the
1975 * underlying pseudorandom function, which is this function is always
1978 * Return value: Returns SHISHI_OK iff successful.
1981 shishi_pbkdf2_sha1 (Shishi
* handle
,
1982 const char *P
, size_t Plen
,
1983 const char *S
, size_t Slen
,
1984 unsigned int c
, unsigned int dkLen
, char *DK
)
1986 unsigned int hLen
= 20;
1998 return SHISHI_PKCS5_INVALID_ITERATION_COUNT
;
2001 return SHISHI_PKCS5_INVALID_DERIVED_KEY_LENGTH
;
2007 * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
2011 if (dkLen
> 4294967295U)
2012 return SHISHI_PKCS5_DERIVED_KEY_TOO_LONG
;
2015 * 2. Let l be the number of hLen-octet blocks in the derived key,
2016 * rounding up, and let r be the number of octets in the last
2019 * l = CEIL (dkLen / hLen) ,
2020 * r = dkLen - (l - 1) * hLen .
2022 * Here, CEIL (x) is the "ceiling" function, i.e. the smallest
2023 * integer greater than, or equal to, x.
2029 r
= dkLen
- (l
- 1) * hLen
;
2032 * 3. For each block of the derived key apply the function F defined
2033 * below to the password P, the salt S, the iteration count c, and
2034 * the block index to compute the block:
2036 * T_1 = F (P, S, c, 1) ,
2037 * T_2 = F (P, S, c, 2) ,
2039 * T_l = F (P, S, c, l) ,
2041 * where the function F is defined as the exclusive-or sum of the
2042 * first c iterates of the underlying pseudorandom function PRF
2043 * applied to the password P and the concatenation of the salt S
2044 * and the block index i:
2046 * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
2050 * U_1 = PRF (P, S || INT (i)) ,
2051 * U_2 = PRF (P, U_1) ,
2053 * U_c = PRF (P, U_{c-1}) .
2055 * Here, INT (i) is a four-octet encoding of the integer i, most
2056 * significant octet first.
2058 * 4. Concatenate the blocks and extract the first dkLen octets to
2059 * produce a derived key DK:
2061 * DK = T_1 || T_2 || ... || T_l<0..r-1>
2063 * 5. Output the derived key DK.
2065 * Note. The construction of the function F follows a "belt-and-
2066 * suspenders" approach. The iterates U_i are computed recursively to
2067 * remove a degree of parallelism from an opponent; they are exclusive-
2068 * ored together to reduce concerns about the recursion degenerating
2069 * into a small set of values.
2073 for (i
= 1; i
<= l
; i
++)
2075 memset (T
, 0, hLen
);
2077 for (u
= 1; u
<= c
; u
++)
2082 size_t tmplen
= Slen
+ 4;
2084 tmp
= xmalloc (tmplen
);
2086 memcpy (tmp
, S
, Slen
);
2087 tmp
[Slen
+ 0] = (i
& 0xff000000) >> 24;
2088 tmp
[Slen
+ 1] = (i
& 0x00ff0000) >> 16;
2089 tmp
[Slen
+ 2] = (i
& 0x0000ff00) >> 8;
2090 tmp
[Slen
+ 3] = (i
& 0x000000ff) >> 0;
2092 rc
= shishi_hmac_sha1 (handle
, P
, Plen
, tmp
, tmplen
, &p
);
2098 rc
= shishi_hmac_sha1 (handle
, P
, Plen
, U
, hLen
, &p
);
2101 if (rc
!= SHISHI_OK
)
2104 memcpy (U
, p
, hLen
);
2108 for (k
= 0; k
< hLen
; k
++)
2112 memcpy (DK
+ (i
- 1) * hLen
, T
, i
== l
? r
: hLen
);