search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update gnulib files.
[shishi.git] / lib / crypto.c
blob0f7ea7ca2eeec3fed079d63a5e62e30254e2614a
1 /* crypto.c --- Crypto functions.
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, see http://www.gnu.org/licenses or write
18 * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 * Floor, Boston, MA 02110-1301, USA
20 *
21 */
22
23 #include "internal.h"
24
25 /* Get prototypes. */
26 #include "crypto.h"
27
28 /* Get _shishi_escapeprint, etc. */
29 #include "utils.h"
30
31 static int
32 gcd (int a, int b)
33 {
34 if (b == 0)
35 return a;
36 else
37 return gcd (b, a % b);
38 }
39
40 static int
41 lcm (int a, int b)
42 {
43 return a * b / gcd (a, b);
44 }
45
46 static void
47 rot13 (Shishi * handle, char *in, char *out, int len)
48 {
49 if (VERBOSECRYPTONOISE (handle))
50 {
51 printf ("\t ;; rot 13 in:\n");
52 _shishi_escapeprint (in, len);
53 _shishi_hexprint (in, len);
54 _shishi_binprint (in, len);
55 }
56
57 if (len == 1)
58 {
59 out[0] =
60 ((in[0] >> 5) & 0x01) |
61 ((in[0] >> 5) & 0x02) |
62 ((in[0] >> 5) & 0x04) |
63 ((in[0] << 3) & 0x08) |
64 ((in[0] << 3) & 0x10) |
65 ((in[0] << 3) & 0x20) | ((in[0] << 3) & 0x40) | ((in[0] << 3) & 0x80);
66 }
67 else if (len > 1)
68 {
69 char nexttolast, last;
70 int i;
71
72 nexttolast = in[len - 2];
73 last = in[len - 1];
74
75 for (i = len * 8 - 1; i >= 13; i--)
76 {
77 int pos = i / 8;
78 char mask = ~(1 << (7 - i % 8));
79 int pos2 = (i - 13) / 8;
80 char mask2 = (1 << (7 - (i - 13) % 8));
81
82 out[pos] = (out[pos] & mask) |
83 (((in[pos2] & mask2) ? 0xFF : 0x00) & ~mask);
84 }
85 out[0] = ((nexttolast & 0xFF) << 3) | ((last & 0xFF) >> 5);
86 out[1] = (in[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last << 3));
87 }
88
89 if (VERBOSECRYPTONOISE (handle))
90 {
91 printf ("\t ;; rot13 out:\n");
92 _shishi_escapeprint (out, len);
93 _shishi_hexprint (out, len);
94 _shishi_binprint (out, len);
95 }
96 }
97
98 static void
99 ocadd (char *add1, char *add2, char *sum, int len)
100 {
101 int i;
102 int carry = 0;
103
104 for (i = len - 1; i >= 0; i--)
105 {
106 int tmpsum = (unsigned char) add1[i] + (unsigned char) add2[i];
107
108 sum[i] = (tmpsum + carry) & 0xFF;
109 if (tmpsum + carry > 0xFF)
110 carry = 1;
111 else
112 carry = 0;
113 }
114
115 if (carry)
116 {
117 int done = 0;
118
119 for (i = len - 1; i >= 0; i--)
120 if ((unsigned char) sum[i] != 0xFF)
121 {
122 sum[i]++;
123 done = 1;
124 break;
125 }
126
127 if (!done)
128 memset (sum, 0, len);
129 }
130 }
131
132 static int
133 simplified_hmac (Shishi * handle,
134 Shishi_key * key,
135 const char *in, size_t inlen,
136 char **outhash, size_t * outhashlen)
137 {
138 *outhashlen = shishi_checksum_cksumlen
139 (shishi_cipher_defaultcksumtype (shishi_key_type (key)));
140 return shishi_hmac_sha1 (handle, shishi_key_value (key),
141 shishi_key_length (key), in, inlen, outhash);
142 }
143
144 static int
145 simplified_hmac_verify (Shishi * handle, Shishi_key * key,
146 const char *in, size_t inlen,
147 const char *hmac, size_t hmaclen)
148 {
149 char *hash;
150 size_t hlen;
151 int same;
152 int res;
153
154 res = simplified_hmac (handle, key, in, inlen, &hash, &hlen);
155 if (res != SHISHI_OK || hash == NULL)
156 return res;
157
158 if (VERBOSECRYPTO (handle))
159 {
160 printf ("\t ;; HMAC verify:\n");
161 _shishi_escapeprint (hash, hlen);
162 _shishi_hexprint (hash, hlen);
163 _shishi_binprint (hash, hlen);
164 _shishi_escapeprint (hmac, hmaclen);
165 _shishi_hexprint (hmac, hmaclen);
166 _shishi_binprint (hmac, hmaclen);
167 }
168
169 same = (hlen == hmaclen) && memcmp (hash, hmac, hmaclen) == 0;
170
171 free (hash);
172
173 if (!same)
174 {
175 shishi_error_printf (handle, "HMAC verify failed");
176 return SHISHI_CRYPTO_ERROR;
177 }
178
179 return SHISHI_OK;
180 }
181
182 int
183 _shishi_simplified_derivekey (Shishi * handle,
184 Shishi_key * key,
185 int keyusage,
186 int derivekeymode, Shishi_key ** outkey)
187 {
188 char prfconstant[5];
189 int res = SHISHI_OK;
190 Shishi_key *derivedkey;
191
192 if (VERBOSECRYPTO (handle))
193 {
194 printf ("simplified_derivekey\n");
195 printf ("\t ;; mode %d (%s)\n", derivekeymode,
196 derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM ? "checksum" :
197 derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY ? "integrity" :
198 derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY ? "privacy" :
199 "base-key");
200 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
201 }
202
203
204 res = shishi_key_from_value (handle, shishi_key_type (key),
205 NULL, &derivedkey);
206 if (res != SHISHI_OK)
207 return res;
208
209 *outkey = derivedkey;
210
211 if (keyusage)
212 {
213 uint32_t tmp = htonl (keyusage);
214 memcpy (prfconstant, &tmp, 4);
215 if (derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM)
216 prfconstant[4] = '\x99';
217 else if (derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY)
218 prfconstant[4] = '\x55';
219 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
220 prfconstant[4] = '\xAA';
221
222 res = shishi_dk (handle, key, prfconstant, 5, derivedkey);
223 }
224 else
225 {
226 shishi_key_copy (derivedkey, key);
227 }
228
229 if (VERBOSECRYPTO (handle))
230 {
231 printf ("\t ;; simplified_derivekey out (%d):\n",
232 shishi_key_length (derivedkey));
233 _shishi_hexprint (shishi_key_value (derivedkey),
234 shishi_key_length (derivedkey));
235 }
236
237 return res;
238 }
239
240 int
241 _shishi_simplified_dencrypt (Shishi * handle,
242 Shishi_key * key,
243 const char *iv, size_t ivlen,
244 char **ivout, size_t * ivoutlen,
245 const char *in, size_t inlen,
246 char **out, size_t * outlen, int decryptp)
247 {
248 int rc;
249 char *pt;
250 size_t ptlen;
251 size_t padzerolen = 0;
252
253 if ((inlen % 8) != 0)
254 while (((inlen + padzerolen) % 8) != 0)
255 padzerolen++;
256
257 ptlen = inlen + padzerolen;
258
259 if (padzerolen)
260 {
261 pt = xmalloc (ptlen);
262 memcpy (pt, in, inlen);
263 memset (pt + inlen, 0, padzerolen);
264 }
265 else
266 pt = (char *) in;
267
268 switch (shishi_key_type (key))
269 {
270 case SHISHI_DES_CBC_CRC:
271 case SHISHI_DES_CBC_MD4:
272 case SHISHI_DES_CBC_MD5:
273 case SHISHI_DES_CBC_NONE:
274 rc = shishi_des (handle, decryptp, shishi_key_value (key),
275 iv, ivout, pt, ptlen, out);
276 if (ivoutlen)
277 *ivoutlen = 8;
278 if (outlen)
279 *outlen = ptlen;
280 break;
281
282 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
283 case SHISHI_DES3_CBC_NONE:
284 rc = shishi_3des (handle, decryptp, shishi_key_value (key),
285 iv, ivout, pt, inlen + padzerolen, out);
286 if (ivoutlen)
287 *ivoutlen = 8;
288 if (outlen)
289 *outlen = ptlen;
290 break;
291
292 case SHISHI_AES128_CTS_HMAC_SHA1_96:
293 case SHISHI_AES256_CTS_HMAC_SHA1_96:
294 rc = shishi_aes_cts (handle, decryptp,
295 shishi_key_value (key), shishi_key_length (key),
296 iv, ivout, in, inlen, out);
297 if (ivoutlen)
298 *ivoutlen = 16;
299 if (outlen)
300 *outlen = inlen;
301 break;
302
303 default:
304 rc = SHISHI_CRYPTO_ERROR;
305 }
306
307 if (padzerolen)
308 free (pt);
309
310 return rc;
311 }
312
313 int
314 _shishi_simplified_encrypt (Shishi * handle,
315 Shishi_key * key,
316 int keyusage,
317 const char *iv, size_t ivlen,
318 char **ivout, size_t * ivoutlen,
319 const char *in, size_t inlen,
320 char **out, size_t * outlen)
321 {
322 int res;
323 int padzerolen = 0;
324
325 if ((shishi_key_type (key) == SHISHI_DES3_CBC_HMAC_SHA1_KD ||
326 shishi_key_type (key) == SHISHI_DES_CBC_CRC ||
327 shishi_key_type (key) == SHISHI_DES_CBC_MD4 ||
328 shishi_key_type (key) == SHISHI_DES_CBC_MD5) && (inlen % 8) != 0)
329 while (((inlen + padzerolen) % 8) != 0)
330 padzerolen++;
331
332 if (keyusage != 0)
333 {
334 char *pt = NULL, *ct = NULL, *hmac = NULL;
335 int blen = shishi_cipher_blocksize (shishi_key_type (key));
336 size_t ctlen, ptlen, hmaclen;
337 Shishi_key *privacykey = NULL, *integritykey = NULL;
338
339 ptlen = inlen + blen + padzerolen;
340 pt = xmalloc (ptlen);
341
342 res = shishi_randomize (handle, 0, pt, blen);
343 if (res != SHISHI_OK)
344 goto done;
345
346 memcpy (pt + blen, in, inlen);
347 memset (pt + blen + inlen, 0, padzerolen);
348
349 res = _shishi_simplified_derivekey (handle, key, keyusage,
350 SHISHI_DERIVEKEYMODE_PRIVACY,
351 &privacykey);
352 if (res != SHISHI_OK)
353 goto done;
354
355 res = _shishi_simplified_dencrypt (handle, privacykey,
356 iv, ivlen, ivout,
357 ivoutlen, pt, ptlen, &ct, &ctlen, 0);
358 if (res != SHISHI_OK)
359 goto done;
360
361
362 res = _shishi_simplified_derivekey (handle, key, keyusage,
363 SHISHI_DERIVEKEYMODE_INTEGRITY,
364 &integritykey);
365 if (res != SHISHI_OK)
366 goto done;
367
368 res = simplified_hmac (handle, integritykey, pt, ptlen,
369 &hmac, &hmaclen);
370 if (res != SHISHI_OK)
371 goto done;
372
373 *outlen = ctlen + hmaclen;
374 *out = xmalloc (*outlen);
375 memcpy (*out, ct, ctlen);
376 memcpy (*out + ctlen, hmac, hmaclen);
377
378 done:
379 if (&privacykey)
380 shishi_key_done (privacykey);
381 if (&integritykey)
382 shishi_key_done (integritykey);
383 if (hmac)
384 free (hmac);
385 if (ct)
386 free (ct);
387 if (pt)
388 free (pt);
389 }
390 else
391 {
392 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
393 ivout, ivoutlen,
394 in, inlen, out, outlen, 0);
395 }
396
397 return res;
398 }
399
400 int
401 _shishi_simplified_decrypt (Shishi * handle,
402 Shishi_key * key,
403 int keyusage,
404 const char *iv, size_t ivlen,
405 char **ivout, size_t * ivoutlen,
406 const char *in, size_t inlen,
407 char **out, size_t * outlen)
408 {
409 int res;
410
411 if (keyusage)
412 {
413 Shishi_key *privacykey = NULL, *integritykey = NULL;
414 int blen = shishi_cipher_blocksize (shishi_key_type (key));
415 size_t hlen = shishi_checksum_cksumlen
416 (shishi_cipher_defaultcksumtype (shishi_key_type (key)));
417
418 res = _shishi_simplified_derivekey (handle, key, keyusage,
419 SHISHI_DERIVEKEYMODE_PRIVACY,
420 &privacykey);
421 if (res != SHISHI_OK)
422 goto done;
423
424 res = _shishi_simplified_dencrypt (handle, privacykey,
425 iv, ivlen, ivout, ivoutlen,
426 in, inlen - hlen, out, outlen, 1);
427 if (res != SHISHI_OK)
428 goto done;
429
430 res = _shishi_simplified_derivekey (handle, key, keyusage,
431 SHISHI_DERIVEKEYMODE_INTEGRITY,
432 &integritykey);
433 if (res != SHISHI_OK)
434 goto done;
435
436 res = simplified_hmac_verify (handle, integritykey, *out, *outlen,
437 in + inlen - hlen, hlen);
438
439 if (res != SHISHI_OK)
440 goto done;
441
442 memmove (*out, *out + blen, *outlen - blen);
443 *outlen = *outlen - blen;
444 *out = xrealloc (*out, *outlen);
445
446 done:
447 if (privacykey)
448 shishi_key_done (privacykey);
449 if (integritykey)
450 shishi_key_done (integritykey);
451 }
452 else
453 {
454 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
455 ivout, ivoutlen,
456 in, inlen, out, outlen, 1);
457 }
458
459 return res;
460 }
461
462 int
463 _shishi_simplified_checksum (Shishi * handle,
464 Shishi_key * key,
465 int keyusage,
466 int cksumtype,
467 const char *in, size_t inlen,
468 char **out, size_t * outlen)
469 {
470 Shishi_key *checksumkey;
471 int cksumlen = shishi_checksum_cksumlen (cksumtype);
472 int res;
473
474 res = _shishi_simplified_derivekey (handle, key, keyusage,
475 SHISHI_DERIVEKEYMODE_CHECKSUM,
476 &checksumkey);
477 if (res != SHISHI_OK)
478 return res;
479
480 res = simplified_hmac (handle, checksumkey, in, inlen, out, outlen);
481
482 shishi_key_done (checksumkey);
483
484 if (res != SHISHI_OK)
485 return res;
486
487 *outlen = cksumlen;
488
489 return SHISHI_OK;
490 }
491
492 static cipherinfo *ciphers[] = {
493 #if WITH_NULL
494 &null_info,
495 #endif
496 #if WITH_DES
497 &des_cbc_crc_info,
498 &des_cbc_md4_info,
499 &des_cbc_md5_info,
500 &des_cbc_none_info,
501 #endif
502 #if WITH_3DES
503 &des3_cbc_none_info,
504 &des3_cbc_sha1_kd_info,
505 #endif
506 #if WITH_AES
507 &aes128_cts_hmac_sha1_96_info,
508 &aes256_cts_hmac_sha1_96_info,
509 #endif
510 #if WITH_ARCFOUR
511 &arcfour_hmac_info,
512 &arcfour_hmac_exp_info
513 #endif
514 };
515
516 /**
517 * shishi_cipher_supported_p:
518 * @type: encryption type, see Shishi_etype.
519 *
520 * Find out if cipher is supported.
521 *
522 * Return value: Return 0 iff cipher is unsupported.
523 **/
524 int
525 shishi_cipher_supported_p (int32_t type)
526 {
527 size_t i;
528
529 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
530 if (type == ciphers[i]->type)
531 return 1;
532
533 return 0;
534 }
535
536 /**
537 * shishi_cipher_name:
538 * @type: encryption type, see Shishi_etype.
539 *
540 * Read humanly readable string for cipher.
541 *
542 * Return value: Return name of encryption type,
543 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
544 **/
545 const char *
546 shishi_cipher_name (int32_t type)
547 {
548 size_t i;
549 char *p;
550
551 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
552 {
553 if (type == ciphers[i]->type)
554 return ciphers[i]->name;
555 }
556
557 asprintf (&p, "unknown cipher %d", type);
558 return p;
559 }
560
561 /**
562 * shishi_cipher_blocksize:
563 * @type: encryption type, see Shishi_etype.
564 *
565 * Get block size for cipher.
566 *
567 * Return value: Return block size for encryption type, as defined in
568 * the standards.
569 **/
570 int
571 shishi_cipher_blocksize (int32_t type)
572 {
573 size_t i;
574
575 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
576 if (type == ciphers[i]->type)
577 return ciphers[i]->blocksize;
578
579 return -1;
580 }
581
582 /**
583 * shishi_cipher_confoundersize:
584 * @type: encryption type, see Shishi_etype.
585 *
586 * Get length of confounder for cipher.
587 *
588 * Return value: Returns the size of the confounder (random data) for
589 * encryption type, as defined in the standards.
590 **/
591 int
592 shishi_cipher_confoundersize (int32_t type)
593 {
594 size_t i;
595
596 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
597 if (type == ciphers[i]->type)
598 return ciphers[i]->confoundersize;
599
600 return -1;
601 }
602
603 /**
604 * shishi_cipher_keylen:
605 * @type: encryption type, see Shishi_etype.
606 *
607 * Get key length for cipher.
608 *
609 * Return value: Return length of key used for the encryption type, as
610 * defined in the standards.
611 **/
612 size_t
613 shishi_cipher_keylen (int32_t type)
614 {
615 size_t i;
616
617 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
618 if (type == ciphers[i]->type)
619 return ciphers[i]->keylen;
620
621 return -1;
622 }
623
624 /**
625 * shishi_cipher_randomlen:
626 * @type: encryption type, see Shishi_etype.
627 *
628 * Get length of random data for cipher.
629 *
630 * Return value: Return length of random used for the encryption type,
631 * as defined in the standards.
632 **/
633 size_t
634 shishi_cipher_randomlen (int32_t type)
635 {
636 size_t i;
637
638 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
639 if (type == ciphers[i]->type)
640 return ciphers[i]->randomlen;
641
642 return -1;
643 }
644
645 /**
646 * shishi_cipher_defaultcksumtype:
647 * @type: encryption type, see Shishi_etype.
648 *
649 * Get the default checksum associated with cipher.
650 *
651 * Return value: Return associated checksum mechanism for the
652 * encryption type, as defined in the standards.
653 **/
654 int
655 shishi_cipher_defaultcksumtype (int32_t type)
656 {
657 size_t i;
658
659 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
660 if (type == ciphers[i]->type)
661 return ciphers[i]->defaultcksumtype;
662
663 return -1;
664 }
665
666 struct Cipher_aliases
667 {
668 const char *name;
669 int type;
670 };
671
672 static struct Cipher_aliases cipher_aliases[] = {
673 {"des-crc", SHISHI_DES_CBC_CRC},
674 {"des-md4", SHISHI_DES_CBC_MD4},
675 {"des-md5", SHISHI_DES_CBC_MD5},
676 {"des", SHISHI_DES_CBC_MD5},
677 {"des3", SHISHI_DES3_CBC_HMAC_SHA1_KD},
678 {"3des", SHISHI_DES3_CBC_HMAC_SHA1_KD},
679 {"aes128", SHISHI_AES128_CTS_HMAC_SHA1_96},
680 {"aes256", SHISHI_AES256_CTS_HMAC_SHA1_96},
681 {"aes", SHISHI_AES256_CTS_HMAC_SHA1_96},
682 {"arcfour", SHISHI_ARCFOUR_HMAC}
683 };
684
685 /**
686 * shishi_cipher_parse:
687 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
688 *
689 * Get cipher number by parsing string.
690 *
691 * Return value: Return encryption type corresponding to a string.
692 **/
693 int
694 shishi_cipher_parse (const char *cipher)
695 {
696 size_t i;
697 char *endptr;
698
699 i = strtol (cipher, &endptr, 0);
700
701 if (endptr != cipher)
702 return i;
703
704 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
705 if (strcasecmp (cipher, ciphers[i]->name) == 0)
706 return ciphers[i]->type;
707
708 for (i = 0; i < sizeof (cipher_aliases) / sizeof (cipher_aliases[0]); i++)
709 if (strcasecmp (cipher, cipher_aliases[i].name) == 0)
710 return cipher_aliases[i].type;
711
712 return -1;
713 }
714
715 static Shishi_random_to_key_function
716 _shishi_cipher_random_to_key (int32_t type)
717 {
718 size_t i;
719
720 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
721 if (type == ciphers[i]->type)
722 return ciphers[i]->random2key;
723
724 return NULL;
725 }
726
727 static Shishi_string_to_key_function
728 _shishi_cipher_string_to_key (int32_t type)
729 {
730 size_t i;
731
732 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
733 if (type == ciphers[i]->type)
734 return ciphers[i]->string2key;
735
736 return NULL;
737 }
738
739 static Shishi_encrypt_function
740 _shishi_cipher_encrypt (int32_t type)
741 {
742 size_t i;
743
744 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
745 if (type == ciphers[i]->type)
746 return ciphers[i]->encrypt;
747
748 return NULL;
749 }
750
751 static Shishi_decrypt_function
752 _shishi_cipher_decrypt (int32_t type)
753 {
754 size_t i;
755
756 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
757 if (type == ciphers[i]->type)
758 return ciphers[i]->decrypt;
759
760 return NULL;
761 }
762
763 static checksuminfo *checksums[] = {
764 #if WITH_DES
765 &crc32_info,
766 #endif
767 #if WITH_MD
768 &md4_info,
769 #endif
770 #if WITH_DES
771 &md4_des_info,
772 #endif
773 #if WITH_MD
774 &md5_info,
775 #endif
776 #if WITH_DES
777 &md5_des_info,
778 &md5_gss_info,
779 #endif
780 #if WITH_3DES
781 &hmac_sha1_des3_kd_info,
782 #endif
783 #if WITH_AES
784 &hmac_sha1_96_aes128_info,
785 &hmac_sha1_96_aes256_info,
786 #endif
787 #if WITH_ARCFOUR
788 &arcfour_hmac_md5_info
789 #endif
790 };
791
792 /**
793 * shishi_checksum_supported_p:
794 * @type: checksum type, see Shishi_cksumtype.
795 *
796 * Find out whether checksum is supported.
797 *
798 * Return value: Return 0 iff checksum is unsupported.
799 **/
800 int
801 shishi_checksum_supported_p (int32_t type)
802 {
803 size_t i;
804
805 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
806 if (type == checksums[i]->type)
807 return 1;
808
809 return 0;
810 }
811
812 /**
813 * shishi_checksum_name:
814 * @type: checksum type, see Shishi_cksumtype.
815 *
816 * Get name of checksum.
817 *
818 * Return value: Return name of checksum type,
819 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
820 **/
821 const char *
822 shishi_checksum_name (int32_t type)
823 {
824 size_t i;
825 char *p;
826
827 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
828 {
829 if (type == checksums[i]->type)
830 return checksums[i]->name;
831 }
832
833 asprintf (&p, "unknown checksum %d", type);
834 return p;
835 }
836
837 /**
838 * shishi_checksum_cksumlen:
839 * @type: checksum type, see Shishi_cksumtype.
840 *
841 * Get length of checksum output.
842 *
843 * Return value: Return length of checksum used for the checksum type,
844 * as defined in the standards.
845 **/
846 size_t
847 shishi_checksum_cksumlen (int32_t type)
848 {
849 size_t i;
850
851 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
852 if (type == checksums[i]->type)
853 return checksums[i]->cksumlen;
854
855 return -1;
856 }
857
858 /**
859 * shishi_checksum_parse:
860 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
861 *
862 * Get checksum number by parsing a string.
863 *
864 * Return value: Return checksum type, see Shishi_cksumtype,
865 * corresponding to a string.
866 **/
867 int
868 shishi_checksum_parse (const char *checksum)
869 {
870 size_t i;
871 char *endptr;
872
873 i = strtol (checksum, &endptr, 0);
874
875 if (endptr != checksum)
876 return i;
877
878 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
879 if (strcasecmp (checksum, checksums[i]->name) == 0)
880 return checksums[i]->type;
881
882 return -1;
883 }
884
885 static Shishi_checksum_function
886 _shishi_checksum (int32_t type)
887 {
888 size_t i;
889
890 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
891 if (type == checksums[i]->type)
892 return checksums[i]->checksum;
893
894 return NULL;
895 }
896
897 static Shishi_verify_function
898 _shishi_verify (int32_t type)
899 {
900 size_t i;
901
902 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
903 if (type == checksums[i]->type)
904 return checksums[i]->verify;
905
906 return NULL;
907 }
908
909 /**
910 * shishi_string_to_key:
911 * @handle: shishi handle as allocated by shishi_init().
912 * @keytype: cryptographic encryption type, see Shishi_etype.
913 * @password: input array with password.
914 * @passwordlen: length of input array with password.
915 * @salt: input array with salt.
916 * @saltlen: length of input array with salt.
917 * @parameter: input array with opaque encryption type specific information.
918 * @outkey: allocated key handle that will contain new key.
919 *
920 * Derive key from a string (password) and salt (commonly
921 * concatenation of realm and principal) for specified key type, and
922 * set the type and value in the given key to the computed values.
923 * The parameter value is specific for each keytype, and can be set if
924 * the parameter information is not available.
925 *
926 * Return value: Returns %SHISHI_OK iff successful.
927 **/
928 int
929 shishi_string_to_key (Shishi * handle,
930 int32_t keytype,
931 const char *password, size_t passwordlen,
932 const char *salt, size_t saltlen,
933 const char *parameter, Shishi_key * outkey)
934 {
935 Shishi_string_to_key_function string2key;
936 int res;
937
938 shishi_key_type_set (outkey, keytype);
939
940 if (VERBOSECRYPTO (handle))
941 {
942 printf ("string_to_key (%s, password, salt)\n",
943 shishi_key_name (outkey));
944 printf ("\t ;; password:\n");
945 _shishi_escapeprint (password, passwordlen);
946 _shishi_hexprint (password, passwordlen);
947 printf ("\t ;; salt:\n");
948 _shishi_escapeprint (salt, saltlen);
949 _shishi_hexprint (salt, saltlen);
950 }
951
952 string2key = _shishi_cipher_string_to_key (shishi_key_type (outkey));
953 if (string2key == NULL)
954 {
955 shishi_error_printf (handle, "Unsupported keytype %d",
956 shishi_key_type (outkey));
957 return SHISHI_CRYPTO_ERROR;
958 }
959
960 res = (*string2key) (handle, password, passwordlen,
961 salt, saltlen, parameter, outkey);
962
963 if (VERBOSECRYPTO (handle))
964 {
965 printf ("\t ;; string_to_key key:\n");
966 _shishi_hexprint (shishi_key_value (outkey),
967 shishi_key_length (outkey));
968 _shishi_binprint (shishi_key_value (outkey),
969 shishi_key_length (outkey));
970 }
971
972 return res;
973 }
974
975 /**
976 * shishi_random_to_key:
977 * @handle: shishi handle as allocated by shishi_init().
978 * @keytype: cryptographic encryption type, see Shishi_etype.
979 * @rnd: input array with random data.
980 * @rndlen: length of input array with random data.
981 * @outkey: allocated key handle that will contain new key.
982 *
983 * Derive key from random data for specified key type, and set the
984 * type and value in the given key to the computed values.
985 *
986 * Return value: Returns %SHISHI_OK iff successful.
987 **/
988 int
989 shishi_random_to_key (Shishi * handle,
990 int32_t keytype,
991 const char *rnd, size_t rndlen, Shishi_key * outkey)
992 {
993 Shishi_random_to_key_function random2key;
994 int res;
995
996 shishi_key_type_set (outkey, keytype);
997
998 if (VERBOSECRYPTO (handle))
999 {
1000 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey));
1001 printf ("\t ;; random:\n");
1002 _shishi_hexprint (rnd, rndlen);
1003 _shishi_binprint (rnd, rndlen);
1004 }
1005
1006 random2key = _shishi_cipher_random_to_key (keytype);
1007 if (random2key == NULL)
1008 {
1009 shishi_error_printf (handle, "Unsupported random_to_key() ekeytype %d",
1010 keytype);
1011 return SHISHI_CRYPTO_ERROR;
1012 }
1013
1014 res = (*random2key) (handle, rnd, rndlen, outkey);
1015
1016 if (VERBOSECRYPTO (handle))
1017 {
1018 printf ("\t ;; random_to_key key:\n");
1019 _shishi_hexprint (shishi_key_value (outkey),
1020 shishi_key_length (outkey));
1021 _shishi_binprint (shishi_key_value (outkey),
1022 shishi_key_length (outkey));
1023 }
1024
1025 return res;
1026 }
1027
1028 /**
1029 * shishi_checksum:
1030 * @handle: shishi handle as allocated by shishi_init().
1031 * @key: key to compute checksum with.
1032 * @keyusage: integer specifying what this key is used for.
1033 * @cksumtype: the checksum algorithm to use.
1034 * @in: input array with data to integrity protect.
1035 * @inlen: size of input array with data to integrity protect.
1036 * @out: output array with newly allocated integrity protected data.
1037 * @outlen: output variable with length of output array with checksum.
1038 *
1039 * Integrity protect data using key, possibly altered by supplied key
1040 * usage. If key usage is 0, no key derivation is used. The OUT
1041 * buffer must be deallocated by the caller.
1042 *
1043 * Return value: Returns %SHISHI_OK iff successful.
1044 **/
1045 int
1046 shishi_checksum (Shishi * handle,
1047 Shishi_key * key,
1048 int keyusage,
1049 int cksumtype,
1050 const char *in, size_t inlen, char **out, size_t * outlen)
1051 {
1052 Shishi_checksum_function checksum;
1053 int res;
1054
1055 if (VERBOSECRYPTO (handle))
1056 {
1057 printf ("checksum (%s, %d, in, out)\n",
1058 shishi_key_name (key), cksumtype);
1059 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1060 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1061 printf ("\t ;; in:\n");
1062 _shishi_escapeprint (in, inlen);
1063 _shishi_hexprint (in, inlen);
1064 }
1065
1066 if (cksumtype == 0)
1067 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1068
1069 checksum = _shishi_checksum (cksumtype);
1070 if (checksum == NULL)
1071 {
1072 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1073 return SHISHI_CRYPTO_ERROR;
1074 }
1075
1076 /* XXX? check if etype and cksumtype are compatible? */
1077
1078 res = (*checksum) (handle, key, keyusage, cksumtype,
1079 in, inlen, out, outlen);
1080
1081 if (VERBOSECRYPTO (handle))
1082 {
1083 printf ("\t ;; checksum out:\n");
1084 _shishi_escapeprint (*out, *outlen);
1085 _shishi_hexprint (*out, *outlen);
1086 }
1087
1088 return res;
1089 }
1090
1091 /**
1092 * shishi_verify:
1093 * @handle: shishi handle as allocated by shishi_init().
1094 * @key: key to verify checksum with.
1095 * @keyusage: integer specifying what this key is used for.
1096 * @cksumtype: the checksum algorithm to use.
1097 * @in: input array with data that was integrity protected.
1098 * @inlen: size of input array with data that was integrity protected.
1099 * @cksum: input array with alleged checksum of data.
1100 * @cksumlen: size of input array with alleged checksum of data.
1101 *
1102 * Verify checksum of data using key, possibly altered by supplied key
1103 * usage. If key usage is 0, no key derivation is used.
1104 *
1105 * Return value: Returns %SHISHI_OK iff successful.
1106 **/
1107 int
1108 shishi_verify (Shishi * handle,
1109 Shishi_key * key,
1110 int keyusage,
1111 int cksumtype,
1112 const char *in, size_t inlen,
1113 const char *cksum, size_t cksumlen)
1114 {
1115 Shishi_verify_function verify;
1116 int res;
1117
1118 if (VERBOSECRYPTO (handle))
1119 {
1120 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key), cksumtype);
1121 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1122 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1123 printf ("\t ;; data:\n");
1124 _shishi_escapeprint (in, inlen);
1125 _shishi_hexprint (in, inlen);
1126 printf ("\t ;; mic:\n");
1127 _shishi_escapeprint (cksum, cksumlen);
1128 _shishi_hexprint (cksum, cksumlen);
1129 }
1130
1131 if (cksumtype == 0)
1132 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1133
1134 verify = _shishi_verify (cksumtype);
1135 if (verify == NULL)
1136 {
1137 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1138 return SHISHI_CRYPTO_ERROR;
1139 }
1140
1141 /* XXX? check if etype and cksumtype are compatible? */
1142
1143 res = (*verify) (handle, key, keyusage, cksumtype,
1144 in, inlen, cksum, cksumlen);
1145
1146 if (VERBOSECRYPTO (handle))
1147 printf ("\t ;; verify return: %d\n", res);
1148
1149 return res;
1150 }
1151
1152 /**
1153 * shishi_encrypt_ivupdate_etype:
1154 * @handle: shishi handle as allocated by shishi_init().
1155 * @key: key to encrypt with.
1156 * @keyusage: integer specifying what this key is encrypting.
1157 * @etype: integer specifying what cipher to use.
1158 * @iv: input array with initialization vector
1159 * @ivlen: size of input array with initialization vector.
1160 * @ivout: output array with newly allocated updated initialization vector.
1161 * @ivoutlen: size of output array with updated initialization vector.
1162 * @in: input array with data to encrypt.
1163 * @inlen: size of input array with data to encrypt.
1164 * @out: output array with newly allocated encrypted data.
1165 * @outlen: output variable with size of newly allocated output array.
1166 *
1167 * Encrypts data as per encryption method using specified
1168 * initialization vector and key. The key actually used is derived
1169 * using the key usage. If key usage is 0, no key derivation is used.
1170 * The OUT buffer must be deallocated by the caller. If IVOUT or
1171 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1172 *
1173 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1174 * exactly. Some encryption types add pad to make the data fit into
1175 * the block size of the encryption algorithm. Furthermore, the pad
1176 * is not guaranteed to look in any special way, although existing
1177 * implementations often pad with the zero byte. This means that you
1178 * may have to "frame" data, so it is possible to infer the original
1179 * length after decryption. Compare ASN.1 DER which contains such
1180 * information.
1181 *
1182 * Return value: Returns %SHISHI_OK iff successful.
1183 **/
1184 int
1185 shishi_encrypt_ivupdate_etype (Shishi * handle,
1186 Shishi_key * key,
1187 int keyusage,
1188 int32_t etype,
1189 const char *iv, size_t ivlen,
1190 char **ivout, size_t * ivoutlen,
1191 const char *in, size_t inlen,
1192 char **out, size_t * outlen)
1193 {
1194 Shishi_encrypt_function enc;
1195 int res;
1196
1197 if (VERBOSECRYPTO (handle))
1198 {
1199 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1200 shishi_key_name (key), keyusage);
1201 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1202 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1203 printf ("\t ;; in (%d):\n", inlen);
1204 _shishi_escapeprint (in, inlen);
1205 _shishi_hexprint (in, inlen);
1206 if (iv)
1207 {
1208 printf ("\t ;; iv (%d):\n", ivlen);
1209 _shishi_escapeprint (iv, ivlen);
1210 _shishi_hexprint (iv, ivlen);
1211 }
1212 }
1213
1214 enc = _shishi_cipher_encrypt (etype);
1215 if (enc == NULL)
1216 {
1217 shishi_error_printf (handle, "Unsupported keytype %d",
1218 shishi_key_type (key));
1219 return SHISHI_CRYPTO_ERROR;
1220 }
1221
1222 res = (*enc) (handle, key, keyusage, iv, ivlen, ivout, ivoutlen,
1223 in, inlen, out, outlen);
1224
1225 if (VERBOSECRYPTO (handle))
1226 {
1227 if (res == SHISHI_OK)
1228 {
1229 printf ("\t ;; encrypt out:\n");
1230 _shishi_escapeprint (*out, *outlen);
1231 _shishi_hexprint (*out, *outlen);
1232 if (ivout && ivoutlen)
1233 {
1234 printf ("\t ;; iv out:\n");
1235 _shishi_escapeprint (*ivout, *ivoutlen);
1236 _shishi_hexprint (*ivout, *ivoutlen);
1237 }
1238 }
1239 else
1240 {
1241 printf ("\t ;; encrypt out failed %d\n", res);
1242 }
1243 }
1244
1245 return res;
1246 }
1247
1248 /**
1249 * shishi_encrypt_iv_etype:
1250 * @handle: shishi handle as allocated by shishi_init().
1251 * @key: key to encrypt with.
1252 * @keyusage: integer specifying what this key is encrypting.
1253 * @etype: integer specifying what cipher to use.
1254 * @iv: input array with initialization vector
1255 * @ivlen: size of input array with initialization vector.
1256 * @in: input array with data to encrypt.
1257 * @inlen: size of input array with data to encrypt.
1258 * @out: output array with newly allocated encrypted data.
1259 * @outlen: output variable with size of newly allocated output array.
1260 *
1261 * Encrypts data as per encryption method using specified
1262 * initialization vector and key. The key actually used is derived
1263 * using the key usage. If key usage is 0, no key derivation is used.
1264 * The OUT buffer must be deallocated by the caller. The next IV is
1265 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1266 *
1267 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1268 * exactly. Some encryption types add pad to make the data fit into
1269 * the block size of the encryption algorithm. Furthermore, the pad
1270 * is not guaranteed to look in any special way, although existing
1271 * implementations often pad with the zero byte. This means that you
1272 * may have to "frame" data, so it is possible to infer the original
1273 * length after decryption. Compare ASN.1 DER which contains such
1274 * information.
1275 *
1276 * Return value: Returns %SHISHI_OK iff successful.
1277 **/
1278 int
1279 shishi_encrypt_iv_etype (Shishi * handle,
1280 Shishi_key * key,
1281 int keyusage,
1282 int32_t etype,
1283 const char *iv, size_t ivlen,
1284 const char *in, size_t inlen,
1285 char **out, size_t * outlen)
1286 {
1287 return shishi_encrypt_ivupdate_etype (handle, key, keyusage, etype,
1288 iv, ivlen, NULL, NULL,
1289 in, inlen, out, outlen);
1290 }
1291
1292 /**
1293 * shishi_encrypt_etype:
1294 * @handle: shishi handle as allocated by shishi_init().
1295 * @key: key to encrypt with.
1296 * @keyusage: integer specifying what this key is encrypting.
1297 * @etype: integer specifying what cipher to use.
1298 * @in: input array with data to encrypt.
1299 * @inlen: size of input array with data to encrypt.
1300 * @out: output array with newly allocated encrypted data.
1301 * @outlen: output variable with size of newly allocated output array.
1302 *
1303 * Encrypts data as per encryption method using specified
1304 * initialization vector and key. The key actually used is derived
1305 * using the key usage. If key usage is 0, no key derivation is used.
1306 * The OUT buffer must be deallocated by the caller. The default IV
1307 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1308 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1309 *
1310 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1311 * exactly. Some encryption types add pad to make the data fit into
1312 * the block size of the encryption algorithm. Furthermore, the pad
1313 * is not guaranteed to look in any special way, although existing
1314 * implementations often pad with the zero byte. This means that you
1315 * may have to "frame" data, so it is possible to infer the original
1316 * length after decryption. Compare ASN.1 DER which contains such
1317 * information.
1318 *
1319 * Return value: Returns %SHISHI_OK iff successful.
1320 **/
1321 int
1322 shishi_encrypt_etype (Shishi * handle,
1323 Shishi_key * key,
1324 int keyusage,
1325 int32_t etype,
1326 const char *in, size_t inlen,
1327 char **out, size_t * outlen)
1328 {
1329 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1330 shishi_key_type (key),
1331 NULL, 0, NULL, NULL,
1332 in, inlen, out, outlen);
1333 }
1334
1335 /**
1336 * shishi_encrypt_ivupdate:
1337 * @handle: shishi handle as allocated by shishi_init().
1338 * @key: key to encrypt with.
1339 * @keyusage: integer specifying what this key is encrypting.
1340 * @iv: input array with initialization vector
1341 * @ivlen: size of input array with initialization vector.
1342 * @ivout: output array with newly allocated updated initialization vector.
1343 * @ivoutlen: size of output array with updated initialization vector.
1344 * @in: input array with data to encrypt.
1345 * @inlen: size of input array with data to encrypt.
1346 * @out: output array with newly allocated encrypted data.
1347 * @outlen: output variable with size of newly allocated output array.
1348 *
1349 * Encrypts data using specified initialization vector and key. The
1350 * key actually used is derived using the key usage. If key usage is
1351 * 0, no key derivation is used. The OUT buffer must be deallocated
1352 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1353 * saved anywhere.
1354 *
1355 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1356 * exactly. Some encryption types add pad to make the data fit into
1357 * the block size of the encryption algorithm. Furthermore, the pad
1358 * is not guaranteed to look in any special way, although existing
1359 * implementations often pad with the zero byte. This means that you
1360 * may have to "frame" data, so it is possible to infer the original
1361 * length after decryption. Compare ASN.1 DER which contains such
1362 * information.
1363 *
1364 * Return value: Returns %SHISHI_OK iff successful.
1365 **/
1366 int
1367 shishi_encrypt_ivupdate (Shishi * handle,
1368 Shishi_key * key,
1369 int keyusage,
1370 const char *iv, size_t ivlen,
1371 char **ivout, size_t * ivoutlen,
1372 const char *in, size_t inlen,
1373 char **out, size_t * outlen)
1374 {
1375 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1376 shishi_key_type (key),
1377 iv, ivlen, ivout, ivoutlen,
1378 in, inlen, out, outlen);
1379 }
1380
1381 /**
1382 * shishi_encrypt_iv:
1383 * @handle: shishi handle as allocated by shishi_init().
1384 * @key: key to encrypt with.
1385 * @keyusage: integer specifying what this key is encrypting.
1386 * @iv: input array with initialization vector
1387 * @ivlen: size of input array with initialization vector.
1388 * @in: input array with data to encrypt.
1389 * @inlen: size of input array with data to encrypt.
1390 * @out: output array with newly allocated encrypted data.
1391 * @outlen: output variable with size of newly allocated output array.
1392 *
1393 * Encrypts data using specified initialization vector and key. The
1394 * key actually used is derived using the key usage. If key usage is
1395 * 0, no key derivation is used. The OUT buffer must be deallocated
1396 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1397 * you need it.
1398 *
1399 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1400 * exactly. Some encryption types add pad to make the data fit into
1401 * the block size of the encryption algorithm. Furthermore, the pad
1402 * is not guaranteed to look in any special way, although existing
1403 * implementations often pad with the zero byte. This means that you
1404 * may have to "frame" data, so it is possible to infer the original
1405 * length after decryption. Compare ASN.1 DER which contains such
1406 * information.
1407 *
1408 * Return value: Returns %SHISHI_OK iff successful.
1409 **/
1410 int
1411 shishi_encrypt_iv (Shishi * handle,
1412 Shishi_key * key,
1413 int keyusage,
1414 const char *iv, size_t ivlen,
1415 const char *in, size_t inlen, char **out, size_t * outlen)
1416 {
1417 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1418 shishi_key_type (key),
1419 iv, ivlen, NULL, NULL,
1420 in, inlen, out, outlen);
1421 }
1422
1423 /**
1424 * shishi_encrypt:
1425 * @handle: shishi handle as allocated by shishi_init().
1426 * @key: key to encrypt with.
1427 * @keyusage: integer specifying what this key is encrypting.
1428 * @in: input array with data to encrypt.
1429 * @inlen: size of input array with data to encrypt.
1430 * @out: output array with newly allocated encrypted data.
1431 * @outlen: output variable with size of newly allocated output array.
1432 *
1433 * Encrypts data using specified key. The key actually used is
1434 * derived using the key usage. If key usage is 0, no key derivation
1435 * is used. The OUT buffer must be deallocated by the caller. The
1436 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1437 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1438 *
1439 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1440 * exactly. Some encryption types add pad to make the data fit into
1441 * the block size of the encryption algorithm. Furthermore, the pad
1442 * is not guaranteed to look in any special way, although existing
1443 * implementations often pad with the zero byte. This means that you
1444 * may have to "frame" data, so it is possible to infer the original
1445 * length after decryption. Compare ASN.1 DER which contains such
1446 * information.
1447 *
1448 * Return value: Returns %SHISHI_OK iff successful.
1449 **/
1450 int
1451 shishi_encrypt (Shishi * handle,
1452 Shishi_key * key,
1453 int keyusage,
1454 char *in, size_t inlen, char **out, size_t * outlen)
1455 {
1456 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1457 shishi_key_type (key),
1458 NULL, 0, NULL, NULL,
1459 in, inlen, out, outlen);
1460 }
1461
1462 /**
1463 * shishi_decrypt_ivupdate_etype:
1464 * @handle: shishi handle as allocated by shishi_init().
1465 * @key: key to decrypt with.
1466 * @keyusage: integer specifying what this key is decrypting.
1467 * @etype: integer specifying what cipher to use.
1468 * @iv: input array with initialization vector
1469 * @ivlen: size of input array with initialization vector.
1470 * @ivout: output array with newly allocated updated initialization vector.
1471 * @ivoutlen: size of output array with updated initialization vector.
1472 * @in: input array with data to decrypt.
1473 * @inlen: size of input array with data to decrypt.
1474 * @out: output array with newly allocated decrypted data.
1475 * @outlen: output variable with size of newly allocated output array.
1476 *
1477 * Decrypts data as per encryption method using specified
1478 * initialization vector and key. The key actually used is derived
1479 * using the key usage. If key usage is 0, no key derivation is used.
1480 * The OUT buffer must be deallocated by the caller. If IVOUT or
1481 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1482 *
1483 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1484 * exactly. Some encryption types add pad to make the data fit into
1485 * the block size of the encryption algorithm. Furthermore, the pad
1486 * is not guaranteed to look in any special way, although existing
1487 * implementations often pad with the zero byte. This means that you
1488 * may have to "frame" data, so it is possible to infer the original
1489 * length after decryption. Compare ASN.1 DER which contains such
1490 * information.
1491 *
1492 * Return value: Returns %SHISHI_OK iff successful.
1493 **/
1494 int
1495 shishi_decrypt_ivupdate_etype (Shishi * handle,
1496 Shishi_key * key,
1497 int keyusage,
1498 int32_t etype,
1499 const char *iv, size_t ivlen,
1500 char **ivout, size_t * ivoutlen,
1501 const char *in, size_t inlen,
1502 char **out, size_t * outlen)
1503 {
1504 Shishi_decrypt_function decrypt;
1505 int res;
1506
1507 if (VERBOSECRYPTO (handle))
1508 {
1509 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1510 shishi_key_name (key), keyusage);
1511 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1512 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1513 printf ("\t ;; in (%d):\n", inlen);
1514 _shishi_escapeprint (in, inlen);
1515 _shishi_hexprint (in, inlen);
1516 if (iv)
1517 {
1518 printf ("\t ;; iv (%d):\n", ivlen);
1519 _shishi_escapeprint (iv, ivlen);
1520 _shishi_hexprint (iv, ivlen);
1521 }
1522 }
1523
1524 decrypt = _shishi_cipher_decrypt (etype);
1525 if (decrypt == NULL)
1526 {
1527 shishi_error_printf (handle, "Unsupported keytype %d",
1528 shishi_key_type (key));
1529 return SHISHI_CRYPTO_ERROR;
1530 }
1531
1532 res = (*decrypt) (handle, key, keyusage,
1533 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1534
1535 if (VERBOSECRYPTO (handle))
1536 {
1537 if (res == SHISHI_OK)
1538 {
1539 printf ("\t ;; decrypt out:\n");
1540 _shishi_escapeprint (*out, *outlen);
1541 _shishi_hexprint (*out, *outlen);
1542 }
1543 else
1544 {
1545 printf ("\t ;; decrypt out failed %d\n", res);
1546 }
1547 }
1548
1549 return res;
1550 }
1551
1552 /**
1553 * shishi_decrypt_iv_etype:
1554 * @handle: shishi handle as allocated by shishi_init().
1555 * @key: key to decrypt with.
1556 * @keyusage: integer specifying what this key is decrypting.
1557 * @etype: integer specifying what cipher to use.
1558 * @iv: input array with initialization vector
1559 * @ivlen: size of input array with initialization vector.
1560 * @in: input array with data to decrypt.
1561 * @inlen: size of input array with data to decrypt.
1562 * @out: output array with newly allocated decrypted data.
1563 * @outlen: output variable with size of newly allocated output array.
1564 *
1565 * Decrypts data as per encryption method using specified
1566 * initialization vector and key. The key actually used is derived
1567 * using the key usage. If key usage is 0, no key derivation is used.
1568 * The OUT buffer must be deallocated by the caller. The next IV is
1569 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1570 *
1571 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1572 * exactly. Some encryption types add pad to make the data fit into
1573 * the block size of the encryption algorithm. Furthermore, the pad
1574 * is not guaranteed to look in any special way, although existing
1575 * implementations often pad with the zero byte. This means that you
1576 * may have to "frame" data, so it is possible to infer the original
1577 * length after decryption. Compare ASN.1 DER which contains such
1578 * information.
1579 *
1580 * Return value: Returns %SHISHI_OK iff successful.
1581 **/
1582 int
1583 shishi_decrypt_iv_etype (Shishi * handle,
1584 Shishi_key * key,
1585 int keyusage,
1586 int32_t etype,
1587 const char *iv, size_t ivlen,
1588 const char *in, size_t inlen,
1589 char **out, size_t * outlen)
1590 {
1591 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1592 iv, ivlen, NULL, NULL,
1593 in, inlen, out, outlen);
1594 }
1595
1596 /**
1597 * shishi_decrypt_etype:
1598 * @handle: shishi handle as allocated by shishi_init().
1599 * @key: key to decrypt with.
1600 * @keyusage: integer specifying what this key is decrypting.
1601 * @etype: integer specifying what cipher to use.
1602 * @in: input array with data to decrypt.
1603 * @inlen: size of input array with data to decrypt.
1604 * @out: output array with newly allocated decrypted data.
1605 * @outlen: output variable with size of newly allocated output array.
1606 *
1607 * Decrypts data as per encryption method using specified key. The
1608 * key actually used is derived using the key usage. If key usage is
1609 * 0, no key derivation is used. The OUT buffer must be deallocated
1610 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1611 * if you need to alter it. The next IV is lost, see
1612 * shishi_decrypt_ivupdate_etype if you need it.
1613 *
1614 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1615 * exactly. Some encryption types add pad to make the data fit into
1616 * the block size of the encryption algorithm. Furthermore, the pad
1617 * is not guaranteed to look in any special way, although existing
1618 * implementations often pad with the zero byte. This means that you
1619 * may have to "frame" data, so it is possible to infer the original
1620 * length after decryption. Compare ASN.1 DER which contains such
1621 * information.
1622 *
1623 * Return value: Returns %SHISHI_OK iff successful.
1624 **/
1625 int
1626 shishi_decrypt_etype (Shishi * handle,
1627 Shishi_key * key,
1628 int keyusage,
1629 int32_t etype,
1630 const char *in, size_t inlen,
1631 char **out, size_t * outlen)
1632 {
1633 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1634 NULL, 0, NULL, NULL,
1635 in, inlen, out, outlen);
1636 }
1637
1638 /**
1639 * shishi_decrypt_ivupdate:
1640 * @handle: shishi handle as allocated by shishi_init().
1641 * @key: key to decrypt with.
1642 * @keyusage: integer specifying what this key is decrypting.
1643 * @iv: input array with initialization vector
1644 * @ivlen: size of input array with initialization vector.
1645 * @ivout: output array with newly allocated updated initialization vector.
1646 * @ivoutlen: size of output array with updated initialization vector.
1647 * @in: input array with data to decrypt.
1648 * @inlen: size of input array with data to decrypt.
1649 * @out: output array with newly allocated decrypted data.
1650 * @outlen: output variable with size of newly allocated output array.
1651 *
1652 * Decrypts data using specified initialization vector and key. The
1653 * key actually used is derived using the key usage. If key usage is
1654 * 0, no key derivation is used. The OUT buffer must be deallocated
1655 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1656 * saved anywhere.
1657 *
1658 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1659 * exactly. Some encryption types add pad to make the data fit into
1660 * the block size of the encryption algorithm. Furthermore, the pad
1661 * is not guaranteed to look in any special way, although existing
1662 * implementations often pad with the zero byte. This means that you
1663 * may have to "frame" data, so it is possible to infer the original
1664 * length after decryption. Compare ASN.1 DER which contains such
1665 * information.
1666 *
1667 * Return value: Returns %SHISHI_OK iff successful.
1668 **/
1669 int
1670 shishi_decrypt_ivupdate (Shishi * handle,
1671 Shishi_key * key,
1672 int keyusage,
1673 const char *iv, size_t ivlen,
1674 char **ivout, size_t * ivoutlen,
1675 const char *in, size_t inlen,
1676 char **out, size_t * outlen)
1677 {
1678 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1679 shishi_key_type (key),
1680 iv, ivlen, ivout, ivoutlen,
1681 in, inlen, out, outlen);
1682 }
1683
1684 /**
1685 * shishi_decrypt_iv:
1686 * @handle: shishi handle as allocated by shishi_init().
1687 * @key: key to decrypt with.
1688 * @keyusage: integer specifying what this key is decrypting.
1689 * @iv: input array with initialization vector
1690 * @ivlen: size of input array with initialization vector.
1691 * @in: input array with data to decrypt.
1692 * @inlen: size of input array with data to decrypt.
1693 * @out: output array with newly allocated decrypted data.
1694 * @outlen: output variable with size of newly allocated output array.
1695 *
1696 * Decrypts data using specified initialization vector and key. The
1697 * key actually used is derived using the key usage. If key usage is
1698 * 0, no key derivation is used. The OUT buffer must be deallocated
1699 * by the caller. The next IV is lost, see
1700 * shishi_decrypt_ivupdate_etype if you need it.
1701 *
1702 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1703 * exactly. Some encryption types add pad to make the data fit into
1704 * the block size of the encryption algorithm. Furthermore, the pad
1705 * is not guaranteed to look in any special way, although existing
1706 * implementations often pad with the zero byte. This means that you
1707 * may have to "frame" data, so it is possible to infer the original
1708 * length after decryption. Compare ASN.1 DER which contains such
1709 * information.
1710 *
1711 * Return value: Returns %SHISHI_OK iff successful.
1712 **/
1713 int
1714 shishi_decrypt_iv (Shishi * handle,
1715 Shishi_key * key,
1716 int keyusage,
1717 const char *iv, size_t ivlen,
1718 const char *in, size_t inlen, char **out, size_t * outlen)
1719 {
1720 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1721 shishi_key_type (key),
1722 iv, ivlen, NULL, NULL,
1723 in, inlen, out, outlen);
1724 }
1725
1726 /**
1727 * shishi_decrypt:
1728 * @handle: shishi handle as allocated by shishi_init().
1729 * @key: key to decrypt with.
1730 * @keyusage: integer specifying what this key is decrypting.
1731 * @in: input array with data to decrypt.
1732 * @inlen: size of input array with data to decrypt.
1733 * @out: output array with newly allocated decrypted data.
1734 * @outlen: output variable with size of newly allocated output array.
1735 *
1736 * Decrypts data specified key. The key actually used is derived
1737 * using the key usage. If key usage is 0, no key derivation is used.
1738 * The OUT buffer must be deallocated by the caller. The default IV
1739 * is used, see shishi_decrypt_iv if you need to alter it. The next
1740 * IV is lost, see shishi_decrypt_ivupdate if you need it.
1741 *
1742 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1743 * exactly. Some encryption types add pad to make the data fit into
1744 * the block size of the encryption algorithm. Furthermore, the pad
1745 * is not guaranteed to look in any special way, although existing
1746 * implementations often pad with the zero byte. This means that you
1747 * may have to "frame" data, so it is possible to infer the original
1748 * length after decryption. Compare ASN.1 DER which contains such
1749 * information.
1750 *
1751 * Return value: Returns %SHISHI_OK iff successful.
1752 **/
1753 int
1754 shishi_decrypt (Shishi * handle,
1755 Shishi_key * key,
1756 int keyusage,
1757 const char *in, size_t inlen, char **out, size_t * outlen)
1758 {
1759 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1760 shishi_key_type (key),
1761 NULL, 0, NULL, NULL,
1762 in, inlen, out, outlen);
1763 }
1764
1765 /**
1766 * shishi_n_fold:
1767 * @handle: shishi handle as allocated by shishi_init().
1768 * @in: input array with data to decrypt.
1769 * @inlen: size of input array with data to decrypt ("M").
1770 * @out: output array with decrypted data.
1771 * @outlen: size of output array ("N").
1772 *
1773 * Fold data into a fixed length output array, with the intent to give
1774 * each input bit approximately equal weight in determining the value
1775 * of each output bit.
1776 *
1777 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
1778 * by Uri Blumenthal and Steven M. Bellovin,
1779 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
1780 * the sample vectors provided by the paper are incorrect.
1781 *
1782 * Return value: Returns %SHISHI_OK iff successful.
1783 **/
1784 int
1785 shishi_n_fold (Shishi * handle,
1786 const char *in, size_t inlen, char *out, size_t outlen)
1787 {
1788 int m = inlen;
1789 int n = outlen;
1790 char *buf = NULL;
1791 char *a = NULL;
1792 int lcmmn = 0;
1793 int i = 0;
1794
1795 /*
1796 To n-fold a number X, replicate the input value to a length that is
1797 the least common multiple of n and the length of X. Before each
1798 repetition, the input is rotated to the right by 13 bit
1799 positions. The successive n-bit chunks are added together using
1800 1's-complement addition (that is, addition with end-around carry)
1801 to yield a n-bit result denoted <X>_n.
1802 */
1803
1804 a = xmemdup (in, m);
1805
1806 lcmmn = lcm (m, n);
1807
1808 if (VERBOSECRYPTONOISE (handle))
1809 {
1810 printf ("%d-fold (string)\n", n * 8);
1811 printf ("\t ;; string length %d bytes %d bits\n", m, m * 8);
1812 _shishi_escapeprint (a, m);
1813 _shishi_hexprint (a, m);
1814 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
1815 8 * m, 8 * n, m, n, lcmmn);
1816 }
1817
1818 buf = (char *) xmalloc (lcmmn);
1819
1820 /* Replicate the input th the LCMMN length */
1821 for (i = 0; i < (lcmmn / m); i++)
1822 {
1823 if (VERBOSECRYPTONOISE (handle))
1824 {
1825 printf ("\t ;; %d-th replication\n", i + 1);
1826 printf ("string = rot13(string)\n");
1827 }
1828
1829 memcpy ((char *) &buf[i * m], a, m);
1830 rot13 (handle, a, a, m);
1831 }
1832
1833 memset (out, 0, n); /* just in case */
1834
1835 if (VERBOSECRYPTONOISE (handle))
1836 {
1837 printf ("\t ;; replicated string (length %d):\n", lcmmn);
1838 _shishi_hexprint (buf, lcmmn);
1839 _shishi_binprint (buf, lcmmn);
1840 printf ("sum = 0\n");
1841 }
1842
1843 /* Now we view the buf as set of n-byte strings
1844 Add the n-byte long chunks together, using
1845 one's complement addition, storing the
1846 result in the output string. */
1847
1848 for (i = 0; i < (lcmmn / n); i++)
1849 {
1850 if (VERBOSECRYPTONOISE (handle))
1851 {
1852 printf ("\t ;; %d-th one's complement addition sum\n", i + 1);
1853 printf ("\t ;; sum:\n");
1854 _shishi_hexprint (out, n);
1855 _shishi_binprint (out, n);
1856 printf ("\t ;; A (offset %d):\n", i * n);
1857 _shishi_hexprint (&buf[i * n], n);
1858 _shishi_binprint (&buf[i * n], n);
1859 printf ("sum = ocadd(sum, A);\n");
1860 }
1861
1862 ocadd (out, (char *) &buf[i * n], out, n);
1863
1864 if (VERBOSECRYPTONOISE (handle))
1865 {
1866 printf ("\t ;; sum:\n");
1867 _shishi_hexprint (out, n);
1868 _shishi_binprint (out, n);
1869 }
1870 }
1871
1872 if (VERBOSECRYPTONOISE (handle))
1873 {
1874 printf ("\t ;; nfold\n");
1875 _shishi_hexprint (out, n);
1876 _shishi_binprint (out, n);
1877 }
1878
1879 free (buf);
1880 free (a);
1881
1882 return SHISHI_OK;
1883 }
1884
1885 #define MAX_DR_PRFCONSTANT 1024
1886
1887 /**
1888 * shishi_dr:
1889 * @handle: shishi handle as allocated by shishi_init().
1890 * @key: input array with cryptographic key to use.
1891 * @prfconstant: input array with the constant string.
1892 * @prfconstantlen: size of input array with the constant string.
1893 * @derivedrandom: output array with derived random data.
1894 * @derivedrandomlen: size of output array with derived random data.
1895 *
1896 * Derive "random" data from a key and a constant thusly:
1897 * DR(KEY, PRFCONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
1898 * SHISHI_ENCRYPT(KEY, PRFCONSTANT)).
1899 *
1900 * Return value: Returns %SHISHI_OK iff successful.
1901 **/
1902 int
1903 shishi_dr (Shishi * handle,
1904 Shishi_key * key,
1905 const char *prfconstant, size_t prfconstantlen,
1906 char *derivedrandom, size_t derivedrandomlen)
1907 {
1908 char *cipher;
1909 char plaintext[MAX_DR_PRFCONSTANT];
1910 char nfoldprfconstant[MAX_DR_PRFCONSTANT];
1911 size_t blocksize = shishi_cipher_blocksize (shishi_key_type (key));
1912 size_t totlen, cipherlen;
1913 int res;
1914
1915 if (VERBOSECRYPTO (handle))
1916 {
1917 printf ("dr (%s, key, prfconstant, %d)\n",
1918 shishi_cipher_name (shishi_key_type (key)), derivedrandomlen);
1919 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
1920 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1921 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
1922 printf ("\t ;; prfconstant %s':\n", prfconstant);
1923 _shishi_escapeprint (prfconstant, prfconstantlen);
1924 _shishi_hexprint (prfconstant, prfconstantlen);
1925 _shishi_binprint (prfconstant, prfconstantlen);
1926 }
1927
1928 if (prfconstantlen > MAX_DR_PRFCONSTANT)
1929 return SHISHI_TOO_SMALL_BUFFER;
1930
1931 if (prfconstantlen == blocksize)
1932 memcpy (nfoldprfconstant, prfconstant, prfconstantlen);
1933 else
1934 {
1935 res = shishi_n_fold (handle, prfconstant, prfconstantlen,
1936 nfoldprfconstant, blocksize);
1937 if (res != SHISHI_OK)
1938 return res;
1939 }
1940
1941 if (VERBOSECRYPTO (handle))
1942 {
1943 printf ("\t ;; possibly nfolded prfconstant (length %d):\n", blocksize);
1944 _shishi_escapeprint (nfoldprfconstant, blocksize);
1945 _shishi_hexprint (nfoldprfconstant, blocksize);
1946 _shishi_binprint (nfoldprfconstant, blocksize);
1947 }
1948
1949 memcpy (plaintext, nfoldprfconstant, blocksize);
1950
1951 totlen = 0;
1952 do
1953 {
1954 res = shishi_encrypt (handle, key, 0, plaintext, blocksize,
1955 &cipher, &cipherlen);
1956 if (res != SHISHI_OK)
1957 return res;
1958 if (cipherlen != blocksize)
1959 return SHISHI_CRYPTO_ERROR;
1960 memcpy (derivedrandom + totlen, cipher, cipherlen);
1961 memcpy (plaintext, cipher, cipherlen);
1962 free (cipher);
1963 totlen += cipherlen;
1964 }
1965 while (totlen < derivedrandomlen);
1966
1967 if (VERBOSECRYPTO (handle))
1968 {
1969 printf ("\t ;; derived random (length %d):\n", derivedrandomlen);
1970 _shishi_hexprint (derivedrandom, derivedrandomlen);
1971 _shishi_binprint (derivedrandom, derivedrandomlen);
1972 }
1973
1974 return SHISHI_OK;
1975 }
1976
1977 /**
1978 * shishi_dk:
1979 * @handle: shishi handle as allocated by shishi_init().
1980 * @key: input cryptographic key to use.
1981 * @prfconstant: input array with the constant string.
1982 * @prfconstantlen: size of input array with the constant string.
1983 * @derivedkey: pointer to derived key (allocated by caller).
1984 *
1985 * Derive a key from a key and a constant thusly:
1986 * DK(KEY, PRFCONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, PRFCONSTANT)).
1987 *
1988 * Return value: Returns %SHISHI_OK iff successful.
1989 **/
1990 int
1991 shishi_dk (Shishi * handle,
1992 Shishi_key * key,
1993 const char *prfconstant, size_t prfconstantlen,
1994 Shishi_key * derivedkey)
1995 {
1996 char rnd[MAX_RANDOM_LEN];
1997 int res;
1998
1999 if (VERBOSECRYPTO (handle))
2000 {
2001 printf ("dk (%s, key, prfconstant)\n", shishi_key_name (key));
2002 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2003 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
2004 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
2005 printf ("\t ;; prfconstant:\n");
2006 _shishi_escapeprint (prfconstant, prfconstantlen);
2007 _shishi_hexprint (prfconstant, prfconstantlen);
2008 _shishi_binprint (prfconstant, prfconstantlen);
2009 }
2010
2011 shishi_key_type_set (derivedkey, shishi_key_type (key));
2012
2013 res = shishi_dr (handle, key, prfconstant, prfconstantlen, rnd,
2014 shishi_key_length (derivedkey));
2015 if (res != SHISHI_OK)
2016 return res;
2017
2018 res = shishi_random_to_key (handle, shishi_key_type (derivedkey),
2019 rnd, shishi_key_length (derivedkey),
2020 derivedkey);
2021 if (res != SHISHI_OK)
2022 return res;
2023
2024 return SHISHI_OK;
2025 }
Free Kerberos V5 implementation