search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add old stuff.
[shishi.git] / lib / crypto.c
bloba446d13c220279ca5a27eab44f6462ef9159c778
1 /* crypto.c --- Crypto functions.
2 * Copyright (C) 2002, 2003, 2004, 2005, 2006 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 */
21
22 #include "internal.h"
23
24 /* Get prototypes. */
25 #include "crypto.h"
26
27 /* Get _shishi_escapeprint, etc. */
28 #include "utils.h"
29
30 static int
31 gcd (int a, int b)
32 {
33 if (b == 0)
34 return a;
35 else
36 return gcd (b, a % b);
37 }
38
39 static int
40 lcm (int a, int b)
41 {
42 return a * b / gcd (a, b);
43 }
44
45 static void
46 rot13 (Shishi * handle, char *in, char *out, int len)
47 {
48 if (VERBOSECRYPTONOISE (handle))
49 {
50 printf ("\t ;; rot 13 in:\n");
51 _shishi_escapeprint (in, len);
52 _shishi_hexprint (in, len);
53 _shishi_binprint (in, len);
54 }
55
56 if (len == 1)
57 {
58 out[0] =
59 ((in[0] >> 5) & 0x01) |
60 ((in[0] >> 5) & 0x02) |
61 ((in[0] >> 5) & 0x04) |
62 ((in[0] << 3) & 0x08) |
63 ((in[0] << 3) & 0x10) |
64 ((in[0] << 3) & 0x20) | ((in[0] << 3) & 0x40) | ((in[0] << 3) & 0x80);
65 }
66 else if (len > 1)
67 {
68 char nexttolast, last;
69 int i;
70
71 nexttolast = in[len - 2];
72 last = in[len - 1];
73
74 for (i = len * 8 - 1; i >= 13; i--)
75 {
76 int pos = i / 8;
77 char mask = ~(1 << (7 - i % 8));
78 int pos2 = (i - 13) / 8;
79 char mask2 = (1 << (7 - (i - 13) % 8));
80
81 out[pos] = (out[pos] & mask) |
82 (((in[pos2] & mask2) ? 0xFF : 0x00) & ~mask);
83 }
84 out[0] = ((nexttolast & 0xFF) << 3) | ((last & 0xFF) >> 5);
85 out[1] = (in[1] & ~(0xFF & (0xFF << 3))) | (0xFF & (last << 3));
86 }
87
88 if (VERBOSECRYPTONOISE (handle))
89 {
90 printf ("\t ;; rot13 out:\n");
91 _shishi_escapeprint (out, len);
92 _shishi_hexprint (out, len);
93 _shishi_binprint (out, len);
94 }
95 }
96
97 static void
98 ocadd (char *add1, char *add2, char *sum, int len)
99 {
100 int i;
101 int carry = 0;
102
103 for (i = len - 1; i >= 0; i--)
104 {
105 int tmpsum = (unsigned char) add1[i] + (unsigned char) add2[i];
106
107 sum[i] = (tmpsum + carry) & 0xFF;
108 if (tmpsum + carry > 0xFF)
109 carry = 1;
110 else
111 carry = 0;
112 }
113
114 if (carry)
115 {
116 int done = 0;
117
118 for (i = len - 1; i >= 0; i--)
119 if ((unsigned char) sum[i] != 0xFF)
120 {
121 sum[i]++;
122 done = 1;
123 break;
124 }
125
126 if (!done)
127 memset (sum, 0, len);
128 }
129 }
130
131 static int
132 simplified_hmac (Shishi * handle,
133 Shishi_key * key,
134 const char *in, size_t inlen,
135 char **outhash, size_t * outhashlen)
136 {
137 *outhashlen = shishi_checksum_cksumlen
138 (shishi_cipher_defaultcksumtype (shishi_key_type (key)));
139 return shishi_hmac_sha1 (handle, shishi_key_value (key),
140 shishi_key_length (key), in, inlen, outhash);
141 }
142
143 static int
144 simplified_hmac_verify (Shishi * handle, Shishi_key * key,
145 const char *in, size_t inlen,
146 const char *hmac, size_t hmaclen)
147 {
148 char *hash;
149 size_t hlen;
150 int same;
151 int res;
152
153 res = simplified_hmac (handle, key, in, inlen, &hash, &hlen);
154 if (res != SHISHI_OK || hash == NULL)
155 return res;
156
157 if (VERBOSECRYPTO (handle))
158 {
159 printf ("\t ;; HMAC verify:\n");
160 _shishi_escapeprint (hash, hlen);
161 _shishi_hexprint (hash, hlen);
162 _shishi_binprint (hash, hlen);
163 _shishi_escapeprint (hmac, hmaclen);
164 _shishi_hexprint (hmac, hmaclen);
165 _shishi_binprint (hmac, hmaclen);
166 }
167
168 same = (hlen == hmaclen) && memcmp (hash, hmac, hmaclen) == 0;
169
170 free (hash);
171
172 if (!same)
173 {
174 shishi_error_printf (handle, "HMAC verify failed");
175 return SHISHI_CRYPTO_ERROR;
176 }
177
178 return SHISHI_OK;
179 }
180
181 int
182 _shishi_simplified_derivekey (Shishi * handle,
183 Shishi_key * key,
184 int keyusage,
185 int derivekeymode, Shishi_key ** outkey)
186 {
187 char prfconstant[5];
188 int res = SHISHI_OK;
189 Shishi_key *derivedkey;
190
191 if (VERBOSECRYPTO (handle))
192 {
193 printf ("simplified_derivekey\n");
194 printf ("\t ;; mode %d (%s)\n", derivekeymode,
195 derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM ? "checksum" :
196 derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY ? "integrity" :
197 derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY ? "privacy" :
198 "base-key");
199 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
200 }
201
202
203 res = shishi_key_from_value (handle, shishi_key_type (key),
204 NULL, &derivedkey);
205 if (res != SHISHI_OK)
206 return res;
207
208 *outkey = derivedkey;
209
210 if (keyusage)
211 {
212 uint32_t tmp = htonl (keyusage);
213 memcpy (prfconstant, &tmp, 4);
214 if (derivekeymode == SHISHI_DERIVEKEYMODE_CHECKSUM)
215 prfconstant[4] = '\x99';
216 else if (derivekeymode == SHISHI_DERIVEKEYMODE_INTEGRITY)
217 prfconstant[4] = '\x55';
218 else /* if (derivekeymode == SHISHI_DERIVEKEYMODE_PRIVACY) */
219 prfconstant[4] = '\xAA';
220
221 res = shishi_dk (handle, key, prfconstant, 5, derivedkey);
222 }
223 else
224 {
225 shishi_key_copy (derivedkey, key);
226 }
227
228 if (VERBOSECRYPTO (handle))
229 {
230 printf ("\t ;; simplified_derivekey out (%d):\n",
231 shishi_key_length (derivedkey));
232 _shishi_hexprint (shishi_key_value (derivedkey),
233 shishi_key_length (derivedkey));
234 }
235
236 return res;
237 }
238
239 int
240 _shishi_simplified_dencrypt (Shishi * handle,
241 Shishi_key * key,
242 const char *iv, size_t ivlen,
243 char **ivout, size_t * ivoutlen,
244 const char *in, size_t inlen,
245 char **out, size_t * outlen, int decryptp)
246 {
247 int rc;
248 char *pt;
249 size_t ptlen;
250 size_t padzerolen = 0;
251
252 if ((inlen % 8) != 0)
253 while (((inlen + padzerolen) % 8) != 0)
254 padzerolen++;
255
256 ptlen = inlen + padzerolen;
257
258 if (padzerolen)
259 {
260 pt = xmalloc (ptlen);
261 memcpy (pt, in, inlen);
262 memset (pt + inlen, 0, padzerolen);
263 }
264 else
265 pt = (char *) in;
266
267 switch (shishi_key_type (key))
268 {
269 case SHISHI_DES_CBC_CRC:
270 case SHISHI_DES_CBC_MD4:
271 case SHISHI_DES_CBC_MD5:
272 case SHISHI_DES_CBC_NONE:
273 rc = shishi_des (handle, decryptp, shishi_key_value (key),
274 iv, ivout, pt, ptlen, out);
275 if (ivoutlen)
276 *ivoutlen = 8;
277 if (outlen)
278 *outlen = ptlen;
279 break;
280
281 case SHISHI_DES3_CBC_HMAC_SHA1_KD:
282 case SHISHI_DES3_CBC_NONE:
283 rc = shishi_3des (handle, decryptp, shishi_key_value (key),
284 iv, ivout, pt, inlen + padzerolen, out);
285 if (ivoutlen)
286 *ivoutlen = 8;
287 if (outlen)
288 *outlen = ptlen;
289 break;
290
291 case SHISHI_AES128_CTS_HMAC_SHA1_96:
292 case SHISHI_AES256_CTS_HMAC_SHA1_96:
293 rc = shishi_aes_cts (handle, decryptp,
294 shishi_key_value (key), shishi_key_length (key),
295 iv, ivout, in, inlen, out);
296 if (ivoutlen)
297 *ivoutlen = 16;
298 if (outlen)
299 *outlen = inlen;
300 break;
301
302 default:
303 rc = SHISHI_CRYPTO_ERROR;
304 }
305
306 if (padzerolen)
307 free (pt);
308
309 return rc;
310 }
311
312 int
313 _shishi_simplified_encrypt (Shishi * handle,
314 Shishi_key * key,
315 int keyusage,
316 const char *iv, size_t ivlen,
317 char **ivout, size_t * ivoutlen,
318 const char *in, size_t inlen,
319 char **out, size_t * outlen)
320 {
321 int res;
322 int padzerolen = 0;
323
324 if ((shishi_key_type (key) == SHISHI_DES3_CBC_HMAC_SHA1_KD ||
325 shishi_key_type (key) == SHISHI_DES_CBC_CRC ||
326 shishi_key_type (key) == SHISHI_DES_CBC_MD4 ||
327 shishi_key_type (key) == SHISHI_DES_CBC_MD5) && (inlen % 8) != 0)
328 while (((inlen + padzerolen) % 8) != 0)
329 padzerolen++;
330
331 if (keyusage != 0)
332 {
333 char *pt = NULL, *ct = NULL, *hmac = NULL;
334 int blen = shishi_cipher_blocksize (shishi_key_type (key));
335 size_t ctlen, ptlen, hmaclen;
336 Shishi_key *privacykey = NULL, *integritykey = NULL;
337
338 ptlen = inlen + blen + padzerolen;
339 pt = xmalloc (ptlen);
340
341 res = shishi_randomize (handle, 0, pt, blen);
342 if (res != SHISHI_OK)
343 goto done;
344
345 memcpy (pt + blen, in, inlen);
346 memset (pt + blen + inlen, 0, padzerolen);
347
348 res = _shishi_simplified_derivekey (handle, key, keyusage,
349 SHISHI_DERIVEKEYMODE_PRIVACY,
350 &privacykey);
351 if (res != SHISHI_OK)
352 goto done;
353
354 res = _shishi_simplified_dencrypt (handle, privacykey,
355 iv, ivlen, ivout,
356 ivoutlen, pt, ptlen, &ct, &ctlen, 0);
357 if (res != SHISHI_OK)
358 goto done;
359
360
361 res = _shishi_simplified_derivekey (handle, key, keyusage,
362 SHISHI_DERIVEKEYMODE_INTEGRITY,
363 &integritykey);
364 if (res != SHISHI_OK)
365 goto done;
366
367 res = simplified_hmac (handle, integritykey, pt, ptlen,
368 &hmac, &hmaclen);
369 if (res != SHISHI_OK)
370 goto done;
371
372 *outlen = ctlen + hmaclen;
373 *out = xmalloc (*outlen);
374 memcpy (*out, ct, ctlen);
375 memcpy (*out + ctlen, hmac, hmaclen);
376
377 done:
378 if (&privacykey)
379 shishi_key_done (privacykey);
380 if (&integritykey)
381 shishi_key_done (integritykey);
382 if (hmac)
383 free (hmac);
384 if (ct)
385 free (ct);
386 if (pt)
387 free (pt);
388 }
389 else
390 {
391 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
392 ivout, ivoutlen,
393 in, inlen, out, outlen, 0);
394 }
395
396 return res;
397 }
398
399 int
400 _shishi_simplified_decrypt (Shishi * handle,
401 Shishi_key * key,
402 int keyusage,
403 const char *iv, size_t ivlen,
404 char **ivout, size_t * ivoutlen,
405 const char *in, size_t inlen,
406 char **out, size_t * outlen)
407 {
408 int res;
409
410 if (keyusage)
411 {
412 Shishi_key *privacykey = NULL, *integritykey = NULL;
413 int blen = shishi_cipher_blocksize (shishi_key_type (key));
414 size_t hlen = shishi_checksum_cksumlen
415 (shishi_cipher_defaultcksumtype (shishi_key_type (key)));
416
417 res = _shishi_simplified_derivekey (handle, key, keyusage,
418 SHISHI_DERIVEKEYMODE_PRIVACY,
419 &privacykey);
420 if (res != SHISHI_OK)
421 goto done;
422
423 res = _shishi_simplified_dencrypt (handle, privacykey,
424 iv, ivlen, ivout, ivoutlen,
425 in, inlen - hlen, out, outlen, 1);
426 if (res != SHISHI_OK)
427 goto done;
428
429 res = _shishi_simplified_derivekey (handle, key, keyusage,
430 SHISHI_DERIVEKEYMODE_INTEGRITY,
431 &integritykey);
432 if (res != SHISHI_OK)
433 goto done;
434
435 res = simplified_hmac_verify (handle, integritykey, *out, *outlen,
436 in + inlen - hlen, hlen);
437
438 if (res != SHISHI_OK)
439 goto done;
440
441 memmove (*out, *out + blen, *outlen - blen);
442 *outlen = *outlen - blen;
443 *out = xrealloc (*out, *outlen);
444
445 done:
446 if (privacykey)
447 shishi_key_done (privacykey);
448 if (integritykey)
449 shishi_key_done (integritykey);
450 }
451 else
452 {
453 res = _shishi_simplified_dencrypt (handle, key, iv, ivlen,
454 ivout, ivoutlen,
455 in, inlen, out, outlen, 1);
456 }
457
458 return res;
459 }
460
461 int
462 _shishi_simplified_checksum (Shishi * handle,
463 Shishi_key * key,
464 int keyusage,
465 int cksumtype,
466 const char *in, size_t inlen,
467 char **out, size_t * outlen)
468 {
469 Shishi_key *checksumkey;
470 int cksumlen = shishi_checksum_cksumlen (cksumtype);
471 int res;
472
473 res = _shishi_simplified_derivekey (handle, key, keyusage,
474 SHISHI_DERIVEKEYMODE_CHECKSUM,
475 &checksumkey);
476 if (res != SHISHI_OK)
477 return res;
478
479 res = simplified_hmac (handle, checksumkey, in, inlen, out, outlen);
480
481 shishi_key_done (checksumkey);
482
483 if (res != SHISHI_OK)
484 return res;
485
486 *outlen = cksumlen;
487
488 return SHISHI_OK;
489 }
490
491 static cipherinfo *ciphers[] = {
492 #if WITH_NULL
493 &null_info,
494 #endif
495 #if WITH_DES
496 &des_cbc_crc_info,
497 &des_cbc_md4_info,
498 &des_cbc_md5_info,
499 &des_cbc_none_info,
500 #endif
501 #if WITH_3DES
502 &des3_cbc_none_info,
503 &des3_cbc_sha1_kd_info,
504 #endif
505 #if WITH_AES
506 &aes128_cts_hmac_sha1_96_info,
507 &aes256_cts_hmac_sha1_96_info,
508 #endif
509 #if WITH_ARCFOUR
510 &arcfour_hmac_info,
511 &arcfour_hmac_exp_info
512 #endif
513 };
514
515 /**
516 * shishi_cipher_supported_p:
517 * @type: encryption type, see Shishi_etype.
518 *
519 * Find out if cipher is supported.
520 *
521 * Return value: Return 0 iff cipher is unsupported.
522 **/
523 int
524 shishi_cipher_supported_p (int32_t type)
525 {
526 size_t i;
527
528 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
529 if (type == ciphers[i]->type)
530 return 1;
531
532 return 0;
533 }
534
535 /**
536 * shishi_cipher_name:
537 * @type: encryption type, see Shishi_etype.
538 *
539 * Read humanly readable string for cipher.
540 *
541 * Return value: Return name of encryption type,
542 * e.g. "des3-cbc-sha1-kd", as defined in the standards.
543 **/
544 const char *
545 shishi_cipher_name (int32_t type)
546 {
547 size_t i;
548 char *p;
549
550 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
551 {
552 if (type == ciphers[i]->type)
553 return ciphers[i]->name;
554 }
555
556 asprintf (&p, "unknown cipher %d", type);
557 return p;
558 }
559
560 /**
561 * shishi_cipher_blocksize:
562 * @type: encryption type, see Shishi_etype.
563 *
564 * Get block size for cipher.
565 *
566 * Return value: Return block size for encryption type, as defined in
567 * the standards.
568 **/
569 int
570 shishi_cipher_blocksize (int32_t type)
571 {
572 size_t i;
573
574 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
575 if (type == ciphers[i]->type)
576 return ciphers[i]->blocksize;
577
578 return -1;
579 }
580
581 /**
582 * shishi_cipher_confoundersize:
583 * @type: encryption type, see Shishi_etype.
584 *
585 * Get length of confounder for cipher.
586 *
587 * Return value: Returns the size of the confounder (random data) for
588 * encryption type, as defined in the standards.
589 **/
590 int
591 shishi_cipher_confoundersize (int32_t type)
592 {
593 size_t i;
594
595 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
596 if (type == ciphers[i]->type)
597 return ciphers[i]->confoundersize;
598
599 return -1;
600 }
601
602 /**
603 * shishi_cipher_keylen:
604 * @type: encryption type, see Shishi_etype.
605 *
606 * Get key length for cipher.
607 *
608 * Return value: Return length of key used for the encryption type, as
609 * defined in the standards.
610 **/
611 size_t
612 shishi_cipher_keylen (int32_t type)
613 {
614 size_t i;
615
616 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
617 if (type == ciphers[i]->type)
618 return ciphers[i]->keylen;
619
620 return -1;
621 }
622
623 /**
624 * shishi_cipher_randomlen:
625 * @type: encryption type, see Shishi_etype.
626 *
627 * Get length of random data for cipher.
628 *
629 * Return value: Return length of random used for the encryption type,
630 * as defined in the standards.
631 **/
632 size_t
633 shishi_cipher_randomlen (int32_t type)
634 {
635 size_t i;
636
637 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
638 if (type == ciphers[i]->type)
639 return ciphers[i]->randomlen;
640
641 return -1;
642 }
643
644 /**
645 * shishi_cipher_defaultcksumtype:
646 * @type: encryption type, see Shishi_etype.
647 *
648 * Get the default checksum associated with cipher.
649 *
650 * Return value: Return associated checksum mechanism for the
651 * encryption type, as defined in the standards.
652 **/
653 int
654 shishi_cipher_defaultcksumtype (int32_t type)
655 {
656 size_t i;
657
658 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
659 if (type == ciphers[i]->type)
660 return ciphers[i]->defaultcksumtype;
661
662 return -1;
663 }
664
665 struct Cipher_aliases
666 {
667 const char *name;
668 int type;
669 };
670
671 static struct Cipher_aliases cipher_aliases[] = {
672 {"des-crc", SHISHI_DES_CBC_CRC},
673 {"des-md4", SHISHI_DES_CBC_MD4},
674 {"des-md5", SHISHI_DES_CBC_MD5},
675 {"des", SHISHI_DES_CBC_MD5},
676 {"des3", SHISHI_DES3_CBC_HMAC_SHA1_KD},
677 {"3des", SHISHI_DES3_CBC_HMAC_SHA1_KD},
678 {"aes128", SHISHI_AES128_CTS_HMAC_SHA1_96},
679 {"aes256", SHISHI_AES256_CTS_HMAC_SHA1_96},
680 {"aes", SHISHI_AES256_CTS_HMAC_SHA1_96},
681 {"arcfour", SHISHI_ARCFOUR_HMAC}
682 };
683
684 /**
685 * shishi_cipher_parse:
686 * @cipher: name of encryption type, e.g. "des3-cbc-sha1-kd".
687 *
688 * Get cipher number by parsing string.
689 *
690 * Return value: Return encryption type corresponding to a string.
691 **/
692 int
693 shishi_cipher_parse (const char *cipher)
694 {
695 size_t i;
696 char *endptr;
697
698 i = strtol (cipher, &endptr, 0);
699
700 if (endptr != cipher)
701 return i;
702
703 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
704 if (strcasecmp (cipher, ciphers[i]->name) == 0)
705 return ciphers[i]->type;
706
707 for (i = 0; i < sizeof (cipher_aliases) / sizeof (cipher_aliases[0]); i++)
708 if (strcasecmp (cipher, cipher_aliases[i].name) == 0)
709 return cipher_aliases[i].type;
710
711 return -1;
712 }
713
714 static Shishi_random_to_key_function
715 _shishi_cipher_random_to_key (int32_t type)
716 {
717 size_t i;
718
719 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
720 if (type == ciphers[i]->type)
721 return ciphers[i]->random2key;
722
723 return NULL;
724 }
725
726 static Shishi_string_to_key_function
727 _shishi_cipher_string_to_key (int32_t type)
728 {
729 size_t i;
730
731 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
732 if (type == ciphers[i]->type)
733 return ciphers[i]->string2key;
734
735 return NULL;
736 }
737
738 static Shishi_encrypt_function
739 _shishi_cipher_encrypt (int32_t type)
740 {
741 size_t i;
742
743 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
744 if (type == ciphers[i]->type)
745 return ciphers[i]->encrypt;
746
747 return NULL;
748 }
749
750 static Shishi_decrypt_function
751 _shishi_cipher_decrypt (int32_t type)
752 {
753 size_t i;
754
755 for (i = 0; i < sizeof (ciphers) / sizeof (ciphers[0]); i++)
756 if (type == ciphers[i]->type)
757 return ciphers[i]->decrypt;
758
759 return NULL;
760 }
761
762 static checksuminfo *checksums[] = {
763 #if WITH_DES
764 &crc32_info,
765 #endif
766 #if WITH_MD
767 &md4_info,
768 #endif
769 #if WITH_DES
770 &md4_des_info,
771 #endif
772 #if WITH_MD
773 &md5_info,
774 #endif
775 #if WITH_DES
776 &md5_des_info,
777 &md5_gss_info,
778 #endif
779 #if WITH_3DES
780 &hmac_sha1_des3_kd_info,
781 #endif
782 #if WITH_AES
783 &hmac_sha1_96_aes128_info,
784 &hmac_sha1_96_aes256_info,
785 #endif
786 #if WITH_ARCFOUR
787 &arcfour_hmac_md5_info
788 #endif
789 };
790
791 /**
792 * shishi_checksum_supported_p:
793 * @type: checksum type, see Shishi_cksumtype.
794 *
795 * Find out whether checksum is supported.
796 *
797 * Return value: Return 0 iff checksum is unsupported.
798 **/
799 int
800 shishi_checksum_supported_p (int32_t type)
801 {
802 size_t i;
803
804 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
805 if (type == checksums[i]->type)
806 return 1;
807
808 return 0;
809 }
810
811 /**
812 * shishi_checksum_name:
813 * @type: checksum type, see Shishi_cksumtype.
814 *
815 * Get name of checksum.
816 *
817 * Return value: Return name of checksum type,
818 * e.g. "hmac-sha1-96-aes256", as defined in the standards.
819 **/
820 const char *
821 shishi_checksum_name (int32_t type)
822 {
823 size_t i;
824 char *p;
825
826 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
827 {
828 if (type == checksums[i]->type)
829 return checksums[i]->name;
830 }
831
832 asprintf (&p, "unknown checksum %d", type);
833 return p;
834 }
835
836 /**
837 * shishi_checksum_cksumlen:
838 * @type: checksum type, see Shishi_cksumtype.
839 *
840 * Get length of checksum output.
841 *
842 * Return value: Return length of checksum used for the checksum type,
843 * as defined in the standards.
844 **/
845 size_t
846 shishi_checksum_cksumlen (int32_t type)
847 {
848 size_t i;
849
850 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
851 if (type == checksums[i]->type)
852 return checksums[i]->cksumlen;
853
854 return -1;
855 }
856
857 /**
858 * shishi_checksum_parse:
859 * @checksum: name of checksum type, e.g. "hmac-sha1-96-aes256".
860 *
861 * Get checksum number by parsing a string.
862 *
863 * Return value: Return checksum type, see Shishi_cksumtype,
864 * corresponding to a string.
865 **/
866 int
867 shishi_checksum_parse (const char *checksum)
868 {
869 size_t i;
870 char *endptr;
871
872 i = strtol (checksum, &endptr, 0);
873
874 if (endptr != checksum)
875 return i;
876
877 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
878 if (strcasecmp (checksum, checksums[i]->name) == 0)
879 return checksums[i]->type;
880
881 return -1;
882 }
883
884 static Shishi_checksum_function
885 _shishi_checksum (int32_t type)
886 {
887 size_t i;
888
889 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
890 if (type == checksums[i]->type)
891 return checksums[i]->checksum;
892
893 return NULL;
894 }
895
896 static Shishi_verify_function
897 _shishi_verify (int32_t type)
898 {
899 size_t i;
900
901 for (i = 0; i < sizeof (checksums) / sizeof (checksums[0]); i++)
902 if (type == checksums[i]->type)
903 return checksums[i]->verify;
904
905 return NULL;
906 }
907
908 /**
909 * shishi_string_to_key:
910 * @handle: shishi handle as allocated by shishi_init().
911 * @keytype: cryptographic encryption type, see Shishi_etype.
912 * @password: input array with password.
913 * @passwordlen: length of input array with password.
914 * @salt: input array with salt.
915 * @saltlen: length of input array with salt.
916 * @parameter: input array with opaque encryption type specific information.
917 * @outkey: allocated key handle that will contain new key.
918 *
919 * Derive key from a string (password) and salt (commonly
920 * concatenation of realm and principal) for specified key type, and
921 * set the type and value in the given key to the computed values.
922 * The parameter value is specific for each keytype, and can be set if
923 * the parameter information is not available.
924 *
925 * Return value: Returns %SHISHI_OK iff successful.
926 **/
927 int
928 shishi_string_to_key (Shishi * handle,
929 int32_t keytype,
930 const char *password, size_t passwordlen,
931 const char *salt, size_t saltlen,
932 const char *parameter, Shishi_key * outkey)
933 {
934 Shishi_string_to_key_function string2key;
935 int res;
936
937 shishi_key_type_set (outkey, keytype);
938
939 if (VERBOSECRYPTO (handle))
940 {
941 printf ("string_to_key (%s, password, salt)\n",
942 shishi_key_name (outkey));
943 printf ("\t ;; password:\n");
944 _shishi_escapeprint (password, passwordlen);
945 _shishi_hexprint (password, passwordlen);
946 printf ("\t ;; salt:\n");
947 _shishi_escapeprint (salt, saltlen);
948 _shishi_hexprint (salt, saltlen);
949 }
950
951 string2key = _shishi_cipher_string_to_key (shishi_key_type (outkey));
952 if (string2key == NULL)
953 {
954 shishi_error_printf (handle, "Unsupported keytype %d",
955 shishi_key_type (outkey));
956 return SHISHI_CRYPTO_ERROR;
957 }
958
959 res = (*string2key) (handle, password, passwordlen,
960 salt, saltlen, parameter, outkey);
961
962 if (VERBOSECRYPTO (handle))
963 {
964 printf ("\t ;; string_to_key key:\n");
965 _shishi_hexprint (shishi_key_value (outkey),
966 shishi_key_length (outkey));
967 _shishi_binprint (shishi_key_value (outkey),
968 shishi_key_length (outkey));
969 }
970
971 return res;
972 }
973
974 /**
975 * shishi_random_to_key:
976 * @handle: shishi handle as allocated by shishi_init().
977 * @keytype: cryptographic encryption type, see Shishi_etype.
978 * @rnd: input array with random data.
979 * @rndlen: length of input array with random data.
980 * @outkey: allocated key handle that will contain new key.
981 *
982 * Derive key from random data for specified key type, and set the
983 * type and value in the given key to the computed values.
984 *
985 * Return value: Returns %SHISHI_OK iff successful.
986 **/
987 int
988 shishi_random_to_key (Shishi * handle,
989 int32_t keytype,
990 const char *rnd, size_t rndlen, Shishi_key * outkey)
991 {
992 Shishi_random_to_key_function random2key;
993 int res;
994
995 shishi_key_type_set (outkey, keytype);
996
997 if (VERBOSECRYPTO (handle))
998 {
999 printf ("random_to_key (%s, random)\n", shishi_key_name (outkey));
1000 printf ("\t ;; random:\n");
1001 _shishi_hexprint (rnd, rndlen);
1002 _shishi_binprint (rnd, rndlen);
1003 }
1004
1005 random2key = _shishi_cipher_random_to_key (keytype);
1006 if (random2key == NULL)
1007 {
1008 shishi_error_printf (handle, "Unsupported random_to_key() ekeytype %d",
1009 keytype);
1010 return SHISHI_CRYPTO_ERROR;
1011 }
1012
1013 res = (*random2key) (handle, rnd, rndlen, outkey);
1014
1015 if (VERBOSECRYPTO (handle))
1016 {
1017 printf ("\t ;; random_to_key key:\n");
1018 _shishi_hexprint (shishi_key_value (outkey),
1019 shishi_key_length (outkey));
1020 _shishi_binprint (shishi_key_value (outkey),
1021 shishi_key_length (outkey));
1022 }
1023
1024 return res;
1025 }
1026
1027 /**
1028 * shishi_checksum:
1029 * @handle: shishi handle as allocated by shishi_init().
1030 * @key: key to compute checksum with.
1031 * @keyusage: integer specifying what this key is used for.
1032 * @cksumtype: the checksum algorithm to use.
1033 * @in: input array with data to integrity protect.
1034 * @inlen: size of input array with data to integrity protect.
1035 * @out: output array with newly allocated integrity protected data.
1036 * @outlen: output variable with length of output array with checksum.
1037 *
1038 * Integrity protect data using key, possibly altered by supplied key
1039 * usage. If key usage is 0, no key derivation is used. The OUT
1040 * buffer must be deallocated by the caller.
1041 *
1042 * Return value: Returns %SHISHI_OK iff successful.
1043 **/
1044 int
1045 shishi_checksum (Shishi * handle,
1046 Shishi_key * key,
1047 int keyusage,
1048 int cksumtype,
1049 const char *in, size_t inlen, char **out, size_t * outlen)
1050 {
1051 Shishi_checksum_function checksum;
1052 int res;
1053
1054 if (VERBOSECRYPTO (handle))
1055 {
1056 printf ("checksum (%s, %d, in, out)\n",
1057 shishi_key_name (key), cksumtype);
1058 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1059 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1060 printf ("\t ;; in:\n");
1061 _shishi_escapeprint (in, inlen);
1062 _shishi_hexprint (in, inlen);
1063 }
1064
1065 if (cksumtype == 0)
1066 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1067
1068 checksum = _shishi_checksum (cksumtype);
1069 if (checksum == NULL)
1070 {
1071 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1072 return SHISHI_CRYPTO_ERROR;
1073 }
1074
1075 /* XXX? check if etype and cksumtype are compatible? */
1076
1077 res = (*checksum) (handle, key, keyusage, cksumtype,
1078 in, inlen, out, outlen);
1079
1080 if (VERBOSECRYPTO (handle))
1081 {
1082 printf ("\t ;; checksum out:\n");
1083 _shishi_escapeprint (*out, *outlen);
1084 _shishi_hexprint (*out, *outlen);
1085 }
1086
1087 return res;
1088 }
1089
1090 /**
1091 * shishi_verify:
1092 * @handle: shishi handle as allocated by shishi_init().
1093 * @key: key to verify checksum with.
1094 * @keyusage: integer specifying what this key is used for.
1095 * @cksumtype: the checksum algorithm to use.
1096 * @in: input array with data that was integrity protected.
1097 * @inlen: size of input array with data that was integrity protected.
1098 * @cksum: input array with alleged checksum of data.
1099 * @cksumlen: size of input array with alleged checksum of data.
1100 *
1101 * Verify checksum of data using key, possibly altered by supplied key
1102 * usage. If key usage is 0, no key derivation is used.
1103 *
1104 * Return value: Returns %SHISHI_OK iff successful.
1105 **/
1106 int
1107 shishi_verify (Shishi * handle,
1108 Shishi_key * key,
1109 int keyusage,
1110 int cksumtype,
1111 const char *in, size_t inlen,
1112 const char *cksum, size_t cksumlen)
1113 {
1114 Shishi_verify_function verify;
1115 int res;
1116
1117 if (VERBOSECRYPTO (handle))
1118 {
1119 printf ("verify (%s, %d, in, out)\n", shishi_key_name (key), cksumtype);
1120 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1121 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1122 printf ("\t ;; data:\n");
1123 _shishi_escapeprint (in, inlen);
1124 _shishi_hexprint (in, inlen);
1125 printf ("\t ;; mic:\n");
1126 _shishi_escapeprint (cksum, cksumlen);
1127 _shishi_hexprint (cksum, cksumlen);
1128 }
1129
1130 if (cksumtype == 0)
1131 cksumtype = shishi_cipher_defaultcksumtype (shishi_key_type (key));
1132
1133 verify = _shishi_verify (cksumtype);
1134 if (verify == NULL)
1135 {
1136 shishi_error_printf (handle, "Unsupported checksum type %d", cksumtype);
1137 return SHISHI_CRYPTO_ERROR;
1138 }
1139
1140 /* XXX? check if etype and cksumtype are compatible? */
1141
1142 res = (*verify) (handle, key, keyusage, cksumtype,
1143 in, inlen, cksum, cksumlen);
1144
1145 if (VERBOSECRYPTO (handle))
1146 printf ("\t ;; verify return: %d\n", res);
1147
1148 return res;
1149 }
1150
1151 /**
1152 * shishi_encrypt_ivupdate_etype:
1153 * @handle: shishi handle as allocated by shishi_init().
1154 * @key: key to encrypt with.
1155 * @keyusage: integer specifying what this key is encrypting.
1156 * @etype: integer specifying what cipher to use.
1157 * @iv: input array with initialization vector
1158 * @ivlen: size of input array with initialization vector.
1159 * @ivout: output array with newly allocated updated initialization vector.
1160 * @ivoutlen: size of output array with updated initialization vector.
1161 * @in: input array with data to encrypt.
1162 * @inlen: size of input array with data to encrypt.
1163 * @out: output array with newly allocated encrypted data.
1164 * @outlen: output variable with size of newly allocated output array.
1165 *
1166 * Encrypts data as per encryption method using specified
1167 * initialization vector and key. The key actually used is derived
1168 * using the key usage. If key usage is 0, no key derivation is used.
1169 * The OUT buffer must be deallocated by the caller. If IVOUT or
1170 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1171 *
1172 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1173 * exactly. Some encryption types add pad to make the data fit into
1174 * the block size of the encryption algorithm. Furthermore, the pad
1175 * is not guaranteed to look in any special way, although existing
1176 * implementations often pad with the zero byte. This means that you
1177 * may have to "frame" data, so it is possible to infer the original
1178 * length after decryption. Compare ASN.1 DER which contains such
1179 * information.
1180 *
1181 * Return value: Returns %SHISHI_OK iff successful.
1182 **/
1183 int
1184 shishi_encrypt_ivupdate_etype (Shishi * handle,
1185 Shishi_key * key,
1186 int keyusage,
1187 int32_t etype,
1188 const char *iv, size_t ivlen,
1189 char **ivout, size_t * ivoutlen,
1190 const char *in, size_t inlen,
1191 char **out, size_t * outlen)
1192 {
1193 Shishi_encrypt_function enc;
1194 int res;
1195
1196 if (VERBOSECRYPTO (handle))
1197 {
1198 printf ("encrypt (type=%s, usage=%d, key, in)\n",
1199 shishi_key_name (key), keyusage);
1200 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1201 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1202 printf ("\t ;; in (%d):\n", inlen);
1203 _shishi_escapeprint (in, inlen);
1204 _shishi_hexprint (in, inlen);
1205 if (iv)
1206 {
1207 printf ("\t ;; iv (%d):\n", ivlen);
1208 _shishi_escapeprint (iv, ivlen);
1209 _shishi_hexprint (iv, ivlen);
1210 }
1211 }
1212
1213 enc = _shishi_cipher_encrypt (etype);
1214 if (enc == NULL)
1215 {
1216 shishi_error_printf (handle, "Unsupported keytype %d",
1217 shishi_key_type (key));
1218 return SHISHI_CRYPTO_ERROR;
1219 }
1220
1221 res = (*enc) (handle, key, keyusage, iv, ivlen, ivout, ivoutlen,
1222 in, inlen, out, outlen);
1223
1224 if (VERBOSECRYPTO (handle))
1225 {
1226 if (res == SHISHI_OK)
1227 {
1228 printf ("\t ;; encrypt out:\n");
1229 _shishi_escapeprint (*out, *outlen);
1230 _shishi_hexprint (*out, *outlen);
1231 if (ivout && ivoutlen)
1232 {
1233 printf ("\t ;; iv out:\n");
1234 _shishi_escapeprint (*ivout, *ivoutlen);
1235 _shishi_hexprint (*ivout, *ivoutlen);
1236 }
1237 }
1238 else
1239 {
1240 printf ("\t ;; encrypt out failed %d\n", res);
1241 }
1242 }
1243
1244 return res;
1245 }
1246
1247 /**
1248 * shishi_encrypt_iv_etype:
1249 * @handle: shishi handle as allocated by shishi_init().
1250 * @key: key to encrypt with.
1251 * @keyusage: integer specifying what this key is encrypting.
1252 * @etype: integer specifying what cipher to use.
1253 * @iv: input array with initialization vector
1254 * @ivlen: size of input array with initialization vector.
1255 * @in: input array with data to encrypt.
1256 * @inlen: size of input array with data to encrypt.
1257 * @out: output array with newly allocated encrypted data.
1258 * @outlen: output variable with size of newly allocated output array.
1259 *
1260 * Encrypts data as per encryption method using specified
1261 * initialization vector and key. The key actually used is derived
1262 * using the key usage. If key usage is 0, no key derivation is used.
1263 * The OUT buffer must be deallocated by the caller. The next IV is
1264 * lost, see shishi_encrypt_ivupdate_etype if you need it.
1265 *
1266 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1267 * exactly. Some encryption types add pad to make the data fit into
1268 * the block size of the encryption algorithm. Furthermore, the pad
1269 * is not guaranteed to look in any special way, although existing
1270 * implementations often pad with the zero byte. This means that you
1271 * may have to "frame" data, so it is possible to infer the original
1272 * length after decryption. Compare ASN.1 DER which contains such
1273 * information.
1274 *
1275 * Return value: Returns %SHISHI_OK iff successful.
1276 **/
1277 int
1278 shishi_encrypt_iv_etype (Shishi * handle,
1279 Shishi_key * key,
1280 int keyusage,
1281 int32_t etype,
1282 const char *iv, size_t ivlen,
1283 const char *in, size_t inlen,
1284 char **out, size_t * outlen)
1285 {
1286 return shishi_encrypt_ivupdate_etype (handle, key, keyusage, etype,
1287 iv, ivlen, NULL, NULL,
1288 in, inlen, out, outlen);
1289 }
1290
1291 /**
1292 * shishi_encrypt_etype:
1293 * @handle: shishi handle as allocated by shishi_init().
1294 * @key: key to encrypt with.
1295 * @keyusage: integer specifying what this key is encrypting.
1296 * @etype: integer specifying what cipher to use.
1297 * @in: input array with data to encrypt.
1298 * @inlen: size of input array with data to encrypt.
1299 * @out: output array with newly allocated encrypted data.
1300 * @outlen: output variable with size of newly allocated output array.
1301 *
1302 * Encrypts data as per encryption method using specified
1303 * initialization vector and key. The key actually used is derived
1304 * using the key usage. If key usage is 0, no key derivation is used.
1305 * The OUT buffer must be deallocated by the caller. The default IV
1306 * is used, see shishi_encrypt_iv_etype if you need to alter it. The
1307 * next IV is lost, see shishi_encrypt_ivupdate_etype if you need it.
1308 *
1309 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1310 * exactly. Some encryption types add pad to make the data fit into
1311 * the block size of the encryption algorithm. Furthermore, the pad
1312 * is not guaranteed to look in any special way, although existing
1313 * implementations often pad with the zero byte. This means that you
1314 * may have to "frame" data, so it is possible to infer the original
1315 * length after decryption. Compare ASN.1 DER which contains such
1316 * information.
1317 *
1318 * Return value: Returns %SHISHI_OK iff successful.
1319 **/
1320 int
1321 shishi_encrypt_etype (Shishi * handle,
1322 Shishi_key * key,
1323 int keyusage,
1324 int32_t etype,
1325 const char *in, size_t inlen,
1326 char **out, size_t * outlen)
1327 {
1328 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1329 shishi_key_type (key),
1330 NULL, 0, NULL, NULL,
1331 in, inlen, out, outlen);
1332 }
1333
1334 /**
1335 * shishi_encrypt_ivupdate:
1336 * @handle: shishi handle as allocated by shishi_init().
1337 * @key: key to encrypt with.
1338 * @keyusage: integer specifying what this key is encrypting.
1339 * @iv: input array with initialization vector
1340 * @ivlen: size of input array with initialization vector.
1341 * @ivout: output array with newly allocated updated initialization vector.
1342 * @ivoutlen: size of output array with updated initialization vector.
1343 * @in: input array with data to encrypt.
1344 * @inlen: size of input array with data to encrypt.
1345 * @out: output array with newly allocated encrypted data.
1346 * @outlen: output variable with size of newly allocated output array.
1347 *
1348 * Encrypts data using specified initialization vector and key. The
1349 * key actually used is derived using the key usage. If key usage is
1350 * 0, no key derivation is used. The OUT buffer must be deallocated
1351 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1352 * saved anywhere.
1353 *
1354 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1355 * exactly. Some encryption types add pad to make the data fit into
1356 * the block size of the encryption algorithm. Furthermore, the pad
1357 * is not guaranteed to look in any special way, although existing
1358 * implementations often pad with the zero byte. This means that you
1359 * may have to "frame" data, so it is possible to infer the original
1360 * length after decryption. Compare ASN.1 DER which contains such
1361 * information.
1362 *
1363 * Return value: Returns %SHISHI_OK iff successful.
1364 **/
1365 int
1366 shishi_encrypt_ivupdate (Shishi * handle,
1367 Shishi_key * key,
1368 int keyusage,
1369 const char *iv, size_t ivlen,
1370 char **ivout, size_t * ivoutlen,
1371 const char *in, size_t inlen,
1372 char **out, size_t * outlen)
1373 {
1374 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1375 shishi_key_type (key),
1376 iv, ivlen, ivout, ivoutlen,
1377 in, inlen, out, outlen);
1378 }
1379
1380 /**
1381 * shishi_encrypt_iv:
1382 * @handle: shishi handle as allocated by shishi_init().
1383 * @key: key to encrypt with.
1384 * @keyusage: integer specifying what this key is encrypting.
1385 * @iv: input array with initialization vector
1386 * @ivlen: size of input array with initialization vector.
1387 * @in: input array with data to encrypt.
1388 * @inlen: size of input array with data to encrypt.
1389 * @out: output array with newly allocated encrypted data.
1390 * @outlen: output variable with size of newly allocated output array.
1391 *
1392 * Encrypts data using specified initialization vector and key. The
1393 * key actually used is derived using the key usage. If key usage is
1394 * 0, no key derivation is used. The OUT buffer must be deallocated
1395 * by the caller. The next IV is lost, see shishi_encrypt_ivupdate if
1396 * you need it.
1397 *
1398 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1399 * exactly. Some encryption types add pad to make the data fit into
1400 * the block size of the encryption algorithm. Furthermore, the pad
1401 * is not guaranteed to look in any special way, although existing
1402 * implementations often pad with the zero byte. This means that you
1403 * may have to "frame" data, so it is possible to infer the original
1404 * length after decryption. Compare ASN.1 DER which contains such
1405 * information.
1406 *
1407 * Return value: Returns %SHISHI_OK iff successful.
1408 **/
1409 int
1410 shishi_encrypt_iv (Shishi * handle,
1411 Shishi_key * key,
1412 int keyusage,
1413 const char *iv, size_t ivlen,
1414 const char *in, size_t inlen, char **out, size_t * outlen)
1415 {
1416 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1417 shishi_key_type (key),
1418 iv, ivlen, NULL, NULL,
1419 in, inlen, out, outlen);
1420 }
1421
1422 /**
1423 * shishi_encrypt:
1424 * @handle: shishi handle as allocated by shishi_init().
1425 * @key: key to encrypt with.
1426 * @keyusage: integer specifying what this key is encrypting.
1427 * @in: input array with data to encrypt.
1428 * @inlen: size of input array with data to encrypt.
1429 * @out: output array with newly allocated encrypted data.
1430 * @outlen: output variable with size of newly allocated output array.
1431 *
1432 * Encrypts data using specified key. The key actually used is
1433 * derived using the key usage. If key usage is 0, no key derivation
1434 * is used. The OUT buffer must be deallocated by the caller. The
1435 * default IV is used, see shishi_encrypt_iv if you need to alter it.
1436 * The next IV is lost, see shishi_encrypt_ivupdate if you need it.
1437 *
1438 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1439 * exactly. Some encryption types add pad to make the data fit into
1440 * the block size of the encryption algorithm. Furthermore, the pad
1441 * is not guaranteed to look in any special way, although existing
1442 * implementations often pad with the zero byte. This means that you
1443 * may have to "frame" data, so it is possible to infer the original
1444 * length after decryption. Compare ASN.1 DER which contains such
1445 * information.
1446 *
1447 * Return value: Returns %SHISHI_OK iff successful.
1448 **/
1449 int
1450 shishi_encrypt (Shishi * handle,
1451 Shishi_key * key,
1452 int keyusage,
1453 char *in, size_t inlen, char **out, size_t * outlen)
1454 {
1455 return shishi_encrypt_ivupdate_etype (handle, key, keyusage,
1456 shishi_key_type (key),
1457 NULL, 0, NULL, NULL,
1458 in, inlen, out, outlen);
1459 }
1460
1461 /**
1462 * shishi_decrypt_ivupdate_etype:
1463 * @handle: shishi handle as allocated by shishi_init().
1464 * @key: key to decrypt with.
1465 * @keyusage: integer specifying what this key is decrypting.
1466 * @etype: integer specifying what cipher to use.
1467 * @iv: input array with initialization vector
1468 * @ivlen: size of input array with initialization vector.
1469 * @ivout: output array with newly allocated updated initialization vector.
1470 * @ivoutlen: size of output array with updated initialization vector.
1471 * @in: input array with data to decrypt.
1472 * @inlen: size of input array with data to decrypt.
1473 * @out: output array with newly allocated decrypted data.
1474 * @outlen: output variable with size of newly allocated output array.
1475 *
1476 * Decrypts data as per encryption method using specified
1477 * initialization vector and key. The key actually used is derived
1478 * using the key usage. If key usage is 0, no key derivation is used.
1479 * The OUT buffer must be deallocated by the caller. If IVOUT or
1480 * IVOUTLEN is NULL, the updated IV is not saved anywhere.
1481 *
1482 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1483 * exactly. Some encryption types add pad to make the data fit into
1484 * the block size of the encryption algorithm. Furthermore, the pad
1485 * is not guaranteed to look in any special way, although existing
1486 * implementations often pad with the zero byte. This means that you
1487 * may have to "frame" data, so it is possible to infer the original
1488 * length after decryption. Compare ASN.1 DER which contains such
1489 * information.
1490 *
1491 * Return value: Returns %SHISHI_OK iff successful.
1492 **/
1493 int
1494 shishi_decrypt_ivupdate_etype (Shishi * handle,
1495 Shishi_key * key,
1496 int keyusage,
1497 int32_t etype,
1498 const char *iv, size_t ivlen,
1499 char **ivout, size_t * ivoutlen,
1500 const char *in, size_t inlen,
1501 char **out, size_t * outlen)
1502 {
1503 Shishi_decrypt_function decrypt;
1504 int res;
1505
1506 if (VERBOSECRYPTO (handle))
1507 {
1508 printf ("decrypt (type=%s, usage=%d, key, in, out)\n",
1509 shishi_key_name (key), keyusage);
1510 printf ("\t ;; key (%d):\n", shishi_key_length (key));
1511 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1512 printf ("\t ;; in (%d):\n", inlen);
1513 _shishi_escapeprint (in, inlen);
1514 _shishi_hexprint (in, inlen);
1515 if (iv)
1516 {
1517 printf ("\t ;; iv (%d):\n", ivlen);
1518 _shishi_escapeprint (iv, ivlen);
1519 _shishi_hexprint (iv, ivlen);
1520 }
1521 }
1522
1523 decrypt = _shishi_cipher_decrypt (etype);
1524 if (decrypt == NULL)
1525 {
1526 shishi_error_printf (handle, "Unsupported keytype %d",
1527 shishi_key_type (key));
1528 return SHISHI_CRYPTO_ERROR;
1529 }
1530
1531 res = (*decrypt) (handle, key, keyusage,
1532 iv, ivlen, ivout, ivoutlen, in, inlen, out, outlen);
1533
1534 if (VERBOSECRYPTO (handle))
1535 {
1536 if (res == SHISHI_OK)
1537 {
1538 printf ("\t ;; decrypt out:\n");
1539 _shishi_escapeprint (*out, *outlen);
1540 _shishi_hexprint (*out, *outlen);
1541 }
1542 else
1543 {
1544 printf ("\t ;; decrypt out failed %d\n", res);
1545 }
1546 }
1547
1548 return res;
1549 }
1550
1551 /**
1552 * shishi_decrypt_iv_etype:
1553 * @handle: shishi handle as allocated by shishi_init().
1554 * @key: key to decrypt with.
1555 * @keyusage: integer specifying what this key is decrypting.
1556 * @etype: integer specifying what cipher to use.
1557 * @iv: input array with initialization vector
1558 * @ivlen: size of input array with initialization vector.
1559 * @in: input array with data to decrypt.
1560 * @inlen: size of input array with data to decrypt.
1561 * @out: output array with newly allocated decrypted data.
1562 * @outlen: output variable with size of newly allocated output array.
1563 *
1564 * Decrypts data as per encryption method using specified
1565 * initialization vector and key. The key actually used is derived
1566 * using the key usage. If key usage is 0, no key derivation is used.
1567 * The OUT buffer must be deallocated by the caller. The next IV is
1568 * lost, see shishi_decrypt_ivupdate_etype if you need it.
1569 *
1570 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1571 * exactly. Some encryption types add pad to make the data fit into
1572 * the block size of the encryption algorithm. Furthermore, the pad
1573 * is not guaranteed to look in any special way, although existing
1574 * implementations often pad with the zero byte. This means that you
1575 * may have to "frame" data, so it is possible to infer the original
1576 * length after decryption. Compare ASN.1 DER which contains such
1577 * information.
1578 *
1579 * Return value: Returns %SHISHI_OK iff successful.
1580 **/
1581 int
1582 shishi_decrypt_iv_etype (Shishi * handle,
1583 Shishi_key * key,
1584 int keyusage,
1585 int32_t etype,
1586 const char *iv, size_t ivlen,
1587 const char *in, size_t inlen,
1588 char **out, size_t * outlen)
1589 {
1590 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1591 iv, ivlen, NULL, NULL,
1592 in, inlen, out, outlen);
1593 }
1594
1595 /**
1596 * shishi_decrypt_etype:
1597 * @handle: shishi handle as allocated by shishi_init().
1598 * @key: key to decrypt with.
1599 * @keyusage: integer specifying what this key is decrypting.
1600 * @etype: integer specifying what cipher to use.
1601 * @in: input array with data to decrypt.
1602 * @inlen: size of input array with data to decrypt.
1603 * @out: output array with newly allocated decrypted data.
1604 * @outlen: output variable with size of newly allocated output array.
1605 *
1606 * Decrypts data as per encryption method using specified key. The
1607 * key actually used is derived using the key usage. If key usage is
1608 * 0, no key derivation is used. The OUT buffer must be deallocated
1609 * by the caller. The default IV is used, see shishi_decrypt_iv_etype
1610 * if you need to alter it. The next IV is lost, see
1611 * shishi_decrypt_ivupdate_etype if you need it.
1612 *
1613 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1614 * exactly. Some encryption types add pad to make the data fit into
1615 * the block size of the encryption algorithm. Furthermore, the pad
1616 * is not guaranteed to look in any special way, although existing
1617 * implementations often pad with the zero byte. This means that you
1618 * may have to "frame" data, so it is possible to infer the original
1619 * length after decryption. Compare ASN.1 DER which contains such
1620 * information.
1621 *
1622 * Return value: Returns %SHISHI_OK iff successful.
1623 **/
1624 int
1625 shishi_decrypt_etype (Shishi * handle,
1626 Shishi_key * key,
1627 int keyusage,
1628 int32_t etype,
1629 const char *in, size_t inlen,
1630 char **out, size_t * outlen)
1631 {
1632 return shishi_decrypt_ivupdate_etype (handle, key, keyusage, etype,
1633 NULL, 0, NULL, NULL,
1634 in, inlen, out, outlen);
1635 }
1636
1637 /**
1638 * shishi_decrypt_ivupdate:
1639 * @handle: shishi handle as allocated by shishi_init().
1640 * @key: key to decrypt with.
1641 * @keyusage: integer specifying what this key is decrypting.
1642 * @iv: input array with initialization vector
1643 * @ivlen: size of input array with initialization vector.
1644 * @ivout: output array with newly allocated updated initialization vector.
1645 * @ivoutlen: size of output array with updated initialization vector.
1646 * @in: input array with data to decrypt.
1647 * @inlen: size of input array with data to decrypt.
1648 * @out: output array with newly allocated decrypted data.
1649 * @outlen: output variable with size of newly allocated output array.
1650 *
1651 * Decrypts data using specified initialization vector and key. The
1652 * key actually used is derived using the key usage. If key usage is
1653 * 0, no key derivation is used. The OUT buffer must be deallocated
1654 * by the caller. If IVOUT or IVOUTLEN is NULL, the updated IV is not
1655 * saved anywhere.
1656 *
1657 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1658 * exactly. Some encryption types add pad to make the data fit into
1659 * the block size of the encryption algorithm. Furthermore, the pad
1660 * is not guaranteed to look in any special way, although existing
1661 * implementations often pad with the zero byte. This means that you
1662 * may have to "frame" data, so it is possible to infer the original
1663 * length after decryption. Compare ASN.1 DER which contains such
1664 * information.
1665 *
1666 * Return value: Returns %SHISHI_OK iff successful.
1667 **/
1668 int
1669 shishi_decrypt_ivupdate (Shishi * handle,
1670 Shishi_key * key,
1671 int keyusage,
1672 const char *iv, size_t ivlen,
1673 char **ivout, size_t * ivoutlen,
1674 const char *in, size_t inlen,
1675 char **out, size_t * outlen)
1676 {
1677 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1678 shishi_key_type (key),
1679 iv, ivlen, ivout, ivoutlen,
1680 in, inlen, out, outlen);
1681 }
1682
1683 /**
1684 * shishi_decrypt_iv:
1685 * @handle: shishi handle as allocated by shishi_init().
1686 * @key: key to decrypt with.
1687 * @keyusage: integer specifying what this key is decrypting.
1688 * @iv: input array with initialization vector
1689 * @ivlen: size of input array with initialization vector.
1690 * @in: input array with data to decrypt.
1691 * @inlen: size of input array with data to decrypt.
1692 * @out: output array with newly allocated decrypted data.
1693 * @outlen: output variable with size of newly allocated output array.
1694 *
1695 * Decrypts data using specified initialization vector and key. The
1696 * key actually used is derived using the key usage. If key usage is
1697 * 0, no key derivation is used. The OUT buffer must be deallocated
1698 * by the caller. The next IV is lost, see
1699 * shishi_decrypt_ivupdate_etype if you need it.
1700 *
1701 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1702 * exactly. Some encryption types add pad to make the data fit into
1703 * the block size of the encryption algorithm. Furthermore, the pad
1704 * is not guaranteed to look in any special way, although existing
1705 * implementations often pad with the zero byte. This means that you
1706 * may have to "frame" data, so it is possible to infer the original
1707 * length after decryption. Compare ASN.1 DER which contains such
1708 * information.
1709 *
1710 * Return value: Returns %SHISHI_OK iff successful.
1711 **/
1712 int
1713 shishi_decrypt_iv (Shishi * handle,
1714 Shishi_key * key,
1715 int keyusage,
1716 const char *iv, size_t ivlen,
1717 const char *in, size_t inlen, char **out, size_t * outlen)
1718 {
1719 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1720 shishi_key_type (key),
1721 iv, ivlen, NULL, NULL,
1722 in, inlen, out, outlen);
1723 }
1724
1725 /**
1726 * shishi_decrypt:
1727 * @handle: shishi handle as allocated by shishi_init().
1728 * @key: key to decrypt with.
1729 * @keyusage: integer specifying what this key is decrypting.
1730 * @in: input array with data to decrypt.
1731 * @inlen: size of input array with data to decrypt.
1732 * @out: output array with newly allocated decrypted data.
1733 * @outlen: output variable with size of newly allocated output array.
1734 *
1735 * Decrypts data specified key. The key actually used is derived
1736 * using the key usage. If key usage is 0, no key derivation is used.
1737 * The OUT buffer must be deallocated by the caller. The default IV
1738 * is used, see shishi_decrypt_iv if you need to alter it. The next
1739 * IV is lost, see shishi_decrypt_ivupdate if you need it.
1740 *
1741 * Note that DECRYPT(ENCRYPT(data)) does not necessarily yield data
1742 * exactly. Some encryption types add pad to make the data fit into
1743 * the block size of the encryption algorithm. Furthermore, the pad
1744 * is not guaranteed to look in any special way, although existing
1745 * implementations often pad with the zero byte. This means that you
1746 * may have to "frame" data, so it is possible to infer the original
1747 * length after decryption. Compare ASN.1 DER which contains such
1748 * information.
1749 *
1750 * Return value: Returns %SHISHI_OK iff successful.
1751 **/
1752 int
1753 shishi_decrypt (Shishi * handle,
1754 Shishi_key * key,
1755 int keyusage,
1756 const char *in, size_t inlen, char **out, size_t * outlen)
1757 {
1758 return shishi_decrypt_ivupdate_etype (handle, key, keyusage,
1759 shishi_key_type (key),
1760 NULL, 0, NULL, NULL,
1761 in, inlen, out, outlen);
1762 }
1763
1764 /**
1765 * shishi_n_fold:
1766 * @handle: shishi handle as allocated by shishi_init().
1767 * @in: input array with data to decrypt.
1768 * @inlen: size of input array with data to decrypt ("M").
1769 * @out: output array with decrypted data.
1770 * @outlen: size of output array ("N").
1771 *
1772 * Fold data into a fixed length output array, with the intent to give
1773 * each input bit approximately equal weight in determining the value
1774 * of each output bit.
1775 *
1776 * The algorithm is from "A Better Key Schedule For DES-like Ciphers"
1777 * by Uri Blumenthal and Steven M. Bellovin,
1778 * <URL:http://www.research.att.com/~smb/papers/ides.pdf>, although
1779 * the sample vectors provided by the paper are incorrect.
1780 *
1781 * Return value: Returns %SHISHI_OK iff successful.
1782 **/
1783 int
1784 shishi_n_fold (Shishi * handle,
1785 const char *in, size_t inlen, char *out, size_t outlen)
1786 {
1787 int m = inlen;
1788 int n = outlen;
1789 char *buf = NULL;
1790 char *a = NULL;
1791 int lcmmn = 0;
1792 int i = 0;
1793
1794 /*
1795 To n-fold a number X, replicate the input value to a length that is
1796 the least common multiple of n and the length of X. Before each
1797 repetition, the input is rotated to the right by 13 bit
1798 positions. The successive n-bit chunks are added together using
1799 1's-complement addition (that is, addition with end-around carry)
1800 to yield a n-bit result denoted <X>_n.
1801 */
1802
1803 a = xmemdup (in, m);
1804
1805 lcmmn = lcm (m, n);
1806
1807 if (VERBOSECRYPTONOISE (handle))
1808 {
1809 printf ("%d-fold (string)\n", n * 8);
1810 printf ("\t ;; string length %d bytes %d bits\n", m, m * 8);
1811 _shishi_escapeprint (a, m);
1812 _shishi_hexprint (a, m);
1813 printf ("\t ;; lcm(%d, %d) = lcm(%d, %d) = %d\n",
1814 8 * m, 8 * n, m, n, lcmmn);
1815 }
1816
1817 buf = (char *) xmalloc (lcmmn);
1818
1819 /* Replicate the input th the LCMMN length */
1820 for (i = 0; i < (lcmmn / m); i++)
1821 {
1822 if (VERBOSECRYPTONOISE (handle))
1823 {
1824 printf ("\t ;; %d-th replication\n", i + 1);
1825 printf ("string = rot13(string)\n");
1826 }
1827
1828 memcpy ((char *) &buf[i * m], a, m);
1829 rot13 (handle, a, a, m);
1830 }
1831
1832 memset (out, 0, n); /* just in case */
1833
1834 if (VERBOSECRYPTONOISE (handle))
1835 {
1836 printf ("\t ;; replicated string (length %d):\n", lcmmn);
1837 _shishi_hexprint (buf, lcmmn);
1838 _shishi_binprint (buf, lcmmn);
1839 printf ("sum = 0\n");
1840 }
1841
1842 /* Now we view the buf as set of n-byte strings
1843 Add the n-byte long chunks together, using
1844 one's complement addition, storing the
1845 result in the output string. */
1846
1847 for (i = 0; i < (lcmmn / n); i++)
1848 {
1849 if (VERBOSECRYPTONOISE (handle))
1850 {
1851 printf ("\t ;; %d-th one's complement addition sum\n", i + 1);
1852 printf ("\t ;; sum:\n");
1853 _shishi_hexprint (out, n);
1854 _shishi_binprint (out, n);
1855 printf ("\t ;; A (offset %d):\n", i * n);
1856 _shishi_hexprint (&buf[i * n], n);
1857 _shishi_binprint (&buf[i * n], n);
1858 printf ("sum = ocadd(sum, A);\n");
1859 }
1860
1861 ocadd (out, (char *) &buf[i * n], out, n);
1862
1863 if (VERBOSECRYPTONOISE (handle))
1864 {
1865 printf ("\t ;; sum:\n");
1866 _shishi_hexprint (out, n);
1867 _shishi_binprint (out, n);
1868 }
1869 }
1870
1871 if (VERBOSECRYPTONOISE (handle))
1872 {
1873 printf ("\t ;; nfold\n");
1874 _shishi_hexprint (out, n);
1875 _shishi_binprint (out, n);
1876 }
1877
1878 free (buf);
1879 free (a);
1880
1881 return SHISHI_OK;
1882 }
1883
1884 #define MAX_DR_PRFCONSTANT 1024
1885
1886 /**
1887 * shishi_dr:
1888 * @handle: shishi handle as allocated by shishi_init().
1889 * @key: input array with cryptographic key to use.
1890 * @prfconstant: input array with the constant string.
1891 * @prfconstantlen: size of input array with the constant string.
1892 * @derivedrandom: output array with derived random data.
1893 * @derivedrandomlen: size of output array with derived random data.
1894 *
1895 * Derive "random" data from a key and a constant thusly:
1896 * DR(KEY, PRFCONSTANT) = TRUNCATE(DERIVEDRANDOMLEN,
1897 * SHISHI_ENCRYPT(KEY, PRFCONSTANT)).
1898 *
1899 * Return value: Returns %SHISHI_OK iff successful.
1900 **/
1901 int
1902 shishi_dr (Shishi * handle,
1903 Shishi_key * key,
1904 const char *prfconstant, size_t prfconstantlen,
1905 char *derivedrandom, size_t derivedrandomlen)
1906 {
1907 char *cipher;
1908 char plaintext[MAX_DR_PRFCONSTANT];
1909 char nfoldprfconstant[MAX_DR_PRFCONSTANT];
1910 size_t blocksize = shishi_cipher_blocksize (shishi_key_type (key));
1911 size_t totlen, cipherlen;
1912 int res;
1913
1914 if (VERBOSECRYPTO (handle))
1915 {
1916 printf ("dr (%s, key, prfconstant, %d)\n",
1917 shishi_cipher_name (shishi_key_type (key)), derivedrandomlen);
1918 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
1919 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
1920 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
1921 printf ("\t ;; prfconstant %s':\n", prfconstant);
1922 _shishi_escapeprint (prfconstant, prfconstantlen);
1923 _shishi_hexprint (prfconstant, prfconstantlen);
1924 _shishi_binprint (prfconstant, prfconstantlen);
1925 }
1926
1927 if (prfconstantlen > MAX_DR_PRFCONSTANT)
1928 return SHISHI_TOO_SMALL_BUFFER;
1929
1930 if (prfconstantlen == blocksize)
1931 memcpy (nfoldprfconstant, prfconstant, prfconstantlen);
1932 else
1933 {
1934 res = shishi_n_fold (handle, prfconstant, prfconstantlen,
1935 nfoldprfconstant, blocksize);
1936 if (res != SHISHI_OK)
1937 return res;
1938 }
1939
1940 if (VERBOSECRYPTO (handle))
1941 {
1942 printf ("\t ;; possibly nfolded prfconstant (length %d):\n", blocksize);
1943 _shishi_escapeprint (nfoldprfconstant, blocksize);
1944 _shishi_hexprint (nfoldprfconstant, blocksize);
1945 _shishi_binprint (nfoldprfconstant, blocksize);
1946 }
1947
1948 memcpy (plaintext, nfoldprfconstant, blocksize);
1949
1950 totlen = 0;
1951 do
1952 {
1953 res = shishi_encrypt (handle, key, 0, plaintext, blocksize,
1954 &cipher, &cipherlen);
1955 if (res != SHISHI_OK)
1956 return res;
1957 if (cipherlen != blocksize)
1958 return SHISHI_CRYPTO_ERROR;
1959 memcpy (derivedrandom + totlen, cipher, cipherlen);
1960 memcpy (plaintext, cipher, cipherlen);
1961 free (cipher);
1962 totlen += cipherlen;
1963 }
1964 while (totlen < derivedrandomlen);
1965
1966 if (VERBOSECRYPTO (handle))
1967 {
1968 printf ("\t ;; derived random (length %d):\n", derivedrandomlen);
1969 _shishi_hexprint (derivedrandom, derivedrandomlen);
1970 _shishi_binprint (derivedrandom, derivedrandomlen);
1971 }
1972
1973 return SHISHI_OK;
1974 }
1975
1976 /**
1977 * shishi_dk:
1978 * @handle: shishi handle as allocated by shishi_init().
1979 * @key: input cryptographic key to use.
1980 * @prfconstant: input array with the constant string.
1981 * @prfconstantlen: size of input array with the constant string.
1982 * @derivedkey: pointer to derived key (allocated by caller).
1983 *
1984 * Derive a key from a key and a constant thusly:
1985 * DK(KEY, PRFCONSTANT) = SHISHI_RANDOM-TO-KEY(SHISHI_DR(KEY, PRFCONSTANT)).
1986 *
1987 * Return value: Returns %SHISHI_OK iff successful.
1988 **/
1989 int
1990 shishi_dk (Shishi * handle,
1991 Shishi_key * key,
1992 const char *prfconstant, size_t prfconstantlen,
1993 Shishi_key * derivedkey)
1994 {
1995 char rnd[MAX_RANDOM_LEN];
1996 int res;
1997
1998 if (VERBOSECRYPTO (handle))
1999 {
2000 printf ("dk (%s, key, prfconstant)\n", shishi_key_name (key));
2001 printf ("\t ;; key (length %d):\n", shishi_key_length (key));
2002 _shishi_hexprint (shishi_key_value (key), shishi_key_length (key));
2003 _shishi_binprint (shishi_key_value (key), shishi_key_length (key));
2004 printf ("\t ;; prfconstant:\n");
2005 _shishi_escapeprint (prfconstant, prfconstantlen);
2006 _shishi_hexprint (prfconstant, prfconstantlen);
2007 _shishi_binprint (prfconstant, prfconstantlen);
2008 }
2009
2010 shishi_key_type_set (derivedkey, shishi_key_type (key));
2011
2012 res = shishi_dr (handle, key, prfconstant, prfconstantlen, rnd,
2013 shishi_key_length (derivedkey));
2014 if (res != SHISHI_OK)
2015 return res;
2016
2017 res = shishi_random_to_key (handle, shishi_key_type (derivedkey),
2018 rnd, shishi_key_length (derivedkey),
2019 derivedkey);
2020 if (res != SHISHI_OK)
2021 return res;
2022
2023 return SHISHI_OK;
2024 }
Free Kerberos V5 implementation