2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * RCSID $Id: crypto.c,v 1.5 2005/12/06 22:51:34 as Exp $
20 #include <sys/types.h>
23 #define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
24 #include <crypto/des.h>
28 #include "constants.h"
34 #include "crypto.h" /* requires sha1.h and md5.h */
39 /* moduli and generator. */
50 MP_INT groupgenerator
; /* MODP group generator (2) */
52 static void do_3des(u_int8_t
*buf
, size_t buf_len
, u_int8_t
*key
, size_t key_size
, u_int8_t
*iv
, bool enc
);
54 static struct encrypt_desc crypto_encryptor_3des
=
56 algo_type
: IKE_ALG_ENCRYPT
,
57 algo_id
: OAKLEY_3DES_CBC
,
59 enc_ctxsize
: sizeof(des_key_schedule
) * 3,
60 enc_blocksize
: DES_CBC_BLOCK_SIZE
,
61 keydeflen
: DES_CBC_BLOCK_SIZE
* 3 * BITS_PER_BYTE
,
62 keyminlen
: DES_CBC_BLOCK_SIZE
* 3 * BITS_PER_BYTE
,
63 keymaxlen
: DES_CBC_BLOCK_SIZE
* 3 * BITS_PER_BYTE
,
67 static struct hash_desc crypto_hasher_md5
=
69 algo_type
: IKE_ALG_HASH
,
72 hash_ctx_size
: sizeof(MD5_CTX
),
73 hash_digest_size
: MD5_DIGEST_SIZE
,
74 hash_init
: (void (*)(void *)) MD5Init
,
75 hash_update
: (void (*)(void *, const u_int8_t
*, size_t)) MD5Update
,
76 hash_final
: (void (*)(u_char
*, void *)) MD5Final
,
79 static struct hash_desc crypto_hasher_sha1
=
81 algo_type
: IKE_ALG_HASH
,
84 hash_ctx_size
: sizeof(SHA1_CTX
),
85 hash_digest_size
: SHA1_DIGEST_SIZE
,
86 hash_init
: (void (*)(void *)) SHA1Init
,
87 hash_update
: (void (*)(void *, const u_int8_t
*, size_t)) SHA1Update
,
88 hash_final
: (void (*)(u_char
*, void *)) SHA1Final
,
94 if (mpz_init_set_str(&groupgenerator
, MODP_GENERATOR
, 10) != 0
95 || mpz_init_set_str(&modp1024_modulus
, MODP1024_MODULUS
, 16) != 0
96 || mpz_init_set_str(&modp1536_modulus
, MODP1536_MODULUS
, 16) != 0
97 || mpz_init_set_str(&modp2048_modulus
, MODP2048_MODULUS
, 16) != 0
98 || mpz_init_set_str(&modp3072_modulus
, MODP3072_MODULUS
, 16) != 0
99 || mpz_init_set_str(&modp4096_modulus
, MODP4096_MODULUS
, 16) != 0
100 || mpz_init_set_str(&modp6144_modulus
, MODP6144_MODULUS
, 16) != 0
101 || mpz_init_set_str(&modp8192_modulus
, MODP8192_MODULUS
, 16) != 0)
102 exit_log("mpz_init_set_str() failed in init_crypto()");
104 ike_alg_add((struct ike_alg
*) &crypto_encryptor_3des
);
105 ike_alg_add((struct ike_alg
*) &crypto_hasher_sha1
);
106 ike_alg_add((struct ike_alg
*) &crypto_hasher_md5
);
110 /* Oakley group description
112 * See RFC2409 "The Internet key exchange (IKE)" 6.
115 const struct oakley_group_desc unset_group
= {0, NULL
, 0}; /* magic signifier */
117 const struct oakley_group_desc oakley_group
[OAKLEY_GROUP_SIZE
] = {
118 # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
119 { OAKLEY_GROUP_MODP1024
, &modp1024_modulus
, BYTES(1024) },
120 { OAKLEY_GROUP_MODP1536
, &modp1536_modulus
, BYTES(1536) },
121 { OAKLEY_GROUP_MODP2048
, &modp2048_modulus
, BYTES(2048) },
122 { OAKLEY_GROUP_MODP3072
, &modp3072_modulus
, BYTES(3072) },
123 { OAKLEY_GROUP_MODP4096
, &modp4096_modulus
, BYTES(4096) },
124 { OAKLEY_GROUP_MODP6144
, &modp6144_modulus
, BYTES(6144) },
125 { OAKLEY_GROUP_MODP8192
, &modp8192_modulus
, BYTES(8192) },
129 const struct oakley_group_desc
*
130 lookup_group(u_int16_t group
)
134 for (i
= 0; i
!= elemsof(oakley_group
); i
++)
135 if (group
== oakley_group
[i
].group
)
136 return &oakley_group
[i
];
140 /* Encryption Routines
142 * Each uses and updates the state object's st_new_iv.
143 * This must already be initialized.
146 /* encrypt or decrypt part of an IKE message using DES
147 * See RFC 2409 "IKE" Appendix B
149 static void __attribute__ ((unused
))
150 do_des(bool enc
, void *buf
, size_t buf_len
, struct state
*st
)
154 (void) des_set_key((des_cblock
*)st
->st_enc_key
.ptr
, ks
);
156 passert(st
->st_new_iv_len
>= DES_CBC_BLOCK_SIZE
);
157 st
->st_new_iv_len
= DES_CBC_BLOCK_SIZE
; /* truncate */
159 des_ncbc_encrypt((des_cblock
*)buf
, (des_cblock
*)buf
, buf_len
,
161 (des_cblock
*)st
->st_new_iv
, enc
);
164 /* encrypt or decrypt part of an IKE message using 3DES
165 * See RFC 2409 "IKE" Appendix B
168 do_3des(u_int8_t
*buf
, size_t buf_len
, u_int8_t
*key
, size_t key_size
, u_int8_t
*iv
, bool enc
)
170 des_key_schedule ks
[3];
172 passert (!key_size
|| (key_size
==(DES_CBC_BLOCK_SIZE
* 3)))
173 (void) des_set_key((des_cblock
*)key
+ 0, ks
[0]);
174 (void) des_set_key((des_cblock
*)key
+ 1, ks
[1]);
175 (void) des_set_key((des_cblock
*)key
+ 2, ks
[2]);
177 des_ede3_cbc_encrypt((des_cblock
*)buf
, (des_cblock
*)buf
, buf_len
,
179 (des_cblock
*)iv
, enc
);
182 /* hash and prf routines */
184 crypto_cbc_encrypt(const struct encrypt_desc
*e
, bool enc
, u_int8_t
*buf
, size_t size
, struct state
*st
)
186 passert(st
->st_new_iv_len
>= e
->enc_blocksize
);
187 st
->st_new_iv_len
= e
->enc_blocksize
; /* truncate */
189 e
->do_crypt(buf
, size
, st
->st_enc_key
.ptr
, st
->st_enc_key
.len
, st
->st_new_iv
, enc
);
191 e->set_key(&ctx, st->st_enc_key.ptr, st->st_enc_key.len);
192 e->cbc_crypt(&ctx, buf, size, st->st_new_iv, enc);
197 * rfc2104.txt specifies how HMAC works.
201 hmac_init(struct hmac_ctx
*ctx
,
202 const struct hash_desc
*h
,
203 const u_char
*key
, size_t key_len
)
208 ctx
->hmac_digest_size
= h
->hash_digest_size
;
210 /* Prepare the two pads for the HMAC */
212 memset(ctx
->buf1
, '\0', HMAC_BUFSIZE
);
214 if (key_len
<= HMAC_BUFSIZE
)
216 memcpy(ctx
->buf1
, key
, key_len
);
220 h
->hash_init(&ctx
->hash_ctx
);
221 h
->hash_update(&ctx
->hash_ctx
, key
, key_len
);
222 h
->hash_final(ctx
->buf1
, &ctx
->hash_ctx
);
225 memcpy(ctx
->buf2
, ctx
->buf1
, HMAC_BUFSIZE
);
227 for (k
= 0; k
< HMAC_BUFSIZE
; k
++)
229 ctx
->buf1
[k
] ^= HMAC_IPAD
;
230 ctx
->buf2
[k
] ^= HMAC_OPAD
;
237 hmac_reinit(struct hmac_ctx
*ctx
)
239 ctx
->h
->hash_init(&ctx
->hash_ctx
);
240 ctx
->h
->hash_update(&ctx
->hash_ctx
, ctx
->buf1
, HMAC_BUFSIZE
);
244 hmac_update(struct hmac_ctx
*ctx
,
245 const u_char
*data
, size_t data_len
)
247 ctx
->h
->hash_update(&ctx
->hash_ctx
, data
, data_len
);
251 hmac_final(u_char
*output
, struct hmac_ctx
*ctx
)
253 const struct hash_desc
*h
= ctx
->h
;
255 h
->hash_final(output
, &ctx
->hash_ctx
);
257 h
->hash_init(&ctx
->hash_ctx
);
258 h
->hash_update(&ctx
->hash_ctx
, ctx
->buf2
, HMAC_BUFSIZE
);
259 h
->hash_update(&ctx
->hash_ctx
, output
, h
->hash_digest_size
);
260 h
->hash_final(output
, &ctx
->hash_ctx
);