2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * RCSID $Id: crypto.c,v 1.22 2002/01/21 03:14:15 dhr Exp $
20 #include <sys/types.h>
24 #define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
27 #include "constants.h"
33 #include "crypto.h" /* requires sha1.h and md5.h */
38 /* moduli and generator. */
49 MP_INT groupgenerator; /* MODP group generator (2) */
52 static void do_des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
53 static struct encrypt_desc crypto_encrypter_des =
55 algo_type: IKE_ALG_ENCRYPT,
56 algo_id: OAKLEY_DES_CBC,
58 enc_ctxsize: sizeof(des_key_schedule),
59 enc_blocksize: DES_CBC_BLOCK_SIZE,
60 keydeflen: DES_CBC_BLOCK_SIZE * BITS_PER_BYTE,
61 keyminlen: DES_CBC_BLOCK_SIZE * BITS_PER_BYTE,
62 keymaxlen: DES_CBC_BLOCK_SIZE * BITS_PER_BYTE,
65 static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
66 static struct encrypt_desc crypto_encrypter_3des =
68 algo_type: IKE_ALG_ENCRYPT,
69 algo_id: OAKLEY_3DES_CBC,
71 enc_ctxsize: sizeof(des_key_schedule) * 3,
72 enc_blocksize: DES_CBC_BLOCK_SIZE,
73 keydeflen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
74 keyminlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
75 keymaxlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
78 static struct hash_desc crypto_hasher_md5 =
80 algo_type: IKE_ALG_HASH,
83 hash_ctx_size: sizeof(MD5_CTX),
84 hash_digest_size: MD5_DIGEST_SIZE,
85 hash_init: (void (*)(void *)) MD5Init,
86 hash_update: (void (*)(void *, const u_int8_t *, size_t)) MD5Update,
87 hash_final: (void (*)(u_char *, void *)) MD5Final,
89 static struct hash_desc crypto_hasher_sha1 =
91 algo_type: IKE_ALG_HASH,
94 hash_ctx_size: sizeof(SHA1_CTX),
95 hash_digest_size: SHA1_DIGEST_SIZE,
96 hash_init: (void (*)(void *)) SHA1Init,
97 hash_update: (void (*)(void *, const u_int8_t *, size_t)) SHA1Update,
98 hash_final: (void (*)(u_char *, void *)) SHA1Final,
104 if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0
105 || mpz_init_set_str(&modp768_modulus, MODP768_MODULUS, 16) != 0
106 || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0
107 || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0
108 || mpz_init_set_str(&modp2048_modulus, MODP2048_MODULUS, 16) != 0
109 || mpz_init_set_str(&modp3072_modulus, MODP3072_MODULUS, 16) != 0
110 || mpz_init_set_str(&modp4096_modulus, MODP4096_MODULUS, 16) != 0)
111 exit_log("mpz_init_set_str() failed in init_crypto()");
114 extern int ike_alg_init(void);
115 ike_alg_add((struct ike_alg *) &crypto_encrypter_des);
116 ike_alg_add((struct ike_alg *) &crypto_encrypter_3des);
117 ike_alg_add((struct ike_alg *) &crypto_hasher_md5);
118 ike_alg_add((struct ike_alg *) &crypto_hasher_sha1);
124 /* Oakley group description
126 * See RFC2409 "The Internet key exchange (IKE)" 6.
129 const struct oakley_group_desc unset_group = {0, NULL, 0}; /* magic signifier */
131 const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE] = {
132 # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
133 { OAKLEY_GROUP_MODP768, &modp768_modulus, BYTES(768) },
134 { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) },
135 { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) },
136 { OAKLEY_GROUP_MODP2048, &modp2048_modulus, BYTES(2048) },
137 { OAKLEY_GROUP_MODP3072, &modp3072_modulus, BYTES(3072) },
138 { OAKLEY_GROUP_MODP4096, &modp4096_modulus, BYTES(4096) },
142 const struct oakley_group_desc *
143 lookup_group(u_int16_t group)
147 for (i = 0; i != elemsof(oakley_group); i++)
148 if (group == oakley_group[i].group)
149 return &oakley_group[i];
153 /* Encryption Routines
155 * Each uses and updates the state object's st_new_iv.
156 * This must already be initialized.
159 /* encrypt or decrypt part of an IKE message using DES
160 * See draft-ietf-ipsec-isakmp-oakley-07.txt Appendix B
162 static void do_des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
166 passert(!key_size || (key_size==DES_CBC_BLOCK_SIZE))
167 (void) des_set_key((des_cblock *)key + 0, ks);
169 des_ncbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
171 (des_cblock *)iv, enc);
174 /* encrypt or decrypt part of an IKE message using 3DES
175 * See draft-ietf-ipsec-isakmp-oakley-07.txt Appendix B
178 do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
180 des_key_schedule ks[3];
182 passert (!key_size || (key_size==(DES_CBC_BLOCK_SIZE * 3)))
183 (void) des_set_key((des_cblock *)key + 0, ks[0]);
184 (void) des_set_key((des_cblock *)key + 1, ks[1]);
185 (void) des_set_key((des_cblock *)key + 2, ks[2]);
187 des_ede3_cbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
189 (des_cblock *)iv, enc);
191 /* hash and prf routines */
192 /*==========================================================
194 * ike_alg linked list
196 *==========================================================
198 struct hash_desc *crypto_get_hasher(int alg)
200 return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0);
202 struct encrypt_desc *crypto_get_encrypter(int alg)
204 return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);
207 crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf, size_t size, struct state *st)
209 passert(st->st_new_iv_len >= e->enc_blocksize);
210 st->st_new_iv_len = e->enc_blocksize; /* truncate */
212 e->do_crypt(buf, size, st->st_enc_key.ptr, st->st_enc_key.len, st->st_new_iv, enc);
214 e->set_key(&ctx, st->st_enc_key.ptr, st->st_enc_key.len);
215 e->cbc_crypt(&ctx, buf, size, st->st_new_iv, enc);
219 * rfc2104.txt specifies how HMAC works.
223 hmac_init(struct hmac_ctx *ctx,
224 const struct hash_desc *h,
225 const u_char *key, size_t key_len)
230 ctx->hmac_digest_size = h->hash_digest_size;
232 /* Prepare the two pads for the HMAC */
234 memset(ctx->buf1, '\0', HMAC_BUFSIZE);
236 if (key_len <= HMAC_BUFSIZE)
238 memcpy(ctx->buf1, key, key_len);
242 h->hash_init(&ctx->hash_ctx);
243 h->hash_update(&ctx->hash_ctx, key, key_len);
244 h->hash_final(ctx->buf1, &ctx->hash_ctx);
247 memcpy(ctx->buf2, ctx->buf1, HMAC_BUFSIZE);
249 for (k = 0; k < HMAC_BUFSIZE; k++)
251 ctx->buf1[k] ^= HMAC_IPAD;
252 ctx->buf2[k] ^= HMAC_OPAD;
259 hmac_reinit(struct hmac_ctx *ctx)
261 ctx->h->hash_init(&ctx->hash_ctx);
262 ctx->h->hash_update(&ctx->hash_ctx, ctx->buf1, HMAC_BUFSIZE);
266 hmac_update(struct hmac_ctx *ctx,
267 const u_char *data, size_t data_len)
269 ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
273 hmac_final(u_char *output, struct hmac_ctx *ctx)
275 const struct hash_desc *h = ctx->h;
277 h->hash_final(output, &ctx->hash_ctx);
279 h->hash_init(&ctx->hash_ctx);
280 h->hash_update(&ctx->hash_ctx, ctx->buf2, HMAC_BUFSIZE);
281 h->hash_update(&ctx->hash_ctx, output, h->hash_digest_size);
282 h->hash_final(output, &ctx->hash_ctx);