src/crypt.c

   1 /* Copyright (C) 2009-2014, Martin Johansson <martin@fatbob.nu>
   2    Copyright (C) 2005-2014, Thorvald Natvig <thorvald@natvig.com>
   3
   4    All rights reserved.
   5
   6    Redistribution and use in source and binary forms, with or without
   7    modification, are permitted provided that the following conditions
   8    are met:
   9
  10    - Redistributions of source code must retain the above copyright notice,
  11      this list of conditions and the following disclaimer.
  12    - Redistributions in binary form must reproduce the above copyright notice,
  13      this list of conditions and the following disclaimer in the documentation
  14      and/or other materials provided with the distribution.
  15    - Neither the name of the Developers nor the names of its contributors may
  16      be used to endorse or promote products derived from this software without
  17      specific prior written permission.
  18
  19    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  20    ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  21    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  22    A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR
  23    CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  24    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  25    PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  26    PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  27    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  28    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  29    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  30 */
  31
  32 /*
  33  * This code implements OCB-AES128.
  34  * In the US, OCB is covered by patents. The inventor has given a license
  35  * to all programs distributed under the GPL.
  36  * uMurmur is BSD (revised) licensed, meaning you can use the code in a
  37  * closed-source program. If you do, you'll have to either replace
  38  * OCB with something else or get yourself a license.
  39  */
  40
  41 #include <string.h>
  42 #include <arpa/inet.h>
  43 #include "crypt.h"
  44 #include "ssl.h"
  45
  46 #ifdef USE_POLARSSL_HAVEGE
  47 extern havege_state hs;
  48 #endif
  49
  50 static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag);
  51 static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag);
  52
  53 void CryptState_init(cryptState_t *cs)
  54 {
  55         memset(cs->decrypt_history, 0, 0xff);
  56         memset(cs->raw_key, 0, AES_BLOCK_SIZE);
  57         memset(cs->encrypt_iv, 0, AES_BLOCK_SIZE);
  58         memset(cs->decrypt_iv, 0, AES_BLOCK_SIZE);
  59         cs->bInit = false;
  60         cs->uiGood = cs->uiLate = cs->uiLost = cs->uiResync = 0;
  61         cs->uiRemoteGood = cs->uiRemoteLate = cs->uiRemoteLost = cs->uiRemoteResync = 0;
  62         Timer_init(&cs->tLastGood);
  63         Timer_init(&cs->tLastRequest);
  64 }
  65
  66 bool_t CryptState_isValid(cryptState_t *cs)
  67 {
  68         return cs->bInit;
  69 }
  70
  71 void CryptState_genKey(cryptState_t *cs) {
  72         RAND_bytes(cs->raw_key, AES_BLOCK_SIZE);
  73         RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE);
  74         RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE);
  75 #ifndef USE_POLARSSL
  76         AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
  77         AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
  78 #else
  79         aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128);
  80         aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
  81 #endif
  82         cs->bInit = true;
  83 }
  84
  85 void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div)
  86 {
  87         memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE);
  88         memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE);
  89         memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE);
  90 #ifndef USE_POLARSSL
  91         AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key);
  92         AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
  93 #else
  94         aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128);
  95         aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
  96 #endif
  97         cs->bInit = true;
  98 }
  99
 100 void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv)
 101 {
 102         memcpy(cs->decrypt_iv, iv, AES_BLOCK_SIZE);
 103 }
 104
 105 void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length)
 106 {
 107         unsigned char tag[AES_BLOCK_SIZE];
 108         int i;
 109         // First, increase our IV.
 110         for (i = 0; i < AES_BLOCK_SIZE; i++)
 111                 if (++cs->encrypt_iv[i])
 112                         break;
 113
 114         CryptState_ocb_encrypt(cs, source, dst+4, plain_length, cs->encrypt_iv, tag);
 115
 116         dst[0] = cs->encrypt_iv[0];
 117         dst[1] = tag[0];
 118         dst[2] = tag[1];
 119         dst[3] = tag[2];
 120 }
 121
 122 bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length)
 123 {
 124         if (crypted_length < 4)
 125                 return false;
 126
 127         unsigned int plain_length = crypted_length - 4;
 128
 129         unsigned char saveiv[AES_BLOCK_SIZE];
 130         unsigned char ivbyte = source[0];
 131         bool_t restore = false;
 132         unsigned char tag[AES_BLOCK_SIZE];
 133
 134         int lost = 0;
 135         int late = 0;
 136
 137         memcpy(saveiv, cs->decrypt_iv, AES_BLOCK_SIZE);
 138
 139         if (((cs->decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
 140                 // In order as expected.
 141                 if (ivbyte > cs->decrypt_iv[0]) {
 142                         cs->decrypt_iv[0] = ivbyte;
 143                 } else if (ivbyte < cs->decrypt_iv[0]) {
 144                         int i;
 145                         cs->decrypt_iv[0] = ivbyte;
 146                         for (i = 1; i < AES_BLOCK_SIZE; i++)
 147                                 if (++cs->decrypt_iv[i])
 148                                         break;
 149                 } else {
 150                         return false;
 151                 }
 152         } else {
 153                 // This is either out of order or a repeat.
 154
 155                 int diff = ivbyte - cs->decrypt_iv[0];
 156                 if (diff > 128)
 157                         diff = diff-256;
 158                 else if (diff < -128)
 159                         diff = diff+256;
 160
 161                 if ((ivbyte < cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
 162                         // Late packet, but no wraparound.
 163                         late = 1;
 164                         lost = -1;
 165                         cs->decrypt_iv[0] = ivbyte;
 166                         restore = true;
 167                 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
 168                         int i;
 169                         // Last was 0x02, here comes 0xff from last round
 170                         late = 1;
 171                         lost = -1;
 172                         cs->decrypt_iv[0] = ivbyte;
 173                         for (i = 1; i < AES_BLOCK_SIZE; i++)
 174                                 if (cs->decrypt_iv[i]--)
 175                                         break;
 176                         restore = true;
 177                 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > 0)) {
 178                         // Lost a few packets, but beyond that we're good.
 179                         lost = ivbyte - cs->decrypt_iv[0] - 1;
 180                         cs->decrypt_iv[0] = ivbyte;
 181                 } else if ((ivbyte < cs->decrypt_iv[0]) && (diff > 0)) {
 182                         int i;
 183                         // Lost a few packets, and wrapped around
 184                         lost = 256 - cs->decrypt_iv[0] + ivbyte - 1;
 185                         cs->decrypt_iv[0] = ivbyte;
 186                         for (i = 1; i < AES_BLOCK_SIZE; i++)
 187                                 if (++cs->decrypt_iv[i])
 188                                         break;
 189                 } else {
 190                         return false;
 191                 }
 192
 193                 if (cs->decrypt_history[cs->decrypt_iv[0]] == cs->decrypt_iv[1]) {
 194                         memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
 195                         return false;
 196                 }
 197         }
 198
 199         CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag);
 200
 201         if (memcmp(tag, source+1, 3) != 0) {
 202                 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
 203                 return false;
 204         }
 205         cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1];
 206
 207         if (restore)
 208                 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
 209
 210         cs->uiGood++;
 211         cs->uiLate += late;
 212         cs->uiLost += lost;
 213
 214         Timer_restart(&cs->tLastGood);
 215         return true;
 216 }
 217
 218 static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
 219         int i;
 220         for (i=0;i<BLOCKSIZE;i++) {
 221                 dst[i] = a[i] ^ b[i];
 222         }
 223 }
 224
 225 static void inline S2(subblock *block) {
 226         subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
 227         int i;
 228         for (i=0;i<BLOCKSIZE-1;i++)
 229                 block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
 230         block[BLOCKSIZE-1] = SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
 231 }
 232
 233 static void inline S3(subblock *block) {
 234         subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
 235         int i;
 236         for (i=0;i<BLOCKSIZE-1;i++)
 237                 block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
 238         block[BLOCKSIZE-1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
 239 }
 240
 241 static void inline ZERO(subblock *block) {
 242         int i;
 243         for (i=0;i<BLOCKSIZE;i++)
 244                 block[i]=0;
 245 }
 246
 247 #ifdef USE_POLARSSL
 248 #define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst));
 249 #define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst));
 250 #else
 251 #define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key);
 252 #define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key);
 253 #endif
 254
 255 void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
 256         subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
 257
 258         // Initialize
 259         AESencrypt(nonce, delta, cs);
 260         ZERO(checksum);
 261
 262         while (len > AES_BLOCK_SIZE) {
 263                 S2(delta);
 264                 XOR(tmp, delta, (const subblock *)(plain));
 265                 AESencrypt(tmp, tmp, cs);
 266                 XOR((subblock *)(encrypted), delta, tmp);
 267                 XOR(checksum, checksum, (subblock *)(plain));
 268                 len -= AES_BLOCK_SIZE;
 269                 plain += AES_BLOCK_SIZE;
 270                 encrypted += AES_BLOCK_SIZE;
 271         }
 272
 273         S2(delta);
 274         ZERO(tmp);
 275         tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
 276         XOR(tmp, tmp, delta);
 277         AESencrypt(tmp, pad, cs);
 278         memcpy(tmp, plain, len);
 279         memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len);
 280         XOR(checksum, checksum, tmp);
 281         XOR(tmp, pad, tmp);
 282         memcpy(encrypted, tmp, len);
 283
 284         S3(delta);
 285         XOR(tmp, delta, checksum);
 286         AESencrypt(tmp, tag, cs);
 287 }
 288
 289 void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
 290         subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
 291         // Initialize
 292         AESencrypt(nonce, delta, cs);
 293         ZERO(checksum);
 294
 295         while (len > AES_BLOCK_SIZE) {
 296                 S2(delta);
 297                 XOR(tmp, delta, (const subblock *)(encrypted));
 298                 AESdecrypt(tmp, tmp, cs);
 299                 XOR((subblock *)(plain), delta, tmp);
 300                 XOR(checksum, checksum, (const subblock *)(plain));
 301                 len -= AES_BLOCK_SIZE;
 302                 plain += AES_BLOCK_SIZE;
 303                 encrypted += AES_BLOCK_SIZE;
 304         }
 305
 306         S2(delta);
 307         ZERO(tmp);
 308         tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
 309         XOR(tmp, tmp, delta);
 310         AESencrypt(tmp, pad, cs);
 311         memset(tmp, 0, AES_BLOCK_SIZE);
 312         memcpy(tmp, encrypted, len);
 313         XOR(tmp, tmp, pad);
 314         XOR(checksum, checksum, tmp);
 315         memcpy(plain, tmp, len);
 316
 317         S3(delta);
 318         XOR(tmp, delta, checksum);
 319         AESencrypt(tmp, tag, cs);
 320 }