1 /* 2 * Wrapper functions for libnettle and libgmp 3 * Copyright (c) 2017, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <nettle/nettle-meta.h> 11 #include <nettle/des.h> 12 #undef des_encrypt 13 #include <nettle/hmac.h> 14 #include <nettle/aes.h> 15 #undef aes_encrypt 16 #undef aes_decrypt 17 #include <nettle/arcfour.h> 18 #include <nettle/bignum.h> 19 20 #include "common.h" 21 #include "md5.h" 22 #include "sha1.h" 23 #include "sha256.h" 24 #include "sha384.h" 25 #include "sha512.h" 26 #include "crypto.h" 27 28 29 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 30 { 31 struct des_ctx ctx; 32 u8 pkey[8], next, tmp; 33 int i; 34 35 /* Add parity bits to the key */ 36 next = 0; 37 for (i = 0; i < 7; i++) { 38 tmp = key[i]; 39 pkey[i] = (tmp >> i) | next | 1; 40 next = tmp << (7 - i); 41 } 42 pkey[i] = next | 1; 43 44 nettle_des_set_key(&ctx, pkey); 45 nettle_des_encrypt(&ctx, DES_BLOCK_SIZE, cypher, clear); 46 os_memset(&ctx, 0, sizeof(ctx)); 47 return 0; 48 } 49 50 51 static int nettle_digest_vector(const struct nettle_hash *alg, size_t num_elem, 52 const u8 *addr[], const size_t *len, u8 *mac) 53 { 54 void *ctx; 55 size_t i; 56 57 if (TEST_FAIL()) 58 return -1; 59 60 ctx = os_malloc(alg->context_size); 61 if (!ctx) 62 return -1; 63 alg->init(ctx); 64 for (i = 0; i < num_elem; i++) 65 alg->update(ctx, len[i], addr[i]); 66 alg->digest(ctx, alg->digest_size, mac); 67 bin_clear_free(ctx, alg->context_size); 68 return 0; 69 } 70 71 72 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 73 { 74 return nettle_digest_vector(&nettle_md4, num_elem, addr, len, mac); 75 } 76 77 78 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 79 { 80 return nettle_digest_vector(&nettle_md5, num_elem, addr, len, mac); 81 } 82 83 84 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 85 { 86 return nettle_digest_vector(&nettle_sha1, num_elem, addr, len, mac); 87 } 88 89 90 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 91 { 92 return nettle_digest_vector(&nettle_sha256, num_elem, addr, len, mac); 93 } 94 95 96 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 97 { 98 return nettle_digest_vector(&nettle_sha384, num_elem, addr, len, mac); 99 } 100 101 102 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 103 { 104 return nettle_digest_vector(&nettle_sha512, num_elem, addr, len, mac); 105 } 106 107 108 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 109 const u8 *addr[], const size_t *len, u8 *mac) 110 { 111 struct hmac_md5_ctx ctx; 112 size_t i; 113 114 if (TEST_FAIL()) 115 return -1; 116 117 hmac_md5_set_key(&ctx, key_len, key); 118 for (i = 0; i < num_elem; i++) 119 hmac_md5_update(&ctx, len[i], addr[i]); 120 hmac_md5_digest(&ctx, MD5_DIGEST_SIZE, mac); 121 os_memset(&ctx, 0, sizeof(ctx)); 122 return 0; 123 } 124 125 126 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 127 u8 *mac) 128 { 129 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 130 } 131 132 133 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 134 const u8 *addr[], const size_t *len, u8 *mac) 135 { 136 struct hmac_sha1_ctx ctx; 137 size_t i; 138 139 if (TEST_FAIL()) 140 return -1; 141 142 hmac_sha1_set_key(&ctx, key_len, key); 143 for (i = 0; i < num_elem; i++) 144 hmac_sha1_update(&ctx, len[i], addr[i]); 145 hmac_sha1_digest(&ctx, SHA1_DIGEST_SIZE, mac); 146 os_memset(&ctx, 0, sizeof(ctx)); 147 return 0; 148 } 149 150 151 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 152 u8 *mac) 153 { 154 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 155 } 156 157 158 #ifdef CONFIG_SHA256 159 160 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 161 const u8 *addr[], const size_t *len, u8 *mac) 162 { 163 struct hmac_sha256_ctx ctx; 164 size_t i; 165 166 if (TEST_FAIL()) 167 return -1; 168 169 hmac_sha256_set_key(&ctx, key_len, key); 170 for (i = 0; i < num_elem; i++) 171 hmac_sha256_update(&ctx, len[i], addr[i]); 172 hmac_sha256_digest(&ctx, SHA256_DIGEST_SIZE, mac); 173 os_memset(&ctx, 0, sizeof(ctx)); 174 return 0; 175 } 176 177 178 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 179 size_t data_len, u8 *mac) 180 { 181 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 182 } 183 184 #endif /* CONFIG_SHA256 */ 185 186 187 #ifdef CONFIG_SHA384 188 189 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 190 const u8 *addr[], const size_t *len, u8 *mac) 191 { 192 struct hmac_sha384_ctx ctx; 193 size_t i; 194 195 if (TEST_FAIL()) 196 return -1; 197 198 hmac_sha384_set_key(&ctx, key_len, key); 199 for (i = 0; i < num_elem; i++) 200 hmac_sha384_update(&ctx, len[i], addr[i]); 201 hmac_sha384_digest(&ctx, SHA384_DIGEST_SIZE, mac); 202 os_memset(&ctx, 0, sizeof(ctx)); 203 return 0; 204 } 205 206 207 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 208 size_t data_len, u8 *mac) 209 { 210 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 211 } 212 213 #endif /* CONFIG_SHA384 */ 214 215 216 #ifdef CONFIG_SHA512 217 218 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, 219 const u8 *addr[], const size_t *len, u8 *mac) 220 { 221 struct hmac_sha512_ctx ctx; 222 size_t i; 223 224 if (TEST_FAIL()) 225 return -1; 226 227 hmac_sha512_set_key(&ctx, key_len, key); 228 for (i = 0; i < num_elem; i++) 229 hmac_sha512_update(&ctx, len[i], addr[i]); 230 hmac_sha512_digest(&ctx, SHA512_DIGEST_SIZE, mac); 231 os_memset(&ctx, 0, sizeof(ctx)); 232 return 0; 233 } 234 235 236 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, 237 size_t data_len, u8 *mac) 238 { 239 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); 240 } 241 242 #endif /* CONFIG_SHA512 */ 243 244 245 void * aes_encrypt_init(const u8 *key, size_t len) 246 { 247 struct aes_ctx *ctx; 248 249 if (TEST_FAIL()) 250 return NULL; 251 ctx = os_malloc(sizeof(*ctx)); 252 if (!ctx) 253 return NULL; 254 255 nettle_aes_set_encrypt_key(ctx, len, key); 256 257 return ctx; 258 } 259 260 261 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 262 { 263 struct aes_ctx *actx = ctx; 264 nettle_aes_encrypt(actx, AES_BLOCK_SIZE, crypt, plain); 265 return 0; 266 } 267 268 269 void aes_encrypt_deinit(void *ctx) 270 { 271 struct aes_ctx *actx = ctx; 272 bin_clear_free(actx, sizeof(*actx)); 273 } 274 275 276 void * aes_decrypt_init(const u8 *key, size_t len) 277 { 278 struct aes_ctx *ctx; 279 280 if (TEST_FAIL()) 281 return NULL; 282 ctx = os_malloc(sizeof(*ctx)); 283 if (!ctx) 284 return NULL; 285 286 nettle_aes_set_decrypt_key(ctx, len, key); 287 288 return ctx; 289 } 290 291 292 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 293 { 294 struct aes_ctx *actx = ctx; 295 nettle_aes_decrypt(actx, AES_BLOCK_SIZE, plain, crypt); 296 return 0; 297 } 298 299 300 void aes_decrypt_deinit(void *ctx) 301 { 302 struct aes_ctx *actx = ctx; 303 bin_clear_free(actx, sizeof(*actx)); 304 } 305 306 307 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, 308 u8 *pubkey) 309 { 310 size_t pubkey_len, pad; 311 312 if (os_get_random(privkey, prime_len) < 0) 313 return -1; 314 if (os_memcmp(privkey, prime, prime_len) > 0) { 315 /* Make sure private value is smaller than prime */ 316 privkey[0] = 0; 317 } 318 319 pubkey_len = prime_len; 320 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len, 321 pubkey, &pubkey_len) < 0) 322 return -1; 323 if (pubkey_len < prime_len) { 324 pad = prime_len - pubkey_len; 325 os_memmove(pubkey + pad, pubkey, pubkey_len); 326 os_memset(pubkey, 0, pad); 327 } 328 329 return 0; 330 } 331 332 333 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, 334 const u8 *order, size_t order_len, 335 const u8 *privkey, size_t privkey_len, 336 const u8 *pubkey, size_t pubkey_len, 337 u8 *secret, size_t *len) 338 { 339 mpz_t pub; 340 int res = -1; 341 342 if (pubkey_len > prime_len || 343 (pubkey_len == prime_len && 344 os_memcmp(pubkey, prime, prime_len) >= 0)) 345 return -1; 346 347 mpz_init(pub); 348 mpz_import(pub, pubkey_len, 1, 1, 1, 0, pubkey); 349 if (mpz_cmp_d(pub, 1) <= 0) 350 goto fail; 351 352 if (order) { 353 mpz_t p, q, tmp; 354 int failed; 355 356 /* verify: pubkey^q == 1 mod p */ 357 mpz_inits(p, q, tmp, NULL); 358 mpz_import(p, prime_len, 1, 1, 1, 0, prime); 359 mpz_import(q, order_len, 1, 1, 1, 0, order); 360 mpz_powm(tmp, pub, q, p); 361 failed = mpz_cmp_d(tmp, 1) != 0; 362 mpz_clears(p, q, tmp, NULL); 363 if (failed) 364 goto fail; 365 } 366 367 res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len, 368 prime, prime_len, secret, len); 369 fail: 370 mpz_clear(pub); 371 return res; 372 } 373 374 375 int crypto_mod_exp(const u8 *base, size_t base_len, 376 const u8 *power, size_t power_len, 377 const u8 *modulus, size_t modulus_len, 378 u8 *result, size_t *result_len) 379 { 380 mpz_t bn_base, bn_exp, bn_modulus, bn_result; 381 int ret = -1; 382 size_t len; 383 384 mpz_inits(bn_base, bn_exp, bn_modulus, bn_result, NULL); 385 mpz_import(bn_base, base_len, 1, 1, 1, 0, base); 386 mpz_import(bn_exp, power_len, 1, 1, 1, 0, power); 387 mpz_import(bn_modulus, modulus_len, 1, 1, 1, 0, modulus); 388 389 mpz_powm(bn_result, bn_base, bn_exp, bn_modulus); 390 len = mpz_sizeinbase(bn_result, 2); 391 len = (len + 7) / 8; 392 if (*result_len < len) 393 goto error; 394 mpz_export(result, result_len, 1, 1, 1, 0, bn_result); 395 ret = 0; 396 397 error: 398 mpz_clears(bn_base, bn_exp, bn_modulus, bn_result, NULL); 399 return ret; 400 } 401 402 403 struct crypto_cipher { 404 enum crypto_cipher_alg alg; 405 union { 406 struct arcfour_ctx arcfour_ctx; 407 } u; 408 }; 409 410 411 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 412 const u8 *iv, const u8 *key, 413 size_t key_len) 414 { 415 struct crypto_cipher *ctx; 416 417 ctx = os_zalloc(sizeof(*ctx)); 418 if (!ctx) 419 return NULL; 420 421 ctx->alg = alg; 422 423 switch (alg) { 424 case CRYPTO_CIPHER_ALG_RC4: 425 nettle_arcfour_set_key(&ctx->u.arcfour_ctx, key_len, key); 426 break; 427 default: 428 os_free(ctx); 429 return NULL; 430 } 431 432 return ctx; 433 } 434 435 436 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 437 u8 *crypt, size_t len) 438 { 439 switch (ctx->alg) { 440 case CRYPTO_CIPHER_ALG_RC4: 441 nettle_arcfour_crypt(&ctx->u.arcfour_ctx, len, crypt, plain); 442 break; 443 default: 444 return -1; 445 } 446 447 return 0; 448 } 449 450 451 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 452 u8 *plain, size_t len) 453 { 454 switch (ctx->alg) { 455 case CRYPTO_CIPHER_ALG_RC4: 456 nettle_arcfour_crypt(&ctx->u.arcfour_ctx, len, plain, crypt); 457 break; 458 default: 459 return -1; 460 } 461 462 return 0; 463 } 464 465 466 void crypto_cipher_deinit(struct crypto_cipher *ctx) 467 { 468 bin_clear_free(ctx, sizeof(*ctx)); 469 } 470
