Ejemplo n.º 1
/*
 * Self-test shim with the signature of the accel_xts_decrypt hook: it runs the
 * generic xts_decrypt() path while the AES descriptor's accelerator hook is
 * cleared, then puts the hook back.
 *
 * ct/pt   ciphertext in, plaintext out
 * blocks  number of 16-byte blocks (converted to a byte count below)
 * tweak   XTS tweak, passed through to xts_decrypt()
 * skey1/skey2  already scheduled keys, copied into a local symmetric_xts
 *
 * Returns CRYPT_NOP when neither "aes" nor "rijndael" is registered, otherwise
 * whatever xts_decrypt() returns.
 *
 * NOTE(review): the global cipher_descriptor table is modified here without any
 * visible locking, so this is presumably meant for single-threaded test runs only.
 */
static int _xts_test_accel_xts_decrypt(const unsigned char *ct, unsigned char *pt, unsigned long blocks,
                                       unsigned char *tweak, symmetric_key *skey1, symmetric_key *skey2)
{
   int (*saved_hook)(const unsigned char *, unsigned char *,
                     unsigned long, unsigned char *, symmetric_key *,
                     symmetric_key *);
   symmetric_xts xts;
   int status;

   /* AES may be registered under either name; accept whichever is present. */
   xts.cipher = find_cipher("aes");
   if (xts.cipher == -1) {
      xts.cipher = find_cipher("rijndael");
   }
   if (xts.cipher == -1) {
      return CRYPT_NOP;
   }

   /* With the hook cleared, xts_decrypt() cannot dispatch to an accelerator. */
   saved_hook = cipher_descriptor[xts.cipher].accel_xts_decrypt;
   cipher_descriptor[xts.cipher].accel_xts_decrypt = NULL;

   XMEMCPY(&xts.key1, skey1, sizeof(symmetric_key));
   XMEMCPY(&xts.key2, skey2, sizeof(symmetric_key));

   /* blocks << 4 turns the block count into a length in bytes. */
   status = xts_decrypt(ct, blocks << 4, pt, tweak, &xts);

   cipher_descriptor[xts.cipher].accel_xts_decrypt = saved_hook;
   return status;
}
Ejemplo n.º 2
/*
 * Known-answer self-test for CTR mode over AES.
 *
 * Each vector is encrypted with ctr_start()/ctr_encrypt() using the
 * CTR_COUNTER_BIG_ENDIAN|LTC_CTR_RFC3686 flags and compared to the expected
 * ciphertext (the vectors presumably come from RFC 3686 - confirm).
 *
 * Returns CRYPT_NOP when tests are compiled out or AES is not registered,
 * CRYPT_FAIL_TESTVECTOR on a mismatch, the library error on an API failure,
 * and CRYPT_OK otherwise.
 */
int ctr_test(void)
{
#ifdef LTC_NO_TEST
    return CRYPT_NOP;
#else
    static const struct {
        int keylen, msglen;
        unsigned char key[32], IV[16], pt[64], ct[64];
    } tests[] = {
        /* 128-bit key, 16-byte pt */
        {
            16, 16,
            {0xAE,0x68,0x52,0xF8,0x12,0x10,0x67,0xCC,0x4B,0xF7,0xA5,0x76,0x55,0x77,0xF3,0x9E },
            {0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
            {0x53,0x69,0x6E,0x67,0x6C,0x65,0x20,0x62,0x6C,0x6F,0x63,0x6B,0x20,0x6D,0x73,0x67 },
            {0xE4,0x09,0x5D,0x4F,0xB7,0xA7,0xB3,0x79,0x2D,0x61,0x75,0xA3,0x26,0x13,0x11,0xB8 },
        },

        /* 128-bit key, 36-byte pt */
        {
            16, 36,
            {0x76,0x91,0xBE,0x03,0x5E,0x50,0x20,0xA8,0xAC,0x6E,0x61,0x85,0x29,0xF9,0xA0,0xDC },
            {0x00,0xE0,0x01,0x7B,0x27,0x77,0x7F,0x3F,0x4A,0x17,0x86,0xF0,0x00,0x00,0x00,0x00 },
            {   0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
                0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
                0x20,0x21,0x22,0x23
            },
            {   0xC1,0xCF,0x48,0xA8,0x9F,0x2F,0xFD,0xD9,0xCF,0x46,0x52,0xE9,0xEF,0xDB,0x72,0xD7,
                0x45,0x40,0xA4,0x2B,0xDE,0x6D,0x78,0x36,0xD5,0x9A,0x5C,0xEA,0xAE,0xF3,0x10,0x53,
                0x25,0xB2,0x07,0x2F
            },
        },
    };
    const int     ntests = (int)(sizeof(tests)/sizeof(tests[0]));
    symmetric_CTR ctr;
    unsigned char buf[64];
    int           cipher, rc, i;

    /* AES may be registered as "aes" or as "rijndael". */
    cipher = find_cipher("aes");
    if (cipher == -1) {
        cipher = find_cipher("rijndael");
    }
    if (cipher == -1) {
        return CRYPT_NOP;
    }

    for (i = 0; i < ntests; i++) {
        rc = ctr_start(cipher, tests[i].IV, tests[i].key, tests[i].keylen, 0,
                       CTR_COUNTER_BIG_ENDIAN|LTC_CTR_RFC3686, &ctr);
        if (rc != CRYPT_OK) {
            return rc;
        }

        rc = ctr_encrypt(tests[i].pt, buf, tests[i].msglen, &ctr);
        if (rc != CRYPT_OK) {
            return rc;
        }
        ctr_done(&ctr);

        /* Only the first msglen bytes of buf carry output for this vector. */
        if (XMEMCMP(buf, tests[i].ct, tests[i].msglen) != 0) {
            return CRYPT_FAIL_TESTVECTOR;
        }
    }
    return CRYPT_OK;
#endif
}
Ejemplo n.º 3
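/*
 * Encrypt bytesIn bytes from `in` to `out` in ECB mode with the selected cipher.
 *
 * algorithm  selects the cipher and its key length (AES-128/192/256, Twofish-256)
 * key        raw key; keylen bytes are read from it
 * in / out   input and output buffers of bytesIn bytes
 *
 * Returns kC4Err_NoErr on success, kC4Err_BadCipherNumber for an unknown
 * algorithm, or the library status mapped through sCrypt2C4Err().
 *
 * ECB encrypts every block independently, so equal plaintext blocks give equal
 * ciphertext blocks; it suits single-block uses, not general message encryption.
 *
 * The ECB context is torn down only after ecb_start() succeeded. Previously the
 * cleanup at `done` called ecb_done() on an uninitialised context whenever the
 * algorithm was unknown or ecb_start() failed.
 */
C4Err ECB_Encrypt(Cipher_Algorithm algorithm,
                  const void *	key,
                  const void *	in,
                  size_t         bytesIn,
                  void *         out )
{
    int             err = kC4Err_NoErr;
    int             status  =  CRYPT_OK;
    symmetric_ECB   ECB;
    int             started = 0;   /* set once ECB holds a valid key schedule */

    int             keylen  = 0;
    int             cipher  = -1;

    switch(algorithm)
    {
        case kCipher_Algorithm_AES128:
            keylen = 128 >> 3;
            cipher = find_cipher("aes");
            break;

        case kCipher_Algorithm_AES192:
            keylen = 192 >> 3;
            cipher = find_cipher("aes");
            break;

        case kCipher_Algorithm_AES256:
            keylen = 256 >> 3;
            cipher = find_cipher("aes");
            break;

        case kCipher_Algorithm_2FISH256:
            keylen = 256 >> 3;
            cipher = find_cipher("twofish");
            break;

        default:
            RETERR(kC4Err_BadCipherNumber);
    }

    /* An unregistered cipher (-1) is passed on and left for ecb_start() to reject. */
    status  = ecb_start(cipher, key, keylen, 0, &ECB ); CKSTAT;
    started = 1;

    status  = ecb_encrypt(in, out, bytesIn, &ECB); CKSTAT;

done:

    if(started)
    {
        ecb_done(&ECB);
        /* Do not leave the expanded key on the stack. */
        zeromem(&ECB, sizeof(ECB));
    }

    if(status != CRYPT_OK)
        err = sCrypt2C4Err(status);

    return err;

}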
Ejemplo n.º 4
/*
 * Known-answer self-test for F8 mode over AES: one 39-byte vector is encrypted
 * and compared to the expected ciphertext.
 *
 * Returns CRYPT_NOP when LTC_TEST is not defined or AES is not registered,
 * CRYPT_FAIL_TESTVECTOR on a mismatch, the library error on an API failure,
 * and CRYPT_OK otherwise.
 */
int f8_test_mode(void)
{
#ifndef LTC_TEST
   return CRYPT_NOP;
#else
   static const unsigned char key[16] = { 0x23, 0x48, 0x29, 0x00, 0x84, 0x67, 0xbe, 0x18,
                                          0x6c, 0x3d, 0xe1, 0x4a, 0xae, 0x72, 0xd6, 0x2c };
   static const unsigned char salt[4] = { 0x32, 0xf2, 0x87, 0x0d };
   static const unsigned char IV[16]  = { 0x00, 0x6e, 0x5c, 0xba, 0x50, 0x68, 0x1d, 0xe5,
                                          0x5c, 0x62, 0x15, 0x99, 0xd4, 0x62, 0x56, 0x4a };
   /* ASCII: "pseudorandomness is the next best thing" */
   static const unsigned char pt[39]  = { 0x70, 0x73, 0x65, 0x75, 0x64, 0x6f, 0x72, 0x61,
                                          0x6e, 0x64, 0x6f, 0x6d, 0x6e, 0x65, 0x73, 0x73,
                                          0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20,
                                          0x6e, 0x65, 0x78, 0x74, 0x20, 0x62, 0x65, 0x73,
                                          0x74, 0x20, 0x74, 0x68, 0x69, 0x6e, 0x67       };
   static const unsigned char ct[39]  = { 0x01, 0x9c, 0xe7, 0xa2, 0x6e, 0x78, 0x54, 0x01,
                                          0x4a, 0x63, 0x66, 0xaa, 0x95, 0xd4, 0xee, 0xfd,
                                          0x1a, 0xd4, 0x17, 0x2a, 0x14, 0xf9, 0xfa, 0xf4,
                                          0x55, 0xb7, 0xf1, 0xd4, 0xb6, 0x2b, 0xd0, 0x8f,
                                          0x56, 0x2c, 0x0e, 0xef, 0x7c, 0x48, 0x02       };
   symmetric_F8  f8;
   unsigned char buf[39];
   int           cipher, rc;

   /* AES may be registered as "aes" or as "rijndael". */
   if ((cipher = find_cipher("aes")) == -1) {
      if ((cipher = find_cipher("rijndael")) == -1) {
         return CRYPT_NOP;
      }
   }

   /* Key the F8 context. */
   rc = f8_start(cipher, IV, key, sizeof(key), salt, sizeof(salt), 0, &f8);
   if (rc != CRYPT_OK) {
      return rc;
   }

   /* The context is finished with after this one call, whether it worked or not. */
   rc = f8_encrypt(pt, buf, sizeof(pt), &f8);
   f8_done(&f8);
   if (rc != CRYPT_OK) {
      return rc;
   }

   return (XMEMCMP(buf, ct, sizeof(ct)) != 0) ? CRYPT_FAIL_TESTVECTOR : CRYPT_OK;
#endif
}
Ejemplo n.º 5
/**
   Set up a Pelican MAC state for a new message
   @param pelmac    The Pelican state to initialize
   @param cipher    Cipher index supplied by the caller; it must equal the index
                    that find_cipher("aes") returns
   @param key       The secret key
   @param keylen    The length of the secret key (octets)
   @return CRYPT_OK if successful, CRYPT_INVALID_CIPHER if AES is not registered
           or cipher is not AES, otherwise the error from aes_setup()
*/
int pelican_init(pelican_state *pelmac, int cipher, const unsigned char *key, unsigned long keylen)
{
    int aes_idx;
    int rc;

    LTC_ARGCHK(pelmac != NULL);
    LTC_ARGCHK(key    != NULL);

    /* Pelican is defined over AES only: refuse any other cipher index. */
    aes_idx = find_cipher("aes");
    if (aes_idx < 0 || cipher != aes_idx) {
        return CRYPT_INVALID_CIPHER;
    }

#ifdef LTC_FAST
    /* The 16-byte state must split evenly into LTC_FAST_TYPE words. */
    if (16 % sizeof(LTC_FAST_TYPE)) {
        return CRYPT_INVALID_ARG;
    }
#endif

    rc = aes_setup(key, keylen, 0, &pelmac->K);
    if (rc != CRYPT_OK) {
        return rc;
    }

    /* The initial state is the encryption of the all-zero block under K. */
    zeromem(pelmac->state, 16);
    aes_ecb_encrypt(pelmac->state, pelmac->state, &pelmac->K);
    pelmac->buflen = 0;

    return CRYPT_OK;
}
Ejemplo n.º 6
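/*
 * Cross-check harness: prints the output of the local aes256ctr() and then the
 * output of libtomcrypt's AES-256 CTR for the same all-zero key, all-zero input
 * and initial counter 00..01, one hex line each, for comparison by eye.
 *
 * Every libtomcrypt call is now checked. Before, a failed register/start/encrypt
 * still printed the zeroed buffer as if it were a reference result.
 */
int main(int argc, char *argv[]){
  unsigned char key[32] = {0};
  unsigned char initcount[16] = {0};
  unsigned char input[32] = {0};
  unsigned char output[32] = {0}; //counter mode: assume xor works
  symmetric_CTR ctr;
  int cipher;
  int err;

  (void)argc;
  (void)argv;

  initcount[15]=1; //For test usage

  /* Implementation under test. */
  aes256ctr(output, input, 32, key, initcount);
  for(int i=0; i<32; i++) printf("%02x ", output[i]);
  printf("\n");

  /* Reference implementation. */
  bzero(output, 32);
  if (register_cipher(&aes_desc) == -1) {
    fprintf(stderr, "register_cipher(aes) failed\n");
    exit(EXIT_FAILURE);
  }
  cipher = find_cipher("aes");
  if (cipher == -1) {
    fprintf(stderr, "find_cipher(aes) failed\n");
    exit(EXIT_FAILURE);
  }
  err = ctr_start(cipher, initcount, key, 32, 0, CTR_COUNTER_BIG_ENDIAN, &ctr);
  if (err != CRYPT_OK) {
    fprintf(stderr, "ctr_start: %s\n", error_to_string(err));
    exit(EXIT_FAILURE);
  }
  err = ctr_encrypt(input, output, 32, &ctr);
  ctr_done(&ctr);
  if (err != CRYPT_OK) {
    fprintf(stderr, "ctr_encrypt: %s\n", error_to_string(err));
    exit(EXIT_FAILURE);
  }
  for(int i=0; i<32; i++) printf("%02x ", output[i]);
  printf("\n");
  exit(0);
}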
Ejemplo n.º 7
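/*
 * Register the configured cipher and key the global mode context (sECB, sCBC or
 * sCTR, selected at build time) from ENCRYPTION_KEY and, for CBC/CTR, ENCRYPTION_IV.
 *
 * Registration, lookup and mode start are now checked: a failure is traced and
 * the function returns without printing "Initialization done". The raw key copy
 * on the stack is wiped once the mode context has been keyed.
 *
 * NOTE(review): ENCRYPTION_KEY and ENCRYPTION_IV are build-time macros, so the
 * key material is presumably embedded in the image and the same key/IV pair is
 * used on every run - confirm this matches the threat model.
 */
void ltc_init(void) 
{
    int cipherID;
    int status = CRYPT_OK;
    unsigned char key[ENCRYPTION_KEY_LENGTH];

#if defined(ENCRYPTION_CTR) || defined(ENCRYPTION_CBC)
    unsigned char IV[ENCRYPTION_BLOCK_LENGTH];
#endif

    TRACE_DEBUG("LTC: Initializing ...\n\r");

    // Register cipher
    if (register_cipher(&CIPHER_DESC) == -1) {
        TRACE_DEBUG("LTC: Could not register cipher.\n\r");
        return;
    }
    cipherID = find_cipher(CIPHER_NAME);
    if (cipherID == -1) {
        TRACE_DEBUG("LTC: Could not find cipher.\n\r");
        return;
    }

    // Load key
    ASCII2Hex(ENCRYPTION_KEY, key, ENCRYPTION_KEY_LENGTH);

#if defined(ENCRYPTION_CTR) || defined(ENCRYPTION_CBC)
    // Load IV
    ASCII2Hex(ENCRYPTION_IV, IV, ENCRYPTION_BLOCK_LENGTH);
#endif

    // Start decryption mode
#if defined(ENCRYPTION_ECB)
    status = ecb_start(cipherID, key, ENCRYPTION_KEY_LENGTH, 0, &sECB);
#elif defined(ENCRYPTION_CBC)
    status = cbc_start(cipherID, IV, key, ENCRYPTION_KEY_LENGTH, 0, &sCBC);
#elif defined(ENCRYPTION_CTR)
    status = ctr_start(cipherID, IV, key, ENCRYPTION_KEY_LENGTH, 0, CTR_COUNTER_BIG_ENDIAN, &sCTR);
#endif

    // The mode context holds its own key schedule; drop the raw key copy.
    zeromem(key, sizeof(key));

    if (status != CRYPT_OK) {
        TRACE_DEBUG("LTC: Initialization failed.\n\r");
        return;
    }

    TRACE_DEBUG("LTC: Initialization done.\n\r");
}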
Ejemplo n.º 8
// =========================================================================
// Register the CAST5 descriptor with libtomcrypt and hand back its index.
//
// On success *cipher holds the index returned by find_cipher("cast5") and the
// result is STATUS_SUCCESS. If registration or lookup fails, *cipher is -1 and
// the result is STATUS_CRYPTO_SYSTEM_INVALID.
//
// NOTE(review): CAST5 has a 64-bit block; callers encrypting large volumes
// under one key should confirm that limit is acceptable.
NTSTATUS
InitLTCCypher(
    OUT  int *cipher
)
{
    NTSTATUS result = STATUS_CRYPTO_SYSTEM_INVALID;

    DEBUGOUTCYPHERIMPL(DEBUGLEV_ENTER, (TEXT("InitLTCCypher\n")));

    // Register first, then look the cipher up by name.
    *cipher = register_cipher(&cast5_desc);
    if (*cipher != -1)
        {
        *cipher = find_cipher("cast5");
        if (*cipher != -1)
            {
            result = STATUS_SUCCESS;
            }
        else
            {
            DEBUGOUTCYPHERIMPL(DEBUGLEV_ERROR, (TEXT("Could not find cipher\n")));
            }
        }
    else
        {
        DEBUGOUTCYPHERIMPL(DEBUGLEV_ERROR, (TEXT("Could not register cipher\n")));
        }

    DEBUGOUTCYPHERIMPL(DEBUGLEV_EXIT, (TEXT("InitLTCCypher\n")));

    return result;
}
Ejemplo n.º 9
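/*
 * AES-CCM decrypt `in` into a freshly allocated buffer and verify the tag.
 *
 * key/keyLen      key blob: the first half is the AES key, the second half the nonce
 * seq/seqLen      authenticated header (associated data)
 * in/inLen        ciphertext
 * tag/tagSize     tag from the sender; only tagSize bytes are compared
 * outData/outSize on success, the plaintext buffer (owned by the caller, release
 *                 with XFREE) and its length with the trailing pad bytes removed
 *
 * Returns kSCLError_NoErr on success, kSCLError_CorruptData when the tag or the
 * padding is invalid, otherwise the library status mapped by sCrypt2SCLError().
 *
 * Fixes relative to the earlier version:
 *  - memset() had its value and length swapped, so the plaintext was never wiped
 *    before XFREE on failure; it is now cleared with zeromem().
 *  - the XMALLOC result is checked.
 *  - tagSize is bounded by the computed tag length (no read past T) and must be
 *    non-zero (a zero-length compare accepted any ciphertext).
 *  - the tag is compared without an early exit, so timing does not reveal how
 *    many leading bytes matched.
 *  - an empty input and a pad count larger than the buffer are rejected instead
 *    of reading before the buffer or wrapping *outSize.
 *
 * NOTE(review): the nonce is taken from the key blob, so it is fixed for a given
 * blob. That is safe only if each blob protects a single message - confirm.
 */
SCLError CCM_Decrypt(uint8_t *key,  size_t keyLen, 
                     uint8_t *seq,  size_t seqLen, 
                     uint8_t *in,   size_t inLen,
                     uint8_t *tag,      size_t tagSize, 
                     uint8_t **outData, size_t *outSize)
{
    SCLError err = kSCLError_NoErr;
    int     status = CRYPT_OK;
    
    uint8_t *buffer = NULL;
    size_t buffLen = inLen;
    int IVlen = keyLen >>1;
    uint8_t  bytes2Pad = 0;
    unsigned char tagDiff = 0;
    size_t i;
     
    unsigned char  T[32];
    unsigned long tagLen = sizeof(T);
    
    /* The pad count lives in the last plaintext byte, so empty input is invalid. */
    if(buffLen == 0)
        RETERR(kSCLError_CorruptData);
    
    buffer = XMALLOC(buffLen);
    if(buffer == NULL)
    {
        status = CRYPT_MEM;
        goto done;
    }
    
    status = ccm_memory(find_cipher("aes"), 
                        key, IVlen , 
                        NULL,
                        key+ IVlen, IVlen, 
                        seq, seqLen, 
                        buffer, buffLen, 
                        in, 
                        T, &tagLen ,
                        CCM_DECRYPT);CKSTAT;
    
// Only tagSize bytes of the tag are compared. The original note here says that
// exporting only half of the hash is an easy way to avoid leaking key
// information with CCM.
    
    if(tagSize == 0 || tagSize > tagLen)
        RETERR(kSCLError_CorruptData);
    
    /* Accumulate the differences; no early exit on the first mismatch. */
    for(i = 0; i < tagSize; i++)
        tagDiff |= (unsigned char)(T[i] ^ tag[i]);
    
    if(tagDiff != 0)
        RETERR(kSCLError_CorruptData);
    
    bytes2Pad = *(buffer+buffLen-1);
    if(bytes2Pad > buffLen)
        RETERR(kSCLError_CorruptData);
    
    *outData = buffer;
    *outSize = buffLen- bytes2Pad;
    
done:
    if(status != CRYPT_OK || err != kSCLError_NoErr)
    {
        if(buffer)
        {
            /* The buffer may hold unauthenticated plaintext; wipe before release. */
            zeromem(buffer, buffLen);
            XFREE(buffer);
        }
        
        err = IsSCLError(err)?err:sCrypt2SCLError(status);
    }
    
    
    return err;
}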
Ejemplo n.º 10
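/*
 * CBC encrypt (mode == 1) or decrypt (any other mode) in_sz bytes from `in` to
 * `out` with the cipher named by sqlcipher_ltc_get_cipher(ctx).
 *
 * Returns SQLITE_OK on success and SQLITE_ERROR if the cipher is unknown or any
 * libtomcrypt call fails.
 *
 * The CBC context is now finished and wiped on every path after cbc_start().
 * Before, a failing cbc_encrypt()/cbc_decrypt() returned with the key schedule
 * still live on the stack. The unused hash_idx local is gone.
 */
static int sqlcipher_ltc_cipher(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out) {
  int rc, cipher_idx;
  symmetric_CBC cbc;

  if((cipher_idx = find_cipher(sqlcipher_ltc_get_cipher(ctx))) == -1) return SQLITE_ERROR;
  if((rc = cbc_start(cipher_idx, iv, key, key_sz, 0, &cbc)) != CRYPT_OK) return SQLITE_ERROR;

  rc = mode == 1 ? cbc_encrypt(in, out, in_sz, &cbc) : cbc_decrypt(in, out, in_sz, &cbc);

  /* Tear down and clear the context whether or not the operation succeeded. */
  cbc_done(&cbc);
  zeromem(&cbc, sizeof(cbc));

  return rc == CRYPT_OK ? SQLITE_OK : SQLITE_ERROR;
}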
Ejemplo n.º 11
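/**
  Self-test the hash
  @return CRYPT_OK if successful, CRYPT_NOP if neither "aes" nor "rijndael" is
          registered, CRYPT_FAIL_TESTVECTOR on a digest mismatch, or the error
          from chc_register()
*/  
int chc_test(void)
{
   static const struct {
      unsigned char *msg,
                     md[MAXBLOCKSIZE];
      int            len;
   } tests[] = {
{
   (unsigned char *)"hello world",
   { 0xcf, 0x57, 0x9d, 0xc3, 0x0a, 0x0e, 0xea, 0x61, 
     0x0d, 0x54, 0x47, 0xc4, 0x3c, 0x06, 0xf5, 0x4e },
   16
}
};
   int x, oldhashidx, idx, err, result;
   unsigned char out[MAXBLOCKSIZE];
   hash_state md;

   /* AES can be under rijndael or aes... try to find it */
   if ((idx = find_cipher("aes")) == -1) {
      if ((idx = find_cipher("rijndael")) == -1) {
         return CRYPT_NOP;
      }
   }

   /* Remember the cipher CHC was bound to so it can be put back afterwards. */
   oldhashidx = cipher_idx;
   if ((err = chc_register(idx)) != CRYPT_OK) {
      return err;
   }

   result = CRYPT_OK;
   for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
       chc_init(&md);
       chc_process(&md, tests[x].msg, strlen((char *)tests[x].msg));
       chc_done(&md, out);
       if (XMEMCMP(out, tests[x].md, tests[x].len)) {
          /* Leave the loop instead of returning so the binding is restored below. */
          result = CRYPT_FAIL_TESTVECTOR;
          break;
       }
   }

   /* Restore on success and on failure; a failing vector used to skip this. */
   if (oldhashidx != UNDEFED_HASH) {
      chc_register(oldhashidx);
   }

   return result;
}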
Ejemplo n.º 12
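/*
 * AES-GCM decrypt `in` into a freshly allocated buffer and verify the tag.
 *
 * key/keyLen      key blob: the first half is the AES key, the second half the IV
 * seq/seqLen      associated data
 * in/inLen        ciphertext
 * tag/tagSize     tag from the sender; tagSize must equal the computed tag length
 * outData/outSize on success, the plaintext buffer (owned by the caller, release
 *                 with XFREE) and its length with the trailing pad bytes removed
 *
 * Returns kSCLError_NoErr on success, kSCLError_CorruptData when the tag or the
 * padding is invalid, otherwise the library status mapped by sCrypt2SCLError().
 *
 * Fixes relative to the earlier version:
 *  - memset() had its value and length swapped, so the plaintext was never wiped
 *    before XFREE on failure; it is now cleared with zeromem().
 *  - the XMALLOC result is checked.
 *  - the tag is compared without an early exit, so timing does not reveal how
 *    many leading bytes matched.
 *  - an empty input and a pad count larger than the buffer are rejected instead
 *    of reading before the buffer or wrapping *outSize.
 *
 * NOTE(review): the IV is taken from the key blob, so it is fixed for a given
 * blob. GCM loses both confidentiality and integrity if a key/IV pair is reused
 * for a second message - confirm each blob protects exactly one message.
 */
SCLError GCM_Decrypt(uint8_t *key,  size_t keyLen, 
                     uint8_t *seq,  size_t seqLen, 
                     uint8_t *in,   size_t inLen,
                     uint8_t *tag,      size_t tagSize, 
                     uint8_t **outData, size_t *outSize)
{
    SCLError err = kSCLError_NoErr;
    int     status = CRYPT_OK;
    
    uint8_t *buffer = NULL;
    size_t buffLen = inLen;
    int IVlen = keyLen >>1;
    uint8_t  bytes2Pad = 0;
    unsigned char tagDiff = 0;
    unsigned long i;
    
    unsigned char  T[32];
    unsigned long tagLen = sizeof(T);
    
    /* The pad count lives in the last plaintext byte, so empty input is invalid. */
    if(buffLen == 0)
        RETERR(kSCLError_CorruptData);
    
    buffer = XMALLOC(buffLen);
    if(buffer == NULL)
    {
        status = CRYPT_MEM;
        goto done;
    }
    
    status = gcm_memory(find_cipher("aes"), 
                        key, IVlen , 
                        key+ IVlen, IVlen, 
                        seq, seqLen, 
                        buffer, buffLen, 
                        in, 
                        T, &tagLen ,
                        GCM_DECRYPT);CKSTAT;
    
    if(tagLen != tagSize)
        RETERR(kSCLError_CorruptData);
    
    /* Accumulate the differences; no early exit on the first mismatch. */
    for(i = 0; i < tagLen; i++)
        tagDiff |= (unsigned char)(T[i] ^ tag[i]);
    
    if(tagDiff != 0)
        RETERR(kSCLError_CorruptData);
    
    bytes2Pad = *(buffer+buffLen-1);
    if(bytes2Pad > buffLen)
        RETERR(kSCLError_CorruptData);
    
    *outData = buffer;
    *outSize = buffLen- bytes2Pad;
    
done:
    if(status != CRYPT_OK || err != kSCLError_NoErr)
    {
        if(buffer)
        {
            /* The buffer may hold unauthenticated plaintext; wipe before release. */
            zeromem(buffer, buffLen);
            XFREE(buffer);
        }
        
        err = IsSCLError(err)?err:sCrypt2SCLError(status);
    }
    
    
    return err;
}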
Ejemplo n.º 13
/** Test f9-MAC mode
  Runs two known-answer vectors through f9_memory() with the "kasumi" cipher.
  @return CRYPT_OK on success, CRYPT_NOP if tests are compiled out or kasumi is
          not registered, CRYPT_FAIL_TESTVECTOR on a tag mismatch, or the error
          from f9_memory()
*/
int f9_test(void)
{
#ifdef LTC_NO_TEST
   return CRYPT_NOP;
#else
   static const struct {
       int msglen;
       unsigned char K[16], M[128], T[4];
   } tests[] = {
{
   20,
   { 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00, 0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48 },
   { 0x38, 0xA6, 0xF0, 0x56, 0xB8, 0xAE, 0xFD, 0xA9, 0x33, 0x32, 0x34, 0x62, 0x63, 0x39, 0x38, 0x61, 0x37, 0x34, 0x79, 0x40 },
   { 0x46, 0xE0, 0x0D, 0x4B }
},

{
   105,
   { 0x83, 0xFD, 0x23, 0xA2, 0x44, 0xA7, 0x4C, 0xF3, 0x58, 0xDA, 0x30, 0x19, 0xF1, 0x72, 0x26, 0x35 },
   { 0x36, 0xAF, 0x61, 0x44, 0x4F, 0x30, 0x2A, 0xD2, 
     0x35, 0xC6, 0x87, 0x16, 0x63, 0x3C, 0x66, 0xFB, 0x75, 0x0C, 0x26, 0x68, 0x65, 0xD5, 0x3C, 0x11, 0xEA, 0x05, 0xB1, 0xE9, 0xFA, 0x49, 0xC8, 0x39, 0x8D, 0x48, 0xE1, 0xEF, 0xA5, 0x90, 0x9D, 0x39,
     0x47, 0x90, 0x28, 0x37, 0xF5, 0xAE, 0x96, 0xD5, 0xA0, 0x5B, 0xC8, 0xD6, 0x1C, 0xA8, 0xDB, 0xEF, 0x1B, 0x13, 0xA4, 0xB4, 0xAB, 0xFE, 0x4F, 0xB1, 0x00, 0x60, 0x45, 0xB6, 0x74, 0xBB, 0x54, 0x72,
     0x93, 0x04, 0xC3, 0x82, 0xBE, 0x53, 0xA5, 0xAF, 0x05, 0x55, 0x61, 0x76, 0xF6, 0xEA, 0xA2, 0xEF, 0x1D, 0x05, 0xE4, 0xB0, 0x83, 0x18, 0x1E, 0xE6, 0x74, 0xCD, 0xA5, 0xA4, 0x85, 0xF7, 0x4D, 0x7A,
     0x40|0x80 },
   { 0x95, 0xAE, 0x41, 0xBA },
}
};
  const int     ntests = (int)(sizeof(tests)/sizeof(tests[0]));
  unsigned char mac[16];
  unsigned long maclen;
  int           cipher, rc, i;

  /* f9 is tested over KASUMI only; without it there is nothing to run. */
  cipher = find_cipher("kasumi");
  if (cipher == -1) {
     return CRYPT_NOP;
  }

  for (i = 0; i < ntests; i++) {
     /* Ask for a 4-byte tag; f9_memory() writes the produced length back. */
     maclen = 4;
     rc = f9_memory(cipher, tests[i].K, 16, tests[i].M, tests[i].msglen, mac, &maclen);
     if (rc != CRYPT_OK) {
        return rc;
     }
     if (!(maclen == 4 && XMEMCMP(mac, tests[i].T, 4) == 0)) {
        return CRYPT_FAIL_TESTVECTOR;
     }
  }

  return CRYPT_OK;
#endif
}
Ejemplo n.º 14
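  /// Decrypts an "IV || CBC ciphertext" blob with the module key and removes the padding.
  ///
  /// @param rPlainText   receives the unpadded plaintext
  /// @param rCypherText  gIVSize bytes of IV followed by a whole number of cipher blocks
  /// @throws ExInternalError if a libtomcrypt call fails
  /// @throws ExKeyError      if the padding of the decrypted data is invalid
  ///
  /// The input length is now checked against gIVSize before the subtraction. With an
  /// unsigned getSize() (presumably size_t - confirm), an input shorter than the IV
  /// wrapped around, and an empty input even passed the block-alignment assertion.
  ///
  /// NOTE(review): nothing in this method authenticates the ciphertext, and a padding
  /// failure raises a different exception type than other failures. If callers expose
  /// that difference to an untrusted peer it can serve as a padding oracle; verify that
  /// a MAC is checked before decrypt() is reached. FASSERT is also the only input
  /// validation here - confirm it stays active in release builds.
  void CAESModule::decrypt(Tools::CSecureMemory &rPlainText, Tools::CSecureMemory const &rCypherText) const
  {
    FASSERT(rCypherText.getSize() >= gIVSize);
    FASSERT(((rCypherText.getSize()-gIVSize) % gBlockSize) == 0);
    FASSERT(mKey.getSize() == gKeySize);

    // The IV is the first gIVSize bytes of the input.
    Tools::CSecureMemory const IV(&rCypherText[0], gIVSize);

    int ErrorCode;
    int const Cipher = find_cipher("rijndael");
    FASSERT(Cipher != -1);

    symmetric_CBC CBCMode;
    ErrorCode = cbc_start(Cipher, &IV[0], &mKey[0], static_cast<unsigned long>(mKey.getSize()), 0, &CBCMode);
    if (ErrorCode != CRYPT_OK)
    {
    	throw ExInternalError(std::string("Cannot setup AES cipher: ") + std::string(error_to_string(ErrorCode)));
    }

    // Everything after the IV is ciphertext; the plaintext has the same length.
    Tools::CSecureMemory PaddedPlainText;
    PaddedPlainText.allocate(rCypherText.getSize() - gIVSize);

    ErrorCode = cbc_decrypt(&rCypherText[gIVSize], &PaddedPlainText[0], static_cast<unsigned long>(PaddedPlainText.getSize()), &CBCMode);
    if (ErrorCode != CRYPT_OK)
    {
  	  throw ExInternalError(std::string("Error during decryption: ") + std::string(error_to_string(ErrorCode)));
    }

    ErrorCode = cbc_done(&CBCMode);
    if (ErrorCode != CRYPT_OK)
    {
    	throw ExInternalError(std::string("Error when closing decryption stream: ") + std::string(error_to_string(ErrorCode)));
    }

    try
    {
      Tools::getUnpaddedMemory(rPlainText, PaddedPlainText);
    }
    catch(Debug::ExAssert &rError)
    {
    	UNUSED_ARGUMENT(rError);

    	throw ExKeyError(std::string("{CAESModule} Memory structure of decrypted data is invalid. Cannot delete padding bytes."));
    }

  	return;
  }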
Ejemplo n.º 15
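/*
 * Register AES, derive a key by hashing tmpKey with the hash at hash_index, and
 * schedule it into the global symKey.
 *
 * Returns 0 on success; on any failure it prints a message and exits the process.
 *
 * Changes: the hash_memory() result and the find_cipher() index are checked
 * before use (an index of -1 would have been used to subscript
 * cipher_descriptor), and the derived key is wiped from the stack once it has
 * been scheduled.
 *
 * NOTE(review): the key is one unsalted hash of an int, so there are at most
 * 2^(8*sizeof(int)) possible keys; that is small enough to enumerate. Confirm
 * this is test scaffolding and not a production key derivation.
 */
int my_aes_setup(int tmpKey){
	unsigned char key[32];
	unsigned long keyLength = sizeof(key);
	int aesIndex;
	int err;

	if (register_cipher(&aes_desc) == -1) {
		printf("Error registering aes\n");
		exit(EXIT_FAILURE);
	}

	aesIndex = find_cipher("aes");
	if (aesIndex == -1) {
		printf("Error finding aes\n");
		exit(EXIT_FAILURE);
	}

	/* keyLength is in/out: buffer size on entry, digest length on return. */
	if ((err = hash_memory(hash_index,(unsigned char*)&tmpKey, sizeof(int), key, &keyLength)) != CRYPT_OK) {
		printf("Error hashing key ,%i, %s\n",err, error_to_string(err));
		exit(EXIT_FAILURE);
	}

	err = cipher_descriptor[aesIndex].setup(key, keyLength, 0, &symKey);

	/* symKey now holds the schedule; the raw key is no longer needed. */
	zeromem(key, sizeof(key));

	if (err != CRYPT_OK) {
		printf("Error setting up AES ,%i, %s\n",err, error_to_string(err));
		exit(EXIT_FAILURE);
	}
	return 0;
}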
Ejemplo n.º 16
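/*
 * Encrypt `in` in place with Rijndael in CTR mode (little-endian counter).
 *
 * key/keylen  secret key and its length in bytes
 * in/len      buffer that holds the plaintext on entry and the ciphertext on return
 * IV          initial counter block
 * ivlen       not used by this function (see note)
 *
 * Returns CRYPT_OK on success, ERROR_REG_AES if the cipher cannot be registered,
 * otherwise the libtomcrypt error.
 *
 * The CTR context is now finished and wiped on every path after ctr_start().
 * Before, a failing ctr_encrypt() returned with the key schedule still live on
 * the stack.
 *
 * NOTE(review): ivlen is never checked, and ctr_start() reads one full cipher
 * block from IV, so the caller must pass at least that many bytes. CTR gives no
 * integrity protection, and reusing a key/IV pair for two messages exposes the
 * XOR of their plaintexts - confirm callers use a fresh IV for every message.
 */
int symmetricEncrypt(unsigned char *key, unsigned long keylen, unsigned char *in, unsigned long len, unsigned char *IV, unsigned long ivlen)
{
    symmetric_CTR ctr;
    int err;
    int done_err;

    (void)ivlen;

    /* register aes first */
    if (register_cipher(&rijndael_desc) == -1) {
        return ERROR_REG_AES;
    }

    /* start up CTR mode */
    if ((err = ctr_start(
        find_cipher("rijndael"),    /* index of desired cipher */
                             IV,    /* the initial vector */
                            key,    /* the secret key */
                         keylen,    /* length of secret key */
                              0,    /* number of rounds: 0 selects the default */
      CTR_COUNTER_LITTLE_ENDIAN,
                           &ctr)
        ) != CRYPT_OK) {
        return err;
    }

    err = ctr_encrypt(in,           /* plaintext */
                      in,           /* ciphertext (in place) */
                      len,          /* length of plaintext */
                      &ctr);        /* CTR state */

    /* Always finish and clear the context, even when encryption failed. */
    done_err = ctr_done(&ctr);
    zeromem(&ctr, sizeof(ctr));

    if (err != CRYPT_OK) {
        return err;
    }
    return done_err;
}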
Ejemplo n.º 17
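/*
 * Reference AES-256-GCM encryption through libtomcrypt, used to cross-check
 * another implementation.
 *
 * m     message buffer whose first 16 bytes are skipped; mlen includes them
 * c     output: 16-byte tag in c[0..15], ciphertext from c+16 (mlen-16 bytes)
 * nonce 12-byte nonce
 * key   32-byte key
 *
 * Changes:
 *  - mlen < 16 returns without touching c; the subtraction mlen-16 used to wrap
 *    to a huge length.
 *  - the gcm_memory() result is checked and the tag starts zeroed, so a failure
 *    yields an all-zero tag instead of copying uninitialised stack bytes into c.
 *  - the unused decryptag and j0 locals are removed.
 *
 * NOTE(review): the function returns void, so the only sign of failure a caller
 * gets is the all-zero tag (or an untouched c when mlen < 16).
 */
void aes256gcmtomcrypt(unsigned char *c, unsigned char *m,
                    unsigned long long mlen, unsigned char *nonce,
                    unsigned char *key){
  /*Using libtomcrypt as alternative gives us way to check implementation*/
  unsigned char tag[16] = {0};
  unsigned long taglen = sizeof(tag);
  int err;

  if (mlen < 16) {
    return;
  }

  /* If registration fails, find_cipher() yields -1 and gcm_memory() reports it. */
  register_cipher(&aes_desc);
  err = gcm_memory(find_cipher("aes"), key, 32, nonce, 12, NULL, 0, m+16, mlen-16,
                   c+16, tag, &taglen ,GCM_ENCRYPT);
  if (err != CRYPT_OK) {
    memset(tag, 0, sizeof(tag));
  }
  memcpy(c, tag, 16);
}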
Ejemplo n.º 18
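/*
 * Decrypt `in` in place with Rijndael in CTR mode (little-endian counter).
 *
 * key/keylen  secret key and its length in bytes
 * in/len      buffer that holds the ciphertext on entry and the plaintext on return
 * IV          initial counter block, the same one used for encryption
 * ivlen       not used by this function (see note)
 *
 * Returns CRYPT_OK on success, ERROR_REG_AES if the cipher cannot be registered,
 * otherwise the libtomcrypt error.
 *
 * The CTR context is now finished and wiped on every path after ctr_start().
 * Before, a failing ctr_decrypt() returned with the key schedule still live on
 * the stack.
 *
 * NOTE(review): ivlen is never checked, and ctr_start() reads one full cipher
 * block from IV, so the caller must pass at least that many bytes. CTR gives no
 * integrity protection: a modified ciphertext decrypts without any error, so
 * the data has to be authenticated separately - confirm the caller does so.
 */
int symmetricDecrypt(unsigned char *key, unsigned long keylen, unsigned char *in, unsigned long len, unsigned char *IV, unsigned long ivlen)
{
    symmetric_CTR ctr;
    int err;
    int done_err;

    (void)ivlen;

    /* register aes first */
    if (register_cipher(&rijndael_desc) == -1) {
        return ERROR_REG_AES;
    }

    /* start up CTR mode */
    if ((err = ctr_start(
        find_cipher("rijndael"),    /* index of desired cipher */
                             IV,    /* the initial vector */
                            key,    /* the secret key */
                         keylen,    /* length of secret key */
                              0,    /* number of rounds: 0 selects the default */
      CTR_COUNTER_LITTLE_ENDIAN,
                           &ctr)
        ) != CRYPT_OK) {
        return err;
    }

    err = ctr_decrypt(in,           /* ciphertext */
                      in,           /* plaintext (in place) */
                      len,          /* length of the data */
                      &ctr);        /* CTR state */

    /* Always finish and clear the context, even when decryption failed. */
    done_err = ctr_done(&ctr);
    zeromem(&ctr, sizeof(ctr));

    if (err != CRYPT_OK) {
        return err;
    }
    return done_err;
}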
Ejemplo n.º 19
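/*
 * Register 3DES and key the global ECB context sECB from ENCRYPTION_KEY.
 *
 * Registration, lookup and ecb_start() are now checked: a failure is traced and
 * the function returns without printing "Initialization done". The raw key copy
 * on the stack is wiped once sECB has been keyed.
 *
 * NOTE(review): ENCRYPTION_KEY is a build-time macro, so the key is presumably
 * embedded in the image. 3DES has a 64-bit block and ECB repeats ciphertext for
 * repeated plaintext blocks - confirm both are acceptable for the protected data.
 */
void ltc_init_3DES_ECB(void) 
{
    int cipherID;
    int status;
    unsigned char key[ENCRYPTION_KEY_LENGTH];

    TRACE_DEBUG("LTC: Initializing ECB...\n\r");

    // Register cipher
    if (register_cipher(&des3_desc) == -1) {
        TRACE_DEBUG("LTC: Could not register cipher.\n\r");
        return;
    }
    cipherID = find_cipher("3des");
    if (cipherID == -1) {
        TRACE_DEBUG("LTC: Could not find cipher.\n\r");
        return;
    }

    // Load key
    ASCII2Hex(ENCRYPTION_KEY, key, ENCRYPTION_KEY_LENGTH);

    // Start decryption mode
    status = ecb_start(cipherID, key, ENCRYPTION_KEY_LENGTH, 0, &sECB);

    // sECB holds its own key schedule; drop the raw key copy.
    zeromem(key, sizeof(key));

    if (status != CRYPT_OK) {
        TRACE_DEBUG("LTC: Initialization failed.\n\r");
        return;
    }

    TRACE_DEBUG("LTC: Initialization done.\n\r");
}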
Ejemplo n.º 20
/**
   Look a cipher up by name, falling back to the first registered cipher that is
   large enough.
   @param name        The name of the cipher desired (must not be NULL)
   @param blocklen    The minimum length of the block cipher desired (octets)
   @param keylen      The minimum length of the key size desired (octets)
   @return >= 0 if found, -1 if not present

   NOTE(review): on the fallback path the result can be a different algorithm
   than the one named; callers that need a specific cipher should use
   find_cipher() directly.
*/
int find_cipher_any(const char *name, int blocklen, int keylen)
{
   int idx;

   LTC_ARGCHK(name != NULL);

   /* The named cipher wins whenever it is registered. */
   idx = find_cipher(name);
   if (idx != -1) {
      return idx;
   }

   /* Otherwise take the first occupied slot whose block length and maximum key
      length both meet the requested minimums. */
   for (idx = 0; idx < TAB_SIZE; idx++) {
       if (cipher_descriptor[idx].name != NULL &&
           blocklen <= (int)cipher_descriptor[idx].block_length &&
           keylen <= (int)cipher_descriptor[idx].max_key_length) {
          return idx;
       }
   }
   return -1;
}
Ejemplo n.º 21
/*
 * Prepare the global CTR context ffCTR for files with ffVersion >= 319.
 *
 * Reads a 256-byte blob with DB_ReadXFileRawData(), has DB_AuthLoad_DecryptKey()
 * turn it into a ZoneKey, starts AES-CTR with that key and IV, and copies the IV
 * into ffIV. Older file versions return immediately.
 *
 * NOTE(review): none of the libtomcrypt return values are checked, and encKey
 * and key stay on the stack after use. The ctr_mode argument is a literal 0,
 * which presumably corresponds to CTR_COUNTER_LITTLE_ENDIAN - confirm.
 */
void DB_AuthLoad_InitCrypto()
{
    if (ffVersion < 319)
    {
        return;
    }

    register_hash(&sha256_desc);
    register_cipher(&aes_desc);

    // Raw key blob exactly as stored in the file.
    unsigned char wrappedKey[256];
    DB_ReadXFileRawData(wrappedKey, sizeof(wrappedKey));

    ZoneKey zoneKey;
    DB_AuthLoad_DecryptKey(wrappedKey, &zoneKey);

    int aesIndex = find_cipher("aes");
    ctr_start(aesIndex, zoneKey.iv, zoneKey.key, sizeof(zoneKey.key), 0, 0, &ffCTR);

    // Keep a copy of the IV in ffIV.
    memcpy(ffIV, zoneKey.iv, sizeof(ffIV));
}
Ejemplo n.º 22
/**
   Look a cipher up by name, falling back to the first registered cipher that is
   large enough.
   @param name        The name of the cipher desired; NULL skips the name lookup
   @param blocklen    The minimum length of the block cipher desired (octets)
   @param keylen      The minimum length of the key size desired (octets)
   @return >= 0 if found, -1 if not present

   NOTE(review): on the fallback path the result can be a different algorithm
   than the one named; callers that need a specific cipher should use
   find_cipher() directly.
*/
int find_cipher_any(const char *name, int blocklen, int keylen)
{
   int idx;
   int found = -1;

   /* The named cipher wins whenever it is registered. */
   if (name != NULL) {
      idx = find_cipher(name);
      if (idx != -1) {
         return idx;
      }
   }

   /* The descriptor table is scanned with ltc_cipher_mutex held; the scan stops
      at the first occupied slot that meets both minimums. */
   LTC_MUTEX_LOCK(&ltc_cipher_mutex);
   for (idx = 0; idx < TAB_SIZE && found == -1; idx++) {
       if (cipher_descriptor[idx].name != NULL &&
           blocklen <= (int)cipher_descriptor[idx].block_length &&
           keylen <= (int)cipher_descriptor[idx].max_key_length) {
          found = idx;
       }
   }
   LTC_MUTEX_UNLOCK(&ltc_cipher_mutex);

   return found;
}
Ejemplo n.º 23
  /// Encrypts rPlainText with the module key in CBC mode under a fresh IV from getRandomIV().
  ///
  /// @param rCypherText  receives the IV followed by the ciphertext of the padded plaintext
  /// @param rPlainText   data to encrypt; it is padded by getPadding() first
  /// @throws ExInternalError if a libtomcrypt call fails
  ///
  /// NOTE(review): the output carries no authentication tag; integrity has to come
  /// from a MAC applied by the caller - confirm one exists.
  void CAESModule::encrypt(Tools::CSecureMemory &rCypherText, Tools::CSecureMemory const &rPlainText) const
  {
    FASSERT(mKey.getSize() == gKeySize);

    Tools::CSecureMemory InitVector;
    getRandomIV(InitVector);

    Tools::CSecureMemory Padded;
    getPadding(Padded, rPlainText);

    // Output layout: the IV first, then the ciphertext.
    rCypherText.allocate(Padded.getSize()+InitVector.getSize());
    std::memcpy(&rCypherText[0], &InitVector[0], InitVector.getSize());

    int const CipherIndex = find_cipher("rijndael");
    FASSERT(CipherIndex != -1);

    symmetric_CBC Context;
    int Status = cbc_start(CipherIndex, &InitVector[0], &mKey[0], static_cast<unsigned long>(mKey.getSize()), 0, &Context);
    if (Status != CRYPT_OK)
    {
      throw ExInternalError(std::string("Cannot setup AES cipher: ") + std::string(error_to_string(Status)));
    }

    // The ciphertext is written straight after the IV in the output buffer.
    Status = cbc_encrypt(&Padded[0], &rCypherText[InitVector.getSize()], static_cast<unsigned long>(Padded.getSize()), &Context);
    if (Status != CRYPT_OK)
    {
      throw ExInternalError(std::string("Error during encryption: ") + std::string(error_to_string(Status)));
    }

    Status = cbc_done(&Context);
    if (Status != CRYPT_OK)
    {
      throw ExInternalError(std::string("Error when closing encryption stream: ") + std::string(error_to_string(Status)));
    }
  }
Ejemplo n.º 24
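/*
 * Register Rijndael and key the global CBC context sCBC from ENCRYPTION_KEY and
 * ENCRYPTION_IV.
 *
 * Registration, lookup and cbc_start() are now checked: a failure is traced and
 * the function returns without printing "Initialization done". The raw key copy
 * on the stack is wiped once sCBC has been keyed.
 *
 * NOTE(review): ENCRYPTION_KEY and ENCRYPTION_IV are build-time macros, so the
 * key is presumably embedded in the image and the same key/IV pair is used on
 * every run - confirm this matches the threat model.
 */
void ltc_init_AES_CBC(void) 
{
    int cipherID;
    int status;
    unsigned char key[ENCRYPTION_KEY_LENGTH];
    unsigned char IV[ENCRYPTION_BLOCK_LENGTH];

    TRACE_DEBUG("LTC: Initializing CBC...\n\r");

    // Register cipher
    if (register_cipher(&rijndael_desc) == -1) {
        TRACE_DEBUG("LTC: Could not register cipher.\n\r");
        return;
    }
    cipherID = find_cipher("rijndael");
    if (cipherID == -1) {
        TRACE_DEBUG("LTC: Could not find cipher.\n\r");
        return;
    }

    // Load key
    ASCII2Hex(ENCRYPTION_KEY, key, ENCRYPTION_KEY_LENGTH);

    // Load IV
    ASCII2Hex(ENCRYPTION_IV, IV, ENCRYPTION_BLOCK_LENGTH);

    // Start decryption mode
    status = cbc_start(cipherID, IV, key, ENCRYPTION_KEY_LENGTH, 0, &sCBC);

    // sCBC holds its own key schedule; drop the raw key copy.
    zeromem(key, sizeof(key));

    if (status != CRYPT_OK) {
        TRACE_DEBUG("LTC: Initialization failed.\n\r");
        return;
    }

    TRACE_DEBUG("LTC: Initialization done.\n\r");
}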
Ejemplo n.º 25
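/*
 * Register 3DES and key the global CTR context sCTR (big-endian counter) from
 * ENCRYPTION_KEY and ENCRYPTION_IV.
 *
 * Registration, lookup and ctr_start() are now checked: a failure is traced and
 * the function returns without printing "Initialization done". The raw key copy
 * on the stack is wiped once sCTR has been keyed.
 *
 * NOTE(review): ENCRYPTION_KEY and ENCRYPTION_IV are build-time macros, so the
 * same key and initial counter are presumably used on every run. In CTR mode two
 * streams under the same key/IV share a keystream, and 3DES has a 64-bit block -
 * confirm both are acceptable for the protected data.
 */
void ltc_init_3DES_CTR(void) 
{
    int cipherID;
    int status;
    unsigned char key[ENCRYPTION_KEY_LENGTH];
    unsigned char IV[ENCRYPTION_BLOCK_LENGTH];

    TRACE_DEBUG("LTC: Initializing CTR...\n\r");

    // Register cipher
    if (register_cipher(&des3_desc) == -1) {
        TRACE_DEBUG("LTC: Could not register cipher.\n\r");
        return;
    }
    cipherID = find_cipher("3des");
    if (cipherID == -1) {
        TRACE_DEBUG("LTC: Could not find cipher.\n\r");
        return;
    }

    // Load key
    ASCII2Hex(ENCRYPTION_KEY, key, ENCRYPTION_KEY_LENGTH);

    // Load IV
    ASCII2Hex(ENCRYPTION_IV, IV, ENCRYPTION_BLOCK_LENGTH);

    // Start decryption mode
    status = ctr_start(cipherID, IV, key, ENCRYPTION_KEY_LENGTH, 0, CTR_COUNTER_BIG_ENDIAN, &sCTR);

    // sCTR holds its own key schedule; drop the raw key copy.
    zeromem(key, sizeof(key));

    if (status != CRYPT_OK) {
        TRACE_DEBUG("LTC: Initialization failed.\n\r");
        return;
    }

    TRACE_DEBUG("LTC: Initialization done.\n\r");
}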
Ejemplo n.º 26
/** 
  Test the GCM code
  @return CRYPT_OK on success
 */
int gcm_test(void)
{
#ifndef LTC_TEST
   return CRYPT_NOP;
#else
   static const struct {
       unsigned char K[32];
       int           keylen;
       unsigned char P[128];
       unsigned long ptlen;
       unsigned char A[128];
       unsigned long alen;
       unsigned char IV[128];
       unsigned long IVlen;
       unsigned char C[128];
       unsigned char T[16];
   } tests[] = {

/* test case #1 */
{
  /* key */
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
  16,

  /* plaintext */
  { 0 },
  0,

  /* AAD data */
  { 0 },
  0,

  /* IV */
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00 },
  12,

  /* ciphertext  */
  { 0 },

  /* tag */
  { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
    0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a }
},

/* test case #2 */
{
  /* key */
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
  16,

  /* PT */
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
  16,

  /* ADATA */
  { 0 },
  0,

  /* IV */
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00 },
  12,

  /* CT */
  { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
    0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },

  /* TAG */
  { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
    0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf }
},

/* test case #3 */
{
   /* key */
   { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 
     0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
   16,

   /* PT */
   { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 
     0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 
     0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 
     0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 
     0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 
     0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 
     0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 
     0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55, },
  64,

  /* ADATA */
  { 0 },
  0,

  /* IV */
  { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 
    0xde, 0xca, 0xf8, 0x88,  },
  12,
 
  /* CT */
  { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 
    0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 
    0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 
    0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 
    0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 
    0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 
    0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 
    0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85, },

  /* TAG */
  { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 
    0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4, }
},

/* test case #4 */
{
   /* key */
   { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 
     0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
   16,

   /* PT */
   { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 
     0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 
     0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 
     0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 
     0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 
     0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 
     0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 
     0xba, 0x63, 0x7b, 0x39,  },
   60,

   /* ADATA */
   { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
     0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
     0xab, 0xad, 0xda, 0xd2,  },
   20,

   /* IV */
   { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 
     0xde, 0xca, 0xf8, 0x88,  },
   12,

   /* CT */
   { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 
     0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 
     0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 
     0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 
     0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 
     0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 
     0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 
     0x3d, 0x58, 0xe0, 0x91,  },

   /* TAG */
   { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb, 
     0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47, }

},

/* test case #5 */
{
   /* key */
   { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 
     0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
   16,

   /* PT */
   { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 
     0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 
     0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 
     0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 
     0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 
     0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 
     0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 
     0xba, 0x63, 0x7b, 0x39,  },
   60,

   /* ADATA */
   { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
     0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
     0xab, 0xad, 0xda, 0xd2,  },
   20,

   /* IV */
   { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, },
   8,

   /* CT */
   { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a, 
     0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55, 
     0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8, 
     0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23, 
     0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2, 
     0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42, 
     0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07, 
     0xc2, 0x3f, 0x45, 0x98,  },

   /* TAG */
   { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85, 
     0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb, }
},

/* test case #6 */
{
   /* key */
   { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 
     0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
   16,

   /* PT */
   { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 
     0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 
     0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 
     0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 
     0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 
     0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 
     0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 
     0xba, 0x63, 0x7b, 0x39,  },
   60,

   /* ADATA */
   { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
     0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
     0xab, 0xad, 0xda, 0xd2,  },
   20,

   /* IV */
   { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5, 
     0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa, 
     0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1, 
     0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28, 
     0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39, 
     0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54, 
     0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57, 
     0xa6, 0x37, 0xb3, 0x9b,  },
   60,

   /* CT */
   { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6, 
     0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94, 
     0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8, 
     0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7, 
     0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90, 
     0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f, 
     0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03, 
     0x4c, 0x34, 0xae, 0xe5,  },

   /* TAG */
   { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa, 
     0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50, }
},

/* test case #46 from BG (catches the LTC bug of v1.15) */
{
   /* key */
   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
   16,

   /* PT */
   { 0xa2, 0xaa, 0xb3, 0xad, 0x8b, 0x17, 0xac, 0xdd, 
     0xa2, 0x88, 0x42, 0x6c, 0xd7, 0xc4, 0x29, 0xb7, 
     0xca, 0x86, 0xb7, 0xac, 0xa0, 0x58, 0x09, 0xc7, 
     0x0c, 0xe8, 0x2d, 0xb2, 0x57, 0x11, 0xcb, 0x53,
     0x02, 0xeb, 0x27, 0x43, 0xb0, 0x36, 0xf3, 0xd7, 
     0x50, 0xd6, 0xcf, 0x0d, 0xc0, 0xac, 0xb9, 0x29, 
     0x50, 0xd5, 0x46, 0xdb, 0x30, 0x8f, 0x93, 0xb4, 
     0xff, 0x24, 0x4a, 0xfa, 0x9d, 0xc7, 0x2b, 0xcd,
     0x75, 0x8d, 0x2c },
   67,

   /* ADATA */
   { 0x68, 0x8e, 0x1a, 0xa9, 0x84, 0xde, 0x92, 0x6d, 
     0xc7, 0xb4, 0xc4, 0x7f, 0x44 },
   13,   

   /* IV */
   { 0xb7, 0x21, 0x38, 0xb5, 0xa0, 0x5f, 0xf5, 0x07, 
     0x0e, 0x8c, 0xd9, 0x41, 0x83, 0xf7, 0x61, 0xd8 },
   16,

   /* CT */
   { 0xcb, 0xc8, 0xd2, 0xf1, 0x54, 0x81, 0xa4, 0xcc, 
     0x7d, 0xd1, 0xe1, 0x9a, 0xaa, 0x83, 0xde, 0x56, 
     0x78, 0x48, 0x3e, 0xc3, 0x59, 0xae, 0x7d, 0xec, 
     0x2a, 0xb8, 0xd5, 0x34, 0xe0, 0x90, 0x6f, 0x4b,
     0x46, 0x63, 0xfa, 0xff, 0x58, 0xa8, 0xb2, 0xd7, 
     0x33, 0xb8, 0x45, 0xee, 0xf7, 0xc9, 0xb3, 0x31, 
     0xe9, 0xe1, 0x0e, 0xb2, 0x61, 0x2c, 0x99, 0x5f, 
     0xeb, 0x1a, 0xc1, 0x5a, 0x62, 0x86, 0xcc, 0xe8,
     0xb2, 0x97, 0xa8 },

   /* TAG */
   { 0x8d, 0x2d, 0x2a, 0x93, 0x72, 0x62, 0x6f, 0x6b, 
     0xee, 0x85, 0x80, 0x27, 0x6a, 0x63, 0x66, 0xbf }
}

/* rest of test cases are the same except AES key size changes... ignored... */
};
   int           idx, err;
   unsigned long x, y;
   unsigned char out[2][128], T[2][16];

   /* find aes */
   idx = find_cipher("aes");
   if (idx == -1) {
      idx = find_cipher("rijndael");
      if (idx == -1) {
         return CRYPT_NOP;
      }
   }

   for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
       y = sizeof(T[0]);
       if ((err = gcm_memory(idx, tests[x].K, tests[x].keylen,
                             tests[x].IV, tests[x].IVlen,
                             tests[x].A, tests[x].alen,
                             (unsigned char*)tests[x].P, tests[x].ptlen,
                             out[0], T[0], &y, GCM_ENCRYPT)) != CRYPT_OK) {
          return err;
       }

       if (XMEMCMP(out[0], tests[x].C, tests[x].ptlen)) {
#if 0
          printf("\nCiphertext wrong %lu\n", x);
          for (y = 0; y < tests[x].ptlen; y++) {
              printf("%02x", out[0][y] & 255);
          }
          printf("\n");
#endif
          return CRYPT_FAIL_TESTVECTOR;
       }

       if (XMEMCMP(T[0], tests[x].T, 16)) {
#if 0
          printf("\nTag on plaintext wrong %lu\n", x);
          for (y = 0; y < 16; y++) {
              printf("%02x", T[0][y] & 255);
          }
          printf("\n");
#endif
          return CRYPT_FAIL_TESTVECTOR;
       }

       y = sizeof(T[1]);
       if ((err = gcm_memory(idx, tests[x].K, tests[x].keylen,
                             tests[x].IV, tests[x].IVlen,
                             tests[x].A, tests[x].alen,
                             out[1], tests[x].ptlen,
                             out[0], T[1], &y, GCM_DECRYPT)) != CRYPT_OK) {
          return err;
       }

       if (XMEMCMP(out[1], tests[x].P, tests[x].ptlen)) {
#if 0
          printf("\nplaintext wrong %lu\n", x);
          for (y = 0; y < tests[x].ptlen; y++) {
              printf("%02x", out[0][y] & 255);
          }
          printf("\n");
#endif
          return CRYPT_FAIL_TESTVECTOR;
       }

       if (XMEMCMP(T[1], tests[x].T, 16)) {
#if 0
          printf("\nTag on ciphertext wrong %lu\n", x);
          for (y = 0; y < 16; y++) {
              printf("%02x", T[1][y] & 255);
          }
          printf("\n");
#endif
          return CRYPT_FAIL_TESTVECTOR;
       }

   }
   return CRYPT_OK;
#endif
}
/**
  Known-answer self-test for LRW mode using AES.

  For every vector the mode is keyed, the initial pad is compared with the
  expected tweak, one 16-byte block is encrypted and compared with the
  expected ciphertext, then the IV is set again and the ciphertext is
  decrypted and compared with the original plaintext.

  @return CRYPT_OK if every vector matches, CRYPT_NOP if LTC_TEST is not
          defined or neither "aes" nor "rijndael" is registered,
          CRYPT_FAIL_TESTVECTOR on a mismatch, otherwise the error code of
          the LRW call that failed
*/
int lrw_test(void)
{
#ifndef  LTC_TEST
   return CRYPT_NOP;
#else
   static const struct {
      unsigned char key[16], tweak[16], IV[16], P[16], expected_tweak[16], C[16];
   } tests[] = {

   {
      /* key */
      { 0x45, 0x62, 0xac, 0x25, 0xf8, 0x28, 0x17, 0x6d, 0x4c, 0x26, 0x84, 0x14, 0xb5, 0x68, 0x01, 0x85 },
      /* tweak */
      { 0x25, 0x8e, 0x2a, 0x05, 0xe7, 0x3e, 0x9d, 0x03, 0xee, 0x5a, 0x83, 0x0c, 0xcc, 0x09, 0x4c, 0x87 },
      /* IV */
      { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
      /* P */
      { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46 },
      /* expected tweak */
      { 0x25, 0x8e, 0x2a, 0x05, 0xe7, 0x3e, 0x9d, 0x03, 0xee, 0x5a, 0x83, 0x0c, 0xcc, 0x09, 0x4c, 0x87 },
      /* C */
      { 0xf1, 0xb2, 0x73, 0xcd, 0x65, 0xa3, 0xdf, 0x5f, 0xe9, 0x5d, 0x48, 0x92, 0x54, 0x63, 0x4e, 0xb8 }
   },

   {
      /* key */
      { 0x59, 0x70, 0x47, 0x14, 0xf5, 0x57, 0x47, 0x8c, 0xd7, 0x79, 0xe8, 0x0f, 0x54, 0x88, 0x79, 0x44 },
      /* tweak */
      { 0x35, 0x23, 0xc2, 0xde, 0xc5, 0x69, 0x4f, 0xa8, 0x72, 0xa9, 0xac, 0xa7, 0x0b, 0x2b, 0xee, 0xbc },
      /* IV */
      { 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
      /* P */
      { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46 },
      /* expected tweak */
      { 0x1a, 0x91, 0xe1, 0x6f, 0x62, 0xb4, 0xa7, 0xd4, 0x39, 0x54, 0xd6, 0x53, 0x85, 0x95, 0xf7, 0x5e },
      /* C */
      { 0x00, 0xc8, 0x2b, 0xae, 0x95, 0xbb, 0xcd, 0xe5, 0x27, 0x4f, 0x07, 0x69, 0xb2, 0x60, 0xe1, 0x36 },
   },

   {
      /* key */
      { 0x59, 0x70, 0x47, 0x14, 0xf5, 0x57, 0x47, 0x8c, 0xd7, 0x79, 0xe8, 0x0f, 0x54, 0x88, 0x79, 0x44 },
      /* tweak */
      { 0x67, 0x53, 0xc9, 0x0c, 0xb7, 0xd8, 0xcd, 0xe5, 0x06, 0xa0, 0x47, 0x78, 0x1a, 0xad, 0x85, 0x11 },
      /* IV */
      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
      /* P */
      { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46 },
      /* expected tweak */
      { 0x1a, 0x91, 0xe1, 0x6f, 0x62, 0xb4, 0xa7, 0xd4, 0x39, 0x54, 0xd6, 0x53, 0x85, 0x95, 0xf7, 0x5e },
      /* C */
      { 0x00, 0xc8, 0x2b, 0xae, 0x95, 0xbb, 0xcd, 0xe5, 0x27, 0x4f, 0x07, 0x69, 0xb2, 0x60, 0xe1, 0x36 },
   },

   {
      /* key */
      { 0xd8, 0x2a, 0x91, 0x34, 0xb2, 0x6a, 0x56, 0x50, 0x30, 0xfe, 0x69, 0xe2, 0x37, 0x7f, 0x98, 0x47 },
      /* tweak */
      { 0x4e, 0xb5, 0x5d, 0x31, 0x05, 0x97, 0x3a, 0x3f, 0x5e, 0x23, 0xda, 0xfb, 0x5a, 0x45, 0xd6, 0xc0 },
      /* IV */
      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00 },
      /* P */
      { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46 },
      /* expected tweak */
      { 0x18, 0xc9, 0x1f, 0x6d, 0x60, 0x1a, 0x1a, 0x37, 0x5d, 0x0b, 0x0e, 0xf7, 0x3a, 0xd5, 0x74, 0xc4 },
      /* C */
      { 0x76, 0x32, 0x21, 0x83, 0xed, 0x8f, 0xf1, 0x82, 0xf9, 0x59, 0x62, 0x03, 0x69, 0x0e, 0x5e, 0x01 },
   }
   };

   const int     ntests = (int)(sizeof(tests)/sizeof(tests[0]));
   int           cipher, err, i;
   symmetric_LRW lrw;
   unsigned char enc[16], dec[16];

   /* AES may be registered under either name */
   cipher = find_cipher("aes");
   if (cipher == -1) {
      cipher = find_cipher("rijndael");
   }
   if (cipher == -1) {
      return CRYPT_NOP;
   }

   for (i = 0; i < ntests; i++) {
      /* key the mode; nothing to release yet if this fails */
      err = lrw_start(cipher, tests[i].IV, tests[i].key, 16, tests[i].tweak, 0, &lrw);
      if (err != CRYPT_OK) {
         return err;
      }

      /* the pad computed at start-up must equal the expected tweak */
      if (XMEMCMP(tests[i].expected_tweak, lrw.pad, 16) != 0) {
         err = CRYPT_FAIL_TESTVECTOR;
         goto release;
      }

      /* encrypt one block and compare with the known ciphertext */
      err = lrw_encrypt(tests[i].P, enc, 16, &lrw);
      if (err != CRYPT_OK) {
         goto release;
      }
      if (XMEMCMP(enc, tests[i].C, 16) != 0) {
         err = CRYPT_FAIL_TESTVECTOR;
         goto release;
      }

      /* set the IV again before decrypting the block just produced */
      err = lrw_setiv(tests[i].IV, 16, &lrw);
      if (err != CRYPT_OK) {
         goto release;
      }

      err = lrw_decrypt(enc, dec, 16, &lrw);
      if (err != CRYPT_OK) {
         goto release;
      }
      if (XMEMCMP(dec, tests[i].P, 16) != 0) {
         err = CRYPT_FAIL_TESTVECTOR;
         goto release;
      }

      /* on the success path the result of lrw_done is itself checked */
      err = lrw_done(&lrw);
      if (err != CRYPT_OK) {
         return err;
      }
   }
   return CRYPT_OK;

release:
   /* failure after lrw_start: release the state, report the first error */
   lrw_done(&lrw);
   return err;
#endif
}
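/* Generate the actual encryption/integrity keys, using the results of the
 * key exchange, as specified in section 5.2 of the IETF secsh-transport
 * draft. This occurs after the DH key-exchange.
 *
 * ses.newkeys is the new set of keys which are generated, these are only
 * taken into use after both sides have sent a newkeys message.
 *
 * The shared secret ses.dh_K and the exchange hash ses.hash are fed into a
 * SHA-1 state and then cleared. That state is handed to hashkeys() with a
 * distinct letter ('A'..'F') for each IV, cipher key and MAC key. The two
 * CBC contexts are started here; a cbc_start failure ends the session via
 * dropbear_exit("crypto error"). Finally the old ses.keys is wiped and freed
 * and ses.newkeys takes its place.
 *
 * The stack copies of the IVs, the cipher keys and the hash state are wiped
 * before returning so that key material does not linger on the stack. */
static void gen_new_keys() {

	unsigned char IV[MAX_IV_LEN];
	unsigned char key[MAX_KEY_LEN];
	hash_state hs;
	unsigned int keysize;

	TRACE(("enter gen_new_keys"));
	/* the dh_K and hash are the start of all hashes, we make use of that */
	sha1_init(&hs);
	sha1_process_mp(&hs, ses.dh_K);
	mp_clear(ses.dh_K);
	m_free(ses.dh_K);
	sha1_process(&hs, ses.hash, SHA1_HASH_SIZE);
	m_burn(ses.hash, SHA1_HASH_SIZE);

	/* client->server IV */
	/* NOTE(review): SHA1_HASH_SIZE bytes are requested into IV[MAX_IV_LEN];
	 * assumes MAX_IV_LEN >= SHA1_HASH_SIZE - confirm against the headers */
	hashkeys(IV, SHA1_HASH_SIZE, &hs, 'A');

	/* client->server encryption key */
	keysize = ses.newkeys->recv_algo_crypt->keysize;
	/* keysize bytes are requested into key[]; refuse a size it cannot hold */
	if (keysize > sizeof(key)) {
		dropbear_exit("crypto error");
	}
	hashkeys(key, keysize, &hs, 'C');
	if (cbc_start(
			find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name),
			IV, key, keysize, 0, 
			&ses.newkeys->recv_symmetric_struct) != CRYPT_OK) {
		dropbear_exit("crypto error");
	}

	/* server->client IV */
	hashkeys(IV, SHA1_HASH_SIZE, &hs, 'B');

	/* server->client encryption key */
	keysize = ses.newkeys->trans_algo_crypt->keysize;
	if (keysize > sizeof(key)) {
		dropbear_exit("crypto error");
	}
	hashkeys(key, keysize, &hs, 'D');
	if (cbc_start(
			find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name),
			IV, key, keysize, 0, 
			&ses.newkeys->trans_symmetric_struct) != CRYPT_OK) {
		dropbear_exit("crypto error");
	}
	/* MAC key client->server */
	/* NOTE(review): the size of recvmackey/transmackey is not visible here;
	 * presumably large enough for every MAC keysize - verify */
	keysize = ses.newkeys->recv_algo_mac->keysize;
	hashkeys(ses.newkeys->recvmackey, keysize, &hs, 'E');

	/* MAC key server->client */
	keysize = ses.newkeys->trans_algo_mac->keysize;
	hashkeys(ses.newkeys->transmackey, keysize, &hs, 'F');

#ifndef DISABLE_ZLIB
	gen_new_zstreams();
#endif
	
	/* Switch over to the new keys */
	m_burn(ses.keys, sizeof(struct key_context));
	m_free(ses.keys);
	ses.keys = ses.newkeys;
	ses.newkeys = NULL;

	/* Wipe the local copies of key material: the last IV and cipher key
	 * derived, and the hash state seeded with the shared secret */
	m_burn(IV, sizeof(IV));
	m_burn(key, sizeof(key));
	m_burn(&hs, sizeof(hs));

	TRACE(("leave gen_new_keys"));
}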
/**
   Known-answer self-test for EAX mode using AES.

   Each vector is encrypted and authenticated in one call; the ciphertext and
   tag are compared with the expected values. The output is then decrypted
   and verified, with the same buffer passed as ciphertext input and
   plaintext output, and the result is compared with the original plaintext.

   NOTE(review): only the accepting path is exercised; no vector checks that
   a modified tag or ciphertext is rejected.

   @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
           or no AES descriptor is registered, CRYPT_FAIL_TESTVECTOR on a
           mismatch, otherwise the error code of the EAX call that failed
*/
int eax_test(void)
{
#ifndef LTC_TEST
   return CRYPT_NOP;
#else
   static const struct {
       int           keylen, noncelen, headerlen, msglen;
       unsigned char key[MAXBLOCKSIZE],
                     nonce[MAXBLOCKSIZE],
                     header[MAXBLOCKSIZE],
                     plaintext[MAXBLOCKSIZE],
                     ciphertext[MAXBLOCKSIZE],
                     tag[MAXBLOCKSIZE];
   } tests[] = {

/* NULL message */
{
   16, 0, 0, 0,
   /* key */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* nonce */
   { 0 },
   /* header */
   { 0 },
   /* plaintext */
   { 0 },
   /* ciphertext */
   { 0 },
   /* tag */
   { 0x9a, 0xd0, 0x7e, 0x7d, 0xbf, 0xf3, 0x01, 0xf5,
     0x05, 0xde, 0x59, 0x6b, 0x96, 0x15, 0xdf, 0xff }
},

/* test with nonce */
{
   16, 16, 0, 0,
   /* key */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* nonce */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* header */
   { 0 },
   /* plaintext */
   { 0 },
   /* ciphertext */
   { 0 },
   /* tag */
   { 0x1c, 0xe1, 0x0d, 0x3e, 0xff, 0xd4, 0xca, 0xdb,
     0xe2, 0xe4, 0x4b, 0x58, 0xd6, 0x0a, 0xb9, 0xec }
},

/* test with header [no nonce]  */
{
   16, 0, 16, 0,
   /* key */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* nonce */
   { 0 },
   /* header */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* plaintext */
   { 0 },
   /* ciphertext */
   { 0 },
   /* tag */
   { 0x3a, 0x69, 0x8f, 0x7a, 0x27, 0x0e, 0x51, 0xb0,
     0xf6, 0x5b, 0x3d, 0x3e, 0x47, 0x19, 0x3c, 0xff }
},

/* test with header + nonce + plaintext */
{
   16, 16, 16, 32,
   /* key */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* nonce */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* header */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* plaintext */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
   /* ciphertext */
   { 0x29, 0xd8, 0x78, 0xd1, 0xa3, 0xbe, 0x85, 0x7b,
     0x6f, 0xb8, 0xc8, 0xea, 0x59, 0x50, 0xa7, 0x78,
     0x33, 0x1f, 0xbf, 0x2c, 0xcf, 0x33, 0x98, 0x6f,
     0x35, 0xe8, 0xcf, 0x12, 0x1d, 0xcb, 0x30, 0xbc },
   /* tag */
   { 0x4f, 0xbe, 0x03, 0x38, 0xbe, 0x1c, 0x8c, 0x7e,
     0x1d, 0x7a, 0xe7, 0xe4, 0x5b, 0x92, 0xc5, 0x87 }
},

/* test with header + nonce + plaintext [not even sizes!] */
{
   16, 15, 14, 29,
   /* key */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
   /* nonce */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e },
   /* header */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d },
   /* plaintext */
   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
     0x18, 0x19, 0x1a, 0x1b, 0x1c },
   /* ciphertext */
   { 0xdd, 0x25, 0xc7, 0x54, 0xc5, 0xb1, 0x7c, 0x59,
     0x28, 0xb6, 0x9b, 0x73, 0x15, 0x5f, 0x7b, 0xb8,
     0x88, 0x8f, 0xaf, 0x37, 0x09, 0x1a, 0xd9, 0x2c,
     0x8a, 0x24, 0xdb, 0x86, 0x8b },
   /* tag */
   { 0x0d, 0x1a, 0x14, 0xe5, 0x22, 0x24, 0xff, 0xd2,
     0x3a, 0x05, 0xfa, 0x02, 0xcd, 0xef, 0x52, 0xda }
},

/* Vectors from Brian Gladman */

{
   16, 16, 8, 0,
   /* key */
   { 0x23, 0x39, 0x52, 0xde, 0xe4, 0xd5, 0xed, 0x5f,
     0x9b, 0x9c, 0x6d, 0x6f, 0xf8, 0x0f, 0xf4, 0x78 },
   /* nonce */
   { 0x62, 0xec, 0x67, 0xf9, 0xc3, 0xa4, 0xa4, 0x07,
     0xfc, 0xb2, 0xa8, 0xc4, 0x90, 0x31, 0xa8, 0xb3 },
   /* header */
   { 0x6b, 0xfb, 0x91, 0x4f, 0xd0, 0x7e, 0xae, 0x6b },
   /* PT */
   { 0x00 },
   /* CT */
   { 0x00 },
   /* tag */
   { 0xe0, 0x37, 0x83, 0x0e, 0x83, 0x89, 0xf2, 0x7b,
     0x02, 0x5a, 0x2d, 0x65, 0x27, 0xe7, 0x9d, 0x01 }
},

{
   16, 16, 8, 2,
   /* key */
   { 0x91, 0x94, 0x5d, 0x3f, 0x4d, 0xcb, 0xee, 0x0b,
     0xf4, 0x5e, 0xf5, 0x22, 0x55, 0xf0, 0x95, 0xa4 },
   /* nonce */
   { 0xbe, 0xca, 0xf0, 0x43, 0xb0, 0xa2, 0x3d, 0x84,
     0x31, 0x94, 0xba, 0x97, 0x2c, 0x66, 0xde, 0xbd },
   /* header */
   { 0xfa, 0x3b, 0xfd, 0x48, 0x06, 0xeb, 0x53, 0xfa },
   /* PT */
   { 0xf7, 0xfb },
   /* CT */
   { 0x19, 0xdd },
   /* tag */
   { 0x5c, 0x4c, 0x93, 0x31, 0x04, 0x9d, 0x0b, 0xda,
     0xb0, 0x27, 0x74, 0x08, 0xf6, 0x79, 0x67, 0xe5 }
},

{
   16, 16, 8, 5,
   /* key */
   { 0x01, 0xf7, 0x4a, 0xd6, 0x40, 0x77, 0xf2, 0xe7,
     0x04, 0xc0, 0xf6, 0x0a, 0xda, 0x3d, 0xd5, 0x23 },
   /* nonce */
   { 0x70, 0xc3, 0xdb, 0x4f, 0x0d, 0x26, 0x36, 0x84,
     0x00, 0xa1, 0x0e, 0xd0, 0x5d, 0x2b, 0xff, 0x5e },
   /* header */
   { 0x23, 0x4a, 0x34, 0x63, 0xc1, 0x26, 0x4a, 0xc6 },
   /* PT */
   { 0x1a, 0x47, 0xcb, 0x49, 0x33 },
   /* CT */
   { 0xd8, 0x51, 0xd5, 0xba, 0xe0 },
   /* Tag */
   { 0x3a, 0x59, 0xf2, 0x38, 0xa2, 0x3e, 0x39, 0x19,
     0x9d, 0xc9, 0x26, 0x66, 0x26, 0xc4, 0x0f, 0x80 }
}

};
   const int     ntests = (int)(sizeof(tests)/sizeof(tests[0]));
   int           status, i, cipher, verified;
   unsigned long tag_len;
   unsigned char ct_buf[MAXBLOCKSIZE], tag_buf[MAXBLOCKSIZE];

   /* AES can be under rijndael or aes... try to find it */
   cipher = find_cipher("aes");
   if (cipher == -1) {
      cipher = find_cipher("rijndael");
   }
   if (cipher == -1) {
      return CRYPT_NOP;
   }

   for (i = 0; i < ntests; i++) {
      /* tag_len is in/out: buffer capacity going in, tag length coming out */
      tag_len = sizeof(tag_buf);
      status = eax_encrypt_authenticate_memory(cipher,
                  tests[i].key, tests[i].keylen,
                  tests[i].nonce, tests[i].noncelen,
                  tests[i].header, tests[i].headerlen,
                  tests[i].plaintext, tests[i].msglen,
                  ct_buf, tag_buf, &tag_len);
      if (status != CRYPT_OK) {
         return status;
      }

      if (memcmp(ct_buf, tests[i].ciphertext, tests[i].msglen) != 0 ||
          memcmp(tag_buf, tests[i].tag, tag_len) != 0) {
#if 0
         unsigned long y;
         printf("\n\nFailure: \nCT:\n");
         for (y = 0; y < (unsigned long)tests[i].msglen; ) {
             printf("0x%02x", ct_buf[y]);
             if (y < (unsigned long)(tests[i].msglen-1)) printf(", ");
             if (!(++y % 8)) printf("\n");
         }
         printf("\nTAG:\n");
         for (y = 0; y < tag_len; ) {
             printf("0x%02x", tag_buf[y]);
             if (y < tag_len-1) printf(", ");
             if (!(++y % 8)) printf("\n");
         }
#endif
         return CRYPT_FAIL_TESTVECTOR;
      }

      /* test decrypt: ct_buf is both the ciphertext in and the plaintext out */
      status = eax_decrypt_verify_memory(cipher,
                  tests[i].key, tests[i].keylen,
                  tests[i].nonce, tests[i].noncelen,
                  tests[i].header, tests[i].headerlen,
                  ct_buf, tests[i].msglen,
                  ct_buf, tag_buf, tag_len, &verified);
      if (status != CRYPT_OK) {
         return status;
      }

      /* the call can succeed without the tag verifying, so check both */
      if (verified != 1 ||
          memcmp(ct_buf, tests[i].plaintext, tests[i].msglen) != 0) {
#if 0
         unsigned long y;
         printf("\n\nFailure (res == %d): \nPT:\n", verified);
         for (y = 0; y < (unsigned long)tests[i].msglen; ) {
             printf("0x%02x", ct_buf[y]);
             if (y < (unsigned long)(tests[i].msglen-1)) printf(", ");
             if (!(++y % 8)) printf("\n");
         }
         printf("\n\n");
#endif
         return CRYPT_FAIL_TESTVECTOR;
      }
   }
   return CRYPT_OK;
#endif /* LTC_TEST */
}
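/*
 * Pad a message and encrypt it with AES in CCM mode.
 *
 * The input is copied into a newly allocated buffer, padded so that every
 * pad byte holds the pad length, and encrypted in place by ccm_memory().
 *
 * key, keyLen     key buffer; its first keyLen/2 bytes are used as the cipher
 *                 key and the following keyLen/2 bytes as the CCM nonce
 * seq, seqLen     passed to ccm_memory() as the header (associated data)
 * in, inLen       plaintext to encrypt
 * outData         on success receives the allocated ciphertext buffer; the
 *                 caller owns it and must release it
 * outSize         on success receives the padded ciphertext length
 * outTag, tagSize receives tagSize bytes of the tag; tagSize must not exceed
 *                 the size of the internal 32-byte tag buffer
 *
 * Returns kSCLError_NoErr on success, otherwise the SCLError that
 * sCrypt2SCLError() gives for the failing status. On failure the working
 * buffer is wiped and freed and the output parameters are left untouched.
 *
 * NOTE(review): the nonce is taken from the key buffer, so it is the same
 * for every call made with the same key buffer. CCM requires a nonce that is
 * never reused under one key; confirm that callers supply a fresh key buffer
 * for each message.
 */
SCLError CCM_Encrypt(uint8_t *key, size_t keyLen,
                     uint8_t *seq, size_t seqLen,
                     const uint8_t *in, size_t inLen,
                     uint8_t **outData, size_t *outSize,
                     uint8_t *outTag, size_t tagSize)

{
    SCLError err = kSCLError_NoErr;
    int     status = CRYPT_OK;

    uint8_t  bytes2Pad;
    uint8_t *buffer = NULL;
    size_t buffLen = 0;
    int IVlen = keyLen >>1;
    /* Zero-initialised: tagSize bytes are copied out below, and if
     * ccm_memory() writes fewer than that (it reports the produced length in
     * tagLen) the remainder must be zeros, not stale stack contents. */
    unsigned char  T[32] = {0};
    unsigned long tagLen = 0;
    unsigned long tag2Copy = tagSize;

    ValidateParam (tagSize <= sizeof(T));

    /* calculate pad byte */
    /* NOTE(review): assumes the block-size constants keep the pad length
     * within a uint8_t - TODO confirm */
    if(inLen < MIN_MSG_BLOCKSIZE)
    {
        bytes2Pad =  MIN_MSG_BLOCKSIZE - inLen;
    }
    else
    {
        bytes2Pad =  roundup(inLen, MSG_BLOCKSIZE) +  MSG_BLOCKSIZE - inLen;
    }

    buffLen = inLen + bytes2Pad;
    buffer = XMALLOC(buffLen);
    if(buffer == NULL)
    {
        /* allocation failed: report it instead of writing through NULL */
        status = CRYPT_MEM;
        goto done;
    }

    memcpy(buffer, in, inLen);
    memset(buffer+inLen, bytes2Pad, bytes2Pad);

    tagLen = sizeof(T);
    status = ccm_memory(find_cipher("aes"),
                        key, IVlen ,
                        NULL,
                        key+ IVlen, IVlen,
                        seq,    seqLen,
                        buffer, buffLen,
                        buffer,
                        T, &tagLen ,
                        CCM_ENCRYPT); CKSTAT;

    *outData = buffer;
    *outSize = buffLen;
    memcpy(outTag, T, tag2Copy);

done:

    if(status != CRYPT_OK)
    {
        if(buffer)
        {
            /* The buffer may hold plaintext. Wipe it through a volatile
             * pointer so the stores are not dropped ahead of the free.
             * (The original memset had its value and length arguments
             * swapped and cleared nothing.) */
            volatile uint8_t *wipe = buffer;
            size_t i;

            for(i = 0; i < buffLen; i++)
            {
                wipe[i] = 0;
            }
            XFREE(buffer);
        }
        err = sCrypt2SCLError(status);
    }

    return err;
}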