gcry_err_code_t _gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen) { gcry_err_code_t rc = 0; switch (hd->mode) { case GCRY_CIPHER_MODE_CCM: rc = _gcry_cipher_ccm_set_nonce (hd, iv, ivlen); break; case GCRY_CIPHER_MODE_GCM: rc = _gcry_cipher_gcm_setiv (hd, iv, ivlen); break; case GCRY_CIPHER_MODE_POLY1305: rc = _gcry_cipher_poly1305_setiv (hd, iv, ivlen); break; case GCRY_CIPHER_MODE_OCB: rc = _gcry_cipher_ocb_set_nonce (hd, iv, ivlen); break; default: rc = cipher_setiv (hd, iv, ivlen); break; } return rc; }
static void encode_seskey( DEK *dek, DEK **seskey, byte *enckey ) { CIPHER_HANDLE hd; byte buf[33]; assert ( dek->keylen <= 32 ); if(!*seskey) { *seskey=xmalloc_clear(sizeof(DEK)); (*seskey)->keylen=dek->keylen; (*seskey)->algo=dek->algo; make_session_key(*seskey); /*log_hexdump( "thekey", c->key, c->keylen );*/ } buf[0] = (*seskey)->algo; memcpy( buf + 1, (*seskey)->key, (*seskey)->keylen ); hd = cipher_open( dek->algo, CIPHER_MODE_CFB, 1 ); cipher_setkey( hd, dek->key, dek->keylen ); cipher_setiv( hd, NULL, 0 ); cipher_encrypt( hd, buf, buf, (*seskey)->keylen + 1 ); cipher_close( hd ); memcpy( enckey, buf, (*seskey)->keylen + 1 ); wipememory( buf, sizeof buf ); /* burn key */ }
gcry_error_t gcry_cipher_ctl( gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen) { gcry_err_code_t rc = GPG_ERR_NO_ERROR; switch (cmd) { case GCRYCTL_SET_KEY: rc = cipher_setkey( h, buffer, buflen ); break; case GCRYCTL_SET_IV: cipher_setiv( h, buffer, buflen ); break; case GCRYCTL_RESET: cipher_reset (h); break; case GCRYCTL_CFB_SYNC: cipher_sync( h ); break; case GCRYCTL_SET_CBC_CTS: if (buflen) if (h->flags & GCRY_CIPHER_CBC_MAC) rc = GPG_ERR_INV_FLAG; else h->flags |= GCRY_CIPHER_CBC_CTS; else h->flags &= ~GCRY_CIPHER_CBC_CTS; break; case GCRYCTL_SET_CBC_MAC: if (buflen) if (h->flags & GCRY_CIPHER_CBC_CTS) rc = GPG_ERR_INV_FLAG; else h->flags |= GCRY_CIPHER_CBC_MAC; else h->flags &= ~GCRY_CIPHER_CBC_MAC; break; case GCRYCTL_DISABLE_ALGO: /* this one expects a NULL handle and buffer pointing to an * integer with the algo number. */ if( h || !buffer || buflen != sizeof(int) ) return gcry_error (GPG_ERR_CIPHER_ALGO); disable_cipher_algo( *(int*)buffer ); break; case GCRYCTL_SET_CTR: if (buffer && buflen == h->cipher->blocksize) memcpy (h->ctr, buffer, h->cipher->blocksize); else if (buffer == NULL || buflen == 0) memset (h->ctr, 0, h->cipher->blocksize); else rc = GPG_ERR_INV_ARG; break; default: rc = GPG_ERR_INV_OP; } return gcry_error (rc); }
static void write_header( cipher_filter_context_t *cfx, IOBUF a ) { PACKET pkt; PKT_encrypted ed; byte temp[18]; unsigned blocksize; unsigned nprefix; blocksize = cipher_get_blocksize( cfx->dek->algo ); if( blocksize < 8 || blocksize > 16 ) log_fatal("unsupported blocksize %u\n", blocksize ); memset( &ed, 0, sizeof ed ); ed.len = cfx->datalen; ed.extralen = blocksize+2; ed.new_ctb = !ed.len && !RFC1991; if( cfx->dek->use_mdc ) { ed.mdc_method = DIGEST_ALGO_SHA1; cfx->mdc_hash = md_open( DIGEST_ALGO_SHA1, 0 ); if ( DBG_HASHING ) md_start_debug( cfx->mdc_hash, "creatmdc" ); } { char buf[20]; sprintf (buf, "%d %d", ed.mdc_method, cfx->dek->algo); write_status_text (STATUS_BEGIN_ENCRYPTION, buf); } init_packet( &pkt ); pkt.pkttype = cfx->dek->use_mdc? PKT_ENCRYPTED_MDC : PKT_ENCRYPTED; pkt.pkt.encrypted = &ed; if( build_packet( a, &pkt )) log_bug("build_packet(ENCR_DATA) failed\n"); nprefix = blocksize; randomize_buffer( temp, nprefix, 1 ); temp[nprefix] = temp[nprefix-2]; temp[nprefix+1] = temp[nprefix-1]; print_cipher_algo_note( cfx->dek->algo ); cfx->cipher_hd = cipher_open( cfx->dek->algo, cfx->dek->use_mdc? CIPHER_MODE_CFB : CIPHER_MODE_AUTO_CFB, 1 ); /* log_hexdump( "thekey", cfx->dek->key, cfx->dek->keylen );*/ cipher_setkey( cfx->cipher_hd, cfx->dek->key, cfx->dek->keylen ); cipher_setiv( cfx->cipher_hd, NULL, 0 ); /* log_hexdump( "prefix", temp, nprefix+2 ); */ if( cfx->mdc_hash ) /* hash the "IV" */ md_write( cfx->mdc_hash, temp, nprefix+2 ); cipher_encrypt( cfx->cipher_hd, temp, temp, nprefix+2); cipher_sync( cfx->cipher_hd ); iobuf_write(a, temp, nprefix+2); cfx->header=1; }
int main(int argc, char **argv) { int encode=0; CIPHER_HANDLE hd; char buf[4096]; int n, size=4096; int algo; #ifdef HAVE_DOSISH_SYSTEM setmode( fileno(stdin), O_BINARY ); setmode( fileno(stdout), O_BINARY ); #endif i18n_init(); if( argc > 1 && !strcmp(argv[1], "-e") ) { encode++; argc--; argv++; } else if( argc > 1 && !strcmp(argv[1], "-E") ) { encode++; argc--; argv++; size = 10; } else if( argc > 1 && !strcmp(argv[1], "-d") ) { argc--; argv++; } else if( argc > 1 && !strcmp(argv[1], "-D") ) { argc--; argv++; size = 10; } if( argc != 3 ) my_usage(); argc--; argv++; algo = string_to_cipher_algo( *argv ); argc--; argv++; hd = cipher_open( algo, CIPHER_MODE_CFB, 0 ); cipher_setkey( hd, *argv, strlen(*argv) ); cipher_setiv( hd, NULL, 0 ); while( (n = fread( buf, 1, size, stdin )) > 0 ) { if( encode ) cipher_encrypt( hd, buf, buf, n ); else cipher_decrypt( hd, buf, buf, n ); if( fwrite( buf, 1, n, stdout) != n ) log_fatal("write error\n"); } cipher_close(hd); return 0; }
/** * Test CBC decryption * * @v cipher Cipher algorithm * @v key Key * @v key_len Length of key * @v iv Initialisation vector * @v ciphertext Ciphertext data * @v expected_plaintext Expected plaintext data * @v len Length of data * @ret ok Plaintext is as expected */ int cbc_test_decrypt ( struct cipher_algorithm *cipher, const void *key, size_t key_len, const void *iv, const void *ciphertext, const void *expected_plaintext, size_t len ) { uint8_t ctx[cipher->ctxsize]; uint8_t plaintext[len]; int rc; /* Initialise cipher */ rc = cipher_setkey ( cipher, ctx, key, key_len ); assert ( rc == 0 ); cipher_setiv ( cipher, ctx, iv ); /* Perform encryption */ cipher_decrypt ( cipher, ctx, ciphertext, plaintext, len ); /* Verify result */ return ( memcmp ( plaintext, expected_plaintext, len ) == 0 ); }
/** * Calculate CBC encryption or decryption cost * * @v cipher Cipher algorithm * @v key_len Length of key * @v op Encryption or decryption operation * @ret cost Cost (in cycles per byte) */ static unsigned long cbc_cost ( struct cipher_algorithm *cipher, size_t key_len, void ( * op ) ( struct cipher_algorithm *cipher, void *ctx, const void *src, void *dst, size_t len ) ) { static uint8_t random[8192]; /* Too large for stack */ uint8_t key[key_len]; uint8_t iv[cipher->blocksize]; uint8_t ctx[cipher->ctxsize]; union profiler profiler; unsigned long long elapsed; unsigned long cost; unsigned int i; int rc; /* Fill buffer with pseudo-random data */ srand ( 0x1234568 ); for ( i = 0 ; i < sizeof ( random ) ; i++ ) random[i] = rand(); for ( i = 0 ; i < sizeof ( key ) ; i++ ) key[i] = rand(); for ( i = 0 ; i < sizeof ( iv ) ; i++ ) iv[i] = rand(); /* Initialise cipher */ rc = cipher_setkey ( cipher, ctx, key, key_len ); assert ( rc == 0 ); cipher_setiv ( cipher, ctx, iv ); /* Time operation */ profile ( &profiler ); op ( cipher, ctx, random, random, sizeof ( random ) ); elapsed = profile ( &profiler ); /* Round to nearest whole number of cycles per byte */ cost = ( ( elapsed + ( sizeof ( random ) / 2 ) ) / sizeof ( random ) ); return cost; }
/** * Generate key material * * @v tls TLS session * * The master secret must already be known. */ static int tls_generate_keys ( struct tls_session *tls ) { struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending; struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending; size_t hash_size = tx_cipherspec->digest->digestsize; size_t key_size = tx_cipherspec->key_len; size_t iv_size = tx_cipherspec->cipher->blocksize; size_t total = ( 2 * ( hash_size + key_size + iv_size ) ); uint8_t key_block[total]; uint8_t *key; int rc; /* Generate key block */ tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ), key_block, sizeof ( key_block ), "key expansion", &tls->server_random, sizeof ( tls->server_random ), &tls->client_random, sizeof ( tls->client_random ) ); /* Split key block into portions */ key = key_block; /* TX MAC secret */ memcpy ( tx_cipherspec->mac_secret, key, hash_size ); DBGC ( tls, "TLS %p TX MAC secret:\n", tls ); DBGC_HD ( tls, key, hash_size ); key += hash_size; /* RX MAC secret */ memcpy ( rx_cipherspec->mac_secret, key, hash_size ); DBGC ( tls, "TLS %p RX MAC secret:\n", tls ); DBGC_HD ( tls, key, hash_size ); key += hash_size; /* TX key */ if ( ( rc = cipher_setkey ( tx_cipherspec->cipher, tx_cipherspec->cipher_ctx, key, key_size ) ) != 0 ) { DBGC ( tls, "TLS %p could not set TX key: %s\n", tls, strerror ( rc ) ); return rc; } DBGC ( tls, "TLS %p TX key:\n", tls ); DBGC_HD ( tls, key, key_size ); key += key_size; /* RX key */ if ( ( rc = cipher_setkey ( rx_cipherspec->cipher, rx_cipherspec->cipher_ctx, key, key_size ) ) != 0 ) { DBGC ( tls, "TLS %p could not set TX key: %s\n", tls, strerror ( rc ) ); return rc; } DBGC ( tls, "TLS %p RX key:\n", tls ); DBGC_HD ( tls, key, key_size ); key += key_size; /* TX initialisation vector */ cipher_setiv ( tx_cipherspec->cipher, tx_cipherspec->cipher_ctx, key ); DBGC ( tls, "TLS %p TX IV:\n", tls ); DBGC_HD ( tls, key, iv_size ); key += iv_size; /* RX initialisation vector */ cipher_setiv ( rx_cipherspec->cipher, rx_cipherspec->cipher_ctx, key ); DBGC ( tls, "TLS %p RX IV:\n", tls ); DBGC_HD ( tls, key, iv_size ); key += iv_size; assert ( ( key_block + total ) == key ); return 0; }
struct ibuf * ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa, struct ibuf *msg, struct ibuf *src) { ssize_t ivlen, encrlen, integrlen, blocklen, outlen, tmplen; uint8_t pad = 0, *ptr; struct ibuf *integr, *encr, *tmp = NULL, *out = NULL; off_t ivoff, encroff, integroff; if (sa == NULL || sa->sa_encr == NULL || sa->sa_integr == NULL) { log_debug("%s: invalid SA", __func__); print_hex(ibuf_data(src), 0, ibuf_size(src)); goto done; } if (!sa->sa_hdr.sh_initiator) { encr = sa->sa_key_iencr; integr = sa->sa_key_iauth; } else { encr = sa->sa_key_rencr; integr = sa->sa_key_rauth; } blocklen = cipher_length(sa->sa_encr); ivlen = cipher_ivlength(sa->sa_encr); ivoff = 0; integrlen = hash_length(sa->sa_integr); integroff = ibuf_size(src) - integrlen; encroff = ivlen; encrlen = ibuf_size(src) - integrlen - ivlen; if (encrlen < 0 || integroff < 0) { log_debug("%s: invalid integrity value", __func__); goto done; } log_debug("%s: IV length %zd", __func__, ivlen); print_hex(ibuf_data(src), 0, ivlen); log_debug("%s: encrypted payload length %zd", __func__, encrlen); print_hex(ibuf_data(src), encroff, encrlen); log_debug("%s: integrity checksum length %zd", __func__, integrlen); print_hex(ibuf_data(src), integroff, integrlen); /* * Validate packet checksum */ if ((tmp = ibuf_new(NULL, ibuf_length(integr))) == NULL) goto done; hash_setkey(sa->sa_integr, integr->buf, ibuf_length(integr)); hash_init(sa->sa_integr); hash_update(sa->sa_integr, ibuf_data(msg), ibuf_size(msg) - integrlen); hash_final(sa->sa_integr, tmp->buf, &tmplen); if (memcmp(tmp->buf, ibuf_data(src) + integroff, integrlen) != 0) { log_debug("%s: integrity check failed", __func__); goto done; } log_debug("%s: integrity check succeeded", __func__); print_hex(tmp->buf, 0, tmplen); ibuf_release(tmp); tmp = NULL; /* * Decrypt the payload and strip any padding */ if ((encrlen % blocklen) != 0) { log_debug("%s: unaligned encrypted payload", __func__); goto done; } cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); cipher_setiv(sa->sa_encr, ibuf_data(src) + ivoff, ivlen); cipher_init_decrypt(sa->sa_encr); if ((out = ibuf_new(NULL, cipher_outlength(sa->sa_encr, encrlen))) == NULL) goto done; if ((outlen = ibuf_length(out)) != 0) { cipher_update(sa->sa_encr, ibuf_data(src) + encroff, encrlen, ibuf_data(out), &outlen); ptr = ibuf_seek(out, outlen - 1, 1); pad = *ptr; } log_debug("%s: decrypted payload length %zd/%zd padding %d", __func__, outlen, encrlen, pad); print_hex(ibuf_data(out), 0, ibuf_size(out)); if (ibuf_setsize(out, outlen) != 0) goto done; ibuf_release(src); return (out); done: ibuf_release(tmp); ibuf_release(out); ibuf_release(src); return (NULL); }
struct ibuf * ikev2_msg_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf *src) { size_t len, encrlen, integrlen, blocklen, outlen; uint8_t *buf, pad = 0, *ptr; struct ibuf *encr, *dst = NULL, *out = NULL; buf = ibuf_data(src); len = ibuf_size(src); log_debug("%s: decrypted length %zu", __func__, len); print_hex(buf, 0, len); if (sa == NULL || sa->sa_encr == NULL || sa->sa_integr == NULL) { log_debug("%s: invalid SA", __func__); goto done; } if (sa->sa_hdr.sh_initiator) encr = sa->sa_key_iencr; else encr = sa->sa_key_rencr; blocklen = cipher_length(sa->sa_encr); integrlen = hash_length(sa->sa_integr); encrlen = roundup(len + sizeof(pad), blocklen); pad = encrlen - (len + sizeof(pad)); /* * Pad the payload and encrypt it */ if (pad) { if ((ptr = ibuf_advance(src, pad)) == NULL) goto done; arc4random_buf(ptr, pad); } if (ibuf_add(src, &pad, sizeof(pad)) != 0) goto done; log_debug("%s: padded length %zu", __func__, ibuf_size(src)); print_hex(ibuf_data(src), 0, ibuf_size(src)); cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); cipher_setiv(sa->sa_encr, NULL, 0); cipher_init_encrypt(sa->sa_encr); if ((dst = ibuf_dup(sa->sa_encr->encr_iv)) == NULL) goto done; if ((out = ibuf_new(NULL, cipher_outlength(sa->sa_encr, encrlen))) == NULL) goto done; outlen = ibuf_size(out); cipher_update(sa->sa_encr, ibuf_data(src), encrlen, ibuf_data(out), &outlen); if (outlen && ibuf_add(dst, ibuf_data(out), outlen) != 0) goto done; if ((ptr = ibuf_advance(dst, integrlen)) == NULL) goto done; explicit_bzero(ptr, integrlen); log_debug("%s: length %zu, padding %d, output length %zu", __func__, len + sizeof(pad), pad, ibuf_size(dst)); print_hex(ibuf_data(dst), 0, ibuf_size(dst)); ibuf_release(src); ibuf_release(out); return (dst); done: ibuf_release(src); ibuf_release(out); ibuf_release(dst); return (NULL); }
gcry_error_t gcry_cipher_ctl( gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen) { gcry_err_code_t rc = GPG_ERR_NO_ERROR; switch (cmd) { case GCRYCTL_SET_KEY: /* Deprecated; use gcry_cipher_setkey. */ rc = cipher_setkey( h, buffer, buflen ); break; case GCRYCTL_SET_IV: /* Deprecated; use gcry_cipher_setiv. */ cipher_setiv( h, buffer, buflen ); break; case GCRYCTL_RESET: cipher_reset (h); break; case GCRYCTL_CFB_SYNC: cipher_sync( h ); break; case GCRYCTL_SET_CBC_CTS: if (buflen) if (h->flags & GCRY_CIPHER_CBC_MAC) rc = GPG_ERR_INV_FLAG; else h->flags |= GCRY_CIPHER_CBC_CTS; else h->flags &= ~GCRY_CIPHER_CBC_CTS; break; case GCRYCTL_SET_CBC_MAC: if (buflen) if (h->flags & GCRY_CIPHER_CBC_CTS) rc = GPG_ERR_INV_FLAG; else h->flags |= GCRY_CIPHER_CBC_MAC; else h->flags &= ~GCRY_CIPHER_CBC_MAC; break; case GCRYCTL_DISABLE_ALGO: /* This command expects NULL for H and BUFFER to point to an integer with the algo number. */ if( h || !buffer || buflen != sizeof(int) ) return gcry_error (GPG_ERR_CIPHER_ALGO); disable_cipher_algo( *(int*)buffer ); break; case GCRYCTL_SET_CTR: /* Deprecated; use gcry_cipher_setctr. */ rc = gpg_err_code (_gcry_cipher_setctr (h, buffer, buflen)); break; case 61: /* Disable weak key detection (private). */ if (h->extraspec->set_extra_info) rc = h->extraspec->set_extra_info (&h->context.c, CIPHER_INFO_NO_WEAK_KEY, NULL, 0); else rc = GPG_ERR_NOT_SUPPORTED; break; case 62: /* Return current input vector (private). */ /* This is the input block as used in CFB and OFB mode which has initially been set as IV. The returned format is: 1 byte Actual length of the block in bytes. n byte The block. If the provided buffer is too short, an error is returned. */ if (buflen < (1 + h->cipher->blocksize)) rc = GPG_ERR_TOO_SHORT; else { unsigned char *ivp; unsigned char *dst = buffer; int n = h->unused; if (!n) n = h->cipher->blocksize; gcry_assert (n <= h->cipher->blocksize); *dst++ = n; ivp = h->u_iv.iv + h->cipher->blocksize - n; while (n--) *dst++ = *ivp++; } break; default: rc = GPG_ERR_INV_OP; } return gcry_error (rc); }
gcry_error_t _gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen) { cipher_setiv (hd, iv, ivlen); return 0; }