SKEYID derivation based on libstrongswan
[strongswan.git] / src / pluto / crypto.c
1 /* crypto interfaces
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 * Copyright (C) 2007 Andreas Steffen
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <string.h>
18 #include <stddef.h>
19 #include <sys/types.h>
20
21 #include <freeswan.h>
22 #define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
23 #include <libdes/des.h>
24
25 #include <errno.h>
26
27 #include "constants.h"
28 #include "defs.h"
29 #include "state.h"
30 #include "log.h"
31 #include "crypto.h"
32 #include "alg_info.h"
33 #include "ike_alg.h"
34
35
36 /* moduli and generator. */
37
38 static MP_INT
39 modp1024_modulus,
40 modp1536_modulus,
41 modp2048_modulus,
42 modp3072_modulus,
43 modp4096_modulus,
44 modp6144_modulus,
45 modp8192_modulus;
46
47 MP_INT groupgenerator; /* MODP group generator (2) */
48
49 static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
50
51 static struct encrypt_desc crypto_encryptor_3des =
52 {
53 algo_type: IKE_ALG_ENCRYPT,
54 algo_id: OAKLEY_3DES_CBC,
55 algo_next: NULL,
56 enc_ctxsize: sizeof(des_key_schedule) * 3,
57 enc_blocksize: DES_CBC_BLOCK_SIZE,
58 keydeflen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
59 keyminlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
60 keymaxlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
61 do_crypt: do_3des,
62 };
63
64 /* MD5 hash test vectors
65 * from RFC 1321 "MD5 Message-Digest Algorithm"
66 * April 1992, R. Rivest, RSA Data Security
67 */
68
69 static const u_char md5_test0_msg[] = {
70
71 };
72
73 static const u_char md5_test0_msg_digest[] = {
74 0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
75 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
76 };
77
78 static const u_char md5_test1_msg[] = {
79 0x61
80 };
81
82 static const u_char md5_test1_msg_digest[] = {
83 0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
84 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
85 };
86
87 static const u_char md5_test2_msg[] = {
88 0x61, 0x62, 0x63
89 };
90
91 static const u_char md5_test2_msg_digest[] = {
92 0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0,
93 0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72
94 };
95
96 static const u_char md5_test3_msg[] = {
97 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20,
98 0x64, 0x69, 0x67, 0x65, 0x73, 0x74
99 };
100
101 static const u_char md5_test3_msg_digest[] = {
102 0xf9, 0x6b, 0x69, 0x7d, 0x7c, 0xb7, 0x93, 0x8d,
103 0x52, 0x5a, 0x2f, 0x31, 0xaa, 0xf1, 0x61, 0xd0
104 };
105
106 static const u_char md5_test4_msg[] = {
107 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
108 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
109 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
110 0x79, 0x7a
111 };
112
113 static const u_char md5_test4_msg_digest[] = {
114 0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00,
115 0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b
116 };
117
118 static const u_char md5_test5_msg[] = {
119 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
120 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
121 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
122 0x59, 0x5a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
123 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
124 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
125 0x77, 0x78, 0x79, 0x7a, 0x30, 0x31, 0x32, 0x33,
126 0x34, 0x35, 0x36, 0x37, 0x38, 0x39
127 };
128
129 static const u_char md5_test5_msg_digest[] = {
130 0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5,
131 0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f
132 };
133
134 static const u_char md5_test6_msg[] = {
135 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
136 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
137 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
138 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
139 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
140 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
141 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
142 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
143 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
144 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30
145 };
146
147 static const u_char md5_test6_msg_digest[] = {
148 0x57, 0xed, 0xf4, 0xa2, 0x2b, 0xe3, 0xc9, 0x55,
149 0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a
150 };
151
152 static const hash_testvector_t md5_hash_testvectors[] = {
153 { sizeof(md5_test0_msg), md5_test0_msg, md5_test0_msg_digest },
154 { sizeof(md5_test1_msg), md5_test1_msg, md5_test1_msg_digest },
155 { sizeof(md5_test2_msg), md5_test2_msg, md5_test2_msg_digest },
156 { sizeof(md5_test3_msg), md5_test3_msg, md5_test3_msg_digest },
157 { sizeof(md5_test4_msg), md5_test4_msg, md5_test4_msg_digest },
158 { sizeof(md5_test5_msg), md5_test5_msg, md5_test5_msg_digest },
159 { sizeof(md5_test6_msg), md5_test6_msg, md5_test6_msg_digest },
160 { 0, NULL, NULL }
161 };
162
163 /* MD5 hmac test vectors
164 * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
165 * September 1997, P. Cheng, IBM & R. Glenn, NIST
166 */
167
168 static const u_char md5_hmac1_key[] = {
169 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
170 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
171 };
172
173 static const u_char md5_hmac1_msg[] = {
174 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
175 };
176
177 static const u_char md5_hmac1[] = {
178 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
179 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
180 };
181
182 static const u_char md5_hmac2_key[] = {
183 0x4a, 0x65, 0x66, 0x65
184 };
185
186 static const u_char md5_hmac2_msg[] = {
187 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
188 0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
189 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
190 0x69, 0x6e, 0x67, 0x3f
191 };
192
193 static const u_char md5_hmac2[] = {
194 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
195 0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38
196 };
197
198 static const u_char md5_hmac3_key[] = {
199 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
200 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
201 };
202
203 static const u_char md5_hmac3_msg[] = {
204 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
205 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
206 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
207 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
208 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
209 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
210 0xdd, 0xdd
211 };
212
213 static const u_char md5_hmac3[] = {
214 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88,
215 0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6
216 };
217
218 static const u_char md5_hmac4_key[] = {
219 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
220 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
221 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
222 0x19
223 };
224
225 static const u_char md5_hmac4_msg[] = {
226 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
227 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
228 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
229 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
230 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
231 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
232 0xcd, 0xcd
233 };
234
235 static const u_char md5_hmac4[] = {
236 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea,
237 0x3a, 0x75, 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79
238 };
239
240 static const u_char md5_hmac6_key[] = {
241 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
242 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
243 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
244 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
245 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
246 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
247 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
248 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
249 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
250 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
251 };
252
253 static const u_char md5_hmac6_msg[] = {
254 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
255 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
256 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
257 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
258 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
259 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
260 0x20, 0x46, 0x69, 0x72, 0x73, 0x74
261 };
262
263 static const u_char md5_hmac6[] = {
264 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f,
265 0x0b, 0x62, 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd
266 };
267
268 static const u_char md5_hmac7_msg[] = {
269 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
270 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
271 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
272 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
273 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x61, 0x6e,
274 0x64, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72,
275 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x4f, 0x6e,
276 0x65, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d,
277 0x53, 0x69, 0x7a, 0x65, 0x20, 0x44, 0x61, 0x74,
278 0x61
279 };
280
281 static const u_char md5_hmac7[] = {
282 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee,
283 0x1f, 0xb1, 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e
284 };
285
286 static const hmac_testvector_t md5_hmac_testvectors[] = {
287 { sizeof(md5_hmac1_key), md5_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, md5_hmac1 },
288 { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, md5_hmac2 },
289 { sizeof(md5_hmac3_key), md5_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, md5_hmac3 },
290 { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, md5_hmac4 },
291 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, md5_hmac6 },
292 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, md5_hmac7 },
293 { 0, NULL, 0, NULL, NULL }
294 };
295
296 static struct hash_desc crypto_hasher_md5 =
297 {
298 algo_type: IKE_ALG_HASH,
299 algo_id: OAKLEY_MD5,
300 algo_next: NULL,
301 hash_ctx_size: sizeof(MD5_CTX),
302 hash_block_size: MD5_BLOCK_SIZE,
303 hash_digest_size: MD5_DIGEST_SIZE,
304 hash_testvectors: md5_hash_testvectors,
305 hmac_testvectors: md5_hmac_testvectors,
306 hash_init: (void (*)(void *)) MD5Init,
307 hash_update: (void (*)(void *, const u_int8_t *, size_t)) MD5Update,
308 hash_final: (void (*)(u_char *, void *)) MD5Final
309 };
310
311 /* SHA-1 test vectors
312 * from "The Secure Hash Algorithm Validation System (SHAVS)"
313 * July 22, 2004, Lawrence E. Bassham III, NIST
314 */
315
316 static const u_char sha1_short2_msg[] = {
317 0x5e
318 };
319
320 static const u_char sha1_short2_msg_digest[] = {
321 0x5e, 0x6f, 0x80, 0xa3, 0x4a, 0x97, 0x98, 0xca,
322 0xfc, 0x6a, 0x5d, 0xb9, 0x6c, 0xc5, 0x7b, 0xa4,
323 0xc4, 0xdb, 0x59, 0xc2
324 };
325
326 static const u_char sha1_short4_msg[] = {
327 0x9a, 0x7d, 0xfd, 0xf1, 0xec, 0xea, 0xd0, 0x6e,
328 0xd6, 0x46, 0xaa, 0x55, 0xfe, 0x75, 0x71, 0x46
329 };
330
331 static const u_char sha1_short4_msg_digest[] = {
332 0x82, 0xab, 0xff, 0x66, 0x05, 0xdb, 0xe1, 0xc1,
333 0x7d, 0xef, 0x12, 0xa3, 0x94, 0xfa, 0x22, 0xa8,
334 0x2b, 0x54, 0x4a, 0x35
335 };
336
337 static const u_char sha1_long2_msg[] = {
338 0xf7, 0x8f, 0x92, 0x14, 0x1b, 0xcd, 0x17, 0x0a,
339 0xe8, 0x9b, 0x4f, 0xba, 0x15, 0xa1, 0xd5, 0x9f,
340 0x3f, 0xd8, 0x4d, 0x22, 0x3c, 0x92, 0x51, 0xbd,
341 0xac, 0xbb, 0xae, 0x61, 0xd0, 0x5e, 0xd1, 0x15,
342 0xa0, 0x6a, 0x7c, 0xe1, 0x17, 0xb7, 0xbe, 0xea,
343 0xd2, 0x44, 0x21, 0xde, 0xd9, 0xc3, 0x25, 0x92,
344 0xbd, 0x57, 0xed, 0xea, 0xe3, 0x9c, 0x39, 0xfa,
345 0x1f, 0xe8, 0x94, 0x6a, 0x84, 0xd0, 0xcf, 0x1f,
346 0x7b, 0xee, 0xad, 0x17, 0x13, 0xe2, 0xe0, 0x95,
347 0x98, 0x97, 0x34, 0x7f, 0x67, 0xc8, 0x0b, 0x04,
348 0x00, 0xc2, 0x09, 0x81, 0x5d, 0x6b, 0x10, 0xa6,
349 0x83, 0x83, 0x6f, 0xd5, 0x56, 0x2a, 0x56, 0xca,
350 0xb1, 0xa2, 0x8e, 0x81, 0xb6, 0x57, 0x66, 0x54,
351 0x63, 0x1c, 0xf1, 0x65, 0x66, 0xb8, 0x6e, 0x3b,
352 0x33, 0xa1, 0x08, 0xb0, 0x53, 0x07, 0xc0, 0x0a,
353 0xff, 0x14, 0xa7, 0x68, 0xed, 0x73, 0x50, 0x60,
354 0x6a, 0x0f, 0x85, 0xe6, 0xa9, 0x1d, 0x39, 0x6f,
355 0x5b, 0x5c, 0xbe, 0x57, 0x7f, 0x9b, 0x38, 0x80,
356 0x7c, 0x7d, 0x52, 0x3d, 0x6d, 0x79, 0x2f, 0x6e,
357 0xbc, 0x24, 0xa4, 0xec, 0xf2, 0xb3, 0xa4, 0x27,
358 0xcd, 0xbb, 0xfb
359 };
360
361 static const u_char sha1_long2_msg_digest[] = {
362 0xcb, 0x00, 0x82, 0xc8, 0xf1, 0x97, 0xd2, 0x60,
363 0x99, 0x1b, 0xa6, 0xa4, 0x60, 0xe7, 0x6e, 0x20,
364 0x2b, 0xad, 0x27, 0xb3
365 };
366
367 static const hash_testvector_t sha1_hash_testvectors[] = {
368 { sizeof(sha1_short2_msg), sha1_short2_msg, sha1_short2_msg_digest },
369 { sizeof(sha1_short4_msg), sha1_short4_msg, sha1_short4_msg_digest },
370 { sizeof(sha1_long2_msg), sha1_long2_msg, sha1_long2_msg_digest },
371 { 0, NULL, NULL }
372 };
373
374 /* SHA-1 hmac test vectors
375 * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
376 * September 1997, P. Cheng, IBM & R. Glenn, NIST
377 */
378
379 static const u_char sha1_hmac1_key[] = {
380 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
381 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
382 0x0b, 0x0b, 0x0b, 0x0b
383 };
384
385 static const u_char sha1_hmac1[] = {
386 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
387 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
388 0xf1, 0x46, 0xbe, 0x00
389 };
390
391 static const u_char sha1_hmac2[] = {
392 0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
393 0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
394 0x25, 0x9a, 0x7c, 0x79
395 };
396
397 static const u_char sha1_hmac3_key[] = {
398 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
399 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
400 0xaa, 0xaa, 0xaa, 0xaa
401 };
402
403 static const u_char sha1_hmac3[] = {
404 0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
405 0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
406 0x63, 0xf1, 0x75, 0xd3
407 };
408
409 static const u_char sha1_hmac4[] = {
410 0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
411 0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
412 0x2d, 0x72, 0x35, 0xda
413 };
414
415 static const u_char sha1_hmac6[] = {
416 0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
417 0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
418 0xed, 0x40, 0x21, 0x12
419 };
420
421 static const u_char sha1_hmac7[] = {
422 0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
423 0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
424 0xbb, 0xff, 0x1a, 0x91
425 };
426
427 static const hmac_testvector_t sha1_hmac_testvectors[] = {
428 { sizeof(sha1_hmac1_key), sha1_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, sha1_hmac1 },
429 { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, sha1_hmac2 },
430 { sizeof(sha1_hmac3_key), sha1_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, sha1_hmac3 },
431 { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, sha1_hmac4 },
432 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, sha1_hmac6 },
433 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, sha1_hmac7 },
434 { 0, NULL, 0, NULL, NULL }
435 };
436
437 static struct hash_desc crypto_hasher_sha1 =
438 {
439 algo_type: IKE_ALG_HASH,
440 algo_id: OAKLEY_SHA,
441 algo_next: NULL,
442 hash_ctx_size: sizeof(SHA1_CTX),
443 hash_block_size: SHA1_BLOCK_SIZE,
444 hash_digest_size: SHA1_DIGEST_SIZE,
445 hash_testvectors: sha1_hash_testvectors,
446 hmac_testvectors: sha1_hmac_testvectors,
447 hash_init: (void (*)(void *)) SHA1Init,
448 hash_update: (void (*)(void *, const u_int8_t *, size_t)) SHA1Update,
449 hash_final: (void (*)(u_char *, void *)) SHA1Final
450 };
451
452 void init_crypto(void)
453 {
454 if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0
455 || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0
456 || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0
457 || mpz_init_set_str(&modp2048_modulus, MODP2048_MODULUS, 16) != 0
458 || mpz_init_set_str(&modp3072_modulus, MODP3072_MODULUS, 16) != 0
459 || mpz_init_set_str(&modp4096_modulus, MODP4096_MODULUS, 16) != 0
460 || mpz_init_set_str(&modp6144_modulus, MODP6144_MODULUS, 16) != 0
461 || mpz_init_set_str(&modp8192_modulus, MODP8192_MODULUS, 16) != 0)
462 exit_log("mpz_init_set_str() failed in init_crypto()");
463
464 ike_alg_add((struct ike_alg *) &crypto_encryptor_3des);
465 ike_alg_add((struct ike_alg *) &crypto_hasher_sha1);
466 ike_alg_add((struct ike_alg *) &crypto_hasher_md5);
467 ike_alg_init();
468 ike_alg_test();
469 }
470
471 void free_crypto(void)
472 {
473 mpz_clear(&groupgenerator);
474 mpz_clear(&modp1024_modulus);
475 mpz_clear(&modp1536_modulus);
476 mpz_clear(&modp2048_modulus);
477 mpz_clear(&modp3072_modulus);
478 mpz_clear(&modp4096_modulus);
479 mpz_clear(&modp6144_modulus);
480 mpz_clear(&modp8192_modulus);
481 }
482
483 /* Oakley group description
484 *
485 * See RFC2409 "The Internet key exchange (IKE)" 6.
486 */
487
488 const struct oakley_group_desc unset_group = {0, NULL, 0}; /* magic signifier */
489
490 const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE] = {
491 # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
492 { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) },
493 { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) },
494 { OAKLEY_GROUP_MODP2048, &modp2048_modulus, BYTES(2048) },
495 { OAKLEY_GROUP_MODP3072, &modp3072_modulus, BYTES(3072) },
496 { OAKLEY_GROUP_MODP4096, &modp4096_modulus, BYTES(4096) },
497 { OAKLEY_GROUP_MODP6144, &modp6144_modulus, BYTES(6144) },
498 { OAKLEY_GROUP_MODP8192, &modp8192_modulus, BYTES(8192) },
499 # undef BYTES
500 };
501
502 const struct oakley_group_desc *lookup_group(u_int16_t group)
503 {
504 int i;
505
506 for (i = 0; i != countof(oakley_group); i++)
507 if (group == oakley_group[i].group)
508 return &oakley_group[i];
509 return NULL;
510 }
511
512 /* Encryption Routines
513 *
514 * Each uses and updates the state object's st_new_iv.
515 * This must already be initialized.
516 */
517
518 /* encrypt or decrypt part of an IKE message using DES
519 * See RFC 2409 "IKE" Appendix B
520 */
521 static void __attribute__ ((unused))
522 do_des(bool enc, void *buf, size_t buf_len, struct state *st)
523 {
524 des_key_schedule ks;
525
526 (void) des_set_key((des_cblock *)st->st_enc_key.ptr, ks);
527
528 passert(st->st_new_iv_len >= DES_CBC_BLOCK_SIZE);
529 st->st_new_iv_len = DES_CBC_BLOCK_SIZE; /* truncate */
530
531 des_ncbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
532 ks,
533 (des_cblock *)st->st_new_iv, enc);
534 }
535
536 /* encrypt or decrypt part of an IKE message using 3DES
537 * See RFC 2409 "IKE" Appendix B
538 */
539 static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key,
540 size_t key_size, u_int8_t *iv, bool enc)
541 {
542 des_key_schedule ks[3];
543
544 passert (!key_size || (key_size==(DES_CBC_BLOCK_SIZE * 3)))
545 (void) des_set_key((des_cblock *)key + 0, ks[0]);
546 (void) des_set_key((des_cblock *)key + 1, ks[1]);
547 (void) des_set_key((des_cblock *)key + 2, ks[2]);
548
549 des_ede3_cbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
550 ks[0], ks[1], ks[2],
551 (des_cblock *)iv, enc);
552 }
553
554 /* hash and prf routines */
555 void crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf,
556 size_t size, struct state *st)
557 {
558 passert(st->st_new_iv_len >= e->enc_blocksize);
559 st->st_new_iv_len = e->enc_blocksize; /* truncate */
560
561 e->do_crypt(buf, size, st->st_enc_key.ptr, st->st_enc_key.len, st->st_new_iv, enc);
562 /*
563 e->set_key(&ctx, st->st_enc_key.ptr, st->st_enc_key.len);
564 e->cbc_crypt(&ctx, buf, size, st->st_new_iv, enc);
565 */
566 }
567
568 /* HMAC package
569 * rfc2104.txt specifies how HMAC works.
570 */
571
572 void hmac_init(struct hmac_ctx *ctx, const struct hash_desc *h,
573 const u_char *key, size_t key_len)
574 {
575 int k;
576
577 ctx->h = h;
578 ctx->hmac_digest_size = h->hash_digest_size;
579
580 /* Prepare the two pads for the HMAC */
581
582 memset(ctx->buf1, '\0', h->hash_block_size);
583
584 if (key_len <= h->hash_block_size)
585 {
586 memcpy(ctx->buf1, key, key_len);
587 }
588 else
589 {
590 h->hash_init(&ctx->hash_ctx);
591 h->hash_update(&ctx->hash_ctx, key, key_len);
592 h->hash_final(ctx->buf1, &ctx->hash_ctx);
593 }
594
595 memcpy(ctx->buf2, ctx->buf1, h->hash_block_size);
596
597 for (k = 0; k < h->hash_block_size; k++)
598 {
599 ctx->buf1[k] ^= HMAC_IPAD;
600 ctx->buf2[k] ^= HMAC_OPAD;
601 }
602
603 hmac_reinit(ctx);
604 }
605
606 void hmac_reinit(struct hmac_ctx *ctx)
607 {
608 ctx->h->hash_init(&ctx->hash_ctx);
609 ctx->h->hash_update(&ctx->hash_ctx, ctx->buf1, ctx->h->hash_block_size);
610 }
611
612 void hmac_update(struct hmac_ctx *ctx,
613 const u_char *data, size_t data_len)
614 {
615 ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
616 }
617
618 void hmac_final(u_char *output, struct hmac_ctx *ctx)
619 {
620 const struct hash_desc *h = ctx->h;
621
622 h->hash_final(output, &ctx->hash_ctx);
623
624 h->hash_init(&ctx->hash_ctx);
625 h->hash_update(&ctx->hash_ctx, ctx->buf2, h->hash_block_size);
626 h->hash_update(&ctx->hash_ctx, output, h->hash_digest_size);
627 h->hash_final(output, &ctx->hash_ctx);
628 }
629
630 hash_algorithm_t oakley_to_hash_algorithm(int alg)
631 {
632 switch (alg)
633 {
634 case OAKLEY_MD5:
635 return HASH_MD5;
636 case OAKLEY_SHA:
637 return HASH_SHA1;
638 case OAKLEY_SHA2_256:
639 return HASH_SHA256;
640 case OAKLEY_SHA2_384:
641 return HASH_SHA384;
642 case OAKLEY_SHA2_512:
643 return HASH_SHA512;
644 default:
645 return HASH_UNKNOWN;
646 }
647 }
648
649 pseudo_random_function_t oakley_to_prf(int alg)
650 {
651 switch (alg)
652 {
653 case OAKLEY_MD5:
654 return PRF_HMAC_MD5;
655 case OAKLEY_SHA:
656 return PRF_HMAC_SHA1;
657 case OAKLEY_SHA2_256:
658 return PRF_HMAC_SHA2_256;
659 case OAKLEY_SHA2_384:
660 return PRF_HMAC_SHA2_384;
661 case OAKLEY_SHA2_512:
662 return PRF_HMAC_SHA2_512;
663 default:
664 return PRF_UNDEFINED;
665 }
666 }