8f9e2accc7d0f34c199adbc5cf771b7e8681662e
[strongswan.git] / src / pluto / crypto.c
1 /* crypto interfaces
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 * Copyright (C) 2007 Andreas Steffen
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <string.h>
18 #include <stddef.h>
19 #include <sys/types.h>
20
21 #include <freeswan.h>
22 #define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
23 #include <libdes/des.h>
24
25 #include <errno.h>
26
27 #include "constants.h"
28 #include "defs.h"
29 #include "state.h"
30 #include "log.h"
31 #include "md5.h"
32 #include "sha1.h"
33 #include "crypto.h" /* requires sha1.h and md5.h */
34 #include "alg_info.h"
35 #include "ike_alg.h"
36
37
38 /* moduli and generator. */
39
40 static MP_INT
41 modp1024_modulus,
42 modp1536_modulus,
43 modp2048_modulus,
44 modp3072_modulus,
45 modp4096_modulus,
46 modp6144_modulus,
47 modp8192_modulus;
48
49 MP_INT groupgenerator; /* MODP group generator (2) */
50
51 static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
52
53 static struct encrypt_desc crypto_encryptor_3des =
54 {
55 algo_type: IKE_ALG_ENCRYPT,
56 algo_id: OAKLEY_3DES_CBC,
57 algo_next: NULL,
58 enc_ctxsize: sizeof(des_key_schedule) * 3,
59 enc_blocksize: DES_CBC_BLOCK_SIZE,
60 keydeflen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
61 keyminlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
62 keymaxlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
63 do_crypt: do_3des,
64 };
65
66 /* MD5 hash test vectors
67 * from RFC 1321 "MD5 Message-Digest Algorithm"
68 * April 1992, R. Rivest, RSA Data Security
69 */
70
71 static const u_char md5_test0_msg[] = {
72
73 };
74
75 static const u_char md5_test0_msg_digest[] = {
76 0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
77 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
78 };
79
80 static const u_char md5_test1_msg[] = {
81 0x61
82 };
83
84 static const u_char md5_test1_msg_digest[] = {
85 0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
86 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
87 };
88
89 static const u_char md5_test2_msg[] = {
90 0x61, 0x62, 0x63
91 };
92
93 static const u_char md5_test2_msg_digest[] = {
94 0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0,
95 0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72
96 };
97
98 static const u_char md5_test3_msg[] = {
99 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20,
100 0x64, 0x69, 0x67, 0x65, 0x73, 0x74
101 };
102
103 static const u_char md5_test3_msg_digest[] = {
104 0xf9, 0x6b, 0x69, 0x7d, 0x7c, 0xb7, 0x93, 0x8d,
105 0x52, 0x5a, 0x2f, 0x31, 0xaa, 0xf1, 0x61, 0xd0
106 };
107
108 static const u_char md5_test4_msg[] = {
109 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
110 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
111 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
112 0x79, 0x7a
113 };
114
115 static const u_char md5_test4_msg_digest[] = {
116 0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00,
117 0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b
118 };
119
120 static const u_char md5_test5_msg[] = {
121 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
122 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
123 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
124 0x59, 0x5a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
125 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
126 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
127 0x77, 0x78, 0x79, 0x7a, 0x30, 0x31, 0x32, 0x33,
128 0x34, 0x35, 0x36, 0x37, 0x38, 0x39
129 };
130
131 static const u_char md5_test5_msg_digest[] = {
132 0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5,
133 0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f
134 };
135
136 static const u_char md5_test6_msg[] = {
137 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
138 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
139 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
140 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
141 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
142 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
143 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
144 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
145 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
146 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30
147 };
148
149 static const u_char md5_test6_msg_digest[] = {
150 0x57, 0xed, 0xf4, 0xa2, 0x2b, 0xe3, 0xc9, 0x55,
151 0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a
152 };
153
154 static const hash_testvector_t md5_hash_testvectors[] = {
155 { sizeof(md5_test0_msg), md5_test0_msg, md5_test0_msg_digest },
156 { sizeof(md5_test1_msg), md5_test1_msg, md5_test1_msg_digest },
157 { sizeof(md5_test2_msg), md5_test2_msg, md5_test2_msg_digest },
158 { sizeof(md5_test3_msg), md5_test3_msg, md5_test3_msg_digest },
159 { sizeof(md5_test4_msg), md5_test4_msg, md5_test4_msg_digest },
160 { sizeof(md5_test5_msg), md5_test5_msg, md5_test5_msg_digest },
161 { sizeof(md5_test6_msg), md5_test6_msg, md5_test6_msg_digest },
162 { 0, NULL, NULL }
163 };
164
165 /* MD5 hmac test vectors
166 * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
167 * September 1997, P. Cheng, IBM & R. Glenn, NIST
168 */
169
170 static const u_char md5_hmac1_key[] = {
171 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
172 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
173 };
174
175 static const u_char md5_hmac1_msg[] = {
176 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
177 };
178
179 static const u_char md5_hmac1[] = {
180 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
181 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
182 };
183
184 static const u_char md5_hmac2_key[] = {
185 0x4a, 0x65, 0x66, 0x65
186 };
187
188 static const u_char md5_hmac2_msg[] = {
189 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
190 0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
191 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
192 0x69, 0x6e, 0x67, 0x3f
193 };
194
195 static const u_char md5_hmac2[] = {
196 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
197 0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38
198 };
199
200 static const u_char md5_hmac3_key[] = {
201 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
202 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
203 };
204
205 static const u_char md5_hmac3_msg[] = {
206 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
207 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
208 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
209 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
210 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
211 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
212 0xdd, 0xdd
213 };
214
215 static const u_char md5_hmac3[] = {
216 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88,
217 0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6
218 };
219
220 static const u_char md5_hmac4_key[] = {
221 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
222 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
223 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
224 0x19
225 };
226
227 static const u_char md5_hmac4_msg[] = {
228 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
229 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
230 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
231 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
232 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
233 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
234 0xcd, 0xcd
235 };
236
237 static const u_char md5_hmac4[] = {
238 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea,
239 0x3a, 0x75, 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79
240 };
241
242 static const u_char md5_hmac6_key[] = {
243 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
244 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
245 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
246 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
247 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
248 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
249 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
250 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
251 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
252 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
253 };
254
255 static const u_char md5_hmac6_msg[] = {
256 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
257 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
258 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
259 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
260 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
261 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
262 0x20, 0x46, 0x69, 0x72, 0x73, 0x74
263 };
264
265 static const u_char md5_hmac6[] = {
266 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f,
267 0x0b, 0x62, 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd
268 };
269
270 static const u_char md5_hmac7_msg[] = {
271 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
272 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
273 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
274 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
275 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x61, 0x6e,
276 0x64, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72,
277 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x4f, 0x6e,
278 0x65, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d,
279 0x53, 0x69, 0x7a, 0x65, 0x20, 0x44, 0x61, 0x74,
280 0x61
281 };
282
283 static const u_char md5_hmac7[] = {
284 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee,
285 0x1f, 0xb1, 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e
286 };
287
288 static const hmac_testvector_t md5_hmac_testvectors[] = {
289 { sizeof(md5_hmac1_key), md5_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, md5_hmac1 },
290 { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, md5_hmac2 },
291 { sizeof(md5_hmac3_key), md5_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, md5_hmac3 },
292 { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, md5_hmac4 },
293 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, md5_hmac6 },
294 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, md5_hmac7 },
295 { 0, NULL, 0, NULL, NULL }
296 };
297
298 static struct hash_desc crypto_hasher_md5 =
299 {
300 algo_type: IKE_ALG_HASH,
301 algo_id: OAKLEY_MD5,
302 algo_next: NULL,
303 hash_ctx_size: sizeof(MD5_CTX),
304 hash_block_size: MD5_BLOCK_SIZE,
305 hash_digest_size: MD5_DIGEST_SIZE,
306 hash_testvectors: md5_hash_testvectors,
307 hmac_testvectors: md5_hmac_testvectors,
308 hash_init: (void (*)(void *)) MD5Init,
309 hash_update: (void (*)(void *, const u_int8_t *, size_t)) MD5Update,
310 hash_final: (void (*)(u_char *, void *)) MD5Final
311 };
312
313 /* SHA-1 test vectors
314 * from "The Secure Hash Algorithm Validation System (SHAVS)"
315 * July 22, 2004, Lawrence E. Bassham III, NIST
316 */
317
318 static const u_char sha1_short2_msg[] = {
319 0x5e
320 };
321
322 static const u_char sha1_short2_msg_digest[] = {
323 0x5e, 0x6f, 0x80, 0xa3, 0x4a, 0x97, 0x98, 0xca,
324 0xfc, 0x6a, 0x5d, 0xb9, 0x6c, 0xc5, 0x7b, 0xa4,
325 0xc4, 0xdb, 0x59, 0xc2
326 };
327
328 static const u_char sha1_short4_msg[] = {
329 0x9a, 0x7d, 0xfd, 0xf1, 0xec, 0xea, 0xd0, 0x6e,
330 0xd6, 0x46, 0xaa, 0x55, 0xfe, 0x75, 0x71, 0x46
331 };
332
333 static const u_char sha1_short4_msg_digest[] = {
334 0x82, 0xab, 0xff, 0x66, 0x05, 0xdb, 0xe1, 0xc1,
335 0x7d, 0xef, 0x12, 0xa3, 0x94, 0xfa, 0x22, 0xa8,
336 0x2b, 0x54, 0x4a, 0x35
337 };
338
339 static const u_char sha1_long2_msg[] = {
340 0xf7, 0x8f, 0x92, 0x14, 0x1b, 0xcd, 0x17, 0x0a,
341 0xe8, 0x9b, 0x4f, 0xba, 0x15, 0xa1, 0xd5, 0x9f,
342 0x3f, 0xd8, 0x4d, 0x22, 0x3c, 0x92, 0x51, 0xbd,
343 0xac, 0xbb, 0xae, 0x61, 0xd0, 0x5e, 0xd1, 0x15,
344 0xa0, 0x6a, 0x7c, 0xe1, 0x17, 0xb7, 0xbe, 0xea,
345 0xd2, 0x44, 0x21, 0xde, 0xd9, 0xc3, 0x25, 0x92,
346 0xbd, 0x57, 0xed, 0xea, 0xe3, 0x9c, 0x39, 0xfa,
347 0x1f, 0xe8, 0x94, 0x6a, 0x84, 0xd0, 0xcf, 0x1f,
348 0x7b, 0xee, 0xad, 0x17, 0x13, 0xe2, 0xe0, 0x95,
349 0x98, 0x97, 0x34, 0x7f, 0x67, 0xc8, 0x0b, 0x04,
350 0x00, 0xc2, 0x09, 0x81, 0x5d, 0x6b, 0x10, 0xa6,
351 0x83, 0x83, 0x6f, 0xd5, 0x56, 0x2a, 0x56, 0xca,
352 0xb1, 0xa2, 0x8e, 0x81, 0xb6, 0x57, 0x66, 0x54,
353 0x63, 0x1c, 0xf1, 0x65, 0x66, 0xb8, 0x6e, 0x3b,
354 0x33, 0xa1, 0x08, 0xb0, 0x53, 0x07, 0xc0, 0x0a,
355 0xff, 0x14, 0xa7, 0x68, 0xed, 0x73, 0x50, 0x60,
356 0x6a, 0x0f, 0x85, 0xe6, 0xa9, 0x1d, 0x39, 0x6f,
357 0x5b, 0x5c, 0xbe, 0x57, 0x7f, 0x9b, 0x38, 0x80,
358 0x7c, 0x7d, 0x52, 0x3d, 0x6d, 0x79, 0x2f, 0x6e,
359 0xbc, 0x24, 0xa4, 0xec, 0xf2, 0xb3, 0xa4, 0x27,
360 0xcd, 0xbb, 0xfb
361 };
362
363 static const u_char sha1_long2_msg_digest[] = {
364 0xcb, 0x00, 0x82, 0xc8, 0xf1, 0x97, 0xd2, 0x60,
365 0x99, 0x1b, 0xa6, 0xa4, 0x60, 0xe7, 0x6e, 0x20,
366 0x2b, 0xad, 0x27, 0xb3
367 };
368
369 static const hash_testvector_t sha1_hash_testvectors[] = {
370 { sizeof(sha1_short2_msg), sha1_short2_msg, sha1_short2_msg_digest },
371 { sizeof(sha1_short4_msg), sha1_short4_msg, sha1_short4_msg_digest },
372 { sizeof(sha1_long2_msg), sha1_long2_msg, sha1_long2_msg_digest },
373 { 0, NULL, NULL }
374 };
375
376 /* SHA-1 hmac test vectors
377 * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
378 * September 1997, P. Cheng, IBM & R. Glenn, NIST
379 */
380
381 static const u_char sha1_hmac1_key[] = {
382 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
383 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
384 0x0b, 0x0b, 0x0b, 0x0b
385 };
386
387 static const u_char sha1_hmac1[] = {
388 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
389 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
390 0xf1, 0x46, 0xbe, 0x00
391 };
392
393 static const u_char sha1_hmac2[] = {
394 0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
395 0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
396 0x25, 0x9a, 0x7c, 0x79
397 };
398
399 static const u_char sha1_hmac3_key[] = {
400 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
401 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
402 0xaa, 0xaa, 0xaa, 0xaa
403 };
404
405 static const u_char sha1_hmac3[] = {
406 0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
407 0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
408 0x63, 0xf1, 0x75, 0xd3
409 };
410
411 static const u_char sha1_hmac4[] = {
412 0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
413 0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
414 0x2d, 0x72, 0x35, 0xda
415 };
416
417 static const u_char sha1_hmac6[] = {
418 0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
419 0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
420 0xed, 0x40, 0x21, 0x12
421 };
422
423 static const u_char sha1_hmac7[] = {
424 0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
425 0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
426 0xbb, 0xff, 0x1a, 0x91
427 };
428
429 static const hmac_testvector_t sha1_hmac_testvectors[] = {
430 { sizeof(sha1_hmac1_key), sha1_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, sha1_hmac1 },
431 { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, sha1_hmac2 },
432 { sizeof(sha1_hmac3_key), sha1_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, sha1_hmac3 },
433 { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, sha1_hmac4 },
434 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, sha1_hmac6 },
435 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, sha1_hmac7 },
436 { 0, NULL, 0, NULL, NULL }
437 };
438
439 static struct hash_desc crypto_hasher_sha1 =
440 {
441 algo_type: IKE_ALG_HASH,
442 algo_id: OAKLEY_SHA,
443 algo_next: NULL,
444 hash_ctx_size: sizeof(SHA1_CTX),
445 hash_block_size: SHA1_BLOCK_SIZE,
446 hash_digest_size: SHA1_DIGEST_SIZE,
447 hash_testvectors: sha1_hash_testvectors,
448 hmac_testvectors: sha1_hmac_testvectors,
449 hash_init: (void (*)(void *)) SHA1Init,
450 hash_update: (void (*)(void *, const u_int8_t *, size_t)) SHA1Update,
451 hash_final: (void (*)(u_char *, void *)) SHA1Final
452 };
453
454 void
455 init_crypto(void)
456 {
457 if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0
458 || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0
459 || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0
460 || mpz_init_set_str(&modp2048_modulus, MODP2048_MODULUS, 16) != 0
461 || mpz_init_set_str(&modp3072_modulus, MODP3072_MODULUS, 16) != 0
462 || mpz_init_set_str(&modp4096_modulus, MODP4096_MODULUS, 16) != 0
463 || mpz_init_set_str(&modp6144_modulus, MODP6144_MODULUS, 16) != 0
464 || mpz_init_set_str(&modp8192_modulus, MODP8192_MODULUS, 16) != 0)
465 exit_log("mpz_init_set_str() failed in init_crypto()");
466
467 ike_alg_add((struct ike_alg *) &crypto_encryptor_3des);
468 ike_alg_add((struct ike_alg *) &crypto_hasher_sha1);
469 ike_alg_add((struct ike_alg *) &crypto_hasher_md5);
470 ike_alg_init();
471 ike_alg_test();
472 }
473
474 void
475 free_crypto(void)
476 {
477 mpz_clear(&groupgenerator);
478 mpz_clear(&modp1024_modulus);
479 mpz_clear(&modp1536_modulus);
480 mpz_clear(&modp2048_modulus);
481 mpz_clear(&modp3072_modulus);
482 mpz_clear(&modp4096_modulus);
483 mpz_clear(&modp6144_modulus);
484 mpz_clear(&modp8192_modulus);
485 }
486
487 /* Oakley group description
488 *
489 * See RFC2409 "The Internet key exchange (IKE)" 6.
490 */
491
492 const struct oakley_group_desc unset_group = {0, NULL, 0}; /* magic signifier */
493
494 const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE] = {
495 # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
496 { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) },
497 { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) },
498 { OAKLEY_GROUP_MODP2048, &modp2048_modulus, BYTES(2048) },
499 { OAKLEY_GROUP_MODP3072, &modp3072_modulus, BYTES(3072) },
500 { OAKLEY_GROUP_MODP4096, &modp4096_modulus, BYTES(4096) },
501 { OAKLEY_GROUP_MODP6144, &modp6144_modulus, BYTES(6144) },
502 { OAKLEY_GROUP_MODP8192, &modp8192_modulus, BYTES(8192) },
503 # undef BYTES
504 };
505
506 const struct oakley_group_desc *
507 lookup_group(u_int16_t group)
508 {
509 int i;
510
511 for (i = 0; i != countof(oakley_group); i++)
512 if (group == oakley_group[i].group)
513 return &oakley_group[i];
514 return NULL;
515 }
516
517 /* Encryption Routines
518 *
519 * Each uses and updates the state object's st_new_iv.
520 * This must already be initialized.
521 */
522
523 /* encrypt or decrypt part of an IKE message using DES
524 * See RFC 2409 "IKE" Appendix B
525 */
526 static void __attribute__ ((unused))
527 do_des(bool enc, void *buf, size_t buf_len, struct state *st)
528 {
529 des_key_schedule ks;
530
531 (void) des_set_key((des_cblock *)st->st_enc_key.ptr, ks);
532
533 passert(st->st_new_iv_len >= DES_CBC_BLOCK_SIZE);
534 st->st_new_iv_len = DES_CBC_BLOCK_SIZE; /* truncate */
535
536 des_ncbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
537 ks,
538 (des_cblock *)st->st_new_iv, enc);
539 }
540
541 /* encrypt or decrypt part of an IKE message using 3DES
542 * See RFC 2409 "IKE" Appendix B
543 */
544 static void
545 do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
546 {
547 des_key_schedule ks[3];
548
549 passert (!key_size || (key_size==(DES_CBC_BLOCK_SIZE * 3)))
550 (void) des_set_key((des_cblock *)key + 0, ks[0]);
551 (void) des_set_key((des_cblock *)key + 1, ks[1]);
552 (void) des_set_key((des_cblock *)key + 2, ks[2]);
553
554 des_ede3_cbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
555 ks[0], ks[1], ks[2],
556 (des_cblock *)iv, enc);
557 }
558
559 /* hash and prf routines */
560 void
561 crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf, size_t size, struct state *st)
562 {
563 passert(st->st_new_iv_len >= e->enc_blocksize);
564 st->st_new_iv_len = e->enc_blocksize; /* truncate */
565
566 e->do_crypt(buf, size, st->st_enc_key.ptr, st->st_enc_key.len, st->st_new_iv, enc);
567 /*
568 e->set_key(&ctx, st->st_enc_key.ptr, st->st_enc_key.len);
569 e->cbc_crypt(&ctx, buf, size, st->st_new_iv, enc);
570 */
571 }
572
573 /* HMAC package
574 * rfc2104.txt specifies how HMAC works.
575 */
576
577 void
578 hmac_init(struct hmac_ctx *ctx,
579 const struct hash_desc *h,
580 const u_char *key, size_t key_len)
581 {
582 int k;
583
584 ctx->h = h;
585 ctx->hmac_digest_size = h->hash_digest_size;
586
587 /* Prepare the two pads for the HMAC */
588
589 memset(ctx->buf1, '\0', h->hash_block_size);
590
591 if (key_len <= h->hash_block_size)
592 {
593 memcpy(ctx->buf1, key, key_len);
594 }
595 else
596 {
597 h->hash_init(&ctx->hash_ctx);
598 h->hash_update(&ctx->hash_ctx, key, key_len);
599 h->hash_final(ctx->buf1, &ctx->hash_ctx);
600 }
601
602 memcpy(ctx->buf2, ctx->buf1, h->hash_block_size);
603
604 for (k = 0; k < h->hash_block_size; k++)
605 {
606 ctx->buf1[k] ^= HMAC_IPAD;
607 ctx->buf2[k] ^= HMAC_OPAD;
608 }
609
610 hmac_reinit(ctx);
611 }
612
613 void
614 hmac_reinit(struct hmac_ctx *ctx)
615 {
616 ctx->h->hash_init(&ctx->hash_ctx);
617 ctx->h->hash_update(&ctx->hash_ctx, ctx->buf1, ctx->h->hash_block_size);
618 }
619
620 void
621 hmac_update(struct hmac_ctx *ctx,
622 const u_char *data, size_t data_len)
623 {
624 ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
625 }
626
627 void
628 hmac_final(u_char *output, struct hmac_ctx *ctx)
629 {
630 const struct hash_desc *h = ctx->h;
631
632 h->hash_final(output, &ctx->hash_ctx);
633
634 h->hash_init(&ctx->hash_ctx);
635 h->hash_update(&ctx->hash_ctx, ctx->buf2, h->hash_block_size);
636 h->hash_update(&ctx->hash_ctx, output, h->hash_digest_size);
637 h->hash_final(output, &ctx->hash_ctx);
638 }