fixed ikev1 iv derivation
[strongswan.git] / src / pluto / crypto.c
1 /* crypto interfaces
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 * Copyright (C) 2007 Andreas Steffen
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <string.h>
18 #include <stddef.h>
19 #include <sys/types.h>
20
21 #include <freeswan.h>
22 #define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
23 #include <libdes/des.h>
24
25 #include <errno.h>
26
27 #include <crypto/hashers/hasher.h>
28
29 #include "constants.h"
30 #include "defs.h"
31 #include "state.h"
32 #include "log.h"
33 #include "crypto.h"
34 #include "alg_info.h"
35 #include "ike_alg.h"
36
37
38 /* moduli and generator. */
39
40 static MP_INT
41 modp1024_modulus,
42 modp1536_modulus,
43 modp2048_modulus,
44 modp3072_modulus,
45 modp4096_modulus,
46 modp6144_modulus,
47 modp8192_modulus;
48
49 MP_INT groupgenerator; /* MODP group generator (2) */
50
51 static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
52
53 static struct encrypt_desc crypto_encryptor_3des =
54 {
55 algo_type: IKE_ALG_ENCRYPT,
56 algo_id: OAKLEY_3DES_CBC,
57 algo_next: NULL,
58 enc_ctxsize: sizeof(des_key_schedule) * 3,
59 enc_blocksize: DES_CBC_BLOCK_SIZE,
60 keydeflen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
61 keyminlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
62 keymaxlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
63 do_crypt: do_3des,
64 enc_testvectors: NULL
65 };
66
67 /* MD5 hash test vectors
68 * from RFC 1321 "MD5 Message-Digest Algorithm"
69 * April 1992, R. Rivest, RSA Data Security
70 */
71
72 static const u_char md5_test0_msg[] = {
73
74 };
75
76 static const u_char md5_test0_msg_digest[] = {
77 0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
78 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
79 };
80
81 static const u_char md5_test1_msg[] = {
82 0x61
83 };
84
85 static const u_char md5_test1_msg_digest[] = {
86 0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
87 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
88 };
89
90 static const u_char md5_test2_msg[] = {
91 0x61, 0x62, 0x63
92 };
93
94 static const u_char md5_test2_msg_digest[] = {
95 0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0,
96 0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72
97 };
98
99 static const u_char md5_test3_msg[] = {
100 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20,
101 0x64, 0x69, 0x67, 0x65, 0x73, 0x74
102 };
103
104 static const u_char md5_test3_msg_digest[] = {
105 0xf9, 0x6b, 0x69, 0x7d, 0x7c, 0xb7, 0x93, 0x8d,
106 0x52, 0x5a, 0x2f, 0x31, 0xaa, 0xf1, 0x61, 0xd0
107 };
108
109 static const u_char md5_test4_msg[] = {
110 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
111 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
112 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
113 0x79, 0x7a
114 };
115
116 static const u_char md5_test4_msg_digest[] = {
117 0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00,
118 0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b
119 };
120
121 static const u_char md5_test5_msg[] = {
122 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
123 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
124 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
125 0x59, 0x5a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
126 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
127 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
128 0x77, 0x78, 0x79, 0x7a, 0x30, 0x31, 0x32, 0x33,
129 0x34, 0x35, 0x36, 0x37, 0x38, 0x39
130 };
131
132 static const u_char md5_test5_msg_digest[] = {
133 0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5,
134 0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f
135 };
136
137 static const u_char md5_test6_msg[] = {
138 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
139 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
140 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
141 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
142 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
143 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
144 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
145 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
146 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
147 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30
148 };
149
150 static const u_char md5_test6_msg_digest[] = {
151 0x57, 0xed, 0xf4, 0xa2, 0x2b, 0xe3, 0xc9, 0x55,
152 0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a
153 };
154
155 static const hash_testvector_t md5_hash_testvectors[] = {
156 { sizeof(md5_test0_msg), md5_test0_msg, md5_test0_msg_digest },
157 { sizeof(md5_test1_msg), md5_test1_msg, md5_test1_msg_digest },
158 { sizeof(md5_test2_msg), md5_test2_msg, md5_test2_msg_digest },
159 { sizeof(md5_test3_msg), md5_test3_msg, md5_test3_msg_digest },
160 { sizeof(md5_test4_msg), md5_test4_msg, md5_test4_msg_digest },
161 { sizeof(md5_test5_msg), md5_test5_msg, md5_test5_msg_digest },
162 { sizeof(md5_test6_msg), md5_test6_msg, md5_test6_msg_digest },
163 { 0, NULL, NULL }
164 };
165
166 /* MD5 hmac test vectors
167 * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
168 * September 1997, P. Cheng, IBM & R. Glenn, NIST
169 */
170
171 static const u_char md5_hmac1_key[] = {
172 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
173 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
174 };
175
176 static const u_char md5_hmac1_msg[] = {
177 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
178 };
179
180 static const u_char md5_hmac1[] = {
181 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
182 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
183 };
184
185 static const u_char md5_hmac2_key[] = {
186 0x4a, 0x65, 0x66, 0x65
187 };
188
189 static const u_char md5_hmac2_msg[] = {
190 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
191 0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
192 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
193 0x69, 0x6e, 0x67, 0x3f
194 };
195
196 static const u_char md5_hmac2[] = {
197 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
198 0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38
199 };
200
201 static const u_char md5_hmac3_key[] = {
202 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
203 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
204 };
205
206 static const u_char md5_hmac3_msg[] = {
207 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
208 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
209 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
210 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
211 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
212 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
213 0xdd, 0xdd
214 };
215
216 static const u_char md5_hmac3[] = {
217 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88,
218 0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6
219 };
220
221 static const u_char md5_hmac4_key[] = {
222 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
223 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
224 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
225 0x19
226 };
227
228 static const u_char md5_hmac4_msg[] = {
229 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
230 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
231 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
232 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
233 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
234 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
235 0xcd, 0xcd
236 };
237
238 static const u_char md5_hmac4[] = {
239 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea,
240 0x3a, 0x75, 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79
241 };
242
243 static const u_char md5_hmac6_key[] = {
244 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
245 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
246 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
247 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
248 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
249 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
250 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
251 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
252 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
253 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
254 };
255
256 static const u_char md5_hmac6_msg[] = {
257 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
258 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
259 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
260 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
261 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
262 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
263 0x20, 0x46, 0x69, 0x72, 0x73, 0x74
264 };
265
266 static const u_char md5_hmac6[] = {
267 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f,
268 0x0b, 0x62, 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd
269 };
270
271 static const u_char md5_hmac7_msg[] = {
272 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
273 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
274 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
275 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
276 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x61, 0x6e,
277 0x64, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72,
278 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x4f, 0x6e,
279 0x65, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d,
280 0x53, 0x69, 0x7a, 0x65, 0x20, 0x44, 0x61, 0x74,
281 0x61
282 };
283
284 static const u_char md5_hmac7[] = {
285 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee,
286 0x1f, 0xb1, 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e
287 };
288
289 static const hmac_testvector_t md5_hmac_testvectors[] = {
290 { sizeof(md5_hmac1_key), md5_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, md5_hmac1 },
291 { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, md5_hmac2 },
292 { sizeof(md5_hmac3_key), md5_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, md5_hmac3 },
293 { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, md5_hmac4 },
294 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, md5_hmac6 },
295 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, md5_hmac7 },
296 { 0, NULL, 0, NULL, NULL }
297 };
298
299 static struct hash_desc crypto_hasher_md5 =
300 {
301 algo_type: IKE_ALG_HASH,
302 algo_id: OAKLEY_MD5,
303 algo_next: NULL,
304 hash_digest_size: HASH_SIZE_MD5,
305 hash_testvectors: md5_hash_testvectors,
306 hmac_testvectors: md5_hmac_testvectors,
307 };
308
309 /* SHA-1 test vectors
310 * from "The Secure Hash Algorithm Validation System (SHAVS)"
311 * July 22, 2004, Lawrence E. Bassham III, NIST
312 */
313
314 static const u_char sha1_short2_msg[] = {
315 0x5e
316 };
317
318 static const u_char sha1_short2_msg_digest[] = {
319 0x5e, 0x6f, 0x80, 0xa3, 0x4a, 0x97, 0x98, 0xca,
320 0xfc, 0x6a, 0x5d, 0xb9, 0x6c, 0xc5, 0x7b, 0xa4,
321 0xc4, 0xdb, 0x59, 0xc2
322 };
323
324 static const u_char sha1_short4_msg[] = {
325 0x9a, 0x7d, 0xfd, 0xf1, 0xec, 0xea, 0xd0, 0x6e,
326 0xd6, 0x46, 0xaa, 0x55, 0xfe, 0x75, 0x71, 0x46
327 };
328
329 static const u_char sha1_short4_msg_digest[] = {
330 0x82, 0xab, 0xff, 0x66, 0x05, 0xdb, 0xe1, 0xc1,
331 0x7d, 0xef, 0x12, 0xa3, 0x94, 0xfa, 0x22, 0xa8,
332 0x2b, 0x54, 0x4a, 0x35
333 };
334
335 static const u_char sha1_long2_msg[] = {
336 0xf7, 0x8f, 0x92, 0x14, 0x1b, 0xcd, 0x17, 0x0a,
337 0xe8, 0x9b, 0x4f, 0xba, 0x15, 0xa1, 0xd5, 0x9f,
338 0x3f, 0xd8, 0x4d, 0x22, 0x3c, 0x92, 0x51, 0xbd,
339 0xac, 0xbb, 0xae, 0x61, 0xd0, 0x5e, 0xd1, 0x15,
340 0xa0, 0x6a, 0x7c, 0xe1, 0x17, 0xb7, 0xbe, 0xea,
341 0xd2, 0x44, 0x21, 0xde, 0xd9, 0xc3, 0x25, 0x92,
342 0xbd, 0x57, 0xed, 0xea, 0xe3, 0x9c, 0x39, 0xfa,
343 0x1f, 0xe8, 0x94, 0x6a, 0x84, 0xd0, 0xcf, 0x1f,
344 0x7b, 0xee, 0xad, 0x17, 0x13, 0xe2, 0xe0, 0x95,
345 0x98, 0x97, 0x34, 0x7f, 0x67, 0xc8, 0x0b, 0x04,
346 0x00, 0xc2, 0x09, 0x81, 0x5d, 0x6b, 0x10, 0xa6,
347 0x83, 0x83, 0x6f, 0xd5, 0x56, 0x2a, 0x56, 0xca,
348 0xb1, 0xa2, 0x8e, 0x81, 0xb6, 0x57, 0x66, 0x54,
349 0x63, 0x1c, 0xf1, 0x65, 0x66, 0xb8, 0x6e, 0x3b,
350 0x33, 0xa1, 0x08, 0xb0, 0x53, 0x07, 0xc0, 0x0a,
351 0xff, 0x14, 0xa7, 0x68, 0xed, 0x73, 0x50, 0x60,
352 0x6a, 0x0f, 0x85, 0xe6, 0xa9, 0x1d, 0x39, 0x6f,
353 0x5b, 0x5c, 0xbe, 0x57, 0x7f, 0x9b, 0x38, 0x80,
354 0x7c, 0x7d, 0x52, 0x3d, 0x6d, 0x79, 0x2f, 0x6e,
355 0xbc, 0x24, 0xa4, 0xec, 0xf2, 0xb3, 0xa4, 0x27,
356 0xcd, 0xbb, 0xfb
357 };
358
359 static const u_char sha1_long2_msg_digest[] = {
360 0xcb, 0x00, 0x82, 0xc8, 0xf1, 0x97, 0xd2, 0x60,
361 0x99, 0x1b, 0xa6, 0xa4, 0x60, 0xe7, 0x6e, 0x20,
362 0x2b, 0xad, 0x27, 0xb3
363 };
364
365 static const hash_testvector_t sha1_hash_testvectors[] = {
366 { sizeof(sha1_short2_msg), sha1_short2_msg, sha1_short2_msg_digest },
367 { sizeof(sha1_short4_msg), sha1_short4_msg, sha1_short4_msg_digest },
368 { sizeof(sha1_long2_msg), sha1_long2_msg, sha1_long2_msg_digest },
369 { 0, NULL, NULL }
370 };
371
372 /* SHA-1 hmac test vectors
373 * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
374 * September 1997, P. Cheng, IBM & R. Glenn, NIST
375 */
376
377 static const u_char sha1_hmac1_key[] = {
378 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
379 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
380 0x0b, 0x0b, 0x0b, 0x0b
381 };
382
383 static const u_char sha1_hmac1[] = {
384 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
385 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
386 0xf1, 0x46, 0xbe, 0x00
387 };
388
389 static const u_char sha1_hmac2[] = {
390 0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
391 0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
392 0x25, 0x9a, 0x7c, 0x79
393 };
394
395 static const u_char sha1_hmac3_key[] = {
396 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
397 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
398 0xaa, 0xaa, 0xaa, 0xaa
399 };
400
401 static const u_char sha1_hmac3[] = {
402 0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
403 0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
404 0x63, 0xf1, 0x75, 0xd3
405 };
406
407 static const u_char sha1_hmac4[] = {
408 0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
409 0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
410 0x2d, 0x72, 0x35, 0xda
411 };
412
413 static const u_char sha1_hmac6[] = {
414 0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
415 0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
416 0xed, 0x40, 0x21, 0x12
417 };
418
419 static const u_char sha1_hmac7[] = {
420 0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
421 0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
422 0xbb, 0xff, 0x1a, 0x91
423 };
424
425 static const hmac_testvector_t sha1_hmac_testvectors[] = {
426 { sizeof(sha1_hmac1_key), sha1_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, sha1_hmac1 },
427 { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, sha1_hmac2 },
428 { sizeof(sha1_hmac3_key), sha1_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, sha1_hmac3 },
429 { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, sha1_hmac4 },
430 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, sha1_hmac6 },
431 { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, sha1_hmac7 },
432 { 0, NULL, 0, NULL, NULL }
433 };
434
435 static struct hash_desc crypto_hasher_sha1 =
436 {
437 algo_type: IKE_ALG_HASH,
438 algo_id: OAKLEY_SHA,
439 algo_next: NULL,
440 hash_digest_size: HASH_SIZE_SHA1,
441 hash_testvectors: sha1_hash_testvectors,
442 hmac_testvectors: sha1_hmac_testvectors
443 };
444
445 void init_crypto(void)
446 {
447 if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0
448 || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0
449 || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0
450 || mpz_init_set_str(&modp2048_modulus, MODP2048_MODULUS, 16) != 0
451 || mpz_init_set_str(&modp3072_modulus, MODP3072_MODULUS, 16) != 0
452 || mpz_init_set_str(&modp4096_modulus, MODP4096_MODULUS, 16) != 0
453 || mpz_init_set_str(&modp6144_modulus, MODP6144_MODULUS, 16) != 0
454 || mpz_init_set_str(&modp8192_modulus, MODP8192_MODULUS, 16) != 0)
455 exit_log("mpz_init_set_str() failed in init_crypto()");
456
457 ike_alg_add((struct ike_alg *) &crypto_encryptor_3des);
458 ike_alg_add((struct ike_alg *) &crypto_hasher_sha1);
459 ike_alg_add((struct ike_alg *) &crypto_hasher_md5);
460 ike_alg_init();
461 ike_alg_test();
462 }
463
464 void free_crypto(void)
465 {
466 mpz_clear(&groupgenerator);
467 mpz_clear(&modp1024_modulus);
468 mpz_clear(&modp1536_modulus);
469 mpz_clear(&modp2048_modulus);
470 mpz_clear(&modp3072_modulus);
471 mpz_clear(&modp4096_modulus);
472 mpz_clear(&modp6144_modulus);
473 mpz_clear(&modp8192_modulus);
474 }
475
476 /* Oakley group description
477 *
478 * See RFC2409 "The Internet key exchange (IKE)" 6.
479 */
480
481 const struct oakley_group_desc unset_group = {0, NULL, 0}; /* magic signifier */
482
483 const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE] = {
484 # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
485 { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) },
486 { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) },
487 { OAKLEY_GROUP_MODP2048, &modp2048_modulus, BYTES(2048) },
488 { OAKLEY_GROUP_MODP3072, &modp3072_modulus, BYTES(3072) },
489 { OAKLEY_GROUP_MODP4096, &modp4096_modulus, BYTES(4096) },
490 { OAKLEY_GROUP_MODP6144, &modp6144_modulus, BYTES(6144) },
491 { OAKLEY_GROUP_MODP8192, &modp8192_modulus, BYTES(8192) },
492 # undef BYTES
493 };
494
495 const struct oakley_group_desc *lookup_group(u_int16_t group)
496 {
497 int i;
498
499 for (i = 0; i != countof(oakley_group); i++)
500 if (group == oakley_group[i].group)
501 return &oakley_group[i];
502 return NULL;
503 }
504
505 /* Encryption Routines
506 *
507 * Each uses and updates the state object's st_new_iv.
508 * This must already be initialized.
509 */
510
511 /* encrypt or decrypt part of an IKE message using DES
512 * See RFC 2409 "IKE" Appendix B
513 */
514 static void __attribute__ ((unused))
515 do_des(bool enc, void *buf, size_t buf_len, struct state *st)
516 {
517 des_key_schedule ks;
518
519 (void) des_set_key((des_cblock *)st->st_enc_key.ptr, ks);
520
521 passert(st->st_new_iv_len >= DES_CBC_BLOCK_SIZE);
522 st->st_new_iv_len = DES_CBC_BLOCK_SIZE; /* truncate */
523
524 des_ncbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
525 ks,
526 (des_cblock *)st->st_new_iv, enc);
527 }
528
529 /* encrypt or decrypt part of an IKE message using 3DES
530 * See RFC 2409 "IKE" Appendix B
531 */
532 static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key,
533 size_t key_size, u_int8_t *iv, bool enc)
534 {
535 des_key_schedule ks[3];
536
537 passert (!key_size || (key_size==(DES_CBC_BLOCK_SIZE * 3)))
538 (void) des_set_key((des_cblock *)key + 0, ks[0]);
539 (void) des_set_key((des_cblock *)key + 1, ks[1]);
540 (void) des_set_key((des_cblock *)key + 2, ks[2]);
541
542 des_ede3_cbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
543 ks[0], ks[1], ks[2],
544 (des_cblock *)iv, enc);
545 }
546
547 void crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf,
548 size_t size, struct state *st)
549 {
550 chunk_t data = { buf, size };
551 chunk_t iv;
552 char *new_iv;
553 size_t crypter_block_size;
554 encryption_algorithm_t enc_alg;
555 crypter_t *crypter;
556
557 enc_alg = oakley_to_encryption_algorithm(e->algo_id);
558 crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
559 crypter->set_key(crypter, st->st_enc_key);
560 crypter_block_size = crypter->get_block_size(crypter);
561
562 /* form iv by truncation */
563 passert(st->st_new_iv_len >= crypter_block_size);
564 st->st_new_iv_len = crypter_block_size;
565 iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
566
567 if (enc)
568 {
569 crypter->encrypt(crypter, data, iv, NULL);
570 new_iv = data.ptr + data.len - crypter_block_size;
571 }
572 else
573 {
574 new_iv = alloca(crypter_block_size);
575 memcpy(new_iv, data.ptr + data.len - crypter_block_size,
576 crypter_block_size);
577 crypter->decrypt(crypter, data, iv, NULL);
578 }
579 crypter->destroy(crypter);
580 memcpy(st->st_new_iv, new_iv, crypter_block_size);
581 }
582
583 encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
584 {
585 switch (alg)
586 {
587 case OAKLEY_DES_CBC:
588 return ENCR_DES;
589 case OAKLEY_IDEA_CBC:
590 return ENCR_IDEA;
591 case OAKLEY_BLOWFISH_CBC:
592 return ENCR_BLOWFISH;
593 case OAKLEY_RC5_R16_B64_CBC:
594 return ENCR_RC5;
595 case OAKLEY_3DES_CBC:
596 return ENCR_3DES;
597 case OAKLEY_CAST_CBC:
598 return ENCR_CAST;
599 case OAKLEY_AES_CBC:
600 return ENCR_AES_CBC;
601 case OAKLEY_SERPENT_CBC:
602 return ENCR_SERPENT_CBC;
603 case OAKLEY_TWOFISH_CBC:
604 case OAKLEY_TWOFISH_CBC_SSH:
605 return ENCR_TWOFISH_CBC;
606 default:
607 return ENCR_UNDEFINED;
608 }
609 }
610
611 hash_algorithm_t oakley_to_hash_algorithm(int alg)
612 {
613 switch (alg)
614 {
615 case OAKLEY_MD5:
616 return HASH_MD5;
617 case OAKLEY_SHA:
618 return HASH_SHA1;
619 case OAKLEY_SHA2_256:
620 return HASH_SHA256;
621 case OAKLEY_SHA2_384:
622 return HASH_SHA384;
623 case OAKLEY_SHA2_512:
624 return HASH_SHA512;
625 default:
626 return HASH_UNKNOWN;
627 }
628 }
629
630 pseudo_random_function_t oakley_to_prf(int alg)
631 {
632 switch (alg)
633 {
634 case OAKLEY_MD5:
635 return PRF_HMAC_MD5;
636 case OAKLEY_SHA:
637 return PRF_HMAC_SHA1;
638 case OAKLEY_SHA2_256:
639 return PRF_HMAC_SHA2_256;
640 case OAKLEY_SHA2_384:
641 return PRF_HMAC_SHA2_384;
642 case OAKLEY_SHA2_512:
643 return PRF_HMAC_SHA2_512;
644 default:
645 return PRF_UNDEFINED;
646 }
647 }