/*@-compdef@*/ /* * Copyright (c) 2000, 2001, 2002 Virtual Unlimited, B.V. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * */ /*!\file dhaes.c * \brief DHAES encryption scheme. * * This code implements the encryption scheme from the paper: * * "DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem" * Michel Abdalla, Mihir Bellare, Phillip Rogaway * September 1998 * * Good combinations will be: * * - For 64-bit encryption: * - DHAES(MD5, Blowfish, HMAC-MD5) <- best candidate * - DHAES(MD5, Blowfish, HMAC-SHA-1) * - DHAES(MD5, Blowfish, HMAC-SHA-256) * * - For 96-bit encryption with 64-bit mac: * - DHAES(SHA-1, Blowfish, HMAC-MD5, 96) * - DHAES(SHA-1, Blowfish, HMAC-SHA-1, 96) <- best candidate * - DHAES(SHA-1, Blowfish, HMAC-SHA-256, 96) <- best candidate * * - For 128-bit encryption: * - DHAES(SHA-256, Blowfish, HMAC-MD5) * - DHAES(SHA-256, Blowfish, HMAC-SHA-1) * - DHAES(SHA-256, Blowfish, HMAC-SHA-256) */ #include "system.h" #include "dhaes.h" #include "dlsvdp-dh.h" #include "blockmode.h" #include "blockpad.h" #include "debug.h" int dhaes_pUsable(const dhaes_pParameters* params) { size_t keybits = (params->hash->digestsize << 3); /* digestsize in bytes times 8 bits */ size_t cipherkeybits = params->cipherkeybits; size_t mackeybits = params->mackeybits; /* test if keybits is a multiple of 32 */ if ((keybits & 31) != 0) return 0; /* test if cipherkeybits + mackeybits < keybits */ if ((cipherkeybits + mackeybits) > keybits) return 0; if (mackeybits == 0) { if (cipherkeybits == 0) cipherkeybits = mackeybits = (keybits >> 1); else mackeybits = keybits - cipherkeybits; } /* test if keybits length is appropriate for cipher */ if ((cipherkeybits < params->cipher->keybitsmin) || (cipherkeybits > params->cipher->keybitsmax)) return 0; if (((cipherkeybits - params->cipher->keybitsmin) % params->cipher->keybitsinc) != 0) return 0; /* test if keybits length is appropriate for mac */ if ((mackeybits < params->mac->keybitsmin) || (((unsigned)params->mackeybits) > params->mac->keybitsmax)) return 0; if (((mackeybits - params->mac->keybitsmin) % params->mac->keybitsinc) != 0) return 0; return 1; } int dhaes_pContextInit(dhaes_pContext* ctxt, const dhaes_pParameters* params) { if (ctxt == (dhaes_pContext*) 0) return -1; if (params == (dhaes_pParameters*) 0) return -1; if (params->param == (dldp_p*) 0) return -1; if (params->hash == (hashFunction*) 0) return -1; if (params->cipher == (blockCipher*) 0) return -1; if (params->mac == (keyedHashFunction*) 0) return -1; if (!dhaes_pUsable(params)) return -1; (void) dldp_pInit(&ctxt->param); (void) dldp_pCopy(&ctxt->param, params->param); mpnzero(&ctxt->pub); mpnzero(&ctxt->pri); /*@-modobserver@*/ if (hashFunctionContextInit(&ctxt->hash, params->hash)) return -1; if (blockCipherContextInit(&ctxt->cipher, params->cipher)) return -1; if (keyedHashFunctionContextInit(&ctxt->mac, params->mac)) return -1; /*@=modobserver@*/ ctxt->cipherkeybits = params->cipherkeybits; ctxt->mackeybits = params->mackeybits; return 0; } int dhaes_pContextInitDecrypt(dhaes_pContext* ctxt, const dhaes_pParameters* params, const mpnumber* pri) { if (dhaes_pContextInit(ctxt, params)) return -1; mpncopy(&ctxt->pri, pri); return 0; } int dhaes_pContextInitEncrypt(dhaes_pContext* ctxt, const dhaes_pParameters* params, const mpnumber* pub) { if (dhaes_pContextInit(ctxt, params)) return -1; mpncopy(&ctxt->pub, pub); return 0; } int dhaes_pContextFree(dhaes_pContext* ctxt) { (void) dldp_pFree(&ctxt->param); mpnfree(&ctxt->pub); mpnfree(&ctxt->pri); /*@-mustfree -modobserver @*/ /* ctxt is OK */ if (hashFunctionContextFree(&ctxt->hash)) return -1; if (blockCipherContextFree(&ctxt->cipher)) return -1; if (keyedHashFunctionContextFree(&ctxt->mac)) return -1; return 0; /*@=mustfree =modobserver @*/ } /** */ static int dhaes_pContextSetup(dhaes_pContext* ctxt, const mpnumber* privkey, const mpnumber* pubkey, const mpnumber* message, cipherOperation op) /*@modifies ctxt @*/ { register int rc; mpnumber secret; byte* digest = (byte*) malloc(ctxt->hash.algo->digestsize); if (digest == (byte*) 0) return -1; /* compute the shared secret, Diffie-Hellman style */ mpnzero(&secret); if (dlsvdp_pDHSecret(&ctxt->param, privkey, pubkey, &secret)) { mpnfree(&secret); free(digest); return -1; } /* compute the hash of the message (ephemeral public) key and the shared secret */ (void) hashFunctionContextReset (&ctxt->hash); (void) hashFunctionContextUpdateMP(&ctxt->hash, message); (void) hashFunctionContextUpdateMP(&ctxt->hash, &secret); (void) hashFunctionContextDigest (&ctxt->hash, digest); /* we don't need the secret anymore */ mpnwipe(&secret); mpnfree(&secret); /* * NOTE: blockciphers and keyed hash functions take keys with sizes * specified in bits and key data passed in bytes. * * Both blockcipher and keyed hash function have a min and max key size. * * This function will split the digest of the shared secret in two halves, * and pad with zero bits or truncate if necessary to meet algorithm key * size requirements. */ /*@-usedef@*/ /* LCL: digest already set */ if (ctxt->hash.algo->digestsize > 0) { byte* mackey = digest; byte* cipherkey = digest + ((unsigned)(ctxt->mackeybits + 7) >> 3); if ((rc = keyedHashFunctionContextSetup(&ctxt->mac, mackey, ctxt->mackeybits))) goto setup_end; if ((rc = blockCipherContextSetup(&ctxt->cipher, cipherkey, ctxt->cipherkeybits, op))) goto setup_end; rc = 0; } else rc = -1; /*@=usedef@*/ setup_end: /* wipe digest for good measure */ memset(digest, 0, ctxt->hash.algo->digestsize); free(digest); /*@-mustfree@*/ /* {secret,digest}.data are OK */ return rc; /*@=mustfree@*/ } memchunk* dhaes_pContextEncrypt(dhaes_pContext* ctxt, mpnumber* ephemeralPublicKey, mpnumber* mac, const memchunk* cleartext, randomGeneratorContext* rng) { memchunk* ciphertext = (memchunk*) 0; memchunk* paddedtext; mpnumber ephemeralPrivateKey; /* make the ephemeral keypair */ mpnzero(&ephemeralPrivateKey); (void) dldp_pPair(&ctxt->param, rng, &ephemeralPrivateKey, ephemeralPublicKey); /* Setup the key and initialize the mac and the blockcipher */ if (dhaes_pContextSetup(ctxt, &ephemeralPrivateKey, &ctxt->pub, ephemeralPublicKey, ENCRYPT)) goto encrypt_end; /* add pkcs-5 padding */ paddedtext = pkcs5PadCopy(ctxt->cipher.algo->blocksize, cleartext); if (paddedtext == (memchunk*) 0) goto encrypt_end; /* encrypt the memchunk in CBC mode */ if (blockEncryptCBC(ctxt->cipher.algo, ctxt->cipher.param, (uint32_t*) paddedtext->data, (const uint32_t*) paddedtext->data, paddedtext->size / ctxt->cipher.algo->blocksize)) { free(paddedtext->data); free(paddedtext); goto encrypt_end; } /* Compute the mac */ if (keyedHashFunctionContextUpdateMC(&ctxt->mac, paddedtext)) { free(paddedtext->data); free(paddedtext); goto encrypt_end; } if (keyedHashFunctionContextDigestMP(&ctxt->mac, mac)) { free(paddedtext->data); free(paddedtext); goto encrypt_end; } ciphertext = paddedtext; encrypt_end: mpnwipe(&ephemeralPrivateKey); mpnfree(&ephemeralPrivateKey); /*@-mustfree@*/ /* ephemeralPrivateKey.data is OK */ return ciphertext; /*@=mustfree@*/ } memchunk* dhaes_pContextDecrypt(dhaes_pContext* ctxt, const mpnumber* ephemeralPublicKey, const mpnumber* mac, const memchunk* ciphertext) { memchunk* cleartext = (memchunk*) 0; memchunk* paddedtext; /* Setup the key and initialize the mac and the blockcipher */ if (dhaes_pContextSetup(ctxt, &ctxt->pri, ephemeralPublicKey, ephemeralPublicKey, DECRYPT)) goto decrypt_end; /* Verify the mac */ if (keyedHashFunctionContextUpdateMC(&ctxt->mac, ciphertext)) goto decrypt_end; if (keyedHashFunctionContextDigestMatch(&ctxt->mac, mac) == 0) goto decrypt_end; /* decrypt the memchunk with CBC mode */ paddedtext = (memchunk*) calloc(1, sizeof(*paddedtext)); if (paddedtext == (memchunk*) 0) goto decrypt_end; paddedtext->size = ciphertext->size; /*@-mustfree@*/ /* paddedtext->data is OK */ paddedtext->data = (byte*) malloc(ciphertext->size); /*@=mustfree@*/ if (paddedtext->data == (byte*) 0) { free(paddedtext); goto decrypt_end; } if (blockDecryptCBC(ctxt->cipher.algo, ctxt->cipher.param, (uint32_t*) paddedtext->data, (const uint32_t*) ciphertext->data, paddedtext->size / ctxt->cipher.algo->blocksize)) { free(paddedtext->data); free(paddedtext); goto decrypt_end; } /* remove pkcs-5 padding */ cleartext = pkcs5Unpad(ctxt->cipher.algo->blocksize, paddedtext); if (cleartext == (memchunk*) 0) { free(paddedtext->data); free(paddedtext); } decrypt_end: /*@-usereleased@*/ /* LCL: cleartext released??? */ return cleartext; /*@=usereleased@*/ } /*@=compdef@*/