folkslinux
/
rpm
mirror of https://github.com/rpm-software-management/rpm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rpm/beecrypt/dhaes.c

365 lines
9.4 KiB
C
Raw Blame History

/*@-compdef@*/
/*
* Copyright (c) 2000, 2001, 2002 Virtual Unlimited, B.V.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*/
/*!\file dhaes.c
* \brief DHAES encryption scheme.
*
* This code implements the encryption scheme from the paper:
*
* "DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem"
* Michel Abdalla, Mihir Bellare, Phillip Rogaway
* September 1998
*
* Good combinations will be:
*
* - For 64-bit encryption:
* - DHAES(MD5, Blowfish, HMAC-MD5) <- best candidate
* - DHAES(MD5, Blowfish, HMAC-SHA-1)
* - DHAES(MD5, Blowfish, HMAC-SHA-256)
*
* - For 96-bit encryption with 64-bit mac:
* - DHAES(SHA-1, Blowfish, HMAC-MD5, 96)
* - DHAES(SHA-1, Blowfish, HMAC-SHA-1, 96) <- best candidate
* - DHAES(SHA-1, Blowfish, HMAC-SHA-256, 96) <- best candidate
*
* - For 128-bit encryption:
* - DHAES(SHA-256, Blowfish, HMAC-MD5)
* - DHAES(SHA-256, Blowfish, HMAC-SHA-1)
* - DHAES(SHA-256, Blowfish, HMAC-SHA-256)
*/
#include "system.h"
#include "dhaes.h"
#include "dlsvdp-dh.h"
#include "blockmode.h"
#include "blockpad.h"
#include "debug.h"
int dhaes_pUsable(const dhaes_pParameters* params)
{
size_t keybits = (params->hash->digestsize << 3); /* digestsize in bytes times 8 bits */
size_t cipherkeybits = params->cipherkeybits;
size_t mackeybits = params->mackeybits;
/* test if keybits is a multiple of 32 */
if ((keybits & 31) != 0)
return 0;
/* test if cipherkeybits + mackeybits < keybits */
if ((cipherkeybits + mackeybits) > keybits)
return 0;
if (mackeybits == 0)
{
if (cipherkeybits == 0)
cipherkeybits = mackeybits = (keybits >> 1);
else
mackeybits = keybits - cipherkeybits;
}
/* test if keybits length is appropriate for cipher */
if ((cipherkeybits < params->cipher->keybitsmin) ||
(cipherkeybits > params->cipher->keybitsmax))
return 0;
if (((cipherkeybits - params->cipher->keybitsmin) % params->cipher->keybitsinc) != 0)
return 0;
/* test if keybits length is appropriate for mac */
if ((mackeybits < params->mac->keybitsmin) ||
(((unsigned)params->mackeybits) > params->mac->keybitsmax))
return 0;
if (((mackeybits - params->mac->keybitsmin) % params->mac->keybitsinc) != 0)
return 0;
return 1;
}
int dhaes_pContextInit(dhaes_pContext* ctxt, const dhaes_pParameters* params)
{
if (ctxt == (dhaes_pContext*) 0)
return -1;
if (params == (dhaes_pParameters*) 0)
return -1;
if (params->param == (dldp_p*) 0)
return -1;
if (params->hash == (hashFunction*) 0)
return -1;
if (params->cipher == (blockCipher*) 0)
return -1;
if (params->mac == (keyedHashFunction*) 0)
return -1;
if (!dhaes_pUsable(params))
return -1;
(void) dldp_pInit(&ctxt->param);
(void) dldp_pCopy(&ctxt->param, params->param);
mpnzero(&ctxt->pub);
mpnzero(&ctxt->pri);
/*@-modobserver@*/
if (hashFunctionContextInit(&ctxt->hash, params->hash))
return -1;
if (blockCipherContextInit(&ctxt->cipher, params->cipher))
return -1;
if (keyedHashFunctionContextInit(&ctxt->mac, params->mac))
return -1;
/*@=modobserver@*/
ctxt->cipherkeybits = params->cipherkeybits;
ctxt->mackeybits = params->mackeybits;
return 0;
}
int dhaes_pContextInitDecrypt(dhaes_pContext* ctxt, const dhaes_pParameters* params, const mpnumber* pri)
{
if (dhaes_pContextInit(ctxt, params))
return -1;
mpncopy(&ctxt->pri, pri);
return 0;
}
int dhaes_pContextInitEncrypt(dhaes_pContext* ctxt, const dhaes_pParameters* params, const mpnumber* pub)
{
if (dhaes_pContextInit(ctxt, params))
return -1;
mpncopy(&ctxt->pub, pub);
return 0;
}
int dhaes_pContextFree(dhaes_pContext* ctxt)
{
(void) dldp_pFree(&ctxt->param);
mpnfree(&ctxt->pub);
mpnfree(&ctxt->pri);
/*@-mustfree -modobserver @*/ /* ctxt is OK */
if (hashFunctionContextFree(&ctxt->hash))
return -1;
if (blockCipherContextFree(&ctxt->cipher))
return -1;
if (keyedHashFunctionContextFree(&ctxt->mac))
return -1;
return 0;
/*@=mustfree =modobserver @*/
}
/**
*/
static int dhaes_pContextSetup(dhaes_pContext* ctxt, const mpnumber* privkey, const mpnumber* pubkey, const mpnumber* message, cipherOperation op)
/*@modifies ctxt @*/
{
register int rc;
mpnumber secret;
byte* digest = (byte*) malloc(ctxt->hash.algo->digestsize);
if (digest == (byte*) 0)
return -1;
/* compute the shared secret, Diffie-Hellman style */
mpnzero(&secret);
if (dlsvdp_pDHSecret(&ctxt->param, privkey, pubkey, &secret))
{
mpnfree(&secret);
free(digest);
return -1;
}
/* compute the hash of the message (ephemeral public) key and the shared secret */
(void) hashFunctionContextReset (&ctxt->hash);
(void) hashFunctionContextUpdateMP(&ctxt->hash, message);
(void) hashFunctionContextUpdateMP(&ctxt->hash, &secret);
(void) hashFunctionContextDigest (&ctxt->hash, digest);
/* we don't need the secret anymore */
mpnwipe(&secret);
mpnfree(&secret);
/*
* NOTE: blockciphers and keyed hash functions take keys with sizes
* specified in bits and key data passed in bytes.
*
* Both blockcipher and keyed hash function have a min and max key size.
*
* This function will split the digest of the shared secret in two halves,
* and pad with zero bits or truncate if necessary to meet algorithm key
* size requirements.
*/
/*@-usedef@*/ /* LCL: digest already set */
if (ctxt->hash.algo->digestsize > 0)
{
byte* mackey = digest;
byte* cipherkey = digest + ((unsigned)(ctxt->mackeybits + 7) >> 3);
if ((rc = keyedHashFunctionContextSetup(&ctxt->mac, mackey, ctxt->mackeybits)))
goto setup_end;
if ((rc = blockCipherContextSetup(&ctxt->cipher, cipherkey, ctxt->cipherkeybits, op)))
goto setup_end;
rc = 0;
}
else
rc = -1;
/*@=usedef@*/
setup_end:
/* wipe digest for good measure */
memset(digest, 0, ctxt->hash.algo->digestsize);
free(digest);
/*@-mustfree@*/ /* {secret,digest}.data are OK */
return rc;
/*@=mustfree@*/
}
memchunk* dhaes_pContextEncrypt(dhaes_pContext* ctxt, mpnumber* ephemeralPublicKey, mpnumber* mac, const memchunk* cleartext, randomGeneratorContext* rng)
{
memchunk* ciphertext = (memchunk*) 0;
memchunk* paddedtext;
mpnumber ephemeralPrivateKey;
/* make the ephemeral keypair */
mpnzero(&ephemeralPrivateKey);
(void) dldp_pPair(&ctxt->param, rng, &ephemeralPrivateKey, ephemeralPublicKey);
/* Setup the key and initialize the mac and the blockcipher */
if (dhaes_pContextSetup(ctxt, &ephemeralPrivateKey, &ctxt->pub, ephemeralPublicKey, ENCRYPT))
goto encrypt_end;
/* add pkcs-5 padding */
paddedtext = pkcs5PadCopy(ctxt->cipher.algo->blocksize, cleartext);
if (paddedtext == (memchunk*) 0)
goto encrypt_end;
/* encrypt the memchunk in CBC mode */
if (blockEncryptCBC(ctxt->cipher.algo, ctxt->cipher.param, (uint32_t*) paddedtext->data, (const uint32_t*) paddedtext->data, paddedtext->size / ctxt->cipher.algo->blocksize))
{
free(paddedtext->data);
free(paddedtext);
goto encrypt_end;
}
/* Compute the mac */
if (keyedHashFunctionContextUpdateMC(&ctxt->mac, paddedtext))
{
free(paddedtext->data);
free(paddedtext);
goto encrypt_end;
}
if (keyedHashFunctionContextDigestMP(&ctxt->mac, mac))
{
free(paddedtext->data);
free(paddedtext);
goto encrypt_end;
}
ciphertext = paddedtext;
encrypt_end:
mpnwipe(&ephemeralPrivateKey);
mpnfree(&ephemeralPrivateKey);
/*@-mustfree@*/ /* ephemeralPrivateKey.data is OK */
return ciphertext;
/*@=mustfree@*/
}
memchunk* dhaes_pContextDecrypt(dhaes_pContext* ctxt, const mpnumber* ephemeralPublicKey, const mpnumber* mac, const memchunk* ciphertext)
{
memchunk* cleartext = (memchunk*) 0;
memchunk* paddedtext;
/* Setup the key and initialize the mac and the blockcipher */
if (dhaes_pContextSetup(ctxt, &ctxt->pri, ephemeralPublicKey, ephemeralPublicKey, DECRYPT))
goto decrypt_end;
/* Verify the mac */
if (keyedHashFunctionContextUpdateMC(&ctxt->mac, ciphertext))
goto decrypt_end;
if (keyedHashFunctionContextDigestMatch(&ctxt->mac, mac) == 0)
goto decrypt_end;
/* decrypt the memchunk with CBC mode */
paddedtext = (memchunk*) calloc(1, sizeof(*paddedtext));
if (paddedtext == (memchunk*) 0)
goto decrypt_end;
paddedtext->size = ciphertext->size;
/*@-mustfree@*/ /* paddedtext->data is OK */
paddedtext->data = (byte*) malloc(ciphertext->size);
/*@=mustfree@*/
if (paddedtext->data == (byte*) 0)
{
free(paddedtext);
goto decrypt_end;
}
if (blockDecryptCBC(ctxt->cipher.algo, ctxt->cipher.param, (uint32_t*) paddedtext->data, (const uint32_t*) ciphertext->data, paddedtext->size / ctxt->cipher.algo->blocksize))
{
free(paddedtext->data);
free(paddedtext);
goto decrypt_end;
}
/* remove pkcs-5 padding */
cleartext = pkcs5Unpad(ctxt->cipher.algo->blocksize, paddedtext);
if (cleartext == (memchunk*) 0)
{
free(paddedtext->data);
free(paddedtext);
}
decrypt_end:
/*@-usereleased@*/ /* LCL: cleartext released??? */
return cleartext;
/*@=usereleased@*/
}
/*@=compdef@*/
Reference in New Issue View Git Blame Copy Permalink