package/ead/src/ead-crypt.c

   1 /*
   2  * Copyright (C) 2008 Felix Fietkau <nbd@openwrt.org>
   3  *
   4  * This program is free software; you can redistribute it and/or modify
   5  * it under the terms of the GNU General Public License version 2
   6  * as published by the Free Software Foundation
   7  *
   8  * This program is distributed in the hope that it will be useful,
   9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11  * GNU General Public License for more details.
  12  */
  13
  14 #include <stddef.h>
  15 #include <stdint.h>
  16 #include <stdlib.h>
  17 #include <stdbool.h>
  18 #include <string.h>
  19 #include <unistd.h>
  20 #include <stdio.h>
  21 #include "ead.h"
  22
  23 #include "sha1.c"
  24 #include "aes.c"
  25
  26 #if EAD_DEBUGLEVEL >= 1
  27 #define DEBUG(n, format, ...) do { \
  28         if (EAD_DEBUGLEVEL >= n) \
  29                 fprintf(stderr, format, ##__VA_ARGS__); \
  30 } while (0);
  31
  32 #else
  33 #define DEBUG(n, format, ...) do {} while(0)
  34 #endif
  35
  36
  37 static uint32_t aes_enc_ctx[AES_PRIV_SIZE];
  38 static uint32_t aes_dec_ctx[AES_PRIV_SIZE];
  39 static uint32_t ead_rx_iv;
  40 static uint32_t ead_tx_iv;
  41 static uint32_t ivofs_vec;
  42 static unsigned int ivofs_idx = 0;
  43 static uint32_t W[80]; /* work space for sha1 */
  44
  45 #define EAD_ENC_PAD     64
  46
  47 void
  48 ead_set_key(unsigned char *skey)
  49 {
  50         uint32_t *ivp = (uint32_t *)skey;
  51
  52         memset(aes_enc_ctx, 0, sizeof(aes_enc_ctx));
  53         memset(aes_dec_ctx, 0, sizeof(aes_dec_ctx));
  54
  55         /* first 32 bytes of skey are used as aes key for
  56          * encryption and decryption */
  57         rijndaelKeySetupEnc(aes_enc_ctx, skey);
  58         rijndaelKeySetupDec(aes_dec_ctx, skey);
  59
  60         /* the following bytes are used as initialization vector for messages
  61          * (highest byte cleared to avoid overflow) */
  62         ivp += 8;
  63         ead_rx_iv = ntohl(*ivp) & 0x00ffffff;
  64         ead_tx_iv = ead_rx_iv;
  65
  66         /* the last bytes are used to feed the random iv increment */
  67         ivp++;
  68         ivofs_vec = *ivp;
  69 }
  70
  71
  72 static bool
  73 ead_check_rx_iv(uint32_t iv)
  74 {
  75         if (iv <= ead_rx_iv)
  76                 return false;
  77
  78         if (iv > ead_rx_iv + EAD_MAX_IV_INCR)
  79                 return false;
  80
  81         ead_rx_iv = iv;
  82         return true;
  83 }
  84
  85
  86 static uint32_t
  87 ead_get_tx_iv(void)
  88 {
  89         unsigned int ofs;
  90
  91         ofs = 1 + ((ivofs_vec >> 2 * ivofs_idx) & 0x3);
  92         ivofs_idx = (ivofs_idx + 1) % 16;
  93         ead_tx_iv += ofs;
  94
  95         return ead_tx_iv;
  96 }
  97
  98 static void
  99 ead_hash_message(struct ead_msg_encrypted *enc, uint32_t *hash, int len)
 100 {
 101         unsigned char *data = (unsigned char *) enc;
 102
 103         /* hash the packet with the stored hash part initialized to zero */
 104         sha_init(hash);
 105         memset(enc->hash, 0, sizeof(enc->hash));
 106         while (len > 0) {
 107                 sha_transform(hash, data, W);
 108                 len -= 64;
 109                 data += 64;
 110         }
 111 }
 112
 113 void
 114 ead_encrypt_message(struct ead_msg *msg, unsigned int len)
 115 {
 116         struct ead_msg_encrypted *enc = EAD_DATA(msg, enc);
 117         unsigned char *data = (unsigned char *) enc;
 118         uint32_t hash[5];
 119         int enclen, i;
 120
 121         len += sizeof(struct ead_msg_encrypted);
 122         enc->pad = (EAD_ENC_PAD - (len % EAD_ENC_PAD)) % EAD_ENC_PAD;
 123         enclen = len + enc->pad;
 124         msg->len = htonl(enclen);
 125         enc->iv = htonl(ead_get_tx_iv());
 126
 127         ead_hash_message(enc, hash, enclen);
 128         for (i = 0; i < 5; i++)
 129                 enc->hash[i] = htonl(hash[i]);
 130         DEBUG(2, "SHA1 generate (0x%08x), len=%d\n", enc->hash[0], enclen);
 131
 132         while (enclen > 0) {
 133                 rijndaelEncrypt(aes_enc_ctx, data, data);
 134                 data += 16;
 135                 enclen -= 16;
 136         }
 137 }
 138
 139 int
 140 ead_decrypt_message(struct ead_msg *msg)
 141 {
 142         struct ead_msg_encrypted *enc = EAD_DATA(msg, enc);
 143         unsigned char *data = (unsigned char *) enc;
 144         uint32_t hash_old[5], hash_new[5];
 145         int len = ntohl(msg->len);
 146         int i, enclen = len;
 147
 148         if (!len || (len % EAD_ENC_PAD > 0))
 149                 return 0;
 150
 151         while (len > 0) {
 152                 rijndaelDecrypt(aes_dec_ctx, data, data);
 153                 data += 16;
 154                 len -= 16;
 155         }
 156
 157         data = (unsigned char *) enc;
 158
 159         if (enc->pad >= EAD_ENC_PAD) {
 160                 DEBUG(2, "Invalid padding length\n");
 161                 return 0;
 162         }
 163
 164         if (!ead_check_rx_iv(ntohl(enc->iv))) {
 165                 DEBUG(2, "RX IV mismatch (0x%08x <> 0x%08x)\n", ead_rx_iv, ntohl(enc->iv));
 166                 return 0;
 167         }
 168
 169         for (i = 0; i < 5; i++)
 170                 hash_old[i] = ntohl(enc->hash[i]);
 171         ead_hash_message(enc, hash_new, enclen);
 172         if (memcmp(hash_old, hash_new, sizeof(hash_old)) != 0) {
 173                 DEBUG(2, "SHA1 mismatch (0x%08x != 0x%08x), len=%d\n", hash_old[0], hash_new[0], enclen);
 174                 return 0;
 175         }
 176
 177         enclen -= enc->pad + sizeof(struct ead_msg_encrypted);
 178         return enclen;
 179 }