lib/nettle/cipher.c

   1 /*
   2  * Copyright (C) 2010-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * The GNUTLS library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 3 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 /* Here lie nettle's wrappers for cipher support.
  24  */
  25
  26 #include <gnutls_int.h>
  27 #include <gnutls_errors.h>
  28 #include <gnutls_cipher_int.h>
  29 #include <nettle/aes.h>
  30 #include <nettle/camellia.h>
  31 #include <nettle/arcfour.h>
  32 #include <nettle/arctwo.h>
  33 #include <nettle/des.h>
  34 #include <nettle/nettle-meta.h>
  35 #include <nettle/cbc.h>
  36 #include <nettle/gcm.h>
  37
  38 /* Functions that refer to the nettle library.
  39  */
  40
  41 #define MAX_BLOCK_SIZE 32
  42
  43 typedef void (*encrypt_func) (void *, nettle_crypt_func, unsigned, uint8_t *,
  44                               unsigned, uint8_t *, const uint8_t *);
  45 typedef void (*decrypt_func) (void *, nettle_crypt_func, unsigned, uint8_t *,
  46                               unsigned, uint8_t *, const uint8_t *);
  47 typedef void (*auth_func) (void *, unsigned, const uint8_t *);
  48
  49 typedef void (*tag_func) (void *, unsigned, uint8_t *);
  50
  51 typedef void (*setkey_func) (void *, unsigned, const uint8_t *);
  52
  53 static void
  54 stream_encrypt (void *ctx, nettle_crypt_func func, unsigned block_size,
  55                 uint8_t * iv, unsigned length, uint8_t * dst,
  56                 const uint8_t * src)
  57 {
  58   func (ctx, length, dst, src);
  59 }
  60
  61 struct nettle_cipher_ctx
  62 {
  63   union
  64   {
  65     struct aes_ctx aes;
  66     struct camellia_ctx camellia;
  67     struct arcfour_ctx arcfour;
  68     struct arctwo_ctx arctwo;
  69     struct des3_ctx des3;
  70     struct des_ctx des;
  71     struct gcm_aes_ctx aes_gcm;
  72   } ctx;
  73   void *ctx_ptr;
  74   uint8_t iv[MAX_BLOCK_SIZE];
  75   gnutls_cipher_algorithm_t algo;
  76   size_t block_size;
  77   nettle_crypt_func *i_encrypt;
  78   nettle_crypt_func *i_decrypt;
  79   encrypt_func encrypt;
  80   decrypt_func decrypt;
  81   auth_func auth;
  82   tag_func tag;
  83   int enc;
  84 };
  85
  86 #define GCM_DEFAULT_NONCE_SIZE 12
  87
  88 static void _gcm_encrypt(void *_ctx, nettle_crypt_func f,
  89             unsigned block_size, uint8_t *iv,
  90             unsigned length, uint8_t *dst,
  91             const uint8_t *src)
  92 {
  93   gcm_aes_encrypt(_ctx, length, dst, src);
  94 }
  95
  96 static void _gcm_decrypt(void *_ctx, nettle_crypt_func f,
  97             unsigned block_size, uint8_t *iv,
  98             unsigned length, uint8_t *dst,
  99             const uint8_t *src)
 100 {
 101   gcm_aes_decrypt(_ctx, length, dst, src);
 102 }
 103
 104 static int wrap_nettle_cipher_exists(gnutls_cipher_algorithm_t algo)
 105 {
 106   switch (algo)
 107     {
 108     case GNUTLS_CIPHER_AES_128_GCM:
 109     case GNUTLS_CIPHER_AES_256_GCM:
 110     case GNUTLS_CIPHER_CAMELLIA_128_CBC:
 111     case GNUTLS_CIPHER_CAMELLIA_192_CBC:
 112     case GNUTLS_CIPHER_CAMELLIA_256_CBC:
 113     case GNUTLS_CIPHER_AES_128_CBC:
 114     case GNUTLS_CIPHER_AES_192_CBC:
 115     case GNUTLS_CIPHER_AES_256_CBC:
 116     case GNUTLS_CIPHER_3DES_CBC:
 117     case GNUTLS_CIPHER_DES_CBC:
 118     case GNUTLS_CIPHER_ARCFOUR_128:
 119     case GNUTLS_CIPHER_ARCFOUR_40:
 120     case GNUTLS_CIPHER_RC2_40_CBC:
 121       return 1;
 122     default:
 123       return 0;
 124     }
 125 }
 126
 127 static int
 128 wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo, void **_ctx, int enc)
 129 {
 130   struct nettle_cipher_ctx *ctx;
 131
 132   ctx = gnutls_calloc (1, sizeof (*ctx));
 133   if (ctx == NULL)
 134     {
 135       gnutls_assert ();
 136       return GNUTLS_E_MEMORY_ERROR;
 137     }
 138
 139   ctx->algo = algo;
 140   ctx->enc = enc;
 141
 142   switch (algo)
 143     {
 144     case GNUTLS_CIPHER_AES_128_GCM:
 145     case GNUTLS_CIPHER_AES_256_GCM:
 146       ctx->encrypt = _gcm_encrypt;
 147       ctx->decrypt = _gcm_decrypt;
 148       ctx->i_encrypt = (nettle_crypt_func*) aes_encrypt;
 149       ctx->auth = (auth_func)gcm_aes_update;
 150       ctx->tag = (tag_func)gcm_aes_digest;
 151       ctx->ctx_ptr = &ctx->ctx.aes_gcm;
 152       ctx->block_size = AES_BLOCK_SIZE;
 153       break;
 154     case GNUTLS_CIPHER_CAMELLIA_128_CBC:
 155     case GNUTLS_CIPHER_CAMELLIA_192_CBC:
 156     case GNUTLS_CIPHER_CAMELLIA_256_CBC:
 157       ctx->encrypt = cbc_encrypt;
 158       ctx->decrypt = cbc_decrypt;
 159       ctx->i_encrypt = (nettle_crypt_func*)camellia_crypt;
 160       ctx->i_decrypt = (nettle_crypt_func*)camellia_crypt;
 161       ctx->ctx_ptr = &ctx->ctx.camellia;
 162       ctx->block_size = CAMELLIA_BLOCK_SIZE;
 163       break;
 164     case GNUTLS_CIPHER_AES_128_CBC:
 165     case GNUTLS_CIPHER_AES_192_CBC:
 166     case GNUTLS_CIPHER_AES_256_CBC:
 167       ctx->encrypt = cbc_encrypt;
 168       ctx->decrypt = cbc_decrypt;
 169       ctx->i_encrypt = (nettle_crypt_func*)aes_encrypt;
 170       ctx->i_decrypt = (nettle_crypt_func*)aes_decrypt;
 171       ctx->ctx_ptr = &ctx->ctx.aes;
 172       ctx->block_size = AES_BLOCK_SIZE;
 173       break;
 174     case GNUTLS_CIPHER_3DES_CBC:
 175       ctx->encrypt = cbc_encrypt;
 176       ctx->decrypt = cbc_decrypt;
 177       ctx->i_encrypt = (nettle_crypt_func *) des3_encrypt;
 178       ctx->i_decrypt = (nettle_crypt_func *) des3_decrypt;
 179       ctx->ctx_ptr = &ctx->ctx.des3;
 180       ctx->block_size = DES3_BLOCK_SIZE;
 181       break;
 182     case GNUTLS_CIPHER_DES_CBC:
 183       ctx->encrypt = cbc_encrypt;
 184       ctx->decrypt = cbc_decrypt;
 185       ctx->i_encrypt = (nettle_crypt_func *) des_encrypt;
 186       ctx->i_decrypt = (nettle_crypt_func *) des_decrypt;
 187       ctx->ctx_ptr = &ctx->ctx.des;
 188       ctx->block_size = DES_BLOCK_SIZE;
 189       break;
 190     case GNUTLS_CIPHER_ARCFOUR_128:
 191     case GNUTLS_CIPHER_ARCFOUR_40:
 192       ctx->encrypt = stream_encrypt;
 193       ctx->decrypt = stream_encrypt;
 194       ctx->i_encrypt = (nettle_crypt_func *) arcfour_crypt;
 195       ctx->i_decrypt = (nettle_crypt_func *) arcfour_crypt;
 196       ctx->ctx_ptr = &ctx->ctx.arcfour;
 197       ctx->block_size = 1;
 198       break;
 199     case GNUTLS_CIPHER_RC2_40_CBC:
 200       ctx->encrypt = cbc_encrypt;
 201       ctx->decrypt = cbc_decrypt;
 202       ctx->i_encrypt = (nettle_crypt_func *) arctwo_encrypt;
 203       ctx->i_decrypt = (nettle_crypt_func *) arctwo_decrypt;
 204       ctx->ctx_ptr = &ctx->ctx.arctwo;
 205       ctx->block_size = ARCTWO_BLOCK_SIZE;
 206       break;
 207     default:
 208       gnutls_assert ();
 209       gnutls_free(ctx);
 210       return GNUTLS_E_INVALID_REQUEST;
 211     }
 212
 213   *_ctx = ctx;
 214
 215   return 0;
 216 }
 217
 218 static int
 219 wrap_nettle_cipher_setkey (void *_ctx, const void *key, size_t keysize)
 220 {
 221   struct nettle_cipher_ctx *ctx = _ctx;
 222   uint8_t des_key[DES3_KEY_SIZE];
 223
 224   switch (ctx->algo)
 225     {
 226     case GNUTLS_CIPHER_AES_128_GCM:
 227     case GNUTLS_CIPHER_AES_256_GCM:
 228       gcm_aes_set_key(&ctx->ctx.aes_gcm, keysize, key);
 229       break;
 230     case GNUTLS_CIPHER_AES_128_CBC:
 231     case GNUTLS_CIPHER_AES_192_CBC:
 232     case GNUTLS_CIPHER_AES_256_CBC:
 233       if (ctx->enc)
 234         aes_set_encrypt_key (ctx->ctx_ptr, keysize, key);
 235       else
 236         aes_set_decrypt_key (ctx->ctx_ptr, keysize, key);
 237       break;
 238     case GNUTLS_CIPHER_CAMELLIA_128_CBC:
 239     case GNUTLS_CIPHER_CAMELLIA_192_CBC:
 240     case GNUTLS_CIPHER_CAMELLIA_256_CBC:
 241       if (ctx->enc)
 242         camellia_set_encrypt_key (ctx->ctx_ptr, keysize, key);
 243       else
 244         camellia_set_decrypt_key (ctx->ctx_ptr, keysize, key);
 245       break;
 246     case GNUTLS_CIPHER_3DES_CBC:
 247       if (keysize != DES3_KEY_SIZE)
 248         {
 249           gnutls_assert ();
 250           return GNUTLS_E_INTERNAL_ERROR;
 251         }
 252
 253       des_fix_parity (keysize, des_key, key);
 254
 255       /* this fails on weak keys */
 256       if (des3_set_key (ctx->ctx_ptr, des_key) != 1)
 257         {
 258           gnutls_assert ();
 259           return GNUTLS_E_INTERNAL_ERROR;
 260         }
 261       break;
 262     case GNUTLS_CIPHER_DES_CBC:
 263       if (keysize != DES_KEY_SIZE)
 264         {
 265           gnutls_assert ();
 266           return GNUTLS_E_INTERNAL_ERROR;
 267         }
 268
 269       des_fix_parity (keysize, des_key, key);
 270
 271       if (des_set_key (ctx->ctx_ptr, des_key) != 1)
 272         {
 273           gnutls_assert ();
 274           return GNUTLS_E_INTERNAL_ERROR;
 275         }
 276       break;
 277     case GNUTLS_CIPHER_ARCFOUR_128:
 278     case GNUTLS_CIPHER_ARCFOUR_40:
 279       arcfour_set_key (ctx->ctx_ptr, keysize, key);
 280       break;
 281     case GNUTLS_CIPHER_RC2_40_CBC:
 282       arctwo_set_key (ctx->ctx_ptr, keysize, key);
 283       break;
 284     default:
 285       gnutls_assert ();
 286       return GNUTLS_E_INVALID_REQUEST;
 287     }
 288
 289   return 0;
 290 }
 291
 292 static int
 293 wrap_nettle_cipher_setiv (void *_ctx, const void *iv, size_t ivsize)
 294 {
 295 struct nettle_cipher_ctx *ctx = _ctx;
 296
 297   switch (ctx->algo)
 298     {
 299     case GNUTLS_CIPHER_AES_128_GCM:
 300     case GNUTLS_CIPHER_AES_256_GCM:
 301       if (ivsize != GCM_DEFAULT_NONCE_SIZE)
 302         {
 303           gnutls_assert ();
 304           return GNUTLS_E_INVALID_REQUEST;
 305         }
 306
 307       gcm_aes_set_iv(&ctx->ctx.aes_gcm, GCM_DEFAULT_NONCE_SIZE, iv);
 308       break;
 309     default:
 310       if (ivsize > ctx->block_size)
 311         {
 312           gnutls_assert ();
 313           return GNUTLS_E_INVALID_REQUEST;
 314         }
 315
 316       memcpy (ctx->iv, iv, ivsize);
 317     }
 318
 319   return 0;
 320 }
 321
 322 static int
 323 wrap_nettle_cipher_decrypt (void *_ctx, const void *encr, size_t encrsize,
 324                             void *plain, size_t plainsize)
 325 {
 326   struct nettle_cipher_ctx *ctx = _ctx;
 327
 328   ctx->decrypt (ctx->ctx_ptr, ctx->i_decrypt, ctx->block_size, ctx->iv,
 329                 encrsize, plain, encr);
 330
 331   return 0;
 332 }
 333
 334 static int
 335 wrap_nettle_cipher_encrypt (void *_ctx, const void *plain, size_t plainsize,
 336                             void *encr, size_t encrsize)
 337 {
 338   struct nettle_cipher_ctx *ctx = _ctx;
 339
 340   ctx->encrypt (ctx->ctx_ptr, ctx->i_encrypt, ctx->block_size, ctx->iv,
 341                 plainsize, encr, plain);
 342
 343   return 0;
 344 }
 345
 346 static int
 347 wrap_nettle_cipher_auth (void *_ctx, const void *plain, size_t plainsize)
 348 {
 349   struct nettle_cipher_ctx *ctx = _ctx;
 350
 351   ctx->auth (ctx->ctx_ptr, plainsize, plain);
 352
 353   return 0;
 354 }
 355
 356 static void
 357 wrap_nettle_cipher_tag (void *_ctx, void *tag, size_t tagsize)
 358 {
 359   struct nettle_cipher_ctx *ctx = _ctx;
 360
 361   ctx->tag (ctx->ctx_ptr, tagsize, tag);
 362
 363 }
 364
 365 static void
 366 wrap_nettle_cipher_close (void *h)
 367 {
 368   gnutls_free (h);
 369 }
 370
 371 gnutls_crypto_cipher_st _gnutls_cipher_ops = {
 372   .init = wrap_nettle_cipher_init,
 373   .exists = wrap_nettle_cipher_exists,
 374   .setiv = wrap_nettle_cipher_setiv,
 375   .setkey = wrap_nettle_cipher_setkey,
 376   .encrypt = wrap_nettle_cipher_encrypt,
 377   .decrypt = wrap_nettle_cipher_decrypt,
 378   .deinit = wrap_nettle_cipher_close,
 379   .auth = wrap_nettle_cipher_auth,
 380   .tag = wrap_nettle_cipher_tag,
 381 };