Home Explore Help
Sign In
g
/
mumlib
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
mumlib
/
src
/
CryptState.cpp

CryptState.cpp 9.9 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300 
  1. /* Copyright (C) 2005-2011, Thorvald Natvig <thorvald@natvig.com>
    2. 

  2. 

  3.    All rights reserved.
    4. 

  4. 

  5.    Redistribution and use in source and binary forms, with or without
    6. 

  6.    modification, are permitted provided that the following conditions
    7. 

  7.    are met:
    8. 

  8. 

  9.    - Redistributions of source code must retain the above copyright notice,
    10. 

  10.      this list of conditions and the following disclaimer.
    11. 

  11.    - Redistributions in binary form must reproduce the above copyright notice,
    12. 

  12.      this list of conditions and the following disclaimer in the documentation
    13. 

  13.      and/or other materials provided with the distribution.
    14. 

  14.    - Neither the name of the Mumble Developers nor the names of its
    15. 

  15.      contributors may be used to endorse or promote products derived from this
    16. 

  16.      software without specific prior written permission.
    17. 

  17. 

  18.    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
    19. 

  19.    ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
    20. 

  20.    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
    21. 

  21.    A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR
    22. 

  22.    CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
    23. 

  23.    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
    24. 

  24.    PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
    25. 

  25.    PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
    26. 

  26.    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
    27. 

  27.    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    28. 

  28.    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    29. 

  29. */
    30. 

  30. 

  31. /*
    32. 

  32.  * This code implements OCB-AES128.
    33. 

  33.  * In the US, OCB is covered by patents. The inventor has given a license
    34. 

  34.  * to all programs distributed under the GPL.
    35. 

  35.  * Mumble is BSD (revised) licensed, meaning you can use the code in a
    36. 

  36.  * closed-source program. If you do, you'll have to either replace
    37. 

  37.  * OCB with something else or get yourself a license.
    38. 

  38.  */
    39. 

  39. 

  40. 

  41. #include "mumlib/CryptState.hpp"
    42. 

  42. 

  43. #include <openssl/rand.h>
    44. 

  44. #include <cstring>
    45. 

  45. #include <cstdint>
    46. 

  46. 

  47. using namespace std;
    48. 

  48. 

  49. mumlib::CryptState::CryptState() {
    50. 

  50.     for (int i = 0; i < 0x100; i++)
    51. 

  51.         decrypt_history[i] = 0;
    52. 

  52.     bInit = false;
    53. 

  53.     uiGood = uiLate = uiLost = uiResync = 0;
    54. 

  54.     uiRemoteGood = uiRemoteLate = uiRemoteLost = uiRemoteResync = 0;
    55. 

  55. }
    56. 

  56. 

  57. bool mumlib::CryptState::isValid() const {
    58. 

  58.     return bInit;
    59. 

  59. }
    60. 

  60. 

  61. void mumlib::CryptState::genKey() {
    62. 

  62. 	RAND_bytes(raw_key, AES_BLOCK_SIZE);
    63. 

  63. 	RAND_bytes(encrypt_iv, AES_BLOCK_SIZE);
    64. 

  64. 	RAND_bytes(decrypt_iv, AES_BLOCK_SIZE);
    65. 

  65. 	AES_set_encrypt_key(raw_key, 128, &encrypt_key);
    66. 

  66. 	AES_set_decrypt_key(raw_key, 128, &decrypt_key);
    67. 

  67. 	bInit = true;
    68. 

  68. }
    69. 

  69. 

  70. void mumlib::CryptState::setKey(const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div) {
    71. 

  71.     memcpy(raw_key, rkey, AES_BLOCK_SIZE);
    72. 

  72.     memcpy(encrypt_iv, eiv, AES_BLOCK_SIZE);
    73. 

  73.     memcpy(decrypt_iv, div, AES_BLOCK_SIZE);
    74. 

  74.     AES_set_encrypt_key(raw_key, 128, &encrypt_key);
    75. 

  75.     AES_set_decrypt_key(raw_key, 128, &decrypt_key);
    76. 

  76.     bInit = true;
    77. 

  77. }
    78. 

  78. 

  79. void mumlib::CryptState::setDecryptIV(const unsigned char *iv) {
    80. 

  80.     memcpy(decrypt_iv, iv, AES_BLOCK_SIZE);
    81. 

  81. }
    82. 

  82. 

  83. const unsigned char* mumlib::CryptState::getEncryptIV() const {
    84. 

  84. 	return encrypt_iv;
    85. 

  85. }
    86. 

  86. 

  87. void mumlib::CryptState::encrypt(const unsigned char *source, unsigned char *dst, unsigned int plain_length) {
    88. 

  88.     unsigned char tag[AES_BLOCK_SIZE];
    89. 

  89. 

  90.     // First, increase our IV.
    91. 

  91.     for (int i = 0; i < AES_BLOCK_SIZE; i++)
    92. 

  92.         if (++encrypt_iv[i])
    93. 

  93.             break;
    94. 

  94. 

  95.     ocb_encrypt(source, dst + 4, plain_length, encrypt_iv, tag);
    96. 

  96. 

  97.     dst[0] = encrypt_iv[0];
    98. 

  98.     dst[1] = tag[0];
    99. 

  99.     dst[2] = tag[1];
    100. 

  100.     dst[3] = tag[2];
    101. 

  101. }
    102. 

  102. 

  103. bool mumlib::CryptState::decrypt(const unsigned char *source, unsigned char *dst, unsigned int crypted_length) {
    104. 

  104.     if (crypted_length < 4)
    105. 

  105.         return false;
    106. 

  106. 

  107.     unsigned int plain_length = crypted_length - 4;
    108. 

  108. 

  109.     unsigned char saveiv[AES_BLOCK_SIZE];
    110. 

  110.     unsigned char ivbyte = source[0];
    111. 

  111.     bool restore = false;
    112. 

  112.     unsigned char tag[AES_BLOCK_SIZE];
    113. 

  113. 

  114.     int lost = 0;
    115. 

  115.     int late = 0;
    116. 

  116. 

  117.     memcpy(saveiv, decrypt_iv, AES_BLOCK_SIZE);
    118. 

  118. 

  119.     if (((decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
    120. 

  120.         // In order as expected.
    121. 

  121.         if (ivbyte > decrypt_iv[0]) {
    122. 

  122.             decrypt_iv[0] = ivbyte;
    123. 

  123.         } else if (ivbyte < decrypt_iv[0]) {
    124. 

  124.             decrypt_iv[0] = ivbyte;
    125. 

  125.             for (int i = 1; i < AES_BLOCK_SIZE; i++)
    126. 

  126.                 if (++decrypt_iv[i])
    127. 

  127.                     break;
    128. 

  128.         } else {
    129. 

  129.             return false;
    130. 

  130.         }
    131. 

  131.     } else {
    132. 

  132.         // This is either out of order or a repeat.
    133. 

  133. 

  134.         int diff = ivbyte - decrypt_iv[0];
    135. 

  135.         if (diff > 128)
    136. 

  136.             diff = diff - 256;
    137. 

  137.         else if (diff < -128)
    138. 

  138.             diff = diff + 256;
    139. 

  139. 

  140.         if ((ivbyte < decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
    141. 

  141.             // Late packet, but no wraparound.
    142. 

  142.             late = 1;
    143. 

  143.             lost = -1;
    144. 

  144.             decrypt_iv[0] = ivbyte;
    145. 

  145.             restore = true;
    146. 

  146.         } else if ((ivbyte > decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
    147. 

  147.             // Last was 0x02, here comes 0xff from last round
    148. 

  148.             late = 1;
    149. 

  149.             lost = -1;
    150. 

  150.             decrypt_iv[0] = ivbyte;
    151. 

  151.             for (int i = 1; i < AES_BLOCK_SIZE; i++)
    152. 

  152.                 if (decrypt_iv[i]--)
    153. 

  153.                     break;
    154. 

  154.             restore = true;
    155. 

  155.         } else if ((ivbyte > decrypt_iv[0]) && (diff > 0)) {
    156. 

  156.             // Lost a few packets, but beyond that we're good.
    157. 

  157.             lost = ivbyte - decrypt_iv[0] - 1;
    158. 

  158.             decrypt_iv[0] = ivbyte;
    159. 

  159.         } else if ((ivbyte < decrypt_iv[0]) && (diff > 0)) {
    160. 

  160.             // Lost a few packets, and wrapped around
    161. 

  161.             lost = 256 - decrypt_iv[0] + ivbyte - 1;
    162. 

  162.             decrypt_iv[0] = ivbyte;
    163. 

  163.             for (int i = 1; i < AES_BLOCK_SIZE; i++)
    164. 

  164.                 if (++decrypt_iv[i])
    165. 

  165.                     break;
    166. 

  166.         } else {
    167. 

  167.             return false;
    168. 

  168.         }
    169. 

  169. 

  170.         if (decrypt_history[decrypt_iv[0]] == decrypt_iv[1]) {
    171. 

  171.             memcpy(decrypt_iv, saveiv, AES_BLOCK_SIZE);
    172. 

  172.             return false;
    173. 

  173.         }
    174. 

  174.     }
    175. 

  175. 

  176.     ocb_decrypt(source + 4, dst, plain_length, decrypt_iv, tag);
    177. 

  177. 

  178.     if (memcmp(tag, source + 1, 3) != 0) {
    179. 

  179.         memcpy(decrypt_iv, saveiv, AES_BLOCK_SIZE);
    180. 

  180.         return false;
    181. 

  181.     }
    182. 

  182.     decrypt_history[decrypt_iv[0]] = decrypt_iv[1];
    183. 

  183. 

  184.     if (restore)
    185. 

  185.         memcpy(decrypt_iv, saveiv, AES_BLOCK_SIZE);
    186. 

  186. 

  187.     uiGood++;
    188. 

  188.     uiLate += late;
    189. 

  189.     uiLost += lost;
    190. 

  190. 

  191.     return true;
    192. 

  192. }
    193. 

  193. 

  194. #define BLOCKSIZE 2
    195. 

  195. #define SHIFTBITS 63
    196. 

  196. typedef uint64_t subblock;
    197. 

  197. 

  198. #define SWAP64(x) (__builtin_bswap64(x))
    199. 

  199. #define SWAPPED(x) SWAP64(x)
    200. 

  200. 

  201. typedef subblock keyblock[BLOCKSIZE];
    202. 

  202. 

  203. static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
    204. 

  204.     for (int i = 0; i < BLOCKSIZE; i++) {
    205. 

  205.         dst[i] = a[i] ^ b[i];
    206. 

  206.     }
    207. 

  207. }
    208. 

  208. 

  209. static void inline S2(subblock *block) {
    210. 

  210.     subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
    211. 

  211.     for (int i = 0; i < BLOCKSIZE - 1; i++)
    212. 

  212.         block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i + 1]) >> SHIFTBITS));
    213. 

  213.     block[BLOCKSIZE - 1] = SWAPPED((SWAPPED(block[BLOCKSIZE - 1]) << 1) ^ (carry * 0x87));
    214. 

  214. }
    215. 

  215. 

  216. static void inline S3(subblock *block) {
    217. 

  217.     subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
    218. 

  218.     for (int i = 0; i < BLOCKSIZE - 1; i++)
    219. 

  219.         block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i + 1]) >> SHIFTBITS));
    220. 

  220.     block[BLOCKSIZE - 1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE - 1]) << 1) ^ (carry * 0x87));
    221. 

  221. }
    222. 

  222. 

  223. static void inline ZERO(keyblock &block) {
    224. 

  224.     for (int i = 0; i < BLOCKSIZE; i++)
    225. 

  225.         block[i] = 0;
    226. 

  226. }
    227. 

  227. 

  228. #define AESencrypt(src, dst, key) AES_encrypt(reinterpret_cast<const unsigned char *>(src),reinterpret_cast<unsigned char *>(dst), key);
    229. 

  229. #define AESdecrypt(src, dst, key) AES_decrypt(reinterpret_cast<const unsigned char *>(src),reinterpret_cast<unsigned char *>(dst), key);
    230. 

  230. 

  231. void mumlib::CryptState::ocb_encrypt(const unsigned char *plain, unsigned char *encrypted, unsigned int len,
    232. 

  232.                                      const unsigned char *nonce, unsigned char *tag) {
    233. 

  233.     keyblock checksum, delta, tmp, pad;
    234. 

  234. 

  235.     // Initialize
    236. 

  236.     AESencrypt(nonce, delta, &encrypt_key);
    237. 

  237.     ZERO(checksum);
    238. 

  238. 

  239.     while (len > AES_BLOCK_SIZE) {
    240. 

  240.         S2(delta);
    241. 

  241.         XOR(tmp, delta, reinterpret_cast<const subblock *>(plain));
    242. 

  242.         AESencrypt(tmp, tmp, &encrypt_key);
    243. 

  243.         XOR(reinterpret_cast<subblock *>(encrypted), delta, tmp);
    244. 

  244.         XOR(checksum, checksum, reinterpret_cast<const subblock *>(plain));
    245. 

  245.         len -= AES_BLOCK_SIZE;
    246. 

  246.         plain += AES_BLOCK_SIZE;
    247. 

  247.         encrypted += AES_BLOCK_SIZE;
    248. 

  248.     }
    249. 

  249. 

  250.     S2(delta);
    251. 

  251.     ZERO(tmp);
    252. 

  252.     tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
    253. 

  253.     XOR(tmp, tmp, delta);
    254. 

  254.     AESencrypt(tmp, pad, &encrypt_key);
    255. 

  255.     memcpy(tmp, plain, len);
    256. 

  256.     memcpy(reinterpret_cast<unsigned char *>(tmp) + len, reinterpret_cast<const unsigned char *>(pad) + len,
    257. 

  257.            AES_BLOCK_SIZE - len);
    258. 

  258.     XOR(checksum, checksum, tmp);
    259. 

  259.     XOR(tmp, pad, tmp);
    260. 

  260.     memcpy(encrypted, tmp, len);
    261. 

  261. 

  262.     S3(delta);
    263. 

  263.     XOR(tmp, delta, checksum);
    264. 

  264.     AESencrypt(tmp, tag, &encrypt_key);
    265. 

  265. }
    266. 

  266. 

  267. void mumlib::CryptState::ocb_decrypt(const unsigned char *encrypted, unsigned char *plain, unsigned int len,
    268. 

  268.                                      const unsigned char *nonce, unsigned char *tag) {
    269. 

  269.     keyblock checksum, delta, tmp, pad;
    270. 

  270. 

  271.     // Initialize
    272. 

  272.     AESencrypt(nonce, delta, &encrypt_key);
    273. 

  273.     ZERO(checksum);
    274. 

  274. 

  275.     while (len > AES_BLOCK_SIZE) {
    276. 

  276.         S2(delta);
    277. 

  277.         XOR(tmp, delta, reinterpret_cast<const subblock *>(encrypted));
    278. 

  278.         AESdecrypt(tmp, tmp, &decrypt_key);
    279. 

  279.         XOR(reinterpret_cast<subblock *>(plain), delta, tmp);
    280. 

  280.         XOR(checksum, checksum, reinterpret_cast<const subblock *>(plain));
    281. 

  281.         len -= AES_BLOCK_SIZE;
    282. 

  282.         plain += AES_BLOCK_SIZE;
    283. 

  283.         encrypted += AES_BLOCK_SIZE;
    284. 

  284.     }
    285. 

  285. 

  286.     S2(delta);
    287. 

  287.     ZERO(tmp);
    288. 

  288.     tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
    289. 

  289.     XOR(tmp, tmp, delta);
    290. 

  290.     AESencrypt(tmp, pad, &encrypt_key);
    291. 

  291.     memset(tmp, 0, AES_BLOCK_SIZE);
    292. 

  292.     memcpy(tmp, encrypted, len);
    293. 

  293.     XOR(tmp, tmp, pad);
    294. 

  294.     XOR(checksum, checksum, tmp);
    295. 

  295.     memcpy(plain, tmp, len);
    296. 

  296. 

  297.     S3(delta);
    298. 

  298.     XOR(tmp, delta, checksum);
    299. 

  299.     AESencrypt(tmp, tag, &encrypt_key);
    300. 

  300. }
    301.