X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fgcrypt%2Fcipher.c;h=0f7b008db94cd26e5f120102d462633b60483e1b;hb=77cd819058de43a5fcea54300dde50e03088c318;hp=6a2cc5a1076a556675a5d471636d7983c60191da;hpb=33f241d97852d7a171f1aaf1bda7f66356ff889e;p=tinc

diff --git a/src/gcrypt/cipher.c b/src/gcrypt/cipher.c
index 6a2cc5a1..0f7b008d 100644
--- a/src/gcrypt/cipher.c
+++ b/src/gcrypt/cipher.c
@@ -1,6 +1,6 @@
 /*
     cipher.c -- Symmetric block cipher handling
-    Copyright (C) 2007 Guus Sliepen <guus@tinc-vpn.org>
+    Copyright (C) 2007-2012 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -36,26 +36,26 @@ static struct {
 	{NULL, GCRY_CIPHER_BLOWFISH, GCRY_CIPHER_MODE_CFB, 93},
 	{NULL, GCRY_CIPHER_BLOWFISH, GCRY_CIPHER_MODE_OFB, 94},
 
-	{NULL, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 418},
-	{"aes", GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 419},
-	{NULL, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CFB, 421},
-	{NULL, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_OFB, 420},
+	{"aes-128-ecb", GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 418},
+	{"aes-128-cbc", GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 419},
+	{"aes-128-cfb", GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CFB, 421},
+	{"aes-128-ofb", GCRY_CIPHER_AES, GCRY_CIPHER_MODE_OFB, 420},
 
-	{NULL, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_ECB, 422},
-	{"aes192", GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CBC, 423},
-	{NULL, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CFB, 425},
-	{NULL, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_OFB, 424},
+	{"aes-192-ecb", GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_ECB, 422},
+	{"aes-192-cbc", GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CBC, 423},
+	{"aes-192-cfb", GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CFB, 425},
+	{"aes-192-ofb", GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_OFB, 424},
 
-	{NULL, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_ECB, 426},
-	{"aes256", GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CBC, 427},
-	{NULL, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CFB, 429},
-	{NULL, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_OFB, 428},
+	{"aes-256-ecb", GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_ECB, 426},
+	{"aes-256-cbc", GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CBC, 427},
+	{"aes-256-cfb", GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CFB, 429},
+	{"aes-256-ofb", GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_OFB, 428},
 };
 
 static bool nametocipher(const char *name, int *algo, int *mode) {
 	size_t i;
 
-	for(i = 0; i < sizeof ciphertable / sizeof *ciphertable; i++) {
+	for(i = 0; i < sizeof(ciphertable) / sizeof(*ciphertable); i++) {
 		if(ciphertable[i].name && !strcasecmp(name, ciphertable[i].name)) {
 			*algo = ciphertable[i].algo;
 			*mode = ciphertable[i].mode;
@@ -69,7 +69,7 @@ static bool nametocipher(const char *name, int *algo, int *mode) {
 static bool nidtocipher(int nid, int *algo, int *mode) {
 	size_t i;
 
-	for(i = 0; i < sizeof ciphertable / sizeof *ciphertable; i++) {
+	for(i = 0; i < sizeof(ciphertable) / sizeof(*ciphertable); i++) {
 		if(nid == ciphertable[i].nid) {
 			*algo = ciphertable[i].algo;
 			*mode = ciphertable[i].mode;
@@ -83,7 +83,7 @@ static bool nidtocipher(int nid, int *algo, int *mode) {
 static bool ciphertonid(int algo, int mode, int *nid) {
 	size_t i;
 
-	for(i = 0; i < sizeof ciphertable / sizeof *ciphertable; i++) {
+	for(i = 0; i < sizeof(ciphertable) / sizeof(*ciphertable); i++) {
 		if(algo == ciphertable[i].algo && mode == ciphertable[i].mode) {
 			*nid = ciphertable[i].nid;
 			return true;
@@ -97,12 +97,12 @@ static bool cipher_open(cipher_t *cipher, int algo, int mode) {
 	gcry_error_t err;
 
 	if(!ciphertonid(algo, mode, &cipher->nid)) {
-		logger(LOG_DEBUG, "Cipher %d mode %d has no corresponding nid!", algo, mode);
+		logger(DEBUG_ALWAYS, LOG_DEBUG, "Cipher %d mode %d has no corresponding nid!", algo, mode);
 		return false;
 	}
 
 	if((err = gcry_cipher_open(&cipher->handle, algo, mode, 0))) {
-		logger(LOG_DEBUG, "Unable to intialise cipher %d mode %d: %s", algo, mode, gcry_strerror(err));
+		logger(DEBUG_ALWAYS, LOG_DEBUG, "Unable to initialise cipher %d mode %d: %s", algo, mode, gcry_strerror(err));
 		return false;
 	}
 
@@ -118,7 +118,7 @@ bool cipher_open_by_name(cipher_t *cipher, const char *name) {
 	int algo, mode;
 
 	if(!nametocipher(name, &algo, &mode)) {
-		logger(LOG_DEBUG, "Unknown cipher name '%s'!", name);
+		logger(DEBUG_ALWAYS, LOG_DEBUG, "Unknown cipher name '%s'!", name);
 		return false;
 	}
 
@@ -129,7 +129,7 @@ bool cipher_open_by_nid(cipher_t *cipher, int nid) {
 	int algo, mode;
 
 	if(!nidtocipher(nid, &algo, &mode)) {
-		logger(LOG_DEBUG, "Unknown cipher ID %d!", nid);
+		logger(DEBUG_ALWAYS, LOG_DEBUG, "Unknown cipher ID %d!", nid);
 		return false;
 	}
 
@@ -146,16 +146,45 @@ void cipher_close(cipher_t *cipher) {
 		cipher->handle = NULL;
 	}
 
-	if(cipher->key) {
-		free(cipher->key);
-		cipher->key = NULL;
-	}
+	free(cipher->key);
+
+	memset(cipher, 0, sizeof(*cipher));
 }
 
 size_t cipher_keylength(const cipher_t *cipher) {
+	if(!cipher) {
+		return 0;
+	}
+
 	return cipher->keylen + cipher->blklen;
 }
 
+uint64_t cipher_budget(const cipher_t *cipher) {
+	if(!cipher) {
+		return UINT64_MAX; // NULL cipher
+	}
+
+	size_t ivlen = cipher->blklen;
+	size_t blklen = cipher->blklen;
+
+	size_t len = blklen > 1
+	             ? blklen
+	             : ivlen > 1 ? ivlen : 8;
+	size_t bits = len * 4 - 1;
+
+	return bits < 64
+	       ? UINT64_C(1) << bits
+	       : UINT64_MAX;
+}
+
+size_t cipher_blocksize(const cipher_t *cipher) {
+	if(!cipher || !cipher->blklen) {
+		return 1;
+	}
+
+	return cipher->blklen;
+}
+
 void cipher_get_key(const cipher_t *cipher, void *key) {
 	memcpy(key, cipher->key, cipher->keylen + cipher->blklen);
 }
@@ -170,10 +199,14 @@ bool cipher_set_key(cipher_t *cipher, void *key, bool encrypt) {
 }
 
 bool cipher_set_key_from_rsa(cipher_t *cipher, void *key, size_t len, bool encrypt) {
-	memcpy(cipher->key, key + len - cipher->keylen, cipher->keylen + cipher->blklen);
-	memcpy(cipher->key + cipher->keylen, key + len - cipher->keylen - cipher->blklen, cipher->blklen);
-
+	memcpy(cipher->key,
+	       key + len - cipher->keylen,
+	       cipher->keylen);
 	gcry_cipher_setkey(cipher->handle, cipher->key, cipher->keylen);
+
+	memcpy(cipher->key + cipher->keylen,
+	       key + len - cipher->blklen - cipher->keylen,
+	       cipher->blklen);
 	gcry_cipher_setiv(cipher->handle, cipher->key + cipher->keylen, cipher->blklen);
 
 	return true;
@@ -193,13 +226,14 @@ bool cipher_encrypt(cipher_t *cipher, const void *indata, size_t inlen, void *ou
 	uint8_t pad[cipher->blklen];
 
 	if(cipher->padding) {
-		if(!oneshot)
+		if(!oneshot) {
 			return false;
+		}
 
 		size_t reqlen = ((inlen + cipher->blklen) / cipher->blklen) * cipher->blklen;
 
 		if(*outlen < reqlen) {
-			logger(LOG_ERR, "Error while encrypting: not enough room for padding");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Error while encrypting: not enough room for padding");
 			return false;
 		}
 
@@ -207,23 +241,25 @@ bool cipher_encrypt(cipher_t *cipher, const void *indata, size_t inlen, void *ou
 		inlen = reqlen - cipher->blklen;
 
 		for(int i = 0; i < cipher->blklen; i++)
-			if(i < cipher->blklen - padbyte)
+			if(i < cipher->blklen - padbyte) {
 				pad[i] = ((uint8_t *)indata)[inlen + i];
-			else
+			} else {
 				pad[i] = padbyte;
+			}
 	}
-	
-	if(oneshot)
+
+	if(oneshot) {
 		gcry_cipher_setiv(cipher->handle, cipher->key + cipher->keylen, cipher->blklen);
+	}
 
 	if((err = gcry_cipher_encrypt(cipher->handle, outdata, *outlen, indata, inlen))) {
-		logger(LOG_ERR, "Error while encrypting: %s", gcry_strerror(err));
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error while encrypting: %s", gcry_strerror(err));
 		return false;
 	}
 
 	if(cipher->padding) {
 		if((err = gcry_cipher_encrypt(cipher->handle, outdata + inlen, cipher->blklen, pad, cipher->blklen))) {
-			logger(LOG_ERR, "Error while encrypting: %s", gcry_strerror(err));
+			logger(DEBUG_ALWAYS, LOG_ERR, "Error while encrypting: %s", gcry_strerror(err));
 			return false;
 		}
 
@@ -237,41 +273,48 @@ bool cipher_encrypt(cipher_t *cipher, const void *indata, size_t inlen, void *ou
 bool cipher_decrypt(cipher_t *cipher, const void *indata, size_t inlen, void *outdata, size_t *outlen, bool oneshot) {
 	gcry_error_t err;
 
-	if(oneshot)
+	if(oneshot) {
 		gcry_cipher_setiv(cipher->handle, cipher->key + cipher->keylen, cipher->blklen);
+	}
 
 	if((err = gcry_cipher_decrypt(cipher->handle, outdata, *outlen, indata, inlen))) {
-		logger(LOG_ERR, "Error while decrypting: %s", gcry_strerror(err));
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error while decrypting: %s", gcry_strerror(err));
 		return false;
 	}
 
 	if(cipher->padding) {
-		if(!oneshot)
+		if(!oneshot) {
 			return false;
+		}
 
 		uint8_t padbyte = ((uint8_t *)outdata)[inlen - 1];
 
 		if(padbyte == 0 || padbyte > cipher->blklen || padbyte > inlen) {
-			logger(LOG_ERR, "Error while decrypting: invalid padding");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Error while decrypting: invalid padding");
 			return false;
 		}
 
 		size_t origlen = inlen - padbyte;
 
-		for(int i = inlen - 1; i >= origlen; i--)
+		for(size_t i = inlen - 1; i >= origlen; i--)
 			if(((uint8_t *)outdata)[i] != padbyte) {
-				logger(LOG_ERR, "Error while decrypting: invalid padding");
+				logger(DEBUG_ALWAYS, LOG_ERR, "Error while decrypting: invalid padding");
 				return false;
 			}
 
 		*outlen = origlen;
-	} else
+	} else {
 		*outlen = inlen;
+	}
 
 	return true;
 }
 
 int cipher_get_nid(const cipher_t *cipher) {
+	if(!cipher || !cipher->nid) {
+		return 0;
+	}
+
 	return cipher->nid;
 }