

ref: e3a64494e782de289e1c7e12a4b3a2f73e0064e8
parent: 2095bdbf454fbe01501d0cda74e34ecb4b9d90ae
author: cinap_lenrek <[email protected]>
date: Tue Sep 1 17:35:43 EDT 2015

libsec: remove flawed aes() digest and hmac_aes() implementations (thanks aiju)

--- a/sys/include/libsec.h
+++ b/sys/include/libsec.h
@@ -141,7 +141,6 @@
 	SHA2_512dlen=	64,	/* SHA-512 digest length */
 	MD4dlen=	16,	/* MD4 digest length */
 	MD5dlen=	16,	/* MD5 digest length */
-	AESdlen=	16,	/* TODO: see rfc */
 
 	Hmacblksz	= 64,	/* in bytes; from rfc2104 */
 };
@@ -167,7 +166,6 @@
 typedef struct DigestState SHA2_512state;
 typedef struct DigestState MD5state;
 typedef struct DigestState MD4state;
-typedef struct DigestState AEShstate;
 
 DigestState*	md4(uchar*, ulong, uchar*, DigestState*);
 DigestState*	md5(uchar*, ulong, uchar*, DigestState*);
@@ -176,7 +174,6 @@
 DigestState*	sha2_256(uchar*, ulong, uchar*, DigestState*);
 DigestState*	sha2_384(uchar*, ulong, uchar*, DigestState*);
 DigestState*	sha2_512(uchar*, ulong, uchar*, DigestState*);
-DigestState*	aes(uchar*, ulong, uchar*, DigestState*);
 DigestState*	hmac_x(uchar *p, ulong len, uchar *key, ulong klen,
 			uchar *digest, DigestState *s,
 			DigestState*(*x)(uchar*, ulong, uchar*, DigestState*),
@@ -187,7 +184,6 @@
 DigestState*	hmac_sha2_256(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
 DigestState*	hmac_sha2_384(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
 DigestState*	hmac_sha2_512(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
-DigestState*	hmac_aes(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
 char*		md5pickle(MD5state*);
 MD5state*	md5unpickle(char*);
 char*		sha1pickle(SHA1state*);
--- a/sys/man/2/sechash
+++ b/sys/man/2/sechash
@@ -3,9 +3,9 @@
 md4, md5,
 sha1, sha2_224, sha2_256, sha2_384, sha2_512,
 ripemd160,
-aes, hmac_x, hmac_md5,
+hmac_x, hmac_md5,
 hmac_sha1, hmac_sha2_224, hmac_sha2_256, hmac_sha2_384, hmac_sha2_512,
-hmac_aes, md5pickle, md5unpickle,
+md5pickle, md5unpickle,
 sha1pickle, sha1unpickle \- cryptographically secure hashes
 .SH SYNOPSIS
 .nr Wd \w'\fLDS* \fP'u
@@ -58,8 +58,6 @@
 .Ti
 DS*	ripemd160(uchar *data, ulong dlen, uchar *digest, DS *state)
 .Ti
-DS*	aes(uchar *data, ulong dlen, uchar *digest, DS *state)
-.Ti
 DS*	hmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DS *s, DS*(*x)(uchar*, ulong, uchar*, DS*), int xlen)
 .Ti
 DS*	hmac_md5(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state)
@@ -73,8 +71,6 @@
 DS*	hmac_sha2_384(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state)
 .Ti
 DS*	hmac_sha2_512(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state)
-.Ti
-DS*	hmac_aes(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state)
 .SH DESCRIPTION
 .DT
 We support several secure hash functions.  The output of a
@@ -96,15 +92,13 @@
 .IR sha2_384 ,
 .IR sha2_512 ,
 .IR ripemd160 ,
-.IR aes ,
 .IR hmac_md5 ,
 .IR hmac_sha1 ,
 .IR hmac_sha2_224 ,
 .IR hmac_sha2_256 ,
 .IR hmac_sha2_384 ,
-.IR hmac_sha2_512 ,
 and
-.I hmac_aes
+.IR hmac_sha2_512
 differ only in the length of the resulting digest
 and in the security of the hash.
 .I Sha2_*
@@ -143,9 +137,8 @@
 .IR hmac_sha2_224 ,
 .IR hmac_sha2_256 ,
 .IR hmac_sha2_384 ,
-.IR hmac_sha2_512 ,
 and
-.I hmac_aes
+.IR hmac_sha2_512
 are used slightly differently.  These hash algorithms are keyed and require
 a key to be specified on every call.
 The digest lengths for these hashes are the obvious ones from
@@ -194,7 +187,6 @@
 .SH SOURCE
 .B /sys/src/libsec
 .SH SEE ALSO
-.IR aes (2),
 .IR blowfish (2),
 .IR des (2),
 .IR elgamal (2),
--- a/sys/src/9/ip/esp.c
+++ b/sys/src/9/ip/esp.c
@@ -162,7 +162,6 @@
 
 static	void nullahinit(Espcb*, char*, uchar *key, unsigned keylen);
 static	void shaahinit(Espcb*, char*, uchar *key, unsigned keylen);
-static	void aesahinit(Espcb*, char*, uchar *key, unsigned keylen);
 static	void md5ahinit(Espcb*, char*, uchar *key, unsigned keylen);
 
 static Algorithm espalg[] =
@@ -172,8 +171,6 @@
 	"aes_128_cbc",	128,	aescbcespinit,	/* new rfc3602 */
 	"aes_ctr",	128,	aesctrespinit,	/* new rfc3686 */
 	"des_56_cbc",	64,	desespinit,	/* rfc2405, deprecated */
-	/* rc4 was never required, was used in original bandt */
-//	"rc4_128",	128,	rc4espinit,
 	nil,		0,	nil,
 };
 
@@ -181,7 +178,6 @@
 {
 	"null",		0,	nullahinit,
 	"hmac_sha1_96",	128,	shaahinit,	/* rfc2404 */
-	"aes_xcbc_mac_96", 128,	aesahinit,	/* new rfc3566 */
 	"hmac_md5_96",	128,	md5ahinit,	/* rfc2403 */
 	nil,		0,	nil,
 };
@@ -803,37 +799,6 @@
 /*
  * aes
  */
-
-/* ah_aes_xcbc_mac_96, rfc3566 */
-static int
-aesahauth(Espcb *ecb, uchar *t, int tlen, uchar *auth)
-{
-	int r;
-	uchar hash[AESdlen];
-
-	memset(hash, 0, AESdlen);
-	ecb->ds = hmac_aes(t, tlen, (uchar*)ecb->ahstate, BITS2BYTES(96), hash,
-		ecb->ds);
-	r = memcmp(auth, hash, ecb->ahlen) == 0;
-	memmove(auth, hash, ecb->ahlen);
-	return r;
-}
-
-static void
-aesahinit(Espcb *ecb, char *name, uchar *key, unsigned klen)
-{
-	if(klen != 128)
-		panic("aesahinit: keylen not 128");
-	klen /= BI2BY;
-
-	ecb->ahalg = name;
-	ecb->ahblklen = 1;
-	ecb->ahlen = BITS2BYTES(96);
-	ecb->auth = aesahauth;
-	ecb->ahstate = smalloc(klen);
-	memmove(ecb->ahstate, key, klen);
-}
-
 static int
 aescbccipher(Espcb *ecb, uchar *p, int n)	/* 128-bit blocks */
 {
--- a/sys/src/libsec/port/aes.c
+++ b/sys/src/libsec/port/aes.c
@@ -59,7 +59,7 @@
 	},
 };
 
-int aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],
+static int aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],
 		int keyBits);
 static int aes_setupDec(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],
 		int keyBits);
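Review bot: The new side makes the aes_setupEnc prototype `static`, but the definition of aes_setupEnc lies outside this hunk and is not changed by the commit as shown; in C a later definition with no storage-class specifier inherits internal linkage from this prior declaration, so it compiles, but the definition should also read `static int aes_setupEnc(ulong rk[], const uchar cipherKey[], int keyBits)` so the linkage is visible where the body lives, matching how aes_setupDec is already declared beside it. Any caller of aes_setupEnc in another translation unit would now fail to link; the visible libsec.h hunks remove no declaration of it, so either none exists or one is still left in the header and should be checked.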
@@ -219,140 +219,6 @@
 			*p++ ^= *ip++;
 	}
 }
-
-/* taken from sha1; TODO: verify suitability (esp. byte order) for aes */
-/*
- *	encodes input (ulong) into output (uchar). Assumes len is
- *	a multiple of 4.
- */
-static void
-encode(uchar *output, ulong *input, ulong len)
-{
-	ulong x;
-	uchar *e;
-
-	for(e = output + len; output < e;) {
-		x = *input++;
-		*output++ = x >> 24;
-		*output++ = x >> 16;
-		*output++ = x >> 8;
-		*output++ = x;
-	}
-}
-
-/* TODO: verify use of aes_encrypt here */
-AEShstate*
-aes(uchar *p, ulong len, uchar *digest, AEShstate *s)
-{
-	uchar buf[128];
-	ulong x[16];
-	int i;
-	uchar *e;
-
-	if(s == nil){
-		s = malloc(sizeof(*s));
-		if(s == nil)
-			return nil;
-		memset(s, 0, sizeof(*s));
-		s->malloced = 1;
-	}
-
-	if(s->seeded == 0){
-		/* seed the state, these constants would look nicer big-endian */
-		s->state[0] = 0x67452301;
-		s->state[1] = 0xefcdab89;
-		s->state[2] = 0x98badcfe;
-		s->state[3] = 0x10325476;
-		/* in sha1 (20-byte digest), but not md5 (16 bytes)*/
-		s->state[4] = 0xc3d2e1f0;
-		s->seeded = 1;
-	}
-
-	/* fill out the partial 64 byte block from previous calls */
-	if(s->blen){
-		i = 64 - s->blen;
-		if(len < i)
-			i = len;
-		memmove(s->buf + s->blen, p, i);
-		len -= i;
-		s->blen += i;
-		p += i;
-		if(s->blen == 64){
-			/* encrypt s->buf into s->state */
-			// _sha1block(s->buf, s->blen, s->state);
-			aes_encrypt((ulong *)s->buf, 1, s->buf, (uchar *)s->state);
-			s->len += s->blen;
-			s->blen = 0;
-		}
-	}
-
-	/* do 64 byte blocks */
-	i = len & ~0x3f;
-	if(i){
-		/* encrypt p into s->state */
-		// _sha1block(p, i, s->state);
-		aes_encrypt((ulong *)s->buf, 1, p, (uchar *)s->state);
-		s->len += i;
-		len -= i;
-		p += i;
-	}
-
-	/* save the left overs if not last call */
-	if(digest == 0){
-		if(len){
-			memmove(s->buf, p, len);
-			s->blen += len;
-		}
-		return s;
-	}
-
-	/*
-	 *  this is the last time through, pad what's left with 0x80,
-	 *  0's, and the input count to create a multiple of 64 bytes
-	 */
-	if(s->blen){
-		p = s->buf;
-		len = s->blen;
-	} else {
-		memmove(buf, p, len);
-		p = buf;
-	}
-	s->len += len;
-	e = p + len;
-	if(len < 56)
-		i = 56 - len;
-	else
-		i = 120 - len;
-	memset(e, 0, i);
-	*e = 0x80;
-	len += i;
-
-	/* append the count */
-	x[0] = s->len>>29;		/* byte-order dependent */
-	x[1] = s->len<<3;
-	encode(p+len, x, 8);
-
-	/* digest the last part */
-	/* encrypt p into s->state */
-	// _sha1block(p, len+8, s->state);
-	aes_encrypt((ulong *)s->buf, 1, p, (uchar *)s->state);
-	s->len += len+8;		/* sha1: +8 */
-
-	/* return result and free state */
-	encode((uchar *)digest, (ulong *)s->state, AESdlen);
-	if(s->malloced == 1)
-		free(s);
-	return nil;
-}
-
-DigestState*
-hmac_aes(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
-	DigestState *s)
-{
-	return hmac_x(p, len, key, klen, digest, s, aes, AESdlen);
-}
-
-
 
 /*
  * this function has been changed for plan 9.