--- truecrypt/common/crypto.c 2018/04/24 16:41:28 1.1.1.5 +++ truecrypt/common/crypto.c 2018/04/24 16:44:45 1.1.1.9 @@ -1,14 +1,21 @@ -/* The source code contained in this file has been derived from the source code - of Encryption for the Masses 2.02a by Paul Le Roux. Modifications and - additions to that source code contained in this file are Copyright (c) 2004 - TrueCrypt Foundation and Copyright (c) 2004 TrueCrypt Team. Unmodified - parts are Copyright (c) 1998-99 Paul Le Roux. This is a TrueCrypt Foundation - release. Please see the file license.txt for full license details. */ - -#include "TCdefs.h" -#include "crypto.h" -#include "random.h" -#include "crc.h" +/* Legal Notice: The source code contained in this file has been derived from + the source code of Encryption for the Masses 2.02a, which is Copyright (c) + 1998-99 Paul Le Roux and which is covered by the 'License Agreement for + Encryption for the Masses'. Modifications and additions to that source code + contained in this file are Copyright (c) 2004-2006 TrueCrypt Foundation and + Copyright (c) 2004 TrueCrypt Team, and are covered by TrueCrypt License 2.0 + the full text of which is contained in the file License.txt included in + TrueCrypt binary and source code distribution archives. */ + +#include "Tcdefs.h" +#include "Crypto.h" +#include "Crc.h" +#include "Endian.h" + +#ifdef LINUX_DRIVER +#include +#include +#endif /* Update the following when adding a new cipher or EA: @@ -22,46 +29,60 @@ CipherInit() EncipherBlock() DecipherBlock() + */ // Cipher configuration static Cipher Ciphers[] = { -// ID Name Block size Key size Key schedule size +// Block Size Key Size Key Schedule Size +// ID Name (Bytes) (Bytes) (Bytes) { AES, "AES", 16, 32, sizeof(aes_encrypt_ctx)+sizeof(aes_decrypt_ctx) }, { BLOWFISH, "Blowfish", 8, 56, 4168 }, { CAST, "CAST5", 8, 16, 128 }, { DES56, "DES", 8, 7, 128 }, { SERPENT, "Serpent", 16, 32, 140*4 }, - { TRIPLEDES,"Triple DES", 8, 7*3, 128*3 }, + { TRIPLEDES,"Triple DES", 8, 8*3, 128*3 }, { TWOFISH, "Twofish", 16, 32, TWOFISH_KS }, { 0, 0, 0, 0, 0 } }; // Encryption algorithm configuration +// The following modes have been deprecated (legacy): CBC, INNER_CBC, OUTER_CBC static EncryptionAlgorithm EncryptionAlgorithms[] = { - // Cipher(s) Mode - { { 0, 0 } , 0 }, // (must be null) - { { AES, 0 } , CBC }, // AES - { { BLOWFISH, 0 } , CBC }, // Blowfish - { { CAST, 0 } , CBC }, // CAST5 - { { SERPENT, 0 } , CBC }, // Serpent - { { TRIPLEDES, 0 } , CBC }, // Triple DES - { { TWOFISH, 0 } , CBC }, // Twofish - { { BLOWFISH, AES, 0 } , INNER_CBC }, // AES-Blowfish - { { SERPENT, BLOWFISH, AES, 0 } , INNER_CBC }, // AES-Blowfish-Serpent - { { TWOFISH, AES, 0 } , OUTER_CBC }, // AES-Twofish - { { SERPENT, TWOFISH, AES, 0 } , OUTER_CBC }, // AES-Twofish-Serpent - { { AES, SERPENT, 0 } , OUTER_CBC }, // Serpent-AES - { { AES, TWOFISH, SERPENT, 0 } , OUTER_CBC }, // Serpent-Twofish-AES - { { SERPENT, TWOFISH, 0 } , OUTER_CBC }, // Twofish-Serpent - { { 0, 0 } , 0 } // (must be null) + // Cipher(s) Modes + { { 0, 0 } , { 0, 0, 0 } }, // Must be all-zero + { { AES, 0 } , { LRW, CBC, 0 } }, + { { BLOWFISH, 0 } , { LRW, CBC, 0 } }, + { { CAST, 0 } , { LRW, CBC, 0 } }, + { { SERPENT, 0 } , { LRW, CBC, 0 } }, + { { TRIPLEDES, 0 } , { LRW, CBC, 0 } }, + { { TWOFISH, 0 } , { LRW, CBC, 0 } }, + { { TWOFISH, AES, 0 } , { LRW, OUTER_CBC, 0 } }, + { { SERPENT, TWOFISH, AES, 0 } , { LRW, OUTER_CBC, 0 } }, + { { AES, SERPENT, 0 } , { LRW, OUTER_CBC, 0 } }, + { { AES, TWOFISH, SERPENT, 0 } , { LRW, OUTER_CBC, 0 } }, + { { SERPENT, TWOFISH, 0 } , { LRW, OUTER_CBC, 0 } }, + { { BLOWFISH, AES, 0 } , { INNER_CBC, 0, 0 } }, + { { SERPENT, BLOWFISH, AES, 0 } , { INNER_CBC, 0, 0 } }, + { { 0, 0 } , { 0, 0, 0 } } // Must be all-zero }; +// Hash algorithms +static Hash Hashes[] = +{ + { RIPEMD160, "RIPEMD-160" }, + { SHA1, "SHA-1" }, + { WHIRLPOOL, "Whirlpool" }, + { 0, 0 } +}; -void CipherInit (int cipher, unsigned char *key, unsigned char *ks) +/* Return values: 0 = success, ERR_CIPHER_INIT_FAILURE (fatal), ERR_CIPHER_INIT_WEAK_KEY (non-fatal) */ +int CipherInit (int cipher, unsigned char *key, unsigned __int8 *ks) { + int retVal = 0; + switch (cipher) { case BLOWFISH: @@ -69,12 +90,24 @@ void CipherInit (int cipher, unsigned ch break; case AES: - aes_encrypt_key(key, CipherGetKeySize(AES), (aes_encrypt_ctx *) ks); - aes_decrypt_key(key, CipherGetKeySize(AES), (aes_decrypt_ctx *) (ks + sizeof(aes_encrypt_ctx))); + if (aes_encrypt_key(key, CipherGetKeySize(AES), (aes_encrypt_ctx *) ks) != EXIT_SUCCESS) + return ERR_CIPHER_INIT_FAILURE; + + if (aes_decrypt_key(key, CipherGetKeySize(AES), (aes_decrypt_ctx *) (ks + sizeof(aes_encrypt_ctx))) != EXIT_SUCCESS) + return ERR_CIPHER_INIT_FAILURE; + break; - case DES56: - des_key_sched ((des_cblock *) key, (struct des_ks_struct *) ks); + case DES56: + /* Included for testing purposes only */ + switch (des_key_sched ((des_cblock *) key, (struct des_ks_struct *) ks)) + { + case -1: + return ERR_CIPHER_INIT_FAILURE; + case -2: + retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error + break; + } break; case CAST: @@ -86,9 +119,37 @@ void CipherInit (int cipher, unsigned ch break; case TRIPLEDES: - des_key_sched ((des_cblock *) key, (struct des_ks_struct *) ks); - des_key_sched ((des_cblock *) ((char*)(key)+8), (struct des_ks_struct *) (ks + CipherGetKeyScheduleSize (DES56))); - des_key_sched ((des_cblock *) ((char*)(key)+16), (struct des_ks_struct *) (ks + CipherGetKeyScheduleSize (DES56) * 2)); + switch (des_key_sched ((des_cblock *) key, (struct des_ks_struct *) ks)) + { + case -1: + return ERR_CIPHER_INIT_FAILURE; + case -2: + retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error + break; + } + switch (des_key_sched ((des_cblock *) ((char*)(key)+8), (struct des_ks_struct *) (ks + CipherGetKeyScheduleSize (DES56)))) + { + case -1: + return ERR_CIPHER_INIT_FAILURE; + case -2: + retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error + break; + } + switch (des_key_sched ((des_cblock *) ((char*)(key)+16), (struct des_ks_struct *) (ks + CipherGetKeyScheduleSize (DES56) * 2))) + { + case -1: + return ERR_CIPHER_INIT_FAILURE; + case -2: + retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error + break; + } + + // Verify whether all three DES keys are mutually different + if (((*((__int64 *) key) ^ *((__int64 *) key+1)) & 0xFEFEFEFEFEFEFEFE) == 0 + || ((*((__int64 *) key+1) ^ *((__int64 *) key+2)) & 0xFEFEFEFEFEFEFEFE) == 0 + || ((*((__int64 *) key) ^ *((__int64 *) key+2)) & 0xFEFEFEFEFEFEFEFE) == 0) + retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error + break; case TWOFISH: @@ -96,13 +157,14 @@ void CipherInit (int cipher, unsigned ch break; } + return retVal; } void EncipherBlock(int cipher, void *data, void *ks) { switch (cipher) { - case BLOWFISH: BF_encrypt (data, ks); break; + case BLOWFISH: BF_ecb_le_encrypt (data, data, ks, 1); break; case AES: aes_encrypt (data, data, ks); break; case DES56: des_encrypt (data, ks, 1); break; case CAST: CAST_ecb_encrypt (data, data, ks, 1); break; @@ -117,7 +179,7 @@ void DecipherBlock(int cipher, void *dat { switch (cipher) { - case BLOWFISH: BF_decrypt (data, ks); break; + case BLOWFISH: BF_ecb_le_encrypt (data, data, ks, 0); break; case AES: aes_decrypt (data, data, (void *) ((char *) ks + sizeof(aes_encrypt_ctx))); break; case DES56: des_encrypt (data, ks, 0); break; case CAST: CAST_ecb_encrypt (data, data, ks,0); break; @@ -188,19 +250,53 @@ int EAGetNext (int previousEA) return 0; } -void EAInit (int ea, unsigned char *key, unsigned char *ks) + +// Return values: 0 = success, ERR_CIPHER_INIT_FAILURE (fatal), ERR_CIPHER_INIT_WEAK_KEY (non-fatal) +int EAInit (int ea, unsigned char *key, unsigned __int8 *ks) { - int i = 0, c; + int c, retVal = 0; for (c = EAGetFirstCipher (ea); c != 0; c = EAGetNextCipher (ea, c)) { - CipherInit (c, key, ks); + switch (CipherInit (c, key, ks)) + { + case ERR_CIPHER_INIT_FAILURE: + return ERR_CIPHER_INIT_FAILURE; + + case ERR_CIPHER_INIT_WEAK_KEY: + retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error + break; + } key += CipherGetKeySize (c); ks += CipherGetKeyScheduleSize (c); } + return retVal; } + +int EAInitMode (PCRYPTO_INFO ci) +{ + switch (ci->mode) + { + case LRW: + switch (CipherGetBlockSize (EAGetFirstCipher (ci->ea))) + { + case 8: + return Gf64TabInit (ci->iv, &ci->gf_ctx); + + case 16: + return Gf128Tab64Init (ci->iv, &ci->gf_ctx); + + default: + return FALSE; + } + } + + return TRUE; +} + + // Returns name of EA, cascaded cipher names are separated by hyphens char *EAGetName (char *buf, int ea) { @@ -216,13 +312,31 @@ char *EAGetName (char *buf, int ea) return buf; } + +int EAGetByName (char *name) +{ + int ea = EAGetFirst (); + char n[128]; + + do + { + EAGetName (n, ea); + if (strcmp (n, name) == 0) + return ea; + } + while (ea = EAGetNext (ea)); + + return 0; +} + + // Returns sum of key sizes of all EA ciphers int EAGetKeySize (int ea) { - int i = EAGetFirstCipher(ea); + int i = EAGetFirstCipher (ea); int size = CipherGetKeySize (i); - while (i = EAGetNextCipher(ea, i)) + while (i = EAGetNextCipher (ea, i)) { size += CipherGetKeySize (i); } @@ -230,44 +344,65 @@ int EAGetKeySize (int ea) return size; } -// Returns the mode of operation of the whole EA -int EAGetMode (int ea) + +// Returns the first mode of operation of EA +int EAGetFirstMode (int ea) { - return (EncryptionAlgorithms[ea].Mode); + return (EncryptionAlgorithms[ea].Modes[0]); } -// Returns the name of the mode of operation of the whole EA -char *EAGetModeName (char *name, int ea, BOOL capitalLetters) + +int EAGetNextMode (int ea, int previousModeId) { - char eaName[100]; + int c, i = 0; + while (c = EncryptionAlgorithms[ea].Modes[i++]) + { + if (c == previousModeId) + return EncryptionAlgorithms[ea].Modes[i]; + } + + return 0; +} + - switch (EncryptionAlgorithms[ea].Mode) +// Returns the name of the mode of operation of the whole EA +char *EAGetModeName (int ea, int mode, BOOL capitalLetters) +{ + switch (mode) { + case LRW: + return "LRW"; + case CBC: - EAGetName (eaName, ea); + { + /* Deprecated/legacy */ - if (strcmp (eaName, "Triple DES") == 0) - sprintf (name, "%s", capitalLetters ? "Outer-CBC" : "outer-CBC"); - else - sprintf (name, "%s", "CBC"); + char eaName[100]; + EAGetName (eaName, ea); - break; + if (strcmp (eaName, "Triple DES") == 0) + return capitalLetters ? "Outer-CBC" : "outer-CBC"; + + return "CBC"; + } case OUTER_CBC: - strcpy (name, capitalLetters ? "Outer-CBC" : "outer-CBC"); - break; + + /* Deprecated/legacy */ + + return capitalLetters ? "Outer-CBC" : "outer-CBC"; case INNER_CBC: - strcpy (name, capitalLetters ? "Inner-CBC" : "inner-CBC"); - break; - default: - strcpy (name, "[unknown]"); - break; + /* Deprecated/legacy */ + + return capitalLetters ? "Inner-CBC" : "inner-CBC"; + } - return name; + return "[unknown]"; } + // Returns sum of key schedule sizes of all EA ciphers int EAGetKeyScheduleSize (int ea) { @@ -282,6 +417,7 @@ int EAGetKeyScheduleSize (int ea) return size; } + // Returns largest key needed by all EAs int EAGetLargestKey () { @@ -296,6 +432,7 @@ int EAGetLargestKey () return key; } + // Returns number of ciphers in EA int EAGetCipherCount (int ea) { @@ -311,6 +448,7 @@ int EAGetFirstCipher (int ea) return EncryptionAlgorithms[ea].Ciphers[0]; } + int EAGetLastCipher (int ea) { int c, i = 0; @@ -319,6 +457,7 @@ int EAGetLastCipher (int ea) return EncryptionAlgorithms[ea].Ciphers[i - 2]; } + int EAGetNextCipher (int ea, int previousCipherId) { int c, i = 0; @@ -331,6 +470,7 @@ int EAGetNextCipher (int ea, int previou return 0; } + int EAGetPreviousCipher (int ea, int previousCipherId) { int c, i = 0; @@ -348,28 +488,46 @@ int EAGetPreviousCipher (int ea, int pre } -// Hash support functions +Hash *HashGet (int id) +{ + int i; + for (i = 0; Hashes[i].Id != 0; i++) + if (Hashes[i].Id == id) + return &Hashes[i]; + + return 0; +} + -char * get_hash_name (int pkcs5) +int HashGetIdByName (char *name) { - switch (pkcs5) - { - case SHA1: return "HMAC-SHA-1"; - case RIPEMD160: return "HMAC-RIPEMD-160"; - default: return "Unknown"; - } + int i; + for (i = 0; Hashes[i].Id != 0; i++) + if (strcmp (Hashes[i].Name, name) == 0) + return Hashes[i].Id; + + return 0; } +char *HashGetName (int hashId) +{ + return HashGet (hashId) -> Name; +} + PCRYPTO_INFO crypto_open () { /* Do the crt allocation */ - PCRYPTO_INFO cryptoInfo = TCalloc (sizeof (CRYPTO_INFO)); + PCRYPTO_INFO cryptoInfo = (PCRYPTO_INFO) TCalloc (sizeof (CRYPTO_INFO)); + memset (cryptoInfo, 0, sizeof (CRYPTO_INFO)); + #ifndef DEVICE_DRIVER +#ifdef _WIN32 VirtualLock (cryptoInfo, sizeof (CRYPTO_INFO)); #endif +#endif if (cryptoInfo == NULL) return NULL; @@ -389,31 +547,82 @@ crypto_loadkey (PKEY_INFO keyInfo, char void crypto_close (PCRYPTO_INFO cryptoInfo) { - burn (cryptoInfo, sizeof (CRYPTO_INFO)); + if (cryptoInfo != NULL) + { + burn (cryptoInfo, sizeof (CRYPTO_INFO)); #ifndef DEVICE_DRIVER - VirtualUnlock (cryptoInfo, sizeof (CRYPTO_INFO)); +#ifdef _WIN32 + VirtualUnlock (cryptoInfo, sizeof (CRYPTO_INFO)); +#endif #endif - TCfree (cryptoInfo); + TCfree (cryptoInfo); + } } -// Initializes IV and whitening values for sector encryption/decryption +// Detect weak and potentially weak secondary LRW keys. +// Remark: These tests reduce the key search space by approximately 0.001% +BOOL DetectWeakSecondaryKey (unsigned char *key, int len) +{ +#define LRW_MAX_SUCCESSIVE_IDENTICAL_BITS 24 +#define LRW_MIN_HAMMING_WEIGHT_16 39 +#define LRW_MIN_HAMMING_WEIGHT_8 15 + + int minWeight = (len == 16 ? LRW_MIN_HAMMING_WEIGHT_16 : LRW_MIN_HAMMING_WEIGHT_8); + int i, b, zero = 0, one = 0, zeroTotal = 0, oneTotal = 0; + + for (i = 0; i < len; i++) + { + for (b = 7; b >= 0; b--) + { + if ((key[i] & (1 << b)) == 0) + { + zeroTotal++; + zero++; + one = 0; + } + else + { + oneTotal++; + one++; + zero = 0; + } + + // Maximum number of consecutive identical bit values + if (one >= LRW_MAX_SUCCESSIVE_IDENTICAL_BITS || zero >= LRW_MAX_SUCCESSIVE_IDENTICAL_BITS) + return TRUE; + } + } + + // Minimum and maximum Hamming weight + if (zeroTotal < minWeight || oneTotal < minWeight) + return TRUE; + + return FALSE; +} + + +// Initializes IV and whitening values for sector encryption/decryption in CBC mode. +// IMPORTANT: This function has been deprecated (legacy). static void InitSectorIVAndWhitening (unsigned __int64 secNo, int blockSize, - unsigned long *iv, + unsigned __int32 *iv, unsigned __int64 *ivSeed, - unsigned long *whitening) + unsigned __int32 *whitening) { + + /* IMPORTANT: This function has been deprecated (legacy) */ + unsigned __int64 iv64[4]; - unsigned long *iv32 = (unsigned long *) iv64; + unsigned __int32 *iv32 = (unsigned __int32 *) iv64; - iv64[0] = ivSeed[0] ^ secNo; - iv64[1] = ivSeed[1] ^ secNo; - iv64[2] = ivSeed[2] ^ secNo; + iv64[0] = ivSeed[0] ^ LE64(secNo); + iv64[1] = ivSeed[1] ^ LE64(secNo); + iv64[2] = ivSeed[2] ^ LE64(secNo); if (blockSize == 16) { - iv64[3] = ivSeed[3] ^ secNo; + iv64[3] = ivSeed[3] ^ LE64(secNo); } iv[0] = iv32[0]; @@ -428,22 +637,22 @@ InitSectorIVAndWhitening (unsigned __int iv[2] = iv32[2]; iv[3] = iv32[3]; - whitening[0] = crc32long ( &iv32[4] ) ^ crc32long ( &iv32[7] ); - whitening[1] = crc32long ( &iv32[5] ) ^ crc32long ( &iv32[6] ); + whitening[0] = LE32( crc32int ( &iv32[4] ) ^ crc32int ( &iv32[7] ) ); + whitening[1] = LE32( crc32int ( &iv32[5] ) ^ crc32int ( &iv32[6] ) ); break; case 8: // 64-bit block - whitening[0] = crc32long ( &iv32[2] ) ^ crc32long ( &iv32[5] ); - whitening[1] = crc32long ( &iv32[3] ) ^ crc32long ( &iv32[4] ); + whitening[0] = LE32( crc32int ( &iv32[2] ) ^ crc32int ( &iv32[5] ) ); + whitening[1] = LE32( crc32int ( &iv32[3] ) ^ crc32int ( &iv32[4] ) ); break; } } -// EncryptBufferCBC +// EncryptBufferCBC (deprecated/legacy) // // data: data to be encrypted // len: number of bytes to encrypt (must be divisible by the largest cipher block size) @@ -454,15 +663,17 @@ InitSectorIVAndWhitening (unsigned __int // cipher: CBC/inner-CBC cipher ID (0 = outer-CBC) static void -EncryptBufferCBC (unsigned long *data, - unsigned __int64 len, - unsigned char *ks, - unsigned long *iv, - unsigned long *whitening, +EncryptBufferCBC (unsigned __int32 *data, + unsigned int len, + unsigned __int8 *ks, + unsigned __int32 *iv, + unsigned __int32 *whitening, int ea, int cipher) { - unsigned long bufIV[4]; + /* IMPORTANT: This function has been deprecated (legacy) */ + + unsigned __int32 bufIV[4]; unsigned __int64 i; int blockSize = CipherGetBlockSize (ea != 0 ? EAGetFirstCipher (ea) : cipher); @@ -521,12 +732,12 @@ EncryptBufferCBC (unsigned long *data, data[3] ^= whitening[1]; } - data += blockSize / sizeof(data); + data += blockSize / sizeof(*data); } } -// DecryptBufferCBC +// DecryptBufferCBC (deprecated/legacy) // // data: data to be decrypted // len: number of bytes to decrypt (must be divisible by the largest cipher block size) @@ -537,17 +748,20 @@ EncryptBufferCBC (unsigned long *data, // cipher: CBC/inner-CBC cipher ID (0 = outer-CBC) static void -DecryptBufferCBC (unsigned long *data, - unsigned __int64 len, - unsigned char *ks, - unsigned long *iv, - unsigned long *whitening, +DecryptBufferCBC (unsigned __int32 *data, + unsigned int len, + unsigned __int8 *ks, + unsigned __int32 *iv, + unsigned __int32 *whitening, int ea, int cipher) { - unsigned long bufIV[4]; + + /* IMPORTANT: This function has been deprecated (legacy) */ + + unsigned __int32 bufIV[4]; unsigned __int64 i; - unsigned long ct[4]; + unsigned __int32 ct[4]; int blockSize = CipherGetBlockSize (ea != 0 ? EAGetFirstCipher (ea) : cipher); // IV @@ -609,8 +823,187 @@ DecryptBufferCBC (unsigned long *data, bufIV[3] = ct[3]; } - data += blockSize / sizeof(data); + data += blockSize / sizeof(*data); + } +} + + +void Xor128 (unsigned __int64 *a, unsigned __int64 *b) +{ + *a++ ^= *b++; + *a ^= *b; +} + + +void Xor64 (unsigned __int64 *a, unsigned __int64 *b) +{ + *a ^= *b; +} + + +void EncryptBufferLRW128 (unsigned __int8 *plainText, unsigned int length, unsigned __int64 blockIndex, PCRYPTO_INFO cryptoInfo) +{ + int cipher = EAGetFirstCipher (cryptoInfo->ea); + int cipherCount = EAGetCipherCount (cryptoInfo->ea); + unsigned __int8 *p = plainText; + unsigned __int8 *ks = cryptoInfo->ks; + unsigned __int8 i[8]; + unsigned __int8 t[16]; + unsigned int b; + + *(unsigned __int64 *)i = BE64(blockIndex); + + // Note that the maximum supported volume size is 8589934592 GB (i.e., 2^63 bytes). + + for (b = 0; b < length >> 4; b++) + { + Gf128MulBy64Tab (i, t, &cryptoInfo->gf_ctx); + Xor128 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + if (cipherCount > 1) + { + // Cipher cascade + for (cipher = EAGetFirstCipher (cryptoInfo->ea); + cipher != 0; + cipher = EAGetNextCipher (cryptoInfo->ea, cipher)) + { + EncipherBlock (cipher, p, ks); + ks += CipherGetKeyScheduleSize (cipher); + } + ks = cryptoInfo->ks; + } + else + { + EncipherBlock (cipher, p, ks); + } + + Xor128 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + p += 16; + + if (i[7] != 0xff) + i[7]++; + else + *(unsigned __int64 *)i = BE64 ( BE64(*(unsigned __int64 *)i) + 1 ); } + + memset (t, 0, sizeof (t)); +} + + +void EncryptBufferLRW64 (unsigned __int8 *plainText, unsigned int length, unsigned __int64 blockIndex, PCRYPTO_INFO cryptoInfo) +{ + int cipher = EAGetFirstCipher (cryptoInfo->ea); + unsigned __int8 *p = plainText; + unsigned __int8 *ks = cryptoInfo->ks; + unsigned __int8 i[8]; + unsigned __int8 t[8]; + unsigned int b; + + *(unsigned __int64 *)i = BE64(blockIndex); + + for (b = 0; b < length >> 3; b++) + { + Gf64MulTab (i, t, &cryptoInfo->gf_ctx); + Xor64 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + EncipherBlock (cipher, p, ks); + + Xor64 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + p += 8; + + if (i[7] != 0xff) + i[7]++; + else + *(unsigned __int64 *)i = BE64 ( BE64(*(unsigned __int64 *)i) + 1 ); + } + + memset (t, 0, sizeof (t)); +} + + +void DecryptBufferLRW128 (unsigned __int8 *plainText, int length, unsigned __int64 blockIndex, PCRYPTO_INFO cryptoInfo) +{ + int cipher = EAGetFirstCipher (cryptoInfo->ea); + int cipherCount = EAGetCipherCount (cryptoInfo->ea); + unsigned __int8 *p = plainText; + unsigned __int8 *ks = cryptoInfo->ks; + unsigned __int8 i[8]; + unsigned __int8 t[16]; + int b; + + *(unsigned __int64 *)i = BE64(blockIndex); + + // Note that the maximum supported volume size is 8589934592 GB (i.e., 2^63 bytes). + + for (b = 0; b < length >> 4; b++) + { + Gf128MulBy64Tab (i, t, &cryptoInfo->gf_ctx); + Xor128 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + if (cipherCount > 1) + { + // Cipher cascade + ks = cryptoInfo->ks + EAGetKeyScheduleSize (cryptoInfo->ea); + + for (cipher = EAGetLastCipher (cryptoInfo->ea); + cipher != 0; + cipher = EAGetPreviousCipher (cryptoInfo->ea, cipher)) + { + ks -= CipherGetKeyScheduleSize (cipher); + DecipherBlock (cipher, p, ks); + } + } + else + { + DecipherBlock (cipher, p, ks); + } + + Xor128 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + p += 16; + + if (i[7] != 0xff) + i[7]++; + else + *(unsigned __int64 *)i = BE64 ( BE64(*(unsigned __int64 *)i) + 1 ); + } + + memset (t, 0, sizeof (t)); +} + + + +void DecryptBufferLRW64 (unsigned __int8 *plainText, int length, unsigned __int64 blockIndex, PCRYPTO_INFO cryptoInfo) +{ + int cipher = EAGetFirstCipher (cryptoInfo->ea); + unsigned __int8 *p = plainText; + unsigned __int8 *ks = cryptoInfo->ks; + unsigned __int8 i[8]; + unsigned __int8 t[8]; + int b; + + *(unsigned __int64 *)i = BE64(blockIndex); + + for (b = 0; b < length >> 3; b++) + { + Gf64MulTab (i, t, &cryptoInfo->gf_ctx); + Xor64 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + DecipherBlock (cipher, p, ks); + + Xor64 ((unsigned __int64 *)p, (unsigned __int64 *)t); + + p += 8; + + if (i[7] != 0xff) + i[7]++; + else + *(unsigned __int64 *)i = BE64 ( BE64(*(unsigned __int64 *)i) + 1 ); + } + + memset (t, 0, sizeof (t)); } @@ -619,56 +1012,90 @@ DecryptBufferCBC (unsigned long *data, // buf: data to be encrypted // len: number of bytes to encrypt; must be divisible by the block size (for cascaded // ciphers divisible by the largest block size used within the cascade) -// ks: scheduled key -// iv: IV -// whitening: whitening constants -// ea: encryption algorithm void -EncryptBuffer (unsigned long *buf, +EncryptBuffer (unsigned __int32 *buf, unsigned __int64 len, - unsigned char *ks, - void *iv, - void *whitening, - int ea) + PCRYPTO_INFO cryptoInfo) { - unsigned __int64 *iv64 = (unsigned __int64 *) iv; - int cipher; - switch (EAGetMode(ea)) + switch (cryptoInfo->mode) { + case LRW: + switch (CipherGetBlockSize (EAGetFirstCipher (cryptoInfo->ea))) + { + case 8: + EncryptBufferLRW64 ((unsigned __int8 *)buf, (unsigned int) len, 1, cryptoInfo); + break; + + case 16: + EncryptBufferLRW128 ((unsigned __int8 *)buf, (unsigned int) len, 1, cryptoInfo); + break; + } + break; + case CBC: case INNER_CBC: - - for (cipher = EAGetFirstCipher (ea); cipher != 0; cipher = EAGetNextCipher (ea, cipher)) { - EncryptBufferCBC (buf, - len, - ks, - (unsigned long *) iv, - (unsigned long *) whitening, - 0, - cipher); + /* Deprecated/legacy */ - ks += CipherGetKeyScheduleSize (cipher); - } + unsigned __int8 *ks = cryptoInfo->ks; + int cipher; + for (cipher = EAGetFirstCipher (cryptoInfo->ea); + cipher != 0; + cipher = EAGetNextCipher (cryptoInfo->ea, cipher)) + { + EncryptBufferCBC (buf, + (unsigned int) len, + ks, + (unsigned __int32 *) cryptoInfo->iv, + (unsigned __int32 *) &cryptoInfo->iv[8], + 0, + cipher); + ks += CipherGetKeyScheduleSize (cipher); + } + } break; case OUTER_CBC: + /* Deprecated/legacy */ + EncryptBufferCBC (buf, - len, - ks, - (unsigned long *) iv, - (unsigned long *) whitening, - ea, + (unsigned int) len, + cryptoInfo->ks, + (unsigned __int32 *) cryptoInfo->iv, + (unsigned __int32 *) &cryptoInfo->iv[8], + cryptoInfo->ea, 0); break; } } +// Convert sector number to the index of the first LRW block in the sector. +// Note that the maximum supported volume size is 8589934592 GB (i.e., 2^63 bytes). +unsigned __int64 LRWSector2Index (unsigned __int64 sector, int blockSize, PCRYPTO_INFO ci) +{ + if (ci->hiddenVolume) + sector -= ci->hiddenVolumeOffset / SECTOR_SIZE; + else + sector -= HEADER_SIZE / SECTOR_SIZE; // Compensate for the volume header size + + switch (blockSize) + { + case 8: + return (sector << 6) | 1; + + case 16: + return (sector << 5) | 1; + } + + return 0; +} + + // EncryptSectors // // buf: data to be encrypted @@ -679,23 +1106,47 @@ EncryptBuffer (unsigned long *buf, // ea: encryption algorithm void _cdecl -EncryptSectors (unsigned long *buf, +EncryptSectors (unsigned __int32 *buf, unsigned __int64 secNo, unsigned __int64 noSectors, - unsigned char *ks, - void *iv, - int ea) -{ - unsigned __int64 *iv64 = (unsigned __int64 *) iv; - unsigned long sectorIV[4]; - unsigned long secWhitening[2]; + PCRYPTO_INFO ci) +{ + int ea = ci->ea; + void *iv = ci->iv; // Deprecated/legacy + unsigned __int8 *ks = ci->ks; + unsigned __int64 *iv64 = (unsigned __int64 *) iv; // Deprecated/legacy + unsigned __int32 sectorIV[4]; // Deprecated/legacy + unsigned __int32 secWhitening[2]; // Deprecated/legacy int cipher; - switch (EAGetMode(ea)) + switch (ci->mode) { + case LRW: + { + switch (CipherGetBlockSize (EAGetFirstCipher (ea))) + { + case 8: + EncryptBufferLRW64 ((unsigned __int8 *)buf, + (unsigned int) noSectors * SECTOR_SIZE, + LRWSector2Index (secNo, 8, ci), + ci); + break; + + case 16: + EncryptBufferLRW128 ((unsigned __int8 *)buf, + (unsigned int) noSectors * SECTOR_SIZE, + LRWSector2Index (secNo, 16, ci), + ci); + break; + } + } + break; + case CBC: case INNER_CBC: + /* Deprecated/legacy */ + while (noSectors--) { for (cipher = EAGetFirstCipher (ea); cipher != 0; cipher = EAGetNextCipher (ea, cipher)) @@ -713,13 +1164,15 @@ EncryptSectors (unsigned long *buf, ks += CipherGetKeyScheduleSize (cipher); } ks -= EAGetKeyScheduleSize (ea); - buf += SECTOR_SIZE / sizeof(buf); + buf += SECTOR_SIZE / sizeof(*buf); secNo++; } break; case OUTER_CBC: + /* Deprecated/legacy */ + while (noSectors--) { InitSectorIVAndWhitening (secNo, CipherGetBlockSize (EAGetFirstCipher (ea)), sectorIV, iv64, secWhitening); @@ -732,7 +1185,7 @@ EncryptSectors (unsigned long *buf, ea, 0); - buf += SECTOR_SIZE / sizeof(buf); + buf += SECTOR_SIZE / sizeof(*buf); secNo++; } break; @@ -744,49 +1197,61 @@ EncryptSectors (unsigned long *buf, // buf: data to be decrypted // len: number of bytes to decrypt; must be divisible by the block size (for cascaded // ciphers divisible by the largest block size used within the cascade) -// ks: scheduled key -// iv: IV -// whitening: whitening constants -// ea: encryption algorithm void -DecryptBuffer (unsigned long *buf, +DecryptBuffer (unsigned __int32 *buf, unsigned __int64 len, - unsigned char *ks, - void *iv, - void *whitening, - int ea) + PCRYPTO_INFO cryptoInfo) { - unsigned __int64 *iv64 = (unsigned __int64 *) iv; - int cipher; - - switch (EAGetMode(ea)) + switch (cryptoInfo->mode) { + case LRW: + switch (CipherGetBlockSize (EAGetFirstCipher (cryptoInfo->ea))) + { + case 8: + DecryptBufferLRW64 ((unsigned __int8 *)buf, (unsigned int) len, 1, cryptoInfo); + break; + + case 16: + DecryptBufferLRW128 ((unsigned __int8 *)buf, (unsigned int) len, 1, cryptoInfo); + break; + } + break; + case CBC: case INNER_CBC: - - ks += EAGetKeyScheduleSize (ea); - for (cipher = EAGetLastCipher (ea); cipher != 0; cipher = EAGetPreviousCipher (ea, cipher)) { - ks -= CipherGetKeyScheduleSize (cipher); - DecryptBufferCBC (buf, - len, - ks, - (unsigned long *) iv, - (unsigned long *) whitening, - 0, - cipher); + /* Deprecated/legacy */ + + unsigned __int8 *ks = cryptoInfo->ks + EAGetKeyScheduleSize (cryptoInfo->ea); + int cipher; + for (cipher = EAGetLastCipher (cryptoInfo->ea); + cipher != 0; + cipher = EAGetPreviousCipher (cryptoInfo->ea, cipher)) + { + ks -= CipherGetKeyScheduleSize (cipher); + + DecryptBufferCBC (buf, + (unsigned int) len, + ks, + (unsigned __int32 *) cryptoInfo->iv, + (unsigned __int32 *) &cryptoInfo->iv[8], + 0, + cipher); + } } break; case OUTER_CBC: + /* Deprecated/legacy */ + DecryptBufferCBC (buf, - len, - ks, - (unsigned long *) iv, - (unsigned long *) whitening, - ea, + (unsigned int) len, + cryptoInfo->ks, + (unsigned __int32 *) cryptoInfo->iv, + (unsigned __int32 *) &cryptoInfo->iv[8], + cryptoInfo->ea, 0); break; @@ -803,23 +1268,48 @@ DecryptBuffer (unsigned long *buf, // ea: encryption algorithm void _cdecl -DecryptSectors (unsigned long *buf, +DecryptSectors (unsigned __int32 *buf, unsigned __int64 secNo, unsigned __int64 noSectors, - unsigned char *ks, - void *iv, - int ea) -{ - unsigned __int64 *iv64 = (unsigned __int64 *) iv; - unsigned long sectorIV[4]; - unsigned long secWhitening[2]; + PCRYPTO_INFO ci +) +{ + int ea = ci->ea; + void *iv = ci->iv; // Deprecated/legacy + unsigned __int8 *ks = ci->ks; + unsigned __int64 *iv64 = (unsigned __int64 *) iv; // Deprecated/legacy + unsigned __int32 sectorIV[4]; // Deprecated/legacy + unsigned __int32 secWhitening[2]; // Deprecated/legacy int cipher; - switch (EAGetMode(ea)) + switch (ci->mode) { + case LRW: + { + switch (CipherGetBlockSize (EAGetFirstCipher (ea))) + { + case 8: + DecryptBufferLRW64 ((unsigned __int8 *)buf, + (unsigned int) noSectors * SECTOR_SIZE, + LRWSector2Index (secNo, 8, ci), + ci); + break; + + case 16: + DecryptBufferLRW128 ((unsigned __int8 *)buf, + (unsigned int) noSectors * SECTOR_SIZE, + LRWSector2Index (secNo, 16, ci), + ci); + break; + } + } + break; + case CBC: case INNER_CBC: + /* Deprecated/legacy */ + while (noSectors--) { ks += EAGetKeyScheduleSize (ea); @@ -837,13 +1327,15 @@ DecryptSectors (unsigned long *buf, 0, cipher); } - buf += SECTOR_SIZE / sizeof(buf); + buf += SECTOR_SIZE / sizeof(*buf); secNo++; } break; case OUTER_CBC: + /* Deprecated/legacy */ + while (noSectors--) { InitSectorIVAndWhitening (secNo, CipherGetBlockSize (EAGetFirstCipher (ea)), sectorIV, iv64, secWhitening); @@ -856,7 +1348,7 @@ DecryptSectors (unsigned long *buf, ea, 0); - buf += SECTOR_SIZE / sizeof(buf); + buf += SECTOR_SIZE / sizeof(*buf); secNo++; } break;