xform.c revision 143423
1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * 21 * Copyright (C) 2001, Angelos D. Keromytis. 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39#include <sys/cdefs.h> 40__FBSDID("$FreeBSD: head/sys/opencrypto/xform.c 143423 2005-03-11 17:24:46Z ume $"); 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/sysctl.h> 46#include <sys/errno.h> 47#include <sys/time.h> 48#include <sys/kernel.h> 49#include <machine/cpu.h> 50 51#include <crypto/blowfish/blowfish.h> 52#include <crypto/des/des.h> 53#include <crypto/rijndael/rijndael.h> 54#include <crypto/sha1.h> 55 56#include <opencrypto/cast.h> 57#include <opencrypto/deflate.h> 58#include <opencrypto/rmd160.h> 59#include <opencrypto/skipjack.h> 60 61#include <sys/md5.h> 62 63#include <opencrypto/cryptodev.h> 64#include <opencrypto/xform.h> 65 66static void null_encrypt(caddr_t, u_int8_t *); 67static void null_decrypt(caddr_t, u_int8_t *); 68static int null_setkey(u_int8_t **, u_int8_t *, int); 69static void null_zerokey(u_int8_t **); 70 71static int des1_setkey(u_int8_t **, u_int8_t *, int); 72static int des3_setkey(u_int8_t **, u_int8_t *, int); 73static int blf_setkey(u_int8_t **, u_int8_t *, int); 74static int cast5_setkey(u_int8_t **, u_int8_t *, int); 75static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 76static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 77static void des1_encrypt(caddr_t, u_int8_t *); 78static void des3_encrypt(caddr_t, u_int8_t *); 79static void blf_encrypt(caddr_t, u_int8_t *); 80static void cast5_encrypt(caddr_t, u_int8_t *); 81static void skipjack_encrypt(caddr_t, u_int8_t *); 82static void rijndael128_encrypt(caddr_t, u_int8_t *); 83static void des1_decrypt(caddr_t, u_int8_t *); 84static void des3_decrypt(caddr_t, u_int8_t *); 85static void blf_decrypt(caddr_t, u_int8_t *); 86static void cast5_decrypt(caddr_t, u_int8_t *); 87static void skipjack_decrypt(caddr_t, u_int8_t *); 88static void rijndael128_decrypt(caddr_t, u_int8_t *); 89static void des1_zerokey(u_int8_t **); 90static void des3_zerokey(u_int8_t **); 91static void blf_zerokey(u_int8_t **); 92static void cast5_zerokey(u_int8_t **); 93static void skipjack_zerokey(u_int8_t **); 94static void rijndael128_zerokey(u_int8_t **); 95 96static void null_init(void *); 97static int null_update(void *, u_int8_t *, u_int16_t); 98static void null_final(u_int8_t *, void *); 99static int MD5Update_int(void *, u_int8_t *, u_int16_t); 100static void SHA1Init_int(void *); 101static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 102static void SHA1Final_int(u_int8_t *, void *); 103static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 104static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 105static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 106static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 107 108static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 109static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 110 111MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 112 113/* Encryption instances */ 114struct enc_xform enc_xform_null = { 115 CRYPTO_NULL_CBC, "NULL", 116 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 117 4, 0, 256, /* 2048 bits, max key */ 118 null_encrypt, 119 null_decrypt, 120 null_setkey, 121 null_zerokey, 122}; 123 124struct enc_xform enc_xform_des = { 125 CRYPTO_DES_CBC, "DES", 126 8, 8, 8, 127 des1_encrypt, 128 des1_decrypt, 129 des1_setkey, 130 des1_zerokey, 131}; 132 133struct enc_xform enc_xform_3des = { 134 CRYPTO_3DES_CBC, "3DES", 135 8, 24, 24, 136 des3_encrypt, 137 des3_decrypt, 138 des3_setkey, 139 des3_zerokey 140}; 141 142struct enc_xform enc_xform_blf = { 143 CRYPTO_BLF_CBC, "Blowfish", 144 8, 5, 56 /* 448 bits, max key */, 145 blf_encrypt, 146 blf_decrypt, 147 blf_setkey, 148 blf_zerokey 149}; 150 151struct enc_xform enc_xform_cast5 = { 152 CRYPTO_CAST_CBC, "CAST-128", 153 8, 5, 16, 154 cast5_encrypt, 155 cast5_decrypt, 156 cast5_setkey, 157 cast5_zerokey 158}; 159 160struct enc_xform enc_xform_skipjack = { 161 CRYPTO_SKIPJACK_CBC, "Skipjack", 162 8, 10, 10, 163 skipjack_encrypt, 164 skipjack_decrypt, 165 skipjack_setkey, 166 skipjack_zerokey 167}; 168 169struct enc_xform enc_xform_rijndael128 = { 170 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 171 16, 8, 32, 172 rijndael128_encrypt, 173 rijndael128_decrypt, 174 rijndael128_setkey, 175 rijndael128_zerokey, 176}; 177 178struct enc_xform enc_xform_arc4 = { 179 CRYPTO_ARC4, "ARC4", 180 1, 1, 32, 181 NULL, 182 NULL, 183 NULL, 184 NULL, 185}; 186 187/* Authentication instances */ 188struct auth_hash auth_hash_null = { 189 CRYPTO_NULL_HMAC, "NULL-HMAC", 190 0, 0, 12, sizeof(int), /* NB: context isn't used */ 191 null_init, null_update, null_final 192}; 193 194struct auth_hash auth_hash_hmac_md5_96 = { 195 CRYPTO_MD5_HMAC, "HMAC-MD5", 196 16, 16, 12, sizeof(MD5_CTX), 197 (void (*) (void *)) MD5Init, MD5Update_int, 198 (void (*) (u_int8_t *, void *)) MD5Final 199}; 200 201struct auth_hash auth_hash_hmac_sha1_96 = { 202 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 203 20, 20, 12, sizeof(SHA1_CTX), 204 SHA1Init_int, SHA1Update_int, SHA1Final_int 205}; 206 207struct auth_hash auth_hash_hmac_ripemd_160_96 = { 208 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 209 20, 20, 12, sizeof(RMD160_CTX), 210 (void (*)(void *)) RMD160Init, RMD160Update_int, 211 (void (*)(u_int8_t *, void *)) RMD160Final 212}; 213 214struct auth_hash auth_hash_key_md5 = { 215 CRYPTO_MD5_KPDK, "Keyed MD5", 216 0, 16, 12, sizeof(MD5_CTX), 217 (void (*)(void *)) MD5Init, MD5Update_int, 218 (void (*)(u_int8_t *, void *)) MD5Final 219}; 220 221struct auth_hash auth_hash_key_sha1 = { 222 CRYPTO_SHA1_KPDK, "Keyed SHA1", 223 0, 20, 12, sizeof(SHA1_CTX), 224 SHA1Init_int, SHA1Update_int, SHA1Final_int 225}; 226 227struct auth_hash auth_hash_hmac_sha2_256 = { 228 CRYPTO_SHA2_HMAC, "HMAC-SHA2", 229 32, 32, 12, sizeof(SHA256_CTX), 230 (void (*)(void *)) SHA256_Init, SHA256Update_int, 231 (void (*)(u_int8_t *, void *)) SHA256_Final 232}; 233 234struct auth_hash auth_hash_hmac_sha2_384 = { 235 CRYPTO_SHA2_HMAC, "HMAC-SHA2-384", 236 48, 48, 12, sizeof(SHA384_CTX), 237 (void (*)(void *)) SHA384_Init, SHA384Update_int, 238 (void (*)(u_int8_t *, void *)) SHA384_Final 239}; 240 241struct auth_hash auth_hash_hmac_sha2_512 = { 242 CRYPTO_SHA2_HMAC, "HMAC-SHA2-512", 243 64, 64, 12, sizeof(SHA512_CTX), 244 (void (*)(void *)) SHA512_Init, SHA512Update_int, 245 (void (*)(u_int8_t *, void *)) SHA512_Final 246}; 247 248/* Compression instance */ 249struct comp_algo comp_algo_deflate = { 250 CRYPTO_DEFLATE_COMP, "Deflate", 251 90, deflate_compress, 252 deflate_decompress 253}; 254 255/* 256 * Encryption wrapper routines. 257 */ 258static void 259null_encrypt(caddr_t key, u_int8_t *blk) 260{ 261} 262static void 263null_decrypt(caddr_t key, u_int8_t *blk) 264{ 265} 266static int 267null_setkey(u_int8_t **sched, u_int8_t *key, int len) 268{ 269 *sched = NULL; 270 return 0; 271} 272static void 273null_zerokey(u_int8_t **sched) 274{ 275 *sched = NULL; 276} 277 278static void 279des1_encrypt(caddr_t key, u_int8_t *blk) 280{ 281 des_cblock *cb = (des_cblock *) blk; 282 des_key_schedule *p = (des_key_schedule *) key; 283 284 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 285} 286 287static void 288des1_decrypt(caddr_t key, u_int8_t *blk) 289{ 290 des_cblock *cb = (des_cblock *) blk; 291 des_key_schedule *p = (des_key_schedule *) key; 292 293 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 294} 295 296static int 297des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 298{ 299 des_key_schedule *p; 300 int err; 301 302 MALLOC(p, des_key_schedule *, sizeof (des_key_schedule), 303 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 304 if (p != NULL) { 305 des_set_key((des_cblock *) key, p[0]); 306 err = 0; 307 } else 308 err = ENOMEM; 309 *sched = (u_int8_t *) p; 310 return err; 311} 312 313static void 314des1_zerokey(u_int8_t **sched) 315{ 316 bzero(*sched, sizeof (des_key_schedule)); 317 FREE(*sched, M_CRYPTO_DATA); 318 *sched = NULL; 319} 320 321static void 322des3_encrypt(caddr_t key, u_int8_t *blk) 323{ 324 des_cblock *cb = (des_cblock *) blk; 325 des_key_schedule *p = (des_key_schedule *) key; 326 327 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 328} 329 330static void 331des3_decrypt(caddr_t key, u_int8_t *blk) 332{ 333 des_cblock *cb = (des_cblock *) blk; 334 des_key_schedule *p = (des_key_schedule *) key; 335 336 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 337} 338 339static int 340des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 341{ 342 des_key_schedule *p; 343 int err; 344 345 MALLOC(p, des_key_schedule *, 3*sizeof (des_key_schedule), 346 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 347 if (p != NULL) { 348 des_set_key((des_cblock *)(key + 0), p[0]); 349 des_set_key((des_cblock *)(key + 8), p[1]); 350 des_set_key((des_cblock *)(key + 16), p[2]); 351 err = 0; 352 } else 353 err = ENOMEM; 354 *sched = (u_int8_t *) p; 355 return err; 356} 357 358static void 359des3_zerokey(u_int8_t **sched) 360{ 361 bzero(*sched, 3*sizeof (des_key_schedule)); 362 FREE(*sched, M_CRYPTO_DATA); 363 *sched = NULL; 364} 365 366static void 367blf_encrypt(caddr_t key, u_int8_t *blk) 368{ 369 BF_LONG t[2]; 370 371 memcpy(t, blk, sizeof (t)); 372 t[0] = ntohl(t[0]); 373 t[1] = ntohl(t[1]); 374 /* NB: BF_encrypt expects the block in host order! */ 375 BF_encrypt(t, (BF_KEY *) key); 376 t[0] = htonl(t[0]); 377 t[1] = htonl(t[1]); 378 memcpy(blk, t, sizeof (t)); 379} 380 381static void 382blf_decrypt(caddr_t key, u_int8_t *blk) 383{ 384 BF_LONG t[2]; 385 386 memcpy(t, blk, sizeof (t)); 387 t[0] = ntohl(t[0]); 388 t[1] = ntohl(t[1]); 389 /* NB: BF_decrypt expects the block in host order! */ 390 BF_decrypt(t, (BF_KEY *) key); 391 t[0] = htonl(t[0]); 392 t[1] = htonl(t[1]); 393 memcpy(blk, t, sizeof (t)); 394} 395 396static int 397blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 398{ 399 int err; 400 401 MALLOC(*sched, u_int8_t *, sizeof(BF_KEY), 402 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 403 if (*sched != NULL) { 404 BF_set_key((BF_KEY *) *sched, len, key); 405 err = 0; 406 } else 407 err = ENOMEM; 408 return err; 409} 410 411static void 412blf_zerokey(u_int8_t **sched) 413{ 414 bzero(*sched, sizeof(BF_KEY)); 415 FREE(*sched, M_CRYPTO_DATA); 416 *sched = NULL; 417} 418 419static void 420cast5_encrypt(caddr_t key, u_int8_t *blk) 421{ 422 cast_encrypt((cast_key *) key, blk, blk); 423} 424 425static void 426cast5_decrypt(caddr_t key, u_int8_t *blk) 427{ 428 cast_decrypt((cast_key *) key, blk, blk); 429} 430 431static int 432cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 433{ 434 int err; 435 436 MALLOC(*sched, u_int8_t *, sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 437 if (*sched != NULL) { 438 cast_setkey((cast_key *)*sched, key, len); 439 err = 0; 440 } else 441 err = ENOMEM; 442 return err; 443} 444 445static void 446cast5_zerokey(u_int8_t **sched) 447{ 448 bzero(*sched, sizeof(cast_key)); 449 FREE(*sched, M_CRYPTO_DATA); 450 *sched = NULL; 451} 452 453static void 454skipjack_encrypt(caddr_t key, u_int8_t *blk) 455{ 456 skipjack_forwards(blk, blk, (u_int8_t **) key); 457} 458 459static void 460skipjack_decrypt(caddr_t key, u_int8_t *blk) 461{ 462 skipjack_backwards(blk, blk, (u_int8_t **) key); 463} 464 465static int 466skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 467{ 468 int err; 469 470 /* NB: allocate all the memory that's needed at once */ 471 MALLOC(*sched, u_int8_t *, 10 * (sizeof(u_int8_t *) + 0x100), 472 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 473 if (*sched != NULL) { 474 u_int8_t** key_tables = (u_int8_t**) *sched; 475 u_int8_t* table = (u_int8_t*) &key_tables[10]; 476 int k; 477 478 for (k = 0; k < 10; k++) { 479 key_tables[k] = table; 480 table += 0x100; 481 } 482 subkey_table_gen(key, (u_int8_t **) *sched); 483 err = 0; 484 } else 485 err = ENOMEM; 486 return err; 487} 488 489static void 490skipjack_zerokey(u_int8_t **sched) 491{ 492 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 493 FREE(*sched, M_CRYPTO_DATA); 494 *sched = NULL; 495} 496 497static void 498rijndael128_encrypt(caddr_t key, u_int8_t *blk) 499{ 500 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 501} 502 503static void 504rijndael128_decrypt(caddr_t key, u_int8_t *blk) 505{ 506 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 507 (u_char *) blk); 508} 509 510static int 511rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 512{ 513 int err; 514 515 MALLOC(*sched, u_int8_t *, sizeof(rijndael_ctx), M_CRYPTO_DATA, 516 M_NOWAIT|M_ZERO); 517 if (*sched != NULL) { 518 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 519 len * 8); 520 err = 0; 521 } else 522 err = ENOMEM; 523 return err; 524} 525 526static void 527rijndael128_zerokey(u_int8_t **sched) 528{ 529 bzero(*sched, sizeof(rijndael_ctx)); 530 FREE(*sched, M_CRYPTO_DATA); 531 *sched = NULL; 532} 533 534/* 535 * And now for auth. 536 */ 537 538static void 539null_init(void *ctx) 540{ 541} 542 543static int 544null_update(void *ctx, u_int8_t *buf, u_int16_t len) 545{ 546 return 0; 547} 548 549static void 550null_final(u_int8_t *buf, void *ctx) 551{ 552 if (buf != (u_int8_t *) 0) 553 bzero(buf, 12); 554} 555 556static int 557RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 558{ 559 RMD160Update(ctx, buf, len); 560 return 0; 561} 562 563static int 564MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 565{ 566 MD5Update(ctx, buf, len); 567 return 0; 568} 569 570static void 571SHA1Init_int(void *ctx) 572{ 573 SHA1Init(ctx); 574} 575 576static int 577SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 578{ 579 SHA1Update(ctx, buf, len); 580 return 0; 581} 582 583static void 584SHA1Final_int(u_int8_t *blk, void *ctx) 585{ 586 SHA1Final(blk, ctx); 587} 588 589static int 590SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 591{ 592 SHA256_Update(ctx, buf, len); 593 return 0; 594} 595 596static int 597SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 598{ 599 SHA384_Update(ctx, buf, len); 600 return 0; 601} 602 603static int 604SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 605{ 606 SHA512_Update(ctx, buf, len); 607 return 0; 608} 609 610/* 611 * And compression 612 */ 613 614static u_int32_t 615deflate_compress(data, size, out) 616 u_int8_t *data; 617 u_int32_t size; 618 u_int8_t **out; 619{ 620 return deflate_global(data, size, 0, out); 621} 622 623static u_int32_t 624deflate_decompress(data, size, out) 625 u_int8_t *data; 626 u_int32_t size; 627 u_int8_t **out; 628{ 629 return deflate_global(data, size, 1, out); 630} 631