xform_cml.c revision 184205
1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * 21 * Copyright (C) 2001, Angelos D. Keromytis. 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39#include <sys/cdefs.h> 40__FBSDID("$FreeBSD: head/sys/opencrypto/xform.c 184205 2008-10-23 15:53:51Z des $"); 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/sysctl.h> 46#include <sys/errno.h> 47#include <sys/time.h> 48#include <sys/kernel.h> 49#include <machine/cpu.h> 50 51#include <crypto/blowfish/blowfish.h> 52#include <crypto/des/des.h> 53#include <crypto/rijndael/rijndael.h> 54#include <crypto/camellia/camellia.h> 55#include <crypto/sha1.h> 56 57#include <opencrypto/cast.h> 58#include <opencrypto/deflate.h> 59#include <opencrypto/rmd160.h> 60#include <opencrypto/skipjack.h> 61 62#include <sys/md5.h> 63 64#include <opencrypto/cryptodev.h> 65#include <opencrypto/xform.h> 66 67static void null_encrypt(caddr_t, u_int8_t *); 68static void null_decrypt(caddr_t, u_int8_t *); 69static int null_setkey(u_int8_t **, u_int8_t *, int); 70static void null_zerokey(u_int8_t **); 71 72static int des1_setkey(u_int8_t **, u_int8_t *, int); 73static int des3_setkey(u_int8_t **, u_int8_t *, int); 74static int blf_setkey(u_int8_t **, u_int8_t *, int); 75static int cast5_setkey(u_int8_t **, u_int8_t *, int); 76static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 77static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 78static int cml_setkey(u_int8_t **, u_int8_t *, int); 79static void des1_encrypt(caddr_t, u_int8_t *); 80static void des3_encrypt(caddr_t, u_int8_t *); 81static void blf_encrypt(caddr_t, u_int8_t *); 82static void cast5_encrypt(caddr_t, u_int8_t *); 83static void skipjack_encrypt(caddr_t, u_int8_t *); 84static void rijndael128_encrypt(caddr_t, u_int8_t *); 85static void cml_encrypt(caddr_t, u_int8_t *); 86static void des1_decrypt(caddr_t, u_int8_t *); 87static void des3_decrypt(caddr_t, u_int8_t *); 88static void blf_decrypt(caddr_t, u_int8_t *); 89static void cast5_decrypt(caddr_t, u_int8_t *); 90static void skipjack_decrypt(caddr_t, u_int8_t *); 91static void rijndael128_decrypt(caddr_t, u_int8_t *); 92static void cml_decrypt(caddr_t, u_int8_t *); 93static void des1_zerokey(u_int8_t **); 94static void des3_zerokey(u_int8_t **); 95static void blf_zerokey(u_int8_t **); 96static void cast5_zerokey(u_int8_t **); 97static void skipjack_zerokey(u_int8_t **); 98static void rijndael128_zerokey(u_int8_t **); 99static void cml_zerokey(u_int8_t **); 100 101static void null_init(void *); 102static int null_update(void *, u_int8_t *, u_int16_t); 103static void null_final(u_int8_t *, void *); 104static int MD5Update_int(void *, u_int8_t *, u_int16_t); 105static void SHA1Init_int(void *); 106static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 107static void SHA1Final_int(u_int8_t *, void *); 108static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 109static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 110static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 111static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 112 113static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 114static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 115 116MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 117 118/* Encryption instances */ 119struct enc_xform enc_xform_null = { 120 CRYPTO_NULL_CBC, "NULL", 121 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 122 NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 123 null_encrypt, 124 null_decrypt, 125 null_setkey, 126 null_zerokey, 127}; 128 129struct enc_xform enc_xform_des = { 130 CRYPTO_DES_CBC, "DES", 131 DES_BLOCK_LEN, 8, 8, 132 des1_encrypt, 133 des1_decrypt, 134 des1_setkey, 135 des1_zerokey, 136}; 137 138struct enc_xform enc_xform_3des = { 139 CRYPTO_3DES_CBC, "3DES", 140 DES3_BLOCK_LEN, 24, 24, 141 des3_encrypt, 142 des3_decrypt, 143 des3_setkey, 144 des3_zerokey 145}; 146 147struct enc_xform enc_xform_blf = { 148 CRYPTO_BLF_CBC, "Blowfish", 149 BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 150 blf_encrypt, 151 blf_decrypt, 152 blf_setkey, 153 blf_zerokey 154}; 155 156struct enc_xform enc_xform_cast5 = { 157 CRYPTO_CAST_CBC, "CAST-128", 158 CAST128_BLOCK_LEN, 5, 16, 159 cast5_encrypt, 160 cast5_decrypt, 161 cast5_setkey, 162 cast5_zerokey 163}; 164 165struct enc_xform enc_xform_skipjack = { 166 CRYPTO_SKIPJACK_CBC, "Skipjack", 167 SKIPJACK_BLOCK_LEN, 10, 10, 168 skipjack_encrypt, 169 skipjack_decrypt, 170 skipjack_setkey, 171 skipjack_zerokey 172}; 173 174struct enc_xform enc_xform_rijndael128 = { 175 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 176 RIJNDAEL128_BLOCK_LEN, 8, 32, 177 rijndael128_encrypt, 178 rijndael128_decrypt, 179 rijndael128_setkey, 180 rijndael128_zerokey, 181}; 182 183struct enc_xform enc_xform_arc4 = { 184 CRYPTO_ARC4, "ARC4", 185 1, 1, 32, 186 NULL, 187 NULL, 188 NULL, 189 NULL, 190}; 191 192struct enc_xform enc_xform_camellia = { 193 CRYPTO_CAMELLIA_CBC, "Camellia", 194 CAMELLIA_BLOCK_LEN, 8, 32, 195 cml_encrypt, 196 cml_decrypt, 197 cml_setkey, 198 cml_zerokey, 199}; 200 201/* Authentication instances */ 202struct auth_hash auth_hash_null = { 203 CRYPTO_NULL_HMAC, "NULL-HMAC", 204 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */ 205 null_init, null_update, null_final 206}; 207 208struct auth_hash auth_hash_hmac_md5 = { 209 CRYPTO_MD5_HMAC, "HMAC-MD5", 210 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX), 211 (void (*) (void *)) MD5Init, MD5Update_int, 212 (void (*) (u_int8_t *, void *)) MD5Final 213}; 214 215struct auth_hash auth_hash_hmac_sha1 = { 216 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 217 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX), 218 SHA1Init_int, SHA1Update_int, SHA1Final_int 219}; 220 221struct auth_hash auth_hash_hmac_ripemd_160 = { 222 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 223 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX), 224 (void (*)(void *)) RMD160Init, RMD160Update_int, 225 (void (*)(u_int8_t *, void *)) RMD160Final 226}; 227 228struct auth_hash auth_hash_key_md5 = { 229 CRYPTO_MD5_KPDK, "Keyed MD5", 230 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX), 231 (void (*)(void *)) MD5Init, MD5Update_int, 232 (void (*)(u_int8_t *, void *)) MD5Final 233}; 234 235struct auth_hash auth_hash_key_sha1 = { 236 CRYPTO_SHA1_KPDK, "Keyed SHA1", 237 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX), 238 SHA1Init_int, SHA1Update_int, SHA1Final_int 239}; 240 241struct auth_hash auth_hash_hmac_sha2_256 = { 242 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 243 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX), 244 (void (*)(void *)) SHA256_Init, SHA256Update_int, 245 (void (*)(u_int8_t *, void *)) SHA256_Final 246}; 247 248struct auth_hash auth_hash_hmac_sha2_384 = { 249 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 250 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX), 251 (void (*)(void *)) SHA384_Init, SHA384Update_int, 252 (void (*)(u_int8_t *, void *)) SHA384_Final 253}; 254 255struct auth_hash auth_hash_hmac_sha2_512 = { 256 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 257 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX), 258 (void (*)(void *)) SHA512_Init, SHA512Update_int, 259 (void (*)(u_int8_t *, void *)) SHA512_Final 260}; 261 262/* Compression instance */ 263struct comp_algo comp_algo_deflate = { 264 CRYPTO_DEFLATE_COMP, "Deflate", 265 90, deflate_compress, 266 deflate_decompress 267}; 268 269/* 270 * Encryption wrapper routines. 271 */ 272static void 273null_encrypt(caddr_t key, u_int8_t *blk) 274{ 275} 276static void 277null_decrypt(caddr_t key, u_int8_t *blk) 278{ 279} 280static int 281null_setkey(u_int8_t **sched, u_int8_t *key, int len) 282{ 283 *sched = NULL; 284 return 0; 285} 286static void 287null_zerokey(u_int8_t **sched) 288{ 289 *sched = NULL; 290} 291 292static void 293des1_encrypt(caddr_t key, u_int8_t *blk) 294{ 295 des_cblock *cb = (des_cblock *) blk; 296 des_key_schedule *p = (des_key_schedule *) key; 297 298 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 299} 300 301static void 302des1_decrypt(caddr_t key, u_int8_t *blk) 303{ 304 des_cblock *cb = (des_cblock *) blk; 305 des_key_schedule *p = (des_key_schedule *) key; 306 307 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 308} 309 310static int 311des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 312{ 313 des_key_schedule *p; 314 int err; 315 316 p = malloc(sizeof (des_key_schedule), 317 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 318 if (p != NULL) { 319 des_set_key((des_cblock *) key, p[0]); 320 err = 0; 321 } else 322 err = ENOMEM; 323 *sched = (u_int8_t *) p; 324 return err; 325} 326 327static void 328des1_zerokey(u_int8_t **sched) 329{ 330 bzero(*sched, sizeof (des_key_schedule)); 331 free(*sched, M_CRYPTO_DATA); 332 *sched = NULL; 333} 334 335static void 336des3_encrypt(caddr_t key, u_int8_t *blk) 337{ 338 des_cblock *cb = (des_cblock *) blk; 339 des_key_schedule *p = (des_key_schedule *) key; 340 341 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 342} 343 344static void 345des3_decrypt(caddr_t key, u_int8_t *blk) 346{ 347 des_cblock *cb = (des_cblock *) blk; 348 des_key_schedule *p = (des_key_schedule *) key; 349 350 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 351} 352 353static int 354des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 355{ 356 des_key_schedule *p; 357 int err; 358 359 p = malloc(3*sizeof (des_key_schedule), 360 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 361 if (p != NULL) { 362 des_set_key((des_cblock *)(key + 0), p[0]); 363 des_set_key((des_cblock *)(key + 8), p[1]); 364 des_set_key((des_cblock *)(key + 16), p[2]); 365 err = 0; 366 } else 367 err = ENOMEM; 368 *sched = (u_int8_t *) p; 369 return err; 370} 371 372static void 373des3_zerokey(u_int8_t **sched) 374{ 375 bzero(*sched, 3*sizeof (des_key_schedule)); 376 free(*sched, M_CRYPTO_DATA); 377 *sched = NULL; 378} 379 380static void 381blf_encrypt(caddr_t key, u_int8_t *blk) 382{ 383 BF_LONG t[2]; 384 385 memcpy(t, blk, sizeof (t)); 386 t[0] = ntohl(t[0]); 387 t[1] = ntohl(t[1]); 388 /* NB: BF_encrypt expects the block in host order! */ 389 BF_encrypt(t, (BF_KEY *) key); 390 t[0] = htonl(t[0]); 391 t[1] = htonl(t[1]); 392 memcpy(blk, t, sizeof (t)); 393} 394 395static void 396blf_decrypt(caddr_t key, u_int8_t *blk) 397{ 398 BF_LONG t[2]; 399 400 memcpy(t, blk, sizeof (t)); 401 t[0] = ntohl(t[0]); 402 t[1] = ntohl(t[1]); 403 /* NB: BF_decrypt expects the block in host order! */ 404 BF_decrypt(t, (BF_KEY *) key); 405 t[0] = htonl(t[0]); 406 t[1] = htonl(t[1]); 407 memcpy(blk, t, sizeof (t)); 408} 409 410static int 411blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 412{ 413 int err; 414 415 *sched = malloc(sizeof(BF_KEY), 416 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 417 if (*sched != NULL) { 418 BF_set_key((BF_KEY *) *sched, len, key); 419 err = 0; 420 } else 421 err = ENOMEM; 422 return err; 423} 424 425static void 426blf_zerokey(u_int8_t **sched) 427{ 428 bzero(*sched, sizeof(BF_KEY)); 429 free(*sched, M_CRYPTO_DATA); 430 *sched = NULL; 431} 432 433static void 434cast5_encrypt(caddr_t key, u_int8_t *blk) 435{ 436 cast_encrypt((cast_key *) key, blk, blk); 437} 438 439static void 440cast5_decrypt(caddr_t key, u_int8_t *blk) 441{ 442 cast_decrypt((cast_key *) key, blk, blk); 443} 444 445static int 446cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 447{ 448 int err; 449 450 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 451 if (*sched != NULL) { 452 cast_setkey((cast_key *)*sched, key, len); 453 err = 0; 454 } else 455 err = ENOMEM; 456 return err; 457} 458 459static void 460cast5_zerokey(u_int8_t **sched) 461{ 462 bzero(*sched, sizeof(cast_key)); 463 free(*sched, M_CRYPTO_DATA); 464 *sched = NULL; 465} 466 467static void 468skipjack_encrypt(caddr_t key, u_int8_t *blk) 469{ 470 skipjack_forwards(blk, blk, (u_int8_t **) key); 471} 472 473static void 474skipjack_decrypt(caddr_t key, u_int8_t *blk) 475{ 476 skipjack_backwards(blk, blk, (u_int8_t **) key); 477} 478 479static int 480skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 481{ 482 int err; 483 484 /* NB: allocate all the memory that's needed at once */ 485 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 486 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 487 if (*sched != NULL) { 488 u_int8_t** key_tables = (u_int8_t**) *sched; 489 u_int8_t* table = (u_int8_t*) &key_tables[10]; 490 int k; 491 492 for (k = 0; k < 10; k++) { 493 key_tables[k] = table; 494 table += 0x100; 495 } 496 subkey_table_gen(key, (u_int8_t **) *sched); 497 err = 0; 498 } else 499 err = ENOMEM; 500 return err; 501} 502 503static void 504skipjack_zerokey(u_int8_t **sched) 505{ 506 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 507 free(*sched, M_CRYPTO_DATA); 508 *sched = NULL; 509} 510 511static void 512rijndael128_encrypt(caddr_t key, u_int8_t *blk) 513{ 514 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 515} 516 517static void 518rijndael128_decrypt(caddr_t key, u_int8_t *blk) 519{ 520 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 521 (u_char *) blk); 522} 523 524static int 525rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 526{ 527 int err; 528 529 if (len != 16 && len != 24 && len != 32) 530 return (EINVAL); 531 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 532 M_NOWAIT|M_ZERO); 533 if (*sched != NULL) { 534 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 535 len * 8); 536 err = 0; 537 } else 538 err = ENOMEM; 539 return err; 540} 541 542static void 543rijndael128_zerokey(u_int8_t **sched) 544{ 545 bzero(*sched, sizeof(rijndael_ctx)); 546 free(*sched, M_CRYPTO_DATA); 547 *sched = NULL; 548} 549 550static void 551cml_encrypt(caddr_t key, u_int8_t *blk) 552{ 553 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 554} 555 556static void 557cml_decrypt(caddr_t key, u_int8_t *blk) 558{ 559 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 560 (u_char *) blk); 561} 562 563static int 564cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 565{ 566 int err; 567 568 if (len != 16 && len != 24 && len != 32) 569 return (EINVAL); 570 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 571 M_NOWAIT|M_ZERO); 572 if (*sched != NULL) { 573 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 574 len * 8); 575 err = 0; 576 } else 577 err = ENOMEM; 578 return err; 579} 580 581static void 582cml_zerokey(u_int8_t **sched) 583{ 584 bzero(*sched, sizeof(camellia_ctx)); 585 free(*sched, M_CRYPTO_DATA); 586 *sched = NULL; 587} 588 589/* 590 * And now for auth. 591 */ 592 593static void 594null_init(void *ctx) 595{ 596} 597 598static int 599null_update(void *ctx, u_int8_t *buf, u_int16_t len) 600{ 601 return 0; 602} 603 604static void 605null_final(u_int8_t *buf, void *ctx) 606{ 607 if (buf != (u_int8_t *) 0) 608 bzero(buf, 12); 609} 610 611static int 612RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 613{ 614 RMD160Update(ctx, buf, len); 615 return 0; 616} 617 618static int 619MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 620{ 621 MD5Update(ctx, buf, len); 622 return 0; 623} 624 625static void 626SHA1Init_int(void *ctx) 627{ 628 SHA1Init(ctx); 629} 630 631static int 632SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 633{ 634 SHA1Update(ctx, buf, len); 635 return 0; 636} 637 638static void 639SHA1Final_int(u_int8_t *blk, void *ctx) 640{ 641 SHA1Final(blk, ctx); 642} 643 644static int 645SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 646{ 647 SHA256_Update(ctx, buf, len); 648 return 0; 649} 650 651static int 652SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 653{ 654 SHA384_Update(ctx, buf, len); 655 return 0; 656} 657 658static int 659SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 660{ 661 SHA512_Update(ctx, buf, len); 662 return 0; 663} 664 665/* 666 * And compression 667 */ 668 669static u_int32_t 670deflate_compress(data, size, out) 671 u_int8_t *data; 672 u_int32_t size; 673 u_int8_t **out; 674{ 675 return deflate_global(data, size, 0, out); 676} 677 678static u_int32_t 679deflate_decompress(data, size, out) 680 u_int8_t *data; 681 u_int32_t size; 682 u_int8_t **out; 683{ 684 return deflate_global(data, size, 1, out); 685} 686