xform_cml.c revision 275732
1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50#include <sys/cdefs.h> 51__FBSDID("$FreeBSD: head/sys/opencrypto/xform.c 275732 2014-12-12 19:56:36Z jmg $"); 52 53#include <sys/param.h> 54#include <sys/systm.h> 55#include <sys/malloc.h> 56#include <sys/sysctl.h> 57#include <sys/errno.h> 58#include <sys/time.h> 59#include <sys/kernel.h> 60#include <machine/cpu.h> 61 62#include <crypto/blowfish/blowfish.h> 63#include <crypto/des/des.h> 64#include <crypto/rijndael/rijndael.h> 65#include <crypto/camellia/camellia.h> 66#include <crypto/sha1.h> 67 68#include <opencrypto/cast.h> 69#include <opencrypto/deflate.h> 70#include <opencrypto/rmd160.h> 71#include <opencrypto/skipjack.h> 72 73#include <sys/md5.h> 74 75#include <opencrypto/cryptodev.h> 76#include <opencrypto/xform.h> 77 78static int null_setkey(u_int8_t **, u_int8_t *, int); 79static int des1_setkey(u_int8_t **, u_int8_t *, int); 80static int des3_setkey(u_int8_t **, u_int8_t *, int); 81static int blf_setkey(u_int8_t **, u_int8_t *, int); 82static int cast5_setkey(u_int8_t **, u_int8_t *, int); 83static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 84static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 85static int aes_icm_setkey(u_int8_t **, u_int8_t *, int); 86static int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 87static int cml_setkey(u_int8_t **, u_int8_t *, int); 88 89static void null_encrypt(caddr_t, u_int8_t *); 90static void des1_encrypt(caddr_t, u_int8_t *); 91static void des3_encrypt(caddr_t, u_int8_t *); 92static void blf_encrypt(caddr_t, u_int8_t *); 93static void cast5_encrypt(caddr_t, u_int8_t *); 94static void skipjack_encrypt(caddr_t, u_int8_t *); 95static void rijndael128_encrypt(caddr_t, u_int8_t *); 96static void aes_xts_encrypt(caddr_t, u_int8_t *); 97static void cml_encrypt(caddr_t, u_int8_t *); 98 99static void null_decrypt(caddr_t, u_int8_t *); 100static void des1_decrypt(caddr_t, u_int8_t *); 101static void des3_decrypt(caddr_t, u_int8_t *); 102static void blf_decrypt(caddr_t, u_int8_t *); 103static void cast5_decrypt(caddr_t, u_int8_t *); 104static void skipjack_decrypt(caddr_t, u_int8_t *); 105static void rijndael128_decrypt(caddr_t, u_int8_t *); 106static void aes_xts_decrypt(caddr_t, u_int8_t *); 107static void cml_decrypt(caddr_t, u_int8_t *); 108 109static void aes_icm_crypt(caddr_t, u_int8_t *); 110 111static void null_zerokey(u_int8_t **); 112static void des1_zerokey(u_int8_t **); 113static void des3_zerokey(u_int8_t **); 114static void blf_zerokey(u_int8_t **); 115static void cast5_zerokey(u_int8_t **); 116static void skipjack_zerokey(u_int8_t **); 117static void rijndael128_zerokey(u_int8_t **); 118static void aes_icm_zerokey(u_int8_t **); 119static void aes_xts_zerokey(u_int8_t **); 120static void cml_zerokey(u_int8_t **); 121 122static void aes_icm_reinit(caddr_t, u_int8_t *); 123static void aes_xts_reinit(caddr_t, u_int8_t *); 124static void aes_gcm_reinit(caddr_t, u_int8_t *); 125 126static void null_init(void *); 127static void null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len); 128static int null_update(void *, const u_int8_t *, u_int16_t); 129static void null_final(u_int8_t *, void *); 130static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 131static void SHA1Init_int(void *); 132static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 133static void SHA1Final_int(u_int8_t *, void *); 134static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 135static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 136static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 137static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 138 139static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 140static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 141 142#define AESICM_BLOCKSIZE 16 143 144struct aes_icm_ctx { 145 u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; 146 /* ac_block is initalized to IV */ 147 u_int8_t ac_block[AESICM_BLOCKSIZE]; 148 int ac_nr; 149}; 150 151MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 152 153/* Encryption instances */ 154struct enc_xform enc_xform_null = { 155 CRYPTO_NULL_CBC, "NULL", 156 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 157 NULL_BLOCK_LEN, NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 158 null_encrypt, 159 null_decrypt, 160 null_setkey, 161 null_zerokey, 162 NULL, 163}; 164 165struct enc_xform enc_xform_des = { 166 CRYPTO_DES_CBC, "DES", 167 DES_BLOCK_LEN, DES_BLOCK_LEN, 8, 8, 168 des1_encrypt, 169 des1_decrypt, 170 des1_setkey, 171 des1_zerokey, 172 NULL, 173}; 174 175struct enc_xform enc_xform_3des = { 176 CRYPTO_3DES_CBC, "3DES", 177 DES3_BLOCK_LEN, DES3_BLOCK_LEN, 24, 24, 178 des3_encrypt, 179 des3_decrypt, 180 des3_setkey, 181 des3_zerokey, 182 NULL, 183}; 184 185struct enc_xform enc_xform_blf = { 186 CRYPTO_BLF_CBC, "Blowfish", 187 BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 188 blf_encrypt, 189 blf_decrypt, 190 blf_setkey, 191 blf_zerokey, 192 NULL, 193}; 194 195struct enc_xform enc_xform_cast5 = { 196 CRYPTO_CAST_CBC, "CAST-128", 197 CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, 5, 16, 198 cast5_encrypt, 199 cast5_decrypt, 200 cast5_setkey, 201 cast5_zerokey, 202 NULL, 203}; 204 205struct enc_xform enc_xform_skipjack = { 206 CRYPTO_SKIPJACK_CBC, "Skipjack", 207 SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, 10, 10, 208 skipjack_encrypt, 209 skipjack_decrypt, skipjack_setkey, 210 skipjack_zerokey, 211 NULL, 212}; 213 214struct enc_xform enc_xform_rijndael128 = { 215 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 216 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 16, 32, 217 rijndael128_encrypt, 218 rijndael128_decrypt, 219 rijndael128_setkey, 220 rijndael128_zerokey, 221 NULL, 222}; 223 224struct enc_xform enc_xform_aes_icm = { 225 CRYPTO_AES_ICM, "AES-ICM", 226 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 16, 32, 227 aes_icm_crypt, 228 aes_icm_crypt, 229 aes_icm_setkey, 230 rijndael128_zerokey, 231 aes_icm_reinit, 232}; 233 234struct enc_xform enc_xform_aes_nist_gcm = { 235 CRYPTO_AES_NIST_GCM_16, "AES-GCM", 236 1, 12, 16, 32, 237 aes_icm_crypt, 238 aes_icm_crypt, 239 aes_icm_setkey, 240 aes_icm_zerokey, 241 aes_gcm_reinit, 242}; 243 244struct enc_xform enc_xform_aes_nist_gmac = { 245 CRYPTO_AES_NIST_GMAC, "AES-GMAC", 246 1, 12, 16, 32, 247 NULL, 248 NULL, 249 NULL, 250 NULL, 251 NULL, 252}; 253 254struct enc_xform enc_xform_aes_xts = { 255 CRYPTO_AES_XTS, "AES-XTS", 256 RIJNDAEL128_BLOCK_LEN, 8, 32, 64, 257 aes_xts_encrypt, 258 aes_xts_decrypt, 259 aes_xts_setkey, 260 aes_xts_zerokey, 261 aes_xts_reinit 262}; 263 264struct enc_xform enc_xform_arc4 = { 265 CRYPTO_ARC4, "ARC4", 266 1, 1, 1, 32, 267 NULL, 268 NULL, 269 NULL, 270 NULL, 271 NULL, 272}; 273 274struct enc_xform enc_xform_camellia = { 275 CRYPTO_CAMELLIA_CBC, "Camellia", 276 CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, 8, 32, 277 cml_encrypt, 278 cml_decrypt, 279 cml_setkey, 280 cml_zerokey, 281 NULL, 282}; 283 284/* Authentication instances */ 285struct auth_hash auth_hash_null = { /* NB: context isn't used */ 286 CRYPTO_NULL_HMAC, "NULL-HMAC", 287 0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN, 288 null_init, null_reinit, null_reinit, null_update, null_final 289}; 290 291struct auth_hash auth_hash_hmac_md5 = { 292 CRYPTO_MD5_HMAC, "HMAC-MD5", 293 16, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN, 294 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 295 (void (*) (u_int8_t *, void *)) MD5Final 296}; 297 298struct auth_hash auth_hash_hmac_sha1 = { 299 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 300 20, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN, 301 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 302}; 303 304struct auth_hash auth_hash_hmac_ripemd_160 = { 305 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 306 20, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), RIPEMD160_HMAC_BLOCK_LEN, 307 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 308 (void (*)(u_int8_t *, void *)) RMD160Final 309}; 310 311struct auth_hash auth_hash_key_md5 = { 312 CRYPTO_MD5_KPDK, "Keyed MD5", 313 0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0, 314 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 315 (void (*)(u_int8_t *, void *)) MD5Final 316}; 317 318struct auth_hash auth_hash_key_sha1 = { 319 CRYPTO_SHA1_KPDK, "Keyed SHA1", 320 0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0, 321 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 322}; 323 324struct auth_hash auth_hash_hmac_sha2_256 = { 325 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 326 32, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), SHA2_256_HMAC_BLOCK_LEN, 327 (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, 328 (void (*)(u_int8_t *, void *)) SHA256_Final 329}; 330 331struct auth_hash auth_hash_hmac_sha2_384 = { 332 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 333 48, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), SHA2_384_HMAC_BLOCK_LEN, 334 (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, 335 (void (*)(u_int8_t *, void *)) SHA384_Final 336}; 337 338struct auth_hash auth_hash_hmac_sha2_512 = { 339 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 340 64, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), SHA2_512_HMAC_BLOCK_LEN, 341 (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, 342 (void (*)(u_int8_t *, void *)) SHA512_Final 343}; 344 345struct auth_hash auth_hash_nist_gmac_aes_128 = { 346 CRYPTO_AES_128_NIST_GMAC, "GMAC-AES-128", 347 16, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN, 348 (void (*)(void *)) AES_GMAC_Init, 349 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 350 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 351 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 352 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 353}; 354 355struct auth_hash auth_hash_nist_gmac_aes_192 = { 356 CRYPTO_AES_192_NIST_GMAC, "GMAC-AES-192", 357 24, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN, 358 (void (*)(void *)) AES_GMAC_Init, 359 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 360 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 361 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 362 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 363}; 364 365struct auth_hash auth_hash_nist_gmac_aes_256 = { 366 CRYPTO_AES_256_NIST_GMAC, "GMAC-AES-256", 367 32, 16, sizeof(struct aes_gmac_ctx), GMAC_BLOCK_LEN, 368 (void (*)(void *)) AES_GMAC_Init, 369 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 370 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 371 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 372 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 373}; 374 375/* Compression instance */ 376struct comp_algo comp_algo_deflate = { 377 CRYPTO_DEFLATE_COMP, "Deflate", 378 90, deflate_compress, 379 deflate_decompress 380}; 381 382/* 383 * Encryption wrapper routines. 384 */ 385static void 386null_encrypt(caddr_t key, u_int8_t *blk) 387{ 388} 389static void 390null_decrypt(caddr_t key, u_int8_t *blk) 391{ 392} 393static int 394null_setkey(u_int8_t **sched, u_int8_t *key, int len) 395{ 396 *sched = NULL; 397 return 0; 398} 399static void 400null_zerokey(u_int8_t **sched) 401{ 402 *sched = NULL; 403} 404 405static void 406des1_encrypt(caddr_t key, u_int8_t *blk) 407{ 408 des_cblock *cb = (des_cblock *) blk; 409 des_key_schedule *p = (des_key_schedule *) key; 410 411 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 412} 413 414static void 415des1_decrypt(caddr_t key, u_int8_t *blk) 416{ 417 des_cblock *cb = (des_cblock *) blk; 418 des_key_schedule *p = (des_key_schedule *) key; 419 420 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 421} 422 423static int 424des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 425{ 426 des_key_schedule *p; 427 int err; 428 429 p = malloc(sizeof (des_key_schedule), 430 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 431 if (p != NULL) { 432 des_set_key((des_cblock *) key, p[0]); 433 err = 0; 434 } else 435 err = ENOMEM; 436 *sched = (u_int8_t *) p; 437 return err; 438} 439 440static void 441des1_zerokey(u_int8_t **sched) 442{ 443 bzero(*sched, sizeof (des_key_schedule)); 444 free(*sched, M_CRYPTO_DATA); 445 *sched = NULL; 446} 447 448static void 449des3_encrypt(caddr_t key, u_int8_t *blk) 450{ 451 des_cblock *cb = (des_cblock *) blk; 452 des_key_schedule *p = (des_key_schedule *) key; 453 454 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 455} 456 457static void 458des3_decrypt(caddr_t key, u_int8_t *blk) 459{ 460 des_cblock *cb = (des_cblock *) blk; 461 des_key_schedule *p = (des_key_schedule *) key; 462 463 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 464} 465 466static int 467des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 468{ 469 des_key_schedule *p; 470 int err; 471 472 p = malloc(3*sizeof (des_key_schedule), 473 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 474 if (p != NULL) { 475 des_set_key((des_cblock *)(key + 0), p[0]); 476 des_set_key((des_cblock *)(key + 8), p[1]); 477 des_set_key((des_cblock *)(key + 16), p[2]); 478 err = 0; 479 } else 480 err = ENOMEM; 481 *sched = (u_int8_t *) p; 482 return err; 483} 484 485static void 486des3_zerokey(u_int8_t **sched) 487{ 488 bzero(*sched, 3*sizeof (des_key_schedule)); 489 free(*sched, M_CRYPTO_DATA); 490 *sched = NULL; 491} 492 493static void 494blf_encrypt(caddr_t key, u_int8_t *blk) 495{ 496 BF_LONG t[2]; 497 498 memcpy(t, blk, sizeof (t)); 499 t[0] = ntohl(t[0]); 500 t[1] = ntohl(t[1]); 501 /* NB: BF_encrypt expects the block in host order! */ 502 BF_encrypt(t, (BF_KEY *) key); 503 t[0] = htonl(t[0]); 504 t[1] = htonl(t[1]); 505 memcpy(blk, t, sizeof (t)); 506} 507 508static void 509blf_decrypt(caddr_t key, u_int8_t *blk) 510{ 511 BF_LONG t[2]; 512 513 memcpy(t, blk, sizeof (t)); 514 t[0] = ntohl(t[0]); 515 t[1] = ntohl(t[1]); 516 /* NB: BF_decrypt expects the block in host order! */ 517 BF_decrypt(t, (BF_KEY *) key); 518 t[0] = htonl(t[0]); 519 t[1] = htonl(t[1]); 520 memcpy(blk, t, sizeof (t)); 521} 522 523static int 524blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 525{ 526 int err; 527 528 *sched = malloc(sizeof(BF_KEY), 529 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 530 if (*sched != NULL) { 531 BF_set_key((BF_KEY *) *sched, len, key); 532 err = 0; 533 } else 534 err = ENOMEM; 535 return err; 536} 537 538static void 539blf_zerokey(u_int8_t **sched) 540{ 541 bzero(*sched, sizeof(BF_KEY)); 542 free(*sched, M_CRYPTO_DATA); 543 *sched = NULL; 544} 545 546static void 547cast5_encrypt(caddr_t key, u_int8_t *blk) 548{ 549 cast_encrypt((cast_key *) key, blk, blk); 550} 551 552static void 553cast5_decrypt(caddr_t key, u_int8_t *blk) 554{ 555 cast_decrypt((cast_key *) key, blk, blk); 556} 557 558static int 559cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 560{ 561 int err; 562 563 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 564 if (*sched != NULL) { 565 cast_setkey((cast_key *)*sched, key, len); 566 err = 0; 567 } else 568 err = ENOMEM; 569 return err; 570} 571 572static void 573cast5_zerokey(u_int8_t **sched) 574{ 575 bzero(*sched, sizeof(cast_key)); 576 free(*sched, M_CRYPTO_DATA); 577 *sched = NULL; 578} 579 580static void 581skipjack_encrypt(caddr_t key, u_int8_t *blk) 582{ 583 skipjack_forwards(blk, blk, (u_int8_t **) key); 584} 585 586static void 587skipjack_decrypt(caddr_t key, u_int8_t *blk) 588{ 589 skipjack_backwards(blk, blk, (u_int8_t **) key); 590} 591 592static int 593skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 594{ 595 int err; 596 597 /* NB: allocate all the memory that's needed at once */ 598 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 599 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 600 if (*sched != NULL) { 601 u_int8_t** key_tables = (u_int8_t**) *sched; 602 u_int8_t* table = (u_int8_t*) &key_tables[10]; 603 int k; 604 605 for (k = 0; k < 10; k++) { 606 key_tables[k] = table; 607 table += 0x100; 608 } 609 subkey_table_gen(key, (u_int8_t **) *sched); 610 err = 0; 611 } else 612 err = ENOMEM; 613 return err; 614} 615 616static void 617skipjack_zerokey(u_int8_t **sched) 618{ 619 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 620 free(*sched, M_CRYPTO_DATA); 621 *sched = NULL; 622} 623 624static void 625rijndael128_encrypt(caddr_t key, u_int8_t *blk) 626{ 627 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 628} 629 630static void 631rijndael128_decrypt(caddr_t key, u_int8_t *blk) 632{ 633 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 634 (u_char *) blk); 635} 636 637static int 638rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 639{ 640 int err; 641 642 if (len != 16 && len != 24 && len != 32) 643 return (EINVAL); 644 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 645 M_NOWAIT|M_ZERO); 646 if (*sched != NULL) { 647 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 648 len * 8); 649 err = 0; 650 } else 651 err = ENOMEM; 652 return err; 653} 654 655static void 656rijndael128_zerokey(u_int8_t **sched) 657{ 658 bzero(*sched, sizeof(rijndael_ctx)); 659 free(*sched, M_CRYPTO_DATA); 660 *sched = NULL; 661} 662 663void 664aes_icm_reinit(caddr_t key, u_int8_t *iv) 665{ 666 struct aes_icm_ctx *ctx; 667 668 ctx = (struct aes_icm_ctx *)key; 669 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE); 670} 671 672void 673aes_gcm_reinit(caddr_t key, u_int8_t *iv) 674{ 675 struct aes_icm_ctx *ctx; 676 677 aes_icm_reinit(key, iv); 678 679 ctx = (struct aes_icm_ctx *)key; 680 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 681 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4); 682 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2; 683} 684 685void 686aes_icm_crypt(caddr_t key, u_int8_t *data) 687{ 688 struct aes_icm_ctx *ctx; 689 u_int8_t keystream[AESICM_BLOCKSIZE]; 690 int i; 691 692 ctx = (struct aes_icm_ctx *)key; 693 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 694 for (i = 0; i < AESICM_BLOCKSIZE; i++) 695 data[i] ^= keystream[i]; 696 explicit_bzero(keystream, sizeof(keystream)); 697 698 /* increment counter */ 699 for (i = AESICM_BLOCKSIZE - 1; 700 i >= 0; i--) 701 if (++ctx->ac_block[i]) /* continue on overflow */ 702 break; 703} 704 705int 706aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len) 707{ 708 struct aes_icm_ctx *ctx; 709 710 *sched = malloc(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA, 711 M_NOWAIT | M_ZERO); 712 if (*sched == NULL) 713 return ENOMEM; 714 715 ctx = (struct aes_icm_ctx *)*sched; 716 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, len * 8); 717 if (ctx->ac_nr == 0) 718 return EINVAL; 719 return 0; 720} 721 722void 723aes_icm_zerokey(u_int8_t **sched) 724{ 725 726 bzero(*sched, sizeof(struct aes_icm_ctx)); 727 free(*sched, M_CRYPTO_DATA); 728 *sched = NULL; 729} 730 731#define AES_XTS_BLOCKSIZE 16 732#define AES_XTS_IVSIZE 8 733#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 734 735struct aes_xts_ctx { 736 rijndael_ctx key1; 737 rijndael_ctx key2; 738 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 739}; 740 741void 742aes_xts_reinit(caddr_t key, u_int8_t *iv) 743{ 744 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 745 u_int64_t blocknum; 746 u_int i; 747 748 /* 749 * Prepare tweak as E_k2(IV). IV is specified as LE representation 750 * of a 64-bit block number which we allow to be passed in directly. 751 */ 752 bcopy(iv, &blocknum, AES_XTS_IVSIZE); 753 for (i = 0; i < AES_XTS_IVSIZE; i++) { 754 ctx->tweak[i] = blocknum & 0xff; 755 blocknum >>= 8; 756 } 757 /* Last 64 bits of IV are always zero */ 758 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 759 760 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 761} 762 763static void 764aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 765{ 766 u_int8_t block[AES_XTS_BLOCKSIZE]; 767 u_int i, carry_in, carry_out; 768 769 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 770 block[i] = data[i] ^ ctx->tweak[i]; 771 772 if (do_encrypt) 773 rijndael_encrypt(&ctx->key1, block, data); 774 else 775 rijndael_decrypt(&ctx->key1, block, data); 776 777 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 778 data[i] ^= ctx->tweak[i]; 779 780 /* Exponentiate tweak */ 781 carry_in = 0; 782 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 783 carry_out = ctx->tweak[i] & 0x80; 784 ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0); 785 carry_in = carry_out; 786 } 787 if (carry_in) 788 ctx->tweak[0] ^= AES_XTS_ALPHA; 789 bzero(block, sizeof(block)); 790} 791 792void 793aes_xts_encrypt(caddr_t key, u_int8_t *data) 794{ 795 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 796} 797 798void 799aes_xts_decrypt(caddr_t key, u_int8_t *data) 800{ 801 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 802} 803 804int 805aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 806{ 807 struct aes_xts_ctx *ctx; 808 809 if (len != 32 && len != 64) 810 return EINVAL; 811 812 *sched = malloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 813 M_NOWAIT | M_ZERO); 814 if (*sched == NULL) 815 return ENOMEM; 816 ctx = (struct aes_xts_ctx *)*sched; 817 818 rijndael_set_key(&ctx->key1, key, len * 4); 819 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 820 821 return 0; 822} 823 824void 825aes_xts_zerokey(u_int8_t **sched) 826{ 827 bzero(*sched, sizeof(struct aes_xts_ctx)); 828 free(*sched, M_CRYPTO_DATA); 829 *sched = NULL; 830} 831 832static void 833cml_encrypt(caddr_t key, u_int8_t *blk) 834{ 835 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 836} 837 838static void 839cml_decrypt(caddr_t key, u_int8_t *blk) 840{ 841 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 842 (u_char *) blk); 843} 844 845static int 846cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 847{ 848 int err; 849 850 if (len != 16 && len != 24 && len != 32) 851 return (EINVAL); 852 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 853 M_NOWAIT|M_ZERO); 854 if (*sched != NULL) { 855 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 856 len * 8); 857 err = 0; 858 } else 859 err = ENOMEM; 860 return err; 861} 862 863static void 864cml_zerokey(u_int8_t **sched) 865{ 866 bzero(*sched, sizeof(camellia_ctx)); 867 free(*sched, M_CRYPTO_DATA); 868 *sched = NULL; 869} 870 871/* 872 * And now for auth. 873 */ 874 875static void 876null_init(void *ctx) 877{ 878} 879 880static void 881null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len) 882{ 883} 884 885static int 886null_update(void *ctx, const u_int8_t *buf, u_int16_t len) 887{ 888 return 0; 889} 890 891static void 892null_final(u_int8_t *buf, void *ctx) 893{ 894 if (buf != (u_int8_t *) 0) 895 bzero(buf, 12); 896} 897 898static int 899RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 900{ 901 RMD160Update(ctx, buf, len); 902 return 0; 903} 904 905static int 906MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 907{ 908 MD5Update(ctx, buf, len); 909 return 0; 910} 911 912static void 913SHA1Init_int(void *ctx) 914{ 915 SHA1Init(ctx); 916} 917 918static int 919SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 920{ 921 SHA1Update(ctx, buf, len); 922 return 0; 923} 924 925static void 926SHA1Final_int(u_int8_t *blk, void *ctx) 927{ 928 SHA1Final(blk, ctx); 929} 930 931static int 932SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 933{ 934 SHA256_Update(ctx, buf, len); 935 return 0; 936} 937 938static int 939SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 940{ 941 SHA384_Update(ctx, buf, len); 942 return 0; 943} 944 945static int 946SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 947{ 948 SHA512_Update(ctx, buf, len); 949 return 0; 950} 951 952/* 953 * And compression 954 */ 955 956static u_int32_t 957deflate_compress(data, size, out) 958 u_int8_t *data; 959 u_int32_t size; 960 u_int8_t **out; 961{ 962 return deflate_global(data, size, 0, out); 963} 964 965static u_int32_t 966deflate_decompress(data, size, out) 967 u_int8_t *data; 968 u_int32_t size; 969 u_int8_t **out; 970{ 971 return deflate_global(data, size, 1, out); 972} 973