xform_gmac.c revision 290924
1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50#include <sys/cdefs.h> 51__FBSDID("$FreeBSD: head/sys/opencrypto/xform.c 290924 2015-11-16 07:10:42Z ae $"); 52 53#include <sys/param.h> 54#include <sys/systm.h> 55#include <sys/malloc.h> 56#include <sys/sysctl.h> 57#include <sys/errno.h> 58#include <sys/time.h> 59#include <sys/kernel.h> 60#include <machine/cpu.h> 61 62#include <crypto/blowfish/blowfish.h> 63#include <crypto/des/des.h> 64#include <crypto/rijndael/rijndael.h> 65#include <crypto/camellia/camellia.h> 66#include <crypto/sha1.h> 67 68#include <opencrypto/cast.h> 69#include <opencrypto/deflate.h> 70#include <opencrypto/rmd160.h> 71#include <opencrypto/skipjack.h> 72 73#include <sys/md5.h> 74 75#include <opencrypto/cryptodev.h> 76#include <opencrypto/xform.h> 77 78static int null_setkey(u_int8_t **, u_int8_t *, int); 79static int des1_setkey(u_int8_t **, u_int8_t *, int); 80static int des3_setkey(u_int8_t **, u_int8_t *, int); 81static int blf_setkey(u_int8_t **, u_int8_t *, int); 82static int cast5_setkey(u_int8_t **, u_int8_t *, int); 83static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 84static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 85static int aes_icm_setkey(u_int8_t **, u_int8_t *, int); 86static int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 87static int cml_setkey(u_int8_t **, u_int8_t *, int); 88 89static void null_encrypt(caddr_t, u_int8_t *); 90static void des1_encrypt(caddr_t, u_int8_t *); 91static void des3_encrypt(caddr_t, u_int8_t *); 92static void blf_encrypt(caddr_t, u_int8_t *); 93static void cast5_encrypt(caddr_t, u_int8_t *); 94static void skipjack_encrypt(caddr_t, u_int8_t *); 95static void rijndael128_encrypt(caddr_t, u_int8_t *); 96static void aes_xts_encrypt(caddr_t, u_int8_t *); 97static void cml_encrypt(caddr_t, u_int8_t *); 98 99static void null_decrypt(caddr_t, u_int8_t *); 100static void des1_decrypt(caddr_t, u_int8_t *); 101static void des3_decrypt(caddr_t, u_int8_t *); 102static void blf_decrypt(caddr_t, u_int8_t *); 103static void cast5_decrypt(caddr_t, u_int8_t *); 104static void skipjack_decrypt(caddr_t, u_int8_t *); 105static void rijndael128_decrypt(caddr_t, u_int8_t *); 106static void aes_xts_decrypt(caddr_t, u_int8_t *); 107static void cml_decrypt(caddr_t, u_int8_t *); 108 109static void aes_icm_crypt(caddr_t, u_int8_t *); 110 111static void null_zerokey(u_int8_t **); 112static void des1_zerokey(u_int8_t **); 113static void des3_zerokey(u_int8_t **); 114static void blf_zerokey(u_int8_t **); 115static void cast5_zerokey(u_int8_t **); 116static void skipjack_zerokey(u_int8_t **); 117static void rijndael128_zerokey(u_int8_t **); 118static void aes_icm_zerokey(u_int8_t **); 119static void aes_xts_zerokey(u_int8_t **); 120static void cml_zerokey(u_int8_t **); 121 122static void aes_icm_reinit(caddr_t, u_int8_t *); 123static void aes_xts_reinit(caddr_t, u_int8_t *); 124static void aes_gcm_reinit(caddr_t, u_int8_t *); 125 126static void null_init(void *); 127static void null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len); 128static int null_update(void *, const u_int8_t *, u_int16_t); 129static void null_final(u_int8_t *, void *); 130static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 131static void SHA1Init_int(void *); 132static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 133static void SHA1Final_int(u_int8_t *, void *); 134static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 135static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 136static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 137static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 138 139static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 140static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 141 142#define AESICM_BLOCKSIZE AES_BLOCK_LEN 143 144struct aes_icm_ctx { 145 u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; 146 /* ac_block is initalized to IV */ 147 u_int8_t ac_block[AESICM_BLOCKSIZE]; 148 int ac_nr; 149}; 150 151MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 152 153/* Encryption instances */ 154struct enc_xform enc_xform_null = { 155 CRYPTO_NULL_CBC, "NULL", 156 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 157 NULL_BLOCK_LEN, 0, NULL_MIN_KEY, NULL_MAX_KEY, 158 null_encrypt, 159 null_decrypt, 160 null_setkey, 161 null_zerokey, 162 NULL, 163}; 164 165struct enc_xform enc_xform_des = { 166 CRYPTO_DES_CBC, "DES", 167 DES_BLOCK_LEN, DES_BLOCK_LEN, DES_MIN_KEY, DES_MAX_KEY, 168 des1_encrypt, 169 des1_decrypt, 170 des1_setkey, 171 des1_zerokey, 172 NULL, 173}; 174 175struct enc_xform enc_xform_3des = { 176 CRYPTO_3DES_CBC, "3DES", 177 DES3_BLOCK_LEN, DES3_BLOCK_LEN, TRIPLE_DES_MIN_KEY, 178 TRIPLE_DES_MAX_KEY, 179 des3_encrypt, 180 des3_decrypt, 181 des3_setkey, 182 des3_zerokey, 183 NULL, 184}; 185 186struct enc_xform enc_xform_blf = { 187 CRYPTO_BLF_CBC, "Blowfish", 188 BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, BLOWFISH_MIN_KEY, 189 BLOWFISH_MAX_KEY, 190 blf_encrypt, 191 blf_decrypt, 192 blf_setkey, 193 blf_zerokey, 194 NULL, 195}; 196 197struct enc_xform enc_xform_cast5 = { 198 CRYPTO_CAST_CBC, "CAST-128", 199 CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, CAST_MIN_KEY, CAST_MAX_KEY, 200 cast5_encrypt, 201 cast5_decrypt, 202 cast5_setkey, 203 cast5_zerokey, 204 NULL, 205}; 206 207struct enc_xform enc_xform_skipjack = { 208 CRYPTO_SKIPJACK_CBC, "Skipjack", 209 SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, SKIPJACK_MIN_KEY, 210 SKIPJACK_MAX_KEY, 211 skipjack_encrypt, 212 skipjack_decrypt, skipjack_setkey, 213 skipjack_zerokey, 214 NULL, 215}; 216 217struct enc_xform enc_xform_rijndael128 = { 218 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 219 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, RIJNDAEL_MIN_KEY, 220 RIJNDAEL_MAX_KEY, 221 rijndael128_encrypt, 222 rijndael128_decrypt, 223 rijndael128_setkey, 224 rijndael128_zerokey, 225 NULL, 226}; 227 228struct enc_xform enc_xform_aes_icm = { 229 CRYPTO_AES_ICM, "AES-ICM", 230 AES_BLOCK_LEN, AES_BLOCK_LEN, AES_MIN_KEY, AES_MAX_KEY, 231 aes_icm_crypt, 232 aes_icm_crypt, 233 aes_icm_setkey, 234 rijndael128_zerokey, 235 aes_icm_reinit, 236}; 237 238struct enc_xform enc_xform_aes_nist_gcm = { 239 CRYPTO_AES_NIST_GCM_16, "AES-GCM", 240 AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY, 241 aes_icm_crypt, 242 aes_icm_crypt, 243 aes_icm_setkey, 244 aes_icm_zerokey, 245 aes_gcm_reinit, 246}; 247 248struct enc_xform enc_xform_aes_nist_gmac = { 249 CRYPTO_AES_NIST_GMAC, "AES-GMAC", 250 AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY, 251 NULL, 252 NULL, 253 NULL, 254 NULL, 255 NULL, 256}; 257 258struct enc_xform enc_xform_aes_xts = { 259 CRYPTO_AES_XTS, "AES-XTS", 260 AES_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY, AES_XTS_MAX_KEY, 261 aes_xts_encrypt, 262 aes_xts_decrypt, 263 aes_xts_setkey, 264 aes_xts_zerokey, 265 aes_xts_reinit 266}; 267 268struct enc_xform enc_xform_arc4 = { 269 CRYPTO_ARC4, "ARC4", 270 ARC4_BLOCK_LEN, ARC4_IV_LEN, ARC4_MIN_KEY, ARC4_MAX_KEY, 271 NULL, 272 NULL, 273 NULL, 274 NULL, 275 NULL, 276}; 277 278struct enc_xform enc_xform_camellia = { 279 CRYPTO_CAMELLIA_CBC, "Camellia", 280 CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, CAMELLIA_MIN_KEY, 281 CAMELLIA_MAX_KEY, 282 cml_encrypt, 283 cml_decrypt, 284 cml_setkey, 285 cml_zerokey, 286 NULL, 287}; 288 289/* Authentication instances */ 290struct auth_hash auth_hash_null = { /* NB: context isn't used */ 291 CRYPTO_NULL_HMAC, "NULL-HMAC", 292 NULL_HMAC_KEY_LEN, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN, 293 null_init, null_reinit, null_reinit, null_update, null_final 294}; 295 296struct auth_hash auth_hash_hmac_md5 = { 297 CRYPTO_MD5_HMAC, "HMAC-MD5", 298 MD5_HMAC_KEY_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN, 299 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 300 (void (*) (u_int8_t *, void *)) MD5Final 301}; 302 303struct auth_hash auth_hash_hmac_sha1 = { 304 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 305 SHA1_HMAC_KEY_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN, 306 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 307}; 308 309struct auth_hash auth_hash_hmac_ripemd_160 = { 310 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 311 RIPEMD160_HMAC_KEY_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), 312 RIPEMD160_HMAC_BLOCK_LEN, 313 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 314 (void (*)(u_int8_t *, void *)) RMD160Final 315}; 316 317struct auth_hash auth_hash_key_md5 = { 318 CRYPTO_MD5_KPDK, "Keyed MD5", 319 NULL_HMAC_KEY_LEN, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0, 320 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 321 (void (*)(u_int8_t *, void *)) MD5Final 322}; 323 324struct auth_hash auth_hash_key_sha1 = { 325 CRYPTO_SHA1_KPDK, "Keyed SHA1", 326 NULL_HMAC_KEY_LEN, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0, 327 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 328}; 329 330struct auth_hash auth_hash_hmac_sha2_256 = { 331 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 332 SHA2_256_HMAC_KEY_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), 333 SHA2_256_HMAC_BLOCK_LEN, 334 (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, 335 (void (*)(u_int8_t *, void *)) SHA256_Final 336}; 337 338struct auth_hash auth_hash_hmac_sha2_384 = { 339 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 340 SHA2_384_HMAC_KEY_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), 341 SHA2_384_HMAC_BLOCK_LEN, 342 (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, 343 (void (*)(u_int8_t *, void *)) SHA384_Final 344}; 345 346struct auth_hash auth_hash_hmac_sha2_512 = { 347 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 348 SHA2_512_HMAC_KEY_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), 349 SHA2_512_HMAC_BLOCK_LEN, 350 (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, 351 (void (*)(u_int8_t *, void *)) SHA512_Final 352}; 353 354struct auth_hash auth_hash_nist_gmac_aes_128 = { 355 CRYPTO_AES_128_NIST_GMAC, "GMAC-AES-128", 356 AES_128_GMAC_KEY_LEN, AES_GMAC_HASH_LEN, sizeof(struct aes_gmac_ctx), 357 GMAC_BLOCK_LEN, 358 (void (*)(void *)) AES_GMAC_Init, 359 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 360 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 361 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 362 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 363}; 364 365struct auth_hash auth_hash_nist_gmac_aes_192 = { 366 CRYPTO_AES_192_NIST_GMAC, "GMAC-AES-192", 367 AES_192_GMAC_KEY_LEN, AES_GMAC_HASH_LEN, sizeof(struct aes_gmac_ctx), 368 GMAC_BLOCK_LEN, 369 (void (*)(void *)) AES_GMAC_Init, 370 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 371 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 372 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 373 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 374}; 375 376struct auth_hash auth_hash_nist_gmac_aes_256 = { 377 CRYPTO_AES_256_NIST_GMAC, "GMAC-AES-256", 378 AES_256_GMAC_KEY_LEN, AES_GMAC_HASH_LEN, sizeof(struct aes_gmac_ctx), 379 GMAC_BLOCK_LEN, 380 (void (*)(void *)) AES_GMAC_Init, 381 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 382 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 383 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 384 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 385}; 386 387/* Compression instance */ 388struct comp_algo comp_algo_deflate = { 389 CRYPTO_DEFLATE_COMP, "Deflate", 390 90, deflate_compress, 391 deflate_decompress 392}; 393 394/* 395 * Encryption wrapper routines. 396 */ 397static void 398null_encrypt(caddr_t key, u_int8_t *blk) 399{ 400} 401static void 402null_decrypt(caddr_t key, u_int8_t *blk) 403{ 404} 405static int 406null_setkey(u_int8_t **sched, u_int8_t *key, int len) 407{ 408 *sched = NULL; 409 return 0; 410} 411static void 412null_zerokey(u_int8_t **sched) 413{ 414 *sched = NULL; 415} 416 417static void 418des1_encrypt(caddr_t key, u_int8_t *blk) 419{ 420 des_cblock *cb = (des_cblock *) blk; 421 des_key_schedule *p = (des_key_schedule *) key; 422 423 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 424} 425 426static void 427des1_decrypt(caddr_t key, u_int8_t *blk) 428{ 429 des_cblock *cb = (des_cblock *) blk; 430 des_key_schedule *p = (des_key_schedule *) key; 431 432 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 433} 434 435static int 436des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 437{ 438 des_key_schedule *p; 439 int err; 440 441 p = malloc(sizeof (des_key_schedule), 442 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 443 if (p != NULL) { 444 des_set_key((des_cblock *) key, p[0]); 445 err = 0; 446 } else 447 err = ENOMEM; 448 *sched = (u_int8_t *) p; 449 return err; 450} 451 452static void 453des1_zerokey(u_int8_t **sched) 454{ 455 bzero(*sched, sizeof (des_key_schedule)); 456 free(*sched, M_CRYPTO_DATA); 457 *sched = NULL; 458} 459 460static void 461des3_encrypt(caddr_t key, u_int8_t *blk) 462{ 463 des_cblock *cb = (des_cblock *) blk; 464 des_key_schedule *p = (des_key_schedule *) key; 465 466 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 467} 468 469static void 470des3_decrypt(caddr_t key, u_int8_t *blk) 471{ 472 des_cblock *cb = (des_cblock *) blk; 473 des_key_schedule *p = (des_key_schedule *) key; 474 475 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 476} 477 478static int 479des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 480{ 481 des_key_schedule *p; 482 int err; 483 484 p = malloc(3*sizeof (des_key_schedule), 485 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 486 if (p != NULL) { 487 des_set_key((des_cblock *)(key + 0), p[0]); 488 des_set_key((des_cblock *)(key + 8), p[1]); 489 des_set_key((des_cblock *)(key + 16), p[2]); 490 err = 0; 491 } else 492 err = ENOMEM; 493 *sched = (u_int8_t *) p; 494 return err; 495} 496 497static void 498des3_zerokey(u_int8_t **sched) 499{ 500 bzero(*sched, 3*sizeof (des_key_schedule)); 501 free(*sched, M_CRYPTO_DATA); 502 *sched = NULL; 503} 504 505static void 506blf_encrypt(caddr_t key, u_int8_t *blk) 507{ 508 BF_LONG t[2]; 509 510 memcpy(t, blk, sizeof (t)); 511 t[0] = ntohl(t[0]); 512 t[1] = ntohl(t[1]); 513 /* NB: BF_encrypt expects the block in host order! */ 514 BF_encrypt(t, (BF_KEY *) key); 515 t[0] = htonl(t[0]); 516 t[1] = htonl(t[1]); 517 memcpy(blk, t, sizeof (t)); 518} 519 520static void 521blf_decrypt(caddr_t key, u_int8_t *blk) 522{ 523 BF_LONG t[2]; 524 525 memcpy(t, blk, sizeof (t)); 526 t[0] = ntohl(t[0]); 527 t[1] = ntohl(t[1]); 528 /* NB: BF_decrypt expects the block in host order! */ 529 BF_decrypt(t, (BF_KEY *) key); 530 t[0] = htonl(t[0]); 531 t[1] = htonl(t[1]); 532 memcpy(blk, t, sizeof (t)); 533} 534 535static int 536blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 537{ 538 int err; 539 540 *sched = malloc(sizeof(BF_KEY), 541 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 542 if (*sched != NULL) { 543 BF_set_key((BF_KEY *) *sched, len, key); 544 err = 0; 545 } else 546 err = ENOMEM; 547 return err; 548} 549 550static void 551blf_zerokey(u_int8_t **sched) 552{ 553 bzero(*sched, sizeof(BF_KEY)); 554 free(*sched, M_CRYPTO_DATA); 555 *sched = NULL; 556} 557 558static void 559cast5_encrypt(caddr_t key, u_int8_t *blk) 560{ 561 cast_encrypt((cast_key *) key, blk, blk); 562} 563 564static void 565cast5_decrypt(caddr_t key, u_int8_t *blk) 566{ 567 cast_decrypt((cast_key *) key, blk, blk); 568} 569 570static int 571cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 572{ 573 int err; 574 575 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 576 if (*sched != NULL) { 577 cast_setkey((cast_key *)*sched, key, len); 578 err = 0; 579 } else 580 err = ENOMEM; 581 return err; 582} 583 584static void 585cast5_zerokey(u_int8_t **sched) 586{ 587 bzero(*sched, sizeof(cast_key)); 588 free(*sched, M_CRYPTO_DATA); 589 *sched = NULL; 590} 591 592static void 593skipjack_encrypt(caddr_t key, u_int8_t *blk) 594{ 595 skipjack_forwards(blk, blk, (u_int8_t **) key); 596} 597 598static void 599skipjack_decrypt(caddr_t key, u_int8_t *blk) 600{ 601 skipjack_backwards(blk, blk, (u_int8_t **) key); 602} 603 604static int 605skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 606{ 607 int err; 608 609 /* NB: allocate all the memory that's needed at once */ 610 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 611 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 612 if (*sched != NULL) { 613 u_int8_t** key_tables = (u_int8_t**) *sched; 614 u_int8_t* table = (u_int8_t*) &key_tables[10]; 615 int k; 616 617 for (k = 0; k < 10; k++) { 618 key_tables[k] = table; 619 table += 0x100; 620 } 621 subkey_table_gen(key, (u_int8_t **) *sched); 622 err = 0; 623 } else 624 err = ENOMEM; 625 return err; 626} 627 628static void 629skipjack_zerokey(u_int8_t **sched) 630{ 631 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 632 free(*sched, M_CRYPTO_DATA); 633 *sched = NULL; 634} 635 636static void 637rijndael128_encrypt(caddr_t key, u_int8_t *blk) 638{ 639 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 640} 641 642static void 643rijndael128_decrypt(caddr_t key, u_int8_t *blk) 644{ 645 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 646 (u_char *) blk); 647} 648 649static int 650rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 651{ 652 int err; 653 654 if (len != 16 && len != 24 && len != 32) 655 return (EINVAL); 656 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 657 M_NOWAIT|M_ZERO); 658 if (*sched != NULL) { 659 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 660 len * 8); 661 err = 0; 662 } else 663 err = ENOMEM; 664 return err; 665} 666 667static void 668rijndael128_zerokey(u_int8_t **sched) 669{ 670 bzero(*sched, sizeof(rijndael_ctx)); 671 free(*sched, M_CRYPTO_DATA); 672 *sched = NULL; 673} 674 675void 676aes_icm_reinit(caddr_t key, u_int8_t *iv) 677{ 678 struct aes_icm_ctx *ctx; 679 680 ctx = (struct aes_icm_ctx *)key; 681 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE); 682} 683 684void 685aes_gcm_reinit(caddr_t key, u_int8_t *iv) 686{ 687 struct aes_icm_ctx *ctx; 688 689 aes_icm_reinit(key, iv); 690 691 ctx = (struct aes_icm_ctx *)key; 692 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 693 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4); 694 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2; 695} 696 697void 698aes_icm_crypt(caddr_t key, u_int8_t *data) 699{ 700 struct aes_icm_ctx *ctx; 701 u_int8_t keystream[AESICM_BLOCKSIZE]; 702 int i; 703 704 ctx = (struct aes_icm_ctx *)key; 705 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 706 for (i = 0; i < AESICM_BLOCKSIZE; i++) 707 data[i] ^= keystream[i]; 708 explicit_bzero(keystream, sizeof(keystream)); 709 710 /* increment counter */ 711 for (i = AESICM_BLOCKSIZE - 1; 712 i >= 0; i--) 713 if (++ctx->ac_block[i]) /* continue on overflow */ 714 break; 715} 716 717int 718aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len) 719{ 720 struct aes_icm_ctx *ctx; 721 722 if (len != 16 && len != 24 && len != 32) 723 return EINVAL; 724 725 *sched = malloc(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA, 726 M_NOWAIT | M_ZERO); 727 if (*sched == NULL) 728 return ENOMEM; 729 730 ctx = (struct aes_icm_ctx *)*sched; 731 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, len * 8); 732 return 0; 733} 734 735void 736aes_icm_zerokey(u_int8_t **sched) 737{ 738 739 bzero(*sched, sizeof(struct aes_icm_ctx)); 740 free(*sched, M_CRYPTO_DATA); 741 *sched = NULL; 742} 743 744#define AES_XTS_BLOCKSIZE 16 745#define AES_XTS_IVSIZE 8 746#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 747 748struct aes_xts_ctx { 749 rijndael_ctx key1; 750 rijndael_ctx key2; 751 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 752}; 753 754void 755aes_xts_reinit(caddr_t key, u_int8_t *iv) 756{ 757 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 758 u_int64_t blocknum; 759 u_int i; 760 761 /* 762 * Prepare tweak as E_k2(IV). IV is specified as LE representation 763 * of a 64-bit block number which we allow to be passed in directly. 764 */ 765 bcopy(iv, &blocknum, AES_XTS_IVSIZE); 766 for (i = 0; i < AES_XTS_IVSIZE; i++) { 767 ctx->tweak[i] = blocknum & 0xff; 768 blocknum >>= 8; 769 } 770 /* Last 64 bits of IV are always zero */ 771 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 772 773 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 774} 775 776static void 777aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 778{ 779 u_int8_t block[AES_XTS_BLOCKSIZE]; 780 u_int i, carry_in, carry_out; 781 782 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 783 block[i] = data[i] ^ ctx->tweak[i]; 784 785 if (do_encrypt) 786 rijndael_encrypt(&ctx->key1, block, data); 787 else 788 rijndael_decrypt(&ctx->key1, block, data); 789 790 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 791 data[i] ^= ctx->tweak[i]; 792 793 /* Exponentiate tweak */ 794 carry_in = 0; 795 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 796 carry_out = ctx->tweak[i] & 0x80; 797 ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0); 798 carry_in = carry_out; 799 } 800 if (carry_in) 801 ctx->tweak[0] ^= AES_XTS_ALPHA; 802 bzero(block, sizeof(block)); 803} 804 805void 806aes_xts_encrypt(caddr_t key, u_int8_t *data) 807{ 808 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 809} 810 811void 812aes_xts_decrypt(caddr_t key, u_int8_t *data) 813{ 814 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 815} 816 817int 818aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 819{ 820 struct aes_xts_ctx *ctx; 821 822 if (len != 32 && len != 64) 823 return EINVAL; 824 825 *sched = malloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 826 M_NOWAIT | M_ZERO); 827 if (*sched == NULL) 828 return ENOMEM; 829 ctx = (struct aes_xts_ctx *)*sched; 830 831 rijndael_set_key(&ctx->key1, key, len * 4); 832 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 833 834 return 0; 835} 836 837void 838aes_xts_zerokey(u_int8_t **sched) 839{ 840 bzero(*sched, sizeof(struct aes_xts_ctx)); 841 free(*sched, M_CRYPTO_DATA); 842 *sched = NULL; 843} 844 845static void 846cml_encrypt(caddr_t key, u_int8_t *blk) 847{ 848 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 849} 850 851static void 852cml_decrypt(caddr_t key, u_int8_t *blk) 853{ 854 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 855 (u_char *) blk); 856} 857 858static int 859cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 860{ 861 int err; 862 863 if (len != 16 && len != 24 && len != 32) 864 return (EINVAL); 865 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 866 M_NOWAIT|M_ZERO); 867 if (*sched != NULL) { 868 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 869 len * 8); 870 err = 0; 871 } else 872 err = ENOMEM; 873 return err; 874} 875 876static void 877cml_zerokey(u_int8_t **sched) 878{ 879 bzero(*sched, sizeof(camellia_ctx)); 880 free(*sched, M_CRYPTO_DATA); 881 *sched = NULL; 882} 883 884/* 885 * And now for auth. 886 */ 887 888static void 889null_init(void *ctx) 890{ 891} 892 893static void 894null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len) 895{ 896} 897 898static int 899null_update(void *ctx, const u_int8_t *buf, u_int16_t len) 900{ 901 return 0; 902} 903 904static void 905null_final(u_int8_t *buf, void *ctx) 906{ 907 if (buf != (u_int8_t *) 0) 908 bzero(buf, 12); 909} 910 911static int 912RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 913{ 914 RMD160Update(ctx, buf, len); 915 return 0; 916} 917 918static int 919MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 920{ 921 MD5Update(ctx, buf, len); 922 return 0; 923} 924 925static void 926SHA1Init_int(void *ctx) 927{ 928 SHA1Init(ctx); 929} 930 931static int 932SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 933{ 934 SHA1Update(ctx, buf, len); 935 return 0; 936} 937 938static void 939SHA1Final_int(u_int8_t *blk, void *ctx) 940{ 941 SHA1Final(blk, ctx); 942} 943 944static int 945SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 946{ 947 SHA256_Update(ctx, buf, len); 948 return 0; 949} 950 951static int 952SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 953{ 954 SHA384_Update(ctx, buf, len); 955 return 0; 956} 957 958static int 959SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 960{ 961 SHA512_Update(ctx, buf, len); 962 return 0; 963} 964 965/* 966 * And compression 967 */ 968 969static u_int32_t 970deflate_compress(data, size, out) 971 u_int8_t *data; 972 u_int32_t size; 973 u_int8_t **out; 974{ 975 return deflate_global(data, size, 0, out); 976} 977 978static u_int32_t 979deflate_decompress(data, size, out) 980 u_int8_t *data; 981 u_int32_t size; 982 u_int8_t **out; 983{ 984 return deflate_global(data, size, 1, out); 985} 986