xform.c revision 247061
1264790Sbapt/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2264790Sbapt/*- 3264790Sbapt * The authors of this code are John Ioannidis (ji@tla.org), 4264790Sbapt * Angelos D. Keromytis (kermit@csd.uch.gr), 5264790Sbapt * Niels Provos (provos@physnet.uni-hamburg.de) and 6264790Sbapt * Damien Miller (djm@mindrot.org). 7264790Sbapt * 8264790Sbapt * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9264790Sbapt * in November 1995. 10264790Sbapt * 11264790Sbapt * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12264790Sbapt * by Angelos D. Keromytis. 13264790Sbapt * 14264790Sbapt * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15264790Sbapt * and Niels Provos. 16264790Sbapt * 17264790Sbapt * Additional features in 1999 by Angelos D. Keromytis. 18264790Sbapt * 19264790Sbapt * AES XTS implementation in 2008 by Damien Miller 20264790Sbapt * 21264790Sbapt * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22264790Sbapt * Angelos D. Keromytis and Niels Provos. 23264790Sbapt * 24264790Sbapt * Copyright (C) 2001, Angelos D. Keromytis. 25264790Sbapt * 26264790Sbapt * Copyright (C) 2008, Damien Miller 27264790Sbapt * 28264790Sbapt * Permission to use, copy, and modify this software with or without fee 29264790Sbapt * is hereby granted, provided that this entire notice is included in 30264790Sbapt * all copies of any software which is or includes a copy or 31264790Sbapt * modification of this software. 32264790Sbapt * You may use this code under the GNU public license if you so wish. Please 33264790Sbapt * contribute changes back to the authors under this freer than GPL license 34264790Sbapt * so that we may further the use of strong encryption without limitations to 35264790Sbapt * all. 36264790Sbapt * 37264790Sbapt * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 38264790Sbapt * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 39264790Sbapt * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 40264790Sbapt * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 41264790Sbapt * PURPOSE. 42264790Sbapt */ 43264790Sbapt 44264790Sbapt#include <sys/cdefs.h> 45264790Sbapt__FBSDID("$FreeBSD: head/sys/opencrypto/xform.c 247061 2013-02-20 22:59:53Z pjd $"); 46264790Sbapt 47264790Sbapt#include <sys/param.h> 48264790Sbapt#include <sys/systm.h> 49264790Sbapt#include <sys/malloc.h> 50264790Sbapt#include <sys/sysctl.h> 51264790Sbapt#include <sys/errno.h> 52264790Sbapt#include <sys/time.h> 53264790Sbapt#include <sys/kernel.h> 54264790Sbapt#include <machine/cpu.h> 55264790Sbapt 56264790Sbapt#include <crypto/blowfish/blowfish.h> 57264790Sbapt#include <crypto/des/des.h> 58264790Sbapt#include <crypto/rijndael/rijndael.h> 59264790Sbapt#include <crypto/camellia/camellia.h> 60264790Sbapt#include <crypto/sha1.h> 61264790Sbapt 62264790Sbapt#include <opencrypto/cast.h> 63264790Sbapt#include <opencrypto/deflate.h> 64264790Sbapt#include <opencrypto/rmd160.h> 65264790Sbapt#include <opencrypto/skipjack.h> 66264790Sbapt 67264790Sbapt#include <sys/md5.h> 68264790Sbapt 69264790Sbapt#include <opencrypto/cryptodev.h> 70264790Sbapt#include <opencrypto/xform.h> 71264790Sbapt 72264790Sbaptstatic int null_setkey(u_int8_t **, u_int8_t *, int); 73264790Sbaptstatic int des1_setkey(u_int8_t **, u_int8_t *, int); 74264790Sbaptstatic int des3_setkey(u_int8_t **, u_int8_t *, int); 75264790Sbaptstatic int blf_setkey(u_int8_t **, u_int8_t *, int); 76264790Sbaptstatic int cast5_setkey(u_int8_t **, u_int8_t *, int); 77264790Sbaptstatic int skipjack_setkey(u_int8_t **, u_int8_t *, int); 78264790Sbaptstatic int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 79264790Sbaptstatic int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 80264790Sbaptstatic int cml_setkey(u_int8_t **, u_int8_t *, int); 81264790Sbapt 82264790Sbaptstatic void null_encrypt(caddr_t, u_int8_t *); 83264790Sbaptstatic void des1_encrypt(caddr_t, u_int8_t *); 84264790Sbaptstatic void des3_encrypt(caddr_t, u_int8_t *); 85264790Sbaptstatic void blf_encrypt(caddr_t, u_int8_t *); 86264790Sbaptstatic void cast5_encrypt(caddr_t, u_int8_t *); 87264790Sbaptstatic void skipjack_encrypt(caddr_t, u_int8_t *); 88264790Sbaptstatic void rijndael128_encrypt(caddr_t, u_int8_t *); 89264790Sbaptstatic void aes_xts_encrypt(caddr_t, u_int8_t *); 90264790Sbaptstatic void cml_encrypt(caddr_t, u_int8_t *); 91264790Sbapt 92264790Sbaptstatic void null_decrypt(caddr_t, u_int8_t *); 93264790Sbaptstatic void des1_decrypt(caddr_t, u_int8_t *); 94264790Sbaptstatic void des3_decrypt(caddr_t, u_int8_t *); 95264790Sbaptstatic void blf_decrypt(caddr_t, u_int8_t *); 96264790Sbaptstatic void cast5_decrypt(caddr_t, u_int8_t *); 97264790Sbaptstatic void skipjack_decrypt(caddr_t, u_int8_t *); 98264790Sbaptstatic void rijndael128_decrypt(caddr_t, u_int8_t *); 99264790Sbaptstatic void aes_xts_decrypt(caddr_t, u_int8_t *); 100264790Sbaptstatic void cml_decrypt(caddr_t, u_int8_t *); 101264790Sbapt 102264790Sbaptstatic void null_zerokey(u_int8_t **); 103264790Sbaptstatic void des1_zerokey(u_int8_t **); 104264790Sbaptstatic void des3_zerokey(u_int8_t **); 105264790Sbaptstatic void blf_zerokey(u_int8_t **); 106264790Sbaptstatic void cast5_zerokey(u_int8_t **); 107264790Sbaptstatic void skipjack_zerokey(u_int8_t **); 108264790Sbaptstatic void rijndael128_zerokey(u_int8_t **); 109264790Sbaptstatic void aes_xts_zerokey(u_int8_t **); 110264790Sbaptstatic void cml_zerokey(u_int8_t **); 111264790Sbapt 112264790Sbaptstatic void aes_xts_reinit(caddr_t, u_int8_t *); 113264790Sbapt 114264790Sbaptstatic void null_init(void *); 115264790Sbaptstatic int null_update(void *, u_int8_t *, u_int16_t); 116264790Sbaptstatic void null_final(u_int8_t *, void *); 117264790Sbaptstatic int MD5Update_int(void *, u_int8_t *, u_int16_t); 118264790Sbaptstatic void SHA1Init_int(void *); 119264790Sbaptstatic int SHA1Update_int(void *, u_int8_t *, u_int16_t); 120264790Sbaptstatic void SHA1Final_int(u_int8_t *, void *); 121264790Sbaptstatic int RMD160Update_int(void *, u_int8_t *, u_int16_t); 122264790Sbaptstatic int SHA256Update_int(void *, u_int8_t *, u_int16_t); 123264790Sbaptstatic int SHA384Update_int(void *, u_int8_t *, u_int16_t); 124264790Sbaptstatic int SHA512Update_int(void *, u_int8_t *, u_int16_t); 125264790Sbapt 126264790Sbaptstatic u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 127264790Sbaptstatic u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 128264790Sbapt 129264790SbaptMALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 130264790Sbapt 131264790Sbapt/* Encryption instances */ 132264790Sbaptstruct enc_xform enc_xform_null = { 133264790Sbapt CRYPTO_NULL_CBC, "NULL", 134264790Sbapt /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 135264790Sbapt NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 136264790Sbapt null_encrypt, 137264790Sbapt null_decrypt, 138264790Sbapt null_setkey, 139264790Sbapt null_zerokey, 140264790Sbapt NULL 141264790Sbapt}; 142264790Sbapt 143264790Sbaptstruct enc_xform enc_xform_des = { 144264790Sbapt CRYPTO_DES_CBC, "DES", 145264790Sbapt DES_BLOCK_LEN, 8, 8, 146264790Sbapt des1_encrypt, 147264790Sbapt des1_decrypt, 148264790Sbapt des1_setkey, 149264790Sbapt des1_zerokey, 150264790Sbapt NULL 151264790Sbapt}; 152264790Sbapt 153264790Sbaptstruct enc_xform enc_xform_3des = { 154264790Sbapt CRYPTO_3DES_CBC, "3DES", 155264790Sbapt DES3_BLOCK_LEN, 24, 24, 156264790Sbapt des3_encrypt, 157264790Sbapt des3_decrypt, 158264790Sbapt des3_setkey, 159264790Sbapt des3_zerokey, 160264790Sbapt NULL 161264790Sbapt}; 162264790Sbapt 163264790Sbaptstruct enc_xform enc_xform_blf = { 164264790Sbapt CRYPTO_BLF_CBC, "Blowfish", 165264790Sbapt BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 166264790Sbapt blf_encrypt, 167264790Sbapt blf_decrypt, 168264790Sbapt blf_setkey, 169264790Sbapt blf_zerokey, 170264790Sbapt NULL 171264790Sbapt}; 172264790Sbapt 173264790Sbaptstruct enc_xform enc_xform_cast5 = { 174264790Sbapt CRYPTO_CAST_CBC, "CAST-128", 175264790Sbapt CAST128_BLOCK_LEN, 5, 16, 176264790Sbapt cast5_encrypt, 177264790Sbapt cast5_decrypt, 178264790Sbapt cast5_setkey, 179264790Sbapt cast5_zerokey, 180264790Sbapt NULL 181264790Sbapt}; 182264790Sbapt 183264790Sbaptstruct enc_xform enc_xform_skipjack = { 184264790Sbapt CRYPTO_SKIPJACK_CBC, "Skipjack", 185264790Sbapt SKIPJACK_BLOCK_LEN, 10, 10, 186264790Sbapt skipjack_encrypt, 187264790Sbapt skipjack_decrypt, 188264790Sbapt skipjack_setkey, 189264790Sbapt skipjack_zerokey, 190264790Sbapt NULL 191264790Sbapt}; 192264790Sbapt 193264790Sbaptstruct enc_xform enc_xform_rijndael128 = { 194264790Sbapt CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 195264790Sbapt RIJNDAEL128_BLOCK_LEN, 8, 32, 196264790Sbapt rijndael128_encrypt, 197264790Sbapt rijndael128_decrypt, 198264790Sbapt rijndael128_setkey, 199264790Sbapt rijndael128_zerokey, 200264790Sbapt NULL 201264790Sbapt}; 202264790Sbapt 203264790Sbaptstruct enc_xform enc_xform_aes_xts = { 204264790Sbapt CRYPTO_AES_XTS, "AES-XTS", 205264790Sbapt RIJNDAEL128_BLOCK_LEN, 32, 64, 206264790Sbapt aes_xts_encrypt, 207264790Sbapt aes_xts_decrypt, 208264790Sbapt aes_xts_setkey, 209264790Sbapt aes_xts_zerokey, 210264790Sbapt aes_xts_reinit 211264790Sbapt}; 212264790Sbapt 213264790Sbaptstruct enc_xform enc_xform_arc4 = { 214264790Sbapt CRYPTO_ARC4, "ARC4", 215264790Sbapt 1, 1, 32, 216264790Sbapt NULL, 217264790Sbapt NULL, 218264790Sbapt NULL, 219264790Sbapt NULL, 220264790Sbapt NULL 221264790Sbapt}; 222264790Sbapt 223264790Sbaptstruct enc_xform enc_xform_camellia = { 224264790Sbapt CRYPTO_CAMELLIA_CBC, "Camellia", 225264790Sbapt CAMELLIA_BLOCK_LEN, 8, 32, 226264790Sbapt cml_encrypt, 227264790Sbapt cml_decrypt, 228264790Sbapt cml_setkey, 229264790Sbapt cml_zerokey, 230264790Sbapt NULL 231264790Sbapt}; 232264790Sbapt 233264790Sbapt/* Authentication instances */ 234264790Sbaptstruct auth_hash auth_hash_null = { 235264790Sbapt CRYPTO_NULL_HMAC, "NULL-HMAC", 236264790Sbapt 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */ 237264790Sbapt null_init, null_update, null_final 238264790Sbapt}; 239264790Sbapt 240264790Sbaptstruct auth_hash auth_hash_hmac_md5 = { 241264790Sbapt CRYPTO_MD5_HMAC, "HMAC-MD5", 242264790Sbapt 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX), 243264790Sbapt (void (*) (void *)) MD5Init, MD5Update_int, 244264790Sbapt (void (*) (u_int8_t *, void *)) MD5Final 245264790Sbapt}; 246264790Sbapt 247264790Sbaptstruct auth_hash auth_hash_hmac_sha1 = { 248264790Sbapt CRYPTO_SHA1_HMAC, "HMAC-SHA1", 249264790Sbapt 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX), 250264790Sbapt SHA1Init_int, SHA1Update_int, SHA1Final_int 251264790Sbapt}; 252264790Sbapt 253264790Sbaptstruct auth_hash auth_hash_hmac_ripemd_160 = { 254264790Sbapt CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 255264790Sbapt 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX), 256264790Sbapt (void (*)(void *)) RMD160Init, RMD160Update_int, 257264790Sbapt (void (*)(u_int8_t *, void *)) RMD160Final 258264790Sbapt}; 259264790Sbapt 260264790Sbaptstruct auth_hash auth_hash_key_md5 = { 261264790Sbapt CRYPTO_MD5_KPDK, "Keyed MD5", 262264790Sbapt 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX), 263264790Sbapt (void (*)(void *)) MD5Init, MD5Update_int, 264264790Sbapt (void (*)(u_int8_t *, void *)) MD5Final 265264790Sbapt}; 266264790Sbapt 267264790Sbaptstruct auth_hash auth_hash_key_sha1 = { 268264790Sbapt CRYPTO_SHA1_KPDK, "Keyed SHA1", 269264790Sbapt 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX), 270264790Sbapt SHA1Init_int, SHA1Update_int, SHA1Final_int 271264790Sbapt}; 272264790Sbapt 273264790Sbaptstruct auth_hash auth_hash_hmac_sha2_256 = { 274264790Sbapt CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 275264790Sbapt 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX), 276264790Sbapt (void (*)(void *)) SHA256_Init, SHA256Update_int, 277264790Sbapt (void (*)(u_int8_t *, void *)) SHA256_Final 278264790Sbapt}; 279264790Sbapt 280264790Sbaptstruct auth_hash auth_hash_hmac_sha2_384 = { 281264790Sbapt CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 282264790Sbapt 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX), 283264790Sbapt (void (*)(void *)) SHA384_Init, SHA384Update_int, 284264790Sbapt (void (*)(u_int8_t *, void *)) SHA384_Final 285264790Sbapt}; 286264790Sbapt 287264790Sbaptstruct auth_hash auth_hash_hmac_sha2_512 = { 288264790Sbapt CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 289264790Sbapt 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX), 290264790Sbapt (void (*)(void *)) SHA512_Init, SHA512Update_int, 291264790Sbapt (void (*)(u_int8_t *, void *)) SHA512_Final 292264790Sbapt}; 293264790Sbapt 294264790Sbapt/* Compression instance */ 295264790Sbaptstruct comp_algo comp_algo_deflate = { 296264790Sbapt CRYPTO_DEFLATE_COMP, "Deflate", 297264790Sbapt 90, deflate_compress, 298264790Sbapt deflate_decompress 299264790Sbapt}; 300264790Sbapt 301264790Sbapt/* 302264790Sbapt * Encryption wrapper routines. 303264790Sbapt */ 304264790Sbaptstatic void 305264790Sbaptnull_encrypt(caddr_t key, u_int8_t *blk) 306264790Sbapt{ 307264790Sbapt} 308264790Sbaptstatic void 309264790Sbaptnull_decrypt(caddr_t key, u_int8_t *blk) 310264790Sbapt{ 311264790Sbapt} 312264790Sbaptstatic int 313264790Sbaptnull_setkey(u_int8_t **sched, u_int8_t *key, int len) 314264790Sbapt{ 315264790Sbapt *sched = NULL; 316264790Sbapt return 0; 317264790Sbapt} 318264790Sbaptstatic void 319264790Sbaptnull_zerokey(u_int8_t **sched) 320264790Sbapt{ 321264790Sbapt *sched = NULL; 322264790Sbapt} 323264790Sbapt 324264790Sbaptstatic void 325264790Sbaptdes1_encrypt(caddr_t key, u_int8_t *blk) 326264790Sbapt{ 327264790Sbapt des_cblock *cb = (des_cblock *) blk; 328264790Sbapt des_key_schedule *p = (des_key_schedule *) key; 329264790Sbapt 330264790Sbapt des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 331264790Sbapt} 332264790Sbapt 333264790Sbaptstatic void 334264790Sbaptdes1_decrypt(caddr_t key, u_int8_t *blk) 335264790Sbapt{ 336264790Sbapt des_cblock *cb = (des_cblock *) blk; 337264790Sbapt des_key_schedule *p = (des_key_schedule *) key; 338264790Sbapt 339264790Sbapt des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 340264790Sbapt} 341264790Sbapt 342264790Sbaptstatic int 343264790Sbaptdes1_setkey(u_int8_t **sched, u_int8_t *key, int len) 344264790Sbapt{ 345264790Sbapt des_key_schedule *p; 346264790Sbapt int err; 347264790Sbapt 348264790Sbapt p = malloc(sizeof (des_key_schedule), 349264790Sbapt M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 350264790Sbapt if (p != NULL) { 351264790Sbapt des_set_key((des_cblock *) key, p[0]); 352264790Sbapt err = 0; 353264790Sbapt } else 354264790Sbapt err = ENOMEM; 355264790Sbapt *sched = (u_int8_t *) p; 356264790Sbapt return err; 357264790Sbapt} 358264790Sbapt 359264790Sbaptstatic void 360264790Sbaptdes1_zerokey(u_int8_t **sched) 361264790Sbapt{ 362264790Sbapt bzero(*sched, sizeof (des_key_schedule)); 363264790Sbapt free(*sched, M_CRYPTO_DATA); 364264790Sbapt *sched = NULL; 365264790Sbapt} 366264790Sbapt 367264790Sbaptstatic void 368264790Sbaptdes3_encrypt(caddr_t key, u_int8_t *blk) 369264790Sbapt{ 370264790Sbapt des_cblock *cb = (des_cblock *) blk; 371264790Sbapt des_key_schedule *p = (des_key_schedule *) key; 372264790Sbapt 373264790Sbapt des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 374264790Sbapt} 375264790Sbapt 376264790Sbaptstatic void 377264790Sbaptdes3_decrypt(caddr_t key, u_int8_t *blk) 378264790Sbapt{ 379264790Sbapt des_cblock *cb = (des_cblock *) blk; 380264790Sbapt des_key_schedule *p = (des_key_schedule *) key; 381264790Sbapt 382264790Sbapt des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 383264790Sbapt} 384264790Sbapt 385264790Sbaptstatic int 386264790Sbaptdes3_setkey(u_int8_t **sched, u_int8_t *key, int len) 387264790Sbapt{ 388264790Sbapt des_key_schedule *p; 389264790Sbapt int err; 390264790Sbapt 391264790Sbapt p = malloc(3*sizeof (des_key_schedule), 392264790Sbapt M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 393264790Sbapt if (p != NULL) { 394264790Sbapt des_set_key((des_cblock *)(key + 0), p[0]); 395264790Sbapt des_set_key((des_cblock *)(key + 8), p[1]); 396264790Sbapt des_set_key((des_cblock *)(key + 16), p[2]); 397264790Sbapt err = 0; 398264790Sbapt } else 399264790Sbapt err = ENOMEM; 400264790Sbapt *sched = (u_int8_t *) p; 401264790Sbapt return err; 402264790Sbapt} 403264790Sbapt 404264790Sbaptstatic void 405264790Sbaptdes3_zerokey(u_int8_t **sched) 406264790Sbapt{ 407264790Sbapt bzero(*sched, 3*sizeof (des_key_schedule)); 408264790Sbapt free(*sched, M_CRYPTO_DATA); 409264790Sbapt *sched = NULL; 410264790Sbapt} 411264790Sbapt 412264790Sbaptstatic void 413264790Sbaptblf_encrypt(caddr_t key, u_int8_t *blk) 414264790Sbapt{ 415264790Sbapt BF_LONG t[2]; 416264790Sbapt 417264790Sbapt memcpy(t, blk, sizeof (t)); 418264790Sbapt t[0] = ntohl(t[0]); 419264790Sbapt t[1] = ntohl(t[1]); 420264790Sbapt /* NB: BF_encrypt expects the block in host order! */ 421264790Sbapt BF_encrypt(t, (BF_KEY *) key); 422264790Sbapt t[0] = htonl(t[0]); 423264790Sbapt t[1] = htonl(t[1]); 424264790Sbapt memcpy(blk, t, sizeof (t)); 425264790Sbapt} 426264790Sbapt 427264790Sbaptstatic void 428264790Sbaptblf_decrypt(caddr_t key, u_int8_t *blk) 429264790Sbapt{ 430264790Sbapt BF_LONG t[2]; 431264790Sbapt 432264790Sbapt memcpy(t, blk, sizeof (t)); 433264790Sbapt t[0] = ntohl(t[0]); 434264790Sbapt t[1] = ntohl(t[1]); 435264790Sbapt /* NB: BF_decrypt expects the block in host order! */ 436264790Sbapt BF_decrypt(t, (BF_KEY *) key); 437264790Sbapt t[0] = htonl(t[0]); 438264790Sbapt t[1] = htonl(t[1]); 439264790Sbapt memcpy(blk, t, sizeof (t)); 440264790Sbapt} 441264790Sbapt 442264790Sbaptstatic int 443264790Sbaptblf_setkey(u_int8_t **sched, u_int8_t *key, int len) 444264790Sbapt{ 445264790Sbapt int err; 446264790Sbapt 447264790Sbapt *sched = malloc(sizeof(BF_KEY), 448264790Sbapt M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 449264790Sbapt if (*sched != NULL) { 450264790Sbapt BF_set_key((BF_KEY *) *sched, len, key); 451264790Sbapt err = 0; 452264790Sbapt } else 453264790Sbapt err = ENOMEM; 454264790Sbapt return err; 455264790Sbapt} 456264790Sbapt 457264790Sbaptstatic void 458264790Sbaptblf_zerokey(u_int8_t **sched) 459264790Sbapt{ 460264790Sbapt bzero(*sched, sizeof(BF_KEY)); 461264790Sbapt free(*sched, M_CRYPTO_DATA); 462264790Sbapt *sched = NULL; 463264790Sbapt} 464264790Sbapt 465264790Sbaptstatic void 466264790Sbaptcast5_encrypt(caddr_t key, u_int8_t *blk) 467264790Sbapt{ 468264790Sbapt cast_encrypt((cast_key *) key, blk, blk); 469264790Sbapt} 470264790Sbapt 471264790Sbaptstatic void 472264790Sbaptcast5_decrypt(caddr_t key, u_int8_t *blk) 473264790Sbapt{ 474264790Sbapt cast_decrypt((cast_key *) key, blk, blk); 475264790Sbapt} 476264790Sbapt 477264790Sbaptstatic int 478264790Sbaptcast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 479264790Sbapt{ 480264790Sbapt int err; 481264790Sbapt 482264790Sbapt *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 483264790Sbapt if (*sched != NULL) { 484264790Sbapt cast_setkey((cast_key *)*sched, key, len); 485264790Sbapt err = 0; 486 } else 487 err = ENOMEM; 488 return err; 489} 490 491static void 492cast5_zerokey(u_int8_t **sched) 493{ 494 bzero(*sched, sizeof(cast_key)); 495 free(*sched, M_CRYPTO_DATA); 496 *sched = NULL; 497} 498 499static void 500skipjack_encrypt(caddr_t key, u_int8_t *blk) 501{ 502 skipjack_forwards(blk, blk, (u_int8_t **) key); 503} 504 505static void 506skipjack_decrypt(caddr_t key, u_int8_t *blk) 507{ 508 skipjack_backwards(blk, blk, (u_int8_t **) key); 509} 510 511static int 512skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 513{ 514 int err; 515 516 /* NB: allocate all the memory that's needed at once */ 517 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 518 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 519 if (*sched != NULL) { 520 u_int8_t** key_tables = (u_int8_t**) *sched; 521 u_int8_t* table = (u_int8_t*) &key_tables[10]; 522 int k; 523 524 for (k = 0; k < 10; k++) { 525 key_tables[k] = table; 526 table += 0x100; 527 } 528 subkey_table_gen(key, (u_int8_t **) *sched); 529 err = 0; 530 } else 531 err = ENOMEM; 532 return err; 533} 534 535static void 536skipjack_zerokey(u_int8_t **sched) 537{ 538 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 539 free(*sched, M_CRYPTO_DATA); 540 *sched = NULL; 541} 542 543static void 544rijndael128_encrypt(caddr_t key, u_int8_t *blk) 545{ 546 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 547} 548 549static void 550rijndael128_decrypt(caddr_t key, u_int8_t *blk) 551{ 552 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 553 (u_char *) blk); 554} 555 556static int 557rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 558{ 559 int err; 560 561 if (len != 16 && len != 24 && len != 32) 562 return (EINVAL); 563 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 564 M_NOWAIT|M_ZERO); 565 if (*sched != NULL) { 566 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 567 len * 8); 568 err = 0; 569 } else 570 err = ENOMEM; 571 return err; 572} 573 574static void 575rijndael128_zerokey(u_int8_t **sched) 576{ 577 bzero(*sched, sizeof(rijndael_ctx)); 578 free(*sched, M_CRYPTO_DATA); 579 *sched = NULL; 580} 581 582#define AES_XTS_BLOCKSIZE 16 583#define AES_XTS_IVSIZE 8 584#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 585 586struct aes_xts_ctx { 587 rijndael_ctx key1; 588 rijndael_ctx key2; 589 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 590}; 591 592void 593aes_xts_reinit(caddr_t key, u_int8_t *iv) 594{ 595 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 596 u_int64_t blocknum; 597 u_int i; 598 599 /* 600 * Prepare tweak as E_k2(IV). IV is specified as LE representation 601 * of a 64-bit block number which we allow to be passed in directly. 602 */ 603 bcopy(iv, &blocknum, AES_XTS_IVSIZE); 604 for (i = 0; i < AES_XTS_IVSIZE; i++) { 605 ctx->tweak[i] = blocknum & 0xff; 606 blocknum >>= 8; 607 } 608 /* Last 64 bits of IV are always zero */ 609 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 610 611 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 612} 613 614static void 615aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 616{ 617 u_int8_t block[AES_XTS_BLOCKSIZE]; 618 u_int i, carry_in, carry_out; 619 620 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 621 block[i] = data[i] ^ ctx->tweak[i]; 622 623 if (do_encrypt) 624 rijndael_encrypt(&ctx->key1, block, data); 625 else 626 rijndael_decrypt(&ctx->key1, block, data); 627 628 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 629 data[i] ^= ctx->tweak[i]; 630 631 /* Exponentiate tweak */ 632 carry_in = 0; 633 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 634 carry_out = ctx->tweak[i] & 0x80; 635 ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0); 636 carry_in = carry_out; 637 } 638 if (carry_in) 639 ctx->tweak[0] ^= AES_XTS_ALPHA; 640 bzero(block, sizeof(block)); 641} 642 643void 644aes_xts_encrypt(caddr_t key, u_int8_t *data) 645{ 646 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 647} 648 649void 650aes_xts_decrypt(caddr_t key, u_int8_t *data) 651{ 652 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 653} 654 655int 656aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 657{ 658 struct aes_xts_ctx *ctx; 659 660 if (len != 32 && len != 64) 661 return EINVAL; 662 663 *sched = malloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 664 M_NOWAIT | M_ZERO); 665 if (*sched == NULL) 666 return ENOMEM; 667 ctx = (struct aes_xts_ctx *)*sched; 668 669 rijndael_set_key(&ctx->key1, key, len * 4); 670 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 671 672 return 0; 673} 674 675void 676aes_xts_zerokey(u_int8_t **sched) 677{ 678 bzero(*sched, sizeof(struct aes_xts_ctx)); 679 free(*sched, M_CRYPTO_DATA); 680 *sched = NULL; 681} 682 683static void 684cml_encrypt(caddr_t key, u_int8_t *blk) 685{ 686 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 687} 688 689static void 690cml_decrypt(caddr_t key, u_int8_t *blk) 691{ 692 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 693 (u_char *) blk); 694} 695 696static int 697cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 698{ 699 int err; 700 701 if (len != 16 && len != 24 && len != 32) 702 return (EINVAL); 703 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 704 M_NOWAIT|M_ZERO); 705 if (*sched != NULL) { 706 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 707 len * 8); 708 err = 0; 709 } else 710 err = ENOMEM; 711 return err; 712} 713 714static void 715cml_zerokey(u_int8_t **sched) 716{ 717 bzero(*sched, sizeof(camellia_ctx)); 718 free(*sched, M_CRYPTO_DATA); 719 *sched = NULL; 720} 721 722/* 723 * And now for auth. 724 */ 725 726static void 727null_init(void *ctx) 728{ 729} 730 731static int 732null_update(void *ctx, u_int8_t *buf, u_int16_t len) 733{ 734 return 0; 735} 736 737static void 738null_final(u_int8_t *buf, void *ctx) 739{ 740 if (buf != (u_int8_t *) 0) 741 bzero(buf, 12); 742} 743 744static int 745RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 746{ 747 RMD160Update(ctx, buf, len); 748 return 0; 749} 750 751static int 752MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 753{ 754 MD5Update(ctx, buf, len); 755 return 0; 756} 757 758static void 759SHA1Init_int(void *ctx) 760{ 761 SHA1Init(ctx); 762} 763 764static int 765SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 766{ 767 SHA1Update(ctx, buf, len); 768 return 0; 769} 770 771static void 772SHA1Final_int(u_int8_t *blk, void *ctx) 773{ 774 SHA1Final(blk, ctx); 775} 776 777static int 778SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 779{ 780 SHA256_Update(ctx, buf, len); 781 return 0; 782} 783 784static int 785SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 786{ 787 SHA384_Update(ctx, buf, len); 788 return 0; 789} 790 791static int 792SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 793{ 794 SHA512_Update(ctx, buf, len); 795 return 0; 796} 797 798/* 799 * And compression 800 */ 801 802static u_int32_t 803deflate_compress(data, size, out) 804 u_int8_t *data; 805 u_int32_t size; 806 u_int8_t **out; 807{ 808 return deflate_global(data, size, 0, out); 809} 810 811static u_int32_t 812deflate_decompress(data, size, out) 813 u_int8_t *data; 814 u_int32_t size; 815 u_int8_t **out; 816{ 817 return deflate_global(data, size, 1, out); 818} 819