xform_gmac.c revision 285526
1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50#include <sys/cdefs.h> 51__FBSDID("$FreeBSD: head/sys/opencrypto/xform.c 285526 2015-07-14 07:45:18Z jmg $"); 52 53#include <sys/param.h> 54#include <sys/systm.h> 55#include <sys/malloc.h> 56#include <sys/sysctl.h> 57#include <sys/errno.h> 58#include <sys/time.h> 59#include <sys/kernel.h> 60#include <machine/cpu.h> 61 62#include <crypto/blowfish/blowfish.h> 63#include <crypto/des/des.h> 64#include <crypto/rijndael/rijndael.h> 65#include <crypto/camellia/camellia.h> 66#include <crypto/sha1.h> 67 68#include <opencrypto/cast.h> 69#include <opencrypto/deflate.h> 70#include <opencrypto/rmd160.h> 71#include <opencrypto/skipjack.h> 72 73#include <sys/md5.h> 74 75#include <opencrypto/cryptodev.h> 76#include <opencrypto/xform.h> 77 78static int null_setkey(u_int8_t **, u_int8_t *, int); 79static int des1_setkey(u_int8_t **, u_int8_t *, int); 80static int des3_setkey(u_int8_t **, u_int8_t *, int); 81static int blf_setkey(u_int8_t **, u_int8_t *, int); 82static int cast5_setkey(u_int8_t **, u_int8_t *, int); 83static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 84static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 85static int aes_icm_setkey(u_int8_t **, u_int8_t *, int); 86static int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 87static int cml_setkey(u_int8_t **, u_int8_t *, int); 88 89static void null_encrypt(caddr_t, u_int8_t *); 90static void des1_encrypt(caddr_t, u_int8_t *); 91static void des3_encrypt(caddr_t, u_int8_t *); 92static void blf_encrypt(caddr_t, u_int8_t *); 93static void cast5_encrypt(caddr_t, u_int8_t *); 94static void skipjack_encrypt(caddr_t, u_int8_t *); 95static void rijndael128_encrypt(caddr_t, u_int8_t *); 96static void aes_xts_encrypt(caddr_t, u_int8_t *); 97static void cml_encrypt(caddr_t, u_int8_t *); 98 99static void null_decrypt(caddr_t, u_int8_t *); 100static void des1_decrypt(caddr_t, u_int8_t *); 101static void des3_decrypt(caddr_t, u_int8_t *); 102static void blf_decrypt(caddr_t, u_int8_t *); 103static void cast5_decrypt(caddr_t, u_int8_t *); 104static void skipjack_decrypt(caddr_t, u_int8_t *); 105static void rijndael128_decrypt(caddr_t, u_int8_t *); 106static void aes_xts_decrypt(caddr_t, u_int8_t *); 107static void cml_decrypt(caddr_t, u_int8_t *); 108 109static void aes_icm_crypt(caddr_t, u_int8_t *); 110 111static void null_zerokey(u_int8_t **); 112static void des1_zerokey(u_int8_t **); 113static void des3_zerokey(u_int8_t **); 114static void blf_zerokey(u_int8_t **); 115static void cast5_zerokey(u_int8_t **); 116static void skipjack_zerokey(u_int8_t **); 117static void rijndael128_zerokey(u_int8_t **); 118static void aes_icm_zerokey(u_int8_t **); 119static void aes_xts_zerokey(u_int8_t **); 120static void cml_zerokey(u_int8_t **); 121 122static void aes_icm_reinit(caddr_t, u_int8_t *); 123static void aes_xts_reinit(caddr_t, u_int8_t *); 124static void aes_gcm_reinit(caddr_t, u_int8_t *); 125 126static void null_init(void *); 127static void null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len); 128static int null_update(void *, const u_int8_t *, u_int16_t); 129static void null_final(u_int8_t *, void *); 130static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 131static void SHA1Init_int(void *); 132static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 133static void SHA1Final_int(u_int8_t *, void *); 134static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 135static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 136static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 137static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 138 139static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 140static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 141 142#define AESICM_BLOCKSIZE 16 143 144struct aes_icm_ctx { 145 u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; 146 /* ac_block is initalized to IV */ 147 u_int8_t ac_block[AESICM_BLOCKSIZE]; 148 int ac_nr; 149}; 150 151MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 152 153/* Encryption instances */ 154struct enc_xform enc_xform_null = { 155 CRYPTO_NULL_CBC, "NULL", 156 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 157 NULL_BLOCK_LEN, NULL_BLOCK_LEN, NULL_MIN_KEY, NULL_MAX_KEY, 158 null_encrypt, 159 null_decrypt, 160 null_setkey, 161 null_zerokey, 162 NULL, 163}; 164 165struct enc_xform enc_xform_des = { 166 CRYPTO_DES_CBC, "DES", 167 DES_BLOCK_LEN, DES_BLOCK_LEN, DES_MIN_KEY, DES_MAX_KEY, 168 des1_encrypt, 169 des1_decrypt, 170 des1_setkey, 171 des1_zerokey, 172 NULL, 173}; 174 175struct enc_xform enc_xform_3des = { 176 CRYPTO_3DES_CBC, "3DES", 177 DES3_BLOCK_LEN, DES3_BLOCK_LEN, TRIPLE_DES_MIN_KEY, 178 TRIPLE_DES_MAX_KEY, 179 des3_encrypt, 180 des3_decrypt, 181 des3_setkey, 182 des3_zerokey, 183 NULL, 184}; 185 186struct enc_xform enc_xform_blf = { 187 CRYPTO_BLF_CBC, "Blowfish", 188 BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, BLOWFISH_MIN_KEY, 189 BLOWFISH_MAX_KEY, 190 blf_encrypt, 191 blf_decrypt, 192 blf_setkey, 193 blf_zerokey, 194 NULL, 195}; 196 197struct enc_xform enc_xform_cast5 = { 198 CRYPTO_CAST_CBC, "CAST-128", 199 CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, CAST_MIN_KEY, CAST_MAX_KEY, 200 cast5_encrypt, 201 cast5_decrypt, 202 cast5_setkey, 203 cast5_zerokey, 204 NULL, 205}; 206 207struct enc_xform enc_xform_skipjack = { 208 CRYPTO_SKIPJACK_CBC, "Skipjack", 209 SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, SKIPJACK_MIN_KEY, 210 SKIPJACK_MAX_KEY, 211 skipjack_encrypt, 212 skipjack_decrypt, skipjack_setkey, 213 skipjack_zerokey, 214 NULL, 215}; 216 217struct enc_xform enc_xform_rijndael128 = { 218 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 219 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, RIJNDAEL_MIN_KEY, 220 RIJNDAEL_MAX_KEY, 221 rijndael128_encrypt, 222 rijndael128_decrypt, 223 rijndael128_setkey, 224 rijndael128_zerokey, 225 NULL, 226}; 227 228struct enc_xform enc_xform_aes_icm = { 229 CRYPTO_AES_ICM, "AES-ICM", 230 AES_BLOCK_LEN, AES_BLOCK_LEN, AES_MIN_KEY, AES_MAX_KEY, 231 aes_icm_crypt, 232 aes_icm_crypt, 233 aes_icm_setkey, 234 rijndael128_zerokey, 235 aes_icm_reinit, 236}; 237 238struct enc_xform enc_xform_aes_nist_gcm = { 239 CRYPTO_AES_NIST_GCM_16, "AES-GCM", 240 AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY, 241 aes_icm_crypt, 242 aes_icm_crypt, 243 aes_icm_setkey, 244 aes_icm_zerokey, 245 aes_gcm_reinit, 246}; 247 248struct enc_xform enc_xform_aes_nist_gmac = { 249 CRYPTO_AES_NIST_GMAC, "AES-GMAC", 250 AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY, 251 NULL, 252 NULL, 253 NULL, 254 NULL, 255 NULL, 256}; 257 258struct enc_xform enc_xform_aes_xts = { 259 CRYPTO_AES_XTS, "AES-XTS", 260 AES_BLOCK_LEN, AES_XTS_IV_LEN, AES_XTS_MIN_KEY, AES_XTS_MAX_KEY, 261 aes_xts_encrypt, 262 aes_xts_decrypt, 263 aes_xts_setkey, 264 aes_xts_zerokey, 265 aes_xts_reinit 266}; 267 268struct enc_xform enc_xform_arc4 = { 269 CRYPTO_ARC4, "ARC4", 270 ARC4_BLOCK_LEN, ARC4_IV_LEN, ARC4_MIN_KEY, ARC4_MAX_KEY, 271 NULL, 272 NULL, 273 NULL, 274 NULL, 275 NULL, 276}; 277 278struct enc_xform enc_xform_camellia = { 279 CRYPTO_CAMELLIA_CBC, "Camellia", 280 CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, CAMELLIA_MIN_KEY, 281 CAMELLIA_MAX_KEY, 282 cml_encrypt, 283 cml_decrypt, 284 cml_setkey, 285 cml_zerokey, 286 NULL, 287}; 288 289/* Authentication instances */ 290struct auth_hash auth_hash_null = { /* NB: context isn't used */ 291 CRYPTO_NULL_HMAC, "NULL-HMAC", 292 NULL_HMAC_KEY_LEN, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN, 293 null_init, null_reinit, null_reinit, null_update, null_final 294}; 295 296struct auth_hash auth_hash_hmac_md5 = { 297 CRYPTO_MD5_HMAC, "HMAC-MD5", 298 MD5_HMAC_KEY_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN, 299 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 300 (void (*) (u_int8_t *, void *)) MD5Final 301}; 302 303struct auth_hash auth_hash_hmac_sha1 = { 304 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 305 SHA1_HMAC_KEY_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN, 306 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 307}; 308 309struct auth_hash auth_hash_hmac_ripemd_160 = { 310 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 311 RIPEMD160_HMAC_KEY_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX), 312 RIPEMD160_HMAC_BLOCK_LEN, 313 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 314 (void (*)(u_int8_t *, void *)) RMD160Final 315}; 316 317struct auth_hash auth_hash_key_md5 = { 318 CRYPTO_MD5_KPDK, "Keyed MD5", 319 NULL_HMAC_KEY_LEN, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0, 320 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 321 (void (*)(u_int8_t *, void *)) MD5Final 322}; 323 324struct auth_hash auth_hash_key_sha1 = { 325 CRYPTO_SHA1_KPDK, "Keyed SHA1", 326 NULL_HMAC_KEY_LEN, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0, 327 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 328}; 329 330struct auth_hash auth_hash_hmac_sha2_256 = { 331 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 332 SHA2_256_HMAC_KEY_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX), 333 SHA2_256_HMAC_BLOCK_LEN, 334 (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, 335 (void (*)(u_int8_t *, void *)) SHA256_Final 336}; 337 338struct auth_hash auth_hash_hmac_sha2_384 = { 339 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 340 SHA2_384_HMAC_KEY_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX), 341 SHA2_384_HMAC_BLOCK_LEN, 342 (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, 343 (void (*)(u_int8_t *, void *)) SHA384_Final 344}; 345 346struct auth_hash auth_hash_hmac_sha2_512 = { 347 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 348 SHA2_512_HMAC_KEY_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX), 349 SHA2_512_HMAC_BLOCK_LEN, 350 (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, 351 (void (*)(u_int8_t *, void *)) SHA512_Final 352}; 353 354struct auth_hash auth_hash_nist_gmac_aes_128 = { 355 CRYPTO_AES_128_NIST_GMAC, "GMAC-AES-128", 356 AES_128_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx), 357 GMAC_BLOCK_LEN, 358 (void (*)(void *)) AES_GMAC_Init, 359 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 360 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 361 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 362 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 363}; 364 365struct auth_hash auth_hash_nist_gmac_aes_192 = { 366 CRYPTO_AES_192_NIST_GMAC, "GMAC-AES-192", 367 AES_192_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx), 368 GMAC_BLOCK_LEN, 369 (void (*)(void *)) AES_GMAC_Init, 370 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 371 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 372 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 373 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 374}; 375 376struct auth_hash auth_hash_nist_gmac_aes_256 = { 377 CRYPTO_AES_256_NIST_GMAC, "GMAC-AES-256", 378 AES_256_HMAC_KEY_LEN, AES_HASH_LEN, sizeof(struct aes_gmac_ctx), 379 GMAC_BLOCK_LEN, 380 (void (*)(void *)) AES_GMAC_Init, 381 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 382 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 383 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 384 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 385}; 386 387/* Compression instance */ 388struct comp_algo comp_algo_deflate = { 389 CRYPTO_DEFLATE_COMP, "Deflate", 390 90, deflate_compress, 391 deflate_decompress 392}; 393 394/* 395 * Encryption wrapper routines. 396 */ 397static void 398null_encrypt(caddr_t key, u_int8_t *blk) 399{ 400} 401static void 402null_decrypt(caddr_t key, u_int8_t *blk) 403{ 404} 405static int 406null_setkey(u_int8_t **sched, u_int8_t *key, int len) 407{ 408 *sched = NULL; 409 return 0; 410} 411static void 412null_zerokey(u_int8_t **sched) 413{ 414 *sched = NULL; 415} 416 417static void 418des1_encrypt(caddr_t key, u_int8_t *blk) 419{ 420 des_cblock *cb = (des_cblock *) blk; 421 des_key_schedule *p = (des_key_schedule *) key; 422 423 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 424} 425 426static void 427des1_decrypt(caddr_t key, u_int8_t *blk) 428{ 429 des_cblock *cb = (des_cblock *) blk; 430 des_key_schedule *p = (des_key_schedule *) key; 431 432 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 433} 434 435static int 436des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 437{ 438 des_key_schedule *p; 439 int err; 440 441 p = malloc(sizeof (des_key_schedule), 442 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 443 if (p != NULL) { 444 des_set_key((des_cblock *) key, p[0]); 445 err = 0; 446 } else 447 err = ENOMEM; 448 *sched = (u_int8_t *) p; 449 return err; 450} 451 452static void 453des1_zerokey(u_int8_t **sched) 454{ 455 bzero(*sched, sizeof (des_key_schedule)); 456 free(*sched, M_CRYPTO_DATA); 457 *sched = NULL; 458} 459 460static void 461des3_encrypt(caddr_t key, u_int8_t *blk) 462{ 463 des_cblock *cb = (des_cblock *) blk; 464 des_key_schedule *p = (des_key_schedule *) key; 465 466 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 467} 468 469static void 470des3_decrypt(caddr_t key, u_int8_t *blk) 471{ 472 des_cblock *cb = (des_cblock *) blk; 473 des_key_schedule *p = (des_key_schedule *) key; 474 475 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 476} 477 478static int 479des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 480{ 481 des_key_schedule *p; 482 int err; 483 484 p = malloc(3*sizeof (des_key_schedule), 485 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 486 if (p != NULL) { 487 des_set_key((des_cblock *)(key + 0), p[0]); 488 des_set_key((des_cblock *)(key + 8), p[1]); 489 des_set_key((des_cblock *)(key + 16), p[2]); 490 err = 0; 491 } else 492 err = ENOMEM; 493 *sched = (u_int8_t *) p; 494 return err; 495} 496 497static void 498des3_zerokey(u_int8_t **sched) 499{ 500 bzero(*sched, 3*sizeof (des_key_schedule)); 501 free(*sched, M_CRYPTO_DATA); 502 *sched = NULL; 503} 504 505static void 506blf_encrypt(caddr_t key, u_int8_t *blk) 507{ 508 BF_LONG t[2]; 509 510 memcpy(t, blk, sizeof (t)); 511 t[0] = ntohl(t[0]); 512 t[1] = ntohl(t[1]); 513 /* NB: BF_encrypt expects the block in host order! */ 514 BF_encrypt(t, (BF_KEY *) key); 515 t[0] = htonl(t[0]); 516 t[1] = htonl(t[1]); 517 memcpy(blk, t, sizeof (t)); 518} 519 520static void 521blf_decrypt(caddr_t key, u_int8_t *blk) 522{ 523 BF_LONG t[2]; 524 525 memcpy(t, blk, sizeof (t)); 526 t[0] = ntohl(t[0]); 527 t[1] = ntohl(t[1]); 528 /* NB: BF_decrypt expects the block in host order! */ 529 BF_decrypt(t, (BF_KEY *) key); 530 t[0] = htonl(t[0]); 531 t[1] = htonl(t[1]); 532 memcpy(blk, t, sizeof (t)); 533} 534 535static int 536blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 537{ 538 int err; 539 540 *sched = malloc(sizeof(BF_KEY), 541 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 542 if (*sched != NULL) { 543 BF_set_key((BF_KEY *) *sched, len, key); 544 err = 0; 545 } else 546 err = ENOMEM; 547 return err; 548} 549 550static void 551blf_zerokey(u_int8_t **sched) 552{ 553 bzero(*sched, sizeof(BF_KEY)); 554 free(*sched, M_CRYPTO_DATA); 555 *sched = NULL; 556} 557 558static void 559cast5_encrypt(caddr_t key, u_int8_t *blk) 560{ 561 cast_encrypt((cast_key *) key, blk, blk); 562} 563 564static void 565cast5_decrypt(caddr_t key, u_int8_t *blk) 566{ 567 cast_decrypt((cast_key *) key, blk, blk); 568} 569 570static int 571cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 572{ 573 int err; 574 575 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 576 if (*sched != NULL) { 577 cast_setkey((cast_key *)*sched, key, len); 578 err = 0; 579 } else 580 err = ENOMEM; 581 return err; 582} 583 584static void 585cast5_zerokey(u_int8_t **sched) 586{ 587 bzero(*sched, sizeof(cast_key)); 588 free(*sched, M_CRYPTO_DATA); 589 *sched = NULL; 590} 591 592static void 593skipjack_encrypt(caddr_t key, u_int8_t *blk) 594{ 595 skipjack_forwards(blk, blk, (u_int8_t **) key); 596} 597 598static void 599skipjack_decrypt(caddr_t key, u_int8_t *blk) 600{ 601 skipjack_backwards(blk, blk, (u_int8_t **) key); 602} 603 604static int 605skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 606{ 607 int err; 608 609 /* NB: allocate all the memory that's needed at once */ 610 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 611 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 612 if (*sched != NULL) { 613 u_int8_t** key_tables = (u_int8_t**) *sched; 614 u_int8_t* table = (u_int8_t*) &key_tables[10]; 615 int k; 616 617 for (k = 0; k < 10; k++) { 618 key_tables[k] = table; 619 table += 0x100; 620 } 621 subkey_table_gen(key, (u_int8_t **) *sched); 622 err = 0; 623 } else 624 err = ENOMEM; 625 return err; 626} 627 628static void 629skipjack_zerokey(u_int8_t **sched) 630{ 631 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 632 free(*sched, M_CRYPTO_DATA); 633 *sched = NULL; 634} 635 636static void 637rijndael128_encrypt(caddr_t key, u_int8_t *blk) 638{ 639 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 640} 641 642static void 643rijndael128_decrypt(caddr_t key, u_int8_t *blk) 644{ 645 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 646 (u_char *) blk); 647} 648 649static int 650rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 651{ 652 int err; 653 654 if (len != 16 && len != 24 && len != 32) 655 return (EINVAL); 656 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 657 M_NOWAIT|M_ZERO); 658 if (*sched != NULL) { 659 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 660 len * 8); 661 err = 0; 662 } else 663 err = ENOMEM; 664 return err; 665} 666 667static void 668rijndael128_zerokey(u_int8_t **sched) 669{ 670 bzero(*sched, sizeof(rijndael_ctx)); 671 free(*sched, M_CRYPTO_DATA); 672 *sched = NULL; 673} 674 675void 676aes_icm_reinit(caddr_t key, u_int8_t *iv) 677{ 678 struct aes_icm_ctx *ctx; 679 680 ctx = (struct aes_icm_ctx *)key; 681 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE); 682} 683 684void 685aes_gcm_reinit(caddr_t key, u_int8_t *iv) 686{ 687 struct aes_icm_ctx *ctx; 688 689 aes_icm_reinit(key, iv); 690 691 ctx = (struct aes_icm_ctx *)key; 692 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 693 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4); 694 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2; 695} 696 697void 698aes_icm_crypt(caddr_t key, u_int8_t *data) 699{ 700 struct aes_icm_ctx *ctx; 701 u_int8_t keystream[AESICM_BLOCKSIZE]; 702 int i; 703 704 ctx = (struct aes_icm_ctx *)key; 705 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 706 for (i = 0; i < AESICM_BLOCKSIZE; i++) 707 data[i] ^= keystream[i]; 708 explicit_bzero(keystream, sizeof(keystream)); 709 710 /* increment counter */ 711 for (i = AESICM_BLOCKSIZE - 1; 712 i >= 0; i--) 713 if (++ctx->ac_block[i]) /* continue on overflow */ 714 break; 715} 716 717int 718aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len) 719{ 720 struct aes_icm_ctx *ctx; 721 722 *sched = malloc(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA, 723 M_NOWAIT | M_ZERO); 724 if (*sched == NULL) 725 return ENOMEM; 726 727 ctx = (struct aes_icm_ctx *)*sched; 728 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, len * 8); 729 if (ctx->ac_nr == 0) 730 return EINVAL; 731 return 0; 732} 733 734void 735aes_icm_zerokey(u_int8_t **sched) 736{ 737 738 bzero(*sched, sizeof(struct aes_icm_ctx)); 739 free(*sched, M_CRYPTO_DATA); 740 *sched = NULL; 741} 742 743#define AES_XTS_BLOCKSIZE 16 744#define AES_XTS_IVSIZE 8 745#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 746 747struct aes_xts_ctx { 748 rijndael_ctx key1; 749 rijndael_ctx key2; 750 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 751}; 752 753void 754aes_xts_reinit(caddr_t key, u_int8_t *iv) 755{ 756 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 757 u_int64_t blocknum; 758 u_int i; 759 760 /* 761 * Prepare tweak as E_k2(IV). IV is specified as LE representation 762 * of a 64-bit block number which we allow to be passed in directly. 763 */ 764 bcopy(iv, &blocknum, AES_XTS_IVSIZE); 765 for (i = 0; i < AES_XTS_IVSIZE; i++) { 766 ctx->tweak[i] = blocknum & 0xff; 767 blocknum >>= 8; 768 } 769 /* Last 64 bits of IV are always zero */ 770 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 771 772 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 773} 774 775static void 776aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 777{ 778 u_int8_t block[AES_XTS_BLOCKSIZE]; 779 u_int i, carry_in, carry_out; 780 781 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 782 block[i] = data[i] ^ ctx->tweak[i]; 783 784 if (do_encrypt) 785 rijndael_encrypt(&ctx->key1, block, data); 786 else 787 rijndael_decrypt(&ctx->key1, block, data); 788 789 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 790 data[i] ^= ctx->tweak[i]; 791 792 /* Exponentiate tweak */ 793 carry_in = 0; 794 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 795 carry_out = ctx->tweak[i] & 0x80; 796 ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0); 797 carry_in = carry_out; 798 } 799 if (carry_in) 800 ctx->tweak[0] ^= AES_XTS_ALPHA; 801 bzero(block, sizeof(block)); 802} 803 804void 805aes_xts_encrypt(caddr_t key, u_int8_t *data) 806{ 807 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 808} 809 810void 811aes_xts_decrypt(caddr_t key, u_int8_t *data) 812{ 813 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 814} 815 816int 817aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 818{ 819 struct aes_xts_ctx *ctx; 820 821 if (len != 32 && len != 64) 822 return EINVAL; 823 824 *sched = malloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 825 M_NOWAIT | M_ZERO); 826 if (*sched == NULL) 827 return ENOMEM; 828 ctx = (struct aes_xts_ctx *)*sched; 829 830 rijndael_set_key(&ctx->key1, key, len * 4); 831 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 832 833 return 0; 834} 835 836void 837aes_xts_zerokey(u_int8_t **sched) 838{ 839 bzero(*sched, sizeof(struct aes_xts_ctx)); 840 free(*sched, M_CRYPTO_DATA); 841 *sched = NULL; 842} 843 844static void 845cml_encrypt(caddr_t key, u_int8_t *blk) 846{ 847 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 848} 849 850static void 851cml_decrypt(caddr_t key, u_int8_t *blk) 852{ 853 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 854 (u_char *) blk); 855} 856 857static int 858cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 859{ 860 int err; 861 862 if (len != 16 && len != 24 && len != 32) 863 return (EINVAL); 864 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 865 M_NOWAIT|M_ZERO); 866 if (*sched != NULL) { 867 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 868 len * 8); 869 err = 0; 870 } else 871 err = ENOMEM; 872 return err; 873} 874 875static void 876cml_zerokey(u_int8_t **sched) 877{ 878 bzero(*sched, sizeof(camellia_ctx)); 879 free(*sched, M_CRYPTO_DATA); 880 *sched = NULL; 881} 882 883/* 884 * And now for auth. 885 */ 886 887static void 888null_init(void *ctx) 889{ 890} 891 892static void 893null_reinit(void *ctx, const u_int8_t *buf, u_int16_t len) 894{ 895} 896 897static int 898null_update(void *ctx, const u_int8_t *buf, u_int16_t len) 899{ 900 return 0; 901} 902 903static void 904null_final(u_int8_t *buf, void *ctx) 905{ 906 if (buf != (u_int8_t *) 0) 907 bzero(buf, 12); 908} 909 910static int 911RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 912{ 913 RMD160Update(ctx, buf, len); 914 return 0; 915} 916 917static int 918MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 919{ 920 MD5Update(ctx, buf, len); 921 return 0; 922} 923 924static void 925SHA1Init_int(void *ctx) 926{ 927 SHA1Init(ctx); 928} 929 930static int 931SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 932{ 933 SHA1Update(ctx, buf, len); 934 return 0; 935} 936 937static void 938SHA1Final_int(u_int8_t *blk, void *ctx) 939{ 940 SHA1Final(blk, ctx); 941} 942 943static int 944SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 945{ 946 SHA256_Update(ctx, buf, len); 947 return 0; 948} 949 950static int 951SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 952{ 953 SHA384_Update(ctx, buf, len); 954 return 0; 955} 956 957static int 958SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 959{ 960 SHA512_Update(ctx, buf, len); 961 return 0; 962} 963 964/* 965 * And compression 966 */ 967 968static u_int32_t 969deflate_compress(data, size, out) 970 u_int8_t *data; 971 u_int32_t size; 972 u_int8_t **out; 973{ 974 return deflate_global(data, size, 0, out); 975} 976 977static u_int32_t 978deflate_decompress(data, size, out) 979 u_int8_t *data; 980 u_int32_t size; 981 u_int8_t **out; 982{ 983 return deflate_global(data, size, 1, out); 984} 985