1 /* $NetBSD: cryptosoft_xform.c,v 1.30 2020/06/30 04:14:55 riastradh Exp $ */ 2 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 3 /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 11 * in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Permission to use, copy, and modify this software with or without fee 27 * is hereby granted, provided that this entire notice is included in 28 * all copies of any software which is or includes a copy or 29 * modification of this software. 30 * You may use this code under the GNU public license if you so wish. Please 31 * contribute changes back to the authors under this freer than GPL license 32 * so that we may further the use of strong encryption without limitations to 33 * all. 34 * 35 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 37 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 38 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 39 * PURPOSE. 40 */ 41 42 #include <sys/cdefs.h> 43 __KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.30 2020/06/30 04:14:55 riastradh Exp $"); 44 45 #include <sys/cprng.h> 46 #include <sys/kmem.h> 47 #include <sys/md5.h> 48 #include <sys/rmd160.h> 49 #include <sys/sha1.h> 50 #include <sys/sha2.h> 51 52 #include <crypto/aes/aes.h> 53 #include <crypto/blowfish/blowfish.h> 54 #include <crypto/camellia/camellia.h> 55 #include <crypto/cast128/cast128.h> 56 #include <crypto/des/des.h> 57 #include <crypto/skipjack/skipjack.h> 58 59 #include <opencrypto/aesxcbcmac.h> 60 #include <opencrypto/deflate.h> 61 #include <opencrypto/gmac.h> 62 63 struct swcr_auth_hash { 64 const struct auth_hash *auth_hash; 65 int ctxsize; 66 void (*Init)(void *); 67 void (*Setkey)(void *, const uint8_t *, uint16_t); 68 void (*Reinit)(void *, const uint8_t *, uint16_t); 69 int (*Update)(void *, const uint8_t *, uint16_t); 70 void (*Final)(uint8_t *, void *); 71 }; 72 73 struct swcr_enc_xform { 74 const struct enc_xform *enc_xform; 75 void (*encrypt)(void *, uint8_t *); 76 void (*decrypt)(void *, uint8_t *); 77 int (*setkey)(uint8_t **, const uint8_t *, int); 78 void (*zerokey)(uint8_t **); 79 void (*reinit)(void *, const uint8_t *, uint8_t *); 80 }; 81 82 struct swcr_comp_algo { 83 const struct comp_algo *unused_comp_algo; 84 uint32_t (*compress)(uint8_t *, uint32_t, uint8_t **); 85 uint32_t (*decompress)(uint8_t *, uint32_t, uint8_t **, int); 86 }; 87 88 static void null_encrypt(void *, u_int8_t *); 89 static void null_decrypt(void *, u_int8_t *); 90 static int null_setkey(u_int8_t **, const u_int8_t *, int); 91 static void null_zerokey(u_int8_t **); 92 93 static int des1_setkey(u_int8_t **, const u_int8_t *, int); 94 static int des3_setkey(u_int8_t **, const u_int8_t *, int); 95 static int blf_setkey(u_int8_t **, const u_int8_t *, int); 96 static int cast5_setkey(u_int8_t **, const u_int8_t *, int); 97 static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); 98 static int aes_setkey(u_int8_t **, const u_int8_t *, int); 99 static int cml_setkey(u_int8_t **, const u_int8_t *, int); 100 static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int); 101 static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int); 102 static void des1_encrypt(void *, u_int8_t *); 103 static void des3_encrypt(void *, u_int8_t *); 104 static void blf_encrypt(void *, u_int8_t *); 105 static void cast5_encrypt(void *, u_int8_t *); 106 static void skipjack_encrypt(void *, u_int8_t *); 107 static void aes_encrypt(void *, u_int8_t *); 108 static void cml_encrypt(void *, u_int8_t *); 109 static void des1_decrypt(void *, u_int8_t *); 110 static void des3_decrypt(void *, u_int8_t *); 111 static void blf_decrypt(void *, u_int8_t *); 112 static void cast5_decrypt(void *, u_int8_t *); 113 static void skipjack_decrypt(void *, u_int8_t *); 114 static void aes_decrypt(void *, u_int8_t *); 115 static void cml_decrypt(void *, u_int8_t *); 116 static void aes_ctr_crypt(void *, u_int8_t *); 117 static void des1_zerokey(u_int8_t **); 118 static void des3_zerokey(u_int8_t **); 119 static void blf_zerokey(u_int8_t **); 120 static void cast5_zerokey(u_int8_t **); 121 static void skipjack_zerokey(u_int8_t **); 122 static void aes_zerokey(u_int8_t **); 123 static void cml_zerokey(u_int8_t **); 124 static void aes_ctr_zerokey(u_int8_t **); 125 static void aes_gmac_zerokey(u_int8_t **); 126 static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *); 127 static void aes_gcm_reinit(void *, const u_int8_t *, u_int8_t *); 128 static void aes_gmac_reinit(void *, const u_int8_t *, u_int8_t *); 129 130 static void null_init(void *); 131 static int null_update(void *, const u_int8_t *, u_int16_t); 132 static void null_final(u_int8_t *, void *); 133 134 static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 135 static void SHA1Init_int(void *); 136 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 137 static void SHA1Final_int(u_int8_t *, void *); 138 139 140 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 141 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 142 static void SHA1Final_int(u_int8_t *, void *); 143 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 144 static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 145 static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 146 static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 147 148 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 149 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 150 static u_int32_t gzip_compress(u_int8_t *, u_int32_t, u_int8_t **); 151 static u_int32_t gzip_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 152 153 /* Encryption instances */ 154 static const struct swcr_enc_xform swcr_enc_xform_null = { 155 &enc_xform_null, 156 null_encrypt, 157 null_decrypt, 158 null_setkey, 159 null_zerokey, 160 NULL 161 }; 162 163 static const struct swcr_enc_xform swcr_enc_xform_des = { 164 &enc_xform_des, 165 des1_encrypt, 166 des1_decrypt, 167 des1_setkey, 168 des1_zerokey, 169 NULL 170 }; 171 172 static const struct swcr_enc_xform swcr_enc_xform_3des = { 173 &enc_xform_3des, 174 des3_encrypt, 175 des3_decrypt, 176 des3_setkey, 177 des3_zerokey, 178 NULL 179 }; 180 181 static const struct swcr_enc_xform swcr_enc_xform_blf = { 182 &enc_xform_blf, 183 blf_encrypt, 184 blf_decrypt, 185 blf_setkey, 186 blf_zerokey, 187 NULL 188 }; 189 190 static const struct swcr_enc_xform swcr_enc_xform_cast5 = { 191 &enc_xform_cast5, 192 cast5_encrypt, 193 cast5_decrypt, 194 cast5_setkey, 195 cast5_zerokey, 196 NULL 197 }; 198 199 static const struct swcr_enc_xform swcr_enc_xform_skipjack = { 200 &enc_xform_skipjack, 201 skipjack_encrypt, 202 skipjack_decrypt, 203 skipjack_setkey, 204 skipjack_zerokey, 205 NULL 206 }; 207 208 static const struct swcr_enc_xform swcr_enc_xform_aes = { 209 &enc_xform_aes, 210 aes_encrypt, 211 aes_decrypt, 212 aes_setkey, 213 aes_zerokey, 214 NULL 215 }; 216 217 static const struct swcr_enc_xform swcr_enc_xform_aes_ctr = { 218 &enc_xform_aes_ctr, 219 aes_ctr_crypt, 220 aes_ctr_crypt, 221 aes_ctr_setkey, 222 aes_ctr_zerokey, 223 aes_ctr_reinit 224 }; 225 226 static const struct swcr_enc_xform swcr_enc_xform_aes_gcm = { 227 &enc_xform_aes_gcm, 228 aes_ctr_crypt, 229 aes_ctr_crypt, 230 aes_ctr_setkey, 231 aes_ctr_zerokey, 232 aes_gcm_reinit 233 }; 234 235 static const struct swcr_enc_xform swcr_enc_xform_aes_gmac = { 236 &enc_xform_aes_gmac, 237 NULL, 238 NULL, 239 aes_gmac_setkey, 240 aes_gmac_zerokey, 241 aes_gmac_reinit 242 }; 243 244 static const struct swcr_enc_xform swcr_enc_xform_camellia = { 245 &enc_xform_camellia, 246 cml_encrypt, 247 cml_decrypt, 248 cml_setkey, 249 cml_zerokey, 250 NULL 251 }; 252 253 /* Authentication instances */ 254 static const struct swcr_auth_hash swcr_auth_hash_null = { 255 &auth_hash_null, sizeof(int), /* NB: context isn't used */ 256 null_init, NULL, NULL, null_update, null_final 257 }; 258 259 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5 = { 260 &auth_hash_hmac_md5, sizeof(MD5_CTX), 261 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 262 (void (*) (u_int8_t *, void *)) MD5Final 263 }; 264 265 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1 = { 266 &auth_hash_hmac_sha1, sizeof(SHA1_CTX), 267 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 268 }; 269 270 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160 = { 271 &auth_hash_hmac_ripemd_160, sizeof(RMD160_CTX), 272 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 273 (void (*)(u_int8_t *, void *)) RMD160Final 274 }; 275 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5_96 = { 276 &auth_hash_hmac_md5_96, sizeof(MD5_CTX), 277 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 278 (void (*) (u_int8_t *, void *)) MD5Final 279 }; 280 281 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1_96 = { 282 &auth_hash_hmac_sha1_96, sizeof(SHA1_CTX), 283 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 284 }; 285 286 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160_96 = { 287 &auth_hash_hmac_ripemd_160_96, sizeof(RMD160_CTX), 288 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 289 (void (*)(u_int8_t *, void *)) RMD160Final 290 }; 291 292 static const struct swcr_auth_hash swcr_auth_hash_key_md5 = { 293 &auth_hash_key_md5, sizeof(MD5_CTX), 294 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 295 (void (*)(u_int8_t *, void *)) MD5Final 296 }; 297 298 static const struct swcr_auth_hash swcr_auth_hash_key_sha1 = { 299 &auth_hash_key_sha1, sizeof(SHA1_CTX), 300 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 301 }; 302 303 static const struct swcr_auth_hash swcr_auth_hash_md5 = { 304 &auth_hash_md5, sizeof(MD5_CTX), 305 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 306 (void (*) (u_int8_t *, void *)) MD5Final 307 }; 308 309 static const struct swcr_auth_hash swcr_auth_hash_sha1 = { 310 &auth_hash_sha1, sizeof(SHA1_CTX), 311 (void (*)(void *)) SHA1Init, NULL, NULL, SHA1Update_int, 312 (void (*)(u_int8_t *, void *)) SHA1Final 313 }; 314 315 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_256 = { 316 &auth_hash_hmac_sha2_256, sizeof(SHA256_CTX), 317 (void (*)(void *))(void *)SHA256_Init, NULL, NULL, SHA256Update_int, 318 (void (*)(u_int8_t *, void *))(void *)SHA256_Final 319 }; 320 321 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_384 = { 322 &auth_hash_hmac_sha2_384, sizeof(SHA384_CTX), 323 (void (*)(void *))(void *)SHA384_Init, NULL, NULL, SHA384Update_int, 324 (void (*)(u_int8_t *, void *))(void *)SHA384_Final 325 }; 326 327 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_512 = { 328 &auth_hash_hmac_sha2_512, sizeof(SHA512_CTX), 329 (void (*)(void *))(void *)SHA512_Init, NULL, NULL, SHA512Update_int, 330 (void (*)(u_int8_t *, void *))(void *)SHA512_Final 331 }; 332 333 static const struct swcr_auth_hash swcr_auth_hash_aes_xcbc_mac = { 334 &auth_hash_aes_xcbc_mac_96, sizeof(aesxcbc_ctx), 335 null_init, 336 (void (*)(void *, const u_int8_t *, u_int16_t))(void *)aes_xcbc_mac_init, 337 NULL, aes_xcbc_mac_loop, aes_xcbc_mac_result 338 }; 339 340 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_128 = { 341 &auth_hash_gmac_aes_128, sizeof(AES_GMAC_CTX), 342 (void (*)(void *))AES_GMAC_Init, 343 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 344 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 345 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 346 (void (*)(u_int8_t *, void *))AES_GMAC_Final 347 }; 348 349 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_192 = { 350 &auth_hash_gmac_aes_192, sizeof(AES_GMAC_CTX), 351 (void (*)(void *))AES_GMAC_Init, 352 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 353 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 354 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 355 (void (*)(u_int8_t *, void *))AES_GMAC_Final 356 }; 357 358 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_256 = { 359 &auth_hash_gmac_aes_256, sizeof(AES_GMAC_CTX), 360 (void (*)(void *))AES_GMAC_Init, 361 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 362 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 363 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 364 (void (*)(u_int8_t *, void *))AES_GMAC_Final 365 }; 366 367 /* Compression instance */ 368 static const struct swcr_comp_algo swcr_comp_algo_deflate = { 369 &comp_algo_deflate, 370 deflate_compress, 371 deflate_decompress 372 }; 373 374 static const struct swcr_comp_algo swcr_comp_algo_deflate_nogrow = { 375 &comp_algo_deflate_nogrow, 376 deflate_compress, 377 deflate_decompress 378 }; 379 380 static const struct swcr_comp_algo swcr_comp_algo_gzip = { 381 &comp_algo_deflate, 382 gzip_compress, 383 gzip_decompress 384 }; 385 386 /* 387 * Encryption wrapper routines. 388 */ 389 static void 390 null_encrypt(void *key, u_int8_t *blk) 391 { 392 } 393 static void 394 null_decrypt(void *key, u_int8_t *blk) 395 { 396 } 397 static int 398 null_setkey(u_int8_t **sched, const u_int8_t *key, int len) 399 { 400 *sched = NULL; 401 return 0; 402 } 403 static void 404 null_zerokey(u_int8_t **sched) 405 { 406 *sched = NULL; 407 } 408 409 static void 410 des1_encrypt(void *key, u_int8_t *blk) 411 { 412 des_cblock *cb = (des_cblock *) blk; 413 des_key_schedule *p = (des_key_schedule *) key; 414 415 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 416 } 417 418 static void 419 des1_decrypt(void *key, u_int8_t *blk) 420 { 421 des_cblock *cb = (des_cblock *) blk; 422 des_key_schedule *p = (des_key_schedule *) key; 423 424 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 425 } 426 427 static int 428 des1_setkey(u_int8_t **sched, const u_int8_t *key, int len) 429 { 430 des_key_schedule *p; 431 432 p = malloc(sizeof (des_key_schedule), 433 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 434 *sched = (u_int8_t *) p; 435 if (p == NULL) 436 return ENOMEM; 437 des_set_key((des_cblock *)__UNCONST(key), p[0]); 438 return 0; 439 } 440 441 static void 442 des1_zerokey(u_int8_t **sched) 443 { 444 memset(*sched, 0, sizeof (des_key_schedule)); 445 free(*sched, M_CRYPTO_DATA); 446 *sched = NULL; 447 } 448 449 static void 450 des3_encrypt(void *key, u_int8_t *blk) 451 { 452 des_cblock *cb = (des_cblock *) blk; 453 des_key_schedule *p = (des_key_schedule *) key; 454 455 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 456 } 457 458 static void 459 des3_decrypt(void *key, u_int8_t *blk) 460 { 461 des_cblock *cb = (des_cblock *) blk; 462 des_key_schedule *p = (des_key_schedule *) key; 463 464 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 465 } 466 467 static int 468 des3_setkey(u_int8_t **sched, const u_int8_t *key, int len) 469 { 470 des_key_schedule *p; 471 472 p = malloc(3*sizeof (des_key_schedule), 473 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 474 *sched = (u_int8_t *) p; 475 if (p == NULL) 476 return ENOMEM; 477 des_set_key((des_cblock *)__UNCONST(key + 0), p[0]); 478 des_set_key((des_cblock *)__UNCONST(key + 8), p[1]); 479 des_set_key((des_cblock *)__UNCONST(key + 16), p[2]); 480 return 0; 481 } 482 483 static void 484 des3_zerokey(u_int8_t **sched) 485 { 486 memset(*sched, 0, 3*sizeof (des_key_schedule)); 487 free(*sched, M_CRYPTO_DATA); 488 *sched = NULL; 489 } 490 491 static void 492 blf_encrypt(void *key, u_int8_t *blk) 493 { 494 495 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 1); 496 } 497 498 static void 499 blf_decrypt(void *key, u_int8_t *blk) 500 { 501 502 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 0); 503 } 504 505 static int 506 blf_setkey(u_int8_t **sched, const u_int8_t *key, int len) 507 { 508 509 *sched = malloc(sizeof(BF_KEY), 510 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 511 if (*sched == NULL) 512 return ENOMEM; 513 BF_set_key((BF_KEY *) *sched, len, key); 514 return 0; 515 } 516 517 static void 518 blf_zerokey(u_int8_t **sched) 519 { 520 memset(*sched, 0, sizeof(BF_KEY)); 521 free(*sched, M_CRYPTO_DATA); 522 *sched = NULL; 523 } 524 525 static void 526 cast5_encrypt(void *key, u_int8_t *blk) 527 { 528 cast128_encrypt((cast128_key *) key, blk, blk); 529 } 530 531 static void 532 cast5_decrypt(void *key, u_int8_t *blk) 533 { 534 cast128_decrypt((cast128_key *) key, blk, blk); 535 } 536 537 static int 538 cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len) 539 { 540 541 *sched = malloc(sizeof(cast128_key), M_CRYPTO_DATA, 542 M_NOWAIT|M_ZERO); 543 if (*sched == NULL) 544 return ENOMEM; 545 cast128_setkey((cast128_key *)*sched, key, len); 546 return 0; 547 } 548 549 static void 550 cast5_zerokey(u_int8_t **sched) 551 { 552 memset(*sched, 0, sizeof(cast128_key)); 553 free(*sched, M_CRYPTO_DATA); 554 *sched = NULL; 555 } 556 557 static void 558 skipjack_encrypt(void *key, u_int8_t *blk) 559 { 560 skipjack_forwards(blk, blk, (u_int8_t **) key); 561 } 562 563 static void 564 skipjack_decrypt(void *key, u_int8_t *blk) 565 { 566 skipjack_backwards(blk, blk, (u_int8_t **) key); 567 } 568 569 static int 570 skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len) 571 { 572 573 /* NB: allocate all the memory that's needed at once */ 574 /* XXX assumes bytes are aligned on sizeof(u_char) == 1 boundaries. 575 * Will this break a pdp-10, Cray-1, or GE-645 port? 576 */ 577 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 578 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 579 580 if (*sched == NULL) 581 return ENOMEM; 582 583 u_int8_t** key_tables = (u_int8_t**) *sched; 584 u_int8_t* table = (u_int8_t*) &key_tables[10]; 585 int k; 586 587 for (k = 0; k < 10; k++) { 588 key_tables[k] = table; 589 table += 0x100; 590 } 591 subkey_table_gen(key, (u_int8_t **) *sched); 592 return 0; 593 } 594 595 static void 596 skipjack_zerokey(u_int8_t **sched) 597 { 598 memset(*sched, 0, 10 * (sizeof(u_int8_t *) + 0x100)); 599 free(*sched, M_CRYPTO_DATA); 600 *sched = NULL; 601 } 602 603 struct aes_ctx { 604 struct aesenc enc; 605 struct aesdec dec; 606 uint32_t nr; 607 }; 608 609 static void 610 aes_encrypt(void *key, u_int8_t *blk) 611 { 612 struct aes_ctx *ctx = key; 613 614 aes_enc(&ctx->enc, blk, blk, ctx->nr); 615 } 616 617 static void 618 aes_decrypt(void *key, u_int8_t *blk) 619 { 620 struct aes_ctx *ctx = key; 621 622 aes_dec(&ctx->dec, blk, blk, ctx->nr); 623 } 624 625 static int 626 aes_setkey(u_int8_t **sched, const u_int8_t *key, int len) 627 { 628 struct aes_ctx *ctx; 629 630 if (len != 16 && len != 24 && len != 32) 631 return EINVAL; 632 ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); 633 if (ctx == NULL) 634 return ENOMEM; 635 636 switch (len) { 637 case 16: 638 aes_setenckey128(&ctx->enc, key); 639 aes_setdeckey128(&ctx->dec, key); 640 ctx->nr = AES_128_NROUNDS; 641 break; 642 case 24: 643 aes_setenckey192(&ctx->enc, key); 644 aes_setdeckey192(&ctx->dec, key); 645 ctx->nr = AES_192_NROUNDS; 646 break; 647 case 32: 648 aes_setenckey256(&ctx->enc, key); 649 aes_setdeckey256(&ctx->dec, key); 650 ctx->nr = AES_256_NROUNDS; 651 break; 652 } 653 654 *sched = (void *)ctx; 655 return 0; 656 } 657 658 static void 659 aes_zerokey(u_int8_t **sched) 660 { 661 struct aes_ctx *ctx = (void *)*sched; 662 663 explicit_memset(ctx, 0, sizeof(*ctx)); 664 kmem_free(ctx, sizeof(*ctx)); 665 *sched = NULL; 666 } 667 668 static void 669 cml_encrypt(void *key, u_int8_t *blk) 670 { 671 672 camellia_encrypt(key, blk, blk); 673 } 674 675 static void 676 cml_decrypt(void *key, u_int8_t *blk) 677 { 678 679 camellia_decrypt(key, blk, blk); 680 } 681 682 static int 683 cml_setkey(u_int8_t **sched, const u_int8_t *key, int len) 684 { 685 686 if (len != 16 && len != 24 && len != 32) 687 return (EINVAL); 688 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 689 M_NOWAIT|M_ZERO); 690 if (*sched == NULL) 691 return ENOMEM; 692 693 camellia_set_key((camellia_ctx *) *sched, key, len * 8); 694 return 0; 695 } 696 697 static void 698 cml_zerokey(u_int8_t **sched) 699 { 700 701 memset(*sched, 0, sizeof(camellia_ctx)); 702 free(*sched, M_CRYPTO_DATA); 703 *sched = NULL; 704 } 705 706 #define AESCTR_NONCESIZE 4 707 #define AESCTR_IVSIZE 8 708 #define AESCTR_BLOCKSIZE 16 709 710 struct aes_ctr_ctx { 711 /* need only encryption half */ 712 struct aesenc ac_ek; 713 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 714 int ac_nr; 715 struct { 716 u_int64_t lastiv; 717 } ivgenctx; 718 }; 719 720 static void 721 aes_ctr_crypt(void *key, u_int8_t *blk) 722 { 723 struct aes_ctr_ctx *ctx; 724 u_int8_t keystream[AESCTR_BLOCKSIZE]; 725 int i; 726 727 ctx = key; 728 /* increment counter */ 729 for (i = AESCTR_BLOCKSIZE - 1; 730 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 731 if (++ctx->ac_block[i]) /* continue on overflow */ 732 break; 733 aes_enc(&ctx->ac_ek, ctx->ac_block, keystream, ctx->ac_nr); 734 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 735 blk[i] ^= keystream[i]; 736 explicit_memset(keystream, 0, sizeof(keystream)); 737 } 738 739 int 740 aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len) 741 { 742 struct aes_ctr_ctx *ctx; 743 744 if (len < AESCTR_NONCESIZE) 745 return EINVAL; 746 747 ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); 748 if (!ctx) 749 return ENOMEM; 750 switch (len) { 751 case 16 + AESCTR_NONCESIZE: 752 ctx->ac_nr = aes_setenckey128(&ctx->ac_ek, key); 753 break; 754 case 24 + AESCTR_NONCESIZE: 755 ctx->ac_nr = aes_setenckey192(&ctx->ac_ek, key); 756 break; 757 case 32 + AESCTR_NONCESIZE: 758 ctx->ac_nr = aes_setenckey256(&ctx->ac_ek, key); 759 break; 760 default: 761 aes_ctr_zerokey((u_int8_t **)&ctx); 762 return EINVAL; 763 } 764 memcpy(ctx->ac_block, key + len - AESCTR_NONCESIZE, AESCTR_NONCESIZE); 765 /* random start value for simple counter */ 766 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 767 *sched = (void *)ctx; 768 return 0; 769 } 770 771 void 772 aes_ctr_zerokey(u_int8_t **sched) 773 { 774 struct aes_ctr_ctx *ctx = (void *)*sched; 775 776 explicit_memset(ctx, 0, sizeof(*ctx)); 777 kmem_free(ctx, sizeof(*ctx)); 778 *sched = NULL; 779 } 780 781 void 782 aes_ctr_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 783 { 784 struct aes_ctr_ctx *ctx = key; 785 786 if (!iv) { 787 ctx->ivgenctx.lastiv++; 788 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 789 } 790 if (ivout) 791 memcpy(ivout, iv, AESCTR_IVSIZE); 792 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 793 /* reset counter */ 794 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 795 } 796 797 void 798 aes_gcm_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 799 { 800 struct aes_ctr_ctx *ctx = key; 801 802 if (!iv) { 803 ctx->ivgenctx.lastiv++; 804 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 805 } 806 if (ivout) 807 memcpy(ivout, iv, AESCTR_IVSIZE); 808 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 809 /* reset counter */ 810 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 811 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 812 } 813 814 struct aes_gmac_ctx { 815 struct { 816 u_int64_t lastiv; 817 } ivgenctx; 818 }; 819 820 int 821 aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len) 822 { 823 struct aes_gmac_ctx *ctx; 824 825 ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); 826 if (!ctx) 827 return ENOMEM; 828 829 /* random start value for simple counter */ 830 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 831 *sched = (void *)ctx; 832 return 0; 833 } 834 835 void 836 aes_gmac_zerokey(u_int8_t **sched) 837 { 838 struct aes_gmac_ctx *ctx = (void *)*sched; 839 840 kmem_free(ctx, sizeof(*ctx)); 841 *sched = NULL; 842 } 843 844 void 845 aes_gmac_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 846 { 847 struct aes_gmac_ctx *ctx = key; 848 849 if (!iv) { 850 ctx->ivgenctx.lastiv++; 851 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 852 } 853 if (ivout) 854 memcpy(ivout, iv, AESCTR_IVSIZE); 855 } 856 857 /* 858 * And now for auth. 859 */ 860 861 static void 862 null_init(void *ctx) 863 { 864 } 865 866 static int 867 null_update(void *ctx, const u_int8_t *buf, 868 u_int16_t len) 869 { 870 return 0; 871 } 872 873 static void 874 null_final(u_int8_t *buf, void *ctx) 875 { 876 if (buf != (u_int8_t *) 0) 877 memset(buf, 0, 12); 878 } 879 880 static int 881 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 882 { 883 RMD160Update(ctx, buf, len); 884 return 0; 885 } 886 887 static int 888 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 889 { 890 MD5Update(ctx, buf, len); 891 return 0; 892 } 893 894 static void 895 SHA1Init_int(void *ctx) 896 { 897 SHA1Init(ctx); 898 } 899 900 static int 901 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 902 { 903 SHA1Update(ctx, buf, len); 904 return 0; 905 } 906 907 static void 908 SHA1Final_int(u_int8_t *blk, void *ctx) 909 { 910 SHA1Final(blk, ctx); 911 } 912 913 static int 914 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 915 { 916 SHA256_Update(ctx, buf, len); 917 return 0; 918 } 919 920 static int 921 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 922 { 923 SHA384_Update(ctx, buf, len); 924 return 0; 925 } 926 927 static int 928 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 929 { 930 SHA512_Update(ctx, buf, len); 931 return 0; 932 } 933 934 /* 935 * And compression 936 */ 937 938 static u_int32_t 939 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 940 { 941 return deflate_global(data, size, 0, out, 0); 942 } 943 944 static u_int32_t 945 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 946 int size_hint) 947 { 948 return deflate_global(data, size, 1, out, size_hint); 949 } 950 951 static u_int32_t 952 gzip_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 953 { 954 return gzip_global(data, size, 0, out, 0); 955 } 956 957 static u_int32_t 958 gzip_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 959 int size_hint) 960 { 961 return gzip_global(data, size, 1, out, size_hint); 962 } 963