1 /* $NetBSD: cryptosoft_xform.c,v 1.26 2013/02/02 21:06:31 christos Exp $ */ 2 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 3 /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 11 * in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Permission to use, copy, and modify this software with or without fee 27 * is hereby granted, provided that this entire notice is included in 28 * all copies of any software which is or includes a copy or 29 * modification of this software. 30 * You may use this code under the GNU public license if you so wish. Please 31 * contribute changes back to the authors under this freer than GPL license 32 * so that we may further the use of strong encryption without limitations to 33 * all. 34 * 35 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 37 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 38 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 39 * PURPOSE. 40 */ 41 42 #include <sys/cdefs.h> 43 __KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.26 2013/02/02 21:06:31 christos Exp $"); 44 45 #include <crypto/blowfish/blowfish.h> 46 #include <crypto/cast128/cast128.h> 47 #include <crypto/des/des.h> 48 #include <crypto/rijndael/rijndael.h> 49 #include <crypto/skipjack/skipjack.h> 50 #include <crypto/camellia/camellia.h> 51 52 #include <opencrypto/deflate.h> 53 54 #include <sys/md5.h> 55 #include <sys/rmd160.h> 56 #include <sys/sha1.h> 57 #include <sys/sha2.h> 58 #include <sys/cprng.h> 59 #include <opencrypto/aesxcbcmac.h> 60 #include <opencrypto/gmac.h> 61 62 struct swcr_auth_hash { 63 const struct auth_hash *auth_hash; 64 int ctxsize; 65 void (*Init)(void *); 66 void (*Setkey)(void *, const uint8_t *, uint16_t); 67 void (*Reinit)(void *, const uint8_t *, uint16_t); 68 int (*Update)(void *, const uint8_t *, uint16_t); 69 void (*Final)(uint8_t *, void *); 70 }; 71 72 struct swcr_enc_xform { 73 const struct enc_xform *enc_xform; 74 void (*encrypt)(void *, uint8_t *); 75 void (*decrypt)(void *, uint8_t *); 76 int (*setkey)(uint8_t **, const uint8_t *, int); 77 void (*zerokey)(uint8_t **); 78 void (*reinit)(void *, const uint8_t *, uint8_t *); 79 }; 80 81 struct swcr_comp_algo { 82 const struct comp_algo *unused_comp_algo; 83 uint32_t (*compress)(uint8_t *, uint32_t, uint8_t **); 84 uint32_t (*decompress)(uint8_t *, uint32_t, uint8_t **, int); 85 }; 86 87 static void null_encrypt(void *, u_int8_t *); 88 static void null_decrypt(void *, u_int8_t *); 89 static int null_setkey(u_int8_t **, const u_int8_t *, int); 90 static void null_zerokey(u_int8_t **); 91 92 static int des1_setkey(u_int8_t **, const u_int8_t *, int); 93 static int des3_setkey(u_int8_t **, const u_int8_t *, int); 94 static int blf_setkey(u_int8_t **, const u_int8_t *, int); 95 static int cast5_setkey(u_int8_t **, const u_int8_t *, int); 96 static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); 97 static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int); 98 static int cml_setkey(u_int8_t **, const u_int8_t *, int); 99 static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int); 100 static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int); 101 static void des1_encrypt(void *, u_int8_t *); 102 static void des3_encrypt(void *, u_int8_t *); 103 static void blf_encrypt(void *, u_int8_t *); 104 static void cast5_encrypt(void *, u_int8_t *); 105 static void skipjack_encrypt(void *, u_int8_t *); 106 static void rijndael128_encrypt(void *, u_int8_t *); 107 static void cml_encrypt(void *, u_int8_t *); 108 static void des1_decrypt(void *, u_int8_t *); 109 static void des3_decrypt(void *, u_int8_t *); 110 static void blf_decrypt(void *, u_int8_t *); 111 static void cast5_decrypt(void *, u_int8_t *); 112 static void skipjack_decrypt(void *, u_int8_t *); 113 static void rijndael128_decrypt(void *, u_int8_t *); 114 static void cml_decrypt(void *, u_int8_t *); 115 static void aes_ctr_crypt(void *, u_int8_t *); 116 static void des1_zerokey(u_int8_t **); 117 static void des3_zerokey(u_int8_t **); 118 static void blf_zerokey(u_int8_t **); 119 static void cast5_zerokey(u_int8_t **); 120 static void skipjack_zerokey(u_int8_t **); 121 static void rijndael128_zerokey(u_int8_t **); 122 static void cml_zerokey(u_int8_t **); 123 static void aes_ctr_zerokey(u_int8_t **); 124 static void aes_gmac_zerokey(u_int8_t **); 125 static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *); 126 static void aes_gcm_reinit(void *, const u_int8_t *, u_int8_t *); 127 static void aes_gmac_reinit(void *, const u_int8_t *, u_int8_t *); 128 129 static void null_init(void *); 130 static int null_update(void *, const u_int8_t *, u_int16_t); 131 static void null_final(u_int8_t *, void *); 132 133 static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 134 static void SHA1Init_int(void *); 135 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 136 static void SHA1Final_int(u_int8_t *, void *); 137 138 139 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 140 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 141 static void SHA1Final_int(u_int8_t *, void *); 142 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 143 static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 144 static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 145 static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 146 147 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 148 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 149 static u_int32_t gzip_compress(u_int8_t *, u_int32_t, u_int8_t **); 150 static u_int32_t gzip_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 151 152 /* Encryption instances */ 153 static const struct swcr_enc_xform swcr_enc_xform_null = { 154 &enc_xform_null, 155 null_encrypt, 156 null_decrypt, 157 null_setkey, 158 null_zerokey, 159 NULL 160 }; 161 162 static const struct swcr_enc_xform swcr_enc_xform_des = { 163 &enc_xform_des, 164 des1_encrypt, 165 des1_decrypt, 166 des1_setkey, 167 des1_zerokey, 168 NULL 169 }; 170 171 static const struct swcr_enc_xform swcr_enc_xform_3des = { 172 &enc_xform_3des, 173 des3_encrypt, 174 des3_decrypt, 175 des3_setkey, 176 des3_zerokey, 177 NULL 178 }; 179 180 static const struct swcr_enc_xform swcr_enc_xform_blf = { 181 &enc_xform_blf, 182 blf_encrypt, 183 blf_decrypt, 184 blf_setkey, 185 blf_zerokey, 186 NULL 187 }; 188 189 static const struct swcr_enc_xform swcr_enc_xform_cast5 = { 190 &enc_xform_cast5, 191 cast5_encrypt, 192 cast5_decrypt, 193 cast5_setkey, 194 cast5_zerokey, 195 NULL 196 }; 197 198 static const struct swcr_enc_xform swcr_enc_xform_skipjack = { 199 &enc_xform_skipjack, 200 skipjack_encrypt, 201 skipjack_decrypt, 202 skipjack_setkey, 203 skipjack_zerokey, 204 NULL 205 }; 206 207 static const struct swcr_enc_xform swcr_enc_xform_rijndael128 = { 208 &enc_xform_rijndael128, 209 rijndael128_encrypt, 210 rijndael128_decrypt, 211 rijndael128_setkey, 212 rijndael128_zerokey, 213 NULL 214 }; 215 216 static const struct swcr_enc_xform swcr_enc_xform_aes_ctr = { 217 &enc_xform_aes_ctr, 218 aes_ctr_crypt, 219 aes_ctr_crypt, 220 aes_ctr_setkey, 221 aes_ctr_zerokey, 222 aes_ctr_reinit 223 }; 224 225 static const struct swcr_enc_xform swcr_enc_xform_aes_gcm = { 226 &enc_xform_aes_gcm, 227 aes_ctr_crypt, 228 aes_ctr_crypt, 229 aes_ctr_setkey, 230 aes_ctr_zerokey, 231 aes_gcm_reinit 232 }; 233 234 static const struct swcr_enc_xform swcr_enc_xform_aes_gmac = { 235 &enc_xform_aes_gmac, 236 NULL, 237 NULL, 238 aes_gmac_setkey, 239 aes_gmac_zerokey, 240 aes_gmac_reinit 241 }; 242 243 static const struct swcr_enc_xform swcr_enc_xform_camellia = { 244 &enc_xform_camellia, 245 cml_encrypt, 246 cml_decrypt, 247 cml_setkey, 248 cml_zerokey, 249 NULL 250 }; 251 252 /* Authentication instances */ 253 static const struct swcr_auth_hash swcr_auth_hash_null = { 254 &auth_hash_null, sizeof(int), /* NB: context isn't used */ 255 null_init, NULL, NULL, null_update, null_final 256 }; 257 258 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5 = { 259 &auth_hash_hmac_md5, sizeof(MD5_CTX), 260 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 261 (void (*) (u_int8_t *, void *)) MD5Final 262 }; 263 264 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1 = { 265 &auth_hash_hmac_sha1, sizeof(SHA1_CTX), 266 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 267 }; 268 269 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160 = { 270 &auth_hash_hmac_ripemd_160, sizeof(RMD160_CTX), 271 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 272 (void (*)(u_int8_t *, void *)) RMD160Final 273 }; 274 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5_96 = { 275 &auth_hash_hmac_md5_96, sizeof(MD5_CTX), 276 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 277 (void (*) (u_int8_t *, void *)) MD5Final 278 }; 279 280 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1_96 = { 281 &auth_hash_hmac_sha1_96, sizeof(SHA1_CTX), 282 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 283 }; 284 285 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160_96 = { 286 &auth_hash_hmac_ripemd_160_96, sizeof(RMD160_CTX), 287 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 288 (void (*)(u_int8_t *, void *)) RMD160Final 289 }; 290 291 static const struct swcr_auth_hash swcr_auth_hash_key_md5 = { 292 &auth_hash_key_md5, sizeof(MD5_CTX), 293 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 294 (void (*)(u_int8_t *, void *)) MD5Final 295 }; 296 297 static const struct swcr_auth_hash swcr_auth_hash_key_sha1 = { 298 &auth_hash_key_sha1, sizeof(SHA1_CTX), 299 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 300 }; 301 302 static const struct swcr_auth_hash swcr_auth_hash_md5 = { 303 &auth_hash_md5, sizeof(MD5_CTX), 304 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 305 (void (*) (u_int8_t *, void *)) MD5Final 306 }; 307 308 static const struct swcr_auth_hash swcr_auth_hash_sha1 = { 309 &auth_hash_sha1, sizeof(SHA1_CTX), 310 (void (*)(void *)) SHA1Init, NULL, NULL, SHA1Update_int, 311 (void (*)(u_int8_t *, void *)) SHA1Final 312 }; 313 314 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_256 = { 315 &auth_hash_hmac_sha2_256, sizeof(SHA256_CTX), 316 (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, 317 (void (*)(u_int8_t *, void *)) SHA256_Final 318 }; 319 320 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_384 = { 321 &auth_hash_hmac_sha2_384, sizeof(SHA384_CTX), 322 (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, 323 (void (*)(u_int8_t *, void *)) SHA384_Final 324 }; 325 326 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_512 = { 327 &auth_hash_hmac_sha2_512, sizeof(SHA512_CTX), 328 (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, 329 (void (*)(u_int8_t *, void *)) SHA512_Final 330 }; 331 332 static const struct swcr_auth_hash swcr_auth_hash_aes_xcbc_mac = { 333 &auth_hash_aes_xcbc_mac_96, sizeof(aesxcbc_ctx), 334 null_init, 335 (void (*)(void *, const u_int8_t *, u_int16_t))aes_xcbc_mac_init, 336 NULL, aes_xcbc_mac_loop, aes_xcbc_mac_result 337 }; 338 339 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_128 = { 340 &auth_hash_gmac_aes_128, sizeof(AES_GMAC_CTX), 341 (void (*)(void *))AES_GMAC_Init, 342 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 343 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 344 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 345 (void (*)(u_int8_t *, void *))AES_GMAC_Final 346 }; 347 348 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_192 = { 349 &auth_hash_gmac_aes_192, sizeof(AES_GMAC_CTX), 350 (void (*)(void *))AES_GMAC_Init, 351 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 352 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 353 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 354 (void (*)(u_int8_t *, void *))AES_GMAC_Final 355 }; 356 357 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_256 = { 358 &auth_hash_gmac_aes_256, sizeof(AES_GMAC_CTX), 359 (void (*)(void *))AES_GMAC_Init, 360 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 361 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 362 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 363 (void (*)(u_int8_t *, void *))AES_GMAC_Final 364 }; 365 366 /* Compression instance */ 367 static const struct swcr_comp_algo swcr_comp_algo_deflate = { 368 &comp_algo_deflate, 369 deflate_compress, 370 deflate_decompress 371 }; 372 373 static const struct swcr_comp_algo swcr_comp_algo_deflate_nogrow = { 374 &comp_algo_deflate_nogrow, 375 deflate_compress, 376 deflate_decompress 377 }; 378 379 static const struct swcr_comp_algo swcr_comp_algo_gzip = { 380 &comp_algo_deflate, 381 gzip_compress, 382 gzip_decompress 383 }; 384 385 /* 386 * Encryption wrapper routines. 387 */ 388 static void 389 null_encrypt(void *key, u_int8_t *blk) 390 { 391 } 392 static void 393 null_decrypt(void *key, u_int8_t *blk) 394 { 395 } 396 static int 397 null_setkey(u_int8_t **sched, const u_int8_t *key, int len) 398 { 399 *sched = NULL; 400 return 0; 401 } 402 static void 403 null_zerokey(u_int8_t **sched) 404 { 405 *sched = NULL; 406 } 407 408 static void 409 des1_encrypt(void *key, u_int8_t *blk) 410 { 411 des_cblock *cb = (des_cblock *) blk; 412 des_key_schedule *p = (des_key_schedule *) key; 413 414 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 415 } 416 417 static void 418 des1_decrypt(void *key, u_int8_t *blk) 419 { 420 des_cblock *cb = (des_cblock *) blk; 421 des_key_schedule *p = (des_key_schedule *) key; 422 423 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 424 } 425 426 static int 427 des1_setkey(u_int8_t **sched, const u_int8_t *key, int len) 428 { 429 des_key_schedule *p; 430 int err; 431 432 p = malloc(sizeof (des_key_schedule), 433 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 434 if (p != NULL) { 435 des_set_key((des_cblock *)__UNCONST(key), p[0]); 436 err = 0; 437 } else 438 err = ENOMEM; 439 *sched = (u_int8_t *) p; 440 return err; 441 } 442 443 static void 444 des1_zerokey(u_int8_t **sched) 445 { 446 memset(*sched, 0, sizeof (des_key_schedule)); 447 free(*sched, M_CRYPTO_DATA); 448 *sched = NULL; 449 } 450 451 static void 452 des3_encrypt(void *key, u_int8_t *blk) 453 { 454 des_cblock *cb = (des_cblock *) blk; 455 des_key_schedule *p = (des_key_schedule *) key; 456 457 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 458 } 459 460 static void 461 des3_decrypt(void *key, u_int8_t *blk) 462 { 463 des_cblock *cb = (des_cblock *) blk; 464 des_key_schedule *p = (des_key_schedule *) key; 465 466 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 467 } 468 469 static int 470 des3_setkey(u_int8_t **sched, const u_int8_t *key, int len) 471 { 472 des_key_schedule *p; 473 int err; 474 475 p = malloc(3*sizeof (des_key_schedule), 476 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 477 if (p != NULL) { 478 des_set_key((des_cblock *)__UNCONST(key + 0), p[0]); 479 des_set_key((des_cblock *)__UNCONST(key + 8), p[1]); 480 des_set_key((des_cblock *)__UNCONST(key + 16), p[2]); 481 err = 0; 482 } else 483 err = ENOMEM; 484 *sched = (u_int8_t *) p; 485 return err; 486 } 487 488 static void 489 des3_zerokey(u_int8_t **sched) 490 { 491 memset(*sched, 0, 3*sizeof (des_key_schedule)); 492 free(*sched, M_CRYPTO_DATA); 493 *sched = NULL; 494 } 495 496 static void 497 blf_encrypt(void *key, u_int8_t *blk) 498 { 499 500 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 1); 501 } 502 503 static void 504 blf_decrypt(void *key, u_int8_t *blk) 505 { 506 507 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 0); 508 } 509 510 static int 511 blf_setkey(u_int8_t **sched, const u_int8_t *key, int len) 512 { 513 int err; 514 515 *sched = malloc(sizeof(BF_KEY), 516 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 517 if (*sched != NULL) { 518 BF_set_key((BF_KEY *) *sched, len, key); 519 err = 0; 520 } else 521 err = ENOMEM; 522 return err; 523 } 524 525 static void 526 blf_zerokey(u_int8_t **sched) 527 { 528 memset(*sched, 0, sizeof(BF_KEY)); 529 free(*sched, M_CRYPTO_DATA); 530 *sched = NULL; 531 } 532 533 static void 534 cast5_encrypt(void *key, u_int8_t *blk) 535 { 536 cast128_encrypt((cast128_key *) key, blk, blk); 537 } 538 539 static void 540 cast5_decrypt(void *key, u_int8_t *blk) 541 { 542 cast128_decrypt((cast128_key *) key, blk, blk); 543 } 544 545 static int 546 cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len) 547 { 548 int err; 549 550 *sched = malloc(sizeof(cast128_key), M_CRYPTO_DATA, 551 M_NOWAIT|M_ZERO); 552 if (*sched != NULL) { 553 cast128_setkey((cast128_key *)*sched, key, len); 554 err = 0; 555 } else 556 err = ENOMEM; 557 return err; 558 } 559 560 static void 561 cast5_zerokey(u_int8_t **sched) 562 { 563 memset(*sched, 0, sizeof(cast128_key)); 564 free(*sched, M_CRYPTO_DATA); 565 *sched = NULL; 566 } 567 568 static void 569 skipjack_encrypt(void *key, u_int8_t *blk) 570 { 571 skipjack_forwards(blk, blk, (u_int8_t **) key); 572 } 573 574 static void 575 skipjack_decrypt(void *key, u_int8_t *blk) 576 { 577 skipjack_backwards(blk, blk, (u_int8_t **) key); 578 } 579 580 static int 581 skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len) 582 { 583 int err; 584 585 /* NB: allocate all the memory that's needed at once */ 586 /* XXX assumes bytes are aligned on sizeof(u_char) == 1 boundaries. 587 * Will this break a pdp-10, Cray-1, or GE-645 port? 588 */ 589 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 590 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 591 592 if (*sched != NULL) { 593 594 u_int8_t** key_tables = (u_int8_t**) *sched; 595 u_int8_t* table = (u_int8_t*) &key_tables[10]; 596 int k; 597 598 for (k = 0; k < 10; k++) { 599 key_tables[k] = table; 600 table += 0x100; 601 } 602 subkey_table_gen(key, (u_int8_t **) *sched); 603 err = 0; 604 } else 605 err = ENOMEM; 606 return err; 607 } 608 609 static void 610 skipjack_zerokey(u_int8_t **sched) 611 { 612 memset(*sched, 0, 10 * (sizeof(u_int8_t *) + 0x100)); 613 free(*sched, M_CRYPTO_DATA); 614 *sched = NULL; 615 } 616 617 static void 618 rijndael128_encrypt(void *key, u_int8_t *blk) 619 { 620 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 621 } 622 623 static void 624 rijndael128_decrypt(void *key, u_int8_t *blk) 625 { 626 rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk, 627 (u_char *) blk); 628 } 629 630 static int 631 rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len) 632 { 633 int err; 634 635 if (len != 16 && len != 24 && len != 32) 636 return EINVAL; 637 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 638 M_NOWAIT|M_ZERO); 639 if (*sched != NULL) { 640 rijndael_set_key((rijndael_ctx *) *sched, key, len * 8); 641 err = 0; 642 } else 643 err = ENOMEM; 644 return err; 645 } 646 647 static void 648 rijndael128_zerokey(u_int8_t **sched) 649 { 650 memset(*sched, 0, sizeof(rijndael_ctx)); 651 free(*sched, M_CRYPTO_DATA); 652 *sched = NULL; 653 } 654 655 static void 656 cml_encrypt(void *key, u_int8_t *blk) 657 { 658 659 camellia_encrypt(key, blk, blk); 660 } 661 662 static void 663 cml_decrypt(void *key, u_int8_t *blk) 664 { 665 666 camellia_decrypt(key, blk, blk); 667 } 668 669 static int 670 cml_setkey(u_int8_t **sched, const u_int8_t *key, int len) 671 { 672 int err; 673 674 if (len != 16 && len != 24 && len != 32) 675 return (EINVAL); 676 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 677 M_NOWAIT|M_ZERO); 678 if (*sched != NULL) { 679 camellia_set_key((camellia_ctx *) *sched, key, len * 8); 680 err = 0; 681 } else 682 err = ENOMEM; 683 return err; 684 } 685 686 static void 687 cml_zerokey(u_int8_t **sched) 688 { 689 690 memset(*sched, 0, sizeof(camellia_ctx)); 691 free(*sched, M_CRYPTO_DATA); 692 *sched = NULL; 693 } 694 695 #define AESCTR_NONCESIZE 4 696 #define AESCTR_IVSIZE 8 697 #define AESCTR_BLOCKSIZE 16 698 699 struct aes_ctr_ctx { 700 /* need only encryption half */ 701 u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; 702 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 703 int ac_nr; 704 struct { 705 u_int64_t lastiv; 706 } ivgenctx; 707 }; 708 709 static void 710 aes_ctr_crypt(void *key, u_int8_t *blk) 711 { 712 struct aes_ctr_ctx *ctx; 713 u_int8_t keystream[AESCTR_BLOCKSIZE]; 714 int i; 715 716 ctx = key; 717 /* increment counter */ 718 for (i = AESCTR_BLOCKSIZE - 1; 719 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 720 if (++ctx->ac_block[i]) /* continue on overflow */ 721 break; 722 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 723 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 724 blk[i] ^= keystream[i]; 725 memset(keystream, 0, sizeof(keystream)); 726 } 727 728 int 729 aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len) 730 { 731 struct aes_ctr_ctx *ctx; 732 733 if (len < AESCTR_NONCESIZE) 734 return EINVAL; 735 736 ctx = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA, 737 M_NOWAIT|M_ZERO); 738 if (!ctx) 739 return ENOMEM; 740 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (const u_char *)key, 741 (len - AESCTR_NONCESIZE) * 8); 742 if (!ctx->ac_nr) { /* wrong key len */ 743 aes_ctr_zerokey((u_int8_t **)&ctx); 744 return EINVAL; 745 } 746 memcpy(ctx->ac_block, key + len - AESCTR_NONCESIZE, AESCTR_NONCESIZE); 747 /* random start value for simple counter */ 748 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 749 *sched = (void *)ctx; 750 return 0; 751 } 752 753 void 754 aes_ctr_zerokey(u_int8_t **sched) 755 { 756 757 memset(*sched, 0, sizeof(struct aes_ctr_ctx)); 758 free(*sched, M_CRYPTO_DATA); 759 *sched = NULL; 760 } 761 762 void 763 aes_ctr_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 764 { 765 struct aes_ctr_ctx *ctx = key; 766 767 if (!iv) { 768 ctx->ivgenctx.lastiv++; 769 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 770 } 771 if (ivout) 772 memcpy(ivout, iv, AESCTR_IVSIZE); 773 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 774 /* reset counter */ 775 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 776 } 777 778 void 779 aes_gcm_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 780 { 781 struct aes_ctr_ctx *ctx = key; 782 783 if (!iv) { 784 ctx->ivgenctx.lastiv++; 785 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 786 } 787 if (ivout) 788 memcpy(ivout, iv, AESCTR_IVSIZE); 789 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 790 /* reset counter */ 791 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 792 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 793 } 794 795 struct aes_gmac_ctx { 796 struct { 797 u_int64_t lastiv; 798 } ivgenctx; 799 }; 800 801 int 802 aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len) 803 { 804 struct aes_gmac_ctx *ctx; 805 806 ctx = malloc(sizeof(struct aes_gmac_ctx), M_CRYPTO_DATA, 807 M_NOWAIT|M_ZERO); 808 if (!ctx) 809 return ENOMEM; 810 811 /* random start value for simple counter */ 812 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 813 *sched = (void *)ctx; 814 return 0; 815 } 816 817 void 818 aes_gmac_zerokey(u_int8_t **sched) 819 { 820 821 free(*sched, M_CRYPTO_DATA); 822 *sched = NULL; 823 } 824 825 void 826 aes_gmac_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 827 { 828 struct aes_gmac_ctx *ctx = key; 829 830 if (!iv) { 831 ctx->ivgenctx.lastiv++; 832 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 833 } 834 if (ivout) 835 memcpy(ivout, iv, AESCTR_IVSIZE); 836 } 837 838 /* 839 * And now for auth. 840 */ 841 842 static void 843 null_init(void *ctx) 844 { 845 } 846 847 static int 848 null_update(void *ctx, const u_int8_t *buf, 849 u_int16_t len) 850 { 851 return 0; 852 } 853 854 static void 855 null_final(u_int8_t *buf, void *ctx) 856 { 857 if (buf != (u_int8_t *) 0) 858 memset(buf, 0, 12); 859 } 860 861 static int 862 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 863 { 864 RMD160Update(ctx, buf, len); 865 return 0; 866 } 867 868 static int 869 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 870 { 871 MD5Update(ctx, buf, len); 872 return 0; 873 } 874 875 static void 876 SHA1Init_int(void *ctx) 877 { 878 SHA1Init(ctx); 879 } 880 881 static int 882 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 883 { 884 SHA1Update(ctx, buf, len); 885 return 0; 886 } 887 888 static void 889 SHA1Final_int(u_int8_t *blk, void *ctx) 890 { 891 SHA1Final(blk, ctx); 892 } 893 894 static int 895 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 896 { 897 SHA256_Update(ctx, buf, len); 898 return 0; 899 } 900 901 static int 902 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 903 { 904 SHA384_Update(ctx, buf, len); 905 return 0; 906 } 907 908 static int 909 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 910 { 911 SHA512_Update(ctx, buf, len); 912 return 0; 913 } 914 915 /* 916 * And compression 917 */ 918 919 static u_int32_t 920 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 921 { 922 return deflate_global(data, size, 0, out, 0); 923 } 924 925 static u_int32_t 926 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 927 int size_hint) 928 { 929 return deflate_global(data, size, 1, out, size_hint); 930 } 931 932 static u_int32_t 933 gzip_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 934 { 935 return gzip_global(data, size, 0, out, 0); 936 } 937 938 static u_int32_t 939 gzip_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 940 int size_hint) 941 { 942 return gzip_global(data, size, 1, out, size_hint); 943 } 944