1 /* $NetBSD: cryptosoft_xform.c,v 1.25 2011/11/28 08:05:06 tls Exp $ */ 2 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 3 /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 11 * in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Permission to use, copy, and modify this software with or without fee 27 * is hereby granted, provided that this entire notice is included in 28 * all copies of any software which is or includes a copy or 29 * modification of this software. 30 * You may use this code under the GNU public license if you so wish. Please 31 * contribute changes back to the authors under this freer than GPL license 32 * so that we may further the use of strong encryption without limitations to 33 * all. 34 * 35 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 37 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 38 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 39 * PURPOSE. 40 */ 41 42 #include <sys/cdefs.h> 43 __KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.25 2011/11/28 08:05:06 tls Exp $"); 44 45 #include <crypto/blowfish/blowfish.h> 46 #include <crypto/cast128/cast128.h> 47 #include <crypto/des/des.h> 48 #include <crypto/rijndael/rijndael.h> 49 #include <crypto/skipjack/skipjack.h> 50 #include <crypto/camellia/camellia.h> 51 52 #include <opencrypto/deflate.h> 53 54 #include <sys/md5.h> 55 #include <sys/rmd160.h> 56 #include <sys/sha1.h> 57 #include <sys/sha2.h> 58 #include <opencrypto/aesxcbcmac.h> 59 #include <opencrypto/gmac.h> 60 61 struct swcr_auth_hash { 62 const struct auth_hash *auth_hash; 63 int ctxsize; 64 void (*Init)(void *); 65 void (*Setkey)(void *, const uint8_t *, uint16_t); 66 void (*Reinit)(void *, const uint8_t *, uint16_t); 67 int (*Update)(void *, const uint8_t *, uint16_t); 68 void (*Final)(uint8_t *, void *); 69 }; 70 71 struct swcr_enc_xform { 72 const struct enc_xform *enc_xform; 73 void (*encrypt)(void *, uint8_t *); 74 void (*decrypt)(void *, uint8_t *); 75 int (*setkey)(uint8_t **, const uint8_t *, int); 76 void (*zerokey)(uint8_t **); 77 void (*reinit)(void *, const uint8_t *, uint8_t *); 78 }; 79 80 struct swcr_comp_algo { 81 const struct comp_algo *unused_comp_algo; 82 uint32_t (*compress)(uint8_t *, uint32_t, uint8_t **); 83 uint32_t (*decompress)(uint8_t *, uint32_t, uint8_t **, int); 84 }; 85 86 static void null_encrypt(void *, u_int8_t *); 87 static void null_decrypt(void *, u_int8_t *); 88 static int null_setkey(u_int8_t **, const u_int8_t *, int); 89 static void null_zerokey(u_int8_t **); 90 91 static int des1_setkey(u_int8_t **, const u_int8_t *, int); 92 static int des3_setkey(u_int8_t **, const u_int8_t *, int); 93 static int blf_setkey(u_int8_t **, const u_int8_t *, int); 94 static int cast5_setkey(u_int8_t **, const u_int8_t *, int); 95 static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); 96 static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int); 97 static int cml_setkey(u_int8_t **, const u_int8_t *, int); 98 static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int); 99 static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int); 100 static void des1_encrypt(void *, u_int8_t *); 101 static void des3_encrypt(void *, u_int8_t *); 102 static void blf_encrypt(void *, u_int8_t *); 103 static void cast5_encrypt(void *, u_int8_t *); 104 static void skipjack_encrypt(void *, u_int8_t *); 105 static void rijndael128_encrypt(void *, u_int8_t *); 106 static void cml_encrypt(void *, u_int8_t *); 107 static void des1_decrypt(void *, u_int8_t *); 108 static void des3_decrypt(void *, u_int8_t *); 109 static void blf_decrypt(void *, u_int8_t *); 110 static void cast5_decrypt(void *, u_int8_t *); 111 static void skipjack_decrypt(void *, u_int8_t *); 112 static void rijndael128_decrypt(void *, u_int8_t *); 113 static void cml_decrypt(void *, u_int8_t *); 114 static void aes_ctr_crypt(void *, u_int8_t *); 115 static void des1_zerokey(u_int8_t **); 116 static void des3_zerokey(u_int8_t **); 117 static void blf_zerokey(u_int8_t **); 118 static void cast5_zerokey(u_int8_t **); 119 static void skipjack_zerokey(u_int8_t **); 120 static void rijndael128_zerokey(u_int8_t **); 121 static void cml_zerokey(u_int8_t **); 122 static void aes_ctr_zerokey(u_int8_t **); 123 static void aes_gmac_zerokey(u_int8_t **); 124 static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *); 125 static void aes_gcm_reinit(void *, const u_int8_t *, u_int8_t *); 126 static void aes_gmac_reinit(void *, const u_int8_t *, u_int8_t *); 127 128 static void null_init(void *); 129 static int null_update(void *, const u_int8_t *, u_int16_t); 130 static void null_final(u_int8_t *, void *); 131 132 static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 133 static void SHA1Init_int(void *); 134 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 135 static void SHA1Final_int(u_int8_t *, void *); 136 137 138 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 139 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 140 static void SHA1Final_int(u_int8_t *, void *); 141 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 142 static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 143 static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 144 static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 145 146 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 147 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 148 static u_int32_t gzip_compress(u_int8_t *, u_int32_t, u_int8_t **); 149 static u_int32_t gzip_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 150 151 /* Encryption instances */ 152 static const struct swcr_enc_xform swcr_enc_xform_null = { 153 &enc_xform_null, 154 null_encrypt, 155 null_decrypt, 156 null_setkey, 157 null_zerokey, 158 NULL 159 }; 160 161 static const struct swcr_enc_xform swcr_enc_xform_des = { 162 &enc_xform_des, 163 des1_encrypt, 164 des1_decrypt, 165 des1_setkey, 166 des1_zerokey, 167 NULL 168 }; 169 170 static const struct swcr_enc_xform swcr_enc_xform_3des = { 171 &enc_xform_3des, 172 des3_encrypt, 173 des3_decrypt, 174 des3_setkey, 175 des3_zerokey, 176 NULL 177 }; 178 179 static const struct swcr_enc_xform swcr_enc_xform_blf = { 180 &enc_xform_blf, 181 blf_encrypt, 182 blf_decrypt, 183 blf_setkey, 184 blf_zerokey, 185 NULL 186 }; 187 188 static const struct swcr_enc_xform swcr_enc_xform_cast5 = { 189 &enc_xform_cast5, 190 cast5_encrypt, 191 cast5_decrypt, 192 cast5_setkey, 193 cast5_zerokey, 194 NULL 195 }; 196 197 static const struct swcr_enc_xform swcr_enc_xform_skipjack = { 198 &enc_xform_skipjack, 199 skipjack_encrypt, 200 skipjack_decrypt, 201 skipjack_setkey, 202 skipjack_zerokey, 203 NULL 204 }; 205 206 static const struct swcr_enc_xform swcr_enc_xform_rijndael128 = { 207 &enc_xform_rijndael128, 208 rijndael128_encrypt, 209 rijndael128_decrypt, 210 rijndael128_setkey, 211 rijndael128_zerokey, 212 NULL 213 }; 214 215 static const struct swcr_enc_xform swcr_enc_xform_aes_ctr = { 216 &enc_xform_aes_ctr, 217 aes_ctr_crypt, 218 aes_ctr_crypt, 219 aes_ctr_setkey, 220 aes_ctr_zerokey, 221 aes_ctr_reinit 222 }; 223 224 static const struct swcr_enc_xform swcr_enc_xform_aes_gcm = { 225 &enc_xform_aes_gcm, 226 aes_ctr_crypt, 227 aes_ctr_crypt, 228 aes_ctr_setkey, 229 aes_ctr_zerokey, 230 aes_gcm_reinit 231 }; 232 233 static const struct swcr_enc_xform swcr_enc_xform_aes_gmac = { 234 &enc_xform_aes_gmac, 235 NULL, 236 NULL, 237 aes_gmac_setkey, 238 aes_gmac_zerokey, 239 aes_gmac_reinit 240 }; 241 242 static const struct swcr_enc_xform swcr_enc_xform_camellia = { 243 &enc_xform_camellia, 244 cml_encrypt, 245 cml_decrypt, 246 cml_setkey, 247 cml_zerokey, 248 NULL 249 }; 250 251 /* Authentication instances */ 252 static const struct swcr_auth_hash swcr_auth_hash_null = { 253 &auth_hash_null, sizeof(int), /* NB: context isn't used */ 254 null_init, NULL, NULL, null_update, null_final 255 }; 256 257 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5 = { 258 &auth_hash_hmac_md5, sizeof(MD5_CTX), 259 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 260 (void (*) (u_int8_t *, void *)) MD5Final 261 }; 262 263 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1 = { 264 &auth_hash_hmac_sha1, sizeof(SHA1_CTX), 265 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 266 }; 267 268 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160 = { 269 &auth_hash_hmac_ripemd_160, sizeof(RMD160_CTX), 270 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 271 (void (*)(u_int8_t *, void *)) RMD160Final 272 }; 273 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5_96 = { 274 &auth_hash_hmac_md5_96, sizeof(MD5_CTX), 275 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 276 (void (*) (u_int8_t *, void *)) MD5Final 277 }; 278 279 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1_96 = { 280 &auth_hash_hmac_sha1_96, sizeof(SHA1_CTX), 281 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 282 }; 283 284 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160_96 = { 285 &auth_hash_hmac_ripemd_160_96, sizeof(RMD160_CTX), 286 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 287 (void (*)(u_int8_t *, void *)) RMD160Final 288 }; 289 290 static const struct swcr_auth_hash swcr_auth_hash_key_md5 = { 291 &auth_hash_key_md5, sizeof(MD5_CTX), 292 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 293 (void (*)(u_int8_t *, void *)) MD5Final 294 }; 295 296 static const struct swcr_auth_hash swcr_auth_hash_key_sha1 = { 297 &auth_hash_key_sha1, sizeof(SHA1_CTX), 298 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 299 }; 300 301 static const struct swcr_auth_hash swcr_auth_hash_md5 = { 302 &auth_hash_md5, sizeof(MD5_CTX), 303 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 304 (void (*) (u_int8_t *, void *)) MD5Final 305 }; 306 307 static const struct swcr_auth_hash swcr_auth_hash_sha1 = { 308 &auth_hash_sha1, sizeof(SHA1_CTX), 309 (void (*)(void *)) SHA1Init, NULL, NULL, SHA1Update_int, 310 (void (*)(u_int8_t *, void *)) SHA1Final 311 }; 312 313 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_256 = { 314 &auth_hash_hmac_sha2_256, sizeof(SHA256_CTX), 315 (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, 316 (void (*)(u_int8_t *, void *)) SHA256_Final 317 }; 318 319 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_384 = { 320 &auth_hash_hmac_sha2_384, sizeof(SHA384_CTX), 321 (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, 322 (void (*)(u_int8_t *, void *)) SHA384_Final 323 }; 324 325 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_512 = { 326 &auth_hash_hmac_sha2_512, sizeof(SHA512_CTX), 327 (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, 328 (void (*)(u_int8_t *, void *)) SHA512_Final 329 }; 330 331 static const struct swcr_auth_hash swcr_auth_hash_aes_xcbc_mac = { 332 &auth_hash_aes_xcbc_mac_96, sizeof(aesxcbc_ctx), 333 null_init, 334 (void (*)(void *, const u_int8_t *, u_int16_t))aes_xcbc_mac_init, 335 NULL, aes_xcbc_mac_loop, aes_xcbc_mac_result 336 }; 337 338 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_128 = { 339 &auth_hash_gmac_aes_128, sizeof(AES_GMAC_CTX), 340 (void (*)(void *))AES_GMAC_Init, 341 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 342 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 343 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 344 (void (*)(u_int8_t *, void *))AES_GMAC_Final 345 }; 346 347 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_192 = { 348 &auth_hash_gmac_aes_192, sizeof(AES_GMAC_CTX), 349 (void (*)(void *))AES_GMAC_Init, 350 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 351 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 352 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 353 (void (*)(u_int8_t *, void *))AES_GMAC_Final 354 }; 355 356 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_256 = { 357 &auth_hash_gmac_aes_256, sizeof(AES_GMAC_CTX), 358 (void (*)(void *))AES_GMAC_Init, 359 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 360 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 361 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 362 (void (*)(u_int8_t *, void *))AES_GMAC_Final 363 }; 364 365 /* Compression instance */ 366 static const struct swcr_comp_algo swcr_comp_algo_deflate = { 367 &comp_algo_deflate, 368 deflate_compress, 369 deflate_decompress 370 }; 371 372 static const struct swcr_comp_algo swcr_comp_algo_deflate_nogrow = { 373 &comp_algo_deflate_nogrow, 374 deflate_compress, 375 deflate_decompress 376 }; 377 378 static const struct swcr_comp_algo swcr_comp_algo_gzip = { 379 &comp_algo_deflate, 380 gzip_compress, 381 gzip_decompress 382 }; 383 384 /* 385 * Encryption wrapper routines. 386 */ 387 static void 388 null_encrypt(void *key, u_int8_t *blk) 389 { 390 } 391 static void 392 null_decrypt(void *key, u_int8_t *blk) 393 { 394 } 395 static int 396 null_setkey(u_int8_t **sched, const u_int8_t *key, int len) 397 { 398 *sched = NULL; 399 return 0; 400 } 401 static void 402 null_zerokey(u_int8_t **sched) 403 { 404 *sched = NULL; 405 } 406 407 static void 408 des1_encrypt(void *key, u_int8_t *blk) 409 { 410 des_cblock *cb = (des_cblock *) blk; 411 des_key_schedule *p = (des_key_schedule *) key; 412 413 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 414 } 415 416 static void 417 des1_decrypt(void *key, u_int8_t *blk) 418 { 419 des_cblock *cb = (des_cblock *) blk; 420 des_key_schedule *p = (des_key_schedule *) key; 421 422 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 423 } 424 425 static int 426 des1_setkey(u_int8_t **sched, const u_int8_t *key, int len) 427 { 428 des_key_schedule *p; 429 int err; 430 431 p = malloc(sizeof (des_key_schedule), 432 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 433 if (p != NULL) { 434 des_set_key((des_cblock *)__UNCONST(key), p[0]); 435 err = 0; 436 } else 437 err = ENOMEM; 438 *sched = (u_int8_t *) p; 439 return err; 440 } 441 442 static void 443 des1_zerokey(u_int8_t **sched) 444 { 445 memset(*sched, 0, sizeof (des_key_schedule)); 446 free(*sched, M_CRYPTO_DATA); 447 *sched = NULL; 448 } 449 450 static void 451 des3_encrypt(void *key, u_int8_t *blk) 452 { 453 des_cblock *cb = (des_cblock *) blk; 454 des_key_schedule *p = (des_key_schedule *) key; 455 456 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 457 } 458 459 static void 460 des3_decrypt(void *key, u_int8_t *blk) 461 { 462 des_cblock *cb = (des_cblock *) blk; 463 des_key_schedule *p = (des_key_schedule *) key; 464 465 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 466 } 467 468 static int 469 des3_setkey(u_int8_t **sched, const u_int8_t *key, int len) 470 { 471 des_key_schedule *p; 472 int err; 473 474 p = malloc(3*sizeof (des_key_schedule), 475 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 476 if (p != NULL) { 477 des_set_key((des_cblock *)__UNCONST(key + 0), p[0]); 478 des_set_key((des_cblock *)__UNCONST(key + 8), p[1]); 479 des_set_key((des_cblock *)__UNCONST(key + 16), p[2]); 480 err = 0; 481 } else 482 err = ENOMEM; 483 *sched = (u_int8_t *) p; 484 return err; 485 } 486 487 static void 488 des3_zerokey(u_int8_t **sched) 489 { 490 memset(*sched, 0, 3*sizeof (des_key_schedule)); 491 free(*sched, M_CRYPTO_DATA); 492 *sched = NULL; 493 } 494 495 static void 496 blf_encrypt(void *key, u_int8_t *blk) 497 { 498 499 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 1); 500 } 501 502 static void 503 blf_decrypt(void *key, u_int8_t *blk) 504 { 505 506 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 0); 507 } 508 509 static int 510 blf_setkey(u_int8_t **sched, const u_int8_t *key, int len) 511 { 512 int err; 513 514 *sched = malloc(sizeof(BF_KEY), 515 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 516 if (*sched != NULL) { 517 BF_set_key((BF_KEY *) *sched, len, key); 518 err = 0; 519 } else 520 err = ENOMEM; 521 return err; 522 } 523 524 static void 525 blf_zerokey(u_int8_t **sched) 526 { 527 memset(*sched, 0, sizeof(BF_KEY)); 528 free(*sched, M_CRYPTO_DATA); 529 *sched = NULL; 530 } 531 532 static void 533 cast5_encrypt(void *key, u_int8_t *blk) 534 { 535 cast128_encrypt((cast128_key *) key, blk, blk); 536 } 537 538 static void 539 cast5_decrypt(void *key, u_int8_t *blk) 540 { 541 cast128_decrypt((cast128_key *) key, blk, blk); 542 } 543 544 static int 545 cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len) 546 { 547 int err; 548 549 *sched = malloc(sizeof(cast128_key), M_CRYPTO_DATA, 550 M_NOWAIT|M_ZERO); 551 if (*sched != NULL) { 552 cast128_setkey((cast128_key *)*sched, key, len); 553 err = 0; 554 } else 555 err = ENOMEM; 556 return err; 557 } 558 559 static void 560 cast5_zerokey(u_int8_t **sched) 561 { 562 memset(*sched, 0, sizeof(cast128_key)); 563 free(*sched, M_CRYPTO_DATA); 564 *sched = NULL; 565 } 566 567 static void 568 skipjack_encrypt(void *key, u_int8_t *blk) 569 { 570 skipjack_forwards(blk, blk, (u_int8_t **) key); 571 } 572 573 static void 574 skipjack_decrypt(void *key, u_int8_t *blk) 575 { 576 skipjack_backwards(blk, blk, (u_int8_t **) key); 577 } 578 579 static int 580 skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len) 581 { 582 int err; 583 584 /* NB: allocate all the memory that's needed at once */ 585 /* XXX assumes bytes are aligned on sizeof(u_char) == 1 boundaries. 586 * Will this break a pdp-10, Cray-1, or GE-645 port? 587 */ 588 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 589 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 590 591 if (*sched != NULL) { 592 593 u_int8_t** key_tables = (u_int8_t**) *sched; 594 u_int8_t* table = (u_int8_t*) &key_tables[10]; 595 int k; 596 597 for (k = 0; k < 10; k++) { 598 key_tables[k] = table; 599 table += 0x100; 600 } 601 subkey_table_gen(key, (u_int8_t **) *sched); 602 err = 0; 603 } else 604 err = ENOMEM; 605 return err; 606 } 607 608 static void 609 skipjack_zerokey(u_int8_t **sched) 610 { 611 memset(*sched, 0, 10 * (sizeof(u_int8_t *) + 0x100)); 612 free(*sched, M_CRYPTO_DATA); 613 *sched = NULL; 614 } 615 616 static void 617 rijndael128_encrypt(void *key, u_int8_t *blk) 618 { 619 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 620 } 621 622 static void 623 rijndael128_decrypt(void *key, u_int8_t *blk) 624 { 625 rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk, 626 (u_char *) blk); 627 } 628 629 static int 630 rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len) 631 { 632 int err; 633 634 if (len != 16 && len != 24 && len != 32) 635 return EINVAL; 636 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 637 M_NOWAIT|M_ZERO); 638 if (*sched != NULL) { 639 rijndael_set_key((rijndael_ctx *) *sched, key, len * 8); 640 err = 0; 641 } else 642 err = ENOMEM; 643 return err; 644 } 645 646 static void 647 rijndael128_zerokey(u_int8_t **sched) 648 { 649 memset(*sched, 0, sizeof(rijndael_ctx)); 650 free(*sched, M_CRYPTO_DATA); 651 *sched = NULL; 652 } 653 654 static void 655 cml_encrypt(void *key, u_int8_t *blk) 656 { 657 658 camellia_encrypt(key, blk, blk); 659 } 660 661 static void 662 cml_decrypt(void *key, u_int8_t *blk) 663 { 664 665 camellia_decrypt(key, blk, blk); 666 } 667 668 static int 669 cml_setkey(u_int8_t **sched, const u_int8_t *key, int len) 670 { 671 int err; 672 673 if (len != 16 && len != 24 && len != 32) 674 return (EINVAL); 675 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 676 M_NOWAIT|M_ZERO); 677 if (*sched != NULL) { 678 camellia_set_key((camellia_ctx *) *sched, key, len * 8); 679 err = 0; 680 } else 681 err = ENOMEM; 682 return err; 683 } 684 685 static void 686 cml_zerokey(u_int8_t **sched) 687 { 688 689 memset(*sched, 0, sizeof(camellia_ctx)); 690 free(*sched, M_CRYPTO_DATA); 691 *sched = NULL; 692 } 693 694 #define AESCTR_NONCESIZE 4 695 #define AESCTR_IVSIZE 8 696 #define AESCTR_BLOCKSIZE 16 697 698 struct aes_ctr_ctx { 699 /* need only encryption half */ 700 u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; 701 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 702 int ac_nr; 703 struct { 704 u_int64_t lastiv; 705 } ivgenctx; 706 }; 707 708 static void 709 aes_ctr_crypt(void *key, u_int8_t *blk) 710 { 711 struct aes_ctr_ctx *ctx; 712 u_int8_t keystream[AESCTR_BLOCKSIZE]; 713 int i; 714 715 ctx = key; 716 /* increment counter */ 717 for (i = AESCTR_BLOCKSIZE - 1; 718 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 719 if (++ctx->ac_block[i]) /* continue on overflow */ 720 break; 721 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 722 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 723 blk[i] ^= keystream[i]; 724 memset(keystream, 0, sizeof(keystream)); 725 } 726 727 int 728 aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len) 729 { 730 struct aes_ctr_ctx *ctx; 731 732 if (len < AESCTR_NONCESIZE) 733 return EINVAL; 734 735 ctx = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA, 736 M_NOWAIT|M_ZERO); 737 if (!ctx) 738 return ENOMEM; 739 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (const u_char *)key, 740 (len - AESCTR_NONCESIZE) * 8); 741 if (!ctx->ac_nr) { /* wrong key len */ 742 aes_ctr_zerokey((u_int8_t **)&ctx); 743 return EINVAL; 744 } 745 memcpy(ctx->ac_block, key + len - AESCTR_NONCESIZE, AESCTR_NONCESIZE); 746 /* random start value for simple counter */ 747 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 748 *sched = (void *)ctx; 749 return 0; 750 } 751 752 void 753 aes_ctr_zerokey(u_int8_t **sched) 754 { 755 756 memset(*sched, 0, sizeof(struct aes_ctr_ctx)); 757 free(*sched, M_CRYPTO_DATA); 758 *sched = NULL; 759 } 760 761 void 762 aes_ctr_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 763 { 764 struct aes_ctr_ctx *ctx = key; 765 766 if (!iv) { 767 ctx->ivgenctx.lastiv++; 768 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 769 } 770 if (ivout) 771 memcpy(ivout, iv, AESCTR_IVSIZE); 772 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 773 /* reset counter */ 774 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 775 } 776 777 void 778 aes_gcm_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 779 { 780 struct aes_ctr_ctx *ctx = key; 781 782 if (!iv) { 783 ctx->ivgenctx.lastiv++; 784 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 785 } 786 if (ivout) 787 memcpy(ivout, iv, AESCTR_IVSIZE); 788 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 789 /* reset counter */ 790 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 791 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 792 } 793 794 struct aes_gmac_ctx { 795 struct { 796 u_int64_t lastiv; 797 } ivgenctx; 798 }; 799 800 int 801 aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len) 802 { 803 struct aes_gmac_ctx *ctx; 804 805 ctx = malloc(sizeof(struct aes_gmac_ctx), M_CRYPTO_DATA, 806 M_NOWAIT|M_ZERO); 807 if (!ctx) 808 return ENOMEM; 809 810 /* random start value for simple counter */ 811 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 812 *sched = (void *)ctx; 813 return 0; 814 } 815 816 void 817 aes_gmac_zerokey(u_int8_t **sched) 818 { 819 820 free(*sched, M_CRYPTO_DATA); 821 *sched = NULL; 822 } 823 824 void 825 aes_gmac_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 826 { 827 struct aes_gmac_ctx *ctx = key; 828 829 if (!iv) { 830 ctx->ivgenctx.lastiv++; 831 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 832 } 833 if (ivout) 834 memcpy(ivout, iv, AESCTR_IVSIZE); 835 } 836 837 /* 838 * And now for auth. 839 */ 840 841 static void 842 null_init(void *ctx) 843 { 844 } 845 846 static int 847 null_update(void *ctx, const u_int8_t *buf, 848 u_int16_t len) 849 { 850 return 0; 851 } 852 853 static void 854 null_final(u_int8_t *buf, void *ctx) 855 { 856 if (buf != (u_int8_t *) 0) 857 memset(buf, 0, 12); 858 } 859 860 static int 861 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 862 { 863 RMD160Update(ctx, buf, len); 864 return 0; 865 } 866 867 static int 868 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 869 { 870 MD5Update(ctx, buf, len); 871 return 0; 872 } 873 874 static void 875 SHA1Init_int(void *ctx) 876 { 877 SHA1Init(ctx); 878 } 879 880 static int 881 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 882 { 883 SHA1Update(ctx, buf, len); 884 return 0; 885 } 886 887 static void 888 SHA1Final_int(u_int8_t *blk, void *ctx) 889 { 890 SHA1Final(blk, ctx); 891 } 892 893 static int 894 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 895 { 896 SHA256_Update(ctx, buf, len); 897 return 0; 898 } 899 900 static int 901 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 902 { 903 SHA384_Update(ctx, buf, len); 904 return 0; 905 } 906 907 static int 908 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 909 { 910 SHA512_Update(ctx, buf, len); 911 return 0; 912 } 913 914 /* 915 * And compression 916 */ 917 918 static u_int32_t 919 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 920 { 921 return deflate_global(data, size, 0, out, 0); 922 } 923 924 static u_int32_t 925 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 926 int size_hint) 927 { 928 return deflate_global(data, size, 1, out, size_hint); 929 } 930 931 static u_int32_t 932 gzip_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 933 { 934 return gzip_global(data, size, 0, out, 0); 935 } 936 937 static u_int32_t 938 gzip_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 939 int size_hint) 940 { 941 return gzip_global(data, size, 1, out, size_hint); 942 } 943