1 /* $NetBSD: cryptosoft_xform.c,v 1.27 2014/11/27 20:30:21 christos Exp $ */ 2 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 3 /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 11 * in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Permission to use, copy, and modify this software with or without fee 27 * is hereby granted, provided that this entire notice is included in 28 * all copies of any software which is or includes a copy or 29 * modification of this software. 30 * You may use this code under the GNU public license if you so wish. Please 31 * contribute changes back to the authors under this freer than GPL license 32 * so that we may further the use of strong encryption without limitations to 33 * all. 34 * 35 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 37 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 38 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 39 * PURPOSE. 40 */ 41 42 #include <sys/cdefs.h> 43 __KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.27 2014/11/27 20:30:21 christos Exp $"); 44 45 #include <crypto/blowfish/blowfish.h> 46 #include <crypto/cast128/cast128.h> 47 #include <crypto/des/des.h> 48 #include <crypto/rijndael/rijndael.h> 49 #include <crypto/skipjack/skipjack.h> 50 #include <crypto/camellia/camellia.h> 51 52 #include <opencrypto/deflate.h> 53 54 #include <sys/md5.h> 55 #include <sys/rmd160.h> 56 #include <sys/sha1.h> 57 #include <sys/sha2.h> 58 #include <sys/cprng.h> 59 #include <opencrypto/aesxcbcmac.h> 60 #include <opencrypto/gmac.h> 61 62 struct swcr_auth_hash { 63 const struct auth_hash *auth_hash; 64 int ctxsize; 65 void (*Init)(void *); 66 void (*Setkey)(void *, const uint8_t *, uint16_t); 67 void (*Reinit)(void *, const uint8_t *, uint16_t); 68 int (*Update)(void *, const uint8_t *, uint16_t); 69 void (*Final)(uint8_t *, void *); 70 }; 71 72 struct swcr_enc_xform { 73 const struct enc_xform *enc_xform; 74 void (*encrypt)(void *, uint8_t *); 75 void (*decrypt)(void *, uint8_t *); 76 int (*setkey)(uint8_t **, const uint8_t *, int); 77 void (*zerokey)(uint8_t **); 78 void (*reinit)(void *, const uint8_t *, uint8_t *); 79 }; 80 81 struct swcr_comp_algo { 82 const struct comp_algo *unused_comp_algo; 83 uint32_t (*compress)(uint8_t *, uint32_t, uint8_t **); 84 uint32_t (*decompress)(uint8_t *, uint32_t, uint8_t **, int); 85 }; 86 87 static void null_encrypt(void *, u_int8_t *); 88 static void null_decrypt(void *, u_int8_t *); 89 static int null_setkey(u_int8_t **, const u_int8_t *, int); 90 static void null_zerokey(u_int8_t **); 91 92 static int des1_setkey(u_int8_t **, const u_int8_t *, int); 93 static int des3_setkey(u_int8_t **, const u_int8_t *, int); 94 static int blf_setkey(u_int8_t **, const u_int8_t *, int); 95 static int cast5_setkey(u_int8_t **, const u_int8_t *, int); 96 static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); 97 static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int); 98 static int cml_setkey(u_int8_t **, const u_int8_t *, int); 99 static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int); 100 static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int); 101 static void des1_encrypt(void *, u_int8_t *); 102 static void des3_encrypt(void *, u_int8_t *); 103 static void blf_encrypt(void *, u_int8_t *); 104 static void cast5_encrypt(void *, u_int8_t *); 105 static void skipjack_encrypt(void *, u_int8_t *); 106 static void rijndael128_encrypt(void *, u_int8_t *); 107 static void cml_encrypt(void *, u_int8_t *); 108 static void des1_decrypt(void *, u_int8_t *); 109 static void des3_decrypt(void *, u_int8_t *); 110 static void blf_decrypt(void *, u_int8_t *); 111 static void cast5_decrypt(void *, u_int8_t *); 112 static void skipjack_decrypt(void *, u_int8_t *); 113 static void rijndael128_decrypt(void *, u_int8_t *); 114 static void cml_decrypt(void *, u_int8_t *); 115 static void aes_ctr_crypt(void *, u_int8_t *); 116 static void des1_zerokey(u_int8_t **); 117 static void des3_zerokey(u_int8_t **); 118 static void blf_zerokey(u_int8_t **); 119 static void cast5_zerokey(u_int8_t **); 120 static void skipjack_zerokey(u_int8_t **); 121 static void rijndael128_zerokey(u_int8_t **); 122 static void cml_zerokey(u_int8_t **); 123 static void aes_ctr_zerokey(u_int8_t **); 124 static void aes_gmac_zerokey(u_int8_t **); 125 static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *); 126 static void aes_gcm_reinit(void *, const u_int8_t *, u_int8_t *); 127 static void aes_gmac_reinit(void *, const u_int8_t *, u_int8_t *); 128 129 static void null_init(void *); 130 static int null_update(void *, const u_int8_t *, u_int16_t); 131 static void null_final(u_int8_t *, void *); 132 133 static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 134 static void SHA1Init_int(void *); 135 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 136 static void SHA1Final_int(u_int8_t *, void *); 137 138 139 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 140 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 141 static void SHA1Final_int(u_int8_t *, void *); 142 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 143 static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 144 static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 145 static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 146 147 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 148 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 149 static u_int32_t gzip_compress(u_int8_t *, u_int32_t, u_int8_t **); 150 static u_int32_t gzip_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 151 152 /* Encryption instances */ 153 static const struct swcr_enc_xform swcr_enc_xform_null = { 154 &enc_xform_null, 155 null_encrypt, 156 null_decrypt, 157 null_setkey, 158 null_zerokey, 159 NULL 160 }; 161 162 static const struct swcr_enc_xform swcr_enc_xform_des = { 163 &enc_xform_des, 164 des1_encrypt, 165 des1_decrypt, 166 des1_setkey, 167 des1_zerokey, 168 NULL 169 }; 170 171 static const struct swcr_enc_xform swcr_enc_xform_3des = { 172 &enc_xform_3des, 173 des3_encrypt, 174 des3_decrypt, 175 des3_setkey, 176 des3_zerokey, 177 NULL 178 }; 179 180 static const struct swcr_enc_xform swcr_enc_xform_blf = { 181 &enc_xform_blf, 182 blf_encrypt, 183 blf_decrypt, 184 blf_setkey, 185 blf_zerokey, 186 NULL 187 }; 188 189 static const struct swcr_enc_xform swcr_enc_xform_cast5 = { 190 &enc_xform_cast5, 191 cast5_encrypt, 192 cast5_decrypt, 193 cast5_setkey, 194 cast5_zerokey, 195 NULL 196 }; 197 198 static const struct swcr_enc_xform swcr_enc_xform_skipjack = { 199 &enc_xform_skipjack, 200 skipjack_encrypt, 201 skipjack_decrypt, 202 skipjack_setkey, 203 skipjack_zerokey, 204 NULL 205 }; 206 207 static const struct swcr_enc_xform swcr_enc_xform_rijndael128 = { 208 &enc_xform_rijndael128, 209 rijndael128_encrypt, 210 rijndael128_decrypt, 211 rijndael128_setkey, 212 rijndael128_zerokey, 213 NULL 214 }; 215 216 static const struct swcr_enc_xform swcr_enc_xform_aes_ctr = { 217 &enc_xform_aes_ctr, 218 aes_ctr_crypt, 219 aes_ctr_crypt, 220 aes_ctr_setkey, 221 aes_ctr_zerokey, 222 aes_ctr_reinit 223 }; 224 225 static const struct swcr_enc_xform swcr_enc_xform_aes_gcm = { 226 &enc_xform_aes_gcm, 227 aes_ctr_crypt, 228 aes_ctr_crypt, 229 aes_ctr_setkey, 230 aes_ctr_zerokey, 231 aes_gcm_reinit 232 }; 233 234 static const struct swcr_enc_xform swcr_enc_xform_aes_gmac = { 235 &enc_xform_aes_gmac, 236 NULL, 237 NULL, 238 aes_gmac_setkey, 239 aes_gmac_zerokey, 240 aes_gmac_reinit 241 }; 242 243 static const struct swcr_enc_xform swcr_enc_xform_camellia = { 244 &enc_xform_camellia, 245 cml_encrypt, 246 cml_decrypt, 247 cml_setkey, 248 cml_zerokey, 249 NULL 250 }; 251 252 /* Authentication instances */ 253 static const struct swcr_auth_hash swcr_auth_hash_null = { 254 &auth_hash_null, sizeof(int), /* NB: context isn't used */ 255 null_init, NULL, NULL, null_update, null_final 256 }; 257 258 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5 = { 259 &auth_hash_hmac_md5, sizeof(MD5_CTX), 260 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 261 (void (*) (u_int8_t *, void *)) MD5Final 262 }; 263 264 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1 = { 265 &auth_hash_hmac_sha1, sizeof(SHA1_CTX), 266 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 267 }; 268 269 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160 = { 270 &auth_hash_hmac_ripemd_160, sizeof(RMD160_CTX), 271 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 272 (void (*)(u_int8_t *, void *)) RMD160Final 273 }; 274 static const struct swcr_auth_hash swcr_auth_hash_hmac_md5_96 = { 275 &auth_hash_hmac_md5_96, sizeof(MD5_CTX), 276 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 277 (void (*) (u_int8_t *, void *)) MD5Final 278 }; 279 280 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1_96 = { 281 &auth_hash_hmac_sha1_96, sizeof(SHA1_CTX), 282 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 283 }; 284 285 static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160_96 = { 286 &auth_hash_hmac_ripemd_160_96, sizeof(RMD160_CTX), 287 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 288 (void (*)(u_int8_t *, void *)) RMD160Final 289 }; 290 291 static const struct swcr_auth_hash swcr_auth_hash_key_md5 = { 292 &auth_hash_key_md5, sizeof(MD5_CTX), 293 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 294 (void (*)(u_int8_t *, void *)) MD5Final 295 }; 296 297 static const struct swcr_auth_hash swcr_auth_hash_key_sha1 = { 298 &auth_hash_key_sha1, sizeof(SHA1_CTX), 299 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 300 }; 301 302 static const struct swcr_auth_hash swcr_auth_hash_md5 = { 303 &auth_hash_md5, sizeof(MD5_CTX), 304 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 305 (void (*) (u_int8_t *, void *)) MD5Final 306 }; 307 308 static const struct swcr_auth_hash swcr_auth_hash_sha1 = { 309 &auth_hash_sha1, sizeof(SHA1_CTX), 310 (void (*)(void *)) SHA1Init, NULL, NULL, SHA1Update_int, 311 (void (*)(u_int8_t *, void *)) SHA1Final 312 }; 313 314 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_256 = { 315 &auth_hash_hmac_sha2_256, sizeof(SHA256_CTX), 316 (void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int, 317 (void (*)(u_int8_t *, void *)) SHA256_Final 318 }; 319 320 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_384 = { 321 &auth_hash_hmac_sha2_384, sizeof(SHA384_CTX), 322 (void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int, 323 (void (*)(u_int8_t *, void *)) SHA384_Final 324 }; 325 326 static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_512 = { 327 &auth_hash_hmac_sha2_512, sizeof(SHA512_CTX), 328 (void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int, 329 (void (*)(u_int8_t *, void *)) SHA512_Final 330 }; 331 332 static const struct swcr_auth_hash swcr_auth_hash_aes_xcbc_mac = { 333 &auth_hash_aes_xcbc_mac_96, sizeof(aesxcbc_ctx), 334 null_init, 335 (void (*)(void *, const u_int8_t *, u_int16_t))aes_xcbc_mac_init, 336 NULL, aes_xcbc_mac_loop, aes_xcbc_mac_result 337 }; 338 339 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_128 = { 340 &auth_hash_gmac_aes_128, sizeof(AES_GMAC_CTX), 341 (void (*)(void *))AES_GMAC_Init, 342 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 343 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 344 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 345 (void (*)(u_int8_t *, void *))AES_GMAC_Final 346 }; 347 348 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_192 = { 349 &auth_hash_gmac_aes_192, sizeof(AES_GMAC_CTX), 350 (void (*)(void *))AES_GMAC_Init, 351 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 352 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 353 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 354 (void (*)(u_int8_t *, void *))AES_GMAC_Final 355 }; 356 357 static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_256 = { 358 &auth_hash_gmac_aes_256, sizeof(AES_GMAC_CTX), 359 (void (*)(void *))AES_GMAC_Init, 360 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 361 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 362 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 363 (void (*)(u_int8_t *, void *))AES_GMAC_Final 364 }; 365 366 /* Compression instance */ 367 static const struct swcr_comp_algo swcr_comp_algo_deflate = { 368 &comp_algo_deflate, 369 deflate_compress, 370 deflate_decompress 371 }; 372 373 static const struct swcr_comp_algo swcr_comp_algo_deflate_nogrow = { 374 &comp_algo_deflate_nogrow, 375 deflate_compress, 376 deflate_decompress 377 }; 378 379 static const struct swcr_comp_algo swcr_comp_algo_gzip = { 380 &comp_algo_deflate, 381 gzip_compress, 382 gzip_decompress 383 }; 384 385 /* 386 * Encryption wrapper routines. 387 */ 388 static void 389 null_encrypt(void *key, u_int8_t *blk) 390 { 391 } 392 static void 393 null_decrypt(void *key, u_int8_t *blk) 394 { 395 } 396 static int 397 null_setkey(u_int8_t **sched, const u_int8_t *key, int len) 398 { 399 *sched = NULL; 400 return 0; 401 } 402 static void 403 null_zerokey(u_int8_t **sched) 404 { 405 *sched = NULL; 406 } 407 408 static void 409 des1_encrypt(void *key, u_int8_t *blk) 410 { 411 des_cblock *cb = (des_cblock *) blk; 412 des_key_schedule *p = (des_key_schedule *) key; 413 414 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 415 } 416 417 static void 418 des1_decrypt(void *key, u_int8_t *blk) 419 { 420 des_cblock *cb = (des_cblock *) blk; 421 des_key_schedule *p = (des_key_schedule *) key; 422 423 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 424 } 425 426 static int 427 des1_setkey(u_int8_t **sched, const u_int8_t *key, int len) 428 { 429 des_key_schedule *p; 430 431 p = malloc(sizeof (des_key_schedule), 432 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 433 *sched = (u_int8_t *) p; 434 if (p == NULL) 435 return ENOMEM; 436 des_set_key((des_cblock *)__UNCONST(key), p[0]); 437 return 0; 438 } 439 440 static void 441 des1_zerokey(u_int8_t **sched) 442 { 443 memset(*sched, 0, sizeof (des_key_schedule)); 444 free(*sched, M_CRYPTO_DATA); 445 *sched = NULL; 446 } 447 448 static void 449 des3_encrypt(void *key, u_int8_t *blk) 450 { 451 des_cblock *cb = (des_cblock *) blk; 452 des_key_schedule *p = (des_key_schedule *) key; 453 454 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 455 } 456 457 static void 458 des3_decrypt(void *key, u_int8_t *blk) 459 { 460 des_cblock *cb = (des_cblock *) blk; 461 des_key_schedule *p = (des_key_schedule *) key; 462 463 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 464 } 465 466 static int 467 des3_setkey(u_int8_t **sched, const u_int8_t *key, int len) 468 { 469 des_key_schedule *p; 470 471 p = malloc(3*sizeof (des_key_schedule), 472 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 473 *sched = (u_int8_t *) p; 474 if (p == NULL) 475 return ENOMEM; 476 des_set_key((des_cblock *)__UNCONST(key + 0), p[0]); 477 des_set_key((des_cblock *)__UNCONST(key + 8), p[1]); 478 des_set_key((des_cblock *)__UNCONST(key + 16), p[2]); 479 return 0; 480 } 481 482 static void 483 des3_zerokey(u_int8_t **sched) 484 { 485 memset(*sched, 0, 3*sizeof (des_key_schedule)); 486 free(*sched, M_CRYPTO_DATA); 487 *sched = NULL; 488 } 489 490 static void 491 blf_encrypt(void *key, u_int8_t *blk) 492 { 493 494 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 1); 495 } 496 497 static void 498 blf_decrypt(void *key, u_int8_t *blk) 499 { 500 501 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 0); 502 } 503 504 static int 505 blf_setkey(u_int8_t **sched, const u_int8_t *key, int len) 506 { 507 508 *sched = malloc(sizeof(BF_KEY), 509 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 510 if (*sched == NULL) 511 return ENOMEM; 512 BF_set_key((BF_KEY *) *sched, len, key); 513 return 0; 514 } 515 516 static void 517 blf_zerokey(u_int8_t **sched) 518 { 519 memset(*sched, 0, sizeof(BF_KEY)); 520 free(*sched, M_CRYPTO_DATA); 521 *sched = NULL; 522 } 523 524 static void 525 cast5_encrypt(void *key, u_int8_t *blk) 526 { 527 cast128_encrypt((cast128_key *) key, blk, blk); 528 } 529 530 static void 531 cast5_decrypt(void *key, u_int8_t *blk) 532 { 533 cast128_decrypt((cast128_key *) key, blk, blk); 534 } 535 536 static int 537 cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len) 538 { 539 540 *sched = malloc(sizeof(cast128_key), M_CRYPTO_DATA, 541 M_NOWAIT|M_ZERO); 542 if (*sched == NULL) 543 return ENOMEM; 544 cast128_setkey((cast128_key *)*sched, key, len); 545 return 0; 546 } 547 548 static void 549 cast5_zerokey(u_int8_t **sched) 550 { 551 memset(*sched, 0, sizeof(cast128_key)); 552 free(*sched, M_CRYPTO_DATA); 553 *sched = NULL; 554 } 555 556 static void 557 skipjack_encrypt(void *key, u_int8_t *blk) 558 { 559 skipjack_forwards(blk, blk, (u_int8_t **) key); 560 } 561 562 static void 563 skipjack_decrypt(void *key, u_int8_t *blk) 564 { 565 skipjack_backwards(blk, blk, (u_int8_t **) key); 566 } 567 568 static int 569 skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len) 570 { 571 572 /* NB: allocate all the memory that's needed at once */ 573 /* XXX assumes bytes are aligned on sizeof(u_char) == 1 boundaries. 574 * Will this break a pdp-10, Cray-1, or GE-645 port? 575 */ 576 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 577 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 578 579 if (*sched == NULL) 580 return ENOMEM; 581 582 u_int8_t** key_tables = (u_int8_t**) *sched; 583 u_int8_t* table = (u_int8_t*) &key_tables[10]; 584 int k; 585 586 for (k = 0; k < 10; k++) { 587 key_tables[k] = table; 588 table += 0x100; 589 } 590 subkey_table_gen(key, (u_int8_t **) *sched); 591 return 0; 592 } 593 594 static void 595 skipjack_zerokey(u_int8_t **sched) 596 { 597 memset(*sched, 0, 10 * (sizeof(u_int8_t *) + 0x100)); 598 free(*sched, M_CRYPTO_DATA); 599 *sched = NULL; 600 } 601 602 static void 603 rijndael128_encrypt(void *key, u_int8_t *blk) 604 { 605 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 606 } 607 608 static void 609 rijndael128_decrypt(void *key, u_int8_t *blk) 610 { 611 rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk, 612 (u_char *) blk); 613 } 614 615 static int 616 rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len) 617 { 618 619 if (len != 16 && len != 24 && len != 32) 620 return EINVAL; 621 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 622 M_NOWAIT|M_ZERO); 623 if (*sched == NULL) 624 return ENOMEM; 625 rijndael_set_key((rijndael_ctx *) *sched, key, len * 8); 626 return 0; 627 } 628 629 static void 630 rijndael128_zerokey(u_int8_t **sched) 631 { 632 memset(*sched, 0, sizeof(rijndael_ctx)); 633 free(*sched, M_CRYPTO_DATA); 634 *sched = NULL; 635 } 636 637 static void 638 cml_encrypt(void *key, u_int8_t *blk) 639 { 640 641 camellia_encrypt(key, blk, blk); 642 } 643 644 static void 645 cml_decrypt(void *key, u_int8_t *blk) 646 { 647 648 camellia_decrypt(key, blk, blk); 649 } 650 651 static int 652 cml_setkey(u_int8_t **sched, const u_int8_t *key, int len) 653 { 654 655 if (len != 16 && len != 24 && len != 32) 656 return (EINVAL); 657 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 658 M_NOWAIT|M_ZERO); 659 if (*sched == NULL) 660 return ENOMEM; 661 662 camellia_set_key((camellia_ctx *) *sched, key, len * 8); 663 return 0; 664 } 665 666 static void 667 cml_zerokey(u_int8_t **sched) 668 { 669 670 memset(*sched, 0, sizeof(camellia_ctx)); 671 free(*sched, M_CRYPTO_DATA); 672 *sched = NULL; 673 } 674 675 #define AESCTR_NONCESIZE 4 676 #define AESCTR_IVSIZE 8 677 #define AESCTR_BLOCKSIZE 16 678 679 struct aes_ctr_ctx { 680 /* need only encryption half */ 681 u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)]; 682 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 683 int ac_nr; 684 struct { 685 u_int64_t lastiv; 686 } ivgenctx; 687 }; 688 689 static void 690 aes_ctr_crypt(void *key, u_int8_t *blk) 691 { 692 struct aes_ctr_ctx *ctx; 693 u_int8_t keystream[AESCTR_BLOCKSIZE]; 694 int i; 695 696 ctx = key; 697 /* increment counter */ 698 for (i = AESCTR_BLOCKSIZE - 1; 699 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 700 if (++ctx->ac_block[i]) /* continue on overflow */ 701 break; 702 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 703 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 704 blk[i] ^= keystream[i]; 705 memset(keystream, 0, sizeof(keystream)); 706 } 707 708 int 709 aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len) 710 { 711 struct aes_ctr_ctx *ctx; 712 713 if (len < AESCTR_NONCESIZE) 714 return EINVAL; 715 716 ctx = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA, 717 M_NOWAIT|M_ZERO); 718 if (!ctx) 719 return ENOMEM; 720 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (const u_char *)key, 721 (len - AESCTR_NONCESIZE) * 8); 722 if (!ctx->ac_nr) { /* wrong key len */ 723 aes_ctr_zerokey((u_int8_t **)&ctx); 724 return EINVAL; 725 } 726 memcpy(ctx->ac_block, key + len - AESCTR_NONCESIZE, AESCTR_NONCESIZE); 727 /* random start value for simple counter */ 728 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 729 *sched = (void *)ctx; 730 return 0; 731 } 732 733 void 734 aes_ctr_zerokey(u_int8_t **sched) 735 { 736 737 memset(*sched, 0, sizeof(struct aes_ctr_ctx)); 738 free(*sched, M_CRYPTO_DATA); 739 *sched = NULL; 740 } 741 742 void 743 aes_ctr_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 744 { 745 struct aes_ctr_ctx *ctx = key; 746 747 if (!iv) { 748 ctx->ivgenctx.lastiv++; 749 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 750 } 751 if (ivout) 752 memcpy(ivout, iv, AESCTR_IVSIZE); 753 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 754 /* reset counter */ 755 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 756 } 757 758 void 759 aes_gcm_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 760 { 761 struct aes_ctr_ctx *ctx = key; 762 763 if (!iv) { 764 ctx->ivgenctx.lastiv++; 765 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 766 } 767 if (ivout) 768 memcpy(ivout, iv, AESCTR_IVSIZE); 769 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 770 /* reset counter */ 771 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 772 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 773 } 774 775 struct aes_gmac_ctx { 776 struct { 777 u_int64_t lastiv; 778 } ivgenctx; 779 }; 780 781 int 782 aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len) 783 { 784 struct aes_gmac_ctx *ctx; 785 786 ctx = malloc(sizeof(struct aes_gmac_ctx), M_CRYPTO_DATA, 787 M_NOWAIT|M_ZERO); 788 if (!ctx) 789 return ENOMEM; 790 791 /* random start value for simple counter */ 792 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 793 *sched = (void *)ctx; 794 return 0; 795 } 796 797 void 798 aes_gmac_zerokey(u_int8_t **sched) 799 { 800 801 free(*sched, M_CRYPTO_DATA); 802 *sched = NULL; 803 } 804 805 void 806 aes_gmac_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 807 { 808 struct aes_gmac_ctx *ctx = key; 809 810 if (!iv) { 811 ctx->ivgenctx.lastiv++; 812 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 813 } 814 if (ivout) 815 memcpy(ivout, iv, AESCTR_IVSIZE); 816 } 817 818 /* 819 * And now for auth. 820 */ 821 822 static void 823 null_init(void *ctx) 824 { 825 } 826 827 static int 828 null_update(void *ctx, const u_int8_t *buf, 829 u_int16_t len) 830 { 831 return 0; 832 } 833 834 static void 835 null_final(u_int8_t *buf, void *ctx) 836 { 837 if (buf != (u_int8_t *) 0) 838 memset(buf, 0, 12); 839 } 840 841 static int 842 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 843 { 844 RMD160Update(ctx, buf, len); 845 return 0; 846 } 847 848 static int 849 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 850 { 851 MD5Update(ctx, buf, len); 852 return 0; 853 } 854 855 static void 856 SHA1Init_int(void *ctx) 857 { 858 SHA1Init(ctx); 859 } 860 861 static int 862 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 863 { 864 SHA1Update(ctx, buf, len); 865 return 0; 866 } 867 868 static void 869 SHA1Final_int(u_int8_t *blk, void *ctx) 870 { 871 SHA1Final(blk, ctx); 872 } 873 874 static int 875 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 876 { 877 SHA256_Update(ctx, buf, len); 878 return 0; 879 } 880 881 static int 882 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 883 { 884 SHA384_Update(ctx, buf, len); 885 return 0; 886 } 887 888 static int 889 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 890 { 891 SHA512_Update(ctx, buf, len); 892 return 0; 893 } 894 895 /* 896 * And compression 897 */ 898 899 static u_int32_t 900 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 901 { 902 return deflate_global(data, size, 0, out, 0); 903 } 904 905 static u_int32_t 906 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 907 int size_hint) 908 { 909 return deflate_global(data, size, 1, out, size_hint); 910 } 911 912 static u_int32_t 913 gzip_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 914 { 915 return gzip_global(data, size, 0, out, 0); 916 } 917 918 static u_int32_t 919 gzip_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 920 int size_hint) 921 { 922 return gzip_global(data, size, 1, out, size_hint); 923 } 924