1 /* $NetBSD: xform.c,v 1.13 2003/11/18 23:01:39 jonathan Exp $ */ 2 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 3 /* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ 4 5 /* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 11 * in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Permission to use, copy, and modify this software with or without fee 27 * is hereby granted, provided that this entire notice is included in 28 * all copies of any software which is or includes a copy or 29 * modification of this software. 30 * You may use this code under the GNU public license if you so wish. Please 31 * contribute changes back to the authors under this freer than GPL license 32 * so that we may further the use of strong encryption without limitations to 33 * all. 34 * 35 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 37 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 38 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 39 * PURPOSE. 40 */ 41 42 #include <sys/cdefs.h> 43 __KERNEL_RCSID(0, "$NetBSD: xform.c,v 1.13 2003/11/18 23:01:39 jonathan Exp $"); 44 45 #include <sys/param.h> 46 #include <sys/systm.h> 47 #include <sys/malloc.h> 48 #include <sys/sysctl.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <machine/cpu.h> 53 54 #include <crypto/blowfish/blowfish.h> 55 #include <crypto/cast128/cast128.h> 56 #include <crypto/des/des.h> 57 #include <crypto/rijndael/rijndael.h> 58 #include <crypto/ripemd160/rmd160.h> 59 #include <crypto/skipjack/skipjack.h> 60 61 #include <opencrypto/deflate.h> 62 63 #include <sys/md5.h> 64 #include <sys/sha1.h> 65 66 #include <opencrypto/cryptodev.h> 67 #include <opencrypto/xform.h> 68 69 static void null_encrypt(caddr_t, u_int8_t *); 70 static void null_decrypt(caddr_t, u_int8_t *); 71 static int null_setkey(u_int8_t **, const u_int8_t *, int); 72 static void null_zerokey(u_int8_t **); 73 74 static int des1_setkey(u_int8_t **, const u_int8_t *, int); 75 static int des3_setkey(u_int8_t **, const u_int8_t *, int); 76 static int blf_setkey(u_int8_t **, const u_int8_t *, int); 77 static int cast5_setkey(u_int8_t **, const u_int8_t *, int); 78 static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); 79 static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int); 80 static void des1_encrypt(caddr_t, u_int8_t *); 81 static void des3_encrypt(caddr_t, u_int8_t *); 82 static void blf_encrypt(caddr_t, u_int8_t *); 83 static void cast5_encrypt(caddr_t, u_int8_t *); 84 static void skipjack_encrypt(caddr_t, u_int8_t *); 85 static void rijndael128_encrypt(caddr_t, u_int8_t *); 86 static void des1_decrypt(caddr_t, u_int8_t *); 87 static void des3_decrypt(caddr_t, u_int8_t *); 88 static void blf_decrypt(caddr_t, u_int8_t *); 89 static void cast5_decrypt(caddr_t, u_int8_t *); 90 static void skipjack_decrypt(caddr_t, u_int8_t *); 91 static void rijndael128_decrypt(caddr_t, u_int8_t *); 92 static void des1_zerokey(u_int8_t **); 93 static void des3_zerokey(u_int8_t **); 94 static void blf_zerokey(u_int8_t **); 95 static void cast5_zerokey(u_int8_t **); 96 static void skipjack_zerokey(u_int8_t **); 97 static void rijndael128_zerokey(u_int8_t **); 98 99 static void null_init(void *); 100 static int null_update(void *, const u_int8_t *, u_int16_t); 101 static void null_final(u_int8_t *, void *); 102 103 static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 104 static void SHA1Init_int(void *); 105 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 106 static void SHA1Final_int(u_int8_t *, void *); 107 108 109 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 110 static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 111 static void SHA1Final_int(u_int8_t *, void *); 112 static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 113 static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 114 static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 115 static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 116 117 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 118 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 119 120 MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 121 122 /* Encryption instances */ 123 struct enc_xform enc_xform_null = { 124 CRYPTO_NULL_CBC, "NULL", 125 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 126 4, 0, 256, /* 2048 bits, max key */ 127 null_encrypt, 128 null_decrypt, 129 null_setkey, 130 null_zerokey, 131 }; 132 133 struct enc_xform enc_xform_des = { 134 CRYPTO_DES_CBC, "DES", 135 8, 8, 8, 136 des1_encrypt, 137 des1_decrypt, 138 des1_setkey, 139 des1_zerokey, 140 }; 141 142 struct enc_xform enc_xform_3des = { 143 CRYPTO_3DES_CBC, "3DES", 144 8, 24, 24, 145 des3_encrypt, 146 des3_decrypt, 147 des3_setkey, 148 des3_zerokey 149 }; 150 151 struct enc_xform enc_xform_blf = { 152 CRYPTO_BLF_CBC, "Blowfish", 153 8, 5, 56 /* 448 bits, max key */, 154 blf_encrypt, 155 blf_decrypt, 156 blf_setkey, 157 blf_zerokey 158 }; 159 160 struct enc_xform enc_xform_cast5 = { 161 CRYPTO_CAST_CBC, "CAST-128", 162 8, 5, 16, 163 cast5_encrypt, 164 cast5_decrypt, 165 cast5_setkey, 166 cast5_zerokey 167 }; 168 169 struct enc_xform enc_xform_skipjack = { 170 CRYPTO_SKIPJACK_CBC, "Skipjack", 171 8, 10, 10, 172 skipjack_encrypt, 173 skipjack_decrypt, 174 skipjack_setkey, 175 skipjack_zerokey 176 }; 177 178 struct enc_xform enc_xform_rijndael128 = { 179 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 180 16, 8, 32, 181 rijndael128_encrypt, 182 rijndael128_decrypt, 183 rijndael128_setkey, 184 rijndael128_zerokey, 185 }; 186 187 struct enc_xform enc_xform_arc4 = { 188 CRYPTO_ARC4, "ARC4", 189 1, 1, 32, 190 NULL, 191 NULL, 192 NULL, 193 NULL, 194 }; 195 196 /* Authentication instances */ 197 struct auth_hash auth_hash_null = { 198 CRYPTO_NULL_HMAC, "NULL-HMAC", 199 0, 0, 12, sizeof(int), /* NB: context isn't used */ 200 null_init, null_update, null_final 201 }; 202 203 struct auth_hash auth_hash_hmac_md5_96 = { 204 CRYPTO_MD5_HMAC, "HMAC-MD5", 205 16, 16, 12, sizeof(MD5_CTX), 206 (void (*) (void *)) MD5Init, MD5Update_int, 207 (void (*) (u_int8_t *, void *)) MD5Final 208 }; 209 210 struct auth_hash auth_hash_hmac_sha1_96 = { 211 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 212 20, 20, 12, sizeof(SHA1_CTX), 213 SHA1Init_int, SHA1Update_int, SHA1Final_int 214 }; 215 216 struct auth_hash auth_hash_hmac_ripemd_160_96 = { 217 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 218 20, 20, 12, sizeof(RMD160_CTX), 219 (void (*)(void *)) RMD160Init, RMD160Update_int, 220 (void (*)(u_int8_t *, void *)) RMD160Final 221 }; 222 223 struct auth_hash auth_hash_key_md5 = { 224 CRYPTO_MD5_KPDK, "Keyed MD5", 225 0, 16, 16, sizeof(MD5_CTX), 226 (void (*)(void *)) MD5Init, MD5Update_int, 227 (void (*)(u_int8_t *, void *)) MD5Final 228 }; 229 230 struct auth_hash auth_hash_key_sha1 = { 231 CRYPTO_SHA1_KPDK, "Keyed SHA1", 232 0, 20, 20, sizeof(SHA1_CTX), 233 SHA1Init_int, SHA1Update_int, SHA1Final_int 234 }; 235 236 struct auth_hash auth_hash_md5 = { 237 CRYPTO_MD5, "MD5", 238 0, 16, 16, sizeof(MD5_CTX), 239 (void (*) (void *)) MD5Init, MD5Update_int, 240 (void (*) (u_int8_t *, void *)) MD5Final 241 }; 242 243 struct auth_hash auth_hash_sha1 = { 244 CRYPTO_SHA1, "SHA1", 245 0, 20, 20, sizeof(SHA1_CTX), 246 (void (*)(void *)) SHA1Init, SHA1Update_int, 247 (void (*)(u_int8_t *, void *)) SHA1Final 248 }; 249 250 struct auth_hash auth_hash_hmac_sha2_256 = { 251 CRYPTO_SHA2_HMAC, "HMAC-SHA2", 252 32, 32, 12, sizeof(SHA256_CTX), 253 (void (*)(void *)) SHA256_Init, SHA256Update_int, 254 (void (*)(u_int8_t *, void *)) SHA256_Final 255 }; 256 257 struct auth_hash auth_hash_hmac_sha2_384 = { 258 CRYPTO_SHA2_HMAC, "HMAC-SHA2-384", 259 48, 48, 12, sizeof(SHA384_CTX), 260 (void (*)(void *)) SHA384_Init, SHA384Update_int, 261 (void (*)(u_int8_t *, void *)) SHA384_Final 262 }; 263 264 struct auth_hash auth_hash_hmac_sha2_512 = { 265 CRYPTO_SHA2_HMAC, "HMAC-SHA2-512", 266 64, 64, 12, sizeof(SHA512_CTX), 267 (void (*)(void *)) SHA512_Init, SHA512Update_int, 268 (void (*)(u_int8_t *, void *)) SHA512_Final 269 }; 270 271 /* Compression instance */ 272 struct comp_algo comp_algo_deflate = { 273 CRYPTO_DEFLATE_COMP, "Deflate", 274 90, deflate_compress, 275 deflate_decompress 276 }; 277 278 /* 279 * Encryption wrapper routines. 280 */ 281 static void 282 null_encrypt(caddr_t key, u_int8_t *blk) 283 { 284 } 285 static void 286 null_decrypt(caddr_t key, u_int8_t *blk) 287 { 288 } 289 static int 290 null_setkey(u_int8_t **sched, const u_int8_t *key, int len) 291 { 292 *sched = NULL; 293 return 0; 294 } 295 static void 296 null_zerokey(u_int8_t **sched) 297 { 298 *sched = NULL; 299 } 300 301 static void 302 des1_encrypt(caddr_t key, u_int8_t *blk) 303 { 304 des_cblock *cb = (des_cblock *) blk; 305 des_key_schedule *p = (des_key_schedule *) key; 306 307 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 308 } 309 310 static void 311 des1_decrypt(caddr_t key, u_int8_t *blk) 312 { 313 des_cblock *cb = (des_cblock *) blk; 314 des_key_schedule *p = (des_key_schedule *) key; 315 316 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 317 } 318 319 static int 320 des1_setkey(u_int8_t **sched, const u_int8_t *key, int len) 321 { 322 des_key_schedule *p; 323 int err; 324 325 MALLOC(p, des_key_schedule *, sizeof (des_key_schedule), 326 M_CRYPTO_DATA, M_NOWAIT); 327 if (p != NULL) { 328 bzero(p, sizeof(des_key_schedule)); 329 des_set_key((des_cblock *) key, p[0]); 330 err = 0; 331 } else 332 err = ENOMEM; 333 *sched = (u_int8_t *) p; 334 return err; 335 } 336 337 static void 338 des1_zerokey(u_int8_t **sched) 339 { 340 bzero(*sched, sizeof (des_key_schedule)); 341 FREE(*sched, M_CRYPTO_DATA); 342 *sched = NULL; 343 } 344 345 static void 346 des3_encrypt(caddr_t key, u_int8_t *blk) 347 { 348 des_cblock *cb = (des_cblock *) blk; 349 des_key_schedule *p = (des_key_schedule *) key; 350 351 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 352 } 353 354 static void 355 des3_decrypt(caddr_t key, u_int8_t *blk) 356 { 357 des_cblock *cb = (des_cblock *) blk; 358 des_key_schedule *p = (des_key_schedule *) key; 359 360 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 361 } 362 363 static int 364 des3_setkey(u_int8_t **sched, const u_int8_t *key, int len) 365 { 366 des_key_schedule *p; 367 int err; 368 369 MALLOC(p, des_key_schedule *, 3*sizeof (des_key_schedule), 370 M_CRYPTO_DATA, M_NOWAIT); 371 if (p != NULL) { 372 bzero(p, 3*sizeof(des_key_schedule)); 373 des_set_key((des_cblock *)(key + 0), p[0]); 374 des_set_key((des_cblock *)(key + 8), p[1]); 375 des_set_key((des_cblock *)(key + 16), p[2]); 376 err = 0; 377 } else 378 err = ENOMEM; 379 *sched = (u_int8_t *) p; 380 return err; 381 } 382 383 static void 384 des3_zerokey(u_int8_t **sched) 385 { 386 bzero(*sched, 3*sizeof (des_key_schedule)); 387 FREE(*sched, M_CRYPTO_DATA); 388 *sched = NULL; 389 } 390 391 static void 392 blf_encrypt(caddr_t key, u_int8_t *blk) 393 { 394 395 #if defined(__NetBSD__) 396 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 1); 397 #else 398 blf_ecb_encrypt((blf_ctx *) key, blk, 8); 399 #endif 400 } 401 402 static void 403 blf_decrypt(caddr_t key, u_int8_t *blk) 404 { 405 406 #if defined(__NetBSD__) 407 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 0); 408 #else 409 blf_ecb_decrypt((blf_ctx *) key, blk, 8); 410 #endif 411 } 412 413 static int 414 blf_setkey(u_int8_t **sched, const u_int8_t *key, int len) 415 { 416 int err; 417 418 #if defined(__FreeBSD__) || defined(__NetBSD__) 419 #define BLF_SIZ sizeof(BF_KEY) 420 #else 421 #define BLF_SIZ sizeof(blf_ctx) 422 #endif 423 424 MALLOC(*sched, u_int8_t *, BLF_SIZ, 425 M_CRYPTO_DATA, M_NOWAIT); 426 if (*sched != NULL) { 427 bzero(*sched, BLF_SIZ); 428 #if defined(__FreeBSD__) || defined(__NetBSD__) 429 BF_set_key((BF_KEY *) *sched, len, key); 430 #else 431 blf_key((blf_ctx *)*sched, key, len); 432 #endif 433 err = 0; 434 } else 435 err = ENOMEM; 436 return err; 437 } 438 439 static void 440 blf_zerokey(u_int8_t **sched) 441 { 442 bzero(*sched, BLF_SIZ); 443 FREE(*sched, M_CRYPTO_DATA); 444 *sched = NULL; 445 } 446 447 static void 448 cast5_encrypt(caddr_t key, u_int8_t *blk) 449 { 450 cast128_encrypt((cast128_key *) key, blk, blk); 451 } 452 453 static void 454 cast5_decrypt(caddr_t key, u_int8_t *blk) 455 { 456 cast128_decrypt((cast128_key *) key, blk, blk); 457 } 458 459 static int 460 cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len) 461 { 462 int err; 463 464 MALLOC(*sched, u_int8_t *, sizeof(cast128_key), M_CRYPTO_DATA, 465 M_NOWAIT); 466 if (*sched != NULL) { 467 bzero(*sched, sizeof(cast128_key)); 468 cast128_setkey((cast128_key *)*sched, key, len); 469 err = 0; 470 } else 471 err = ENOMEM; 472 return err; 473 } 474 475 static void 476 cast5_zerokey(u_int8_t **sched) 477 { 478 bzero(*sched, sizeof(cast128_key)); 479 FREE(*sched, M_CRYPTO_DATA); 480 *sched = NULL; 481 } 482 483 static void 484 skipjack_encrypt(caddr_t key, u_int8_t *blk) 485 { 486 skipjack_forwards(blk, blk, (u_int8_t **) key); 487 } 488 489 static void 490 skipjack_decrypt(caddr_t key, u_int8_t *blk) 491 { 492 skipjack_backwards(blk, blk, (u_int8_t **) key); 493 } 494 495 static int 496 skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len) 497 { 498 int err; 499 500 /* NB: allocate all the memory that's needed at once */ 501 /* XXX assumes bytes are aligned on sizeof(u_char) == 1 boundaries. 502 * Will this break a pdp-10, Cray-1, or GE-645 port? 503 */ 504 MALLOC(*sched, u_int8_t *, 10 * (sizeof(u_int8_t *) + 0x100), 505 M_CRYPTO_DATA, M_NOWAIT); 506 507 if (*sched != NULL) { 508 509 u_int8_t** key_tables = (u_int8_t**) *sched; 510 u_int8_t* table = (u_int8_t*) &key_tables[10]; 511 int k; 512 513 bzero(*sched, 10 * sizeof(u_int8_t *)+0x100); 514 515 for (k = 0; k < 10; k++) { 516 key_tables[k] = table; 517 table += 0x100; 518 } 519 subkey_table_gen(key, (u_int8_t **) *sched); 520 err = 0; 521 } else 522 err = ENOMEM; 523 return err; 524 } 525 526 static void 527 skipjack_zerokey(u_int8_t **sched) 528 { 529 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 530 FREE(*sched, M_CRYPTO_DATA); 531 *sched = NULL; 532 } 533 534 static void 535 rijndael128_encrypt(caddr_t key, u_int8_t *blk) 536 { 537 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 538 } 539 540 static void 541 rijndael128_decrypt(caddr_t key, u_int8_t *blk) 542 { 543 rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk, 544 (u_char *) blk); 545 } 546 547 static int 548 rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len) 549 { 550 int err; 551 552 MALLOC(*sched, u_int8_t *, sizeof(rijndael_ctx), M_CRYPTO_DATA, 553 M_WAITOK); 554 if (*sched != NULL) { 555 bzero(*sched, sizeof(rijndael_ctx)); 556 rijndael_set_key((rijndael_ctx *) *sched, key, len * 8); 557 err = 0; 558 } else 559 err = ENOMEM; 560 return err; 561 } 562 563 static void 564 rijndael128_zerokey(u_int8_t **sched) 565 { 566 bzero(*sched, sizeof(rijndael_ctx)); 567 FREE(*sched, M_CRYPTO_DATA); 568 *sched = NULL; 569 } 570 571 /* 572 * And now for auth. 573 */ 574 575 static void 576 null_init(void *ctx) 577 { 578 } 579 580 static int 581 null_update(void *ctx, const u_int8_t *buf, u_int16_t len) 582 { 583 return 0; 584 } 585 586 static void 587 null_final(u_int8_t *buf, void *ctx) 588 { 589 if (buf != (u_int8_t *) 0) 590 bzero(buf, 12); 591 } 592 593 static int 594 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 595 { 596 RMD160Update(ctx, buf, len); 597 return 0; 598 } 599 600 static int 601 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 602 { 603 MD5Update(ctx, buf, len); 604 return 0; 605 } 606 607 static void 608 SHA1Init_int(void *ctx) 609 { 610 SHA1Init(ctx); 611 } 612 613 static int 614 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 615 { 616 SHA1Update(ctx, buf, len); 617 return 0; 618 } 619 620 static void 621 SHA1Final_int(u_int8_t *blk, void *ctx) 622 { 623 SHA1Final(blk, ctx); 624 } 625 626 static int 627 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 628 { 629 SHA256_Update(ctx, buf, len); 630 return 0; 631 } 632 633 static int 634 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 635 { 636 SHA384_Update(ctx, buf, len); 637 return 0; 638 } 639 640 static int 641 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 642 { 643 SHA512_Update(ctx, buf, len); 644 return 0; 645 } 646 647 /* 648 * And compression 649 */ 650 651 static u_int32_t 652 deflate_compress(data, size, out) 653 u_int8_t *data; 654 u_int32_t size; 655 u_int8_t **out; 656 { 657 return deflate_global(data, size, 0, out); 658 } 659 660 static u_int32_t 661 deflate_decompress(data, size, out) 662 u_int8_t *data; 663 u_int32_t size; 664 u_int8_t **out; 665 { 666 return deflate_global(data, size, 1, out); 667 } 668