1 /* $OpenBSD: xform.c,v 1.43 2011/07/07 02:57:24 deraadt Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * 28 * Permission to use, copy, and modify this software with or without fee 29 * is hereby granted, provided that this entire notice is included in 30 * all copies of any software which is or includes a copy or 31 * modification of this software. 32 * You may use this code under the GNU public license if you so wish. Please 33 * contribute changes back to the authors under this freer than GPL license 34 * so that we may further the use of strong encryption without limitations to 35 * all. 36 * 37 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 38 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 39 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 40 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 41 * PURPOSE. 42 */ 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/malloc.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <machine/cpu.h> 51 52 #include <crypto/md5.h> 53 #include <crypto/sha1.h> 54 #include <crypto/sha2.h> 55 #include <crypto/rmd160.h> 56 #include <crypto/blf.h> 57 #include <crypto/cast.h> 58 #include <crypto/rijndael.h> 59 #include <crypto/cryptodev.h> 60 #include <crypto/xform.h> 61 #include <lib/libz/zlib.h> 62 #include <crypto/gmac.h> 63 64 extern void des_ecb3_encrypt(caddr_t, caddr_t, caddr_t, caddr_t, caddr_t, int); 65 extern void des_ecb_encrypt(caddr_t, caddr_t, caddr_t, int); 66 67 int des_set_key(caddr_t, caddr_t); 68 int des1_setkey(u_int8_t **, u_int8_t *, int); 69 int des3_setkey(u_int8_t **, u_int8_t *, int); 70 int blf_setkey(u_int8_t **, u_int8_t *, int); 71 int cast5_setkey(u_int8_t **, u_int8_t *, int); 72 int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 73 int aes_ctr_setkey(u_int8_t **, u_int8_t *, int); 74 int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 75 int null_setkey(u_int8_t **, u_int8_t *, int); 76 77 void des1_encrypt(caddr_t, u_int8_t *); 78 void des3_encrypt(caddr_t, u_int8_t *); 79 void blf_encrypt(caddr_t, u_int8_t *); 80 void cast5_encrypt(caddr_t, u_int8_t *); 81 void rijndael128_encrypt(caddr_t, u_int8_t *); 82 void null_encrypt(caddr_t, u_int8_t *); 83 void aes_xts_encrypt(caddr_t, u_int8_t *); 84 85 void des1_decrypt(caddr_t, u_int8_t *); 86 void des3_decrypt(caddr_t, u_int8_t *); 87 void blf_decrypt(caddr_t, u_int8_t *); 88 void cast5_decrypt(caddr_t, u_int8_t *); 89 void rijndael128_decrypt(caddr_t, u_int8_t *); 90 void null_decrypt(caddr_t, u_int8_t *); 91 void aes_xts_decrypt(caddr_t, u_int8_t *); 92 93 void aes_ctr_crypt(caddr_t, u_int8_t *); 94 95 void des1_zerokey(u_int8_t **); 96 void des3_zerokey(u_int8_t **); 97 void blf_zerokey(u_int8_t **); 98 void cast5_zerokey(u_int8_t **); 99 void rijndael128_zerokey(u_int8_t **); 100 void aes_ctr_zerokey(u_int8_t **); 101 void aes_xts_zerokey(u_int8_t **); 102 void null_zerokey(u_int8_t **); 103 104 void aes_ctr_reinit(caddr_t, u_int8_t *); 105 void aes_xts_reinit(caddr_t, u_int8_t *); 106 void aes_gcm_reinit(caddr_t, u_int8_t *); 107 108 int MD5Update_int(void *, const u_int8_t *, u_int16_t); 109 int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 110 int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 111 int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 112 int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 113 int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 114 115 u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 116 u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 117 u_int32_t lzs_dummy(u_int8_t *, u_int32_t, u_int8_t **); 118 119 /* Helper */ 120 struct aes_xts_ctx; 121 void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int); 122 123 /* Encryption instances */ 124 struct enc_xform enc_xform_des = { 125 CRYPTO_DES_CBC, "DES", 126 8, 8, 8, 8, 127 des1_encrypt, 128 des1_decrypt, 129 des1_setkey, 130 des1_zerokey, 131 NULL 132 }; 133 134 struct enc_xform enc_xform_3des = { 135 CRYPTO_3DES_CBC, "3DES", 136 8, 8, 24, 24, 137 des3_encrypt, 138 des3_decrypt, 139 des3_setkey, 140 des3_zerokey, 141 NULL 142 }; 143 144 struct enc_xform enc_xform_blf = { 145 CRYPTO_BLF_CBC, "Blowfish", 146 8, 8, 5, 56 /* 448 bits, max key */, 147 blf_encrypt, 148 blf_decrypt, 149 blf_setkey, 150 blf_zerokey, 151 NULL 152 }; 153 154 struct enc_xform enc_xform_cast5 = { 155 CRYPTO_CAST_CBC, "CAST-128", 156 8, 8, 5, 16, 157 cast5_encrypt, 158 cast5_decrypt, 159 cast5_setkey, 160 cast5_zerokey, 161 NULL 162 }; 163 164 struct enc_xform enc_xform_rijndael128 = { 165 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 166 16, 16, 16, 32, 167 rijndael128_encrypt, 168 rijndael128_decrypt, 169 rijndael128_setkey, 170 rijndael128_zerokey, 171 NULL 172 }; 173 174 struct enc_xform enc_xform_aes_ctr = { 175 CRYPTO_AES_CTR, "AES-CTR", 176 16, 8, 16+4, 32+4, 177 aes_ctr_crypt, 178 aes_ctr_crypt, 179 aes_ctr_setkey, 180 aes_ctr_zerokey, 181 aes_ctr_reinit 182 }; 183 184 struct enc_xform enc_xform_aes_gcm = { 185 CRYPTO_AES_GCM_16, "AES-GCM", 186 1, 8, 16+4, 32+4, 187 aes_ctr_crypt, 188 aes_ctr_crypt, 189 aes_ctr_setkey, 190 aes_ctr_zerokey, 191 aes_gcm_reinit 192 }; 193 194 struct enc_xform enc_xform_aes_gmac = { 195 CRYPTO_AES_GMAC, "AES-GMAC", 196 1, 8, 16+4, 32+4, 197 NULL, 198 NULL, 199 NULL, 200 NULL, 201 NULL 202 }; 203 204 struct enc_xform enc_xform_aes_xts = { 205 CRYPTO_AES_XTS, "AES-XTS", 206 16, 8, 32, 64, 207 aes_xts_encrypt, 208 aes_xts_decrypt, 209 aes_xts_setkey, 210 aes_xts_zerokey, 211 aes_xts_reinit 212 }; 213 214 struct enc_xform enc_xform_arc4 = { 215 CRYPTO_ARC4, "ARC4", 216 1, 1, 1, 32, 217 NULL, 218 NULL, 219 NULL, 220 NULL, 221 NULL 222 }; 223 224 struct enc_xform enc_xform_null = { 225 CRYPTO_NULL, "NULL", 226 4, 0, 0, 256, 227 null_encrypt, 228 null_decrypt, 229 null_setkey, 230 null_zerokey, 231 NULL 232 }; 233 234 /* Authentication instances */ 235 struct auth_hash auth_hash_hmac_md5_96 = { 236 CRYPTO_MD5_HMAC, "HMAC-MD5", 237 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN, 238 (void (*) (void *)) MD5Init, NULL, NULL, 239 MD5Update_int, 240 (void (*) (u_int8_t *, void *)) MD5Final 241 }; 242 243 struct auth_hash auth_hash_hmac_sha1_96 = { 244 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 245 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN, 246 (void (*) (void *)) SHA1Init, NULL, NULL, 247 SHA1Update_int, 248 (void (*) (u_int8_t *, void *)) SHA1Final 249 }; 250 251 struct auth_hash auth_hash_hmac_ripemd_160_96 = { 252 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 253 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN, 254 (void (*)(void *)) RMD160Init, NULL, NULL, 255 RMD160Update_int, 256 (void (*)(u_int8_t *, void *)) RMD160Final 257 }; 258 259 struct auth_hash auth_hash_hmac_sha2_256_128 = { 260 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 261 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN, 262 (void (*)(void *)) SHA256Init, NULL, NULL, 263 SHA256Update_int, 264 (void (*)(u_int8_t *, void *)) SHA256Final 265 }; 266 267 struct auth_hash auth_hash_hmac_sha2_384_192 = { 268 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 269 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN, 270 (void (*)(void *)) SHA384Init, NULL, NULL, 271 SHA384Update_int, 272 (void (*)(u_int8_t *, void *)) SHA384Final 273 }; 274 275 struct auth_hash auth_hash_hmac_sha2_512_256 = { 276 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 277 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN, 278 (void (*)(void *)) SHA512Init, NULL, NULL, 279 SHA512Update_int, 280 (void (*)(u_int8_t *, void *)) SHA512Final 281 }; 282 283 struct auth_hash auth_hash_gmac_aes_128 = { 284 CRYPTO_AES_128_GMAC, "GMAC-AES-128", 285 16+4, 16, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN, 286 (void (*)(void *)) AES_GMAC_Init, 287 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 288 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 289 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 290 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 291 }; 292 293 struct auth_hash auth_hash_gmac_aes_192 = { 294 CRYPTO_AES_192_GMAC, "GMAC-AES-192", 295 24+4, 16, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN, 296 (void (*)(void *)) AES_GMAC_Init, 297 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 298 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 299 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 300 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 301 }; 302 303 struct auth_hash auth_hash_gmac_aes_256 = { 304 CRYPTO_AES_256_GMAC, "GMAC-AES-256", 305 32+4, 16, 16, sizeof(AES_GMAC_CTX), GMAC_BLOCK_LEN, 306 (void (*)(void *)) AES_GMAC_Init, 307 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 308 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 309 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Update, 310 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 311 }; 312 313 struct auth_hash auth_hash_key_md5 = { 314 CRYPTO_MD5_KPDK, "Keyed MD5", 315 0, 16, 16, sizeof(MD5_CTX), 0, 316 (void (*)(void *)) MD5Init, NULL, NULL, 317 MD5Update_int, 318 (void (*)(u_int8_t *, void *)) MD5Final 319 }; 320 321 struct auth_hash auth_hash_key_sha1 = { 322 CRYPTO_SHA1_KPDK, "Keyed SHA1", 323 0, 20, 20, sizeof(SHA1_CTX), 0, 324 (void (*)(void *)) SHA1Init, NULL, NULL, 325 SHA1Update_int, 326 (void (*)(u_int8_t *, void *)) SHA1Final 327 }; 328 329 struct auth_hash auth_hash_md5 = { 330 CRYPTO_MD5, "MD5", 331 0, 16, 16, sizeof(MD5_CTX), 0, 332 (void (*) (void *)) MD5Init, NULL, NULL, 333 MD5Update_int, 334 (void (*) (u_int8_t *, void *)) MD5Final 335 }; 336 337 struct auth_hash auth_hash_sha1 = { 338 CRYPTO_SHA1, "SHA1", 339 0, 20, 20, sizeof(SHA1_CTX), 0, 340 (void (*)(void *)) SHA1Init, NULL, NULL, 341 SHA1Update_int, 342 (void (*)(u_int8_t *, void *)) SHA1Final 343 }; 344 345 /* Compression instance */ 346 struct comp_algo comp_algo_deflate = { 347 CRYPTO_DEFLATE_COMP, "Deflate", 348 90, deflate_compress, 349 deflate_decompress 350 }; 351 352 struct comp_algo comp_algo_lzs = { 353 CRYPTO_LZS_COMP, "LZS", 354 90, lzs_dummy, 355 lzs_dummy 356 }; 357 358 /* 359 * Encryption wrapper routines. 360 */ 361 void 362 des1_encrypt(caddr_t key, u_int8_t *blk) 363 { 364 des_ecb_encrypt(blk, blk, key, 1); 365 } 366 367 void 368 des1_decrypt(caddr_t key, u_int8_t *blk) 369 { 370 des_ecb_encrypt(blk, blk, key, 0); 371 } 372 373 int 374 des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 375 { 376 *sched = malloc(128, M_CRYPTO_DATA, M_WAITOK | M_ZERO); 377 378 if (des_set_key(key, *sched) < 0) { 379 des1_zerokey(sched); 380 return -1; 381 } 382 383 return 0; 384 } 385 386 void 387 des1_zerokey(u_int8_t **sched) 388 { 389 explicit_bzero(*sched, 128); 390 free(*sched, M_CRYPTO_DATA); 391 *sched = NULL; 392 } 393 394 void 395 des3_encrypt(caddr_t key, u_int8_t *blk) 396 { 397 des_ecb3_encrypt(blk, blk, key, key + 128, key + 256, 1); 398 } 399 400 void 401 des3_decrypt(caddr_t key, u_int8_t *blk) 402 { 403 des_ecb3_encrypt(blk, blk, key + 256, key + 128, key, 0); 404 } 405 406 int 407 des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 408 { 409 *sched = malloc(384, M_CRYPTO_DATA, M_WAITOK | M_ZERO); 410 411 if (des_set_key(key, *sched) < 0 || des_set_key(key + 8, *sched + 128) 412 < 0 || des_set_key(key + 16, *sched + 256) < 0) { 413 des3_zerokey(sched); 414 return -1; 415 } 416 417 return 0; 418 } 419 420 void 421 des3_zerokey(u_int8_t **sched) 422 { 423 explicit_bzero(*sched, 384); 424 free(*sched, M_CRYPTO_DATA); 425 *sched = NULL; 426 } 427 428 void 429 blf_encrypt(caddr_t key, u_int8_t *blk) 430 { 431 blf_ecb_encrypt((blf_ctx *) key, blk, 8); 432 } 433 434 void 435 blf_decrypt(caddr_t key, u_int8_t *blk) 436 { 437 blf_ecb_decrypt((blf_ctx *) key, blk, 8); 438 } 439 440 int 441 blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 442 { 443 *sched = malloc(sizeof(blf_ctx), M_CRYPTO_DATA, M_WAITOK | M_ZERO); 444 blf_key((blf_ctx *)*sched, key, len); 445 446 return 0; 447 } 448 449 void 450 blf_zerokey(u_int8_t **sched) 451 { 452 explicit_bzero(*sched, sizeof(blf_ctx)); 453 free(*sched, M_CRYPTO_DATA); 454 *sched = NULL; 455 } 456 457 int 458 null_setkey(u_int8_t **sched, u_int8_t *key, int len) 459 { 460 return 0; 461 } 462 463 void 464 null_zerokey(u_int8_t **sched) 465 { 466 } 467 468 void 469 null_encrypt(caddr_t key, u_int8_t *blk) 470 { 471 } 472 473 void 474 null_decrypt(caddr_t key, u_int8_t *blk) 475 { 476 } 477 478 void 479 cast5_encrypt(caddr_t key, u_int8_t *blk) 480 { 481 cast_encrypt((cast_key *) key, blk, blk); 482 } 483 484 void 485 cast5_decrypt(caddr_t key, u_int8_t *blk) 486 { 487 cast_decrypt((cast_key *) key, blk, blk); 488 } 489 490 int 491 cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 492 { 493 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_WAITOK | M_ZERO); 494 cast_setkey((cast_key *)*sched, key, len); 495 496 return 0; 497 } 498 499 void 500 cast5_zerokey(u_int8_t **sched) 501 { 502 explicit_bzero(*sched, sizeof(cast_key)); 503 free(*sched, M_CRYPTO_DATA); 504 *sched = NULL; 505 } 506 507 void 508 rijndael128_encrypt(caddr_t key, u_int8_t *blk) 509 { 510 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 511 } 512 513 void 514 rijndael128_decrypt(caddr_t key, u_int8_t *blk) 515 { 516 rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 517 } 518 519 int 520 rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 521 { 522 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, M_WAITOK | M_ZERO); 523 524 if (rijndael_set_key((rijndael_ctx *)*sched, (u_char *)key, len * 8) 525 < 0) { 526 rijndael128_zerokey(sched); 527 return -1; 528 } 529 530 return 0; 531 } 532 533 void 534 rijndael128_zerokey(u_int8_t **sched) 535 { 536 explicit_bzero(*sched, sizeof(rijndael_ctx)); 537 free(*sched, M_CRYPTO_DATA); 538 *sched = NULL; 539 } 540 541 #define AESCTR_NONCESIZE 4 542 #define AESCTR_IVSIZE 8 543 #define AESCTR_BLOCKSIZE 16 544 545 struct aes_ctr_ctx { 546 u_int32_t ac_ek[4*(AES_MAXROUNDS + 1)]; 547 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 548 int ac_nr; 549 }; 550 551 void 552 aes_ctr_reinit(caddr_t key, u_int8_t *iv) 553 { 554 struct aes_ctr_ctx *ctx; 555 556 ctx = (struct aes_ctr_ctx *)key; 557 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); 558 559 /* reset counter */ 560 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); 561 } 562 563 void 564 aes_gcm_reinit(caddr_t key, u_int8_t *iv) 565 { 566 struct aes_ctr_ctx *ctx; 567 568 ctx = (struct aes_ctr_ctx *)key; 569 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); 570 571 /* reset counter */ 572 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); 573 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 574 } 575 576 void 577 aes_ctr_crypt(caddr_t key, u_int8_t *data) 578 { 579 struct aes_ctr_ctx *ctx; 580 u_int8_t keystream[AESCTR_BLOCKSIZE]; 581 int i; 582 583 ctx = (struct aes_ctr_ctx *)key; 584 /* increment counter */ 585 for (i = AESCTR_BLOCKSIZE - 1; 586 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 587 if (++ctx->ac_block[i]) /* continue on overflow */ 588 break; 589 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 590 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 591 data[i] ^= keystream[i]; 592 explicit_bzero(keystream, sizeof(keystream)); 593 } 594 595 int 596 aes_ctr_setkey(u_int8_t **sched, u_int8_t *key, int len) 597 { 598 struct aes_ctr_ctx *ctx; 599 600 if (len < AESCTR_NONCESIZE) 601 return -1; 602 603 *sched = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA, M_WAITOK | 604 M_ZERO); 605 ctx = (struct aes_ctr_ctx *)*sched; 606 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, 607 (len - AESCTR_NONCESIZE) * 8); 608 if (ctx->ac_nr == 0) { 609 aes_ctr_zerokey(sched); 610 return -1; 611 } 612 bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE); 613 return 0; 614 } 615 616 void 617 aes_ctr_zerokey(u_int8_t **sched) 618 { 619 explicit_bzero(*sched, sizeof(struct aes_ctr_ctx)); 620 free(*sched, M_CRYPTO_DATA); 621 *sched = NULL; 622 } 623 624 #define AES_XTS_BLOCKSIZE 16 625 #define AES_XTS_IVSIZE 8 626 #define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 627 628 struct aes_xts_ctx { 629 rijndael_ctx key1; 630 rijndael_ctx key2; 631 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 632 }; 633 634 void 635 aes_xts_reinit(caddr_t key, u_int8_t *iv) 636 { 637 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 638 u_int64_t blocknum; 639 u_int i; 640 641 /* 642 * Prepare tweak as E_k2(IV). IV is specified as LE representation 643 * of a 64-bit block number which we allow to be passed in directly. 644 */ 645 bcopy(iv, &blocknum, AES_XTS_IVSIZE); 646 for (i = 0; i < AES_XTS_IVSIZE; i++) { 647 ctx->tweak[i] = blocknum & 0xff; 648 blocknum >>= 8; 649 } 650 /* Last 64 bits of IV are always zero */ 651 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 652 653 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 654 } 655 656 void 657 aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 658 { 659 u_int8_t block[AES_XTS_BLOCKSIZE]; 660 u_int i, carry_in, carry_out; 661 662 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 663 block[i] = data[i] ^ ctx->tweak[i]; 664 665 if (do_encrypt) 666 rijndael_encrypt(&ctx->key1, block, data); 667 else 668 rijndael_decrypt(&ctx->key1, block, data); 669 670 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 671 data[i] ^= ctx->tweak[i]; 672 673 /* Exponentiate tweak */ 674 carry_in = 0; 675 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 676 carry_out = ctx->tweak[i] & 0x80; 677 ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0); 678 carry_in = carry_out; 679 } 680 if (carry_in) 681 ctx->tweak[0] ^= AES_XTS_ALPHA; 682 explicit_bzero(block, sizeof(block)); 683 } 684 685 void 686 aes_xts_encrypt(caddr_t key, u_int8_t *data) 687 { 688 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 689 } 690 691 void 692 aes_xts_decrypt(caddr_t key, u_int8_t *data) 693 { 694 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 695 } 696 697 int 698 aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 699 { 700 struct aes_xts_ctx *ctx; 701 702 if (len != 32 && len != 64) 703 return -1; 704 705 *sched = malloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 706 M_WAITOK | M_ZERO); 707 ctx = (struct aes_xts_ctx *)*sched; 708 709 rijndael_set_key(&ctx->key1, key, len * 4); 710 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 711 712 return 0; 713 } 714 715 void 716 aes_xts_zerokey(u_int8_t **sched) 717 { 718 explicit_bzero(*sched, sizeof(struct aes_xts_ctx)); 719 free(*sched, M_CRYPTO_DATA); 720 *sched = NULL; 721 } 722 723 724 /* 725 * And now for auth. 726 */ 727 728 int 729 RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 730 { 731 RMD160Update(ctx, buf, len); 732 return 0; 733 } 734 735 int 736 MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 737 { 738 MD5Update(ctx, buf, len); 739 return 0; 740 } 741 742 int 743 SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 744 { 745 SHA1Update(ctx, buf, len); 746 return 0; 747 } 748 749 int 750 SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 751 { 752 SHA256Update(ctx, buf, len); 753 return 0; 754 } 755 756 int 757 SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 758 { 759 SHA384Update(ctx, buf, len); 760 return 0; 761 } 762 763 int 764 SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 765 { 766 SHA512Update(ctx, buf, len); 767 return 0; 768 } 769 770 771 u_int32_t deflate_global(u_int8_t *, u_int32_t, int, u_int8_t **); 772 773 struct deflate_buf { 774 u_int8_t *out; 775 u_int32_t size; 776 int flag; 777 }; 778 779 /* 780 * And compression 781 */ 782 783 u_int32_t 784 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 785 { 786 return deflate_global(data, size, 0, out); 787 } 788 789 u_int32_t 790 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 791 { 792 return deflate_global(data, size, 1, out); 793 } 794 795 u_int32_t 796 lzs_dummy(u_int8_t *data, u_int32_t size, u_int8_t **out) 797 { 798 *out = NULL; 799 return (0); 800 } 801