1 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.10 2008/10/23 15:53:51 des Exp $ */ 2 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 3 /*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * 22 * Copyright (C) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/sysctl.h> 44 #include <sys/errno.h> 45 #include <sys/time.h> 46 #include <sys/kernel.h> 47 #include <machine/cpu.h> 48 49 #include <crypto/blowfish/blowfish.h> 50 #include <crypto/des/des.h> 51 #include <crypto/rijndael/rijndael.h> 52 #include <crypto/camellia/camellia.h> 53 #include <crypto/sha1.h> 54 55 #include <opencrypto/cast.h> 56 #include <opencrypto/deflate.h> 57 #include <opencrypto/rmd160.h> 58 #include <opencrypto/skipjack.h> 59 60 #include <sys/md5.h> 61 62 #include <opencrypto/cryptodev.h> 63 #include <opencrypto/xform.h> 64 65 static void null_encrypt(caddr_t, u_int8_t *); 66 static void null_decrypt(caddr_t, u_int8_t *); 67 static int null_setkey(u_int8_t **, u_int8_t *, int); 68 static void null_zerokey(u_int8_t **); 69 70 static int des1_setkey(u_int8_t **, u_int8_t *, int); 71 static int des3_setkey(u_int8_t **, u_int8_t *, int); 72 static int blf_setkey(u_int8_t **, u_int8_t *, int); 73 static int cast5_setkey(u_int8_t **, u_int8_t *, int); 74 static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 75 static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 76 static int cml_setkey(u_int8_t **, u_int8_t *, int); 77 static void des1_encrypt(caddr_t, u_int8_t *); 78 static void des3_encrypt(caddr_t, u_int8_t *); 79 static void blf_encrypt(caddr_t, u_int8_t *); 80 static void cast5_encrypt(caddr_t, u_int8_t *); 81 static void skipjack_encrypt(caddr_t, u_int8_t *); 82 static void rijndael128_encrypt(caddr_t, u_int8_t *); 83 static void cml_encrypt(caddr_t, u_int8_t *); 84 static void des1_decrypt(caddr_t, u_int8_t *); 85 static void des3_decrypt(caddr_t, u_int8_t *); 86 static void blf_decrypt(caddr_t, u_int8_t *); 87 static void cast5_decrypt(caddr_t, u_int8_t *); 88 static void skipjack_decrypt(caddr_t, u_int8_t *); 89 static void rijndael128_decrypt(caddr_t, u_int8_t *); 90 static void cml_decrypt(caddr_t, u_int8_t *); 91 static void des1_zerokey(u_int8_t **); 92 static void des3_zerokey(u_int8_t **); 93 static void blf_zerokey(u_int8_t **); 94 static void cast5_zerokey(u_int8_t **); 95 static void skipjack_zerokey(u_int8_t **); 96 static void rijndael128_zerokey(u_int8_t **); 97 static void cml_zerokey(u_int8_t **); 98 99 static void null_init(void *); 100 static int null_update(void *, u_int8_t *, u_int16_t); 101 static void null_final(u_int8_t *, void *); 102 static int MD5Update_int(void *, u_int8_t *, u_int16_t); 103 static void SHA1Init_int(void *); 104 static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 105 static void SHA1Final_int(u_int8_t *, void *); 106 static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 107 static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 108 static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 109 static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 110 111 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 112 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 113 114 MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 115 116 /* Encryption instances */ 117 struct enc_xform enc_xform_null = { 118 CRYPTO_NULL_CBC, "NULL", 119 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 120 NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 121 null_encrypt, 122 null_decrypt, 123 null_setkey, 124 null_zerokey, 125 }; 126 127 struct enc_xform enc_xform_des = { 128 CRYPTO_DES_CBC, "DES", 129 DES_BLOCK_LEN, 8, 8, 130 des1_encrypt, 131 des1_decrypt, 132 des1_setkey, 133 des1_zerokey, 134 }; 135 136 struct enc_xform enc_xform_3des = { 137 CRYPTO_3DES_CBC, "3DES", 138 DES3_BLOCK_LEN, 24, 24, 139 des3_encrypt, 140 des3_decrypt, 141 des3_setkey, 142 des3_zerokey 143 }; 144 145 struct enc_xform enc_xform_blf = { 146 CRYPTO_BLF_CBC, "Blowfish", 147 BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 148 blf_encrypt, 149 blf_decrypt, 150 blf_setkey, 151 blf_zerokey 152 }; 153 154 struct enc_xform enc_xform_cast5 = { 155 CRYPTO_CAST_CBC, "CAST-128", 156 CAST128_BLOCK_LEN, 5, 16, 157 cast5_encrypt, 158 cast5_decrypt, 159 cast5_setkey, 160 cast5_zerokey 161 }; 162 163 struct enc_xform enc_xform_skipjack = { 164 CRYPTO_SKIPJACK_CBC, "Skipjack", 165 SKIPJACK_BLOCK_LEN, 10, 10, 166 skipjack_encrypt, 167 skipjack_decrypt, 168 skipjack_setkey, 169 skipjack_zerokey 170 }; 171 172 struct enc_xform enc_xform_rijndael128 = { 173 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 174 RIJNDAEL128_BLOCK_LEN, 8, 32, 175 rijndael128_encrypt, 176 rijndael128_decrypt, 177 rijndael128_setkey, 178 rijndael128_zerokey, 179 }; 180 181 struct enc_xform enc_xform_arc4 = { 182 CRYPTO_ARC4, "ARC4", 183 1, 1, 32, 184 NULL, 185 NULL, 186 NULL, 187 NULL, 188 }; 189 190 struct enc_xform enc_xform_camellia = { 191 CRYPTO_CAMELLIA_CBC, "Camellia", 192 CAMELLIA_BLOCK_LEN, 8, 32, 193 cml_encrypt, 194 cml_decrypt, 195 cml_setkey, 196 cml_zerokey, 197 }; 198 199 /* Authentication instances */ 200 struct auth_hash auth_hash_null = { 201 CRYPTO_NULL_HMAC, "NULL-HMAC", 202 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */ 203 null_init, null_update, null_final 204 }; 205 206 struct auth_hash auth_hash_hmac_md5 = { 207 CRYPTO_MD5_HMAC, "HMAC-MD5", 208 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX), 209 (void (*) (void *)) MD5Init, MD5Update_int, 210 (void (*) (u_int8_t *, void *)) MD5Final 211 }; 212 213 struct auth_hash auth_hash_hmac_sha1 = { 214 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 215 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX), 216 SHA1Init_int, SHA1Update_int, SHA1Final_int 217 }; 218 219 struct auth_hash auth_hash_hmac_ripemd_160 = { 220 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 221 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX), 222 (void (*)(void *)) RMD160Init, RMD160Update_int, 223 (void (*)(u_int8_t *, void *)) RMD160Final 224 }; 225 226 struct auth_hash auth_hash_key_md5 = { 227 CRYPTO_MD5_KPDK, "Keyed MD5", 228 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX), 229 (void (*)(void *)) MD5Init, MD5Update_int, 230 (void (*)(u_int8_t *, void *)) MD5Final 231 }; 232 233 struct auth_hash auth_hash_key_sha1 = { 234 CRYPTO_SHA1_KPDK, "Keyed SHA1", 235 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX), 236 SHA1Init_int, SHA1Update_int, SHA1Final_int 237 }; 238 239 struct auth_hash auth_hash_hmac_sha2_256 = { 240 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 241 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX), 242 (void (*)(void *)) SHA256_Init, SHA256Update_int, 243 (void (*)(u_int8_t *, void *)) SHA256_Final 244 }; 245 246 struct auth_hash auth_hash_hmac_sha2_384 = { 247 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 248 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX), 249 (void (*)(void *)) SHA384_Init, SHA384Update_int, 250 (void (*)(u_int8_t *, void *)) SHA384_Final 251 }; 252 253 struct auth_hash auth_hash_hmac_sha2_512 = { 254 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 255 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX), 256 (void (*)(void *)) SHA512_Init, SHA512Update_int, 257 (void (*)(u_int8_t *, void *)) SHA512_Final 258 }; 259 260 /* Compression instance */ 261 struct comp_algo comp_algo_deflate = { 262 CRYPTO_DEFLATE_COMP, "Deflate", 263 90, deflate_compress, 264 deflate_decompress 265 }; 266 267 /* 268 * Encryption wrapper routines. 269 */ 270 static void 271 null_encrypt(caddr_t key, u_int8_t *blk) 272 { 273 } 274 static void 275 null_decrypt(caddr_t key, u_int8_t *blk) 276 { 277 } 278 static int 279 null_setkey(u_int8_t **sched, u_int8_t *key, int len) 280 { 281 *sched = NULL; 282 return 0; 283 } 284 static void 285 null_zerokey(u_int8_t **sched) 286 { 287 *sched = NULL; 288 } 289 290 static void 291 des1_encrypt(caddr_t key, u_int8_t *blk) 292 { 293 des_cblock *cb = (des_cblock *) blk; 294 des_key_schedule *p = (des_key_schedule *) key; 295 296 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 297 } 298 299 static void 300 des1_decrypt(caddr_t key, u_int8_t *blk) 301 { 302 des_cblock *cb = (des_cblock *) blk; 303 des_key_schedule *p = (des_key_schedule *) key; 304 305 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 306 } 307 308 static int 309 des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 310 { 311 des_key_schedule *p; 312 int err; 313 314 p = kmalloc(sizeof (des_key_schedule), 315 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 316 if (p != NULL) { 317 des_set_key((des_cblock *) key, p[0]); 318 err = 0; 319 } else 320 err = ENOMEM; 321 *sched = (u_int8_t *) p; 322 return err; 323 } 324 325 static void 326 des1_zerokey(u_int8_t **sched) 327 { 328 bzero(*sched, sizeof (des_key_schedule)); 329 kfree(*sched, M_CRYPTO_DATA); 330 *sched = NULL; 331 } 332 333 static void 334 des3_encrypt(caddr_t key, u_int8_t *blk) 335 { 336 des_cblock *cb = (des_cblock *) blk; 337 des_key_schedule *p = (des_key_schedule *) key; 338 339 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 340 } 341 342 static void 343 des3_decrypt(caddr_t key, u_int8_t *blk) 344 { 345 des_cblock *cb = (des_cblock *) blk; 346 des_key_schedule *p = (des_key_schedule *) key; 347 348 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 349 } 350 351 static int 352 des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 353 { 354 des_key_schedule *p; 355 int err; 356 357 p = kmalloc(3*sizeof (des_key_schedule), 358 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 359 if (p != NULL) { 360 des_set_key((des_cblock *)(key + 0), p[0]); 361 des_set_key((des_cblock *)(key + 8), p[1]); 362 des_set_key((des_cblock *)(key + 16), p[2]); 363 err = 0; 364 } else 365 err = ENOMEM; 366 *sched = (u_int8_t *) p; 367 return err; 368 } 369 370 static void 371 des3_zerokey(u_int8_t **sched) 372 { 373 bzero(*sched, 3*sizeof (des_key_schedule)); 374 kfree(*sched, M_CRYPTO_DATA); 375 *sched = NULL; 376 } 377 378 static void 379 blf_encrypt(caddr_t key, u_int8_t *blk) 380 { 381 BF_LONG t[2]; 382 383 memcpy(t, blk, sizeof (t)); 384 t[0] = ntohl(t[0]); 385 t[1] = ntohl(t[1]); 386 /* NB: BF_encrypt expects the block in host order! */ 387 BF_encrypt(t, (BF_KEY *) key); 388 t[0] = htonl(t[0]); 389 t[1] = htonl(t[1]); 390 memcpy(blk, t, sizeof (t)); 391 } 392 393 static void 394 blf_decrypt(caddr_t key, u_int8_t *blk) 395 { 396 BF_LONG t[2]; 397 398 memcpy(t, blk, sizeof (t)); 399 t[0] = ntohl(t[0]); 400 t[1] = ntohl(t[1]); 401 /* NB: BF_decrypt expects the block in host order! */ 402 BF_decrypt(t, (BF_KEY *) key); 403 t[0] = htonl(t[0]); 404 t[1] = htonl(t[1]); 405 memcpy(blk, t, sizeof (t)); 406 } 407 408 static int 409 blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 410 { 411 int err; 412 413 *sched = kmalloc(sizeof(BF_KEY), 414 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 415 if (*sched != NULL) { 416 BF_set_key((BF_KEY *) *sched, len, key); 417 err = 0; 418 } else 419 err = ENOMEM; 420 return err; 421 } 422 423 static void 424 blf_zerokey(u_int8_t **sched) 425 { 426 bzero(*sched, sizeof(BF_KEY)); 427 kfree(*sched, M_CRYPTO_DATA); 428 *sched = NULL; 429 } 430 431 static void 432 cast5_encrypt(caddr_t key, u_int8_t *blk) 433 { 434 cast_encrypt((cast_key *) key, blk, blk); 435 } 436 437 static void 438 cast5_decrypt(caddr_t key, u_int8_t *blk) 439 { 440 cast_decrypt((cast_key *) key, blk, blk); 441 } 442 443 static int 444 cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 445 { 446 int err; 447 448 *sched = kmalloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 449 if (*sched != NULL) { 450 cast_setkey((cast_key *)*sched, key, len); 451 err = 0; 452 } else 453 err = ENOMEM; 454 return err; 455 } 456 457 static void 458 cast5_zerokey(u_int8_t **sched) 459 { 460 bzero(*sched, sizeof(cast_key)); 461 kfree(*sched, M_CRYPTO_DATA); 462 *sched = NULL; 463 } 464 465 static void 466 skipjack_encrypt(caddr_t key, u_int8_t *blk) 467 { 468 skipjack_forwards(blk, blk, (u_int8_t **) key); 469 } 470 471 static void 472 skipjack_decrypt(caddr_t key, u_int8_t *blk) 473 { 474 skipjack_backwards(blk, blk, (u_int8_t **) key); 475 } 476 477 static int 478 skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 479 { 480 int err; 481 482 /* NB: allocate all the memory that's needed at once */ 483 *sched = kmalloc(10 * (sizeof(u_int8_t *) + 0x100), 484 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 485 if (*sched != NULL) { 486 u_int8_t** key_tables = (u_int8_t**) *sched; 487 u_int8_t* table = (u_int8_t*) &key_tables[10]; 488 int k; 489 490 for (k = 0; k < 10; k++) { 491 key_tables[k] = table; 492 table += 0x100; 493 } 494 subkey_table_gen(key, (u_int8_t **) *sched); 495 err = 0; 496 } else 497 err = ENOMEM; 498 return err; 499 } 500 501 static void 502 skipjack_zerokey(u_int8_t **sched) 503 { 504 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 505 kfree(*sched, M_CRYPTO_DATA); 506 *sched = NULL; 507 } 508 509 static void 510 rijndael128_encrypt(caddr_t key, u_int8_t *blk) 511 { 512 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 513 } 514 515 static void 516 rijndael128_decrypt(caddr_t key, u_int8_t *blk) 517 { 518 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 519 (u_char *) blk); 520 } 521 522 static int 523 rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 524 { 525 int err; 526 527 if (len != 16 && len != 24 && len != 32) 528 return (EINVAL); 529 *sched = kmalloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 530 M_NOWAIT|M_ZERO); 531 if (*sched != NULL) { 532 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 533 len * 8); 534 err = 0; 535 } else 536 err = ENOMEM; 537 return err; 538 } 539 540 static void 541 rijndael128_zerokey(u_int8_t **sched) 542 { 543 bzero(*sched, sizeof(rijndael_ctx)); 544 kfree(*sched, M_CRYPTO_DATA); 545 *sched = NULL; 546 } 547 548 static void 549 cml_encrypt(caddr_t key, u_int8_t *blk) 550 { 551 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 552 } 553 554 static void 555 cml_decrypt(caddr_t key, u_int8_t *blk) 556 { 557 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 558 (u_char *) blk); 559 } 560 561 static int 562 cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 563 { 564 int err; 565 566 if (len != 16 && len != 24 && len != 32) 567 return (EINVAL); 568 *sched = kmalloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 569 M_NOWAIT|M_ZERO); 570 if (*sched != NULL) { 571 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 572 len * 8); 573 err = 0; 574 } else 575 err = ENOMEM; 576 return err; 577 } 578 579 static void 580 cml_zerokey(u_int8_t **sched) 581 { 582 bzero(*sched, sizeof(camellia_ctx)); 583 kfree(*sched, M_CRYPTO_DATA); 584 *sched = NULL; 585 } 586 587 /* 588 * And now for auth. 589 */ 590 591 static void 592 null_init(void *ctx) 593 { 594 } 595 596 static int 597 null_update(void *ctx, u_int8_t *buf, u_int16_t len) 598 { 599 return 0; 600 } 601 602 static void 603 null_final(u_int8_t *buf, void *ctx) 604 { 605 if (buf != NULL) 606 bzero(buf, 12); 607 } 608 609 static int 610 RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 611 { 612 RMD160Update(ctx, buf, len); 613 return 0; 614 } 615 616 static int 617 MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 618 { 619 MD5Update(ctx, buf, len); 620 return 0; 621 } 622 623 static void 624 SHA1Init_int(void *ctx) 625 { 626 SHA1Init(ctx); 627 } 628 629 static int 630 SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 631 { 632 SHA1Update(ctx, buf, len); 633 return 0; 634 } 635 636 static void 637 SHA1Final_int(u_int8_t *blk, void *ctx) 638 { 639 SHA1Final(blk, ctx); 640 } 641 642 static int 643 SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 644 { 645 SHA256_Update(ctx, buf, len); 646 return 0; 647 } 648 649 static int 650 SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 651 { 652 SHA384_Update(ctx, buf, len); 653 return 0; 654 } 655 656 static int 657 SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 658 { 659 SHA512_Update(ctx, buf, len); 660 return 0; 661 } 662 663 /* 664 * And compression 665 */ 666 667 static u_int32_t 668 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 669 { 670 return deflate_global(data, size, 0, out); 671 } 672 673 static u_int32_t 674 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 675 { 676 return deflate_global(data, size, 1, out); 677 } 678