1 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.10 2008/10/23 15:53:51 des Exp $ */ 2 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 3 /*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * 22 * Copyright (C) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/sysctl.h> 44 #include <sys/errno.h> 45 #include <sys/time.h> 46 #include <sys/kernel.h> 47 #include <machine/cpu.h> 48 49 #include <crypto/blowfish/blowfish.h> 50 #include <crypto/des/des.h> 51 #include <crypto/rijndael/rijndael.h> 52 #include <crypto/camellia/camellia.h> 53 #include <crypto/sha1.h> 54 55 #include <opencrypto/cast.h> 56 #include <opencrypto/deflate.h> 57 #include <opencrypto/rmd160.h> 58 #include <opencrypto/skipjack.h> 59 60 #include <sys/md5.h> 61 62 #include <opencrypto/cryptodev.h> 63 #include <opencrypto/xform.h> 64 65 static void null_encrypt(caddr_t, u_int8_t *, u_int8_t *); 66 static void null_decrypt(caddr_t, u_int8_t *, u_int8_t *); 67 static int null_setkey(u_int8_t **, u_int8_t *, int); 68 static void null_zerokey(u_int8_t **); 69 70 static int des1_setkey(u_int8_t **, u_int8_t *, int); 71 static int des3_setkey(u_int8_t **, u_int8_t *, int); 72 static int blf_setkey(u_int8_t **, u_int8_t *, int); 73 static int cast5_setkey(u_int8_t **, u_int8_t *, int); 74 static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 75 static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 76 static int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 77 static int aes_ctr_setkey(u_int8_t **, u_int8_t *, int); 78 static int cml_setkey(u_int8_t **, u_int8_t *, int); 79 static void des1_encrypt(caddr_t, u_int8_t *, u_int8_t *); 80 static void des3_encrypt(caddr_t, u_int8_t *, u_int8_t *); 81 static void blf_encrypt(caddr_t, u_int8_t *, u_int8_t *); 82 static void cast5_encrypt(caddr_t, u_int8_t *, u_int8_t *); 83 static void skipjack_encrypt(caddr_t, u_int8_t *, u_int8_t *); 84 static void rijndael128_encrypt(caddr_t, u_int8_t *, u_int8_t *); 85 static void aes_xts_encrypt(caddr_t, u_int8_t *, u_int8_t *); 86 static void cml_encrypt(caddr_t, u_int8_t *, u_int8_t *); 87 static void des1_decrypt(caddr_t, u_int8_t *, u_int8_t *); 88 static void des3_decrypt(caddr_t, u_int8_t *, u_int8_t *); 89 static void blf_decrypt(caddr_t, u_int8_t *, u_int8_t *); 90 static void cast5_decrypt(caddr_t, u_int8_t *, u_int8_t *); 91 static void skipjack_decrypt(caddr_t, u_int8_t *, u_int8_t *); 92 static void rijndael128_decrypt(caddr_t, u_int8_t *, u_int8_t *); 93 static void aes_xts_decrypt(caddr_t, u_int8_t *, u_int8_t *); 94 static void cml_decrypt(caddr_t, u_int8_t *, u_int8_t *); 95 static void des1_zerokey(u_int8_t **); 96 static void des3_zerokey(u_int8_t **); 97 static void blf_zerokey(u_int8_t **); 98 static void cast5_zerokey(u_int8_t **); 99 static void skipjack_zerokey(u_int8_t **); 100 static void rijndael128_zerokey(u_int8_t **); 101 static void aes_xts_zerokey(u_int8_t **); 102 static void aes_ctr_zerokey(u_int8_t **); 103 static void cml_zerokey(u_int8_t **); 104 105 static void aes_ctr_crypt(caddr_t, u_int8_t *, u_int8_t *); 106 107 static void aes_ctr_reinit(caddr_t, u_int8_t *); 108 static void aes_xts_reinit(caddr_t, u_int8_t *); 109 110 static void null_init(void *); 111 static int null_update(void *, u_int8_t *, u_int16_t); 112 static void null_final(u_int8_t *, void *); 113 static int MD5Update_int(void *, u_int8_t *, u_int16_t); 114 static void SHA1Init_int(void *); 115 static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 116 static void SHA1Final_int(u_int8_t *, void *); 117 static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 118 static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 119 static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 120 static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 121 122 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 123 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 124 125 /* Helper */ 126 struct aes_xts_ctx; 127 static void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int8_t *, u_int); 128 129 MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 130 131 /* Encryption instances */ 132 struct enc_xform enc_xform_null = { 133 CRYPTO_NULL_CBC, "NULL", 134 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 135 NULL_BLOCK_LEN, NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 136 null_encrypt, 137 null_decrypt, 138 null_setkey, 139 null_zerokey, 140 NULL 141 }; 142 143 struct enc_xform enc_xform_des = { 144 CRYPTO_DES_CBC, "DES", 145 DES_BLOCK_LEN, DES_BLOCK_LEN, 8, 8, 146 des1_encrypt, 147 des1_decrypt, 148 des1_setkey, 149 des1_zerokey, 150 NULL 151 }; 152 153 struct enc_xform enc_xform_3des = { 154 CRYPTO_3DES_CBC, "3DES", 155 DES3_BLOCK_LEN, DES3_BLOCK_LEN, 24, 24, 156 des3_encrypt, 157 des3_decrypt, 158 des3_setkey, 159 des3_zerokey, 160 NULL 161 }; 162 163 struct enc_xform enc_xform_blf = { 164 CRYPTO_BLF_CBC, "Blowfish", 165 BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 166 blf_encrypt, 167 blf_decrypt, 168 blf_setkey, 169 blf_zerokey, 170 NULL 171 }; 172 173 struct enc_xform enc_xform_cast5 = { 174 CRYPTO_CAST_CBC, "CAST-128", 175 CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, 5, 16, 176 cast5_encrypt, 177 cast5_decrypt, 178 cast5_setkey, 179 cast5_zerokey, 180 NULL 181 }; 182 183 struct enc_xform enc_xform_skipjack = { 184 CRYPTO_SKIPJACK_CBC, "Skipjack", 185 SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, 10, 10, 186 skipjack_encrypt, 187 skipjack_decrypt, 188 skipjack_setkey, 189 skipjack_zerokey, 190 NULL 191 }; 192 193 struct enc_xform enc_xform_rijndael128 = { 194 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 195 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 8, 32, 196 rijndael128_encrypt, 197 rijndael128_decrypt, 198 rijndael128_setkey, 199 rijndael128_zerokey, 200 NULL 201 }; 202 203 struct enc_xform enc_xform_aes_xts = { 204 CRYPTO_AES_XTS, "AES-XTS", 205 AES_XTS_BLOCK_LEN, AES_XTS_IV_LEN, 32, 64, 206 aes_xts_encrypt, 207 aes_xts_decrypt, 208 aes_xts_setkey, 209 aes_xts_zerokey, 210 aes_xts_reinit 211 }; 212 213 struct enc_xform enc_xform_aes_ctr = { 214 CRYPTO_AES_CTR, "AES-CTR", 215 AESCTR_BLOCK_LEN, AESCTR_IV_LEN, 16+4, 32+4, 216 aes_ctr_crypt, 217 aes_ctr_crypt, 218 aes_ctr_setkey, 219 aes_ctr_zerokey, 220 aes_ctr_reinit 221 }; 222 223 struct enc_xform enc_xform_arc4 = { 224 CRYPTO_ARC4, "ARC4", 225 1, 1, 1, 32, 226 NULL, 227 NULL, 228 NULL, 229 NULL, 230 NULL 231 }; 232 233 struct enc_xform enc_xform_camellia = { 234 CRYPTO_CAMELLIA_CBC, "Camellia", 235 CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, 8, 32, 236 cml_encrypt, 237 cml_decrypt, 238 cml_setkey, 239 cml_zerokey, 240 NULL 241 }; 242 243 /* Authentication instances */ 244 struct auth_hash auth_hash_null = { 245 CRYPTO_NULL_HMAC, "NULL-HMAC", 246 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */ 247 null_init, null_update, null_final 248 }; 249 250 struct auth_hash auth_hash_hmac_md5 = { 251 CRYPTO_MD5_HMAC, "HMAC-MD5", 252 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX), 253 (void (*) (void *)) MD5Init, MD5Update_int, 254 (void (*) (u_int8_t *, void *)) MD5Final 255 }; 256 257 struct auth_hash auth_hash_hmac_sha1 = { 258 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 259 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX), 260 SHA1Init_int, SHA1Update_int, SHA1Final_int 261 }; 262 263 struct auth_hash auth_hash_hmac_ripemd_160 = { 264 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 265 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX), 266 (void (*)(void *)) RMD160Init, RMD160Update_int, 267 (void (*)(u_int8_t *, void *)) RMD160Final 268 }; 269 270 struct auth_hash auth_hash_key_md5 = { 271 CRYPTO_MD5_KPDK, "Keyed MD5", 272 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX), 273 (void (*)(void *)) MD5Init, MD5Update_int, 274 (void (*)(u_int8_t *, void *)) MD5Final 275 }; 276 277 struct auth_hash auth_hash_key_sha1 = { 278 CRYPTO_SHA1_KPDK, "Keyed SHA1", 279 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX), 280 SHA1Init_int, SHA1Update_int, SHA1Final_int 281 }; 282 283 struct auth_hash auth_hash_hmac_sha2_256 = { 284 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 285 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX), 286 (void (*)(void *)) SHA256_Init, SHA256Update_int, 287 (void (*)(u_int8_t *, void *)) SHA256_Final 288 }; 289 290 struct auth_hash auth_hash_hmac_sha2_384 = { 291 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 292 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX), 293 (void (*)(void *)) SHA384_Init, SHA384Update_int, 294 (void (*)(u_int8_t *, void *)) SHA384_Final 295 }; 296 297 struct auth_hash auth_hash_hmac_sha2_512 = { 298 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 299 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX), 300 (void (*)(void *)) SHA512_Init, SHA512Update_int, 301 (void (*)(u_int8_t *, void *)) SHA512_Final 302 }; 303 304 /* Compression instance */ 305 struct comp_algo comp_algo_deflate = { 306 CRYPTO_DEFLATE_COMP, "Deflate", 307 90, deflate_compress, 308 deflate_decompress 309 }; 310 311 /* 312 * Encryption wrapper routines. 313 */ 314 static void 315 null_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 316 { 317 } 318 static void 319 null_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 320 { 321 } 322 static int 323 null_setkey(u_int8_t **sched, u_int8_t *key, int len) 324 { 325 *sched = NULL; 326 return 0; 327 } 328 static void 329 null_zerokey(u_int8_t **sched) 330 { 331 *sched = NULL; 332 } 333 334 static void 335 des1_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 336 { 337 des_cblock *cb = (des_cblock *) blk; 338 des_key_schedule *p = (des_key_schedule *) key; 339 340 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 341 } 342 343 static void 344 des1_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 345 { 346 des_cblock *cb = (des_cblock *) blk; 347 des_key_schedule *p = (des_key_schedule *) key; 348 349 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 350 } 351 352 static int 353 des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 354 { 355 des_key_schedule *p; 356 int err; 357 358 p = kmalloc(sizeof (des_key_schedule), 359 M_CRYPTO_DATA, M_INTWAIT | M_ZERO); 360 if (p != NULL) { 361 des_set_key((des_cblock *) key, p[0]); 362 err = 0; 363 } else 364 err = ENOMEM; 365 *sched = (u_int8_t *) p; 366 return err; 367 } 368 369 static void 370 des1_zerokey(u_int8_t **sched) 371 { 372 bzero(*sched, sizeof (des_key_schedule)); 373 kfree(*sched, M_CRYPTO_DATA); 374 *sched = NULL; 375 } 376 377 static void 378 des3_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 379 { 380 des_cblock *cb = (des_cblock *) blk; 381 des_key_schedule *p = (des_key_schedule *) key; 382 383 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 384 } 385 386 static void 387 des3_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 388 { 389 des_cblock *cb = (des_cblock *) blk; 390 des_key_schedule *p = (des_key_schedule *) key; 391 392 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 393 } 394 395 static int 396 des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 397 { 398 des_key_schedule *p; 399 int err; 400 401 p = kmalloc(3 * sizeof(des_key_schedule), 402 M_CRYPTO_DATA, M_INTWAIT | M_ZERO); 403 if (p != NULL) { 404 des_set_key((des_cblock *)(key + 0), p[0]); 405 des_set_key((des_cblock *)(key + 8), p[1]); 406 des_set_key((des_cblock *)(key + 16), p[2]); 407 err = 0; 408 } else 409 err = ENOMEM; 410 *sched = (u_int8_t *) p; 411 return err; 412 } 413 414 static void 415 des3_zerokey(u_int8_t **sched) 416 { 417 bzero(*sched, 3*sizeof (des_key_schedule)); 418 kfree(*sched, M_CRYPTO_DATA); 419 *sched = NULL; 420 } 421 422 static void 423 blf_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 424 { 425 BF_LONG t[2]; 426 427 memcpy(t, blk, sizeof (t)); 428 t[0] = ntohl(t[0]); 429 t[1] = ntohl(t[1]); 430 /* NB: BF_encrypt expects the block in host order! */ 431 BF_encrypt(t, (BF_KEY *) key); 432 t[0] = htonl(t[0]); 433 t[1] = htonl(t[1]); 434 memcpy(blk, t, sizeof (t)); 435 } 436 437 static void 438 blf_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 439 { 440 BF_LONG t[2]; 441 442 memcpy(t, blk, sizeof (t)); 443 t[0] = ntohl(t[0]); 444 t[1] = ntohl(t[1]); 445 /* NB: BF_decrypt expects the block in host order! */ 446 BF_decrypt(t, (BF_KEY *) key); 447 t[0] = htonl(t[0]); 448 t[1] = htonl(t[1]); 449 memcpy(blk, t, sizeof (t)); 450 } 451 452 static int 453 blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 454 { 455 int err; 456 457 *sched = kmalloc(sizeof(BF_KEY), M_CRYPTO_DATA, M_INTWAIT | M_ZERO); 458 if (*sched != NULL) { 459 BF_set_key((BF_KEY *) *sched, len, key); 460 err = 0; 461 } else 462 err = ENOMEM; 463 return err; 464 } 465 466 static void 467 blf_zerokey(u_int8_t **sched) 468 { 469 bzero(*sched, sizeof(BF_KEY)); 470 kfree(*sched, M_CRYPTO_DATA); 471 *sched = NULL; 472 } 473 474 static void 475 cast5_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 476 { 477 cast_encrypt((cast_key *) key, blk, blk); 478 } 479 480 static void 481 cast5_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 482 { 483 cast_decrypt((cast_key *) key, blk, blk); 484 } 485 486 static int 487 cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 488 { 489 int err; 490 491 *sched = kmalloc(sizeof(cast_key), M_CRYPTO_DATA, M_INTWAIT | M_ZERO); 492 if (*sched != NULL) { 493 cast_setkey((cast_key *)*sched, key, len); 494 err = 0; 495 } else 496 err = ENOMEM; 497 return err; 498 } 499 500 static void 501 cast5_zerokey(u_int8_t **sched) 502 { 503 bzero(*sched, sizeof(cast_key)); 504 kfree(*sched, M_CRYPTO_DATA); 505 *sched = NULL; 506 } 507 508 static void 509 skipjack_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 510 { 511 skipjack_forwards(blk, blk, (u_int8_t **) key); 512 } 513 514 static void 515 skipjack_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 516 { 517 skipjack_backwards(blk, blk, (u_int8_t **) key); 518 } 519 520 static int 521 skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 522 { 523 int err; 524 525 /* NB: allocate all the memory that's needed at once */ 526 *sched = kmalloc(10 * (sizeof(u_int8_t *) + 0x100), 527 M_CRYPTO_DATA, M_INTWAIT | M_ZERO); 528 if (*sched != NULL) { 529 u_int8_t** key_tables = (u_int8_t**) *sched; 530 u_int8_t* table = (u_int8_t*) &key_tables[10]; 531 int k; 532 533 for (k = 0; k < 10; k++) { 534 key_tables[k] = table; 535 table += 0x100; 536 } 537 subkey_table_gen(key, (u_int8_t **) *sched); 538 err = 0; 539 } else 540 err = ENOMEM; 541 return err; 542 } 543 544 static void 545 skipjack_zerokey(u_int8_t **sched) 546 { 547 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 548 kfree(*sched, M_CRYPTO_DATA); 549 *sched = NULL; 550 } 551 552 static void 553 rijndael128_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 554 { 555 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 556 } 557 558 static void 559 rijndael128_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 560 { 561 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 562 (u_char *) blk); 563 } 564 565 static int 566 rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 567 { 568 int err; 569 570 if (len != 16 && len != 24 && len != 32) 571 return (EINVAL); 572 *sched = kmalloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 573 M_INTWAIT | M_ZERO); 574 if (*sched != NULL) { 575 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 576 len * 8); 577 err = 0; 578 } else 579 err = ENOMEM; 580 return err; 581 } 582 583 static void 584 rijndael128_zerokey(u_int8_t **sched) 585 { 586 bzero(*sched, sizeof(rijndael_ctx)); 587 kfree(*sched, M_CRYPTO_DATA); 588 *sched = NULL; 589 } 590 591 #define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 592 593 struct aes_xts_ctx { 594 rijndael_ctx key1; 595 rijndael_ctx key2; 596 }; 597 598 void 599 aes_xts_reinit(caddr_t key, u_int8_t *iv) 600 { 601 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 602 #if 0 603 u_int64_t blocknum; 604 u_int i; 605 #endif 606 607 #if 0 608 /* 609 * XXX: I've no idea why OpenBSD chose to make this dance of the moon 610 * around just copying the IV... 611 */ 612 /* 613 * Prepare tweak as E_k2(IV). IV is specified as LE representation 614 * of a 64-bit block number which we allow to be passed in directly. 615 */ 616 bcopy(iv, &blocknum, AES_XTS_IV_LEN); 617 for (i = 0; i < AES_XTS_IV_LEN; i++) { 618 ctx->tweak[i] = blocknum & 0xff; 619 blocknum >>= 8; 620 } 621 #endif 622 /* Last 64 bits of IV are always zero */ 623 bzero(iv + AES_XTS_IV_LEN, AES_XTS_IV_LEN); 624 625 rijndael_encrypt(&ctx->key2, iv, iv); 626 } 627 628 void 629 aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int8_t *iv, u_int do_encrypt) 630 { 631 u_int8_t block[AES_XTS_BLOCK_LEN]; 632 u_int i, carry_in, carry_out; 633 634 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) 635 block[i] = data[i] ^ iv[i]; 636 637 if (do_encrypt) 638 rijndael_encrypt(&ctx->key1, block, data); 639 else 640 rijndael_decrypt(&ctx->key1, block, data); 641 642 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) 643 data[i] ^= iv[i]; 644 645 /* Exponentiate tweak */ 646 carry_in = 0; 647 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) { 648 carry_out = iv[i] & 0x80; 649 iv[i] = (iv[i] << 1) | (carry_in ? 1 : 0); 650 carry_in = carry_out; 651 } 652 if (carry_in) 653 iv[0] ^= AES_XTS_ALPHA; 654 bzero(block, sizeof(block)); 655 } 656 657 void 658 aes_xts_encrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 659 { 660 aes_xts_crypt((struct aes_xts_ctx *)key, data, iv, 1); 661 } 662 663 void 664 aes_xts_decrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 665 { 666 aes_xts_crypt((struct aes_xts_ctx *)key, data, iv, 0); 667 } 668 669 int 670 aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 671 { 672 struct aes_xts_ctx *ctx; 673 674 if (len != 32 && len != 64) 675 return -1; 676 677 *sched = kmalloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 678 M_WAITOK | M_ZERO); 679 ctx = (struct aes_xts_ctx *)*sched; 680 681 rijndael_set_key(&ctx->key1, key, len * 4); 682 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 683 684 return 0; 685 } 686 687 void 688 aes_xts_zerokey(u_int8_t **sched) 689 { 690 bzero(*sched, sizeof(struct aes_xts_ctx)); 691 kfree(*sched, M_CRYPTO_DATA); 692 *sched = NULL; 693 } 694 695 #define AESCTR_NONCESIZE 4 696 697 struct aes_ctr_ctx { 698 u_int32_t ac_ek[4*(14 + 1)]; 699 u_int8_t ac_block[AESCTR_BLOCK_LEN]; 700 int ac_nr; 701 }; 702 703 void 704 aes_ctr_reinit(caddr_t key, u_int8_t *iv) 705 { 706 struct aes_ctr_ctx *ctx; 707 708 ctx = (struct aes_ctr_ctx *)key; 709 bcopy(iv, iv + AESCTR_NONCESIZE, AESCTR_IV_LEN); 710 bcopy(ctx->ac_block, iv, AESCTR_NONCESIZE); 711 712 /* reset counter */ 713 bzero(iv + AESCTR_NONCESIZE + AESCTR_IV_LEN, 4); 714 } 715 716 void 717 aes_ctr_crypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 718 { 719 struct aes_ctr_ctx *ctx; 720 u_int8_t keystream[AESCTR_BLOCK_LEN]; 721 int i; 722 723 ctx = (struct aes_ctr_ctx *)key; 724 /* increment counter */ 725 for (i = AESCTR_BLOCK_LEN - 1; 726 i >= AESCTR_NONCESIZE + AESCTR_IV_LEN; i--) 727 if (++iv[i]) /* continue on overflow */ 728 break; 729 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, iv, keystream); 730 for (i = 0; i < AESCTR_BLOCK_LEN; i++) 731 data[i] ^= keystream[i]; 732 } 733 734 int 735 aes_ctr_setkey(u_int8_t **sched, u_int8_t *key, int len) 736 { 737 struct aes_ctr_ctx *ctx; 738 739 if (len < AESCTR_NONCESIZE) 740 return -1; 741 742 *sched = kmalloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA, 743 M_WAITOK | M_ZERO); 744 ctx = (struct aes_ctr_ctx *)*sched; 745 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, 746 (len - AESCTR_NONCESIZE) * 8); 747 if (ctx->ac_nr == 0) { 748 aes_ctr_zerokey(sched); 749 return -1; 750 } 751 bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE); 752 return 0; 753 } 754 755 void 756 aes_ctr_zerokey(u_int8_t **sched) 757 { 758 bzero(*sched, sizeof(struct aes_ctr_ctx)); 759 kfree(*sched, M_CRYPTO_DATA); 760 *sched = NULL; 761 } 762 763 static void 764 cml_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 765 { 766 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 767 } 768 769 static void 770 cml_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 771 { 772 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 773 (u_char *) blk); 774 } 775 776 static int 777 cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 778 { 779 int err; 780 781 if (len != 16 && len != 24 && len != 32) 782 return (EINVAL); 783 *sched = kmalloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 784 M_INTWAIT | M_ZERO); 785 if (*sched != NULL) { 786 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 787 len * 8); 788 err = 0; 789 } else 790 err = ENOMEM; 791 return err; 792 } 793 794 static void 795 cml_zerokey(u_int8_t **sched) 796 { 797 bzero(*sched, sizeof(camellia_ctx)); 798 kfree(*sched, M_CRYPTO_DATA); 799 *sched = NULL; 800 } 801 802 /* 803 * And now for auth. 804 */ 805 806 static void 807 null_init(void *ctx) 808 { 809 } 810 811 static int 812 null_update(void *ctx, u_int8_t *buf, u_int16_t len) 813 { 814 return 0; 815 } 816 817 static void 818 null_final(u_int8_t *buf, void *ctx) 819 { 820 if (buf != NULL) 821 bzero(buf, 12); 822 } 823 824 static int 825 RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 826 { 827 RMD160Update(ctx, buf, len); 828 return 0; 829 } 830 831 static int 832 MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 833 { 834 MD5Update(ctx, buf, len); 835 return 0; 836 } 837 838 static void 839 SHA1Init_int(void *ctx) 840 { 841 SHA1Init(ctx); 842 } 843 844 static int 845 SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 846 { 847 SHA1Update(ctx, buf, len); 848 return 0; 849 } 850 851 static void 852 SHA1Final_int(u_int8_t *blk, void *ctx) 853 { 854 SHA1Final(blk, ctx); 855 } 856 857 static int 858 SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 859 { 860 SHA256_Update(ctx, buf, len); 861 return 0; 862 } 863 864 static int 865 SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 866 { 867 SHA384_Update(ctx, buf, len); 868 return 0; 869 } 870 871 static int 872 SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 873 { 874 SHA512_Update(ctx, buf, len); 875 return 0; 876 } 877 878 /* 879 * And compression 880 */ 881 882 static u_int32_t 883 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 884 { 885 return deflate_global(data, size, 0, out); 886 } 887 888 static u_int32_t 889 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 890 { 891 return deflate_global(data, size, 1, out); 892 } 893