1 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 2 /* $DragonFly: src/sys/opencrypto/xform.c,v 1.3 2008/03/01 22:03:13 swildner Exp $ */ 3 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 4 /* 5 * The authors of this code are John Ioannidis (ji@tla.org), 6 * Angelos D. Keromytis (kermit@csd.uch.gr) and 7 * Niels Provos (provos@physnet.uni-hamburg.de). 8 * 9 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 10 * in November 1995. 11 * 12 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 13 * by Angelos D. Keromytis. 14 * 15 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 16 * and Niels Provos. 17 * 18 * Additional features in 1999 by Angelos D. Keromytis. 19 * 20 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 21 * Angelos D. Keromytis and Niels Provos. 22 * 23 * Copyright (C) 2001, Angelos D. Keromytis. 24 * 25 * Permission to use, copy, and modify this software with or without fee 26 * is hereby granted, provided that this entire notice is included in 27 * all copies of any software which is or includes a copy or 28 * modification of this software. 29 * You may use this code under the GNU public license if you so wish. Please 30 * contribute changes back to the authors under this freer than GPL license 31 * so that we may further the use of strong encryption without limitations to 32 * all. 33 * 34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 38 * PURPOSE. 39 */ 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/malloc.h> 44 #include <sys/sysctl.h> 45 #include <sys/errno.h> 46 #include <sys/time.h> 47 #include <sys/kernel.h> 48 #include <machine/cpu.h> 49 50 #include <crypto/blowfish/blowfish.h> 51 #include <crypto/des/des.h> 52 #include <crypto/sha1.h> 53 54 #include <opencrypto/cast.h> 55 #include <opencrypto/deflate.h> 56 #include <opencrypto/rijndael.h> 57 #include <opencrypto/rmd160.h> 58 #include <opencrypto/skipjack.h> 59 60 #include <sys/md5.h> 61 62 #include <opencrypto/cryptodev.h> 63 #include <opencrypto/xform.h> 64 65 static void null_encrypt(caddr_t, u_int8_t *); 66 static void null_decrypt(caddr_t, u_int8_t *); 67 static int null_setkey(u_int8_t **, u_int8_t *, int); 68 static void null_zerokey(u_int8_t **); 69 70 static int des1_setkey(u_int8_t **, u_int8_t *, int); 71 static int des3_setkey(u_int8_t **, u_int8_t *, int); 72 static int blf_setkey(u_int8_t **, u_int8_t *, int); 73 static int cast5_setkey(u_int8_t **, u_int8_t *, int); 74 static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 75 static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 76 static void des1_encrypt(caddr_t, u_int8_t *); 77 static void des3_encrypt(caddr_t, u_int8_t *); 78 static void blf_encrypt(caddr_t, u_int8_t *); 79 static void cast5_encrypt(caddr_t, u_int8_t *); 80 static void skipjack_encrypt(caddr_t, u_int8_t *); 81 static void rijndael128_encrypt(caddr_t, u_int8_t *); 82 static void des1_decrypt(caddr_t, u_int8_t *); 83 static void des3_decrypt(caddr_t, u_int8_t *); 84 static void blf_decrypt(caddr_t, u_int8_t *); 85 static void cast5_decrypt(caddr_t, u_int8_t *); 86 static void skipjack_decrypt(caddr_t, u_int8_t *); 87 static void rijndael128_decrypt(caddr_t, u_int8_t *); 88 static void des1_zerokey(u_int8_t **); 89 static void des3_zerokey(u_int8_t **); 90 static void blf_zerokey(u_int8_t **); 91 static void cast5_zerokey(u_int8_t **); 92 static void skipjack_zerokey(u_int8_t **); 93 static void rijndael128_zerokey(u_int8_t **); 94 95 static void null_init(void *); 96 static int null_update(void *, u_int8_t *, u_int16_t); 97 static void null_final(u_int8_t *, void *); 98 static int MD5Update_int(void *, u_int8_t *, u_int16_t); 99 static void SHA1Init_int(void *); 100 static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 101 static void SHA1Final_int(u_int8_t *, void *); 102 static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 103 static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 104 static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 105 static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 106 107 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 108 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 109 110 MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 111 112 /* Encryption instances */ 113 struct enc_xform enc_xform_null = { 114 CRYPTO_NULL_CBC, "NULL", 115 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 116 4, 0, 256, /* 2048 bits, max key */ 117 null_encrypt, 118 null_decrypt, 119 null_setkey, 120 null_zerokey, 121 }; 122 123 struct enc_xform enc_xform_des = { 124 CRYPTO_DES_CBC, "DES", 125 8, 8, 8, 126 des1_encrypt, 127 des1_decrypt, 128 des1_setkey, 129 des1_zerokey, 130 }; 131 132 struct enc_xform enc_xform_3des = { 133 CRYPTO_3DES_CBC, "3DES", 134 8, 24, 24, 135 des3_encrypt, 136 des3_decrypt, 137 des3_setkey, 138 des3_zerokey 139 }; 140 141 struct enc_xform enc_xform_blf = { 142 CRYPTO_BLF_CBC, "Blowfish", 143 8, 5, 56 /* 448 bits, max key */, 144 blf_encrypt, 145 blf_decrypt, 146 blf_setkey, 147 blf_zerokey 148 }; 149 150 struct enc_xform enc_xform_cast5 = { 151 CRYPTO_CAST_CBC, "CAST-128", 152 8, 5, 16, 153 cast5_encrypt, 154 cast5_decrypt, 155 cast5_setkey, 156 cast5_zerokey 157 }; 158 159 struct enc_xform enc_xform_skipjack = { 160 CRYPTO_SKIPJACK_CBC, "Skipjack", 161 8, 10, 10, 162 skipjack_encrypt, 163 skipjack_decrypt, 164 skipjack_setkey, 165 skipjack_zerokey 166 }; 167 168 struct enc_xform enc_xform_rijndael128 = { 169 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 170 16, 8, 32, 171 rijndael128_encrypt, 172 rijndael128_decrypt, 173 rijndael128_setkey, 174 rijndael128_zerokey, 175 }; 176 177 struct enc_xform enc_xform_arc4 = { 178 CRYPTO_ARC4, "ARC4", 179 1, 1, 32, 180 NULL, 181 NULL, 182 NULL, 183 NULL, 184 }; 185 186 /* Authentication instances */ 187 struct auth_hash auth_hash_null = { 188 CRYPTO_NULL_HMAC, "NULL-HMAC", 189 0, 0, 12, sizeof(int), /* NB: context isn't used */ 190 null_init, null_update, null_final 191 }; 192 193 struct auth_hash auth_hash_hmac_md5_96 = { 194 CRYPTO_MD5_HMAC, "HMAC-MD5", 195 16, 16, 12, sizeof(MD5_CTX), 196 (void (*) (void *)) MD5Init, MD5Update_int, 197 (void (*) (u_int8_t *, void *)) MD5Final 198 }; 199 200 struct auth_hash auth_hash_hmac_sha1_96 = { 201 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 202 20, 20, 12, sizeof(SHA1_CTX), 203 SHA1Init_int, SHA1Update_int, SHA1Final_int 204 }; 205 206 struct auth_hash auth_hash_hmac_ripemd_160_96 = { 207 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 208 20, 20, 12, sizeof(RMD160_CTX), 209 (void (*)(void *)) RMD160Init, RMD160Update_int, 210 (void (*)(u_int8_t *, void *)) RMD160Final 211 }; 212 213 struct auth_hash auth_hash_key_md5 = { 214 CRYPTO_MD5_KPDK, "Keyed MD5", 215 0, 16, 12, sizeof(MD5_CTX), 216 (void (*)(void *)) MD5Init, MD5Update_int, 217 (void (*)(u_int8_t *, void *)) MD5Final 218 }; 219 220 struct auth_hash auth_hash_key_sha1 = { 221 CRYPTO_SHA1_KPDK, "Keyed SHA1", 222 0, 20, 12, sizeof(SHA1_CTX), 223 SHA1Init_int, SHA1Update_int, SHA1Final_int 224 }; 225 226 struct auth_hash auth_hash_hmac_sha2_256 = { 227 CRYPTO_SHA2_HMAC, "HMAC-SHA2", 228 32, 32, 12, sizeof(SHA256_CTX), 229 (void (*)(void *)) SHA256_Init, SHA256Update_int, 230 (void (*)(u_int8_t *, void *)) SHA256_Final 231 }; 232 233 struct auth_hash auth_hash_hmac_sha2_384 = { 234 CRYPTO_SHA2_HMAC, "HMAC-SHA2-384", 235 48, 48, 12, sizeof(SHA384_CTX), 236 (void (*)(void *)) SHA384_Init, SHA384Update_int, 237 (void (*)(u_int8_t *, void *)) SHA384_Final 238 }; 239 240 struct auth_hash auth_hash_hmac_sha2_512 = { 241 CRYPTO_SHA2_HMAC, "HMAC-SHA2-512", 242 64, 64, 12, sizeof(SHA512_CTX), 243 (void (*)(void *)) SHA512_Init, SHA512Update_int, 244 (void (*)(u_int8_t *, void *)) SHA512_Final 245 }; 246 247 /* Compression instance */ 248 struct comp_algo comp_algo_deflate = { 249 CRYPTO_DEFLATE_COMP, "Deflate", 250 90, deflate_compress, 251 deflate_decompress 252 }; 253 254 /* 255 * Encryption wrapper routines. 256 */ 257 static void 258 null_encrypt(caddr_t key, u_int8_t *blk) 259 { 260 } 261 static void 262 null_decrypt(caddr_t key, u_int8_t *blk) 263 { 264 } 265 static int 266 null_setkey(u_int8_t **sched, u_int8_t *key, int len) 267 { 268 *sched = NULL; 269 return 0; 270 } 271 static void 272 null_zerokey(u_int8_t **sched) 273 { 274 *sched = NULL; 275 } 276 277 static void 278 des1_encrypt(caddr_t key, u_int8_t *blk) 279 { 280 des_cblock *cb = (des_cblock *) blk; 281 des_key_schedule *p = (des_key_schedule *) key; 282 283 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 284 } 285 286 static void 287 des1_decrypt(caddr_t key, u_int8_t *blk) 288 { 289 des_cblock *cb = (des_cblock *) blk; 290 des_key_schedule *p = (des_key_schedule *) key; 291 292 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 293 } 294 295 static int 296 des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 297 { 298 des_key_schedule *p; 299 int err; 300 301 MALLOC(p, des_key_schedule *, sizeof (des_key_schedule), 302 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 303 if (p != NULL) { 304 des_set_key((des_cblock *) key, p[0]); 305 err = 0; 306 } else 307 err = ENOMEM; 308 *sched = (u_int8_t *) p; 309 return err; 310 } 311 312 static void 313 des1_zerokey(u_int8_t **sched) 314 { 315 bzero(*sched, sizeof (des_key_schedule)); 316 FREE(*sched, M_CRYPTO_DATA); 317 *sched = NULL; 318 } 319 320 static void 321 des3_encrypt(caddr_t key, u_int8_t *blk) 322 { 323 des_cblock *cb = (des_cblock *) blk; 324 des_key_schedule *p = (des_key_schedule *) key; 325 326 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 327 } 328 329 static void 330 des3_decrypt(caddr_t key, u_int8_t *blk) 331 { 332 des_cblock *cb = (des_cblock *) blk; 333 des_key_schedule *p = (des_key_schedule *) key; 334 335 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 336 } 337 338 static int 339 des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 340 { 341 des_key_schedule *p; 342 int err; 343 344 MALLOC(p, des_key_schedule *, 3*sizeof (des_key_schedule), 345 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 346 if (p != NULL) { 347 des_set_key((des_cblock *)(key + 0), p[0]); 348 des_set_key((des_cblock *)(key + 8), p[1]); 349 des_set_key((des_cblock *)(key + 16), p[2]); 350 err = 0; 351 } else 352 err = ENOMEM; 353 *sched = (u_int8_t *) p; 354 return err; 355 } 356 357 static void 358 des3_zerokey(u_int8_t **sched) 359 { 360 bzero(*sched, 3*sizeof (des_key_schedule)); 361 FREE(*sched, M_CRYPTO_DATA); 362 *sched = NULL; 363 } 364 365 static void 366 blf_encrypt(caddr_t key, u_int8_t *blk) 367 { 368 BF_LONG t[2]; 369 370 memcpy(t, blk, sizeof (t)); 371 t[0] = ntohl(t[0]); 372 t[1] = ntohl(t[1]); 373 /* NB: BF_encrypt expects the block in host order! */ 374 BF_encrypt(t, (BF_KEY *) key); 375 t[0] = htonl(t[0]); 376 t[1] = htonl(t[1]); 377 memcpy(blk, t, sizeof (t)); 378 } 379 380 static void 381 blf_decrypt(caddr_t key, u_int8_t *blk) 382 { 383 BF_LONG t[2]; 384 385 memcpy(t, blk, sizeof (t)); 386 t[0] = ntohl(t[0]); 387 t[1] = ntohl(t[1]); 388 /* NB: BF_decrypt expects the block in host order! */ 389 BF_decrypt(t, (BF_KEY *) key); 390 t[0] = htonl(t[0]); 391 t[1] = htonl(t[1]); 392 memcpy(blk, t, sizeof (t)); 393 } 394 395 static int 396 blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 397 { 398 int err; 399 400 MALLOC(*sched, u_int8_t *, sizeof(BF_KEY), 401 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 402 if (*sched != NULL) { 403 BF_set_key((BF_KEY *) *sched, len, key); 404 err = 0; 405 } else 406 err = ENOMEM; 407 return err; 408 } 409 410 static void 411 blf_zerokey(u_int8_t **sched) 412 { 413 bzero(*sched, sizeof(BF_KEY)); 414 FREE(*sched, M_CRYPTO_DATA); 415 *sched = NULL; 416 } 417 418 static void 419 cast5_encrypt(caddr_t key, u_int8_t *blk) 420 { 421 cast_encrypt((cast_key *) key, blk, blk); 422 } 423 424 static void 425 cast5_decrypt(caddr_t key, u_int8_t *blk) 426 { 427 cast_decrypt((cast_key *) key, blk, blk); 428 } 429 430 static int 431 cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 432 { 433 int err; 434 435 MALLOC(*sched, u_int8_t *, sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 436 if (*sched != NULL) { 437 cast_setkey((cast_key *)*sched, key, len); 438 err = 0; 439 } else 440 err = ENOMEM; 441 return err; 442 } 443 444 static void 445 cast5_zerokey(u_int8_t **sched) 446 { 447 bzero(*sched, sizeof(cast_key)); 448 FREE(*sched, M_CRYPTO_DATA); 449 *sched = NULL; 450 } 451 452 static void 453 skipjack_encrypt(caddr_t key, u_int8_t *blk) 454 { 455 skipjack_forwards(blk, blk, (u_int8_t **) key); 456 } 457 458 static void 459 skipjack_decrypt(caddr_t key, u_int8_t *blk) 460 { 461 skipjack_backwards(blk, blk, (u_int8_t **) key); 462 } 463 464 static int 465 skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 466 { 467 int err; 468 469 /* NB: allocate all the memory that's needed at once */ 470 MALLOC(*sched, u_int8_t *, 10 * (sizeof(u_int8_t *) + 0x100), 471 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 472 if (*sched != NULL) { 473 u_int8_t** key_tables = (u_int8_t**) *sched; 474 u_int8_t* table = (u_int8_t*) &key_tables[10]; 475 int k; 476 477 for (k = 0; k < 10; k++) { 478 key_tables[k] = table; 479 table += 0x100; 480 } 481 subkey_table_gen(key, (u_int8_t **) *sched); 482 err = 0; 483 } else 484 err = ENOMEM; 485 return err; 486 } 487 488 static void 489 skipjack_zerokey(u_int8_t **sched) 490 { 491 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 492 FREE(*sched, M_CRYPTO_DATA); 493 *sched = NULL; 494 } 495 496 static void 497 rijndael128_encrypt(caddr_t key, u_int8_t *blk) 498 { 499 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 500 } 501 502 static void 503 rijndael128_decrypt(caddr_t key, u_int8_t *blk) 504 { 505 rijndael_decrypt(((rijndael_ctx *) key) + 1, (u_char *) blk, 506 (u_char *) blk); 507 } 508 509 static int 510 rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 511 { 512 int err; 513 514 MALLOC(*sched, u_int8_t *, 2 * sizeof(rijndael_ctx), M_CRYPTO_DATA, 515 M_NOWAIT|M_ZERO); 516 if (*sched != NULL) { 517 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, len * 8, 1); 518 rijndael_set_key(((rijndael_ctx *) *sched) + 1, (u_char *) key, 519 len * 8, 0); 520 err = 0; 521 } else 522 err = ENOMEM; 523 return err; 524 } 525 526 static void 527 rijndael128_zerokey(u_int8_t **sched) 528 { 529 bzero(*sched, 2 * sizeof(rijndael_ctx)); 530 FREE(*sched, M_CRYPTO_DATA); 531 *sched = NULL; 532 } 533 534 /* 535 * And now for auth. 536 */ 537 538 static void 539 null_init(void *ctx) 540 { 541 } 542 543 static int 544 null_update(void *ctx, u_int8_t *buf, u_int16_t len) 545 { 546 return 0; 547 } 548 549 static void 550 null_final(u_int8_t *buf, void *ctx) 551 { 552 if (buf != NULL) 553 bzero(buf, 12); 554 } 555 556 static int 557 RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 558 { 559 RMD160Update(ctx, buf, len); 560 return 0; 561 } 562 563 static int 564 MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 565 { 566 MD5Update(ctx, buf, len); 567 return 0; 568 } 569 570 static void 571 SHA1Init_int(void *ctx) 572 { 573 SHA1Init(ctx); 574 } 575 576 static int 577 SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 578 { 579 SHA1Update(ctx, buf, len); 580 return 0; 581 } 582 583 static void 584 SHA1Final_int(u_int8_t *blk, void *ctx) 585 { 586 SHA1Final(blk, ctx); 587 } 588 589 static int 590 SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 591 { 592 SHA256_Update(ctx, buf, len); 593 return 0; 594 } 595 596 static int 597 SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 598 { 599 SHA384_Update(ctx, buf, len); 600 return 0; 601 } 602 603 static int 604 SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 605 { 606 SHA512_Update(ctx, buf, len); 607 return 0; 608 } 609 610 /* 611 * And compression 612 */ 613 614 static u_int32_t 615 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 616 { 617 return deflate_global(data, size, 0, out); 618 } 619 620 static u_int32_t 621 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 622 { 623 return deflate_global(data, size, 1, out); 624 } 625