1 /* $FreeBSD: src/sys/opencrypto/xform.c,v 1.10 2008/10/23 15:53:51 des Exp $ */ 2 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 3 /*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * 22 * Copyright (C) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/sysctl.h> 44 #include <sys/errno.h> 45 #include <sys/time.h> 46 #include <sys/kernel.h> 47 #include <machine/cpu.h> 48 49 #include <crypto/blowfish/blowfish.h> 50 #include <crypto/camellia/camellia.h> 51 #include <crypto/des/des.h> 52 #include <crypto/rijndael/rijndael.h> 53 #include <crypto/serpent/serpent.h> 54 #include <crypto/sha1.h> 55 #include <crypto/twofish/twofish.h> 56 57 #include <opencrypto/cast.h> 58 #include <opencrypto/deflate.h> 59 #include <opencrypto/gmac.h> 60 #include <opencrypto/rmd160.h> 61 #include <opencrypto/skipjack.h> 62 63 #include <sys/md5.h> 64 65 #include <opencrypto/cryptodev.h> 66 #include <opencrypto/xform.h> 67 68 static void null_encrypt(caddr_t, u_int8_t *, u_int8_t *); 69 static void null_decrypt(caddr_t, u_int8_t *, u_int8_t *); 70 static int null_setkey(void *, u_int8_t *, int); 71 72 static int des1_setkey(void *, u_int8_t *, int); 73 static int des3_setkey(void *, u_int8_t *, int); 74 static int blf_setkey(void *, u_int8_t *, int); 75 static int cast5_setkey(void *, u_int8_t *, int); 76 static int skipjack_setkey(void *, u_int8_t *, int); 77 static int rijndael128_setkey(void *, u_int8_t *, int); 78 static int aes_xts_setkey(void *, u_int8_t *, int); 79 static int aes_ctr_setkey(void *, u_int8_t *, int); 80 static int cml_setkey(void *, u_int8_t *, int); 81 static int twofish128_setkey(void *, u_int8_t *, int); 82 static int serpent128_setkey(void *, u_int8_t *, int); 83 static int twofish_xts_setkey(void *, u_int8_t *, int); 84 static int serpent_xts_setkey(void *, u_int8_t *, int); 85 86 static void des1_encrypt(caddr_t, u_int8_t *, u_int8_t *); 87 static void des3_encrypt(caddr_t, u_int8_t *, u_int8_t *); 88 static void blf_encrypt(caddr_t, u_int8_t *, u_int8_t *); 89 static void cast5_encrypt(caddr_t, u_int8_t *, u_int8_t *); 90 static void skipjack_encrypt(caddr_t, u_int8_t *, u_int8_t *); 91 static void rijndael128_encrypt(caddr_t, u_int8_t *, u_int8_t *); 92 static void aes_xts_encrypt(caddr_t, u_int8_t *, u_int8_t *); 93 static void cml_encrypt(caddr_t, u_int8_t *, u_int8_t *); 94 static void twofish128_encrypt(caddr_t, u_int8_t *, u_int8_t *); 95 static void serpent128_encrypt(caddr_t, u_int8_t *, u_int8_t *); 96 static void twofish_xts_encrypt(caddr_t, u_int8_t *, u_int8_t *); 97 static void serpent_xts_encrypt(caddr_t, u_int8_t *, u_int8_t *); 98 99 static void des1_decrypt(caddr_t, u_int8_t *, u_int8_t *); 100 static void des3_decrypt(caddr_t, u_int8_t *, u_int8_t *); 101 static void blf_decrypt(caddr_t, u_int8_t *, u_int8_t *); 102 static void cast5_decrypt(caddr_t, u_int8_t *, u_int8_t *); 103 static void skipjack_decrypt(caddr_t, u_int8_t *, u_int8_t *); 104 static void rijndael128_decrypt(caddr_t, u_int8_t *, u_int8_t *); 105 static void aes_xts_decrypt(caddr_t, u_int8_t *, u_int8_t *); 106 static void cml_decrypt(caddr_t, u_int8_t *, u_int8_t *); 107 static void twofish128_decrypt(caddr_t, u_int8_t *, u_int8_t *); 108 static void serpent128_decrypt(caddr_t, u_int8_t *, u_int8_t *); 109 static void twofish_xts_decrypt(caddr_t, u_int8_t *, u_int8_t *); 110 static void serpent_xts_decrypt(caddr_t, u_int8_t *, u_int8_t *); 111 112 static void aes_ctr_crypt(caddr_t, u_int8_t *, u_int8_t *); 113 114 static void aes_ctr_reinit(caddr_t, u_int8_t *); 115 static void aes_xts_reinit(caddr_t, u_int8_t *); 116 static void aes_gcm_reinit(caddr_t, u_int8_t *); 117 static void twofish_xts_reinit(caddr_t, u_int8_t *); 118 static void serpent_xts_reinit(caddr_t, u_int8_t *); 119 120 static void null_init(void *); 121 static int null_update(void *, u_int8_t *, u_int16_t); 122 static void null_final(u_int8_t *, void *); 123 static int MD5Update_int(void *, u_int8_t *, u_int16_t); 124 static void SHA1Init_int(void *); 125 static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 126 static void SHA1Final_int(u_int8_t *, void *); 127 static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 128 static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 129 static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 130 static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 131 132 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 133 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 134 135 #define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 136 #define AESCTR_NONCESIZE 4 137 138 struct aes_xts_ctx { 139 rijndael_ctx key1; 140 rijndael_ctx key2; 141 }; 142 143 struct aes_ctr_ctx { 144 u_int32_t ac_ek[4*(14 + 1)]; 145 u_int8_t ac_block[AESCTR_BLOCK_LEN]; 146 int ac_nr; 147 }; 148 149 struct twofish_xts_ctx { 150 twofish_ctx key1; 151 twofish_ctx key2; 152 }; 153 154 struct serpent_xts_ctx { 155 serpent_ctx key1; 156 serpent_ctx key2; 157 }; 158 159 /* Helper */ 160 static void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int8_t *, u_int); 161 static void twofish_xts_crypt(struct twofish_xts_ctx *, u_int8_t *, u_int8_t *, 162 u_int); 163 static void serpent_xts_crypt(struct serpent_xts_ctx *, u_int8_t *, u_int8_t *, 164 u_int); 165 166 MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 167 168 /* Encryption instances */ 169 struct enc_xform enc_xform_null = { 170 CRYPTO_NULL_CBC, "NULL", 171 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 172 NULL_BLOCK_LEN, NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 173 sizeof(int), /* NB: context isn't used */ 174 null_encrypt, 175 null_decrypt, 176 null_setkey, 177 NULL, 178 }; 179 180 struct enc_xform enc_xform_des = { 181 CRYPTO_DES_CBC, "DES", 182 DES_BLOCK_LEN, DES_BLOCK_LEN, 8, 8, 183 sizeof(des_key_schedule), 184 des1_encrypt, 185 des1_decrypt, 186 des1_setkey, 187 NULL, 188 }; 189 190 struct enc_xform enc_xform_3des = { 191 CRYPTO_3DES_CBC, "3DES", 192 DES3_BLOCK_LEN, DES3_BLOCK_LEN, 24, 24, 193 3 * sizeof(des_key_schedule), 194 des3_encrypt, 195 des3_decrypt, 196 des3_setkey, 197 NULL, 198 }; 199 200 struct enc_xform enc_xform_blf = { 201 CRYPTO_BLF_CBC, "Blowfish", 202 BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 203 sizeof(BF_KEY), 204 blf_encrypt, 205 blf_decrypt, 206 blf_setkey, 207 NULL, 208 }; 209 210 struct enc_xform enc_xform_cast5 = { 211 CRYPTO_CAST_CBC, "CAST-128", 212 CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, 5, 16, 213 sizeof(cast_key), 214 cast5_encrypt, 215 cast5_decrypt, 216 cast5_setkey, 217 NULL, 218 }; 219 220 struct enc_xform enc_xform_skipjack = { 221 CRYPTO_SKIPJACK_CBC, "Skipjack", 222 SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, 10, 10, 223 10 * (sizeof(u_int8_t *) + 0x100), /* NB: all needed memory */ 224 skipjack_encrypt, 225 skipjack_decrypt, 226 skipjack_setkey, 227 NULL, 228 }; 229 230 struct enc_xform enc_xform_rijndael128 = { 231 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 232 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 8, 32, 233 sizeof(rijndael_ctx), 234 rijndael128_encrypt, 235 rijndael128_decrypt, 236 rijndael128_setkey, 237 NULL, 238 }; 239 240 struct enc_xform enc_xform_aes_xts = { 241 CRYPTO_AES_XTS, "AES-XTS", 242 AES_XTS_BLOCK_LEN, AES_XTS_IV_LEN, 32, 64, 243 sizeof(struct aes_xts_ctx), 244 aes_xts_encrypt, 245 aes_xts_decrypt, 246 aes_xts_setkey, 247 aes_xts_reinit, 248 }; 249 250 struct enc_xform enc_xform_aes_ctr = { 251 CRYPTO_AES_CTR, "AES-CTR", 252 AESCTR_BLOCK_LEN, AESCTR_IV_LEN, 16+4, 32+4, 253 sizeof(struct aes_ctr_ctx), 254 aes_ctr_crypt, 255 aes_ctr_crypt, 256 aes_ctr_setkey, 257 aes_ctr_reinit, 258 }; 259 260 struct enc_xform enc_xform_aes_gcm = { 261 CRYPTO_AES_GCM_16, "AES-GCM", 262 AESGCM_BLOCK_LEN, AESGCM_IV_LEN, 16+4, 32+4, 263 sizeof(struct aes_ctr_ctx), 264 aes_ctr_crypt, 265 aes_ctr_crypt, 266 aes_ctr_setkey, 267 aes_gcm_reinit, 268 }; 269 270 struct enc_xform enc_xform_aes_gmac = { 271 CRYPTO_AES_GMAC, "AES-GMAC", 272 AESGMAC_BLOCK_LEN, AESGMAC_IV_LEN, 16+4, 32+4, 273 0, /* NB: no context */ 274 NULL, 275 NULL, 276 NULL, 277 NULL, 278 }; 279 280 struct enc_xform enc_xform_arc4 = { 281 CRYPTO_ARC4, "ARC4", 282 1, 1, 1, 32, 283 0, /* NB: no context */ 284 NULL, 285 NULL, 286 NULL, 287 NULL, 288 }; 289 290 struct enc_xform enc_xform_camellia = { 291 CRYPTO_CAMELLIA_CBC, "Camellia", 292 CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, 8, 32, 293 sizeof(camellia_ctx), 294 cml_encrypt, 295 cml_decrypt, 296 cml_setkey, 297 NULL, 298 }; 299 300 struct enc_xform enc_xform_twofish = { 301 CRYPTO_TWOFISH_CBC, "Twofish", 302 TWOFISH_BLOCK_LEN, TWOFISH_BLOCK_LEN, 8, 32, 303 sizeof(twofish_ctx), 304 twofish128_encrypt, 305 twofish128_decrypt, 306 twofish128_setkey, 307 NULL, 308 }; 309 310 struct enc_xform enc_xform_serpent = { 311 CRYPTO_SERPENT_CBC, "Serpent", 312 SERPENT_BLOCK_LEN, SERPENT_BLOCK_LEN, 8, 32, 313 sizeof(serpent_ctx), 314 serpent128_encrypt, 315 serpent128_decrypt, 316 serpent128_setkey, 317 NULL, 318 }; 319 320 struct enc_xform enc_xform_twofish_xts = { 321 CRYPTO_TWOFISH_XTS, "TWOFISH-XTS", 322 TWOFISH_XTS_BLOCK_LEN, TWOFISH_XTS_IV_LEN, 32, 64, 323 sizeof(struct twofish_xts_ctx), 324 twofish_xts_encrypt, 325 twofish_xts_decrypt, 326 twofish_xts_setkey, 327 twofish_xts_reinit, 328 }; 329 330 struct enc_xform enc_xform_serpent_xts = { 331 CRYPTO_SERPENT_XTS, "SERPENT-XTS", 332 SERPENT_XTS_BLOCK_LEN, SERPENT_XTS_IV_LEN, 32, 64, 333 sizeof(struct serpent_xts_ctx), 334 serpent_xts_encrypt, 335 serpent_xts_decrypt, 336 serpent_xts_setkey, 337 serpent_xts_reinit, 338 }; 339 340 341 /* Authentication instances */ 342 struct auth_hash auth_hash_null = { 343 CRYPTO_NULL_HMAC, "NULL-HMAC", 344 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, 345 sizeof(int), /* NB: context isn't used */ 346 null_init, NULL, NULL, null_update, null_final 347 }; 348 349 struct auth_hash auth_hash_hmac_md5 = { 350 CRYPTO_MD5_HMAC, "HMAC-MD5", 351 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX), 352 (void (*) (void *)) MD5Init, NULL, NULL, 353 MD5Update_int, 354 (void (*) (u_int8_t *, void *)) MD5Final 355 }; 356 357 struct auth_hash auth_hash_hmac_sha1 = { 358 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 359 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX), 360 SHA1Init_int, NULL, NULL, 361 SHA1Update_int, SHA1Final_int 362 }; 363 364 struct auth_hash auth_hash_hmac_ripemd_160 = { 365 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 366 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX), 367 (void (*)(void *)) RMD160Init, NULL, NULL, 368 RMD160Update_int, 369 (void (*)(u_int8_t *, void *)) RMD160Final 370 }; 371 372 struct auth_hash auth_hash_key_md5 = { 373 CRYPTO_MD5_KPDK, "Keyed MD5", 374 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX), 375 (void (*)(void *)) MD5Init, NULL, NULL, 376 MD5Update_int, 377 (void (*)(u_int8_t *, void *)) MD5Final 378 }; 379 380 struct auth_hash auth_hash_key_sha1 = { 381 CRYPTO_SHA1_KPDK, "Keyed SHA1", 382 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX), 383 SHA1Init_int, NULL, NULL, 384 SHA1Update_int, SHA1Final_int 385 }; 386 387 struct auth_hash auth_hash_hmac_sha2_256 = { 388 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 389 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX), 390 (void (*)(void *)) SHA256_Init, NULL, NULL, 391 SHA256Update_int, 392 (void (*)(u_int8_t *, void *)) SHA256_Final 393 }; 394 395 struct auth_hash auth_hash_hmac_sha2_384 = { 396 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 397 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX), 398 (void (*)(void *)) SHA384_Init, NULL, NULL, 399 SHA384Update_int, 400 (void (*)(u_int8_t *, void *)) SHA384_Final 401 }; 402 403 struct auth_hash auth_hash_hmac_sha2_512 = { 404 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 405 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX), 406 (void (*)(void *)) SHA512_Init, NULL, NULL, 407 SHA512Update_int, 408 (void (*)(u_int8_t *, void *)) SHA512_Final 409 }; 410 411 struct auth_hash auth_hash_gmac_aes_128 = { 412 CRYPTO_AES_128_GMAC, "GMAC-AES-128", 413 16+4, 16, 16, sizeof(AES_GMAC_CTX), 414 (void (*)(void *)) AES_GMAC_Init, 415 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 416 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 417 (int (*)(void *, u_int8_t *, u_int16_t)) AES_GMAC_Update, 418 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 419 }; 420 421 struct auth_hash auth_hash_gmac_aes_192 = { 422 CRYPTO_AES_192_GMAC, "GMAC-AES-192", 423 24+4, 16, 16, sizeof(AES_GMAC_CTX), 424 (void (*)(void *)) AES_GMAC_Init, 425 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 426 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 427 (int (*)(void *, u_int8_t *, u_int16_t)) AES_GMAC_Update, 428 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 429 }; 430 431 struct auth_hash auth_hash_gmac_aes_256 = { 432 CRYPTO_AES_256_GMAC, "GMAC-AES-256", 433 32+4, 16, 16, sizeof(AES_GMAC_CTX), 434 (void (*)(void *)) AES_GMAC_Init, 435 (int (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey, 436 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit, 437 (int (*)(void *, u_int8_t *, u_int16_t)) AES_GMAC_Update, 438 (void (*)(u_int8_t *, void *)) AES_GMAC_Final 439 }; 440 441 /* Compression instance */ 442 struct comp_algo comp_algo_deflate = { 443 CRYPTO_DEFLATE_COMP, "Deflate", 444 90, deflate_compress, 445 deflate_decompress 446 }; 447 448 /* 449 * Encryption wrapper routines. 450 */ 451 452 static void 453 null_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 454 { 455 } 456 457 static void 458 null_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 459 { 460 } 461 462 static int 463 null_setkey(void *sched, u_int8_t *key, int len) 464 { 465 return 0; 466 } 467 468 static void 469 des1_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 470 { 471 des_cblock *cb = (des_cblock *) blk; 472 des_key_schedule *p = (des_key_schedule *) key; 473 474 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 475 } 476 477 static void 478 des1_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 479 { 480 des_cblock *cb = (des_cblock *) blk; 481 des_key_schedule *p = (des_key_schedule *) key; 482 483 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 484 } 485 486 static int 487 des1_setkey(void *sched, u_int8_t *key, int len) 488 { 489 return des_set_key((des_cblock *)key, sched); 490 } 491 492 static void 493 des3_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 494 { 495 des_cblock *cb = (des_cblock *) blk; 496 des_key_schedule *p = (des_key_schedule *) key; 497 498 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 499 } 500 501 static void 502 des3_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 503 { 504 des_cblock *cb = (des_cblock *) blk; 505 des_key_schedule *p = (des_key_schedule *) key; 506 507 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 508 } 509 510 static int 511 des3_setkey(void *sched, u_int8_t *key, int len) 512 { 513 des_key_schedule *p; 514 515 p = sched; 516 if (des_set_key((des_cblock *)(key + 0), p[0]) < 0 || 517 des_set_key((des_cblock *)(key + 8), p[1]) < 0 || 518 des_set_key((des_cblock *)(key + 16), p[2]) < 0) 519 return -1; 520 521 return 0; 522 } 523 524 static void 525 blf_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 526 { 527 BF_LONG t[2]; 528 529 memcpy(t, blk, sizeof (t)); 530 t[0] = ntohl(t[0]); 531 t[1] = ntohl(t[1]); 532 /* NB: BF_encrypt expects the block in host order! */ 533 BF_encrypt(t, (BF_KEY *) key); 534 t[0] = htonl(t[0]); 535 t[1] = htonl(t[1]); 536 memcpy(blk, t, sizeof (t)); 537 } 538 539 static void 540 blf_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 541 { 542 BF_LONG t[2]; 543 544 memcpy(t, blk, sizeof (t)); 545 t[0] = ntohl(t[0]); 546 t[1] = ntohl(t[1]); 547 /* NB: BF_decrypt expects the block in host order! */ 548 BF_decrypt(t, (BF_KEY *) key); 549 t[0] = htonl(t[0]); 550 t[1] = htonl(t[1]); 551 memcpy(blk, t, sizeof (t)); 552 } 553 554 static int 555 blf_setkey(void *sched, u_int8_t *key, int len) 556 { 557 BF_set_key(sched, len, key); 558 return 0; 559 } 560 561 static void 562 cast5_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 563 { 564 cast_encrypt((cast_key *) key, blk, blk); 565 } 566 567 static void 568 cast5_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 569 { 570 cast_decrypt((cast_key *) key, blk, blk); 571 } 572 573 static int 574 cast5_setkey(void *sched, u_int8_t *key, int len) 575 { 576 cast_setkey(sched, key, len); 577 return 0; 578 } 579 580 static void 581 skipjack_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 582 { 583 skipjack_forwards(blk, blk, (u_int8_t **) key); 584 } 585 586 static void 587 skipjack_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 588 { 589 skipjack_backwards(blk, blk, (u_int8_t **) key); 590 } 591 592 static int 593 skipjack_setkey(void *sched, u_int8_t *key, int len) 594 { 595 u_int8_t **key_tables = sched; 596 u_int8_t *table = (u_int8_t *)&key_tables[10]; 597 int k; 598 599 for (k = 0; k < 10; k++) { 600 key_tables[k] = table; 601 table += 0x100; 602 } 603 subkey_table_gen(key, sched); 604 605 return 0; 606 } 607 608 static void 609 rijndael128_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 610 { 611 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 612 } 613 614 static void 615 rijndael128_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 616 { 617 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 618 (u_char *) blk); 619 } 620 621 static int 622 rijndael128_setkey(void *sched, u_int8_t *key, int len) 623 { 624 if (len != 16 && len != 24 && len != 32) 625 return (EINVAL); 626 627 rijndael_set_key(sched, (u_char *) key, len * 8); 628 629 return 0; 630 } 631 632 void 633 aes_xts_reinit(caddr_t key, u_int8_t *iv) 634 { 635 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 636 #if 0 637 u_int64_t blocknum; 638 u_int i; 639 #endif 640 641 #if 0 642 /* 643 * Prepare tweak as E_k2(IV). IV is specified as LE representation 644 * of a 64-bit block number which we allow to be passed in directly. 645 */ 646 /* XXX: possibly use htole64? */ 647 #endif 648 /* Last 64 bits of IV are always zero */ 649 bzero(iv + AES_XTS_IV_LEN, AES_XTS_IV_LEN); 650 651 rijndael_encrypt(&ctx->key2, iv, iv); 652 } 653 654 void 655 aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int8_t *iv, 656 u_int do_encrypt) 657 { 658 u_int8_t block[AES_XTS_BLOCK_LEN]; 659 u_int i, carry_in, carry_out; 660 661 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) 662 block[i] = data[i] ^ iv[i]; 663 664 if (do_encrypt) 665 rijndael_encrypt(&ctx->key1, block, data); 666 else 667 rijndael_decrypt(&ctx->key1, block, data); 668 669 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) 670 data[i] ^= iv[i]; 671 672 /* Exponentiate tweak */ 673 carry_in = 0; 674 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) { 675 carry_out = iv[i] & 0x80; 676 iv[i] = (iv[i] << 1) | (carry_in ? 1 : 0); 677 carry_in = carry_out; 678 } 679 if (carry_in) 680 iv[0] ^= AES_XTS_ALPHA; 681 bzero(block, sizeof(block)); 682 } 683 684 void 685 aes_xts_encrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 686 { 687 aes_xts_crypt((struct aes_xts_ctx *)key, data, iv, 1); 688 } 689 690 void 691 aes_xts_decrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 692 { 693 aes_xts_crypt((struct aes_xts_ctx *)key, data, iv, 0); 694 } 695 696 int 697 aes_xts_setkey(void *sched, u_int8_t *key, int len) 698 { 699 struct aes_xts_ctx *ctx; 700 701 if (len != 32 && len != 64) 702 return -1; 703 704 ctx = sched; 705 rijndael_set_key(&ctx->key1, key, len * 4); 706 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 707 708 return 0; 709 } 710 711 void 712 aes_ctr_reinit(caddr_t key, u_int8_t *iv) 713 { 714 struct aes_ctr_ctx *ctx; 715 716 ctx = (struct aes_ctr_ctx *)key; 717 bcopy(iv, iv + AESCTR_NONCESIZE, AESCTR_IV_LEN); 718 bcopy(ctx->ac_block, iv, AESCTR_NONCESIZE); 719 720 /* reset counter */ 721 bzero(iv + AESCTR_NONCESIZE + AESCTR_IV_LEN, 4); 722 } 723 724 void 725 aes_ctr_crypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 726 { 727 struct aes_ctr_ctx *ctx; 728 u_int8_t keystream[AESCTR_BLOCK_LEN]; 729 int i; 730 731 ctx = (struct aes_ctr_ctx *)key; 732 /* increment counter */ 733 for (i = AESCTR_BLOCK_LEN - 1; 734 i >= AESCTR_NONCESIZE + AESCTR_IV_LEN; i--) 735 if (++iv[i]) /* continue on overflow */ 736 break; 737 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, iv, keystream); 738 for (i = 0; i < AESCTR_BLOCK_LEN; i++) 739 data[i] ^= keystream[i]; 740 bzero(keystream, sizeof(keystream)); 741 } 742 743 int 744 aes_ctr_setkey(void *sched, u_int8_t *key, int len) 745 { 746 struct aes_ctr_ctx *ctx; 747 748 len -= AESCTR_NONCESIZE; 749 if (len < 0) 750 return -1; 751 if (!(len == 16 || len == 24 || len == 32)) 752 return -1; /* invalid key bits */ 753 754 ctx = sched; 755 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8); 756 if (ctx->ac_nr == 0) { 757 bzero(ctx, sizeof(struct aes_ctr_ctx)); 758 return -1; 759 } 760 761 bcopy(key + len, ctx->ac_block, AESCTR_NONCESIZE); 762 763 return 0; 764 } 765 766 static void 767 aes_gcm_reinit(caddr_t key, u_int8_t *iv) 768 { 769 struct aes_ctr_ctx *ctx; 770 771 ctx = (struct aes_ctr_ctx *)key; 772 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IV_LEN); 773 774 /* reset counter */ 775 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IV_LEN, 4); 776 ctx->ac_block[AESCTR_BLOCK_LEN - 1] = 1; /* GCM starts with 1 */ 777 } 778 779 static void 780 cml_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 781 { 782 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 783 } 784 785 static void 786 cml_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 787 { 788 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 789 (u_char *) blk); 790 } 791 792 static int 793 cml_setkey(void *sched, u_int8_t *key, int len) 794 { 795 if (len != 16 && len != 24 && len != 32) 796 return (EINVAL); 797 798 camellia_set_key(sched, key, len * 8); 799 800 return 0; 801 } 802 803 static void 804 twofish128_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 805 { 806 twofish_encrypt((twofish_ctx *) key, blk, blk); 807 } 808 809 static void 810 twofish128_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 811 { 812 twofish_decrypt(((twofish_ctx *) key), blk, blk); 813 } 814 815 static int 816 twofish128_setkey(void *sched, u_int8_t *key, int len) 817 { 818 if (len != 16 && len != 24 && len != 32) 819 return (EINVAL); 820 821 twofish_set_key(sched, key, len * 8); 822 823 return 0; 824 } 825 826 static void 827 serpent128_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 828 { 829 serpent_encrypt((serpent_ctx *) key, blk, blk); 830 } 831 832 static void 833 serpent128_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv) 834 { 835 serpent_decrypt(((serpent_ctx *) key), blk, blk); 836 } 837 838 static int 839 serpent128_setkey(void *sched, u_int8_t *key, int len) 840 { 841 if (len != 16 && len != 24 && len != 32) 842 return (EINVAL); 843 844 serpent_set_key(sched, key, len * 8); 845 846 return 0; 847 } 848 849 850 void 851 twofish_xts_reinit(caddr_t key, u_int8_t *iv) 852 { 853 struct twofish_xts_ctx *ctx = (struct twofish_xts_ctx *)key; 854 #if 0 855 u_int64_t blocknum; 856 #endif 857 858 #if 0 859 /* 860 * Prepare tweak as E_k2(IV). IV is specified as LE representation 861 * of a 64-bit block number which we allow to be passed in directly. 862 */ 863 /* XXX: possibly use htole64? */ 864 #endif 865 /* Last 64 bits of IV are always zero */ 866 bzero(iv + TWOFISH_XTS_IV_LEN, TWOFISH_XTS_IV_LEN); 867 868 twofish_encrypt(&ctx->key2, iv, iv); 869 } 870 871 void 872 twofish_xts_crypt(struct twofish_xts_ctx *ctx, u_int8_t *data, u_int8_t *iv, 873 u_int do_encrypt) 874 { 875 u_int8_t block[TWOFISH_XTS_BLOCK_LEN]; 876 u_int i, carry_in, carry_out; 877 878 for (i = 0; i < TWOFISH_XTS_BLOCK_LEN; i++) 879 block[i] = data[i] ^ iv[i]; 880 881 if (do_encrypt) 882 twofish_encrypt(&ctx->key1, block, data); 883 else 884 twofish_decrypt(&ctx->key1, block, data); 885 886 for (i = 0; i < TWOFISH_XTS_BLOCK_LEN; i++) 887 data[i] ^= iv[i]; 888 889 /* Exponentiate tweak */ 890 carry_in = 0; 891 for (i = 0; i < TWOFISH_XTS_BLOCK_LEN; i++) { 892 carry_out = iv[i] & 0x80; 893 iv[i] = (iv[i] << 1) | (carry_in ? 1 : 0); 894 carry_in = carry_out; 895 } 896 if (carry_in) 897 iv[0] ^= AES_XTS_ALPHA; 898 bzero(block, sizeof(block)); 899 } 900 901 void 902 twofish_xts_encrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 903 { 904 twofish_xts_crypt((struct twofish_xts_ctx *)key, data, iv, 1); 905 } 906 907 void 908 twofish_xts_decrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 909 { 910 twofish_xts_crypt((struct twofish_xts_ctx *)key, data, iv, 0); 911 } 912 913 int 914 twofish_xts_setkey(void *sched, u_int8_t *key, int len) 915 { 916 struct twofish_xts_ctx *ctx; 917 918 if (len != 32 && len != 64) 919 return -1; 920 921 ctx = sched; 922 twofish_set_key(&ctx->key1, key, len * 4); 923 twofish_set_key(&ctx->key2, key + (len / 2), len * 4); 924 925 return 0; 926 } 927 928 929 void 930 serpent_xts_reinit(caddr_t key, u_int8_t *iv) 931 { 932 struct serpent_xts_ctx *ctx = (struct serpent_xts_ctx *)key; 933 #if 0 934 u_int64_t blocknum; 935 u_int i; 936 #endif 937 938 #if 0 939 /* 940 * Prepare tweak as E_k2(IV). IV is specified as LE representation 941 * of a 64-bit block number which we allow to be passed in directly. 942 */ 943 /* XXX: possibly use htole64? */ 944 #endif 945 /* Last 64 bits of IV are always zero */ 946 bzero(iv + SERPENT_XTS_IV_LEN, SERPENT_XTS_IV_LEN); 947 948 serpent_encrypt(&ctx->key2, iv, iv); 949 } 950 951 void 952 serpent_xts_crypt(struct serpent_xts_ctx *ctx, u_int8_t *data, u_int8_t *iv, 953 u_int do_encrypt) 954 { 955 u_int8_t block[SERPENT_XTS_BLOCK_LEN]; 956 u_int i, carry_in, carry_out; 957 958 for (i = 0; i < SERPENT_XTS_BLOCK_LEN; i++) 959 block[i] = data[i] ^ iv[i]; 960 961 if (do_encrypt) 962 serpent_encrypt(&ctx->key1, block, data); 963 else 964 serpent_decrypt(&ctx->key1, block, data); 965 966 for (i = 0; i < SERPENT_XTS_BLOCK_LEN; i++) 967 data[i] ^= iv[i]; 968 969 /* Exponentiate tweak */ 970 carry_in = 0; 971 for (i = 0; i < SERPENT_XTS_BLOCK_LEN; i++) { 972 carry_out = iv[i] & 0x80; 973 iv[i] = (iv[i] << 1) | (carry_in ? 1 : 0); 974 carry_in = carry_out; 975 } 976 if (carry_in) 977 iv[0] ^= AES_XTS_ALPHA; 978 bzero(block, sizeof(block)); 979 } 980 981 void 982 serpent_xts_encrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 983 { 984 serpent_xts_crypt((struct serpent_xts_ctx *)key, data, iv, 1); 985 } 986 987 void 988 serpent_xts_decrypt(caddr_t key, u_int8_t *data, u_int8_t *iv) 989 { 990 serpent_xts_crypt((struct serpent_xts_ctx *)key, data, iv, 0); 991 } 992 993 int 994 serpent_xts_setkey(void *sched, u_int8_t *key, int len) 995 { 996 struct serpent_xts_ctx *ctx; 997 998 if (len != 32 && len != 64) 999 return -1; 1000 1001 ctx = sched; 1002 serpent_set_key(&ctx->key1, key, len * 4); 1003 serpent_set_key(&ctx->key2, key + (len / 2), len * 4); 1004 1005 return 0; 1006 } 1007 1008 1009 /* 1010 * And now for auth. 1011 */ 1012 1013 static void 1014 null_init(void *ctx) 1015 { 1016 } 1017 1018 static int 1019 null_update(void *ctx, u_int8_t *buf, u_int16_t len) 1020 { 1021 return 0; 1022 } 1023 1024 static void 1025 null_final(u_int8_t *buf, void *ctx) 1026 { 1027 if (buf != NULL) 1028 bzero(buf, 12); 1029 } 1030 1031 static int 1032 RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 1033 { 1034 RMD160Update(ctx, buf, len); 1035 return 0; 1036 } 1037 1038 static int 1039 MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 1040 { 1041 MD5Update(ctx, buf, len); 1042 return 0; 1043 } 1044 1045 static void 1046 SHA1Init_int(void *ctx) 1047 { 1048 SHA1Init(ctx); 1049 } 1050 1051 static int 1052 SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 1053 { 1054 SHA1Update(ctx, buf, len); 1055 return 0; 1056 } 1057 1058 static void 1059 SHA1Final_int(u_int8_t *blk, void *ctx) 1060 { 1061 SHA1Final(blk, ctx); 1062 } 1063 1064 static int 1065 SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 1066 { 1067 SHA256_Update(ctx, buf, len); 1068 return 0; 1069 } 1070 1071 static int 1072 SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 1073 { 1074 SHA384_Update(ctx, buf, len); 1075 return 0; 1076 } 1077 1078 static int 1079 SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 1080 { 1081 SHA512_Update(ctx, buf, len); 1082 return 0; 1083 } 1084 1085 /* 1086 * And compression 1087 */ 1088 1089 static u_int32_t 1090 deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 1091 { 1092 return deflate_global(data, size, 0, out); 1093 } 1094 1095 static u_int32_t 1096 deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) 1097 { 1098 return deflate_global(data, size, 1, out); 1099 } 1100