1/* $NetBSD: cryptosoft_xform.c,v 1.30 2020/06/30 04:14:55 riastradh Exp $ */ 2/* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */ 3/* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */ 4 5/* 6 * The authors of this code are John Ioannidis (ji@tla.org), 7 * Angelos D. Keromytis (kermit@csd.uch.gr) and 8 * Niels Provos (provos@physnet.uni-hamburg.de). 9 * 10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 11 * in November 1995. 12 * 13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 14 * by Angelos D. Keromytis. 15 * 16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 17 * and Niels Provos. 18 * 19 * Additional features in 1999 by Angelos D. Keromytis. 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Permission to use, copy, and modify this software with or without fee 27 * is hereby granted, provided that this entire notice is included in 28 * all copies of any software which is or includes a copy or 29 * modification of this software. 30 * You may use this code under the GNU public license if you so wish. Please 31 * contribute changes back to the authors under this freer than GPL license 32 * so that we may further the use of strong encryption without limitations to 33 * all. 34 * 35 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 36 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 37 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 38 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 39 * PURPOSE. 40 */ 41 42#include <sys/cdefs.h> 43__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.30 2020/06/30 04:14:55 riastradh Exp $"); 44 45#include <sys/cprng.h> 46#include <sys/kmem.h> 47#include <sys/md5.h> 48#include <sys/rmd160.h> 49#include <sys/sha1.h> 50#include <sys/sha2.h> 51 52#include <crypto/aes/aes.h> 53#include <crypto/blowfish/blowfish.h> 54#include <crypto/camellia/camellia.h> 55#include <crypto/cast128/cast128.h> 56#include <crypto/des/des.h> 57#include <crypto/skipjack/skipjack.h> 58 59#include <opencrypto/aesxcbcmac.h> 60#include <opencrypto/deflate.h> 61#include <opencrypto/gmac.h> 62 63struct swcr_auth_hash { 64 const struct auth_hash *auth_hash; 65 int ctxsize; 66 void (*Init)(void *); 67 void (*Setkey)(void *, const uint8_t *, uint16_t); 68 void (*Reinit)(void *, const uint8_t *, uint16_t); 69 int (*Update)(void *, const uint8_t *, uint16_t); 70 void (*Final)(uint8_t *, void *); 71}; 72 73struct swcr_enc_xform { 74 const struct enc_xform *enc_xform; 75 void (*encrypt)(void *, uint8_t *); 76 void (*decrypt)(void *, uint8_t *); 77 int (*setkey)(uint8_t **, const uint8_t *, int); 78 void (*zerokey)(uint8_t **); 79 void (*reinit)(void *, const uint8_t *, uint8_t *); 80}; 81 82struct swcr_comp_algo { 83 const struct comp_algo *unused_comp_algo; 84 uint32_t (*compress)(uint8_t *, uint32_t, uint8_t **); 85 uint32_t (*decompress)(uint8_t *, uint32_t, uint8_t **, int); 86}; 87 88static void null_encrypt(void *, u_int8_t *); 89static void null_decrypt(void *, u_int8_t *); 90static int null_setkey(u_int8_t **, const u_int8_t *, int); 91static void null_zerokey(u_int8_t **); 92 93static int des1_setkey(u_int8_t **, const u_int8_t *, int); 94static int des3_setkey(u_int8_t **, const u_int8_t *, int); 95static int blf_setkey(u_int8_t **, const u_int8_t *, int); 96static int cast5_setkey(u_int8_t **, const u_int8_t *, int); 97static int skipjack_setkey(u_int8_t **, const u_int8_t *, int); 98static int aes_setkey(u_int8_t **, const u_int8_t *, int); 99static int cml_setkey(u_int8_t **, const u_int8_t *, int); 100static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int); 101static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int); 102static void des1_encrypt(void *, u_int8_t *); 103static void des3_encrypt(void *, u_int8_t *); 104static void blf_encrypt(void *, u_int8_t *); 105static void cast5_encrypt(void *, u_int8_t *); 106static void skipjack_encrypt(void *, u_int8_t *); 107static void aes_encrypt(void *, u_int8_t *); 108static void cml_encrypt(void *, u_int8_t *); 109static void des1_decrypt(void *, u_int8_t *); 110static void des3_decrypt(void *, u_int8_t *); 111static void blf_decrypt(void *, u_int8_t *); 112static void cast5_decrypt(void *, u_int8_t *); 113static void skipjack_decrypt(void *, u_int8_t *); 114static void aes_decrypt(void *, u_int8_t *); 115static void cml_decrypt(void *, u_int8_t *); 116static void aes_ctr_crypt(void *, u_int8_t *); 117static void des1_zerokey(u_int8_t **); 118static void des3_zerokey(u_int8_t **); 119static void blf_zerokey(u_int8_t **); 120static void cast5_zerokey(u_int8_t **); 121static void skipjack_zerokey(u_int8_t **); 122static void aes_zerokey(u_int8_t **); 123static void cml_zerokey(u_int8_t **); 124static void aes_ctr_zerokey(u_int8_t **); 125static void aes_gmac_zerokey(u_int8_t **); 126static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *); 127static void aes_gcm_reinit(void *, const u_int8_t *, u_int8_t *); 128static void aes_gmac_reinit(void *, const u_int8_t *, u_int8_t *); 129 130static void null_init(void *); 131static int null_update(void *, const u_int8_t *, u_int16_t); 132static void null_final(u_int8_t *, void *); 133 134static int MD5Update_int(void *, const u_int8_t *, u_int16_t); 135static void SHA1Init_int(void *); 136static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 137static void SHA1Final_int(u_int8_t *, void *); 138 139 140static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 141static int SHA1Update_int(void *, const u_int8_t *, u_int16_t); 142static void SHA1Final_int(u_int8_t *, void *); 143static int RMD160Update_int(void *, const u_int8_t *, u_int16_t); 144static int SHA256Update_int(void *, const u_int8_t *, u_int16_t); 145static int SHA384Update_int(void *, const u_int8_t *, u_int16_t); 146static int SHA512Update_int(void *, const u_int8_t *, u_int16_t); 147 148static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 149static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 150static u_int32_t gzip_compress(u_int8_t *, u_int32_t, u_int8_t **); 151static u_int32_t gzip_decompress(u_int8_t *, u_int32_t, u_int8_t **, int); 152 153/* Encryption instances */ 154static const struct swcr_enc_xform swcr_enc_xform_null = { 155 &enc_xform_null, 156 null_encrypt, 157 null_decrypt, 158 null_setkey, 159 null_zerokey, 160 NULL 161}; 162 163static const struct swcr_enc_xform swcr_enc_xform_des = { 164 &enc_xform_des, 165 des1_encrypt, 166 des1_decrypt, 167 des1_setkey, 168 des1_zerokey, 169 NULL 170}; 171 172static const struct swcr_enc_xform swcr_enc_xform_3des = { 173 &enc_xform_3des, 174 des3_encrypt, 175 des3_decrypt, 176 des3_setkey, 177 des3_zerokey, 178 NULL 179}; 180 181static const struct swcr_enc_xform swcr_enc_xform_blf = { 182 &enc_xform_blf, 183 blf_encrypt, 184 blf_decrypt, 185 blf_setkey, 186 blf_zerokey, 187 NULL 188}; 189 190static const struct swcr_enc_xform swcr_enc_xform_cast5 = { 191 &enc_xform_cast5, 192 cast5_encrypt, 193 cast5_decrypt, 194 cast5_setkey, 195 cast5_zerokey, 196 NULL 197}; 198 199static const struct swcr_enc_xform swcr_enc_xform_skipjack = { 200 &enc_xform_skipjack, 201 skipjack_encrypt, 202 skipjack_decrypt, 203 skipjack_setkey, 204 skipjack_zerokey, 205 NULL 206}; 207 208static const struct swcr_enc_xform swcr_enc_xform_aes = { 209 &enc_xform_aes, 210 aes_encrypt, 211 aes_decrypt, 212 aes_setkey, 213 aes_zerokey, 214 NULL 215}; 216 217static const struct swcr_enc_xform swcr_enc_xform_aes_ctr = { 218 &enc_xform_aes_ctr, 219 aes_ctr_crypt, 220 aes_ctr_crypt, 221 aes_ctr_setkey, 222 aes_ctr_zerokey, 223 aes_ctr_reinit 224}; 225 226static const struct swcr_enc_xform swcr_enc_xform_aes_gcm = { 227 &enc_xform_aes_gcm, 228 aes_ctr_crypt, 229 aes_ctr_crypt, 230 aes_ctr_setkey, 231 aes_ctr_zerokey, 232 aes_gcm_reinit 233}; 234 235static const struct swcr_enc_xform swcr_enc_xform_aes_gmac = { 236 &enc_xform_aes_gmac, 237 NULL, 238 NULL, 239 aes_gmac_setkey, 240 aes_gmac_zerokey, 241 aes_gmac_reinit 242}; 243 244static const struct swcr_enc_xform swcr_enc_xform_camellia = { 245 &enc_xform_camellia, 246 cml_encrypt, 247 cml_decrypt, 248 cml_setkey, 249 cml_zerokey, 250 NULL 251}; 252 253/* Authentication instances */ 254static const struct swcr_auth_hash swcr_auth_hash_null = { 255 &auth_hash_null, sizeof(int), /* NB: context isn't used */ 256 null_init, NULL, NULL, null_update, null_final 257}; 258 259static const struct swcr_auth_hash swcr_auth_hash_hmac_md5 = { 260 &auth_hash_hmac_md5, sizeof(MD5_CTX), 261 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 262 (void (*) (u_int8_t *, void *)) MD5Final 263}; 264 265static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1 = { 266 &auth_hash_hmac_sha1, sizeof(SHA1_CTX), 267 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 268}; 269 270static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160 = { 271 &auth_hash_hmac_ripemd_160, sizeof(RMD160_CTX), 272 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 273 (void (*)(u_int8_t *, void *)) RMD160Final 274}; 275static const struct swcr_auth_hash swcr_auth_hash_hmac_md5_96 = { 276 &auth_hash_hmac_md5_96, sizeof(MD5_CTX), 277 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 278 (void (*) (u_int8_t *, void *)) MD5Final 279}; 280 281static const struct swcr_auth_hash swcr_auth_hash_hmac_sha1_96 = { 282 &auth_hash_hmac_sha1_96, sizeof(SHA1_CTX), 283 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 284}; 285 286static const struct swcr_auth_hash swcr_auth_hash_hmac_ripemd_160_96 = { 287 &auth_hash_hmac_ripemd_160_96, sizeof(RMD160_CTX), 288 (void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int, 289 (void (*)(u_int8_t *, void *)) RMD160Final 290}; 291 292static const struct swcr_auth_hash swcr_auth_hash_key_md5 = { 293 &auth_hash_key_md5, sizeof(MD5_CTX), 294 (void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int, 295 (void (*)(u_int8_t *, void *)) MD5Final 296}; 297 298static const struct swcr_auth_hash swcr_auth_hash_key_sha1 = { 299 &auth_hash_key_sha1, sizeof(SHA1_CTX), 300 SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int 301}; 302 303static const struct swcr_auth_hash swcr_auth_hash_md5 = { 304 &auth_hash_md5, sizeof(MD5_CTX), 305 (void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int, 306 (void (*) (u_int8_t *, void *)) MD5Final 307}; 308 309static const struct swcr_auth_hash swcr_auth_hash_sha1 = { 310 &auth_hash_sha1, sizeof(SHA1_CTX), 311 (void (*)(void *)) SHA1Init, NULL, NULL, SHA1Update_int, 312 (void (*)(u_int8_t *, void *)) SHA1Final 313}; 314 315static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_256 = { 316 &auth_hash_hmac_sha2_256, sizeof(SHA256_CTX), 317 (void (*)(void *))(void *)SHA256_Init, NULL, NULL, SHA256Update_int, 318 (void (*)(u_int8_t *, void *))(void *)SHA256_Final 319}; 320 321static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_384 = { 322 &auth_hash_hmac_sha2_384, sizeof(SHA384_CTX), 323 (void (*)(void *))(void *)SHA384_Init, NULL, NULL, SHA384Update_int, 324 (void (*)(u_int8_t *, void *))(void *)SHA384_Final 325}; 326 327static const struct swcr_auth_hash swcr_auth_hash_hmac_sha2_512 = { 328 &auth_hash_hmac_sha2_512, sizeof(SHA512_CTX), 329 (void (*)(void *))(void *)SHA512_Init, NULL, NULL, SHA512Update_int, 330 (void (*)(u_int8_t *, void *))(void *)SHA512_Final 331}; 332 333static const struct swcr_auth_hash swcr_auth_hash_aes_xcbc_mac = { 334 &auth_hash_aes_xcbc_mac_96, sizeof(aesxcbc_ctx), 335 null_init, 336 (void (*)(void *, const u_int8_t *, u_int16_t))(void *)aes_xcbc_mac_init, 337 NULL, aes_xcbc_mac_loop, aes_xcbc_mac_result 338}; 339 340static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_128 = { 341 &auth_hash_gmac_aes_128, sizeof(AES_GMAC_CTX), 342 (void (*)(void *))AES_GMAC_Init, 343 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 344 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 345 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 346 (void (*)(u_int8_t *, void *))AES_GMAC_Final 347}; 348 349static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_192 = { 350 &auth_hash_gmac_aes_192, sizeof(AES_GMAC_CTX), 351 (void (*)(void *))AES_GMAC_Init, 352 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 353 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 354 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 355 (void (*)(u_int8_t *, void *))AES_GMAC_Final 356}; 357 358static const struct swcr_auth_hash swcr_auth_hash_gmac_aes_256 = { 359 &auth_hash_gmac_aes_256, sizeof(AES_GMAC_CTX), 360 (void (*)(void *))AES_GMAC_Init, 361 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Setkey, 362 (void (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Reinit, 363 (int (*)(void *, const u_int8_t *, u_int16_t))AES_GMAC_Update, 364 (void (*)(u_int8_t *, void *))AES_GMAC_Final 365}; 366 367/* Compression instance */ 368static const struct swcr_comp_algo swcr_comp_algo_deflate = { 369 &comp_algo_deflate, 370 deflate_compress, 371 deflate_decompress 372}; 373 374static const struct swcr_comp_algo swcr_comp_algo_deflate_nogrow = { 375 &comp_algo_deflate_nogrow, 376 deflate_compress, 377 deflate_decompress 378}; 379 380static const struct swcr_comp_algo swcr_comp_algo_gzip = { 381 &comp_algo_deflate, 382 gzip_compress, 383 gzip_decompress 384}; 385 386/* 387 * Encryption wrapper routines. 388 */ 389static void 390null_encrypt(void *key, u_int8_t *blk) 391{ 392} 393static void 394null_decrypt(void *key, u_int8_t *blk) 395{ 396} 397static int 398null_setkey(u_int8_t **sched, const u_int8_t *key, int len) 399{ 400 *sched = NULL; 401 return 0; 402} 403static void 404null_zerokey(u_int8_t **sched) 405{ 406 *sched = NULL; 407} 408 409static void 410des1_encrypt(void *key, u_int8_t *blk) 411{ 412 des_cblock *cb = (des_cblock *) blk; 413 des_key_schedule *p = (des_key_schedule *) key; 414 415 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 416} 417 418static void 419des1_decrypt(void *key, u_int8_t *blk) 420{ 421 des_cblock *cb = (des_cblock *) blk; 422 des_key_schedule *p = (des_key_schedule *) key; 423 424 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 425} 426 427static int 428des1_setkey(u_int8_t **sched, const u_int8_t *key, int len) 429{ 430 des_key_schedule *p; 431 432 p = malloc(sizeof (des_key_schedule), 433 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 434 *sched = (u_int8_t *) p; 435 if (p == NULL) 436 return ENOMEM; 437 des_set_key((des_cblock *)__UNCONST(key), p[0]); 438 return 0; 439} 440 441static void 442des1_zerokey(u_int8_t **sched) 443{ 444 memset(*sched, 0, sizeof (des_key_schedule)); 445 free(*sched, M_CRYPTO_DATA); 446 *sched = NULL; 447} 448 449static void 450des3_encrypt(void *key, u_int8_t *blk) 451{ 452 des_cblock *cb = (des_cblock *) blk; 453 des_key_schedule *p = (des_key_schedule *) key; 454 455 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 456} 457 458static void 459des3_decrypt(void *key, u_int8_t *blk) 460{ 461 des_cblock *cb = (des_cblock *) blk; 462 des_key_schedule *p = (des_key_schedule *) key; 463 464 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 465} 466 467static int 468des3_setkey(u_int8_t **sched, const u_int8_t *key, int len) 469{ 470 des_key_schedule *p; 471 472 p = malloc(3*sizeof (des_key_schedule), 473 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 474 *sched = (u_int8_t *) p; 475 if (p == NULL) 476 return ENOMEM; 477 des_set_key((des_cblock *)__UNCONST(key + 0), p[0]); 478 des_set_key((des_cblock *)__UNCONST(key + 8), p[1]); 479 des_set_key((des_cblock *)__UNCONST(key + 16), p[2]); 480 return 0; 481} 482 483static void 484des3_zerokey(u_int8_t **sched) 485{ 486 memset(*sched, 0, 3*sizeof (des_key_schedule)); 487 free(*sched, M_CRYPTO_DATA); 488 *sched = NULL; 489} 490 491static void 492blf_encrypt(void *key, u_int8_t *blk) 493{ 494 495 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 1); 496} 497 498static void 499blf_decrypt(void *key, u_int8_t *blk) 500{ 501 502 BF_ecb_encrypt(blk, blk, (BF_KEY *)key, 0); 503} 504 505static int 506blf_setkey(u_int8_t **sched, const u_int8_t *key, int len) 507{ 508 509 *sched = malloc(sizeof(BF_KEY), 510 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 511 if (*sched == NULL) 512 return ENOMEM; 513 BF_set_key((BF_KEY *) *sched, len, key); 514 return 0; 515} 516 517static void 518blf_zerokey(u_int8_t **sched) 519{ 520 memset(*sched, 0, sizeof(BF_KEY)); 521 free(*sched, M_CRYPTO_DATA); 522 *sched = NULL; 523} 524 525static void 526cast5_encrypt(void *key, u_int8_t *blk) 527{ 528 cast128_encrypt((cast128_key *) key, blk, blk); 529} 530 531static void 532cast5_decrypt(void *key, u_int8_t *blk) 533{ 534 cast128_decrypt((cast128_key *) key, blk, blk); 535} 536 537static int 538cast5_setkey(u_int8_t **sched, const u_int8_t *key, int len) 539{ 540 541 *sched = malloc(sizeof(cast128_key), M_CRYPTO_DATA, 542 M_NOWAIT|M_ZERO); 543 if (*sched == NULL) 544 return ENOMEM; 545 cast128_setkey((cast128_key *)*sched, key, len); 546 return 0; 547} 548 549static void 550cast5_zerokey(u_int8_t **sched) 551{ 552 memset(*sched, 0, sizeof(cast128_key)); 553 free(*sched, M_CRYPTO_DATA); 554 *sched = NULL; 555} 556 557static void 558skipjack_encrypt(void *key, u_int8_t *blk) 559{ 560 skipjack_forwards(blk, blk, (u_int8_t **) key); 561} 562 563static void 564skipjack_decrypt(void *key, u_int8_t *blk) 565{ 566 skipjack_backwards(blk, blk, (u_int8_t **) key); 567} 568 569static int 570skipjack_setkey(u_int8_t **sched, const u_int8_t *key, int len) 571{ 572 573 /* NB: allocate all the memory that's needed at once */ 574 /* XXX assumes bytes are aligned on sizeof(u_char) == 1 boundaries. 575 * Will this break a pdp-10, Cray-1, or GE-645 port? 576 */ 577 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 578 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 579 580 if (*sched == NULL) 581 return ENOMEM; 582 583 u_int8_t** key_tables = (u_int8_t**) *sched; 584 u_int8_t* table = (u_int8_t*) &key_tables[10]; 585 int k; 586 587 for (k = 0; k < 10; k++) { 588 key_tables[k] = table; 589 table += 0x100; 590 } 591 subkey_table_gen(key, (u_int8_t **) *sched); 592 return 0; 593} 594 595static void 596skipjack_zerokey(u_int8_t **sched) 597{ 598 memset(*sched, 0, 10 * (sizeof(u_int8_t *) + 0x100)); 599 free(*sched, M_CRYPTO_DATA); 600 *sched = NULL; 601} 602 603struct aes_ctx { 604 struct aesenc enc; 605 struct aesdec dec; 606 uint32_t nr; 607}; 608 609static void 610aes_encrypt(void *key, u_int8_t *blk) 611{ 612 struct aes_ctx *ctx = key; 613 614 aes_enc(&ctx->enc, blk, blk, ctx->nr); 615} 616 617static void 618aes_decrypt(void *key, u_int8_t *blk) 619{ 620 struct aes_ctx *ctx = key; 621 622 aes_dec(&ctx->dec, blk, blk, ctx->nr); 623} 624 625static int 626aes_setkey(u_int8_t **sched, const u_int8_t *key, int len) 627{ 628 struct aes_ctx *ctx; 629 630 if (len != 16 && len != 24 && len != 32) 631 return EINVAL; 632 ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); 633 if (ctx == NULL) 634 return ENOMEM; 635 636 switch (len) { 637 case 16: 638 aes_setenckey128(&ctx->enc, key); 639 aes_setdeckey128(&ctx->dec, key); 640 ctx->nr = AES_128_NROUNDS; 641 break; 642 case 24: 643 aes_setenckey192(&ctx->enc, key); 644 aes_setdeckey192(&ctx->dec, key); 645 ctx->nr = AES_192_NROUNDS; 646 break; 647 case 32: 648 aes_setenckey256(&ctx->enc, key); 649 aes_setdeckey256(&ctx->dec, key); 650 ctx->nr = AES_256_NROUNDS; 651 break; 652 } 653 654 *sched = (void *)ctx; 655 return 0; 656} 657 658static void 659aes_zerokey(u_int8_t **sched) 660{ 661 struct aes_ctx *ctx = (void *)*sched; 662 663 explicit_memset(ctx, 0, sizeof(*ctx)); 664 kmem_free(ctx, sizeof(*ctx)); 665 *sched = NULL; 666} 667 668static void 669cml_encrypt(void *key, u_int8_t *blk) 670{ 671 672 camellia_encrypt(key, blk, blk); 673} 674 675static void 676cml_decrypt(void *key, u_int8_t *blk) 677{ 678 679 camellia_decrypt(key, blk, blk); 680} 681 682static int 683cml_setkey(u_int8_t **sched, const u_int8_t *key, int len) 684{ 685 686 if (len != 16 && len != 24 && len != 32) 687 return (EINVAL); 688 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 689 M_NOWAIT|M_ZERO); 690 if (*sched == NULL) 691 return ENOMEM; 692 693 camellia_set_key((camellia_ctx *) *sched, key, len * 8); 694 return 0; 695} 696 697static void 698cml_zerokey(u_int8_t **sched) 699{ 700 701 memset(*sched, 0, sizeof(camellia_ctx)); 702 free(*sched, M_CRYPTO_DATA); 703 *sched = NULL; 704} 705 706#define AESCTR_NONCESIZE 4 707#define AESCTR_IVSIZE 8 708#define AESCTR_BLOCKSIZE 16 709 710struct aes_ctr_ctx { 711 /* need only encryption half */ 712 struct aesenc ac_ek; 713 u_int8_t ac_block[AESCTR_BLOCKSIZE]; 714 int ac_nr; 715 struct { 716 u_int64_t lastiv; 717 } ivgenctx; 718}; 719 720static void 721aes_ctr_crypt(void *key, u_int8_t *blk) 722{ 723 struct aes_ctr_ctx *ctx; 724 u_int8_t keystream[AESCTR_BLOCKSIZE]; 725 int i; 726 727 ctx = key; 728 /* increment counter */ 729 for (i = AESCTR_BLOCKSIZE - 1; 730 i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) 731 if (++ctx->ac_block[i]) /* continue on overflow */ 732 break; 733 aes_enc(&ctx->ac_ek, ctx->ac_block, keystream, ctx->ac_nr); 734 for (i = 0; i < AESCTR_BLOCKSIZE; i++) 735 blk[i] ^= keystream[i]; 736 explicit_memset(keystream, 0, sizeof(keystream)); 737} 738 739int 740aes_ctr_setkey(u_int8_t **sched, const u_int8_t *key, int len) 741{ 742 struct aes_ctr_ctx *ctx; 743 744 if (len < AESCTR_NONCESIZE) 745 return EINVAL; 746 747 ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); 748 if (!ctx) 749 return ENOMEM; 750 switch (len) { 751 case 16 + AESCTR_NONCESIZE: 752 ctx->ac_nr = aes_setenckey128(&ctx->ac_ek, key); 753 break; 754 case 24 + AESCTR_NONCESIZE: 755 ctx->ac_nr = aes_setenckey192(&ctx->ac_ek, key); 756 break; 757 case 32 + AESCTR_NONCESIZE: 758 ctx->ac_nr = aes_setenckey256(&ctx->ac_ek, key); 759 break; 760 default: 761 aes_ctr_zerokey((u_int8_t **)&ctx); 762 return EINVAL; 763 } 764 memcpy(ctx->ac_block, key + len - AESCTR_NONCESIZE, AESCTR_NONCESIZE); 765 /* random start value for simple counter */ 766 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 767 *sched = (void *)ctx; 768 return 0; 769} 770 771void 772aes_ctr_zerokey(u_int8_t **sched) 773{ 774 struct aes_ctr_ctx *ctx = (void *)*sched; 775 776 explicit_memset(ctx, 0, sizeof(*ctx)); 777 kmem_free(ctx, sizeof(*ctx)); 778 *sched = NULL; 779} 780 781void 782aes_ctr_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 783{ 784 struct aes_ctr_ctx *ctx = key; 785 786 if (!iv) { 787 ctx->ivgenctx.lastiv++; 788 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 789 } 790 if (ivout) 791 memcpy(ivout, iv, AESCTR_IVSIZE); 792 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 793 /* reset counter */ 794 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 795} 796 797void 798aes_gcm_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 799{ 800 struct aes_ctr_ctx *ctx = key; 801 802 if (!iv) { 803 ctx->ivgenctx.lastiv++; 804 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 805 } 806 if (ivout) 807 memcpy(ivout, iv, AESCTR_IVSIZE); 808 memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE); 809 /* reset counter */ 810 memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4); 811 ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ 812} 813 814struct aes_gmac_ctx { 815 struct { 816 u_int64_t lastiv; 817 } ivgenctx; 818}; 819 820int 821aes_gmac_setkey(u_int8_t **sched, const u_int8_t *key, int len) 822{ 823 struct aes_gmac_ctx *ctx; 824 825 ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP); 826 if (!ctx) 827 return ENOMEM; 828 829 /* random start value for simple counter */ 830 cprng_fast(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv)); 831 *sched = (void *)ctx; 832 return 0; 833} 834 835void 836aes_gmac_zerokey(u_int8_t **sched) 837{ 838 struct aes_gmac_ctx *ctx = (void *)*sched; 839 840 kmem_free(ctx, sizeof(*ctx)); 841 *sched = NULL; 842} 843 844void 845aes_gmac_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout) 846{ 847 struct aes_gmac_ctx *ctx = key; 848 849 if (!iv) { 850 ctx->ivgenctx.lastiv++; 851 iv = (const u_int8_t *)&ctx->ivgenctx.lastiv; 852 } 853 if (ivout) 854 memcpy(ivout, iv, AESCTR_IVSIZE); 855} 856 857/* 858 * And now for auth. 859 */ 860 861static void 862null_init(void *ctx) 863{ 864} 865 866static int 867null_update(void *ctx, const u_int8_t *buf, 868 u_int16_t len) 869{ 870 return 0; 871} 872 873static void 874null_final(u_int8_t *buf, void *ctx) 875{ 876 if (buf != (u_int8_t *) 0) 877 memset(buf, 0, 12); 878} 879 880static int 881RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 882{ 883 RMD160Update(ctx, buf, len); 884 return 0; 885} 886 887static int 888MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 889{ 890 MD5Update(ctx, buf, len); 891 return 0; 892} 893 894static void 895SHA1Init_int(void *ctx) 896{ 897 SHA1Init(ctx); 898} 899 900static int 901SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 902{ 903 SHA1Update(ctx, buf, len); 904 return 0; 905} 906 907static void 908SHA1Final_int(u_int8_t *blk, void *ctx) 909{ 910 SHA1Final(blk, ctx); 911} 912 913static int 914SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 915{ 916 SHA256_Update(ctx, buf, len); 917 return 0; 918} 919 920static int 921SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 922{ 923 SHA384_Update(ctx, buf, len); 924 return 0; 925} 926 927static int 928SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) 929{ 930 SHA512_Update(ctx, buf, len); 931 return 0; 932} 933 934/* 935 * And compression 936 */ 937 938static u_int32_t 939deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 940{ 941 return deflate_global(data, size, 0, out, 0); 942} 943 944static u_int32_t 945deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 946 int size_hint) 947{ 948 return deflate_global(data, size, 1, out, size_hint); 949} 950 951static u_int32_t 952gzip_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) 953{ 954 return gzip_global(data, size, 0, out, 0); 955} 956 957static u_int32_t 958gzip_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out, 959 int size_hint) 960{ 961 return gzip_global(data, size, 1, out, size_hint); 962} 963