1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16 * Additional features in 1999 by Angelos D. Keromytis.
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (C) 2001, Angelos D. Keromytis.
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
45 #include <sys/sysctl.h>
46 #include <sys/errno.h>
48 #include <sys/kernel.h>
49 #include <machine/cpu.h>
51 #include <crypto/blowfish/blowfish.h>
52 #include <crypto/des/des.h>
53 #include <crypto/rijndael/rijndael.h>
54 #include <crypto/camellia/camellia.h>
55 #include <crypto/sha1.h>
57 #include <opencrypto/cast.h>
58 #include <opencrypto/deflate.h>
59 #include <opencrypto/rmd160.h>
60 #include <opencrypto/skipjack.h>
64 #include <opencrypto/cryptodev.h>
65 #include <opencrypto/xform.h>
67 static void null_encrypt(caddr_t, u_int8_t *);
68 static void null_decrypt(caddr_t, u_int8_t *);
69 static int null_setkey(u_int8_t **, u_int8_t *, int);
70 static void null_zerokey(u_int8_t **);
72 static int des1_setkey(u_int8_t **, u_int8_t *, int);
73 static int des3_setkey(u_int8_t **, u_int8_t *, int);
74 static int blf_setkey(u_int8_t **, u_int8_t *, int);
75 static int cast5_setkey(u_int8_t **, u_int8_t *, int);
76 static int skipjack_setkey(u_int8_t **, u_int8_t *, int);
77 static int rijndael128_setkey(u_int8_t **, u_int8_t *, int);
78 static int cml_setkey(u_int8_t **, u_int8_t *, int);
79 static void des1_encrypt(caddr_t, u_int8_t *);
80 static void des3_encrypt(caddr_t, u_int8_t *);
81 static void blf_encrypt(caddr_t, u_int8_t *);
82 static void cast5_encrypt(caddr_t, u_int8_t *);
83 static void skipjack_encrypt(caddr_t, u_int8_t *);
84 static void rijndael128_encrypt(caddr_t, u_int8_t *);
85 static void cml_encrypt(caddr_t, u_int8_t *);
86 static void des1_decrypt(caddr_t, u_int8_t *);
87 static void des3_decrypt(caddr_t, u_int8_t *);
88 static void blf_decrypt(caddr_t, u_int8_t *);
89 static void cast5_decrypt(caddr_t, u_int8_t *);
90 static void skipjack_decrypt(caddr_t, u_int8_t *);
91 static void rijndael128_decrypt(caddr_t, u_int8_t *);
92 static void cml_decrypt(caddr_t, u_int8_t *);
93 static void des1_zerokey(u_int8_t **);
94 static void des3_zerokey(u_int8_t **);
95 static void blf_zerokey(u_int8_t **);
96 static void cast5_zerokey(u_int8_t **);
97 static void skipjack_zerokey(u_int8_t **);
98 static void rijndael128_zerokey(u_int8_t **);
99 static void cml_zerokey(u_int8_t **);
101 static void null_init(void *);
102 static int null_update(void *, u_int8_t *, u_int16_t);
103 static void null_final(u_int8_t *, void *);
104 static int MD5Update_int(void *, u_int8_t *, u_int16_t);
105 static void SHA1Init_int(void *);
106 static int SHA1Update_int(void *, u_int8_t *, u_int16_t);
107 static void SHA1Final_int(u_int8_t *, void *);
108 static int RMD160Update_int(void *, u_int8_t *, u_int16_t);
109 static int SHA256Update_int(void *, u_int8_t *, u_int16_t);
110 static int SHA384Update_int(void *, u_int8_t *, u_int16_t);
111 static int SHA512Update_int(void *, u_int8_t *, u_int16_t);
113 static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **);
114 static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
116 MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers");
118 /* Encryption instances */
119 struct enc_xform enc_xform_null = {
120 CRYPTO_NULL_CBC, "NULL",
121 /* NB: blocksize of 4 is to generate a properly aligned ESP header */
122 NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */
129 struct enc_xform enc_xform_des = {
130 CRYPTO_DES_CBC, "DES",
138 struct enc_xform enc_xform_3des = {
139 CRYPTO_3DES_CBC, "3DES",
140 DES3_BLOCK_LEN, 24, 24,
147 struct enc_xform enc_xform_blf = {
148 CRYPTO_BLF_CBC, "Blowfish",
149 BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */,
156 struct enc_xform enc_xform_cast5 = {
157 CRYPTO_CAST_CBC, "CAST-128",
158 CAST128_BLOCK_LEN, 5, 16,
165 struct enc_xform enc_xform_skipjack = {
166 CRYPTO_SKIPJACK_CBC, "Skipjack",
167 SKIPJACK_BLOCK_LEN, 10, 10,
174 struct enc_xform enc_xform_rijndael128 = {
175 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES",
176 RIJNDAEL128_BLOCK_LEN, 8, 32,
183 struct enc_xform enc_xform_arc4 = {
192 struct enc_xform enc_xform_camellia = {
193 CRYPTO_CAMELLIA_CBC, "Camellia",
194 CAMELLIA_BLOCK_LEN, 8, 32,
201 /* Authentication instances */
202 struct auth_hash auth_hash_null = {
203 CRYPTO_NULL_HMAC, "NULL-HMAC",
204 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */
205 null_init, null_update, null_final
208 struct auth_hash auth_hash_hmac_md5 = {
209 CRYPTO_MD5_HMAC, "HMAC-MD5",
210 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX),
211 (void (*) (void *)) MD5Init, MD5Update_int,
212 (void (*) (u_int8_t *, void *)) MD5Final
215 struct auth_hash auth_hash_hmac_sha1 = {
216 CRYPTO_SHA1_HMAC, "HMAC-SHA1",
217 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX),
218 SHA1Init_int, SHA1Update_int, SHA1Final_int
221 struct auth_hash auth_hash_hmac_ripemd_160 = {
222 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
223 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX),
224 (void (*)(void *)) RMD160Init, RMD160Update_int,
225 (void (*)(u_int8_t *, void *)) RMD160Final
228 struct auth_hash auth_hash_key_md5 = {
229 CRYPTO_MD5_KPDK, "Keyed MD5",
230 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX),
231 (void (*)(void *)) MD5Init, MD5Update_int,
232 (void (*)(u_int8_t *, void *)) MD5Final
235 struct auth_hash auth_hash_key_sha1 = {
236 CRYPTO_SHA1_KPDK, "Keyed SHA1",
237 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX),
238 SHA1Init_int, SHA1Update_int, SHA1Final_int
241 struct auth_hash auth_hash_hmac_sha2_256 = {
242 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
243 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX),
244 (void (*)(void *)) SHA256_Init, SHA256Update_int,
245 (void (*)(u_int8_t *, void *)) SHA256_Final
248 struct auth_hash auth_hash_hmac_sha2_384 = {
249 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
250 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX),
251 (void (*)(void *)) SHA384_Init, SHA384Update_int,
252 (void (*)(u_int8_t *, void *)) SHA384_Final
255 struct auth_hash auth_hash_hmac_sha2_512 = {
256 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
257 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX),
258 (void (*)(void *)) SHA512_Init, SHA512Update_int,
259 (void (*)(u_int8_t *, void *)) SHA512_Final
262 /* Compression instance */
263 struct comp_algo comp_algo_deflate = {
264 CRYPTO_DEFLATE_COMP, "Deflate",
265 90, deflate_compress,
270 * Encryption wrapper routines.
273 null_encrypt(caddr_t key, u_int8_t *blk)
277 null_decrypt(caddr_t key, u_int8_t *blk)
281 null_setkey(u_int8_t **sched, u_int8_t *key, int len)
287 null_zerokey(u_int8_t **sched)
293 des1_encrypt(caddr_t key, u_int8_t *blk)
295 des_cblock *cb = (des_cblock *) blk;
296 des_key_schedule *p = (des_key_schedule *) key;
298 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT);
302 des1_decrypt(caddr_t key, u_int8_t *blk)
304 des_cblock *cb = (des_cblock *) blk;
305 des_key_schedule *p = (des_key_schedule *) key;
307 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT);
311 des1_setkey(u_int8_t **sched, u_int8_t *key, int len)
316 p = malloc(sizeof (des_key_schedule),
317 M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
319 des_set_key((des_cblock *) key, p[0]);
323 *sched = (u_int8_t *) p;
328 des1_zerokey(u_int8_t **sched)
330 bzero(*sched, sizeof (des_key_schedule));
331 free(*sched, M_CRYPTO_DATA);
336 des3_encrypt(caddr_t key, u_int8_t *blk)
338 des_cblock *cb = (des_cblock *) blk;
339 des_key_schedule *p = (des_key_schedule *) key;
341 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT);
345 des3_decrypt(caddr_t key, u_int8_t *blk)
347 des_cblock *cb = (des_cblock *) blk;
348 des_key_schedule *p = (des_key_schedule *) key;
350 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT);
354 des3_setkey(u_int8_t **sched, u_int8_t *key, int len)
359 p = malloc(3*sizeof (des_key_schedule),
360 M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
362 des_set_key((des_cblock *)(key + 0), p[0]);
363 des_set_key((des_cblock *)(key + 8), p[1]);
364 des_set_key((des_cblock *)(key + 16), p[2]);
368 *sched = (u_int8_t *) p;
373 des3_zerokey(u_int8_t **sched)
375 bzero(*sched, 3*sizeof (des_key_schedule));
376 free(*sched, M_CRYPTO_DATA);
381 blf_encrypt(caddr_t key, u_int8_t *blk)
385 memcpy(t, blk, sizeof (t));
388 /* NB: BF_encrypt expects the block in host order! */
389 BF_encrypt(t, (BF_KEY *) key);
392 memcpy(blk, t, sizeof (t));
396 blf_decrypt(caddr_t key, u_int8_t *blk)
400 memcpy(t, blk, sizeof (t));
403 /* NB: BF_decrypt expects the block in host order! */
404 BF_decrypt(t, (BF_KEY *) key);
407 memcpy(blk, t, sizeof (t));
411 blf_setkey(u_int8_t **sched, u_int8_t *key, int len)
415 *sched = malloc(sizeof(BF_KEY),
416 M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
417 if (*sched != NULL) {
418 BF_set_key((BF_KEY *) *sched, len, key);
426 blf_zerokey(u_int8_t **sched)
428 bzero(*sched, sizeof(BF_KEY));
429 free(*sched, M_CRYPTO_DATA);
434 cast5_encrypt(caddr_t key, u_int8_t *blk)
436 cast_encrypt((cast_key *) key, blk, blk);
440 cast5_decrypt(caddr_t key, u_int8_t *blk)
442 cast_decrypt((cast_key *) key, blk, blk);
446 cast5_setkey(u_int8_t **sched, u_int8_t *key, int len)
450 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
451 if (*sched != NULL) {
452 cast_setkey((cast_key *)*sched, key, len);
460 cast5_zerokey(u_int8_t **sched)
462 bzero(*sched, sizeof(cast_key));
463 free(*sched, M_CRYPTO_DATA);
468 skipjack_encrypt(caddr_t key, u_int8_t *blk)
470 skipjack_forwards(blk, blk, (u_int8_t **) key);
474 skipjack_decrypt(caddr_t key, u_int8_t *blk)
476 skipjack_backwards(blk, blk, (u_int8_t **) key);
480 skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len)
484 /* NB: allocate all the memory that's needed at once */
485 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100),
486 M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
487 if (*sched != NULL) {
488 u_int8_t** key_tables = (u_int8_t**) *sched;
489 u_int8_t* table = (u_int8_t*) &key_tables[10];
492 for (k = 0; k < 10; k++) {
493 key_tables[k] = table;
496 subkey_table_gen(key, (u_int8_t **) *sched);
504 skipjack_zerokey(u_int8_t **sched)
506 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100));
507 free(*sched, M_CRYPTO_DATA);
512 rijndael128_encrypt(caddr_t key, u_int8_t *blk)
514 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk);
518 rijndael128_decrypt(caddr_t key, u_int8_t *blk)
520 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk,
525 rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len)
529 if (len != 16 && len != 24 && len != 32)
531 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA,
533 if (*sched != NULL) {
534 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key,
543 rijndael128_zerokey(u_int8_t **sched)
545 bzero(*sched, sizeof(rijndael_ctx));
546 free(*sched, M_CRYPTO_DATA);
551 cml_encrypt(caddr_t key, u_int8_t *blk)
553 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk);
557 cml_decrypt(caddr_t key, u_int8_t *blk)
559 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk,
564 cml_setkey(u_int8_t **sched, u_int8_t *key, int len)
568 if (len != 16 && len != 24 && len != 32)
570 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA,
572 if (*sched != NULL) {
573 camellia_set_key((camellia_ctx *) *sched, (u_char *) key,
582 cml_zerokey(u_int8_t **sched)
584 bzero(*sched, sizeof(camellia_ctx));
585 free(*sched, M_CRYPTO_DATA);
599 null_update(void *ctx, u_int8_t *buf, u_int16_t len)
605 null_final(u_int8_t *buf, void *ctx)
607 if (buf != (u_int8_t *) 0)
612 RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
614 RMD160Update(ctx, buf, len);
619 MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
621 MD5Update(ctx, buf, len);
626 SHA1Init_int(void *ctx)
632 SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
634 SHA1Update(ctx, buf, len);
639 SHA1Final_int(u_int8_t *blk, void *ctx)
645 SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
647 SHA256_Update(ctx, buf, len);
652 SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
654 SHA384_Update(ctx, buf, len);
659 SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
661 SHA512_Update(ctx, buf, len);
670 deflate_compress(data, size, out)
675 return deflate_global(data, size, 0, out);
679 deflate_decompress(data, size, out)
684 return deflate_global(data, size, 1, out);