opencrypto - add twofish support to cryptosoft/dev
[dragonfly.git] / sys / opencrypto / xform.c
CommitLineData
42ee1e6b 1/* $FreeBSD: src/sys/opencrypto/xform.c,v 1.10 2008/10/23 15:53:51 des Exp $ */
984263bc 2/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
42ee1e6b 3/*-
984263bc
MD
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 *
22 * Copyright (C) 2001, Angelos D. Keromytis.
23 *
24 * Permission to use, copy, and modify this software with or without fee
25 * is hereby granted, provided that this entire notice is included in
26 * all copies of any software which is or includes a copy or
27 * modification of this software.
28 * You may use this code under the GNU public license if you so wish. Please
29 * contribute changes back to the authors under this freer than GPL license
30 * so that we may further the use of strong encryption without limitations to
31 * all.
32 *
33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
37 * PURPOSE.
38 */
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/malloc.h>
43#include <sys/sysctl.h>
44#include <sys/errno.h>
45#include <sys/time.h>
46#include <sys/kernel.h>
47#include <machine/cpu.h>
48
49#include <crypto/blowfish/blowfish.h>
50#include <crypto/des/des.h>
42ee1e6b
SW
51#include <crypto/rijndael/rijndael.h>
52#include <crypto/camellia/camellia.h>
37cb95f9 53#include <crypto/twofish/twofish.h>
984263bc
MD
54#include <crypto/sha1.h>
55
56#include <opencrypto/cast.h>
57#include <opencrypto/deflate.h>
984263bc
MD
58#include <opencrypto/rmd160.h>
59#include <opencrypto/skipjack.h>
aface142 60#include <opencrypto/gmac.h>
984263bc
MD
61
62#include <sys/md5.h>
63
64#include <opencrypto/cryptodev.h>
65#include <opencrypto/xform.h>
66
400158c1
AH
67static void null_encrypt(caddr_t, u_int8_t *, u_int8_t *);
68static void null_decrypt(caddr_t, u_int8_t *, u_int8_t *);
984263bc
MD
69static int null_setkey(u_int8_t **, u_int8_t *, int);
70static void null_zerokey(u_int8_t **);
71
72static int des1_setkey(u_int8_t **, u_int8_t *, int);
73static int des3_setkey(u_int8_t **, u_int8_t *, int);
74static int blf_setkey(u_int8_t **, u_int8_t *, int);
75static int cast5_setkey(u_int8_t **, u_int8_t *, int);
76static int skipjack_setkey(u_int8_t **, u_int8_t *, int);
77static int rijndael128_setkey(u_int8_t **, u_int8_t *, int);
da41e4e5
AH
78static int aes_xts_setkey(u_int8_t **, u_int8_t *, int);
79static int aes_ctr_setkey(u_int8_t **, u_int8_t *, int);
42ee1e6b 80static int cml_setkey(u_int8_t **, u_int8_t *, int);
37cb95f9 81static int twofish128_setkey(u_int8_t **, u_int8_t *, int);
400158c1
AH
82static void des1_encrypt(caddr_t, u_int8_t *, u_int8_t *);
83static void des3_encrypt(caddr_t, u_int8_t *, u_int8_t *);
84static void blf_encrypt(caddr_t, u_int8_t *, u_int8_t *);
85static void cast5_encrypt(caddr_t, u_int8_t *, u_int8_t *);
86static void skipjack_encrypt(caddr_t, u_int8_t *, u_int8_t *);
87static void rijndael128_encrypt(caddr_t, u_int8_t *, u_int8_t *);
88static void aes_xts_encrypt(caddr_t, u_int8_t *, u_int8_t *);
89static void cml_encrypt(caddr_t, u_int8_t *, u_int8_t *);
37cb95f9 90static void twofish128_encrypt(caddr_t, u_int8_t *, u_int8_t *);
400158c1
AH
91static void des1_decrypt(caddr_t, u_int8_t *, u_int8_t *);
92static void des3_decrypt(caddr_t, u_int8_t *, u_int8_t *);
93static void blf_decrypt(caddr_t, u_int8_t *, u_int8_t *);
94static void cast5_decrypt(caddr_t, u_int8_t *, u_int8_t *);
95static void skipjack_decrypt(caddr_t, u_int8_t *, u_int8_t *);
96static void rijndael128_decrypt(caddr_t, u_int8_t *, u_int8_t *);
97static void aes_xts_decrypt(caddr_t, u_int8_t *, u_int8_t *);
98static void cml_decrypt(caddr_t, u_int8_t *, u_int8_t *);
37cb95f9 99static void twofish128_decrypt(caddr_t, u_int8_t *, u_int8_t *);
984263bc
MD
100static void des1_zerokey(u_int8_t **);
101static void des3_zerokey(u_int8_t **);
102static void blf_zerokey(u_int8_t **);
103static void cast5_zerokey(u_int8_t **);
104static void skipjack_zerokey(u_int8_t **);
105static void rijndael128_zerokey(u_int8_t **);
da41e4e5
AH
106static void aes_xts_zerokey(u_int8_t **);
107static void aes_ctr_zerokey(u_int8_t **);
42ee1e6b 108static void cml_zerokey(u_int8_t **);
37cb95f9 109static void twofish128_zerokey(u_int8_t **);
984263bc 110
400158c1 111static void aes_ctr_crypt(caddr_t, u_int8_t *, u_int8_t *);
da41e4e5
AH
112
113static void aes_ctr_reinit(caddr_t, u_int8_t *);
114static void aes_xts_reinit(caddr_t, u_int8_t *);
aface142 115static void aes_gcm_reinit(caddr_t, u_int8_t *);
da41e4e5 116
984263bc
MD
117static void null_init(void *);
118static int null_update(void *, u_int8_t *, u_int16_t);
119static void null_final(u_int8_t *, void *);
120static int MD5Update_int(void *, u_int8_t *, u_int16_t);
121static void SHA1Init_int(void *);
122static int SHA1Update_int(void *, u_int8_t *, u_int16_t);
123static void SHA1Final_int(u_int8_t *, void *);
124static int RMD160Update_int(void *, u_int8_t *, u_int16_t);
125static int SHA256Update_int(void *, u_int8_t *, u_int16_t);
126static int SHA384Update_int(void *, u_int8_t *, u_int16_t);
127static int SHA512Update_int(void *, u_int8_t *, u_int16_t);
128
129static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **);
130static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
131
da41e4e5
AH
132/* Helper */
133struct aes_xts_ctx;
400158c1 134static void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int8_t *, u_int);
da41e4e5 135
984263bc
MD
136MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers");
137
138/* Encryption instances */
139struct enc_xform enc_xform_null = {
140 CRYPTO_NULL_CBC, "NULL",
141 /* NB: blocksize of 4 is to generate a properly aligned ESP header */
da41e4e5 142 NULL_BLOCK_LEN, NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */
984263bc
MD
143 null_encrypt,
144 null_decrypt,
145 null_setkey,
146 null_zerokey,
da41e4e5 147 NULL
984263bc
MD
148};
149
150struct enc_xform enc_xform_des = {
151 CRYPTO_DES_CBC, "DES",
da41e4e5 152 DES_BLOCK_LEN, DES_BLOCK_LEN, 8, 8,
984263bc
MD
153 des1_encrypt,
154 des1_decrypt,
155 des1_setkey,
156 des1_zerokey,
da41e4e5 157 NULL
984263bc
MD
158};
159
160struct enc_xform enc_xform_3des = {
161 CRYPTO_3DES_CBC, "3DES",
da41e4e5 162 DES3_BLOCK_LEN, DES3_BLOCK_LEN, 24, 24,
984263bc
MD
163 des3_encrypt,
164 des3_decrypt,
165 des3_setkey,
da41e4e5
AH
166 des3_zerokey,
167 NULL
984263bc
MD
168};
169
170struct enc_xform enc_xform_blf = {
171 CRYPTO_BLF_CBC, "Blowfish",
da41e4e5 172 BLOWFISH_BLOCK_LEN, BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */,
984263bc
MD
173 blf_encrypt,
174 blf_decrypt,
175 blf_setkey,
da41e4e5
AH
176 blf_zerokey,
177 NULL
984263bc
MD
178};
179
180struct enc_xform enc_xform_cast5 = {
181 CRYPTO_CAST_CBC, "CAST-128",
da41e4e5 182 CAST128_BLOCK_LEN, CAST128_BLOCK_LEN, 5, 16,
984263bc
MD
183 cast5_encrypt,
184 cast5_decrypt,
185 cast5_setkey,
da41e4e5
AH
186 cast5_zerokey,
187 NULL
984263bc
MD
188};
189
190struct enc_xform enc_xform_skipjack = {
191 CRYPTO_SKIPJACK_CBC, "Skipjack",
da41e4e5 192 SKIPJACK_BLOCK_LEN, SKIPJACK_BLOCK_LEN, 10, 10,
984263bc
MD
193 skipjack_encrypt,
194 skipjack_decrypt,
195 skipjack_setkey,
da41e4e5
AH
196 skipjack_zerokey,
197 NULL
984263bc
MD
198};
199
200struct enc_xform enc_xform_rijndael128 = {
201 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES",
da41e4e5 202 RIJNDAEL128_BLOCK_LEN, RIJNDAEL128_BLOCK_LEN, 8, 32,
984263bc
MD
203 rijndael128_encrypt,
204 rijndael128_decrypt,
205 rijndael128_setkey,
206 rijndael128_zerokey,
da41e4e5
AH
207 NULL
208};
209
210struct enc_xform enc_xform_aes_xts = {
211 CRYPTO_AES_XTS, "AES-XTS",
212 AES_XTS_BLOCK_LEN, AES_XTS_IV_LEN, 32, 64,
213 aes_xts_encrypt,
214 aes_xts_decrypt,
215 aes_xts_setkey,
216 aes_xts_zerokey,
217 aes_xts_reinit
218};
219
220struct enc_xform enc_xform_aes_ctr = {
221 CRYPTO_AES_CTR, "AES-CTR",
222 AESCTR_BLOCK_LEN, AESCTR_IV_LEN, 16+4, 32+4,
223 aes_ctr_crypt,
224 aes_ctr_crypt,
225 aes_ctr_setkey,
226 aes_ctr_zerokey,
227 aes_ctr_reinit
984263bc
MD
228};
229
aface142
AH
230struct enc_xform enc_xform_aes_gcm = {
231 CRYPTO_AES_GCM_16, "AES-GCM",
232 AESGCM_BLOCK_LEN, AESGCM_IV_LEN, 16+4, 32+4,
233 aes_ctr_crypt,
234 aes_ctr_crypt,
235 aes_ctr_setkey,
236 aes_ctr_zerokey,
237 aes_gcm_reinit
238};
239
240struct enc_xform enc_xform_aes_gmac = {
241 CRYPTO_AES_GMAC, "AES-GMAC",
242 AESGMAC_BLOCK_LEN, AESGMAC_IV_LEN, 16+4, 32+4,
243 NULL,
244 NULL,
245 NULL,
246 NULL,
247 NULL
248};
249
984263bc
MD
250struct enc_xform enc_xform_arc4 = {
251 CRYPTO_ARC4, "ARC4",
da41e4e5 252 1, 1, 1, 32,
984263bc
MD
253 NULL,
254 NULL,
255 NULL,
256 NULL,
da41e4e5 257 NULL
984263bc
MD
258};
259
42ee1e6b
SW
260struct enc_xform enc_xform_camellia = {
261 CRYPTO_CAMELLIA_CBC, "Camellia",
da41e4e5 262 CAMELLIA_BLOCK_LEN, CAMELLIA_BLOCK_LEN, 8, 32,
42ee1e6b
SW
263 cml_encrypt,
264 cml_decrypt,
265 cml_setkey,
266 cml_zerokey,
da41e4e5 267 NULL
42ee1e6b
SW
268};
269
37cb95f9
AH
270struct enc_xform enc_xform_twofish = {
271 CRYPTO_TWOFISH_CBC, "Twofish",
272 TWOFISH_BLOCK_LEN, TWOFISH_BLOCK_LEN, 8, 32,
273 twofish128_encrypt,
274 twofish128_decrypt,
275 twofish128_setkey,
276 twofish128_zerokey,
277 NULL
278};
279
984263bc
MD
280/* Authentication instances */
281struct auth_hash auth_hash_null = {
282 CRYPTO_NULL_HMAC, "NULL-HMAC",
42ee1e6b 283 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */
aface142 284 null_init, NULL, NULL, null_update, null_final
984263bc
MD
285};
286
42ee1e6b 287struct auth_hash auth_hash_hmac_md5 = {
984263bc 288 CRYPTO_MD5_HMAC, "HMAC-MD5",
42ee1e6b 289 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX),
aface142
AH
290 (void (*) (void *)) MD5Init, NULL, NULL,
291 MD5Update_int,
984263bc
MD
292 (void (*) (u_int8_t *, void *)) MD5Final
293};
294
42ee1e6b 295struct auth_hash auth_hash_hmac_sha1 = {
984263bc 296 CRYPTO_SHA1_HMAC, "HMAC-SHA1",
42ee1e6b 297 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX),
aface142
AH
298 SHA1Init_int, NULL, NULL,
299 SHA1Update_int, SHA1Final_int
984263bc
MD
300};
301
42ee1e6b 302struct auth_hash auth_hash_hmac_ripemd_160 = {
984263bc 303 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
42ee1e6b 304 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX),
aface142
AH
305 (void (*)(void *)) RMD160Init, NULL, NULL,
306 RMD160Update_int,
984263bc
MD
307 (void (*)(u_int8_t *, void *)) RMD160Final
308};
309
310struct auth_hash auth_hash_key_md5 = {
311 CRYPTO_MD5_KPDK, "Keyed MD5",
42ee1e6b 312 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX),
aface142
AH
313 (void (*)(void *)) MD5Init, NULL, NULL,
314 MD5Update_int,
984263bc
MD
315 (void (*)(u_int8_t *, void *)) MD5Final
316};
317
318struct auth_hash auth_hash_key_sha1 = {
319 CRYPTO_SHA1_KPDK, "Keyed SHA1",
42ee1e6b 320 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX),
aface142
AH
321 SHA1Init_int, NULL, NULL,
322 SHA1Update_int, SHA1Final_int
984263bc
MD
323};
324
325struct auth_hash auth_hash_hmac_sha2_256 = {
42ee1e6b
SW
326 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
327 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX),
aface142
AH
328 (void (*)(void *)) SHA256_Init, NULL, NULL,
329 SHA256Update_int,
984263bc
MD
330 (void (*)(u_int8_t *, void *)) SHA256_Final
331};
332
333struct auth_hash auth_hash_hmac_sha2_384 = {
42ee1e6b
SW
334 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
335 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX),
aface142
AH
336 (void (*)(void *)) SHA384_Init, NULL, NULL,
337 SHA384Update_int,
984263bc
MD
338 (void (*)(u_int8_t *, void *)) SHA384_Final
339};
340
341struct auth_hash auth_hash_hmac_sha2_512 = {
42ee1e6b
SW
342 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
343 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX),
aface142
AH
344 (void (*)(void *)) SHA512_Init, NULL, NULL,
345 SHA512Update_int,
984263bc
MD
346 (void (*)(u_int8_t *, void *)) SHA512_Final
347};
348
aface142
AH
349struct auth_hash auth_hash_gmac_aes_128 = {
350 CRYPTO_AES_128_GMAC, "GMAC-AES-128",
351 16+4, 16, 16, sizeof(AES_GMAC_CTX),
352 (void (*)(void *)) AES_GMAC_Init,
353 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
354 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
355 (int (*)(void *, u_int8_t *, u_int16_t)) AES_GMAC_Update,
356 (void (*)(u_int8_t *, void *)) AES_GMAC_Final
357};
358
359struct auth_hash auth_hash_gmac_aes_192 = {
360 CRYPTO_AES_192_GMAC, "GMAC-AES-192",
361 24+4, 16, 16, sizeof(AES_GMAC_CTX),
362 (void (*)(void *)) AES_GMAC_Init,
363 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
364 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
365 (int (*)(void *, u_int8_t *, u_int16_t)) AES_GMAC_Update,
366 (void (*)(u_int8_t *, void *)) AES_GMAC_Final
367};
368
369struct auth_hash auth_hash_gmac_aes_256 = {
370 CRYPTO_AES_256_GMAC, "GMAC-AES-256",
371 32+4, 16, 16, sizeof(AES_GMAC_CTX),
372 (void (*)(void *)) AES_GMAC_Init,
373 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Setkey,
374 (void (*)(void *, const u_int8_t *, u_int16_t)) AES_GMAC_Reinit,
375 (int (*)(void *, u_int8_t *, u_int16_t)) AES_GMAC_Update,
376 (void (*)(u_int8_t *, void *)) AES_GMAC_Final
377};
378
984263bc
MD
379/* Compression instance */
380struct comp_algo comp_algo_deflate = {
381 CRYPTO_DEFLATE_COMP, "Deflate",
382 90, deflate_compress,
383 deflate_decompress
384};
385
386/*
387 * Encryption wrapper routines.
388 */
389static void
400158c1 390null_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
391{
392}
393static void
400158c1 394null_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
395{
396}
397static int
398null_setkey(u_int8_t **sched, u_int8_t *key, int len)
399{
400 *sched = NULL;
401 return 0;
402}
403static void
404null_zerokey(u_int8_t **sched)
405{
406 *sched = NULL;
407}
408
409static void
400158c1 410des1_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
411{
412 des_cblock *cb = (des_cblock *) blk;
413 des_key_schedule *p = (des_key_schedule *) key;
414
415 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT);
416}
417
418static void
400158c1 419des1_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
420{
421 des_cblock *cb = (des_cblock *) blk;
422 des_key_schedule *p = (des_key_schedule *) key;
423
424 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT);
425}
426
427static int
428des1_setkey(u_int8_t **sched, u_int8_t *key, int len)
429{
430 des_key_schedule *p;
431 int err;
432
54734da1 433 p = kmalloc(sizeof (des_key_schedule),
a0419b33 434 M_CRYPTO_DATA, M_INTWAIT | M_ZERO);
984263bc
MD
435 if (p != NULL) {
436 des_set_key((des_cblock *) key, p[0]);
437 err = 0;
438 } else
439 err = ENOMEM;
440 *sched = (u_int8_t *) p;
441 return err;
442}
443
444static void
445des1_zerokey(u_int8_t **sched)
446{
447 bzero(*sched, sizeof (des_key_schedule));
42ee1e6b 448 kfree(*sched, M_CRYPTO_DATA);
984263bc
MD
449 *sched = NULL;
450}
451
452static void
400158c1 453des3_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
454{
455 des_cblock *cb = (des_cblock *) blk;
456 des_key_schedule *p = (des_key_schedule *) key;
457
458 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT);
459}
460
461static void
400158c1 462des3_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
463{
464 des_cblock *cb = (des_cblock *) blk;
465 des_key_schedule *p = (des_key_schedule *) key;
466
467 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT);
468}
469
470static int
471des3_setkey(u_int8_t **sched, u_int8_t *key, int len)
472{
473 des_key_schedule *p;
474 int err;
475
a0419b33
MD
476 p = kmalloc(3 * sizeof(des_key_schedule),
477 M_CRYPTO_DATA, M_INTWAIT | M_ZERO);
984263bc
MD
478 if (p != NULL) {
479 des_set_key((des_cblock *)(key + 0), p[0]);
480 des_set_key((des_cblock *)(key + 8), p[1]);
481 des_set_key((des_cblock *)(key + 16), p[2]);
482 err = 0;
483 } else
484 err = ENOMEM;
485 *sched = (u_int8_t *) p;
486 return err;
487}
488
489static void
490des3_zerokey(u_int8_t **sched)
491{
492 bzero(*sched, 3*sizeof (des_key_schedule));
42ee1e6b 493 kfree(*sched, M_CRYPTO_DATA);
984263bc
MD
494 *sched = NULL;
495}
496
497static void
400158c1 498blf_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
499{
500 BF_LONG t[2];
501
502 memcpy(t, blk, sizeof (t));
503 t[0] = ntohl(t[0]);
504 t[1] = ntohl(t[1]);
505 /* NB: BF_encrypt expects the block in host order! */
506 BF_encrypt(t, (BF_KEY *) key);
507 t[0] = htonl(t[0]);
508 t[1] = htonl(t[1]);
509 memcpy(blk, t, sizeof (t));
510}
511
512static void
400158c1 513blf_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
514{
515 BF_LONG t[2];
516
517 memcpy(t, blk, sizeof (t));
518 t[0] = ntohl(t[0]);
519 t[1] = ntohl(t[1]);
520 /* NB: BF_decrypt expects the block in host order! */
521 BF_decrypt(t, (BF_KEY *) key);
522 t[0] = htonl(t[0]);
523 t[1] = htonl(t[1]);
524 memcpy(blk, t, sizeof (t));
525}
526
527static int
528blf_setkey(u_int8_t **sched, u_int8_t *key, int len)
529{
530 int err;
531
a0419b33 532 *sched = kmalloc(sizeof(BF_KEY), M_CRYPTO_DATA, M_INTWAIT | M_ZERO);
984263bc
MD
533 if (*sched != NULL) {
534 BF_set_key((BF_KEY *) *sched, len, key);
535 err = 0;
536 } else
537 err = ENOMEM;
538 return err;
539}
540
541static void
542blf_zerokey(u_int8_t **sched)
543{
544 bzero(*sched, sizeof(BF_KEY));
42ee1e6b 545 kfree(*sched, M_CRYPTO_DATA);
984263bc
MD
546 *sched = NULL;
547}
548
549static void
400158c1 550cast5_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
551{
552 cast_encrypt((cast_key *) key, blk, blk);
553}
554
555static void
400158c1 556cast5_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
557{
558 cast_decrypt((cast_key *) key, blk, blk);
559}
560
561static int
562cast5_setkey(u_int8_t **sched, u_int8_t *key, int len)
563{
564 int err;
565
a0419b33 566 *sched = kmalloc(sizeof(cast_key), M_CRYPTO_DATA, M_INTWAIT | M_ZERO);
984263bc
MD
567 if (*sched != NULL) {
568 cast_setkey((cast_key *)*sched, key, len);
569 err = 0;
570 } else
571 err = ENOMEM;
572 return err;
573}
574
575static void
576cast5_zerokey(u_int8_t **sched)
577{
578 bzero(*sched, sizeof(cast_key));
42ee1e6b 579 kfree(*sched, M_CRYPTO_DATA);
984263bc
MD
580 *sched = NULL;
581}
582
583static void
400158c1 584skipjack_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
585{
586 skipjack_forwards(blk, blk, (u_int8_t **) key);
587}
588
589static void
400158c1 590skipjack_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
591{
592 skipjack_backwards(blk, blk, (u_int8_t **) key);
593}
594
595static int
596skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len)
597{
598 int err;
599
600 /* NB: allocate all the memory that's needed at once */
54734da1 601 *sched = kmalloc(10 * (sizeof(u_int8_t *) + 0x100),
a0419b33 602 M_CRYPTO_DATA, M_INTWAIT | M_ZERO);
984263bc
MD
603 if (*sched != NULL) {
604 u_int8_t** key_tables = (u_int8_t**) *sched;
605 u_int8_t* table = (u_int8_t*) &key_tables[10];
606 int k;
607
608 for (k = 0; k < 10; k++) {
609 key_tables[k] = table;
610 table += 0x100;
611 }
612 subkey_table_gen(key, (u_int8_t **) *sched);
613 err = 0;
614 } else
615 err = ENOMEM;
616 return err;
617}
618
619static void
620skipjack_zerokey(u_int8_t **sched)
621{
622 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100));
42ee1e6b 623 kfree(*sched, M_CRYPTO_DATA);
984263bc
MD
624 *sched = NULL;
625}
626
627static void
400158c1 628rijndael128_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc
MD
629{
630 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk);
631}
632
633static void
400158c1 634rijndael128_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
984263bc 635{
42ee1e6b 636 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk,
984263bc
MD
637 (u_char *) blk);
638}
639
640static int
641rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len)
642{
643 int err;
644
42ee1e6b
SW
645 if (len != 16 && len != 24 && len != 32)
646 return (EINVAL);
54734da1 647 *sched = kmalloc(sizeof(rijndael_ctx), M_CRYPTO_DATA,
a0419b33 648 M_INTWAIT | M_ZERO);
984263bc 649 if (*sched != NULL) {
42ee1e6b
SW
650 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key,
651 len * 8);
984263bc
MD
652 err = 0;
653 } else
654 err = ENOMEM;
655 return err;
656}
657
658static void
659rijndael128_zerokey(u_int8_t **sched)
660{
42ee1e6b 661 bzero(*sched, sizeof(rijndael_ctx));
54734da1 662 kfree(*sched, M_CRYPTO_DATA);
42ee1e6b
SW
663 *sched = NULL;
664}
665
da41e4e5
AH
666#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */
667
668struct aes_xts_ctx {
669 rijndael_ctx key1;
670 rijndael_ctx key2;
da41e4e5
AH
671};
672
673void
674aes_xts_reinit(caddr_t key, u_int8_t *iv)
675{
676 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key;
400158c1 677#if 0
da41e4e5
AH
678 u_int64_t blocknum;
679 u_int i;
400158c1 680#endif
da41e4e5 681
400158c1
AH
682#if 0
683 /*
684 * XXX: I've no idea why OpenBSD chose to make this dance of the moon
685 * around just copying the IV...
686 */
da41e4e5 687 /*
400158c1
AH
688 * Prepare tweak as E_k2(IV). IV is specified as LE representation
689 * of a 64-bit block number which we allow to be passed in directly.
690 */
da41e4e5
AH
691 bcopy(iv, &blocknum, AES_XTS_IV_LEN);
692 for (i = 0; i < AES_XTS_IV_LEN; i++) {
693 ctx->tweak[i] = blocknum & 0xff;
694 blocknum >>= 8;
695 }
400158c1 696#endif
da41e4e5 697 /* Last 64 bits of IV are always zero */
400158c1 698 bzero(iv + AES_XTS_IV_LEN, AES_XTS_IV_LEN);
da41e4e5 699
400158c1 700 rijndael_encrypt(&ctx->key2, iv, iv);
da41e4e5
AH
701}
702
703void
400158c1 704aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int8_t *iv, u_int do_encrypt)
da41e4e5
AH
705{
706 u_int8_t block[AES_XTS_BLOCK_LEN];
707 u_int i, carry_in, carry_out;
708
709 for (i = 0; i < AES_XTS_BLOCK_LEN; i++)
400158c1 710 block[i] = data[i] ^ iv[i];
da41e4e5
AH
711
712 if (do_encrypt)
713 rijndael_encrypt(&ctx->key1, block, data);
714 else
715 rijndael_decrypt(&ctx->key1, block, data);
716
717 for (i = 0; i < AES_XTS_BLOCK_LEN; i++)
400158c1 718 data[i] ^= iv[i];
da41e4e5
AH
719
720 /* Exponentiate tweak */
721 carry_in = 0;
722 for (i = 0; i < AES_XTS_BLOCK_LEN; i++) {
400158c1
AH
723 carry_out = iv[i] & 0x80;
724 iv[i] = (iv[i] << 1) | (carry_in ? 1 : 0);
da41e4e5
AH
725 carry_in = carry_out;
726 }
727 if (carry_in)
400158c1 728 iv[0] ^= AES_XTS_ALPHA;
da41e4e5
AH
729 bzero(block, sizeof(block));
730}
731
732void
400158c1 733aes_xts_encrypt(caddr_t key, u_int8_t *data, u_int8_t *iv)
da41e4e5 734{
400158c1 735 aes_xts_crypt((struct aes_xts_ctx *)key, data, iv, 1);
da41e4e5
AH
736}
737
738void
400158c1 739aes_xts_decrypt(caddr_t key, u_int8_t *data, u_int8_t *iv)
da41e4e5 740{
400158c1 741 aes_xts_crypt((struct aes_xts_ctx *)key, data, iv, 0);
da41e4e5
AH
742}
743
744int
745aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len)
746{
747 struct aes_xts_ctx *ctx;
748
749 if (len != 32 && len != 64)
750 return -1;
751
752 *sched = kmalloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA,
753 M_WAITOK | M_ZERO);
754 ctx = (struct aes_xts_ctx *)*sched;
755
756 rijndael_set_key(&ctx->key1, key, len * 4);
757 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4);
758
759 return 0;
760}
761
762void
763aes_xts_zerokey(u_int8_t **sched)
764{
765 bzero(*sched, sizeof(struct aes_xts_ctx));
766 kfree(*sched, M_CRYPTO_DATA);
767 *sched = NULL;
768}
769
770#define AESCTR_NONCESIZE 4
771
772struct aes_ctr_ctx {
773 u_int32_t ac_ek[4*(14 + 1)];
774 u_int8_t ac_block[AESCTR_BLOCK_LEN];
775 int ac_nr;
776};
777
778void
779aes_ctr_reinit(caddr_t key, u_int8_t *iv)
780{
781 struct aes_ctr_ctx *ctx;
782
783 ctx = (struct aes_ctr_ctx *)key;
400158c1
AH
784 bcopy(iv, iv + AESCTR_NONCESIZE, AESCTR_IV_LEN);
785 bcopy(ctx->ac_block, iv, AESCTR_NONCESIZE);
da41e4e5
AH
786
787 /* reset counter */
400158c1 788 bzero(iv + AESCTR_NONCESIZE + AESCTR_IV_LEN, 4);
da41e4e5
AH
789}
790
791void
400158c1 792aes_ctr_crypt(caddr_t key, u_int8_t *data, u_int8_t *iv)
da41e4e5
AH
793{
794 struct aes_ctr_ctx *ctx;
795 u_int8_t keystream[AESCTR_BLOCK_LEN];
796 int i;
797
798 ctx = (struct aes_ctr_ctx *)key;
799 /* increment counter */
800 for (i = AESCTR_BLOCK_LEN - 1;
801 i >= AESCTR_NONCESIZE + AESCTR_IV_LEN; i--)
400158c1 802 if (++iv[i]) /* continue on overflow */
da41e4e5 803 break;
400158c1 804 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, iv, keystream);
da41e4e5
AH
805 for (i = 0; i < AESCTR_BLOCK_LEN; i++)
806 data[i] ^= keystream[i];
d6715a19 807 bzero(keystream, sizeof(keystream));
da41e4e5
AH
808}
809
810int
811aes_ctr_setkey(u_int8_t **sched, u_int8_t *key, int len)
812{
813 struct aes_ctr_ctx *ctx;
814
815 if (len < AESCTR_NONCESIZE)
816 return -1;
817
818 *sched = kmalloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA,
819 M_WAITOK | M_ZERO);
820 ctx = (struct aes_ctr_ctx *)*sched;
821 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key,
822 (len - AESCTR_NONCESIZE) * 8);
823 if (ctx->ac_nr == 0) {
824 aes_ctr_zerokey(sched);
825 return -1;
826 }
827 bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE);
828 return 0;
829}
830
831void
832aes_ctr_zerokey(u_int8_t **sched)
833{
834 bzero(*sched, sizeof(struct aes_ctr_ctx));
835 kfree(*sched, M_CRYPTO_DATA);
836 *sched = NULL;
837}
838
aface142
AH
839static void
840aes_gcm_reinit(caddr_t key, u_int8_t *iv)
841{
842 struct aes_ctr_ctx *ctx;
843
844 ctx = (struct aes_ctr_ctx *)key;
845 bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IV_LEN);
846
847 /* reset counter */
848 bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IV_LEN, 4);
849 ctx->ac_block[AESCTR_BLOCK_LEN - 1] = 1; /* GCM starts with 1 */
850}
851
42ee1e6b 852static void
400158c1 853cml_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
42ee1e6b
SW
854{
855 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk);
856}
857
858static void
400158c1 859cml_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
42ee1e6b
SW
860{
861 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk,
862 (u_char *) blk);
863}
864
865static int
866cml_setkey(u_int8_t **sched, u_int8_t *key, int len)
867{
868 int err;
869
870 if (len != 16 && len != 24 && len != 32)
871 return (EINVAL);
872 *sched = kmalloc(sizeof(camellia_ctx), M_CRYPTO_DATA,
a0419b33 873 M_INTWAIT | M_ZERO);
42ee1e6b
SW
874 if (*sched != NULL) {
875 camellia_set_key((camellia_ctx *) *sched, (u_char *) key,
876 len * 8);
877 err = 0;
878 } else
879 err = ENOMEM;
880 return err;
881}
882
883static void
884cml_zerokey(u_int8_t **sched)
885{
886 bzero(*sched, sizeof(camellia_ctx));
887 kfree(*sched, M_CRYPTO_DATA);
984263bc
MD
888 *sched = NULL;
889}
890
37cb95f9
AH
891static void
892twofish128_encrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
893{
894 twofish_encrypt((twofish_ctx *) key, (u_int8_t *) blk,
895 (u_int8_t *) blk);
896}
897
898static void
899twofish128_decrypt(caddr_t key, u_int8_t *blk, u_int8_t *iv)
900{
901 twofish_decrypt(((twofish_ctx *) key), (u_int8_t *) blk,
902 (u_int8_t *) blk);
903}
904
905static int
906twofish128_setkey(u_int8_t **sched, u_int8_t *key, int len)
907{
908 int err;
909
910 if (len != 16 && len != 24 && len != 32)
911 return (EINVAL);
912 *sched = kmalloc(sizeof(twofish_ctx), M_CRYPTO_DATA,
913 M_INTWAIT | M_ZERO);
914 if (*sched != NULL) {
915 twofish_set_key((twofish_ctx *) *sched, (u_int8_t *) key,
916 len * 8);
917 err = 0;
918 } else
919 err = ENOMEM;
920 return err;
921}
922
923static void
924twofish128_zerokey(u_int8_t **sched)
925{
926 bzero(*sched, sizeof(twofish_ctx));
927 kfree(*sched, M_CRYPTO_DATA);
928 *sched = NULL;
929}
930
931
984263bc
MD
932/*
933 * And now for auth.
934 */
935
936static void
937null_init(void *ctx)
938{
939}
940
941static int
942null_update(void *ctx, u_int8_t *buf, u_int16_t len)
943{
944 return 0;
945}
946
947static void
948null_final(u_int8_t *buf, void *ctx)
949{
902ec341 950 if (buf != NULL)
984263bc
MD
951 bzero(buf, 12);
952}
953
954static int
955RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
956{
957 RMD160Update(ctx, buf, len);
958 return 0;
959}
960
961static int
962MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
963{
964 MD5Update(ctx, buf, len);
965 return 0;
966}
967
968static void
969SHA1Init_int(void *ctx)
970{
971 SHA1Init(ctx);
972}
973
974static int
975SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
976{
977 SHA1Update(ctx, buf, len);
978 return 0;
979}
980
981static void
982SHA1Final_int(u_int8_t *blk, void *ctx)
983{
984 SHA1Final(blk, ctx);
985}
986
987static int
988SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
989{
990 SHA256_Update(ctx, buf, len);
991 return 0;
992}
993
994static int
995SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
996{
997 SHA384_Update(ctx, buf, len);
998 return 0;
999}
1000
1001static int
1002SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len)
1003{
1004 SHA512_Update(ctx, buf, len);
1005 return 0;
1006}
1007
1008/*
1009 * And compression
1010 */
1011
1012static u_int32_t
773330af 1013deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out)
984263bc
MD
1014{
1015 return deflate_global(data, size, 0, out);
1016}
1017
1018static u_int32_t
773330af 1019deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out)
984263bc
MD
1020{
1021 return deflate_global(data, size, 1, out);
1022}