diff --git a/crypto/aes.c b/crypto/aes.c index c9afe47815..f885e145cb 100644 --- a/crypto/aes.c +++ b/crypto/aes.c @@ -1,842 +1,878 @@ -/**************************************************************************** - * crypto/aes.c +/* $OpenBSD: aes.c,v 1.2 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Copyright (c) 2016 Thomas Pornin * - * Copyright (C) 2011 Texas Instruments Incorporated - http://www.ti.com/ - * Extracted from the CC3000 Host Driver Implementation. + * Modified for OpenBSD by Thomas Pornin and Mike Belopuhov. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * Neither the name of Texas Instruments Incorporated nor the names of - * its contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - ****************************************************************************/ + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ -/**************************************************************************** - * Included Files - ****************************************************************************/ +#include +#include +#include -#include +#include "aes.h" -#include -#include - -#include - -/**************************************************************************** - * Private Data - ****************************************************************************/ - -/* Forward sbox */ - -static const uint8_t g_sbox[256] = +static inline void +enc32le(void *dst, uint32_t x) { - /* 0 1 2 3 4 5 6 7 8 9 - * A B C D E F - */ + unsigned char *buf = dst; - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, - 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, /* 0 */ - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, - 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, /* 1 */ - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, - 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, /* 2 */ - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, - 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, /* 3 */ - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, - 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, /* 4 */ - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, - 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, /* 5 */ - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, - 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, /* 6 */ - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, - 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, /* 7 */ - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, - 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, /* 8 */ - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, - 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, /* 9 */ - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, - 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, /* A */ - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, - 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, /* B */ - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, - 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, /* C */ - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, - 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, /* D */ - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, - 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, /* E */ - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, - 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 /* F */ + buf[0] = (unsigned char)x; + buf[1] = (unsigned char)(x >> 8); + buf[2] = (unsigned char)(x >> 16); + buf[3] = (unsigned char)(x >> 24); +} + +static inline uint32_t +dec32le(const void *src) +{ + const unsigned char *buf = src; + + return (uint32_t)buf[0] + | ((uint32_t)buf[1] << 8) + | ((uint32_t)buf[2] << 16) + | ((uint32_t)buf[3] << 24); +} + +/* + * This constant-time implementation is "bitsliced": the 128-bit state is + * split over eight 32-bit words q* in the following way: + * + * -- Input block consists in 16 bytes: + * a00 a10 a20 a30 a01 a11 a21 a31 a02 a12 a22 a32 a03 a13 a23 a33 + * In the terminology of FIPS 197, this is a 4x4 matrix which is read + * column by column. + * + * -- Each byte is split into eight bits which are distributed over the + * eight words, at the same rank. Thus, for a byte x at rank k, bit 0 + * (least significant) of x will be at rank k in q0 (if that bit is b, + * then it contributes "b << k" to the value of q0), bit 1 of x will be + * at rank k in q1, and so on. + * + * -- Ranks given to bits are in "row order" and are either all even, or + * all odd. Two independent AES states are thus interleaved, one using + * the even ranks, the other the odd ranks. Row order means: + * a00 a01 a02 a03 a10 a11 a12 a13 a20 a21 a22 a23 a30 a31 a32 a33 + * + * Converting input bytes from two AES blocks to bitslice representation + * is done in the following way: + * -- Decode first block into the four words q0 q2 q4 q6, in that order, + * using little-endian convention. + * -- Decode second block into the four words q1 q3 q5 q7, in that order, + * using little-endian convention. + * -- Call aes_ct_ortho(). + * + * Converting back to bytes is done by using the reverse operations. Note + * that aes_ct_ortho() is its own inverse. + */ + +/* + * The AES S-box, as a bitsliced constant-time version. The input array + * consists in eight 32-bit words; 32 S-box instances are computed in + * parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant) + * are spread over the words 0 to 7, at the same rank. + */ +static void +aes_ct_bitslice_Sbox(uint32_t *q) +{ + /* + * This S-box implementation is a straightforward translation of + * the circuit described by Boyar and Peralta in "A new + * combinational logic minimization technique with applications + * to cryptology" (https://eprint.iacr.org/2009/191.pdf). + * + * Note that variables x* (input) and s* (output) are numbered + * in "reverse" order (x0 is the high bit, x7 is the low bit). + */ + + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; + uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; + uint32_t y20, y21; + uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; + uint32_t z10, z11, z12, z13, z14, z15, z16, z17; + uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; + uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; + uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; + uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; + uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; + uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; + uint32_t t60, t61, t62, t63, t64, t65, t66, t67; + uint32_t s0, s1, s2, s3, s4, s5, s6, s7; + + x0 = q[7]; + x1 = q[6]; + x2 = q[5]; + x3 = q[4]; + x4 = q[3]; + x5 = q[2]; + x6 = q[1]; + x7 = q[0]; + + /* + * Top linear transformation. + */ + y14 = x3 ^ x5; + y13 = x0 ^ x6; + y9 = x0 ^ x3; + y8 = x0 ^ x5; + t0 = x1 ^ x2; + y1 = t0 ^ x7; + y4 = y1 ^ x3; + y12 = y13 ^ y14; + y2 = y1 ^ x0; + y5 = y1 ^ x6; + y3 = y5 ^ y8; + t1 = x4 ^ y12; + y15 = t1 ^ x5; + y20 = t1 ^ x1; + y6 = y15 ^ x7; + y10 = y15 ^ t0; + y11 = y20 ^ y9; + y7 = x7 ^ y11; + y17 = y10 ^ y11; + y19 = y10 ^ y8; + y16 = t0 ^ y11; + y21 = y13 ^ y16; + y18 = x0 ^ y16; + + /* + * Non-linear section. + */ + t2 = y12 & y15; + t3 = y3 & y6; + t4 = t3 ^ t2; + t5 = y4 & x7; + t6 = t5 ^ t2; + t7 = y13 & y16; + t8 = y5 & y1; + t9 = t8 ^ t7; + t10 = y2 & y7; + t11 = t10 ^ t7; + t12 = y9 & y11; + t13 = y14 & y17; + t14 = t13 ^ t12; + t15 = y8 & y10; + t16 = t15 ^ t12; + t17 = t4 ^ t14; + t18 = t6 ^ t16; + t19 = t9 ^ t14; + t20 = t11 ^ t16; + t21 = t17 ^ y20; + t22 = t18 ^ y19; + t23 = t19 ^ y21; + t24 = t20 ^ y18; + + t25 = t21 ^ t22; + t26 = t21 & t23; + t27 = t24 ^ t26; + t28 = t25 & t27; + t29 = t28 ^ t22; + t30 = t23 ^ t24; + t31 = t22 ^ t26; + t32 = t31 & t30; + t33 = t32 ^ t24; + t34 = t23 ^ t33; + t35 = t27 ^ t33; + t36 = t24 & t35; + t37 = t36 ^ t34; + t38 = t27 ^ t36; + t39 = t29 & t38; + t40 = t25 ^ t39; + + t41 = t40 ^ t37; + t42 = t29 ^ t33; + t43 = t29 ^ t40; + t44 = t33 ^ t37; + t45 = t42 ^ t41; + z0 = t44 & y15; + z1 = t37 & y6; + z2 = t33 & x7; + z3 = t43 & y16; + z4 = t40 & y1; + z5 = t29 & y7; + z6 = t42 & y11; + z7 = t45 & y17; + z8 = t41 & y10; + z9 = t44 & y12; + z10 = t37 & y3; + z11 = t33 & y4; + z12 = t43 & y13; + z13 = t40 & y5; + z14 = t29 & y2; + z15 = t42 & y9; + z16 = t45 & y14; + z17 = t41 & y8; + + /* + * Bottom linear transformation. + */ + t46 = z15 ^ z16; + t47 = z10 ^ z11; + t48 = z5 ^ z13; + t49 = z9 ^ z10; + t50 = z2 ^ z12; + t51 = z2 ^ z5; + t52 = z7 ^ z8; + t53 = z0 ^ z3; + t54 = z6 ^ z7; + t55 = z16 ^ z17; + t56 = z12 ^ t48; + t57 = t50 ^ t53; + t58 = z4 ^ t46; + t59 = z3 ^ t54; + t60 = t46 ^ t57; + t61 = z14 ^ t57; + t62 = t52 ^ t58; + t63 = t49 ^ t58; + t64 = z4 ^ t59; + t65 = t61 ^ t62; + t66 = z1 ^ t63; + s0 = t59 ^ t63; + s6 = t56 ^ ~t62; + s7 = t48 ^ ~t60; + t67 = t64 ^ t65; + s3 = t53 ^ t66; + s4 = t51 ^ t66; + s5 = t47 ^ t65; + s1 = t64 ^ ~s3; + s2 = t55 ^ ~t67; + + q[7] = s0; + q[6] = s1; + q[5] = s2; + q[4] = s3; + q[3] = s4; + q[2] = s5; + q[1] = s6; + q[0] = s7; +} + +/* + * Perform bytewise orthogonalization of eight 32-bit words. Bytes + * of q0..q7 are spread over all words: for a byte x that occurs + * at rank i in q[j] (byte x uses bits 8*i to 8*i+7 in q[j]), the bit + * of rank k in x (0 <= k <= 7) goes to q[k] at rank 8*i+j. + * + * This operation is an involution. + */ +static void +aes_ct_ortho(uint32_t *q) +{ +#define SWAPN(cl, ch, s, x, y) do { \ + uint32_t a, b; \ + a = (x); \ + b = (y); \ + (x) = (a & (uint32_t)cl) | ((b & (uint32_t)cl) << (s)); \ + (y) = ((a & (uint32_t)ch) >> (s)) | (b & (uint32_t)ch); \ + } while (0) + +#define SWAP2(x, y) SWAPN(0x55555555, 0xAAAAAAAA, 1, x, y) +#define SWAP4(x, y) SWAPN(0x33333333, 0xCCCCCCCC, 2, x, y) +#define SWAP8(x, y) SWAPN(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) + + SWAP2(q[0], q[1]); + SWAP2(q[2], q[3]); + SWAP2(q[4], q[5]); + SWAP2(q[6], q[7]); + + SWAP4(q[0], q[2]); + SWAP4(q[1], q[3]); + SWAP4(q[4], q[6]); + SWAP4(q[5], q[7]); + + SWAP8(q[0], q[4]); + SWAP8(q[1], q[5]); + SWAP8(q[2], q[6]); + SWAP8(q[3], q[7]); +} + +static inline uint32_t +sub_word(uint32_t x) +{ + uint32_t q[8]; + int i; + + for (i = 0; i < 8; i ++) { + q[i] = x; + } + aes_ct_ortho(q); + aes_ct_bitslice_Sbox(q); + aes_ct_ortho(q); + return q[0]; +} + +static const unsigned char Rcon[] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36 }; -/* Inverse sbox */ - -static const uint8_t g_rsbox[256] = +/* + * Base key schedule code. The function sub_word() must be defined + * below. Subkeys are produced in little-endian convention (but not + * bitsliced). Key length is expressed in bytes. + */ +static unsigned +aes_keysched_base(uint32_t *skey, const void *key, size_t key_len) { - 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, - 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, - 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, - 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, - 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, - 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, - 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, - 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, - 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, - 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, - 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, - 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, - 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, - 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, - 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, - 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, - 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, - 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, - 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, - 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, - 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, - 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, - 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, - 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, - 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, - 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, - 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, - 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, - 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, - 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, - 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, - 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d -}; + unsigned num_rounds; + int i, j, k, nk, nkf; + uint32_t tmp; -/* Round constant */ - -static const uint8_t g_rcon[11] = -{ - 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 -}; - -static struct aes_state_s g_aes_state; - -/**************************************************************************** - * Private Functions - ****************************************************************************/ - -/**************************************************************************** - * Name: expand_key - * - * Description: - * Expend a 16 bytes key for AES128 implementation - * - * Input Parameters: - * key AES128 key - 16 bytes - * expanded_key expanded AES128 key - * - * Returned Value: - * None - * - ****************************************************************************/ - -static void expand_key(FAR uint8_t *expanded_key, FAR const uint8_t *key) -{ - uint16_t buf1; - uint16_t ii; - - for (ii = 0; ii < 16; ii++) - { - expanded_key[ii] = key[ii]; - } - - for (ii = 1; ii < 11; ii++) - { - buf1 = expanded_key[ii * 16 - 4]; - expanded_key[ii * 16 + 0] = g_sbox[expanded_key[ii *16 - 3]] ^ - expanded_key[(ii - 1) * 16 + 0] ^ g_rcon[ii]; - - expanded_key[ii * 16 + 1] = g_sbox[expanded_key[ii *16 - 2]] ^ - expanded_key[(ii - 1) * 16 + 1]; - - expanded_key[ii * 16 + 2] = g_sbox[expanded_key[ii *16 - 1]] ^ - expanded_key[(ii - 1) * 16 + 2]; - - expanded_key[ii * 16 + 3] = g_sbox[buf1] ^ - expanded_key[(ii - 1) * 16 + 3]; - - expanded_key[ii * 16 + 4] = expanded_key[(ii - 1) * 16 + 4] ^ - expanded_key[ii * 16 + 0]; - - expanded_key[ii * 16 + 5] = expanded_key[(ii - 1) * 16 + 5] ^ - expanded_key[ii * 16 + 1]; - - expanded_key[ii * 16 + 6] = expanded_key[(ii - 1) * 16 + 6] ^ - expanded_key[ii * 16 + 2]; - - expanded_key[ii * 16 + 7] = expanded_key[(ii - 1) * 16 + 7] ^ - expanded_key[ii * 16 + 3]; - - expanded_key[ii * 16 + 8] = expanded_key[(ii - 1) * 16 + 8] ^ - expanded_key[ii * 16 + 4]; - - expanded_key[ii * 16 + 9] = expanded_key[(ii - 1) * 16 + 9] ^ - expanded_key[ii * 16 + 5]; - - expanded_key[ii * 16 +10] = expanded_key[(ii - 1) * 16 +10] ^ - expanded_key[ii * 16 + 6]; - - expanded_key[ii * 16 +11] = expanded_key[(ii - 1) * 16 +11] ^ - expanded_key[ii * 16 + 7]; - - expanded_key[ii * 16 +12] = expanded_key[(ii - 1) * 16 +12] ^ - expanded_key[ii * 16 + 8]; - - expanded_key[ii * 16 +13] = expanded_key[(ii - 1) * 16 +13] ^ - expanded_key[ii * 16 + 9]; - - expanded_key[ii * 16 +14] = expanded_key[(ii - 1) * 16 +14] ^ - expanded_key[ii * 16 +10]; - - expanded_key[ii * 16 +15] = expanded_key[(ii - 1) * 16 +15] ^ - expanded_key[ii * 16 +11]; - } + switch (key_len) { + case 16: + num_rounds = 10; + break; + case 24: + num_rounds = 12; + break; + case 32: + num_rounds = 14; + break; + default: + return 0; + } + nk = (int)(key_len >> 2); + nkf = (int)((num_rounds + 1) << 2); + for (i = 0; i < nk; i ++) { + tmp = dec32le((const unsigned char *)key + (i << 2)); + skey[i] = tmp; + } + tmp = skey[(key_len >> 2) - 1]; + for (i = nk, j = 0, k = 0; i < nkf; i ++) { + if (j == 0) { + tmp = (tmp << 24) | (tmp >> 8); + tmp = sub_word(tmp) ^ Rcon[k]; + } else if (nk > 6 && j == 4) { + tmp = sub_word(tmp); + } + tmp ^= skey[i - nk]; + skey[i] = tmp; + if (++ j == nk) { + j = 0; + k ++; + } + } + return num_rounds; } -/**************************************************************************** - * Name: galois_mul2 - * - * Description: - * Multiply by 2 in the galois field - * - * Input Parameters: - * value argument to multiply - * - * Returned Value: - * Multiplied argument - * - ****************************************************************************/ - -static uint8_t galois_mul2(uint8_t value) +/* + * AES key schedule, constant-time version. skey[] is filled with n+1 + * 128-bit subkeys, where n is the number of rounds (10 to 14, depending + * on key size). The number of rounds is returned. If the key size is + * invalid (not 16, 24 or 32), then 0 is returned. + */ +unsigned +aes_ct_keysched(uint32_t *comp_skey, const void *key, size_t key_len) { - if (value >> 7) - { - value = value << 1; - return (value ^ 0x1b); - } - else - { - return value << 1; - } + uint32_t skey[60]; + unsigned u, num_rounds; + + num_rounds = aes_keysched_base(skey, key, key_len); + for (u = 0; u <= num_rounds; u ++) { + uint32_t q[8]; + + q[0] = q[1] = skey[(u << 2) + 0]; + q[2] = q[3] = skey[(u << 2) + 1]; + q[4] = q[5] = skey[(u << 2) + 2]; + q[6] = q[7] = skey[(u << 2) + 3]; + aes_ct_ortho(q); + comp_skey[(u << 2) + 0] = + (q[0] & 0x55555555) | (q[1] & 0xAAAAAAAA); + comp_skey[(u << 2) + 1] = + (q[2] & 0x55555555) | (q[3] & 0xAAAAAAAA); + comp_skey[(u << 2) + 2] = + (q[4] & 0x55555555) | (q[5] & 0xAAAAAAAA); + comp_skey[(u << 2) + 3] = + (q[6] & 0x55555555) | (q[7] & 0xAAAAAAAA); + } + return num_rounds; } -/**************************************************************************** - * Name: aes_encr - * - * Description: - * Internal implementation of AES128 encryption. - * Straight forward aes encryption implementation. First the group of - * operations: - * - * - addRoundKey - * - subbytes - * - shiftrows - * - mixcolums - * - * is executed 9 times, after this addroundkey to finish the 9th round, - * after that the 10th round without mixcolums no further subfunctions - * to save cycles for function calls no structuring with "for (....)" - * to save cycles. - * - * Input Parameters: - * expanded_key expanded AES128 key - * state 16 bytes of plain text and cipher text - * - * Returned Value: - * None - * - ****************************************************************************/ - -static void aes_encr(FAR uint8_t *state, FAR const uint8_t *expanded_key) +/* + * Expand AES subkeys as produced by aes_ct_keysched(), into + * a larger array suitable for aes_ct_bitslice_encrypt() and + * aes_ct_bitslice_decrypt(). + */ +void +aes_ct_skey_expand(uint32_t *skey, + unsigned num_rounds, const uint32_t *comp_skey) { - uint8_t buf1; - uint8_t buf2; - uint8_t buf3; - uint8_t round; + unsigned u, v, n; - for (round = 0; round < 9; round ++) - { - /* addroundkey, sbox and shiftrows */ + n = (num_rounds + 1) << 2; + for (u = 0, v = 0; u < n; u ++, v += 2) { + uint32_t x, y; - /* Row 0 */ - - state[0] = g_sbox[(state[0] ^ expanded_key[(round * 16)])]; - state[4] = g_sbox[(state[4] ^ expanded_key[(round * 16) + 4])]; - state[8] = g_sbox[(state[8] ^ expanded_key[(round * 16) + 8])]; - state[12] = g_sbox[(state[12] ^ expanded_key[(round * 16) + 12])]; - - /* Row 1 */ - - buf1 = state[1] ^ expanded_key[(round * 16) + 1]; - state[1] = g_sbox[(state[5] ^ expanded_key[(round * 16) + 5])]; - state[5] = g_sbox[(state[9] ^ expanded_key[(round * 16) + 9])]; - state[9] = g_sbox[(state[13] ^ expanded_key[(round * 16) + 13])]; - state[13] = g_sbox[buf1]; - - /* Row 2 */ - - buf1 = state[2] ^ expanded_key[(round * 16) + 2]; - buf2 = state[6] ^ expanded_key[(round * 16) + 6]; - state[2] = g_sbox[(state[10] ^ expanded_key[(round * 16) + 10])]; - state[6] = g_sbox[(state[14] ^ expanded_key[(round * 16) + 14])]; - state[10] = g_sbox[buf1]; - state[14] = g_sbox[buf2]; - - /* Row 3 */ - - buf1 = state[15] ^ expanded_key[(round * 16) + 15]; - state[15] = g_sbox[(state[11] ^ expanded_key[(round * 16) + 11])]; - state[11] = g_sbox[(state[7] ^ expanded_key[(round * 16) + 7])]; - state[7] = g_sbox[(state[3] ^ expanded_key[(round * 16) + 3])]; - state[3] = g_sbox[buf1]; - - /* mixcolums */ - - /* Col1 */ - - buf1 = state[0] ^ state[1] ^ state[2] ^ state[3]; - buf2 = state[0]; - - buf3 = state[0] ^ state[1]; - buf3 = galois_mul2(buf3); - state[0] = state[0] ^ buf3 ^ buf1; - - buf3 = state[1] ^ state[2]; - buf3 = galois_mul2(buf3); - state[1] = state[1] ^ buf3 ^ buf1; - - buf3 = state[2] ^ state[3]; - buf3 = galois_mul2(buf3); - state[2] = state[2] ^ buf3 ^ buf1; - - buf3 = state[3] ^ buf2; - buf3 = galois_mul2(buf3); - state[3] = state[3] ^ buf3 ^ buf1; - - /* Col2 */ - - buf1 = state[4] ^ state[5] ^ state[6] ^ state[7]; - buf2 = state[4]; - - buf3 = state[4] ^ state[5]; - buf3 = galois_mul2(buf3); - state[4] = state[4] ^ buf3 ^ buf1; - - buf3 = state[5] ^ state[6]; - buf3 = galois_mul2(buf3); - state[5] = state[5] ^ buf3 ^ buf1; - - buf3 = state[6] ^ state[7]; - buf3 = galois_mul2(buf3); - state[6] = state[6] ^ buf3 ^ buf1; - - buf3 = state[7] ^ buf2; - buf3 = galois_mul2(buf3); - state[7] = state[7] ^ buf3 ^ buf1; - - /* Col3 */ - - buf1 = state[8] ^ state[9] ^ state[10] ^ state[11]; - buf2 = state[8]; - - buf3 = state[8] ^ state[9]; - buf3 = galois_mul2(buf3); - state[8] = state[8] ^ buf3 ^ buf1; - - buf3 = state[9] ^ state[10]; - buf3 = galois_mul2(buf3); - state[9] = state[9] ^ buf3 ^ buf1; - - buf3 = state[10] ^ state[11]; - buf3 = galois_mul2(buf3); - state[10] = state[10] ^ buf3 ^ buf1; - - buf3 = state[11] ^ buf2; - buf3 = galois_mul2(buf3); - state[11] = state[11] ^ buf3 ^ buf1; - - /* Col4 */ - - buf1 = state[12] ^ state[13] ^ state[14] ^ state[15]; - buf2 = state[12]; - - buf3 = state[12] ^ state[13]; - buf3 = galois_mul2(buf3); - state[12] = state[12] ^ buf3 ^ buf1; - - buf3 = state[13] ^ state[14]; - buf3 = galois_mul2(buf3); - state[13] = state[13] ^ buf3 ^ buf1; - - buf3 = state[14] ^ state[15]; - buf3 = galois_mul2(buf3); - state[14] = state[14] ^ buf3 ^ buf1; - - buf3 = state[15] ^ buf2; - buf3 = galois_mul2(buf3); - state[15] = state[15] ^ buf3 ^ buf1; - } - - /* 10th round without mixcols */ - - state[0] = g_sbox[(state[0] ^ expanded_key[(round * 16)])]; - state[4] = g_sbox[(state[4] ^ expanded_key[(round * 16) + 4])]; - state[8] = g_sbox[(state[8] ^ expanded_key[(round * 16) + 8])]; - state[12] = g_sbox[(state[12] ^ expanded_key[(round * 16) + 12])]; - - /* Row 1 */ - - buf1 = state[1] ^ expanded_key[(round * 16) + 1]; - state[1] = g_sbox[(state[5] ^ expanded_key[(round * 16) + 5])]; - state[5] = g_sbox[(state[9] ^ expanded_key[(round * 16) + 9])]; - state[9] = g_sbox[(state[13] ^ expanded_key[(round * 16) + 13])]; - state[13] = g_sbox[buf1]; - - /* Row 2 */ - - buf1 = state[2] ^ expanded_key[(round * 16) + 2]; - buf2 = state[6] ^ expanded_key[(round * 16) + 6]; - state[2] = g_sbox[(state[10] ^ expanded_key[(round * 16) + 10])]; - state[6] = g_sbox[(state[14] ^ expanded_key[(round * 16) + 14])]; - state[10] = g_sbox[buf1]; - state[14] = g_sbox[buf2]; - - /* Row 3 */ - - buf1 = state[15] ^ expanded_key[(round * 16) + 15]; - state[15] = g_sbox[(state[11] ^ expanded_key[(round * 16) + 11])]; - state[11] = g_sbox[(state[7] ^ expanded_key[(round * 16) + 7])]; - state[7] = g_sbox[(state[3] ^ expanded_key[(round * 16) + 3])]; - state[3] = g_sbox[buf1]; - - /* Last addroundkey */ - - state[0] ^= expanded_key[160]; - state[1] ^= expanded_key[161]; - state[2] ^= expanded_key[162]; - state[3] ^= expanded_key[163]; - state[4] ^= expanded_key[164]; - state[5] ^= expanded_key[165]; - state[6] ^= expanded_key[166]; - state[7] ^= expanded_key[167]; - state[8] ^= expanded_key[168]; - state[9] ^= expanded_key[169]; - state[10] ^= expanded_key[170]; - state[11] ^= expanded_key[171]; - state[12] ^= expanded_key[172]; - state[13] ^= expanded_key[173]; - state[14] ^= expanded_key[174]; - state[15] ^= expanded_key[175]; + x = y = comp_skey[u]; + x &= 0x55555555; + skey[v + 0] = x | (x << 1); + y &= 0xAAAAAAAA; + skey[v + 1] = y | (y >> 1); + } } -/**************************************************************************** - * Name: aes_decr - * - * Description: - * Internal implementation of AES128 decryption. - * Straight forward aes decryption implementation. The order of substeps is - * the exact reverse of decryption inverse functions: - * - * - addRoundKey is its own inverse - * - rsbox is inverse of sbox - * - rightshift instead of leftshift - * - invMixColumns = barreto + mixColumns - * - * No further subfunctions to save cycles for function calls no structuring - * with "for (....)" to save cycles - * - * Input Parameters: - * expanded_key expanded AES128 key - * state 16 bytes of cipher text and plain text - * - * Returned Value: - * None - * - ****************************************************************************/ - -static void aes_decr(FAR uint8_t *state, FAR const uint8_t *expanded_key) +static inline void +add_round_key(uint32_t *q, const uint32_t *sk) { - uint8_t buf1; - uint8_t buf2; - uint8_t buf3; - int8_t round; - - round = 9; - - /* Initial addroundkey */ - - state[0] ^= expanded_key[160]; - state[1] ^= expanded_key[161]; - state[2] ^= expanded_key[162]; - state[3] ^= expanded_key[163]; - state[4] ^= expanded_key[164]; - state[5] ^= expanded_key[165]; - state[6] ^= expanded_key[166]; - state[7] ^= expanded_key[167]; - state[8] ^= expanded_key[168]; - state[9] ^= expanded_key[169]; - state[10] ^= expanded_key[170]; - state[11] ^= expanded_key[171]; - state[12] ^= expanded_key[172]; - state[13] ^= expanded_key[173]; - state[14] ^= expanded_key[174]; - state[15] ^= expanded_key[175]; - - /* 10th round without mixcols */ - - state[0] = g_rsbox[state[0]] ^ expanded_key[(round * 16)]; - state[4] = g_rsbox[state[4]] ^ expanded_key[(round * 16) + 4]; - state[8] = g_rsbox[state[8]] ^ expanded_key[(round * 16) + 8]; - state[12] = g_rsbox[state[12]] ^ expanded_key[(round * 16) + 12]; - - /* Row 1 */ - - buf1 = g_rsbox[state[13]] ^ expanded_key[(round * 16) + 1]; - state[13] = g_rsbox[state[9]] ^ expanded_key[(round * 16) + 13]; - state[9] = g_rsbox[state[5]] ^ expanded_key[(round * 16) + 9]; - state[5] = g_rsbox[state[1]] ^ expanded_key[(round * 16) + 5]; - state[1] = buf1; - - /* Row 2 */ - - buf1 = g_rsbox[state[2]] ^ expanded_key[(round * 16) + 10]; - buf2 = g_rsbox[state[6]] ^ expanded_key[(round * 16) + 14]; - state[2] = g_rsbox[state[10]] ^ expanded_key[(round * 16) + 2]; - state[6] = g_rsbox[state[14]] ^ expanded_key[(round * 16) + 6]; - state[10] = buf1; - state[14] = buf2; - - /* Row 3 */ - - buf1 = g_rsbox[state[3]] ^ expanded_key[(round * 16) + 15]; - state[3] = g_rsbox[state[7]] ^ expanded_key[(round * 16) + 3]; - state[7] = g_rsbox[state[11]] ^ expanded_key[(round * 16) + 7]; - state[11] = g_rsbox[state[15]] ^ expanded_key[(round * 16) + 11]; - state[15] = buf1; - - for (round = 8; round >= 0; round--) - { - /* barreto */ - - /* Col1 */ - - buf1 = galois_mul2(galois_mul2(state[0] ^ state[2])); - buf2 = galois_mul2(galois_mul2(state[1] ^ state[3])); - state[0] ^= buf1; - state[1] ^= buf2; - state[2] ^= buf1; - state[3] ^= buf2; - - /* Col2 */ - - buf1 = galois_mul2(galois_mul2(state[4] ^ state[6])); - buf2 = galois_mul2(galois_mul2(state[5] ^ state[7])); - state[4] ^= buf1; - state[5] ^= buf2; - state[6] ^= buf1; - state[7] ^= buf2; - - /* Col3 */ - - buf1 = galois_mul2(galois_mul2(state[8] ^ state[10])); - buf2 = galois_mul2(galois_mul2(state[9] ^ state[11])); - state[8] ^= buf1; - state[9] ^= buf2; - state[10] ^= buf1; - state[11] ^= buf2; - - /* Col4 */ - - buf1 = galois_mul2(galois_mul2(state[12] ^ state[14])); - buf2 = galois_mul2(galois_mul2(state[13] ^ state[15])); - state[12] ^= buf1; - state[13] ^= buf2; - state[14] ^= buf1; - state[15] ^= buf2; - - /* mixcolums */ - - /* Col1 */ - - buf1 = state[0] ^ state[1] ^ state[2] ^ state[3]; - buf2 = state[0]; - - buf3 = state[0] ^ state[1]; - buf3 = galois_mul2(buf3); - state[0] = state[0] ^ buf3 ^ buf1; - - buf3 = state[1] ^ state[2]; - buf3 = galois_mul2(buf3); - state[1] = state[1] ^ buf3 ^ buf1; - - buf3 = state[2] ^ state[3]; - buf3 = galois_mul2(buf3); - state[2] = state[2] ^ buf3 ^ buf1; - - buf3 = state[3] ^ buf2; - buf3 = galois_mul2(buf3); - state[3] = state[3] ^ buf3 ^ buf1; - - /* Col2 */ - - buf1 = state[4] ^ state[5] ^ state[6] ^ state[7]; - buf2 = state[4]; - - buf3 = state[4] ^ state[5]; - buf3 = galois_mul2(buf3); - state[4] = state[4] ^ buf3 ^ buf1; - - buf3 = state[5] ^ state[6]; - buf3 = galois_mul2(buf3); - state[5] = state[5] ^ buf3 ^ buf1; - - buf3 = state[6] ^ state[7]; - buf3 = galois_mul2(buf3); - state[6] = state[6] ^ buf3 ^ buf1; - - buf3 = state[7] ^ buf2; - buf3 = galois_mul2(buf3); - state[7] = state[7] ^ buf3 ^ buf1; - - /* Col3 */ - - buf1 = state[8] ^ state[9] ^ state[10] ^ state[11]; - buf2 = state[8]; - - buf3 = state[8] ^ state[9]; - buf3 = galois_mul2(buf3); - state[8] = state[8] ^ buf3 ^ buf1; - - buf3 = state[9] ^ state[10]; - buf3 = galois_mul2(buf3); - state[9] = state[9] ^ buf3 ^ buf1; - - buf3 = state[10] ^ state[11]; - buf3 = galois_mul2(buf3); - state[10] = state[10] ^ buf3 ^ buf1; - - buf3 = state[11] ^ buf2; - buf3 = galois_mul2(buf3); - state[11] = state[11] ^ buf3 ^ buf1; - - /* Col4 */ - - buf1 = state[12] ^ state[13] ^ state[14] ^ state[15]; - buf2 = state[12]; - - buf3 = state[12] ^ state[13]; - buf3 = galois_mul2(buf3); - state[12] = state[12] ^ buf3 ^ buf1; - - buf3 = state[13] ^ state[14]; - buf3 = galois_mul2(buf3); - state[13] = state[13] ^ buf3 ^ buf1; - - buf3 = state[14] ^ state[15]; - buf3 = galois_mul2(buf3); - state[14] = state[14] ^ buf3 ^ buf1; - - buf3 = state[15] ^ buf2; - buf3 = galois_mul2(buf3); - state[15] = state[15] ^ buf3 ^ buf1; - - /* addroundkey, rsbox and shiftrows */ - - /* Row 0 */ - - state[0] = g_rsbox[state[0]] ^ expanded_key[(round * 16)]; - state[4] = g_rsbox[state[4]] ^ expanded_key[(round * 16) + 4]; - state[8] = g_rsbox[state[8]] ^ expanded_key[(round * 16) + 8]; - state[12] = g_rsbox[state[12]] ^ expanded_key[(round * 16) + 12]; - - /* Row 1 */ - - buf1 = g_rsbox[state[13]] ^ expanded_key[(round * 16) + 1]; - state[13] = g_rsbox[state[9]] ^ expanded_key[(round * 16) + 13]; - state[9] = g_rsbox[state[5]] ^ expanded_key[(round * 16) + 9]; - state[5] = g_rsbox[state[1]] ^ expanded_key[(round * 16) + 5]; - state[1] = buf1; - - /* Row 2 */ - - buf1 = g_rsbox[state[2]] ^ expanded_key[(round * 16) + 10]; - buf2 = g_rsbox[state[6]] ^ expanded_key[(round * 16) + 14]; - state[2] = g_rsbox[state[10]] ^ expanded_key[(round * 16) + 2]; - state[6] = g_rsbox[state[14]] ^ expanded_key[(round * 16) + 6]; - state[10] = buf1; - state[14] = buf2; - - /* Row 3 */ - - buf1 = g_rsbox[state[3]] ^ expanded_key[(round * 16) + 15]; - state[3] = g_rsbox[state[7]] ^ expanded_key[(round * 16) + 3]; - state[7] = g_rsbox[state[11]] ^ expanded_key[(round * 16) + 7]; - state[11] = g_rsbox[state[15]] ^ expanded_key[(round * 16) + 11]; - state[15] = buf1; - } + q[0] ^= sk[0]; + q[1] ^= sk[1]; + q[2] ^= sk[2]; + q[3] ^= sk[3]; + q[4] ^= sk[4]; + q[5] ^= sk[5]; + q[6] ^= sk[6]; + q[7] ^= sk[7]; } -/**************************************************************************** - * Public Functions - ****************************************************************************/ - -/**************************************************************************** - * Name: aes_setupkey - * - * Description: - * Configure the given AES context for operation with the selected key. - * - * Input Parameters: - * state an AES context that can be used for AES operations - * key a pointer to a 16-byte buffer holding the AES-128 key - * len length of the key, must be 16 - * - * TODO: Support other key lengths of 24 (AES-192) and 32 (AES-256) - * - * Returned Value: - * 0 if OK - * -EINVAL if len is not 16 - * - ****************************************************************************/ - -int aes_setupkey(FAR struct aes_state_s *state, - FAR const uint8_t *key, - int len) +static inline void +shift_rows(uint32_t *q) { - if (len != 16) - { - return -EINVAL; - } + int i; - expand_key(state->expanded_key, key); - return 0; + for (i = 0; i < 8; i ++) { + uint32_t x; + + x = q[i]; + q[i] = (x & 0x000000FF) + | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) + | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) + | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); + } } -/**************************************************************************** - * Name: aes_encipher - * - * Description: - * Encipher some 16-byte blocks (without any operation mode) using the - * previously defined key. The function can be called multiple times with - * the same state parameter. - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_encipher(FAR struct aes_state_s *state, FAR uint8_t *blocks, - int nblk) +static inline uint32_t +rotr16(uint32_t x) { - int i; - uint32_t off = 0; - - for (i = 0; i < nblk; i++) - { - aes_encr(blocks + off, state->expanded_key); - off += 16; - } + return (x << 16) | (x >> 16); } -/**************************************************************************** - * Name: aes_decipher - * - * Description: - * Decipher some 16-byte blocks (without any operation mode) using the - * previously defined key. The function can be called multiple times with - * the same state parameter. - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_decipher(FAR struct aes_state_s *state, FAR uint8_t *blocks, - int nblk) +static inline void +mix_columns(uint32_t *q) { - int i; - uint32_t off = 0; + uint32_t q0, q1, q2, q3, q4, q5, q6, q7; + uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - for (i = 0; i < nblk; i++) - { - aes_decr(blocks + off, state->expanded_key); - off += 16; - } + q0 = q[0]; + q1 = q[1]; + q2 = q[2]; + q3 = q[3]; + q4 = q[4]; + q5 = q[5]; + q6 = q[6]; + q7 = q[7]; + r0 = (q0 >> 8) | (q0 << 24); + r1 = (q1 >> 8) | (q1 << 24); + r2 = (q2 >> 8) | (q2 << 24); + r3 = (q3 >> 8) | (q3 << 24); + r4 = (q4 >> 8) | (q4 << 24); + r5 = (q5 >> 8) | (q5 << 24); + r6 = (q6 >> 8) | (q6 << 24); + r7 = (q7 >> 8) | (q7 << 24); + + q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); + q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); + q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); + q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); + q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); + q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); + q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); + q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); } -/**************************************************************************** - * Name: aes_encrypt - * - * Description: - * AES128 encryption: Given AES128 key and 16 bytes plain text, cipher - * text of 16 bytes is computed. The AES implementation is in mode ECB - * (Electronic Code Book). - * - * Input Parameters: - * key AES128 key of size 16 bytes - * state 16 bytes of plain text and cipher text - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_encrypt(FAR uint8_t *state, FAR const uint8_t *key) +/* + * Compute AES encryption on bitsliced data. Since input is stored on + * eight 32-bit words, two block encryptions are actually performed + * in parallel. + */ +void +aes_ct_bitslice_encrypt(unsigned num_rounds, + const uint32_t *skey, uint32_t *q) { - /* Expand the key into 176 bytes */ + unsigned u; - aes_setupkey(&g_aes_state, key, 16); - aes_encr(state, g_aes_state.expanded_key); + add_round_key(q, skey); + for (u = 1; u < num_rounds; u ++) { + aes_ct_bitslice_Sbox(q); + shift_rows(q); + mix_columns(q); + add_round_key(q, skey + (u << 3)); + } + aes_ct_bitslice_Sbox(q); + shift_rows(q); + add_round_key(q, skey + (num_rounds << 3)); } -/**************************************************************************** - * Name: aes_decrypt - * - * Description: - * AES128 decryption: Given AES128 key and 16 bytes cipher text, plain - * text of 16 bytes is computed The AES implementation is in mode ECB - * (Electronic Code Book). - * - * Input Parameters: - * key AES128 key of size 16 bytes - * state 16 bytes of plain text and cipher text - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_decrypt(FAR uint8_t *state, FAR const uint8_t *key) +/* + * Like aes_ct_bitslice_Sbox(), but for the inverse S-box. + */ +void +aes_ct_bitslice_invSbox(uint32_t *q) { - /* Expand the key into 176 bytes */ + /* + * AES S-box is: + * S(x) = A(I(x)) ^ 0x63 + * where I() is inversion in GF(256), and A() is a linear + * transform (0 is formally defined to be its own inverse). + * Since inversion is an involution, the inverse S-box can be + * computed from the S-box as: + * iS(x) = B(S(B(x ^ 0x63)) ^ 0x63) + * where B() is the inverse of A(). Indeed, for any y in GF(256): + * iS(S(y)) = B(A(I(B(A(I(y)) ^ 0x63 ^ 0x63))) ^ 0x63 ^ 0x63) = y + * + * Note: we reuse the implementation of the forward S-box, + * instead of duplicating it here, so that total code size is + * lower. By merging the B() transforms into the S-box circuit + * we could make faster CBC decryption, but CBC decryption is + * already quite faster than CBC encryption because we can + * process two blocks in parallel. + */ + uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - aes_setupkey(&g_aes_state, key, 16); - aes_decr(state, g_aes_state.expanded_key); + q0 = ~q[0]; + q1 = ~q[1]; + q2 = q[2]; + q3 = q[3]; + q4 = q[4]; + q5 = ~q[5]; + q6 = ~q[6]; + q7 = q[7]; + q[7] = q1 ^ q4 ^ q6; + q[6] = q0 ^ q3 ^ q5; + q[5] = q7 ^ q2 ^ q4; + q[4] = q6 ^ q1 ^ q3; + q[3] = q5 ^ q0 ^ q2; + q[2] = q4 ^ q7 ^ q1; + q[1] = q3 ^ q6 ^ q0; + q[0] = q2 ^ q5 ^ q7; + + aes_ct_bitslice_Sbox(q); + + q0 = ~q[0]; + q1 = ~q[1]; + q2 = q[2]; + q3 = q[3]; + q4 = q[4]; + q5 = ~q[5]; + q6 = ~q[6]; + q7 = q[7]; + q[7] = q1 ^ q4 ^ q6; + q[6] = q0 ^ q3 ^ q5; + q[5] = q7 ^ q2 ^ q4; + q[4] = q6 ^ q1 ^ q3; + q[3] = q5 ^ q0 ^ q2; + q[2] = q4 ^ q7 ^ q1; + q[1] = q3 ^ q6 ^ q0; + q[0] = q2 ^ q5 ^ q7; +} + +static inline void +inv_shift_rows(uint32_t *q) +{ + int i; + + for (i = 0; i < 8; i ++) { + uint32_t x; + + x = q[i]; + q[i] = (x & 0x000000FF) + | ((x & 0x00003F00) << 2) | ((x & 0x0000C000) >> 6) + | ((x & 0x000F0000) << 4) | ((x & 0x00F00000) >> 4) + | ((x & 0x03000000) << 6) | ((x & 0xFC000000) >> 2); + } +} + +static void +inv_mix_columns(uint32_t *q) +{ + uint32_t q0, q1, q2, q3, q4, q5, q6, q7; + uint32_t r0, r1, r2, r3, r4, r5, r6, r7; + + q0 = q[0]; + q1 = q[1]; + q2 = q[2]; + q3 = q[3]; + q4 = q[4]; + q5 = q[5]; + q6 = q[6]; + q7 = q[7]; + r0 = (q0 >> 8) | (q0 << 24); + r1 = (q1 >> 8) | (q1 << 24); + r2 = (q2 >> 8) | (q2 << 24); + r3 = (q3 >> 8) | (q3 << 24); + r4 = (q4 >> 8) | (q4 << 24); + r5 = (q5 >> 8) | (q5 << 24); + r6 = (q6 >> 8) | (q6 << 24); + r7 = (q7 >> 8) | (q7 << 24); + + q[0] = q5 ^ q6 ^ q7 ^ r0 ^ r5 ^ r7 ^ rotr16(q0 ^ q5 ^ q6 ^ r0 ^ r5); + q[1] = q0 ^ q5 ^ r0 ^ r1 ^ r5 ^ r6 ^ r7 ^ rotr16(q1 ^ q5 ^ q7 ^ r1 ^ r5 ^ r6); + q[2] = q0 ^ q1 ^ q6 ^ r1 ^ r2 ^ r6 ^ r7 ^ rotr16(q0 ^ q2 ^ q6 ^ r2 ^ r6 ^ r7); + q[3] = q0 ^ q1 ^ q2 ^ q5 ^ q6 ^ r0 ^ r2 ^ r3 ^ r5 ^ rotr16(q0 ^ q1 ^ q3 ^ q5 ^ q6 ^ q7 ^ r0 ^ r3 ^ r5 ^ r7); + q[4] = q1 ^ q2 ^ q3 ^ q5 ^ r1 ^ r3 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr16(q1 ^ q2 ^ q4 ^ q5 ^ q7 ^ r1 ^ r4 ^ r5 ^ r6); + q[5] = q2 ^ q3 ^ q4 ^ q6 ^ r2 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr16(q2 ^ q3 ^ q5 ^ q6 ^ r2 ^ r5 ^ r6 ^ r7); + q[6] = q3 ^ q4 ^ q5 ^ q7 ^ r3 ^ r5 ^ r6 ^ r7 ^ rotr16(q3 ^ q4 ^ q6 ^ q7 ^ r3 ^ r6 ^ r7); + q[7] = q4 ^ q5 ^ q6 ^ r4 ^ r6 ^ r7 ^ rotr16(q4 ^ q5 ^ q7 ^ r4 ^ r7); +} + +/* + * Compute AES decryption on bitsliced data. Since input is stored on + * eight 32-bit words, two block decryptions are actually performed + * in parallel. + */ +void +aes_ct_bitslice_decrypt(unsigned num_rounds, + const uint32_t *skey, uint32_t *q) +{ + unsigned u; + + add_round_key(q, skey + (num_rounds << 3)); + for (u = num_rounds - 1; u > 0; u --) { + inv_shift_rows(q); + aes_ct_bitslice_invSbox(q); + add_round_key(q, skey + (u << 3)); + inv_mix_columns(q); + } + inv_shift_rows(q); + aes_ct_bitslice_invSbox(q); + add_round_key(q, skey); +} + + +int +AES_Setkey(AES_CTX *ctx, const uint8_t *key, int len) +{ + ctx->num_rounds = aes_ct_keysched(ctx->sk, key, len); + if (ctx->num_rounds == 0) + return -1; + aes_ct_skey_expand(ctx->sk_exp, ctx->num_rounds, ctx->sk); + return 0; +} + +void +AES_Encrypt_ECB(AES_CTX *ctx, const uint8_t *src, + uint8_t *dst, size_t num_blocks) +{ + while (num_blocks > 0) { + uint32_t q[8]; + + q[0] = dec32le(src); + q[2] = dec32le(src + 4); + q[4] = dec32le(src + 8); + q[6] = dec32le(src + 12); + if (num_blocks > 1) { + q[1] = dec32le(src + 16); + q[3] = dec32le(src + 20); + q[5] = dec32le(src + 24); + q[7] = dec32le(src + 28); + } else { + q[1] = 0; + q[3] = 0; + q[5] = 0; + q[7] = 0; + } + aes_ct_ortho(q); + aes_ct_bitslice_encrypt(ctx->num_rounds, ctx->sk_exp, q); + aes_ct_ortho(q); + enc32le(dst, q[0]); + enc32le(dst + 4, q[2]); + enc32le(dst + 8, q[4]); + enc32le(dst + 12, q[6]); + if (num_blocks > 1) { + enc32le(dst + 16, q[1]); + enc32le(dst + 20, q[3]); + enc32le(dst + 24, q[5]); + enc32le(dst + 28, q[7]); + src += 32; + dst += 32; + num_blocks -= 2; + } else { + break; + } + } +} + +void +AES_Decrypt_ECB(AES_CTX *ctx, const uint8_t *src, + uint8_t *dst, size_t num_blocks) +{ + while (num_blocks > 0) { + uint32_t q[8]; + + q[0] = dec32le(src); + q[2] = dec32le(src + 4); + q[4] = dec32le(src + 8); + q[6] = dec32le(src + 12); + if (num_blocks > 1) { + q[1] = dec32le(src + 16); + q[3] = dec32le(src + 20); + q[5] = dec32le(src + 24); + q[7] = dec32le(src + 28); + } else { + q[1] = 0; + q[3] = 0; + q[5] = 0; + q[7] = 0; + } + aes_ct_ortho(q); + aes_ct_bitslice_decrypt(ctx->num_rounds, ctx->sk_exp, q); + aes_ct_ortho(q); + enc32le(dst, q[0]); + enc32le(dst + 4, q[2]); + enc32le(dst + 8, q[4]); + enc32le(dst + 12, q[6]); + if (num_blocks > 1) { + enc32le(dst + 16, q[1]); + enc32le(dst + 20, q[3]); + enc32le(dst + 24, q[5]); + enc32le(dst + 28, q[7]); + src += 32; + dst += 32; + num_blocks -= 2; + } else { + break; + } + } +} + +void +AES_Encrypt(AES_CTX *ctx, const uint8_t *src, uint8_t *dst) +{ + AES_Encrypt_ECB(ctx, src, dst, 1); +} + +void +AES_Decrypt(AES_CTX *ctx, const uint8_t *src, uint8_t *dst) +{ + AES_Decrypt_ECB(ctx, src, dst, 1); +} + +int +AES_KeySetup_Encrypt(uint32_t *skey, const uint8_t *key, int len) +{ + unsigned r, u; + uint32_t tkey[60]; + + r = aes_keysched_base(tkey, key, len); + if (r == 0) { + return 0; + } + for (u = 0; u < ((r + 1) << 2); u ++) { + uint32_t w; + + w = tkey[u]; + skey[u] = (w << 24) + | ((w & 0x0000FF00) << 8) + | ((w & 0x00FF0000) >> 8) + | (w >> 24); + } + return r; +} + +/* + * Reduce value x modulo polynomial x^8+x^4+x^3+x+1. This works as + * long as x fits on 12 bits at most. + */ +static inline uint32_t +redgf256(uint32_t x) +{ + uint32_t h; + + h = x >> 8; + return (x ^ h ^ (h << 1) ^ (h << 3) ^ (h << 4)) & 0xFF; +} + +/* + * Multiplication by 0x09 in GF(256). + */ +static inline uint32_t +mul9(uint32_t x) +{ + return redgf256(x ^ (x << 3)); +} + +/* + * Multiplication by 0x0B in GF(256). + */ +static inline uint32_t +mulb(uint32_t x) +{ + return redgf256(x ^ (x << 1) ^ (x << 3)); +} + +/* + * Multiplication by 0x0D in GF(256). + */ +static inline uint32_t +muld(uint32_t x) +{ + return redgf256(x ^ (x << 2) ^ (x << 3)); +} + +/* + * Multiplication by 0x0E in GF(256). + */ +static inline uint32_t +mule(uint32_t x) +{ + return redgf256((x << 1) ^ (x << 2) ^ (x << 3)); +} + +int +AES_KeySetup_Decrypt(uint32_t *skey, const uint8_t *key, int len) +{ + unsigned r, u; + uint32_t tkey[60]; + + /* + * Compute encryption subkeys. We get them in big-endian + * notation. + */ + r = AES_KeySetup_Encrypt(tkey, key, len); + if (r == 0) { + return 0; + } + + /* + * Copy the subkeys in reverse order. Also, apply InvMixColumns() + * on the subkeys (except first and last). + */ + memcpy(skey + (r << 2), tkey, 4 * sizeof(uint32_t)); + memcpy(skey, tkey + (r << 2), 4 * sizeof(uint32_t)); + for (u = 4; u < (r << 2); u ++) { + uint32_t sk, sk0, sk1, sk2, sk3; + uint32_t tk, tk0, tk1, tk2, tk3; + + sk = tkey[u]; + sk0 = sk >> 24; + sk1 = (sk >> 16) & 0xFF; + sk2 = (sk >> 8) & 0xFF; + sk3 = sk & 0xFF; + tk0 = mule(sk0) ^ mulb(sk1) ^ muld(sk2) ^ mul9(sk3); + tk1 = mul9(sk0) ^ mule(sk1) ^ mulb(sk2) ^ muld(sk3); + tk2 = muld(sk0) ^ mul9(sk1) ^ mule(sk2) ^ mulb(sk3); + tk3 = mulb(sk0) ^ muld(sk1) ^ mul9(sk2) ^ mule(sk3); + tk = (tk0 << 24) ^ (tk1 << 16) ^ (tk2 << 8) ^ tk3; + skey[((r - (u >> 2)) << 2) + (u & 3)] = tk; + } + + return r; } diff --git a/crypto/blf.c b/crypto/blf.c new file mode 100644 index 0000000000..957d83da7b --- /dev/null +++ b/crypto/blf.c @@ -0,0 +1,655 @@ +/* $OpenBSD: blf.c,v 1.8 2021/11/29 01:04:45 djm Exp $ */ + +/* + * Blowfish block cipher for OpenBSD + * Copyright 1997 Niels Provos + * All rights reserved. + * + * Implementation advice by David Mazieres . + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code is derived from section 14.3 and the given source + * in section V of Applied Cryptography, second edition. + * Blowfish is an unpatented fast block cipher designed by + * Bruce Schneier. + */ + +#include +#include + +#include + +#undef inline +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +/* Function for Feistel Networks */ + +#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \ + + (s)[0x100 + (((x)>>16)&0xFF)]) \ + ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \ + + (s)[0x300 + ( (x) &0xFF)]) + +#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n]) + +void +Blowfish_encipher(blf_ctx *c, u_int32_t *x) +{ + u_int32_t Xl; + u_int32_t Xr; + u_int32_t *s = c->S[0]; + u_int32_t *p = c->P; + + Xl = x[0]; + Xr = x[1]; + + Xl ^= p[0]; + BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2); + BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4); + BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6); + BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8); + BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10); + BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12); + BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14); + BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16); + + x[0] = Xr ^ p[17]; + x[1] = Xl; +} + +void +Blowfish_decipher(blf_ctx *c, u_int32_t *x) +{ + u_int32_t Xl; + u_int32_t Xr; + u_int32_t *s = c->S[0]; + u_int32_t *p = c->P; + + Xl = x[0]; + Xr = x[1]; + + Xl ^= p[17]; + BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15); + BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13); + BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11); + BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9); + BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7); + BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5); + BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3); + BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1); + + x[0] = Xr ^ p[0]; + x[1] = Xl; +} + +void +Blowfish_initstate(blf_ctx *c) +{ + /* P-box and S-box tables initialized with digits of Pi */ + + static const blf_ctx initstate = + + { { + { + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, + 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, + 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, + 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, + 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, + 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, + 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, + 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, + 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, + 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, + 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, + 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, + 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, + 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, + 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, + 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, + 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, + 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, + 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, + 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, + 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, + 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, + 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, + 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, + 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, + 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, + 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, + 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, + 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, + 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, + 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, + 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, + 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, + 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, + 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, + 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, + 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, + 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, + 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, + 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, + 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, + 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, + 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a}, + { + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, + 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, + 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, + 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, + 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, + 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, + 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, + 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, + 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, + 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, + 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, + 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, + 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, + 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, + 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, + 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, + 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, + 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, + 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, + 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, + 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, + 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, + 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, + 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, + 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, + 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, + 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, + 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, + 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, + 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, + 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, + 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, + 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, + 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, + 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, + 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, + 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, + 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, + 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, + 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, + 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, + 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, + 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7}, + { + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, + 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, + 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, + 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, + 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, + 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, + 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, + 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, + 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, + 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, + 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, + 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, + 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, + 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, + 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, + 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, + 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, + 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, + 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, + 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, + 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, + 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, + 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, + 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, + 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, + 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, + 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, + 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, + 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, + 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, + 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, + 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, + 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, + 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, + 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, + 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, + 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, + 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, + 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, + 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, + 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, + 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, + 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0}, + { + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, + 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, + 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, + 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, + 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, + 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, + 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, + 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, + 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, + 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, + 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, + 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, + 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, + 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, + 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, + 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, + 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, + 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, + 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, + 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, + 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, + 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, + 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, + 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, + 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, + 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, + 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, + 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, + 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, + 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, + 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, + 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, + 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, + 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, + 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, + 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, + 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, + 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, + 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, + 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, + 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, + 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, + 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6} + }, + { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b + } }; + + *c = initstate; +} + +u_int32_t +Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes, + u_int16_t *current) +{ + u_int8_t i; + u_int16_t j; + u_int32_t temp; + + temp = 0x00000000; + j = *current; + + for (i = 0; i < 4; i++, j++) { + if (j >= databytes) + j = 0; + temp = (temp << 8) | data[j]; + } + + *current = j; + return temp; +} + +void +Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes) +{ + u_int16_t i; + u_int16_t j; + u_int16_t k; + u_int32_t temp; + u_int32_t data[2]; + + j = 0; + for (i = 0; i < BLF_N + 2; i++) { + /* Extract 4 int8 to 1 int32 from keystream */ + temp = Blowfish_stream2word(key, keybytes, &j); + c->P[i] = c->P[i] ^ temp; + } + + j = 0; + data[0] = 0x00000000; + data[1] = 0x00000000; + for (i = 0; i < BLF_N + 2; i += 2) { + Blowfish_encipher(c, data); + + c->P[i] = data[0]; + c->P[i + 1] = data[1]; + } + + for (i = 0; i < 4; i++) { + for (k = 0; k < 256; k += 2) { + Blowfish_encipher(c, data); + + c->S[i][k] = data[0]; + c->S[i][k + 1] = data[1]; + } + } +} + + +void +Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes, + const u_int8_t *key, u_int16_t keybytes) +{ + u_int16_t i; + u_int16_t j; + u_int16_t k; + u_int32_t temp; + u_int32_t d[2]; + + j = 0; + for (i = 0; i < BLF_N + 2; i++) { + /* Extract 4 int8 to 1 int32 from keystream */ + temp = Blowfish_stream2word(key, keybytes, &j); + c->P[i] = c->P[i] ^ temp; + } + + j = 0; + d[0] = 0x00000000; + d[1] = 0x00000000; + for (i = 0; i < BLF_N + 2; i += 2) { + d[0] ^= Blowfish_stream2word(data, databytes, &j); + d[1] ^= Blowfish_stream2word(data, databytes, &j); + Blowfish_encipher(c, d); + + c->P[i] = d[0]; + c->P[i + 1] = d[1]; + } + + for (i = 0; i < 4; i++) { + for (k = 0; k < 256; k += 2) { + d[0]^= Blowfish_stream2word(data, databytes, &j); + d[1] ^= Blowfish_stream2word(data, databytes, &j); + Blowfish_encipher(c, d); + + c->S[i][k] = d[0]; + c->S[i][k + 1] = d[1]; + } + } + +} + +void +blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len) +{ + /* Initialize S-boxes and subkeys with Pi */ + Blowfish_initstate(c); + + /* Transform S-boxes and subkeys with key */ + Blowfish_expand0state(c, k, len); +} + +void +blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks) +{ + u_int32_t *d; + u_int16_t i; + + d = data; + for (i = 0; i < blocks; i++) { + Blowfish_encipher(c, d); + d += 2; + } +} + +void +blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks) +{ + u_int32_t *d; + u_int16_t i; + + d = data; + for (i = 0; i < blocks; i++) { + Blowfish_decipher(c, d); + d += 2; + } +} + +void +blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r, d[2]; + u_int32_t i; + + for (i = 0; i < len; i += 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + d[0] = l; + d[1] = r; + Blowfish_encipher(c, d); + l = d[0]; + r = d[1]; + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + data += 8; + } +} + +void +blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r, d[2]; + u_int32_t i; + + for (i = 0; i < len; i += 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + d[0] = l; + d[1] = r; + Blowfish_decipher(c, d); + l = d[0]; + r = d[1]; + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + data += 8; + } +} + +void +blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r, d[2]; + u_int32_t i, j; + + for (i = 0; i < len; i += 8) { + for (j = 0; j < 8; j++) + data[j] ^= iv[j]; + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + d[0] = l; + d[1] = r; + Blowfish_encipher(c, d); + l = d[0]; + r = d[1]; + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + iv = data; + data += 8; + } +} + +void +blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len) +{ + u_int32_t l, r, d[2]; + u_int8_t *iv; + u_int32_t i, j; + + iv = data + len - 16; + data = data + len - 8; + for (i = len - 8; i >= 8; i -= 8) { + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + d[0] = l; + d[1] = r; + Blowfish_decipher(c, d); + l = d[0]; + r = d[1]; + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + for (j = 0; j < 8; j++) + data[j] ^= iv[j]; + iv -= 8; + data -= 8; + } + l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; + r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; + d[0] = l; + d[1] = r; + Blowfish_decipher(c, d); + l = d[0]; + r = d[1]; + data[0] = l >> 24 & 0xff; + data[1] = l >> 16 & 0xff; + data[2] = l >> 8 & 0xff; + data[3] = l & 0xff; + data[4] = r >> 24 & 0xff; + data[5] = r >> 16 & 0xff; + data[6] = r >> 8 & 0xff; + data[7] = r & 0xff; + for (j = 0; j < 8; j++) + data[j] ^= iva[j]; +} diff --git a/crypto/cast.c b/crypto/cast.c new file mode 100644 index 0000000000..378d157662 --- /dev/null +++ b/crypto/cast.c @@ -0,0 +1,277 @@ +/* $OpenBSD: cast.c,v 1.4 2012/04/25 04:12:27 matthew Exp $ */ + +/* + * CAST-128 in C + * Written by Steve Reid + * 100% Public Domain - no warranty + * Released 1997.10.11 + */ + +#include +#include +#include +#include + +/* Macros to access 8-bit bytes out of a 32-bit word */ +#define U_INT8_Ta(x) ( (u_int8_t) (x>>24) ) +#define U_INT8_Tb(x) ( (u_int8_t) ((x>>16)&255) ) +#define U_INT8_Tc(x) ( (u_int8_t) ((x>>8)&255) ) +#define U_INT8_Td(x) ( (u_int8_t) ((x)&255) ) + +/* Circular left shift */ +#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) ) + +/* CAST-128 uses three different round functions */ +#define F1(l, r, i) \ + t = ROL(key->xkey[i] + r, key->xkey[i+16]); \ + l ^= ((cast_sbox1[U_INT8_Ta(t)] ^ cast_sbox2[U_INT8_Tb(t)]) - \ + cast_sbox3[U_INT8_Tc(t)]) + cast_sbox4[U_INT8_Td(t)]; +#define F2(l, r, i) \ + t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \ + l ^= ((cast_sbox1[U_INT8_Ta(t)] - cast_sbox2[U_INT8_Tb(t)]) + \ + cast_sbox3[U_INT8_Tc(t)]) ^ cast_sbox4[U_INT8_Td(t)]; +#define F3(l, r, i) \ + t = ROL(key->xkey[i] - r, key->xkey[i+16]); \ + l ^= ((cast_sbox1[U_INT8_Ta(t)] + cast_sbox2[U_INT8_Tb(t)]) ^ \ + cast_sbox3[U_INT8_Tc(t)]) - cast_sbox4[U_INT8_Td(t)]; + + +/***** Encryption Function *****/ + +void +cast_encrypt(cast_key *key, u_int8_t *inblock, u_int8_t *outblock) +{ + u_int32_t t, l, r; + + /* Get inblock into l,r */ + l = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) | + ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3]; + r = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) | + ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7]; + /* Do the work */ + F1(l, r, 0); + F2(r, l, 1); + F3(l, r, 2); + F1(r, l, 3); + F2(l, r, 4); + F3(r, l, 5); + F1(l, r, 6); + F2(r, l, 7); + F3(l, r, 8); + F1(r, l, 9); + F2(l, r, 10); + F3(r, l, 11); + /* Only do full 16 rounds if key length > 80 bits */ + if (key->rounds > 12) { + F1(l, r, 12); + F2(r, l, 13); + F3(l, r, 14); + F1(r, l, 15); + } + /* Put l,r into outblock */ + outblock[0] = U_INT8_Ta(r); + outblock[1] = U_INT8_Tb(r); + outblock[2] = U_INT8_Tc(r); + outblock[3] = U_INT8_Td(r); + outblock[4] = U_INT8_Ta(l); + outblock[5] = U_INT8_Tb(l); + outblock[6] = U_INT8_Tc(l); + outblock[7] = U_INT8_Td(l); + /* Wipe clean */ + t = l = r = 0; +} + + +/***** Decryption Function *****/ + +void +cast_decrypt(cast_key *key, u_int8_t *inblock, u_int8_t *outblock) +{ + u_int32_t t, l, r; + + /* Get inblock into l,r */ + r = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) | + ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3]; + l = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) | + ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7]; + /* Do the work */ + /* Only do full 16 rounds if key length > 80 bits */ + if (key->rounds > 12) { + F1(r, l, 15); + F3(l, r, 14); + F2(r, l, 13); + F1(l, r, 12); + } + F3(r, l, 11); + F2(l, r, 10); + F1(r, l, 9); + F3(l, r, 8); + F2(r, l, 7); + F1(l, r, 6); + F3(r, l, 5); + F2(l, r, 4); + F1(r, l, 3); + F3(l, r, 2); + F2(r, l, 1); + F1(l, r, 0); + /* Put l,r into outblock */ + outblock[0] = U_INT8_Ta(l); + outblock[1] = U_INT8_Tb(l); + outblock[2] = U_INT8_Tc(l); + outblock[3] = U_INT8_Td(l); + outblock[4] = U_INT8_Ta(r); + outblock[5] = U_INT8_Tb(r); + outblock[6] = U_INT8_Tc(r); + outblock[7] = U_INT8_Td(r); + /* Wipe clean */ + t = l = r = 0; +} + + +/***** Key Schedule *****/ + +void +cast_setkey(cast_key *key, u_int8_t *rawkey, int keybytes) +{ + u_int32_t t[4], z[4], x[4]; + int i; + + /* Set number of rounds to 12 or 16, depending on key length */ + key->rounds = (keybytes <= 10 ? 12 : 16); + + /* Copy key to workspace x */ + for (i = 0; i < 4; i++) { + x[i] = 0; + if ((i*4+0) < keybytes) x[i] = (u_int32_t)rawkey[i*4+0] << 24; + if ((i*4+1) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+1] << 16; + if ((i*4+2) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+2] << 8; + if ((i*4+3) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+3]; + } + /* Generate 32 subkeys, four at a time */ + for (i = 0; i < 32; i+=4) { + switch (i & 4) { + case 0: + t[0] = z[0] = x[0] ^ cast_sbox5[U_INT8_Tb(x[3])] ^ + cast_sbox6[U_INT8_Td(x[3])] ^ + cast_sbox7[U_INT8_Ta(x[3])] ^ + cast_sbox8[U_INT8_Tc(x[3])] ^ + cast_sbox7[U_INT8_Ta(x[2])]; + t[1] = z[1] = x[2] ^ cast_sbox5[U_INT8_Ta(z[0])] ^ + cast_sbox6[U_INT8_Tc(z[0])] ^ + cast_sbox7[U_INT8_Tb(z[0])] ^ + cast_sbox8[U_INT8_Td(z[0])] ^ + cast_sbox8[U_INT8_Tc(x[2])]; + t[2] = z[2] = x[3] ^ cast_sbox5[U_INT8_Td(z[1])] ^ + cast_sbox6[U_INT8_Tc(z[1])] ^ + cast_sbox7[U_INT8_Tb(z[1])] ^ + cast_sbox8[U_INT8_Ta(z[1])] ^ + cast_sbox5[U_INT8_Tb(x[2])]; + t[3] = z[3] = x[1] ^ cast_sbox5[U_INT8_Tc(z[2])] ^ + cast_sbox6[U_INT8_Tb(z[2])] ^ + cast_sbox7[U_INT8_Td(z[2])] ^ + cast_sbox8[U_INT8_Ta(z[2])] ^ + cast_sbox6[U_INT8_Td(x[2])]; + break; + case 4: + t[0] = x[0] = z[2] ^ cast_sbox5[U_INT8_Tb(z[1])] ^ + cast_sbox6[U_INT8_Td(z[1])] ^ + cast_sbox7[U_INT8_Ta(z[1])] ^ + cast_sbox8[U_INT8_Tc(z[1])] ^ + cast_sbox7[U_INT8_Ta(z[0])]; + t[1] = x[1] = z[0] ^ cast_sbox5[U_INT8_Ta(x[0])] ^ + cast_sbox6[U_INT8_Tc(x[0])] ^ + cast_sbox7[U_INT8_Tb(x[0])] ^ + cast_sbox8[U_INT8_Td(x[0])] ^ + cast_sbox8[U_INT8_Tc(z[0])]; + t[2] = x[2] = z[1] ^ cast_sbox5[U_INT8_Td(x[1])] ^ + cast_sbox6[U_INT8_Tc(x[1])] ^ + cast_sbox7[U_INT8_Tb(x[1])] ^ + cast_sbox8[U_INT8_Ta(x[1])] ^ + cast_sbox5[U_INT8_Tb(z[0])]; + t[3] = x[3] = z[3] ^ cast_sbox5[U_INT8_Tc(x[2])] ^ + cast_sbox6[U_INT8_Tb(x[2])] ^ + cast_sbox7[U_INT8_Td(x[2])] ^ + cast_sbox8[U_INT8_Ta(x[2])] ^ + cast_sbox6[U_INT8_Td(z[0])]; + break; + } + switch (i & 12) { + case 0: + case 12: + key->xkey[i+0] = cast_sbox5[U_INT8_Ta(t[2])] ^ + cast_sbox6[U_INT8_Tb(t[2])] ^ + cast_sbox7[U_INT8_Td(t[1])] ^ + cast_sbox8[U_INT8_Tc(t[1])]; + key->xkey[i+1] = cast_sbox5[U_INT8_Tc(t[2])] ^ + cast_sbox6[U_INT8_Td(t[2])] ^ + cast_sbox7[U_INT8_Tb(t[1])] ^ + cast_sbox8[U_INT8_Ta(t[1])]; + key->xkey[i+2] = cast_sbox5[U_INT8_Ta(t[3])] ^ + cast_sbox6[U_INT8_Tb(t[3])] ^ + cast_sbox7[U_INT8_Td(t[0])] ^ + cast_sbox8[U_INT8_Tc(t[0])]; + key->xkey[i+3] = cast_sbox5[U_INT8_Tc(t[3])] ^ + cast_sbox6[U_INT8_Td(t[3])] ^ + cast_sbox7[U_INT8_Tb(t[0])] ^ + cast_sbox8[U_INT8_Ta(t[0])]; + break; + case 4: + case 8: + key->xkey[i+0] = cast_sbox5[U_INT8_Td(t[0])] ^ + cast_sbox6[U_INT8_Tc(t[0])] ^ + cast_sbox7[U_INT8_Ta(t[3])] ^ + cast_sbox8[U_INT8_Tb(t[3])]; + key->xkey[i+1] = cast_sbox5[U_INT8_Tb(t[0])] ^ + cast_sbox6[U_INT8_Ta(t[0])] ^ + cast_sbox7[U_INT8_Tc(t[3])] ^ + cast_sbox8[U_INT8_Td(t[3])]; + key->xkey[i+2] = cast_sbox5[U_INT8_Td(t[1])] ^ + cast_sbox6[U_INT8_Tc(t[1])] ^ + cast_sbox7[U_INT8_Ta(t[2])] ^ + cast_sbox8[U_INT8_Tb(t[2])]; + key->xkey[i+3] = cast_sbox5[U_INT8_Tb(t[1])] ^ + cast_sbox6[U_INT8_Ta(t[1])] ^ + cast_sbox7[U_INT8_Tc(t[2])] ^ + cast_sbox8[U_INT8_Td(t[2])]; + break; + } + switch (i & 12) { + case 0: + key->xkey[i+0] ^= cast_sbox5[U_INT8_Tc(z[0])]; + key->xkey[i+1] ^= cast_sbox6[U_INT8_Tc(z[1])]; + key->xkey[i+2] ^= cast_sbox7[U_INT8_Tb(z[2])]; + key->xkey[i+3] ^= cast_sbox8[U_INT8_Ta(z[3])]; + break; + case 4: + key->xkey[i+0] ^= cast_sbox5[U_INT8_Ta(x[2])]; + key->xkey[i+1] ^= cast_sbox6[U_INT8_Tb(x[3])]; + key->xkey[i+2] ^= cast_sbox7[U_INT8_Td(x[0])]; + key->xkey[i+3] ^= cast_sbox8[U_INT8_Td(x[1])]; + break; + case 8: + key->xkey[i+0] ^= cast_sbox5[U_INT8_Tb(z[2])]; + key->xkey[i+1] ^= cast_sbox6[U_INT8_Ta(z[3])]; + key->xkey[i+2] ^= cast_sbox7[U_INT8_Tc(z[0])]; + key->xkey[i+3] ^= cast_sbox8[U_INT8_Tc(z[1])]; + break; + case 12: + key->xkey[i+0] ^= cast_sbox5[U_INT8_Td(x[0])]; + key->xkey[i+1] ^= cast_sbox6[U_INT8_Td(x[1])]; + key->xkey[i+2] ^= cast_sbox7[U_INT8_Ta(x[2])]; + key->xkey[i+3] ^= cast_sbox8[U_INT8_Tb(x[3])]; + break; + } + if (i >= 16) { + key->xkey[i+0] &= 31; + key->xkey[i+1] &= 31; + key->xkey[i+2] &= 31; + key->xkey[i+3] &= 31; + } + } + /* Wipe clean */ + explicit_bzero(t, sizeof(t)); + explicit_bzero(x, sizeof(x)); + explicit_bzero(z, sizeof(z)); +} + +/* Made in Canada */ diff --git a/crypto/castsb.h b/crypto/castsb.h new file mode 100644 index 0000000000..0e1fb79623 --- /dev/null +++ b/crypto/castsb.h @@ -0,0 +1,544 @@ +/* $OpenBSD: castsb.h,v 1.1 2000/02/28 23:13:04 deraadt Exp $ */ +/* + * CAST-128 in C + * Written by Steve Reid + * 100% Public Domain - no warranty + * Released 1997.10.11 + */ + +static const u_int32_t cast_sbox1[256] = { + 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A, + 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949, + 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675, + 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E, + 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2, + 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D, + 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F, + 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0, + 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE, + 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7, + 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F, + 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935, + 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D, + 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D, + 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165, + 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50, + 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272, + 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE, + 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D, + 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3, + 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A, + 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167, + 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F, + 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291, + 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9, + 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779, + 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6, + 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2, + 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9, + 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511, + 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E, + 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D, + 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E, + 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5, + 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82, + 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324, + 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC, + 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C, + 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F, + 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC, + 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491, + 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D, + 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE, + 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96, + 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A, + 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A, + 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79, + 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D, + 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779, + 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD, + 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755, + 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6, + 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB, + 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9, + 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0, + 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872, + 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79, + 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C, + 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298, + 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E, + 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571, + 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9, + 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D, + 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF +}; + +static const u_int32_t cast_sbox2[256] = { + 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380, + 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651, + 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA, + 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3, + 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909, + 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB, + 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B, + 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806, + 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4, + 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B, + 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F, + 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359, + 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21, + 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B, + 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D, + 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C, + 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F, + 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34, + 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D, + 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB, + 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4, + 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD, + 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801, + 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860, + 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755, + 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B, + 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709, + 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304, + 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B, + 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B, + 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C, + 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF, + 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9, + 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C, + 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3, + 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13, + 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9, + 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F, + 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB, + 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6, + 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4, + 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6, + 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43, + 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58, + 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8, + 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906, + 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171, + 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D, + 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89, + 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6, + 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B, + 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4, + 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB, + 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6, + 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E, + 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F, + 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA, + 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249, + 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA, + 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA, + 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD, + 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9, + 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF, + 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1 +}; + +static const u_int32_t cast_sbox3[256] = { + 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907, + 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90, + 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE, + 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5, + 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E, + 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E, + 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC, + 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240, + 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E, + 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5, + 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F, + 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B, + 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99, + 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71, + 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F, + 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04, + 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380, + 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82, + 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8, + 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15, + 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504, + 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2, + 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6, + 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176, + 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E, + 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148, + 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D, + 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC, + 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1, + 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341, + 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C, + 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E, + 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15, + 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51, + 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4, + 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F, + 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B, + 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A, + 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392, + 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B, + 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231, + 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B, + 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889, + 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5, + 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67, + 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45, + 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49, + 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536, + 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D, + 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC, + 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D, + 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0, + 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E, + 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69, + 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767, + 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2, + 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE, + 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49, + 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24, + 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D, + 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0, + 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A, + 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5, + 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783 +}; + +static const u_int32_t cast_sbox4[256] = { + 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298, + 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1, + 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120, + 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF, + 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220, + 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15, + 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE, + 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121, + 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701, + 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25, + 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B, + 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5, + 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93, + 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB, + 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746, + 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5, + 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9, + 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D, + 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB, + 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6, + 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C, + 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23, + 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7, + 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003, + 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340, + 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6, + 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327, + 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119, + 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC, + 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24, + 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205, + 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A, + 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031, + 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79, + 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5, + 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF, + 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C, + 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26, + 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69, + 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB, + 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9, + 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7, + 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF, + 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417, + 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3, + 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2, + 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2, + 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2, + 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF, + 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A, + 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091, + 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919, + 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF, + 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF, + 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF, + 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876, + 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367, + 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB, + 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C, + 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04, + 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43, + 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282, + 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E, + 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2 +}; + +static const u_int32_t cast_sbox5[256] = { + 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911, + 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F, + 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00, + 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A, + 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180, + 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF, + 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2, + 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02, + 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725, + 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A, + 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B, + 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7, + 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571, + 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9, + 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC, + 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981, + 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA, + 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774, + 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263, + 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655, + 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468, + 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2, + 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B, + 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910, + 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284, + 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1, + 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4, + 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA, + 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7, + 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049, + 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE, + 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F, + 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6, + 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA, + 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4, + 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE, + 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561, + 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3, + 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6, + 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840, + 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406, + 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4, + 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472, + 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2, + 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487, + 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7, + 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288, + 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5, + 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2, + 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E, + 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78, + 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E, + 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76, + 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801, + 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0, + 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD, + 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58, + 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0, + 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2, + 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20, + 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE, + 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8, + 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55, + 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4 +}; + +static const u_int32_t cast_sbox6[256] = { + 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C, + 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC, + 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9, + 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138, + 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E, + 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367, + 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866, + 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98, + 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C, + 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072, + 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD, + 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3, + 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53, + 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD, + 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D, + 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8, + 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF, + 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9, + 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807, + 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54, + 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A, + 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387, + 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563, + 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC, + 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0, + 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF, + 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE, + 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF, + 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0, + 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F, + 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2, + 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289, + 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853, + 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950, + 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA, + 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F, + 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9, + 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B, + 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751, + 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE, + 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358, + 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13, + 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397, + 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976, + 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459, + 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0, + 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4, + 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891, + 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F, + 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA, + 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB, + 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC, + 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2, + 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084, + 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB, + 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25, + 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B, + 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121, + 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B, + 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5, + 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855, + 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD, + 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454, + 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F +}; + +static const u_int32_t cast_sbox7[256] = { + 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693, + 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F, + 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82, + 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE, + 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD, + 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43, + 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F, + 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19, + 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9, + 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2, + 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E, + 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516, + 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83, + 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88, + 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E, + 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816, + 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A, + 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756, + 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F, + 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A, + 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B, + 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264, + 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78, + 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688, + 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D, + 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28, + 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802, + 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3, + 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9, + 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7, + 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302, + 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06, + 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858, + 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033, + 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A, + 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A, + 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4, + 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566, + 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF, + 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509, + 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9, + 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962, + 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C, + 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E, + 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07, + 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C, + 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939, + 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C, + 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E, + 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285, + 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378, + 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301, + 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD, + 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE, + 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567, + 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767, + 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2, + 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647, + 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF, + 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914, + 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2, + 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C, + 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA, + 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3 +}; + +static const u_int32_t cast_sbox8[256] = { + 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095, + 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5, + 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174, + 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC, + 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940, + 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD, + 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42, + 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D, + 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164, + 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2, + 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4, + 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862, + 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0, + 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC, + 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6, + 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C, + 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491, + 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E, + 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B, + 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039, + 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8, + 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8, + 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006, + 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42, + 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564, + 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5, + 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB, + 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472, + 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC, + 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225, + 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8, + 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C, + 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441, + 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB, + 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F, + 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054, + 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504, + 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70, + 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C, + 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC, + 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6, + 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C, + 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD, + 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3, + 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4, + 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4, + 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC, + 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101, + 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA, + 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F, + 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF, + 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E, + 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603, + 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A, + 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37, + 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C, + 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819, + 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384, + 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D, + 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C, + 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347, + 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82, + 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D, + 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E +}; + diff --git a/crypto/chacha_private.h b/crypto/chacha_private.h new file mode 100644 index 0000000000..8c926ea4b0 --- /dev/null +++ b/crypto/chacha_private.h @@ -0,0 +1,261 @@ +/* $OpenBSD: chacha_private.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $ */ +/* +chacha-merged.c version 20080118 +D. J. Bernstein +Public domain. +*/ + +#include + +typedef unsigned char u8; +typedef unsigned int u32; + +typedef struct +{ + u32 input[16]; /* could be compressed */ +} chacha_ctx; + +#define U8C(v) (v##U) +#define U32C(v) (v##U) + +#define U8V(v) ((u8)(v) & U8C(0xFF)) +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) + +#define ROTL32(v, n) \ + (U32V((v) << (n)) | ((v) >> (32 - (n)))) + +#define U8TO32_LITTLE(p) \ + (((u32)((p)[0]) ) | \ + ((u32)((p)[1]) << 8) | \ + ((u32)((p)[2]) << 16) | \ + ((u32)((p)[3]) << 24)) + +#define U32TO8_LITTLE(p, v) \ + do { \ + (p)[0] = U8V((v) ); \ + (p)[1] = U8V((v) >> 8); \ + (p)[2] = U8V((v) >> 16); \ + (p)[3] = U8V((v) >> 24); \ + } while (0) + +#define ROTATE(v,c) (ROTL32(v,c)) +#define XOR(v,w) ((v) ^ (w)) +#define PLUS(v,w) (U32V((v) + (w))) +#define PLUSONE(v) (PLUS((v),1)) + +#define QUARTERROUND(a,b,c,d) \ + a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ + a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ + c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); + +static const char sigma[16] = "expand 32-byte k"; +static const char tau[16] = "expand 16-byte k"; + +static inline void +hchacha20(u32 derived_key[8], const u8 nonce[16], const u8 key[32]) +{ + int i; + uint32_t x[] = { + U8TO32_LITTLE(sigma + 0), + U8TO32_LITTLE(sigma + 4), + U8TO32_LITTLE(sigma + 8), + U8TO32_LITTLE(sigma + 12), + U8TO32_LITTLE(key + 0), + U8TO32_LITTLE(key + 4), + U8TO32_LITTLE(key + 8), + U8TO32_LITTLE(key + 12), + U8TO32_LITTLE(key + 16), + U8TO32_LITTLE(key + 20), + U8TO32_LITTLE(key + 24), + U8TO32_LITTLE(key + 28), + U8TO32_LITTLE(nonce + 0), + U8TO32_LITTLE(nonce + 4), + U8TO32_LITTLE(nonce + 8), + U8TO32_LITTLE(nonce + 12) + }; + + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x[0], x[4], x[8],x[12]) + QUARTERROUND( x[1], x[5], x[9],x[13]) + QUARTERROUND( x[2], x[6],x[10],x[14]) + QUARTERROUND( x[3], x[7],x[11],x[15]) + QUARTERROUND( x[0], x[5],x[10],x[15]) + QUARTERROUND( x[1], x[6],x[11],x[12]) + QUARTERROUND( x[2], x[7], x[8],x[13]) + QUARTERROUND( x[3], x[4], x[9],x[14]) + } + + memcpy(derived_key + 0, x + 0, sizeof(u32) * 4); + memcpy(derived_key + 4, x + 12, sizeof(u32) * 4); +} + +static void +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits) +{ + const char *constants; + + x->input[4] = U8TO32_LITTLE(k + 0); + x->input[5] = U8TO32_LITTLE(k + 4); + x->input[6] = U8TO32_LITTLE(k + 8); + x->input[7] = U8TO32_LITTLE(k + 12); + if (kbits == 256) { /* recommended */ + k += 16; + constants = sigma; + } else { /* kbits == 128 */ + constants = tau; + } + x->input[8] = U8TO32_LITTLE(k + 0); + x->input[9] = U8TO32_LITTLE(k + 4); + x->input[10] = U8TO32_LITTLE(k + 8); + x->input[11] = U8TO32_LITTLE(k + 12); + x->input[0] = U8TO32_LITTLE(constants + 0); + x->input[1] = U8TO32_LITTLE(constants + 4); + x->input[2] = U8TO32_LITTLE(constants + 8); + x->input[3] = U8TO32_LITTLE(constants + 12); +} + +static void +chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter) +{ + x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0); + x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4); + x->input[14] = U8TO32_LITTLE(iv + 0); + x->input[15] = U8TO32_LITTLE(iv + 4); +} + +static void +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) +{ + u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + u8 *ctarget = NULL; + u8 tmp[64]; + u_int i; + + if (!bytes) return; + + j0 = x->input[0]; + j1 = x->input[1]; + j2 = x->input[2]; + j3 = x->input[3]; + j4 = x->input[4]; + j5 = x->input[5]; + j6 = x->input[6]; + j7 = x->input[7]; + j8 = x->input[8]; + j9 = x->input[9]; + j10 = x->input[10]; + j11 = x->input[11]; + j12 = x->input[12]; + j13 = x->input[13]; + j14 = x->input[14]; + j15 = x->input[15]; + + for (;;) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) tmp[i] = m[i]; + m = tmp; + ctarget = c; + c = tmp; + } + x0 = j0; + x1 = j1; + x2 = j2; + x3 = j3; + x4 = j4; + x5 = j5; + x6 = j6; + x7 = j7; + x8 = j8; + x9 = j9; + x10 = j10; + x11 = j11; + x12 = j12; + x13 = j13; + x14 = j14; + x15 = j15; + for (i = 20;i > 0;i -= 2) { + QUARTERROUND( x0, x4, x8,x12) + QUARTERROUND( x1, x5, x9,x13) + QUARTERROUND( x2, x6,x10,x14) + QUARTERROUND( x3, x7,x11,x15) + QUARTERROUND( x0, x5,x10,x15) + QUARTERROUND( x1, x6,x11,x12) + QUARTERROUND( x2, x7, x8,x13) + QUARTERROUND( x3, x4, x9,x14) + } + x0 = PLUS(x0,j0); + x1 = PLUS(x1,j1); + x2 = PLUS(x2,j2); + x3 = PLUS(x3,j3); + x4 = PLUS(x4,j4); + x5 = PLUS(x5,j5); + x6 = PLUS(x6,j6); + x7 = PLUS(x7,j7); + x8 = PLUS(x8,j8); + x9 = PLUS(x9,j9); + x10 = PLUS(x10,j10); + x11 = PLUS(x11,j11); + x12 = PLUS(x12,j12); + x13 = PLUS(x13,j13); + x14 = PLUS(x14,j14); + x15 = PLUS(x15,j15); + +#ifndef KEYSTREAM_ONLY + x0 = XOR(x0,U8TO32_LITTLE(m + 0)); + x1 = XOR(x1,U8TO32_LITTLE(m + 4)); + x2 = XOR(x2,U8TO32_LITTLE(m + 8)); + x3 = XOR(x3,U8TO32_LITTLE(m + 12)); + x4 = XOR(x4,U8TO32_LITTLE(m + 16)); + x5 = XOR(x5,U8TO32_LITTLE(m + 20)); + x6 = XOR(x6,U8TO32_LITTLE(m + 24)); + x7 = XOR(x7,U8TO32_LITTLE(m + 28)); + x8 = XOR(x8,U8TO32_LITTLE(m + 32)); + x9 = XOR(x9,U8TO32_LITTLE(m + 36)); + x10 = XOR(x10,U8TO32_LITTLE(m + 40)); + x11 = XOR(x11,U8TO32_LITTLE(m + 44)); + x12 = XOR(x12,U8TO32_LITTLE(m + 48)); + x13 = XOR(x13,U8TO32_LITTLE(m + 52)); + x14 = XOR(x14,U8TO32_LITTLE(m + 56)); + x15 = XOR(x15,U8TO32_LITTLE(m + 60)); +#endif + + j12 = PLUSONE(j12); + if (!j12) { + j13 = PLUSONE(j13); + /* stopping at 2^70 bytes per nonce is user's responsibility */ + } + + U32TO8_LITTLE(c + 0,x0); + U32TO8_LITTLE(c + 4,x1); + U32TO8_LITTLE(c + 8,x2); + U32TO8_LITTLE(c + 12,x3); + U32TO8_LITTLE(c + 16,x4); + U32TO8_LITTLE(c + 20,x5); + U32TO8_LITTLE(c + 24,x6); + U32TO8_LITTLE(c + 28,x7); + U32TO8_LITTLE(c + 32,x8); + U32TO8_LITTLE(c + 36,x9); + U32TO8_LITTLE(c + 40,x10); + U32TO8_LITTLE(c + 44,x11); + U32TO8_LITTLE(c + 48,x12); + U32TO8_LITTLE(c + 52,x13); + U32TO8_LITTLE(c + 56,x14); + U32TO8_LITTLE(c + 60,x15); + + if (bytes <= 64) { + if (bytes < 64) { + for (i = 0;i < bytes;++i) ctarget[i] = c[i]; + } + x->input[12] = j12; + x->input[13] = j13; + return; + } + bytes -= 64; + c += 64; +#ifndef KEYSTREAM_ONLY + m += 64; +#endif + } +} diff --git a/crypto/chachapoly.c b/crypto/chachapoly.c new file mode 100644 index 0000000000..b4cdbea7b2 --- /dev/null +++ b/crypto/chachapoly.c @@ -0,0 +1,262 @@ +/* $OpenBSD: chachapoly.c,v 1.6 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Copyright (c) 2015 Mike Belopuhov + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include + +#include +#include +#include + +int +chacha20_setkey(void *sched, u_int8_t *key, int len) +{ + struct chacha20_ctx *ctx = (struct chacha20_ctx *)sched; + + if (len != CHACHA20_KEYSIZE + CHACHA20_SALT) + return (-1); + + /* initial counter is 1 */ + ctx->nonce[0] = 1; + memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE, + CHACHA20_SALT); + chacha_keysetup((chacha_ctx *)&ctx->block, key, CHACHA20_KEYSIZE * 8); + return (0); +} + +void +chacha20_reinit(caddr_t key, u_int8_t *iv) +{ + struct chacha20_ctx *ctx = (struct chacha20_ctx *)key; + + chacha_ivsetup((chacha_ctx *)ctx->block, iv, ctx->nonce); +} + +void +chacha20_crypt(caddr_t key, u_int8_t *data) +{ + struct chacha20_ctx *ctx = (struct chacha20_ctx *)key; + + chacha_encrypt_bytes((chacha_ctx *)ctx->block, data, data, + CHACHA20_BLOCK_LEN); +} + +void +Chacha20_Poly1305_Init(void *xctx) +{ + CHACHA20_POLY1305_CTX *ctx = xctx; + + memset(ctx, 0, sizeof(*ctx)); +} + +void +Chacha20_Poly1305_Setkey(void *xctx, const uint8_t *key, uint16_t klen) +{ + CHACHA20_POLY1305_CTX *ctx = xctx; + + /* salt is provided with the key material */ + memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE, + CHACHA20_SALT); + chacha_keysetup((chacha_ctx *)&ctx->chacha, key, CHACHA20_KEYSIZE * 8); +} + +void +Chacha20_Poly1305_Reinit(void *xctx, const uint8_t *iv, uint16_t ivlen) +{ + CHACHA20_POLY1305_CTX *ctx = xctx; + + /* initial counter is 0 */ + chacha_ivsetup((chacha_ctx *)&ctx->chacha, iv, ctx->nonce); + chacha_encrypt_bytes((chacha_ctx *)&ctx->chacha, ctx->key, ctx->key, + POLY1305_KEYLEN); + poly1305_init((poly1305_state *)&ctx->poly, ctx->key); +} + +int +Chacha20_Poly1305_Update(void *xctx, const uint8_t *data, uint16_t len) +{ + static const char zeroes[POLY1305_BLOCK_LEN]; + CHACHA20_POLY1305_CTX *ctx = xctx; + size_t rem; + + poly1305_update((poly1305_state *)&ctx->poly, data, len); + + /* number of bytes in the last 16 byte block */ + rem = (len + POLY1305_BLOCK_LEN) & (POLY1305_BLOCK_LEN - 1); + if (rem > 0) + poly1305_update((poly1305_state *)&ctx->poly, zeroes, + POLY1305_BLOCK_LEN - rem); + return (0); +} + +void +Chacha20_Poly1305_Final(uint8_t tag[POLY1305_TAGLEN], void *xctx) +{ + CHACHA20_POLY1305_CTX *ctx = xctx; + + poly1305_finish((poly1305_state *)&ctx->poly, tag); + explicit_bzero(ctx, sizeof(*ctx)); +} + +static const uint8_t pad0[16] = { 0 }; + +void +chacha20poly1305_encrypt( + uint8_t *dst, + const uint8_t *src, + const size_t src_len, + const uint8_t *ad, + const size_t ad_len, + const uint64_t nonce, + const uint8_t key[CHACHA20POLY1305_KEY_SIZE] +) { + poly1305_state poly1305_ctx; + chacha_ctx chacha_ctx; + union { + uint8_t b0[CHACHA20POLY1305_KEY_SIZE]; + uint64_t lens[2]; + } b = { { 0 } }; + uint64_t le_nonce = htole64(nonce); + + chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8); + chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL); + chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0)); + poly1305_init(&poly1305_ctx, b.b0); + + poly1305_update(&poly1305_ctx, ad, ad_len); + poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf); + + chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, src_len); + + poly1305_update(&poly1305_ctx, dst, src_len); + poly1305_update(&poly1305_ctx, pad0, (0x10 - src_len) & 0xf); + + b.lens[0] = htole64(ad_len); + b.lens[1] = htole64(src_len); + poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens)); + + poly1305_finish(&poly1305_ctx, dst + src_len); + + explicit_bzero(&chacha_ctx, sizeof(chacha_ctx)); + explicit_bzero(&b, sizeof(b)); +} + +int +chacha20poly1305_decrypt( + uint8_t *dst, + const uint8_t *src, + const size_t src_len, + const uint8_t *ad, + const size_t ad_len, + const uint64_t nonce, + const uint8_t key[CHACHA20POLY1305_KEY_SIZE] +) { + poly1305_state poly1305_ctx; + chacha_ctx chacha_ctx; + int ret; + size_t dst_len; + union { + uint8_t b0[CHACHA20POLY1305_KEY_SIZE]; + uint8_t mac[CHACHA20POLY1305_AUTHTAG_SIZE]; + uint64_t lens[2]; + } b = { { 0 } }; + uint64_t le_nonce = htole64(nonce); + + if (src_len < CHACHA20POLY1305_AUTHTAG_SIZE) + return 0; + + chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8); + chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL); + chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0)); + poly1305_init(&poly1305_ctx, b.b0); + + poly1305_update(&poly1305_ctx, ad, ad_len); + poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf); + + dst_len = src_len - CHACHA20POLY1305_AUTHTAG_SIZE; + poly1305_update(&poly1305_ctx, src, dst_len); + poly1305_update(&poly1305_ctx, pad0, (0x10 - dst_len) & 0xf); + + b.lens[0] = htole64(ad_len); + b.lens[1] = htole64(dst_len); + poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens)); + + poly1305_finish(&poly1305_ctx, b.mac); + + ret = timingsafe_bcmp(b.mac, src + dst_len, CHACHA20POLY1305_AUTHTAG_SIZE); + if (!ret) + chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, dst_len); + + explicit_bzero(&chacha_ctx, sizeof(chacha_ctx)); + explicit_bzero(&b, sizeof(b)); + + return !ret; +} + +void +xchacha20poly1305_encrypt( + uint8_t *dst, + const uint8_t *src, + const size_t src_len, + const uint8_t *ad, + const size_t ad_len, + const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE], + const uint8_t key[CHACHA20POLY1305_KEY_SIZE] +) { + int i; + uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)]; + uint64_t h_nonce; + + memcpy(&h_nonce, nonce + 16, sizeof(h_nonce)); + h_nonce = le64toh(h_nonce); + hchacha20(derived_key, nonce, key); + + for(i = 0; i < (sizeof(derived_key)/sizeof(derived_key[0])); i++) + (derived_key[i]) = htole32((derived_key[i])); + + chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, + h_nonce, (uint8_t *)derived_key); + explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE); +} + +int +xchacha20poly1305_decrypt( + uint8_t *dst, + const uint8_t *src, + const size_t src_len, + const uint8_t *ad, + const size_t ad_len, + const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE], + const uint8_t key[CHACHA20POLY1305_KEY_SIZE] +) { + int ret, i; + uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)]; + uint64_t h_nonce; + + memcpy(&h_nonce, nonce + 16, sizeof(h_nonce)); + h_nonce = le64toh(h_nonce); + hchacha20(derived_key, nonce, key); + for(i = 0; i < (sizeof(derived_key)/sizeof(derived_key[0])); i++) + (derived_key[i]) = htole32((derived_key[i])); + + ret = chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len, + h_nonce, (uint8_t *)derived_key); + explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE); + + return ret; +} diff --git a/crypto/cmac.c b/crypto/cmac.c new file mode 100644 index 0000000000..97ad3fc22c --- /dev/null +++ b/crypto/cmac.c @@ -0,0 +1,120 @@ +/* $OpenBSD: cmac.c,v 1.3 2017/05/02 17:07:06 mikeb Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the CMAC (Cipher-based Message Authentication) + * algorithm described in FIPS SP800-38B using the AES-128 cipher. + */ + +#include +#include + +#include +#include + +#define LSHIFT(v, r) do { \ + int i; \ + for (i = 0; i < 15; i++) \ + (r)[i] = (v)[i] << 1 | (v)[i + 1] >> 7; \ + (r)[15] = (v)[15] << 1; \ +} while (0) + +#define XOR(v, r) do { \ + int i; \ + for (i = 0; i < 16; i++) \ + (r)[i] ^= (v)[i]; \ +} while (0) + +void +AES_CMAC_Init(AES_CMAC_CTX *ctx) +{ + memset(ctx->X, 0, sizeof ctx->X); + ctx->M_n = 0; +} + +void +AES_CMAC_SetKey(AES_CMAC_CTX *ctx, const u_int8_t key[AES_CMAC_KEY_LENGTH]) +{ + AES_Setkey(&ctx->aesctx, key, 16); +} + +void +AES_CMAC_Update(AES_CMAC_CTX *ctx, const u_int8_t *data, u_int len) +{ + u_int mlen; + + if (ctx->M_n > 0) { + mlen = MIN(16 - ctx->M_n, len); + memcpy(ctx->M_last + ctx->M_n, data, mlen); + ctx->M_n += mlen; + if (ctx->M_n < 16 || len == mlen) + return; + XOR(ctx->M_last, ctx->X); + AES_Encrypt(&ctx->aesctx, ctx->X, ctx->X); + data += mlen; + len -= mlen; + } + while (len > 16) { /* not last block */ + XOR(data, ctx->X); + AES_Encrypt(&ctx->aesctx, ctx->X, ctx->X); + data += 16; + len -= 16; + } + /* potential last block, save it */ + memcpy(ctx->M_last, data, len); + ctx->M_n = len; +} + +void +AES_CMAC_Final(u_int8_t digest[AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *ctx) +{ + u_int8_t K[16]; + + /* generate subkey K1 */ + memset(K, 0, sizeof K); + AES_Encrypt(&ctx->aesctx, K, K); + + if (K[0] & 0x80) { + LSHIFT(K, K); + K[15] ^= 0x87; + } else + LSHIFT(K, K); + + if (ctx->M_n == 16) { + /* last block was a complete block */ + XOR(K, ctx->M_last); + } else { + /* generate subkey K2 */ + if (K[0] & 0x80) { + LSHIFT(K, K); + K[15] ^= 0x87; + } else + LSHIFT(K, K); + + /* padding(M_last) */ + ctx->M_last[ctx->M_n] = 0x80; + while (++ctx->M_n < 16) + ctx->M_last[ctx->M_n] = 0; + + XOR(K, ctx->M_last); + } + XOR(ctx->M_last, ctx->X); + AES_Encrypt(&ctx->aesctx, ctx->X, digest); + + explicit_bzero(K, sizeof K); +} diff --git a/crypto/crypto.c b/crypto/crypto.c index 1b01ab547c..f62752d278 100644 --- a/crypto/crypto.c +++ b/crypto/crypto.c @@ -1,74 +1,663 @@ -/**************************************************************************** - * crypto/crypto.c +/* $OpenBSD: crypto.c,v 1.65 2014/07/13 23:24:47 deraadt Exp $ */ +/* + * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. The - * ASF licenses this file to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the - * License. You may obtain a copy of the License at + * This code was written by Angelos D. Keromytis in Athens, Greece, in + * February 2000. Network Security Technologies Inc. (NSTI) kindly + * supported the development of this code. * - * http://www.apache.org/licenses/LICENSE-2.0 + * Copyright (c) 2000, 2001 Angelos D. Keromytis * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations - * under the License. + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all source code copies of any software which is or includes a copy or + * modification of this software. * - ****************************************************************************/ + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ -/**************************************************************************** - * Included Files - ****************************************************************************/ +#include +#include +#include +#include +#include -#include +#include -#include -#include -#include -#include -#include -#include +void crypto_init(void); -#include -#include +struct cryptocap *crypto_drivers = NULL; +int crypto_drivers_num = 0; -/**************************************************************************** - * Private Function Prototypes - ****************************************************************************/ +struct pool cryptop_pool; +struct pool cryptodesc_pool; -/**************************************************************************** - * Private Data - ****************************************************************************/ +struct taskq *crypto_taskq; -/**************************************************************************** - * Private Functions - ****************************************************************************/ - -/**************************************************************************** - * Public Functions - ****************************************************************************/ - -int up_cryptoinitialize(void) +/* + * Create a new session. + */ +int +crypto_newsession(u_int64_t *sid, struct cryptoini *cri, int hard) { -#ifdef CONFIG_CRYPTO_ALGTEST - int ret; + u_int32_t hid, lid, hid2 = -1; + struct cryptocap *cpc; + struct cryptoini *cr; + int err, s, turn = 0; -#ifdef CONFIG_CRYPTO_ALGTEST - ret = crypto_test(); - if (ret) - { - crypterr("ERROR: crypto test failed\n"); - } - else - { - cryptinfo("crypto test OK\n"); - } -#endif + if (crypto_drivers == NULL) + return EINVAL; - return ret; -#else - return OK; -#endif + s = splvm(); + + /* + * The algorithm we use here is pretty stupid; just use the + * first driver that supports all the algorithms we need. Do + * a double-pass over all the drivers, ignoring software ones + * at first, to deal with cases of drivers that register after + * the software one(s) --- e.g., PCMCIA crypto cards. + * + * XXX We need more smarts here (in real life too, but that's + * XXX another story altogether). + */ + do { + for (hid = 0; hid < crypto_drivers_num; hid++) { + cpc = &crypto_drivers[hid]; + + /* + * If it's not initialized or has remaining sessions + * referencing it, skip. + */ + if (cpc->cc_newsession == NULL || + (cpc->cc_flags & CRYPTOCAP_F_CLEANUP)) + continue; + + if (cpc->cc_flags & CRYPTOCAP_F_SOFTWARE) { + /* + * First round of search, ignore + * software drivers. + */ + if (turn == 0) + continue; + } else { /* !CRYPTOCAP_F_SOFTWARE */ + /* Second round of search, only software. */ + if (turn == 1) + continue; + } + + /* See if all the algorithms are supported. */ + for (cr = cri; cr; cr = cr->cri_next) { + if (cpc->cc_alg[cr->cri_alg] == 0) + break; + } + + /* + * If even one algorithm is not supported, + * keep searching. + */ + if (cr != NULL) + continue; + + /* + * If we had a previous match, see how it compares + * to this one. Keep "remembering" whichever is + * the best of the two. + */ + if (hid2 != -1) { + /* + * Compare session numbers, pick the one + * with the lowest. + * XXX Need better metrics, this will + * XXX just do un-weighted round-robin. + */ + if (crypto_drivers[hid].cc_sessions <= + crypto_drivers[hid2].cc_sessions) + hid2 = hid; + } else { + /* + * Remember this one, for future + * comparisons. + */ + hid2 = hid; + } + } + + /* + * If we found something worth remembering, leave. The + * side-effect is that we will always prefer a hardware + * driver over the software one. + */ + if (hid2 != -1) + break; + + turn++; + + /* If we only want hardware drivers, don't do second pass. */ + } while (turn <= 2 && hard == 0); + + hid = hid2; + + /* + * Can't do everything in one session. + * + * XXX Fix this. We need to inject a "virtual" session + * XXX layer right about here. + */ + + if (hid == -1) { + splx(s); + return EINVAL; + } + + /* Call the driver initialization routine. */ + lid = hid; /* Pass the driver ID. */ + err = crypto_drivers[hid].cc_newsession(&lid, cri); + if (err == 0) { + (*sid) = hid; + (*sid) <<= 32; + (*sid) |= (lid & 0xffffffff); + crypto_drivers[hid].cc_sessions++; + } + + splx(s); + return err; +} + +/* + * Delete an existing session (or a reserved session on an unregistered + * driver). + */ +int +crypto_freesession(u_int64_t sid) +{ + int err = 0, s; + u_int32_t hid; + + if (crypto_drivers == NULL) + return EINVAL; + + /* Determine two IDs. */ + hid = (sid >> 32) & 0xffffffff; + + if (hid >= crypto_drivers_num) + return ENOENT; + + s = splvm(); + + if (crypto_drivers[hid].cc_sessions) + crypto_drivers[hid].cc_sessions--; + + /* Call the driver cleanup routine, if available. */ + if (crypto_drivers[hid].cc_freesession) + err = crypto_drivers[hid].cc_freesession(sid); + + /* + * If this was the last session of a driver marked as invalid, + * make the entry available for reuse. + */ + if ((crypto_drivers[hid].cc_flags & CRYPTOCAP_F_CLEANUP) && + crypto_drivers[hid].cc_sessions == 0) + explicit_bzero(&crypto_drivers[hid], sizeof(struct cryptocap)); + + splx(s); + return err; +} + +/* + * Find an empty slot. + */ +int32_t +crypto_get_driverid(u_int8_t flags) +{ + struct cryptocap *newdrv; + int i, s; + + s = splvm(); + + if (crypto_drivers_num == 0) { + crypto_drivers_num = CRYPTO_DRIVERS_INITIAL; + crypto_drivers = mallocarray(crypto_drivers_num, + sizeof(struct cryptocap), M_CRYPTO_DATA, M_NOWAIT); + if (crypto_drivers == NULL) { + crypto_drivers_num = 0; + splx(s); + return -1; + } + + bzero(crypto_drivers, crypto_drivers_num * + sizeof(struct cryptocap)); + } + + for (i = 0; i < crypto_drivers_num; i++) { + if (crypto_drivers[i].cc_process == NULL && + !(crypto_drivers[i].cc_flags & CRYPTOCAP_F_CLEANUP) && + crypto_drivers[i].cc_sessions == 0) { + crypto_drivers[i].cc_sessions = 1; /* Mark */ + crypto_drivers[i].cc_flags = flags; + splx(s); + return i; + } + } + + /* Out of entries, allocate some more. */ + if (i == crypto_drivers_num) { + if (crypto_drivers_num >= CRYPTO_DRIVERS_MAX) { + splx(s); + return -1; + } + + newdrv = mallocarray(crypto_drivers_num, + 2 * sizeof(struct cryptocap), M_CRYPTO_DATA, M_NOWAIT); + if (newdrv == NULL) { + splx(s); + return -1; + } + + bcopy(crypto_drivers, newdrv, + crypto_drivers_num * sizeof(struct cryptocap)); + bzero(&newdrv[crypto_drivers_num], + crypto_drivers_num * sizeof(struct cryptocap)); + + newdrv[i].cc_sessions = 1; /* Mark */ + newdrv[i].cc_flags = flags; + crypto_drivers_num *= 2; + + free(crypto_drivers, M_CRYPTO_DATA, 0); + crypto_drivers = newdrv; + splx(s); + return i; + } + + /* Shouldn't really get here... */ + splx(s); + return -1; +} + +/* + * Register a crypto driver. It should be called once for each algorithm + * supported by the driver. + */ +int +crypto_kregister(u_int32_t driverid, int *kalg, + int (*kprocess)(struct cryptkop *)) +{ + int s, i; + + if (driverid >= crypto_drivers_num || kalg == NULL || + crypto_drivers == NULL) + return EINVAL; + + s = splvm(); + + for (i = 0; i <= CRK_ALGORITHM_MAX; i++) { + /* + * XXX Do some performance testing to determine + * placing. We probably need an auxiliary data + * structure that describes relative performances. + */ + + crypto_drivers[driverid].cc_kalg[i] = kalg[i]; + } + + crypto_drivers[driverid].cc_kprocess = kprocess; + + splx(s); + return 0; +} + +/* Register a crypto driver. */ +int +crypto_register(u_int32_t driverid, int *alg, + int (*newses)(u_int32_t *, struct cryptoini *), + int (*freeses)(u_int64_t), int (*process)(struct cryptop *)) +{ + int s, i; + + + if (driverid >= crypto_drivers_num || alg == NULL || + crypto_drivers == NULL) + return EINVAL; + + s = splvm(); + + for (i = 0; i <= CRYPTO_ALGORITHM_MAX; i++) { + /* + * XXX Do some performance testing to determine + * placing. We probably need an auxiliary data + * structure that describes relative performances. + */ + + crypto_drivers[driverid].cc_alg[i] = alg[i]; + } + + + crypto_drivers[driverid].cc_newsession = newses; + crypto_drivers[driverid].cc_process = process; + crypto_drivers[driverid].cc_freesession = freeses; + crypto_drivers[driverid].cc_sessions = 0; /* Unmark */ + + splx(s); + + return 0; +} + +/* + * Unregister a crypto driver. If there are pending sessions using it, + * leave enough information around so that subsequent calls using those + * sessions will correctly detect the driver being unregistered and reroute + * the request. + */ +int +crypto_unregister(u_int32_t driverid, int alg) +{ + int i = CRYPTO_ALGORITHM_MAX + 1, s; + u_int32_t ses; + + s = splvm(); + + /* Sanity checks. */ + if (driverid >= crypto_drivers_num || crypto_drivers == NULL || + ((alg <= 0 || alg > CRYPTO_ALGORITHM_MAX) && + alg != CRYPTO_ALGORITHM_MAX + 1) || + crypto_drivers[driverid].cc_alg[alg] == 0) { + splx(s); + return EINVAL; + } + + if (alg != CRYPTO_ALGORITHM_MAX + 1) { + crypto_drivers[driverid].cc_alg[alg] = 0; + + /* Was this the last algorithm ? */ + for (i = 1; i <= CRYPTO_ALGORITHM_MAX; i++) + if (crypto_drivers[driverid].cc_alg[i] != 0) + break; + } + + /* + * If a driver unregistered its last algorithm or all of them + * (alg == CRYPTO_ALGORITHM_MAX + 1), cleanup its entry. + */ + if (i == CRYPTO_ALGORITHM_MAX + 1 || alg == CRYPTO_ALGORITHM_MAX + 1) { + ses = crypto_drivers[driverid].cc_sessions; + bzero(&crypto_drivers[driverid], sizeof(struct cryptocap)); + if (ses != 0) { + /* + * If there are pending sessions, just mark as invalid. + */ + crypto_drivers[driverid].cc_flags |= CRYPTOCAP_F_CLEANUP; + crypto_drivers[driverid].cc_sessions = ses; + } + } + splx(s); + return 0; +} + +/* + * Add crypto request to a queue, to be processed by a kernel thread. + */ +int +crypto_dispatch(struct cryptop *crp) +{ + if (crypto_taskq && !(crp->crp_flags & CRYPTO_F_NOQUEUE)) { + task_set(&crp->crp_task, (void (*))crypto_invoke, crp, NULL); + task_add(crypto_taskq, &crp->crp_task); + } else { + crypto_invoke(crp); + } + + return 0; +} + +int +crypto_kdispatch(struct cryptkop *krp) +{ + if (crypto_taskq) { + task_set(&krp->krp_task, (void (*))crypto_kinvoke, krp, NULL); + task_add(crypto_taskq, &krp->krp_task); + } else { + crypto_kinvoke(krp); + } + + return 0; +} + +/* + * Dispatch an asymmetric crypto request to the appropriate crypto devices. + */ +int +crypto_kinvoke(struct cryptkop *krp) +{ + extern int cryptodevallowsoft; + u_int32_t hid; + int error; + int s; + + /* Sanity checks. */ + if (krp == NULL || krp->krp_callback == NULL) + return (EINVAL); + + s = splvm(); + for (hid = 0; hid < crypto_drivers_num; hid++) { + if ((crypto_drivers[hid].cc_flags & CRYPTOCAP_F_SOFTWARE) && + cryptodevallowsoft == 0) + continue; + if (crypto_drivers[hid].cc_kprocess == NULL) + continue; + if ((crypto_drivers[hid].cc_kalg[krp->krp_op] & + CRYPTO_ALG_FLAG_SUPPORTED) == 0) + continue; + break; + } + + if (hid == crypto_drivers_num) { + krp->krp_status = ENODEV; + crypto_kdone(krp); + splx(s); + return (0); + } + + krp->krp_hid = hid; + + crypto_drivers[hid].cc_koperations++; + + error = crypto_drivers[hid].cc_kprocess(krp); + if (error) { + krp->krp_status = error; + crypto_kdone(krp); + } + splx(s); + return (0); +} + +/* + * Dispatch a crypto request to the appropriate crypto devices. + */ +int +crypto_invoke(struct cryptop *crp) +{ + struct cryptodesc *crd; + u_int64_t nid; + u_int32_t hid; + int error; + int s; + + /* Sanity checks. */ + if (crp == NULL || crp->crp_callback == NULL) + return EINVAL; + + s = splvm(); + if (crp->crp_desc == NULL || crypto_drivers == NULL) { + crp->crp_etype = EINVAL; + crypto_done(crp); + splx(s); + return 0; + } + + hid = (crp->crp_sid >> 32) & 0xffffffff; + if (hid >= crypto_drivers_num) + goto migrate; + + if (crypto_drivers[hid].cc_flags & CRYPTOCAP_F_CLEANUP) { + crypto_freesession(crp->crp_sid); + goto migrate; + } + + if (crypto_drivers[hid].cc_process == NULL) + goto migrate; + + crypto_drivers[hid].cc_operations++; + crypto_drivers[hid].cc_bytes += crp->crp_ilen; + + error = crypto_drivers[hid].cc_process(crp); + if (error) { + if (error == ERESTART) { + /* Unregister driver and migrate session. */ + crypto_unregister(hid, CRYPTO_ALGORITHM_MAX + 1); + goto migrate; + } else { + crp->crp_etype = error; + } + } + + splx(s); + return 0; + + migrate: + /* Migrate session. */ + for (crd = crp->crp_desc; crd->crd_next; crd = crd->crd_next) + crd->CRD_INI.cri_next = &(crd->crd_next->CRD_INI); + + if (crypto_newsession(&nid, &(crp->crp_desc->CRD_INI), 0) == 0) + crp->crp_sid = nid; + + crp->crp_etype = EAGAIN; + crypto_done(crp); + splx(s); + return 0; +} + +/* + * Release a set of crypto descriptors. + */ +void +crypto_freereq(struct cryptop *crp) +{ + struct cryptodesc *crd; + int s; + + if (crp == NULL) + return; + + s = splvm(); + + while ((crd = crp->crp_desc) != NULL) { + crp->crp_desc = crd->crd_next; + pool_put(&cryptodesc_pool, crd); + } + + pool_put(&cryptop_pool, crp); + splx(s); +} + +/* + * Acquire a set of crypto descriptors. + */ +struct cryptop * +crypto_getreq(int num) +{ + struct cryptodesc *crd; + struct cryptop *crp; + int s; + + s = splvm(); + + crp = pool_get(&cryptop_pool, PR_NOWAIT); + if (crp == NULL) { + splx(s); + return NULL; + } + bzero(crp, sizeof(struct cryptop)); + + while (num--) { + crd = pool_get(&cryptodesc_pool, PR_NOWAIT); + if (crd == NULL) { + splx(s); + crypto_freereq(crp); + return NULL; + } + + bzero(crd, sizeof(struct cryptodesc)); + crd->crd_next = crp->crp_desc; + crp->crp_desc = crd; + } + + splx(s); + return crp; +} + +void +crypto_init(void) +{ + crypto_taskq = taskq_create("crypto", 1, IPL_HIGH); + + pool_init(&cryptop_pool, sizeof(struct cryptop), 0, 0, + 0, "cryptop", NULL); + pool_init(&cryptodesc_pool, sizeof(struct cryptodesc), 0, 0, + 0, "cryptodesc", NULL); +} + +/* + * Invoke the callback on behalf of the driver. + */ +void +crypto_done(struct cryptop *crp) +{ + crp->crp_flags |= CRYPTO_F_DONE; + if (crp->crp_flags & CRYPTO_F_NOQUEUE) { + /* not from the crypto queue, wakeup the userland process */ + crp->crp_callback(crp); + } else { + task_set(&crp->crp_task, (void (*))crp->crp_callback, + crp, NULL); + task_add(crypto_taskq, &crp->crp_task); + } +} + +/* + * Invoke the callback on behalf of the driver. + */ +void +crypto_kdone(struct cryptkop *krp) +{ + task_set(&krp->krp_task, (void (*))krp->krp_callback, krp, NULL); + task_add(crypto_taskq, &krp->krp_task); +} + +int +crypto_getfeat(int *featp) +{ + extern int cryptodevallowsoft, userasymcrypto; + int hid, kalg, feat = 0; + + if (userasymcrypto == 0) + goto out; + for (hid = 0; hid < crypto_drivers_num; hid++) { + if ((crypto_drivers[hid].cc_flags & CRYPTOCAP_F_SOFTWARE) && + cryptodevallowsoft == 0) { + continue; + } + if (crypto_drivers[hid].cc_kprocess == NULL) + continue; + for (kalg = 0; kalg <= CRK_ALGORITHM_MAX; kalg++) + if ((crypto_drivers[hid].cc_kalg[kalg] & + CRYPTO_ALG_FLAG_SUPPORTED) != 0) + feat |= 1 << kalg; + } +out: + *featp = feat; + return (0); } diff --git a/crypto/cryptodev.c b/crypto/cryptodev.c index c6e5c6bae5..b704aac212 100644 --- a/crypto/cryptodev.c +++ b/crypto/cryptodev.c @@ -1,169 +1,760 @@ -/**************************************************************************** - * crypto/cryptodev.c +/* $OpenBSD: cryptodev.c,v 1.82 2014/08/18 05:11:03 dlg Exp $ */ + +/* + * Copyright (c) 2001 Theo de Raadt * - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. The - * ASF licenses this file to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the - * License. You may obtain a copy of the License at + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * http://www.apache.org/licenses/LICENSE-2.0 + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations - * under the License. + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - ****************************************************************************/ + * Effort sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F30602-01-2-0537. + * + */ -/**************************************************************************** - * Included Files - ****************************************************************************/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include -#include +extern struct cryptocap *crypto_drivers; +extern int crypto_drivers_num; -#include -#include -#include -#include -#include +struct csession { + TAILQ_ENTRY(csession) next; + u_int64_t sid; + u_int32_t ses; -#include -#include + u_int32_t cipher; + struct enc_xform *txform; + u_int32_t mac; + struct auth_hash *thash; -#include -#include + caddr_t key; + int keylen; + u_char tmp_iv[EALG_MAX_BLOCK_LEN]; -/**************************************************************************** - * Pre-processor Definitions - ****************************************************************************/ + caddr_t mackey; + int mackeylen; + u_char tmp_mac[CRYPTO_MAX_MAC_LEN]; -#ifdef CONFIG_CRYPTO_AES -# define AES_CYPHER(mode) \ - aes_cypher(op->dst, op->src, op->len, op->iv, ses->key, ses->keylen, \ - mode, encrypt) -#endif - -/**************************************************************************** - * Private Function Prototypes - ****************************************************************************/ - -/* Character driver methods */ - -static ssize_t cryptodev_read(FAR struct file *filep, - FAR char *buffer, - size_t len); -static ssize_t cryptodev_write(FAR struct file *filep, - FAR const char *buffer, - size_t len); -static int cryptodev_ioctl(FAR struct file *filep, - int cmd, - unsigned long arg); - -/**************************************************************************** - * Private Data - ****************************************************************************/ - -static const struct file_operations g_cryptodevops = -{ - NULL, /* open */ - NULL, /* close */ - cryptodev_read, /* read */ - cryptodev_write, /* write */ - NULL, /* seek */ - cryptodev_ioctl, /* ioctl */ - NULL /* poll */ -#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS - , NULL /* unlink */ -#endif + struct iovec iovec[IOV_MAX]; + struct uio uio; + int error; }; -/**************************************************************************** - * Private Functions - ****************************************************************************/ +struct fcrypt { + TAILQ_HEAD(csessionlist, csession) csessions; + int sesn; +}; -static ssize_t cryptodev_read(FAR struct file *filep, - FAR char *buffer, - size_t len) +void cryptoattach(int); + +int cryptof_read(struct file *, off_t *, struct uio *, struct ucred *); +int cryptof_write(struct file *, off_t *, struct uio *, struct ucred *); +int cryptof_ioctl(struct file *, u_long, caddr_t, struct proc *p); +int cryptof_poll(struct file *, int, struct proc *); +int cryptof_kqfilter(struct file *, struct knote *); +int cryptof_stat(struct file *, struct stat *, struct proc *); +int cryptof_close(struct file *, struct proc *); + +static struct fileops cryptofops = { + cryptof_read, + cryptof_write, + cryptof_ioctl, + cryptof_poll, + cryptof_kqfilter, + cryptof_stat, + cryptof_close +}; + +struct csession *csefind(struct fcrypt *, u_int); +int csedelete(struct fcrypt *, struct csession *); +struct csession *cseadd(struct fcrypt *, struct csession *); +struct csession *csecreate(struct fcrypt *, u_int64_t, caddr_t, u_int64_t, + caddr_t, u_int64_t, u_int32_t, u_int32_t, struct enc_xform *, + struct auth_hash *); +int csefree(struct csession *); + +int cryptodev_op(struct csession *, struct crypt_op *, struct proc *); +int cryptodev_key(struct crypt_kop *); +int cryptodev_dokey(struct crypt_kop *kop, struct crparam kvp[]); + +int cryptodev_cb(struct cryptop *); +int cryptodevkey_cb(struct cryptkop *); + +int usercrypto = 0; /* userland may do crypto requests */ +int userasymcrypto = 0; /* userland may do asymmetric crypto reqs */ +int cryptodevallowsoft = 0; /* only use hardware crypto */ + +/* ARGSUSED */ +int +cryptof_read(struct file *fp, off_t *poff, struct uio *uio, struct ucred *cred) { - return -EACCES; + return (EIO); } -static ssize_t cryptodev_write(FAR struct file *filep, - FAR const char *buffer, - size_t len) +/* ARGSUSED */ +int +cryptof_write(struct file *fp, off_t *poff, struct uio *uio, struct ucred *cred) { - return -EACCES; + return (EIO); } -static int cryptodev_ioctl(FAR struct file *filep, - int cmd, - unsigned long arg) +/* ARGSUSED */ +int +cryptof_ioctl(struct file *fp, u_long cmd, caddr_t data, struct proc *p) { - switch (cmd) - { - case CIOCGSESSION: - { - FAR struct session_op *ses = (FAR struct session_op *)arg; - ses->ses = (uint32_t)ses; - return OK; - } + struct cryptoini cria, crie; + struct fcrypt *fcr = fp->f_data; + struct csession *cse; + struct session_op *sop; + struct crypt_op *cop; + struct enc_xform *txform = NULL; + struct auth_hash *thash = NULL; + u_int64_t sid; + u_int32_t ses; + int error = 0; - case CIOCFSESSION: - { - return OK; - } + switch (cmd) { + case CIOCGSESSION: + sop = (struct session_op *)data; + switch (sop->cipher) { + case 0: + break; + case CRYPTO_DES_CBC: + txform = &enc_xform_des; + break; + case CRYPTO_3DES_CBC: + txform = &enc_xform_3des; + break; + case CRYPTO_BLF_CBC: + txform = &enc_xform_blf; + break; + case CRYPTO_CAST_CBC: + txform = &enc_xform_cast5; + break; + case CRYPTO_AES_CBC: + txform = &enc_xform_rijndael128; + break; + case CRYPTO_AES_CTR: + txform = &enc_xform_aes_ctr; + break; + case CRYPTO_AES_XTS: + txform = &enc_xform_aes_xts; + break; + case CRYPTO_ARC4: + txform = &enc_xform_arc4; + break; + case CRYPTO_NULL: + txform = &enc_xform_null; + break; + default: + return (EINVAL); + } -#ifdef CONFIG_CRYPTO_AES - case CIOCCRYPT: - { - FAR struct crypt_op *op = (FAR struct crypt_op *)arg; - FAR struct session_op *ses = (FAR struct session_op *)op->ses; - int encrypt; - - switch (op->op) - { - case COP_ENCRYPT: - encrypt = 1; - break; - - case COP_DECRYPT: - encrypt = 0; - break; - - default: - return -EINVAL; - } - - switch (ses->cipher) - { - case CRYPTO_AES_ECB: - return AES_CYPHER(AES_MODE_ECB); - - case CRYPTO_AES_CBC: - return AES_CYPHER(AES_MODE_CBC); - - case CRYPTO_AES_CTR: - return AES_CYPHER(AES_MODE_CTR); - - default: - return -EINVAL; - } - } + switch (sop->mac) { + case 0: + break; +#if 0 + case CRYPTO_MD5_HMAC: + thash = &auth_hash_hmac_md5_96; + break; + case CRYPTO_SHA1_HMAC: + thash = &auth_hash_hmac_sha1_96; + break; + case CRYPTO_RIPEMD160_HMAC: + thash = &auth_hash_hmac_ripemd_160_96; + break; + case CRYPTO_MD5: + thash = &auth_hash_md5; + break; + case CRYPTO_SHA1: + thash = &auth_hash_sha1; + break; #endif + default: + return (EINVAL); + } - default: - return -ENOTTY; - } + bzero(&crie, sizeof(crie)); + bzero(&cria, sizeof(cria)); + + if (txform) { + crie.cri_alg = txform->type; + crie.cri_klen = sop->keylen * 8; + if (sop->keylen > txform->maxkey || + sop->keylen < txform->minkey) { + error = EINVAL; + goto bail; + } + + crie.cri_key = malloc(crie.cri_klen / 8, M_XDATA, + M_WAITOK); + if ((error = copyin(sop->key, crie.cri_key, + crie.cri_klen / 8))) + goto bail; + if (thash) + crie.cri_next = &cria; + } + + if (thash) { + cria.cri_alg = thash->type; + cria.cri_klen = sop->mackeylen * 8; + if (sop->mackeylen != thash->keysize) { + error = EINVAL; + goto bail; + } + + if (cria.cri_klen) { + cria.cri_key = malloc(cria.cri_klen / 8, + M_XDATA, M_WAITOK); + if ((error = copyin(sop->mackey, cria.cri_key, + cria.cri_klen / 8))) + goto bail; + } + } + + error = crypto_newsession(&sid, (txform ? &crie : &cria), + !cryptodevallowsoft); + + if (error) + goto bail; + + cse = csecreate(fcr, sid, crie.cri_key, crie.cri_klen, + cria.cri_key, cria.cri_klen, sop->cipher, sop->mac, txform, + thash); + + if (cse == NULL) { + crypto_freesession(sid); + error = EINVAL; + goto bail; + } + sop->ses = cse->ses; + +bail: + if (error) { + if (crie.cri_key) { + explicit_bzero(crie.cri_key, crie.cri_klen / 8); + free(crie.cri_key, M_XDATA, 0); + } + if (cria.cri_key) { + explicit_bzero(cria.cri_key, cria.cri_klen / 8); + free(cria.cri_key, M_XDATA, 0); + } + } + break; + case CIOCFSESSION: + ses = *(u_int32_t *)data; + cse = csefind(fcr, ses); + if (cse == NULL) + return (EINVAL); + csedelete(fcr, cse); + error = csefree(cse); + break; + case CIOCCRYPT: + cop = (struct crypt_op *)data; + cse = csefind(fcr, cop->ses); + if (cse == NULL) + return (EINVAL); + error = cryptodev_op(cse, cop, p); + break; + case CIOCKEY: + error = cryptodev_key((struct crypt_kop *)data); + break; + case CIOCASYMFEAT: + error = crypto_getfeat((int *)data); + break; + default: + error = EINVAL; + } + return (error); } -/**************************************************************************** - * Public Functions - ****************************************************************************/ - -void devcrypto_register(void) +int +cryptodev_op(struct csession *cse, struct crypt_op *cop, struct proc *p) { - register_driver("/dev/crypto", &g_cryptodevops, 0666, NULL); + struct cryptop *crp = NULL; + struct cryptodesc *crde = NULL, *crda = NULL; + int s, error; + u_int32_t hid; + + if (cop->len > 64*1024-4) + return (E2BIG); + + if (cse->txform) { + if (cop->len == 0 || (cop->len % cse->txform->blocksize) != 0) + return (EINVAL); + } + + bzero(&cse->uio, sizeof(cse->uio)); + cse->uio.uio_iovcnt = 1; + cse->uio.uio_segflg = UIO_SYSSPACE; + cse->uio.uio_rw = UIO_WRITE; + cse->uio.uio_procp = p; + cse->uio.uio_iov = cse->iovec; + bzero(&cse->iovec, sizeof(cse->iovec)); + cse->uio.uio_iov[0].iov_len = cop->len; + cse->uio.uio_iov[0].iov_base = dma_alloc(cop->len, M_WAITOK); + cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len; + + /* number of requests, not logical and */ + crp = crypto_getreq((cse->txform != NULL) + (cse->thash != NULL)); + if (crp == NULL) { + error = ENOMEM; + goto bail; + } + + if (cse->thash) { + crda = crp->crp_desc; + if (cse->txform) + crde = crda->crd_next; + } else { + if (cse->txform) + crde = crp->crp_desc; + else { + error = EINVAL; + goto bail; + } + } + + if ((error = copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len))) + goto bail; + + if (crda) { + crda->crd_skip = 0; + crda->crd_len = cop->len; + crda->crd_inject = 0; /* ??? */ + + crda->crd_alg = cse->mac; + crda->crd_key = cse->mackey; + crda->crd_klen = cse->mackeylen * 8; + } + + if (crde) { + if (cop->op == COP_ENCRYPT) + crde->crd_flags |= CRD_F_ENCRYPT; + else + crde->crd_flags &= ~CRD_F_ENCRYPT; + crde->crd_len = cop->len; + crde->crd_inject = 0; + + crde->crd_alg = cse->cipher; + crde->crd_key = cse->key; + crde->crd_klen = cse->keylen * 8; + } + + crp->crp_ilen = cop->len; + crp->crp_buf = (caddr_t)&cse->uio; + crp->crp_callback = cryptodev_cb; + crp->crp_sid = cse->sid; + crp->crp_opaque = cse; + + if (cop->iv) { + if (crde == NULL) { + error = EINVAL; + goto bail; + } + if (cse->cipher == CRYPTO_ARC4) { /* XXX use flag? */ + error = EINVAL; + goto bail; + } + if ((error = copyin(cop->iv, cse->tmp_iv, cse->txform->blocksize))) + goto bail; + bcopy(cse->tmp_iv, crde->crd_iv, cse->txform->blocksize); + crde->crd_flags |= CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; + crde->crd_skip = 0; + } else if (cse->cipher == CRYPTO_ARC4) { /* XXX use flag? */ + crde->crd_skip = 0; + } else if (crde) { + crde->crd_flags |= CRD_F_IV_PRESENT; + crde->crd_skip = cse->txform->blocksize; + crde->crd_len -= cse->txform->blocksize; + } + + if (cop->mac) { + if (crda == NULL) { + error = EINVAL; + goto bail; + } + crp->crp_mac = cse->tmp_mac; + } + + /* try the fast path first */ + crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_NOQUEUE; + hid = (crp->crp_sid >> 32) & 0xffffffff; + if (hid >= crypto_drivers_num) + goto dispatch; + if (crypto_drivers[hid].cc_flags & CRYPTOCAP_F_SOFTWARE) + goto dispatch; + if (crypto_drivers[hid].cc_process == NULL) + goto dispatch; + error = crypto_drivers[hid].cc_process(crp); + if (error) { + /* clear error */ + crp->crp_etype = 0; + goto dispatch; + } + goto processed; + dispatch: + crp->crp_flags = CRYPTO_F_IOV; + crypto_dispatch(crp); + processed: + s = splnet(); + while (!(crp->crp_flags & CRYPTO_F_DONE)) { + error = tsleep(cse, PSOCK, "crydev", 0); + } + splx(s); + if (error) { + /* XXX can this happen? if so, how do we recover? */ + goto bail; + } + + if (cse->error) { + error = cse->error; + goto bail; + } + if (crp->crp_etype != 0) { + error = crp->crp_etype; + goto bail; + } + + + if (cop->dst && + (error = copyout(cse->uio.uio_iov[0].iov_base, cop->dst, cop->len))) + goto bail; + + if (cop->mac && + (error = copyout(crp->crp_mac, cop->mac, cse->thash->authsize))) + goto bail; + +bail: + if (crp) + crypto_freereq(crp); + if (cse->uio.uio_iov[0].iov_base) + dma_free(cse->uio.uio_iov[0].iov_base, cop->len); + + return (error); +} + +int +cryptodev_cb(struct cryptop *crp) +{ + struct csession *cse = crp->crp_opaque; + + cse->error = crp->crp_etype; + if (crp->crp_etype == EAGAIN) { + crp->crp_flags = CRYPTO_F_IOV; + return crypto_dispatch(crp); + } + wakeup(cse); + return (0); +} + +int +cryptodevkey_cb(struct cryptkop *krp) +{ + + wakeup(krp); + return (0); +} + +int +cryptodev_key(struct crypt_kop *kop) +{ + struct cryptkop *krp = NULL; + int error = EINVAL; + int in, out, size, i; + + if (kop->crk_iparams + kop->crk_oparams > CRK_MAXPARAM) { + return (EFBIG); + } + + in = kop->crk_iparams; + out = kop->crk_oparams; + switch (kop->crk_op) { + case CRK_MOD_EXP: + if (in == 3 && out == 1) + break; + return (EINVAL); + case CRK_MOD_EXP_CRT: + if (in == 6 && out == 1) + break; + return (EINVAL); + case CRK_DSA_SIGN: + if (in == 5 && out == 2) + break; + return (EINVAL); + case CRK_DSA_VERIFY: + if (in == 7 && out == 0) + break; + return (EINVAL); + case CRK_DH_COMPUTE_KEY: + if (in == 3 && out == 1) + break; + return (EINVAL); + default: + return (EINVAL); + } + + krp = malloc(sizeof *krp, M_XDATA, M_WAITOK | M_ZERO); + krp->krp_op = kop->crk_op; + krp->krp_status = kop->crk_status; + krp->krp_iparams = kop->crk_iparams; + krp->krp_oparams = kop->crk_oparams; + krp->krp_status = 0; + krp->krp_callback = cryptodevkey_cb; + + for (i = 0; i < CRK_MAXPARAM; i++) { + krp->krp_param[i].crp_nbits = kop->crk_param[i].crp_nbits; + if (kop->crk_param[i].crp_nbits > 65536) { + /* XXX how big do we need to support? */ + goto fail; + } + } + for (i = 0; i < krp->krp_iparams + krp->krp_oparams; i++) { + size = (krp->krp_param[i].crp_nbits + 7) / 8; + if (size == 0) + continue; + krp->krp_param[i].crp_p = malloc(size, M_XDATA, M_WAITOK); + if (i >= krp->krp_iparams) + continue; + error = copyin(kop->crk_param[i].crp_p, krp->krp_param[i].crp_p, size); + if (error) + goto fail; + } + + error = crypto_kdispatch(krp); + if (error) + goto fail; + error = tsleep(krp, PSOCK, "crydev", 0); + if (error) { + /* XXX can this happen? if so, how do we recover? */ + goto fail; + } + + if (krp->krp_status != 0) { + error = krp->krp_status; + goto fail; + } + + for (i = krp->krp_iparams; i < krp->krp_iparams + krp->krp_oparams; i++) { + size = (krp->krp_param[i].crp_nbits + 7) / 8; + if (size == 0) + continue; + error = copyout(krp->krp_param[i].crp_p, kop->crk_param[i].crp_p, size); + if (error) + goto fail; + } + +fail: + if (krp) { + kop->crk_status = krp->krp_status; + for (i = 0; i < CRK_MAXPARAM; i++) { + if (krp->krp_param[i].crp_p) { + explicit_bzero(krp->krp_param[i].crp_p, + (krp->krp_param[i].crp_nbits + 7) / 8); + free(krp->krp_param[i].crp_p, M_XDATA, 0); + } + } + free(krp, M_XDATA, 0); + } + return (error); +} + +/* ARGSUSED */ +int +cryptof_poll(struct file *fp, int events, struct proc *p) +{ + return (0); +} + +/* ARGSUSED */ +int +cryptof_kqfilter(struct file *fp, struct knote *kn) +{ + return (0); +} + +/* ARGSUSED */ +int +cryptof_stat(struct file *fp, struct stat *sb, struct proc *p) +{ + return (EOPNOTSUPP); +} + +/* ARGSUSED */ +int +cryptof_close(struct file *fp, struct proc *p) +{ + struct fcrypt *fcr = fp->f_data; + struct csession *cse; + + while ((cse = TAILQ_FIRST(&fcr->csessions))) { + TAILQ_REMOVE(&fcr->csessions, cse, next); + (void)csefree(cse); + } + free(fcr, M_XDATA, 0); + fp->f_data = NULL; + return 0; +} + +void +cryptoattach(int n) +{ +} + +int +cryptoopen(dev_t dev, int flag, int mode, struct proc *p) +{ + if (usercrypto == 0) + return (ENXIO); +#ifdef CRYPTO + return (0); +#else + return (ENXIO); +#endif +} + +int +cryptoclose(dev_t dev, int flag, int mode, struct proc *p) +{ + return (0); +} + +int +cryptoioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p) +{ + struct file *f; + struct fcrypt *fcr; + int fd, error; + + switch (cmd) { + case CRIOGET: + fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK); + TAILQ_INIT(&fcr->csessions); + fcr->sesn = 0; + + fdplock(p->p_fd); + error = falloc(p, &f, &fd); + fdpunlock(p->p_fd); + if (error) { + free(fcr, M_XDATA, 0); + return (error); + } + f->f_flag = FREAD | FWRITE; + f->f_type = DTYPE_CRYPTO; + f->f_ops = &cryptofops; + f->f_data = fcr; + *(u_int32_t *)data = fd; + FILE_SET_MATURE(f, p); + break; + default: + error = EINVAL; + break; + } + return (error); +} + +struct csession * +csefind(struct fcrypt *fcr, u_int ses) +{ + struct csession *cse; + + TAILQ_FOREACH(cse, &fcr->csessions, next) + if (cse->ses == ses) + return (cse); + return (NULL); +} + +int +csedelete(struct fcrypt *fcr, struct csession *cse_del) +{ + struct csession *cse; + + TAILQ_FOREACH(cse, &fcr->csessions, next) { + if (cse == cse_del) { + TAILQ_REMOVE(&fcr->csessions, cse, next); + return (1); + } + } + return (0); +} + +struct csession * +cseadd(struct fcrypt *fcr, struct csession *cse) +{ + TAILQ_INSERT_TAIL(&fcr->csessions, cse, next); + cse->ses = fcr->sesn++; + return (cse); +} + +struct csession * +csecreate(struct fcrypt *fcr, u_int64_t sid, caddr_t key, u_int64_t keylen, + caddr_t mackey, u_int64_t mackeylen, u_int32_t cipher, u_int32_t mac, + struct enc_xform *txform, struct auth_hash *thash) +{ + struct csession *cse; + + cse = malloc(sizeof(struct csession), M_XDATA, M_NOWAIT); + if (cse == NULL) + return NULL; + cse->key = key; + cse->keylen = keylen/8; + cse->mackey = mackey; + cse->mackeylen = mackeylen/8; + cse->sid = sid; + cse->cipher = cipher; + cse->mac = mac; + cse->txform = txform; + cse->thash = thash; + cseadd(fcr, cse); + return (cse); +} + +int +csefree(struct csession *cse) +{ + int error; + + error = crypto_freesession(cse->sid); + if (cse->key) + free(cse->key, M_XDATA, 0); + if (cse->mackey) + free(cse->mackey, M_XDATA, 0); + free(cse, M_XDATA, 0); + return (error); } diff --git a/crypto/cryptosoft.c b/crypto/cryptosoft.c new file mode 100644 index 0000000000..8715bed9e4 --- /dev/null +++ b/crypto/cryptosoft.c @@ -0,0 +1,1238 @@ +/* $OpenBSD: cryptosoft.c,v 1.71 2014/07/13 23:24:47 deraadt Exp $ */ + +/* + * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) + * + * This code was written by Angelos D. Keromytis in Athens, Greece, in + * February 2000. Network Security Technologies Inc. (NSTI) kindly + * supported the development of this code. + * + * Copyright (c) 2000, 2001 Angelos D. Keromytis + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all source code copies of any software which is or includes a copy or + * modification of this software. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN] = { + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 +}; + +const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN] = { + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, + 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C +}; + + +struct swcr_data **swcr_sessions = NULL; +u_int32_t swcr_sesnum = 0; +int32_t swcr_id = -1; + +#define COPYBACK(x, a, b, c, d) \ + do { \ + if ((x) == CRYPTO_BUF_MBUF) \ + m_copyback((struct mbuf *)a,b,c,d,M_NOWAIT); \ + else \ + cuio_copyback((struct uio *)a,b,c,d); \ + } while (0) +#define COPYDATA(x, a, b, c, d) \ + do { \ + if ((x) == CRYPTO_BUF_MBUF) \ + m_copydata((struct mbuf *)a,b,c,d); \ + else \ + cuio_copydata((struct uio *)a,b,c,d); \ + } while (0) + +/* + * Apply a symmetric encryption/decryption algorithm. + */ +int +swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf, + int outtype) +{ + unsigned char iv[EALG_MAX_BLOCK_LEN], blk[EALG_MAX_BLOCK_LEN], *idat; + unsigned char *ivp, *nivp, iv2[EALG_MAX_BLOCK_LEN]; + struct enc_xform *exf; + int i, k, j, blks, ind, count, ivlen; + struct mbuf *m = NULL; + struct uio *uio = NULL; + + exf = sw->sw_exf; + blks = exf->blocksize; + ivlen = exf->ivsize; + + /* Check for non-padded data */ + if (crd->crd_len % blks) + return EINVAL; + + if (outtype == CRYPTO_BUF_MBUF) + m = (struct mbuf *) buf; + else + uio = (struct uio *) buf; + + /* Initialize the IV */ + if (crd->crd_flags & CRD_F_ENCRYPT) { + /* IV explicitly provided ? */ + if (crd->crd_flags & CRD_F_IV_EXPLICIT) + bcopy(crd->crd_iv, iv, ivlen); + else + arc4random_buf(iv, ivlen); + + /* Do we need to write the IV */ + if (!(crd->crd_flags & CRD_F_IV_PRESENT)) + COPYBACK(outtype, buf, crd->crd_inject, ivlen, iv); + + } else { /* Decryption */ + /* IV explicitly provided ? */ + if (crd->crd_flags & CRD_F_IV_EXPLICIT) + bcopy(crd->crd_iv, iv, ivlen); + else { + /* Get IV off buf */ + COPYDATA(outtype, buf, crd->crd_inject, ivlen, iv); + } + } + + ivp = iv; + + /* + * xforms that provide a reinit method perform all IV + * handling themselves. + */ + if (exf->reinit) + exf->reinit(sw->sw_kschedule, iv); + + if (outtype == CRYPTO_BUF_MBUF) { + /* Find beginning of data */ + m = m_getptr(m, crd->crd_skip, &k); + if (m == NULL) + return EINVAL; + + i = crd->crd_len; + + while (i > 0) { + /* + * If there's insufficient data at the end of + * an mbuf, we have to do some copying. + */ + if (m->m_len < k + blks && m->m_len != k) { + m_copydata(m, k, blks, blk); + + /* Actual encryption/decryption */ + if (exf->reinit) { + if (crd->crd_flags & CRD_F_ENCRYPT) { + exf->encrypt(sw->sw_kschedule, + blk); + } else { + exf->decrypt(sw->sw_kschedule, + blk); + } + } else if (crd->crd_flags & CRD_F_ENCRYPT) { + /* XOR with previous block */ + for (j = 0; j < blks; j++) + blk[j] ^= ivp[j]; + + exf->encrypt(sw->sw_kschedule, blk); + + /* + * Keep encrypted block for XOR'ing + * with next block + */ + bcopy(blk, iv, blks); + ivp = iv; + } else { /* decrypt */ + /* + * Keep encrypted block for XOR'ing + * with next block + */ + nivp = (ivp == iv) ? iv2 : iv; + bcopy(blk, nivp, blks); + + exf->decrypt(sw->sw_kschedule, blk); + + /* XOR with previous block */ + for (j = 0; j < blks; j++) + blk[j] ^= ivp[j]; + ivp = nivp; + } + + /* Copy back decrypted block */ + m_copyback(m, k, blks, blk, M_NOWAIT); + + /* Advance pointer */ + m = m_getptr(m, k + blks, &k); + if (m == NULL) + return EINVAL; + + i -= blks; + + /* Could be done... */ + if (i == 0) + break; + } + + /* Skip possibly empty mbufs */ + if (k == m->m_len) { + for (m = m->m_next; m && m->m_len == 0; + m = m->m_next) + ; + k = 0; + } + + /* Sanity check */ + if (m == NULL) + return EINVAL; + + /* + * Warning: idat may point to garbage here, but + * we only use it in the while() loop, only if + * there are indeed enough data. + */ + idat = mtod(m, unsigned char *) + k; + + while (m->m_len >= k + blks && i > 0) { + if (exf->reinit) { + if (crd->crd_flags & CRD_F_ENCRYPT) { + exf->encrypt(sw->sw_kschedule, + idat); + } else { + exf->decrypt(sw->sw_kschedule, + idat); + } + } else if (crd->crd_flags & CRD_F_ENCRYPT) { + /* XOR with previous block/IV */ + for (j = 0; j < blks; j++) + idat[j] ^= ivp[j]; + + exf->encrypt(sw->sw_kschedule, idat); + ivp = idat; + } else { /* decrypt */ + /* + * Keep encrypted block to be used + * in next block's processing. + */ + nivp = (ivp == iv) ? iv2 : iv; + bcopy(idat, nivp, blks); + + exf->decrypt(sw->sw_kschedule, idat); + + /* XOR with previous block/IV */ + for (j = 0; j < blks; j++) + idat[j] ^= ivp[j]; + ivp = nivp; + } + + idat += blks; + k += blks; + i -= blks; + } + } + } else { + /* Find beginning of data */ + count = crd->crd_skip; + ind = cuio_getptr(uio, count, &k); + if (ind == -1) + return EINVAL; + + i = crd->crd_len; + + while (i > 0) { + /* + * If there's insufficient data at the end, + * we have to do some copying. + */ + if (uio->uio_iov[ind].iov_len < k + blks && + uio->uio_iov[ind].iov_len != k) { + cuio_copydata(uio, count, blks, blk); + + /* Actual encryption/decryption */ + if (exf->reinit) { + if (crd->crd_flags & CRD_F_ENCRYPT) { + exf->encrypt(sw->sw_kschedule, + blk); + } else { + exf->decrypt(sw->sw_kschedule, + blk); + } + } else if (crd->crd_flags & CRD_F_ENCRYPT) { + /* XOR with previous block */ + for (j = 0; j < blks; j++) + blk[j] ^= ivp[j]; + + exf->encrypt(sw->sw_kschedule, blk); + + /* + * Keep encrypted block for XOR'ing + * with next block + */ + bcopy(blk, iv, blks); + ivp = iv; + } else { /* decrypt */ + /* + * Keep encrypted block for XOR'ing + * with next block + */ + nivp = (ivp == iv) ? iv2 : iv; + bcopy(blk, nivp, blks); + + exf->decrypt(sw->sw_kschedule, blk); + + /* XOR with previous block */ + for (j = 0; j < blks; j++) + blk[j] ^= ivp[j]; + ivp = nivp; + } + + /* Copy back decrypted block */ + cuio_copyback(uio, count, blks, blk); + + count += blks; + + /* Advance pointer */ + ind = cuio_getptr(uio, count, &k); + if (ind == -1) + return (EINVAL); + + i -= blks; + + /* Could be done... */ + if (i == 0) + break; + } + + /* + * Warning: idat may point to garbage here, but + * we only use it in the while() loop, only if + * there are indeed enough data. + */ + idat = (char *)uio->uio_iov[ind].iov_base + k; + + while (uio->uio_iov[ind].iov_len >= k + blks && + i > 0) { + if (exf->reinit) { + if (crd->crd_flags & CRD_F_ENCRYPT) { + exf->encrypt(sw->sw_kschedule, + idat); + } else { + exf->decrypt(sw->sw_kschedule, + idat); + } + } else if (crd->crd_flags & CRD_F_ENCRYPT) { + /* XOR with previous block/IV */ + for (j = 0; j < blks; j++) + idat[j] ^= ivp[j]; + + exf->encrypt(sw->sw_kschedule, idat); + ivp = idat; + } else { /* decrypt */ + /* + * Keep encrypted block to be used + * in next block's processing. + */ + nivp = (ivp == iv) ? iv2 : iv; + bcopy(idat, nivp, blks); + + exf->decrypt(sw->sw_kschedule, idat); + + /* XOR with previous block/IV */ + for (j = 0; j < blks; j++) + idat[j] ^= ivp[j]; + ivp = nivp; + } + + idat += blks; + count += blks; + k += blks; + i -= blks; + } + + /* + * Advance to the next iov if the end of the current iov + * is aligned with the end of a cipher block. + * Note that the code is equivalent to calling: + * ind = cuio_getptr(uio, count, &k); + */ + if (i > 0 && k == uio->uio_iov[ind].iov_len) { + k = 0; + ind++; + if (ind >= uio->uio_iovcnt) + return (EINVAL); + } + } + } + + return 0; /* Done with encryption/decryption */ +} + +/* + * Compute keyed-hash authenticator. + */ +int +swcr_authcompute(struct cryptop *crp, struct cryptodesc *crd, + struct swcr_data *sw, caddr_t buf, int outtype) +{ + unsigned char aalg[AALG_MAX_RESULT_LEN]; + struct auth_hash *axf; + union authctx ctx; + int err; + + if (sw->sw_ictx == 0) + return EINVAL; + + axf = sw->sw_axf; + + bcopy(sw->sw_ictx, &ctx, axf->ctxsize); + + if (outtype == CRYPTO_BUF_MBUF) + err = m_apply((struct mbuf *) buf, crd->crd_skip, crd->crd_len, + (int (*)(caddr_t, caddr_t, unsigned int)) axf->Update, + (caddr_t) &ctx); + else + err = cuio_apply((struct uio *) buf, crd->crd_skip, + crd->crd_len, + (int (*)(caddr_t, caddr_t, unsigned int)) axf->Update, + (caddr_t) &ctx); + + if (err) + return err; + + if (crd->crd_flags & CRD_F_ESN) + axf->Update(&ctx, crd->crd_esn, 4); + + switch (sw->sw_alg) { + case CRYPTO_MD5_HMAC: + case CRYPTO_SHA1_HMAC: + case CRYPTO_RIPEMD160_HMAC: + case CRYPTO_SHA2_256_HMAC: + case CRYPTO_SHA2_384_HMAC: + case CRYPTO_SHA2_512_HMAC: + if (sw->sw_octx == NULL) + return EINVAL; + + axf->Final(aalg, &ctx); + bcopy(sw->sw_octx, &ctx, axf->ctxsize); + axf->Update(&ctx, aalg, axf->hashsize); + axf->Final(aalg, &ctx); + break; + + case CRYPTO_MD5_KPDK: + case CRYPTO_SHA1_KPDK: + if (sw->sw_octx == NULL) + return EINVAL; + + axf->Update(&ctx, sw->sw_octx, sw->sw_klen); + axf->Final(aalg, &ctx); + break; + + case CRYPTO_MD5: + case CRYPTO_SHA1: + axf->Final(aalg, &ctx); + break; + } + + /* Inject the authentication data */ + if (outtype == CRYPTO_BUF_MBUF) + COPYBACK(outtype, buf, crd->crd_inject, axf->authsize, aalg); + else + bcopy(aalg, crp->crp_mac, axf->authsize); + + return 0; +} + +/* + * Apply a combined encryption-authentication transformation + */ +int +swcr_authenc(struct cryptop *crp) +{ + uint32_t blkbuf[howmany(EALG_MAX_BLOCK_LEN, sizeof(uint32_t))]; + u_char *blk = (u_char *)blkbuf; + u_char aalg[AALG_MAX_RESULT_LEN]; + u_char iv[EALG_MAX_BLOCK_LEN]; + union authctx ctx; + struct cryptodesc *crd, *crda = NULL, *crde = NULL; + struct swcr_data *sw, *swa, *swe = NULL; + struct auth_hash *axf = NULL; + struct enc_xform *exf = NULL; + struct mbuf *m = NULL; + struct uio *uio = NULL; + caddr_t buf = (caddr_t)crp->crp_buf; + uint32_t *blkp; + int aadlen, blksz, i, ivlen, outtype, len, iskip, oskip; + + ivlen = blksz = iskip = oskip = 0; + + for (crd = crp->crp_desc; crd; crd = crd->crd_next) { + for (sw = swcr_sessions[crp->crp_sid & 0xffffffff]; + sw && sw->sw_alg != crd->crd_alg; + sw = sw->sw_next) + ; + if (sw == NULL) + return (EINVAL); + + switch (sw->sw_alg) { + case CRYPTO_AES_GCM_16: + case CRYPTO_AES_GMAC: + swe = sw; + crde = crd; + exf = swe->sw_exf; + ivlen = exf->ivsize; + break; + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + swa = sw; + crda = crd; + axf = swa->sw_axf; + if (swa->sw_ictx == 0) + return (EINVAL); + bcopy(swa->sw_ictx, &ctx, axf->ctxsize); + blksz = axf->blocksize; + break; + default: + return (EINVAL); + } + } + if (crde == NULL || crda == NULL) + return (EINVAL); + + if (crp->crp_flags & CRYPTO_F_IMBUF) { + outtype = CRYPTO_BUF_MBUF; + m = (struct mbuf *)buf; + } else { + outtype = CRYPTO_BUF_IOV; + uio = (struct uio *)buf; + } + + /* Initialize the IV */ + if (crde->crd_flags & CRD_F_ENCRYPT) { + /* IV explicitly provided ? */ + if (crde->crd_flags & CRD_F_IV_EXPLICIT) + bcopy(crde->crd_iv, iv, ivlen); + else + arc4random_buf(iv, ivlen); + + /* Do we need to write the IV */ + if (!(crde->crd_flags & CRD_F_IV_PRESENT)) + COPYBACK(outtype, buf, crde->crd_inject, ivlen, iv); + + } else { /* Decryption */ + /* IV explicitly provided ? */ + if (crde->crd_flags & CRD_F_IV_EXPLICIT) + bcopy(crde->crd_iv, iv, ivlen); + else { + /* Get IV off buf */ + COPYDATA(outtype, buf, crde->crd_inject, ivlen, iv); + } + } + + /* Supply MAC with IV */ + if (axf->Reinit) + axf->Reinit(&ctx, iv, ivlen); + + /* Supply MAC with AAD */ + aadlen = crda->crd_len; + /* + * Section 5 of RFC 4106 specifies that AAD construction consists of + * {SPI, ESN, SN} whereas the real packet contains only {SPI, SN}. + * Unfortunately it doesn't follow a good example set in the Section + * 3.3.2.1 of RFC 4303 where upper part of the ESN, located in the + * external (to the packet) memory buffer, is processed by the hash + * function in the end thus allowing to retain simple programming + * interfaces and avoid kludges like the one below. + */ + if (crda->crd_flags & CRD_F_ESN) { + aadlen += 4; + /* SPI */ + COPYDATA(outtype, buf, crda->crd_skip, 4, blk); + iskip = 4; /* loop below will start with an offset of 4 */ + /* ESN */ + bcopy(crda->crd_esn, blk + 4, 4); + oskip = iskip + 4; /* offset output buffer blk by 8 */ + } + for (i = iskip; i < crda->crd_len; i += blksz) { + len = MIN(crda->crd_len - i, blksz - oskip); + COPYDATA(outtype, buf, crda->crd_skip + i, len, blk + oskip); + bzero(blk + len + oskip, blksz - len - oskip); + axf->Update(&ctx, blk, blksz); + oskip = 0; /* reset initial output offset */ + } + + if (exf->reinit) + exf->reinit(swe->sw_kschedule, iv); + + /* Do encryption/decryption with MAC */ + for (i = 0; i < crde->crd_len; i += blksz) { + len = MIN(crde->crd_len - i, blksz); + if (len < blksz) + bzero(blk, blksz); + COPYDATA(outtype, buf, crde->crd_skip + i, len, blk); + if (crde->crd_flags & CRD_F_ENCRYPT) { + exf->encrypt(swe->sw_kschedule, blk); + axf->Update(&ctx, blk, len); + } else { + axf->Update(&ctx, blk, len); + exf->decrypt(swe->sw_kschedule, blk); + } + COPYBACK(outtype, buf, crde->crd_skip + i, len, blk); + } + + /* Do any required special finalization */ + switch (crda->crd_alg) { + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + /* length block */ + bzero(blk, blksz); + blkp = (uint32_t *)blk + 1; + *blkp = htobe32(aadlen * 8); + blkp = (uint32_t *)blk + 3; + *blkp = htobe32(crde->crd_len * 8); + axf->Update(&ctx, blk, blksz); + break; + } + + /* Finalize MAC */ + axf->Final(aalg, &ctx); + + /* Inject the authentication data */ + if (outtype == CRYPTO_BUF_MBUF) + COPYBACK(outtype, buf, crda->crd_inject, axf->authsize, aalg); + else + bcopy(aalg, crp->crp_mac, axf->authsize); + + return (0); +} + +/* + * Apply a compression/decompression algorithm + */ +int +swcr_compdec(struct cryptodesc *crd, struct swcr_data *sw, + caddr_t buf, int outtype) +{ + u_int8_t *data, *out; + struct comp_algo *cxf; + int adj; + u_int32_t result; + + cxf = sw->sw_cxf; + + /* We must handle the whole buffer of data in one time + * then if there is not all the data in the mbuf, we must + * copy in a buffer. + */ + + data = malloc(crd->crd_len, M_CRYPTO_DATA, M_NOWAIT); + if (data == NULL) + return (EINVAL); + COPYDATA(outtype, buf, crd->crd_skip, crd->crd_len, data); + + if (crd->crd_flags & CRD_F_COMP) + result = cxf->compress(data, crd->crd_len, &out); + else + result = cxf->decompress(data, crd->crd_len, &out); + + free(data, M_CRYPTO_DATA, 0); + if (result == 0) + return EINVAL; + + /* Copy back the (de)compressed data. m_copyback is + * extending the mbuf as necessary. + */ + sw->sw_size = result; + /* Check the compressed size when doing compression */ + if (crd->crd_flags & CRD_F_COMP) { + if (result > crd->crd_len) { + /* Compression was useless, we lost time */ + free(out, M_CRYPTO_DATA, 0); + return 0; + } + } + + COPYBACK(outtype, buf, crd->crd_skip, result, out); + if (result < crd->crd_len) { + adj = result - crd->crd_len; + if (outtype == CRYPTO_BUF_MBUF) { + adj = result - crd->crd_len; + m_adj((struct mbuf *)buf, adj); + } else { + struct uio *uio = (struct uio *)buf; + int ind; + + adj = crd->crd_len - result; + ind = uio->uio_iovcnt - 1; + + while (adj > 0 && ind >= 0) { + if (adj < uio->uio_iov[ind].iov_len) { + uio->uio_iov[ind].iov_len -= adj; + break; + } + + adj -= uio->uio_iov[ind].iov_len; + uio->uio_iov[ind].iov_len = 0; + ind--; + uio->uio_iovcnt--; + } + } + } + free(out, M_CRYPTO_DATA, 0); + return 0; +} + +/* + * Generate a new software session. + */ +int +swcr_newsession(u_int32_t *sid, struct cryptoini *cri) +{ + struct swcr_data **swd; + struct auth_hash *axf; + struct enc_xform *txf; + struct comp_algo *cxf; + u_int32_t i; + int k; + + if (sid == NULL || cri == NULL) + return EINVAL; + + if (swcr_sessions) { + for (i = 1; i < swcr_sesnum; i++) + if (swcr_sessions[i] == NULL) + break; + } + + if (swcr_sessions == NULL || i == swcr_sesnum) { + if (swcr_sessions == NULL) { + i = 1; /* We leave swcr_sessions[0] empty */ + swcr_sesnum = CRYPTO_SW_SESSIONS; + } else + swcr_sesnum *= 2; + + swd = mallocarray(swcr_sesnum, sizeof(struct swcr_data *), + M_CRYPTO_DATA, M_NOWAIT | M_ZERO); + if (swd == NULL) { + /* Reset session number */ + if (swcr_sesnum == CRYPTO_SW_SESSIONS) + swcr_sesnum = 0; + else + swcr_sesnum /= 2; + return ENOBUFS; + } + + /* Copy existing sessions */ + if (swcr_sessions) { + bcopy(swcr_sessions, swd, + (swcr_sesnum / 2) * sizeof(struct swcr_data *)); + free(swcr_sessions, M_CRYPTO_DATA, 0); + } + + swcr_sessions = swd; + } + + swd = &swcr_sessions[i]; + *sid = i; + + while (cri) { + *swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA, + M_NOWAIT | M_ZERO); + if (*swd == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + + switch (cri->cri_alg) { + case CRYPTO_DES_CBC: + txf = &enc_xform_des; + goto enccommon; + case CRYPTO_3DES_CBC: + txf = &enc_xform_3des; + goto enccommon; + case CRYPTO_BLF_CBC: + txf = &enc_xform_blf; + goto enccommon; + case CRYPTO_CAST_CBC: + txf = &enc_xform_cast5; + goto enccommon; + case CRYPTO_RIJNDAEL128_CBC: + txf = &enc_xform_rijndael128; + goto enccommon; + case CRYPTO_AES_CTR: + txf = &enc_xform_aes_ctr; + goto enccommon; + case CRYPTO_AES_XTS: + txf = &enc_xform_aes_xts; + goto enccommon; + case CRYPTO_AES_GCM_16: + txf = &enc_xform_aes_gcm; + goto enccommon; + case CRYPTO_AES_GMAC: + txf = &enc_xform_aes_gmac; + (*swd)->sw_exf = txf; + break; + case CRYPTO_NULL: + txf = &enc_xform_null; + goto enccommon; + enccommon: + if (txf->ctxsize > 0) { + (*swd)->sw_kschedule = malloc(txf->ctxsize, + M_CRYPTO_DATA, M_NOWAIT | M_ZERO); + if ((*swd)->sw_kschedule == NULL) { + swcr_freesession(i); + return EINVAL; + } + } + if (txf->setkey((*swd)->sw_kschedule, cri->cri_key, + cri->cri_klen / 8) < 0) { + swcr_freesession(i); + return EINVAL; + } + (*swd)->sw_exf = txf; + break; + + case CRYPTO_MD5_HMAC: + axf = &auth_hash_hmac_md5_96; + goto authcommon; + case CRYPTO_SHA1_HMAC: + axf = &auth_hash_hmac_sha1_96; + goto authcommon; + case CRYPTO_RIPEMD160_HMAC: + axf = &auth_hash_hmac_ripemd_160_96; + goto authcommon; + case CRYPTO_SHA2_256_HMAC: + axf = &auth_hash_hmac_sha2_256_128; + goto authcommon; + case CRYPTO_SHA2_384_HMAC: + axf = &auth_hash_hmac_sha2_384_192; + goto authcommon; + case CRYPTO_SHA2_512_HMAC: + axf = &auth_hash_hmac_sha2_512_256; + authcommon: + (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA, + M_NOWAIT); + if ((*swd)->sw_ictx == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + + (*swd)->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA, + M_NOWAIT); + if ((*swd)->sw_octx == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + + for (k = 0; k < cri->cri_klen / 8; k++) + cri->cri_key[k] ^= HMAC_IPAD_VAL; + + axf->Init((*swd)->sw_ictx); + axf->Update((*swd)->sw_ictx, cri->cri_key, + cri->cri_klen / 8); + axf->Update((*swd)->sw_ictx, hmac_ipad_buffer, + axf->blocksize - (cri->cri_klen / 8)); + + for (k = 0; k < cri->cri_klen / 8; k++) + cri->cri_key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL); + + axf->Init((*swd)->sw_octx); + axf->Update((*swd)->sw_octx, cri->cri_key, + cri->cri_klen / 8); + axf->Update((*swd)->sw_octx, hmac_opad_buffer, + axf->blocksize - (cri->cri_klen / 8)); + + for (k = 0; k < cri->cri_klen / 8; k++) + cri->cri_key[k] ^= HMAC_OPAD_VAL; + (*swd)->sw_axf = axf; + break; + + case CRYPTO_MD5_KPDK: + axf = &auth_hash_key_md5; + goto auth2common; + + case CRYPTO_SHA1_KPDK: + axf = &auth_hash_key_sha1; + auth2common: + (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA, + M_NOWAIT); + if ((*swd)->sw_ictx == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + + /* Store the key so we can "append" it to the payload */ + (*swd)->sw_octx = malloc(cri->cri_klen / 8, M_CRYPTO_DATA, + M_NOWAIT); + if ((*swd)->sw_octx == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + + (*swd)->sw_klen = cri->cri_klen / 8; + bcopy(cri->cri_key, (*swd)->sw_octx, cri->cri_klen / 8); + axf->Init((*swd)->sw_ictx); + axf->Update((*swd)->sw_ictx, cri->cri_key, + cri->cri_klen / 8); + axf->Final(NULL, (*swd)->sw_ictx); + (*swd)->sw_axf = axf; + break; + + case CRYPTO_MD5: + axf = &auth_hash_md5; + goto auth3common; + + case CRYPTO_SHA1: + axf = &auth_hash_sha1; + auth3common: + (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA, + M_NOWAIT); + if ((*swd)->sw_ictx == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + + axf->Init((*swd)->sw_ictx); + (*swd)->sw_axf = axf; + break; + + case CRYPTO_AES_128_GMAC: + axf = &auth_hash_gmac_aes_128; + goto auth4common; + + case CRYPTO_AES_192_GMAC: + axf = &auth_hash_gmac_aes_192; + goto auth4common; + + case CRYPTO_AES_256_GMAC: + axf = &auth_hash_gmac_aes_256; + auth4common: + (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA, + M_NOWAIT); + if ((*swd)->sw_ictx == NULL) { + swcr_freesession(i); + return ENOBUFS; + } + axf->Init((*swd)->sw_ictx); + axf->Setkey((*swd)->sw_ictx, cri->cri_key, + cri->cri_klen / 8); + (*swd)->sw_axf = axf; + break; + + case CRYPTO_DEFLATE_COMP: + cxf = &comp_algo_deflate; + (*swd)->sw_cxf = cxf; + break; + case CRYPTO_ESN: + /* nothing to do */ + break; + default: + swcr_freesession(i); + return EINVAL; + } + + (*swd)->sw_alg = cri->cri_alg; + cri = cri->cri_next; + swd = &((*swd)->sw_next); + } + return 0; +} + +/* + * Free a session. + */ +int +swcr_freesession(u_int64_t tid) +{ + struct swcr_data *swd; + struct enc_xform *txf; + struct auth_hash *axf; + u_int32_t sid = ((u_int32_t) tid) & 0xffffffff; + + if (sid > swcr_sesnum || swcr_sessions == NULL || + swcr_sessions[sid] == NULL) + return EINVAL; + + /* Silently accept and return */ + if (sid == 0) + return 0; + + while ((swd = swcr_sessions[sid]) != NULL) { + swcr_sessions[sid] = swd->sw_next; + + switch (swd->sw_alg) { + case CRYPTO_DES_CBC: + case CRYPTO_3DES_CBC: + case CRYPTO_BLF_CBC: + case CRYPTO_CAST_CBC: + case CRYPTO_RIJNDAEL128_CBC: + case CRYPTO_AES_CTR: + case CRYPTO_AES_XTS: + case CRYPTO_AES_GCM_16: + case CRYPTO_AES_GMAC: + case CRYPTO_NULL: + txf = swd->sw_exf; + + if (swd->sw_kschedule) { + explicit_bzero(swd->sw_kschedule, txf->ctxsize); + free(swd->sw_kschedule, M_CRYPTO_DATA, 0); + } + break; + + case CRYPTO_MD5_HMAC: + case CRYPTO_SHA1_HMAC: + case CRYPTO_RIPEMD160_HMAC: + case CRYPTO_SHA2_256_HMAC: + case CRYPTO_SHA2_384_HMAC: + case CRYPTO_SHA2_512_HMAC: + axf = swd->sw_axf; + + if (swd->sw_ictx) { + explicit_bzero(swd->sw_ictx, axf->ctxsize); + free(swd->sw_ictx, M_CRYPTO_DATA, 0); + } + if (swd->sw_octx) { + explicit_bzero(swd->sw_octx, axf->ctxsize); + free(swd->sw_octx, M_CRYPTO_DATA, 0); + } + break; + + case CRYPTO_MD5_KPDK: + case CRYPTO_SHA1_KPDK: + axf = swd->sw_axf; + + if (swd->sw_ictx) { + explicit_bzero(swd->sw_ictx, axf->ctxsize); + free(swd->sw_ictx, M_CRYPTO_DATA, 0); + } + if (swd->sw_octx) { + explicit_bzero(swd->sw_octx, swd->sw_klen); + free(swd->sw_octx, M_CRYPTO_DATA, 0); + } + break; + + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + case CRYPTO_MD5: + case CRYPTO_SHA1: + axf = swd->sw_axf; + + if (swd->sw_ictx) { + explicit_bzero(swd->sw_ictx, axf->ctxsize); + free(swd->sw_ictx, M_CRYPTO_DATA, 0); + } + break; + } + + free(swd, M_CRYPTO_DATA, 0); + } + return 0; +} + +/* + * Process a software request. + */ +int +swcr_process(struct cryptop *crp) +{ + struct cryptodesc *crd; + struct swcr_data *sw; + u_int32_t lid; + int type; + + /* Sanity check */ + if (crp == NULL) + return EINVAL; + + if (crp->crp_desc == NULL || crp->crp_buf == NULL) { + crp->crp_etype = EINVAL; + goto done; + } + + lid = crp->crp_sid & 0xffffffff; + if (lid >= swcr_sesnum || lid == 0 || swcr_sessions[lid] == NULL) { + crp->crp_etype = ENOENT; + goto done; + } + + if (crp->crp_flags & CRYPTO_F_IMBUF) + type = CRYPTO_BUF_MBUF; + else + type = CRYPTO_BUF_IOV; + + /* Go through crypto descriptors, processing as we go */ + for (crd = crp->crp_desc; crd; crd = crd->crd_next) { + /* + * Find the crypto context. + * + * XXX Note that the logic here prevents us from having + * XXX the same algorithm multiple times in a session + * XXX (or rather, we can but it won't give us the right + * XXX results). To do that, we'd need some way of differentiating + * XXX between the various instances of an algorithm (so we can + * XXX locate the correct crypto context). + */ + for (sw = swcr_sessions[lid]; + sw && sw->sw_alg != crd->crd_alg; + sw = sw->sw_next) + ; + + /* No such context ? */ + if (sw == NULL) { + crp->crp_etype = EINVAL; + goto done; + } + + switch (sw->sw_alg) { + case CRYPTO_NULL: + break; + case CRYPTO_DES_CBC: + case CRYPTO_3DES_CBC: + case CRYPTO_BLF_CBC: + case CRYPTO_CAST_CBC: + case CRYPTO_RIJNDAEL128_CBC: + case CRYPTO_AES_CTR: + case CRYPTO_AES_XTS: + if ((crp->crp_etype = swcr_encdec(crd, sw, + crp->crp_buf, type)) != 0) + goto done; + break; + case CRYPTO_MD5_HMAC: + case CRYPTO_SHA1_HMAC: + case CRYPTO_RIPEMD160_HMAC: + case CRYPTO_SHA2_256_HMAC: + case CRYPTO_SHA2_384_HMAC: + case CRYPTO_SHA2_512_HMAC: + case CRYPTO_MD5_KPDK: + case CRYPTO_SHA1_KPDK: + case CRYPTO_MD5: + case CRYPTO_SHA1: + if ((crp->crp_etype = swcr_authcompute(crp, crd, sw, + crp->crp_buf, type)) != 0) + goto done; + break; + + case CRYPTO_AES_GCM_16: + case CRYPTO_AES_GMAC: + case CRYPTO_AES_128_GMAC: + case CRYPTO_AES_192_GMAC: + case CRYPTO_AES_256_GMAC: + crp->crp_etype = swcr_authenc(crp); + goto done; + + case CRYPTO_DEFLATE_COMP: + if ((crp->crp_etype = swcr_compdec(crd, sw, + crp->crp_buf, type)) != 0) + goto done; + else + crp->crp_olen = (int)sw->sw_size; + break; + + default: + /* Unknown/unsupported algorithm */ + crp->crp_etype = EINVAL; + goto done; + } + } + +done: + crypto_done(crp); + return 0; +} + +/* + * Initialize the driver, called from the kernel main(). + */ +void +swcr_init(void) +{ + int algs[CRYPTO_ALGORITHM_MAX + 1]; + int flags = CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_ENCRYPT_MAC | + CRYPTOCAP_F_MAC_ENCRYPT; + + swcr_id = crypto_get_driverid(flags); + if (swcr_id < 0) { + /* This should never happen */ + panic("Software crypto device cannot initialize!"); + } + + bzero(algs, sizeof(algs)); + + algs[CRYPTO_DES_CBC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_3DES_CBC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_BLF_CBC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_CAST_CBC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_MD5_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_SHA1_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_RIPEMD160_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_MD5_KPDK] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_SHA1_KPDK] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_MD5] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_SHA1] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_RIJNDAEL128_CBC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_CTR] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_XTS] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_GCM_16] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_GMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_DEFLATE_COMP] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_NULL] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_SHA2_256_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_SHA2_384_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_SHA2_512_HMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_128_GMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_192_GMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_AES_256_GMAC] = CRYPTO_ALG_FLAG_SUPPORTED; + algs[CRYPTO_ESN] = CRYPTO_ALG_FLAG_SUPPORTED; + + crypto_register(swcr_id, algs, swcr_newsession, + swcr_freesession, swcr_process); +} diff --git a/crypto/des_locl.h b/crypto/des_locl.h new file mode 100644 index 0000000000..a9f3801069 --- /dev/null +++ b/crypto/des_locl.h @@ -0,0 +1,161 @@ +/* $OpenBSD: des_locl.h,v 1.7 2015/12/10 21:00:51 naddy Exp $ */ + +/* lib/des/des_locl.h */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#ifndef HEADER_DES_LOCL_H +#define HEADER_DES_LOCL_H + +#include +#include + +typedef unsigned char des_cblock[8]; +typedef struct des_ks_struct + { + union { + des_cblock cblock; + /* make sure things are correct size on machines with + * 8 byte longs */ + int32_t pad[2]; + } ks; + } des_key_schedule[16]; + +#define DES_KEY_SZ (sizeof(des_cblock)) +#define DES_SCHEDULE_SZ (sizeof(des_key_schedule)) + + +void des_encrypt2(u_int32_t *data,des_key_schedule ks, int enc); + + +#define ITERATIONS 16 +#define HALF_ITERATIONS 8 + + +#define c2l(c,l) (l =((u_int32_t)(*((c)++))) , \ + l|=((u_int32_t)(*((c)++)))<< 8L, \ + l|=((u_int32_t)(*((c)++)))<<16L, \ + l|=((u_int32_t)(*((c)++)))<<24L) + +#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16L)&0xff), \ + *((c)++)=(unsigned char)(((l)>>24L)&0xff)) + +#define D_ENCRYPT(Q,R,S) {\ + u=(R^s[S ]); \ + t=R^s[S+1]; \ + t=((t>>4L)+(t<<28L)); \ + Q^= des_SPtrans[1][(t )&0x3f]| \ + des_SPtrans[3][(t>> 8L)&0x3f]| \ + des_SPtrans[5][(t>>16L)&0x3f]| \ + des_SPtrans[7][(t>>24L)&0x3f]| \ + des_SPtrans[0][(u )&0x3f]| \ + des_SPtrans[2][(u>> 8L)&0x3f]| \ + des_SPtrans[4][(u>>16L)&0x3f]| \ + des_SPtrans[6][(u>>24L)&0x3f]; } + + /* IP and FP + * The problem is more of a geometric problem that random bit fiddling. + 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 + 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 + 16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 + 24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 + + 32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 + 40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 + 48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 + 56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 + + The output has been subject to swaps of the form + 0 1 -> 3 1 but the odd and even bits have been put into + 2 3 2 0 + different words. The main trick is to remember that + t=((l>>size)^r)&(mask); + r^=t; + l^=(t<>(n))^(b))&(m)),\ + (b)^=(t),\ + (a)^=((t)<<(n))) + +#define IP(l,r) \ + { \ + register u_int32_t tt; \ + PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \ + PERM_OP(l,r,tt,16,0x0000ffffL); \ + PERM_OP(r,l,tt, 2,0x33333333L); \ + PERM_OP(l,r,tt, 8,0x00ff00ffL); \ + PERM_OP(r,l,tt, 1,0x55555555L); \ + } + +#define FP(l,r) \ + { \ + register u_int32_t tt; \ + PERM_OP(l,r,tt, 1,0x55555555L); \ + PERM_OP(r,l,tt, 8,0x00ff00ffL); \ + PERM_OP(l,r,tt, 2,0x33333333L); \ + PERM_OP(r,l,tt,16,0x0000ffffL); \ + PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \ + } +#endif diff --git a/crypto/ecb3_enc.c b/crypto/ecb3_enc.c new file mode 100644 index 0000000000..6fdb9f9d4d --- /dev/null +++ b/crypto/ecb3_enc.c @@ -0,0 +1,76 @@ +/* $OpenBSD: ecb3_enc.c,v 1.3 2013/11/18 18:49:53 brad Exp $ */ + +/* lib/des/ecb3_enc.c */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include "des_locl.h" + +void +des_ecb3_encrypt(des_cblock (*input), des_cblock (*output), + des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, + int encrypt) +{ + register u_int32_t l0, l1; + register unsigned char *in, *out; + u_int32_t ll[2]; + + in = (unsigned char *) input; + out = (unsigned char *) output; + c2l(in, l0); + c2l(in, l1); + IP(l0, l1); + ll[0] = l0; + ll[1] = l1; + des_encrypt2(ll, ks1, encrypt); + des_encrypt2(ll, ks2, !encrypt); + des_encrypt2(ll, ks3, encrypt); + l0 = ll[0]; + l1 = ll[1]; + FP(l1, l0); + l2c(l0, out); + l2c(l1, out); +} diff --git a/crypto/ecb_enc.c b/crypto/ecb_enc.c new file mode 100644 index 0000000000..fa20c81f4f --- /dev/null +++ b/crypto/ecb_enc.c @@ -0,0 +1,102 @@ +/* $OpenBSD: ecb_enc.c,v 1.6 2015/12/10 21:00:51 naddy Exp $ */ + +/* lib/des/ecb_enc.c */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include "des_locl.h" +#include "spr.h" + +void +des_encrypt2(u_int32_t *data, des_key_schedule ks, int encrypt) +{ + register u_int32_t l, r, t, u; +#ifdef DES_USE_PTR + register unsigned char *des_SP=(unsigned char *)des_SPtrans; +#endif + register int i; + register u_int32_t *s; + + u = data[0]; + r = data[1]; + + /* Things have been modified so that the initial rotate is + * done outside the loop. This required the + * des_SPtrans values in sp.h to be rotated 1 bit to the right. + * One perl script later and things have a 5% speed up on a sparc2. + * Thanks to Richard Outerbridge <71755.204@CompuServe.COM> + * for pointing this out. */ + l = (r << 1) | (r >> 31); + r = (u << 1) | (u >> 31); + + /* clear the top bits on machines with 8byte longs */ + l &= 0xffffffffL; + r &= 0xffffffffL; + + s = (u_int32_t *) ks; + /* I don't know if it is worth the effort of loop unrolling the + * inner loop */ + if (encrypt) { + for (i = 0; i < 32; i += 4) { + D_ENCRYPT(l, r, i + 0); /* 1 */ + D_ENCRYPT(r, l, i + 2); /* 2 */ + } + } else { + for (i = 30; i > 0; i -= 4) { + D_ENCRYPT(l, r, i - 0); /* 16 */ + D_ENCRYPT(r, l, i - 2); /* 15 */ + } + } + l = (l >> 1) | (l << 31); + r = (r >> 1) | (r << 31); + /* clear the top bits on machines with 8byte longs */ + l &= 0xffffffffL; + r &= 0xffffffffL; + + data[0] = l; + data[1] = r; + l = r = t = u = 0; +} diff --git a/crypto/gmac.c b/crypto/gmac.c new file mode 100644 index 0000000000..c69a3e4546 --- /dev/null +++ b/crypto/gmac.c @@ -0,0 +1,168 @@ +/* $OpenBSD: gmac.c,v 1.10 2017/05/02 11:44:32 mikeb Exp $ */ + +/* + * Copyright (c) 2010 Mike Belopuhov + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the Message Authentication part of the + * Galois/Counter Mode (as being described in the RFC 4543) using + * the AES cipher. FIPS SP 800-38D describes the algorithm details. + */ + +#include +#include + +#include +#include + +void ghash_gfmul(uint32_t *, uint32_t *, uint32_t *); +void ghash_update_mi(GHASH_CTX *, uint8_t *, size_t); + +/* Allow overriding with optimized MD function */ +void (*ghash_update)(GHASH_CTX *, uint8_t *, size_t) = ghash_update_mi; + +/* Computes a block multiplication in the GF(2^128) */ +void +ghash_gfmul(uint32_t *X, uint32_t *Y, uint32_t *product) +{ + uint32_t v[4]; + uint32_t z[4] = { 0, 0, 0, 0}; + uint8_t *x = (uint8_t *)X; + uint32_t mask; + int i; + + v[0] = betoh32(Y[0]); + v[1] = betoh32(Y[1]); + v[2] = betoh32(Y[2]); + v[3] = betoh32(Y[3]); + + for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) { + /* update Z */ + mask = !!(x[i >> 3] & (1 << (~i & 7))); + mask = ~(mask - 1); + z[0] ^= v[0] & mask; + z[1] ^= v[1] & mask; + z[2] ^= v[2] & mask; + z[3] ^= v[3] & mask; + + /* update V */ + mask = ~((v[3] & 1) - 1); + v[3] = (v[2] << 31) | (v[3] >> 1); + v[2] = (v[1] << 31) | (v[2] >> 1); + v[1] = (v[0] << 31) | (v[1] >> 1); + v[0] = (v[0] >> 1) ^ (0xe1000000 & mask); + } + + product[0] = htobe32(z[0]); + product[1] = htobe32(z[1]); + product[2] = htobe32(z[2]); + product[3] = htobe32(z[3]); +} + +void +ghash_update_mi(GHASH_CTX *ctx, uint8_t *X, size_t len) +{ + uint32_t *x = (uint32_t *)X; + uint32_t *s = (uint32_t *)ctx->S; + uint32_t *y = (uint32_t *)ctx->Z; + int i; + + for (i = 0; i < len / GMAC_BLOCK_LEN; i++) { + s[0] = y[0] ^ x[0]; + s[1] = y[1] ^ x[1]; + s[2] = y[2] ^ x[2]; + s[3] = y[3] ^ x[3]; + + ghash_gfmul((uint32_t *)ctx->S, (uint32_t *)ctx->H, + (uint32_t *)ctx->S); + + y = s; + x += 4; + } + + bcopy(ctx->S, ctx->Z, GMAC_BLOCK_LEN); +} + +#define AESCTR_NONCESIZE 4 + +void +AES_GMAC_Init(void *xctx) +{ + AES_GMAC_CTX *ctx = xctx; + + bzero(ctx->ghash.H, GMAC_BLOCK_LEN); + bzero(ctx->ghash.S, GMAC_BLOCK_LEN); + bzero(ctx->ghash.Z, GMAC_BLOCK_LEN); + bzero(ctx->J, GMAC_BLOCK_LEN); +} + +void +AES_GMAC_Setkey(void *xctx, const uint8_t *key, uint16_t klen) +{ + AES_GMAC_CTX *ctx = xctx; + + AES_Setkey(&ctx->K, key, klen - AESCTR_NONCESIZE); + /* copy out salt to the counter block */ + bcopy(key + klen - AESCTR_NONCESIZE, ctx->J, AESCTR_NONCESIZE); + /* prepare a hash subkey */ + AES_Encrypt(&ctx->K, ctx->ghash.H, ctx->ghash.H); +} + +void +AES_GMAC_Reinit(void *xctx, const uint8_t *iv, uint16_t ivlen) +{ + AES_GMAC_CTX *ctx = xctx; + + /* copy out IV to the counter block */ + bcopy(iv, ctx->J + AESCTR_NONCESIZE, ivlen); +} + +int +AES_GMAC_Update(void *xctx, const uint8_t *data, uint16_t len) +{ + AES_GMAC_CTX *ctx = xctx; + uint32_t blk[4] = { 0, 0, 0, 0 }; + int plen; + + if (len > 0) { + plen = len % GMAC_BLOCK_LEN; + if (len >= GMAC_BLOCK_LEN) + (*ghash_update)(&ctx->ghash, (uint8_t *)data, + len - plen); + if (plen) { + memcpy((uint8_t *)blk, (uint8_t *)data + (len - plen), + plen); + (*ghash_update)(&ctx->ghash, (uint8_t *)blk, + GMAC_BLOCK_LEN); + } + } + return (0); +} + +void +AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], void *xctx) +{ + AES_GMAC_CTX *ctx = xctx; + uint8_t keystream[GMAC_BLOCK_LEN]; + int i; + + /* do one round of GCTR */ + ctx->J[GMAC_BLOCK_LEN - 1] = 1; + AES_Encrypt(&ctx->K, ctx->J, keystream); + for (i = 0; i < GMAC_DIGEST_LEN; i++) + digest[i] = ctx->ghash.S[i] ^ keystream[i]; + explicit_bzero(keystream, sizeof(keystream)); +} diff --git a/crypto/hmac.c b/crypto/hmac.c new file mode 100644 index 0000000000..ea2c173814 --- /dev/null +++ b/crypto/hmac.c @@ -0,0 +1,192 @@ +/* $OpenBSD: hmac.c,v 1.4 2016/09/19 18:09:40 tedu Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the HMAC algorithm described in RFC 2104 using + * the MD5, SHA1 and SHA-256 hash functions. + */ + +#include +#include + +#include +#include +#include +#include + +void +HMAC_MD5_Init(HMAC_MD5_CTX *ctx, const u_int8_t *key, u_int key_len) +{ + u_int8_t k_ipad[MD5_BLOCK_LENGTH]; + int i; + + if (key_len > MD5_BLOCK_LENGTH) { + MD5Init(&ctx->ctx); + MD5Update(&ctx->ctx, key, key_len); + MD5Final(ctx->key, &ctx->ctx); + ctx->key_len = MD5_DIGEST_LENGTH; + } else { + bcopy(key, ctx->key, key_len); + ctx->key_len = key_len; + } + + bzero(k_ipad, MD5_BLOCK_LENGTH); + memcpy(k_ipad, ctx->key, ctx->key_len); + for (i = 0; i < MD5_BLOCK_LENGTH; i++) + k_ipad[i] ^= 0x36; + + MD5Init(&ctx->ctx); + MD5Update(&ctx->ctx, k_ipad, MD5_BLOCK_LENGTH); + + explicit_bzero(k_ipad, sizeof k_ipad); +} + +void +HMAC_MD5_Update(HMAC_MD5_CTX *ctx, const u_int8_t *data, u_int len) +{ + MD5Update(&ctx->ctx, data, len); +} + +void +HMAC_MD5_Final(u_int8_t digest[MD5_DIGEST_LENGTH], HMAC_MD5_CTX *ctx) +{ + u_int8_t k_opad[MD5_BLOCK_LENGTH]; + int i; + + MD5Final(digest, &ctx->ctx); + + bzero(k_opad, MD5_BLOCK_LENGTH); + memcpy(k_opad, ctx->key, ctx->key_len); + for (i = 0; i < MD5_BLOCK_LENGTH; i++) + k_opad[i] ^= 0x5c; + + MD5Init(&ctx->ctx); + MD5Update(&ctx->ctx, k_opad, MD5_BLOCK_LENGTH); + MD5Update(&ctx->ctx, digest, MD5_DIGEST_LENGTH); + MD5Final(digest, &ctx->ctx); + + explicit_bzero(k_opad, sizeof k_opad); +} + +void +HMAC_SHA1_Init(HMAC_SHA1_CTX *ctx, const u_int8_t *key, u_int key_len) +{ + u_int8_t k_ipad[SHA1_BLOCK_LENGTH]; + int i; + + if (key_len > SHA1_BLOCK_LENGTH) { + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, key, key_len); + SHA1Final(ctx->key, &ctx->ctx); + ctx->key_len = SHA1_DIGEST_LENGTH; + } else { + bcopy(key, ctx->key, key_len); + ctx->key_len = key_len; + } + + bzero(k_ipad, SHA1_BLOCK_LENGTH); + memcpy(k_ipad, ctx->key, ctx->key_len); + for (i = 0; i < SHA1_BLOCK_LENGTH; i++) + k_ipad[i] ^= 0x36; + + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, k_ipad, SHA1_BLOCK_LENGTH); + + explicit_bzero(k_ipad, sizeof k_ipad); +} + +void +HMAC_SHA1_Update(HMAC_SHA1_CTX *ctx, const u_int8_t *data, u_int len) +{ + SHA1Update(&ctx->ctx, data, len); +} + +void +HMAC_SHA1_Final(u_int8_t digest[SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *ctx) +{ + u_int8_t k_opad[SHA1_BLOCK_LENGTH]; + int i; + + SHA1Final(digest, &ctx->ctx); + + bzero(k_opad, SHA1_BLOCK_LENGTH); + memcpy(k_opad, ctx->key, ctx->key_len); + for (i = 0; i < SHA1_BLOCK_LENGTH; i++) + k_opad[i] ^= 0x5c; + + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, k_opad, SHA1_BLOCK_LENGTH); + SHA1Update(&ctx->ctx, digest, SHA1_DIGEST_LENGTH); + SHA1Final(digest, &ctx->ctx); + + explicit_bzero(k_opad, sizeof k_opad); +} + +void +HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const u_int8_t *key, u_int key_len) +{ + u_int8_t k_ipad[SHA256_BLOCK_LENGTH]; + int i; + + if (key_len > SHA256_BLOCK_LENGTH) { + SHA256Init(&ctx->ctx); + SHA256Update(&ctx->ctx, key, key_len); + SHA256Final(ctx->key, &ctx->ctx); + ctx->key_len = SHA256_DIGEST_LENGTH; + } else { + bcopy(key, ctx->key, key_len); + ctx->key_len = key_len; + } + + bzero(k_ipad, SHA256_BLOCK_LENGTH); + memcpy(k_ipad, ctx->key, ctx->key_len); + for (i = 0; i < SHA256_BLOCK_LENGTH; i++) + k_ipad[i] ^= 0x36; + + SHA256Init(&ctx->ctx); + SHA256Update(&ctx->ctx, k_ipad, SHA256_BLOCK_LENGTH); + + explicit_bzero(k_ipad, sizeof k_ipad); +} + +void +HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const u_int8_t *data, u_int len) +{ + SHA256Update(&ctx->ctx, data, len); +} + +void +HMAC_SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *ctx) +{ + u_int8_t k_opad[SHA256_BLOCK_LENGTH]; + int i; + + SHA256Final(digest, &ctx->ctx); + + bzero(k_opad, SHA256_BLOCK_LENGTH); + memcpy(k_opad, ctx->key, ctx->key_len); + for (i = 0; i < SHA256_BLOCK_LENGTH; i++) + k_opad[i] ^= 0x5c; + + SHA256Init(&ctx->ctx); + SHA256Update(&ctx->ctx, k_opad, SHA256_BLOCK_LENGTH); + SHA256Update(&ctx->ctx, digest, SHA256_DIGEST_LENGTH); + SHA256Final(digest, &ctx->ctx); + + explicit_bzero(k_opad, sizeof k_opad); +} diff --git a/crypto/idgen.c b/crypto/idgen.c new file mode 100644 index 0000000000..c744ab0b81 --- /dev/null +++ b/crypto/idgen.c @@ -0,0 +1,138 @@ +/* $OpenBSD: idgen.c,v 1.8 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Copyright (c) 2008 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * IDGEN32: non-repeating ID generation covering an almost maximal 32-bit + * range. + * + * IDGEN32 is based on public domain SKIP32 by Greg Rose. + */ + +#include +#include +#include + +#include + +static const u_int8_t idgen32_ftable[256] = { + 0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4, + 0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9, + 0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e, + 0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28, + 0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68, + 0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53, + 0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19, + 0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2, + 0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b, + 0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8, + 0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0, + 0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90, + 0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69, + 0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76, + 0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20, + 0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d, + 0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43, + 0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18, + 0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa, + 0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4, + 0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87, + 0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40, + 0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b, + 0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5, + 0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0, + 0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2, + 0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1, + 0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8, + 0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5, + 0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac, + 0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3, + 0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46 +}; + +static u_int16_t +idgen32_g(u_int8_t *key, int k, u_int16_t w) +{ + u_int8_t g1, g2, g3, g4, g5, g6; + u_int o = k * 4; + + g1 = (w >> 8) & 0xff; + g2 = w & 0xff; + + g3 = idgen32_ftable[g2 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g1; + g4 = idgen32_ftable[g3 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g2; + g5 = idgen32_ftable[g4 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g3; + g6 = idgen32_ftable[g5 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g4; + + return (g5 << 8) | g6; +} + +static u_int32_t +idgen32_permute(struct idgen32_ctx *ctx, u_int32_t in) +{ + u_int i, r; + u_int16_t wl, wr; + + wl = (in >> 16) & 0x7fff; + wr = in & 0xffff; + + /* Doubled up rounds, with an odd round at the end to swap */ + for (i = r = 0; i < IDGEN32_ROUNDS / 2; ++i) { + wr ^= (idgen32_g(ctx->id32_key, r, wl) ^ r); + r++; + wl ^= (idgen32_g(ctx->id32_key, r, wr) ^ r) & 0x7fff; + r++; + } + wr ^= (idgen32_g(ctx->id32_key, r, wl) ^ r); + + return (wl << 16) | wr; +} + +static void +idgen32_rekey(struct idgen32_ctx *ctx) +{ + ctx->id32_counter = 0; + ctx->id32_hibit ^= 0x80000000; + ctx->id32_offset = arc4random(); + arc4random_buf(ctx->id32_key, sizeof(ctx->id32_key)); + ctx->id32_rekey_time = getuptime() + IDGEN32_REKEY_TIME; +} + +void +idgen32_init(struct idgen32_ctx *ctx) +{ + bzero(ctx, sizeof(*ctx)); + ctx->id32_hibit = arc4random() & 0x80000000; + idgen32_rekey(ctx); +} + +u_int32_t +idgen32(struct idgen32_ctx *ctx) +{ + u_int32_t ret; + + do { + /* Rekey a little early to avoid "card counting" attack */ + if (ctx->id32_counter > IDGEN32_REKEY_LIMIT || + ctx->id32_rekey_time < getuptime()) + idgen32_rekey(ctx); + ret = ctx->id32_hibit | idgen32_permute(ctx, + (ctx->id32_offset + ctx->id32_counter++) & 0x7fffffff); + } while (ret == 0); /* Zero IDs are often special, so avoid */ + + return ret; +} + diff --git a/crypto/key_wrap.c b/crypto/key_wrap.c new file mode 100644 index 0000000000..adbc11bc54 --- /dev/null +++ b/crypto/key_wrap.c @@ -0,0 +1,112 @@ +/* $OpenBSD: key_wrap.c,v 1.5 2017/05/02 17:07:06 mikeb Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the AES Key Wrap algorithm described in RFC 3394. + */ + +#include +#include + +#include +#include + +static const u_int8_t IV[8] = + { 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 }; + +void +aes_key_wrap_set_key(aes_key_wrap_ctx *ctx, const u_int8_t *K, size_t K_len) +{ + AES_Setkey(&ctx->ctx, K, K_len); +} + +void +aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *ctx, const u_int8_t *K, + size_t K_len) +{ + AES_Setkey(&ctx->ctx, K, K_len); +} + +void +aes_key_wrap(aes_key_wrap_ctx *ctx, const u_int8_t *P, size_t n, u_int8_t *C) +{ + u_int64_t B[2], t; + u_int8_t *A, *R; + size_t i; + int j; + + memmove(C + 8, P, n * 8); /* P and C may overlap */ + A = C; /* A points to C[0] */ + memcpy(A, IV, 8); /* A = IV, an initial value */ + + for (j = 0, t = 1; j <= 5; j++) { + R = C + 8; + for (i = 1; i <= n; i++, t++) { + /* B = A | R[i] */ + memcpy(&B[0], A, 8); + memcpy(&B[1], R, 8); + /* B = AES(K, B) */ + AES_Encrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B); + /* MSB(64, B) = MSB(64, B) ^ t */ + B[0] ^= htobe64(t); + /* A = MSB(64, B) */ + memcpy(A, &B[0], 8); + /* R[i] = LSB(64, B) */ + memcpy(R, &B[1], 8); + + R += 8; + } + } + explicit_bzero(B, sizeof B); +} + +int +aes_key_unwrap(aes_key_wrap_ctx *ctx, const u_int8_t *C, u_int8_t *P, size_t n) +{ + u_int64_t B[2], t; + u_int8_t A[8], *R; + size_t i; + int j; + + memcpy(A, C, 8); /* A = C[0] */ + memmove(P, C + 8, n * 8); /* P and C may overlap */ + + for (j = 5, t = 6 * n; j >= 0; j--) { + R = P + (n - 1) * 8; + for (i = n; i >= 1; i--, t--) { + /* MSB(64, B) = A */ + memcpy(&B[0], A, 8); + /* MSB(64, B) = MSB(64, B) ^ t */ + B[0] ^= htobe64(t); + /* B = MSB(64, B) | R[i] */ + memcpy(&B[1], R, 8); + /* B = AES-1(K, B) */ + AES_Decrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B); + /* A = MSB(64, B) */ + memcpy(A, &B[0], 8); + /* R[i] = LSB(64, B) */ + memcpy(R, &B[1], 8); + + R -= 8; + } + } + explicit_bzero(B, sizeof B); + + /* check that A is an appropriate initial value */ + return timingsafe_bcmp(A, IV, 8) != 0; +} diff --git a/crypto/md5.c b/crypto/md5.c new file mode 100644 index 0000000000..a896aa1f23 --- /dev/null +++ b/crypto/md5.c @@ -0,0 +1,238 @@ +/* $OpenBSD: md5.c,v 1.4 2014/12/28 10:04:35 tedu Exp $ */ + +/* + * This code implements the MD5 message-digest algorithm. + * The algorithm is due to Ron Rivest. This code was + * written by Colin Plumb in 1993, no copyright is claimed. + * This code is in the public domain; do with it what you wish. + * + * Equivalent code is available from RSA Data Security, Inc. + * This code has been tested against that, and is equivalent, + * except that you don't need to include two pages of legalese + * with every copy. + * + * To compute the message digest of a chunk of bytes, declare an + * MD5Context structure, pass it to MD5Init, call MD5Update as + * needed on buffers full of bytes, and then call MD5Final, which + * will fill a supplied 16-byte array with the digest. + */ + +#include +#include +#include + +#define PUT_64BIT_LE(cp, value) do { \ + (cp)[7] = (value) >> 56; \ + (cp)[6] = (value) >> 48; \ + (cp)[5] = (value) >> 40; \ + (cp)[4] = (value) >> 32; \ + (cp)[3] = (value) >> 24; \ + (cp)[2] = (value) >> 16; \ + (cp)[1] = (value) >> 8; \ + (cp)[0] = (value); } while (0) + +#define PUT_32BIT_LE(cp, value) do { \ + (cp)[3] = (value) >> 24; \ + (cp)[2] = (value) >> 16; \ + (cp)[1] = (value) >> 8; \ + (cp)[0] = (value); } while (0) + +static u_int8_t PADDING[MD5_BLOCK_LENGTH] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +/* + * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious + * initialization constants. + */ +void +MD5Init(MD5_CTX *ctx) +{ + ctx->count = 0; + ctx->state[0] = 0x67452301; + ctx->state[1] = 0xefcdab89; + ctx->state[2] = 0x98badcfe; + ctx->state[3] = 0x10325476; +} + +/* + * Update context to reflect the concatenation of another buffer full + * of bytes. + */ +void +MD5Update(MD5_CTX *ctx, const void *inputptr, size_t len) +{ + const uint8_t *input = inputptr; + size_t have, need; + + /* Check how many bytes we already have and how many more we need. */ + have = (size_t)((ctx->count >> 3) & (MD5_BLOCK_LENGTH - 1)); + need = MD5_BLOCK_LENGTH - have; + + /* Update bitcount */ + ctx->count += (u_int64_t)len << 3; + + if (len >= need) { + if (have != 0) { + memcpy(ctx->buffer + have, input, need); + MD5Transform(ctx->state, ctx->buffer); + input += need; + len -= need; + have = 0; + } + + /* Process data in MD5_BLOCK_LENGTH-byte chunks. */ + while (len >= MD5_BLOCK_LENGTH) { + MD5Transform(ctx->state, input); + input += MD5_BLOCK_LENGTH; + len -= MD5_BLOCK_LENGTH; + } + } + + /* Handle any remaining bytes of data. */ + if (len != 0) + memcpy(ctx->buffer + have, input, len); +} + +/* + * Final wrapup - pad to 64-byte boundary with the bit pattern + * 1 0* (64-bit count of bits processed, MSB-first) + */ +void +MD5Final(unsigned char digest[MD5_DIGEST_LENGTH], MD5_CTX *ctx) +{ + u_int8_t count[8]; + size_t padlen; + int i; + + /* Convert count to 8 bytes in little endian order. */ + PUT_64BIT_LE(count, ctx->count); + + /* Pad out to 56 mod 64. */ + padlen = MD5_BLOCK_LENGTH - + ((ctx->count >> 3) & (MD5_BLOCK_LENGTH - 1)); + if (padlen < 1 + 8) + padlen += MD5_BLOCK_LENGTH; + MD5Update(ctx, PADDING, padlen - 8); /* padlen - 8 <= 64 */ + MD5Update(ctx, count, 8); + + for (i = 0; i < 4; i++) + PUT_32BIT_LE(digest + i * 4, ctx->state[i]); + explicit_bzero(ctx, sizeof(*ctx)); /* in case it's sensitive */ +} + + +/* The four core functions - F1 is optimized somewhat */ + +/* #define F1(x, y, z) (x & y | ~x & z) */ +#define F1(x, y, z) (z ^ (x & (y ^ z))) +#define F2(x, y, z) F1(z, x, y) +#define F3(x, y, z) (x ^ y ^ z) +#define F4(x, y, z) (y ^ (x | ~z)) + +/* This is the central step in the MD5 algorithm. */ +#define MD5STEP(f, w, x, y, z, data, s) \ + ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) + +/* + * The core of the MD5 algorithm, this alters an existing MD5 hash to + * reflect the addition of 16 longwords of new data. MD5Update blocks + * the data and converts bytes into longwords for this routine. + */ +void +MD5Transform(u_int32_t state[4], const u_int8_t block[MD5_BLOCK_LENGTH]) +{ + u_int32_t a, b, c, d, in[MD5_BLOCK_LENGTH / 4]; + +#if BYTE_ORDER == LITTLE_ENDIAN + memcpy(in, block, sizeof(in)); +#else + for (a = 0; a < MD5_BLOCK_LENGTH / 4; a++) { + in[a] = (u_int32_t)( + (u_int32_t)(block[a * 4 + 0]) | + (u_int32_t)(block[a * 4 + 1]) << 8 | + (u_int32_t)(block[a * 4 + 2]) << 16 | + (u_int32_t)(block[a * 4 + 3]) << 24); + } +#endif + + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + + MD5STEP(F1, a, b, c, d, in[ 0] + 0xd76aa478, 7); + MD5STEP(F1, d, a, b, c, in[ 1] + 0xe8c7b756, 12); + MD5STEP(F1, c, d, a, b, in[ 2] + 0x242070db, 17); + MD5STEP(F1, b, c, d, a, in[ 3] + 0xc1bdceee, 22); + MD5STEP(F1, a, b, c, d, in[ 4] + 0xf57c0faf, 7); + MD5STEP(F1, d, a, b, c, in[ 5] + 0x4787c62a, 12); + MD5STEP(F1, c, d, a, b, in[ 6] + 0xa8304613, 17); + MD5STEP(F1, b, c, d, a, in[ 7] + 0xfd469501, 22); + MD5STEP(F1, a, b, c, d, in[ 8] + 0x698098d8, 7); + MD5STEP(F1, d, a, b, c, in[ 9] + 0x8b44f7af, 12); + MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); + MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); + MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); + MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); + MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); + MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); + + MD5STEP(F2, a, b, c, d, in[ 1] + 0xf61e2562, 5); + MD5STEP(F2, d, a, b, c, in[ 6] + 0xc040b340, 9); + MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); + MD5STEP(F2, b, c, d, a, in[ 0] + 0xe9b6c7aa, 20); + MD5STEP(F2, a, b, c, d, in[ 5] + 0xd62f105d, 5); + MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); + MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); + MD5STEP(F2, b, c, d, a, in[ 4] + 0xe7d3fbc8, 20); + MD5STEP(F2, a, b, c, d, in[ 9] + 0x21e1cde6, 5); + MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); + MD5STEP(F2, c, d, a, b, in[ 3] + 0xf4d50d87, 14); + MD5STEP(F2, b, c, d, a, in[ 8] + 0x455a14ed, 20); + MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); + MD5STEP(F2, d, a, b, c, in[ 2] + 0xfcefa3f8, 9); + MD5STEP(F2, c, d, a, b, in[ 7] + 0x676f02d9, 14); + MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); + + MD5STEP(F3, a, b, c, d, in[ 5] + 0xfffa3942, 4); + MD5STEP(F3, d, a, b, c, in[ 8] + 0x8771f681, 11); + MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); + MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); + MD5STEP(F3, a, b, c, d, in[ 1] + 0xa4beea44, 4); + MD5STEP(F3, d, a, b, c, in[ 4] + 0x4bdecfa9, 11); + MD5STEP(F3, c, d, a, b, in[ 7] + 0xf6bb4b60, 16); + MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); + MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); + MD5STEP(F3, d, a, b, c, in[ 0] + 0xeaa127fa, 11); + MD5STEP(F3, c, d, a, b, in[ 3] + 0xd4ef3085, 16); + MD5STEP(F3, b, c, d, a, in[ 6] + 0x04881d05, 23); + MD5STEP(F3, a, b, c, d, in[ 9] + 0xd9d4d039, 4); + MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); + MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); + MD5STEP(F3, b, c, d, a, in[2 ] + 0xc4ac5665, 23); + + MD5STEP(F4, a, b, c, d, in[ 0] + 0xf4292244, 6); + MD5STEP(F4, d, a, b, c, in[7 ] + 0x432aff97, 10); + MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); + MD5STEP(F4, b, c, d, a, in[5 ] + 0xfc93a039, 21); + MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); + MD5STEP(F4, d, a, b, c, in[3 ] + 0x8f0ccc92, 10); + MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); + MD5STEP(F4, b, c, d, a, in[1 ] + 0x85845dd1, 21); + MD5STEP(F4, a, b, c, d, in[8 ] + 0x6fa87e4f, 6); + MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); + MD5STEP(F4, c, d, a, b, in[6 ] + 0xa3014314, 15); + MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); + MD5STEP(F4, a, b, c, d, in[4 ] + 0xf7537e82, 6); + MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); + MD5STEP(F4, c, d, a, b, in[2 ] + 0x2ad7d2bb, 15); + MD5STEP(F4, b, c, d, a, in[9 ] + 0xeb86d391, 21); + + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; +} diff --git a/crypto/podd.h b/crypto/podd.h new file mode 100644 index 0000000000..7dcb7ad97b --- /dev/null +++ b/crypto/podd.h @@ -0,0 +1,66 @@ +/* $OpenBSD: podd.h,v 1.1 2000/02/28 23:13:05 deraadt Exp $ */ + +/* lib/des/podd.h */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +static const unsigned char odd_parity[256]={ + 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, + 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, + 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, + 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, + 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, + 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, + 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, +112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127, +128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, +145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158, +161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174, +176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191, +193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206, +208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223, +224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239, +241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254}; diff --git a/crypto/poly1305.c b/crypto/poly1305.c new file mode 100644 index 0000000000..3f7aec4442 --- /dev/null +++ b/crypto/poly1305.c @@ -0,0 +1,301 @@ +/* $OpenBSD: poly1305.c,v 1.2 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Public Domain poly1305 from Andrew Moon + * Based on poly1305-donna.c, poly1305-donna-32.h and poly1305-donna.h from: + * https://github.com/floodyberry/poly1305-donna + */ + +#include +#include + +#include "poly1305.h" + +/* + * poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication + * and 64 bit addition. + */ + +/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */ +static unsigned long +U8TO32(const unsigned char *p) +{ + return (((unsigned long)(p[0] & 0xff)) | + ((unsigned long)(p[1] & 0xff) << 8) | + ((unsigned long)(p[2] & 0xff) << 16) | + ((unsigned long)(p[3] & 0xff) << 24)); +} + +/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */ +static void +U32TO8(unsigned char *p, unsigned long v) +{ + p[0] = (v) & 0xff; + p[1] = (v >> 8) & 0xff; + p[2] = (v >> 16) & 0xff; + p[3] = (v >> 24) & 0xff; +} + +void +poly1305_init(poly1305_state *st, const unsigned char key[32]) +{ + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ + st->r[0] = (U8TO32(&key[0])) & 0x3ffffff; + st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03; + st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff; + st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff; + st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff; + + /* h = 0 */ + st->h[0] = 0; + st->h[1] = 0; + st->h[2] = 0; + st->h[3] = 0; + st->h[4] = 0; + + /* save pad for later */ + st->pad[0] = U8TO32(&key[16]); + st->pad[1] = U8TO32(&key[20]); + st->pad[2] = U8TO32(&key[24]); + st->pad[3] = U8TO32(&key[28]); + + st->leftover = 0; + st->final = 0; +} + +static void +poly1305_blocks(poly1305_state *st, const unsigned char *m, size_t bytes) +{ + const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */ + unsigned long r0, r1, r2, r3, r4; + unsigned long s1, s2, s3, s4; + unsigned long h0, h1, h2, h3, h4; + unsigned long long d0, d1, d2, d3, d4; + unsigned long c; + + r0 = st->r[0]; + r1 = st->r[1]; + r2 = st->r[2]; + r3 = st->r[3]; + r4 = st->r[4]; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + h0 = st->h[0]; + h1 = st->h[1]; + h2 = st->h[2]; + h3 = st->h[3]; + h4 = st->h[4]; + + while (bytes >= poly1305_block_size) { + /* h += m[i] */ + h0 += (U8TO32(m + 0)) & 0x3ffffff; + h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff; + h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff; + h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff; + h4 += (U8TO32(m + 12) >> 8) | hibit; + + /* h *= r */ + d0 = ((unsigned long long)h0 * r0) + + ((unsigned long long)h1 * s4) + + ((unsigned long long)h2 * s3) + + ((unsigned long long)h3 * s2) + + ((unsigned long long)h4 * s1); + d1 = ((unsigned long long)h0 * r1) + + ((unsigned long long)h1 * r0) + + ((unsigned long long)h2 * s4) + + ((unsigned long long)h3 * s3) + + ((unsigned long long)h4 * s2); + d2 = ((unsigned long long)h0 * r2) + + ((unsigned long long)h1 * r1) + + ((unsigned long long)h2 * r0) + + ((unsigned long long)h3 * s4) + + ((unsigned long long)h4 * s3); + d3 = ((unsigned long long)h0 * r3) + + ((unsigned long long)h1 * r2) + + ((unsigned long long)h2 * r1) + + ((unsigned long long)h3 * r0) + + ((unsigned long long)h4 * s4); + d4 = ((unsigned long long)h0 * r4) + + ((unsigned long long)h1 * r3) + + ((unsigned long long)h2 * r2) + + ((unsigned long long)h3 * r1) + + ((unsigned long long)h4 * r0); + + /* (partial) h %= p */ + c = (unsigned long)(d0 >> 26); + h0 = (unsigned long)d0 & 0x3ffffff; + d1 += c; + c = (unsigned long)(d1 >> 26); + h1 = (unsigned long)d1 & 0x3ffffff; + d2 += c; + c = (unsigned long)(d2 >> 26); + h2 = (unsigned long)d2 & 0x3ffffff; + d3 += c; + c = (unsigned long)(d3 >> 26); + h3 = (unsigned long)d3 & 0x3ffffff; + d4 += c; + c = (unsigned long)(d4 >> 26); + h4 = (unsigned long)d4 & 0x3ffffff; + h0 += c * 5; + c = (h0 >> 26); + h0 = h0 & 0x3ffffff; + h1 += c; + + m += poly1305_block_size; + bytes -= poly1305_block_size; + } + + st->h[0] = h0; + st->h[1] = h1; + st->h[2] = h2; + st->h[3] = h3; + st->h[4] = h4; +} + +void +poly1305_update(poly1305_state *st, const unsigned char *m, size_t bytes) +{ + size_t i; + + /* handle leftover */ + if (st->leftover) { + size_t want = (poly1305_block_size - st->leftover); + if (want > bytes) + want = bytes; + for (i = 0; i < want; i++) + st->buffer[st->leftover + i] = m[i]; + bytes -= want; + m += want; + st->leftover += want; + if (st->leftover < poly1305_block_size) + return; + poly1305_blocks(st, st->buffer, poly1305_block_size); + st->leftover = 0; + } + + /* process full blocks */ + if (bytes >= poly1305_block_size) { + size_t want = (bytes & ~(poly1305_block_size - 1)); + poly1305_blocks(st, m, want); + m += want; + bytes -= want; + } + + /* store leftover */ + if (bytes) { + for (i = 0; i < bytes; i++) + st->buffer[st->leftover + i] = m[i]; + st->leftover += bytes; + } +} + +void +poly1305_finish(poly1305_state *st, unsigned char mac[16]) +{ + unsigned long h0, h1, h2, h3, h4, c; + unsigned long g0, g1, g2, g3, g4; + unsigned long long f; + unsigned long mask; + + /* process the remaining block */ + if (st->leftover) { + size_t i = st->leftover; + st->buffer[i++] = 1; + for (; i < poly1305_block_size; i++) + st->buffer[i] = 0; + st->final = 1; + poly1305_blocks(st, st->buffer, poly1305_block_size); + } + + /* fully carry h */ + h0 = st->h[0]; + h1 = st->h[1]; + h2 = st->h[2]; + h3 = st->h[3]; + h4 = st->h[4]; + + c = h1 >> 26; + h1 = h1 & 0x3ffffff; + h2 += c; + c = h2 >> 26; + h2 = h2 & 0x3ffffff; + h3 += c; + c = h3 >> 26; + h3 = h3 & 0x3ffffff; + h4 += c; + c = h4 >> 26; + h4 = h4 & 0x3ffffff; + h0 += c * 5; + c = h0 >> 26; + h0 = h0 & 0x3ffffff; + h1 += c; + + /* compute h + -p */ + g0 = h0 + 5; + c = g0 >> 26; + g0 &= 0x3ffffff; + g1 = h1 + c; + c = g1 >> 26; + g1 &= 0x3ffffff; + g2 = h2 + c; + c = g2 >> 26; + g2 &= 0x3ffffff; + g3 = h3 + c; + c = g3 >> 26; + g3 &= 0x3ffffff; + g4 = h4 + c - (1 << 26); + + /* select h if h < p, or h + -p if h >= p */ + mask = (g4 >> ((sizeof(unsigned long) * 8) - 1)) - 1; + g0 &= mask; + g1 &= mask; + g2 &= mask; + g3 &= mask; + g4 &= mask; + mask = ~mask; + h0 = (h0 & mask) | g0; + h1 = (h1 & mask) | g1; + h2 = (h2 & mask) | g2; + h3 = (h3 & mask) | g3; + h4 = (h4 & mask) | g4; + + /* h = h % (2^128) */ + h0 = ((h0) | (h1 << 26)) & 0xffffffff; + h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff; + h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff; + h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff; + + /* mac = (h + pad) % (2^128) */ + f = (unsigned long long)h0 + st->pad[0]; + h0 = (unsigned long)f; + f = (unsigned long long)h1 + st->pad[1] + (f >> 32); + h1 = (unsigned long)f; + f = (unsigned long long)h2 + st->pad[2] + (f >> 32); + h2 = (unsigned long)f; + f = (unsigned long long)h3 + st->pad[3] + (f >> 32); + h3 = (unsigned long)f; + + U32TO8(mac + 0, h0); + U32TO8(mac + 4, h1); + U32TO8(mac + 8, h2); + U32TO8(mac + 12, h3); + + /* zero out the state */ + st->h[0] = 0; + st->h[1] = 0; + st->h[2] = 0; + st->h[3] = 0; + st->h[4] = 0; + st->r[0] = 0; + st->r[1] = 0; + st->r[2] = 0; + st->r[3] = 0; + st->r[4] = 0; + st->pad[0] = 0; + st->pad[1] = 0; + st->pad[2] = 0; + st->pad[3] = 0; +} diff --git a/crypto/rijndael.c b/crypto/rijndael.c new file mode 100644 index 0000000000..0b706504fd --- /dev/null +++ b/crypto/rijndael.c @@ -0,0 +1,1167 @@ +/* $OpenBSD: rijndael.c,v 1.20 2014/11/17 12:27:47 mikeb Exp $ */ + +/** + * rijndael-alg-fst.c + * + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen + * @author Antoon Bosselaers + * @author Paulo Barreto + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +#include + +#undef FULL_UNROLL + +/* +Te0[x] = S [x].[02, 01, 01, 03]; +Te1[x] = S [x].[03, 02, 01, 01]; +Te2[x] = S [x].[01, 03, 02, 01]; +Te3[x] = S [x].[01, 01, 03, 02]; + +Td0[x] = Si[x].[0e, 09, 0d, 0b]; +Td1[x] = Si[x].[0b, 0e, 09, 0d]; +Td2[x] = Si[x].[0d, 0b, 0e, 09]; +Td3[x] = Si[x].[09, 0d, 0b, 0e]; +Td4[x] = Si[x].[01]; +*/ + +static const u32 Te0[256] = { + 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, + 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, + 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU, + 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, + 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U, + 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU, + 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU, + 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU, + 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU, + 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU, + 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U, + 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU, + 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU, + 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U, + 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU, + 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU, + 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU, + 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU, + 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU, + 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U, + 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU, + 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU, + 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU, + 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU, + 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U, + 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U, + 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U, + 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U, + 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU, + 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U, + 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U, + 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU, + 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU, + 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U, + 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U, + 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U, + 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU, + 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U, + 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU, + 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U, + 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU, + 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U, + 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U, + 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU, + 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U, + 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U, + 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U, + 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U, + 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U, + 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U, + 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U, + 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U, + 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU, + 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U, + 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U, + 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U, + 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U, + 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U, + 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U, + 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU, + 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U, + 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U, + 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, + 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, +}; +static const u32 Te1[256] = { + 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU, + 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U, + 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU, + 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U, + 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU, + 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U, + 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU, + 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U, + 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U, + 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU, + 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U, + 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U, + 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U, + 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU, + 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U, + 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U, + 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU, + 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U, + 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U, + 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U, + 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU, + 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU, + 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U, + 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU, + 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU, + 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U, + 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU, + 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U, + 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU, + 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U, + 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U, + 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U, + 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU, + 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U, + 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU, + 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U, + 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU, + 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U, + 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U, + 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU, + 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU, + 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU, + 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U, + 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U, + 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU, + 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U, + 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU, + 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U, + 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU, + 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U, + 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU, + 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU, + 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U, + 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU, + 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U, + 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU, + 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U, + 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U, + 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U, + 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU, + 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU, + 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U, + 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU, + 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U, +}; +static const u32 Te2[256] = { + 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU, + 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U, + 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU, + 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U, + 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU, + 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U, + 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU, + 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U, + 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U, + 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU, + 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U, + 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U, + 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U, + 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU, + 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U, + 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U, + 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU, + 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U, + 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U, + 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U, + 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU, + 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU, + 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U, + 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU, + 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU, + 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U, + 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU, + 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U, + 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU, + 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U, + 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U, + 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U, + 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU, + 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U, + 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU, + 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U, + 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU, + 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U, + 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U, + 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU, + 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU, + 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU, + 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U, + 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U, + 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU, + 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U, + 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU, + 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U, + 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU, + 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U, + 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU, + 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU, + 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U, + 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU, + 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U, + 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU, + 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U, + 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U, + 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U, + 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU, + 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU, + 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U, + 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU, + 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U, +}; +static const u32 Te3[256] = { + 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, + 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, + 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U, + 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, + 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU, + 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU, + 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U, + 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU, + 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU, + 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U, + 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U, + 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU, + 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU, + 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU, + 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU, + 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU, + 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U, + 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU, + 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU, + 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U, + 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U, + 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U, + 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U, + 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U, + 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU, + 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U, + 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU, + 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU, + 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U, + 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U, + 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U, + 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU, + 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U, + 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU, + 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU, + 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U, + 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U, + 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU, + 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U, + 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU, + 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U, + 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U, + 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U, + 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U, + 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU, + 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U, + 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU, + 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U, + 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU, + 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U, + 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU, + 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU, + 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU, + 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU, + 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U, + 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U, + 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U, + 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U, + 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U, + 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U, + 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU, + 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U, + 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, + 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, +}; +static const u32 Td0[256] = { + 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, + 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U, + 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U, + 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU, + 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U, + 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U, + 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU, + 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U, + 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU, + 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U, + 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U, + 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U, + 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U, + 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU, + 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U, + 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU, + 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U, + 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU, + 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U, + 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U, + 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U, + 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU, + 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U, + 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU, + 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U, + 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU, + 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U, + 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU, + 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU, + 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U, + 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU, + 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U, + 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU, + 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U, + 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U, + 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U, + 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU, + 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U, + 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U, + 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU, + 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U, + 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U, + 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U, + 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U, + 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U, + 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU, + 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U, + 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U, + 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U, + 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U, + 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U, + 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU, + 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU, + 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU, + 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU, + 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U, + 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U, + 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU, + 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU, + 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U, + 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU, + 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U, + 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U, + 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U, +}; +static const u32 Td1[256] = { + 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU, + 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U, + 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU, + 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U, + 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U, + 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U, + 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U, + 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U, + 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U, + 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU, + 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU, + 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU, + 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U, + 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU, + 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U, + 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U, + 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U, + 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU, + 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU, + 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U, + 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU, + 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U, + 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU, + 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU, + 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U, + 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U, + 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U, + 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU, + 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U, + 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU, + 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U, + 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U, + 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U, + 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU, + 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U, + 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U, + 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U, + 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U, + 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U, + 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U, + 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU, + 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU, + 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U, + 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU, + 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U, + 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU, + 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU, + 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U, + 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU, + 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U, + 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U, + 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U, + 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U, + 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U, + 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U, + 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U, + 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU, + 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U, + 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U, + 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU, + 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U, + 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U, + 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U, + 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U, +}; +static const u32 Td2[256] = { + 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U, + 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U, + 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U, + 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U, + 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU, + 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U, + 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U, + 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U, + 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U, + 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU, + 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U, + 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U, + 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU, + 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U, + 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U, + 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U, + 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U, + 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U, + 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U, + 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU, + 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U, + 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U, + 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U, + 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U, + 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U, + 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU, + 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU, + 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U, + 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU, + 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U, + 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU, + 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU, + 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU, + 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU, + 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U, + 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U, + 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U, + 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U, + 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U, + 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U, + 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U, + 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU, + 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU, + 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U, + 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U, + 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU, + 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU, + 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U, + 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U, + 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U, + 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U, + 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U, + 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U, + 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U, + 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU, + 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U, + 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U, + 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U, + 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U, + 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U, + 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U, + 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU, + 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U, + 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U, +}; +static const u32 Td3[256] = { + 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU, + 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU, + 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U, + 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U, + 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU, + 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU, + 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U, + 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU, + 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U, + 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU, + 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U, + 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U, + 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U, + 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U, + 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U, + 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU, + 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU, + 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U, + 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U, + 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU, + 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU, + 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U, + 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U, + 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U, + 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U, + 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU, + 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U, + 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U, + 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU, + 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU, + 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U, + 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U, + 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U, + 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU, + 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U, + 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U, + 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U, + 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U, + 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U, + 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U, + 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U, + 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU, + 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U, + 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U, + 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU, + 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU, + 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U, + 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU, + 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U, + 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U, + 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U, + 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U, + 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U, + 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U, + 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU, + 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU, + 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU, + 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU, + 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U, + 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U, + 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U, + 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU, + 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U, + 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U, +}; +static const u8 Td4[256] = { + 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U, + 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU, + 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U, + 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU, + 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU, + 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU, + 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U, + 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U, + 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U, + 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U, + 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU, + 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U, + 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU, + 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U, + 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U, + 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU, + 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU, + 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U, + 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U, + 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU, + 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U, + 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU, + 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U, + 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U, + 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U, + 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU, + 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU, + 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU, + 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U, + 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U, + 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U, + 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU, +}; +static const u32 rcon[] = { + 0x01000000, 0x02000000, 0x04000000, 0x08000000, + 0x10000000, 0x20000000, 0x40000000, 0x80000000, + 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */ +}; + +#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] << 8) ^ ((u32)(pt)[3])) +#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); } + +/** + * Expand the cipher key into the encryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +int +rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) +{ + int i = 0; + u32 temp; + + rk[0] = GETU32(cipherKey ); + rk[1] = GETU32(cipherKey + 4); + rk[2] = GETU32(cipherKey + 8); + rk[3] = GETU32(cipherKey + 12); + if (keyBits == 128) { + for (;;) { + temp = rk[3]; + rk[4] = rk[0] ^ + (Te2[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te3[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te0[(temp ) & 0xff] & 0x0000ff00) ^ + (Te1[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[5] = rk[1] ^ rk[4]; + rk[6] = rk[2] ^ rk[5]; + rk[7] = rk[3] ^ rk[6]; + if (++i == 10) { + return 10; + } + rk += 4; + } + } + rk[4] = GETU32(cipherKey + 16); + rk[5] = GETU32(cipherKey + 20); + if (keyBits == 192) { + for (;;) { + temp = rk[ 5]; + rk[ 6] = rk[ 0] ^ + (Te2[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te3[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te0[(temp ) & 0xff] & 0x0000ff00) ^ + (Te1[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[ 7] = rk[ 1] ^ rk[ 6]; + rk[ 8] = rk[ 2] ^ rk[ 7]; + rk[ 9] = rk[ 3] ^ rk[ 8]; + if (++i == 8) { + return 12; + } + rk[10] = rk[ 4] ^ rk[ 9]; + rk[11] = rk[ 5] ^ rk[10]; + rk += 6; + } + } + rk[6] = GETU32(cipherKey + 24); + rk[7] = GETU32(cipherKey + 28); + if (keyBits == 256) { + for (;;) { + temp = rk[ 7]; + rk[ 8] = rk[ 0] ^ + (Te2[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te3[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te0[(temp ) & 0xff] & 0x0000ff00) ^ + (Te1[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[ 9] = rk[ 1] ^ rk[ 8]; + rk[10] = rk[ 2] ^ rk[ 9]; + rk[11] = rk[ 3] ^ rk[10]; + if (++i == 7) { + return 14; + } + temp = rk[11]; + rk[12] = rk[ 4] ^ + (Te2[(temp >> 24) ] & 0xff000000) ^ + (Te3[(temp >> 16) & 0xff] & 0x00ff0000) ^ + (Te0[(temp >> 8) & 0xff] & 0x0000ff00) ^ + (Te1[(temp ) & 0xff] & 0x000000ff); + rk[13] = rk[ 5] ^ rk[12]; + rk[14] = rk[ 6] ^ rk[13]; + rk[15] = rk[ 7] ^ rk[14]; + rk += 8; + } + } + return 0; +} + +/** + * Expand the cipher key into the decryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +int +rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) +{ + int Nr, i, j; + u32 temp; + + /* expand the cipher key: */ + Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits); + + /* invert the order of the round keys: */ + for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) { + temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; + temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; + temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; + temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; + } + /* apply the inverse MixColumn transform to all round keys but the first and the last: */ + for (i = 1; i < Nr; i++) { + rk += 4; + rk[0] = + Td0[Te1[(rk[0] >> 24) ] & 0xff] ^ + Td1[Te1[(rk[0] >> 16) & 0xff] & 0xff] ^ + Td2[Te1[(rk[0] >> 8) & 0xff] & 0xff] ^ + Td3[Te1[(rk[0] ) & 0xff] & 0xff]; + rk[1] = + Td0[Te1[(rk[1] >> 24) ] & 0xff] ^ + Td1[Te1[(rk[1] >> 16) & 0xff] & 0xff] ^ + Td2[Te1[(rk[1] >> 8) & 0xff] & 0xff] ^ + Td3[Te1[(rk[1] ) & 0xff] & 0xff]; + rk[2] = + Td0[Te1[(rk[2] >> 24) ] & 0xff] ^ + Td1[Te1[(rk[2] >> 16) & 0xff] & 0xff] ^ + Td2[Te1[(rk[2] >> 8) & 0xff] & 0xff] ^ + Td3[Te1[(rk[2] ) & 0xff] & 0xff]; + rk[3] = + Td0[Te1[(rk[3] >> 24) ] & 0xff] ^ + Td1[Te1[(rk[3] >> 16) & 0xff] & 0xff] ^ + Td2[Te1[(rk[3] >> 8) & 0xff] & 0xff] ^ + Td3[Te1[(rk[3] ) & 0xff] & 0xff]; + } + return Nr; +} + +void +rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], + u8 ct[16]) +{ + u32 s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(pt ) ^ rk[0]; + s1 = GETU32(pt + 4) ^ rk[1]; + s2 = GETU32(pt + 8) ^ rk[2]; + s3 = GETU32(pt + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Te0[(s0 >> 24) ] ^ + Te1[(s1 >> 16) & 0xff] ^ + Te2[(s2 >> 8) & 0xff] ^ + Te3[(s3 ) & 0xff] ^ + rk[4]; + t1 = + Te0[(s1 >> 24) ] ^ + Te1[(s2 >> 16) & 0xff] ^ + Te2[(s3 >> 8) & 0xff] ^ + Te3[(s0 ) & 0xff] ^ + rk[5]; + t2 = + Te0[(s2 >> 24) ] ^ + Te1[(s3 >> 16) & 0xff] ^ + Te2[(s0 >> 8) & 0xff] ^ + Te3[(s1 ) & 0xff] ^ + rk[6]; + t3 = + Te0[(s3 >> 24) ] ^ + Te1[(s0 >> 16) & 0xff] ^ + Te2[(s1 >> 8) & 0xff] ^ + Te3[(s2 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) { + break; + } + + s0 = + Te0[(t0 >> 24) ] ^ + Te1[(t1 >> 16) & 0xff] ^ + Te2[(t2 >> 8) & 0xff] ^ + Te3[(t3 ) & 0xff] ^ + rk[0]; + s1 = + Te0[(t1 >> 24) ] ^ + Te1[(t2 >> 16) & 0xff] ^ + Te2[(t3 >> 8) & 0xff] ^ + Te3[(t0 ) & 0xff] ^ + rk[1]; + s2 = + Te0[(t2 >> 24) ] ^ + Te1[(t3 >> 16) & 0xff] ^ + Te2[(t0 >> 8) & 0xff] ^ + Te3[(t1 ) & 0xff] ^ + rk[2]; + s3 = + Te0[(t3 >> 24) ] ^ + Te1[(t0 >> 16) & 0xff] ^ + Te2[(t1 >> 8) & 0xff] ^ + Te3[(t2 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Te2[(t0 >> 24) ] & 0xff000000) ^ + (Te3[(t1 >> 16) & 0xff] & 0x00ff0000) ^ + (Te0[(t2 >> 8) & 0xff] & 0x0000ff00) ^ + (Te1[(t3 ) & 0xff] & 0x000000ff) ^ + rk[0]; + PUTU32(ct , s0); + s1 = + (Te2[(t1 >> 24) ] & 0xff000000) ^ + (Te3[(t2 >> 16) & 0xff] & 0x00ff0000) ^ + (Te0[(t3 >> 8) & 0xff] & 0x0000ff00) ^ + (Te1[(t0 ) & 0xff] & 0x000000ff) ^ + rk[1]; + PUTU32(ct + 4, s1); + s2 = + (Te2[(t2 >> 24) ] & 0xff000000) ^ + (Te3[(t3 >> 16) & 0xff] & 0x00ff0000) ^ + (Te0[(t0 >> 8) & 0xff] & 0x0000ff00) ^ + (Te1[(t1 ) & 0xff] & 0x000000ff) ^ + rk[2]; + PUTU32(ct + 8, s2); + s3 = + (Te2[(t3 >> 24) ] & 0xff000000) ^ + (Te3[(t0 >> 16) & 0xff] & 0x00ff0000) ^ + (Te0[(t1 >> 8) & 0xff] & 0x0000ff00) ^ + (Te1[(t2 ) & 0xff] & 0x000000ff) ^ + rk[3]; + PUTU32(ct + 12, s3); +} + +static void +rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], + u8 pt[16]) +{ + u32 s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(ct ) ^ rk[0]; + s1 = GETU32(ct + 4) ^ rk[1]; + s2 = GETU32(ct + 8) ^ rk[2]; + s3 = GETU32(ct + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Td0[(s0 >> 24) ] ^ + Td1[(s3 >> 16) & 0xff] ^ + Td2[(s2 >> 8) & 0xff] ^ + Td3[(s1 ) & 0xff] ^ + rk[4]; + t1 = + Td0[(s1 >> 24) ] ^ + Td1[(s0 >> 16) & 0xff] ^ + Td2[(s3 >> 8) & 0xff] ^ + Td3[(s2 ) & 0xff] ^ + rk[5]; + t2 = + Td0[(s2 >> 24) ] ^ + Td1[(s1 >> 16) & 0xff] ^ + Td2[(s0 >> 8) & 0xff] ^ + Td3[(s3 ) & 0xff] ^ + rk[6]; + t3 = + Td0[(s3 >> 24) ] ^ + Td1[(s2 >> 16) & 0xff] ^ + Td2[(s1 >> 8) & 0xff] ^ + Td3[(s0 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) { + break; + } + + s0 = + Td0[(t0 >> 24) ] ^ + Td1[(t3 >> 16) & 0xff] ^ + Td2[(t2 >> 8) & 0xff] ^ + Td3[(t1 ) & 0xff] ^ + rk[0]; + s1 = + Td0[(t1 >> 24) ] ^ + Td1[(t0 >> 16) & 0xff] ^ + Td2[(t3 >> 8) & 0xff] ^ + Td3[(t2 ) & 0xff] ^ + rk[1]; + s2 = + Td0[(t2 >> 24) ] ^ + Td1[(t1 >> 16) & 0xff] ^ + Td2[(t0 >> 8) & 0xff] ^ + Td3[(t3 ) & 0xff] ^ + rk[2]; + s3 = + Td0[(t3 >> 24) ] ^ + Td1[(t2 >> 16) & 0xff] ^ + Td2[(t1 >> 8) & 0xff] ^ + Td3[(t0 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Td4[(t0 >> 24) ] << 24) ^ + (Td4[(t3 >> 16) & 0xff] << 16) ^ + (Td4[(t2 >> 8) & 0xff] << 8) ^ + (Td4[(t1 ) & 0xff]) ^ + rk[0]; + PUTU32(pt , s0); + s1 = + (Td4[(t1 >> 24) ] << 24) ^ + (Td4[(t0 >> 16) & 0xff] << 16) ^ + (Td4[(t3 >> 8) & 0xff] << 8) ^ + (Td4[(t2 ) & 0xff]) ^ + rk[1]; + PUTU32(pt + 4, s1); + s2 = + (Td4[(t2 >> 24) ] << 24) ^ + (Td4[(t1 >> 16) & 0xff] << 16) ^ + (Td4[(t0 >> 8) & 0xff] << 8) ^ + (Td4[(t3 ) & 0xff]) ^ + rk[2]; + PUTU32(pt + 8, s2); + s3 = + (Td4[(t3 >> 24) ] << 24) ^ + (Td4[(t2 >> 16) & 0xff] << 16) ^ + (Td4[(t1 >> 8) & 0xff] << 8) ^ + (Td4[(t0 ) & 0xff]) ^ + rk[3]; + PUTU32(pt + 12, s3); +} + +/* setup key context for encryption only */ +int +rijndael_set_key_enc_only(rijndael_ctx *ctx, const u_char *key, int bits) +{ + int rounds; + + rounds = rijndaelKeySetupEnc(ctx->ek, key, bits); + if (rounds == 0) + return -1; + + ctx->Nr = rounds; + ctx->enc_only = 1; + + return 0; +} + +/* setup key context for both encryption and decryption */ +int +rijndael_set_key(rijndael_ctx *ctx, const u_char *key, int bits) +{ + int rounds; + + rounds = rijndaelKeySetupEnc(ctx->ek, key, bits); + if (rounds == 0) + return -1; + if (rijndaelKeySetupDec(ctx->dk, key, bits) != rounds) + return -1; + + ctx->Nr = rounds; + ctx->enc_only = 0; + + return 0; +} + +void +rijndael_decrypt(rijndael_ctx *ctx, const u_char *src, u_char *dst) +{ + rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst); +} + +void +rijndael_encrypt(rijndael_ctx *ctx, const u_char *src, u_char *dst) +{ + rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst); +} diff --git a/crypto/rmd160.c b/crypto/rmd160.c new file mode 100644 index 0000000000..e2af9ace7a --- /dev/null +++ b/crypto/rmd160.c @@ -0,0 +1,366 @@ +/* $OpenBSD: rmd160.c,v 1.5 2011/01/11 15:42:05 deraadt Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/* + * Preneel, Bosselaers, Dobbertin, "The Cryptographic Hash Function RIPEMD-160", + * RSA Laboratories, CryptoBytes, Volume 3, Number 2, Autumn 1997, + * ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto3n2.pdf + */ +#include +#include +#include +#include + +#define PUT_64BIT_LE(cp, value) do { \ + (cp)[7] = (value) >> 56; \ + (cp)[6] = (value) >> 48; \ + (cp)[5] = (value) >> 40; \ + (cp)[4] = (value) >> 32; \ + (cp)[3] = (value) >> 24; \ + (cp)[2] = (value) >> 16; \ + (cp)[1] = (value) >> 8; \ + (cp)[0] = (value); } while (0) + +#define PUT_32BIT_LE(cp, value) do { \ + (cp)[3] = (value) >> 24; \ + (cp)[2] = (value) >> 16; \ + (cp)[1] = (value) >> 8; \ + (cp)[0] = (value); } while (0) + +#define H0 0x67452301U +#define H1 0xEFCDAB89U +#define H2 0x98BADCFEU +#define H3 0x10325476U +#define H4 0xC3D2E1F0U + +#define K0 0x00000000U +#define K1 0x5A827999U +#define K2 0x6ED9EBA1U +#define K3 0x8F1BBCDCU +#define K4 0xA953FD4EU + +#define KK0 0x50A28BE6U +#define KK1 0x5C4DD124U +#define KK2 0x6D703EF3U +#define KK3 0x7A6D76E9U +#define KK4 0x00000000U + +/* rotate x left n bits. */ +#define ROL(n, x) (((x) << (n)) | ((x) >> (32-(n)))) + +#define F0(x, y, z) ((x) ^ (y) ^ (z)) +#define F1(x, y, z) (((x) & (y)) | ((~x) & (z))) +#define F2(x, y, z) (((x) | (~y)) ^ (z)) +#define F3(x, y, z) (((x) & (z)) | ((y) & (~z))) +#define F4(x, y, z) ((x) ^ ((y) | (~z))) + +#define R(a, b, c, d, e, Fj, Kj, sj, rj) \ + do { \ + a = ROL(sj, a + Fj(b,c,d) + X(rj) + Kj) + e; \ + c = ROL(10, c); \ + } while(0) + +#define X(i) x[i] + +static u_char PADDING[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +void +RMD160Init(RMD160_CTX *ctx) +{ + ctx->count = 0; + ctx->state[0] = H0; + ctx->state[1] = H1; + ctx->state[2] = H2; + ctx->state[3] = H3; + ctx->state[4] = H4; +} + +void +RMD160Update(RMD160_CTX *ctx, const u_char *input, u_int32_t len) +{ + u_int32_t have, off, need; + + have = (ctx->count/8) % 64; + need = 64 - have; + ctx->count += 8 * len; + off = 0; + + if (len >= need) { + if (have) { + memcpy(ctx->buffer + have, input, need); + RMD160Transform(ctx->state, ctx->buffer); + off = need; + have = 0; + } + /* now the buffer is empty */ + while (off + 64 <= len) { + RMD160Transform(ctx->state, input+off); + off += 64; + } + } + if (off < len) + memcpy(ctx->buffer + have, input+off, len-off); +} + +void +RMD160Final(u_char digest[20], RMD160_CTX *ctx) +{ + int i; + u_char size[8]; + u_int32_t padlen; + + PUT_64BIT_LE(size, ctx->count); + + /* + * pad to 64 byte blocks, at least one byte from PADDING plus 8 bytes + * for the size + */ + padlen = 64 - ((ctx->count/8) % 64); + if (padlen < 1 + 8) + padlen += 64; + RMD160Update(ctx, PADDING, padlen - 8); /* padlen - 8 <= 64 */ + RMD160Update(ctx, size, 8); + + if (digest != NULL) + for (i = 0; i < 5; i++) + PUT_32BIT_LE(digest + i*4, ctx->state[i]); + + explicit_bzero(ctx, sizeof (*ctx)); +} + +void +RMD160Transform(u_int32_t state[5], const u_char block[64]) +{ + u_int32_t a, b, c, d, e, aa, bb, cc, dd, ee, t, x[16]; + +#if BYTE_ORDER == LITTLE_ENDIAN + memcpy(x, block, 64); +#else + int i; + + for (i = 0; i < 16; i++) + x[i] = (u_int32_t)( + (u_int32_t)(block[i*4 + 0]) | + (u_int32_t)(block[i*4 + 1]) << 8 | + (u_int32_t)(block[i*4 + 2]) << 16 | + (u_int32_t)(block[i*4 + 3]) << 24); +#endif + + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + + /* Round 1 */ + R(a, b, c, d, e, F0, K0, 11, 0); + R(e, a, b, c, d, F0, K0, 14, 1); + R(d, e, a, b, c, F0, K0, 15, 2); + R(c, d, e, a, b, F0, K0, 12, 3); + R(b, c, d, e, a, F0, K0, 5, 4); + R(a, b, c, d, e, F0, K0, 8, 5); + R(e, a, b, c, d, F0, K0, 7, 6); + R(d, e, a, b, c, F0, K0, 9, 7); + R(c, d, e, a, b, F0, K0, 11, 8); + R(b, c, d, e, a, F0, K0, 13, 9); + R(a, b, c, d, e, F0, K0, 14, 10); + R(e, a, b, c, d, F0, K0, 15, 11); + R(d, e, a, b, c, F0, K0, 6, 12); + R(c, d, e, a, b, F0, K0, 7, 13); + R(b, c, d, e, a, F0, K0, 9, 14); + R(a, b, c, d, e, F0, K0, 8, 15); /* #15 */ + /* Round 2 */ + R(e, a, b, c, d, F1, K1, 7, 7); + R(d, e, a, b, c, F1, K1, 6, 4); + R(c, d, e, a, b, F1, K1, 8, 13); + R(b, c, d, e, a, F1, K1, 13, 1); + R(a, b, c, d, e, F1, K1, 11, 10); + R(e, a, b, c, d, F1, K1, 9, 6); + R(d, e, a, b, c, F1, K1, 7, 15); + R(c, d, e, a, b, F1, K1, 15, 3); + R(b, c, d, e, a, F1, K1, 7, 12); + R(a, b, c, d, e, F1, K1, 12, 0); + R(e, a, b, c, d, F1, K1, 15, 9); + R(d, e, a, b, c, F1, K1, 9, 5); + R(c, d, e, a, b, F1, K1, 11, 2); + R(b, c, d, e, a, F1, K1, 7, 14); + R(a, b, c, d, e, F1, K1, 13, 11); + R(e, a, b, c, d, F1, K1, 12, 8); /* #31 */ + /* Round 3 */ + R(d, e, a, b, c, F2, K2, 11, 3); + R(c, d, e, a, b, F2, K2, 13, 10); + R(b, c, d, e, a, F2, K2, 6, 14); + R(a, b, c, d, e, F2, K2, 7, 4); + R(e, a, b, c, d, F2, K2, 14, 9); + R(d, e, a, b, c, F2, K2, 9, 15); + R(c, d, e, a, b, F2, K2, 13, 8); + R(b, c, d, e, a, F2, K2, 15, 1); + R(a, b, c, d, e, F2, K2, 14, 2); + R(e, a, b, c, d, F2, K2, 8, 7); + R(d, e, a, b, c, F2, K2, 13, 0); + R(c, d, e, a, b, F2, K2, 6, 6); + R(b, c, d, e, a, F2, K2, 5, 13); + R(a, b, c, d, e, F2, K2, 12, 11); + R(e, a, b, c, d, F2, K2, 7, 5); + R(d, e, a, b, c, F2, K2, 5, 12); /* #47 */ + /* Round 4 */ + R(c, d, e, a, b, F3, K3, 11, 1); + R(b, c, d, e, a, F3, K3, 12, 9); + R(a, b, c, d, e, F3, K3, 14, 11); + R(e, a, b, c, d, F3, K3, 15, 10); + R(d, e, a, b, c, F3, K3, 14, 0); + R(c, d, e, a, b, F3, K3, 15, 8); + R(b, c, d, e, a, F3, K3, 9, 12); + R(a, b, c, d, e, F3, K3, 8, 4); + R(e, a, b, c, d, F3, K3, 9, 13); + R(d, e, a, b, c, F3, K3, 14, 3); + R(c, d, e, a, b, F3, K3, 5, 7); + R(b, c, d, e, a, F3, K3, 6, 15); + R(a, b, c, d, e, F3, K3, 8, 14); + R(e, a, b, c, d, F3, K3, 6, 5); + R(d, e, a, b, c, F3, K3, 5, 6); + R(c, d, e, a, b, F3, K3, 12, 2); /* #63 */ + /* Round 5 */ + R(b, c, d, e, a, F4, K4, 9, 4); + R(a, b, c, d, e, F4, K4, 15, 0); + R(e, a, b, c, d, F4, K4, 5, 5); + R(d, e, a, b, c, F4, K4, 11, 9); + R(c, d, e, a, b, F4, K4, 6, 7); + R(b, c, d, e, a, F4, K4, 8, 12); + R(a, b, c, d, e, F4, K4, 13, 2); + R(e, a, b, c, d, F4, K4, 12, 10); + R(d, e, a, b, c, F4, K4, 5, 14); + R(c, d, e, a, b, F4, K4, 12, 1); + R(b, c, d, e, a, F4, K4, 13, 3); + R(a, b, c, d, e, F4, K4, 14, 8); + R(e, a, b, c, d, F4, K4, 11, 11); + R(d, e, a, b, c, F4, K4, 8, 6); + R(c, d, e, a, b, F4, K4, 5, 15); + R(b, c, d, e, a, F4, K4, 6, 13); /* #79 */ + + aa = a ; bb = b; cc = c; dd = d; ee = e; + + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + + /* Parallel round 1 */ + R(a, b, c, d, e, F4, KK0, 8, 5); + R(e, a, b, c, d, F4, KK0, 9, 14); + R(d, e, a, b, c, F4, KK0, 9, 7); + R(c, d, e, a, b, F4, KK0, 11, 0); + R(b, c, d, e, a, F4, KK0, 13, 9); + R(a, b, c, d, e, F4, KK0, 15, 2); + R(e, a, b, c, d, F4, KK0, 15, 11); + R(d, e, a, b, c, F4, KK0, 5, 4); + R(c, d, e, a, b, F4, KK0, 7, 13); + R(b, c, d, e, a, F4, KK0, 7, 6); + R(a, b, c, d, e, F4, KK0, 8, 15); + R(e, a, b, c, d, F4, KK0, 11, 8); + R(d, e, a, b, c, F4, KK0, 14, 1); + R(c, d, e, a, b, F4, KK0, 14, 10); + R(b, c, d, e, a, F4, KK0, 12, 3); + R(a, b, c, d, e, F4, KK0, 6, 12); /* #15 */ + /* Parallel round 2 */ + R(e, a, b, c, d, F3, KK1, 9, 6); + R(d, e, a, b, c, F3, KK1, 13, 11); + R(c, d, e, a, b, F3, KK1, 15, 3); + R(b, c, d, e, a, F3, KK1, 7, 7); + R(a, b, c, d, e, F3, KK1, 12, 0); + R(e, a, b, c, d, F3, KK1, 8, 13); + R(d, e, a, b, c, F3, KK1, 9, 5); + R(c, d, e, a, b, F3, KK1, 11, 10); + R(b, c, d, e, a, F3, KK1, 7, 14); + R(a, b, c, d, e, F3, KK1, 7, 15); + R(e, a, b, c, d, F3, KK1, 12, 8); + R(d, e, a, b, c, F3, KK1, 7, 12); + R(c, d, e, a, b, F3, KK1, 6, 4); + R(b, c, d, e, a, F3, KK1, 15, 9); + R(a, b, c, d, e, F3, KK1, 13, 1); + R(e, a, b, c, d, F3, KK1, 11, 2); /* #31 */ + /* Parallel round 3 */ + R(d, e, a, b, c, F2, KK2, 9, 15); + R(c, d, e, a, b, F2, KK2, 7, 5); + R(b, c, d, e, a, F2, KK2, 15, 1); + R(a, b, c, d, e, F2, KK2, 11, 3); + R(e, a, b, c, d, F2, KK2, 8, 7); + R(d, e, a, b, c, F2, KK2, 6, 14); + R(c, d, e, a, b, F2, KK2, 6, 6); + R(b, c, d, e, a, F2, KK2, 14, 9); + R(a, b, c, d, e, F2, KK2, 12, 11); + R(e, a, b, c, d, F2, KK2, 13, 8); + R(d, e, a, b, c, F2, KK2, 5, 12); + R(c, d, e, a, b, F2, KK2, 14, 2); + R(b, c, d, e, a, F2, KK2, 13, 10); + R(a, b, c, d, e, F2, KK2, 13, 0); + R(e, a, b, c, d, F2, KK2, 7, 4); + R(d, e, a, b, c, F2, KK2, 5, 13); /* #47 */ + /* Parallel round 4 */ + R(c, d, e, a, b, F1, KK3, 15, 8); + R(b, c, d, e, a, F1, KK3, 5, 6); + R(a, b, c, d, e, F1, KK3, 8, 4); + R(e, a, b, c, d, F1, KK3, 11, 1); + R(d, e, a, b, c, F1, KK3, 14, 3); + R(c, d, e, a, b, F1, KK3, 14, 11); + R(b, c, d, e, a, F1, KK3, 6, 15); + R(a, b, c, d, e, F1, KK3, 14, 0); + R(e, a, b, c, d, F1, KK3, 6, 5); + R(d, e, a, b, c, F1, KK3, 9, 12); + R(c, d, e, a, b, F1, KK3, 12, 2); + R(b, c, d, e, a, F1, KK3, 9, 13); + R(a, b, c, d, e, F1, KK3, 12, 9); + R(e, a, b, c, d, F1, KK3, 5, 7); + R(d, e, a, b, c, F1, KK3, 15, 10); + R(c, d, e, a, b, F1, KK3, 8, 14); /* #63 */ + /* Parallel round 5 */ + R(b, c, d, e, a, F0, KK4, 8, 12); + R(a, b, c, d, e, F0, KK4, 5, 15); + R(e, a, b, c, d, F0, KK4, 12, 10); + R(d, e, a, b, c, F0, KK4, 9, 4); + R(c, d, e, a, b, F0, KK4, 12, 1); + R(b, c, d, e, a, F0, KK4, 5, 5); + R(a, b, c, d, e, F0, KK4, 14, 8); + R(e, a, b, c, d, F0, KK4, 6, 7); + R(d, e, a, b, c, F0, KK4, 8, 6); + R(c, d, e, a, b, F0, KK4, 13, 2); + R(b, c, d, e, a, F0, KK4, 6, 13); + R(a, b, c, d, e, F0, KK4, 5, 14); + R(e, a, b, c, d, F0, KK4, 15, 0); + R(d, e, a, b, c, F0, KK4, 13, 3); + R(c, d, e, a, b, F0, KK4, 11, 9); + R(b, c, d, e, a, F0, KK4, 11, 11); /* #79 */ + + t = state[1] + cc + d; + state[1] = state[2] + dd + e; + state[2] = state[3] + ee + a; + state[3] = state[4] + aa + b; + state[4] = state[0] + bb + c; + state[0] = t; +} diff --git a/crypto/set_key.c b/crypto/set_key.c new file mode 100644 index 0000000000..0f2595d619 --- /dev/null +++ b/crypto/set_key.c @@ -0,0 +1,214 @@ +/* $OpenBSD: set_key.c,v 1.5 2021/03/12 10:22:46 jsg Exp $ */ + +/* lib/des/set_key.c */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +/* set_key.c v 1.4 eay 24/9/91 + * 1.4 Speed up by 400% :-) + * 1.3 added register declarations. + * 1.2 unrolled make_key_sched a bit more + * 1.1 added norm_expand_bits + * 1.0 First working version + */ +#include "des_locl.h" +#include "podd.h" +#include "sk.h" + +static int check_parity(des_cblock (*key)); + +int des_check_key=0; + +static int +check_parity(des_cblock (*key)) +{ + int i; + + for (i = 0; i < DES_KEY_SZ; i++) { + if ((*key)[i] != odd_parity[(*key)[i]]) + return(0); + } + return (1); +} + +/* Weak and semi week keys as take from + * %A D.W. Davies + * %A W.L. Price + * %T Security for Computer Networks + * %I John Wiley & Sons + * %D 1984 + * Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference + * (and actual cblock values). + */ +#define NUM_WEAK_KEY 16 +static des_cblock weak_keys[NUM_WEAK_KEY]={ + /* weak keys */ + {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, + {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE}, + {0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F}, + {0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0}, + /* semi-weak keys */ + {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, + {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01}, + {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, + {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E}, + {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, + {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01}, + {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, + {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E}, + {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, + {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01}, + {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, + {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}}; + +int +des_is_weak_key(des_cblock (*key)) +{ + int i; + + for (i = 0; i < NUM_WEAK_KEY; i++) { + /* Added == 0 to comparison, I obviously don't run + * this section very often :-(, thanks to + * engineering@MorningStar.Com for the fix + * eay 93/06/29 */ + if (bcmp(weak_keys[i], key, sizeof(des_cblock)) == 0) + return (1); + } + return (0); +} + +/* NOW DEFINED IN des_local.h + * See ecb_encrypt.c for a pseudo description of these macros. + * #define PERM_OP(a, b, t, n, m) ((t) = ((((a) >> (n))^(b)) & (m)),\ + * (b)^=(t),\ + * (a) = ((a)^((t) << (n)))) + */ + +#define HPERM_OP(a, t, n, m) ((t) = ((((a) << (16 - (n)))^(a)) & (m)),\ + (a) = (a)^(t)^(t >> (16 - (n)))) + +static int shifts2[16]={0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0}; + +/* return 0 if key parity is odd (correct), + * return -1 if key parity error, + * return -2 if illegal weak key. + */ +int +des_set_key(des_cblock (*key), des_key_schedule schedule) +{ + register u_int32_t c, d, t, s; + register unsigned char *in; + register u_int32_t *k; + register int i; + + if (des_check_key) { + if (!check_parity(key)) + return(-1); + + if (des_is_weak_key(key)) + return(-2); + } + + k = (u_int32_t *) schedule; + in = (unsigned char *) key; + + c2l(in, c); + c2l(in, d); + + /* do PC1 in 60 simple operations */ +/* PERM_OP(d, c, t, 4, 0x0f0f0f0fL); + HPERM_OP(c, t, -2, 0xcccc0000L); + HPERM_OP(c, t, -1, 0xaaaa0000L); + HPERM_OP(c, t, 8, 0x00ff0000L); + HPERM_OP(c, t, -1, 0xaaaa0000L); + HPERM_OP(d, t, -8, 0xff000000L); + HPERM_OP(d, t, 8, 0x00ff0000L); + HPERM_OP(d, t, 2, 0x33330000L); + d = ((d & 0x00aa00aaL) << 7L) | ((d & 0x55005500L) >> 7L) | (d & 0xaa55aa55L); + d = (d >> 8) | ((c & 0xf0000000L) >> 4); + c &= 0x0fffffffL; */ + + /* I now do it in 47 simple operations :-) + * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov) + * for the inspiration. :-) */ + PERM_OP (d, c, t, 4, 0x0f0f0f0fL); + HPERM_OP(c, t, -2, 0xcccc0000L); + HPERM_OP(d, t, -2, 0xcccc0000L); + PERM_OP (d, c, t, 1, 0x55555555L); + PERM_OP (c, d, t, 8, 0x00ff00ffL); + PERM_OP (d, c, t, 1, 0x55555555L); + d = (((d & 0x000000ffL) << 16L) | (d & 0x0000ff00L) | + ((d & 0x00ff0000L) >> 16L) | ((c & 0xf0000000L) >> 4L)); + c &= 0x0fffffffL; + + for (i = 0; i < ITERATIONS; i++) { + if (shifts2[i]) + { c = ((c >> 2L) | (c << 26L)); d = ((d >> 2L) | (d << 26L)); } + else + { c = ((c >> 1L) | (c << 27L)); d = ((d >> 1L) | (d << 27L)); } + c &= 0x0fffffffL; + d &= 0x0fffffffL; + /* could be a few less shifts but I am to lazy at this + * point in time to investigate */ + s = des_skb[0][ (c ) & 0x3f ]| + des_skb[1][((c >> 6) & 0x03) | ((c >> 7L) & 0x3c)]| + des_skb[2][((c >> 13) & 0x0f) | ((c >> 14L) & 0x30)]| + des_skb[3][((c >> 20) & 0x01) | ((c >> 21L) & 0x06) | + ((c >> 22L) & 0x38)]; + t = des_skb[4][ (d ) & 0x3f ]| + des_skb[5][((d >> 7L) & 0x03) | ((d >> 8L) & 0x3c)]| + des_skb[6][ (d >> 15L) & 0x3f ]| + des_skb[7][((d >> 21L) & 0x0f) | ((d >> 22L) & 0x30)]; + + /* table contained 0213 4657 */ + *(k++) = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL; + s = ((s >> 16L) | (t & 0xffff0000L)); + + s = (s << 4L) | (s >> 28L); + *(k++) = s & 0xffffffffL; + } + return (0); +} diff --git a/crypto/sha1.c b/crypto/sha1.c new file mode 100644 index 0000000000..1e910ae5a9 --- /dev/null +++ b/crypto/sha1.c @@ -0,0 +1,169 @@ +/* $OpenBSD: sha1.c,v 1.11 2014/12/28 10:04:35 tedu Exp $ */ + +/* + * SHA-1 in C + * By Steve Reid + * 100% Public Domain + * + * Test Vectors (from FIPS PUB 180-1) + * "abc" + * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D + * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 + * A million repetitions of "a" + * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F +*/ + +/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */ +/* #define SHA1HANDSOFF * Copies data before messing with it. */ + +#define SHA1HANDSOFF + +#include +#include + +#include + +#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) + +/* blk0() and blk() perform the initial expand. */ +/* I got the idea of expanding during the round function from SSLeay */ +#if BYTE_ORDER == LITTLE_ENDIAN +#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ + |(rol(block->l[i],8)&0x00FF00FF)) +#else +#define blk0(i) block->l[i] +#endif +#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ + ^block->l[(i+2)&15]^block->l[i&15],1)) + +/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ +#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); +#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); + +/* Hash a single 512-bit block. This is the core of the algorithm. */ + +void +SHA1Transform(u_int32_t state[5], const unsigned char buffer[SHA1_BLOCK_LENGTH]) +{ + u_int32_t a, b, c, d, e; + typedef union { + unsigned char c[64]; + unsigned int l[16]; + } CHAR64LONG16; + CHAR64LONG16* block; +#ifdef SHA1HANDSOFF + unsigned char workspace[SHA1_BLOCK_LENGTH]; + + block = (CHAR64LONG16 *)workspace; + memcpy(block, buffer, SHA1_BLOCK_LENGTH); +#else + block = (CHAR64LONG16 *)buffer; +#endif + /* Copy context->state[] to working vars */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + + /* 4 rounds of 20 operations each. Loop unrolled. */ + R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); + R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); + R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); + R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); + R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); + R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); + R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); + R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); + R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); + R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); + R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); + R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); + R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); + R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); + R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); + R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); + R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); + R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); + R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); + R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); + + /* Add the working vars back into context.state[] */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + /* Wipe variables */ + a = b = c = d = e = 0; +} + + +/* SHA1Init - Initialize new context */ + +void +SHA1Init(SHA1_CTX *context) +{ + /* SHA1 initialization constants */ + context->count = 0; + context->state[0] = 0x67452301; + context->state[1] = 0xEFCDAB89; + context->state[2] = 0x98BADCFE; + context->state[3] = 0x10325476; + context->state[4] = 0xC3D2E1F0; +} + + +/* Run your data through this. */ + +void +SHA1Update(SHA1_CTX *context, const void *dataptr, unsigned int len) +{ + const uint8_t *data = dataptr; + unsigned int i; + unsigned int j; + + j = (u_int32_t)((context->count >> 3) & 63); + context->count += (len << 3); + if ((j + len) > 63) { + memcpy(&context->buffer[j], data, (i = 64 - j)); + SHA1Transform(context->state, context->buffer); + for ( ; i + 63 < len; i += 64) { + SHA1Transform(context->state, &data[i]); + } + j = 0; + } + else i = 0; + memcpy(&context->buffer[j], &data[i], len - i); +} + + +/* Add padding and return the message digest. */ + +void +SHA1Final(unsigned char digest[SHA1_DIGEST_LENGTH], SHA1_CTX *context) +{ + unsigned int i; + unsigned char finalcount[8]; + + for (i = 0; i < 8; i++) { + finalcount[i] = (unsigned char)((context->count >> + ((7 - (i & 7)) * 8)) & 255); /* Endian independent */ + } + SHA1Update(context, "\200", 1); + while ((context->count & 504) != 448) { + SHA1Update(context, "\0", 1); + } + SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ + + for (i = 0; i < SHA1_DIGEST_LENGTH; i++) { + digest[i] = (unsigned char)((context->state[i >> 2] >> + ((3 - (i & 3)) * 8)) & 255); + } + explicit_bzero(&finalcount, sizeof(finalcount)); + explicit_bzero(context, sizeof(*context)); +} diff --git a/crypto/sha2.c b/crypto/sha2.c new file mode 100644 index 0000000000..769b73262c --- /dev/null +++ b/crypto/sha2.c @@ -0,0 +1,855 @@ +/* $OpenBSD: sha2.c,v 1.19 2021/03/12 10:22:46 jsg Exp $ */ + +/* + * FILE: sha2.c + * AUTHOR: Aaron D. Gifford + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ + */ + +#include +#include +#include + +/* + * UNROLLED TRANSFORM LOOP NOTE: + * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform + * loop version for the hash transform rounds (defined using macros + * later in this file). Either define on the command line, for example: + * + * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c + * + * or define below: + * + * #define SHA2_UNROLL_TRANSFORM + * + */ +#ifndef SMALL_KERNEL +#if defined(__amd64__) || defined(__i386__) +#define SHA2_UNROLL_TRANSFORM +#endif +#endif + +/*** SHA-256/384/512 Machine Architecture Definitions *****************/ +/* + * BYTE_ORDER NOTE: + * + * Please make sure that your system defines BYTE_ORDER. If your + * architecture is little-endian, make sure it also defines + * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are + * equivalent. + * + * If your system does not define the above, then you can do so by + * hand like this: + * + * #define LITTLE_ENDIAN 1234 + * #define BIG_ENDIAN 4321 + * + * And for little-endian machines, add: + * + * #define BYTE_ORDER LITTLE_ENDIAN + * + * Or for big-endian machines: + * + * #define BYTE_ORDER BIG_ENDIAN + * + * The FreeBSD machine this was written on defines BYTE_ORDER + * appropriately by including (which in turn includes + * where the appropriate definitions are actually + * made). + */ +#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) +#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN +#endif + + +/*** SHA-256/384/512 Various Length Definitions ***********************/ +/* NOTE: Most of these are in sha2.h */ +#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) +#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) +#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) + +/* + * Macro for incrementally adding the unsigned 64-bit integer n to the + * unsigned 128-bit integer (represented using a two-element array of + * 64-bit words): + */ +#define ADDINC128(w,n) { \ + (w)[0] += (u_int64_t)(n); \ + if ((w)[0] < (n)) { \ + (w)[1]++; \ + } \ +} + +/*** THE SIX LOGICAL FUNCTIONS ****************************************/ +/* + * Bit shifting and rotation (used by the six SHA-XYZ logical functions: + * + * NOTE: The naming of R and S appears backwards here (R is a SHIFT and + * S is a ROTATION) because the SHA-256/384/512 description document + * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this + * same "backwards" definition. + */ +/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ +#define R(b,x) ((x) >> (b)) +/* 32-bit Rotate-right (used in SHA-256): */ +#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) +/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ +#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) + +/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +/* Four of six logical functions used in SHA-256: */ +#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) +#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) +#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) +#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) + +/* Four of six logical functions used in SHA-384 and SHA-512: */ +#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) +#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) +#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) +#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) + +/*** INTERNAL FUNCTION PROTOTYPES *************************************/ +/* NOTE: These should not be accessed directly from outside this + * library -- they are intended for private internal visibility/use + * only. + */ +void SHA512Last(SHA2_CTX *); +void SHA256Transform(u_int32_t *, const u_int8_t *); +void SHA512Transform(u_int64_t *, const u_int8_t *); + + +/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ +/* Hash constant words K for SHA-256: */ +const static u_int32_t K256[64] = { + 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, + 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, + 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, + 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, + 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, + 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, + 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, + 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, + 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, + 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, + 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, + 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, + 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, + 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, + 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, + 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL +}; + +/* Initial hash value H for SHA-256: */ +const static u_int32_t sha256_initial_hash_value[8] = { + 0x6a09e667UL, + 0xbb67ae85UL, + 0x3c6ef372UL, + 0xa54ff53aUL, + 0x510e527fUL, + 0x9b05688cUL, + 0x1f83d9abUL, + 0x5be0cd19UL +}; + +/* Hash constant words K for SHA-384 and SHA-512: */ +const static u_int64_t K512[80] = { + 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, + 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, + 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, + 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, + 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, + 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, + 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, + 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, + 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, + 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, + 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, + 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, + 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, + 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, + 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, + 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, + 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, + 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, + 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, + 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, + 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, + 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, + 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, + 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, + 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, + 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, + 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, + 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, + 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, + 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, + 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, + 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, + 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, + 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, + 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, + 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, + 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, + 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, + 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, + 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL +}; + +/* Initial hash value H for SHA-384 */ +const static u_int64_t sha384_initial_hash_value[8] = { + 0xcbbb9d5dc1059ed8ULL, + 0x629a292a367cd507ULL, + 0x9159015a3070dd17ULL, + 0x152fecd8f70e5939ULL, + 0x67332667ffc00b31ULL, + 0x8eb44a8768581511ULL, + 0xdb0c2e0d64f98fa7ULL, + 0x47b5481dbefa4fa4ULL +}; + +/* Initial hash value H for SHA-512 */ +const static u_int64_t sha512_initial_hash_value[8] = { + 0x6a09e667f3bcc908ULL, + 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, + 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, + 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, + 0x5be0cd19137e2179ULL +}; + + +/*** SHA-256: *********************************************************/ +void +SHA256Init(SHA2_CTX *context) +{ + memcpy(context->state.st32, sha256_initial_hash_value, + SHA256_DIGEST_LENGTH); + memset(context->buffer, 0, SHA256_BLOCK_LENGTH); + context->bitcount[0] = 0; +} + +#ifdef SHA2_UNROLL_TRANSFORM + +/* Unrolled SHA-256 round macros: */ + +#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ + W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \ + ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \ + data += 4; \ + T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ + (d) += T1; \ + (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ + j++; \ +} while(0) + +#define ROUND256(a,b,c,d,e,f,g,h) do { \ + s0 = W256[(j+1)&0x0f]; \ + s0 = sigma0_256(s0); \ + s1 = W256[(j+14)&0x0f]; \ + s1 = sigma1_256(s1); \ + T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ + (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ + (d) += T1; \ + (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ + j++; \ +} while(0) + +void +SHA256Transform(u_int32_t *state, const u_int8_t *data) +{ + u_int32_t a, b, c, d, e, f, g, h, s0, s1; + u_int32_t T1, W256[16]; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + f = state[5]; + g = state[6]; + h = state[7]; + + j = 0; + do { + /* Rounds 0 to 15 (unrolled): */ + ROUND256_0_TO_15(a,b,c,d,e,f,g,h); + ROUND256_0_TO_15(h,a,b,c,d,e,f,g); + ROUND256_0_TO_15(g,h,a,b,c,d,e,f); + ROUND256_0_TO_15(f,g,h,a,b,c,d,e); + ROUND256_0_TO_15(e,f,g,h,a,b,c,d); + ROUND256_0_TO_15(d,e,f,g,h,a,b,c); + ROUND256_0_TO_15(c,d,e,f,g,h,a,b); + ROUND256_0_TO_15(b,c,d,e,f,g,h,a); + } while (j < 16); + + /* Now for the remaining rounds to 64: */ + do { + ROUND256(a,b,c,d,e,f,g,h); + ROUND256(h,a,b,c,d,e,f,g); + ROUND256(g,h,a,b,c,d,e,f); + ROUND256(f,g,h,a,b,c,d,e); + ROUND256(e,f,g,h,a,b,c,d); + ROUND256(d,e,f,g,h,a,b,c); + ROUND256(c,d,e,f,g,h,a,b); + ROUND256(b,c,d,e,f,g,h,a); + } while (j < 64); + + /* Compute the current intermediate hash value */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + state[5] += f; + state[6] += g; + state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = 0; +} + +#else /* SHA2_UNROLL_TRANSFORM */ + +void +SHA256Transform(u_int32_t *state, const u_int8_t *data) +{ + u_int32_t a, b, c, d, e, f, g, h, s0, s1; + u_int32_t T1, T2, W256[16]; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + f = state[5]; + g = state[6]; + h = state[7]; + + j = 0; + do { + W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | + ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); + data += 4; + /* Apply the SHA-256 compression function to update a..h */ + T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; + T2 = Sigma0_256(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 16); + + do { + /* Part of the message block expansion: */ + s0 = W256[(j+1)&0x0f]; + s0 = sigma0_256(s0); + s1 = W256[(j+14)&0x0f]; + s1 = sigma1_256(s1); + + /* Apply the SHA-256 compression function to update a..h */ + T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + + (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); + T2 = Sigma0_256(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 64); + + /* Compute the current intermediate hash value */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + state[5] += f; + state[6] += g; + state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = T2 = 0; +} + +#endif /* SHA2_UNROLL_TRANSFORM */ + +void +SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len) +{ + const uint8_t *data = dataptr; + size_t freespace, usedspace; + + /* Calling with no data is valid (we do nothing) */ + if (len == 0) + return; + + usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; + if (usedspace > 0) { + /* Calculate how much free space is available in the buffer */ + freespace = SHA256_BLOCK_LENGTH - usedspace; + + if (len >= freespace) { + /* Fill the buffer completely and process it */ + memcpy(&context->buffer[usedspace], data, freespace); + context->bitcount[0] += freespace << 3; + len -= freespace; + data += freespace; + SHA256Transform(context->state.st32, context->buffer); + } else { + /* The buffer is not yet full */ + memcpy(&context->buffer[usedspace], data, len); + context->bitcount[0] += len << 3; + /* Clean up: */ + usedspace = freespace = 0; + return; + } + } + while (len >= SHA256_BLOCK_LENGTH) { + /* Process as many complete blocks as we can */ + SHA256Transform(context->state.st32, data); + context->bitcount[0] += SHA256_BLOCK_LENGTH << 3; + len -= SHA256_BLOCK_LENGTH; + data += SHA256_BLOCK_LENGTH; + } + if (len > 0) { + /* There's left-overs, so save 'em */ + memcpy(context->buffer, data, len); + context->bitcount[0] += len << 3; + } + /* Clean up: */ + usedspace = freespace = 0; +} + +void +SHA256Final(u_int8_t digest[], SHA2_CTX *context) +{ + unsigned int usedspace; + + usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; +#if BYTE_ORDER == LITTLE_ENDIAN + /* Convert FROM host byte order */ + context->bitcount[0] = swap64(context->bitcount[0]); +#endif + if (usedspace > 0) { + /* Begin padding with a 1 bit: */ + context->buffer[usedspace++] = 0x80; + + if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { + /* Set-up for the last transform: */ + memset(&context->buffer[usedspace], 0, + SHA256_SHORT_BLOCK_LENGTH - usedspace); + } else { + if (usedspace < SHA256_BLOCK_LENGTH) { + memset(&context->buffer[usedspace], 0, + SHA256_BLOCK_LENGTH - usedspace); + } + /* Do second-to-last transform: */ + SHA256Transform(context->state.st32, context->buffer); + + /* And set-up for the last transform: */ + memset(context->buffer, 0, + SHA256_SHORT_BLOCK_LENGTH); + } + } else { + /* Set-up for the last transform: */ + memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); + + /* Begin padding with a 1 bit: */ + *context->buffer = 0x80; + } + /* Set the bit count: */ + *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0]; + + /* Final transform: */ + SHA256Transform(context->state.st32, context->buffer); + +#if BYTE_ORDER == LITTLE_ENDIAN + { + /* Convert TO host byte order */ + int j; + for (j = 0; j < 8; j++) { + context->state.st32[j] = swap32(context->state.st32[j]); + } + } +#endif + memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH); + /* Clean up state data: */ + explicit_bzero(context, sizeof(*context)); + usedspace = 0; +} + + +/*** SHA-512: *********************************************************/ +void +SHA512Init(SHA2_CTX *context) +{ + memcpy(context->state.st64, sha512_initial_hash_value, + SHA512_DIGEST_LENGTH); + memset(context->buffer, 0, SHA512_BLOCK_LENGTH); + context->bitcount[0] = context->bitcount[1] = 0; +} + +#ifdef SHA2_UNROLL_TRANSFORM + +/* Unrolled SHA-512 round macros: */ + +#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ + W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \ + ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \ + ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \ + ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \ + data += 8; \ + T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ + (d) += T1; \ + (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ + j++; \ +} while(0) + + +#define ROUND512(a,b,c,d,e,f,g,h) do { \ + s0 = W512[(j+1)&0x0f]; \ + s0 = sigma0_512(s0); \ + s1 = W512[(j+14)&0x0f]; \ + s1 = sigma1_512(s1); \ + T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ + (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ + (d) += T1; \ + (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ + j++; \ +} while(0) + +void +SHA512Transform(u_int64_t *state, const u_int8_t *data) +{ + u_int64_t a, b, c, d, e, f, g, h, s0, s1; + u_int64_t T1, W512[16]; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + f = state[5]; + g = state[6]; + h = state[7]; + + j = 0; + do { + ROUND512_0_TO_15(a,b,c,d,e,f,g,h); + ROUND512_0_TO_15(h,a,b,c,d,e,f,g); + ROUND512_0_TO_15(g,h,a,b,c,d,e,f); + ROUND512_0_TO_15(f,g,h,a,b,c,d,e); + ROUND512_0_TO_15(e,f,g,h,a,b,c,d); + ROUND512_0_TO_15(d,e,f,g,h,a,b,c); + ROUND512_0_TO_15(c,d,e,f,g,h,a,b); + ROUND512_0_TO_15(b,c,d,e,f,g,h,a); + } while (j < 16); + + /* Now for the remaining rounds up to 79: */ + do { + ROUND512(a,b,c,d,e,f,g,h); + ROUND512(h,a,b,c,d,e,f,g); + ROUND512(g,h,a,b,c,d,e,f); + ROUND512(f,g,h,a,b,c,d,e); + ROUND512(e,f,g,h,a,b,c,d); + ROUND512(d,e,f,g,h,a,b,c); + ROUND512(c,d,e,f,g,h,a,b); + ROUND512(b,c,d,e,f,g,h,a); + } while (j < 80); + + /* Compute the current intermediate hash value */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + state[5] += f; + state[6] += g; + state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = 0; +} + +#else /* SHA2_UNROLL_TRANSFORM */ + +void +SHA512Transform(u_int64_t *state, const u_int8_t *data) +{ + u_int64_t a, b, c, d, e, f, g, h, s0, s1; + u_int64_t T1, T2, W512[16]; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + f = state[5]; + g = state[6]; + h = state[7]; + + j = 0; + do { + W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | + ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | + ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | + ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); + data += 8; + /* Apply the SHA-512 compression function to update a..h */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; + T2 = Sigma0_512(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 16); + + do { + /* Part of the message block expansion: */ + s0 = W512[(j+1)&0x0f]; + s0 = sigma0_512(s0); + s1 = W512[(j+14)&0x0f]; + s1 = sigma1_512(s1); + + /* Apply the SHA-512 compression function to update a..h */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + + (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); + T2 = Sigma0_512(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 80); + + /* Compute the current intermediate hash value */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + state[5] += f; + state[6] += g; + state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = T2 = 0; +} + +#endif /* SHA2_UNROLL_TRANSFORM */ + +void +SHA512Update(SHA2_CTX *context, const void *dataptr, size_t len) +{ + const uint8_t *data = dataptr; + size_t freespace, usedspace; + + /* Calling with no data is valid (we do nothing) */ + if (len == 0) + return; + + usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; + if (usedspace > 0) { + /* Calculate how much free space is available in the buffer */ + freespace = SHA512_BLOCK_LENGTH - usedspace; + + if (len >= freespace) { + /* Fill the buffer completely and process it */ + memcpy(&context->buffer[usedspace], data, freespace); + ADDINC128(context->bitcount, freespace << 3); + len -= freespace; + data += freespace; + SHA512Transform(context->state.st64, context->buffer); + } else { + /* The buffer is not yet full */ + memcpy(&context->buffer[usedspace], data, len); + ADDINC128(context->bitcount, len << 3); + /* Clean up: */ + usedspace = freespace = 0; + return; + } + } + while (len >= SHA512_BLOCK_LENGTH) { + /* Process as many complete blocks as we can */ + SHA512Transform(context->state.st64, data); + ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); + len -= SHA512_BLOCK_LENGTH; + data += SHA512_BLOCK_LENGTH; + } + if (len > 0) { + /* There's left-overs, so save 'em */ + memcpy(context->buffer, data, len); + ADDINC128(context->bitcount, len << 3); + } + /* Clean up: */ + usedspace = freespace = 0; +} + +void +SHA512Last(SHA2_CTX *context) +{ + unsigned int usedspace; + + usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; +#if BYTE_ORDER == LITTLE_ENDIAN + /* Convert FROM host byte order */ + context->bitcount[0] = swap64(context->bitcount[0]); + context->bitcount[1] = swap64(context->bitcount[1]); +#endif + if (usedspace > 0) { + /* Begin padding with a 1 bit: */ + context->buffer[usedspace++] = 0x80; + + if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { + /* Set-up for the last transform: */ + memset(&context->buffer[usedspace], 0, + SHA512_SHORT_BLOCK_LENGTH - usedspace); + } else { + if (usedspace < SHA512_BLOCK_LENGTH) { + memset(&context->buffer[usedspace], 0, + SHA512_BLOCK_LENGTH - usedspace); + } + /* Do second-to-last transform: */ + SHA512Transform(context->state.st64, context->buffer); + + /* And set-up for the last transform: */ + memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); + } + } else { + /* Prepare for final transform: */ + memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); + + /* Begin padding with a 1 bit: */ + *context->buffer = 0x80; + } + /* Store the length of input data (in bits): */ + *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; + *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; + + /* Final transform: */ + SHA512Transform(context->state.st64, context->buffer); +} + +void +SHA512Final(u_int8_t digest[], SHA2_CTX *context) +{ + + SHA512Last(context); + + /* Save the hash data for output: */ +#if BYTE_ORDER == LITTLE_ENDIAN + { + /* Convert TO host byte order */ + int j; + for (j = 0; j < 8; j++) { + context->state.st64[j] = swap64(context->state.st64[j]); + } + } +#endif + memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH); + + /* Zero out state data */ + explicit_bzero(context, sizeof(*context)); +} + + +/*** SHA-384: *********************************************************/ +void +SHA384Init(SHA2_CTX *context) +{ + memcpy(context->state.st64, sha384_initial_hash_value, + SHA512_DIGEST_LENGTH); + memset(context->buffer, 0, SHA384_BLOCK_LENGTH); + context->bitcount[0] = context->bitcount[1] = 0; +} + +void +SHA384Update(SHA2_CTX *context, const void *data, size_t len) +{ + SHA512Update(context, data, len); +} + +void +SHA384Final(u_int8_t digest[], SHA2_CTX *context) +{ + + SHA512Last(context); + + /* Save the hash data for output: */ +#if BYTE_ORDER == LITTLE_ENDIAN + { + /* Convert TO host byte order */ + int j; + for (j = 0; j < 6; j++) { + context->state.st64[j] = swap64(context->state.st64[j]); + } + } +#endif + memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH); + /* Zero out state data */ + explicit_bzero(context, sizeof(*context)); +} diff --git a/crypto/siphash.c b/crypto/siphash.c new file mode 100644 index 0000000000..33bb7b4632 --- /dev/null +++ b/crypto/siphash.c @@ -0,0 +1,181 @@ +/* $OpenBSD: siphash.c,v 1.5 2018/01/05 19:05:09 mikeb Exp $ */ + +/*- + * Copyright (c) 2013 Andre Oppermann + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d + * are the number of compression rounds and the number of finalization rounds. + * A compression round is identical to a finalization round and this round + * function is called SipRound. Given a 128-bit key k and a (possibly empty) + * byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m). + * + * Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18, + * by Jean-Philippe Aumasson and Daniel J. Bernstein, + * Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa + * https://131002.net/siphash/siphash.pdf + * https://131002.net/siphash/ + */ + +#include +#include + +#include + +static void SipHash_CRounds(SIPHASH_CTX *, int); +static void SipHash_Rounds(SIPHASH_CTX *, int); + +void +SipHash_Init(SIPHASH_CTX *ctx, const SIPHASH_KEY *key) +{ + uint64_t k0, k1; + + k0 = lemtoh64(&key->k0); + k1 = lemtoh64(&key->k1); + + ctx->v[0] = 0x736f6d6570736575ULL ^ k0; + ctx->v[1] = 0x646f72616e646f6dULL ^ k1; + ctx->v[2] = 0x6c7967656e657261ULL ^ k0; + ctx->v[3] = 0x7465646279746573ULL ^ k1; + + memset(ctx->buf, 0, sizeof(ctx->buf)); + ctx->bytes = 0; +} + +void +SipHash_Update(SIPHASH_CTX *ctx, int rc, int rf, const void *src, size_t len) +{ + const uint8_t *ptr = src; + size_t left, used; + + if (len == 0) + return; + + used = ctx->bytes % sizeof(ctx->buf); + ctx->bytes += len; + + if (used > 0) { + left = sizeof(ctx->buf) - used; + + if (len >= left) { + memcpy(&ctx->buf[used], ptr, left); + SipHash_CRounds(ctx, rc); + len -= left; + ptr += left; + } else { + memcpy(&ctx->buf[used], ptr, len); + return; + } + } + + while (len >= sizeof(ctx->buf)) { + memcpy(ctx->buf, ptr, sizeof(ctx->buf)); + SipHash_CRounds(ctx, rc); + len -= sizeof(ctx->buf); + ptr += sizeof(ctx->buf); + } + + if (len > 0) + memcpy(ctx->buf, ptr, len); +} + +void +SipHash_Final(void *dst, SIPHASH_CTX *ctx, int rc, int rf) +{ + uint64_t r; + + htolem64(&r, SipHash_End(ctx, rc, rf)); + memcpy(dst, &r, sizeof r); +} + +uint64_t +SipHash_End(SIPHASH_CTX *ctx, int rc, int rf) +{ + uint64_t r; + size_t left, used; + + used = ctx->bytes % sizeof(ctx->buf); + left = sizeof(ctx->buf) - used; + memset(&ctx->buf[used], 0, left - 1); + ctx->buf[7] = ctx->bytes; + + SipHash_CRounds(ctx, rc); + ctx->v[2] ^= 0xff; + SipHash_Rounds(ctx, rf); + + r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]); + explicit_bzero(ctx, sizeof(*ctx)); + return (r); +} + +uint64_t +SipHash(const SIPHASH_KEY *key, int rc, int rf, const void *src, size_t len) +{ + SIPHASH_CTX ctx; + + SipHash_Init(&ctx, key); + SipHash_Update(&ctx, rc, rf, src, len); + return (SipHash_End(&ctx, rc, rf)); +} + +#define SIP_ROTL(x, b) ((x) << (b)) | ( (x) >> (64 - (b))) + +static void +SipHash_Rounds(SIPHASH_CTX *ctx, int rounds) +{ + while (rounds--) { + ctx->v[0] += ctx->v[1]; + ctx->v[2] += ctx->v[3]; + ctx->v[1] = SIP_ROTL(ctx->v[1], 13); + ctx->v[3] = SIP_ROTL(ctx->v[3], 16); + + ctx->v[1] ^= ctx->v[0]; + ctx->v[3] ^= ctx->v[2]; + ctx->v[0] = SIP_ROTL(ctx->v[0], 32); + + ctx->v[2] += ctx->v[1]; + ctx->v[0] += ctx->v[3]; + ctx->v[1] = SIP_ROTL(ctx->v[1], 17); + ctx->v[3] = SIP_ROTL(ctx->v[3], 21); + + ctx->v[1] ^= ctx->v[2]; + ctx->v[3] ^= ctx->v[0]; + ctx->v[2] = SIP_ROTL(ctx->v[2], 32); + } +} + +static void +SipHash_CRounds(SIPHASH_CTX *ctx, int rounds) +{ + uint64_t m = lemtoh64((uint64_t *)ctx->buf); + + ctx->v[3] ^= m; + SipHash_Rounds(ctx, rounds); + ctx->v[0] ^= m; +} diff --git a/crypto/sk.h b/crypto/sk.h new file mode 100644 index 0000000000..e087471c0c --- /dev/null +++ b/crypto/sk.h @@ -0,0 +1,195 @@ +/* $OpenBSD: sk.h,v 1.2 2002/10/27 13:24:26 miod Exp $ */ + +/* lib/des/sk.h */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +static const u_int32_t des_skb[8][64]={ +{ +/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ +0x00000000L,0x00000010L,0x20000000L,0x20000010L, +0x00010000L,0x00010010L,0x20010000L,0x20010010L, +0x00000800L,0x00000810L,0x20000800L,0x20000810L, +0x00010800L,0x00010810L,0x20010800L,0x20010810L, +0x00000020L,0x00000030L,0x20000020L,0x20000030L, +0x00010020L,0x00010030L,0x20010020L,0x20010030L, +0x00000820L,0x00000830L,0x20000820L,0x20000830L, +0x00010820L,0x00010830L,0x20010820L,0x20010830L, +0x00080000L,0x00080010L,0x20080000L,0x20080010L, +0x00090000L,0x00090010L,0x20090000L,0x20090010L, +0x00080800L,0x00080810L,0x20080800L,0x20080810L, +0x00090800L,0x00090810L,0x20090800L,0x20090810L, +0x00080020L,0x00080030L,0x20080020L,0x20080030L, +0x00090020L,0x00090030L,0x20090020L,0x20090030L, +0x00080820L,0x00080830L,0x20080820L,0x20080830L, +0x00090820L,0x00090830L,0x20090820L,0x20090830L, +},{ +/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */ +0x00000000L,0x02000000L,0x00002000L,0x02002000L, +0x00200000L,0x02200000L,0x00202000L,0x02202000L, +0x00000004L,0x02000004L,0x00002004L,0x02002004L, +0x00200004L,0x02200004L,0x00202004L,0x02202004L, +0x00000400L,0x02000400L,0x00002400L,0x02002400L, +0x00200400L,0x02200400L,0x00202400L,0x02202400L, +0x00000404L,0x02000404L,0x00002404L,0x02002404L, +0x00200404L,0x02200404L,0x00202404L,0x02202404L, +0x10000000L,0x12000000L,0x10002000L,0x12002000L, +0x10200000L,0x12200000L,0x10202000L,0x12202000L, +0x10000004L,0x12000004L,0x10002004L,0x12002004L, +0x10200004L,0x12200004L,0x10202004L,0x12202004L, +0x10000400L,0x12000400L,0x10002400L,0x12002400L, +0x10200400L,0x12200400L,0x10202400L,0x12202400L, +0x10000404L,0x12000404L,0x10002404L,0x12002404L, +0x10200404L,0x12200404L,0x10202404L,0x12202404L, +},{ +/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */ +0x00000000L,0x00000001L,0x00040000L,0x00040001L, +0x01000000L,0x01000001L,0x01040000L,0x01040001L, +0x00000002L,0x00000003L,0x00040002L,0x00040003L, +0x01000002L,0x01000003L,0x01040002L,0x01040003L, +0x00000200L,0x00000201L,0x00040200L,0x00040201L, +0x01000200L,0x01000201L,0x01040200L,0x01040201L, +0x00000202L,0x00000203L,0x00040202L,0x00040203L, +0x01000202L,0x01000203L,0x01040202L,0x01040203L, +0x08000000L,0x08000001L,0x08040000L,0x08040001L, +0x09000000L,0x09000001L,0x09040000L,0x09040001L, +0x08000002L,0x08000003L,0x08040002L,0x08040003L, +0x09000002L,0x09000003L,0x09040002L,0x09040003L, +0x08000200L,0x08000201L,0x08040200L,0x08040201L, +0x09000200L,0x09000201L,0x09040200L,0x09040201L, +0x08000202L,0x08000203L,0x08040202L,0x08040203L, +0x09000202L,0x09000203L,0x09040202L,0x09040203L, +},{ +/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */ +0x00000000L,0x00100000L,0x00000100L,0x00100100L, +0x00000008L,0x00100008L,0x00000108L,0x00100108L, +0x00001000L,0x00101000L,0x00001100L,0x00101100L, +0x00001008L,0x00101008L,0x00001108L,0x00101108L, +0x04000000L,0x04100000L,0x04000100L,0x04100100L, +0x04000008L,0x04100008L,0x04000108L,0x04100108L, +0x04001000L,0x04101000L,0x04001100L,0x04101100L, +0x04001008L,0x04101008L,0x04001108L,0x04101108L, +0x00020000L,0x00120000L,0x00020100L,0x00120100L, +0x00020008L,0x00120008L,0x00020108L,0x00120108L, +0x00021000L,0x00121000L,0x00021100L,0x00121100L, +0x00021008L,0x00121008L,0x00021108L,0x00121108L, +0x04020000L,0x04120000L,0x04020100L,0x04120100L, +0x04020008L,0x04120008L,0x04020108L,0x04120108L, +0x04021000L,0x04121000L,0x04021100L,0x04121100L, +0x04021008L,0x04121008L,0x04021108L,0x04121108L, +},{ +/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ +0x00000000L,0x10000000L,0x00010000L,0x10010000L, +0x00000004L,0x10000004L,0x00010004L,0x10010004L, +0x20000000L,0x30000000L,0x20010000L,0x30010000L, +0x20000004L,0x30000004L,0x20010004L,0x30010004L, +0x00100000L,0x10100000L,0x00110000L,0x10110000L, +0x00100004L,0x10100004L,0x00110004L,0x10110004L, +0x20100000L,0x30100000L,0x20110000L,0x30110000L, +0x20100004L,0x30100004L,0x20110004L,0x30110004L, +0x00001000L,0x10001000L,0x00011000L,0x10011000L, +0x00001004L,0x10001004L,0x00011004L,0x10011004L, +0x20001000L,0x30001000L,0x20011000L,0x30011000L, +0x20001004L,0x30001004L,0x20011004L,0x30011004L, +0x00101000L,0x10101000L,0x00111000L,0x10111000L, +0x00101004L,0x10101004L,0x00111004L,0x10111004L, +0x20101000L,0x30101000L,0x20111000L,0x30111000L, +0x20101004L,0x30101004L,0x20111004L,0x30111004L, +},{ +/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */ +0x00000000L,0x08000000L,0x00000008L,0x08000008L, +0x00000400L,0x08000400L,0x00000408L,0x08000408L, +0x00020000L,0x08020000L,0x00020008L,0x08020008L, +0x00020400L,0x08020400L,0x00020408L,0x08020408L, +0x00000001L,0x08000001L,0x00000009L,0x08000009L, +0x00000401L,0x08000401L,0x00000409L,0x08000409L, +0x00020001L,0x08020001L,0x00020009L,0x08020009L, +0x00020401L,0x08020401L,0x00020409L,0x08020409L, +0x02000000L,0x0A000000L,0x02000008L,0x0A000008L, +0x02000400L,0x0A000400L,0x02000408L,0x0A000408L, +0x02020000L,0x0A020000L,0x02020008L,0x0A020008L, +0x02020400L,0x0A020400L,0x02020408L,0x0A020408L, +0x02000001L,0x0A000001L,0x02000009L,0x0A000009L, +0x02000401L,0x0A000401L,0x02000409L,0x0A000409L, +0x02020001L,0x0A020001L,0x02020009L,0x0A020009L, +0x02020401L,0x0A020401L,0x02020409L,0x0A020409L, +},{ +/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */ +0x00000000L,0x00000100L,0x00080000L,0x00080100L, +0x01000000L,0x01000100L,0x01080000L,0x01080100L, +0x00000010L,0x00000110L,0x00080010L,0x00080110L, +0x01000010L,0x01000110L,0x01080010L,0x01080110L, +0x00200000L,0x00200100L,0x00280000L,0x00280100L, +0x01200000L,0x01200100L,0x01280000L,0x01280100L, +0x00200010L,0x00200110L,0x00280010L,0x00280110L, +0x01200010L,0x01200110L,0x01280010L,0x01280110L, +0x00000200L,0x00000300L,0x00080200L,0x00080300L, +0x01000200L,0x01000300L,0x01080200L,0x01080300L, +0x00000210L,0x00000310L,0x00080210L,0x00080310L, +0x01000210L,0x01000310L,0x01080210L,0x01080310L, +0x00200200L,0x00200300L,0x00280200L,0x00280300L, +0x01200200L,0x01200300L,0x01280200L,0x01280300L, +0x00200210L,0x00200310L,0x00280210L,0x00280310L, +0x01200210L,0x01200310L,0x01280210L,0x01280310L, +},{ +/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */ +0x00000000L,0x04000000L,0x00040000L,0x04040000L, +0x00000002L,0x04000002L,0x00040002L,0x04040002L, +0x00002000L,0x04002000L,0x00042000L,0x04042000L, +0x00002002L,0x04002002L,0x00042002L,0x04042002L, +0x00000020L,0x04000020L,0x00040020L,0x04040020L, +0x00000022L,0x04000022L,0x00040022L,0x04040022L, +0x00002020L,0x04002020L,0x00042020L,0x04042020L, +0x00002022L,0x04002022L,0x00042022L,0x04042022L, +0x00000800L,0x04000800L,0x00040800L,0x04040800L, +0x00000802L,0x04000802L,0x00040802L,0x04040802L, +0x00002800L,0x04002800L,0x00042800L,0x04042800L, +0x00002802L,0x04002802L,0x00042802L,0x04042802L, +0x00000820L,0x04000820L,0x00040820L,0x04040820L, +0x00000822L,0x04000822L,0x00040822L,0x04040822L, +0x00002820L,0x04002820L,0x00042820L,0x04042820L, +0x00002822L,0x04002822L,0x00042822L,0x04042822L, +}}; diff --git a/crypto/spr.h b/crypto/spr.h new file mode 100644 index 0000000000..8be4254c8c --- /dev/null +++ b/crypto/spr.h @@ -0,0 +1,195 @@ +/* $OpenBSD: spr.h,v 1.2 2002/10/27 13:24:26 miod Exp $ */ + +/* lib/des/spr.h */ +/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au) + * All rights reserved. + * + * This file is part of an SSL implementation written + * by Eric Young (eay@mincom.oz.au). + * The implementation was written so as to conform with Netscapes SSL + * specification. This library and applications are + * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE + * as long as the following conditions are aheared to. + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. If this code is used in a product, + * Eric Young should be given attribution as the author of the parts used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Eric Young (eay@mincom.oz.au) + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +static const u_int32_t des_SPtrans[8][64]={ +{ +/* nibble 0 */ +0x00820200L, 0x00020000L, 0x80800000L, 0x80820200L, +0x00800000L, 0x80020200L, 0x80020000L, 0x80800000L, +0x80020200L, 0x00820200L, 0x00820000L, 0x80000200L, +0x80800200L, 0x00800000L, 0x00000000L, 0x80020000L, +0x00020000L, 0x80000000L, 0x00800200L, 0x00020200L, +0x80820200L, 0x00820000L, 0x80000200L, 0x00800200L, +0x80000000L, 0x00000200L, 0x00020200L, 0x80820000L, +0x00000200L, 0x80800200L, 0x80820000L, 0x00000000L, +0x00000000L, 0x80820200L, 0x00800200L, 0x80020000L, +0x00820200L, 0x00020000L, 0x80000200L, 0x00800200L, +0x80820000L, 0x00000200L, 0x00020200L, 0x80800000L, +0x80020200L, 0x80000000L, 0x80800000L, 0x00820000L, +0x80820200L, 0x00020200L, 0x00820000L, 0x80800200L, +0x00800000L, 0x80000200L, 0x80020000L, 0x00000000L, +0x00020000L, 0x00800000L, 0x80800200L, 0x00820200L, +0x80000000L, 0x80820000L, 0x00000200L, 0x80020200L, +},{ +/* nibble 1 */ +0x10042004L, 0x00000000L, 0x00042000L, 0x10040000L, +0x10000004L, 0x00002004L, 0x10002000L, 0x00042000L, +0x00002000L, 0x10040004L, 0x00000004L, 0x10002000L, +0x00040004L, 0x10042000L, 0x10040000L, 0x00000004L, +0x00040000L, 0x10002004L, 0x10040004L, 0x00002000L, +0x00042004L, 0x10000000L, 0x00000000L, 0x00040004L, +0x10002004L, 0x00042004L, 0x10042000L, 0x10000004L, +0x10000000L, 0x00040000L, 0x00002004L, 0x10042004L, +0x00040004L, 0x10042000L, 0x10002000L, 0x00042004L, +0x10042004L, 0x00040004L, 0x10000004L, 0x00000000L, +0x10000000L, 0x00002004L, 0x00040000L, 0x10040004L, +0x00002000L, 0x10000000L, 0x00042004L, 0x10002004L, +0x10042000L, 0x00002000L, 0x00000000L, 0x10000004L, +0x00000004L, 0x10042004L, 0x00042000L, 0x10040000L, +0x10040004L, 0x00040000L, 0x00002004L, 0x10002000L, +0x10002004L, 0x00000004L, 0x10040000L, 0x00042000L, +},{ +/* nibble 2 */ +0x41000000L, 0x01010040L, 0x00000040L, 0x41000040L, +0x40010000L, 0x01000000L, 0x41000040L, 0x00010040L, +0x01000040L, 0x00010000L, 0x01010000L, 0x40000000L, +0x41010040L, 0x40000040L, 0x40000000L, 0x41010000L, +0x00000000L, 0x40010000L, 0x01010040L, 0x00000040L, +0x40000040L, 0x41010040L, 0x00010000L, 0x41000000L, +0x41010000L, 0x01000040L, 0x40010040L, 0x01010000L, +0x00010040L, 0x00000000L, 0x01000000L, 0x40010040L, +0x01010040L, 0x00000040L, 0x40000000L, 0x00010000L, +0x40000040L, 0x40010000L, 0x01010000L, 0x41000040L, +0x00000000L, 0x01010040L, 0x00010040L, 0x41010000L, +0x40010000L, 0x01000000L, 0x41010040L, 0x40000000L, +0x40010040L, 0x41000000L, 0x01000000L, 0x41010040L, +0x00010000L, 0x01000040L, 0x41000040L, 0x00010040L, +0x01000040L, 0x00000000L, 0x41010000L, 0x40000040L, +0x41000000L, 0x40010040L, 0x00000040L, 0x01010000L, +},{ +/* nibble 3 */ +0x00100402L, 0x04000400L, 0x00000002L, 0x04100402L, +0x00000000L, 0x04100000L, 0x04000402L, 0x00100002L, +0x04100400L, 0x04000002L, 0x04000000L, 0x00000402L, +0x04000002L, 0x00100402L, 0x00100000L, 0x04000000L, +0x04100002L, 0x00100400L, 0x00000400L, 0x00000002L, +0x00100400L, 0x04000402L, 0x04100000L, 0x00000400L, +0x00000402L, 0x00000000L, 0x00100002L, 0x04100400L, +0x04000400L, 0x04100002L, 0x04100402L, 0x00100000L, +0x04100002L, 0x00000402L, 0x00100000L, 0x04000002L, +0x00100400L, 0x04000400L, 0x00000002L, 0x04100000L, +0x04000402L, 0x00000000L, 0x00000400L, 0x00100002L, +0x00000000L, 0x04100002L, 0x04100400L, 0x00000400L, +0x04000000L, 0x04100402L, 0x00100402L, 0x00100000L, +0x04100402L, 0x00000002L, 0x04000400L, 0x00100402L, +0x00100002L, 0x00100400L, 0x04100000L, 0x04000402L, +0x00000402L, 0x04000000L, 0x04000002L, 0x04100400L, +},{ +/* nibble 4 */ +0x02000000L, 0x00004000L, 0x00000100L, 0x02004108L, +0x02004008L, 0x02000100L, 0x00004108L, 0x02004000L, +0x00004000L, 0x00000008L, 0x02000008L, 0x00004100L, +0x02000108L, 0x02004008L, 0x02004100L, 0x00000000L, +0x00004100L, 0x02000000L, 0x00004008L, 0x00000108L, +0x02000100L, 0x00004108L, 0x00000000L, 0x02000008L, +0x00000008L, 0x02000108L, 0x02004108L, 0x00004008L, +0x02004000L, 0x00000100L, 0x00000108L, 0x02004100L, +0x02004100L, 0x02000108L, 0x00004008L, 0x02004000L, +0x00004000L, 0x00000008L, 0x02000008L, 0x02000100L, +0x02000000L, 0x00004100L, 0x02004108L, 0x00000000L, +0x00004108L, 0x02000000L, 0x00000100L, 0x00004008L, +0x02000108L, 0x00000100L, 0x00000000L, 0x02004108L, +0x02004008L, 0x02004100L, 0x00000108L, 0x00004000L, +0x00004100L, 0x02004008L, 0x02000100L, 0x00000108L, +0x00000008L, 0x00004108L, 0x02004000L, 0x02000008L, +},{ +/* nibble 5 */ +0x20000010L, 0x00080010L, 0x00000000L, 0x20080800L, +0x00080010L, 0x00000800L, 0x20000810L, 0x00080000L, +0x00000810L, 0x20080810L, 0x00080800L, 0x20000000L, +0x20000800L, 0x20000010L, 0x20080000L, 0x00080810L, +0x00080000L, 0x20000810L, 0x20080010L, 0x00000000L, +0x00000800L, 0x00000010L, 0x20080800L, 0x20080010L, +0x20080810L, 0x20080000L, 0x20000000L, 0x00000810L, +0x00000010L, 0x00080800L, 0x00080810L, 0x20000800L, +0x00000810L, 0x20000000L, 0x20000800L, 0x00080810L, +0x20080800L, 0x00080010L, 0x00000000L, 0x20000800L, +0x20000000L, 0x00000800L, 0x20080010L, 0x00080000L, +0x00080010L, 0x20080810L, 0x00080800L, 0x00000010L, +0x20080810L, 0x00080800L, 0x00080000L, 0x20000810L, +0x20000010L, 0x20080000L, 0x00080810L, 0x00000000L, +0x00000800L, 0x20000010L, 0x20000810L, 0x20080800L, +0x20080000L, 0x00000810L, 0x00000010L, 0x20080010L, +},{ +/* nibble 6 */ +0x00001000L, 0x00000080L, 0x00400080L, 0x00400001L, +0x00401081L, 0x00001001L, 0x00001080L, 0x00000000L, +0x00400000L, 0x00400081L, 0x00000081L, 0x00401000L, +0x00000001L, 0x00401080L, 0x00401000L, 0x00000081L, +0x00400081L, 0x00001000L, 0x00001001L, 0x00401081L, +0x00000000L, 0x00400080L, 0x00400001L, 0x00001080L, +0x00401001L, 0x00001081L, 0x00401080L, 0x00000001L, +0x00001081L, 0x00401001L, 0x00000080L, 0x00400000L, +0x00001081L, 0x00401000L, 0x00401001L, 0x00000081L, +0x00001000L, 0x00000080L, 0x00400000L, 0x00401001L, +0x00400081L, 0x00001081L, 0x00001080L, 0x00000000L, +0x00000080L, 0x00400001L, 0x00000001L, 0x00400080L, +0x00000000L, 0x00400081L, 0x00400080L, 0x00001080L, +0x00000081L, 0x00001000L, 0x00401081L, 0x00400000L, +0x00401080L, 0x00000001L, 0x00001001L, 0x00401081L, +0x00400001L, 0x00401080L, 0x00401000L, 0x00001001L, +},{ +/* nibble 7 */ +0x08200020L, 0x08208000L, 0x00008020L, 0x00000000L, +0x08008000L, 0x00200020L, 0x08200000L, 0x08208020L, +0x00000020L, 0x08000000L, 0x00208000L, 0x00008020L, +0x00208020L, 0x08008020L, 0x08000020L, 0x08200000L, +0x00008000L, 0x00208020L, 0x00200020L, 0x08008000L, +0x08208020L, 0x08000020L, 0x00000000L, 0x00208000L, +0x08000000L, 0x00200000L, 0x08008020L, 0x08200020L, +0x00200000L, 0x00008000L, 0x08208000L, 0x00000020L, +0x00200000L, 0x00008000L, 0x08000020L, 0x08208020L, +0x00008020L, 0x08000000L, 0x00000000L, 0x00208000L, +0x08200020L, 0x08008020L, 0x08008000L, 0x00200020L, +0x08208000L, 0x00000020L, 0x00200020L, 0x08008000L, +0x08208020L, 0x00200000L, 0x08200000L, 0x08000020L, +0x00208000L, 0x00008020L, 0x08008020L, 0x08200000L, +0x00000020L, 0x08208000L, 0x00208020L, 0x00000000L, +0x08000000L, 0x08200020L, 0x00008000L, 0x00208020L, +}}; diff --git a/crypto/xform.c b/crypto/xform.c new file mode 100644 index 0000000000..5b22ce02e2 --- /dev/null +++ b/crypto/xform.c @@ -0,0 +1,613 @@ +/* $OpenBSD: xform.c,v 1.61 2021/10/22 12:30:53 bluhm Exp $ */ +/* + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr), + * Niels Provos (provos@physnet.uni-hamburg.de), + * Damien Miller (djm@mindrot.org) and + * Mike Belopuhov (mikeb@openbsd.org). + * + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. + * + * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Additional features in 1999 by Angelos D. Keromytis. + * + * AES XTS implementation in 2008 by Damien Miller + * + * AES-GCM-16 and Chacha20-Poly1305 AEAD modes by Mike Belopuhov. + * + * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, + * Angelos D. Keromytis and Niels Provos. + * + * Copyright (C) 2001, Angelos D. Keromytis. + * + * Copyright (C) 2008, Damien Miller + * + * Copyright (C) 2010, 2015, Mike Belopuhov + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +extern void des_ecb3_encrypt(caddr_t, caddr_t, caddr_t, caddr_t, caddr_t, int); + +int des_set_key(void *, caddr_t); +int des3_setkey(void *, u_int8_t *, int); +int blf_setkey(void *, u_int8_t *, int); +int cast5_setkey(void *, u_int8_t *, int); +int aes_setkey(void *, u_int8_t *, int); +int aes_ctr_setkey(void *, u_int8_t *, int); +int aes_xts_setkey(void *, u_int8_t *, int); +int null_setkey(void *, u_int8_t *, int); + +void des3_encrypt(caddr_t, u_int8_t *); +void blf_encrypt(caddr_t, u_int8_t *); +void cast5_encrypt(caddr_t, u_int8_t *); +void aes_encrypt(caddr_t, u_int8_t *); +void null_encrypt(caddr_t, u_int8_t *); +void aes_xts_encrypt(caddr_t, u_int8_t *); + +void des3_decrypt(caddr_t, u_int8_t *); +void blf_decrypt(caddr_t, u_int8_t *); +void cast5_decrypt(caddr_t, u_int8_t *); +void aes_decrypt(caddr_t, u_int8_t *); +void null_decrypt(caddr_t, u_int8_t *); +void aes_xts_decrypt(caddr_t, u_int8_t *); + +void aes_ctr_crypt(caddr_t, u_int8_t *); + +void aes_ctr_reinit(caddr_t, u_int8_t *); +void aes_xts_reinit(caddr_t, u_int8_t *); +void aes_gcm_reinit(caddr_t, u_int8_t *); + +int MD5Update_int(void *, const u_int8_t *, u_int16_t); +int SHA1Update_int(void *, const u_int8_t *, u_int16_t); +int RMD160Update_int(void *, const u_int8_t *, u_int16_t); +int SHA256Update_int(void *, const u_int8_t *, u_int16_t); +int SHA384Update_int(void *, const u_int8_t *, u_int16_t); +int SHA512Update_int(void *, const u_int8_t *, u_int16_t); + +u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); +u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); + +struct aes_ctr_ctx { + AES_CTX ac_key; + u_int8_t ac_block[AESCTR_BLOCKSIZE]; +}; + +struct aes_xts_ctx { + rijndael_ctx key1; + rijndael_ctx key2; + u_int8_t tweak[AES_XTS_BLOCKSIZE]; +}; + +/* Helper */ +void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int); + +/* Encryption instances */ +const struct enc_xform enc_xform_3des = { + CRYPTO_3DES_CBC, "3DES", + 8, 8, 24, 24, 384, + des3_encrypt, + des3_decrypt, + des3_setkey, + NULL +}; + +const struct enc_xform enc_xform_blf = { + CRYPTO_BLF_CBC, "Blowfish", + 8, 8, 5, 56 /* 448 bits, max key */, + sizeof(blf_ctx), + blf_encrypt, + blf_decrypt, + blf_setkey, + NULL +}; + +const struct enc_xform enc_xform_cast5 = { + CRYPTO_CAST_CBC, "CAST-128", + 8, 8, 5, 16, + sizeof(cast_key), + cast5_encrypt, + cast5_decrypt, + cast5_setkey, + NULL +}; + +const struct enc_xform enc_xform_aes = { + CRYPTO_AES_CBC, "AES", + 16, 16, 16, 32, + sizeof(AES_CTX), + aes_encrypt, + aes_decrypt, + aes_setkey, + NULL +}; + +const struct enc_xform enc_xform_aes_ctr = { + CRYPTO_AES_CTR, "AES-CTR", + 16, 8, 16+4, 32+4, + sizeof(struct aes_ctr_ctx), + aes_ctr_crypt, + aes_ctr_crypt, + aes_ctr_setkey, + aes_ctr_reinit +}; + +const struct enc_xform enc_xform_aes_gcm = { + CRYPTO_AES_GCM_16, "AES-GCM", + 1, 8, 16+4, 32+4, + sizeof(struct aes_ctr_ctx), + aes_ctr_crypt, + aes_ctr_crypt, + aes_ctr_setkey, + aes_gcm_reinit +}; + +const struct enc_xform enc_xform_aes_gmac = { + CRYPTO_AES_GMAC, "AES-GMAC", + 1, 8, 16+4, 32+4, 0, + NULL, + NULL, + NULL, + NULL +}; + +const struct enc_xform enc_xform_aes_xts = { + CRYPTO_AES_XTS, "AES-XTS", + 16, 8, 32, 64, + sizeof(struct aes_xts_ctx), + aes_xts_encrypt, + aes_xts_decrypt, + aes_xts_setkey, + aes_xts_reinit +}; + +const struct enc_xform enc_xform_chacha20_poly1305 = { + CRYPTO_CHACHA20_POLY1305, "CHACHA20-POLY1305", + 1, 8, 32+4, 32+4, + sizeof(struct chacha20_ctx), + chacha20_crypt, + chacha20_crypt, + chacha20_setkey, + chacha20_reinit +}; + +const struct enc_xform enc_xform_null = { + CRYPTO_NULL, "NULL", + 4, 0, 0, 256, 0, + null_encrypt, + null_decrypt, + null_setkey, + NULL +}; + +/* Authentication instances */ +const struct auth_hash auth_hash_hmac_md5_96 = { + CRYPTO_MD5_HMAC, "HMAC-MD5", + 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN, + (void (*) (void *)) MD5Init, NULL, NULL, + MD5Update_int, + (void (*) (u_int8_t *, void *)) MD5Final +}; + +const struct auth_hash auth_hash_hmac_sha1_96 = { + CRYPTO_SHA1_HMAC, "HMAC-SHA1", + 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN, + (void (*) (void *)) SHA1Init, NULL, NULL, + SHA1Update_int, + (void (*) (u_int8_t *, void *)) SHA1Final +}; + +const struct auth_hash auth_hash_hmac_ripemd_160_96 = { + CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", + 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN, + (void (*)(void *)) RMD160Init, NULL, NULL, + RMD160Update_int, + (void (*)(u_int8_t *, void *)) RMD160Final +}; + +const struct auth_hash auth_hash_hmac_sha2_256_128 = { + CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", + 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN, + (void (*)(void *)) SHA256Init, NULL, NULL, + SHA256Update_int, + (void (*)(u_int8_t *, void *)) SHA256Final +}; + +const struct auth_hash auth_hash_hmac_sha2_384_192 = { + CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", + 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN, + (void (*)(void *)) SHA384Init, NULL, NULL, + SHA384Update_int, + (void (*)(u_int8_t *, void *)) SHA384Final +}; + +const struct auth_hash auth_hash_hmac_sha2_512_256 = { + CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", + 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN, + (void (*)(void *)) SHA512Init, NULL, NULL, + SHA512Update_int, + (void (*)(u_int8_t *, void *)) SHA512Final +}; + +const struct auth_hash auth_hash_gmac_aes_128 = { + CRYPTO_AES_128_GMAC, "GMAC-AES-128", + 16+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), + AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, + AES_GMAC_Update, AES_GMAC_Final +}; + +const struct auth_hash auth_hash_gmac_aes_192 = { + CRYPTO_AES_192_GMAC, "GMAC-AES-192", + 24+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), + AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, + AES_GMAC_Update, AES_GMAC_Final +}; + +const struct auth_hash auth_hash_gmac_aes_256 = { + CRYPTO_AES_256_GMAC, "GMAC-AES-256", + 32+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX), + AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit, + AES_GMAC_Update, AES_GMAC_Final +}; + +const struct auth_hash auth_hash_chacha20_poly1305 = { + CRYPTO_CHACHA20_POLY1305_MAC, "CHACHA20-POLY1305", + CHACHA20_KEYSIZE+CHACHA20_SALT, POLY1305_BLOCK_LEN, POLY1305_TAGLEN, + sizeof(CHACHA20_POLY1305_CTX), CHACHA20_BLOCK_LEN, + Chacha20_Poly1305_Init, Chacha20_Poly1305_Setkey, + Chacha20_Poly1305_Reinit, Chacha20_Poly1305_Update, + Chacha20_Poly1305_Final +}; + +/* Compression instance */ +const struct comp_algo comp_algo_deflate = { + CRYPTO_DEFLATE_COMP, "Deflate", + 90, deflate_compress, + deflate_decompress +}; + +/* + * Encryption wrapper routines. + */ +void +des3_encrypt(caddr_t key, u_int8_t *blk) +{ + des_ecb3_encrypt(blk, blk, key, key + 128, key + 256, 1); +} + +void +des3_decrypt(caddr_t key, u_int8_t *blk) +{ + des_ecb3_encrypt(blk, blk, key + 256, key + 128, key, 0); +} + +int +des3_setkey(void *sched, u_int8_t *key, int len) +{ + if (des_set_key(key, sched) < 0 || des_set_key(key + 8, sched + 128) + < 0 || des_set_key(key + 16, sched + 256) < 0) + return -1; + + return 0; +} + +void +blf_encrypt(caddr_t key, u_int8_t *blk) +{ + blf_ecb_encrypt((blf_ctx *) key, blk, 8); +} + +void +blf_decrypt(caddr_t key, u_int8_t *blk) +{ + blf_ecb_decrypt((blf_ctx *) key, blk, 8); +} + +int +blf_setkey(void *sched, u_int8_t *key, int len) +{ + blf_key((blf_ctx *)sched, key, len); + + return 0; +} + +int +null_setkey(void *sched, u_int8_t *key, int len) +{ + return 0; +} + +void +null_encrypt(caddr_t key, u_int8_t *blk) +{ +} + +void +null_decrypt(caddr_t key, u_int8_t *blk) +{ +} + +void +cast5_encrypt(caddr_t key, u_int8_t *blk) +{ + cast_encrypt((cast_key *) key, blk, blk); +} + +void +cast5_decrypt(caddr_t key, u_int8_t *blk) +{ + cast_decrypt((cast_key *) key, blk, blk); +} + +int +cast5_setkey(void *sched, u_int8_t *key, int len) +{ + cast_setkey((cast_key *)sched, key, len); + + return 0; +} + +void +aes_encrypt(caddr_t key, u_int8_t *blk) +{ + AES_Encrypt((AES_CTX *)key, blk, blk); +} + +void +aes_decrypt(caddr_t key, u_int8_t *blk) +{ + AES_Decrypt((AES_CTX *)key, blk, blk); +} + +int +aes_setkey(void *sched, u_int8_t *key, int len) +{ + return AES_Setkey((AES_CTX *)sched, key, len); +} + +void +aes_ctr_reinit(caddr_t key, u_int8_t *iv) +{ + struct aes_ctr_ctx *ctx; + + ctx = (struct aes_ctr_ctx *)key; + bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); + + /* reset counter */ + bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); +} + +void +aes_gcm_reinit(caddr_t key, u_int8_t *iv) +{ + struct aes_ctr_ctx *ctx; + + ctx = (struct aes_ctr_ctx *)key; + bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE); + + /* reset counter */ + bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4); + ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */ +} + +void +aes_ctr_crypt(caddr_t key, u_int8_t *data) +{ + struct aes_ctr_ctx *ctx; + u_int8_t keystream[AESCTR_BLOCKSIZE]; + int i; + + ctx = (struct aes_ctr_ctx *)key; + /* increment counter */ + for (i = AESCTR_BLOCKSIZE - 1; + i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--) + if (++ctx->ac_block[i]) /* continue on overflow */ + break; + AES_Encrypt(&ctx->ac_key, ctx->ac_block, keystream); + for (i = 0; i < AESCTR_BLOCKSIZE; i++) + data[i] ^= keystream[i]; + explicit_bzero(keystream, sizeof(keystream)); +} + +int +aes_ctr_setkey(void *sched, u_int8_t *key, int len) +{ + struct aes_ctr_ctx *ctx; + + if (len < AESCTR_NONCESIZE) + return -1; + + ctx = (struct aes_ctr_ctx *)sched; + if (AES_Setkey(&ctx->ac_key, key, len - AESCTR_NONCESIZE) != 0) + return -1; + bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE); + return 0; +} + +void +aes_xts_reinit(caddr_t key, u_int8_t *iv) +{ + struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; + u_int64_t blocknum; + u_int i; + + /* + * Prepare tweak as E_k2(IV). IV is specified as LE representation + * of a 64-bit block number which we allow to be passed in directly. + */ + memcpy(&blocknum, iv, AES_XTS_IVSIZE); + for (i = 0; i < AES_XTS_IVSIZE; i++) { + ctx->tweak[i] = blocknum & 0xff; + blocknum >>= 8; + } + /* Last 64 bits of IV are always zero */ + bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); + + rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); +} + +void +aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) +{ + u_int8_t block[AES_XTS_BLOCKSIZE]; + u_int i, carry_in, carry_out; + + for (i = 0; i < AES_XTS_BLOCKSIZE; i++) + block[i] = data[i] ^ ctx->tweak[i]; + + if (do_encrypt) + rijndael_encrypt(&ctx->key1, block, data); + else + rijndael_decrypt(&ctx->key1, block, data); + + for (i = 0; i < AES_XTS_BLOCKSIZE; i++) + data[i] ^= ctx->tweak[i]; + + /* Exponentiate tweak */ + carry_in = 0; + for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { + carry_out = ctx->tweak[i] & 0x80; + ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in; + carry_in = carry_out >> 7; + } + ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in); + explicit_bzero(block, sizeof(block)); +} + +void +aes_xts_encrypt(caddr_t key, u_int8_t *data) +{ + aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); +} + +void +aes_xts_decrypt(caddr_t key, u_int8_t *data) +{ + aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); +} + +int +aes_xts_setkey(void *sched, u_int8_t *key, int len) +{ + struct aes_xts_ctx *ctx; + + if (len != 32 && len != 64) + return -1; + + ctx = (struct aes_xts_ctx *)sched; + + rijndael_set_key(&ctx->key1, key, len * 4); + rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); + + return 0; +} + +/* + * And now for auth. + */ + +int +RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) +{ + RMD160Update(ctx, buf, len); + return 0; +} + +int +MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) +{ + MD5Update(ctx, buf, len); + return 0; +} + +int +SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) +{ + SHA1Update(ctx, buf, len); + return 0; +} + +int +SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) +{ + SHA256Update(ctx, buf, len); + return 0; +} + +int +SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) +{ + SHA384Update(ctx, buf, len); + return 0; +} + +int +SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len) +{ + SHA512Update(ctx, buf, len); + return 0; +} + + +u_int32_t deflate_global(u_int8_t *, u_int32_t, int, u_int8_t **); + +struct deflate_buf { + u_int8_t *out; + u_int32_t size; + int flag; +}; + +/* + * And compression + */ + +u_int32_t +deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out) +{ + return deflate_global(data, size, 0, out); +} + +u_int32_t +deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out) +{ + return deflate_global(data, size, 1, out); +} diff --git a/include/crypto/aes.h b/include/crypto/aes.h new file mode 100644 index 0000000000..8c685ef058 --- /dev/null +++ b/include/crypto/aes.h @@ -0,0 +1,50 @@ +/* $OpenBSD: aes.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Copyright (c) 2016 Thomas Pornin + * Copyright (c) 2016 Mike Belopuhov + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#ifndef _AES_H_ +#define _AES_H_ + +#ifndef AES_MAXROUNDS +#define AES_MAXROUNDS (14) +#endif + +typedef struct aes_ctx { + uint32_t sk[60]; + uint32_t sk_exp[120]; + + unsigned num_rounds; +} AES_CTX; + +int AES_Setkey(AES_CTX *, const uint8_t *, int); +void AES_Encrypt(AES_CTX *, const uint8_t *, uint8_t *); +void AES_Decrypt(AES_CTX *, const uint8_t *, uint8_t *); +void AES_Encrypt_ECB(AES_CTX *, const uint8_t *, uint8_t *, size_t); +void AES_Decrypt_ECB(AES_CTX *, const uint8_t *, uint8_t *, size_t); + +int AES_KeySetup_Encrypt(uint32_t *, const uint8_t *, int); +int AES_KeySetup_Decrypt(uint32_t *, const uint8_t *, int); + +#endif /* _AES_H_ */ diff --git a/include/crypto/blf.h b/include/crypto/blf.h new file mode 100644 index 0000000000..7ea350c529 --- /dev/null +++ b/include/crypto/blf.h @@ -0,0 +1,79 @@ +/* $OpenBSD: blf.h,v 1.7 2021/11/29 01:04:45 djm Exp $ */ + +/* + * Blowfish - a fast block cipher designed by Bruce Schneier + * + * Copyright 1997 Niels Provos + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _BLF_H_ +#define _BLF_H_ + +/* Schneier states the maximum key length to be 56 bytes. + * The way how the subkeys are initialized by the key up + * to (N+2)*4 i.e. 72 bytes are utilized. + * Warning: For normal blowfish encryption only 56 bytes + * of the key affect all cipherbits. + */ + +#define BLF_N 16 /* Number of Subkeys */ +#define BLF_MAXKEYLEN ((BLF_N-2)*4) /* 448 bits */ +#define BLF_MAXUTILIZED ((BLF_N+2)*4) /* 576 bits */ + +/* Blowfish context */ +typedef struct BlowfishContext { + u_int32_t S[4][256]; /* S-Boxes */ + u_int32_t P[BLF_N + 2]; /* Subkeys */ +} blf_ctx; + +/* Raw access to customized Blowfish + * blf_key is just: + * Blowfish_initstate( state ) + * Blowfish_expand0state( state, key, keylen ) + */ + +void Blowfish_encipher(blf_ctx *, u_int32_t *); +void Blowfish_decipher(blf_ctx *, u_int32_t *); +void Blowfish_initstate(blf_ctx *); +void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t); +void Blowfish_expandstate(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t); + +/* Standard Blowfish */ + +void blf_key(blf_ctx *, const u_int8_t *, u_int16_t); +void blf_enc(blf_ctx *, u_int32_t *, u_int16_t); +void blf_dec(blf_ctx *, u_int32_t *, u_int16_t); + +/* Converts u_int8_t to u_int32_t */ +u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t , + u_int16_t *); + +void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t); +void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t); + +void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t); +void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t); +#endif diff --git a/include/crypto/cast.h b/include/crypto/cast.h new file mode 100644 index 0000000000..22edd110cf --- /dev/null +++ b/include/crypto/cast.h @@ -0,0 +1,22 @@ +/* $OpenBSD: cast.h,v 1.2 2002/03/14 01:26:51 millert Exp $ */ + +/* + * CAST-128 in C + * Written by Steve Reid + * 100% Public Domain - no warranty + * Released 1997.10.11 + */ + +#ifndef _CAST_H_ +#define _CAST_H_ + +typedef struct { + u_int32_t xkey[32]; /* Key, after expansion */ + int rounds; /* Number of rounds to use, 12 or 16 */ +} cast_key; + +void cast_setkey(cast_key * key, u_int8_t * rawkey, int keybytes); +void cast_encrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock); +void cast_decrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock); + +#endif /* ifndef _CAST_H_ */ diff --git a/include/crypto/chachapoly.h b/include/crypto/chachapoly.h new file mode 100644 index 0000000000..e793cfb7de --- /dev/null +++ b/include/crypto/chachapoly.h @@ -0,0 +1,86 @@ +/* $OpenBSD: chachapoly.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Copyright (c) 2015 Mike Belopuhov + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _CHACHAPOLY_H_ +#define _CHACHAPOLY_H_ + +#define CHACHA20_KEYSIZE 32 +#define CHACHA20_CTR 4 +#define CHACHA20_SALT 4 +#define CHACHA20_NONCE 8 +#define CHACHA20_BLOCK_LEN 64 + +struct chacha20_ctx { + uint8_t block[CHACHA20_BLOCK_LEN]; + uint8_t nonce[CHACHA20_NONCE]; +}; + +int chacha20_setkey(void *, u_int8_t *, int); +void chacha20_reinit(caddr_t, u_int8_t *); +void chacha20_crypt(caddr_t, u_int8_t *); + + +#define POLY1305_KEYLEN 32 +#define POLY1305_TAGLEN 16 +#define POLY1305_BLOCK_LEN 16 + +struct poly1305_ctx { + /* r, h, pad, leftover */ + unsigned long state[5+5+4]; + size_t leftover; + unsigned char buffer[POLY1305_BLOCK_LEN]; + unsigned char final; +}; + +typedef struct { + uint8_t key[POLY1305_KEYLEN]; + /* counter, salt */ + uint8_t nonce[CHACHA20_NONCE]; + struct chacha20_ctx chacha; + struct poly1305_ctx poly; +} CHACHA20_POLY1305_CTX; + +void Chacha20_Poly1305_Init(void *); +void Chacha20_Poly1305_Setkey(void *, const uint8_t *, uint16_t); +void Chacha20_Poly1305_Reinit(void *, const uint8_t *, uint16_t); +int Chacha20_Poly1305_Update(void *, const uint8_t *, uint16_t); +void Chacha20_Poly1305_Final(uint8_t[POLY1305_TAGLEN], void *); + +/* WireGuard crypto */ +#define CHACHA20POLY1305_KEY_SIZE CHACHA20_KEYSIZE +#define CHACHA20POLY1305_AUTHTAG_SIZE POLY1305_TAGLEN +#define XCHACHA20POLY1305_NONCE_SIZE 24 + +void chacha20poly1305_encrypt(uint8_t *, const uint8_t *, const size_t, + const uint8_t *, const size_t, const uint64_t, + const uint8_t[CHACHA20POLY1305_KEY_SIZE]); + +int chacha20poly1305_decrypt(uint8_t *, const uint8_t *, const size_t, + const uint8_t *, const size_t, const uint64_t, + const uint8_t[CHACHA20POLY1305_KEY_SIZE]); + +void xchacha20poly1305_encrypt(uint8_t *, const uint8_t *, const size_t, + const uint8_t *, const size_t, + const uint8_t[XCHACHA20POLY1305_NONCE_SIZE], + const uint8_t[CHACHA20POLY1305_KEY_SIZE]); + +int xchacha20poly1305_decrypt(uint8_t *, const uint8_t *, const size_t, + const uint8_t *, const size_t, + const uint8_t[XCHACHA20POLY1305_NONCE_SIZE], + const uint8_t[CHACHA20POLY1305_KEY_SIZE]); + +#endif /* _CHACHAPOLY_H_ */ diff --git a/include/crypto/cmac.h b/include/crypto/cmac.h new file mode 100644 index 0000000000..b497835fcf --- /dev/null +++ b/include/crypto/cmac.h @@ -0,0 +1,41 @@ +/* $OpenBSD: cmac.h,v 1.3 2017/05/02 17:07:06 mikeb Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _CMAC_H_ +#define _CMAC_H_ + +#define AES_CMAC_KEY_LENGTH 16 +#define AES_CMAC_DIGEST_LENGTH 16 + +typedef struct _AES_CMAC_CTX { + AES_CTX aesctx; + u_int8_t X[16]; + u_int8_t M_last[16]; + u_int M_n; +} AES_CMAC_CTX; + +__BEGIN_DECLS +void AES_CMAC_Init(AES_CMAC_CTX *); +void AES_CMAC_SetKey(AES_CMAC_CTX *, const u_int8_t [AES_CMAC_KEY_LENGTH]); +void AES_CMAC_Update(AES_CMAC_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void AES_CMAC_Final(u_int8_t [AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *) + __attribute__((__bounded__(__minbytes__,1,AES_CMAC_DIGEST_LENGTH))); +__END_DECLS + +#endif /* _CMAC_H_ */ diff --git a/include/crypto/cryptodev.h b/include/crypto/cryptodev.h new file mode 100644 index 0000000000..69911e7e0e --- /dev/null +++ b/include/crypto/cryptodev.h @@ -0,0 +1,345 @@ +/* $OpenBSD: cryptodev.h,v 1.58 2013/10/31 10:32:38 mikeb Exp $ */ + +/* + * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) + * + * This code was written by Angelos D. Keromytis in Athens, Greece, in + * February 2000. Network Security Technologies Inc. (NSTI) kindly + * supported the development of this code. + * + * Copyright (c) 2000 Angelos D. Keromytis + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all source code copies of any software which is or includes a copy or + * modification of this software. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + * + * Copyright (c) 2001 Theo de Raadt + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Effort sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F30602-01-2-0537. + * + */ + +#ifndef _CRYPTO_CRYPTO_H_ +#define _CRYPTO_CRYPTO_H_ + +#include +#include + +/* Some initial values */ +#define CRYPTO_DRIVERS_INITIAL 4 +#define CRYPTO_DRIVERS_MAX 128 +#define CRYPTO_SW_SESSIONS 32 + +/* HMAC values */ +#define HMAC_MD5_BLOCK_LEN 64 +#define HMAC_SHA1_BLOCK_LEN 64 +#define HMAC_RIPEMD160_BLOCK_LEN 64 +#define HMAC_SHA2_256_BLOCK_LEN 64 +#define HMAC_SHA2_384_BLOCK_LEN 128 +#define HMAC_SHA2_512_BLOCK_LEN 128 +#define HMAC_MAX_BLOCK_LEN HMAC_SHA2_512_BLOCK_LEN /* keep in sync */ +#define HMAC_IPAD_VAL 0x36 +#define HMAC_OPAD_VAL 0x5C + +/* Encryption algorithm block sizes */ +#define DES_BLOCK_LEN 8 +#define DES3_BLOCK_LEN 8 +#define BLOWFISH_BLOCK_LEN 8 +#define CAST128_BLOCK_LEN 8 +#define RIJNDAEL128_BLOCK_LEN 16 +#define EALG_MAX_BLOCK_LEN 16 /* Keep this updated */ + +/* Maximum hash algorithm result length */ +#define AALG_MAX_RESULT_LEN 64 /* Keep this updated */ + +#define CRYPTO_DES_CBC 1 +#define CRYPTO_3DES_CBC 2 +#define CRYPTO_BLF_CBC 3 +#define CRYPTO_CAST_CBC 4 +#define CRYPTO_MD5_HMAC 6 +#define CRYPTO_SHA1_HMAC 7 +#define CRYPTO_RIPEMD160_HMAC 8 +#define CRYPTO_MD5_KPDK 9 +#define CRYPTO_SHA1_KPDK 10 +#define CRYPTO_RIJNDAEL128_CBC 11 /* 128 bit blocksize */ +#define CRYPTO_AES_CBC 11 /* 128 bit blocksize -- the same as above */ +#define CRYPTO_ARC4 12 +#define CRYPTO_MD5 13 +#define CRYPTO_SHA1 14 +#define CRYPTO_DEFLATE_COMP 15 /* Deflate compression algorithm */ +#define CRYPTO_NULL 16 +#define CRYPTO_LZS_COMP 17 /* LZS compression algorithm */ +#define CRYPTO_SHA2_256_HMAC 18 +#define CRYPTO_SHA2_384_HMAC 19 +#define CRYPTO_SHA2_512_HMAC 20 +#define CRYPTO_AES_CTR 21 +#define CRYPTO_AES_XTS 22 +#define CRYPTO_AES_GCM_16 23 +#define CRYPTO_AES_128_GMAC 24 +#define CRYPTO_AES_192_GMAC 25 +#define CRYPTO_AES_256_GMAC 26 +#define CRYPTO_AES_GMAC 27 +#define CRYPTO_ESN 28 /* Support for Extended Sequence Numbers */ +#define CRYPTO_ALGORITHM_MAX 28 /* Keep updated */ + +/* Algorithm flags */ +#define CRYPTO_ALG_FLAG_SUPPORTED 0x01 /* Algorithm is supported */ +#define CRYPTO_ALG_FLAG_RNG_ENABLE 0x02 /* Has HW RNG for DH/DSA */ +#define CRYPTO_ALG_FLAG_DSA_SHA 0x04 /* Can do SHA on msg */ + +/* Standard initialization structure beginning */ +struct cryptoini { + int cri_alg; /* Algorithm to use */ + int cri_klen; /* Key length, in bits */ + int cri_rnd; /* Algorithm rounds, where relevant */ + caddr_t cri_key; /* key to use */ + union { + u_int8_t iv[EALG_MAX_BLOCK_LEN]; /* IV to use */ + u_int8_t esn[4]; /* high-order ESN */ + } u; +#define cri_iv u.iv +#define cri_esn u.esn + struct cryptoini *cri_next; +}; + +/* Describe boundaries of a single crypto operation */ +struct cryptodesc { + int crd_skip; /* How many bytes to ignore from start */ + int crd_len; /* How many bytes to process */ + int crd_inject; /* Where to inject results, if applicable */ + int crd_flags; + +#define CRD_F_ENCRYPT 0x01 /* Set when doing encryption */ +#define CRD_F_IV_PRESENT 0x02 /* When encrypting, IV is already in + place, so don't copy. */ +#define CRD_F_IV_EXPLICIT 0x04 /* IV explicitly provided */ +#define CRD_F_DSA_SHA_NEEDED 0x08 /* Compute SHA-1 of buffer for DSA */ +#define CRD_F_COMP 0x10 /* Set when doing compression */ +#define CRD_F_ESN 0x20 /* Set when ESN field is provided */ + + struct cryptoini CRD_INI; /* Initialization/context data */ +#define crd_esn CRD_INI.cri_esn +#define crd_iv CRD_INI.cri_iv +#define crd_key CRD_INI.cri_key +#define crd_rnd CRD_INI.cri_rnd +#define crd_alg CRD_INI.cri_alg +#define crd_klen CRD_INI.cri_klen + + struct cryptodesc *crd_next; +}; + +/* Structure describing complete operation */ +struct cryptop { + struct task crp_task; + + u_int64_t crp_sid; /* Session ID */ + int crp_ilen; /* Input data total length */ + int crp_olen; /* Result total length */ + int crp_alloctype; /* Type of buf to allocate if needed */ + + int crp_etype; /* + * Error type (zero means no error). + * All error codes except EAGAIN + * indicate possible data corruption (as in, + * the data have been touched). On all + * errors, the crp_sid may have changed + * (reset to a new one), so the caller + * should always check and use the new + * value on future requests. + */ + int crp_flags; + +#define CRYPTO_F_IMBUF 0x0001 /* Input/output are mbuf chains, otherwise contig */ +#define CRYPTO_F_IOV 0x0002 /* Input/output are uio */ +#define CRYPTO_F_REL 0x0004 /* Must return data in same place */ +#define CRYPTO_F_NOQUEUE 0x0008 /* Don't use crypto queue/thread */ +#define CRYPTO_F_DONE 0x0010 /* request completed */ + + void *crp_buf; /* Data to be processed */ + void *crp_opaque; /* Opaque pointer, passed along */ + struct cryptodesc *crp_desc; /* Linked list of processing descriptors */ + + int (*crp_callback)(struct cryptop *); /* Callback function */ + + caddr_t crp_mac; +}; + +#define CRYPTO_BUF_IOV 0x1 +#define CRYPTO_BUF_MBUF 0x2 + +#define CRYPTO_OP_DECRYPT 0x0 +#define CRYPTO_OP_ENCRYPT 0x1 + +/* bignum parameter, in packed bytes, ... */ +struct crparam { + caddr_t crp_p; + u_int crp_nbits; +}; + +#define CRK_MAXPARAM 8 + +struct crypt_kop { + u_int crk_op; /* ie. CRK_MOD_EXP or other */ + u_int crk_status; /* return status */ + u_short crk_iparams; /* # of input parameters */ + u_short crk_oparams; /* # of output parameters */ + u_int crk_pad1; + struct crparam crk_param[CRK_MAXPARAM]; +}; +#define CRK_MOD_EXP 0 +#define CRK_MOD_EXP_CRT 1 +#define CRK_DSA_SIGN 2 +#define CRK_DSA_VERIFY 3 +#define CRK_DH_COMPUTE_KEY 4 +#define CRK_ALGORITHM_MAX 4 /* Keep updated */ + +#define CRF_MOD_EXP (1 << CRK_MOD_EXP) +#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT) +#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN) +#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY) +#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY) + +struct cryptkop { + struct task krp_task; + + u_int krp_op; /* ie. CRK_MOD_EXP or other */ + u_int krp_status; /* return status */ + u_short krp_iparams; /* # of input parameters */ + u_short krp_oparams; /* # of output parameters */ + u_int32_t krp_hid; + struct crparam krp_param[CRK_MAXPARAM]; /* kvm */ + int (*krp_callback)(struct cryptkop *); +}; + +/* Crypto capabilities structure */ +struct cryptocap { + u_int64_t cc_operations; /* Counter of how many ops done */ + u_int64_t cc_bytes; /* Counter of how many bytes done */ + u_int64_t cc_koperations; /* How many PK ops done */ + + u_int32_t cc_sessions; /* How many sessions allocated */ + + /* Symmetric/hash algorithms supported */ + int cc_alg[CRYPTO_ALGORITHM_MAX + 1]; + + /* Asymmetric algorithms supported */ + int cc_kalg[CRK_ALGORITHM_MAX + 1]; + + int cc_queued; /* Operations queued */ + + u_int8_t cc_flags; +#define CRYPTOCAP_F_CLEANUP 0x01 +#define CRYPTOCAP_F_SOFTWARE 0x02 +#define CRYPTOCAP_F_ENCRYPT_MAC 0x04 /* Can do encrypt-then-MAC (IPsec) */ +#define CRYPTOCAP_F_MAC_ENCRYPT 0x08 /* Can do MAC-then-encrypt (TLS) */ + + int (*cc_newsession) (u_int32_t *, struct cryptoini *); + int (*cc_process) (struct cryptop *); + int (*cc_freesession) (u_int64_t); + int (*cc_kprocess) (struct cryptkop *); +}; + +/* + * ioctl parameter to request creation of a session. + */ +struct session_op { + u_int32_t cipher; /* ie. CRYPTO_DES_CBC */ + u_int32_t mac; /* ie. CRYPTO_MD5_HMAC */ + + u_int32_t keylen; /* cipher key */ + caddr_t key; + int mackeylen; /* mac key */ + caddr_t mackey; + + u_int32_t ses; /* returns: session # */ +}; + +/* + * ioctl parameter to request a crypt/decrypt operation against a session. + */ +struct crypt_op { + u_int32_t ses; + u_int16_t op; /* ie. COP_ENCRYPT */ +#define COP_ENCRYPT 1 +#define COP_DECRYPT 2 + u_int16_t flags; /* always 0 */ + + u_int len; + caddr_t src, dst; /* become iov[] inside kernel */ + caddr_t mac; /* must be big enough for chosen MAC */ + caddr_t iv; +}; + +#define CRYPTO_MAX_MAC_LEN 20 + +/* + * done against open of /dev/crypto, to get a cloned descriptor. + * Please use F_SETFD against the cloned descriptor. + */ +#define CRIOGET _IOWR('c', 100, u_int32_t) + +/* the following are done against the cloned descriptor */ +#define CIOCGSESSION _IOWR('c', 101, struct session_op) +#define CIOCFSESSION _IOW('c', 102, u_int32_t) +#define CIOCCRYPT _IOWR('c', 103, struct crypt_op) +#define CIOCKEY _IOWR('c', 104, struct crypt_kop) + +#define CIOCASYMFEAT _IOR('c', 105, u_int32_t) + +#ifdef _KERNEL +int crypto_newsession(u_int64_t *, struct cryptoini *, int); +int crypto_freesession(u_int64_t); +int crypto_dispatch(struct cryptop *); +int crypto_kdispatch(struct cryptkop *); +int crypto_register(u_int32_t, int *, + int (*)(u_int32_t *, struct cryptoini *), int (*)(u_int64_t), + int (*)(struct cryptop *)); +int crypto_kregister(u_int32_t, int *, int (*)(struct cryptkop *)); +int crypto_unregister(u_int32_t, int); +int32_t crypto_get_driverid(u_int8_t); +int crypto_invoke(struct cryptop *); +int crypto_kinvoke(struct cryptkop *); +void crypto_done(struct cryptop *); +void crypto_kdone(struct cryptkop *); +int crypto_getfeat(int *); + +void cuio_copydata(struct uio *, int, int, caddr_t); +void cuio_copyback(struct uio *, int, int, const void *); +int cuio_getptr(struct uio *, int, int *); +int cuio_apply(struct uio *, int, int, + int (*f)(caddr_t, caddr_t, unsigned int), caddr_t); + +struct cryptop *crypto_getreq(int); +void crypto_freereq(struct cryptop *); +#endif /* _KERNEL */ +#endif /* _CRYPTO_CRYPTO_H_ */ diff --git a/include/crypto/cryptosoft.h b/include/crypto/cryptosoft.h new file mode 100644 index 0000000000..070b974abc --- /dev/null +++ b/include/crypto/cryptosoft.h @@ -0,0 +1,74 @@ +/* $OpenBSD: cryptosoft.h,v 1.14 2012/12/07 17:03:22 mikeb Exp $ */ + +/* + * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) + * + * This code was written by Angelos D. Keromytis in Athens, Greece, in + * February 2000. Network Security Technologies Inc. (NSTI) kindly + * supported the development of this code. + * + * Copyright (c) 2000 Angelos D. Keromytis + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all source code copies of any software which is or includes a copy or + * modification of this software. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#ifndef _CRYPTO_CRYPTOSOFT_H_ +#define _CRYPTO_CRYPTOSOFT_H_ + +/* Software session entry */ +struct swcr_data { + int sw_alg; /* Algorithm */ + union { + struct { + u_int8_t *SW_ictx; + u_int8_t *SW_octx; + u_int32_t SW_klen; + struct auth_hash *SW_axf; + } SWCR_AUTH; + struct { + u_int8_t *SW_kschedule; + struct enc_xform *SW_exf; + } SWCR_ENC; + struct { + u_int32_t SW_size; + struct comp_algo *SW_cxf; + } SWCR_COMP; + } SWCR_UN; + +#define sw_ictx SWCR_UN.SWCR_AUTH.SW_ictx +#define sw_octx SWCR_UN.SWCR_AUTH.SW_octx +#define sw_klen SWCR_UN.SWCR_AUTH.SW_klen +#define sw_axf SWCR_UN.SWCR_AUTH.SW_axf +#define sw_kschedule SWCR_UN.SWCR_ENC.SW_kschedule +#define sw_exf SWCR_UN.SWCR_ENC.SW_exf +#define sw_size SWCR_UN.SWCR_COMP.SW_size +#define sw_cxf SWCR_UN.SWCR_COMP.SW_cxf + + struct swcr_data *sw_next; +}; + +#ifdef _KERNEL +extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN]; +extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN]; + +int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int); +int swcr_authcompute(struct cryptop *, struct cryptodesc *, struct swcr_data *, + caddr_t, int); +int swcr_authenc(struct cryptop *); +int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int); +int swcr_process(struct cryptop *); +int swcr_newsession(u_int32_t *, struct cryptoini *); +int swcr_freesession(u_int64_t); +void swcr_init(void); +#endif /* _KERNEL */ + +#endif /* _CRYPTO_CRYPTO_H_ */ diff --git a/include/crypto/gmac.h b/include/crypto/gmac.h new file mode 100644 index 0000000000..7ebc53a3e4 --- /dev/null +++ b/include/crypto/gmac.h @@ -0,0 +1,49 @@ +/* $OpenBSD: gmac.h,v 1.6 2017/05/02 11:44:32 mikeb Exp $ */ + +/* + * Copyright (c) 2010 Mike Belopuhov + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _GMAC_H_ +#define _GMAC_H_ + +#include + +#define GMAC_BLOCK_LEN 16 +#define GMAC_DIGEST_LEN 16 + +typedef struct _GHASH_CTX { + uint8_t H[GMAC_BLOCK_LEN]; /* hash subkey */ + uint8_t S[GMAC_BLOCK_LEN]; /* state */ + uint8_t Z[GMAC_BLOCK_LEN]; /* initial state */ +} GHASH_CTX; + +typedef struct _AES_GMAC_CTX { + GHASH_CTX ghash; + AES_CTX K; + uint8_t J[GMAC_BLOCK_LEN]; /* counter block */ +} AES_GMAC_CTX; + +__BEGIN_DECLS +extern void (*ghash_update)(GHASH_CTX *, uint8_t *, size_t); + +void AES_GMAC_Init(void *); +void AES_GMAC_Setkey(void *, const uint8_t *, uint16_t); +void AES_GMAC_Reinit(void *, const uint8_t *, uint16_t); +int AES_GMAC_Update(void *, const uint8_t *, uint16_t); +void AES_GMAC_Final(uint8_t [GMAC_DIGEST_LEN], void *); +__END_DECLS + +#endif /* _GMAC_H_ */ diff --git a/include/crypto/hmac.h b/include/crypto/hmac.h new file mode 100644 index 0000000000..886bb49d0f --- /dev/null +++ b/include/crypto/hmac.h @@ -0,0 +1,65 @@ +/* $OpenBSD: hmac.h,v 1.3 2012/12/05 23:20:15 deraadt Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _HMAC_H_ +#define _HMAC_H_ + +typedef struct _HMAC_MD5_CTX { + MD5_CTX ctx; + u_int8_t key[MD5_BLOCK_LENGTH]; + u_int key_len; +} HMAC_MD5_CTX; + +typedef struct _HMAC_SHA1_CTX { + SHA1_CTX ctx; + u_int8_t key[SHA1_BLOCK_LENGTH]; + u_int key_len; +} HMAC_SHA1_CTX; + +typedef struct _HMAC_SHA256_CTX { + SHA2_CTX ctx; + u_int8_t key[SHA256_BLOCK_LENGTH]; + u_int key_len; +} HMAC_SHA256_CTX; + +__BEGIN_DECLS + +void HMAC_MD5_Init(HMAC_MD5_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_MD5_Update(HMAC_MD5_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_MD5_Final(u_int8_t [MD5_DIGEST_LENGTH], HMAC_MD5_CTX *) + __attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH))); + +void HMAC_SHA1_Init(HMAC_SHA1_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA1_Update(HMAC_SHA1_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA1_Final(u_int8_t [SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA1_DIGEST_LENGTH))); + +void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH))); + +__END_DECLS + +#endif /* _HMAC_H_ */ diff --git a/include/crypto/idgen.h b/include/crypto/idgen.h new file mode 100644 index 0000000000..2c96627db9 --- /dev/null +++ b/include/crypto/idgen.h @@ -0,0 +1,33 @@ +/* $OpenBSD: idgen.h,v 1.3 2013/06/05 05:45:54 djm Exp $ */ +/* + * Copyright (c) 2008 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#define IDGEN32_ROUNDS 31 +#define IDGEN32_KEYLEN 32 +#define IDGEN32_REKEY_LIMIT 0x60000000 +#define IDGEN32_REKEY_TIME 600 + +struct idgen32_ctx { + u_int32_t id32_counter; + u_int32_t id32_offset; + u_int32_t id32_hibit; + u_int8_t id32_key[IDGEN32_KEYLEN]; + time_t id32_rekey_time; +}; + +void idgen32_init(struct idgen32_ctx *); +u_int32_t idgen32(struct idgen32_ctx *); + diff --git a/include/crypto/key_wrap.h b/include/crypto/key_wrap.h new file mode 100644 index 0000000000..06aff916d4 --- /dev/null +++ b/include/crypto/key_wrap.h @@ -0,0 +1,36 @@ +/* $OpenBSD: key_wrap.h,v 1.3 2017/05/02 17:07:06 mikeb Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _KEY_WRAP_H_ +#define _KEY_WRAP_H_ + +typedef struct _aes_key_wrap_ctx { + AES_CTX ctx; +} aes_key_wrap_ctx; + +__BEGIN_DECLS + +void aes_key_wrap_set_key(aes_key_wrap_ctx *, const u_int8_t *, size_t); +void aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *, const u_int8_t *, + size_t); +void aes_key_wrap(aes_key_wrap_ctx *, const u_int8_t *, size_t, u_int8_t *); +int aes_key_unwrap(aes_key_wrap_ctx *, const u_int8_t *, u_int8_t *, + size_t); +__END_DECLS + +#endif /* _KEY_WRAP_H_ */ diff --git a/include/crypto/md5.h b/include/crypto/md5.h new file mode 100644 index 0000000000..24f5c4e0d5 --- /dev/null +++ b/include/crypto/md5.h @@ -0,0 +1,38 @@ +/* $OpenBSD: md5.h,v 1.3 2014/11/16 17:39:09 tedu Exp $ */ + +/* + * This code implements the MD5 message-digest algorithm. + * The algorithm is due to Ron Rivest. This code was + * written by Colin Plumb in 1993, no copyright is claimed. + * This code is in the public domain; do with it what you wish. + * + * Equivalent code is available from RSA Data Security, Inc. + * This code has been tested against that, and is equivalent, + * except that you don't need to include two pages of legalese + * with every copy. + */ + +#ifndef _MD5_H_ +#define _MD5_H_ + +#define MD5_BLOCK_LENGTH 64 +#define MD5_DIGEST_LENGTH 16 + +typedef struct MD5Context { + u_int32_t state[4]; /* state */ + u_int64_t count; /* number of bits, mod 2^64 */ + u_int8_t buffer[MD5_BLOCK_LENGTH]; /* input buffer */ +} MD5_CTX; + +__BEGIN_DECLS +void MD5Init(MD5_CTX *); +void MD5Update(MD5_CTX *, const void *, size_t) + __attribute__((__bounded__(__string__,2,3))); +void MD5Final(u_int8_t [MD5_DIGEST_LENGTH], MD5_CTX *) + __attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH))); +void MD5Transform(u_int32_t [4], const u_int8_t [MD5_BLOCK_LENGTH]) + __attribute__((__bounded__(__minbytes__,1,4))) + __attribute__((__bounded__(__minbytes__,2,MD5_BLOCK_LENGTH))); +__END_DECLS + +#endif /* _MD5_H_ */ diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h new file mode 100644 index 0000000000..bd68586c3e --- /dev/null +++ b/include/crypto/poly1305.h @@ -0,0 +1,27 @@ +/* $OpenBSD: poly1305.h,v 1.2 2020/07/22 13:54:30 tobhe Exp $ */ +/* + * Public Domain poly1305 from Andrew Moon + * + * poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication + * and 64 bit addition from https://github.com/floodyberry/poly1305-donna + */ + +#ifndef _POLY1305_H_ +#define _POLY1305_H_ + +#define poly1305_block_size 16 + +typedef struct poly1305_state { + unsigned long r[5]; + unsigned long h[5]; + unsigned long pad[4]; + size_t leftover; + unsigned char buffer[poly1305_block_size]; + unsigned char final; +} poly1305_state; + +void poly1305_init(poly1305_state *, const unsigned char[32]); +void poly1305_update(poly1305_state *, const unsigned char *, size_t); +void poly1305_finish(poly1305_state *, unsigned char[16]); + +#endif /* _POLY1305_H_ */ diff --git a/include/crypto/rijndael.h b/include/crypto/rijndael.h new file mode 100644 index 0000000000..845d23076d --- /dev/null +++ b/include/crypto/rijndael.h @@ -0,0 +1,58 @@ +/* $OpenBSD: rijndael.h,v 1.13 2008/06/09 07:49:45 djm Exp $ */ + +/** + * rijndael-alg-fst.h + * + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen + * @author Antoon Bosselaers + * @author Paulo Barreto + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef __RIJNDAEL_H +#define __RIJNDAEL_H + +#define AES_MAXKEYBITS (256) +#define AES_MAXKEYBYTES (AES_MAXKEYBITS/8) +/* for 256-bit keys, fewer for less */ +#define AES_MAXROUNDS 14 + +typedef unsigned char u8; +typedef unsigned short u16; +typedef unsigned int u32; + +/* The structure for key information */ +typedef struct { + int enc_only; /* context contains only encrypt schedule */ + int Nr; /* key-length-dependent number of rounds */ + u32 ek[4*(AES_MAXROUNDS + 1)]; /* encrypt key schedule */ + u32 dk[4*(AES_MAXROUNDS + 1)]; /* decrypt key schedule */ +} rijndael_ctx; + +int rijndael_set_key(rijndael_ctx *, const u_char *, int); +int rijndael_set_key_enc_only(rijndael_ctx *, const u_char *, int); +void rijndael_decrypt(rijndael_ctx *, const u_char *, u_char *); +void rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *); + +int rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int); +int rijndaelKeySetupDec(unsigned int [], const unsigned char [], int); +void rijndaelEncrypt(const unsigned int [], int, const unsigned char [], + unsigned char []); + +#endif /* __RIJNDAEL_H */ diff --git a/include/crypto/rmd160.h b/include/crypto/rmd160.h new file mode 100644 index 0000000000..26b59e7525 --- /dev/null +++ b/include/crypto/rmd160.h @@ -0,0 +1,49 @@ +/* $OpenBSD: rmd160.h,v 1.5 2009/07/05 19:33:46 millert Exp $ */ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef _RMD160_H +#define _RMD160_H + +#define RMD160_BLOCK_LENGTH 64 +#define RMD160_DIGEST_LENGTH 20 + +/* RMD160 context. */ +typedef struct RMD160Context { + u_int32_t state[5]; /* state */ + u_int64_t count; /* number of bits, mod 2^64 */ + u_char buffer[RMD160_BLOCK_LENGTH]; /* input buffer */ +} RMD160_CTX; + +__BEGIN_DECLS +void RMD160Init(RMD160_CTX *); +void RMD160Transform(u_int32_t [5], const u_char [RMD160_BLOCK_LENGTH]) + __attribute__((__bounded__(__minbytes__,1,5))) + __attribute__((__bounded__(__minbytes__,2,RMD160_BLOCK_LENGTH))); +void RMD160Update(RMD160_CTX *, const u_char *, u_int32_t) + __attribute__((__bounded__(__string__,2,3))); +void RMD160Final(u_char [RMD160_DIGEST_LENGTH], RMD160_CTX *) + __attribute__((__bounded__(__minbytes__,1,RMD160_DIGEST_LENGTH))); +__END_DECLS + +#endif /* _RMD160_H */ diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h new file mode 100644 index 0000000000..66171aba5d --- /dev/null +++ b/include/crypto/sha1.h @@ -0,0 +1,26 @@ +/* $OpenBSD: sha1.h,v 1.6 2014/11/16 17:39:09 tedu Exp $ */ + +/* + * SHA-1 in C + * By Steve Reid + * 100% Public Domain + */ + +#ifndef _SHA1_H_ +#define _SHA1_H_ + +#define SHA1_BLOCK_LENGTH 64 +#define SHA1_DIGEST_LENGTH 20 + +typedef struct { + u_int32_t state[5]; + u_int64_t count; + unsigned char buffer[SHA1_BLOCK_LENGTH]; +} SHA1_CTX; + +void SHA1Init(SHA1_CTX * context); +void SHA1Transform(u_int32_t state[5], const unsigned char buffer[SHA1_BLOCK_LENGTH]); +void SHA1Update(SHA1_CTX *context, const void *data, unsigned int len); +void SHA1Final(unsigned char digest[SHA1_DIGEST_LENGTH], SHA1_CTX *context); + +#endif /* _SHA1_H_ */ diff --git a/include/crypto/sha2.h b/include/crypto/sha2.h new file mode 100644 index 0000000000..461b49b981 --- /dev/null +++ b/include/crypto/sha2.h @@ -0,0 +1,83 @@ +/* $OpenBSD: sha2.h,v 1.5 2014/11/16 17:39:09 tedu Exp $ */ + +/* + * FILE: sha2.h + * AUTHOR: Aaron D. Gifford + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $ + */ + +#ifndef _SHA2_H +#define _SHA2_H + + +/*** SHA-256/384/512 Various Length Definitions ***********************/ +#define SHA256_BLOCK_LENGTH 64 +#define SHA256_DIGEST_LENGTH 32 +#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1) +#define SHA384_BLOCK_LENGTH 128 +#define SHA384_DIGEST_LENGTH 48 +#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1) +#define SHA512_BLOCK_LENGTH 128 +#define SHA512_DIGEST_LENGTH 64 +#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1) + + +/*** SHA-256/384/512 Context Structure *******************************/ +typedef struct _SHA2_CTX { + union { + u_int32_t st32[8]; + u_int64_t st64[8]; + } state; + u_int64_t bitcount[2]; + u_int8_t buffer[SHA512_BLOCK_LENGTH]; +} SHA2_CTX; + +__BEGIN_DECLS +void SHA256Init(SHA2_CTX *); +void SHA256Update(SHA2_CTX *, const void *, size_t) + __attribute__((__bounded__(__string__,2,3))); +void SHA256Final(u_int8_t[SHA256_DIGEST_LENGTH], SHA2_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH))); + +void SHA384Init(SHA2_CTX *); +void SHA384Update(SHA2_CTX *, const void *, size_t) + __attribute__((__bounded__(__string__,2,3))); +void SHA384Final(u_int8_t[SHA384_DIGEST_LENGTH], SHA2_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH))); + +void SHA512Init(SHA2_CTX *); +void SHA512Update(SHA2_CTX *, const void *, size_t) + __attribute__((__bounded__(__string__,2,3))); +void SHA512Final(u_int8_t[SHA512_DIGEST_LENGTH], SHA2_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH))); +__END_DECLS + +#endif /* _SHA2_H */ diff --git a/include/crypto/siphash.h b/include/crypto/siphash.h new file mode 100644 index 0000000000..fa12be2cc6 --- /dev/null +++ b/include/crypto/siphash.h @@ -0,0 +1,87 @@ +/* $OpenBSD: siphash.h,v 1.5 2015/02/20 11:51:03 tedu Exp $ */ +/*- + * Copyright (c) 2013 Andre Oppermann + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/* + * SipHash is a family of pseudorandom functions (a.k.a. keyed hash functions) + * optimized for speed on short messages returning a 64bit hash/digest value. + * + * The number of rounds is defined during the initialization: + * SipHash24_Init() for the fast and resonable strong version + * SipHash48_Init() for the strong version (half as fast) + * + * struct SIPHASH_CTX ctx; + * SipHash24_Init(&ctx); + * SipHash_SetKey(&ctx, "16bytes long key"); + * SipHash_Update(&ctx, pointer_to_string, length_of_string); + * SipHash_Final(output, &ctx); + */ + +#ifndef _SIPHASH_H_ +#define _SIPHASH_H_ + +#define SIPHASH_BLOCK_LENGTH 8 +#define SIPHASH_KEY_LENGTH 16 +#define SIPHASH_DIGEST_LENGTH 8 + +typedef struct _SIPHASH_CTX { + uint64_t v[4]; + uint8_t buf[SIPHASH_BLOCK_LENGTH]; + uint32_t bytes; +} SIPHASH_CTX; + +typedef struct { + uint64_t k0; + uint64_t k1; +} SIPHASH_KEY; + +void SipHash_Init(SIPHASH_CTX *, const SIPHASH_KEY *); +void SipHash_Update(SIPHASH_CTX *, int, int, const void *, size_t) + __bounded((__buffer__, 4, 5)); +uint64_t SipHash_End(SIPHASH_CTX *, int, int); +void SipHash_Final(void *, SIPHASH_CTX *, int, int) + __bounded((__minbytes__, 1, SIPHASH_DIGEST_LENGTH)); +uint64_t SipHash(const SIPHASH_KEY *, int, int, const void *, size_t) + __bounded((__buffer__, 4, 5)); + +#define SipHash24_Init(_c, _k) SipHash_Init((_c), (_k)) +#define SipHash24_Update(_c, _p, _l) SipHash_Update((_c), 2, 4, (_p), (_l)) +#define SipHash24_End(_d) SipHash_End((_d), 2, 4) +#define SipHash24_Final(_d, _c) SipHash_Final((_d), (_c), 2, 4) +#define SipHash24(_k, _p, _l) SipHash((_k), 2, 4, (_p), (_l)) + +#define SipHash48_Init(_c, _k) SipHash_Init((_c), (_k)) +#define SipHash48_Update(_c, _p, _l) SipHash_Update((_c), 4, 8, (_p), (_l)) +#define SipHash48_End(_d) SipHash_End((_d), 4, 8) +#define SipHash48_Final(_d, _c) SipHash_Final((_d), (_c), 4, 8) +#define SipHash48(_k, _p, _l) SipHash((_k), 4, 8, (_p), (_l)) + +#endif /* _SIPHASH_H_ */ diff --git a/include/crypto/xform.h b/include/crypto/xform.h new file mode 100644 index 0000000000..dd6d8577c8 --- /dev/null +++ b/include/crypto/xform.h @@ -0,0 +1,111 @@ +/* $OpenBSD: xform.h,v 1.32 2021/10/22 12:30:53 bluhm Exp $ */ + +/* + * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) + * + * This code was written by Angelos D. Keromytis in Athens, Greece, in + * February 2000. Network Security Technologies Inc. (NSTI) kindly + * supported the development of this code. + * + * Copyright (c) 2000 Angelos D. Keromytis + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all source code copies of any software which is or includes a copy or + * modification of this software. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#ifndef _CRYPTO_XFORM_H_ +#define _CRYPTO_XFORM_H_ + +#include +#include +#include +#include +#include + +#define AESCTR_NONCESIZE 4 +#define AESCTR_IVSIZE 8 +#define AESCTR_BLOCKSIZE 16 + +#define AES_XTS_BLOCKSIZE 16 +#define AES_XTS_IVSIZE 8 +#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ + +/* Declarations */ +struct auth_hash { + int type; + char *name; + u_int16_t keysize; + u_int16_t hashsize; + u_int16_t authsize; + u_int16_t ctxsize; + u_int16_t blocksize; + void (*Init) (void *); + void (*Setkey) (void *, const u_int8_t *, u_int16_t); + void (*Reinit) (void *, const u_int8_t *, u_int16_t); + int (*Update) (void *, const u_int8_t *, u_int16_t); + void (*Final) (u_int8_t *, void *); +}; + +struct enc_xform { + int type; + char *name; + u_int16_t blocksize; + u_int16_t ivsize; + u_int16_t minkey; + u_int16_t maxkey; + u_int16_t ctxsize; + void (*encrypt) (caddr_t, u_int8_t *); + void (*decrypt) (caddr_t, u_int8_t *); + int (*setkey) (void *, u_int8_t *, int len); + void (*reinit) (caddr_t, u_int8_t *); +}; + +struct comp_algo { + int type; + char *name; + size_t minlen; + u_int32_t (*compress) (u_int8_t *, u_int32_t, u_int8_t **); + u_int32_t (*decompress) (u_int8_t *, u_int32_t, u_int8_t **); +}; + +union authctx { + MD5_CTX md5ctx; + SHA1_CTX sha1ctx; + RMD160_CTX rmd160ctx; + SHA2_CTX sha2_ctx; + AES_GMAC_CTX aes_gmac_ctx; +}; + +extern const struct enc_xform enc_xform_3des; +extern const struct enc_xform enc_xform_blf; +extern const struct enc_xform enc_xform_cast5; +extern const struct enc_xform enc_xform_aes; +extern const struct enc_xform enc_xform_aes_ctr; +extern const struct enc_xform enc_xform_aes_gcm; +extern const struct enc_xform enc_xform_aes_gmac; +extern const struct enc_xform enc_xform_aes_xts; +extern const struct enc_xform enc_xform_chacha20_poly1305; +extern const struct enc_xform enc_xform_null; + +extern const struct auth_hash auth_hash_hmac_md5_96; +extern const struct auth_hash auth_hash_hmac_sha1_96; +extern const struct auth_hash auth_hash_hmac_ripemd_160_96; +extern const struct auth_hash auth_hash_hmac_sha2_256_128; +extern const struct auth_hash auth_hash_hmac_sha2_384_192; +extern const struct auth_hash auth_hash_hmac_sha2_512_256; +extern const struct auth_hash auth_hash_gmac_aes_128; +extern const struct auth_hash auth_hash_gmac_aes_192; +extern const struct auth_hash auth_hash_gmac_aes_256; +extern const struct auth_hash auth_hash_chacha20_poly1305; + +extern const struct comp_algo comp_algo_deflate; + +#endif /* _CRYPTO_XFORM_H_ */ diff --git a/include/nuttx/crypto/aes.h b/include/nuttx/crypto/aes.h deleted file mode 100644 index bd6c02f92b..0000000000 --- a/include/nuttx/crypto/aes.h +++ /dev/null @@ -1,171 +0,0 @@ -/**************************************************************************** - * include/nuttx/crypto/aes.h - * - * Copyright (C) 2011 Texas Instruments Incorporated - http://www.ti.com/ - * Extracted from the CC3000 Host Driver Implementation. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * Neither the name of Texas Instruments Incorporated nor the names of - * its contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - ****************************************************************************/ - -#ifndef __INCLUDE_NUTTX_CRYPTO_AES_H -#define __INCLUDE_NUTTX_CRYPTO_AES_H - -/**************************************************************************** - * Included Files - ****************************************************************************/ - -#include -#include - -/**************************************************************************** - * Pre-processor Definitions - ****************************************************************************/ - -#define AES128_KEY_SIZE 16 - -/**************************************************************************** - * Public Types - ****************************************************************************/ - -struct aes_state_s -{ - uint8_t expanded_key[176]; -}; - -/**************************************************************************** - * Public Data - ****************************************************************************/ - -#ifdef __cplusplus -extern "C" -{ -#endif - -/**************************************************************************** - * Public Function Prototypes - ****************************************************************************/ - -/**************************************************************************** - * Name: aes_encrypt - * - * Description: - * AES128 encryption: Given AES128 key and 16 bytes plain text, cipher - * text of 16 bytes is computed. The AES implementation is in mode ECB - * (Electronic Code Book). - * - * Input Parameters: - * key AES128 key of size 16 bytes - * state 16 bytes of plain text and cipher text - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_encrypt(FAR uint8_t *state, FAR const uint8_t *key); - -/**************************************************************************** - * Name: aes_decrypt - * - * Description: - * AES128 decryption: Given AES128 key and 16 bytes cipher text, plain - * text of 16 bytes is computed The AES implementation is in mode ECB - * (Electronic Code Book). - * - * Input Parameters: - * key AES128 key of size 16 bytes - * state 16 bytes of plain text and cipher text - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_decrypt(FAR uint8_t *state, FAR const uint8_t *key); - -/**************************************************************************** - * Name: aes_setupkey - * - * Description: - * Configure the given AES context for operation with the selected key. - * - * Input Parameters: - * state an AES context that can be used for AES operations - * key a pointer to a 16-byte buffer holding the AES-128 key - * len length of the key, must be 16 - * - * TODO: Support other key lengths of 24 (AES-192) and 32 (AES-256) - * - * Returned Value: - * 0 if OK - * -EINVAL if len is not 16 - * - ****************************************************************************/ - -int aes_setupkey(FAR struct aes_state_s *state, FAR const uint8_t *key, - int len); - -/**************************************************************************** - * Name: aes_encipher - * - * Description: - * Encipher some 16-byte blocks (without any operation mode) using the - * previously defined key. The function can be called multiple times with - * the same state parameter. - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_encipher(FAR struct aes_state_s *state, FAR uint8_t *blocks, - int nblk); - -/**************************************************************************** - * Name: aes_decipher - * - * Description: - * Decipher some 16-byte blocks (without any operation mode) using the - * previously defined key. The function can be called multiple times with - * the same state parameter. - * - * Returned Value: - * None - * - ****************************************************************************/ - -void aes_decipher(FAR struct aes_state_s *state, FAR uint8_t *blocks, - int nblk); - -#ifdef __cplusplus -} -#endif /* __cplusplus */ - -#endif /* __INCLUDE_NUTTX_CRYPTO_AES_H */ diff --git a/include/nuttx/crypto/cryptodev.h b/include/nuttx/crypto/cryptodev.h deleted file mode 100644 index 23e1cacc4e..0000000000 --- a/include/nuttx/crypto/cryptodev.h +++ /dev/null @@ -1,80 +0,0 @@ -/**************************************************************************** - * include/nuttx/crypto/cryptodev.h - * - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. The - * ASF licenses this file to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the - * License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations - * under the License. - * - ****************************************************************************/ - -#ifndef __INCLUDE_NUTTX_CRYPTO_CRYPTODEV_H -#define __INCLUDE_NUTTX_CRYPTO_CRYPTODEV_H - -/**************************************************************************** - * Included Files - ****************************************************************************/ - -#include - -/**************************************************************************** - * Pre-processor Definitions - ****************************************************************************/ - -#define RIJNDAEL128_BLOCK_LEN 16 -#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN - -#define CRYPTO_ALGORITHM_MIN 1 -#define CRYPTO_AES_ECB 1 -#define CRYPTO_AES_CBC 2 -#define CRYPTO_AES_CTR 3 -#define CRYPTO_ALGORITHM_MAX 1 - -#define CRYPTO_FLAG_HARDWARE 0x01000000 /* hardware accelerated */ -#define CRYPTO_FLAG_SOFTWARE 0x02000000 /* software implementation */ - -#define COP_ENCRYPT 1 -#define COP_DECRYPT 2 -#define COP_F_BATCH 0x0008 /* Batch op if possible */ - -#define CIOCGSESSION 101 -#define CIOCFSESSION 102 -#define CIOCCRYPT 103 - -typedef char *caddr_t; - -struct session_op -{ - uint32_t cipher; /* ie. CRYPTO_AES_EBC */ - uint32_t mac; - - uint32_t keylen; /* cipher key */ - caddr_t key; - int mackeylen; /* mac key */ - caddr_t mackey; - - uint32_t ses; /* returns: session # */ -}; - -struct crypt_op -{ - uint32_t ses; - uint16_t op; /* i.e. COP_ENCRYPT */ - uint16_t flags; - unsigned len; - caddr_t src, dst; /* become iov[] inside kernel */ - caddr_t mac; /* must be big enough for chosen MAC */ - caddr_t iv; -}; - -#endif /* __INCLUDE_NUTTX_CRYPTO_CRYPTODEV_H */