nuttx/nuttx-update
1
2
Fork 1
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions

crypto: Initial copy from https://github.com/openbsd/sys/crypto

Browse source 
public header files put into include/crpyto
private header/source files put into crpyto

crypto.c cryptodev.[c|h] cryptosoft.[c|h] come from:
commit id is f245bed2a7593bf0decce50caaed4ce05fefd6cf

the rest come from:
commit id is 61b0e532b2dce0a91cf3ea67d346645a61a88cdd

Signed-off-by: anjiahao <anjiahao@xiaomi.com>
This commit is contained in:
anjiahao 2022-07-18 15:00:30 +08:00 committed by Xiang Xiao
parent 2b071b7a42
commit c7d347c7f0
50 changed files with 12438 additions and 1248 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1632
crypto/aes.c
View file

File diff suppressed because it is too large Load diff

655
crypto/blf.c Normal file
View file

@ -0,0 +1,655 @@
/* $OpenBSD: blf.c,v 1.8 2021/11/29 01:04:45 djm Exp $ */
/*
* Blowfish block cipher for OpenBSD
* Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
*
* Implementation advice by David Mazieres <dm@lcs.mit.edu>.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This code is derived from section 14.3 and the given source
* in section V of Applied Cryptography, second edition.
* Blowfish is an unpatented fast block cipher designed by
* Bruce Schneier.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/blf.h>
#undef inline
#ifdef __GNUC__
#define inline __inline
#else /* !__GNUC__ */
#define inline
#endif /* !__GNUC__ */
/* Function for Feistel Networks */
#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
+ (s)[0x100 + (((x)>>16)&0xFF)]) \
^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
+ (s)[0x300 + ( (x) &0xFF)])
#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
void
Blowfish_encipher(blf_ctx *c, u_int32_t *x)
{
u_int32_t Xl;
u_int32_t Xr;
u_int32_t *s = c->S[0];
u_int32_t *p = c->P;
Xl = x[0];
Xr = x[1];
Xl ^= p[0];
BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
x[0] = Xr ^ p[17];
x[1] = Xl;
}
void
Blowfish_decipher(blf_ctx *c, u_int32_t *x)
{
u_int32_t Xl;
u_int32_t Xr;
u_int32_t *s = c->S[0];
u_int32_t *p = c->P;
Xl = x[0];
Xr = x[1];
Xl ^= p[17];
BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
x[0] = Xr ^ p[0];
x[1] = Xl;
}
void
Blowfish_initstate(blf_ctx *c)
{
/* P-box and S-box tables initialized with digits of Pi */
static const blf_ctx initstate =
{ {
{
0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
{
0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
{
0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
{
0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
},
{
0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
0x9216d5d9, 0x8979fb1b
} };
*c = initstate;
}
u_int32_t
Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes,
u_int16_t *current)
{
u_int8_t i;
u_int16_t j;
u_int32_t temp;
temp = 0x00000000;
j = *current;
for (i = 0; i < 4; i++, j++) {
if (j >= databytes)
j = 0;
temp = (temp << 8) | data[j];
}
*current = j;
return temp;
}
void
Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
{
u_int16_t i;
u_int16_t j;
u_int16_t k;
u_int32_t temp;
u_int32_t data[2];
j = 0;
for (i = 0; i < BLF_N + 2; i++) {
/* Extract 4 int8 to 1 int32 from keystream */
temp = Blowfish_stream2word(key, keybytes, &j);
c->P[i] = c->P[i] ^ temp;
}
j = 0;
data[0] = 0x00000000;
data[1] = 0x00000000;
for (i = 0; i < BLF_N + 2; i += 2) {
Blowfish_encipher(c, data);
c->P[i] = data[0];
c->P[i + 1] = data[1];
}
for (i = 0; i < 4; i++) {
for (k = 0; k < 256; k += 2) {
Blowfish_encipher(c, data);
c->S[i][k] = data[0];
c->S[i][k + 1] = data[1];
}
}
}
void
Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
const u_int8_t *key, u_int16_t keybytes)
{
u_int16_t i;
u_int16_t j;
u_int16_t k;
u_int32_t temp;
u_int32_t d[2];
j = 0;
for (i = 0; i < BLF_N + 2; i++) {
/* Extract 4 int8 to 1 int32 from keystream */
temp = Blowfish_stream2word(key, keybytes, &j);
c->P[i] = c->P[i] ^ temp;
}
j = 0;
d[0] = 0x00000000;
d[1] = 0x00000000;
for (i = 0; i < BLF_N + 2; i += 2) {
d[0] ^= Blowfish_stream2word(data, databytes, &j);
d[1] ^= Blowfish_stream2word(data, databytes, &j);
Blowfish_encipher(c, d);
c->P[i] = d[0];
c->P[i + 1] = d[1];
}
for (i = 0; i < 4; i++) {
for (k = 0; k < 256; k += 2) {
d[0]^= Blowfish_stream2word(data, databytes, &j);
d[1] ^= Blowfish_stream2word(data, databytes, &j);
Blowfish_encipher(c, d);
c->S[i][k] = d[0];
c->S[i][k + 1] = d[1];
}
}
}
void
blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
{
/* Initialize S-boxes and subkeys with Pi */
Blowfish_initstate(c);
/* Transform S-boxes and subkeys with key */
Blowfish_expand0state(c, k, len);
}
void
blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
{
u_int32_t *d;
u_int16_t i;
d = data;
for (i = 0; i < blocks; i++) {
Blowfish_encipher(c, d);
d += 2;
}
}
void
blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
{
u_int32_t *d;
u_int16_t i;
d = data;
for (i = 0; i < blocks; i++) {
Blowfish_decipher(c, d);
d += 2;
}
}
void
blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r, d[2];
u_int32_t i;
for (i = 0; i < len; i += 8) {
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
d[0] = l;
d[1] = r;
Blowfish_encipher(c, d);
l = d[0];
r = d[1];
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
data += 8;
}
}
void
blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r, d[2];
u_int32_t i;
for (i = 0; i < len; i += 8) {
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
d[0] = l;
d[1] = r;
Blowfish_decipher(c, d);
l = d[0];
r = d[1];
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
data += 8;
}
}
void
blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r, d[2];
u_int32_t i, j;
for (i = 0; i < len; i += 8) {
for (j = 0; j < 8; j++)
data[j] ^= iv[j];
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
d[0] = l;
d[1] = r;
Blowfish_encipher(c, d);
l = d[0];
r = d[1];
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
iv = data;
data += 8;
}
}
void
blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
{
u_int32_t l, r, d[2];
u_int8_t *iv;
u_int32_t i, j;
iv = data + len - 16;
data = data + len - 8;
for (i = len - 8; i >= 8; i -= 8) {
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
d[0] = l;
d[1] = r;
Blowfish_decipher(c, d);
l = d[0];
r = d[1];
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
for (j = 0; j < 8; j++)
data[j] ^= iv[j];
iv -= 8;
data -= 8;
}
l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
d[0] = l;
d[1] = r;
Blowfish_decipher(c, d);
l = d[0];
r = d[1];
data[0] = l >> 24 & 0xff;
data[1] = l >> 16 & 0xff;
data[2] = l >> 8 & 0xff;
data[3] = l & 0xff;
data[4] = r >> 24 & 0xff;
data[5] = r >> 16 & 0xff;
data[6] = r >> 8 & 0xff;
data[7] = r & 0xff;
for (j = 0; j < 8; j++)
data[j] ^= iva[j];
}

277
crypto/cast.c Normal file
View file

@ -0,0 +1,277 @@
/* $OpenBSD: cast.c,v 1.4 2012/04/25 04:12:27 matthew Exp $ */
/*
* CAST-128 in C
* Written by Steve Reid <sreid@sea-to-sky.net>
* 100% Public Domain - no warranty
* Released 1997.10.11
*/
#include <sys/types.h>
#include <sys/systm.h>
#include <crypto/cast.h>
#include <crypto/castsb.h>
/* Macros to access 8-bit bytes out of a 32-bit word */
#define U_INT8_Ta(x) ( (u_int8_t) (x>>24) )
#define U_INT8_Tb(x) ( (u_int8_t) ((x>>16)&255) )
#define U_INT8_Tc(x) ( (u_int8_t) ((x>>8)&255) )
#define U_INT8_Td(x) ( (u_int8_t) ((x)&255) )
/* Circular left shift */
#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) )
/* CAST-128 uses three different round functions */
#define F1(l, r, i) \
t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
l ^= ((cast_sbox1[U_INT8_Ta(t)] ^ cast_sbox2[U_INT8_Tb(t)]) - \
cast_sbox3[U_INT8_Tc(t)]) + cast_sbox4[U_INT8_Td(t)];
#define F2(l, r, i) \
t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
l ^= ((cast_sbox1[U_INT8_Ta(t)] - cast_sbox2[U_INT8_Tb(t)]) + \
cast_sbox3[U_INT8_Tc(t)]) ^ cast_sbox4[U_INT8_Td(t)];
#define F3(l, r, i) \
t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
l ^= ((cast_sbox1[U_INT8_Ta(t)] + cast_sbox2[U_INT8_Tb(t)]) ^ \
cast_sbox3[U_INT8_Tc(t)]) - cast_sbox4[U_INT8_Td(t)];
/***** Encryption Function *****/
void
cast_encrypt(cast_key *key, u_int8_t *inblock, u_int8_t *outblock)
{
u_int32_t t, l, r;
/* Get inblock into l,r */
l = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
r = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
/* Do the work */
F1(l, r, 0);
F2(r, l, 1);
F3(l, r, 2);
F1(r, l, 3);
F2(l, r, 4);
F3(r, l, 5);
F1(l, r, 6);
F2(r, l, 7);
F3(l, r, 8);
F1(r, l, 9);
F2(l, r, 10);
F3(r, l, 11);
/* Only do full 16 rounds if key length > 80 bits */
if (key->rounds > 12) {
F1(l, r, 12);
F2(r, l, 13);
F3(l, r, 14);
F1(r, l, 15);
}
/* Put l,r into outblock */
outblock[0] = U_INT8_Ta(r);
outblock[1] = U_INT8_Tb(r);
outblock[2] = U_INT8_Tc(r);
outblock[3] = U_INT8_Td(r);
outblock[4] = U_INT8_Ta(l);
outblock[5] = U_INT8_Tb(l);
outblock[6] = U_INT8_Tc(l);
outblock[7] = U_INT8_Td(l);
/* Wipe clean */
t = l = r = 0;
}
/***** Decryption Function *****/
void
cast_decrypt(cast_key *key, u_int8_t *inblock, u_int8_t *outblock)
{
u_int32_t t, l, r;
/* Get inblock into l,r */
r = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
l = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
/* Do the work */
/* Only do full 16 rounds if key length > 80 bits */
if (key->rounds > 12) {
F1(r, l, 15);
F3(l, r, 14);
F2(r, l, 13);
F1(l, r, 12);
}
F3(r, l, 11);
F2(l, r, 10);
F1(r, l, 9);
F3(l, r, 8);
F2(r, l, 7);
F1(l, r, 6);
F3(r, l, 5);
F2(l, r, 4);
F1(r, l, 3);
F3(l, r, 2);
F2(r, l, 1);
F1(l, r, 0);
/* Put l,r into outblock */
outblock[0] = U_INT8_Ta(l);
outblock[1] = U_INT8_Tb(l);
outblock[2] = U_INT8_Tc(l);
outblock[3] = U_INT8_Td(l);
outblock[4] = U_INT8_Ta(r);
outblock[5] = U_INT8_Tb(r);
outblock[6] = U_INT8_Tc(r);
outblock[7] = U_INT8_Td(r);
/* Wipe clean */
t = l = r = 0;
}
/***** Key Schedule *****/
void
cast_setkey(cast_key *key, u_int8_t *rawkey, int keybytes)
{
u_int32_t t[4], z[4], x[4];
int i;
/* Set number of rounds to 12 or 16, depending on key length */
key->rounds = (keybytes <= 10 ? 12 : 16);
/* Copy key to workspace x */
for (i = 0; i < 4; i++) {
x[i] = 0;
if ((i*4+0) < keybytes) x[i] = (u_int32_t)rawkey[i*4+0] << 24;
if ((i*4+1) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+1] << 16;
if ((i*4+2) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+2] << 8;
if ((i*4+3) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+3];
}
/* Generate 32 subkeys, four at a time */
for (i = 0; i < 32; i+=4) {
switch (i & 4) {
case 0:
t[0] = z[0] = x[0] ^ cast_sbox5[U_INT8_Tb(x[3])] ^
cast_sbox6[U_INT8_Td(x[3])] ^
cast_sbox7[U_INT8_Ta(x[3])] ^
cast_sbox8[U_INT8_Tc(x[3])] ^
cast_sbox7[U_INT8_Ta(x[2])];
t[1] = z[1] = x[2] ^ cast_sbox5[U_INT8_Ta(z[0])] ^
cast_sbox6[U_INT8_Tc(z[0])] ^
cast_sbox7[U_INT8_Tb(z[0])] ^
cast_sbox8[U_INT8_Td(z[0])] ^
cast_sbox8[U_INT8_Tc(x[2])];
t[2] = z[2] = x[3] ^ cast_sbox5[U_INT8_Td(z[1])] ^
cast_sbox6[U_INT8_Tc(z[1])] ^
cast_sbox7[U_INT8_Tb(z[1])] ^
cast_sbox8[U_INT8_Ta(z[1])] ^
cast_sbox5[U_INT8_Tb(x[2])];
t[3] = z[3] = x[1] ^ cast_sbox5[U_INT8_Tc(z[2])] ^
cast_sbox6[U_INT8_Tb(z[2])] ^
cast_sbox7[U_INT8_Td(z[2])] ^
cast_sbox8[U_INT8_Ta(z[2])] ^
cast_sbox6[U_INT8_Td(x[2])];
break;
case 4:
t[0] = x[0] = z[2] ^ cast_sbox5[U_INT8_Tb(z[1])] ^
cast_sbox6[U_INT8_Td(z[1])] ^
cast_sbox7[U_INT8_Ta(z[1])] ^
cast_sbox8[U_INT8_Tc(z[1])] ^
cast_sbox7[U_INT8_Ta(z[0])];
t[1] = x[1] = z[0] ^ cast_sbox5[U_INT8_Ta(x[0])] ^
cast_sbox6[U_INT8_Tc(x[0])] ^
cast_sbox7[U_INT8_Tb(x[0])] ^
cast_sbox8[U_INT8_Td(x[0])] ^
cast_sbox8[U_INT8_Tc(z[0])];
t[2] = x[2] = z[1] ^ cast_sbox5[U_INT8_Td(x[1])] ^
cast_sbox6[U_INT8_Tc(x[1])] ^
cast_sbox7[U_INT8_Tb(x[1])] ^
cast_sbox8[U_INT8_Ta(x[1])] ^
cast_sbox5[U_INT8_Tb(z[0])];
t[3] = x[3] = z[3] ^ cast_sbox5[U_INT8_Tc(x[2])] ^
cast_sbox6[U_INT8_Tb(x[2])] ^
cast_sbox7[U_INT8_Td(x[2])] ^
cast_sbox8[U_INT8_Ta(x[2])] ^
cast_sbox6[U_INT8_Td(z[0])];
break;
}
switch (i & 12) {
case 0:
case 12:
key->xkey[i+0] = cast_sbox5[U_INT8_Ta(t[2])] ^
cast_sbox6[U_INT8_Tb(t[2])] ^
cast_sbox7[U_INT8_Td(t[1])] ^
cast_sbox8[U_INT8_Tc(t[1])];
key->xkey[i+1] = cast_sbox5[U_INT8_Tc(t[2])] ^
cast_sbox6[U_INT8_Td(t[2])] ^
cast_sbox7[U_INT8_Tb(t[1])] ^
cast_sbox8[U_INT8_Ta(t[1])];
key->xkey[i+2] = cast_sbox5[U_INT8_Ta(t[3])] ^
cast_sbox6[U_INT8_Tb(t[3])] ^
cast_sbox7[U_INT8_Td(t[0])] ^
cast_sbox8[U_INT8_Tc(t[0])];
key->xkey[i+3] = cast_sbox5[U_INT8_Tc(t[3])] ^
cast_sbox6[U_INT8_Td(t[3])] ^
cast_sbox7[U_INT8_Tb(t[0])] ^
cast_sbox8[U_INT8_Ta(t[0])];
break;
case 4:
case 8:
key->xkey[i+0] = cast_sbox5[U_INT8_Td(t[0])] ^
cast_sbox6[U_INT8_Tc(t[0])] ^
cast_sbox7[U_INT8_Ta(t[3])] ^
cast_sbox8[U_INT8_Tb(t[3])];
key->xkey[i+1] = cast_sbox5[U_INT8_Tb(t[0])] ^
cast_sbox6[U_INT8_Ta(t[0])] ^
cast_sbox7[U_INT8_Tc(t[3])] ^
cast_sbox8[U_INT8_Td(t[3])];
key->xkey[i+2] = cast_sbox5[U_INT8_Td(t[1])] ^
cast_sbox6[U_INT8_Tc(t[1])] ^
cast_sbox7[U_INT8_Ta(t[2])] ^
cast_sbox8[U_INT8_Tb(t[2])];
key->xkey[i+3] = cast_sbox5[U_INT8_Tb(t[1])] ^
cast_sbox6[U_INT8_Ta(t[1])] ^
cast_sbox7[U_INT8_Tc(t[2])] ^
cast_sbox8[U_INT8_Td(t[2])];
break;
}
switch (i & 12) {
case 0:
key->xkey[i+0] ^= cast_sbox5[U_INT8_Tc(z[0])];
key->xkey[i+1] ^= cast_sbox6[U_INT8_Tc(z[1])];
key->xkey[i+2] ^= cast_sbox7[U_INT8_Tb(z[2])];
key->xkey[i+3] ^= cast_sbox8[U_INT8_Ta(z[3])];
break;
case 4:
key->xkey[i+0] ^= cast_sbox5[U_INT8_Ta(x[2])];
key->xkey[i+1] ^= cast_sbox6[U_INT8_Tb(x[3])];
key->xkey[i+2] ^= cast_sbox7[U_INT8_Td(x[0])];
key->xkey[i+3] ^= cast_sbox8[U_INT8_Td(x[1])];
break;
case 8:
key->xkey[i+0] ^= cast_sbox5[U_INT8_Tb(z[2])];
key->xkey[i+1] ^= cast_sbox6[U_INT8_Ta(z[3])];
key->xkey[i+2] ^= cast_sbox7[U_INT8_Tc(z[0])];
key->xkey[i+3] ^= cast_sbox8[U_INT8_Tc(z[1])];
break;
case 12:
key->xkey[i+0] ^= cast_sbox5[U_INT8_Td(x[0])];
key->xkey[i+1] ^= cast_sbox6[U_INT8_Td(x[1])];
key->xkey[i+2] ^= cast_sbox7[U_INT8_Ta(x[2])];
key->xkey[i+3] ^= cast_sbox8[U_INT8_Tb(x[3])];
break;
}
if (i >= 16) {
key->xkey[i+0] &= 31;
key->xkey[i+1] &= 31;
key->xkey[i+2] &= 31;
key->xkey[i+3] &= 31;
}
}
/* Wipe clean */
explicit_bzero(t, sizeof(t));
explicit_bzero(x, sizeof(x));
explicit_bzero(z, sizeof(z));
}
/* Made in Canada */

544
crypto/castsb.h Normal file
View file

@ -0,0 +1,544 @@
/* $OpenBSD: castsb.h,v 1.1 2000/02/28 23:13:04 deraadt Exp $ */
/*
* CAST-128 in C
* Written by Steve Reid <sreid@sea-to-sky.net>
* 100% Public Domain - no warranty
* Released 1997.10.11
*/
static const u_int32_t cast_sbox1[256] = {
0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A,
0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949,
0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675,
0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E,
0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2,
0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D,
0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F,
0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0,
0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE,
0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7,
0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F,
0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935,
0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D,
0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D,
0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165,
0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50,
0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272,
0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE,
0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D,
0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3,
0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A,
0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167,
0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F,
0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291,
0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9,
0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779,
0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6,
0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2,
0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9,
0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511,
0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E,
0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D,
0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E,
0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5,
0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82,
0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324,
0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC,
0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C,
0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F,
0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC,
0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491,
0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D,
0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE,
0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96,
0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A,
0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A,
0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79,
0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D,
0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779,
0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD,
0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755,
0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6,
0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB,
0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9,
0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0,
0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872,
0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79,
0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C,
0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298,
0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E,
0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571,
0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9,
0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D,
0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF
};
static const u_int32_t cast_sbox2[256] = {
0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380,
0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651,
0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA,
0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3,
0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909,
0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB,
0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B,
0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806,
0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4,
0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B,
0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F,
0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359,
0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21,
0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B,
0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D,
0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C,
0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F,
0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34,
0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D,
0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB,
0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4,
0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD,
0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801,
0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860,
0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755,
0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B,
0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709,
0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304,
0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B,
0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B,
0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C,
0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF,
0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9,
0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C,
0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3,
0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13,
0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9,
0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F,
0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB,
0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6,
0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4,
0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6,
0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43,
0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58,
0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8,
0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906,
0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171,
0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D,
0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89,
0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6,
0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B,
0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4,
0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB,
0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6,
0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E,
0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F,
0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA,
0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249,
0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA,
0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA,
0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD,
0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9,
0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF,
0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1
};
static const u_int32_t cast_sbox3[256] = {
0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907,
0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90,
0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE,
0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5,
0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E,
0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E,
0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC,
0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240,
0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E,
0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5,
0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F,
0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B,
0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99,
0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71,
0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F,
0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04,
0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380,
0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82,
0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8,
0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15,
0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504,
0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2,
0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6,
0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176,
0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E,
0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148,
0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D,
0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC,
0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1,
0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341,
0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C,
0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E,
0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15,
0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51,
0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4,
0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F,
0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B,
0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A,
0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392,
0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B,
0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231,
0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B,
0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889,
0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5,
0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67,
0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45,
0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49,
0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536,
0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D,
0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC,
0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D,
0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0,
0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E,
0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69,
0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767,
0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2,
0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE,
0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49,
0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24,
0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D,
0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0,
0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A,
0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5,
0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783
};
static const u_int32_t cast_sbox4[256] = {
0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298,
0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1,
0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120,
0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF,
0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220,
0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15,
0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE,
0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121,
0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701,
0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25,
0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B,
0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5,
0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93,
0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB,
0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746,
0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5,
0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9,
0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D,
0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB,
0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6,
0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C,
0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23,
0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7,
0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003,
0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340,
0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6,
0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327,
0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119,
0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC,
0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24,
0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205,
0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A,
0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031,
0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79,
0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5,
0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF,
0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C,
0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26,
0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69,
0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB,
0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9,
0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7,
0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF,
0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417,
0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3,
0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2,
0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2,
0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2,
0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF,
0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A,
0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091,
0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919,
0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF,
0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF,
0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF,
0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876,
0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367,
0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB,
0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C,
0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04,
0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43,
0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282,
0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E,
0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2
};
static const u_int32_t cast_sbox5[256] = {
0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911,
0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F,
0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00,
0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A,
0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180,
0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF,
0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2,
0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02,
0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725,
0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A,
0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B,
0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7,
0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571,
0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9,
0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC,
0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981,
0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA,
0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774,
0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263,
0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655,
0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468,
0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2,
0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B,
0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910,
0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284,
0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1,
0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4,
0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA,
0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7,
0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049,
0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE,
0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F,
0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6,
0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA,
0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4,
0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE,
0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561,
0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3,
0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6,
0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840,
0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406,
0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4,
0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472,
0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2,
0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487,
0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7,
0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288,
0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5,
0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2,
0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E,
0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78,
0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E,
0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76,
0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801,
0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0,
0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD,
0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58,
0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0,
0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2,
0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20,
0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE,
0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8,
0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55,
0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4
};
static const u_int32_t cast_sbox6[256] = {
0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C,
0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC,
0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9,
0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138,
0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E,
0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367,
0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866,
0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98,
0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C,
0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072,
0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD,
0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3,
0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53,
0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD,
0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D,
0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8,
0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF,
0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9,
0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807,
0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54,
0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A,
0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387,
0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563,
0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC,
0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0,
0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF,
0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE,
0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF,
0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0,
0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F,
0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2,
0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289,
0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853,
0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950,
0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA,
0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F,
0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9,
0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B,
0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751,
0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE,
0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358,
0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13,
0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397,
0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976,
0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459,
0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0,
0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4,
0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891,
0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F,
0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA,
0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB,
0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC,
0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2,
0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084,
0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB,
0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25,
0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B,
0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121,
0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B,
0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5,
0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855,
0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD,
0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454,
0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F
};
static const u_int32_t cast_sbox7[256] = {
0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693,
0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F,
0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82,
0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE,
0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD,
0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43,
0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F,
0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19,
0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9,
0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2,
0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E,
0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516,
0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83,
0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88,
0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E,
0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816,
0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A,
0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756,
0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F,
0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A,
0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B,
0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264,
0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78,
0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688,
0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D,
0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28,
0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802,
0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3,
0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9,
0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7,
0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302,
0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06,
0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858,
0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033,
0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A,
0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A,
0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4,
0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566,
0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF,
0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509,
0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9,
0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962,
0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C,
0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E,
0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07,
0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C,
0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939,
0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C,
0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E,
0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285,
0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378,
0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301,
0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD,
0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE,
0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567,
0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767,
0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2,
0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647,
0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF,
0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914,
0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2,
0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C,
0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA,
0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3
};
static const u_int32_t cast_sbox8[256] = {
0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095,
0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5,
0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174,
0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC,
0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940,
0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD,
0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42,
0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D,
0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164,
0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2,
0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4,
0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862,
0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0,
0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC,
0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6,
0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C,
0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491,
0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E,
0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B,
0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039,
0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8,
0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8,
0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006,
0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42,
0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564,
0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5,
0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB,
0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472,
0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC,
0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225,
0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8,
0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C,
0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441,
0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB,
0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F,
0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054,
0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504,
0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70,
0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C,
0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC,
0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6,
0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C,
0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD,
0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3,
0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4,
0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4,
0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC,
0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101,
0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA,
0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F,
0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF,
0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E,
0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603,
0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A,
0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37,
0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C,
0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819,
0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384,
0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D,
0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C,
0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347,
0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82,
0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D,
0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E
};

261
crypto/chacha_private.h Normal file
View file

@ -0,0 +1,261 @@
/* $OpenBSD: chacha_private.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $ */
/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/
#include <sys/systm.h>
typedef unsigned char u8;
typedef unsigned int u32;
typedef struct
{
u32 input[16]; /* could be compressed */
} chacha_ctx;
#define U8C(v) (v##U)
#define U32C(v) (v##U)
#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
#define ROTL32(v, n) \
(U32V((v) << (n)) | ((v) >> (32 - (n))))
#define U8TO32_LITTLE(p) \
(((u32)((p)[0]) ) | \
((u32)((p)[1]) << 8) | \
((u32)((p)[2]) << 16) | \
((u32)((p)[3]) << 24))
#define U32TO8_LITTLE(p, v) \
do { \
(p)[0] = U8V((v) ); \
(p)[1] = U8V((v) >> 8); \
(p)[2] = U8V((v) >> 16); \
(p)[3] = U8V((v) >> 24); \
} while (0)
#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))
#define QUARTERROUND(a,b,c,d) \
a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
static const char sigma[16] = "expand 32-byte k";
static const char tau[16] = "expand 16-byte k";
static inline void
hchacha20(u32 derived_key[8], const u8 nonce[16], const u8 key[32])
{
int i;
uint32_t x[] = {
U8TO32_LITTLE(sigma + 0),
U8TO32_LITTLE(sigma + 4),
U8TO32_LITTLE(sigma + 8),
U8TO32_LITTLE(sigma + 12),
U8TO32_LITTLE(key + 0),
U8TO32_LITTLE(key + 4),
U8TO32_LITTLE(key + 8),
U8TO32_LITTLE(key + 12),
U8TO32_LITTLE(key + 16),
U8TO32_LITTLE(key + 20),
U8TO32_LITTLE(key + 24),
U8TO32_LITTLE(key + 28),
U8TO32_LITTLE(nonce + 0),
U8TO32_LITTLE(nonce + 4),
U8TO32_LITTLE(nonce + 8),
U8TO32_LITTLE(nonce + 12)
};
for (i = 20;i > 0;i -= 2) {
QUARTERROUND( x[0], x[4], x[8],x[12])
QUARTERROUND( x[1], x[5], x[9],x[13])
QUARTERROUND( x[2], x[6],x[10],x[14])
QUARTERROUND( x[3], x[7],x[11],x[15])
QUARTERROUND( x[0], x[5],x[10],x[15])
QUARTERROUND( x[1], x[6],x[11],x[12])
QUARTERROUND( x[2], x[7], x[8],x[13])
QUARTERROUND( x[3], x[4], x[9],x[14])
}
memcpy(derived_key + 0, x + 0, sizeof(u32) * 4);
memcpy(derived_key + 4, x + 12, sizeof(u32) * 4);
}
static void
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
{
const char *constants;
x->input[4] = U8TO32_LITTLE(k + 0);
x->input[5] = U8TO32_LITTLE(k + 4);
x->input[6] = U8TO32_LITTLE(k + 8);
x->input[7] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x->input[8] = U8TO32_LITTLE(k + 0);
x->input[9] = U8TO32_LITTLE(k + 4);
x->input[10] = U8TO32_LITTLE(k + 8);
x->input[11] = U8TO32_LITTLE(k + 12);
x->input[0] = U8TO32_LITTLE(constants + 0);
x->input[1] = U8TO32_LITTLE(constants + 4);
x->input[2] = U8TO32_LITTLE(constants + 8);
x->input[3] = U8TO32_LITTLE(constants + 12);
}
static void
chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
{
x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
x->input[14] = U8TO32_LITTLE(iv + 0);
x->input[15] = U8TO32_LITTLE(iv + 4);
}
static void
chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
{
u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
u8 *ctarget = NULL;
u8 tmp[64];
u_int i;
if (!bytes) return;
j0 = x->input[0];
j1 = x->input[1];
j2 = x->input[2];
j3 = x->input[3];
j4 = x->input[4];
j5 = x->input[5];
j6 = x->input[6];
j7 = x->input[7];
j8 = x->input[8];
j9 = x->input[9];
j10 = x->input[10];
j11 = x->input[11];
j12 = x->input[12];
j13 = x->input[13];
j14 = x->input[14];
j15 = x->input[15];
for (;;) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) tmp[i] = m[i];
m = tmp;
ctarget = c;
c = tmp;
}
x0 = j0;
x1 = j1;
x2 = j2;
x3 = j3;
x4 = j4;
x5 = j5;
x6 = j6;
x7 = j7;
x8 = j8;
x9 = j9;
x10 = j10;
x11 = j11;
x12 = j12;
x13 = j13;
x14 = j14;
x15 = j15;
for (i = 20;i > 0;i -= 2) {
QUARTERROUND( x0, x4, x8,x12)
QUARTERROUND( x1, x5, x9,x13)
QUARTERROUND( x2, x6,x10,x14)
QUARTERROUND( x3, x7,x11,x15)
QUARTERROUND( x0, x5,x10,x15)
QUARTERROUND( x1, x6,x11,x12)
QUARTERROUND( x2, x7, x8,x13)
QUARTERROUND( x3, x4, x9,x14)
}
x0 = PLUS(x0,j0);
x1 = PLUS(x1,j1);
x2 = PLUS(x2,j2);
x3 = PLUS(x3,j3);
x4 = PLUS(x4,j4);
x5 = PLUS(x5,j5);
x6 = PLUS(x6,j6);
x7 = PLUS(x7,j7);
x8 = PLUS(x8,j8);
x9 = PLUS(x9,j9);
x10 = PLUS(x10,j10);
x11 = PLUS(x11,j11);
x12 = PLUS(x12,j12);
x13 = PLUS(x13,j13);
x14 = PLUS(x14,j14);
x15 = PLUS(x15,j15);
#ifndef KEYSTREAM_ONLY
x0 = XOR(x0,U8TO32_LITTLE(m + 0));
x1 = XOR(x1,U8TO32_LITTLE(m + 4));
x2 = XOR(x2,U8TO32_LITTLE(m + 8));
x3 = XOR(x3,U8TO32_LITTLE(m + 12));
x4 = XOR(x4,U8TO32_LITTLE(m + 16));
x5 = XOR(x5,U8TO32_LITTLE(m + 20));
x6 = XOR(x6,U8TO32_LITTLE(m + 24));
x7 = XOR(x7,U8TO32_LITTLE(m + 28));
x8 = XOR(x8,U8TO32_LITTLE(m + 32));
x9 = XOR(x9,U8TO32_LITTLE(m + 36));
x10 = XOR(x10,U8TO32_LITTLE(m + 40));
x11 = XOR(x11,U8TO32_LITTLE(m + 44));
x12 = XOR(x12,U8TO32_LITTLE(m + 48));
x13 = XOR(x13,U8TO32_LITTLE(m + 52));
x14 = XOR(x14,U8TO32_LITTLE(m + 56));
x15 = XOR(x15,U8TO32_LITTLE(m + 60));
#endif
j12 = PLUSONE(j12);
if (!j12) {
j13 = PLUSONE(j13);
/* stopping at 2^70 bytes per nonce is user's responsibility */
}
U32TO8_LITTLE(c + 0,x0);
U32TO8_LITTLE(c + 4,x1);
U32TO8_LITTLE(c + 8,x2);
U32TO8_LITTLE(c + 12,x3);
U32TO8_LITTLE(c + 16,x4);
U32TO8_LITTLE(c + 20,x5);
U32TO8_LITTLE(c + 24,x6);
U32TO8_LITTLE(c + 28,x7);
U32TO8_LITTLE(c + 32,x8);
U32TO8_LITTLE(c + 36,x9);
U32TO8_LITTLE(c + 40,x10);
U32TO8_LITTLE(c + 44,x11);
U32TO8_LITTLE(c + 48,x12);
U32TO8_LITTLE(c + 52,x13);
U32TO8_LITTLE(c + 56,x14);
U32TO8_LITTLE(c + 60,x15);
if (bytes <= 64) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) ctarget[i] = c[i];
}
x->input[12] = j12;
x->input[13] = j13;
return;
}
bytes -= 64;
c += 64;
#ifndef KEYSTREAM_ONLY
m += 64;
#endif
}
}

262
crypto/chachapoly.c Normal file
View file

@ -0,0 +1,262 @@
/* $OpenBSD: chachapoly.c,v 1.6 2020/07/22 13:54:30 tobhe Exp $ */
/*
* Copyright (c) 2015 Mike Belopuhov
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <lib/libkern/libkern.h>
#include <crypto/chacha_private.h>
#include <crypto/poly1305.h>
#include <crypto/chachapoly.h>
int
chacha20_setkey(void *sched, u_int8_t *key, int len)
{
struct chacha20_ctx *ctx = (struct chacha20_ctx *)sched;
if (len != CHACHA20_KEYSIZE + CHACHA20_SALT)
return (-1);
/* initial counter is 1 */
ctx->nonce[0] = 1;
memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE,
CHACHA20_SALT);
chacha_keysetup((chacha_ctx *)&ctx->block, key, CHACHA20_KEYSIZE * 8);
return (0);
}
void
chacha20_reinit(caddr_t key, u_int8_t *iv)
{
struct chacha20_ctx *ctx = (struct chacha20_ctx *)key;
chacha_ivsetup((chacha_ctx *)ctx->block, iv, ctx->nonce);
}
void
chacha20_crypt(caddr_t key, u_int8_t *data)
{
struct chacha20_ctx *ctx = (struct chacha20_ctx *)key;
chacha_encrypt_bytes((chacha_ctx *)ctx->block, data, data,
CHACHA20_BLOCK_LEN);
}
void
Chacha20_Poly1305_Init(void *xctx)
{
CHACHA20_POLY1305_CTX *ctx = xctx;
memset(ctx, 0, sizeof(*ctx));
}
void
Chacha20_Poly1305_Setkey(void *xctx, const uint8_t *key, uint16_t klen)
{
CHACHA20_POLY1305_CTX *ctx = xctx;
/* salt is provided with the key material */
memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE,
CHACHA20_SALT);
chacha_keysetup((chacha_ctx *)&ctx->chacha, key, CHACHA20_KEYSIZE * 8);
}
void
Chacha20_Poly1305_Reinit(void *xctx, const uint8_t *iv, uint16_t ivlen)
{
CHACHA20_POLY1305_CTX *ctx = xctx;
/* initial counter is 0 */
chacha_ivsetup((chacha_ctx *)&ctx->chacha, iv, ctx->nonce);
chacha_encrypt_bytes((chacha_ctx *)&ctx->chacha, ctx->key, ctx->key,
POLY1305_KEYLEN);
poly1305_init((poly1305_state *)&ctx->poly, ctx->key);
}
int
Chacha20_Poly1305_Update(void *xctx, const uint8_t *data, uint16_t len)
{
static const char zeroes[POLY1305_BLOCK_LEN];
CHACHA20_POLY1305_CTX *ctx = xctx;
size_t rem;
poly1305_update((poly1305_state *)&ctx->poly, data, len);
/* number of bytes in the last 16 byte block */
rem = (len + POLY1305_BLOCK_LEN) & (POLY1305_BLOCK_LEN - 1);
if (rem > 0)
poly1305_update((poly1305_state *)&ctx->poly, zeroes,
POLY1305_BLOCK_LEN - rem);
return (0);
}
void
Chacha20_Poly1305_Final(uint8_t tag[POLY1305_TAGLEN], void *xctx)
{
CHACHA20_POLY1305_CTX *ctx = xctx;
poly1305_finish((poly1305_state *)&ctx->poly, tag);
explicit_bzero(ctx, sizeof(*ctx));
}
static const uint8_t pad0[16] = { 0 };
void
chacha20poly1305_encrypt(
uint8_t *dst,
const uint8_t *src,
const size_t src_len,
const uint8_t *ad,
const size_t ad_len,
const uint64_t nonce,
const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
poly1305_state poly1305_ctx;
chacha_ctx chacha_ctx;
union {
uint8_t b0[CHACHA20POLY1305_KEY_SIZE];
uint64_t lens[2];
} b = { { 0 } };
uint64_t le_nonce = htole64(nonce);
chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8);
chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL);
chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0));
poly1305_init(&poly1305_ctx, b.b0);
poly1305_update(&poly1305_ctx, ad, ad_len);
poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf);
chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, src_len);
poly1305_update(&poly1305_ctx, dst, src_len);
poly1305_update(&poly1305_ctx, pad0, (0x10 - src_len) & 0xf);
b.lens[0] = htole64(ad_len);
b.lens[1] = htole64(src_len);
poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens));
poly1305_finish(&poly1305_ctx, dst + src_len);
explicit_bzero(&chacha_ctx, sizeof(chacha_ctx));
explicit_bzero(&b, sizeof(b));
}
int
chacha20poly1305_decrypt(
uint8_t *dst,
const uint8_t *src,
const size_t src_len,
const uint8_t *ad,
const size_t ad_len,
const uint64_t nonce,
const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
poly1305_state poly1305_ctx;
chacha_ctx chacha_ctx;
int ret;
size_t dst_len;
union {
uint8_t b0[CHACHA20POLY1305_KEY_SIZE];
uint8_t mac[CHACHA20POLY1305_AUTHTAG_SIZE];
uint64_t lens[2];
} b = { { 0 } };
uint64_t le_nonce = htole64(nonce);
if (src_len < CHACHA20POLY1305_AUTHTAG_SIZE)
return 0;
chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8);
chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL);
chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0));
poly1305_init(&poly1305_ctx, b.b0);
poly1305_update(&poly1305_ctx, ad, ad_len);
poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf);
dst_len = src_len - CHACHA20POLY1305_AUTHTAG_SIZE;
poly1305_update(&poly1305_ctx, src, dst_len);
poly1305_update(&poly1305_ctx, pad0, (0x10 - dst_len) & 0xf);
b.lens[0] = htole64(ad_len);
b.lens[1] = htole64(dst_len);
poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens));
poly1305_finish(&poly1305_ctx, b.mac);
ret = timingsafe_bcmp(b.mac, src + dst_len, CHACHA20POLY1305_AUTHTAG_SIZE);
if (!ret)
chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, dst_len);
explicit_bzero(&chacha_ctx, sizeof(chacha_ctx));
explicit_bzero(&b, sizeof(b));
return !ret;
}
void
xchacha20poly1305_encrypt(
uint8_t *dst,
const uint8_t *src,
const size_t src_len,
const uint8_t *ad,
const size_t ad_len,
const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
int i;
uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)];
uint64_t h_nonce;
memcpy(&h_nonce, nonce + 16, sizeof(h_nonce));
h_nonce = le64toh(h_nonce);
hchacha20(derived_key, nonce, key);
for(i = 0; i < (sizeof(derived_key)/sizeof(derived_key[0])); i++)
(derived_key[i]) = htole32((derived_key[i]));
chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
h_nonce, (uint8_t *)derived_key);
explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE);
}
int
xchacha20poly1305_decrypt(
uint8_t *dst,
const uint8_t *src,
const size_t src_len,
const uint8_t *ad,
const size_t ad_len,
const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
int ret, i;
uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)];
uint64_t h_nonce;
memcpy(&h_nonce, nonce + 16, sizeof(h_nonce));
h_nonce = le64toh(h_nonce);
hchacha20(derived_key, nonce, key);
for(i = 0; i < (sizeof(derived_key)/sizeof(derived_key[0])); i++)
(derived_key[i]) = htole32((derived_key[i]));
ret = chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
h_nonce, (uint8_t *)derived_key);
explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE);
return ret;
}

120
crypto/cmac.c Normal file
View file

@ -0,0 +1,120 @@
/* $OpenBSD: cmac.c,v 1.3 2017/05/02 17:07:06 mikeb Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* This code implements the CMAC (Cipher-based Message Authentication)
* algorithm described in FIPS SP800-38B using the AES-128 cipher.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/aes.h>
#include <crypto/cmac.h>
#define LSHIFT(v, r) do { \
int i; \
for (i = 0; i < 15; i++) \
(r)[i] = (v)[i] << 1 | (v)[i + 1] >> 7; \
(r)[15] = (v)[15] << 1; \
} while (0)
#define XOR(v, r) do { \
int i; \
for (i = 0; i < 16; i++) \
(r)[i] ^= (v)[i]; \
} while (0)
void
AES_CMAC_Init(AES_CMAC_CTX *ctx)
{
memset(ctx->X, 0, sizeof ctx->X);
ctx->M_n = 0;
}
void
AES_CMAC_SetKey(AES_CMAC_CTX *ctx, const u_int8_t key[AES_CMAC_KEY_LENGTH])
{
AES_Setkey(&ctx->aesctx, key, 16);
}
void
AES_CMAC_Update(AES_CMAC_CTX *ctx, const u_int8_t *data, u_int len)
{
u_int mlen;
if (ctx->M_n > 0) {
mlen = MIN(16 - ctx->M_n, len);
memcpy(ctx->M_last + ctx->M_n, data, mlen);
ctx->M_n += mlen;
if (ctx->M_n < 16 || len == mlen)
return;
XOR(ctx->M_last, ctx->X);
AES_Encrypt(&ctx->aesctx, ctx->X, ctx->X);
data += mlen;
len -= mlen;
}
while (len > 16) { /* not last block */
XOR(data, ctx->X);
AES_Encrypt(&ctx->aesctx, ctx->X, ctx->X);
data += 16;
len -= 16;
}
/* potential last block, save it */
memcpy(ctx->M_last, data, len);
ctx->M_n = len;
}
void
AES_CMAC_Final(u_int8_t digest[AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *ctx)
{
u_int8_t K[16];
/* generate subkey K1 */
memset(K, 0, sizeof K);
AES_Encrypt(&ctx->aesctx, K, K);
if (K[0] & 0x80) {
LSHIFT(K, K);
K[15] ^= 0x87;
} else
LSHIFT(K, K);
if (ctx->M_n == 16) {
/* last block was a complete block */
XOR(K, ctx->M_last);
} else {
/* generate subkey K2 */
if (K[0] & 0x80) {
LSHIFT(K, K);
K[15] ^= 0x87;
} else
LSHIFT(K, K);
/* padding(M_last) */
ctx->M_last[ctx->M_n] = 0x80;
while (++ctx->M_n < 16)
ctx->M_last[ctx->M_n] = 0;
XOR(K, ctx->M_last);
}
XOR(ctx->M_last, ctx->X);
AES_Encrypt(&ctx->aesctx, ctx->X, digest);
explicit_bzero(K, sizeof K);
}

707
crypto/crypto.c
View file

@ -1,74 +1,663 @@
/****************************************************************************
* crypto/crypto.c
/* $OpenBSD: crypto.c,v 1.65 2014/07/13 23:24:47 deraadt Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership. The
* ASF licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the
* License. You may obtain a copy of the License at
* This code was written by Angelos D. Keromytis in Athens, Greece, in
* February 2000. Network Security Technologies Inc. (NSTI) kindly
* supported the development of this code.
*
* http://www.apache.org/licenses/LICENSE-2.0
* Copyright (c) 2000, 2001 Angelos D. Keromytis
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
* Permission to use, copy, and modify this software with or without fee
* is hereby granted, provided that this entire notice is included in
* all source code copies of any software which is or includes a copy or
* modification of this software.
*
****************************************************************************/
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
* PURPOSE.
*/
/****************************************************************************
* Included Files
****************************************************************************/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/proc.h>
#include <sys/pool.h>
#include <nuttx/config.h>
#include <crypto/cryptodev.h>
#include <sys/types.h>
#include <stdbool.h>
#include <string.h>
#include <poll.h>
#include <debug.h>
#include <errno.h>
void crypto_init(void);
#include <nuttx/fs/fs.h>
#include <nuttx/crypto/crypto.h>
struct cryptocap *crypto_drivers = NULL;
int crypto_drivers_num = 0;
/****************************************************************************
* Private Function Prototypes
****************************************************************************/
struct pool cryptop_pool;
struct pool cryptodesc_pool;
/****************************************************************************
* Private Data
****************************************************************************/
struct taskq *crypto_taskq;
/****************************************************************************
* Private Functions
****************************************************************************/
/****************************************************************************
* Public Functions
****************************************************************************/
int up_cryptoinitialize(void)
/*
* Create a new session.
*/
int
crypto_newsession(u_int64_t *sid, struct cryptoini *cri, int hard)
{
#ifdef CONFIG_CRYPTO_ALGTEST
int ret;
u_int32_t hid, lid, hid2 = -1;
struct cryptocap *cpc;
struct cryptoini *cr;
int err, s, turn = 0;
#ifdef CONFIG_CRYPTO_ALGTEST
ret = crypto_test();
if (ret)
{
crypterr("ERROR: crypto test failed\n");
}
else
{
cryptinfo("crypto test OK\n");
}
#endif
if (crypto_drivers == NULL)
return EINVAL;
return ret;
#else
return OK;
#endif
s = splvm();
/*
* The algorithm we use here is pretty stupid; just use the
* first driver that supports all the algorithms we need. Do
* a double-pass over all the drivers, ignoring software ones
* at first, to deal with cases of drivers that register after
* the software one(s) --- e.g., PCMCIA crypto cards.
*
* XXX We need more smarts here (in real life too, but that's
* XXX another story altogether).
*/
do {
for (hid = 0; hid < crypto_drivers_num; hid++) {
cpc = &crypto_drivers[hid];
/*
* If it's not initialized or has remaining sessions
* referencing it, skip.
*/
if (cpc->cc_newsession == NULL ||
(cpc->cc_flags & CRYPTOCAP_F_CLEANUP))
continue;
if (cpc->cc_flags & CRYPTOCAP_F_SOFTWARE) {
/*
* First round of search, ignore
* software drivers.
*/
if (turn == 0)
continue;
} else { /* !CRYPTOCAP_F_SOFTWARE */
/* Second round of search, only software. */
if (turn == 1)
continue;
}
/* See if all the algorithms are supported. */
for (cr = cri; cr; cr = cr->cri_next) {
if (cpc->cc_alg[cr->cri_alg] == 0)
break;
}
/*
* If even one algorithm is not supported,
* keep searching.
*/
if (cr != NULL)
continue;
/*
* If we had a previous match, see how it compares
* to this one. Keep "remembering" whichever is
* the best of the two.
*/
if (hid2 != -1) {
/*
* Compare session numbers, pick the one
* with the lowest.
* XXX Need better metrics, this will
* XXX just do un-weighted round-robin.
*/
if (crypto_drivers[hid].cc_sessions <=
crypto_drivers[hid2].cc_sessions)
hid2 = hid;
} else {
/*
* Remember this one, for future
* comparisons.
*/
hid2 = hid;
}
}
/*
* If we found something worth remembering, leave. The
* side-effect is that we will always prefer a hardware
* driver over the software one.
*/
if (hid2 != -1)
break;
turn++;
/* If we only want hardware drivers, don't do second pass. */
} while (turn <= 2 && hard == 0);
hid = hid2;
/*
* Can't do everything in one session.
*
* XXX Fix this. We need to inject a "virtual" session
* XXX layer right about here.
*/
if (hid == -1) {
splx(s);
return EINVAL;
}
/* Call the driver initialization routine. */
lid = hid; /* Pass the driver ID. */
err = crypto_drivers[hid].cc_newsession(&lid, cri);
if (err == 0) {
(*sid) = hid;
(*sid) <<= 32;
(*sid) |= (lid & 0xffffffff);
crypto_drivers[hid].cc_sessions++;
}
splx(s);
return err;
}
/*
* Delete an existing session (or a reserved session on an unregistered
* driver).
*/
int
crypto_freesession(u_int64_t sid)
{
int err = 0, s;
u_int32_t hid;
if (crypto_drivers == NULL)
return EINVAL;
/* Determine two IDs. */
hid = (sid >> 32) & 0xffffffff;
if (hid >= crypto_drivers_num)
return ENOENT;
s = splvm();
if (crypto_drivers[hid].cc_sessions)
crypto_drivers[hid].cc_sessions--;
/* Call the driver cleanup routine, if available. */
if (crypto_drivers[hid].cc_freesession)
err = crypto_drivers[hid].cc_freesession(sid);
/*
* If this was the last session of a driver marked as invalid,
* make the entry available for reuse.
*/
if ((crypto_drivers[hid].cc_flags & CRYPTOCAP_F_CLEANUP) &&
crypto_drivers[hid].cc_sessions == 0)
explicit_bzero(&crypto_drivers[hid], sizeof(struct cryptocap));
splx(s);
return err;
}
/*
* Find an empty slot.
*/
int32_t
crypto_get_driverid(u_int8_t flags)
{
struct cryptocap *newdrv;
int i, s;
s = splvm();
if (crypto_drivers_num == 0) {
crypto_drivers_num = CRYPTO_DRIVERS_INITIAL;
crypto_drivers = mallocarray(crypto_drivers_num,
sizeof(struct cryptocap), M_CRYPTO_DATA, M_NOWAIT);
if (crypto_drivers == NULL) {
crypto_drivers_num = 0;
splx(s);
return -1;
}
bzero(crypto_drivers, crypto_drivers_num *
sizeof(struct cryptocap));
}
for (i = 0; i < crypto_drivers_num; i++) {
if (crypto_drivers[i].cc_process == NULL &&
!(crypto_drivers[i].cc_flags & CRYPTOCAP_F_CLEANUP) &&
crypto_drivers[i].cc_sessions == 0) {
crypto_drivers[i].cc_sessions = 1; /* Mark */
crypto_drivers[i].cc_flags = flags;
splx(s);
return i;
}
}
/* Out of entries, allocate some more. */
if (i == crypto_drivers_num) {
if (crypto_drivers_num >= CRYPTO_DRIVERS_MAX) {
splx(s);
return -1;
}
newdrv = mallocarray(crypto_drivers_num,
2 * sizeof(struct cryptocap), M_CRYPTO_DATA, M_NOWAIT);
if (newdrv == NULL) {
splx(s);
return -1;
}
bcopy(crypto_drivers, newdrv,
crypto_drivers_num * sizeof(struct cryptocap));
bzero(&newdrv[crypto_drivers_num],
crypto_drivers_num * sizeof(struct cryptocap));
newdrv[i].cc_sessions = 1; /* Mark */
newdrv[i].cc_flags = flags;
crypto_drivers_num *= 2;
free(crypto_drivers, M_CRYPTO_DATA, 0);
crypto_drivers = newdrv;
splx(s);
return i;
}
/* Shouldn't really get here... */
splx(s);
return -1;
}
/*
* Register a crypto driver. It should be called once for each algorithm
* supported by the driver.
*/
int
crypto_kregister(u_int32_t driverid, int *kalg,
int (*kprocess)(struct cryptkop *))
{
int s, i;
if (driverid >= crypto_drivers_num || kalg == NULL ||
crypto_drivers == NULL)
return EINVAL;
s = splvm();
for (i = 0; i <= CRK_ALGORITHM_MAX; i++) {
/*
* XXX Do some performance testing to determine
* placing. We probably need an auxiliary data
* structure that describes relative performances.
*/
crypto_drivers[driverid].cc_kalg[i] = kalg[i];
}
crypto_drivers[driverid].cc_kprocess = kprocess;
splx(s);
return 0;
}
/* Register a crypto driver. */
int
crypto_register(u_int32_t driverid, int *alg,
int (*newses)(u_int32_t *, struct cryptoini *),
int (*freeses)(u_int64_t), int (*process)(struct cryptop *))
{
int s, i;
if (driverid >= crypto_drivers_num || alg == NULL ||
crypto_drivers == NULL)
return EINVAL;
s = splvm();
for (i = 0; i <= CRYPTO_ALGORITHM_MAX; i++) {
/*
* XXX Do some performance testing to determine
* placing. We probably need an auxiliary data
* structure that describes relative performances.
*/
crypto_drivers[driverid].cc_alg[i] = alg[i];
}
crypto_drivers[driverid].cc_newsession = newses;
crypto_drivers[driverid].cc_process = process;
crypto_drivers[driverid].cc_freesession = freeses;
crypto_drivers[driverid].cc_sessions = 0; /* Unmark */
splx(s);
return 0;
}
/*
* Unregister a crypto driver. If there are pending sessions using it,
* leave enough information around so that subsequent calls using those
* sessions will correctly detect the driver being unregistered and reroute
* the request.
*/
int
crypto_unregister(u_int32_t driverid, int alg)
{
int i = CRYPTO_ALGORITHM_MAX + 1, s;
u_int32_t ses;
s = splvm();
/* Sanity checks. */
if (driverid >= crypto_drivers_num || crypto_drivers == NULL ||
((alg <= 0 || alg > CRYPTO_ALGORITHM_MAX) &&
alg != CRYPTO_ALGORITHM_MAX + 1) ||
crypto_drivers[driverid].cc_alg[alg] == 0) {
splx(s);
return EINVAL;
}
if (alg != CRYPTO_ALGORITHM_MAX + 1) {
crypto_drivers[driverid].cc_alg[alg] = 0;
/* Was this the last algorithm ? */
for (i = 1; i <= CRYPTO_ALGORITHM_MAX; i++)
if (crypto_drivers[driverid].cc_alg[i] != 0)
break;
}
/*
* If a driver unregistered its last algorithm or all of them
* (alg == CRYPTO_ALGORITHM_MAX + 1), cleanup its entry.
*/
if (i == CRYPTO_ALGORITHM_MAX + 1 || alg == CRYPTO_ALGORITHM_MAX + 1) {
ses = crypto_drivers[driverid].cc_sessions;
bzero(&crypto_drivers[driverid], sizeof(struct cryptocap));
if (ses != 0) {
/*
* If there are pending sessions, just mark as invalid.
*/
crypto_drivers[driverid].cc_flags |= CRYPTOCAP_F_CLEANUP;
crypto_drivers[driverid].cc_sessions = ses;
}
}
splx(s);
return 0;
}
/*
* Add crypto request to a queue, to be processed by a kernel thread.
*/
int
crypto_dispatch(struct cryptop *crp)
{
if (crypto_taskq && !(crp->crp_flags & CRYPTO_F_NOQUEUE)) {
task_set(&crp->crp_task, (void (*))crypto_invoke, crp, NULL);
task_add(crypto_taskq, &crp->crp_task);
} else {
crypto_invoke(crp);
}
return 0;
}
int
crypto_kdispatch(struct cryptkop *krp)
{
if (crypto_taskq) {
task_set(&krp->krp_task, (void (*))crypto_kinvoke, krp, NULL);
task_add(crypto_taskq, &krp->krp_task);
} else {
crypto_kinvoke(krp);
}
return 0;
}
/*
* Dispatch an asymmetric crypto request to the appropriate crypto devices.
*/
int
crypto_kinvoke(struct cryptkop *krp)
{
extern int cryptodevallowsoft;
u_int32_t hid;
int error;
int s;
/* Sanity checks. */
if (krp == NULL || krp->krp_callback == NULL)
return (EINVAL);
s = splvm();
for (hid = 0; hid < crypto_drivers_num; hid++) {
if ((crypto_drivers[hid].cc_flags & CRYPTOCAP_F_SOFTWARE) &&
cryptodevallowsoft == 0)
continue;
if (crypto_drivers[hid].cc_kprocess == NULL)
continue;
if ((crypto_drivers[hid].cc_kalg[krp->krp_op] &
CRYPTO_ALG_FLAG_SUPPORTED) == 0)
continue;
break;
}
if (hid == crypto_drivers_num) {
krp->krp_status = ENODEV;
crypto_kdone(krp);
splx(s);
return (0);
}
krp->krp_hid = hid;
crypto_drivers[hid].cc_koperations++;
error = crypto_drivers[hid].cc_kprocess(krp);
if (error) {
krp->krp_status = error;
crypto_kdone(krp);
}
splx(s);
return (0);
}
/*
* Dispatch a crypto request to the appropriate crypto devices.
*/
int
crypto_invoke(struct cryptop *crp)
{
struct cryptodesc *crd;
u_int64_t nid;
u_int32_t hid;
int error;
int s;
/* Sanity checks. */
if (crp == NULL || crp->crp_callback == NULL)
return EINVAL;
s = splvm();
if (crp->crp_desc == NULL || crypto_drivers == NULL) {
crp->crp_etype = EINVAL;
crypto_done(crp);
splx(s);
return 0;
}
hid = (crp->crp_sid >> 32) & 0xffffffff;
if (hid >= crypto_drivers_num)
goto migrate;
if (crypto_drivers[hid].cc_flags & CRYPTOCAP_F_CLEANUP) {
crypto_freesession(crp->crp_sid);
goto migrate;
}
if (crypto_drivers[hid].cc_process == NULL)
goto migrate;
crypto_drivers[hid].cc_operations++;
crypto_drivers[hid].cc_bytes += crp->crp_ilen;
error = crypto_drivers[hid].cc_process(crp);
if (error) {
if (error == ERESTART) {
/* Unregister driver and migrate session. */
crypto_unregister(hid, CRYPTO_ALGORITHM_MAX + 1);
goto migrate;
} else {
crp->crp_etype = error;
}
}
splx(s);
return 0;
migrate:
/* Migrate session. */
for (crd = crp->crp_desc; crd->crd_next; crd = crd->crd_next)
crd->CRD_INI.cri_next = &(crd->crd_next->CRD_INI);
if (crypto_newsession(&nid, &(crp->crp_desc->CRD_INI), 0) == 0)
crp->crp_sid = nid;
crp->crp_etype = EAGAIN;
crypto_done(crp);
splx(s);
return 0;
}
/*
* Release a set of crypto descriptors.
*/
void
crypto_freereq(struct cryptop *crp)
{
struct cryptodesc *crd;
int s;
if (crp == NULL)
return;
s = splvm();
while ((crd = crp->crp_desc) != NULL) {
crp->crp_desc = crd->crd_next;
pool_put(&cryptodesc_pool, crd);
}
pool_put(&cryptop_pool, crp);
splx(s);
}
/*
* Acquire a set of crypto descriptors.
*/
struct cryptop *
crypto_getreq(int num)
{
struct cryptodesc *crd;
struct cryptop *crp;
int s;
s = splvm();
crp = pool_get(&cryptop_pool, PR_NOWAIT);
if (crp == NULL) {
splx(s);
return NULL;
}
bzero(crp, sizeof(struct cryptop));
while (num--) {
crd = pool_get(&cryptodesc_pool, PR_NOWAIT);
if (crd == NULL) {
splx(s);
crypto_freereq(crp);
return NULL;
}
bzero(crd, sizeof(struct cryptodesc));
crd->crd_next = crp->crp_desc;
crp->crp_desc = crd;
}
splx(s);
return crp;
}
void
crypto_init(void)
{
crypto_taskq = taskq_create("crypto", 1, IPL_HIGH);
pool_init(&cryptop_pool, sizeof(struct cryptop), 0, 0,
0, "cryptop", NULL);
pool_init(&cryptodesc_pool, sizeof(struct cryptodesc), 0, 0,
0, "cryptodesc", NULL);
}
/*
* Invoke the callback on behalf of the driver.
*/
void
crypto_done(struct cryptop *crp)
{
crp->crp_flags |= CRYPTO_F_DONE;
if (crp->crp_flags & CRYPTO_F_NOQUEUE) {
/* not from the crypto queue, wakeup the userland process */
crp->crp_callback(crp);
} else {
task_set(&crp->crp_task, (void (*))crp->crp_callback,
crp, NULL);
task_add(crypto_taskq, &crp->crp_task);
}
}
/*
* Invoke the callback on behalf of the driver.
*/
void
crypto_kdone(struct cryptkop *krp)
{
task_set(&krp->krp_task, (void (*))krp->krp_callback, krp, NULL);
task_add(crypto_taskq, &krp->krp_task);
}
int
crypto_getfeat(int *featp)
{
extern int cryptodevallowsoft, userasymcrypto;
int hid, kalg, feat = 0;
if (userasymcrypto == 0)
goto out;
for (hid = 0; hid < crypto_drivers_num; hid++) {
if ((crypto_drivers[hid].cc_flags & CRYPTOCAP_F_SOFTWARE) &&
cryptodevallowsoft == 0) {
continue;
}
if (crypto_drivers[hid].cc_kprocess == NULL)
continue;
for (kalg = 0; kalg <= CRK_ALGORITHM_MAX; kalg++)
if ((crypto_drivers[hid].cc_kalg[kalg] &
CRYPTO_ALG_FLAG_SUPPORTED) != 0)
feat |= 1 << kalg;
}
out:
*featp = feat;
return (0);
}

871
crypto/cryptodev.c
View file

@ -1,169 +1,760 @@
/****************************************************************************
* crypto/cryptodev.c
/* $OpenBSD: cryptodev.c,v 1.82 2014/08/18 05:11:03 dlg Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership. The
* ASF licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the
* License. You may obtain a copy of the License at
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* http://www.apache.org/licenses/LICENSE-2.0
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
****************************************************************************/
* Effort sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F30602-01-2-0537.
*
*/
/****************************************************************************
* Included Files
****************************************************************************/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/pool.h>
#include <sys/mbuf.h>
#include <sys/proc.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/errno.h>
#include <dev/rndvar.h>
#include <sys/conf.h>
#include <sys/device.h>
#include <crypto/md5.h>
#include <crypto/sha1.h>
#include <crypto/rmd160.h>
#include <crypto/cast.h>
#include <crypto/blf.h>
#include <crypto/cryptodev.h>
#include <crypto/xform.h>
#include <nuttx/config.h>
extern struct cryptocap *crypto_drivers;
extern int crypto_drivers_num;
#include <sys/types.h>
#include <stdbool.h>
#include <string.h>
#include <poll.h>
#include <errno.h>
struct csession {
TAILQ_ENTRY(csession) next;
u_int64_t sid;
u_int32_t ses;
#include <nuttx/fs/fs.h>
#include <nuttx/drivers/drivers.h>
u_int32_t cipher;
struct enc_xform *txform;
u_int32_t mac;
struct auth_hash *thash;
#include <nuttx/crypto/crypto.h>
#include <nuttx/crypto/cryptodev.h>
caddr_t key;
int keylen;
u_char tmp_iv[EALG_MAX_BLOCK_LEN];
/****************************************************************************
* Pre-processor Definitions
****************************************************************************/
caddr_t mackey;
int mackeylen;
u_char tmp_mac[CRYPTO_MAX_MAC_LEN];
#ifdef CONFIG_CRYPTO_AES
# define AES_CYPHER(mode) \
aes_cypher(op->dst, op->src, op->len, op->iv, ses->key, ses->keylen, \
mode, encrypt)
#endif
/****************************************************************************
* Private Function Prototypes
****************************************************************************/
/* Character driver methods */
static ssize_t cryptodev_read(FAR struct file *filep,
FAR char *buffer,
size_t len);
static ssize_t cryptodev_write(FAR struct file *filep,
FAR const char *buffer,
size_t len);
static int cryptodev_ioctl(FAR struct file *filep,
int cmd,
unsigned long arg);
/****************************************************************************
* Private Data
****************************************************************************/
static const struct file_operations g_cryptodevops =
{
NULL, /* open */
NULL, /* close */
cryptodev_read, /* read */
cryptodev_write, /* write */
NULL, /* seek */
cryptodev_ioctl, /* ioctl */
NULL /* poll */
#ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
, NULL /* unlink */
#endif
struct iovec iovec[IOV_MAX];
struct uio uio;
int error;
};
/****************************************************************************
* Private Functions
****************************************************************************/
struct fcrypt {
TAILQ_HEAD(csessionlist, csession) csessions;
int sesn;
};
static ssize_t cryptodev_read(FAR struct file *filep,
FAR char *buffer,
size_t len)
void cryptoattach(int);
int cryptof_read(struct file *, off_t *, struct uio *, struct ucred *);
int cryptof_write(struct file *, off_t *, struct uio *, struct ucred *);
int cryptof_ioctl(struct file *, u_long, caddr_t, struct proc *p);
int cryptof_poll(struct file *, int, struct proc *);
int cryptof_kqfilter(struct file *, struct knote *);
int cryptof_stat(struct file *, struct stat *, struct proc *);
int cryptof_close(struct file *, struct proc *);
static struct fileops cryptofops = {
cryptof_read,
cryptof_write,
cryptof_ioctl,
cryptof_poll,
cryptof_kqfilter,
cryptof_stat,
cryptof_close
};
struct csession *csefind(struct fcrypt *, u_int);
int csedelete(struct fcrypt *, struct csession *);
struct csession *cseadd(struct fcrypt *, struct csession *);
struct csession *csecreate(struct fcrypt *, u_int64_t, caddr_t, u_int64_t,
caddr_t, u_int64_t, u_int32_t, u_int32_t, struct enc_xform *,
struct auth_hash *);
int csefree(struct csession *);
int cryptodev_op(struct csession *, struct crypt_op *, struct proc *);
int cryptodev_key(struct crypt_kop *);
int cryptodev_dokey(struct crypt_kop *kop, struct crparam kvp[]);
int cryptodev_cb(struct cryptop *);
int cryptodevkey_cb(struct cryptkop *);
int usercrypto = 0; /* userland may do crypto requests */
int userasymcrypto = 0; /* userland may do asymmetric crypto reqs */
int cryptodevallowsoft = 0; /* only use hardware crypto */
/* ARGSUSED */
int
cryptof_read(struct file *fp, off_t *poff, struct uio *uio, struct ucred *cred)
{
return -EACCES;
return (EIO);
}
static ssize_t cryptodev_write(FAR struct file *filep,
FAR const char *buffer,
size_t len)
/* ARGSUSED */
int
cryptof_write(struct file *fp, off_t *poff, struct uio *uio, struct ucred *cred)
{
return -EACCES;
return (EIO);
}
static int cryptodev_ioctl(FAR struct file *filep,
int cmd,
unsigned long arg)
/* ARGSUSED */
int
cryptof_ioctl(struct file *fp, u_long cmd, caddr_t data, struct proc *p)
{
switch (cmd)
{
case CIOCGSESSION:
{
FAR struct session_op *ses = (FAR struct session_op *)arg;
ses->ses = (uint32_t)ses;
return OK;
}
struct cryptoini cria, crie;
struct fcrypt *fcr = fp->f_data;
struct csession *cse;
struct session_op *sop;
struct crypt_op *cop;
struct enc_xform *txform = NULL;
struct auth_hash *thash = NULL;
u_int64_t sid;
u_int32_t ses;
int error = 0;
case CIOCFSESSION:
{
return OK;
}
switch (cmd) {
case CIOCGSESSION:
sop = (struct session_op *)data;
switch (sop->cipher) {
case 0:
break;
case CRYPTO_DES_CBC:
txform = &enc_xform_des;
break;
case CRYPTO_3DES_CBC:
txform = &enc_xform_3des;
break;
case CRYPTO_BLF_CBC:
txform = &enc_xform_blf;
break;
case CRYPTO_CAST_CBC:
txform = &enc_xform_cast5;
break;
case CRYPTO_AES_CBC:
txform = &enc_xform_rijndael128;
break;
case CRYPTO_AES_CTR:
txform = &enc_xform_aes_ctr;
break;
case CRYPTO_AES_XTS:
txform = &enc_xform_aes_xts;
break;
case CRYPTO_ARC4:
txform = &enc_xform_arc4;
break;
case CRYPTO_NULL:
txform = &enc_xform_null;
break;
default:
return (EINVAL);
}
#ifdef CONFIG_CRYPTO_AES
case CIOCCRYPT:
{
FAR struct crypt_op *op = (FAR struct crypt_op *)arg;
FAR struct session_op *ses = (FAR struct session_op *)op->ses;
int encrypt;
switch (op->op)
{
case COP_ENCRYPT:
encrypt = 1;
break;
case COP_DECRYPT:
encrypt = 0;
break;
default:
return -EINVAL;
}
switch (ses->cipher)
{
case CRYPTO_AES_ECB:
return AES_CYPHER(AES_MODE_ECB);
case CRYPTO_AES_CBC:
return AES_CYPHER(AES_MODE_CBC);
case CRYPTO_AES_CTR:
return AES_CYPHER(AES_MODE_CTR);
default:
return -EINVAL;
}
}
switch (sop->mac) {
case 0:
break;
#if 0
case CRYPTO_MD5_HMAC:
thash = &auth_hash_hmac_md5_96;
break;
case CRYPTO_SHA1_HMAC:
thash = &auth_hash_hmac_sha1_96;
break;
case CRYPTO_RIPEMD160_HMAC:
thash = &auth_hash_hmac_ripemd_160_96;
break;
case CRYPTO_MD5:
thash = &auth_hash_md5;
break;
case CRYPTO_SHA1:
thash = &auth_hash_sha1;
break;
#endif
default:
return (EINVAL);
}
default:
return -ENOTTY;
}
bzero(&crie, sizeof(crie));
bzero(&cria, sizeof(cria));
if (txform) {
crie.cri_alg = txform->type;
crie.cri_klen = sop->keylen * 8;
if (sop->keylen > txform->maxkey ||
sop->keylen < txform->minkey) {
error = EINVAL;
goto bail;
}
crie.cri_key = malloc(crie.cri_klen / 8, M_XDATA,
M_WAITOK);
if ((error = copyin(sop->key, crie.cri_key,
crie.cri_klen / 8)))
goto bail;
if (thash)
crie.cri_next = &cria;
}
if (thash) {
cria.cri_alg = thash->type;
cria.cri_klen = sop->mackeylen * 8;
if (sop->mackeylen != thash->keysize) {
error = EINVAL;
goto bail;
}
if (cria.cri_klen) {
cria.cri_key = malloc(cria.cri_klen / 8,
M_XDATA, M_WAITOK);
if ((error = copyin(sop->mackey, cria.cri_key,
cria.cri_klen / 8)))
goto bail;
}
}
error = crypto_newsession(&sid, (txform ? &crie : &cria),
!cryptodevallowsoft);
if (error)
goto bail;
cse = csecreate(fcr, sid, crie.cri_key, crie.cri_klen,
cria.cri_key, cria.cri_klen, sop->cipher, sop->mac, txform,
thash);
if (cse == NULL) {
crypto_freesession(sid);
error = EINVAL;
goto bail;
}
sop->ses = cse->ses;
bail:
if (error) {
if (crie.cri_key) {
explicit_bzero(crie.cri_key, crie.cri_klen / 8);
free(crie.cri_key, M_XDATA, 0);
}
if (cria.cri_key) {
explicit_bzero(cria.cri_key, cria.cri_klen / 8);
free(cria.cri_key, M_XDATA, 0);
}
}
break;
case CIOCFSESSION:
ses = *(u_int32_t *)data;
cse = csefind(fcr, ses);
if (cse == NULL)
return (EINVAL);
csedelete(fcr, cse);
error = csefree(cse);
break;
case CIOCCRYPT:
cop = (struct crypt_op *)data;
cse = csefind(fcr, cop->ses);
if (cse == NULL)
return (EINVAL);
error = cryptodev_op(cse, cop, p);
break;
case CIOCKEY:
error = cryptodev_key((struct crypt_kop *)data);
break;
case CIOCASYMFEAT:
error = crypto_getfeat((int *)data);
break;
default:
error = EINVAL;
}
return (error);
}
/****************************************************************************
* Public Functions
****************************************************************************/
void devcrypto_register(void)
int
cryptodev_op(struct csession *cse, struct crypt_op *cop, struct proc *p)
{
register_driver("/dev/crypto", &g_cryptodevops, 0666, NULL);
struct cryptop *crp = NULL;
struct cryptodesc *crde = NULL, *crda = NULL;
int s, error;
u_int32_t hid;
if (cop->len > 64*1024-4)
return (E2BIG);
if (cse->txform) {
if (cop->len == 0 || (cop->len % cse->txform->blocksize) != 0)
return (EINVAL);
}
bzero(&cse->uio, sizeof(cse->uio));
cse->uio.uio_iovcnt = 1;
cse->uio.uio_segflg = UIO_SYSSPACE;
cse->uio.uio_rw = UIO_WRITE;
cse->uio.uio_procp = p;
cse->uio.uio_iov = cse->iovec;
bzero(&cse->iovec, sizeof(cse->iovec));
cse->uio.uio_iov[0].iov_len = cop->len;
cse->uio.uio_iov[0].iov_base = dma_alloc(cop->len, M_WAITOK);
cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len;
/* number of requests, not logical and */
crp = crypto_getreq((cse->txform != NULL) + (cse->thash != NULL));
if (crp == NULL) {
error = ENOMEM;
goto bail;
}
if (cse->thash) {
crda = crp->crp_desc;
if (cse->txform)
crde = crda->crd_next;
} else {
if (cse->txform)
crde = crp->crp_desc;
else {
error = EINVAL;
goto bail;
}
}
if ((error = copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len)))
goto bail;
if (crda) {
crda->crd_skip = 0;
crda->crd_len = cop->len;
crda->crd_inject = 0; /* ??? */
crda->crd_alg = cse->mac;
crda->crd_key = cse->mackey;
crda->crd_klen = cse->mackeylen * 8;
}
if (crde) {
if (cop->op == COP_ENCRYPT)
crde->crd_flags |= CRD_F_ENCRYPT;
else
crde->crd_flags &= ~CRD_F_ENCRYPT;
crde->crd_len = cop->len;
crde->crd_inject = 0;
crde->crd_alg = cse->cipher;
crde->crd_key = cse->key;
crde->crd_klen = cse->keylen * 8;
}
crp->crp_ilen = cop->len;
crp->crp_buf = (caddr_t)&cse->uio;
crp->crp_callback = cryptodev_cb;
crp->crp_sid = cse->sid;
crp->crp_opaque = cse;
if (cop->iv) {
if (crde == NULL) {
error = EINVAL;
goto bail;
}
if (cse->cipher == CRYPTO_ARC4) { /* XXX use flag? */
error = EINVAL;
goto bail;
}
if ((error = copyin(cop->iv, cse->tmp_iv, cse->txform->blocksize)))
goto bail;
bcopy(cse->tmp_iv, crde->crd_iv, cse->txform->blocksize);
crde->crd_flags |= CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT;
crde->crd_skip = 0;
} else if (cse->cipher == CRYPTO_ARC4) { /* XXX use flag? */
crde->crd_skip = 0;
} else if (crde) {
crde->crd_flags |= CRD_F_IV_PRESENT;
crde->crd_skip = cse->txform->blocksize;
crde->crd_len -= cse->txform->blocksize;
}
if (cop->mac) {
if (crda == NULL) {
error = EINVAL;
goto bail;
}
crp->crp_mac = cse->tmp_mac;
}
/* try the fast path first */
crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_NOQUEUE;
hid = (crp->crp_sid >> 32) & 0xffffffff;
if (hid >= crypto_drivers_num)
goto dispatch;
if (crypto_drivers[hid].cc_flags & CRYPTOCAP_F_SOFTWARE)
goto dispatch;
if (crypto_drivers[hid].cc_process == NULL)
goto dispatch;
error = crypto_drivers[hid].cc_process(crp);
if (error) {
/* clear error */
crp->crp_etype = 0;
goto dispatch;
}
goto processed;
dispatch:
crp->crp_flags = CRYPTO_F_IOV;
crypto_dispatch(crp);
processed:
s = splnet();
while (!(crp->crp_flags & CRYPTO_F_DONE)) {
error = tsleep(cse, PSOCK, "crydev", 0);
}
splx(s);
if (error) {
/* XXX can this happen? if so, how do we recover? */
goto bail;
}
if (cse->error) {
error = cse->error;
goto bail;
}
if (crp->crp_etype != 0) {
error = crp->crp_etype;
goto bail;
}
if (cop->dst &&
(error = copyout(cse->uio.uio_iov[0].iov_base, cop->dst, cop->len)))
goto bail;
if (cop->mac &&
(error = copyout(crp->crp_mac, cop->mac, cse->thash->authsize)))
goto bail;
bail:
if (crp)
crypto_freereq(crp);
if (cse->uio.uio_iov[0].iov_base)
dma_free(cse->uio.uio_iov[0].iov_base, cop->len);
return (error);
}
int
cryptodev_cb(struct cryptop *crp)
{
struct csession *cse = crp->crp_opaque;
cse->error = crp->crp_etype;
if (crp->crp_etype == EAGAIN) {
crp->crp_flags = CRYPTO_F_IOV;
return crypto_dispatch(crp);
}
wakeup(cse);
return (0);
}
int
cryptodevkey_cb(struct cryptkop *krp)
{
wakeup(krp);
return (0);
}
int
cryptodev_key(struct crypt_kop *kop)
{
struct cryptkop *krp = NULL;
int error = EINVAL;
int in, out, size, i;
if (kop->crk_iparams + kop->crk_oparams > CRK_MAXPARAM) {
return (EFBIG);
}
in = kop->crk_iparams;
out = kop->crk_oparams;
switch (kop->crk_op) {
case CRK_MOD_EXP:
if (in == 3 && out == 1)
break;
return (EINVAL);
case CRK_MOD_EXP_CRT:
if (in == 6 && out == 1)
break;
return (EINVAL);
case CRK_DSA_SIGN:
if (in == 5 && out == 2)
break;
return (EINVAL);
case CRK_DSA_VERIFY:
if (in == 7 && out == 0)
break;
return (EINVAL);
case CRK_DH_COMPUTE_KEY:
if (in == 3 && out == 1)
break;
return (EINVAL);
default:
return (EINVAL);
}
krp = malloc(sizeof *krp, M_XDATA, M_WAITOK | M_ZERO);
krp->krp_op = kop->crk_op;
krp->krp_status = kop->crk_status;
krp->krp_iparams = kop->crk_iparams;
krp->krp_oparams = kop->crk_oparams;
krp->krp_status = 0;
krp->krp_callback = cryptodevkey_cb;
for (i = 0; i < CRK_MAXPARAM; i++) {
krp->krp_param[i].crp_nbits = kop->crk_param[i].crp_nbits;
if (kop->crk_param[i].crp_nbits > 65536) {
/* XXX how big do we need to support? */
goto fail;
}
}
for (i = 0; i < krp->krp_iparams + krp->krp_oparams; i++) {
size = (krp->krp_param[i].crp_nbits + 7) / 8;
if (size == 0)
continue;
krp->krp_param[i].crp_p = malloc(size, M_XDATA, M_WAITOK);
if (i >= krp->krp_iparams)
continue;
error = copyin(kop->crk_param[i].crp_p, krp->krp_param[i].crp_p, size);
if (error)
goto fail;
}
error = crypto_kdispatch(krp);
if (error)
goto fail;
error = tsleep(krp, PSOCK, "crydev", 0);
if (error) {
/* XXX can this happen? if so, how do we recover? */
goto fail;
}
if (krp->krp_status != 0) {
error = krp->krp_status;
goto fail;
}
for (i = krp->krp_iparams; i < krp->krp_iparams + krp->krp_oparams; i++) {
size = (krp->krp_param[i].crp_nbits + 7) / 8;
if (size == 0)
continue;
error = copyout(krp->krp_param[i].crp_p, kop->crk_param[i].crp_p, size);
if (error)
goto fail;
}
fail:
if (krp) {
kop->crk_status = krp->krp_status;
for (i = 0; i < CRK_MAXPARAM; i++) {
if (krp->krp_param[i].crp_p) {
explicit_bzero(krp->krp_param[i].crp_p,
(krp->krp_param[i].crp_nbits + 7) / 8);
free(krp->krp_param[i].crp_p, M_XDATA, 0);
}
}
free(krp, M_XDATA, 0);
}
return (error);
}
/* ARGSUSED */
int
cryptof_poll(struct file *fp, int events, struct proc *p)
{
return (0);
}
/* ARGSUSED */
int
cryptof_kqfilter(struct file *fp, struct knote *kn)
{
return (0);
}
/* ARGSUSED */
int
cryptof_stat(struct file *fp, struct stat *sb, struct proc *p)
{
return (EOPNOTSUPP);
}
/* ARGSUSED */
int
cryptof_close(struct file *fp, struct proc *p)
{
struct fcrypt *fcr = fp->f_data;
struct csession *cse;
while ((cse = TAILQ_FIRST(&fcr->csessions))) {
TAILQ_REMOVE(&fcr->csessions, cse, next);
(void)csefree(cse);
}
free(fcr, M_XDATA, 0);
fp->f_data = NULL;
return 0;
}
void
cryptoattach(int n)
{
}
int
cryptoopen(dev_t dev, int flag, int mode, struct proc *p)
{
if (usercrypto == 0)
return (ENXIO);
#ifdef CRYPTO
return (0);
#else
return (ENXIO);
#endif
}
int
cryptoclose(dev_t dev, int flag, int mode, struct proc *p)
{
return (0);
}
int
cryptoioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
{
struct file *f;
struct fcrypt *fcr;
int fd, error;
switch (cmd) {
case CRIOGET:
fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK);
TAILQ_INIT(&fcr->csessions);
fcr->sesn = 0;
fdplock(p->p_fd);
error = falloc(p, &f, &fd);
fdpunlock(p->p_fd);
if (error) {
free(fcr, M_XDATA, 0);
return (error);
}
f->f_flag = FREAD | FWRITE;
f->f_type = DTYPE_CRYPTO;
f->f_ops = &cryptofops;
f->f_data = fcr;
*(u_int32_t *)data = fd;
FILE_SET_MATURE(f, p);
break;
default:
error = EINVAL;
break;
}
return (error);
}
struct csession *
csefind(struct fcrypt *fcr, u_int ses)
{
struct csession *cse;
TAILQ_FOREACH(cse, &fcr->csessions, next)
if (cse->ses == ses)
return (cse);
return (NULL);
}
int
csedelete(struct fcrypt *fcr, struct csession *cse_del)
{
struct csession *cse;
TAILQ_FOREACH(cse, &fcr->csessions, next) {
if (cse == cse_del) {
TAILQ_REMOVE(&fcr->csessions, cse, next);
return (1);
}
}
return (0);
}
struct csession *
cseadd(struct fcrypt *fcr, struct csession *cse)
{
TAILQ_INSERT_TAIL(&fcr->csessions, cse, next);
cse->ses = fcr->sesn++;
return (cse);
}
struct csession *
csecreate(struct fcrypt *fcr, u_int64_t sid, caddr_t key, u_int64_t keylen,
caddr_t mackey, u_int64_t mackeylen, u_int32_t cipher, u_int32_t mac,
struct enc_xform *txform, struct auth_hash *thash)
{
struct csession *cse;
cse = malloc(sizeof(struct csession), M_XDATA, M_NOWAIT);
if (cse == NULL)
return NULL;
cse->key = key;
cse->keylen = keylen/8;
cse->mackey = mackey;
cse->mackeylen = mackeylen/8;
cse->sid = sid;
cse->cipher = cipher;
cse->mac = mac;
cse->txform = txform;
cse->thash = thash;
cseadd(fcr, cse);
return (cse);
}
int
csefree(struct csession *cse)
{
int error;
error = crypto_freesession(cse->sid);
if (cse->key)
free(cse->key, M_XDATA, 0);
if (cse->mackey)
free(cse->mackey, M_XDATA, 0);
free(cse, M_XDATA, 0);
return (error);
}

1238
crypto/cryptosoft.c Normal file
View file

File diff suppressed because it is too large Load diff

161
crypto/des_locl.h Normal file
View file

@ -0,0 +1,161 @@
/* $OpenBSD: des_locl.h,v 1.7 2015/12/10 21:00:51 naddy Exp $ */
/* lib/des/des_locl.h */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#ifndef HEADER_DES_LOCL_H
#define HEADER_DES_LOCL_H
#include <sys/types.h>
#include <sys/systm.h>
typedef unsigned char des_cblock[8];
typedef struct des_ks_struct
{
union {
des_cblock cblock;
/* make sure things are correct size on machines with
* 8 byte longs */
int32_t pad[2];
} ks;
} des_key_schedule[16];
#define DES_KEY_SZ (sizeof(des_cblock))
#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
void des_encrypt2(u_int32_t *data,des_key_schedule ks, int enc);
#define ITERATIONS 16
#define HALF_ITERATIONS 8
#define c2l(c,l) (l =((u_int32_t)(*((c)++))) , \
l|=((u_int32_t)(*((c)++)))<< 8L, \
l|=((u_int32_t)(*((c)++)))<<16L, \
l|=((u_int32_t)(*((c)++)))<<24L)
#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
*((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
*((c)++)=(unsigned char)(((l)>>16L)&0xff), \
*((c)++)=(unsigned char)(((l)>>24L)&0xff))
#define D_ENCRYPT(Q,R,S) {\
u=(R^s[S ]); \
t=R^s[S+1]; \
t=((t>>4L)+(t<<28L)); \
Q^= des_SPtrans[1][(t )&0x3f]| \
des_SPtrans[3][(t>> 8L)&0x3f]| \
des_SPtrans[5][(t>>16L)&0x3f]| \
des_SPtrans[7][(t>>24L)&0x3f]| \
des_SPtrans[0][(u )&0x3f]| \
des_SPtrans[2][(u>> 8L)&0x3f]| \
des_SPtrans[4][(u>>16L)&0x3f]| \
des_SPtrans[6][(u>>24L)&0x3f]; }
/* IP and FP
* The problem is more of a geometric problem that random bit fiddling.
0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6
8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4
16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2
24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0
32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7
40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5
48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3
56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1
The output has been subject to swaps of the form
0 1 -> 3 1 but the odd and even bits have been put into
2 3 2 0
different words. The main trick is to remember that
t=((l>>size)^r)&(mask);
r^=t;
l^=(t<<size);
can be used to swap and move bits between words.
So l = 0 1 2 3 r = 16 17 18 19
4 5 6 7 20 21 22 23
8 9 10 11 24 25 26 27
12 13 14 15 28 29 30 31
becomes (for size == 2 and mask == 0x3333)
t = 2^16 3^17 -- -- l = 0 1 16 17 r = 2 3 18 19
6^20 7^21 -- -- 4 5 20 21 6 7 22 23
10^24 11^25 -- -- 8 9 24 25 10 11 24 25
14^28 15^29 -- -- 12 13 28 29 14 15 28 29
Thanks for hints from Richard Outerbridge - he told me IP&FP
could be done in 15 xor, 10 shifts and 5 ands.
When I finally started to think of the problem in 2D
I first got ~42 operations without xors. When I remembered
how to use xors :-) I got it to its final state.
*/
#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
(b)^=(t),\
(a)^=((t)<<(n)))
#define IP(l,r) \
{ \
register u_int32_t tt; \
PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
PERM_OP(l,r,tt,16,0x0000ffffL); \
PERM_OP(r,l,tt, 2,0x33333333L); \
PERM_OP(l,r,tt, 8,0x00ff00ffL); \
PERM_OP(r,l,tt, 1,0x55555555L); \
}
#define FP(l,r) \
{ \
register u_int32_t tt; \
PERM_OP(l,r,tt, 1,0x55555555L); \
PERM_OP(r,l,tt, 8,0x00ff00ffL); \
PERM_OP(l,r,tt, 2,0x33333333L); \
PERM_OP(r,l,tt,16,0x0000ffffL); \
PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
}
#endif

76
crypto/ecb3_enc.c Normal file
View file

@ -0,0 +1,76 @@
/* $OpenBSD: ecb3_enc.c,v 1.3 2013/11/18 18:49:53 brad Exp $ */
/* lib/des/ecb3_enc.c */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include "des_locl.h"
void
des_ecb3_encrypt(des_cblock (*input), des_cblock (*output),
des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3,
int encrypt)
{
register u_int32_t l0, l1;
register unsigned char *in, *out;
u_int32_t ll[2];
in = (unsigned char *) input;
out = (unsigned char *) output;
c2l(in, l0);
c2l(in, l1);
IP(l0, l1);
ll[0] = l0;
ll[1] = l1;
des_encrypt2(ll, ks1, encrypt);
des_encrypt2(ll, ks2, !encrypt);
des_encrypt2(ll, ks3, encrypt);
l0 = ll[0];
l1 = ll[1];
FP(l1, l0);
l2c(l0, out);
l2c(l1, out);
}

102
crypto/ecb_enc.c Normal file
View file

@ -0,0 +1,102 @@
/* $OpenBSD: ecb_enc.c,v 1.6 2015/12/10 21:00:51 naddy Exp $ */
/* lib/des/ecb_enc.c */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include "des_locl.h"
#include "spr.h"
void
des_encrypt2(u_int32_t *data, des_key_schedule ks, int encrypt)
{
register u_int32_t l, r, t, u;
#ifdef DES_USE_PTR
register unsigned char *des_SP=(unsigned char *)des_SPtrans;
#endif
register int i;
register u_int32_t *s;
u = data[0];
r = data[1];
/* Things have been modified so that the initial rotate is
* done outside the loop. This required the
* des_SPtrans values in sp.h to be rotated 1 bit to the right.
* One perl script later and things have a 5% speed up on a sparc2.
* Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
* for pointing this out. */
l = (r << 1) | (r >> 31);
r = (u << 1) | (u >> 31);
/* clear the top bits on machines with 8byte longs */
l &= 0xffffffffL;
r &= 0xffffffffL;
s = (u_int32_t *) ks;
/* I don't know if it is worth the effort of loop unrolling the
* inner loop */
if (encrypt) {
for (i = 0; i < 32; i += 4) {
D_ENCRYPT(l, r, i + 0); /* 1 */
D_ENCRYPT(r, l, i + 2); /* 2 */
}
} else {
for (i = 30; i > 0; i -= 4) {
D_ENCRYPT(l, r, i - 0); /* 16 */
D_ENCRYPT(r, l, i - 2); /* 15 */
}
}
l = (l >> 1) | (l << 31);
r = (r >> 1) | (r << 31);
/* clear the top bits on machines with 8byte longs */
l &= 0xffffffffL;
r &= 0xffffffffL;
data[0] = l;
data[1] = r;
l = r = t = u = 0;
}

168
crypto/gmac.c Normal file
View file

@ -0,0 +1,168 @@
/* $OpenBSD: gmac.c,v 1.10 2017/05/02 11:44:32 mikeb Exp $ */
/*
* Copyright (c) 2010 Mike Belopuhov
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* This code implements the Message Authentication part of the
* Galois/Counter Mode (as being described in the RFC 4543) using
* the AES cipher. FIPS SP 800-38D describes the algorithm details.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/aes.h>
#include <crypto/gmac.h>
void ghash_gfmul(uint32_t *, uint32_t *, uint32_t *);
void ghash_update_mi(GHASH_CTX *, uint8_t *, size_t);
/* Allow overriding with optimized MD function */
void (*ghash_update)(GHASH_CTX *, uint8_t *, size_t) = ghash_update_mi;
/* Computes a block multiplication in the GF(2^128) */
void
ghash_gfmul(uint32_t *X, uint32_t *Y, uint32_t *product)
{
uint32_t v[4];
uint32_t z[4] = { 0, 0, 0, 0};
uint8_t *x = (uint8_t *)X;
uint32_t mask;
int i;
v[0] = betoh32(Y[0]);
v[1] = betoh32(Y[1]);
v[2] = betoh32(Y[2]);
v[3] = betoh32(Y[3]);
for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) {
/* update Z */
mask = !!(x[i >> 3] & (1 << (~i & 7)));
mask = ~(mask - 1);
z[0] ^= v[0] & mask;
z[1] ^= v[1] & mask;
z[2] ^= v[2] & mask;
z[3] ^= v[3] & mask;
/* update V */
mask = ~((v[3] & 1) - 1);
v[3] = (v[2] << 31) | (v[3] >> 1);
v[2] = (v[1] << 31) | (v[2] >> 1);
v[1] = (v[0] << 31) | (v[1] >> 1);
v[0] = (v[0] >> 1) ^ (0xe1000000 & mask);
}
product[0] = htobe32(z[0]);
product[1] = htobe32(z[1]);
product[2] = htobe32(z[2]);
product[3] = htobe32(z[3]);
}
void
ghash_update_mi(GHASH_CTX *ctx, uint8_t *X, size_t len)
{
uint32_t *x = (uint32_t *)X;
uint32_t *s = (uint32_t *)ctx->S;
uint32_t *y = (uint32_t *)ctx->Z;
int i;
for (i = 0; i < len / GMAC_BLOCK_LEN; i++) {
s[0] = y[0] ^ x[0];
s[1] = y[1] ^ x[1];
s[2] = y[2] ^ x[2];
s[3] = y[3] ^ x[3];
ghash_gfmul((uint32_t *)ctx->S, (uint32_t *)ctx->H,
(uint32_t *)ctx->S);
y = s;
x += 4;
}
bcopy(ctx->S, ctx->Z, GMAC_BLOCK_LEN);
}
#define AESCTR_NONCESIZE 4
void
AES_GMAC_Init(void *xctx)
{
AES_GMAC_CTX *ctx = xctx;
bzero(ctx->ghash.H, GMAC_BLOCK_LEN);
bzero(ctx->ghash.S, GMAC_BLOCK_LEN);
bzero(ctx->ghash.Z, GMAC_BLOCK_LEN);
bzero(ctx->J, GMAC_BLOCK_LEN);
}
void
AES_GMAC_Setkey(void *xctx, const uint8_t *key, uint16_t klen)
{
AES_GMAC_CTX *ctx = xctx;
AES_Setkey(&ctx->K, key, klen - AESCTR_NONCESIZE);
/* copy out salt to the counter block */
bcopy(key + klen - AESCTR_NONCESIZE, ctx->J, AESCTR_NONCESIZE);
/* prepare a hash subkey */
AES_Encrypt(&ctx->K, ctx->ghash.H, ctx->ghash.H);
}
void
AES_GMAC_Reinit(void *xctx, const uint8_t *iv, uint16_t ivlen)
{
AES_GMAC_CTX *ctx = xctx;
/* copy out IV to the counter block */
bcopy(iv, ctx->J + AESCTR_NONCESIZE, ivlen);
}
int
AES_GMAC_Update(void *xctx, const uint8_t *data, uint16_t len)
{
AES_GMAC_CTX *ctx = xctx;
uint32_t blk[4] = { 0, 0, 0, 0 };
int plen;
if (len > 0) {
plen = len % GMAC_BLOCK_LEN;
if (len >= GMAC_BLOCK_LEN)
(*ghash_update)(&ctx->ghash, (uint8_t *)data,
len - plen);
if (plen) {
memcpy((uint8_t *)blk, (uint8_t *)data + (len - plen),
plen);
(*ghash_update)(&ctx->ghash, (uint8_t *)blk,
GMAC_BLOCK_LEN);
}
}
return (0);
}
void
AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], void *xctx)
{
AES_GMAC_CTX *ctx = xctx;
uint8_t keystream[GMAC_BLOCK_LEN];
int i;
/* do one round of GCTR */
ctx->J[GMAC_BLOCK_LEN - 1] = 1;
AES_Encrypt(&ctx->K, ctx->J, keystream);
for (i = 0; i < GMAC_DIGEST_LEN; i++)
digest[i] = ctx->ghash.S[i] ^ keystream[i];
explicit_bzero(keystream, sizeof(keystream));
}

192
crypto/hmac.c Normal file
View file

@ -0,0 +1,192 @@
/* $OpenBSD: hmac.c,v 1.4 2016/09/19 18:09:40 tedu Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* This code implements the HMAC algorithm described in RFC 2104 using
* the MD5, SHA1 and SHA-256 hash functions.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/md5.h>
#include <crypto/sha1.h>
#include <crypto/sha2.h>
#include <crypto/hmac.h>
void
HMAC_MD5_Init(HMAC_MD5_CTX *ctx, const u_int8_t *key, u_int key_len)
{
u_int8_t k_ipad[MD5_BLOCK_LENGTH];
int i;
if (key_len > MD5_BLOCK_LENGTH) {
MD5Init(&ctx->ctx);
MD5Update(&ctx->ctx, key, key_len);
MD5Final(ctx->key, &ctx->ctx);
ctx->key_len = MD5_DIGEST_LENGTH;
} else {
bcopy(key, ctx->key, key_len);
ctx->key_len = key_len;
}
bzero(k_ipad, MD5_BLOCK_LENGTH);
memcpy(k_ipad, ctx->key, ctx->key_len);
for (i = 0; i < MD5_BLOCK_LENGTH; i++)
k_ipad[i] ^= 0x36;
MD5Init(&ctx->ctx);
MD5Update(&ctx->ctx, k_ipad, MD5_BLOCK_LENGTH);
explicit_bzero(k_ipad, sizeof k_ipad);
}
void
HMAC_MD5_Update(HMAC_MD5_CTX *ctx, const u_int8_t *data, u_int len)
{
MD5Update(&ctx->ctx, data, len);
}
void
HMAC_MD5_Final(u_int8_t digest[MD5_DIGEST_LENGTH], HMAC_MD5_CTX *ctx)
{
u_int8_t k_opad[MD5_BLOCK_LENGTH];
int i;
MD5Final(digest, &ctx->ctx);
bzero(k_opad, MD5_BLOCK_LENGTH);
memcpy(k_opad, ctx->key, ctx->key_len);
for (i = 0; i < MD5_BLOCK_LENGTH; i++)
k_opad[i] ^= 0x5c;
MD5Init(&ctx->ctx);
MD5Update(&ctx->ctx, k_opad, MD5_BLOCK_LENGTH);
MD5Update(&ctx->ctx, digest, MD5_DIGEST_LENGTH);
MD5Final(digest, &ctx->ctx);
explicit_bzero(k_opad, sizeof k_opad);
}
void
HMAC_SHA1_Init(HMAC_SHA1_CTX *ctx, const u_int8_t *key, u_int key_len)
{
u_int8_t k_ipad[SHA1_BLOCK_LENGTH];
int i;
if (key_len > SHA1_BLOCK_LENGTH) {
SHA1Init(&ctx->ctx);
SHA1Update(&ctx->ctx, key, key_len);
SHA1Final(ctx->key, &ctx->ctx);
ctx->key_len = SHA1_DIGEST_LENGTH;
} else {
bcopy(key, ctx->key, key_len);
ctx->key_len = key_len;
}
bzero(k_ipad, SHA1_BLOCK_LENGTH);
memcpy(k_ipad, ctx->key, ctx->key_len);
for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
k_ipad[i] ^= 0x36;
SHA1Init(&ctx->ctx);
SHA1Update(&ctx->ctx, k_ipad, SHA1_BLOCK_LENGTH);
explicit_bzero(k_ipad, sizeof k_ipad);
}
void
HMAC_SHA1_Update(HMAC_SHA1_CTX *ctx, const u_int8_t *data, u_int len)
{
SHA1Update(&ctx->ctx, data, len);
}
void
HMAC_SHA1_Final(u_int8_t digest[SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *ctx)
{
u_int8_t k_opad[SHA1_BLOCK_LENGTH];
int i;
SHA1Final(digest, &ctx->ctx);
bzero(k_opad, SHA1_BLOCK_LENGTH);
memcpy(k_opad, ctx->key, ctx->key_len);
for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
k_opad[i] ^= 0x5c;
SHA1Init(&ctx->ctx);
SHA1Update(&ctx->ctx, k_opad, SHA1_BLOCK_LENGTH);
SHA1Update(&ctx->ctx, digest, SHA1_DIGEST_LENGTH);
SHA1Final(digest, &ctx->ctx);
explicit_bzero(k_opad, sizeof k_opad);
}
void
HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const u_int8_t *key, u_int key_len)
{
u_int8_t k_ipad[SHA256_BLOCK_LENGTH];
int i;
if (key_len > SHA256_BLOCK_LENGTH) {
SHA256Init(&ctx->ctx);
SHA256Update(&ctx->ctx, key, key_len);
SHA256Final(ctx->key, &ctx->ctx);
ctx->key_len = SHA256_DIGEST_LENGTH;
} else {
bcopy(key, ctx->key, key_len);
ctx->key_len = key_len;
}
bzero(k_ipad, SHA256_BLOCK_LENGTH);
memcpy(k_ipad, ctx->key, ctx->key_len);
for (i = 0; i < SHA256_BLOCK_LENGTH; i++)
k_ipad[i] ^= 0x36;
SHA256Init(&ctx->ctx);
SHA256Update(&ctx->ctx, k_ipad, SHA256_BLOCK_LENGTH);
explicit_bzero(k_ipad, sizeof k_ipad);
}
void
HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const u_int8_t *data, u_int len)
{
SHA256Update(&ctx->ctx, data, len);
}
void
HMAC_SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *ctx)
{
u_int8_t k_opad[SHA256_BLOCK_LENGTH];
int i;
SHA256Final(digest, &ctx->ctx);
bzero(k_opad, SHA256_BLOCK_LENGTH);
memcpy(k_opad, ctx->key, ctx->key_len);
for (i = 0; i < SHA256_BLOCK_LENGTH; i++)
k_opad[i] ^= 0x5c;
SHA256Init(&ctx->ctx);
SHA256Update(&ctx->ctx, k_opad, SHA256_BLOCK_LENGTH);
SHA256Update(&ctx->ctx, digest, SHA256_DIGEST_LENGTH);
SHA256Final(digest, &ctx->ctx);
explicit_bzero(k_opad, sizeof k_opad);
}

138
crypto/idgen.c Normal file
View file

@ -0,0 +1,138 @@
/* $OpenBSD: idgen.c,v 1.8 2020/07/22 13:54:30 tobhe Exp $ */
/*
* Copyright (c) 2008 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* IDGEN32: non-repeating ID generation covering an almost maximal 32-bit
* range.
*
* IDGEN32 is based on public domain SKIP32 by Greg Rose.
*/
#include <sys/types.h>
#include <sys/systm.h>
#include <sys/time.h>
#include <crypto/idgen.h>
static const u_int8_t idgen32_ftable[256] = {
0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4,
0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9,
0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e,
0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28,
0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68,
0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53,
0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19,
0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2,
0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b,
0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8,
0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0,
0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90,
0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69,
0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76,
0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20,
0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d,
0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43,
0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18,
0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa,
0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4,
0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87,
0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40,
0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b,
0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5,
0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0,
0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2,
0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1,
0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8,
0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5,
0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac,
0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3,
0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46
};
static u_int16_t
idgen32_g(u_int8_t *key, int k, u_int16_t w)
{
u_int8_t g1, g2, g3, g4, g5, g6;
u_int o = k * 4;
g1 = (w >> 8) & 0xff;
g2 = w & 0xff;
g3 = idgen32_ftable[g2 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g1;
g4 = idgen32_ftable[g3 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g2;
g5 = idgen32_ftable[g4 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g3;
g6 = idgen32_ftable[g5 ^ key[o++ & (IDGEN32_KEYLEN - 1)]] ^ g4;
return (g5 << 8) | g6;
}
static u_int32_t
idgen32_permute(struct idgen32_ctx *ctx, u_int32_t in)
{
u_int i, r;
u_int16_t wl, wr;
wl = (in >> 16) & 0x7fff;
wr = in & 0xffff;
/* Doubled up rounds, with an odd round at the end to swap */
for (i = r = 0; i < IDGEN32_ROUNDS / 2; ++i) {
wr ^= (idgen32_g(ctx->id32_key, r, wl) ^ r);
r++;
wl ^= (idgen32_g(ctx->id32_key, r, wr) ^ r) & 0x7fff;
r++;
}
wr ^= (idgen32_g(ctx->id32_key, r, wl) ^ r);
return (wl << 16) | wr;
}
static void
idgen32_rekey(struct idgen32_ctx *ctx)
{
ctx->id32_counter = 0;
ctx->id32_hibit ^= 0x80000000;
ctx->id32_offset = arc4random();
arc4random_buf(ctx->id32_key, sizeof(ctx->id32_key));
ctx->id32_rekey_time = getuptime() + IDGEN32_REKEY_TIME;
}
void
idgen32_init(struct idgen32_ctx *ctx)
{
bzero(ctx, sizeof(*ctx));
ctx->id32_hibit = arc4random() & 0x80000000;
idgen32_rekey(ctx);
}
u_int32_t
idgen32(struct idgen32_ctx *ctx)
{
u_int32_t ret;
do {
/* Rekey a little early to avoid "card counting" attack */
if (ctx->id32_counter > IDGEN32_REKEY_LIMIT ||
ctx->id32_rekey_time < getuptime())
idgen32_rekey(ctx);
ret = ctx->id32_hibit | idgen32_permute(ctx,
(ctx->id32_offset + ctx->id32_counter++) & 0x7fffffff);
} while (ret == 0); /* Zero IDs are often special, so avoid */
return ret;
}

112
crypto/key_wrap.c Normal file
View file

@ -0,0 +1,112 @@
/* $OpenBSD: key_wrap.c,v 1.5 2017/05/02 17:07:06 mikeb Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* This code implements the AES Key Wrap algorithm described in RFC 3394.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/aes.h>
#include <crypto/key_wrap.h>
static const u_int8_t IV[8] =
{ 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 };
void
aes_key_wrap_set_key(aes_key_wrap_ctx *ctx, const u_int8_t *K, size_t K_len)
{
AES_Setkey(&ctx->ctx, K, K_len);
}
void
aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *ctx, const u_int8_t *K,
size_t K_len)
{
AES_Setkey(&ctx->ctx, K, K_len);
}
void
aes_key_wrap(aes_key_wrap_ctx *ctx, const u_int8_t *P, size_t n, u_int8_t *C)
{
u_int64_t B[2], t;
u_int8_t *A, *R;
size_t i;
int j;
memmove(C + 8, P, n * 8); /* P and C may overlap */
A = C; /* A points to C[0] */
memcpy(A, IV, 8); /* A = IV, an initial value */
for (j = 0, t = 1; j <= 5; j++) {
R = C + 8;
for (i = 1; i <= n; i++, t++) {
/* B = A | R[i] */
memcpy(&B[0], A, 8);
memcpy(&B[1], R, 8);
/* B = AES(K, B) */
AES_Encrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B);
/* MSB(64, B) = MSB(64, B) ^ t */
B[0] ^= htobe64(t);
/* A = MSB(64, B) */
memcpy(A, &B[0], 8);
/* R[i] = LSB(64, B) */
memcpy(R, &B[1], 8);
R += 8;
}
}
explicit_bzero(B, sizeof B);
}
int
aes_key_unwrap(aes_key_wrap_ctx *ctx, const u_int8_t *C, u_int8_t *P, size_t n)
{
u_int64_t B[2], t;
u_int8_t A[8], *R;
size_t i;
int j;
memcpy(A, C, 8); /* A = C[0] */
memmove(P, C + 8, n * 8); /* P and C may overlap */
for (j = 5, t = 6 * n; j >= 0; j--) {
R = P + (n - 1) * 8;
for (i = n; i >= 1; i--, t--) {
/* MSB(64, B) = A */
memcpy(&B[0], A, 8);
/* MSB(64, B) = MSB(64, B) ^ t */
B[0] ^= htobe64(t);
/* B = MSB(64, B) | R[i] */
memcpy(&B[1], R, 8);
/* B = AES-1(K, B) */
AES_Decrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B);
/* A = MSB(64, B) */
memcpy(A, &B[0], 8);
/* R[i] = LSB(64, B) */
memcpy(R, &B[1], 8);
R -= 8;
}
}
explicit_bzero(B, sizeof B);
/* check that A is an appropriate initial value */
return timingsafe_bcmp(A, IV, 8) != 0;
}

238
crypto/md5.c Normal file
View file

@ -0,0 +1,238 @@
/* $OpenBSD: md5.c,v 1.4 2014/12/28 10:04:35 tedu Exp $ */
/*
* This code implements the MD5 message-digest algorithm.
* The algorithm is due to Ron Rivest. This code was
* written by Colin Plumb in 1993, no copyright is claimed.
* This code is in the public domain; do with it what you wish.
*
* Equivalent code is available from RSA Data Security, Inc.
* This code has been tested against that, and is equivalent,
* except that you don't need to include two pages of legalese
* with every copy.
*
* To compute the message digest of a chunk of bytes, declare an
* MD5Context structure, pass it to MD5Init, call MD5Update as
* needed on buffers full of bytes, and then call MD5Final, which
* will fill a supplied 16-byte array with the digest.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/md5.h>
#define PUT_64BIT_LE(cp, value) do { \
(cp)[7] = (value) >> 56; \
(cp)[6] = (value) >> 48; \
(cp)[5] = (value) >> 40; \
(cp)[4] = (value) >> 32; \
(cp)[3] = (value) >> 24; \
(cp)[2] = (value) >> 16; \
(cp)[1] = (value) >> 8; \
(cp)[0] = (value); } while (0)
#define PUT_32BIT_LE(cp, value) do { \
(cp)[3] = (value) >> 24; \
(cp)[2] = (value) >> 16; \
(cp)[1] = (value) >> 8; \
(cp)[0] = (value); } while (0)
static u_int8_t PADDING[MD5_BLOCK_LENGTH] = {
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/*
* Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
* initialization constants.
*/
void
MD5Init(MD5_CTX *ctx)
{
ctx->count = 0;
ctx->state[0] = 0x67452301;
ctx->state[1] = 0xefcdab89;
ctx->state[2] = 0x98badcfe;
ctx->state[3] = 0x10325476;
}
/*
* Update context to reflect the concatenation of another buffer full
* of bytes.
*/
void
MD5Update(MD5_CTX *ctx, const void *inputptr, size_t len)
{
const uint8_t *input = inputptr;
size_t have, need;
/* Check how many bytes we already have and how many more we need. */
have = (size_t)((ctx->count >> 3) & (MD5_BLOCK_LENGTH - 1));
need = MD5_BLOCK_LENGTH - have;
/* Update bitcount */
ctx->count += (u_int64_t)len << 3;
if (len >= need) {
if (have != 0) {
memcpy(ctx->buffer + have, input, need);
MD5Transform(ctx->state, ctx->buffer);
input += need;
len -= need;
have = 0;
}
/* Process data in MD5_BLOCK_LENGTH-byte chunks. */
while (len >= MD5_BLOCK_LENGTH) {
MD5Transform(ctx->state, input);
input += MD5_BLOCK_LENGTH;
len -= MD5_BLOCK_LENGTH;
}
}
/* Handle any remaining bytes of data. */
if (len != 0)
memcpy(ctx->buffer + have, input, len);
}
/*
* Final wrapup - pad to 64-byte boundary with the bit pattern
* 1 0* (64-bit count of bits processed, MSB-first)
*/
void
MD5Final(unsigned char digest[MD5_DIGEST_LENGTH], MD5_CTX *ctx)
{
u_int8_t count[8];
size_t padlen;
int i;
/* Convert count to 8 bytes in little endian order. */
PUT_64BIT_LE(count, ctx->count);
/* Pad out to 56 mod 64. */
padlen = MD5_BLOCK_LENGTH -
((ctx->count >> 3) & (MD5_BLOCK_LENGTH - 1));
if (padlen < 1 + 8)
padlen += MD5_BLOCK_LENGTH;
MD5Update(ctx, PADDING, padlen - 8); /* padlen - 8 <= 64 */
MD5Update(ctx, count, 8);
for (i = 0; i < 4; i++)
PUT_32BIT_LE(digest + i * 4, ctx->state[i]);
explicit_bzero(ctx, sizeof(*ctx)); /* in case it's sensitive */
}
/* The four core functions - F1 is optimized somewhat */
/* #define F1(x, y, z) (x & y | ~x & z) */
#define F1(x, y, z) (z ^ (x & (y ^ z)))
#define F2(x, y, z) F1(z, x, y)
#define F3(x, y, z) (x ^ y ^ z)
#define F4(x, y, z) (y ^ (x | ~z))
/* This is the central step in the MD5 algorithm. */
#define MD5STEP(f, w, x, y, z, data, s) \
( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
/*
* The core of the MD5 algorithm, this alters an existing MD5 hash to
* reflect the addition of 16 longwords of new data. MD5Update blocks
* the data and converts bytes into longwords for this routine.
*/
void
MD5Transform(u_int32_t state[4], const u_int8_t block[MD5_BLOCK_LENGTH])
{
u_int32_t a, b, c, d, in[MD5_BLOCK_LENGTH / 4];
#if BYTE_ORDER == LITTLE_ENDIAN
memcpy(in, block, sizeof(in));
#else
for (a = 0; a < MD5_BLOCK_LENGTH / 4; a++) {
in[a] = (u_int32_t)(
(u_int32_t)(block[a * 4 + 0]) |
(u_int32_t)(block[a * 4 + 1]) << 8 |
(u_int32_t)(block[a * 4 + 2]) << 16 |
(u_int32_t)(block[a * 4 + 3]) << 24);
}
#endif
a = state[0];
b = state[1];
c = state[2];
d = state[3];
MD5STEP(F1, a, b, c, d, in[ 0] + 0xd76aa478, 7);
MD5STEP(F1, d, a, b, c, in[ 1] + 0xe8c7b756, 12);
MD5STEP(F1, c, d, a, b, in[ 2] + 0x242070db, 17);
MD5STEP(F1, b, c, d, a, in[ 3] + 0xc1bdceee, 22);
MD5STEP(F1, a, b, c, d, in[ 4] + 0xf57c0faf, 7);
MD5STEP(F1, d, a, b, c, in[ 5] + 0x4787c62a, 12);
MD5STEP(F1, c, d, a, b, in[ 6] + 0xa8304613, 17);
MD5STEP(F1, b, c, d, a, in[ 7] + 0xfd469501, 22);
MD5STEP(F1, a, b, c, d, in[ 8] + 0x698098d8, 7);
MD5STEP(F1, d, a, b, c, in[ 9] + 0x8b44f7af, 12);
MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
MD5STEP(F2, a, b, c, d, in[ 1] + 0xf61e2562, 5);
MD5STEP(F2, d, a, b, c, in[ 6] + 0xc040b340, 9);
MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
MD5STEP(F2, b, c, d, a, in[ 0] + 0xe9b6c7aa, 20);
MD5STEP(F2, a, b, c, d, in[ 5] + 0xd62f105d, 5);
MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
MD5STEP(F2, b, c, d, a, in[ 4] + 0xe7d3fbc8, 20);
MD5STEP(F2, a, b, c, d, in[ 9] + 0x21e1cde6, 5);
MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
MD5STEP(F2, c, d, a, b, in[ 3] + 0xf4d50d87, 14);
MD5STEP(F2, b, c, d, a, in[ 8] + 0x455a14ed, 20);
MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
MD5STEP(F2, d, a, b, c, in[ 2] + 0xfcefa3f8, 9);
MD5STEP(F2, c, d, a, b, in[ 7] + 0x676f02d9, 14);
MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
MD5STEP(F3, a, b, c, d, in[ 5] + 0xfffa3942, 4);
MD5STEP(F3, d, a, b, c, in[ 8] + 0x8771f681, 11);
MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
MD5STEP(F3, a, b, c, d, in[ 1] + 0xa4beea44, 4);
MD5STEP(F3, d, a, b, c, in[ 4] + 0x4bdecfa9, 11);
MD5STEP(F3, c, d, a, b, in[ 7] + 0xf6bb4b60, 16);
MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
MD5STEP(F3, d, a, b, c, in[ 0] + 0xeaa127fa, 11);
MD5STEP(F3, c, d, a, b, in[ 3] + 0xd4ef3085, 16);
MD5STEP(F3, b, c, d, a, in[ 6] + 0x04881d05, 23);
MD5STEP(F3, a, b, c, d, in[ 9] + 0xd9d4d039, 4);
MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
MD5STEP(F3, b, c, d, a, in[2 ] + 0xc4ac5665, 23);
MD5STEP(F4, a, b, c, d, in[ 0] + 0xf4292244, 6);
MD5STEP(F4, d, a, b, c, in[7 ] + 0x432aff97, 10);
MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
MD5STEP(F4, b, c, d, a, in[5 ] + 0xfc93a039, 21);
MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
MD5STEP(F4, d, a, b, c, in[3 ] + 0x8f0ccc92, 10);
MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
MD5STEP(F4, b, c, d, a, in[1 ] + 0x85845dd1, 21);
MD5STEP(F4, a, b, c, d, in[8 ] + 0x6fa87e4f, 6);
MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
MD5STEP(F4, c, d, a, b, in[6 ] + 0xa3014314, 15);
MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
MD5STEP(F4, a, b, c, d, in[4 ] + 0xf7537e82, 6);
MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
MD5STEP(F4, c, d, a, b, in[2 ] + 0x2ad7d2bb, 15);
MD5STEP(F4, b, c, d, a, in[9 ] + 0xeb86d391, 21);
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
}

66
crypto/podd.h Normal file
View file

@ -0,0 +1,66 @@
/* $OpenBSD: podd.h,v 1.1 2000/02/28 23:13:05 deraadt Exp $ */
/* lib/des/podd.h */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
static const unsigned char odd_parity[256]={
1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};

301
crypto/poly1305.c Normal file
View file

@ -0,0 +1,301 @@
/* $OpenBSD: poly1305.c,v 1.2 2020/07/22 13:54:30 tobhe Exp $ */
/*
* Public Domain poly1305 from Andrew Moon
* Based on poly1305-donna.c, poly1305-donna-32.h and poly1305-donna.h from:
* https://github.com/floodyberry/poly1305-donna
*/
#include <sys/types.h>
#include <sys/systm.h>
#include "poly1305.h"
/*
* poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication
* and 64 bit addition.
*/
/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */
static unsigned long
U8TO32(const unsigned char *p)
{
return (((unsigned long)(p[0] & 0xff)) |
((unsigned long)(p[1] & 0xff) << 8) |
((unsigned long)(p[2] & 0xff) << 16) |
((unsigned long)(p[3] & 0xff) << 24));
}
/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */
static void
U32TO8(unsigned char *p, unsigned long v)
{
p[0] = (v) & 0xff;
p[1] = (v >> 8) & 0xff;
p[2] = (v >> 16) & 0xff;
p[3] = (v >> 24) & 0xff;
}
void
poly1305_init(poly1305_state *st, const unsigned char key[32])
{
/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
st->r[0] = (U8TO32(&key[0])) & 0x3ffffff;
st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03;
st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff;
st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff;
st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
/* h = 0 */
st->h[0] = 0;
st->h[1] = 0;
st->h[2] = 0;
st->h[3] = 0;
st->h[4] = 0;
/* save pad for later */
st->pad[0] = U8TO32(&key[16]);
st->pad[1] = U8TO32(&key[20]);
st->pad[2] = U8TO32(&key[24]);
st->pad[3] = U8TO32(&key[28]);
st->leftover = 0;
st->final = 0;
}
static void
poly1305_blocks(poly1305_state *st, const unsigned char *m, size_t bytes)
{
const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */
unsigned long r0, r1, r2, r3, r4;
unsigned long s1, s2, s3, s4;
unsigned long h0, h1, h2, h3, h4;
unsigned long long d0, d1, d2, d3, d4;
unsigned long c;
r0 = st->r[0];
r1 = st->r[1];
r2 = st->r[2];
r3 = st->r[3];
r4 = st->r[4];
s1 = r1 * 5;
s2 = r2 * 5;
s3 = r3 * 5;
s4 = r4 * 5;
h0 = st->h[0];
h1 = st->h[1];
h2 = st->h[2];
h3 = st->h[3];
h4 = st->h[4];
while (bytes >= poly1305_block_size) {
/* h += m[i] */
h0 += (U8TO32(m + 0)) & 0x3ffffff;
h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff;
h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff;
h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff;
h4 += (U8TO32(m + 12) >> 8) | hibit;
/* h *= r */
d0 = ((unsigned long long)h0 * r0) +
((unsigned long long)h1 * s4) +
((unsigned long long)h2 * s3) +
((unsigned long long)h3 * s2) +
((unsigned long long)h4 * s1);
d1 = ((unsigned long long)h0 * r1) +
((unsigned long long)h1 * r0) +
((unsigned long long)h2 * s4) +
((unsigned long long)h3 * s3) +
((unsigned long long)h4 * s2);
d2 = ((unsigned long long)h0 * r2) +
((unsigned long long)h1 * r1) +
((unsigned long long)h2 * r0) +
((unsigned long long)h3 * s4) +
((unsigned long long)h4 * s3);
d3 = ((unsigned long long)h0 * r3) +
((unsigned long long)h1 * r2) +
((unsigned long long)h2 * r1) +
((unsigned long long)h3 * r0) +
((unsigned long long)h4 * s4);
d4 = ((unsigned long long)h0 * r4) +
((unsigned long long)h1 * r3) +
((unsigned long long)h2 * r2) +
((unsigned long long)h3 * r1) +
((unsigned long long)h4 * r0);
/* (partial) h %= p */
c = (unsigned long)(d0 >> 26);
h0 = (unsigned long)d0 & 0x3ffffff;
d1 += c;
c = (unsigned long)(d1 >> 26);
h1 = (unsigned long)d1 & 0x3ffffff;
d2 += c;
c = (unsigned long)(d2 >> 26);
h2 = (unsigned long)d2 & 0x3ffffff;
d3 += c;
c = (unsigned long)(d3 >> 26);
h3 = (unsigned long)d3 & 0x3ffffff;
d4 += c;
c = (unsigned long)(d4 >> 26);
h4 = (unsigned long)d4 & 0x3ffffff;
h0 += c * 5;
c = (h0 >> 26);
h0 = h0 & 0x3ffffff;
h1 += c;
m += poly1305_block_size;
bytes -= poly1305_block_size;
}
st->h[0] = h0;
st->h[1] = h1;
st->h[2] = h2;
st->h[3] = h3;
st->h[4] = h4;
}
void
poly1305_update(poly1305_state *st, const unsigned char *m, size_t bytes)
{
size_t i;
/* handle leftover */
if (st->leftover) {
size_t want = (poly1305_block_size - st->leftover);
if (want > bytes)
want = bytes;
for (i = 0; i < want; i++)
st->buffer[st->leftover + i] = m[i];
bytes -= want;
m += want;
st->leftover += want;
if (st->leftover < poly1305_block_size)
return;
poly1305_blocks(st, st->buffer, poly1305_block_size);
st->leftover = 0;
}
/* process full blocks */
if (bytes >= poly1305_block_size) {
size_t want = (bytes & ~(poly1305_block_size - 1));
poly1305_blocks(st, m, want);
m += want;
bytes -= want;
}
/* store leftover */
if (bytes) {
for (i = 0; i < bytes; i++)
st->buffer[st->leftover + i] = m[i];
st->leftover += bytes;
}
}
void
poly1305_finish(poly1305_state *st, unsigned char mac[16])
{
unsigned long h0, h1, h2, h3, h4, c;
unsigned long g0, g1, g2, g3, g4;
unsigned long long f;
unsigned long mask;
/* process the remaining block */
if (st->leftover) {
size_t i = st->leftover;
st->buffer[i++] = 1;
for (; i < poly1305_block_size; i++)
st->buffer[i] = 0;
st->final = 1;
poly1305_blocks(st, st->buffer, poly1305_block_size);
}
/* fully carry h */
h0 = st->h[0];
h1 = st->h[1];
h2 = st->h[2];
h3 = st->h[3];
h4 = st->h[4];
c = h1 >> 26;
h1 = h1 & 0x3ffffff;
h2 += c;
c = h2 >> 26;
h2 = h2 & 0x3ffffff;
h3 += c;
c = h3 >> 26;
h3 = h3 & 0x3ffffff;
h4 += c;
c = h4 >> 26;
h4 = h4 & 0x3ffffff;
h0 += c * 5;
c = h0 >> 26;
h0 = h0 & 0x3ffffff;
h1 += c;
/* compute h + -p */
g0 = h0 + 5;
c = g0 >> 26;
g0 &= 0x3ffffff;
g1 = h1 + c;
c = g1 >> 26;
g1 &= 0x3ffffff;
g2 = h2 + c;
c = g2 >> 26;
g2 &= 0x3ffffff;
g3 = h3 + c;
c = g3 >> 26;
g3 &= 0x3ffffff;
g4 = h4 + c - (1 << 26);
/* select h if h < p, or h + -p if h >= p */
mask = (g4 >> ((sizeof(unsigned long) * 8) - 1)) - 1;
g0 &= mask;
g1 &= mask;
g2 &= mask;
g3 &= mask;
g4 &= mask;
mask = ~mask;
h0 = (h0 & mask) | g0;
h1 = (h1 & mask) | g1;
h2 = (h2 & mask) | g2;
h3 = (h3 & mask) | g3;
h4 = (h4 & mask) | g4;
/* h = h % (2^128) */
h0 = ((h0) | (h1 << 26)) & 0xffffffff;
h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
/* mac = (h + pad) % (2^128) */
f = (unsigned long long)h0 + st->pad[0];
h0 = (unsigned long)f;
f = (unsigned long long)h1 + st->pad[1] + (f >> 32);
h1 = (unsigned long)f;
f = (unsigned long long)h2 + st->pad[2] + (f >> 32);
h2 = (unsigned long)f;
f = (unsigned long long)h3 + st->pad[3] + (f >> 32);
h3 = (unsigned long)f;
U32TO8(mac + 0, h0);
U32TO8(mac + 4, h1);
U32TO8(mac + 8, h2);
U32TO8(mac + 12, h3);
/* zero out the state */
st->h[0] = 0;
st->h[1] = 0;
st->h[2] = 0;
st->h[3] = 0;
st->h[4] = 0;
st->r[0] = 0;
st->r[1] = 0;
st->r[2] = 0;
st->r[3] = 0;
st->r[4] = 0;
st->pad[0] = 0;
st->pad[1] = 0;
st->pad[2] = 0;
st->pad[3] = 0;
}

1167
crypto/rijndael.c Normal file
View file

File diff suppressed because it is too large Load diff

366
crypto/rmd160.c Normal file
View file

@ -0,0 +1,366 @@
/* $OpenBSD: rmd160.c,v 1.5 2011/01/11 15:42:05 deraadt Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Preneel, Bosselaers, Dobbertin, "The Cryptographic Hash Function RIPEMD-160",
* RSA Laboratories, CryptoBytes, Volume 3, Number 2, Autumn 1997,
* ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto3n2.pdf
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/endian.h>
#include <crypto/rmd160.h>
#define PUT_64BIT_LE(cp, value) do { \
(cp)[7] = (value) >> 56; \
(cp)[6] = (value) >> 48; \
(cp)[5] = (value) >> 40; \
(cp)[4] = (value) >> 32; \
(cp)[3] = (value) >> 24; \
(cp)[2] = (value) >> 16; \
(cp)[1] = (value) >> 8; \
(cp)[0] = (value); } while (0)
#define PUT_32BIT_LE(cp, value) do { \
(cp)[3] = (value) >> 24; \
(cp)[2] = (value) >> 16; \
(cp)[1] = (value) >> 8; \
(cp)[0] = (value); } while (0)
#define H0 0x67452301U
#define H1 0xEFCDAB89U
#define H2 0x98BADCFEU
#define H3 0x10325476U
#define H4 0xC3D2E1F0U
#define K0 0x00000000U
#define K1 0x5A827999U
#define K2 0x6ED9EBA1U
#define K3 0x8F1BBCDCU
#define K4 0xA953FD4EU
#define KK0 0x50A28BE6U
#define KK1 0x5C4DD124U
#define KK2 0x6D703EF3U
#define KK3 0x7A6D76E9U
#define KK4 0x00000000U
/* rotate x left n bits. */
#define ROL(n, x) (((x) << (n)) | ((x) >> (32-(n))))
#define F0(x, y, z) ((x) ^ (y) ^ (z))
#define F1(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define F2(x, y, z) (((x) | (~y)) ^ (z))
#define F3(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define F4(x, y, z) ((x) ^ ((y) | (~z)))
#define R(a, b, c, d, e, Fj, Kj, sj, rj) \
do { \
a = ROL(sj, a + Fj(b,c,d) + X(rj) + Kj) + e; \
c = ROL(10, c); \
} while(0)
#define X(i) x[i]
static u_char PADDING[64] = {
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
void
RMD160Init(RMD160_CTX *ctx)
{
ctx->count = 0;
ctx->state[0] = H0;
ctx->state[1] = H1;
ctx->state[2] = H2;
ctx->state[3] = H3;
ctx->state[4] = H4;
}
void
RMD160Update(RMD160_CTX *ctx, const u_char *input, u_int32_t len)
{
u_int32_t have, off, need;
have = (ctx->count/8) % 64;
need = 64 - have;
ctx->count += 8 * len;
off = 0;
if (len >= need) {
if (have) {
memcpy(ctx->buffer + have, input, need);
RMD160Transform(ctx->state, ctx->buffer);
off = need;
have = 0;
}
/* now the buffer is empty */
while (off + 64 <= len) {
RMD160Transform(ctx->state, input+off);
off += 64;
}
}
if (off < len)
memcpy(ctx->buffer + have, input+off, len-off);
}
void
RMD160Final(u_char digest[20], RMD160_CTX *ctx)
{
int i;
u_char size[8];
u_int32_t padlen;
PUT_64BIT_LE(size, ctx->count);
/*
* pad to 64 byte blocks, at least one byte from PADDING plus 8 bytes
* for the size
*/
padlen = 64 - ((ctx->count/8) % 64);
if (padlen < 1 + 8)
padlen += 64;
RMD160Update(ctx, PADDING, padlen - 8); /* padlen - 8 <= 64 */
RMD160Update(ctx, size, 8);
if (digest != NULL)
for (i = 0; i < 5; i++)
PUT_32BIT_LE(digest + i*4, ctx->state[i]);
explicit_bzero(ctx, sizeof (*ctx));
}
void
RMD160Transform(u_int32_t state[5], const u_char block[64])
{
u_int32_t a, b, c, d, e, aa, bb, cc, dd, ee, t, x[16];
#if BYTE_ORDER == LITTLE_ENDIAN
memcpy(x, block, 64);
#else
int i;
for (i = 0; i < 16; i++)
x[i] = (u_int32_t)(
(u_int32_t)(block[i*4 + 0]) |
(u_int32_t)(block[i*4 + 1]) << 8 |
(u_int32_t)(block[i*4 + 2]) << 16 |
(u_int32_t)(block[i*4 + 3]) << 24);
#endif
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
/* Round 1 */
R(a, b, c, d, e, F0, K0, 11, 0);
R(e, a, b, c, d, F0, K0, 14, 1);
R(d, e, a, b, c, F0, K0, 15, 2);
R(c, d, e, a, b, F0, K0, 12, 3);
R(b, c, d, e, a, F0, K0, 5, 4);
R(a, b, c, d, e, F0, K0, 8, 5);
R(e, a, b, c, d, F0, K0, 7, 6);
R(d, e, a, b, c, F0, K0, 9, 7);
R(c, d, e, a, b, F0, K0, 11, 8);
R(b, c, d, e, a, F0, K0, 13, 9);
R(a, b, c, d, e, F0, K0, 14, 10);
R(e, a, b, c, d, F0, K0, 15, 11);
R(d, e, a, b, c, F0, K0, 6, 12);
R(c, d, e, a, b, F0, K0, 7, 13);
R(b, c, d, e, a, F0, K0, 9, 14);
R(a, b, c, d, e, F0, K0, 8, 15); /* #15 */
/* Round 2 */
R(e, a, b, c, d, F1, K1, 7, 7);
R(d, e, a, b, c, F1, K1, 6, 4);
R(c, d, e, a, b, F1, K1, 8, 13);
R(b, c, d, e, a, F1, K1, 13, 1);
R(a, b, c, d, e, F1, K1, 11, 10);
R(e, a, b, c, d, F1, K1, 9, 6);
R(d, e, a, b, c, F1, K1, 7, 15);
R(c, d, e, a, b, F1, K1, 15, 3);
R(b, c, d, e, a, F1, K1, 7, 12);
R(a, b, c, d, e, F1, K1, 12, 0);
R(e, a, b, c, d, F1, K1, 15, 9);
R(d, e, a, b, c, F1, K1, 9, 5);
R(c, d, e, a, b, F1, K1, 11, 2);
R(b, c, d, e, a, F1, K1, 7, 14);
R(a, b, c, d, e, F1, K1, 13, 11);
R(e, a, b, c, d, F1, K1, 12, 8); /* #31 */
/* Round 3 */
R(d, e, a, b, c, F2, K2, 11, 3);
R(c, d, e, a, b, F2, K2, 13, 10);
R(b, c, d, e, a, F2, K2, 6, 14);
R(a, b, c, d, e, F2, K2, 7, 4);
R(e, a, b, c, d, F2, K2, 14, 9);
R(d, e, a, b, c, F2, K2, 9, 15);
R(c, d, e, a, b, F2, K2, 13, 8);
R(b, c, d, e, a, F2, K2, 15, 1);
R(a, b, c, d, e, F2, K2, 14, 2);
R(e, a, b, c, d, F2, K2, 8, 7);
R(d, e, a, b, c, F2, K2, 13, 0);
R(c, d, e, a, b, F2, K2, 6, 6);
R(b, c, d, e, a, F2, K2, 5, 13);
R(a, b, c, d, e, F2, K2, 12, 11);
R(e, a, b, c, d, F2, K2, 7, 5);
R(d, e, a, b, c, F2, K2, 5, 12); /* #47 */
/* Round 4 */
R(c, d, e, a, b, F3, K3, 11, 1);
R(b, c, d, e, a, F3, K3, 12, 9);
R(a, b, c, d, e, F3, K3, 14, 11);
R(e, a, b, c, d, F3, K3, 15, 10);
R(d, e, a, b, c, F3, K3, 14, 0);
R(c, d, e, a, b, F3, K3, 15, 8);
R(b, c, d, e, a, F3, K3, 9, 12);
R(a, b, c, d, e, F3, K3, 8, 4);
R(e, a, b, c, d, F3, K3, 9, 13);
R(d, e, a, b, c, F3, K3, 14, 3);
R(c, d, e, a, b, F3, K3, 5, 7);
R(b, c, d, e, a, F3, K3, 6, 15);
R(a, b, c, d, e, F3, K3, 8, 14);
R(e, a, b, c, d, F3, K3, 6, 5);
R(d, e, a, b, c, F3, K3, 5, 6);
R(c, d, e, a, b, F3, K3, 12, 2); /* #63 */
/* Round 5 */
R(b, c, d, e, a, F4, K4, 9, 4);
R(a, b, c, d, e, F4, K4, 15, 0);
R(e, a, b, c, d, F4, K4, 5, 5);
R(d, e, a, b, c, F4, K4, 11, 9);
R(c, d, e, a, b, F4, K4, 6, 7);
R(b, c, d, e, a, F4, K4, 8, 12);
R(a, b, c, d, e, F4, K4, 13, 2);
R(e, a, b, c, d, F4, K4, 12, 10);
R(d, e, a, b, c, F4, K4, 5, 14);
R(c, d, e, a, b, F4, K4, 12, 1);
R(b, c, d, e, a, F4, K4, 13, 3);
R(a, b, c, d, e, F4, K4, 14, 8);
R(e, a, b, c, d, F4, K4, 11, 11);
R(d, e, a, b, c, F4, K4, 8, 6);
R(c, d, e, a, b, F4, K4, 5, 15);
R(b, c, d, e, a, F4, K4, 6, 13); /* #79 */
aa = a ; bb = b; cc = c; dd = d; ee = e;
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
/* Parallel round 1 */
R(a, b, c, d, e, F4, KK0, 8, 5);
R(e, a, b, c, d, F4, KK0, 9, 14);
R(d, e, a, b, c, F4, KK0, 9, 7);
R(c, d, e, a, b, F4, KK0, 11, 0);
R(b, c, d, e, a, F4, KK0, 13, 9);
R(a, b, c, d, e, F4, KK0, 15, 2);
R(e, a, b, c, d, F4, KK0, 15, 11);
R(d, e, a, b, c, F4, KK0, 5, 4);
R(c, d, e, a, b, F4, KK0, 7, 13);
R(b, c, d, e, a, F4, KK0, 7, 6);
R(a, b, c, d, e, F4, KK0, 8, 15);
R(e, a, b, c, d, F4, KK0, 11, 8);
R(d, e, a, b, c, F4, KK0, 14, 1);
R(c, d, e, a, b, F4, KK0, 14, 10);
R(b, c, d, e, a, F4, KK0, 12, 3);
R(a, b, c, d, e, F4, KK0, 6, 12); /* #15 */
/* Parallel round 2 */
R(e, a, b, c, d, F3, KK1, 9, 6);
R(d, e, a, b, c, F3, KK1, 13, 11);
R(c, d, e, a, b, F3, KK1, 15, 3);
R(b, c, d, e, a, F3, KK1, 7, 7);
R(a, b, c, d, e, F3, KK1, 12, 0);
R(e, a, b, c, d, F3, KK1, 8, 13);
R(d, e, a, b, c, F3, KK1, 9, 5);
R(c, d, e, a, b, F3, KK1, 11, 10);
R(b, c, d, e, a, F3, KK1, 7, 14);
R(a, b, c, d, e, F3, KK1, 7, 15);
R(e, a, b, c, d, F3, KK1, 12, 8);
R(d, e, a, b, c, F3, KK1, 7, 12);
R(c, d, e, a, b, F3, KK1, 6, 4);
R(b, c, d, e, a, F3, KK1, 15, 9);
R(a, b, c, d, e, F3, KK1, 13, 1);
R(e, a, b, c, d, F3, KK1, 11, 2); /* #31 */
/* Parallel round 3 */
R(d, e, a, b, c, F2, KK2, 9, 15);
R(c, d, e, a, b, F2, KK2, 7, 5);
R(b, c, d, e, a, F2, KK2, 15, 1);
R(a, b, c, d, e, F2, KK2, 11, 3);
R(e, a, b, c, d, F2, KK2, 8, 7);
R(d, e, a, b, c, F2, KK2, 6, 14);
R(c, d, e, a, b, F2, KK2, 6, 6);
R(b, c, d, e, a, F2, KK2, 14, 9);
R(a, b, c, d, e, F2, KK2, 12, 11);
R(e, a, b, c, d, F2, KK2, 13, 8);
R(d, e, a, b, c, F2, KK2, 5, 12);
R(c, d, e, a, b, F2, KK2, 14, 2);
R(b, c, d, e, a, F2, KK2, 13, 10);
R(a, b, c, d, e, F2, KK2, 13, 0);
R(e, a, b, c, d, F2, KK2, 7, 4);
R(d, e, a, b, c, F2, KK2, 5, 13); /* #47 */
/* Parallel round 4 */
R(c, d, e, a, b, F1, KK3, 15, 8);
R(b, c, d, e, a, F1, KK3, 5, 6);
R(a, b, c, d, e, F1, KK3, 8, 4);
R(e, a, b, c, d, F1, KK3, 11, 1);
R(d, e, a, b, c, F1, KK3, 14, 3);
R(c, d, e, a, b, F1, KK3, 14, 11);
R(b, c, d, e, a, F1, KK3, 6, 15);
R(a, b, c, d, e, F1, KK3, 14, 0);
R(e, a, b, c, d, F1, KK3, 6, 5);
R(d, e, a, b, c, F1, KK3, 9, 12);
R(c, d, e, a, b, F1, KK3, 12, 2);
R(b, c, d, e, a, F1, KK3, 9, 13);
R(a, b, c, d, e, F1, KK3, 12, 9);
R(e, a, b, c, d, F1, KK3, 5, 7);
R(d, e, a, b, c, F1, KK3, 15, 10);
R(c, d, e, a, b, F1, KK3, 8, 14); /* #63 */
/* Parallel round 5 */
R(b, c, d, e, a, F0, KK4, 8, 12);
R(a, b, c, d, e, F0, KK4, 5, 15);
R(e, a, b, c, d, F0, KK4, 12, 10);
R(d, e, a, b, c, F0, KK4, 9, 4);
R(c, d, e, a, b, F0, KK4, 12, 1);
R(b, c, d, e, a, F0, KK4, 5, 5);
R(a, b, c, d, e, F0, KK4, 14, 8);
R(e, a, b, c, d, F0, KK4, 6, 7);
R(d, e, a, b, c, F0, KK4, 8, 6);
R(c, d, e, a, b, F0, KK4, 13, 2);
R(b, c, d, e, a, F0, KK4, 6, 13);
R(a, b, c, d, e, F0, KK4, 5, 14);
R(e, a, b, c, d, F0, KK4, 15, 0);
R(d, e, a, b, c, F0, KK4, 13, 3);
R(c, d, e, a, b, F0, KK4, 11, 9);
R(b, c, d, e, a, F0, KK4, 11, 11); /* #79 */
t = state[1] + cc + d;
state[1] = state[2] + dd + e;
state[2] = state[3] + ee + a;
state[3] = state[4] + aa + b;
state[4] = state[0] + bb + c;
state[0] = t;
}

214
crypto/set_key.c Normal file
View file

@ -0,0 +1,214 @@
/* $OpenBSD: set_key.c,v 1.5 2021/03/12 10:22:46 jsg Exp $ */
/* lib/des/set_key.c */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* set_key.c v 1.4 eay 24/9/91
* 1.4 Speed up by 400% :-)
* 1.3 added register declarations.
* 1.2 unrolled make_key_sched a bit more
* 1.1 added norm_expand_bits
* 1.0 First working version
*/
#include "des_locl.h"
#include "podd.h"
#include "sk.h"
static int check_parity(des_cblock (*key));
int des_check_key=0;
static int
check_parity(des_cblock (*key))
{
int i;
for (i = 0; i < DES_KEY_SZ; i++) {
if ((*key)[i] != odd_parity[(*key)[i]])
return(0);
}
return (1);
}
/* Weak and semi week keys as take from
* %A D.W. Davies
* %A W.L. Price
* %T Security for Computer Networks
* %I John Wiley & Sons
* %D 1984
* Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference
* (and actual cblock values).
*/
#define NUM_WEAK_KEY 16
static des_cblock weak_keys[NUM_WEAK_KEY]={
/* weak keys */
{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
{0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
{0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F},
{0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0},
/* semi-weak keys */
{0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
{0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
{0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
{0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
{0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
{0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
{0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
{0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
{0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
{0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
{0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
int
des_is_weak_key(des_cblock (*key))
{
int i;
for (i = 0; i < NUM_WEAK_KEY; i++) {
/* Added == 0 to comparison, I obviously don't run
* this section very often :-(, thanks to
* engineering@MorningStar.Com for the fix
* eay 93/06/29 */
if (bcmp(weak_keys[i], key, sizeof(des_cblock)) == 0)
return (1);
}
return (0);
}
/* NOW DEFINED IN des_local.h
* See ecb_encrypt.c for a pseudo description of these macros.
* #define PERM_OP(a, b, t, n, m) ((t) = ((((a) >> (n))^(b)) & (m)),\
* (b)^=(t),\
* (a) = ((a)^((t) << (n))))
*/
#define HPERM_OP(a, t, n, m) ((t) = ((((a) << (16 - (n)))^(a)) & (m)),\
(a) = (a)^(t)^(t >> (16 - (n))))
static int shifts2[16]={0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0};
/* return 0 if key parity is odd (correct),
* return -1 if key parity error,
* return -2 if illegal weak key.
*/
int
des_set_key(des_cblock (*key), des_key_schedule schedule)
{
register u_int32_t c, d, t, s;
register unsigned char *in;
register u_int32_t *k;
register int i;
if (des_check_key) {
if (!check_parity(key))
return(-1);
if (des_is_weak_key(key))
return(-2);
}
k = (u_int32_t *) schedule;
in = (unsigned char *) key;
c2l(in, c);
c2l(in, d);
/* do PC1 in 60 simple operations */
/* PERM_OP(d, c, t, 4, 0x0f0f0f0fL);
HPERM_OP(c, t, -2, 0xcccc0000L);
HPERM_OP(c, t, -1, 0xaaaa0000L);
HPERM_OP(c, t, 8, 0x00ff0000L);
HPERM_OP(c, t, -1, 0xaaaa0000L);
HPERM_OP(d, t, -8, 0xff000000L);
HPERM_OP(d, t, 8, 0x00ff0000L);
HPERM_OP(d, t, 2, 0x33330000L);
d = ((d & 0x00aa00aaL) << 7L) | ((d & 0x55005500L) >> 7L) | (d & 0xaa55aa55L);
d = (d >> 8) | ((c & 0xf0000000L) >> 4);
c &= 0x0fffffffL; */
/* I now do it in 47 simple operations :-)
* Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
* for the inspiration. :-) */
PERM_OP (d, c, t, 4, 0x0f0f0f0fL);
HPERM_OP(c, t, -2, 0xcccc0000L);
HPERM_OP(d, t, -2, 0xcccc0000L);
PERM_OP (d, c, t, 1, 0x55555555L);
PERM_OP (c, d, t, 8, 0x00ff00ffL);
PERM_OP (d, c, t, 1, 0x55555555L);
d = (((d & 0x000000ffL) << 16L) | (d & 0x0000ff00L) |
((d & 0x00ff0000L) >> 16L) | ((c & 0xf0000000L) >> 4L));
c &= 0x0fffffffL;
for (i = 0; i < ITERATIONS; i++) {
if (shifts2[i])
{ c = ((c >> 2L) | (c << 26L)); d = ((d >> 2L) | (d << 26L)); }
else
{ c = ((c >> 1L) | (c << 27L)); d = ((d >> 1L) | (d << 27L)); }
c &= 0x0fffffffL;
d &= 0x0fffffffL;
/* could be a few less shifts but I am to lazy at this
* point in time to investigate */
s = des_skb[0][ (c ) & 0x3f ]|
des_skb[1][((c >> 6) & 0x03) | ((c >> 7L) & 0x3c)]|
des_skb[2][((c >> 13) & 0x0f) | ((c >> 14L) & 0x30)]|
des_skb[3][((c >> 20) & 0x01) | ((c >> 21L) & 0x06) |
((c >> 22L) & 0x38)];
t = des_skb[4][ (d ) & 0x3f ]|
des_skb[5][((d >> 7L) & 0x03) | ((d >> 8L) & 0x3c)]|
des_skb[6][ (d >> 15L) & 0x3f ]|
des_skb[7][((d >> 21L) & 0x0f) | ((d >> 22L) & 0x30)];
/* table contained 0213 4657 */
*(k++) = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL;
s = ((s >> 16L) | (t & 0xffff0000L));
s = (s << 4L) | (s >> 28L);
*(k++) = s & 0xffffffffL;
}
return (0);
}

169
crypto/sha1.c Normal file
View file

@ -0,0 +1,169 @@
/* $OpenBSD: sha1.c,v 1.11 2014/12/28 10:04:35 tedu Exp $ */
/*
* SHA-1 in C
* By Steve Reid <steve@edmweb.com>
* 100% Public Domain
*
* Test Vectors (from FIPS PUB 180-1)
* "abc"
* A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
* "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
* 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
* A million repetitions of "a"
* 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
*/
/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */
/* #define SHA1HANDSOFF * Copies data before messing with it. */
#define SHA1HANDSOFF
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/sha1.h>
#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
/* blk0() and blk() perform the initial expand. */
/* I got the idea of expanding during the round function from SSLeay */
#if BYTE_ORDER == LITTLE_ENDIAN
#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
|(rol(block->l[i],8)&0x00FF00FF))
#else
#define blk0(i) block->l[i]
#endif
#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
^block->l[(i+2)&15]^block->l[i&15],1))
/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
/* Hash a single 512-bit block. This is the core of the algorithm. */
void
SHA1Transform(u_int32_t state[5], const unsigned char buffer[SHA1_BLOCK_LENGTH])
{
u_int32_t a, b, c, d, e;
typedef union {
unsigned char c[64];
unsigned int l[16];
} CHAR64LONG16;
CHAR64LONG16* block;
#ifdef SHA1HANDSOFF
unsigned char workspace[SHA1_BLOCK_LENGTH];
block = (CHAR64LONG16 *)workspace;
memcpy(block, buffer, SHA1_BLOCK_LENGTH);
#else
block = (CHAR64LONG16 *)buffer;
#endif
/* Copy context->state[] to working vars */
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
/* 4 rounds of 20 operations each. Loop unrolled. */
R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
/* Add the working vars back into context.state[] */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
/* Wipe variables */
a = b = c = d = e = 0;
}
/* SHA1Init - Initialize new context */
void
SHA1Init(SHA1_CTX *context)
{
/* SHA1 initialization constants */
context->count = 0;
context->state[0] = 0x67452301;
context->state[1] = 0xEFCDAB89;
context->state[2] = 0x98BADCFE;
context->state[3] = 0x10325476;
context->state[4] = 0xC3D2E1F0;
}
/* Run your data through this. */
void
SHA1Update(SHA1_CTX *context, const void *dataptr, unsigned int len)
{
const uint8_t *data = dataptr;
unsigned int i;
unsigned int j;
j = (u_int32_t)((context->count >> 3) & 63);
context->count += (len << 3);
if ((j + len) > 63) {
memcpy(&context->buffer[j], data, (i = 64 - j));
SHA1Transform(context->state, context->buffer);
for ( ; i + 63 < len; i += 64) {
SHA1Transform(context->state, &data[i]);
}
j = 0;
}
else i = 0;
memcpy(&context->buffer[j], &data[i], len - i);
}
/* Add padding and return the message digest. */
void
SHA1Final(unsigned char digest[SHA1_DIGEST_LENGTH], SHA1_CTX *context)
{
unsigned int i;
unsigned char finalcount[8];
for (i = 0; i < 8; i++) {
finalcount[i] = (unsigned char)((context->count >>
((7 - (i & 7)) * 8)) & 255); /* Endian independent */
}
SHA1Update(context, "\200", 1);
while ((context->count & 504) != 448) {
SHA1Update(context, "\0", 1);
}
SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
for (i = 0; i < SHA1_DIGEST_LENGTH; i++) {
digest[i] = (unsigned char)((context->state[i >> 2] >>
((3 - (i & 3)) * 8)) & 255);
}
explicit_bzero(&finalcount, sizeof(finalcount));
explicit_bzero(context, sizeof(*context));
}

855
crypto/sha2.c Normal file
View file

@ -0,0 +1,855 @@
/* $OpenBSD: sha2.c,v 1.19 2021/03/12 10:22:46 jsg Exp $ */
/*
* FILE: sha2.c
* AUTHOR: Aaron D. Gifford <me@aarongifford.com>
*
* Copyright (c) 2000-2001, Aaron D. Gifford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
*/
#include <sys/time.h>
#include <sys/systm.h>
#include <crypto/sha2.h>
/*
* UNROLLED TRANSFORM LOOP NOTE:
* You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
* loop version for the hash transform rounds (defined using macros
* later in this file). Either define on the command line, for example:
*
* cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
*
* or define below:
*
* #define SHA2_UNROLL_TRANSFORM
*
*/
#ifndef SMALL_KERNEL
#if defined(__amd64__) || defined(__i386__)
#define SHA2_UNROLL_TRANSFORM
#endif
#endif
/*** SHA-256/384/512 Machine Architecture Definitions *****************/
/*
* BYTE_ORDER NOTE:
*
* Please make sure that your system defines BYTE_ORDER. If your
* architecture is little-endian, make sure it also defines
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
* equivalent.
*
* If your system does not define the above, then you can do so by
* hand like this:
*
* #define LITTLE_ENDIAN 1234
* #define BIG_ENDIAN 4321
*
* And for little-endian machines, add:
*
* #define BYTE_ORDER LITTLE_ENDIAN
*
* Or for big-endian machines:
*
* #define BYTE_ORDER BIG_ENDIAN
*
* The FreeBSD machine this was written on defines BYTE_ORDER
* appropriately by including <sys/types.h> (which in turn includes
* <machine/endian.h> where the appropriate definitions are actually
* made).
*/
#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
#endif
/*** SHA-256/384/512 Various Length Definitions ***********************/
/* NOTE: Most of these are in sha2.h */
#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
/*
* Macro for incrementally adding the unsigned 64-bit integer n to the
* unsigned 128-bit integer (represented using a two-element array of
* 64-bit words):
*/
#define ADDINC128(w,n) { \
(w)[0] += (u_int64_t)(n); \
if ((w)[0] < (n)) { \
(w)[1]++; \
} \
}
/*** THE SIX LOGICAL FUNCTIONS ****************************************/
/*
* Bit shifting and rotation (used by the six SHA-XYZ logical functions:
*
* NOTE: The naming of R and S appears backwards here (R is a SHIFT and
* S is a ROTATION) because the SHA-256/384/512 description document
* (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
* same "backwards" definition.
*/
/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
#define R(b,x) ((x) >> (b))
/* 32-bit Rotate-right (used in SHA-256): */
#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
/* Four of six logical functions used in SHA-256: */
#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
/* Four of six logical functions used in SHA-384 and SHA-512: */
#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
/*** INTERNAL FUNCTION PROTOTYPES *************************************/
/* NOTE: These should not be accessed directly from outside this
* library -- they are intended for private internal visibility/use
* only.
*/
void SHA512Last(SHA2_CTX *);
void SHA256Transform(u_int32_t *, const u_int8_t *);
void SHA512Transform(u_int64_t *, const u_int8_t *);
/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
/* Hash constant words K for SHA-256: */
const static u_int32_t K256[64] = {
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};
/* Initial hash value H for SHA-256: */
const static u_int32_t sha256_initial_hash_value[8] = {
0x6a09e667UL,
0xbb67ae85UL,
0x3c6ef372UL,
0xa54ff53aUL,
0x510e527fUL,
0x9b05688cUL,
0x1f83d9abUL,
0x5be0cd19UL
};
/* Hash constant words K for SHA-384 and SHA-512: */
const static u_int64_t K512[80] = {
0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
};
/* Initial hash value H for SHA-384 */
const static u_int64_t sha384_initial_hash_value[8] = {
0xcbbb9d5dc1059ed8ULL,
0x629a292a367cd507ULL,
0x9159015a3070dd17ULL,
0x152fecd8f70e5939ULL,
0x67332667ffc00b31ULL,
0x8eb44a8768581511ULL,
0xdb0c2e0d64f98fa7ULL,
0x47b5481dbefa4fa4ULL
};
/* Initial hash value H for SHA-512 */
const static u_int64_t sha512_initial_hash_value[8] = {
0x6a09e667f3bcc908ULL,
0xbb67ae8584caa73bULL,
0x3c6ef372fe94f82bULL,
0xa54ff53a5f1d36f1ULL,
0x510e527fade682d1ULL,
0x9b05688c2b3e6c1fULL,
0x1f83d9abfb41bd6bULL,
0x5be0cd19137e2179ULL
};
/*** SHA-256: *********************************************************/
void
SHA256Init(SHA2_CTX *context)
{
memcpy(context->state.st32, sha256_initial_hash_value,
SHA256_DIGEST_LENGTH);
memset(context->buffer, 0, SHA256_BLOCK_LENGTH);
context->bitcount[0] = 0;
}
#ifdef SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-256 round macros: */
#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \
((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \
data += 4; \
T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
(d) += T1; \
(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
#define ROUND256(a,b,c,d,e,f,g,h) do { \
s0 = W256[(j+1)&0x0f]; \
s0 = sigma0_256(s0); \
s1 = W256[(j+14)&0x0f]; \
s1 = sigma1_256(s1); \
T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
(W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
(d) += T1; \
(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
void
SHA256Transform(u_int32_t *state, const u_int8_t *data)
{
u_int32_t a, b, c, d, e, f, g, h, s0, s1;
u_int32_t T1, W256[16];
int j;
/* Initialize registers with the prev. intermediate value */
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
f = state[5];
g = state[6];
h = state[7];
j = 0;
do {
/* Rounds 0 to 15 (unrolled): */
ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
} while (j < 16);
/* Now for the remaining rounds to 64: */
do {
ROUND256(a,b,c,d,e,f,g,h);
ROUND256(h,a,b,c,d,e,f,g);
ROUND256(g,h,a,b,c,d,e,f);
ROUND256(f,g,h,a,b,c,d,e);
ROUND256(e,f,g,h,a,b,c,d);
ROUND256(d,e,f,g,h,a,b,c);
ROUND256(c,d,e,f,g,h,a,b);
ROUND256(b,c,d,e,f,g,h,a);
} while (j < 64);
/* Compute the current intermediate hash value */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
state[5] += f;
state[6] += g;
state[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = 0;
}
#else /* SHA2_UNROLL_TRANSFORM */
void
SHA256Transform(u_int32_t *state, const u_int8_t *data)
{
u_int32_t a, b, c, d, e, f, g, h, s0, s1;
u_int32_t T1, T2, W256[16];
int j;
/* Initialize registers with the prev. intermediate value */
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
f = state[5];
g = state[6];
h = state[7];
j = 0;
do {
W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
data += 4;
/* Apply the SHA-256 compression function to update a..h */
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
T2 = Sigma0_256(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 16);
do {
/* Part of the message block expansion: */
s0 = W256[(j+1)&0x0f];
s0 = sigma0_256(s0);
s1 = W256[(j+14)&0x0f];
s1 = sigma1_256(s1);
/* Apply the SHA-256 compression function to update a..h */
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
(W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
T2 = Sigma0_256(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 64);
/* Compute the current intermediate hash value */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
state[5] += f;
state[6] += g;
state[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = T2 = 0;
}
#endif /* SHA2_UNROLL_TRANSFORM */
void
SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len)
{
const uint8_t *data = dataptr;
size_t freespace, usedspace;
/* Calling with no data is valid (we do nothing) */
if (len == 0)
return;
usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
if (usedspace > 0) {
/* Calculate how much free space is available in the buffer */
freespace = SHA256_BLOCK_LENGTH - usedspace;
if (len >= freespace) {
/* Fill the buffer completely and process it */
memcpy(&context->buffer[usedspace], data, freespace);
context->bitcount[0] += freespace << 3;
len -= freespace;
data += freespace;
SHA256Transform(context->state.st32, context->buffer);
} else {
/* The buffer is not yet full */
memcpy(&context->buffer[usedspace], data, len);
context->bitcount[0] += len << 3;
/* Clean up: */
usedspace = freespace = 0;
return;
}
}
while (len >= SHA256_BLOCK_LENGTH) {
/* Process as many complete blocks as we can */
SHA256Transform(context->state.st32, data);
context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
len -= SHA256_BLOCK_LENGTH;
data += SHA256_BLOCK_LENGTH;
}
if (len > 0) {
/* There's left-overs, so save 'em */
memcpy(context->buffer, data, len);
context->bitcount[0] += len << 3;
}
/* Clean up: */
usedspace = freespace = 0;
}
void
SHA256Final(u_int8_t digest[], SHA2_CTX *context)
{
unsigned int usedspace;
usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert FROM host byte order */
context->bitcount[0] = swap64(context->bitcount[0]);
#endif
if (usedspace > 0) {
/* Begin padding with a 1 bit: */
context->buffer[usedspace++] = 0x80;
if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
/* Set-up for the last transform: */
memset(&context->buffer[usedspace], 0,
SHA256_SHORT_BLOCK_LENGTH - usedspace);
} else {
if (usedspace < SHA256_BLOCK_LENGTH) {
memset(&context->buffer[usedspace], 0,
SHA256_BLOCK_LENGTH - usedspace);
}
/* Do second-to-last transform: */
SHA256Transform(context->state.st32, context->buffer);
/* And set-up for the last transform: */
memset(context->buffer, 0,
SHA256_SHORT_BLOCK_LENGTH);
}
} else {
/* Set-up for the last transform: */
memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
/* Begin padding with a 1 bit: */
*context->buffer = 0x80;
}
/* Set the bit count: */
*(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0];
/* Final transform: */
SHA256Transform(context->state.st32, context->buffer);
#if BYTE_ORDER == LITTLE_ENDIAN
{
/* Convert TO host byte order */
int j;
for (j = 0; j < 8; j++) {
context->state.st32[j] = swap32(context->state.st32[j]);
}
}
#endif
memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
/* Clean up state data: */
explicit_bzero(context, sizeof(*context));
usedspace = 0;
}
/*** SHA-512: *********************************************************/
void
SHA512Init(SHA2_CTX *context)
{
memcpy(context->state.st64, sha512_initial_hash_value,
SHA512_DIGEST_LENGTH);
memset(context->buffer, 0, SHA512_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] = 0;
}
#ifdef SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-512 round macros: */
#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \
((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \
((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \
((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \
data += 8; \
T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
(d) += T1; \
(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
#define ROUND512(a,b,c,d,e,f,g,h) do { \
s0 = W512[(j+1)&0x0f]; \
s0 = sigma0_512(s0); \
s1 = W512[(j+14)&0x0f]; \
s1 = sigma1_512(s1); \
T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
(d) += T1; \
(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
j++; \
} while(0)
void
SHA512Transform(u_int64_t *state, const u_int8_t *data)
{
u_int64_t a, b, c, d, e, f, g, h, s0, s1;
u_int64_t T1, W512[16];
int j;
/* Initialize registers with the prev. intermediate value */
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
f = state[5];
g = state[6];
h = state[7];
j = 0;
do {
ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
} while (j < 16);
/* Now for the remaining rounds up to 79: */
do {
ROUND512(a,b,c,d,e,f,g,h);
ROUND512(h,a,b,c,d,e,f,g);
ROUND512(g,h,a,b,c,d,e,f);
ROUND512(f,g,h,a,b,c,d,e);
ROUND512(e,f,g,h,a,b,c,d);
ROUND512(d,e,f,g,h,a,b,c);
ROUND512(c,d,e,f,g,h,a,b);
ROUND512(b,c,d,e,f,g,h,a);
} while (j < 80);
/* Compute the current intermediate hash value */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
state[5] += f;
state[6] += g;
state[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = 0;
}
#else /* SHA2_UNROLL_TRANSFORM */
void
SHA512Transform(u_int64_t *state, const u_int8_t *data)
{
u_int64_t a, b, c, d, e, f, g, h, s0, s1;
u_int64_t T1, T2, W512[16];
int j;
/* Initialize registers with the prev. intermediate value */
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
f = state[5];
g = state[6];
h = state[7];
j = 0;
do {
W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |
((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |
((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |
((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);
data += 8;
/* Apply the SHA-512 compression function to update a..h */
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
T2 = Sigma0_512(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 16);
do {
/* Part of the message block expansion: */
s0 = W512[(j+1)&0x0f];
s0 = sigma0_512(s0);
s1 = W512[(j+14)&0x0f];
s1 = sigma1_512(s1);
/* Apply the SHA-512 compression function to update a..h */
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
T2 = Sigma0_512(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
} while (j < 80);
/* Compute the current intermediate hash value */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
state[5] += f;
state[6] += g;
state[7] += h;
/* Clean up */
a = b = c = d = e = f = g = h = T1 = T2 = 0;
}
#endif /* SHA2_UNROLL_TRANSFORM */
void
SHA512Update(SHA2_CTX *context, const void *dataptr, size_t len)
{
const uint8_t *data = dataptr;
size_t freespace, usedspace;
/* Calling with no data is valid (we do nothing) */
if (len == 0)
return;
usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
if (usedspace > 0) {
/* Calculate how much free space is available in the buffer */
freespace = SHA512_BLOCK_LENGTH - usedspace;
if (len >= freespace) {
/* Fill the buffer completely and process it */
memcpy(&context->buffer[usedspace], data, freespace);
ADDINC128(context->bitcount, freespace << 3);
len -= freespace;
data += freespace;
SHA512Transform(context->state.st64, context->buffer);
} else {
/* The buffer is not yet full */
memcpy(&context->buffer[usedspace], data, len);
ADDINC128(context->bitcount, len << 3);
/* Clean up: */
usedspace = freespace = 0;
return;
}
}
while (len >= SHA512_BLOCK_LENGTH) {
/* Process as many complete blocks as we can */
SHA512Transform(context->state.st64, data);
ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
len -= SHA512_BLOCK_LENGTH;
data += SHA512_BLOCK_LENGTH;
}
if (len > 0) {
/* There's left-overs, so save 'em */
memcpy(context->buffer, data, len);
ADDINC128(context->bitcount, len << 3);
}
/* Clean up: */
usedspace = freespace = 0;
}
void
SHA512Last(SHA2_CTX *context)
{
unsigned int usedspace;
usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
#if BYTE_ORDER == LITTLE_ENDIAN
/* Convert FROM host byte order */
context->bitcount[0] = swap64(context->bitcount[0]);
context->bitcount[1] = swap64(context->bitcount[1]);
#endif
if (usedspace > 0) {
/* Begin padding with a 1 bit: */
context->buffer[usedspace++] = 0x80;
if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
/* Set-up for the last transform: */
memset(&context->buffer[usedspace], 0,
SHA512_SHORT_BLOCK_LENGTH - usedspace);
} else {
if (usedspace < SHA512_BLOCK_LENGTH) {
memset(&context->buffer[usedspace], 0,
SHA512_BLOCK_LENGTH - usedspace);
}
/* Do second-to-last transform: */
SHA512Transform(context->state.st64, context->buffer);
/* And set-up for the last transform: */
memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
}
} else {
/* Prepare for final transform: */
memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
/* Begin padding with a 1 bit: */
*context->buffer = 0x80;
}
/* Store the length of input data (in bits): */
*(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
*(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
/* Final transform: */
SHA512Transform(context->state.st64, context->buffer);
}
void
SHA512Final(u_int8_t digest[], SHA2_CTX *context)
{
SHA512Last(context);
/* Save the hash data for output: */
#if BYTE_ORDER == LITTLE_ENDIAN
{
/* Convert TO host byte order */
int j;
for (j = 0; j < 8; j++) {
context->state.st64[j] = swap64(context->state.st64[j]);
}
}
#endif
memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
/* Zero out state data */
explicit_bzero(context, sizeof(*context));
}
/*** SHA-384: *********************************************************/
void
SHA384Init(SHA2_CTX *context)
{
memcpy(context->state.st64, sha384_initial_hash_value,
SHA512_DIGEST_LENGTH);
memset(context->buffer, 0, SHA384_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] = 0;
}
void
SHA384Update(SHA2_CTX *context, const void *data, size_t len)
{
SHA512Update(context, data, len);
}
void
SHA384Final(u_int8_t digest[], SHA2_CTX *context)
{
SHA512Last(context);
/* Save the hash data for output: */
#if BYTE_ORDER == LITTLE_ENDIAN
{
/* Convert TO host byte order */
int j;
for (j = 0; j < 6; j++) {
context->state.st64[j] = swap64(context->state.st64[j]);
}
}
#endif
memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
/* Zero out state data */
explicit_bzero(context, sizeof(*context));
}

181
crypto/siphash.c Normal file
View file

@ -0,0 +1,181 @@
/* $OpenBSD: siphash.c,v 1.5 2018/01/05 19:05:09 mikeb Exp $ */
/*-
* Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d
* are the number of compression rounds and the number of finalization rounds.
* A compression round is identical to a finalization round and this round
* function is called SipRound. Given a 128-bit key k and a (possibly empty)
* byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).
*
* Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,
* by Jean-Philippe Aumasson and Daniel J. Bernstein,
* Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa
* https://131002.net/siphash/siphash.pdf
* https://131002.net/siphash/
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/siphash.h>
static void SipHash_CRounds(SIPHASH_CTX *, int);
static void SipHash_Rounds(SIPHASH_CTX *, int);
void
SipHash_Init(SIPHASH_CTX *ctx, const SIPHASH_KEY *key)
{
uint64_t k0, k1;
k0 = lemtoh64(&key->k0);
k1 = lemtoh64(&key->k1);
ctx->v[0] = 0x736f6d6570736575ULL ^ k0;
ctx->v[1] = 0x646f72616e646f6dULL ^ k1;
ctx->v[2] = 0x6c7967656e657261ULL ^ k0;
ctx->v[3] = 0x7465646279746573ULL ^ k1;
memset(ctx->buf, 0, sizeof(ctx->buf));
ctx->bytes = 0;
}
void
SipHash_Update(SIPHASH_CTX *ctx, int rc, int rf, const void *src, size_t len)
{
const uint8_t *ptr = src;
size_t left, used;
if (len == 0)
return;
used = ctx->bytes % sizeof(ctx->buf);
ctx->bytes += len;
if (used > 0) {
left = sizeof(ctx->buf) - used;
if (len >= left) {
memcpy(&ctx->buf[used], ptr, left);
SipHash_CRounds(ctx, rc);
len -= left;
ptr += left;
} else {
memcpy(&ctx->buf[used], ptr, len);
return;
}
}
while (len >= sizeof(ctx->buf)) {
memcpy(ctx->buf, ptr, sizeof(ctx->buf));
SipHash_CRounds(ctx, rc);
len -= sizeof(ctx->buf);
ptr += sizeof(ctx->buf);
}
if (len > 0)
memcpy(ctx->buf, ptr, len);
}
void
SipHash_Final(void *dst, SIPHASH_CTX *ctx, int rc, int rf)
{
uint64_t r;
htolem64(&r, SipHash_End(ctx, rc, rf));
memcpy(dst, &r, sizeof r);
}
uint64_t
SipHash_End(SIPHASH_CTX *ctx, int rc, int rf)
{
uint64_t r;
size_t left, used;
used = ctx->bytes % sizeof(ctx->buf);
left = sizeof(ctx->buf) - used;
memset(&ctx->buf[used], 0, left - 1);
ctx->buf[7] = ctx->bytes;
SipHash_CRounds(ctx, rc);
ctx->v[2] ^= 0xff;
SipHash_Rounds(ctx, rf);
r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]);
explicit_bzero(ctx, sizeof(*ctx));
return (r);
}
uint64_t
SipHash(const SIPHASH_KEY *key, int rc, int rf, const void *src, size_t len)
{
SIPHASH_CTX ctx;
SipHash_Init(&ctx, key);
SipHash_Update(&ctx, rc, rf, src, len);
return (SipHash_End(&ctx, rc, rf));
}
#define SIP_ROTL(x, b) ((x) << (b)) | ( (x) >> (64 - (b)))
static void
SipHash_Rounds(SIPHASH_CTX *ctx, int rounds)
{
while (rounds--) {
ctx->v[0] += ctx->v[1];
ctx->v[2] += ctx->v[3];
ctx->v[1] = SIP_ROTL(ctx->v[1], 13);
ctx->v[3] = SIP_ROTL(ctx->v[3], 16);
ctx->v[1] ^= ctx->v[0];
ctx->v[3] ^= ctx->v[2];
ctx->v[0] = SIP_ROTL(ctx->v[0], 32);
ctx->v[2] += ctx->v[1];
ctx->v[0] += ctx->v[3];
ctx->v[1] = SIP_ROTL(ctx->v[1], 17);
ctx->v[3] = SIP_ROTL(ctx->v[3], 21);
ctx->v[1] ^= ctx->v[2];
ctx->v[3] ^= ctx->v[0];
ctx->v[2] = SIP_ROTL(ctx->v[2], 32);
}
}
static void
SipHash_CRounds(SIPHASH_CTX *ctx, int rounds)
{
uint64_t m = lemtoh64((uint64_t *)ctx->buf);
ctx->v[3] ^= m;
SipHash_Rounds(ctx, rounds);
ctx->v[0] ^= m;
}

195
crypto/sk.h Normal file
View file

@ -0,0 +1,195 @@
/* $OpenBSD: sk.h,v 1.2 2002/10/27 13:24:26 miod Exp $ */
/* lib/des/sk.h */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
static const u_int32_t des_skb[8][64]={
{
/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
0x00000000L,0x00000010L,0x20000000L,0x20000010L,
0x00010000L,0x00010010L,0x20010000L,0x20010010L,
0x00000800L,0x00000810L,0x20000800L,0x20000810L,
0x00010800L,0x00010810L,0x20010800L,0x20010810L,
0x00000020L,0x00000030L,0x20000020L,0x20000030L,
0x00010020L,0x00010030L,0x20010020L,0x20010030L,
0x00000820L,0x00000830L,0x20000820L,0x20000830L,
0x00010820L,0x00010830L,0x20010820L,0x20010830L,
0x00080000L,0x00080010L,0x20080000L,0x20080010L,
0x00090000L,0x00090010L,0x20090000L,0x20090010L,
0x00080800L,0x00080810L,0x20080800L,0x20080810L,
0x00090800L,0x00090810L,0x20090800L,0x20090810L,
0x00080020L,0x00080030L,0x20080020L,0x20080030L,
0x00090020L,0x00090030L,0x20090020L,0x20090030L,
0x00080820L,0x00080830L,0x20080820L,0x20080830L,
0x00090820L,0x00090830L,0x20090820L,0x20090830L,
},{
/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
0x00000000L,0x02000000L,0x00002000L,0x02002000L,
0x00200000L,0x02200000L,0x00202000L,0x02202000L,
0x00000004L,0x02000004L,0x00002004L,0x02002004L,
0x00200004L,0x02200004L,0x00202004L,0x02202004L,
0x00000400L,0x02000400L,0x00002400L,0x02002400L,
0x00200400L,0x02200400L,0x00202400L,0x02202400L,
0x00000404L,0x02000404L,0x00002404L,0x02002404L,
0x00200404L,0x02200404L,0x00202404L,0x02202404L,
0x10000000L,0x12000000L,0x10002000L,0x12002000L,
0x10200000L,0x12200000L,0x10202000L,0x12202000L,
0x10000004L,0x12000004L,0x10002004L,0x12002004L,
0x10200004L,0x12200004L,0x10202004L,0x12202004L,
0x10000400L,0x12000400L,0x10002400L,0x12002400L,
0x10200400L,0x12200400L,0x10202400L,0x12202400L,
0x10000404L,0x12000404L,0x10002404L,0x12002404L,
0x10200404L,0x12200404L,0x10202404L,0x12202404L,
},{
/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
0x00000000L,0x00000001L,0x00040000L,0x00040001L,
0x01000000L,0x01000001L,0x01040000L,0x01040001L,
0x00000002L,0x00000003L,0x00040002L,0x00040003L,
0x01000002L,0x01000003L,0x01040002L,0x01040003L,
0x00000200L,0x00000201L,0x00040200L,0x00040201L,
0x01000200L,0x01000201L,0x01040200L,0x01040201L,
0x00000202L,0x00000203L,0x00040202L,0x00040203L,
0x01000202L,0x01000203L,0x01040202L,0x01040203L,
0x08000000L,0x08000001L,0x08040000L,0x08040001L,
0x09000000L,0x09000001L,0x09040000L,0x09040001L,
0x08000002L,0x08000003L,0x08040002L,0x08040003L,
0x09000002L,0x09000003L,0x09040002L,0x09040003L,
0x08000200L,0x08000201L,0x08040200L,0x08040201L,
0x09000200L,0x09000201L,0x09040200L,0x09040201L,
0x08000202L,0x08000203L,0x08040202L,0x08040203L,
0x09000202L,0x09000203L,0x09040202L,0x09040203L,
},{
/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
0x00000000L,0x00100000L,0x00000100L,0x00100100L,
0x00000008L,0x00100008L,0x00000108L,0x00100108L,
0x00001000L,0x00101000L,0x00001100L,0x00101100L,
0x00001008L,0x00101008L,0x00001108L,0x00101108L,
0x04000000L,0x04100000L,0x04000100L,0x04100100L,
0x04000008L,0x04100008L,0x04000108L,0x04100108L,
0x04001000L,0x04101000L,0x04001100L,0x04101100L,
0x04001008L,0x04101008L,0x04001108L,0x04101108L,
0x00020000L,0x00120000L,0x00020100L,0x00120100L,
0x00020008L,0x00120008L,0x00020108L,0x00120108L,
0x00021000L,0x00121000L,0x00021100L,0x00121100L,
0x00021008L,0x00121008L,0x00021108L,0x00121108L,
0x04020000L,0x04120000L,0x04020100L,0x04120100L,
0x04020008L,0x04120008L,0x04020108L,0x04120108L,
0x04021000L,0x04121000L,0x04021100L,0x04121100L,
0x04021008L,0x04121008L,0x04021108L,0x04121108L,
},{
/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
0x00000000L,0x10000000L,0x00010000L,0x10010000L,
0x00000004L,0x10000004L,0x00010004L,0x10010004L,
0x20000000L,0x30000000L,0x20010000L,0x30010000L,
0x20000004L,0x30000004L,0x20010004L,0x30010004L,
0x00100000L,0x10100000L,0x00110000L,0x10110000L,
0x00100004L,0x10100004L,0x00110004L,0x10110004L,
0x20100000L,0x30100000L,0x20110000L,0x30110000L,
0x20100004L,0x30100004L,0x20110004L,0x30110004L,
0x00001000L,0x10001000L,0x00011000L,0x10011000L,
0x00001004L,0x10001004L,0x00011004L,0x10011004L,
0x20001000L,0x30001000L,0x20011000L,0x30011000L,
0x20001004L,0x30001004L,0x20011004L,0x30011004L,
0x00101000L,0x10101000L,0x00111000L,0x10111000L,
0x00101004L,0x10101004L,0x00111004L,0x10111004L,
0x20101000L,0x30101000L,0x20111000L,0x30111000L,
0x20101004L,0x30101004L,0x20111004L,0x30111004L,
},{
/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
0x00000000L,0x08000000L,0x00000008L,0x08000008L,
0x00000400L,0x08000400L,0x00000408L,0x08000408L,
0x00020000L,0x08020000L,0x00020008L,0x08020008L,
0x00020400L,0x08020400L,0x00020408L,0x08020408L,
0x00000001L,0x08000001L,0x00000009L,0x08000009L,
0x00000401L,0x08000401L,0x00000409L,0x08000409L,
0x00020001L,0x08020001L,0x00020009L,0x08020009L,
0x00020401L,0x08020401L,0x00020409L,0x08020409L,
0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
},{
/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
0x00000000L,0x00000100L,0x00080000L,0x00080100L,
0x01000000L,0x01000100L,0x01080000L,0x01080100L,
0x00000010L,0x00000110L,0x00080010L,0x00080110L,
0x01000010L,0x01000110L,0x01080010L,0x01080110L,
0x00200000L,0x00200100L,0x00280000L,0x00280100L,
0x01200000L,0x01200100L,0x01280000L,0x01280100L,
0x00200010L,0x00200110L,0x00280010L,0x00280110L,
0x01200010L,0x01200110L,0x01280010L,0x01280110L,
0x00000200L,0x00000300L,0x00080200L,0x00080300L,
0x01000200L,0x01000300L,0x01080200L,0x01080300L,
0x00000210L,0x00000310L,0x00080210L,0x00080310L,
0x01000210L,0x01000310L,0x01080210L,0x01080310L,
0x00200200L,0x00200300L,0x00280200L,0x00280300L,
0x01200200L,0x01200300L,0x01280200L,0x01280300L,
0x00200210L,0x00200310L,0x00280210L,0x00280310L,
0x01200210L,0x01200310L,0x01280210L,0x01280310L,
},{
/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
0x00000000L,0x04000000L,0x00040000L,0x04040000L,
0x00000002L,0x04000002L,0x00040002L,0x04040002L,
0x00002000L,0x04002000L,0x00042000L,0x04042000L,
0x00002002L,0x04002002L,0x00042002L,0x04042002L,
0x00000020L,0x04000020L,0x00040020L,0x04040020L,
0x00000022L,0x04000022L,0x00040022L,0x04040022L,
0x00002020L,0x04002020L,0x00042020L,0x04042020L,
0x00002022L,0x04002022L,0x00042022L,0x04042022L,
0x00000800L,0x04000800L,0x00040800L,0x04040800L,
0x00000802L,0x04000802L,0x00040802L,0x04040802L,
0x00002800L,0x04002800L,0x00042800L,0x04042800L,
0x00002802L,0x04002802L,0x00042802L,0x04042802L,
0x00000820L,0x04000820L,0x00040820L,0x04040820L,
0x00000822L,0x04000822L,0x00040822L,0x04040822L,
0x00002820L,0x04002820L,0x00042820L,0x04042820L,
0x00002822L,0x04002822L,0x00042822L,0x04042822L,
}};

195
crypto/spr.h Normal file
View file

@ -0,0 +1,195 @@
/* $OpenBSD: spr.h,v 1.2 2002/10/27 13:24:26 miod Exp $ */
/* lib/des/spr.h */
/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
* All rights reserved.
*
* This file is part of an SSL implementation written
* by Eric Young (eay@mincom.oz.au).
* The implementation was written so as to conform with Netscapes SSL
* specification. This library and applications are
* FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
* as long as the following conditions are aheared to.
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed. If this code is used in a product,
* Eric Young should be given attribution as the author of the parts used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Eric Young (eay@mincom.oz.au)
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
static const u_int32_t des_SPtrans[8][64]={
{
/* nibble 0 */
0x00820200L, 0x00020000L, 0x80800000L, 0x80820200L,
0x00800000L, 0x80020200L, 0x80020000L, 0x80800000L,
0x80020200L, 0x00820200L, 0x00820000L, 0x80000200L,
0x80800200L, 0x00800000L, 0x00000000L, 0x80020000L,
0x00020000L, 0x80000000L, 0x00800200L, 0x00020200L,
0x80820200L, 0x00820000L, 0x80000200L, 0x00800200L,
0x80000000L, 0x00000200L, 0x00020200L, 0x80820000L,
0x00000200L, 0x80800200L, 0x80820000L, 0x00000000L,
0x00000000L, 0x80820200L, 0x00800200L, 0x80020000L,
0x00820200L, 0x00020000L, 0x80000200L, 0x00800200L,
0x80820000L, 0x00000200L, 0x00020200L, 0x80800000L,
0x80020200L, 0x80000000L, 0x80800000L, 0x00820000L,
0x80820200L, 0x00020200L, 0x00820000L, 0x80800200L,
0x00800000L, 0x80000200L, 0x80020000L, 0x00000000L,
0x00020000L, 0x00800000L, 0x80800200L, 0x00820200L,
0x80000000L, 0x80820000L, 0x00000200L, 0x80020200L,
},{
/* nibble 1 */
0x10042004L, 0x00000000L, 0x00042000L, 0x10040000L,
0x10000004L, 0x00002004L, 0x10002000L, 0x00042000L,
0x00002000L, 0x10040004L, 0x00000004L, 0x10002000L,
0x00040004L, 0x10042000L, 0x10040000L, 0x00000004L,
0x00040000L, 0x10002004L, 0x10040004L, 0x00002000L,
0x00042004L, 0x10000000L, 0x00000000L, 0x00040004L,
0x10002004L, 0x00042004L, 0x10042000L, 0x10000004L,
0x10000000L, 0x00040000L, 0x00002004L, 0x10042004L,
0x00040004L, 0x10042000L, 0x10002000L, 0x00042004L,
0x10042004L, 0x00040004L, 0x10000004L, 0x00000000L,
0x10000000L, 0x00002004L, 0x00040000L, 0x10040004L,
0x00002000L, 0x10000000L, 0x00042004L, 0x10002004L,
0x10042000L, 0x00002000L, 0x00000000L, 0x10000004L,
0x00000004L, 0x10042004L, 0x00042000L, 0x10040000L,
0x10040004L, 0x00040000L, 0x00002004L, 0x10002000L,
0x10002004L, 0x00000004L, 0x10040000L, 0x00042000L,
},{
/* nibble 2 */
0x41000000L, 0x01010040L, 0x00000040L, 0x41000040L,
0x40010000L, 0x01000000L, 0x41000040L, 0x00010040L,
0x01000040L, 0x00010000L, 0x01010000L, 0x40000000L,
0x41010040L, 0x40000040L, 0x40000000L, 0x41010000L,
0x00000000L, 0x40010000L, 0x01010040L, 0x00000040L,
0x40000040L, 0x41010040L, 0x00010000L, 0x41000000L,
0x41010000L, 0x01000040L, 0x40010040L, 0x01010000L,
0x00010040L, 0x00000000L, 0x01000000L, 0x40010040L,
0x01010040L, 0x00000040L, 0x40000000L, 0x00010000L,
0x40000040L, 0x40010000L, 0x01010000L, 0x41000040L,
0x00000000L, 0x01010040L, 0x00010040L, 0x41010000L,
0x40010000L, 0x01000000L, 0x41010040L, 0x40000000L,
0x40010040L, 0x41000000L, 0x01000000L, 0x41010040L,
0x00010000L, 0x01000040L, 0x41000040L, 0x00010040L,
0x01000040L, 0x00000000L, 0x41010000L, 0x40000040L,
0x41000000L, 0x40010040L, 0x00000040L, 0x01010000L,
},{
/* nibble 3 */
0x00100402L, 0x04000400L, 0x00000002L, 0x04100402L,
0x00000000L, 0x04100000L, 0x04000402L, 0x00100002L,
0x04100400L, 0x04000002L, 0x04000000L, 0x00000402L,
0x04000002L, 0x00100402L, 0x00100000L, 0x04000000L,
0x04100002L, 0x00100400L, 0x00000400L, 0x00000002L,
0x00100400L, 0x04000402L, 0x04100000L, 0x00000400L,
0x00000402L, 0x00000000L, 0x00100002L, 0x04100400L,
0x04000400L, 0x04100002L, 0x04100402L, 0x00100000L,
0x04100002L, 0x00000402L, 0x00100000L, 0x04000002L,
0x00100400L, 0x04000400L, 0x00000002L, 0x04100000L,
0x04000402L, 0x00000000L, 0x00000400L, 0x00100002L,
0x00000000L, 0x04100002L, 0x04100400L, 0x00000400L,
0x04000000L, 0x04100402L, 0x00100402L, 0x00100000L,
0x04100402L, 0x00000002L, 0x04000400L, 0x00100402L,
0x00100002L, 0x00100400L, 0x04100000L, 0x04000402L,
0x00000402L, 0x04000000L, 0x04000002L, 0x04100400L,
},{
/* nibble 4 */
0x02000000L, 0x00004000L, 0x00000100L, 0x02004108L,
0x02004008L, 0x02000100L, 0x00004108L, 0x02004000L,
0x00004000L, 0x00000008L, 0x02000008L, 0x00004100L,
0x02000108L, 0x02004008L, 0x02004100L, 0x00000000L,
0x00004100L, 0x02000000L, 0x00004008L, 0x00000108L,
0x02000100L, 0x00004108L, 0x00000000L, 0x02000008L,
0x00000008L, 0x02000108L, 0x02004108L, 0x00004008L,
0x02004000L, 0x00000100L, 0x00000108L, 0x02004100L,
0x02004100L, 0x02000108L, 0x00004008L, 0x02004000L,
0x00004000L, 0x00000008L, 0x02000008L, 0x02000100L,
0x02000000L, 0x00004100L, 0x02004108L, 0x00000000L,
0x00004108L, 0x02000000L, 0x00000100L, 0x00004008L,
0x02000108L, 0x00000100L, 0x00000000L, 0x02004108L,
0x02004008L, 0x02004100L, 0x00000108L, 0x00004000L,
0x00004100L, 0x02004008L, 0x02000100L, 0x00000108L,
0x00000008L, 0x00004108L, 0x02004000L, 0x02000008L,
},{
/* nibble 5 */
0x20000010L, 0x00080010L, 0x00000000L, 0x20080800L,
0x00080010L, 0x00000800L, 0x20000810L, 0x00080000L,
0x00000810L, 0x20080810L, 0x00080800L, 0x20000000L,
0x20000800L, 0x20000010L, 0x20080000L, 0x00080810L,
0x00080000L, 0x20000810L, 0x20080010L, 0x00000000L,
0x00000800L, 0x00000010L, 0x20080800L, 0x20080010L,
0x20080810L, 0x20080000L, 0x20000000L, 0x00000810L,
0x00000010L, 0x00080800L, 0x00080810L, 0x20000800L,
0x00000810L, 0x20000000L, 0x20000800L, 0x00080810L,
0x20080800L, 0x00080010L, 0x00000000L, 0x20000800L,
0x20000000L, 0x00000800L, 0x20080010L, 0x00080000L,
0x00080010L, 0x20080810L, 0x00080800L, 0x00000010L,
0x20080810L, 0x00080800L, 0x00080000L, 0x20000810L,
0x20000010L, 0x20080000L, 0x00080810L, 0x00000000L,
0x00000800L, 0x20000010L, 0x20000810L, 0x20080800L,
0x20080000L, 0x00000810L, 0x00000010L, 0x20080010L,
},{
/* nibble 6 */
0x00001000L, 0x00000080L, 0x00400080L, 0x00400001L,
0x00401081L, 0x00001001L, 0x00001080L, 0x00000000L,
0x00400000L, 0x00400081L, 0x00000081L, 0x00401000L,
0x00000001L, 0x00401080L, 0x00401000L, 0x00000081L,
0x00400081L, 0x00001000L, 0x00001001L, 0x00401081L,
0x00000000L, 0x00400080L, 0x00400001L, 0x00001080L,
0x00401001L, 0x00001081L, 0x00401080L, 0x00000001L,
0x00001081L, 0x00401001L, 0x00000080L, 0x00400000L,
0x00001081L, 0x00401000L, 0x00401001L, 0x00000081L,
0x00001000L, 0x00000080L, 0x00400000L, 0x00401001L,
0x00400081L, 0x00001081L, 0x00001080L, 0x00000000L,
0x00000080L, 0x00400001L, 0x00000001L, 0x00400080L,
0x00000000L, 0x00400081L, 0x00400080L, 0x00001080L,
0x00000081L, 0x00001000L, 0x00401081L, 0x00400000L,
0x00401080L, 0x00000001L, 0x00001001L, 0x00401081L,
0x00400001L, 0x00401080L, 0x00401000L, 0x00001001L,
},{
/* nibble 7 */
0x08200020L, 0x08208000L, 0x00008020L, 0x00000000L,
0x08008000L, 0x00200020L, 0x08200000L, 0x08208020L,
0x00000020L, 0x08000000L, 0x00208000L, 0x00008020L,
0x00208020L, 0x08008020L, 0x08000020L, 0x08200000L,
0x00008000L, 0x00208020L, 0x00200020L, 0x08008000L,
0x08208020L, 0x08000020L, 0x00000000L, 0x00208000L,
0x08000000L, 0x00200000L, 0x08008020L, 0x08200020L,
0x00200000L, 0x00008000L, 0x08208000L, 0x00000020L,
0x00200000L, 0x00008000L, 0x08000020L, 0x08208020L,
0x00008020L, 0x08000000L, 0x00000000L, 0x00208000L,
0x08200020L, 0x08008020L, 0x08008000L, 0x00200020L,
0x08208000L, 0x00000020L, 0x00200020L, 0x08008000L,
0x08208020L, 0x00200000L, 0x08200000L, 0x08000020L,
0x00208000L, 0x00008020L, 0x08008020L, 0x08200000L,
0x00000020L, 0x08208000L, 0x00208020L, 0x00000000L,
0x08000000L, 0x08200020L, 0x00008000L, 0x00208020L,
}};

613
crypto/xform.c Normal file
View file

@ -0,0 +1,613 @@
/* $OpenBSD: xform.c,v 1.61 2021/10/22 12:30:53 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
* Niels Provos (provos@physnet.uni-hamburg.de),
* Damien Miller (djm@mindrot.org) and
* Mike Belopuhov (mikeb@openbsd.org).
*
* This code was written by John Ioannidis for BSD/OS in Athens, Greece,
* in November 1995.
*
* Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
* by Angelos D. Keromytis.
*
* Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
* and Niels Provos.
*
* Additional features in 1999 by Angelos D. Keromytis.
*
* AES XTS implementation in 2008 by Damien Miller
*
* AES-GCM-16 and Chacha20-Poly1305 AEAD modes by Mike Belopuhov.
*
* Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
* Angelos D. Keromytis and Niels Provos.
*
* Copyright (C) 2001, Angelos D. Keromytis.
*
* Copyright (C) 2008, Damien Miller
*
* Copyright (C) 2010, 2015, Mike Belopuhov
*
* Permission to use, copy, and modify this software with or without fee
* is hereby granted, provided that this entire notice is included in
* all copies of any software which is or includes a copy or
* modification of this software.
* You may use this code under the GNU public license if you so wish. Please
* contribute changes back to the authors under this freer than GPL license
* so that we may further the use of strong encryption without limitations to
* all.
*
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
* PURPOSE.
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/errno.h>
#include <sys/time.h>
#include <sys/kernel.h>
#include <machine/cpu.h>
#include <crypto/md5.h>
#include <crypto/sha1.h>
#include <crypto/sha2.h>
#include <crypto/rmd160.h>
#include <crypto/blf.h>
#include <crypto/cast.h>
#include <crypto/rijndael.h>
#include <crypto/aes.h>
#include <crypto/cryptodev.h>
#include <crypto/xform.h>
#include <crypto/gmac.h>
#include <crypto/chachapoly.h>
extern void des_ecb3_encrypt(caddr_t, caddr_t, caddr_t, caddr_t, caddr_t, int);
int des_set_key(void *, caddr_t);
int des3_setkey(void *, u_int8_t *, int);
int blf_setkey(void *, u_int8_t *, int);
int cast5_setkey(void *, u_int8_t *, int);
int aes_setkey(void *, u_int8_t *, int);
int aes_ctr_setkey(void *, u_int8_t *, int);
int aes_xts_setkey(void *, u_int8_t *, int);
int null_setkey(void *, u_int8_t *, int);
void des3_encrypt(caddr_t, u_int8_t *);
void blf_encrypt(caddr_t, u_int8_t *);
void cast5_encrypt(caddr_t, u_int8_t *);
void aes_encrypt(caddr_t, u_int8_t *);
void null_encrypt(caddr_t, u_int8_t *);
void aes_xts_encrypt(caddr_t, u_int8_t *);
void des3_decrypt(caddr_t, u_int8_t *);
void blf_decrypt(caddr_t, u_int8_t *);
void cast5_decrypt(caddr_t, u_int8_t *);
void aes_decrypt(caddr_t, u_int8_t *);
void null_decrypt(caddr_t, u_int8_t *);
void aes_xts_decrypt(caddr_t, u_int8_t *);
void aes_ctr_crypt(caddr_t, u_int8_t *);
void aes_ctr_reinit(caddr_t, u_int8_t *);
void aes_xts_reinit(caddr_t, u_int8_t *);
void aes_gcm_reinit(caddr_t, u_int8_t *);
int MD5Update_int(void *, const u_int8_t *, u_int16_t);
int SHA1Update_int(void *, const u_int8_t *, u_int16_t);
int RMD160Update_int(void *, const u_int8_t *, u_int16_t);
int SHA256Update_int(void *, const u_int8_t *, u_int16_t);
int SHA384Update_int(void *, const u_int8_t *, u_int16_t);
int SHA512Update_int(void *, const u_int8_t *, u_int16_t);
u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **);
u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
struct aes_ctr_ctx {
AES_CTX ac_key;
u_int8_t ac_block[AESCTR_BLOCKSIZE];
};
struct aes_xts_ctx {
rijndael_ctx key1;
rijndael_ctx key2;
u_int8_t tweak[AES_XTS_BLOCKSIZE];
};
/* Helper */
void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int);
/* Encryption instances */
const struct enc_xform enc_xform_3des = {
CRYPTO_3DES_CBC, "3DES",
8, 8, 24, 24, 384,
des3_encrypt,
des3_decrypt,
des3_setkey,
NULL
};
const struct enc_xform enc_xform_blf = {
CRYPTO_BLF_CBC, "Blowfish",
8, 8, 5, 56 /* 448 bits, max key */,
sizeof(blf_ctx),
blf_encrypt,
blf_decrypt,
blf_setkey,
NULL
};
const struct enc_xform enc_xform_cast5 = {
CRYPTO_CAST_CBC, "CAST-128",
8, 8, 5, 16,
sizeof(cast_key),
cast5_encrypt,
cast5_decrypt,
cast5_setkey,
NULL
};
const struct enc_xform enc_xform_aes = {
CRYPTO_AES_CBC, "AES",
16, 16, 16, 32,
sizeof(AES_CTX),
aes_encrypt,
aes_decrypt,
aes_setkey,
NULL
};
const struct enc_xform enc_xform_aes_ctr = {
CRYPTO_AES_CTR, "AES-CTR",
16, 8, 16+4, 32+4,
sizeof(struct aes_ctr_ctx),
aes_ctr_crypt,
aes_ctr_crypt,
aes_ctr_setkey,
aes_ctr_reinit
};
const struct enc_xform enc_xform_aes_gcm = {
CRYPTO_AES_GCM_16, "AES-GCM",
1, 8, 16+4, 32+4,
sizeof(struct aes_ctr_ctx),
aes_ctr_crypt,
aes_ctr_crypt,
aes_ctr_setkey,
aes_gcm_reinit
};
const struct enc_xform enc_xform_aes_gmac = {
CRYPTO_AES_GMAC, "AES-GMAC",
1, 8, 16+4, 32+4, 0,
NULL,
NULL,
NULL,
NULL
};
const struct enc_xform enc_xform_aes_xts = {
CRYPTO_AES_XTS, "AES-XTS",
16, 8, 32, 64,
sizeof(struct aes_xts_ctx),
aes_xts_encrypt,
aes_xts_decrypt,
aes_xts_setkey,
aes_xts_reinit
};
const struct enc_xform enc_xform_chacha20_poly1305 = {
CRYPTO_CHACHA20_POLY1305, "CHACHA20-POLY1305",
1, 8, 32+4, 32+4,
sizeof(struct chacha20_ctx),
chacha20_crypt,
chacha20_crypt,
chacha20_setkey,
chacha20_reinit
};
const struct enc_xform enc_xform_null = {
CRYPTO_NULL, "NULL",
4, 0, 0, 256, 0,
null_encrypt,
null_decrypt,
null_setkey,
NULL
};
/* Authentication instances */
const struct auth_hash auth_hash_hmac_md5_96 = {
CRYPTO_MD5_HMAC, "HMAC-MD5",
16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN,
(void (*) (void *)) MD5Init, NULL, NULL,
MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
const struct auth_hash auth_hash_hmac_sha1_96 = {
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN,
(void (*) (void *)) SHA1Init, NULL, NULL,
SHA1Update_int,
(void (*) (u_int8_t *, void *)) SHA1Final
};
const struct auth_hash auth_hash_hmac_ripemd_160_96 = {
CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN,
(void (*)(void *)) RMD160Init, NULL, NULL,
RMD160Update_int,
(void (*)(u_int8_t *, void *)) RMD160Final
};
const struct auth_hash auth_hash_hmac_sha2_256_128 = {
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN,
(void (*)(void *)) SHA256Init, NULL, NULL,
SHA256Update_int,
(void (*)(u_int8_t *, void *)) SHA256Final
};
const struct auth_hash auth_hash_hmac_sha2_384_192 = {
CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN,
(void (*)(void *)) SHA384Init, NULL, NULL,
SHA384Update_int,
(void (*)(u_int8_t *, void *)) SHA384Final
};
const struct auth_hash auth_hash_hmac_sha2_512_256 = {
CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN,
(void (*)(void *)) SHA512Init, NULL, NULL,
SHA512Update_int,
(void (*)(u_int8_t *, void *)) SHA512Final
};
const struct auth_hash auth_hash_gmac_aes_128 = {
CRYPTO_AES_128_GMAC, "GMAC-AES-128",
16+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX),
AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit,
AES_GMAC_Update, AES_GMAC_Final
};
const struct auth_hash auth_hash_gmac_aes_192 = {
CRYPTO_AES_192_GMAC, "GMAC-AES-192",
24+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX),
AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit,
AES_GMAC_Update, AES_GMAC_Final
};
const struct auth_hash auth_hash_gmac_aes_256 = {
CRYPTO_AES_256_GMAC, "GMAC-AES-256",
32+4, GMAC_BLOCK_LEN, GMAC_DIGEST_LEN, sizeof(AES_GMAC_CTX),
AESCTR_BLOCKSIZE, AES_GMAC_Init, AES_GMAC_Setkey, AES_GMAC_Reinit,
AES_GMAC_Update, AES_GMAC_Final
};
const struct auth_hash auth_hash_chacha20_poly1305 = {
CRYPTO_CHACHA20_POLY1305_MAC, "CHACHA20-POLY1305",
CHACHA20_KEYSIZE+CHACHA20_SALT, POLY1305_BLOCK_LEN, POLY1305_TAGLEN,
sizeof(CHACHA20_POLY1305_CTX), CHACHA20_BLOCK_LEN,
Chacha20_Poly1305_Init, Chacha20_Poly1305_Setkey,
Chacha20_Poly1305_Reinit, Chacha20_Poly1305_Update,
Chacha20_Poly1305_Final
};
/* Compression instance */
const struct comp_algo comp_algo_deflate = {
CRYPTO_DEFLATE_COMP, "Deflate",
90, deflate_compress,
deflate_decompress
};
/*
* Encryption wrapper routines.
*/
void
des3_encrypt(caddr_t key, u_int8_t *blk)
{
des_ecb3_encrypt(blk, blk, key, key + 128, key + 256, 1);
}
void
des3_decrypt(caddr_t key, u_int8_t *blk)
{
des_ecb3_encrypt(blk, blk, key + 256, key + 128, key, 0);
}
int
des3_setkey(void *sched, u_int8_t *key, int len)
{
if (des_set_key(key, sched) < 0 || des_set_key(key + 8, sched + 128)
< 0 || des_set_key(key + 16, sched + 256) < 0)
return -1;
return 0;
}
void
blf_encrypt(caddr_t key, u_int8_t *blk)
{
blf_ecb_encrypt((blf_ctx *) key, blk, 8);
}
void
blf_decrypt(caddr_t key, u_int8_t *blk)
{
blf_ecb_decrypt((blf_ctx *) key, blk, 8);
}
int
blf_setkey(void *sched, u_int8_t *key, int len)
{
blf_key((blf_ctx *)sched, key, len);
return 0;
}
int
null_setkey(void *sched, u_int8_t *key, int len)
{
return 0;
}
void
null_encrypt(caddr_t key, u_int8_t *blk)
{
}
void
null_decrypt(caddr_t key, u_int8_t *blk)
{
}
void
cast5_encrypt(caddr_t key, u_int8_t *blk)
{
cast_encrypt((cast_key *) key, blk, blk);
}
void
cast5_decrypt(caddr_t key, u_int8_t *blk)
{
cast_decrypt((cast_key *) key, blk, blk);
}
int
cast5_setkey(void *sched, u_int8_t *key, int len)
{
cast_setkey((cast_key *)sched, key, len);
return 0;
}
void
aes_encrypt(caddr_t key, u_int8_t *blk)
{
AES_Encrypt((AES_CTX *)key, blk, blk);
}
void
aes_decrypt(caddr_t key, u_int8_t *blk)
{
AES_Decrypt((AES_CTX *)key, blk, blk);
}
int
aes_setkey(void *sched, u_int8_t *key, int len)
{
return AES_Setkey((AES_CTX *)sched, key, len);
}
void
aes_ctr_reinit(caddr_t key, u_int8_t *iv)
{
struct aes_ctr_ctx *ctx;
ctx = (struct aes_ctr_ctx *)key;
bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE);
/* reset counter */
bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4);
}
void
aes_gcm_reinit(caddr_t key, u_int8_t *iv)
{
struct aes_ctr_ctx *ctx;
ctx = (struct aes_ctr_ctx *)key;
bcopy(iv, ctx->ac_block + AESCTR_NONCESIZE, AESCTR_IVSIZE);
/* reset counter */
bzero(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 4);
ctx->ac_block[AESCTR_BLOCKSIZE - 1] = 1; /* GCM starts with 1 */
}
void
aes_ctr_crypt(caddr_t key, u_int8_t *data)
{
struct aes_ctr_ctx *ctx;
u_int8_t keystream[AESCTR_BLOCKSIZE];
int i;
ctx = (struct aes_ctr_ctx *)key;
/* increment counter */
for (i = AESCTR_BLOCKSIZE - 1;
i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--)
if (++ctx->ac_block[i]) /* continue on overflow */
break;
AES_Encrypt(&ctx->ac_key, ctx->ac_block, keystream);
for (i = 0; i < AESCTR_BLOCKSIZE; i++)
data[i] ^= keystream[i];
explicit_bzero(keystream, sizeof(keystream));
}
int
aes_ctr_setkey(void *sched, u_int8_t *key, int len)
{
struct aes_ctr_ctx *ctx;
if (len < AESCTR_NONCESIZE)
return -1;
ctx = (struct aes_ctr_ctx *)sched;
if (AES_Setkey(&ctx->ac_key, key, len - AESCTR_NONCESIZE) != 0)
return -1;
bcopy(key + len - AESCTR_NONCESIZE, ctx->ac_block, AESCTR_NONCESIZE);
return 0;
}
void
aes_xts_reinit(caddr_t key, u_int8_t *iv)
{
struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key;
u_int64_t blocknum;
u_int i;
/*
* Prepare tweak as E_k2(IV). IV is specified as LE representation
* of a 64-bit block number which we allow to be passed in directly.
*/
memcpy(&blocknum, iv, AES_XTS_IVSIZE);
for (i = 0; i < AES_XTS_IVSIZE; i++) {
ctx->tweak[i] = blocknum & 0xff;
blocknum >>= 8;
}
/* Last 64 bits of IV are always zero */
bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE);
rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak);
}
void
aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
{
u_int8_t block[AES_XTS_BLOCKSIZE];
u_int i, carry_in, carry_out;
for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
block[i] = data[i] ^ ctx->tweak[i];
if (do_encrypt)
rijndael_encrypt(&ctx->key1, block, data);
else
rijndael_decrypt(&ctx->key1, block, data);
for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
data[i] ^= ctx->tweak[i];
/* Exponentiate tweak */
carry_in = 0;
for (i = 0; i < AES_XTS_BLOCKSIZE; i++) {
carry_out = ctx->tweak[i] & 0x80;
ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in;
carry_in = carry_out >> 7;
}
ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in);
explicit_bzero(block, sizeof(block));
}
void
aes_xts_encrypt(caddr_t key, u_int8_t *data)
{
aes_xts_crypt((struct aes_xts_ctx *)key, data, 1);
}
void
aes_xts_decrypt(caddr_t key, u_int8_t *data)
{
aes_xts_crypt((struct aes_xts_ctx *)key, data, 0);
}
int
aes_xts_setkey(void *sched, u_int8_t *key, int len)
{
struct aes_xts_ctx *ctx;
if (len != 32 && len != 64)
return -1;
ctx = (struct aes_xts_ctx *)sched;
rijndael_set_key(&ctx->key1, key, len * 4);
rijndael_set_key(&ctx->key2, key + (len / 2), len * 4);
return 0;
}
/*
* And now for auth.
*/
int
RMD160Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
{
RMD160Update(ctx, buf, len);
return 0;
}
int
MD5Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
{
MD5Update(ctx, buf, len);
return 0;
}
int
SHA1Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
{
SHA1Update(ctx, buf, len);
return 0;
}
int
SHA256Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
{
SHA256Update(ctx, buf, len);
return 0;
}
int
SHA384Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
{
SHA384Update(ctx, buf, len);
return 0;
}
int
SHA512Update_int(void *ctx, const u_int8_t *buf, u_int16_t len)
{
SHA512Update(ctx, buf, len);
return 0;
}
u_int32_t deflate_global(u_int8_t *, u_int32_t, int, u_int8_t **);
struct deflate_buf {
u_int8_t *out;
u_int32_t size;
int flag;
};
/*
* And compression
*/
u_int32_t
deflate_compress(u_int8_t *data, u_int32_t size, u_int8_t **out)
{
return deflate_global(data, size, 0, out);
}
u_int32_t
deflate_decompress(u_int8_t *data, u_int32_t size, u_int8_t **out)
{
return deflate_global(data, size, 1, out);
}

50
include/crypto/aes.h Normal file
View file

@ -0,0 +1,50 @@
/* $OpenBSD: aes.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $ */
/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
* Copyright (c) 2016 Mike Belopuhov
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef _AES_H_
#define _AES_H_
#ifndef AES_MAXROUNDS
#define AES_MAXROUNDS (14)
#endif
typedef struct aes_ctx {
uint32_t sk[60];
uint32_t sk_exp[120];
unsigned num_rounds;
} AES_CTX;
int AES_Setkey(AES_CTX *, const uint8_t *, int);
void AES_Encrypt(AES_CTX *, const uint8_t *, uint8_t *);
void AES_Decrypt(AES_CTX *, const uint8_t *, uint8_t *);
void AES_Encrypt_ECB(AES_CTX *, const uint8_t *, uint8_t *, size_t);
void AES_Decrypt_ECB(AES_CTX *, const uint8_t *, uint8_t *, size_t);
int AES_KeySetup_Encrypt(uint32_t *, const uint8_t *, int);
int AES_KeySetup_Decrypt(uint32_t *, const uint8_t *, int);
#endif /* _AES_H_ */

79
include/crypto/blf.h Normal file
View file

@ -0,0 +1,79 @@
/* $OpenBSD: blf.h,v 1.7 2021/11/29 01:04:45 djm Exp $ */
/*
* Blowfish - a fast block cipher designed by Bruce Schneier
*
* Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _BLF_H_
#define _BLF_H_
/* Schneier states the maximum key length to be 56 bytes.
* The way how the subkeys are initialized by the key up
* to (N+2)*4 i.e. 72 bytes are utilized.
* Warning: For normal blowfish encryption only 56 bytes
* of the key affect all cipherbits.
*/
#define BLF_N 16 /* Number of Subkeys */
#define BLF_MAXKEYLEN ((BLF_N-2)*4) /* 448 bits */
#define BLF_MAXUTILIZED ((BLF_N+2)*4) /* 576 bits */
/* Blowfish context */
typedef struct BlowfishContext {
u_int32_t S[4][256]; /* S-Boxes */
u_int32_t P[BLF_N + 2]; /* Subkeys */
} blf_ctx;
/* Raw access to customized Blowfish
* blf_key is just:
* Blowfish_initstate( state )
* Blowfish_expand0state( state, key, keylen )
*/
void Blowfish_encipher(blf_ctx *, u_int32_t *);
void Blowfish_decipher(blf_ctx *, u_int32_t *);
void Blowfish_initstate(blf_ctx *);
void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t);
void Blowfish_expandstate(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t);
/* Standard Blowfish */
void blf_key(blf_ctx *, const u_int8_t *, u_int16_t);
void blf_enc(blf_ctx *, u_int32_t *, u_int16_t);
void blf_dec(blf_ctx *, u_int32_t *, u_int16_t);
/* Converts u_int8_t to u_int32_t */
u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t ,
u_int16_t *);
void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t);
void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t);
void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
#endif

22
include/crypto/cast.h Normal file
View file

@ -0,0 +1,22 @@
/* $OpenBSD: cast.h,v 1.2 2002/03/14 01:26:51 millert Exp $ */
/*
* CAST-128 in C
* Written by Steve Reid <sreid@sea-to-sky.net>
* 100% Public Domain - no warranty
* Released 1997.10.11
*/
#ifndef _CAST_H_
#define _CAST_H_
typedef struct {
u_int32_t xkey[32]; /* Key, after expansion */
int rounds; /* Number of rounds to use, 12 or 16 */
} cast_key;
void cast_setkey(cast_key * key, u_int8_t * rawkey, int keybytes);
void cast_encrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock);
void cast_decrypt(cast_key * key, u_int8_t * inblock, u_int8_t * outblock);
#endif /* ifndef _CAST_H_ */

86
include/crypto/chachapoly.h Normal file
View file

@ -0,0 +1,86 @@
/* $OpenBSD: chachapoly.h,v 1.4 2020/07/22 13:54:30 tobhe Exp $ */
/*
* Copyright (c) 2015 Mike Belopuhov
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _CHACHAPOLY_H_
#define _CHACHAPOLY_H_
#define CHACHA20_KEYSIZE 32
#define CHACHA20_CTR 4
#define CHACHA20_SALT 4
#define CHACHA20_NONCE 8
#define CHACHA20_BLOCK_LEN 64
struct chacha20_ctx {
uint8_t block[CHACHA20_BLOCK_LEN];
uint8_t nonce[CHACHA20_NONCE];
};
int chacha20_setkey(void *, u_int8_t *, int);
void chacha20_reinit(caddr_t, u_int8_t *);
void chacha20_crypt(caddr_t, u_int8_t *);
#define POLY1305_KEYLEN 32
#define POLY1305_TAGLEN 16
#define POLY1305_BLOCK_LEN 16
struct poly1305_ctx {
/* r, h, pad, leftover */
unsigned long state[5+5+4];
size_t leftover;
unsigned char buffer[POLY1305_BLOCK_LEN];
unsigned char final;
};
typedef struct {
uint8_t key[POLY1305_KEYLEN];
/* counter, salt */
uint8_t nonce[CHACHA20_NONCE];
struct chacha20_ctx chacha;
struct poly1305_ctx poly;
} CHACHA20_POLY1305_CTX;
void Chacha20_Poly1305_Init(void *);
void Chacha20_Poly1305_Setkey(void *, const uint8_t *, uint16_t);
void Chacha20_Poly1305_Reinit(void *, const uint8_t *, uint16_t);
int Chacha20_Poly1305_Update(void *, const uint8_t *, uint16_t);
void Chacha20_Poly1305_Final(uint8_t[POLY1305_TAGLEN], void *);
/* WireGuard crypto */
#define CHACHA20POLY1305_KEY_SIZE CHACHA20_KEYSIZE
#define CHACHA20POLY1305_AUTHTAG_SIZE POLY1305_TAGLEN
#define XCHACHA20POLY1305_NONCE_SIZE 24
void chacha20poly1305_encrypt(uint8_t *, const uint8_t *, const size_t,
const uint8_t *, const size_t, const uint64_t,
const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
int chacha20poly1305_decrypt(uint8_t *, const uint8_t *, const size_t,
const uint8_t *, const size_t, const uint64_t,
const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
void xchacha20poly1305_encrypt(uint8_t *, const uint8_t *, const size_t,
const uint8_t *, const size_t,
const uint8_t[XCHACHA20POLY1305_NONCE_SIZE],
const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
int xchacha20poly1305_decrypt(uint8_t *, const uint8_t *, const size_t,
const uint8_t *, const size_t,
const uint8_t[XCHACHA20POLY1305_NONCE_SIZE],
const uint8_t[CHACHA20POLY1305_KEY_SIZE]);
#endif /* _CHACHAPOLY_H_ */

41
include/crypto/cmac.h Normal file
View file

@ -0,0 +1,41 @@
/* $OpenBSD: cmac.h,v 1.3 2017/05/02 17:07:06 mikeb Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _CMAC_H_
#define _CMAC_H_
#define AES_CMAC_KEY_LENGTH 16
#define AES_CMAC_DIGEST_LENGTH 16
typedef struct _AES_CMAC_CTX {
AES_CTX aesctx;
u_int8_t X[16];
u_int8_t M_last[16];
u_int M_n;
} AES_CMAC_CTX;
__BEGIN_DECLS
void AES_CMAC_Init(AES_CMAC_CTX *);
void AES_CMAC_SetKey(AES_CMAC_CTX *, const u_int8_t [AES_CMAC_KEY_LENGTH]);
void AES_CMAC_Update(AES_CMAC_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void AES_CMAC_Final(u_int8_t [AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *)
__attribute__((__bounded__(__minbytes__,1,AES_CMAC_DIGEST_LENGTH)));
__END_DECLS
#endif /* _CMAC_H_ */

345
include/crypto/cryptodev.h Normal file
View file

@ -0,0 +1,345 @@
/* $OpenBSD: cryptodev.h,v 1.58 2013/10/31 10:32:38 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
* This code was written by Angelos D. Keromytis in Athens, Greece, in
* February 2000. Network Security Technologies Inc. (NSTI) kindly
* supported the development of this code.
*
* Copyright (c) 2000 Angelos D. Keromytis
*
* Permission to use, copy, and modify this software with or without fee
* is hereby granted, provided that this entire notice is included in
* all source code copies of any software which is or includes a copy or
* modification of this software.
*
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
* PURPOSE.
*
* Copyright (c) 2001 Theo de Raadt
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Effort sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F30602-01-2-0537.
*
*/
#ifndef _CRYPTO_CRYPTO_H_
#define _CRYPTO_CRYPTO_H_
#include <sys/ioccom.h>
#include <sys/task.h>
/* Some initial values */
#define CRYPTO_DRIVERS_INITIAL 4
#define CRYPTO_DRIVERS_MAX 128
#define CRYPTO_SW_SESSIONS 32
/* HMAC values */
#define HMAC_MD5_BLOCK_LEN 64
#define HMAC_SHA1_BLOCK_LEN 64
#define HMAC_RIPEMD160_BLOCK_LEN 64
#define HMAC_SHA2_256_BLOCK_LEN 64
#define HMAC_SHA2_384_BLOCK_LEN 128
#define HMAC_SHA2_512_BLOCK_LEN 128
#define HMAC_MAX_BLOCK_LEN HMAC_SHA2_512_BLOCK_LEN /* keep in sync */
#define HMAC_IPAD_VAL 0x36
#define HMAC_OPAD_VAL 0x5C
/* Encryption algorithm block sizes */
#define DES_BLOCK_LEN 8
#define DES3_BLOCK_LEN 8
#define BLOWFISH_BLOCK_LEN 8
#define CAST128_BLOCK_LEN 8
#define RIJNDAEL128_BLOCK_LEN 16
#define EALG_MAX_BLOCK_LEN 16 /* Keep this updated */
/* Maximum hash algorithm result length */
#define AALG_MAX_RESULT_LEN 64 /* Keep this updated */
#define CRYPTO_DES_CBC 1
#define CRYPTO_3DES_CBC 2
#define CRYPTO_BLF_CBC 3
#define CRYPTO_CAST_CBC 4
#define CRYPTO_MD5_HMAC 6
#define CRYPTO_SHA1_HMAC 7
#define CRYPTO_RIPEMD160_HMAC 8
#define CRYPTO_MD5_KPDK 9
#define CRYPTO_SHA1_KPDK 10
#define CRYPTO_RIJNDAEL128_CBC 11 /* 128 bit blocksize */
#define CRYPTO_AES_CBC 11 /* 128 bit blocksize -- the same as above */
#define CRYPTO_ARC4 12
#define CRYPTO_MD5 13
#define CRYPTO_SHA1 14
#define CRYPTO_DEFLATE_COMP 15 /* Deflate compression algorithm */
#define CRYPTO_NULL 16
#define CRYPTO_LZS_COMP 17 /* LZS compression algorithm */
#define CRYPTO_SHA2_256_HMAC 18
#define CRYPTO_SHA2_384_HMAC 19
#define CRYPTO_SHA2_512_HMAC 20
#define CRYPTO_AES_CTR 21
#define CRYPTO_AES_XTS 22
#define CRYPTO_AES_GCM_16 23
#define CRYPTO_AES_128_GMAC 24
#define CRYPTO_AES_192_GMAC 25
#define CRYPTO_AES_256_GMAC 26
#define CRYPTO_AES_GMAC 27
#define CRYPTO_ESN 28 /* Support for Extended Sequence Numbers */
#define CRYPTO_ALGORITHM_MAX 28 /* Keep updated */
/* Algorithm flags */
#define CRYPTO_ALG_FLAG_SUPPORTED 0x01 /* Algorithm is supported */
#define CRYPTO_ALG_FLAG_RNG_ENABLE 0x02 /* Has HW RNG for DH/DSA */
#define CRYPTO_ALG_FLAG_DSA_SHA 0x04 /* Can do SHA on msg */
/* Standard initialization structure beginning */
struct cryptoini {
int cri_alg; /* Algorithm to use */
int cri_klen; /* Key length, in bits */
int cri_rnd; /* Algorithm rounds, where relevant */
caddr_t cri_key; /* key to use */
union {
u_int8_t iv[EALG_MAX_BLOCK_LEN]; /* IV to use */
u_int8_t esn[4]; /* high-order ESN */
} u;
#define cri_iv u.iv
#define cri_esn u.esn
struct cryptoini *cri_next;
};
/* Describe boundaries of a single crypto operation */
struct cryptodesc {
int crd_skip; /* How many bytes to ignore from start */
int crd_len; /* How many bytes to process */
int crd_inject; /* Where to inject results, if applicable */
int crd_flags;
#define CRD_F_ENCRYPT 0x01 /* Set when doing encryption */
#define CRD_F_IV_PRESENT 0x02 /* When encrypting, IV is already in
place, so don't copy. */
#define CRD_F_IV_EXPLICIT 0x04 /* IV explicitly provided */
#define CRD_F_DSA_SHA_NEEDED 0x08 /* Compute SHA-1 of buffer for DSA */
#define CRD_F_COMP 0x10 /* Set when doing compression */
#define CRD_F_ESN 0x20 /* Set when ESN field is provided */
struct cryptoini CRD_INI; /* Initialization/context data */
#define crd_esn CRD_INI.cri_esn
#define crd_iv CRD_INI.cri_iv
#define crd_key CRD_INI.cri_key
#define crd_rnd CRD_INI.cri_rnd
#define crd_alg CRD_INI.cri_alg
#define crd_klen CRD_INI.cri_klen
struct cryptodesc *crd_next;
};
/* Structure describing complete operation */
struct cryptop {
struct task crp_task;
u_int64_t crp_sid; /* Session ID */
int crp_ilen; /* Input data total length */
int crp_olen; /* Result total length */
int crp_alloctype; /* Type of buf to allocate if needed */
int crp_etype; /*
* Error type (zero means no error).
* All error codes except EAGAIN
* indicate possible data corruption (as in,
* the data have been touched). On all
* errors, the crp_sid may have changed
* (reset to a new one), so the caller
* should always check and use the new
* value on future requests.
*/
int crp_flags;
#define CRYPTO_F_IMBUF 0x0001 /* Input/output are mbuf chains, otherwise contig */
#define CRYPTO_F_IOV 0x0002 /* Input/output are uio */
#define CRYPTO_F_REL 0x0004 /* Must return data in same place */
#define CRYPTO_F_NOQUEUE 0x0008 /* Don't use crypto queue/thread */
#define CRYPTO_F_DONE 0x0010 /* request completed */
void *crp_buf; /* Data to be processed */
void *crp_opaque; /* Opaque pointer, passed along */
struct cryptodesc *crp_desc; /* Linked list of processing descriptors */
int (*crp_callback)(struct cryptop *); /* Callback function */
caddr_t crp_mac;
};
#define CRYPTO_BUF_IOV 0x1
#define CRYPTO_BUF_MBUF 0x2
#define CRYPTO_OP_DECRYPT 0x0
#define CRYPTO_OP_ENCRYPT 0x1
/* bignum parameter, in packed bytes, ... */
struct crparam {
caddr_t crp_p;
u_int crp_nbits;
};
#define CRK_MAXPARAM 8
struct crypt_kop {
u_int crk_op; /* ie. CRK_MOD_EXP or other */
u_int crk_status; /* return status */
u_short crk_iparams; /* # of input parameters */
u_short crk_oparams; /* # of output parameters */
u_int crk_pad1;
struct crparam crk_param[CRK_MAXPARAM];
};
#define CRK_MOD_EXP 0
#define CRK_MOD_EXP_CRT 1
#define CRK_DSA_SIGN 2
#define CRK_DSA_VERIFY 3
#define CRK_DH_COMPUTE_KEY 4
#define CRK_ALGORITHM_MAX 4 /* Keep updated */
#define CRF_MOD_EXP (1 << CRK_MOD_EXP)
#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT)
#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN)
#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY)
#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY)
struct cryptkop {
struct task krp_task;
u_int krp_op; /* ie. CRK_MOD_EXP or other */
u_int krp_status; /* return status */
u_short krp_iparams; /* # of input parameters */
u_short krp_oparams; /* # of output parameters */
u_int32_t krp_hid;
struct crparam krp_param[CRK_MAXPARAM]; /* kvm */
int (*krp_callback)(struct cryptkop *);
};
/* Crypto capabilities structure */
struct cryptocap {
u_int64_t cc_operations; /* Counter of how many ops done */
u_int64_t cc_bytes; /* Counter of how many bytes done */
u_int64_t cc_koperations; /* How many PK ops done */
u_int32_t cc_sessions; /* How many sessions allocated */
/* Symmetric/hash algorithms supported */
int cc_alg[CRYPTO_ALGORITHM_MAX + 1];
/* Asymmetric algorithms supported */
int cc_kalg[CRK_ALGORITHM_MAX + 1];
int cc_queued; /* Operations queued */
u_int8_t cc_flags;
#define CRYPTOCAP_F_CLEANUP 0x01
#define CRYPTOCAP_F_SOFTWARE 0x02
#define CRYPTOCAP_F_ENCRYPT_MAC 0x04 /* Can do encrypt-then-MAC (IPsec) */
#define CRYPTOCAP_F_MAC_ENCRYPT 0x08 /* Can do MAC-then-encrypt (TLS) */
int (*cc_newsession) (u_int32_t *, struct cryptoini *);
int (*cc_process) (struct cryptop *);
int (*cc_freesession) (u_int64_t);
int (*cc_kprocess) (struct cryptkop *);
};
/*
* ioctl parameter to request creation of a session.
*/
struct session_op {
u_int32_t cipher; /* ie. CRYPTO_DES_CBC */
u_int32_t mac; /* ie. CRYPTO_MD5_HMAC */
u_int32_t keylen; /* cipher key */
caddr_t key;
int mackeylen; /* mac key */
caddr_t mackey;
u_int32_t ses; /* returns: session # */
};
/*
* ioctl parameter to request a crypt/decrypt operation against a session.
*/
struct crypt_op {
u_int32_t ses;
u_int16_t op; /* ie. COP_ENCRYPT */
#define COP_ENCRYPT 1
#define COP_DECRYPT 2
u_int16_t flags; /* always 0 */
u_int len;
caddr_t src, dst; /* become iov[] inside kernel */
caddr_t mac; /* must be big enough for chosen MAC */
caddr_t iv;
};
#define CRYPTO_MAX_MAC_LEN 20
/*
* done against open of /dev/crypto, to get a cloned descriptor.
* Please use F_SETFD against the cloned descriptor.
*/
#define CRIOGET _IOWR('c', 100, u_int32_t)
/* the following are done against the cloned descriptor */
#define CIOCGSESSION _IOWR('c', 101, struct session_op)
#define CIOCFSESSION _IOW('c', 102, u_int32_t)
#define CIOCCRYPT _IOWR('c', 103, struct crypt_op)
#define CIOCKEY _IOWR('c', 104, struct crypt_kop)
#define CIOCASYMFEAT _IOR('c', 105, u_int32_t)
#ifdef _KERNEL
int crypto_newsession(u_int64_t *, struct cryptoini *, int);
int crypto_freesession(u_int64_t);
int crypto_dispatch(struct cryptop *);
int crypto_kdispatch(struct cryptkop *);
int crypto_register(u_int32_t, int *,
int (*)(u_int32_t *, struct cryptoini *), int (*)(u_int64_t),
int (*)(struct cryptop *));
int crypto_kregister(u_int32_t, int *, int (*)(struct cryptkop *));
int crypto_unregister(u_int32_t, int);
int32_t crypto_get_driverid(u_int8_t);
int crypto_invoke(struct cryptop *);
int crypto_kinvoke(struct cryptkop *);
void crypto_done(struct cryptop *);
void crypto_kdone(struct cryptkop *);
int crypto_getfeat(int *);
void cuio_copydata(struct uio *, int, int, caddr_t);
void cuio_copyback(struct uio *, int, int, const void *);
int cuio_getptr(struct uio *, int, int *);
int cuio_apply(struct uio *, int, int,
int (*f)(caddr_t, caddr_t, unsigned int), caddr_t);
struct cryptop *crypto_getreq(int);
void crypto_freereq(struct cryptop *);
#endif /* _KERNEL */
#endif /* _CRYPTO_CRYPTO_H_ */

74
include/crypto/cryptosoft.h Normal file
View file

@ -0,0 +1,74 @@
/* $OpenBSD: cryptosoft.h,v 1.14 2012/12/07 17:03:22 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
* This code was written by Angelos D. Keromytis in Athens, Greece, in
* February 2000. Network Security Technologies Inc. (NSTI) kindly
* supported the development of this code.
*
* Copyright (c) 2000 Angelos D. Keromytis
*
* Permission to use, copy, and modify this software with or without fee
* is hereby granted, provided that this entire notice is included in
* all source code copies of any software which is or includes a copy or
* modification of this software.
*
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
* PURPOSE.
*/
#ifndef _CRYPTO_CRYPTOSOFT_H_
#define _CRYPTO_CRYPTOSOFT_H_
/* Software session entry */
struct swcr_data {
int sw_alg; /* Algorithm */
union {
struct {
u_int8_t *SW_ictx;
u_int8_t *SW_octx;
u_int32_t SW_klen;
struct auth_hash *SW_axf;
} SWCR_AUTH;
struct {
u_int8_t *SW_kschedule;
struct enc_xform *SW_exf;
} SWCR_ENC;
struct {
u_int32_t SW_size;
struct comp_algo *SW_cxf;
} SWCR_COMP;
} SWCR_UN;
#define sw_ictx SWCR_UN.SWCR_AUTH.SW_ictx
#define sw_octx SWCR_UN.SWCR_AUTH.SW_octx
#define sw_klen SWCR_UN.SWCR_AUTH.SW_klen
#define sw_axf SWCR_UN.SWCR_AUTH.SW_axf
#define sw_kschedule SWCR_UN.SWCR_ENC.SW_kschedule
#define sw_exf SWCR_UN.SWCR_ENC.SW_exf
#define sw_size SWCR_UN.SWCR_COMP.SW_size
#define sw_cxf SWCR_UN.SWCR_COMP.SW_cxf
struct swcr_data *sw_next;
};
#ifdef _KERNEL
extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
int swcr_authcompute(struct cryptop *, struct cryptodesc *, struct swcr_data *,
caddr_t, int);
int swcr_authenc(struct cryptop *);
int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
int swcr_process(struct cryptop *);
int swcr_newsession(u_int32_t *, struct cryptoini *);
int swcr_freesession(u_int64_t);
void swcr_init(void);
#endif /* _KERNEL */
#endif /* _CRYPTO_CRYPTO_H_ */

49
include/crypto/gmac.h Normal file
View file

@ -0,0 +1,49 @@
/* $OpenBSD: gmac.h,v 1.6 2017/05/02 11:44:32 mikeb Exp $ */
/*
* Copyright (c) 2010 Mike Belopuhov
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _GMAC_H_
#define _GMAC_H_
#include <crypto/aes.h>
#define GMAC_BLOCK_LEN 16
#define GMAC_DIGEST_LEN 16
typedef struct _GHASH_CTX {
uint8_t H[GMAC_BLOCK_LEN]; /* hash subkey */
uint8_t S[GMAC_BLOCK_LEN]; /* state */
uint8_t Z[GMAC_BLOCK_LEN]; /* initial state */
} GHASH_CTX;
typedef struct _AES_GMAC_CTX {
GHASH_CTX ghash;
AES_CTX K;
uint8_t J[GMAC_BLOCK_LEN]; /* counter block */
} AES_GMAC_CTX;
__BEGIN_DECLS
extern void (*ghash_update)(GHASH_CTX *, uint8_t *, size_t);
void AES_GMAC_Init(void *);
void AES_GMAC_Setkey(void *, const uint8_t *, uint16_t);
void AES_GMAC_Reinit(void *, const uint8_t *, uint16_t);
int AES_GMAC_Update(void *, const uint8_t *, uint16_t);
void AES_GMAC_Final(uint8_t [GMAC_DIGEST_LEN], void *);
__END_DECLS
#endif /* _GMAC_H_ */

65
include/crypto/hmac.h Normal file
View file

@ -0,0 +1,65 @@
/* $OpenBSD: hmac.h,v 1.3 2012/12/05 23:20:15 deraadt Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _HMAC_H_
#define _HMAC_H_
typedef struct _HMAC_MD5_CTX {
MD5_CTX ctx;
u_int8_t key[MD5_BLOCK_LENGTH];
u_int key_len;
} HMAC_MD5_CTX;
typedef struct _HMAC_SHA1_CTX {
SHA1_CTX ctx;
u_int8_t key[SHA1_BLOCK_LENGTH];
u_int key_len;
} HMAC_SHA1_CTX;
typedef struct _HMAC_SHA256_CTX {
SHA2_CTX ctx;
u_int8_t key[SHA256_BLOCK_LENGTH];
u_int key_len;
} HMAC_SHA256_CTX;
__BEGIN_DECLS
void HMAC_MD5_Init(HMAC_MD5_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void HMAC_MD5_Update(HMAC_MD5_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void HMAC_MD5_Final(u_int8_t [MD5_DIGEST_LENGTH], HMAC_MD5_CTX *)
__attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH)));
void HMAC_SHA1_Init(HMAC_SHA1_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void HMAC_SHA1_Update(HMAC_SHA1_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void HMAC_SHA1_Final(u_int8_t [SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA1_DIGEST_LENGTH)));
void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const u_int8_t *, u_int)
__attribute__((__bounded__(__string__,2,3)));
void HMAC_SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
__END_DECLS
#endif /* _HMAC_H_ */

33
include/crypto/idgen.h Normal file
View file

@ -0,0 +1,33 @@
/* $OpenBSD: idgen.h,v 1.3 2013/06/05 05:45:54 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#define IDGEN32_ROUNDS 31
#define IDGEN32_KEYLEN 32
#define IDGEN32_REKEY_LIMIT 0x60000000
#define IDGEN32_REKEY_TIME 600
struct idgen32_ctx {
u_int32_t id32_counter;
u_int32_t id32_offset;
u_int32_t id32_hibit;
u_int8_t id32_key[IDGEN32_KEYLEN];
time_t id32_rekey_time;
};
void idgen32_init(struct idgen32_ctx *);
u_int32_t idgen32(struct idgen32_ctx *);

36
include/crypto/key_wrap.h Normal file
View file

@ -0,0 +1,36 @@
/* $OpenBSD: key_wrap.h,v 1.3 2017/05/02 17:07:06 mikeb Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _KEY_WRAP_H_
#define _KEY_WRAP_H_
typedef struct _aes_key_wrap_ctx {
AES_CTX ctx;
} aes_key_wrap_ctx;
__BEGIN_DECLS
void aes_key_wrap_set_key(aes_key_wrap_ctx *, const u_int8_t *, size_t);
void aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *, const u_int8_t *,
size_t);
void aes_key_wrap(aes_key_wrap_ctx *, const u_int8_t *, size_t, u_int8_t *);
int aes_key_unwrap(aes_key_wrap_ctx *, const u_int8_t *, u_int8_t *,
size_t);
__END_DECLS
#endif /* _KEY_WRAP_H_ */

38
include/crypto/md5.h Normal file
View file

@ -0,0 +1,38 @@
/* $OpenBSD: md5.h,v 1.3 2014/11/16 17:39:09 tedu Exp $ */
/*
* This code implements the MD5 message-digest algorithm.
* The algorithm is due to Ron Rivest. This code was
* written by Colin Plumb in 1993, no copyright is claimed.
* This code is in the public domain; do with it what you wish.
*
* Equivalent code is available from RSA Data Security, Inc.
* This code has been tested against that, and is equivalent,
* except that you don't need to include two pages of legalese
* with every copy.
*/
#ifndef _MD5_H_
#define _MD5_H_
#define MD5_BLOCK_LENGTH 64
#define MD5_DIGEST_LENGTH 16
typedef struct MD5Context {
u_int32_t state[4]; /* state */
u_int64_t count; /* number of bits, mod 2^64 */
u_int8_t buffer[MD5_BLOCK_LENGTH]; /* input buffer */
} MD5_CTX;
__BEGIN_DECLS
void MD5Init(MD5_CTX *);
void MD5Update(MD5_CTX *, const void *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void MD5Final(u_int8_t [MD5_DIGEST_LENGTH], MD5_CTX *)
__attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH)));
void MD5Transform(u_int32_t [4], const u_int8_t [MD5_BLOCK_LENGTH])
__attribute__((__bounded__(__minbytes__,1,4)))
__attribute__((__bounded__(__minbytes__,2,MD5_BLOCK_LENGTH)));
__END_DECLS
#endif /* _MD5_H_ */

27
include/crypto/poly1305.h Normal file
View file

@ -0,0 +1,27 @@
/* $OpenBSD: poly1305.h,v 1.2 2020/07/22 13:54:30 tobhe Exp $ */
/*
* Public Domain poly1305 from Andrew Moon
*
* poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication
* and 64 bit addition from https://github.com/floodyberry/poly1305-donna
*/
#ifndef _POLY1305_H_
#define _POLY1305_H_
#define poly1305_block_size 16
typedef struct poly1305_state {
unsigned long r[5];
unsigned long h[5];
unsigned long pad[4];
size_t leftover;
unsigned char buffer[poly1305_block_size];
unsigned char final;
} poly1305_state;
void poly1305_init(poly1305_state *, const unsigned char[32]);
void poly1305_update(poly1305_state *, const unsigned char *, size_t);
void poly1305_finish(poly1305_state *, unsigned char[16]);
#endif /* _POLY1305_H_ */

58
include/crypto/rijndael.h Normal file
View file

@ -0,0 +1,58 @@
/* $OpenBSD: rijndael.h,v 1.13 2008/06/09 07:49:45 djm Exp $ */
/**
* rijndael-alg-fst.h
*
* @version 3.0 (December 2000)
*
* Optimised ANSI C code for the Rijndael cipher (now AES)
*
* @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
* @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
* @author Paulo Barreto <paulo.barreto@terra.com.br>
*
* This code is hereby placed in the public domain.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __RIJNDAEL_H
#define __RIJNDAEL_H
#define AES_MAXKEYBITS (256)
#define AES_MAXKEYBYTES (AES_MAXKEYBITS/8)
/* for 256-bit keys, fewer for less */
#define AES_MAXROUNDS 14
typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned int u32;
/* The structure for key information */
typedef struct {
int enc_only; /* context contains only encrypt schedule */
int Nr; /* key-length-dependent number of rounds */
u32 ek[4*(AES_MAXROUNDS + 1)]; /* encrypt key schedule */
u32 dk[4*(AES_MAXROUNDS + 1)]; /* decrypt key schedule */
} rijndael_ctx;
int rijndael_set_key(rijndael_ctx *, const u_char *, int);
int rijndael_set_key_enc_only(rijndael_ctx *, const u_char *, int);
void rijndael_decrypt(rijndael_ctx *, const u_char *, u_char *);
void rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *);
int rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
int rijndaelKeySetupDec(unsigned int [], const unsigned char [], int);
void rijndaelEncrypt(const unsigned int [], int, const unsigned char [],
unsigned char []);
#endif /* __RIJNDAEL_H */

49
include/crypto/rmd160.h Normal file
View file

@ -0,0 +1,49 @@
/* $OpenBSD: rmd160.h,v 1.5 2009/07/05 19:33:46 millert Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _RMD160_H
#define _RMD160_H
#define RMD160_BLOCK_LENGTH 64
#define RMD160_DIGEST_LENGTH 20
/* RMD160 context. */
typedef struct RMD160Context {
u_int32_t state[5]; /* state */
u_int64_t count; /* number of bits, mod 2^64 */
u_char buffer[RMD160_BLOCK_LENGTH]; /* input buffer */
} RMD160_CTX;
__BEGIN_DECLS
void RMD160Init(RMD160_CTX *);
void RMD160Transform(u_int32_t [5], const u_char [RMD160_BLOCK_LENGTH])
__attribute__((__bounded__(__minbytes__,1,5)))
__attribute__((__bounded__(__minbytes__,2,RMD160_BLOCK_LENGTH)));
void RMD160Update(RMD160_CTX *, const u_char *, u_int32_t)
__attribute__((__bounded__(__string__,2,3)));
void RMD160Final(u_char [RMD160_DIGEST_LENGTH], RMD160_CTX *)
__attribute__((__bounded__(__minbytes__,1,RMD160_DIGEST_LENGTH)));
__END_DECLS
#endif /* _RMD160_H */

26
include/crypto/sha1.h Normal file
View file

@ -0,0 +1,26 @@
/* $OpenBSD: sha1.h,v 1.6 2014/11/16 17:39:09 tedu Exp $ */
/*
* SHA-1 in C
* By Steve Reid <steve@edmweb.com>
* 100% Public Domain
*/
#ifndef _SHA1_H_
#define _SHA1_H_
#define SHA1_BLOCK_LENGTH 64
#define SHA1_DIGEST_LENGTH 20
typedef struct {
u_int32_t state[5];
u_int64_t count;
unsigned char buffer[SHA1_BLOCK_LENGTH];
} SHA1_CTX;
void SHA1Init(SHA1_CTX * context);
void SHA1Transform(u_int32_t state[5], const unsigned char buffer[SHA1_BLOCK_LENGTH]);
void SHA1Update(SHA1_CTX *context, const void *data, unsigned int len);
void SHA1Final(unsigned char digest[SHA1_DIGEST_LENGTH], SHA1_CTX *context);
#endif /* _SHA1_H_ */

83
include/crypto/sha2.h Normal file
View file

@ -0,0 +1,83 @@
/* $OpenBSD: sha2.h,v 1.5 2014/11/16 17:39:09 tedu Exp $ */
/*
* FILE: sha2.h
* AUTHOR: Aaron D. Gifford <me@aarongifford.com>
*
* Copyright (c) 2000-2001, Aaron D. Gifford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
*/
#ifndef _SHA2_H
#define _SHA2_H
/*** SHA-256/384/512 Various Length Definitions ***********************/
#define SHA256_BLOCK_LENGTH 64
#define SHA256_DIGEST_LENGTH 32
#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1)
#define SHA384_BLOCK_LENGTH 128
#define SHA384_DIGEST_LENGTH 48
#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1)
#define SHA512_BLOCK_LENGTH 128
#define SHA512_DIGEST_LENGTH 64
#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
/*** SHA-256/384/512 Context Structure *******************************/
typedef struct _SHA2_CTX {
union {
u_int32_t st32[8];
u_int64_t st64[8];
} state;
u_int64_t bitcount[2];
u_int8_t buffer[SHA512_BLOCK_LENGTH];
} SHA2_CTX;
__BEGIN_DECLS
void SHA256Init(SHA2_CTX *);
void SHA256Update(SHA2_CTX *, const void *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void SHA256Final(u_int8_t[SHA256_DIGEST_LENGTH], SHA2_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
void SHA384Init(SHA2_CTX *);
void SHA384Update(SHA2_CTX *, const void *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void SHA384Final(u_int8_t[SHA384_DIGEST_LENGTH], SHA2_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH)));
void SHA512Init(SHA2_CTX *);
void SHA512Update(SHA2_CTX *, const void *, size_t)
__attribute__((__bounded__(__string__,2,3)));
void SHA512Final(u_int8_t[SHA512_DIGEST_LENGTH], SHA2_CTX *)
__attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH)));
__END_DECLS
#endif /* _SHA2_H */

87
include/crypto/siphash.h Normal file
View file

@ -0,0 +1,87 @@
/* $OpenBSD: siphash.h,v 1.5 2015/02/20 11:51:03 tedu Exp $ */
/*-
* Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* SipHash is a family of pseudorandom functions (a.k.a. keyed hash functions)
* optimized for speed on short messages returning a 64bit hash/digest value.
*
* The number of rounds is defined during the initialization:
* SipHash24_Init() for the fast and resonable strong version
* SipHash48_Init() for the strong version (half as fast)
*
* struct SIPHASH_CTX ctx;
* SipHash24_Init(&ctx);
* SipHash_SetKey(&ctx, "16bytes long key");
* SipHash_Update(&ctx, pointer_to_string, length_of_string);
* SipHash_Final(output, &ctx);
*/
#ifndef _SIPHASH_H_
#define _SIPHASH_H_
#define SIPHASH_BLOCK_LENGTH 8
#define SIPHASH_KEY_LENGTH 16
#define SIPHASH_DIGEST_LENGTH 8
typedef struct _SIPHASH_CTX {
uint64_t v[4];
uint8_t buf[SIPHASH_BLOCK_LENGTH];
uint32_t bytes;
} SIPHASH_CTX;
typedef struct {
uint64_t k0;
uint64_t k1;
} SIPHASH_KEY;
void SipHash_Init(SIPHASH_CTX *, const SIPHASH_KEY *);
void SipHash_Update(SIPHASH_CTX *, int, int, const void *, size_t)
__bounded((__buffer__, 4, 5));
uint64_t SipHash_End(SIPHASH_CTX *, int, int);
void SipHash_Final(void *, SIPHASH_CTX *, int, int)
__bounded((__minbytes__, 1, SIPHASH_DIGEST_LENGTH));
uint64_t SipHash(const SIPHASH_KEY *, int, int, const void *, size_t)
__bounded((__buffer__, 4, 5));
#define SipHash24_Init(_c, _k) SipHash_Init((_c), (_k))
#define SipHash24_Update(_c, _p, _l) SipHash_Update((_c), 2, 4, (_p), (_l))
#define SipHash24_End(_d) SipHash_End((_d), 2, 4)
#define SipHash24_Final(_d, _c) SipHash_Final((_d), (_c), 2, 4)
#define SipHash24(_k, _p, _l) SipHash((_k), 2, 4, (_p), (_l))
#define SipHash48_Init(_c, _k) SipHash_Init((_c), (_k))
#define SipHash48_Update(_c, _p, _l) SipHash_Update((_c), 4, 8, (_p), (_l))
#define SipHash48_End(_d) SipHash_End((_d), 4, 8)
#define SipHash48_Final(_d, _c) SipHash_Final((_d), (_c), 4, 8)
#define SipHash48(_k, _p, _l) SipHash((_k), 4, 8, (_p), (_l))
#endif /* _SIPHASH_H_ */

111
include/crypto/xform.h Normal file
View file

@ -0,0 +1,111 @@
/* $OpenBSD: xform.h,v 1.32 2021/10/22 12:30:53 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
* This code was written by Angelos D. Keromytis in Athens, Greece, in
* February 2000. Network Security Technologies Inc. (NSTI) kindly
* supported the development of this code.
*
* Copyright (c) 2000 Angelos D. Keromytis
*
* Permission to use, copy, and modify this software with or without fee
* is hereby granted, provided that this entire notice is included in
* all source code copies of any software which is or includes a copy or
* modification of this software.
*
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
* PURPOSE.
*/
#ifndef _CRYPTO_XFORM_H_
#define _CRYPTO_XFORM_H_
#include <crypto/md5.h>
#include <crypto/sha1.h>
#include <crypto/rmd160.h>
#include <crypto/sha2.h>
#include <crypto/gmac.h>
#define AESCTR_NONCESIZE 4
#define AESCTR_IVSIZE 8
#define AESCTR_BLOCKSIZE 16
#define AES_XTS_BLOCKSIZE 16
#define AES_XTS_IVSIZE 8
#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */
/* Declarations */
struct auth_hash {
int type;
char *name;
u_int16_t keysize;
u_int16_t hashsize;
u_int16_t authsize;
u_int16_t ctxsize;
u_int16_t blocksize;
void (*Init) (void *);
void (*Setkey) (void *, const u_int8_t *, u_int16_t);
void (*Reinit) (void *, const u_int8_t *, u_int16_t);
int (*Update) (void *, const u_int8_t *, u_int16_t);
void (*Final) (u_int8_t *, void *);
};
struct enc_xform {
int type;
char *name;
u_int16_t blocksize;
u_int16_t ivsize;
u_int16_t minkey;
u_int16_t maxkey;
u_int16_t ctxsize;
void (*encrypt) (caddr_t, u_int8_t *);
void (*decrypt) (caddr_t, u_int8_t *);
int (*setkey) (void *, u_int8_t *, int len);
void (*reinit) (caddr_t, u_int8_t *);
};
struct comp_algo {
int type;
char *name;
size_t minlen;
u_int32_t (*compress) (u_int8_t *, u_int32_t, u_int8_t **);
u_int32_t (*decompress) (u_int8_t *, u_int32_t, u_int8_t **);
};
union authctx {
MD5_CTX md5ctx;
SHA1_CTX sha1ctx;
RMD160_CTX rmd160ctx;
SHA2_CTX sha2_ctx;
AES_GMAC_CTX aes_gmac_ctx;
};
extern const struct enc_xform enc_xform_3des;
extern const struct enc_xform enc_xform_blf;
extern const struct enc_xform enc_xform_cast5;
extern const struct enc_xform enc_xform_aes;
extern const struct enc_xform enc_xform_aes_ctr;
extern const struct enc_xform enc_xform_aes_gcm;
extern const struct enc_xform enc_xform_aes_gmac;
extern const struct enc_xform enc_xform_aes_xts;
extern const struct enc_xform enc_xform_chacha20_poly1305;
extern const struct enc_xform enc_xform_null;
extern const struct auth_hash auth_hash_hmac_md5_96;
extern const struct auth_hash auth_hash_hmac_sha1_96;
extern const struct auth_hash auth_hash_hmac_ripemd_160_96;
extern const struct auth_hash auth_hash_hmac_sha2_256_128;
extern const struct auth_hash auth_hash_hmac_sha2_384_192;
extern const struct auth_hash auth_hash_hmac_sha2_512_256;
extern const struct auth_hash auth_hash_gmac_aes_128;
extern const struct auth_hash auth_hash_gmac_aes_192;
extern const struct auth_hash auth_hash_gmac_aes_256;
extern const struct auth_hash auth_hash_chacha20_poly1305;
extern const struct comp_algo comp_algo_deflate;
#endif /* _CRYPTO_XFORM_H_ */

171
include/nuttx/crypto/aes.h
View file

@ -1,171 +0,0 @@
/****************************************************************************
* include/nuttx/crypto/aes.h
*
* Copyright (C) 2011 Texas Instruments Incorporated - http://www.ti.com/
* Extracted from the CC3000 Host Driver Implementation.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the
* distribution.
*
* Neither the name of Texas Instruments Incorporated nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
****************************************************************************/
#ifndef __INCLUDE_NUTTX_CRYPTO_AES_H
#define __INCLUDE_NUTTX_CRYPTO_AES_H
/****************************************************************************
* Included Files
****************************************************************************/
#include <nuttx/config.h>
#include <stdint.h>
/****************************************************************************
* Pre-processor Definitions
****************************************************************************/
#define AES128_KEY_SIZE 16
/****************************************************************************
* Public Types
****************************************************************************/
struct aes_state_s
{
uint8_t expanded_key[176];
};
/****************************************************************************
* Public Data
****************************************************************************/
#ifdef __cplusplus
extern "C"
{
#endif
/****************************************************************************
* Public Function Prototypes
****************************************************************************/
/****************************************************************************
* Name: aes_encrypt
*
* Description:
* AES128 encryption: Given AES128 key and 16 bytes plain text, cipher
* text of 16 bytes is computed. The AES implementation is in mode ECB
* (Electronic Code Book).
*
* Input Parameters:
* key AES128 key of size 16 bytes
* state 16 bytes of plain text and cipher text
*
* Returned Value:
* None
*
****************************************************************************/
void aes_encrypt(FAR uint8_t *state, FAR const uint8_t *key);
/****************************************************************************
* Name: aes_decrypt
*
* Description:
* AES128 decryption: Given AES128 key and 16 bytes cipher text, plain
* text of 16 bytes is computed The AES implementation is in mode ECB
* (Electronic Code Book).
*
* Input Parameters:
* key AES128 key of size 16 bytes
* state 16 bytes of plain text and cipher text
*
* Returned Value:
* None
*
****************************************************************************/
void aes_decrypt(FAR uint8_t *state, FAR const uint8_t *key);
/****************************************************************************
* Name: aes_setupkey
*
* Description:
* Configure the given AES context for operation with the selected key.
*
* Input Parameters:
* state an AES context that can be used for AES operations
* key a pointer to a 16-byte buffer holding the AES-128 key
* len length of the key, must be 16
*
* TODO: Support other key lengths of 24 (AES-192) and 32 (AES-256)
*
* Returned Value:
* 0 if OK
* -EINVAL if len is not 16
*
****************************************************************************/
int aes_setupkey(FAR struct aes_state_s *state, FAR const uint8_t *key,
int len);
/****************************************************************************
* Name: aes_encipher
*
* Description:
* Encipher some 16-byte blocks (without any operation mode) using the
* previously defined key. The function can be called multiple times with
* the same state parameter.
*
* Returned Value:
* None
*
****************************************************************************/
void aes_encipher(FAR struct aes_state_s *state, FAR uint8_t *blocks,
int nblk);
/****************************************************************************
* Name: aes_decipher
*
* Description:
* Decipher some 16-byte blocks (without any operation mode) using the
* previously defined key. The function can be called multiple times with
* the same state parameter.
*
* Returned Value:
* None
*
****************************************************************************/
void aes_decipher(FAR struct aes_state_s *state, FAR uint8_t *blocks,
int nblk);
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __INCLUDE_NUTTX_CRYPTO_AES_H */

80
include/nuttx/crypto/cryptodev.h
View file

@ -1,80 +0,0 @@
/****************************************************************************
* include/nuttx/crypto/cryptodev.h
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership. The
* ASF licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the
* License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*
****************************************************************************/
#ifndef __INCLUDE_NUTTX_CRYPTO_CRYPTODEV_H
#define __INCLUDE_NUTTX_CRYPTO_CRYPTODEV_H
/****************************************************************************
* Included Files
****************************************************************************/
#include <nuttx/config.h>
/****************************************************************************
* Pre-processor Definitions
****************************************************************************/
#define RIJNDAEL128_BLOCK_LEN 16
#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN
#define CRYPTO_ALGORITHM_MIN 1
#define CRYPTO_AES_ECB 1
#define CRYPTO_AES_CBC 2
#define CRYPTO_AES_CTR 3
#define CRYPTO_ALGORITHM_MAX 1
#define CRYPTO_FLAG_HARDWARE 0x01000000 /* hardware accelerated */
#define CRYPTO_FLAG_SOFTWARE 0x02000000 /* software implementation */
#define COP_ENCRYPT 1
#define COP_DECRYPT 2
#define COP_F_BATCH 0x0008 /* Batch op if possible */
#define CIOCGSESSION 101
#define CIOCFSESSION 102
#define CIOCCRYPT 103
typedef char *caddr_t;
struct session_op
{
uint32_t cipher; /* ie. CRYPTO_AES_EBC */
uint32_t mac;
uint32_t keylen; /* cipher key */
caddr_t key;
int mackeylen; /* mac key */
caddr_t mackey;
uint32_t ses; /* returns: session # */
};
struct crypt_op
{
uint32_t ses;
uint16_t op; /* i.e. COP_ENCRYPT */
uint16_t flags;
unsigned len;
caddr_t src, dst; /* become iov[] inside kernel */
caddr_t mac; /* must be big enough for chosen MAC */
caddr_t iv;
};
#endif /* __INCLUDE_NUTTX_CRYPTO_CRYPTODEV_H */