1 /* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */ 2 3 /* 4 * rijndael-api-fst.c v2.3 April '2000 5 * 6 * Optimised ANSI C code 7 * 8 * authors: v1.0: Antoon Bosselaers 9 * v2.0: Vincent Rijmen 10 * v2.1: Vincent Rijmen 11 * v2.2: Vincent Rijmen 12 * v2.3: Paulo Barreto 13 * v2.4: Vincent Rijmen 14 * 15 * This code is placed in the public domain. 16 */ 17 18 #include <sys/cdefs.h> 19 __FBSDID("$FreeBSD: releng/12.2/sys/crypto/rijndael/rijndael-api-fst.c 274380 2014-11-11 13:37:28Z des $"); 20 21 #include <sys/types.h> 22 #include <sys/param.h> 23 #ifdef _KERNEL 24 #include <sys/systm.h> 25 #else 26 #include <string.h> 27 #endif 28 29 #include <crypto/rijndael/rijndael_local.h> 30 #include <crypto/rijndael/rijndael-api-fst.h> 31 32 #ifndef TRUE 33 #define TRUE 1 34 #endif 35 36 typedef u_int8_t BYTE; 37 38 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, 39 const char *keyMaterial) { 40 u_int8_t cipherKey[RIJNDAEL_MAXKB]; 41 42 if (key == NULL) { 43 return BAD_KEY_INSTANCE; 44 } 45 46 if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) { 47 key->direction = direction; 48 } else { 49 return BAD_KEY_DIR; 50 } 51 52 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { 53 key->keyLen = keyLen; 54 } else { 55 return BAD_KEY_MAT; 56 } 57 58 if (keyMaterial != NULL) { 59 memcpy(key->keyMaterial, keyMaterial, keyLen/8); 60 } 61 62 /* initialize key schedule: */ 63 memcpy(cipherKey, key->keyMaterial, keyLen/8); 64 if (direction == DIR_ENCRYPT) { 65 key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen); 66 } else { 67 key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen); 68 } 69 rijndaelKeySetupEnc(key->ek, cipherKey, keyLen); 70 return TRUE; 71 } 72 73 int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) { 74 if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) { 75 cipher->mode = mode; 76 } else { 77 return BAD_CIPHER_MODE; 78 } 79 if (IV != NULL) { 80 memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE); 81 } else { 82 memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE); 83 } 84 return TRUE; 85 } 86 87 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, 88 const BYTE *input, int inputLen, BYTE *outBuffer) { 89 int i, k, numBlocks; 90 u_int8_t block[16], iv[4][4]; 91 92 if (cipher == NULL || 93 key == NULL || 94 key->direction == DIR_DECRYPT) { 95 return BAD_CIPHER_STATE; 96 } 97 if (input == NULL || inputLen <= 0) { 98 return 0; /* nothing to do */ 99 } 100 101 numBlocks = inputLen/128; 102 103 switch (cipher->mode) { 104 case MODE_ECB: 105 for (i = numBlocks; i > 0; i--) { 106 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 107 input += 16; 108 outBuffer += 16; 109 } 110 break; 111 112 case MODE_CBC: 113 #if 1 /*STRICT_ALIGN*/ 114 memcpy(block, cipher->IV, 16); 115 memcpy(iv, input, 16); 116 ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0]; 117 ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1]; 118 ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2]; 119 ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3]; 120 #else 121 ((u_int32_t*)block)[0] = ((u_int32_t*)cipher->IV)[0] ^ ((u_int32_t*)input)[0]; 122 ((u_int32_t*)block)[1] = ((u_int32_t*)cipher->IV)[1] ^ ((u_int32_t*)input)[1]; 123 ((u_int32_t*)block)[2] = ((u_int32_t*)cipher->IV)[2] ^ ((u_int32_t*)input)[2]; 124 ((u_int32_t*)block)[3] = ((u_int32_t*)cipher->IV)[3] ^ ((u_int32_t*)input)[3]; 125 #endif 126 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 127 input += 16; 128 for (i = numBlocks - 1; i > 0; i--) { 129 #if 1 /*STRICT_ALIGN*/ 130 memcpy(block, outBuffer, 16); 131 memcpy(iv, input, 16); 132 ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0]; 133 ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1]; 134 ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2]; 135 ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3]; 136 #else 137 ((u_int32_t*)block)[0] = ((u_int32_t*)outBuffer)[0] ^ ((u_int32_t*)input)[0]; 138 ((u_int32_t*)block)[1] = ((u_int32_t*)outBuffer)[1] ^ ((u_int32_t*)input)[1]; 139 ((u_int32_t*)block)[2] = ((u_int32_t*)outBuffer)[2] ^ ((u_int32_t*)input)[2]; 140 ((u_int32_t*)block)[3] = ((u_int32_t*)outBuffer)[3] ^ ((u_int32_t*)input)[3]; 141 #endif 142 outBuffer += 16; 143 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 144 input += 16; 145 } 146 break; 147 148 case MODE_CFB1: 149 #if 1 /*STRICT_ALIGN*/ 150 memcpy(iv, cipher->IV, 16); 151 #else /* !STRICT_ALIGN */ 152 *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV )); 153 *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 154 *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 155 *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 156 #endif /* ?STRICT_ALIGN */ 157 for (i = numBlocks; i > 0; i--) { 158 for (k = 0; k < 128; k++) { 159 *((u_int32_t*) block ) = *((u_int32_t*)iv[0]); 160 *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]); 161 *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]); 162 *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]); 163 rijndaelEncrypt(key->ek, key->Nr, block, 164 block); 165 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 166 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 167 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 168 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 169 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 170 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 171 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 172 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 173 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 174 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 175 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 176 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 177 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 178 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 179 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 180 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 181 iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1); 182 } 183 } 184 break; 185 186 default: 187 return BAD_CIPHER_STATE; 188 } 189 190 return 128*numBlocks; 191 } 192 193 /** 194 * Encrypt data partitioned in octets, using RFC 2040-like padding. 195 * 196 * @param input data to be encrypted (octet sequence) 197 * @param inputOctets input length in octets (not bits) 198 * @param outBuffer encrypted output data 199 * 200 * @return length in octets (not bits) of the encrypted output buffer. 201 */ 202 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, 203 const BYTE *input, int inputOctets, BYTE *outBuffer) { 204 int i, numBlocks, padLen; 205 u_int8_t block[16], *iv, *cp; 206 207 if (cipher == NULL || 208 key == NULL || 209 key->direction == DIR_DECRYPT) { 210 return BAD_CIPHER_STATE; 211 } 212 if (input == NULL || inputOctets <= 0) { 213 return 0; /* nothing to do */ 214 } 215 216 numBlocks = inputOctets/16; 217 218 switch (cipher->mode) { 219 case MODE_ECB: 220 for (i = numBlocks; i > 0; i--) { 221 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 222 input += 16; 223 outBuffer += 16; 224 } 225 padLen = 16 - (inputOctets - 16*numBlocks); 226 if (padLen <= 0 || padLen > 16) 227 return BAD_CIPHER_STATE; 228 memcpy(block, input, 16 - padLen); 229 for (cp = block + 16 - padLen; cp < block + 16; cp++) 230 *cp = padLen; 231 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 232 break; 233 234 case MODE_CBC: 235 iv = cipher->IV; 236 for (i = numBlocks; i > 0; i--) { 237 ((u_int32_t*)block)[0] = ((const u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0]; 238 ((u_int32_t*)block)[1] = ((const u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1]; 239 ((u_int32_t*)block)[2] = ((const u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2]; 240 ((u_int32_t*)block)[3] = ((const u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3]; 241 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 242 iv = outBuffer; 243 input += 16; 244 outBuffer += 16; 245 } 246 padLen = 16 - (inputOctets - 16*numBlocks); 247 if (padLen <= 0 || padLen > 16) 248 return BAD_CIPHER_STATE; 249 for (i = 0; i < 16 - padLen; i++) { 250 block[i] = input[i] ^ iv[i]; 251 } 252 for (i = 16 - padLen; i < 16; i++) { 253 block[i] = (BYTE)padLen ^ iv[i]; 254 } 255 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 256 break; 257 258 default: 259 return BAD_CIPHER_STATE; 260 } 261 262 return 16*(numBlocks + 1); 263 } 264 265 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, 266 const BYTE *input, int inputLen, BYTE *outBuffer) { 267 int i, k, numBlocks; 268 u_int8_t block[16], iv[4][4]; 269 270 if (cipher == NULL || 271 key == NULL || 272 (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) { 273 return BAD_CIPHER_STATE; 274 } 275 if (input == NULL || inputLen <= 0) { 276 return 0; /* nothing to do */ 277 } 278 279 numBlocks = inputLen/128; 280 281 switch (cipher->mode) { 282 case MODE_ECB: 283 for (i = numBlocks; i > 0; i--) { 284 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 285 input += 16; 286 outBuffer += 16; 287 } 288 break; 289 290 case MODE_CBC: 291 #if 1 /*STRICT_ALIGN */ 292 memcpy(iv, cipher->IV, 16); 293 #else 294 *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV )); 295 *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 296 *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 297 *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 298 #endif 299 for (i = numBlocks; i > 0; i--) { 300 rijndaelDecrypt(key->rk, key->Nr, input, block); 301 ((u_int32_t*)block)[0] ^= *((u_int32_t*)iv[0]); 302 ((u_int32_t*)block)[1] ^= *((u_int32_t*)iv[1]); 303 ((u_int32_t*)block)[2] ^= *((u_int32_t*)iv[2]); 304 ((u_int32_t*)block)[3] ^= *((u_int32_t*)iv[3]); 305 #if 1 /*STRICT_ALIGN*/ 306 memcpy(iv, input, 16); 307 memcpy(outBuffer, block, 16); 308 #else 309 *((u_int32_t*)iv[0]) = ((u_int32_t*)input)[0]; ((u_int32_t*)outBuffer)[0] = ((u_int32_t*)block)[0]; 310 *((u_int32_t*)iv[1]) = ((u_int32_t*)input)[1]; ((u_int32_t*)outBuffer)[1] = ((u_int32_t*)block)[1]; 311 *((u_int32_t*)iv[2]) = ((u_int32_t*)input)[2]; ((u_int32_t*)outBuffer)[2] = ((u_int32_t*)block)[2]; 312 *((u_int32_t*)iv[3]) = ((u_int32_t*)input)[3]; ((u_int32_t*)outBuffer)[3] = ((u_int32_t*)block)[3]; 313 #endif 314 input += 16; 315 outBuffer += 16; 316 } 317 break; 318 319 case MODE_CFB1: 320 #if 1 /*STRICT_ALIGN */ 321 memcpy(iv, cipher->IV, 16); 322 #else 323 *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV)); 324 *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4)); 325 *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8)); 326 *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12)); 327 #endif 328 for (i = numBlocks; i > 0; i--) { 329 for (k = 0; k < 128; k++) { 330 *((u_int32_t*) block ) = *((u_int32_t*)iv[0]); 331 *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]); 332 *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]); 333 *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]); 334 rijndaelEncrypt(key->ek, key->Nr, block, 335 block); 336 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 337 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 338 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 339 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 340 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 341 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 342 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 343 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 344 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 345 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 346 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 347 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 348 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 349 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 350 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 351 iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); 352 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 353 } 354 } 355 break; 356 357 default: 358 return BAD_CIPHER_STATE; 359 } 360 361 return 128*numBlocks; 362 } 363 364 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, 365 const BYTE *input, int inputOctets, BYTE *outBuffer) { 366 int i, numBlocks, padLen; 367 u_int8_t block[16]; 368 u_int32_t iv[4]; 369 370 if (cipher == NULL || 371 key == NULL || 372 key->direction == DIR_ENCRYPT) { 373 return BAD_CIPHER_STATE; 374 } 375 if (input == NULL || inputOctets <= 0) { 376 return 0; /* nothing to do */ 377 } 378 if (inputOctets % 16 != 0) { 379 return BAD_DATA; 380 } 381 382 numBlocks = inputOctets/16; 383 384 switch (cipher->mode) { 385 case MODE_ECB: 386 /* all blocks but last */ 387 for (i = numBlocks - 1; i > 0; i--) { 388 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 389 input += 16; 390 outBuffer += 16; 391 } 392 /* last block */ 393 rijndaelDecrypt(key->rk, key->Nr, input, block); 394 padLen = block[15]; 395 if (padLen >= 16) { 396 return BAD_DATA; 397 } 398 for (i = 16 - padLen; i < 16; i++) { 399 if (block[i] != padLen) { 400 return BAD_DATA; 401 } 402 } 403 memcpy(outBuffer, block, 16 - padLen); 404 break; 405 406 case MODE_CBC: 407 memcpy(iv, cipher->IV, 16); 408 /* all blocks but last */ 409 for (i = numBlocks - 1; i > 0; i--) { 410 rijndaelDecrypt(key->rk, key->Nr, input, block); 411 ((u_int32_t*)block)[0] ^= iv[0]; 412 ((u_int32_t*)block)[1] ^= iv[1]; 413 ((u_int32_t*)block)[2] ^= iv[2]; 414 ((u_int32_t*)block)[3] ^= iv[3]; 415 memcpy(iv, input, 16); 416 memcpy(outBuffer, block, 16); 417 input += 16; 418 outBuffer += 16; 419 } 420 /* last block */ 421 rijndaelDecrypt(key->rk, key->Nr, input, block); 422 ((u_int32_t*)block)[0] ^= iv[0]; 423 ((u_int32_t*)block)[1] ^= iv[1]; 424 ((u_int32_t*)block)[2] ^= iv[2]; 425 ((u_int32_t*)block)[3] ^= iv[3]; 426 padLen = block[15]; 427 if (padLen <= 0 || padLen > 16) { 428 return BAD_DATA; 429 } 430 for (i = 16 - padLen; i < 16; i++) { 431 if (block[i] != padLen) { 432 return BAD_DATA; 433 } 434 } 435 memcpy(outBuffer, block, 16 - padLen); 436 break; 437 438 default: 439 return BAD_CIPHER_STATE; 440 } 441 442 return 16*numBlocks - padLen; 443 } 444