1 /* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */
2
3 /*
4 * rijndael-api-fst.c v2.3 April '2000
5 *
6 * Optimised ANSI C code
7 *
8 * authors: v1.0: Antoon Bosselaers
9 * v2.0: Vincent Rijmen
10 * v2.1: Vincent Rijmen
11 * v2.2: Vincent Rijmen
12 * v2.3: Paulo Barreto
13 * v2.4: Vincent Rijmen
14 *
15 * This code is placed in the public domain.
16 */
17
18 #include <sys/cdefs.h>
19 __FBSDID("$FreeBSD: releng/12.2/sys/crypto/rijndael/rijndael-api-fst.c 274380 2014-11-11 13:37:28Z des $");
20
21 #include <sys/types.h>
22 #include <sys/param.h>
23 #ifdef _KERNEL
24 #include <sys/systm.h>
25 #else
26 #include <string.h>
27 #endif
28
29 #include <crypto/rijndael/rijndael_local.h>
30 #include <crypto/rijndael/rijndael-api-fst.h>
31
32 #ifndef TRUE
33 #define TRUE 1
34 #endif
35
36 typedef u_int8_t BYTE;
37
rijndael_makeKey(keyInstance * key,BYTE direction,int keyLen,const char * keyMaterial)38 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
39 const char *keyMaterial) {
40 u_int8_t cipherKey[RIJNDAEL_MAXKB];
41
42 if (key == NULL) {
43 return BAD_KEY_INSTANCE;
44 }
45
46 if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
47 key->direction = direction;
48 } else {
49 return BAD_KEY_DIR;
50 }
51
52 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
53 key->keyLen = keyLen;
54 } else {
55 return BAD_KEY_MAT;
56 }
57
58 if (keyMaterial != NULL) {
59 memcpy(key->keyMaterial, keyMaterial, keyLen/8);
60 }
61
62 /* initialize key schedule: */
63 memcpy(cipherKey, key->keyMaterial, keyLen/8);
64 if (direction == DIR_ENCRYPT) {
65 key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen);
66 } else {
67 key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen);
68 }
69 rijndaelKeySetupEnc(key->ek, cipherKey, keyLen);
70 return TRUE;
71 }
72
rijndael_cipherInit(cipherInstance * cipher,BYTE mode,char * IV)73 int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
74 if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) {
75 cipher->mode = mode;
76 } else {
77 return BAD_CIPHER_MODE;
78 }
79 if (IV != NULL) {
80 memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE);
81 } else {
82 memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
83 }
84 return TRUE;
85 }
86
rijndael_blockEncrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputLen,BYTE * outBuffer)87 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
88 const BYTE *input, int inputLen, BYTE *outBuffer) {
89 int i, k, numBlocks;
90 u_int8_t block[16], iv[4][4];
91
92 if (cipher == NULL ||
93 key == NULL ||
94 key->direction == DIR_DECRYPT) {
95 return BAD_CIPHER_STATE;
96 }
97 if (input == NULL || inputLen <= 0) {
98 return 0; /* nothing to do */
99 }
100
101 numBlocks = inputLen/128;
102
103 switch (cipher->mode) {
104 case MODE_ECB:
105 for (i = numBlocks; i > 0; i--) {
106 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
107 input += 16;
108 outBuffer += 16;
109 }
110 break;
111
112 case MODE_CBC:
113 #if 1 /*STRICT_ALIGN*/
114 memcpy(block, cipher->IV, 16);
115 memcpy(iv, input, 16);
116 ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0];
117 ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1];
118 ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2];
119 ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3];
120 #else
121 ((u_int32_t*)block)[0] = ((u_int32_t*)cipher->IV)[0] ^ ((u_int32_t*)input)[0];
122 ((u_int32_t*)block)[1] = ((u_int32_t*)cipher->IV)[1] ^ ((u_int32_t*)input)[1];
123 ((u_int32_t*)block)[2] = ((u_int32_t*)cipher->IV)[2] ^ ((u_int32_t*)input)[2];
124 ((u_int32_t*)block)[3] = ((u_int32_t*)cipher->IV)[3] ^ ((u_int32_t*)input)[3];
125 #endif
126 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
127 input += 16;
128 for (i = numBlocks - 1; i > 0; i--) {
129 #if 1 /*STRICT_ALIGN*/
130 memcpy(block, outBuffer, 16);
131 memcpy(iv, input, 16);
132 ((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0];
133 ((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1];
134 ((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2];
135 ((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3];
136 #else
137 ((u_int32_t*)block)[0] = ((u_int32_t*)outBuffer)[0] ^ ((u_int32_t*)input)[0];
138 ((u_int32_t*)block)[1] = ((u_int32_t*)outBuffer)[1] ^ ((u_int32_t*)input)[1];
139 ((u_int32_t*)block)[2] = ((u_int32_t*)outBuffer)[2] ^ ((u_int32_t*)input)[2];
140 ((u_int32_t*)block)[3] = ((u_int32_t*)outBuffer)[3] ^ ((u_int32_t*)input)[3];
141 #endif
142 outBuffer += 16;
143 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
144 input += 16;
145 }
146 break;
147
148 case MODE_CFB1:
149 #if 1 /*STRICT_ALIGN*/
150 memcpy(iv, cipher->IV, 16);
151 #else /* !STRICT_ALIGN */
152 *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV ));
153 *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4));
154 *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8));
155 *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12));
156 #endif /* ?STRICT_ALIGN */
157 for (i = numBlocks; i > 0; i--) {
158 for (k = 0; k < 128; k++) {
159 *((u_int32_t*) block ) = *((u_int32_t*)iv[0]);
160 *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]);
161 *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]);
162 *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]);
163 rijndaelEncrypt(key->ek, key->Nr, block,
164 block);
165 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
166 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
167 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
168 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
169 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
170 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
171 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
172 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
173 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
174 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
175 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
176 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
177 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
178 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
179 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
180 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
181 iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
182 }
183 }
184 break;
185
186 default:
187 return BAD_CIPHER_STATE;
188 }
189
190 return 128*numBlocks;
191 }
192
193 /**
194 * Encrypt data partitioned in octets, using RFC 2040-like padding.
195 *
196 * @param input data to be encrypted (octet sequence)
197 * @param inputOctets input length in octets (not bits)
198 * @param outBuffer encrypted output data
199 *
200 * @return length in octets (not bits) of the encrypted output buffer.
201 */
rijndael_padEncrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputOctets,BYTE * outBuffer)202 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
203 const BYTE *input, int inputOctets, BYTE *outBuffer) {
204 int i, numBlocks, padLen;
205 u_int8_t block[16], *iv, *cp;
206
207 if (cipher == NULL ||
208 key == NULL ||
209 key->direction == DIR_DECRYPT) {
210 return BAD_CIPHER_STATE;
211 }
212 if (input == NULL || inputOctets <= 0) {
213 return 0; /* nothing to do */
214 }
215
216 numBlocks = inputOctets/16;
217
218 switch (cipher->mode) {
219 case MODE_ECB:
220 for (i = numBlocks; i > 0; i--) {
221 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
222 input += 16;
223 outBuffer += 16;
224 }
225 padLen = 16 - (inputOctets - 16*numBlocks);
226 if (padLen <= 0 || padLen > 16)
227 return BAD_CIPHER_STATE;
228 memcpy(block, input, 16 - padLen);
229 for (cp = block + 16 - padLen; cp < block + 16; cp++)
230 *cp = padLen;
231 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
232 break;
233
234 case MODE_CBC:
235 iv = cipher->IV;
236 for (i = numBlocks; i > 0; i--) {
237 ((u_int32_t*)block)[0] = ((const u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0];
238 ((u_int32_t*)block)[1] = ((const u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1];
239 ((u_int32_t*)block)[2] = ((const u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2];
240 ((u_int32_t*)block)[3] = ((const u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3];
241 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
242 iv = outBuffer;
243 input += 16;
244 outBuffer += 16;
245 }
246 padLen = 16 - (inputOctets - 16*numBlocks);
247 if (padLen <= 0 || padLen > 16)
248 return BAD_CIPHER_STATE;
249 for (i = 0; i < 16 - padLen; i++) {
250 block[i] = input[i] ^ iv[i];
251 }
252 for (i = 16 - padLen; i < 16; i++) {
253 block[i] = (BYTE)padLen ^ iv[i];
254 }
255 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
256 break;
257
258 default:
259 return BAD_CIPHER_STATE;
260 }
261
262 return 16*(numBlocks + 1);
263 }
264
rijndael_blockDecrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputLen,BYTE * outBuffer)265 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
266 const BYTE *input, int inputLen, BYTE *outBuffer) {
267 int i, k, numBlocks;
268 u_int8_t block[16], iv[4][4];
269
270 if (cipher == NULL ||
271 key == NULL ||
272 (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) {
273 return BAD_CIPHER_STATE;
274 }
275 if (input == NULL || inputLen <= 0) {
276 return 0; /* nothing to do */
277 }
278
279 numBlocks = inputLen/128;
280
281 switch (cipher->mode) {
282 case MODE_ECB:
283 for (i = numBlocks; i > 0; i--) {
284 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
285 input += 16;
286 outBuffer += 16;
287 }
288 break;
289
290 case MODE_CBC:
291 #if 1 /*STRICT_ALIGN */
292 memcpy(iv, cipher->IV, 16);
293 #else
294 *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV ));
295 *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4));
296 *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8));
297 *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12));
298 #endif
299 for (i = numBlocks; i > 0; i--) {
300 rijndaelDecrypt(key->rk, key->Nr, input, block);
301 ((u_int32_t*)block)[0] ^= *((u_int32_t*)iv[0]);
302 ((u_int32_t*)block)[1] ^= *((u_int32_t*)iv[1]);
303 ((u_int32_t*)block)[2] ^= *((u_int32_t*)iv[2]);
304 ((u_int32_t*)block)[3] ^= *((u_int32_t*)iv[3]);
305 #if 1 /*STRICT_ALIGN*/
306 memcpy(iv, input, 16);
307 memcpy(outBuffer, block, 16);
308 #else
309 *((u_int32_t*)iv[0]) = ((u_int32_t*)input)[0]; ((u_int32_t*)outBuffer)[0] = ((u_int32_t*)block)[0];
310 *((u_int32_t*)iv[1]) = ((u_int32_t*)input)[1]; ((u_int32_t*)outBuffer)[1] = ((u_int32_t*)block)[1];
311 *((u_int32_t*)iv[2]) = ((u_int32_t*)input)[2]; ((u_int32_t*)outBuffer)[2] = ((u_int32_t*)block)[2];
312 *((u_int32_t*)iv[3]) = ((u_int32_t*)input)[3]; ((u_int32_t*)outBuffer)[3] = ((u_int32_t*)block)[3];
313 #endif
314 input += 16;
315 outBuffer += 16;
316 }
317 break;
318
319 case MODE_CFB1:
320 #if 1 /*STRICT_ALIGN */
321 memcpy(iv, cipher->IV, 16);
322 #else
323 *((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV));
324 *((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4));
325 *((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8));
326 *((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12));
327 #endif
328 for (i = numBlocks; i > 0; i--) {
329 for (k = 0; k < 128; k++) {
330 *((u_int32_t*) block ) = *((u_int32_t*)iv[0]);
331 *((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]);
332 *((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]);
333 *((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]);
334 rijndaelEncrypt(key->ek, key->Nr, block,
335 block);
336 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
337 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
338 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
339 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
340 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
341 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
342 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
343 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
344 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
345 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
346 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
347 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
348 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
349 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
350 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
351 iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1);
352 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
353 }
354 }
355 break;
356
357 default:
358 return BAD_CIPHER_STATE;
359 }
360
361 return 128*numBlocks;
362 }
363
rijndael_padDecrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputOctets,BYTE * outBuffer)364 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
365 const BYTE *input, int inputOctets, BYTE *outBuffer) {
366 int i, numBlocks, padLen;
367 u_int8_t block[16];
368 u_int32_t iv[4];
369
370 if (cipher == NULL ||
371 key == NULL ||
372 key->direction == DIR_ENCRYPT) {
373 return BAD_CIPHER_STATE;
374 }
375 if (input == NULL || inputOctets <= 0) {
376 return 0; /* nothing to do */
377 }
378 if (inputOctets % 16 != 0) {
379 return BAD_DATA;
380 }
381
382 numBlocks = inputOctets/16;
383
384 switch (cipher->mode) {
385 case MODE_ECB:
386 /* all blocks but last */
387 for (i = numBlocks - 1; i > 0; i--) {
388 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
389 input += 16;
390 outBuffer += 16;
391 }
392 /* last block */
393 rijndaelDecrypt(key->rk, key->Nr, input, block);
394 padLen = block[15];
395 if (padLen >= 16) {
396 return BAD_DATA;
397 }
398 for (i = 16 - padLen; i < 16; i++) {
399 if (block[i] != padLen) {
400 return BAD_DATA;
401 }
402 }
403 memcpy(outBuffer, block, 16 - padLen);
404 break;
405
406 case MODE_CBC:
407 memcpy(iv, cipher->IV, 16);
408 /* all blocks but last */
409 for (i = numBlocks - 1; i > 0; i--) {
410 rijndaelDecrypt(key->rk, key->Nr, input, block);
411 ((u_int32_t*)block)[0] ^= iv[0];
412 ((u_int32_t*)block)[1] ^= iv[1];
413 ((u_int32_t*)block)[2] ^= iv[2];
414 ((u_int32_t*)block)[3] ^= iv[3];
415 memcpy(iv, input, 16);
416 memcpy(outBuffer, block, 16);
417 input += 16;
418 outBuffer += 16;
419 }
420 /* last block */
421 rijndaelDecrypt(key->rk, key->Nr, input, block);
422 ((u_int32_t*)block)[0] ^= iv[0];
423 ((u_int32_t*)block)[1] ^= iv[1];
424 ((u_int32_t*)block)[2] ^= iv[2];
425 ((u_int32_t*)block)[3] ^= iv[3];
426 padLen = block[15];
427 if (padLen <= 0 || padLen > 16) {
428 return BAD_DATA;
429 }
430 for (i = 16 - padLen; i < 16; i++) {
431 if (block[i] != padLen) {
432 return BAD_DATA;
433 }
434 }
435 memcpy(outBuffer, block, 16 - padLen);
436 break;
437
438 default:
439 return BAD_CIPHER_STATE;
440 }
441
442 return 16*numBlocks - padLen;
443 }
444