1 /* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */
2
3 /*
4 * rijndael-api-fst.c v2.3 April '2000
5 *
6 * Optimised ANSI C code
7 *
8 * authors: v1.0: Antoon Bosselaers
9 * v2.0: Vincent Rijmen
10 * v2.1: Vincent Rijmen
11 * v2.2: Vincent Rijmen
12 * v2.3: Paulo Barreto
13 * v2.4: Vincent Rijmen
14 *
15 * This code is placed in the public domain.
16 */
17
18 #include <sys/cdefs.h>
19 __FBSDID("$FreeBSD$");
20
21 #include <sys/types.h>
22 #include <sys/param.h>
23 #ifdef _KERNEL
24 #include <sys/systm.h>
25 #else
26 #include <string.h>
27 #endif
28
29 #include <crypto/rijndael/rijndael_local.h>
30 #include <crypto/rijndael/rijndael-api-fst.h>
31
32 #ifndef TRUE
33 #define TRUE 1
34 #endif
35
36 typedef uint8_t BYTE;
37
rijndael_makeKey(keyInstance * key,BYTE direction,int keyLen,const char * keyMaterial)38 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
39 const char *keyMaterial) {
40
41 if (key == NULL) {
42 return BAD_KEY_INSTANCE;
43 }
44
45 if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
46 key->direction = direction;
47 } else {
48 return BAD_KEY_DIR;
49 }
50
51 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
52 key->keyLen = keyLen;
53 } else {
54 return BAD_KEY_MAT;
55 }
56
57 if (keyMaterial != NULL) {
58 memcpy(key->keyMaterial, keyMaterial, keyLen/8);
59 }
60
61 /* initialize key schedule: */
62 if (direction == DIR_ENCRYPT) {
63 key->Nr = rijndaelKeySetupEnc(key->rk, (const u8 *)(key->keyMaterial), keyLen);
64 } else {
65 key->Nr = rijndaelKeySetupDec(key->rk, (const u8 *)(key->keyMaterial), keyLen);
66 }
67 rijndaelKeySetupEnc(key->ek, (const u8 *)(key->keyMaterial), keyLen);
68 return TRUE;
69 }
70
rijndael_cipherInit(cipherInstance * cipher,BYTE mode,char * IV)71 int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
72 if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) {
73 cipher->mode = mode;
74 } else {
75 return BAD_CIPHER_MODE;
76 }
77 if (IV != NULL) {
78 memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE);
79 } else {
80 memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
81 }
82 return TRUE;
83 }
84
rijndael_blockEncrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputLen,BYTE * outBuffer)85 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
86 const BYTE *input, int inputLen, BYTE *outBuffer) {
87 int i, k, numBlocks;
88 uint8_t block[16], iv[4][4];
89
90 if (cipher == NULL ||
91 key == NULL ||
92 key->direction == DIR_DECRYPT) {
93 return BAD_CIPHER_STATE;
94 }
95 if (input == NULL || inputLen <= 0) {
96 return 0; /* nothing to do */
97 }
98
99 numBlocks = inputLen/128;
100
101 switch (cipher->mode) {
102 case MODE_ECB:
103 for (i = numBlocks; i > 0; i--) {
104 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
105 input += 16;
106 outBuffer += 16;
107 }
108 break;
109
110 case MODE_CBC:
111 #if 1 /*STRICT_ALIGN*/
112 memcpy(block, cipher->IV, 16);
113 memcpy(iv, input, 16);
114 ((uint32_t*)block)[0] ^= ((uint32_t*)iv)[0];
115 ((uint32_t*)block)[1] ^= ((uint32_t*)iv)[1];
116 ((uint32_t*)block)[2] ^= ((uint32_t*)iv)[2];
117 ((uint32_t*)block)[3] ^= ((uint32_t*)iv)[3];
118 #else
119 ((uint32_t*)block)[0] = ((uint32_t*)cipher->IV)[0] ^ ((uint32_t*)input)[0];
120 ((uint32_t*)block)[1] = ((uint32_t*)cipher->IV)[1] ^ ((uint32_t*)input)[1];
121 ((uint32_t*)block)[2] = ((uint32_t*)cipher->IV)[2] ^ ((uint32_t*)input)[2];
122 ((uint32_t*)block)[3] = ((uint32_t*)cipher->IV)[3] ^ ((uint32_t*)input)[3];
123 #endif
124 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
125 input += 16;
126 for (i = numBlocks - 1; i > 0; i--) {
127 #if 1 /*STRICT_ALIGN*/
128 memcpy(block, outBuffer, 16);
129 memcpy(iv, input, 16);
130 ((uint32_t*)block)[0] ^= ((uint32_t*)iv)[0];
131 ((uint32_t*)block)[1] ^= ((uint32_t*)iv)[1];
132 ((uint32_t*)block)[2] ^= ((uint32_t*)iv)[2];
133 ((uint32_t*)block)[3] ^= ((uint32_t*)iv)[3];
134 #else
135 ((uint32_t*)block)[0] = ((uint32_t*)outBuffer)[0] ^ ((uint32_t*)input)[0];
136 ((uint32_t*)block)[1] = ((uint32_t*)outBuffer)[1] ^ ((uint32_t*)input)[1];
137 ((uint32_t*)block)[2] = ((uint32_t*)outBuffer)[2] ^ ((uint32_t*)input)[2];
138 ((uint32_t*)block)[3] = ((uint32_t*)outBuffer)[3] ^ ((uint32_t*)input)[3];
139 #endif
140 outBuffer += 16;
141 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
142 input += 16;
143 }
144 break;
145
146 case MODE_CFB1:
147 #if 1 /*STRICT_ALIGN*/
148 memcpy(iv, cipher->IV, 16);
149 #else /* !STRICT_ALIGN */
150 *((uint32_t*)iv[0]) = *((uint32_t*)(cipher->IV ));
151 *((uint32_t*)iv[1]) = *((uint32_t*)(cipher->IV+ 4));
152 *((uint32_t*)iv[2]) = *((uint32_t*)(cipher->IV+ 8));
153 *((uint32_t*)iv[3]) = *((uint32_t*)(cipher->IV+12));
154 #endif /* ?STRICT_ALIGN */
155 for (i = numBlocks; i > 0; i--) {
156 for (k = 0; k < 128; k++) {
157 *((uint32_t*) block ) = *((uint32_t*)iv[0]);
158 *((uint32_t*)(block+ 4)) = *((uint32_t*)iv[1]);
159 *((uint32_t*)(block+ 8)) = *((uint32_t*)iv[2]);
160 *((uint32_t*)(block+12)) = *((uint32_t*)iv[3]);
161 rijndaelEncrypt(key->ek, key->Nr, block,
162 block);
163 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
164 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
165 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
166 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
167 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
168 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
169 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
170 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
171 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
172 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
173 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
174 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
175 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
176 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
177 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
178 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
179 iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
180 }
181 }
182 break;
183
184 default:
185 return BAD_CIPHER_STATE;
186 }
187
188 explicit_bzero(block, sizeof(block));
189 return 128*numBlocks;
190 }
191
192 /**
193 * Encrypt data partitioned in octets, using RFC 2040-like padding.
194 *
195 * @param input data to be encrypted (octet sequence)
196 * @param inputOctets input length in octets (not bits)
197 * @param outBuffer encrypted output data
198 *
199 * @return length in octets (not bits) of the encrypted output buffer.
200 */
rijndael_padEncrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputOctets,BYTE * outBuffer)201 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
202 const BYTE *input, int inputOctets, BYTE *outBuffer) {
203 int i, numBlocks, padLen;
204 uint8_t block[16], *iv, *cp;
205
206 if (cipher == NULL ||
207 key == NULL ||
208 key->direction == DIR_DECRYPT) {
209 return BAD_CIPHER_STATE;
210 }
211 if (input == NULL || inputOctets <= 0) {
212 return 0; /* nothing to do */
213 }
214
215 numBlocks = inputOctets/16;
216
217 switch (cipher->mode) {
218 case MODE_ECB:
219 for (i = numBlocks; i > 0; i--) {
220 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
221 input += 16;
222 outBuffer += 16;
223 }
224 padLen = 16 - (inputOctets - 16*numBlocks);
225 if (padLen <= 0 || padLen > 16)
226 return BAD_CIPHER_STATE;
227 memcpy(block, input, 16 - padLen);
228 for (cp = block + 16 - padLen; cp < block + 16; cp++)
229 *cp = padLen;
230 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
231 break;
232
233 case MODE_CBC:
234 iv = cipher->IV;
235 for (i = numBlocks; i > 0; i--) {
236 ((uint32_t*)block)[0] = ((const uint32_t*)input)[0] ^ ((uint32_t*)iv)[0];
237 ((uint32_t*)block)[1] = ((const uint32_t*)input)[1] ^ ((uint32_t*)iv)[1];
238 ((uint32_t*)block)[2] = ((const uint32_t*)input)[2] ^ ((uint32_t*)iv)[2];
239 ((uint32_t*)block)[3] = ((const uint32_t*)input)[3] ^ ((uint32_t*)iv)[3];
240 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
241 iv = outBuffer;
242 input += 16;
243 outBuffer += 16;
244 }
245 padLen = 16 - (inputOctets - 16*numBlocks);
246 if (padLen <= 0 || padLen > 16)
247 return BAD_CIPHER_STATE;
248 for (i = 0; i < 16 - padLen; i++) {
249 block[i] = input[i] ^ iv[i];
250 }
251 for (i = 16 - padLen; i < 16; i++) {
252 block[i] = (BYTE)padLen ^ iv[i];
253 }
254 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
255 break;
256
257 default:
258 return BAD_CIPHER_STATE;
259 }
260
261 explicit_bzero(block, sizeof(block));
262 return 16*(numBlocks + 1);
263 }
264
rijndael_blockDecrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputLen,BYTE * outBuffer)265 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
266 const BYTE *input, int inputLen, BYTE *outBuffer) {
267 int i, k, numBlocks;
268 uint8_t block[16], iv[4][4];
269
270 if (cipher == NULL ||
271 key == NULL ||
272 (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) {
273 return BAD_CIPHER_STATE;
274 }
275 if (input == NULL || inputLen <= 0) {
276 return 0; /* nothing to do */
277 }
278
279 numBlocks = inputLen/128;
280
281 switch (cipher->mode) {
282 case MODE_ECB:
283 for (i = numBlocks; i > 0; i--) {
284 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
285 input += 16;
286 outBuffer += 16;
287 }
288 break;
289
290 case MODE_CBC:
291 #if 1 /*STRICT_ALIGN */
292 memcpy(iv, cipher->IV, 16);
293 #else
294 *((uint32_t*)iv[0]) = *((uint32_t*)(cipher->IV ));
295 *((uint32_t*)iv[1]) = *((uint32_t*)(cipher->IV+ 4));
296 *((uint32_t*)iv[2]) = *((uint32_t*)(cipher->IV+ 8));
297 *((uint32_t*)iv[3]) = *((uint32_t*)(cipher->IV+12));
298 #endif
299 for (i = numBlocks; i > 0; i--) {
300 rijndaelDecrypt(key->rk, key->Nr, input, block);
301 ((uint32_t*)block)[0] ^= *((uint32_t*)iv[0]);
302 ((uint32_t*)block)[1] ^= *((uint32_t*)iv[1]);
303 ((uint32_t*)block)[2] ^= *((uint32_t*)iv[2]);
304 ((uint32_t*)block)[3] ^= *((uint32_t*)iv[3]);
305 #if 1 /*STRICT_ALIGN*/
306 memcpy(iv, input, 16);
307 memcpy(outBuffer, block, 16);
308 #else
309 *((uint32_t*)iv[0]) = ((uint32_t*)input)[0]; ((uint32_t*)outBuffer)[0] = ((uint32_t*)block)[0];
310 *((uint32_t*)iv[1]) = ((uint32_t*)input)[1]; ((uint32_t*)outBuffer)[1] = ((uint32_t*)block)[1];
311 *((uint32_t*)iv[2]) = ((uint32_t*)input)[2]; ((uint32_t*)outBuffer)[2] = ((uint32_t*)block)[2];
312 *((uint32_t*)iv[3]) = ((uint32_t*)input)[3]; ((uint32_t*)outBuffer)[3] = ((uint32_t*)block)[3];
313 #endif
314 input += 16;
315 outBuffer += 16;
316 }
317 break;
318
319 case MODE_CFB1:
320 #if 1 /*STRICT_ALIGN */
321 memcpy(iv, cipher->IV, 16);
322 #else
323 *((uint32_t*)iv[0]) = *((uint32_t*)(cipher->IV));
324 *((uint32_t*)iv[1]) = *((uint32_t*)(cipher->IV+ 4));
325 *((uint32_t*)iv[2]) = *((uint32_t*)(cipher->IV+ 8));
326 *((uint32_t*)iv[3]) = *((uint32_t*)(cipher->IV+12));
327 #endif
328 for (i = numBlocks; i > 0; i--) {
329 for (k = 0; k < 128; k++) {
330 *((uint32_t*) block ) = *((uint32_t*)iv[0]);
331 *((uint32_t*)(block+ 4)) = *((uint32_t*)iv[1]);
332 *((uint32_t*)(block+ 8)) = *((uint32_t*)iv[2]);
333 *((uint32_t*)(block+12)) = *((uint32_t*)iv[3]);
334 rijndaelEncrypt(key->ek, key->Nr, block,
335 block);
336 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
337 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
338 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
339 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
340 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
341 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
342 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
343 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
344 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
345 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
346 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
347 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
348 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
349 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
350 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
351 iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1);
352 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
353 }
354 }
355 break;
356
357 default:
358 return BAD_CIPHER_STATE;
359 }
360
361 explicit_bzero(block, sizeof(block));
362 return 128*numBlocks;
363 }
364
rijndael_padDecrypt(cipherInstance * cipher,keyInstance * key,const BYTE * input,int inputOctets,BYTE * outBuffer)365 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
366 const BYTE *input, int inputOctets, BYTE *outBuffer) {
367 int i, numBlocks, padLen, rval;
368 uint8_t block[16];
369 uint32_t iv[4];
370
371 if (cipher == NULL ||
372 key == NULL ||
373 key->direction == DIR_ENCRYPT) {
374 return BAD_CIPHER_STATE;
375 }
376 if (input == NULL || inputOctets <= 0) {
377 return 0; /* nothing to do */
378 }
379 if (inputOctets % 16 != 0) {
380 return BAD_DATA;
381 }
382
383 numBlocks = inputOctets/16;
384
385 switch (cipher->mode) {
386 case MODE_ECB:
387 /* all blocks but last */
388 for (i = numBlocks - 1; i > 0; i--) {
389 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
390 input += 16;
391 outBuffer += 16;
392 }
393 /* last block */
394 rijndaelDecrypt(key->rk, key->Nr, input, block);
395 padLen = block[15];
396 if (padLen >= 16) {
397 rval = BAD_DATA;
398 goto out;
399 }
400 for (i = 16 - padLen; i < 16; i++) {
401 if (block[i] != padLen) {
402 rval = BAD_DATA;
403 goto out;
404 }
405 }
406 memcpy(outBuffer, block, 16 - padLen);
407 break;
408
409 case MODE_CBC:
410 memcpy(iv, cipher->IV, 16);
411 /* all blocks but last */
412 for (i = numBlocks - 1; i > 0; i--) {
413 rijndaelDecrypt(key->rk, key->Nr, input, block);
414 ((uint32_t*)block)[0] ^= iv[0];
415 ((uint32_t*)block)[1] ^= iv[1];
416 ((uint32_t*)block)[2] ^= iv[2];
417 ((uint32_t*)block)[3] ^= iv[3];
418 memcpy(iv, input, 16);
419 memcpy(outBuffer, block, 16);
420 input += 16;
421 outBuffer += 16;
422 }
423 /* last block */
424 rijndaelDecrypt(key->rk, key->Nr, input, block);
425 ((uint32_t*)block)[0] ^= iv[0];
426 ((uint32_t*)block)[1] ^= iv[1];
427 ((uint32_t*)block)[2] ^= iv[2];
428 ((uint32_t*)block)[3] ^= iv[3];
429 padLen = block[15];
430 if (padLen <= 0 || padLen > 16) {
431 rval = BAD_DATA;
432 goto out;
433 }
434 for (i = 16 - padLen; i < 16; i++) {
435 if (block[i] != padLen) {
436 rval = BAD_DATA;
437 goto out;
438 }
439 }
440 memcpy(outBuffer, block, 16 - padLen);
441 break;
442
443 default:
444 return BAD_CIPHER_STATE;
445 }
446
447 rval = 16*numBlocks - padLen;
448
449 out:
450 explicit_bzero(block, sizeof(block));
451 return rval;
452 }
453