1 /* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */ 2 3 /* 4 * rijndael-api-fst.c v2.3 April '2000 5 * 6 * Optimised ANSI C code 7 * 8 * authors: v1.0: Antoon Bosselaers 9 * v2.0: Vincent Rijmen 10 * v2.1: Vincent Rijmen 11 * v2.2: Vincent Rijmen 12 * v2.3: Paulo Barreto 13 * v2.4: Vincent Rijmen 14 * 15 * This code is placed in the public domain. 16 */ 17 18 #include <sys/cdefs.h> 19 __FBSDID("$FreeBSD$"); 20 21 #include <sys/types.h> 22 #include <sys/param.h> 23 #ifdef _KERNEL 24 #include <sys/systm.h> 25 #else 26 #include <string.h> 27 #endif 28 29 #include <crypto/rijndael/rijndael_local.h> 30 #include <crypto/rijndael/rijndael-api-fst.h> 31 32 #ifndef TRUE 33 #define TRUE 1 34 #endif 35 36 typedef uint8_t BYTE; 37 38 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, 39 const char *keyMaterial) { 40 41 if (key == NULL) { 42 return BAD_KEY_INSTANCE; 43 } 44 45 if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) { 46 key->direction = direction; 47 } else { 48 return BAD_KEY_DIR; 49 } 50 51 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { 52 key->keyLen = keyLen; 53 } else { 54 return BAD_KEY_MAT; 55 } 56 57 if (keyMaterial != NULL) { 58 memcpy(key->keyMaterial, keyMaterial, keyLen/8); 59 } 60 61 /* initialize key schedule: */ 62 if (direction == DIR_ENCRYPT) { 63 key->Nr = rijndaelKeySetupEnc(key->rk, (const u8 *)(key->keyMaterial), keyLen); 64 } else { 65 key->Nr = rijndaelKeySetupDec(key->rk, (const u8 *)(key->keyMaterial), keyLen); 66 } 67 rijndaelKeySetupEnc(key->ek, (const u8 *)(key->keyMaterial), keyLen); 68 return TRUE; 69 } 70 71 int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) { 72 if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) { 73 cipher->mode = mode; 74 } else { 75 return BAD_CIPHER_MODE; 76 } 77 if (IV != NULL) { 78 memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE); 79 } else { 80 memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE); 81 } 82 return TRUE; 83 } 84 85 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, 86 const BYTE *input, int inputLen, BYTE *outBuffer) { 87 int i, k, numBlocks; 88 uint8_t block[16], iv[4][4]; 89 90 if (cipher == NULL || 91 key == NULL || 92 key->direction == DIR_DECRYPT) { 93 return BAD_CIPHER_STATE; 94 } 95 if (input == NULL || inputLen <= 0) { 96 return 0; /* nothing to do */ 97 } 98 99 numBlocks = inputLen/128; 100 101 switch (cipher->mode) { 102 case MODE_ECB: 103 for (i = numBlocks; i > 0; i--) { 104 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 105 input += 16; 106 outBuffer += 16; 107 } 108 break; 109 110 case MODE_CBC: 111 #if 1 /*STRICT_ALIGN*/ 112 memcpy(block, cipher->IV, 16); 113 memcpy(iv, input, 16); 114 ((uint32_t*)block)[0] ^= ((uint32_t*)iv)[0]; 115 ((uint32_t*)block)[1] ^= ((uint32_t*)iv)[1]; 116 ((uint32_t*)block)[2] ^= ((uint32_t*)iv)[2]; 117 ((uint32_t*)block)[3] ^= ((uint32_t*)iv)[3]; 118 #else 119 ((uint32_t*)block)[0] = ((uint32_t*)cipher->IV)[0] ^ ((uint32_t*)input)[0]; 120 ((uint32_t*)block)[1] = ((uint32_t*)cipher->IV)[1] ^ ((uint32_t*)input)[1]; 121 ((uint32_t*)block)[2] = ((uint32_t*)cipher->IV)[2] ^ ((uint32_t*)input)[2]; 122 ((uint32_t*)block)[3] = ((uint32_t*)cipher->IV)[3] ^ ((uint32_t*)input)[3]; 123 #endif 124 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 125 input += 16; 126 for (i = numBlocks - 1; i > 0; i--) { 127 #if 1 /*STRICT_ALIGN*/ 128 memcpy(block, outBuffer, 16); 129 memcpy(iv, input, 16); 130 ((uint32_t*)block)[0] ^= ((uint32_t*)iv)[0]; 131 ((uint32_t*)block)[1] ^= ((uint32_t*)iv)[1]; 132 ((uint32_t*)block)[2] ^= ((uint32_t*)iv)[2]; 133 ((uint32_t*)block)[3] ^= ((uint32_t*)iv)[3]; 134 #else 135 ((uint32_t*)block)[0] = ((uint32_t*)outBuffer)[0] ^ ((uint32_t*)input)[0]; 136 ((uint32_t*)block)[1] = ((uint32_t*)outBuffer)[1] ^ ((uint32_t*)input)[1]; 137 ((uint32_t*)block)[2] = ((uint32_t*)outBuffer)[2] ^ ((uint32_t*)input)[2]; 138 ((uint32_t*)block)[3] = ((uint32_t*)outBuffer)[3] ^ ((uint32_t*)input)[3]; 139 #endif 140 outBuffer += 16; 141 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 142 input += 16; 143 } 144 break; 145 146 case MODE_CFB1: 147 #if 1 /*STRICT_ALIGN*/ 148 memcpy(iv, cipher->IV, 16); 149 #else /* !STRICT_ALIGN */ 150 *((uint32_t*)iv[0]) = *((uint32_t*)(cipher->IV )); 151 *((uint32_t*)iv[1]) = *((uint32_t*)(cipher->IV+ 4)); 152 *((uint32_t*)iv[2]) = *((uint32_t*)(cipher->IV+ 8)); 153 *((uint32_t*)iv[3]) = *((uint32_t*)(cipher->IV+12)); 154 #endif /* ?STRICT_ALIGN */ 155 for (i = numBlocks; i > 0; i--) { 156 for (k = 0; k < 128; k++) { 157 *((uint32_t*) block ) = *((uint32_t*)iv[0]); 158 *((uint32_t*)(block+ 4)) = *((uint32_t*)iv[1]); 159 *((uint32_t*)(block+ 8)) = *((uint32_t*)iv[2]); 160 *((uint32_t*)(block+12)) = *((uint32_t*)iv[3]); 161 rijndaelEncrypt(key->ek, key->Nr, block, 162 block); 163 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 164 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 165 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 166 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 167 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 168 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 169 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 170 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 171 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 172 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 173 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 174 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 175 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 176 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 177 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 178 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 179 iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1); 180 } 181 } 182 break; 183 184 default: 185 return BAD_CIPHER_STATE; 186 } 187 188 explicit_bzero(block, sizeof(block)); 189 return 128*numBlocks; 190 } 191 192 /** 193 * Encrypt data partitioned in octets, using RFC 2040-like padding. 194 * 195 * @param input data to be encrypted (octet sequence) 196 * @param inputOctets input length in octets (not bits) 197 * @param outBuffer encrypted output data 198 * 199 * @return length in octets (not bits) of the encrypted output buffer. 200 */ 201 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, 202 const BYTE *input, int inputOctets, BYTE *outBuffer) { 203 int i, numBlocks, padLen; 204 uint8_t block[16], *iv, *cp; 205 206 if (cipher == NULL || 207 key == NULL || 208 key->direction == DIR_DECRYPT) { 209 return BAD_CIPHER_STATE; 210 } 211 if (input == NULL || inputOctets <= 0) { 212 return 0; /* nothing to do */ 213 } 214 215 numBlocks = inputOctets/16; 216 217 switch (cipher->mode) { 218 case MODE_ECB: 219 for (i = numBlocks; i > 0; i--) { 220 rijndaelEncrypt(key->rk, key->Nr, input, outBuffer); 221 input += 16; 222 outBuffer += 16; 223 } 224 padLen = 16 - (inputOctets - 16*numBlocks); 225 if (padLen <= 0 || padLen > 16) 226 return BAD_CIPHER_STATE; 227 memcpy(block, input, 16 - padLen); 228 for (cp = block + 16 - padLen; cp < block + 16; cp++) 229 *cp = padLen; 230 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 231 break; 232 233 case MODE_CBC: 234 iv = cipher->IV; 235 for (i = numBlocks; i > 0; i--) { 236 ((uint32_t*)block)[0] = ((const uint32_t*)input)[0] ^ ((uint32_t*)iv)[0]; 237 ((uint32_t*)block)[1] = ((const uint32_t*)input)[1] ^ ((uint32_t*)iv)[1]; 238 ((uint32_t*)block)[2] = ((const uint32_t*)input)[2] ^ ((uint32_t*)iv)[2]; 239 ((uint32_t*)block)[3] = ((const uint32_t*)input)[3] ^ ((uint32_t*)iv)[3]; 240 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 241 iv = outBuffer; 242 input += 16; 243 outBuffer += 16; 244 } 245 padLen = 16 - (inputOctets - 16*numBlocks); 246 if (padLen <= 0 || padLen > 16) 247 return BAD_CIPHER_STATE; 248 for (i = 0; i < 16 - padLen; i++) { 249 block[i] = input[i] ^ iv[i]; 250 } 251 for (i = 16 - padLen; i < 16; i++) { 252 block[i] = (BYTE)padLen ^ iv[i]; 253 } 254 rijndaelEncrypt(key->rk, key->Nr, block, outBuffer); 255 break; 256 257 default: 258 return BAD_CIPHER_STATE; 259 } 260 261 explicit_bzero(block, sizeof(block)); 262 return 16*(numBlocks + 1); 263 } 264 265 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, 266 const BYTE *input, int inputLen, BYTE *outBuffer) { 267 int i, k, numBlocks; 268 uint8_t block[16], iv[4][4]; 269 270 if (cipher == NULL || 271 key == NULL || 272 (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) { 273 return BAD_CIPHER_STATE; 274 } 275 if (input == NULL || inputLen <= 0) { 276 return 0; /* nothing to do */ 277 } 278 279 numBlocks = inputLen/128; 280 281 switch (cipher->mode) { 282 case MODE_ECB: 283 for (i = numBlocks; i > 0; i--) { 284 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 285 input += 16; 286 outBuffer += 16; 287 } 288 break; 289 290 case MODE_CBC: 291 #if 1 /*STRICT_ALIGN */ 292 memcpy(iv, cipher->IV, 16); 293 #else 294 *((uint32_t*)iv[0]) = *((uint32_t*)(cipher->IV )); 295 *((uint32_t*)iv[1]) = *((uint32_t*)(cipher->IV+ 4)); 296 *((uint32_t*)iv[2]) = *((uint32_t*)(cipher->IV+ 8)); 297 *((uint32_t*)iv[3]) = *((uint32_t*)(cipher->IV+12)); 298 #endif 299 for (i = numBlocks; i > 0; i--) { 300 rijndaelDecrypt(key->rk, key->Nr, input, block); 301 ((uint32_t*)block)[0] ^= *((uint32_t*)iv[0]); 302 ((uint32_t*)block)[1] ^= *((uint32_t*)iv[1]); 303 ((uint32_t*)block)[2] ^= *((uint32_t*)iv[2]); 304 ((uint32_t*)block)[3] ^= *((uint32_t*)iv[3]); 305 #if 1 /*STRICT_ALIGN*/ 306 memcpy(iv, input, 16); 307 memcpy(outBuffer, block, 16); 308 #else 309 *((uint32_t*)iv[0]) = ((uint32_t*)input)[0]; ((uint32_t*)outBuffer)[0] = ((uint32_t*)block)[0]; 310 *((uint32_t*)iv[1]) = ((uint32_t*)input)[1]; ((uint32_t*)outBuffer)[1] = ((uint32_t*)block)[1]; 311 *((uint32_t*)iv[2]) = ((uint32_t*)input)[2]; ((uint32_t*)outBuffer)[2] = ((uint32_t*)block)[2]; 312 *((uint32_t*)iv[3]) = ((uint32_t*)input)[3]; ((uint32_t*)outBuffer)[3] = ((uint32_t*)block)[3]; 313 #endif 314 input += 16; 315 outBuffer += 16; 316 } 317 break; 318 319 case MODE_CFB1: 320 #if 1 /*STRICT_ALIGN */ 321 memcpy(iv, cipher->IV, 16); 322 #else 323 *((uint32_t*)iv[0]) = *((uint32_t*)(cipher->IV)); 324 *((uint32_t*)iv[1]) = *((uint32_t*)(cipher->IV+ 4)); 325 *((uint32_t*)iv[2]) = *((uint32_t*)(cipher->IV+ 8)); 326 *((uint32_t*)iv[3]) = *((uint32_t*)(cipher->IV+12)); 327 #endif 328 for (i = numBlocks; i > 0; i--) { 329 for (k = 0; k < 128; k++) { 330 *((uint32_t*) block ) = *((uint32_t*)iv[0]); 331 *((uint32_t*)(block+ 4)) = *((uint32_t*)iv[1]); 332 *((uint32_t*)(block+ 8)) = *((uint32_t*)iv[2]); 333 *((uint32_t*)(block+12)) = *((uint32_t*)iv[3]); 334 rijndaelEncrypt(key->ek, key->Nr, block, 335 block); 336 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 337 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 338 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 339 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 340 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 341 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 342 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 343 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 344 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 345 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 346 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 347 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 348 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 349 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 350 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 351 iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); 352 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 353 } 354 } 355 break; 356 357 default: 358 return BAD_CIPHER_STATE; 359 } 360 361 explicit_bzero(block, sizeof(block)); 362 return 128*numBlocks; 363 } 364 365 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, 366 const BYTE *input, int inputOctets, BYTE *outBuffer) { 367 int i, numBlocks, padLen, rval; 368 uint8_t block[16]; 369 uint32_t iv[4]; 370 371 if (cipher == NULL || 372 key == NULL || 373 key->direction == DIR_ENCRYPT) { 374 return BAD_CIPHER_STATE; 375 } 376 if (input == NULL || inputOctets <= 0) { 377 return 0; /* nothing to do */ 378 } 379 if (inputOctets % 16 != 0) { 380 return BAD_DATA; 381 } 382 383 numBlocks = inputOctets/16; 384 385 switch (cipher->mode) { 386 case MODE_ECB: 387 /* all blocks but last */ 388 for (i = numBlocks - 1; i > 0; i--) { 389 rijndaelDecrypt(key->rk, key->Nr, input, outBuffer); 390 input += 16; 391 outBuffer += 16; 392 } 393 /* last block */ 394 rijndaelDecrypt(key->rk, key->Nr, input, block); 395 padLen = block[15]; 396 if (padLen >= 16) { 397 rval = BAD_DATA; 398 goto out; 399 } 400 for (i = 16 - padLen; i < 16; i++) { 401 if (block[i] != padLen) { 402 rval = BAD_DATA; 403 goto out; 404 } 405 } 406 memcpy(outBuffer, block, 16 - padLen); 407 break; 408 409 case MODE_CBC: 410 memcpy(iv, cipher->IV, 16); 411 /* all blocks but last */ 412 for (i = numBlocks - 1; i > 0; i--) { 413 rijndaelDecrypt(key->rk, key->Nr, input, block); 414 ((uint32_t*)block)[0] ^= iv[0]; 415 ((uint32_t*)block)[1] ^= iv[1]; 416 ((uint32_t*)block)[2] ^= iv[2]; 417 ((uint32_t*)block)[3] ^= iv[3]; 418 memcpy(iv, input, 16); 419 memcpy(outBuffer, block, 16); 420 input += 16; 421 outBuffer += 16; 422 } 423 /* last block */ 424 rijndaelDecrypt(key->rk, key->Nr, input, block); 425 ((uint32_t*)block)[0] ^= iv[0]; 426 ((uint32_t*)block)[1] ^= iv[1]; 427 ((uint32_t*)block)[2] ^= iv[2]; 428 ((uint32_t*)block)[3] ^= iv[3]; 429 padLen = block[15]; 430 if (padLen <= 0 || padLen > 16) { 431 rval = BAD_DATA; 432 goto out; 433 } 434 for (i = 16 - padLen; i < 16; i++) { 435 if (block[i] != padLen) { 436 rval = BAD_DATA; 437 goto out; 438 } 439 } 440 memcpy(outBuffer, block, 16 - padLen); 441 break; 442 443 default: 444 return BAD_CIPHER_STATE; 445 } 446 447 rval = 16*numBlocks - padLen; 448 449 out: 450 explicit_bzero(block, sizeof(block)); 451 return rval; 452 } 453