]> git.saurik.com Git - apple/network_cmds.git/blame_incremental - racoon.tproj/rijndael-api-fst.c
network_cmds-115.tar.gz
[apple/network_cmds.git] / racoon.tproj / rijndael-api-fst.c
... / ...
CommitLineData
1/* $KAME: rijndael-api-fst.c,v 1.1.1.1 2001/08/08 09:56:23 sakane Exp $ */
2
3/*
4 * rijndael-api-fst.c v2.3 April '2000
5 *
6 * Optimised ANSI C code
7 *
8 * authors: v1.0: Antoon Bosselaers
9 * v2.0: Vincent Rijmen
10 * v2.1: Vincent Rijmen
11 * v2.2: Vincent Rijmen
12 * v2.3: Paulo Barreto
13 * v2.4: Vincent Rijmen
14 *
15 * This code is placed in the public domain.
16 */
17
18#include <sys/param.h>
19#include <sys/types.h>
20#ifdef _KERNEL
21#include <sys/time.h>
22#include <sys/systm.h>
23#else
24#include <string.h>
25#endif
26#include <rijndael-alg-fst.h>
27#include <rijndael-api-fst.h>
28#include <rijndael_local.h>
29
30#include <err.h>
31#define bcopy(a, b, c) memcpy(b, a, c)
32#define bzero(a, b) memset(a, 0, b)
33#define panic(a) err(1, (a))
34
35int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) {
36 word8 k[MAXKC][4];
37 int i;
38 char *keyMat;
39
40 if (key == NULL) {
41 return BAD_KEY_INSTANCE;
42 }
43
44 if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
45 key->direction = direction;
46 } else {
47 return BAD_KEY_DIR;
48 }
49
50 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
51 key->keyLen = keyLen;
52 } else {
53 return BAD_KEY_MAT;
54 }
55
56 if (keyMaterial != NULL) {
57 bcopy(keyMaterial, key->keyMaterial, keyLen/8);
58 }
59
60 key->ROUNDS = keyLen/32 + 6;
61
62 /* initialize key schedule: */
63 keyMat = key->keyMaterial;
64 for (i = 0; i < key->keyLen/8; i++) {
65 k[i >> 2][i & 3] = (word8)keyMat[i];
66 }
67 rijndaelKeySched(k, key->keySched, key->ROUNDS);
68 if (direction == DIR_DECRYPT) {
69 rijndaelKeyEncToDec(key->keySched, key->ROUNDS);
70 }
71
72 return TRUE;
73}
74
75int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
76 if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) {
77 cipher->mode = mode;
78 } else {
79 return BAD_CIPHER_MODE;
80 }
81 if (IV != NULL) {
82 bcopy(IV, cipher->IV, MAX_IV_SIZE);
83 } else {
84 bzero(cipher->IV, MAX_IV_SIZE);
85 }
86 return TRUE;
87}
88
89int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
90 BYTE *input, int inputLen, BYTE *outBuffer) {
91 int i, k, numBlocks;
92 word8 block[16], iv[4][4];
93
94 if (cipher == NULL ||
95 key == NULL ||
96 key->direction == DIR_DECRYPT) {
97 return BAD_CIPHER_STATE;
98 }
99 if (input == NULL || inputLen <= 0) {
100 return 0; /* nothing to do */
101 }
102
103 numBlocks = inputLen/128;
104
105 switch (cipher->mode) {
106 case MODE_ECB:
107 for (i = numBlocks; i > 0; i--) {
108 rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS);
109 input += 16;
110 outBuffer += 16;
111 }
112 break;
113
114 case MODE_CBC:
115#if 0 /*STRICT_ALIGN*/
116 bcopy(cipher->IV, block, 16);
117 bcopy(input, iv, 16);
118 ((word32*)block)[0] ^= ((word32*)iv)[0];
119 ((word32*)block)[1] ^= ((word32*)iv)[1];
120 ((word32*)block)[2] ^= ((word32*)iv)[2];
121 ((word32*)block)[3] ^= ((word32*)iv)[3];
122#else
123 ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)input)[0];
124 ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)input)[1];
125 ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)input)[2];
126 ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)input)[3];
127#endif
128 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
129 input += 16;
130 for (i = numBlocks - 1; i > 0; i--) {
131#if 0 /*STRICT_ALIGN*/
132 bcopy(outBuffer, block, 16);
133 ((word32*)block)[0] ^= ((word32*)iv)[0];
134 ((word32*)block)[1] ^= ((word32*)iv)[1];
135 ((word32*)block)[2] ^= ((word32*)iv)[2];
136 ((word32*)block)[3] ^= ((word32*)iv)[3];
137#else
138 ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
139 ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
140 ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
141 ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
142#endif
143 outBuffer += 16;
144 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
145 input += 16;
146 }
147 break;
148
149 case MODE_CFB1:
150#if 0 /*STRICT_ALIGN*/
151 bcopy(cipher->IV, iv, 16);
152#else /* !STRICT_ALIGN */
153 *((word32*)iv[0]) = *((word32*)(cipher->IV ));
154 *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4));
155 *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8));
156 *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
157#endif /* ?STRICT_ALIGN */
158 for (i = numBlocks; i > 0; i--) {
159 for (k = 0; k < 128; k++) {
160 *((word32*) block ) = *((word32*)iv[0]);
161 *((word32*)(block+ 4)) = *((word32*)iv[1]);
162 *((word32*)(block+ 8)) = *((word32*)iv[2]);
163 *((word32*)(block+12)) = *((word32*)iv[3]);
164 rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
165 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
166 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
167 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
168 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
169 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
170 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
171 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
172 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
173 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
174 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
175 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
176 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
177 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
178 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
179 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
180 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
181 iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
182 }
183 }
184 break;
185
186 default:
187 return BAD_CIPHER_STATE;
188 }
189
190 return 128*numBlocks;
191}
192
193/**
194 * Encrypt data partitioned in octets, using RFC 2040-like padding.
195 *
196 * @param input data to be encrypted (octet sequence)
197 * @param inputOctets input length in octets (not bits)
198 * @param outBuffer encrypted output data
199 *
200 * @return length in octets (not bits) of the encrypted output buffer.
201 */
202int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
203 BYTE *input, int inputOctets, BYTE *outBuffer) {
204 int i, numBlocks, padLen;
205 word8 block[16], *iv, *cp;
206
207 if (cipher == NULL ||
208 key == NULL ||
209 key->direction == DIR_DECRYPT) {
210 return BAD_CIPHER_STATE;
211 }
212 if (input == NULL || inputOctets <= 0) {
213 return 0; /* nothing to do */
214 }
215
216 numBlocks = inputOctets/16;
217
218 switch (cipher->mode) {
219 case MODE_ECB:
220 for (i = numBlocks; i > 0; i--) {
221 rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS);
222 input += 16;
223 outBuffer += 16;
224 }
225 padLen = 16 - (inputOctets - 16*numBlocks);
226 if (padLen > 0 && padLen <= 16)
227 panic("rijndael_padEncrypt(ECB)");
228 bcopy(input, block, 16 - padLen);
229 for (cp = block + 16 - padLen; cp < block + 16; cp++)
230 *cp = padLen;
231 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
232 break;
233
234 case MODE_CBC:
235 iv = cipher->IV;
236 for (i = numBlocks; i > 0; i--) {
237 ((word32*)block)[0] = ((word32*)input)[0] ^ ((word32*)iv)[0];
238 ((word32*)block)[1] = ((word32*)input)[1] ^ ((word32*)iv)[1];
239 ((word32*)block)[2] = ((word32*)input)[2] ^ ((word32*)iv)[2];
240 ((word32*)block)[3] = ((word32*)input)[3] ^ ((word32*)iv)[3];
241 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
242 iv = outBuffer;
243 input += 16;
244 outBuffer += 16;
245 }
246#if 0 /*XXX i'm not sure that is correct. sakane@kame.net */
247 padLen = 16 - (inputOctets - 16*numBlocks);
248#else
249 padLen = 16 - inputOctets % 16;
250 if (padLen == 16)
251 padLen = 0;
252#endif
253 if (padLen > 0 && padLen <= 16)
254 panic("rijndael_padEncrypt(CBC)");
255 for (i = 0; i < 16 - padLen; i++) {
256 block[i] = input[i] ^ iv[i];
257 }
258 for (i = 16 - padLen; i < 16; i++) {
259 block[i] = (BYTE)padLen ^ iv[i];
260 }
261 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
262 break;
263
264 default:
265 return BAD_CIPHER_STATE;
266 }
267
268 return 16*(numBlocks + 1);
269}
270
271int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
272 BYTE *input, int inputLen, BYTE *outBuffer) {
273 int i, k, numBlocks;
274 word8 block[16], iv[4][4];
275
276 if (cipher == NULL ||
277 key == NULL ||
278 (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) {
279 return BAD_CIPHER_STATE;
280 }
281 if (input == NULL || inputLen <= 0) {
282 return 0; /* nothing to do */
283 }
284
285 numBlocks = inputLen/128;
286
287 switch (cipher->mode) {
288 case MODE_ECB:
289 for (i = numBlocks; i > 0; i--) {
290 rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS);
291 input += 16;
292 outBuffer += 16;
293 }
294 break;
295
296 case MODE_CBC:
297#if 0 /*STRICT_ALIGN */
298 bcopy(cipher->IV, iv, 16);
299#else
300 *((word32*)iv[0]) = *((word32*)(cipher->IV ));
301 *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4));
302 *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8));
303 *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
304#endif
305 for (i = numBlocks; i > 0; i--) {
306 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
307 ((word32*)block)[0] ^= *((word32*)iv[0]);
308 ((word32*)block)[1] ^= *((word32*)iv[1]);
309 ((word32*)block)[2] ^= *((word32*)iv[2]);
310 ((word32*)block)[3] ^= *((word32*)iv[3]);
311#if 0 /*STRICT_ALIGN*/
312 bcopy(input, iv, 16);
313 bcopy(block, outBuffer, 16);
314#else
315 *((word32*)iv[0]) = ((word32*)input)[0]; ((word32*)outBuffer)[0] = ((word32*)block)[0];
316 *((word32*)iv[1]) = ((word32*)input)[1]; ((word32*)outBuffer)[1] = ((word32*)block)[1];
317 *((word32*)iv[2]) = ((word32*)input)[2]; ((word32*)outBuffer)[2] = ((word32*)block)[2];
318 *((word32*)iv[3]) = ((word32*)input)[3]; ((word32*)outBuffer)[3] = ((word32*)block)[3];
319#endif
320 input += 16;
321 outBuffer += 16;
322 }
323 break;
324
325 case MODE_CFB1:
326#if 0 /*STRICT_ALIGN */
327 bcopy(cipher->IV, iv, 16);
328#else
329 *((word32*)iv[0]) = *((word32*)(cipher->IV));
330 *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4));
331 *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8));
332 *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
333#endif
334 for (i = numBlocks; i > 0; i--) {
335 for (k = 0; k < 128; k++) {
336 *((word32*) block ) = *((word32*)iv[0]);
337 *((word32*)(block+ 4)) = *((word32*)iv[1]);
338 *((word32*)(block+ 8)) = *((word32*)iv[2]);
339 *((word32*)(block+12)) = *((word32*)iv[3]);
340 rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
341 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
342 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
343 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
344 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
345 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
346 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
347 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
348 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
349 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
350 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
351 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
352 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
353 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
354 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
355 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
356 iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1);
357 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
358 }
359 }
360 break;
361
362 default:
363 return BAD_CIPHER_STATE;
364 }
365
366 return 128*numBlocks;
367}
368
369int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
370 BYTE *input, int inputOctets, BYTE *outBuffer) {
371 int i, numBlocks, padLen;
372 word8 block[16];
373 word32 iv[4];
374
375 if (cipher == NULL ||
376 key == NULL ||
377 key->direction == DIR_ENCRYPT) {
378 return BAD_CIPHER_STATE;
379 }
380 if (input == NULL || inputOctets <= 0) {
381 return 0; /* nothing to do */
382 }
383 if (inputOctets % 16 != 0) {
384 return BAD_DATA;
385 }
386
387 numBlocks = inputOctets/16;
388
389 switch (cipher->mode) {
390 case MODE_ECB:
391 /* all blocks but last */
392 for (i = numBlocks - 1; i > 0; i--) {
393 rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS);
394 input += 16;
395 outBuffer += 16;
396 }
397 /* last block */
398 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
399 padLen = block[15];
400 if (padLen >= 16) {
401 return BAD_DATA;
402 }
403 for (i = 16 - padLen; i < 16; i++) {
404 if (block[i] != padLen) {
405 return BAD_DATA;
406 }
407 }
408 bcopy(block, outBuffer, 16 - padLen);
409 break;
410
411 case MODE_CBC:
412 bcopy(cipher->IV, iv, 16);
413 /* all blocks but last */
414 for (i = numBlocks - 1; i > 0; i--) {
415 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
416 ((word32*)block)[0] ^= iv[0];
417 ((word32*)block)[1] ^= iv[1];
418 ((word32*)block)[2] ^= iv[2];
419 ((word32*)block)[3] ^= iv[3];
420 bcopy(input, iv, 16);
421 bcopy(block, outBuffer, 16);
422 input += 16;
423 outBuffer += 16;
424 }
425 /* last block */
426 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
427 ((word32*)block)[0] ^= iv[0];
428 ((word32*)block)[1] ^= iv[1];
429 ((word32*)block)[2] ^= iv[2];
430 ((word32*)block)[3] ^= iv[3];
431 padLen = block[15];
432 if (padLen <= 0 || padLen > 16) {
433 return BAD_DATA;
434 }
435 for (i = 16 - padLen; i < 16; i++) {
436 if (block[i] != padLen) {
437 return BAD_DATA;
438 }
439 }
440 bcopy(block, outBuffer, 16 - padLen);
441 break;
442
443 default:
444 return BAD_CIPHER_STATE;
445 }
446
447 return 16*numBlocks - padLen;
448}
449
450#ifdef INTERMEDIATE_VALUE_KAT
451/**
452 * cipherUpdateRounds:
453 *
454 * Encrypts/Decrypts exactly one full block a specified number of rounds.
455 * Only used in the Intermediate Value Known Answer Test.
456 *
457 * Returns:
458 * TRUE - on success
459 * BAD_CIPHER_STATE - cipher in bad state (e.g., not initialized)
460 */
461int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
462 BYTE *input, int inputLen, BYTE *outBuffer, int rounds) {
463 int j;
464 word8 block[4][4];
465
466 if (cipher == NULL || key == NULL) {
467 return BAD_CIPHER_STATE;
468 }
469
470 for (j = 3; j >= 0; j--) {
471 /* parse input stream into rectangular array */
472 *((word32*)block[j]) = *((word32*)(input+4*j));
473 }
474
475 switch (key->direction) {
476 case DIR_ENCRYPT:
477 rijndaelEncryptRound(block, key->keySched, key->ROUNDS, rounds);
478 break;
479
480 case DIR_DECRYPT:
481 rijndaelDecryptRound(block, key->keySched, key->ROUNDS, rounds);
482 break;
483
484 default:
485 return BAD_KEY_DIR;
486 }
487
488 for (j = 3; j >= 0; j--) {
489 /* parse rectangular array into output ciphertext bytes */
490 *((word32*)(outBuffer+4*j)) = *((word32*)block[j]);
491 }
492
493 return TRUE;
494}
495#endif /* INTERMEDIATE_VALUE_KAT */