1 /* $KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $ */ 2 3 /* 4 * rijndael-api-fst.c v2.3 April '2000 5 * 6 * Optimised ANSI C code 7 * 8 * authors: v1.0: Antoon Bosselaers 9 * v2.0: Vincent Rijmen 10 * v2.1: Vincent Rijmen 11 * v2.2: Vincent Rijmen 12 * v2.3: Paulo Barreto 13 * v2.4: Vincent Rijmen 14 * 15 * This code is placed in the public domain. 16 */ 17 18 #include <sys/cdefs.h> 19 __FBSDID("$FreeBSD$"); 20 21 #include <sys/param.h> 22 #include <sys/types.h> 23 #ifdef _KERNEL 24 #include <sys/systm.h> 25 #else 26 #include <string.h> 27 #endif 28 #include <crypto/rijndael/rijndael-alg-fst.h> 29 #include <crypto/rijndael/rijndael-api-fst.h> 30 #include <crypto/rijndael/rijndael_local.h> 31 32 #ifndef TRUE 33 #define TRUE 1 34 #endif 35 36 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) { 37 word8 k[MAXKC][4]; 38 int i; 39 char *keyMat; 40 41 if (key == NULL) { 42 return BAD_KEY_INSTANCE; 43 } 44 45 if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) { 46 key->direction = direction; 47 } else { 48 return BAD_KEY_DIR; 49 } 50 51 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) { 52 key->keyLen = keyLen; 53 } else { 54 return BAD_KEY_MAT; 55 } 56 57 if (keyMaterial != NULL) { 58 bcopy(keyMaterial, key->keyMaterial, keyLen/8); 59 } 60 61 key->ROUNDS = keyLen/32 + 6; 62 63 /* initialize key schedule: */ 64 keyMat = key->keyMaterial; 65 for (i = 0; i < key->keyLen/8; i++) { 66 k[i >> 2][i & 3] = (word8)keyMat[i]; 67 } 68 rijndaelKeySched(k, key->keySched, key->ROUNDS); 69 if (direction == DIR_DECRYPT) { 70 rijndaelKeyEncToDec(key->keySched, key->ROUNDS); 71 } 72 73 return TRUE; 74 } 75 76 int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) { 77 if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) { 78 cipher->mode = mode; 79 } else { 80 return BAD_CIPHER_MODE; 81 } 82 if (IV != NULL) { 83 bcopy(IV, cipher->IV, MAX_IV_SIZE); 84 } else { 85 bzero(cipher->IV, MAX_IV_SIZE); 86 } 87 return TRUE; 88 } 89 90 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, 91 BYTE *input, int inputLen, BYTE *outBuffer) { 92 int i, k, numBlocks; 93 word8 block[16], iv[4][4]; 94 95 if (cipher == NULL || 96 key == NULL || 97 key->direction == DIR_DECRYPT) { 98 return BAD_CIPHER_STATE; 99 } 100 if (input == NULL || inputLen <= 0) { 101 return 0; /* nothing to do */ 102 } 103 104 numBlocks = inputLen/128; 105 106 switch (cipher->mode) { 107 case MODE_ECB: 108 for (i = numBlocks; i > 0; i--) { 109 rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS); 110 input += 16; 111 outBuffer += 16; 112 } 113 break; 114 115 case MODE_CBC: 116 #if 1 /*STRICT_ALIGN*/ 117 bcopy(cipher->IV, block, 16); 118 bcopy(input, iv, 16); 119 ((word32*)block)[0] ^= ((word32*)iv)[0]; 120 ((word32*)block)[1] ^= ((word32*)iv)[1]; 121 ((word32*)block)[2] ^= ((word32*)iv)[2]; 122 ((word32*)block)[3] ^= ((word32*)iv)[3]; 123 #else 124 ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)input)[0]; 125 ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)input)[1]; 126 ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)input)[2]; 127 ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)input)[3]; 128 #endif 129 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); 130 input += 16; 131 for (i = numBlocks - 1; i > 0; i--) { 132 #if 1 /*STRICT_ALIGN*/ 133 bcopy(outBuffer, block, 16); 134 bcopy(input, iv, 16); 135 ((word32*)block)[0] ^= ((word32*)iv)[0]; 136 ((word32*)block)[1] ^= ((word32*)iv)[1]; 137 ((word32*)block)[2] ^= ((word32*)iv)[2]; 138 ((word32*)block)[3] ^= ((word32*)iv)[3]; 139 #else 140 ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0]; 141 ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1]; 142 ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2]; 143 ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3]; 144 #endif 145 outBuffer += 16; 146 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); 147 input += 16; 148 } 149 break; 150 151 case MODE_CFB1: 152 #if 1 /*STRICT_ALIGN*/ 153 bcopy(cipher->IV, iv, 16); 154 #else /* !STRICT_ALIGN */ 155 *((word32*)iv[0]) = *((word32*)(cipher->IV )); 156 *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); 157 *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); 158 *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); 159 #endif /* ?STRICT_ALIGN */ 160 for (i = numBlocks; i > 0; i--) { 161 for (k = 0; k < 128; k++) { 162 *((word32*) block ) = *((word32*)iv[0]); 163 *((word32*)(block+ 4)) = *((word32*)iv[1]); 164 *((word32*)(block+ 8)) = *((word32*)iv[2]); 165 *((word32*)(block+12)) = *((word32*)iv[3]); 166 rijndaelEncrypt(block, block, key->keySched, key->ROUNDS); 167 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 168 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 169 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 170 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 171 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 172 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 173 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 174 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 175 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 176 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 177 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 178 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 179 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 180 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 181 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 182 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 183 iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1); 184 } 185 } 186 break; 187 188 default: 189 return BAD_CIPHER_STATE; 190 } 191 192 return 128*numBlocks; 193 } 194 195 /** 196 * Encrypt data partitioned in octets, using RFC 2040-like padding. 197 * 198 * @param input data to be encrypted (octet sequence) 199 * @param inputOctets input length in octets (not bits) 200 * @param outBuffer encrypted output data 201 * 202 * @return length in octets (not bits) of the encrypted output buffer. 203 */ 204 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, 205 BYTE *input, int inputOctets, BYTE *outBuffer) { 206 int i, numBlocks, padLen; 207 word8 block[16], *iv, *cp; 208 209 if (cipher == NULL || 210 key == NULL || 211 key->direction == DIR_DECRYPT) { 212 return BAD_CIPHER_STATE; 213 } 214 if (input == NULL || inputOctets <= 0) { 215 return 0; /* nothing to do */ 216 } 217 218 numBlocks = inputOctets/16; 219 220 switch (cipher->mode) { 221 case MODE_ECB: 222 for (i = numBlocks; i > 0; i--) { 223 rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS); 224 input += 16; 225 outBuffer += 16; 226 } 227 padLen = 16 - (inputOctets - 16*numBlocks); 228 if (padLen <= 0 || padLen > 16) 229 return BAD_CIPHER_STATE; 230 bcopy(input, block, 16 - padLen); 231 for (cp = block + 16 - padLen; cp < block + 16; cp++) 232 *cp = padLen; 233 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); 234 break; 235 236 case MODE_CBC: 237 iv = cipher->IV; 238 for (i = numBlocks; i > 0; i--) { 239 ((word32*)block)[0] = ((word32*)input)[0] ^ ((word32*)iv)[0]; 240 ((word32*)block)[1] = ((word32*)input)[1] ^ ((word32*)iv)[1]; 241 ((word32*)block)[2] = ((word32*)input)[2] ^ ((word32*)iv)[2]; 242 ((word32*)block)[3] = ((word32*)input)[3] ^ ((word32*)iv)[3]; 243 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); 244 iv = outBuffer; 245 input += 16; 246 outBuffer += 16; 247 } 248 padLen = 16 - (inputOctets - 16*numBlocks); 249 if (padLen <= 0 || padLen > 16) 250 return BAD_CIPHER_STATE; 251 for (i = 0; i < 16 - padLen; i++) { 252 block[i] = input[i] ^ iv[i]; 253 } 254 for (i = 16 - padLen; i < 16; i++) { 255 block[i] = (BYTE)padLen ^ iv[i]; 256 } 257 rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); 258 break; 259 260 default: 261 return BAD_CIPHER_STATE; 262 } 263 264 return 16*(numBlocks + 1); 265 } 266 267 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, 268 BYTE *input, int inputLen, BYTE *outBuffer) { 269 int i, k, numBlocks; 270 word8 block[16], iv[4][4]; 271 272 if (cipher == NULL || 273 key == NULL || 274 (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) { 275 return BAD_CIPHER_STATE; 276 } 277 if (input == NULL || inputLen <= 0) { 278 return 0; /* nothing to do */ 279 } 280 281 numBlocks = inputLen/128; 282 283 switch (cipher->mode) { 284 case MODE_ECB: 285 for (i = numBlocks; i > 0; i--) { 286 rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS); 287 input += 16; 288 outBuffer += 16; 289 } 290 break; 291 292 case MODE_CBC: 293 #if 1 /*STRICT_ALIGN */ 294 bcopy(cipher->IV, iv, 16); 295 #else 296 *((word32*)iv[0]) = *((word32*)(cipher->IV )); 297 *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); 298 *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); 299 *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); 300 #endif 301 for (i = numBlocks; i > 0; i--) { 302 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); 303 ((word32*)block)[0] ^= *((word32*)iv[0]); 304 ((word32*)block)[1] ^= *((word32*)iv[1]); 305 ((word32*)block)[2] ^= *((word32*)iv[2]); 306 ((word32*)block)[3] ^= *((word32*)iv[3]); 307 #if 1 /*STRICT_ALIGN*/ 308 bcopy(input, iv, 16); 309 bcopy(block, outBuffer, 16); 310 #else 311 *((word32*)iv[0]) = ((word32*)input)[0]; ((word32*)outBuffer)[0] = ((word32*)block)[0]; 312 *((word32*)iv[1]) = ((word32*)input)[1]; ((word32*)outBuffer)[1] = ((word32*)block)[1]; 313 *((word32*)iv[2]) = ((word32*)input)[2]; ((word32*)outBuffer)[2] = ((word32*)block)[2]; 314 *((word32*)iv[3]) = ((word32*)input)[3]; ((word32*)outBuffer)[3] = ((word32*)block)[3]; 315 #endif 316 input += 16; 317 outBuffer += 16; 318 } 319 break; 320 321 case MODE_CFB1: 322 #if 1 /*STRICT_ALIGN */ 323 bcopy(cipher->IV, iv, 16); 324 #else 325 *((word32*)iv[0]) = *((word32*)(cipher->IV)); 326 *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); 327 *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); 328 *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); 329 #endif 330 for (i = numBlocks; i > 0; i--) { 331 for (k = 0; k < 128; k++) { 332 *((word32*) block ) = *((word32*)iv[0]); 333 *((word32*)(block+ 4)) = *((word32*)iv[1]); 334 *((word32*)(block+ 8)) = *((word32*)iv[2]); 335 *((word32*)(block+12)) = *((word32*)iv[3]); 336 rijndaelEncrypt(block, block, key->keySched, key->ROUNDS); 337 iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); 338 iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); 339 iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); 340 iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); 341 iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); 342 iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); 343 iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); 344 iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); 345 iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); 346 iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); 347 iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); 348 iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); 349 iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); 350 iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); 351 iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); 352 iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); 353 outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); 354 } 355 } 356 break; 357 358 default: 359 return BAD_CIPHER_STATE; 360 } 361 362 return 128*numBlocks; 363 } 364 365 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, 366 BYTE *input, int inputOctets, BYTE *outBuffer) { 367 int i, numBlocks, padLen; 368 word8 block[16]; 369 word32 iv[4]; 370 371 if (cipher == NULL || 372 key == NULL || 373 key->direction == DIR_ENCRYPT) { 374 return BAD_CIPHER_STATE; 375 } 376 if (input == NULL || inputOctets <= 0) { 377 return 0; /* nothing to do */ 378 } 379 if (inputOctets % 16 != 0) { 380 return BAD_DATA; 381 } 382 383 numBlocks = inputOctets/16; 384 385 switch (cipher->mode) { 386 case MODE_ECB: 387 /* all blocks but last */ 388 for (i = numBlocks - 1; i > 0; i--) { 389 rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS); 390 input += 16; 391 outBuffer += 16; 392 } 393 /* last block */ 394 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); 395 padLen = block[15]; 396 if (padLen >= 16) { 397 return BAD_DATA; 398 } 399 for (i = 16 - padLen; i < 16; i++) { 400 if (block[i] != padLen) { 401 return BAD_DATA; 402 } 403 } 404 bcopy(block, outBuffer, 16 - padLen); 405 break; 406 407 case MODE_CBC: 408 bcopy(cipher->IV, iv, 16); 409 /* all blocks but last */ 410 for (i = numBlocks - 1; i > 0; i--) { 411 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); 412 ((word32*)block)[0] ^= iv[0]; 413 ((word32*)block)[1] ^= iv[1]; 414 ((word32*)block)[2] ^= iv[2]; 415 ((word32*)block)[3] ^= iv[3]; 416 bcopy(input, iv, 16); 417 bcopy(block, outBuffer, 16); 418 input += 16; 419 outBuffer += 16; 420 } 421 /* last block */ 422 rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); 423 ((word32*)block)[0] ^= iv[0]; 424 ((word32*)block)[1] ^= iv[1]; 425 ((word32*)block)[2] ^= iv[2]; 426 ((word32*)block)[3] ^= iv[3]; 427 padLen = block[15]; 428 if (padLen <= 0 || padLen > 16) { 429 return BAD_DATA; 430 } 431 for (i = 16 - padLen; i < 16; i++) { 432 if (block[i] != padLen) { 433 return BAD_DATA; 434 } 435 } 436 bcopy(block, outBuffer, 16 - padLen); 437 break; 438 439 default: 440 return BAD_CIPHER_STATE; 441 } 442 443 return 16*numBlocks - padLen; 444 } 445 446 #ifdef INTERMEDIATE_VALUE_KAT 447 /** 448 * cipherUpdateRounds: 449 * 450 * Encrypts/Decrypts exactly one full block a specified number of rounds. 451 * Only used in the Intermediate Value Known Answer Test. 452 * 453 * Returns: 454 * TRUE - on success 455 * BAD_CIPHER_STATE - cipher in bad state (e.g., not initialized) 456 */ 457 int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key, 458 BYTE *input, int inputLen, BYTE *outBuffer, int rounds) { 459 int j; 460 word8 block[4][4]; 461 462 if (cipher == NULL || key == NULL) { 463 return BAD_CIPHER_STATE; 464 } 465 466 for (j = 3; j >= 0; j--) { 467 /* parse input stream into rectangular array */ 468 *((word32*)block[j]) = *((word32*)(input+4*j)); 469 } 470 471 switch (key->direction) { 472 case DIR_ENCRYPT: 473 rijndaelEncryptRound(block, key->keySched, key->ROUNDS, rounds); 474 break; 475 476 case DIR_DECRYPT: 477 rijndaelDecryptRound(block, key->keySched, key->ROUNDS, rounds); 478 break; 479 480 default: 481 return BAD_KEY_DIR; 482 } 483 484 for (j = 3; j >= 0; j--) { 485 /* parse rectangular array into output ciphertext bytes */ 486 *((word32*)(outBuffer+4*j)) = *((word32*)block[j]); 487 } 488 489 return TRUE; 490 } 491 #endif /* INTERMEDIATE_VALUE_KAT */ 492