xref: /freebsd/sys/crypto/rijndael/rijndael-api-fst.c (revision da5069e1f7daaef1e7157876d6044de6f3a08ce2)
1 /*	$KAME: rijndael-api-fst.c,v 1.10 2001/05/27 09:34:18 itojun Exp $	*/
2 
3 /*
4  * rijndael-api-fst.c   v2.3   April '2000
5  *
6  * Optimised ANSI C code
7  *
8  * authors: v1.0: Antoon Bosselaers
9  *          v2.0: Vincent Rijmen
10  *          v2.1: Vincent Rijmen
11  *          v2.2: Vincent Rijmen
12  *          v2.3: Paulo Barreto
13  *          v2.4: Vincent Rijmen
14  *
15  * This code is placed in the public domain.
16  */
17 
18 #include <sys/cdefs.h>
19 __FBSDID("$FreeBSD$");
20 
21 #include <sys/param.h>
22 #ifdef _KERNEL
23 #include <sys/systm.h>
24 #else
25 #include <string.h>
26 #endif
27 
28 #include <crypto/rijndael/rijndael_local.h>
29 #include <crypto/rijndael/rijndael-api-fst.h>
30 
31 #ifndef TRUE
32 #define TRUE 1
33 #endif
34 
35 typedef u_int8_t	BYTE;
36 
37 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
38 	const char *keyMaterial) {
39 
40 	if (key == NULL) {
41 		return BAD_KEY_INSTANCE;
42 	}
43 
44 	if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
45 		key->direction = direction;
46 	} else {
47 		return BAD_KEY_DIR;
48 	}
49 
50 	if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
51 		key->keyLen = keyLen;
52 	} else {
53 		return BAD_KEY_MAT;
54 	}
55 
56 	if (keyMaterial != NULL) {
57 		memcpy(key->keyMaterial, keyMaterial, keyLen/8);
58 	}
59 
60 	/* initialize key schedule: */
61 	if (direction == DIR_ENCRYPT) {
62 		key->Nr = rijndaelKeySetupEnc(key->rk, key->keyMaterial, keyLen);
63 	} else {
64 		key->Nr = rijndaelKeySetupDec(key->rk, key->keyMaterial, keyLen);
65 	}
66 	rijndaelKeySetupEnc(key->ek, key->keyMaterial, keyLen);
67 	return TRUE;
68 }
69 
70 int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
71 	if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) {
72 		cipher->mode = mode;
73 	} else {
74 		return BAD_CIPHER_MODE;
75 	}
76 	if (IV != NULL) {
77 		memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE);
78 	} else {
79 		memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
80 	}
81 	return TRUE;
82 }
83 
84 int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
85 		const BYTE *input, int inputLen, BYTE *outBuffer) {
86 	int i, k, numBlocks;
87 	u_int8_t block[16], iv[4][4];
88 
89 	if (cipher == NULL ||
90 		key == NULL ||
91 		key->direction == DIR_DECRYPT) {
92 		return BAD_CIPHER_STATE;
93 	}
94 	if (input == NULL || inputLen <= 0) {
95 		return 0; /* nothing to do */
96 	}
97 
98 	numBlocks = inputLen/128;
99 
100 	switch (cipher->mode) {
101 	case MODE_ECB:
102 		for (i = numBlocks; i > 0; i--) {
103 			rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
104 			input += 16;
105 			outBuffer += 16;
106 		}
107 		break;
108 
109 	case MODE_CBC:
110 #if 1 /*STRICT_ALIGN*/
111 		memcpy(block, cipher->IV, 16);
112 		memcpy(iv, input, 16);
113 		((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0];
114 		((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1];
115 		((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2];
116 		((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3];
117 #else
118 		((u_int32_t*)block)[0] = ((u_int32_t*)cipher->IV)[0] ^ ((u_int32_t*)input)[0];
119 		((u_int32_t*)block)[1] = ((u_int32_t*)cipher->IV)[1] ^ ((u_int32_t*)input)[1];
120 		((u_int32_t*)block)[2] = ((u_int32_t*)cipher->IV)[2] ^ ((u_int32_t*)input)[2];
121 		((u_int32_t*)block)[3] = ((u_int32_t*)cipher->IV)[3] ^ ((u_int32_t*)input)[3];
122 #endif
123 		rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
124 		input += 16;
125 		for (i = numBlocks - 1; i > 0; i--) {
126 #if 1 /*STRICT_ALIGN*/
127 			memcpy(block, outBuffer, 16);
128 			memcpy(iv, input, 16);
129 			((u_int32_t*)block)[0] ^= ((u_int32_t*)iv)[0];
130 			((u_int32_t*)block)[1] ^= ((u_int32_t*)iv)[1];
131 			((u_int32_t*)block)[2] ^= ((u_int32_t*)iv)[2];
132 			((u_int32_t*)block)[3] ^= ((u_int32_t*)iv)[3];
133 #else
134 			((u_int32_t*)block)[0] = ((u_int32_t*)outBuffer)[0] ^ ((u_int32_t*)input)[0];
135 			((u_int32_t*)block)[1] = ((u_int32_t*)outBuffer)[1] ^ ((u_int32_t*)input)[1];
136 			((u_int32_t*)block)[2] = ((u_int32_t*)outBuffer)[2] ^ ((u_int32_t*)input)[2];
137 			((u_int32_t*)block)[3] = ((u_int32_t*)outBuffer)[3] ^ ((u_int32_t*)input)[3];
138 #endif
139 			outBuffer += 16;
140 			rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
141 			input += 16;
142 		}
143 		break;
144 
145 	case MODE_CFB1:
146 #if 1 /*STRICT_ALIGN*/
147 		memcpy(iv, cipher->IV, 16);
148 #else  /* !STRICT_ALIGN */
149 		*((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV   ));
150 		*((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4));
151 		*((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8));
152 		*((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12));
153 #endif /* ?STRICT_ALIGN */
154 		for (i = numBlocks; i > 0; i--) {
155 			for (k = 0; k < 128; k++) {
156 				*((u_int32_t*) block    ) = *((u_int32_t*)iv[0]);
157 				*((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]);
158 				*((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]);
159 				*((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]);
160 				rijndaelEncrypt(key->ek, key->Nr, block,
161 				    block);
162 				outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
163 				iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
164 				iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
165 				iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
166 				iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
167 				iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
168 				iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
169 				iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
170 				iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
171 				iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
172 				iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
173 				iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
174 				iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
175 				iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
176 				iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
177 				iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
178 				iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
179 			}
180 		}
181 		break;
182 
183 	default:
184 		return BAD_CIPHER_STATE;
185 	}
186 
187 	explicit_bzero(block, sizeof(block));
188 	return 128*numBlocks;
189 }
190 
191 /**
192  * Encrypt data partitioned in octets, using RFC 2040-like padding.
193  *
194  * @param   input           data to be encrypted (octet sequence)
195  * @param   inputOctets		input length in octets (not bits)
196  * @param   outBuffer       encrypted output data
197  *
198  * @return	length in octets (not bits) of the encrypted output buffer.
199  */
200 int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
201 		const BYTE *input, int inputOctets, BYTE *outBuffer) {
202 	int i, numBlocks, padLen;
203 	u_int8_t block[16], *iv, *cp;
204 
205 	if (cipher == NULL ||
206 		key == NULL ||
207 		key->direction == DIR_DECRYPT) {
208 		return BAD_CIPHER_STATE;
209 	}
210 	if (input == NULL || inputOctets <= 0) {
211 		return 0; /* nothing to do */
212 	}
213 
214 	numBlocks = inputOctets/16;
215 
216 	switch (cipher->mode) {
217 	case MODE_ECB:
218 		for (i = numBlocks; i > 0; i--) {
219 			rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
220 			input += 16;
221 			outBuffer += 16;
222 		}
223 		padLen = 16 - (inputOctets - 16*numBlocks);
224 		if (padLen <= 0 || padLen > 16)
225 			return BAD_CIPHER_STATE;
226 		memcpy(block, input, 16 - padLen);
227 		for (cp = block + 16 - padLen; cp < block + 16; cp++)
228 			*cp = padLen;
229 		rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
230 		break;
231 
232 	case MODE_CBC:
233 		iv = cipher->IV;
234 		for (i = numBlocks; i > 0; i--) {
235 			((u_int32_t*)block)[0] = ((const u_int32_t*)input)[0] ^ ((u_int32_t*)iv)[0];
236 			((u_int32_t*)block)[1] = ((const u_int32_t*)input)[1] ^ ((u_int32_t*)iv)[1];
237 			((u_int32_t*)block)[2] = ((const u_int32_t*)input)[2] ^ ((u_int32_t*)iv)[2];
238 			((u_int32_t*)block)[3] = ((const u_int32_t*)input)[3] ^ ((u_int32_t*)iv)[3];
239 			rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
240 			iv = outBuffer;
241 			input += 16;
242 			outBuffer += 16;
243 		}
244 		padLen = 16 - (inputOctets - 16*numBlocks);
245 		if (padLen <= 0 || padLen > 16)
246 			return BAD_CIPHER_STATE;
247 		for (i = 0; i < 16 - padLen; i++) {
248 			block[i] = input[i] ^ iv[i];
249 		}
250 		for (i = 16 - padLen; i < 16; i++) {
251 			block[i] = (BYTE)padLen ^ iv[i];
252 		}
253 		rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
254 		break;
255 
256 	default:
257 		return BAD_CIPHER_STATE;
258 	}
259 
260 	explicit_bzero(block, sizeof(block));
261 	return 16*(numBlocks + 1);
262 }
263 
264 int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
265 		const BYTE *input, int inputLen, BYTE *outBuffer) {
266 	int i, k, numBlocks;
267 	u_int8_t block[16], iv[4][4];
268 
269 	if (cipher == NULL ||
270 		key == NULL ||
271 		(cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) {
272 		return BAD_CIPHER_STATE;
273 	}
274 	if (input == NULL || inputLen <= 0) {
275 		return 0; /* nothing to do */
276 	}
277 
278 	numBlocks = inputLen/128;
279 
280 	switch (cipher->mode) {
281 	case MODE_ECB:
282 		for (i = numBlocks; i > 0; i--) {
283 			rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
284 			input += 16;
285 			outBuffer += 16;
286 		}
287 		break;
288 
289 	case MODE_CBC:
290 #if 1 /*STRICT_ALIGN */
291 		memcpy(iv, cipher->IV, 16);
292 #else
293 		*((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV   ));
294 		*((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4));
295 		*((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8));
296 		*((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12));
297 #endif
298 		for (i = numBlocks; i > 0; i--) {
299 			rijndaelDecrypt(key->rk, key->Nr, input, block);
300 			((u_int32_t*)block)[0] ^= *((u_int32_t*)iv[0]);
301 			((u_int32_t*)block)[1] ^= *((u_int32_t*)iv[1]);
302 			((u_int32_t*)block)[2] ^= *((u_int32_t*)iv[2]);
303 			((u_int32_t*)block)[3] ^= *((u_int32_t*)iv[3]);
304 #if 1 /*STRICT_ALIGN*/
305 			memcpy(iv, input, 16);
306 			memcpy(outBuffer, block, 16);
307 #else
308 			*((u_int32_t*)iv[0]) = ((u_int32_t*)input)[0]; ((u_int32_t*)outBuffer)[0] = ((u_int32_t*)block)[0];
309 			*((u_int32_t*)iv[1]) = ((u_int32_t*)input)[1]; ((u_int32_t*)outBuffer)[1] = ((u_int32_t*)block)[1];
310 			*((u_int32_t*)iv[2]) = ((u_int32_t*)input)[2]; ((u_int32_t*)outBuffer)[2] = ((u_int32_t*)block)[2];
311 			*((u_int32_t*)iv[3]) = ((u_int32_t*)input)[3]; ((u_int32_t*)outBuffer)[3] = ((u_int32_t*)block)[3];
312 #endif
313 			input += 16;
314 			outBuffer += 16;
315 		}
316 		break;
317 
318 	case MODE_CFB1:
319 #if 1 /*STRICT_ALIGN */
320 		memcpy(iv, cipher->IV, 16);
321 #else
322 		*((u_int32_t*)iv[0]) = *((u_int32_t*)(cipher->IV));
323 		*((u_int32_t*)iv[1]) = *((u_int32_t*)(cipher->IV+ 4));
324 		*((u_int32_t*)iv[2]) = *((u_int32_t*)(cipher->IV+ 8));
325 		*((u_int32_t*)iv[3]) = *((u_int32_t*)(cipher->IV+12));
326 #endif
327 		for (i = numBlocks; i > 0; i--) {
328 			for (k = 0; k < 128; k++) {
329 				*((u_int32_t*) block    ) = *((u_int32_t*)iv[0]);
330 				*((u_int32_t*)(block+ 4)) = *((u_int32_t*)iv[1]);
331 				*((u_int32_t*)(block+ 8)) = *((u_int32_t*)iv[2]);
332 				*((u_int32_t*)(block+12)) = *((u_int32_t*)iv[3]);
333 				rijndaelEncrypt(key->ek, key->Nr, block,
334 				    block);
335 				iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
336 				iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
337 				iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
338 				iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
339 				iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
340 				iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
341 				iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
342 				iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
343 				iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
344 				iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
345 				iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
346 				iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
347 				iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
348 				iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
349 				iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
350 				iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1);
351 				outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
352 			}
353 		}
354 		break;
355 
356 	default:
357 		return BAD_CIPHER_STATE;
358 	}
359 
360 	explicit_bzero(block, sizeof(block));
361 	return 128*numBlocks;
362 }
363 
364 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
365 		const BYTE *input, int inputOctets, BYTE *outBuffer) {
366 	int i, numBlocks, padLen, rval;
367 	u_int8_t block[16];
368 	u_int32_t iv[4];
369 
370 	if (cipher == NULL ||
371 		key == NULL ||
372 		key->direction == DIR_ENCRYPT) {
373 		return BAD_CIPHER_STATE;
374 	}
375 	if (input == NULL || inputOctets <= 0) {
376 		return 0; /* nothing to do */
377 	}
378 	if (inputOctets % 16 != 0) {
379 		return BAD_DATA;
380 	}
381 
382 	numBlocks = inputOctets/16;
383 
384 	switch (cipher->mode) {
385 	case MODE_ECB:
386 		/* all blocks but last */
387 		for (i = numBlocks - 1; i > 0; i--) {
388 			rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
389 			input += 16;
390 			outBuffer += 16;
391 		}
392 		/* last block */
393 		rijndaelDecrypt(key->rk, key->Nr, input, block);
394 		padLen = block[15];
395 		if (padLen >= 16) {
396 			rval = BAD_DATA;
397 			goto out;
398 		}
399 		for (i = 16 - padLen; i < 16; i++) {
400 			if (block[i] != padLen) {
401 				rval = BAD_DATA;
402 				goto out;
403 			}
404 		}
405 		memcpy(outBuffer, block, 16 - padLen);
406 		break;
407 
408 	case MODE_CBC:
409 		memcpy(iv, cipher->IV, 16);
410 		/* all blocks but last */
411 		for (i = numBlocks - 1; i > 0; i--) {
412 			rijndaelDecrypt(key->rk, key->Nr, input, block);
413 			((u_int32_t*)block)[0] ^= iv[0];
414 			((u_int32_t*)block)[1] ^= iv[1];
415 			((u_int32_t*)block)[2] ^= iv[2];
416 			((u_int32_t*)block)[3] ^= iv[3];
417 			memcpy(iv, input, 16);
418 			memcpy(outBuffer, block, 16);
419 			input += 16;
420 			outBuffer += 16;
421 		}
422 		/* last block */
423 		rijndaelDecrypt(key->rk, key->Nr, input, block);
424 		((u_int32_t*)block)[0] ^= iv[0];
425 		((u_int32_t*)block)[1] ^= iv[1];
426 		((u_int32_t*)block)[2] ^= iv[2];
427 		((u_int32_t*)block)[3] ^= iv[3];
428 		padLen = block[15];
429 		if (padLen <= 0 || padLen > 16) {
430 			rval = BAD_DATA;
431 			goto out;
432 		}
433 		for (i = 16 - padLen; i < 16; i++) {
434 			if (block[i] != padLen) {
435 				rval = BAD_DATA;
436 				goto out;
437 			}
438 		}
439 		memcpy(outBuffer, block, 16 - padLen);
440 		break;
441 
442 	default:
443 		return BAD_CIPHER_STATE;
444 	}
445 
446 	rval = 16*numBlocks - padLen;
447 
448 out:
449 	explicit_bzero(block, sizeof(block));
450 	return rval;
451 }
452