void
rijndael_set_key(rijndael_ctx *ctx, const u_char *key, int bits)
{
ctx->Nr = rijndaelKeySetupEnc(ctx->ek, key, bits);
rijndaelKeySetupDec(ctx->dk, key, bits);
}
/* Perform AES block decryption, including key schedule setup */
void
BCMROMFN(aes_decrypt)(const size_t kl, const uint8 *K, const uint8 *ctxt, uint8 *ptxt)
{
uint32 rk[4 * (AES_MAXROUNDS + 1)];
rijndaelKeySetupDec(rk, K, (int)AES_KEY_BITLEN(kl));
rijndaelDecrypt(rk, (int)AES_ROUNDS(kl), ctxt, ptxt);
}
void rijndaelSpeed(int keyBits) {
int Nr, i;
u32 rk[4*(MAXNR + 1)];
u8 cipherKey[256/8], pt[16], ct[16];
clock_t elapsed;
float sec;
memset(cipherKey, 0, sizeof(cipherKey));
printf("================================\n");
printf("Speed measurement for %d-bit keys:\n", keyBits);
/*
* Encryption key setup timing:
*/
elapsed = -clock();
for (i = 0; i < ITERATIONS; i++) {
Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
}
elapsed += clock();
sec = (float)elapsed/CLOCKS_PER_SEC;
printf("Encryption key schedule: %.1f s, %.0f Mbit/s\n",
sec, (float)ITERATIONS*128/sec/1000000);
/*
* Encryption timing:
*/
elapsed = -clock();
for (i = 0; i < ITERATIONS; i++) {
rijndaelEncrypt(rk, Nr, pt, ct);
}
elapsed += clock();
sec = (float)elapsed/CLOCKS_PER_SEC;
printf("Encryption: %.1f s, %.0f Mbit/s\n",
sec, (float)ITERATIONS*128/sec/1000000);
/*
* Decryption key setup timing:
*/
elapsed = -clock();
for (i = 0; i < ITERATIONS; i++) {
Nr = rijndaelKeySetupDec(rk, cipherKey, keyBits);
}
elapsed += clock();
sec = (float)elapsed/CLOCKS_PER_SEC;
printf("Decryption key schedule: %.1f s, %.0f Mbit/s\n",
sec, (float)ITERATIONS*128/sec/1000000);
/*
* Decryption timing:
*/
elapsed = -clock();
for (i = 0; i < ITERATIONS; i++) {
rijndaelDecrypt(rk, Nr, pt, ct);
}
elapsed += clock();
sec = (float)elapsed/CLOCKS_PER_SEC;
printf("Decryption: %.1f s, %.0f Mbit/s\n",
sec, (float)ITERATIONS*128/sec/1000000);
}
int
AES_set_decrypt_key(const unsigned char *userkey, const int bits, AES_KEY *key)
{
key->rounds = rijndaelKeySetupDec(key->key, userkey, bits);
if (key->rounds == 0)
return -1;
return 0;
}
void * aes_decrypt_init(const u8 *key, size_t len)
{
u32 *rk;
if (len != 16)
return NULL;
rk = malloc(4 * 44);
if (rk == NULL)
return NULL;
rijndaelKeySetupDec(rk, key);
return rk;
}
CAMLprim value caml_aes_cook_decrypt_key(value key)
{
CAMLparam1(key);
value ckey = alloc_string(Cooked_key_size);
int nr =
rijndaelKeySetupDec((u32 *) String_val(ckey),
(const u8 *) String_val(key),
8 * string_length(key));
Byte(ckey, Cooked_key_NR_offset) = nr;
CAMLreturn(ckey);
}
void * aes_decrypt_init(const u8 *key, size_t len)
{
u32 *rk;
if (len != 16)
return NULL;
rk = os_zalloc(AES_PRIV_SIZE);
if (rk == NULL)
return NULL;
rijndaelKeySetupDec(rk, key);
return rk;
}
static int my_aes_create_key(KEYINSTANCE *aes_key,
enum encrypt_dir direction, const char *key,
int key_length)
{
uint8 rkey[AES_KEY_LENGTH/8]; /* The real key to be used for encryption */
uint8 *rkey_end=rkey+AES_KEY_LENGTH/8; /* Real key boundary */
uint8 *ptr; /* Start of the real key*/
const char *sptr; /* Start of the working key */
const char *key_end=key+key_length; /* Working key boundary*/
bzero((char*) rkey,AES_KEY_LENGTH/8); /* Set initial key */
for (ptr= rkey, sptr= key; sptr < key_end; ptr++,sptr++)
{
if (ptr == rkey_end)
ptr= rkey; /* Just loop over tmp_key until we used all key */
*ptr^= (uint8) *sptr;
}
#ifdef AES_USE_KEY_BITS
/*
This block is intended to allow more weak encryption if application
build with libmysqld needs to correspond to export regulations
It should be never used in normal distribution as does not give
any speed improvement.
To get worse security define AES_USE_KEY_BITS to number of bits
you want key to be. It should be divisible by 8
WARNING: Changing this value results in changing of enryption for
all key lengths so altering this value will result in impossibility
to decrypt data encrypted with previous value
*/
#define AES_USE_KEY_BYTES (AES_USE_KEY_BITS/8)
/*
To get weaker key we use first AES_USE_KEY_BYTES bytes of created key
and cyclically copy them until we created all required key length
*/
for (ptr= rkey+AES_USE_KEY_BYTES, sptr=rkey ; ptr < rkey_end;
ptr++,sptr++)
{
if (sptr == rkey+AES_USE_KEY_BYTES)
sptr=rkey;
*ptr=*sptr;
}
#endif
if (direction == AES_DECRYPT)
aes_key->nr = rijndaelKeySetupDec(aes_key->rk, rkey, AES_KEY_LENGTH);
else
aes_key->nr = rijndaelKeySetupEnc(aes_key->rk, rkey, AES_KEY_LENGTH);
return 0;
}
void * aes_decrypt_init(const u8 *key, size_t len)
{
u32 *rk;
int res;
rk = os_malloc(AES_PRIV_SIZE);
if (rk == NULL)
return NULL;
res = rijndaelKeySetupDec(rk, key, len * 8);
if (res < 0) {
os_free(rk);
return NULL;
}
rk[AES_PRIV_NR_POS] = res;
return rk;
}
void
reg_proto_decrypt_data(BufferObj *cipherText, BufferObj *iv, BufferObj *encrKey,
BufferObj *authKey, BufferObj *plainText)
{
/* 10 rounds for cbc 128 = (10+1) * 4 uint32 */
uint32 rk[44];
uint8 outBuf[1024];
int plaintext_len;
TUTRACE((TUTRACE_ERR, "RPROTO: calling decryption\n"));
rijndaelKeySetupDec(rk, encrKey->pBase, 128);
plaintext_len = aes_cbc_decrypt_pad(rk, 16, iv->pBase, cipherText->m_dataLength,
cipherText->pBase, outBuf, PAD_LEN_PADDING);
buffobj_Append(plainText, plaintext_len, outBuf);
buffobj_RewindLength(plainText, plainText->m_dataLength);
}
static void do_test(int keybits, u8 * key,
u8 plain[16], u8 cipher[16],
int testno1, int testno2)
{
u32 ckey[4 * (MAXNR + 1)];
u8 temp[16];
int nr;
int ok;
nr = rijndaelKeySetupEnc(ckey, key, keybits);
rijndaelEncrypt(ckey, nr, plain, temp);
ok = memcmp(temp, cipher, 16) == 0;
printf("Encryption test %d %s\n", testno1, ok ? "passed" : "FAILED");
nr = rijndaelKeySetupDec(ckey, key, keybits);
rijndaelDecrypt(ckey, nr, cipher, temp);
ok = memcmp(temp, plain, 16) == 0;
printf("Decryption test %d %s\n", testno2, ok ? "passed" : "FAILED");
}
double test_rijndael(const int keysize) {
if (keysize != 128 && keysize != 192 && keysize != 256)
return 0;
clock_t start, end;
int i, nr;
u64 blocks = MB * 1e6 / RIJNDAEL_BLOCK_SIZE;
blocks >>= 1;
u32 rk[60];
u8 mk[32];
u8 a[16], b[16];
start = clock();
nr = rijndaelKeySetupDec(rk, mk, keysize);
for (i = 0; i < blocks; i++) {
rijndaelEncrypt(rk, nr, a, b);
rijndaelEncrypt(rk, nr, b, a);
}
end = clock();
return ((double)end - (double)start) / (double)CLOCKS_PER_SEC;
}
int
via_padlock_crypto_newsession(void *arg, uint32_t *sidp, struct cryptoini *cri)
{
struct cryptoini *c;
struct via_padlock_softc *sc = arg;
struct via_padlock_session *ses = NULL;
const struct swcr_auth_hash *axf;
struct swcr_data *swd;
int sesn, i, cw0;
KASSERT(sc != NULL /*, ("via_padlock_crypto_freesession: null softc")*/);
if (sc == NULL || sidp == NULL || cri == NULL)
return (EINVAL);
if (sc->sc_sessions == NULL) {
ses = sc->sc_sessions = malloc(sizeof(*ses), M_DEVBUF,
M_NOWAIT);
if (ses == NULL)
return (ENOMEM);
sesn = 0;
sc->sc_nsessions = 1;
} else {
for (sesn = 0; sesn < sc->sc_nsessions; sesn++) {
if (sc->sc_sessions[sesn].ses_used == 0) {
ses = &sc->sc_sessions[sesn];
break;
}
}
if (ses == NULL) {
sesn = sc->sc_nsessions;
ses = malloc((sesn + 1) * sizeof(*ses), M_DEVBUF,
M_NOWAIT);
if (ses == NULL)
return (ENOMEM);
memcpy(ses, sc->sc_sessions, sesn * sizeof(*ses));
memset(sc->sc_sessions, 0, sesn * sizeof(*ses));
free(sc->sc_sessions, M_DEVBUF);
sc->sc_sessions = ses;
ses = &sc->sc_sessions[sesn];
sc->sc_nsessions++;
}
}
memset(ses, 0, sizeof(*ses));
ses->ses_used = 1;
for (c = cri; c != NULL; c = c->cri_next) {
switch (c->cri_alg) {
case CRYPTO_AES_CBC:
switch (c->cri_klen) {
case 128:
cw0 = C3_CRYPT_CWLO_KEY128;
break;
case 192:
cw0 = C3_CRYPT_CWLO_KEY192;
break;
case 256:
cw0 = C3_CRYPT_CWLO_KEY256;
break;
default:
return (EINVAL);
}
cw0 |= C3_CRYPT_CWLO_ALG_AES |
C3_CRYPT_CWLO_KEYGEN_SW |
C3_CRYPT_CWLO_NORMAL;
#ifdef __NetBSD__
rnd_extract_data(ses->ses_iv, sizeof(ses->ses_iv),
RND_EXTRACT_ANY);
#else
get_random_bytes(ses->ses_iv, sizeof(ses->ses_iv));
#endif
ses->ses_klen = c->cri_klen;
ses->ses_cw0 = cw0;
/* Build expanded keys for both directions */
rijndaelKeySetupEnc(ses->ses_ekey, c->cri_key,
c->cri_klen);
rijndaelKeySetupDec(ses->ses_dkey, c->cri_key,
c->cri_klen);
for (i = 0; i < 4 * (RIJNDAEL_MAXNR + 1); i++) {
ses->ses_ekey[i] = ntohl(ses->ses_ekey[i]);
ses->ses_dkey[i] = ntohl(ses->ses_dkey[i]);
}
break;
/* Use hashing implementations from the cryptosoft code. */
case CRYPTO_MD5_HMAC:
axf = &swcr_auth_hash_hmac_md5;
goto authcommon;
case CRYPTO_MD5_HMAC_96:
axf = &swcr_auth_hash_hmac_md5_96;
goto authcommon;
case CRYPTO_SHA1_HMAC:
axf = &swcr_auth_hash_hmac_sha1;
goto authcommon;
case CRYPTO_SHA1_HMAC_96:
axf = &swcr_auth_hash_hmac_sha1_96;
goto authcommon;
case CRYPTO_RIPEMD160_HMAC:
axf = &swcr_auth_hash_hmac_ripemd_160;
goto authcommon;
case CRYPTO_RIPEMD160_HMAC_96:
axf = &swcr_auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_HMAC:
if (cri->cri_klen == 256)
axf = &swcr_auth_hash_hmac_sha2_256;
else if (cri->cri_klen == 384)
axf = &swcr_auth_hash_hmac_sha2_384;
else if (cri->cri_klen == 512)
axf = &swcr_auth_hash_hmac_sha2_512;
else {
return EINVAL;
}
authcommon:
MALLOC(swd, struct swcr_data *,
sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT);
if (swd == NULL) {
via_padlock_crypto_freesession(sc, sesn);
return (ENOMEM);
}
memset(swd, 0, sizeof(struct swcr_data));
ses->swd = swd;
swd->sw_ictx = malloc(axf->auth_hash->ctxsize,
M_CRYPTO_DATA, M_NOWAIT);
if (swd->sw_ictx == NULL) {
via_padlock_crypto_freesession(sc, sesn);
return (ENOMEM);
}
swd->sw_octx = malloc(axf->auth_hash->ctxsize,
M_CRYPTO_DATA, M_NOWAIT);
if (swd->sw_octx == NULL) {
via_padlock_crypto_freesession(sc, sesn);
return (ENOMEM);
}
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_IPAD_VAL;
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
HMAC_BLOCK_LEN - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
HMAC_OPAD_VAL);
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
HMAC_BLOCK_LEN - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
swd->sw_axf = axf;
swd->sw_alg = c->cri_alg;
break;
default:
return (EINVAL);
}
}
*sidp = VIAC3_SID(0, sesn);
return (0);
}
void tDecAES::m_init(nOperationModeAES opmode, const u8 key[], nKeyLengthAES keylen,
bool useFastASM)
{
// Set fields.
m_opmode = opmode;
m_keylen = keylen;
m_useASM = useFastASM;
m_expandedKey = NULL;
// Check the opmode.
switch (opmode)
{
case kOpModeECB: break;
case kOpModeCBC: break;
default: throw eInvalidArgument("The opmode parameter is not valid!");
}
// Check the keylen.
switch (keylen)
{
case k128bit: break;
case k192bit: break;
case k256bit: break;
default: throw eInvalidArgument("The keylen parameter is not valid!");
}
// Fast ASM setup:
if (m_useASM)
{
m_expandedKey = s_aligned_malloc(256, 16);
switch (keylen)
{
case k128bit:
{
u8* key_copy = new u8[16];
memcpy(key_copy, key, 16);
iDecExpandKey128(key_copy, m_expandedKey);
delete [] key_copy;
break;
}
case k192bit:
{
u8* key_copy = new u8[24];
memcpy(key_copy, key, 24);
iDecExpandKey192(key_copy, m_expandedKey);
delete [] key_copy;
break;
}
case k256bit:
{
u8* key_copy = new u8[32];
memcpy(key_copy, key, 32);
iDecExpandKey256(key_copy, m_expandedKey);
delete [] key_copy;
break;
}
default: throw eInvalidArgument("The keylen parameter is not valid!");
}
}
// Fallback setup:
else
{
int keybits;
int expectedNr;
switch (keylen)
{
case k128bit: keybits = 128; expectedNr = 10; break;
case k192bit: keybits = 192; expectedNr = 12; break;
case k256bit: keybits = 256; expectedNr = 14; break;
default: throw eInvalidArgument("The keylen parameter is not valid!");
}
m_Nr = rijndaelKeySetupDec(m_rk, key, keybits);
if (m_Nr != expectedNr)
throw eImpossiblePath();
}
}
/* aes_unwrap: perform AES-based key unwrap function defined in RFC3394,
* return 0 on success, 1 on error
* input is il bytes
* output is (il-8) bytes
*/
int
BCMROMFN(aes_unwrap)(size_t kl, uint8 *key, size_t il, uint8 *input, uint8 *output)
{
uint32 rk[4*(AES_MAXROUNDS+1)];
uint8 A[AES_BLOCK_SZ];
uint8 R[AKW_MAX_WRAP_LEN + AKW_BLOCK_LEN];
uint8 B[AES_BLOCK_SZ];
size_t ol = il - AKW_BLOCK_LEN;
int n = (int)(ol/AKW_BLOCK_LEN), i, j, k;
/* validate kl (must be valid AES key length) */
if ((kl != 16) && (kl != 24) && (kl != 32)) {
dbg(("aes_wrap: invlaid key length %lu\n", (unsigned long)kl));
return (1);
}
if (il > (AKW_MAX_WRAP_LEN + AKW_BLOCK_LEN)) {
dbg(("aes_unwrap: input length %lu too large\n", (unsigned long)il));
return (1);
}
if (il % AKW_BLOCK_LEN) {
dbg(("aes_unwrap: input length %lu must be a multiple of block length\n",
(unsigned long)il));
return (1);
}
dbg((" Input:\n"));
dbg((" KEK: "));
for (k = 0; k < (int)kl; k++)
dbg(("%02X", key[k]));
dbg(("\n Data: "));
for (k = 0; k < (int)il; k++)
dbg(("%02X", input[k]));
dbg(("\n\n Unwrap: \n"));
rijndaelKeySetupDec(rk, key, (int)AES_KEY_BITLEN(kl));
/* Set A = C[0] */
memcpy(A, input, AKW_BLOCK_LEN);
/* For i = 1 to n */
/* R[i] = C[i] */
memcpy(R, &input[AKW_BLOCK_LEN], ol);
/* For j = 5 to 0 */
for (j = 5; j >= 0; j--) {
/* For i = n to 1 */
for (i = n - 1; i >= 0; i--) {
dbg(("\n %d\n", (n*j)+i+1));
pinter(" In ", A, ol, R);
/* B = AES - 1 (K, (A ^ t) | R[i]) where t = n * j + i */
A[AKW_BLOCK_LEN - 1] ^= ((n*j)+i+1);
pinter(" XorT ", A, ol, R);
memcpy(&A[AKW_BLOCK_LEN], &R[i*AKW_BLOCK_LEN], AKW_BLOCK_LEN);
aes_block_decrypt((int)AES_ROUNDS(kl), rk, A, B);
/* A = MSB(64, B) */
memcpy(&A[0], &B[0], AKW_BLOCK_LEN);
/* R[i] = LSB(64, B) */
memcpy(&R[i*AKW_BLOCK_LEN], &B[AKW_BLOCK_LEN], AKW_BLOCK_LEN);
pinter(" Dec ", A, ol, R);
}
}
if (!memcmp(A, aeskeywrapIV, AKW_BLOCK_LEN)) {
/* For i = 1 to n */
/* P[i] = R[i] */
memcpy(&output[0], R, ol);
return 0;
} else {
dbg(("aes_unwrap: IV mismatch in unwrapped data\n"));
return 1;
}
}
