1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Damien Miller (djm@mindrot.org).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * AES XTS implementation in 2008 by Damien Miller
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 *
24 * Copyright (C) 2001, Angelos D. Keromytis.
25 *
26 * Copyright (C) 2008, Damien Miller
27 * Copyright (c) 2014 The FreeBSD Foundation
28 * All rights reserved.
29 *
30 * Portions of this software were developed by John-Mark Gurney
31 * under sponsorship of the FreeBSD Foundation and
32 * Rubicon Communications, LLC (Netgate).
33 *
34 * Permission to use, copy, and modify this software with or without fee
35 * is hereby granted, provided that this entire notice is included in
36 * all copies of any software which is or includes a copy or
37 * modification of this software.
38 * You may use this code under the GNU public license if you so wish. Please
39 * contribute changes back to the authors under this freer than GPL license
40 * so that we may further the use of strong encryption without limitations to
41 * all.
42 *
43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
47 * PURPOSE.
48 */
49
50 #include <sys/cdefs.h>
51 #include <opencrypto/cbc_mac.h>
52 #include <opencrypto/gmac.h>
53 #include <opencrypto/xform_enc.h>
54
55 struct aes_gcm_ctx {
56 struct aes_icm_ctx cipher;
57 struct aes_gmac_ctx gmac;
58 };
59
60 struct aes_ccm_ctx {
61 struct aes_icm_ctx cipher;
62 struct aes_cbc_mac_ctx cbc_mac;
63 };
64
65 static int aes_icm_setkey(void *, const uint8_t *, int);
66 static void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
67 static void aes_icm_crypt_multi(void *, const uint8_t *, uint8_t *, size_t);
68 static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t);
69 static void aes_icm_reinit(void *, const uint8_t *, size_t);
70 static int aes_gcm_setkey(void *, const uint8_t *, int);
71 static void aes_gcm_reinit(void *, const uint8_t *, size_t);
72 static int aes_gcm_update(void *, const void *, u_int);
73 static void aes_gcm_final(uint8_t *, void *);
74 static int aes_ccm_setkey(void *, const uint8_t *, int);
75 static void aes_ccm_reinit(void *, const uint8_t *, size_t);
76 static int aes_ccm_update(void *, const void *, u_int);
77 static void aes_ccm_final(uint8_t *, void *);
78
79 /* Encryption instances */
80 const struct enc_xform enc_xform_aes_icm = {
81 .type = CRYPTO_AES_ICM,
82 .name = "AES-ICM",
83 .ctxsize = sizeof(struct aes_icm_ctx),
84 .blocksize = 1,
85 .native_blocksize = AES_BLOCK_LEN,
86 .ivsize = AES_BLOCK_LEN,
87 .minkey = AES_MIN_KEY,
88 .maxkey = AES_MAX_KEY,
89 .setkey = aes_icm_setkey,
90 .reinit = aes_icm_reinit,
91 .encrypt = aes_icm_crypt,
92 .decrypt = aes_icm_crypt,
93 .encrypt_multi = aes_icm_crypt_multi,
94 .decrypt_multi = aes_icm_crypt_multi,
95 .encrypt_last = aes_icm_crypt_last,
96 .decrypt_last = aes_icm_crypt_last,
97 };
98
99 const struct enc_xform enc_xform_aes_nist_gcm = {
100 .type = CRYPTO_AES_NIST_GCM_16,
101 .name = "AES-GCM",
102 .ctxsize = sizeof(struct aes_gcm_ctx),
103 .blocksize = 1,
104 .native_blocksize = AES_BLOCK_LEN,
105 .ivsize = AES_GCM_IV_LEN,
106 .minkey = AES_MIN_KEY,
107 .maxkey = AES_MAX_KEY,
108 .macsize = AES_GMAC_HASH_LEN,
109 .setkey = aes_gcm_setkey,
110 .reinit = aes_gcm_reinit,
111 .encrypt = aes_icm_crypt,
112 .decrypt = aes_icm_crypt,
113 .encrypt_multi = aes_icm_crypt_multi,
114 .decrypt_multi = aes_icm_crypt_multi,
115 .encrypt_last = aes_icm_crypt_last,
116 .decrypt_last = aes_icm_crypt_last,
117 .update = aes_gcm_update,
118 .final = aes_gcm_final,
119 };
120
121 const struct enc_xform enc_xform_ccm = {
122 .type = CRYPTO_AES_CCM_16,
123 .name = "AES-CCM",
124 .ctxsize = sizeof(struct aes_ccm_ctx),
125 .blocksize = 1,
126 .native_blocksize = AES_BLOCK_LEN,
127 .ivsize = AES_CCM_IV_LEN,
128 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
129 .macsize = AES_CBC_MAC_HASH_LEN,
130 .setkey = aes_ccm_setkey,
131 .reinit = aes_ccm_reinit,
132 .encrypt = aes_icm_crypt,
133 .decrypt = aes_icm_crypt,
134 .encrypt_multi = aes_icm_crypt_multi,
135 .decrypt_multi = aes_icm_crypt_multi,
136 .encrypt_last = aes_icm_crypt_last,
137 .decrypt_last = aes_icm_crypt_last,
138 .update = aes_ccm_update,
139 .final = aes_ccm_final,
140 };
141
142 /*
143 * Encryption wrapper routines.
144 */
145 static void
aes_icm_reinit(void * key,const uint8_t * iv,size_t ivlen)146 aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen)
147 {
148 struct aes_icm_ctx *ctx;
149
150 ctx = key;
151 KASSERT(ivlen <= sizeof(ctx->ac_block),
152 ("%s: ivlen too large", __func__));
153 bcopy(iv, ctx->ac_block, ivlen);
154 }
155
156 static void
aes_gcm_reinit(void * vctx,const uint8_t * iv,size_t ivlen)157 aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
158 {
159 struct aes_gcm_ctx *ctx = vctx;
160
161 KASSERT(ivlen == AES_GCM_IV_LEN,
162 ("%s: invalid IV length", __func__));
163 aes_icm_reinit(&ctx->cipher, iv, ivlen);
164
165 /* GCM starts with 2 as counter 1 is used for final xor of tag. */
166 bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4);
167 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2;
168
169 AES_GMAC_Reinit(&ctx->gmac, iv, ivlen);
170 }
171
172 static void
aes_ccm_reinit(void * vctx,const uint8_t * iv,size_t ivlen)173 aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
174 {
175 struct aes_ccm_ctx *ctx = vctx;
176
177 KASSERT(ivlen >= 7 && ivlen <= 13,
178 ("%s: invalid IV length", __func__));
179
180 /* CCM has flags, then the IV, then the counter, which starts at 1 */
181 bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block));
182 ctx->cipher.ac_block[0] = (15 - ivlen) - 1;
183 bcopy(iv, ctx->cipher.ac_block + 1, ivlen);
184 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1;
185
186 AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen);
187 }
188
189 static void
aes_icm_crypt(void * key,const uint8_t * in,uint8_t * out)190 aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
191 {
192 struct aes_icm_ctx *ctx;
193 int i;
194
195 ctx = key;
196 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);
197
198 /* increment counter */
199 for (i = AESICM_BLOCKSIZE - 1;
200 i >= 0; i--)
201 if (++ctx->ac_block[i]) /* continue on overflow */
202 break;
203 }
204
205 static void
aes_icm_crypt_multi(void * key,const uint8_t * in,uint8_t * out,size_t len)206 aes_icm_crypt_multi(void *key, const uint8_t *in, uint8_t *out, size_t len)
207 {
208 struct aes_icm_ctx *ctx = key;
209 uint8_t keystream[AESICM_BLOCKSIZE];
210 int i;
211
212 KASSERT(len % AESICM_BLOCKSIZE == 0, ("%s: invalid length", __func__));
213 while (len > 0) {
214 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
215 for (i = 0; i < AESICM_BLOCKSIZE; i++)
216 out[i] = in[i] ^ keystream[i];
217
218 /* increment counter */
219 for (i = AESICM_BLOCKSIZE - 1; i >= 0; i--)
220 if (++ctx->ac_block[i]) /* continue on overflow */
221 break;
222
223 out += AESICM_BLOCKSIZE;
224 in += AESICM_BLOCKSIZE;
225 len -= AESICM_BLOCKSIZE;
226 }
227 explicit_bzero(keystream, sizeof(keystream));
228 }
229
230 static void
aes_icm_crypt_last(void * key,const uint8_t * in,uint8_t * out,size_t len)231 aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
232 {
233 struct aes_icm_ctx *ctx;
234 uint8_t keystream[AESICM_BLOCKSIZE];
235 int i;
236
237 ctx = key;
238 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
239 for (i = 0; i < len; i++)
240 out[i] = in[i] ^ keystream[i];
241 explicit_bzero(keystream, sizeof(keystream));
242 }
243
244 static int
aes_icm_setkey(void * sched,const uint8_t * key,int len)245 aes_icm_setkey(void *sched, const uint8_t *key, int len)
246 {
247 struct aes_icm_ctx *ctx;
248
249 if (len != 16 && len != 24 && len != 32)
250 return (EINVAL);
251
252 ctx = sched;
253 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
254 return (0);
255 }
256
257 static int
aes_gcm_setkey(void * vctx,const uint8_t * key,int len)258 aes_gcm_setkey(void *vctx, const uint8_t *key, int len)
259 {
260 struct aes_gcm_ctx *ctx = vctx;
261 int error;
262
263 error = aes_icm_setkey(&ctx->cipher, key, len);
264 if (error != 0)
265 return (error);
266
267 AES_GMAC_Setkey(&ctx->gmac, key, len);
268 return (0);
269 }
270
271 static int
aes_ccm_setkey(void * vctx,const uint8_t * key,int len)272 aes_ccm_setkey(void *vctx, const uint8_t *key, int len)
273 {
274 struct aes_ccm_ctx *ctx = vctx;
275 int error;
276
277 error = aes_icm_setkey(&ctx->cipher, key, len);
278 if (error != 0)
279 return (error);
280
281 AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len);
282 return (0);
283 }
284
285 static int
aes_gcm_update(void * vctx,const void * buf,u_int len)286 aes_gcm_update(void *vctx, const void *buf, u_int len)
287 {
288 struct aes_gcm_ctx *ctx = vctx;
289
290 return (AES_GMAC_Update(&ctx->gmac, buf, len));
291 }
292
293 static int
aes_ccm_update(void * vctx,const void * buf,u_int len)294 aes_ccm_update(void *vctx, const void *buf, u_int len)
295 {
296 struct aes_ccm_ctx *ctx = vctx;
297
298 return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len));
299 }
300
301 static void
aes_gcm_final(uint8_t * tag,void * vctx)302 aes_gcm_final(uint8_t *tag, void *vctx)
303 {
304 struct aes_gcm_ctx *ctx = vctx;
305
306 AES_GMAC_Final(tag, &ctx->gmac);
307 }
308
309 static void
aes_ccm_final(uint8_t * tag,void * vctx)310 aes_ccm_final(uint8_t *tag, void *vctx)
311 {
312 struct aes_ccm_ctx *ctx = vctx;
313
314 AES_CBC_MAC_Final(tag, &ctx->cbc_mac);
315 }
316