1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Damien Miller (djm@mindrot.org).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * AES XTS implementation in 2008 by Damien Miller
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 *
24 * Copyright (C) 2001, Angelos D. Keromytis.
25 *
26 * Copyright (C) 2008, Damien Miller
27 * Copyright (c) 2014 The FreeBSD Foundation
28 * All rights reserved.
29 *
30 * Portions of this software were developed by John-Mark Gurney
31 * under sponsorship of the FreeBSD Foundation and
32 * Rubicon Communications, LLC (Netgate).
33 *
34 * Permission to use, copy, and modify this software with or without fee
35 * is hereby granted, provided that this entire notice is included in
36 * all copies of any software which is or includes a copy or
37 * modification of this software.
38 * You may use this code under the GNU public license if you so wish. Please
39 * contribute changes back to the authors under this freer than GPL license
40 * so that we may further the use of strong encryption without limitations to
41 * all.
42 *
43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
47 * PURPOSE.
48 */
49
50 #include <sys/types.h>
51 #include <crypto/rijndael/rijndael.h>
52 #include <opencrypto/xform_enc.h>
53
54 struct aes_cbc_ctx {
55 rijndael_ctx key;
56 char iv[AES_BLOCK_LEN];
57 };
58
59 static int aes_cbc_setkey(void *, const uint8_t *, int);
60 static void aes_cbc_encrypt(void *, const uint8_t *, uint8_t *);
61 static void aes_cbc_decrypt(void *, const uint8_t *, uint8_t *);
62 static void aes_cbc_encrypt_multi(void *, const uint8_t *, uint8_t *, size_t);
63 static void aes_cbc_decrypt_multi(void *, const uint8_t *, uint8_t *, size_t);
64 static void aes_cbc_reinit(void *, const uint8_t *, size_t);
65
66 /* Encryption instances */
67 const struct enc_xform enc_xform_aes_cbc = {
68 .type = CRYPTO_AES_CBC,
69 .name = "AES-CBC",
70 .ctxsize = sizeof(struct aes_cbc_ctx),
71 .blocksize = AES_BLOCK_LEN,
72 .ivsize = AES_BLOCK_LEN,
73 .minkey = AES_MIN_KEY,
74 .maxkey = AES_MAX_KEY,
75 .setkey = aes_cbc_setkey,
76 .reinit = aes_cbc_reinit,
77 .encrypt = aes_cbc_encrypt,
78 .decrypt = aes_cbc_decrypt,
79 .encrypt_multi = aes_cbc_encrypt_multi,
80 .decrypt_multi = aes_cbc_decrypt_multi,
81 };
82
83 /*
84 * Encryption wrapper routines.
85 */
86 static void
aes_cbc_encrypt(void * vctx,const uint8_t * in,uint8_t * out)87 aes_cbc_encrypt(void *vctx, const uint8_t *in, uint8_t *out)
88 {
89 struct aes_cbc_ctx *ctx = vctx;
90
91 for (u_int i = 0; i < AES_BLOCK_LEN; i++)
92 out[i] = in[i] ^ ctx->iv[i];
93 rijndael_encrypt(&ctx->key, out, out);
94 memcpy(ctx->iv, out, AES_BLOCK_LEN);
95 }
96
97 static void
aes_cbc_decrypt(void * vctx,const uint8_t * in,uint8_t * out)98 aes_cbc_decrypt(void *vctx, const uint8_t *in, uint8_t *out)
99 {
100 struct aes_cbc_ctx *ctx = vctx;
101 char block[AES_BLOCK_LEN];
102
103 memcpy(block, in, AES_BLOCK_LEN);
104 rijndael_decrypt(&ctx->key, in, out);
105 for (u_int i = 0; i < AES_BLOCK_LEN; i++)
106 out[i] ^= ctx->iv[i];
107 memcpy(ctx->iv, block, AES_BLOCK_LEN);
108 explicit_bzero(block, sizeof(block));
109 }
110
111 static void
aes_cbc_encrypt_multi(void * vctx,const uint8_t * in,uint8_t * out,size_t len)112 aes_cbc_encrypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
113 {
114 struct aes_cbc_ctx *ctx = vctx;
115
116 KASSERT(len % AES_BLOCK_LEN == 0, ("%s: invalid length", __func__));
117 while (len > 0) {
118 for (u_int i = 0; i < AES_BLOCK_LEN; i++)
119 out[i] = in[i] ^ ctx->iv[i];
120 rijndael_encrypt(&ctx->key, out, out);
121 memcpy(ctx->iv, out, AES_BLOCK_LEN);
122 out += AES_BLOCK_LEN;
123 in += AES_BLOCK_LEN;
124 len -= AES_BLOCK_LEN;
125 }
126 }
127
128 static void
aes_cbc_decrypt_multi(void * vctx,const uint8_t * in,uint8_t * out,size_t len)129 aes_cbc_decrypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
130 {
131 struct aes_cbc_ctx *ctx = vctx;
132 char block[AES_BLOCK_LEN];
133
134 KASSERT(len % AES_BLOCK_LEN == 0, ("%s: invalid length", __func__));
135 while (len > 0) {
136 memcpy(block, in, AES_BLOCK_LEN);
137 rijndael_decrypt(&ctx->key, in, out);
138 for (u_int i = 0; i < AES_BLOCK_LEN; i++)
139 out[i] ^= ctx->iv[i];
140 memcpy(ctx->iv, block, AES_BLOCK_LEN);
141 out += AES_BLOCK_LEN;
142 in += AES_BLOCK_LEN;
143 len -= AES_BLOCK_LEN;
144 }
145 explicit_bzero(block, sizeof(block));
146 }
147
148 static int
aes_cbc_setkey(void * vctx,const uint8_t * key,int len)149 aes_cbc_setkey(void *vctx, const uint8_t *key, int len)
150 {
151 struct aes_cbc_ctx *ctx = vctx;
152
153 if (len != 16 && len != 24 && len != 32)
154 return (EINVAL);
155
156 rijndael_set_key(&ctx->key, key, len * 8);
157 return (0);
158 }
159
160 static void
aes_cbc_reinit(void * vctx,const uint8_t * iv,size_t iv_len)161 aes_cbc_reinit(void *vctx, const uint8_t *iv, size_t iv_len)
162 {
163 struct aes_cbc_ctx *ctx = vctx;
164
165 KASSERT(iv_len == sizeof(ctx->iv), ("%s: bad IV length", __func__));
166 memcpy(ctx->iv, iv, sizeof(ctx->iv));
167 }
168