xref: /freebsd/contrib/bearssl/src/symcipher/aes_ct64_ctrcbc.c (revision cfd6422a5217410fbd66f7a7a8a64d9d85e61229)
1 /*
2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 /* see bearssl_block.h */
28 void
29 br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx,
30 	const void *key, size_t len)
31 {
32 	ctx->vtable = &br_aes_ct64_ctrcbc_vtable;
33 	ctx->num_rounds = br_aes_ct64_keysched(ctx->skey, key, len);
34 }
35 
36 static void
37 xorbuf(void *dst, const void *src, size_t len)
38 {
39 	unsigned char *d;
40 	const unsigned char *s;
41 
42 	d = dst;
43 	s = src;
44 	while (len -- > 0) {
45 		*d ++ ^= *s ++;
46 	}
47 }
48 
49 /* see bearssl_block.h */
50 void
51 br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx,
52 	void *ctr, void *data, size_t len)
53 {
54 	unsigned char *buf;
55 	unsigned char *ivbuf;
56 	uint32_t iv0, iv1, iv2, iv3;
57 	uint64_t sk_exp[120];
58 
59 	br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
60 
61 	/*
62 	 * We keep the counter as four 32-bit values, with big-endian
63 	 * convention, because that's what is expected for purposes of
64 	 * incrementing the counter value.
65 	 */
66 	ivbuf = ctr;
67 	iv0 = br_dec32be(ivbuf +  0);
68 	iv1 = br_dec32be(ivbuf +  4);
69 	iv2 = br_dec32be(ivbuf +  8);
70 	iv3 = br_dec32be(ivbuf + 12);
71 
72 	buf = data;
73 	while (len > 0) {
74 		uint64_t q[8];
75 		uint32_t w[16];
76 		unsigned char tmp[64];
77 		int i, j;
78 
79 		/*
80 		 * The bitslice implementation expects values in
81 		 * little-endian convention, so we have to byteswap them.
82 		 */
83 		j = (len >= 64) ? 16 : (int)(len >> 2);
84 		for (i = 0; i < j; i += 4) {
85 			uint32_t carry;
86 
87 			w[i + 0] = br_swap32(iv0);
88 			w[i + 1] = br_swap32(iv1);
89 			w[i + 2] = br_swap32(iv2);
90 			w[i + 3] = br_swap32(iv3);
91 			iv3 ++;
92 			carry = ~(iv3 | -iv3) >> 31;
93 			iv2 += carry;
94 			carry &= -(~(iv2 | -iv2) >> 31);
95 			iv1 += carry;
96 			carry &= -(~(iv1 | -iv1) >> 31);
97 			iv0 += carry;
98 		}
99 		memset(w + i, 0, (16 - i) * sizeof(uint32_t));
100 
101 		for (i = 0; i < 4; i ++) {
102 			br_aes_ct64_interleave_in(
103 				&q[i], &q[i + 4], w + (i << 2));
104 		}
105 		br_aes_ct64_ortho(q);
106 		br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
107 		br_aes_ct64_ortho(q);
108 		for (i = 0; i < 4; i ++) {
109 			br_aes_ct64_interleave_out(
110 				w + (i << 2), q[i], q[i + 4]);
111 		}
112 
113 		br_range_enc32le(tmp, w, 16);
114 		if (len <= 64) {
115 			xorbuf(buf, tmp, len);
116 			break;
117 		}
118 		xorbuf(buf, tmp, 64);
119 		buf += 64;
120 		len -= 64;
121 	}
122 	br_enc32be(ivbuf +  0, iv0);
123 	br_enc32be(ivbuf +  4, iv1);
124 	br_enc32be(ivbuf +  8, iv2);
125 	br_enc32be(ivbuf + 12, iv3);
126 }
127 
128 /* see bearssl_block.h */
129 void
130 br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx,
131 	void *cbcmac, const void *data, size_t len)
132 {
133 	const unsigned char *buf;
134 	uint32_t cm0, cm1, cm2, cm3;
135 	uint64_t q[8];
136 	uint64_t sk_exp[120];
137 
138 	br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
139 
140 	cm0 = br_dec32le((unsigned char *)cbcmac +  0);
141 	cm1 = br_dec32le((unsigned char *)cbcmac +  4);
142 	cm2 = br_dec32le((unsigned char *)cbcmac +  8);
143 	cm3 = br_dec32le((unsigned char *)cbcmac + 12);
144 
145 	buf = data;
146 	memset(q, 0, sizeof q);
147 	while (len > 0) {
148 		uint32_t w[4];
149 
150 		w[0] = cm0 ^ br_dec32le(buf +  0);
151 		w[1] = cm1 ^ br_dec32le(buf +  4);
152 		w[2] = cm2 ^ br_dec32le(buf +  8);
153 		w[3] = cm3 ^ br_dec32le(buf + 12);
154 
155 		br_aes_ct64_interleave_in(&q[0], &q[4], w);
156 		br_aes_ct64_ortho(q);
157 		br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
158 		br_aes_ct64_ortho(q);
159 		br_aes_ct64_interleave_out(w, q[0], q[4]);
160 
161 		cm0 = w[0];
162 		cm1 = w[1];
163 		cm2 = w[2];
164 		cm3 = w[3];
165 		buf += 16;
166 		len -= 16;
167 	}
168 
169 	br_enc32le((unsigned char *)cbcmac +  0, cm0);
170 	br_enc32le((unsigned char *)cbcmac +  4, cm1);
171 	br_enc32le((unsigned char *)cbcmac +  8, cm2);
172 	br_enc32le((unsigned char *)cbcmac + 12, cm3);
173 }
174 
175 /* see bearssl_block.h */
176 void
177 br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx,
178 	void *ctr, void *cbcmac, void *data, size_t len)
179 {
180 	/*
181 	 * When encrypting, the CBC-MAC processing must be lagging by
182 	 * one block, since it operates on the encrypted values, so
183 	 * it must wait for that encryption to complete.
184 	 */
185 
186 	unsigned char *buf;
187 	unsigned char *ivbuf;
188 	uint32_t iv0, iv1, iv2, iv3;
189 	uint32_t cm0, cm1, cm2, cm3;
190 	uint64_t sk_exp[120];
191 	uint64_t q[8];
192 	int first_iter;
193 
194 	br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
195 
196 	/*
197 	 * We keep the counter as four 32-bit values, with big-endian
198 	 * convention, because that's what is expected for purposes of
199 	 * incrementing the counter value.
200 	 */
201 	ivbuf = ctr;
202 	iv0 = br_dec32be(ivbuf +  0);
203 	iv1 = br_dec32be(ivbuf +  4);
204 	iv2 = br_dec32be(ivbuf +  8);
205 	iv3 = br_dec32be(ivbuf + 12);
206 
207 	/*
208 	 * The current CBC-MAC value is kept in little-endian convention.
209 	 */
210 	cm0 = br_dec32le((unsigned char *)cbcmac +  0);
211 	cm1 = br_dec32le((unsigned char *)cbcmac +  4);
212 	cm2 = br_dec32le((unsigned char *)cbcmac +  8);
213 	cm3 = br_dec32le((unsigned char *)cbcmac + 12);
214 
215 	buf = data;
216 	first_iter = 1;
217 	memset(q, 0, sizeof q);
218 	while (len > 0) {
219 		uint32_t w[8], carry;
220 
221 		/*
222 		 * The bitslice implementation expects values in
223 		 * little-endian convention, so we have to byteswap them.
224 		 */
225 		w[0] = br_swap32(iv0);
226 		w[1] = br_swap32(iv1);
227 		w[2] = br_swap32(iv2);
228 		w[3] = br_swap32(iv3);
229 		iv3 ++;
230 		carry = ~(iv3 | -iv3) >> 31;
231 		iv2 += carry;
232 		carry &= -(~(iv2 | -iv2) >> 31);
233 		iv1 += carry;
234 		carry &= -(~(iv1 | -iv1) >> 31);
235 		iv0 += carry;
236 
237 		/*
238 		 * The block for CBC-MAC.
239 		 */
240 		w[4] = cm0;
241 		w[5] = cm1;
242 		w[6] = cm2;
243 		w[7] = cm3;
244 
245 		br_aes_ct64_interleave_in(&q[0], &q[4], w);
246 		br_aes_ct64_interleave_in(&q[1], &q[5], w + 4);
247 		br_aes_ct64_ortho(q);
248 		br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
249 		br_aes_ct64_ortho(q);
250 		br_aes_ct64_interleave_out(w, q[0], q[4]);
251 		br_aes_ct64_interleave_out(w + 4, q[1], q[5]);
252 
253 		/*
254 		 * We do the XOR with the plaintext in 32-bit registers,
255 		 * so that the value are available for CBC-MAC processing
256 		 * as well.
257 		 */
258 		w[0] ^= br_dec32le(buf +  0);
259 		w[1] ^= br_dec32le(buf +  4);
260 		w[2] ^= br_dec32le(buf +  8);
261 		w[3] ^= br_dec32le(buf + 12);
262 		br_enc32le(buf +  0, w[0]);
263 		br_enc32le(buf +  4, w[1]);
264 		br_enc32le(buf +  8, w[2]);
265 		br_enc32le(buf + 12, w[3]);
266 
267 		buf += 16;
268 		len -= 16;
269 
270 		/*
271 		 * We set the cm* values to the block to encrypt in the
272 		 * next iteration.
273 		 */
274 		if (first_iter) {
275 			first_iter = 0;
276 			cm0 ^= w[0];
277 			cm1 ^= w[1];
278 			cm2 ^= w[2];
279 			cm3 ^= w[3];
280 		} else {
281 			cm0 = w[0] ^ w[4];
282 			cm1 = w[1] ^ w[5];
283 			cm2 = w[2] ^ w[6];
284 			cm3 = w[3] ^ w[7];
285 		}
286 
287 		/*
288 		 * If this was the last iteration, then compute the
289 		 * extra block encryption to complete CBC-MAC.
290 		 */
291 		if (len == 0) {
292 			w[0] = cm0;
293 			w[1] = cm1;
294 			w[2] = cm2;
295 			w[3] = cm3;
296 			br_aes_ct64_interleave_in(&q[0], &q[4], w);
297 			br_aes_ct64_ortho(q);
298 			br_aes_ct64_bitslice_encrypt(
299 				ctx->num_rounds, sk_exp, q);
300 			br_aes_ct64_ortho(q);
301 			br_aes_ct64_interleave_out(w, q[0], q[4]);
302 			cm0 = w[0];
303 			cm1 = w[1];
304 			cm2 = w[2];
305 			cm3 = w[3];
306 			break;
307 		}
308 	}
309 
310 	br_enc32be(ivbuf +  0, iv0);
311 	br_enc32be(ivbuf +  4, iv1);
312 	br_enc32be(ivbuf +  8, iv2);
313 	br_enc32be(ivbuf + 12, iv3);
314 	br_enc32le((unsigned char *)cbcmac +  0, cm0);
315 	br_enc32le((unsigned char *)cbcmac +  4, cm1);
316 	br_enc32le((unsigned char *)cbcmac +  8, cm2);
317 	br_enc32le((unsigned char *)cbcmac + 12, cm3);
318 }
319 
320 /* see bearssl_block.h */
321 void
322 br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx,
323 	void *ctr, void *cbcmac, void *data, size_t len)
324 {
325 	unsigned char *buf;
326 	unsigned char *ivbuf;
327 	uint32_t iv0, iv1, iv2, iv3;
328 	uint32_t cm0, cm1, cm2, cm3;
329 	uint64_t sk_exp[120];
330 	uint64_t q[8];
331 
332 	br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
333 
334 	/*
335 	 * We keep the counter as four 32-bit values, with big-endian
336 	 * convention, because that's what is expected for purposes of
337 	 * incrementing the counter value.
338 	 */
339 	ivbuf = ctr;
340 	iv0 = br_dec32be(ivbuf +  0);
341 	iv1 = br_dec32be(ivbuf +  4);
342 	iv2 = br_dec32be(ivbuf +  8);
343 	iv3 = br_dec32be(ivbuf + 12);
344 
345 	/*
346 	 * The current CBC-MAC value is kept in little-endian convention.
347 	 */
348 	cm0 = br_dec32le((unsigned char *)cbcmac +  0);
349 	cm1 = br_dec32le((unsigned char *)cbcmac +  4);
350 	cm2 = br_dec32le((unsigned char *)cbcmac +  8);
351 	cm3 = br_dec32le((unsigned char *)cbcmac + 12);
352 
353 	buf = data;
354 	memset(q, 0, sizeof q);
355 	while (len > 0) {
356 		uint32_t w[8], carry;
357 		unsigned char tmp[16];
358 
359 		/*
360 		 * The bitslice implementation expects values in
361 		 * little-endian convention, so we have to byteswap them.
362 		 */
363 		w[0] = br_swap32(iv0);
364 		w[1] = br_swap32(iv1);
365 		w[2] = br_swap32(iv2);
366 		w[3] = br_swap32(iv3);
367 		iv3 ++;
368 		carry = ~(iv3 | -iv3) >> 31;
369 		iv2 += carry;
370 		carry &= -(~(iv2 | -iv2) >> 31);
371 		iv1 += carry;
372 		carry &= -(~(iv1 | -iv1) >> 31);
373 		iv0 += carry;
374 
375 		/*
376 		 * The block for CBC-MAC.
377 		 */
378 		w[4] = cm0 ^ br_dec32le(buf +  0);
379 		w[5] = cm1 ^ br_dec32le(buf +  4);
380 		w[6] = cm2 ^ br_dec32le(buf +  8);
381 		w[7] = cm3 ^ br_dec32le(buf + 12);
382 
383 		br_aes_ct64_interleave_in(&q[0], &q[4], w);
384 		br_aes_ct64_interleave_in(&q[1], &q[5], w + 4);
385 		br_aes_ct64_ortho(q);
386 		br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
387 		br_aes_ct64_ortho(q);
388 		br_aes_ct64_interleave_out(w, q[0], q[4]);
389 		br_aes_ct64_interleave_out(w + 4, q[1], q[5]);
390 
391 		br_enc32le(tmp +  0, w[0]);
392 		br_enc32le(tmp +  4, w[1]);
393 		br_enc32le(tmp +  8, w[2]);
394 		br_enc32le(tmp + 12, w[3]);
395 		xorbuf(buf, tmp, 16);
396 		cm0 = w[4];
397 		cm1 = w[5];
398 		cm2 = w[6];
399 		cm3 = w[7];
400 		buf += 16;
401 		len -= 16;
402 	}
403 
404 	br_enc32be(ivbuf +  0, iv0);
405 	br_enc32be(ivbuf +  4, iv1);
406 	br_enc32be(ivbuf +  8, iv2);
407 	br_enc32be(ivbuf + 12, iv3);
408 	br_enc32le((unsigned char *)cbcmac +  0, cm0);
409 	br_enc32le((unsigned char *)cbcmac +  4, cm1);
410 	br_enc32le((unsigned char *)cbcmac +  8, cm2);
411 	br_enc32le((unsigned char *)cbcmac + 12, cm3);
412 }
413 
414 /* see bearssl_block.h */
415 const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable = {
416 	sizeof(br_aes_ct64_ctrcbc_keys),
417 	16,
418 	4,
419 	(void (*)(const br_block_ctrcbc_class **, const void *, size_t))
420 		&br_aes_ct64_ctrcbc_init,
421 	(void (*)(const br_block_ctrcbc_class *const *,
422 		void *, void *, void *, size_t))
423 		&br_aes_ct64_ctrcbc_encrypt,
424 	(void (*)(const br_block_ctrcbc_class *const *,
425 		void *, void *, void *, size_t))
426 		&br_aes_ct64_ctrcbc_decrypt,
427 	(void (*)(const br_block_ctrcbc_class *const *,
428 		void *, void *, size_t))
429 		&br_aes_ct64_ctrcbc_ctr,
430 	(void (*)(const br_block_ctrcbc_class *const *,
431 		void *, const void *, size_t))
432 		&br_aes_ct64_ctrcbc_mac
433 };
434