1 /* 2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include "inner.h" 26 27 /* see bearssl_block.h */ 28 void 29 br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx, 30 const void *key, size_t len) 31 { 32 ctx->vtable = &br_aes_ct_ctrcbc_vtable; 33 ctx->num_rounds = br_aes_ct_keysched(ctx->skey, key, len); 34 } 35 36 static void 37 xorbuf(void *dst, const void *src, size_t len) 38 { 39 unsigned char *d; 40 const unsigned char *s; 41 42 d = dst; 43 s = src; 44 while (len -- > 0) { 45 *d ++ ^= *s ++; 46 } 47 } 48 49 /* see bearssl_block.h */ 50 void 51 br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx, 52 void *ctr, void *data, size_t len) 53 { 54 unsigned char *buf; 55 unsigned char *ivbuf; 56 uint32_t iv0, iv1, iv2, iv3; 57 uint32_t sk_exp[120]; 58 59 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); 60 61 /* 62 * We keep the counter as four 32-bit values, with big-endian 63 * convention, because that's what is expected for purposes of 64 * incrementing the counter value. 65 */ 66 ivbuf = ctr; 67 iv0 = br_dec32be(ivbuf + 0); 68 iv1 = br_dec32be(ivbuf + 4); 69 iv2 = br_dec32be(ivbuf + 8); 70 iv3 = br_dec32be(ivbuf + 12); 71 72 buf = data; 73 while (len > 0) { 74 uint32_t q[8], carry; 75 unsigned char tmp[32]; 76 77 /* 78 * The bitslice implementation expects values in 79 * little-endian convention, so we have to byteswap them. 80 */ 81 q[0] = br_swap32(iv0); 82 q[2] = br_swap32(iv1); 83 q[4] = br_swap32(iv2); 84 q[6] = br_swap32(iv3); 85 iv3 ++; 86 carry = ~(iv3 | -iv3) >> 31; 87 iv2 += carry; 88 carry &= -(~(iv2 | -iv2) >> 31); 89 iv1 += carry; 90 carry &= -(~(iv1 | -iv1) >> 31); 91 iv0 += carry; 92 q[1] = br_swap32(iv0); 93 q[3] = br_swap32(iv1); 94 q[5] = br_swap32(iv2); 95 q[7] = br_swap32(iv3); 96 if (len > 16) { 97 iv3 ++; 98 carry = ~(iv3 | -iv3) >> 31; 99 iv2 += carry; 100 carry &= -(~(iv2 | -iv2) >> 31); 101 iv1 += carry; 102 carry &= -(~(iv1 | -iv1) >> 31); 103 iv0 += carry; 104 } 105 106 br_aes_ct_ortho(q); 107 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); 108 br_aes_ct_ortho(q); 109 110 br_enc32le(tmp, q[0]); 111 br_enc32le(tmp + 4, q[2]); 112 br_enc32le(tmp + 8, q[4]); 113 br_enc32le(tmp + 12, q[6]); 114 br_enc32le(tmp + 16, q[1]); 115 br_enc32le(tmp + 20, q[3]); 116 br_enc32le(tmp + 24, q[5]); 117 br_enc32le(tmp + 28, q[7]); 118 119 if (len <= 32) { 120 xorbuf(buf, tmp, len); 121 break; 122 } 123 xorbuf(buf, tmp, 32); 124 buf += 32; 125 len -= 32; 126 } 127 br_enc32be(ivbuf + 0, iv0); 128 br_enc32be(ivbuf + 4, iv1); 129 br_enc32be(ivbuf + 8, iv2); 130 br_enc32be(ivbuf + 12, iv3); 131 } 132 133 /* see bearssl_block.h */ 134 void 135 br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx, 136 void *cbcmac, const void *data, size_t len) 137 { 138 const unsigned char *buf; 139 uint32_t cm0, cm1, cm2, cm3; 140 uint32_t q[8]; 141 uint32_t sk_exp[120]; 142 143 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); 144 145 buf = data; 146 cm0 = br_dec32le((unsigned char *)cbcmac + 0); 147 cm1 = br_dec32le((unsigned char *)cbcmac + 4); 148 cm2 = br_dec32le((unsigned char *)cbcmac + 8); 149 cm3 = br_dec32le((unsigned char *)cbcmac + 12); 150 q[1] = 0; 151 q[3] = 0; 152 q[5] = 0; 153 q[7] = 0; 154 155 while (len > 0) { 156 q[0] = cm0 ^ br_dec32le(buf + 0); 157 q[2] = cm1 ^ br_dec32le(buf + 4); 158 q[4] = cm2 ^ br_dec32le(buf + 8); 159 q[6] = cm3 ^ br_dec32le(buf + 12); 160 161 br_aes_ct_ortho(q); 162 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); 163 br_aes_ct_ortho(q); 164 165 cm0 = q[0]; 166 cm1 = q[2]; 167 cm2 = q[4]; 168 cm3 = q[6]; 169 buf += 16; 170 len -= 16; 171 } 172 173 br_enc32le((unsigned char *)cbcmac + 0, cm0); 174 br_enc32le((unsigned char *)cbcmac + 4, cm1); 175 br_enc32le((unsigned char *)cbcmac + 8, cm2); 176 br_enc32le((unsigned char *)cbcmac + 12, cm3); 177 } 178 179 /* see bearssl_block.h */ 180 void 181 br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx, 182 void *ctr, void *cbcmac, void *data, size_t len) 183 { 184 /* 185 * When encrypting, the CBC-MAC processing must be lagging by 186 * one block, since it operates on the encrypted values, so 187 * it must wait for that encryption to complete. 188 */ 189 190 unsigned char *buf; 191 unsigned char *ivbuf; 192 uint32_t iv0, iv1, iv2, iv3; 193 uint32_t cm0, cm1, cm2, cm3; 194 uint32_t sk_exp[120]; 195 int first_iter; 196 197 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); 198 199 /* 200 * We keep the counter as four 32-bit values, with big-endian 201 * convention, because that's what is expected for purposes of 202 * incrementing the counter value. 203 */ 204 ivbuf = ctr; 205 iv0 = br_dec32be(ivbuf + 0); 206 iv1 = br_dec32be(ivbuf + 4); 207 iv2 = br_dec32be(ivbuf + 8); 208 iv3 = br_dec32be(ivbuf + 12); 209 210 /* 211 * The current CBC-MAC value is kept in little-endian convention. 212 */ 213 cm0 = br_dec32le((unsigned char *)cbcmac + 0); 214 cm1 = br_dec32le((unsigned char *)cbcmac + 4); 215 cm2 = br_dec32le((unsigned char *)cbcmac + 8); 216 cm3 = br_dec32le((unsigned char *)cbcmac + 12); 217 218 buf = data; 219 first_iter = 1; 220 while (len > 0) { 221 uint32_t q[8], carry; 222 223 /* 224 * The bitslice implementation expects values in 225 * little-endian convention, so we have to byteswap them. 226 */ 227 q[0] = br_swap32(iv0); 228 q[2] = br_swap32(iv1); 229 q[4] = br_swap32(iv2); 230 q[6] = br_swap32(iv3); 231 iv3 ++; 232 carry = ~(iv3 | -iv3) >> 31; 233 iv2 += carry; 234 carry &= -(~(iv2 | -iv2) >> 31); 235 iv1 += carry; 236 carry &= -(~(iv1 | -iv1) >> 31); 237 iv0 += carry; 238 239 /* 240 * The odd values are used for CBC-MAC. 241 */ 242 q[1] = cm0; 243 q[3] = cm1; 244 q[5] = cm2; 245 q[7] = cm3; 246 247 br_aes_ct_ortho(q); 248 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); 249 br_aes_ct_ortho(q); 250 251 /* 252 * We do the XOR with the plaintext in 32-bit registers, 253 * so that the value are available for CBC-MAC processing 254 * as well. 255 */ 256 q[0] ^= br_dec32le(buf + 0); 257 q[2] ^= br_dec32le(buf + 4); 258 q[4] ^= br_dec32le(buf + 8); 259 q[6] ^= br_dec32le(buf + 12); 260 br_enc32le(buf + 0, q[0]); 261 br_enc32le(buf + 4, q[2]); 262 br_enc32le(buf + 8, q[4]); 263 br_enc32le(buf + 12, q[6]); 264 265 buf += 16; 266 len -= 16; 267 268 /* 269 * We set the cm* values to the block to encrypt in the 270 * next iteration. 271 */ 272 if (first_iter) { 273 first_iter = 0; 274 cm0 ^= q[0]; 275 cm1 ^= q[2]; 276 cm2 ^= q[4]; 277 cm3 ^= q[6]; 278 } else { 279 cm0 = q[0] ^ q[1]; 280 cm1 = q[2] ^ q[3]; 281 cm2 = q[4] ^ q[5]; 282 cm3 = q[6] ^ q[7]; 283 } 284 285 /* 286 * If this was the last iteration, then compute the 287 * extra block encryption to complete CBC-MAC. 288 */ 289 if (len == 0) { 290 q[0] = cm0; 291 q[2] = cm1; 292 q[4] = cm2; 293 q[6] = cm3; 294 br_aes_ct_ortho(q); 295 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); 296 br_aes_ct_ortho(q); 297 cm0 = q[0]; 298 cm1 = q[2]; 299 cm2 = q[4]; 300 cm3 = q[6]; 301 break; 302 } 303 } 304 305 br_enc32be(ivbuf + 0, iv0); 306 br_enc32be(ivbuf + 4, iv1); 307 br_enc32be(ivbuf + 8, iv2); 308 br_enc32be(ivbuf + 12, iv3); 309 br_enc32le((unsigned char *)cbcmac + 0, cm0); 310 br_enc32le((unsigned char *)cbcmac + 4, cm1); 311 br_enc32le((unsigned char *)cbcmac + 8, cm2); 312 br_enc32le((unsigned char *)cbcmac + 12, cm3); 313 } 314 315 /* see bearssl_block.h */ 316 void 317 br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx, 318 void *ctr, void *cbcmac, void *data, size_t len) 319 { 320 unsigned char *buf; 321 unsigned char *ivbuf; 322 uint32_t iv0, iv1, iv2, iv3; 323 uint32_t cm0, cm1, cm2, cm3; 324 uint32_t sk_exp[120]; 325 326 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); 327 328 /* 329 * We keep the counter as four 32-bit values, with big-endian 330 * convention, because that's what is expected for purposes of 331 * incrementing the counter value. 332 */ 333 ivbuf = ctr; 334 iv0 = br_dec32be(ivbuf + 0); 335 iv1 = br_dec32be(ivbuf + 4); 336 iv2 = br_dec32be(ivbuf + 8); 337 iv3 = br_dec32be(ivbuf + 12); 338 339 /* 340 * The current CBC-MAC value is kept in little-endian convention. 341 */ 342 cm0 = br_dec32le((unsigned char *)cbcmac + 0); 343 cm1 = br_dec32le((unsigned char *)cbcmac + 4); 344 cm2 = br_dec32le((unsigned char *)cbcmac + 8); 345 cm3 = br_dec32le((unsigned char *)cbcmac + 12); 346 347 buf = data; 348 while (len > 0) { 349 uint32_t q[8], carry; 350 unsigned char tmp[16]; 351 352 /* 353 * The bitslice implementation expects values in 354 * little-endian convention, so we have to byteswap them. 355 */ 356 q[0] = br_swap32(iv0); 357 q[2] = br_swap32(iv1); 358 q[4] = br_swap32(iv2); 359 q[6] = br_swap32(iv3); 360 iv3 ++; 361 carry = ~(iv3 | -iv3) >> 31; 362 iv2 += carry; 363 carry &= -(~(iv2 | -iv2) >> 31); 364 iv1 += carry; 365 carry &= -(~(iv1 | -iv1) >> 31); 366 iv0 += carry; 367 368 /* 369 * The odd values are used for CBC-MAC. 370 */ 371 q[1] = cm0 ^ br_dec32le(buf + 0); 372 q[3] = cm1 ^ br_dec32le(buf + 4); 373 q[5] = cm2 ^ br_dec32le(buf + 8); 374 q[7] = cm3 ^ br_dec32le(buf + 12); 375 376 br_aes_ct_ortho(q); 377 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); 378 br_aes_ct_ortho(q); 379 380 br_enc32le(tmp + 0, q[0]); 381 br_enc32le(tmp + 4, q[2]); 382 br_enc32le(tmp + 8, q[4]); 383 br_enc32le(tmp + 12, q[6]); 384 xorbuf(buf, tmp, 16); 385 cm0 = q[1]; 386 cm1 = q[3]; 387 cm2 = q[5]; 388 cm3 = q[7]; 389 buf += 16; 390 len -= 16; 391 } 392 393 br_enc32be(ivbuf + 0, iv0); 394 br_enc32be(ivbuf + 4, iv1); 395 br_enc32be(ivbuf + 8, iv2); 396 br_enc32be(ivbuf + 12, iv3); 397 br_enc32le((unsigned char *)cbcmac + 0, cm0); 398 br_enc32le((unsigned char *)cbcmac + 4, cm1); 399 br_enc32le((unsigned char *)cbcmac + 8, cm2); 400 br_enc32le((unsigned char *)cbcmac + 12, cm3); 401 } 402 403 /* see bearssl_block.h */ 404 const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable = { 405 sizeof(br_aes_ct_ctrcbc_keys), 406 16, 407 4, 408 (void (*)(const br_block_ctrcbc_class **, const void *, size_t)) 409 &br_aes_ct_ctrcbc_init, 410 (void (*)(const br_block_ctrcbc_class *const *, 411 void *, void *, void *, size_t)) 412 &br_aes_ct_ctrcbc_encrypt, 413 (void (*)(const br_block_ctrcbc_class *const *, 414 void *, void *, void *, size_t)) 415 &br_aes_ct_ctrcbc_decrypt, 416 (void (*)(const br_block_ctrcbc_class *const *, 417 void *, void *, size_t)) 418 &br_aes_ct_ctrcbc_ctr, 419 (void (*)(const br_block_ctrcbc_class *const *, 420 void *, const void *, size_t)) 421 &br_aes_ct_ctrcbc_mac 422 }; 423