xref: /freebsd/contrib/bearssl/src/symcipher/aes_ct_ctrcbc.c (revision 2a58b312b62f908ec92311d1bd8536dbaeb8e55b)
1 /*
2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 /* see bearssl_block.h */
28 void
29 br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx,
30 	const void *key, size_t len)
31 {
32 	ctx->vtable = &br_aes_ct_ctrcbc_vtable;
33 	ctx->num_rounds = br_aes_ct_keysched(ctx->skey, key, len);
34 }
35 
36 static void
37 xorbuf(void *dst, const void *src, size_t len)
38 {
39 	unsigned char *d;
40 	const unsigned char *s;
41 
42 	d = dst;
43 	s = src;
44 	while (len -- > 0) {
45 		*d ++ ^= *s ++;
46 	}
47 }
48 
49 /* see bearssl_block.h */
50 void
51 br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx,
52 	void *ctr, void *data, size_t len)
53 {
54 	unsigned char *buf;
55 	unsigned char *ivbuf;
56 	uint32_t iv0, iv1, iv2, iv3;
57 	uint32_t sk_exp[120];
58 
59 	br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
60 
61 	/*
62 	 * We keep the counter as four 32-bit values, with big-endian
63 	 * convention, because that's what is expected for purposes of
64 	 * incrementing the counter value.
65 	 */
66 	ivbuf = ctr;
67 	iv0 = br_dec32be(ivbuf +  0);
68 	iv1 = br_dec32be(ivbuf +  4);
69 	iv2 = br_dec32be(ivbuf +  8);
70 	iv3 = br_dec32be(ivbuf + 12);
71 
72 	buf = data;
73 	while (len > 0) {
74 		uint32_t q[8], carry;
75 		unsigned char tmp[32];
76 
77 		/*
78 		 * The bitslice implementation expects values in
79 		 * little-endian convention, so we have to byteswap them.
80 		 */
81 		q[0] = br_swap32(iv0);
82 		q[2] = br_swap32(iv1);
83 		q[4] = br_swap32(iv2);
84 		q[6] = br_swap32(iv3);
85 		iv3 ++;
86 		carry = ~(iv3 | -iv3) >> 31;
87 		iv2 += carry;
88 		carry &= -(~(iv2 | -iv2) >> 31);
89 		iv1 += carry;
90 		carry &= -(~(iv1 | -iv1) >> 31);
91 		iv0 += carry;
92 		q[1] = br_swap32(iv0);
93 		q[3] = br_swap32(iv1);
94 		q[5] = br_swap32(iv2);
95 		q[7] = br_swap32(iv3);
96 		if (len > 16) {
97 			iv3 ++;
98 			carry = ~(iv3 | -iv3) >> 31;
99 			iv2 += carry;
100 			carry &= -(~(iv2 | -iv2) >> 31);
101 			iv1 += carry;
102 			carry &= -(~(iv1 | -iv1) >> 31);
103 			iv0 += carry;
104 		}
105 
106 		br_aes_ct_ortho(q);
107 		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
108 		br_aes_ct_ortho(q);
109 
110 		br_enc32le(tmp, q[0]);
111 		br_enc32le(tmp + 4, q[2]);
112 		br_enc32le(tmp + 8, q[4]);
113 		br_enc32le(tmp + 12, q[6]);
114 		br_enc32le(tmp + 16, q[1]);
115 		br_enc32le(tmp + 20, q[3]);
116 		br_enc32le(tmp + 24, q[5]);
117 		br_enc32le(tmp + 28, q[7]);
118 
119 		if (len <= 32) {
120 			xorbuf(buf, tmp, len);
121 			break;
122 		}
123 		xorbuf(buf, tmp, 32);
124 		buf += 32;
125 		len -= 32;
126 	}
127 	br_enc32be(ivbuf +  0, iv0);
128 	br_enc32be(ivbuf +  4, iv1);
129 	br_enc32be(ivbuf +  8, iv2);
130 	br_enc32be(ivbuf + 12, iv3);
131 }
132 
133 /* see bearssl_block.h */
134 void
135 br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx,
136 	void *cbcmac, const void *data, size_t len)
137 {
138 	const unsigned char *buf;
139 	uint32_t cm0, cm1, cm2, cm3;
140 	uint32_t q[8];
141 	uint32_t sk_exp[120];
142 
143 	br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
144 
145 	buf = data;
146 	cm0 = br_dec32le((unsigned char *)cbcmac +  0);
147 	cm1 = br_dec32le((unsigned char *)cbcmac +  4);
148 	cm2 = br_dec32le((unsigned char *)cbcmac +  8);
149 	cm3 = br_dec32le((unsigned char *)cbcmac + 12);
150 	q[1] = 0;
151 	q[3] = 0;
152 	q[5] = 0;
153 	q[7] = 0;
154 
155 	while (len > 0) {
156 		q[0] = cm0 ^ br_dec32le(buf +  0);
157 		q[2] = cm1 ^ br_dec32le(buf +  4);
158 		q[4] = cm2 ^ br_dec32le(buf +  8);
159 		q[6] = cm3 ^ br_dec32le(buf + 12);
160 
161 		br_aes_ct_ortho(q);
162 		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
163 		br_aes_ct_ortho(q);
164 
165 		cm0 = q[0];
166 		cm1 = q[2];
167 		cm2 = q[4];
168 		cm3 = q[6];
169 		buf += 16;
170 		len -= 16;
171 	}
172 
173 	br_enc32le((unsigned char *)cbcmac +  0, cm0);
174 	br_enc32le((unsigned char *)cbcmac +  4, cm1);
175 	br_enc32le((unsigned char *)cbcmac +  8, cm2);
176 	br_enc32le((unsigned char *)cbcmac + 12, cm3);
177 }
178 
179 /* see bearssl_block.h */
180 void
181 br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx,
182 	void *ctr, void *cbcmac, void *data, size_t len)
183 {
184 	/*
185 	 * When encrypting, the CBC-MAC processing must be lagging by
186 	 * one block, since it operates on the encrypted values, so
187 	 * it must wait for that encryption to complete.
188 	 */
189 
190 	unsigned char *buf;
191 	unsigned char *ivbuf;
192 	uint32_t iv0, iv1, iv2, iv3;
193 	uint32_t cm0, cm1, cm2, cm3;
194 	uint32_t sk_exp[120];
195 	int first_iter;
196 
197 	br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
198 
199 	/*
200 	 * We keep the counter as four 32-bit values, with big-endian
201 	 * convention, because that's what is expected for purposes of
202 	 * incrementing the counter value.
203 	 */
204 	ivbuf = ctr;
205 	iv0 = br_dec32be(ivbuf +  0);
206 	iv1 = br_dec32be(ivbuf +  4);
207 	iv2 = br_dec32be(ivbuf +  8);
208 	iv3 = br_dec32be(ivbuf + 12);
209 
210 	/*
211 	 * The current CBC-MAC value is kept in little-endian convention.
212 	 */
213 	cm0 = br_dec32le((unsigned char *)cbcmac +  0);
214 	cm1 = br_dec32le((unsigned char *)cbcmac +  4);
215 	cm2 = br_dec32le((unsigned char *)cbcmac +  8);
216 	cm3 = br_dec32le((unsigned char *)cbcmac + 12);
217 
218 	buf = data;
219 	first_iter = 1;
220 	while (len > 0) {
221 		uint32_t q[8], carry;
222 
223 		/*
224 		 * The bitslice implementation expects values in
225 		 * little-endian convention, so we have to byteswap them.
226 		 */
227 		q[0] = br_swap32(iv0);
228 		q[2] = br_swap32(iv1);
229 		q[4] = br_swap32(iv2);
230 		q[6] = br_swap32(iv3);
231 		iv3 ++;
232 		carry = ~(iv3 | -iv3) >> 31;
233 		iv2 += carry;
234 		carry &= -(~(iv2 | -iv2) >> 31);
235 		iv1 += carry;
236 		carry &= -(~(iv1 | -iv1) >> 31);
237 		iv0 += carry;
238 
239 		/*
240 		 * The odd values are used for CBC-MAC.
241 		 */
242 		q[1] = cm0;
243 		q[3] = cm1;
244 		q[5] = cm2;
245 		q[7] = cm3;
246 
247 		br_aes_ct_ortho(q);
248 		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
249 		br_aes_ct_ortho(q);
250 
251 		/*
252 		 * We do the XOR with the plaintext in 32-bit registers,
253 		 * so that the value are available for CBC-MAC processing
254 		 * as well.
255 		 */
256 		q[0] ^= br_dec32le(buf +  0);
257 		q[2] ^= br_dec32le(buf +  4);
258 		q[4] ^= br_dec32le(buf +  8);
259 		q[6] ^= br_dec32le(buf + 12);
260 		br_enc32le(buf +  0, q[0]);
261 		br_enc32le(buf +  4, q[2]);
262 		br_enc32le(buf +  8, q[4]);
263 		br_enc32le(buf + 12, q[6]);
264 
265 		buf += 16;
266 		len -= 16;
267 
268 		/*
269 		 * We set the cm* values to the block to encrypt in the
270 		 * next iteration.
271 		 */
272 		if (first_iter) {
273 			first_iter = 0;
274 			cm0 ^= q[0];
275 			cm1 ^= q[2];
276 			cm2 ^= q[4];
277 			cm3 ^= q[6];
278 		} else {
279 			cm0 = q[0] ^ q[1];
280 			cm1 = q[2] ^ q[3];
281 			cm2 = q[4] ^ q[5];
282 			cm3 = q[6] ^ q[7];
283 		}
284 
285 		/*
286 		 * If this was the last iteration, then compute the
287 		 * extra block encryption to complete CBC-MAC.
288 		 */
289 		if (len == 0) {
290 			q[0] = cm0;
291 			q[2] = cm1;
292 			q[4] = cm2;
293 			q[6] = cm3;
294 			br_aes_ct_ortho(q);
295 			br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
296 			br_aes_ct_ortho(q);
297 			cm0 = q[0];
298 			cm1 = q[2];
299 			cm2 = q[4];
300 			cm3 = q[6];
301 			break;
302 		}
303 	}
304 
305 	br_enc32be(ivbuf +  0, iv0);
306 	br_enc32be(ivbuf +  4, iv1);
307 	br_enc32be(ivbuf +  8, iv2);
308 	br_enc32be(ivbuf + 12, iv3);
309 	br_enc32le((unsigned char *)cbcmac +  0, cm0);
310 	br_enc32le((unsigned char *)cbcmac +  4, cm1);
311 	br_enc32le((unsigned char *)cbcmac +  8, cm2);
312 	br_enc32le((unsigned char *)cbcmac + 12, cm3);
313 }
314 
315 /* see bearssl_block.h */
316 void
317 br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx,
318 	void *ctr, void *cbcmac, void *data, size_t len)
319 {
320 	unsigned char *buf;
321 	unsigned char *ivbuf;
322 	uint32_t iv0, iv1, iv2, iv3;
323 	uint32_t cm0, cm1, cm2, cm3;
324 	uint32_t sk_exp[120];
325 
326 	br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
327 
328 	/*
329 	 * We keep the counter as four 32-bit values, with big-endian
330 	 * convention, because that's what is expected for purposes of
331 	 * incrementing the counter value.
332 	 */
333 	ivbuf = ctr;
334 	iv0 = br_dec32be(ivbuf +  0);
335 	iv1 = br_dec32be(ivbuf +  4);
336 	iv2 = br_dec32be(ivbuf +  8);
337 	iv3 = br_dec32be(ivbuf + 12);
338 
339 	/*
340 	 * The current CBC-MAC value is kept in little-endian convention.
341 	 */
342 	cm0 = br_dec32le((unsigned char *)cbcmac +  0);
343 	cm1 = br_dec32le((unsigned char *)cbcmac +  4);
344 	cm2 = br_dec32le((unsigned char *)cbcmac +  8);
345 	cm3 = br_dec32le((unsigned char *)cbcmac + 12);
346 
347 	buf = data;
348 	while (len > 0) {
349 		uint32_t q[8], carry;
350 		unsigned char tmp[16];
351 
352 		/*
353 		 * The bitslice implementation expects values in
354 		 * little-endian convention, so we have to byteswap them.
355 		 */
356 		q[0] = br_swap32(iv0);
357 		q[2] = br_swap32(iv1);
358 		q[4] = br_swap32(iv2);
359 		q[6] = br_swap32(iv3);
360 		iv3 ++;
361 		carry = ~(iv3 | -iv3) >> 31;
362 		iv2 += carry;
363 		carry &= -(~(iv2 | -iv2) >> 31);
364 		iv1 += carry;
365 		carry &= -(~(iv1 | -iv1) >> 31);
366 		iv0 += carry;
367 
368 		/*
369 		 * The odd values are used for CBC-MAC.
370 		 */
371 		q[1] = cm0 ^ br_dec32le(buf +  0);
372 		q[3] = cm1 ^ br_dec32le(buf +  4);
373 		q[5] = cm2 ^ br_dec32le(buf +  8);
374 		q[7] = cm3 ^ br_dec32le(buf + 12);
375 
376 		br_aes_ct_ortho(q);
377 		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
378 		br_aes_ct_ortho(q);
379 
380 		br_enc32le(tmp +  0, q[0]);
381 		br_enc32le(tmp +  4, q[2]);
382 		br_enc32le(tmp +  8, q[4]);
383 		br_enc32le(tmp + 12, q[6]);
384 		xorbuf(buf, tmp, 16);
385 		cm0 = q[1];
386 		cm1 = q[3];
387 		cm2 = q[5];
388 		cm3 = q[7];
389 		buf += 16;
390 		len -= 16;
391 	}
392 
393 	br_enc32be(ivbuf +  0, iv0);
394 	br_enc32be(ivbuf +  4, iv1);
395 	br_enc32be(ivbuf +  8, iv2);
396 	br_enc32be(ivbuf + 12, iv3);
397 	br_enc32le((unsigned char *)cbcmac +  0, cm0);
398 	br_enc32le((unsigned char *)cbcmac +  4, cm1);
399 	br_enc32le((unsigned char *)cbcmac +  8, cm2);
400 	br_enc32le((unsigned char *)cbcmac + 12, cm3);
401 }
402 
403 /* see bearssl_block.h */
404 const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable = {
405 	sizeof(br_aes_ct_ctrcbc_keys),
406 	16,
407 	4,
408 	(void (*)(const br_block_ctrcbc_class **, const void *, size_t))
409 		&br_aes_ct_ctrcbc_init,
410 	(void (*)(const br_block_ctrcbc_class *const *,
411 		void *, void *, void *, size_t))
412 		&br_aes_ct_ctrcbc_encrypt,
413 	(void (*)(const br_block_ctrcbc_class *const *,
414 		void *, void *, void *, size_t))
415 		&br_aes_ct_ctrcbc_decrypt,
416 	(void (*)(const br_block_ctrcbc_class *const *,
417 		void *, void *, size_t))
418 		&br_aes_ct_ctrcbc_ctr,
419 	(void (*)(const br_block_ctrcbc_class *const *,
420 		void *, const void *, size_t))
421 		&br_aes_ct_ctrcbc_mac
422 };
423