xref: /freebsd/sys/crypto/aesni/aesni_ccm.c (revision a4e5e0106ac7145f56eb39a691e302cabb4635be)
1 /*-
2  * Copyright (c) 2014-2021 The FreeBSD Foundation
3  * Copyright (c) 2018 iXsystems, Inc
4  * All rights reserved.
5  *
6  * Portions of this software were developed by John-Mark Gurney
7  * under the sponsorship of the FreeBSD Foundation and
8  * Rubicon Communications, LLC (Netgate).
9  *
10  * Portions of this software were developed by Ararat River
11  * Consulting, LLC under sponsorship of the FreeBSD Foundation.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1.  Redistributions of source code must retain the above copyright
17  *     notice, this list of conditions and the following disclaimer.
18  * 2.  Redistributions in binary form must reproduce the above copyright
19  *     notice, this list of conditions and the following disclaimer in the
20  *     documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  *
35  * This file implements AES-CCM+CBC-MAC, as described
36  * at https://tools.ietf.org/html/rfc3610, using Intel's
37  * AES-NI instructions.
38  *
39  */
40 
41 #include <sys/types.h>
42 #include <sys/endian.h>
43 #include <sys/param.h>
44 
45 #include <sys/systm.h>
46 #include <crypto/aesni/aesni.h>
47 #include <crypto/aesni/aesni_os.h>
48 #include <crypto/aesni/aesencdec.h>
49 #define AESNI_ENC(d, k, nr)	aesni_enc(nr-1, (const __m128i*)k, d)
50 
51 #include <wmmintrin.h>
52 #include <emmintrin.h>
53 #include <smmintrin.h>
54 
55 /*
56  * Encrypt a single 128-bit block after
57  * doing an xor.  This is also used to
58  * decrypt (yay symmetric encryption).
59  */
60 static inline __m128i
61 xor_and_encrypt(__m128i a, __m128i b, const unsigned char *k, int nr)
62 {
63 	__m128i retval = _mm_xor_si128(a, b);
64 
65 	retval = AESNI_ENC(retval, k, nr);
66 	return (retval);
67 }
68 
69 /*
70  * Put value at the end of block, starting at offset.
71  * (This goes backwards, putting bytes in *until* it
72  * reaches offset.)
73  */
74 static void
75 append_int(size_t value, __m128i *block, size_t offset)
76 {
77 	int indx = sizeof(*block) - 1;
78 	uint8_t *bp = (uint8_t*)block;
79 
80 	while (indx > (sizeof(*block) - offset)) {
81 		bp[indx] = value & 0xff;
82 		indx--;
83 		value >>= 8;
84 	}
85 }
86 
87 /*
88  * Start the CBC-MAC process.  This handles the auth data.
89  */
90 static __m128i
91 cbc_mac_start(const unsigned char *auth_data, size_t auth_len,
92 	     const unsigned char *nonce, size_t nonce_len,
93 	     const unsigned char *key, int nr,
94 	     size_t data_len, size_t tag_len)
95 {
96 	__m128i cbc_block, staging_block;
97 	uint8_t *byte_ptr;
98 	/* This defines where the message length goes */
99 	int L = sizeof(__m128i) - 1 - nonce_len;
100 
101 	/*
102 	 * Set up B0 here.  This has the flags byte,
103 	 * followed by the nonce, followed by the
104 	 * length of the message.
105 	 */
106 	cbc_block = _mm_setzero_si128();
107 	byte_ptr = (uint8_t*)&cbc_block;
108 	byte_ptr[0] = ((auth_len > 0) ? 1 : 0) * 64 |
109 		(((tag_len - 2) / 2) * 8) |
110 		(L - 1);
111 	bcopy(nonce, byte_ptr + 1, nonce_len);
112 	append_int(data_len, &cbc_block, L+1);
113 	cbc_block = AESNI_ENC(cbc_block, key, nr);
114 
115 	if (auth_len != 0) {
116 		/*
117 		 * We need to start by appending the length descriptor.
118 		 */
119 		uint32_t auth_amt;
120 		size_t copy_amt;
121 		const uint8_t *auth_ptr = auth_data;
122 
123 		staging_block = _mm_setzero_si128();
124 
125 		/*
126 		 * The current OCF calling convention means that
127 		 * there can never be more than 4g of authentication
128 		 * data, so we don't handle the 0xffff case.
129 		 */
130 		KASSERT(auth_len < (1ULL << 32),
131 		    ("%s: auth_len (%zu) larger than 4GB",
132 			__FUNCTION__, auth_len));
133 
134 		if (auth_len < ((1 << 16) - (1 << 8))) {
135 			/*
136 			 * If the auth data length is less than
137 			 * 0xff00, we don't need to encode a length
138 			 * specifier, just the length of the auth
139 			 * data.
140 			 */
141 			be16enc(&staging_block, auth_len);
142 			auth_amt = 2;
143 		} else if (auth_len < (1ULL << 32)) {
144 			/*
145 			 * Two bytes for the length prefix, and then
146 			 * four bytes for the length.  This makes a total
147 			 * of 6 bytes to describe the auth data length.
148 			 */
149 			be16enc(&staging_block, 0xfffe);
150 			be32enc((char*)&staging_block + 2, auth_len);
151 			auth_amt = 6;
152 		} else
153 			panic("%s: auth len too large", __FUNCTION__);
154 
155 		/*
156 		 * Need to copy abytes into blocks.  The first block is
157 		 * already partially filled, by auth_amt, so we need
158 		 * to handle that.  The last block needs to be zero padded.
159 		 */
160 		copy_amt = MIN(auth_len,
161 		    sizeof(staging_block) - auth_amt);
162 		byte_ptr = (uint8_t*)&staging_block;
163 		bcopy(auth_ptr, &byte_ptr[auth_amt], copy_amt);
164 		auth_ptr += copy_amt;
165 
166 		cbc_block = xor_and_encrypt(cbc_block, staging_block, key, nr);
167 
168 		while (auth_ptr < auth_data + auth_len) {
169 			copy_amt = MIN((auth_data + auth_len) - auth_ptr,
170 			    sizeof(staging_block));
171 			if (copy_amt < sizeof(staging_block))
172 				bzero(&staging_block, sizeof(staging_block));
173 			bcopy(auth_ptr, &staging_block, copy_amt);
174 			cbc_block = xor_and_encrypt(cbc_block, staging_block,
175 			    key, nr);
176 			auth_ptr += copy_amt;
177 		}
178 	}
179 	return (cbc_block);
180 }
181 
182 /*
183  * Implement AES CCM+CBC-MAC encryption and authentication.
184  *
185  * A couple of notes:
186  * Since abytes is limited to a 32 bit value here, the AAD is
187  * limited to 4 gigabytes or less.
188  */
189 void
190 AES_CCM_encrypt(const unsigned char *in, unsigned char *out,
191 		const unsigned char *addt, const unsigned char *nonce,
192 		unsigned char *tag, uint32_t nbytes, uint32_t abytes, int nlen,
193 		int tag_length, const unsigned char *key, int nr)
194 {
195 	int L;
196 	int counter = 1;	/* S0 has 0, S1 has 1 */
197 	size_t copy_amt, total = 0;
198 	uint8_t *byte_ptr;
199 	__m128i s0, rolling_mac, s_x, staging_block;
200 
201 	/* NIST 800-38c section A.1 says n is [7, 13]. */
202 	if (nlen < 7 || nlen > 13)
203 		panic("%s: bad nonce length %d", __FUNCTION__, nlen);
204 
205 	/*
206 	 * We need to know how many bytes to use to describe
207 	 * the length of the data.  Normally, nlen should be
208 	 * 12, which leaves us 3 bytes to do that -- 16mbytes of
209 	 * data to encrypt.  But it can be longer or shorter;
210 	 * this impacts the length of the message.
211 	 */
212 	L = sizeof(__m128i) - 1 - nlen;
213 
214 	/*
215 	 * Clear out the blocks
216 	 */
217 	s0 = _mm_setzero_si128();
218 
219 	rolling_mac = cbc_mac_start(addt, abytes, nonce, nlen,
220 	    key, nr, nbytes, tag_length);
221 
222 	/* s0 has flags, nonce, and then 0 */
223 	byte_ptr = (uint8_t*)&s0;
224 	byte_ptr[0] = L - 1;	/* but the flags byte only has L' */
225 	bcopy(nonce, &byte_ptr[1], nlen);
226 
227 	/*
228 	 * Now to cycle through the rest of the data.
229 	 */
230 	bcopy(&s0, &s_x, sizeof(s0));
231 
232 	while (total < nbytes) {
233 		/*
234 		 * Copy the plain-text data into staging_block.
235 		 * This may need to be zero-padded.
236 		 */
237 		copy_amt = MIN(nbytes - total, sizeof(staging_block));
238 		bcopy(in+total, &staging_block, copy_amt);
239 		if (copy_amt < sizeof(staging_block)) {
240 			byte_ptr = (uint8_t*)&staging_block;
241 			bzero(&byte_ptr[copy_amt],
242 			    sizeof(staging_block) - copy_amt);
243 		}
244 		rolling_mac = xor_and_encrypt(rolling_mac, staging_block,
245 		    key, nr);
246 		/* Put the counter into the s_x block */
247 		append_int(counter++, &s_x, L+1);
248 		/* Encrypt that */
249 		__m128i X = AESNI_ENC(s_x, key, nr);
250 		/* XOR the plain-text with the encrypted counter block */
251 		staging_block = _mm_xor_si128(staging_block, X);
252 		/* And copy it out */
253 		bcopy(&staging_block, out+total, copy_amt);
254 		total += copy_amt;
255 	}
256 	/*
257 	 * Allegedly done with it!  Except for the tag.
258 	 */
259 	s0 = AESNI_ENC(s0, key, nr);
260 	staging_block = _mm_xor_si128(s0, rolling_mac);
261 	bcopy(&staging_block, tag, tag_length);
262 	explicit_bzero(&s0, sizeof(s0));
263 	explicit_bzero(&staging_block, sizeof(staging_block));
264 	explicit_bzero(&s_x, sizeof(s_x));
265 	explicit_bzero(&rolling_mac, sizeof(rolling_mac));
266 }
267 
268 /*
269  * Implement AES CCM+CBC-MAC decryption and authentication.
270  * Returns 0 on failure, 1 on success.
271  *
272  * The primary difference here is that each encrypted block
273  * needs to be hashed&encrypted after it is decrypted (since
274  * the CBC-MAC is based on the plain text).  This means that
275  * we do the decryption twice -- first to verify the tag,
276  * and second to decrypt and copy it out.
277  *
278  * To avoid annoying code copying, we implement the main
279  * loop as a separate function.
280  *
281  * Call with out as NULL to not store the decrypted results;
282  * call with hashp as NULL to not run the authentication.
283  * Calling with neither as NULL does the decryption and
284  * authentication as a single pass (which is not allowed
285  * per the specification, really).
286  *
287  * If hashp is non-NULL, it points to the post-AAD computed
288  * checksum.
289  */
290 static void
291 decrypt_loop(const unsigned char *in, unsigned char *out, size_t nbytes,
292     __m128i s0, size_t nonce_length, __m128i *macp,
293     const unsigned char *key, int nr)
294 {
295 	size_t total = 0;
296 	__m128i s_x = s0, mac_block;
297 	int counter = 1;
298 	const size_t L = sizeof(__m128i) - 1 - nonce_length;
299 	__m128i pad_block, staging_block;
300 
301 	/*
302 	 * The starting mac (post AAD, if any).
303 	 */
304 	if (macp != NULL)
305 		mac_block = *macp;
306 
307 	while (total < nbytes) {
308 		size_t copy_amt = MIN(nbytes - total, sizeof(staging_block));
309 
310 		if (copy_amt < sizeof(staging_block)) {
311 			staging_block = _mm_setzero_si128();
312 		}
313 		bcopy(in+total, &staging_block, copy_amt);
314 
315 		/*
316 		 * staging_block has the current block of input data,
317 		 * zero-padded if necessary.  This is used in computing
318 		 * both the decrypted data, and the authentication tag.
319 		 */
320 		append_int(counter++, &s_x, L+1);
321 		/*
322 		 * The tag is computed based on the decrypted data.
323 		 */
324 		pad_block = AESNI_ENC(s_x, key, nr);
325 		if (copy_amt < sizeof(staging_block)) {
326 			/*
327 			 * Need to pad out pad_block with 0.
328 			 * (staging_block was set to 0's above.)
329 			 */
330 			uint8_t *end_of_buffer = (uint8_t*)&pad_block;
331 			bzero(end_of_buffer + copy_amt,
332 			    sizeof(pad_block) - copy_amt);
333 		}
334 		staging_block = _mm_xor_si128(staging_block, pad_block);
335 
336 		if (out)
337 			bcopy(&staging_block, out+total, copy_amt);
338 
339 		if (macp)
340 			mac_block = xor_and_encrypt(mac_block, staging_block,
341 			    key, nr);
342 		total += copy_amt;
343 	}
344 
345 	if (macp)
346 		*macp = mac_block;
347 
348 	explicit_bzero(&pad_block, sizeof(pad_block));
349 	explicit_bzero(&staging_block, sizeof(staging_block));
350 	explicit_bzero(&mac_block, sizeof(mac_block));
351 }
352 
353 /*
354  * The exposed decryption routine.  This is practically a
355  * copy of the encryption routine, except that the order
356  * in which the tag is created is changed.
357  * XXX combine the two functions at some point!
358  */
359 int
360 AES_CCM_decrypt(const unsigned char *in, unsigned char *out,
361 		const unsigned char *addt, const unsigned char *nonce,
362 		const unsigned char *tag, uint32_t nbytes, uint32_t abytes, int nlen,
363 		int tag_length, const unsigned char *key, int nr)
364 {
365 	int L;
366 	__m128i s0, rolling_mac, staging_block;
367 	uint8_t *byte_ptr;
368 
369 	if (nlen < 0 || nlen > 15)
370 		panic("%s: bad nonce length %d", __FUNCTION__, nlen);
371 
372 	/*
373 	 * We need to know how many bytes to use to describe
374 	 * the length of the data.  Normally, nlen should be
375 	 * 12, which leaves us 3 bytes to do that -- 16mbytes of
376 	 * data to encrypt.  But it can be longer or shorter.
377 	 */
378 	L = sizeof(__m128i) - 1 - nlen;
379 
380 	/*
381 	 * Clear out the blocks
382 	 */
383 	s0 = _mm_setzero_si128();
384 
385 	rolling_mac = cbc_mac_start(addt, abytes, nonce, nlen,
386 	    key, nr, nbytes, tag_length);
387 	/* s0 has flags, nonce, and then 0 */
388 	byte_ptr = (uint8_t*)&s0;
389 	byte_ptr[0] = L-1;	/* but the flags byte only has L' */
390 	bcopy(nonce, &byte_ptr[1], nlen);
391 
392 	/*
393 	 * Now to cycle through the rest of the data.
394 	 */
395 	decrypt_loop(in, NULL, nbytes, s0, nlen, &rolling_mac, key, nr);
396 
397 	/*
398 	 * Compare the tag.
399 	 */
400 	staging_block = _mm_xor_si128(AESNI_ENC(s0, key, nr), rolling_mac);
401 	if (timingsafe_bcmp(&staging_block, tag, tag_length) != 0) {
402 		return (0);
403 	}
404 
405 	/*
406 	 * Push out the decryption results this time.
407 	 */
408 	decrypt_loop(in, out, nbytes, s0, nlen, NULL, key, nr);
409 	return (1);
410 }
411