1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2 /*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50 #include <sys/types.h> 51 #include <crypto/rijndael/rijndael.h> 52 #include <opencrypto/xform_enc.h> 53 54 struct aes_cbc_ctx { 55 rijndael_ctx key; 56 char iv[AES_BLOCK_LEN]; 57 }; 58 59 static int aes_cbc_setkey(void *, const uint8_t *, int); 60 static void aes_cbc_encrypt(void *, const uint8_t *, uint8_t *); 61 static void aes_cbc_decrypt(void *, const uint8_t *, uint8_t *); 62 static void aes_cbc_encrypt_multi(void *, const uint8_t *, uint8_t *, size_t); 63 static void aes_cbc_decrypt_multi(void *, const uint8_t *, uint8_t *, size_t); 64 static void aes_cbc_reinit(void *, const uint8_t *, size_t); 65 66 /* Encryption instances */ 67 const struct enc_xform enc_xform_aes_cbc = { 68 .type = CRYPTO_AES_CBC, 69 .name = "AES-CBC", 70 .ctxsize = sizeof(struct aes_cbc_ctx), 71 .blocksize = AES_BLOCK_LEN, 72 .ivsize = AES_BLOCK_LEN, 73 .minkey = AES_MIN_KEY, 74 .maxkey = AES_MAX_KEY, 75 .setkey = aes_cbc_setkey, 76 .reinit = aes_cbc_reinit, 77 .encrypt = aes_cbc_encrypt, 78 .decrypt = aes_cbc_decrypt, 79 .encrypt_multi = aes_cbc_encrypt_multi, 80 .decrypt_multi = aes_cbc_decrypt_multi, 81 }; 82 83 /* 84 * Encryption wrapper routines. 85 */ 86 static void 87 aes_cbc_encrypt(void *vctx, const uint8_t *in, uint8_t *out) 88 { 89 struct aes_cbc_ctx *ctx = vctx; 90 91 for (u_int i = 0; i < AES_BLOCK_LEN; i++) 92 out[i] = in[i] ^ ctx->iv[i]; 93 rijndael_encrypt(&ctx->key, out, out); 94 memcpy(ctx->iv, out, AES_BLOCK_LEN); 95 } 96 97 static void 98 aes_cbc_decrypt(void *vctx, const uint8_t *in, uint8_t *out) 99 { 100 struct aes_cbc_ctx *ctx = vctx; 101 char block[AES_BLOCK_LEN]; 102 103 memcpy(block, in, AES_BLOCK_LEN); 104 rijndael_decrypt(&ctx->key, in, out); 105 for (u_int i = 0; i < AES_BLOCK_LEN; i++) 106 out[i] ^= ctx->iv[i]; 107 memcpy(ctx->iv, block, AES_BLOCK_LEN); 108 explicit_bzero(block, sizeof(block)); 109 } 110 111 static void 112 aes_cbc_encrypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len) 113 { 114 struct aes_cbc_ctx *ctx = vctx; 115 116 KASSERT(len % AES_BLOCK_LEN == 0, ("%s: invalid length", __func__)); 117 while (len > 0) { 118 for (u_int i = 0; i < AES_BLOCK_LEN; i++) 119 out[i] = in[i] ^ ctx->iv[i]; 120 rijndael_encrypt(&ctx->key, out, out); 121 memcpy(ctx->iv, out, AES_BLOCK_LEN); 122 out += AES_BLOCK_LEN; 123 in += AES_BLOCK_LEN; 124 len -= AES_BLOCK_LEN; 125 } 126 } 127 128 static void 129 aes_cbc_decrypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len) 130 { 131 struct aes_cbc_ctx *ctx = vctx; 132 char block[AES_BLOCK_LEN]; 133 134 KASSERT(len % AES_BLOCK_LEN == 0, ("%s: invalid length", __func__)); 135 while (len > 0) { 136 memcpy(block, in, AES_BLOCK_LEN); 137 rijndael_decrypt(&ctx->key, in, out); 138 for (u_int i = 0; i < AES_BLOCK_LEN; i++) 139 out[i] ^= ctx->iv[i]; 140 memcpy(ctx->iv, block, AES_BLOCK_LEN); 141 out += AES_BLOCK_LEN; 142 in += AES_BLOCK_LEN; 143 len -= AES_BLOCK_LEN; 144 } 145 explicit_bzero(block, sizeof(block)); 146 } 147 148 static int 149 aes_cbc_setkey(void *vctx, const uint8_t *key, int len) 150 { 151 struct aes_cbc_ctx *ctx = vctx; 152 153 if (len != 16 && len != 24 && len != 32) 154 return (EINVAL); 155 156 rijndael_set_key(&ctx->key, key, len * 8); 157 return (0); 158 } 159 160 static void 161 aes_cbc_reinit(void *vctx, const uint8_t *iv, size_t iv_len) 162 { 163 struct aes_cbc_ctx *ctx = vctx; 164 165 KASSERT(iv_len == sizeof(ctx->iv), ("%s: bad IV length", __func__)); 166 memcpy(ctx->iv, iv, sizeof(ctx->iv)); 167 } 168