xref: /freebsd/sys/opencrypto/xform_aes_icm.c (revision 271171e0d97b88ba2a7c3bf750c9672b484c1c13)
1 /*	$OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $	*/
2 /*-
3  * The authors of this code are John Ioannidis (ji@tla.org),
4  * Angelos D. Keromytis (kermit@csd.uch.gr),
5  * Niels Provos (provos@physnet.uni-hamburg.de) and
6  * Damien Miller (djm@mindrot.org).
7  *
8  * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9  * in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis.
18  *
19  * AES XTS implementation in 2008 by Damien Miller
20  *
21  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22  * Angelos D. Keromytis and Niels Provos.
23  *
24  * Copyright (C) 2001, Angelos D. Keromytis.
25  *
26  * Copyright (C) 2008, Damien Miller
27  * Copyright (c) 2014 The FreeBSD Foundation
28  * All rights reserved.
29  *
30  * Portions of this software were developed by John-Mark Gurney
31  * under sponsorship of the FreeBSD Foundation and
32  * Rubicon Communications, LLC (Netgate).
33  *
34  * Permission to use, copy, and modify this software with or without fee
35  * is hereby granted, provided that this entire notice is included in
36  * all copies of any software which is or includes a copy or
37  * modification of this software.
38  * You may use this code under the GNU public license if you so wish. Please
39  * contribute changes back to the authors under this freer than GPL license
40  * so that we may further the use of strong encryption without limitations to
41  * all.
42  *
43  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
47  * PURPOSE.
48  */
49 
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
52 
53 #include <opencrypto/cbc_mac.h>
54 #include <opencrypto/gmac.h>
55 #include <opencrypto/xform_enc.h>
56 
57 struct aes_gcm_ctx {
58 	struct aes_icm_ctx cipher;
59 	struct aes_gmac_ctx gmac;
60 };
61 
62 struct aes_ccm_ctx {
63 	struct aes_icm_ctx cipher;
64 	struct aes_cbc_mac_ctx cbc_mac;
65 };
66 
67 static	int aes_icm_setkey(void *, const uint8_t *, int);
68 static	void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
69 static	void aes_icm_crypt_multi(void *, const uint8_t *, uint8_t *, size_t);
70 static	void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t);
71 static	void aes_icm_reinit(void *, const uint8_t *, size_t);
72 static	int aes_gcm_setkey(void *, const uint8_t *, int);
73 static	void aes_gcm_reinit(void *, const uint8_t *, size_t);
74 static	int aes_gcm_update(void *, const void *, u_int);
75 static	void aes_gcm_final(uint8_t *, void *);
76 static	int aes_ccm_setkey(void *, const uint8_t *, int);
77 static	void aes_ccm_reinit(void *, const uint8_t *, size_t);
78 static	int aes_ccm_update(void *, const void *, u_int);
79 static	void aes_ccm_final(uint8_t *, void *);
80 
81 /* Encryption instances */
82 const struct enc_xform enc_xform_aes_icm = {
83 	.type = CRYPTO_AES_ICM,
84 	.name = "AES-ICM",
85 	.ctxsize = sizeof(struct aes_icm_ctx),
86 	.blocksize = 1,
87 	.native_blocksize = AES_BLOCK_LEN,
88 	.ivsize = AES_BLOCK_LEN,
89 	.minkey = AES_MIN_KEY,
90 	.maxkey = AES_MAX_KEY,
91 	.setkey = aes_icm_setkey,
92 	.reinit = aes_icm_reinit,
93 	.encrypt = aes_icm_crypt,
94 	.decrypt = aes_icm_crypt,
95 	.encrypt_multi = aes_icm_crypt_multi,
96 	.decrypt_multi = aes_icm_crypt_multi,
97 	.encrypt_last = aes_icm_crypt_last,
98 	.decrypt_last = aes_icm_crypt_last,
99 };
100 
101 const struct enc_xform enc_xform_aes_nist_gcm = {
102 	.type = CRYPTO_AES_NIST_GCM_16,
103 	.name = "AES-GCM",
104 	.ctxsize = sizeof(struct aes_gcm_ctx),
105 	.blocksize = 1,
106 	.native_blocksize = AES_BLOCK_LEN,
107 	.ivsize = AES_GCM_IV_LEN,
108 	.minkey = AES_MIN_KEY,
109 	.maxkey = AES_MAX_KEY,
110 	.macsize = AES_GMAC_HASH_LEN,
111 	.setkey = aes_gcm_setkey,
112 	.reinit = aes_gcm_reinit,
113 	.encrypt = aes_icm_crypt,
114 	.decrypt = aes_icm_crypt,
115 	.encrypt_multi = aes_icm_crypt_multi,
116 	.decrypt_multi = aes_icm_crypt_multi,
117 	.encrypt_last = aes_icm_crypt_last,
118 	.decrypt_last = aes_icm_crypt_last,
119 	.update = aes_gcm_update,
120 	.final = aes_gcm_final,
121 };
122 
123 const struct enc_xform enc_xform_ccm = {
124 	.type = CRYPTO_AES_CCM_16,
125 	.name = "AES-CCM",
126 	.ctxsize = sizeof(struct aes_ccm_ctx),
127 	.blocksize = 1,
128 	.native_blocksize = AES_BLOCK_LEN,
129 	.ivsize = AES_CCM_IV_LEN,
130 	.minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
131 	.macsize = AES_CBC_MAC_HASH_LEN,
132 	.setkey = aes_ccm_setkey,
133 	.reinit = aes_ccm_reinit,
134 	.encrypt = aes_icm_crypt,
135 	.decrypt = aes_icm_crypt,
136 	.encrypt_multi = aes_icm_crypt_multi,
137 	.decrypt_multi = aes_icm_crypt_multi,
138 	.encrypt_last = aes_icm_crypt_last,
139 	.decrypt_last = aes_icm_crypt_last,
140 	.update = aes_ccm_update,
141 	.final = aes_ccm_final,
142 };
143 
144 /*
145  * Encryption wrapper routines.
146  */
147 static void
148 aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen)
149 {
150 	struct aes_icm_ctx *ctx;
151 
152 	ctx = key;
153 	KASSERT(ivlen <= sizeof(ctx->ac_block),
154 	    ("%s: ivlen too large", __func__));
155 	bcopy(iv, ctx->ac_block, ivlen);
156 }
157 
158 static void
159 aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
160 {
161 	struct aes_gcm_ctx *ctx = vctx;
162 
163 	KASSERT(ivlen == AES_GCM_IV_LEN,
164 	    ("%s: invalid IV length", __func__));
165 	aes_icm_reinit(&ctx->cipher, iv, ivlen);
166 
167 	/* GCM starts with 2 as counter 1 is used for final xor of tag. */
168 	bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4);
169 	ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2;
170 
171 	AES_GMAC_Reinit(&ctx->gmac, iv, ivlen);
172 }
173 
174 static void
175 aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
176 {
177 	struct aes_ccm_ctx *ctx = vctx;
178 
179 	KASSERT(ivlen >= 7 && ivlen <= 13,
180 	    ("%s: invalid IV length", __func__));
181 
182 	/* CCM has flags, then the IV, then the counter, which starts at 1 */
183 	bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block));
184 	ctx->cipher.ac_block[0] = (15 - ivlen) - 1;
185 	bcopy(iv, ctx->cipher.ac_block + 1, ivlen);
186 	ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1;
187 
188 	AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen);
189 }
190 
191 static void
192 aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
193 {
194 	struct aes_icm_ctx *ctx;
195 	int i;
196 
197 	ctx = key;
198 	aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);
199 
200 	/* increment counter */
201 	for (i = AESICM_BLOCKSIZE - 1;
202 	     i >= 0; i--)
203 		if (++ctx->ac_block[i])   /* continue on overflow */
204 			break;
205 }
206 
207 static void
208 aes_icm_crypt_multi(void *key, const uint8_t *in, uint8_t *out, size_t len)
209 {
210 	struct aes_icm_ctx *ctx = key;
211 	uint8_t keystream[AESICM_BLOCKSIZE];
212 	int i;
213 
214 	KASSERT(len % AESICM_BLOCKSIZE == 0, ("%s: invalid length", __func__));
215 	while (len > 0) {
216 		rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
217 		for (i = 0; i < AESICM_BLOCKSIZE; i++)
218 			out[i] = in[i] ^ keystream[i];
219 
220 		/* increment counter */
221 		for (i = AESICM_BLOCKSIZE - 1; i >= 0; i--)
222 			if (++ctx->ac_block[i])   /* continue on overflow */
223 				break;
224 
225 		out += AESICM_BLOCKSIZE;
226 		in += AESICM_BLOCKSIZE;
227 		len -= AESICM_BLOCKSIZE;
228 	}
229 	explicit_bzero(keystream, sizeof(keystream));
230 }
231 
232 static void
233 aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
234 {
235 	struct aes_icm_ctx *ctx;
236 	uint8_t keystream[AESICM_BLOCKSIZE];
237 	int i;
238 
239 	ctx = key;
240 	rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
241 	for (i = 0; i < len; i++)
242 		out[i] = in[i] ^ keystream[i];
243 	explicit_bzero(keystream, sizeof(keystream));
244 }
245 
246 static int
247 aes_icm_setkey(void *sched, const uint8_t *key, int len)
248 {
249 	struct aes_icm_ctx *ctx;
250 
251 	if (len != 16 && len != 24 && len != 32)
252 		return (EINVAL);
253 
254 	ctx = sched;
255 	ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
256 	return (0);
257 }
258 
259 static int
260 aes_gcm_setkey(void *vctx, const uint8_t *key, int len)
261 {
262 	struct aes_gcm_ctx *ctx = vctx;
263 	int error;
264 
265 	error = aes_icm_setkey(&ctx->cipher, key, len);
266 	if (error != 0)
267 		return (error);
268 
269 	AES_GMAC_Setkey(&ctx->gmac, key, len);
270 	return (0);
271 }
272 
273 static int
274 aes_ccm_setkey(void *vctx, const uint8_t *key, int len)
275 {
276 	struct aes_ccm_ctx *ctx = vctx;
277 	int error;
278 
279 	error = aes_icm_setkey(&ctx->cipher, key, len);
280 	if (error != 0)
281 		return (error);
282 
283 	AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len);
284 	return (0);
285 }
286 
287 static int
288 aes_gcm_update(void *vctx, const void *buf, u_int len)
289 {
290 	struct aes_gcm_ctx *ctx = vctx;
291 
292 	return (AES_GMAC_Update(&ctx->gmac, buf, len));
293 }
294 
295 static int
296 aes_ccm_update(void *vctx, const void *buf, u_int len)
297 {
298 	struct aes_ccm_ctx *ctx = vctx;
299 
300 	return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len));
301 }
302 
303 static void
304 aes_gcm_final(uint8_t *tag, void *vctx)
305 {
306 	struct aes_gcm_ctx *ctx = vctx;
307 
308 	AES_GMAC_Final(tag, &ctx->gmac);
309 }
310 
311 static void
312 aes_ccm_final(uint8_t *tag, void *vctx)
313 {
314 	struct aes_ccm_ctx *ctx = vctx;
315 
316 	AES_CBC_MAC_Final(tag, &ctx->cbc_mac);
317 }
318