1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2 /*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50 #include <sys/cdefs.h> 51 #include <opencrypto/cbc_mac.h> 52 #include <opencrypto/gmac.h> 53 #include <opencrypto/xform_enc.h> 54 55 struct aes_gcm_ctx { 56 struct aes_icm_ctx cipher; 57 struct aes_gmac_ctx gmac; 58 }; 59 60 struct aes_ccm_ctx { 61 struct aes_icm_ctx cipher; 62 struct aes_cbc_mac_ctx cbc_mac; 63 }; 64 65 static int aes_icm_setkey(void *, const uint8_t *, int); 66 static void aes_icm_crypt(void *, const uint8_t *, uint8_t *); 67 static void aes_icm_crypt_multi(void *, const uint8_t *, uint8_t *, size_t); 68 static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t); 69 static void aes_icm_reinit(void *, const uint8_t *, size_t); 70 static int aes_gcm_setkey(void *, const uint8_t *, int); 71 static void aes_gcm_reinit(void *, const uint8_t *, size_t); 72 static int aes_gcm_update(void *, const void *, u_int); 73 static void aes_gcm_final(uint8_t *, void *); 74 static int aes_ccm_setkey(void *, const uint8_t *, int); 75 static void aes_ccm_reinit(void *, const uint8_t *, size_t); 76 static int aes_ccm_update(void *, const void *, u_int); 77 static void aes_ccm_final(uint8_t *, void *); 78 79 /* Encryption instances */ 80 const struct enc_xform enc_xform_aes_icm = { 81 .type = CRYPTO_AES_ICM, 82 .name = "AES-ICM", 83 .ctxsize = sizeof(struct aes_icm_ctx), 84 .blocksize = 1, 85 .native_blocksize = AES_BLOCK_LEN, 86 .ivsize = AES_BLOCK_LEN, 87 .minkey = AES_MIN_KEY, 88 .maxkey = AES_MAX_KEY, 89 .setkey = aes_icm_setkey, 90 .reinit = aes_icm_reinit, 91 .encrypt = aes_icm_crypt, 92 .decrypt = aes_icm_crypt, 93 .encrypt_multi = aes_icm_crypt_multi, 94 .decrypt_multi = aes_icm_crypt_multi, 95 .encrypt_last = aes_icm_crypt_last, 96 .decrypt_last = aes_icm_crypt_last, 97 }; 98 99 const struct enc_xform enc_xform_aes_nist_gcm = { 100 .type = CRYPTO_AES_NIST_GCM_16, 101 .name = "AES-GCM", 102 .ctxsize = sizeof(struct aes_gcm_ctx), 103 .blocksize = 1, 104 .native_blocksize = AES_BLOCK_LEN, 105 .ivsize = AES_GCM_IV_LEN, 106 .minkey = AES_MIN_KEY, 107 .maxkey = AES_MAX_KEY, 108 .macsize = AES_GMAC_HASH_LEN, 109 .setkey = aes_gcm_setkey, 110 .reinit = aes_gcm_reinit, 111 .encrypt = aes_icm_crypt, 112 .decrypt = aes_icm_crypt, 113 .encrypt_multi = aes_icm_crypt_multi, 114 .decrypt_multi = aes_icm_crypt_multi, 115 .encrypt_last = aes_icm_crypt_last, 116 .decrypt_last = aes_icm_crypt_last, 117 .update = aes_gcm_update, 118 .final = aes_gcm_final, 119 }; 120 121 const struct enc_xform enc_xform_ccm = { 122 .type = CRYPTO_AES_CCM_16, 123 .name = "AES-CCM", 124 .ctxsize = sizeof(struct aes_ccm_ctx), 125 .blocksize = 1, 126 .native_blocksize = AES_BLOCK_LEN, 127 .ivsize = AES_CCM_IV_LEN, 128 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY, 129 .macsize = AES_CBC_MAC_HASH_LEN, 130 .setkey = aes_ccm_setkey, 131 .reinit = aes_ccm_reinit, 132 .encrypt = aes_icm_crypt, 133 .decrypt = aes_icm_crypt, 134 .encrypt_multi = aes_icm_crypt_multi, 135 .decrypt_multi = aes_icm_crypt_multi, 136 .encrypt_last = aes_icm_crypt_last, 137 .decrypt_last = aes_icm_crypt_last, 138 .update = aes_ccm_update, 139 .final = aes_ccm_final, 140 }; 141 142 /* 143 * Encryption wrapper routines. 144 */ 145 static void 146 aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen) 147 { 148 struct aes_icm_ctx *ctx; 149 150 ctx = key; 151 KASSERT(ivlen <= sizeof(ctx->ac_block), 152 ("%s: ivlen too large", __func__)); 153 bcopy(iv, ctx->ac_block, ivlen); 154 } 155 156 static void 157 aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 158 { 159 struct aes_gcm_ctx *ctx = vctx; 160 161 KASSERT(ivlen == AES_GCM_IV_LEN, 162 ("%s: invalid IV length", __func__)); 163 aes_icm_reinit(&ctx->cipher, iv, ivlen); 164 165 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 166 bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4); 167 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2; 168 169 AES_GMAC_Reinit(&ctx->gmac, iv, ivlen); 170 } 171 172 static void 173 aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 174 { 175 struct aes_ccm_ctx *ctx = vctx; 176 177 KASSERT(ivlen >= 7 && ivlen <= 13, 178 ("%s: invalid IV length", __func__)); 179 180 /* CCM has flags, then the IV, then the counter, which starts at 1 */ 181 bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block)); 182 ctx->cipher.ac_block[0] = (15 - ivlen) - 1; 183 bcopy(iv, ctx->cipher.ac_block + 1, ivlen); 184 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1; 185 186 AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen); 187 } 188 189 static void 190 aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out) 191 { 192 struct aes_icm_ctx *ctx; 193 int i; 194 195 ctx = key; 196 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE); 197 198 /* increment counter */ 199 for (i = AESICM_BLOCKSIZE - 1; 200 i >= 0; i--) 201 if (++ctx->ac_block[i]) /* continue on overflow */ 202 break; 203 } 204 205 static void 206 aes_icm_crypt_multi(void *key, const uint8_t *in, uint8_t *out, size_t len) 207 { 208 struct aes_icm_ctx *ctx = key; 209 uint8_t keystream[AESICM_BLOCKSIZE]; 210 int i; 211 212 KASSERT(len % AESICM_BLOCKSIZE == 0, ("%s: invalid length", __func__)); 213 while (len > 0) { 214 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 215 for (i = 0; i < AESICM_BLOCKSIZE; i++) 216 out[i] = in[i] ^ keystream[i]; 217 218 /* increment counter */ 219 for (i = AESICM_BLOCKSIZE - 1; i >= 0; i--) 220 if (++ctx->ac_block[i]) /* continue on overflow */ 221 break; 222 223 out += AESICM_BLOCKSIZE; 224 in += AESICM_BLOCKSIZE; 225 len -= AESICM_BLOCKSIZE; 226 } 227 explicit_bzero(keystream, sizeof(keystream)); 228 } 229 230 static void 231 aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len) 232 { 233 struct aes_icm_ctx *ctx; 234 uint8_t keystream[AESICM_BLOCKSIZE]; 235 int i; 236 237 ctx = key; 238 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 239 for (i = 0; i < len; i++) 240 out[i] = in[i] ^ keystream[i]; 241 explicit_bzero(keystream, sizeof(keystream)); 242 } 243 244 static int 245 aes_icm_setkey(void *sched, const uint8_t *key, int len) 246 { 247 struct aes_icm_ctx *ctx; 248 249 if (len != 16 && len != 24 && len != 32) 250 return (EINVAL); 251 252 ctx = sched; 253 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8); 254 return (0); 255 } 256 257 static int 258 aes_gcm_setkey(void *vctx, const uint8_t *key, int len) 259 { 260 struct aes_gcm_ctx *ctx = vctx; 261 int error; 262 263 error = aes_icm_setkey(&ctx->cipher, key, len); 264 if (error != 0) 265 return (error); 266 267 AES_GMAC_Setkey(&ctx->gmac, key, len); 268 return (0); 269 } 270 271 static int 272 aes_ccm_setkey(void *vctx, const uint8_t *key, int len) 273 { 274 struct aes_ccm_ctx *ctx = vctx; 275 int error; 276 277 error = aes_icm_setkey(&ctx->cipher, key, len); 278 if (error != 0) 279 return (error); 280 281 AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len); 282 return (0); 283 } 284 285 static int 286 aes_gcm_update(void *vctx, const void *buf, u_int len) 287 { 288 struct aes_gcm_ctx *ctx = vctx; 289 290 return (AES_GMAC_Update(&ctx->gmac, buf, len)); 291 } 292 293 static int 294 aes_ccm_update(void *vctx, const void *buf, u_int len) 295 { 296 struct aes_ccm_ctx *ctx = vctx; 297 298 return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len)); 299 } 300 301 static void 302 aes_gcm_final(uint8_t *tag, void *vctx) 303 { 304 struct aes_gcm_ctx *ctx = vctx; 305 306 AES_GMAC_Final(tag, &ctx->gmac); 307 } 308 309 static void 310 aes_ccm_final(uint8_t *tag, void *vctx) 311 { 312 struct aes_ccm_ctx *ctx = vctx; 313 314 AES_CBC_MAC_Final(tag, &ctx->cbc_mac); 315 } 316