1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2 /*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50 #include <sys/cdefs.h> 51 __FBSDID("$FreeBSD$"); 52 53 #include <opencrypto/cbc_mac.h> 54 #include <opencrypto/gmac.h> 55 #include <opencrypto/xform_enc.h> 56 57 struct aes_gcm_ctx { 58 struct aes_icm_ctx cipher; 59 struct aes_gmac_ctx gmac; 60 }; 61 62 struct aes_ccm_ctx { 63 struct aes_icm_ctx cipher; 64 struct aes_cbc_mac_ctx cbc_mac; 65 }; 66 67 static int aes_icm_setkey(void *, const uint8_t *, int); 68 static void aes_icm_crypt(void *, const uint8_t *, uint8_t *); 69 static void aes_icm_crypt_multi(void *, const uint8_t *, uint8_t *, size_t); 70 static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t); 71 static void aes_icm_reinit(void *, const uint8_t *, size_t); 72 static int aes_gcm_setkey(void *, const uint8_t *, int); 73 static void aes_gcm_reinit(void *, const uint8_t *, size_t); 74 static int aes_gcm_update(void *, const void *, u_int); 75 static void aes_gcm_final(uint8_t *, void *); 76 static int aes_ccm_setkey(void *, const uint8_t *, int); 77 static void aes_ccm_reinit(void *, const uint8_t *, size_t); 78 static int aes_ccm_update(void *, const void *, u_int); 79 static void aes_ccm_final(uint8_t *, void *); 80 81 /* Encryption instances */ 82 const struct enc_xform enc_xform_aes_icm = { 83 .type = CRYPTO_AES_ICM, 84 .name = "AES-ICM", 85 .ctxsize = sizeof(struct aes_icm_ctx), 86 .blocksize = 1, 87 .native_blocksize = AES_BLOCK_LEN, 88 .ivsize = AES_BLOCK_LEN, 89 .minkey = AES_MIN_KEY, 90 .maxkey = AES_MAX_KEY, 91 .setkey = aes_icm_setkey, 92 .reinit = aes_icm_reinit, 93 .encrypt = aes_icm_crypt, 94 .decrypt = aes_icm_crypt, 95 .encrypt_multi = aes_icm_crypt_multi, 96 .decrypt_multi = aes_icm_crypt_multi, 97 .encrypt_last = aes_icm_crypt_last, 98 .decrypt_last = aes_icm_crypt_last, 99 }; 100 101 const struct enc_xform enc_xform_aes_nist_gcm = { 102 .type = CRYPTO_AES_NIST_GCM_16, 103 .name = "AES-GCM", 104 .ctxsize = sizeof(struct aes_gcm_ctx), 105 .blocksize = 1, 106 .native_blocksize = AES_BLOCK_LEN, 107 .ivsize = AES_GCM_IV_LEN, 108 .minkey = AES_MIN_KEY, 109 .maxkey = AES_MAX_KEY, 110 .macsize = AES_GMAC_HASH_LEN, 111 .setkey = aes_gcm_setkey, 112 .reinit = aes_gcm_reinit, 113 .encrypt = aes_icm_crypt, 114 .decrypt = aes_icm_crypt, 115 .encrypt_multi = aes_icm_crypt_multi, 116 .decrypt_multi = aes_icm_crypt_multi, 117 .encrypt_last = aes_icm_crypt_last, 118 .decrypt_last = aes_icm_crypt_last, 119 .update = aes_gcm_update, 120 .final = aes_gcm_final, 121 }; 122 123 const struct enc_xform enc_xform_ccm = { 124 .type = CRYPTO_AES_CCM_16, 125 .name = "AES-CCM", 126 .ctxsize = sizeof(struct aes_ccm_ctx), 127 .blocksize = 1, 128 .native_blocksize = AES_BLOCK_LEN, 129 .ivsize = AES_CCM_IV_LEN, 130 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY, 131 .macsize = AES_CBC_MAC_HASH_LEN, 132 .setkey = aes_ccm_setkey, 133 .reinit = aes_ccm_reinit, 134 .encrypt = aes_icm_crypt, 135 .decrypt = aes_icm_crypt, 136 .encrypt_multi = aes_icm_crypt_multi, 137 .decrypt_multi = aes_icm_crypt_multi, 138 .encrypt_last = aes_icm_crypt_last, 139 .decrypt_last = aes_icm_crypt_last, 140 .update = aes_ccm_update, 141 .final = aes_ccm_final, 142 }; 143 144 /* 145 * Encryption wrapper routines. 146 */ 147 static void 148 aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen) 149 { 150 struct aes_icm_ctx *ctx; 151 152 ctx = key; 153 KASSERT(ivlen <= sizeof(ctx->ac_block), 154 ("%s: ivlen too large", __func__)); 155 bcopy(iv, ctx->ac_block, ivlen); 156 } 157 158 static void 159 aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 160 { 161 struct aes_gcm_ctx *ctx = vctx; 162 163 KASSERT(ivlen == AES_GCM_IV_LEN, 164 ("%s: invalid IV length", __func__)); 165 aes_icm_reinit(&ctx->cipher, iv, ivlen); 166 167 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 168 bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4); 169 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2; 170 171 AES_GMAC_Reinit(&ctx->gmac, iv, ivlen); 172 } 173 174 static void 175 aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 176 { 177 struct aes_ccm_ctx *ctx = vctx; 178 179 KASSERT(ivlen >= 7 && ivlen <= 13, 180 ("%s: invalid IV length", __func__)); 181 182 /* CCM has flags, then the IV, then the counter, which starts at 1 */ 183 bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block)); 184 ctx->cipher.ac_block[0] = (15 - ivlen) - 1; 185 bcopy(iv, ctx->cipher.ac_block + 1, ivlen); 186 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1; 187 188 AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen); 189 } 190 191 static void 192 aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out) 193 { 194 struct aes_icm_ctx *ctx; 195 int i; 196 197 ctx = key; 198 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE); 199 200 /* increment counter */ 201 for (i = AESICM_BLOCKSIZE - 1; 202 i >= 0; i--) 203 if (++ctx->ac_block[i]) /* continue on overflow */ 204 break; 205 } 206 207 static void 208 aes_icm_crypt_multi(void *key, const uint8_t *in, uint8_t *out, size_t len) 209 { 210 struct aes_icm_ctx *ctx = key; 211 uint8_t keystream[AESICM_BLOCKSIZE]; 212 int i; 213 214 KASSERT(len % AESICM_BLOCKSIZE == 0, ("%s: invalid length", __func__)); 215 while (len > 0) { 216 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 217 for (i = 0; i < AESICM_BLOCKSIZE; i++) 218 out[i] = in[i] ^ keystream[i]; 219 220 /* increment counter */ 221 for (i = AESICM_BLOCKSIZE - 1; i >= 0; i--) 222 if (++ctx->ac_block[i]) /* continue on overflow */ 223 break; 224 225 out += AESICM_BLOCKSIZE; 226 in += AESICM_BLOCKSIZE; 227 len -= AESICM_BLOCKSIZE; 228 } 229 explicit_bzero(keystream, sizeof(keystream)); 230 } 231 232 static void 233 aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len) 234 { 235 struct aes_icm_ctx *ctx; 236 uint8_t keystream[AESICM_BLOCKSIZE]; 237 int i; 238 239 ctx = key; 240 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 241 for (i = 0; i < len; i++) 242 out[i] = in[i] ^ keystream[i]; 243 explicit_bzero(keystream, sizeof(keystream)); 244 } 245 246 static int 247 aes_icm_setkey(void *sched, const uint8_t *key, int len) 248 { 249 struct aes_icm_ctx *ctx; 250 251 if (len != 16 && len != 24 && len != 32) 252 return (EINVAL); 253 254 ctx = sched; 255 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8); 256 return (0); 257 } 258 259 static int 260 aes_gcm_setkey(void *vctx, const uint8_t *key, int len) 261 { 262 struct aes_gcm_ctx *ctx = vctx; 263 int error; 264 265 error = aes_icm_setkey(&ctx->cipher, key, len); 266 if (error != 0) 267 return (error); 268 269 AES_GMAC_Setkey(&ctx->gmac, key, len); 270 return (0); 271 } 272 273 static int 274 aes_ccm_setkey(void *vctx, const uint8_t *key, int len) 275 { 276 struct aes_ccm_ctx *ctx = vctx; 277 int error; 278 279 error = aes_icm_setkey(&ctx->cipher, key, len); 280 if (error != 0) 281 return (error); 282 283 AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len); 284 return (0); 285 } 286 287 static int 288 aes_gcm_update(void *vctx, const void *buf, u_int len) 289 { 290 struct aes_gcm_ctx *ctx = vctx; 291 292 return (AES_GMAC_Update(&ctx->gmac, buf, len)); 293 } 294 295 static int 296 aes_ccm_update(void *vctx, const void *buf, u_int len) 297 { 298 struct aes_ccm_ctx *ctx = vctx; 299 300 return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len)); 301 } 302 303 static void 304 aes_gcm_final(uint8_t *tag, void *vctx) 305 { 306 struct aes_gcm_ctx *ctx = vctx; 307 308 AES_GMAC_Final(tag, &ctx->gmac); 309 } 310 311 static void 312 aes_ccm_final(uint8_t *tag, void *vctx) 313 { 314 struct aes_ccm_ctx *ctx = vctx; 315 316 AES_CBC_MAC_Final(tag, &ctx->cbc_mac); 317 } 318