1/*	$OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $	*/
2/*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Damien Miller (djm@mindrot.org).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * AES XTS implementation in 2008 by Damien Miller
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 *
24 * Copyright (C) 2001, Angelos D. Keromytis.
25 *
26 * Copyright (C) 2008, Damien Miller
27 * Copyright (c) 2014 The FreeBSD Foundation
28 * All rights reserved.
29 *
30 * Portions of this software were developed by John-Mark Gurney
31 * under sponsorship of the FreeBSD Foundation and
32 * Rubicon Communications, LLC (Netgate).
33 *
34 * Permission to use, copy, and modify this software with or without fee
35 * is hereby granted, provided that this entire notice is included in
36 * all copies of any software which is or includes a copy or
37 * modification of this software.
38 * You may use this code under the GNU public license if you so wish. Please
39 * contribute changes back to the authors under this freer than GPL license
40 * so that we may further the use of strong encryption without limitations to
41 * all.
42 *
43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
47 * PURPOSE.
48 */
49
50#include <sys/types.h>
51#include <crypto/rijndael/rijndael.h>
52#include <opencrypto/xform_enc.h>
53
54struct aes_cbc_ctx {
55	rijndael_ctx key;
56	char iv[AES_BLOCK_LEN];
57};
58
59static	int aes_cbc_setkey(void *, const uint8_t *, int);
60static	void aes_cbc_encrypt(void *, const uint8_t *, uint8_t *);
61static	void aes_cbc_decrypt(void *, const uint8_t *, uint8_t *);
62static	void aes_cbc_encrypt_multi(void *, const uint8_t *, uint8_t *, size_t);
63static	void aes_cbc_decrypt_multi(void *, const uint8_t *, uint8_t *, size_t);
64static  void aes_cbc_reinit(void *, const uint8_t *, size_t);
65
66/* Encryption instances */
67const struct enc_xform enc_xform_aes_cbc = {
68	.type = CRYPTO_AES_CBC,
69	.name = "AES-CBC",
70	.ctxsize = sizeof(struct aes_cbc_ctx),
71	.blocksize = AES_BLOCK_LEN,
72	.ivsize = AES_BLOCK_LEN,
73	.minkey = AES_MIN_KEY,
74	.maxkey = AES_MAX_KEY,
75	.setkey = aes_cbc_setkey,
76	.reinit = aes_cbc_reinit,
77	.encrypt = aes_cbc_encrypt,
78	.decrypt = aes_cbc_decrypt,
79	.encrypt_multi = aes_cbc_encrypt_multi,
80	.decrypt_multi = aes_cbc_decrypt_multi,
81};
82
83/*
84 * Encryption wrapper routines.
85 */
86static void
87aes_cbc_encrypt(void *vctx, const uint8_t *in, uint8_t *out)
88{
89	struct aes_cbc_ctx *ctx = vctx;
90
91	for (u_int i = 0; i < AES_BLOCK_LEN; i++)
92		out[i] = in[i] ^ ctx->iv[i];
93	rijndael_encrypt(&ctx->key, out, out);
94	memcpy(ctx->iv, out, AES_BLOCK_LEN);
95}
96
97static void
98aes_cbc_decrypt(void *vctx, const uint8_t *in, uint8_t *out)
99{
100	struct aes_cbc_ctx *ctx = vctx;
101	char block[AES_BLOCK_LEN];
102
103	memcpy(block, in, AES_BLOCK_LEN);
104	rijndael_decrypt(&ctx->key, in, out);
105	for (u_int i = 0; i < AES_BLOCK_LEN; i++)
106		out[i] ^= ctx->iv[i];
107	memcpy(ctx->iv, block, AES_BLOCK_LEN);
108	explicit_bzero(block, sizeof(block));
109}
110
111static void
112aes_cbc_encrypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
113{
114	struct aes_cbc_ctx *ctx = vctx;
115
116	KASSERT(len % AES_BLOCK_LEN == 0, ("%s: invalid length", __func__));
117	while (len > 0) {
118		for (u_int i = 0; i < AES_BLOCK_LEN; i++)
119			out[i] = in[i] ^ ctx->iv[i];
120		rijndael_encrypt(&ctx->key, out, out);
121		memcpy(ctx->iv, out, AES_BLOCK_LEN);
122		out += AES_BLOCK_LEN;
123		in += AES_BLOCK_LEN;
124		len -= AES_BLOCK_LEN;
125	}
126}
127
128static void
129aes_cbc_decrypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
130{
131	struct aes_cbc_ctx *ctx = vctx;
132	char block[AES_BLOCK_LEN];
133
134	KASSERT(len % AES_BLOCK_LEN == 0, ("%s: invalid length", __func__));
135	while (len > 0) {
136		memcpy(block, in, AES_BLOCK_LEN);
137		rijndael_decrypt(&ctx->key, in, out);
138		for (u_int i = 0; i < AES_BLOCK_LEN; i++)
139			out[i] ^= ctx->iv[i];
140		memcpy(ctx->iv, block, AES_BLOCK_LEN);
141		out += AES_BLOCK_LEN;
142		in += AES_BLOCK_LEN;
143		len -= AES_BLOCK_LEN;
144	}
145	explicit_bzero(block, sizeof(block));
146}
147
148static int
149aes_cbc_setkey(void *vctx, const uint8_t *key, int len)
150{
151	struct aes_cbc_ctx *ctx = vctx;
152
153	if (len != 16 && len != 24 && len != 32)
154		return (EINVAL);
155
156	rijndael_set_key(&ctx->key, key, len * 8);
157	return (0);
158}
159
160static void
161aes_cbc_reinit(void *vctx, const uint8_t *iv, size_t iv_len)
162{
163	struct aes_cbc_ctx *ctx = vctx;
164
165	KASSERT(iv_len == sizeof(ctx->iv), ("%s: bad IV length", __func__));
166	memcpy(ctx->iv, iv, sizeof(ctx->iv));
167}
168