1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50#include <sys/cdefs.h> 51#include <opencrypto/cbc_mac.h> 52#include <opencrypto/gmac.h> 53#include <opencrypto/xform_enc.h> 54 55struct aes_gcm_ctx { 56 struct aes_icm_ctx cipher; 57 struct aes_gmac_ctx gmac; 58}; 59 60struct aes_ccm_ctx { 61 struct aes_icm_ctx cipher; 62 struct aes_cbc_mac_ctx cbc_mac; 63}; 64 65static int aes_icm_setkey(void *, const uint8_t *, int); 66static void aes_icm_crypt(void *, const uint8_t *, uint8_t *); 67static void aes_icm_crypt_multi(void *, const uint8_t *, uint8_t *, size_t); 68static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t); 69static void aes_icm_reinit(void *, const uint8_t *, size_t); 70static int aes_gcm_setkey(void *, const uint8_t *, int); 71static void aes_gcm_reinit(void *, const uint8_t *, size_t); 72static int aes_gcm_update(void *, const void *, u_int); 73static void aes_gcm_final(uint8_t *, void *); 74static int aes_ccm_setkey(void *, const uint8_t *, int); 75static void aes_ccm_reinit(void *, const uint8_t *, size_t); 76static int aes_ccm_update(void *, const void *, u_int); 77static void aes_ccm_final(uint8_t *, void *); 78 79/* Encryption instances */ 80const struct enc_xform enc_xform_aes_icm = { 81 .type = CRYPTO_AES_ICM, 82 .name = "AES-ICM", 83 .ctxsize = sizeof(struct aes_icm_ctx), 84 .blocksize = 1, 85 .native_blocksize = AES_BLOCK_LEN, 86 .ivsize = AES_BLOCK_LEN, 87 .minkey = AES_MIN_KEY, 88 .maxkey = AES_MAX_KEY, 89 .setkey = aes_icm_setkey, 90 .reinit = aes_icm_reinit, 91 .encrypt = aes_icm_crypt, 92 .decrypt = aes_icm_crypt, 93 .encrypt_multi = aes_icm_crypt_multi, 94 .decrypt_multi = aes_icm_crypt_multi, 95 .encrypt_last = aes_icm_crypt_last, 96 .decrypt_last = aes_icm_crypt_last, 97}; 98 99const struct enc_xform enc_xform_aes_nist_gcm = { 100 .type = CRYPTO_AES_NIST_GCM_16, 101 .name = "AES-GCM", 102 .ctxsize = sizeof(struct aes_gcm_ctx), 103 .blocksize = 1, 104 .native_blocksize = AES_BLOCK_LEN, 105 .ivsize = AES_GCM_IV_LEN, 106 .minkey = AES_MIN_KEY, 107 .maxkey = AES_MAX_KEY, 108 .macsize = AES_GMAC_HASH_LEN, 109 .setkey = aes_gcm_setkey, 110 .reinit = aes_gcm_reinit, 111 .encrypt = aes_icm_crypt, 112 .decrypt = aes_icm_crypt, 113 .encrypt_multi = aes_icm_crypt_multi, 114 .decrypt_multi = aes_icm_crypt_multi, 115 .encrypt_last = aes_icm_crypt_last, 116 .decrypt_last = aes_icm_crypt_last, 117 .update = aes_gcm_update, 118 .final = aes_gcm_final, 119}; 120 121const struct enc_xform enc_xform_ccm = { 122 .type = CRYPTO_AES_CCM_16, 123 .name = "AES-CCM", 124 .ctxsize = sizeof(struct aes_ccm_ctx), 125 .blocksize = 1, 126 .native_blocksize = AES_BLOCK_LEN, 127 .ivsize = AES_CCM_IV_LEN, 128 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY, 129 .macsize = AES_CBC_MAC_HASH_LEN, 130 .setkey = aes_ccm_setkey, 131 .reinit = aes_ccm_reinit, 132 .encrypt = aes_icm_crypt, 133 .decrypt = aes_icm_crypt, 134 .encrypt_multi = aes_icm_crypt_multi, 135 .decrypt_multi = aes_icm_crypt_multi, 136 .encrypt_last = aes_icm_crypt_last, 137 .decrypt_last = aes_icm_crypt_last, 138 .update = aes_ccm_update, 139 .final = aes_ccm_final, 140}; 141 142/* 143 * Encryption wrapper routines. 144 */ 145static void 146aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen) 147{ 148 struct aes_icm_ctx *ctx; 149 150 ctx = key; 151 KASSERT(ivlen <= sizeof(ctx->ac_block), 152 ("%s: ivlen too large", __func__)); 153 bcopy(iv, ctx->ac_block, ivlen); 154} 155 156static void 157aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 158{ 159 struct aes_gcm_ctx *ctx = vctx; 160 161 KASSERT(ivlen == AES_GCM_IV_LEN, 162 ("%s: invalid IV length", __func__)); 163 aes_icm_reinit(&ctx->cipher, iv, ivlen); 164 165 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 166 bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4); 167 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2; 168 169 AES_GMAC_Reinit(&ctx->gmac, iv, ivlen); 170} 171 172static void 173aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 174{ 175 struct aes_ccm_ctx *ctx = vctx; 176 177 KASSERT(ivlen >= 7 && ivlen <= 13, 178 ("%s: invalid IV length", __func__)); 179 180 /* CCM has flags, then the IV, then the counter, which starts at 1 */ 181 bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block)); 182 ctx->cipher.ac_block[0] = (15 - ivlen) - 1; 183 bcopy(iv, ctx->cipher.ac_block + 1, ivlen); 184 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1; 185 186 AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen); 187} 188 189static void 190aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out) 191{ 192 struct aes_icm_ctx *ctx; 193 int i; 194 195 ctx = key; 196 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE); 197 198 /* increment counter */ 199 for (i = AESICM_BLOCKSIZE - 1; 200 i >= 0; i--) 201 if (++ctx->ac_block[i]) /* continue on overflow */ 202 break; 203} 204 205static void 206aes_icm_crypt_multi(void *key, const uint8_t *in, uint8_t *out, size_t len) 207{ 208 struct aes_icm_ctx *ctx = key; 209 uint8_t keystream[AESICM_BLOCKSIZE]; 210 int i; 211 212 KASSERT(len % AESICM_BLOCKSIZE == 0, ("%s: invalid length", __func__)); 213 while (len > 0) { 214 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 215 for (i = 0; i < AESICM_BLOCKSIZE; i++) 216 out[i] = in[i] ^ keystream[i]; 217 218 /* increment counter */ 219 for (i = AESICM_BLOCKSIZE - 1; i >= 0; i--) 220 if (++ctx->ac_block[i]) /* continue on overflow */ 221 break; 222 223 out += AESICM_BLOCKSIZE; 224 in += AESICM_BLOCKSIZE; 225 len -= AESICM_BLOCKSIZE; 226 } 227 explicit_bzero(keystream, sizeof(keystream)); 228} 229 230static void 231aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len) 232{ 233 struct aes_icm_ctx *ctx; 234 uint8_t keystream[AESICM_BLOCKSIZE]; 235 int i; 236 237 ctx = key; 238 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 239 for (i = 0; i < len; i++) 240 out[i] = in[i] ^ keystream[i]; 241 explicit_bzero(keystream, sizeof(keystream)); 242} 243 244static int 245aes_icm_setkey(void *sched, const uint8_t *key, int len) 246{ 247 struct aes_icm_ctx *ctx; 248 249 if (len != 16 && len != 24 && len != 32) 250 return (EINVAL); 251 252 ctx = sched; 253 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8); 254 return (0); 255} 256 257static int 258aes_gcm_setkey(void *vctx, const uint8_t *key, int len) 259{ 260 struct aes_gcm_ctx *ctx = vctx; 261 int error; 262 263 error = aes_icm_setkey(&ctx->cipher, key, len); 264 if (error != 0) 265 return (error); 266 267 AES_GMAC_Setkey(&ctx->gmac, key, len); 268 return (0); 269} 270 271static int 272aes_ccm_setkey(void *vctx, const uint8_t *key, int len) 273{ 274 struct aes_ccm_ctx *ctx = vctx; 275 int error; 276 277 error = aes_icm_setkey(&ctx->cipher, key, len); 278 if (error != 0) 279 return (error); 280 281 AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len); 282 return (0); 283} 284 285static int 286aes_gcm_update(void *vctx, const void *buf, u_int len) 287{ 288 struct aes_gcm_ctx *ctx = vctx; 289 290 return (AES_GMAC_Update(&ctx->gmac, buf, len)); 291} 292 293static int 294aes_ccm_update(void *vctx, const void *buf, u_int len) 295{ 296 struct aes_ccm_ctx *ctx = vctx; 297 298 return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len)); 299} 300 301static void 302aes_gcm_final(uint8_t *tag, void *vctx) 303{ 304 struct aes_gcm_ctx *ctx = vctx; 305 306 AES_GMAC_Final(tag, &ctx->gmac); 307} 308 309static void 310aes_ccm_final(uint8_t *tag, void *vctx) 311{ 312 struct aes_ccm_ctx *ctx = vctx; 313 314 AES_CBC_MAC_Final(tag, &ctx->cbc_mac); 315} 316