1/* 2 * Copyright (c) 2018-2019 iXsystems Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25#include <sys/cdefs.h> 26__FBSDID("$FreeBSD$"); 27 28#include <sys/types.h> 29#include <sys/systm.h> 30#include <sys/param.h> 31#include <sys/endian.h> 32#include <opencrypto/cbc_mac.h> 33#include <opencrypto/xform_auth.h> 34 35/* 36 * Given two CCM_CBC_BLOCK_LEN blocks, xor 37 * them into dst, and then encrypt dst. 38 */ 39static void 40xor_and_encrypt(struct aes_cbc_mac_ctx *ctx, 41 const uint8_t *src, uint8_t *dst) 42{ 43 const uint64_t *b1; 44 uint64_t *b2; 45 uint64_t temp_block[CCM_CBC_BLOCK_LEN/sizeof(uint64_t)]; 46 47 b1 = (const uint64_t*)src; 48 b2 = (uint64_t*)dst; 49 50 for (size_t count = 0; 51 count < CCM_CBC_BLOCK_LEN/sizeof(uint64_t); 52 count++) { 53 temp_block[count] = b1[count] ^ b2[count]; 54 } 55 rijndaelEncrypt(ctx->keysched, ctx->rounds, (void*)temp_block, dst); 56} 57 58void 59AES_CBC_MAC_Init(void *vctx) 60{ 61 struct aes_cbc_mac_ctx *ctx; 62 63 ctx = vctx; 64 bzero(ctx, sizeof(*ctx)); 65} 66 67void 68AES_CBC_MAC_Setkey(void *vctx, const uint8_t *key, u_int klen) 69{ 70 struct aes_cbc_mac_ctx *ctx; 71 72 ctx = vctx; 73 ctx->rounds = rijndaelKeySetupEnc(ctx->keysched, key, klen * 8); 74} 75 76/* 77 * This is called to set the nonce, aka IV. 78 * Before this call, the authDataLength and cryptDataLength fields 79 * MUST have been set. Sadly, there's no way to return an error. 80 * 81 * The CBC-MAC algorithm requires that the first block contain the 82 * nonce, as well as information about the sizes and lengths involved. 83 */ 84void 85AES_CBC_MAC_Reinit(void *vctx, const uint8_t *nonce, u_int nonceLen) 86{ 87 struct aes_cbc_mac_ctx *ctx = vctx; 88 uint8_t b0[CCM_CBC_BLOCK_LEN]; 89 uint8_t *bp = b0, flags = 0; 90 uint8_t L = 0; 91 uint64_t dataLength = ctx->cryptDataLength; 92 93 KASSERT(nonceLen >= 7 && nonceLen <= 13, 94 ("nonceLen must be between 7 and 13 bytes")); 95 96 ctx->nonce = nonce; 97 ctx->nonceLength = nonceLen; 98 99 ctx->authDataCount = 0; 100 ctx->blockIndex = 0; 101 explicit_bzero(ctx->staging_block, sizeof(ctx->staging_block)); 102 103 /* 104 * Need to determine the L field value. This is the number of 105 * bytes needed to specify the length of the message; the length 106 * is whatever is left in the 16 bytes after specifying flags and 107 * the nonce. 108 */ 109 L = 15 - nonceLen; 110 111 flags = ((ctx->authDataLength > 0) << 6) + 112 (((AES_CBC_MAC_HASH_LEN - 2) / 2) << 3) + 113 L - 1; 114 /* 115 * Now we need to set up the first block, which has flags, nonce, 116 * and the message length. 117 */ 118 b0[0] = flags; 119 bcopy(nonce, b0 + 1, nonceLen); 120 bp = b0 + 1 + nonceLen; 121 122 /* Need to copy L' [aka L-1] bytes of cryptDataLength */ 123 for (uint8_t *dst = b0 + sizeof(b0) - 1; dst >= bp; dst--) { 124 *dst = dataLength; 125 dataLength >>= 8; 126 } 127 /* Now need to encrypt b0 */ 128 rijndaelEncrypt(ctx->keysched, ctx->rounds, b0, ctx->block); 129 /* If there is auth data, we need to set up the staging block */ 130 if (ctx->authDataLength) { 131 size_t addLength; 132 if (ctx->authDataLength < ((1<<16) - (1<<8))) { 133 uint16_t sizeVal = htobe16(ctx->authDataLength); 134 bcopy(&sizeVal, ctx->staging_block, sizeof(sizeVal)); 135 addLength = sizeof(sizeVal); 136 } else if (ctx->authDataLength < (1ULL<<32)) { 137 uint32_t sizeVal = htobe32(ctx->authDataLength); 138 ctx->staging_block[0] = 0xff; 139 ctx->staging_block[1] = 0xfe; 140 bcopy(&sizeVal, ctx->staging_block+2, sizeof(sizeVal)); 141 addLength = 2 + sizeof(sizeVal); 142 } else { 143 uint64_t sizeVal = htobe64(ctx->authDataLength); 144 ctx->staging_block[0] = 0xff; 145 ctx->staging_block[1] = 0xff; 146 bcopy(&sizeVal, ctx->staging_block+2, sizeof(sizeVal)); 147 addLength = 2 + sizeof(sizeVal); 148 } 149 ctx->blockIndex = addLength; 150 /* 151 * The length descriptor goes into the AAD buffer, so we 152 * need to account for it. 153 */ 154 ctx->authDataLength += addLength; 155 ctx->authDataCount = addLength; 156 } 157} 158 159int 160AES_CBC_MAC_Update(void *vctx, const void *vdata, u_int length) 161{ 162 struct aes_cbc_mac_ctx *ctx; 163 const uint8_t *data; 164 size_t copy_amt; 165 166 ctx = vctx; 167 data = vdata; 168 169 /* 170 * This will be called in one of two phases: 171 * (1) Applying authentication data, or 172 * (2) Applying the payload data. 173 * 174 * Because CBC-MAC puts the authentication data size before the 175 * data, subsequent calls won't be block-size-aligned. Which 176 * complicates things a fair bit. 177 * 178 * The payload data doesn't have that problem. 179 */ 180 181 if (ctx->authDataCount < ctx->authDataLength) { 182 /* 183 * We need to process data as authentication data. 184 * Since we may be out of sync, we may also need 185 * to pad out the staging block. 186 */ 187 const uint8_t *ptr = data; 188 while (length > 0) { 189 190 copy_amt = MIN(length, 191 sizeof(ctx->staging_block) - ctx->blockIndex); 192 193 bcopy(ptr, ctx->staging_block + ctx->blockIndex, 194 copy_amt); 195 ptr += copy_amt; 196 length -= copy_amt; 197 ctx->authDataCount += copy_amt; 198 ctx->blockIndex += copy_amt; 199 ctx->blockIndex %= sizeof(ctx->staging_block); 200 201 if (ctx->blockIndex == 0 || 202 ctx->authDataCount == ctx->authDataLength) { 203 /* 204 * We're done with this block, so we 205 * xor staging_block with block, and then 206 * encrypt it. 207 */ 208 xor_and_encrypt(ctx, ctx->staging_block, ctx->block); 209 bzero(ctx->staging_block, sizeof(ctx->staging_block)); 210 ctx->blockIndex = 0; 211 if (ctx->authDataCount >= ctx->authDataLength) 212 break; 213 } 214 } 215 /* 216 * We'd like to be able to check length == 0 and return 217 * here, but the way OCF calls us, length is always 218 * blksize (16, in this case). So we have to count on 219 * the fact that OCF calls us separately for the AAD and 220 * for the real data. 221 */ 222 return (0); 223 } 224 /* 225 * If we're here, then we're encoding payload data. 226 * This is marginally easier, except that _Update can 227 * be called with non-aligned update lengths. As a result, 228 * we still need to use the staging block. 229 */ 230 KASSERT((length + ctx->cryptDataCount) <= ctx->cryptDataLength, 231 ("More encryption data than allowed")); 232 233 while (length) { 234 uint8_t *ptr; 235 236 copy_amt = MIN(sizeof(ctx->staging_block) - ctx->blockIndex, 237 length); 238 ptr = ctx->staging_block + ctx->blockIndex; 239 bcopy(data, ptr, copy_amt); 240 data += copy_amt; 241 ctx->blockIndex += copy_amt; 242 ctx->cryptDataCount += copy_amt; 243 length -= copy_amt; 244 if (ctx->blockIndex == sizeof(ctx->staging_block)) { 245 /* We've got a full block */ 246 xor_and_encrypt(ctx, ctx->staging_block, ctx->block); 247 ctx->blockIndex = 0; 248 bzero(ctx->staging_block, sizeof(ctx->staging_block)); 249 } 250 } 251 return (0); 252} 253 254void 255AES_CBC_MAC_Final(uint8_t *buf, void *vctx) 256{ 257 struct aes_cbc_mac_ctx *ctx; 258 uint8_t s0[CCM_CBC_BLOCK_LEN]; 259 260 ctx = vctx; 261 262 /* 263 * We first need to check to see if we've got any data 264 * left over to encrypt. 265 */ 266 if (ctx->blockIndex != 0) { 267 xor_and_encrypt(ctx, ctx->staging_block, ctx->block); 268 ctx->cryptDataCount += ctx->blockIndex; 269 ctx->blockIndex = 0; 270 explicit_bzero(ctx->staging_block, sizeof(ctx->staging_block)); 271 } 272 bzero(s0, sizeof(s0)); 273 s0[0] = (15 - ctx->nonceLength) - 1; 274 bcopy(ctx->nonce, s0 + 1, ctx->nonceLength); 275 rijndaelEncrypt(ctx->keysched, ctx->rounds, s0, s0); 276 for (size_t indx = 0; indx < AES_CBC_MAC_HASH_LEN; indx++) 277 buf[indx] = ctx->block[indx] ^ s0[indx]; 278 explicit_bzero(s0, sizeof(s0)); 279} 280