1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50#include <sys/cdefs.h> 51__FBSDID("$FreeBSD$"); 52 53#include <opencrypto/xform_enc.h> 54 55static int aes_icm_setkey(void *, const uint8_t *, int); 56static void aes_icm_crypt(void *, const uint8_t *, uint8_t *); 57static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t); 58static void aes_icm_reinit(void *, const uint8_t *); 59static void aes_gcm_reinit(void *, const uint8_t *); 60static void aes_ccm_reinit(void *, const uint8_t *); 61 62/* Encryption instances */ 63struct enc_xform enc_xform_aes_icm = { 64 .type = CRYPTO_AES_ICM, 65 .name = "AES-ICM", 66 .ctxsize = sizeof(struct aes_icm_ctx), 67 .blocksize = 1, 68 .native_blocksize = AES_BLOCK_LEN, 69 .ivsize = AES_BLOCK_LEN, 70 .minkey = AES_MIN_KEY, 71 .maxkey = AES_MAX_KEY, 72 .encrypt = aes_icm_crypt, 73 .decrypt = aes_icm_crypt, 74 .setkey = aes_icm_setkey, 75 .reinit = aes_icm_reinit, 76 .encrypt_last = aes_icm_crypt_last, 77 .decrypt_last = aes_icm_crypt_last, 78}; 79 80struct enc_xform enc_xform_aes_nist_gcm = { 81 .type = CRYPTO_AES_NIST_GCM_16, 82 .name = "AES-GCM", 83 .ctxsize = sizeof(struct aes_icm_ctx), 84 .blocksize = 1, 85 .native_blocksize = AES_BLOCK_LEN, 86 .ivsize = AES_GCM_IV_LEN, 87 .minkey = AES_MIN_KEY, 88 .maxkey = AES_MAX_KEY, 89 .encrypt = aes_icm_crypt, 90 .decrypt = aes_icm_crypt, 91 .setkey = aes_icm_setkey, 92 .reinit = aes_gcm_reinit, 93 .encrypt_last = aes_icm_crypt_last, 94 .decrypt_last = aes_icm_crypt_last, 95}; 96 97struct enc_xform enc_xform_ccm = { 98 .type = CRYPTO_AES_CCM_16, 99 .name = "AES-CCM", 100 .ctxsize = sizeof(struct aes_icm_ctx), 101 .blocksize = 1, 102 .native_blocksize = AES_BLOCK_LEN, 103 .ivsize = AES_CCM_IV_LEN, 104 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY, 105 .encrypt = aes_icm_crypt, 106 .decrypt = aes_icm_crypt, 107 .setkey = aes_icm_setkey, 108 .reinit = aes_ccm_reinit, 109 .encrypt_last = aes_icm_crypt_last, 110 .decrypt_last = aes_icm_crypt_last, 111}; 112 113/* 114 * Encryption wrapper routines. 115 */ 116static void 117aes_icm_reinit(void *key, const uint8_t *iv) 118{ 119 struct aes_icm_ctx *ctx; 120 121 ctx = key; 122 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE); 123} 124 125static void 126aes_gcm_reinit(void *key, const uint8_t *iv) 127{ 128 struct aes_icm_ctx *ctx; 129 130 aes_icm_reinit(key, iv); 131 132 ctx = key; 133 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 134 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4); 135 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2; 136} 137 138static void 139aes_ccm_reinit(void *key, const uint8_t *iv) 140{ 141 struct aes_icm_ctx *ctx; 142 143 ctx = key; 144 145 /* CCM has flags, then the IV, then the counter, which starts at 1 */ 146 bzero(ctx->ac_block, sizeof(ctx->ac_block)); 147 /* 3 bytes for length field; this gives a nonce of 12 bytes */ 148 ctx->ac_block[0] = (15 - AES_CCM_IV_LEN) - 1; 149 bcopy(iv, ctx->ac_block+1, AES_CCM_IV_LEN); 150 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 1; 151} 152 153static void 154aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out) 155{ 156 struct aes_icm_ctx *ctx; 157 int i; 158 159 ctx = key; 160 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE); 161 162 /* increment counter */ 163 for (i = AESICM_BLOCKSIZE - 1; 164 i >= 0; i--) 165 if (++ctx->ac_block[i]) /* continue on overflow */ 166 break; 167} 168 169static void 170aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len) 171{ 172 struct aes_icm_ctx *ctx; 173 uint8_t keystream[AESICM_BLOCKSIZE]; 174 int i; 175 176 ctx = key; 177 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 178 for (i = 0; i < len; i++) 179 out[i] = in[i] ^ keystream[i]; 180 explicit_bzero(keystream, sizeof(keystream)); 181} 182 183static int 184aes_icm_setkey(void *sched, const uint8_t *key, int len) 185{ 186 struct aes_icm_ctx *ctx; 187 188 if (len != 16 && len != 24 && len != 32) 189 return (EINVAL); 190 191 ctx = sched; 192 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8); 193 return (0); 194} 195