Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/opencrypto/cbc_mac.c
39475 views
1
/*

2
 * Copyright (c) 2018-2019 iXsystems Inc.  All rights reserved.

3
 *

4
 * Redistribution and use in source and binary forms, with or without

5
 * modification, are permitted provided that the following conditions

6
 * are met:

7
 * 1. Redistributions of source code must retain the above copyright

8
 *    notice, this list of conditions and the following disclaimer.

9
 * 2. Redistributions in binary form must reproduce the above copyright

10
 *    notice, this list of conditions and the following disclaimer in the

11
 *    documentation and/or other materials provided with the distribution.

12
 *

13
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

14
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

15
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

16
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

17
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

18
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

19
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

20
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

21
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

22
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

23
 */

24


25
#include <sys/types.h>

26
#include <sys/systm.h>

27
#include <sys/param.h>

28
#include <sys/endian.h>

29
#include <opencrypto/cbc_mac.h>

30
#include <opencrypto/xform_auth.h>

31


32
/*

33
 * Given two CCM_CBC_BLOCK_LEN blocks, xor

34
 * them into dst, and then encrypt dst.

35
 */

36
static void

37
xor_and_encrypt(struct aes_cbc_mac_ctx *ctx,

38
		const uint8_t *src, uint8_t *dst)

39
{

40
#define	NWORDS	(CCM_CBC_BLOCK_LEN / sizeof(uint64_t))

41
	uint64_t b1[NWORDS], b2[NWORDS], temp[NWORDS];

42


43
	memcpy(b1, src, CCM_CBC_BLOCK_LEN);

44
	memcpy(b2, dst, CCM_CBC_BLOCK_LEN);

45


46
	for (size_t count = 0; count < NWORDS; count++)

47
		temp[count] = b1[count] ^ b2[count];

48
	rijndaelEncrypt(ctx->keysched, ctx->rounds, (void *)temp, dst);

49
#undef NWORDS

50
}

51


52
void

53
AES_CBC_MAC_Init(void *vctx)

54
{

55
	struct aes_cbc_mac_ctx *ctx;

56


57
	ctx = vctx;

58
	bzero(ctx, sizeof(*ctx));

59
}

60


61
void

62
AES_CBC_MAC_Setkey(void *vctx, const uint8_t *key, u_int klen)

63
{

64
	struct aes_cbc_mac_ctx *ctx;

65


66
	ctx = vctx;

67
	ctx->rounds = rijndaelKeySetupEnc(ctx->keysched, key, klen * 8);

68
}

69


70
/*

71
 * This is called to set the nonce, aka IV.

72
 *

73
 * Note that the caller is responsible for constructing b0 as well

74
 * as the length and padding around the AAD and passing that data

75
 * to _Update.

76
 */

77
void

78
AES_CBC_MAC_Reinit(void *vctx, const uint8_t *nonce, u_int nonceLen)

79
{

80
	struct aes_cbc_mac_ctx *ctx = vctx;

81


82
	ctx->nonce = nonce;

83
	ctx->nonceLength = nonceLen;

84


85
	ctx->blockIndex = 0;

86


87
	/* XOR b0 with all 0's on first call to _Update. */

88
	memset(ctx->block, 0, CCM_CBC_BLOCK_LEN);

89
}

90


91
int

92
AES_CBC_MAC_Update(void *vctx, const void *vdata, u_int length)

93
{

94
	struct aes_cbc_mac_ctx *ctx;

95
	const uint8_t *data;

96
	size_t copy_amt;

97
	

98
	ctx = vctx;

99
	data = vdata;

100


101
	/*

102
	 * _Update can be called with non-aligned update lengths.  Use

103
	 * the staging block when necessary.

104
	 */

105
	while (length != 0) {

106
		uint8_t *ptr;

107


108
		/*

109
		 * If there is no partial block and the length is at

110
		 * least a full block, encrypt the full block without

111
		 * copying to the staging block.

112
		 */

113
		if (ctx->blockIndex == 0 && length >= CCM_CBC_BLOCK_LEN) {

114
			xor_and_encrypt(ctx, data, ctx->block);

115
			length -= CCM_CBC_BLOCK_LEN;

116
			data += CCM_CBC_BLOCK_LEN;

117
			continue;

118
		}

119


120
		copy_amt = MIN(sizeof(ctx->staging_block) - ctx->blockIndex,

121
		    length);

122
		ptr = ctx->staging_block + ctx->blockIndex;

123
		bcopy(data, ptr, copy_amt);

124
		data += copy_amt;

125
		ctx->blockIndex += copy_amt;

126
		length -= copy_amt;

127
		if (ctx->blockIndex == sizeof(ctx->staging_block)) {

128
			/* We've got a full block */

129
			xor_and_encrypt(ctx, ctx->staging_block, ctx->block);

130
			ctx->blockIndex = 0;

131
		}

132
	}

133
	return (0);

134
}

135


136
void

137
AES_CBC_MAC_Final(uint8_t *buf, void *vctx)

138
{

139
	struct aes_cbc_mac_ctx *ctx;

140
	uint8_t s0[CCM_CBC_BLOCK_LEN];

141


142
	ctx = vctx;

143


144
	/*

145
	 * We first need to check to see if we've got any data

146
	 * left over to encrypt.

147
	 */

148
	if (ctx->blockIndex != 0) {

149
		memset(ctx->staging_block + ctx->blockIndex, 0,

150
		    CCM_CBC_BLOCK_LEN - ctx->blockIndex);

151
		xor_and_encrypt(ctx, ctx->staging_block, ctx->block);

152
	}

153
	explicit_bzero(ctx->staging_block, sizeof(ctx->staging_block));

154


155
	bzero(s0, sizeof(s0));

156
	s0[0] = (15 - ctx->nonceLength) - 1;

157
	bcopy(ctx->nonce, s0 + 1, ctx->nonceLength);

158
	rijndaelEncrypt(ctx->keysched, ctx->rounds, s0, s0);

159
	for (size_t indx = 0; indx < AES_CBC_MAC_HASH_LEN; indx++)

160
		buf[indx] = ctx->block[indx] ^ s0[indx];

161
	explicit_bzero(s0, sizeof(s0));

162
}

163


164