CoCalc -- xform_aes

GitHub Repository: freebsd/freebsd-src
Path: blob/main/sys/opencrypto/xform_aes_icm.c
³⁹⁴⁷⁵ views
1
/*	$OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $	*/
2
/*-
3
 * The authors of this code are John Ioannidis ([email protected]),
4
 * Angelos D. Keromytis ([email protected]),
5
 * Niels Provos ([email protected]) and
6
 * Damien Miller ([email protected]).
7
 *
8
 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9
 * in November 1995.
10
 *
11
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12
 * by Angelos D. Keromytis.
13
 *
14
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15
 * and Niels Provos.
16
 *
17
 * Additional features in 1999 by Angelos D. Keromytis.
18
 *
19
 * AES XTS implementation in 2008 by Damien Miller
20
 *
21
 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22
 * Angelos D. Keromytis and Niels Provos.
23
 *
24
 * Copyright (C) 2001, Angelos D. Keromytis.
25
 *
26
 * Copyright (C) 2008, Damien Miller
27
 * Copyright (c) 2014 The FreeBSD Foundation
28
 * All rights reserved.
29
 *
30
 * Portions of this software were developed by John-Mark Gurney
31
 * under sponsorship of the FreeBSD Foundation and
32
 * Rubicon Communications, LLC (Netgate).
33
 *
34
 * Permission to use, copy, and modify this software with or without fee
35
 * is hereby granted, provided that this entire notice is included in
36
 * all copies of any software which is or includes a copy or
37
 * modification of this software.
38
 * You may use this code under the GNU public license if you so wish. Please
39
 * contribute changes back to the authors under this freer than GPL license
40
 * so that we may further the use of strong encryption without limitations to
41
 * all.
42
 *
43
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
47
 * PURPOSE.
48
 */
49

50
#include <sys/cdefs.h>
51
#include <opencrypto/cbc_mac.h>
52
#include <opencrypto/gmac.h>
53
#include <opencrypto/xform_enc.h>
54

55
struct aes_gcm_ctx {
56
	struct aes_icm_ctx cipher;
57
	struct aes_gmac_ctx gmac;
58
};
59

60
struct aes_ccm_ctx {
61
	struct aes_icm_ctx cipher;
62
	struct aes_cbc_mac_ctx cbc_mac;
63
};
64

65
static	int aes_icm_setkey(void *, const uint8_t *, int);
66
static	void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
67
static	void aes_icm_crypt_multi(void *, const uint8_t *, uint8_t *, size_t);
68
static	void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t);
69
static	void aes_icm_reinit(void *, const uint8_t *, size_t);
70
static	int aes_gcm_setkey(void *, const uint8_t *, int);
71
static	void aes_gcm_reinit(void *, const uint8_t *, size_t);
72
static	int aes_gcm_update(void *, const void *, u_int);
73
static	void aes_gcm_final(uint8_t *, void *);
74
static	int aes_ccm_setkey(void *, const uint8_t *, int);
75
static	void aes_ccm_reinit(void *, const uint8_t *, size_t);
76
static	int aes_ccm_update(void *, const void *, u_int);
77
static	void aes_ccm_final(uint8_t *, void *);
78

79
/* Encryption instances */
80
const struct enc_xform enc_xform_aes_icm = {
81
	.type = CRYPTO_AES_ICM,
82
	.name = "AES-ICM",
83
	.ctxsize = sizeof(struct aes_icm_ctx),
84
	.blocksize = 1,
85
	.native_blocksize = AES_BLOCK_LEN,
86
	.ivsize = AES_BLOCK_LEN,
87
	.minkey = AES_MIN_KEY,
88
	.maxkey = AES_MAX_KEY,
89
	.setkey = aes_icm_setkey,
90
	.reinit = aes_icm_reinit,
91
	.encrypt = aes_icm_crypt,
92
	.decrypt = aes_icm_crypt,
93
	.encrypt_multi = aes_icm_crypt_multi,
94
	.decrypt_multi = aes_icm_crypt_multi,
95
	.encrypt_last = aes_icm_crypt_last,
96
	.decrypt_last = aes_icm_crypt_last,
97
};
98

99
const struct enc_xform enc_xform_aes_nist_gcm = {
100
	.type = CRYPTO_AES_NIST_GCM_16,
101
	.name = "AES-GCM",
102
	.ctxsize = sizeof(struct aes_gcm_ctx),
103
	.blocksize = 1,
104
	.native_blocksize = AES_BLOCK_LEN,
105
	.ivsize = AES_GCM_IV_LEN,
106
	.minkey = AES_MIN_KEY,
107
	.maxkey = AES_MAX_KEY,
108
	.macsize = AES_GMAC_HASH_LEN,
109
	.setkey = aes_gcm_setkey,
110
	.reinit = aes_gcm_reinit,
111
	.encrypt = aes_icm_crypt,
112
	.decrypt = aes_icm_crypt,
113
	.encrypt_multi = aes_icm_crypt_multi,
114
	.decrypt_multi = aes_icm_crypt_multi,
115
	.encrypt_last = aes_icm_crypt_last,
116
	.decrypt_last = aes_icm_crypt_last,
117
	.update = aes_gcm_update,
118
	.final = aes_gcm_final,
119
};
120

121
const struct enc_xform enc_xform_ccm = {
122
	.type = CRYPTO_AES_CCM_16,
123
	.name = "AES-CCM",
124
	.ctxsize = sizeof(struct aes_ccm_ctx),
125
	.blocksize = 1,
126
	.native_blocksize = AES_BLOCK_LEN,
127
	.ivsize = AES_CCM_IV_LEN,
128
	.minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
129
	.macsize = AES_CBC_MAC_HASH_LEN,
130
	.setkey = aes_ccm_setkey,
131
	.reinit = aes_ccm_reinit,
132
	.encrypt = aes_icm_crypt,
133
	.decrypt = aes_icm_crypt,
134
	.encrypt_multi = aes_icm_crypt_multi,
135
	.decrypt_multi = aes_icm_crypt_multi,
136
	.encrypt_last = aes_icm_crypt_last,
137
	.decrypt_last = aes_icm_crypt_last,
138
	.update = aes_ccm_update,
139
	.final = aes_ccm_final,
140
};
141

142
/*
143
 * Encryption wrapper routines.
144
 */
145
static void
146
aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen)
147
{
148
	struct aes_icm_ctx *ctx;
149

150
	ctx = key;
151
	KASSERT(ivlen <= sizeof(ctx->ac_block),
152
	    ("%s: ivlen too large", __func__));
153
	bcopy(iv, ctx->ac_block, ivlen);
154
}
155

156
static void
157
aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
158
{
159
	struct aes_gcm_ctx *ctx = vctx;
160

161
	KASSERT(ivlen == AES_GCM_IV_LEN,
162
	    ("%s: invalid IV length", __func__));
163
	aes_icm_reinit(&ctx->cipher, iv, ivlen);
164

165
	/* GCM starts with 2 as counter 1 is used for final xor of tag. */
166
	bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4);
167
	ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2;
168

169
	AES_GMAC_Reinit(&ctx->gmac, iv, ivlen);
170
}
171

172
static void
173
aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
174
{
175
	struct aes_ccm_ctx *ctx = vctx;
176

177
	KASSERT(ivlen >= 7 && ivlen <= 13,
178
	    ("%s: invalid IV length", __func__));
179

180
	/* CCM has flags, then the IV, then the counter, which starts at 1 */
181
	bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block));
182
	ctx->cipher.ac_block[0] = (15 - ivlen) - 1;
183
	bcopy(iv, ctx->cipher.ac_block + 1, ivlen);
184
	ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1;
185

186
	AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen);
187
}
188

189
static void
190
aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
191
{
192
	struct aes_icm_ctx *ctx;
193
	int i;
194

195
	ctx = key;
196
	aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);
197

198
	/* increment counter */
199
	for (i = AESICM_BLOCKSIZE - 1;
200
	     i >= 0; i--)
201
		if (++ctx->ac_block[i])   /* continue on overflow */
202
			break;
203
}
204

205
static void
206
aes_icm_crypt_multi(void *key, const uint8_t *in, uint8_t *out, size_t len)
207
{
208
	struct aes_icm_ctx *ctx = key;
209
	uint8_t keystream[AESICM_BLOCKSIZE];
210
	int i;
211

212
	KASSERT(len % AESICM_BLOCKSIZE == 0, ("%s: invalid length", __func__));
213
	while (len > 0) {
214
		rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
215
		for (i = 0; i < AESICM_BLOCKSIZE; i++)
216
			out[i] = in[i] ^ keystream[i];
217

218
		/* increment counter */
219
		for (i = AESICM_BLOCKSIZE - 1; i >= 0; i--)
220
			if (++ctx->ac_block[i])   /* continue on overflow */
221
				break;
222

223
		out += AESICM_BLOCKSIZE;
224
		in += AESICM_BLOCKSIZE;
225
		len -= AESICM_BLOCKSIZE;
226
	}
227
	explicit_bzero(keystream, sizeof(keystream));
228
}
229

230
static void
231
aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
232
{
233
	struct aes_icm_ctx *ctx;
234
	uint8_t keystream[AESICM_BLOCKSIZE];
235
	int i;
236

237
	ctx = key;
238
	rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
239
	for (i = 0; i < len; i++)
240
		out[i] = in[i] ^ keystream[i];
241
	explicit_bzero(keystream, sizeof(keystream));
242
}
243

244
static int
245
aes_icm_setkey(void *sched, const uint8_t *key, int len)
246
{
247
	struct aes_icm_ctx *ctx;
248

249
	if (len != 16 && len != 24 && len != 32)
250
		return (EINVAL);
251

252
	ctx = sched;
253
	ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
254
	return (0);
255
}
256

257
static int
258
aes_gcm_setkey(void *vctx, const uint8_t *key, int len)
259
{
260
	struct aes_gcm_ctx *ctx = vctx;
261
	int error;
262

263
	error = aes_icm_setkey(&ctx->cipher, key, len);
264
	if (error != 0)
265
		return (error);
266

267
	AES_GMAC_Setkey(&ctx->gmac, key, len);
268
	return (0);
269
}
270

271
static int
272
aes_ccm_setkey(void *vctx, const uint8_t *key, int len)
273
{
274
	struct aes_ccm_ctx *ctx = vctx;
275
	int error;
276

277
	error = aes_icm_setkey(&ctx->cipher, key, len);
278
	if (error != 0)
279
		return (error);
280

281
	AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len);
282
	return (0);
283
}
284

285
static int
286
aes_gcm_update(void *vctx, const void *buf, u_int len)
287
{
288
	struct aes_gcm_ctx *ctx = vctx;
289

290
	return (AES_GMAC_Update(&ctx->gmac, buf, len));
291
}
292

293
static int
294
aes_ccm_update(void *vctx, const void *buf, u_int len)
295
{
296
	struct aes_ccm_ctx *ctx = vctx;
297

298
	return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len));
299
}
300

301
static void
302
aes_gcm_final(uint8_t *tag, void *vctx)
303
{
304
	struct aes_gcm_ctx *ctx = vctx;
305

306
	AES_GMAC_Final(tag, &ctx->gmac);
307
}
308

309
static void
310
aes_ccm_final(uint8_t *tag, void *vctx)
311
{
312
	struct aes_ccm_ctx *ctx = vctx;
313

314
	AES_CBC_MAC_Final(tag, &ctx->cbc_mac);
315
}
316

317
Product

Resources

Company
