1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Damien Miller (djm@mindrot.org).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * AES XTS implementation in 2008 by Damien Miller
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 *
24 * Copyright (C) 2001, Angelos D. Keromytis.
25 *
26 * Copyright (C) 2008, Damien Miller
27 * Copyright (c) 2014 The FreeBSD Foundation
28 * All rights reserved.
29 *
30 * Portions of this software were developed by John-Mark Gurney
31 * under sponsorship of the FreeBSD Foundation and
32 * Rubicon Communications, LLC (Netgate).
33 *
34 * Permission to use, copy, and modify this software with or without fee
35 * is hereby granted, provided that this entire notice is included in
36 * all copies of any software which is or includes a copy or
37 * modification of this software.
38 * You may use this code under the GNU public license if you so wish. Please
39 * contribute changes back to the authors under this freer than GPL license
40 * so that we may further the use of strong encryption without limitations to
41 * all.
42 *
43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
47 * PURPOSE.
48 */
49
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
52
53 #include <opencrypto/xform_enc.h>
54
55 static int aes_icm_setkey(u_int8_t **, u_int8_t *, int);
56 static void aes_icm_crypt(caddr_t, u_int8_t *);
57 static void aes_icm_zerokey(u_int8_t **);
58 static void aes_icm_reinit(caddr_t, u_int8_t *);
59 static void aes_gcm_reinit(caddr_t, u_int8_t *);
60 static void aes_ccm_reinit(caddr_t, u_int8_t *);
61
62 /* Encryption instances */
63 struct enc_xform enc_xform_aes_icm = {
64 CRYPTO_AES_ICM, "AES-ICM",
65 AES_BLOCK_LEN, AES_BLOCK_LEN, AES_MIN_KEY, AES_MAX_KEY,
66 aes_icm_crypt,
67 aes_icm_crypt,
68 aes_icm_setkey,
69 aes_icm_zerokey,
70 aes_icm_reinit,
71 };
72
73 struct enc_xform enc_xform_aes_nist_gcm = {
74 CRYPTO_AES_NIST_GCM_16, "AES-GCM",
75 AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY,
76 aes_icm_crypt,
77 aes_icm_crypt,
78 aes_icm_setkey,
79 aes_icm_zerokey,
80 aes_gcm_reinit,
81 };
82
83 struct enc_xform enc_xform_ccm = {
84 .type = CRYPTO_AES_CCM_16,
85 .name = "AES-CCM",
86 .blocksize = AES_ICM_BLOCK_LEN, .ivsize = AES_CCM_IV_LEN,
87 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
88 .encrypt = aes_icm_crypt,
89 .decrypt = aes_icm_crypt,
90 .setkey = aes_icm_setkey,
91 .zerokey = aes_icm_zerokey,
92 .reinit = aes_ccm_reinit,
93 };
94
95 /*
96 * Encryption wrapper routines.
97 */
98 static void
99 aes_icm_reinit(caddr_t key, u_int8_t *iv)
100 {
101 struct aes_icm_ctx *ctx;
102
103 ctx = (struct aes_icm_ctx *)key;
104 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE);
105 }
106
107 static void
108 aes_gcm_reinit(caddr_t key, u_int8_t *iv)
109 {
110 struct aes_icm_ctx *ctx;
111
112 aes_icm_reinit(key, iv);
113
114 ctx = (struct aes_icm_ctx *)key;
115 /* GCM starts with 2 as counter 1 is used for final xor of tag. */
116 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4);
117 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2;
118 }
119
120 static void
121 aes_ccm_reinit(caddr_t key, u_int8_t *iv)
122 {
123 struct aes_icm_ctx *ctx;
124
125 ctx = (struct aes_icm_ctx*)key;
126
127 /* CCM has flags, then the IV, then the counter, which starts at 1 */
128 bzero(ctx->ac_block, sizeof(ctx->ac_block));
129 /* 3 bytes for length field; this gives a nonce of 12 bytes */
130 ctx->ac_block[0] = (15 - AES_CCM_IV_LEN) - 1;
131 bcopy(iv, ctx->ac_block+1, AES_CCM_IV_LEN);
132 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 1;
133 }
134
135 static void
136 aes_icm_crypt(caddr_t key, u_int8_t *data)
137 {
138 struct aes_icm_ctx *ctx;
139 u_int8_t keystream[AESICM_BLOCKSIZE];
140 int i;
141
142 ctx = (struct aes_icm_ctx *)key;
143 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
144 for (i = 0; i < AESICM_BLOCKSIZE; i++)
145 data[i] ^= keystream[i];
146 explicit_bzero(keystream, sizeof(keystream));
147
148 /* increment counter */
149 for (i = AESICM_BLOCKSIZE - 1;
150 i >= 0; i--)
151 if (++ctx->ac_block[i]) /* continue on overflow */
152 break;
153 }
154
155 static int
156 aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len)
157 {
158 struct aes_icm_ctx *ctx;
159
160 if (len != 16 && len != 24 && len != 32)
161 return EINVAL;
162
163 *sched = KMALLOC(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA,
164 M_NOWAIT | M_ZERO);
165 if (*sched == NULL)
166 return ENOMEM;
167
168 ctx = (struct aes_icm_ctx *)*sched;
169 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, len * 8);
170 return 0;
171 }
172
173 static void
174 aes_icm_zerokey(u_int8_t **sched)
175 {
176
177 bzero(*sched, sizeof(struct aes_icm_ctx));
178 KFREE(*sched, M_CRYPTO_DATA);
179 *sched = NULL;
180 }
Cache object: f3e4b7a8809aafeda2c2aed51ae06d24
|