sys/opencrypto/xform_aes_icm.c


    1 /*      $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $  */
    2 /*-
    3  * The authors of this code are John Ioannidis (ji@tla.org),
    4  * Angelos D. Keromytis (kermit@csd.uch.gr),
    5  * Niels Provos (provos@physnet.uni-hamburg.de) and
    6  * Damien Miller (djm@mindrot.org).
    7  *
    8  * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
    9  * in November 1995.
   10  *
   11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
   12  * by Angelos D. Keromytis.
   13  *
   14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
   15  * and Niels Provos.
   16  *
   17  * Additional features in 1999 by Angelos D. Keromytis.
   18  *
   19  * AES XTS implementation in 2008 by Damien Miller
   20  *
   21  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
   22  * Angelos D. Keromytis and Niels Provos.
   23  *
   24  * Copyright (C) 2001, Angelos D. Keromytis.
   25  *
   26  * Copyright (C) 2008, Damien Miller
   27  * Copyright (c) 2014 The FreeBSD Foundation
   28  * All rights reserved.
   29  *
   30  * Portions of this software were developed by John-Mark Gurney
   31  * under sponsorship of the FreeBSD Foundation and
   32  * Rubicon Communications, LLC (Netgate).
   33  *
   34  * Permission to use, copy, and modify this software with or without fee
   35  * is hereby granted, provided that this entire notice is included in
   36  * all copies of any software which is or includes a copy or
   37  * modification of this software.
   38  * You may use this code under the GNU public license if you so wish. Please
   39  * contribute changes back to the authors under this freer than GPL license
   40  * so that we may further the use of strong encryption without limitations to
   41  * all.
   42  *
   43  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   44  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   45  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   46  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   47  * PURPOSE.
   48  */
   49 
   50 #include <sys/cdefs.h>
   51 __FBSDID("$FreeBSD$");
   52 
   53 #include <opencrypto/xform_enc.h>
   54 
/*
 * Forward declarations for the callbacks wired into the transform
 * descriptors below.  The first argument of each is the opaque per-session
 * context, which the definitions cast to struct aes_icm_ctx.
 */
static int      aes_icm_setkey(void *sched, const uint8_t *key, int len);
static void     aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out);
static void     aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out,
                    size_t len);
static void     aes_icm_reinit(void *key, const uint8_t *iv);
static void     aes_gcm_reinit(void *key, const uint8_t *iv);
static void     aes_ccm_reinit(void *key, const uint8_t *iv);
   61 
/*
 * Encryption instances.
 *
 * AES-ICM: AES used as a counter-mode keystream generator.  Encryption and
 * decryption are the same XOR with the keystream, so both directions point
 * at the same routines.  blocksize is 1 while native_blocksize is one AES
 * block (presumably so callers may submit any byte length; confirm against
 * the enc_xform consumers).
 *
 * Counter mode gives confidentiality only: it does not detect modification
 * of the ciphertext, and reusing an IV under the same key repeats the
 * keystream.  Callers must supply a unique IV per message and authenticate
 * the data separately.
 */
struct enc_xform enc_xform_aes_icm = {
        /* Identity */
        .type = CRYPTO_AES_ICM,
        .name = "AES-ICM",

        /* Sizes */
        .ctxsize = sizeof(struct aes_icm_ctx),
        .blocksize = 1,
        .native_blocksize = AES_BLOCK_LEN,
        .ivsize = AES_BLOCK_LEN,        /* IV is a whole counter block */

        /* Accepted key lengths */
        .minkey = AES_MIN_KEY,
        .maxkey = AES_MAX_KEY,

        /* Session set-up */
        .setkey = aes_icm_setkey,
        .reinit = aes_icm_reinit,

        /* Data path: one routine serves both directions */
        .encrypt = aes_icm_crypt,
        .decrypt = aes_icm_crypt,
        .encrypt_last = aes_icm_crypt_last,
        .decrypt_last = aes_icm_crypt_last,
};
   79 
/*
 * Cipher side of AES-GCM.  It shares the counter-mode key set-up and data
 * path with AES-ICM; only the IV length and the reinit hook (which lays out
 * the GCM counter block) differ.
 *
 * NOTE(review): no tag computation appears in this file, so the
 * authentication half of GCM is presumably supplied by a separate
 * transform.  Confirm that no caller uses this descriptor on its own and
 * expects authenticated encryption.  As with any counter mode, an IV must
 * never repeat under one key.
 */
struct enc_xform enc_xform_aes_nist_gcm = {
        /* Identity */
        .type = CRYPTO_AES_NIST_GCM_16,
        .name = "AES-GCM",

        /* Sizes */
        .ctxsize = sizeof(struct aes_icm_ctx),
        .blocksize = 1,
        .native_blocksize = AES_BLOCK_LEN,
        .ivsize = AES_GCM_IV_LEN,

        /* Accepted key lengths */
        .minkey = AES_MIN_KEY,
        .maxkey = AES_MAX_KEY,

        /* Session set-up */
        .setkey = aes_icm_setkey,
        .reinit = aes_gcm_reinit,

        /* Data path: one routine serves both directions */
        .encrypt = aes_icm_crypt,
        .decrypt = aes_icm_crypt,
        .encrypt_last = aes_icm_crypt_last,
        .decrypt_last = aes_icm_crypt_last,
};
   96 
/*
 * Cipher side of AES-CCM.  It shares the counter-mode key set-up and data
 * path with AES-ICM; only the IV length and the reinit hook (which builds
 * the CCM counter block from flags, nonce and counter) differ.
 *
 * NOTE(review): the CBC-MAC half of CCM is not in this file and is
 * presumably a separate transform.  Confirm that this descriptor is never
 * used alone where integrity is expected.  A nonce must never repeat
 * under one key.
 */
struct enc_xform enc_xform_ccm = {
        /* Identity */
        .type = CRYPTO_AES_CCM_16,
        .name = "AES-CCM",

        /* Sizes */
        .ctxsize = sizeof(struct aes_icm_ctx),
        .blocksize = 1,
        .native_blocksize = AES_BLOCK_LEN,
        .ivsize = AES_CCM_IV_LEN,

        /* Accepted key lengths */
        .minkey = AES_MIN_KEY,
        .maxkey = AES_MAX_KEY,

        /* Session set-up */
        .setkey = aes_icm_setkey,
        .reinit = aes_ccm_reinit,

        /* Data path: one routine serves both directions */
        .encrypt = aes_icm_crypt,
        .decrypt = aes_icm_crypt,
        .encrypt_last = aes_icm_crypt_last,
        .decrypt_last = aes_icm_crypt_last,
};
  112 
  113 /*
  114  * Encryption wrapper routines.
  115  */
/*
 * Begin a new message by loading the caller's IV as the initial counter
 * block.
 *
 * A full AESICM_BLOCKSIZE bytes are read from iv, so the buffer behind iv
 * must be at least that long.  The IV is used verbatim; keeping it unique
 * per key is the caller's responsibility.
 */
static void
aes_icm_reinit(void *key, const uint8_t *iv)
{
        struct aes_icm_ctx *const ctx = key;

        bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE);
}
  124 
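/*
 * Begin a new GCM message: place the IV in the leading bytes of the counter
 * block and set the trailing 4-byte counter to its starting value.
 *
 * Only the first AESICM_BLOCKSIZE - 4 bytes of iv are read.  Copying a whole
 * block and then overwriting its tail produces the same counter block, but
 * it reads four bytes beyond an IV buffer that is only as long as the IV
 * size advertised for this mode (AES_GCM_IV_LEN).
 * NOTE(review): this assumes AES_GCM_IV_LEN == AESICM_BLOCKSIZE - 4; confirm.
 */
static void
aes_gcm_reinit(void *key, const uint8_t *iv)
{
        struct aes_icm_ctx *ctx;

        ctx = key;
        bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE - 4);

        /* GCM starts with 2 as counter 1 is used for final xor of tag. */
        bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4);
        ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2;
}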
  137 
/*
 * Begin a new CCM message by building the initial counter block:
 *
 *   byte 0                    flags
 *   bytes 1..AES_CCM_IV_LEN   nonce taken from iv
 *   remaining bytes           counter, starting at 1
 *
 * Exactly AES_CCM_IV_LEN bytes are read from iv.
 */
static void
aes_ccm_reinit(void *key, const uint8_t *iv)
{
        struct aes_icm_ctx *const ctx = key;

        /* Clear everything first so the counter bytes start out as zero. */
        bzero(ctx->ac_block, sizeof(ctx->ac_block));

        bcopy(iv, &ctx->ac_block[1], AES_CCM_IV_LEN);

        /*
         * The flags byte encodes the width of the length field minus one;
         * with a 12-byte nonce that field is 3 bytes wide.
         */
        ctx->ac_block[0] = (15 - AES_CCM_IV_LEN) - 1;

        /* Set last so that the counter byte always ends up as 1. */
        ctx->ac_block[AESICM_BLOCKSIZE - 1] = 1;
}
  152 
/*
 * Encrypt or decrypt exactly one full block, then advance the counter.
 *
 * The counter block is treated as one big-endian integer spanning all
 * AESICM_BLOCKSIZE bytes: the last byte is incremented and a carry moves
 * towards byte 0 for as long as a byte wraps to zero.
 *
 * NOTE(review): the carry is not confined to the counter bytes that the GCM
 * and CCM reinit routines initialise, so a long enough message would carry
 * into the nonce part of the block.  The per-message length limits of those
 * modes are presumably enforced by the callers; confirm.
 */
static void
aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
{
        struct aes_icm_ctx *const ctx = key;
        int pos;

        aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);

        /* Ripple-carry increment, least significant byte first. */
        pos = AESICM_BLOCKSIZE;
        while (pos-- > 0) {
                if (++ctx->ac_block[pos] != 0) {
                        /* No wrap in this byte, so the carry stops here. */
                        break;
                }
        }
}
  168 
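/*
 * Encrypt or decrypt up to one block of data without advancing the counter.
 *
 * The current counter block is encrypted to produce one block of keystream,
 * and the first len bytes of it are XORed with in to produce out.
 *
 * len must not exceed AESICM_BLOCKSIZE: the keystream buffer holds a single
 * block and the length is not checked here, so a larger value would read
 * past the end of that buffer.
 */
static void
aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
{
        struct aes_icm_ctx *ctx;
        uint8_t keystream[AESICM_BLOCKSIZE];
        size_t i;       /* same type as len: no signed/unsigned comparison */

        ctx = key;
        rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
        for (i = 0; i < len; i++)
                out[i] = in[i] ^ keystream[i];
        /* Wipe the keystream so that it does not linger on the stack. */
        explicit_bzero(keystream, sizeof(keystream));
}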
  182 
/*
 * Expand an AES key into the encryption schedule kept in the context.
 *
 * len is the key length in bytes; only 16, 24 and 32 are accepted, and
 * anything else yields EINVAL with the context left untouched.  The length
 * is converted to bits for rijndaelKeySetupEnc(), whose return value is
 * stored in ac_nr and later handed to rijndaelEncrypt() (presumably the
 * round count; confirm against the rijndael API).
 *
 * Returns 0 on success.
 */
static int
aes_icm_setkey(void *sched, const uint8_t *key, int len)
{
        struct aes_icm_ctx *ctx = sched;

        switch (len) {
        case 16:
        case 24:
        case 32:
                break;
        default:
                return (EINVAL);
        }

        ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
        return (0);
}
