2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
27 /* see bearssl_block.h */
29 br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx,
30 const void *key, size_t len)
32 ctx->vtable = &br_aes_ct64_ctrcbc_vtable;
33 ctx->num_rounds = br_aes_ct64_keysched(ctx->skey, key, len);
37 xorbuf(void *dst, const void *src, size_t len)
40 const unsigned char *s;
49 /* see bearssl_block.h */
51 br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx,
52 void *ctr, void *data, size_t len)
56 uint32_t iv0, iv1, iv2, iv3;
59 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
62 * We keep the counter as four 32-bit values, with big-endian
63 * convention, because that's what is expected for purposes of
64 * incrementing the counter value.
67 iv0 = br_dec32be(ivbuf + 0);
68 iv1 = br_dec32be(ivbuf + 4);
69 iv2 = br_dec32be(ivbuf + 8);
70 iv3 = br_dec32be(ivbuf + 12);
76 unsigned char tmp[64];
80 * The bitslice implementation expects values in
81 * little-endian convention, so we have to byteswap them.
83 j = (len >= 64) ? 16 : (int)(len >> 2);
84 for (i = 0; i < j; i += 4) {
87 w[i + 0] = br_swap32(iv0);
88 w[i + 1] = br_swap32(iv1);
89 w[i + 2] = br_swap32(iv2);
90 w[i + 3] = br_swap32(iv3);
92 carry = ~(iv3 | -iv3) >> 31;
94 carry &= -(~(iv2 | -iv2) >> 31);
96 carry &= -(~(iv1 | -iv1) >> 31);
99 memset(w + i, 0, (16 - i) * sizeof(uint32_t));
101 for (i = 0; i < 4; i ++) {
102 br_aes_ct64_interleave_in(
103 &q[i], &q[i + 4], w + (i << 2));
105 br_aes_ct64_ortho(q);
106 br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
107 br_aes_ct64_ortho(q);
108 for (i = 0; i < 4; i ++) {
109 br_aes_ct64_interleave_out(
110 w + (i << 2), q[i], q[i + 4]);
113 br_range_enc32le(tmp, w, 16);
115 xorbuf(buf, tmp, len);
118 xorbuf(buf, tmp, 64);
122 br_enc32be(ivbuf + 0, iv0);
123 br_enc32be(ivbuf + 4, iv1);
124 br_enc32be(ivbuf + 8, iv2);
125 br_enc32be(ivbuf + 12, iv3);
128 /* see bearssl_block.h */
130 br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx,
131 void *cbcmac, const void *data, size_t len)
133 const unsigned char *buf;
134 uint32_t cm0, cm1, cm2, cm3;
136 uint64_t sk_exp[120];
138 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
140 cm0 = br_dec32le((unsigned char *)cbcmac + 0);
141 cm1 = br_dec32le((unsigned char *)cbcmac + 4);
142 cm2 = br_dec32le((unsigned char *)cbcmac + 8);
143 cm3 = br_dec32le((unsigned char *)cbcmac + 12);
146 memset(q, 0, sizeof q);
150 w[0] = cm0 ^ br_dec32le(buf + 0);
151 w[1] = cm1 ^ br_dec32le(buf + 4);
152 w[2] = cm2 ^ br_dec32le(buf + 8);
153 w[3] = cm3 ^ br_dec32le(buf + 12);
155 br_aes_ct64_interleave_in(&q[0], &q[4], w);
156 br_aes_ct64_ortho(q);
157 br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
158 br_aes_ct64_ortho(q);
159 br_aes_ct64_interleave_out(w, q[0], q[4]);
169 br_enc32le((unsigned char *)cbcmac + 0, cm0);
170 br_enc32le((unsigned char *)cbcmac + 4, cm1);
171 br_enc32le((unsigned char *)cbcmac + 8, cm2);
172 br_enc32le((unsigned char *)cbcmac + 12, cm3);
175 /* see bearssl_block.h */
177 br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx,
178 void *ctr, void *cbcmac, void *data, size_t len)
181 * When encrypting, the CBC-MAC processing must be lagging by
182 * one block, since it operates on the encrypted values, so
183 * it must wait for that encryption to complete.
187 unsigned char *ivbuf;
188 uint32_t iv0, iv1, iv2, iv3;
189 uint32_t cm0, cm1, cm2, cm3;
190 uint64_t sk_exp[120];
194 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
197 * We keep the counter as four 32-bit values, with big-endian
198 * convention, because that's what is expected for purposes of
199 * incrementing the counter value.
202 iv0 = br_dec32be(ivbuf + 0);
203 iv1 = br_dec32be(ivbuf + 4);
204 iv2 = br_dec32be(ivbuf + 8);
205 iv3 = br_dec32be(ivbuf + 12);
208 * The current CBC-MAC value is kept in little-endian convention.
210 cm0 = br_dec32le((unsigned char *)cbcmac + 0);
211 cm1 = br_dec32le((unsigned char *)cbcmac + 4);
212 cm2 = br_dec32le((unsigned char *)cbcmac + 8);
213 cm3 = br_dec32le((unsigned char *)cbcmac + 12);
217 memset(q, 0, sizeof q);
219 uint32_t w[8], carry;
222 * The bitslice implementation expects values in
223 * little-endian convention, so we have to byteswap them.
225 w[0] = br_swap32(iv0);
226 w[1] = br_swap32(iv1);
227 w[2] = br_swap32(iv2);
228 w[3] = br_swap32(iv3);
230 carry = ~(iv3 | -iv3) >> 31;
232 carry &= -(~(iv2 | -iv2) >> 31);
234 carry &= -(~(iv1 | -iv1) >> 31);
238 * The block for CBC-MAC.
245 br_aes_ct64_interleave_in(&q[0], &q[4], w);
246 br_aes_ct64_interleave_in(&q[1], &q[5], w + 4);
247 br_aes_ct64_ortho(q);
248 br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
249 br_aes_ct64_ortho(q);
250 br_aes_ct64_interleave_out(w, q[0], q[4]);
251 br_aes_ct64_interleave_out(w + 4, q[1], q[5]);
254 * We do the XOR with the plaintext in 32-bit registers,
255 * so that the value are available for CBC-MAC processing
258 w[0] ^= br_dec32le(buf + 0);
259 w[1] ^= br_dec32le(buf + 4);
260 w[2] ^= br_dec32le(buf + 8);
261 w[3] ^= br_dec32le(buf + 12);
262 br_enc32le(buf + 0, w[0]);
263 br_enc32le(buf + 4, w[1]);
264 br_enc32le(buf + 8, w[2]);
265 br_enc32le(buf + 12, w[3]);
271 * We set the cm* values to the block to encrypt in the
288 * If this was the last iteration, then compute the
289 * extra block encryption to complete CBC-MAC.
296 br_aes_ct64_interleave_in(&q[0], &q[4], w);
297 br_aes_ct64_ortho(q);
298 br_aes_ct64_bitslice_encrypt(
299 ctx->num_rounds, sk_exp, q);
300 br_aes_ct64_ortho(q);
301 br_aes_ct64_interleave_out(w, q[0], q[4]);
310 br_enc32be(ivbuf + 0, iv0);
311 br_enc32be(ivbuf + 4, iv1);
312 br_enc32be(ivbuf + 8, iv2);
313 br_enc32be(ivbuf + 12, iv3);
314 br_enc32le((unsigned char *)cbcmac + 0, cm0);
315 br_enc32le((unsigned char *)cbcmac + 4, cm1);
316 br_enc32le((unsigned char *)cbcmac + 8, cm2);
317 br_enc32le((unsigned char *)cbcmac + 12, cm3);
320 /* see bearssl_block.h */
322 br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx,
323 void *ctr, void *cbcmac, void *data, size_t len)
326 unsigned char *ivbuf;
327 uint32_t iv0, iv1, iv2, iv3;
328 uint32_t cm0, cm1, cm2, cm3;
329 uint64_t sk_exp[120];
332 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
335 * We keep the counter as four 32-bit values, with big-endian
336 * convention, because that's what is expected for purposes of
337 * incrementing the counter value.
340 iv0 = br_dec32be(ivbuf + 0);
341 iv1 = br_dec32be(ivbuf + 4);
342 iv2 = br_dec32be(ivbuf + 8);
343 iv3 = br_dec32be(ivbuf + 12);
346 * The current CBC-MAC value is kept in little-endian convention.
348 cm0 = br_dec32le((unsigned char *)cbcmac + 0);
349 cm1 = br_dec32le((unsigned char *)cbcmac + 4);
350 cm2 = br_dec32le((unsigned char *)cbcmac + 8);
351 cm3 = br_dec32le((unsigned char *)cbcmac + 12);
354 memset(q, 0, sizeof q);
356 uint32_t w[8], carry;
357 unsigned char tmp[16];
360 * The bitslice implementation expects values in
361 * little-endian convention, so we have to byteswap them.
363 w[0] = br_swap32(iv0);
364 w[1] = br_swap32(iv1);
365 w[2] = br_swap32(iv2);
366 w[3] = br_swap32(iv3);
368 carry = ~(iv3 | -iv3) >> 31;
370 carry &= -(~(iv2 | -iv2) >> 31);
372 carry &= -(~(iv1 | -iv1) >> 31);
376 * The block for CBC-MAC.
378 w[4] = cm0 ^ br_dec32le(buf + 0);
379 w[5] = cm1 ^ br_dec32le(buf + 4);
380 w[6] = cm2 ^ br_dec32le(buf + 8);
381 w[7] = cm3 ^ br_dec32le(buf + 12);
383 br_aes_ct64_interleave_in(&q[0], &q[4], w);
384 br_aes_ct64_interleave_in(&q[1], &q[5], w + 4);
385 br_aes_ct64_ortho(q);
386 br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
387 br_aes_ct64_ortho(q);
388 br_aes_ct64_interleave_out(w, q[0], q[4]);
389 br_aes_ct64_interleave_out(w + 4, q[1], q[5]);
391 br_enc32le(tmp + 0, w[0]);
392 br_enc32le(tmp + 4, w[1]);
393 br_enc32le(tmp + 8, w[2]);
394 br_enc32le(tmp + 12, w[3]);
395 xorbuf(buf, tmp, 16);
404 br_enc32be(ivbuf + 0, iv0);
405 br_enc32be(ivbuf + 4, iv1);
406 br_enc32be(ivbuf + 8, iv2);
407 br_enc32be(ivbuf + 12, iv3);
408 br_enc32le((unsigned char *)cbcmac + 0, cm0);
409 br_enc32le((unsigned char *)cbcmac + 4, cm1);
410 br_enc32le((unsigned char *)cbcmac + 8, cm2);
411 br_enc32le((unsigned char *)cbcmac + 12, cm3);
414 /* see bearssl_block.h */
415 const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable = {
416 sizeof(br_aes_ct64_ctrcbc_keys),
419 (void (*)(const br_block_ctrcbc_class **, const void *, size_t))
420 &br_aes_ct64_ctrcbc_init,
421 (void (*)(const br_block_ctrcbc_class *const *,
422 void *, void *, void *, size_t))
423 &br_aes_ct64_ctrcbc_encrypt,
424 (void (*)(const br_block_ctrcbc_class *const *,
425 void *, void *, void *, size_t))
426 &br_aes_ct64_ctrcbc_decrypt,
427 (void (*)(const br_block_ctrcbc_class *const *,
428 void *, void *, size_t))
429 &br_aes_ct64_ctrcbc_ctr,
430 (void (*)(const br_block_ctrcbc_class *const *,
431 void *, const void *, size_t))
432 &br_aes_ct64_ctrcbc_mac