2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
27 /* see bearssl_block.h */
29 br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx,
30 const void *key, size_t len)
32 ctx->vtable = &br_aes_ct_ctrcbc_vtable;
33 ctx->num_rounds = br_aes_ct_keysched(ctx->skey, key, len);
37 xorbuf(void *dst, const void *src, size_t len)
40 const unsigned char *s;
49 /* see bearssl_block.h */
51 br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx,
52 void *ctr, void *data, size_t len)
56 uint32_t iv0, iv1, iv2, iv3;
59 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
62 * We keep the counter as four 32-bit values, with big-endian
63 * convention, because that's what is expected for purposes of
64 * incrementing the counter value.
67 iv0 = br_dec32be(ivbuf + 0);
68 iv1 = br_dec32be(ivbuf + 4);
69 iv2 = br_dec32be(ivbuf + 8);
70 iv3 = br_dec32be(ivbuf + 12);
75 unsigned char tmp[32];
78 * The bitslice implementation expects values in
79 * little-endian convention, so we have to byteswap them.
81 q[0] = br_swap32(iv0);
82 q[2] = br_swap32(iv1);
83 q[4] = br_swap32(iv2);
84 q[6] = br_swap32(iv3);
86 carry = ~(iv3 | -iv3) >> 31;
88 carry &= -(~(iv2 | -iv2) >> 31);
90 carry &= -(~(iv1 | -iv1) >> 31);
92 q[1] = br_swap32(iv0);
93 q[3] = br_swap32(iv1);
94 q[5] = br_swap32(iv2);
95 q[7] = br_swap32(iv3);
98 carry = ~(iv3 | -iv3) >> 31;
100 carry &= -(~(iv2 | -iv2) >> 31);
102 carry &= -(~(iv1 | -iv1) >> 31);
107 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
110 br_enc32le(tmp, q[0]);
111 br_enc32le(tmp + 4, q[2]);
112 br_enc32le(tmp + 8, q[4]);
113 br_enc32le(tmp + 12, q[6]);
114 br_enc32le(tmp + 16, q[1]);
115 br_enc32le(tmp + 20, q[3]);
116 br_enc32le(tmp + 24, q[5]);
117 br_enc32le(tmp + 28, q[7]);
120 xorbuf(buf, tmp, len);
123 xorbuf(buf, tmp, 32);
127 br_enc32be(ivbuf + 0, iv0);
128 br_enc32be(ivbuf + 4, iv1);
129 br_enc32be(ivbuf + 8, iv2);
130 br_enc32be(ivbuf + 12, iv3);
133 /* see bearssl_block.h */
135 br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx,
136 void *cbcmac, const void *data, size_t len)
138 const unsigned char *buf;
139 uint32_t cm0, cm1, cm2, cm3;
141 uint32_t sk_exp[120];
143 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
146 cm0 = br_dec32le((unsigned char *)cbcmac + 0);
147 cm1 = br_dec32le((unsigned char *)cbcmac + 4);
148 cm2 = br_dec32le((unsigned char *)cbcmac + 8);
149 cm3 = br_dec32le((unsigned char *)cbcmac + 12);
156 q[0] = cm0 ^ br_dec32le(buf + 0);
157 q[2] = cm1 ^ br_dec32le(buf + 4);
158 q[4] = cm2 ^ br_dec32le(buf + 8);
159 q[6] = cm3 ^ br_dec32le(buf + 12);
162 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
173 br_enc32le((unsigned char *)cbcmac + 0, cm0);
174 br_enc32le((unsigned char *)cbcmac + 4, cm1);
175 br_enc32le((unsigned char *)cbcmac + 8, cm2);
176 br_enc32le((unsigned char *)cbcmac + 12, cm3);
179 /* see bearssl_block.h */
181 br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx,
182 void *ctr, void *cbcmac, void *data, size_t len)
185 * When encrypting, the CBC-MAC processing must be lagging by
186 * one block, since it operates on the encrypted values, so
187 * it must wait for that encryption to complete.
191 unsigned char *ivbuf;
192 uint32_t iv0, iv1, iv2, iv3;
193 uint32_t cm0, cm1, cm2, cm3;
194 uint32_t sk_exp[120];
197 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
200 * We keep the counter as four 32-bit values, with big-endian
201 * convention, because that's what is expected for purposes of
202 * incrementing the counter value.
205 iv0 = br_dec32be(ivbuf + 0);
206 iv1 = br_dec32be(ivbuf + 4);
207 iv2 = br_dec32be(ivbuf + 8);
208 iv3 = br_dec32be(ivbuf + 12);
211 * The current CBC-MAC value is kept in little-endian convention.
213 cm0 = br_dec32le((unsigned char *)cbcmac + 0);
214 cm1 = br_dec32le((unsigned char *)cbcmac + 4);
215 cm2 = br_dec32le((unsigned char *)cbcmac + 8);
216 cm3 = br_dec32le((unsigned char *)cbcmac + 12);
221 uint32_t q[8], carry;
224 * The bitslice implementation expects values in
225 * little-endian convention, so we have to byteswap them.
227 q[0] = br_swap32(iv0);
228 q[2] = br_swap32(iv1);
229 q[4] = br_swap32(iv2);
230 q[6] = br_swap32(iv3);
232 carry = ~(iv3 | -iv3) >> 31;
234 carry &= -(~(iv2 | -iv2) >> 31);
236 carry &= -(~(iv1 | -iv1) >> 31);
240 * The odd values are used for CBC-MAC.
248 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
252 * We do the XOR with the plaintext in 32-bit registers,
253 * so that the value are available for CBC-MAC processing
256 q[0] ^= br_dec32le(buf + 0);
257 q[2] ^= br_dec32le(buf + 4);
258 q[4] ^= br_dec32le(buf + 8);
259 q[6] ^= br_dec32le(buf + 12);
260 br_enc32le(buf + 0, q[0]);
261 br_enc32le(buf + 4, q[2]);
262 br_enc32le(buf + 8, q[4]);
263 br_enc32le(buf + 12, q[6]);
269 * We set the cm* values to the block to encrypt in the
286 * If this was the last iteration, then compute the
287 * extra block encryption to complete CBC-MAC.
295 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
305 br_enc32be(ivbuf + 0, iv0);
306 br_enc32be(ivbuf + 4, iv1);
307 br_enc32be(ivbuf + 8, iv2);
308 br_enc32be(ivbuf + 12, iv3);
309 br_enc32le((unsigned char *)cbcmac + 0, cm0);
310 br_enc32le((unsigned char *)cbcmac + 4, cm1);
311 br_enc32le((unsigned char *)cbcmac + 8, cm2);
312 br_enc32le((unsigned char *)cbcmac + 12, cm3);
315 /* see bearssl_block.h */
317 br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx,
318 void *ctr, void *cbcmac, void *data, size_t len)
321 unsigned char *ivbuf;
322 uint32_t iv0, iv1, iv2, iv3;
323 uint32_t cm0, cm1, cm2, cm3;
324 uint32_t sk_exp[120];
326 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
329 * We keep the counter as four 32-bit values, with big-endian
330 * convention, because that's what is expected for purposes of
331 * incrementing the counter value.
334 iv0 = br_dec32be(ivbuf + 0);
335 iv1 = br_dec32be(ivbuf + 4);
336 iv2 = br_dec32be(ivbuf + 8);
337 iv3 = br_dec32be(ivbuf + 12);
340 * The current CBC-MAC value is kept in little-endian convention.
342 cm0 = br_dec32le((unsigned char *)cbcmac + 0);
343 cm1 = br_dec32le((unsigned char *)cbcmac + 4);
344 cm2 = br_dec32le((unsigned char *)cbcmac + 8);
345 cm3 = br_dec32le((unsigned char *)cbcmac + 12);
349 uint32_t q[8], carry;
350 unsigned char tmp[16];
353 * The bitslice implementation expects values in
354 * little-endian convention, so we have to byteswap them.
356 q[0] = br_swap32(iv0);
357 q[2] = br_swap32(iv1);
358 q[4] = br_swap32(iv2);
359 q[6] = br_swap32(iv3);
361 carry = ~(iv3 | -iv3) >> 31;
363 carry &= -(~(iv2 | -iv2) >> 31);
365 carry &= -(~(iv1 | -iv1) >> 31);
369 * The odd values are used for CBC-MAC.
371 q[1] = cm0 ^ br_dec32le(buf + 0);
372 q[3] = cm1 ^ br_dec32le(buf + 4);
373 q[5] = cm2 ^ br_dec32le(buf + 8);
374 q[7] = cm3 ^ br_dec32le(buf + 12);
377 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
380 br_enc32le(tmp + 0, q[0]);
381 br_enc32le(tmp + 4, q[2]);
382 br_enc32le(tmp + 8, q[4]);
383 br_enc32le(tmp + 12, q[6]);
384 xorbuf(buf, tmp, 16);
393 br_enc32be(ivbuf + 0, iv0);
394 br_enc32be(ivbuf + 4, iv1);
395 br_enc32be(ivbuf + 8, iv2);
396 br_enc32be(ivbuf + 12, iv3);
397 br_enc32le((unsigned char *)cbcmac + 0, cm0);
398 br_enc32le((unsigned char *)cbcmac + 4, cm1);
399 br_enc32le((unsigned char *)cbcmac + 8, cm2);
400 br_enc32le((unsigned char *)cbcmac + 12, cm3);
403 /* see bearssl_block.h */
404 const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable = {
405 sizeof(br_aes_ct_ctrcbc_keys),
408 (void (*)(const br_block_ctrcbc_class **, const void *, size_t))
409 &br_aes_ct_ctrcbc_init,
410 (void (*)(const br_block_ctrcbc_class *const *,
411 void *, void *, void *, size_t))
412 &br_aes_ct_ctrcbc_encrypt,
413 (void (*)(const br_block_ctrcbc_class *const *,
414 void *, void *, void *, size_t))
415 &br_aes_ct_ctrcbc_decrypt,
416 (void (*)(const br_block_ctrcbc_class *const *,
417 void *, void *, size_t))
418 &br_aes_ct_ctrcbc_ctr,
419 (void (*)(const br_block_ctrcbc_class *const *,
420 void *, const void *, size_t))
421 &br_aes_ct_ctrcbc_mac