1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Damien Miller (djm@mindrot.org).
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * Additional features in 1999 by Angelos D. Keromytis.
19 * AES XTS implementation in 2008 by Damien Miller
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
24 * Copyright (C) 2001, Angelos D. Keromytis.
26 * Copyright (C) 2008, Damien Miller
27 * Copyright (c) 2014 The FreeBSD Foundation
28 * All rights reserved.
30 * Portions of this software were developed by John-Mark Gurney
31 * under sponsorship of the FreeBSD Foundation and
32 * Rubicon Communications, LLC (Netgate).
34 * Permission to use, copy, and modify this software with or without fee
35 * is hereby granted, provided that this entire notice is included in
36 * all copies of any software which is or includes a copy or
37 * modification of this software.
38 * You may use this code under the GNU public license if you so wish. Please
39 * contribute changes back to the authors under this freer than GPL license
40 * so that we may further the use of strong encryption without limitations to
43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
53 #include <opencrypto/xform_enc.h>
55 static int aes_icm_setkey(void *, const uint8_t *, int);
56 static void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
57 static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t);
58 static void aes_icm_reinit(void *, const uint8_t *);
59 static void aes_gcm_reinit(void *, const uint8_t *);
60 static void aes_ccm_reinit(void *, const uint8_t *);
62 /* Encryption instances */
63 struct enc_xform enc_xform_aes_icm = {
64 .type = CRYPTO_AES_ICM,
66 .ctxsize = sizeof(struct aes_icm_ctx),
68 .native_blocksize = AES_BLOCK_LEN,
69 .ivsize = AES_BLOCK_LEN,
70 .minkey = AES_MIN_KEY,
71 .maxkey = AES_MAX_KEY,
72 .encrypt = aes_icm_crypt,
73 .decrypt = aes_icm_crypt,
74 .setkey = aes_icm_setkey,
75 .reinit = aes_icm_reinit,
76 .encrypt_last = aes_icm_crypt_last,
77 .decrypt_last = aes_icm_crypt_last,
80 struct enc_xform enc_xform_aes_nist_gcm = {
81 .type = CRYPTO_AES_NIST_GCM_16,
83 .ctxsize = sizeof(struct aes_icm_ctx),
85 .native_blocksize = AES_BLOCK_LEN,
86 .ivsize = AES_GCM_IV_LEN,
87 .minkey = AES_MIN_KEY,
88 .maxkey = AES_MAX_KEY,
89 .encrypt = aes_icm_crypt,
90 .decrypt = aes_icm_crypt,
91 .setkey = aes_icm_setkey,
92 .reinit = aes_gcm_reinit,
93 .encrypt_last = aes_icm_crypt_last,
94 .decrypt_last = aes_icm_crypt_last,
97 struct enc_xform enc_xform_ccm = {
98 .type = CRYPTO_AES_CCM_16,
100 .ctxsize = sizeof(struct aes_icm_ctx),
102 .native_blocksize = AES_BLOCK_LEN,
103 .ivsize = AES_CCM_IV_LEN,
104 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
105 .encrypt = aes_icm_crypt,
106 .decrypt = aes_icm_crypt,
107 .setkey = aes_icm_setkey,
108 .reinit = aes_ccm_reinit,
109 .encrypt_last = aes_icm_crypt_last,
110 .decrypt_last = aes_icm_crypt_last,
114 * Encryption wrapper routines.
117 aes_icm_reinit(void *key, const uint8_t *iv)
119 struct aes_icm_ctx *ctx;
122 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE);
126 aes_gcm_reinit(void *key, const uint8_t *iv)
128 struct aes_icm_ctx *ctx;
130 aes_icm_reinit(key, iv);
133 /* GCM starts with 2 as counter 1 is used for final xor of tag. */
134 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4);
135 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2;
139 aes_ccm_reinit(void *key, const uint8_t *iv)
141 struct aes_icm_ctx *ctx;
145 /* CCM has flags, then the IV, then the counter, which starts at 1 */
146 bzero(ctx->ac_block, sizeof(ctx->ac_block));
147 /* 3 bytes for length field; this gives a nonce of 12 bytes */
148 ctx->ac_block[0] = (15 - AES_CCM_IV_LEN) - 1;
149 bcopy(iv, ctx->ac_block+1, AES_CCM_IV_LEN);
150 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 1;
154 aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
156 struct aes_icm_ctx *ctx;
160 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);
162 /* increment counter */
163 for (i = AESICM_BLOCKSIZE - 1;
165 if (++ctx->ac_block[i]) /* continue on overflow */
170 aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
172 struct aes_icm_ctx *ctx;
173 uint8_t keystream[AESICM_BLOCKSIZE];
177 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
178 for (i = 0; i < len; i++)
179 out[i] = in[i] ^ keystream[i];
180 explicit_bzero(keystream, sizeof(keystream));
184 aes_icm_setkey(void *sched, const uint8_t *key, int len)
186 struct aes_icm_ctx *ctx;
188 if (len != 16 && len != 24 && len != 32)
192 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);