1 /* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr),
5 * Niels Provos (provos@physnet.uni-hamburg.de) and
6 * Damien Miller (djm@mindrot.org).
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * Additional features in 1999 by Angelos D. Keromytis.
19 * AES XTS implementation in 2008 by Damien Miller
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
24 * Copyright (C) 2001, Angelos D. Keromytis.
26 * Copyright (C) 2008, Damien Miller
27 * Copyright (c) 2014 The FreeBSD Foundation
28 * All rights reserved.
30 * Portions of this software were developed by John-Mark Gurney
31 * under sponsorship of the FreeBSD Foundation and
32 * Rubicon Communications, LLC (Netgate).
34 * Permission to use, copy, and modify this software with or without fee
35 * is hereby granted, provided that this entire notice is included in
36 * all copies of any software which is or includes a copy or
37 * modification of this software.
38 * You may use this code under the GNU public license if you so wish. Please
39 * contribute changes back to the authors under this freer than GPL license
40 * so that we may further the use of strong encryption without limitations to
43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
53 #include <opencrypto/cbc_mac.h>
54 #include <opencrypto/gmac.h>
55 #include <opencrypto/xform_enc.h>
58 struct aes_icm_ctx cipher;
59 struct aes_gmac_ctx gmac;
63 struct aes_icm_ctx cipher;
64 struct aes_cbc_mac_ctx cbc_mac;
67 static int aes_icm_setkey(void *, const uint8_t *, int);
68 static void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
69 static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t);
70 static void aes_icm_reinit(void *, const uint8_t *, size_t);
71 static int aes_gcm_setkey(void *, const uint8_t *, int);
72 static void aes_gcm_reinit(void *, const uint8_t *, size_t);
73 static int aes_gcm_update(void *, const void *, u_int);
74 static void aes_gcm_final(uint8_t *, void *);
75 static int aes_ccm_setkey(void *, const uint8_t *, int);
76 static void aes_ccm_reinit(void *, const uint8_t *, size_t);
77 static int aes_ccm_update(void *, const void *, u_int);
78 static void aes_ccm_final(uint8_t *, void *);
80 /* Encryption instances */
81 const struct enc_xform enc_xform_aes_icm = {
82 .type = CRYPTO_AES_ICM,
84 .ctxsize = sizeof(struct aes_icm_ctx),
86 .native_blocksize = AES_BLOCK_LEN,
87 .ivsize = AES_BLOCK_LEN,
88 .minkey = AES_MIN_KEY,
89 .maxkey = AES_MAX_KEY,
90 .encrypt = aes_icm_crypt,
91 .decrypt = aes_icm_crypt,
92 .setkey = aes_icm_setkey,
93 .reinit = aes_icm_reinit,
94 .encrypt_last = aes_icm_crypt_last,
95 .decrypt_last = aes_icm_crypt_last,
98 const struct enc_xform enc_xform_aes_nist_gcm = {
99 .type = CRYPTO_AES_NIST_GCM_16,
101 .ctxsize = sizeof(struct aes_gcm_ctx),
103 .native_blocksize = AES_BLOCK_LEN,
104 .ivsize = AES_GCM_IV_LEN,
105 .minkey = AES_MIN_KEY,
106 .maxkey = AES_MAX_KEY,
107 .macsize = AES_GMAC_HASH_LEN,
108 .encrypt = aes_icm_crypt,
109 .decrypt = aes_icm_crypt,
110 .setkey = aes_gcm_setkey,
111 .reinit = aes_gcm_reinit,
112 .encrypt_last = aes_icm_crypt_last,
113 .decrypt_last = aes_icm_crypt_last,
114 .update = aes_gcm_update,
115 .final = aes_gcm_final,
118 const struct enc_xform enc_xform_ccm = {
119 .type = CRYPTO_AES_CCM_16,
121 .ctxsize = sizeof(struct aes_ccm_ctx),
123 .native_blocksize = AES_BLOCK_LEN,
124 .ivsize = AES_CCM_IV_LEN,
125 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
126 .macsize = AES_CBC_MAC_HASH_LEN,
127 .encrypt = aes_icm_crypt,
128 .decrypt = aes_icm_crypt,
129 .setkey = aes_ccm_setkey,
130 .reinit = aes_ccm_reinit,
131 .encrypt_last = aes_icm_crypt_last,
132 .decrypt_last = aes_icm_crypt_last,
133 .update = aes_ccm_update,
134 .final = aes_ccm_final,
138 * Encryption wrapper routines.
141 aes_icm_reinit(void *key, const uint8_t *iv, size_t ivlen)
143 struct aes_icm_ctx *ctx;
146 KASSERT(ivlen <= sizeof(ctx->ac_block),
147 ("%s: ivlen too large", __func__));
148 bcopy(iv, ctx->ac_block, ivlen);
152 aes_gcm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
154 struct aes_gcm_ctx *ctx = vctx;
156 KASSERT(ivlen == AES_GCM_IV_LEN,
157 ("%s: invalid IV length", __func__));
158 aes_icm_reinit(&ctx->cipher, iv, ivlen);
160 /* GCM starts with 2 as counter 1 is used for final xor of tag. */
161 bzero(&ctx->cipher.ac_block[AESICM_BLOCKSIZE - 4], 4);
162 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 2;
164 AES_GMAC_Reinit(&ctx->gmac, iv, ivlen);
168 aes_ccm_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
170 struct aes_ccm_ctx *ctx = vctx;
172 KASSERT(ivlen >= 7 && ivlen <= 13,
173 ("%s: invalid IV length", __func__));
175 /* CCM has flags, then the IV, then the counter, which starts at 1 */
176 bzero(ctx->cipher.ac_block, sizeof(ctx->cipher.ac_block));
177 ctx->cipher.ac_block[0] = (15 - ivlen) - 1;
178 bcopy(iv, ctx->cipher.ac_block + 1, ivlen);
179 ctx->cipher.ac_block[AESICM_BLOCKSIZE - 1] = 1;
181 AES_CBC_MAC_Reinit(&ctx->cbc_mac, iv, ivlen);
185 aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
187 struct aes_icm_ctx *ctx;
191 aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);
193 /* increment counter */
194 for (i = AESICM_BLOCKSIZE - 1;
196 if (++ctx->ac_block[i]) /* continue on overflow */
201 aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
203 struct aes_icm_ctx *ctx;
204 uint8_t keystream[AESICM_BLOCKSIZE];
208 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
209 for (i = 0; i < len; i++)
210 out[i] = in[i] ^ keystream[i];
211 explicit_bzero(keystream, sizeof(keystream));
215 aes_icm_setkey(void *sched, const uint8_t *key, int len)
217 struct aes_icm_ctx *ctx;
219 if (len != 16 && len != 24 && len != 32)
223 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
228 aes_gcm_setkey(void *vctx, const uint8_t *key, int len)
230 struct aes_gcm_ctx *ctx = vctx;
233 error = aes_icm_setkey(&ctx->cipher, key, len);
237 AES_GMAC_Setkey(&ctx->gmac, key, len);
242 aes_ccm_setkey(void *vctx, const uint8_t *key, int len)
244 struct aes_ccm_ctx *ctx = vctx;
247 error = aes_icm_setkey(&ctx->cipher, key, len);
251 AES_CBC_MAC_Setkey(&ctx->cbc_mac, key, len);
256 aes_gcm_update(void *vctx, const void *buf, u_int len)
258 struct aes_gcm_ctx *ctx = vctx;
260 return (AES_GMAC_Update(&ctx->gmac, buf, len));
264 aes_ccm_update(void *vctx, const void *buf, u_int len)
266 struct aes_ccm_ctx *ctx = vctx;
268 return (AES_CBC_MAC_Update(&ctx->cbc_mac, buf, len));
272 aes_gcm_final(uint8_t *tag, void *vctx)
274 struct aes_gcm_ctx *ctx = vctx;
276 AES_GMAC_Final(tag, &ctx->gmac);
280 aes_ccm_final(uint8_t *tag, void *vctx)
282 struct aes_ccm_ctx *ctx = vctx;
284 AES_CBC_MAC_Final(tag, &ctx->cbc_mac);