src/crypto/aes-siv.c

281681Srpaulo/*
281681Srpaulo * AES SIV (RFC 5297)
281681Srpaulo * Copyright (c) 2013 Cozybit, Inc.
281681Srpaulo *
281681Srpaulo * This software may be distributed under the terms of the BSD license.
281681Srpaulo * See README for more details.
281681Srpaulo */
281681Srpaulo
281681Srpaulo#include "includes.h"
281681Srpaulo
281681Srpaulo#include "common.h"
281681Srpaulo#include "aes.h"
281681Srpaulo#include "aes_wrap.h"
281681Srpaulo#include "aes_siv.h"
281681Srpaulo
281681Srpaulo
281681Srpaulostatic const u8 zero[AES_BLOCK_SIZE];
281681Srpaulo
281681Srpaulo
281681Srpaulostatic void dbl(u8 *pad)
281681Srpaulo{
281681Srpaulo	int i, carry;
281681Srpaulo
281681Srpaulo	carry = pad[0] & 0x80;
281681Srpaulo	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
281681Srpaulo		pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
281681Srpaulo	pad[AES_BLOCK_SIZE - 1] <<= 1;
281681Srpaulo	if (carry)
281681Srpaulo		pad[AES_BLOCK_SIZE - 1] ^= 0x87;
281681Srpaulo}
281681Srpaulo
281681Srpaulo
281681Srpaulostatic void xor(u8 *a, const u8 *b)
281681Srpaulo{
281681Srpaulo	int i;
281681Srpaulo
281681Srpaulo	for (i = 0; i < AES_BLOCK_SIZE; i++)
281681Srpaulo		*a++ ^= *b++;
281681Srpaulo}
281681Srpaulo
281681Srpaulo
281681Srpaulostatic void xorend(u8 *a, int alen, const u8 *b, int blen)
281681Srpaulo{
281681Srpaulo	int i;
281681Srpaulo
281681Srpaulo	if (alen < blen)
281681Srpaulo		return;
281681Srpaulo
281681Srpaulo	for (i = 0; i < blen; i++)
281681Srpaulo		a[alen - blen + i] ^= b[i];
281681Srpaulo}
281681Srpaulo
281681Srpaulo
281681Srpaulostatic void pad_block(u8 *pad, const u8 *addr, size_t len)
281681Srpaulo{
281681Srpaulo	os_memset(pad, 0, AES_BLOCK_SIZE);
281681Srpaulo	os_memcpy(pad, addr, len);
281681Srpaulo
281681Srpaulo	if (len < AES_BLOCK_SIZE)
281681Srpaulo		pad[len] = 0x80;
281681Srpaulo}
281681Srpaulo
281681Srpaulo
281681Srpaulostatic int aes_s2v(const u8 *key, size_t num_elem, const u8 *addr[],
281681Srpaulo		   size_t *len, u8 *mac)
281681Srpaulo{
281681Srpaulo	u8 tmp[AES_BLOCK_SIZE], tmp2[AES_BLOCK_SIZE];
281681Srpaulo	u8 *buf = NULL;
281681Srpaulo	int ret;
281681Srpaulo	size_t i;
281681Srpaulo
281681Srpaulo	if (!num_elem) {
281681Srpaulo		os_memcpy(tmp, zero, sizeof(zero));
281681Srpaulo		tmp[AES_BLOCK_SIZE - 1] = 1;
281681Srpaulo		return omac1_aes_128(key, tmp, sizeof(tmp), mac);
281681Srpaulo	}
281681Srpaulo
281681Srpaulo	ret = omac1_aes_128(key, zero, sizeof(zero), tmp);
281681Srpaulo	if (ret)
281681Srpaulo		return ret;
281681Srpaulo
281681Srpaulo	for (i = 0; i < num_elem - 1; i++) {
281681Srpaulo		ret = omac1_aes_128(key, addr[i], len[i], tmp2);
281681Srpaulo		if (ret)
281681Srpaulo			return ret;
281681Srpaulo
281681Srpaulo		dbl(tmp);
281681Srpaulo		xor(tmp, tmp2);
281681Srpaulo	}
281681Srpaulo	if (len[i] >= AES_BLOCK_SIZE) {
281681Srpaulo		buf = os_malloc(len[i]);
281681Srpaulo		if (!buf)
281681Srpaulo			return -ENOMEM;
281681Srpaulo
281681Srpaulo		os_memcpy(buf, addr[i], len[i]);
281681Srpaulo		xorend(buf, len[i], tmp, AES_BLOCK_SIZE);
281681Srpaulo		ret = omac1_aes_128(key, buf, len[i], mac);
281681Srpaulo		bin_clear_free(buf, len[i]);
281681Srpaulo		return ret;
281681Srpaulo	}
281681Srpaulo
281681Srpaulo	dbl(tmp);
281681Srpaulo	pad_block(tmp2, addr[i], len[i]);
281681Srpaulo	xor(tmp, tmp2);
281681Srpaulo
281681Srpaulo	return omac1_aes_128(key, tmp, sizeof(tmp), mac);
281681Srpaulo}
281681Srpaulo
281681Srpaulo
281681Srpauloint aes_siv_encrypt(const u8 *key, const u8 *pw,
281681Srpaulo		    size_t pwlen, size_t num_elem,
281681Srpaulo		    const u8 *addr[], const size_t *len, u8 *out)
281681Srpaulo{
281681Srpaulo	const u8 *_addr[6];
281681Srpaulo	size_t _len[6];
281681Srpaulo	const u8 *k1 = key, *k2 = key + 16;
281681Srpaulo	u8 v[AES_BLOCK_SIZE];
281681Srpaulo	size_t i;
281681Srpaulo	u8 *iv, *crypt_pw;
281681Srpaulo
281681Srpaulo	if (num_elem > ARRAY_SIZE(_addr) - 1)
281681Srpaulo		return -1;
281681Srpaulo
281681Srpaulo	for (i = 0; i < num_elem; i++) {
281681Srpaulo		_addr[i] = addr[i];
281681Srpaulo		_len[i] = len[i];
281681Srpaulo	}
281681Srpaulo	_addr[num_elem] = pw;
281681Srpaulo	_len[num_elem] = pwlen;
281681Srpaulo
281681Srpaulo	if (aes_s2v(k1, num_elem + 1, _addr, _len, v))
281681Srpaulo		return -1;
281681Srpaulo
281681Srpaulo	iv = out;
281681Srpaulo	crypt_pw = out + AES_BLOCK_SIZE;
281681Srpaulo
281681Srpaulo	os_memcpy(iv, v, AES_BLOCK_SIZE);
281681Srpaulo	os_memcpy(crypt_pw, pw, pwlen);
281681Srpaulo
281681Srpaulo	/* zero out 63rd and 31st bits of ctr (from right) */
281681Srpaulo	v[8] &= 0x7f;
281681Srpaulo	v[12] &= 0x7f;
281681Srpaulo	return aes_128_ctr_encrypt(k2, v, crypt_pw, pwlen);
281681Srpaulo}
281681Srpaulo
281681Srpaulo
281681Srpauloint aes_siv_decrypt(const u8 *key, const u8 *iv_crypt, size_t iv_c_len,
281681Srpaulo		    size_t num_elem, const u8 *addr[], const size_t *len,
281681Srpaulo		    u8 *out)
281681Srpaulo{
281681Srpaulo	const u8 *_addr[6];
281681Srpaulo	size_t _len[6];
281681Srpaulo	const u8 *k1 = key, *k2 = key + 16;
281681Srpaulo	size_t crypt_len;
281681Srpaulo	size_t i;
281681Srpaulo	int ret;
281681Srpaulo	u8 iv[AES_BLOCK_SIZE];
281681Srpaulo	u8 check[AES_BLOCK_SIZE];
281681Srpaulo
281681Srpaulo	if (iv_c_len < AES_BLOCK_SIZE || num_elem > ARRAY_SIZE(_addr) - 1)
281681Srpaulo		return -1;
281681Srpaulo	crypt_len = iv_c_len - AES_BLOCK_SIZE;
281681Srpaulo
281681Srpaulo	for (i = 0; i < num_elem; i++) {
281681Srpaulo		_addr[i] = addr[i];
281681Srpaulo		_len[i] = len[i];
281681Srpaulo	}
281681Srpaulo	_addr[num_elem] = out;
281681Srpaulo	_len[num_elem] = crypt_len;
281681Srpaulo
281681Srpaulo	os_memcpy(iv, iv_crypt, AES_BLOCK_SIZE);
281681Srpaulo	os_memcpy(out, iv_crypt + AES_BLOCK_SIZE, crypt_len);
281681Srpaulo
281681Srpaulo	iv[8] &= 0x7f;
281681Srpaulo	iv[12] &= 0x7f;
281681Srpaulo
281681Srpaulo	ret = aes_128_ctr_encrypt(k2, iv, out, crypt_len);
281681Srpaulo	if (ret)
281681Srpaulo		return ret;
281681Srpaulo
281681Srpaulo	ret = aes_s2v(k1, num_elem + 1, _addr, _len, check);
281681Srpaulo	if (ret)
281681Srpaulo		return ret;
281681Srpaulo	if (os_memcmp(check, iv_crypt, AES_BLOCK_SIZE) == 0)
281681Srpaulo		return 0;
281681Srpaulo
281681Srpaulo	return -1;
281681Srpaulo}