1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * Copyright (c) 2014 The FreeBSD Foundation 28 * All rights reserved. 29 * 30 * Portions of this software were developed by John-Mark Gurney 31 * under sponsorship of the FreeBSD Foundation and 32 * Rubicon Communications, LLC (Netgate). 33 * 34 * Permission to use, copy, and modify this software with or without fee 35 * is hereby granted, provided that this entire notice is included in 36 * all copies of any software which is or includes a copy or 37 * modification of this software. 38 * You may use this code under the GNU public license if you so wish. Please 39 * contribute changes back to the authors under this freer than GPL license 40 * so that we may further the use of strong encryption without limitations to 41 * all. 42 * 43 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 44 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 45 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 46 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 47 * PURPOSE. 48 */ 49 50#include <sys/cdefs.h> 51__FBSDID("$FreeBSD$"); 52 53#include <opencrypto/xform_enc.h> 54 55static int aes_icm_setkey(u_int8_t **, u_int8_t *, int); 56static void aes_icm_crypt(caddr_t, u_int8_t *); 57static void aes_icm_zerokey(u_int8_t **); 58static void aes_icm_reinit(caddr_t, u_int8_t *); 59static void aes_gcm_reinit(caddr_t, u_int8_t *); 60static void aes_ccm_reinit(caddr_t, u_int8_t *); 61 62/* Encryption instances */ 63struct enc_xform enc_xform_aes_icm = { 64 CRYPTO_AES_ICM, "AES-ICM", 65 AES_BLOCK_LEN, AES_BLOCK_LEN, AES_MIN_KEY, AES_MAX_KEY, 66 aes_icm_crypt, 67 aes_icm_crypt, 68 aes_icm_setkey, 69 aes_icm_zerokey, 70 aes_icm_reinit, 71}; 72 73struct enc_xform enc_xform_aes_nist_gcm = { 74 CRYPTO_AES_NIST_GCM_16, "AES-GCM", 75 AES_ICM_BLOCK_LEN, AES_GCM_IV_LEN, AES_MIN_KEY, AES_MAX_KEY, 76 aes_icm_crypt, 77 aes_icm_crypt, 78 aes_icm_setkey, 79 aes_icm_zerokey, 80 aes_gcm_reinit, 81}; 82 83struct enc_xform enc_xform_ccm = { 84 .type = CRYPTO_AES_CCM_16, 85 .name = "AES-CCM", 86 .blocksize = AES_ICM_BLOCK_LEN, .ivsize = AES_CCM_IV_LEN, 87 .minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY, 88 .encrypt = aes_icm_crypt, 89 .decrypt = aes_icm_crypt, 90 .setkey = aes_icm_setkey, 91 .zerokey = aes_icm_zerokey, 92 .reinit = aes_ccm_reinit, 93}; 94 95/* 96 * Encryption wrapper routines. 97 */ 98static void 99aes_icm_reinit(caddr_t key, u_int8_t *iv) 100{ 101 struct aes_icm_ctx *ctx; 102 103 ctx = (struct aes_icm_ctx *)key; 104 bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE); 105} 106 107static void 108aes_gcm_reinit(caddr_t key, u_int8_t *iv) 109{ 110 struct aes_icm_ctx *ctx; 111 112 aes_icm_reinit(key, iv); 113 114 ctx = (struct aes_icm_ctx *)key; 115 /* GCM starts with 2 as counter 1 is used for final xor of tag. */ 116 bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4); 117 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2; 118} 119 120static void 121aes_ccm_reinit(caddr_t key, u_int8_t *iv) 122{ 123 struct aes_icm_ctx *ctx; 124 125 ctx = (struct aes_icm_ctx*)key; 126 127 /* CCM has flags, then the IV, then the counter, which starts at 1 */ 128 bzero(ctx->ac_block, sizeof(ctx->ac_block)); 129 /* 3 bytes for length field; this gives a nonce of 12 bytes */ 130 ctx->ac_block[0] = (15 - AES_CCM_IV_LEN) - 1; 131 bcopy(iv, ctx->ac_block+1, AES_CCM_IV_LEN); 132 ctx->ac_block[AESICM_BLOCKSIZE - 1] = 1; 133} 134 135static void 136aes_icm_crypt(caddr_t key, u_int8_t *data) 137{ 138 struct aes_icm_ctx *ctx; 139 u_int8_t keystream[AESICM_BLOCKSIZE]; 140 int i; 141 142 ctx = (struct aes_icm_ctx *)key; 143 rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream); 144 for (i = 0; i < AESICM_BLOCKSIZE; i++) 145 data[i] ^= keystream[i]; 146 explicit_bzero(keystream, sizeof(keystream)); 147 148 /* increment counter */ 149 for (i = AESICM_BLOCKSIZE - 1; 150 i >= 0; i--) 151 if (++ctx->ac_block[i]) /* continue on overflow */ 152 break; 153} 154 155static int 156aes_icm_setkey(u_int8_t **sched, u_int8_t *key, int len) 157{ 158 struct aes_icm_ctx *ctx; 159 160 if (len != 16 && len != 24 && len != 32) 161 return EINVAL; 162 163 *sched = KMALLOC(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA, 164 M_NOWAIT | M_ZERO); 165 if (*sched == NULL) 166 return ENOMEM; 167 168 ctx = (struct aes_icm_ctx *)*sched; 169 ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (u_char *)key, len * 8); 170 return 0; 171} 172 173static void 174aes_icm_zerokey(u_int8_t **sched) 175{ 176 177 bzero(*sched, sizeof(struct aes_icm_ctx)); 178 KFREE(*sched, M_CRYPTO_DATA); 179 *sched = NULL; 180} 181