1/* $NetBSD: gmac.c,v 1.2 2011/06/08 10:14:16 drochner Exp $ */
2/* OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp */
3
4/*
5 * Copyright (c) 2010 Mike Belopuhov <mike@vantronix.net>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20/*
21 * This code implements the Message Authentication part of the
22 * Galois/Counter Mode (as being described in the RFC 4543) using
23 * the AES cipher.  FIPS SP 800-38D describes the algorithm details.
24 */
25
26#include <sys/param.h>
27#include <sys/systm.h>
28
29#include <crypto/rijndael/rijndael.h>
30#include <opencrypto/gmac.h>
31
32void	ghash_gfmul(const GMAC_INT *, const GMAC_INT *, GMAC_INT *);
33void	ghash_update(GHASH_CTX *, const uint8_t *, size_t);
34
35/* Computes a block multiplication in the GF(2^128) */
36void
37ghash_gfmul(const GMAC_INT *X, const GMAC_INT *Y, GMAC_INT *product)
38{
39	GMAC_INT	v[GMAC_BLOCK_LEN/GMAC_INTLEN];
40	uint32_t	mul;
41	int		i;
42
43	memcpy(v, Y, GMAC_BLOCK_LEN);
44	memset(product, 0, GMAC_BLOCK_LEN);
45
46	for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) {
47		/* update Z */
48#if GMAC_INTLEN == 8
49		if (X[i >> 6] & (1ULL << (~i & 63))) {
50			product[0] ^= v[0];
51			product[1] ^= v[1];
52		} /* else: we preserve old values */
53#else
54		if (X[i >> 5] & (1 << (~i & 31))) {
55			product[0] ^= v[0];
56			product[1] ^= v[1];
57			product[2] ^= v[2];
58			product[3] ^= v[3];
59		} /* else: we preserve old values */
60#endif
61		/* update V */
62#if GMAC_INTLEN == 8
63		mul = v[1] & 1;
64		v[1] = (v[0] << 63) | (v[1] >> 1);
65		v[0] = (v[0] >> 1) ^ (0xe100000000000000ULL * mul);
66#else
67		mul = v[3] & 1;
68		v[3] = (v[2] << 31) | (v[3] >> 1);
69		v[2] = (v[1] << 31) | (v[2] >> 1);
70		v[1] = (v[0] << 31) | (v[1] >> 1);
71		v[0] = (v[0] >> 1) ^ (0xe1000000 * mul);
72#endif
73	}
74}
75
76void
77ghash_update(GHASH_CTX *ctx, const uint8_t *X, size_t len)
78{
79	GMAC_INT x;
80	GMAC_INT *s = ctx->S;
81	GMAC_INT *y = ctx->Z;
82	int i, j, k;
83
84	for (i = 0; i < len / GMAC_BLOCK_LEN; i++) {
85		for (j = 0; j < GMAC_BLOCK_LEN/GMAC_INTLEN; j++) {
86			x = 0;
87			for (k = 0; k < GMAC_INTLEN; k++) {
88				x <<= 8;
89				x |= X[k];
90			}
91			s[j] = y[j] ^ x;
92			X += GMAC_INTLEN;
93		}
94
95		ghash_gfmul(ctx->H, ctx->S, ctx->S);
96
97		y = s;
98	}
99
100	memcpy(ctx->Z, ctx->S, GMAC_BLOCK_LEN);
101}
102
103#define AESCTR_NONCESIZE	4
104
105void
106AES_GMAC_Init(AES_GMAC_CTX *ctx)
107{
108
109	memset(ctx, 0, sizeof(AES_GMAC_CTX));
110}
111
112void
113AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const uint8_t *key, uint16_t klen)
114{
115	int i;
116
117	ctx->rounds = rijndaelKeySetupEnc(ctx->K, (const u_char *)key,
118	    (klen - AESCTR_NONCESIZE) * 8);
119	/* copy out salt to the counter block */
120	memcpy(ctx->J, key + klen - AESCTR_NONCESIZE, AESCTR_NONCESIZE);
121	/* prepare a hash subkey */
122	rijndaelEncrypt(ctx->K, ctx->rounds, (void *)ctx->ghash.H,
123			(void *)ctx->ghash.H);
124#if GMAC_INTLEN == 8
125	for (i = 0; i < 2; i++)
126		ctx->ghash.H[i] = be64toh(ctx->ghash.H[i]);
127#else
128	for (i = 0; i < 4; i++)
129		ctx->ghash.H[i] = be32toh(ctx->ghash.H[i]);
130#endif
131}
132
133void
134AES_GMAC_Reinit(AES_GMAC_CTX *ctx, const uint8_t *iv, uint16_t ivlen)
135{
136	/* copy out IV to the counter block */
137	memcpy(ctx->J + AESCTR_NONCESIZE, iv, ivlen);
138}
139
140int
141AES_GMAC_Update(AES_GMAC_CTX *ctx, const uint8_t *data, uint16_t len)
142{
143	uint8_t		blk[16] = { 0 };
144	int		plen;
145
146	if (len > 0) {
147		plen = len % GMAC_BLOCK_LEN;
148		if (len >= GMAC_BLOCK_LEN)
149			ghash_update(&ctx->ghash, data, len - plen);
150		if (plen) {
151			memcpy(blk, data + (len - plen), plen);
152			ghash_update(&ctx->ghash, blk, GMAC_BLOCK_LEN);
153		}
154	}
155	return (0);
156}
157
158void
159AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], AES_GMAC_CTX *ctx)
160{
161	uint8_t		keystream[GMAC_BLOCK_LEN], *k, *d;
162	int		i;
163
164	/* do one round of GCTR */
165	ctx->J[GMAC_BLOCK_LEN - 1] = 1;
166	rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream);
167	k = keystream;
168	d = digest;
169#if GMAC_INTLEN == 8
170	for (i = 0; i < GMAC_DIGEST_LEN/8; i++) {
171		d[0] = (uint8_t)(ctx->ghash.S[i] >> 56) ^ k[0];
172		d[1] = (uint8_t)(ctx->ghash.S[i] >> 48) ^ k[1];
173		d[2] = (uint8_t)(ctx->ghash.S[i] >> 40) ^ k[2];
174		d[3] = (uint8_t)(ctx->ghash.S[i] >> 32) ^ k[3];
175		d[4] = (uint8_t)(ctx->ghash.S[i] >> 24) ^ k[4];
176		d[5] = (uint8_t)(ctx->ghash.S[i] >> 16) ^ k[5];
177		d[6] = (uint8_t)(ctx->ghash.S[i] >> 8) ^ k[6];
178		d[7] = (uint8_t)ctx->ghash.S[i] ^ k[7];
179		d += 8;
180		k += 8;
181	}
182#else
183	for (i = 0; i < GMAC_DIGEST_LEN/4; i++) {
184		d[0] = (uint8_t)(ctx->ghash.S[i] >> 24) ^ k[0];
185		d[1] = (uint8_t)(ctx->ghash.S[i] >> 16) ^ k[1];
186		d[2] = (uint8_t)(ctx->ghash.S[i] >> 8) ^ k[2];
187		d[3] = (uint8_t)ctx->ghash.S[i] ^ k[3];
188		d += 4;
189		k += 4;
190	}
191#endif
192	memset(keystream, 0, sizeof(keystream));
193}
194