1 /*
2 * Copyright (c) 2012 Vincent Hanquez <vincent@snarc.org>
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of the author nor the names of his contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31 #include "cpu.h"
32 #include "aes.h"
33 #include "aes_generic.h"
34 #include "bitfn.h"
35 #include <string.h>
36 #include <stdio.h>
37
38 #include "gf.h"
39 #include "aes_x86ni.h"
40
41 void aes_generic_encrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks);
42 void aes_generic_decrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks);
43 void aes_generic_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks);
44 void aes_generic_decrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks);
45 void aes_generic_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length);
46 void aes_generic_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
47 uint32_t spoint, aes_block *input, uint32_t nb_blocks);
48 void aes_generic_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
49 uint32_t spoint, aes_block *input, uint32_t nb_blocks);
50 void aes_generic_gcm_encrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
51 void aes_generic_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
52 void aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
53 void aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
54
55 enum {
56 /* init */
57 INIT_128, INIT_192, INIT_256,
58 /* single block */
59 ENCRYPT_BLOCK_128, ENCRYPT_BLOCK_192, ENCRYPT_BLOCK_256,
60 DECRYPT_BLOCK_128, DECRYPT_BLOCK_192, DECRYPT_BLOCK_256,
61 /* ecb */
62 ENCRYPT_ECB_128, ENCRYPT_ECB_192, ENCRYPT_ECB_256,
63 DECRYPT_ECB_128, DECRYPT_ECB_192, DECRYPT_ECB_256,
64 /* cbc */
65 ENCRYPT_CBC_128, ENCRYPT_CBC_192, ENCRYPT_CBC_256,
66 DECRYPT_CBC_128, DECRYPT_CBC_192, DECRYPT_CBC_256,
67 /* ctr */
68 ENCRYPT_CTR_128, ENCRYPT_CTR_192, ENCRYPT_CTR_256,
69 /* xts */
70 ENCRYPT_XTS_128, ENCRYPT_XTS_192, ENCRYPT_XTS_256,
71 DECRYPT_XTS_128, DECRYPT_XTS_192, DECRYPT_XTS_256,
72 /* gcm */
73 ENCRYPT_GCM_128, ENCRYPT_GCM_192, ENCRYPT_GCM_256,
74 DECRYPT_GCM_128, DECRYPT_GCM_192, DECRYPT_GCM_256,
75 /* ocb */
76 ENCRYPT_OCB_128, ENCRYPT_OCB_192, ENCRYPT_OCB_256,
77 DECRYPT_OCB_128, DECRYPT_OCB_192, DECRYPT_OCB_256,
78 };
79
80 void *branch_table[] = {
81 /* INIT */
82 [INIT_128] = aes_generic_init,
83 [INIT_192] = aes_generic_init,
84 [INIT_256] = aes_generic_init,
85 /* BLOCK */
86 [ENCRYPT_BLOCK_128] = aes_generic_encrypt_block,
87 [ENCRYPT_BLOCK_192] = aes_generic_encrypt_block,
88 [ENCRYPT_BLOCK_256] = aes_generic_encrypt_block,
89 [DECRYPT_BLOCK_128] = aes_generic_decrypt_block,
90 [DECRYPT_BLOCK_192] = aes_generic_decrypt_block,
91 [DECRYPT_BLOCK_256] = aes_generic_decrypt_block,
92 /* ECB */
93 [ENCRYPT_ECB_128] = aes_generic_encrypt_ecb,
94 [ENCRYPT_ECB_192] = aes_generic_encrypt_ecb,
95 [ENCRYPT_ECB_256] = aes_generic_encrypt_ecb,
96 [DECRYPT_ECB_128] = aes_generic_decrypt_ecb,
97 [DECRYPT_ECB_192] = aes_generic_decrypt_ecb,
98 [DECRYPT_ECB_256] = aes_generic_decrypt_ecb,
99 /* CBC */
100 [ENCRYPT_CBC_128] = aes_generic_encrypt_cbc,
101 [ENCRYPT_CBC_192] = aes_generic_encrypt_cbc,
102 [ENCRYPT_CBC_256] = aes_generic_encrypt_cbc,
103 [DECRYPT_CBC_128] = aes_generic_decrypt_cbc,
104 [DECRYPT_CBC_192] = aes_generic_decrypt_cbc,
105 [DECRYPT_CBC_256] = aes_generic_decrypt_cbc,
106 /* CTR */
107 [ENCRYPT_CTR_128] = aes_generic_encrypt_ctr,
108 [ENCRYPT_CTR_192] = aes_generic_encrypt_ctr,
109 [ENCRYPT_CTR_256] = aes_generic_encrypt_ctr,
110 /* XTS */
111 [ENCRYPT_XTS_128] = aes_generic_encrypt_xts,
112 [ENCRYPT_XTS_192] = aes_generic_encrypt_xts,
113 [ENCRYPT_XTS_256] = aes_generic_encrypt_xts,
114 [DECRYPT_XTS_128] = aes_generic_decrypt_xts,
115 [DECRYPT_XTS_192] = aes_generic_decrypt_xts,
116 [DECRYPT_XTS_256] = aes_generic_decrypt_xts,
117 /* GCM */
118 [ENCRYPT_GCM_128] = aes_generic_gcm_encrypt,
119 [ENCRYPT_GCM_192] = aes_generic_gcm_encrypt,
120 [ENCRYPT_GCM_256] = aes_generic_gcm_encrypt,
121 [DECRYPT_GCM_128] = aes_generic_gcm_decrypt,
122 [DECRYPT_GCM_192] = aes_generic_gcm_decrypt,
123 [DECRYPT_GCM_256] = aes_generic_gcm_decrypt,
124 /* OCB */
125 [ENCRYPT_OCB_128] = aes_generic_ocb_encrypt,
126 [ENCRYPT_OCB_192] = aes_generic_ocb_encrypt,
127 [ENCRYPT_OCB_256] = aes_generic_ocb_encrypt,
128 [DECRYPT_OCB_128] = aes_generic_ocb_decrypt,
129 [DECRYPT_OCB_192] = aes_generic_ocb_decrypt,
130 [DECRYPT_OCB_256] = aes_generic_ocb_decrypt,
131 };
132
133 typedef void (*init_f)(aes_key *, uint8_t *, uint8_t);
134 typedef void (*ecb_f)(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks);
135 typedef void (*cbc_f)(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks);
136 typedef void (*ctr_f)(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length);
137 typedef void (*xts_f)(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit, uint32_t spoint, aes_block *input, uint32_t nb_blocks);
138 typedef void (*gcm_crypt_f)(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
139 typedef void (*ocb_crypt_f)(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
140 typedef void (*block_f)(aes_block *output, aes_key *key, aes_block *input);
141
142 #ifdef WITH_AESNI
143 #define GET_INIT(strength) \
144 ((init_f) (branch_table[INIT_128 + strength]))
145 #define GET_ECB_ENCRYPT(strength) \
146 ((ecb_f) (branch_table[ENCRYPT_ECB_128 + strength]))
147 #define GET_ECB_DECRYPT(strength) \
148 ((ecb_f) (branch_table[DECRYPT_ECB_128 + strength]))
149 #define GET_CBC_ENCRYPT(strength) \
150 ((cbc_f) (branch_table[ENCRYPT_CBC_128 + strength]))
151 #define GET_CBC_DECRYPT(strength) \
152 ((cbc_f) (branch_table[DECRYPT_CBC_128 + strength]))
153 #define GET_CTR_ENCRYPT(strength) \
154 ((ctr_f) (branch_table[ENCRYPT_CTR_128 + strength]))
155 #define GET_XTS_ENCRYPT(strength) \
156 ((xts_f) (branch_table[ENCRYPT_XTS_128 + strength]))
157 #define GET_XTS_DECRYPT(strength) \
158 ((xts_f) (branch_table[DECRYPT_XTS_128 + strength]))
159 #define GET_GCM_ENCRYPT(strength) \
160 ((gcm_crypt_f) (branch_table[ENCRYPT_GCM_128 + strength]))
161 #define GET_GCM_DECRYPT(strength) \
162 ((gcm_crypt_f) (branch_table[DECRYPT_GCM_128 + strength]))
163 #define GET_OCB_ENCRYPT(strength) \
164 ((ocb_crypt_f) (branch_table[ENCRYPT_OCB_128 + strength]))
165 #define GET_OCB_DECRYPT(strength) \
166 ((ocb_crypt_f) (branch_table[DECRYPT_OCB_128 + strength]))
167 #define aes_encrypt_block(o,k,i) \
168 (((block_f) (branch_table[ENCRYPT_BLOCK_128 + k->strength]))(o,k,i))
169 #define aes_decrypt_block(o,k,i) \
170 (((block_f) (branch_table[DECRYPT_BLOCK_128 + k->strength]))(o,k,i))
171 #else
172 #define GET_INIT(strength) aes_generic_init
173 #define GET_ECB_ENCRYPT(strength) aes_generic_encrypt_ecb
174 #define GET_ECB_DECRYPT(strength) aes_generic_decrypt_ecb
175 #define GET_CBC_ENCRYPT(strength) aes_generic_encrypt_cbc
176 #define GET_CBC_DECRYPT(strength) aes_generic_decrypt_cbc
177 #define GET_CTR_ENCRYPT(strength) aes_generic_encrypt_ctr
178 #define GET_XTS_ENCRYPT(strength) aes_generic_encrypt_xts
179 #define GET_XTS_DECRYPT(strength) aes_generic_decrypt_xts
180 #define GET_GCM_ENCRYPT(strength) aes_generic_gcm_encrypt
181 #define GET_GCM_DECRYPT(strength) aes_generic_gcm_decrypt
182 #define GET_OCB_ENCRYPT(strength) aes_generic_ocb_encrypt
183 #define GET_OCB_DECRYPT(strength) aes_generic_ocb_decrypt
184 #define aes_encrypt_block(o,k,i) aes_generic_encrypt_block(o,k,i)
185 #define aes_decrypt_block(o,k,i) aes_generic_decrypt_block(o,k,i)
186 #endif
187
188 #if defined(ARCH_X86) && defined(WITH_AESNI)
initialize_table_ni(int aesni,int pclmul)189 void initialize_table_ni(int aesni, int pclmul)
190 {
191 if (!aesni)
192 return;
193 branch_table[INIT_128] = aes_ni_init;
194 branch_table[INIT_256] = aes_ni_init;
195
196 branch_table[ENCRYPT_BLOCK_128] = aes_ni_encrypt_block128;
197 branch_table[DECRYPT_BLOCK_128] = aes_ni_decrypt_block128;
198 branch_table[ENCRYPT_BLOCK_256] = aes_ni_encrypt_block256;
199 branch_table[DECRYPT_BLOCK_256] = aes_ni_decrypt_block256;
200 /* ECB */
201 branch_table[ENCRYPT_ECB_128] = aes_ni_encrypt_ecb128;
202 branch_table[DECRYPT_ECB_128] = aes_ni_decrypt_ecb128;
203 branch_table[ENCRYPT_ECB_256] = aes_ni_encrypt_ecb256;
204 branch_table[DECRYPT_ECB_256] = aes_ni_decrypt_ecb256;
205 /* CBC */
206 branch_table[ENCRYPT_CBC_128] = aes_ni_encrypt_cbc128;
207 branch_table[DECRYPT_CBC_128] = aes_ni_decrypt_cbc128;
208 branch_table[ENCRYPT_CBC_256] = aes_ni_encrypt_cbc256;
209 branch_table[DECRYPT_CBC_256] = aes_ni_decrypt_cbc256;
210 /* CTR */
211 branch_table[ENCRYPT_CTR_128] = aes_ni_encrypt_ctr128;
212 branch_table[ENCRYPT_CTR_256] = aes_ni_encrypt_ctr256;
213 /* XTS */
214 branch_table[ENCRYPT_XTS_128] = aes_ni_encrypt_xts128;
215 branch_table[ENCRYPT_XTS_256] = aes_ni_encrypt_xts256;
216 /* GCM */
217 branch_table[ENCRYPT_GCM_128] = aes_ni_gcm_encrypt128;
218 branch_table[ENCRYPT_GCM_256] = aes_ni_gcm_encrypt256;
219 /* OCB */
220 /*
221 branch_table[ENCRYPT_OCB_128] = aes_ni_ocb_encrypt128;
222 branch_table[ENCRYPT_OCB_256] = aes_ni_ocb_encrypt256;
223 */
224 }
225 #endif
226
aes_initkey(aes_key * key,uint8_t * origkey,uint8_t size)227 void aes_initkey(aes_key *key, uint8_t *origkey, uint8_t size)
228 {
229 switch (size) {
230 case 16: key->nbr = 10; key->strength = 0; break;
231 case 24: key->nbr = 12; key->strength = 1; break;
232 case 32: key->nbr = 14; key->strength = 2; break;
233 }
234 #if defined(ARCH_X86) && defined(WITH_AESNI)
235 initialize_hw(initialize_table_ni);
236 #endif
237 init_f _init = GET_INIT(key->strength);
238 _init(key, origkey, size);
239 }
240
aes_encrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)241 void aes_encrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
242 {
243 ecb_f e = GET_ECB_ENCRYPT(key->strength);
244 e(output, key, input, nb_blocks);
245 }
246
aes_decrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)247 void aes_decrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
248 {
249 ecb_f d = GET_ECB_DECRYPT(key->strength);
250 d(output, key, input, nb_blocks);
251 }
252
aes_encrypt_cbc(aes_block * output,aes_key * key,aes_block * iv,aes_block * input,uint32_t nb_blocks)253 void aes_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks)
254 {
255 cbc_f e = GET_CBC_ENCRYPT(key->strength);
256 e(output, key, iv, input, nb_blocks);
257 }
258
aes_decrypt_cbc(aes_block * output,aes_key * key,aes_block * iv,aes_block * input,uint32_t nb_blocks)259 void aes_decrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks)
260 {
261 cbc_f d = GET_CBC_DECRYPT(key->strength);
262 d(output, key, iv, input, nb_blocks);
263 }
264
aes_gen_ctr(aes_block * output,aes_key * key,const aes_block * iv,uint32_t nb_blocks)265 void aes_gen_ctr(aes_block *output, aes_key *key, const aes_block *iv, uint32_t nb_blocks)
266 {
267 aes_block block;
268
269 /* preload IV in block */
270 block128_copy(&block, iv);
271
272 for ( ; nb_blocks-- > 0; output++, block128_inc_be(&block)) {
273 aes_encrypt_block(output, key, &block);
274 }
275 }
276
aes_gen_ctr_cont(aes_block * output,aes_key * key,aes_block * iv,uint32_t nb_blocks)277 void aes_gen_ctr_cont(aes_block *output, aes_key *key, aes_block *iv, uint32_t nb_blocks)
278 {
279 aes_block block;
280
281 /* preload IV in block */
282 block128_copy(&block, iv);
283
284 for ( ; nb_blocks-- > 0; output++, block128_inc_be(&block)) {
285 aes_encrypt_block(output, key, &block);
286 }
287
288 /* copy back the IV */
289 block128_copy(iv, &block);
290 }
291
aes_encrypt_ctr(uint8_t * output,aes_key * key,aes_block * iv,uint8_t * input,uint32_t len)292 void aes_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)
293 {
294 ctr_f e = GET_CTR_ENCRYPT(key->strength);
295 e(output, key, iv, input, len);
296 }
297
aes_encrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)298 void aes_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
299 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
300 {
301 xts_f e = GET_XTS_ENCRYPT(k1->strength);
302 e(output, k1, k2, dataunit, spoint, input, nb_blocks);
303 }
304
aes_decrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)305 void aes_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
306 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
307 {
308 aes_generic_decrypt_xts(output, k1, k2, dataunit, spoint, input, nb_blocks);
309 }
310
aes_gcm_encrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)311 void aes_gcm_encrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
312 {
313 gcm_crypt_f e = GET_GCM_ENCRYPT(key->strength);
314 e(output, gcm, key, input, length);
315 }
316
aes_gcm_decrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)317 void aes_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
318 {
319 gcm_crypt_f d = GET_GCM_DECRYPT(key->strength);
320 d(output, gcm, key, input, length);
321 }
322
aes_ocb_encrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)323 void aes_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
324 {
325 ocb_crypt_f e = GET_OCB_ENCRYPT(key->strength);
326 e(output, ocb, key, input, length);
327 }
328
aes_ocb_decrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)329 void aes_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
330 {
331 ocb_crypt_f d = GET_OCB_DECRYPT(key->strength);
332 d(output, ocb, key, input, length);
333 }
334
gcm_ghash_add(aes_gcm * gcm,block128 * b)335 static void gcm_ghash_add(aes_gcm *gcm, block128 *b)
336 {
337 block128_xor(&gcm->tag, b);
338 gf_mul(&gcm->tag, &gcm->h);
339 }
340
aes_gcm_init(aes_gcm * gcm,aes_key * key,uint8_t * iv,uint32_t len)341 void aes_gcm_init(aes_gcm *gcm, aes_key *key, uint8_t *iv, uint32_t len)
342 {
343 gcm->length_aad = 0;
344 gcm->length_input = 0;
345
346 block128_zero(&gcm->h);
347 block128_zero(&gcm->tag);
348 block128_zero(&gcm->iv);
349
350 /* prepare H : encrypt_K(0^128) */
351 aes_encrypt_block(&gcm->h, key, &gcm->h);
352
353 if (len == 12) {
354 block128_copy_bytes(&gcm->iv, iv, 12);
355 gcm->iv.b[15] = 0x01;
356 } else {
357 uint32_t origlen = len << 3;
358 int i;
359 for (; len >= 16; len -= 16, iv += 16) {
360 block128_xor(&gcm->iv, (block128 *) iv);
361 gf_mul(&gcm->iv, &gcm->h);
362 }
363 if (len > 0) {
364 block128_xor_bytes(&gcm->iv, iv, len);
365 gf_mul(&gcm->iv, &gcm->h);
366 }
367 for (i = 15; origlen; --i, origlen >>= 8)
368 gcm->iv.b[i] ^= (uint8_t) origlen;
369 gf_mul(&gcm->iv, &gcm->h);
370 }
371
372 block128_copy(&gcm->civ, &gcm->iv);
373 }
374
aes_gcm_aad(aes_gcm * gcm,uint8_t * input,uint32_t length)375 void aes_gcm_aad(aes_gcm *gcm, uint8_t *input, uint32_t length)
376 {
377 gcm->length_aad += length;
378 for (; length >= 16; input += 16, length -= 16) {
379 gcm_ghash_add(gcm, (block128 *) input);
380 }
381 if (length > 0) {
382 aes_block tmp;
383 block128_zero(&tmp);
384 block128_copy_bytes(&tmp, input, length);
385 gcm_ghash_add(gcm, &tmp);
386 }
387
388 }
389
aes_gcm_finish(uint8_t * tag,aes_gcm * gcm,aes_key * key)390 void aes_gcm_finish(uint8_t *tag, aes_gcm *gcm, aes_key *key)
391 {
392 aes_block lblock;
393 int i;
394
395 /* tag = (tag-1 xor (lenbits(a) | lenbits(c)) ) . H */
396 lblock.q[0] = cpu_to_be64(gcm->length_aad << 3);
397 lblock.q[1] = cpu_to_be64(gcm->length_input << 3);
398 gcm_ghash_add(gcm, &lblock);
399
400 aes_encrypt_block(&lblock, key, &gcm->iv);
401 block128_xor(&gcm->tag, &lblock);
402
403 for (i = 0; i < 16; i++) {
404 tag[i] = gcm->tag.b[i];
405 }
406 }
407
ocb_block_double(block128 * d,block128 * s)408 static inline void ocb_block_double(block128 *d, block128 *s)
409 {
410 unsigned int i;
411 uint8_t tmp = s->b[0];
412
413 for (i=0; i<15; i++)
414 d->b[i] = (s->b[i] << 1) | (s->b[i+1] >> 7);
415 d->b[15] = (s->b[15] << 1) ^ ((tmp >> 7) * 0x87);
416 }
417
ocb_get_L_i(block128 * l,block128 * lis,unsigned int i)418 static void ocb_get_L_i(block128 *l, block128 *lis, unsigned int i)
419 {
420 #define L_CACHED 4
421 i = bitfn_ntz(i);
422 if (i < L_CACHED) {
423 block128_copy(l, &lis[i]);
424 } else {
425 i -= (L_CACHED - 1);
426 block128_copy(l, &lis[L_CACHED - 1]);
427 while (i--) {
428 ocb_block_double(l, l);
429 }
430 }
431 #undef L_CACHED
432 }
433
aes_ocb_init(aes_ocb * ocb,aes_key * key,uint8_t * iv,uint32_t len)434 void aes_ocb_init(aes_ocb *ocb, aes_key *key, uint8_t *iv, uint32_t len)
435 {
436 block128 tmp, nonce, ktop;
437 unsigned char stretch[24];
438 unsigned bottom, byteshift, bitshift, i;
439
440 /* we don't accept more than 15 bytes, any bytes higher will be ignored. */
441 if (len > 15) {
442 len = 15;
443 }
444
445 /* create L*, and L$,L0,L1,L2,L3 */
446 block128_zero(&tmp);
447 aes_encrypt_block(&ocb->lstar, key, &tmp);
448
449 ocb_block_double(&ocb->ldollar, &ocb->lstar);
450 ocb_block_double(&ocb->li[0], &ocb->ldollar);
451 ocb_block_double(&ocb->li[1], &ocb->li[0]);
452 ocb_block_double(&ocb->li[2], &ocb->li[1]);
453 ocb_block_double(&ocb->li[3], &ocb->li[2]);
454
455 /* create strech from the nonce */
456 block128_zero(&nonce);
457 memcpy(nonce.b + 4, iv, 12);
458 nonce.b[0] = (unsigned char)(((16 * 8) % 128) << 1);
459 nonce.b[16-12-1] |= 0x01;
460 bottom = nonce.b[15] & 0x3F;
461 nonce.b[15] &= 0xC0;
462 aes_encrypt_block(&ktop, key, &nonce);
463 memcpy(stretch, ktop.b, 16);
464
465 memcpy(tmp.b, ktop.b + 1, 8);
466 block128_xor(&tmp, &ktop);
467 memcpy(stretch + 16, tmp.b, 8);
468
469 /* initialize the encryption offset from stretch */
470 byteshift = bottom / 8;
471 bitshift = bottom % 8;
472 if (bitshift != 0)
473 for (i = 0; i < 16; i++)
474 ocb->offset_enc.b[i] = (stretch[i+byteshift] << bitshift)
475 | (stretch[i+byteshift+1] >> (8-bitshift));
476 else
477 for (i = 0; i < 16; i++)
478 ocb->offset_enc.b[i] = stretch[i+byteshift];
479 /* initialize checksum for aad and encryption, and the aad offset */
480 block128_zero(&ocb->sum_aad);
481 block128_zero(&ocb->sum_enc);
482 block128_zero(&ocb->offset_aad);
483 }
484
aes_ocb_aad(aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)485 void aes_ocb_aad(aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
486 {
487 block128 tmp;
488 unsigned int i;
489
490 for (i=1; i<= length/16; i++, input=input+16) {
491 ocb_get_L_i(&tmp, ocb->li, i);
492 block128_xor(&ocb->offset_aad, &tmp);
493
494 block128_vxor(&tmp, &ocb->offset_aad, (block128 *) input);
495 aes_encrypt_block(&tmp, key, &tmp);
496 block128_xor(&ocb->sum_aad, &tmp);
497 }
498
499 length = length % 16; /* Bytes in final block */
500 if (length > 0) {
501 block128_xor(&ocb->offset_aad, &ocb->lstar);
502 block128_zero(&tmp);
503 block128_copy_bytes(&tmp, input, length);
504 tmp.b[length] = 0x80;
505 block128_xor(&tmp, &ocb->offset_aad);
506 aes_encrypt_block(&tmp, key, &tmp);
507 block128_xor(&ocb->sum_aad, &tmp);
508 }
509 }
510
aes_ocb_finish(uint8_t * tag,aes_ocb * ocb,aes_key * key)511 void aes_ocb_finish(uint8_t *tag, aes_ocb *ocb, aes_key *key)
512 {
513 block128 tmp;
514
515 block128_vxor(&tmp, &ocb->sum_enc, &ocb->offset_enc);
516 block128_xor(&tmp, &ocb->ldollar);
517 aes_encrypt_block((block128 *) tag, key, &tmp);
518 block128_xor((block128 *) tag, &ocb->sum_aad);
519 }
520
aes_generic_encrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)521 void aes_generic_encrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
522 {
523 for ( ; nb_blocks-- > 0; input++, output++) {
524 aes_generic_encrypt_block(output, key, input);
525 }
526 }
527
aes_generic_decrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)528 void aes_generic_decrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
529 {
530 for ( ; nb_blocks-- > 0; input++, output++) {
531 aes_generic_decrypt_block(output, key, input);
532 }
533 }
534
aes_generic_encrypt_cbc(aes_block * output,aes_key * key,aes_block * iv,aes_block * input,uint32_t nb_blocks)535 void aes_generic_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks)
536 {
537 aes_block block;
538
539 /* preload IV in block */
540 block128_copy(&block, iv);
541 for ( ; nb_blocks-- > 0; input++, output++) {
542 block128_xor(&block, (block128 *) input);
543 aes_generic_encrypt_block(&block, key, &block);
544 block128_copy((block128 *) output, &block);
545 }
546 }
547
aes_generic_decrypt_cbc(aes_block * output,aes_key * key,aes_block * ivini,aes_block * input,uint32_t nb_blocks)548 void aes_generic_decrypt_cbc(aes_block *output, aes_key *key, aes_block *ivini, aes_block *input, uint32_t nb_blocks)
549 {
550 aes_block block, blocko;
551 aes_block iv;
552
553 /* preload IV in block */
554 block128_copy(&iv, ivini);
555 for ( ; nb_blocks-- > 0; input++, output++) {
556 block128_copy(&block, (block128 *) input);
557 aes_generic_decrypt_block(&blocko, key, &block);
558 block128_vxor((block128 *) output, &blocko, &iv);
559 block128_copy(&iv, &block);
560 }
561 }
562
aes_generic_encrypt_ctr(uint8_t * output,aes_key * key,aes_block * iv,uint8_t * input,uint32_t len)563 void aes_generic_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)
564 {
565 aes_block block, o;
566 uint32_t nb_blocks = len / 16;
567 int i;
568
569 /* preload IV in block */
570 block128_copy(&block, iv);
571
572 for ( ; nb_blocks-- > 0; block128_inc_be(&block), output += 16, input += 16) {
573 aes_encrypt_block(&o, key, &block);
574 block128_vxor((block128 *) output, &o, (block128 *) input);
575 }
576
577 if ((len % 16) != 0) {
578 aes_encrypt_block(&o, key, &block);
579 for (i = 0; i < (len % 16); i++) {
580 *output = ((uint8_t *) &o)[i] ^ *input;
581 output++;
582 input++;
583 }
584 }
585 }
586
aes_generic_encrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)587 void aes_generic_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
588 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
589 {
590 aes_block block, tweak;
591
592 /* load IV and encrypt it using k2 as the tweak */
593 block128_copy(&tweak, dataunit);
594 aes_encrypt_block(&tweak, k2, &tweak);
595
596 /* TO OPTIMISE: this is really inefficient way to do that */
597 while (spoint-- > 0)
598 gf_mulx(&tweak);
599
600 for ( ; nb_blocks-- > 0; input++, output++, gf_mulx(&tweak)) {
601 block128_vxor(&block, input, &tweak);
602 aes_encrypt_block(&block, k1, &block);
603 block128_vxor(output, &block, &tweak);
604 }
605 }
606
aes_generic_decrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)607 void aes_generic_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
608 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
609 {
610 aes_block block, tweak;
611
612 /* load IV and encrypt it using k2 as the tweak */
613 block128_copy(&tweak, dataunit);
614 aes_encrypt_block(&tweak, k2, &tweak);
615
616 /* TO OPTIMISE: this is really inefficient way to do that */
617 while (spoint-- > 0)
618 gf_mulx(&tweak);
619
620 for ( ; nb_blocks-- > 0; input++, output++, gf_mulx(&tweak)) {
621 block128_vxor(&block, input, &tweak);
622 aes_decrypt_block(&block, k1, &block);
623 block128_vxor(output, &block, &tweak);
624 }
625 }
626
aes_generic_gcm_encrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)627 void aes_generic_gcm_encrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
628 {
629 aes_block out;
630
631 gcm->length_input += length;
632 for (; length >= 16; input += 16, output += 16, length -= 16) {
633 block128_inc_be(&gcm->civ);
634
635 aes_encrypt_block(&out, key, &gcm->civ);
636 block128_xor(&out, (block128 *) input);
637 gcm_ghash_add(gcm, &out);
638 block128_copy((block128 *) output, &out);
639 }
640 if (length > 0) {
641 aes_block tmp;
642 int i;
643
644 block128_inc_be(&gcm->civ);
645 /* create e(civ) in out */
646 aes_encrypt_block(&out, key, &gcm->civ);
647 /* initialize a tmp as input and xor it to e(civ) */
648 block128_zero(&tmp);
649 block128_copy_bytes(&tmp, input, length);
650 block128_xor_bytes(&tmp, out.b, length);
651
652 gcm_ghash_add(gcm, &tmp);
653
654 for (i = 0; i < length; i++) {
655 output[i] = tmp.b[i];
656 }
657 }
658 }
659
aes_generic_gcm_decrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)660 void aes_generic_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
661 {
662 aes_block out;
663
664 gcm->length_input += length;
665 for (; length >= 16; input += 16, output += 16, length -= 16) {
666 block128_inc_be(&gcm->civ);
667
668 aes_encrypt_block(&out, key, &gcm->civ);
669 gcm_ghash_add(gcm, (block128 *) input);
670 block128_xor(&out, (block128 *) input);
671 block128_copy((block128 *) output, &out);
672 }
673 if (length > 0) {
674 aes_block tmp;
675 int i;
676
677 block128_inc_be(&gcm->civ);
678
679 block128_zero(&tmp);
680 block128_copy_bytes(&tmp, input, length);
681 gcm_ghash_add(gcm, &tmp);
682
683 aes_encrypt_block(&out, key, &gcm->civ);
684 block128_xor_bytes(&tmp, out.b, length);
685
686 for (i = 0; i < length; i++) {
687 output[i] = tmp.b[i];
688 }
689 }
690 }
691
ocb_generic_crypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length,int encrypt)692 static void ocb_generic_crypt(uint8_t *output, aes_ocb *ocb, aes_key *key,
693 uint8_t *input, uint32_t length, int encrypt)
694 {
695 block128 tmp, pad;
696 unsigned int i;
697
698 for (i = 1; i <= length/16; i++, input += 16, output += 16) {
699 /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
700 ocb_get_L_i(&tmp, ocb->li, i);
701 block128_xor(&ocb->offset_enc, &tmp);
702
703 block128_vxor(&tmp, &ocb->offset_enc, (block128 *) input);
704 if (encrypt) {
705 aes_encrypt_block(&tmp, key, &tmp);
706 block128_vxor((block128 *) output, &ocb->offset_enc, &tmp);
707 block128_xor(&ocb->sum_enc, (block128 *) input);
708 } else {
709 aes_decrypt_block(&tmp, key, &tmp);
710 block128_vxor((block128 *) output, &ocb->offset_enc, &tmp);
711 block128_xor(&ocb->sum_enc, (block128 *) output);
712 }
713 }
714
715 /* process the last partial block if any */
716 length = length % 16;
717 if (length > 0) {
718 block128_xor(&ocb->offset_enc, &ocb->lstar);
719 aes_encrypt_block(&pad, key, &ocb->offset_enc);
720
721 if (encrypt) {
722 block128_zero(&tmp);
723 block128_copy_bytes(&tmp, input, length);
724 tmp.b[length] = 0x80;
725 block128_xor(&ocb->sum_enc, &tmp);
726 block128_xor(&pad, &tmp);
727 memcpy(output, pad.b, length);
728 output += length;
729 } else {
730 block128_copy(&tmp, &pad);
731 block128_copy_bytes(&tmp, input, length);
732 block128_xor(&tmp, &pad);
733 tmp.b[length] = 0x80;
734 memcpy(output, tmp.b, length);
735 block128_xor(&ocb->sum_enc, &tmp);
736 input += length;
737 }
738 }
739 }
740
aes_generic_ocb_encrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)741 void aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
742 {
743 ocb_generic_crypt(output, ocb, key, input, length, 1);
744 }
745
aes_generic_ocb_decrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)746 void aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
747 {
748 ocb_generic_crypt(output, ocb, key, input, length, 0);
749 }
750