1 /*
2 * Copyright (c) 2012 Vincent Hanquez <vincent@snarc.org>
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of the author nor the names of his contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31 #include <string.h>
32 #include <stdio.h>
33
34 #include <cryptonite_cpu.h>
35 #include <cryptonite_aes.h>
36 #include <cryptonite_bitfn.h>
37
38 #include <aes/generic.h>
39 #include <aes/gf.h>
40 #include <aes/x86ni.h>
41
42 void cryptonite_aes_generic_encrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks);
43 void cryptonite_aes_generic_decrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks);
44 void cryptonite_aes_generic_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks);
45 void cryptonite_aes_generic_decrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks);
46 void cryptonite_aes_generic_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length);
47 void cryptonite_aes_generic_encrypt_c32(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length);
48 void cryptonite_aes_generic_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
49 uint32_t spoint, aes_block *input, uint32_t nb_blocks);
50 void cryptonite_aes_generic_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
51 uint32_t spoint, aes_block *input, uint32_t nb_blocks);
52 void cryptonite_aes_generic_gcm_encrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
53 void cryptonite_aes_generic_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
54 void cryptonite_aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
55 void cryptonite_aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
56 void cryptonite_aes_generic_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
57 void cryptonite_aes_generic_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
58
59 enum {
60 /* init */
61 INIT_128, INIT_192, INIT_256,
62 /* single block */
63 ENCRYPT_BLOCK_128, ENCRYPT_BLOCK_192, ENCRYPT_BLOCK_256,
64 DECRYPT_BLOCK_128, DECRYPT_BLOCK_192, DECRYPT_BLOCK_256,
65 /* ecb */
66 ENCRYPT_ECB_128, ENCRYPT_ECB_192, ENCRYPT_ECB_256,
67 DECRYPT_ECB_128, DECRYPT_ECB_192, DECRYPT_ECB_256,
68 /* cbc */
69 ENCRYPT_CBC_128, ENCRYPT_CBC_192, ENCRYPT_CBC_256,
70 DECRYPT_CBC_128, DECRYPT_CBC_192, DECRYPT_CBC_256,
71 /* ctr */
72 ENCRYPT_CTR_128, ENCRYPT_CTR_192, ENCRYPT_CTR_256,
73 /* ctr with 32-bit wrapping */
74 ENCRYPT_C32_128, ENCRYPT_C32_192, ENCRYPT_C32_256,
75 /* xts */
76 ENCRYPT_XTS_128, ENCRYPT_XTS_192, ENCRYPT_XTS_256,
77 DECRYPT_XTS_128, DECRYPT_XTS_192, DECRYPT_XTS_256,
78 /* gcm */
79 ENCRYPT_GCM_128, ENCRYPT_GCM_192, ENCRYPT_GCM_256,
80 DECRYPT_GCM_128, DECRYPT_GCM_192, DECRYPT_GCM_256,
81 /* ocb */
82 ENCRYPT_OCB_128, ENCRYPT_OCB_192, ENCRYPT_OCB_256,
83 DECRYPT_OCB_128, DECRYPT_OCB_192, DECRYPT_OCB_256,
84 /* ccm */
85 ENCRYPT_CCM_128, ENCRYPT_CCM_192, ENCRYPT_CCM_256,
86 DECRYPT_CCM_128, DECRYPT_CCM_192, DECRYPT_CCM_256,
87 /* ghash */
88 GHASH_HINIT, GHASH_GF_MUL,
89 };
90
91 void *cryptonite_aes_branch_table[] = {
92 /* INIT */
93 [INIT_128] = cryptonite_aes_generic_init,
94 [INIT_192] = cryptonite_aes_generic_init,
95 [INIT_256] = cryptonite_aes_generic_init,
96 /* BLOCK */
97 [ENCRYPT_BLOCK_128] = cryptonite_aes_generic_encrypt_block,
98 [ENCRYPT_BLOCK_192] = cryptonite_aes_generic_encrypt_block,
99 [ENCRYPT_BLOCK_256] = cryptonite_aes_generic_encrypt_block,
100 [DECRYPT_BLOCK_128] = cryptonite_aes_generic_decrypt_block,
101 [DECRYPT_BLOCK_192] = cryptonite_aes_generic_decrypt_block,
102 [DECRYPT_BLOCK_256] = cryptonite_aes_generic_decrypt_block,
103 /* ECB */
104 [ENCRYPT_ECB_128] = cryptonite_aes_generic_encrypt_ecb,
105 [ENCRYPT_ECB_192] = cryptonite_aes_generic_encrypt_ecb,
106 [ENCRYPT_ECB_256] = cryptonite_aes_generic_encrypt_ecb,
107 [DECRYPT_ECB_128] = cryptonite_aes_generic_decrypt_ecb,
108 [DECRYPT_ECB_192] = cryptonite_aes_generic_decrypt_ecb,
109 [DECRYPT_ECB_256] = cryptonite_aes_generic_decrypt_ecb,
110 /* CBC */
111 [ENCRYPT_CBC_128] = cryptonite_aes_generic_encrypt_cbc,
112 [ENCRYPT_CBC_192] = cryptonite_aes_generic_encrypt_cbc,
113 [ENCRYPT_CBC_256] = cryptonite_aes_generic_encrypt_cbc,
114 [DECRYPT_CBC_128] = cryptonite_aes_generic_decrypt_cbc,
115 [DECRYPT_CBC_192] = cryptonite_aes_generic_decrypt_cbc,
116 [DECRYPT_CBC_256] = cryptonite_aes_generic_decrypt_cbc,
117 /* CTR */
118 [ENCRYPT_CTR_128] = cryptonite_aes_generic_encrypt_ctr,
119 [ENCRYPT_CTR_192] = cryptonite_aes_generic_encrypt_ctr,
120 [ENCRYPT_CTR_256] = cryptonite_aes_generic_encrypt_ctr,
121 /* CTR with 32-bit wrapping */
122 [ENCRYPT_C32_128] = cryptonite_aes_generic_encrypt_c32,
123 [ENCRYPT_C32_192] = cryptonite_aes_generic_encrypt_c32,
124 [ENCRYPT_C32_256] = cryptonite_aes_generic_encrypt_c32,
125 /* XTS */
126 [ENCRYPT_XTS_128] = cryptonite_aes_generic_encrypt_xts,
127 [ENCRYPT_XTS_192] = cryptonite_aes_generic_encrypt_xts,
128 [ENCRYPT_XTS_256] = cryptonite_aes_generic_encrypt_xts,
129 [DECRYPT_XTS_128] = cryptonite_aes_generic_decrypt_xts,
130 [DECRYPT_XTS_192] = cryptonite_aes_generic_decrypt_xts,
131 [DECRYPT_XTS_256] = cryptonite_aes_generic_decrypt_xts,
132 /* GCM */
133 [ENCRYPT_GCM_128] = cryptonite_aes_generic_gcm_encrypt,
134 [ENCRYPT_GCM_192] = cryptonite_aes_generic_gcm_encrypt,
135 [ENCRYPT_GCM_256] = cryptonite_aes_generic_gcm_encrypt,
136 [DECRYPT_GCM_128] = cryptonite_aes_generic_gcm_decrypt,
137 [DECRYPT_GCM_192] = cryptonite_aes_generic_gcm_decrypt,
138 [DECRYPT_GCM_256] = cryptonite_aes_generic_gcm_decrypt,
139 /* OCB */
140 [ENCRYPT_OCB_128] = cryptonite_aes_generic_ocb_encrypt,
141 [ENCRYPT_OCB_192] = cryptonite_aes_generic_ocb_encrypt,
142 [ENCRYPT_OCB_256] = cryptonite_aes_generic_ocb_encrypt,
143 [DECRYPT_OCB_128] = cryptonite_aes_generic_ocb_decrypt,
144 [DECRYPT_OCB_192] = cryptonite_aes_generic_ocb_decrypt,
145 [DECRYPT_OCB_256] = cryptonite_aes_generic_ocb_decrypt,
146 /* CCM */
147 [ENCRYPT_CCM_128] = cryptonite_aes_generic_ccm_encrypt,
148 [ENCRYPT_CCM_192] = cryptonite_aes_generic_ccm_encrypt,
149 [ENCRYPT_CCM_256] = cryptonite_aes_generic_ccm_encrypt,
150 [DECRYPT_CCM_128] = cryptonite_aes_generic_ccm_decrypt,
151 [DECRYPT_CCM_192] = cryptonite_aes_generic_ccm_decrypt,
152 [DECRYPT_CCM_256] = cryptonite_aes_generic_ccm_decrypt,
153 /* GHASH */
154 [GHASH_HINIT] = cryptonite_aes_generic_hinit,
155 [GHASH_GF_MUL] = cryptonite_aes_generic_gf_mul,
156 };
157
158 typedef void (*init_f)(aes_key *, uint8_t *, uint8_t);
159 typedef void (*ecb_f)(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks);
160 typedef void (*cbc_f)(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks);
161 typedef void (*ctr_f)(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length);
162 typedef void (*xts_f)(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit, uint32_t spoint, aes_block *input, uint32_t nb_blocks);
163 typedef void (*gcm_crypt_f)(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
164 typedef void (*ocb_crypt_f)(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
165 typedef void (*ccm_crypt_f)(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
166 typedef void (*block_f)(aes_block *output, aes_key *key, aes_block *input);
167 typedef void (*hinit_f)(table_4bit htable, const block128 *h);
168 typedef void (*gf_mul_f)(block128 *a, const table_4bit htable);
169
170 #ifdef WITH_AESNI
171 #define GET_INIT(strength) \
172 ((init_f) (cryptonite_aes_branch_table[INIT_128 + strength]))
173 #define GET_ECB_ENCRYPT(strength) \
174 ((ecb_f) (cryptonite_aes_branch_table[ENCRYPT_ECB_128 + strength]))
175 #define GET_ECB_DECRYPT(strength) \
176 ((ecb_f) (cryptonite_aes_branch_table[DECRYPT_ECB_128 + strength]))
177 #define GET_CBC_ENCRYPT(strength) \
178 ((cbc_f) (cryptonite_aes_branch_table[ENCRYPT_CBC_128 + strength]))
179 #define GET_CBC_DECRYPT(strength) \
180 ((cbc_f) (cryptonite_aes_branch_table[DECRYPT_CBC_128 + strength]))
181 #define GET_CTR_ENCRYPT(strength) \
182 ((ctr_f) (cryptonite_aes_branch_table[ENCRYPT_CTR_128 + strength]))
183 #define GET_C32_ENCRYPT(strength) \
184 ((ctr_f) (cryptonite_aes_branch_table[ENCRYPT_C32_128 + strength]))
185 #define GET_XTS_ENCRYPT(strength) \
186 ((xts_f) (cryptonite_aes_branch_table[ENCRYPT_XTS_128 + strength]))
187 #define GET_XTS_DECRYPT(strength) \
188 ((xts_f) (cryptonite_aes_branch_table[DECRYPT_XTS_128 + strength]))
189 #define GET_GCM_ENCRYPT(strength) \
190 ((gcm_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_GCM_128 + strength]))
191 #define GET_GCM_DECRYPT(strength) \
192 ((gcm_crypt_f) (cryptonite_aes_branch_table[DECRYPT_GCM_128 + strength]))
193 #define GET_OCB_ENCRYPT(strength) \
194 ((ocb_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_OCB_128 + strength]))
195 #define GET_OCB_DECRYPT(strength) \
196 ((ocb_crypt_f) (cryptonite_aes_branch_table[DECRYPT_OCB_128 + strength]))
197 #define GET_CCM_ENCRYPT(strength) \
198 ((ccm_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_CCM_128 + strength]))
199 #define GET_CCM_DECRYPT(strength) \
200 ((ccm_crypt_f) (cryptonite_aes_branch_table[DECRYPT_CCM_128 + strength]))
201 #define cryptonite_aes_encrypt_block(o,k,i) \
202 (((block_f) (cryptonite_aes_branch_table[ENCRYPT_BLOCK_128 + k->strength]))(o,k,i))
203 #define cryptonite_aes_decrypt_block(o,k,i) \
204 (((block_f) (cryptonite_aes_branch_table[DECRYPT_BLOCK_128 + k->strength]))(o,k,i))
205 #define cryptonite_hinit(t,h) \
206 (((hinit_f) (cryptonite_aes_branch_table[GHASH_HINIT]))(t,h))
207 #define cryptonite_gf_mul(a,t) \
208 (((gf_mul_f) (cryptonite_aes_branch_table[GHASH_GF_MUL]))(a,t))
209 #else
210 #define GET_INIT(strenght) cryptonite_aes_generic_init
211 #define GET_ECB_ENCRYPT(strength) cryptonite_aes_generic_encrypt_ecb
212 #define GET_ECB_DECRYPT(strength) cryptonite_aes_generic_decrypt_ecb
213 #define GET_CBC_ENCRYPT(strength) cryptonite_aes_generic_encrypt_cbc
214 #define GET_CBC_DECRYPT(strength) cryptonite_aes_generic_decrypt_cbc
215 #define GET_CTR_ENCRYPT(strength) cryptonite_aes_generic_encrypt_ctr
216 #define GET_C32_ENCRYPT(strength) cryptonite_aes_generic_encrypt_c32
217 #define GET_XTS_ENCRYPT(strength) cryptonite_aes_generic_encrypt_xts
218 #define GET_XTS_DECRYPT(strength) cryptonite_aes_generic_decrypt_xts
219 #define GET_GCM_ENCRYPT(strength) cryptonite_aes_generic_gcm_encrypt
220 #define GET_GCM_DECRYPT(strength) cryptonite_aes_generic_gcm_decrypt
221 #define GET_OCB_ENCRYPT(strength) cryptonite_aes_generic_ocb_encrypt
222 #define GET_OCB_DECRYPT(strength) cryptonite_aes_generic_ocb_decrypt
223 #define GET_CCM_ENCRYPT(strength) cryptonite_aes_generic_ccm_encrypt
224 #define GET_CCM_DECRYPT(strength) cryptonite_aes_generic_ccm_decrypt
225 #define cryptonite_aes_encrypt_block(o,k,i) cryptonite_aes_generic_encrypt_block(o,k,i)
226 #define cryptonite_aes_decrypt_block(o,k,i) cryptonite_aes_generic_decrypt_block(o,k,i)
227 #define cryptonite_hinit(t,h) cryptonite_aes_generic_hinit(t,h)
228 #define cryptonite_gf_mul(a,t) cryptonite_aes_generic_gf_mul(a,t)
229 #endif
230
231 #define CPU_AESNI 0
232 #define CPU_PCLMUL 1
233 #define CPU_OPTION_COUNT 2
234
235 static uint8_t cryptonite_aes_cpu_options[CPU_OPTION_COUNT] = {};
236
237 #if defined(ARCH_X86) && defined(WITH_AESNI)
initialize_table_ni(int aesni,int pclmul)238 static void initialize_table_ni(int aesni, int pclmul)
239 {
240 if (!aesni)
241 return;
242 cryptonite_aes_cpu_options[CPU_AESNI] = 1;
243
244 cryptonite_aes_branch_table[INIT_128] = cryptonite_aesni_init;
245 cryptonite_aes_branch_table[INIT_256] = cryptonite_aesni_init;
246
247 cryptonite_aes_branch_table[ENCRYPT_BLOCK_128] = cryptonite_aesni_encrypt_block128;
248 cryptonite_aes_branch_table[DECRYPT_BLOCK_128] = cryptonite_aesni_decrypt_block128;
249 cryptonite_aes_branch_table[ENCRYPT_BLOCK_256] = cryptonite_aesni_encrypt_block256;
250 cryptonite_aes_branch_table[DECRYPT_BLOCK_256] = cryptonite_aesni_decrypt_block256;
251 /* ECB */
252 cryptonite_aes_branch_table[ENCRYPT_ECB_128] = cryptonite_aesni_encrypt_ecb128;
253 cryptonite_aes_branch_table[DECRYPT_ECB_128] = cryptonite_aesni_decrypt_ecb128;
254 cryptonite_aes_branch_table[ENCRYPT_ECB_256] = cryptonite_aesni_encrypt_ecb256;
255 cryptonite_aes_branch_table[DECRYPT_ECB_256] = cryptonite_aesni_decrypt_ecb256;
256 /* CBC */
257 cryptonite_aes_branch_table[ENCRYPT_CBC_128] = cryptonite_aesni_encrypt_cbc128;
258 cryptonite_aes_branch_table[DECRYPT_CBC_128] = cryptonite_aesni_decrypt_cbc128;
259 cryptonite_aes_branch_table[ENCRYPT_CBC_256] = cryptonite_aesni_encrypt_cbc256;
260 cryptonite_aes_branch_table[DECRYPT_CBC_256] = cryptonite_aesni_decrypt_cbc256;
261 /* CTR */
262 cryptonite_aes_branch_table[ENCRYPT_CTR_128] = cryptonite_aesni_encrypt_ctr128;
263 cryptonite_aes_branch_table[ENCRYPT_CTR_256] = cryptonite_aesni_encrypt_ctr256;
264 /* CTR with 32-bit wrapping */
265 cryptonite_aes_branch_table[ENCRYPT_C32_128] = cryptonite_aesni_encrypt_c32_128;
266 cryptonite_aes_branch_table[ENCRYPT_C32_256] = cryptonite_aesni_encrypt_c32_256;
267 /* XTS */
268 cryptonite_aes_branch_table[ENCRYPT_XTS_128] = cryptonite_aesni_encrypt_xts128;
269 cryptonite_aes_branch_table[ENCRYPT_XTS_256] = cryptonite_aesni_encrypt_xts256;
270 /* GCM */
271 cryptonite_aes_branch_table[ENCRYPT_GCM_128] = cryptonite_aesni_gcm_encrypt128;
272 cryptonite_aes_branch_table[ENCRYPT_GCM_256] = cryptonite_aesni_gcm_encrypt256;
273 /* OCB */
274 /*
275 cryptonite_aes_branch_table[ENCRYPT_OCB_128] = cryptonite_aesni_ocb_encrypt128;
276 cryptonite_aes_branch_table[ENCRYPT_OCB_256] = cryptonite_aesni_ocb_encrypt256;
277 */
278 #ifdef WITH_PCLMUL
279 if (!pclmul)
280 return;
281 cryptonite_aes_cpu_options[CPU_PCLMUL] = 1;
282
283 /* GHASH */
284 cryptonite_aes_branch_table[GHASH_HINIT] = cryptonite_aesni_hinit_pclmul,
285 cryptonite_aes_branch_table[GHASH_GF_MUL] = cryptonite_aesni_gf_mul_pclmul,
286 cryptonite_aesni_init_pclmul();
287 #endif
288 }
289 #endif
290
cryptonite_aes_cpu_init(void)291 uint8_t *cryptonite_aes_cpu_init(void)
292 {
293 #if defined(ARCH_X86) && defined(WITH_AESNI)
294 cryptonite_aesni_initialize_hw(initialize_table_ni);
295 #endif
296 return cryptonite_aes_cpu_options;
297 }
298
cryptonite_aes_initkey(aes_key * key,uint8_t * origkey,uint8_t size)299 void cryptonite_aes_initkey(aes_key *key, uint8_t *origkey, uint8_t size)
300 {
301 switch (size) {
302 case 16: key->nbr = 10; key->strength = 0; break;
303 case 24: key->nbr = 12; key->strength = 1; break;
304 case 32: key->nbr = 14; key->strength = 2; break;
305 }
306 cryptonite_aes_cpu_init();
307 init_f _init = GET_INIT(key->strength);
308 _init(key, origkey, size);
309 }
310
cryptonite_aes_encrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)311 void cryptonite_aes_encrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
312 {
313 ecb_f e = GET_ECB_ENCRYPT(key->strength);
314 e(output, key, input, nb_blocks);
315 }
316
cryptonite_aes_decrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)317 void cryptonite_aes_decrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
318 {
319 ecb_f d = GET_ECB_DECRYPT(key->strength);
320 d(output, key, input, nb_blocks);
321 }
322
cryptonite_aes_encrypt_cbc(aes_block * output,aes_key * key,aes_block * iv,aes_block * input,uint32_t nb_blocks)323 void cryptonite_aes_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks)
324 {
325 cbc_f e = GET_CBC_ENCRYPT(key->strength);
326 e(output, key, iv, input, nb_blocks);
327 }
328
cryptonite_aes_decrypt_cbc(aes_block * output,aes_key * key,aes_block * iv,aes_block * input,uint32_t nb_blocks)329 void cryptonite_aes_decrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks)
330 {
331 cbc_f d = GET_CBC_DECRYPT(key->strength);
332 d(output, key, iv, input, nb_blocks);
333 }
334
cryptonite_aes_gen_ctr(aes_block * output,aes_key * key,const aes_block * iv,uint32_t nb_blocks)335 void cryptonite_aes_gen_ctr(aes_block *output, aes_key *key, const aes_block *iv, uint32_t nb_blocks)
336 {
337 aes_block block;
338
339 /* preload IV in block */
340 block128_copy(&block, iv);
341
342 for ( ; nb_blocks-- > 0; output++, block128_inc_be(&block)) {
343 cryptonite_aes_encrypt_block(output, key, &block);
344 }
345 }
346
cryptonite_aes_gen_ctr_cont(aes_block * output,aes_key * key,aes_block * iv,uint32_t nb_blocks)347 void cryptonite_aes_gen_ctr_cont(aes_block *output, aes_key *key, aes_block *iv, uint32_t nb_blocks)
348 {
349 aes_block block;
350
351 /* preload IV in block */
352 block128_copy(&block, iv);
353
354 for ( ; nb_blocks-- > 0; output++, block128_inc_be(&block)) {
355 cryptonite_aes_encrypt_block(output, key, &block);
356 }
357
358 /* copy back the IV */
359 block128_copy(iv, &block);
360 }
361
cryptonite_aes_encrypt_ctr(uint8_t * output,aes_key * key,aes_block * iv,uint8_t * input,uint32_t len)362 void cryptonite_aes_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)
363 {
364 ctr_f e = GET_CTR_ENCRYPT(key->strength);
365 e(output, key, iv, input, len);
366 }
367
cryptonite_aes_encrypt_c32(uint8_t * output,aes_key * key,aes_block * iv,uint8_t * input,uint32_t len)368 void cryptonite_aes_encrypt_c32(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)
369 {
370 ctr_f e = GET_C32_ENCRYPT(key->strength);
371 e(output, key, iv, input, len);
372 }
373
cryptonite_aes_encrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)374 void cryptonite_aes_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
375 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
376 {
377 xts_f e = GET_XTS_ENCRYPT(k1->strength);
378 e(output, k1, k2, dataunit, spoint, input, nb_blocks);
379 }
380
cryptonite_aes_decrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)381 void cryptonite_aes_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
382 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
383 {
384 cryptonite_aes_generic_decrypt_xts(output, k1, k2, dataunit, spoint, input, nb_blocks);
385 }
386
cryptonite_aes_gcm_encrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)387 void cryptonite_aes_gcm_encrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
388 {
389 gcm_crypt_f e = GET_GCM_ENCRYPT(key->strength);
390 e(output, gcm, key, input, length);
391 }
392
cryptonite_aes_gcm_decrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)393 void cryptonite_aes_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
394 {
395 gcm_crypt_f d = GET_GCM_DECRYPT(key->strength);
396 d(output, gcm, key, input, length);
397 }
398
cryptonite_aes_ccm_encrypt(uint8_t * output,aes_ccm * ccm,aes_key * key,uint8_t * input,uint32_t length)399 void cryptonite_aes_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
400 {
401 ccm_crypt_f e = GET_CCM_ENCRYPT(key->strength);
402 e(output, ccm, key, input, length);
403 }
404
cryptonite_aes_ccm_decrypt(uint8_t * output,aes_ccm * ccm,aes_key * key,uint8_t * input,uint32_t length)405 void cryptonite_aes_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
406 {
407 ccm_crypt_f d = GET_CCM_DECRYPT(key->strength);
408 d(output, ccm, key, input, length);
409 }
410
cryptonite_aes_ocb_encrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)411 void cryptonite_aes_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
412 {
413 ocb_crypt_f e = GET_OCB_ENCRYPT(key->strength);
414 e(output, ocb, key, input, length);
415 }
416
cryptonite_aes_ocb_decrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)417 void cryptonite_aes_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
418 {
419 ocb_crypt_f d = GET_OCB_DECRYPT(key->strength);
420 d(output, ocb, key, input, length);
421 }
422
gcm_ghash_add(aes_gcm * gcm,block128 * b)423 static void gcm_ghash_add(aes_gcm *gcm, block128 *b)
424 {
425 block128_xor(&gcm->tag, b);
426 cryptonite_gf_mul(&gcm->tag, gcm->htable);
427 }
428
cryptonite_aes_gcm_init(aes_gcm * gcm,aes_key * key,uint8_t * iv,uint32_t len)429 void cryptonite_aes_gcm_init(aes_gcm *gcm, aes_key *key, uint8_t *iv, uint32_t len)
430 {
431 block128 h;
432 gcm->length_aad = 0;
433 gcm->length_input = 0;
434
435 block128_zero(&h);
436 block128_zero(&gcm->tag);
437 block128_zero(&gcm->iv);
438
439 /* prepare H : encrypt_K(0^128) */
440 cryptonite_aes_encrypt_block(&h, key, &h);
441 cryptonite_hinit(gcm->htable, &h);
442
443 if (len == 12) {
444 block128_copy_bytes(&gcm->iv, iv, 12);
445 gcm->iv.b[15] = 0x01;
446 } else {
447 uint32_t origlen = len << 3;
448 int i;
449 for (; len >= 16; len -= 16, iv += 16) {
450 block128_xor(&gcm->iv, (block128 *) iv);
451 cryptonite_gf_mul(&gcm->iv, gcm->htable);
452 }
453 if (len > 0) {
454 block128_xor_bytes(&gcm->iv, iv, len);
455 cryptonite_gf_mul(&gcm->iv, gcm->htable);
456 }
457 for (i = 15; origlen; --i, origlen >>= 8)
458 gcm->iv.b[i] ^= (uint8_t) origlen;
459 cryptonite_gf_mul(&gcm->iv, gcm->htable);
460 }
461
462 block128_copy_aligned(&gcm->civ, &gcm->iv);
463 }
464
cryptonite_aes_gcm_aad(aes_gcm * gcm,uint8_t * input,uint32_t length)465 void cryptonite_aes_gcm_aad(aes_gcm *gcm, uint8_t *input, uint32_t length)
466 {
467 gcm->length_aad += length;
468 for (; length >= 16; input += 16, length -= 16) {
469 gcm_ghash_add(gcm, (block128 *) input);
470 }
471 if (length > 0) {
472 aes_block tmp;
473 block128_zero(&tmp);
474 block128_copy_bytes(&tmp, input, length);
475 gcm_ghash_add(gcm, &tmp);
476 }
477
478 }
479
cryptonite_aes_gcm_finish(uint8_t * tag,aes_gcm * gcm,aes_key * key)480 void cryptonite_aes_gcm_finish(uint8_t *tag, aes_gcm *gcm, aes_key *key)
481 {
482 aes_block lblock;
483 int i;
484
485 /* tag = (tag-1 xor (lenbits(a) | lenbits(c)) ) . H */
486 lblock.q[0] = cpu_to_be64(gcm->length_aad << 3);
487 lblock.q[1] = cpu_to_be64(gcm->length_input << 3);
488 gcm_ghash_add(gcm, &lblock);
489
490 cryptonite_aes_encrypt_block(&lblock, key, &gcm->iv);
491 block128_xor_aligned(&gcm->tag, &lblock);
492
493 for (i = 0; i < 16; i++) {
494 tag[i] = gcm->tag.b[i];
495 }
496 }
497
ccm_b0_flags(uint32_t has_adata,uint32_t m,uint32_t l)498 static inline uint8_t ccm_b0_flags(uint32_t has_adata, uint32_t m, uint32_t l)
499 {
500 return 8*m + l + (has_adata? 64: 0);
501 }
502
503 /* depends on input size */
ccm_encode_b0(block128 * output,aes_ccm * ccm,uint32_t has_adata)504 static void ccm_encode_b0(block128* output, aes_ccm* ccm, uint32_t has_adata)
505 {
506 int last = 15;
507 uint32_t m = ccm->length_M;
508 uint32_t l = ccm->length_L;
509 uint32_t msg_len = ccm->length_input;
510
511 block128_zero(output);
512 block128_copy_aligned(output, &ccm->nonce);
513 output->b[0] = ccm_b0_flags(has_adata, (m-2)/2, l-1);
514 while (msg_len > 0) {
515 output->b[last--] = msg_len & 0xff;
516 msg_len >>= 8;
517 }
518 }
519
520 /* encode adata length */
ccm_encode_la(block128 * output,uint32_t la)521 static int ccm_encode_la(block128* output, uint32_t la)
522 {
523 if (la < ( (1 << 16) - (1 << 8)) ) {
524 output->b[0] = (la >> 8) & 0xff;
525 output->b[1] = la & 0xff;
526 return 2;
527 } else {
528 output->b[0] = 0xff;
529 output->b[1] = 0xfe;
530 output->b[2] = (la >> 24) & 0xff;
531 output->b[3] = (la >> 16) & 0xff;
532 output->b[4] = (la >> 8) & 0xff;
533 output->b[5] = la & 0xff;
534 return 6;
535 }
536 }
537
ccm_encode_ctr(block128 * out,aes_ccm * ccm,unsigned int cnt)538 static void ccm_encode_ctr(block128* out, aes_ccm* ccm, unsigned int cnt)
539 {
540 int last = 15;
541 block128_copy_aligned(out, &ccm->nonce);
542 out->b[0] = ccm->length_L - 1;
543
544 while (cnt > 0) {
545 out->b[last--] = cnt & 0xff;
546 cnt >>= 8;
547 }
548 }
549
ccm_cbcmac_add(aes_ccm * ccm,aes_key * key,block128 * bi)550 static void ccm_cbcmac_add(aes_ccm* ccm, aes_key* key, block128* bi)
551 {
552 block128_xor_aligned(&ccm->xi, bi);
553 cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->xi);
554 }
555
556 /* even though it is possible to support message size as large as 2^64, we support up to 2^32 only */
cryptonite_aes_ccm_init(aes_ccm * ccm,aes_key * key,uint8_t * nonce,uint32_t nonce_len,uint32_t input_size,int m,int l)557 void cryptonite_aes_ccm_init(aes_ccm *ccm, aes_key *key, uint8_t *nonce, uint32_t nonce_len, uint32_t input_size, int m, int l)
558 {
559 memset(ccm, 0, sizeof(aes_ccm));
560
561 if (l < 2 || l > 4) return;
562 if (m != 4 && m != 6 && m != 8 && m != 10
563 && m != 12 && m != 14 && m != 16) return;
564
565 if (nonce_len > 15 - l) {
566 nonce_len = 15 - l;
567 }
568
569 if (l <= 4) {
570 if (input_size >= (1ull << (8*l))) return;
571 }
572
573 ccm->length_L = l;
574 ccm->length_M = m;
575 ccm->length_input = input_size;
576
577 memcpy(&ccm->nonce.b[1], nonce, nonce_len);
578
579 ccm_encode_b0(&ccm->b0, ccm, 1); /* assume aad is present */
580 cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);
581 }
582
583 /* even though l(a) can be as large as 2^64, we only handle aad up to 2 ^ 32 for practical reasons.
584 Also we don't support incremental aad add, because the 1st encoded adata has length information
585 */
cryptonite_aes_ccm_aad(aes_ccm * ccm,aes_key * key,uint8_t * input,uint32_t length)586 void cryptonite_aes_ccm_aad(aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
587 {
588 block128 tmp;
589
590 if (ccm->length_aad != 0) return;
591
592 ccm->length_aad = length;
593 int len_len;
594
595 block128_zero(&tmp);
596 len_len = ccm_encode_la(&tmp, length);
597
598 if (length < 16 - len_len) {
599 memcpy(&tmp.b[len_len], input, length);
600 length = 0;
601 } else {
602 memcpy(&tmp.b[len_len], input, 16 - len_len);
603 input += 16 - len_len;
604 length -= 16 - len_len;
605 }
606
607 ccm_cbcmac_add(ccm, key, &tmp);
608
609 for (; length >= 16; input += 16, length -= 16) {
610 block128_copy(&tmp, (block128*)input);
611 ccm_cbcmac_add(ccm, key, &tmp);
612
613 }
614 if (length > 0) {
615 block128_zero(&tmp);
616 block128_copy_bytes(&tmp, input, length);
617 ccm_cbcmac_add(ccm, key, &tmp);
618 }
619 block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);
620 }
621
cryptonite_aes_ccm_finish(uint8_t * tag,aes_ccm * ccm,aes_key * key)622 void cryptonite_aes_ccm_finish(uint8_t *tag, aes_ccm *ccm, aes_key *key)
623 {
624 block128 iv, s0;
625
626 block128_zero(&iv);
627 ccm_encode_ctr(&iv, ccm, 0);
628 cryptonite_aes_encrypt_block(&s0, key, &iv);
629 block128_vxor((block128*)tag, &ccm->xi, &s0);
630 }
631
ocb_block_double(block128 * d,block128 * s)632 static inline void ocb_block_double(block128 *d, block128 *s)
633 {
634 unsigned int i;
635 uint8_t tmp = s->b[0];
636
637 for (i=0; i<15; i++)
638 d->b[i] = (s->b[i] << 1) | (s->b[i+1] >> 7);
639 d->b[15] = (s->b[15] << 1) ^ ((tmp >> 7) * 0x87);
640 }
641
ocb_get_L_i(block128 * l,block128 * lis,unsigned int i)642 static void ocb_get_L_i(block128 *l, block128 *lis, unsigned int i)
643 {
644 #define L_CACHED 4
645 i = bitfn_ntz(i);
646 if (i < L_CACHED) {
647 block128_copy(l, &lis[i]);
648 } else {
649 i -= (L_CACHED - 1);
650 block128_copy(l, &lis[L_CACHED - 1]);
651 while (i--) {
652 ocb_block_double(l, l);
653 }
654 }
655 #undef L_CACHED
656 }
657
cryptonite_aes_ocb_init(aes_ocb * ocb,aes_key * key,uint8_t * iv,uint32_t len)658 void cryptonite_aes_ocb_init(aes_ocb *ocb, aes_key *key, uint8_t *iv, uint32_t len)
659 {
660 block128 tmp, nonce, ktop;
661 unsigned char stretch[24];
662 unsigned bottom, byteshift, bitshift, i;
663
664 /* we don't accept more than 15 bytes, any bytes higher will be ignored. */
665 if (len > 15) {
666 len = 15;
667 }
668
669 /* create L*, and L$,L0,L1,L2,L3 */
670 block128_zero(&tmp);
671 cryptonite_aes_encrypt_block(&ocb->lstar, key, &tmp);
672
673 ocb_block_double(&ocb->ldollar, &ocb->lstar);
674 ocb_block_double(&ocb->li[0], &ocb->ldollar);
675 ocb_block_double(&ocb->li[1], &ocb->li[0]);
676 ocb_block_double(&ocb->li[2], &ocb->li[1]);
677 ocb_block_double(&ocb->li[3], &ocb->li[2]);
678
679 /* create strech from the nonce */
680 block128_zero(&nonce);
681 memcpy(nonce.b + 4, iv, 12);
682 nonce.b[0] = (unsigned char)(((16 * 8) % 128) << 1);
683 nonce.b[16-12-1] |= 0x01;
684 bottom = nonce.b[15] & 0x3F;
685 nonce.b[15] &= 0xC0;
686 cryptonite_aes_encrypt_block(&ktop, key, &nonce);
687 memcpy(stretch, ktop.b, 16);
688
689 memcpy(tmp.b, ktop.b + 1, 8);
690 block128_xor_aligned(&tmp, &ktop);
691 memcpy(stretch + 16, tmp.b, 8);
692
693 /* initialize the encryption offset from stretch */
694 byteshift = bottom / 8;
695 bitshift = bottom % 8;
696 if (bitshift != 0)
697 for (i = 0; i < 16; i++)
698 ocb->offset_enc.b[i] = (stretch[i+byteshift] << bitshift)
699 | (stretch[i+byteshift+1] >> (8-bitshift));
700 else
701 for (i = 0; i < 16; i++)
702 ocb->offset_enc.b[i] = stretch[i+byteshift];
703 /* initialize checksum for aad and encryption, and the aad offset */
704 block128_zero(&ocb->sum_aad);
705 block128_zero(&ocb->sum_enc);
706 block128_zero(&ocb->offset_aad);
707 }
708
cryptonite_aes_ocb_aad(aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)709 void cryptonite_aes_ocb_aad(aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
710 {
711 block128 tmp;
712 unsigned int i;
713
714 for (i=1; i<= length/16; i++, input=input+16) {
715 ocb_get_L_i(&tmp, ocb->li, i);
716 block128_xor_aligned(&ocb->offset_aad, &tmp);
717
718 block128_vxor(&tmp, &ocb->offset_aad, (block128 *) input);
719 cryptonite_aes_encrypt_block(&tmp, key, &tmp);
720 block128_xor_aligned(&ocb->sum_aad, &tmp);
721 }
722
723 length = length % 16; /* Bytes in final block */
724 if (length > 0) {
725 block128_xor_aligned(&ocb->offset_aad, &ocb->lstar);
726 block128_zero(&tmp);
727 block128_copy_bytes(&tmp, input, length);
728 tmp.b[length] = 0x80;
729 block128_xor_aligned(&tmp, &ocb->offset_aad);
730 cryptonite_aes_encrypt_block(&tmp, key, &tmp);
731 block128_xor_aligned(&ocb->sum_aad, &tmp);
732 }
733 }
734
cryptonite_aes_ocb_finish(uint8_t * tag,aes_ocb * ocb,aes_key * key)735 void cryptonite_aes_ocb_finish(uint8_t *tag, aes_ocb *ocb, aes_key *key)
736 {
737 block128 tmp;
738
739 block128_vxor_aligned(&tmp, &ocb->sum_enc, &ocb->offset_enc);
740 block128_xor_aligned(&tmp, &ocb->ldollar);
741 cryptonite_aes_encrypt_block((block128 *) tag, key, &tmp);
742 block128_xor((block128 *) tag, &ocb->sum_aad);
743 }
744
cryptonite_aes_generic_encrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)745 void cryptonite_aes_generic_encrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
746 {
747 for ( ; nb_blocks-- > 0; input++, output++) {
748 cryptonite_aes_generic_encrypt_block(output, key, input);
749 }
750 }
751
cryptonite_aes_generic_decrypt_ecb(aes_block * output,aes_key * key,aes_block * input,uint32_t nb_blocks)752 void cryptonite_aes_generic_decrypt_ecb(aes_block *output, aes_key *key, aes_block *input, uint32_t nb_blocks)
753 {
754 for ( ; nb_blocks-- > 0; input++, output++) {
755 cryptonite_aes_generic_decrypt_block(output, key, input);
756 }
757 }
758
cryptonite_aes_generic_encrypt_cbc(aes_block * output,aes_key * key,aes_block * iv,aes_block * input,uint32_t nb_blocks)759 void cryptonite_aes_generic_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks)
760 {
761 aes_block block;
762
763 /* preload IV in block */
764 block128_copy(&block, iv);
765 for ( ; nb_blocks-- > 0; input++, output++) {
766 block128_xor(&block, (block128 *) input);
767 cryptonite_aes_generic_encrypt_block(&block, key, &block);
768 block128_copy((block128 *) output, &block);
769 }
770 }
771
cryptonite_aes_generic_decrypt_cbc(aes_block * output,aes_key * key,aes_block * ivini,aes_block * input,uint32_t nb_blocks)772 void cryptonite_aes_generic_decrypt_cbc(aes_block *output, aes_key *key, aes_block *ivini, aes_block *input, uint32_t nb_blocks)
773 {
774 aes_block block, blocko;
775 aes_block iv;
776
777 /* preload IV in block */
778 block128_copy(&iv, ivini);
779 for ( ; nb_blocks-- > 0; input++, output++) {
780 block128_copy(&block, (block128 *) input);
781 cryptonite_aes_generic_decrypt_block(&blocko, key, &block);
782 block128_vxor((block128 *) output, &blocko, &iv);
783 block128_copy(&iv, &block);
784 }
785 }
786
cryptonite_aes_generic_encrypt_ctr(uint8_t * output,aes_key * key,aes_block * iv,uint8_t * input,uint32_t len)787 void cryptonite_aes_generic_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)
788 {
789 aes_block block, o;
790 uint32_t nb_blocks = len / 16;
791 int i;
792
793 /* preload IV in block */
794 block128_copy(&block, iv);
795
796 for ( ; nb_blocks-- > 0; block128_inc_be(&block), output += 16, input += 16) {
797 cryptonite_aes_encrypt_block(&o, key, &block);
798 block128_vxor((block128 *) output, &o, (block128 *) input);
799 }
800
801 if ((len % 16) != 0) {
802 cryptonite_aes_encrypt_block(&o, key, &block);
803 for (i = 0; i < (len % 16); i++) {
804 *output = ((uint8_t *) &o)[i] ^ *input;
805 output++;
806 input++;
807 }
808 }
809 }
810
cryptonite_aes_generic_encrypt_c32(uint8_t * output,aes_key * key,aes_block * iv,uint8_t * input,uint32_t len)811 void cryptonite_aes_generic_encrypt_c32(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)
812 {
813 aes_block block, o;
814 uint32_t nb_blocks = len / 16;
815 int i;
816
817 /* preload IV in block */
818 block128_copy(&block, iv);
819
820 for ( ; nb_blocks-- > 0; block128_inc32_le(&block), output += 16, input += 16) {
821 cryptonite_aes_encrypt_block(&o, key, &block);
822 block128_vxor((block128 *) output, &o, (block128 *) input);
823 }
824
825 if ((len % 16) != 0) {
826 cryptonite_aes_encrypt_block(&o, key, &block);
827 for (i = 0; i < (len % 16); i++) {
828 *output = ((uint8_t *) &o)[i] ^ *input;
829 output++;
830 input++;
831 }
832 }
833 }
834
cryptonite_aes_generic_encrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)835 void cryptonite_aes_generic_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
836 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
837 {
838 aes_block block, tweak;
839
840 /* load IV and encrypt it using k2 as the tweak */
841 block128_copy(&tweak, dataunit);
842 cryptonite_aes_encrypt_block(&tweak, k2, &tweak);
843
844 /* TO OPTIMISE: this is really inefficient way to do that */
845 while (spoint-- > 0)
846 cryptonite_aes_generic_gf_mulx(&tweak);
847
848 for ( ; nb_blocks-- > 0; input++, output++, cryptonite_aes_generic_gf_mulx(&tweak)) {
849 block128_vxor(&block, input, &tweak);
850 cryptonite_aes_encrypt_block(&block, k1, &block);
851 block128_vxor(output, &block, &tweak);
852 }
853 }
854
cryptonite_aes_generic_decrypt_xts(aes_block * output,aes_key * k1,aes_key * k2,aes_block * dataunit,uint32_t spoint,aes_block * input,uint32_t nb_blocks)855 void cryptonite_aes_generic_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,
856 uint32_t spoint, aes_block *input, uint32_t nb_blocks)
857 {
858 aes_block block, tweak;
859
860 /* load IV and encrypt it using k2 as the tweak */
861 block128_copy(&tweak, dataunit);
862 cryptonite_aes_encrypt_block(&tweak, k2, &tweak);
863
864 /* TO OPTIMISE: this is really inefficient way to do that */
865 while (spoint-- > 0)
866 cryptonite_aes_generic_gf_mulx(&tweak);
867
868 for ( ; nb_blocks-- > 0; input++, output++, cryptonite_aes_generic_gf_mulx(&tweak)) {
869 block128_vxor(&block, input, &tweak);
870 cryptonite_aes_decrypt_block(&block, k1, &block);
871 block128_vxor(output, &block, &tweak);
872 }
873 }
874
cryptonite_aes_generic_gcm_encrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)875 void cryptonite_aes_generic_gcm_encrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
876 {
877 aes_block out;
878
879 gcm->length_input += length;
880 for (; length >= 16; input += 16, output += 16, length -= 16) {
881 block128_inc32_be(&gcm->civ);
882
883 cryptonite_aes_encrypt_block(&out, key, &gcm->civ);
884 block128_xor(&out, (block128 *) input);
885 gcm_ghash_add(gcm, &out);
886 block128_copy((block128 *) output, &out);
887 }
888 if (length > 0) {
889 aes_block tmp;
890 int i;
891
892 block128_inc32_be(&gcm->civ);
893 /* create e(civ) in out */
894 cryptonite_aes_encrypt_block(&out, key, &gcm->civ);
895 /* initialize a tmp as input and xor it to e(civ) */
896 block128_zero(&tmp);
897 block128_copy_bytes(&tmp, input, length);
898 block128_xor_bytes(&tmp, out.b, length);
899
900 gcm_ghash_add(gcm, &tmp);
901
902 for (i = 0; i < length; i++) {
903 output[i] = tmp.b[i];
904 }
905 }
906 }
907
cryptonite_aes_generic_gcm_decrypt(uint8_t * output,aes_gcm * gcm,aes_key * key,uint8_t * input,uint32_t length)908 void cryptonite_aes_generic_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length)
909 {
910 aes_block out;
911
912 gcm->length_input += length;
913 for (; length >= 16; input += 16, output += 16, length -= 16) {
914 block128_inc32_be(&gcm->civ);
915
916 cryptonite_aes_encrypt_block(&out, key, &gcm->civ);
917 gcm_ghash_add(gcm, (block128 *) input);
918 block128_xor(&out, (block128 *) input);
919 block128_copy((block128 *) output, &out);
920 }
921 if (length > 0) {
922 aes_block tmp;
923 int i;
924
925 block128_inc32_be(&gcm->civ);
926
927 block128_zero(&tmp);
928 block128_copy_bytes(&tmp, input, length);
929 gcm_ghash_add(gcm, &tmp);
930
931 cryptonite_aes_encrypt_block(&out, key, &gcm->civ);
932 block128_xor_bytes(&tmp, out.b, length);
933
934 for (i = 0; i < length; i++) {
935 output[i] = tmp.b[i];
936 }
937 }
938 }
939
ocb_generic_crypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length,int encrypt)940 static void ocb_generic_crypt(uint8_t *output, aes_ocb *ocb, aes_key *key,
941 uint8_t *input, uint32_t length, int encrypt)
942 {
943 block128 tmp, pad;
944 unsigned int i;
945
946 for (i = 1; i <= length/16; i++, input += 16, output += 16) {
947 /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
948 ocb_get_L_i(&tmp, ocb->li, i);
949 block128_xor_aligned(&ocb->offset_enc, &tmp);
950
951 block128_vxor(&tmp, &ocb->offset_enc, (block128 *) input);
952 if (encrypt) {
953 cryptonite_aes_encrypt_block(&tmp, key, &tmp);
954 block128_vxor((block128 *) output, &ocb->offset_enc, &tmp);
955 block128_xor(&ocb->sum_enc, (block128 *) input);
956 } else {
957 cryptonite_aes_decrypt_block(&tmp, key, &tmp);
958 block128_vxor((block128 *) output, &ocb->offset_enc, &tmp);
959 block128_xor(&ocb->sum_enc, (block128 *) output);
960 }
961 }
962
963 /* process the last partial block if any */
964 length = length % 16;
965 if (length > 0) {
966 block128_xor_aligned(&ocb->offset_enc, &ocb->lstar);
967 cryptonite_aes_encrypt_block(&pad, key, &ocb->offset_enc);
968
969 if (encrypt) {
970 block128_zero(&tmp);
971 block128_copy_bytes(&tmp, input, length);
972 tmp.b[length] = 0x80;
973 block128_xor_aligned(&ocb->sum_enc, &tmp);
974 block128_xor_aligned(&pad, &tmp);
975 memcpy(output, pad.b, length);
976 output += length;
977 } else {
978 block128_copy_aligned(&tmp, &pad);
979 block128_copy_bytes(&tmp, input, length);
980 block128_xor_aligned(&tmp, &pad);
981 tmp.b[length] = 0x80;
982 memcpy(output, tmp.b, length);
983 block128_xor_aligned(&ocb->sum_enc, &tmp);
984 input += length;
985 }
986 }
987 }
988
cryptonite_aes_generic_ccm_encrypt(uint8_t * output,aes_ccm * ccm,aes_key * key,uint8_t * input,uint32_t length)989 void cryptonite_aes_generic_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
990 {
991 block128 tmp, ctr;
992
993 /* when aad is absent, reset b0 block */
994 if (ccm->length_aad == 0) {
995 ccm_encode_b0(&ccm->b0, ccm, 0); /* assume aad is present */
996 cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);
997 block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);
998 }
999
1000 if (length != ccm->length_input) {
1001 return;
1002 }
1003
1004 ccm_encode_ctr(&ctr, ccm, 1);
1005 cryptonite_aes_encrypt_ctr(output, key, &ctr, input, length);
1006
1007 for (;length >= 16; input += 16, length -= 16) {
1008 block128_copy(&tmp, (block128*)input);
1009 ccm_cbcmac_add(ccm, key, &tmp);
1010 }
1011 if (length > 0) {
1012 block128_zero(&tmp);
1013 block128_copy_bytes(&tmp, input, length);
1014 ccm_cbcmac_add(ccm, key, &tmp);
1015 }
1016 }
1017
cryptonite_aes_generic_ccm_decrypt(uint8_t * output,aes_ccm * ccm,aes_key * key,uint8_t * input,uint32_t length)1018 void cryptonite_aes_generic_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
1019 {
1020 block128 tmp, ctr;
1021
1022 if (length != ccm->length_input) {
1023 return;
1024 }
1025
1026 /* when aad is absent, reset b0 block */
1027 if (ccm->length_aad == 0) {
1028 ccm_encode_b0(&ccm->b0, ccm, 0); /* assume aad is present */
1029 cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);
1030 block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);
1031 }
1032
1033 ccm_encode_ctr(&ctr, ccm, 1);
1034 cryptonite_aes_encrypt_ctr(output, key, &ctr, input, length);
1035 block128_copy_aligned(&ccm->xi, &ccm->header_cbcmac);
1036 input = output;
1037
1038 for (;length >= 16; input += 16, length -= 16) {
1039 block128_copy(&tmp, (block128*)input);
1040 ccm_cbcmac_add(ccm, key, &tmp);
1041 }
1042 if (length > 0) {
1043 block128_zero(&tmp);
1044 block128_copy_bytes(&tmp, input, length);
1045 ccm_cbcmac_add(ccm, key, &tmp);
1046 }
1047 }
1048
cryptonite_aes_generic_ocb_encrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)1049 void cryptonite_aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
1050 {
1051 ocb_generic_crypt(output, ocb, key, input, length, 1);
1052 }
1053
cryptonite_aes_generic_ocb_decrypt(uint8_t * output,aes_ocb * ocb,aes_key * key,uint8_t * input,uint32_t length)1054 void cryptonite_aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
1055 {
1056 ocb_generic_crypt(output, ocb, key, input, length, 0);
1057 }
1058
gf_mulx_rev(block128 * a,const block128 * h)1059 static inline void gf_mulx_rev(block128 *a, const block128 *h)
1060 {
1061 uint64_t v1 = cpu_to_le64(h->q[0]);
1062 uint64_t v0 = cpu_to_le64(h->q[1]);
1063 a->q[1] = cpu_to_be64(v1 >> 1 | v0 << 63);
1064 a->q[0] = cpu_to_be64(v0 >> 1 ^ ((0-(v1 & 1)) & 0xe100000000000000ULL));
1065 }
1066
cryptonite_aes_polyval_init(aes_polyval * ctx,const aes_block * h)1067 void cryptonite_aes_polyval_init(aes_polyval *ctx, const aes_block *h)
1068 {
1069 aes_block r;
1070
1071 /* ByteReverse(S_0) = 0 */
1072 block128_zero(&ctx->s);
1073
1074 /* ByteReverse(H) * x */
1075 gf_mulx_rev(&r, h);
1076 cryptonite_hinit(ctx->htable, &r);
1077 }
1078
cryptonite_aes_polyval_update(aes_polyval * ctx,const uint8_t * input,uint32_t length)1079 void cryptonite_aes_polyval_update(aes_polyval *ctx, const uint8_t *input, uint32_t length)
1080 {
1081 aes_block r;
1082 const uint8_t *p;
1083 uint32_t sz;
1084
1085 /* This automatically pads with zeros if input is not a multiple of the
1086 block size. */
1087 for (p = input; length > 0; p += 16, length -= sz)
1088 {
1089 sz = length < 16 ? length : 16;
1090
1091 /* ByteReverse(X_j) */
1092 block128_zero(&r);
1093 memcpy(&r, p, sz);
1094 block128_byte_reverse(&r);
1095
1096 /* ByteReverse(S_{j-1}) + ByteReverse(X_j) */
1097 block128_xor_aligned(&ctx->s, &r);
1098
1099 /* ByteReverse(S_j) */
1100 cryptonite_gf_mul(&ctx->s, ctx->htable);
1101 }
1102 }
1103
cryptonite_aes_polyval_finalize(aes_polyval * ctx,aes_block * dst)1104 void cryptonite_aes_polyval_finalize(aes_polyval *ctx, aes_block *dst)
1105 {
1106 /* S_s */
1107 block128_copy_aligned(dst, &ctx->s);
1108 block128_byte_reverse(dst);
1109 }
1110