Home | History | Annotate | Download | only in crypto 
      1 /*
      2  * AES SIV (RFC 5297)
      3  * Copyright (c) 2013 Cozybit, Inc.
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "aes.h"
     13 #include "aes_wrap.h"
     14 #include "aes_siv.h"
     15 
     16 
     17 static const u8 zero[AES_BLOCK_SIZE];
     18 
     19 
     20 static void dbl(u8 *pad)
     21 {
     22 	int i, carry;
     23 
     24 	carry = pad[0] & 0x80;
     25 	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
     26 		pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
     27 	pad[AES_BLOCK_SIZE - 1] <<= 1;
     28 	if (carry)
     29 		pad[AES_BLOCK_SIZE - 1] ^= 0x87;
     30 }
     31 
     32 
     33 static void xor(u8 *a, const u8 *b)
     34 {
     35 	int i;
     36 
     37 	for (i = 0; i < AES_BLOCK_SIZE; i++)
     38 		*a++ ^= *b++;
     39 }
     40 
     41 
     42 static void xorend(u8 *a, int alen, const u8 *b, int blen)
     43 {
     44 	int i;
     45 
     46 	if (alen < blen)
     47 		return;
     48 
     49 	for (i = 0; i < blen; i++)
     50 		a[alen - blen + i] ^= b[i];
     51 }
     52 
     53 
     54 static void pad_block(u8 *pad, const u8 *addr, size_t len)
     55 {
     56 	os_memset(pad, 0, AES_BLOCK_SIZE);
     57 	os_memcpy(pad, addr, len);
     58 
     59 	if (len < AES_BLOCK_SIZE)
     60 		pad[len] = 0x80;
     61 }
     62 
     63 
     64 static int aes_s2v(const u8 *key, size_t key_len,
     65 		   size_t num_elem, const u8 *addr[], size_t *len, u8 *mac)
     66 {
     67 	u8 tmp[AES_BLOCK_SIZE], tmp2[AES_BLOCK_SIZE];
     68 	u8 *buf = NULL;
     69 	int ret;
     70 	size_t i;
     71 	const u8 *data[1];
     72 	size_t data_len[1];
     73 
     74 	if (!num_elem) {
     75 		os_memcpy(tmp, zero, sizeof(zero));
     76 		tmp[AES_BLOCK_SIZE - 1] = 1;
     77 		data[0] = tmp;
     78 		data_len[0] = sizeof(tmp);
     79 		return omac1_aes_vector(key, key_len, 1, data, data_len, mac);
     80 	}
     81 
     82 	data[0] = zero;
     83 	data_len[0] = sizeof(zero);
     84 	ret = omac1_aes_vector(key, key_len, 1, data, data_len, tmp);
     85 	if (ret)
     86 		return ret;
     87 
     88 	for (i = 0; i < num_elem - 1; i++) {
     89 		ret = omac1_aes_vector(key, key_len, 1, &addr[i], &len[i],
     90 				       tmp2);
     91 		if (ret)
     92 			return ret;
     93 
     94 		dbl(tmp);
     95 		xor(tmp, tmp2);
     96 	}
     97 	if (len[i] >= AES_BLOCK_SIZE) {
     98 		buf = os_malloc(len[i]);
     99 		if (!buf)
    100 			return -ENOMEM;
    101 
    102 		os_memcpy(buf, addr[i], len[i]);
    103 		xorend(buf, len[i], tmp, AES_BLOCK_SIZE);
    104 		data[0] = buf;
    105 		ret = omac1_aes_vector(key, key_len, 1, data, &len[i], mac);
    106 		bin_clear_free(buf, len[i]);
    107 		return ret;
    108 	}
    109 
    110 	dbl(tmp);
    111 	pad_block(tmp2, addr[i], len[i]);
    112 	xor(tmp, tmp2);
    113 
    114 	data[0] = tmp;
    115 	data_len[0] = sizeof(tmp);
    116 	return omac1_aes_vector(key, key_len, 1, data, data_len, mac);
    117 }
    118 
    119 
    120 int aes_siv_encrypt(const u8 *key, size_t key_len,
    121 		    const u8 *pw, size_t pwlen,
    122 		    size_t num_elem, const u8 *addr[], const size_t *len,
    123 		    u8 *out)
    124 {
    125 	const u8 *_addr[6];
    126 	size_t _len[6];
    127 	const u8 *k1, *k2;
    128 	u8 v[AES_BLOCK_SIZE];
    129 	size_t i;
    130 	u8 *iv, *crypt_pw;
    131 
    132 	if (num_elem > ARRAY_SIZE(_addr) - 1 ||
    133 	    (key_len != 32 && key_len != 48 && key_len != 64))
    134 		return -1;
    135 
    136 	key_len /= 2;
    137 	k1 = key;
    138 	k2 = key + key_len;
    139 
    140 	for (i = 0; i < num_elem; i++) {
    141 		_addr[i] = addr[i];
    142 		_len[i] = len[i];
    143 	}
    144 	_addr[num_elem] = pw;
    145 	_len[num_elem] = pwlen;
    146 
    147 	if (aes_s2v(k1, key_len, num_elem + 1, _addr, _len, v))
    148 		return -1;
    149 
    150 	iv = out;
    151 	crypt_pw = out + AES_BLOCK_SIZE;
    152 
    153 	os_memcpy(iv, v, AES_BLOCK_SIZE);
    154 	os_memcpy(crypt_pw, pw, pwlen);
    155 
    156 	/* zero out 63rd and 31st bits of ctr (from right) */
    157 	v[8] &= 0x7f;
    158 	v[12] &= 0x7f;
    159 	return aes_ctr_encrypt(k2, key_len, v, crypt_pw, pwlen);
    160 }
    161 
    162 
    163 int aes_siv_decrypt(const u8 *key, size_t key_len,
    164 		    const u8 *iv_crypt, size_t iv_c_len,
    165 		    size_t num_elem, const u8 *addr[], const size_t *len,
    166 		    u8 *out)
    167 {
    168 	const u8 *_addr[6];
    169 	size_t _len[6];
    170 	const u8 *k1, *k2;
    171 	size_t crypt_len;
    172 	size_t i;
    173 	int ret;
    174 	u8 iv[AES_BLOCK_SIZE];
    175 	u8 check[AES_BLOCK_SIZE];
    176 
    177 	if (iv_c_len < AES_BLOCK_SIZE || num_elem > ARRAY_SIZE(_addr) - 1 ||
    178 	    (key_len != 32 && key_len != 48 && key_len != 64))
    179 		return -1;
    180 	crypt_len = iv_c_len - AES_BLOCK_SIZE;
    181 	key_len /= 2;
    182 	k1 = key;
    183 	k2 = key + key_len;
    184 
    185 	for (i = 0; i < num_elem; i++) {
    186 		_addr[i] = addr[i];
    187 		_len[i] = len[i];
    188 	}
    189 	_addr[num_elem] = out;
    190 	_len[num_elem] = crypt_len;
    191 
    192 	os_memcpy(iv, iv_crypt, AES_BLOCK_SIZE);
    193 	os_memcpy(out, iv_crypt + AES_BLOCK_SIZE, crypt_len);
    194 
    195 	iv[8] &= 0x7f;
    196 	iv[12] &= 0x7f;
    197 
    198 	ret = aes_ctr_encrypt(k2, key_len, iv, out, crypt_len);
    199 	if (ret)
    200 		return ret;
    201 
    202 	ret = aes_s2v(k1, key_len, num_elem + 1, _addr, _len, check);
    203 	if (ret)
    204 		return ret;
    205 	if (os_memcmp(check, iv_crypt, AES_BLOCK_SIZE) == 0)
    206 		return 0;
    207 
    208 	return -1;
    209 }
    210