Home | History | Annotate | Line # | Download | only in opencrypto
aesxcbcmac.c revision 1.2 
      1  1.2  christos /* $NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $ */
      2  1.1  drochner 
      3  1.1  drochner /*
      4  1.1  drochner  * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
      5  1.1  drochner  * All rights reserved.
      6  1.1  drochner  *
      7  1.1  drochner  * Redistribution and use in source and binary forms, with or without
      8  1.1  drochner  * modification, are permitted provided that the following conditions
      9  1.1  drochner  * are met:
     10  1.1  drochner  * 1. Redistributions of source code must retain the above copyright
     11  1.1  drochner  *    notice, this list of conditions and the following disclaimer.
     12  1.1  drochner  * 2. Redistributions in binary form must reproduce the above copyright
     13  1.1  drochner  *    notice, this list of conditions and the following disclaimer in the
     14  1.1  drochner  *    documentation and/or other materials provided with the distribution.
     15  1.1  drochner  * 3. Neither the name of the project nor the names of its contributors
     16  1.1  drochner  *    may be used to endorse or promote products derived from this software
     17  1.1  drochner  *    without specific prior written permission.
     18  1.1  drochner  *
     19  1.1  drochner  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     20  1.1  drochner  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     21  1.1  drochner  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     22  1.1  drochner  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     23  1.1  drochner  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     24  1.1  drochner  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     25  1.1  drochner  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     26  1.1  drochner  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     27  1.1  drochner  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     28  1.1  drochner  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     29  1.1  drochner  * SUCH DAMAGE.
     30  1.1  drochner  */
     31  1.1  drochner 
     32  1.1  drochner #include <sys/cdefs.h>
     33  1.2  christos __KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $");
     34  1.1  drochner 
     35  1.1  drochner #include <sys/param.h>
     36  1.1  drochner #include <sys/systm.h>
     37  1.1  drochner #include <crypto/rijndael/rijndael.h>
     38  1.1  drochner 
     39  1.1  drochner #include <opencrypto/aesxcbcmac.h>
     40  1.1  drochner 
     41  1.1  drochner int
     42  1.2  christos aes_xcbc_mac_init(void *vctx, const uint8_t *key, u_int16_t keylen)
     43  1.1  drochner {
     44  1.2  christos 	static const uint8_t k1seed[AES_BLOCKSIZE] =
     45  1.2  christos 	    { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 };
     46  1.2  christos 	static const uint8_t k2seed[AES_BLOCKSIZE] =
     47  1.2  christos 	    { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
     48  1.2  christos 	static const uint8_t k3seed[AES_BLOCKSIZE] =
     49  1.2  christos 	    { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
     50  1.1  drochner 	u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
     51  1.1  drochner 	aesxcbc_ctx *ctx;
     52  1.2  christos 	uint8_t k1[AES_BLOCKSIZE];
     53  1.1  drochner 
     54  1.2  christos 	ctx = vctx;
     55  1.2  christos 	memset(ctx, 0, sizeof(*ctx));
     56  1.1  drochner 
     57  1.1  drochner 	if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks, key, keylen * 8)) == 0)
     58  1.1  drochner 		return -1;
     59  1.1  drochner 	rijndaelEncrypt(r_ks, ctx->r_nr, k1seed, k1);
     60  1.1  drochner 	rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2);
     61  1.1  drochner 	rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3);
     62  1.1  drochner 	if (rijndaelKeySetupEnc(ctx->r_k1s, k1, AES_BLOCKSIZE * 8) == 0)
     63  1.1  drochner 		return -1;
     64  1.1  drochner 	if (rijndaelKeySetupEnc(ctx->r_k2s, ctx->k2, AES_BLOCKSIZE * 8) == 0)
     65  1.1  drochner 		return -1;
     66  1.1  drochner 	if (rijndaelKeySetupEnc(ctx->r_k3s, ctx->k3, AES_BLOCKSIZE * 8) == 0)
     67  1.1  drochner 		return -1;
     68  1.1  drochner 
     69  1.1  drochner 	return 0;
     70  1.1  drochner }
     71  1.1  drochner 
     72  1.1  drochner int
     73  1.2  christos aes_xcbc_mac_loop(void *vctx, const uint8_t *addr, u_int16_t len)
     74  1.1  drochner {
     75  1.2  christos 	uint8_t buf[AES_BLOCKSIZE];
     76  1.1  drochner 	aesxcbc_ctx *ctx;
     77  1.2  christos 	const uint8_t *ep;
     78  1.1  drochner 	int i;
     79  1.1  drochner 
     80  1.2  christos 	ctx = vctx;
     81  1.1  drochner 	ep = addr + len;
     82  1.1  drochner 
     83  1.1  drochner 	if (ctx->buflen == sizeof(ctx->buf)) {
     84  1.1  drochner 		for (i = 0; i < sizeof(ctx->e); i++)
     85  1.1  drochner 			ctx->buf[i] ^= ctx->e[i];
     86  1.1  drochner 		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
     87  1.1  drochner 		ctx->buflen = 0;
     88  1.1  drochner 	}
     89  1.1  drochner 	if (ctx->buflen + len < sizeof(ctx->buf)) {
     90  1.1  drochner 		memcpy(ctx->buf + ctx->buflen, addr, len);
     91  1.1  drochner 		ctx->buflen += len;
     92  1.1  drochner 		return 0;
     93  1.1  drochner 	}
     94  1.1  drochner 	if (ctx->buflen && ctx->buflen + len > sizeof(ctx->buf)) {
     95  1.1  drochner 		memcpy(ctx->buf + ctx->buflen, addr,
     96  1.1  drochner 		    sizeof(ctx->buf) - ctx->buflen);
     97  1.1  drochner 		for (i = 0; i < sizeof(ctx->e); i++)
     98  1.1  drochner 			ctx->buf[i] ^= ctx->e[i];
     99  1.1  drochner 		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
    100  1.1  drochner 		addr += sizeof(ctx->buf) - ctx->buflen;
    101  1.1  drochner 		ctx->buflen = 0;
    102  1.1  drochner 	}
    103  1.1  drochner 	/* due to the special processing for M[n], "=" case is not included */
    104  1.2  christos 	while (ep - addr > AES_BLOCKSIZE) {
    105  1.1  drochner 		memcpy(buf, addr, AES_BLOCKSIZE);
    106  1.1  drochner 		for (i = 0; i < sizeof(buf); i++)
    107  1.1  drochner 			buf[i] ^= ctx->e[i];
    108  1.1  drochner 		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e);
    109  1.1  drochner 		addr += AES_BLOCKSIZE;
    110  1.1  drochner 	}
    111  1.1  drochner 	if (addr < ep) {
    112  1.1  drochner 		memcpy(ctx->buf + ctx->buflen, addr, ep - addr);
    113  1.1  drochner 		ctx->buflen += ep - addr;
    114  1.1  drochner 	}
    115  1.1  drochner 	return 0;
    116  1.1  drochner }
    117  1.1  drochner 
    118  1.1  drochner void
    119  1.2  christos aes_xcbc_mac_result(uint8_t *addr, void *vctx)
    120  1.1  drochner {
    121  1.2  christos 	uint8_t digest[AES_BLOCKSIZE];
    122  1.1  drochner 	aesxcbc_ctx *ctx;
    123  1.1  drochner 	int i;
    124  1.1  drochner 
    125  1.2  christos 	ctx = vctx;
    126  1.1  drochner 
    127  1.1  drochner 	if (ctx->buflen == sizeof(ctx->buf)) {
    128  1.1  drochner 		for (i = 0; i < sizeof(ctx->buf); i++) {
    129  1.1  drochner 			ctx->buf[i] ^= ctx->e[i];
    130  1.1  drochner 			ctx->buf[i] ^= ctx->k2[i];
    131  1.1  drochner 		}
    132  1.1  drochner 		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
    133  1.1  drochner 	} else {
    134  1.1  drochner 		for (i = ctx->buflen; i < sizeof(ctx->buf); i++)
    135  1.1  drochner 			ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00;
    136  1.1  drochner 		for (i = 0; i < sizeof(ctx->buf); i++) {
    137  1.1  drochner 			ctx->buf[i] ^= ctx->e[i];
    138  1.1  drochner 			ctx->buf[i] ^= ctx->k3[i];
    139  1.1  drochner 		}
    140  1.1  drochner 		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
    141  1.1  drochner 	}
    142  1.1  drochner 
    143  1.1  drochner 	memcpy(addr, digest, sizeof(digest));
    144  1.1  drochner }
    145