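/*	$NetBSD: aesxcbcmac.c,v 1.1 2011/05/24 19:10:08 drochner Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.1 2011/05/24 19:10:08 drochner Exp $");

#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/rijndael/rijndael.h>

#include <opencrypto/aesxcbcmac.h>

/*
 * Overwrite n bytes at p with zeros.  The stores go through a volatile
 * pointer so that the compiler does not drop them as dead writes to a
 * buffer that is about to go out of scope.
 */
static void
aesxcbc_wipe(void *p, size_t n)
{
	volatile u_int8_t *vp = p;

	while (n-- > 0)
		*vp++ = 0;
}

/*
 * Initialise an AES-XCBC-MAC context from the caller's key.
 *
 * The context is cleared, then three subkeys are derived by encrypting the
 * constant blocks 0x01.., 0x02.. and 0x03.. under the caller's key: K1 is
 * expanded into ctx->r_k1s and keys the CBC chain, K2 and K3 are kept in
 * ctx->k2 / ctx->k3 and are XORed into the last block by
 * aes_xcbc_mac_result().  (ctx->r_k2s and ctx->r_k3s are also expanded
 * here; none of the functions in this file reads them.)
 *
 * vctx   - storage for an aesxcbc_ctx
 * key    - key bytes
 * keylen - key length in bytes
 *
 * Returns 0 on success, -1 if rijndaelKeySetupEnc() rejects a key.
 *
 * The context holds key material after this call; wiping it when the MAC
 * is finished is left to the caller.
 */
int
aes_xcbc_mac_init(void *vctx, const u_int8_t *key, u_int16_t keylen)
{
	u_int8_t k1seed[AES_BLOCKSIZE] = { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 };
	u_int8_t k2seed[AES_BLOCKSIZE] = { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
	u_int8_t k3seed[AES_BLOCKSIZE] = { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
	u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
	aesxcbc_ctx *ctx;
	u_int8_t k1[AES_BLOCKSIZE];
	int error = -1;

	ctx = (aesxcbc_ctx *)vctx;
	memset(ctx, 0, sizeof(aesxcbc_ctx));

	/*
	 * ctx->r_nr is the round count returned for the caller's key, but
	 * it is later passed to rijndaelEncrypt() together with r_k1s, which
	 * is always expanded from a 128-bit K1 below.
	 * NOTE(review): for a 24- or 32-byte key the two appear not to
	 * match; RFC 3566 defines this MAC for 128-bit keys only.  Confirm
	 * that every caller passes keylen == 16.
	 */
	if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks, key, keylen * 8)) == 0)
		goto out;
	rijndaelEncrypt(r_ks, ctx->r_nr, k1seed, k1);
	rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2);
	rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3);
	if (rijndaelKeySetupEnc(ctx->r_k1s, k1, AES_BLOCKSIZE * 8) == 0)
		goto out;
	if (rijndaelKeySetupEnc(ctx->r_k2s, ctx->k2, AES_BLOCKSIZE * 8) == 0)
		goto out;
	if (rijndaelKeySetupEnc(ctx->r_k3s, ctx->k3, AES_BLOCKSIZE * 8) == 0)
		goto out;

	error = 0;
out:
	/*
	 * The expanded caller key and K1 are only needed during setup; do
	 * not leave copies of them behind on the stack, on any exit path.
	 */
	aesxcbc_wipe(r_ks, sizeof(r_ks));
	aesxcbc_wipe(k1, sizeof(k1));
	return error;
}

/*
 * Feed len bytes at addr into the MAC.
 *
 * Complete blocks are chained as E = AES_K1(block XOR E).  The most recent
 * block, even when it is complete, is held back in ctx->buf, because
 * aes_xcbc_mac_result() treats the last block differently; a held-back
 * full block is only chained once further data arrives.
 *
 * Always returns 0.  len is a u_int16_t, so one call accepts at most
 * 65535 bytes; longer input has to be split by the caller.
 */
int
aes_xcbc_mac_loop(void *vctx, const u_int8_t *addr, u_int16_t len)
{
	u_int8_t buf[AES_BLOCKSIZE];
	aesxcbc_ctx *ctx;
	const u_int8_t *ep;
	size_t i;

	ctx = (aesxcbc_ctx *)vctx;

	/*
	 * An empty update must not flush a held-back full block: that block
	 * may still be the last one, and chaining it here as an ordinary
	 * block would make aes_xcbc_mac_result() finish with the padded-
	 * empty-block/K3 case and return a wrong tag.
	 */
	if (len == 0)
		return 0;

	ep = addr + len;

	/* More data has arrived, so the held-back block was not the last. */
	if (ctx->buflen == sizeof(ctx->buf)) {
		for (i = 0; i < sizeof(ctx->e); i++)
			ctx->buf[i] ^= ctx->e[i];
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
		ctx->buflen = 0;
	}
	/* Still less than one block in total: just accumulate. */
	if (ctx->buflen + len < sizeof(ctx->buf)) {
		memcpy(ctx->buf + ctx->buflen, addr, len);
		ctx->buflen += len;
		return 0;
	}
	/* Top up a partial block and chain it; more input follows it. */
	if (ctx->buflen && ctx->buflen + len > sizeof(ctx->buf)) {
		memcpy(ctx->buf + ctx->buflen, addr,
		    sizeof(ctx->buf) - ctx->buflen);
		for (i = 0; i < sizeof(ctx->e); i++)
			ctx->buf[i] ^= ctx->e[i];
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
		addr += sizeof(ctx->buf) - ctx->buflen;
		ctx->buflen = 0;
	}
	/*
	 * due to the special processing for M[n], "=" case is not included.
	 * The bound is expressed as the number of bytes left, so that no
	 * pointer past the end of the input is ever formed.
	 */
	while ((size_t)(ep - addr) > AES_BLOCKSIZE) {
		memcpy(buf, addr, AES_BLOCKSIZE);
		for (i = 0; i < sizeof(buf); i++)
			buf[i] ^= ctx->e[i];
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e);
		addr += AES_BLOCKSIZE;
	}
	/* Hold back the remaining 1..AES_BLOCKSIZE bytes. */
	if (addr < ep) {
		memcpy(ctx->buf + ctx->buflen, addr, ep - addr);
		ctx->buflen += ep - addr;
	}
	return 0;
}

/*
 * Finish the MAC and write the tag to addr.
 *
 * A complete last block is XORed with the chaining value and K2.  A short
 * (or empty) last block is first padded with 0x80 followed by zero bytes
 * and is XORed with the chaining value and K3.  The result is encrypted
 * with K1.
 *
 * addr must have room for AES_BLOCKSIZE bytes; the full block is always
 * written, and any truncation of the tag is up to the caller.  ctx->buf is
 * modified in place, so the context has to be set up again with
 * aes_xcbc_mac_init() before it is used for another message.
 */
void
aes_xcbc_mac_result(u_int8_t *addr, void *vctx)
{
	u_char digest[AES_BLOCKSIZE];
	aesxcbc_ctx *ctx;
	size_t i;

	ctx = (aesxcbc_ctx *)vctx;

	if (ctx->buflen == sizeof(ctx->buf)) {
		for (i = 0; i < sizeof(ctx->buf); i++) {
			ctx->buf[i] ^= ctx->e[i];
			ctx->buf[i] ^= ctx->k2[i];
		}
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
	} else {
		/* 10* padding: one 0x80 byte, then zeros to the block end. */
		for (i = ctx->buflen; i < sizeof(ctx->buf); i++)
			ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00;
		for (i = 0; i < sizeof(ctx->buf); i++) {
			ctx->buf[i] ^= ctx->e[i];
			ctx->buf[i] ^= ctx->k3[i];
		}
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
	}

	memcpy(addr, digest, sizeof(digest));
}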