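/*	$NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: aesxcbcmac.c,v 1.2 2016/09/26 14:50:54 christos Exp $");

#include <sys/param.h>
#include <sys/systm.h>
#include <crypto/rijndael/rijndael.h>

#include <opencrypto/aesxcbcmac.h>

/*
 * Initialise an AES-XCBC-MAC context (construction of RFC 3566).
 *
 * The caller's key is used only to encrypt three constant blocks
 * (0x01.., 0x02.., 0x03..), giving K1, K2 and K3.  K1 becomes the block
 * cipher key for the CBC chain; K2 and K3 are kept as raw blocks and are
 * XORed into the final block by aes_xcbc_mac_result().
 *
 * vctx   - storage for an aesxcbc_ctx; it is cleared before use.
 * key    - MAC key.
 * keylen - key length in bytes.
 *
 * Returns 0 on success, -1 if a key schedule could not be set up.
 *
 * NOTE(review): ctx->r_nr is the round count returned for the caller's key,
 * but it is later passed together with the K1 schedule, which is always set
 * up for a 128-bit key.  The two only agree when keylen is 16, which is the
 * only key size RFC 3566 defines; other lengths that rijndaelKeySetupEnc()
 * accepts are not rejected here -- confirm that callers enforce keylen == 16.
 *
 * NOTE(review): r_k2s and r_k3s are filled in but not read by any function
 * in this file.
 */
int
aes_xcbc_mac_init(void *vctx, const uint8_t *key, u_int16_t keylen)
{
	static const uint8_t k1seed[AES_BLOCKSIZE] =
	    { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 };
	static const uint8_t k2seed[AES_BLOCKSIZE] =
	    { 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
	static const uint8_t k3seed[AES_BLOCKSIZE] =
	    { 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
	u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
	aesxcbc_ctx *ctx;
	uint8_t k1[AES_BLOCKSIZE];
	int error = -1;

	ctx = vctx;
	memset(ctx, 0, sizeof(*ctx));

	if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks, key, keylen * 8)) == 0)
		goto out;
	rijndaelEncrypt(r_ks, ctx->r_nr, k1seed, k1);
	rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2);
	rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3);
	if (rijndaelKeySetupEnc(ctx->r_k1s, k1, AES_BLOCKSIZE * 8) == 0)
		goto out;
	if (rijndaelKeySetupEnc(ctx->r_k2s, ctx->k2, AES_BLOCKSIZE * 8) == 0)
		goto out;
	if (rijndaelKeySetupEnc(ctx->r_k3s, ctx->k3, AES_BLOCKSIZE * 8) == 0)
		goto out;

	error = 0;
out:
	/*
	 * The expanded caller key and K1 are key material; do not leave
	 * them behind on the stack.  explicit_memset() is used so that the
	 * stores are not removed as dead writes.
	 */
	explicit_memset(r_ks, 0, sizeof(r_ks));
	explicit_memset(k1, 0, sizeof(k1));
	/* A context we report as unusable should not keep derived subkeys. */
	if (error != 0)
		explicit_memset(ctx, 0, sizeof(*ctx));
	return error;
}

/*
 * Absorb `len' bytes at `addr' into the MAC state.
 *
 * ctx->e is the running CBC value: each complete block is XORed with it
 * and encrypted under K1, and the result replaces it.  The last block seen
 * so far (1 to AES_BLOCKSIZE bytes) is never encrypted here; it is held in
 * ctx->buf, because aes_xcbc_mac_result() has to treat the final block of
 * the message specially.  A held-back full block is flushed at the start of
 * the next call, once it is known that more data follows.
 *
 * Always returns 0.
 */
int
aes_xcbc_mac_loop(void *vctx, const uint8_t *addr, u_int16_t len)
{
	uint8_t buf[AES_BLOCKSIZE];
	aesxcbc_ctx *ctx;
	const uint8_t *ep;
	int i;

	ctx = vctx;

	/*
	 * An empty update carries no data, so it must not flush a held-back
	 * full block: that block may still be the last one of the message.
	 * Without this check, a zero-length call after a block-aligned
	 * message made aes_xcbc_mac_result() take the padded/K3 path on an
	 * empty buffer and produce a different (wrong) tag.
	 */
	if (len == 0)
		return 0;

	ep = addr + len;

	/* More data follows, so the held-back full block is not the last. */
	if (ctx->buflen == sizeof(ctx->buf)) {
		for (i = 0; i < sizeof(ctx->e); i++)
			ctx->buf[i] ^= ctx->e[i];
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
		ctx->buflen = 0;
	}
	/* Still less than one block in total: just accumulate. */
	if (ctx->buflen + len < sizeof(ctx->buf)) {
		memcpy(ctx->buf + ctx->buflen, addr, len);
		ctx->buflen += len;
		return 0;
	}
	/*
	 * Partial block pending and the new data overflows it: complete the
	 * block and encrypt it.  At least one input byte remains afterwards,
	 * so this block cannot be the final one.
	 */
	if (ctx->buflen && ctx->buflen + len > sizeof(ctx->buf)) {
		memcpy(ctx->buf + ctx->buflen, addr,
		    sizeof(ctx->buf) - ctx->buflen);
		for (i = 0; i < sizeof(ctx->e); i++)
			ctx->buf[i] ^= ctx->e[i];
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
		addr += sizeof(ctx->buf) - ctx->buflen;
		ctx->buflen = 0;
	}
	/* due to the special processing for M[n], "=" case is not included */
	while (ep - addr > AES_BLOCKSIZE) {
		memcpy(buf, addr, AES_BLOCKSIZE);
		for (i = 0; i < sizeof(buf); i++)
			buf[i] ^= ctx->e[i];
		rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e);
		addr += AES_BLOCKSIZE;
	}
	/* Hold back the tail (1..AES_BLOCKSIZE bytes) for the next call. */
	if (addr < ep) {
		memcpy(ctx->buf + ctx->buflen, addr, ep - addr);
		ctx->buflen += ep - addr;
	}
	return 0;
}

/*
 * Finish the MAC and write the full AES_BLOCKSIZE-byte tag to `addr'.
 *
 * If the held-back block is complete it is XORed with the chaining value
 * and K2.  Otherwise (including an empty buffer) it is padded with a single
 * 0x80 byte followed by zeros and XORed with the chaining value and K3.
 * Either way the result is encrypted under K1 to give the tag.
 *
 * ctx->buf is modified in place, so the context cannot be used for further
 * updates after this call.
 *
 * NOTE(review): the context is not cleared here and still holds the K1
 * schedule, K2 and K3 on return; wiping it is left to the caller.  Any
 * truncation of the tag is also left to the caller.
 */
void
aes_xcbc_mac_result(uint8_t *addr, void *vctx)
{
	uint8_t digest[AES_BLOCKSIZE];
	aesxcbc_ctx *ctx;
	const uint8_t *lastkey;
	int i;

	ctx = vctx;

	if (ctx->buflen == sizeof(ctx->buf)) {
		/* Complete final block: no padding, mask with K2. */
		lastkey = ctx->k2;
	} else {
		/* Short (or empty) final block: pad 0x80 00.., mask with K3. */
		for (i = ctx->buflen; i < sizeof(ctx->buf); i++)
			ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00;
		lastkey = ctx->k3;
	}

	for (i = 0; i < sizeof(ctx->buf); i++) {
		ctx->buf[i] ^= ctx->e[i];
		ctx->buf[i] ^= lastkey[i];
	}
	rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);

	memcpy(addr, digest, sizeof(digest));
}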