723d87648e
Add a 'native_blocksize' member to 'struct enc_xform' that ciphers can use if they support a partial final block. This is particular useful for stream ciphers, but can also apply to other ciphers. cryptosoft will only pass in native blocks to the encrypt and decrypt hooks. For the final partial block, 'struct enc_xform' now has new encrypt_last/decrypt_last hooks which accept the length of the final block. The multi_block methods are also retired. Mark AES-ICM (AES-CTR) as a stream cipher. This has some interesting effects on IPsec in that FreeBSD can now properly receive all packets sent by Linux when using AES-CTR, but FreeBSD can no longer interoperate with OpenBSD and older verisons of FreeBSD which assume AES-CTR packets have a payload padded to a 16-byte boundary. Kornel has offered to work on a patch to add a compatiblity sysctl to enforce additional padding for AES-CTR in esp_output to permit compatibility with OpenBSD and older versions of FreeBSD. AES-XTS continues to use a block size of a single AES block length. It is possible to adjust it to support partial final blocks by implementing cipher text stealing via encrypt_last/decrypt_last hooks, but I have not done so. Reviewed by: cem (earlier version) Tested by: Kornel Dulęba <mindal@semihalf.com> (AES-CTR with IPsec) Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24906
195 lines
5.3 KiB
C
195 lines
5.3 KiB
C
/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */
|
|
/*-
|
|
* The authors of this code are John Ioannidis (ji@tla.org),
|
|
* Angelos D. Keromytis (kermit@csd.uch.gr),
|
|
* Niels Provos (provos@physnet.uni-hamburg.de) and
|
|
* Damien Miller (djm@mindrot.org).
|
|
*
|
|
* This code was written by John Ioannidis for BSD/OS in Athens, Greece,
|
|
* in November 1995.
|
|
*
|
|
* Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
|
|
* by Angelos D. Keromytis.
|
|
*
|
|
* Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
|
|
* and Niels Provos.
|
|
*
|
|
* Additional features in 1999 by Angelos D. Keromytis.
|
|
*
|
|
* AES XTS implementation in 2008 by Damien Miller
|
|
*
|
|
* Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
|
|
* Angelos D. Keromytis and Niels Provos.
|
|
*
|
|
* Copyright (C) 2001, Angelos D. Keromytis.
|
|
*
|
|
* Copyright (C) 2008, Damien Miller
|
|
* Copyright (c) 2014 The FreeBSD Foundation
|
|
* All rights reserved.
|
|
*
|
|
* Portions of this software were developed by John-Mark Gurney
|
|
* under sponsorship of the FreeBSD Foundation and
|
|
* Rubicon Communications, LLC (Netgate).
|
|
*
|
|
* Permission to use, copy, and modify this software with or without fee
|
|
* is hereby granted, provided that this entire notice is included in
|
|
* all copies of any software which is or includes a copy or
|
|
* modification of this software.
|
|
* You may use this code under the GNU public license if you so wish. Please
|
|
* contribute changes back to the authors under this freer than GPL license
|
|
* so that we may further the use of strong encryption without limitations to
|
|
* all.
|
|
*
|
|
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
|
|
* IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
|
|
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
|
|
* MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
|
|
* PURPOSE.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
#include <opencrypto/xform_enc.h>
|
|
|
|
static int aes_icm_setkey(void *, const uint8_t *, int);
|
|
static void aes_icm_crypt(void *, const uint8_t *, uint8_t *);
|
|
static void aes_icm_crypt_last(void *, const uint8_t *, uint8_t *, size_t);
|
|
static void aes_icm_reinit(void *, const uint8_t *);
|
|
static void aes_gcm_reinit(void *, const uint8_t *);
|
|
static void aes_ccm_reinit(void *, const uint8_t *);
|
|
|
|
/* Encryption instances */
|
|
struct enc_xform enc_xform_aes_icm = {
|
|
.type = CRYPTO_AES_ICM,
|
|
.name = "AES-ICM",
|
|
.ctxsize = sizeof(struct aes_icm_ctx),
|
|
.blocksize = 1,
|
|
.native_blocksize = AES_BLOCK_LEN,
|
|
.ivsize = AES_BLOCK_LEN,
|
|
.minkey = AES_MIN_KEY,
|
|
.maxkey = AES_MAX_KEY,
|
|
.encrypt = aes_icm_crypt,
|
|
.decrypt = aes_icm_crypt,
|
|
.setkey = aes_icm_setkey,
|
|
.reinit = aes_icm_reinit,
|
|
.encrypt_last = aes_icm_crypt_last,
|
|
.decrypt_last = aes_icm_crypt_last,
|
|
};
|
|
|
|
struct enc_xform enc_xform_aes_nist_gcm = {
|
|
.type = CRYPTO_AES_NIST_GCM_16,
|
|
.name = "AES-GCM",
|
|
.ctxsize = sizeof(struct aes_icm_ctx),
|
|
.blocksize = 1,
|
|
.native_blocksize = AES_BLOCK_LEN,
|
|
.ivsize = AES_GCM_IV_LEN,
|
|
.minkey = AES_MIN_KEY,
|
|
.maxkey = AES_MAX_KEY,
|
|
.encrypt = aes_icm_crypt,
|
|
.decrypt = aes_icm_crypt,
|
|
.setkey = aes_icm_setkey,
|
|
.reinit = aes_gcm_reinit,
|
|
.encrypt_last = aes_icm_crypt_last,
|
|
.decrypt_last = aes_icm_crypt_last,
|
|
};
|
|
|
|
struct enc_xform enc_xform_ccm = {
|
|
.type = CRYPTO_AES_CCM_16,
|
|
.name = "AES-CCM",
|
|
.ctxsize = sizeof(struct aes_icm_ctx),
|
|
.blocksize = 1,
|
|
.native_blocksize = AES_BLOCK_LEN,
|
|
.ivsize = AES_CCM_IV_LEN,
|
|
.minkey = AES_MIN_KEY, .maxkey = AES_MAX_KEY,
|
|
.encrypt = aes_icm_crypt,
|
|
.decrypt = aes_icm_crypt,
|
|
.setkey = aes_icm_setkey,
|
|
.reinit = aes_ccm_reinit,
|
|
.encrypt_last = aes_icm_crypt_last,
|
|
.decrypt_last = aes_icm_crypt_last,
|
|
};
|
|
|
|
/*
|
|
* Encryption wrapper routines.
|
|
*/
|
|
static void
|
|
aes_icm_reinit(void *key, const uint8_t *iv)
|
|
{
|
|
struct aes_icm_ctx *ctx;
|
|
|
|
ctx = key;
|
|
bcopy(iv, ctx->ac_block, AESICM_BLOCKSIZE);
|
|
}
|
|
|
|
static void
|
|
aes_gcm_reinit(void *key, const uint8_t *iv)
|
|
{
|
|
struct aes_icm_ctx *ctx;
|
|
|
|
aes_icm_reinit(key, iv);
|
|
|
|
ctx = key;
|
|
/* GCM starts with 2 as counter 1 is used for final xor of tag. */
|
|
bzero(&ctx->ac_block[AESICM_BLOCKSIZE - 4], 4);
|
|
ctx->ac_block[AESICM_BLOCKSIZE - 1] = 2;
|
|
}
|
|
|
|
static void
|
|
aes_ccm_reinit(void *key, const uint8_t *iv)
|
|
{
|
|
struct aes_icm_ctx *ctx;
|
|
|
|
ctx = key;
|
|
|
|
/* CCM has flags, then the IV, then the counter, which starts at 1 */
|
|
bzero(ctx->ac_block, sizeof(ctx->ac_block));
|
|
/* 3 bytes for length field; this gives a nonce of 12 bytes */
|
|
ctx->ac_block[0] = (15 - AES_CCM_IV_LEN) - 1;
|
|
bcopy(iv, ctx->ac_block+1, AES_CCM_IV_LEN);
|
|
ctx->ac_block[AESICM_BLOCKSIZE - 1] = 1;
|
|
}
|
|
|
|
static void
|
|
aes_icm_crypt(void *key, const uint8_t *in, uint8_t *out)
|
|
{
|
|
struct aes_icm_ctx *ctx;
|
|
int i;
|
|
|
|
ctx = key;
|
|
aes_icm_crypt_last(key, in, out, AESICM_BLOCKSIZE);
|
|
|
|
/* increment counter */
|
|
for (i = AESICM_BLOCKSIZE - 1;
|
|
i >= 0; i--)
|
|
if (++ctx->ac_block[i]) /* continue on overflow */
|
|
break;
|
|
}
|
|
|
|
static void
|
|
aes_icm_crypt_last(void *key, const uint8_t *in, uint8_t *out, size_t len)
|
|
{
|
|
struct aes_icm_ctx *ctx;
|
|
uint8_t keystream[AESICM_BLOCKSIZE];
|
|
int i;
|
|
|
|
ctx = key;
|
|
rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
|
|
for (i = 0; i < len; i++)
|
|
out[i] = in[i] ^ keystream[i];
|
|
explicit_bzero(keystream, sizeof(keystream));
|
|
}
|
|
|
|
static int
|
|
aes_icm_setkey(void *sched, const uint8_t *key, int len)
|
|
{
|
|
struct aes_icm_ctx *ctx;
|
|
|
|
if (len != 16 && len != 24 && len != 32)
|
|
return (EINVAL);
|
|
|
|
ctx = sched;
|
|
ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, key, len * 8);
|
|
return (0);
|
|
}
|