1 /* Copyright (C) 2009-2012, Martin Johansson <martin@fatbob.nu>
2 Copyright (C) 2005-2012, Thorvald Natvig <thorvald@natvig.com>
6 Redistribution and use in source and binary forms, with or without
7 modification, are permitted provided that the following conditions
10 - Redistributions of source code must retain the above copyright notice,
11 this list of conditions and the following disclaimer.
12 - Redistributions in binary form must reproduce the above copyright notice,
13 this list of conditions and the following disclaimer in the documentation
14 and/or other materials provided with the distribution.
15 - Neither the name of the Developers nor the names of its contributors may
16 be used to endorse or promote products derived from this software without
17 specific prior written permission.
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
23 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
27 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
28 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
29 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 * This code implements OCB-AES128.
34 * In the US, OCB is covered by patents. The inventor has given a license
35 * to all programs distributed under the GPL.
36 * uMurmur is BSD (revised) licensed, meaning you can use the code in a
37 * closed-source program. If you do, you'll have to either replace
38 * OCB with something else or get yourself a license.
42 #include <arpa/inet.h>
47 #include <polarssl/havege.h>
48 extern havege_state hs;
51 static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag);
52 static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag);
54 void CryptState_init(cryptState_t *cs)
56 memset(cs->decrypt_history, 0, 0xff);
57 memset(cs->raw_key, 0, AES_BLOCK_SIZE);
58 memset(cs->encrypt_iv, 0, AES_BLOCK_SIZE);
59 memset(cs->decrypt_iv, 0, AES_BLOCK_SIZE);
61 cs->uiGood = cs->uiLate = cs->uiLost = cs->uiResync = 0;
62 cs->uiRemoteGood = cs->uiRemoteLate = cs->uiRemoteLost = cs->uiRemoteResync = 0;
63 Timer_init(&cs->tLastGood);
64 Timer_init(&cs->tLastRequest);
67 bool_t CryptState_isValid(cryptState_t *cs)
72 void CryptState_genKey(cryptState_t *cs) {
73 RAND_bytes(cs->raw_key, AES_BLOCK_SIZE);
74 RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE);
75 RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE);
77 AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
78 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
80 aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128);
81 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
86 void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div)
88 memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE);
89 memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE);
90 memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE);
92 AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key);
93 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
95 aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128);
96 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
101 void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv)
103 memcpy(cs->decrypt_iv, iv, AES_BLOCK_SIZE);
106 void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length)
108 unsigned char tag[AES_BLOCK_SIZE];
110 // First, increase our IV.
111 for (i = 0; i < AES_BLOCK_SIZE; i++)
112 if (++cs->encrypt_iv[i])
115 CryptState_ocb_encrypt(cs, source, dst+4, plain_length, cs->encrypt_iv, tag);
117 dst[0] = cs->encrypt_iv[0];
123 bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length)
125 if (crypted_length < 4)
128 unsigned int plain_length = crypted_length - 4;
130 unsigned char saveiv[AES_BLOCK_SIZE];
131 unsigned char ivbyte = source[0];
132 bool_t restore = false;
133 unsigned char tag[AES_BLOCK_SIZE];
138 memcpy(saveiv, cs->decrypt_iv, AES_BLOCK_SIZE);
140 if (((cs->decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
141 // In order as expected.
142 if (ivbyte > cs->decrypt_iv[0]) {
143 cs->decrypt_iv[0] = ivbyte;
144 } else if (ivbyte < cs->decrypt_iv[0]) {
146 cs->decrypt_iv[0] = ivbyte;
147 for (i = 1; i < AES_BLOCK_SIZE; i++)
148 if (++cs->decrypt_iv[i])
154 // This is either out of order or a repeat.
156 int diff = ivbyte - cs->decrypt_iv[0];
159 else if (diff < -128)
162 if ((ivbyte < cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
163 // Late packet, but no wraparound.
166 cs->decrypt_iv[0] = ivbyte;
168 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
170 // Last was 0x02, here comes 0xff from last round
173 cs->decrypt_iv[0] = ivbyte;
174 for (i = 1; i < AES_BLOCK_SIZE; i++)
175 if (cs->decrypt_iv[i]--)
178 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > 0)) {
179 // Lost a few packets, but beyond that we're good.
180 lost = ivbyte - cs->decrypt_iv[0] - 1;
181 cs->decrypt_iv[0] = ivbyte;
182 } else if ((ivbyte < cs->decrypt_iv[0]) && (diff > 0)) {
184 // Lost a few packets, and wrapped around
185 lost = 256 - cs->decrypt_iv[0] + ivbyte - 1;
186 cs->decrypt_iv[0] = ivbyte;
187 for (i = 1; i < AES_BLOCK_SIZE; i++)
188 if (++cs->decrypt_iv[i])
194 if (cs->decrypt_history[cs->decrypt_iv[0]] == cs->decrypt_iv[1]) {
195 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
200 CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag);
202 if (memcmp(tag, source+1, 3) != 0) {
203 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
206 cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1];
209 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
215 Timer_restart(&cs->tLastGood);
219 #if defined(__LP64__)
222 typedef uint64_t subblock;
224 #if __BYTE_ORDER == __BIG_ENDIAN
225 #define SWAPPED(x) (x)
228 #define SWAPPED(x) ({register uint64_t __out, __in = (x); __asm__("bswap %q0" : "=r"(__out) : "0"(__in)); __out;})
230 #include <byteswap.h>
231 #define SWAPPED(x) bswap_64(x)
239 typedef uint32_t subblock;
240 #define SWAPPED(x) htonl(x)
244 #define HIGHBIT (1<<SHIFTBITS);
247 static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
249 for (i=0;i<BLOCKSIZE;i++) {
250 dst[i] = a[i] ^ b[i];
254 static void inline S2(subblock *block) {
255 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
257 for (i=0;i<BLOCKSIZE-1;i++)
258 block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
259 block[BLOCKSIZE-1] = SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
262 static void inline S3(subblock *block) {
263 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
265 for (i=0;i<BLOCKSIZE-1;i++)
266 block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
267 block[BLOCKSIZE-1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
270 static void inline ZERO(subblock *block) {
272 for (i=0;i<BLOCKSIZE;i++)
277 #define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst));
278 #define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst));
280 #define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key);
281 #define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key);
284 void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
285 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
288 AESencrypt(nonce, delta, cs);
291 while (len > AES_BLOCK_SIZE) {
293 XOR(tmp, delta, (const subblock *)(plain));
294 AESencrypt(tmp, tmp, cs);
295 XOR((subblock *)(encrypted), delta, tmp);
296 XOR(checksum, checksum, (subblock *)(plain));
297 len -= AES_BLOCK_SIZE;
298 plain += AES_BLOCK_SIZE;
299 encrypted += AES_BLOCK_SIZE;
304 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
305 XOR(tmp, tmp, delta);
306 AESencrypt(tmp, pad, cs);
307 memcpy(tmp, plain, len);
308 memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len);
309 XOR(checksum, checksum, tmp);
311 memcpy(encrypted, tmp, len);
314 XOR(tmp, delta, checksum);
315 AESencrypt(tmp, tag, cs);
318 void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
319 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
321 AESencrypt(nonce, delta, cs);
324 while (len > AES_BLOCK_SIZE) {
326 XOR(tmp, delta, (const subblock *)(encrypted));
327 AESdecrypt(tmp, tmp, cs);
328 XOR((subblock *)(plain), delta, tmp);
329 XOR(checksum, checksum, (const subblock *)(plain));
330 len -= AES_BLOCK_SIZE;
331 plain += AES_BLOCK_SIZE;
332 encrypted += AES_BLOCK_SIZE;
337 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
338 XOR(tmp, tmp, delta);
339 AESencrypt(tmp, pad, cs);
340 memset(tmp, 0, AES_BLOCK_SIZE);
341 memcpy(tmp, encrypted, len);
343 XOR(checksum, checksum, tmp);
344 memcpy(plain, tmp, len);
347 XOR(tmp, delta, checksum);
348 AESencrypt(tmp, tag, cs);