1 /* Copyright (C) 2009-2011, Martin Johansson <martin@fatbob.nu>
2 Copyright (C) 2005-2011, Thorvald Natvig <thorvald@natvig.com>
6 Redistribution and use in source and binary forms, with or without
7 modification, are permitted provided that the following conditions
10 - Redistributions of source code must retain the above copyright notice,
11 this list of conditions and the following disclaimer.
12 - Redistributions in binary form must reproduce the above copyright notice,
13 this list of conditions and the following disclaimer in the documentation
14 and/or other materials provided with the distribution.
15 - Neither the name of the Developers nor the names of its contributors may
16 be used to endorse or promote products derived from this software without
17 specific prior written permission.
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
23 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
27 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
28 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
29 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 * This code implements OCB-AES128.
34 * In the US, OCB is covered by patents. The inventor has given a license
35 * to all programs distributed under the GPL.
36 * uMurmur is BSD (revised) licensed, meaning you can use the code in a
37 * closed-source program. If you do, you'll have to either replace
38 * OCB with something else or get yourself a license.
42 #include <arpa/inet.h>
46 #include <polarssl/havege.h>
47 #define RAND_bytes(_dst_, _size_) do { \
49 for (i = 0; i < _size_; i++) { \
50 _dst_[i] = havege_rand(&hs); \
54 extern havege_state hs;
57 static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag);
58 static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag);
60 void CryptState_init(cryptState_t *cs)
62 memset(cs->decrypt_history, 0, 0xff);
63 memset(cs->raw_key, 0, AES_BLOCK_SIZE);
64 memset(cs->encrypt_iv, 0, AES_BLOCK_SIZE);
65 memset(cs->decrypt_iv, 0, AES_BLOCK_SIZE);
67 cs->uiGood = cs->uiLate = cs->uiLost = cs->uiResync = 0;
68 cs->uiRemoteGood = cs->uiRemoteLate = cs->uiRemoteLost = cs->uiRemoteResync = 0;
69 Timer_init(&cs->tLastGood);
70 Timer_init(&cs->tLastRequest);
73 bool_t CryptState_isValid(cryptState_t *cs)
78 void CryptState_genKey(cryptState_t *cs) {
79 RAND_bytes(cs->raw_key, AES_BLOCK_SIZE);
80 RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE);
81 RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE);
83 AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
84 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
86 aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128);
87 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
92 void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div)
94 memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE);
95 memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE);
96 memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE);
98 AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key);
99 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
101 aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128);
102 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
107 void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv)
109 memcpy(cs->decrypt_iv, iv, AES_BLOCK_SIZE);
112 void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length)
114 unsigned char tag[AES_BLOCK_SIZE];
116 // First, increase our IV.
117 for (i = 0; i < AES_BLOCK_SIZE; i++)
118 if (++cs->encrypt_iv[i])
121 CryptState_ocb_encrypt(cs, source, dst+4, plain_length, cs->encrypt_iv, tag);
123 dst[0] = cs->encrypt_iv[0];
129 bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length)
131 if (crypted_length < 4)
134 unsigned int plain_length = crypted_length - 4;
136 unsigned char saveiv[AES_BLOCK_SIZE];
137 unsigned char ivbyte = source[0];
138 bool_t restore = false;
139 unsigned char tag[AES_BLOCK_SIZE];
144 memcpy(saveiv, cs->decrypt_iv, AES_BLOCK_SIZE);
146 if (((cs->decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
147 // In order as expected.
148 if (ivbyte > cs->decrypt_iv[0]) {
149 cs->decrypt_iv[0] = ivbyte;
150 } else if (ivbyte < cs->decrypt_iv[0]) {
152 cs->decrypt_iv[0] = ivbyte;
153 for (i = 1; i < AES_BLOCK_SIZE; i++)
154 if (++cs->decrypt_iv[i])
160 // This is either out of order or a repeat.
162 int diff = ivbyte - cs->decrypt_iv[0];
165 else if (diff < -128)
168 if ((ivbyte < cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
169 // Late packet, but no wraparound.
172 cs->decrypt_iv[0] = ivbyte;
174 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
176 // Last was 0x02, here comes 0xff from last round
179 cs->decrypt_iv[0] = ivbyte;
180 for (i = 1; i < AES_BLOCK_SIZE; i++)
181 if (cs->decrypt_iv[i]--)
184 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > 0)) {
185 // Lost a few packets, but beyond that we're good.
186 lost = ivbyte - cs->decrypt_iv[0] - 1;
187 cs->decrypt_iv[0] = ivbyte;
188 } else if ((ivbyte < cs->decrypt_iv[0]) && (diff > 0)) {
190 // Lost a few packets, and wrapped around
191 lost = 256 - cs->decrypt_iv[0] + ivbyte - 1;
192 cs->decrypt_iv[0] = ivbyte;
193 for (i = 1; i < AES_BLOCK_SIZE; i++)
194 if (++cs->decrypt_iv[i])
200 if (cs->decrypt_history[cs->decrypt_iv[0]] == cs->decrypt_iv[1]) {
201 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
206 CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag);
208 if (memcmp(tag, source+1, 3) != 0) {
209 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
212 cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1];
215 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
221 Timer_restart(&cs->tLastGood);
225 #if defined(__LP64__)
228 typedef uint64_t subblock;
230 #if __BYTE_ORDER == __BIG_ENDIAN
231 #define SWAPPED(x) (x)
234 #define SWAPPED(x) ({register uint64_t __out, __in = (x); __asm__("bswap %q0" : "=r"(__out) : "0"(__in)); __out;})
236 #include <byteswap.h>
237 #define SWAPPED(x) bswap_64(x)
245 typedef uint32_t subblock;
246 #define SWAPPED(x) htonl(x)
250 #define HIGHBIT (1<<SHIFTBITS);
253 static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
255 for (i=0;i<BLOCKSIZE;i++) {
256 dst[i] = a[i] ^ b[i];
260 static void inline S2(subblock *block) {
261 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
263 for (i=0;i<BLOCKSIZE-1;i++)
264 block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
265 block[BLOCKSIZE-1] = SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
268 static void inline S3(subblock *block) {
269 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
271 for (i=0;i<BLOCKSIZE-1;i++)
272 block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
273 block[BLOCKSIZE-1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
276 static void inline ZERO(subblock *block) {
278 for (i=0;i<BLOCKSIZE;i++)
283 #define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst));
284 #define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst));
286 #define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key);
287 #define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key);
290 void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
291 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
294 AESencrypt(nonce, delta, cs);
297 while (len > AES_BLOCK_SIZE) {
299 XOR(tmp, delta, (const subblock *)(plain));
300 AESencrypt(tmp, tmp, cs);
301 XOR((subblock *)(encrypted), delta, tmp);
302 XOR(checksum, checksum, (subblock *)(plain));
303 len -= AES_BLOCK_SIZE;
304 plain += AES_BLOCK_SIZE;
305 encrypted += AES_BLOCK_SIZE;
310 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
311 XOR(tmp, tmp, delta);
312 AESencrypt(tmp, pad, cs);
313 memcpy(tmp, plain, len);
314 memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len);
315 XOR(checksum, checksum, tmp);
317 memcpy(encrypted, tmp, len);
320 XOR(tmp, delta, checksum);
321 AESencrypt(tmp, tag, cs);
324 void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
325 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
327 AESencrypt(nonce, delta, cs);
330 while (len > AES_BLOCK_SIZE) {
332 XOR(tmp, delta, (const subblock *)(encrypted));
333 AESdecrypt(tmp, tmp, cs);
334 XOR((subblock *)(plain), delta, tmp);
335 XOR(checksum, checksum, (const subblock *)(plain));
336 len -= AES_BLOCK_SIZE;
337 plain += AES_BLOCK_SIZE;
338 encrypted += AES_BLOCK_SIZE;
343 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
344 XOR(tmp, tmp, delta);
345 AESencrypt(tmp, pad, cs);
346 memset(tmp, 0, AES_BLOCK_SIZE);
347 memcpy(tmp, encrypted, len);
349 XOR(checksum, checksum, tmp);
350 memcpy(plain, tmp, len);
353 XOR(tmp, delta, checksum);
354 AESencrypt(tmp, tag, cs);