1 /* Copyright (C) 2009-2014, Martin Johansson <martin@fatbob.nu>
2 Copyright (C) 2005-2014, Thorvald Natvig <thorvald@natvig.com>
6 Redistribution and use in source and binary forms, with or without
7 modification, are permitted provided that the following conditions
10 - Redistributions of source code must retain the above copyright notice,
11 this list of conditions and the following disclaimer.
12 - Redistributions in binary form must reproduce the above copyright notice,
13 this list of conditions and the following disclaimer in the documentation
14 and/or other materials provided with the distribution.
15 - Neither the name of the Developers nor the names of its contributors may
16 be used to endorse or promote products derived from this software without
17 specific prior written permission.
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
23 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
27 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
28 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
29 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 * This code implements OCB-AES128.
34 * In the US, OCB is covered by patents. The inventor has given a license
35 * to all programs distributed under the GPL.
36 * uMurmur is BSD (revised) licensed, meaning you can use the code in a
37 * closed-source program. If you do, you'll have to either replace
38 * OCB with something else or get yourself a license.
42 #include <arpa/inet.h>
46 #ifdef USE_POLARSSL_HAVEGE
47 extern havege_state hs;
50 static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag);
51 static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag);
53 void CryptState_init(cryptState_t *cs)
55 memset(cs->decrypt_history, 0, 0xff);
56 memset(cs->raw_key, 0, AES_BLOCK_SIZE);
57 memset(cs->encrypt_iv, 0, AES_BLOCK_SIZE);
58 memset(cs->decrypt_iv, 0, AES_BLOCK_SIZE);
60 cs->uiGood = cs->uiLate = cs->uiLost = cs->uiResync = 0;
61 cs->uiRemoteGood = cs->uiRemoteLate = cs->uiRemoteLost = cs->uiRemoteResync = 0;
62 Timer_init(&cs->tLastGood);
63 Timer_init(&cs->tLastRequest);
66 bool_t CryptState_isValid(cryptState_t *cs)
71 void CryptState_genKey(cryptState_t *cs) {
72 RAND_bytes(cs->raw_key, AES_BLOCK_SIZE);
73 RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE);
74 RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE);
76 AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
77 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
79 aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128);
80 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
85 void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div)
87 memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE);
88 memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE);
89 memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE);
91 AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key);
92 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
94 aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128);
95 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
100 void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv)
102 memcpy(cs->decrypt_iv, iv, AES_BLOCK_SIZE);
105 void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length)
107 unsigned char tag[AES_BLOCK_SIZE];
109 // First, increase our IV.
110 for (i = 0; i < AES_BLOCK_SIZE; i++)
111 if (++cs->encrypt_iv[i])
114 CryptState_ocb_encrypt(cs, source, dst+4, plain_length, cs->encrypt_iv, tag);
116 dst[0] = cs->encrypt_iv[0];
122 bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length)
124 if (crypted_length < 4)
127 unsigned int plain_length = crypted_length - 4;
129 unsigned char saveiv[AES_BLOCK_SIZE];
130 unsigned char ivbyte = source[0];
131 bool_t restore = false;
132 unsigned char tag[AES_BLOCK_SIZE];
137 memcpy(saveiv, cs->decrypt_iv, AES_BLOCK_SIZE);
139 if (((cs->decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
140 // In order as expected.
141 if (ivbyte > cs->decrypt_iv[0]) {
142 cs->decrypt_iv[0] = ivbyte;
143 } else if (ivbyte < cs->decrypt_iv[0]) {
145 cs->decrypt_iv[0] = ivbyte;
146 for (i = 1; i < AES_BLOCK_SIZE; i++)
147 if (++cs->decrypt_iv[i])
153 // This is either out of order or a repeat.
155 int diff = ivbyte - cs->decrypt_iv[0];
158 else if (diff < -128)
161 if ((ivbyte < cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
162 // Late packet, but no wraparound.
165 cs->decrypt_iv[0] = ivbyte;
167 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
169 // Last was 0x02, here comes 0xff from last round
172 cs->decrypt_iv[0] = ivbyte;
173 for (i = 1; i < AES_BLOCK_SIZE; i++)
174 if (cs->decrypt_iv[i]--)
177 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > 0)) {
178 // Lost a few packets, but beyond that we're good.
179 lost = ivbyte - cs->decrypt_iv[0] - 1;
180 cs->decrypt_iv[0] = ivbyte;
181 } else if ((ivbyte < cs->decrypt_iv[0]) && (diff > 0)) {
183 // Lost a few packets, and wrapped around
184 lost = 256 - cs->decrypt_iv[0] + ivbyte - 1;
185 cs->decrypt_iv[0] = ivbyte;
186 for (i = 1; i < AES_BLOCK_SIZE; i++)
187 if (++cs->decrypt_iv[i])
193 if (cs->decrypt_history[cs->decrypt_iv[0]] == cs->decrypt_iv[1]) {
194 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
199 CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag);
201 if (memcmp(tag, source+1, 3) != 0) {
202 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
205 cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1];
208 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
214 Timer_restart(&cs->tLastGood);
218 static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
220 for (i=0;i<BLOCKSIZE;i++) {
221 dst[i] = a[i] ^ b[i];
225 static void inline S2(subblock *block) {
226 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
228 for (i=0;i<BLOCKSIZE-1;i++)
229 block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
230 block[BLOCKSIZE-1] = SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
233 static void inline S3(subblock *block) {
234 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
236 for (i=0;i<BLOCKSIZE-1;i++)
237 block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
238 block[BLOCKSIZE-1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
241 static void inline ZERO(subblock *block) {
243 for (i=0;i<BLOCKSIZE;i++)
248 #define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst));
249 #define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst));
251 #define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key);
252 #define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key);
255 void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
256 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
259 AESencrypt(nonce, delta, cs);
262 while (len > AES_BLOCK_SIZE) {
264 XOR(tmp, delta, (const subblock *)(plain));
265 AESencrypt(tmp, tmp, cs);
266 XOR((subblock *)(encrypted), delta, tmp);
267 XOR(checksum, checksum, (subblock *)(plain));
268 len -= AES_BLOCK_SIZE;
269 plain += AES_BLOCK_SIZE;
270 encrypted += AES_BLOCK_SIZE;
275 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
276 XOR(tmp, tmp, delta);
277 AESencrypt(tmp, pad, cs);
278 memcpy(tmp, plain, len);
279 memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len);
280 XOR(checksum, checksum, tmp);
282 memcpy(encrypted, tmp, len);
285 XOR(tmp, delta, checksum);
286 AESencrypt(tmp, tag, cs);
289 void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
290 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
292 AESencrypt(nonce, delta, cs);
295 while (len > AES_BLOCK_SIZE) {
297 XOR(tmp, delta, (const subblock *)(encrypted));
298 AESdecrypt(tmp, tmp, cs);
299 XOR((subblock *)(plain), delta, tmp);
300 XOR(checksum, checksum, (const subblock *)(plain));
301 len -= AES_BLOCK_SIZE;
302 plain += AES_BLOCK_SIZE;
303 encrypted += AES_BLOCK_SIZE;
308 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
309 XOR(tmp, tmp, delta);
310 AESencrypt(tmp, pad, cs);
311 memset(tmp, 0, AES_BLOCK_SIZE);
312 memcpy(tmp, encrypted, len);
314 XOR(checksum, checksum, tmp);
315 memcpy(plain, tmp, len);
318 XOR(tmp, delta, checksum);
319 AESencrypt(tmp, tag, cs);