1 /* Copyright (C) 2009-2014, Martin Johansson <martin@fatbob.nu>
2 Copyright (C) 2005-2014, Thorvald Natvig <thorvald@natvig.com>
6 Redistribution and use in source and binary forms, with or without
7 modification, are permitted provided that the following conditions
10 - Redistributions of source code must retain the above copyright notice,
11 this list of conditions and the following disclaimer.
12 - Redistributions in binary form must reproduce the above copyright notice,
13 this list of conditions and the following disclaimer in the documentation
14 and/or other materials provided with the distribution.
15 - Neither the name of the Developers nor the names of its contributors may
16 be used to endorse or promote products derived from this software without
17 specific prior written permission.
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
23 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
27 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
28 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
29 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 * This code implements OCB-AES128.
34 * In the US, OCB is covered by patents. The inventor has given a license
35 * to all programs distributed under the GPL.
36 * uMurmur is BSD (revised) licensed, meaning you can use the code in a
37 * closed-source program. If you do, you'll have to either replace
38 * OCB with something else or get yourself a license.
42 #include <arpa/inet.h>
46 #ifdef USE_POLARSSL_HAVEGE
47 extern havege_state hs;
50 static void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag);
51 static void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag);
53 void CryptState_init(cryptState_t *cs)
55 memset(cs->decrypt_history, 0, 0xff);
56 memset(cs->raw_key, 0, AES_BLOCK_SIZE);
57 memset(cs->encrypt_iv, 0, AES_BLOCK_SIZE);
58 memset(cs->decrypt_iv, 0, AES_BLOCK_SIZE);
60 cs->uiGood = cs->uiLate = cs->uiLost = cs->uiResync = 0;
61 cs->uiRemoteGood = cs->uiRemoteLate = cs->uiRemoteLost = cs->uiRemoteResync = 0;
62 Timer_init(&cs->tLastGood);
63 Timer_init(&cs->tLastRequest);
66 bool_t CryptState_isValid(cryptState_t *cs)
71 void CryptState_genKey(cryptState_t *cs) {
72 RAND_bytes(cs->raw_key, AES_BLOCK_SIZE);
73 RAND_bytes(cs->encrypt_iv, AES_BLOCK_SIZE);
74 RAND_bytes(cs->decrypt_iv, AES_BLOCK_SIZE);
76 AES_set_encrypt_key(cs->raw_key, 128, &cs->encrypt_key);
77 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
79 aes_setkey_enc(&cs->aes_enc, cs->raw_key, 128);
80 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
85 void CryptState_setKey(cryptState_t *cs, const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div)
87 memcpy(cs->raw_key, rkey, AES_BLOCK_SIZE);
88 memcpy(cs->encrypt_iv, eiv, AES_BLOCK_SIZE);
89 memcpy(cs->decrypt_iv, div, AES_BLOCK_SIZE);
91 AES_set_encrypt_key(cs->decrypt_iv, 128, &cs->encrypt_key);
92 AES_set_decrypt_key(cs->raw_key, 128, &cs->decrypt_key);
94 aes_setkey_enc(&cs->aes_enc, cs->decrypt_iv, 128);
95 aes_setkey_dec(&cs->aes_dec, cs->raw_key, 128);
100 void CryptState_setDecryptIV(cryptState_t *cs, const unsigned char *iv)
102 memcpy(cs->decrypt_iv, iv, AES_BLOCK_SIZE);
105 void CryptState_encrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int plain_length)
107 unsigned char tag[AES_BLOCK_SIZE];
109 // First, increase our IV.
110 for (i = 0; i < AES_BLOCK_SIZE; i++)
111 if (++cs->encrypt_iv[i])
114 CryptState_ocb_encrypt(cs, source, dst+4, plain_length, cs->encrypt_iv, tag);
116 dst[0] = cs->encrypt_iv[0];
122 bool_t CryptState_decrypt(cryptState_t *cs, const unsigned char *source, unsigned char *dst, unsigned int crypted_length)
124 if (crypted_length < 4)
127 unsigned int plain_length = crypted_length - 4;
129 unsigned char saveiv[AES_BLOCK_SIZE];
130 unsigned char ivbyte = source[0];
131 bool_t restore = false;
132 unsigned char tag[AES_BLOCK_SIZE];
137 memcpy(saveiv, cs->decrypt_iv, AES_BLOCK_SIZE);
139 if (((cs->decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
140 // In order as expected.
141 if (ivbyte > cs->decrypt_iv[0]) {
142 cs->decrypt_iv[0] = ivbyte;
143 } else if (ivbyte < cs->decrypt_iv[0]) {
145 cs->decrypt_iv[0] = ivbyte;
146 for (i = 1; i < AES_BLOCK_SIZE; i++)
147 if (++cs->decrypt_iv[i])
153 // This is either out of order or a repeat.
155 int diff = ivbyte - cs->decrypt_iv[0];
158 else if (diff < -128)
161 if ((ivbyte < cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
162 // Late packet, but no wraparound.
165 cs->decrypt_iv[0] = ivbyte;
167 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
169 // Last was 0x02, here comes 0xff from last round
172 cs->decrypt_iv[0] = ivbyte;
173 for (i = 1; i < AES_BLOCK_SIZE; i++)
174 if (cs->decrypt_iv[i]--)
177 } else if ((ivbyte > cs->decrypt_iv[0]) && (diff > 0)) {
178 // Lost a few packets, but beyond that we're good.
179 lost = ivbyte - cs->decrypt_iv[0] - 1;
180 cs->decrypt_iv[0] = ivbyte;
181 } else if ((ivbyte < cs->decrypt_iv[0]) && (diff > 0)) {
183 // Lost a few packets, and wrapped around
184 lost = 256 - cs->decrypt_iv[0] + ivbyte - 1;
185 cs->decrypt_iv[0] = ivbyte;
186 for (i = 1; i < AES_BLOCK_SIZE; i++)
187 if (++cs->decrypt_iv[i])
193 if (cs->decrypt_history[cs->decrypt_iv[0]] == cs->decrypt_iv[1]) {
194 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
199 CryptState_ocb_decrypt(cs, source+4, dst, plain_length, cs->decrypt_iv, tag);
201 if (memcmp(tag, source+1, 3) != 0) {
202 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
205 cs->decrypt_history[cs->decrypt_iv[0]] = cs->decrypt_iv[1];
208 memcpy(cs->decrypt_iv, saveiv, AES_BLOCK_SIZE);
214 Timer_restart(&cs->tLastGood);
218 #if defined(__LP64__)
221 typedef uint64_t subblock;
223 #if __BYTE_ORDER == __BIG_ENDIAN
224 #define SWAPPED(x) (x)
227 #define SWAPPED(x) ({register uint64_t __out, __in = (x); __asm__("bswap %q0" : "=r"(__out) : "0"(__in)); __out;})
229 #include <byteswap.h>
230 #define SWAPPED(x) bswap_64(x)
238 typedef uint32_t subblock;
239 #define SWAPPED(x) htonl(x)
243 #define HIGHBIT (1<<SHIFTBITS);
246 static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
248 for (i=0;i<BLOCKSIZE;i++) {
249 dst[i] = a[i] ^ b[i];
253 static void inline S2(subblock *block) {
254 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
256 for (i=0;i<BLOCKSIZE-1;i++)
257 block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
258 block[BLOCKSIZE-1] = SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
261 static void inline S3(subblock *block) {
262 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
264 for (i=0;i<BLOCKSIZE-1;i++)
265 block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
266 block[BLOCKSIZE-1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
269 static void inline ZERO(subblock *block) {
271 for (i=0;i<BLOCKSIZE;i++)
276 #define AESencrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_enc, AES_ENCRYPT, (unsigned char *)(src), (unsigned char *)(dst));
277 #define AESdecrypt(src, dst, cryptstate) aes_crypt_ecb(&(cryptstate)->aes_dec, AES_DECRYPT, (unsigned char *)(src), (unsigned char *)(dst));
279 #define AESencrypt(src, dst, cryptstate) AES_encrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->encrypt_key);
280 #define AESdecrypt(src, dst, cryptstate) AES_decrypt((unsigned char *)(src), (unsigned char *)(dst), &(cryptstate)->decrypt_key);
283 void CryptState_ocb_encrypt(cryptState_t *cs, const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
284 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
287 AESencrypt(nonce, delta, cs);
290 while (len > AES_BLOCK_SIZE) {
292 XOR(tmp, delta, (const subblock *)(plain));
293 AESencrypt(tmp, tmp, cs);
294 XOR((subblock *)(encrypted), delta, tmp);
295 XOR(checksum, checksum, (subblock *)(plain));
296 len -= AES_BLOCK_SIZE;
297 plain += AES_BLOCK_SIZE;
298 encrypted += AES_BLOCK_SIZE;
303 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
304 XOR(tmp, tmp, delta);
305 AESencrypt(tmp, pad, cs);
306 memcpy(tmp, plain, len);
307 memcpy((unsigned char *)tmp + len, (unsigned char *)pad + len, AES_BLOCK_SIZE - len);
308 XOR(checksum, checksum, tmp);
310 memcpy(encrypted, tmp, len);
313 XOR(tmp, delta, checksum);
314 AESencrypt(tmp, tag, cs);
317 void CryptState_ocb_decrypt(cryptState_t *cs, const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
318 subblock checksum[BLOCKSIZE], delta[BLOCKSIZE], tmp[BLOCKSIZE], pad[BLOCKSIZE];
320 AESencrypt(nonce, delta, cs);
323 while (len > AES_BLOCK_SIZE) {
325 XOR(tmp, delta, (const subblock *)(encrypted));
326 AESdecrypt(tmp, tmp, cs);
327 XOR((subblock *)(plain), delta, tmp);
328 XOR(checksum, checksum, (const subblock *)(plain));
329 len -= AES_BLOCK_SIZE;
330 plain += AES_BLOCK_SIZE;
331 encrypted += AES_BLOCK_SIZE;
336 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
337 XOR(tmp, tmp, delta);
338 AESencrypt(tmp, pad, cs);
339 memset(tmp, 0, AES_BLOCK_SIZE);
340 memcpy(tmp, encrypted, len);
342 XOR(checksum, checksum, tmp);
343 memcpy(plain, tmp, len);
346 XOR(tmp, delta, checksum);
347 AESencrypt(tmp, tag, cs);