diff options
author | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:21 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:21 -0300 |
commit | 46e99a8858f1c843c1774e472c11d422ca2163ae (patch) | |
tree | 485743dc4862158e7bb3b19eccf8f9b54fb8927b /sys/opencrypto/gmac.c | |
parent | fb8160d0fb248c35e8bc74d67dcca6c22e974db3 (diff) | |
download | FreeBSD-src-46e99a8858f1c843c1774e472c11d422ca2163ae.zip FreeBSD-src-46e99a8858f1c843c1774e472c11d422ca2163ae.tar.gz |
Importing pfSense patch aesgcm.soft.1.patch
Diffstat (limited to 'sys/opencrypto/gmac.c')
-rw-r--r-- | sys/opencrypto/gmac.c | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/sys/opencrypto/gmac.c b/sys/opencrypto/gmac.c new file mode 100644 index 0000000..b95e3bb --- /dev/null +++ b/sys/opencrypto/gmac.c @@ -0,0 +1,165 @@ +/* $OpenBSD: gmac.c,v 1.3 2011/01/11 15:44:23 deraadt Exp $ */ + +/* + * Copyright (c) 2010 Mike Belopuhov <mike@vantronix.net> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the Message Authentication part of the + * Galois/Counter Mode (as being described in the RFC 4543) using + * the AES cipher. FIPS SP 800-38D describes the algorithm details. + */ + +#ifdef _KERNEL +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/endian.h> +#else +#include <sys/types.h> +#include <sys/endian.h> +#include <stdint.h> +#include <string.h> +#endif + +#include <crypto/rijndael/rijndael.h> +#include <opencrypto/gmac.h> + +void ghash_gfmul(uint32_t *, uint32_t *, uint32_t *); +void ghash_update(GHASH_CTX *, uint8_t *, size_t); + +/* Computes a block multiplication in the GF(2^128) */ +void +ghash_gfmul(uint32_t *X, uint32_t *Y, uint32_t *product) +{ + uint32_t v[4]; + uint32_t z[4] = { 0, 0, 0, 0}; + uint8_t *x = (uint8_t *)X; + uint32_t mul; + int i; + + v[0] = be32toh(Y[0]); + v[1] = be32toh(Y[1]); + v[2] = be32toh(Y[2]); + v[3] = be32toh(Y[3]); + + for (i = 0; i < GMAC_BLOCK_LEN * 8; i++) { + /* update Z */ + if (x[i >> 3] & (1 << (~i & 7))) { + z[0] ^= v[0]; + z[1] ^= v[1]; + z[2] ^= v[2]; + z[3] ^= v[3]; + } /* else: we preserve old values */ + + /* update V */ + mul = v[3] & 1; + v[3] = (v[2] << 31) | (v[3] >> 1); + v[2] = (v[1] << 31) | (v[2] >> 1); + v[1] = (v[0] << 31) | (v[1] >> 1); + v[0] = (v[0] >> 1) ^ (0xe1000000 * mul); + } + + product[0] = htobe32(z[0]); + product[1] = htobe32(z[1]); + product[2] = htobe32(z[2]); + product[3] = htobe32(z[3]); +} + +void +ghash_update(GHASH_CTX *ctx, uint8_t *X, size_t len) +{ + uint32_t *x = (uint32_t *)X; + uint32_t *s = (uint32_t *)ctx->S; + uint32_t *y = (uint32_t *)ctx->Z; + int i; + + for (i = 0; i < len / GMAC_BLOCK_LEN; i++) { + s[0] = y[0] ^ x[0]; + s[1] = y[1] ^ x[1]; + s[2] = y[2] ^ x[2]; + s[3] = y[3] ^ x[3]; + + ghash_gfmul((uint32_t *)ctx->S, (uint32_t *)ctx->H, + (uint32_t *)ctx->S); + + y = s; + x += 4; + } + + bcopy(ctx->S, ctx->Z, GMAC_BLOCK_LEN); +} + +#ifndef AESCTR_NONCESIZE +#define AESCTR_NONCESIZE 4 +#endif + +void +AES_GMAC_Init(AES_GMAC_CTX *ctx) +{ + bzero(ctx->ghash.H, GMAC_BLOCK_LEN); + bzero(ctx->ghash.S, GMAC_BLOCK_LEN); + bzero(ctx->ghash.Z, GMAC_BLOCK_LEN); + bzero(ctx->J, GMAC_BLOCK_LEN); +} + +void +AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const uint8_t *key, uint16_t klen) +{ + ctx->rounds = rijndaelKeySetupEnc(ctx->K, (u_char *)key, + (klen - AESCTR_NONCESIZE) * 8); + /* copy out salt to the counter block */ + bcopy(key + klen - AESCTR_NONCESIZE, ctx->J, AESCTR_NONCESIZE); + /* prepare a hash subkey */ + rijndaelEncrypt(ctx->K, ctx->rounds, ctx->ghash.H, ctx->ghash.H); +} + +void +AES_GMAC_Reinit(AES_GMAC_CTX *ctx, const uint8_t *iv, uint16_t ivlen) +{ + /* copy out IV to the counter block */ + bcopy(iv, ctx->J + AESCTR_NONCESIZE, ivlen); +} + +int +AES_GMAC_Update(AES_GMAC_CTX *ctx, const uint8_t *data, uint16_t len) +{ + uint8_t blk[16] = {}; + int plen; + + if (len > 0) { + plen = len % GMAC_BLOCK_LEN; + if (len >= GMAC_BLOCK_LEN) + ghash_update(&ctx->ghash, (uint8_t *)data, len - plen); + if (plen) { + bcopy((uint8_t *)data + (len - plen), blk, plen); + ghash_update(&ctx->ghash, blk, GMAC_BLOCK_LEN); + } + } + return (0); +} + +void +AES_GMAC_Final(uint8_t digest[GMAC_DIGEST_LEN], AES_GMAC_CTX *ctx) +{ + uint8_t keystream[GMAC_BLOCK_LEN]; + int i; + + /* do one round of GCTR */ + ctx->J[GMAC_BLOCK_LEN - 1] = 1; + rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream); + for (i = 0; i < GMAC_DIGEST_LEN; i++) + digest[i] = ctx->ghash.S[i] ^ keystream[i]; + bzero(keystream, sizeof(keystream)); +} |