2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
27 /* see bearssl_block.h */
29 br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys
*ctx
,
30 const void *key
, size_t len
)
32 ctx
->vtable
= &br_aes_ct_ctrcbc_vtable
;
33 ctx
->num_rounds
= br_aes_ct_keysched(ctx
->skey
, key
, len
);
37 xorbuf(void *dst
, const void *src
, size_t len
)
40 const unsigned char *s
;
49 /* see bearssl_block.h */
51 br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys
*ctx
,
52 void *ctr
, void *data
, size_t len
)
56 uint32_t iv0
, iv1
, iv2
, iv3
;
59 br_aes_ct_skey_expand(sk_exp
, ctx
->num_rounds
, ctx
->skey
);
62 * We keep the counter as four 32-bit values, with big-endian
63 * convention, because that's what is expected for purposes of
64 * incrementing the counter value.
67 iv0
= br_dec32be(ivbuf
+ 0);
68 iv1
= br_dec32be(ivbuf
+ 4);
69 iv2
= br_dec32be(ivbuf
+ 8);
70 iv3
= br_dec32be(ivbuf
+ 12);
75 unsigned char tmp
[32];
78 * The bitslice implementation expects values in
79 * little-endian convention, so we have to byteswap them.
81 q
[0] = br_swap32(iv0
);
82 q
[2] = br_swap32(iv1
);
83 q
[4] = br_swap32(iv2
);
84 q
[6] = br_swap32(iv3
);
86 carry
= ~(iv3
| -iv3
) >> 31;
88 carry
&= -(~(iv2
| -iv2
) >> 31);
90 carry
&= -(~(iv1
| -iv1
) >> 31);
92 q
[1] = br_swap32(iv0
);
93 q
[3] = br_swap32(iv1
);
94 q
[5] = br_swap32(iv2
);
95 q
[7] = br_swap32(iv3
);
98 carry
= ~(iv3
| -iv3
) >> 31;
100 carry
&= -(~(iv2
| -iv2
) >> 31);
102 carry
&= -(~(iv1
| -iv1
) >> 31);
107 br_aes_ct_bitslice_encrypt(ctx
->num_rounds
, sk_exp
, q
);
110 br_enc32le(tmp
, q
[0]);
111 br_enc32le(tmp
+ 4, q
[2]);
112 br_enc32le(tmp
+ 8, q
[4]);
113 br_enc32le(tmp
+ 12, q
[6]);
114 br_enc32le(tmp
+ 16, q
[1]);
115 br_enc32le(tmp
+ 20, q
[3]);
116 br_enc32le(tmp
+ 24, q
[5]);
117 br_enc32le(tmp
+ 28, q
[7]);
120 xorbuf(buf
, tmp
, len
);
123 xorbuf(buf
, tmp
, 32);
127 br_enc32be(ivbuf
+ 0, iv0
);
128 br_enc32be(ivbuf
+ 4, iv1
);
129 br_enc32be(ivbuf
+ 8, iv2
);
130 br_enc32be(ivbuf
+ 12, iv3
);
133 /* see bearssl_block.h */
135 br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys
*ctx
,
136 void *cbcmac
, const void *data
, size_t len
)
138 const unsigned char *buf
;
139 uint32_t cm0
, cm1
, cm2
, cm3
;
141 uint32_t sk_exp
[120];
143 br_aes_ct_skey_expand(sk_exp
, ctx
->num_rounds
, ctx
->skey
);
146 cm0
= br_dec32le((unsigned char *)cbcmac
+ 0);
147 cm1
= br_dec32le((unsigned char *)cbcmac
+ 4);
148 cm2
= br_dec32le((unsigned char *)cbcmac
+ 8);
149 cm3
= br_dec32le((unsigned char *)cbcmac
+ 12);
156 q
[0] = cm0
^ br_dec32le(buf
+ 0);
157 q
[2] = cm1
^ br_dec32le(buf
+ 4);
158 q
[4] = cm2
^ br_dec32le(buf
+ 8);
159 q
[6] = cm3
^ br_dec32le(buf
+ 12);
162 br_aes_ct_bitslice_encrypt(ctx
->num_rounds
, sk_exp
, q
);
173 br_enc32le((unsigned char *)cbcmac
+ 0, cm0
);
174 br_enc32le((unsigned char *)cbcmac
+ 4, cm1
);
175 br_enc32le((unsigned char *)cbcmac
+ 8, cm2
);
176 br_enc32le((unsigned char *)cbcmac
+ 12, cm3
);
179 /* see bearssl_block.h */
181 br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys
*ctx
,
182 void *ctr
, void *cbcmac
, void *data
, size_t len
)
185 * When encrypting, the CBC-MAC processing must be lagging by
186 * one block, since it operates on the encrypted values, so
187 * it must wait for that encryption to complete.
191 unsigned char *ivbuf
;
192 uint32_t iv0
, iv1
, iv2
, iv3
;
193 uint32_t cm0
, cm1
, cm2
, cm3
;
194 uint32_t sk_exp
[120];
197 br_aes_ct_skey_expand(sk_exp
, ctx
->num_rounds
, ctx
->skey
);
200 * We keep the counter as four 32-bit values, with big-endian
201 * convention, because that's what is expected for purposes of
202 * incrementing the counter value.
205 iv0
= br_dec32be(ivbuf
+ 0);
206 iv1
= br_dec32be(ivbuf
+ 4);
207 iv2
= br_dec32be(ivbuf
+ 8);
208 iv3
= br_dec32be(ivbuf
+ 12);
211 * The current CBC-MAC value is kept in little-endian convention.
213 cm0
= br_dec32le((unsigned char *)cbcmac
+ 0);
214 cm1
= br_dec32le((unsigned char *)cbcmac
+ 4);
215 cm2
= br_dec32le((unsigned char *)cbcmac
+ 8);
216 cm3
= br_dec32le((unsigned char *)cbcmac
+ 12);
221 uint32_t q
[8], carry
;
224 * The bitslice implementation expects values in
225 * little-endian convention, so we have to byteswap them.
227 q
[0] = br_swap32(iv0
);
228 q
[2] = br_swap32(iv1
);
229 q
[4] = br_swap32(iv2
);
230 q
[6] = br_swap32(iv3
);
232 carry
= ~(iv3
| -iv3
) >> 31;
234 carry
&= -(~(iv2
| -iv2
) >> 31);
236 carry
&= -(~(iv1
| -iv1
) >> 31);
240 * The odd values are used for CBC-MAC.
248 br_aes_ct_bitslice_encrypt(ctx
->num_rounds
, sk_exp
, q
);
252 * We do the XOR with the plaintext in 32-bit registers,
253 * so that the value are available for CBC-MAC processing
256 q
[0] ^= br_dec32le(buf
+ 0);
257 q
[2] ^= br_dec32le(buf
+ 4);
258 q
[4] ^= br_dec32le(buf
+ 8);
259 q
[6] ^= br_dec32le(buf
+ 12);
260 br_enc32le(buf
+ 0, q
[0]);
261 br_enc32le(buf
+ 4, q
[2]);
262 br_enc32le(buf
+ 8, q
[4]);
263 br_enc32le(buf
+ 12, q
[6]);
269 * We set the cm* values to the block to encrypt in the
286 * If this was the last iteration, then compute the
287 * extra block encryption to complete CBC-MAC.
295 br_aes_ct_bitslice_encrypt(ctx
->num_rounds
, sk_exp
, q
);
305 br_enc32be(ivbuf
+ 0, iv0
);
306 br_enc32be(ivbuf
+ 4, iv1
);
307 br_enc32be(ivbuf
+ 8, iv2
);
308 br_enc32be(ivbuf
+ 12, iv3
);
309 br_enc32le((unsigned char *)cbcmac
+ 0, cm0
);
310 br_enc32le((unsigned char *)cbcmac
+ 4, cm1
);
311 br_enc32le((unsigned char *)cbcmac
+ 8, cm2
);
312 br_enc32le((unsigned char *)cbcmac
+ 12, cm3
);
315 /* see bearssl_block.h */
317 br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys
*ctx
,
318 void *ctr
, void *cbcmac
, void *data
, size_t len
)
321 unsigned char *ivbuf
;
322 uint32_t iv0
, iv1
, iv2
, iv3
;
323 uint32_t cm0
, cm1
, cm2
, cm3
;
324 uint32_t sk_exp
[120];
326 br_aes_ct_skey_expand(sk_exp
, ctx
->num_rounds
, ctx
->skey
);
329 * We keep the counter as four 32-bit values, with big-endian
330 * convention, because that's what is expected for purposes of
331 * incrementing the counter value.
334 iv0
= br_dec32be(ivbuf
+ 0);
335 iv1
= br_dec32be(ivbuf
+ 4);
336 iv2
= br_dec32be(ivbuf
+ 8);
337 iv3
= br_dec32be(ivbuf
+ 12);
340 * The current CBC-MAC value is kept in little-endian convention.
342 cm0
= br_dec32le((unsigned char *)cbcmac
+ 0);
343 cm1
= br_dec32le((unsigned char *)cbcmac
+ 4);
344 cm2
= br_dec32le((unsigned char *)cbcmac
+ 8);
345 cm3
= br_dec32le((unsigned char *)cbcmac
+ 12);
349 uint32_t q
[8], carry
;
350 unsigned char tmp
[16];
353 * The bitslice implementation expects values in
354 * little-endian convention, so we have to byteswap them.
356 q
[0] = br_swap32(iv0
);
357 q
[2] = br_swap32(iv1
);
358 q
[4] = br_swap32(iv2
);
359 q
[6] = br_swap32(iv3
);
361 carry
= ~(iv3
| -iv3
) >> 31;
363 carry
&= -(~(iv2
| -iv2
) >> 31);
365 carry
&= -(~(iv1
| -iv1
) >> 31);
369 * The odd values are used for CBC-MAC.
371 q
[1] = cm0
^ br_dec32le(buf
+ 0);
372 q
[3] = cm1
^ br_dec32le(buf
+ 4);
373 q
[5] = cm2
^ br_dec32le(buf
+ 8);
374 q
[7] = cm3
^ br_dec32le(buf
+ 12);
377 br_aes_ct_bitslice_encrypt(ctx
->num_rounds
, sk_exp
, q
);
380 br_enc32le(tmp
+ 0, q
[0]);
381 br_enc32le(tmp
+ 4, q
[2]);
382 br_enc32le(tmp
+ 8, q
[4]);
383 br_enc32le(tmp
+ 12, q
[6]);
384 xorbuf(buf
, tmp
, 16);
393 br_enc32be(ivbuf
+ 0, iv0
);
394 br_enc32be(ivbuf
+ 4, iv1
);
395 br_enc32be(ivbuf
+ 8, iv2
);
396 br_enc32be(ivbuf
+ 12, iv3
);
397 br_enc32le((unsigned char *)cbcmac
+ 0, cm0
);
398 br_enc32le((unsigned char *)cbcmac
+ 4, cm1
);
399 br_enc32le((unsigned char *)cbcmac
+ 8, cm2
);
400 br_enc32le((unsigned char *)cbcmac
+ 12, cm3
);
403 /* see bearssl_block.h */
404 const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable
= {
405 sizeof(br_aes_ct_ctrcbc_keys
),
408 (void (*)(const br_block_ctrcbc_class
**, const void *, size_t))
409 &br_aes_ct_ctrcbc_init
,
410 (void (*)(const br_block_ctrcbc_class
*const *,
411 void *, void *, void *, size_t))
412 &br_aes_ct_ctrcbc_encrypt
,
413 (void (*)(const br_block_ctrcbc_class
*const *,
414 void *, void *, void *, size_t))
415 &br_aes_ct_ctrcbc_decrypt
,
416 (void (*)(const br_block_ctrcbc_class
*const *,
417 void *, void *, size_t))
418 &br_aes_ct_ctrcbc_ctr
,
419 (void (*)(const br_block_ctrcbc_class
*const *,
420 void *, const void *, size_t))
421 &br_aes_ct_ctrcbc_mac