1 /*
2  * aes_icm.c
3  *
4  * AES Integer Counter Mode
5  *
6  * David A. McGrew
7  * Cisco Systems, Inc.
8  */
9 
10 /*
11  *
12  * Copyright (c) 2001-2006, Cisco Systems, Inc.
13  * All rights reserved.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  *
19  *   Redistributions of source code must retain the above copyright
20  *   notice, this list of conditions and the following disclaimer.
21  *
22  *   Redistributions in binary form must reproduce the above
23  *   copyright notice, this list of conditions and the following
24  *   disclaimer in the documentation and/or other materials provided
25  *   with the distribution.
26  *
27  *   Neither the name of the Cisco Systems, Inc. nor the names of its
28  *   contributors may be used to endorse or promote products derived
29  *   from this software without specific prior written permission.
30  *
31  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
32  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
33  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
34  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
35  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
36  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
37  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
38  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
40  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
41  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
42  * OF THE POSSIBILITY OF SUCH DAMAGE.
43  *
44  */
45 
46 
47 #define ALIGN_32 0
48 
49 #include "aes_icm.h"
50 #include "alloc.h"
51 
52 
53 debug_module_t mod_aes_icm = {
54   0,                 /* debugging is off by default */
55   "aes icm"          /* printable module name       */
56 };
57 
58 /*
59  * integer counter mode works as follows:
60  *
61  * 16 bits
62  * <----->
63  * +------+------+------+------+------+------+------+------+
64  * |           nonce           |    pakcet index    |  ctr |---+
65  * +------+------+------+------+------+------+------+------+   |
66  *                                                             |
67  * +------+------+------+------+------+------+------+------+   v
68  * |                      salt                      |000000|->(+)
69  * +------+------+------+------+------+------+------+------+   |
70  *                                                             |
71  *                                                        +---------+
72  *							  | encrypt |
73  *							  +---------+
74  *							       |
75  * +------+------+------+------+------+------+------+------+   |
76  * |                    keystream block                    |<--+
77  * +------+------+------+------+------+------+------+------+
78  *
79  * All fields are big-endian
80  *
81  * ctr is the block counter, which increments from zero for
82  * each packet (16 bits wide)
83  *
84  * packet index is distinct for each packet (48 bits wide)
85  *
86  * nonce can be distinct across many uses of the same key, or
87  * can be a fixed value per key, or can be per-packet randomness
88  * (64 bits)
89  *
90  */
91 
92 err_status_t
aes_icm_alloc_ismacryp(cipher_t ** c,int key_len,int forIsmacryp)93 aes_icm_alloc_ismacryp(cipher_t **c, int key_len, int forIsmacryp) {
94   extern cipher_type_t aes_icm;
95   uint8_t *pointer;
96   int tmp;
97 
98   debug_print(mod_aes_icm,
99             "allocating cipher with key length %d", key_len);
100 
101   /*
102    * Ismacryp, for example, uses 16 byte key + 8 byte
103    * salt  so this function is called with key_len = 24.
104    * The check for key_len = 30 does not apply. Our usage
105    * of aes functions with key_len = values other than 30
106    * has not broken anything. Don't know what would be the
107    * effect of skipping this check for srtp in general.
108    */
109   if (!forIsmacryp && key_len != 30)
110     return err_status_bad_param;
111 
112   /* allocate memory a cipher of type aes_icm */
113   tmp = (sizeof(aes_icm_ctx_t) + sizeof(cipher_t));
114   pointer = (uint8_t*)crypto_alloc(tmp);
115   if (pointer == NULL)
116     return err_status_alloc_fail;
117 
118   /* set pointers */
119   *c = (cipher_t *)pointer;
120   (*c)->type = &aes_icm;
121   (*c)->state = pointer + sizeof(cipher_t);
122 
123   /* increment ref_count */
124   aes_icm.ref_count++;
125 
126   /* set key size        */
127   (*c)->key_len = key_len;
128 
129   return err_status_ok;
130 }
131 
aes_icm_alloc(cipher_t ** c,int key_len,int forIsmacryp)132 err_status_t aes_icm_alloc(cipher_t **c, int key_len, int forIsmacryp) {
133   return aes_icm_alloc_ismacryp(c, key_len, 0);
134 }
135 
136 err_status_t
aes_icm_dealloc(cipher_t * c)137 aes_icm_dealloc(cipher_t *c) {
138   extern cipher_type_t aes_icm;
139 
140   /* zeroize entire state*/
141   octet_string_set_to_zero((uint8_t *)c,
142 			   sizeof(aes_icm_ctx_t) + sizeof(cipher_t));
143 
144   /* free memory */
145   crypto_free(c);
146 
147   /* decrement ref_count */
148   aes_icm.ref_count--;
149 
150   return err_status_ok;
151 }
152 
153 
154 /*
155  * aes_icm_context_init(...) initializes the aes_icm_context
156  * using the value in key[].
157  *
158  * the key is the secret key
159  *
160  * the salt is unpredictable (but not necessarily secret) data which
161  * randomizes the starting point in the keystream
162  */
163 
164 err_status_t
aes_icm_context_init(aes_icm_ctx_t * c,const uint8_t * key)165 aes_icm_context_init(aes_icm_ctx_t *c, const uint8_t *key) {
166   v128_t tmp_key;
167   int i;
168 
169   /* set counter and initial values to 'offset' value */
170   /* FIX!!! this assumes the salt is at key + 16, and thus that the */
171   /* FIX!!! cipher key length is 16! */
172   for (i = 0; i < 14; i++) {
173     c->counter.v8[i] = key[16 + i];
174     c->offset.v8[i] = key[16 + i];
175   }
176 
177   /* force last two octets of the offset to zero (for srtp compatibility) */
178   c->offset.v8[14] = c->offset.v8[15] = 0;
179   c->counter.v8[14] = c->counter.v8[15] = 0;
180 
181   /* set tmp_key (for alignment) */
182   v128_copy_octet_string(&tmp_key, key);
183 
184   debug_print(mod_aes_icm,
185 	      "key:  %s", v128_hex_string(&tmp_key));
186   debug_print(mod_aes_icm,
187 	      "offset: %s", v128_hex_string(&c->offset));
188 
189   /* expand key */
190   aes_expand_encryption_key(&tmp_key, c->expanded_key);
191 
192   /* indicate that the keystream_buffer is empty */
193   c->bytes_in_buffer = 0;
194 
195   return err_status_ok;
196 }
197 
198 /*
199  * aes_icm_set_octet(c, i) sets the counter of the context which it is
200  * passed so that the next octet of keystream that will be generated
201  * is the ith octet
202  */
203 
204 err_status_t
aes_icm_set_octet(aes_icm_ctx_t * c,uint64_t octet_num)205 aes_icm_set_octet(aes_icm_ctx_t *c,
206 		  uint64_t octet_num) {
207 
208 #ifdef NO_64BIT_MATH
209   int tail_num       = low32(octet_num) & 0x0f;
210   /* 64-bit right-shift 4 */
211   uint64_t block_num = make64(high32(octet_num) >> 4,
212 							  ((high32(octet_num) & 0x0f)<<(32-4)) |
213 							   (low32(octet_num) >> 4));
214 #else
215   int tail_num       = (int)(octet_num % 16);
216   uint64_t block_num = octet_num / 16;
217 #endif
218 
219 
220   /* set counter value */
221   /* FIX - There's no way this is correct */
222   c->counter.v64[0] = c->offset.v64[0];
223 #ifdef NO_64BIT_MATH
224   c->counter.v64[0] = make64(high32(c->offset.v64[0]) ^ high32(block_num),
225 							 low32(c->offset.v64[0])  ^ low32(block_num));
226 #else
227   c->counter.v64[0] = c->offset.v64[0] ^ block_num;
228 #endif
229 
230   debug_print(mod_aes_icm,
231 	      "set_octet: %s", v128_hex_string(&c->counter));
232 
233   /* fill keystream buffer, if needed */
234   if (tail_num) {
235     v128_copy(&c->keystream_buffer, &c->counter);
236     aes_encrypt(&c->keystream_buffer, c->expanded_key);
237     c->bytes_in_buffer = sizeof(v128_t);
238 
239     debug_print(mod_aes_icm, "counter:    %s",
240 	      v128_hex_string(&c->counter));
241     debug_print(mod_aes_icm, "ciphertext: %s",
242 	      v128_hex_string(&c->keystream_buffer));
243 
244     /*  indicate number of bytes in keystream_buffer  */
245     c->bytes_in_buffer = sizeof(v128_t) - tail_num;
246 
247   } else {
248 
249     /* indicate that keystream_buffer is empty */
250     c->bytes_in_buffer = 0;
251   }
252 
253   return err_status_ok;
254 }
255 
256 /*
257  * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with
258  * the offset
259  */
260 
261 err_status_t
aes_icm_set_iv(aes_icm_ctx_t * c,void * iv)262 aes_icm_set_iv(aes_icm_ctx_t *c, void *iv) {
263   v128_t *nonce = (v128_t *) iv;
264 
265   debug_print(mod_aes_icm,
266 	      "setting iv: %s", v128_hex_string(nonce));
267 
268   v128_xor(&c->counter, &c->offset, nonce);
269 
270   debug_print(mod_aes_icm,
271 	      "set_counter: %s", v128_hex_string(&c->counter));
272 
273   /* indicate that the keystream_buffer is empty */
274   c->bytes_in_buffer = 0;
275 
276   return err_status_ok;
277 }
278 
279 
280 
281 /*
282  * aes_icm_advance(...) refills the keystream_buffer and
283  * advances the block index of the sicm_context forward by one
284  *
285  * this is an internal, hopefully inlined function
286  */
287 
288 static inline void
aes_icm_advance_ismacryp(aes_icm_ctx_t * c,uint8_t forIsmacryp)289 aes_icm_advance_ismacryp(aes_icm_ctx_t *c, uint8_t forIsmacryp) {
290   /* fill buffer with new keystream */
291   v128_copy(&c->keystream_buffer, &c->counter);
292   aes_encrypt(&c->keystream_buffer, c->expanded_key);
293   c->bytes_in_buffer = sizeof(v128_t);
294 
295   debug_print(mod_aes_icm, "counter:    %s",
296 	      v128_hex_string(&c->counter));
297   debug_print(mod_aes_icm, "ciphertext: %s",
298 	      v128_hex_string(&c->keystream_buffer));
299 
300   /* clock counter forward */
301 
302   if (forIsmacryp) {
303     uint32_t temp;
304     //alex's clock counter forward
305     temp = ntohl(c->counter.v32[3]);
306     c->counter.v32[3] = htonl(++temp);
307   } else {
308     if (!++(c->counter.v8[15]))
309       ++(c->counter.v8[14]);
310   }
311 }
312 
aes_icm_advance(aes_icm_ctx_t * c)313 inline void aes_icm_advance(aes_icm_ctx_t *c) {
314   aes_icm_advance_ismacryp(c, 0);
315 }
316 
317 
318 /*e
319  * icm_encrypt deals with the following cases:
320  *
321  * bytes_to_encr < bytes_in_buffer
322  *  - add keystream into data
323  *
324  * bytes_to_encr > bytes_in_buffer
325  *  - add keystream into data until keystream_buffer is depleted
326  *  - loop over blocks, filling keystream_buffer and then
327  *    adding keystream into data
328  *  - fill buffer then add in remaining (< 16) bytes of keystream
329  */
330 
331 err_status_t
aes_icm_encrypt_ismacryp(aes_icm_ctx_t * c,unsigned char * buf,unsigned int * enc_len,int forIsmacryp)332 aes_icm_encrypt_ismacryp(aes_icm_ctx_t *c,
333               unsigned char *buf, unsigned int *enc_len,
334               int forIsmacryp) {
335   unsigned int bytes_to_encr = *enc_len;
336   unsigned int i;
337   uint32_t *b;
338 
339   /* check that there's enough segment left but not for ismacryp*/
340   if (!forIsmacryp && (bytes_to_encr + htons(c->counter.v16[7])) > 0xffff)
341     return err_status_terminus;
342 
343  debug_print(mod_aes_icm, "block index: %d",
344            htons(c->counter.v16[7]));
345   if (bytes_to_encr <= (unsigned int)c->bytes_in_buffer) {
346 
347     /* deal with odd case of small bytes_to_encr */
348     for (i = (sizeof(v128_t) - c->bytes_in_buffer);
349 		 i < (sizeof(v128_t) - c->bytes_in_buffer + bytes_to_encr); i++)
350 	{
351       *buf++ ^= c->keystream_buffer.v8[i];
352 	}
353 
354     c->bytes_in_buffer -= bytes_to_encr;
355 
356     /* return now to avoid the main loop */
357     return err_status_ok;
358 
359   } else {
360 
361     /* encrypt bytes until the remaining data is 16-byte aligned */
362     for (i=(sizeof(v128_t) - c->bytes_in_buffer); i < sizeof(v128_t); i++)
363       *buf++ ^= c->keystream_buffer.v8[i];
364 
365     bytes_to_encr -= c->bytes_in_buffer;
366     c->bytes_in_buffer = 0;
367 
368   }
369 
370   /* now loop over entire 16-byte blocks of keystream */
371   for (i=0; i < (bytes_to_encr/sizeof(v128_t)); i++) {
372 
373     /* fill buffer with new keystream */
374     aes_icm_advance_ismacryp(c, forIsmacryp);
375 
376     /*
377      * add keystream into the data buffer (this would be a lot faster
378      * if we could assume 32-bit alignment!)
379      */
380 
381 #if ALIGN_32
382     b = (uint32_t *)buf;
383     *b++ ^= c->keystream_buffer.v32[0];
384     *b++ ^= c->keystream_buffer.v32[1];
385     *b++ ^= c->keystream_buffer.v32[2];
386     *b++ ^= c->keystream_buffer.v32[3];
387     buf = (uint8_t *)b;
388 #else
389     if ((((unsigned long) buf) & 0x03) != 0) {
390       *buf++ ^= c->keystream_buffer.v8[0];
391       *buf++ ^= c->keystream_buffer.v8[1];
392       *buf++ ^= c->keystream_buffer.v8[2];
393       *buf++ ^= c->keystream_buffer.v8[3];
394       *buf++ ^= c->keystream_buffer.v8[4];
395       *buf++ ^= c->keystream_buffer.v8[5];
396       *buf++ ^= c->keystream_buffer.v8[6];
397       *buf++ ^= c->keystream_buffer.v8[7];
398       *buf++ ^= c->keystream_buffer.v8[8];
399       *buf++ ^= c->keystream_buffer.v8[9];
400       *buf++ ^= c->keystream_buffer.v8[10];
401       *buf++ ^= c->keystream_buffer.v8[11];
402       *buf++ ^= c->keystream_buffer.v8[12];
403       *buf++ ^= c->keystream_buffer.v8[13];
404       *buf++ ^= c->keystream_buffer.v8[14];
405       *buf++ ^= c->keystream_buffer.v8[15];
406     } else {
407       b = (uint32_t *)buf;
408       *b++ ^= c->keystream_buffer.v32[0];
409       *b++ ^= c->keystream_buffer.v32[1];
410       *b++ ^= c->keystream_buffer.v32[2];
411       *b++ ^= c->keystream_buffer.v32[3];
412       buf = (uint8_t *)b;
413     }
414 #endif /* #if ALIGN_32 */
415 
416   }
417 
418   /* if there is a tail end of the data, process it */
419   if ((bytes_to_encr & 0xf) != 0) {
420 
421     /* fill buffer with new keystream */
422     aes_icm_advance_ismacryp(c, forIsmacryp);
423 
424     for (i=0; i < (bytes_to_encr & 0xf); i++)
425       *buf++ ^= c->keystream_buffer.v8[i];
426 
427     /* reset the keystream buffer size to right value */
428     c->bytes_in_buffer = sizeof(v128_t) - i;
429   } else {
430 
431     /* no tail, so just reset the keystream buffer size to zero */
432     c->bytes_in_buffer = 0;
433 
434   }
435 
436   return err_status_ok;
437 }
438 
439 err_status_t
aes_icm_encrypt(aes_icm_ctx_t * c,unsigned char * buf,unsigned int * enc_len)440 aes_icm_encrypt(aes_icm_ctx_t *c, unsigned char *buf, unsigned int *enc_len) {
441   return aes_icm_encrypt_ismacryp(c, buf, enc_len, 0);
442 }
443 
444 err_status_t
aes_icm_output(aes_icm_ctx_t * c,uint8_t * buffer,int num_octets_to_output)445 aes_icm_output(aes_icm_ctx_t *c, uint8_t *buffer, int num_octets_to_output) {
446   unsigned int len = num_octets_to_output;
447 
448   /* zeroize the buffer */
449   octet_string_set_to_zero(buffer, num_octets_to_output);
450 
451   /* exor keystream into buffer */
452   return aes_icm_encrypt(c, buffer, &len);
453 }
454 
455 
456 char
457 aes_icm_description[] = "aes integer counter mode";
458 
459 uint8_t aes_icm_test_case_0_key[30] = {
460   0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
461   0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
462   0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
463   0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
464 };
465 
466 uint8_t aes_icm_test_case_0_nonce[16] = {
467   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
468   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
469 };
470 
471 uint8_t aes_icm_test_case_0_plaintext[32] =  {
472   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
473   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
474   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
475   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
476 };
477 
478 uint8_t aes_icm_test_case_0_ciphertext[32] = {
479   0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80,
480   0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4,
481   0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7,
482   0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab
483 };
484 
485 cipher_test_case_t aes_icm_test_case_0 = {
486   30,                                    /* octets in key            */
487   aes_icm_test_case_0_key,               /* key                      */
488   aes_icm_test_case_0_nonce,             /* packet index             */
489   32,                                    /* octets in plaintext      */
490   aes_icm_test_case_0_plaintext,         /* plaintext                */
491   32,                                    /* octets in ciphertext     */
492   aes_icm_test_case_0_ciphertext,        /* ciphertext               */
493   NULL                                   /* pointer to next testcase */
494 };
495 
496 
497 /*
498  * note: the encrypt function is identical to the decrypt function
499  */
500 
501 cipher_type_t aes_icm = {
502   (cipher_alloc_func_t)          aes_icm_alloc,
503   (cipher_dealloc_func_t)        aes_icm_dealloc,
504   (cipher_init_func_t)           aes_icm_context_init,
505   (cipher_encrypt_func_t)        aes_icm_encrypt,
506   (cipher_decrypt_func_t)        aes_icm_encrypt,
507   (cipher_set_iv_func_t)         aes_icm_set_iv,
508   (char *)                       aes_icm_description,
509   (int)                          0,   /* instance count */
510   (cipher_test_case_t *)        &aes_icm_test_case_0,
511   (debug_module_t *)            &mod_aes_icm
512 };
513