1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/freebl/aeskeywrap.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,383 @@
1.4 +/*
1.5 + * aeskeywrap.c - implement AES Key Wrap algorithm from RFC 3394
1.6 + *
1.7 + * This Source Code Form is subject to the terms of the Mozilla Public
1.8 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.9 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.10 +
1.11 +#ifdef FREEBL_NO_DEPEND
1.12 +#include "stubs.h"
1.13 +#endif
1.14 +
1.15 +#include "prcpucfg.h"
1.16 +#if defined(IS_LITTLE_ENDIAN) || defined(SHA_NO_LONG_LONG)
1.17 +#define BIG_ENDIAN_WITH_64_BIT_REGISTERS 0
1.18 +#else
1.19 +#define BIG_ENDIAN_WITH_64_BIT_REGISTERS 1
1.20 +#endif
1.21 +#include "prtypes.h" /* for PRUintXX */
1.22 +#include "secport.h" /* for PORT_XXX */
1.23 +#include "secerr.h"
1.24 +#include "blapi.h" /* for AES_ functions */
1.25 +#include "rijndael.h"
1.26 +
1.27 +struct AESKeyWrapContextStr {
1.28 + unsigned char iv[AES_KEY_WRAP_IV_BYTES];
1.29 + AESContext aescx;
1.30 +};
1.31 +
1.32 +/******************************************/
1.33 +/*
1.34 +** AES key wrap algorithm, RFC 3394
1.35 +*/
1.36 +
1.37 +AESKeyWrapContext *
1.38 +AESKeyWrap_AllocateContext(void)
1.39 +{
1.40 + AESKeyWrapContext * cx = PORT_New(AESKeyWrapContext);
1.41 + return cx;
1.42 +}
1.43 +
1.44 +SECStatus
1.45 +AESKeyWrap_InitContext(AESKeyWrapContext *cx,
1.46 + const unsigned char *key,
1.47 + unsigned int keylen,
1.48 + const unsigned char *iv,
1.49 + int x1,
1.50 + unsigned int encrypt,
1.51 + unsigned int x2)
1.52 +{
1.53 + SECStatus rv = SECFailure;
1.54 + if (!cx) {
1.55 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.56 + return SECFailure;
1.57 + }
1.58 + if (iv) {
1.59 + memcpy(cx->iv, iv, sizeof cx->iv);
1.60 + } else {
1.61 + memset(cx->iv, 0xA6, sizeof cx->iv);
1.62 + }
1.63 + rv = AES_InitContext(&cx->aescx, key, keylen, NULL, NSS_AES, encrypt,
1.64 + AES_BLOCK_SIZE);
1.65 + return rv;
1.66 +}
1.67 +
1.68 +/*
1.69 +** Create a new AES context suitable for AES encryption/decryption.
1.70 +** "key" raw key data
1.71 +** "keylen" the number of bytes of key data (16, 24, or 32)
1.72 +*/
1.73 +extern AESKeyWrapContext *
1.74 +AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv,
1.75 + int encrypt, unsigned int keylen)
1.76 +{
1.77 + SECStatus rv;
1.78 + AESKeyWrapContext * cx = AESKeyWrap_AllocateContext();
1.79 + if (!cx)
1.80 + return NULL; /* error is already set */
1.81 + rv = AESKeyWrap_InitContext(cx, key, keylen, iv, 0, encrypt, 0);
1.82 + if (rv != SECSuccess) {
1.83 + PORT_Free(cx);
1.84 + cx = NULL; /* error should already be set */
1.85 + }
1.86 + return cx;
1.87 +}
1.88 +
1.89 +/*
1.90 +** Destroy a AES KeyWrap context.
1.91 +** "cx" the context
1.92 +** "freeit" if PR_TRUE then free the object as well as its sub-objects
1.93 +*/
1.94 +extern void
1.95 +AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
1.96 +{
1.97 + if (cx) {
1.98 + AES_DestroyContext(&cx->aescx, PR_FALSE);
1.99 +/* memset(cx, 0, sizeof *cx); */
1.100 + if (freeit)
1.101 + PORT_Free(cx);
1.102 + }
1.103 +}
1.104 +
1.105 +#if !BIG_ENDIAN_WITH_64_BIT_REGISTERS
1.106 +
1.107 +/* The AES Key Wrap algorithm has 64-bit values that are ALWAYS big-endian
1.108 +** (Most significant byte first) in memory. The only ALU operations done
1.109 +** on them are increment, decrement, and XOR. So, on little-endian CPUs,
1.110 +** and on CPUs that lack 64-bit registers, these big-endian 64-bit operations
1.111 +** are simulated in the following code. This is thought to be faster and
1.112 +** simpler than trying to convert the data to little-endian and back.
1.113 +*/
1.114 +
1.115 +/* A and T point to two 64-bit values stored most signficant byte first
1.116 +** (big endian). This function increments the 64-bit value T, and then
1.117 +** XORs it with A, changing A.
1.118 +*/
1.119 +static void
1.120 +increment_and_xor(unsigned char *A, unsigned char *T)
1.121 +{
1.122 + if (!++T[7])
1.123 + if (!++T[6])
1.124 + if (!++T[5])
1.125 + if (!++T[4])
1.126 + if (!++T[3])
1.127 + if (!++T[2])
1.128 + if (!++T[1])
1.129 + ++T[0];
1.130 +
1.131 + A[0] ^= T[0];
1.132 + A[1] ^= T[1];
1.133 + A[2] ^= T[2];
1.134 + A[3] ^= T[3];
1.135 + A[4] ^= T[4];
1.136 + A[5] ^= T[5];
1.137 + A[6] ^= T[6];
1.138 + A[7] ^= T[7];
1.139 +}
1.140 +
1.141 +/* A and T point to two 64-bit values stored most signficant byte first
1.142 +** (big endian). This function XORs T with A, giving a new A, then
1.143 +** decrements the 64-bit value T.
1.144 +*/
1.145 +static void
1.146 +xor_and_decrement(unsigned char *A, unsigned char *T)
1.147 +{
1.148 + A[0] ^= T[0];
1.149 + A[1] ^= T[1];
1.150 + A[2] ^= T[2];
1.151 + A[3] ^= T[3];
1.152 + A[4] ^= T[4];
1.153 + A[5] ^= T[5];
1.154 + A[6] ^= T[6];
1.155 + A[7] ^= T[7];
1.156 +
1.157 + if (!T[7]--)
1.158 + if (!T[6]--)
1.159 + if (!T[5]--)
1.160 + if (!T[4]--)
1.161 + if (!T[3]--)
1.162 + if (!T[2]--)
1.163 + if (!T[1]--)
1.164 + T[0]--;
1.165 +
1.166 +}
1.167 +
1.168 +/* Given an unsigned long t (in host byte order), store this value as a
1.169 +** 64-bit big-endian value (MSB first) in *pt.
1.170 +*/
1.171 +static void
1.172 +set_t(unsigned char *pt, unsigned long t)
1.173 +{
1.174 + pt[7] = (unsigned char)t; t >>= 8;
1.175 + pt[6] = (unsigned char)t; t >>= 8;
1.176 + pt[5] = (unsigned char)t; t >>= 8;
1.177 + pt[4] = (unsigned char)t; t >>= 8;
1.178 + pt[3] = (unsigned char)t; t >>= 8;
1.179 + pt[2] = (unsigned char)t; t >>= 8;
1.180 + pt[1] = (unsigned char)t; t >>= 8;
1.181 + pt[0] = (unsigned char)t;
1.182 +}
1.183 +
1.184 +#endif
1.185 +
1.186 +/*
1.187 +** Perform AES key wrap.
1.188 +** "cx" the context
1.189 +** "output" the output buffer to store the encrypted data.
1.190 +** "outputLen" how much data is stored in "output". Set by the routine
1.191 +** after some data is stored in output.
1.192 +** "maxOutputLen" the maximum amount of data that can ever be
1.193 +** stored in "output"
1.194 +** "input" the input data
1.195 +** "inputLen" the amount of input data
1.196 +*/
1.197 +extern SECStatus
1.198 +AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
1.199 + unsigned int *pOutputLen, unsigned int maxOutputLen,
1.200 + const unsigned char *input, unsigned int inputLen)
1.201 +{
1.202 + PRUint64 * R = NULL;
1.203 + unsigned int nBlocks;
1.204 + unsigned int i, j;
1.205 + unsigned int aesLen = AES_BLOCK_SIZE;
1.206 + unsigned int outLen = inputLen + AES_KEY_WRAP_BLOCK_SIZE;
1.207 + SECStatus s = SECFailure;
1.208 + /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
1.209 + PRUint64 t;
1.210 + PRUint64 B[2];
1.211 +
1.212 +#define A B[0]
1.213 +
1.214 + /* Check args */
1.215 + if (!inputLen || 0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
1.216 + PORT_SetError(SEC_ERROR_INPUT_LEN);
1.217 + return s;
1.218 + }
1.219 +#ifdef maybe
1.220 + if (!output && pOutputLen) { /* caller is asking for output size */
1.221 + *pOutputLen = outLen;
1.222 + return SECSuccess;
1.223 + }
1.224 +#endif
1.225 + if (maxOutputLen < outLen) {
1.226 + PORT_SetError(SEC_ERROR_OUTPUT_LEN);
1.227 + return s;
1.228 + }
1.229 + if (cx == NULL || output == NULL || input == NULL) {
1.230 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.231 + return s;
1.232 + }
1.233 + nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
1.234 + R = PORT_NewArray(PRUint64, nBlocks + 1);
1.235 + if (!R)
1.236 + return s; /* error is already set. */
1.237 + /*
1.238 + ** 1) Initialize variables.
1.239 + */
1.240 + memcpy(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
1.241 + memcpy(&R[1], input, inputLen);
1.242 +#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
1.243 + t = 0;
1.244 +#else
1.245 + memset(&t, 0, sizeof t);
1.246 +#endif
1.247 + /*
1.248 + ** 2) Calculate intermediate values.
1.249 + */
1.250 + for (j = 0; j < 6; ++j) {
1.251 + for (i = 1; i <= nBlocks; ++i) {
1.252 + B[1] = R[i];
1.253 + s = AES_Encrypt(&cx->aescx, (unsigned char *)B, &aesLen,
1.254 + sizeof B, (unsigned char *)B, sizeof B);
1.255 + if (s != SECSuccess)
1.256 + break;
1.257 + R[i] = B[1];
1.258 + /* here, increment t and XOR A with t (in big endian order); */
1.259 +#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
1.260 + A ^= ++t;
1.261 +#else
1.262 + increment_and_xor((unsigned char *)&A, (unsigned char *)&t);
1.263 +#endif
1.264 + }
1.265 + }
1.266 + /*
1.267 + ** 3) Output the results.
1.268 + */
1.269 + if (s == SECSuccess) {
1.270 + R[0] = A;
1.271 + memcpy(output, &R[0], outLen);
1.272 + if (pOutputLen)
1.273 + *pOutputLen = outLen;
1.274 + } else if (pOutputLen) {
1.275 + *pOutputLen = 0;
1.276 + }
1.277 + PORT_ZFree(R, outLen);
1.278 + return s;
1.279 +}
1.280 +#undef A
1.281 +
1.282 +/*
1.283 +** Perform AES key unwrap.
1.284 +** "cx" the context
1.285 +** "output" the output buffer to store the decrypted data.
1.286 +** "outputLen" how much data is stored in "output". Set by the routine
1.287 +** after some data is stored in output.
1.288 +** "maxOutputLen" the maximum amount of data that can ever be
1.289 +** stored in "output"
1.290 +** "input" the input data
1.291 +** "inputLen" the amount of input data
1.292 +*/
1.293 +extern SECStatus
1.294 +AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
1.295 + unsigned int *pOutputLen, unsigned int maxOutputLen,
1.296 + const unsigned char *input, unsigned int inputLen)
1.297 +{
1.298 + PRUint64 * R = NULL;
1.299 + unsigned int nBlocks;
1.300 + unsigned int i, j;
1.301 + unsigned int aesLen = AES_BLOCK_SIZE;
1.302 + unsigned int outLen;
1.303 + SECStatus s = SECFailure;
1.304 + /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
1.305 + PRUint64 t;
1.306 + PRUint64 B[2];
1.307 +
1.308 +#define A B[0]
1.309 +
1.310 + /* Check args */
1.311 + if (inputLen < 3 * AES_KEY_WRAP_BLOCK_SIZE ||
1.312 + 0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
1.313 + PORT_SetError(SEC_ERROR_INPUT_LEN);
1.314 + return s;
1.315 + }
1.316 + outLen = inputLen - AES_KEY_WRAP_BLOCK_SIZE;
1.317 +#ifdef maybe
1.318 + if (!output && pOutputLen) { /* caller is asking for output size */
1.319 + *pOutputLen = outLen;
1.320 + return SECSuccess;
1.321 + }
1.322 +#endif
1.323 + if (maxOutputLen < outLen) {
1.324 + PORT_SetError(SEC_ERROR_OUTPUT_LEN);
1.325 + return s;
1.326 + }
1.327 + if (cx == NULL || output == NULL || input == NULL) {
1.328 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.329 + return s;
1.330 + }
1.331 + nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
1.332 + R = PORT_NewArray(PRUint64, nBlocks);
1.333 + if (!R)
1.334 + return s; /* error is already set. */
1.335 + nBlocks--;
1.336 + /*
1.337 + ** 1) Initialize variables.
1.338 + */
1.339 + memcpy(&R[0], input, inputLen);
1.340 + A = R[0];
1.341 +#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
1.342 + t = 6UL * nBlocks;
1.343 +#else
1.344 + set_t((unsigned char *)&t, 6UL * nBlocks);
1.345 +#endif
1.346 + /*
1.347 + ** 2) Calculate intermediate values.
1.348 + */
1.349 + for (j = 0; j < 6; ++j) {
1.350 + for (i = nBlocks; i; --i) {
1.351 + /* here, XOR A with t (in big endian order) and decrement t; */
1.352 +#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
1.353 + A ^= t--;
1.354 +#else
1.355 + xor_and_decrement((unsigned char *)&A, (unsigned char *)&t);
1.356 +#endif
1.357 + B[1] = R[i];
1.358 + s = AES_Decrypt(&cx->aescx, (unsigned char *)B, &aesLen,
1.359 + sizeof B, (unsigned char *)B, sizeof B);
1.360 + if (s != SECSuccess)
1.361 + break;
1.362 + R[i] = B[1];
1.363 + }
1.364 + }
1.365 + /*
1.366 + ** 3) Output the results.
1.367 + */
1.368 + if (s == SECSuccess) {
1.369 + int bad = memcmp(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
1.370 + if (!bad) {
1.371 + memcpy(output, &R[1], outLen);
1.372 + if (pOutputLen)
1.373 + *pOutputLen = outLen;
1.374 + } else {
1.375 + s = SECFailure;
1.376 + PORT_SetError(SEC_ERROR_BAD_DATA);
1.377 + if (pOutputLen)
1.378 + *pOutputLen = 0;
1.379 + }
1.380 + } else if (pOutputLen) {
1.381 + *pOutputLen = 0;
1.382 + }
1.383 + PORT_ZFree(R, inputLen);
1.384 + return s;
1.385 +}
1.386 +#undef A
