netwerk/srtp/src/crypto/cipher/aes_cbc.c@6474c204b198
netwerk/srtp/src/crypto/cipher/aes_cbc.c
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 /*
2 * aes_cbc.c
3 *
4 * AES Cipher Block Chaining Mode
5 *
6 * David A. McGrew
7 * Cisco Systems, Inc.
8 */
10 /*
11 *
12 * Copyright (c) 2001-2006, Cisco Systems, Inc.
13 * All rights reserved.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 *
19 * Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 *
22 * Redistributions in binary form must reproduce the above
23 * copyright notice, this list of conditions and the following
24 * disclaimer in the documentation and/or other materials provided
25 * with the distribution.
26 *
27 * Neither the name of the Cisco Systems, Inc. nor the names of its
28 * contributors may be used to endorse or promote products derived
29 * from this software without specific prior written permission.
30 *
31 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
32 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
33 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
34 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
35 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
36 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
37 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
38 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
40 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
41 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
42 * OF THE POSSIBILITY OF SUCH DAMAGE.
43 *
44 */
47 #include "aes_cbc.h"
48 #include "alloc.h"
50 debug_module_t mod_aes_cbc = {
51 0, /* debugging is off by default */
52 "aes cbc" /* printable module name */
53 };
57 err_status_t
58 aes_cbc_alloc(cipher_t **c, int key_len) {
59 extern cipher_type_t aes_cbc;
60 uint8_t *pointer;
61 int tmp;
63 debug_print(mod_aes_cbc,
64 "allocating cipher with key length %d", key_len);
66 if (key_len != 16 && key_len != 24 && key_len != 32)
67 return err_status_bad_param;
69 /* allocate memory a cipher of type aes_cbc */
70 tmp = (sizeof(aes_cbc_ctx_t) + sizeof(cipher_t));
71 pointer = (uint8_t*)crypto_alloc(tmp);
72 if (pointer == NULL)
73 return err_status_alloc_fail;
75 /* set pointers */
76 *c = (cipher_t *)pointer;
77 (*c)->type = &aes_cbc;
78 (*c)->state = pointer + sizeof(cipher_t);
80 /* increment ref_count */
81 aes_cbc.ref_count++;
83 /* set key size */
84 (*c)->key_len = key_len;
86 return err_status_ok;
87 }
89 err_status_t
90 aes_cbc_dealloc(cipher_t *c) {
91 extern cipher_type_t aes_cbc;
93 /* zeroize entire state*/
94 octet_string_set_to_zero((uint8_t *)c,
95 sizeof(aes_cbc_ctx_t) + sizeof(cipher_t));
97 /* free memory */
98 crypto_free(c);
100 /* decrement ref_count */
101 aes_cbc.ref_count--;
103 return err_status_ok;
104 }
106 err_status_t
107 aes_cbc_context_init(aes_cbc_ctx_t *c, const uint8_t *key, int key_len,
108 cipher_direction_t dir) {
109 err_status_t status;
111 debug_print(mod_aes_cbc,
112 "key: %s", octet_string_hex_string(key, key_len));
114 /* expand key for the appropriate direction */
115 switch (dir) {
116 case (direction_encrypt):
117 status = aes_expand_encryption_key(key, key_len, &c->expanded_key);
118 if (status)
119 return status;
120 break;
121 case (direction_decrypt):
122 status = aes_expand_decryption_key(key, key_len, &c->expanded_key);
123 if (status)
124 return status;
125 break;
126 default:
127 return err_status_bad_param;
128 }
131 return err_status_ok;
132 }
135 err_status_t
136 aes_cbc_set_iv(aes_cbc_ctx_t *c, void *iv) {
137 int i;
138 /* v128_t *input = iv; */
139 uint8_t *input = (uint8_t*) iv;
141 /* set state and 'previous' block to iv */
142 for (i=0; i < 16; i++)
143 c->previous.v8[i] = c->state.v8[i] = input[i];
145 debug_print(mod_aes_cbc, "setting iv: %s", v128_hex_string(&c->state));
147 return err_status_ok;
148 }
150 err_status_t
151 aes_cbc_encrypt(aes_cbc_ctx_t *c,
152 unsigned char *data,
153 unsigned int *bytes_in_data) {
154 int i;
155 unsigned char *input = data; /* pointer to data being read */
156 unsigned char *output = data; /* pointer to data being written */
157 int bytes_to_encr = *bytes_in_data;
159 /*
160 * verify that we're 16-octet aligned
161 */
162 if (*bytes_in_data & 0xf)
163 return err_status_bad_param;
165 /*
166 * note that we assume that the initialization vector has already
167 * been set, e.g. by calling aes_cbc_set_iv()
168 */
169 debug_print(mod_aes_cbc, "iv: %s",
170 v128_hex_string(&c->state));
172 /*
173 * loop over plaintext blocks, exoring state into plaintext then
174 * encrypting and writing to output
175 */
176 while (bytes_to_encr > 0) {
178 /* exor plaintext into state */
179 for (i=0; i < 16; i++)
180 c->state.v8[i] ^= *input++;
182 debug_print(mod_aes_cbc, "inblock: %s",
183 v128_hex_string(&c->state));
185 aes_encrypt(&c->state, &c->expanded_key);
187 debug_print(mod_aes_cbc, "outblock: %s",
188 v128_hex_string(&c->state));
190 /* copy ciphertext to output */
191 for (i=0; i < 16; i++)
192 *output++ = c->state.v8[i];
194 bytes_to_encr -= 16;
195 }
197 return err_status_ok;
198 }
200 err_status_t
201 aes_cbc_decrypt(aes_cbc_ctx_t *c,
202 unsigned char *data,
203 unsigned int *bytes_in_data) {
204 int i;
205 v128_t state, previous;
206 unsigned char *input = data; /* pointer to data being read */
207 unsigned char *output = data; /* pointer to data being written */
208 int bytes_to_encr = *bytes_in_data;
209 uint8_t tmp;
211 /*
212 * verify that we're 16-octet aligned
213 */
214 if (*bytes_in_data & 0x0f)
215 return err_status_bad_param;
217 /* set 'previous' block to iv*/
218 for (i=0; i < 16; i++) {
219 previous.v8[i] = c->previous.v8[i];
220 }
222 debug_print(mod_aes_cbc, "iv: %s",
223 v128_hex_string(&previous));
225 /*
226 * loop over ciphertext blocks, decrypting then exoring with state
227 * then writing plaintext to output
228 */
229 while (bytes_to_encr > 0) {
231 /* set state to ciphertext input block */
232 for (i=0; i < 16; i++) {
233 state.v8[i] = *input++;
234 }
236 debug_print(mod_aes_cbc, "inblock: %s",
237 v128_hex_string(&state));
239 /* decrypt state */
240 aes_decrypt(&state, &c->expanded_key);
242 debug_print(mod_aes_cbc, "outblock: %s",
243 v128_hex_string(&state));
245 /*
246 * exor previous ciphertext block out of plaintext, and write new
247 * plaintext block to output, while copying old ciphertext block
248 * to the 'previous' block
249 */
250 for (i=0; i < 16; i++) {
251 tmp = *output;
252 *output++ = state.v8[i] ^ previous.v8[i];
253 previous.v8[i] = tmp;
254 }
256 bytes_to_encr -= 16;
257 }
259 return err_status_ok;
260 }
263 err_status_t
264 aes_cbc_nist_encrypt(aes_cbc_ctx_t *c,
265 unsigned char *data,
266 unsigned int *bytes_in_data) {
267 int i;
268 unsigned char *pad_start;
269 int num_pad_bytes;
270 err_status_t status;
272 /*
273 * determine the number of padding bytes that we need to add -
274 * this value is always between 1 and 16, inclusive.
275 */
276 num_pad_bytes = 16 - (*bytes_in_data & 0xf);
277 pad_start = data;
278 pad_start += *bytes_in_data;
279 *pad_start++ = 0xa0;
280 for (i=0; i < num_pad_bytes; i++)
281 *pad_start++ = 0x00;
283 /*
284 * increment the data size
285 */
286 *bytes_in_data += num_pad_bytes;
288 /*
289 * now cbc encrypt the padded data
290 */
291 status = aes_cbc_encrypt(c, data, bytes_in_data);
292 if (status)
293 return status;
295 return err_status_ok;
296 }
299 err_status_t
300 aes_cbc_nist_decrypt(aes_cbc_ctx_t *c,
301 unsigned char *data,
302 unsigned int *bytes_in_data) {
303 unsigned char *pad_end;
304 int num_pad_bytes;
305 err_status_t status;
307 /*
308 * cbc decrypt the padded data
309 */
310 status = aes_cbc_decrypt(c, data, bytes_in_data);
311 if (status)
312 return status;
314 /*
315 * determine the number of padding bytes in the decrypted plaintext
316 * - this value is always between 1 and 16, inclusive.
317 */
318 num_pad_bytes = 1;
319 pad_end = data + (*bytes_in_data - 1);
320 while (*pad_end != 0xa0) { /* note: should check padding correctness */
321 pad_end--;
322 num_pad_bytes++;
323 }
325 /* decrement data size */
326 *bytes_in_data -= num_pad_bytes;
328 return err_status_ok;
329 }
332 char
333 aes_cbc_description[] = "aes cipher block chaining (cbc) mode";
335 /*
336 * Test case 0 is derived from FIPS 197 Appendix C; it uses an
337 * all-zero IV, so that the first block encryption matches the test
338 * case in that appendix. This property provides a check of the base
339 * AES encryption and decryption algorithms; if CBC fails on some
340 * particular platform, then you should print out AES intermediate
341 * data and compare with the detailed info provided in that appendix.
342 *
343 */
346 uint8_t aes_cbc_test_case_0_key[16] = {
347 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
348 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
349 };
351 uint8_t aes_cbc_test_case_0_plaintext[64] = {
352 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
353 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
354 };
356 uint8_t aes_cbc_test_case_0_ciphertext[80] = {
357 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30,
358 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a,
359 0x03, 0x35, 0xed, 0x27, 0x67, 0xf2, 0x6d, 0xf1,
360 0x64, 0x83, 0x2e, 0x23, 0x44, 0x38, 0x70, 0x8b
362 };
364 uint8_t aes_cbc_test_case_0_iv[16] = {
365 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
366 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
367 };
370 cipher_test_case_t aes_cbc_test_case_0 = {
371 16, /* octets in key */
372 aes_cbc_test_case_0_key, /* key */
373 aes_cbc_test_case_0_iv, /* initialization vector */
374 16, /* octets in plaintext */
375 aes_cbc_test_case_0_plaintext, /* plaintext */
376 32, /* octets in ciphertext */
377 aes_cbc_test_case_0_ciphertext, /* ciphertext */
378 NULL /* pointer to next testcase */
379 };
382 /*
383 * this test case is taken directly from Appendix F.2 of NIST Special
384 * Publication SP 800-38A
385 */
387 uint8_t aes_cbc_test_case_1_key[16] = {
388 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
389 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
390 };
392 uint8_t aes_cbc_test_case_1_plaintext[64] = {
393 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
394 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
395 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
396 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
397 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
398 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
399 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
400 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
401 };
403 uint8_t aes_cbc_test_case_1_ciphertext[80] = {
404 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46,
405 0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
406 0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee,
407 0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
408 0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b,
409 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
410 0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09,
411 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7,
412 0x39, 0x34, 0x07, 0x03, 0x36, 0xd0, 0x77, 0x99,
413 0xe0, 0xc4, 0x2f, 0xdd, 0xa8, 0xdf, 0x4c, 0xa3
414 };
416 uint8_t aes_cbc_test_case_1_iv[16] = {
417 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
418 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
419 };
421 cipher_test_case_t aes_cbc_test_case_1 = {
422 16, /* octets in key */
423 aes_cbc_test_case_1_key, /* key */
424 aes_cbc_test_case_1_iv, /* initialization vector */
425 64, /* octets in plaintext */
426 aes_cbc_test_case_1_plaintext, /* plaintext */
427 80, /* octets in ciphertext */
428 aes_cbc_test_case_1_ciphertext, /* ciphertext */
429 &aes_cbc_test_case_0 /* pointer to next testcase */
430 };
432 /*
433 * Test case 2 is like test case 0, but for 256-bit keys. (FIPS 197
434 * appendix C.3).
435 */
438 uint8_t aes_cbc_test_case_2_key[32] = {
439 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
440 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
441 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
442 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
443 };
445 uint8_t aes_cbc_test_case_2_plaintext[64] = {
446 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
447 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
448 };
450 uint8_t aes_cbc_test_case_2_ciphertext[80] = {
451 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf,
452 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89,
453 0x72, 0x72, 0x6e, 0xe7, 0x71, 0x39, 0xbf, 0x11,
454 0xe5, 0x40, 0xe2, 0x7c, 0x54, 0x65, 0x1d, 0xee
455 };
457 uint8_t aes_cbc_test_case_2_iv[16] = {
458 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
460 };
462 cipher_test_case_t aes_cbc_test_case_2 = {
463 32, /* octets in key */
464 aes_cbc_test_case_2_key, /* key */
465 aes_cbc_test_case_2_iv, /* initialization vector */
466 16, /* octets in plaintext */
467 aes_cbc_test_case_2_plaintext, /* plaintext */
468 32, /* octets in ciphertext */
469 aes_cbc_test_case_2_ciphertext, /* ciphertext */
470 &aes_cbc_test_case_1 /* pointer to next testcase */
471 };
474 /*
475 * this test case is taken directly from Appendix F.2 of NIST Special
476 * Publication SP 800-38A
477 */
479 uint8_t aes_cbc_test_case_3_key[32] = {
480 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
481 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
482 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
483 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
484 };
486 uint8_t aes_cbc_test_case_3_plaintext[64] = {
487 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
488 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
489 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
490 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
491 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
492 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
493 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
494 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
495 };
497 uint8_t aes_cbc_test_case_3_ciphertext[80] = {
498 0xf5, 0x8c, 0x4c, 0x04, 0xd6, 0xe5, 0xf1, 0xba,
499 0x77, 0x9e, 0xab, 0xfb, 0x5f, 0x7b, 0xfb, 0xd6,
500 0x9c, 0xfc, 0x4e, 0x96, 0x7e, 0xdb, 0x80, 0x8d,
501 0x67, 0x9f, 0x77, 0x7b, 0xc6, 0x70, 0x2c, 0x7d,
502 0x39, 0xf2, 0x33, 0x69, 0xa9, 0xd9, 0xba, 0xcf,
503 0xa5, 0x30, 0xe2, 0x63, 0x04, 0x23, 0x14, 0x61,
504 0xb2, 0xeb, 0x05, 0xe2, 0xc3, 0x9b, 0xe9, 0xfc,
505 0xda, 0x6c, 0x19, 0x07, 0x8c, 0x6a, 0x9d, 0x1b,
506 0xfb, 0x98, 0x20, 0x2c, 0x45, 0xb2, 0xe4, 0xa0,
507 0x63, 0xc4, 0x68, 0xba, 0x84, 0x39, 0x16, 0x5a
508 };
510 uint8_t aes_cbc_test_case_3_iv[16] = {
511 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
512 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
513 };
515 cipher_test_case_t aes_cbc_test_case_3 = {
516 32, /* octets in key */
517 aes_cbc_test_case_3_key, /* key */
518 aes_cbc_test_case_3_iv, /* initialization vector */
519 64, /* octets in plaintext */
520 aes_cbc_test_case_3_plaintext, /* plaintext */
521 80, /* octets in ciphertext */
522 aes_cbc_test_case_3_ciphertext, /* ciphertext */
523 &aes_cbc_test_case_2 /* pointer to next testcase */
524 };
526 cipher_type_t aes_cbc = {
527 (cipher_alloc_func_t) aes_cbc_alloc,
528 (cipher_dealloc_func_t) aes_cbc_dealloc,
529 (cipher_init_func_t) aes_cbc_context_init,
530 (cipher_encrypt_func_t) aes_cbc_nist_encrypt,
531 (cipher_decrypt_func_t) aes_cbc_nist_decrypt,
532 (cipher_set_iv_func_t) aes_cbc_set_iv,
533 (char *) aes_cbc_description,
534 (int) 0, /* instance count */
535 (cipher_test_case_t *) &aes_cbc_test_case_3,
536 (debug_module_t *) &mod_aes_cbc,
537 (cipher_type_id_t) AES_CBC
538 };
