1 /*
2 * Galois/Counter Mode (GCM) and GMAC with AES
3 *
4 * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "rtw_crypto_wrap.h"
11
12 #include "aes.h"
13 #include "aes_wrap.h"
14
inc32(u8 * block)15 static void inc32(u8 *block)
16 {
17 u32 val;
18 val = WPA_GET_BE32(block + AES_BLOCK_SIZE - 4);
19 val++;
20 WPA_PUT_BE32(block + AES_BLOCK_SIZE - 4, val);
21 }
22
23
xor_block(u8 * dst,const u8 * src)24 static void xor_block(u8 *dst, const u8 *src)
25 {
26 u32 *d = (u32 *) dst;
27 u32 *s = (u32 *) src;
28 *d++ ^= *s++;
29 *d++ ^= *s++;
30 *d++ ^= *s++;
31 *d++ ^= *s++;
32 }
33
34
shift_right_block(u8 * v)35 static void shift_right_block(u8 *v)
36 {
37 u32 val;
38
39 val = WPA_GET_BE32(v + 12);
40 val >>= 1;
41 if (v[11] & 0x01)
42 val |= 0x80000000;
43 WPA_PUT_BE32(v + 12, val);
44
45 val = WPA_GET_BE32(v + 8);
46 val >>= 1;
47 if (v[7] & 0x01)
48 val |= 0x80000000;
49 WPA_PUT_BE32(v + 8, val);
50
51 val = WPA_GET_BE32(v + 4);
52 val >>= 1;
53 if (v[3] & 0x01)
54 val |= 0x80000000;
55 WPA_PUT_BE32(v + 4, val);
56
57 val = WPA_GET_BE32(v);
58 val >>= 1;
59 WPA_PUT_BE32(v, val);
60 }
61
62
63 /* Multiplication in GF(2^128) */
gf_mult(const u8 * x,const u8 * y,u8 * z)64 static void gf_mult(const u8 *x, const u8 *y, u8 *z)
65 {
66 u8 v[16];
67 int i, j;
68
69 os_memset(z, 0, 16); /* Z_0 = 0^128 */
70 os_memcpy(v, y, 16); /* V_0 = Y */
71
72 for (i = 0; i < 16; i++) {
73 for (j = 0; j < 8; j++) {
74 if (x[i] & BIT(7 - j)) {
75 /* Z_(i + 1) = Z_i XOR V_i */
76 xor_block(z, v);
77 } else {
78 /* Z_(i + 1) = Z_i */
79 }
80
81 if (v[15] & 0x01) {
82 /* V_(i + 1) = (V_i >> 1) XOR R */
83 shift_right_block(v);
84 /* R = 11100001 || 0^120 */
85 v[0] ^= 0xe1;
86 } else {
87 /* V_(i + 1) = V_i >> 1 */
88 shift_right_block(v);
89 }
90 }
91 }
92 }
93
94
ghash_start(u8 * y)95 static void ghash_start(u8 *y)
96 {
97 /* Y_0 = 0^128 */
98 os_memset(y, 0, 16);
99 }
100
101
ghash(const u8 * h,const u8 * x,size_t xlen,u8 * y)102 static void ghash(const u8 *h, const u8 *x, size_t xlen, u8 *y)
103 {
104 size_t m, i;
105 const u8 *xpos = x;
106 u8 tmp[16];
107
108 m = xlen / 16;
109
110 for (i = 0; i < m; i++) {
111 /* Y_i = (Y^(i-1) XOR X_i) dot H */
112 xor_block(y, xpos);
113 xpos += 16;
114
115 /* dot operation:
116 * multiplication operation for binary Galois (finite) field of
117 * 2^128 elements */
118 gf_mult(y, h, tmp);
119 os_memcpy(y, tmp, 16);
120 }
121
122 if (x + xlen > xpos) {
123 /* Add zero padded last block */
124 size_t last = x + xlen - xpos;
125 os_memcpy(tmp, xpos, last);
126 os_memset(tmp + last, 0, sizeof(tmp) - last);
127
128 /* Y_i = (Y^(i-1) XOR X_i) dot H */
129 xor_block(y, tmp);
130
131 /* dot operation:
132 * multiplication operation for binary Galois (finite) field of
133 * 2^128 elements */
134 gf_mult(y, h, tmp);
135 os_memcpy(y, tmp, 16);
136 }
137
138 /* Return Y_m */
139 }
140
141
aes_gctr(void * aes,const u8 * icb,const u8 * x,size_t xlen,u8 * y)142 static void aes_gctr(void *aes, const u8 *icb, const u8 *x, size_t xlen, u8 *y)
143 {
144 size_t i, n, last;
145 u8 cb[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE];
146 const u8 *xpos = x;
147 u8 *ypos = y;
148
149 if (xlen == 0)
150 return;
151
152 n = xlen / 16;
153
154 os_memcpy(cb, icb, AES_BLOCK_SIZE);
155 /* Full blocks */
156 for (i = 0; i < n; i++) {
157 aes_encrypt(aes, cb, ypos);
158 xor_block(ypos, xpos);
159 xpos += AES_BLOCK_SIZE;
160 ypos += AES_BLOCK_SIZE;
161 inc32(cb);
162 }
163
164 last = x + xlen - xpos;
165 if (last) {
166 /* Last, partial block */
167 aes_encrypt(aes, cb, tmp);
168 for (i = 0; i < last; i++)
169 *ypos++ = *xpos++ ^ tmp[i];
170 }
171 }
172
173
aes_gcm_init_hash_subkey(const u8 * key,size_t key_len,u8 * H)174 static void * aes_gcm_init_hash_subkey(const u8 *key, size_t key_len, u8 *H)
175 {
176 void *aes;
177
178 aes = aes_encrypt_init(key, key_len);
179 if (aes == NULL)
180 return NULL;
181
182 /* Generate hash subkey H = AES_K(0^128) */
183 os_memset(H, 0, AES_BLOCK_SIZE);
184 aes_encrypt(aes, H, H);
185 wpa_hexdump_key(_MSG_EXCESSIVE_, "Hash subkey H for GHASH",
186 H, AES_BLOCK_SIZE);
187 return aes;
188 }
189
190
aes_gcm_prepare_j0(const u8 * iv,size_t iv_len,const u8 * H,u8 * J0)191 static void aes_gcm_prepare_j0(const u8 *iv, size_t iv_len, const u8 *H, u8 *J0)
192 {
193 u8 len_buf[16];
194
195 if (iv_len == 12) {
196 /* Prepare block J_0 = IV || 0^31 || 1 [len(IV) = 96] */
197 os_memcpy(J0, iv, iv_len);
198 os_memset(J0 + iv_len, 0, AES_BLOCK_SIZE - iv_len);
199 J0[AES_BLOCK_SIZE - 1] = 0x01;
200 } else {
201 /*
202 * s = 128 * ceil(len(IV)/128) - len(IV)
203 * J_0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64)
204 */
205 ghash_start(J0);
206 ghash(H, iv, iv_len, J0);
207 WPA_PUT_BE64(len_buf, 0);
208 WPA_PUT_BE64(len_buf + 8, iv_len * 8);
209 ghash(H, len_buf, sizeof(len_buf), J0);
210 }
211 }
212
213
aes_gcm_gctr(void * aes,const u8 * J0,const u8 * in,size_t len,u8 * out)214 static void aes_gcm_gctr(void *aes, const u8 *J0, const u8 *in, size_t len,
215 u8 *out)
216 {
217 u8 J0inc[AES_BLOCK_SIZE];
218
219 if (len == 0)
220 return;
221
222 os_memcpy(J0inc, J0, AES_BLOCK_SIZE);
223 inc32(J0inc);
224 aes_gctr(aes, J0inc, in, len, out);
225 }
226
227
aes_gcm_ghash(const u8 * H,const u8 * aad,size_t aad_len,const u8 * crypt,size_t crypt_len,u8 * S)228 static void aes_gcm_ghash(const u8 *H, const u8 *aad, size_t aad_len,
229 const u8 *crypt, size_t crypt_len, u8 *S)
230 {
231 u8 len_buf[16];
232
233 /*
234 * u = 128 * ceil[len(C)/128] - len(C)
235 * v = 128 * ceil[len(A)/128] - len(A)
236 * S = GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64)
237 * (i.e., zero padded to block size A || C and lengths of each in bits)
238 */
239 ghash_start(S);
240 ghash(H, aad, aad_len, S);
241 ghash(H, crypt, crypt_len, S);
242 WPA_PUT_BE64(len_buf, aad_len * 8);
243 WPA_PUT_BE64(len_buf + 8, crypt_len * 8);
244 ghash(H, len_buf, sizeof(len_buf), S);
245
246 wpa_hexdump_key(_MSG_EXCESSIVE_, "S = GHASH_H(...)", S, 16);
247 }
248
249
250 /**
251 * aes_gcm_ae - GCM-AE_K(IV, P, A)
252 */
aes_gcm_ae(const u8 * key,size_t key_len,const u8 * iv,size_t iv_len,const u8 * plain,size_t plain_len,const u8 * aad,size_t aad_len,u8 * crypt,u8 * tag)253 int aes_gcm_ae(const u8 *key, size_t key_len, const u8 *iv, size_t iv_len,
254 const u8 *plain, size_t plain_len,
255 const u8 *aad, size_t aad_len, u8 *crypt, u8 *tag)
256 {
257 u8 H[AES_BLOCK_SIZE];
258 u8 J0[AES_BLOCK_SIZE];
259 u8 S[16];
260 void *aes;
261
262 aes = aes_gcm_init_hash_subkey(key, key_len, H);
263 if (aes == NULL)
264 return -1;
265
266 aes_gcm_prepare_j0(iv, iv_len, H, J0);
267
268 /* C = GCTR_K(inc_32(J_0), P) */
269 aes_gcm_gctr(aes, J0, plain, plain_len, crypt);
270
271 aes_gcm_ghash(H, aad, aad_len, crypt, plain_len, S);
272
273 /* T = MSB_t(GCTR_K(J_0, S)) */
274 aes_gctr(aes, J0, S, sizeof(S), tag);
275
276 /* Return (C, T) */
277
278 aes_encrypt_deinit(aes);
279
280 return 0;
281 }
282
283
284 /**
285 * aes_gcm_ad - GCM-AD_K(IV, C, A, T)
286 */
aes_gcm_ad(const u8 * key,size_t key_len,const u8 * iv,size_t iv_len,const u8 * crypt,size_t crypt_len,const u8 * aad,size_t aad_len,const u8 * tag,u8 * plain)287 int aes_gcm_ad(const u8 *key, size_t key_len, const u8 *iv, size_t iv_len,
288 const u8 *crypt, size_t crypt_len,
289 const u8 *aad, size_t aad_len, const u8 *tag, u8 *plain)
290 {
291 u8 H[AES_BLOCK_SIZE];
292 u8 J0[AES_BLOCK_SIZE];
293 u8 S[16], T[16];
294 void *aes;
295
296 aes = aes_gcm_init_hash_subkey(key, key_len, H);
297 if (aes == NULL)
298 return -1;
299
300 aes_gcm_prepare_j0(iv, iv_len, H, J0);
301
302 /* P = GCTR_K(inc_32(J_0), C) */
303 aes_gcm_gctr(aes, J0, crypt, crypt_len, plain);
304
305 aes_gcm_ghash(H, aad, aad_len, crypt, crypt_len, S);
306
307 /* T' = MSB_t(GCTR_K(J_0, S)) */
308 aes_gctr(aes, J0, S, sizeof(S), T);
309
310 aes_encrypt_deinit(aes);
311
312 if (os_memcmp_const(tag, T, 16) != 0) {
313 wpa_printf(_MSG_EXCESSIVE_, "GCM: Tag mismatch");
314 return -1;
315 }
316
317 return 0;
318 }
319
320
aes_gmac(const u8 * key,size_t key_len,const u8 * iv,size_t iv_len,const u8 * aad,size_t aad_len,u8 * tag)321 int aes_gmac(const u8 *key, size_t key_len, const u8 *iv, size_t iv_len,
322 const u8 *aad, size_t aad_len, u8 *tag)
323 {
324 return aes_gcm_ae(key, key_len, iv, iv_len, NULL, 0, aad, aad_len, NULL,
325 tag);
326 }
327