crypto/aes/aes_ige.c

   1 /* crypto/aes/aes_ige.c -*- mode:C; c-file-style: "eay" -*- */
   2 /* ====================================================================
   3  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in
  14  *    the documentation and/or other materials provided with the
  15  *    distribution.
  16  *
  17  * 3. All advertising materials mentioning features or use of this
  18  *    software must display the following acknowledgment:
  19  *    "This product includes software developed by the OpenSSL Project
  20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  21  *
  22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  23  *    endorse or promote products derived from this software without
  24  *    prior written permission. For written permission, please contact
  25  *    openssl-core@openssl.org.
  26  *
  27  * 5. Products derived from this software may not be called "OpenSSL"
  28  *    nor may "OpenSSL" appear in their names without prior written
  29  *    permission of the OpenSSL Project.
  30  *
  31  * 6. Redistributions of any form whatsoever must retain the following
  32  *    acknowledgment:
  33  *    "This product includes software developed by the OpenSSL Project
  34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  35  *
  36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  47  * OF THE POSSIBILITY OF SUCH DAMAGE.
  48  * ====================================================================
  49  *
  50  */
  51
  52 #include "cryptlib.h"
  53
  54 #include <openssl/aes.h>
  55 #include "aes_locl.h"
  56
  57 #define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
  58 typedef struct {
  59         unsigned long data[N_WORDS];
  60 } aes_block_t;
  61
  62 /* XXX: probably some better way to do this */
  63 #if defined(__i386__) || defined(__x86_64__)
  64 #define UNALIGNED_MEMOPS_ARE_FAST 1
  65 #endif
  66
  67 #ifdef UNALIGNED_MEMOPS_ARE_FAST
  68 #define load_block(d, s)        (d) = *(const aes_block_t *)(s)
  69 #define store_block(d, s)       *(aes_block_t *)(d) = (s)
  70 #else
  71 #define load_block(d, s)        memcpy((d).data, (s), AES_BLOCK_SIZE)
  72 #define store_block(d, s)       memcpy((d), (s).data, AES_BLOCK_SIZE)
  73 #endif
  74
  75 /* N.B. The IV for this mode is _twice_ the block size */
  76
  77 void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
  78                                          const unsigned long length, const AES_KEY *key,
  79                                          unsigned char *ivec, const int enc)
  80         {
  81         unsigned long n;
  82         unsigned long len;
  83
  84         OPENSSL_assert(in && out && key && ivec);
  85         OPENSSL_assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
  86         OPENSSL_assert((length%AES_BLOCK_SIZE) == 0);
  87
  88         len = length / AES_BLOCK_SIZE;
  89
  90         if (AES_ENCRYPT == enc)
  91                 {
  92                 if (in != out)
  93                         {
  94                         aes_block_t *ivp = (aes_block_t *)ivec;
  95                         aes_block_t *iv2p = (aes_block_t *)(ivec + AES_BLOCK_SIZE);
  96
  97                         while (len)
  98                                 {
  99                                 aes_block_t *inp = (aes_block_t *)in;
 100                                 aes_block_t *outp = (aes_block_t *)out;
 101
 102                                 for(n=0 ; n < N_WORDS; ++n)
 103                                         outp->data[n] = inp->data[n] ^ ivp->data[n];
 104                                 AES_encrypt((unsigned char *)outp->data, (unsigned char *)outp->data, key);
 105                                 for(n=0 ; n < N_WORDS; ++n)
 106                                         outp->data[n] ^= iv2p->data[n];
 107                                 ivp = outp;
 108                                 iv2p = inp;
 109                                 --len;
 110                                 in += AES_BLOCK_SIZE;
 111                                 out += AES_BLOCK_SIZE;
 112                                 }
 113                         memcpy(ivec, ivp->data, AES_BLOCK_SIZE);
 114                         memcpy(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
 115                         }
 116                 else
 117                         {
 118                         aes_block_t tmp, tmp2;
 119                         aes_block_t iv;
 120                         aes_block_t iv2;
 121
 122                         load_block(iv, ivec);
 123                         load_block(iv2, ivec + AES_BLOCK_SIZE);
 124
 125                         while (len)
 126                                 {
 127                                 load_block(tmp, in);
 128                                 for(n=0 ; n < N_WORDS; ++n)
 129                                         tmp2.data[n] = tmp.data[n] ^ iv.data[n];
 130                                 AES_encrypt((unsigned char *)tmp2.data, (unsigned char *)tmp2.data, key);
 131                                 for(n=0 ; n < N_WORDS; ++n)
 132                                         tmp2.data[n] ^= iv2.data[n];
 133                                 store_block(out, tmp2);
 134                                 iv = tmp2;
 135                                 iv2 = tmp;
 136                                 --len;
 137                                 in += AES_BLOCK_SIZE;
 138                                 out += AES_BLOCK_SIZE;
 139                                 }
 140                         memcpy(ivec, iv.data, AES_BLOCK_SIZE);
 141                         memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
 142                         }
 143                 }
 144         else
 145                 {
 146                 if(in != out)
 147                         {
 148                         aes_block_t *ivp = (aes_block_t *)ivec;
 149                         aes_block_t *iv2p = (aes_block_t *)(ivec + AES_BLOCK_SIZE);
 150
 151                         while (len)
 152                                 {
 153                                 aes_block_t tmp;
 154                                 aes_block_t *inp = (aes_block_t *)in;
 155                                 aes_block_t *outp = (aes_block_t *)out;
 156
 157                                 for(n=0 ; n < N_WORDS; ++n)
 158                                         tmp.data[n] = inp->data[n] ^ iv2p->data[n];
 159                                 AES_decrypt((unsigned char *)tmp.data, (unsigned char *)outp->data, key);
 160                                 for(n=0 ; n < N_WORDS; ++n)
 161                                         outp->data[n] ^= ivp->data[n];
 162                                 ivp = inp;
 163                                 iv2p = outp;
 164                                 --len;
 165                                 in += AES_BLOCK_SIZE;
 166                                 out += AES_BLOCK_SIZE;
 167                                 }
 168                         memcpy(ivec, ivp->data, AES_BLOCK_SIZE);
 169                         memcpy(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
 170                         }
 171                 else
 172                         {
 173                         aes_block_t tmp, tmp2;
 174                         aes_block_t iv;
 175                         aes_block_t iv2;
 176
 177                         load_block(iv, ivec);
 178                         load_block(iv2, ivec + AES_BLOCK_SIZE);
 179
 180                         while (len)
 181                                 {
 182                                 load_block(tmp, in);
 183                                 tmp2 = tmp;
 184                                 for(n=0 ; n < N_WORDS; ++n)
 185                                         tmp.data[n] ^= iv2.data[n];
 186                                 AES_decrypt((unsigned char *)tmp.data, (unsigned char *)tmp.data, key);
 187                                 for(n=0 ; n < N_WORDS; ++n)
 188                                         tmp.data[n] ^= iv.data[n];
 189                                 store_block(out, tmp);
 190                                 iv = tmp2;
 191                                 iv2 = tmp;
 192                                 --len;
 193                                 in += AES_BLOCK_SIZE;
 194                                 out += AES_BLOCK_SIZE;
 195                                 }
 196                         memcpy(ivec, iv.data, AES_BLOCK_SIZE);
 197                         memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
 198                         }
 199                 }
 200         }
 201
 202 /*
 203  * Note that its effectively impossible to do biIGE in anything other
 204  * than a single pass, so no provision is made for chaining.
 205  */
 206
 207 /* N.B. The IV for this mode is _four times_ the block size */
 208
 209 void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out,
 210                                                 const unsigned long length, const AES_KEY *key,
 211                                                 const AES_KEY *key2, const unsigned char *ivec,
 212                                                 const int enc)
 213         {
 214         unsigned long n;
 215         unsigned long len = length;
 216         unsigned char tmp[AES_BLOCK_SIZE];
 217         unsigned char tmp2[AES_BLOCK_SIZE];
 218         unsigned char tmp3[AES_BLOCK_SIZE];
 219         unsigned char prev[AES_BLOCK_SIZE];
 220         const unsigned char *iv;
 221         const unsigned char *iv2;
 222
 223         OPENSSL_assert(in && out && key && ivec);
 224         OPENSSL_assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
 225         OPENSSL_assert((length%AES_BLOCK_SIZE) == 0);
 226
 227         if (AES_ENCRYPT == enc)
 228                 {
 229                 /* XXX: Do a separate case for when in != out (strictly should
 230                    check for overlap, too) */
 231
 232                 /* First the forward pass */
 233                 iv = ivec;
 234                 iv2 = ivec + AES_BLOCK_SIZE;
 235                 while (len >= AES_BLOCK_SIZE)
 236                         {
 237                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 238                                 out[n] = in[n] ^ iv[n];
 239                         AES_encrypt(out, out, key);
 240                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 241                                 out[n] ^= iv2[n];
 242                         iv = out;
 243                         memcpy(prev, in, AES_BLOCK_SIZE);
 244                         iv2 = prev;
 245                         len -= AES_BLOCK_SIZE;
 246                         in += AES_BLOCK_SIZE;
 247                         out += AES_BLOCK_SIZE;
 248                         }
 249
 250                 /* And now backwards */
 251                 iv = ivec + AES_BLOCK_SIZE*2;
 252                 iv2 = ivec + AES_BLOCK_SIZE*3;
 253                 len = length;
 254                 while(len >= AES_BLOCK_SIZE)
 255                         {
 256                         out -= AES_BLOCK_SIZE;
 257                         /* XXX: reduce copies by alternating between buffers */
 258                         memcpy(tmp, out, AES_BLOCK_SIZE);
 259                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 260                                 out[n] ^= iv[n];
 261                         /*                      hexdump(stdout, "out ^ iv", out, AES_BLOCK_SIZE); */
 262                         AES_encrypt(out, out, key);
 263                         /*                      hexdump(stdout,"enc", out, AES_BLOCK_SIZE); */
 264                         /*                      hexdump(stdout,"iv2", iv2, AES_BLOCK_SIZE); */
 265                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 266                                 out[n] ^= iv2[n];
 267                         /*                      hexdump(stdout,"out", out, AES_BLOCK_SIZE); */
 268                         iv = out;
 269                         memcpy(prev, tmp, AES_BLOCK_SIZE);
 270                         iv2 = prev;
 271                         len -= AES_BLOCK_SIZE;
 272                         }
 273                 }
 274         else
 275                 {
 276                 /* First backwards */
 277                 iv = ivec + AES_BLOCK_SIZE*2;
 278                 iv2 = ivec + AES_BLOCK_SIZE*3;
 279                 in += length;
 280                 out += length;
 281                 while (len >= AES_BLOCK_SIZE)
 282                         {
 283                         in -= AES_BLOCK_SIZE;
 284                         out -= AES_BLOCK_SIZE;
 285                         memcpy(tmp, in, AES_BLOCK_SIZE);
 286                         memcpy(tmp2, in, AES_BLOCK_SIZE);
 287                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 288                                 tmp[n] ^= iv2[n];
 289                         AES_decrypt(tmp, out, key);
 290                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 291                                 out[n] ^= iv[n];
 292                         memcpy(tmp3, tmp2, AES_BLOCK_SIZE);
 293                         iv = tmp3;
 294                         iv2 = out;
 295                         len -= AES_BLOCK_SIZE;
 296                         }
 297
 298                 /* And now forwards */
 299                 iv = ivec;
 300                 iv2 = ivec + AES_BLOCK_SIZE;
 301                 len = length;
 302                 while (len >= AES_BLOCK_SIZE)
 303                         {
 304                         memcpy(tmp, out, AES_BLOCK_SIZE);
 305                         memcpy(tmp2, out, AES_BLOCK_SIZE);
 306                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 307                                 tmp[n] ^= iv2[n];
 308                         AES_decrypt(tmp, out, key);
 309                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
 310                                 out[n] ^= iv[n];
 311                         memcpy(tmp3, tmp2, AES_BLOCK_SIZE);
 312                         iv = tmp3;
 313                         iv2 = out;
 314                         len -= AES_BLOCK_SIZE;
 315                         in += AES_BLOCK_SIZE;
 316                         out += AES_BLOCK_SIZE;
 317                         }
 318                 }
 319         }