4
* AES Cipher Block Chaining Mode
12
* Copyright (c) 2001-2006, Cisco Systems, Inc.
13
* All rights reserved.
15
* Redistribution and use in source and binary forms, with or without
16
* modification, are permitted provided that the following conditions
19
* Redistributions of source code must retain the above copyright
20
* notice, this list of conditions and the following disclaimer.
22
* Redistributions in binary form must reproduce the above
23
* copyright notice, this list of conditions and the following
24
* disclaimer in the documentation and/or other materials provided
25
* with the distribution.
27
* Neither the name of the Cisco Systems, Inc. nor the names of its
28
* contributors may be used to endorse or promote products derived
29
* from this software without specific prior written permission.
31
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
32
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
33
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
34
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
35
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
36
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
37
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
38
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
40
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
41
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
42
* OF THE POSSIBILITY OF SUCH DAMAGE.
50
debug_module_t mod_aes_cbc = {
51
0, /* debugging is off by default */
52
"aes cbc" /* printable module name */
58
aes_cbc_alloc(cipher_t **c, int key_len) {
59
extern cipher_type_t aes_cbc;
63
debug_print(mod_aes_cbc,
64
"allocating cipher with key length %d", key_len);
67
return err_status_bad_param;
69
/* allocate memory a cipher of type aes_icm */
70
tmp = (sizeof(aes_cbc_ctx_t) + sizeof(cipher_t));
71
pointer = (uint8_t*)crypto_alloc(tmp);
73
return err_status_alloc_fail;
76
*c = (cipher_t *)pointer;
77
(*c)->type = &aes_cbc;
78
(*c)->state = pointer + sizeof(cipher_t);
80
/* increment ref_count */
84
(*c)->key_len = key_len;
90
aes_cbc_dealloc(cipher_t *c) {
91
extern cipher_type_t aes_cbc;
93
/* zeroize entire state*/
94
octet_string_set_to_zero((uint8_t *)c,
95
sizeof(aes_cbc_ctx_t) + sizeof(cipher_t));
100
/* decrement ref_count */
103
return err_status_ok;
107
aes_cbc_context_init(aes_cbc_ctx_t *c, const uint8_t *key,
108
cipher_direction_t dir) {
111
/* set tmp_key (for alignment) */
112
v128_copy_octet_string(&tmp_key, key);
114
debug_print(mod_aes_cbc,
115
"key: %s", v128_hex_string(&tmp_key));
117
/* expand key for the appropriate direction */
119
case (direction_encrypt):
120
aes_expand_encryption_key(&tmp_key, c->expanded_key);
122
case (direction_decrypt):
123
aes_expand_decryption_key(&tmp_key, c->expanded_key);
126
return err_status_bad_param;
130
return err_status_ok;
135
aes_cbc_set_iv(aes_cbc_ctx_t *c, void *iv) {
137
/* v128_t *input = iv; */
138
uint8_t *input = (uint8_t*) iv;
140
/* set state and 'previous' block to iv */
141
for (i=0; i < 16; i++)
142
c->previous.v8[i] = c->state.v8[i] = input[i];
144
debug_print(mod_aes_cbc, "setting iv: %s", v128_hex_string(&c->state));
146
return err_status_ok;
150
aes_cbc_encrypt(aes_cbc_ctx_t *c,
152
unsigned int *bytes_in_data) {
154
unsigned char *input = data; /* pointer to data being read */
155
unsigned char *output = data; /* pointer to data being written */
156
int bytes_to_encr = *bytes_in_data;
159
* verify that we're 16-octet aligned
161
if (*bytes_in_data & 0xf)
162
return err_status_bad_param;
165
* note that we assume that the initialization vector has already
166
* been set, e.g. by calling aes_cbc_set_iv()
168
debug_print(mod_aes_cbc, "iv: %s",
169
v128_hex_string(&c->state));
172
* loop over plaintext blocks, exoring state into plaintext then
173
* encrypting and writing to output
175
while (bytes_to_encr > 0) {
177
/* exor plaintext into state */
178
for (i=0; i < 16; i++)
179
c->state.v8[i] ^= *input++;
181
debug_print(mod_aes_cbc, "inblock: %s",
182
v128_hex_string(&c->state));
184
aes_encrypt(&c->state, c->expanded_key);
186
debug_print(mod_aes_cbc, "outblock: %s",
187
v128_hex_string(&c->state));
189
/* copy ciphertext to output */
190
for (i=0; i < 16; i++)
191
*output++ = c->state.v8[i];
196
return err_status_ok;
200
aes_cbc_decrypt(aes_cbc_ctx_t *c,
202
unsigned int *bytes_in_data) {
204
v128_t state, previous;
205
unsigned char *input = data; /* pointer to data being read */
206
unsigned char *output = data; /* pointer to data being written */
207
int bytes_to_encr = *bytes_in_data;
211
* verify that we're 16-octet aligned
213
if (*bytes_in_data & 0x0f)
214
return err_status_bad_param;
216
/* set 'previous' block to iv*/
217
for (i=0; i < 16; i++) {
218
previous.v8[i] = c->previous.v8[i];
221
debug_print(mod_aes_cbc, "iv: %s",
222
v128_hex_string(&previous));
225
* loop over ciphertext blocks, decrypting then exoring with state
226
* then writing plaintext to output
228
while (bytes_to_encr > 0) {
230
/* set state to ciphertext input block */
231
for (i=0; i < 16; i++) {
232
state.v8[i] = *input++;
235
debug_print(mod_aes_cbc, "inblock: %s",
236
v128_hex_string(&state));
239
aes_decrypt(&state, c->expanded_key);
241
debug_print(mod_aes_cbc, "outblock: %s",
242
v128_hex_string(&state));
245
* exor previous ciphertext block out of plaintext, and write new
246
* plaintext block to output, while copying old ciphertext block
247
* to the 'previous' block
249
for (i=0; i < 16; i++) {
251
*output++ = state.v8[i] ^ previous.v8[i];
252
previous.v8[i] = tmp;
258
return err_status_ok;
263
aes_cbc_nist_encrypt(aes_cbc_ctx_t *c,
265
unsigned int *bytes_in_data) {
267
unsigned char *pad_start;
272
* determine the number of padding bytes that we need to add -
273
* this value is always between 1 and 16, inclusive.
275
num_pad_bytes = 16 - (*bytes_in_data & 0xf);
277
pad_start += *bytes_in_data;
279
for (i=0; i < num_pad_bytes; i++)
283
* increment the data size
285
*bytes_in_data += num_pad_bytes;
288
* now cbc encrypt the padded data
290
status = aes_cbc_encrypt(c, data, bytes_in_data);
294
return err_status_ok;
299
aes_cbc_nist_decrypt(aes_cbc_ctx_t *c,
301
unsigned int *bytes_in_data) {
302
unsigned char *pad_end;
307
* cbc decrypt the padded data
309
status = aes_cbc_decrypt(c, data, bytes_in_data);
314
* determine the number of padding bytes in the decrypted plaintext
315
* - this value is always between 1 and 16, inclusive.
318
pad_end = data + (*bytes_in_data - 1);
319
while (*pad_end != 0xa0) { /* note: should check padding correctness */
324
/* decrement data size */
325
*bytes_in_data -= num_pad_bytes;
327
return err_status_ok;
332
aes_cbc_description[] = "aes cipher block chaining (cbc) mode";
335
* Test case 0 is derived from FIPS 197 Appendix A; it uses an
336
* all-zero IV, so that the first block encryption matches the test
337
* case in that appendix. This property provides a check of the base
338
* AES encryption and decryption algorithms; if CBC fails on some
339
* particular platform, then you should print out AES intermediate
340
* data and compare with the detailed info provided in that appendix.
345
uint8_t aes_cbc_test_case_0_key[16] = {
346
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
347
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
350
uint8_t aes_cbc_test_case_0_plaintext[64] = {
351
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
352
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
355
uint8_t aes_cbc_test_case_0_ciphertext[80] = {
356
0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30,
357
0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a,
358
0x03, 0x35, 0xed, 0x27, 0x67, 0xf2, 0x6d, 0xf1,
359
0x64, 0x83, 0x2e, 0x23, 0x44, 0x38, 0x70, 0x8b
363
uint8_t aes_cbc_test_case_0_iv[16] = {
364
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
365
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
369
cipher_test_case_t aes_cbc_test_case_0 = {
370
16, /* octets in key */
371
aes_cbc_test_case_0_key, /* key */
372
aes_cbc_test_case_0_iv, /* initialization vector */
373
16, /* octets in plaintext */
374
aes_cbc_test_case_0_plaintext, /* plaintext */
375
32, /* octets in ciphertext */
376
aes_cbc_test_case_0_ciphertext, /* ciphertext */
377
NULL /* pointer to next testcase */
382
* this test case is taken directly from Appendix F.2 of NIST Special
383
* Publication SP 800-38A
386
uint8_t aes_cbc_test_case_1_key[16] = {
387
0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
388
0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
391
uint8_t aes_cbc_test_case_1_plaintext[64] = {
392
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
393
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
394
0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
395
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
396
0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
397
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
398
0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
399
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
402
uint8_t aes_cbc_test_case_1_ciphertext[80] = {
403
0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46,
404
0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
405
0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee,
406
0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
407
0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b,
408
0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
409
0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09,
410
0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7,
411
0x39, 0x34, 0x07, 0x03, 0x36, 0xd0, 0x77, 0x99,
412
0xe0, 0xc4, 0x2f, 0xdd, 0xa8, 0xdf, 0x4c, 0xa3
415
uint8_t aes_cbc_test_case_1_iv[16] = {
416
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
417
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
420
cipher_test_case_t aes_cbc_test_case_1 = {
421
16, /* octets in key */
422
aes_cbc_test_case_1_key, /* key */
423
aes_cbc_test_case_1_iv, /* initialization vector */
424
64, /* octets in plaintext */
425
aes_cbc_test_case_1_plaintext, /* plaintext */
426
80, /* octets in ciphertext */
427
aes_cbc_test_case_1_ciphertext, /* ciphertext */
428
&aes_cbc_test_case_0 /* pointer to next testcase */
431
cipher_type_t aes_cbc = {
432
(cipher_alloc_func_t) aes_cbc_alloc,
433
(cipher_dealloc_func_t) aes_cbc_dealloc,
434
(cipher_init_func_t) aes_cbc_context_init,
435
(cipher_encrypt_func_t) aes_cbc_nist_encrypt,
436
(cipher_decrypt_func_t) aes_cbc_nist_decrypt,
437
(cipher_set_iv_func_t) aes_cbc_set_iv,
438
(char *) aes_cbc_description,
439
(int) 0, /* instance count */
440
(cipher_test_case_t *) &aes_cbc_test_case_0,
441
(debug_module_t *) &mod_aes_cbc