/src/libsrtp/crypto/cipher/aes_icm.c
Line | Count | Source |
1 | | /* |
2 | | * aes_icm.c |
3 | | * |
4 | | * AES Integer Counter Mode |
5 | | * |
6 | | * David A. McGrew |
7 | | * Cisco Systems, Inc. |
8 | | */ |
9 | | |
10 | | /* |
11 | | * |
12 | | * Copyright (c) 2001-2017 Cisco Systems, Inc. |
13 | | * All rights reserved. |
14 | | * |
15 | | * Redistribution and use in source and binary forms, with or without |
16 | | * modification, are permitted provided that the following conditions |
17 | | * are met: |
18 | | * |
19 | | * Redistributions of source code must retain the above copyright |
20 | | * notice, this list of conditions and the following disclaimer. |
21 | | * |
22 | | * Redistributions in binary form must reproduce the above |
23 | | * copyright notice, this list of conditions and the following |
24 | | * disclaimer in the documentation and/or other materials provided |
25 | | * with the distribution. |
26 | | * |
27 | | * Neither the name of the Cisco Systems, Inc. nor the names of its |
28 | | * contributors may be used to endorse or promote products derived |
29 | | * from this software without specific prior written permission. |
30 | | * |
31 | | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
32 | | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
33 | | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
34 | | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
35 | | * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, |
36 | | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
37 | | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
38 | | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
39 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
40 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
41 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
42 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
43 | | * |
44 | | */ |
45 | | |
46 | | #ifdef HAVE_CONFIG_H |
47 | | #include <config.h> |
48 | | #endif |
49 | | |
50 | | #define ALIGN_32 0 |
51 | | |
52 | | #include "aes_icm.h" |
53 | | #include "alloc.h" |
54 | | #include "cipher_types.h" |
55 | | #include "cipher_test_cases.h" |
56 | | |
57 | | srtp_debug_module_t srtp_mod_aes_icm = { |
58 | | false, /* debugging is off by default */ |
59 | | "aes icm" /* printable module name */ |
60 | | }; |
61 | | |
62 | | /* |
63 | | * integer counter mode works as follows: |
64 | | * |
65 | | * 16 bits |
66 | | * <-----> |
67 | | * +------+------+------+------+------+------+------+------+ |
68 | | * | nonce | pakcet index | ctr |---+ |
69 | | * +------+------+------+------+------+------+------+------+ | |
70 | | * | |
71 | | * +------+------+------+------+------+------+------+------+ v |
72 | | * | salt |000000|->(+) |
73 | | * +------+------+------+------+------+------+------+------+ | |
74 | | * | |
75 | | * +---------+ |
76 | | * | encrypt | |
77 | | * +---------+ |
78 | | * | |
79 | | * +------+------+------+------+------+------+------+------+ | |
80 | | * | keystream block |<--+ |
81 | | * +------+------+------+------+------+------+------+------+ |
82 | | * |
83 | | * All fields are big-endian |
84 | | * |
85 | | * ctr is the block counter, which increments from zero for |
86 | | * each packet (16 bits wide) |
87 | | * |
88 | | * packet index is distinct for each packet (48 bits wide) |
89 | | * |
90 | | * nonce can be distinct across many uses of the same key, or |
91 | | * can be a fixed value per key, or can be per-packet randomness |
92 | | * (64 bits) |
93 | | * |
94 | | */ |
95 | | |
96 | | static srtp_err_status_t srtp_aes_icm_alloc(srtp_cipher_t **c, |
97 | | size_t key_len, |
98 | | size_t tlen) |
99 | 4.11k | { |
100 | 4.11k | srtp_aes_icm_ctx_t *icm; |
101 | 4.11k | (void)tlen; |
102 | | |
103 | 4.11k | debug_print(srtp_mod_aes_icm, "allocating cipher with key length %zu", |
104 | 4.11k | key_len); |
105 | | |
106 | | /* |
107 | | * The check for key_len = 30/46 does not apply. Our usage |
108 | | * of aes functions with key_len = values other than 30 |
109 | | * has not broken anything. Don't know what would be the |
110 | | * effect of skipping this check for srtp in general. |
111 | | */ |
112 | 4.11k | if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && |
113 | 2.49k | key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { |
114 | 0 | return srtp_err_status_bad_param; |
115 | 0 | } |
116 | | |
117 | | /* allocate memory a cipher of type aes_icm */ |
118 | 4.11k | *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); |
119 | 4.11k | if (*c == NULL) { |
120 | 0 | return srtp_err_status_alloc_fail; |
121 | 0 | } |
122 | | |
123 | 4.11k | icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t)); |
124 | 4.11k | if (icm == NULL) { |
125 | 0 | srtp_crypto_free(*c); |
126 | 0 | *c = NULL; |
127 | 0 | return srtp_err_status_alloc_fail; |
128 | 0 | } |
129 | | |
130 | | /* set pointers */ |
131 | 4.11k | (*c)->state = icm; |
132 | | |
133 | 4.11k | switch (key_len) { |
134 | 2.49k | case SRTP_AES_ICM_256_KEY_LEN_WSALT: |
135 | 2.49k | (*c)->algorithm = SRTP_AES_ICM_256; |
136 | 2.49k | (*c)->type = &srtp_aes_icm_256; |
137 | 2.49k | break; |
138 | 1.61k | default: |
139 | 1.61k | (*c)->algorithm = SRTP_AES_ICM_128; |
140 | 1.61k | (*c)->type = &srtp_aes_icm_128; |
141 | 1.61k | break; |
142 | 4.11k | } |
143 | | |
144 | | /* set key size */ |
145 | 4.11k | icm->key_size = key_len; |
146 | 4.11k | (*c)->key_len = key_len; |
147 | | |
148 | 4.11k | return srtp_err_status_ok; |
149 | 4.11k | } |
150 | | |
151 | | static srtp_err_status_t srtp_aes_icm_dealloc(srtp_cipher_t *c) |
152 | 4.11k | { |
153 | 4.11k | srtp_aes_icm_ctx_t *ctx; |
154 | | |
155 | 4.11k | if (c == NULL) { |
156 | 0 | return srtp_err_status_bad_param; |
157 | 0 | } |
158 | | |
159 | 4.11k | ctx = (srtp_aes_icm_ctx_t *)c->state; |
160 | 4.11k | if (ctx) { |
161 | | /* zeroize the key material */ |
162 | 4.11k | octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t)); |
163 | 4.11k | srtp_crypto_free(ctx); |
164 | 4.11k | } |
165 | | |
166 | | /* free the cipher context */ |
167 | 4.11k | srtp_crypto_free(c); |
168 | | |
169 | 4.11k | return srtp_err_status_ok; |
170 | 4.11k | } |
171 | | |
172 | | /* |
173 | | * aes_icm_context_init(...) initializes the aes_icm_context |
174 | | * using the value in key[]. |
175 | | * |
176 | | * the key is the secret key |
177 | | * |
178 | | * the salt is unpredictable (but not necessarily secret) data which |
179 | | * randomizes the starting point in the keystream |
180 | | */ |
181 | | |
182 | | static srtp_err_status_t srtp_aes_icm_context_init(void *cv, const uint8_t *key) |
183 | 5.13k | { |
184 | 5.13k | srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; |
185 | 5.13k | srtp_err_status_t status; |
186 | 5.13k | size_t base_key_len, copy_len; |
187 | | |
188 | 5.13k | if (c->key_size == SRTP_AES_ICM_128_KEY_LEN_WSALT || |
189 | 5.13k | c->key_size == SRTP_AES_ICM_256_KEY_LEN_WSALT) { |
190 | 5.13k | base_key_len = c->key_size - SRTP_SALT_LEN; |
191 | 5.13k | } else { |
192 | 0 | return srtp_err_status_bad_param; |
193 | 0 | } |
194 | | |
195 | | /* |
196 | | * set counter and initial values to 'offset' value, being careful not to |
197 | | * go past the end of the key buffer |
198 | | */ |
199 | 5.13k | v128_set_to_zero(&c->counter); |
200 | 5.13k | v128_set_to_zero(&c->offset); |
201 | | |
202 | 5.13k | copy_len = c->key_size - base_key_len; |
203 | | /* force last two octets of the offset to be left zero (for srtp |
204 | | * compatibility) */ |
205 | 5.13k | if (copy_len > SRTP_SALT_LEN) { |
206 | 0 | copy_len = SRTP_SALT_LEN; |
207 | 0 | } |
208 | | |
209 | 5.13k | memcpy(&c->counter, key + base_key_len, copy_len); |
210 | 5.13k | memcpy(&c->offset, key + base_key_len, copy_len); |
211 | | |
212 | 5.13k | debug_print(srtp_mod_aes_icm, "key: %s", |
213 | 5.13k | srtp_octet_string_hex_string(key, base_key_len)); |
214 | 5.13k | debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset)); |
215 | | |
216 | | /* expand key */ |
217 | 5.13k | status = |
218 | 5.13k | srtp_aes_expand_encryption_key(key, base_key_len, &c->expanded_key); |
219 | 5.13k | if (status) { |
220 | 0 | octet_string_set_to_zero(&c->expanded_key, sizeof(c->expanded_key)); |
221 | 0 | v128_set_to_zero(&c->counter); |
222 | 0 | v128_set_to_zero(&c->offset); |
223 | 0 | return status; |
224 | 0 | } |
225 | | |
226 | | /* indicate that the keystream_buffer is empty */ |
227 | 5.13k | c->bytes_in_buffer = 0; |
228 | | |
229 | 5.13k | return srtp_err_status_ok; |
230 | 5.13k | } |
231 | | |
232 | | /* |
233 | | * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with |
234 | | * the offset |
235 | | */ |
236 | | |
237 | | static srtp_err_status_t srtp_aes_icm_set_iv(void *cv, |
238 | | uint8_t *iv, |
239 | | srtp_cipher_direction_t direction) |
240 | 12.7k | { |
241 | 12.7k | srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; |
242 | 12.7k | v128_t nonce; |
243 | 12.7k | (void)direction; |
244 | | |
245 | | /* set nonce (for alignment) */ |
246 | 12.7k | v128_copy_octet_string(&nonce, iv); |
247 | | |
248 | 12.7k | debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce)); |
249 | | |
250 | 12.7k | v128_xor(&c->counter, &c->offset, &nonce); |
251 | | |
252 | 12.7k | debug_print(srtp_mod_aes_icm, "set_counter: %s", |
253 | 12.7k | v128_hex_string(&c->counter)); |
254 | | |
255 | | /* indicate that the keystream_buffer is empty */ |
256 | 12.7k | c->bytes_in_buffer = 0; |
257 | | |
258 | 12.7k | return srtp_err_status_ok; |
259 | 12.7k | } |
260 | | |
261 | | /* |
262 | | * aes_icm_advance(...) refills the keystream_buffer and |
263 | | * advances the block index of the sicm_context forward by one |
264 | | * |
265 | | * this is an internal, hopefully inlined function |
266 | | */ |
267 | | static void srtp_aes_icm_advance(srtp_aes_icm_ctx_t *c) |
268 | 19.6k | { |
269 | | /* fill buffer with new keystream */ |
270 | 19.6k | v128_copy(&c->keystream_buffer, &c->counter); |
271 | 19.6k | srtp_aes_encrypt(&c->keystream_buffer, &c->expanded_key); |
272 | 19.6k | c->bytes_in_buffer = sizeof(v128_t); |
273 | | |
274 | 19.6k | debug_print(srtp_mod_aes_icm, "counter: %s", |
275 | 19.6k | v128_hex_string(&c->counter)); |
276 | 19.6k | debug_print(srtp_mod_aes_icm, "ciphertext: %s", |
277 | 19.6k | v128_hex_string(&c->keystream_buffer)); |
278 | | |
279 | | /* clock counter forward */ |
280 | 19.6k | if (!++(c->counter.v8[15])) { |
281 | 0 | ++(c->counter.v8[14]); |
282 | 0 | } |
283 | 19.6k | } |
284 | | |
285 | | /* |
286 | | * icm_encrypt deals with the following cases: |
287 | | * |
288 | | * bytes_to_encr < bytes_in_buffer |
289 | | * - add keystream into data |
290 | | * |
291 | | * bytes_to_encr > bytes_in_buffer |
292 | | * - add keystream into data until keystream_buffer is depleted |
293 | | * - loop over blocks, filling keystream_buffer and then |
294 | | * adding keystream into data |
295 | | * - fill buffer then add in remaining (< 16) bytes of keystream |
296 | | */ |
297 | | |
298 | | static srtp_err_status_t srtp_aes_icm_encrypt(void *cv, |
299 | | const uint8_t *src, |
300 | | size_t src_len, |
301 | | uint8_t *dst, |
302 | | size_t *dst_len) |
303 | 12.7k | { |
304 | 12.7k | srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; |
305 | 12.7k | size_t bytes_to_encr = src_len; |
306 | 12.7k | uint32_t *b; |
307 | 12.7k | const uint32_t *s; |
308 | | |
309 | 12.7k | if (*dst_len < src_len) { |
310 | 0 | return srtp_err_status_buffer_small; |
311 | 0 | } |
312 | | |
313 | 12.7k | *dst_len = src_len; |
314 | | |
315 | 12.7k | unsigned char *buf = dst; |
316 | | |
317 | | /* check that there's enough segment left*/ |
318 | 12.7k | size_t bytes_of_new_keystream = bytes_to_encr - c->bytes_in_buffer; |
319 | 12.7k | size_t blocks_of_new_keystream = (bytes_of_new_keystream + 15) >> 4; |
320 | 12.7k | if (blocks_of_new_keystream > (size_t)0xffff - htons(c->counter.v16[7])) { |
321 | 0 | return srtp_err_status_terminus; |
322 | 0 | } |
323 | | |
324 | 12.7k | debug_print(srtp_mod_aes_icm, "block index: %d", htons(c->counter.v16[7])); |
325 | 12.7k | if (bytes_to_encr <= c->bytes_in_buffer) { |
326 | | /* deal with odd case of small bytes_to_encr */ |
327 | 1.77k | for (size_t i = (sizeof(v128_t) - c->bytes_in_buffer); |
328 | 1.77k | i < (sizeof(v128_t) - c->bytes_in_buffer + bytes_to_encr); i++) { |
329 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[i]; |
330 | 0 | } |
331 | | |
332 | 1.77k | c->bytes_in_buffer -= bytes_to_encr; |
333 | | |
334 | | /* return now to avoid the main loop */ |
335 | 1.77k | return srtp_err_status_ok; |
336 | | |
337 | 10.9k | } else { |
338 | | /* encrypt bytes until the remaining data is 16-byte aligned */ |
339 | 10.9k | for (size_t i = (sizeof(v128_t) - c->bytes_in_buffer); |
340 | 10.9k | i < sizeof(v128_t); i++) { |
341 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[i]; |
342 | 0 | } |
343 | | |
344 | 10.9k | bytes_to_encr -= c->bytes_in_buffer; |
345 | 10.9k | c->bytes_in_buffer = 0; |
346 | 10.9k | } |
347 | | |
348 | | /* now loop over entire 16-byte blocks of keystream */ |
349 | 21.9k | for (size_t i = 0; i < (bytes_to_encr / sizeof(v128_t)); i++) { |
350 | | /* fill buffer with new keystream */ |
351 | 10.9k | srtp_aes_icm_advance(c); |
352 | | |
353 | | /* |
354 | | * add keystream into the data buffer (this would be a lot faster |
355 | | * if we could assume 32-bit alignment!) |
356 | | */ |
357 | | |
358 | | #if ALIGN_32 |
359 | | b = (uint32_t *)buf; |
360 | | s = (const uint32_t *)src; |
361 | | *b++ = *s++ ^ c->keystream_buffer.v32[0]; |
362 | | *b++ = *s++ ^ c->keystream_buffer.v32[1]; |
363 | | *b++ = *s++ ^ c->keystream_buffer.v32[2]; |
364 | | *b++ = *s++ ^ c->keystream_buffer.v32[3]; |
365 | | buf = (uint8_t *)b; |
366 | | src = (const uint8_t *)s; |
367 | | #else |
368 | 10.9k | if ((((uintptr_t)buf) & 0x03) != 0) { |
369 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[0]; |
370 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[1]; |
371 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[2]; |
372 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[3]; |
373 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[4]; |
374 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[5]; |
375 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[6]; |
376 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[7]; |
377 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[8]; |
378 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[9]; |
379 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[10]; |
380 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[11]; |
381 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[12]; |
382 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[13]; |
383 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[14]; |
384 | 0 | *buf++ = *src++ ^ c->keystream_buffer.v8[15]; |
385 | 10.9k | } else { |
386 | 10.9k | b = (uint32_t *)buf; |
387 | 10.9k | s = (const uint32_t *)src; |
388 | 10.9k | *b++ = *s++ ^ c->keystream_buffer.v32[0]; |
389 | 10.9k | *b++ = *s++ ^ c->keystream_buffer.v32[1]; |
390 | 10.9k | *b++ = *s++ ^ c->keystream_buffer.v32[2]; |
391 | 10.9k | *b++ = *s++ ^ c->keystream_buffer.v32[3]; |
392 | 10.9k | buf = (uint8_t *)b; |
393 | 10.9k | src = (const uint8_t *)s; |
394 | 10.9k | } |
395 | 10.9k | #endif /* #if ALIGN_32 */ |
396 | 10.9k | } |
397 | | |
398 | | /* if there is a tail end of the data, process it */ |
399 | 10.9k | if ((bytes_to_encr & 0xf) != 0) { |
400 | | /* fill buffer with new keystream */ |
401 | 8.67k | srtp_aes_icm_advance(c); |
402 | | |
403 | 86.5k | for (size_t i = 0; i < (bytes_to_encr & 0xf); i++) { |
404 | 77.8k | *buf++ = *src++ ^ c->keystream_buffer.v8[i]; |
405 | 77.8k | } |
406 | | |
407 | | /* reset the keystream buffer size to right value */ |
408 | 8.67k | c->bytes_in_buffer = sizeof(v128_t) - (bytes_to_encr & 0xf); |
409 | 8.67k | } else { |
410 | | /* no tail, so just reset the keystream buffer size to zero */ |
411 | 2.31k | c->bytes_in_buffer = 0; |
412 | 2.31k | } |
413 | | |
414 | 10.9k | return srtp_err_status_ok; |
415 | 12.7k | } |
416 | | |
417 | | static const char srtp_aes_icm_128_description[] = |
418 | | "AES-128 integer counter mode"; |
419 | | static const char srtp_aes_icm_256_description[] = |
420 | | "AES-256 integer counter mode"; |
421 | | |
422 | | /* |
423 | | * note: the encrypt function is identical to the decrypt function |
424 | | */ |
425 | | |
426 | | const srtp_cipher_type_t srtp_aes_icm_128 = { |
427 | | srtp_aes_icm_alloc, /* */ |
428 | | srtp_aes_icm_dealloc, /* */ |
429 | | srtp_aes_icm_context_init, /* */ |
430 | | 0, /* set_aad */ |
431 | | srtp_aes_icm_encrypt, /* */ |
432 | | srtp_aes_icm_encrypt, /* */ |
433 | | srtp_aes_icm_set_iv, /* */ |
434 | | srtp_aes_icm_128_description, /* */ |
435 | | &srtp_aes_icm_128_test_case_0, /* */ |
436 | | SRTP_AES_ICM_128 /* */ |
437 | | }; |
438 | | |
439 | | const srtp_cipher_type_t srtp_aes_icm_256 = { |
440 | | srtp_aes_icm_alloc, /* */ |
441 | | srtp_aes_icm_dealloc, /* */ |
442 | | srtp_aes_icm_context_init, /* */ |
443 | | 0, /* set_aad */ |
444 | | srtp_aes_icm_encrypt, /* */ |
445 | | srtp_aes_icm_encrypt, /* */ |
446 | | srtp_aes_icm_set_iv, /* */ |
447 | | srtp_aes_icm_256_description, /* */ |
448 | | &srtp_aes_icm_256_test_case_0, /* */ |
449 | | SRTP_AES_ICM_256 /* */ |
450 | | }; |