
  1. /*
  2. * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * AES_encrypt/AES_decrypt are deprecated - but we need to use them to implement
  11. * these functions
  12. */
  13. #include "internal/deprecated.h"
  14. #include "internal/cryptlib.h"
  15. #include <openssl/aes.h>
  16. #include "aes_local.h"
/* XXX: probably some better way to do this */
/*
 * Targets on which the word-wise fast path below may read and write
 * unaligned machine words directly; everywhere else load_block/store_block
 * go through memcpy.
 */
#if defined(__i386__) || defined(__x86_64__)
# define UNALIGNED_MEMOPS_ARE_FAST 1
#else
# define UNALIGNED_MEMOPS_ARE_FAST 0
#endif

/* Number of unsigned longs in one AES block; the XOR loops work per word. */
#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))

/*
 * One AES block viewed as N_WORDS machine words.  AES_ige_encrypt casts the
 * caller's byte buffers to this type on its fast path; the aligned(1)
 * attribute is there so that such a pointer need not be word-aligned.
 * NOTE(review): reading a byte buffer through unsigned long lvalues is
 * outside the C effective-type rules, so this relies on the compiler being
 * tolerant of it (as the current builds evidently are) -- keep that in mind
 * before changing build flags or the fast-path condition.
 */
typedef struct {
    unsigned long data[N_WORDS];
#if defined(__GNUC__) && UNALIGNED_MEMOPS_ARE_FAST
} aes_block_t __attribute((__aligned__(1)));
#else
} aes_block_t;
#endif

/*
 * load_block(d, s): copy AES_BLOCK_SIZE bytes from byte buffer s into the
 * aes_block_t d.  store_block(d, s): the reverse, from aes_block_t s into
 * byte buffer d.  Direct assignment through a cast where unaligned access is
 * cheap, memcpy otherwise.
 */
#if UNALIGNED_MEMOPS_ARE_FAST
# define load_block(d, s) (d) = *(const aes_block_t *)(s)
# define store_block(d, s) *(aes_block_t *)(d) = (s)
#else
# define load_block(d, s) memcpy((d).data, (s), AES_BLOCK_SIZE)
# define store_block(d, s) memcpy((d), (s).data, AES_BLOCK_SIZE)
#endif
/*
 * AES_ige_encrypt - AES in Infinite Garble Extension (IGE) mode.
 *
 * N.B. The IV for this mode is _twice_ the block size.  ivec holds two
 * blocks and is rewritten on return with the chaining state, so a stream
 * can be processed in several calls.
 *
 * With c[-1] = ivec[0 .. AES_BLOCK_SIZE-1] and p[-1] = the second block of
 * ivec, the code below computes
 *     encrypt:  c[i] = E(p[i] ^ c[i-1]) ^ p[i-1]
 *     decrypt:  p[i] = D(c[i] ^ p[i-1]) ^ c[i-1]
 * and leaves ivec = { c[last], p[last] } for the next call.
 *
 * in      plaintext/ciphertext input, length bytes.
 * out     output buffer, length bytes.  Only in == out (in-place) is
 *         detected; a partially overlapping pair is neither checked for nor
 *         supported.
 * length  number of bytes; must be a multiple of AES_BLOCK_SIZE.  0 returns
 *         immediately without touching ivec or evaluating the asserts.
 * key     expanded AES key, used for both directions.
 * ivec    2 * AES_BLOCK_SIZE bytes, updated in place.
 * enc     AES_ENCRYPT or AES_DECRYPT.
 *
 * The preconditions are enforced with OPENSSL_assert rather than reported to
 * the caller.
 *
 * Use of this function is deprecated.
 */
void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
                     size_t length, const AES_KEY *key,
                     unsigned char *ivec, const int enc)
{
    size_t n;
    size_t len = length / AES_BLOCK_SIZE;   /* whole blocks to process */

    if (length == 0)
        return;

    OPENSSL_assert(in && out && key && ivec);
    OPENSSL_assert((AES_ENCRYPT == enc) || (AES_DECRYPT == enc));
    OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);

    if (AES_ENCRYPT == enc) {
        /*
         * Word-wise path: the buffers are distinct and either unaligned
         * word access is cheap on this target or in, out and ivec are all
         * sizeof(long)-aligned.  Chaining values are then pointers into the
         * buffers themselves instead of copies.
         */
        if (in != out &&
            (UNALIGNED_MEMOPS_ARE_FAST
             || ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(long) ==
             0)) {
            aes_block_t *ivp = (aes_block_t *) ivec;                     /* c[i-1] */
            aes_block_t *iv2p = (aes_block_t *) (ivec + AES_BLOCK_SIZE); /* p[i-1] */

            while (len) {
                aes_block_t *inp = (aes_block_t *) in;
                aes_block_t *outp = (aes_block_t *) out;

                for (n = 0; n < N_WORDS; ++n)
                    outp->data[n] = inp->data[n] ^ ivp->data[n];
                AES_encrypt((unsigned char *)outp->data,
                            (unsigned char *)outp->data, key);
                for (n = 0; n < N_WORDS; ++n)
                    outp->data[n] ^= iv2p->data[n];
                /*
                 * Chain through the buffers: the ciphertext just written and
                 * the plaintext just read are never modified again, which
                 * holds only because in != out.
                 */
                ivp = outp;
                iv2p = inp;
                --len;
                in += AES_BLOCK_SIZE;
                out += AES_BLOCK_SIZE;
            }
            /* Export the chaining state for a follow-on call. */
            memcpy(ivec, ivp->data, AES_BLOCK_SIZE);
            memcpy(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
        } else {
            /* Copying path: works in place, so every block goes via tmp. */
            aes_block_t tmp, tmp2;
            aes_block_t iv;     /* c[i-1] */
            aes_block_t iv2;    /* p[i-1] */

            load_block(iv, ivec);
            load_block(iv2, ivec + AES_BLOCK_SIZE);

            while (len) {
                load_block(tmp, in);    /* p[i], kept intact for iv2 */
                for (n = 0; n < N_WORDS; ++n)
                    tmp2.data[n] = tmp.data[n] ^ iv.data[n];
                AES_encrypt((unsigned char *)tmp2.data,
                            (unsigned char *)tmp2.data, key);
                for (n = 0; n < N_WORDS; ++n)
                    tmp2.data[n] ^= iv2.data[n];
                store_block(out, tmp2);
                iv = tmp2;
                iv2 = tmp;
                --len;
                in += AES_BLOCK_SIZE;
                out += AES_BLOCK_SIZE;
            }
            memcpy(ivec, iv.data, AES_BLOCK_SIZE);
            memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
        }
    } else {
        /* Same two paths for decryption, with the chaining roles swapped. */
        if (in != out &&
            (UNALIGNED_MEMOPS_ARE_FAST
             || ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(long) ==
             0)) {
            aes_block_t *ivp = (aes_block_t *) ivec;                     /* c[i-1] */
            aes_block_t *iv2p = (aes_block_t *) (ivec + AES_BLOCK_SIZE); /* p[i-1] */

            while (len) {
                aes_block_t tmp;
                aes_block_t *inp = (aes_block_t *) in;
                aes_block_t *outp = (aes_block_t *) out;

                /* tmp = c[i] ^ p[i-1]; the input block itself stays intact. */
                for (n = 0; n < N_WORDS; ++n)
                    tmp.data[n] = inp->data[n] ^ iv2p->data[n];
                AES_decrypt((unsigned char *)tmp.data,
                            (unsigned char *)outp->data, key);
                for (n = 0; n < N_WORDS; ++n)
                    outp->data[n] ^= ivp->data[n];
                /* Chain through the buffers; valid only because in != out. */
                ivp = inp;
                iv2p = outp;
                --len;
                in += AES_BLOCK_SIZE;
                out += AES_BLOCK_SIZE;
            }
            memcpy(ivec, ivp->data, AES_BLOCK_SIZE);
            memcpy(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
        } else {
            aes_block_t tmp, tmp2;
            aes_block_t iv;     /* c[i-1] */
            aes_block_t iv2;    /* p[i-1] */

            load_block(iv, ivec);
            load_block(iv2, ivec + AES_BLOCK_SIZE);

            while (len) {
                load_block(tmp, in);
                /*
                 * tmp2 keeps c[i] untouched: tmp is XORed in place below and,
                 * when in == out, the input block is overwritten by store_block.
                 */
                tmp2 = tmp;
                for (n = 0; n < N_WORDS; ++n)
                    tmp.data[n] ^= iv2.data[n];
                AES_decrypt((unsigned char *)tmp.data,
                            (unsigned char *)tmp.data, key);
                for (n = 0; n < N_WORDS; ++n)
                    tmp.data[n] ^= iv.data[n];
                store_block(out, tmp);
                iv = tmp2;
                iv2 = tmp;
                --len;
                in += AES_BLOCK_SIZE;
                out += AES_BLOCK_SIZE;
            }
            memcpy(ivec, iv.data, AES_BLOCK_SIZE);
            memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
        }
    }
}
/*
 * AES_bi_ige_encrypt - bidirectional IGE: a forward IGE pass followed by a
 * second IGE pass over the result in the opposite direction.
 *
 * Note that it's effectively impossible to do biIGE in anything other
 * than a single pass, so no provision is made for chaining.
 *
 * NB: The implementation of AES_bi_ige_encrypt has a bug. It is supposed to use
 * 2 AES keys, but in fact only one is ever used. This bug has been present
 * since this code was first implemented. It is believed to have minimal
 * security impact in practice and has therefore not been fixed for backwards
 * compatibility reasons.
 *
 * N.B. The IV for this mode is _four times_ the block size.  Unlike
 * AES_ige_encrypt, ivec is const and is not updated.
 *
 * in      input, length bytes.
 * out     output, length bytes.  The code is written for in == out or
 *         non-overlapping buffers; overlap is not checked (see the XXX
 *         below) and the in-place encrypt case has a caveat noted inline.
 * length  number of bytes; must be a multiple of AES_BLOCK_SIZE.  There is
 *         no early return for 0: the asserts still run, the loops do not.
 * key     expanded AES key, used in both passes and both directions.
 * key2    accepted but never dereferenced (see NB above); consequently it
 *         is not included in the NULL-pointer assert either.
 * ivec    4 * AES_BLOCK_SIZE bytes: blocks 0 and 1 seed the forward pass,
 *         blocks 2 and 3 seed the backward pass.
 * enc     AES_ENCRYPT or AES_DECRYPT.
 *
 * Encryption runs the forward pass (in -> out) and then the backward pass
 * over out in place; decryption undoes them in the reverse order, both
 * passes in place on out.
 *
 * Use of this function is deprecated.
 */
void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out,
                        size_t length, const AES_KEY *key,
                        const AES_KEY *key2, const unsigned char *ivec,
                        const int enc)
{
    size_t n;
    size_t len = length;            /* bytes remaining in the current pass */
    unsigned char tmp[AES_BLOCK_SIZE];
    unsigned char tmp2[AES_BLOCK_SIZE];
    unsigned char tmp3[AES_BLOCK_SIZE];
    unsigned char prev[AES_BLOCK_SIZE];
    const unsigned char *iv;        /* previous output block of this pass */
    const unsigned char *iv2;       /* previous input block of this pass */

    OPENSSL_assert(in && out && key && ivec);
    OPENSSL_assert((AES_ENCRYPT == enc) || (AES_DECRYPT == enc));
    OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);

    if (AES_ENCRYPT == enc) {
        /*
         * XXX: Do a separate case for when in != out (strictly should check
         * for overlap, too)
         */

        /* First the forward pass */
        iv = ivec;
        iv2 = ivec + AES_BLOCK_SIZE;
        while (len >= AES_BLOCK_SIZE) {
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                out[n] = in[n] ^ iv[n];
            AES_encrypt(out, out, key);
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                out[n] ^= iv2[n];
            iv = out;
            /*
             * prev must be a copy because in may equal out.  NOTE(review):
             * when in == out, the block at in has already been replaced by
             * the ciphertext above, so this copies ciphertext rather than
             * plaintext and the pass no longer matches what the decrypt
             * branch undoes -- confirm whether in-place encryption is a
             * supported use before relying on it.
             */
            memcpy(prev, in, AES_BLOCK_SIZE);
            iv2 = prev;
            len -= AES_BLOCK_SIZE;
            in += AES_BLOCK_SIZE;
            out += AES_BLOCK_SIZE;
        }

        /* And now backwards: out now points one past the last block. */
        iv = ivec + AES_BLOCK_SIZE * 2;
        iv2 = ivec + AES_BLOCK_SIZE * 3;
        len = length;
        while (len >= AES_BLOCK_SIZE) {
            out -= AES_BLOCK_SIZE;
            /*
             * XXX: reduce copies by alternating between buffers
             */
            /* Save the forward-pass output before it is modified in place. */
            memcpy(tmp, out, AES_BLOCK_SIZE);
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                out[n] ^= iv[n];
            /*
             * hexdump(stdout, "out ^ iv", out, AES_BLOCK_SIZE);
             */
            AES_encrypt(out, out, key);
            /*
             * hexdump(stdout,"enc", out, AES_BLOCK_SIZE);
             */
            /*
             * hexdump(stdout,"iv2", iv2, AES_BLOCK_SIZE);
             */
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                out[n] ^= iv2[n];
            /*
             * hexdump(stdout,"out", out, AES_BLOCK_SIZE);
             */
            iv = out;
            memcpy(prev, tmp, AES_BLOCK_SIZE);
            iv2 = prev;
            len -= AES_BLOCK_SIZE;
        }
    } else {
        /* First backwards: undo the second encryption pass, last block first. */
        iv = ivec + AES_BLOCK_SIZE * 2;
        iv2 = ivec + AES_BLOCK_SIZE * 3;
        in += length;
        out += length;
        while (len >= AES_BLOCK_SIZE) {
            in -= AES_BLOCK_SIZE;
            out -= AES_BLOCK_SIZE;
            /*
             * tmp is XORed in place; tmp2 keeps the untouched input block
             * because, when in == out, AES_decrypt below overwrites it.
             */
            memcpy(tmp, in, AES_BLOCK_SIZE);
            memcpy(tmp2, in, AES_BLOCK_SIZE);
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                tmp[n] ^= iv2[n];
            AES_decrypt(tmp, out, key);
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                out[n] ^= iv[n];
            /* iv may still point at tmp3 during the XOR above, hence the staging copy. */
            memcpy(tmp3, tmp2, AES_BLOCK_SIZE);
            iv = tmp3;
            iv2 = out;
            len -= AES_BLOCK_SIZE;
        }

        /* And now forwards: undo the first pass, entirely in place on out. */
        iv = ivec;
        iv2 = ivec + AES_BLOCK_SIZE;
        len = length;
        while (len >= AES_BLOCK_SIZE) {
            memcpy(tmp, out, AES_BLOCK_SIZE);
            memcpy(tmp2, out, AES_BLOCK_SIZE);
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                tmp[n] ^= iv2[n];
            AES_decrypt(tmp, out, key);
            for (n = 0; n < AES_BLOCK_SIZE; ++n)
                out[n] ^= iv[n];
            memcpy(tmp3, tmp2, AES_BLOCK_SIZE);
            iv = tmp3;
            iv2 = out;
            len -= AES_BLOCK_SIZE;
            in += AES_BLOCK_SIZE;   /* in is not read in this pass; advanced for symmetry only */
            out += AES_BLOCK_SIZE;
        }
    }
}