static void test_aes_perf(void) { #if 0 /* this did not seem to work with new compiler?! */ #ifdef __i386__ #define rdtscll(val) \ __asm__ __volatile__("rdtsc" : "=A" (val)) const int num_iters = 10; int i; unsigned int start, end; u8 key[16], pt[16], ct[16]; void *ctx; printf("keySetupEnc:"); for (i = 0; i < num_iters; i++) { rdtscll(start); ctx = aes_encrypt_init(key, 16); rdtscll(end); aes_encrypt_deinit(ctx); printf(" %d", end - start); } printf("\n"); printf("Encrypt:"); ctx = aes_encrypt_init(key, 16); for (i = 0; i < num_iters; i++) { rdtscll(start); aes_encrypt(ctx, pt, ct); rdtscll(end); printf(" %d", end - start); } aes_encrypt_deinit(ctx); printf("\n"); #endif /* __i386__ */ #endif }
/** * aes_128_ctr_encrypt - AES-128 CTR mode encryption * @key: Key for encryption (16 bytes) * @nonce: Nonce for counter mode (16 bytes) * @data: Data to encrypt in-place * @data_len: Length of data in bytes * Returns: 0 on success, -1 on failure */ int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce, u8 *data, size_t data_len) { void *ctx; size_t j, len, left = data_len; int i; u8 *pos = data; u8 counter[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE]; ctx = aes_encrypt_init(key, 16); if (ctx == NULL) { return -1; } os_memcpy(counter, nonce, AES_BLOCK_SIZE); while (left > 0) { aes_encrypt(ctx, counter, buf); len = (left < AES_BLOCK_SIZE) ? left : AES_BLOCK_SIZE; for (j = 0; j < len; j++) { pos[j] ^= buf[j]; } pos += len; left -= len; for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) { counter[i]++; if (counter[i]) { break; } } } aes_encrypt_deinit(ctx); return 0; }
struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, const u8 *iv, const u8 *key, size_t key_len) { struct crypto_cipher *ctx; ctx = os_zalloc(sizeof(*ctx)); if (ctx == NULL) return NULL; ctx->alg = alg; switch (alg) { case CRYPTO_CIPHER_ALG_RC4: if (key_len > sizeof(ctx->u.rc4.key)) { os_free(ctx); return NULL; } ctx->u.rc4.keylen = key_len; os_memcpy(ctx->u.rc4.key, key, key_len); break; case CRYPTO_CIPHER_ALG_AES: ctx->u.aes.ctx_enc = aes_encrypt_init(key, key_len); if (ctx->u.aes.ctx_enc == NULL) { os_free(ctx); return NULL; } ctx->u.aes.ctx_dec = aes_decrypt_init(key, key_len); if (ctx->u.aes.ctx_dec == NULL) { aes_encrypt_deinit(ctx->u.aes.ctx_enc); os_free(ctx); return NULL; } os_memcpy(ctx->u.aes.cbc, iv, AES_BLOCK_SIZE); break; case CRYPTO_CIPHER_ALG_3DES: if (key_len != 24) { os_free(ctx); return NULL; } des3_key_setup(key, &ctx->u.des3.key); os_memcpy(ctx->u.des3.cbc, iv, 8); break; case CRYPTO_CIPHER_ALG_DES: if (key_len != 8) { os_free(ctx); return NULL; } des_key_setup(key, ctx->u.des.ek, ctx->u.des.dk); os_memcpy(ctx->u.des.cbc, iv, 8); break; default: os_free(ctx); return NULL; } return ctx; }
/** * aes_128_encrypt_block - Perform one AES 128-bit block operation * @key: Key for AES * @in: Input data (16 bytes) * @out: Output of the AES block operation (16 bytes) * Returns: 0 on success, -1 on failure */ int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out) { void *ctx; ctx = aes_encrypt_init(key, 16); if (ctx == NULL) return -1; aes_encrypt(ctx, in, out); aes_encrypt_deinit(ctx); return 0; }
/** * aes_wrap - Wrap keys with AES Key Wrap Algorithm (RFC3394) * @kek: Key encryption key (KEK) * @kek_len: Length of KEK in octets * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 * bytes * @plain: Plaintext key to be wrapped, n * 64 bits * @cipher: Wrapped key, (n + 1) * 64 bits * Returns: 0 on success, -1 on failure */ int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) { u8 *a, *r, b[AES_BLOCK_SIZE]; int i, j; void *ctx; unsigned int t; a = cipher; r = cipher + 8; /* 1) Initialize variables. */ os_memset(a, 0xa6, 8); os_memcpy(r, plain, 8 * n); ctx = aes_encrypt_init(kek, kek_len); if (ctx == NULL) { return -1; } /* 2) Calculate intermediate values. * For j = 0 to 5 * For i=1 to n * B = AES(K, A | R[i]) * A = MSB(64, B) ^ t where t = (n*j)+i * R[i] = LSB(64, B) */ for (j = 0; j <= 5; j++) { r = cipher + 8; for (i = 1; i <= n; i++) { os_memcpy(b, a, 8); os_memcpy(b + 8, r, 8); aes_encrypt(ctx, b, b); os_memcpy(a, b, 8); t = n * j + i; a[7] ^= t; a[6] ^= t >> 8; a[5] ^= t >> 16; a[4] ^= t >> 24; os_memcpy(r, b + 8, 8); r += 8; } } aes_encrypt_deinit(ctx); /* 3) Output the results. * * These are already in @cipher due to the location of temporary * variables. */ return 0; }
static void * aes_gcm_init_hash_subkey(const aes_uchar *key, size_t key_len, aes_uchar *H) { void *aes; aes = aes_encrypt_init(key, key_len); if (aes == NULL) return NULL; /* Generate hash subkey H = AES_K(0^128) */ memset(H, 0, AES_BLOCK_SIZE); aes_encrypt(aes, H, H); aes_hexdump_key(MSG_EXCESSIVE, "Hash subkey H for GHASH", H, AES_BLOCK_SIZE); return aes; }
static void aes_gcm_init_hash_subkey( void *aes, // DHD20150614 const u8 *key, size_t key_len, u8 *H) { // void *aes; // DHD20150614 aes_encrypt_init(aes, key, key_len); // aes = aes_encrypt_init(key, key_len); // DHD20150614 // if (aes == NULL) // DHD20150614 // return NULL; // DHD20150614 /* Generate hash subkey H = AES_K(0^128) */ os_memset(H, 0, AES_BLOCK_SIZE); aes_encrypt(aes, H, H); /* wpa_hexdump_key(MSG_EXCESSIVE, "Hash subkey H for GHASH", H, AES_BLOCK_SIZE); */ // return aes; // DHD20150614 }
/** * aes_128_cbc_encrypt - AES-128 CBC encryption * @key: Encryption key * @iv: Encryption IV for CBC mode (16 bytes) * @data: Data to encrypt in-place * @data_len: Length of data in bytes (must be divisible by 16) * Returns: 0 on success, -1 on failure */ int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) { void *ctx; u8 cbc[AES_BLOCK_SIZE]; u8 *pos = data; int i, j, blocks; ctx = aes_encrypt_init(key, 16); if (ctx == NULL) return -1; os_memcpy(cbc, iv, AES_BLOCK_SIZE); blocks = data_len / AES_BLOCK_SIZE; for (i = 0; i < blocks; i++) { for (j = 0; j < AES_BLOCK_SIZE; j++) cbc[j] ^= pos[j]; aes_encrypt(ctx, cbc, cbc); os_memcpy(pos, cbc, AES_BLOCK_SIZE); pos += AES_BLOCK_SIZE; } aes_encrypt_deinit(ctx); return 0; }
void * aes_decrypt_init(const u8 *key, size_t len) { return aes_encrypt_init(key, len); }
u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, const u8 *data, size_t data_len, size_t *decrypted_len) { u8 aad[2 + 30], nonce[13]; size_t aad_len; u8 b[AES_BLOCK_SIZE], x[AES_BLOCK_SIZE], a[AES_BLOCK_SIZE]; void *aes; const u8 *m, *mpos, *mic; size_t mlen, last; int i; u8 *plain, *ppos; u8 t[8]; if (data_len < 8 + 8) return NULL; plain = os_malloc(data_len + AES_BLOCK_SIZE); if (plain == NULL) return NULL; aes = aes_encrypt_init(tk, 16); if (aes == NULL) { os_free(plain); return NULL; } m = data + 8; mlen = data_len - 8 - 8; last = mlen % AES_BLOCK_SIZE; os_memset(aad, 0, sizeof(aad)); ccmp_aad_nonce(hdr, data, &aad[2], &aad_len, nonce); WPA_PUT_BE16(aad, aad_len); wpa_hexdump(MSG_EXCESSIVE, "CCMP AAD", &aad[2], aad_len); wpa_hexdump(MSG_EXCESSIVE, "CCMP nonce", nonce, 13); /* CCM: M=8 L=2, Adata=1, M' = (M-2)/2 = 3, L' = L-1 = 1 */ /* A_i = Flags | Nonce N | Counter i */ a[0] = 0x01; /* Flags = L' */ os_memcpy(&a[1], nonce, 13); /* Decryption */ mic = data + data_len - 8; wpa_hexdump(MSG_EXCESSIVE, "CCMP U", mic, 8); /* U = T XOR S_0; S_0 = E(K, A_0) */ WPA_PUT_BE16(&a[14], 0); aes_encrypt(aes, a, x); for (i = 0; i < 8; i++) t[i] = mic[i] ^ x[i]; wpa_hexdump(MSG_EXCESSIVE, "CCMP T", t, 8); /* plaintext = msg XOR (S_1 | S_2 | ... | S_n) */ ppos = plain; mpos = m; for (i = 1; i <= mlen / AES_BLOCK_SIZE; i++) { WPA_PUT_BE16(&a[14], i); /* S_i = E(K, A_i) */ aes_encrypt(aes, a, ppos); xor_aes_block(ppos, mpos); ppos += AES_BLOCK_SIZE; mpos += AES_BLOCK_SIZE; } if (last) { WPA_PUT_BE16(&a[14], i); aes_encrypt(aes, a, ppos); /* XOR zero-padded last block */ for (i = 0; i < last; i++) *ppos++ ^= *mpos++; } wpa_hexdump(MSG_EXCESSIVE, "CCMP decrypted", plain, mlen); /* Authentication */ /* B_0: Flags | Nonce N | l(m) */ b[0] = 0x40 /* Adata */ | (3 /* M' */ << 3) | 1 /* L' */; os_memcpy(&b[1], nonce, 13); WPA_PUT_BE16(&b[14], mlen); wpa_hexdump(MSG_EXCESSIVE, "CCMP B_0", b, AES_BLOCK_SIZE); aes_encrypt(aes, b, x); /* X_1 = E(K, B_0) */ wpa_hexdump(MSG_EXCESSIVE, "CCMP B_1", aad, AES_BLOCK_SIZE); xor_aes_block(aad, x); aes_encrypt(aes, aad, x); /* X_2 = E(K, X_1 XOR B_1) */ wpa_hexdump(MSG_EXCESSIVE, "CCMP B_2", &aad[AES_BLOCK_SIZE], AES_BLOCK_SIZE); xor_aes_block(&aad[AES_BLOCK_SIZE], x); aes_encrypt(aes, &aad[AES_BLOCK_SIZE], x); /* X_3 = E(K, X_2 XOR B_2) */ ppos = plain; for (i = 0; i < mlen / AES_BLOCK_SIZE; i++) { /* X_i+1 = E(K, X_i XOR B_i) */ xor_aes_block(x, ppos); ppos += AES_BLOCK_SIZE; aes_encrypt(aes, x, x); } if (last) { /* XOR zero-padded last block */ for (i = 0; i < last; i++) x[i] ^= *ppos++; aes_encrypt(aes, x, x); } aes_encrypt_deinit(aes); if (os_memcmp(x, t, 8) != 0) { u16 seq_ctrl = le_to_host16(hdr->seq_ctrl); wpa_printf(MSG_INFO, "Invalid CCMP MIC in frame: A1=" MACSTR " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u", MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), MAC2STR(hdr->addr3), WLAN_GET_SEQ_SEQ(seq_ctrl), WLAN_GET_SEQ_FRAG(seq_ctrl)); wpa_hexdump(MSG_DEBUG, "CCMP decrypted", plain, mlen); os_free(plain); return NULL; } *decrypted_len = mlen; return plain; }
u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos, u8 *pn, int keyid, size_t *encrypted_len) { u8 aad[2 + 30], nonce[13]; size_t aad_len; u8 b[AES_BLOCK_SIZE], x[AES_BLOCK_SIZE], a[AES_BLOCK_SIZE]; void *aes; u8 *crypt, *pos, *ppos, *mpos; size_t plen, last; struct ieee80211_hdr *hdr; int i; if (len < hdrlen || hdrlen < 24) return NULL; plen = len - hdrlen; last = plen % AES_BLOCK_SIZE; crypt = os_malloc(hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE); if (crypt == NULL) return NULL; os_memcpy(crypt, frame, hdrlen); hdr = (struct ieee80211_hdr *) crypt; hdr->frame_control |= host_to_le16(WLAN_FC_ISWEP); pos = crypt + hdrlen; *pos++ = pn[5]; /* PN0 */ *pos++ = pn[4]; /* PN1 */ *pos++ = 0x00; /* Rsvd */ *pos++ = 0x20 | (keyid << 6); *pos++ = pn[3]; /* PN2 */ *pos++ = pn[2]; /* PN3 */ *pos++ = pn[1]; /* PN4 */ *pos++ = pn[0]; /* PN5 */ aes = aes_encrypt_init(tk, 16); if (aes == NULL) { os_free(crypt); return NULL; } os_memset(aad, 0, sizeof(aad)); ccmp_aad_nonce(hdr, crypt + hdrlen, &aad[2], &aad_len, nonce); WPA_PUT_BE16(aad, aad_len); wpa_hexdump(MSG_EXCESSIVE, "CCMP AAD", &aad[2], aad_len); wpa_hexdump(MSG_EXCESSIVE, "CCMP nonce", nonce, 13); /* Authentication */ /* B_0: Flags | Nonce N | l(m) */ b[0] = 0x40 /* Adata */ | (3 /* M' */ << 3) | 1 /* L' */; os_memcpy(&b[1], nonce, 13); WPA_PUT_BE16(&b[14], plen); wpa_hexdump(MSG_EXCESSIVE, "CCMP B_0", b, AES_BLOCK_SIZE); aes_encrypt(aes, b, x); /* X_1 = E(K, B_0) */ wpa_hexdump(MSG_EXCESSIVE, "CCMP B_1", aad, AES_BLOCK_SIZE); xor_aes_block(aad, x); aes_encrypt(aes, aad, x); /* X_2 = E(K, X_1 XOR B_1) */ wpa_hexdump(MSG_EXCESSIVE, "CCMP B_2", &aad[AES_BLOCK_SIZE], AES_BLOCK_SIZE); xor_aes_block(&aad[AES_BLOCK_SIZE], x); aes_encrypt(aes, &aad[AES_BLOCK_SIZE], x); /* X_3 = E(K, X_2 XOR B_2) */ ppos = frame + hdrlen; for (i = 0; i < plen / AES_BLOCK_SIZE; i++) { /* X_i+1 = E(K, X_i XOR B_i) */ xor_aes_block(x, ppos); ppos += AES_BLOCK_SIZE; aes_encrypt(aes, x, x); } if (last) { /* XOR zero-padded last block */ for (i = 0; i < last; i++) x[i] ^= *ppos++; aes_encrypt(aes, x, x); } /* Encryption */ /* CCM: M=8 L=2, Adata=1, M' = (M-2)/2 = 3, L' = L-1 = 1 */ /* A_i = Flags | Nonce N | Counter i */ a[0] = 0x01; /* Flags = L' */ os_memcpy(&a[1], nonce, 13); ppos = crypt + hdrlen + 8; /* crypt = msg XOR (S_1 | S_2 | ... | S_n) */ mpos = frame + hdrlen; for (i = 1; i <= plen / AES_BLOCK_SIZE; i++) { WPA_PUT_BE16(&a[14], i); /* S_i = E(K, A_i) */ aes_encrypt(aes, a, ppos); xor_aes_block(ppos, mpos); ppos += AES_BLOCK_SIZE; mpos += AES_BLOCK_SIZE; } if (last) { WPA_PUT_BE16(&a[14], i); aes_encrypt(aes, a, ppos); /* XOR zero-padded last block */ for (i = 0; i < last; i++) *ppos++ ^= *mpos++; } wpa_hexdump(MSG_EXCESSIVE, "CCMP T", x, 8); /* U = T XOR S_0; S_0 = E(K, A_0) */ WPA_PUT_BE16(&a[14], 0); aes_encrypt(aes, a, b); for (i = 0; i < 8; i++) ppos[i] = x[i] ^ b[i]; wpa_hexdump(MSG_EXCESSIVE, "CCMP U", ppos, 8); wpa_hexdump(MSG_EXCESSIVE, "CCMP encrypted", crypt + hdrlen + 8, plen); aes_encrypt_deinit(aes); *encrypted_len = hdrlen + 8 + plen + 8; return crypt; }