int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, const u8 *crypt, u8 *plain, size_t len) { struct crypto_cipher *cipher; int encr_alg; switch (alg) { case ENCR_3DES: encr_alg = CRYPTO_CIPHER_ALG_3DES; break; case ENCR_AES_CBC: encr_alg = CRYPTO_CIPHER_ALG_AES; break; default: wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); return -1; } cipher = crypto_cipher_init(encr_alg, iv, key, key_len); if (cipher == NULL) { wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); return -1; } if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) { wpa_printf(MSG_INFO, "IKEV2: Decryption failed"); crypto_cipher_deinit(cipher); return -1; } crypto_cipher_deinit(cipher); return 0; }
// //This method should be called ONLY by tsiPending TLS_SESSION_INFO extern "C" JNIEXPORT jint JNICALL Java_com_att_aro_pcap_AROCryptoAdapter_cryptocipherinit (JNIEnv *env, jobject obj, jint alg, jbyteArray temp1, jbyteArray temp2, jint key_material, jint bClient) { int ret = ARO_CRYPTO_ERROR; int i_alg = (int)alg; enum crypto_cipher_alg e_alg = (enum crypto_cipher_alg)i_alg; jbyte* temp1buff = NULL; temp1buff = env->GetByteArrayElements(temp1, NULL); jbyte* temp2buff = NULL; temp2buff = env->GetByteArrayElements(temp2, NULL); if(!temp1buff || !temp2buff) return ret; int i_key_material = (int)key_material; int i_bClient = (int)bClient; struct crypto_cipher* ctx = NULL; ctx = crypto_cipher_init(e_alg, (const BYTE*)temp1buff, (const BYTE*)temp2buff, i_key_material); env->ReleaseByteArrayElements(temp1, temp1buff, 0); env->ReleaseByteArrayElements(temp2, temp2buff, 0); if(ctx == NULL) return ret; if(i_bClient == 1) tsipending_ctx_client = ctx; else tsipending_ctx_server = ctx; ret = 0; return ret; }
static TEE_Result aes_ecb(uint8_t out[TEE_AES_BLOCK_SIZE], const uint8_t in[TEE_AES_BLOCK_SIZE], const uint8_t *key, size_t key_size) { TEE_Result res; void *ctx = NULL; const uint32_t algo = TEE_ALG_AES_ECB_NOPAD; res = crypto_cipher_alloc_ctx(&ctx, algo); if (res != TEE_SUCCESS) return res; res = crypto_cipher_init(ctx, algo, TEE_MODE_ENCRYPT, key, key_size, NULL, 0, NULL, 0); if (res != TEE_SUCCESS) goto out; res = crypto_cipher_update(ctx, algo, TEE_MODE_ENCRYPT, true, in, TEE_AES_BLOCK_SIZE, out); if (res != TEE_SUCCESS) goto out; crypto_cipher_final(ctx, algo); res = TEE_SUCCESS; out: crypto_cipher_free_ctx(ctx, algo); return res; }
TEE_Result tee_fs_fek_crypt(const TEE_UUID *uuid, TEE_OperationMode mode, const uint8_t *in_key, size_t size, uint8_t *out_key) { TEE_Result res; void *ctx = NULL; uint8_t tsk[TEE_FS_KM_TSK_SIZE]; uint8_t dst_key[size]; if (!in_key || !out_key) return TEE_ERROR_BAD_PARAMETERS; if (size != TEE_FS_KM_FEK_SIZE) return TEE_ERROR_BAD_PARAMETERS; if (tee_fs_ssk.is_init == 0) return TEE_ERROR_GENERIC; if (uuid) { res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE, uuid, sizeof(*uuid)); if (res != TEE_SUCCESS) return res; } else { /* * Pick something of a different size than TEE_UUID to * guarantee that there's never a conflict. */ uint8_t dummy[1] = { 0 }; res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE, dummy, sizeof(dummy)); if (res != TEE_SUCCESS) return res; } res = crypto_cipher_alloc_ctx(&ctx, TEE_FS_KM_ENC_FEK_ALG); if (res != TEE_SUCCESS) return res; res = crypto_cipher_init(ctx, TEE_FS_KM_ENC_FEK_ALG, mode, tsk, sizeof(tsk), NULL, 0, NULL, 0); if (res != TEE_SUCCESS) goto exit; res = crypto_cipher_update(ctx, TEE_FS_KM_ENC_FEK_ALG, mode, true, in_key, size, dst_key); if (res != TEE_SUCCESS) goto exit; crypto_cipher_final(ctx, TEE_FS_KM_ENC_FEK_ALG); memcpy(out_key, dst_key, sizeof(dst_key)); exit: crypto_cipher_free_ctx(ctx, TEE_FS_KM_ENC_FEK_ALG); return res; }
int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, const u8 *plain, u8 *crypt, size_t len) { struct crypto_cipher *cipher; int encr_alg; #ifdef CCNS_PL if (alg == ENCR_3DES) { struct des3_key_s des3key; size_t i, blocks; u8 *pos; /* ECB mode is used incorrectly for 3DES!? */ if (key_len != 24) { wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length"); return -1; } des3_key_setup(key, &des3key); blocks = len / 8; pos = crypt; for (i = 0; i < blocks; i++) { des3_encrypt(pos, &des3key, pos); pos += 8; } } else { #endif /* CCNS_PL */ switch (alg) { case ENCR_3DES: encr_alg = CRYPTO_CIPHER_ALG_3DES; break; case ENCR_AES_CBC: encr_alg = CRYPTO_CIPHER_ALG_AES; break; default: wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); return -1; } cipher = crypto_cipher_init(encr_alg, iv, key, key_len); if (cipher == NULL) { wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); return -1; } if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) { wpa_printf(MSG_INFO, "IKEV2: Encryption failed"); crypto_cipher_deinit(cipher); return -1; } crypto_cipher_deinit(cipher); #ifdef CCNS_PL } #endif /* CCNS_PL */ return 0; }
/* * Encryption/decryption of RPMB FS file data. This is AES CBC with ESSIV. */ TEE_Result tee_fs_crypt_block(const TEE_UUID *uuid, uint8_t *out, const uint8_t *in, size_t size, uint16_t blk_idx, const uint8_t *encrypted_fek, TEE_OperationMode mode) { TEE_Result res; uint8_t fek[TEE_FS_KM_FEK_SIZE]; uint8_t iv[TEE_AES_BLOCK_SIZE]; void *ctx; const uint32_t algo = TEE_ALG_AES_CBC_NOPAD; DMSG("%scrypt block #%u", (mode == TEE_MODE_ENCRYPT) ? "En" : "De", blk_idx); /* Decrypt FEK */ res = tee_fs_fek_crypt(uuid, TEE_MODE_DECRYPT, encrypted_fek, TEE_FS_KM_FEK_SIZE, fek); if (res != TEE_SUCCESS) return res; /* Compute initialization vector for this block */ res = essiv(iv, fek, blk_idx); if (res != TEE_SUCCESS) return res; /* Run AES CBC */ res = crypto_cipher_alloc_ctx(&ctx, algo); if (res != TEE_SUCCESS) return res; res = crypto_cipher_init(ctx, algo, mode, fek, sizeof(fek), NULL, 0, iv, TEE_AES_BLOCK_SIZE); if (res != TEE_SUCCESS) goto exit; res = crypto_cipher_update(ctx, algo, mode, true, in, size, out); if (res != TEE_SUCCESS) goto exit; crypto_cipher_final(ctx, algo); exit: crypto_cipher_free_ctx(ctx, algo); return res; }
/** * tlsv1_record_change_read_cipher - TLS record layer: Change read cipher * @rl: Pointer to TLS record layer data * Returns: 0 on success (cipher changed), -1 on failure * * This function changes TLS record layer to use the new cipher suite * configured with tlsv1_record_set_cipher_suite() for reading. */ int tlsv1_record_change_read_cipher(struct tlsv1_record_layer *rl) { wpa_printf(MSG_DEBUG, "TLSv1: Record Layer - New read cipher suite " "0x%04x", rl->cipher_suite); rl->read_cipher_suite = rl->cipher_suite; os_memset(rl->read_seq_num, 0, TLS_SEQ_NUM_LEN); if (rl->read_cbc) { crypto_cipher_deinit(rl->read_cbc); rl->read_cbc = NULL; } if (rl->cipher_alg != CRYPTO_CIPHER_NULL) { rl->read_cbc = crypto_cipher_init(rl->cipher_alg, rl->read_iv, rl->read_key, rl->key_material_len); if (rl->read_cbc == NULL) { wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize " "cipher"); return -1; } } return 0; }