aes.h 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
  1. /*
  2. * Definitions likely to be helpful to multiple AES implementations.
  3. */
  4. /*
  5. * The 'extra' structure used by AES implementations is used to
  6. * include information about how to check if a given implementation is
  7. * available at run time, and whether we've already checked.
  8. */
  9. struct aes_extra_mutable;
  10. struct aes_extra {
  11. /* Function to check availability. Might be expensive, so we don't
  12. * want to call it more than once. */
  13. bool (*check_available)(void);
  14. /* Point to a writable substructure. */
  15. struct aes_extra_mutable *mut;
  16. /* Extra API function specific to AES, to encrypt a single block
  17. * in ECB mode without touching the IV. Used by AES-GCM MAC
  18. * setup. */
  19. void (*encrypt_ecb_block)(ssh_cipher *, void *);
  20. };
  21. struct aes_extra_mutable {
  22. bool checked_availability;
  23. bool is_available;
  24. };
  25. static inline bool check_availability(const struct aes_extra *extra)
  26. {
  27. if (!extra->mut->checked_availability) {
  28. extra->mut->is_available = extra->check_available();
  29. extra->mut->checked_availability = true;
  30. }
  31. return extra->mut->is_available;
  32. }
  33. /* Shared stub function for all the AES-GCM vtables. */
  34. void aesgcm_cipher_crypt_length(
  35. ssh_cipher *cipher, void *blk, int len, unsigned long seq);
  36. /* External entry point for the encrypt_ecb_block function. */
  37. static inline void aes_encrypt_ecb_block(ssh_cipher *ciph, void *blk)
  38. {
  39. const struct aes_extra *extra = ciph->vt->extra;
  40. extra->encrypt_ecb_block(ciph, blk);
  41. }
  42. /*
  43. * Macros to define vtables for AES variants. There are a lot of
  44. * these, because of the cross product between cipher modes, key
  45. * sizes, and assorted HW/SW implementations, so it's worth spending
  46. * some effort here to reduce the boilerplate in the sub-files.
  47. */
  48. #define AES_EXTRA_BITS(impl_c, bits) \
  49. static struct aes_extra_mutable aes ## impl_c ## _extra_mut; \
  50. static const struct aes_extra aes ## bits ## impl_c ## _extra = { \
  51. .check_available = aes ## impl_c ## _available, \
  52. .mut = &aes ## impl_c ## _extra_mut, \
  53. .encrypt_ecb_block = &aes ## bits ## impl_c ## _encrypt_ecb_block, \
  54. }
  55. #define AES_EXTRA(impl_c) \
  56. AES_EXTRA_BITS(impl_c, 128); \
  57. AES_EXTRA_BITS(impl_c, 192); \
  58. AES_EXTRA_BITS(impl_c, 256)
  59. #define AES_CBC_VTABLE(impl_c, impl_display, bits) \
  60. const ssh_cipheralg ssh_aes ## bits ## _cbc ## impl_c = { \
  61. .new = aes ## impl_c ## _new, \
  62. .free = aes ## impl_c ## _free, \
  63. .setiv = aes ## impl_c ## _setiv_cbc, \
  64. .setkey = aes ## impl_c ## _setkey, \
  65. .encrypt = aes ## bits ## impl_c ## _cbc_encrypt, \
  66. .decrypt = aes ## bits ## impl_c ## _cbc_decrypt, \
  67. .next_message = nullcipher_next_message, \
  68. .ssh2_id = "aes" #bits "-cbc", \
  69. .blksize = 16, \
  70. .real_keybits = bits, \
  71. .padded_keybytes = bits/8, \
  72. .flags = SSH_CIPHER_IS_CBC, \
  73. .text_name = "AES-" #bits " CBC (" impl_display ")", \
  74. .extra = &aes ## bits ## impl_c ## _extra, \
  75. }
  76. #define AES_SDCTR_VTABLE(impl_c, impl_display, bits) \
  77. const ssh_cipheralg ssh_aes ## bits ## _sdctr ## impl_c = { \
  78. .new = aes ## impl_c ## _new, \
  79. .free = aes ## impl_c ## _free, \
  80. .setiv = aes ## impl_c ## _setiv_sdctr, \
  81. .setkey = aes ## impl_c ## _setkey, \
  82. .encrypt = aes ## bits ## impl_c ## _sdctr, \
  83. .decrypt = aes ## bits ## impl_c ## _sdctr, \
  84. .next_message = nullcipher_next_message, \
  85. .ssh2_id = "aes" #bits "-ctr", \
  86. .blksize = 16, \
  87. .real_keybits = bits, \
  88. .padded_keybytes = bits/8, \
  89. .flags = 0, \
  90. .text_name = "AES-" #bits " SDCTR (" impl_display ")", \
  91. .extra = &aes ## bits ## impl_c ## _extra, \
  92. }
  93. #define AES_GCM_VTABLE(impl_c, impl_display, bits) \
  94. const ssh_cipheralg ssh_aes ## bits ## _gcm ## impl_c = { \
  95. .new = aes ## impl_c ## _new, \
  96. .free = aes ## impl_c ## _free, \
  97. .setiv = aes ## impl_c ## _setiv_gcm, \
  98. .setkey = aes ## impl_c ## _setkey, \
  99. .encrypt = aes ## bits ## impl_c ## _gcm, \
  100. .decrypt = aes ## bits ## impl_c ## _gcm, \
  101. .encrypt_length = aesgcm_cipher_crypt_length, \
  102. .decrypt_length = aesgcm_cipher_crypt_length, \
  103. .next_message = aes ## impl_c ## _next_message_gcm, \
  104. /* 192-bit AES-GCM is included only so that testcrypt can run \
  105. * standard test vectors against it. OpenSSH doesn't define a \
  106. * protocol id for it. So we set its ssh2_id to NULL. */ \
  107. .ssh2_id = bits==192 ? NULL : "aes" #bits "-gcm@openssh.com", \
  108. .blksize = 16, \
  109. .real_keybits = bits, \
  110. .padded_keybytes = bits/8, \
  111. .flags = SSH_CIPHER_SEPARATE_LENGTH, \
  112. .text_name = "AES-" #bits " GCM (" impl_display ")", \
  113. .required_mac = &ssh2_aesgcm_mac, \
  114. .extra = &aes ## bits ## impl_c ## _extra, \
  115. }
  116. #define AES_ALL_VTABLES(impl_c, impl_display) \
  117. AES_CBC_VTABLE(impl_c, impl_display, 128); \
  118. AES_CBC_VTABLE(impl_c, impl_display, 192); \
  119. AES_CBC_VTABLE(impl_c, impl_display, 256); \
  120. AES_SDCTR_VTABLE(impl_c, impl_display, 128); \
  121. AES_SDCTR_VTABLE(impl_c, impl_display, 192); \
  122. AES_SDCTR_VTABLE(impl_c, impl_display, 256); \
  123. AES_GCM_VTABLE(impl_c, impl_display, 128); \
  124. AES_GCM_VTABLE(impl_c, impl_display, 192); \
  125. AES_GCM_VTABLE(impl_c, impl_display, 256)
  126. /*
  127. * Macros to repeat a piece of code particular numbers of times that
  128. * correspond to 1 fewer than the number of AES rounds. (Because the
  129. * last round is different.)
  130. */
  131. #define REP2(x) x x
  132. #define REP4(x) REP2(REP2(x))
  133. #define REP8(x) REP2(REP4(x))
  134. #define REP9(x) REP8(x) x
  135. #define REP11(x) REP8(x) REP2(x) x
  136. #define REP13(x) REP8(x) REP4(x) x
  137. /*
  138. * The round constants used in key schedule expansion.
  139. */
  140. extern const uint8_t aes_key_setup_round_constants[10];
  141. /*
  142. * The largest number of round keys ever needed.
  143. */
  144. #define MAXROUNDKEYS 15