1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
/*
* Definitions likely to be helpful to multiple AES implementations.
*/
/*
* The 'extra' structure used by AES implementations is used to
* include information about how to check if a given implementation is
* available at run time, and whether we've already checked.
*/
struct aes_extra_mutable;
struct aes_extra {
/* Function to check availability. Might be expensive, so we don't
* want to call it more than once. */
bool (*check_available)(void);
/* Point to a writable substructure. */
struct aes_extra_mutable *mut;
/* Extra API function specific to AES, to encrypt a single block
* in ECB mode without touching the IV. Used by AES-GCM MAC
* setup. */
void (*encrypt_ecb_block)(ssh_cipher *, void *);
};
struct aes_extra_mutable {
bool checked_availability;
bool is_available;
};
static inline bool check_availability(const struct aes_extra *extra)
{
if (!extra->mut->checked_availability) {
extra->mut->is_available = extra->check_available();
extra->mut->checked_availability = true;
}
return extra->mut->is_available;
}
/* Shared stub function for all the AES-GCM vtables. */
void aesgcm_cipher_crypt_length(
ssh_cipher *cipher, void *blk, int len, unsigned long seq);
/* External entry point for the encrypt_ecb_block function. */
static inline void aes_encrypt_ecb_block(ssh_cipher *ciph, void *blk)
{
const struct aes_extra *extra = ciph->vt->extra;
extra->encrypt_ecb_block(ciph, blk);
}
/*
* Macros to define vtables for AES variants. There are a lot of
* these, because of the cross product between cipher modes, key
* sizes, and assorted HW/SW implementations, so it's worth spending
* some effort here to reduce the boilerplate in the sub-files.
*/
#define AES_EXTRA_BITS(impl_c, bits) \
static struct aes_extra_mutable aes ## impl_c ## _extra_mut; \
static const struct aes_extra aes ## bits ## impl_c ## _extra = { \
.check_available = aes ## impl_c ## _available, \
.mut = &aes ## impl_c ## _extra_mut, \
.encrypt_ecb_block = &aes ## bits ## impl_c ## _encrypt_ecb_block, \
}
#define AES_EXTRA(impl_c) \
AES_EXTRA_BITS(impl_c, 128); \
AES_EXTRA_BITS(impl_c, 192); \
AES_EXTRA_BITS(impl_c, 256)
#define AES_CBC_VTABLE(impl_c, impl_display, bits) \
const ssh_cipheralg ssh_aes ## bits ## _cbc ## impl_c = { \
.new = aes ## impl_c ## _new, \
.free = aes ## impl_c ## _free, \
.setiv = aes ## impl_c ## _setiv_cbc, \
.setkey = aes ## impl_c ## _setkey, \
.encrypt = aes ## bits ## impl_c ## _cbc_encrypt, \
.decrypt = aes ## bits ## impl_c ## _cbc_decrypt, \
.next_message = nullcipher_next_message, \
.ssh2_id = "aes" #bits "-cbc", \
.blksize = 16, \
.real_keybits = bits, \
.padded_keybytes = bits/8, \
.flags = SSH_CIPHER_IS_CBC, \
.text_name = "AES-" #bits " CBC (" impl_display ")", \
.extra = &aes ## bits ## impl_c ## _extra, \
}
#define AES_SDCTR_VTABLE(impl_c, impl_display, bits) \
const ssh_cipheralg ssh_aes ## bits ## _sdctr ## impl_c = { \
.new = aes ## impl_c ## _new, \
.free = aes ## impl_c ## _free, \
.setiv = aes ## impl_c ## _setiv_sdctr, \
.setkey = aes ## impl_c ## _setkey, \
.encrypt = aes ## bits ## impl_c ## _sdctr, \
.decrypt = aes ## bits ## impl_c ## _sdctr, \
.next_message = nullcipher_next_message, \
.ssh2_id = "aes" #bits "-ctr", \
.blksize = 16, \
.real_keybits = bits, \
.padded_keybytes = bits/8, \
.flags = 0, \
.text_name = "AES-" #bits " SDCTR (" impl_display ")", \
.extra = &aes ## bits ## impl_c ## _extra, \
}
#define AES_GCM_VTABLE(impl_c, impl_display, bits) \
const ssh_cipheralg ssh_aes ## bits ## _gcm ## impl_c = { \
.new = aes ## impl_c ## _new, \
.free = aes ## impl_c ## _free, \
.setiv = aes ## impl_c ## _setiv_gcm, \
.setkey = aes ## impl_c ## _setkey, \
.encrypt = aes ## bits ## impl_c ## _gcm, \
.decrypt = aes ## bits ## impl_c ## _gcm, \
.encrypt_length = aesgcm_cipher_crypt_length, \
.decrypt_length = aesgcm_cipher_crypt_length, \
.next_message = aes ## impl_c ## _next_message_gcm, \
/* 192-bit AES-GCM is included only so that testcrypt can run \
* standard test vectors against it. OpenSSH doesn't define a \
* protocol id for it. So we set its ssh2_id to NULL. */ \
.ssh2_id = bits==192 ? NULL : "aes" #bits "-gcm@openssh.com", \
.blksize = 16, \
.real_keybits = bits, \
.padded_keybytes = bits/8, \
.flags = SSH_CIPHER_SEPARATE_LENGTH, \
.text_name = "AES-" #bits " GCM (" impl_display ")", \
.required_mac = &ssh2_aesgcm_mac, \
.extra = &aes ## bits ## impl_c ## _extra, \
}
#define AES_ALL_VTABLES(impl_c, impl_display) \
AES_CBC_VTABLE(impl_c, impl_display, 128); \
AES_CBC_VTABLE(impl_c, impl_display, 192); \
AES_CBC_VTABLE(impl_c, impl_display, 256); \
AES_SDCTR_VTABLE(impl_c, impl_display, 128); \
AES_SDCTR_VTABLE(impl_c, impl_display, 192); \
AES_SDCTR_VTABLE(impl_c, impl_display, 256); \
AES_GCM_VTABLE(impl_c, impl_display, 128); \
AES_GCM_VTABLE(impl_c, impl_display, 192); \
AES_GCM_VTABLE(impl_c, impl_display, 256)
/*
* Macros to repeat a piece of code particular numbers of times that
* correspond to 1 fewer than the number of AES rounds. (Because the
* last round is different.)
*/
#define REP2(x) x x
#define REP4(x) REP2(REP2(x))
#define REP8(x) REP2(REP4(x))
#define REP9(x) REP8(x) x
#define REP11(x) REP8(x) REP2(x) x
#define REP13(x) REP8(x) REP4(x) x
/*
* The round constants used in key schedule expansion.
*/
extern const uint8_t aes_key_setup_round_constants[10];
/*
* The largest number of round keys ever needed.
*/
#define MAXROUNDKEYS 15
|
