1 #include <inttypes.h>
2 #include <mini-os/byteorder.h>
3 #include <polarssl/aes.h>
4 #include <polarssl/sha2.h>
5 #include <polarssl/ctr_drbg.h>
6
7 #include "log.h"
8 #include "vtpmmgr.h"
9 #include "vtpm_disk.h"
10 #include "disk_io.h"
11 #include "disk_crypto.h"
12
13 // XXX defining this stubs out all disk encryption for easier debugging
14 #undef DISK_IS_PLAINTEXT
15
do_random(void * buf,size_t size)16 void do_random(void *buf, size_t size)
17 {
18 int rc = ctr_drbg_random(&vtpm_globals.ctr_drbg, buf, size);
19 if (rc) abort();
20 }
21
aes_setup(aes_context * ctx,const struct key128 * key)22 void aes_setup(aes_context *ctx, const struct key128 *key)
23 {
24 aes_setkey_enc(ctx, (void*)key, 128);
25 }
26
aes_encrypt_ecb(void * target,const void * src,const aes_context * key_e)27 static void aes_encrypt_ecb(void *target, const void *src, const aes_context *key_e)
28 {
29 aes_crypt_ecb((void*)key_e, AES_ENCRYPT, src, target);
30 }
31
aes_encrypt_one(void * target,const void * src,const struct key128 * key)32 void aes_encrypt_one(void *target, const void *src, const struct key128 *key)
33 {
34 aes_context ctx;
35 aes_setkey_enc(&ctx, (void*)key, 128);
36 aes_crypt_ecb(&ctx, AES_ENCRYPT, src, target);
37 }
38
aes_decrypt_one(void * target,const void * src,const struct key128 * key)39 void aes_decrypt_one(void *target, const void *src, const struct key128 *key)
40 {
41 aes_context ctx;
42 aes_setkey_dec(&ctx, (void*)key, 128);
43 aes_crypt_ecb(&ctx, AES_DECRYPT, src, target);
44 }
45
aes_ctr_one(uint64_t out[2],uint64_t ctr[2],const aes_context * key_e)46 static void aes_ctr_one(uint64_t out[2], uint64_t ctr[2], const aes_context *key_e)
47 {
48 #ifdef DISK_IS_PLAINTEXT
49 memset(out, 0, 16);
50 #else
51 aes_encrypt_ecb(out, ctr, key_e);
52 #endif
53 ctr[1]++;
54 }
55
aes_encrypt_ctr(void * target,size_t target_size,const void * srcv,size_t pt_size,const aes_context * key_e)56 void aes_encrypt_ctr(void *target, size_t target_size, const void *srcv, size_t pt_size, const aes_context *key_e)
57 {
58 uint64_t ctr[2];
59 uint64_t tmp[2];
60 uint64_t *dst = target;
61 const uint64_t *src = srcv;
62
63 do_random(ctr, sizeof(ctr));
64 dst[0] = ctr[0];
65 dst[1] = ctr[1];
66 dst += 2;
67 target_size -= 16;
68
69 if (pt_size > target_size)
70 abort(); // invalid argument: target too small for plaintext
71
72 while (pt_size >= 16) {
73 aes_ctr_one(tmp, ctr, key_e);
74
75 dst[0] = tmp[0] ^ src[0];
76 dst[1] = tmp[1] ^ src[1];
77
78 dst += 2;
79 src += 2;
80 pt_size -= 16;
81 target_size -= 16;
82 }
83 if (pt_size) {
84 uint64_t stmp[2];
85 uint64_t dtmp[2];
86 memset(stmp, 0, 16);
87 memcpy(stmp, src, pt_size);
88
89 aes_ctr_one(tmp, ctr, key_e);
90
91 dtmp[0] = tmp[0] ^ stmp[0];
92 dtmp[1] = tmp[1] ^ stmp[1];
93 if (target_size < 16) {
94 memcpy(dst, dtmp, target_size);
95 return;
96 } else {
97 memcpy(dst, dtmp, 16);
98 target_size -= 16;
99 }
100 }
101 while (target_size >= 16) {
102 aes_ctr_one(dst, ctr, key_e);
103
104 dst += 2;
105 target_size -= 16;
106 }
107 if (target_size)
108 abort(); // invalid argument: overlarge target size is not a full block
109 }
110
aes_decrypt_ctr(void * target,size_t pt_size,const void * srcv,size_t src_size,const aes_context * key_e)111 void aes_decrypt_ctr(void *target, size_t pt_size, const void *srcv, size_t src_size, const aes_context *key_e)
112 {
113 uint64_t ctr[2];
114 uint64_t tmp[2];
115 uint64_t *dst = target;
116 const uint64_t *src = srcv;
117
118 ctr[0] = src[0];
119 ctr[1] = src[1];
120 src += 2;
121 src_size -= 16;
122
123 if (pt_size > src_size)
124 abort(); // invalid argument: source too small for plaintext
125 // we discard src_size now
126
127 while (pt_size >= 16) {
128 aes_ctr_one(tmp, ctr, key_e);
129 dst[0] = tmp[0] ^ src[0];
130 dst[1] = tmp[1] ^ src[1];
131
132 dst += 2;
133 src += 2;
134 pt_size -= 16;
135 }
136 if (pt_size) {
137 uint64_t stmp[2];
138 uint64_t dtmp[2];
139 memset(stmp, 0, 16);
140 memcpy(stmp, src, pt_size);
141
142 aes_ctr_one(tmp, ctr, key_e);
143
144 dtmp[0] = tmp[0] ^ stmp[0];
145 dtmp[1] = tmp[1] ^ stmp[1];
146 memcpy(dst, dtmp, pt_size);
147 }
148 }
149
shl_128_mod_hex87(struct mac128 * dst,const struct mac128 * src)150 static void shl_128_mod_hex87(struct mac128 *dst, const struct mac128 *src)
151 {
152 int i;
153 int carry = 0x87 * !!(src->bits[0] & 0x80);
154 for(i=0; i < 15; i++)
155 dst->bits[i] = (src->bits[i] << 1) | (src->bits[i+1] >> 7);
156 dst->bits[15] = (src->bits[15] << 1) ^ carry;
157 }
158
xor128(struct mac128 * dst,const struct mac128 * s1,const struct mac128 * s2)159 static void xor128(struct mac128 *dst, const struct mac128 *s1, const struct mac128 *s2)
160 {
161 int i;
162 for(i=0; i < 16; i++)
163 dst->bits[i] = s1->bits[i] ^ s2->bits[i];
164 }
165
aes_cmac(struct mac128 * target,const void * src,size_t size,const aes_context * key)166 void aes_cmac(struct mac128 *target, const void *src, size_t size, const aes_context *key)
167 {
168 const struct mac128 *M = src;
169 struct mac128 x, y, L, K1, K2;
170 int i;
171 size_t bsize = (size - 1) / 16;
172
173 memset(&x, 0, sizeof(x));
174 aes_encrypt_ecb(&L, &x, key);
175 shl_128_mod_hex87(&K1, &L);
176 shl_128_mod_hex87(&K2, &K1);
177
178 for(i=0; i < bsize; i++) {
179 xor128(&y, &x, &M[i]);
180 aes_encrypt_ecb(&x, &y, key);
181 }
182 if (size & 0xF) {
183 struct mac128 z;
184 memset(&z, 0, sizeof(z));
185 memcpy(&z, M + bsize, size & 0xF);
186 xor128(&y, &x, &K2);
187 xor128(&x, &y, &z);
188 } else {
189 xor128(&y, &x, &K1);
190 xor128(&x, &y, M + bsize);
191 }
192 aes_encrypt_ecb(target, &x, key);
193 }
194
verify_128(const void * a,const void * b)195 static int verify_128(const void *a, const void* b)
196 {
197 const volatile uint64_t *x = a;
198 const volatile uint64_t *y = b;
199 if ((x[0] ^ y[0]) | (x[1] ^ y[1]))
200 return 1;
201 return 0;
202 }
203
aes_cmac_verify(const struct mac128 * target,const void * src,size_t size,const aes_context * key)204 int aes_cmac_verify(const struct mac128 *target, const void *src, size_t size, const aes_context *key)
205 {
206 struct mac128 mac;
207 aes_cmac(&mac, src, size, key);
208 return verify_128(&mac, target);
209 }
210
verify_256(const void * a,const void * b)211 static int verify_256(const void *a, const void* b)
212 {
213 const volatile uint64_t *x = a;
214 const volatile uint64_t *y = b;
215 if ((x[0] ^ y[0]) | (x[1] ^ y[1]) | (x[2] ^ y[2]) | (x[3] ^ y[3]))
216 return 1;
217 return 0;
218 }
219
sha256(struct hash256 * target,const void * src,size_t size)220 void sha256(struct hash256 *target, const void *src, size_t size)
221 {
222 void* dst = target;
223 sha2(src, size, dst, 0);
224 }
225
sha256_verify(const struct hash256 * targ,const void * data,size_t size)226 int sha256_verify(const struct hash256 *targ, const void *data, size_t size)
227 {
228 struct hash256 hash;
229 sha256(&hash, data, size);
230 return verify_256(&hash, targ);
231 }
232