4 Copyright (C) Stefan Metzmacher 2012
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "lib/crypto/aes.h"
22 #include "lib/crypto/aes_ccm_128.h"
23 #include "lib/util/byteorder.h"
25 #define M_ ((AES_CCM_128_M - 2) / 2)
26 #define L_ (AES_CCM_128_L - 1)
28 void aes_ccm_128_init(struct aes_ccm_128_context *ctx,
29 const uint8_t K[AES_BLOCK_SIZE],
30 const uint8_t N[AES_CCM_128_NONCE_SIZE],
31 size_t a_total, size_t m_total)
35 AES_set_encrypt_key(K, 128, &ctx->aes_key);
36 memcpy(ctx->nonce, N, AES_CCM_128_NONCE_SIZE);
37 ctx->a_remain = a_total;
38 ctx->m_remain = m_total;
44 ctx->B_i[0] += 8 * M_;
48 memcpy(&ctx->B_i[1], ctx->nonce, AES_CCM_128_NONCE_SIZE);
49 RSIVAL(ctx->B_i, (AES_BLOCK_SIZE - AES_CCM_128_L), m_total);
54 AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
59 ZERO_STRUCT(ctx->B_i);
60 if (a_total >= UINT32_MAX) {
61 RSSVAL(ctx->B_i, 0, 0xFFFF);
62 RSBVAL(ctx->B_i, 2, (uint64_t)a_total);
64 } else if (a_total >= 0xFF00) {
65 RSSVAL(ctx->B_i, 0, 0xFFFE);
66 RSIVAL(ctx->B_i, 2, a_total);
68 } else if (a_total > 0) {
69 RSSVAL(ctx->B_i, 0, a_total);
77 memcpy(&ctx->A_i[1], ctx->nonce, AES_CCM_128_NONCE_SIZE);
79 ctx->S_i_ofs = AES_BLOCK_SIZE;
82 void aes_ccm_128_update(struct aes_ccm_128_context *ctx,
83 const uint8_t *v, size_t v_len)
91 if (ctx->a_remain > 0) {
92 remain = &ctx->a_remain;
94 remain = &ctx->m_remain;
97 if (unlikely(v_len > *remain)) {
101 if (ctx->B_i_ofs > 0) {
102 size_t n = MIN(AES_BLOCK_SIZE - ctx->B_i_ofs, v_len);
104 memcpy(&ctx->B_i[ctx->B_i_ofs], v, n);
111 if ((ctx->B_i_ofs == AES_BLOCK_SIZE) || (*remain == 0)) {
112 aes_block_xor(ctx->X_i, ctx->B_i, ctx->B_i);
113 AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
117 while (v_len >= AES_BLOCK_SIZE) {
118 aes_block_xor(ctx->X_i, v, ctx->B_i);
119 AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
121 v_len -= AES_BLOCK_SIZE;
122 *remain -= AES_BLOCK_SIZE;
126 ZERO_STRUCT(ctx->B_i);
127 memcpy(ctx->B_i, v, v_len);
128 ctx->B_i_ofs += v_len;
138 if (ctx->B_i_ofs > 0) {
139 aes_block_xor(ctx->X_i, ctx->B_i, ctx->B_i);
140 AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
145 static inline void aes_ccm_128_S_i(struct aes_ccm_128_context *ctx,
146 uint8_t S_i[AES_BLOCK_SIZE],
149 RSIVAL(ctx->A_i, (AES_BLOCK_SIZE - AES_CCM_128_L), i);
150 AES_encrypt(ctx->A_i, S_i, &ctx->aes_key);
153 void aes_ccm_128_crypt(struct aes_ccm_128_context *ctx,
154 uint8_t *m, size_t m_len)
157 if (ctx->S_i_ofs == AES_BLOCK_SIZE) {
159 aes_ccm_128_S_i(ctx, ctx->S_i, ctx->S_i_ctr);
163 if (likely(ctx->S_i_ofs == 0 && m_len >= AES_BLOCK_SIZE)) {
164 aes_block_xor(m, ctx->S_i, m);
166 m_len -= AES_BLOCK_SIZE;
168 aes_ccm_128_S_i(ctx, ctx->S_i, ctx->S_i_ctr);
172 m[0] ^= ctx->S_i[ctx->S_i_ofs];
179 void aes_ccm_128_digest(struct aes_ccm_128_context *ctx,
180 uint8_t digest[AES_BLOCK_SIZE])
182 if (unlikely(ctx->a_remain != 0)) {
185 if (unlikely(ctx->m_remain != 0)) {
190 aes_ccm_128_S_i(ctx, ctx->S_i, 0);
195 aes_block_xor(ctx->X_i, ctx->S_i, digest);