lib/crypto/aes_ccm_128.c

   1 /*
   2    AES-CCM-128 (rfc 3610)
   3
   4    Copyright (C) Stefan Metzmacher 2012
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "replace.h"
  21 #include "../lib/crypto/crypto.h"
  22 #include "lib/util/byteorder.h"
  23
  24 #define M_ ((AES_CCM_128_M - 2) / 2)
  25 #define L_ (AES_CCM_128_L - 1)
  26
  27 static inline void aes_ccm_128_xor(const uint8_t in1[AES_BLOCK_SIZE],
  28                                    const uint8_t in2[AES_BLOCK_SIZE],
  29                                    uint8_t out[AES_BLOCK_SIZE])
  30 {
  31         uint8_t i;
  32
  33         for (i = 0; i < AES_BLOCK_SIZE; i++) {
  34                 out[i] = in1[i] ^ in2[i];
  35         }
  36 }
  37
  38 void aes_ccm_128_init(struct aes_ccm_128_context *ctx,
  39                       const uint8_t K[AES_BLOCK_SIZE],
  40                       const uint8_t N[AES_CCM_128_NONCE_SIZE],
  41                       size_t a_total, size_t m_total)
  42 {
  43         uint8_t B_0[AES_BLOCK_SIZE];
  44
  45         ZERO_STRUCTP(ctx);
  46
  47         AES_set_encrypt_key(K, 128, &ctx->aes_key);
  48         memcpy(ctx->nonce, N, AES_CCM_128_NONCE_SIZE);
  49         ctx->a_remain = a_total;
  50         ctx->m_remain = m_total;
  51
  52         /*
  53          * prepare B_0
  54          */
  55         B_0[0]  = L_;
  56         B_0[0] += 8 * M_;
  57         if (a_total > 0) {
  58                 B_0[0] += 64;
  59         }
  60         memcpy(&B_0[1], ctx->nonce, AES_CCM_128_NONCE_SIZE);
  61         RSIVAL(B_0, (AES_BLOCK_SIZE - AES_CCM_128_L), m_total);
  62
  63         /*
  64          * prepare X_1
  65          */
  66         AES_encrypt(B_0, ctx->X_i, &ctx->aes_key);
  67
  68         /*
  69          * prepare B_1
  70          */
  71         if (a_total >= UINT32_MAX) {
  72                 RSSVAL(ctx->B_i, 0, 0xFFFF);
  73                 RSBVAL(ctx->B_i, 2, (uint64_t)a_total);
  74                 ctx->B_i_ofs = 10;
  75         } else if (a_total >= 0xFF00) {
  76                 RSSVAL(ctx->B_i, 0, 0xFFFE);
  77                 RSIVAL(ctx->B_i, 2, a_total);
  78                 ctx->B_i_ofs = 6;
  79         } else if (a_total > 0) {
  80                 RSSVAL(ctx->B_i, 0, a_total);
  81                 ctx->B_i_ofs = 2;
  82         }
  83
  84         ctx->S_i_ofs = AES_BLOCK_SIZE;
  85 }
  86
  87 void aes_ccm_128_update(struct aes_ccm_128_context *ctx,
  88                         const uint8_t *v, size_t v_len)
  89 {
  90         size_t *remain;
  91
  92         if (ctx->a_remain > 0) {
  93                 remain = &ctx->a_remain;
  94         } else {
  95                 remain = &ctx->m_remain;
  96         }
  97
  98         while (v_len > 0) {
  99                 size_t n = MIN(AES_BLOCK_SIZE - ctx->B_i_ofs, v_len);
 100                 bool more = true;
 101
 102                 memcpy(&ctx->B_i[ctx->B_i_ofs], v, n);
 103                 v += n;
 104                 v_len -= n;
 105                 ctx->B_i_ofs += n;
 106                 *remain -= n;
 107
 108                 if (ctx->B_i_ofs == AES_BLOCK_SIZE) {
 109                         more = false;
 110                 } else if (*remain == 0) {
 111                         more = false;
 112                 }
 113
 114                 if (more) {
 115                         continue;
 116                 }
 117
 118                 aes_ccm_128_xor(ctx->X_i, ctx->B_i, ctx->B_i);
 119                 AES_encrypt(ctx->B_i, ctx->X_i, &ctx->aes_key);
 120
 121                 ZERO_STRUCT(ctx->B_i);
 122                 ctx->B_i_ofs = 0;
 123         }
 124 }
 125
 126 static void aes_ccm_128_S_i(struct aes_ccm_128_context *ctx,
 127                             uint8_t S_i[AES_BLOCK_SIZE],
 128                             size_t i)
 129 {
 130         uint8_t A_i[AES_BLOCK_SIZE];
 131
 132         A_i[0]  = L_;
 133         memcpy(&A_i[1], ctx->nonce, AES_CCM_128_NONCE_SIZE);
 134         RSIVAL(A_i, (AES_BLOCK_SIZE - AES_CCM_128_L), i);
 135
 136         AES_encrypt(A_i, S_i, &ctx->aes_key);
 137 }
 138
 139 void aes_ccm_128_crypt(struct aes_ccm_128_context *ctx,
 140                        uint8_t *m, size_t m_len)
 141 {
 142         while (m_len > 0) {
 143                 if (ctx->S_i_ofs == AES_BLOCK_SIZE) {
 144                         ctx->S_i_ctr += 1;
 145                         aes_ccm_128_S_i(ctx, ctx->S_i, ctx->S_i_ctr);
 146                         ctx->S_i_ofs = 0;
 147                 }
 148
 149                 m[0] ^= ctx->S_i[ctx->S_i_ofs];
 150                 m += 1;
 151                 m_len -= 1;
 152                 ctx->S_i_ofs += 1;
 153         }
 154 }
 155
 156 void aes_ccm_128_digest(struct aes_ccm_128_context *ctx,
 157                         uint8_t digest[AES_BLOCK_SIZE])
 158 {
 159         uint8_t S_0[AES_BLOCK_SIZE];
 160
 161         aes_ccm_128_S_i(ctx, S_0, 0);
 162
 163         /*
 164          * note X_i is T here
 165          */
 166         aes_ccm_128_xor(ctx->X_i, S_0, digest);
 167
 168         ZERO_STRUCT(S_0);
 169         ZERO_STRUCTP(ctx);
 170 }