ccm128.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432
  1. /*
  2. * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/crypto.h>
  11. #include "crypto/modes.h"
  12. /*
  13. * First you setup M and L parameters and pass the key schedule. This is
  14. * called once per session setup...
  15. */
  16. void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
  17. unsigned int M, unsigned int L, void *key,
  18. block128_f block)
  19. {
  20. memset(ctx->nonce.c, 0, sizeof(ctx->nonce.c));
  21. ctx->nonce.c[0] = ((u8)(L - 1) & 7) | (u8)(((M - 2) / 2) & 7) << 3;
  22. ctx->blocks = 0;
  23. ctx->block = block;
  24. ctx->key = key;
  25. }
  26. /* !!! Following interfaces are to be called *once* per packet !!! */
  27. /* Then you setup per-message nonce and pass the length of the message */
  28. int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
  29. const unsigned char *nonce, size_t nlen, size_t mlen)
  30. {
  31. unsigned int L = ctx->nonce.c[0] & 7; /* the L parameter */
  32. if (nlen < (14 - L))
  33. return -1; /* nonce is too short */
  34. if (sizeof(mlen) == 8 && L >= 3) {
  35. ctx->nonce.c[8] = (u8)(mlen >> (56 % (sizeof(mlen) * 8)));
  36. ctx->nonce.c[9] = (u8)(mlen >> (48 % (sizeof(mlen) * 8)));
  37. ctx->nonce.c[10] = (u8)(mlen >> (40 % (sizeof(mlen) * 8)));
  38. ctx->nonce.c[11] = (u8)(mlen >> (32 % (sizeof(mlen) * 8)));
  39. } else
  40. ctx->nonce.u[1] = 0;
  41. ctx->nonce.c[12] = (u8)(mlen >> 24);
  42. ctx->nonce.c[13] = (u8)(mlen >> 16);
  43. ctx->nonce.c[14] = (u8)(mlen >> 8);
  44. ctx->nonce.c[15] = (u8)mlen;
  45. ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */
  46. memcpy(&ctx->nonce.c[1], nonce, 14 - L);
  47. return 0;
  48. }
  49. /* Then you pass additional authentication data, this is optional */
  50. void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
  51. const unsigned char *aad, size_t alen)
  52. {
  53. unsigned int i;
  54. block128_f block = ctx->block;
  55. if (alen == 0)
  56. return;
  57. ctx->nonce.c[0] |= 0x40; /* set Adata flag */
  58. (*block) (ctx->nonce.c, ctx->cmac.c, ctx->key), ctx->blocks++;
  59. if (alen < (0x10000 - 0x100)) {
  60. ctx->cmac.c[0] ^= (u8)(alen >> 8);
  61. ctx->cmac.c[1] ^= (u8)alen;
  62. i = 2;
  63. } else if (sizeof(alen) == 8
  64. && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
  65. ctx->cmac.c[0] ^= 0xFF;
  66. ctx->cmac.c[1] ^= 0xFF;
  67. ctx->cmac.c[2] ^= (u8)(alen >> (56 % (sizeof(alen) * 8)));
  68. ctx->cmac.c[3] ^= (u8)(alen >> (48 % (sizeof(alen) * 8)));
  69. ctx->cmac.c[4] ^= (u8)(alen >> (40 % (sizeof(alen) * 8)));
  70. ctx->cmac.c[5] ^= (u8)(alen >> (32 % (sizeof(alen) * 8)));
  71. ctx->cmac.c[6] ^= (u8)(alen >> 24);
  72. ctx->cmac.c[7] ^= (u8)(alen >> 16);
  73. ctx->cmac.c[8] ^= (u8)(alen >> 8);
  74. ctx->cmac.c[9] ^= (u8)alen;
  75. i = 10;
  76. } else {
  77. ctx->cmac.c[0] ^= 0xFF;
  78. ctx->cmac.c[1] ^= 0xFE;
  79. ctx->cmac.c[2] ^= (u8)(alen >> 24);
  80. ctx->cmac.c[3] ^= (u8)(alen >> 16);
  81. ctx->cmac.c[4] ^= (u8)(alen >> 8);
  82. ctx->cmac.c[5] ^= (u8)alen;
  83. i = 6;
  84. }
  85. do {
  86. for (; i < 16 && alen; ++i, ++aad, --alen)
  87. ctx->cmac.c[i] ^= *aad;
  88. (*block) (ctx->cmac.c, ctx->cmac.c, ctx->key), ctx->blocks++;
  89. i = 0;
  90. } while (alen);
  91. }
  92. /* Finally you encrypt or decrypt the message */
  93. /*
  94. * counter part of nonce may not be larger than L*8 bits, L is not larger
  95. * than 8, therefore 64-bit counter...
  96. */
  97. static void ctr64_inc(unsigned char *counter)
  98. {
  99. unsigned int n = 8;
  100. u8 c;
  101. counter += 8;
  102. do {
  103. --n;
  104. c = counter[n];
  105. ++c;
  106. counter[n] = c;
  107. if (c)
  108. return;
  109. } while (n);
  110. }
  111. int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
  112. const unsigned char *inp, unsigned char *out,
  113. size_t len)
  114. {
  115. size_t n;
  116. unsigned int i, L;
  117. unsigned char flags0 = ctx->nonce.c[0];
  118. block128_f block = ctx->block;
  119. void *key = ctx->key;
  120. union {
  121. u64 u[2];
  122. u8 c[16];
  123. } scratch;
  124. if (!(flags0 & 0x40))
  125. (*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;
  126. ctx->nonce.c[0] = L = flags0 & 7;
  127. for (n = 0, i = 15 - L; i < 15; ++i) {
  128. n |= ctx->nonce.c[i];
  129. ctx->nonce.c[i] = 0;
  130. n <<= 8;
  131. }
  132. n |= ctx->nonce.c[15]; /* reconstructed length */
  133. ctx->nonce.c[15] = 1;
  134. if (n != len)
  135. return -1; /* length mismatch */
  136. ctx->blocks += ((len + 15) >> 3) | 1;
  137. if (ctx->blocks > (U64(1) << 61))
  138. return -2; /* too much data */
  139. while (len >= 16) {
  140. #if defined(STRICT_ALIGNMENT)
  141. union {
  142. u64 u[2];
  143. u8 c[16];
  144. } temp;
  145. memcpy(temp.c, inp, 16);
  146. ctx->cmac.u[0] ^= temp.u[0];
  147. ctx->cmac.u[1] ^= temp.u[1];
  148. #else
  149. ctx->cmac.u[0] ^= ((u64 *)inp)[0];
  150. ctx->cmac.u[1] ^= ((u64 *)inp)[1];
  151. #endif
  152. (*block) (ctx->cmac.c, ctx->cmac.c, key);
  153. (*block) (ctx->nonce.c, scratch.c, key);
  154. ctr64_inc(ctx->nonce.c);
  155. #if defined(STRICT_ALIGNMENT)
  156. temp.u[0] ^= scratch.u[0];
  157. temp.u[1] ^= scratch.u[1];
  158. memcpy(out, temp.c, 16);
  159. #else
  160. ((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0];
  161. ((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1];
  162. #endif
  163. inp += 16;
  164. out += 16;
  165. len -= 16;
  166. }
  167. if (len) {
  168. for (i = 0; i < len; ++i)
  169. ctx->cmac.c[i] ^= inp[i];
  170. (*block) (ctx->cmac.c, ctx->cmac.c, key);
  171. (*block) (ctx->nonce.c, scratch.c, key);
  172. for (i = 0; i < len; ++i)
  173. out[i] = scratch.c[i] ^ inp[i];
  174. }
  175. for (i = 15 - L; i < 16; ++i)
  176. ctx->nonce.c[i] = 0;
  177. (*block) (ctx->nonce.c, scratch.c, key);
  178. ctx->cmac.u[0] ^= scratch.u[0];
  179. ctx->cmac.u[1] ^= scratch.u[1];
  180. ctx->nonce.c[0] = flags0;
  181. return 0;
  182. }
  183. int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
  184. const unsigned char *inp, unsigned char *out,
  185. size_t len)
  186. {
  187. size_t n;
  188. unsigned int i, L;
  189. unsigned char flags0 = ctx->nonce.c[0];
  190. block128_f block = ctx->block;
  191. void *key = ctx->key;
  192. union {
  193. u64 u[2];
  194. u8 c[16];
  195. } scratch;
  196. if (!(flags0 & 0x40))
  197. (*block) (ctx->nonce.c, ctx->cmac.c, key);
  198. ctx->nonce.c[0] = L = flags0 & 7;
  199. for (n = 0, i = 15 - L; i < 15; ++i) {
  200. n |= ctx->nonce.c[i];
  201. ctx->nonce.c[i] = 0;
  202. n <<= 8;
  203. }
  204. n |= ctx->nonce.c[15]; /* reconstructed length */
  205. ctx->nonce.c[15] = 1;
  206. if (n != len)
  207. return -1;
  208. while (len >= 16) {
  209. #if defined(STRICT_ALIGNMENT)
  210. union {
  211. u64 u[2];
  212. u8 c[16];
  213. } temp;
  214. #endif
  215. (*block) (ctx->nonce.c, scratch.c, key);
  216. ctr64_inc(ctx->nonce.c);
  217. #if defined(STRICT_ALIGNMENT)
  218. memcpy(temp.c, inp, 16);
  219. ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
  220. ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
  221. memcpy(out, scratch.c, 16);
  222. #else
  223. ctx->cmac.u[0] ^= (((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0]);
  224. ctx->cmac.u[1] ^= (((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1]);
  225. #endif
  226. (*block) (ctx->cmac.c, ctx->cmac.c, key);
  227. inp += 16;
  228. out += 16;
  229. len -= 16;
  230. }
  231. if (len) {
  232. (*block) (ctx->nonce.c, scratch.c, key);
  233. for (i = 0; i < len; ++i)
  234. ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
  235. (*block) (ctx->cmac.c, ctx->cmac.c, key);
  236. }
  237. for (i = 15 - L; i < 16; ++i)
  238. ctx->nonce.c[i] = 0;
  239. (*block) (ctx->nonce.c, scratch.c, key);
  240. ctx->cmac.u[0] ^= scratch.u[0];
  241. ctx->cmac.u[1] ^= scratch.u[1];
  242. ctx->nonce.c[0] = flags0;
  243. return 0;
  244. }
  245. static void ctr64_add(unsigned char *counter, size_t inc)
  246. {
  247. size_t n = 8, val = 0;
  248. counter += 8;
  249. do {
  250. --n;
  251. val += counter[n] + (inc & 0xff);
  252. counter[n] = (unsigned char)val;
  253. val >>= 8; /* carry bit */
  254. inc >>= 8;
  255. } while (n && (inc || val));
  256. }
  257. int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
  258. const unsigned char *inp, unsigned char *out,
  259. size_t len, ccm128_f stream)
  260. {
  261. size_t n;
  262. unsigned int i, L;
  263. unsigned char flags0 = ctx->nonce.c[0];
  264. block128_f block = ctx->block;
  265. void *key = ctx->key;
  266. union {
  267. u64 u[2];
  268. u8 c[16];
  269. } scratch;
  270. if (!(flags0 & 0x40))
  271. (*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;
  272. ctx->nonce.c[0] = L = flags0 & 7;
  273. for (n = 0, i = 15 - L; i < 15; ++i) {
  274. n |= ctx->nonce.c[i];
  275. ctx->nonce.c[i] = 0;
  276. n <<= 8;
  277. }
  278. n |= ctx->nonce.c[15]; /* reconstructed length */
  279. ctx->nonce.c[15] = 1;
  280. if (n != len)
  281. return -1; /* length mismatch */
  282. ctx->blocks += ((len + 15) >> 3) | 1;
  283. if (ctx->blocks > (U64(1) << 61))
  284. return -2; /* too much data */
  285. if ((n = len / 16)) {
  286. (*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
  287. n *= 16;
  288. inp += n;
  289. out += n;
  290. len -= n;
  291. if (len)
  292. ctr64_add(ctx->nonce.c, n / 16);
  293. }
  294. if (len) {
  295. for (i = 0; i < len; ++i)
  296. ctx->cmac.c[i] ^= inp[i];
  297. (*block) (ctx->cmac.c, ctx->cmac.c, key);
  298. (*block) (ctx->nonce.c, scratch.c, key);
  299. for (i = 0; i < len; ++i)
  300. out[i] = scratch.c[i] ^ inp[i];
  301. }
  302. for (i = 15 - L; i < 16; ++i)
  303. ctx->nonce.c[i] = 0;
  304. (*block) (ctx->nonce.c, scratch.c, key);
  305. ctx->cmac.u[0] ^= scratch.u[0];
  306. ctx->cmac.u[1] ^= scratch.u[1];
  307. ctx->nonce.c[0] = flags0;
  308. return 0;
  309. }
  310. int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
  311. const unsigned char *inp, unsigned char *out,
  312. size_t len, ccm128_f stream)
  313. {
  314. size_t n;
  315. unsigned int i, L;
  316. unsigned char flags0 = ctx->nonce.c[0];
  317. block128_f block = ctx->block;
  318. void *key = ctx->key;
  319. union {
  320. u64 u[2];
  321. u8 c[16];
  322. } scratch;
  323. if (!(flags0 & 0x40))
  324. (*block) (ctx->nonce.c, ctx->cmac.c, key);
  325. ctx->nonce.c[0] = L = flags0 & 7;
  326. for (n = 0, i = 15 - L; i < 15; ++i) {
  327. n |= ctx->nonce.c[i];
  328. ctx->nonce.c[i] = 0;
  329. n <<= 8;
  330. }
  331. n |= ctx->nonce.c[15]; /* reconstructed length */
  332. ctx->nonce.c[15] = 1;
  333. if (n != len)
  334. return -1;
  335. if ((n = len / 16)) {
  336. (*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
  337. n *= 16;
  338. inp += n;
  339. out += n;
  340. len -= n;
  341. if (len)
  342. ctr64_add(ctx->nonce.c, n / 16);
  343. }
  344. if (len) {
  345. (*block) (ctx->nonce.c, scratch.c, key);
  346. for (i = 0; i < len; ++i)
  347. ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
  348. (*block) (ctx->cmac.c, ctx->cmac.c, key);
  349. }
  350. for (i = 15 - L; i < 16; ++i)
  351. ctx->nonce.c[i] = 0;
  352. (*block) (ctx->nonce.c, scratch.c, key);
  353. ctx->cmac.u[0] ^= scratch.u[0];
  354. ctx->cmac.u[1] ^= scratch.u[1];
  355. ctx->nonce.c[0] = flags0;
  356. return 0;
  357. }
  358. size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
  359. {
  360. unsigned int M = (ctx->nonce.c[0] >> 3) & 7; /* the M parameter */
  361. M *= 2;
  362. M += 2;
  363. if (len != M)
  364. return 0;
  365. memcpy(tag, ctx->cmac.c, M);
  366. return M;
  367. }