1 /* ====================================================================
2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
30 * 6. Redistributions of any form whatsoever must retain the following
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
50 #include <openssl/crypto.h>
51 #include "modes_lcl.h"
62 * First you setup M and L parameters and pass the key schedule. This is
63 * called once per session setup...
65 void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
66 unsigned int M, unsigned int L, void *key,
69 memset(ctx->nonce.c, 0, sizeof(ctx->nonce.c));
70 ctx->nonce.c[0] = ((u8)(L - 1) & 7) | (u8)(((M - 2) / 2) & 7) << 3;
76 /* !!! Following interfaces are to be called *once* per packet !!! */
78 /* Then you setup per-message nonce and pass the length of the message */
79 int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
80 const unsigned char *nonce, size_t nlen, size_t mlen)
82 unsigned int L = ctx->nonce.c[0] & 7; /* the L parameter */
85 return -1; /* nonce is too short */
87 if (sizeof(mlen) == 8 && L >= 3) {
88 ctx->nonce.c[8] = (u8)(mlen >> (56 % (sizeof(mlen) * 8)));
89 ctx->nonce.c[9] = (u8)(mlen >> (48 % (sizeof(mlen) * 8)));
90 ctx->nonce.c[10] = (u8)(mlen >> (40 % (sizeof(mlen) * 8)));
91 ctx->nonce.c[11] = (u8)(mlen >> (32 % (sizeof(mlen) * 8)));
95 ctx->nonce.c[12] = (u8)(mlen >> 24);
96 ctx->nonce.c[13] = (u8)(mlen >> 16);
97 ctx->nonce.c[14] = (u8)(mlen >> 8);
98 ctx->nonce.c[15] = (u8)mlen;
100 ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */
101 memcpy(&ctx->nonce.c[1], nonce, 14 - L);
106 /* Then you pass additional authentication data, this is optional */
107 void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
108 const unsigned char *aad, size_t alen)
111 block128_f block = ctx->block;
116 ctx->nonce.c[0] |= 0x40; /* set Adata flag */
117 (*block) (ctx->nonce.c, ctx->cmac.c, ctx->key), ctx->blocks++;
119 if (alen < (0x10000 - 0x100)) {
120 ctx->cmac.c[0] ^= (u8)(alen >> 8);
121 ctx->cmac.c[1] ^= (u8)alen;
123 } else if (sizeof(alen) == 8
124 && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
125 ctx->cmac.c[0] ^= 0xFF;
126 ctx->cmac.c[1] ^= 0xFF;
127 ctx->cmac.c[2] ^= (u8)(alen >> (56 % (sizeof(alen) * 8)));
128 ctx->cmac.c[3] ^= (u8)(alen >> (48 % (sizeof(alen) * 8)));
129 ctx->cmac.c[4] ^= (u8)(alen >> (40 % (sizeof(alen) * 8)));
130 ctx->cmac.c[5] ^= (u8)(alen >> (32 % (sizeof(alen) * 8)));
131 ctx->cmac.c[6] ^= (u8)(alen >> 24);
132 ctx->cmac.c[7] ^= (u8)(alen >> 16);
133 ctx->cmac.c[8] ^= (u8)(alen >> 8);
134 ctx->cmac.c[9] ^= (u8)alen;
137 ctx->cmac.c[0] ^= 0xFF;
138 ctx->cmac.c[1] ^= 0xFE;
139 ctx->cmac.c[2] ^= (u8)(alen >> 24);
140 ctx->cmac.c[3] ^= (u8)(alen >> 16);
141 ctx->cmac.c[4] ^= (u8)(alen >> 8);
142 ctx->cmac.c[5] ^= (u8)alen;
147 for (; i < 16 && alen; ++i, ++aad, --alen)
148 ctx->cmac.c[i] ^= *aad;
149 (*block) (ctx->cmac.c, ctx->cmac.c, ctx->key), ctx->blocks++;
154 /* Finally you encrypt or decrypt the message */
157 * counter part of nonce may not be larger than L*8 bits, L is not larger
158 * than 8, therefore 64-bit counter...
160 static void ctr64_inc(unsigned char *counter)
176 int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
177 const unsigned char *inp, unsigned char *out,
182 unsigned char flags0 = ctx->nonce.c[0];
183 block128_f block = ctx->block;
184 void *key = ctx->key;
190 if (!(flags0 & 0x40))
191 (*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;
193 ctx->nonce.c[0] = L = flags0 & 7;
194 for (n = 0, i = 15 - L; i < 15; ++i) {
195 n |= ctx->nonce.c[i];
199 n |= ctx->nonce.c[15]; /* reconstructed length */
200 ctx->nonce.c[15] = 1;
203 return -1; /* length mismatch */
205 ctx->blocks += ((len + 15) >> 3) | 1;
206 if (ctx->blocks > (U64(1) << 61))
207 return -2; /* too much data */
210 #if defined(STRICT_ALIGNMENT)
216 memcpy(temp.c, inp, 16);
217 ctx->cmac.u[0] ^= temp.u[0];
218 ctx->cmac.u[1] ^= temp.u[1];
220 ctx->cmac.u[0] ^= ((u64 *)inp)[0];
221 ctx->cmac.u[1] ^= ((u64 *)inp)[1];
223 (*block) (ctx->cmac.c, ctx->cmac.c, key);
224 (*block) (ctx->nonce.c, scratch.c, key);
225 ctr64_inc(ctx->nonce.c);
226 #if defined(STRICT_ALIGNMENT)
227 temp.u[0] ^= scratch.u[0];
228 temp.u[1] ^= scratch.u[1];
229 memcpy(out, temp.c, 16);
231 ((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0];
232 ((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1];
240 for (i = 0; i < len; ++i)
241 ctx->cmac.c[i] ^= inp[i];
242 (*block) (ctx->cmac.c, ctx->cmac.c, key);
243 (*block) (ctx->nonce.c, scratch.c, key);
244 for (i = 0; i < len; ++i)
245 out[i] = scratch.c[i] ^ inp[i];
248 for (i = 15 - L; i < 16; ++i)
251 (*block) (ctx->nonce.c, scratch.c, key);
252 ctx->cmac.u[0] ^= scratch.u[0];
253 ctx->cmac.u[1] ^= scratch.u[1];
255 ctx->nonce.c[0] = flags0;
260 int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
261 const unsigned char *inp, unsigned char *out,
266 unsigned char flags0 = ctx->nonce.c[0];
267 block128_f block = ctx->block;
268 void *key = ctx->key;
274 if (!(flags0 & 0x40))
275 (*block) (ctx->nonce.c, ctx->cmac.c, key);
277 ctx->nonce.c[0] = L = flags0 & 7;
278 for (n = 0, i = 15 - L; i < 15; ++i) {
279 n |= ctx->nonce.c[i];
283 n |= ctx->nonce.c[15]; /* reconstructed length */
284 ctx->nonce.c[15] = 1;
290 #if defined(STRICT_ALIGNMENT)
296 (*block) (ctx->nonce.c, scratch.c, key);
297 ctr64_inc(ctx->nonce.c);
298 #if defined(STRICT_ALIGNMENT)
299 memcpy(temp.c, inp, 16);
300 ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
301 ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
302 memcpy(out, scratch.c, 16);
304 ctx->cmac.u[0] ^= (((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0]);
305 ctx->cmac.u[1] ^= (((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1]);
307 (*block) (ctx->cmac.c, ctx->cmac.c, key);
315 (*block) (ctx->nonce.c, scratch.c, key);
316 for (i = 0; i < len; ++i)
317 ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
318 (*block) (ctx->cmac.c, ctx->cmac.c, key);
321 for (i = 15 - L; i < 16; ++i)
324 (*block) (ctx->nonce.c, scratch.c, key);
325 ctx->cmac.u[0] ^= scratch.u[0];
326 ctx->cmac.u[1] ^= scratch.u[1];
328 ctx->nonce.c[0] = flags0;
333 static void ctr64_add(unsigned char *counter, size_t inc)
335 size_t n = 8, val = 0;
340 val += counter[n] + (inc & 0xff);
341 counter[n] = (unsigned char)val;
342 val >>= 8; /* carry bit */
344 } while (n && (inc || val));
347 int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
348 const unsigned char *inp, unsigned char *out,
349 size_t len, ccm128_f stream)
353 unsigned char flags0 = ctx->nonce.c[0];
354 block128_f block = ctx->block;
355 void *key = ctx->key;
361 if (!(flags0 & 0x40))
362 (*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;
364 ctx->nonce.c[0] = L = flags0 & 7;
365 for (n = 0, i = 15 - L; i < 15; ++i) {
366 n |= ctx->nonce.c[i];
370 n |= ctx->nonce.c[15]; /* reconstructed length */
371 ctx->nonce.c[15] = 1;
374 return -1; /* length mismatch */
376 ctx->blocks += ((len + 15) >> 3) | 1;
377 if (ctx->blocks > (U64(1) << 61))
378 return -2; /* too much data */
380 if ((n = len / 16)) {
381 (*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
387 ctr64_add(ctx->nonce.c, n / 16);
391 for (i = 0; i < len; ++i)
392 ctx->cmac.c[i] ^= inp[i];
393 (*block) (ctx->cmac.c, ctx->cmac.c, key);
394 (*block) (ctx->nonce.c, scratch.c, key);
395 for (i = 0; i < len; ++i)
396 out[i] = scratch.c[i] ^ inp[i];
399 for (i = 15 - L; i < 16; ++i)
402 (*block) (ctx->nonce.c, scratch.c, key);
403 ctx->cmac.u[0] ^= scratch.u[0];
404 ctx->cmac.u[1] ^= scratch.u[1];
406 ctx->nonce.c[0] = flags0;
411 int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
412 const unsigned char *inp, unsigned char *out,
413 size_t len, ccm128_f stream)
417 unsigned char flags0 = ctx->nonce.c[0];
418 block128_f block = ctx->block;
419 void *key = ctx->key;
425 if (!(flags0 & 0x40))
426 (*block) (ctx->nonce.c, ctx->cmac.c, key);
428 ctx->nonce.c[0] = L = flags0 & 7;
429 for (n = 0, i = 15 - L; i < 15; ++i) {
430 n |= ctx->nonce.c[i];
434 n |= ctx->nonce.c[15]; /* reconstructed length */
435 ctx->nonce.c[15] = 1;
440 if ((n = len / 16)) {
441 (*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
447 ctr64_add(ctx->nonce.c, n / 16);
451 (*block) (ctx->nonce.c, scratch.c, key);
452 for (i = 0; i < len; ++i)
453 ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
454 (*block) (ctx->cmac.c, ctx->cmac.c, key);
457 for (i = 15 - L; i < 16; ++i)
460 (*block) (ctx->nonce.c, scratch.c, key);
461 ctx->cmac.u[0] ^= scratch.u[0];
462 ctx->cmac.u[1] ^= scratch.u[1];
464 ctx->nonce.c[0] = flags0;
469 size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
471 unsigned int M = (ctx->nonce.c[0] >> 3) & 7; /* the M parameter */
477 memcpy(tag, ctx->cmac.c, M);