OLD | NEW |
| (Empty) |
1 /* ==================================================================== | |
2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved. | |
3 * | |
4 * Redistribution and use in source and binary forms, with or without | |
5 * modification, are permitted provided that the following conditions | |
6 * are met: | |
7 * | |
8 * 1. Redistributions of source code must retain the above copyright | |
9 * notice, this list of conditions and the following disclaimer. | |
10 * | |
11 * 2. Redistributions in binary form must reproduce the above copyright | |
12 * notice, this list of conditions and the following disclaimer in | |
13 * the documentation and/or other materials provided with the | |
14 * distribution. | |
15 * | |
16 * 3. All advertising materials mentioning features or use of this | |
17 * software must display the following acknowledgment: | |
18 * "This product includes software developed by the OpenSSL Project | |
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
20 * | |
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
22 * endorse or promote products derived from this software without | |
23 * prior written permission. For written permission, please contact | |
24 * openssl-core@openssl.org. | |
25 * | |
26 * 5. Products derived from this software may not be called "OpenSSL" | |
27 * nor may "OpenSSL" appear in their names without prior written | |
28 * permission of the OpenSSL Project. | |
29 * | |
30 * 6. Redistributions of any form whatsoever must retain the following | |
31 * acknowledgment: | |
32 * "This product includes software developed by the OpenSSL Project | |
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
34 * | |
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
46 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
47 * ==================================================================== | |
48 */ | |
49 | |
50 #include <openssl/crypto.h> | |
51 #include "modes_lcl.h" | |
52 #include <string.h> | |
53 | |
54 #ifndef MODES_DEBUG | |
55 # ifndef NDEBUG | |
56 # define NDEBUG | |
57 # endif | |
58 #endif | |
59 #include <assert.h> | |
60 | |
61 /* First you setup M and L parameters and pass the key schedule. | |
62 * This is called once per session setup... */ | |
63 void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, | |
64 unsigned int M,unsigned int L,void *key,block128_f block) | |
65 { | |
66 memset(ctx->nonce.c,0,sizeof(ctx->nonce.c)); | |
67 ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3; | |
68 ctx->blocks = 0; | |
69 ctx->block = block; | |
70 ctx->key = key; | |
71 } | |
72 | |
73 /* !!! Following interfaces are to be called *once* per packet !!! */ | |
74 | |
75 /* Then you setup per-message nonce and pass the length of the message */ | |
76 int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx, | |
77 const unsigned char *nonce,size_t nlen,size_t mlen) | |
78 { | |
79 unsigned int L = ctx->nonce.c[0]&7; /* the L parameter */ | |
80 | |
81 if (nlen<(14-L)) return -1; /* nonce is too short */ | |
82 | |
83 if (sizeof(mlen)==8 && L>=3) { | |
84 ctx->nonce.c[8] = (u8)(mlen>>(56%(sizeof(mlen)*8))); | |
85 ctx->nonce.c[9] = (u8)(mlen>>(48%(sizeof(mlen)*8))); | |
86 ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8))); | |
87 ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8))); | |
88 } | |
89 else | |
90 *(u32*)(&ctx->nonce.c[8]) = 0; | |
91 | |
92 ctx->nonce.c[12] = (u8)(mlen>>24); | |
93 ctx->nonce.c[13] = (u8)(mlen>>16); | |
94 ctx->nonce.c[14] = (u8)(mlen>>8); | |
95 ctx->nonce.c[15] = (u8)mlen; | |
96 | |
97 ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */ | |
98 memcpy(&ctx->nonce.c[1],nonce,14-L); | |
99 | |
100 return 0; | |
101 } | |
102 | |
103 /* Then you pass additional authentication data, this is optional */ | |
104 void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx, | |
105 const unsigned char *aad,size_t alen) | |
106 { unsigned int i; | |
107 block128_f block = ctx->block; | |
108 | |
109 if (alen==0) return; | |
110 | |
111 ctx->nonce.c[0] |= 0x40; /* set Adata flag */ | |
112 (*block)(ctx->nonce.c,ctx->cmac.c,ctx->key), | |
113 ctx->blocks++; | |
114 | |
115 if (alen<(0x10000-0x100)) { | |
116 ctx->cmac.c[0] ^= (u8)(alen>>8); | |
117 ctx->cmac.c[1] ^= (u8)alen; | |
118 i=2; | |
119 } | |
120 else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) { | |
121 ctx->cmac.c[0] ^= 0xFF; | |
122 ctx->cmac.c[1] ^= 0xFF; | |
123 ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8))); | |
124 ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8))); | |
125 ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8))); | |
126 ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8))); | |
127 ctx->cmac.c[6] ^= (u8)(alen>>24); | |
128 ctx->cmac.c[7] ^= (u8)(alen>>16); | |
129 ctx->cmac.c[8] ^= (u8)(alen>>8); | |
130 ctx->cmac.c[9] ^= (u8)alen; | |
131 i=10; | |
132 } | |
133 else { | |
134 ctx->cmac.c[0] ^= 0xFF; | |
135 ctx->cmac.c[1] ^= 0xFE; | |
136 ctx->cmac.c[2] ^= (u8)(alen>>24); | |
137 ctx->cmac.c[3] ^= (u8)(alen>>16); | |
138 ctx->cmac.c[4] ^= (u8)(alen>>8); | |
139 ctx->cmac.c[5] ^= (u8)alen; | |
140 i=6; | |
141 } | |
142 | |
143 do { | |
144 for(;i<16 && alen;++i,++aad,--alen) | |
145 ctx->cmac.c[i] ^= *aad; | |
146 (*block)(ctx->cmac.c,ctx->cmac.c,ctx->key), | |
147 ctx->blocks++; | |
148 i=0; | |
149 } while (alen); | |
150 } | |
151 | |
152 /* Finally you encrypt or decrypt the message */ | |
153 | |
154 /* counter part of nonce may not be larger than L*8 bits, | |
155 * L is not larger than 8, therefore 64-bit counter... */ | |
156 static void ctr64_inc(unsigned char *counter) { | |
157 unsigned int n=8; | |
158 u8 c; | |
159 | |
160 counter += 8; | |
161 do { | |
162 --n; | |
163 c = counter[n]; | |
164 ++c; | |
165 counter[n] = c; | |
166 if (c) return; | |
167 } while (n); | |
168 } | |
169 | |
170 int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx, | |
171 const unsigned char *inp, unsigned char *out, | |
172 size_t len) | |
173 { | |
174 size_t n; | |
175 unsigned int i,L; | |
176 unsigned char flags0 = ctx->nonce.c[0]; | |
177 block128_f block = ctx->block; | |
178 void * key = ctx->key; | |
179 union { u64 u[2]; u8 c[16]; } scratch; | |
180 | |
181 if (!(flags0&0x40)) | |
182 (*block)(ctx->nonce.c,ctx->cmac.c,key), | |
183 ctx->blocks++; | |
184 | |
185 ctx->nonce.c[0] = L = flags0&7; | |
186 for (n=0,i=15-L;i<15;++i) { | |
187 n |= ctx->nonce.c[i]; | |
188 ctx->nonce.c[i]=0; | |
189 n <<= 8; | |
190 } | |
191 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
192 ctx->nonce.c[15]=1; | |
193 | |
194 if (n!=len) return -1; /* length mismatch */ | |
195 | |
196 ctx->blocks += ((len+15)>>3)|1; | |
197 if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ | |
198 | |
199 while (len>=16) { | |
200 #if defined(STRICT_ALIGNMENT) | |
201 union { u64 u[2]; u8 c[16]; } temp; | |
202 | |
203 memcpy (temp.c,inp,16); | |
204 ctx->cmac.u[0] ^= temp.u[0]; | |
205 ctx->cmac.u[1] ^= temp.u[1]; | |
206 #else | |
207 ctx->cmac.u[0] ^= ((u64*)inp)[0]; | |
208 ctx->cmac.u[1] ^= ((u64*)inp)[1]; | |
209 #endif | |
210 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
211 (*block)(ctx->nonce.c,scratch.c,key); | |
212 ctr64_inc(ctx->nonce.c); | |
213 #if defined(STRICT_ALIGNMENT) | |
214 temp.u[0] ^= scratch.u[0]; | |
215 temp.u[1] ^= scratch.u[1]; | |
216 memcpy(out,temp.c,16); | |
217 #else | |
218 ((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]; | |
219 ((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]; | |
220 #endif | |
221 inp += 16; | |
222 out += 16; | |
223 len -= 16; | |
224 } | |
225 | |
226 if (len) { | |
227 for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; | |
228 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
229 (*block)(ctx->nonce.c,scratch.c,key); | |
230 for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; | |
231 } | |
232 | |
233 for (i=15-L;i<16;++i) | |
234 ctx->nonce.c[i]=0; | |
235 | |
236 (*block)(ctx->nonce.c,scratch.c,key); | |
237 ctx->cmac.u[0] ^= scratch.u[0]; | |
238 ctx->cmac.u[1] ^= scratch.u[1]; | |
239 | |
240 ctx->nonce.c[0] = flags0; | |
241 | |
242 return 0; | |
243 } | |
244 | |
245 int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx, | |
246 const unsigned char *inp, unsigned char *out, | |
247 size_t len) | |
248 { | |
249 size_t n; | |
250 unsigned int i,L; | |
251 unsigned char flags0 = ctx->nonce.c[0]; | |
252 block128_f block = ctx->block; | |
253 void * key = ctx->key; | |
254 union { u64 u[2]; u8 c[16]; } scratch; | |
255 | |
256 if (!(flags0&0x40)) | |
257 (*block)(ctx->nonce.c,ctx->cmac.c,key); | |
258 | |
259 ctx->nonce.c[0] = L = flags0&7; | |
260 for (n=0,i=15-L;i<15;++i) { | |
261 n |= ctx->nonce.c[i]; | |
262 ctx->nonce.c[i]=0; | |
263 n <<= 8; | |
264 } | |
265 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
266 ctx->nonce.c[15]=1; | |
267 | |
268 if (n!=len) return -1; | |
269 | |
270 while (len>=16) { | |
271 #if defined(STRICT_ALIGNMENT) | |
272 union { u64 u[2]; u8 c[16]; } temp; | |
273 #endif | |
274 (*block)(ctx->nonce.c,scratch.c,key); | |
275 ctr64_inc(ctx->nonce.c); | |
276 #if defined(STRICT_ALIGNMENT) | |
277 memcpy (temp.c,inp,16); | |
278 ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]); | |
279 ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]); | |
280 memcpy (out,scratch.c,16); | |
281 #else | |
282 ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0])
; | |
283 ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1])
; | |
284 #endif | |
285 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
286 | |
287 inp += 16; | |
288 out += 16; | |
289 len -= 16; | |
290 } | |
291 | |
292 if (len) { | |
293 (*block)(ctx->nonce.c,scratch.c,key); | |
294 for (i=0; i<len; ++i) | |
295 ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); | |
296 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
297 } | |
298 | |
299 for (i=15-L;i<16;++i) | |
300 ctx->nonce.c[i]=0; | |
301 | |
302 (*block)(ctx->nonce.c,scratch.c,key); | |
303 ctx->cmac.u[0] ^= scratch.u[0]; | |
304 ctx->cmac.u[1] ^= scratch.u[1]; | |
305 | |
306 ctx->nonce.c[0] = flags0; | |
307 | |
308 return 0; | |
309 } | |
310 | |
311 static void ctr64_add (unsigned char *counter,size_t inc) | |
312 { size_t n=8, val=0; | |
313 | |
314 counter += 8; | |
315 do { | |
316 --n; | |
317 val += counter[n] + (inc&0xff); | |
318 counter[n] = (unsigned char)val; | |
319 val >>= 8; /* carry bit */ | |
320 inc >>= 8; | |
321 } while(n && (inc || val)); | |
322 } | |
323 | |
324 int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx, | |
325 const unsigned char *inp, unsigned char *out, | |
326 size_t len,ccm128_f stream) | |
327 { | |
328 size_t n; | |
329 unsigned int i,L; | |
330 unsigned char flags0 = ctx->nonce.c[0]; | |
331 block128_f block = ctx->block; | |
332 void * key = ctx->key; | |
333 union { u64 u[2]; u8 c[16]; } scratch; | |
334 | |
335 if (!(flags0&0x40)) | |
336 (*block)(ctx->nonce.c,ctx->cmac.c,key), | |
337 ctx->blocks++; | |
338 | |
339 ctx->nonce.c[0] = L = flags0&7; | |
340 for (n=0,i=15-L;i<15;++i) { | |
341 n |= ctx->nonce.c[i]; | |
342 ctx->nonce.c[i]=0; | |
343 n <<= 8; | |
344 } | |
345 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
346 ctx->nonce.c[15]=1; | |
347 | |
348 if (n!=len) return -1; /* length mismatch */ | |
349 | |
350 ctx->blocks += ((len+15)>>3)|1; | |
351 if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ | |
352 | |
353 if ((n=len/16)) { | |
354 (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); | |
355 n *= 16; | |
356 inp += n; | |
357 out += n; | |
358 len -= n; | |
359 if (len) ctr64_add(ctx->nonce.c,n/16); | |
360 } | |
361 | |
362 if (len) { | |
363 for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; | |
364 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
365 (*block)(ctx->nonce.c,scratch.c,key); | |
366 for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; | |
367 } | |
368 | |
369 for (i=15-L;i<16;++i) | |
370 ctx->nonce.c[i]=0; | |
371 | |
372 (*block)(ctx->nonce.c,scratch.c,key); | |
373 ctx->cmac.u[0] ^= scratch.u[0]; | |
374 ctx->cmac.u[1] ^= scratch.u[1]; | |
375 | |
376 ctx->nonce.c[0] = flags0; | |
377 | |
378 return 0; | |
379 } | |
380 | |
381 int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx, | |
382 const unsigned char *inp, unsigned char *out, | |
383 size_t len,ccm128_f stream) | |
384 { | |
385 size_t n; | |
386 unsigned int i,L; | |
387 unsigned char flags0 = ctx->nonce.c[0]; | |
388 block128_f block = ctx->block; | |
389 void * key = ctx->key; | |
390 union { u64 u[2]; u8 c[16]; } scratch; | |
391 | |
392 if (!(flags0&0x40)) | |
393 (*block)(ctx->nonce.c,ctx->cmac.c,key); | |
394 | |
395 ctx->nonce.c[0] = L = flags0&7; | |
396 for (n=0,i=15-L;i<15;++i) { | |
397 n |= ctx->nonce.c[i]; | |
398 ctx->nonce.c[i]=0; | |
399 n <<= 8; | |
400 } | |
401 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
402 ctx->nonce.c[15]=1; | |
403 | |
404 if (n!=len) return -1; | |
405 | |
406 if ((n=len/16)) { | |
407 (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); | |
408 n *= 16; | |
409 inp += n; | |
410 out += n; | |
411 len -= n; | |
412 if (len) ctr64_add(ctx->nonce.c,n/16); | |
413 } | |
414 | |
415 if (len) { | |
416 (*block)(ctx->nonce.c,scratch.c,key); | |
417 for (i=0; i<len; ++i) | |
418 ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); | |
419 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
420 } | |
421 | |
422 for (i=15-L;i<16;++i) | |
423 ctx->nonce.c[i]=0; | |
424 | |
425 (*block)(ctx->nonce.c,scratch.c,key); | |
426 ctx->cmac.u[0] ^= scratch.u[0]; | |
427 ctx->cmac.u[1] ^= scratch.u[1]; | |
428 | |
429 ctx->nonce.c[0] = flags0; | |
430 | |
431 return 0; | |
432 } | |
433 | |
434 size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len) | |
435 { unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */ | |
436 | |
437 M *= 2; M += 2; | |
438 if (len<M) return 0; | |
439 memcpy(tag,ctx->cmac.c,M); | |
440 return M; | |
441 } | |
OLD | NEW |