| OLD | NEW |
|---|
| (Empty) |
| 1 /* ==================================================================== | |
| 2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved. | |
| 3 * | |
| 4 * Redistribution and use in source and binary forms, with or without | |
| 5 * modification, are permitted provided that the following conditions | |
| 6 * are met: | |
| 7 * | |
| 8 * 1. Redistributions of source code must retain the above copyright | |
| 9 * notice, this list of conditions and the following disclaimer. | |
| 10 * | |
| 11 * 2. Redistributions in binary form must reproduce the above copyright | |
| 12 * notice, this list of conditions and the following disclaimer in | |
| 13 * the documentation and/or other materials provided with the | |
| 14 * distribution. | |
| 15 * | |
| 16 * 3. All advertising materials mentioning features or use of this | |
| 17 * software must display the following acknowledgment: | |
| 18 * "This product includes software developed by the OpenSSL Project | |
| 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
| 20 * | |
| 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
| 22 * endorse or promote products derived from this software without | |
| 23 * prior written permission. For written permission, please contact | |
| 24 * openssl-core@openssl.org. | |
| 25 * | |
| 26 * 5. Products derived from this software may not be called "OpenSSL" | |
| 27 * nor may "OpenSSL" appear in their names without prior written | |
| 28 * permission of the OpenSSL Project. | |
| 29 * | |
| 30 * 6. Redistributions of any form whatsoever must retain the following | |
| 31 * acknowledgment: | |
| 32 * "This product includes software developed by the OpenSSL Project | |
| 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
| 34 * | |
| 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
| 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
| 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
| 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
| 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
| 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
| 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
| 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
| 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
| 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
| 46 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 47 * ==================================================================== | |
| 48 */ | |
| 49 | |
| 50 #include <openssl/crypto.h> | |
| 51 #include "modes_lcl.h" | |
| 52 #include <string.h> | |
| 53 | |
| 54 #ifndef MODES_DEBUG | |
| 55 # ifndef NDEBUG | |
| 56 # define NDEBUG | |
| 57 # endif | |
| 58 #endif | |
| 59 #include <assert.h> | |
| 60 | |
| 61 /* First you setup M and L parameters and pass the key schedule. | |
| 62 * This is called once per session setup... */ | |
| 63 void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, | |
| 64 unsigned int M,unsigned int L,void *key,block128_f block) | |
| 65 { | |
| 66 memset(ctx->nonce.c,0,sizeof(ctx->nonce.c)); | |
| 67 ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3; | |
| 68 ctx->blocks = 0; | |
| 69 ctx->block = block; | |
| 70 ctx->key = key; | |
| 71 } | |
| 72 | |
| 73 /* !!! Following interfaces are to be called *once* per packet !!! */ | |
| 74 | |
| 75 /* Then you setup per-message nonce and pass the length of the message */ | |
| 76 int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx, | |
| 77 const unsigned char *nonce,size_t nlen,size_t mlen) | |
| 78 { | |
| 79 unsigned int L = ctx->nonce.c[0]&7; /* the L parameter */ | |
| 80 | |
| 81 if (nlen<(14-L)) return -1; /* nonce is too short */ | |
| 82 | |
| 83 if (sizeof(mlen)==8 && L>=3) { | |
| 84 ctx->nonce.c[8] = (u8)(mlen>>(56%(sizeof(mlen)*8))); | |
| 85 ctx->nonce.c[9] = (u8)(mlen>>(48%(sizeof(mlen)*8))); | |
| 86 ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8))); | |
| 87 ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8))); | |
| 88 } | |
| 89 else | |
| 90 *(u32*)(&ctx->nonce.c[8]) = 0; | |
| 91 | |
| 92 ctx->nonce.c[12] = (u8)(mlen>>24); | |
| 93 ctx->nonce.c[13] = (u8)(mlen>>16); | |
| 94 ctx->nonce.c[14] = (u8)(mlen>>8); | |
| 95 ctx->nonce.c[15] = (u8)mlen; | |
| 96 | |
| 97 ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */ | |
| 98 memcpy(&ctx->nonce.c[1],nonce,14-L); | |
| 99 | |
| 100 return 0; | |
| 101 } | |
| 102 | |
| 103 /* Then you pass additional authentication data, this is optional */ | |
| 104 void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx, | |
| 105 const unsigned char *aad,size_t alen) | |
| 106 { unsigned int i; | |
| 107 block128_f block = ctx->block; | |
| 108 | |
| 109 if (alen==0) return; | |
| 110 | |
| 111 ctx->nonce.c[0] |= 0x40; /* set Adata flag */ | |
| 112 (*block)(ctx->nonce.c,ctx->cmac.c,ctx->key), | |
| 113 ctx->blocks++; | |
| 114 | |
| 115 if (alen<(0x10000-0x100)) { | |
| 116 ctx->cmac.c[0] ^= (u8)(alen>>8); | |
| 117 ctx->cmac.c[1] ^= (u8)alen; | |
| 118 i=2; | |
| 119 } | |
| 120 else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) { | |
| 121 ctx->cmac.c[0] ^= 0xFF; | |
| 122 ctx->cmac.c[1] ^= 0xFF; | |
| 123 ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8))); | |
| 124 ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8))); | |
| 125 ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8))); | |
| 126 ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8))); | |
| 127 ctx->cmac.c[6] ^= (u8)(alen>>24); | |
| 128 ctx->cmac.c[7] ^= (u8)(alen>>16); | |
| 129 ctx->cmac.c[8] ^= (u8)(alen>>8); | |
| 130 ctx->cmac.c[9] ^= (u8)alen; | |
| 131 i=10; | |
| 132 } | |
| 133 else { | |
| 134 ctx->cmac.c[0] ^= 0xFF; | |
| 135 ctx->cmac.c[1] ^= 0xFE; | |
| 136 ctx->cmac.c[2] ^= (u8)(alen>>24); | |
| 137 ctx->cmac.c[3] ^= (u8)(alen>>16); | |
| 138 ctx->cmac.c[4] ^= (u8)(alen>>8); | |
| 139 ctx->cmac.c[5] ^= (u8)alen; | |
| 140 i=6; | |
| 141 } | |
| 142 | |
| 143 do { | |
| 144 for(;i<16 && alen;++i,++aad,--alen) | |
| 145 ctx->cmac.c[i] ^= *aad; | |
| 146 (*block)(ctx->cmac.c,ctx->cmac.c,ctx->key), | |
| 147 ctx->blocks++; | |
| 148 i=0; | |
| 149 } while (alen); | |
| 150 } | |
| 151 | |
| 152 /* Finally you encrypt or decrypt the message */ | |
| 153 | |
| 154 /* counter part of nonce may not be larger than L*8 bits, | |
| 155 * L is not larger than 8, therefore 64-bit counter... */ | |
| 156 static void ctr64_inc(unsigned char *counter) { | |
| 157 unsigned int n=8; | |
| 158 u8 c; | |
| 159 | |
| 160 counter += 8; | |
| 161 do { | |
| 162 --n; | |
| 163 c = counter[n]; | |
| 164 ++c; | |
| 165 counter[n] = c; | |
| 166 if (c) return; | |
| 167 } while (n); | |
| 168 } | |
| 169 | |
| 170 int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx, | |
| 171 const unsigned char *inp, unsigned char *out, | |
| 172 size_t len) | |
| 173 { | |
| 174 size_t n; | |
| 175 unsigned int i,L; | |
| 176 unsigned char flags0 = ctx->nonce.c[0]; | |
| 177 block128_f block = ctx->block; | |
| 178 void * key = ctx->key; | |
| 179 union { u64 u[2]; u8 c[16]; } scratch; | |
| 180 | |
| 181 if (!(flags0&0x40)) | |
| 182 (*block)(ctx->nonce.c,ctx->cmac.c,key), | |
| 183 ctx->blocks++; | |
| 184 | |
| 185 ctx->nonce.c[0] = L = flags0&7; | |
| 186 for (n=0,i=15-L;i<15;++i) { | |
| 187 n |= ctx->nonce.c[i]; | |
| 188 ctx->nonce.c[i]=0; | |
| 189 n <<= 8; | |
| 190 } | |
| 191 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
| 192 ctx->nonce.c[15]=1; | |
| 193 | |
| 194 if (n!=len) return -1; /* length mismatch */ | |
| 195 | |
| 196 ctx->blocks += ((len+15)>>3)|1; | |
| 197 if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ | |
| 198 | |
| 199 while (len>=16) { | |
| 200 #if defined(STRICT_ALIGNMENT) | |
| 201 union { u64 u[2]; u8 c[16]; } temp; | |
| 202 | |
| 203 memcpy (temp.c,inp,16); | |
| 204 ctx->cmac.u[0] ^= temp.u[0]; | |
| 205 ctx->cmac.u[1] ^= temp.u[1]; | |
| 206 #else | |
| 207 ctx->cmac.u[0] ^= ((u64*)inp)[0]; | |
| 208 ctx->cmac.u[1] ^= ((u64*)inp)[1]; | |
| 209 #endif | |
| 210 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
| 211 (*block)(ctx->nonce.c,scratch.c,key); | |
| 212 ctr64_inc(ctx->nonce.c); | |
| 213 #if defined(STRICT_ALIGNMENT) | |
| 214 temp.u[0] ^= scratch.u[0]; | |
| 215 temp.u[1] ^= scratch.u[1]; | |
| 216 memcpy(out,temp.c,16); | |
| 217 #else | |
| 218 ((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]; | |
| 219 ((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]; | |
| 220 #endif | |
| 221 inp += 16; | |
| 222 out += 16; | |
| 223 len -= 16; | |
| 224 } | |
| 225 | |
| 226 if (len) { | |
| 227 for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; | |
| 228 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
| 229 (*block)(ctx->nonce.c,scratch.c,key); | |
| 230 for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; | |
| 231 } | |
| 232 | |
| 233 for (i=15-L;i<16;++i) | |
| 234 ctx->nonce.c[i]=0; | |
| 235 | |
| 236 (*block)(ctx->nonce.c,scratch.c,key); | |
| 237 ctx->cmac.u[0] ^= scratch.u[0]; | |
| 238 ctx->cmac.u[1] ^= scratch.u[1]; | |
| 239 | |
| 240 ctx->nonce.c[0] = flags0; | |
| 241 | |
| 242 return 0; | |
| 243 } | |
| 244 | |
| 245 int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx, | |
| 246 const unsigned char *inp, unsigned char *out, | |
| 247 size_t len) | |
| 248 { | |
| 249 size_t n; | |
| 250 unsigned int i,L; | |
| 251 unsigned char flags0 = ctx->nonce.c[0]; | |
| 252 block128_f block = ctx->block; | |
| 253 void * key = ctx->key; | |
| 254 union { u64 u[2]; u8 c[16]; } scratch; | |
| 255 | |
| 256 if (!(flags0&0x40)) | |
| 257 (*block)(ctx->nonce.c,ctx->cmac.c,key); | |
| 258 | |
| 259 ctx->nonce.c[0] = L = flags0&7; | |
| 260 for (n=0,i=15-L;i<15;++i) { | |
| 261 n |= ctx->nonce.c[i]; | |
| 262 ctx->nonce.c[i]=0; | |
| 263 n <<= 8; | |
| 264 } | |
| 265 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
| 266 ctx->nonce.c[15]=1; | |
| 267 | |
| 268 if (n!=len) return -1; | |
| 269 | |
| 270 while (len>=16) { | |
| 271 #if defined(STRICT_ALIGNMENT) | |
| 272 union { u64 u[2]; u8 c[16]; } temp; | |
| 273 #endif | |
| 274 (*block)(ctx->nonce.c,scratch.c,key); | |
| 275 ctr64_inc(ctx->nonce.c); | |
| 276 #if defined(STRICT_ALIGNMENT) | |
| 277 memcpy (temp.c,inp,16); | |
| 278 ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]); | |
| 279 ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]); | |
| 280 memcpy (out,scratch.c,16); | |
| 281 #else | |
| 282 ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0])
; | |
| 283 ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1])
; | |
| 284 #endif | |
| 285 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
| 286 | |
| 287 inp += 16; | |
| 288 out += 16; | |
| 289 len -= 16; | |
| 290 } | |
| 291 | |
| 292 if (len) { | |
| 293 (*block)(ctx->nonce.c,scratch.c,key); | |
| 294 for (i=0; i<len; ++i) | |
| 295 ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); | |
| 296 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
| 297 } | |
| 298 | |
| 299 for (i=15-L;i<16;++i) | |
| 300 ctx->nonce.c[i]=0; | |
| 301 | |
| 302 (*block)(ctx->nonce.c,scratch.c,key); | |
| 303 ctx->cmac.u[0] ^= scratch.u[0]; | |
| 304 ctx->cmac.u[1] ^= scratch.u[1]; | |
| 305 | |
| 306 ctx->nonce.c[0] = flags0; | |
| 307 | |
| 308 return 0; | |
| 309 } | |
| 310 | |
| 311 static void ctr64_add (unsigned char *counter,size_t inc) | |
| 312 { size_t n=8, val=0; | |
| 313 | |
| 314 counter += 8; | |
| 315 do { | |
| 316 --n; | |
| 317 val += counter[n] + (inc&0xff); | |
| 318 counter[n] = (unsigned char)val; | |
| 319 val >>= 8; /* carry bit */ | |
| 320 inc >>= 8; | |
| 321 } while(n && (inc || val)); | |
| 322 } | |
| 323 | |
| 324 int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx, | |
| 325 const unsigned char *inp, unsigned char *out, | |
| 326 size_t len,ccm128_f stream) | |
| 327 { | |
| 328 size_t n; | |
| 329 unsigned int i,L; | |
| 330 unsigned char flags0 = ctx->nonce.c[0]; | |
| 331 block128_f block = ctx->block; | |
| 332 void * key = ctx->key; | |
| 333 union { u64 u[2]; u8 c[16]; } scratch; | |
| 334 | |
| 335 if (!(flags0&0x40)) | |
| 336 (*block)(ctx->nonce.c,ctx->cmac.c,key), | |
| 337 ctx->blocks++; | |
| 338 | |
| 339 ctx->nonce.c[0] = L = flags0&7; | |
| 340 for (n=0,i=15-L;i<15;++i) { | |
| 341 n |= ctx->nonce.c[i]; | |
| 342 ctx->nonce.c[i]=0; | |
| 343 n <<= 8; | |
| 344 } | |
| 345 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
| 346 ctx->nonce.c[15]=1; | |
| 347 | |
| 348 if (n!=len) return -1; /* length mismatch */ | |
| 349 | |
| 350 ctx->blocks += ((len+15)>>3)|1; | |
| 351 if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ | |
| 352 | |
| 353 if ((n=len/16)) { | |
| 354 (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); | |
| 355 n *= 16; | |
| 356 inp += n; | |
| 357 out += n; | |
| 358 len -= n; | |
| 359 if (len) ctr64_add(ctx->nonce.c,n/16); | |
| 360 } | |
| 361 | |
| 362 if (len) { | |
| 363 for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; | |
| 364 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
| 365 (*block)(ctx->nonce.c,scratch.c,key); | |
| 366 for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; | |
| 367 } | |
| 368 | |
| 369 for (i=15-L;i<16;++i) | |
| 370 ctx->nonce.c[i]=0; | |
| 371 | |
| 372 (*block)(ctx->nonce.c,scratch.c,key); | |
| 373 ctx->cmac.u[0] ^= scratch.u[0]; | |
| 374 ctx->cmac.u[1] ^= scratch.u[1]; | |
| 375 | |
| 376 ctx->nonce.c[0] = flags0; | |
| 377 | |
| 378 return 0; | |
| 379 } | |
| 380 | |
| 381 int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx, | |
| 382 const unsigned char *inp, unsigned char *out, | |
| 383 size_t len,ccm128_f stream) | |
| 384 { | |
| 385 size_t n; | |
| 386 unsigned int i,L; | |
| 387 unsigned char flags0 = ctx->nonce.c[0]; | |
| 388 block128_f block = ctx->block; | |
| 389 void * key = ctx->key; | |
| 390 union { u64 u[2]; u8 c[16]; } scratch; | |
| 391 | |
| 392 if (!(flags0&0x40)) | |
| 393 (*block)(ctx->nonce.c,ctx->cmac.c,key); | |
| 394 | |
| 395 ctx->nonce.c[0] = L = flags0&7; | |
| 396 for (n=0,i=15-L;i<15;++i) { | |
| 397 n |= ctx->nonce.c[i]; | |
| 398 ctx->nonce.c[i]=0; | |
| 399 n <<= 8; | |
| 400 } | |
| 401 n |= ctx->nonce.c[15]; /* reconstructed length */ | |
| 402 ctx->nonce.c[15]=1; | |
| 403 | |
| 404 if (n!=len) return -1; | |
| 405 | |
| 406 if ((n=len/16)) { | |
| 407 (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); | |
| 408 n *= 16; | |
| 409 inp += n; | |
| 410 out += n; | |
| 411 len -= n; | |
| 412 if (len) ctr64_add(ctx->nonce.c,n/16); | |
| 413 } | |
| 414 | |
| 415 if (len) { | |
| 416 (*block)(ctx->nonce.c,scratch.c,key); | |
| 417 for (i=0; i<len; ++i) | |
| 418 ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); | |
| 419 (*block)(ctx->cmac.c,ctx->cmac.c,key); | |
| 420 } | |
| 421 | |
| 422 for (i=15-L;i<16;++i) | |
| 423 ctx->nonce.c[i]=0; | |
| 424 | |
| 425 (*block)(ctx->nonce.c,scratch.c,key); | |
| 426 ctx->cmac.u[0] ^= scratch.u[0]; | |
| 427 ctx->cmac.u[1] ^= scratch.u[1]; | |
| 428 | |
| 429 ctx->nonce.c[0] = flags0; | |
| 430 | |
| 431 return 0; | |
| 432 } | |
| 433 | |
| 434 size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len) | |
| 435 { unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */ | |
| 436 | |
| 437 M *= 2; M += 2; | |
| 438 if (len<M) return 0; | |
| 439 memcpy(tag,ctx->cmac.c,M); | |
| 440 return M; | |
| 441 } | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2072073002:
Delete bundled copy of OpenSSL and replace with README. (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/openssl@master