1 |
|
|
/* $OpenBSD: ccm128.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */ |
2 |
|
|
/* ==================================================================== |
3 |
|
|
* Copyright (c) 2011 The OpenSSL Project. All rights reserved. |
4 |
|
|
* |
5 |
|
|
* Redistribution and use in source and binary forms, with or without |
6 |
|
|
* modification, are permitted provided that the following conditions |
7 |
|
|
* are met: |
8 |
|
|
* |
9 |
|
|
* 1. Redistributions of source code must retain the above copyright |
10 |
|
|
* notice, this list of conditions and the following disclaimer. |
11 |
|
|
* |
12 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
13 |
|
|
* notice, this list of conditions and the following disclaimer in |
14 |
|
|
* the documentation and/or other materials provided with the |
15 |
|
|
* distribution. |
16 |
|
|
* |
17 |
|
|
* 3. All advertising materials mentioning features or use of this |
18 |
|
|
* software must display the following acknowledgment: |
19 |
|
|
* "This product includes software developed by the OpenSSL Project |
20 |
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
21 |
|
|
* |
22 |
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
23 |
|
|
* endorse or promote products derived from this software without |
24 |
|
|
* prior written permission. For written permission, please contact |
25 |
|
|
* openssl-core@openssl.org. |
26 |
|
|
* |
27 |
|
|
* 5. Products derived from this software may not be called "OpenSSL" |
28 |
|
|
* nor may "OpenSSL" appear in their names without prior written |
29 |
|
|
* permission of the OpenSSL Project. |
30 |
|
|
* |
31 |
|
|
* 6. Redistributions of any form whatsoever must retain the following |
32 |
|
|
* acknowledgment: |
33 |
|
|
* "This product includes software developed by the OpenSSL Project |
34 |
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
35 |
|
|
* |
36 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
37 |
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
38 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
39 |
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
40 |
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
41 |
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
42 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
43 |
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
44 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
45 |
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
46 |
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
47 |
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE. |
48 |
|
|
* ==================================================================== |
49 |
|
|
*/ |
50 |
|
|
|
51 |
|
|
#include <openssl/crypto.h> |
52 |
|
|
#include "modes_lcl.h" |
53 |
|
|
#include <string.h> |
54 |
|
|
|
55 |
|
|
#ifndef MODES_DEBUG |
56 |
|
|
# ifndef NDEBUG |
57 |
|
|
# define NDEBUG |
58 |
|
|
# endif |
59 |
|
|
#endif |
60 |
|
|
|
61 |
|
|
/* First you setup M and L parameters and pass the key schedule. |
62 |
|
|
* This is called once per session setup... */ |
63 |
|
|
void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, |
64 |
|
|
unsigned int M,unsigned int L,void *key,block128_f block) |
65 |
|
|
{ |
66 |
|
|
memset(ctx->nonce.c,0,sizeof(ctx->nonce.c)); |
67 |
|
|
ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3; |
68 |
|
|
ctx->blocks = 0; |
69 |
|
|
ctx->block = block; |
70 |
|
|
ctx->key = key; |
71 |
|
|
} |
72 |
|
|
|
73 |
|
|
/* !!! Following interfaces are to be called *once* per packet !!! */ |
74 |
|
|
|
75 |
|
|
/* Then you setup per-message nonce and pass the length of the message */ |
76 |
|
|
int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx, |
77 |
|
|
const unsigned char *nonce,size_t nlen,size_t mlen) |
78 |
|
|
{ |
79 |
|
|
unsigned int L = ctx->nonce.c[0]&7; /* the L parameter */ |
80 |
|
|
|
81 |
|
|
if (nlen<(14-L)) return -1; /* nonce is too short */ |
82 |
|
|
|
83 |
|
|
if (sizeof(mlen)==8 && L>=3) { |
84 |
|
|
ctx->nonce.c[8] = (u8)(mlen>>(56%(sizeof(mlen)*8))); |
85 |
|
|
ctx->nonce.c[9] = (u8)(mlen>>(48%(sizeof(mlen)*8))); |
86 |
|
|
ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8))); |
87 |
|
|
ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8))); |
88 |
|
|
} |
89 |
|
|
else |
90 |
|
|
ctx->nonce.u[1] = 0; |
91 |
|
|
|
92 |
|
|
ctx->nonce.c[12] = (u8)(mlen>>24); |
93 |
|
|
ctx->nonce.c[13] = (u8)(mlen>>16); |
94 |
|
|
ctx->nonce.c[14] = (u8)(mlen>>8); |
95 |
|
|
ctx->nonce.c[15] = (u8)mlen; |
96 |
|
|
|
97 |
|
|
ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */ |
98 |
|
|
memcpy(&ctx->nonce.c[1],nonce,14-L); |
99 |
|
|
|
100 |
|
|
return 0; |
101 |
|
|
} |
102 |
|
|
|
103 |
|
|
/* Then you pass additional authentication data, this is optional */ |
104 |
|
|
void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx, |
105 |
|
|
const unsigned char *aad,size_t alen) |
106 |
|
|
{ unsigned int i; |
107 |
|
|
block128_f block = ctx->block; |
108 |
|
|
|
109 |
|
|
if (alen==0) return; |
110 |
|
|
|
111 |
|
|
ctx->nonce.c[0] |= 0x40; /* set Adata flag */ |
112 |
|
|
(*block)(ctx->nonce.c,ctx->cmac.c,ctx->key), |
113 |
|
|
ctx->blocks++; |
114 |
|
|
|
115 |
|
|
if (alen<(0x10000-0x100)) { |
116 |
|
|
ctx->cmac.c[0] ^= (u8)(alen>>8); |
117 |
|
|
ctx->cmac.c[1] ^= (u8)alen; |
118 |
|
|
i=2; |
119 |
|
|
} |
120 |
|
|
else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) { |
121 |
|
|
ctx->cmac.c[0] ^= 0xFF; |
122 |
|
|
ctx->cmac.c[1] ^= 0xFF; |
123 |
|
|
ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8))); |
124 |
|
|
ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8))); |
125 |
|
|
ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8))); |
126 |
|
|
ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8))); |
127 |
|
|
ctx->cmac.c[6] ^= (u8)(alen>>24); |
128 |
|
|
ctx->cmac.c[7] ^= (u8)(alen>>16); |
129 |
|
|
ctx->cmac.c[8] ^= (u8)(alen>>8); |
130 |
|
|
ctx->cmac.c[9] ^= (u8)alen; |
131 |
|
|
i=10; |
132 |
|
|
} |
133 |
|
|
else { |
134 |
|
|
ctx->cmac.c[0] ^= 0xFF; |
135 |
|
|
ctx->cmac.c[1] ^= 0xFE; |
136 |
|
|
ctx->cmac.c[2] ^= (u8)(alen>>24); |
137 |
|
|
ctx->cmac.c[3] ^= (u8)(alen>>16); |
138 |
|
|
ctx->cmac.c[4] ^= (u8)(alen>>8); |
139 |
|
|
ctx->cmac.c[5] ^= (u8)alen; |
140 |
|
|
i=6; |
141 |
|
|
} |
142 |
|
|
|
143 |
|
|
do { |
144 |
|
|
for(;i<16 && alen;++i,++aad,--alen) |
145 |
|
|
ctx->cmac.c[i] ^= *aad; |
146 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,ctx->key), |
147 |
|
|
ctx->blocks++; |
148 |
|
|
i=0; |
149 |
|
|
} while (alen); |
150 |
|
|
} |
151 |
|
|
|
152 |
|
|
/* Finally you encrypt or decrypt the message */ |
153 |
|
|
|
154 |
|
|
/* counter part of nonce may not be larger than L*8 bits, |
155 |
|
|
* L is not larger than 8, therefore 64-bit counter... */ |
156 |
|
|
static void ctr64_inc(unsigned char *counter) { |
157 |
|
|
unsigned int n=8; |
158 |
|
|
u8 c; |
159 |
|
|
|
160 |
|
|
counter += 8; |
161 |
|
|
do { |
162 |
|
|
--n; |
163 |
|
|
c = counter[n]; |
164 |
|
|
++c; |
165 |
|
|
counter[n] = c; |
166 |
|
|
if (c) return; |
167 |
|
|
} while (n); |
168 |
|
|
} |
169 |
|
|
|
170 |
|
|
int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx, |
171 |
|
|
const unsigned char *inp, unsigned char *out, |
172 |
|
|
size_t len) |
173 |
|
|
{ |
174 |
|
|
size_t n; |
175 |
|
|
unsigned int i,L; |
176 |
|
|
unsigned char flags0 = ctx->nonce.c[0]; |
177 |
|
|
block128_f block = ctx->block; |
178 |
|
|
void * key = ctx->key; |
179 |
|
|
union { u64 u[2]; u8 c[16]; } scratch; |
180 |
|
|
|
181 |
|
|
if (!(flags0&0x40)) |
182 |
|
|
(*block)(ctx->nonce.c,ctx->cmac.c,key), |
183 |
|
|
ctx->blocks++; |
184 |
|
|
|
185 |
|
|
ctx->nonce.c[0] = L = flags0&7; |
186 |
|
|
for (n=0,i=15-L;i<15;++i) { |
187 |
|
|
n |= ctx->nonce.c[i]; |
188 |
|
|
ctx->nonce.c[i]=0; |
189 |
|
|
n <<= 8; |
190 |
|
|
} |
191 |
|
|
n |= ctx->nonce.c[15]; /* reconstructed length */ |
192 |
|
|
ctx->nonce.c[15]=1; |
193 |
|
|
|
194 |
|
|
if (n!=len) return -1; /* length mismatch */ |
195 |
|
|
|
196 |
|
|
ctx->blocks += ((len+15)>>3)|1; |
197 |
|
|
if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ |
198 |
|
|
|
199 |
|
|
while (len>=16) { |
200 |
|
|
#ifdef __STRICT_ALIGNMENT |
201 |
|
|
union { u64 u[2]; u8 c[16]; } temp; |
202 |
|
|
|
203 |
|
|
memcpy (temp.c,inp,16); |
204 |
|
|
ctx->cmac.u[0] ^= temp.u[0]; |
205 |
|
|
ctx->cmac.u[1] ^= temp.u[1]; |
206 |
|
|
#else |
207 |
|
|
ctx->cmac.u[0] ^= ((u64*)inp)[0]; |
208 |
|
|
ctx->cmac.u[1] ^= ((u64*)inp)[1]; |
209 |
|
|
#endif |
210 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,key); |
211 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
212 |
|
|
ctr64_inc(ctx->nonce.c); |
213 |
|
|
#ifdef __STRICT_ALIGNMENT |
214 |
|
|
temp.u[0] ^= scratch.u[0]; |
215 |
|
|
temp.u[1] ^= scratch.u[1]; |
216 |
|
|
memcpy(out,temp.c,16); |
217 |
|
|
#else |
218 |
|
|
((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]; |
219 |
|
|
((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]; |
220 |
|
|
#endif |
221 |
|
|
inp += 16; |
222 |
|
|
out += 16; |
223 |
|
|
len -= 16; |
224 |
|
|
} |
225 |
|
|
|
226 |
|
|
if (len) { |
227 |
|
|
for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; |
228 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,key); |
229 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
230 |
|
|
for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; |
231 |
|
|
} |
232 |
|
|
|
233 |
|
|
for (i=15-L;i<16;++i) |
234 |
|
|
ctx->nonce.c[i]=0; |
235 |
|
|
|
236 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
237 |
|
|
ctx->cmac.u[0] ^= scratch.u[0]; |
238 |
|
|
ctx->cmac.u[1] ^= scratch.u[1]; |
239 |
|
|
|
240 |
|
|
ctx->nonce.c[0] = flags0; |
241 |
|
|
|
242 |
|
|
return 0; |
243 |
|
|
} |
244 |
|
|
|
245 |
|
|
int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx, |
246 |
|
|
const unsigned char *inp, unsigned char *out, |
247 |
|
|
size_t len) |
248 |
|
|
{ |
249 |
|
|
size_t n; |
250 |
|
|
unsigned int i,L; |
251 |
|
|
unsigned char flags0 = ctx->nonce.c[0]; |
252 |
|
|
block128_f block = ctx->block; |
253 |
|
|
void * key = ctx->key; |
254 |
|
|
union { u64 u[2]; u8 c[16]; } scratch; |
255 |
|
|
|
256 |
|
|
if (!(flags0&0x40)) |
257 |
|
|
(*block)(ctx->nonce.c,ctx->cmac.c,key); |
258 |
|
|
|
259 |
|
|
ctx->nonce.c[0] = L = flags0&7; |
260 |
|
|
for (n=0,i=15-L;i<15;++i) { |
261 |
|
|
n |= ctx->nonce.c[i]; |
262 |
|
|
ctx->nonce.c[i]=0; |
263 |
|
|
n <<= 8; |
264 |
|
|
} |
265 |
|
|
n |= ctx->nonce.c[15]; /* reconstructed length */ |
266 |
|
|
ctx->nonce.c[15]=1; |
267 |
|
|
|
268 |
|
|
if (n!=len) return -1; |
269 |
|
|
|
270 |
|
|
while (len>=16) { |
271 |
|
|
#ifdef __STRICT_ALIGNMENT |
272 |
|
|
union { u64 u[2]; u8 c[16]; } temp; |
273 |
|
|
#endif |
274 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
275 |
|
|
ctr64_inc(ctx->nonce.c); |
276 |
|
|
#ifdef __STRICT_ALIGNMENT |
277 |
|
|
memcpy (temp.c,inp,16); |
278 |
|
|
ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]); |
279 |
|
|
ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]); |
280 |
|
|
memcpy (out,scratch.c,16); |
281 |
|
|
#else |
282 |
|
|
ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]); |
283 |
|
|
ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]); |
284 |
|
|
#endif |
285 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,key); |
286 |
|
|
|
287 |
|
|
inp += 16; |
288 |
|
|
out += 16; |
289 |
|
|
len -= 16; |
290 |
|
|
} |
291 |
|
|
|
292 |
|
|
if (len) { |
293 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
294 |
|
|
for (i=0; i<len; ++i) |
295 |
|
|
ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); |
296 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,key); |
297 |
|
|
} |
298 |
|
|
|
299 |
|
|
for (i=15-L;i<16;++i) |
300 |
|
|
ctx->nonce.c[i]=0; |
301 |
|
|
|
302 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
303 |
|
|
ctx->cmac.u[0] ^= scratch.u[0]; |
304 |
|
|
ctx->cmac.u[1] ^= scratch.u[1]; |
305 |
|
|
|
306 |
|
|
ctx->nonce.c[0] = flags0; |
307 |
|
|
|
308 |
|
|
return 0; |
309 |
|
|
} |
310 |
|
|
|
311 |
|
|
static void ctr64_add (unsigned char *counter,size_t inc) |
312 |
|
|
{ size_t n=8, val=0; |
313 |
|
|
|
314 |
|
|
counter += 8; |
315 |
|
|
do { |
316 |
|
|
--n; |
317 |
|
|
val += counter[n] + (inc&0xff); |
318 |
|
|
counter[n] = (unsigned char)val; |
319 |
|
|
val >>= 8; /* carry bit */ |
320 |
|
|
inc >>= 8; |
321 |
|
|
} while(n && (inc || val)); |
322 |
|
|
} |
323 |
|
|
|
324 |
|
|
int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx, |
325 |
|
|
const unsigned char *inp, unsigned char *out, |
326 |
|
|
size_t len,ccm128_f stream) |
327 |
|
|
{ |
328 |
|
|
size_t n; |
329 |
|
|
unsigned int i,L; |
330 |
|
|
unsigned char flags0 = ctx->nonce.c[0]; |
331 |
|
|
block128_f block = ctx->block; |
332 |
|
|
void * key = ctx->key; |
333 |
|
|
union { u64 u[2]; u8 c[16]; } scratch; |
334 |
|
|
|
335 |
|
|
if (!(flags0&0x40)) |
336 |
|
|
(*block)(ctx->nonce.c,ctx->cmac.c,key), |
337 |
|
|
ctx->blocks++; |
338 |
|
|
|
339 |
|
|
ctx->nonce.c[0] = L = flags0&7; |
340 |
|
|
for (n=0,i=15-L;i<15;++i) { |
341 |
|
|
n |= ctx->nonce.c[i]; |
342 |
|
|
ctx->nonce.c[i]=0; |
343 |
|
|
n <<= 8; |
344 |
|
|
} |
345 |
|
|
n |= ctx->nonce.c[15]; /* reconstructed length */ |
346 |
|
|
ctx->nonce.c[15]=1; |
347 |
|
|
|
348 |
|
|
if (n!=len) return -1; /* length mismatch */ |
349 |
|
|
|
350 |
|
|
ctx->blocks += ((len+15)>>3)|1; |
351 |
|
|
if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ |
352 |
|
|
|
353 |
|
|
if ((n=len/16)) { |
354 |
|
|
(*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); |
355 |
|
|
n *= 16; |
356 |
|
|
inp += n; |
357 |
|
|
out += n; |
358 |
|
|
len -= n; |
359 |
|
|
if (len) ctr64_add(ctx->nonce.c,n/16); |
360 |
|
|
} |
361 |
|
|
|
362 |
|
|
if (len) { |
363 |
|
|
for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; |
364 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,key); |
365 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
366 |
|
|
for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; |
367 |
|
|
} |
368 |
|
|
|
369 |
|
|
for (i=15-L;i<16;++i) |
370 |
|
|
ctx->nonce.c[i]=0; |
371 |
|
|
|
372 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
373 |
|
|
ctx->cmac.u[0] ^= scratch.u[0]; |
374 |
|
|
ctx->cmac.u[1] ^= scratch.u[1]; |
375 |
|
|
|
376 |
|
|
ctx->nonce.c[0] = flags0; |
377 |
|
|
|
378 |
|
|
return 0; |
379 |
|
|
} |
380 |
|
|
|
381 |
|
|
int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx, |
382 |
|
|
const unsigned char *inp, unsigned char *out, |
383 |
|
|
size_t len,ccm128_f stream) |
384 |
|
|
{ |
385 |
|
|
size_t n; |
386 |
|
|
unsigned int i,L; |
387 |
|
|
unsigned char flags0 = ctx->nonce.c[0]; |
388 |
|
|
block128_f block = ctx->block; |
389 |
|
|
void * key = ctx->key; |
390 |
|
|
union { u64 u[2]; u8 c[16]; } scratch; |
391 |
|
|
|
392 |
|
|
if (!(flags0&0x40)) |
393 |
|
|
(*block)(ctx->nonce.c,ctx->cmac.c,key); |
394 |
|
|
|
395 |
|
|
ctx->nonce.c[0] = L = flags0&7; |
396 |
|
|
for (n=0,i=15-L;i<15;++i) { |
397 |
|
|
n |= ctx->nonce.c[i]; |
398 |
|
|
ctx->nonce.c[i]=0; |
399 |
|
|
n <<= 8; |
400 |
|
|
} |
401 |
|
|
n |= ctx->nonce.c[15]; /* reconstructed length */ |
402 |
|
|
ctx->nonce.c[15]=1; |
403 |
|
|
|
404 |
|
|
if (n!=len) return -1; |
405 |
|
|
|
406 |
|
|
if ((n=len/16)) { |
407 |
|
|
(*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); |
408 |
|
|
n *= 16; |
409 |
|
|
inp += n; |
410 |
|
|
out += n; |
411 |
|
|
len -= n; |
412 |
|
|
if (len) ctr64_add(ctx->nonce.c,n/16); |
413 |
|
|
} |
414 |
|
|
|
415 |
|
|
if (len) { |
416 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
417 |
|
|
for (i=0; i<len; ++i) |
418 |
|
|
ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); |
419 |
|
|
(*block)(ctx->cmac.c,ctx->cmac.c,key); |
420 |
|
|
} |
421 |
|
|
|
422 |
|
|
for (i=15-L;i<16;++i) |
423 |
|
|
ctx->nonce.c[i]=0; |
424 |
|
|
|
425 |
|
|
(*block)(ctx->nonce.c,scratch.c,key); |
426 |
|
|
ctx->cmac.u[0] ^= scratch.u[0]; |
427 |
|
|
ctx->cmac.u[1] ^= scratch.u[1]; |
428 |
|
|
|
429 |
|
|
ctx->nonce.c[0] = flags0; |
430 |
|
|
|
431 |
|
|
return 0; |
432 |
|
|
} |
433 |
|
|
|
434 |
|
|
size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len) |
435 |
|
|
{ unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */ |
436 |
|
|
|
437 |
|
|
M *= 2; M += 2; |
438 |
|
|
if (len<M) return 0; |
439 |
|
|
memcpy(tag,ctx->cmac.c,M); |
440 |
|
|
return M; |
441 |
|
|
} |