Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 1 | /* ==================================================================== |
| 2 | * Copyright (c) 2008 The OpenSSL Project. All rights reserved. |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 3 | * |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 4 | * Redistribution and use in source and binary forms, with or without |
| 5 | * modification, are permitted provided that the following conditions |
| 6 | * are met: |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 7 | * |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 8 | * 1. Redistributions of source code must retain the above copyright |
| 9 | * notice, this list of conditions and the following disclaimer. |
| 10 | * |
| 11 | * 2. Redistributions in binary form must reproduce the above copyright |
| 12 | * notice, this list of conditions and the following disclaimer in |
| 13 | * the documentation and/or other materials provided with the |
| 14 | * distribution. |
| 15 | * |
| 16 | * 3. All advertising materials mentioning features or use of this |
| 17 | * software must display the following acknowledgment: |
| 18 | * "This product includes software developed by the OpenSSL Project |
| 19 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 20 | * |
| 21 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 22 | * endorse or promote products derived from this software without |
| 23 | * prior written permission. For written permission, please contact |
| 24 | * openssl-core@openssl.org. |
| 25 | * |
| 26 | * 5. Products derived from this software may not be called "OpenSSL" |
| 27 | * nor may "OpenSSL" appear in their names without prior written |
| 28 | * permission of the OpenSSL Project. |
| 29 | * |
| 30 | * 6. Redistributions of any form whatsoever must retain the following |
| 31 | * acknowledgment: |
| 32 | * "This product includes software developed by the OpenSSL Project |
| 33 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 34 | * |
| 35 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 36 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 37 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 38 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 39 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 40 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 41 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 42 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 43 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 44 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 45 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 46 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 47 | * ==================================================================== */ |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 48 | |
| 49 | #include <openssl/aead.h> |
| 50 | |
| 51 | #include <assert.h> |
| 52 | |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 53 | #include <openssl/cpu.h> |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 54 | #include <openssl/cipher.h> |
| 55 | #include <openssl/err.h> |
| 56 | #include <openssl/mem.h> |
| 57 | |
| 58 | #include "../fipsmodule/cipher/internal.h" |
| 59 | |
| 60 | |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 61 | struct ccm128_context { |
| 62 | block128_f block; |
| 63 | ctr128_f ctr; |
| 64 | unsigned M, L; |
| 65 | }; |
| 66 | |
| 67 | struct ccm128_state { |
| 68 | union { |
| 69 | uint64_t u[2]; |
| 70 | uint8_t c[16]; |
| 71 | } nonce, cmac; |
| 72 | }; |
| 73 | |
| 74 | static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key, |
| 75 | block128_f block, ctr128_f ctr, unsigned M, |
| 76 | unsigned L) { |
| 77 | if (M < 4 || M > 16 || (M & 1) != 0 || L < 2 || L > 8) { |
| 78 | return 0; |
| 79 | } |
| 80 | ctx->block = block; |
| 81 | ctx->ctr = ctr; |
| 82 | ctx->M = M; |
| 83 | ctx->L = L; |
| 84 | return 1; |
| 85 | } |
| 86 | |
| 87 | static size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) { |
| 88 | return ctx->L >= sizeof(size_t) ? (size_t)-1 |
| 89 | : (((size_t)1) << (ctx->L * 8)) - 1; |
| 90 | } |
| 91 | |
| 92 | static int ccm128_init_state(const struct ccm128_context *ctx, |
| 93 | struct ccm128_state *state, const AES_KEY *key, |
| 94 | const uint8_t *nonce, size_t nonce_len, |
| 95 | const uint8_t *aad, size_t aad_len, |
| 96 | size_t plaintext_len) { |
| 97 | const block128_f block = ctx->block; |
| 98 | const unsigned M = ctx->M; |
| 99 | const unsigned L = ctx->L; |
| 100 | |
| 101 | // |L| determines the expected |nonce_len| and the limit for |plaintext_len|. |
| 102 | if (plaintext_len > CRYPTO_ccm128_max_input(ctx) || |
| 103 | nonce_len != 15 - L) { |
| 104 | return 0; |
| 105 | } |
| 106 | |
| 107 | // Assemble the first block for computing the MAC. |
| 108 | OPENSSL_memset(state, 0, sizeof(*state)); |
| 109 | state->nonce.c[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3); |
| 110 | if (aad_len != 0) { |
| 111 | state->nonce.c[0] |= 0x40; // Set AAD Flag |
| 112 | } |
| 113 | OPENSSL_memcpy(&state->nonce.c[1], nonce, nonce_len); |
| 114 | for (unsigned i = 0; i < L; i++) { |
| 115 | state->nonce.c[15 - i] = (uint8_t)(plaintext_len >> (8 * i)); |
| 116 | } |
| 117 | |
| 118 | (*block)(state->nonce.c, state->cmac.c, key); |
| 119 | size_t blocks = 1; |
| 120 | |
| 121 | if (aad_len != 0) { |
| 122 | unsigned i; |
| 123 | // Cast to u64 to avoid the compiler complaining about invalid shifts. |
| 124 | uint64_t aad_len_u64 = aad_len; |
| 125 | if (aad_len_u64 < 0x10000 - 0x100) { |
| 126 | state->cmac.c[0] ^= (uint8_t)(aad_len_u64 >> 8); |
| 127 | state->cmac.c[1] ^= (uint8_t)aad_len_u64; |
| 128 | i = 2; |
| 129 | } else if (aad_len_u64 <= 0xffffffff) { |
| 130 | state->cmac.c[0] ^= 0xff; |
| 131 | state->cmac.c[1] ^= 0xfe; |
| 132 | state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 24); |
| 133 | state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 16); |
| 134 | state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 8); |
| 135 | state->cmac.c[5] ^= (uint8_t)aad_len_u64; |
| 136 | i = 6; |
| 137 | } else { |
| 138 | state->cmac.c[0] ^= 0xff; |
| 139 | state->cmac.c[1] ^= 0xff; |
| 140 | state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 56); |
| 141 | state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 48); |
| 142 | state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 40); |
| 143 | state->cmac.c[5] ^= (uint8_t)(aad_len_u64 >> 32); |
| 144 | state->cmac.c[6] ^= (uint8_t)(aad_len_u64 >> 24); |
| 145 | state->cmac.c[7] ^= (uint8_t)(aad_len_u64 >> 16); |
| 146 | state->cmac.c[8] ^= (uint8_t)(aad_len_u64 >> 8); |
| 147 | state->cmac.c[9] ^= (uint8_t)aad_len_u64; |
| 148 | i = 10; |
| 149 | } |
| 150 | |
| 151 | do { |
| 152 | for (; i < 16 && aad_len != 0; i++) { |
| 153 | state->cmac.c[i] ^= *aad; |
| 154 | aad++; |
| 155 | aad_len--; |
| 156 | } |
| 157 | (*block)(state->cmac.c, state->cmac.c, key); |
| 158 | blocks++; |
| 159 | i = 0; |
| 160 | } while (aad_len != 0); |
| 161 | } |
| 162 | |
| 163 | // Per RFC 3610, section 2.6, the total number of block cipher operations done |
| 164 | // must not exceed 2^61. There are two block cipher operations remaining per |
| 165 | // message block, plus one block at the end to encrypt the MAC. |
| 166 | size_t remaining_blocks = 2 * ((plaintext_len + 15) / 16) + 1; |
| 167 | if (plaintext_len + 15 < plaintext_len || |
| 168 | remaining_blocks + blocks < blocks || |
| 169 | (uint64_t) remaining_blocks + blocks > UINT64_C(1) << 61) { |
| 170 | return 0; |
| 171 | } |
| 172 | |
| 173 | // Assemble the first block for encrypting and decrypting. The bottom |L| |
| 174 | // bytes are replaced with a counter and all bit the encoding of |L| is |
| 175 | // cleared in the first byte. |
| 176 | state->nonce.c[0] &= 7; |
| 177 | return 1; |
| 178 | } |
| 179 | |
| 180 | static int ccm128_encrypt(const struct ccm128_context *ctx, |
| 181 | struct ccm128_state *state, const AES_KEY *key, |
| 182 | uint8_t *out, const uint8_t *in, size_t len) { |
| 183 | // The counter for encryption begins at one. |
| 184 | for (unsigned i = 0; i < ctx->L; i++) { |
| 185 | state->nonce.c[15 - i] = 0; |
| 186 | } |
| 187 | state->nonce.c[15] = 1; |
| 188 | |
| 189 | uint8_t partial_buf[16]; |
| 190 | unsigned num = 0; |
| 191 | if (ctx->ctr != NULL) { |
| 192 | CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce.c, partial_buf, |
| 193 | &num, ctx->ctr); |
| 194 | } else { |
| 195 | CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce.c, partial_buf, &num, |
| 196 | ctx->block); |
| 197 | } |
| 198 | return 1; |
| 199 | } |
| 200 | |
| 201 | static int ccm128_compute_mac(const struct ccm128_context *ctx, |
| 202 | struct ccm128_state *state, const AES_KEY *key, |
| 203 | uint8_t *out_tag, size_t tag_len, |
| 204 | const uint8_t *in, size_t len) { |
| 205 | block128_f block = ctx->block; |
| 206 | if (tag_len != ctx->M) { |
| 207 | return 0; |
| 208 | } |
| 209 | |
| 210 | // Incorporate |in| into the MAC. |
| 211 | union { |
| 212 | uint64_t u[2]; |
| 213 | uint8_t c[16]; |
| 214 | } tmp; |
| 215 | while (len >= 16) { |
| 216 | OPENSSL_memcpy(tmp.c, in, 16); |
| 217 | state->cmac.u[0] ^= tmp.u[0]; |
| 218 | state->cmac.u[1] ^= tmp.u[1]; |
| 219 | (*block)(state->cmac.c, state->cmac.c, key); |
| 220 | in += 16; |
| 221 | len -= 16; |
| 222 | } |
| 223 | if (len > 0) { |
| 224 | for (size_t i = 0; i < len; i++) { |
| 225 | state->cmac.c[i] ^= in[i]; |
| 226 | } |
| 227 | (*block)(state->cmac.c, state->cmac.c, key); |
| 228 | } |
| 229 | |
| 230 | // Encrypt the MAC with counter zero. |
| 231 | for (unsigned i = 0; i < ctx->L; i++) { |
| 232 | state->nonce.c[15 - i] = 0; |
| 233 | } |
| 234 | (*block)(state->nonce.c, tmp.c, key); |
| 235 | state->cmac.u[0] ^= tmp.u[0]; |
| 236 | state->cmac.u[1] ^= tmp.u[1]; |
| 237 | |
| 238 | OPENSSL_memcpy(out_tag, state->cmac.c, tag_len); |
| 239 | return 1; |
| 240 | } |
| 241 | |
| 242 | static int CRYPTO_ccm128_encrypt(const struct ccm128_context *ctx, |
| 243 | const AES_KEY *key, uint8_t *out, |
| 244 | uint8_t *out_tag, size_t tag_len, |
| 245 | const uint8_t *nonce, size_t nonce_len, |
| 246 | const uint8_t *in, size_t len, |
| 247 | const uint8_t *aad, size_t aad_len) { |
| 248 | struct ccm128_state state; |
| 249 | return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len, |
| 250 | len) && |
| 251 | ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, in, len) && |
| 252 | ccm128_encrypt(ctx, &state, key, out, in, len); |
| 253 | } |
| 254 | |
| 255 | static int CRYPTO_ccm128_decrypt(const struct ccm128_context *ctx, |
| 256 | const AES_KEY *key, uint8_t *out, |
| 257 | uint8_t *out_tag, size_t tag_len, |
| 258 | const uint8_t *nonce, size_t nonce_len, |
| 259 | const uint8_t *in, size_t len, |
| 260 | const uint8_t *aad, size_t aad_len) { |
| 261 | struct ccm128_state state; |
| 262 | return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len, |
| 263 | len) && |
| 264 | ccm128_encrypt(ctx, &state, key, out, in, len) && |
| 265 | ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, out, len); |
| 266 | } |
| 267 | |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 268 | #define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16 |
| 269 | |
| 270 | struct aead_aes_ccm_ctx { |
| 271 | union { |
| 272 | double align; |
| 273 | AES_KEY ks; |
| 274 | } ks; |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 275 | struct ccm128_context ccm; |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 276 | }; |
| 277 | |
Robert Sloan | c9abfe4 | 2018-11-26 12:19:07 -0800 | [diff] [blame] | 278 | OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
| 279 | sizeof(struct aead_aes_ccm_ctx), |
| 280 | "AEAD state is too small"); |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 281 | #if defined(__GNUC__) || defined(__clang__) |
Robert Sloan | c9abfe4 | 2018-11-26 12:19:07 -0800 | [diff] [blame] | 282 | OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >= |
| 283 | alignof(struct aead_aes_ccm_ctx), |
| 284 | "AEAD state has insufficient alignment"); |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 285 | #endif |
| 286 | |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 287 | static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
| 288 | size_t key_len, size_t tag_len, unsigned M, |
| 289 | unsigned L) { |
| 290 | assert(M == EVP_AEAD_max_overhead(ctx->aead)); |
| 291 | assert(M == EVP_AEAD_max_tag_len(ctx->aead)); |
| 292 | assert(15 - L == EVP_AEAD_nonce_length(ctx->aead)); |
| 293 | |
| 294 | if (key_len != EVP_AEAD_key_length(ctx->aead)) { |
| 295 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); |
| 296 | return 0; // EVP_AEAD_CTX_init should catch this. |
| 297 | } |
| 298 | |
| 299 | if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { |
| 300 | tag_len = M; |
| 301 | } |
| 302 | |
| 303 | if (tag_len != M) { |
| 304 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); |
| 305 | return 0; |
| 306 | } |
| 307 | |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 308 | struct aead_aes_ccm_ctx *ccm_ctx = (struct aead_aes_ccm_ctx *)&ctx->state; |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 309 | |
| 310 | block128_f block; |
Robert Sloan | 59e9950 | 2019-03-25 12:33:16 -0700 | [diff] [blame] | 311 | ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len); |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 312 | ctx->tag_len = tag_len; |
| 313 | if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) { |
| 314 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR); |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 315 | return 0; |
| 316 | } |
| 317 | |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 318 | return 1; |
| 319 | } |
| 320 | |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 321 | static void aead_aes_ccm_cleanup(EVP_AEAD_CTX *ctx) {} |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 322 | |
| 323 | static int aead_aes_ccm_seal_scatter( |
| 324 | const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, |
| 325 | size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, |
| 326 | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, |
| 327 | size_t extra_in_len, const uint8_t *ad, size_t ad_len) { |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 328 | const struct aead_aes_ccm_ctx *ccm_ctx = |
| 329 | (struct aead_aes_ccm_ctx *)&ctx->state; |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 330 | |
| 331 | if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) { |
| 332 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
| 333 | return 0; |
| 334 | } |
| 335 | |
| 336 | if (max_out_tag_len < ctx->tag_len) { |
| 337 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
| 338 | return 0; |
| 339 | } |
| 340 | |
| 341 | if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { |
| 342 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
| 343 | return 0; |
| 344 | } |
| 345 | |
| 346 | if (!CRYPTO_ccm128_encrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, out_tag, |
| 347 | ctx->tag_len, nonce, nonce_len, in, in_len, ad, |
| 348 | ad_len)) { |
| 349 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
| 350 | return 0; |
| 351 | } |
| 352 | |
| 353 | *out_tag_len = ctx->tag_len; |
| 354 | return 1; |
| 355 | } |
| 356 | |
| 357 | static int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, |
| 358 | const uint8_t *nonce, size_t nonce_len, |
| 359 | const uint8_t *in, size_t in_len, |
| 360 | const uint8_t *in_tag, size_t in_tag_len, |
| 361 | const uint8_t *ad, size_t ad_len) { |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 362 | const struct aead_aes_ccm_ctx *ccm_ctx = |
| 363 | (struct aead_aes_ccm_ctx *)&ctx->state; |
Robert Sloan | ab8b888 | 2018-03-26 11:39:51 -0700 | [diff] [blame] | 364 | |
| 365 | if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) { |
| 366 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
| 367 | return 0; |
| 368 | } |
| 369 | |
| 370 | if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { |
| 371 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
| 372 | return 0; |
| 373 | } |
| 374 | |
| 375 | if (in_tag_len != ctx->tag_len) { |
| 376 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
| 377 | return 0; |
| 378 | } |
| 379 | |
| 380 | uint8_t tag[EVP_AEAD_AES_CCM_MAX_TAG_LEN]; |
| 381 | assert(ctx->tag_len <= EVP_AEAD_AES_CCM_MAX_TAG_LEN); |
| 382 | if (!CRYPTO_ccm128_decrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, tag, |
| 383 | ctx->tag_len, nonce, nonce_len, in, in_len, ad, |
| 384 | ad_len)) { |
| 385 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
| 386 | return 0; |
| 387 | } |
| 388 | |
| 389 | if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) { |
| 390 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
| 391 | return 0; |
| 392 | } |
| 393 | |
| 394 | return 1; |
| 395 | } |
| 396 | |
| 397 | static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
| 398 | size_t key_len, size_t tag_len) { |
| 399 | return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2); |
| 400 | } |
| 401 | |
| 402 | static const EVP_AEAD aead_aes_128_ccm_bluetooth = { |
| 403 | 16, // key length (AES-128) |
| 404 | 13, // nonce length |
| 405 | 4, // overhead |
| 406 | 4, // max tag length |
| 407 | 0, // seal_scatter_supports_extra_in |
| 408 | |
| 409 | aead_aes_ccm_bluetooth_init, |
| 410 | NULL /* init_with_direction */, |
| 411 | aead_aes_ccm_cleanup, |
| 412 | NULL /* open */, |
| 413 | aead_aes_ccm_seal_scatter, |
| 414 | aead_aes_ccm_open_gather, |
| 415 | NULL /* get_iv */, |
| 416 | NULL /* tag_len */, |
| 417 | }; |
| 418 | |
| 419 | const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) { |
| 420 | return &aead_aes_128_ccm_bluetooth; |
| 421 | } |
| 422 | |
| 423 | static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
| 424 | size_t key_len, size_t tag_len) { |
| 425 | return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2); |
| 426 | } |
| 427 | |
| 428 | static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = { |
| 429 | 16, // key length (AES-128) |
| 430 | 13, // nonce length |
| 431 | 8, // overhead |
| 432 | 8, // max tag length |
| 433 | 0, // seal_scatter_supports_extra_in |
| 434 | |
| 435 | aead_aes_ccm_bluetooth_8_init, |
| 436 | NULL /* init_with_direction */, |
| 437 | aead_aes_ccm_cleanup, |
| 438 | NULL /* open */, |
| 439 | aead_aes_ccm_seal_scatter, |
| 440 | aead_aes_ccm_open_gather, |
| 441 | NULL /* get_iv */, |
| 442 | NULL /* tag_len */, |
| 443 | }; |
| 444 | |
| 445 | const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) { |
| 446 | return &aead_aes_128_ccm_bluetooth_8; |
| 447 | } |