Roy Want
/
beaconCompileReadyFork
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
source/aes_eax.cpp@0:ed0152b5c495, 2016-09-19 (annotated)
- Committer:
- roywant
- Date:
- Mon Sep 19 00:59:11 2016 +0000
- Revision:
- 0:ed0152b5c495
Initial commit
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| roywant | 0:ed0152b5c495 | 1 | /* |
| roywant | 0:ed0152b5c495 | 2 | * Copyright (c) 2016, Google Inc, All Rights Reserved |
| roywant | 0:ed0152b5c495 | 3 | * SPDX-License-Identifier: Apache-2.0 |
| roywant | 0:ed0152b5c495 | 4 | * |
| roywant | 0:ed0152b5c495 | 5 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| roywant | 0:ed0152b5c495 | 6 | * not use this file except in compliance with the License. |
| roywant | 0:ed0152b5c495 | 7 | * You may obtain a copy of the License at |
| roywant | 0:ed0152b5c495 | 8 | * |
| roywant | 0:ed0152b5c495 | 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| roywant | 0:ed0152b5c495 | 10 | * |
| roywant | 0:ed0152b5c495 | 11 | * Unless required by applicable law or agreed to in writing, software |
| roywant | 0:ed0152b5c495 | 12 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| roywant | 0:ed0152b5c495 | 13 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| roywant | 0:ed0152b5c495 | 14 | * See the License for the specific language governing permissions and |
| roywant | 0:ed0152b5c495 | 15 | * limitations under the License. |
| roywant | 0:ed0152b5c495 | 16 | */ |
| roywant | 0:ed0152b5c495 | 17 | |
| roywant | 0:ed0152b5c495 | 18 | #include <string.h> |
| roywant | 0:ed0152b5c495 | 19 | |
| roywant | 0:ed0152b5c495 | 20 | // #include "aes_eax.h" |
| roywant | 0:ed0152b5c495 | 21 | // set defines before loading aes.h |
| roywant | 0:ed0152b5c495 | 22 | #define MBEDTLS_CIPHER_MODE_CBC |
| roywant | 0:ed0152b5c495 | 23 | #define MBEDTLS_CIPHER_MODE_CTR |
| roywant | 0:ed0152b5c495 | 24 | #include "aes.h" |
| roywant | 0:ed0152b5c495 | 25 | |
| roywant | 0:ed0152b5c495 | 26 | #define EDDY_ERR_EAX_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */ |
| roywant | 0:ed0152b5c495 | 27 | |
| roywant | 0:ed0152b5c495 | 28 | void gf128_double_( unsigned char val[16] ) |
| roywant | 0:ed0152b5c495 | 29 | { |
| roywant | 0:ed0152b5c495 | 30 | int i; |
| roywant | 0:ed0152b5c495 | 31 | int carry = val[0] >> 7; |
| roywant | 0:ed0152b5c495 | 32 | int xv = (-carry) & 0x87; |
| roywant | 0:ed0152b5c495 | 33 | for (i = 15; i >= 0; i--) { |
| roywant | 0:ed0152b5c495 | 34 | carry = val[i] >> 7; |
| roywant | 0:ed0152b5c495 | 35 | val[i] = (val[i] << 1) ^ xv; |
| roywant | 0:ed0152b5c495 | 36 | xv = carry; |
| roywant | 0:ed0152b5c495 | 37 | } |
| roywant | 0:ed0152b5c495 | 38 | } |
| roywant | 0:ed0152b5c495 | 39 | |
| roywant | 0:ed0152b5c495 | 40 | int compute_cmac_( mbedtls_aes_context *ctx, |
| roywant | 0:ed0152b5c495 | 41 | const unsigned char *input, |
| roywant | 0:ed0152b5c495 | 42 | size_t length, |
| roywant | 0:ed0152b5c495 | 43 | unsigned char param, |
| roywant | 0:ed0152b5c495 | 44 | unsigned char mac[16] ) |
| roywant | 0:ed0152b5c495 | 45 | { |
| roywant | 0:ed0152b5c495 | 46 | unsigned char buf[16], iv[16]; |
| roywant | 0:ed0152b5c495 | 47 | memset(buf, 0, sizeof(buf)); |
| roywant | 0:ed0152b5c495 | 48 | buf[15] = param; |
| roywant | 0:ed0152b5c495 | 49 | memset(iv, 0, sizeof(iv)); |
| roywant | 0:ed0152b5c495 | 50 | length += 16; |
| roywant | 0:ed0152b5c495 | 51 | |
| roywant | 0:ed0152b5c495 | 52 | unsigned char pad[16]; |
| roywant | 0:ed0152b5c495 | 53 | memset(pad, 0, sizeof(pad)); |
| roywant | 0:ed0152b5c495 | 54 | mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, pad, pad); |
| roywant | 0:ed0152b5c495 | 55 | gf128_double_(pad); |
| roywant | 0:ed0152b5c495 | 56 | if (length & 15) { |
| roywant | 0:ed0152b5c495 | 57 | gf128_double_(pad); |
| roywant | 0:ed0152b5c495 | 58 | pad[length & 15] ^= 0x80; |
| roywant | 0:ed0152b5c495 | 59 | } |
| roywant | 0:ed0152b5c495 | 60 | |
| roywant | 0:ed0152b5c495 | 61 | const unsigned char *tmp_input = buf; |
| roywant | 0:ed0152b5c495 | 62 | while (length > 16) { |
| roywant | 0:ed0152b5c495 | 63 | mbedtls_aes_crypt_cbc(ctx, MBEDTLS_AES_ENCRYPT, 16, iv, tmp_input, buf); |
| roywant | 0:ed0152b5c495 | 64 | if (tmp_input == buf) { |
| roywant | 0:ed0152b5c495 | 65 | tmp_input = input; |
| roywant | 0:ed0152b5c495 | 66 | } else { |
| roywant | 0:ed0152b5c495 | 67 | tmp_input += 16; |
| roywant | 0:ed0152b5c495 | 68 | } |
| roywant | 0:ed0152b5c495 | 69 | length -= 16; |
| roywant | 0:ed0152b5c495 | 70 | } |
| roywant | 0:ed0152b5c495 | 71 | |
| roywant | 0:ed0152b5c495 | 72 | size_t i; |
| roywant | 0:ed0152b5c495 | 73 | for (i = 0; i < length; i++) |
| roywant | 0:ed0152b5c495 | 74 | pad[i] ^= tmp_input[i]; |
| roywant | 0:ed0152b5c495 | 75 | |
| roywant | 0:ed0152b5c495 | 76 | mbedtls_aes_crypt_cbc(ctx, MBEDTLS_AES_ENCRYPT, 16, iv, pad, mac); |
| roywant | 0:ed0152b5c495 | 77 | return 0; |
| roywant | 0:ed0152b5c495 | 78 | } |
| roywant | 0:ed0152b5c495 | 79 | |
| roywant | 0:ed0152b5c495 | 80 | int eddy_aes_authcrypt_eax( mbedtls_aes_context *ctx, |
| roywant | 0:ed0152b5c495 | 81 | int mode, |
| roywant | 0:ed0152b5c495 | 82 | const unsigned char *nonce, |
| roywant | 0:ed0152b5c495 | 83 | size_t nonce_length, |
| roywant | 0:ed0152b5c495 | 84 | const unsigned char *header, |
| roywant | 0:ed0152b5c495 | 85 | size_t header_length, |
| roywant | 0:ed0152b5c495 | 86 | size_t message_length, |
| roywant | 0:ed0152b5c495 | 87 | const unsigned char *input, |
| roywant | 0:ed0152b5c495 | 88 | unsigned char *output, |
| roywant | 0:ed0152b5c495 | 89 | unsigned char *tag, |
| roywant | 0:ed0152b5c495 | 90 | size_t tag_length ) |
| roywant | 0:ed0152b5c495 | 91 | { |
| roywant | 0:ed0152b5c495 | 92 | unsigned char header_mac[16]; |
| roywant | 0:ed0152b5c495 | 93 | unsigned char nonce_mac[16]; |
| roywant | 0:ed0152b5c495 | 94 | unsigned char ciphertext_mac[16]; |
| roywant | 0:ed0152b5c495 | 95 | uint8_t i; |
| roywant | 0:ed0152b5c495 | 96 | compute_cmac_(ctx, header, header_length, 1, header_mac); |
| roywant | 0:ed0152b5c495 | 97 | compute_cmac_(ctx, nonce, nonce_length, 0, nonce_mac); |
| roywant | 0:ed0152b5c495 | 98 | if (mode == MBEDTLS_AES_DECRYPT) { |
| roywant | 0:ed0152b5c495 | 99 | compute_cmac_(ctx, input, message_length, 2, ciphertext_mac); |
| roywant | 0:ed0152b5c495 | 100 | unsigned char n_ok = 0; |
| roywant | 0:ed0152b5c495 | 101 | for (i = 0; i < tag_length; i++) { |
| roywant | 0:ed0152b5c495 | 102 | ciphertext_mac[i] ^= header_mac[i]; |
| roywant | 0:ed0152b5c495 | 103 | ciphertext_mac[i] ^= nonce_mac[i]; |
| roywant | 0:ed0152b5c495 | 104 | ciphertext_mac[i] ^= tag[i]; |
| roywant | 0:ed0152b5c495 | 105 | n_ok |= ciphertext_mac[i]; |
| roywant | 0:ed0152b5c495 | 106 | } |
| roywant | 0:ed0152b5c495 | 107 | if (n_ok) |
| roywant | 0:ed0152b5c495 | 108 | return EDDY_ERR_EAX_AUTH_FAILED; |
| roywant | 0:ed0152b5c495 | 109 | } |
| roywant | 0:ed0152b5c495 | 110 | size_t nc_off = 0; |
| roywant | 0:ed0152b5c495 | 111 | unsigned char nonce_copy[16]; |
| roywant | 0:ed0152b5c495 | 112 | memcpy(nonce_copy, nonce_mac, sizeof(nonce_mac)); |
| roywant | 0:ed0152b5c495 | 113 | unsigned char sb[16]; |
| roywant | 0:ed0152b5c495 | 114 | mbedtls_aes_crypt_ctr(ctx, message_length, &nc_off, nonce_copy, sb, input, output); |
| roywant | 0:ed0152b5c495 | 115 | if (mode == MBEDTLS_AES_ENCRYPT) { |
| roywant | 0:ed0152b5c495 | 116 | compute_cmac_(ctx, output, message_length, 2, ciphertext_mac); |
| roywant | 0:ed0152b5c495 | 117 | for (i = 0; i < tag_length; i++) |
| roywant | 0:ed0152b5c495 | 118 | tag[i] = header_mac[i] ^ nonce_mac[i] ^ ciphertext_mac[i]; |
| roywant | 0:ed0152b5c495 | 119 | } |
| roywant | 0:ed0152b5c495 | 120 | return 0; |
| roywant | 0:ed0152b5c495 | 121 | } |