1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4 #include "sm4_core.h"
5
6
7 #define CCM_DEBUG 0
8 #if 1
9
10 typedef void (*ccm128_f)(const unsigned char *in, unsigned char *out,
11 size_t blocks, const void *key,
12 const unsigned char ivec[16],unsigned char cmac[16]);
13
14
15 struct ccm128_context {
16 union { u64 u[2]; u8 c[16]; } nonce, cmac;
17 u64 blocks;
18 block128_f block;
19 void *key;
20 };
21
22 //#define U64(C) C##UL
23
24 typedef struct ccm128_context CCM128_CONTEXT;
25
26
27 /* First you setup M and L parameters and pass the key schedule.
28 * This is called once per session setup... */
rk_crypto_ccm128_init(CCM128_CONTEXT * ctx,unsigned int M,unsigned int L,void * key,block128_f block)29 static void rk_crypto_ccm128_init(CCM128_CONTEXT *ctx,
30 unsigned int M,unsigned int L,void *key,block128_f block)
31 {
32 // printf("m = %d,L = %d\n",M,L);
33 memset(ctx->nonce.c,0,sizeof(ctx->nonce.c));
34 ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3;
35 ctx->blocks = 0;
36 ctx->block = block;
37 ctx->key = key;
38 }
39
40 /* !!! Following interfaces are to be called *once* per packet !!! */
41
42 /* Then you setup per-message nonce and pass the length of the message */
rk_crypto_ccm128_setiv(CCM128_CONTEXT * ctx,const unsigned char * nonce,size_t nlen,size_t mlen)43 static int rk_crypto_ccm128_setiv(CCM128_CONTEXT *ctx,
44 const unsigned char *nonce,size_t nlen,size_t mlen)
45 {
46 unsigned int L = ctx->nonce.c[0]&7; /* the L parameter */
47
48 if (nlen<(14-L)) return -1; /* nonce is too short */
49
50 if (sizeof(mlen)==8 && L>=3) {
51 ctx->nonce.c[8] = (u8)(mlen>>(56%(sizeof(mlen)*8)));
52 ctx->nonce.c[9] = (u8)(mlen>>(48%(sizeof(mlen)*8)));
53 ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8)));
54 ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
55 }
56 else
57 ctx->nonce.u[1] = 0;
58
59 ctx->nonce.c[12] = (u8)(mlen>>24);
60 ctx->nonce.c[13] = (u8)(mlen>>16);
61 ctx->nonce.c[14] = (u8)(mlen>>8);
62 ctx->nonce.c[15] = (u8)mlen;
63
64 ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */
65 memcpy(&ctx->nonce.c[1],nonce,14-L);
66
67 return 0;
68 }
69
70 /* Then you pass additional authentication data, this is optional */
rk_crypto_ccm128_aad(CCM128_CONTEXT * ctx,const unsigned char * aad,size_t alen)71 static void rk_crypto_ccm128_aad(CCM128_CONTEXT *ctx,
72 const unsigned char *aad,size_t alen)
73 { unsigned int i;
74 block128_f block = ctx->block;
75
76 if (alen==0) return;
77
78 ctx->nonce.c[0] |= 0x40; /* set Adata flag */
79 (*block)(ctx->nonce.c,ctx->cmac.c,ctx->key),
80 ctx->blocks++;
81
82 if (alen<(0x10000-0x100)) {
83 ctx->cmac.c[0] ^= (u8)(alen>>8);
84 ctx->cmac.c[1] ^= (u8)alen;
85 i=2;
86 }
87 else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) {
88 ctx->cmac.c[0] ^= 0xFF;
89 ctx->cmac.c[1] ^= 0xFF;
90 ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8)));
91 ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8)));
92 ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8)));
93 ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8)));
94 ctx->cmac.c[6] ^= (u8)(alen>>24);
95 ctx->cmac.c[7] ^= (u8)(alen>>16);
96 ctx->cmac.c[8] ^= (u8)(alen>>8);
97 ctx->cmac.c[9] ^= (u8)alen;
98 i=10;
99 }
100 else {
101 ctx->cmac.c[0] ^= 0xFF;
102 ctx->cmac.c[1] ^= 0xFE;
103 ctx->cmac.c[2] ^= (u8)(alen>>24);
104 ctx->cmac.c[3] ^= (u8)(alen>>16);
105 ctx->cmac.c[4] ^= (u8)(alen>>8);
106 ctx->cmac.c[5] ^= (u8)alen;
107 i=6;
108 }
109
110 do {
111 for(;i<16 && alen;++i,++aad,--alen)
112 ctx->cmac.c[i] ^= *aad;
113 (*block)(ctx->cmac.c,ctx->cmac.c,ctx->key),
114 ctx->blocks++;
115 i=0;
116 } while (alen);
117 }
118
119 /* Finally you encrypt or decrypt the message */
120
121 /* counter part of nonce may not be larger than L*8 bits,
122 * L is not larger than 8, therefore 64-bit counter... */
rk_ctr64_inc(unsigned char * counter)123 static void rk_ctr64_inc(unsigned char *counter) {
124 unsigned int n=8;
125 u8 c;
126
127 counter += 8;
128 do {
129 --n;
130 c = counter[n];
131 ++c;
132 counter[n] = c;
133 if (c) return;
134 } while (n);
135 }
136
rk_crypto_ccm128_encrypt(CCM128_CONTEXT * ctx,const unsigned char * inp,unsigned char * out,size_t len)137 int rk_crypto_ccm128_encrypt(CCM128_CONTEXT *ctx,
138 const unsigned char *inp, unsigned char *out,
139 size_t len)
140 {
141 size_t n;
142 unsigned int i,L;
143 unsigned char flags0 = ctx->nonce.c[0];
144 block128_f block = ctx->block;
145 void * key = ctx->key;
146 union { u64 u[2]; u8 c[16]; } scratch;
147
148 if (!(flags0&0x40))
149 (*block)(ctx->nonce.c,ctx->cmac.c,key),
150 ctx->blocks++;
151
152 ctx->nonce.c[0] = L = flags0&7;
153 for (n=0,i=15-L;i<15;++i) {
154 n |= ctx->nonce.c[i];
155 ctx->nonce.c[i]=0;
156 n <<= 8;
157 }
158 n |= ctx->nonce.c[15]; /* reconstructed length */
159 ctx->nonce.c[15]=1;
160
161 // printf("n = %d,len = %d\n",n,len);
162
163 if (n!=len) return -1; /* length mismatch */
164
165 ctx->blocks += ((len+15)>>3)|1;
166 if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */
167
168 while (len>=16) {
169 #if defined(STRICT_ALIGNMENT)
170 union { u64 u[2]; u8 c[16]; } temp;
171
172 memcpy (temp.c,inp,16);
173 ctx->cmac.u[0] ^= temp.u[0];
174 ctx->cmac.u[1] ^= temp.u[1];
175 #else
176 ctx->cmac.u[0] ^= ((u64*)inp)[0];
177 ctx->cmac.u[1] ^= ((u64*)inp)[1];
178 #endif
179 (*block)(ctx->cmac.c,ctx->cmac.c,key);
180 (*block)(ctx->nonce.c,scratch.c,key);
181 rk_ctr64_inc(ctx->nonce.c);
182 #if defined(STRICT_ALIGNMENT)
183 temp.u[0] ^= scratch.u[0];
184 temp.u[1] ^= scratch.u[1];
185 memcpy(out,temp.c,16);
186 #else
187 ((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0];
188 ((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1];
189 #endif
190 inp += 16;
191 out += 16;
192 len -= 16;
193 }
194
195 if (len) {
196 for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
197 (*block)(ctx->cmac.c,ctx->cmac.c,key);
198 (*block)(ctx->nonce.c,scratch.c,key);
199 for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
200 }
201
202 for (i=15-L;i<16;++i)
203 ctx->nonce.c[i]=0;
204
205 (*block)(ctx->nonce.c,scratch.c,key);
206 ctx->cmac.u[0] ^= scratch.u[0];
207 ctx->cmac.u[1] ^= scratch.u[1];
208
209 ctx->nonce.c[0] = flags0;
210
211 return 0;
212 }
213
rk_crypto_ccm128_decrypt(CCM128_CONTEXT * ctx,const unsigned char * inp,unsigned char * out,size_t len)214 static int rk_crypto_ccm128_decrypt(CCM128_CONTEXT *ctx,
215 const unsigned char *inp, unsigned char *out,
216 size_t len)
217 {
218 size_t n;
219 unsigned int i,L;
220 unsigned char flags0 = ctx->nonce.c[0];
221 block128_f block = ctx->block;
222 void * key = ctx->key;
223 union { u64 u[2]; u8 c[16]; } scratch;
224
225 if (!(flags0&0x40))
226 (*block)(ctx->nonce.c,ctx->cmac.c,key);
227
228 ctx->nonce.c[0] = L = flags0&7;
229 for (n=0,i=15-L;i<15;++i) {
230 n |= ctx->nonce.c[i];
231 ctx->nonce.c[i]=0;
232 n <<= 8;
233 }
234 n |= ctx->nonce.c[15]; /* reconstructed length */
235 ctx->nonce.c[15]=1;
236
237 // printf("n = %d,len = %d\n",n,len);
238
239 if (n!=len) return -1;
240
241 while (len>=16) {
242 #if defined(STRICT_ALIGNMENT)
243 union { u64 u[2]; u8 c[16]; } temp;
244 #endif
245 (*block)(ctx->nonce.c,scratch.c,key);
246 rk_ctr64_inc(ctx->nonce.c);
247 #if defined(STRICT_ALIGNMENT)
248 memcpy (temp.c,inp,16);
249 ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
250 ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
251 memcpy (out,scratch.c,16);
252 #else
253 ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]);
254 ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]);
255 #endif
256 (*block)(ctx->cmac.c,ctx->cmac.c,key);
257
258 inp += 16;
259 out += 16;
260 len -= 16;
261 }
262
263 if (len) {
264 (*block)(ctx->nonce.c,scratch.c,key);
265 for (i=0; i<len; ++i)
266 ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
267 (*block)(ctx->cmac.c,ctx->cmac.c,key);
268 }
269
270 for (i=15-L;i<16;++i)
271 ctx->nonce.c[i]=0;
272
273 (*block)(ctx->nonce.c,scratch.c,key);
274 ctx->cmac.u[0] ^= scratch.u[0];
275 ctx->cmac.u[1] ^= scratch.u[1];
276
277 ctx->nonce.c[0] = flags0;
278
279 return 0;
280 }
281
rk_ctr64_add(unsigned char * counter,size_t inc)282 static void rk_ctr64_add (unsigned char *counter,size_t inc)
283 { size_t n=8, val=0;
284
285 counter += 8;
286 do {
287 --n;
288 val += counter[n] + (inc&0xff);
289 counter[n] = (unsigned char)val;
290 val >>= 8; /* carry bit */
291 inc >>= 8;
292 } while(n && (inc || val));
293 }
294
rk_crypto_ccm128_encrypt_ccm64(CCM128_CONTEXT * ctx,const unsigned char * inp,unsigned char * out,size_t len,ccm128_f stream)295 static int rk_crypto_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
296 const unsigned char *inp, unsigned char *out,
297 size_t len,ccm128_f stream)
298 {
299 size_t n;
300 unsigned int i,L;
301 unsigned char flags0 = ctx->nonce.c[0];
302 block128_f block = ctx->block;
303 void * key = ctx->key;
304 union { u64 u[2]; u8 c[16]; } scratch;
305
306 if (!(flags0&0x40))
307 (*block)(ctx->nonce.c,ctx->cmac.c,key),
308 ctx->blocks++;
309
310 ctx->nonce.c[0] = L = flags0&7;
311 for (n=0,i=15-L;i<15;++i) {
312 n |= ctx->nonce.c[i];
313 ctx->nonce.c[i]=0;
314 n <<= 8;
315 }
316 n |= ctx->nonce.c[15]; /* reconstructed length */
317 ctx->nonce.c[15]=1;
318
319 if (n!=len) return -1; /* length mismatch */
320
321 ctx->blocks += ((len+15)>>3)|1;
322 if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */
323
324 n=len/16;
325 if (n) {
326 (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
327 n *= 16;
328 inp += n;
329 out += n;
330 len -= n;
331 if (len) rk_ctr64_add(ctx->nonce.c,n/16);
332 }
333
334 if (len) {
335 for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
336 (*block)(ctx->cmac.c,ctx->cmac.c,key);
337 (*block)(ctx->nonce.c,scratch.c,key);
338 for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
339 }
340
341 for (i=15-L;i<16;++i)
342 ctx->nonce.c[i]=0;
343
344 (*block)(ctx->nonce.c,scratch.c,key);
345 ctx->cmac.u[0] ^= scratch.u[0];
346 ctx->cmac.u[1] ^= scratch.u[1];
347
348 ctx->nonce.c[0] = flags0;
349
350 return 0;
351 }
352
rk_crypto_ccm128_decrypt_ccm64(CCM128_CONTEXT * ctx,const unsigned char * inp,unsigned char * out,size_t len,ccm128_f stream)353 static int rk_crypto_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
354 const unsigned char *inp, unsigned char *out,
355 size_t len,ccm128_f stream)
356 {
357 size_t n;
358 unsigned int i,L;
359 unsigned char flags0 = ctx->nonce.c[0];
360 block128_f block = ctx->block;
361 void * key = ctx->key;
362 union { u64 u[2]; u8 c[16]; } scratch;
363
364 if (!(flags0&0x40))
365 (*block)(ctx->nonce.c,ctx->cmac.c,key);
366
367 ctx->nonce.c[0] = L = flags0&7;
368 for (n=0,i=15-L;i<15;++i) {
369 n |= ctx->nonce.c[i];
370 ctx->nonce.c[i]=0;
371 n <<= 8;
372 }
373 n |= ctx->nonce.c[15]; /* reconstructed length */
374 ctx->nonce.c[15]=1;
375
376 if (n!=len) return -1;
377
378 n=len/16;
379 if (n) {
380 (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
381 n *= 16;
382 inp += n;
383 out += n;
384 len -= n;
385 if (len) rk_ctr64_add(ctx->nonce.c,n/16);
386 }
387
388 if (len) {
389 (*block)(ctx->nonce.c,scratch.c,key);
390 for (i=0; i<len; ++i)
391 ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
392 (*block)(ctx->cmac.c,ctx->cmac.c,key);
393 }
394
395 for (i=15-L;i<16;++i)
396 ctx->nonce.c[i]=0;
397
398 (*block)(ctx->nonce.c,scratch.c,key);
399 ctx->cmac.u[0] ^= scratch.u[0];
400 ctx->cmac.u[1] ^= scratch.u[1];
401
402 ctx->nonce.c[0] = flags0;
403
404 return 0;
405 }
406
rk_crypto_ccm128_tag(CCM128_CONTEXT * ctx,unsigned char * tag,size_t len)407 static size_t rk_crypto_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len)
408 { unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */
409
410 M *= 2; M += 2;
411 if (len<M) return 0;
412 memcpy(tag,ctx->cmac.c,M);
413 return M;
414 }
415
416 #endif
417
418
419
420
421 /*m is the lengh of tag*/
422
423 #if 0
424 int rk_aes_ccm_op(struct sm4_ae_in *in, struct sm4_ae_out *out, const int enc)
425 {
426 int time = 0;
427 int i = 0;
428 RK_AES_KEY ks1, ks2;
429 CCM128_CONTEXT ctx;
430 int ret = 0;
431 //unsigned int m = 12;
432 unsigned int l = 0;
433
434 if (in->key == NULL || in->iv == NULL || in->src == NULL || in->aad == NULL)
435 return -1;
436
437 if (in->key_len!= 128/8 && in->key_len != 192/8 && in->key_len != 256/8)
438 return -2;
439
440 if(in->src_len % 16 != 0)
441 return -3;
442
443 if(out->dest == NULL || out->tag == NULL)
444 return -4;
445 printf("-----param sucess-----\n");
446
447
448 l = out->dest_len;/* dest_len = inlength */
449
450 ret = rk_aes_set_encrypt_key(in->key, in->key_len * 8, &ks1);
451 if(ret != 0)
452 printf("-----set_encrypt_key fail-----\n");
453
454 rk_crypto_ccm128_init(&ctx, in->tag_size, l, &ks1, (block128_f)rk_aes_encrypt);
455
456 ret = rk_crypto_ccm128_setiv(&ctx, in->iv, in->iv_len, l);/*l ?*/
457 if (ret != 0)
458 printf("========rk_crypto_ccm128_setiv ret = %d================\n",ret);
459
460 rk_crypto_ccm128_aad(&ctx, in->aad, in->aad_len);
461
462 if(enc){
463 if((ret = rk_crypto_ccm128_encrypt(&ctx, in->src , out->dest,in->src_len)) != 0)
464 printf("=========rk_crypto_ccm128_encrypt ret = %d===\n",ret);
465 rk_crypto_ccm128_tag(&ctx, out->tag, 12); /*tag is length*/
466 }
467 else{if((ret = rk_crypto_ccm128_decrypt(&ctx, out->dest, in->src, out->dest_len)) != 0)
468 printf("=========rk_crypto_ccm128_decrypt ret = %d===\n",ret);
469
470 }
471
472 printf("----op done------------");
473
474 return 0;
475 }
476 #endif
477
compare_string(char * a,char * b,unsigned int len)478 static int compare_string(char *a, char *b, unsigned int len)
479 {
480 unsigned int i;
481
482 if((len <= 0) || (a == NULL) || (b == NULL))
483 return -1;
484
485 for (i = 0; i < len; i++){
486 if(*a != *b)
487 return -1;
488 a++;
489 b++;
490 }
491 return 0;
492 }
493
494
dump_hex(char * var_name,unsigned char * data,unsigned int len)495 static void dump_hex(char *var_name, unsigned char *data, unsigned int len)
496 {
497 unsigned int i;
498 printf("LINE:%d %s:", __LINE__, var_name);
499 for (i = 0; i < len; i++) {
500 if(i % 16 == 0)
501 printf("\n");
502 printf("%02x ", data[i]);
503 }
504 printf("\n");
505 }
506
rk_sm4_ccm_op(struct sm4_ae_in * in,struct sm4_ae_out * out,const int enc)507 int rk_sm4_ccm_op(struct sm4_ae_in *in, struct sm4_ae_out *out, const int enc)
508 {
509 sm4_context sm4_ctx;
510 CCM128_CONTEXT ctx;
511 int ret = 0;
512
513 unsigned int m = 0;
514 unsigned int l = 0;
515
516 unsigned char tag_tmp[16]= {0};
517
518 if (in->key == NULL || in->iv == NULL || in->src == NULL || in->aad == NULL)
519 return -1;
520
521 if (in->key_len!= 16)
522 return -2;
523
524 if(in->src_len % 16 != 0)
525 return -3;
526
527 if(out->dest == NULL || out->tag == NULL)
528 return -4;
529
530 m = in->tag_size;
531 // tag_tmp = malloc(m);
532
533 l = 15 - in->iv_len; /* l + iv_len = 15 */
534 rk_sm4_setkey_enc(&sm4_ctx, in->key);
535 if(ret != 0)
536 printf("-----set_encrypt_key fail-----\n");
537
538
539 /* M :tag size ,L = 8? src_Len*/
540 rk_crypto_ccm128_init(&ctx, in->tag_size, l, &sm4_ctx, rk_rk_sm4_crypt_ecb);
541
542
543
544 // ret = rk_crypto_ccm128_setiv(&ctx, in->iv, in->iv_len, l);/*l ?*/
545 ret = rk_crypto_ccm128_setiv(&ctx, in->iv, in->iv_len, in->src_len);
546
547
548 if (ret != 0)
549 printf("========rk_crypto_ccm128_setiv ret = %d================\n",ret);
550
551 rk_crypto_ccm128_aad(&ctx, in->aad, in->aad_len);
552
553 /* verify tag */
554 if (enc == 2){
555 if((ret = rk_crypto_ccm128_encrypt(&ctx, in->src , out->dest,in->src_len)) != 0)
556 printf("=========rk_crypto_ccm128_encrypt ret = %d===\n",ret);
557
558 rk_crypto_ccm128_tag(&ctx, tag_tmp, m); /*tag is length*/
559 ret = compare_string((char*)tag_tmp,out->tag,m);
560 if (ret!=0){
561 dump_hex("verify tag_tmp:",tag_tmp,m);
562 dump_hex("verify out->tag:",out->tag,m);
563 printf("=======ccm verify failed========\n");
564 return ret;
565 }
566 return ret;
567 }
568 if(enc == 1){
569 if((ret = rk_crypto_ccm128_encrypt(&ctx, in->src , out->dest,in->src_len)) != 0)
570 printf("=========rk_crypto_ccm128_encrypt ret = %d===\n",ret);
571
572
573 rk_crypto_ccm128_tag(&ctx, out->tag, m); /*tag is length*/
574 #if CCM_DEBUG
575 dump_hex("rk: out->dest:",out->dest,in->src_len);
576 dump_hex("cmm --out->tag:",out->tag,m);
577 #endif
578 }
579 if(enc == 0){
580 if((ret = rk_crypto_ccm128_decrypt(&ctx, out->dest, in->src, out->dest_len)) != 0)
581 printf("=========rk_crypto_ccm128_decrypt ret = %d===\n",ret);
582
583 }
584
585 return ret;
586 }
587
588
589
590