[thirdparty/openssl.git] / crypto / modes / ccm128.c

/*
 * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <openssl/crypto.h>
#include "crypto/modes.h"

#ifndef STRICT_ALIGNMENT
# ifdef __GNUC__
typedef u64 u64_a1 __attribute((__aligned__(1)));
# else
typedef u64 u64_a1;
# endif
#endif

/*
 * First you setup M and L parameters and pass the key schedule. This is
 * called once per session setup...
 */
void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
                        unsigned int M, unsigned int L, void *key,
                        block128_f block)
{
    memset(ctx->nonce.c, 0, sizeof(ctx->nonce.c));
    ctx->nonce.c[0] = ((u8)(L - 1) & 7) | (u8)(((M - 2) / 2) & 7) << 3;
    ctx->blocks = 0;
    ctx->block = block;
    ctx->key = key;
}

/* !!! Following interfaces are to be called *once* per packet !!! */

/* Then you setup per-message nonce and pass the length of the message */
int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
                        const unsigned char *nonce, size_t nlen, size_t mlen)
{
    unsigned int L = ctx->nonce.c[0] & 7; /* the L parameter */

    if (nlen < (14 - L))
        return -1;              /* nonce is too short */

    if (sizeof(mlen) == 8 && L >= 3) {
        ctx->nonce.c[8] = (u8)(mlen >> (56 % (sizeof(mlen) * 8)));
        ctx->nonce.c[9] = (u8)(mlen >> (48 % (sizeof(mlen) * 8)));
        ctx->nonce.c[10] = (u8)(mlen >> (40 % (sizeof(mlen) * 8)));
        ctx->nonce.c[11] = (u8)(mlen >> (32 % (sizeof(mlen) * 8)));
    } else
        ctx->nonce.u[1] = 0;

    ctx->nonce.c[12] = (u8)(mlen >> 24);
    ctx->nonce.c[13] = (u8)(mlen >> 16);
    ctx->nonce.c[14] = (u8)(mlen >> 8);
    ctx->nonce.c[15] = (u8)mlen;

    ctx->nonce.c[0] &= ~0x40;   /* clear Adata flag */
    memcpy(&ctx->nonce.c[1], nonce, 14 - L);

    return 0;
}

/* Then you pass additional authentication data, this is optional */
void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
                       const unsigned char *aad, size_t alen)
{
    unsigned int i;
    block128_f block = ctx->block;

    if (alen == 0)
        return;

    ctx->nonce.c[0] |= 0x40;    /* set Adata flag */
    (*block) (ctx->nonce.c, ctx->cmac.c, ctx->key), ctx->blocks++;

    if (alen < (0x10000 - 0x100)) {
        ctx->cmac.c[0] ^= (u8)(alen >> 8);
        ctx->cmac.c[1] ^= (u8)alen;
        i = 2;
    } else if (sizeof(alen) == 8
               && alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
        ctx->cmac.c[0] ^= 0xFF;
        ctx->cmac.c[1] ^= 0xFF;
        ctx->cmac.c[2] ^= (u8)(alen >> (56 % (sizeof(alen) * 8)));
        ctx->cmac.c[3] ^= (u8)(alen >> (48 % (sizeof(alen) * 8)));
        ctx->cmac.c[4] ^= (u8)(alen >> (40 % (sizeof(alen) * 8)));
        ctx->cmac.c[5] ^= (u8)(alen >> (32 % (sizeof(alen) * 8)));
        ctx->cmac.c[6] ^= (u8)(alen >> 24);
        ctx->cmac.c[7] ^= (u8)(alen >> 16);
        ctx->cmac.c[8] ^= (u8)(alen >> 8);
        ctx->cmac.c[9] ^= (u8)alen;
        i = 10;
    } else {
        ctx->cmac.c[0] ^= 0xFF;
        ctx->cmac.c[1] ^= 0xFE;
        ctx->cmac.c[2] ^= (u8)(alen >> 24);
        ctx->cmac.c[3] ^= (u8)(alen >> 16);
        ctx->cmac.c[4] ^= (u8)(alen >> 8);
        ctx->cmac.c[5] ^= (u8)alen;
        i = 6;
    }

    do {
        for (; i < 16 && alen; ++i, ++aad, --alen)
            ctx->cmac.c[i] ^= *aad;
        (*block) (ctx->cmac.c, ctx->cmac.c, ctx->key), ctx->blocks++;
        i = 0;
    } while (alen);
}

/* Finally you encrypt or decrypt the message */

/*
 * counter part of nonce may not be larger than L*8 bits, L is not larger
 * than 8, therefore 64-bit counter...
 */
static void ctr64_inc(unsigned char *counter)
{
    unsigned int n = 8;
    u8 c;

    counter += 8;
    do {
        --n;
        c = counter[n];
        ++c;
        counter[n] = c;
        if (c)
            return;
    } while (n);
}

int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
                          const unsigned char *inp, unsigned char *out,
                          size_t len)
{
    size_t n;
    unsigned int i, L;
    unsigned char flags0 = ctx->nonce.c[0];
    block128_f block = ctx->block;
    void *key = ctx->key;
    union {
        u64 u[2];
        u8 c[16];
    } scratch;

    if (!(flags0 & 0x40))
        (*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;

    ctx->nonce.c[0] = L = flags0 & 7;
    for (n = 0, i = 15 - L; i < 15; ++i) {
        n |= ctx->nonce.c[i];
        ctx->nonce.c[i] = 0;
        n <<= 8;
    }
    n |= ctx->nonce.c[15];      /* reconstructed length */
    ctx->nonce.c[15] = 1;

    if (n != len)
        return -1;              /* length mismatch */

    ctx->blocks += ((len + 15) >> 3) | 1;
    if (ctx->blocks > (U64(1) << 61))
        return -2;              /* too much data */

    while (len >= 16) {
#if defined(STRICT_ALIGNMENT)
        union {
            u64 u[2];
            u8 c[16];
        } temp;

        memcpy(temp.c, inp, 16);
        ctx->cmac.u[0] ^= temp.u[0];
        ctx->cmac.u[1] ^= temp.u[1];
#else
        ctx->cmac.u[0] ^= ((u64_a1 *)inp)[0];
        ctx->cmac.u[1] ^= ((u64_a1 *)inp)[1];
#endif
        (*block) (ctx->cmac.c, ctx->cmac.c, key);
        (*block) (ctx->nonce.c, scratch.c, key);
        ctr64_inc(ctx->nonce.c);
#if defined(STRICT_ALIGNMENT)
        temp.u[0] ^= scratch.u[0];
        temp.u[1] ^= scratch.u[1];
        memcpy(out, temp.c, 16);
#else
        ((u64_a1 *)out)[0] = scratch.u[0] ^ ((u64_a1 *)inp)[0];
        ((u64_a1 *)out)[1] = scratch.u[1] ^ ((u64_a1 *)inp)[1];
#endif
        inp += 16;
        out += 16;
        len -= 16;
    }

    if (len) {
        for (i = 0; i < len; ++i)
            ctx->cmac.c[i] ^= inp[i];
        (*block) (ctx->cmac.c, ctx->cmac.c, key);
        (*block) (ctx->nonce.c, scratch.c, key);
        for (i = 0; i < len; ++i)
            out[i] = scratch.c[i] ^ inp[i];
    }

    for (i = 15 - L; i < 16; ++i)
        ctx->nonce.c[i] = 0;

    (*block) (ctx->nonce.c, scratch.c, key);
    ctx->cmac.u[0] ^= scratch.u[0];
    ctx->cmac.u[1] ^= scratch.u[1];

    ctx->nonce.c[0] = flags0;

    return 0;
}

int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
                          const unsigned char *inp, unsigned char *out,
                          size_t len)
{
    size_t n;
    unsigned int i, L;
    unsigned char flags0 = ctx->nonce.c[0];
    block128_f block = ctx->block;
    void *key = ctx->key;
    union {
        u64 u[2];
        u8 c[16];
    } scratch;

    if (!(flags0 & 0x40))
        (*block) (ctx->nonce.c, ctx->cmac.c, key);

    ctx->nonce.c[0] = L = flags0 & 7;
    for (n = 0, i = 15 - L; i < 15; ++i) {
        n |= ctx->nonce.c[i];
        ctx->nonce.c[i] = 0;
        n <<= 8;
    }
    n |= ctx->nonce.c[15];      /* reconstructed length */
    ctx->nonce.c[15] = 1;

    if (n != len)
        return -1;

    while (len >= 16) {
#if defined(STRICT_ALIGNMENT)
        union {
            u64 u[2];
            u8 c[16];
        } temp;
#endif
        (*block) (ctx->nonce.c, scratch.c, key);
        ctr64_inc(ctx->nonce.c);
#if defined(STRICT_ALIGNMENT)
        memcpy(temp.c, inp, 16);
        ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
        ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
        memcpy(out, scratch.c, 16);
#else
        ctx->cmac.u[0] ^= (((u64_a1 *)out)[0]
                            = scratch.u[0] ^ ((u64_a1 *)inp)[0]);
        ctx->cmac.u[1] ^= (((u64_a1 *)out)[1]
                            = scratch.u[1] ^ ((u64_a1 *)inp)[1]);
#endif
        (*block) (ctx->cmac.c, ctx->cmac.c, key);

        inp += 16;
        out += 16;
        len -= 16;
    }

    if (len) {
        (*block) (ctx->nonce.c, scratch.c, key);
        for (i = 0; i < len; ++i)
            ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
        (*block) (ctx->cmac.c, ctx->cmac.c, key);
    }

    for (i = 15 - L; i < 16; ++i)
        ctx->nonce.c[i] = 0;

    (*block) (ctx->nonce.c, scratch.c, key);
    ctx->cmac.u[0] ^= scratch.u[0];
    ctx->cmac.u[1] ^= scratch.u[1];

    ctx->nonce.c[0] = flags0;

    return 0;
}

static void ctr64_add(unsigned char *counter, size_t inc)
{
    size_t n = 8, val = 0;

    counter += 8;
    do {
        --n;
        val += counter[n] + (inc & 0xff);
        counter[n] = (unsigned char)val;
        val >>= 8;              /* carry bit */
        inc >>= 8;
    } while (n && (inc || val));
}

int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
                                const unsigned char *inp, unsigned char *out,
                                size_t len, ccm128_f stream)
{
    size_t n;
    unsigned int i, L;
    unsigned char flags0 = ctx->nonce.c[0];
    block128_f block = ctx->block;
    void *key = ctx->key;
    union {
        u64 u[2];
        u8 c[16];
    } scratch;

    if (!(flags0 & 0x40))
        (*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;

    ctx->nonce.c[0] = L = flags0 & 7;
    for (n = 0, i = 15 - L; i < 15; ++i) {
        n |= ctx->nonce.c[i];
        ctx->nonce.c[i] = 0;
        n <<= 8;
    }
    n |= ctx->nonce.c[15];      /* reconstructed length */
    ctx->nonce.c[15] = 1;

    if (n != len)
        return -1;              /* length mismatch */

    ctx->blocks += ((len + 15) >> 3) | 1;
    if (ctx->blocks > (U64(1) << 61))
        return -2;              /* too much data */

    if ((n = len / 16)) {
        (*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
        n *= 16;
        inp += n;
        out += n;
        len -= n;
        if (len)
            ctr64_add(ctx->nonce.c, n / 16);
    }

    if (len) {
        for (i = 0; i < len; ++i)
            ctx->cmac.c[i] ^= inp[i];
        (*block) (ctx->cmac.c, ctx->cmac.c, key);
        (*block) (ctx->nonce.c, scratch.c, key);
        for (i = 0; i < len; ++i)
            out[i] = scratch.c[i] ^ inp[i];
    }

    for (i = 15 - L; i < 16; ++i)
        ctx->nonce.c[i] = 0;

    (*block) (ctx->nonce.c, scratch.c, key);
    ctx->cmac.u[0] ^= scratch.u[0];
    ctx->cmac.u[1] ^= scratch.u[1];

    ctx->nonce.c[0] = flags0;

    return 0;
}

int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
                                const unsigned char *inp, unsigned char *out,
                                size_t len, ccm128_f stream)
{
    size_t n;
    unsigned int i, L;
    unsigned char flags0 = ctx->nonce.c[0];
    block128_f block = ctx->block;
    void *key = ctx->key;
    union {
        u64 u[2];
        u8 c[16];
    } scratch;

    if (!(flags0 & 0x40))
        (*block) (ctx->nonce.c, ctx->cmac.c, key);

    ctx->nonce.c[0] = L = flags0 & 7;
    for (n = 0, i = 15 - L; i < 15; ++i) {
        n |= ctx->nonce.c[i];
        ctx->nonce.c[i] = 0;
        n <<= 8;
    }
    n |= ctx->nonce.c[15];      /* reconstructed length */
    ctx->nonce.c[15] = 1;

    if (n != len)
        return -1;

    if ((n = len / 16)) {
        (*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
        n *= 16;
        inp += n;
        out += n;
        len -= n;
        if (len)
            ctr64_add(ctx->nonce.c, n / 16);
    }

    if (len) {
        (*block) (ctx->nonce.c, scratch.c, key);
        for (i = 0; i < len; ++i)
            ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
        (*block) (ctx->cmac.c, ctx->cmac.c, key);
    }

    for (i = 15 - L; i < 16; ++i)
        ctx->nonce.c[i] = 0;

    (*block) (ctx->nonce.c, scratch.c, key);
    ctx->cmac.u[0] ^= scratch.u[0];
    ctx->cmac.u[1] ^= scratch.u[1];

    ctx->nonce.c[0] = flags0;

    return 0;
}

size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    unsigned int M = (ctx->nonce.c[0] >> 3) & 7; /* the M parameter */

    M *= 2;
    M += 2;
    if (len != M)
        return 0;
    memcpy(tag, ctx->cmac.c, M);
    return M;
}
Commit	Line	Data
4f22f405	1	/*
00c405b3	2	* Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
d3fad7cb	3	*
81cae8ce	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
4f22f405 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
d3fad7cb AP	8	*/
d3fad7cb AP	9
d3fad7cb	10	#include <string.h>
459b15d4	11	#include <openssl/crypto.h>
25f2138b	12	#include "crypto/modes.h"
d3fad7cb	13
77286fe3 BE	14	#ifndef STRICT_ALIGNMENT
	15	# ifdef __GNUC__
	16	typedef u64 u64_a1 __attribute((__aligned__(1)));
	17	# else
	18	typedef u64 u64_a1;
	19	# endif
	20	#endif
	21
0f113f3e MC	22	/*
	23	* First you setup M and L parameters and pass the key schedule. This is
	24	* called once per session setup...
	25	*/
d3fad7cb	26	void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
0f113f3e MC	27	unsigned int M, unsigned int L, void *key,
0f113f3e MC	28	block128_f block)
d3fad7cb	29	{
0f113f3e MC	30	memset(ctx->nonce.c, 0, sizeof(ctx->nonce.c));
	31	ctx->nonce.c[0] = ((u8)(L - 1) & 7) \| (u8)(((M - 2) / 2) & 7) << 3;
	32	ctx->blocks = 0;
	33	ctx->block = block;
	34	ctx->key = key;
d3fad7cb AP	35	}
	36
	37	/* !!! Following interfaces are to be called once per packet !!! */
	38
	39	/* Then you setup per-message nonce and pass the length of the message */
	40	int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
0f113f3e	41	const unsigned char *nonce, size_t nlen, size_t mlen)
d3fad7cb	42	{
0f113f3e	43	unsigned int L = ctx->nonce.c[0] & 7; /* the L parameter */
d3fad7cb	44
0f113f3e MC	45	if (nlen < (14 - L))
0f113f3e MC	46	return -1; /* nonce is too short */
d3fad7cb	47
0f113f3e MC	48	if (sizeof(mlen) == 8 && L >= 3) {
	49	ctx->nonce.c[8] = (u8)(mlen >> (56 % (sizeof(mlen) * 8)));
	50	ctx->nonce.c[9] = (u8)(mlen >> (48 % (sizeof(mlen) * 8)));
	51	ctx->nonce.c[10] = (u8)(mlen >> (40 % (sizeof(mlen) * 8)));
	52	ctx->nonce.c[11] = (u8)(mlen >> (32 % (sizeof(mlen) * 8)));
	53	} else
	54	ctx->nonce.u[1] = 0;
d3fad7cb	55
0f113f3e MC	56	ctx->nonce.c[12] = (u8)(mlen >> 24);
	57	ctx->nonce.c[13] = (u8)(mlen >> 16);
	58	ctx->nonce.c[14] = (u8)(mlen >> 8);
	59	ctx->nonce.c[15] = (u8)mlen;
d3fad7cb	60
0f113f3e MC	61	ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */
0f113f3e MC	62	memcpy(&ctx->nonce.c[1], nonce, 14 - L);
d3fad7cb	63
0f113f3e	64	return 0;
d3fad7cb AP	65	}
	66
	67	/* Then you pass additional authentication data, this is optional */
	68	void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
0f113f3e MC	69	const unsigned char *aad, size_t alen)
	70	{
	71	unsigned int i;
	72	block128_f block = ctx->block;
	73
	74	if (alen == 0)
	75	return;
	76
	77	ctx->nonce.c[0] \|= 0x40; /* set Adata flag */
	78	(*block) (ctx->nonce.c, ctx->cmac.c, ctx->key), ctx->blocks++;
	79
	80	if (alen < (0x10000 - 0x100)) {
	81	ctx->cmac.c[0] ^= (u8)(alen >> 8);
	82	ctx->cmac.c[1] ^= (u8)alen;
	83	i = 2;
	84	} else if (sizeof(alen) == 8
	85	&& alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
	86	ctx->cmac.c[0] ^= 0xFF;
	87	ctx->cmac.c[1] ^= 0xFF;
	88	ctx->cmac.c[2] ^= (u8)(alen >> (56 % (sizeof(alen) * 8)));
	89	ctx->cmac.c[3] ^= (u8)(alen >> (48 % (sizeof(alen) * 8)));
	90	ctx->cmac.c[4] ^= (u8)(alen >> (40 % (sizeof(alen) * 8)));
	91	ctx->cmac.c[5] ^= (u8)(alen >> (32 % (sizeof(alen) * 8)));
	92	ctx->cmac.c[6] ^= (u8)(alen >> 24);
	93	ctx->cmac.c[7] ^= (u8)(alen >> 16);
	94	ctx->cmac.c[8] ^= (u8)(alen >> 8);
	95	ctx->cmac.c[9] ^= (u8)alen;
	96	i = 10;
	97	} else {
	98	ctx->cmac.c[0] ^= 0xFF;
	99	ctx->cmac.c[1] ^= 0xFE;
	100	ctx->cmac.c[2] ^= (u8)(alen >> 24);
	101	ctx->cmac.c[3] ^= (u8)(alen >> 16);
	102	ctx->cmac.c[4] ^= (u8)(alen >> 8);
	103	ctx->cmac.c[5] ^= (u8)alen;
	104	i = 6;
	105	}
	106
	107	do {
	108	for (; i < 16 && alen; ++i, ++aad, --alen)
	109	ctx->cmac.c[i] ^= *aad;
	110	(*block) (ctx->cmac.c, ctx->cmac.c, ctx->key), ctx->blocks++;
	111	i = 0;
	112	} while (alen);
d3fad7cb AP	113	}
	114
	115	/* Finally you encrypt or decrypt the message */
	116
0f113f3e MC	117	/*
	118	* counter part of nonce may not be larger than L*8 bits, L is not larger
	119	* than 8, therefore 64-bit counter...
	120	*/
	121	static void ctr64_inc(unsigned char *counter)
	122	{
	123	unsigned int n = 8;
	124	u8 c;
	125
	126	counter += 8;
	127	do {
	128	--n;
	129	c = counter[n];
	130	++c;
	131	counter[n] = c;
	132	if (c)
	133	return;
	134	} while (n);
d3fad7cb AP	135	}
	136
	137	int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
0f113f3e MC	138	const unsigned char inp, unsigned char out,
0f113f3e MC	139	size_t len)
d3fad7cb	140	{
0f113f3e MC	141	size_t n;
	142	unsigned int i, L;
	143	unsigned char flags0 = ctx->nonce.c[0];
	144	block128_f block = ctx->block;
	145	void *key = ctx->key;
	146	union {
	147	u64 u[2];
	148	u8 c[16];
	149	} scratch;
	150
	151	if (!(flags0 & 0x40))
	152	(*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;
	153
	154	ctx->nonce.c[0] = L = flags0 & 7;
	155	for (n = 0, i = 15 - L; i < 15; ++i) {
	156	n \|= ctx->nonce.c[i];
	157	ctx->nonce.c[i] = 0;
	158	n <<= 8;
	159	}
	160	n \|= ctx->nonce.c[15]; /* reconstructed length */
	161	ctx->nonce.c[15] = 1;
	162
	163	if (n != len)
	164	return -1; /* length mismatch */
	165
	166	ctx->blocks += ((len + 15) >> 3) \| 1;
	167	if (ctx->blocks > (U64(1) << 61))
	168	return -2; /* too much data */
	169
	170	while (len >= 16) {
d3fad7cb	171	#if defined(STRICT_ALIGNMENT)
0f113f3e MC	172	union {
	173	u64 u[2];
	174	u8 c[16];
	175	} temp;
	176
	177	memcpy(temp.c, inp, 16);
	178	ctx->cmac.u[0] ^= temp.u[0];
	179	ctx->cmac.u[1] ^= temp.u[1];
d3fad7cb	180	#else
77286fe3 BE	181	ctx->cmac.u[0] ^= ((u64_a1 *)inp)[0];
77286fe3 BE	182	ctx->cmac.u[1] ^= ((u64_a1 *)inp)[1];
d3fad7cb	183	#endif
0f113f3e MC	184	(*block) (ctx->cmac.c, ctx->cmac.c, key);
	185	(*block) (ctx->nonce.c, scratch.c, key);
	186	ctr64_inc(ctx->nonce.c);
d3fad7cb	187	#if defined(STRICT_ALIGNMENT)
0f113f3e MC	188	temp.u[0] ^= scratch.u[0];
	189	temp.u[1] ^= scratch.u[1];
	190	memcpy(out, temp.c, 16);
d3fad7cb	191	#else
77286fe3 BE	192	((u64_a1 )out)[0] = scratch.u[0] ^ ((u64_a1 )inp)[0];
77286fe3 BE	193	((u64_a1 )out)[1] = scratch.u[1] ^ ((u64_a1 )inp)[1];
d3fad7cb	194	#endif
0f113f3e MC	195	inp += 16;
	196	out += 16;
	197	len -= 16;
	198	}
	199
	200	if (len) {
	201	for (i = 0; i < len; ++i)
	202	ctx->cmac.c[i] ^= inp[i];
	203	(*block) (ctx->cmac.c, ctx->cmac.c, key);
	204	(*block) (ctx->nonce.c, scratch.c, key);
	205	for (i = 0; i < len; ++i)
	206	out[i] = scratch.c[i] ^ inp[i];
	207	}
	208
	209	for (i = 15 - L; i < 16; ++i)
	210	ctx->nonce.c[i] = 0;
	211
	212	(*block) (ctx->nonce.c, scratch.c, key);
	213	ctx->cmac.u[0] ^= scratch.u[0];
	214	ctx->cmac.u[1] ^= scratch.u[1];
	215
	216	ctx->nonce.c[0] = flags0;
	217
	218	return 0;
d3fad7cb AP	219	}
	220
	221	int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
0f113f3e MC	222	const unsigned char inp, unsigned char out,
0f113f3e MC	223	size_t len)
d3fad7cb	224	{
0f113f3e MC	225	size_t n;
	226	unsigned int i, L;
	227	unsigned char flags0 = ctx->nonce.c[0];
	228	block128_f block = ctx->block;
	229	void *key = ctx->key;
	230	union {
	231	u64 u[2];
	232	u8 c[16];
	233	} scratch;
	234
	235	if (!(flags0 & 0x40))
	236	(*block) (ctx->nonce.c, ctx->cmac.c, key);
	237
	238	ctx->nonce.c[0] = L = flags0 & 7;
	239	for (n = 0, i = 15 - L; i < 15; ++i) {
	240	n \|= ctx->nonce.c[i];
	241	ctx->nonce.c[i] = 0;
	242	n <<= 8;
	243	}
	244	n \|= ctx->nonce.c[15]; /* reconstructed length */
	245	ctx->nonce.c[15] = 1;
	246
	247	if (n != len)
	248	return -1;
	249
	250	while (len >= 16) {
5f1b10ed	251	#if defined(STRICT_ALIGNMENT)
0f113f3e MC	252	union {
	253	u64 u[2];
	254	u8 c[16];
	255	} temp;
5f1b10ed	256	#endif
0f113f3e MC	257	(*block) (ctx->nonce.c, scratch.c, key);
0f113f3e MC	258	ctr64_inc(ctx->nonce.c);
d3fad7cb	259	#if defined(STRICT_ALIGNMENT)
0f113f3e MC	260	memcpy(temp.c, inp, 16);
	261	ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
	262	ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
	263	memcpy(out, scratch.c, 16);
d3fad7cb	264	#else
77286fe3 BE	265	ctx->cmac.u[0] ^= (((u64_a1 *)out)[0]
	266	= scratch.u[0] ^ ((u64_a1 *)inp)[0]);
	267	ctx->cmac.u[1] ^= (((u64_a1 *)out)[1]
	268	= scratch.u[1] ^ ((u64_a1 *)inp)[1]);
d3fad7cb	269	#endif
0f113f3e	270	(*block) (ctx->cmac.c, ctx->cmac.c, key);
d3fad7cb	271
0f113f3e MC	272	inp += 16;
	273	out += 16;
	274	len -= 16;
	275	}
d3fad7cb	276
0f113f3e MC	277	if (len) {
	278	(*block) (ctx->nonce.c, scratch.c, key);
	279	for (i = 0; i < len; ++i)
	280	ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
	281	(*block) (ctx->cmac.c, ctx->cmac.c, key);
	282	}
d3fad7cb	283
0f113f3e MC	284	for (i = 15 - L; i < 16; ++i)
0f113f3e MC	285	ctx->nonce.c[i] = 0;
d3fad7cb	286
0f113f3e MC	287	(*block) (ctx->nonce.c, scratch.c, key);
	288	ctx->cmac.u[0] ^= scratch.u[0];
	289	ctx->cmac.u[1] ^= scratch.u[1];
f855b9d7	290
0f113f3e	291	ctx->nonce.c[0] = flags0;
f855b9d7	292
0f113f3e	293	return 0;
f855b9d7 AP	294	}
f855b9d7 AP	295
0f113f3e MC	296	static void ctr64_add(unsigned char *counter, size_t inc)
	297	{
	298	size_t n = 8, val = 0;
	299
	300	counter += 8;
	301	do {
	302	--n;
	303	val += counter[n] + (inc & 0xff);
	304	counter[n] = (unsigned char)val;
	305	val >>= 8; /* carry bit */
	306	inc >>= 8;
	307	} while (n && (inc \|\| val));
f855b9d7 AP	308	}
	309
	310	int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
0f113f3e MC	311	const unsigned char inp, unsigned char out,
0f113f3e MC	312	size_t len, ccm128_f stream)
f855b9d7	313	{
0f113f3e MC	314	size_t n;
	315	unsigned int i, L;
	316	unsigned char flags0 = ctx->nonce.c[0];
	317	block128_f block = ctx->block;
	318	void *key = ctx->key;
	319	union {
	320	u64 u[2];
	321	u8 c[16];
	322	} scratch;
	323
	324	if (!(flags0 & 0x40))
	325	(*block) (ctx->nonce.c, ctx->cmac.c, key), ctx->blocks++;
	326
	327	ctx->nonce.c[0] = L = flags0 & 7;
	328	for (n = 0, i = 15 - L; i < 15; ++i) {
	329	n \|= ctx->nonce.c[i];
	330	ctx->nonce.c[i] = 0;
	331	n <<= 8;
	332	}
	333	n \|= ctx->nonce.c[15]; /* reconstructed length */
	334	ctx->nonce.c[15] = 1;
	335
	336	if (n != len)
	337	return -1; /* length mismatch */
	338
	339	ctx->blocks += ((len + 15) >> 3) \| 1;
	340	if (ctx->blocks > (U64(1) << 61))
	341	return -2; /* too much data */
	342
	343	if ((n = len / 16)) {
	344	(*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
	345	n *= 16;
	346	inp += n;
	347	out += n;
	348	len -= n;
	349	if (len)
	350	ctr64_add(ctx->nonce.c, n / 16);
	351	}
	352
	353	if (len) {
	354	for (i = 0; i < len; ++i)
	355	ctx->cmac.c[i] ^= inp[i];
	356	(*block) (ctx->cmac.c, ctx->cmac.c, key);
	357	(*block) (ctx->nonce.c, scratch.c, key);
	358	for (i = 0; i < len; ++i)
	359	out[i] = scratch.c[i] ^ inp[i];
	360	}
	361
	362	for (i = 15 - L; i < 16; ++i)
	363	ctx->nonce.c[i] = 0;
	364
	365	(*block) (ctx->nonce.c, scratch.c, key);
	366	ctx->cmac.u[0] ^= scratch.u[0];
	367	ctx->cmac.u[1] ^= scratch.u[1];
	368
	369	ctx->nonce.c[0] = flags0;
	370
	371	return 0;
f855b9d7 AP	372	}
	373
	374	int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
0f113f3e MC	375	const unsigned char inp, unsigned char out,
0f113f3e MC	376	size_t len, ccm128_f stream)
f855b9d7	377	{
0f113f3e MC	378	size_t n;
	379	unsigned int i, L;
	380	unsigned char flags0 = ctx->nonce.c[0];
	381	block128_f block = ctx->block;
	382	void *key = ctx->key;
	383	union {
	384	u64 u[2];
	385	u8 c[16];
	386	} scratch;
	387
	388	if (!(flags0 & 0x40))
	389	(*block) (ctx->nonce.c, ctx->cmac.c, key);
	390
	391	ctx->nonce.c[0] = L = flags0 & 7;
	392	for (n = 0, i = 15 - L; i < 15; ++i) {
	393	n \|= ctx->nonce.c[i];
	394	ctx->nonce.c[i] = 0;
	395	n <<= 8;
	396	}
	397	n \|= ctx->nonce.c[15]; /* reconstructed length */
	398	ctx->nonce.c[15] = 1;
	399
	400	if (n != len)
	401	return -1;
	402
	403	if ((n = len / 16)) {
	404	(*stream) (inp, out, n, key, ctx->nonce.c, ctx->cmac.c);
	405	n *= 16;
	406	inp += n;
	407	out += n;
	408	len -= n;
	409	if (len)
	410	ctr64_add(ctx->nonce.c, n / 16);
	411	}
	412
	413	if (len) {
	414	(*block) (ctx->nonce.c, scratch.c, key);
	415	for (i = 0; i < len; ++i)
	416	ctx->cmac.c[i] ^= (out[i] = scratch.c[i] ^ inp[i]);
	417	(*block) (ctx->cmac.c, ctx->cmac.c, key);
	418	}
	419
	420	for (i = 15 - L; i < 16; ++i)
	421	ctx->nonce.c[i] = 0;
	422
	423	(*block) (ctx->nonce.c, scratch.c, key);
	424	ctx->cmac.u[0] ^= scratch.u[0];
	425	ctx->cmac.u[1] ^= scratch.u[1];
	426
	427	ctx->nonce.c[0] = flags0;
	428
	429	return 0;
d3fad7cb AP	430	}
d3fad7cb AP	431
0f113f3e MC	432	size_t CRYPTO_ccm128_tag(CCM128_CONTEXT ctx, unsigned char tag, size_t len)
	433	{
	434	unsigned int M = (ctx->nonce.c[0] >> 3) & 7; /* the M parameter */
	435
	436	M *= 2;
	437	M += 2;
514c9da4	438	if (len != M)
0f113f3e MC	439	return 0;
	440	memcpy(tag, ctx->cmac.c, M);
	441	return M;
d3fad7cb	442	}