1 files changed, 441 insertions, 0 deletions
diff --git a/src/lib/libcrypto/modes/ccm128.c b/src/lib/libcrypto/modes/ccm128.c
new file mode 100644
index 0000000000..c9b35e5b35
--- /dev/null
+++ b/src/lib/libcrypto/modes/ccm128.c
@@ -0,0 +1,441 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+#include <openssl/crypto.h>
+#include "modes_lcl.h"
+#include <string.h>
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+/* First you setup M and L parameters and pass the key schedule.
+ * This is called once per session setup... */
+void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
+        unsigned int M,unsigned int L,void *key,block128_f block)
+{
+        memset(ctx->nonce.c,0,sizeof(ctx->nonce.c));
+        ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3;
+        ctx->blocks = 0;
+        ctx->block = block;
+        ctx->key = key;
+}
+/* !!! Following interfaces are to be called *once* per packet !!! */
+/* Then you setup per-message nonce and pass the length of the message */
+int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
+        const unsigned char *nonce,size_t nlen,size_t mlen)
+{
+        unsigned int L = ctx->nonce.c[0]&7;     /* the L parameter */
+        if (nlen<(14-L)) return -1;             /* nonce is too short */
+        if (sizeof(mlen)==8 && L>=3) {
+                ctx->nonce.c[8]  = (u8)(mlen>>(56%(sizeof(mlen)*8)));
+                ctx->nonce.c[9]  = (u8)(mlen>>(48%(sizeof(mlen)*8)));
+                ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8)));
+                ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
+        }
+        else
+                *(u32*)(&ctx->nonce.c[8]) = 0;
+        ctx->nonce.c[12] = (u8)(mlen>>24);
+        ctx->nonce.c[13] = (u8)(mlen>>16);
+        ctx->nonce.c[14] = (u8)(mlen>>8);
+        ctx->nonce.c[15] = (u8)mlen;
+        ctx->nonce.c[0] &= ~0x40;       /* clear Adata flag */
+        memcpy(&ctx->nonce.c[1],nonce,14-L);
+        return 0;
+}
+/* Then you pass additional authentication data, this is optional */
+void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
+        const unsigned char *aad,size_t alen)
+{       unsigned int i;
+        block128_f block = ctx->block;
+        if (alen==0) return;
+        ctx->nonce.c[0] |= 0x40;        /* set Adata flag */
+        (*block)(ctx->nonce.c,ctx->cmac.c,ctx->key),
+        ctx->blocks++;
+        if (alen<(0x10000-0x100)) {
+                ctx->cmac.c[0] ^= (u8)(alen>>8);
+                ctx->cmac.c[1] ^= (u8)alen;
+                i=2;
+        }
+        else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) {
+                ctx->cmac.c[0] ^= 0xFF;
+                ctx->cmac.c[1] ^= 0xFF;
+                ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8)));
+                ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8)));
+                ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8)));
+                ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8)));
+                ctx->cmac.c[6] ^= (u8)(alen>>24);
+                ctx->cmac.c[7] ^= (u8)(alen>>16);
+                ctx->cmac.c[8] ^= (u8)(alen>>8);
+                ctx->cmac.c[9] ^= (u8)alen;
+                i=10;
+        }
+        else {
+                ctx->cmac.c[0] ^= 0xFF;
+                ctx->cmac.c[1] ^= 0xFE;
+                ctx->cmac.c[2] ^= (u8)(alen>>24);
+                ctx->cmac.c[3] ^= (u8)(alen>>16);
+                ctx->cmac.c[4] ^= (u8)(alen>>8);
+                ctx->cmac.c[5] ^= (u8)alen;
+                i=6;
+        }
+        do {
+                for(;i<16 && alen;++i,++aad,--alen)
+                        ctx->cmac.c[i] ^= *aad;
+                (*block)(ctx->cmac.c,ctx->cmac.c,ctx->key),
+                ctx->blocks++;
+                i=0;
+        } while (alen);
+}
+/* Finally you encrypt or decrypt the message */
+/* counter part of nonce may not be larger than L*8 bits,
+ * L is not larger than 8, therefore 64-bit counter... */
+static void ctr64_inc(unsigned char *counter) {
+        unsigned int n=8;
+        u8  c;
+        counter += 8;
+        do {
+                --n;
+                c = counter[n];
+                ++c;
+                counter[n] = c;
+                if (c) return;
+        } while (n);
+}
+int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
+        const unsigned char *inp, unsigned char *out,
+        size_t len)
+{
+        size_t          n;
+        unsigned int    i,L;
+        unsigned char   flags0  = ctx->nonce.c[0];
+        block128_f      block   = ctx->block;
+        void *          key     = ctx->key;
+        union { u64 u[2]; u8 c[16]; } scratch;
+        if (!(flags0&0x40))
+                (*block)(ctx->nonce.c,ctx->cmac.c,key),
+                ctx->blocks++;
+        ctx->nonce.c[0] = L = flags0&7;
+        for (n=0,i=15-L;i<15;++i) {
+                n |= ctx->nonce.c[i];
+                ctx->nonce.c[i]=0;
+                n <<= 8;
+        }
+        n |= ctx->nonce.c[15];  /* reconstructed length */
+        ctx->nonce.c[15]=1;
+        if (n!=len) return -1;  /* length mismatch */
+        ctx->blocks += ((len+15)>>3)|1;
+        if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */
+        while (len>=16) {
+#if defined(STRICT_ALIGNMENT)
+                union { u64 u[2]; u8 c[16]; } temp;
+                memcpy (temp.c,inp,16);
+                ctx->cmac.u[0] ^= temp.u[0];
+                ctx->cmac.u[1] ^= temp.u[1];
+#else
+                ctx->cmac.u[0] ^= ((u64*)inp)[0];
+                ctx->cmac.u[1] ^= ((u64*)inp)[1];
+#endif
+                (*block)(ctx->cmac.c,ctx->cmac.c,key);
+                (*block)(ctx->nonce.c,scratch.c,key);
+                ctr64_inc(ctx->nonce.c);
+#if defined(STRICT_ALIGNMENT)
+                temp.u[0] ^= scratch.u[0];
+                temp.u[1] ^= scratch.u[1];
+                memcpy(out,temp.c,16);
+#else
+                ((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0];
+                ((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1];
+#endif
+                inp += 16;
+                out += 16;
+                len -= 16;
+        }
+        if (len) {
+                for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
+                (*block)(ctx->cmac.c,ctx->cmac.c,key);
+                (*block)(ctx->nonce.c,scratch.c,key);
+                for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
+        }
+        for (i=15-L;i<16;++i)
+                ctx->nonce.c[i]=0;
+        (*block)(ctx->nonce.c,scratch.c,key);
+        ctx->cmac.u[0] ^= scratch.u[0];
+        ctx->cmac.u[1] ^= scratch.u[1];
+        ctx->nonce.c[0] = flags0;
+        return 0;
+}
+int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
+        const unsigned char *inp, unsigned char *out,
+        size_t len)
+{
+        size_t          n;
+        unsigned int    i,L;
+        unsigned char   flags0  = ctx->nonce.c[0];
+        block128_f      block   = ctx->block;
+        void *          key     = ctx->key;
+        union { u64 u[2]; u8 c[16]; } scratch;
+        if (!(flags0&0x40))
+                (*block)(ctx->nonce.c,ctx->cmac.c,key);
+        ctx->nonce.c[0] = L = flags0&7;
+        for (n=0,i=15-L;i<15;++i) {
+                n |= ctx->nonce.c[i];
+                ctx->nonce.c[i]=0;
+                n <<= 8;
+        }
+        n |= ctx->nonce.c[15];  /* reconstructed length */
+        ctx->nonce.c[15]=1;
+        if (n!=len) return -1;
+        while (len>=16) {
+#if defined(STRICT_ALIGNMENT)
+                union { u64 u[2]; u8 c[16]; } temp;
+#endif
+                (*block)(ctx->nonce.c,scratch.c,key);
+                ctr64_inc(ctx->nonce.c);
+#if defined(STRICT_ALIGNMENT)
+                memcpy (temp.c,inp,16);
+                ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
+                ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
+                memcpy (out,scratch.c,16);
+#else
+                ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]);
+                ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]);
+#endif
+                (*block)(ctx->cmac.c,ctx->cmac.c,key);
+                inp += 16;
+                out += 16;
+                len -= 16;
+        }
+        if (len) {
+                (*block)(ctx->nonce.c,scratch.c,key);
+                for (i=0; i<len; ++i)
+                        ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
+                (*block)(ctx->cmac.c,ctx->cmac.c,key);
+        }
+        for (i=15-L;i<16;++i)
+                ctx->nonce.c[i]=0;
+        (*block)(ctx->nonce.c,scratch.c,key);
+        ctx->cmac.u[0] ^= scratch.u[0];
+        ctx->cmac.u[1] ^= scratch.u[1];
+        ctx->nonce.c[0] = flags0;
+        return 0;
+}
+static void ctr64_add (unsigned char *counter,size_t inc)
+{       size_t n=8, val=0;
+        counter += 8;
+        do {
+                --n;
+                val += counter[n] + (inc&0xff);
+                counter[n] = (unsigned char)val;
+                val >>= 8;      /* carry bit */
+                inc >>= 8;
+        } while(n && (inc || val));
+}
+int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
+        const unsigned char *inp, unsigned char *out,
+        size_t len,ccm128_f stream)
+{
+        size_t          n;
+        unsigned int    i,L;
+        unsigned char   flags0  = ctx->nonce.c[0];
+        block128_f      block   = ctx->block;
+        void *          key     = ctx->key;
+        union { u64 u[2]; u8 c[16]; } scratch;
+        if (!(flags0&0x40))
+                (*block)(ctx->nonce.c,ctx->cmac.c,key),
+                ctx->blocks++;
+        ctx->nonce.c[0] = L = flags0&7;
+        for (n=0,i=15-L;i<15;++i) {
+                n |= ctx->nonce.c[i];
+                ctx->nonce.c[i]=0;
+                n <<= 8;
+        }
+        n |= ctx->nonce.c[15];  /* reconstructed length */
+        ctx->nonce.c[15]=1;
+        if (n!=len) return -1;  /* length mismatch */
+        ctx->blocks += ((len+15)>>3)|1;
+        if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */
+        if ((n=len/16)) {
+                (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
+                n   *= 16;
+                inp += n;
+                out += n;
+                len -= n;
+                if (len) ctr64_add(ctx->nonce.c,n/16);
+        }
+        if (len) {
+                for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
+                (*block)(ctx->cmac.c,ctx->cmac.c,key);
+                (*block)(ctx->nonce.c,scratch.c,key);
+                for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
+        }
+        for (i=15-L;i<16;++i)
+                ctx->nonce.c[i]=0;
+        (*block)(ctx->nonce.c,scratch.c,key);
+        ctx->cmac.u[0] ^= scratch.u[0];
+        ctx->cmac.u[1] ^= scratch.u[1];
+        ctx->nonce.c[0] = flags0;
+        return 0;
+}
+int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
+        const unsigned char *inp, unsigned char *out,
+        size_t len,ccm128_f stream)
+{
+        size_t          n;
+        unsigned int    i,L;
+        unsigned char   flags0  = ctx->nonce.c[0];
+        block128_f      block   = ctx->block;
+        void *          key     = ctx->key;
+        union { u64 u[2]; u8 c[16]; } scratch;
+        if (!(flags0&0x40))
+                (*block)(ctx->nonce.c,ctx->cmac.c,key);
+        ctx->nonce.c[0] = L = flags0&7;
+        for (n=0,i=15-L;i<15;++i) {
+                n |= ctx->nonce.c[i];
+                ctx->nonce.c[i]=0;
+                n <<= 8;
+        }
+        n |= ctx->nonce.c[15];  /* reconstructed length */
+        ctx->nonce.c[15]=1;
+        if (n!=len) return -1;
+        if ((n=len/16)) {
+                (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
+                n   *= 16;
+                inp += n;
+                out += n;
+                len -= n;
+                if (len) ctr64_add(ctx->nonce.c,n/16);
+        }
+        if (len) {
+                (*block)(ctx->nonce.c,scratch.c,key);
+                for (i=0; i<len; ++i)
+                        ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
+                (*block)(ctx->cmac.c,ctx->cmac.c,key);
+        }
+        for (i=15-L;i<16;++i)
+                ctx->nonce.c[i]=0;
+        (*block)(ctx->nonce.c,scratch.c,key);
+        ctx->cmac.u[0] ^= scratch.u[0];
+        ctx->cmac.u[1] ^= scratch.u[1];
+        ctx->nonce.c[0] = flags0;
+        return 0;
+}
+size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len)
+{       unsigned int M = (ctx->nonce.c[0]>>3)&7;        /* the M parameter */
+        M *= 2; M += 2;
+        if (len<M)      return 0;
+        memcpy(tag,ctx->cmac.c,M);
+        return M;
+}

diff --git a/src/lib/libcrypto/modes/ccm128.c b/src/lib/libcrypto/modes/ccm128.c new file mode 100644 index 0000000000..c9b35e5b35 --- /dev/null +++ b/src/lib/libcrypto/modes/ccm128.c
@@ -0,0 +1,441 @@
	1	/* ====================================================================
	2	* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	*
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	*
	11	* 2. Redistributions in binary form must reproduce the above copyright
	12	* notice, this list of conditions and the following disclaimer in
	13	* the documentation and/or other materials provided with the
	14	* distribution.
	15	*
	16	* 3. All advertising materials mentioning features or use of this
	17	* software must display the following acknowledgment:
	18	* "This product includes software developed by the OpenSSL Project
	19	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	20	*
	21	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	22	* endorse or promote products derived from this software without
	23	* prior written permission. For written permission, please contact
	24	* openssl-core@openssl.org.
	25	*
	26	* 5. Products derived from this software may not be called "OpenSSL"
	27	* nor may "OpenSSL" appear in their names without prior written
	28	* permission of the OpenSSL Project.
	29	*
	30	* 6. Redistributions of any form whatsoever must retain the following
	31	* acknowledgment:
	32	* "This product includes software developed by the OpenSSL Project
	33	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	34	*
	35	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	36	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	37	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	38	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	39	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	40	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	41	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	42	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	43	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	44	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	45	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	46	* OF THE POSSIBILITY OF SUCH DAMAGE.
	47	* ====================================================================
	48	*/
	49
	50	#include <openssl/crypto.h>
	51	#include "modes_lcl.h"
	52	#include <string.h>
	53
	54	#ifndef MODES_DEBUG
	55	# ifndef NDEBUG
	56	# define NDEBUG
	57	# endif
	58	#endif
	59	#include <assert.h>
	60
	61	/* First you setup M and L parameters and pass the key schedule.
	62	* This is called once per session setup... */
	63	void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
	64	unsigned int M,unsigned int L,void *key,block128_f block)
	65	{
	66	memset(ctx->nonce.c,0,sizeof(ctx->nonce.c));
	67	ctx->nonce.c[0] = ((u8)(L-1)&7) \| (u8)(((M-2)/2)&7)<<3;
	68	ctx->blocks = 0;
	69	ctx->block = block;
	70	ctx->key = key;
	71	}
	72
	73	/* !!! Following interfaces are to be called once per packet !!! */
	74
	75	/* Then you setup per-message nonce and pass the length of the message */
	76	int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
	77	const unsigned char *nonce,size_t nlen,size_t mlen)
	78	{
	79	unsigned int L = ctx->nonce.c[0]&7; /* the L parameter */
	80
	81	if (nlen<(14-L)) return -1; /* nonce is too short */
	82
	83	if (sizeof(mlen)==8 && L>=3) {
	84	ctx->nonce.c[8] = (u8)(mlen>>(56%(sizeof(mlen)*8)));
	85	ctx->nonce.c[9] = (u8)(mlen>>(48%(sizeof(mlen)*8)));
	86	ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8)));
	87	ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
	88	}
	89	else
	90	(u32)(&ctx->nonce.c[8]) = 0;
	91
	92	ctx->nonce.c[12] = (u8)(mlen>>24);
	93	ctx->nonce.c[13] = (u8)(mlen>>16);
	94	ctx->nonce.c[14] = (u8)(mlen>>8);
	95	ctx->nonce.c[15] = (u8)mlen;
	96
	97	ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */
	98	memcpy(&ctx->nonce.c[1],nonce,14-L);
	99
	100	return 0;
	101	}
	102
	103	/* Then you pass additional authentication data, this is optional */
	104	void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
	105	const unsigned char *aad,size_t alen)
	106	{ unsigned int i;
	107	block128_f block = ctx->block;
	108
	109	if (alen==0) return;
	110
	111	ctx->nonce.c[0] \|= 0x40; /* set Adata flag */
	112	(*block)(ctx->nonce.c,ctx->cmac.c,ctx->key),
	113	ctx->blocks++;
	114
	115	if (alen<(0x10000-0x100)) {
	116	ctx->cmac.c[0] ^= (u8)(alen>>8);
	117	ctx->cmac.c[1] ^= (u8)alen;
	118	i=2;
	119	}
	120	else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) {
	121	ctx->cmac.c[0] ^= 0xFF;
	122	ctx->cmac.c[1] ^= 0xFF;
	123	ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8)));
	124	ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8)));
	125	ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8)));
	126	ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8)));
	127	ctx->cmac.c[6] ^= (u8)(alen>>24);
	128	ctx->cmac.c[7] ^= (u8)(alen>>16);
	129	ctx->cmac.c[8] ^= (u8)(alen>>8);
	130	ctx->cmac.c[9] ^= (u8)alen;
	131	i=10;
	132	}
	133	else {
	134	ctx->cmac.c[0] ^= 0xFF;
	135	ctx->cmac.c[1] ^= 0xFE;
	136	ctx->cmac.c[2] ^= (u8)(alen>>24);
	137	ctx->cmac.c[3] ^= (u8)(alen>>16);
	138	ctx->cmac.c[4] ^= (u8)(alen>>8);
	139	ctx->cmac.c[5] ^= (u8)alen;
	140	i=6;
	141	}
	142
	143	do {
	144	for(;i<16 && alen;++i,++aad,--alen)
	145	ctx->cmac.c[i] ^= *aad;
	146	(*block)(ctx->cmac.c,ctx->cmac.c,ctx->key),
	147	ctx->blocks++;
	148	i=0;
	149	} while (alen);
	150	}
	151
	152	/* Finally you encrypt or decrypt the message */
	153
	154	/* counter part of nonce may not be larger than L*8 bits,
	155	* L is not larger than 8, therefore 64-bit counter... */
	156	static void ctr64_inc(unsigned char *counter) {
	157	unsigned int n=8;
	158	u8 c;
	159
	160	counter += 8;
	161	do {
	162	--n;
	163	c = counter[n];
	164	++c;
	165	counter[n] = c;
	166	if (c) return;
	167	} while (n);
	168	}
	169
	170	int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
	171	const unsigned char inp, unsigned char out,
	172	size_t len)
	173	{
	174	size_t n;
	175	unsigned int i,L;
	176	unsigned char flags0 = ctx->nonce.c[0];
	177	block128_f block = ctx->block;
	178	void * key = ctx->key;
	179	union { u64 u[2]; u8 c[16]; } scratch;
	180
	181	if (!(flags0&0x40))
	182	(*block)(ctx->nonce.c,ctx->cmac.c,key),
	183	ctx->blocks++;
	184
	185	ctx->nonce.c[0] = L = flags0&7;
	186	for (n=0,i=15-L;i<15;++i) {
	187	n \|= ctx->nonce.c[i];
	188	ctx->nonce.c[i]=0;
	189	n <<= 8;
	190	}
	191	n \|= ctx->nonce.c[15]; /* reconstructed length */
	192	ctx->nonce.c[15]=1;
	193
	194	if (n!=len) return -1; /* length mismatch */
	195
	196	ctx->blocks += ((len+15)>>3)\|1;
	197	if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */
	198
	199	while (len>=16) {
	200	#if defined(STRICT_ALIGNMENT)
	201	union { u64 u[2]; u8 c[16]; } temp;
	202
	203	memcpy (temp.c,inp,16);
	204	ctx->cmac.u[0] ^= temp.u[0];
	205	ctx->cmac.u[1] ^= temp.u[1];
	206	#else
	207	ctx->cmac.u[0] ^= ((u64*)inp)[0];
	208	ctx->cmac.u[1] ^= ((u64*)inp)[1];
	209	#endif
	210	(*block)(ctx->cmac.c,ctx->cmac.c,key);
	211	(*block)(ctx->nonce.c,scratch.c,key);
	212	ctr64_inc(ctx->nonce.c);
	213	#if defined(STRICT_ALIGNMENT)
	214	temp.u[0] ^= scratch.u[0];
	215	temp.u[1] ^= scratch.u[1];
	216	memcpy(out,temp.c,16);
	217	#else
	218	((u64)out)[0] = scratch.u[0]^((u64)inp)[0];
	219	((u64)out)[1] = scratch.u[1]^((u64)inp)[1];
	220	#endif
	221	inp += 16;
	222	out += 16;
	223	len -= 16;
	224	}
	225
	226	if (len) {
	227	for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
	228	(*block)(ctx->cmac.c,ctx->cmac.c,key);
	229	(*block)(ctx->nonce.c,scratch.c,key);
	230	for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
	231	}
	232
	233	for (i=15-L;i<16;++i)
	234	ctx->nonce.c[i]=0;
	235
	236	(*block)(ctx->nonce.c,scratch.c,key);
	237	ctx->cmac.u[0] ^= scratch.u[0];
	238	ctx->cmac.u[1] ^= scratch.u[1];
	239
	240	ctx->nonce.c[0] = flags0;
	241
	242	return 0;
	243	}
	244
	245	int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
	246	const unsigned char inp, unsigned char out,
	247	size_t len)
	248	{
	249	size_t n;
	250	unsigned int i,L;
	251	unsigned char flags0 = ctx->nonce.c[0];
	252	block128_f block = ctx->block;
	253	void * key = ctx->key;
	254	union { u64 u[2]; u8 c[16]; } scratch;
	255
	256	if (!(flags0&0x40))
	257	(*block)(ctx->nonce.c,ctx->cmac.c,key);
	258
	259	ctx->nonce.c[0] = L = flags0&7;
	260	for (n=0,i=15-L;i<15;++i) {
	261	n \|= ctx->nonce.c[i];
	262	ctx->nonce.c[i]=0;
	263	n <<= 8;
	264	}
	265	n \|= ctx->nonce.c[15]; /* reconstructed length */
	266	ctx->nonce.c[15]=1;
	267
	268	if (n!=len) return -1;
	269
	270	while (len>=16) {
	271	#if defined(STRICT_ALIGNMENT)
	272	union { u64 u[2]; u8 c[16]; } temp;
	273	#endif
	274	(*block)(ctx->nonce.c,scratch.c,key);
	275	ctr64_inc(ctx->nonce.c);
	276	#if defined(STRICT_ALIGNMENT)
	277	memcpy (temp.c,inp,16);
	278	ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
	279	ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
	280	memcpy (out,scratch.c,16);
	281	#else
	282	ctx->cmac.u[0] ^= (((u64)out)[0] = scratch.u[0]^((u64)inp)[0]);
	283	ctx->cmac.u[1] ^= (((u64)out)[1] = scratch.u[1]^((u64)inp)[1]);
	284	#endif
	285	(*block)(ctx->cmac.c,ctx->cmac.c,key);
	286
	287	inp += 16;
	288	out += 16;
	289	len -= 16;
	290	}
	291
	292	if (len) {
	293	(*block)(ctx->nonce.c,scratch.c,key);
	294	for (i=0; i<len; ++i)
	295	ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
	296	(*block)(ctx->cmac.c,ctx->cmac.c,key);
	297	}
	298
	299	for (i=15-L;i<16;++i)
	300	ctx->nonce.c[i]=0;
	301
	302	(*block)(ctx->nonce.c,scratch.c,key);
	303	ctx->cmac.u[0] ^= scratch.u[0];
	304	ctx->cmac.u[1] ^= scratch.u[1];
	305
	306	ctx->nonce.c[0] = flags0;
	307
	308	return 0;
	309	}
	310
	311	static void ctr64_add (unsigned char *counter,size_t inc)
	312	{ size_t n=8, val=0;
	313
	314	counter += 8;
	315	do {
	316	--n;
	317	val += counter[n] + (inc&0xff);
	318	counter[n] = (unsigned char)val;
	319	val >>= 8; /* carry bit */
	320	inc >>= 8;
	321	} while(n && (inc \|\| val));
	322	}
	323
	324	int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
	325	const unsigned char inp, unsigned char out,
	326	size_t len,ccm128_f stream)
	327	{
	328	size_t n;
	329	unsigned int i,L;
	330	unsigned char flags0 = ctx->nonce.c[0];
	331	block128_f block = ctx->block;
	332	void * key = ctx->key;
	333	union { u64 u[2]; u8 c[16]; } scratch;
	334
	335	if (!(flags0&0x40))
	336	(*block)(ctx->nonce.c,ctx->cmac.c,key),
	337	ctx->blocks++;
	338
	339	ctx->nonce.c[0] = L = flags0&7;
	340	for (n=0,i=15-L;i<15;++i) {
	341	n \|= ctx->nonce.c[i];
	342	ctx->nonce.c[i]=0;
	343	n <<= 8;
	344	}
	345	n \|= ctx->nonce.c[15]; /* reconstructed length */
	346	ctx->nonce.c[15]=1;
	347
	348	if (n!=len) return -1; /* length mismatch */
	349
	350	ctx->blocks += ((len+15)>>3)\|1;
	351	if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */
	352
	353	if ((n=len/16)) {
	354	(*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
	355	n *= 16;
	356	inp += n;
	357	out += n;
	358	len -= n;
	359	if (len) ctr64_add(ctx->nonce.c,n/16);
	360	}
	361
	362	if (len) {
	363	for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
	364	(*block)(ctx->cmac.c,ctx->cmac.c,key);
	365	(*block)(ctx->nonce.c,scratch.c,key);
	366	for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
	367	}
	368
	369	for (i=15-L;i<16;++i)
	370	ctx->nonce.c[i]=0;
	371
	372	(*block)(ctx->nonce.c,scratch.c,key);
	373	ctx->cmac.u[0] ^= scratch.u[0];
	374	ctx->cmac.u[1] ^= scratch.u[1];
	375
	376	ctx->nonce.c[0] = flags0;
	377
	378	return 0;
	379	}
	380
	381	int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
	382	const unsigned char inp, unsigned char out,
	383	size_t len,ccm128_f stream)
	384	{
	385	size_t n;
	386	unsigned int i,L;
	387	unsigned char flags0 = ctx->nonce.c[0];
	388	block128_f block = ctx->block;
	389	void * key = ctx->key;
	390	union { u64 u[2]; u8 c[16]; } scratch;
	391
	392	if (!(flags0&0x40))
	393	(*block)(ctx->nonce.c,ctx->cmac.c,key);
	394
	395	ctx->nonce.c[0] = L = flags0&7;
	396	for (n=0,i=15-L;i<15;++i) {
	397	n \|= ctx->nonce.c[i];
	398	ctx->nonce.c[i]=0;
	399	n <<= 8;
	400	}
	401	n \|= ctx->nonce.c[15]; /* reconstructed length */
	402	ctx->nonce.c[15]=1;
	403
	404	if (n!=len) return -1;
	405
	406	if ((n=len/16)) {
	407	(*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
	408	n *= 16;
	409	inp += n;
	410	out += n;
	411	len -= n;
	412	if (len) ctr64_add(ctx->nonce.c,n/16);
	413	}
	414
	415	if (len) {
	416	(*block)(ctx->nonce.c,scratch.c,key);
	417	for (i=0; i<len; ++i)
	418	ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
	419	(*block)(ctx->cmac.c,ctx->cmac.c,key);
	420	}
	421
	422	for (i=15-L;i<16;++i)
	423	ctx->nonce.c[i]=0;
	424
	425	(*block)(ctx->nonce.c,scratch.c,key);
	426	ctx->cmac.u[0] ^= scratch.u[0];
	427	ctx->cmac.u[1] ^= scratch.u[1];
	428
	429	ctx->nonce.c[0] = flags0;
	430
	431	return 0;
	432	}
	433
	434	size_t CRYPTO_ccm128_tag(CCM128_CONTEXT ctx,unsigned char tag,size_t len)
	435	{ unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */
	436
	437	M *= 2; M += 2;
	438	if (len<M) return 0;
	439	memcpy(tag,ctx->cmac.c,M);
	440	return M;
	441	}