232 lines
4.8 KiB
C
232 lines
4.8 KiB
C
/*
|
|
* Copyright (c) 2020 Nordic Semiconductor ASA
|
|
* Copyright (c) 2017 Intel Corporation
|
|
*
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
#include <string.h>
|
|
|
|
#include <zephyr.h>
|
|
#include <sys/byteorder.h>
|
|
#include <bluetooth/crypto.h>
|
|
|
|
#define BT_DBG_ENABLED IS_ENABLED(CONFIG_BT_DEBUG_HCI_CORE)
|
|
#define LOG_MODULE_NAME bt_aes_ccm
|
|
#include "common/log.h"
|
|
|
|
static inline void xor16(uint8_t *dst, const uint8_t *a, const uint8_t *b)
|
|
{
|
|
dst[0] = a[0] ^ b[0];
|
|
dst[1] = a[1] ^ b[1];
|
|
dst[2] = a[2] ^ b[2];
|
|
dst[3] = a[3] ^ b[3];
|
|
dst[4] = a[4] ^ b[4];
|
|
dst[5] = a[5] ^ b[5];
|
|
dst[6] = a[6] ^ b[6];
|
|
dst[7] = a[7] ^ b[7];
|
|
dst[8] = a[8] ^ b[8];
|
|
dst[9] = a[9] ^ b[9];
|
|
dst[10] = a[10] ^ b[10];
|
|
dst[11] = a[11] ^ b[11];
|
|
dst[12] = a[12] ^ b[12];
|
|
dst[13] = a[13] ^ b[13];
|
|
dst[14] = a[14] ^ b[14];
|
|
dst[15] = a[15] ^ b[15];
|
|
}
|
|
|
|
/* pmsg is assumed to have the nonce already present in bytes 1-13 */
|
|
static int ccm_calculate_X0(const uint8_t key[16], const uint8_t *aad, uint8_t aad_len,
|
|
size_t mic_size, uint8_t msg_len, uint8_t b[16],
|
|
uint8_t X0[16])
|
|
{
|
|
int i, j, err;
|
|
|
|
/* X_0 = e(AppKey, flags || nonce || length) */
|
|
b[0] = (((mic_size - 2) / 2) << 3) | ((!!aad_len) << 6) | 0x01;
|
|
|
|
sys_put_be16(msg_len, b + 14);
|
|
|
|
err = bt_encrypt_be(key, b, X0);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
|
|
/* If AAD is being used to authenticate, include it here */
|
|
if (aad_len) {
|
|
sys_put_be16(aad_len, b);
|
|
|
|
for (i = 0; i < sizeof(uint16_t); i++) {
|
|
b[i] = X0[i] ^ b[i];
|
|
}
|
|
|
|
j = 0;
|
|
aad_len += sizeof(uint16_t);
|
|
while (aad_len > 16) {
|
|
do {
|
|
b[i] = X0[i] ^ aad[j];
|
|
i++, j++;
|
|
} while (i < 16);
|
|
|
|
aad_len -= 16;
|
|
i = 0;
|
|
|
|
err = bt_encrypt_be(key, b, X0);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
}
|
|
|
|
for (; i < aad_len; i++, j++) {
|
|
b[i] = X0[i] ^ aad[j];
|
|
}
|
|
|
|
for (i = aad_len; i < 16; i++) {
|
|
b[i] = X0[i];
|
|
}
|
|
|
|
err = bt_encrypt_be(key, b, X0);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int ccm_auth(const uint8_t key[16], uint8_t nonce[13],
|
|
const uint8_t *cleartext_msg, size_t msg_len, const uint8_t *aad,
|
|
size_t aad_len, uint8_t *mic, size_t mic_size)
|
|
{
|
|
uint8_t b[16], Xn[16], s0[16];
|
|
uint16_t blk_cnt, last_blk;
|
|
int err, j, i;
|
|
|
|
last_blk = msg_len % 16;
|
|
blk_cnt = (msg_len + 15) / 16;
|
|
if (!last_blk) {
|
|
last_blk = 16U;
|
|
}
|
|
|
|
b[0] = 0x01;
|
|
memcpy(b + 1, nonce, 13);
|
|
|
|
/* S[0] = e(AppKey, 0x01 || nonce || 0x0000) */
|
|
sys_put_be16(0x0000, &b[14]);
|
|
|
|
err = bt_encrypt_be(key, b, s0);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
|
|
ccm_calculate_X0(key, aad, aad_len, mic_size, msg_len, b, Xn);
|
|
|
|
for (j = 0; j < blk_cnt; j++) {
|
|
/* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */
|
|
if (j + 1 == blk_cnt) {
|
|
for (i = 0; i < last_blk; i++) {
|
|
b[i] = Xn[i] ^ cleartext_msg[(j * 16) + i];
|
|
}
|
|
|
|
memcpy(&b[i], &Xn[i], 16 - i);
|
|
} else {
|
|
xor16(b, Xn, &cleartext_msg[j * 16]);
|
|
}
|
|
|
|
err = bt_encrypt_be(key, b, Xn);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
}
|
|
|
|
/* MIC = C_mic ^ X_1 */
|
|
for (i = 0; i < mic_size; i++) {
|
|
mic[i] = s0[i] ^ Xn[i];
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int ccm_crypt(const uint8_t key[16], const uint8_t nonce[13],
|
|
const uint8_t *in_msg, uint8_t *out_msg, size_t msg_len)
|
|
{
|
|
uint8_t a_i[16], s_i[16];
|
|
uint16_t last_blk, blk_cnt;
|
|
size_t i, j;
|
|
int err;
|
|
|
|
last_blk = msg_len % 16;
|
|
blk_cnt = (msg_len + 15) / 16;
|
|
if (!last_blk) {
|
|
last_blk = 16U;
|
|
}
|
|
|
|
a_i[0] = 0x01;
|
|
memcpy(&a_i[1], nonce, 13);
|
|
|
|
for (j = 0; j < blk_cnt; j++) {
|
|
/* S_1 = e(AppKey, 0x01 || nonce || 0x0001) */
|
|
sys_put_be16(j + 1, &a_i[14]);
|
|
|
|
err = bt_encrypt_be(key, a_i, s_i);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
|
|
/* Encrypted = Payload[0-15] ^ C_1 */
|
|
if (j < blk_cnt - 1) {
|
|
xor16(&out_msg[j * 16], s_i, &in_msg[j * 16]);
|
|
} else {
|
|
for (i = 0; i < last_blk; i++) {
|
|
out_msg[(j * 16) + i] =
|
|
in_msg[(j * 16) + i] ^ s_i[i];
|
|
}
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int bt_ccm_decrypt(const uint8_t key[16], uint8_t nonce[13],
|
|
const uint8_t *enc_data, size_t len, const uint8_t *aad,
|
|
size_t aad_len, uint8_t *plaintext, size_t mic_size)
|
|
{
|
|
uint8_t mic[16];
|
|
|
|
if (aad_len >= 0xff00 || mic_size > sizeof(mic)) {
|
|
return -EINVAL;
|
|
}
|
|
|
|
ccm_crypt(key, nonce, enc_data, plaintext, len);
|
|
|
|
ccm_auth(key, nonce, plaintext, len, aad, aad_len, mic, mic_size);
|
|
|
|
if (memcmp(mic, enc_data + len, mic_size)) {
|
|
return -EBADMSG;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int bt_ccm_encrypt(const uint8_t key[16], uint8_t nonce[13],
|
|
const uint8_t *plaintext, size_t len, const uint8_t *aad,
|
|
size_t aad_len, uint8_t *enc_data, size_t mic_size)
|
|
{
|
|
uint8_t *mic = enc_data + len;
|
|
|
|
BT_DBG("key %s", bt_hex(key, 16));
|
|
BT_DBG("nonce %s", bt_hex(nonce, 13));
|
|
BT_DBG("msg (len %zu) %s", len, bt_hex(plaintext, len));
|
|
BT_DBG("aad_len %zu mic_size %zu", aad_len, mic_size);
|
|
|
|
/* Unsupported AAD size */
|
|
if (aad_len >= 0xff00 || mic_size > 16) {
|
|
return -EINVAL;
|
|
}
|
|
|
|
ccm_auth(key, nonce, plaintext, len, aad, aad_len, mic, mic_size);
|
|
|
|
ccm_crypt(key, nonce, plaintext, enc_data, len);
|
|
|
|
return 0;
|
|
}
|