Mercurial > dropbear
comparison libtomcrypt/src/encauth/ccm/ccm_add_nonce.c @ 1471:6dba84798cd5
Update to libtomcrypt 1.18.1, merged with Dropbear changes
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Fri, 09 Feb 2018 21:44:05 +0800 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 1470:8bba51a55704 | 1471:6dba84798cd5 |
|---|---|
| 1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis | |
| 2 * | |
| 3 * LibTomCrypt is a library that provides various cryptographic | |
| 4 * algorithms in a highly modular and flexible manner. | |
| 5 * | |
| 6 * The library is free for all purposes without any express | |
| 7 * guarantee it works. | |
| 8 */ | |
| 9 #include "tomcrypt.h" | |
| 10 | |
| 11 #ifdef LTC_CCM_MODE | |
| 12 | |
| 13 /** | |
| 14 Add nonce data to the CCM state | |
| 15 @param ccm The CCM state | |
| 16 @param nonce The nonce data to add | |
| 17 @param noncelen The length of the nonce | |
| 18 @return CRYPT_OK on success | |
| 19 */ | |
| 20 int ccm_add_nonce(ccm_state *ccm, | |
| 21 const unsigned char *nonce, unsigned long noncelen) | |
| 22 { | |
| 23 unsigned long x, y, len; | |
| 24 int err; | |
| 25 | |
| 26 LTC_ARGCHK(ccm != NULL); | |
| 27 LTC_ARGCHK(nonce != NULL); | |
| 28 | |
| 29 /* increase L to match the nonce len */ | |
| 30 ccm->noncelen = (noncelen > 13) ? 13 : noncelen; | |
| 31 if ((15 - ccm->noncelen) > ccm->L) { | |
| 32 ccm->L = 15 - ccm->noncelen; | |
| 33 } | |
| 34 | |
| 35 /* decrease noncelen to match L */ | |
| 36 if ((ccm->noncelen + ccm->L) > 15) { | |
| 37 ccm->noncelen = 15 - ccm->L; | |
| 38 } | |
| 39 | |
| 40 /* form B_0 == flags | Nonce N | l(m) */ | |
| 41 x = 0; | |
| 42 ccm->PAD[x++] = (unsigned char)(((ccm->aadlen > 0) ? (1<<6) : 0) | | |
| 43 (((ccm->taglen - 2)>>1)<<3) | | |
| 44 (ccm->L-1)); | |
| 45 | |
| 46 /* nonce */ | |
| 47 for (y = 0; y < (16 - (ccm->L + 1)); y++) { | |
| 48 ccm->PAD[x++] = nonce[y]; | |
| 49 } | |
| 50 | |
| 51 /* store len */ | |
| 52 len = ccm->ptlen; | |
| 53 | |
| 54 /* shift len so the upper bytes of len are the contents of the length */ | |
| 55 for (y = ccm->L; y < 4; y++) { | |
| 56 len <<= 8; | |
| 57 } | |
| 58 | |
| 59 /* store l(m) (only store 32-bits) */ | |
| 60 for (y = 0; ccm->L > 4 && (ccm->L-y)>4; y++) { | |
| 61 ccm->PAD[x++] = 0; | |
| 62 } | |
| 63 for (; y < ccm->L; y++) { | |
| 64 ccm->PAD[x++] = (unsigned char)((len >> 24) & 255); | |
| 65 len <<= 8; | |
| 66 } | |
| 67 | |
| 68 /* encrypt PAD */ | |
| 69 if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->PAD, ccm->PAD, &ccm->K)) != CRYPT_OK) { | |
| 70 return err; | |
| 71 } | |
| 72 | |
| 73 /* handle header */ | |
| 74 ccm->x = 0; | |
| 75 if (ccm->aadlen > 0) { | |
| 76 /* store length */ | |
| 77 if (ccm->aadlen < ((1UL<<16) - (1UL<<8))) { | |
| 78 ccm->PAD[ccm->x++] ^= (ccm->aadlen>>8) & 255; | |
| 79 ccm->PAD[ccm->x++] ^= ccm->aadlen & 255; | |
| 80 } else { | |
| 81 ccm->PAD[ccm->x++] ^= 0xFF; | |
| 82 ccm->PAD[ccm->x++] ^= 0xFE; | |
| 83 ccm->PAD[ccm->x++] ^= (ccm->aadlen>>24) & 255; | |
| 84 ccm->PAD[ccm->x++] ^= (ccm->aadlen>>16) & 255; | |
| 85 ccm->PAD[ccm->x++] ^= (ccm->aadlen>>8) & 255; | |
| 86 ccm->PAD[ccm->x++] ^= ccm->aadlen & 255; | |
| 87 } | |
| 88 } | |
| 89 | |
| 90 /* setup the ctr counter */ | |
| 91 x = 0; | |
| 92 | |
| 93 /* flags */ | |
| 94 ccm->ctr[x++] = (unsigned char)ccm->L-1; | |
| 95 | |
| 96 /* nonce */ | |
| 97 for (y = 0; y < (16 - (ccm->L+1)); ++y) { | |
| 98 ccm->ctr[x++] = nonce[y]; | |
| 99 } | |
| 100 /* offset */ | |
| 101 while (x < 16) { | |
| 102 ccm->ctr[x++] = 0; | |
| 103 } | |
| 104 | |
| 105 ccm->CTRlen = 16; | |
| 106 return CRYPT_OK; | |
| 107 } | |
| 108 | |
| 109 #endif | |
| 110 | |
| 111 /* ref: $Format:%D$ */ | |
| 112 /* git commit: $Format:%H$ */ | |
| 113 /* commit time: $Format:%ai$ */ |