#include <stdio.h> #include <stdlib.h> #include <string.h> #include "sm4_core.h" #define CCM_DEBUG 0 #if 1 typedef void (*ccm128_f)(const unsigned char *in, unsigned char *out, size_t blocks, const void *key, const unsigned char ivec[16],unsigned char cmac[16]); struct ccm128_context { union { u64 u[2]; u8 c[16]; } nonce, cmac; u64 blocks; block128_f block; void *key; }; //#define U64(C) C##UL typedef struct ccm128_context CCM128_CONTEXT; /* First you setup M and L parameters and pass the key schedule. * This is called once per session setup... */ static void rk_crypto_ccm128_init(CCM128_CONTEXT *ctx, unsigned int M,unsigned int L,void *key,block128_f block) { // printf("m = %d,L = %d\n",M,L); memset(ctx->nonce.c,0,sizeof(ctx->nonce.c)); ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3; ctx->blocks = 0; ctx->block = block; ctx->key = key; } /* !!! Following interfaces are to be called *once* per packet !!! */ /* Then you setup per-message nonce and pass the length of the message */ static int rk_crypto_ccm128_setiv(CCM128_CONTEXT *ctx, const unsigned char *nonce,size_t nlen,size_t mlen) { unsigned int L = ctx->nonce.c[0]&7; /* the L parameter */ if (nlen<(14-L)) return -1; /* nonce is too short */ if (sizeof(mlen)==8 && L>=3) { ctx->nonce.c[8] = (u8)(mlen>>(56%(sizeof(mlen)*8))); ctx->nonce.c[9] = (u8)(mlen>>(48%(sizeof(mlen)*8))); ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8))); ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8))); } else ctx->nonce.u[1] = 0; ctx->nonce.c[12] = (u8)(mlen>>24); ctx->nonce.c[13] = (u8)(mlen>>16); ctx->nonce.c[14] = (u8)(mlen>>8); ctx->nonce.c[15] = (u8)mlen; ctx->nonce.c[0] &= ~0x40; /* clear Adata flag */ memcpy(&ctx->nonce.c[1],nonce,14-L); return 0; } /* Then you pass additional authentication data, this is optional */ static void rk_crypto_ccm128_aad(CCM128_CONTEXT *ctx, const unsigned char *aad,size_t alen) { unsigned int i; block128_f block = ctx->block; if (alen==0) return; ctx->nonce.c[0] |= 0x40; /* set Adata flag */ (*block)(ctx->nonce.c,ctx->cmac.c,ctx->key), ctx->blocks++; if (alen<(0x10000-0x100)) { ctx->cmac.c[0] ^= (u8)(alen>>8); ctx->cmac.c[1] ^= (u8)alen; i=2; } else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) { ctx->cmac.c[0] ^= 0xFF; ctx->cmac.c[1] ^= 0xFF; ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8))); ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8))); ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8))); ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8))); ctx->cmac.c[6] ^= (u8)(alen>>24); ctx->cmac.c[7] ^= (u8)(alen>>16); ctx->cmac.c[8] ^= (u8)(alen>>8); ctx->cmac.c[9] ^= (u8)alen; i=10; } else { ctx->cmac.c[0] ^= 0xFF; ctx->cmac.c[1] ^= 0xFE; ctx->cmac.c[2] ^= (u8)(alen>>24); ctx->cmac.c[3] ^= (u8)(alen>>16); ctx->cmac.c[4] ^= (u8)(alen>>8); ctx->cmac.c[5] ^= (u8)alen; i=6; } do { for(;i<16 && alen;++i,++aad,--alen) ctx->cmac.c[i] ^= *aad; (*block)(ctx->cmac.c,ctx->cmac.c,ctx->key), ctx->blocks++; i=0; } while (alen); } /* Finally you encrypt or decrypt the message */ /* counter part of nonce may not be larger than L*8 bits, * L is not larger than 8, therefore 64-bit counter... */ static void rk_ctr64_inc(unsigned char *counter) { unsigned int n=8; u8 c; counter += 8; do { --n; c = counter[n]; ++c; counter[n] = c; if (c) return; } while (n); } int rk_crypto_ccm128_encrypt(CCM128_CONTEXT *ctx, const unsigned char *inp, unsigned char *out, size_t len) { size_t n; unsigned int i,L; unsigned char flags0 = ctx->nonce.c[0]; block128_f block = ctx->block; void * key = ctx->key; union { u64 u[2]; u8 c[16]; } scratch; if (!(flags0&0x40)) (*block)(ctx->nonce.c,ctx->cmac.c,key), ctx->blocks++; ctx->nonce.c[0] = L = flags0&7; for (n=0,i=15-L;i<15;++i) { n |= ctx->nonce.c[i]; ctx->nonce.c[i]=0; n <<= 8; } n |= ctx->nonce.c[15]; /* reconstructed length */ ctx->nonce.c[15]=1; // printf("n = %d,len = %d\n",n,len); if (n!=len) return -1; /* length mismatch */ ctx->blocks += ((len+15)>>3)|1; if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ while (len>=16) { #if defined(STRICT_ALIGNMENT) union { u64 u[2]; u8 c[16]; } temp; memcpy (temp.c,inp,16); ctx->cmac.u[0] ^= temp.u[0]; ctx->cmac.u[1] ^= temp.u[1]; #else ctx->cmac.u[0] ^= ((u64*)inp)[0]; ctx->cmac.u[1] ^= ((u64*)inp)[1]; #endif (*block)(ctx->cmac.c,ctx->cmac.c,key); (*block)(ctx->nonce.c,scratch.c,key); rk_ctr64_inc(ctx->nonce.c); #if defined(STRICT_ALIGNMENT) temp.u[0] ^= scratch.u[0]; temp.u[1] ^= scratch.u[1]; memcpy(out,temp.c,16); #else ((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]; ((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]; #endif inp += 16; out += 16; len -= 16; } if (len) { for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; (*block)(ctx->cmac.c,ctx->cmac.c,key); (*block)(ctx->nonce.c,scratch.c,key); for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; } for (i=15-L;i<16;++i) ctx->nonce.c[i]=0; (*block)(ctx->nonce.c,scratch.c,key); ctx->cmac.u[0] ^= scratch.u[0]; ctx->cmac.u[1] ^= scratch.u[1]; ctx->nonce.c[0] = flags0; return 0; } static int rk_crypto_ccm128_decrypt(CCM128_CONTEXT *ctx, const unsigned char *inp, unsigned char *out, size_t len) { size_t n; unsigned int i,L; unsigned char flags0 = ctx->nonce.c[0]; block128_f block = ctx->block; void * key = ctx->key; union { u64 u[2]; u8 c[16]; } scratch; if (!(flags0&0x40)) (*block)(ctx->nonce.c,ctx->cmac.c,key); ctx->nonce.c[0] = L = flags0&7; for (n=0,i=15-L;i<15;++i) { n |= ctx->nonce.c[i]; ctx->nonce.c[i]=0; n <<= 8; } n |= ctx->nonce.c[15]; /* reconstructed length */ ctx->nonce.c[15]=1; // printf("n = %d,len = %d\n",n,len); if (n!=len) return -1; while (len>=16) { #if defined(STRICT_ALIGNMENT) union { u64 u[2]; u8 c[16]; } temp; #endif (*block)(ctx->nonce.c,scratch.c,key); rk_ctr64_inc(ctx->nonce.c); #if defined(STRICT_ALIGNMENT) memcpy (temp.c,inp,16); ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]); ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]); memcpy (out,scratch.c,16); #else ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]); ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]); #endif (*block)(ctx->cmac.c,ctx->cmac.c,key); inp += 16; out += 16; len -= 16; } if (len) { (*block)(ctx->nonce.c,scratch.c,key); for (i=0; i<len; ++i) ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); (*block)(ctx->cmac.c,ctx->cmac.c,key); } for (i=15-L;i<16;++i) ctx->nonce.c[i]=0; (*block)(ctx->nonce.c,scratch.c,key); ctx->cmac.u[0] ^= scratch.u[0]; ctx->cmac.u[1] ^= scratch.u[1]; ctx->nonce.c[0] = flags0; return 0; } static void rk_ctr64_add (unsigned char *counter,size_t inc) { size_t n=8, val=0; counter += 8; do { --n; val += counter[n] + (inc&0xff); counter[n] = (unsigned char)val; val >>= 8; /* carry bit */ inc >>= 8; } while(n && (inc || val)); } static int rk_crypto_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx, const unsigned char *inp, unsigned char *out, size_t len,ccm128_f stream) { size_t n; unsigned int i,L; unsigned char flags0 = ctx->nonce.c[0]; block128_f block = ctx->block; void * key = ctx->key; union { u64 u[2]; u8 c[16]; } scratch; if (!(flags0&0x40)) (*block)(ctx->nonce.c,ctx->cmac.c,key), ctx->blocks++; ctx->nonce.c[0] = L = flags0&7; for (n=0,i=15-L;i<15;++i) { n |= ctx->nonce.c[i]; ctx->nonce.c[i]=0; n <<= 8; } n |= ctx->nonce.c[15]; /* reconstructed length */ ctx->nonce.c[15]=1; if (n!=len) return -1; /* length mismatch */ ctx->blocks += ((len+15)>>3)|1; if (ctx->blocks > (U64(1)<<61)) return -2; /* too much data */ n=len/16; if (n) { (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); n *= 16; inp += n; out += n; len -= n; if (len) rk_ctr64_add(ctx->nonce.c,n/16); } if (len) { for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i]; (*block)(ctx->cmac.c,ctx->cmac.c,key); (*block)(ctx->nonce.c,scratch.c,key); for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i]; } for (i=15-L;i<16;++i) ctx->nonce.c[i]=0; (*block)(ctx->nonce.c,scratch.c,key); ctx->cmac.u[0] ^= scratch.u[0]; ctx->cmac.u[1] ^= scratch.u[1]; ctx->nonce.c[0] = flags0; return 0; } static int rk_crypto_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx, const unsigned char *inp, unsigned char *out, size_t len,ccm128_f stream) { size_t n; unsigned int i,L; unsigned char flags0 = ctx->nonce.c[0]; block128_f block = ctx->block; void * key = ctx->key; union { u64 u[2]; u8 c[16]; } scratch; if (!(flags0&0x40)) (*block)(ctx->nonce.c,ctx->cmac.c,key); ctx->nonce.c[0] = L = flags0&7; for (n=0,i=15-L;i<15;++i) { n |= ctx->nonce.c[i]; ctx->nonce.c[i]=0; n <<= 8; } n |= ctx->nonce.c[15]; /* reconstructed length */ ctx->nonce.c[15]=1; if (n!=len) return -1; n=len/16; if (n) { (*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c); n *= 16; inp += n; out += n; len -= n; if (len) rk_ctr64_add(ctx->nonce.c,n/16); } if (len) { (*block)(ctx->nonce.c,scratch.c,key); for (i=0; i<len; ++i) ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]); (*block)(ctx->cmac.c,ctx->cmac.c,key); } for (i=15-L;i<16;++i) ctx->nonce.c[i]=0; (*block)(ctx->nonce.c,scratch.c,key); ctx->cmac.u[0] ^= scratch.u[0]; ctx->cmac.u[1] ^= scratch.u[1]; ctx->nonce.c[0] = flags0; return 0; } static size_t rk_crypto_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len) { unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */ M *= 2; M += 2; if (len<M) return 0; memcpy(tag,ctx->cmac.c,M); return M; } #endif /*m is the lengh of tag*/ #if 0 int rk_aes_ccm_op(struct sm4_ae_in *in, struct sm4_ae_out *out, const int enc) { int time = 0; int i = 0; RK_AES_KEY ks1, ks2; CCM128_CONTEXT ctx; int ret = 0; //unsigned int m = 12; unsigned int l = 0; if (in->key == NULL || in->iv == NULL || in->src == NULL || in->aad == NULL) return -1; if (in->key_len!= 128/8 && in->key_len != 192/8 && in->key_len != 256/8) return -2; if(in->src_len % 16 != 0) return -3; if(out->dest == NULL || out->tag == NULL) return -4; printf("-----param sucess-----\n"); l = out->dest_len;/* dest_len = inlength */ ret = rk_aes_set_encrypt_key(in->key, in->key_len * 8, &ks1); if(ret != 0) printf("-----set_encrypt_key fail-----\n"); rk_crypto_ccm128_init(&ctx, in->tag_size, l, &ks1, (block128_f)rk_aes_encrypt); ret = rk_crypto_ccm128_setiv(&ctx, in->iv, in->iv_len, l);/*l ?*/ if (ret != 0) printf("========rk_crypto_ccm128_setiv ret = %d================\n",ret); rk_crypto_ccm128_aad(&ctx, in->aad, in->aad_len); if(enc){ if((ret = rk_crypto_ccm128_encrypt(&ctx, in->src , out->dest,in->src_len)) != 0) printf("=========rk_crypto_ccm128_encrypt ret = %d===\n",ret); rk_crypto_ccm128_tag(&ctx, out->tag, 12); /*tag is length*/ } else{if((ret = rk_crypto_ccm128_decrypt(&ctx, out->dest, in->src, out->dest_len)) != 0) printf("=========rk_crypto_ccm128_decrypt ret = %d===\n",ret); } printf("----op done------------"); return 0; } #endif static int compare_string(char *a, char *b, unsigned int len) { unsigned int i; if((len <= 0) || (a == NULL) || (b == NULL)) return -1; for (i = 0; i < len; i++){ if(*a != *b) return -1; a++; b++; } return 0; } static void dump_hex(char *var_name, unsigned char *data, unsigned int len) { unsigned int i; printf("LINE:%d %s:", __LINE__, var_name); for (i = 0; i < len; i++) { if(i % 16 == 0) printf("\n"); printf("%02x ", data[i]); } printf("\n"); } int rk_sm4_ccm_op(struct sm4_ae_in *in, struct sm4_ae_out *out, const int enc) { sm4_context sm4_ctx; CCM128_CONTEXT ctx; int ret = 0; unsigned int m = 0; unsigned int l = 0; unsigned char tag_tmp[16]= {0}; if (in->key == NULL || in->iv == NULL || in->src == NULL || in->aad == NULL) return -1; if (in->key_len!= 16) return -2; if(in->src_len % 16 != 0) return -3; if(out->dest == NULL || out->tag == NULL) return -4; m = in->tag_size; // tag_tmp = malloc(m); l = 15 - in->iv_len; /* l + iv_len = 15 */ rk_sm4_setkey_enc(&sm4_ctx, in->key); if(ret != 0) printf("-----set_encrypt_key fail-----\n"); /* M :tag size ,L = 8? src_Len*/ rk_crypto_ccm128_init(&ctx, in->tag_size, l, &sm4_ctx, rk_rk_sm4_crypt_ecb); // ret = rk_crypto_ccm128_setiv(&ctx, in->iv, in->iv_len, l);/*l ?*/ ret = rk_crypto_ccm128_setiv(&ctx, in->iv, in->iv_len, in->src_len); if (ret != 0) printf("========rk_crypto_ccm128_setiv ret = %d================\n",ret); rk_crypto_ccm128_aad(&ctx, in->aad, in->aad_len); /* verify tag */ if (enc == 2){ if((ret = rk_crypto_ccm128_encrypt(&ctx, in->src , out->dest,in->src_len)) != 0) printf("=========rk_crypto_ccm128_encrypt ret = %d===\n",ret); rk_crypto_ccm128_tag(&ctx, tag_tmp, m); /*tag is length*/ ret = compare_string((char*)tag_tmp,out->tag,m); if (ret!=0){ dump_hex("verify tag_tmp:",tag_tmp,m); dump_hex("verify out->tag:",out->tag,m); printf("=======ccm verify failed========\n"); return ret; } return ret; } if(enc == 1){ if((ret = rk_crypto_ccm128_encrypt(&ctx, in->src , out->dest,in->src_len)) != 0) printf("=========rk_crypto_ccm128_encrypt ret = %d===\n",ret); rk_crypto_ccm128_tag(&ctx, out->tag, m); /*tag is length*/ #if CCM_DEBUG dump_hex("rk: out->dest:",out->dest,in->src_len); dump_hex("cmm --out->tag:",out->tag,m); #endif } if(enc == 0){ if((ret = rk_crypto_ccm128_decrypt(&ctx, out->dest, in->src, out->dest_len)) != 0) printf("=========rk_crypto_ccm128_decrypt ret = %d===\n",ret); } return ret; }