ledger-secure-sdk/cx__aes__siv_8c_source.html

/* @BANNER@ */


#ifdef HAVE_AES_SIV

#if defined(HAVE_AES) && defined(HAVE_CMAC)

#include "cx_cmac.h"

#include "cx_utils.h"

#include "lcx_cmac.h"

#include "lcx_aes_siv.h"


static void cx_clear_bits(uint8_t *input)

{

    input[8] &= 0x7f;

    input[12] &= 0x7f;

}


cx_err_t cx_aes_siv_init(cx_aes_siv_context_t *ctx)

{

    cx_err_t error;

    CX_CHECK(cx_cipher_init(ctx->cipher_ctx));


end:

    return error;

}


cx_err_t cx_aes_siv_reset(cx_aes_siv_context_t *ctx)

{

    cx_err_t error = CX_INVALID_PARAMETER_VALUE;

    if (ctx->cipher_ctx == NULL) {

        goto end;

    }

    if (ctx->cipher_ctx->cipher_info == NULL) {

        goto clear_ctx;

    }


    CX_CHECK(ctx->cipher_ctx->cipher_info->base->ctx_reset());


clear_ctx:

    cx_cipher_reset(ctx->cipher_ctx);


end:

    return error;

}


cx_err_t cx_aes_siv_set_key(cx_aes_siv_context_t *ctx, const uint8_t *key, size_t key_bitlen)

{

    // AES SIV uses two keys of either 128, 192 or 256 bits each

    if (key_bitlen > AES_SIV_MAX_KEY_LEN * AES_SIV_KEY_NUMBER * 8) {

        return CX_INVALID_PARAMETER_SIZE;

    }


    ctx->key_len = key_bitlen / 2;

    memcpy(ctx->key1, key, ctx->key_len / 8);

    memcpy(ctx->key2, key + ctx->key_len / 8, ctx->key_len / 8);

    return CX_OK;

}


cx_err_t cx_aes_siv_start(cx_aes_siv_context_t *ctx,

                          uint32_t              mode,

                          const uint8_t        *iv,

                          size_t                iv_len)

{

    uint8_t  iv_used[CX_AES_BLOCK_SIZE] = {0};

    cx_err_t error;


    // Set up cipher to be used for CMAC computation

    CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_ECB));

    CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));

    CX_CHECK(cx_cmac_update(ctx->cipher_ctx, iv_used, CX_AES_BLOCK_SIZE));

    CX_CHECK(cx_cmac_finish(ctx->cipher_ctx, ctx->tag_state));


    if (CX_DECRYPT == mode) {

        // Prepare for the AES-CTR computation

        memcpy(iv_used, iv, iv_len);

        cx_clear_bits(iv_used);

        CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_CTR));

        CX_CHECK(cx_cipher_setkey(ctx->cipher_ctx, ctx->key2, ctx->key_len, CX_ENCRYPT));

        CX_CHECK(cx_cipher_setiv(ctx->cipher_ctx, iv_used, CX_AES_BLOCK_SIZE));

    }

    ctx->mode = mode;


end:

    return error;

}


cx_err_t cx_aes_siv_update_aad(cx_aes_siv_context_t *ctx, const uint8_t *aad, size_t aad_len)

{

    uint8_t  tmp[CX_AES_BLOCK_SIZE] = {0};

    cx_err_t error;


    CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_ECB));

    CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));


    if (NULL == aad) {

        return CX_OK;

    }


    CX_CHECK(cx_cmac_shift_and_xor(tmp, ctx->tag_state, CX_AES_BLOCK_SIZE));

    CX_CHECK(cx_cmac_update(ctx->cipher_ctx, aad, aad_len));

    CX_CHECK(cx_cmac_finish(ctx->cipher_ctx, ctx->tag_state));

    cx_memxor(ctx->tag_state, tmp, CX_AES_BLOCK_SIZE);

    CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));


end:

    return error;

}


cx_err_t cx_aes_siv_update_mac(cx_aes_siv_context_t *ctx, const uint8_t *input, size_t in_len)

{

    return cx_cmac_update(ctx->cipher_ctx, input, in_len);

}


cx_err_t cx_aes_siv_update(cx_aes_siv_context_t *ctx,

                           const uint8_t        *input,

                           uint8_t              *output,

                           size_t                len)

{

    size_t   out_len = len;

    cx_err_t error;

    CX_CHECK(cx_cipher_update(ctx->cipher_ctx, input, len, output, &out_len));


end:

    return error;

}


static cx_err_t cx_aes_siv_check_tag(cx_aes_siv_context_t *ctx, const uint8_t *tag)

{

    uint8_t diff;

    diff = cx_constant_time_eq(tag, ctx->tag_state, CX_AES_BLOCK_SIZE);

    return diff * CX_INVALID_PARAMETER_VALUE + (1 - diff) * CX_OK;

}


cx_err_t cx_aes_siv_finish(cx_aes_siv_context_t *ctx,

                           const uint8_t        *input,

                           size_t                in_len,

                           uint8_t              *tag)

{

    uint8_t  tmp[CX_AES_BLOCK_SIZE] = {0};

    cx_err_t error;


    if (in_len < CX_AES_BLOCK_SIZE) {

        CX_CHECK(cx_cmac_shift_and_xor(tmp, ctx->tag_state, CX_AES_BLOCK_SIZE));

        memset(ctx->tag_state, 0, CX_AES_BLOCK_SIZE);

        memcpy(ctx->tag_state, input, in_len);

        add_one_and_zeros_padding(ctx->tag_state, CX_AES_BLOCK_SIZE, in_len);

        cx_memxor(tmp, ctx->tag_state, CX_AES_BLOCK_SIZE);

        CX_CHECK(cx_cmac_update(ctx->cipher_ctx, tmp, CX_AES_BLOCK_SIZE));

        CX_CHECK(cx_cmac_finish(ctx->cipher_ctx, ctx->tag_state));

    }

    else {

        CX_CHECK(cx_cmac_update(ctx->cipher_ctx, input, in_len - CX_AES_BLOCK_SIZE));

        cx_memxor(ctx->tag_state, input + in_len - CX_AES_BLOCK_SIZE, CX_AES_BLOCK_SIZE);

        CX_CHECK(cx_cmac_update(ctx->cipher_ctx, ctx->tag_state, CX_AES_BLOCK_SIZE));

        CX_CHECK(cx_cmac_finish(ctx->cipher_ctx, ctx->tag_state));

    }

    if (CX_DECRYPT == ctx->mode) {

        return cx_aes_siv_check_tag(ctx, tag);

    }

    memcpy(tag, ctx->tag_state, CX_AES_BLOCK_SIZE);

    // Prepare for the AES-CTR computation

    cx_clear_bits(ctx->tag_state);

    CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_CTR));

    CX_CHECK(cx_cipher_setkey(ctx->cipher_ctx, ctx->key2, ctx->key_len, CX_ENCRYPT));

    CX_CHECK(cx_cipher_setiv(ctx->cipher_ctx, ctx->tag_state, CX_AES_BLOCK_SIZE));


end:

    return error;

}


cx_err_t cx_aes_siv_encrypt(cx_aes_siv_context_t *ctx,

                            const uint8_t        *input,

                            size_t                in_len,

                            const uint8_t        *aad,

                            size_t                aad_len,

                            uint8_t              *output,

                            uint8_t              *tag)

{

    cx_err_t error;

    cx_err_t err_reset = CX_INTERNAL_ERROR;

    CX_CHECK(cx_aes_siv_start(ctx, CX_ENCRYPT, NULL, 0));

    CX_CHECK(cx_aes_siv_update_aad(ctx, aad, aad_len));

    CX_CHECK(cx_aes_siv_finish(ctx, input, in_len, tag));

    CX_CHECK(cx_aes_siv_update(ctx, input, output, in_len));

end:

    err_reset = cx_aes_siv_reset(ctx);

    return error == CX_OK ? err_reset : error;

}


cx_err_t cx_aes_siv_decrypt(cx_aes_siv_context_t *ctx,

                            const uint8_t        *input,

                            size_t                in_len,

                            const uint8_t        *aad,

                            size_t                aad_len,

                            uint8_t              *output,

                            uint8_t              *tag)

{

    cx_err_t error;

    cx_err_t err_reset = CX_INTERNAL_ERROR;

    CX_CHECK(cx_aes_siv_start(ctx, CX_DECRYPT, tag, CX_AES_BLOCK_SIZE));

    CX_CHECK(cx_aes_siv_update(ctx, input, output, in_len));

    CX_CHECK(cx_aes_siv_reset(ctx));

    CX_CHECK(cx_aes_siv_update_aad(ctx, aad, aad_len));

    CX_CHECK(cx_aes_siv_finish(ctx, output, in_len, tag));


end:

    err_reset = cx_aes_siv_reset(ctx);

    return error == CX_OK ? err_reset : error;

}


#endif  // HAVE_AES && HAVE_CMAC

#endif  // HAVE_AES_SIV

cx_cmac.h

cx_constant_time_eq
uint8_t cx_constant_time_eq(const uint8_t *buf1, uint8_t *buf2, size_t len)
Definition cx_utils.c:181

cx_memxor
void cx_memxor(uint8_t *buf1, const uint8_t *buf2, size_t len)
Definition cx_utils.c:173

cx_utils.h

lcx_aes_siv.h
Advanced Encryption Standard with Synthetic Initialization Vector (AES-SIV).

cx_cipher_reset
void cx_cipher_reset(cx_cipher_context_t *ctx)
Definition cx_cipher.c:516

add_one_and_zeros_padding
void add_one_and_zeros_padding(uint8_t *output, size_t out_len, size_t data_len)
Definition cx_cipher.c:79

cx_cipher_update
WARN_UNUSED_RESULT cx_err_t cx_cipher_update(cx_cipher_context_t *ctx, const uint8_t *input, size_t in_len, uint8_t *output, size_t *out_len)
Encrypt or decrypt with the given context.
Definition cx_cipher.c:324

cx_cipher_setkey
WARN_UNUSED_RESULT cx_err_t cx_cipher_setkey(cx_cipher_context_t *ctx, const uint8_t *key, uint32_t key_bitlen, uint32_t operation)
Set the key to use.
Definition cx_cipher.c:253

cx_cipher_setiv
WARN_UNUSED_RESULT cx_err_t cx_cipher_setiv(cx_cipher_context_t *ctx, const uint8_t *iv, size_t iv_len)
Set the initialization vector.
Definition cx_cipher.c:276

cx_cipher_init
WARN_UNUSED_RESULT cx_err_t cx_cipher_init(cx_cipher_context_t *ctx)
Initialize a cipher context as NONE.
Definition cx_cipher.c:209

cx_cipher_setup
WARN_UNUSED_RESULT cx_err_t cx_cipher_setup(cx_cipher_context_t *ctx, const cx_cipher_id_t type, uint32_t mode)
Initialize and fill the context structure given the cipher info.
Definition cx_cipher.c:218

lcx_cmac.h
CMAC (Cipher-based Message Authentication Code).

CX_CHAIN_CTR
#define CX_CHAIN_CTR
Definition lcx_common.h:148

CX_ENCRYPT
#define CX_ENCRYPT
Definition lcx_common.h:126

CX_DECRYPT
#define CX_DECRYPT
Definition lcx_common.h:127

CX_CHAIN_ECB
#define CX_CHAIN_ECB
Definition lcx_common.h:146