xref: /btstack/test/crypto/aes_cmac.c (revision 9f087478e061aa0ee7aa0554f4961bfdbedba008) 
1bdcc259dSMatthias Ringwald #include "aes_cmac.h"
2bdcc259dSMatthias Ringwald #include "rijndael.h"
3bdcc259dSMatthias Ringwald 
4bdcc259dSMatthias Ringwald #include <string.h>
5bdcc259dSMatthias Ringwald 
sm_shift_left_by_one_bit_inplace(int len,uint8_t * data)6bdcc259dSMatthias Ringwald static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data){
7bdcc259dSMatthias Ringwald     int i;
8bdcc259dSMatthias Ringwald     int carry = 0;
9bdcc259dSMatthias Ringwald     for (i=len-1; i >= 0 ; i--){
10bdcc259dSMatthias Ringwald         int new_carry = data[i] >> 7;
11bdcc259dSMatthias Ringwald         data[i] = data[i] << 1 | carry;
12bdcc259dSMatthias Ringwald         carry = new_carry;
13bdcc259dSMatthias Ringwald     }
14bdcc259dSMatthias Ringwald }
15bdcc259dSMatthias Ringwald 
aes128_calc_cyphertext(const uint8_t key[16],const uint8_t plaintext[16],uint8_t cyphertext[16])16bdcc259dSMatthias Ringwald void aes128_calc_cyphertext(const uint8_t key[16], const uint8_t plaintext[16], uint8_t cyphertext[16]){
17bdcc259dSMatthias Ringwald 	uint32_t rk[RKLENGTH(KEYBITS)];
18bdcc259dSMatthias Ringwald 	int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS);
19bdcc259dSMatthias Ringwald 	rijndaelEncrypt(rk, nrounds, plaintext, cyphertext);
20bdcc259dSMatthias Ringwald }
21bdcc259dSMatthias Ringwald 
aes_cmac_calc_subkeys(sm_key_t k0,sm_key_t k1,sm_key_t k2)22bdcc259dSMatthias Ringwald void aes_cmac_calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){
23bdcc259dSMatthias Ringwald     memcpy(k1, k0, 16);
24bdcc259dSMatthias Ringwald     sm_shift_left_by_one_bit_inplace(16, k1);
25bdcc259dSMatthias Ringwald     if (k0[0] & 0x80){
26bdcc259dSMatthias Ringwald         k1[15] ^= 0x87;
27bdcc259dSMatthias Ringwald     }
28bdcc259dSMatthias Ringwald     memcpy(k2, k1, 16);
29bdcc259dSMatthias Ringwald     sm_shift_left_by_one_bit_inplace(16, k2);
30bdcc259dSMatthias Ringwald     if (k1[0] & 0x80){
31bdcc259dSMatthias Ringwald         k2[15] ^= 0x87;
32bdcc259dSMatthias Ringwald     }
33bdcc259dSMatthias Ringwald }
34bdcc259dSMatthias Ringwald 
aes_cmac(sm_key_t aes_cmac,const sm_key_t key,const uint8_t * data,int sm_cmac_message_len)35bdcc259dSMatthias Ringwald void aes_cmac(sm_key_t aes_cmac, const sm_key_t key, const uint8_t * data, int sm_cmac_message_len){
368e361704SMatthias Ringwald     unsigned int i;
37bdcc259dSMatthias Ringwald 	sm_key_t k0, k1, k2, zero;
38bdcc259dSMatthias Ringwald 	memset(zero, 0, 16);
39bdcc259dSMatthias Ringwald 
40bdcc259dSMatthias Ringwald 	aes128_calc_cyphertext(key, zero, k0);
41bdcc259dSMatthias Ringwald 	aes_cmac_calc_subkeys(k0, k1, k2);
42bdcc259dSMatthias Ringwald 
43bdcc259dSMatthias Ringwald     int sm_cmac_block_count = (sm_cmac_message_len + 15) / 16;
44bdcc259dSMatthias Ringwald 
45bdcc259dSMatthias Ringwald     // step 3: ..
46bdcc259dSMatthias Ringwald     if (sm_cmac_block_count==0){
47bdcc259dSMatthias Ringwald         sm_cmac_block_count = 1;
48bdcc259dSMatthias Ringwald     }
49bdcc259dSMatthias Ringwald 
508e361704SMatthias Ringwald     // printf("sm_cmac_start: len %u, block count %u\n", sm_cmac_message_len, sm_cmac_block_count);
518e361704SMatthias Ringwald     // LOG_KEY(sm_cmac_m_last);
528e361704SMatthias Ringwald 
538e361704SMatthias Ringwald     // Step 5
548e361704SMatthias Ringwald     sm_key_t sm_cmac_x;
558e361704SMatthias Ringwald     memset(sm_cmac_x, 0, 16);
568e361704SMatthias Ringwald 
578e361704SMatthias Ringwald     // Step 6
588e361704SMatthias Ringwald     sm_key_t sm_cmac_y;
59*9f087478SMatthias Ringwald     int block;
60*9f087478SMatthias Ringwald     for (block = 0 ; block < sm_cmac_block_count-1 ; block++){
618e361704SMatthias Ringwald         for (i=0;i<16;i++){
628e361704SMatthias Ringwald         	sm_cmac_y[i] = sm_cmac_x[i] ^ data[block * 16 + i];
638e361704SMatthias Ringwald         }
648e361704SMatthias Ringwald         aes128_calc_cyphertext(key, sm_cmac_y, sm_cmac_x);
658e361704SMatthias Ringwald     }
668e361704SMatthias Ringwald 
67bdcc259dSMatthias Ringwald     // step 4: set m_last
68bdcc259dSMatthias Ringwald     sm_key_t sm_cmac_m_last;
69bdcc259dSMatthias Ringwald     int sm_cmac_last_block_complete = sm_cmac_message_len != 0 && (sm_cmac_message_len & 0x0f) == 0;
70bdcc259dSMatthias Ringwald     if (sm_cmac_last_block_complete){
71bdcc259dSMatthias Ringwald         for (i=0;i<16;i++){
72bdcc259dSMatthias Ringwald             sm_cmac_m_last[i] = data[sm_cmac_message_len - 16 + i] ^ k1[i];
73bdcc259dSMatthias Ringwald         }
74bdcc259dSMatthias Ringwald     } else {
75bdcc259dSMatthias Ringwald         int valid_octets_in_last_block = sm_cmac_message_len & 0x0f;
76bdcc259dSMatthias Ringwald         for (i=0;i<16;i++){
77bdcc259dSMatthias Ringwald             if (i < valid_octets_in_last_block){
78bdcc259dSMatthias Ringwald                 sm_cmac_m_last[i] = data[(sm_cmac_message_len & 0xfff0) + i] ^ k2[i];
79bdcc259dSMatthias Ringwald                 continue;
80bdcc259dSMatthias Ringwald             }
81bdcc259dSMatthias Ringwald             if (i == valid_octets_in_last_block){
82bdcc259dSMatthias Ringwald                 sm_cmac_m_last[i] = 0x80 ^ k2[i];
83bdcc259dSMatthias Ringwald                 continue;
84bdcc259dSMatthias Ringwald             }
85bdcc259dSMatthias Ringwald             sm_cmac_m_last[i] = k2[i];
86bdcc259dSMatthias Ringwald         }
87bdcc259dSMatthias Ringwald     }
88bdcc259dSMatthias Ringwald 
89bdcc259dSMatthias Ringwald     for (i=0;i<16;i++){
90bdcc259dSMatthias Ringwald 		sm_cmac_y[i] = sm_cmac_x[i] ^ sm_cmac_m_last[i];
91bdcc259dSMatthias Ringwald     }
92bdcc259dSMatthias Ringwald 
93bdcc259dSMatthias Ringwald 	// Step 7
94bdcc259dSMatthias Ringwald     aes128_calc_cyphertext(key, sm_cmac_y, aes_cmac);
95bdcc259dSMatthias Ringwald }