1*bdcc259dSMatthias Ringwald #include "aes_cmac.h" 2*bdcc259dSMatthias Ringwald #include "rijndael.h" 3*bdcc259dSMatthias Ringwald 4*bdcc259dSMatthias Ringwald #include <string.h> 5*bdcc259dSMatthias Ringwald 6*bdcc259dSMatthias Ringwald static void sm_shift_left_by_one_bit_inplace(int len, uint8_t * data){ 7*bdcc259dSMatthias Ringwald int i; 8*bdcc259dSMatthias Ringwald int carry = 0; 9*bdcc259dSMatthias Ringwald for (i=len-1; i >= 0 ; i--){ 10*bdcc259dSMatthias Ringwald int new_carry = data[i] >> 7; 11*bdcc259dSMatthias Ringwald data[i] = data[i] << 1 | carry; 12*bdcc259dSMatthias Ringwald carry = new_carry; 13*bdcc259dSMatthias Ringwald } 14*bdcc259dSMatthias Ringwald } 15*bdcc259dSMatthias Ringwald 16*bdcc259dSMatthias Ringwald void aes128_calc_cyphertext(const uint8_t key[16], const uint8_t plaintext[16], uint8_t cyphertext[16]){ 17*bdcc259dSMatthias Ringwald uint32_t rk[RKLENGTH(KEYBITS)]; 18*bdcc259dSMatthias Ringwald int nrounds = rijndaelSetupEncrypt(rk, &key[0], KEYBITS); 19*bdcc259dSMatthias Ringwald rijndaelEncrypt(rk, nrounds, plaintext, cyphertext); 20*bdcc259dSMatthias Ringwald } 21*bdcc259dSMatthias Ringwald 22*bdcc259dSMatthias Ringwald void aes_cmac_calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){ 23*bdcc259dSMatthias Ringwald memcpy(k1, k0, 16); 24*bdcc259dSMatthias Ringwald sm_shift_left_by_one_bit_inplace(16, k1); 25*bdcc259dSMatthias Ringwald if (k0[0] & 0x80){ 26*bdcc259dSMatthias Ringwald k1[15] ^= 0x87; 27*bdcc259dSMatthias Ringwald } 28*bdcc259dSMatthias Ringwald memcpy(k2, k1, 16); 29*bdcc259dSMatthias Ringwald sm_shift_left_by_one_bit_inplace(16, k2); 30*bdcc259dSMatthias Ringwald if (k1[0] & 0x80){ 31*bdcc259dSMatthias Ringwald k2[15] ^= 0x87; 32*bdcc259dSMatthias Ringwald } 33*bdcc259dSMatthias Ringwald } 34*bdcc259dSMatthias Ringwald 35*bdcc259dSMatthias Ringwald void aes_cmac(sm_key_t aes_cmac, const sm_key_t key, const uint8_t * data, int sm_cmac_message_len){ 36*bdcc259dSMatthias Ringwald sm_key_t k0, k1, k2, zero; 37*bdcc259dSMatthias Ringwald memset(zero, 0, 16); 38*bdcc259dSMatthias Ringwald 39*bdcc259dSMatthias Ringwald aes128_calc_cyphertext(key, zero, k0); 40*bdcc259dSMatthias Ringwald aes_cmac_calc_subkeys(k0, k1, k2); 41*bdcc259dSMatthias Ringwald 42*bdcc259dSMatthias Ringwald int sm_cmac_block_count = (sm_cmac_message_len + 15) / 16; 43*bdcc259dSMatthias Ringwald 44*bdcc259dSMatthias Ringwald // step 3: .. 45*bdcc259dSMatthias Ringwald if (sm_cmac_block_count==0){ 46*bdcc259dSMatthias Ringwald sm_cmac_block_count = 1; 47*bdcc259dSMatthias Ringwald } 48*bdcc259dSMatthias Ringwald 49*bdcc259dSMatthias Ringwald // step 4: set m_last 50*bdcc259dSMatthias Ringwald sm_key_t sm_cmac_m_last; 51*bdcc259dSMatthias Ringwald int sm_cmac_last_block_complete = sm_cmac_message_len != 0 && (sm_cmac_message_len & 0x0f) == 0; 52*bdcc259dSMatthias Ringwald int i; 53*bdcc259dSMatthias Ringwald if (sm_cmac_last_block_complete){ 54*bdcc259dSMatthias Ringwald for (i=0;i<16;i++){ 55*bdcc259dSMatthias Ringwald sm_cmac_m_last[i] = data[sm_cmac_message_len - 16 + i] ^ k1[i]; 56*bdcc259dSMatthias Ringwald } 57*bdcc259dSMatthias Ringwald } else { 58*bdcc259dSMatthias Ringwald int valid_octets_in_last_block = sm_cmac_message_len & 0x0f; 59*bdcc259dSMatthias Ringwald for (i=0;i<16;i++){ 60*bdcc259dSMatthias Ringwald if (i < valid_octets_in_last_block){ 61*bdcc259dSMatthias Ringwald sm_cmac_m_last[i] = data[(sm_cmac_message_len & 0xfff0) + i] ^ k2[i]; 62*bdcc259dSMatthias Ringwald continue; 63*bdcc259dSMatthias Ringwald } 64*bdcc259dSMatthias Ringwald if (i == valid_octets_in_last_block){ 65*bdcc259dSMatthias Ringwald sm_cmac_m_last[i] = 0x80 ^ k2[i]; 66*bdcc259dSMatthias Ringwald continue; 67*bdcc259dSMatthias Ringwald } 68*bdcc259dSMatthias Ringwald sm_cmac_m_last[i] = k2[i]; 69*bdcc259dSMatthias Ringwald } 70*bdcc259dSMatthias Ringwald } 71*bdcc259dSMatthias Ringwald 72*bdcc259dSMatthias Ringwald // printf("sm_cmac_start: len %u, block count %u\n", sm_cmac_message_len, sm_cmac_block_count); 73*bdcc259dSMatthias Ringwald // LOG_KEY(sm_cmac_m_last); 74*bdcc259dSMatthias Ringwald 75*bdcc259dSMatthias Ringwald // Step 5 76*bdcc259dSMatthias Ringwald sm_key_t sm_cmac_x; 77*bdcc259dSMatthias Ringwald memset(sm_cmac_x, 0, 16); 78*bdcc259dSMatthias Ringwald 79*bdcc259dSMatthias Ringwald // Step 6 80*bdcc259dSMatthias Ringwald sm_key_t sm_cmac_y; 81*bdcc259dSMatthias Ringwald for (int block = 0 ; block < sm_cmac_block_count-1 ; block++){ 82*bdcc259dSMatthias Ringwald for (i=0;i<16;i++){ 83*bdcc259dSMatthias Ringwald sm_cmac_y[i] = sm_cmac_x[i] ^ data[block * 16 + i]; 84*bdcc259dSMatthias Ringwald } 85*bdcc259dSMatthias Ringwald aes128_calc_cyphertext(key, sm_cmac_y, sm_cmac_x); 86*bdcc259dSMatthias Ringwald } 87*bdcc259dSMatthias Ringwald for (i=0;i<16;i++){ 88*bdcc259dSMatthias Ringwald sm_cmac_y[i] = sm_cmac_x[i] ^ sm_cmac_m_last[i]; 89*bdcc259dSMatthias Ringwald } 90*bdcc259dSMatthias Ringwald 91*bdcc259dSMatthias Ringwald // Step 7 92*bdcc259dSMatthias Ringwald aes128_calc_cyphertext(key, sm_cmac_y, aes_cmac); 93*bdcc259dSMatthias Ringwald }