2016-09-26 21:37:39 +08:00
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* Copyright (C) 2008-2012 Broadcom Corporation
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at:
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
|
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* This file contains the implementation of the AES128 CMAC algorithm.
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
|
2018-04-08 12:10:50 +08:00
|
|
|
#include "common/bt_target.h"
|
|
|
|
#include "osi/allocator.h"
|
2016-09-26 21:37:39 +08:00
|
|
|
|
|
|
|
#if SMP_INCLUDED == TRUE
|
|
|
|
// #include <stdio.h>
|
2016-11-25 02:10:15 +08:00
|
|
|
#include <string.h>
|
2016-09-26 21:37:39 +08:00
|
|
|
|
2018-04-08 12:10:50 +08:00
|
|
|
#include "stack/btm_ble_api.h"
|
2016-11-25 02:10:15 +08:00
|
|
|
#include "smp_int.h"
|
2018-04-08 12:10:50 +08:00
|
|
|
#include "stack/hcimsgs.h"
|
2016-09-26 21:37:39 +08:00
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
typedef struct {
|
2016-09-26 21:37:39 +08:00
|
|
|
UINT8 *text;
|
|
|
|
UINT16 len;
|
|
|
|
UINT16 round;
|
2016-11-25 02:10:15 +08:00
|
|
|
} tCMAC_CB;
|
2016-09-26 21:37:39 +08:00
|
|
|
|
|
|
|
tCMAC_CB cmac_cb;
|
|
|
|
|
|
|
|
/* Rb for AES-128 as block cipher, LSB as [0] */
|
2018-11-06 15:34:38 +08:00
|
|
|
const BT_OCTET16 const_Rb = {
|
2016-09-26 21:37:39 +08:00
|
|
|
0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
|
|
};
|
|
|
|
|
|
|
|
void print128(BT_OCTET16 x, const UINT8 *key_name)
|
|
|
|
{
|
|
|
|
#if SMP_DEBUG == TRUE && SMP_DEBUG_VERBOSE == TRUE
|
|
|
|
UINT8 *p = (UINT8 *)x;
|
|
|
|
UINT8 i;
|
|
|
|
|
|
|
|
SMP_TRACE_WARNING("%s(MSB ~ LSB) = ", key_name);
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
for (i = 0; i < 4; i ++) {
|
2016-09-26 21:37:39 +08:00
|
|
|
SMP_TRACE_WARNING("%02x %02x %02x %02x",
|
2016-11-25 02:10:15 +08:00
|
|
|
p[BT_OCTET16_LEN - i * 4 - 1], p[BT_OCTET16_LEN - i * 4 - 2],
|
|
|
|
p[BT_OCTET16_LEN - i * 4 - 3], p[BT_OCTET16_LEN - i * 4 - 4]);
|
2016-09-26 21:37:39 +08:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function padding
|
|
|
|
**
|
|
|
|
** Description utility function to padding the given text to be a 128 bits
|
|
|
|
** data. The parameter dest is input and output parameter, it
|
|
|
|
** must point to a BT_OCTET16_LEN memory space; where include
|
|
|
|
** length bytes valid data.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static void padding ( BT_OCTET16 dest, UINT8 length )
|
|
|
|
{
|
|
|
|
UINT8 i, *p = dest;
|
|
|
|
/* original last block */
|
2016-11-25 02:10:15 +08:00
|
|
|
for ( i = length ; i < BT_OCTET16_LEN; i++ ) {
|
2016-09-26 21:37:39 +08:00
|
|
|
p[BT_OCTET16_LEN - i - 1] = ( i == length ) ? 0x80 : 0;
|
2016-11-25 02:10:15 +08:00
|
|
|
}
|
2016-09-26 21:37:39 +08:00
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function leftshift_onebit
|
|
|
|
**
|
|
|
|
** Description utility function to left shift one bit for a 128 bits value.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static void leftshift_onebit(UINT8 *input, UINT8 *output)
|
|
|
|
{
|
|
|
|
UINT8 i, overflow = 0 , next_overflow = 0;
|
|
|
|
SMP_TRACE_EVENT ("leftshift_onebit ");
|
|
|
|
/* input[0] is LSB */
|
2016-11-25 02:10:15 +08:00
|
|
|
for ( i = 0; i < BT_OCTET16_LEN ; i ++ ) {
|
|
|
|
next_overflow = (input[i] & 0x80) ? 1 : 0;
|
2016-09-26 21:37:39 +08:00
|
|
|
output[i] = (input[i] << 1) | overflow;
|
|
|
|
overflow = next_overflow;
|
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function cmac_aes_cleanup
|
|
|
|
**
|
|
|
|
** Description clean up function for AES_CMAC algorithm.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static void cmac_aes_cleanup(void)
|
|
|
|
{
|
2016-11-25 02:10:15 +08:00
|
|
|
if (cmac_cb.text != NULL) {
|
2017-08-17 21:13:45 +08:00
|
|
|
osi_free(cmac_cb.text);
|
2016-09-26 21:37:39 +08:00
|
|
|
}
|
|
|
|
memset(&cmac_cb, 0, sizeof(tCMAC_CB));
|
|
|
|
}
|
|
|
|
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function cmac_aes_k_calculate
|
|
|
|
**
|
|
|
|
** Description This function is the calculation of block cipher using AES-128.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static BOOLEAN cmac_aes_k_calculate(BT_OCTET16 key, UINT8 *p_signature, UINT16 tlen)
|
|
|
|
{
|
|
|
|
tSMP_ENC output;
|
|
|
|
UINT8 i = 1, err = 0;
|
|
|
|
UINT8 x[16] = {0};
|
|
|
|
UINT8 *p_mac;
|
|
|
|
|
|
|
|
SMP_TRACE_EVENT ("cmac_aes_k_calculate ");
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
while (i <= cmac_cb.round) {
|
2016-09-26 21:37:39 +08:00
|
|
|
smp_xor_128(&cmac_cb.text[(cmac_cb.round - i)*BT_OCTET16_LEN], x); /* Mi' := Mi (+) X */
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if (!SMP_Encrypt(key, BT_OCTET16_LEN, &cmac_cb.text[(cmac_cb.round - i)*BT_OCTET16_LEN], BT_OCTET16_LEN, &output)) {
|
2016-09-26 21:37:39 +08:00
|
|
|
err = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
memcpy(x, output.param_buf, BT_OCTET16_LEN);
|
|
|
|
i ++;
|
|
|
|
}
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if (!err) {
|
2016-09-26 21:37:39 +08:00
|
|
|
p_mac = output.param_buf + (BT_OCTET16_LEN - tlen);
|
|
|
|
memcpy(p_signature, p_mac, tlen);
|
|
|
|
|
2016-12-07 14:11:40 +08:00
|
|
|
SMP_TRACE_DEBUG("tlen = %d p_mac = %p", tlen, p_mac);
|
2016-09-26 21:37:39 +08:00
|
|
|
SMP_TRACE_DEBUG("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x",
|
2016-11-25 02:10:15 +08:00
|
|
|
*p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
|
2016-09-26 21:37:39 +08:00
|
|
|
SMP_TRACE_DEBUG("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x",
|
2016-11-25 02:10:15 +08:00
|
|
|
*(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
|
2016-09-26 21:37:39 +08:00
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
} else {
|
2016-09-26 21:37:39 +08:00
|
|
|
return FALSE;
|
2016-11-25 02:10:15 +08:00
|
|
|
}
|
2016-09-26 21:37:39 +08:00
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function cmac_prepare_last_block
|
|
|
|
**
|
|
|
|
** Description This function proceeed to prepare the last block of message
|
|
|
|
** Mn depending on the size of the message.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static void cmac_prepare_last_block (BT_OCTET16 k1, BT_OCTET16 k2)
|
|
|
|
{
|
|
|
|
// UINT8 x[16] = {0};
|
|
|
|
BOOLEAN flag;
|
|
|
|
|
|
|
|
SMP_TRACE_EVENT ("cmac_prepare_last_block ");
|
|
|
|
/* last block is a complete block set flag to 1 */
|
|
|
|
flag = ((cmac_cb.len % BT_OCTET16_LEN) == 0 && cmac_cb.len != 0) ? TRUE : FALSE;
|
|
|
|
|
2017-11-02 17:49:48 +08:00
|
|
|
SMP_TRACE_DEBUG("flag = %d round = %d", flag, cmac_cb.round);
|
2016-09-26 21:37:39 +08:00
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if ( flag ) {
|
|
|
|
/* last block is complete block */
|
2016-09-26 21:37:39 +08:00
|
|
|
smp_xor_128(&cmac_cb.text[0], k1);
|
2016-11-25 02:10:15 +08:00
|
|
|
} else { /* padding then xor with k2 */
|
2016-09-26 21:37:39 +08:00
|
|
|
padding(&cmac_cb.text[0], (UINT8)(cmac_cb.len % 16));
|
|
|
|
|
|
|
|
smp_xor_128(&cmac_cb.text[0], k2);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function cmac_subkey_cont
|
|
|
|
**
|
|
|
|
** Description This is the callback function when CIPHk(0[128]) is completed.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static void cmac_subkey_cont(tSMP_ENC *p)
|
|
|
|
{
|
|
|
|
UINT8 k1[BT_OCTET16_LEN], k2[BT_OCTET16_LEN];
|
|
|
|
UINT8 *pp = p->param_buf;
|
|
|
|
SMP_TRACE_EVENT ("cmac_subkey_cont ");
|
|
|
|
print128(pp, (const UINT8 *)"K1 before shift");
|
|
|
|
|
|
|
|
/* If MSB(L) = 0, then K1 = L << 1 */
|
2016-11-25 02:10:15 +08:00
|
|
|
if ( (pp[BT_OCTET16_LEN - 1] & 0x80) != 0 ) {
|
2016-09-26 21:37:39 +08:00
|
|
|
/* Else K1 = ( L << 1 ) (+) Rb */
|
|
|
|
leftshift_onebit(pp, k1);
|
|
|
|
smp_xor_128(k1, const_Rb);
|
2016-11-25 02:10:15 +08:00
|
|
|
} else {
|
2016-09-26 21:37:39 +08:00
|
|
|
leftshift_onebit(pp, k1);
|
|
|
|
}
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if ( (k1[BT_OCTET16_LEN - 1] & 0x80) != 0 ) {
|
2016-09-26 21:37:39 +08:00
|
|
|
/* K2 = (K1 << 1) (+) Rb */
|
|
|
|
leftshift_onebit(k1, k2);
|
|
|
|
smp_xor_128(k2, const_Rb);
|
2016-11-25 02:10:15 +08:00
|
|
|
} else {
|
2016-09-26 21:37:39 +08:00
|
|
|
/* If MSB(K1) = 0, then K2 = K1 << 1 */
|
|
|
|
leftshift_onebit(k1, k2);
|
|
|
|
}
|
|
|
|
|
|
|
|
print128(k1, (const UINT8 *)"K1");
|
|
|
|
print128(k2, (const UINT8 *)"K2");
|
|
|
|
|
|
|
|
cmac_prepare_last_block (k1, k2);
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function cmac_generate_subkey
|
|
|
|
**
|
|
|
|
** Description This is the function to generate the two subkeys.
|
|
|
|
**
|
|
|
|
** Parameters key - CMAC key, expect SRK when used by SMP.
|
|
|
|
**
|
|
|
|
** Returns void
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
static BOOLEAN cmac_generate_subkey(BT_OCTET16 key)
|
|
|
|
{
|
|
|
|
BT_OCTET16 z = {0};
|
|
|
|
BOOLEAN ret = TRUE;
|
|
|
|
tSMP_ENC output;
|
|
|
|
SMP_TRACE_EVENT (" cmac_generate_subkey");
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if (SMP_Encrypt(key, BT_OCTET16_LEN, z, BT_OCTET16_LEN, &output)) {
|
2016-09-26 21:37:39 +08:00
|
|
|
cmac_subkey_cont(&output);;
|
2016-11-25 02:10:15 +08:00
|
|
|
} else {
|
2016-09-26 21:37:39 +08:00
|
|
|
ret = FALSE;
|
2016-11-25 02:10:15 +08:00
|
|
|
}
|
2016-09-26 21:37:39 +08:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
|
|
**
|
|
|
|
** Function aes_cipher_msg_auth_code
|
|
|
|
**
|
|
|
|
** Description This is the AES-CMAC Generation Function with tlen implemented.
|
|
|
|
**
|
|
|
|
** Parameters key - CMAC key in little endian order, expect SRK when used by SMP.
|
|
|
|
** input - text to be signed in little endian byte order.
|
|
|
|
** length - length of the input in byte.
|
|
|
|
** tlen - lenth of mac desired
|
|
|
|
** p_signature - data pointer to where signed data to be stored, tlen long.
|
|
|
|
**
|
|
|
|
** Returns FALSE if out of resources, TRUE in other cases.
|
|
|
|
**
|
|
|
|
*******************************************************************************/
|
|
|
|
BOOLEAN aes_cipher_msg_auth_code(BT_OCTET16 key, UINT8 *input, UINT16 length,
|
|
|
|
UINT16 tlen, UINT8 *p_signature)
|
|
|
|
{
|
|
|
|
UINT16 len, diff;
|
|
|
|
UINT16 n = (length + BT_OCTET16_LEN - 1) / BT_OCTET16_LEN; /* n is number of rounds */
|
|
|
|
BOOLEAN ret = FALSE;
|
|
|
|
|
|
|
|
SMP_TRACE_EVENT ("%s", __func__);
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if (n == 0) {
|
|
|
|
n = 1;
|
|
|
|
}
|
2016-09-26 21:37:39 +08:00
|
|
|
len = n * BT_OCTET16_LEN;
|
|
|
|
|
2017-11-02 17:49:48 +08:00
|
|
|
SMP_TRACE_DEBUG("AES128_CMAC started, allocate buffer size = %d", len);
|
2016-09-26 21:37:39 +08:00
|
|
|
/* allocate a memory space of multiple of 16 bytes to hold text */
|
2017-08-17 21:13:45 +08:00
|
|
|
if ((cmac_cb.text = (UINT8 *)osi_malloc(len)) != NULL) {
|
2016-09-26 21:37:39 +08:00
|
|
|
cmac_cb.round = n;
|
|
|
|
|
|
|
|
memset(cmac_cb.text, 0, len);
|
|
|
|
diff = len - length;
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
if (input != NULL && length > 0) {
|
2016-09-26 21:37:39 +08:00
|
|
|
memcpy(&cmac_cb.text[diff] , input, (int)length);
|
|
|
|
cmac_cb.len = length;
|
2016-11-25 02:10:15 +08:00
|
|
|
} else {
|
2016-09-26 21:37:39 +08:00
|
|
|
cmac_cb.len = 0;
|
2016-11-25 02:10:15 +08:00
|
|
|
}
|
2016-09-26 21:37:39 +08:00
|
|
|
|
|
|
|
/* prepare calculation for subkey s and last block of data */
|
2016-11-25 02:10:15 +08:00
|
|
|
if (cmac_generate_subkey(key)) {
|
2016-09-26 21:37:39 +08:00
|
|
|
/* start calculation */
|
|
|
|
ret = cmac_aes_k_calculate(key, p_signature, tlen);
|
|
|
|
}
|
|
|
|
/* clean up */
|
|
|
|
cmac_aes_cleanup();
|
2016-11-25 02:10:15 +08:00
|
|
|
} else {
|
2016-09-26 21:37:39 +08:00
|
|
|
ret = FALSE;
|
|
|
|
SMP_TRACE_ERROR("No resources");
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
#if 0 /* testing code, sample data from spec */
|
2016-09-26 21:37:39 +08:00
|
|
|
void test_cmac_cback(UINT8 *p_mac, UINT16 tlen)
|
|
|
|
{
|
|
|
|
SMP_TRACE_EVENT ("test_cmac_cback ");
|
|
|
|
SMP_TRACE_ERROR("test_cmac_cback");
|
|
|
|
}
|
|
|
|
|
|
|
|
void test_cmac(void)
|
|
|
|
{
|
|
|
|
SMP_TRACE_EVENT ("test_cmac ");
|
|
|
|
UINT8 M[64] = {
|
|
|
|
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
|
|
|
|
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
|
|
|
|
0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
|
|
|
|
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
|
|
|
|
0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
|
|
|
|
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
|
|
|
|
0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
|
|
|
|
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
|
|
|
|
};
|
|
|
|
|
|
|
|
UINT8 key[16] = {
|
|
|
|
0x3c, 0x4f, 0xcf, 0x09, 0x88, 0x15, 0xf7, 0xab,
|
|
|
|
0xa6, 0xd2, 0xae, 0x28, 0x16, 0x15, 0x7e, 0x2b
|
|
|
|
};
|
2016-11-25 02:10:15 +08:00
|
|
|
UINT8 i = 0, tmp;
|
2016-09-26 21:37:39 +08:00
|
|
|
UINT16 len;
|
|
|
|
|
|
|
|
len = 64;
|
|
|
|
|
2016-11-25 02:10:15 +08:00
|
|
|
for (i = 0; i < len / 2; i ++) {
|
2016-09-26 21:37:39 +08:00
|
|
|
tmp = M[i];
|
2016-11-25 02:10:15 +08:00
|
|
|
M[i] = M[len - 1 - i];
|
|
|
|
M[len - 1 - i] = tmp;
|
2016-09-26 21:37:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
memset(&cmac_cb, 0, sizeof(tCMAC_CB));
|
|
|
|
|
|
|
|
SMP_TRACE_WARNING("\n Example 1: len = %d\n", len);
|
|
|
|
|
|
|
|
aes_cipher_msg_auth_code(key, M, len, 128, test_cmac_cback, 0);
|
|
|
|
|
|
|
|
}
|
2016-11-25 02:10:15 +08:00
|
|
|
#endif
|
2016-09-26 21:37:39 +08:00
|
|
|
#endif
|