The Bluetooth Mesh spec uses both apparently. Also extract a pile of test vectors from that document (thanks to Kyle Lund for showing me which to extract). Change-Id: I04a04fafb7386ca28adfe1446fa388e841778931 Reviewed-on: https://boringssl-review.googlesource.com/26324 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>kris/onging/CECPQ3_patch15
@@ -95,6 +95,8 @@ static const struct KnownAEAD kAEADs[] = { | |||
"aes_256_ctr_hmac_sha256.txt", false, true, 0}, | |||
{"AES_128_CCM_BLUETOOTH", EVP_aead_aes_128_ccm_bluetooth, | |||
"aes_128_ccm_bluetooth_tests.txt", false, false, 0}, | |||
{"AES_128_CCM_BLUETOOTH_8", EVP_aead_aes_128_ccm_bluetooth_8, | |||
"aes_128_ccm_bluetooth_8_tests.txt", false, false, 0}, | |||
}; | |||
class PerAEADTest : public testing::TestWithParam<KnownAEAD> { | |||
@@ -23,9 +23,6 @@ | |||
#include "../fipsmodule/cipher/internal.h" | |||
#define EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN 4 | |||
#define EVP_AEAD_AES_CCM_BLUETOOTH_NONCE_LEN 13 | |||
#define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16 | |||
struct aead_aes_ccm_ctx { | |||
@@ -36,18 +33,23 @@ struct aead_aes_ccm_ctx { | |||
CCM128_CONTEXT ccm; | |||
}; | |||
static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key, | |||
size_t key_len, size_t tag_len) { | |||
if (key_len != 16) { | |||
static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, | |||
size_t key_len, size_t tag_len, unsigned M, | |||
unsigned L) { | |||
assert(M == EVP_AEAD_max_overhead(ctx->aead)); | |||
assert(M == EVP_AEAD_max_tag_len(ctx->aead)); | |||
assert(15 - L == EVP_AEAD_nonce_length(ctx->aead)); | |||
if (key_len != EVP_AEAD_key_length(ctx->aead)) { | |||
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); | |||
return 0; // EVP_AEAD_CTX_init should catch this. | |||
} | |||
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { | |||
tag_len = EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN; | |||
tag_len = M; | |||
} | |||
if (tag_len != EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN) { | |||
if (tag_len != M) { | |||
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); | |||
return 0; | |||
} | |||
@@ -62,8 +64,7 @@ static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key, | |||
block128_f block; | |||
ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len); | |||
ctx->tag_len = tag_len; | |||
if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, tag_len, | |||
15 - EVP_AEAD_AES_CCM_BLUETOOTH_NONCE_LEN)) { | |||
if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) { | |||
OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR); | |||
OPENSSL_free(ccm_ctx); | |||
return 0; | |||
@@ -149,12 +150,17 @@ static int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, | |||
return 1; | |||
} | |||
static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key, | |||
size_t key_len, size_t tag_len) { | |||
return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2); | |||
} | |||
static const EVP_AEAD aead_aes_128_ccm_bluetooth = { | |||
16, | |||
EVP_AEAD_AES_CCM_BLUETOOTH_NONCE_LEN, // nonce length | |||
EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN, // overhead | |||
EVP_AEAD_AES_CCM_BLUETOOTH_TAG_LEN, // max tag length | |||
0, // seal_scatter_supports_extra_in | |||
16, // key length (AES-128) | |||
13, // nonce length | |||
4, // overhead | |||
4, // max tag length | |||
0, // seal_scatter_supports_extra_in | |||
aead_aes_ccm_bluetooth_init, | |||
NULL /* init_with_direction */, | |||
@@ -169,3 +175,29 @@ static const EVP_AEAD aead_aes_128_ccm_bluetooth = { | |||
const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) { | |||
return &aead_aes_128_ccm_bluetooth; | |||
} | |||
static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key, | |||
size_t key_len, size_t tag_len) { | |||
return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2); | |||
} | |||
static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = { | |||
16, // key length (AES-128) | |||
13, // nonce length | |||
8, // overhead | |||
8, // max tag length | |||
0, // seal_scatter_supports_extra_in | |||
aead_aes_ccm_bluetooth_8_init, | |||
NULL /* init_with_direction */, | |||
aead_aes_ccm_cleanup, | |||
NULL /* open */, | |||
aead_aes_ccm_seal_scatter, | |||
aead_aes_ccm_open_gather, | |||
NULL /* get_iv */, | |||
NULL /* tag_len */, | |||
}; | |||
const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) { | |||
return &aead_aes_128_ccm_bluetooth_8; | |||
} |
@@ -0,0 +1,105 @@ | |||
# From the Bluetooth Mesh Profile Specification v1.0. | |||
# | |||
# The relevant AES-CCM calls are: | |||
# | |||
# KEY: EncryptionKey | |||
# NONCE: Network Nonce | |||
# IN: DST || TransportPDU | |||
# AD: (none) | |||
# CT: EncTransportPDU | |||
# TAG: NetMIC | |||
# | |||
# KEY: DevKey if present, otherwise AppKey | |||
# NONCE: Application Nonce | |||
# IN: Access Payload | |||
# AD: Label UUID, if present | |||
# CT: EncAccessPayload | |||
# TAG: TransMIC | |||
# Section 8.3.1. | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00800000011201000012345678 | |||
IN: fffd034b50057e400000010000 | |||
AD: | |||
CT: b5e5bfdacbaf6cb7fb6bff871f | |||
TAG: 035444ce83a670df | |||
# Section 8.3.2 | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00800148202345000012345678 | |||
IN: 120104320308ba072f | |||
AD: | |||
CT: 79d7dbc0c9b4d43eeb | |||
TAG: ec129d20a620d01e | |||
# Section 8.3.3. | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00802b38322fe3000012345678 | |||
IN: 120104fa0205a6000a | |||
AD: | |||
CT: 53273086b8c5ee00bd | |||
TAG: d9cfcc62a2ddf572 | |||
# Section 8.3.4. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00800000021201000012345678 | |||
IN: 23450100 | |||
AD: | |||
CT: b0e5d0ad | |||
TAG: 970d579a4e88051c | |||
# Section 8.3.5. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00800148342345000012345678 | |||
IN: 120102001234567800 | |||
AD: | |||
CT: 5c39da1792b1fee9ec | |||
TAG: 74b786c56d3a9dee | |||
# Section 8.3.7. | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 008b0148352345000012345678 | |||
IN: 000300a6ac00000002 | |||
AD: | |||
CT: 0d0d730f94d7f3509d | |||
TAG: f987bb417eb7c05f | |||
# Section 8.3.9. | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 008b0148362345000012345678 | |||
IN: 000300a6ac00000003 | |||
AD: | |||
CT: d85d806bbed248614f | |||
TAG: 938067b0d983bb7b | |||
# Section 8.3.10. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00800000031201000012345678 | |||
IN: 23450101 | |||
AD: | |||
CT: 7777ed35 | |||
TAG: 5afaf66d899c1e3d | |||
# Section 8.3.12. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00800000041201000012345678 | |||
IN: 23450101 | |||
AD: | |||
CT: ae214660 | |||
TAG: 87599c2426ce9a35 | |||
# Section 8.3.14. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00800000051201000012345678 | |||
IN: 23450100 | |||
AD: | |||
CT: 7d3ae62a | |||
TAG: 3c75dff683dce24e | |||
# Section 8.3.24. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 010007080d1234973612345677 | |||
IN: ea0a00576f726c64 | |||
AD: f4a002c7fb1e4ca0a469a021de0db875 | |||
CT: de1547118463123e | |||
TAG: 5f6a17b99dbca387 |
@@ -18,3 +18,191 @@ IN: 202122232425262728292a2b2c2d2e2f | |||
AD: | |||
CT: 69915dad1e84c6376a68c2967e4dab61 | |||
TAG: c4630026 | |||
# From the Bluetooth Mesh Profile Specification v1.0. | |||
# | |||
# The relevant AES-CCM calls are: | |||
# | |||
# KEY: EncryptionKey | |||
# NONCE: Network Nonce | |||
# IN: DST || TransportPDU | |||
# AD: (none) | |||
# CT: EncTransportPDU | |||
# TAG: NetMIC | |||
# | |||
# KEY: DevKey if present, otherwise AppKey | |||
# NONCE: Application Nonce | |||
# IN: Access Payload | |||
# AD: Label UUID, if present | |||
# CT: EncAccessPayload | |||
# TAG: TransMIC | |||
# Section 8.3.6. | |||
KEY: 9d6dd0e96eb25dc19a40ed9914f8f03f | |||
NONCE: 02003129ab0003120112345678 | |||
IN: 0056341263964771734fbd76e3b40519d1d94a48 | |||
AD: | |||
CT: ee9dddfd2169326d23f3afdfcfdc18c52fdef772 | |||
TAG: e0e17308 | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00043129ab0003000012345678 | |||
IN: 12018026ac01ee9dddfd2169326d23f3afdf | |||
AD: | |||
CT: 0afba8c63d4e686364979deaf4fd40961145 | |||
TAG: 939cda0e | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00043129ac0003000012345678 | |||
IN: 12018026ac21cfdc18c52fdef772e0e17308 | |||
AD: | |||
CT: 6cae0c032bf0746f44f1b8cc8ce5edc57e55 | |||
TAG: beed49c0 | |||
# Section 8.3.8. | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00043129ad0003000012345678 | |||
IN: 12018026ac01ee9dddfd2169326d23f3afdf | |||
AD: | |||
CT: 0e2f91add6f06e66006844cec97f973105ae | |||
TAG: 2534f958 | |||
# Section 8.3.11. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00033129ad0003000012345678 | |||
IN: 1201c026ac01ee9dddfd2169326d23f3afdf | |||
AD: | |||
CT: d5e748a20ecfd98ddfd32de80befb400213d | |||
TAG: 113813b5 | |||
# Section 8.3.13's test vector is identical to 8.3.11. | |||
# Section 8.3.15. | |||
KEY: be635105434859f484fc798e043ce40e | |||
NONCE: 00033129ac0003000012345678 | |||
IN: 12018026ac21cfdc18c52fdef772e0e17308 | |||
AD: | |||
CT: f1d29805664d235eacd707217dedfe78497f | |||
TAG: efec7391 | |||
# Section 8.3.16. | |||
KEY: 9d6dd0e96eb25dc19a40ed9914f8f03f | |||
NONCE: 02000000061201000312345678 | |||
IN: 800300563412 | |||
AD: | |||
CT: 89511bf1d1a8 | |||
TAG: 1c11dcef | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 000b0000061201000012345678 | |||
IN: 00030089511bf1d1a81c11dcef | |||
AD: | |||
CT: 6b9be7f5a642f2f98680e61c3a | |||
TAG: 8b47f228 | |||
# Section 8.3.17's test vector is identical to 8.3.16. | |||
# Section 8.3.18. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 01000000071201ffff12345678 | |||
IN: 0400000000 | |||
AD: | |||
CT: 5a8bde6d91 | |||
TAG: 06ea078a | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00030000071201000012345678 | |||
IN: ffff665a8bde6d9106ea078a | |||
AD: | |||
CT: 5673728a627fb938535508e2 | |||
TAG: 1a6baf57 | |||
# Section 8.3.19. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 01000000091201ffff12345678 | |||
IN: 04000000010703 | |||
AD: | |||
CT: ca6cd88e698d12 | |||
TAG: 65f43fc5 | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00030000091201000012345678 | |||
IN: ffff66ca6cd88e698d1265f43fc5 | |||
AD: | |||
CT: 3010a05e1b23a926023da75d25ba | |||
TAG: 91793736 | |||
# Section 8.3.20. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 01000708091234ffff12345677 | |||
IN: 04000000010703 | |||
AD: | |||
CT: 9c9803e110fea9 | |||
TAG: 29e9542d | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 00030708091234000012345677 | |||
IN: ffff669c9803e110fea929e9542d | |||
AD: | |||
CT: 8c3dc87344a16c787f6b08cc897c | |||
TAG: 941a5368 | |||
# Section 8.3.21. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 010007080a1234810512345677 | |||
IN: d50a0048656c6c6f | |||
AD: | |||
CT: 2fa730fd98f6e4bd | |||
TAG: 120ea9d6 | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 000307080a1234000012345677 | |||
IN: 8105662fa730fd98f6e4bd120ea9d6 | |||
AD: | |||
CT: e4d611358eaf17796a6c98977f69e5 | |||
TAG: 872c4620 | |||
# Section 8.3.22. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 010007080b1234b52912345677 | |||
IN: d50a0048656c6c6f | |||
AD: 0073e7e4d8b9440faf8415df4c56c0e1 | |||
CT: 3871b904d4315263 | |||
TAG: 16ca48a0 | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 000307080b1234000012345677 | |||
IN: b529663871b904d431526316ca48a0 | |||
AD: | |||
CT: ed31f3fdcf88a411135fea55df730b | |||
TAG: 6b28e255 | |||
# Section 8.3.23. | |||
KEY: 63964771734fbd76e3b40519d1d94a48 | |||
NONCE: 010007080c1234973612345677 | |||
IN: d50a0048656c6c6f | |||
AD: f4a002c7fb1e4ca0a469a021de0db875 | |||
CT: 2456db5e3100eef6 | |||
TAG: 5daa7a38 | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 000307080c1234000012345677 | |||
IN: 9736662456db5e3100eef65daa7a38 | |||
AD: | |||
CT: 7a9d696d3dd16a75489696f0b70c71 | |||
TAG: 1b881385 | |||
# Section 8.3.24. | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 000307080d1234000012345677 | |||
IN: 9736e6a03401de1547118463123e5f6a17b9 | |||
AD: | |||
CT: 94e998b4081f5a7308ce3edbb3b06cdecd02 | |||
TAG: 8e307f1c | |||
KEY: 0953fa93e7caac9638f58820220a398e | |||
NONCE: 000307080e1234000012345677 | |||
IN: 9736e6a034219dbca387 | |||
AD: | |||
CT: dc2f4dd6fb4d32870129 | |||
TAG: 1be4aafe |
@@ -117,10 +117,16 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void); | |||
// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 | |||
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void); | |||
// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2, as decribed | |||
// in the Bluetooth Core Specification v5.0, Volume 6, Part E, Section 1. | |||
// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2 (4-byte tags | |||
// and 13-byte nonces), as decribed in the Bluetooth Core Specification v5.0, | |||
// Volume 6, Part E, Section 1. | |||
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void); | |||
// EVP_aead_aes_128_ccm_bluetooth_8 is AES-128-CCM with M=8 and L=2 (8-byte tags | |||
// and 13-byte nonces), as used in the Bluetooth Mesh Networking Specification | |||
// v1.0. | |||
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void); | |||
// EVP_has_aes_hardware returns one if we enable hardware support for fast and | |||
// constant-time AES-GCM. | |||
OPENSSL_EXPORT int EVP_has_aes_hardware(void); | |||
@@ -11,6 +11,7 @@ set( | |||
crypto/cipher_extra/test/aes_128_cbc_sha1_tls_tests.txt | |||
crypto/cipher_extra/test/aes_128_cbc_sha256_tls_tests.txt | |||
crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt | |||
crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt | |||
crypto/cipher_extra/test/aes_128_ctr_hmac_sha256.txt | |||
crypto/cipher_extra/test/aes_128_gcm_siv_tests.txt | |||
crypto/cipher_extra/test/aes_128_gcm_tests.txt | |||