btstack_crypto: use software aes128 for cmac message [a2473]

src/btstack_crypto.c

@@ -178,6 +178,98 @@ static void btstack_crypto_done(btstack_crypto_t * btstack_crypto){
     (*btstack_crypto->context_callback.callback)(btstack_crypto->context_callback.context);
 }
 
+static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){
+    int i;
+    int carry = 0;
+    for (i=len-1; i >= 0 ; i--){
+        int new_carry = data[i] >> 7;
+        data[i] = (data[i] << 1) | carry;
+        carry = new_carry;
+    }
+}
+
+
+#ifdef USE_BTSTACK_AES128
+
+static void btstack_crypto_cmac_calc_subkeys(sm_key_t k0, sm_key_t k1, sm_key_t k2){
+    memcpy(k1, k0, 16);
+    btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k1);
+    if (k0[0] & 0x80){
+        k1[15] ^= 0x87;
+    }
+    memcpy(k2, k1, 16);
+    btstack_crypto_cmac_shift_left_by_one_bit_inplace(16, k2);
+    if (k1[0] & 0x80){
+        k2[15] ^= 0x87;
+    } 
+}
+
+static void btstack_crypto_cmac_calc(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac) {
+    sm_key_t k0, k1, k2;
+
+    btstack_aes128_calc(btstack_crypto_cmac->key, zero, k0);
+    btstack_crypto_cmac_calc_subkeys(k0, k1, k2);
+
+    uint16_t cmac_block_count = (btstack_crypto_cmac->size + 15) / 16;
+
+    // step 3: ..
+    if (cmac_block_count==0){
+        cmac_block_count = 1;
+    }
+
+    // step 4: set m_last
+    sm_key_t cmac_m_last;
+    bool last_block_complete = btstack_crypto_cmac->size != 0 && (btstack_crypto_cmac->size & 0x0f) == 0;
+    uint16_t i;
+    if (last_block_complete){
+        for (i=0;i<16;i++){
+            cmac_m_last[i] = btstack_crypto_cmac->data.message[btstack_crypto_cmac->size - 16 + i] ^ k1[i];
+        }
+    } else {
+        uint16_t valid_octets_in_last_block = btstack_crypto_cmac->size & 0x0f;
+        for (i=0;i<16;i++){
+            if (i < valid_octets_in_last_block){
+                cmac_m_last[i] = btstack_crypto_cmac->data.message[(btstack_crypto_cmac->size & 0xfff0) + i] ^ k2[i];
+                continue;
+            }
+            if (i == valid_octets_in_last_block){
+                cmac_m_last[i] = 0x80 ^ k2[i];
+                continue;
+            }
+            cmac_m_last[i] = k2[i];
+        }
+    }
+
+    // Step 5
+    sm_key_t cmac_x;
+    memset(cmac_x, 0, 16);
+
+    // Step 6
+    sm_key_t cmac_y;
+    for (int block = 0 ; block < cmac_block_count-1 ; block++){
+        for (i=0;i<16;i++){
+            cmac_y[i] = cmac_x[i] ^ btstack_crypto_cmac->data.message[block * 16 + i];
+        }
+        btstack_aes128_calc(btstack_crypto_cmac->key, cmac_y, cmac_x);
+    }
+    for (i=0;i<16;i++){
+        cmac_y[i] = cmac_x[i] ^ cmac_m_last[i];
+    }
+
+    // Step 7
+    btstack_aes128_calc(btstack_crypto_cmac->key, cmac_y, btstack_crypto_cmac->hash);
+}
+#else
+
+static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){
+    uint8_t key_flipped[16];
+    uint8_t plaintext_flipped[16];
+    reverse_128(key, key_flipped);
+    reverse_128(plaintext, plaintext_flipped);
+    btstack_crypto_wait_for_hci_result = 1;
+    hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped);
+}
+
 static inline void btstack_crypto_cmac_next_state(void){
     btstack_crypto_cmac_state = (btstack_crypto_cmac_state_t) (((int)btstack_crypto_cmac_state) + 1);
 }
@@ -188,15 +280,6 @@ static int btstack_crypto_cmac_last_block_complete(btstack_crypto_aes128_cmac_t
     return (len & 0x0f) == 0;
 }
 
-static void btstack_crypto_aes128_start(const sm_key_t key, const sm_key_t plaintext){
- 	uint8_t key_flipped[16];
- 	uint8_t plaintext_flipped[16];
-    reverse_128(key, key_flipped);
-    reverse_128(plaintext, plaintext_flipped);
- 	btstack_crypto_wait_for_hci_result = 1;
-    hci_send_cmd(&hci_le_encrypt, key_flipped, plaintext_flipped);
-}
-
 static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, uint16_t pos){
 	if (btstack_crypto_cmac->btstack_crypto.operation == BTSTACK_CRYPTO_CMAC_GENERATOR){
 		return (*btstack_crypto_cmac->data.get_byte_callback)(pos);
@@ -208,10 +291,8 @@ static uint8_t btstack_crypto_cmac_get_byte(btstack_crypto_aes128_cmac_t * btsta
 static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac){
     switch (btstack_crypto_cmac_state){
         case CMAC_CALC_SUBKEYS: {
-            sm_key_t const_zero;
-            memset(const_zero, 0, 16);
             btstack_crypto_cmac_next_state();
-            btstack_crypto_aes128_start(btstack_crypto_cmac_k, const_zero);
+            btstack_crypto_aes128_start(btstack_crypto_cmac_k, zero);
             break;
         }
         case CMAC_CALC_MI: {
@@ -242,16 +323,6 @@ static void btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_aes128_cm
     }
 }
 
-static void btstack_crypto_cmac_shift_left_by_one_bit_inplace(int len, uint8_t * data){
-    int i;
-    int carry = 0;
-    for (i=len-1; i >= 0 ; i--){
-        int new_carry = data[i] >> 7;
-        data[i] = (data[i] << 1) | carry;
-        carry = new_carry;
-    }
-}
-
 static void btstack_crypto_cmac_handle_encryption_result(btstack_crypto_aes128_cmac_t * btstack_crypto_cmac, sm_key_t data){
     switch (btstack_crypto_cmac_state){
         case CMAC_W4_SUBKEYS: {
@@ -337,6 +408,7 @@ static void btstack_crypto_cmac_start(btstack_crypto_aes128_cmac_t * btstack_cry
     // let's go
     btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac);
 }
+#endif
 
 #ifndef USE_BTSTACK_AES128
 
@@ -576,7 +648,6 @@ static void btstack_crypto_ccm_calc_xn(btstack_crypto_ccm_t * btstack_crypto_ccm
 
     btstack_crypto_aes128_start(btstack_crypto_ccm->key, btstack_crypto_ccm_buffer);
 }
-#endif
 
 static void btstack_crypto_ccm_calc_aad_xn(btstack_crypto_ccm_t * btstack_crypto_ccm){
     // store length
@@ -659,6 +730,7 @@ static void btstack_crypto_ccm_next_block(btstack_crypto_ccm_t * btstack_crypto_
         }
     }
 }
+#endif
 
 static void btstack_crypto_run(void){
 
@@ -700,15 +772,29 @@ static void btstack_crypto_run(void){
                 btstack_crypto_aes128_start(btstack_crypto_aes128->key, btstack_crypto_aes128->plaintext);
 #endif
     		    break;
+
+#ifdef USE_BTSTACK_AES128
+            case BTSTACK_CRYPTO_CMAC_MESSAGE:
+                btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto;
+                btstack_crypto_cmac_calc( btstack_crypto_cmac );
+                btstack_crypto_done(btstack_crypto);
+                break;
+            case BTSTACK_CRYPTO_CMAC_GENERATOR:
+                UNUSED(btstack_crypto_cmac);
+                // NOTE: infinite output of this message
+                log_error("cmac with not implemented for software aes128 yet");
+                break;
+#else                
     		case BTSTACK_CRYPTO_CMAC_MESSAGE:
     		case BTSTACK_CRYPTO_CMAC_GENERATOR:
+                btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto;
     			btstack_crypto_wait_for_hci_result = 1;
-    			btstack_crypto_cmac = (btstack_crypto_aes128_cmac_t *) btstack_crypto;
     			if (btstack_crypto_cmac_state == CMAC_IDLE){
     				btstack_crypto_cmac_start(btstack_crypto_cmac);
     			} else {
     				btstack_crypto_cmac_handle_aes_engine_ready(btstack_crypto_cmac);
     			}
+#endif
     			break;
 
             case BTSTACK_CRYPTO_CCM_DIGEST_BLOCK:
@@ -837,6 +923,7 @@ static void btstack_crypto_handle_random_data(const uint8_t * data, uint16_t len
 	btstack_crypto_run();
 }
 
+#ifndef USE_BTSTACK_AES128
 static void btstack_crypto_handle_encryption_result(const uint8_t * data){
 	btstack_crypto_aes128_t      * btstack_crypto_aes128;
 	btstack_crypto_aes128_cmac_t * btstack_crypto_cmac;
@@ -961,6 +1048,7 @@ static void btstack_crypto_handle_encryption_result(const uint8_t * data){
 			break;
 	}
 }
+#endif
 
 static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint8_t *packet, uint16_t size){
     UNUSED(cid);         // ok: there is no channel
@@ -984,11 +1072,13 @@ static void btstack_crypto_event_handler(uint8_t packet_type, uint16_t cid, uint
             break;
 
         case HCI_EVENT_COMMAND_COMPLETE:
+#ifndef USE_BTSTACK_AES128
     	    if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_encrypt)){
                 if (!btstack_crypto_wait_for_hci_result) return;
                 btstack_crypto_wait_for_hci_result = 0;
     	        btstack_crypto_handle_encryption_result(&packet[6]);
     	    }
+#endif
     	    if (HCI_EVENT_IS_COMMAND_COMPLETE(packet, hci_le_rand)){
                 if (!btstack_crypto_wait_for_hci_result) return;
                 btstack_crypto_wait_for_hci_result = 0;

src/btstack_crypto.h

@@ -46,6 +46,7 @@
 #define BTSTACK_CTRYPTO_H
 
 #include "btstack_defines.h"
+#include "btstack_config.h"
 
 #if defined __cplusplus
 extern "C" {
@@ -270,7 +271,7 @@ void btstack_crypto_ccm_encrypt_block(btstack_crypto_ccm_t * request, uint16_t l
  */
 void btstack_crypto_ccm_decrypt_block(btstack_crypto_ccm_t * request, uint16_t len, const uint8_t * ciphertext, uint8_t * plaintext, void (* callback)(void * arg), void * callback_arg);
 
-#ifdef HAVE_AES128
+#if defined(ENABLE_SOFTWARE_AES128) || defined (HAVE_AES128)
 /** 
  * Encrypt plaintext using AES128
  * @note Prototype for custom AES128 implementation