Merge pull request #642 from LedgerHQ/aes-siv-update-mac

Add a function to add input data to AES-CMAC

include/cx_stubs.h

@@ -140,3 +140,8 @@
 #define _NR_cx_eddsa_update_hash                 0x88
 #define _NR_cx_eddsa_verify_init_hash            0x89
 #define _NR_cx_eddsa_verify_hash                 0x8a
+#define _NR_cx_aes_siv_update_mac                0x8b
+#define _NR_cx_cipher_reset                      0x8c
+#define _NR_cx_cmac_start                        0x8d
+#define _NR_cx_cmac_update                       0x8e
+#define _NR_cx_cmac_finish                       0x8f

lib_cxng/cx.export

@@ -143,3 +143,8 @@ cx_eddsa_sign_hash
 cx_eddsa_update_hash
 cx_eddsa_verify_init_hash
 cx_eddsa_verify_hash
+cx_aes_siv_update_mac
+cx_cipher_reset
+cx_cmac_start
+cx_cmac_update
+cx_cmac_finish

lib_cxng/include/lcx_aes_siv.h

@@ -104,6 +104,8 @@ WARN_UNUSED_RESULT cx_err_t cx_aes_siv_update_aad(cx_aes_siv_context_t *ctx,
                                                   const uint8_t        *aad,
                                                   size_t                aad_len);
 
+cx_err_t cx_aes_siv_update_mac(cx_aes_siv_context_t *ctx, const uint8_t *input, size_t in_len);
+
 /**
  * @brief Processes plaintext or ciphertext with AES-CTR.
  *

lib_cxng/src/cx_aes_siv.c

@@ -68,21 +68,28 @@ cx_err_t cx_aes_siv_update_aad(cx_aes_siv_context_t *ctx, const uint8_t *aad, si
     uint8_t  tmp[CX_AES_BLOCK_SIZE] = {0};
     cx_err_t error;
 
+    CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_ECB));
+    CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));
+
     if (NULL == aad) {
         return CX_OK;
     }
 
-    CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_ECB));
     CX_CHECK(cx_cmac_shift_and_xor(tmp, ctx->tag_state, CX_AES_BLOCK_SIZE));
-    CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));
     CX_CHECK(cx_cmac_update(ctx->cipher_ctx, aad, aad_len));
     CX_CHECK(cx_cmac_finish(ctx->cipher_ctx, ctx->tag_state));
     cx_memxor(ctx->tag_state, tmp, CX_AES_BLOCK_SIZE);
+    CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));
 
 end:
     return error;
 }
 
+cx_err_t cx_aes_siv_update_mac(cx_aes_siv_context_t *ctx, const uint8_t *input, size_t in_len)
+{
+    return cx_cmac_update(ctx->cipher_ctx, input, in_len);
+}
+
 cx_err_t cx_aes_siv_update(cx_aes_siv_context_t *ctx,
                            const uint8_t        *input,
                            uint8_t              *output,
@@ -91,7 +98,6 @@ cx_err_t cx_aes_siv_update(cx_aes_siv_context_t *ctx,
     size_t   out_len = len;
     cx_err_t error;
     CX_CHECK(cx_cipher_update(ctx->cipher_ctx, input, len, output, &out_len));
-    cx_cipher_reset(ctx->cipher_ctx);
 
 end:
     return error;
@@ -112,19 +118,16 @@ cx_err_t cx_aes_siv_finish(cx_aes_siv_context_t *ctx,
     uint8_t  tmp[CX_AES_BLOCK_SIZE] = {0};
     cx_err_t error;
 
-    CX_CHECK(cx_cipher_setup(ctx->cipher_ctx, ctx->cipher_type, CX_CHAIN_ECB));
     if (in_len < CX_AES_BLOCK_SIZE) {
         CX_CHECK(cx_cmac_shift_and_xor(tmp, ctx->tag_state, CX_AES_BLOCK_SIZE));
         memset(ctx->tag_state, 0, CX_AES_BLOCK_SIZE);
         memcpy(ctx->tag_state, input, in_len);
         add_one_and_zeros_padding(ctx->tag_state, CX_AES_BLOCK_SIZE, in_len);
         cx_memxor(tmp, ctx->tag_state, CX_AES_BLOCK_SIZE);
-        CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));
         CX_CHECK(cx_cmac_update(ctx->cipher_ctx, tmp, CX_AES_BLOCK_SIZE));
         CX_CHECK(cx_cmac_finish(ctx->cipher_ctx, ctx->tag_state));
     }
     else {
-        CX_CHECK(cx_cmac_start(ctx->cipher_ctx, ctx->key1, ctx->key_len));
         CX_CHECK(cx_cmac_update(ctx->cipher_ctx, input, in_len - CX_AES_BLOCK_SIZE));
         cx_memxor(ctx->tag_state, input + in_len - CX_AES_BLOCK_SIZE, CX_AES_BLOCK_SIZE);
         CX_CHECK(cx_cmac_update(ctx->cipher_ctx, ctx->tag_state, CX_AES_BLOCK_SIZE));
@@ -172,6 +175,7 @@ cx_err_t cx_aes_siv_decrypt(cx_aes_siv_context_t *ctx,
     cx_err_t error;
     CX_CHECK(cx_aes_siv_start(ctx, CX_DECRYPT, tag, CX_AES_BLOCK_SIZE));
     CX_CHECK(cx_aes_siv_update(ctx, input, output, in_len));
+    cx_cipher_reset(ctx->cipher_ctx);
     CX_CHECK(cx_aes_siv_update_aad(ctx, aad, aad_len));
     CX_CHECK(cx_aes_siv_finish(ctx, output, in_len, tag));
 

lib_cxng/src/cx_exported_functions.c

@@ -164,4 +164,9 @@ unsigned long __attribute((section("._cx_exported_functions"))) cx_exported_func
     [_NR_cx_eddsa_update_hash]            = (unsigned long) cx_eddsa_update_hash,
     [_NR_cx_eddsa_verify_init_hash]       = (unsigned long) cx_eddsa_verify_init_hash,
     [_NR_cx_eddsa_verify_hash]            = (unsigned long) cx_eddsa_verify_hash,
+    [_NR_cx_aes_siv_update_mac]           = (unsigned long) cx_aes_siv_update_mac,
+    [_NR_cx_cipher_reset]                 = (unsigned long) cx_cipher_reset,
+    [_NR_cx_cmac_start]                   = (unsigned long) cx_cmac_start,
+    [_NR_cx_cmac_update]                  = (unsigned long) cx_cmac_update,
+    [_NR_cx_cmac_finish]                  = (unsigned long) cx_cmac_finish,
 };

src/cx_stubs.S

@@ -155,6 +155,11 @@ CX_TRAMPOLINE _NR_cx_eddsa_sign_hash                       cx_eddsa_sign_hash
 CX_TRAMPOLINE _NR_cx_eddsa_update_hash                     cx_eddsa_update_hash
 CX_TRAMPOLINE _NR_cx_eddsa_verify_init_hash                cx_eddsa_verify_init_hash
 CX_TRAMPOLINE _NR_cx_eddsa_verify_hash                     cx_eddsa_verify_hash
+CX_TRAMPOLINE _NR_cx_aes_siv_update_mac                    cx_aes_siv_update_mac
+CX_TRAMPOLINE _NR_cx_cipher_reset                          cx_cipher_reset
+CX_TRAMPOLINE _NR_cx_cmac_start                            cx_cmac_start
+CX_TRAMPOLINE _NR_cx_cmac_update                           cx_cmac_update
+CX_TRAMPOLINE _NR_cx_cmac_finish                           cx_cmac_finish
 
 .thumb_func
 cx_trampoline_helper: