20 static inline void xor16(uint8_t *dst, const uint8_t *a, const uint8_t *b)  in xor16()  argument
22 	dst[0] = a[0] ^ b[0];  in xor16()
23 	dst[1] = a[1] ^ b[1];  in xor16()
24 	dst[2] = a[2] ^ b[2];  in xor16()
25 	dst[3] = a[3] ^ b[3];  in xor16()
26 	dst[4] = a[4] ^ b[4];  in xor16()
27 	dst[5] = a[5] ^ b[5];  in xor16()
28 	dst[6] = a[6] ^ b[6];  in xor16()
29 	dst[7] = a[7] ^ b[7];  in xor16()
30 	dst[8] = a[8] ^ b[8];  in xor16()
31 	dst[9] = a[9] ^ b[9];  in xor16()
32 	dst[10] = a[10] ^ b[10];  in xor16()
33 	dst[11] = a[11] ^ b[11];  in xor16()
34 	dst[12] = a[12] ^ b[12];  in xor16()
35 	dst[13] = a[13] ^ b[13];  in xor16()
36 	dst[14] = a[14] ^ b[14];  in xor16()
37 	dst[15] = a[15] ^ b[15];  in xor16()
40 /* b field is assumed to have the nonce already present in bytes 1-13 */
42 			    size_t mic_size, uint16_t msg_len, uint8_t b[16],  in ccm_calculate_X0()
48 	b[0] = (((mic_size - 2) / 2) << 3) | ((!!aad_len) << 6) | 0x01;  in ccm_calculate_X0()
50 	sys_put_be16(msg_len, b + 14);  in ccm_calculate_X0()
52 	err = bt_encrypt_be(key, b, X0);  in ccm_calculate_X0()
59 		sys_put_be16(aad_len, b);  in ccm_calculate_X0()
62 			b[i] = X0[i] ^ b[i];  in ccm_calculate_X0()
69 				b[i] = X0[i] ^ aad[j];  in ccm_calculate_X0()
76 			err = bt_encrypt_be(key, b, X0);  in ccm_calculate_X0()
83 			b[i] = X0[i] ^ aad[j];  in ccm_calculate_X0()
87 			b[i] = X0[i];  in ccm_calculate_X0()
90 		err = bt_encrypt_be(key, b, X0);  in ccm_calculate_X0()
103 	uint8_t b[16], Xn[16], s0[16];  in ccm_auth()  local
113 	b[0] = 0x01;  in ccm_auth()
114 	memcpy(b + 1, nonce, 13);  in ccm_auth()
117 	sys_put_be16(0x0000, &b[14]);  in ccm_auth()
119 	err = bt_encrypt_be(key, b, s0);  in ccm_auth()
124 	ccm_calculate_X0(key, aad, aad_len, mic_size, msg_len, b, Xn);  in ccm_auth()
130 				b[i] = Xn[i] ^ cleartext_msg[(j * 16) + i];  in ccm_auth()
133 			memcpy(&b[i], &Xn[i], 16 - i);  in ccm_auth()
135 			xor16(b, Xn, &cleartext_msg[j * 16]);  in ccm_auth()
138 		err = bt_encrypt_be(key, b, Xn);  in ccm_auth()