5  * SPDX-License-Identifier: Apache-2.0
20 static inline void xor16(uint8_t *dst, const uint8_t *a, const uint8_t *b)  in xor16()  argument
22 	dst[0] = a[0] ^ b[0];  in xor16()
23 	dst[1] = a[1] ^ b[1];  in xor16()
24 	dst[2] = a[2] ^ b[2];  in xor16()
25 	dst[3] = a[3] ^ b[3];  in xor16()
26 	dst[4] = a[4] ^ b[4];  in xor16()
27 	dst[5] = a[5] ^ b[5];  in xor16()
28 	dst[6] = a[6] ^ b[6];  in xor16()
29 	dst[7] = a[7] ^ b[7];  in xor16()
30 	dst[8] = a[8] ^ b[8];  in xor16()
31 	dst[9] = a[9] ^ b[9];  in xor16()
32 	dst[10] = a[10] ^ b[10];  in xor16()
33 	dst[11] = a[11] ^ b[11];  in xor16()
34 	dst[12] = a[12] ^ b[12];  in xor16()
35 	dst[13] = a[13] ^ b[13];  in xor16()
36 	dst[14] = a[14] ^ b[14];  in xor16()
37 	dst[15] = a[15] ^ b[15];  in xor16()
40 /* b field is assumed to have the nonce already present in bytes 1-13 */
41 static int ccm_calculate_X0(const uint8_t key[16], const uint8_t *aad, uint8_t aad_len,  in ccm_calculate_X0()
42 			    size_t mic_size, uint16_t msg_len, uint8_t b[16],  in ccm_calculate_X0()
45 	int i, j, err;  in ccm_calculate_X0()
48 	b[0] = (((mic_size - 2) / 2) << 3) | ((!!aad_len) << 6) | 0x01;  in ccm_calculate_X0()
50 	sys_put_be16(msg_len, b + 14);  in ccm_calculate_X0()
52 	err = bt_encrypt_be(key, b, X0);  in ccm_calculate_X0()
59 		sys_put_be16(aad_len, b);  in ccm_calculate_X0()
62 			b[i] = X0[i] ^ b[i];  in ccm_calculate_X0()
69 				b[i] = X0[i] ^ aad[j];  in ccm_calculate_X0()
73 			aad_len -= 16;  in ccm_calculate_X0()
76 			err = bt_encrypt_be(key, b, X0);  in ccm_calculate_X0()
83 			b[i] = X0[i] ^ aad[j];  in ccm_calculate_X0()
87 			b[i] = X0[i];  in ccm_calculate_X0()
90 		err = bt_encrypt_be(key, b, X0);  in ccm_calculate_X0()
99 static int ccm_auth(const uint8_t key[16], uint8_t nonce[13],  in ccm_auth()
103 	uint8_t b[16], Xn[16], s0[16];  in ccm_auth()  local
105 	int err, j, i;  in ccm_auth()
113 	b[0] = 0x01;  in ccm_auth()
114 	memcpy(b + 1, nonce, 13);  in ccm_auth()
117 	sys_put_be16(0x0000, &b[14]);  in ccm_auth()
119 	err = bt_encrypt_be(key, b, s0);  in ccm_auth()
124 	ccm_calculate_X0(key, aad, aad_len, mic_size, msg_len, b, Xn);  in ccm_auth()
127 		/* X_1 = e(AppKey, X_0 ^ Payload[0-15]) */  in ccm_auth()
130 				b[i] = Xn[i] ^ cleartext_msg[(j * 16) + i];  in ccm_auth()
133 			memcpy(&b[i], &Xn[i], 16 - i);  in ccm_auth()
135 			xor16(b, Xn, &cleartext_msg[j * 16]);  in ccm_auth()
138 		err = bt_encrypt_be(key, b, Xn);  in ccm_auth()
152 static int ccm_crypt(const uint8_t key[16], const uint8_t nonce[13],  in ccm_crypt()
158 	int err;  in ccm_crypt()
178 		/* Encrypted = Payload[0-15] ^ C_1 */  in ccm_crypt()
179 		if (j < blk_cnt - 1) {  in ccm_crypt()
191 int bt_ccm_decrypt(const uint8_t key[16], uint8_t nonce[13],  in bt_ccm_decrypt()
198 		return -EINVAL;  in bt_ccm_decrypt()
206 		return -EBADMSG;  in bt_ccm_decrypt()
212 int bt_ccm_encrypt(const uint8_t key[16], uint8_t nonce[13],  in bt_ccm_encrypt()
225 		return -EINVAL;  in bt_ccm_encrypt()