
cryptosoft: Fix support for variable tag lengths in AES-CCM.

Authored by jhb on Sep 24 2021, 6:05 PM.



The tag length is included as one of the values in the flags byte of
block 0 passed to CBC_MAC, so merely copying the first N bytes is

To avoid adding more sideband data to the CBC MAC software context,
pull the generation of block 0, the AAD length, and AAD padding out of
cbc_mac.c and into cryptosoft.c. This matches how GCM/GMAC are
handled where the length block is constructed in cryptosoft.c and
passed as an input to the Update callback. As a result, the CBC MAC
Update() routine is now much simpler and simply performs the
XOR-and-encrypt step on each input block.

While here, avoid a copy to the staging block in the Update routine
when one or more full blocks are passed as input to the Update

Sponsored by: The FreeBSD Foundation
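The commit message above describes moving the construction of block B0, the AAD length prefix and the AAD padding out of cbc_mac.c and into cryptosoft.c, and points out that the tag length is encoded in the flags byte of B0. The following is an added example, not code from the FreeBSD revision or from cryptosoft.c, that lays out exactly that CBC-MAC prefix per NIST SP 800-38C (Appendix A) / RFC 3610 and shows why the first block of the MAC input already differs between an 8-byte and a 16-byte tag. Function names (ccm_format_b0, ccm_encode_aad_len, ccm_format_mac_header, the two self-check helpers) are this example's own; the nonce, AAD and lengths used in the self-check are taken from RFC 3610 packet vector #1.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CCM_BLOCK_LEN 16

/*
 * Build CCM block B0 (SP 800-38C A.2.1 / RFC 3610 section 2.2):
 *   byte 0       flags: bit 6 = Adata, bits 5..3 = (t-2)/2, bits 2..0 = q-1
 *   bytes 1..    nonce (15 - q bytes)
 *   last q bytes message length, big-endian
 * Returns 0 on success, -1 when the parameters are outside what CCM allows.
 * Note that tag_len (t) is baked into byte 0, so the MAC input differs from
 * the very first block when the tag length changes.
 */
int ccm_format_b0(uint8_t b0[CCM_BLOCK_LEN], const uint8_t *nonce, size_t nonce_len,
                  uint64_t aad_len, uint64_t msg_len, size_t tag_len)
{
    size_t q, i;

    if (nonce_len < 7 || nonce_len > 13)
        return -1;
    if (tag_len < 4 || tag_len > 16 || (tag_len % 2) != 0)
        return -1;
    q = CCM_BLOCK_LEN - 1 - nonce_len;
    /* msg_len must fit in q bytes; q == 8 always holds a uint64_t. */
    if (q < 8 && (msg_len >> (8 * q)) != 0)
        return -1;

    memset(b0, 0, CCM_BLOCK_LEN);
    b0[0] = (uint8_t)((aad_len != 0 ? 0x40 : 0x00) |
                      (((tag_len - 2) / 2) << 3) | (q - 1));
    memcpy(b0 + 1, nonce, nonce_len);
    for (i = 0; i < q; i++)
        b0[CCM_BLOCK_LEN - 1 - i] = (uint8_t)(msg_len >> (8 * i));
    return 0;
}

/* Encode the AAD length prefix (SP 800-38C A.2.2). Returns 0, 2, 6 or 10 bytes written. */
size_t ccm_encode_aad_len(uint8_t out[10], uint64_t aad_len)
{
    size_t i;

    if (aad_len == 0)
        return 0;
    if (aad_len < 0xFF00) {                 /* a < 2^16 - 2^8: two bytes */
        out[0] = (uint8_t)(aad_len >> 8);
        out[1] = (uint8_t)aad_len;
        return 2;
    }
    if (aad_len <= 0xFFFFFFFFu) {           /* a < 2^32: 0xff 0xfe + 4 bytes */
        out[0] = 0xFF; out[1] = 0xFE;
        for (i = 0; i < 4; i++)
            out[2 + i] = (uint8_t)(aad_len >> (8 * (3 - i)));
        return 6;
    }
    out[0] = 0xFF; out[1] = 0xFF;           /* otherwise: 0xff 0xff + 8 bytes */
    for (i = 0; i < 8; i++)
        out[2 + i] = (uint8_t)(aad_len >> (8 * (7 - i)));
    return 10;
}

/*
 * Everything the CBC-MAC consumes before the payload: B0, then the AAD
 * length prefix and the AAD, zero-padded to a block boundary. Returns the
 * number of bytes written, or 0 on error / insufficient space.
 */
size_t ccm_format_mac_header(uint8_t *out, size_t out_cap,
                             const uint8_t *nonce, size_t nonce_len,
                             const uint8_t *aad, uint64_t aad_len,
                             uint64_t msg_len, size_t tag_len)
{
    uint8_t lenbuf[10];
    size_t prefix_len;
    uint64_t total;

    if (out_cap < CCM_BLOCK_LEN)
        return 0;
    if (ccm_format_b0(out, nonce, nonce_len, aad_len, msg_len, tag_len) != 0)
        return 0;
    prefix_len = ccm_encode_aad_len(lenbuf, aad_len);
    if (prefix_len == 0)
        return CCM_BLOCK_LEN;               /* no AAD: only B0 */
    total = (prefix_len + aad_len + CCM_BLOCK_LEN - 1) / CCM_BLOCK_LEN * CCM_BLOCK_LEN;
    if ((uint64_t)(out_cap - CCM_BLOCK_LEN) < total)
        return 0;
    memset(out + CCM_BLOCK_LEN, 0, (size_t)total);
    memcpy(out + CCM_BLOCK_LEN, lenbuf, prefix_len);
    memcpy(out + CCM_BLOCK_LEN + prefix_len, aad, (size_t)aad_len);
    return CCM_BLOCK_LEN + (size_t)total;
}

/* Inputs of RFC 3610 packet vector #1: 13-byte nonce, 8 bytes AAD, 23-byte payload, 8-byte tag. */
static const uint8_t vec1_nonce[13] = { 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00,
                                        0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5 };
static const uint8_t vec1_aad[8] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };

/* Flags byte of B0 for the vector #1 inputs with a given tag length (-1 on error). */
int ccm_b0_flags(size_t tag_len)
{
    uint8_t b0[CCM_BLOCK_LEN];
    if (ccm_format_b0(b0, vec1_nonce, sizeof(vec1_nonce), sizeof(vec1_aad), 23, tag_len) != 0)
        return -1;
    return b0[0];
}

/* 1 if our B0 and B1 match the blocks listed for RFC 3610 packet vector #1. */
int ccm_selftest_rfc3610_vector1(void)
{
    static const uint8_t expected[32] = {
        0x59, 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0x00, 0x17,
        0x00, 0x08, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    uint8_t hdr[64];
    size_t n = ccm_format_mac_header(hdr, sizeof(hdr), vec1_nonce, sizeof(vec1_nonce),
                                     vec1_aad, sizeof(vec1_aad), 23, 8);
    return n == sizeof(expected) && memcmp(hdr, expected, n) == 0;
}

int main(void)
{
    printf("RFC 3610 vector #1 header matches: %d\n", ccm_selftest_rfc3610_vector1());
    printf("B0 flags byte, 8-byte tag:  0x%02x\n", ccm_b0_flags(8));
    printf("B0 flags byte, 16-byte tag: 0x%02x\n", ccm_b0_flags(16));
    return 0;
}
```

The two flags bytes (0x59 for an 8-byte tag, 0x79 for a 16-byte tag) show the point of the fix: the CBC-MAC over a message with a shorter tag starts from a different B0, so it is not a prefix of the MAC computed for a 16-byte tag, and the tag length has to be known when B0 is built rather than applied by truncation afterwards.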

Diff Detail

rG FreeBSD src repository

Event Timeline

jhb requested review of this revision.Sep 24 2021, 6:05 PM

Tested via the AES-CCM NIST KAT vectors.


These are duplicated only to mimic cryptosoft.c. I should probably change ccr at some point to allocate an internal software crypto session and feed requests into that rather than duplicating the code here.


It might be worth exposing some variant of these functions publicly as ccr, aesni, and safexcel all have their own routines to build b0 and the AAD length words (not counting that ccr duplicates these exact functions again in its software fallback). Public versions could perhaps take the crp as an argument rather than all the broken out fields.

I approve of simplifying my code.

This revision is now accepted and ready to land.Sep 27 2021, 9:47 PM