> -----Original Message-----
> From: Boris Pismenny <[email protected]>
> Sent: Tuesday, March 19, 2019 10:36 PM
> To: Vakul Garg <[email protected]>; [email protected]
> Cc: Aviad Yehezkel <[email protected]>; [email protected]; [email protected]; [email protected]
> Subject: Re: [PATCH net-next] net/tls: Add support of AES128-CCM based ciphers
>
>
> On 3/19/2019 7:15 AM, Vakul Garg wrote:
> > Added support for AES128-CCM based record encryption. AES128-CCM is
> > similar to AES128-GCM. Both of them have the same salt/iv/mac size. The
> > notable difference between the two is that while invoking an AES128-CCM
> > operation, the salt||nonce (which is passed as IV) has to be prefixed
> > with a hardcoded value '2'. Further, the CCM implementation in the kernel
> > requires the IV passed in crypto_aead_request() to be a full '16' bytes.
> > Therefore, the record structure 'struct tls_rec' has been modified to
> > reserve '16' bytes for IV. This works for both GCM and CCM based ciphers.
> >
>
> Can you explain what is the source of the hardcoded '2'? e.g. Why do we
> need a hardcoded constant?
The first byte of the IV is called the B0 byte. It encodes the width of the 'length' field in the CCM IV (which defines the length of payload that can be encrypted). In this case, the width of the 'length' field = 3 bytes.

IV[16 bytes] = B0 (1 byte) || Fixed implicit Salt (4 bytes) || Explicit IV (8 bytes) || length field (3 bytes)

The 'length' field width is encoded as 'length field width - 1' in B0. Hence B0 contains '2'.
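As an added illustration (not code from the patch or the kernel), the following builds the 16-byte CCM IV with the layout described above and decodes it again, checking the CCM constraint that nonce width plus length-field width equals 15 (RFC 3610). The salt and explicit IV values used in the demo are constructed.

```python
# Field widths from the message above: B0(1) || salt(4) || explicit IV(8) || length(3) == 16.
SALT_LEN, EXPLICIT_IV_LEN, LENGTH_FIELD_LEN = 4, 8, 3
CCM_IV_LEN = 16


def build_tls_ccm_iv(salt: bytes, explicit_iv: bytes) -> bytes:
    """Lay out the 16-byte IV passed to the kernel CCM AEAD for a TLS record.

    Byte 0 carries L-1, where L is the width of the length field in bytes;
    with a 3-byte length field that is the hardcoded value 2.  The trailing
    L bytes are left zero here: CCM fills in the payload length itself when
    it formats the B0/counter blocks (RFC 3610).
    """
    if len(salt) != SALT_LEN or len(explicit_iv) != EXPLICIT_IV_LEN:
        raise ValueError("salt must be 4 bytes and explicit IV 8 bytes")
    b0 = bytes([LENGTH_FIELD_LEN - 1])          # L - 1 == 2
    iv = b0 + salt + explicit_iv + bytes(LENGTH_FIELD_LEN)
    assert len(iv) == CCM_IV_LEN
    return iv


def parse_ccm_iv(iv: bytes) -> dict:
    """Decode a kernel-style CCM IV into L, the nonce and the maximum payload size.

    RFC 3610 requires 2 <= L <= 8 and a nonce of exactly 15 - L bytes, so the
    salt||explicit IV (12 bytes) is only consistent with L == 3.
    """
    if len(iv) != CCM_IV_LEN:
        raise ValueError("CCM IV must be 16 bytes")
    length_width = iv[0] + 1
    if not 2 <= length_width <= 8:
        raise ValueError("invalid L in B0: must be between 2 and 8")
    nonce_len = 15 - length_width
    return {
        "L": length_width,
        "nonce": iv[1:1 + nonce_len],
        "max_payload": (1 << (8 * length_width)) - 1,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real session.
    sample_salt = bytes.fromhex("a1b2c3d4")
    sample_explicit_iv = bytes(range(8))
    iv = build_tls_ccm_iv(sample_salt, sample_explicit_iv)
    print(iv.hex(), parse_ccm_iv(iv))
```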
