> -----Original Message-----
> From: Boris Pismenny <bor...@mellanox.com>
> Sent: Tuesday, March 19, 2019 10:36 PM
> To: Vakul Garg <vakul.g...@nxp.com>; netdev@vger.kernel.org
> Cc: Aviad Yehezkel <avia...@mellanox.com>; davejwat...@fb.com;
> da...@davemloft.net; doro...@fb.com
> Subject: Re: [PATCH net-next] net/tls: Add support of AES128-CCM based
> ciphers
>
>
> On 3/19/2019 7:15 AM, Vakul Garg wrote:
> > Added support for AES128-CCM based record encryption. AES128-CCM is
> > similar to AES128-GCM. Both of them have same salt/iv/mac size. The
> > notable difference between the two is that while invoking AES128-CCM
> > operation, the salt||nonce (which is passed as IV) has to be prefixed
> > with a hardcoded value '2'. Further, CCM implementation in kernel
> > requires IV passed in crypto_aead_request() to be full '16' bytes.
> > Therefore, the record structure 'struct tls_rec' has been modified to
> > reserve '16' bytes for IV. This works for both GCM and CCM based cipher.
> >
>
> Can you explain what is the source of the hardcoded '2'? e.g. Why do we
> need a hardcoded constant?

The first byte of the IV is called the B0 byte. It encodes the width of the 'length' field
in the CCM IV (which defines the length of payload that can be encrypted).
In this case, the width of the 'length' field = 3 bytes.

IV[16 bytes] = B0 (1 byte) || Fixed implicit Salt (4 bytes) || Explicit IV (8 bytes) || length field (3 bytes)

The 'length' field is encoded as 'length field width - 1' in B0.
Hence B0 contains '2'.
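
The IV layout described in the reply above, as an added user-space example that is not part of the original message or of the kernel patch. The function names, the zeroed length field and the sample salt/IV bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_SIZE        16 /* full IV block handed to the AEAD request */
#define SALT_SIZE       4 /* fixed implicit salt */
#define EXPLICIT_SIZE   8 /* explicit per-record IV */
#define LEN_WIDTH       3 /* width of the 'length' field, in bytes */

/* Lay out B0 || salt || explicit IV || length field. Returns 0, or -1 on NULL. */
int ccm_build_iv(uint8_t iv[IV_SIZE], const uint8_t *salt, const uint8_t *explicit_iv)
{
    if (!iv || !salt || !explicit_iv)
        return -1;
    iv[0] = LEN_WIDTH - 1;                           /* B0 = width - 1 = 2 */
    memcpy(iv + 1, salt, SALT_SIZE);
    memcpy(iv + 1 + SALT_SIZE, explicit_iv, EXPLICIT_SIZE);
    memset(iv + IV_SIZE - LEN_WIDTH, 0, LEN_WIDTH);  /* assumption: left zeroed */
    return 0;
}

/* Decode the width from B0; -1 if it does not fit this 16-byte layout. */
int ccm_len_width(const uint8_t iv[IV_SIZE])
{
    int width = iv[0] + 1;
    if (iv[0] < 1 || iv[0] > 7)                      /* CCM allows widths 2..8 */
        return -1;
    if (1 + SALT_SIZE + EXPLICIT_SIZE + width != IV_SIZE)
        return -1;                                   /* would overlap the nonce */
    return width;
}

/* Largest payload length a 'length' field of this width can express. */
uint64_t ccm_max_payload(int width)
{
    if (width <= 0)
        return 0;
    return width >= 8 ? UINT64_MAX : ((uint64_t)1 << (8 * width)) - 1;
}

int main(void)
{
    const uint8_t salt[SALT_SIZE] = {0xa1, 0xa2, 0xa3, 0xa4};          /* constructed */
    const uint8_t explicit_iv[EXPLICIT_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    uint8_t iv[IV_SIZE];
    ccm_build_iv(iv, salt, explicit_iv);
    printf("B0=%u width=%d max_payload=%llu\n", iv[0], ccm_len_width(iv),
           (unsigned long long)ccm_max_payload(LEN_WIDTH));
    return 0;
}
```

Any B0 other than 2 is rejected for this layout, because a different length-field width would no longer leave exactly 12 bytes for the salt and explicit IV.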