Cryptography Reference
AES-GCM with associated data is even easier; there's no length to prepend to
the associated data, so you can just incorporate the associated data processing
into the MAC just before encryption starts, as shown in Listing 9-23:
Listing 9-23: “aes.c” aes_gcm_process with associated data support
int aes_gcm_process( const unsigned char *input,
                     int input_len,
                     const unsigned char *addl_data,
                     unsigned short addldata_len,
                     unsigned char *output,
                     void *iv,
                     const unsigned char *key,
                     int decrypt )
{
  original_input_len = htonl( process_len << 3 ); // remember this for final block
  while ( addldata_len )
  {
    block_size = ( addldata_len < AES_BLOCK_SIZE ) ?
      addldata_len : AES_BLOCK_SIZE;
    memset( input_block, '\0', AES_BLOCK_SIZE );
    memcpy( input_block, addl_data, block_size );
    xor( input_block, mac_block, AES_BLOCK_SIZE );
    gf_multiply( input_block, H, mac_block );
    addl_data += block_size;
    addldata_len -= block_size;
  }
  next_nonce = htonl( 1 );
However, remember from the previous section that the GCM MAC itself
included a trailer block whose last eight bytes were the length, in bits, of the
MAC'ed data. If you start including additional data in the MAC, you must declare
that length as well. Because the trailer block is 16 bytes long, and the last 8 bytes
are the length of the ciphertext, you can probably guess that the first 8 bytes are
the length of the additional data. Modify aes_gcm_process as shown in Listing
9-24 to account for this.
Listing 9-24: “aes.c” aes_gcm_process with associated data length declaration
  int original_input_len, original_addl_len;
  original_input_len = htonl( process_len << 3 ); // remember this for final block
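The trailer layout described above, as an added example that is not part of the original text or its aes.c: a stand-alone GCM MAC (the GHASH step only, before the final encryption of the tag) that folds in the associated data, the ciphertext and then the 16-byte length block. The names absorb, gcm_mac, kat_ok, aad_collides and the declare_aad switch are assumptions made for this illustration; with declare_aad set to 0, two associated-data strings that zero-pad to the same block produce the same MAC, which is the ambiguity the first eight trailer bytes remove.

```c
#include <stdint.h>
#include <string.h>
/* Per 16-byte block: mac = (mac XOR zero-padded block) * h in GF(2^128), as in Listing 9-23. */
static void absorb(uint8_t *mac, const uint8_t *h, const uint8_t *p, size_t len) {
    while (len) {
        size_t n = len < 16 ? len : 16;
        uint8_t v[16], z[16] = {0};
        for (size_t j = 0; j < n; j++) mac[j] ^= p[j]; /* zero padding: XOR only n bytes */
        memcpy(v, h, 16);
        for (int i = 0; i < 128; i++) { /* GCM bit order: bit 0 is the MSB of byte 0 */
            if (mac[i / 8] & (0x80 >> (i % 8)))
                for (int j = 0; j < 16; j++) z[j] ^= v[j];
            int carry = v[15] & 1;
            for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
            v[0] = (uint8_t)((v[0] >> 1) ^ (carry ? 0xe1 : 0)); /* x^128 + x^7 + x^2 + x + 1 */
        }
        memcpy(mac, z, 16);
        p += n; len -= n;
    }
}

/* Trailer: 8-byte AAD bit length, then 8-byte ciphertext bit length, big-endian.
 * declare_aad (hypothetical switch) = 0 zeroes the AAD field; that is not valid GCM. */
void gcm_mac(const uint8_t *h, const uint8_t *aad, size_t alen, const uint8_t *ct,
             size_t clen, int declare_aad, uint8_t *mac) {
    uint64_t bits[2] = { declare_aad ? (uint64_t)alen << 3 : 0, (uint64_t)clen << 3 };
    uint8_t trailer[16];
    for (int i = 0; i < 16; i++) trailer[i] = (uint8_t)(bits[i / 8] >> (8 * (7 - i % 8)));
    memset(mac, 0, 16);
    absorb(mac, h, aad, alen);
    absorb(mac, h, ct, clen);
    absorb(mac, h, trailer, 16);
}
/* H, ciphertext and expected GHASH from GCM spec test case 2; the AAD below is constructed. */
static const uint8_t TC2_H[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e};
static const uint8_t TC2_C[16] = {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78};
static const uint8_t TC2_GHASH[16] = {0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85};
int kat_ok(void) {
    uint8_t m[16];
    gcm_mac(TC2_H, NULL, 0, TC2_C, 16, 1, m);
    return memcmp(m, TC2_GHASH, 16) == 0;
}
/* AAD "hello" and "hello\0" zero-pad to the same block: do their MACs collide? */
int aad_collides(int declare_aad) {
    uint8_t a[16], b[16];
    gcm_mac(TC2_H, (const uint8_t *)"hello", 5, TC2_C, 16, declare_aad, a);
    gcm_mac(TC2_H, (const uint8_t *)"hello", 6, TC2_C, 16, declare_aad, b);
    return memcmp(a, b, 16) == 0;
}
```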