kris
/
boringssl
1
0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 활동
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4677 커밋
12 브랜치
38 MiB
 
 
 
 
 
 
트리: 01f26f3f32
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from '01f26f3f32'
${ noResults }
boringssl/crypto/cmac/cmac.c

242 lines
7.3 KiB
Raw Blame 히스토리 

  1. /* ====================================================================

  2.  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    licensing@OpenSSL.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ==================================================================== */

  48. 

  49. #include <openssl/cmac.h>

  50. 

  51. #include <assert.h>

  52. #include <string.h>

  53. 

  54. #include <openssl/aes.h>

  55. #include <openssl/cipher.h>

  56. #include <openssl/mem.h>

  57. 

  58. #include "../internal.h"

  59. 

  60. 

  61. struct cmac_ctx_st {

  62.   EVP_CIPHER_CTX cipher_ctx;

  63.   // k1 and k2 are the CMAC subkeys. See

  64.   // https://tools.ietf.org/html/rfc4493#section-2.3

  65.   uint8_t k1[AES_BLOCK_SIZE];

  66.   uint8_t k2[AES_BLOCK_SIZE];

  67.   // Last (possibly partial) scratch

  68.   uint8_t block[AES_BLOCK_SIZE];

  69.   // block_used contains the number of valid bytes in |block|.

  70.   unsigned block_used;

  71. };

  72. 

  73. static void CMAC_CTX_init(CMAC_CTX *ctx) {

  74.   EVP_CIPHER_CTX_init(&ctx->cipher_ctx);

  75. }

  76. 

  77. static void CMAC_CTX_cleanup(CMAC_CTX *ctx) {

  78.   EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);

  79.   OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));

  80.   OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));

  81.   OPENSSL_cleanse(ctx->block, sizeof(ctx->block));

  82. }

  83. 

  84. int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,

  85.              const uint8_t *in, size_t in_len) {

  86.   const EVP_CIPHER *cipher;

  87.   switch (key_len) {

  88.     case 16:

  89.       cipher = EVP_aes_128_cbc();

  90.       break;

  91.     case 32:

  92.       cipher = EVP_aes_256_cbc();

  93.       break;

  94.     default:

  95.       return 0;

  96.   }

  97. 

  98.   size_t scratch_out_len;

  99.   CMAC_CTX ctx;

  100.   CMAC_CTX_init(&ctx);

  101. 

  102.   const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&

  103.                  CMAC_Update(&ctx, in, in_len) &&

  104.                  CMAC_Final(&ctx, out, &scratch_out_len);

  105. 

  106.   CMAC_CTX_cleanup(&ctx);

  107.   return ok;

  108. }

  109. 

  110. CMAC_CTX *CMAC_CTX_new(void) {

  111.   CMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));

  112.   if (ctx != NULL) {

  113.     CMAC_CTX_init(ctx);

  114.   }

  115.   return ctx;

  116. }

  117. 

  118. void CMAC_CTX_free(CMAC_CTX *ctx) {

  119.   if (ctx == NULL) {

  120.     return;

  121.   }

  122. 

  123.   CMAC_CTX_cleanup(ctx);

  124.   OPENSSL_free(ctx);

  125. }

  126. 

  127. // binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)

  128. // with a hard-coded reduction polynomial and sets |out| as x times the

  129. // input.

  130. //

  131. // See https://tools.ietf.org/html/rfc4493#section-2.3

  132. static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {

  133.   unsigned i;

  134. 

  135.   // Shift |in| to left, including carry.

  136.   for (i = 0; i < 15; i++) {

  137.     out[i] = (in[i] << 1) | (in[i+1] >> 7);

  138.   }

  139. 

  140.   // If MSB set fixup with R.

  141.   const uint8_t carry = in[0] >> 7;

  142.   out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);

  143. }

  144. 

  145. static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};

  146. 

  147. int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,

  148.               const EVP_CIPHER *cipher, ENGINE *engine) {

  149.   uint8_t scratch[AES_BLOCK_SIZE];

  150. 

  151.   if (EVP_CIPHER_block_size(cipher) != AES_BLOCK_SIZE ||

  152.       EVP_CIPHER_key_length(cipher) != key_len ||

  153.       !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||

  154.       !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||

  155.       // Reset context again ready for first data.

  156.       !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {

  157.     return 0;

  158.   }

  159. 

  160.   binary_field_mul_x(ctx->k1, scratch);

  161.   binary_field_mul_x(ctx->k2, ctx->k1);

  162.   ctx->block_used = 0;

  163. 

  164.   return 1;

  165. }

  166. 

  167. int CMAC_Reset(CMAC_CTX *ctx) {

  168.   ctx->block_used = 0;

  169.   return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);

  170. }

  171. 

  172. int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {

  173.   uint8_t scratch[AES_BLOCK_SIZE];

  174. 

  175.   if (ctx->block_used > 0) {

  176.     size_t todo = AES_BLOCK_SIZE - ctx->block_used;

  177.     if (in_len < todo) {

  178.       todo = in_len;

  179.     }

  180. 

  181.     OPENSSL_memcpy(ctx->block + ctx->block_used, in, todo);

  182.     in += todo;

  183.     in_len -= todo;

  184.     ctx->block_used += todo;

  185. 

  186.     // If |in_len| is zero then either |ctx->block_used| is less than

  187.     // |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|

  188.     // is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the

  189.     // latter case we don't want to process this block now because it might be

  190.     // the last block and that block is treated specially.

  191.     if (in_len == 0) {

  192.       return 1;

  193.     }

  194. 

  195.     assert(ctx->block_used == AES_BLOCK_SIZE);

  196. 

  197.     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, AES_BLOCK_SIZE)) {

  198.       return 0;

  199.     }

  200.   }

  201. 

  202.   // Encrypt all but one of the remaining blocks.

  203.   while (in_len > AES_BLOCK_SIZE) {

  204.     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {

  205.       return 0;

  206.     }

  207.     in += AES_BLOCK_SIZE;

  208.     in_len -= AES_BLOCK_SIZE;

  209.   }

  210. 

  211.   OPENSSL_memcpy(ctx->block, in, in_len);

  212.   ctx->block_used = in_len;

  213. 

  214.   return 1;

  215. }

  216. 

  217. int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {

  218.   *out_len = AES_BLOCK_SIZE;

  219.   if (out == NULL) {

  220.     return 1;

  221.   }

  222. 

  223.   const uint8_t *mask = ctx->k1;

  224. 

  225.   if (ctx->block_used != AES_BLOCK_SIZE) {

  226.     // If the last block is incomplete, terminate it with a single 'one' bit

  227.     // followed by zeros.

  228.     ctx->block[ctx->block_used] = 0x80;

  229.     OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,

  230.                    AES_BLOCK_SIZE - (ctx->block_used + 1));

  231. 

  232.     mask = ctx->k2;

  233.   }

  234. 

  235.   unsigned i;

  236.   for (i = 0; i < AES_BLOCK_SIZE; i++) {

  237.     out[i] = ctx->block[i] ^ mask[i];

  238.   }

  239. 

  240.   return EVP_Cipher(&ctx->cipher_ctx, out, out, AES_BLOCK_SIZE);

  241. }