kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
5554 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: 045ee41928
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „045ee41928“
${ noResults }
boringssl/crypto/cmac/cmac.c

279 řádky
8.5 KiB
Surový Blame Historie 

  1. /* ====================================================================

  2.  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    licensing@OpenSSL.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ==================================================================== */

  48. 

  49. #include <openssl/cmac.h>

  50. 

  51. #include <assert.h>

  52. #include <string.h>

  53. 

  54. #include <openssl/aes.h>

  55. #include <openssl/cipher.h>

  56. #include <openssl/mem.h>

  57. 

  58. #include "../internal.h"

  59. 

  60. 

  61. struct cmac_ctx_st {

  62.   EVP_CIPHER_CTX cipher_ctx;

  63.   // k1 and k2 are the CMAC subkeys. See

  64.   // https://tools.ietf.org/html/rfc4493#section-2.3

  65.   uint8_t k1[AES_BLOCK_SIZE];

  66.   uint8_t k2[AES_BLOCK_SIZE];

  67.   // Last (possibly partial) scratch

  68.   uint8_t block[AES_BLOCK_SIZE];

  69.   // block_used contains the number of valid bytes in |block|.

  70.   unsigned block_used;

  71. };

  72. 

  73. static void CMAC_CTX_init(CMAC_CTX *ctx) {

  74.   EVP_CIPHER_CTX_init(&ctx->cipher_ctx);

  75. }

  76. 

  77. static void CMAC_CTX_cleanup(CMAC_CTX *ctx) {

  78.   EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);

  79.   OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));

  80.   OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));

  81.   OPENSSL_cleanse(ctx->block, sizeof(ctx->block));

  82. }

  83. 

  84. int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,

  85.              const uint8_t *in, size_t in_len) {

  86.   const EVP_CIPHER *cipher;

  87.   switch (key_len) {

  88.     case 16:

  89.       cipher = EVP_aes_128_cbc();

  90.       break;

  91.     case 32:

  92.       cipher = EVP_aes_256_cbc();

  93.       break;

  94.     default:

  95.       return 0;

  96.   }

  97. 

  98.   size_t scratch_out_len;

  99.   CMAC_CTX ctx;

  100.   CMAC_CTX_init(&ctx);

  101. 

  102.   const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&

  103.                  CMAC_Update(&ctx, in, in_len) &&

  104.                  CMAC_Final(&ctx, out, &scratch_out_len);

  105. 

  106.   CMAC_CTX_cleanup(&ctx);

  107.   return ok;

  108. }

  109. 

  110. CMAC_CTX *CMAC_CTX_new(void) {

  111.   CMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));

  112.   if (ctx != NULL) {

  113.     CMAC_CTX_init(ctx);

  114.   }

  115.   return ctx;

  116. }

  117. 

  118. void CMAC_CTX_free(CMAC_CTX *ctx) {

  119.   if (ctx == NULL) {

  120.     return;

  121.   }

  122. 

  123.   CMAC_CTX_cleanup(ctx);

  124.   OPENSSL_free(ctx);

  125. }

  126. 

  127. int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in) {

  128.   if (!EVP_CIPHER_CTX_copy(&out->cipher_ctx, &in->cipher_ctx)) {

  129.     return 0;

  130.   }

  131.   OPENSSL_memcpy(out->k1, in->k1, AES_BLOCK_SIZE);

  132.   OPENSSL_memcpy(out->k2, in->k2, AES_BLOCK_SIZE);

  133.   OPENSSL_memcpy(out->block, in->block, AES_BLOCK_SIZE);

  134.   out->block_used = in->block_used;

  135.   return 1;

  136. }

  137. 

  138. // binary_field_mul_x_128 treats the 128 bits at |in| as an element of GF(2¹²⁸)

  139. // with a hard-coded reduction polynomial and sets |out| as x times the input.

  140. //

  141. // See https://tools.ietf.org/html/rfc4493#section-2.3

  142. static void binary_field_mul_x_128(uint8_t out[16], const uint8_t in[16]) {

  143.   unsigned i;

  144. 

  145.   // Shift |in| to left, including carry.

  146.   for (i = 0; i < 15; i++) {

  147.     out[i] = (in[i] << 1) | (in[i+1] >> 7);

  148.   }

  149. 

  150.   // If MSB set fixup with R.

  151.   const uint8_t carry = in[0] >> 7;

  152.   out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);

  153. }

  154. 

  155. // binary_field_mul_x_64 behaves like |binary_field_mul_x_128| but acts on an

  156. // element of GF(2⁶⁴).

  157. //

  158. // See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf

  159. static void binary_field_mul_x_64(uint8_t out[8], const uint8_t in[8]) {

  160.   unsigned i;

  161. 

  162.   // Shift |in| to left, including carry.

  163.   for (i = 0; i < 7; i++) {

  164.     out[i] = (in[i] << 1) | (in[i+1] >> 7);

  165.   }

  166. 

  167.   // If MSB set fixup with R.

  168.   const uint8_t carry = in[0] >> 7;

  169.   out[i] = (in[i] << 1) ^ ((0 - carry) & 0x1b);

  170. }

  171. 

  172. static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};

  173. 

  174. int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,

  175.               const EVP_CIPHER *cipher, ENGINE *engine) {

  176.   uint8_t scratch[AES_BLOCK_SIZE];

  177. 

  178.   size_t block_size = EVP_CIPHER_block_size(cipher);

  179.   if ((block_size != AES_BLOCK_SIZE && block_size != 8 /* 3-DES */) ||

  180.       EVP_CIPHER_key_length(cipher) != key_len ||

  181.       !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||

  182.       !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, block_size) ||

  183.       // Reset context again ready for first data.

  184.       !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {

  185.     return 0;

  186.   }

  187. 

  188.   if (block_size == AES_BLOCK_SIZE) {

  189.     binary_field_mul_x_128(ctx->k1, scratch);

  190.     binary_field_mul_x_128(ctx->k2, ctx->k1);

  191.   } else {

  192.     binary_field_mul_x_64(ctx->k1, scratch);

  193.     binary_field_mul_x_64(ctx->k2, ctx->k1);

  194.   }

  195.   ctx->block_used = 0;

  196. 

  197.   return 1;

  198. }

  199. 

  200. int CMAC_Reset(CMAC_CTX *ctx) {

  201.   ctx->block_used = 0;

  202.   return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);

  203. }

  204. 

  205. int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {

  206.   size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);

  207.   assert(block_size <= AES_BLOCK_SIZE);

  208.   uint8_t scratch[AES_BLOCK_SIZE];

  209. 

  210.   if (ctx->block_used > 0) {

  211.     size_t todo = block_size - ctx->block_used;

  212.     if (in_len < todo) {

  213.       todo = in_len;

  214.     }

  215. 

  216.     OPENSSL_memcpy(ctx->block + ctx->block_used, in, todo);

  217.     in += todo;

  218.     in_len -= todo;

  219.     ctx->block_used += todo;

  220. 

  221.     // If |in_len| is zero then either |ctx->block_used| is less than

  222.     // |block_size|, in which case we can stop here, or |ctx->block_used| is

  223.     // exactly |block_size| but there's no more data to process. In the latter

  224.     // case we don't want to process this block now because it might be the last

  225.     // block and that block is treated specially.

  226.     if (in_len == 0) {

  227.       return 1;

  228.     }

  229. 

  230.     assert(ctx->block_used == block_size);

  231. 

  232.     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, block_size)) {

  233.       return 0;

  234.     }

  235.   }

  236. 

  237.   // Encrypt all but one of the remaining blocks.

  238.   while (in_len > block_size) {

  239.     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, block_size)) {

  240.       return 0;

  241.     }

  242.     in += block_size;

  243.     in_len -= block_size;

  244.   }

  245. 

  246.   OPENSSL_memcpy(ctx->block, in, in_len);

  247.   ctx->block_used = in_len;

  248. 

  249.   return 1;

  250. }

  251. 

  252. int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {

  253.   size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);

  254.   assert(block_size <= AES_BLOCK_SIZE);

  255. 

  256.   *out_len = block_size;

  257.   if (out == NULL) {

  258.     return 1;

  259.   }

  260. 

  261.   const uint8_t *mask = ctx->k1;

  262. 

  263.   if (ctx->block_used != block_size) {

  264.     // If the last block is incomplete, terminate it with a single 'one' bit

  265.     // followed by zeros.

  266.     ctx->block[ctx->block_used] = 0x80;

  267.     OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,

  268.                    block_size - (ctx->block_used + 1));

  269. 

  270.     mask = ctx->k2;

  271.   }

  272. 

  273.   for (unsigned i = 0; i < block_size; i++) {

  274.     out[i] = ctx->block[i] ^ mask[i];

  275.   }

  276. 

  277.   return EVP_Cipher(&ctx->cipher_ctx, out, out, block_size);

  278. }