kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3295 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: f99f2448bd
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'f99f2448bd'
${ noResults }
boringssl/crypto/cmac/cmac.c

240 regels
7.3 KiB
Ruw Blame Geschiedenis 

  1. /* ====================================================================

  2.  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    licensing@OpenSSL.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ==================================================================== */

  48. 

  49. #include <openssl/cmac.h>

  50. 

  51. #include <assert.h>

  52. #include <string.h>

  53. 

  54. #include <openssl/aes.h>

  55. #include <openssl/cipher.h>

  56. #include <openssl/mem.h>

  57. 

  58. 

  59. struct cmac_ctx_st {

  60.   EVP_CIPHER_CTX cipher_ctx;

  61.   /* k1 and k2 are the CMAC subkeys. See

  62.    * https://tools.ietf.org/html/rfc4493#section-2.3 */

  63.   uint8_t k1[AES_BLOCK_SIZE];

  64.   uint8_t k2[AES_BLOCK_SIZE];

  65.   /* Last (possibly partial) scratch */

  66.   uint8_t block[AES_BLOCK_SIZE];

  67.   /* block_used contains the number of valid bytes in |block|. */

  68.   unsigned block_used;

  69. };

  70. 

  71. static void CMAC_CTX_init(CMAC_CTX *ctx) {

  72.   EVP_CIPHER_CTX_init(&ctx->cipher_ctx);

  73. }

  74. 

  75. static void CMAC_CTX_cleanup(CMAC_CTX *ctx) {

  76.   EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);

  77.   OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));

  78.   OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));

  79.   OPENSSL_cleanse(ctx->block, sizeof(ctx->block));

  80. }

  81. 

  82. int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,

  83.              const uint8_t *in, size_t in_len) {

  84.   const EVP_CIPHER *cipher;

  85.   switch (key_len) {

  86.     case 16:

  87.       cipher = EVP_aes_128_cbc();

  88.       break;

  89.     case 32:

  90.       cipher = EVP_aes_256_cbc();

  91.       break;

  92.     default:

  93.       return 0;

  94.   }

  95. 

  96.   size_t scratch_out_len;

  97.   CMAC_CTX ctx;

  98.   CMAC_CTX_init(&ctx);

  99. 

  100.   const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&

  101.                  CMAC_Update(&ctx, in, in_len) &&

  102.                  CMAC_Final(&ctx, out, &scratch_out_len);

  103. 

  104.   CMAC_CTX_cleanup(&ctx);

  105.   return ok;

  106. }

  107. 

  108. CMAC_CTX *CMAC_CTX_new(void) {

  109.   CMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));

  110.   if (ctx != NULL) {

  111.     CMAC_CTX_init(ctx);

  112.   }

  113.   return ctx;

  114. }

  115. 

  116. void CMAC_CTX_free(CMAC_CTX *ctx) {

  117.   if (ctx == NULL) {

  118.     return;

  119.   }

  120. 

  121.   CMAC_CTX_cleanup(ctx);

  122.   OPENSSL_free(ctx);

  123. }

  124. 

  125. /* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)

  126.  * with a hard-coded reduction polynomial and sets |out| as x times the

  127.  * input.

  128.  *

  129.  * See https://tools.ietf.org/html/rfc4493#section-2.3 */

  130. static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {

  131.   unsigned i;

  132. 

  133.   /* Shift |in| to left, including carry. */

  134.   for (i = 0; i < 15; i++) {

  135.     out[i] = (in[i] << 1) | (in[i+1] >> 7);

  136.   }

  137. 

  138.   /* If MSB set fixup with R. */

  139.   const uint8_t carry = in[0] >> 7;

  140.   out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);

  141. }

  142. 

  143. static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};

  144. 

  145. int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,

  146.               const EVP_CIPHER *cipher, ENGINE *engine) {

  147.   uint8_t scratch[AES_BLOCK_SIZE];

  148. 

  149.   if (EVP_CIPHER_block_size(cipher) != AES_BLOCK_SIZE ||

  150.       EVP_CIPHER_key_length(cipher) != key_len ||

  151.       !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||

  152.       !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||

  153.       /* Reset context again ready for first data. */

  154.       !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {

  155.     return 0;

  156.   }

  157. 

  158.   binary_field_mul_x(ctx->k1, scratch);

  159.   binary_field_mul_x(ctx->k2, ctx->k1);

  160.   ctx->block_used = 0;

  161. 

  162.   return 1;

  163. }

  164. 

  165. int CMAC_Reset(CMAC_CTX *ctx) {

  166.   ctx->block_used = 0;

  167.   return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);

  168. }

  169. 

  170. int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {

  171.   uint8_t scratch[AES_BLOCK_SIZE];

  172. 

  173.   if (ctx->block_used > 0) {

  174.     size_t todo = AES_BLOCK_SIZE - ctx->block_used;

  175.     if (in_len < todo) {

  176.       todo = in_len;

  177.     }

  178. 

  179.     memcpy(ctx->block + ctx->block_used, in, todo);

  180.     in += todo;

  181.     in_len -= todo;

  182.     ctx->block_used += todo;

  183. 

  184.     /* If |in_len| is zero then either |ctx->block_used| is less than

  185.      * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|

  186.      * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the

  187.      * latter case we don't want to process this block now because it might be

  188.      * the last block and that block is treated specially. */

  189.     if (in_len == 0) {

  190.       return 1;

  191.     }

  192. 

  193.     assert(ctx->block_used == AES_BLOCK_SIZE);

  194. 

  195.     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, AES_BLOCK_SIZE)) {

  196.       return 0;

  197.     }

  198.   }

  199. 

  200.   /* Encrypt all but one of the remaining blocks. */

  201.   while (in_len > AES_BLOCK_SIZE) {

  202.     if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {

  203.       return 0;

  204.     }

  205.     in += AES_BLOCK_SIZE;

  206.     in_len -= AES_BLOCK_SIZE;

  207.   }

  208. 

  209.   memcpy(ctx->block, in, in_len);

  210.   ctx->block_used = in_len;

  211. 

  212.   return 1;

  213. }

  214. 

  215. int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {

  216.   *out_len = AES_BLOCK_SIZE;

  217.   if (out == NULL) {

  218.     return 1;

  219.   }

  220. 

  221.   const uint8_t *mask = ctx->k1;

  222. 

  223.   if (ctx->block_used != AES_BLOCK_SIZE) {

  224.     /* If the last block is incomplete, terminate it with a single 'one' bit

  225.      * followed by zeros. */

  226.     ctx->block[ctx->block_used] = 0x80;

  227.     memset(ctx->block + ctx->block_used + 1, 0,

  228.            AES_BLOCK_SIZE - (ctx->block_used + 1));

  229. 

  230.     mask = ctx->k2;

  231.   }

  232. 

  233.   unsigned i;

  234.   for (i = 0; i < AES_BLOCK_SIZE; i++) {

  235.     out[i] = ctx->block[i] ^ mask[i];

  236.   }

  237. 

  238.   return EVP_Cipher(&ctx->cipher_ctx, out, out, AES_BLOCK_SIZE);

  239. }