cmac.c 7.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249
  1. /*
  2. * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * CMAC low level APIs are deprecated for public use, but still ok for internal
  11. * use.
  12. */
  13. #include "internal/deprecated.h"
  14. #include <stdio.h>
  15. #include <stdlib.h>
  16. #include <string.h>
  17. #include "internal/cryptlib.h"
  18. #include <openssl/cmac.h>
  19. #include <openssl/err.h>
  20. struct CMAC_CTX_st {
  21. /* Cipher context to use */
  22. EVP_CIPHER_CTX *cctx;
  23. /* Keys k1 and k2 */
  24. unsigned char k1[EVP_MAX_BLOCK_LENGTH];
  25. unsigned char k2[EVP_MAX_BLOCK_LENGTH];
  26. /* Temporary block */
  27. unsigned char tbl[EVP_MAX_BLOCK_LENGTH];
  28. /* Last (possibly partial) block */
  29. unsigned char last_block[EVP_MAX_BLOCK_LENGTH];
  30. /* Number of bytes in last block: -1 means context not initialised */
  31. int nlast_block;
  32. };
  33. /* Make temporary keys K1 and K2 */
  34. static void make_kn(unsigned char *k1, const unsigned char *l, int bl)
  35. {
  36. int i;
  37. unsigned char c = l[0], carry = c >> 7, cnext;
  38. /* Shift block to left, including carry */
  39. for (i = 0; i < bl - 1; i++, c = cnext)
  40. k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7);
  41. /* If MSB set fixup with R */
  42. k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b));
  43. }
  44. CMAC_CTX *CMAC_CTX_new(void)
  45. {
  46. CMAC_CTX *ctx;
  47. if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL) {
  48. CRYPTOerr(CRYPTO_F_CMAC_CTX_NEW, ERR_R_MALLOC_FAILURE);
  49. return NULL;
  50. }
  51. ctx->cctx = EVP_CIPHER_CTX_new();
  52. if (ctx->cctx == NULL) {
  53. OPENSSL_free(ctx);
  54. return NULL;
  55. }
  56. ctx->nlast_block = -1;
  57. return ctx;
  58. }
  59. void CMAC_CTX_cleanup(CMAC_CTX *ctx)
  60. {
  61. EVP_CIPHER_CTX_reset(ctx->cctx);
  62. OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
  63. OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
  64. OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH);
  65. OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
  66. ctx->nlast_block = -1;
  67. }
  68. EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx)
  69. {
  70. return ctx->cctx;
  71. }
  72. void CMAC_CTX_free(CMAC_CTX *ctx)
  73. {
  74. if (!ctx)
  75. return;
  76. CMAC_CTX_cleanup(ctx);
  77. EVP_CIPHER_CTX_free(ctx->cctx);
  78. OPENSSL_free(ctx);
  79. }
  80. int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in)
  81. {
  82. int bl;
  83. if (in->nlast_block == -1)
  84. return 0;
  85. if ((bl = EVP_CIPHER_CTX_block_size(in->cctx)) < 0)
  86. return 0;
  87. if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx))
  88. return 0;
  89. memcpy(out->k1, in->k1, bl);
  90. memcpy(out->k2, in->k2, bl);
  91. memcpy(out->tbl, in->tbl, bl);
  92. memcpy(out->last_block, in->last_block, bl);
  93. out->nlast_block = in->nlast_block;
  94. return 1;
  95. }
  96. int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
  97. const EVP_CIPHER *cipher, ENGINE *impl)
  98. {
  99. static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 };
  100. /* All zeros means restart */
  101. if (!key && !cipher && !impl && keylen == 0) {
  102. /* Not initialised */
  103. if (ctx->nlast_block == -1)
  104. return 0;
  105. if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
  106. return 0;
  107. memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(ctx->cctx));
  108. ctx->nlast_block = 0;
  109. return 1;
  110. }
  111. /* Initialise context */
  112. if (cipher != NULL) {
  113. /* Ensure we can't use this ctx until we also have a key */
  114. ctx->nlast_block = -1;
  115. if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
  116. return 0;
  117. }
  118. /* Non-NULL key means initialisation complete */
  119. if (key != NULL) {
  120. int bl;
  121. /* If anything fails then ensure we can't use this ctx */
  122. ctx->nlast_block = -1;
  123. if (!EVP_CIPHER_CTX_cipher(ctx->cctx))
  124. return 0;
  125. if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen))
  126. return 0;
  127. if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv))
  128. return 0;
  129. if ((bl = EVP_CIPHER_CTX_block_size(ctx->cctx)) < 0)
  130. return 0;
  131. if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0)
  132. return 0;
  133. make_kn(ctx->k1, ctx->tbl, bl);
  134. make_kn(ctx->k2, ctx->k1, bl);
  135. OPENSSL_cleanse(ctx->tbl, bl);
  136. /* Reset context again ready for first data block */
  137. if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
  138. return 0;
  139. /* Zero tbl so resume works */
  140. memset(ctx->tbl, 0, bl);
  141. ctx->nlast_block = 0;
  142. }
  143. return 1;
  144. }
  145. int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
  146. {
  147. const unsigned char *data = in;
  148. int bl;
  149. if (ctx->nlast_block == -1)
  150. return 0;
  151. if (dlen == 0)
  152. return 1;
  153. if ((bl = EVP_CIPHER_CTX_block_size(ctx->cctx)) < 0)
  154. return 0;
  155. /* Copy into partial block if we need to */
  156. if (ctx->nlast_block > 0) {
  157. size_t nleft;
  158. nleft = bl - ctx->nlast_block;
  159. if (dlen < nleft)
  160. nleft = dlen;
  161. memcpy(ctx->last_block + ctx->nlast_block, data, nleft);
  162. dlen -= nleft;
  163. ctx->nlast_block += nleft;
  164. /* If no more to process return */
  165. if (dlen == 0)
  166. return 1;
  167. data += nleft;
  168. /* Else not final block so encrypt it */
  169. if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0)
  170. return 0;
  171. }
  172. /* Encrypt all but one of the complete blocks left */
  173. while (dlen > (size_t)bl) {
  174. if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0)
  175. return 0;
  176. dlen -= bl;
  177. data += bl;
  178. }
  179. /* Copy any data left to last block buffer */
  180. memcpy(ctx->last_block, data, dlen);
  181. ctx->nlast_block = dlen;
  182. return 1;
  183. }
  184. int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
  185. {
  186. int i, bl, lb;
  187. if (ctx->nlast_block == -1)
  188. return 0;
  189. if ((bl = EVP_CIPHER_CTX_block_size(ctx->cctx)) < 0)
  190. return 0;
  191. if (poutlen != NULL)
  192. *poutlen = (size_t)bl;
  193. if (!out)
  194. return 1;
  195. lb = ctx->nlast_block;
  196. /* Is last block complete? */
  197. if (lb == bl) {
  198. for (i = 0; i < bl; i++)
  199. out[i] = ctx->last_block[i] ^ ctx->k1[i];
  200. } else {
  201. ctx->last_block[lb] = 0x80;
  202. if (bl - lb > 1)
  203. memset(ctx->last_block + lb + 1, 0, bl - lb - 1);
  204. for (i = 0; i < bl; i++)
  205. out[i] = ctx->last_block[i] ^ ctx->k2[i];
  206. }
  207. if (!EVP_Cipher(ctx->cctx, out, out, bl)) {
  208. OPENSSL_cleanse(out, bl);
  209. return 0;
  210. }
  211. return 1;
  212. }
  213. int CMAC_resume(CMAC_CTX *ctx)
  214. {
  215. if (ctx->nlast_block == -1)
  216. return 0;
  217. /*
  218. * The buffer "tbl" contains the last fully encrypted block which is the
  219. * last IV (or all zeroes if no last encrypted block). The last block has
  220. * not been modified since CMAC_final(). So reinitialising using the last
  221. * decrypted block will allow CMAC to continue after calling
  222. * CMAC_Final().
  223. */
  224. return EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl);
  225. }