1 /* 2 * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include "internal/cryptlib.h" 14 #include <openssl/cmac.h> 15 #include <openssl/err.h> 16 17 struct CMAC_CTX_st { 18 /* Cipher context to use */ 19 EVP_CIPHER_CTX *cctx; 20 /* Keys k1 and k2 */ 21 unsigned char k1[EVP_MAX_BLOCK_LENGTH]; 22 unsigned char k2[EVP_MAX_BLOCK_LENGTH]; 23 /* Temporary block */ 24 unsigned char tbl[EVP_MAX_BLOCK_LENGTH]; 25 /* Last (possibly partial) block */ 26 unsigned char last_block[EVP_MAX_BLOCK_LENGTH]; 27 /* Number of bytes in last block: -1 means context not initialised */ 28 int nlast_block; 29 }; 30 31 /* Make temporary keys K1 and K2 */ 32 33 static void make_kn(unsigned char *k1, const unsigned char *l, int bl) 34 { 35 int i; 36 unsigned char c = l[0], carry = c >> 7, cnext; 37 38 /* Shift block to left, including carry */ 39 for (i = 0; i < bl - 1; i++, c = cnext) 40 k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7); 41 42 /* If MSB set fixup with R */ 43 k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b)); 44 } 45 46 CMAC_CTX *CMAC_CTX_new(void) 47 { 48 CMAC_CTX *ctx; 49 50 if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL) { 51 CRYPTOerr(CRYPTO_F_CMAC_CTX_NEW, ERR_R_MALLOC_FAILURE); 52 return NULL; 53 } 54 ctx->cctx = EVP_CIPHER_CTX_new(); 55 if (ctx->cctx == NULL) { 56 OPENSSL_free(ctx); 57 return NULL; 58 } 59 ctx->nlast_block = -1; 60 return ctx; 61 } 62 63 void CMAC_CTX_cleanup(CMAC_CTX *ctx) 64 { 65 EVP_CIPHER_CTX_reset(ctx->cctx); 66 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); 67 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); 68 OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH); 69 OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH); 70 ctx->nlast_block = -1; 71 } 72 73 EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx) 74 { 75 return ctx->cctx; 76 } 77 78 void CMAC_CTX_free(CMAC_CTX *ctx) 79 { 80 if (!ctx) 81 return; 82 CMAC_CTX_cleanup(ctx); 83 EVP_CIPHER_CTX_free(ctx->cctx); 84 OPENSSL_free(ctx); 85 } 86 87 int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in) 88 { 89 int bl; 90 if (in->nlast_block == -1) 91 return 0; 92 if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx)) 93 return 0; 94 bl = EVP_CIPHER_CTX_block_size(in->cctx); 95 memcpy(out->k1, in->k1, bl); 96 memcpy(out->k2, in->k2, bl); 97 memcpy(out->tbl, in->tbl, bl); 98 memcpy(out->last_block, in->last_block, bl); 99 out->nlast_block = in->nlast_block; 100 return 1; 101 } 102 103 int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, 104 const EVP_CIPHER *cipher, ENGINE *impl) 105 { 106 static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 }; 107 /* All zeros means restart */ 108 if (!key && !cipher && !impl && keylen == 0) { 109 /* Not initialised */ 110 if (ctx->nlast_block == -1) 111 return 0; 112 if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv)) 113 return 0; 114 memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(ctx->cctx)); 115 ctx->nlast_block = 0; 116 return 1; 117 } 118 /* Initialise context */ 119 if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) 120 return 0; 121 /* Non-NULL key means initialisation complete */ 122 if (key) { 123 int bl; 124 if (!EVP_CIPHER_CTX_cipher(ctx->cctx)) 125 return 0; 126 if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen)) 127 return 0; 128 if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv)) 129 return 0; 130 bl = EVP_CIPHER_CTX_block_size(ctx->cctx); 131 if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl)) 132 return 0; 133 make_kn(ctx->k1, ctx->tbl, bl); 134 make_kn(ctx->k2, ctx->k1, bl); 135 OPENSSL_cleanse(ctx->tbl, bl); 136 /* Reset context again ready for first data block */ 137 if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv)) 138 return 0; 139 /* Zero tbl so resume works */ 140 memset(ctx->tbl, 0, bl); 141 ctx->nlast_block = 0; 142 } 143 return 1; 144 } 145 146 int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) 147 { 148 const unsigned char *data = in; 149 size_t bl; 150 if (ctx->nlast_block == -1) 151 return 0; 152 if (dlen == 0) 153 return 1; 154 bl = EVP_CIPHER_CTX_block_size(ctx->cctx); 155 /* Copy into partial block if we need to */ 156 if (ctx->nlast_block > 0) { 157 size_t nleft; 158 nleft = bl - ctx->nlast_block; 159 if (dlen < nleft) 160 nleft = dlen; 161 memcpy(ctx->last_block + ctx->nlast_block, data, nleft); 162 dlen -= nleft; 163 ctx->nlast_block += nleft; 164 /* If no more to process return */ 165 if (dlen == 0) 166 return 1; 167 data += nleft; 168 /* Else not final block so encrypt it */ 169 if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl)) 170 return 0; 171 } 172 /* Encrypt all but one of the complete blocks left */ 173 while (dlen > bl) { 174 if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl)) 175 return 0; 176 dlen -= bl; 177 data += bl; 178 } 179 /* Copy any data left to last block buffer */ 180 memcpy(ctx->last_block, data, dlen); 181 ctx->nlast_block = dlen; 182 return 1; 183 184 } 185 186 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) 187 { 188 int i, bl, lb; 189 if (ctx->nlast_block == -1) 190 return 0; 191 bl = EVP_CIPHER_CTX_block_size(ctx->cctx); 192 *poutlen = (size_t)bl; 193 if (!out) 194 return 1; 195 lb = ctx->nlast_block; 196 /* Is last block complete? */ 197 if (lb == bl) { 198 for (i = 0; i < bl; i++) 199 out[i] = ctx->last_block[i] ^ ctx->k1[i]; 200 } else { 201 ctx->last_block[lb] = 0x80; 202 if (bl - lb > 1) 203 memset(ctx->last_block + lb + 1, 0, bl - lb - 1); 204 for (i = 0; i < bl; i++) 205 out[i] = ctx->last_block[i] ^ ctx->k2[i]; 206 } 207 if (!EVP_Cipher(ctx->cctx, out, out, bl)) { 208 OPENSSL_cleanse(out, bl); 209 return 0; 210 } 211 return 1; 212 } 213 214 int CMAC_resume(CMAC_CTX *ctx) 215 { 216 if (ctx->nlast_block == -1) 217 return 0; 218 /* 219 * The buffer "tbl" contains the last fully encrypted block which is the 220 * last IV (or all zeroes if no last encrypted block). The last block has 221 * not been modified since CMAC_final(). So reinitialising using the last 222 * decrypted block will allow CMAC to continue after calling 223 * CMAC_Final(). 224 */ 225 return EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl); 226 } 227