1 /* 2 * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * CMAC low level APIs are deprecated for public use, but still ok for internal 12 * use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdio.h> 17 #include <stdlib.h> 18 #include <string.h> 19 #include "internal/cryptlib.h" 20 #include <openssl/cmac.h> 21 #include <openssl/err.h> 22 23 struct CMAC_CTX_st { 24 /* Cipher context to use */ 25 EVP_CIPHER_CTX *cctx; 26 /* Keys k1 and k2 */ 27 unsigned char k1[EVP_MAX_BLOCK_LENGTH]; 28 unsigned char k2[EVP_MAX_BLOCK_LENGTH]; 29 /* Temporary block */ 30 unsigned char tbl[EVP_MAX_BLOCK_LENGTH]; 31 /* Last (possibly partial) block */ 32 unsigned char last_block[EVP_MAX_BLOCK_LENGTH]; 33 /* Number of bytes in last block: -1 means context not initialised */ 34 int nlast_block; 35 }; 36 37 /* Make temporary keys K1 and K2 */ 38 39 static void make_kn(unsigned char *k1, const unsigned char *l, int bl) 40 { 41 int i; 42 unsigned char c = l[0], carry = c >> 7, cnext; 43 44 /* Shift block to left, including carry */ 45 for (i = 0; i < bl - 1; i++, c = cnext) 46 k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7); 47 48 /* If MSB set fixup with R */ 49 k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b)); 50 } 51 52 CMAC_CTX *CMAC_CTX_new(void) 53 { 54 CMAC_CTX *ctx; 55 56 if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL) { 57 ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); 58 return NULL; 59 } 60 ctx->cctx = EVP_CIPHER_CTX_new(); 61 if (ctx->cctx == NULL) { 62 OPENSSL_free(ctx); 63 return NULL; 64 } 65 ctx->nlast_block = -1; 66 return ctx; 67 } 68 69 void CMAC_CTX_cleanup(CMAC_CTX *ctx) 70 { 71 EVP_CIPHER_CTX_reset(ctx->cctx); 72 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); 73 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); 74 OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH); 75 OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH); 76 ctx->nlast_block = -1; 77 } 78 79 EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx) 80 { 81 return ctx->cctx; 82 } 83 84 void CMAC_CTX_free(CMAC_CTX *ctx) 85 { 86 if (!ctx) 87 return; 88 CMAC_CTX_cleanup(ctx); 89 EVP_CIPHER_CTX_free(ctx->cctx); 90 OPENSSL_free(ctx); 91 } 92 93 int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in) 94 { 95 int bl; 96 97 if (in->nlast_block == -1) 98 return 0; 99 if ((bl = EVP_CIPHER_CTX_get_block_size(in->cctx)) < 0) 100 return 0; 101 if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx)) 102 return 0; 103 memcpy(out->k1, in->k1, bl); 104 memcpy(out->k2, in->k2, bl); 105 memcpy(out->tbl, in->tbl, bl); 106 memcpy(out->last_block, in->last_block, bl); 107 out->nlast_block = in->nlast_block; 108 return 1; 109 } 110 111 int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, 112 const EVP_CIPHER *cipher, ENGINE *impl) 113 { 114 static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 }; 115 116 /* All zeros means restart */ 117 if (!key && !cipher && !impl && keylen == 0) { 118 /* Not initialised */ 119 if (ctx->nlast_block == -1) 120 return 0; 121 if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv)) 122 return 0; 123 memset(ctx->tbl, 0, EVP_CIPHER_CTX_get_block_size(ctx->cctx)); 124 ctx->nlast_block = 0; 125 return 1; 126 } 127 /* Initialise context */ 128 if (cipher != NULL) { 129 /* Ensure we can't use this ctx until we also have a key */ 130 ctx->nlast_block = -1; 131 if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) 132 return 0; 133 } 134 /* Non-NULL key means initialisation complete */ 135 if (key != NULL) { 136 int bl; 137 138 /* If anything fails then ensure we can't use this ctx */ 139 ctx->nlast_block = -1; 140 if (EVP_CIPHER_CTX_get0_cipher(ctx->cctx) == NULL) 141 return 0; 142 if (EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen) <= 0) 143 return 0; 144 if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv)) 145 return 0; 146 if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0) 147 return 0; 148 if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0) 149 return 0; 150 make_kn(ctx->k1, ctx->tbl, bl); 151 make_kn(ctx->k2, ctx->k1, bl); 152 OPENSSL_cleanse(ctx->tbl, bl); 153 /* Reset context again ready for first data block */ 154 if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv)) 155 return 0; 156 /* Zero tbl so resume works */ 157 memset(ctx->tbl, 0, bl); 158 ctx->nlast_block = 0; 159 } 160 return 1; 161 } 162 163 int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) 164 { 165 const unsigned char *data = in; 166 int bl; 167 168 if (ctx->nlast_block == -1) 169 return 0; 170 if (dlen == 0) 171 return 1; 172 if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0) 173 return 0; 174 /* Copy into partial block if we need to */ 175 if (ctx->nlast_block > 0) { 176 size_t nleft; 177 178 nleft = bl - ctx->nlast_block; 179 if (dlen < nleft) 180 nleft = dlen; 181 memcpy(ctx->last_block + ctx->nlast_block, data, nleft); 182 dlen -= nleft; 183 ctx->nlast_block += nleft; 184 /* If no more to process return */ 185 if (dlen == 0) 186 return 1; 187 data += nleft; 188 /* Else not final block so encrypt it */ 189 if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0) 190 return 0; 191 } 192 /* Encrypt all but one of the complete blocks left */ 193 while (dlen > (size_t)bl) { 194 if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0) 195 return 0; 196 dlen -= bl; 197 data += bl; 198 } 199 /* Copy any data left to last block buffer */ 200 memcpy(ctx->last_block, data, dlen); 201 ctx->nlast_block = dlen; 202 return 1; 203 204 } 205 206 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) 207 { 208 int i, bl, lb; 209 210 if (ctx->nlast_block == -1) 211 return 0; 212 if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0) 213 return 0; 214 if (poutlen != NULL) 215 *poutlen = (size_t)bl; 216 if (!out) 217 return 1; 218 lb = ctx->nlast_block; 219 /* Is last block complete? */ 220 if (lb == bl) { 221 for (i = 0; i < bl; i++) 222 out[i] = ctx->last_block[i] ^ ctx->k1[i]; 223 } else { 224 ctx->last_block[lb] = 0x80; 225 if (bl - lb > 1) 226 memset(ctx->last_block + lb + 1, 0, bl - lb - 1); 227 for (i = 0; i < bl; i++) 228 out[i] = ctx->last_block[i] ^ ctx->k2[i]; 229 } 230 if (EVP_Cipher(ctx->cctx, out, out, bl) <= 0) { 231 OPENSSL_cleanse(out, bl); 232 return 0; 233 } 234 return 1; 235 } 236 237 int CMAC_resume(CMAC_CTX *ctx) 238 { 239 if (ctx->nlast_block == -1) 240 return 0; 241 /* 242 * The buffer "tbl" contains the last fully encrypted block which is the 243 * last IV (or all zeroes if no last encrypted block). The last block has 244 * not been modified since CMAC_final(). So reinitialising using the last 245 * decrypted block will allow CMAC to continue after calling 246 * CMAC_Final(). 247 */ 248 return EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl); 249 } 250