]>
git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/cmac/cmac.c
1 /* crypto/cmac/cmac.c */
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6 /* ====================================================================
7 * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
58 #include "internal/cryptlib.h"
59 #include <openssl/cmac.h>
62 /* Cipher context to use */
65 unsigned char k1
[EVP_MAX_BLOCK_LENGTH
];
66 unsigned char k2
[EVP_MAX_BLOCK_LENGTH
];
68 unsigned char tbl
[EVP_MAX_BLOCK_LENGTH
];
69 /* Last (possibly partial) block */
70 unsigned char last_block
[EVP_MAX_BLOCK_LENGTH
];
71 /* Number of bytes in last block: -1 means context not initialised */
75 /* Make temporary keys K1 and K2 */
77 static void make_kn(unsigned char *k1
, const unsigned char *l
, int bl
)
80 unsigned char c
= l
[0], carry
= c
>> 7, cnext
;
82 /* Shift block to left, including carry */
83 for (i
= 0; i
< bl
- 1; i
++, c
= cnext
)
84 k1
[i
] = (c
<< 1) | ((cnext
= l
[i
+ 1]) >> 7);
86 /* If MSB set fixup with R */
87 k1
[i
] = (c
<< 1) ^ ((0 - carry
) & (bl
== 16 ? 0x87 : 0x1b));
90 CMAC_CTX
*CMAC_CTX_new(void)
94 ctx
= OPENSSL_malloc(sizeof(*ctx
));
97 EVP_CIPHER_CTX_init(&ctx
->cctx
);
98 ctx
->nlast_block
= -1;
102 void CMAC_CTX_cleanup(CMAC_CTX
*ctx
)
104 EVP_CIPHER_CTX_cleanup(&ctx
->cctx
);
105 OPENSSL_cleanse(ctx
->tbl
, EVP_MAX_BLOCK_LENGTH
);
106 OPENSSL_cleanse(ctx
->k1
, EVP_MAX_BLOCK_LENGTH
);
107 OPENSSL_cleanse(ctx
->k2
, EVP_MAX_BLOCK_LENGTH
);
108 OPENSSL_cleanse(ctx
->last_block
, EVP_MAX_BLOCK_LENGTH
);
109 ctx
->nlast_block
= -1;
112 EVP_CIPHER_CTX
*CMAC_CTX_get0_cipher_ctx(CMAC_CTX
*ctx
)
117 void CMAC_CTX_free(CMAC_CTX
*ctx
)
121 CMAC_CTX_cleanup(ctx
);
125 int CMAC_CTX_copy(CMAC_CTX
*out
, const CMAC_CTX
*in
)
128 if (in
->nlast_block
== -1)
130 if (!EVP_CIPHER_CTX_copy(&out
->cctx
, &in
->cctx
))
132 bl
= M_EVP_CIPHER_CTX_block_size(&in
->cctx
);
133 memcpy(out
->k1
, in
->k1
, bl
);
134 memcpy(out
->k2
, in
->k2
, bl
);
135 memcpy(out
->tbl
, in
->tbl
, bl
);
136 memcpy(out
->last_block
, in
->last_block
, bl
);
137 out
->nlast_block
= in
->nlast_block
;
141 int CMAC_Init(CMAC_CTX
*ctx
, const void *key
, size_t keylen
,
142 const EVP_CIPHER
*cipher
, ENGINE
*impl
)
144 static const unsigned char zero_iv
[EVP_MAX_BLOCK_LENGTH
] = { 0 };
145 /* All zeros means restart */
146 if (!key
&& !cipher
&& !impl
&& keylen
== 0) {
147 /* Not initialised */
148 if (ctx
->nlast_block
== -1)
150 if (!M_EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
152 memset(ctx
->tbl
, 0, M_EVP_CIPHER_CTX_block_size(&ctx
->cctx
));
153 ctx
->nlast_block
= 0;
156 /* Initialiase context */
157 if (cipher
&& !M_EVP_EncryptInit_ex(&ctx
->cctx
, cipher
, impl
, NULL
, NULL
))
159 /* Non-NULL key means initialisation complete */
162 if (!M_EVP_CIPHER_CTX_cipher(&ctx
->cctx
))
164 if (!EVP_CIPHER_CTX_set_key_length(&ctx
->cctx
, keylen
))
166 if (!M_EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, key
, zero_iv
))
168 bl
= M_EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
169 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, zero_iv
, bl
))
171 make_kn(ctx
->k1
, ctx
->tbl
, bl
);
172 make_kn(ctx
->k2
, ctx
->k1
, bl
);
173 OPENSSL_cleanse(ctx
->tbl
, bl
);
174 /* Reset context again ready for first data block */
175 if (!M_EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
177 /* Zero tbl so resume works */
178 memset(ctx
->tbl
, 0, bl
);
179 ctx
->nlast_block
= 0;
184 int CMAC_Update(CMAC_CTX
*ctx
, const void *in
, size_t dlen
)
186 const unsigned char *data
= in
;
188 if (ctx
->nlast_block
== -1)
192 bl
= M_EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
193 /* Copy into partial block if we need to */
194 if (ctx
->nlast_block
> 0) {
196 nleft
= bl
- ctx
->nlast_block
;
199 memcpy(ctx
->last_block
+ ctx
->nlast_block
, data
, nleft
);
201 ctx
->nlast_block
+= nleft
;
202 /* If no more to process return */
206 /* Else not final block so encrypt it */
207 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, ctx
->last_block
, bl
))
210 /* Encrypt all but one of the complete blocks left */
212 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, data
, bl
))
217 /* Copy any data left to last block buffer */
218 memcpy(ctx
->last_block
, data
, dlen
);
219 ctx
->nlast_block
= dlen
;
224 int CMAC_Final(CMAC_CTX
*ctx
, unsigned char *out
, size_t *poutlen
)
227 if (ctx
->nlast_block
== -1)
229 bl
= M_EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
230 *poutlen
= (size_t)bl
;
233 lb
= ctx
->nlast_block
;
234 /* Is last block complete? */
236 for (i
= 0; i
< bl
; i
++)
237 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k1
[i
];
239 ctx
->last_block
[lb
] = 0x80;
241 memset(ctx
->last_block
+ lb
+ 1, 0, bl
- lb
- 1);
242 for (i
= 0; i
< bl
; i
++)
243 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k2
[i
];
245 if (!EVP_Cipher(&ctx
->cctx
, out
, out
, bl
)) {
246 OPENSSL_cleanse(out
, bl
);
252 int CMAC_resume(CMAC_CTX
*ctx
)
254 if (ctx
->nlast_block
== -1)
257 * The buffer "tbl" containes the last fully encrypted block which is the
258 * last IV (or all zeroes if no last encrypted block). The last block has
259 * not been modified since CMAC_final(). So reinitliasing using the last
260 * decrypted block will allow CMAC to continue after calling
263 return M_EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, ctx
->tbl
);