xref: /freebsd/crypto/openssl/crypto/cmac/cmac.c (revision b077aed33b7b6aefca7b17ddb250cf521f938613)
1 /*
2  * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * CMAC low level APIs are deprecated for public use, but still ok for internal
12  * use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <string.h>
19 #include "internal/cryptlib.h"
20 #include <openssl/cmac.h>
21 #include <openssl/err.h>
22 
23 struct CMAC_CTX_st {
24     /* Cipher context to use */
25     EVP_CIPHER_CTX *cctx;
26     /* Keys k1 and k2 */
27     unsigned char k1[EVP_MAX_BLOCK_LENGTH];
28     unsigned char k2[EVP_MAX_BLOCK_LENGTH];
29     /* Temporary block */
30     unsigned char tbl[EVP_MAX_BLOCK_LENGTH];
31     /* Last (possibly partial) block */
32     unsigned char last_block[EVP_MAX_BLOCK_LENGTH];
33     /* Number of bytes in last block: -1 means context not initialised */
34     int nlast_block;
35 };
36 
37 /* Make temporary keys K1 and K2 */
38 
make_kn(unsigned char * k1,const unsigned char * l,int bl)39 static void make_kn(unsigned char *k1, const unsigned char *l, int bl)
40 {
41     int i;
42     unsigned char c = l[0], carry = c >> 7, cnext;
43 
44     /* Shift block to left, including carry */
45     for (i = 0; i < bl - 1; i++, c = cnext)
46         k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7);
47 
48     /* If MSB set fixup with R */
49     k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b));
50 }
51 
CMAC_CTX_new(void)52 CMAC_CTX *CMAC_CTX_new(void)
53 {
54     CMAC_CTX *ctx;
55 
56     if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL) {
57         ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
58         return NULL;
59     }
60     ctx->cctx = EVP_CIPHER_CTX_new();
61     if (ctx->cctx == NULL) {
62         OPENSSL_free(ctx);
63         return NULL;
64     }
65     ctx->nlast_block = -1;
66     return ctx;
67 }
68 
CMAC_CTX_cleanup(CMAC_CTX * ctx)69 void CMAC_CTX_cleanup(CMAC_CTX *ctx)
70 {
71     EVP_CIPHER_CTX_reset(ctx->cctx);
72     OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
73     OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
74     OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH);
75     OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
76     ctx->nlast_block = -1;
77 }
78 
CMAC_CTX_get0_cipher_ctx(CMAC_CTX * ctx)79 EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx)
80 {
81     return ctx->cctx;
82 }
83 
CMAC_CTX_free(CMAC_CTX * ctx)84 void CMAC_CTX_free(CMAC_CTX *ctx)
85 {
86     if (!ctx)
87         return;
88     CMAC_CTX_cleanup(ctx);
89     EVP_CIPHER_CTX_free(ctx->cctx);
90     OPENSSL_free(ctx);
91 }
92 
CMAC_CTX_copy(CMAC_CTX * out,const CMAC_CTX * in)93 int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in)
94 {
95     int bl;
96 
97     if (in->nlast_block == -1)
98         return 0;
99     if ((bl = EVP_CIPHER_CTX_get_block_size(in->cctx)) < 0)
100         return 0;
101     if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx))
102         return 0;
103     memcpy(out->k1, in->k1, bl);
104     memcpy(out->k2, in->k2, bl);
105     memcpy(out->tbl, in->tbl, bl);
106     memcpy(out->last_block, in->last_block, bl);
107     out->nlast_block = in->nlast_block;
108     return 1;
109 }
110 
CMAC_Init(CMAC_CTX * ctx,const void * key,size_t keylen,const EVP_CIPHER * cipher,ENGINE * impl)111 int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
112               const EVP_CIPHER *cipher, ENGINE *impl)
113 {
114     static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 };
115 
116     /* All zeros means restart */
117     if (!key && !cipher && !impl && keylen == 0) {
118         /* Not initialised */
119         if (ctx->nlast_block == -1)
120             return 0;
121         if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
122             return 0;
123         memset(ctx->tbl, 0, EVP_CIPHER_CTX_get_block_size(ctx->cctx));
124         ctx->nlast_block = 0;
125         return 1;
126     }
127     /* Initialise context */
128     if (cipher != NULL) {
129         /* Ensure we can't use this ctx until we also have a key */
130         ctx->nlast_block = -1;
131         if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
132             return 0;
133     }
134     /* Non-NULL key means initialisation complete */
135     if (key != NULL) {
136         int bl;
137 
138         /* If anything fails then ensure we can't use this ctx */
139         ctx->nlast_block = -1;
140         if (EVP_CIPHER_CTX_get0_cipher(ctx->cctx) == NULL)
141             return 0;
142         if (EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen) <= 0)
143             return 0;
144         if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv))
145             return 0;
146         if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0)
147             return 0;
148         if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0)
149             return 0;
150         make_kn(ctx->k1, ctx->tbl, bl);
151         make_kn(ctx->k2, ctx->k1, bl);
152         OPENSSL_cleanse(ctx->tbl, bl);
153         /* Reset context again ready for first data block */
154         if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
155             return 0;
156         /* Zero tbl so resume works */
157         memset(ctx->tbl, 0, bl);
158         ctx->nlast_block = 0;
159     }
160     return 1;
161 }
162 
CMAC_Update(CMAC_CTX * ctx,const void * in,size_t dlen)163 int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
164 {
165     const unsigned char *data = in;
166     int bl;
167 
168     if (ctx->nlast_block == -1)
169         return 0;
170     if (dlen == 0)
171         return 1;
172     if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0)
173         return 0;
174     /* Copy into partial block if we need to */
175     if (ctx->nlast_block > 0) {
176         size_t nleft;
177 
178         nleft = bl - ctx->nlast_block;
179         if (dlen < nleft)
180             nleft = dlen;
181         memcpy(ctx->last_block + ctx->nlast_block, data, nleft);
182         dlen -= nleft;
183         ctx->nlast_block += nleft;
184         /* If no more to process return */
185         if (dlen == 0)
186             return 1;
187         data += nleft;
188         /* Else not final block so encrypt it */
189         if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0)
190             return 0;
191     }
192     /* Encrypt all but one of the complete blocks left */
193     while (dlen > (size_t)bl) {
194         if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0)
195             return 0;
196         dlen -= bl;
197         data += bl;
198     }
199     /* Copy any data left to last block buffer */
200     memcpy(ctx->last_block, data, dlen);
201     ctx->nlast_block = dlen;
202     return 1;
203 
204 }
205 
CMAC_Final(CMAC_CTX * ctx,unsigned char * out,size_t * poutlen)206 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
207 {
208     int i, bl, lb;
209 
210     if (ctx->nlast_block == -1)
211         return 0;
212     if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0)
213         return 0;
214     if (poutlen != NULL)
215         *poutlen = (size_t)bl;
216     if (!out)
217         return 1;
218     lb = ctx->nlast_block;
219     /* Is last block complete? */
220     if (lb == bl) {
221         for (i = 0; i < bl; i++)
222             out[i] = ctx->last_block[i] ^ ctx->k1[i];
223     } else {
224         ctx->last_block[lb] = 0x80;
225         if (bl - lb > 1)
226             memset(ctx->last_block + lb + 1, 0, bl - lb - 1);
227         for (i = 0; i < bl; i++)
228             out[i] = ctx->last_block[i] ^ ctx->k2[i];
229     }
230     if (EVP_Cipher(ctx->cctx, out, out, bl) <= 0) {
231         OPENSSL_cleanse(out, bl);
232         return 0;
233     }
234     return 1;
235 }
236 
CMAC_resume(CMAC_CTX * ctx)237 int CMAC_resume(CMAC_CTX *ctx)
238 {
239     if (ctx->nlast_block == -1)
240         return 0;
241     /*
242      * The buffer "tbl" contains the last fully encrypted block which is the
243      * last IV (or all zeroes if no last encrypted block). The last block has
244      * not been modified since CMAC_final(). So reinitialising using the last
245      * decrypted block will allow CMAC to continue after calling
246      * CMAC_Final().
247      */
248     return EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl);
249 }
250