1 /* $OpenBSD: cmac.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
58 #include <openssl/cmac.h>
61 /* Cipher context to use */
64 unsigned char k1
[EVP_MAX_BLOCK_LENGTH
];
65 unsigned char k2
[EVP_MAX_BLOCK_LENGTH
];
67 unsigned char tbl
[EVP_MAX_BLOCK_LENGTH
];
68 /* Last (possibly partial) block */
69 unsigned char last_block
[EVP_MAX_BLOCK_LENGTH
];
70 /* Number of bytes in last block: -1 means context not initialised */
75 /* Make temporary keys K1 and K2 */
78 make_kn(unsigned char *k1
, unsigned char *l
, int bl
)
82 /* Shift block to left, including carry */
83 for (i
= 0; i
< bl
; i
++) {
85 if (i
< bl
- 1 && l
[i
+ 1] & 0x80)
88 /* If MSB set fixup with R */
90 k1
[bl
- 1] ^= bl
== 16 ? 0x87 : 0x1b;
98 ctx
= malloc(sizeof(CMAC_CTX
));
101 EVP_CIPHER_CTX_init(&ctx
->cctx
);
102 ctx
->nlast_block
= -1;
107 CMAC_CTX_cleanup(CMAC_CTX
*ctx
)
109 EVP_CIPHER_CTX_cleanup(&ctx
->cctx
);
110 explicit_bzero(ctx
->tbl
, EVP_MAX_BLOCK_LENGTH
);
111 explicit_bzero(ctx
->k1
, EVP_MAX_BLOCK_LENGTH
);
112 explicit_bzero(ctx
->k2
, EVP_MAX_BLOCK_LENGTH
);
113 explicit_bzero(ctx
->last_block
, EVP_MAX_BLOCK_LENGTH
);
114 ctx
->nlast_block
= -1;
118 CMAC_CTX_get0_cipher_ctx(CMAC_CTX
*ctx
)
124 CMAC_CTX_free(CMAC_CTX
*ctx
)
129 CMAC_CTX_cleanup(ctx
);
134 CMAC_CTX_copy(CMAC_CTX
*out
, const CMAC_CTX
*in
)
138 if (in
->nlast_block
== -1)
140 if (!EVP_CIPHER_CTX_copy(&out
->cctx
, &in
->cctx
))
142 bl
= EVP_CIPHER_CTX_block_size(&in
->cctx
);
143 memcpy(out
->k1
, in
->k1
, bl
);
144 memcpy(out
->k2
, in
->k2
, bl
);
145 memcpy(out
->tbl
, in
->tbl
, bl
);
146 memcpy(out
->last_block
, in
->last_block
, bl
);
147 out
->nlast_block
= in
->nlast_block
;
152 CMAC_Init(CMAC_CTX
*ctx
, const void *key
, size_t keylen
,
153 const EVP_CIPHER
*cipher
, ENGINE
*impl
)
155 static unsigned char zero_iv
[EVP_MAX_BLOCK_LENGTH
];
157 /* All zeros means restart */
158 if (!key
&& !cipher
&& !impl
&& keylen
== 0) {
159 /* Not initialised */
160 if (ctx
->nlast_block
== -1)
162 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
164 memset(ctx
->tbl
, 0, EVP_CIPHER_CTX_block_size(&ctx
->cctx
));
165 ctx
->nlast_block
= 0;
168 /* Initialiase context */
169 if (cipher
&& !EVP_EncryptInit_ex(&ctx
->cctx
, cipher
, impl
, NULL
, NULL
))
171 /* Non-NULL key means initialisation complete */
175 if (!EVP_CIPHER_CTX_cipher(&ctx
->cctx
))
177 if (!EVP_CIPHER_CTX_set_key_length(&ctx
->cctx
, keylen
))
179 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, key
, zero_iv
))
181 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
182 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, zero_iv
, bl
))
184 make_kn(ctx
->k1
, ctx
->tbl
, bl
);
185 make_kn(ctx
->k2
, ctx
->k1
, bl
);
186 explicit_bzero(ctx
->tbl
, bl
);
187 /* Reset context again ready for first data block */
188 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
190 /* Zero tbl so resume works */
191 memset(ctx
->tbl
, 0, bl
);
192 ctx
->nlast_block
= 0;
198 CMAC_Update(CMAC_CTX
*ctx
, const void *in
, size_t dlen
)
200 const unsigned char *data
= in
;
203 if (ctx
->nlast_block
== -1)
207 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
208 /* Copy into partial block if we need to */
209 if (ctx
->nlast_block
> 0) {
212 nleft
= bl
- ctx
->nlast_block
;
215 memcpy(ctx
->last_block
+ ctx
->nlast_block
, data
, nleft
);
217 ctx
->nlast_block
+= nleft
;
218 /* If no more to process return */
222 /* Else not final block so encrypt it */
223 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, ctx
->last_block
, bl
))
226 /* Encrypt all but one of the complete blocks left */
228 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, data
, bl
))
233 /* Copy any data left to last block buffer */
234 memcpy(ctx
->last_block
, data
, dlen
);
235 ctx
->nlast_block
= dlen
;
240 CMAC_Final(CMAC_CTX
*ctx
, unsigned char *out
, size_t *poutlen
)
244 if (ctx
->nlast_block
== -1)
246 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
247 *poutlen
= (size_t)bl
;
250 lb
= ctx
->nlast_block
;
251 /* Is last block complete? */
253 for (i
= 0; i
< bl
; i
++)
254 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k1
[i
];
256 ctx
->last_block
[lb
] = 0x80;
258 memset(ctx
->last_block
+ lb
+ 1, 0, bl
- lb
- 1);
259 for (i
= 0; i
< bl
; i
++)
260 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k2
[i
];
262 if (!EVP_Cipher(&ctx
->cctx
, out
, out
, bl
)) {
263 explicit_bzero(out
, bl
);
270 CMAC_resume(CMAC_CTX
*ctx
)
272 if (ctx
->nlast_block
== -1)
274 /* The buffer "tbl" containes the last fully encrypted block
275 * which is the last IV (or all zeroes if no last encrypted block).
276 * The last block has not been modified since CMAC_final().
277 * So reinitialising using the last decrypted block will allow
278 * CMAC to continue after calling CMAC_Final().
280 return EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, ctx
->tbl
);