lib/crypto/aes_cmac_128.c

   1 /*
   2    AES-CMAC-128 (rfc 4493)
   3    Copyright (C) Stefan Metzmacher 2012
   4    Copyright (C) Jeremy Allison 2012
   5    Copyright (C) Michael Adam 2012
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "replace.h"
  22 #include "../lib/crypto/crypto.h"
  23
  24 static const uint8_t const_Zero[] = {
  25         0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
  26         0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00
  27 };
  28
  29 static const uint8_t const_Rb[] = {
  30         0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
  31         0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x87
  32 };
  33
  34 #define _MSB(x) (((x)[0] & 0x80)?1:0)
  35
  36 static inline void aes_cmac_128_left_shift_1(const uint8_t in[AES_BLOCK_SIZE],
  37                                              uint8_t out[AES_BLOCK_SIZE])
  38 {
  39         uint8_t overflow = 0;
  40         int8_t i;
  41
  42         for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
  43                 out[i] = in[i] << 1;
  44
  45                 out[i] |= overflow;
  46
  47                 overflow = _MSB(&in[i]);
  48         }
  49 }
  50
  51 static inline void aes_cmac_128_xor(const uint8_t in1[AES_BLOCK_SIZE],
  52                                     const uint8_t in2[AES_BLOCK_SIZE],
  53                                     uint8_t out[AES_BLOCK_SIZE])
  54 {
  55         uint8_t i;
  56
  57         for (i = 0; i < AES_BLOCK_SIZE; i++) {
  58                 out[i] = in1[i] ^ in2[i];
  59         }
  60 }
  61
  62 void aes_cmac_128_init(struct aes_cmac_128_context *ctx,
  63                        const uint8_t K[AES_BLOCK_SIZE])
  64 {
  65         uint8_t L[AES_BLOCK_SIZE];
  66
  67         ZERO_STRUCTP(ctx);
  68
  69         AES_set_encrypt_key(K, 128, &ctx->aes_key);
  70
  71         /* step 1 - generate subkeys k1 and k2 */
  72
  73         AES_encrypt(const_Zero, L, &ctx->aes_key);
  74
  75         if (_MSB(L) == 0) {
  76                 aes_cmac_128_left_shift_1(L, ctx->K1);
  77         } else {
  78                 uint8_t tmp_block[AES_BLOCK_SIZE];
  79
  80                 aes_cmac_128_left_shift_1(L, tmp_block);
  81                 aes_cmac_128_xor(tmp_block, const_Rb, ctx->K1);
  82                 ZERO_STRUCT(tmp_block);
  83         }
  84
  85         if (_MSB(ctx->K1) == 0) {
  86                 aes_cmac_128_left_shift_1(ctx->K1, ctx->K2);
  87         } else {
  88                 uint8_t tmp_block[AES_BLOCK_SIZE];
  89
  90                 aes_cmac_128_left_shift_1(ctx->K1, tmp_block);
  91                 aes_cmac_128_xor(tmp_block, const_Rb, ctx->K2);
  92                 ZERO_STRUCT(tmp_block);
  93         }
  94
  95         ZERO_STRUCT(L);
  96 }
  97
  98 void aes_cmac_128_update(struct aes_cmac_128_context *ctx,
  99                          const uint8_t *_msg, size_t _msg_len)
 100 {
 101         uint8_t tmp_block[AES_BLOCK_SIZE];
 102         uint8_t Y[AES_BLOCK_SIZE];
 103         const uint8_t *msg = _msg;
 104         size_t msg_len = _msg_len;
 105
 106         /*
 107          * copy the remembered last block
 108          */
 109         ZERO_STRUCT(tmp_block);
 110         if (ctx->last_len) {
 111                 memcpy(tmp_block, ctx->last, ctx->last_len);
 112         }
 113
 114         /*
 115          * check if we expand the block
 116          */
 117         if (ctx->last_len < AES_BLOCK_SIZE) {
 118                 size_t len = MIN(AES_BLOCK_SIZE - ctx->last_len, msg_len);
 119
 120                 memcpy(&tmp_block[ctx->last_len], msg, len);
 121                 memcpy(ctx->last, tmp_block, AES_BLOCK_SIZE);
 122                 msg += len;
 123                 msg_len -= len;
 124                 ctx->last_len += len;
 125         }
 126
 127         if (msg_len == 0) {
 128                 /* if it is still the last block, we are done */
 129                 ZERO_STRUCT(tmp_block);
 130                 return;
 131         }
 132
 133         /*
 134          * It is not the last block anymore
 135          */
 136         ZERO_STRUCT(ctx->last);
 137         ctx->last_len = 0;
 138
 139         /*
 140          * now checksum everything but the last block
 141          */
 142         aes_cmac_128_xor(ctx->X, tmp_block, Y);
 143         AES_encrypt(Y, ctx->X, &ctx->aes_key);
 144
 145         while (msg_len > AES_BLOCK_SIZE) {
 146                 memcpy(tmp_block, msg, AES_BLOCK_SIZE);
 147                 msg += AES_BLOCK_SIZE;
 148                 msg_len -= AES_BLOCK_SIZE;
 149
 150                 aes_cmac_128_xor(ctx->X, tmp_block, Y);
 151                 AES_encrypt(Y, ctx->X, &ctx->aes_key);
 152         }
 153
 154         /*
 155          * copy the last block, it will be processed in
 156          * aes_cmac_128_final().
 157          */
 158         memcpy(ctx->last, msg, msg_len);
 159         ctx->last_len = msg_len;
 160
 161         ZERO_STRUCT(tmp_block);
 162         ZERO_STRUCT(Y);
 163 }
 164
 165 void aes_cmac_128_final(struct aes_cmac_128_context *ctx,
 166                         uint8_t T[AES_BLOCK_SIZE])
 167 {
 168         uint8_t tmp_block[AES_BLOCK_SIZE];
 169         uint8_t Y[AES_BLOCK_SIZE];
 170
 171         if (ctx->last_len < AES_BLOCK_SIZE) {
 172                 ctx->last[ctx->last_len] = 0x80;
 173                 aes_cmac_128_xor(ctx->last, ctx->K2, tmp_block);
 174         } else {
 175                 aes_cmac_128_xor(ctx->last, ctx->K1, tmp_block);
 176         }
 177
 178         aes_cmac_128_xor(tmp_block, ctx->X, Y);
 179         AES_encrypt(Y, T, &ctx->aes_key);
 180
 181         ZERO_STRUCT(tmp_block);
 182         ZERO_STRUCT(Y);
 183         ZERO_STRUCTP(ctx);
 184 }