search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:torture: call fault_setup() to get usage backtraces
[Samba/gebeck_regimport.git] / lib / crypto / aes_cmac_128.c
blobb630eeacd4ec1770315a08ab49ef58bd3c5d8946
1 /*
2 AES-CMAC-128 (rfc 4493)
3 Copyright (C) Stefan Metzmacher 2012
4 Copyright (C) Jeremy Allison 2012
5 Copyright (C) Michael Adam 2012
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "replace.h"
22 #include "../lib/crypto/crypto.h"
23
24 static const uint8_t const_Zero[] = {
25 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
26 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
27 };
28
29 static const uint8_t const_Rb[] = {
30 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
31 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87
32 };
33
34 #define _MSB(x) (((x)[0] & 0x80)?1:0)
35
36 static inline void aes_cmac_128_left_shift_1(const uint8_t in[AES_BLOCK_SIZE],
37 uint8_t out[AES_BLOCK_SIZE])
38 {
39 uint8_t overflow = 0;
40 int8_t i;
41
42 for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
43 out[i] = in[i] << 1;
44
45 out[i] |= overflow;
46
47 overflow = _MSB(&in[i]);
48 }
49 }
50
51 static inline void aes_cmac_128_xor(const uint8_t in1[AES_BLOCK_SIZE],
52 const uint8_t in2[AES_BLOCK_SIZE],
53 uint8_t out[AES_BLOCK_SIZE])
54 {
55 uint8_t i;
56
57 for (i = 0; i < AES_BLOCK_SIZE; i++) {
58 out[i] = in1[i] ^ in2[i];
59 }
60 }
61
62 void aes_cmac_128_init(struct aes_cmac_128_context *ctx,
63 const uint8_t K[AES_BLOCK_SIZE])
64 {
65 uint8_t L[AES_BLOCK_SIZE];
66
67 ZERO_STRUCTP(ctx);
68
69 AES_set_encrypt_key(K, 128, &ctx->aes_key);
70
71 /* step 1 - generate subkeys k1 and k2 */
72
73 AES_encrypt(const_Zero, L, &ctx->aes_key);
74
75 if (_MSB(L) == 0) {
76 aes_cmac_128_left_shift_1(L, ctx->K1);
77 } else {
78 uint8_t tmp_block[AES_BLOCK_SIZE];
79
80 aes_cmac_128_left_shift_1(L, tmp_block);
81 aes_cmac_128_xor(tmp_block, const_Rb, ctx->K1);
82 ZERO_STRUCT(tmp_block);
83 }
84
85 if (_MSB(ctx->K1) == 0) {
86 aes_cmac_128_left_shift_1(ctx->K1, ctx->K2);
87 } else {
88 uint8_t tmp_block[AES_BLOCK_SIZE];
89
90 aes_cmac_128_left_shift_1(ctx->K1, tmp_block);
91 aes_cmac_128_xor(tmp_block, const_Rb, ctx->K2);
92 ZERO_STRUCT(tmp_block);
93 }
94
95 ZERO_STRUCT(L);
96 }
97
98 void aes_cmac_128_update(struct aes_cmac_128_context *ctx,
99 const uint8_t *_msg, size_t _msg_len)
100 {
101 uint8_t tmp_block[AES_BLOCK_SIZE];
102 uint8_t Y[AES_BLOCK_SIZE];
103 const uint8_t *msg = _msg;
104 size_t msg_len = _msg_len;
105
106 /*
107 * copy the remembered last block
108 */
109 ZERO_STRUCT(tmp_block);
110 if (ctx->last_len) {
111 memcpy(tmp_block, ctx->last, ctx->last_len);
112 }
113
114 /*
115 * check if we expand the block
116 */
117 if (ctx->last_len < AES_BLOCK_SIZE) {
118 size_t len = MIN(AES_BLOCK_SIZE - ctx->last_len, msg_len);
119
120 memcpy(&tmp_block[ctx->last_len], msg, len);
121 memcpy(ctx->last, tmp_block, AES_BLOCK_SIZE);
122 msg += len;
123 msg_len -= len;
124 ctx->last_len += len;
125 }
126
127 if (msg_len == 0) {
128 /* if it is still the last block, we are done */
129 ZERO_STRUCT(tmp_block);
130 return;
131 }
132
133 /*
134 * It is not the last block anymore
135 */
136 ZERO_STRUCT(ctx->last);
137 ctx->last_len = 0;
138
139 /*
140 * now checksum everything but the last block
141 */
142 aes_cmac_128_xor(ctx->X, tmp_block, Y);
143 AES_encrypt(Y, ctx->X, &ctx->aes_key);
144
145 while (msg_len > AES_BLOCK_SIZE) {
146 memcpy(tmp_block, msg, AES_BLOCK_SIZE);
147 msg += AES_BLOCK_SIZE;
148 msg_len -= AES_BLOCK_SIZE;
149
150 aes_cmac_128_xor(ctx->X, tmp_block, Y);
151 AES_encrypt(Y, ctx->X, &ctx->aes_key);
152 }
153
154 /*
155 * copy the last block, it will be processed in
156 * aes_cmac_128_final().
157 */
158 memcpy(ctx->last, msg, msg_len);
159 ctx->last_len = msg_len;
160
161 ZERO_STRUCT(tmp_block);
162 ZERO_STRUCT(Y);
163 }
164
165 void aes_cmac_128_final(struct aes_cmac_128_context *ctx,
166 uint8_t T[AES_BLOCK_SIZE])
167 {
168 uint8_t tmp_block[AES_BLOCK_SIZE];
169 uint8_t Y[AES_BLOCK_SIZE];
170
171 if (ctx->last_len < AES_BLOCK_SIZE) {
172 ctx->last[ctx->last_len] = 0x80;
173 aes_cmac_128_xor(ctx->last, ctx->K2, tmp_block);
174 } else {
175 aes_cmac_128_xor(ctx->last, ctx->K1, tmp_block);
176 }
177
178 aes_cmac_128_xor(tmp_block, ctx->X, Y);
179 AES_encrypt(Y, T, &ctx->aes_key);
180
181 ZERO_STRUCT(tmp_block);
182 ZERO_STRUCT(Y);
183 ZERO_STRUCTP(ctx);
184 }
reg import