1 /* crypto/cmac/cmac.c */
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6 /* ====================================================================
7 * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
59 #include <openssl/cmac.h>
62 # include <openssl/fips.h>
66 /* Cipher context to use */
69 unsigned char k1
[EVP_MAX_BLOCK_LENGTH
];
70 unsigned char k2
[EVP_MAX_BLOCK_LENGTH
];
72 unsigned char tbl
[EVP_MAX_BLOCK_LENGTH
];
73 /* Last (possibly partial) block */
74 unsigned char last_block
[EVP_MAX_BLOCK_LENGTH
];
75 /* Number of bytes in last block: -1 means context not initialised */
79 /* Make temporary keys K1 and K2 */
81 static void make_kn(unsigned char *k1
, unsigned char *l
, int bl
)
84 /* Shift block to left, including carry */
85 for (i
= 0; i
< bl
; i
++) {
87 if (i
< bl
- 1 && l
[i
+ 1] & 0x80)
90 /* If MSB set fixup with R */
92 k1
[bl
- 1] ^= bl
== 16 ? 0x87 : 0x1b;
95 CMAC_CTX
*CMAC_CTX_new(void)
98 ctx
= OPENSSL_malloc(sizeof(CMAC_CTX
));
101 EVP_CIPHER_CTX_init(&ctx
->cctx
);
102 ctx
->nlast_block
= -1;
106 void CMAC_CTX_cleanup(CMAC_CTX
*ctx
)
109 if (FIPS_mode() && !ctx
->cctx
.engine
) {
110 FIPS_cmac_ctx_cleanup(ctx
);
114 EVP_CIPHER_CTX_cleanup(&ctx
->cctx
);
115 OPENSSL_cleanse(ctx
->tbl
, EVP_MAX_BLOCK_LENGTH
);
116 OPENSSL_cleanse(ctx
->k1
, EVP_MAX_BLOCK_LENGTH
);
117 OPENSSL_cleanse(ctx
->k2
, EVP_MAX_BLOCK_LENGTH
);
118 OPENSSL_cleanse(ctx
->last_block
, EVP_MAX_BLOCK_LENGTH
);
119 ctx
->nlast_block
= -1;
122 EVP_CIPHER_CTX
*CMAC_CTX_get0_cipher_ctx(CMAC_CTX
*ctx
)
127 void CMAC_CTX_free(CMAC_CTX
*ctx
)
131 CMAC_CTX_cleanup(ctx
);
135 int CMAC_CTX_copy(CMAC_CTX
*out
, const CMAC_CTX
*in
)
138 if (in
->nlast_block
== -1)
140 if (!EVP_CIPHER_CTX_copy(&out
->cctx
, &in
->cctx
))
142 bl
= EVP_CIPHER_CTX_block_size(&in
->cctx
);
143 memcpy(out
->k1
, in
->k1
, bl
);
144 memcpy(out
->k2
, in
->k2
, bl
);
145 memcpy(out
->tbl
, in
->tbl
, bl
);
146 memcpy(out
->last_block
, in
->last_block
, bl
);
147 out
->nlast_block
= in
->nlast_block
;
151 int CMAC_Init(CMAC_CTX
*ctx
, const void *key
, size_t keylen
,
152 const EVP_CIPHER
*cipher
, ENGINE
*impl
)
154 static unsigned char zero_iv
[EVP_MAX_BLOCK_LENGTH
];
157 /* If we have an ENGINE need to allow non FIPS */
158 if ((impl
|| ctx
->cctx
.engine
)
159 && !(ctx
->cctx
.flags
& EVP_CIPH_FLAG_NON_FIPS_ALLOW
)) {
160 EVPerr(EVP_F_CMAC_INIT
, EVP_R_DISABLED_FOR_FIPS
);
164 * Other algorithm blocking will be done in FIPS_cmac_init, via
167 if (!impl
&& !ctx
->cctx
.engine
)
168 return FIPS_cmac_init(ctx
, key
, keylen
, cipher
, NULL
);
171 /* All zeros means restart */
172 if (!key
&& !cipher
&& !impl
&& keylen
== 0) {
173 /* Not initialised */
174 if (ctx
->nlast_block
== -1)
176 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
178 memset(ctx
->tbl
, 0, EVP_CIPHER_CTX_block_size(&ctx
->cctx
));
179 ctx
->nlast_block
= 0;
182 /* Initialiase context */
183 if (cipher
&& !EVP_EncryptInit_ex(&ctx
->cctx
, cipher
, impl
, NULL
, NULL
))
185 /* Non-NULL key means initialisation complete */
188 if (!EVP_CIPHER_CTX_cipher(&ctx
->cctx
))
190 if (!EVP_CIPHER_CTX_set_key_length(&ctx
->cctx
, keylen
))
192 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, key
, zero_iv
))
194 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
195 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, zero_iv
, bl
))
197 make_kn(ctx
->k1
, ctx
->tbl
, bl
);
198 make_kn(ctx
->k2
, ctx
->k1
, bl
);
199 OPENSSL_cleanse(ctx
->tbl
, bl
);
200 /* Reset context again ready for first data block */
201 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
203 /* Zero tbl so resume works */
204 memset(ctx
->tbl
, 0, bl
);
205 ctx
->nlast_block
= 0;
210 int CMAC_Update(CMAC_CTX
*ctx
, const void *in
, size_t dlen
)
212 const unsigned char *data
= in
;
215 if (FIPS_mode() && !ctx
->cctx
.engine
)
216 return FIPS_cmac_update(ctx
, in
, dlen
);
218 if (ctx
->nlast_block
== -1)
222 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
223 /* Copy into partial block if we need to */
224 if (ctx
->nlast_block
> 0) {
226 nleft
= bl
- ctx
->nlast_block
;
229 memcpy(ctx
->last_block
+ ctx
->nlast_block
, data
, nleft
);
231 ctx
->nlast_block
+= nleft
;
232 /* If no more to process return */
236 /* Else not final block so encrypt it */
237 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, ctx
->last_block
, bl
))
240 /* Encrypt all but one of the complete blocks left */
242 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, data
, bl
))
247 /* Copy any data left to last block buffer */
248 memcpy(ctx
->last_block
, data
, dlen
);
249 ctx
->nlast_block
= dlen
;
254 int CMAC_Final(CMAC_CTX
*ctx
, unsigned char *out
, size_t *poutlen
)
258 if (FIPS_mode() && !ctx
->cctx
.engine
)
259 return FIPS_cmac_final(ctx
, out
, poutlen
);
261 if (ctx
->nlast_block
== -1)
263 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
264 *poutlen
= (size_t)bl
;
267 lb
= ctx
->nlast_block
;
268 /* Is last block complete? */
270 for (i
= 0; i
< bl
; i
++)
271 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k1
[i
];
273 ctx
->last_block
[lb
] = 0x80;
275 memset(ctx
->last_block
+ lb
+ 1, 0, bl
- lb
- 1);
276 for (i
= 0; i
< bl
; i
++)
277 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k2
[i
];
279 if (!EVP_Cipher(&ctx
->cctx
, out
, out
, bl
)) {
280 OPENSSL_cleanse(out
, bl
);
286 int CMAC_resume(CMAC_CTX
*ctx
)
288 if (ctx
->nlast_block
== -1)
291 * The buffer "tbl" containes the last fully encrypted block which is the
292 * last IV (or all zeroes if no last encrypted block). The last block has
293 * not been modified since CMAC_final(). So reinitliasing using the last
294 * decrypted block will allow CMAC to continue after calling
297 return EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, ctx
->tbl
);