1 /* crypto/cmac/cmac.c */
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6 /* ====================================================================
7 * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
59 #include <openssl/cmac.h>
62 # include <openssl/fips.h>
66 /* Cipher context to use */
69 unsigned char k1
[EVP_MAX_BLOCK_LENGTH
];
70 unsigned char k2
[EVP_MAX_BLOCK_LENGTH
];
72 unsigned char tbl
[EVP_MAX_BLOCK_LENGTH
];
73 /* Last (possibly partial) block */
74 unsigned char last_block
[EVP_MAX_BLOCK_LENGTH
];
75 /* Number of bytes in last block: -1 means context not initialised */
79 /* Make temporary keys K1 and K2 */
81 static void make_kn(unsigned char *k1
, unsigned char *l
, int bl
)
84 /* Shift block to left, including carry */
85 for (i
= 0; i
< bl
; i
++) {
87 if (i
< bl
- 1 && l
[i
+ 1] & 0x80)
90 /* If MSB set fixup with R */
92 k1
[bl
- 1] ^= bl
== 16 ? 0x87 : 0x1b;
95 CMAC_CTX
*CMAC_CTX_new(void)
98 ctx
= OPENSSL_malloc(sizeof(CMAC_CTX
));
101 EVP_CIPHER_CTX_init(&ctx
->cctx
);
102 ctx
->nlast_block
= -1;
106 void CMAC_CTX_cleanup(CMAC_CTX
*ctx
)
109 if (FIPS_mode() && !ctx
->cctx
.engine
) {
110 FIPS_cmac_ctx_cleanup(ctx
);
114 EVP_CIPHER_CTX_cleanup(&ctx
->cctx
);
115 OPENSSL_cleanse(ctx
->tbl
, EVP_MAX_BLOCK_LENGTH
);
116 OPENSSL_cleanse(ctx
->k1
, EVP_MAX_BLOCK_LENGTH
);
117 OPENSSL_cleanse(ctx
->k2
, EVP_MAX_BLOCK_LENGTH
);
118 OPENSSL_cleanse(ctx
->last_block
, EVP_MAX_BLOCK_LENGTH
);
119 ctx
->nlast_block
= -1;
122 EVP_CIPHER_CTX
*CMAC_CTX_get0_cipher_ctx(CMAC_CTX
*ctx
)
127 void CMAC_CTX_free(CMAC_CTX
*ctx
)
131 CMAC_CTX_cleanup(ctx
);
135 int CMAC_CTX_copy(CMAC_CTX
*out
, const CMAC_CTX
*in
)
138 if (in
->nlast_block
== -1)
140 if (!EVP_CIPHER_CTX_copy(&out
->cctx
, &in
->cctx
))
142 bl
= EVP_CIPHER_CTX_block_size(&in
->cctx
);
143 memcpy(out
->k1
, in
->k1
, bl
);
144 memcpy(out
->k2
, in
->k2
, bl
);
145 memcpy(out
->tbl
, in
->tbl
, bl
);
146 memcpy(out
->last_block
, in
->last_block
, bl
);
147 out
->nlast_block
= in
->nlast_block
;
151 int CMAC_Init(CMAC_CTX
*ctx
, const void *key
, size_t keylen
,
152 const EVP_CIPHER
*cipher
, ENGINE
*impl
)
154 static unsigned char zero_iv
[EVP_MAX_BLOCK_LENGTH
];
157 /* If we have an ENGINE need to allow non FIPS */
158 if ((impl
|| ctx
->cctx
.engine
)
159 && !(ctx
->cctx
.flags
& EVP_CIPH_FLAG_NON_FIPS_ALLOW
)) {
160 EVPerr(EVP_F_CMAC_INIT
, EVP_R_DISABLED_FOR_FIPS
);
164 /* Switch to FIPS cipher implementation if possible */
165 if (cipher
!= NULL
) {
166 const EVP_CIPHER
*fcipher
;
167 fcipher
= FIPS_get_cipherbynid(EVP_CIPHER_nid(cipher
));
172 * Other algorithm blocking will be done in FIPS_cmac_init, via
175 if (!impl
&& !ctx
->cctx
.engine
)
176 return FIPS_cmac_init(ctx
, key
, keylen
, cipher
, NULL
);
179 /* All zeros means restart */
180 if (!key
&& !cipher
&& !impl
&& keylen
== 0) {
181 /* Not initialised */
182 if (ctx
->nlast_block
== -1)
184 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
186 memset(ctx
->tbl
, 0, EVP_CIPHER_CTX_block_size(&ctx
->cctx
));
187 ctx
->nlast_block
= 0;
190 /* Initialiase context */
191 if (cipher
&& !EVP_EncryptInit_ex(&ctx
->cctx
, cipher
, impl
, NULL
, NULL
))
193 /* Non-NULL key means initialisation complete */
196 if (!EVP_CIPHER_CTX_cipher(&ctx
->cctx
))
198 if (!EVP_CIPHER_CTX_set_key_length(&ctx
->cctx
, keylen
))
200 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, key
, zero_iv
))
202 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
203 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, zero_iv
, bl
))
205 make_kn(ctx
->k1
, ctx
->tbl
, bl
);
206 make_kn(ctx
->k2
, ctx
->k1
, bl
);
207 OPENSSL_cleanse(ctx
->tbl
, bl
);
208 /* Reset context again ready for first data block */
209 if (!EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, zero_iv
))
211 /* Zero tbl so resume works */
212 memset(ctx
->tbl
, 0, bl
);
213 ctx
->nlast_block
= 0;
218 int CMAC_Update(CMAC_CTX
*ctx
, const void *in
, size_t dlen
)
220 const unsigned char *data
= in
;
223 if (FIPS_mode() && !ctx
->cctx
.engine
)
224 return FIPS_cmac_update(ctx
, in
, dlen
);
226 if (ctx
->nlast_block
== -1)
230 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
231 /* Copy into partial block if we need to */
232 if (ctx
->nlast_block
> 0) {
234 nleft
= bl
- ctx
->nlast_block
;
237 memcpy(ctx
->last_block
+ ctx
->nlast_block
, data
, nleft
);
239 ctx
->nlast_block
+= nleft
;
240 /* If no more to process return */
244 /* Else not final block so encrypt it */
245 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, ctx
->last_block
, bl
))
248 /* Encrypt all but one of the complete blocks left */
250 if (!EVP_Cipher(&ctx
->cctx
, ctx
->tbl
, data
, bl
))
255 /* Copy any data left to last block buffer */
256 memcpy(ctx
->last_block
, data
, dlen
);
257 ctx
->nlast_block
= dlen
;
262 int CMAC_Final(CMAC_CTX
*ctx
, unsigned char *out
, size_t *poutlen
)
266 if (FIPS_mode() && !ctx
->cctx
.engine
)
267 return FIPS_cmac_final(ctx
, out
, poutlen
);
269 if (ctx
->nlast_block
== -1)
271 bl
= EVP_CIPHER_CTX_block_size(&ctx
->cctx
);
272 *poutlen
= (size_t)bl
;
275 lb
= ctx
->nlast_block
;
276 /* Is last block complete? */
278 for (i
= 0; i
< bl
; i
++)
279 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k1
[i
];
281 ctx
->last_block
[lb
] = 0x80;
283 memset(ctx
->last_block
+ lb
+ 1, 0, bl
- lb
- 1);
284 for (i
= 0; i
< bl
; i
++)
285 out
[i
] = ctx
->last_block
[i
] ^ ctx
->k2
[i
];
287 if (!EVP_Cipher(&ctx
->cctx
, out
, out
, bl
)) {
288 OPENSSL_cleanse(out
, bl
);
294 int CMAC_resume(CMAC_CTX
*ctx
)
296 if (ctx
->nlast_block
== -1)
299 * The buffer "tbl" containes the last fully encrypted block which is the
300 * last IV (or all zeroes if no last encrypted block). The last block has
301 * not been modified since CMAC_final(). So reinitliasing using the last
302 * decrypted block will allow CMAC to continue after calling
305 return EVP_EncryptInit_ex(&ctx
->cctx
, NULL
, NULL
, NULL
, ctx
->tbl
);