/* * Copyright (C) 2012 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include #include "cmac.h" #include #include #include #include typedef struct private_mac_t private_mac_t; /** * Private data of a mac_t object. * * The variable names are the same as in the RFC. */ struct private_mac_t { /** * Public interface. */ mac_t public; /** * Block size, in bytes */ uint8_t b; /** * Crypter with key K */ crypter_t *k; /** * K1 */ uint8_t *k1; /** * K2 */ uint8_t *k2; /** * T */ uint8_t *t; /** * remaining, unprocessed bytes in append mode */ uint8_t *remaining; /** * number of bytes in remaining */ int remaining_bytes; }; /** * process supplied data, but do not run final operation */ static bool update(private_mac_t *this, chunk_t data) { chunk_t iv; if (this->remaining_bytes + data.len <= this->b) { /* no complete block (or last block), just copy into remaining */ memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len); this->remaining_bytes += data.len; return TRUE; } iv = chunk_alloca(this->b); memset(iv.ptr, 0, iv.len); /* T := 0x00000000000000000000000000000000 (initially) * for each block M_i (except the last) * X := T XOR M_i; * T := AES-128(K, X); */ /* append data to remaining bytes, process block M_1 */ memcpy(this->remaining + this->remaining_bytes, data.ptr, this->b - this->remaining_bytes); data = chunk_skip(data, this->b - this->remaining_bytes); memxor(this->t, this->remaining, this->b); if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL)) { return FALSE; } /* process blocks M_2 ... M_n-1 */ while (data.len > this->b) { memcpy(this->remaining, data.ptr, this->b); data = chunk_skip(data, this->b); memxor(this->t, this->remaining, this->b); if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL)) { return FALSE; } } /* store remaining bytes of block M_n */ memcpy(this->remaining, data.ptr, data.len); this->remaining_bytes = data.len; return TRUE; } /** * process last block M_last */ static bool final(private_mac_t *this, uint8_t *out) { chunk_t iv; iv = chunk_alloca(this->b); memset(iv.ptr, 0, iv.len); /* if last block is complete * M_last := M_n XOR K1; * else * M_last := padding(M_n) XOR K2; */ if (this->remaining_bytes == this->b) { memxor(this->remaining, this->k1, this->b); } else { /* padding(x) = x || 10^i where i is 128-8*r-1 * That is, padding(x) is the concatenation of x and a single '1', * followed by the minimum number of '0's, so that the total length is * equal to 128 bits. */ if (this->remaining_bytes < this->b) { this->remaining[this->remaining_bytes] = 0x80; while (++this->remaining_bytes < this->b) { this->remaining[this->remaining_bytes] = 0x00; } } memxor(this->remaining, this->k2, this->b); } /* T := M_last XOR T; * T := AES-128(K,T); */ memxor(this->t, this->remaining, this->b); if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL)) { return FALSE; } memcpy(out, this->t, this->b); /* reset state */ memset(this->t, 0, this->b); this->remaining_bytes = 0; return TRUE; } METHOD(mac_t, get_mac, bool, private_mac_t *this, chunk_t data, uint8_t *out) { /* update T, do not process last block */ if (!update(this, data)) { return FALSE; } if (out) { /* if not in append mode, process last block and output result */ return final(this, out); } return TRUE; } METHOD(mac_t, get_mac_size, size_t, private_mac_t *this) { return this->b; } /** * Left-shift the given chunk by one bit. */ static void bit_shift(chunk_t chunk) { size_t i; for (i = 0; i < chunk.len; i++) { chunk.ptr[i] <<= 1; if (i < chunk.len - 1 && chunk.ptr[i + 1] & 0x80) { chunk.ptr[i] |= 0x01; } } } /** * Apply the following key derivation (in-place): * if MSB(C) == 0 * C := C << 1 * else * C := (C << 1) XOR 0x00000000000000000000000000000087 */ static void derive_key(chunk_t chunk) { if (chunk.ptr[0] & 0x80) { chunk_t rb; rb = chunk_alloca(chunk.len); memset(rb.ptr, 0, rb.len); rb.ptr[rb.len - 1] = 0x87; bit_shift(chunk); memxor(chunk.ptr, rb.ptr, chunk.len); } else { bit_shift(chunk); } } METHOD(mac_t, set_key, bool, private_mac_t *this, chunk_t key) { chunk_t resized, iv, l; memset(this->t, 0, this->b); this->remaining_bytes = 0; /* we support variable keys as defined in RFC 4615 */ if (key.len == this->b) { resized = key; } else { /* use cmac recursively to resize longer or shorter keys */ resized = chunk_alloca(this->b); memset(resized.ptr, 0, resized.len); if (!set_key(this, resized) || !get_mac(this, key, resized.ptr)) { return FALSE; } } /* * Rb = 0x00000000000000000000000000000087 * L = 0x00000000000000000000000000000000 encrypted with K * if MSB(L) == 0 * K1 = L << 1 * else * K1 = (L << 1) XOR Rb * if MSB(K1) == 0 * K2 = K1 << 1 * else * K2 = (K1 << 1) XOR Rb */ iv = chunk_alloca(this->b); memset(iv.ptr, 0, iv.len); l = chunk_alloca(this->b); memset(l.ptr, 0, l.len); if (!this->k->set_key(this->k, resized) || !this->k->encrypt(this->k, l, iv, NULL)) { return FALSE; } derive_key(l); memcpy(this->k1, l.ptr, l.len); derive_key(l); memcpy(this->k2, l.ptr, l.len); memwipe(l.ptr, l.len); return TRUE; } METHOD(mac_t, destroy, void, private_mac_t *this) { this->k->destroy(this->k); memwipe(this->k1, this->b); free(this->k1); memwipe(this->k2, this->b); free(this->k2); free(this->t); free(this->remaining); free(this); } /* * Described in header */ mac_t *cmac_create(encryption_algorithm_t algo, size_t key_size) { private_mac_t *this; crypter_t *crypter; uint8_t b; crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size); if (!crypter) { return NULL; } b = crypter->get_block_size(crypter); /* input and output of crypter must be equal for cmac */ if (b != key_size) { crypter->destroy(crypter); return NULL; } INIT(this, .public = { .get_mac = _get_mac, .get_mac_size = _get_mac_size, .set_key = _set_key, .destroy = _destroy, }, .b = b, .k = crypter, .k1 = malloc(b), .k2 = malloc(b), .t = malloc(b), .remaining = malloc(b), ); memset(this->t, 0, b); return &this->public; } /* * Described in header. */ prf_t *cmac_prf_create(pseudo_random_function_t algo) { mac_t *cmac; switch (algo) { case PRF_AES128_CMAC: cmac = cmac_create(ENCR_AES_CBC, 16); break; default: return NULL; } if (cmac) { return mac_prf_create(cmac); } return NULL; } /* * Described in header */ signer_t *cmac_signer_create(integrity_algorithm_t algo) { size_t truncation; mac_t *cmac; switch (algo) { case AUTH_AES_CMAC_96: cmac = cmac_create(ENCR_AES_CBC, 16); truncation = 12; break; default: return NULL; } if (cmac) { return mac_signer_create(cmac, truncation); } return NULL; }