/*
* Copyright (C) 2012 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <string.h>
#include "cmac.h"
#include <utils/debug.h>
#include <crypto/mac.h>
#include <crypto/prfs/mac_prf.h>
#include <crypto/signers/mac_signer.h>
typedef struct private_mac_t private_mac_t;
/**
* Private data of a mac_t object.
*
* The variable names are the same as in the RFC.
*/
struct private_mac_t {
/**
* Public interface.
*/
mac_t public;
/**
* Block size, in bytes
*/
uint8_t b;
/**
* Crypter with key K
*/
crypter_t *k;
/**
* K1
*/
uint8_t *k1;
/**
* K2
*/
uint8_t *k2;
/**
* T
*/
uint8_t *t;
/**
* remaining, unprocessed bytes in append mode
*/
uint8_t *remaining;
/**
* number of bytes in remaining
*/
int remaining_bytes;
};
/**
* process supplied data, but do not run final operation
*/
static bool update(private_mac_t *this, chunk_t data)
{
chunk_t iv;
if (this->remaining_bytes + data.len <= this->b)
{ /* no complete block (or last block), just copy into remaining */
memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len);
this->remaining_bytes += data.len;
return TRUE;
}
iv = chunk_alloca(this->b);
memset(iv.ptr, 0, iv.len);
/* T := 0x00000000000000000000000000000000 (initially)
* for each block M_i (except the last)
* X := T XOR M_i;
* T := AES-128(K, X);
*/
/* append data to remaining bytes, process block M_1 */
memcpy(this->remaining + this->remaining_bytes, data.ptr,
this->b - this->remaining_bytes);
data = chunk_skip(data, this->b - this->remaining_bytes);
memxor(this->t, this->remaining, this->b);
if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL))
{
return FALSE;
}
/* process blocks M_2 ... M_n-1 */
while (data.len > this->b)
{
memcpy(this->remaining, data.ptr, this->b);
data = chunk_skip(data, this->b);
memxor(this->t, this->remaining, this->b);
if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL))
{
return FALSE;
}
}
/* store remaining bytes of block M_n */
memcpy(this->remaining, data.ptr, data.len);
this->remaining_bytes = data.len;
return TRUE;
}
/**
* process last block M_last
*/
static bool final(private_mac_t *this, uint8_t *out)
{
chunk_t iv;
iv = chunk_alloca(this->b);
memset(iv.ptr, 0, iv.len);
/* if last block is complete
* M_last := M_n XOR K1;
* else
* M_last := padding(M_n) XOR K2;
*/
if (this->remaining_bytes == this->b)
{
memxor(this->remaining, this->k1, this->b);
}
else
{
/* padding(x) = x || 10^i where i is 128-8*r-1
* That is, padding(x) is the concatenation of x and a single '1',
* followed by the minimum number of '0's, so that the total length is
* equal to 128 bits.
*/
if (this->remaining_bytes < this->b)
{
this->remaining[this->remaining_bytes] = 0x80;
while (++this->remaining_bytes < this->b)
{
this->remaining[this->remaining_bytes] = 0x00;
}
}
memxor(this->remaining, this->k2, this->b);
}
/* T := M_last XOR T;
* T := AES-128(K,T);
*/
memxor(this->t, this->remaining, this->b);
if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL))
{
return FALSE;
}
memcpy(out, this->t, this->b);
/* reset state */
memset(this->t, 0, this->b);
this->remaining_bytes = 0;
return TRUE;
}
METHOD(mac_t, get_mac, bool,
private_mac_t *this, chunk_t data, uint8_t *out)
{
/* update T, do not process last block */
if (!update(this, data))
{
return FALSE;
}
if (out)
{ /* if not in append mode, process last block and output result */
return final(this, out);
}
return TRUE;
}
METHOD(mac_t, get_mac_size, size_t,
private_mac_t *this)
{
return this->b;
}
/**
* Left-shift the given chunk by one bit.
*/
static void bit_shift(chunk_t chunk)
{
size_t i;
for (i = 0; i < chunk.len; i++)
{
chunk.ptr[i] <<= 1;
if (i < chunk.len - 1 && chunk.ptr[i + 1] & 0x80)
{
chunk.ptr[i] |= 0x01;
}
}
}
/**
* Apply the following key derivation (in-place):
* if MSB(C) == 0
* C := C << 1
* else
* C := (C << 1) XOR 0x00000000000000000000000000000087
*/
static void derive_key(chunk_t chunk)
{
if (chunk.ptr[0] & 0x80)
{
chunk_t rb;
rb = chunk_alloca(chunk.len);
memset(rb.ptr, 0, rb.len);
rb.ptr[rb.len - 1] = 0x87;
bit_shift(chunk);
memxor(chunk.ptr, rb.ptr, chunk.len);
}
else
{
bit_shift(chunk);
}
}
METHOD(mac_t, set_key, bool,
private_mac_t *this, chunk_t key)
{
chunk_t resized, iv, l;
memset(this->t, 0, this->b);
this->remaining_bytes = 0;
/* we support variable keys as defined in RFC 4615 */
if (key.len == this->b)
{
resized = key;
}
else
{ /* use cmac recursively to resize longer or shorter keys */
resized = chunk_alloca(this->b);
memset(resized.ptr, 0, resized.len);
if (!set_key(this, resized) ||
!get_mac(this, key, resized.ptr))
{
return FALSE;
}
}
/*
* Rb = 0x00000000000000000000000000000087
* L = 0x00000000000000000000000000000000 encrypted with K
* if MSB(L) == 0
* K1 = L << 1
* else
* K1 = (L << 1) XOR Rb
* if MSB(K1) == 0
* K2 = K1 << 1
* else
* K2 = (K1 << 1) XOR Rb
*/
iv = chunk_alloca(this->b);
memset(iv.ptr, 0, iv.len);
l = chunk_alloca(this->b);
memset(l.ptr, 0, l.len);
if (!this->k->set_key(this->k, resized) ||
!this->k->encrypt(this->k, l, iv, NULL))
{
return FALSE;
}
derive_key(l);
memcpy(this->k1, l.ptr, l.len);
derive_key(l);
memcpy(this->k2, l.ptr, l.len);
memwipe(l.ptr, l.len);
return TRUE;
}
METHOD(mac_t, destroy, void,
private_mac_t *this)
{
this->k->destroy(this->k);
memwipe(this->k1, this->b);
free(this->k1);
memwipe(this->k2, this->b);
free(this->k2);
free(this->t);
free(this->remaining);
free(this);
}
/*
* Described in header
*/
mac_t *cmac_create(encryption_algorithm_t algo, size_t key_size)
{
private_mac_t *this;
crypter_t *crypter;
uint8_t b;
crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
if (!crypter)
{
return NULL;
}
b = crypter->get_block_size(crypter);
/* input and output of crypter must be equal for cmac */
if (b != key_size)
{
crypter->destroy(crypter);
return NULL;
}
INIT(this,
.public = {
.get_mac = _get_mac,
.get_mac_size = _get_mac_size,
.set_key = _set_key,
.destroy = _destroy,
},
.b = b,
.k = crypter,
.k1 = malloc(b),
.k2 = malloc(b),
.t = malloc(b),
.remaining = malloc(b),
);
memset(this->t, 0, b);
return &this->public;
}
/*
* Described in header.
*/
prf_t *cmac_prf_create(pseudo_random_function_t algo)
{
mac_t *cmac;
switch (algo)
{
case PRF_AES128_CMAC:
cmac = cmac_create(ENCR_AES_CBC, 16);
break;
default:
return NULL;
}
if (cmac)
{
return mac_prf_create(cmac);
}
return NULL;
}
/*
* Described in header
*/
signer_t *cmac_signer_create(integrity_algorithm_t algo)
{
size_t truncation;
mac_t *cmac;
switch (algo)
{
case AUTH_AES_CMAC_96:
cmac = cmac_create(ENCR_AES_CBC, 16);
truncation = 12;
break;
default:
return NULL;
}
if (cmac)
{
return mac_signer_create(cmac, truncation);
}
return NULL;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to cmac.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / cmac