LCOV - code coverage report
Current view: top level - externals/tinycrypt/lib/source - cmac_mode.c (source / functions) Coverage Total Hit
Test: lcov.info Lines: 0.0 % 77 0
Test Date: 2026-03-12 12:01:18 Functions: 0.0 % 6 0
Legend: Lines: hit not hit | Branches: + taken - not taken # not executed Branches: 0.0 % 36 0

             Branch data     Line data    Source code
       1                 :             : /* cmac_mode.c - TinyCrypt CMAC mode implementation */
       2                 :             : 
       3                 :             : /*
       4                 :             :  *  Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
       5                 :             :  *
       6                 :             :  *  Redistribution and use in source and binary forms, with or without
       7                 :             :  *  modification, are permitted provided that the following conditions are met:
       8                 :             :  *
       9                 :             :  *    - Redistributions of source code must retain the above copyright notice,
      10                 :             :  *     this list of conditions and the following disclaimer.
      11                 :             :  *
      12                 :             :  *    - Redistributions in binary form must reproduce the above copyright
      13                 :             :  *    notice, this list of conditions and the following disclaimer in the
      14                 :             :  *    documentation and/or other materials provided with the distribution.
      15                 :             :  *
      16                 :             :  *    - Neither the name of Intel Corporation nor the names of its contributors
      17                 :             :  *    may be used to endorse or promote products derived from this software
      18                 :             :  *    without specific prior written permission.
      19                 :             :  *
      20                 :             :  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
      21                 :             :  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      22                 :             :  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      23                 :             :  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
      24                 :             :  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
      25                 :             :  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
      26                 :             :  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
      27                 :             :  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
      28                 :             :  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
      29                 :             :  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
      30                 :             :  *  POSSIBILITY OF SUCH DAMAGE.
      31                 :             :  */
      32                 :             : 
      33                 :             : #include <tinycrypt/aes.h>
      34                 :             : #include <tinycrypt/cmac_mode.h>
      35                 :             : #include <tinycrypt/constants.h>
      36                 :             : #include <tinycrypt/utils.h>
      37                 :             : 
/*
 *  Maximum number of tc_cmac_update() calls allowed before the key must be
 *  changed (2^48). tc_cmac_init() loads this value into s->countdown;
 *  tc_cmac_update() decrements the counter once per call that carries data
 *  and fails once it has reached zero. The limit therefore counts calls,
 *  not message blocks.
 */
static const uint64_t MAX_CALLS = ((uint64_t)1 << 48);
      40                 :             : 
/*
 *  gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte
 *  array with byte 0 the most significant and byte 15 the least significant.
 *  High bit carry reduction is based on the primitive polynomial
 *
 *                     X^128 + X^7 + X^2 + X + 1,
 *
 *  which leads to the reduction formula X^128 = X^7 + X^2 + X + 1. Indeed,
 *  since 0 = (X^128 + X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1) and
 *  since addition of polynomials with coefficients in Z/2Z is just XOR, we
 *  can add X^128 to both sides to get
 *
 *       X^128 = (X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1)
 *
 *  and the coefficients of the polynomial on the right hand side form the
 *  string 1000 0111 = 0x87, which is the value of gf_wrap.
 *
 *  This gets used in the following way. Doubling in GF(2^128) is just a left
 *  shift by 1 bit, except when the most significant bit is 1. In the latter
 *  case, the relation X^128 = X^7 + X^2 + X + 1 says that the high order bit
 *  that overflows beyond 128 bits can be replaced by addition of
 *  X^7 + X^2 + X + 1 <--> 0x87 to the low order 128 bits. Since addition
 *  in GF(2^128) is represented by XOR, we therefore only have to XOR 0x87
 *  into the low order byte after a left shift when the starting high order
 *  bit is 1.
 *
 *  NOTE(review): this constant is not declared static, so the symbol is
 *  visible outside this translation unit -- confirm that is intended.
 */
const unsigned char gf_wrap = 0x87;
      68                 :             : 
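/*
 *  gf_double -- doubles a TC_AES_BLOCK_SIZE byte GF(2^128) value.
 *
 *  assumes: out != NULL and points to a TC_AES_BLOCK_SIZE byte buffer that
 *            receives the doubled value;
 *           in != NULL and points to a TC_AES_BLOCK_SIZE byte value to
 *            double, byte 0 being the most significant;
 *           the in and out buffers do not overlap.
 *  effects: shifts the value pointed to by "in" left by one bit, XORs
 *           gf_wrap into the low order byte when the top bit of in[0] was
 *           set, and stores the result in "out".
 *
 *  tc_cmac_setup() calls this on the encrypted zero block and on K1, so
 *  the input is key-derived material. The reduction value is therefore
 *  selected with a mask rather than a conditional, so that the source does
 *  not branch on a secret bit.
 */
void gf_double(uint8_t *out, uint8_t *in)
{
        /* start with low order byte */
        uint8_t *x = in + (TC_AES_BLOCK_SIZE - 1);

        /*
         * msb == 1 -> mask 0xFF -> carry = gf_wrap;
         * msb == 0 -> mask 0x00 -> carry = 0.
         */
        uint8_t msb_mask = (uint8_t)(0u - (unsigned int)(in[0] >> 7));
        uint8_t carry = (uint8_t)(msb_mask & gf_wrap);

        out += (TC_AES_BLOCK_SIZE - 1);
        for (;;) {
                /* shift this byte and fold in the bit carried from below */
                *out-- = (uint8_t)((*x << 1) ^ carry);
                if (x == in) {
                        break;
                }
                /* top bit of this byte becomes the low bit of the next */
                carry = (uint8_t)(*x-- >> 7);
        }
}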
      96                 :             : 
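/*
 *  tc_cmac_setup -- binds a key to a CMAC state and derives the subkeys.
 *
 *  assumes: s, key and sched are all non-NULL; sched is storage for the
 *           AES key schedule and stays valid for as long as s is used
 *           (s keeps the value in s->sched).
 *  effects: clears *s, expands key into sched, derives s->K1 and s->K2
 *           from the encryption of the all zero block, and leaves s
 *           ready for tc_cmac_update() via tc_cmac_init().
 *  returns: TC_CRYPTO_SUCCESS on success; TC_CRYPTO_FAIL if an argument is
 *           NULL or the block cipher reports a failure. On a cipher
 *           failure *s is cleared again so no partial state is left.
 */
int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched)
{

        /* input sanity check: */
        if (s == (TCCmacState_t) 0 ||
            key == (const uint8_t *) 0 ||
            sched == (TCAesKeySched_t) 0) {
                return TC_CRYPTO_FAIL;
        }

        /* put s into a known state */
        _set(s, 0, sizeof(*s));
        s->sched = sched;

        /*
         * configure the encryption key used by the underlying block cipher;
         * a failed key expansion must not be reported as a usable state
         */
        if (tc_aes128_set_encrypt_key(s->sched, key) != TC_CRYPTO_SUCCESS) {
                goto fail;
        }

        /* compute s->K1 and s->K2 from the encryption of the zero block */
        _set(s->iv, 0, TC_AES_BLOCK_SIZE);
        if (tc_aes_encrypt(s->iv, s->iv, s->sched) != TC_CRYPTO_SUCCESS) {
                goto fail;
        }
        gf_double (s->K1, s->iv);
        gf_double (s->K2, s->K1);

        /*
         * reset s->iv to 0 in case someone wants to compute now; this also
         * removes the encrypted zero block used for the derivation above
         */
        tc_cmac_init(s);

        return TC_CRYPTO_SUCCESS;

fail:
        /* do not leave half-derived key material behind */
        _set(s, 0, sizeof(*s));
        return TC_CRYPTO_FAIL;
}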
     124                 :             : 
/*
 *  tc_cmac_erase -- overwrites a CMAC state with zeros.
 *
 *  effects: sets every byte of *s to 0, which covers the subkeys, the
 *           running iv, the leftover buffer and the countdown.
 *  returns: TC_CRYPTO_FAIL if s is NULL, TC_CRYPTO_SUCCESS otherwise.
 *
 *  NOTE(review): only *s is wiped. s->sched is just the value handed to
 *  tc_cmac_setup(); presumably it points at a caller-owned AES key
 *  schedule, which this function does not clear -- confirm that callers
 *  wipe it themselves.
 *  NOTE(review): _set is defined outside this file. If it is a plain
 *  memset wrapper, a compiler may drop the wipe when *s is not read
 *  afterwards -- confirm.
 */
int tc_cmac_erase(TCCmacState_t s)
{
        if (s != (TCCmacState_t) 0) {
                /* destroy the current state */
                _set(s, 0, sizeof(*s));
                return TC_CRYPTO_SUCCESS;
        }

        return TC_CRYPTO_FAIL;
}
     136                 :             : 
/*
 *  tc_cmac_init -- prepares a keyed CMAC state for a new message.
 *
 *  effects: zeroes s->iv and s->leftover, sets s->leftover_offset to 0 and
 *           reloads s->countdown with MAX_CALLS. s->K1, s->K2 and s->sched
 *           are left as they are.
 *  returns: TC_CRYPTO_FAIL if s is NULL, TC_CRYPTO_SUCCESS otherwise.
 */
int tc_cmac_init(TCCmacState_t s)
{
        /* nothing can be initialised without a state */
        if (!s) {
                return TC_CRYPTO_FAIL;
        }

        /* allow the full number of update calls again before re-keying */
        s->countdown = MAX_CALLS;

        /* no partial block is pending */
        s->leftover_offset = 0;
        _set(s->leftover, 0, TC_AES_BLOCK_SIZE);

        /* the CBC chain of CMAC starts from an all zero vector */
        _set(s->iv, 0, TC_AES_BLOCK_SIZE);

        return TC_CRYPTO_SUCCESS;
}
     156                 :             : 
/*
 *  tc_cmac_update -- absorbs message bytes into the CMAC state.
 *
 *  effects: data is first used to top up a pending partial block; after
 *           that, whole blocks are chained into s->iv (XOR, then encrypt),
 *           and whatever remains is kept in s->leftover. The comparison
 *           with TC_AES_BLOCK_SIZE is strict, so the last block of the
 *           input always stays in s->leftover, even when it is a full
 *           block; tc_cmac_final() needs it there to pick K1 or K2.
 *  returns: TC_CRYPTO_SUCCESS when data_length is 0 (nothing is done, the
 *           countdown is not touched) or when the data was absorbed;
 *           TC_CRYPTO_FAIL if s is NULL, if data is NULL while data_length
 *           is non-zero, or if s->countdown has reached 0.
 *
 *  The countdown drops by one per call, independent of data_length.
 *  The return values of tc_aes_encrypt() are not examined here.
 */
int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
{
        unsigned int pos;

        /* argument checks, in the order callers have come to rely on */
        if (!s) {
                return TC_CRYPTO_FAIL;
        }
        if (data_length == 0) {
                return  TC_CRYPTO_SUCCESS;
        }
        if (!data) {
                return TC_CRYPTO_FAIL;
        }

        /* refuse further work once the call budget for this key is spent */
        if (s->countdown == 0) {
                return TC_CRYPTO_FAIL;
        }
        s->countdown--;

        if (s->leftover_offset > 0) {
                /* an earlier call left a partial block behind */
                size_t room = TC_AES_BLOCK_SIZE - s->leftover_offset;

                if (data_length < room) {
                        /* the block is still incomplete; just append */
                        _copy(&s->leftover[s->leftover_offset], data_length,
                              data, data_length);
                        s->leftover_offset += data_length;
                        return TC_CRYPTO_SUCCESS;
                }

                /* complete the pending block and run it through the chain */
                _copy(&s->leftover[s->leftover_offset], room, data, room);
                data += room;
                data_length -= room;
                s->leftover_offset = 0;

                for (pos = 0; pos < TC_AES_BLOCK_SIZE; ++pos) {
                        s->iv[pos] ^= s->leftover[pos];
                }
                tc_aes_encrypt(s->iv, s->iv, s->sched);
        }

        /* chain every block except the last one straight from the input */
        for (; data_length > TC_AES_BLOCK_SIZE;
             data += TC_AES_BLOCK_SIZE, data_length -= TC_AES_BLOCK_SIZE) {
                for (pos = 0; pos < TC_AES_BLOCK_SIZE; ++pos) {
                        s->iv[pos] ^= data[pos];
                }
                tc_aes_encrypt(s->iv, s->iv, s->sched);
        }

        /* keep the tail (1..TC_AES_BLOCK_SIZE bytes) for the next call */
        if (data_length > 0) {
                _copy(s->leftover, data_length, data, data_length);
                s->leftover_offset = data_length;
        }

        return TC_CRYPTO_SUCCESS;
}
     221                 :             : 
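/*
 *  tc_cmac_final -- produces the CMAC tag and erases the state.
 *
 *  assumes: tag != NULL and points to a TC_AES_BLOCK_SIZE byte buffer;
 *           s != NULL and was keyed with tc_cmac_setup().
 *  effects: selects K1 when the pending block is full, otherwise pads the
 *           pending block with TC_CMAC_PADDING followed by zeros and
 *           selects K2; XORs block and subkey into s->iv, encrypts the
 *           result into tag, and then erases *s in every case.
 *  returns: TC_CRYPTO_SUCCESS if the tag was written; TC_CRYPTO_FAIL if an
 *           argument is NULL or the final encryption reports a failure
 *           (for example when s carries no key schedule because it was
 *           already erased). On failure the contents of tag must not be
 *           used.
 *
 *  Callers that verify a received tag should compare it with the computed
 *  one in constant time.
 */
int tc_cmac_final(uint8_t *tag, TCCmacState_t s)
{
        uint8_t *k;
        unsigned int i;
        int rc;

        /* input sanity check: */
        if (tag == (uint8_t *) 0 ||
            s == (TCCmacState_t) 0) {
                return TC_CRYPTO_FAIL;
        }

        if (s->leftover_offset == TC_AES_BLOCK_SIZE) {
                /* the last message block is a full-sized block */
                k = (uint8_t *) s->K1;
        } else {
                /* the final message block is not a full-sized block */
                size_t remaining = TC_AES_BLOCK_SIZE - s->leftover_offset;

                _set(&s->leftover[s->leftover_offset], 0, remaining);
                s->leftover[s->leftover_offset] = TC_CMAC_PADDING;
                k = (uint8_t *) s->K2;
        }
        for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
                s->iv[i] ^= s->leftover[i] ^ k[i];
        }

        /*
         * keep the cipher's verdict: reporting success while tag was never
         * written would hand the caller an unset buffer as a MAC
         */
        rc = tc_aes_encrypt(tag, s->iv, s->sched);

        /* erasing state, on success and on failure alike: */
        tc_cmac_erase(s);

        return (rc == TC_CRYPTO_SUCCESS) ? TC_CRYPTO_SUCCESS : TC_CRYPTO_FAIL;
}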
        
