255 lines
7.6 KiB
C
255 lines
7.6 KiB
C
/* cmac_mode.c - TinyCrypt CMAC mode implementation */
|
|
|
|
/*
|
|
* Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* - Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
*
|
|
* - Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* - Neither the name of Intel Corporation nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <tinycrypt/aes.h>
|
|
#include <tinycrypt/cmac_mode.h>
|
|
#include <tinycrypt/constants.h>
|
|
#include <tinycrypt/utils.h>
|
|
|
|
/* max number of calls until change the key (2^48).*/
|
|
static const uint64_t MAX_CALLS = ((uint64_t)1 << 48);
|
|
|
|
/*
|
|
* gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte
|
|
* array with byte 0 the most significant and byte 15 the least significant.
|
|
* High bit carry reduction is based on the primitive polynomial
|
|
*
|
|
* X^128 + X^7 + X^2 + X + 1,
|
|
*
|
|
* which leads to the reduction formula X^128 = X^7 + X^2 + X + 1. Indeed,
|
|
* since 0 = (X^128 + X^7 + X^2 + 1) mod (X^128 + X^7 + X^2 + X + 1) and since
|
|
* addition of polynomials with coefficients in Z/Z(2) is just XOR, we can
|
|
* add X^128 to both sides to get
|
|
*
|
|
* X^128 = (X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1)
|
|
*
|
|
* and the coefficients of the polynomial on the right hand side form the
|
|
* string 1000 0111 = 0x87, which is the value of gf_wrap.
|
|
*
|
|
* This gets used in the following way. Doubling in GF(2^128) is just a left
|
|
* shift by 1 bit, except when the most significant bit is 1. In the latter
|
|
* case, the relation X^128 = X^7 + X^2 + X + 1 says that the high order bit
|
|
* that overflows beyond 128 bits can be replaced by addition of
|
|
* X^7 + X^2 + X + 1 <--> 0x87 to the low order 128 bits. Since addition
|
|
* in GF(2^128) is represented by XOR, we therefore only have to XOR 0x87
|
|
* into the low order byte after a left shift when the starting high order
|
|
* bit is 1.
|
|
*/
|
|
const unsigned char gf_wrap = 0x87;
|
|
|
|
/*
|
|
* assumes: out != NULL and points to a GF(2^n) value to receive the
|
|
* doubled value;
|
|
* in != NULL and points to a 16 byte GF(2^n) value
|
|
* to double;
|
|
* the in and out buffers do not overlap.
|
|
* effects: doubles the GF(2^n) value pointed to by "in" and places
|
|
* the result in the GF(2^n) value pointed to by "out."
|
|
*/
|
|
void gf_double(uint8_t *out, uint8_t *in)
|
|
{
|
|
|
|
/* start with low order byte */
|
|
uint8_t *x = in + (TC_AES_BLOCK_SIZE - 1);
|
|
|
|
/* if msb == 1, we need to add the gf_wrap value, otherwise add 0 */
|
|
uint8_t carry = (in[0] >> 7) ? gf_wrap : 0;
|
|
|
|
out += (TC_AES_BLOCK_SIZE - 1);
|
|
for (;;) {
|
|
*out-- = (*x << 1) ^ carry;
|
|
if (x == in) {
|
|
break;
|
|
}
|
|
carry = *x-- >> 7;
|
|
}
|
|
}
|
|
|
|
int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched)
|
|
{
|
|
|
|
/* input sanity check: */
|
|
if (s == (TCCmacState_t) 0 ||
|
|
key == (const uint8_t *) 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
|
|
/* put s into a known state */
|
|
_set(s, 0, sizeof(*s));
|
|
s->sched = sched;
|
|
|
|
/* configure the encryption key used by the underlying block cipher */
|
|
tc_aes128_set_encrypt_key(s->sched, key);
|
|
|
|
/* compute s->K1 and s->K2 from s->iv using s->keyid */
|
|
_set(s->iv, 0, TC_AES_BLOCK_SIZE);
|
|
tc_aes_encrypt(s->iv, s->iv, s->sched);
|
|
gf_double (s->K1, s->iv);
|
|
gf_double (s->K2, s->K1);
|
|
|
|
/* reset s->iv to 0 in case someone wants to compute now */
|
|
tc_cmac_init(s);
|
|
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|
|
|
|
int tc_cmac_erase(TCCmacState_t s)
|
|
{
|
|
if (s == (TCCmacState_t) 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
|
|
/* destroy the current state */
|
|
_set(s, 0, sizeof(*s));
|
|
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|
|
|
|
int tc_cmac_init(TCCmacState_t s)
|
|
{
|
|
/* input sanity check: */
|
|
if (s == (TCCmacState_t) 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
|
|
/* CMAC starts with an all zero initialization vector */
|
|
_set(s->iv, 0, TC_AES_BLOCK_SIZE);
|
|
|
|
/* and the leftover buffer is empty */
|
|
_set(s->leftover, 0, TC_AES_BLOCK_SIZE);
|
|
s->leftover_offset = 0;
|
|
|
|
/* Set countdown to max number of calls allowed before re-keying: */
|
|
s->countdown = MAX_CALLS;
|
|
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|
|
|
|
int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
|
|
{
|
|
unsigned int i;
|
|
|
|
/* input sanity check: */
|
|
if (s == (TCCmacState_t) 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
if (data_length == 0) {
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|
|
if (data == (const uint8_t *) 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
|
|
if (s->countdown == 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
|
|
s->countdown--;
|
|
|
|
if (s->leftover_offset > 0) {
|
|
/* last data added to s didn't end on a TC_AES_BLOCK_SIZE byte boundary */
|
|
size_t remaining_space = TC_AES_BLOCK_SIZE - s->leftover_offset;
|
|
|
|
if (data_length < remaining_space) {
|
|
/* still not enough data to encrypt this time either */
|
|
_copy(&s->leftover[s->leftover_offset], data_length, data, data_length);
|
|
s->leftover_offset += data_length;
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|
|
/* leftover block is now full; encrypt it first */
|
|
_copy(&s->leftover[s->leftover_offset],
|
|
remaining_space,
|
|
data,
|
|
remaining_space);
|
|
data_length -= remaining_space;
|
|
data += remaining_space;
|
|
s->leftover_offset = 0;
|
|
|
|
for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
|
|
s->iv[i] ^= s->leftover[i];
|
|
}
|
|
tc_aes_encrypt(s->iv, s->iv, s->sched);
|
|
}
|
|
|
|
/* CBC encrypt each (except the last) of the data blocks */
|
|
while (data_length > TC_AES_BLOCK_SIZE) {
|
|
for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
|
|
s->iv[i] ^= data[i];
|
|
}
|
|
tc_aes_encrypt(s->iv, s->iv, s->sched);
|
|
data += TC_AES_BLOCK_SIZE;
|
|
data_length -= TC_AES_BLOCK_SIZE;
|
|
}
|
|
|
|
if (data_length > 0) {
|
|
/* save leftover data for next time */
|
|
_copy(s->leftover, data_length, data, data_length);
|
|
s->leftover_offset = data_length;
|
|
}
|
|
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|
|
|
|
int tc_cmac_final(uint8_t *tag, TCCmacState_t s)
|
|
{
|
|
uint8_t *k;
|
|
unsigned int i;
|
|
|
|
/* input sanity check: */
|
|
if (tag == (uint8_t *) 0 ||
|
|
s == (TCCmacState_t) 0) {
|
|
return TC_CRYPTO_FAIL;
|
|
}
|
|
|
|
if (s->leftover_offset == TC_AES_BLOCK_SIZE) {
|
|
/* the last message block is a full-sized block */
|
|
k = (uint8_t *) s->K1;
|
|
} else {
|
|
/* the final message block is not a full-sized block */
|
|
size_t remaining = TC_AES_BLOCK_SIZE - s->leftover_offset;
|
|
|
|
_set(&s->leftover[s->leftover_offset], 0, remaining);
|
|
s->leftover[s->leftover_offset] = TC_CMAC_PADDING;
|
|
k = (uint8_t *) s->K2;
|
|
}
|
|
for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
|
|
s->iv[i] ^= s->leftover[i] ^ k[i];
|
|
}
|
|
|
|
tc_aes_encrypt(tag, s->iv, s->sched);
|
|
|
|
/* erasing state: */
|
|
tc_cmac_erase(s);
|
|
|
|
return TC_CRYPTO_SUCCESS;
|
|
}
|