Coverage Report

Created: 2025-12-31 06:58

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/openssl33/crypto/cmac/cmac.c
Line
Count
Source
1
/*
2
 * Copyright 2010-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/*
11
 * CMAC low level APIs are deprecated for public use, but still ok for internal
12
 * use.
13
 */
14
#include "internal/deprecated.h"
15
16
#include <stdio.h>
17
#include <stdlib.h>
18
#include <string.h>
19
#include "internal/cryptlib.h"
20
#include <openssl/cmac.h>
21
#include <openssl/err.h>
22
23
660
#define LOCAL_BUF_SIZE 2048
24
struct CMAC_CTX_st {
25
    /* Cipher context to use */
26
    EVP_CIPHER_CTX *cctx;
27
    /* Keys k1 and k2 */
28
    unsigned char k1[EVP_MAX_BLOCK_LENGTH];
29
    unsigned char k2[EVP_MAX_BLOCK_LENGTH];
30
    /* Temporary block */
31
    unsigned char tbl[EVP_MAX_BLOCK_LENGTH];
32
    /* Last (possibly partial) block */
33
    unsigned char last_block[EVP_MAX_BLOCK_LENGTH];
34
    /* Number of bytes in last block: -1 means context not initialised */
35
    int nlast_block;
36
};
37
38
/* Make temporary keys K1 and K2 */
39
40
static void make_kn(unsigned char *k1, const unsigned char *l, int bl)
41
294
{
42
294
    int i;
43
294
    unsigned char c = l[0], carry = c >> 7, cnext;
44
45
    /* Shift block to left, including carry */
46
3.40k
    for (i = 0; i < bl - 1; i++, c = cnext)
47
3.11k
        k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7);
48
49
    /* If MSB set fixup with R */
50
294
    k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b));
51
294
}
52
53
CMAC_CTX *CMAC_CTX_new(void)
54
547
{
55
547
    CMAC_CTX *ctx;
56
57
547
    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL)
58
0
        return NULL;
59
547
    ctx->cctx = EVP_CIPHER_CTX_new();
60
547
    if (ctx->cctx == NULL) {
61
0
        OPENSSL_free(ctx);
62
0
        return NULL;
63
0
    }
64
547
    ctx->nlast_block = -1;
65
547
    return ctx;
66
547
}
67
68
void CMAC_CTX_cleanup(CMAC_CTX *ctx)
69
547
{
70
547
    EVP_CIPHER_CTX_reset(ctx->cctx);
71
547
    OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
72
547
    OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
73
547
    OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH);
74
547
    OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
75
547
    ctx->nlast_block = -1;
76
547
}
77
78
EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx)
79
294
{
80
294
    return ctx->cctx;
81
294
}
82
83
void CMAC_CTX_free(CMAC_CTX *ctx)
84
547
{
85
547
    if (!ctx)
86
0
        return;
87
547
    CMAC_CTX_cleanup(ctx);
88
547
    EVP_CIPHER_CTX_free(ctx->cctx);
89
547
    OPENSSL_free(ctx);
90
547
}
91
92
int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in)
93
218
{
94
218
    int bl;
95
96
218
    if (in->nlast_block == -1)
97
0
        return 0;
98
218
    if ((bl = EVP_CIPHER_CTX_get_block_size(in->cctx)) == 0)
99
0
        return 0;
100
218
    if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx))
101
0
        return 0;
102
218
    memcpy(out->k1, in->k1, bl);
103
218
    memcpy(out->k2, in->k2, bl);
104
218
    memcpy(out->tbl, in->tbl, bl);
105
218
    memcpy(out->last_block, in->last_block, bl);
106
218
    out->nlast_block = in->nlast_block;
107
218
    return 1;
108
218
}
109
110
int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
111
    const EVP_CIPHER *cipher, ENGINE *impl)
112
0
{
113
0
    static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 };
114
0
    int block_len;
115
116
    /* All zeros means restart */
117
0
    if (!key && !cipher && !impl && keylen == 0) {
118
        /* Not initialised */
119
0
        if (ctx->nlast_block == -1)
120
0
            return 0;
121
0
        if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
122
0
            return 0;
123
0
        block_len = EVP_CIPHER_CTX_get_block_size(ctx->cctx);
124
0
        if (block_len == 0)
125
0
            return 0;
126
0
        memset(ctx->tbl, 0, block_len);
127
0
        ctx->nlast_block = 0;
128
0
        return 1;
129
0
    }
130
    /* Initialise context */
131
0
    if (cipher != NULL) {
132
        /* Ensure we can't use this ctx until we also have a key */
133
0
        ctx->nlast_block = -1;
134
0
        if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
135
0
            return 0;
136
0
    }
137
    /* Non-NULL key means initialisation complete */
138
0
    if (key != NULL) {
139
0
        int bl;
140
141
        /* If anything fails then ensure we can't use this ctx */
142
0
        ctx->nlast_block = -1;
143
0
        if (EVP_CIPHER_CTX_get0_cipher(ctx->cctx) == NULL)
144
0
            return 0;
145
0
        if (EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen) <= 0)
146
0
            return 0;
147
0
        if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv))
148
0
            return 0;
149
0
        if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) < 0)
150
0
            return 0;
151
0
        if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0)
152
0
            return 0;
153
0
        make_kn(ctx->k1, ctx->tbl, bl);
154
0
        make_kn(ctx->k2, ctx->k1, bl);
155
0
        OPENSSL_cleanse(ctx->tbl, bl);
156
        /* Reset context again ready for first data block */
157
0
        if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
158
0
            return 0;
159
        /* Zero tbl so resume works */
160
0
        memset(ctx->tbl, 0, bl);
161
0
        ctx->nlast_block = 0;
162
0
    }
163
0
    return 1;
164
0
}
165
166
int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
167
814
{
168
814
    const unsigned char *data = in;
169
814
    int bl;
170
814
    size_t max_burst_blocks, cipher_blocks;
171
814
    unsigned char buf[LOCAL_BUF_SIZE];
172
173
814
    if (ctx->nlast_block == -1)
174
0
        return 0;
175
814
    if (dlen == 0)
176
22
        return 1;
177
792
    if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) == 0)
178
0
        return 0;
179
    /* Copy into partial block if we need to */
180
792
    if (ctx->nlast_block > 0) {
181
574
        size_t nleft;
182
183
574
        nleft = bl - ctx->nlast_block;
184
574
        if (dlen < nleft)
185
124
            nleft = dlen;
186
574
        memcpy(ctx->last_block + ctx->nlast_block, data, nleft);
187
574
        dlen -= nleft;
188
574
        ctx->nlast_block += nleft;
189
        /* If no more to process return */
190
574
        if (dlen == 0)
191
132
            return 1;
192
442
        data += nleft;
193
        /* Else not final block so encrypt it */
194
442
        if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0)
195
0
            return 0;
196
442
    }
197
    /* Encrypt all but one of the complete blocks left */
198
199
660
    max_burst_blocks = LOCAL_BUF_SIZE / bl;
200
660
    cipher_blocks = (dlen - 1) / bl;
201
660
    if (max_burst_blocks == 0) {
202
        /*
203
         * When block length is greater than local buffer size,
204
         * use ctx->tbl as cipher output.
205
         */
206
0
        while (dlen > (size_t)bl) {
207
0
            if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0)
208
0
                return 0;
209
0
            dlen -= bl;
210
0
            data += bl;
211
0
        }
212
660
    } else {
213
4.72k
        while (cipher_blocks > max_burst_blocks) {
214
4.06k
            if (EVP_Cipher(ctx->cctx, buf, data, max_burst_blocks * bl) <= 0)
215
0
                return 0;
216
4.06k
            dlen -= max_burst_blocks * bl;
217
4.06k
            data += max_burst_blocks * bl;
218
4.06k
            cipher_blocks -= max_burst_blocks;
219
4.06k
        }
220
660
        if (cipher_blocks > 0) {
221
366
            if (EVP_Cipher(ctx->cctx, buf, data, cipher_blocks * bl) <= 0)
222
0
                return 0;
223
366
            dlen -= cipher_blocks * bl;
224
366
            data += cipher_blocks * bl;
225
366
            memcpy(ctx->tbl, &buf[(cipher_blocks - 1) * bl], bl);
226
366
        }
227
660
    }
228
    /* Copy any data left to last block buffer */
229
660
    memcpy(ctx->last_block, data, dlen);
230
660
    ctx->nlast_block = dlen;
231
660
    return 1;
232
660
}
233
234
int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
235
218
{
236
218
    int i, bl, lb;
237
238
218
    if (ctx->nlast_block == -1)
239
0
        return 0;
240
218
    if ((bl = EVP_CIPHER_CTX_get_block_size(ctx->cctx)) == 0)
241
0
        return 0;
242
218
    if (poutlen != NULL)
243
218
        *poutlen = (size_t)bl;
244
218
    if (!out)
245
0
        return 1;
246
218
    lb = ctx->nlast_block;
247
    /* Is last block complete? */
248
218
    if (lb == bl) {
249
282
        for (i = 0; i < bl; i++)
250
256
            out[i] = ctx->last_block[i] ^ ctx->k1[i];
251
192
    } else {
252
192
        ctx->last_block[lb] = 0x80;
253
192
        if (bl - lb > 1)
254
166
            memset(ctx->last_block + lb + 1, 0, bl - lb - 1);
255
2.20k
        for (i = 0; i < bl; i++)
256
2.01k
            out[i] = ctx->last_block[i] ^ ctx->k2[i];
257
192
    }
258
218
    if (EVP_Cipher(ctx->cctx, out, out, bl) <= 0) {
259
0
        OPENSSL_cleanse(out, bl);
260
0
        return 0;
261
0
    }
262
218
    return 1;
263
218
}
264
265
int CMAC_resume(CMAC_CTX *ctx)
266
0
{
267
0
    if (ctx->nlast_block == -1)
268
0
        return 0;
269
    /*
270
     * The buffer "tbl" contains the last fully encrypted block which is the
271
     * last IV (or all zeroes if no last encrypted block). The last block has
272
     * not been modified since CMAC_final(). So reinitialising using the last
273
     * decrypted block will allow CMAC to continue after calling
274
     * CMAC_Final().
275
     */
276
0
    return EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl);
277
0
}