| Line | Count | Source (jump to first uncovered line) | 
| 1 |  | /* | 
| 2 |  |    CMAC-64, NIST SP 800-38B | 
| 3 |  |    Copyright (C) Stefan Metzmacher 2012 | 
| 4 |  |    Copyright (C) Jeremy Allison 2012 | 
| 5 |  |    Copyright (C) Michael Adam 2012 | 
| 6 |  |    Copyright (C) 2017, Red Hat Inc. | 
| 7 |  |    Copyright (C) 2019, Dmitry Eremin-Solenikov | 
| 8 |  |  | 
| 9 |  |    This file is part of GNU Nettle. | 
| 10 |  |  | 
| 11 |  |    GNU Nettle is free software: you can redistribute it and/or | 
| 12 |  |    modify it under the terms of either: | 
| 13 |  |  | 
| 14 |  |      * the GNU Lesser General Public License as published by the Free | 
| 15 |  |        Software Foundation; either version 3 of the License, or (at your | 
| 16 |  |        option) any later version. | 
| 17 |  |  | 
| 18 |  |    or | 
| 19 |  |  | 
| 20 |  |      * the GNU General Public License as published by the Free | 
| 21 |  |        Software Foundation; either version 2 of the License, or (at your | 
| 22 |  |        option) any later version. | 
| 23 |  |  | 
| 24 |  |    or both in parallel, as here. | 
| 25 |  |  | 
| 26 |  |    GNU Nettle is distributed in the hope that it will be useful, | 
| 27 |  |    but WITHOUT ANY WARRANTY; without even the implied warranty of | 
| 28 |  |    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU | 
| 29 |  |    General Public License for more details. | 
| 30 |  |  | 
| 31 |  |    You should have received copies of the GNU General Public License and | 
| 32 |  |    the GNU Lesser General Public License along with this program.  If | 
| 33 |  |    not, see http://www.gnu.org/licenses/. | 
| 34 |  | */ | 
| 35 |  |  | 
| 36 |  | #if HAVE_CONFIG_H | 
| 37 |  | # include "config.h" | 
| 38 |  | #endif | 
| 39 |  |  | 
| 40 |  | #include <assert.h> | 
| 41 |  | #include <stdlib.h> | 
| 42 |  | #include <string.h> | 
| 43 |  |  | 
| 44 |  | #include "cmac.h" | 
| 45 |  |  | 
| 46 |  | #include "nettle-internal.h" | 
| 47 |  | #include "block-internal.h" | 
| 48 |  | #include "macros.h" | 
| 49 |  |  | 
| 50 |  | void | 
| 51 |  | cmac64_set_key(struct cmac64_key *key, const void *cipher, | 
| 52 |  |          nettle_cipher_func *encrypt) | 
| 53 | 0 | { | 
| 54 | 0 |   static const union nettle_block8 zero_block; | 
| 55 | 0 |   union nettle_block8 L; | 
| 56 |  |  | 
| 57 |  |   /* step 1 - generate subkeys k1 and k2 */ | 
| 58 | 0 |   encrypt(cipher, 8, L.b, zero_block.b); | 
| 59 |  | 
 | 
| 60 | 0 |   block8_mulx_be(&key->K1, &L); | 
| 61 | 0 |   block8_mulx_be(&key->K2, &key->K1); | 
| 62 | 0 | } | 
| 63 |  |  | 
| 64 |  | void | 
| 65 |  | cmac64_init(struct cmac64_ctx *ctx) | 
| 66 | 0 | { | 
| 67 | 0 |   memset(&ctx->X, 0, sizeof(ctx->X)); | 
| 68 | 0 |   ctx->index = 0; | 
| 69 | 0 | } | 
| 70 |  |  | 
| 71 | 0 | #define MIN(x,y) ((x)<(y)?(x):(y)) | 
| 72 |  |  | 
| 73 |  | void | 
| 74 |  | cmac64_update(struct cmac64_ctx *ctx, const void *cipher, | 
| 75 |  |         nettle_cipher_func *encrypt, | 
| 76 |  |         size_t msg_len, const uint8_t *msg) | 
| 77 | 0 | { | 
| 78 | 0 |   union nettle_block8 Y; | 
| 79 |  |   /* | 
| 80 |  |    * check if we expand the block | 
| 81 |  |    */ | 
| 82 | 0 |   if (ctx->index < 8) | 
| 83 | 0 |     { | 
| 84 | 0 |       size_t len = MIN(8 - ctx->index, msg_len); | 
| 85 | 0 |       memcpy(&ctx->block.b[ctx->index], msg, len); | 
| 86 | 0 |       msg += len; | 
| 87 | 0 |       msg_len -= len; | 
| 88 | 0 |       ctx->index += len; | 
| 89 | 0 |     } | 
| 90 |  | 
 | 
| 91 | 0 |   if (msg_len == 0) { | 
| 92 |  |     /* if it is still the last block, we are done */ | 
| 93 | 0 |     return; | 
| 94 | 0 |   } | 
| 95 |  |  | 
| 96 |  |   /* | 
| 97 |  |    * now checksum everything but the last block | 
| 98 |  |    */ | 
| 99 | 0 |   block8_xor3(&Y, &ctx->X, &ctx->block); | 
| 100 | 0 |   encrypt(cipher, 8, ctx->X.b, Y.b); | 
| 101 |  | 
 | 
| 102 | 0 |   while (msg_len > 8) | 
| 103 | 0 |     { | 
| 104 | 0 |       block8_xor_bytes(&Y, &ctx->X, msg); | 
| 105 | 0 |       encrypt(cipher, 8, ctx->X.b, Y.b); | 
| 106 | 0 |       msg += 8; | 
| 107 | 0 |       msg_len -= 8; | 
| 108 | 0 |     } | 
| 109 |  |  | 
| 110 |  |   /* | 
| 111 |  |    * copy the last block, it will be processed in | 
| 112 |  |    * cmac64_digest(). | 
| 113 |  |    */ | 
| 114 | 0 |   memcpy(ctx->block.b, msg, msg_len); | 
| 115 | 0 |   ctx->index = msg_len; | 
| 116 | 0 | } | 
| 117 |  |  | 
| 118 |  | void | 
| 119 |  | cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key, | 
| 120 |  |         const void *cipher, nettle_cipher_func *encrypt, | 
| 121 |  |         unsigned length, uint8_t *dst) | 
| 122 | 0 | { | 
| 123 | 0 |   union nettle_block8 Y; | 
| 124 |  | 
 | 
| 125 | 0 |   memset(ctx->block.b+ctx->index, 0, sizeof(ctx->block.b)-ctx->index); | 
| 126 |  |  | 
| 127 |  |   /* re-use ctx->block for memxor output */ | 
| 128 | 0 |   if (ctx->index < 8) | 
| 129 | 0 |     { | 
| 130 | 0 |       ctx->block.b[ctx->index] = 0x80; | 
| 131 | 0 |       block8_xor(&ctx->block, &key->K2); | 
| 132 | 0 |     } | 
| 133 | 0 |   else | 
| 134 | 0 |     { | 
| 135 | 0 |       block8_xor(&ctx->block, &key->K1); | 
| 136 | 0 |     } | 
| 137 |  | 
 | 
| 138 | 0 |   block8_xor3(&Y, &ctx->block, &ctx->X); | 
| 139 |  | 
 | 
| 140 | 0 |   assert(length <= 8); | 
| 141 | 0 |   if (length == 8) | 
| 142 | 0 |     { | 
| 143 | 0 |       encrypt(cipher, 8, dst, Y.b); | 
| 144 | 0 |     } | 
| 145 | 0 |   else | 
| 146 | 0 |     { | 
| 147 | 0 |       encrypt(cipher, 8, ctx->block.b, Y.b); | 
| 148 | 0 |       memcpy(dst, ctx->block.b, length); | 
| 149 | 0 |     } | 
| 150 |  |  | 
| 151 |  |   /* reset state for re-use */ | 
| 152 | 0 |   memset(&ctx->X, 0, sizeof(ctx->X)); | 
| 153 | 0 |   ctx->index = 0; | 
| 154 | 0 | } |