Coverage Report

Created: 2022-08-24 06:28

/src/wolfssl-normal-math/wolfcrypt/src/cmac.c
Line
Count
Source (jump to first uncovered line)
1
/* cmac.c
2
 *
3
 * Copyright (C) 2006-2022 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 2 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
23
#ifdef HAVE_CONFIG_H
24
    #include <config.h>
25
#endif
26
27
#include <wolfssl/wolfcrypt/settings.h>
28
#ifdef WOLFSSL_QNX_CAAM
29
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
30
#endif
31
#if defined(WOLFSSL_HASH_KEEP)
32
#include <wolfssl/wolfcrypt/hash.h>
33
#endif
34
35
#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
36
37
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
38
    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
39
    #define FIPS_NO_WRAPPERS
40
41
    #ifdef USE_WINDOWS_API
42
        #pragma code_seg(".fipsA$n")
43
        #pragma const_seg(".fipsB$n")
44
    #endif
45
#endif
46
47
#ifdef NO_INLINE
48
    #include <wolfssl/wolfcrypt/misc.h>
49
#else
50
    #define WOLFSSL_MISC_INCLUDED
51
    #include <wolfcrypt/src/misc.c>
52
#endif
53
54
#include <wolfssl/wolfcrypt/error-crypt.h>
55
#include <wolfssl/wolfcrypt/aes.h>
56
#include <wolfssl/wolfcrypt/cmac.h>
57
58
#ifdef WOLF_CRYPTO_CB
59
    #include <wolfssl/wolfcrypt/cryptocb.h>
60
#endif
61
62
#ifdef WOLFSSL_HASH_KEEP
63
/* Some hardware have issues with update, this function stores the data to be
64
 * hashed into an array. Once ready, the Final operation is called on all of the
65
 * data to be hashed at once.
66
 * returns 0 on success
67
 */
68
int wc_CMAC_Grow(Cmac* cmac, const byte* in, int inSz)
69
{
70
    return _wc_Hash_Grow(&cmac->msg, &cmac->used, &cmac->len, in, inSz, NULL);
71
}
72
#endif /* WOLFSSL_HASH_KEEP */
73
74
75
/* Used by AES-SIV. See aes.c. */
76
void ShiftAndXorRb(byte* out, byte* in)
77
0
{
78
0
    int i, j, xorRb;
79
0
    int mask = 0, last = 0;
80
0
    byte Rb = 0x87;
81
82
0
    xorRb = (in[0] & 0x80) != 0;
83
84
0
    for (i = 1, j = AES_BLOCK_SIZE - 1; i <= AES_BLOCK_SIZE; i++, j--) {
85
0
        last = (in[j] & 0x80) ? 1 : 0;
86
0
        out[j] = (byte)((in[j] << 1) | mask);
87
0
        mask = last;
88
0
        if (xorRb) {
89
0
            out[j] ^= Rb;
90
0
            Rb = 0;
91
0
        }
92
0
    }
93
0
}
94
95
/* returns 0 on success */
96
int wc_InitCmac_ex(Cmac* cmac, const byte* key, word32 keySz,
97
                int type, void* unused, void* heap, int devId)
98
0
{
99
0
    int ret;
100
101
0
    (void)unused;
102
0
    (void)heap;
103
104
0
    if (cmac == NULL || type != WC_CMAC_AES) {
105
0
        return BAD_FUNC_ARG;
106
0
    }
107
108
0
    XMEMSET(cmac, 0, sizeof(Cmac));
109
110
0
#ifdef WOLF_CRYPTO_CB
111
0
    if (devId != INVALID_DEVID) {
112
0
        cmac->devId = devId;
113
0
        cmac->devCtx = NULL;
114
115
0
        ret = wc_CryptoCb_Cmac(cmac, key, keySz, NULL, 0, NULL, NULL,
116
0
                type, unused);
117
0
        if (ret != CRYPTOCB_UNAVAILABLE)
118
0
            return ret;
119
        /* fall-through when unavailable */
120
0
    }
121
#else
122
    (void)devId;
123
#endif
124
125
0
    if (key == NULL || keySz == 0) {
126
0
        return BAD_FUNC_ARG;
127
0
    }
128
129
0
    ret = wc_AesSetKey(&cmac->aes, key, keySz, NULL, AES_ENCRYPTION);
130
0
    if (ret == 0) {
131
0
        byte l[AES_BLOCK_SIZE];
132
133
0
        XMEMSET(l, 0, AES_BLOCK_SIZE);
134
0
        ret = wc_AesEncryptDirect(&cmac->aes, l, l);
135
0
        if (ret == 0) {
136
0
            ShiftAndXorRb(cmac->k1, l);
137
0
            ShiftAndXorRb(cmac->k2, cmac->k1);
138
0
            ForceZero(l, AES_BLOCK_SIZE);
139
0
        }
140
0
    }
141
0
    return ret;
142
0
}
143
144
145
int wc_InitCmac(Cmac* cmac, const byte* key, word32 keySz,
146
                int type, void* unused)
147
0
{
148
#ifdef WOLFSSL_QNX_CAAM
149
    int devId = WOLFSSL_CAAM_DEVID;
150
#else
151
0
    int devId = INVALID_DEVID;
152
0
#endif
153
0
    return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, devId);
154
0
}
155
156
157
158
int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz)
159
0
{
160
0
    int ret = 0;
161
162
0
    if ((cmac == NULL) || (in == NULL && inSz != 0)) {
163
0
        return BAD_FUNC_ARG;
164
0
    }
165
166
0
#ifdef WOLF_CRYPTO_CB
167
0
    if (cmac->devId != INVALID_DEVID) {
168
0
        ret = wc_CryptoCb_Cmac(cmac, NULL, 0, in, inSz,
169
0
                NULL, NULL, 0, NULL);
170
0
        if (ret != CRYPTOCB_UNAVAILABLE)
171
0
            return ret;
172
        /* fall-through when unavailable */
173
0
        ret = 0; /* reset error code */
174
0
    }
175
0
#endif
176
177
0
    while (inSz != 0) {
178
0
        word32 add = min(inSz, AES_BLOCK_SIZE - cmac->bufferSz);
179
0
        XMEMCPY(&cmac->buffer[cmac->bufferSz], in, add);
180
181
0
        cmac->bufferSz += add;
182
0
        in += add;
183
0
        inSz -= add;
184
185
0
        if (cmac->bufferSz == AES_BLOCK_SIZE && inSz != 0) {
186
0
            if (cmac->totalSz != 0) {
187
0
                xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
188
0
            }
189
0
            ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
190
0
            if (ret == 0) {
191
0
                cmac->totalSz += AES_BLOCK_SIZE;
192
0
                cmac->bufferSz = 0;
193
0
            }
194
0
        }
195
0
    }
196
197
0
    return ret;
198
0
}
199
200
201
int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
202
0
{
203
0
    int ret;
204
0
    const byte* subKey;
205
206
0
    if (cmac == NULL || out == NULL || outSz == NULL) {
207
0
        return BAD_FUNC_ARG;
208
0
    }
209
0
    if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ) {
210
0
        return BUFFER_E;
211
0
    }
212
213
0
#ifdef WOLF_CRYPTO_CB
214
0
    if (cmac->devId != INVALID_DEVID) {
215
0
        ret = wc_CryptoCb_Cmac(cmac, NULL, 0, NULL, 0, out, outSz, 0, NULL);
216
0
        if (ret != CRYPTOCB_UNAVAILABLE)
217
0
            return ret;
218
        /* fall-through when unavailable */
219
0
    }
220
0
#endif
221
222
0
    if (cmac->bufferSz == AES_BLOCK_SIZE) {
223
0
        subKey = cmac->k1;
224
0
    }
225
0
    else {
226
0
        word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz;
227
228
0
        if (remainder == 0) {
229
0
            remainder = AES_BLOCK_SIZE;
230
0
        }
231
0
        if (remainder > 1) {
232
0
            XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder);
233
0
        }
234
0
        cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80;
235
0
        subKey = cmac->k2;
236
0
    }
237
0
    xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
238
0
    xorbuf(cmac->buffer, subKey, AES_BLOCK_SIZE);
239
0
    ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
240
0
    if (ret == 0) {
241
0
        XMEMCPY(out, cmac->digest, *outSz);
242
0
    }
243
244
#if defined(WOLFSSL_HASH_KEEP)
245
    /* TODO: msg is leaked if wc_CmacFinal() is not called
246
     * e.g. when multiple calls to wc_CmacUpdate() and one fails but
247
     * wc_CmacFinal() not called. */
248
    if (cmac->msg != NULL) {
249
        XFREE(cmac->msg, cmac->heap, DYNAMIC_TYPE_TMP_BUFFER);
250
        cmac->msg = NULL;
251
    }
252
#endif
253
0
    wc_AesFree(&cmac->aes);
254
0
    ForceZero(cmac, sizeof(Cmac));
255
256
0
    return ret;
257
0
}
258
259
260
int wc_AesCmacGenerate(byte* out, word32* outSz,
261
                       const byte* in, word32 inSz,
262
                       const byte* key, word32 keySz)
263
0
{
264
0
    int ret;
265
0
#ifdef WOLFSSL_SMALL_STACK
266
0
    Cmac *cmac;
267
#else
268
    Cmac cmac[1];
269
#endif
270
271
0
    if (out == NULL || (in == NULL && inSz > 0) || key == NULL || keySz == 0) {
272
0
        return BAD_FUNC_ARG;
273
0
    }
274
275
0
#ifdef WOLFSSL_SMALL_STACK
276
0
    if ((cmac = (Cmac *)XMALLOC(sizeof *cmac, NULL,
277
0
                                DYNAMIC_TYPE_CMAC)) == NULL) {
278
0
        return MEMORY_E;
279
0
    }
280
0
#endif
281
#ifdef WOLFSSL_CHECK_MEM_ZERO
282
    /* Aes part is checked by wc_AesFree. */
283
    wc_MemZero_Add("wc_AesCmacGenerate cmac",
284
        ((unsigned char *)cmac) + sizeof(Aes), sizeof(Cmac) - sizeof(Aes));
285
#endif
286
287
0
    ret = wc_InitCmac(cmac, key, keySz, WC_CMAC_AES, NULL);
288
0
    if (ret == 0) {
289
0
        ret = wc_CmacUpdate(cmac, in, inSz);
290
0
    }
291
0
    if (ret == 0) {
292
0
        ret = wc_CmacFinal(cmac, out, outSz);
293
0
    }
294
295
0
#ifdef WOLFSSL_SMALL_STACK
296
0
    if (cmac) {
297
0
        XFREE(cmac, NULL, DYNAMIC_TYPE_CMAC);
298
0
    }
299
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
300
    wc_MemZero_Check(cmac, sizeof(Cmac));
301
#endif
302
303
0
    return ret;
304
0
}
305
306
307
int wc_AesCmacVerify(const byte* check, word32 checkSz,
308
                     const byte* in, word32 inSz,
309
                     const byte* key, word32 keySz)
310
0
{
311
0
    int ret;
312
0
    byte a[AES_BLOCK_SIZE];
313
0
    word32 aSz = sizeof(a);
314
0
    int compareRet;
315
316
0
    if (check == NULL || checkSz == 0 || (in == NULL && inSz != 0) ||
317
0
        key == NULL || keySz == 0) {
318
0
        return BAD_FUNC_ARG;
319
0
    }
320
321
0
    XMEMSET(a, 0, aSz);
322
0
    ret = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz);
323
0
    compareRet = ConstantCompare(check, a, min(checkSz, aSz));
324
325
0
    if (ret == 0)
326
0
        ret = compareRet ? 1 : 0;
327
328
0
    return ret;
329
0
}
330
331
332
#endif /* WOLFSSL_CMAC && NO_AES && WOLFSSL_AES_DIRECT */