/src/wolfssl-normal-math/wolfcrypt/src/cmac.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* cmac.c |
2 | | * |
3 | | * Copyright (C) 2006-2022 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 2 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | |
23 | | #ifdef HAVE_CONFIG_H |
24 | | #include <config.h> |
25 | | #endif |
26 | | |
27 | | #include <wolfssl/wolfcrypt/settings.h> |
28 | | #ifdef WOLFSSL_QNX_CAAM |
29 | | #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h> |
30 | | #endif |
31 | | #if defined(WOLFSSL_HASH_KEEP) |
32 | | #include <wolfssl/wolfcrypt/hash.h> |
33 | | #endif |
34 | | |
35 | | #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) |
36 | | |
37 | | #if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) |
38 | | /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ |
39 | | #define FIPS_NO_WRAPPERS |
40 | | |
41 | | #ifdef USE_WINDOWS_API |
42 | | #pragma code_seg(".fipsA$n") |
43 | | #pragma const_seg(".fipsB$n") |
44 | | #endif |
45 | | #endif |
46 | | |
47 | | #ifdef NO_INLINE |
48 | | #include <wolfssl/wolfcrypt/misc.h> |
49 | | #else |
50 | | #define WOLFSSL_MISC_INCLUDED |
51 | | #include <wolfcrypt/src/misc.c> |
52 | | #endif |
53 | | |
54 | | #include <wolfssl/wolfcrypt/error-crypt.h> |
55 | | #include <wolfssl/wolfcrypt/aes.h> |
56 | | #include <wolfssl/wolfcrypt/cmac.h> |
57 | | |
58 | | #ifdef WOLF_CRYPTO_CB |
59 | | #include <wolfssl/wolfcrypt/cryptocb.h> |
60 | | #endif |
61 | | |
62 | | #ifdef WOLFSSL_HASH_KEEP |
63 | | /* Some hardware have issues with update, this function stores the data to be |
64 | | * hashed into an array. Once ready, the Final operation is called on all of the |
65 | | * data to be hashed at once. |
66 | | * returns 0 on success |
67 | | */ |
68 | | int wc_CMAC_Grow(Cmac* cmac, const byte* in, int inSz) |
69 | | { |
70 | | return _wc_Hash_Grow(&cmac->msg, &cmac->used, &cmac->len, in, inSz, NULL); |
71 | | } |
72 | | #endif /* WOLFSSL_HASH_KEEP */ |
73 | | |
74 | | |
75 | | /* Used by AES-SIV. See aes.c. */ |
76 | | void ShiftAndXorRb(byte* out, byte* in) |
77 | 0 | { |
78 | 0 | int i, j, xorRb; |
79 | 0 | int mask = 0, last = 0; |
80 | 0 | byte Rb = 0x87; |
81 | |
|
82 | 0 | xorRb = (in[0] & 0x80) != 0; |
83 | |
|
84 | 0 | for (i = 1, j = AES_BLOCK_SIZE - 1; i <= AES_BLOCK_SIZE; i++, j--) { |
85 | 0 | last = (in[j] & 0x80) ? 1 : 0; |
86 | 0 | out[j] = (byte)((in[j] << 1) | mask); |
87 | 0 | mask = last; |
88 | 0 | if (xorRb) { |
89 | 0 | out[j] ^= Rb; |
90 | 0 | Rb = 0; |
91 | 0 | } |
92 | 0 | } |
93 | 0 | } |
94 | | |
95 | | /* returns 0 on success */ |
96 | | int wc_InitCmac_ex(Cmac* cmac, const byte* key, word32 keySz, |
97 | | int type, void* unused, void* heap, int devId) |
98 | 0 | { |
99 | 0 | int ret; |
100 | |
|
101 | 0 | (void)unused; |
102 | 0 | (void)heap; |
103 | |
|
104 | 0 | if (cmac == NULL || type != WC_CMAC_AES) { |
105 | 0 | return BAD_FUNC_ARG; |
106 | 0 | } |
107 | | |
108 | 0 | XMEMSET(cmac, 0, sizeof(Cmac)); |
109 | |
|
110 | 0 | #ifdef WOLF_CRYPTO_CB |
111 | 0 | if (devId != INVALID_DEVID) { |
112 | 0 | cmac->devId = devId; |
113 | 0 | cmac->devCtx = NULL; |
114 | |
|
115 | 0 | ret = wc_CryptoCb_Cmac(cmac, key, keySz, NULL, 0, NULL, NULL, |
116 | 0 | type, unused); |
117 | 0 | if (ret != CRYPTOCB_UNAVAILABLE) |
118 | 0 | return ret; |
119 | | /* fall-through when unavailable */ |
120 | 0 | } |
121 | | #else |
122 | | (void)devId; |
123 | | #endif |
124 | | |
125 | 0 | if (key == NULL || keySz == 0) { |
126 | 0 | return BAD_FUNC_ARG; |
127 | 0 | } |
128 | | |
129 | 0 | ret = wc_AesSetKey(&cmac->aes, key, keySz, NULL, AES_ENCRYPTION); |
130 | 0 | if (ret == 0) { |
131 | 0 | byte l[AES_BLOCK_SIZE]; |
132 | |
|
133 | 0 | XMEMSET(l, 0, AES_BLOCK_SIZE); |
134 | 0 | ret = wc_AesEncryptDirect(&cmac->aes, l, l); |
135 | 0 | if (ret == 0) { |
136 | 0 | ShiftAndXorRb(cmac->k1, l); |
137 | 0 | ShiftAndXorRb(cmac->k2, cmac->k1); |
138 | 0 | ForceZero(l, AES_BLOCK_SIZE); |
139 | 0 | } |
140 | 0 | } |
141 | 0 | return ret; |
142 | 0 | } |
143 | | |
144 | | |
145 | | int wc_InitCmac(Cmac* cmac, const byte* key, word32 keySz, |
146 | | int type, void* unused) |
147 | 0 | { |
148 | | #ifdef WOLFSSL_QNX_CAAM |
149 | | int devId = WOLFSSL_CAAM_DEVID; |
150 | | #else |
151 | 0 | int devId = INVALID_DEVID; |
152 | 0 | #endif |
153 | 0 | return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, devId); |
154 | 0 | } |
155 | | |
156 | | |
157 | | |
158 | | int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz) |
159 | 0 | { |
160 | 0 | int ret = 0; |
161 | |
|
162 | 0 | if ((cmac == NULL) || (in == NULL && inSz != 0)) { |
163 | 0 | return BAD_FUNC_ARG; |
164 | 0 | } |
165 | | |
166 | 0 | #ifdef WOLF_CRYPTO_CB |
167 | 0 | if (cmac->devId != INVALID_DEVID) { |
168 | 0 | ret = wc_CryptoCb_Cmac(cmac, NULL, 0, in, inSz, |
169 | 0 | NULL, NULL, 0, NULL); |
170 | 0 | if (ret != CRYPTOCB_UNAVAILABLE) |
171 | 0 | return ret; |
172 | | /* fall-through when unavailable */ |
173 | 0 | ret = 0; /* reset error code */ |
174 | 0 | } |
175 | 0 | #endif |
176 | | |
177 | 0 | while (inSz != 0) { |
178 | 0 | word32 add = min(inSz, AES_BLOCK_SIZE - cmac->bufferSz); |
179 | 0 | XMEMCPY(&cmac->buffer[cmac->bufferSz], in, add); |
180 | |
|
181 | 0 | cmac->bufferSz += add; |
182 | 0 | in += add; |
183 | 0 | inSz -= add; |
184 | |
|
185 | 0 | if (cmac->bufferSz == AES_BLOCK_SIZE && inSz != 0) { |
186 | 0 | if (cmac->totalSz != 0) { |
187 | 0 | xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE); |
188 | 0 | } |
189 | 0 | ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer); |
190 | 0 | if (ret == 0) { |
191 | 0 | cmac->totalSz += AES_BLOCK_SIZE; |
192 | 0 | cmac->bufferSz = 0; |
193 | 0 | } |
194 | 0 | } |
195 | 0 | } |
196 | |
|
197 | 0 | return ret; |
198 | 0 | } |
199 | | |
200 | | |
201 | | int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz) |
202 | 0 | { |
203 | 0 | int ret; |
204 | 0 | const byte* subKey; |
205 | |
|
206 | 0 | if (cmac == NULL || out == NULL || outSz == NULL) { |
207 | 0 | return BAD_FUNC_ARG; |
208 | 0 | } |
209 | 0 | if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ) { |
210 | 0 | return BUFFER_E; |
211 | 0 | } |
212 | | |
213 | 0 | #ifdef WOLF_CRYPTO_CB |
214 | 0 | if (cmac->devId != INVALID_DEVID) { |
215 | 0 | ret = wc_CryptoCb_Cmac(cmac, NULL, 0, NULL, 0, out, outSz, 0, NULL); |
216 | 0 | if (ret != CRYPTOCB_UNAVAILABLE) |
217 | 0 | return ret; |
218 | | /* fall-through when unavailable */ |
219 | 0 | } |
220 | 0 | #endif |
221 | | |
222 | 0 | if (cmac->bufferSz == AES_BLOCK_SIZE) { |
223 | 0 | subKey = cmac->k1; |
224 | 0 | } |
225 | 0 | else { |
226 | 0 | word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz; |
227 | |
|
228 | 0 | if (remainder == 0) { |
229 | 0 | remainder = AES_BLOCK_SIZE; |
230 | 0 | } |
231 | 0 | if (remainder > 1) { |
232 | 0 | XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder); |
233 | 0 | } |
234 | 0 | cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80; |
235 | 0 | subKey = cmac->k2; |
236 | 0 | } |
237 | 0 | xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE); |
238 | 0 | xorbuf(cmac->buffer, subKey, AES_BLOCK_SIZE); |
239 | 0 | ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer); |
240 | 0 | if (ret == 0) { |
241 | 0 | XMEMCPY(out, cmac->digest, *outSz); |
242 | 0 | } |
243 | |
|
244 | | #if defined(WOLFSSL_HASH_KEEP) |
245 | | /* TODO: msg is leaked if wc_CmacFinal() is not called |
246 | | * e.g. when multiple calls to wc_CmacUpdate() and one fails but |
247 | | * wc_CmacFinal() not called. */ |
248 | | if (cmac->msg != NULL) { |
249 | | XFREE(cmac->msg, cmac->heap, DYNAMIC_TYPE_TMP_BUFFER); |
250 | | cmac->msg = NULL; |
251 | | } |
252 | | #endif |
253 | 0 | wc_AesFree(&cmac->aes); |
254 | 0 | ForceZero(cmac, sizeof(Cmac)); |
255 | |
|
256 | 0 | return ret; |
257 | 0 | } |
258 | | |
259 | | |
260 | | int wc_AesCmacGenerate(byte* out, word32* outSz, |
261 | | const byte* in, word32 inSz, |
262 | | const byte* key, word32 keySz) |
263 | 0 | { |
264 | 0 | int ret; |
265 | 0 | #ifdef WOLFSSL_SMALL_STACK |
266 | 0 | Cmac *cmac; |
267 | | #else |
268 | | Cmac cmac[1]; |
269 | | #endif |
270 | |
|
271 | 0 | if (out == NULL || (in == NULL && inSz > 0) || key == NULL || keySz == 0) { |
272 | 0 | return BAD_FUNC_ARG; |
273 | 0 | } |
274 | | |
275 | 0 | #ifdef WOLFSSL_SMALL_STACK |
276 | 0 | if ((cmac = (Cmac *)XMALLOC(sizeof *cmac, NULL, |
277 | 0 | DYNAMIC_TYPE_CMAC)) == NULL) { |
278 | 0 | return MEMORY_E; |
279 | 0 | } |
280 | 0 | #endif |
281 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
282 | | /* Aes part is checked by wc_AesFree. */ |
283 | | wc_MemZero_Add("wc_AesCmacGenerate cmac", |
284 | | ((unsigned char *)cmac) + sizeof(Aes), sizeof(Cmac) - sizeof(Aes)); |
285 | | #endif |
286 | | |
287 | 0 | ret = wc_InitCmac(cmac, key, keySz, WC_CMAC_AES, NULL); |
288 | 0 | if (ret == 0) { |
289 | 0 | ret = wc_CmacUpdate(cmac, in, inSz); |
290 | 0 | } |
291 | 0 | if (ret == 0) { |
292 | 0 | ret = wc_CmacFinal(cmac, out, outSz); |
293 | 0 | } |
294 | |
|
295 | 0 | #ifdef WOLFSSL_SMALL_STACK |
296 | 0 | if (cmac) { |
297 | 0 | XFREE(cmac, NULL, DYNAMIC_TYPE_CMAC); |
298 | 0 | } |
299 | | #elif defined(WOLFSSL_CHECK_MEM_ZERO) |
300 | | wc_MemZero_Check(cmac, sizeof(Cmac)); |
301 | | #endif |
302 | |
|
303 | 0 | return ret; |
304 | 0 | } |
305 | | |
306 | | |
307 | | int wc_AesCmacVerify(const byte* check, word32 checkSz, |
308 | | const byte* in, word32 inSz, |
309 | | const byte* key, word32 keySz) |
310 | 0 | { |
311 | 0 | int ret; |
312 | 0 | byte a[AES_BLOCK_SIZE]; |
313 | 0 | word32 aSz = sizeof(a); |
314 | 0 | int compareRet; |
315 | |
|
316 | 0 | if (check == NULL || checkSz == 0 || (in == NULL && inSz != 0) || |
317 | 0 | key == NULL || keySz == 0) { |
318 | 0 | return BAD_FUNC_ARG; |
319 | 0 | } |
320 | | |
321 | 0 | XMEMSET(a, 0, aSz); |
322 | 0 | ret = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz); |
323 | 0 | compareRet = ConstantCompare(check, a, min(checkSz, aSz)); |
324 | |
|
325 | 0 | if (ret == 0) |
326 | 0 | ret = compareRet ? 1 : 0; |
327 | |
|
328 | 0 | return ret; |
329 | 0 | } |
330 | | |
331 | | |
332 | | #endif /* WOLFSSL_CMAC && NO_AES && WOLFSSL_AES_DIRECT */ |