/src/wolfssl-normal-math/wolfcrypt/src/cmac.c

Source (jump to first uncovered line)
/* cmac.c
 *
 * Copyright (C) 2006-2022 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */


#ifdef HAVE_CONFIG_H
    #include <config.h>
#endif

#include <wolfssl/wolfcrypt/settings.h>
#ifdef WOLFSSL_QNX_CAAM
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
#endif
#if defined(WOLFSSL_HASH_KEEP)
#include <wolfssl/wolfcrypt/hash.h>
#endif

#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)

#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
    #define FIPS_NO_WRAPPERS

    #ifdef USE_WINDOWS_API
        #pragma code_seg(".fipsA$n")
        #pragma const_seg(".fipsB$n")
    #endif
#endif

#ifdef NO_INLINE
    #include <wolfssl/wolfcrypt/misc.h>
#else
    #define WOLFSSL_MISC_INCLUDED
    #include <wolfcrypt/src/misc.c>
#endif

#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/cmac.h>

#ifdef WOLF_CRYPTO_CB
    #include <wolfssl/wolfcrypt/cryptocb.h>
#endif

#ifdef WOLFSSL_HASH_KEEP
/* Some hardware have issues with update, this function stores the data to be
 * hashed into an array. Once ready, the Final operation is called on all of the
 * data to be hashed at once.
 * returns 0 on success
 */
int wc_CMAC_Grow(Cmac* cmac, const byte* in, int inSz)
{
    return _wc_Hash_Grow(&cmac->msg, &cmac->used, &cmac->len, in, inSz, NULL);
}
#endif /* WOLFSSL_HASH_KEEP */


/* Used by AES-SIV. See aes.c. */
void ShiftAndXorRb(byte* out, byte* in)
{
    int i, j, xorRb;
    int mask = 0, last = 0;
    byte Rb = 0x87;

    xorRb = (in[0] & 0x80) != 0;

    for (i = 1, j = AES_BLOCK_SIZE - 1; i <= AES_BLOCK_SIZE; i++, j--) {
        last = (in[j] & 0x80) ? 1 : 0;
        out[j] = (byte)((in[j] << 1) | mask);
        mask = last;
        if (xorRb) {
            out[j] ^= Rb;
            Rb = 0;
        }
    }
}

/* returns 0 on success */
int wc_InitCmac_ex(Cmac* cmac, const byte* key, word32 keySz,
                int type, void* unused, void* heap, int devId)
{
    int ret;

    (void)unused;
    (void)heap;

    if (cmac == NULL || type != WC_CMAC_AES) {
        return BAD_FUNC_ARG;
    }

    XMEMSET(cmac, 0, sizeof(Cmac));

#ifdef WOLF_CRYPTO_CB
    if (devId != INVALID_DEVID) {
        cmac->devId = devId;
        cmac->devCtx = NULL;

        ret = wc_CryptoCb_Cmac(cmac, key, keySz, NULL, 0, NULL, NULL,
                type, unused);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
    }
#else
    (void)devId;
#endif

    if (key == NULL || keySz == 0) {
        return BAD_FUNC_ARG;
    }

    ret = wc_AesSetKey(&cmac->aes, key, keySz, NULL, AES_ENCRYPTION);
    if (ret == 0) {
        byte l[AES_BLOCK_SIZE];

        XMEMSET(l, 0, AES_BLOCK_SIZE);
        ret = wc_AesEncryptDirect(&cmac->aes, l, l);
        if (ret == 0) {
            ShiftAndXorRb(cmac->k1, l);
            ShiftAndXorRb(cmac->k2, cmac->k1);
            ForceZero(l, AES_BLOCK_SIZE);
        }
    }
    return ret;
}


int wc_InitCmac(Cmac* cmac, const byte* key, word32 keySz,
                int type, void* unused)
{
#ifdef WOLFSSL_QNX_CAAM
    int devId = WOLFSSL_CAAM_DEVID;
#else
    int devId = INVALID_DEVID;
#endif
    return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, devId);
}



int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz)
{
    int ret = 0;

    if ((cmac == NULL) || (in == NULL && inSz != 0)) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    if (cmac->devId != INVALID_DEVID) {
        ret = wc_CryptoCb_Cmac(cmac, NULL, 0, in, inSz,
                NULL, NULL, 0, NULL);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
        ret = 0; /* reset error code */
    }
#endif

    while (inSz != 0) {
        word32 add = min(inSz, AES_BLOCK_SIZE - cmac->bufferSz);
        XMEMCPY(&cmac->buffer[cmac->bufferSz], in, add);

        cmac->bufferSz += add;
        in += add;
        inSz -= add;

        if (cmac->bufferSz == AES_BLOCK_SIZE && inSz != 0) {
            if (cmac->totalSz != 0) {
                xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
            }
            ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
            if (ret == 0) {
                cmac->totalSz += AES_BLOCK_SIZE;
                cmac->bufferSz = 0;
            }
        }
    }

    return ret;
}


int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
{
    int ret;
    const byte* subKey;

    if (cmac == NULL || out == NULL || outSz == NULL) {
        return BAD_FUNC_ARG;
    }
    if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ) {
        return BUFFER_E;
    }

#ifdef WOLF_CRYPTO_CB
    if (cmac->devId != INVALID_DEVID) {
        ret = wc_CryptoCb_Cmac(cmac, NULL, 0, NULL, 0, out, outSz, 0, NULL);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
    }
#endif

    if (cmac->bufferSz == AES_BLOCK_SIZE) {
        subKey = cmac->k1;
    }
    else {
        word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz;

        if (remainder == 0) {
            remainder = AES_BLOCK_SIZE;
        }
        if (remainder > 1) {
            XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder);
        }
        cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80;
        subKey = cmac->k2;
    }
    xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
    xorbuf(cmac->buffer, subKey, AES_BLOCK_SIZE);
    ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
    if (ret == 0) {
        XMEMCPY(out, cmac->digest, *outSz);
    }

#if defined(WOLFSSL_HASH_KEEP)
    /* TODO: msg is leaked if wc_CmacFinal() is not called
     * e.g. when multiple calls to wc_CmacUpdate() and one fails but
     * wc_CmacFinal() not called. */
    if (cmac->msg != NULL) {
        XFREE(cmac->msg, cmac->heap, DYNAMIC_TYPE_TMP_BUFFER);
        cmac->msg = NULL;
    }
#endif
    wc_AesFree(&cmac->aes);
    ForceZero(cmac, sizeof(Cmac));

    return ret;
}


int wc_AesCmacGenerate(byte* out, word32* outSz,
                       const byte* in, word32 inSz,
                       const byte* key, word32 keySz)
{
    int ret;
#ifdef WOLFSSL_SMALL_STACK
    Cmac *cmac;
#else
    Cmac cmac[1];
#endif

    if (out == NULL || (in == NULL && inSz > 0) || key == NULL || keySz == 0) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_SMALL_STACK
    if ((cmac = (Cmac *)XMALLOC(sizeof *cmac, NULL,
                                DYNAMIC_TYPE_CMAC)) == NULL) {
        return MEMORY_E;
    }
#endif
#ifdef WOLFSSL_CHECK_MEM_ZERO
    /* Aes part is checked by wc_AesFree. */
    wc_MemZero_Add("wc_AesCmacGenerate cmac",
        ((unsigned char *)cmac) + sizeof(Aes), sizeof(Cmac) - sizeof(Aes));
#endif

    ret = wc_InitCmac(cmac, key, keySz, WC_CMAC_AES, NULL);
    if (ret == 0) {
        ret = wc_CmacUpdate(cmac, in, inSz);
    }
    if (ret == 0) {
        ret = wc_CmacFinal(cmac, out, outSz);
    }

#ifdef WOLFSSL_SMALL_STACK
    if (cmac) {
        XFREE(cmac, NULL, DYNAMIC_TYPE_CMAC);
    }
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
    wc_MemZero_Check(cmac, sizeof(Cmac));
#endif

    return ret;
}


int wc_AesCmacVerify(const byte* check, word32 checkSz,
                     const byte* in, word32 inSz,
                     const byte* key, word32 keySz)
{
    int ret;
    byte a[AES_BLOCK_SIZE];
    word32 aSz = sizeof(a);
    int compareRet;

    if (check == NULL || checkSz == 0 || (in == NULL && inSz != 0) ||
        key == NULL || keySz == 0) {
        return BAD_FUNC_ARG;
    }

    XMEMSET(a, 0, aSz);
    ret = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz);
    compareRet = ConstantCompare(check, a, min(checkSz, aSz));

    if (ret == 0)
        ret = compareRet ? 1 : 0;

    return ret;
}


#endif /* WOLFSSL_CMAC && NO_AES && WOLFSSL_AES_DIRECT */

Coverage Report

Created: 2022-08-24 06:28

Line	Count	Source (jump to first uncovered line)
1		/* cmac.c
2		*
3		* Copyright (C) 2006-2022 wolfSSL Inc.
4		*
5		* This file is part of wolfSSL.
6		*
7		* wolfSSL is free software; you can redistribute it and/or modify
8		* it under the terms of the GNU General Public License as published by
9		* the Free Software Foundation; either version 2 of the License, or
10		* (at your option) any later version.
11		*
12		* wolfSSL is distributed in the hope that it will be useful,
13		* but WITHOUT ANY WARRANTY; without even the implied warranty of
14		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15		* GNU General Public License for more details.
16		*
17		* You should have received a copy of the GNU General Public License
18		* along with this program; if not, write to the Free Software
19		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20		*/
21
22
23		#ifdef HAVE_CONFIG_H
24		#include <config.h>
25		#endif
26
27		#include <wolfssl/wolfcrypt/settings.h>
28		#ifdef WOLFSSL_QNX_CAAM
29		#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
30		#endif
31		#if defined(WOLFSSL_HASH_KEEP)
32		#include <wolfssl/wolfcrypt/hash.h>
33		#endif
34
35		#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
36
37		#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
38		/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
39		#define FIPS_NO_WRAPPERS
40
41		#ifdef USE_WINDOWS_API
42		#pragma code_seg(".fipsA$n")
43		#pragma const_seg(".fipsB$n")
44		#endif
45		#endif
46
47		#ifdef NO_INLINE
48		#include <wolfssl/wolfcrypt/misc.h>
49		#else
50		#define WOLFSSL_MISC_INCLUDED
51		#include <wolfcrypt/src/misc.c>
52		#endif
53
54		#include <wolfssl/wolfcrypt/error-crypt.h>
55		#include <wolfssl/wolfcrypt/aes.h>
56		#include <wolfssl/wolfcrypt/cmac.h>
57
58		#ifdef WOLF_CRYPTO_CB
59		#include <wolfssl/wolfcrypt/cryptocb.h>
60		#endif
61
62		#ifdef WOLFSSL_HASH_KEEP
63		/* Some hardware have issues with update, this function stores the data to be
64		* hashed into an array. Once ready, the Final operation is called on all of the
65		* data to be hashed at once.
66		* returns 0 on success
67		*/
68		int wc_CMAC_Grow(Cmac* cmac, const byte* in, int inSz)
69		{
70		return _wc_Hash_Grow(&cmac->msg, &cmac->used, &cmac->len, in, inSz, NULL);
71		}
72		#endif /* WOLFSSL_HASH_KEEP */
73
74
75		/* Used by AES-SIV. See aes.c. */
76		void ShiftAndXorRb(byte* out, byte* in)
77	0	{
78	0	int i, j, xorRb;
79	0	int mask = 0, last = 0;
80	0	byte Rb = 0x87;
81
82	0	xorRb = (in[0] & 0x80) != 0;
83
84	0	for (i = 1, j = AES_BLOCK_SIZE - 1; i <= AES_BLOCK_SIZE; i++, j--) {
85	0	last = (in[j] & 0x80) ? 1 : 0;
86	0	out[j] = (byte)((in[j] << 1) \| mask);
87	0	mask = last;
88	0	if (xorRb) {
89	0	out[j] ^= Rb;
90	0	Rb = 0;
91	0	}
92	0	}
93	0	}
94
95		/* returns 0 on success */
96		int wc_InitCmac_ex(Cmac* cmac, const byte* key, word32 keySz,
97		int type, void* unused, void* heap, int devId)
98	0	{
99	0	int ret;
100
101	0	(void)unused;
102	0	(void)heap;
103
104	0	if (cmac == NULL \|\| type != WC_CMAC_AES) {
105	0	return BAD_FUNC_ARG;
106	0	}
107
108	0	XMEMSET(cmac, 0, sizeof(Cmac));
109
110	0	#ifdef WOLF_CRYPTO_CB
111	0	if (devId != INVALID_DEVID) {
112	0	cmac->devId = devId;
113	0	cmac->devCtx = NULL;
114
115	0	ret = wc_CryptoCb_Cmac(cmac, key, keySz, NULL, 0, NULL, NULL,
116	0	type, unused);
117	0	if (ret != CRYPTOCB_UNAVAILABLE)
118	0	return ret;
119		/* fall-through when unavailable */
120	0	}
121		#else
122		(void)devId;
123		#endif
124
125	0	if (key == NULL \|\| keySz == 0) {
126	0	return BAD_FUNC_ARG;
127	0	}
128
129	0	ret = wc_AesSetKey(&cmac->aes, key, keySz, NULL, AES_ENCRYPTION);
130	0	if (ret == 0) {
131	0	byte l[AES_BLOCK_SIZE];
132
133	0	XMEMSET(l, 0, AES_BLOCK_SIZE);
134	0	ret = wc_AesEncryptDirect(&cmac->aes, l, l);
135	0	if (ret == 0) {
136	0	ShiftAndXorRb(cmac->k1, l);
137	0	ShiftAndXorRb(cmac->k2, cmac->k1);
138	0	ForceZero(l, AES_BLOCK_SIZE);
139	0	}
140	0	}
141	0	return ret;
142	0	}
143
144
145		int wc_InitCmac(Cmac* cmac, const byte* key, word32 keySz,
146		int type, void* unused)
147	0	{
148		#ifdef WOLFSSL_QNX_CAAM
149		int devId = WOLFSSL_CAAM_DEVID;
150		#else
151	0	int devId = INVALID_DEVID;
152	0	#endif
153	0	return wc_InitCmac_ex(cmac, key, keySz, type, unused, NULL, devId);
154	0	}
155
156
157
158		int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz)
159	0	{
160	0	int ret = 0;
161
162	0	if ((cmac == NULL) \|\| (in == NULL && inSz != 0)) {
163	0	return BAD_FUNC_ARG;
164	0	}
165
166	0	#ifdef WOLF_CRYPTO_CB
167	0	if (cmac->devId != INVALID_DEVID) {
168	0	ret = wc_CryptoCb_Cmac(cmac, NULL, 0, in, inSz,
169	0	NULL, NULL, 0, NULL);
170	0	if (ret != CRYPTOCB_UNAVAILABLE)
171	0	return ret;
172		/* fall-through when unavailable */
173	0	ret = 0; /* reset error code */
174	0	}
175	0	#endif
176
177	0	while (inSz != 0) {
178	0	word32 add = min(inSz, AES_BLOCK_SIZE - cmac->bufferSz);
179	0	XMEMCPY(&cmac->buffer[cmac->bufferSz], in, add);
180
181	0	cmac->bufferSz += add;
182	0	in += add;
183	0	inSz -= add;
184
185	0	if (cmac->bufferSz == AES_BLOCK_SIZE && inSz != 0) {
186	0	if (cmac->totalSz != 0) {
187	0	xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
188	0	}
189	0	ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
190	0	if (ret == 0) {
191	0	cmac->totalSz += AES_BLOCK_SIZE;
192	0	cmac->bufferSz = 0;
193	0	}
194	0	}
195	0	}
196
197	0	return ret;
198	0	}
199
200
201		int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
202	0	{
203	0	int ret;
204	0	const byte* subKey;
205
206	0	if (cmac == NULL \|\| out == NULL \|\| outSz == NULL) {
207	0	return BAD_FUNC_ARG;
208	0	}
209	0	if (outSz < WC_CMAC_TAG_MIN_SZ \|\| outSz > WC_CMAC_TAG_MAX_SZ) {
210	0	return BUFFER_E;
211	0	}
212
213	0	#ifdef WOLF_CRYPTO_CB
214	0	if (cmac->devId != INVALID_DEVID) {
215	0	ret = wc_CryptoCb_Cmac(cmac, NULL, 0, NULL, 0, out, outSz, 0, NULL);
216	0	if (ret != CRYPTOCB_UNAVAILABLE)
217	0	return ret;
218		/* fall-through when unavailable */
219	0	}
220	0	#endif
221
222	0	if (cmac->bufferSz == AES_BLOCK_SIZE) {
223	0	subKey = cmac->k1;
224	0	}
225	0	else {
226	0	word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz;
227
228	0	if (remainder == 0) {
229	0	remainder = AES_BLOCK_SIZE;
230	0	}
231	0	if (remainder > 1) {
232	0	XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder);
233	0	}
234	0	cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80;
235	0	subKey = cmac->k2;
236	0	}
237	0	xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
238	0	xorbuf(cmac->buffer, subKey, AES_BLOCK_SIZE);
239	0	ret = wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
240	0	if (ret == 0) {
241	0	XMEMCPY(out, cmac->digest, *outSz);
242	0	}
243
244		#if defined(WOLFSSL_HASH_KEEP)
245		/* TODO: msg is leaked if wc_CmacFinal() is not called
246		* e.g. when multiple calls to wc_CmacUpdate() and one fails but
247		* wc_CmacFinal() not called. */
248		if (cmac->msg != NULL) {
249		XFREE(cmac->msg, cmac->heap, DYNAMIC_TYPE_TMP_BUFFER);
250		cmac->msg = NULL;
251		}
252		#endif
253	0	wc_AesFree(&cmac->aes);
254	0	ForceZero(cmac, sizeof(Cmac));
255
256	0	return ret;
257	0	}
258
259
260		int wc_AesCmacGenerate(byte* out, word32* outSz,
261		const byte* in, word32 inSz,
262		const byte* key, word32 keySz)
263	0	{
264	0	int ret;
265	0	#ifdef WOLFSSL_SMALL_STACK
266	0	Cmac *cmac;
267		#else
268		Cmac cmac[1];
269		#endif
270
271	0	if (out == NULL \|\| (in == NULL && inSz > 0) \|\| key == NULL \|\| keySz == 0) {
272	0	return BAD_FUNC_ARG;
273	0	}
274
275	0	#ifdef WOLFSSL_SMALL_STACK
276	0	if ((cmac = (Cmac )XMALLOC(sizeof cmac, NULL,
277	0	DYNAMIC_TYPE_CMAC)) == NULL) {
278	0	return MEMORY_E;
279	0	}
280	0	#endif
281		#ifdef WOLFSSL_CHECK_MEM_ZERO
282		/* Aes part is checked by wc_AesFree. */
283		wc_MemZero_Add("wc_AesCmacGenerate cmac",
284		((unsigned char *)cmac) + sizeof(Aes), sizeof(Cmac) - sizeof(Aes));
285		#endif
286
287	0	ret = wc_InitCmac(cmac, key, keySz, WC_CMAC_AES, NULL);
288	0	if (ret == 0) {
289	0	ret = wc_CmacUpdate(cmac, in, inSz);
290	0	}
291	0	if (ret == 0) {
292	0	ret = wc_CmacFinal(cmac, out, outSz);
293	0	}
294
295	0	#ifdef WOLFSSL_SMALL_STACK
296	0	if (cmac) {
297	0	XFREE(cmac, NULL, DYNAMIC_TYPE_CMAC);
298	0	}
299		#elif defined(WOLFSSL_CHECK_MEM_ZERO)
300		wc_MemZero_Check(cmac, sizeof(Cmac));
301		#endif
302
303	0	return ret;
304	0	}
305
306
307		int wc_AesCmacVerify(const byte* check, word32 checkSz,
308		const byte* in, word32 inSz,
309		const byte* key, word32 keySz)
310	0	{
311	0	int ret;
312	0	byte a[AES_BLOCK_SIZE];
313	0	word32 aSz = sizeof(a);
314	0	int compareRet;
315
316	0	if (check == NULL \|\| checkSz == 0 \|\| (in == NULL && inSz != 0) \|\|
317	0	key == NULL \|\| keySz == 0) {
318	0	return BAD_FUNC_ARG;
319	0	}
320
321	0	XMEMSET(a, 0, aSz);
322	0	ret = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz);
323	0	compareRet = ConstantCompare(check, a, min(checkSz, aSz));
324
325	0	if (ret == 0)
326	0	ret = compareRet ? 1 : 0;
327
328	0	return ret;
329	0	}
330
331
332		#endif /* WOLFSSL_CMAC && NO_AES && WOLFSSL_AES_DIRECT */