apache / mynewt-documentation / 94c47ae2bc67c54a68d227abbb47c27ae97cc232 / . / versions / v1_4_0 / mynewt-nimble / ext / tinycrypt / src / cmac_mode.c

/* cmac_mode.c - TinyCrypt CMAC mode implementation */ | |

/* | |

* Copyright (C) 2017 by Intel Corporation, All Rights Reserved. | |

* | |

* Redistribution and use in source and binary forms, with or without | |

* modification, are permitted provided that the following conditions are met: | |

* | |

* - Redistributions of source code must retain the above copyright notice, | |

* this list of conditions and the following disclaimer. | |

* | |

* - Redistributions in binary form must reproduce the above copyright | |

* notice, this list of conditions and the following disclaimer in the | |

* documentation and/or other materials provided with the distribution. | |

* | |

* - Neither the name of Intel Corporation nor the names of its contributors | |

* may be used to endorse or promote products derived from this software | |

* without specific prior written permission. | |

* | |

* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |

* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |

* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | |

* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |

* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |

* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |

* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |

* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |

* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |

* POSSIBILITY OF SUCH DAMAGE. | |

*/ | |

#include <tinycrypt/aes.h> | |

#include <tinycrypt/cmac_mode.h> | |

#include <tinycrypt/constants.h> | |

#include <tinycrypt/utils.h> | |

/* max number of calls until change the key (2^48).*/ | |

const static uint64_t MAX_CALLS = ((uint64_t)1 << 48); | |

/* | |

* gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte | |

* array with byte 0 the most significant and byte 15 the least significant. | |

* High bit carry reduction is based on the primitive polynomial | |

* | |

* X^128 + X^7 + X^2 + X + 1, | |

* | |

* which leads to the reduction formula X^128 = X^7 + X^2 + X + 1. Indeed, | |

* since 0 = (X^128 + X^7 + X^2 + 1) mod (X^128 + X^7 + X^2 + X + 1) and since | |

* addition of polynomials with coefficients in Z/Z(2) is just XOR, we can | |

* add X^128 to both sides to get | |

* | |

* X^128 = (X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1) | |

* | |

* and the coefficients of the polynomial on the right hand side form the | |

* string 1000 0111 = 0x87, which is the value of gf_wrap. | |

* | |

* This gets used in the following way. Doubling in GF(2^128) is just a left | |

* shift by 1 bit, except when the most significant bit is 1. In the latter | |

* case, the relation X^128 = X^7 + X^2 + X + 1 says that the high order bit | |

* that overflows beyond 128 bits can be replaced by addition of | |

* X^7 + X^2 + X + 1 <--> 0x87 to the low order 128 bits. Since addition | |

* in GF(2^128) is represented by XOR, we therefore only have to XOR 0x87 | |

* into the low order byte after a left shift when the starting high order | |

* bit is 1. | |

*/ | |

const unsigned char gf_wrap = 0x87; | |

/* | |

* assumes: out != NULL and points to a GF(2^n) value to receive the | |

* doubled value; | |

* in != NULL and points to a 16 byte GF(2^n) value | |

* to double; | |

* the in and out buffers do not overlap. | |

* effects: doubles the GF(2^n) value pointed to by "in" and places | |

* the result in the GF(2^n) value pointed to by "out." | |

*/ | |

void gf_double(uint8_t *out, uint8_t *in) | |

{ | |

/* start with low order byte */ | |

uint8_t *x = in + (TC_AES_BLOCK_SIZE - 1); | |

/* if msb == 1, we need to add the gf_wrap value, otherwise add 0 */ | |

uint8_t carry = (in[0] >> 7) ? gf_wrap : 0; | |

out += (TC_AES_BLOCK_SIZE - 1); | |

for (;;) { | |

*out-- = (*x << 1) ^ carry; | |

if (x == in) { | |

break; | |

} | |

carry = *x-- >> 7; | |

} | |

} | |

int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched) | |

{ | |

/* input sanity check: */ | |

if (s == (TCCmacState_t) 0 || | |

key == (const uint8_t *) 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

/* put s into a known state */ | |

_set(s, 0, sizeof(*s)); | |

s->sched = sched; | |

/* configure the encryption key used by the underlying block cipher */ | |

tc_aes128_set_encrypt_key(s->sched, key); | |

/* compute s->K1 and s->K2 from s->iv using s->keyid */ | |

_set(s->iv, 0, TC_AES_BLOCK_SIZE); | |

tc_aes_encrypt(s->iv, s->iv, s->sched); | |

gf_double (s->K1, s->iv); | |

gf_double (s->K2, s->K1); | |

/* reset s->iv to 0 in case someone wants to compute now */ | |

tc_cmac_init(s); | |

return TC_CRYPTO_SUCCESS; | |

} | |

int tc_cmac_erase(TCCmacState_t s) | |

{ | |

if (s == (TCCmacState_t) 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

/* destroy the current state */ | |

_set(s, 0, sizeof(*s)); | |

return TC_CRYPTO_SUCCESS; | |

} | |

int tc_cmac_init(TCCmacState_t s) | |

{ | |

/* input sanity check: */ | |

if (s == (TCCmacState_t) 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

/* CMAC starts with an all zero initialization vector */ | |

_set(s->iv, 0, TC_AES_BLOCK_SIZE); | |

/* and the leftover buffer is empty */ | |

_set(s->leftover, 0, TC_AES_BLOCK_SIZE); | |

s->leftover_offset = 0; | |

/* Set countdown to max number of calls allowed before re-keying: */ | |

s->countdown = MAX_CALLS; | |

return TC_CRYPTO_SUCCESS; | |

} | |

int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length) | |

{ | |

unsigned int i; | |

/* input sanity check: */ | |

if (s == (TCCmacState_t) 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

if (data_length == 0) { | |

return TC_CRYPTO_SUCCESS; | |

} | |

if (data == (const uint8_t *) 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

if (s->countdown == 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

s->countdown--; | |

if (s->leftover_offset > 0) { | |

/* last data added to s didn't end on a TC_AES_BLOCK_SIZE byte boundary */ | |

size_t remaining_space = TC_AES_BLOCK_SIZE - s->leftover_offset; | |

if (data_length < remaining_space) { | |

/* still not enough data to encrypt this time either */ | |

_copy(&s->leftover[s->leftover_offset], data_length, data, data_length); | |

s->leftover_offset += data_length; | |

return TC_CRYPTO_SUCCESS; | |

} | |

/* leftover block is now full; encrypt it first */ | |

_copy(&s->leftover[s->leftover_offset], | |

remaining_space, | |

data, | |

remaining_space); | |

data_length -= remaining_space; | |

data += remaining_space; | |

s->leftover_offset = 0; | |

for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) { | |

s->iv[i] ^= s->leftover[i]; | |

} | |

tc_aes_encrypt(s->iv, s->iv, s->sched); | |

} | |

/* CBC encrypt each (except the last) of the data blocks */ | |

while (data_length > TC_AES_BLOCK_SIZE) { | |

for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) { | |

s->iv[i] ^= data[i]; | |

} | |

tc_aes_encrypt(s->iv, s->iv, s->sched); | |

data += TC_AES_BLOCK_SIZE; | |

data_length -= TC_AES_BLOCK_SIZE; | |

} | |

if (data_length > 0) { | |

/* save leftover data for next time */ | |

_copy(s->leftover, data_length, data, data_length); | |

s->leftover_offset = data_length; | |

} | |

return TC_CRYPTO_SUCCESS; | |

} | |

int tc_cmac_final(uint8_t *tag, TCCmacState_t s) | |

{ | |

uint8_t *k; | |

unsigned int i; | |

/* input sanity check: */ | |

if (tag == (uint8_t *) 0 || | |

s == (TCCmacState_t) 0) { | |

return TC_CRYPTO_FAIL; | |

} | |

if (s->leftover_offset == TC_AES_BLOCK_SIZE) { | |

/* the last message block is a full-sized block */ | |

k = (uint8_t *) s->K1; | |

} else { | |

/* the final message block is not a full-sized block */ | |

size_t remaining = TC_AES_BLOCK_SIZE - s->leftover_offset; | |

_set(&s->leftover[s->leftover_offset], 0, remaining); | |

s->leftover[s->leftover_offset] = TC_CMAC_PADDING; | |

k = (uint8_t *) s->K2; | |

} | |

for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) { | |

s->iv[i] ^= s->leftover[i] ^ k[i]; | |

} | |

tc_aes_encrypt(tag, s->iv, s->sched); | |

/* erasing state: */ | |

tc_cmac_erase(s); | |

return TC_CRYPTO_SUCCESS; | |

} |