2017-04-24 17:39:47 +02:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2016 Fundación Inria Chile
|
|
|
|
*
|
|
|
|
* This file is subject to the terms and conditions of the GNU Lesser
|
|
|
|
* General Public License v2.1. See the file LICENSE in the top level
|
|
|
|
* directory for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
2022-08-31 08:50:33 +02:00
|
|
|
* @ingroup sys_hashes_aes128_cmac
|
2017-04-24 17:39:47 +02:00
|
|
|
* @{
|
|
|
|
*
|
|
|
|
* @file
|
2022-08-31 08:50:33 +02:00
|
|
|
* @brief AES128_CMAC implementation
|
2017-04-24 17:39:47 +02:00
|
|
|
*
|
|
|
|
* @author José Ignacio Alamos <jose.alamos@inria.cl>
|
|
|
|
*
|
|
|
|
* @}
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <inttypes.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include "crypto/ciphers.h"
|
2022-08-31 08:50:33 +02:00
|
|
|
#include "hashes/aes128_cmac.h"
|
2017-04-24 17:39:47 +02:00
|
|
|
|
|
|
|
#define MIN(a, b) a < b ? a : b
|
|
|
|
|
|
|
|
static void _xor128(uint8_t *x, uint8_t *y)
|
|
|
|
{
|
|
|
|
for (unsigned i = 0; i < 16; i++) {
|
|
|
|
y[i] = x[i] ^ y[i];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void _leftshift(uint8_t *x, uint8_t *y)
|
|
|
|
{
|
|
|
|
for (unsigned i = 0; i < 15; i++) {
|
|
|
|
y[i] = (x[i] << 1) | (x[i + 1] >> 7);
|
|
|
|
}
|
|
|
|
y[15] = x[15] << 1;
|
|
|
|
}
|
|
|
|
|
2022-08-31 08:50:33 +02:00
|
|
|
int aes128_cmac_init(aes128_cmac_context_t *ctx,
|
|
|
|
const uint8_t *key, uint8_t key_size)
|
2017-04-24 17:39:47 +02:00
|
|
|
{
|
2022-08-31 08:50:33 +02:00
|
|
|
if (key_size != AES128_CMAC_BLOCK_SIZE) {
|
2017-04-24 17:39:47 +02:00
|
|
|
return CIPHER_ERR_INVALID_KEY_SIZE;
|
|
|
|
}
|
|
|
|
|
2022-08-31 08:50:33 +02:00
|
|
|
memset(ctx, 0, sizeof(aes128_cmac_context_t));
|
|
|
|
return cipher_init(&(ctx->aes128_ctx), CIPHER_AES, key, key_size);
|
2017-04-24 17:39:47 +02:00
|
|
|
}
|
|
|
|
|
2022-08-31 08:50:33 +02:00
|
|
|
void aes128_cmac_update(aes128_cmac_context_t *ctx,
|
|
|
|
const void *data, size_t len)
|
2017-04-24 17:39:47 +02:00
|
|
|
{
|
|
|
|
uint8_t d[16];
|
|
|
|
|
|
|
|
while (len) {
|
|
|
|
uint8_t c;
|
|
|
|
if (ctx->M_n == 16) {
|
|
|
|
ctx->M_n = 0;
|
|
|
|
_xor128(ctx->M_last, ctx->X);
|
2022-08-31 08:50:33 +02:00
|
|
|
cipher_encrypt(&ctx->aes128_ctx, ctx->X, d);
|
|
|
|
memcpy(ctx->X, d, AES128_CMAC_BLOCK_SIZE);
|
2017-04-24 17:39:47 +02:00
|
|
|
}
|
2022-08-31 08:50:33 +02:00
|
|
|
c = MIN(AES128_CMAC_BLOCK_SIZE - ctx->M_n, len);
|
2017-04-24 17:39:47 +02:00
|
|
|
memcpy(ctx->M_last + ctx->M_n, data, c);
|
|
|
|
ctx->M_n += c;
|
|
|
|
len -= c;
|
|
|
|
data = (void *) (((uint8_t *) data) + c);
|
|
|
|
|
2022-08-31 08:50:33 +02:00
|
|
|
if (ctx->M_n < AES128_CMAC_BLOCK_SIZE) {
|
2017-04-24 17:39:47 +02:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-31 08:50:33 +02:00
|
|
|
void aes128_cmac_final(aes128_cmac_context_t *ctx, void *digest)
|
2017-04-24 17:39:47 +02:00
|
|
|
{
|
|
|
|
/* Generate subkeys */
|
2022-08-31 08:50:33 +02:00
|
|
|
uint8_t K[AES128_CMAC_BLOCK_SIZE];
|
|
|
|
uint8_t L[AES128_CMAC_BLOCK_SIZE];
|
2017-04-24 17:39:47 +02:00
|
|
|
|
2022-08-31 08:50:33 +02:00
|
|
|
memset(K, 0, AES128_CMAC_BLOCK_SIZE);
|
|
|
|
cipher_encrypt(&ctx->aes128_ctx, K, L);
|
2017-04-24 17:39:47 +02:00
|
|
|
|
|
|
|
if (L[0] & 0x80) {
|
|
|
|
_leftshift(L, K);
|
|
|
|
K[15] ^= 0x87;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
_leftshift(L, K);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctx->M_n != 16) {
|
|
|
|
/* Generate K2 */
|
|
|
|
if (K[0] & 0x80) {
|
|
|
|
_leftshift(K, K);
|
|
|
|
K[15] ^= 0x87;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
_leftshift(K, K);
|
|
|
|
}
|
|
|
|
/* Padding */
|
2022-08-31 08:50:33 +02:00
|
|
|
memset(ctx->M_last + ctx->M_n, 0, AES128_CMAC_BLOCK_SIZE - ctx->M_n);
|
2017-04-24 17:39:47 +02:00
|
|
|
ctx->M_last[ctx->M_n] = 0x80;
|
|
|
|
}
|
|
|
|
_xor128(K, ctx->M_last);
|
|
|
|
_xor128(ctx->M_last, ctx->X);
|
2022-08-31 08:50:33 +02:00
|
|
|
cipher_encrypt(&ctx->aes128_ctx, ctx->X, L);
|
|
|
|
memcpy(digest, L, AES128_CMAC_BLOCK_SIZE);
|
2017-04-24 17:39:47 +02:00
|
|
|
}
|