• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* cmac_mode.c - TinyCrypt CMAC mode implementation */
2 
3 /*
4  *  Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
5  *
6  *  Redistribution and use in source and binary forms, with or without
7  *  modification, are permitted provided that the following conditions are met:
8  *
9  *    - Redistributions of source code must retain the above copyright notice,
10  *     this list of conditions and the following disclaimer.
11  *
12  *    - Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  *    - Neither the name of Intel Corporation nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30  *  POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <tinycrypt/aes.h>
34 #include <tinycrypt/cmac_mode.h>
35 #include <tinycrypt/constants.h>
36 #include <tinycrypt/utils.h>
37 
38 /* max number of calls until change the key (2^48). */
39 const static uint64_t MAX_CALLS = ((uint64_t)1 << 48); // 48:byte alignment
40 
41 /*
42  *  gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte
43  *  array with byte 0 the most significant and byte 15 the least significant.
44  *  High bit carry reduction is based on the primitive polynomial
45  *
46  *                     X^128 + X^7 + X^2 + X + 1,
47  *
48  *  which leads to the reduction formula X^128 = X^7 + X^2 + X + 1. Indeed,
49  *  since 0 = (X^128 + X^7 + X^2 + 1) mod (X^128 + X^7 + X^2 + X + 1) and since
50  *  addition of polynomials with coefficients in Z/Z(2) is just XOR, we can
51  *  add X^128 to both sides to get
52  *
53  *       X^128 = (X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1)
54  *
55  *  and the coefficients of the polynomial on the right hand side form the
56  *  string 1000 0111 = 0x87, which is the value of gf_wrap.
57  *
58  *  This gets used in the following way. Doubling in GF(2^128) is just a left
59  *  shift by 1 bit, except when the most significant bit is 1. In the latter
60  *  case, the relation X^128 = X^7 + X^2 + X + 1 says that the high order bit
61  *  that overflows beyond 128 bits can be replaced by addition of
62  *  X^7 + X^2 + X + 1 <--> 0x87 to the low order 128 bits. Since addition
63  *  in GF(2^128) is represented by XOR, we therefore only have to XOR 0x87
64  *  into the low order byte after a left shift when the starting high order
65  *  bit is 1.
66  */
67 const unsigned char gf_wrap = 0x87;
68 
69 /*
70  *  assumes: out != NULL and points to a GF(2^n) value to receive the
71  *            doubled value;
72  *           in != NULL and points to a 16 byte GF(2^n) value
73  *            to double;
74  *           the in and out buffers do not overlap.
75  *  effects: doubles the GF(2^n) value pointed to by "in" and places
76  *           the result in the GF(2^n) value pointed to by "out."
77  */
gf_double(uint8_t * out,uint8_t * in)78 void gf_double(uint8_t *out, uint8_t *in)
79 {
80     /* start with low order byte */
81     uint8_t *x = in + (TC_AES_BLOCK_SIZE - 1);
82     /* if msb == 1, we need to add the gf_wrap value, otherwise add 0 */
83     uint8_t carry = (in[0] >> 7) ? gf_wrap : 0;
84     out += (TC_AES_BLOCK_SIZE - 1);
85 
86     for (;;) {
87         *out-- = (*x << 1) ^ carry;
88 
89         if (x == in) {
90             break;
91         }
92 
93         carry = *x-- >> 7; // 7:byte alignment
94     }
95 }
96 
tc_cmac_setup(TCCmacState_t s,const uint8_t * key,TCAesKeySched_t sched)97 int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched)
98 {
99     /* input sanity check: */
100     if (s == (TCCmacState_t) 0 ||
101             key == (const uint8_t *) 0) {
102         return TC_CRYPTO_FAIL;
103     }
104 
105     /* put s into a known state */
106     _set(s, 0, sizeof(*s));
107     s->sched = sched;
108     /* configure the encryption key used by the underlying block cipher */
109     tc_aes128_set_encrypt_key(s->sched, key);
110     /* compute s->K1 and s->K2 from s->iv using s->keyid */
111     _set(s->iv, 0, TC_AES_BLOCK_SIZE);
112     tc_aes_encrypt(s->iv, s->iv, s->sched);
113     gf_double(s->K1, s->iv);
114     gf_double(s->K2, s->K1);
115     /* reset s->iv to 0 in case someone wants to compute now */
116     tc_cmac_init(s);
117     return TC_CRYPTO_SUCCESS;
118 }
119 
tc_cmac_erase(TCCmacState_t s)120 int tc_cmac_erase(TCCmacState_t s)
121 {
122     if (s == (TCCmacState_t) 0) {
123         return TC_CRYPTO_FAIL;
124     }
125 
126     /* destroy the current state */
127     _set(s, 0, sizeof(*s));
128     return TC_CRYPTO_SUCCESS;
129 }
130 
tc_cmac_init(TCCmacState_t s)131 int tc_cmac_init(TCCmacState_t s)
132 {
133     /* input sanity check: */
134     if (s == (TCCmacState_t) 0) {
135         return TC_CRYPTO_FAIL;
136     }
137 
138     /* CMAC starts with an all zero initialization vector */
139     _set(s->iv, 0, TC_AES_BLOCK_SIZE);
140     /* and the leftover buffer is empty */
141     _set(s->leftover, 0, TC_AES_BLOCK_SIZE);
142     s->leftover_offset = 0;
143     /* Set countdown to max number of calls allowed before re-keying: */
144     s->countdown = MAX_CALLS;
145     return TC_CRYPTO_SUCCESS;
146 }
147 
tc_cmac_update(TCCmacState_t s,const uint8_t * data,size_t data_length)148 int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
149 {
150     unsigned int i;
151 
152     /* input sanity check: */
153     if (s == (TCCmacState_t) 0) {
154         return TC_CRYPTO_FAIL;
155     }
156 
157     if (data_length == 0) {
158         return  TC_CRYPTO_SUCCESS;
159     }
160 
161     if (data == (const uint8_t *) 0) {
162         return TC_CRYPTO_FAIL;
163     }
164 
165     if (s->countdown == 0) {
166         return TC_CRYPTO_FAIL;
167     }
168 
169     s->countdown--;
170 
171     if (s->leftover_offset > 0) {
172         /* last data added to s didn't end on a TC_AES_BLOCK_SIZE byte boundary */
173         size_t remaining_space = TC_AES_BLOCK_SIZE - s->leftover_offset;
174 
175         if (data_length < remaining_space) {
176             /* still not enough data to encrypt this time either */
177             _copy(&s->leftover[s->leftover_offset], data_length, data, data_length);
178             s->leftover_offset += data_length;
179             return TC_CRYPTO_SUCCESS;
180         }
181 
182         /* leftover block is now full; encrypt it first */
183         _copy(&s->leftover[s->leftover_offset],
184               remaining_space,
185               data,
186               remaining_space);
187         data_length -= remaining_space;
188         data += remaining_space;
189         s->leftover_offset = 0;
190 
191         for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
192             s->iv[i] ^= s->leftover[i];
193         }
194 
195         tc_aes_encrypt(s->iv, s->iv, s->sched);
196     }
197 
198     /* CBC encrypt each (except the last) of the data blocks */
199     while (data_length > TC_AES_BLOCK_SIZE) {
200         for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
201             s->iv[i] ^= data[i];
202         }
203 
204         tc_aes_encrypt(s->iv, s->iv, s->sched);
205         data += TC_AES_BLOCK_SIZE;
206         data_length  -= TC_AES_BLOCK_SIZE;
207     }
208 
209     if (data_length > 0) {
210         /* save leftover data for next time */
211         _copy(s->leftover, data_length, data, data_length);
212         s->leftover_offset = data_length;
213     }
214 
215     return TC_CRYPTO_SUCCESS;
216 }
217 
tc_cmac_final(uint8_t * tag,TCCmacState_t s)218 int tc_cmac_final(uint8_t *tag, TCCmacState_t s)
219 {
220     uint8_t *k;
221     unsigned int i;
222 
223     /* input sanity check: */
224     if (tag == (uint8_t *) 0 ||
225             s == (TCCmacState_t) 0) {
226         return TC_CRYPTO_FAIL;
227     }
228 
229     if (s->leftover_offset == TC_AES_BLOCK_SIZE) {
230         /* the last message block is a full-sized block */
231         k = (uint8_t *) s->K1;
232     } else {
233         /* the final message block is not a full-sized  block */
234         size_t remaining = TC_AES_BLOCK_SIZE - s->leftover_offset;
235         _set(&s->leftover[s->leftover_offset], 0, remaining);
236         s->leftover[s->leftover_offset] = TC_CMAC_PADDING;
237         k = (uint8_t *) s->K2;
238     }
239 
240     for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
241         s->iv[i] ^= s->leftover[i] ^ k[i];
242     }
243 
244     tc_aes_encrypt(tag, s->iv, s->sched);
245     /* erasing state: */
246     tc_cmac_erase(s);
247     return TC_CRYPTO_SUCCESS;
248 }