// cmac.cpp - originally written and placed in the public domain by Wei Dai
#include "pch.h"
#ifndef CRYPTOPP_IMPORTS
#include "cmac.h"
#include "misc.h"
ANONYMOUS_NAMESPACE_BEGIN
using CryptoPP::byte;
using CryptoPP::IsPowerOf2;
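// Multiplies a CMAC subkey by x in GF(2^(8*len)), in place.
//
// k   - field element, most significant byte first (k[0] holds the top bit)
// len - size of k in bytes; the caller passes the cipher's block size
//
// The value is shifted left by one bit and, when a bit falls off the top,
// reduced by the low-order terms of the field polynomial for that size
// (0x87 for 128-bit blocks, 0x1b for 64-bit blocks).
//
// The reduction is applied through a mask rather than an `if (carry)` branch:
// k is derived from the key by the caller, so the carry bit is secret and the
// instruction stream should not depend on it. The remaining switch depends
// only on the block size, which is public.
void MulU(byte *k, unsigned int len)
{
    // Shift the whole buffer left by one bit, two bytes per iteration,
    // starting at the least significant byte k[len-1].
    byte carry = 0;
    for (int i=len-1; i>=1; i-=2)
    {
        byte carry2 = k[i] >> 7;
        k[i] += k[i] + carry;
        carry = k[i-1] >> 7;
        k[i-1] += k[i-1] + carry2;
    }

    // carry is 0 or 1 (the bit shifted out of k[0]); widen it to 0x00 or 0xFF.
    const byte mask = static_cast<byte>(0 - carry);

#ifndef CRYPTOPP_CMAC_WIDE_BLOCK_CIPHERS
    CRYPTOPP_ASSERT(len == 16);

    // CRYPTOPP_ASSERT is only active in debug builds, so the index is guarded
    // explicitly: without the guard, any other block size would still XOR
    // k[15], whatever the real length of the buffer is.
    // NOTE(review): for len != 16 no reduction is applied and the subkey is
    // not a valid CMAC subkey; the caller should reject such ciphers.
    if (len == 16)
        k[15] ^= static_cast<byte>(0x87 & mask);
#else
    CRYPTOPP_ASSERT(IsPowerOf2(len));
    CRYPTOPP_ASSERT(len >= 8);
    CRYPTOPP_ASSERT(len <= 128);

    switch (len)
    {
    case 8:
        // Polynomial x^64 + x^4 + x^3 + x + 1
        k[7] ^= static_cast<byte>(0x1b & mask);
        break;
    case 16:
        // Polynomial x^128 + x^7 + x^2 + x + 1
        k[15] ^= static_cast<byte>(0x87 & mask);
        break;
    case 32:
        // https://crypto.stackexchange.com/q/9815/10496
        // Polynomial x^256 + x^10 + x^5 + x^2 + 1
        k[30] ^= static_cast<byte>(4 & mask);
        k[31] ^= static_cast<byte>(0x25 & mask);
        break;
    case 64:
        // https://crypto.stackexchange.com/q/9815/10496
        // Polynomial x^512 + x^8 + x^5 + x^2 + 1
        k[62] ^= static_cast<byte>(1 & mask);
        k[63] ^= static_cast<byte>(0x25 & mask);
        break;
    case 128:
        // https://crypto.stackexchange.com/q/9815/10496
        // Polynomial x^1024 + x^19 + x^6 + x + 1
        k[125] ^= static_cast<byte>(8 & mask);
        k[126] ^= static_cast<byte>(0x00 & mask);
        k[127] ^= static_cast<byte>(0x43 & mask);
        break;
    default:
        // Unsupported block size: nothing is written, so no out-of-range
        // index is touched even when the asserts above are compiled out.
        CRYPTOPP_ASSERT(0);
    }
#endif  // CRYPTOPP_CMAC_WIDE_BLOCK_CIPHERS
}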
ANONYMOUS_NAMESPACE_END
NAMESPACE_BEGIN(CryptoPP)
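// Keys the underlying block cipher and derives the two CMAC subkeys.
//
// key, length, params - forwarded unchanged to the cipher's SetKey().
//
// m_reg is laid out as three consecutive blocks:
//   [0, blockSize)             running MAC state
//   [blockSize, 2*blockSize)   first subkey  (the encrypted block, doubled once)
//   [2*blockSize, 3*blockSize) second subkey (the first subkey, doubled again)
//
// The parameter list is restored to `&params`; the page rendering had turned
// the `&para` prefix into a pilcrow character.
void CMAC_Base::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params)
{
    BlockCipher &cipher = AccessCipher();
    cipher.SetKey(key, length, params);

    unsigned int blockSize = cipher.BlockSize();
    // The first block is encrypted below without being written first, so
    // CleanNew is relied on to hand back a zero-filled buffer.
    m_reg.CleanNew(3*blockSize);
    m_counter = 0;

    // Encrypt the (zero) state block into the first subkey slot.
    cipher.ProcessBlock(m_reg, m_reg+blockSize);

    // NOTE(review): blockSize reaches MulU unchecked, and MulU validates it
    // only through CRYPTOPP_ASSERT. A cipher whose block size MulU does not
    // support should be rejected here or in the caller - confirm where.
    MulU(m_reg+blockSize, blockSize);
    std::memcpy(m_reg+2*blockSize, m_reg+blockSize, blockSize);
    MulU(m_reg+2*blockSize, blockSize);
}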
// Absorbs `length` bytes of message into the running MAC state.
//
// input  - message bytes; may be null only when length is 0
// length - number of bytes at input
//
// Bytes are XORed into the state block at m_reg[0..blockSize) and the block is
// encrypted only once it is known that more data follows, so the final block
// of the message always stays buffered (m_counter > 0) for TruncatedFinal().
void CMAC_Base::Update(const byte *input, size_t length)
{
    // Either both a buffer and a length are supplied, or neither is.
    CRYPTOPP_ASSERT((input && length) || !(input || length));
    if (!length)
        return;

    BlockCipher &cipher = AccessCipher();
    unsigned int blockSize = cipher.BlockSize();

    // A previous call left a partly (or completely) filled block: top it up first.
    if (m_counter > 0)
    {
        const unsigned int len = UnsignedMin(blockSize - m_counter, length);
        if (len)
        {
            xorbuf(m_reg+m_counter, input, len);
            length -= len;
            input += len;
            m_counter += len;
        }

        // Encrypt the full block only if input remains; otherwise it may be
        // the last block and must wait for the subkey in TruncatedFinal().
        if (m_counter == blockSize && length > 0)
        {
            cipher.ProcessBlock(m_reg);
            m_counter = 0;
        }
    }

    // Bulk path. length-1 is passed so that at least one byte is always left
    // over; leftOver adds that byte back to whatever the cipher reports as
    // unprocessed.
    // NOTE(review): presumably the return value is smaller than blockSize, which
    // is what the assert in the tail branch below relies on - confirm.
    if (length > blockSize)
    {
        CRYPTOPP_ASSERT(m_counter == 0);
        size_t leftOver = 1 + cipher.AdvancedProcessBlocks(m_reg, input, m_reg, length-1, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
        input += (length - leftOver);
        length = leftOver;
    }

    // Buffer the tail by XORing it into the state block.
    if (length > 0)
    {
        // Debug-only bound check on the write below; it is the only check that
        // the tail fits in the state block.
        CRYPTOPP_ASSERT(m_counter + length <= blockSize);
        xorbuf(m_reg+m_counter, input, length);
        m_counter += (unsigned int)length;
    }

    CRYPTOPP_ASSERT(m_counter > 0);
}
// Finishes the MAC computation and writes the first `size` bytes of the tag.
//
// mac  - destination buffer; when null the tag is computed but not copied out
// size - number of tag bytes wanted; checked by ThrowIfInvalidTruncatedSize()
//
// Afterwards the byte counter and the state block are reset; the two subkey
// blocks that follow the state block in m_reg are left in place.
void CMAC_Base::TruncatedFinal(byte *mac, size_t size)
{
    ThrowIfInvalidTruncatedSize(size);

    BlockCipher &blockCipher = AccessCipher();
    const unsigned int bs = blockCipher.BlockSize();

    // An incomplete last block is padded with a single 0x80 byte and uses the
    // subkey stored at 2*bs; a complete one uses the subkey stored at bs.
    const bool incomplete = (m_counter < bs);
    if (incomplete)
        m_reg[m_counter] ^= 0x80;
    const unsigned int subkeyOffset = incomplete ? 2*bs : bs;

    blockCipher.AdvancedProcessBlocks(m_reg, m_reg+subkeyOffset, m_reg, bs,
        BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);

    // UBsan finding: memcpy must not be handed a null destination.
    if (mac)
    {
        std::memcpy(mac, m_reg, size);
    }

    // Reset the state block and counter for the next message.
    m_counter = 0;
    std::memset(m_reg, 0, bs);
}
NAMESPACE_END
#endif