2 AES-CMAC-128 (rfc 4493)
3 Copyright (C) Stefan Metzmacher 2012
4 Copyright (C) Jeremy Allison 2012
5 Copyright (C) Michael Adam 2012
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "../lib/crypto/crypto.h"
24 static const uint8_t const_Zero[] = {
25 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
26 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
29 static const uint8_t const_Rb[] = {
30 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
31 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87
34 #define _MSB(x) (((x)[0] & 0x80)?1:0)
36 static inline void aes_cmac_128_left_shift_1(const uint8_t in[AES_BLOCK_SIZE],
37 uint8_t out[AES_BLOCK_SIZE])
42 for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
47 overflow = _MSB(&in[i]);
51 static inline void aes_cmac_128_xor(const uint8_t in1[AES_BLOCK_SIZE],
52 const uint8_t in2[AES_BLOCK_SIZE],
53 uint8_t out[AES_BLOCK_SIZE])
57 for (i = 0; i < AES_BLOCK_SIZE; i++) {
58 out[i] = in1[i] ^ in2[i];
62 void aes_cmac_128_init(struct aes_cmac_128_context *ctx,
63 const uint8_t K[AES_BLOCK_SIZE])
65 uint8_t L[AES_BLOCK_SIZE];
69 AES_set_encrypt_key(K, 128, &ctx->aes_key);
71 /* step 1 - generate subkeys k1 and k2 */
73 AES_encrypt(const_Zero, L, &ctx->aes_key);
76 aes_cmac_128_left_shift_1(L, ctx->K1);
78 uint8_t tmp_block[AES_BLOCK_SIZE];
80 aes_cmac_128_left_shift_1(L, tmp_block);
81 aes_cmac_128_xor(tmp_block, const_Rb, ctx->K1);
82 ZERO_STRUCT(tmp_block);
85 if (_MSB(ctx->K1) == 0) {
86 aes_cmac_128_left_shift_1(ctx->K1, ctx->K2);
88 uint8_t tmp_block[AES_BLOCK_SIZE];
90 aes_cmac_128_left_shift_1(ctx->K1, tmp_block);
91 aes_cmac_128_xor(tmp_block, const_Rb, ctx->K2);
92 ZERO_STRUCT(tmp_block);
98 void aes_cmac_128_update(struct aes_cmac_128_context *ctx,
99 const uint8_t *_msg, size_t _msg_len)
101 uint8_t tmp_block[AES_BLOCK_SIZE];
102 uint8_t Y[AES_BLOCK_SIZE];
103 const uint8_t *msg = _msg;
104 size_t msg_len = _msg_len;
107 * copy the remembered last block
109 ZERO_STRUCT(tmp_block);
111 memcpy(tmp_block, ctx->last, ctx->last_len);
115 * check if we expand the block
117 if (ctx->last_len < AES_BLOCK_SIZE) {
118 size_t len = MIN(AES_BLOCK_SIZE - ctx->last_len, msg_len);
120 memcpy(&tmp_block[ctx->last_len], msg, len);
121 memcpy(ctx->last, tmp_block, AES_BLOCK_SIZE);
124 ctx->last_len += len;
128 /* if it is still the last block, we are done */
129 ZERO_STRUCT(tmp_block);
134 * It is not the last block anymore
136 ZERO_STRUCT(ctx->last);
140 * now checksum everything but the last block
142 aes_cmac_128_xor(ctx->X, tmp_block, Y);
143 AES_encrypt(Y, ctx->X, &ctx->aes_key);
145 while (msg_len > AES_BLOCK_SIZE) {
146 memcpy(tmp_block, msg, AES_BLOCK_SIZE);
147 msg += AES_BLOCK_SIZE;
148 msg_len -= AES_BLOCK_SIZE;
150 aes_cmac_128_xor(ctx->X, tmp_block, Y);
151 AES_encrypt(Y, ctx->X, &ctx->aes_key);
155 * copy the last block, it will be processed in
156 * aes_cmac_128_final().
158 memcpy(ctx->last, msg, msg_len);
159 ctx->last_len = msg_len;
161 ZERO_STRUCT(tmp_block);
165 void aes_cmac_128_final(struct aes_cmac_128_context *ctx,
166 uint8_t T[AES_BLOCK_SIZE])
168 uint8_t tmp_block[AES_BLOCK_SIZE];
169 uint8_t Y[AES_BLOCK_SIZE];
171 if (ctx->last_len < AES_BLOCK_SIZE) {
172 ctx->last[ctx->last_len] = 0x80;
173 aes_cmac_128_xor(ctx->last, ctx->K2, tmp_block);
175 aes_cmac_128_xor(ctx->last, ctx->K1, tmp_block);
178 aes_cmac_128_xor(tmp_block, ctx->X, Y);
179 AES_encrypt(Y, T, &ctx->aes_key);
181 ZERO_STRUCT(tmp_block);
git.samba.org / samba.git / blob