2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * Implementation Notes
29 * ====================
31 * The combined CTR + CBC-MAC functions can only handle full blocks,
32 * so some buffering is necessary. Moreover, EAX has a special padding
33 * rule for CBC-MAC, which implies that we cannot compute the MAC over
34 * the last received full block until we know whether we are at the
35 * end of the data or not.
37 * - 'ptr' contains a value from 1 to 16, which is the number of bytes
38 * accumulated in buf[] that still needs to be processed with the
39 * current OMAC computation. Beware that this can go to 16: a
40 * complete block cannot be processed until it is known whether it
41 * is the last block or not. However, it can never be 0, because
42 * OMAC^t works on an input that is at least one-block long.
44 * - When processing the message itself, CTR encryption/decryption is
45 * also done at the same time. The first 'ptr' bytes of buf[] then
46 * contains the encrypted bytes, while the last '16 - ptr' bytes of
47 * buf[] are the remnants of the stream block, to be used against
48 * the next input bytes, when available.
50 * - The current counter and running CBC-MAC values are kept in 'ctr'
51 * and 'cbcmac', respectively.
53 * - The derived keys for padding are kept in L2 and L4 (double and
54 * quadruple of Enc_K(0^n), in GF(2^128), respectively).
58 * Start an OMAC computation; the first block is the big-endian
59 * representation of the provided value ('val' must fit on one byte).
60 * We make it a delayed block because it may also be the last one,
63 omac_start(br_eax_context *ctx, unsigned val)
65 memset(ctx->cbcmac, 0, sizeof ctx->cbcmac);
66 memset(ctx->buf, 0, sizeof ctx->buf);
72 * Double a value in finite field GF(2^128), defined with modulus
76 double_gf128(unsigned char *dst, const unsigned char *src)
81 cc = 0x87 & -((unsigned)src[0] >> 7);
82 for (i = 15; i >= 0; i --) {
85 z = (src[i] << 1) ^ cc;
87 dst[i] = (unsigned char)z;
92 * Apply padding to the last block, currently in ctx->buf (with
93 * ctx->ptr bytes), and finalize OMAC computation.
96 do_pad(br_eax_context *ctx)
105 ctx->buf[ptr ++] = 0x80;
106 memset(ctx->buf + ptr, 0x00, 16 - ptr);
109 for (u = 0; u < sizeof ctx->buf; u ++) {
110 ctx->buf[u] ^= pad[u];
112 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, ctx->buf, sizeof ctx->buf);
116 * Apply CBC-MAC on the provided data, with buffering management.
118 * Upon entry, two situations are acceptable:
120 * ctx->ptr == 0: there is no data to process in ctx->buf
121 * ctx->ptr == 16: there is a full block of unprocessed data in ctx->buf
123 * Upon exit, ctx->ptr may be zero only if it was already zero on entry,
124 * and len == 0. In all other situations, ctx->ptr will be non-zero on
125 * exit (and may have value 16).
128 do_cbcmac_chunk(br_eax_context *ctx, const void *data, size_t len)
135 ptr = len & (size_t)15;
142 if (ctx->ptr == 16) {
143 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
144 ctx->buf, sizeof ctx->buf);
146 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, data, len);
147 memcpy(ctx->buf, (const unsigned char *)data + len, ptr);
151 /* see bearssl_aead.h */
153 br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx)
155 unsigned char tmp[16], iv[16];
157 ctx->vtable = &br_eax_vtable;
161 * Encrypt a whole-zero block to compute L2 and L4.
163 memset(tmp, 0, sizeof tmp);
164 memset(iv, 0, sizeof iv);
165 (*bctx)->ctr(bctx, iv, tmp, sizeof tmp);
166 double_gf128(ctx->L2, tmp);
167 double_gf128(ctx->L4, ctx->L2);
170 /* see bearssl_aead.h */
172 br_eax_capture(const br_eax_context *ctx, br_eax_state *st)
175 * We capture the three OMAC* states _after_ processing the
176 * initial block (assuming that nonce, message and AAD are
181 memset(st->st, 0, sizeof st->st);
182 for (i = 0; i < 3; i ++) {
183 unsigned char tmp[16];
185 memset(tmp, 0, sizeof tmp);
186 tmp[15] = (unsigned char)i;
187 (*ctx->bctx)->mac(ctx->bctx, st->st[i], tmp, sizeof tmp);
191 /* see bearssl_aead.h */
193 br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len)
196 * Process nonce with OMAC^0.
199 do_cbcmac_chunk(ctx, nonce, len);
201 memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac);
204 * Start OMAC^1 for the AAD ("header" in the EAX specification).
209 * We use ctx->head[0] as temporary flag to mark that we are
210 * using a "normal" reset().
215 /* see bearssl_aead.h */
217 br_eax_reset_pre_aad(br_eax_context *ctx, const br_eax_state *st,
218 const void *nonce, size_t len)
223 memcpy(ctx->cbcmac, st->st[0], sizeof ctx->cbcmac);
225 do_cbcmac_chunk(ctx, nonce, len);
228 memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac);
230 memcpy(ctx->cbcmac, st->st[1], sizeof ctx->cbcmac);
233 memcpy(ctx->ctr, st->st[2], sizeof ctx->ctr);
236 * We use ctx->head[0] as a flag to indicate that we use a
237 * a recorded state, with ctx->ctr containing the preprocessed
238 * first block for OMAC^2.
243 /* see bearssl_aead.h */
245 br_eax_reset_post_aad(br_eax_context *ctx, const br_eax_state *st,
246 const void *nonce, size_t len)
251 memcpy(ctx->cbcmac, st->st[0], sizeof ctx->cbcmac);
253 do_cbcmac_chunk(ctx, nonce, len);
256 memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac);
257 memcpy(ctx->ctr, ctx->nonce, sizeof ctx->nonce);
259 memcpy(ctx->head, st->st[1], sizeof ctx->head);
261 memcpy(ctx->cbcmac, st->st[2], sizeof ctx->cbcmac);
265 /* see bearssl_aead.h */
267 br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len)
274 * If there is a partial block, first complete it.
281 memcpy(ctx->buf + ptr, data, len);
282 ctx->ptr = ptr + len;
285 memcpy(ctx->buf + ptr, data, clen);
286 data = (const unsigned char *)data + clen;
291 * We now have a full block in buf[], and this is not the last
294 do_cbcmac_chunk(ctx, data, len);
297 /* see bearssl_aead.h */
299 br_eax_flip(br_eax_context *ctx)
304 * ctx->head[0] may be non-zero if the context was reset with
305 * a pre-AAD captured state. In that case, ctx->ctr[] contains
306 * the state for OMAC^2 _after_ processing the first block.
308 from_capture = ctx->head[0];
311 * Complete the OMAC computation on the AAD.
314 memcpy(ctx->head, ctx->cbcmac, sizeof ctx->cbcmac);
317 * Start OMAC^2 for the encrypted data.
318 * If the context was initialized from a captured state, then
319 * the OMAC^2 value is in the ctr[] array.
322 memcpy(ctx->cbcmac, ctx->ctr, sizeof ctx->cbcmac);
329 * Initial counter value for CTR is the processed nonce.
331 memcpy(ctx->ctr, ctx->nonce, sizeof ctx->nonce);
334 /* see bearssl_aead.h */
336 br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len)
342 * Ensure that there is actual data to process.
352 * We may have ptr == 0 here if we initialized from a captured
353 * state. In that case, there is no partially consumed block
354 * or unprocessed data.
356 if (ptr != 0 && ptr != 16) {
358 * We have a partially consumed block.
367 for (u = 0; u < clen; u ++) {
368 ctx->buf[ptr + u] ^= dbuf[u];
370 memcpy(dbuf, ctx->buf + ptr, clen);
372 for (u = 0; u < clen; u ++) {
375 sx = ctx->buf[ptr + u];
377 ctx->buf[ptr + u] = dx;
383 ctx->ptr = ptr + clen;
391 * We now have a complete encrypted block in buf[] that must still
392 * be processed with OMAC, and this is not the final buf.
393 * Exception: when ptr == 0, no block has been produced yet.
396 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
397 ctx->buf, sizeof ctx->buf);
401 * Do CTR encryption or decryption and CBC-MAC for all full blocks
404 ptr = len & (size_t)15;
412 (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
415 (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
421 * Compute next block of CTR stream, and use it to finish
422 * encrypting or decrypting the data.
424 memset(ctx->buf, 0, sizeof ctx->buf);
425 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, ctx->buf, sizeof ctx->buf);
429 for (u = 0; u < ptr; u ++) {
430 ctx->buf[u] ^= dbuf[u];
432 memcpy(dbuf, ctx->buf, ptr);
436 for (u = 0; u < ptr; u ++) {
449 * Complete tag computation. The final tag is written in ctx->cbcmac.
452 do_final(br_eax_context *ctx)
459 * Authentication tag is the XOR of the three OMAC outputs for
460 * the nonce, AAD and encrypted data.
462 for (u = 0; u < 16; u ++) {
463 ctx->cbcmac[u] ^= ctx->nonce[u] ^ ctx->head[u];
467 /* see bearssl_aead.h */
469 br_eax_get_tag(br_eax_context *ctx, void *tag)
472 memcpy(tag, ctx->cbcmac, sizeof ctx->cbcmac);
475 /* see bearssl_aead.h */
477 br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len)
480 memcpy(tag, ctx->cbcmac, len);
483 /* see bearssl_aead.h */
485 br_eax_check_tag_trunc(br_eax_context *ctx, const void *tag, size_t len)
487 unsigned char tmp[16];
491 br_eax_get_tag(ctx, tmp);
493 for (u = 0; u < len; u ++) {
494 x |= tmp[u] ^ ((const unsigned char *)tag)[u];
499 /* see bearssl_aead.h */
501 br_eax_check_tag(br_eax_context *ctx, const void *tag)
503 return br_eax_check_tag_trunc(ctx, tag, 16);
506 /* see bearssl_aead.h */
507 const br_aead_class br_eax_vtable = {
509 (void (*)(const br_aead_class **, const void *, size_t))
511 (void (*)(const br_aead_class **, const void *, size_t))
513 (void (*)(const br_aead_class **))
515 (void (*)(const br_aead_class **, int, void *, size_t))
517 (void (*)(const br_aead_class **, void *))
519 (uint32_t (*)(const br_aead_class **, const void *))
521 (void (*)(const br_aead_class **, void *, size_t))
522 &br_eax_get_tag_trunc,
523 (uint32_t (*)(const br_aead_class **, const void *, size_t))
524 &br_eax_check_tag_trunc