Commit be5b2eda authored by Niels Möller's avatar Niels Möller

Merge branch 'cmac-support'

parents 9a14e981 073fdc22
2018-02-20 Niels Möller <nisse@lysator.liu.se>
* testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly.
2018-02-19 Niels Möller <nisse@lysator.liu.se>
Mostly aesthetic changes. Besides indentation:
* cmac.h (struct cmac128): Rename, to cmac128_ctx.
(CMAC128_CTX): Rename first member from data to ctx.
* cmac.c: Use const void * as the type for cipher arguments.
(block_mulx): Un-inline.
(cmac128_set_key): Make a constant function local.
* testsuite/cmac-test.c: Delete local typedefs.
2018-02-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
Add support for CMAC.
* cmac.h: New file.
(struct cmac128): New struct.
* cmac.c (block_mulx, cmac128_set_key, cmac128_update)
(cmac128_digest): New file, new functions.
* cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update)
(cmac_aes128_digest): New file, new functions.
* cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update)
(cmac_aes256_digest): New file, new functions.
* Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c.
(HEADERS): Added cmac.h.
* testsuite/cmac-test.c: New tests.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c.
* examples/nettle-benchmark.c (time_cmac): New function.
(main): Use it.
* nettle.texinfo: Document CMAC.
2018-02-20 Niels Möller <nisse@lysator.liu.se>
* testsuite/cbc-test.c (test_cbc_bulk): Use struct
......
......@@ -100,6 +100,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
gcm-aes256.c gcm-aes256-meta.c \
gcm-camellia128.c gcm-camellia128-meta.c \
gcm-camellia256.c gcm-camellia256-meta.c \
cmac.c cmac-aes128.c cmac-aes256.c \
gosthash94.c gosthash94-meta.c \
hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \
hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \
......@@ -192,6 +193,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \
gcm.h gosthash94.h hmac.h \
knuth-lfib.h hkdf.h \
macros.h \
cmac.h \
md2.h md4.h \
md5.h md5-compat.h \
memops.h memxor.h \
......
/* cmac-aes128.c
CMAC using AES128 as the underlying cipher.
Copyright (C) 2017 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include "cmac.h"
void
cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key)
{
CMAC128_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key);
}
void
cmac_aes128_update (struct cmac_aes128_ctx *ctx,
size_t length, const uint8_t *data)
{
CMAC128_UPDATE (ctx, aes128_encrypt, length, data);
}
void
cmac_aes128_digest(struct cmac_aes128_ctx *ctx,
size_t length, uint8_t *digest)
{
CMAC128_DIGEST(ctx, aes128_encrypt, length, digest);
}
/* cmac-aes256.c
CMAC using AES256 as the underlying cipher.
Copyright (C) 2017 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include "cmac.h"
void
cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key)
{
CMAC128_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key);
}
void
cmac_aes256_update (struct cmac_aes256_ctx *ctx,
size_t length, const uint8_t *data)
{
CMAC128_UPDATE (ctx, aes256_encrypt, length, data);
}
void
cmac_aes256_digest(struct cmac_aes256_ctx *ctx,
size_t length, uint8_t *digest)
{
CMAC128_DIGEST(ctx, aes256_encrypt, length, digest);
}
/*
AES-CMAC-128 (rfc 4493)
Copyright (C) Stefan Metzmacher 2012
Copyright (C) Jeremy Allison 2012
Copyright (C) Michael Adam 2012
Copyright (C) 2017, Red Hat Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include "cmac.h"
#include "memxor.h"
#include "nettle-internal.h"
#include "macros.h"
/* shift one and XOR with 0x87. */
static void
block_mulx(union nettle_block16 *dst,
const union nettle_block16 *src)
{
uint64_t b1 = READ_UINT64(src->b);
uint64_t b2 = READ_UINT64(src->b+8);
b1 = (b1 << 1) | (b2 >> 63);
b2 <<= 1;
if (src->b[0] & 0x80)
b2 ^= 0x87;
WRITE_UINT64(dst->b, b1);
WRITE_UINT64(dst->b+8, b2);
}
void
cmac128_set_key(struct cmac128_ctx *ctx, const void *cipher,
nettle_cipher_func *encrypt)
{
static const uint8_t const_zero[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
union nettle_block16 *L = &ctx->block;
memset(ctx, 0, sizeof(*ctx));
/* step 1 - generate subkeys k1 and k2 */
encrypt(cipher, 16, L->b, const_zero);
block_mulx(&ctx->K1, L);
block_mulx(&ctx->K2, &ctx->K1);
}
#define MIN(x,y) ((x)<(y)?(x):(y))
void
cmac128_update(struct cmac128_ctx *ctx, const void *cipher,
nettle_cipher_func *encrypt,
size_t msg_len, const uint8_t *msg)
{
union nettle_block16 Y;
/*
* check if we expand the block
*/
if (ctx->index < 16)
{
size_t len = MIN(16 - ctx->index, msg_len);
memcpy(&ctx->block.b[ctx->index], msg, len);
msg += len;
msg_len -= len;
ctx->index += len;
}
if (msg_len == 0) {
/* if it is still the last block, we are done */
return;
}
/*
* now checksum everything but the last block
*/
memxor3(Y.b, ctx->X.b, ctx->block.b, 16);
encrypt(cipher, 16, ctx->X.b, Y.b);
while (msg_len > 16)
{
memxor3(Y.b, ctx->X.b, msg, 16);
encrypt(cipher, 16, ctx->X.b, Y.b);
msg += 16;
msg_len -= 16;
}
/*
* copy the last block, it will be processed in
* cmac128_digest().
*/
memcpy(ctx->block.b, msg, msg_len);
ctx->index = msg_len;
}
void
cmac128_digest(struct cmac128_ctx *ctx, const void *cipher,
nettle_cipher_func *encrypt,
unsigned length,
uint8_t *dst)
{
union nettle_block16 Y;
memset(ctx->block.b+ctx->index, 0, sizeof(ctx->block.b)-ctx->index);
/* re-use ctx->block for memxor output */
if (ctx->index < 16)
{
ctx->block.b[ctx->index] = 0x80;
memxor(ctx->block.b, ctx->K2.b, 16);
}
else
{
memxor(ctx->block.b, ctx->K1.b, 16);
}
memxor3(Y.b, ctx->block.b, ctx->X.b, 16);
assert(length <= 16);
if (length == 16)
{
encrypt(cipher, 16, dst, Y.b);
}
else
{
encrypt(cipher, 16, ctx->block.b, Y.b);
memcpy(dst, ctx->block.b, length);
}
/* reset state for re-use */
memset(&ctx->X, 0, sizeof(ctx->X));
ctx->index = 0;
}
/* cmac.h
CMAC mode, as specified in RFC4493
Copyright (C) 2017 Red Hat, Inc.
Contributed by Nikos Mavrogiannopoulos
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_CMAC_H_INCLUDED
#define NETTLE_CMAC_H_INCLUDED
#include "aes.h"
#include "nettle-types.h"
#ifdef __cplusplus
extern "C" {
#endif
#define CMAC128_DIGEST_SIZE 16
#define cmac128_set_key nettle_cmac128_set_key
#define cmac128_update nettle_cmac128_update
#define cmac128_digest nettle_cmac128_digest
#define cmac_aes128_set_key nettle_cmac_aes128_set_key
#define cmac_aes128_update nettle_cmac_aes128_update
#define cmac_aes128_digest nettle_cmac_aes128_digest
#define cmac_aes256_set_key nettle_cmac_aes256_set_key
#define cmac_aes256_update nettle_cmac_aes256_update
#define cmac_aes256_digest nettle_cmac_aes256_digest
struct cmac128_ctx
{
/* Key */
union nettle_block16 K1;
union nettle_block16 K2;
/* MAC state */
union nettle_block16 X;
/* Block buffer */
union nettle_block16 block;
size_t index;
};
void
cmac128_set_key(struct cmac128_ctx *ctx, const void *cipher,
nettle_cipher_func *encrypt);
void
cmac128_update(struct cmac128_ctx *ctx, const void *cipher,
nettle_cipher_func *encrypt,
size_t msg_len, const uint8_t *msg);
void
cmac128_digest(struct cmac128_ctx *ctx, const void *cipher,
nettle_cipher_func *encrypt,
unsigned length,
uint8_t *digest);
#define CMAC128_CTX(type) \
{ struct cmac128_ctx ctx; type cipher; }
/* NOTE: Avoid using NULL, as we don't include anything defining it. */
#define CMAC128_SET_KEY(self, set_key, encrypt, cmac_key) \
do { \
(set_key)(&(self)->cipher, (cmac_key)); \
if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \
(uint8_t *) 0, (const uint8_t *) 0); \
cmac128_set_key(&(self)->ctx, &(self)->cipher, \
(nettle_cipher_func *) (encrypt)); \
} while (0)
#define CMAC128_UPDATE(self, encrypt, length, src) \
cmac128_update(&(self)->ctx, &(self)->cipher, \
(nettle_cipher_func *)encrypt, (length), (src))
#define CMAC128_DIGEST(self, encrypt, length, digest) \
(0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \
(uint8_t *) 0, (const uint8_t *) 0) \
: cmac128_digest(&(self)->ctx, &(self)->cipher, \
(nettle_cipher_func *) (encrypt), \
(length), (digest)))
struct cmac_aes128_ctx CMAC128_CTX(struct aes128_ctx);
void
cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key);
void
cmac_aes128_update(struct cmac_aes128_ctx *ctx,
size_t length, const uint8_t *data);
void
cmac_aes128_digest(struct cmac_aes128_ctx *ctx,
size_t length, uint8_t *digest);
struct cmac_aes256_ctx CMAC128_CTX(struct aes256_ctx);
void
cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key);
void
cmac_aes256_update(struct cmac_aes256_ctx *ctx,
size_t length, const uint8_t *data);
void
cmac_aes256_digest(struct cmac_aes256_ctx *ctx,
size_t length, uint8_t *digest);
#ifdef __cplusplus
}
#endif
#endif /* CMAC_H_INCLUDED */
......@@ -64,6 +64,7 @@
#include "sha3.h"
#include "twofish.h"
#include "umac.h"
#include "cmac.h"
#include "poly1305.h"
#include "nettle-meta.h"
......@@ -403,7 +404,7 @@ time_umac(void)
struct umac64_ctx ctx64;
struct umac96_ctx ctx96;
struct umac128_ctx ctx128;
uint8_t key[16];
umac32_set_key (&ctx32, key);
......@@ -439,6 +440,24 @@ time_umac(void)
time_function(bench_hash, &info));
}
static void
time_cmac(void)
{
static uint8_t data[BENCH_BLOCK];
struct bench_hash_info info;
struct cmac_aes128_ctx ctx;
uint8_t key[16];
cmac_aes128_set_key (&ctx, key);
info.ctx = &ctx;
info.update = (nettle_hash_update_func *) cmac_aes128_update;
info.data = data;
display("cmac-aes128", "update", AES_BLOCK_SIZE,
time_function(bench_hash, &info));
}
static void
time_poly1305_aes(void)
{
......@@ -849,6 +868,9 @@ main(int argc, char **argv)
if (!alg || strstr ("umac", alg))
time_umac();
if (!alg || strstr ("cmac", alg))
time_cmac();
if (!alg || strstr ("poly1305-aes", alg))
time_poly1305_aes();
......
......@@ -101,6 +101,7 @@ Keyed Hash Functions
* HMAC::
* UMAC::
* CMAC::
Public-key algorithms
......@@ -271,6 +272,9 @@ The implementation of the TWOFISH cipher is written by Ruud de Rooij.
@item UMAC
Written by @value{AUTHOR}.
@item CMAC
Written by Nikos Mavrogiannopoulos, @value{AUTHOR}, Jeremy Allison, Michael Adam and Stefan Metzmacher.
@item RSA
Written by @value{AUTHOR}. Uses the GMP library for bignum operations.
......@@ -3159,6 +3163,7 @@ as well.
@menu
* HMAC::
* UMAC::
* CMAC::
* Poly1305::
@end menu
......@@ -3501,7 +3506,60 @@ as described above, the new value is used unless you call the
@code{_set_nonce} function explicitly for each message.
@end deftypefun
@node Poly1305,, UMAC, Keyed hash functions
@node CMAC,, UMAC, Keyed hash functions
@subsection @acronym{CMAC}
@cindex CMAC
@acronym{CMAC} is a message authentication code based on CBC encryption
mode. It is suitable for systems where block ciphers are preferrable
and perform better than hash functions. @acronym{CMAC} is specified in
@cite{RFC4493}. The block size is always 128 bits (16 octets).
Nettle provides helper functions for @acronym{CMAC } with
the @acronym{AES} block cipher.
Nettle defines @acronym{CMAC} in @file{<nettle/cmac.h>}.
@deftp {Context struct} {struct cmac128_ctx}
@end deftp
@defvr Constant CMAC128_DIGEST_SIZE
The size of an CMAC digest, 16.
@end defvr
@deftypefun void cmac_aes128_set_key (struct cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key})
This function initializes the @acronym{CMAC} context struct for AES-128.
@end deftypefun
@deftypefun void cmac_aes128_update (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
This function is called zero or more times to process the message.
@end deftypefun
@deftypefun void cmac_aes128_digest (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Extracts the @acronym{MAC} of the message, writing it to @var{digest}.
@var{length} is usually equal to the specified output size, but if you
provide a smaller value, only the first @var{length} octets of the
@acronym{MAC} are written. This function resets the context for
processing of a new message with the same key.
@end deftypefun
@deftypefun void cmac_aes256_set_key (struct cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key})
This function initializes the @acronym{CMAC} context struct for AES-256.
@end deftypefun
@deftypefun void cmac_aes256_update (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
This function is called zero or more times to process the message.
@end deftypefun
@deftypefun void cmac_aes256_digest (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Extracts the @acronym{MAC} of the message, writing it to @var{digest}.
@var{length} is usually equal to the specified output size, but if you
provide a smaller value, only the first @var{length} octets of the
@acronym{MAC} are written. This function resets the context for
processing of a new message with the same key.
@end deftypefun
@node Poly1305,, CMAC, Keyed hash functions
@comment node-name, next, previous, up
@subsection Poly1305
......
......@@ -130,6 +130,9 @@ eax-test$(EXEEXT): eax-test.$(OBJEXT)
ccm-test$(EXEEXT): ccm-test.$(OBJEXT)
$(LINK) ccm-test.$(OBJEXT) $(TEST_OBJS) -o ccm-test$(EXEEXT)
cmac-test$(EXEEXT): cmac-test.$(OBJEXT)
$(LINK) cmac-test.$(OBJEXT) $(TEST_OBJS) -o cmac-test$(EXEEXT)
poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT)
$(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT)
......
......@@ -26,6 +26,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
serpent-test.c twofish-test.c version-test.c \
knuth-lfib-test.c \
cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \
cmac-test.c \
poly1305-test.c chacha-poly1305-test.c \
hmac-test.c umac-test.c \
meta-hash-test.c meta-cipher-test.c\
......
#include "testutils.h"
#include "nettle-internal.h"
#include "cmac.h"
#define test_cmac_aes128(key, msg, ref) \
test_cmac_hash ((nettle_set_key_func*) cmac_aes128_set_key, \
(nettle_hash_update_func*) cmac_aes128_update, \
(nettle_hash_digest_func*) cmac_aes128_digest, \
sizeof(struct cmac_aes128_ctx), \
key, msg, ref)
#define test_cmac_aes256(key, msg, ref) \
test_cmac_hash ((nettle_set_key_func*) cmac_aes256_set_key, \
(nettle_hash_update_func*) cmac_aes256_update, \
(nettle_hash_digest_func*) cmac_aes256_digest, \
sizeof(struct cmac_aes256_ctx), \
key, msg, ref)
static void
test_cmac_hash (nettle_set_key_func *set_key,
nettle_hash_update_func *update,
nettle_hash_digest_func *digest, size_t ctx_size,
const struct tstring *key, const struct tstring *msg,
const struct tstring *ref)
{
void *ctx;
uint8_t hash[16];
unsigned i;