xref: /aosp_15_r20/external/tink/cc/subtle/aes_cmac_boringssl.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2017 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #include "tink/subtle/aes_cmac_boringssl.h"
18 
19 #include <cstdint>
20 #include <memory>
21 #include <string>
22 #include <utility>
23 
24 #include "absl/memory/memory.h"
25 #include "absl/status/status.h"
26 #include "openssl/cmac.h"
27 #include "openssl/evp.h"
28 #include "tink/internal/aes_util.h"
29 #include "tink/internal/ssl_unique_ptr.h"
30 #include "tink/internal/util.h"
31 #include "tink/subtle/subtle_util.h"
32 #include "tink/util/errors.h"
33 #include "tink/util/status.h"
34 #include "tink/util/statusor.h"
35 
36 namespace crypto {
37 namespace tink {
38 namespace subtle {
39 // CMAC key sizes in bytes.
40 // The small key size is used only to check RFC 4493's test vectors due to
41 // the attack described in
42 // https://www.math.uwaterloo.ca/~ajmeneze/publications/tightness.pdf. We
43 // check this restriction in AesCmacManager.
44 static constexpr size_t kSmallKeySize = 16;
45 static constexpr size_t kBigKeySize = 32;
46 static constexpr size_t kMaxTagSize = 16;
47 
48 // static
New(util::SecretData key,uint32_t tag_size)49 util::StatusOr<std::unique_ptr<Mac>> AesCmacBoringSsl::New(util::SecretData key,
50                                                            uint32_t tag_size) {
51   auto status = internal::CheckFipsCompatibility<AesCmacBoringSsl>();
52   if (!status.ok()) return status;
53 
54   if (key.size() != kSmallKeySize && key.size() != kBigKeySize) {
55     return ToStatusF(absl::StatusCode::kInvalidArgument,
56                      "Invalid key size: expected %d or %d, found %d",
57                      kSmallKeySize, kBigKeySize, key.size());
58   }
59   if (tag_size > kMaxTagSize) {
60     return ToStatusF(absl::StatusCode::kInvalidArgument,
61                      "Invalid tag size: expected lower than %d, found %d",
62                      kMaxTagSize, tag_size);
63   }
64   return {absl::WrapUnique(new AesCmacBoringSsl(std::move(key), tag_size))};
65 }
66 
ComputeMac(absl::string_view data) const67 util::StatusOr<std::string> AesCmacBoringSsl::ComputeMac(
68     absl::string_view data) const {
69   // BoringSSL expects a non-null pointer for data,
70   // regardless of whether the size is 0.
71   data = internal::EnsureStringNonNull(data);
72 
73   std::string result;
74   ResizeStringUninitialized(&result, kMaxTagSize);
75   internal::SslUniquePtr<CMAC_CTX> context(CMAC_CTX_new());
76   util::StatusOr<const EVP_CIPHER*> cipher =
77       internal::GetAesCbcCipherForKeySize(key_.size());
78   if (!cipher.ok()) {
79     return cipher.status();
80   }
81   size_t len = 0;
82   const uint8_t* key_ptr = reinterpret_cast<const uint8_t*>(&key_[0]);
83   const uint8_t* data_ptr = reinterpret_cast<const uint8_t*>(data.data());
84   uint8_t* result_ptr = reinterpret_cast<uint8_t*>(&result[0]);
85   if (CMAC_Init(context.get(), key_ptr, key_.size(), *cipher, nullptr) <= 0 ||
86       CMAC_Update(context.get(), data_ptr, data.size()) <= 0 ||
87       CMAC_Final(context.get(), result_ptr, &len) == 0) {
88     return util::Status(absl::StatusCode::kInternal, "Failed to compute CMAC");
89   }
90 
91   result.resize(tag_size_);
92   return result;
93 }
94 
VerifyMac(absl::string_view mac,absl::string_view data) const95 util::Status AesCmacBoringSsl::VerifyMac(absl::string_view mac,
96                                          absl::string_view data) const {
97   if (mac.size() != tag_size_) {
98     return ToStatusF(absl::StatusCode::kInvalidArgument,
99                      "Incorrect tag size: expected %d, found %d", tag_size_,
100                      mac.size());
101   }
102   util::StatusOr<std::string> computed_mac = ComputeMac(data);
103   if (!computed_mac.ok()) return computed_mac.status();
104   if (CRYPTO_memcmp(computed_mac->data(), mac.data(), tag_size_) != 0) {
105     return util::Status(absl::StatusCode::kInvalidArgument,
106                         "CMAC verification failed");
107   }
108   return util::OkStatus();
109 }
110 
111 }  // namespace subtle
112 }  // namespace tink
113 }  // namespace crypto
114