package org.bouncycastle.crypto.macs;
/*
* This is a modified version of Bouncycastles Bcrypt,
* that allows block sizes > 128.
* This class was modified for Peafactory, but the
* modification may become a part of Bouncycastle later.
*/
import org.bouncycastle.crypto.BlockCipher;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.Mac;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.ISO7816d4Padding;
import org.bouncycastle.crypto.params.KeyParameter;
/**
* CMAC - as specified at www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html
* <p>
* CMAC is analogous to OMAC1 - see also en.wikipedia.org/wiki/CMAC
* </p><p>
* CMAC is a NIST recomendation - see
* csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf
* </p><p>
* CMAC/OMAC1 is a blockcipher-based message authentication code designed and
* analyzed by Tetsu Iwata and Kaoru Kurosawa.
* </p><p>
* CMAC/OMAC1 is a simple variant of the CBC MAC (Cipher Block Chaining Message
* Authentication Code). OMAC stands for One-Key CBC MAC.
* </p><p>
* It supports 128- or 64-bits block ciphers, with any key size, and returns
* a MAC with dimension less or equal to the block size of the underlying
* cipher.
* </p>
*/
public class CMac implements Mac
{
private static final byte CONSTANT_64 = (byte)0x1b;
private static final byte CONSTANT_128 = (byte)0x87;
//========================================================
//=================== this was modified: =================
// for constants see http://www.hpl.hp.com/techreports/98/HPL-98-135.pdf
private static final byte CONSTANT_160 = (byte)0x2d;//Rijndael(160)
private static final byte CONSTANT_192 = (byte)0x87;//Rijndael(192)
private static final byte CONSTANT_224a = (byte)0x3;//Rijndael(224)
private static final byte CONSTANT_224b = (byte)0x9;
private static final byte CONSTANT_256a = (byte)0x4;//Threefish, Shacal-2, Rijndael(256)
private static final byte CONSTANT_256b = (byte)0x425;
private static final byte CONSTANT_512a = (byte)0x1;//Threefish(512)
private static final byte CONSTANT_512b = (byte)0x25;
private static final byte CONSTANT_1024a = (byte)0x8;//Threefish(1024)
private static final byte CONSTANT_1024b = (byte)0x0;
private static final byte CONSTANT_1024c = (byte)0x43;
private byte[] ZEROES;
private byte[] mac;
private byte[] buf;
private int bufOff;
private BlockCipher cipher;
private int macSize;
private byte[] L, Lu, Lu2;
/**
* create a standard MAC based on a CBC block cipher (64 or 128 bit block).
* This will produce an authentication code the length of the block size
* of the cipher.
*
* @param cipher the cipher to be used as the basis of the MAC generation.
*/
public CMac(BlockCipher cipher)
{
this(cipher, cipher.getBlockSize() * 8);
}
/**
* create a standard MAC based on a block cipher with the size of the
* MAC been given in bits.
* <p>
* Note: the size of the MAC must be at least 24 bits (FIPS Publication 81),
* or 16 bits if being used as a data authenticator (FIPS Publication 113),
* and in general should be less than the size of the block cipher as it reduces
* the chance of an exhaustive attack (see Handbook of Applied Cryptography).
*
* @param cipher the cipher to be used as the basis of the MAC generation.
* @param macSizeInBits the size of the MAC in bits, must be a multiple of 8 and <= 128.
*/
public CMac(BlockCipher cipher, int macSizeInBits)
{
if ((macSizeInBits % 8) != 0)
{
throw new IllegalArgumentException("MAC size must be multiple of 8");
}
if (macSizeInBits > (cipher.getBlockSize() * 8))
{
throw new IllegalArgumentException(
"MAC size must be less or equal to "
+ (cipher.getBlockSize() * 8));
}
//========================================================
//=================== this was modified: =================
int blockSize = cipher.getBlockSize();
if (blockSize != 8 && blockSize != 16
&& blockSize != 20 && blockSize != 24
&& blockSize != 28 && blockSize != 32
&& blockSize != 64 && blockSize != 128)
{
throw new IllegalArgumentException(
"Block size must be 64, 128, 160, 192, 224, 256, 512 or 1024 bits");
}
this.cipher = new CBCBlockCipher(cipher);
this.macSize = macSizeInBits / 8;
mac = new byte[cipher.getBlockSize()];
buf = new byte[cipher.getBlockSize()];
ZEROES = new byte[cipher.getBlockSize()];
bufOff = 0;
}
public String getAlgorithmName()
{
return cipher.getAlgorithmName();
}
private static int shiftLeft(byte[] block, byte[] output)
{
int i = block.length;
int bit = 0;
while (--i >= 0)
{
int b = block[i] & 0xff;
output[i] = (byte)((b << 1) | bit);
bit = (b >>> 7) & 1;
}
return bit;
}
//========================================================
//=================== this was modified: =================
private static byte[] doubleLu(byte[] in)
{
byte[] ret = new byte[in.length];
int carry = shiftLeft(in, ret);
int xor = 0;
switch(in.length)
{
case 8:
{
/*
* NOTE: This construction is an attempt at a constant-time implementation.
*/
xor = 0xff & CONSTANT_64;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
// not constant-time:
// if(carry != 0) ret[in.length - 1] ^= CONSTANT_64;
}
case 16:
{
xor = 0xff & CONSTANT_128;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
case 20:
{
xor = 0xff & CONSTANT_160;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
case 24:
{
xor = 0xff & CONSTANT_192;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
case 28:
{
xor = 0xff & CONSTANT_224a;
ret[in.length - 2] ^= (xor >>> ((1 - carry) << 3));
xor = 0xff & CONSTANT_224b;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
case 32:
{
xor = 0xff & CONSTANT_256a;
ret[in.length - 2] ^= (xor >>> ((1 - carry) << 3));
xor = 0xff & CONSTANT_256b;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
case 64:
{
xor = 0xff & CONSTANT_512a;
ret[in.length - 2] ^= (xor >>> ((1 - carry) << 3));
xor = 0xff & CONSTANT_512b;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
case 128:
{
xor = 0xff & CONSTANT_1024a;
ret[in.length - 3] ^= (xor >>> ((1 - carry) << 3));
xor = 0xff & CONSTANT_1024b;
ret[in.length - 2] ^= (xor >>> ((1 - carry) << 3));
xor = 0xff & CONSTANT_1024c;
ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
break;
}
default: // this was checked before...
{
throw new IllegalArgumentException("Invalid block size.");
}
}
return ret;
}
public void init(CipherParameters params)
{
validate(params);
cipher.init(true, params);
//initializes the L, Lu, Lu2 numbers
L = new byte[ZEROES.length];
cipher.processBlock(ZEROES, 0, L, 0);
Lu = doubleLu(L);
Lu2 = doubleLu(Lu);
reset();
}
void validate(CipherParameters params)
{
if (params != null)
{
if (!(params instanceof KeyParameter))
{
// CMAC mode does not permit IV to underlying CBC mode
throw new IllegalArgumentException("CMac mode only permits key to be set.");
}
}
}
public int getMacSize()
{
return macSize;
}
public void update(byte in)
{
if (bufOff == buf.length)
{
cipher.processBlock(buf, 0, mac, 0);
bufOff = 0;
}
buf[bufOff++] = in;
}
public void update(byte[] in, int inOff, int len)
{
if (len < 0)
{
throw new IllegalArgumentException(
"Can't have a negative input length!");
}
int blockSize = cipher.getBlockSize();
int gapLen = blockSize - bufOff;
if (len > gapLen)
{
System.arraycopy(in, inOff, buf, bufOff, gapLen);
cipher.processBlock(buf, 0, mac, 0);
bufOff = 0;
len -= gapLen;
inOff += gapLen;
while (len > blockSize)
{
cipher.processBlock(in, inOff, mac, 0);
len -= blockSize;
inOff += blockSize;
}
}
System.arraycopy(in, inOff, buf, bufOff, len);
bufOff += len;
}
public int doFinal(byte[] out, int outOff)
{
int blockSize = cipher.getBlockSize();
byte[] lu;
if (bufOff == blockSize)
{
lu = Lu;
}
else
{
new ISO7816d4Padding().addPadding(buf, bufOff);
lu = Lu2;
}
for (int i = 0; i < mac.length; i++)
{
buf[i] ^= lu[i];
}
cipher.processBlock(buf, 0, mac, 0);
System.arraycopy(mac, 0, out, outOff, macSize);
reset();
return macSize;
}
/**
* Reset the mac generator.
*/
public void reset()
{
/*
* clean the buffer.
*/
for (int i = 0; i < buf.length; i++)
{
buf[i] = 0;
}
bufOff = 0;
/*
* reset the underlying cipher.
*/
cipher.reset();
}
}