diff options
Diffstat (limited to 'lib/std/crypto/cbc_mac.zig')
| -rw-r--r-- | lib/std/crypto/cbc_mac.zig | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/lib/std/crypto/cbc_mac.zig b/lib/std/crypto/cbc_mac.zig new file mode 100644 index 0000000000..a62f647f92 --- /dev/null +++ b/lib/std/crypto/cbc_mac.zig @@ -0,0 +1,152 @@ +const std = @import("std"); +const crypto = std.crypto; +const mem = std.mem; + +/// CBC-MAC with AES-128 - FIPS 113 https://csrc.nist.gov/publications/detail/fips/113/archive/1985-05-30 +pub const CbcMacAes128 = CbcMac(crypto.core.aes.Aes128); + +/// FIPS 113 (1985): Computer Data Authentication +/// https://csrc.nist.gov/publications/detail/fips/113/archive/1985-05-30 +/// +/// WARNING: CBC-MAC is insecure for variable-length messages without additional +/// protection. Only use when required by protocols like CCM that mitigate this. +pub fn CbcMac(comptime BlockCipher: type) type { + const BlockCipherCtx = @typeInfo(@TypeOf(BlockCipher.initEnc)).@"fn".return_type.?; + const Block = [BlockCipher.block.block_length]u8; + + return struct { + const Self = @This(); + pub const key_length = BlockCipher.key_bits / 8; + pub const block_length = BlockCipher.block.block_length; + pub const mac_length = block_length; + + cipher_ctx: BlockCipherCtx, + buf: Block = [_]u8{0} ** block_length, + pos: usize = 0, + + pub fn create(out: *[mac_length]u8, msg: []const u8, key: *const [key_length]u8) void { + var ctx = Self.init(key); + ctx.update(msg); + ctx.final(out); + } + + pub fn init(key: *const [key_length]u8) Self { + return Self{ + .cipher_ctx = BlockCipher.initEnc(key.*), + }; + } + + pub fn update(self: *Self, msg: []const u8) void { + const left = block_length - self.pos; + var m = msg; + + // Partial buffer exists from previous update. Complete the block. + if (m.len > left) { + for (self.buf[self.pos..], 0..) |*b, i| b.* ^= m[i]; + m = m[left..]; + self.cipher_ctx.encrypt(&self.buf, &self.buf); + self.pos = 0; + } + + // Full blocks. + while (m.len > block_length) { + for (self.buf[0..block_length], 0..) |*b, i| b.* ^= m[i]; + m = m[block_length..]; + self.cipher_ctx.encrypt(&self.buf, &self.buf); + self.pos = 0; + } + + // Copy any remainder for next pass. + if (m.len > 0) { + for (self.buf[self.pos..][0..m.len], 0..) |*b, i| b.* ^= m[i]; + self.pos += m.len; + } + } + + pub fn final(self: *Self, out: *[mac_length]u8) void { + // CBC-MAC: encrypt the current buffer state. + // Partial blocks are implicitly zero-padded: buf[pos..] contains zeros from initialization. + self.cipher_ctx.encrypt(out, &self.buf); + } + }; +} + +const testing = std.testing; + +test "CbcMacAes128 - Empty message" { + const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; + var msg: [0]u8 = undefined; + + // CBC-MAC of empty message = Encrypt(0) + const expected = [_]u8{ 0x7d, 0xf7, 0x6b, 0x0c, 0x1a, 0xb8, 0x99, 0xb3, 0x3e, 0x42, 0xf0, 0x47, 0xb9, 0x1b, 0x54, 0x6f }; + + var out: [CbcMacAes128.mac_length]u8 = undefined; + CbcMacAes128.create(&out, &msg, &key); + try testing.expectEqualSlices(u8, &out, &expected); +} + +test "CbcMacAes128 - Single block (16 bytes)" { + const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; + const msg = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a }; + + // CBC-MAC = Encrypt(msg XOR 0) + const expected = [_]u8{ 0x3a, 0xd7, 0x7b, 0xb4, 0x0d, 0x7a, 0x36, 0x60, 0xa8, 0x9e, 0xca, 0xf3, 0x24, 0x66, 0xef, 0x97 }; + + var out: [CbcMacAes128.mac_length]u8 = undefined; + CbcMacAes128.create(&out, &msg, &key); + try testing.expectEqualSlices(u8, &out, &expected); +} + +test "CbcMacAes128 - Multiple blocks (40 bytes)" { + const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; + const msg = [_]u8{ + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, + 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, + 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, + }; + + // CBC-MAC processes: block1 | block2 | block3 (last 8 bytes zero-padded) + const expected = [_]u8{ 0x07, 0xd1, 0x92, 0xe3, 0xe6, 0xf0, 0x99, 0xed, 0xcc, 0x39, 0xfd, 0xe6, 0xd0, 0x9c, 0x76, 0x2d }; + + var out: [CbcMacAes128.mac_length]u8 = undefined; + CbcMacAes128.create(&out, &msg, &key); + try testing.expectEqualSlices(u8, &out, &expected); +} + +test "CbcMacAes128 - Incremental update" { + const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; + const msg = [_]u8{ + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, + 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, + }; + + // Process in chunks + var ctx = CbcMacAes128.init(&key); + ctx.update(msg[0..10]); + ctx.update(msg[10..20]); + ctx.update(msg[20..]); + + var out1: [CbcMacAes128.mac_length]u8 = undefined; + ctx.final(&out1); + + // Compare with one-shot processing + var out2: [CbcMacAes128.mac_length]u8 = undefined; + CbcMacAes128.create(&out2, &msg, &key); + + try testing.expectEqualSlices(u8, &out1, &out2); +} + +test "CbcMacAes128 - Different from CMAC" { + // Verify that CBC-MAC and CMAC produce different outputs + const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; + const msg = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a }; + + var cbc_mac_out: [CbcMacAes128.mac_length]u8 = undefined; + CbcMacAes128.create(&cbc_mac_out, &msg, &key); + + // CMAC output for same input (from RFC 4493) + const cmac_out = [_]u8{ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c }; + + // They should be different + try testing.expect(!mem.eql(u8, &cbc_mac_out, &cmac_out)); +} |