mirror of
https://github.com/ziglang/zig.git
synced 2025-12-06 06:13:07 +00:00
2f3234c76a
* std.crypto: add AES-CCM and CBC-MAC Add AES-CCM (Counter with CBC-MAC) authenticated encryption and CBC-MAC message authentication code implementations to the standard library. AES-CCM combines CTR mode encryption with CBC-MAC authentication as specified in NIST SP 800-38C and RFC 3610. It provides authenticated encryption with support for additional authenticated data (AAD). CBC-MAC is a simple MAC construction used internally by CCM, specified in FIPS 113 and ISO/IEC 9797-1. Includes comprehensive test vectors from RFC 3610 and NIST SP 800-38C. * std.crypto: add CCM* (encryption-only) support to AES-CCM Implements CCM* mode per IEEE 802.15.4 specification, extending AES-CCM to support encryption-only mode when tag_len=0. This is required by protocols like ZigBee, Thread, and WirelessHART. Changes: - Allow tag_len=0 for encryption-only mode (no authentication) - Skip CBC-MAC computation when tag_len=0 in encrypt/decrypt - Correctly encode M'=0 in B0 block for CCM* mode - Add Aes128Ccm0 and Aes256Ccm0 convenience instances - Add IEEE 802.15.4 test vectors and CCM* tests * std.crypto: add doc comments for AES-CCM variants
153 lines
6.1 KiB
Zig
153 lines
6.1 KiB
Zig
const std = @import("std");
|
|
const crypto = std.crypto;
|
|
const mem = std.mem;
|
|
|
|
/// CBC-MAC with AES-128 - FIPS 113 https://csrc.nist.gov/publications/detail/fips/113/archive/1985-05-30
|
|
pub const CbcMacAes128 = CbcMac(crypto.core.aes.Aes128);
|
|
|
|
/// FIPS 113 (1985): Computer Data Authentication
|
|
/// https://csrc.nist.gov/publications/detail/fips/113/archive/1985-05-30
|
|
///
|
|
/// WARNING: CBC-MAC is insecure for variable-length messages without additional
|
|
/// protection. Only use when required by protocols like CCM that mitigate this.
|
|
pub fn CbcMac(comptime BlockCipher: type) type {
|
|
const BlockCipherCtx = @typeInfo(@TypeOf(BlockCipher.initEnc)).@"fn".return_type.?;
|
|
const Block = [BlockCipher.block.block_length]u8;
|
|
|
|
return struct {
|
|
const Self = @This();
|
|
pub const key_length = BlockCipher.key_bits / 8;
|
|
pub const block_length = BlockCipher.block.block_length;
|
|
pub const mac_length = block_length;
|
|
|
|
cipher_ctx: BlockCipherCtx,
|
|
buf: Block = [_]u8{0} ** block_length,
|
|
pos: usize = 0,
|
|
|
|
pub fn create(out: *[mac_length]u8, msg: []const u8, key: *const [key_length]u8) void {
|
|
var ctx = Self.init(key);
|
|
ctx.update(msg);
|
|
ctx.final(out);
|
|
}
|
|
|
|
pub fn init(key: *const [key_length]u8) Self {
|
|
return Self{
|
|
.cipher_ctx = BlockCipher.initEnc(key.*),
|
|
};
|
|
}
|
|
|
|
pub fn update(self: *Self, msg: []const u8) void {
|
|
const left = block_length - self.pos;
|
|
var m = msg;
|
|
|
|
// Partial buffer exists from previous update. Complete the block.
|
|
if (m.len > left) {
|
|
for (self.buf[self.pos..], 0..) |*b, i| b.* ^= m[i];
|
|
m = m[left..];
|
|
self.cipher_ctx.encrypt(&self.buf, &self.buf);
|
|
self.pos = 0;
|
|
}
|
|
|
|
// Full blocks.
|
|
while (m.len > block_length) {
|
|
for (self.buf[0..block_length], 0..) |*b, i| b.* ^= m[i];
|
|
m = m[block_length..];
|
|
self.cipher_ctx.encrypt(&self.buf, &self.buf);
|
|
self.pos = 0;
|
|
}
|
|
|
|
// Copy any remainder for next pass.
|
|
if (m.len > 0) {
|
|
for (self.buf[self.pos..][0..m.len], 0..) |*b, i| b.* ^= m[i];
|
|
self.pos += m.len;
|
|
}
|
|
}
|
|
|
|
pub fn final(self: *Self, out: *[mac_length]u8) void {
|
|
// CBC-MAC: encrypt the current buffer state.
|
|
// Partial blocks are implicitly zero-padded: buf[pos..] contains zeros from initialization.
|
|
self.cipher_ctx.encrypt(out, &self.buf);
|
|
}
|
|
};
|
|
}
|
|
|
|
const testing = std.testing;
|
|
|
|
test "CbcMacAes128 - Empty message" {
|
|
const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
|
|
var msg: [0]u8 = undefined;
|
|
|
|
// CBC-MAC of empty message = Encrypt(0)
|
|
const expected = [_]u8{ 0x7d, 0xf7, 0x6b, 0x0c, 0x1a, 0xb8, 0x99, 0xb3, 0x3e, 0x42, 0xf0, 0x47, 0xb9, 0x1b, 0x54, 0x6f };
|
|
|
|
var out: [CbcMacAes128.mac_length]u8 = undefined;
|
|
CbcMacAes128.create(&out, &msg, &key);
|
|
try testing.expectEqualSlices(u8, &out, &expected);
|
|
}
|
|
|
|
test "CbcMacAes128 - Single block (16 bytes)" {
|
|
const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
|
|
const msg = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a };
|
|
|
|
// CBC-MAC = Encrypt(msg XOR 0)
|
|
const expected = [_]u8{ 0x3a, 0xd7, 0x7b, 0xb4, 0x0d, 0x7a, 0x36, 0x60, 0xa8, 0x9e, 0xca, 0xf3, 0x24, 0x66, 0xef, 0x97 };
|
|
|
|
var out: [CbcMacAes128.mac_length]u8 = undefined;
|
|
CbcMacAes128.create(&out, &msg, &key);
|
|
try testing.expectEqualSlices(u8, &out, &expected);
|
|
}
|
|
|
|
test "CbcMacAes128 - Multiple blocks (40 bytes)" {
|
|
const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
|
|
const msg = [_]u8{
|
|
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
|
|
0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
|
|
0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
|
|
};
|
|
|
|
// CBC-MAC processes: block1 | block2 | block3 (last 8 bytes zero-padded)
|
|
const expected = [_]u8{ 0x07, 0xd1, 0x92, 0xe3, 0xe6, 0xf0, 0x99, 0xed, 0xcc, 0x39, 0xfd, 0xe6, 0xd0, 0x9c, 0x76, 0x2d };
|
|
|
|
var out: [CbcMacAes128.mac_length]u8 = undefined;
|
|
CbcMacAes128.create(&out, &msg, &key);
|
|
try testing.expectEqualSlices(u8, &out, &expected);
|
|
}
|
|
|
|
test "CbcMacAes128 - Incremental update" {
|
|
const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
|
|
const msg = [_]u8{
|
|
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
|
|
0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
|
|
};
|
|
|
|
// Process in chunks
|
|
var ctx = CbcMacAes128.init(&key);
|
|
ctx.update(msg[0..10]);
|
|
ctx.update(msg[10..20]);
|
|
ctx.update(msg[20..]);
|
|
|
|
var out1: [CbcMacAes128.mac_length]u8 = undefined;
|
|
ctx.final(&out1);
|
|
|
|
// Compare with one-shot processing
|
|
var out2: [CbcMacAes128.mac_length]u8 = undefined;
|
|
CbcMacAes128.create(&out2, &msg, &key);
|
|
|
|
try testing.expectEqualSlices(u8, &out1, &out2);
|
|
}
|
|
|
|
test "CbcMacAes128 - Different from CMAC" {
|
|
// Verify that CBC-MAC and CMAC produce different outputs
|
|
const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
|
|
const msg = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a };
|
|
|
|
var cbc_mac_out: [CbcMacAes128.mac_length]u8 = undefined;
|
|
CbcMacAes128.create(&cbc_mac_out, &msg, &key);
|
|
|
|
// CMAC output for same input (from RFC 4493)
|
|
const cmac_out = [_]u8{ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c };
|
|
|
|
// They should be different
|
|
try testing.expect(!mem.eql(u8, &cbc_mac_out, &cmac_out));
|
|
}
|