1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8 */
9
10 /*
11 * References:
12 *
13 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
14 * CMAC Mode for Authentication
15 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
16 *
17 * - RFC 4493 - The AES-CMAC Algorithm
18 * https://tools.ietf.org/html/rfc4493
19 *
20 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
21 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
22 * Algorithm for the Internet Key Exchange Protocol (IKE)
23 * https://tools.ietf.org/html/rfc4615
24 *
25 * Additional test vectors: ISO/IEC 9797-1
26 *
27 */
28
29 #include "common.h"
30
31 #if defined(MBEDTLS_CMAC_C)
32
33 #include "mbedtls/cmac.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 #include "mbedtls/platform.h"
37 #include "constant_time_internal.h"
38
39 #include <string.h>
40
41 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
42
43 /*
44 * Multiplication by u in the Galois field of GF(2^n)
45 *
46 * As explained in NIST SP 800-38B, this can be computed:
47 *
48 * If MSB(p) = 0, then p = (p << 1)
49 * If MSB(p) = 1, then p = (p << 1) ^ R_n
50 * with R_64 = 0x1B and R_128 = 0x87
51 *
52 * Input and output MUST NOT point to the same buffer
53 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
54 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)55 static int cmac_multiply_by_u(unsigned char *output,
56 const unsigned char *input,
57 size_t blocksize)
58 {
59 const unsigned char R_128 = 0x87;
60 unsigned char R_n;
61 uint32_t overflow = 0x00;
62 int i;
63
64 if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
65 R_n = R_128;
66 }
67 #if defined(MBEDTLS_DES_C)
68 else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
69 const unsigned char R_64 = 0x1B;
70 R_n = R_64;
71 }
72 #endif
73 else {
74 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
75 }
76
77 for (i = (int) blocksize - 4; i >= 0; i -= 4) {
78 uint32_t i32 = MBEDTLS_GET_UINT32_BE(&input[i], 0);
79 uint32_t new_overflow = i32 >> 31;
80 i32 = (i32 << 1) | overflow;
81 MBEDTLS_PUT_UINT32_BE(i32, &output[i], 0);
82 overflow = new_overflow;
83 }
84
85 R_n = (unsigned char) mbedtls_ct_uint_if_else_0(mbedtls_ct_bool(input[0] >> 7), R_n);
86 output[blocksize - 1] ^= R_n;
87
88 return 0;
89 }
90
91 /*
92 * Generate subkeys
93 *
94 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
95 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)96 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
97 unsigned char *K1, unsigned char *K2)
98 {
99 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
100 unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
101 size_t olen, block_size;
102
103 mbedtls_platform_zeroize(L, sizeof(L));
104
105 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
106
107 /* Calculate Ek(0) */
108 if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
109 goto exit;
110 }
111
112 /*
113 * Generate K1 and K2
114 */
115 if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
116 goto exit;
117 }
118
119 if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
120 goto exit;
121 }
122
123 exit:
124 mbedtls_platform_zeroize(L, sizeof(L));
125
126 return ret;
127 }
128 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
129
130 #if !defined(MBEDTLS_CMAC_ALT)
131
132 /*
133 * Create padded last block from (partial) last block.
134 *
135 * We can't use the padding option from the cipher layer, as it only works for
136 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
137 */
cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)138 static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
139 size_t padded_block_len,
140 const unsigned char *last_block,
141 size_t last_block_len)
142 {
143 size_t j;
144
145 for (j = 0; j < padded_block_len; j++) {
146 if (j < last_block_len) {
147 padded_block[j] = last_block[j];
148 } else if (j == last_block_len) {
149 padded_block[j] = 0x80;
150 } else {
151 padded_block[j] = 0x00;
152 }
153 }
154 }
155
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)156 int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
157 const unsigned char *key, size_t keybits)
158 {
159 mbedtls_cipher_type_t type;
160 mbedtls_cmac_context_t *cmac_ctx;
161 int retval;
162
163 if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
164 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
165 }
166
167 if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
168 MBEDTLS_ENCRYPT)) != 0) {
169 return retval;
170 }
171
172 type = mbedtls_cipher_info_get_type(ctx->cipher_info);
173
174 switch (type) {
175 case MBEDTLS_CIPHER_AES_128_ECB:
176 case MBEDTLS_CIPHER_AES_192_ECB:
177 case MBEDTLS_CIPHER_AES_256_ECB:
178 case MBEDTLS_CIPHER_DES_EDE3_ECB:
179 break;
180 default:
181 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
182 }
183
184 /* Allocated and initialise in the cipher context memory for the CMAC
185 * context */
186 cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
187 if (cmac_ctx == NULL) {
188 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
189 }
190
191 ctx->cmac_ctx = cmac_ctx;
192
193 mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
194
195 return 0;
196 }
197
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)198 int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
199 const unsigned char *input, size_t ilen)
200 {
201 mbedtls_cmac_context_t *cmac_ctx;
202 unsigned char *state;
203 int ret = 0;
204 size_t n, j, olen, block_size;
205
206 if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
207 ctx->cmac_ctx == NULL) {
208 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
209 }
210
211 cmac_ctx = ctx->cmac_ctx;
212 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
213 state = ctx->cmac_ctx->state;
214
215 /* Without the MBEDTLS_ASSUME below, gcc -O3 will generate a warning of the form
216 * error: writing 16 bytes into a region of size 0 [-Werror=stringop-overflow=] */
217 MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE);
218
219 /* Is there data still to process from the last call, that's greater in
220 * size than a block? */
221 if (cmac_ctx->unprocessed_len > 0 &&
222 ilen > block_size - cmac_ctx->unprocessed_len) {
223 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
224 input,
225 block_size - cmac_ctx->unprocessed_len);
226
227 mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
228
229 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
230 &olen)) != 0) {
231 goto exit;
232 }
233
234 input += block_size - cmac_ctx->unprocessed_len;
235 ilen -= block_size - cmac_ctx->unprocessed_len;
236 cmac_ctx->unprocessed_len = 0;
237 }
238
239 /* n is the number of blocks including any final partial block */
240 n = (ilen + block_size - 1) / block_size;
241
242 /* Iterate across the input data in block sized chunks, excluding any
243 * final partial or complete block */
244 for (j = 1; j < n; j++) {
245 mbedtls_xor_no_simd(state, input, state, block_size);
246
247 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
248 &olen)) != 0) {
249 goto exit;
250 }
251
252 ilen -= block_size;
253 input += block_size;
254 }
255
256 /* If there is data left over that wasn't aligned to a block */
257 if (ilen > 0) {
258 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
259 input,
260 ilen);
261 cmac_ctx->unprocessed_len += ilen;
262 }
263
264 exit:
265 return ret;
266 }
267
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)268 int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
269 unsigned char *output)
270 {
271 mbedtls_cmac_context_t *cmac_ctx;
272 unsigned char *state, *last_block;
273 unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
274 unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
275 unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
276 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
277 size_t olen, block_size;
278
279 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
280 output == NULL) {
281 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
282 }
283
284 cmac_ctx = ctx->cmac_ctx;
285 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
286 MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); // silence GCC warning
287 state = cmac_ctx->state;
288
289 mbedtls_platform_zeroize(K1, sizeof(K1));
290 mbedtls_platform_zeroize(K2, sizeof(K2));
291 cmac_generate_subkeys(ctx, K1, K2);
292
293 last_block = cmac_ctx->unprocessed_block;
294
295 /* Calculate last block */
296 if (cmac_ctx->unprocessed_len < block_size) {
297 cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
298 mbedtls_xor(M_last, M_last, K2, block_size);
299 } else {
300 /* Last block is complete block */
301 mbedtls_xor(M_last, last_block, K1, block_size);
302 }
303
304
305 mbedtls_xor(state, M_last, state, block_size);
306 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
307 &olen)) != 0) {
308 goto exit;
309 }
310
311 memcpy(output, state, block_size);
312
313 exit:
314 /* Wipe the generated keys on the stack, and any other transients to avoid
315 * side channel leakage */
316 mbedtls_platform_zeroize(K1, sizeof(K1));
317 mbedtls_platform_zeroize(K2, sizeof(K2));
318
319 cmac_ctx->unprocessed_len = 0;
320 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
321 sizeof(cmac_ctx->unprocessed_block));
322
323 mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
324 return ret;
325 }
326
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)327 int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
328 {
329 mbedtls_cmac_context_t *cmac_ctx;
330
331 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
332 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
333 }
334
335 cmac_ctx = ctx->cmac_ctx;
336
337 /* Reset the internal state */
338 cmac_ctx->unprocessed_len = 0;
339 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
340 sizeof(cmac_ctx->unprocessed_block));
341 mbedtls_platform_zeroize(cmac_ctx->state,
342 sizeof(cmac_ctx->state));
343
344 return 0;
345 }
346
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)347 int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
348 const unsigned char *key, size_t keylen,
349 const unsigned char *input, size_t ilen,
350 unsigned char *output)
351 {
352 mbedtls_cipher_context_t ctx;
353 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
354
355 if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
356 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
357 }
358
359 mbedtls_cipher_init(&ctx);
360
361 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
362 goto exit;
363 }
364
365 ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
366 if (ret != 0) {
367 goto exit;
368 }
369
370 ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
371 if (ret != 0) {
372 goto exit;
373 }
374
375 ret = mbedtls_cipher_cmac_finish(&ctx, output);
376
377 exit:
378 mbedtls_cipher_free(&ctx);
379
380 return ret;
381 }
382
383 #if defined(MBEDTLS_AES_C)
384 /*
385 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
386 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])387 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
388 const unsigned char *input, size_t in_len,
389 unsigned char output[16])
390 {
391 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
392 const mbedtls_cipher_info_t *cipher_info;
393 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
394 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
395
396 if (key == NULL || input == NULL || output == NULL) {
397 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
398 }
399
400 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
401 if (cipher_info == NULL) {
402 /* Failing at this point must be due to a build issue */
403 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
404 goto exit;
405 }
406
407 if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
408 /* Use key as is */
409 memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
410 } else {
411 memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
412
413 ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
414 key_length, int_key);
415 if (ret != 0) {
416 goto exit;
417 }
418 }
419
420 ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
421 output);
422
423 exit:
424 mbedtls_platform_zeroize(int_key, sizeof(int_key));
425
426 return ret;
427 }
428 #endif /* MBEDTLS_AES_C */
429
430 #endif /* !MBEDTLS_CMAC_ALT */
431
432 #if defined(MBEDTLS_SELF_TEST)
433 /*
434 * CMAC test data for SP800-38B
435 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
436 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
437 *
438 * AES-CMAC-PRF-128 test data from RFC 4615
439 * https://tools.ietf.org/html/rfc4615#page-4
440 */
441
442 #define NB_CMAC_TESTS_PER_KEY 4
443 #define NB_PRF_TESTS 3
444
445 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
446 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
447 static const unsigned char test_message[] = {
448 /* PT */
449 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
450 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
451 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
452 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
453 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
454 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
455 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
456 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
457 };
458 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
459
460 #if defined(MBEDTLS_AES_C)
461 /* Truncation point of message for AES CMAC tests */
462 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
463 /* Mlen */
464 0,
465 16,
466 20,
467 64
468 };
469
470 /* CMAC-AES128 Test Data */
471 static const unsigned char aes_128_key[16] = {
472 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
473 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
474 };
475 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
476 {
477 /* K1 */
478 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
479 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
480 },
481 {
482 /* K2 */
483 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
484 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
485 }
486 };
487 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
488 {
489 {
490 /* Example #1 */
491 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
492 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
493 },
494 {
495 /* Example #2 */
496 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
497 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
498 },
499 {
500 /* Example #3 */
501 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
502 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
503 },
504 {
505 /* Example #4 */
506 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
507 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
508 }
509 };
510
511 /* CMAC-AES192 Test Data */
512 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
513 static const unsigned char aes_192_key[24] = {
514 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
515 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
516 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
517 };
518 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
519 {
520 /* K1 */
521 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
522 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
523 },
524 {
525 /* K2 */
526 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
527 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
528 }
529 };
530 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
531 {
532 {
533 /* Example #1 */
534 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
535 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
536 },
537 {
538 /* Example #2 */
539 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
540 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
541 },
542 {
543 /* Example #3 */
544 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
545 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
546 },
547 {
548 /* Example #4 */
549 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
550 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
551 }
552 };
553 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
554
555 /* CMAC-AES256 Test Data */
556 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
557 static const unsigned char aes_256_key[32] = {
558 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
559 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
560 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
561 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
562 };
563 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
564 {
565 /* K1 */
566 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
567 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
568 },
569 {
570 /* K2 */
571 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
572 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
573 }
574 };
575 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
576 {
577 {
578 /* Example #1 */
579 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
580 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
581 },
582 {
583 /* Example #2 */
584 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
585 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
586 },
587 {
588 /* Example #3 */
589 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
590 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
591 },
592 {
593 /* Example #4 */
594 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
595 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
596 }
597 };
598 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
599 #endif /* MBEDTLS_AES_C */
600
601 #if defined(MBEDTLS_DES_C)
602 /* Truncation point of message for 3DES CMAC tests */
603 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
604 0,
605 16,
606 20,
607 32
608 };
609
610 /* CMAC-TDES (Generation) - 2 Key Test Data */
611 static const unsigned char des3_2key_key[24] = {
612 /* Key1 */
613 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
614 /* Key2 */
615 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
616 /* Key3 */
617 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
618 };
619 static const unsigned char des3_2key_subkeys[2][8] = {
620 {
621 /* K1 */
622 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
623 },
624 {
625 /* K2 */
626 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
627 }
628 };
629 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
630 = {
631 {
632 /* Sample #1 */
633 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
634 },
635 {
636 /* Sample #2 */
637 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
638 },
639 {
640 /* Sample #3 */
641 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
642 },
643 {
644 /* Sample #4 */
645 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
646 }
647 };
648
649 /* CMAC-TDES (Generation) - 3 Key Test Data */
650 static const unsigned char des3_3key_key[24] = {
651 /* Key1 */
652 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
653 /* Key2 */
654 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
655 /* Key3 */
656 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
657 };
658 static const unsigned char des3_3key_subkeys[2][8] = {
659 {
660 /* K1 */
661 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
662 },
663 {
664 /* K2 */
665 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
666 }
667 };
668 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
669 = {
670 {
671 /* Sample #1 */
672 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
673 },
674 {
675 /* Sample #2 */
676 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
677 },
678 {
679 /* Sample #3 */
680 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
681 },
682 {
683 /* Sample #4 */
684 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
685 }
686 };
687
688 #endif /* MBEDTLS_DES_C */
689
690 #if defined(MBEDTLS_AES_C)
691 /* AES AES-CMAC-PRF-128 Test Data */
692 static const unsigned char PRFK[] = {
693 /* Key */
694 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
695 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
696 0xed, 0xcb
697 };
698
699 /* Sizes in bytes */
700 static const size_t PRFKlen[NB_PRF_TESTS] = {
701 18,
702 16,
703 10
704 };
705
706 /* Message */
707 static const unsigned char PRFM[] = {
708 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
709 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
710 0x10, 0x11, 0x12, 0x13
711 };
712
713 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
714 {
715 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
716 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
717 },
718 {
719 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
720 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
721 },
722 {
723 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
724 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
725 }
726 };
727 #endif /* MBEDTLS_AES_C */
728
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)729 static int cmac_test_subkeys(int verbose,
730 const char *testname,
731 const unsigned char *key,
732 int keybits,
733 const unsigned char *subkeys,
734 mbedtls_cipher_type_t cipher_type,
735 int block_size,
736 int num_tests)
737 {
738 int i, ret = 0;
739 mbedtls_cipher_context_t ctx;
740 const mbedtls_cipher_info_t *cipher_info;
741 unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
742 unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
743
744 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
745 if (cipher_info == NULL) {
746 /* Failing at this point must be due to a build issue */
747 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
748 }
749
750 for (i = 0; i < num_tests; i++) {
751 if (verbose != 0) {
752 mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
753 }
754
755 mbedtls_cipher_init(&ctx);
756
757 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
758 if (verbose != 0) {
759 mbedtls_printf("test execution failed\n");
760 }
761
762 goto cleanup;
763 }
764
765 if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
766 MBEDTLS_ENCRYPT)) != 0) {
767 /* When CMAC is implemented by an alternative implementation, or
768 * the underlying primitive itself is implemented alternatively,
769 * AES-192 may be unavailable. This should not cause the selftest
770 * function to fail. */
771 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
772 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
773 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
774 if (verbose != 0) {
775 mbedtls_printf("skipped\n");
776 }
777 goto next_test;
778 }
779
780 if (verbose != 0) {
781 mbedtls_printf("test execution failed\n");
782 }
783
784 goto cleanup;
785 }
786
787 ret = cmac_generate_subkeys(&ctx, K1, K2);
788 if (ret != 0) {
789 if (verbose != 0) {
790 mbedtls_printf("failed\n");
791 }
792
793 goto cleanup;
794 }
795
796 if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
797 (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
798 if (verbose != 0) {
799 mbedtls_printf("failed\n");
800 }
801
802 goto cleanup;
803 }
804
805 if (verbose != 0) {
806 mbedtls_printf("passed\n");
807 }
808
809 next_test:
810 mbedtls_cipher_free(&ctx);
811 }
812
813 ret = 0;
814 goto exit;
815
816 cleanup:
817 mbedtls_cipher_free(&ctx);
818
819 exit:
820 return ret;
821 }
822
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)823 static int cmac_test_wth_cipher(int verbose,
824 const char *testname,
825 const unsigned char *key,
826 int keybits,
827 const unsigned char *messages,
828 const unsigned int message_lengths[4],
829 const unsigned char *expected_result,
830 mbedtls_cipher_type_t cipher_type,
831 int block_size,
832 int num_tests)
833 {
834 const mbedtls_cipher_info_t *cipher_info;
835 int i, ret = 0;
836 unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
837
838 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
839 if (cipher_info == NULL) {
840 /* Failing at this point must be due to a build issue */
841 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
842 goto exit;
843 }
844
845 for (i = 0; i < num_tests; i++) {
846 if (verbose != 0) {
847 mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
848 }
849
850 if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
851 message_lengths[i], output)) != 0) {
852 /* When CMAC is implemented by an alternative implementation, or
853 * the underlying primitive itself is implemented alternatively,
854 * AES-192 and/or 3DES may be unavailable. This should not cause
855 * the selftest function to fail. */
856 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
857 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
858 (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
859 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
860 if (verbose != 0) {
861 mbedtls_printf("skipped\n");
862 }
863 continue;
864 }
865
866 if (verbose != 0) {
867 mbedtls_printf("failed\n");
868 }
869 goto exit;
870 }
871
872 if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
873 if (verbose != 0) {
874 mbedtls_printf("failed\n");
875 }
876 goto exit;
877 }
878
879 if (verbose != 0) {
880 mbedtls_printf("passed\n");
881 }
882 }
883 ret = 0;
884
885 exit:
886 return ret;
887 }
888
889 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)890 static int test_aes128_cmac_prf(int verbose)
891 {
892 int i;
893 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
894 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
895
896 for (i = 0; i < NB_PRF_TESTS; i++) {
897 mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
898 ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
899 if (ret != 0 ||
900 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
901
902 if (verbose != 0) {
903 mbedtls_printf("failed\n");
904 }
905
906 return ret;
907 } else if (verbose != 0) {
908 mbedtls_printf("passed\n");
909 }
910 }
911 return ret;
912 }
913 #endif /* MBEDTLS_AES_C */
914
mbedtls_cmac_self_test(int verbose)915 int mbedtls_cmac_self_test(int verbose)
916 {
917 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
918
919 #if defined(MBEDTLS_AES_C)
920 /* AES-128 */
921 if ((ret = cmac_test_subkeys(verbose,
922 "AES 128",
923 aes_128_key,
924 128,
925 (const unsigned char *) aes_128_subkeys,
926 MBEDTLS_CIPHER_AES_128_ECB,
927 MBEDTLS_AES_BLOCK_SIZE,
928 NB_CMAC_TESTS_PER_KEY)) != 0) {
929 return ret;
930 }
931
932 if ((ret = cmac_test_wth_cipher(verbose,
933 "AES 128",
934 aes_128_key,
935 128,
936 test_message,
937 aes_message_lengths,
938 (const unsigned char *) aes_128_expected_result,
939 MBEDTLS_CIPHER_AES_128_ECB,
940 MBEDTLS_AES_BLOCK_SIZE,
941 NB_CMAC_TESTS_PER_KEY)) != 0) {
942 return ret;
943 }
944
945 /* AES-192 */
946 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
947 if ((ret = cmac_test_subkeys(verbose,
948 "AES 192",
949 aes_192_key,
950 192,
951 (const unsigned char *) aes_192_subkeys,
952 MBEDTLS_CIPHER_AES_192_ECB,
953 MBEDTLS_AES_BLOCK_SIZE,
954 NB_CMAC_TESTS_PER_KEY)) != 0) {
955 return ret;
956 }
957
958 if ((ret = cmac_test_wth_cipher(verbose,
959 "AES 192",
960 aes_192_key,
961 192,
962 test_message,
963 aes_message_lengths,
964 (const unsigned char *) aes_192_expected_result,
965 MBEDTLS_CIPHER_AES_192_ECB,
966 MBEDTLS_AES_BLOCK_SIZE,
967 NB_CMAC_TESTS_PER_KEY)) != 0) {
968 return ret;
969 }
970 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
971
972 /* AES-256 */
973 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
974 if ((ret = cmac_test_subkeys(verbose,
975 "AES 256",
976 aes_256_key,
977 256,
978 (const unsigned char *) aes_256_subkeys,
979 MBEDTLS_CIPHER_AES_256_ECB,
980 MBEDTLS_AES_BLOCK_SIZE,
981 NB_CMAC_TESTS_PER_KEY)) != 0) {
982 return ret;
983 }
984
985 if ((ret = cmac_test_wth_cipher(verbose,
986 "AES 256",
987 aes_256_key,
988 256,
989 test_message,
990 aes_message_lengths,
991 (const unsigned char *) aes_256_expected_result,
992 MBEDTLS_CIPHER_AES_256_ECB,
993 MBEDTLS_AES_BLOCK_SIZE,
994 NB_CMAC_TESTS_PER_KEY)) != 0) {
995 return ret;
996 }
997 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
998 #endif /* MBEDTLS_AES_C */
999
1000 #if defined(MBEDTLS_DES_C)
1001 /* 3DES 2 key */
1002 if ((ret = cmac_test_subkeys(verbose,
1003 "3DES 2 key",
1004 des3_2key_key,
1005 192,
1006 (const unsigned char *) des3_2key_subkeys,
1007 MBEDTLS_CIPHER_DES_EDE3_ECB,
1008 MBEDTLS_DES3_BLOCK_SIZE,
1009 NB_CMAC_TESTS_PER_KEY)) != 0) {
1010 return ret;
1011 }
1012
1013 if ((ret = cmac_test_wth_cipher(verbose,
1014 "3DES 2 key",
1015 des3_2key_key,
1016 192,
1017 test_message,
1018 des3_message_lengths,
1019 (const unsigned char *) des3_2key_expected_result,
1020 MBEDTLS_CIPHER_DES_EDE3_ECB,
1021 MBEDTLS_DES3_BLOCK_SIZE,
1022 NB_CMAC_TESTS_PER_KEY)) != 0) {
1023 return ret;
1024 }
1025
1026 /* 3DES 3 key */
1027 if ((ret = cmac_test_subkeys(verbose,
1028 "3DES 3 key",
1029 des3_3key_key,
1030 192,
1031 (const unsigned char *) des3_3key_subkeys,
1032 MBEDTLS_CIPHER_DES_EDE3_ECB,
1033 MBEDTLS_DES3_BLOCK_SIZE,
1034 NB_CMAC_TESTS_PER_KEY)) != 0) {
1035 return ret;
1036 }
1037
1038 if ((ret = cmac_test_wth_cipher(verbose,
1039 "3DES 3 key",
1040 des3_3key_key,
1041 192,
1042 test_message,
1043 des3_message_lengths,
1044 (const unsigned char *) des3_3key_expected_result,
1045 MBEDTLS_CIPHER_DES_EDE3_ECB,
1046 MBEDTLS_DES3_BLOCK_SIZE,
1047 NB_CMAC_TESTS_PER_KEY)) != 0) {
1048 return ret;
1049 }
1050 #endif /* MBEDTLS_DES_C */
1051
1052 #if defined(MBEDTLS_AES_C)
1053 if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
1054 return ret;
1055 }
1056 #endif /* MBEDTLS_AES_C */
1057
1058 if (verbose != 0) {
1059 mbedtls_printf("\n");
1060 }
1061
1062 return 0;
1063 }
1064
1065 #endif /* MBEDTLS_SELF_TEST */
1066
1067 #endif /* MBEDTLS_CMAC_C */
1068
