1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22 /*
23 * References:
24 *
25 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
26 * CMAC Mode for Authentication
27 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
28 *
29 * - RFC 4493 - The AES-CMAC Algorithm
30 * https://tools.ietf.org/html/rfc4493
31 *
32 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
33 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
34 * Algorithm for the Internet Key Exchange Protocol (IKE)
35 * https://tools.ietf.org/html/rfc4615
36 *
37 * Additional test vectors: ISO/IEC 9797-1
38 *
39 */
40
41 #include "common.h"
42
43 #if defined(MBEDTLS_CMAC_C)
44
45 #include "mbedtls/cmac.h"
46 #include "mbedtls/platform_util.h"
47 #include "mbedtls/error.h"
48 #include "mbedtls/platform.h"
49
50 #include <string.h>
51
52 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
53
54 /*
55 * Multiplication by u in the Galois field of GF(2^n)
56 *
57 * As explained in NIST SP 800-38B, this can be computed:
58 *
59 * If MSB(p) = 0, then p = (p << 1)
60 * If MSB(p) = 1, then p = (p << 1) ^ R_n
61 * with R_64 = 0x1B and R_128 = 0x87
62 *
63 * Input and output MUST NOT point to the same buffer
64 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
65 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)66 static int cmac_multiply_by_u(unsigned char *output,
67 const unsigned char *input,
68 size_t blocksize)
69 {
70 const unsigned char R_128 = 0x87;
71 const unsigned char R_64 = 0x1B;
72 unsigned char R_n, mask;
73 unsigned char overflow = 0x00;
74 int i;
75
76 if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
77 R_n = R_128;
78 } else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
79 R_n = R_64;
80 } else {
81 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
82 }
83
84 for (i = (int) blocksize - 1; i >= 0; i--) {
85 output[i] = input[i] << 1 | overflow;
86 overflow = input[i] >> 7;
87 }
88
89 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
90 * using bit operations to avoid branches */
91
92 /* MSVC has a warning about unary minus on unsigned, but this is
93 * well-defined and precisely what we want to do here */
94 #if defined(_MSC_VER)
95 #pragma warning( push )
96 #pragma warning( disable : 4146 )
97 #endif
98 mask = -(input[0] >> 7);
99 #if defined(_MSC_VER)
100 #pragma warning( pop )
101 #endif
102
103 output[blocksize - 1] ^= R_n & mask;
104
105 return 0;
106 }
107
108 /*
109 * Generate subkeys
110 *
111 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
112 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)113 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
114 unsigned char *K1, unsigned char *K2)
115 {
116 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
117 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
118 size_t olen, block_size;
119
120 mbedtls_platform_zeroize(L, sizeof(L));
121
122 block_size = ctx->cipher_info->block_size;
123
124 /* Calculate Ek(0) */
125 if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
126 goto exit;
127 }
128
129 /*
130 * Generate K1 and K2
131 */
132 if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
133 goto exit;
134 }
135
136 if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
137 goto exit;
138 }
139
140 exit:
141 mbedtls_platform_zeroize(L, sizeof(L));
142
143 return ret;
144 }
145 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
146
147 #if !defined(MBEDTLS_CMAC_ALT)
148
149 /*
150 * Create padded last block from (partial) last block.
151 *
152 * We can't use the padding option from the cipher layer, as it only works for
153 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
154 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)155 static void cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
156 size_t padded_block_len,
157 const unsigned char *last_block,
158 size_t last_block_len)
159 {
160 size_t j;
161
162 for (j = 0; j < padded_block_len; j++) {
163 if (j < last_block_len) {
164 padded_block[j] = last_block[j];
165 } else if (j == last_block_len) {
166 padded_block[j] = 0x80;
167 } else {
168 padded_block[j] = 0x00;
169 }
170 }
171 }
172
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)173 int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
174 const unsigned char *key, size_t keybits)
175 {
176 mbedtls_cipher_type_t type;
177 mbedtls_cmac_context_t *cmac_ctx;
178 int retval;
179
180 if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
181 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
182 }
183
184 if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
185 MBEDTLS_ENCRYPT)) != 0) {
186 return retval;
187 }
188
189 type = ctx->cipher_info->type;
190
191 switch (type) {
192 case MBEDTLS_CIPHER_AES_128_ECB:
193 case MBEDTLS_CIPHER_AES_192_ECB:
194 case MBEDTLS_CIPHER_AES_256_ECB:
195 case MBEDTLS_CIPHER_DES_EDE3_ECB:
196 break;
197 default:
198 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
199 }
200
201 /* Allocated and initialise in the cipher context memory for the CMAC
202 * context */
203 cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
204 if (cmac_ctx == NULL) {
205 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
206 }
207
208 ctx->cmac_ctx = cmac_ctx;
209
210 mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
211
212 return 0;
213 }
214
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)215 int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
216 const unsigned char *input, size_t ilen)
217 {
218 mbedtls_cmac_context_t *cmac_ctx;
219 unsigned char *state;
220 int ret = 0;
221 size_t n, j, olen, block_size;
222
223 if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
224 ctx->cmac_ctx == NULL) {
225 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
226 }
227
228 cmac_ctx = ctx->cmac_ctx;
229 block_size = ctx->cipher_info->block_size;
230 state = ctx->cmac_ctx->state;
231
232 /* Is there data still to process from the last call, that's greater in
233 * size than a block? */
234 if (cmac_ctx->unprocessed_len > 0 &&
235 ilen > block_size - cmac_ctx->unprocessed_len) {
236 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
237 input,
238 block_size - cmac_ctx->unprocessed_len);
239
240 mbedtls_xor(state, cmac_ctx->unprocessed_block, state, block_size);
241
242 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
243 &olen)) != 0) {
244 goto exit;
245 }
246
247 input += block_size - cmac_ctx->unprocessed_len;
248 ilen -= block_size - cmac_ctx->unprocessed_len;
249 cmac_ctx->unprocessed_len = 0;
250 }
251
252 /* n is the number of blocks including any final partial block */
253 n = (ilen + block_size - 1) / block_size;
254
255 /* Iterate across the input data in block sized chunks, excluding any
256 * final partial or complete block */
257 for (j = 1; j < n; j++) {
258 mbedtls_xor(state, input, state, block_size);
259
260 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
261 &olen)) != 0) {
262 goto exit;
263 }
264
265 ilen -= block_size;
266 input += block_size;
267 }
268
269 /* If there is data left over that wasn't aligned to a block */
270 if (ilen > 0) {
271 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
272 input,
273 ilen);
274 cmac_ctx->unprocessed_len += ilen;
275 }
276
277 exit:
278 return ret;
279 }
280
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)281 int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
282 unsigned char *output)
283 {
284 mbedtls_cmac_context_t *cmac_ctx;
285 unsigned char *state, *last_block;
286 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
287 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
288 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
289 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
290 size_t olen, block_size;
291
292 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
293 output == NULL) {
294 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
295 }
296
297 cmac_ctx = ctx->cmac_ctx;
298 block_size = ctx->cipher_info->block_size;
299 state = cmac_ctx->state;
300
301 mbedtls_platform_zeroize(K1, sizeof(K1));
302 mbedtls_platform_zeroize(K2, sizeof(K2));
303 cmac_generate_subkeys(ctx, K1, K2);
304
305 last_block = cmac_ctx->unprocessed_block;
306
307 /* Calculate last block */
308 if (cmac_ctx->unprocessed_len < block_size) {
309 cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
310 mbedtls_xor(M_last, M_last, K2, block_size);
311 } else {
312 /* Last block is complete block */
313 mbedtls_xor(M_last, last_block, K1, block_size);
314 }
315
316
317 mbedtls_xor(state, M_last, state, block_size);
318 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
319 &olen)) != 0) {
320 goto exit;
321 }
322
323 memcpy(output, state, block_size);
324
325 exit:
326 /* Wipe the generated keys on the stack, and any other transients to avoid
327 * side channel leakage */
328 mbedtls_platform_zeroize(K1, sizeof(K1));
329 mbedtls_platform_zeroize(K2, sizeof(K2));
330
331 cmac_ctx->unprocessed_len = 0;
332 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
333 sizeof(cmac_ctx->unprocessed_block));
334
335 mbedtls_platform_zeroize(state, MBEDTLS_CIPHER_BLKSIZE_MAX);
336 return ret;
337 }
338
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)339 int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
340 {
341 mbedtls_cmac_context_t *cmac_ctx;
342
343 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
344 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
345 }
346
347 cmac_ctx = ctx->cmac_ctx;
348
349 /* Reset the internal state */
350 cmac_ctx->unprocessed_len = 0;
351 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
352 sizeof(cmac_ctx->unprocessed_block));
353 mbedtls_platform_zeroize(cmac_ctx->state,
354 sizeof(cmac_ctx->state));
355
356 return 0;
357 }
358
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)359 int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
360 const unsigned char *key, size_t keylen,
361 const unsigned char *input, size_t ilen,
362 unsigned char *output)
363 {
364 mbedtls_cipher_context_t ctx;
365 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
366
367 if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
368 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
369 }
370
371 mbedtls_cipher_init(&ctx);
372
373 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
374 goto exit;
375 }
376
377 ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
378 if (ret != 0) {
379 goto exit;
380 }
381
382 ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
383 if (ret != 0) {
384 goto exit;
385 }
386
387 ret = mbedtls_cipher_cmac_finish(&ctx, output);
388
389 exit:
390 mbedtls_cipher_free(&ctx);
391
392 return ret;
393 }
394
395 #if defined(MBEDTLS_AES_C)
396 /*
397 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
398 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])399 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
400 const unsigned char *input, size_t in_len,
401 unsigned char output[16])
402 {
403 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
404 const mbedtls_cipher_info_t *cipher_info;
405 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
406 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
407
408 if (key == NULL || input == NULL || output == NULL) {
409 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
410 }
411
412 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
413 if (cipher_info == NULL) {
414 /* Failing at this point must be due to a build issue */
415 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
416 goto exit;
417 }
418
419 if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
420 /* Use key as is */
421 memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
422 } else {
423 memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
424
425 ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
426 key_length, int_key);
427 if (ret != 0) {
428 goto exit;
429 }
430 }
431
432 ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
433 output);
434
435 exit:
436 mbedtls_platform_zeroize(int_key, sizeof(int_key));
437
438 return ret;
439 }
440 #endif /* MBEDTLS_AES_C */
441
442 #endif /* !MBEDTLS_CMAC_ALT */
443
444 #if defined(MBEDTLS_SELF_TEST)
445 /*
446 * CMAC test data for SP800-38B
447 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
448 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
449 *
450 * AES-CMAC-PRF-128 test data from RFC 4615
451 * https://tools.ietf.org/html/rfc4615#page-4
452 */
453
454 #define NB_CMAC_TESTS_PER_KEY 4
455 #define NB_PRF_TESTS 3
456
457 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
458 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
459 static const unsigned char test_message[] = {
460 /* PT */
461 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
462 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
463 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
464 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
465 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
466 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
467 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
468 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
469 };
470 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
471
472 #if defined(MBEDTLS_AES_C)
473 /* Truncation point of message for AES CMAC tests */
474 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
475 /* Mlen */
476 0,
477 16,
478 20,
479 64
480 };
481
482 /* CMAC-AES128 Test Data */
483 static const unsigned char aes_128_key[16] = {
484 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
485 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
486 };
487 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
488 {
489 /* K1 */
490 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
491 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
492 },
493 {
494 /* K2 */
495 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
496 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
497 }
498 };
499 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
500 {
501 {
502 /* Example #1 */
503 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
504 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
505 },
506 {
507 /* Example #2 */
508 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
509 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
510 },
511 {
512 /* Example #3 */
513 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
514 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
515 },
516 {
517 /* Example #4 */
518 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
519 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
520 }
521 };
522
523 /* CMAC-AES192 Test Data */
524 static const unsigned char aes_192_key[24] = {
525 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
526 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
527 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
528 };
529 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
530 {
531 /* K1 */
532 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
533 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
534 },
535 {
536 /* K2 */
537 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
538 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
539 }
540 };
541 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
542 {
543 {
544 /* Example #1 */
545 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
546 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
547 },
548 {
549 /* Example #2 */
550 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
551 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
552 },
553 {
554 /* Example #3 */
555 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
556 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
557 },
558 {
559 /* Example #4 */
560 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
561 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
562 }
563 };
564
565 /* CMAC-AES256 Test Data */
566 static const unsigned char aes_256_key[32] = {
567 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
568 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
569 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
570 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
571 };
572 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
573 {
574 /* K1 */
575 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
576 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
577 },
578 {
579 /* K2 */
580 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
581 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
582 }
583 };
584 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
585 {
586 {
587 /* Example #1 */
588 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
589 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
590 },
591 {
592 /* Example #2 */
593 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
594 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
595 },
596 {
597 /* Example #3 */
598 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
599 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
600 },
601 {
602 /* Example #4 */
603 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
604 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
605 }
606 };
607 #endif /* MBEDTLS_AES_C */
608
609 #if defined(MBEDTLS_DES_C)
610 /* Truncation point of message for 3DES CMAC tests */
611 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
612 0,
613 16,
614 20,
615 32
616 };
617
618 /* CMAC-TDES (Generation) - 2 Key Test Data */
619 static const unsigned char des3_2key_key[24] = {
620 /* Key1 */
621 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
622 /* Key2 */
623 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
624 /* Key3 */
625 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
626 };
627 static const unsigned char des3_2key_subkeys[2][8] = {
628 {
629 /* K1 */
630 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
631 },
632 {
633 /* K2 */
634 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
635 }
636 };
637 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
638 = {
639 {
640 /* Sample #1 */
641 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
642 },
643 {
644 /* Sample #2 */
645 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
646 },
647 {
648 /* Sample #3 */
649 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
650 },
651 {
652 /* Sample #4 */
653 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
654 }
655 };
656
657 /* CMAC-TDES (Generation) - 3 Key Test Data */
658 static const unsigned char des3_3key_key[24] = {
659 /* Key1 */
660 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
661 /* Key2 */
662 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
663 /* Key3 */
664 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
665 };
666 static const unsigned char des3_3key_subkeys[2][8] = {
667 {
668 /* K1 */
669 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
670 },
671 {
672 /* K2 */
673 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
674 }
675 };
676 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
677 = {
678 {
679 /* Sample #1 */
680 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
681 },
682 {
683 /* Sample #2 */
684 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
685 },
686 {
687 /* Sample #3 */
688 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
689 },
690 {
691 /* Sample #4 */
692 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
693 }
694 };
695
696 #endif /* MBEDTLS_DES_C */
697
698 #if defined(MBEDTLS_AES_C)
699 /* AES AES-CMAC-PRF-128 Test Data */
700 static const unsigned char PRFK[] = {
701 /* Key */
702 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
703 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
704 0xed, 0xcb
705 };
706
707 /* Sizes in bytes */
708 static const size_t PRFKlen[NB_PRF_TESTS] = {
709 18,
710 16,
711 10
712 };
713
714 /* Message */
715 static const unsigned char PRFM[] = {
716 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
717 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
718 0x10, 0x11, 0x12, 0x13
719 };
720
721 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
722 {
723 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
724 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
725 },
726 {
727 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
728 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
729 },
730 {
731 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
732 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
733 }
734 };
735 #endif /* MBEDTLS_AES_C */
736
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)737 static int cmac_test_subkeys(int verbose,
738 const char *testname,
739 const unsigned char *key,
740 int keybits,
741 const unsigned char *subkeys,
742 mbedtls_cipher_type_t cipher_type,
743 int block_size,
744 int num_tests)
745 {
746 int i, ret = 0;
747 mbedtls_cipher_context_t ctx;
748 const mbedtls_cipher_info_t *cipher_info;
749 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
750 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
751
752 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
753 if (cipher_info == NULL) {
754 /* Failing at this point must be due to a build issue */
755 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
756 }
757
758 for (i = 0; i < num_tests; i++) {
759 if (verbose != 0) {
760 mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
761 }
762
763 mbedtls_cipher_init(&ctx);
764
765 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
766 if (verbose != 0) {
767 mbedtls_printf("test execution failed\n");
768 }
769
770 goto cleanup;
771 }
772
773 if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
774 MBEDTLS_ENCRYPT)) != 0) {
775 /* When CMAC is implemented by an alternative implementation, or
776 * the underlying primitive itself is implemented alternatively,
777 * AES-192 may be unavailable. This should not cause the selftest
778 * function to fail. */
779 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
780 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
781 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
782 if (verbose != 0) {
783 mbedtls_printf("skipped\n");
784 }
785 goto next_test;
786 }
787
788 if (verbose != 0) {
789 mbedtls_printf("test execution failed\n");
790 }
791
792 goto cleanup;
793 }
794
795 ret = cmac_generate_subkeys(&ctx, K1, K2);
796 if (ret != 0) {
797 if (verbose != 0) {
798 mbedtls_printf("failed\n");
799 }
800
801 goto cleanup;
802 }
803
804 if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
805 (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
806 if (verbose != 0) {
807 mbedtls_printf("failed\n");
808 }
809
810 goto cleanup;
811 }
812
813 if (verbose != 0) {
814 mbedtls_printf("passed\n");
815 }
816
817 next_test:
818 mbedtls_cipher_free(&ctx);
819 }
820
821 ret = 0;
822 goto exit;
823
824 cleanup:
825 mbedtls_cipher_free(&ctx);
826
827 exit:
828 return ret;
829 }
830
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)831 static int cmac_test_wth_cipher(int verbose,
832 const char *testname,
833 const unsigned char *key,
834 int keybits,
835 const unsigned char *messages,
836 const unsigned int message_lengths[4],
837 const unsigned char *expected_result,
838 mbedtls_cipher_type_t cipher_type,
839 int block_size,
840 int num_tests)
841 {
842 const mbedtls_cipher_info_t *cipher_info;
843 int i, ret = 0;
844 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
845
846 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
847 if (cipher_info == NULL) {
848 /* Failing at this point must be due to a build issue */
849 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
850 goto exit;
851 }
852
853 for (i = 0; i < num_tests; i++) {
854 if (verbose != 0) {
855 mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
856 }
857
858 if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
859 message_lengths[i], output)) != 0) {
860 /* When CMAC is implemented by an alternative implementation, or
861 * the underlying primitive itself is implemented alternatively,
862 * AES-192 and/or 3DES may be unavailable. This should not cause
863 * the selftest function to fail. */
864 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
865 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
866 (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
867 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
868 if (verbose != 0) {
869 mbedtls_printf("skipped\n");
870 }
871 continue;
872 }
873
874 if (verbose != 0) {
875 mbedtls_printf("failed\n");
876 }
877 goto exit;
878 }
879
880 if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
881 if (verbose != 0) {
882 mbedtls_printf("failed\n");
883 }
884 goto exit;
885 }
886
887 if (verbose != 0) {
888 mbedtls_printf("passed\n");
889 }
890 }
891 ret = 0;
892
893 exit:
894 return ret;
895 }
896
897 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)898 static int test_aes128_cmac_prf(int verbose)
899 {
900 int i;
901 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
902 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
903
904 for (i = 0; i < NB_PRF_TESTS; i++) {
905 mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
906 ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
907 if (ret != 0 ||
908 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
909
910 if (verbose != 0) {
911 mbedtls_printf("failed\n");
912 }
913
914 return ret;
915 } else if (verbose != 0) {
916 mbedtls_printf("passed\n");
917 }
918 }
919 return ret;
920 }
921 #endif /* MBEDTLS_AES_C */
922
mbedtls_cmac_self_test(int verbose)923 int mbedtls_cmac_self_test(int verbose)
924 {
925 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
926
927 #if defined(MBEDTLS_AES_C)
928 /* AES-128 */
929 if ((ret = cmac_test_subkeys(verbose,
930 "AES 128",
931 aes_128_key,
932 128,
933 (const unsigned char *) aes_128_subkeys,
934 MBEDTLS_CIPHER_AES_128_ECB,
935 MBEDTLS_AES_BLOCK_SIZE,
936 NB_CMAC_TESTS_PER_KEY)) != 0) {
937 return ret;
938 }
939
940 if ((ret = cmac_test_wth_cipher(verbose,
941 "AES 128",
942 aes_128_key,
943 128,
944 test_message,
945 aes_message_lengths,
946 (const unsigned char *) aes_128_expected_result,
947 MBEDTLS_CIPHER_AES_128_ECB,
948 MBEDTLS_AES_BLOCK_SIZE,
949 NB_CMAC_TESTS_PER_KEY)) != 0) {
950 return ret;
951 }
952
953 /* AES-192 */
954 if ((ret = cmac_test_subkeys(verbose,
955 "AES 192",
956 aes_192_key,
957 192,
958 (const unsigned char *) aes_192_subkeys,
959 MBEDTLS_CIPHER_AES_192_ECB,
960 MBEDTLS_AES_BLOCK_SIZE,
961 NB_CMAC_TESTS_PER_KEY)) != 0) {
962 return ret;
963 }
964
965 if ((ret = cmac_test_wth_cipher(verbose,
966 "AES 192",
967 aes_192_key,
968 192,
969 test_message,
970 aes_message_lengths,
971 (const unsigned char *) aes_192_expected_result,
972 MBEDTLS_CIPHER_AES_192_ECB,
973 MBEDTLS_AES_BLOCK_SIZE,
974 NB_CMAC_TESTS_PER_KEY)) != 0) {
975 return ret;
976 }
977
978 /* AES-256 */
979 if ((ret = cmac_test_subkeys(verbose,
980 "AES 256",
981 aes_256_key,
982 256,
983 (const unsigned char *) aes_256_subkeys,
984 MBEDTLS_CIPHER_AES_256_ECB,
985 MBEDTLS_AES_BLOCK_SIZE,
986 NB_CMAC_TESTS_PER_KEY)) != 0) {
987 return ret;
988 }
989
990 if ((ret = cmac_test_wth_cipher(verbose,
991 "AES 256",
992 aes_256_key,
993 256,
994 test_message,
995 aes_message_lengths,
996 (const unsigned char *) aes_256_expected_result,
997 MBEDTLS_CIPHER_AES_256_ECB,
998 MBEDTLS_AES_BLOCK_SIZE,
999 NB_CMAC_TESTS_PER_KEY)) != 0) {
1000 return ret;
1001 }
1002 #endif /* MBEDTLS_AES_C */
1003
1004 #if defined(MBEDTLS_DES_C)
1005 /* 3DES 2 key */
1006 if ((ret = cmac_test_subkeys(verbose,
1007 "3DES 2 key",
1008 des3_2key_key,
1009 192,
1010 (const unsigned char *) des3_2key_subkeys,
1011 MBEDTLS_CIPHER_DES_EDE3_ECB,
1012 MBEDTLS_DES3_BLOCK_SIZE,
1013 NB_CMAC_TESTS_PER_KEY)) != 0) {
1014 return ret;
1015 }
1016
1017 if ((ret = cmac_test_wth_cipher(verbose,
1018 "3DES 2 key",
1019 des3_2key_key,
1020 192,
1021 test_message,
1022 des3_message_lengths,
1023 (const unsigned char *) des3_2key_expected_result,
1024 MBEDTLS_CIPHER_DES_EDE3_ECB,
1025 MBEDTLS_DES3_BLOCK_SIZE,
1026 NB_CMAC_TESTS_PER_KEY)) != 0) {
1027 return ret;
1028 }
1029
1030 /* 3DES 3 key */
1031 if ((ret = cmac_test_subkeys(verbose,
1032 "3DES 3 key",
1033 des3_3key_key,
1034 192,
1035 (const unsigned char *) des3_3key_subkeys,
1036 MBEDTLS_CIPHER_DES_EDE3_ECB,
1037 MBEDTLS_DES3_BLOCK_SIZE,
1038 NB_CMAC_TESTS_PER_KEY)) != 0) {
1039 return ret;
1040 }
1041
1042 if ((ret = cmac_test_wth_cipher(verbose,
1043 "3DES 3 key",
1044 des3_3key_key,
1045 192,
1046 test_message,
1047 des3_message_lengths,
1048 (const unsigned char *) des3_3key_expected_result,
1049 MBEDTLS_CIPHER_DES_EDE3_ECB,
1050 MBEDTLS_DES3_BLOCK_SIZE,
1051 NB_CMAC_TESTS_PER_KEY)) != 0) {
1052 return ret;
1053 }
1054 #endif /* MBEDTLS_DES_C */
1055
1056 #if defined(MBEDTLS_AES_C)
1057 if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
1058 return ret;
1059 }
1060 #endif /* MBEDTLS_AES_C */
1061
1062 if (verbose != 0) {
1063 mbedtls_printf("\n");
1064 }
1065
1066 return 0;
1067 }
1068
1069 #endif /* MBEDTLS_SELF_TEST */
1070
1071 #endif /* MBEDTLS_CMAC_C */
1072
