1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22 /*
23 * References:
24 *
25 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
26 * CMAC Mode for Authentication
27 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
28 *
29 * - RFC 4493 - The AES-CMAC Algorithm
30 * https://tools.ietf.org/html/rfc4493
31 *
32 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
33 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
34 * Algorithm for the Internet Key Exchange Protocol (IKE)
35 * https://tools.ietf.org/html/rfc4615
36 *
37 * Additional test vectors: ISO/IEC 9797-1
38 *
39 */
40
41 #include "common.h"
42
43 #if defined(MBEDTLS_CMAC_C)
44
45 #include "mbedtls/cmac.h"
46 #include "mbedtls/platform_util.h"
47 #include "mbedtls/error.h"
48
49 #include <string.h>
50
51
52 #if defined(MBEDTLS_PLATFORM_C)
53 #include "mbedtls/platform.h"
54 #else
55 #include <stdlib.h>
56 #define mbedtls_calloc calloc
57 #define mbedtls_free free
58 #if defined(MBEDTLS_SELF_TEST)
59 #include <stdio.h>
60 #define mbedtls_printf printf
61 #endif /* MBEDTLS_SELF_TEST */
62 #endif /* MBEDTLS_PLATFORM_C */
63
64 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
65
66 /*
67 * Multiplication by u in the Galois field of GF(2^n)
68 *
69 * As explained in NIST SP 800-38B, this can be computed:
70 *
71 * If MSB(p) = 0, then p = (p << 1)
72 * If MSB(p) = 1, then p = (p << 1) ^ R_n
73 * with R_64 = 0x1B and R_128 = 0x87
74 *
75 * Input and output MUST NOT point to the same buffer
76 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
77 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)78 static int cmac_multiply_by_u( unsigned char *output,
79 const unsigned char *input,
80 size_t blocksize )
81 {
82 const unsigned char R_128 = 0x87;
83 const unsigned char R_64 = 0x1B;
84 unsigned char R_n, mask;
85 unsigned char overflow = 0x00;
86 int i;
87
88 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
89 {
90 R_n = R_128;
91 }
92 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
93 {
94 R_n = R_64;
95 }
96 else
97 {
98 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
99 }
100
101 for( i = (int)blocksize - 1; i >= 0; i-- )
102 {
103 output[i] = input[i] << 1 | overflow;
104 overflow = input[i] >> 7;
105 }
106
107 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
108 * using bit operations to avoid branches */
109
110 /* MSVC has a warning about unary minus on unsigned, but this is
111 * well-defined and precisely what we want to do here */
112 #if defined(_MSC_VER)
113 #pragma warning( push )
114 #pragma warning( disable : 4146 )
115 #endif
116 mask = - ( input[0] >> 7 );
117 #if defined(_MSC_VER)
118 #pragma warning( pop )
119 #endif
120
121 output[ blocksize - 1 ] ^= R_n & mask;
122
123 return( 0 );
124 }
125
126 /*
127 * Generate subkeys
128 *
129 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
130 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)131 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
132 unsigned char* K1, unsigned char* K2 )
133 {
134 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
135 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
136 size_t olen, block_size;
137
138 mbedtls_platform_zeroize( L, sizeof( L ) );
139
140 block_size = ctx->cipher_info->block_size;
141
142 /* Calculate Ek(0) */
143 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
144 goto exit;
145
146 /*
147 * Generate K1 and K2
148 */
149 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
150 goto exit;
151
152 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
153 goto exit;
154
155 exit:
156 mbedtls_platform_zeroize( L, sizeof( L ) );
157
158 return( ret );
159 }
160 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
161
162 #if !defined(MBEDTLS_CMAC_ALT)
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)163 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
164 const unsigned char *input2,
165 const size_t block_size )
166 {
167 size_t idx;
168
169 for( idx = 0; idx < block_size; idx++ )
170 output[ idx ] = input1[ idx ] ^ input2[ idx ];
171 }
172
173 /*
174 * Create padded last block from (partial) last block.
175 *
176 * We can't use the padding option from the cipher layer, as it only works for
177 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
178 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)179 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
180 size_t padded_block_len,
181 const unsigned char *last_block,
182 size_t last_block_len )
183 {
184 size_t j;
185
186 for( j = 0; j < padded_block_len; j++ )
187 {
188 if( j < last_block_len )
189 padded_block[j] = last_block[j];
190 else if( j == last_block_len )
191 padded_block[j] = 0x80;
192 else
193 padded_block[j] = 0x00;
194 }
195 }
196
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)197 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
198 const unsigned char *key, size_t keybits )
199 {
200 mbedtls_cipher_type_t type;
201 mbedtls_cmac_context_t *cmac_ctx;
202 int retval;
203
204 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
205 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
206
207 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
208 MBEDTLS_ENCRYPT ) ) != 0 )
209 return( retval );
210
211 type = ctx->cipher_info->type;
212
213 switch( type )
214 {
215 case MBEDTLS_CIPHER_AES_128_ECB:
216 case MBEDTLS_CIPHER_AES_192_ECB:
217 case MBEDTLS_CIPHER_AES_256_ECB:
218 case MBEDTLS_CIPHER_DES_EDE3_ECB:
219 break;
220 default:
221 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
222 }
223
224 /* Allocated and initialise in the cipher context memory for the CMAC
225 * context */
226 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
227 if( cmac_ctx == NULL )
228 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
229
230 ctx->cmac_ctx = cmac_ctx;
231
232 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
233
234 return 0;
235 }
236
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)237 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
238 const unsigned char *input, size_t ilen )
239 {
240 mbedtls_cmac_context_t* cmac_ctx;
241 unsigned char *state;
242 int ret = 0;
243 size_t n, j, olen, block_size;
244
245 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
246 ctx->cmac_ctx == NULL )
247 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
248
249 cmac_ctx = ctx->cmac_ctx;
250 block_size = ctx->cipher_info->block_size;
251 state = ctx->cmac_ctx->state;
252
253 /* Is there data still to process from the last call, that's greater in
254 * size than a block? */
255 if( cmac_ctx->unprocessed_len > 0 &&
256 ilen > block_size - cmac_ctx->unprocessed_len )
257 {
258 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
259 input,
260 block_size - cmac_ctx->unprocessed_len );
261
262 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
263
264 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
265 &olen ) ) != 0 )
266 {
267 goto exit;
268 }
269
270 input += block_size - cmac_ctx->unprocessed_len;
271 ilen -= block_size - cmac_ctx->unprocessed_len;
272 cmac_ctx->unprocessed_len = 0;
273 }
274
275 /* n is the number of blocks including any final partial block */
276 n = ( ilen + block_size - 1 ) / block_size;
277
278 /* Iterate across the input data in block sized chunks, excluding any
279 * final partial or complete block */
280 for( j = 1; j < n; j++ )
281 {
282 cmac_xor_block( state, input, state, block_size );
283
284 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
285 &olen ) ) != 0 )
286 goto exit;
287
288 ilen -= block_size;
289 input += block_size;
290 }
291
292 /* If there is data left over that wasn't aligned to a block */
293 if( ilen > 0 )
294 {
295 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
296 input,
297 ilen );
298 cmac_ctx->unprocessed_len += ilen;
299 }
300
301 exit:
302 return( ret );
303 }
304
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)305 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
306 unsigned char *output )
307 {
308 mbedtls_cmac_context_t* cmac_ctx;
309 unsigned char *state, *last_block;
310 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
311 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
312 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
313 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
314 size_t olen, block_size;
315
316 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
317 output == NULL )
318 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
319
320 cmac_ctx = ctx->cmac_ctx;
321 block_size = ctx->cipher_info->block_size;
322 state = cmac_ctx->state;
323
324 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
325 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
326 cmac_generate_subkeys( ctx, K1, K2 );
327
328 last_block = cmac_ctx->unprocessed_block;
329
330 /* Calculate last block */
331 if( cmac_ctx->unprocessed_len < block_size )
332 {
333 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
334 cmac_xor_block( M_last, M_last, K2, block_size );
335 }
336 else
337 {
338 /* Last block is complete block */
339 cmac_xor_block( M_last, last_block, K1, block_size );
340 }
341
342
343 cmac_xor_block( state, M_last, state, block_size );
344 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
345 &olen ) ) != 0 )
346 {
347 goto exit;
348 }
349
350 memcpy( output, state, block_size );
351
352 exit:
353 /* Wipe the generated keys on the stack, and any other transients to avoid
354 * side channel leakage */
355 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
356 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
357
358 cmac_ctx->unprocessed_len = 0;
359 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
360 sizeof( cmac_ctx->unprocessed_block ) );
361
362 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
363 return( ret );
364 }
365
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)366 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
367 {
368 mbedtls_cmac_context_t* cmac_ctx;
369
370 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
371 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
372
373 cmac_ctx = ctx->cmac_ctx;
374
375 /* Reset the internal state */
376 cmac_ctx->unprocessed_len = 0;
377 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
378 sizeof( cmac_ctx->unprocessed_block ) );
379 mbedtls_platform_zeroize( cmac_ctx->state,
380 sizeof( cmac_ctx->state ) );
381
382 return( 0 );
383 }
384
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)385 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
386 const unsigned char *key, size_t keylen,
387 const unsigned char *input, size_t ilen,
388 unsigned char *output )
389 {
390 mbedtls_cipher_context_t ctx;
391 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
392
393 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
394 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
395
396 mbedtls_cipher_init( &ctx );
397
398 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
399 goto exit;
400
401 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
402 if( ret != 0 )
403 goto exit;
404
405 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
406 if( ret != 0 )
407 goto exit;
408
409 ret = mbedtls_cipher_cmac_finish( &ctx, output );
410
411 exit:
412 mbedtls_cipher_free( &ctx );
413
414 return( ret );
415 }
416
417 #if defined(MBEDTLS_AES_C)
418 /*
419 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
420 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])421 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
422 const unsigned char *input, size_t in_len,
423 unsigned char output[16] )
424 {
425 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
426 const mbedtls_cipher_info_t *cipher_info;
427 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
428 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
429
430 if( key == NULL || input == NULL || output == NULL )
431 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
432
433 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
434 if( cipher_info == NULL )
435 {
436 /* Failing at this point must be due to a build issue */
437 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
438 goto exit;
439 }
440
441 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
442 {
443 /* Use key as is */
444 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
445 }
446 else
447 {
448 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
449
450 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
451 key_length, int_key );
452 if( ret != 0 )
453 goto exit;
454 }
455
456 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
457 output );
458
459 exit:
460 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
461
462 return( ret );
463 }
464 #endif /* MBEDTLS_AES_C */
465
466 #endif /* !MBEDTLS_CMAC_ALT */
467
468 #if defined(MBEDTLS_SELF_TEST)
469 /*
470 * CMAC test data for SP800-38B
471 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
472 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
473 *
474 * AES-CMAC-PRF-128 test data from RFC 4615
475 * https://tools.ietf.org/html/rfc4615#page-4
476 */
477
478 #define NB_CMAC_TESTS_PER_KEY 4
479 #define NB_PRF_TESTS 3
480
481 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
482 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
483 static const unsigned char test_message[] = {
484 /* PT */
485 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
486 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
487 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
488 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
489 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
490 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
491 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
492 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
493 };
494 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
495
496 #if defined(MBEDTLS_AES_C)
497 /* Truncation point of message for AES CMAC tests */
498 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
499 /* Mlen */
500 0,
501 16,
502 20,
503 64
504 };
505
506 /* CMAC-AES128 Test Data */
507 static const unsigned char aes_128_key[16] = {
508 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
509 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
510 };
511 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
512 {
513 /* K1 */
514 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
515 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
516 },
517 {
518 /* K2 */
519 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
520 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
521 }
522 };
523 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
524 {
525 /* Example #1 */
526 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
527 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
528 },
529 {
530 /* Example #2 */
531 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
532 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
533 },
534 {
535 /* Example #3 */
536 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
537 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
538 },
539 {
540 /* Example #4 */
541 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
542 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
543 }
544 };
545
546 /* CMAC-AES192 Test Data */
547 static const unsigned char aes_192_key[24] = {
548 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
549 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
550 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
551 };
552 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
553 {
554 /* K1 */
555 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
556 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
557 },
558 {
559 /* K2 */
560 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
561 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
562 }
563 };
564 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
565 {
566 /* Example #1 */
567 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
568 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
569 },
570 {
571 /* Example #2 */
572 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
573 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
574 },
575 {
576 /* Example #3 */
577 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
578 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
579 },
580 {
581 /* Example #4 */
582 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
583 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
584 }
585 };
586
587 /* CMAC-AES256 Test Data */
588 static const unsigned char aes_256_key[32] = {
589 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
590 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
591 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
592 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
593 };
594 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
595 {
596 /* K1 */
597 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
598 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
599 },
600 {
601 /* K2 */
602 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
603 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
604 }
605 };
606 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
607 {
608 /* Example #1 */
609 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
610 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
611 },
612 {
613 /* Example #2 */
614 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
615 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
616 },
617 {
618 /* Example #3 */
619 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
620 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
621 },
622 {
623 /* Example #4 */
624 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
625 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
626 }
627 };
628 #endif /* MBEDTLS_AES_C */
629
630 #if defined(MBEDTLS_DES_C)
631 /* Truncation point of message for 3DES CMAC tests */
632 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
633 0,
634 16,
635 20,
636 32
637 };
638
639 /* CMAC-TDES (Generation) - 2 Key Test Data */
640 static const unsigned char des3_2key_key[24] = {
641 /* Key1 */
642 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
643 /* Key2 */
644 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
645 /* Key3 */
646 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
647 };
648 static const unsigned char des3_2key_subkeys[2][8] = {
649 {
650 /* K1 */
651 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
652 },
653 {
654 /* K2 */
655 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
656 }
657 };
658 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
659 {
660 /* Sample #1 */
661 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
662 },
663 {
664 /* Sample #2 */
665 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
666 },
667 {
668 /* Sample #3 */
669 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
670 },
671 {
672 /* Sample #4 */
673 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
674 }
675 };
676
677 /* CMAC-TDES (Generation) - 3 Key Test Data */
678 static const unsigned char des3_3key_key[24] = {
679 /* Key1 */
680 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
681 /* Key2 */
682 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
683 /* Key3 */
684 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
685 };
686 static const unsigned char des3_3key_subkeys[2][8] = {
687 {
688 /* K1 */
689 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
690 },
691 {
692 /* K2 */
693 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
694 }
695 };
696 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
697 {
698 /* Sample #1 */
699 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
700 },
701 {
702 /* Sample #2 */
703 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
704 },
705 {
706 /* Sample #3 */
707 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
708 },
709 {
710 /* Sample #4 */
711 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
712 }
713 };
714
715 #endif /* MBEDTLS_DES_C */
716
717 #if defined(MBEDTLS_AES_C)
718 /* AES AES-CMAC-PRF-128 Test Data */
719 static const unsigned char PRFK[] = {
720 /* Key */
721 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
722 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
723 0xed, 0xcb
724 };
725
726 /* Sizes in bytes */
727 static const size_t PRFKlen[NB_PRF_TESTS] = {
728 18,
729 16,
730 10
731 };
732
733 /* Message */
734 static const unsigned char PRFM[] = {
735 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
736 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
737 0x10, 0x11, 0x12, 0x13
738 };
739
740 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
741 {
742 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
743 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
744 },
745 {
746 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
747 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
748 },
749 {
750 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
751 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
752 }
753 };
754 #endif /* MBEDTLS_AES_C */
755
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)756 static int cmac_test_subkeys( int verbose,
757 const char* testname,
758 const unsigned char* key,
759 int keybits,
760 const unsigned char* subkeys,
761 mbedtls_cipher_type_t cipher_type,
762 int block_size,
763 int num_tests )
764 {
765 int i, ret = 0;
766 mbedtls_cipher_context_t ctx;
767 const mbedtls_cipher_info_t *cipher_info;
768 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
769 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
770
771 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
772 if( cipher_info == NULL )
773 {
774 /* Failing at this point must be due to a build issue */
775 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
776 }
777
778 for( i = 0; i < num_tests; i++ )
779 {
780 if( verbose != 0 )
781 mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 );
782
783 mbedtls_cipher_init( &ctx );
784
785 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
786 {
787 if( verbose != 0 )
788 mbedtls_printf( "test execution failed\n" );
789
790 goto cleanup;
791 }
792
793 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
794 MBEDTLS_ENCRYPT ) ) != 0 )
795 {
796 if( verbose != 0 )
797 mbedtls_printf( "test execution failed\n" );
798
799 goto cleanup;
800 }
801
802 ret = cmac_generate_subkeys( &ctx, K1, K2 );
803 if( ret != 0 )
804 {
805 if( verbose != 0 )
806 mbedtls_printf( "failed\n" );
807
808 goto cleanup;
809 }
810
811 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
812 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
813 {
814 if( verbose != 0 )
815 mbedtls_printf( "failed\n" );
816
817 goto cleanup;
818 }
819
820 if( verbose != 0 )
821 mbedtls_printf( "passed\n" );
822
823 mbedtls_cipher_free( &ctx );
824 }
825
826 ret = 0;
827 goto exit;
828
829 cleanup:
830 mbedtls_cipher_free( &ctx );
831
832 exit:
833 return( ret );
834 }
835
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)836 static int cmac_test_wth_cipher( int verbose,
837 const char* testname,
838 const unsigned char* key,
839 int keybits,
840 const unsigned char* messages,
841 const unsigned int message_lengths[4],
842 const unsigned char* expected_result,
843 mbedtls_cipher_type_t cipher_type,
844 int block_size,
845 int num_tests )
846 {
847 const mbedtls_cipher_info_t *cipher_info;
848 int i, ret = 0;
849 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
850
851 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
852 if( cipher_info == NULL )
853 {
854 /* Failing at this point must be due to a build issue */
855 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
856 goto exit;
857 }
858
859 for( i = 0; i < num_tests; i++ )
860 {
861 if( verbose != 0 )
862 mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 );
863
864 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
865 message_lengths[i], output ) ) != 0 )
866 {
867 if( verbose != 0 )
868 mbedtls_printf( "failed\n" );
869 goto exit;
870 }
871
872 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
873 {
874 if( verbose != 0 )
875 mbedtls_printf( "failed\n" );
876 goto exit;
877 }
878
879 if( verbose != 0 )
880 mbedtls_printf( "passed\n" );
881 }
882 ret = 0;
883
884 exit:
885 return( ret );
886 }
887
888 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)889 static int test_aes128_cmac_prf( int verbose )
890 {
891 int i;
892 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
893 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
894
895 for( i = 0; i < NB_PRF_TESTS; i++ )
896 {
897 mbedtls_printf( " AES CMAC 128 PRF #%d: ", i );
898 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
899 if( ret != 0 ||
900 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
901 {
902
903 if( verbose != 0 )
904 mbedtls_printf( "failed\n" );
905
906 return( ret );
907 }
908 else if( verbose != 0 )
909 {
910 mbedtls_printf( "passed\n" );
911 }
912 }
913 return( ret );
914 }
915 #endif /* MBEDTLS_AES_C */
916
mbedtls_cmac_self_test(int verbose)917 int mbedtls_cmac_self_test( int verbose )
918 {
919 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
920
921 #if defined(MBEDTLS_AES_C)
922 /* AES-128 */
923 if( ( ret = cmac_test_subkeys( verbose,
924 "AES 128",
925 aes_128_key,
926 128,
927 (const unsigned char*)aes_128_subkeys,
928 MBEDTLS_CIPHER_AES_128_ECB,
929 MBEDTLS_AES_BLOCK_SIZE,
930 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
931 {
932 return( ret );
933 }
934
935 if( ( ret = cmac_test_wth_cipher( verbose,
936 "AES 128",
937 aes_128_key,
938 128,
939 test_message,
940 aes_message_lengths,
941 (const unsigned char*)aes_128_expected_result,
942 MBEDTLS_CIPHER_AES_128_ECB,
943 MBEDTLS_AES_BLOCK_SIZE,
944 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
945 {
946 return( ret );
947 }
948
949 /* AES-192 */
950 if( ( ret = cmac_test_subkeys( verbose,
951 "AES 192",
952 aes_192_key,
953 192,
954 (const unsigned char*)aes_192_subkeys,
955 MBEDTLS_CIPHER_AES_192_ECB,
956 MBEDTLS_AES_BLOCK_SIZE,
957 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
958 {
959 return( ret );
960 }
961
962 if( ( ret = cmac_test_wth_cipher( verbose,
963 "AES 192",
964 aes_192_key,
965 192,
966 test_message,
967 aes_message_lengths,
968 (const unsigned char*)aes_192_expected_result,
969 MBEDTLS_CIPHER_AES_192_ECB,
970 MBEDTLS_AES_BLOCK_SIZE,
971 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
972 {
973 return( ret );
974 }
975
976 /* AES-256 */
977 if( ( ret = cmac_test_subkeys( verbose,
978 "AES 256",
979 aes_256_key,
980 256,
981 (const unsigned char*)aes_256_subkeys,
982 MBEDTLS_CIPHER_AES_256_ECB,
983 MBEDTLS_AES_BLOCK_SIZE,
984 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
985 {
986 return( ret );
987 }
988
989 if( ( ret = cmac_test_wth_cipher ( verbose,
990 "AES 256",
991 aes_256_key,
992 256,
993 test_message,
994 aes_message_lengths,
995 (const unsigned char*)aes_256_expected_result,
996 MBEDTLS_CIPHER_AES_256_ECB,
997 MBEDTLS_AES_BLOCK_SIZE,
998 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
999 {
1000 return( ret );
1001 }
1002 #endif /* MBEDTLS_AES_C */
1003
1004 #if defined(MBEDTLS_DES_C)
1005 /* 3DES 2 key */
1006 if( ( ret = cmac_test_subkeys( verbose,
1007 "3DES 2 key",
1008 des3_2key_key,
1009 192,
1010 (const unsigned char*)des3_2key_subkeys,
1011 MBEDTLS_CIPHER_DES_EDE3_ECB,
1012 MBEDTLS_DES3_BLOCK_SIZE,
1013 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1014 {
1015 return( ret );
1016 }
1017
1018 if( ( ret = cmac_test_wth_cipher( verbose,
1019 "3DES 2 key",
1020 des3_2key_key,
1021 192,
1022 test_message,
1023 des3_message_lengths,
1024 (const unsigned char*)des3_2key_expected_result,
1025 MBEDTLS_CIPHER_DES_EDE3_ECB,
1026 MBEDTLS_DES3_BLOCK_SIZE,
1027 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1028 {
1029 return( ret );
1030 }
1031
1032 /* 3DES 3 key */
1033 if( ( ret = cmac_test_subkeys( verbose,
1034 "3DES 3 key",
1035 des3_3key_key,
1036 192,
1037 (const unsigned char*)des3_3key_subkeys,
1038 MBEDTLS_CIPHER_DES_EDE3_ECB,
1039 MBEDTLS_DES3_BLOCK_SIZE,
1040 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1041 {
1042 return( ret );
1043 }
1044
1045 if( ( ret = cmac_test_wth_cipher( verbose,
1046 "3DES 3 key",
1047 des3_3key_key,
1048 192,
1049 test_message,
1050 des3_message_lengths,
1051 (const unsigned char*)des3_3key_expected_result,
1052 MBEDTLS_CIPHER_DES_EDE3_ECB,
1053 MBEDTLS_DES3_BLOCK_SIZE,
1054 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1055 {
1056 return( ret );
1057 }
1058 #endif /* MBEDTLS_DES_C */
1059
1060 #if defined(MBEDTLS_AES_C)
1061 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1062 return( ret );
1063 #endif /* MBEDTLS_AES_C */
1064
1065 if( verbose != 0 )
1066 mbedtls_printf( "\n" );
1067
1068 return( 0 );
1069 }
1070
1071 #endif /* MBEDTLS_SELF_TEST */
1072
1073 #endif /* MBEDTLS_CMAC_C */
1074
