1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22 /*
23 * References:
24 *
25 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
26 * CMAC Mode for Authentication
27 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
28 *
29 * - RFC 4493 - The AES-CMAC Algorithm
30 * https://tools.ietf.org/html/rfc4493
31 *
32 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
33 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
34 * Algorithm for the Internet Key Exchange Protocol (IKE)
35 * https://tools.ietf.org/html/rfc4615
36 *
37 * Additional test vectors: ISO/IEC 9797-1
38 *
39 */
40
41 #include "common.h"
42
43 #if defined(MBEDTLS_CMAC_C)
44
45 #include "mbedtls/cmac.h"
46 #include "mbedtls/platform_util.h"
47 #include "mbedtls/error.h"
48 #include "mbedtls/platform.h"
49
50 #include <string.h>
51
52 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
53
54 /*
55 * Multiplication by u in the Galois field of GF(2^n)
56 *
57 * As explained in NIST SP 800-38B, this can be computed:
58 *
59 * If MSB(p) = 0, then p = (p << 1)
60 * If MSB(p) = 1, then p = (p << 1) ^ R_n
61 * with R_64 = 0x1B and R_128 = 0x87
62 *
63 * Input and output MUST NOT point to the same buffer
64 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
65 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)66 static int cmac_multiply_by_u( unsigned char *output,
67 const unsigned char *input,
68 size_t blocksize )
69 {
70 const unsigned char R_128 = 0x87;
71 const unsigned char R_64 = 0x1B;
72 unsigned char R_n, mask;
73 unsigned char overflow = 0x00;
74 int i;
75
76 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
77 {
78 R_n = R_128;
79 }
80 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
81 {
82 R_n = R_64;
83 }
84 else
85 {
86 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
87 }
88
89 for( i = (int)blocksize - 1; i >= 0; i-- )
90 {
91 output[i] = input[i] << 1 | overflow;
92 overflow = input[i] >> 7;
93 }
94
95 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
96 * using bit operations to avoid branches */
97
98 /* MSVC has a warning about unary minus on unsigned, but this is
99 * well-defined and precisely what we want to do here */
100 #if defined(_MSC_VER)
101 #pragma warning( push )
102 #pragma warning( disable : 4146 )
103 #endif
104 mask = - ( input[0] >> 7 );
105 #if defined(_MSC_VER)
106 #pragma warning( pop )
107 #endif
108
109 output[ blocksize - 1 ] ^= R_n & mask;
110
111 return( 0 );
112 }
113
114 /*
115 * Generate subkeys
116 *
117 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
118 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)119 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
120 unsigned char* K1, unsigned char* K2 )
121 {
122 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
123 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
124 size_t olen, block_size;
125
126 mbedtls_platform_zeroize( L, sizeof( L ) );
127
128 block_size = ctx->cipher_info->block_size;
129
130 /* Calculate Ek(0) */
131 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
132 goto exit;
133
134 /*
135 * Generate K1 and K2
136 */
137 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
138 goto exit;
139
140 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
141 goto exit;
142
143 exit:
144 mbedtls_platform_zeroize( L, sizeof( L ) );
145
146 return( ret );
147 }
148 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
149
150 #if !defined(MBEDTLS_CMAC_ALT)
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)151 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
152 const unsigned char *input2,
153 const size_t block_size )
154 {
155 size_t idx;
156
157 for( idx = 0; idx < block_size; idx++ )
158 output[ idx ] = input1[ idx ] ^ input2[ idx ];
159 }
160
161 /*
162 * Create padded last block from (partial) last block.
163 *
164 * We can't use the padding option from the cipher layer, as it only works for
165 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
166 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)167 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
168 size_t padded_block_len,
169 const unsigned char *last_block,
170 size_t last_block_len )
171 {
172 size_t j;
173
174 for( j = 0; j < padded_block_len; j++ )
175 {
176 if( j < last_block_len )
177 padded_block[j] = last_block[j];
178 else if( j == last_block_len )
179 padded_block[j] = 0x80;
180 else
181 padded_block[j] = 0x00;
182 }
183 }
184
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)185 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
186 const unsigned char *key, size_t keybits )
187 {
188 mbedtls_cipher_type_t type;
189 mbedtls_cmac_context_t *cmac_ctx;
190 int retval;
191
192 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
193 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
194
195 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
196 MBEDTLS_ENCRYPT ) ) != 0 )
197 return( retval );
198
199 type = ctx->cipher_info->type;
200
201 switch( type )
202 {
203 case MBEDTLS_CIPHER_AES_128_ECB:
204 case MBEDTLS_CIPHER_AES_192_ECB:
205 case MBEDTLS_CIPHER_AES_256_ECB:
206 case MBEDTLS_CIPHER_DES_EDE3_ECB:
207 break;
208 default:
209 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
210 }
211
212 /* Allocated and initialise in the cipher context memory for the CMAC
213 * context */
214 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
215 if( cmac_ctx == NULL )
216 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
217
218 ctx->cmac_ctx = cmac_ctx;
219
220 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
221
222 return 0;
223 }
224
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)225 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
226 const unsigned char *input, size_t ilen )
227 {
228 mbedtls_cmac_context_t* cmac_ctx;
229 unsigned char *state;
230 int ret = 0;
231 size_t n, j, olen, block_size;
232
233 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
234 ctx->cmac_ctx == NULL )
235 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
236
237 cmac_ctx = ctx->cmac_ctx;
238 block_size = ctx->cipher_info->block_size;
239 state = ctx->cmac_ctx->state;
240
241 /* Is there data still to process from the last call, that's greater in
242 * size than a block? */
243 if( cmac_ctx->unprocessed_len > 0 &&
244 ilen > block_size - cmac_ctx->unprocessed_len )
245 {
246 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
247 input,
248 block_size - cmac_ctx->unprocessed_len );
249
250 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
251
252 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
253 &olen ) ) != 0 )
254 {
255 goto exit;
256 }
257
258 input += block_size - cmac_ctx->unprocessed_len;
259 ilen -= block_size - cmac_ctx->unprocessed_len;
260 cmac_ctx->unprocessed_len = 0;
261 }
262
263 /* n is the number of blocks including any final partial block */
264 n = ( ilen + block_size - 1 ) / block_size;
265
266 /* Iterate across the input data in block sized chunks, excluding any
267 * final partial or complete block */
268 for( j = 1; j < n; j++ )
269 {
270 cmac_xor_block( state, input, state, block_size );
271
272 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
273 &olen ) ) != 0 )
274 goto exit;
275
276 ilen -= block_size;
277 input += block_size;
278 }
279
280 /* If there is data left over that wasn't aligned to a block */
281 if( ilen > 0 )
282 {
283 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
284 input,
285 ilen );
286 cmac_ctx->unprocessed_len += ilen;
287 }
288
289 exit:
290 return( ret );
291 }
292
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)293 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
294 unsigned char *output )
295 {
296 mbedtls_cmac_context_t* cmac_ctx;
297 unsigned char *state, *last_block;
298 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
299 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
300 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
301 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
302 size_t olen, block_size;
303
304 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
305 output == NULL )
306 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
307
308 cmac_ctx = ctx->cmac_ctx;
309 block_size = ctx->cipher_info->block_size;
310 state = cmac_ctx->state;
311
312 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
313 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
314 cmac_generate_subkeys( ctx, K1, K2 );
315
316 last_block = cmac_ctx->unprocessed_block;
317
318 /* Calculate last block */
319 if( cmac_ctx->unprocessed_len < block_size )
320 {
321 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
322 cmac_xor_block( M_last, M_last, K2, block_size );
323 }
324 else
325 {
326 /* Last block is complete block */
327 cmac_xor_block( M_last, last_block, K1, block_size );
328 }
329
330
331 cmac_xor_block( state, M_last, state, block_size );
332 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
333 &olen ) ) != 0 )
334 {
335 goto exit;
336 }
337
338 memcpy( output, state, block_size );
339
340 exit:
341 /* Wipe the generated keys on the stack, and any other transients to avoid
342 * side channel leakage */
343 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
344 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
345
346 cmac_ctx->unprocessed_len = 0;
347 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
348 sizeof( cmac_ctx->unprocessed_block ) );
349
350 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
351 return( ret );
352 }
353
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)354 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
355 {
356 mbedtls_cmac_context_t* cmac_ctx;
357
358 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
359 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
360
361 cmac_ctx = ctx->cmac_ctx;
362
363 /* Reset the internal state */
364 cmac_ctx->unprocessed_len = 0;
365 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
366 sizeof( cmac_ctx->unprocessed_block ) );
367 mbedtls_platform_zeroize( cmac_ctx->state,
368 sizeof( cmac_ctx->state ) );
369
370 return( 0 );
371 }
372
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)373 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
374 const unsigned char *key, size_t keylen,
375 const unsigned char *input, size_t ilen,
376 unsigned char *output )
377 {
378 mbedtls_cipher_context_t ctx;
379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
380
381 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
382 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
383
384 mbedtls_cipher_init( &ctx );
385
386 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
387 goto exit;
388
389 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
390 if( ret != 0 )
391 goto exit;
392
393 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
394 if( ret != 0 )
395 goto exit;
396
397 ret = mbedtls_cipher_cmac_finish( &ctx, output );
398
399 exit:
400 mbedtls_cipher_free( &ctx );
401
402 return( ret );
403 }
404
405 #if defined(MBEDTLS_AES_C)
406 /*
407 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
408 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])409 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
410 const unsigned char *input, size_t in_len,
411 unsigned char output[16] )
412 {
413 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
414 const mbedtls_cipher_info_t *cipher_info;
415 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
416 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
417
418 if( key == NULL || input == NULL || output == NULL )
419 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
420
421 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
422 if( cipher_info == NULL )
423 {
424 /* Failing at this point must be due to a build issue */
425 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
426 goto exit;
427 }
428
429 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
430 {
431 /* Use key as is */
432 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
433 }
434 else
435 {
436 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
437
438 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
439 key_length, int_key );
440 if( ret != 0 )
441 goto exit;
442 }
443
444 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
445 output );
446
447 exit:
448 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
449
450 return( ret );
451 }
452 #endif /* MBEDTLS_AES_C */
453
454 #endif /* !MBEDTLS_CMAC_ALT */
455
456 #if defined(MBEDTLS_SELF_TEST)
457 /*
458 * CMAC test data for SP800-38B
459 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
460 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
461 *
462 * AES-CMAC-PRF-128 test data from RFC 4615
463 * https://tools.ietf.org/html/rfc4615#page-4
464 */
465
466 #define NB_CMAC_TESTS_PER_KEY 4
467 #define NB_PRF_TESTS 3
468
469 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
470 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
471 static const unsigned char test_message[] = {
472 /* PT */
473 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
474 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
475 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
476 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
477 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
478 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
479 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
480 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
481 };
482 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
483
484 #if defined(MBEDTLS_AES_C)
485 /* Truncation point of message for AES CMAC tests */
486 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
487 /* Mlen */
488 0,
489 16,
490 20,
491 64
492 };
493
494 /* CMAC-AES128 Test Data */
495 static const unsigned char aes_128_key[16] = {
496 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
497 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
498 };
499 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
500 {
501 /* K1 */
502 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
503 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
504 },
505 {
506 /* K2 */
507 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
508 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
509 }
510 };
511 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
512 {
513 /* Example #1 */
514 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
515 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
516 },
517 {
518 /* Example #2 */
519 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
520 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
521 },
522 {
523 /* Example #3 */
524 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
525 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
526 },
527 {
528 /* Example #4 */
529 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
530 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
531 }
532 };
533
534 /* CMAC-AES192 Test Data */
535 static const unsigned char aes_192_key[24] = {
536 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
537 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
538 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
539 };
540 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
541 {
542 /* K1 */
543 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
544 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
545 },
546 {
547 /* K2 */
548 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
549 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
550 }
551 };
552 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
553 {
554 /* Example #1 */
555 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
556 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
557 },
558 {
559 /* Example #2 */
560 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
561 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
562 },
563 {
564 /* Example #3 */
565 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
566 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
567 },
568 {
569 /* Example #4 */
570 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
571 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
572 }
573 };
574
575 /* CMAC-AES256 Test Data */
576 static const unsigned char aes_256_key[32] = {
577 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
578 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
579 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
580 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
581 };
582 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
583 {
584 /* K1 */
585 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
586 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
587 },
588 {
589 /* K2 */
590 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
591 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
592 }
593 };
594 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
595 {
596 /* Example #1 */
597 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
598 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
599 },
600 {
601 /* Example #2 */
602 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
603 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
604 },
605 {
606 /* Example #3 */
607 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
608 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
609 },
610 {
611 /* Example #4 */
612 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
613 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
614 }
615 };
616 #endif /* MBEDTLS_AES_C */
617
618 #if defined(MBEDTLS_DES_C)
619 /* Truncation point of message for 3DES CMAC tests */
620 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
621 0,
622 16,
623 20,
624 32
625 };
626
627 /* CMAC-TDES (Generation) - 2 Key Test Data */
628 static const unsigned char des3_2key_key[24] = {
629 /* Key1 */
630 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
631 /* Key2 */
632 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
633 /* Key3 */
634 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
635 };
636 static const unsigned char des3_2key_subkeys[2][8] = {
637 {
638 /* K1 */
639 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
640 },
641 {
642 /* K2 */
643 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
644 }
645 };
646 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
647 {
648 /* Sample #1 */
649 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
650 },
651 {
652 /* Sample #2 */
653 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
654 },
655 {
656 /* Sample #3 */
657 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
658 },
659 {
660 /* Sample #4 */
661 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
662 }
663 };
664
665 /* CMAC-TDES (Generation) - 3 Key Test Data */
666 static const unsigned char des3_3key_key[24] = {
667 /* Key1 */
668 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
669 /* Key2 */
670 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
671 /* Key3 */
672 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
673 };
674 static const unsigned char des3_3key_subkeys[2][8] = {
675 {
676 /* K1 */
677 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
678 },
679 {
680 /* K2 */
681 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
682 }
683 };
684 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
685 {
686 /* Sample #1 */
687 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
688 },
689 {
690 /* Sample #2 */
691 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
692 },
693 {
694 /* Sample #3 */
695 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
696 },
697 {
698 /* Sample #4 */
699 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
700 }
701 };
702
703 #endif /* MBEDTLS_DES_C */
704
705 #if defined(MBEDTLS_AES_C)
706 /* AES AES-CMAC-PRF-128 Test Data */
707 static const unsigned char PRFK[] = {
708 /* Key */
709 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
710 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
711 0xed, 0xcb
712 };
713
714 /* Sizes in bytes */
715 static const size_t PRFKlen[NB_PRF_TESTS] = {
716 18,
717 16,
718 10
719 };
720
721 /* Message */
722 static const unsigned char PRFM[] = {
723 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
724 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
725 0x10, 0x11, 0x12, 0x13
726 };
727
728 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
729 {
730 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
731 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
732 },
733 {
734 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
735 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
736 },
737 {
738 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
739 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
740 }
741 };
742 #endif /* MBEDTLS_AES_C */
743
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)744 static int cmac_test_subkeys( int verbose,
745 const char* testname,
746 const unsigned char* key,
747 int keybits,
748 const unsigned char* subkeys,
749 mbedtls_cipher_type_t cipher_type,
750 int block_size,
751 int num_tests )
752 {
753 int i, ret = 0;
754 mbedtls_cipher_context_t ctx;
755 const mbedtls_cipher_info_t *cipher_info;
756 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
757 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
758
759 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
760 if( cipher_info == NULL )
761 {
762 /* Failing at this point must be due to a build issue */
763 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
764 }
765
766 for( i = 0; i < num_tests; i++ )
767 {
768 if( verbose != 0 )
769 mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 );
770
771 mbedtls_cipher_init( &ctx );
772
773 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
774 {
775 if( verbose != 0 )
776 mbedtls_printf( "test execution failed\n" );
777
778 goto cleanup;
779 }
780
781 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
782 MBEDTLS_ENCRYPT ) ) != 0 )
783 {
784 /* When CMAC is implemented by an alternative implementation, or
785 * the underlying primitive itself is implemented alternatively,
786 * AES-192 may be unavailable. This should not cause the selftest
787 * function to fail. */
788 if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
789 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
790 cipher_type == MBEDTLS_CIPHER_AES_192_ECB ) {
791 if( verbose != 0 )
792 mbedtls_printf( "skipped\n" );
793 goto next_test;
794 }
795
796 if( verbose != 0 )
797 mbedtls_printf( "test execution failed\n" );
798
799 goto cleanup;
800 }
801
802 ret = cmac_generate_subkeys( &ctx, K1, K2 );
803 if( ret != 0 )
804 {
805 if( verbose != 0 )
806 mbedtls_printf( "failed\n" );
807
808 goto cleanup;
809 }
810
811 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
812 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
813 {
814 if( verbose != 0 )
815 mbedtls_printf( "failed\n" );
816
817 goto cleanup;
818 }
819
820 if( verbose != 0 )
821 mbedtls_printf( "passed\n" );
822
823 next_test:
824 mbedtls_cipher_free( &ctx );
825 }
826
827 ret = 0;
828 goto exit;
829
830 cleanup:
831 mbedtls_cipher_free( &ctx );
832
833 exit:
834 return( ret );
835 }
836
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)837 static int cmac_test_wth_cipher( int verbose,
838 const char* testname,
839 const unsigned char* key,
840 int keybits,
841 const unsigned char* messages,
842 const unsigned int message_lengths[4],
843 const unsigned char* expected_result,
844 mbedtls_cipher_type_t cipher_type,
845 int block_size,
846 int num_tests )
847 {
848 const mbedtls_cipher_info_t *cipher_info;
849 int i, ret = 0;
850 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
851
852 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
853 if( cipher_info == NULL )
854 {
855 /* Failing at this point must be due to a build issue */
856 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
857 goto exit;
858 }
859
860 for( i = 0; i < num_tests; i++ )
861 {
862 if( verbose != 0 )
863 mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 );
864
865 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
866 message_lengths[i], output ) ) != 0 )
867 {
868 /* When CMAC is implemented by an alternative implementation, or
869 * the underlying primitive itself is implemented alternatively,
870 * AES-192 and/or 3DES may be unavailable. This should not cause
871 * the selftest function to fail. */
872 if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
873 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
874 ( cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
875 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB ) ) {
876 if( verbose != 0 )
877 mbedtls_printf( "skipped\n" );
878 continue;
879 }
880
881 if( verbose != 0 )
882 mbedtls_printf( "failed\n" );
883 goto exit;
884 }
885
886 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
887 {
888 if( verbose != 0 )
889 mbedtls_printf( "failed\n" );
890 goto exit;
891 }
892
893 if( verbose != 0 )
894 mbedtls_printf( "passed\n" );
895 }
896 ret = 0;
897
898 exit:
899 return( ret );
900 }
901
902 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)903 static int test_aes128_cmac_prf( int verbose )
904 {
905 int i;
906 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
907 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
908
909 for( i = 0; i < NB_PRF_TESTS; i++ )
910 {
911 mbedtls_printf( " AES CMAC 128 PRF #%d: ", i );
912 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
913 if( ret != 0 ||
914 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
915 {
916
917 if( verbose != 0 )
918 mbedtls_printf( "failed\n" );
919
920 return( ret );
921 }
922 else if( verbose != 0 )
923 {
924 mbedtls_printf( "passed\n" );
925 }
926 }
927 return( ret );
928 }
929 #endif /* MBEDTLS_AES_C */
930
mbedtls_cmac_self_test(int verbose)931 int mbedtls_cmac_self_test( int verbose )
932 {
933 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
934
935 #if defined(MBEDTLS_AES_C)
936 /* AES-128 */
937 if( ( ret = cmac_test_subkeys( verbose,
938 "AES 128",
939 aes_128_key,
940 128,
941 (const unsigned char*)aes_128_subkeys,
942 MBEDTLS_CIPHER_AES_128_ECB,
943 MBEDTLS_AES_BLOCK_SIZE,
944 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
945 {
946 return( ret );
947 }
948
949 if( ( ret = cmac_test_wth_cipher( verbose,
950 "AES 128",
951 aes_128_key,
952 128,
953 test_message,
954 aes_message_lengths,
955 (const unsigned char*)aes_128_expected_result,
956 MBEDTLS_CIPHER_AES_128_ECB,
957 MBEDTLS_AES_BLOCK_SIZE,
958 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
959 {
960 return( ret );
961 }
962
963 /* AES-192 */
964 if( ( ret = cmac_test_subkeys( verbose,
965 "AES 192",
966 aes_192_key,
967 192,
968 (const unsigned char*)aes_192_subkeys,
969 MBEDTLS_CIPHER_AES_192_ECB,
970 MBEDTLS_AES_BLOCK_SIZE,
971 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
972 {
973 return( ret );
974 }
975
976 if( ( ret = cmac_test_wth_cipher( verbose,
977 "AES 192",
978 aes_192_key,
979 192,
980 test_message,
981 aes_message_lengths,
982 (const unsigned char*)aes_192_expected_result,
983 MBEDTLS_CIPHER_AES_192_ECB,
984 MBEDTLS_AES_BLOCK_SIZE,
985 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
986 {
987 return( ret );
988 }
989
990 /* AES-256 */
991 if( ( ret = cmac_test_subkeys( verbose,
992 "AES 256",
993 aes_256_key,
994 256,
995 (const unsigned char*)aes_256_subkeys,
996 MBEDTLS_CIPHER_AES_256_ECB,
997 MBEDTLS_AES_BLOCK_SIZE,
998 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
999 {
1000 return( ret );
1001 }
1002
1003 if( ( ret = cmac_test_wth_cipher ( verbose,
1004 "AES 256",
1005 aes_256_key,
1006 256,
1007 test_message,
1008 aes_message_lengths,
1009 (const unsigned char*)aes_256_expected_result,
1010 MBEDTLS_CIPHER_AES_256_ECB,
1011 MBEDTLS_AES_BLOCK_SIZE,
1012 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1013 {
1014 return( ret );
1015 }
1016 #endif /* MBEDTLS_AES_C */
1017
1018 #if defined(MBEDTLS_DES_C)
1019 /* 3DES 2 key */
1020 if( ( ret = cmac_test_subkeys( verbose,
1021 "3DES 2 key",
1022 des3_2key_key,
1023 192,
1024 (const unsigned char*)des3_2key_subkeys,
1025 MBEDTLS_CIPHER_DES_EDE3_ECB,
1026 MBEDTLS_DES3_BLOCK_SIZE,
1027 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1028 {
1029 return( ret );
1030 }
1031
1032 if( ( ret = cmac_test_wth_cipher( verbose,
1033 "3DES 2 key",
1034 des3_2key_key,
1035 192,
1036 test_message,
1037 des3_message_lengths,
1038 (const unsigned char*)des3_2key_expected_result,
1039 MBEDTLS_CIPHER_DES_EDE3_ECB,
1040 MBEDTLS_DES3_BLOCK_SIZE,
1041 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1042 {
1043 return( ret );
1044 }
1045
1046 /* 3DES 3 key */
1047 if( ( ret = cmac_test_subkeys( verbose,
1048 "3DES 3 key",
1049 des3_3key_key,
1050 192,
1051 (const unsigned char*)des3_3key_subkeys,
1052 MBEDTLS_CIPHER_DES_EDE3_ECB,
1053 MBEDTLS_DES3_BLOCK_SIZE,
1054 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1055 {
1056 return( ret );
1057 }
1058
1059 if( ( ret = cmac_test_wth_cipher( verbose,
1060 "3DES 3 key",
1061 des3_3key_key,
1062 192,
1063 test_message,
1064 des3_message_lengths,
1065 (const unsigned char*)des3_3key_expected_result,
1066 MBEDTLS_CIPHER_DES_EDE3_ECB,
1067 MBEDTLS_DES3_BLOCK_SIZE,
1068 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1069 {
1070 return( ret );
1071 }
1072 #endif /* MBEDTLS_DES_C */
1073
1074 #if defined(MBEDTLS_AES_C)
1075 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1076 return( ret );
1077 #endif /* MBEDTLS_AES_C */
1078
1079 if( verbose != 0 )
1080 mbedtls_printf( "\n" );
1081
1082 return( 0 );
1083 }
1084
1085 #endif /* MBEDTLS_SELF_TEST */
1086
1087 #endif /* MBEDTLS_CMAC_C */
1088
