1 /*
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24 /*
25 * References:
26 *
27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28 * CMAC Mode for Authentication
29 * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38b.pdf
30 *
31 * - RFC 4493 - The AES-CMAC Algorithm
32 * https://tools.ietf.org/html/rfc4493
33 *
34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36 * Algorithm for the Internet Key Exchange Protocol (IKE)
37 * https://tools.ietf.org/html/rfc4615
38 *
39 * Additional test vectors: ISO/IEC 9797-1
40 *
41 */
42
43 #if !defined(MBEDTLS_CONFIG_FILE)
44 #include "mbedtls/config.h"
45 #else
46 #include MBEDTLS_CONFIG_FILE
47 #endif
48
49 #if defined(MBEDTLS_CMAC_C)
50
51 #include "mbedtls/cmac.h"
52
53 #include <string.h>
54
55
56 #if defined(MBEDTLS_PLATFORM_C)
57 #include "mbedtls/platform.h"
58 #else
59 #include <stdlib.h>
60 #define mbedtls_calloc calloc
61 #define mbedtls_free free
62 #if defined(MBEDTLS_SELF_TEST)
63 #include <stdio.h>
64 #define mbedtls_printf printf
65 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C || MBEDTLS_DES_C */
66 #endif /* MBEDTLS_PLATFORM_C */
67
68 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)69 static void mbedtls_zeroize( void *v, size_t n ) {
70 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
71 }
72
73 /*
74 * Multiplication by u in the Galois field of GF(2^n)
75 *
76 * As explained in NIST SP 800-38B, this can be computed:
77 *
78 * If MSB(p) = 0, then p = (p << 1)
79 * If MSB(p) = 1, then p = (p << 1) ^ R_n
80 * with R_64 = 0x1B and R_128 = 0x87
81 *
82 * Input and output MUST NOT point to the same buffer
83 * Block size must be 8 byes or 16 bytes - the block sizes for DES and AES.
84 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)85 static int cmac_multiply_by_u( unsigned char *output,
86 const unsigned char *input,
87 size_t blocksize )
88 {
89 const unsigned char R_128 = 0x87;
90 const unsigned char R_64 = 0x1B;
91 unsigned char R_n, mask;
92 unsigned char overflow = 0x00;
93 int i;
94
95 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
96 {
97 R_n = R_128;
98 }
99 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
100 {
101 R_n = R_64;
102 }
103 else
104 {
105 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
106 }
107
108 for( i = blocksize - 1; i >= 0; i-- )
109 {
110 output[i] = input[i] << 1 | overflow;
111 overflow = input[i] >> 7;
112 }
113
114 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
115 * using bit operations to avoid branches */
116
117 /* MSVC has a warning about unary minus on unsigned, but this is
118 * well-defined and precisely what we want to do here */
119 #if defined(_MSC_VER)
120 #pragma warning( push )
121 #pragma warning( disable : 4146 )
122 #endif
123 mask = - ( input[0] >> 7 );
124 #if defined(_MSC_VER)
125 #pragma warning( pop )
126 #endif
127
128 output[ blocksize - 1 ] ^= R_n & mask;
129
130 return( 0 );
131 }
132
133 /*
134 * Generate subkeys
135 *
136 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
137 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)138 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
139 unsigned char* K1, unsigned char* K2 )
140 {
141 int ret;
142 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
143 size_t olen, block_size;
144
145 mbedtls_zeroize( L, sizeof( L ) );
146
147 block_size = ctx->cipher_info->block_size;
148
149 /* Calculate Ek(0) */
150 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
151 goto exit;
152
153 /*
154 * Generate K1 and K2
155 */
156 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
157 goto exit;
158
159 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
160 goto exit;
161
162 exit:
163 mbedtls_zeroize( L, sizeof( L ) );
164
165 return( ret );
166 }
167
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)168 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
169 const unsigned char *input2,
170 const size_t block_size )
171 {
172 size_t index;
173
174 for( index = 0; index < block_size; index++ )
175 output[ index ] = input1[ index ] ^ input2[ index ];
176 }
177
178 /*
179 * Create padded last block from (partial) last block.
180 *
181 * We can't use the padding option from the cipher layer, as it only works for
182 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
183 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)184 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
185 size_t padded_block_len,
186 const unsigned char *last_block,
187 size_t last_block_len )
188 {
189 size_t j;
190
191 for( j = 0; j < padded_block_len; j++ )
192 {
193 if( j < last_block_len )
194 padded_block[j] = last_block[j];
195 else if( j == last_block_len )
196 padded_block[j] = 0x80;
197 else
198 padded_block[j] = 0x00;
199 }
200 }
201
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)202 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
203 const unsigned char *key, size_t keybits )
204 {
205 mbedtls_cipher_type_t type;
206 mbedtls_cmac_context_t *cmac_ctx;
207 int retval;
208
209 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
210 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
211
212 if( ( retval = mbedtls_cipher_setkey( ctx, key, keybits,
213 MBEDTLS_ENCRYPT ) ) != 0 )
214 return( retval );
215
216 type = ctx->cipher_info->type;
217
218 switch( type )
219 {
220 case MBEDTLS_CIPHER_AES_128_ECB:
221 case MBEDTLS_CIPHER_AES_192_ECB:
222 case MBEDTLS_CIPHER_AES_256_ECB:
223 case MBEDTLS_CIPHER_DES_EDE3_ECB:
224 break;
225 default:
226 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
227 }
228
229 /* Allocated and initialise in the cipher context memory for the CMAC
230 * context */
231 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
232 if( cmac_ctx == NULL )
233 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
234
235 ctx->cmac_ctx = cmac_ctx;
236
237 mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
238
239 return 0;
240 }
241
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)242 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
243 const unsigned char *input, size_t ilen )
244 {
245 mbedtls_cmac_context_t* cmac_ctx;
246 unsigned char *state;
247 int n, j, ret = 0;
248 size_t olen, block_size;
249
250 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
251 ctx->cmac_ctx == NULL )
252 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
253
254 cmac_ctx = ctx->cmac_ctx;
255 block_size = ctx->cipher_info->block_size;
256 state = ctx->cmac_ctx->state;
257
258 /* Is there data still to process from the last call, that's greater in
259 * size than a block? */
260 if( cmac_ctx->unprocessed_len > 0 &&
261 ilen > block_size - cmac_ctx->unprocessed_len )
262 {
263 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
264 input,
265 block_size - cmac_ctx->unprocessed_len );
266
267 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
268
269 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
270 &olen ) ) != 0 )
271 {
272 goto exit;
273 }
274
275 input += block_size - cmac_ctx->unprocessed_len;
276 ilen -= block_size - cmac_ctx->unprocessed_len;
277 cmac_ctx->unprocessed_len = 0;
278 }
279
280 /* n is the number of blocks including any final partial block */
281 n = ( ilen + block_size - 1 ) / block_size;
282
283 /* Iterate across the input data in block sized chunks */
284 for( j = 0; j < n - 1; j++ )
285 {
286 cmac_xor_block( state, input, state, block_size );
287
288 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
289 &olen ) ) != 0 )
290 goto exit;
291
292 ilen -= block_size;
293 input += block_size;
294 }
295
296 /* If there is data left over that wasn't aligned to a block */
297 if( ilen > 0 )
298 {
299 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
300 input,
301 ilen );
302 cmac_ctx->unprocessed_len += ilen;
303 }
304
305 exit:
306 return( ret );
307 }
308
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)309 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
310 unsigned char *output )
311 {
312 mbedtls_cmac_context_t* cmac_ctx;
313 unsigned char *state, *last_block;
314 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
315 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
316 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
317 int ret;
318 size_t olen, block_size;
319
320 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
321 output == NULL )
322 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
323
324 cmac_ctx = ctx->cmac_ctx;
325 block_size = ctx->cipher_info->block_size;
326 state = cmac_ctx->state;
327
328 mbedtls_zeroize( K1, sizeof( K1 ) );
329 mbedtls_zeroize( K2, sizeof( K2 ) );
330 cmac_generate_subkeys( ctx, K1, K2 );
331
332 last_block = cmac_ctx->unprocessed_block;
333
334 /* Calculate last block */
335 if( cmac_ctx->unprocessed_len < block_size )
336 {
337 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
338 cmac_xor_block( M_last, M_last, K2, block_size );
339 }
340 else
341 {
342 /* Last block is complete block */
343 cmac_xor_block( M_last, last_block, K1, block_size );
344 }
345
346
347 cmac_xor_block( state, M_last, state, block_size );
348 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
349 &olen ) ) != 0 )
350 {
351 goto exit;
352 }
353
354 memcpy( output, state, block_size );
355
356 exit:
357 /* Wipe the generated keys on the stack, and any other transients to avoid
358 * side channel leakage */
359 mbedtls_zeroize( K1, sizeof( K1 ) );
360 mbedtls_zeroize( K2, sizeof( K2 ) );
361
362 cmac_ctx->unprocessed_len = 0;
363 mbedtls_zeroize( cmac_ctx->unprocessed_block,
364 sizeof( cmac_ctx->unprocessed_block ) );
365
366 mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
367 return( ret );
368 }
369
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)370 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
371 {
372 mbedtls_cmac_context_t* cmac_ctx;
373
374 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
375 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
376
377 cmac_ctx = ctx->cmac_ctx;
378
379 /* Reset the internal state */
380 cmac_ctx->unprocessed_len = 0;
381 mbedtls_zeroize( cmac_ctx->unprocessed_block,
382 sizeof( cmac_ctx->unprocessed_block ) );
383 mbedtls_zeroize( cmac_ctx->state,
384 sizeof( cmac_ctx->state ) );
385
386 return( 0 );
387 }
388
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)389 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
390 const unsigned char *key, size_t keylen,
391 const unsigned char *input, size_t ilen,
392 unsigned char *output )
393 {
394 mbedtls_cipher_context_t ctx;
395 int ret;
396
397 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
398 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
399
400 mbedtls_cipher_init( &ctx );
401
402 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
403 goto exit;
404
405 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
406 if( ret != 0 )
407 goto exit;
408
409 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
410 if( ret != 0 )
411 goto exit;
412
413 ret = mbedtls_cipher_cmac_finish( &ctx, output );
414
415 exit:
416 mbedtls_cipher_free( &ctx );
417
418 return( ret );
419 }
420
421 #if defined(MBEDTLS_AES_C)
422 /*
423 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
424 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char * output)425 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
426 const unsigned char *input, size_t in_len,
427 unsigned char *output )
428 {
429 int ret;
430 const mbedtls_cipher_info_t *cipher_info;
431 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
432 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
433
434 if( key == NULL || input == NULL || output == NULL )
435 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
436
437 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
438 if( cipher_info == NULL )
439 {
440 /* Failing at this point must be due to a build issue */
441 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
442 goto exit;
443 }
444
445 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
446 {
447 /* Use key as is */
448 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
449 }
450 else
451 {
452 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
453
454 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
455 key_length, int_key );
456 if( ret != 0 )
457 goto exit;
458 }
459
460 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
461 output );
462
463 exit:
464 mbedtls_zeroize( int_key, sizeof( int_key ) );
465
466 return( ret );
467 }
468 #endif /* MBEDTLS_AES_C */
469
470 #if defined(MBEDTLS_SELF_TEST)
471 /*
472 * CMAC test data from SP800-38B Appendix D.1 (corrected)
473 * http://csrc.nist.gov/publications/nistpubs/800-38B/Updated_CMAC_Examples.pdf
474 *
475 * AES-CMAC-PRF-128 test data from RFC 4615
476 * https://tools.ietf.org/html/rfc4615#page-4
477 */
478
479 #define NB_CMAC_TESTS_PER_KEY 4
480 #define NB_PRF_TESTS 3
481
482 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
483 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
484 static const unsigned char test_message[] = {
485 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
486 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
487 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
488 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
489 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
490 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
491 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
492 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
493 };
494 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
495
496 #if defined(MBEDTLS_AES_C)
497 /* Truncation point of message for AES CMAC tests */
498 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
499 0,
500 16,
501 40,
502 64
503 };
504
505 /* AES 128 CMAC Test Data */
506 static const unsigned char aes_128_key[16] = {
507 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
508 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
509 };
510 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
511 {
512 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
513 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
514 },
515 {
516 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
517 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
518 }
519 };
520 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
521 {
522 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
523 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
524 },
525 {
526 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
527 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
528 },
529 {
530 0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
531 0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27
532 },
533 {
534 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
535 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
536 }
537 };
538
539 /* AES 192 CMAC Test Data */
540 static const unsigned char aes_192_key[24] = {
541 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
542 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
543 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
544 };
545 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
546 {
547 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
548 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
549 },
550 {
551 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
552 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
553 }
554 };
555 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
556 {
557 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
558 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
559 },
560 {
561 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
562 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
563 },
564 {
565 0x8a, 0x1d, 0xe5, 0xbe, 0x2e, 0xb3, 0x1a, 0xad,
566 0x08, 0x9a, 0x82, 0xe6, 0xee, 0x90, 0x8b, 0x0e
567 },
568 {
569 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
570 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
571 }
572 };
573
574 /* AES 256 CMAC Test Data */
575 static const unsigned char aes_256_key[32] = {
576 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
577 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
578 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
579 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
580 };
581 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
582 {
583 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
584 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
585 },
586 {
587 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
588 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
589 }
590 };
591 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
592 {
593 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
594 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
595 },
596 {
597 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
598 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
599 },
600 {
601 0xaa, 0xf3, 0xd8, 0xf1, 0xde, 0x56, 0x40, 0xc2,
602 0x32, 0xf5, 0xb1, 0x69, 0xb9, 0xc9, 0x11, 0xe6
603 },
604 {
605 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
606 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
607 }
608 };
609 #endif /* MBEDTLS_AES_C */
610
611 #if defined(MBEDTLS_DES_C)
612 /* Truncation point of message for 3DES CMAC tests */
613 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
614 0,
615 8,
616 20,
617 32
618 };
619
620 /* 3DES 2 Key CMAC Test Data */
621 static const unsigned char des3_2key_key[24] = {
622 0x4c, 0xf1, 0x51, 0x34, 0xa2, 0x85, 0x0d, 0xd5,
623 0x8a, 0x3d, 0x10, 0xba, 0x80, 0x57, 0x0d, 0x38,
624 0x4c, 0xf1, 0x51, 0x34, 0xa2, 0x85, 0x0d, 0xd5
625 };
626 static const unsigned char des3_2key_subkeys[2][8] = {
627 {
628 0x8e, 0xcf, 0x37, 0x3e, 0xd7, 0x1a, 0xfa, 0xef
629 },
630 {
631 0x1d, 0x9e, 0x6e, 0x7d, 0xae, 0x35, 0xf5, 0xc5
632 }
633 };
634 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
635 {
636 0xbd, 0x2e, 0xbf, 0x9a, 0x3b, 0xa0, 0x03, 0x61
637 },
638 {
639 0x4f, 0xf2, 0xab, 0x81, 0x3c, 0x53, 0xce, 0x83
640 },
641 {
642 0x62, 0xdd, 0x1b, 0x47, 0x19, 0x02, 0xbd, 0x4e
643 },
644 {
645 0x31, 0xb1, 0xe4, 0x31, 0xda, 0xbc, 0x4e, 0xb8
646 }
647 };
648
649 /* 3DES 3 Key CMAC Test Data */
650 static const unsigned char des3_3key_key[24] = {
651 0x8a, 0xa8, 0x3b, 0xf8, 0xcb, 0xda, 0x10, 0x62,
652 0x0b, 0xc1, 0xbf, 0x19, 0xfb, 0xb6, 0xcd, 0x58,
653 0xbc, 0x31, 0x3d, 0x4a, 0x37, 0x1c, 0xa8, 0xb5
654 };
655 static const unsigned char des3_3key_subkeys[2][8] = {
656 {
657 0x91, 0x98, 0xe9, 0xd3, 0x14, 0xe6, 0x53, 0x5f
658 },
659 {
660 0x23, 0x31, 0xd3, 0xa6, 0x29, 0xcc, 0xa6, 0xa5
661 }
662 };
663 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
664 {
665 0xb7, 0xa6, 0x88, 0xe1, 0x22, 0xff, 0xaf, 0x95
666 },
667 {
668 0x8e, 0x8f, 0x29, 0x31, 0x36, 0x28, 0x37, 0x97
669 },
670 {
671 0x74, 0x3d, 0xdb, 0xe0, 0xce, 0x2d, 0xc2, 0xed
672 },
673 {
674 0x33, 0xe6, 0xb1, 0x09, 0x24, 0x00, 0xea, 0xe5
675 }
676 };
677
678 #endif /* MBEDTLS_DES_C */
679
680 #if defined(MBEDTLS_AES_C)
681 /* AES AES-CMAC-PRF-128 Test Data */
682 static const unsigned char PRFK[] = {
683 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
684 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
685 0xed, 0xcb
686 };
687
688 /* Sizes in bytes */
689 static const size_t PRFKlen[NB_PRF_TESTS] = {
690 18,
691 16,
692 10
693 };
694
695 /* PRF M */
696 static const unsigned char PRFM[] = {
697 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
698 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
699 0x10, 0x11, 0x12, 0x13
700 };
701
702 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
703 {
704 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
705 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
706 },
707 {
708 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
709 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
710 },
711 {
712 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
713 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
714 }
715 };
716 #endif /* MBEDTLS_AES_C */
717
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)718 static int cmac_test_subkeys( int verbose,
719 const char* testname,
720 const unsigned char* key,
721 int keybits,
722 const unsigned char* subkeys,
723 mbedtls_cipher_type_t cipher_type,
724 int block_size,
725 int num_tests )
726 {
727 int i, ret;
728 mbedtls_cipher_context_t ctx;
729 const mbedtls_cipher_info_t *cipher_info;
730 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
731 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
732
733 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
734 if( cipher_info == NULL )
735 {
736 /* Failing at this point must be due to a build issue */
737 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
738 }
739
740 for( i = 0; i < num_tests; i++ )
741 {
742 if( verbose != 0 )
743 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
744
745 mbedtls_cipher_init( &ctx );
746
747 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
748 {
749 if( verbose != 0 )
750 mbedtls_printf( "test execution failed\n" );
751
752 goto cleanup;
753 }
754
755 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
756 MBEDTLS_ENCRYPT ) ) != 0 )
757 {
758 if( verbose != 0 )
759 mbedtls_printf( "test execution failed\n" );
760
761 goto cleanup;
762 }
763
764 ret = cmac_generate_subkeys( &ctx, K1, K2 );
765 if( ret != 0 )
766 {
767 if( verbose != 0 )
768 mbedtls_printf( "failed\n" );
769
770 goto cleanup;
771 }
772
773 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
774 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
775 {
776 if( verbose != 0 )
777 mbedtls_printf( "failed\n" );
778
779 goto cleanup;
780 }
781
782 if( verbose != 0 )
783 mbedtls_printf( "passed\n" );
784
785 mbedtls_cipher_free( &ctx );
786 }
787
788 goto exit;
789
790 cleanup:
791 mbedtls_cipher_free( &ctx );
792
793 exit:
794 return( ret );
795 }
796
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)797 static int cmac_test_wth_cipher( int verbose,
798 const char* testname,
799 const unsigned char* key,
800 int keybits,
801 const unsigned char* messages,
802 const unsigned int message_lengths[4],
803 const unsigned char* expected_result,
804 mbedtls_cipher_type_t cipher_type,
805 int block_size,
806 int num_tests )
807 {
808 const mbedtls_cipher_info_t *cipher_info;
809 int i, ret;
810 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
811
812 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
813 if( cipher_info == NULL )
814 {
815 /* Failing at this point must be due to a build issue */
816 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
817 goto exit;
818 }
819
820 for( i = 0; i < num_tests; i++ )
821 {
822 if( verbose != 0 )
823 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
824
825 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
826 message_lengths[i], output ) ) != 0 )
827 {
828 if( verbose != 0 )
829 mbedtls_printf( "failed\n" );
830 goto exit;
831 }
832
833 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
834 {
835 if( verbose != 0 )
836 mbedtls_printf( "failed\n" );
837 goto exit;
838 }
839
840 if( verbose != 0 )
841 mbedtls_printf( "passed\n" );
842 }
843
844 exit:
845 return( ret );
846 }
847
848 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)849 static int test_aes128_cmac_prf( int verbose )
850 {
851 int i;
852 int ret;
853 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
854
855 for( i = 0; i < NB_PRF_TESTS; i++ )
856 {
857 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
858 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
859 if( ret != 0 ||
860 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
861 {
862
863 if( verbose != 0 )
864 mbedtls_printf( "failed\n" );
865
866 return( ret );
867 }
868 else if( verbose != 0 )
869 {
870 mbedtls_printf( "passed\n" );
871 }
872 }
873 return( ret );
874 }
875 #endif /* MBEDTLS_AES_C */
876
mbedtls_cmac_self_test(int verbose)877 int mbedtls_cmac_self_test( int verbose )
878 {
879 int ret;
880
881 #if defined(MBEDTLS_AES_C)
882 /* AES-128 */
883 if( ( ret = cmac_test_subkeys( verbose,
884 "AES 128",
885 aes_128_key,
886 128,
887 (const unsigned char*)aes_128_subkeys,
888 MBEDTLS_CIPHER_AES_128_ECB,
889 MBEDTLS_AES_BLOCK_SIZE,
890 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
891 {
892 return( ret );
893 }
894
895 if( ( ret = cmac_test_wth_cipher( verbose,
896 "AES 128",
897 aes_128_key,
898 128,
899 test_message,
900 aes_message_lengths,
901 (const unsigned char*)aes_128_expected_result,
902 MBEDTLS_CIPHER_AES_128_ECB,
903 MBEDTLS_AES_BLOCK_SIZE,
904 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
905 {
906 return( ret );
907 }
908
909 /* AES-192 */
910 if( ( ret = cmac_test_subkeys( verbose,
911 "AES 192",
912 aes_192_key,
913 192,
914 (const unsigned char*)aes_192_subkeys,
915 MBEDTLS_CIPHER_AES_192_ECB,
916 MBEDTLS_AES_BLOCK_SIZE,
917 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
918 {
919 return( ret );
920 }
921
922 if( ( ret = cmac_test_wth_cipher( verbose,
923 "AES 192",
924 aes_192_key,
925 192,
926 test_message,
927 aes_message_lengths,
928 (const unsigned char*)aes_192_expected_result,
929 MBEDTLS_CIPHER_AES_192_ECB,
930 MBEDTLS_AES_BLOCK_SIZE,
931 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
932 {
933 return( ret );
934 }
935
936 /* AES-256 */
937 if( ( ret = cmac_test_subkeys( verbose,
938 "AES 256",
939 aes_256_key,
940 256,
941 (const unsigned char*)aes_256_subkeys,
942 MBEDTLS_CIPHER_AES_256_ECB,
943 MBEDTLS_AES_BLOCK_SIZE,
944 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
945 {
946 return( ret );
947 }
948
949 if( ( ret = cmac_test_wth_cipher ( verbose,
950 "AES 256",
951 aes_256_key,
952 256,
953 test_message,
954 aes_message_lengths,
955 (const unsigned char*)aes_256_expected_result,
956 MBEDTLS_CIPHER_AES_256_ECB,
957 MBEDTLS_AES_BLOCK_SIZE,
958 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
959 {
960 return( ret );
961 }
962 #endif /* MBEDTLS_AES_C */
963
964 #if defined(MBEDTLS_DES_C)
965 /* 3DES 2 key */
966 if( ( ret = cmac_test_subkeys( verbose,
967 "3DES 2 key",
968 des3_2key_key,
969 192,
970 (const unsigned char*)des3_2key_subkeys,
971 MBEDTLS_CIPHER_DES_EDE3_ECB,
972 MBEDTLS_DES3_BLOCK_SIZE,
973 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
974 {
975 return( ret );
976 }
977
978 if( ( ret = cmac_test_wth_cipher( verbose,
979 "3DES 2 key",
980 des3_2key_key,
981 192,
982 test_message,
983 des3_message_lengths,
984 (const unsigned char*)des3_2key_expected_result,
985 MBEDTLS_CIPHER_DES_EDE3_ECB,
986 MBEDTLS_DES3_BLOCK_SIZE,
987 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
988 {
989 return( ret );
990 }
991
992 /* 3DES 3 key */
993 if( ( ret = cmac_test_subkeys( verbose,
994 "3DES 3 key",
995 des3_3key_key,
996 192,
997 (const unsigned char*)des3_3key_subkeys,
998 MBEDTLS_CIPHER_DES_EDE3_ECB,
999 MBEDTLS_DES3_BLOCK_SIZE,
1000 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1001 {
1002 return( ret );
1003 }
1004
1005 if( ( ret = cmac_test_wth_cipher( verbose,
1006 "3DES 3 key",
1007 des3_3key_key,
1008 192,
1009 test_message,
1010 des3_message_lengths,
1011 (const unsigned char*)des3_3key_expected_result,
1012 MBEDTLS_CIPHER_DES_EDE3_ECB,
1013 MBEDTLS_DES3_BLOCK_SIZE,
1014 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1015 {
1016 return( ret );
1017 }
1018 #endif /* MBEDTLS_DES_C */
1019
1020 #if defined(MBEDTLS_AES_C)
1021 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1022 return( ret );
1023 #endif /* MBEDTLS_AES_C */
1024
1025 if( verbose != 0 )
1026 mbedtls_printf( "\n" );
1027
1028 return( 0 );
1029 }
1030
1031 #endif /* MBEDTLS_SELF_TEST */
1032
1033 #endif /* MBEDTLS_CMAC_C */
1034
