1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: GPL-2.0
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 *
23 * This file is part of mbed TLS (https://tls.mbed.org)
24 */
25
26 /*
27 * References:
28 *
29 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
30 * CMAC Mode for Authentication
31 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
32 *
33 * - RFC 4493 - The AES-CMAC Algorithm
34 * https://tools.ietf.org/html/rfc4493
35 *
36 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
37 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
38 * Algorithm for the Internet Key Exchange Protocol (IKE)
39 * https://tools.ietf.org/html/rfc4615
40 *
41 * Additional test vectors: ISO/IEC 9797-1
42 *
43 */
44
45 #if !defined(MBEDTLS_CONFIG_FILE)
46 #include "mbedtls/config.h"
47 #else
48 #include MBEDTLS_CONFIG_FILE
49 #endif
50
51 #if defined(MBEDTLS_CMAC_C)
52
53 #include "mbedtls/cmac.h"
54 #include "mbedtls/platform_util.h"
55
56 #include <string.h>
57
58
59 #if defined(MBEDTLS_PLATFORM_C)
60 #include "mbedtls/platform.h"
61 #else
62 #include <stdlib.h>
63 #define mbedtls_calloc calloc
64 #define mbedtls_free free
65 #if defined(MBEDTLS_SELF_TEST)
66 #include <stdio.h>
67 #define mbedtls_printf printf
68 #endif /* MBEDTLS_SELF_TEST */
69 #endif /* MBEDTLS_PLATFORM_C */
70
71 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
72
73 /*
74 * Multiplication by u in the Galois field of GF(2^n)
75 *
76 * As explained in NIST SP 800-38B, this can be computed:
77 *
78 * If MSB(p) = 0, then p = (p << 1)
79 * If MSB(p) = 1, then p = (p << 1) ^ R_n
80 * with R_64 = 0x1B and R_128 = 0x87
81 *
82 * Input and output MUST NOT point to the same buffer
83 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
84 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)85 static int cmac_multiply_by_u( unsigned char *output,
86 const unsigned char *input,
87 size_t blocksize )
88 {
89 const unsigned char R_128 = 0x87;
90 const unsigned char R_64 = 0x1B;
91 unsigned char R_n, mask;
92 unsigned char overflow = 0x00;
93 int i;
94
95 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
96 {
97 R_n = R_128;
98 }
99 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
100 {
101 R_n = R_64;
102 }
103 else
104 {
105 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
106 }
107
108 for( i = (int)blocksize - 1; i >= 0; i-- )
109 {
110 output[i] = input[i] << 1 | overflow;
111 overflow = input[i] >> 7;
112 }
113
114 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
115 * using bit operations to avoid branches */
116
117 /* MSVC has a warning about unary minus on unsigned, but this is
118 * well-defined and precisely what we want to do here */
119 #if defined(_MSC_VER)
120 #pragma warning( push )
121 #pragma warning( disable : 4146 )
122 #endif
123 mask = - ( input[0] >> 7 );
124 #if defined(_MSC_VER)
125 #pragma warning( pop )
126 #endif
127
128 output[ blocksize - 1 ] ^= R_n & mask;
129
130 return( 0 );
131 }
132
133 /*
134 * Generate subkeys
135 *
136 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
137 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)138 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
139 unsigned char* K1, unsigned char* K2 )
140 {
141 int ret;
142 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
143 size_t olen, block_size;
144
145 mbedtls_platform_zeroize( L, sizeof( L ) );
146
147 block_size = ctx->cipher_info->block_size;
148
149 /* Calculate Ek(0) */
150 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
151 goto exit;
152
153 /*
154 * Generate K1 and K2
155 */
156 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
157 goto exit;
158
159 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
160 goto exit;
161
162 exit:
163 mbedtls_platform_zeroize( L, sizeof( L ) );
164
165 return( ret );
166 }
167 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
168
169 #if !defined(MBEDTLS_CMAC_ALT)
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)170 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
171 const unsigned char *input2,
172 const size_t block_size )
173 {
174 size_t idx;
175
176 for( idx = 0; idx < block_size; idx++ )
177 output[ idx ] = input1[ idx ] ^ input2[ idx ];
178 }
179
180 /*
181 * Create padded last block from (partial) last block.
182 *
183 * We can't use the padding option from the cipher layer, as it only works for
184 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
185 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)186 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
187 size_t padded_block_len,
188 const unsigned char *last_block,
189 size_t last_block_len )
190 {
191 size_t j;
192
193 for( j = 0; j < padded_block_len; j++ )
194 {
195 if( j < last_block_len )
196 padded_block[j] = last_block[j];
197 else if( j == last_block_len )
198 padded_block[j] = 0x80;
199 else
200 padded_block[j] = 0x00;
201 }
202 }
203
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)204 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
205 const unsigned char *key, size_t keybits )
206 {
207 mbedtls_cipher_type_t type;
208 mbedtls_cmac_context_t *cmac_ctx;
209 int retval;
210
211 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
212 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
213
214 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
215 MBEDTLS_ENCRYPT ) ) != 0 )
216 return( retval );
217
218 type = ctx->cipher_info->type;
219
220 switch( type )
221 {
222 case MBEDTLS_CIPHER_AES_128_ECB:
223 case MBEDTLS_CIPHER_AES_192_ECB:
224 case MBEDTLS_CIPHER_AES_256_ECB:
225 case MBEDTLS_CIPHER_DES_EDE3_ECB:
226 break;
227 default:
228 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
229 }
230
231 /* Allocated and initialise in the cipher context memory for the CMAC
232 * context */
233 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
234 if( cmac_ctx == NULL )
235 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
236
237 ctx->cmac_ctx = cmac_ctx;
238
239 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
240
241 return 0;
242 }
243
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)244 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
245 const unsigned char *input, size_t ilen )
246 {
247 mbedtls_cmac_context_t* cmac_ctx;
248 unsigned char *state;
249 int ret = 0;
250 size_t n, j, olen, block_size;
251
252 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
253 ctx->cmac_ctx == NULL )
254 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
255
256 cmac_ctx = ctx->cmac_ctx;
257 block_size = ctx->cipher_info->block_size;
258 state = ctx->cmac_ctx->state;
259
260 /* Is there data still to process from the last call, that's greater in
261 * size than a block? */
262 if( cmac_ctx->unprocessed_len > 0 &&
263 ilen > block_size - cmac_ctx->unprocessed_len )
264 {
265 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
266 input,
267 block_size - cmac_ctx->unprocessed_len );
268
269 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
270
271 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
272 &olen ) ) != 0 )
273 {
274 goto exit;
275 }
276
277 input += block_size - cmac_ctx->unprocessed_len;
278 ilen -= block_size - cmac_ctx->unprocessed_len;
279 cmac_ctx->unprocessed_len = 0;
280 }
281
282 /* n is the number of blocks including any final partial block */
283 n = ( ilen + block_size - 1 ) / block_size;
284
285 /* Iterate across the input data in block sized chunks, excluding any
286 * final partial or complete block */
287 for( j = 1; j < n; j++ )
288 {
289 cmac_xor_block( state, input, state, block_size );
290
291 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
292 &olen ) ) != 0 )
293 goto exit;
294
295 ilen -= block_size;
296 input += block_size;
297 }
298
299 /* If there is data left over that wasn't aligned to a block */
300 if( ilen > 0 )
301 {
302 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
303 input,
304 ilen );
305 cmac_ctx->unprocessed_len += ilen;
306 }
307
308 exit:
309 return( ret );
310 }
311
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)312 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
313 unsigned char *output )
314 {
315 mbedtls_cmac_context_t* cmac_ctx;
316 unsigned char *state, *last_block;
317 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
318 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
319 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
320 int ret;
321 size_t olen, block_size;
322
323 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
324 output == NULL )
325 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
326
327 cmac_ctx = ctx->cmac_ctx;
328 block_size = ctx->cipher_info->block_size;
329 state = cmac_ctx->state;
330
331 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
332 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
333 cmac_generate_subkeys( ctx, K1, K2 );
334
335 last_block = cmac_ctx->unprocessed_block;
336
337 /* Calculate last block */
338 if( cmac_ctx->unprocessed_len < block_size )
339 {
340 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
341 cmac_xor_block( M_last, M_last, K2, block_size );
342 }
343 else
344 {
345 /* Last block is complete block */
346 cmac_xor_block( M_last, last_block, K1, block_size );
347 }
348
349
350 cmac_xor_block( state, M_last, state, block_size );
351 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
352 &olen ) ) != 0 )
353 {
354 goto exit;
355 }
356
357 memcpy( output, state, block_size );
358
359 exit:
360 /* Wipe the generated keys on the stack, and any other transients to avoid
361 * side channel leakage */
362 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
363 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
364
365 cmac_ctx->unprocessed_len = 0;
366 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
367 sizeof( cmac_ctx->unprocessed_block ) );
368
369 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
370 return( ret );
371 }
372
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)373 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
374 {
375 mbedtls_cmac_context_t* cmac_ctx;
376
377 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
378 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
379
380 cmac_ctx = ctx->cmac_ctx;
381
382 /* Reset the internal state */
383 cmac_ctx->unprocessed_len = 0;
384 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
385 sizeof( cmac_ctx->unprocessed_block ) );
386 mbedtls_platform_zeroize( cmac_ctx->state,
387 sizeof( cmac_ctx->state ) );
388
389 return( 0 );
390 }
391
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)392 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
393 const unsigned char *key, size_t keylen,
394 const unsigned char *input, size_t ilen,
395 unsigned char *output )
396 {
397 mbedtls_cipher_context_t ctx;
398 int ret;
399
400 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
401 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
402
403 mbedtls_cipher_init( &ctx );
404
405 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
406 goto exit;
407
408 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
409 if( ret != 0 )
410 goto exit;
411
412 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
413 if( ret != 0 )
414 goto exit;
415
416 ret = mbedtls_cipher_cmac_finish( &ctx, output );
417
418 exit:
419 mbedtls_cipher_free( &ctx );
420
421 return( ret );
422 }
423
424 #if defined(MBEDTLS_AES_C)
425 /*
426 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
427 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char * output)428 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
429 const unsigned char *input, size_t in_len,
430 unsigned char *output )
431 {
432 int ret;
433 const mbedtls_cipher_info_t *cipher_info;
434 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
435 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
436
437 if( key == NULL || input == NULL || output == NULL )
438 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
439
440 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
441 if( cipher_info == NULL )
442 {
443 /* Failing at this point must be due to a build issue */
444 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
445 goto exit;
446 }
447
448 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
449 {
450 /* Use key as is */
451 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
452 }
453 else
454 {
455 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
456
457 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
458 key_length, int_key );
459 if( ret != 0 )
460 goto exit;
461 }
462
463 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
464 output );
465
466 exit:
467 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
468
469 return( ret );
470 }
471 #endif /* MBEDTLS_AES_C */
472
473 #endif /* !MBEDTLS_CMAC_ALT */
474
475 #if defined(MBEDTLS_SELF_TEST)
476 /*
477 * CMAC test data for SP800-38B
478 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
479 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
480 *
481 * AES-CMAC-PRF-128 test data from RFC 4615
482 * https://tools.ietf.org/html/rfc4615#page-4
483 */
484
485 #define NB_CMAC_TESTS_PER_KEY 4
486 #define NB_PRF_TESTS 3
487
488 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
489 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
490 static const unsigned char test_message[] = {
491 /* PT */
492 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
493 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
494 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
495 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
496 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
497 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
498 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
499 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
500 };
501 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
502
503 #if defined(MBEDTLS_AES_C)
504 /* Truncation point of message for AES CMAC tests */
505 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
506 /* Mlen */
507 0,
508 16,
509 20,
510 64
511 };
512
513 /* CMAC-AES128 Test Data */
514 static const unsigned char aes_128_key[16] = {
515 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
516 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
517 };
518 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
519 {
520 /* K1 */
521 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
522 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
523 },
524 {
525 /* K2 */
526 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
527 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
528 }
529 };
530 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
531 {
532 /* Example #1 */
533 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
534 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
535 },
536 {
537 /* Example #2 */
538 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
539 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
540 },
541 {
542 /* Example #3 */
543 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
544 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
545 },
546 {
547 /* Example #4 */
548 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
549 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
550 }
551 };
552
553 /* CMAC-AES192 Test Data */
554 static const unsigned char aes_192_key[24] = {
555 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
556 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
557 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
558 };
559 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
560 {
561 /* K1 */
562 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
563 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
564 },
565 {
566 /* K2 */
567 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
568 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
569 }
570 };
571 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
572 {
573 /* Example #1 */
574 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
575 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
576 },
577 {
578 /* Example #2 */
579 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
580 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
581 },
582 {
583 /* Example #3 */
584 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
585 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
586 },
587 {
588 /* Example #4 */
589 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
590 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
591 }
592 };
593
594 /* CMAC-AES256 Test Data */
595 static const unsigned char aes_256_key[32] = {
596 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
597 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
598 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
599 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
600 };
601 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
602 {
603 /* K1 */
604 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
605 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
606 },
607 {
608 /* K2 */
609 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
610 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
611 }
612 };
613 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
614 {
615 /* Example #1 */
616 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
617 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
618 },
619 {
620 /* Example #2 */
621 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
622 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
623 },
624 {
625 /* Example #3 */
626 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
627 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
628 },
629 {
630 /* Example #4 */
631 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
632 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
633 }
634 };
635 #endif /* MBEDTLS_AES_C */
636
637 #if defined(MBEDTLS_DES_C)
638 /* Truncation point of message for 3DES CMAC tests */
639 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
640 0,
641 16,
642 20,
643 32
644 };
645
646 /* CMAC-TDES (Generation) - 2 Key Test Data */
647 static const unsigned char des3_2key_key[24] = {
648 /* Key1 */
649 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
650 /* Key2 */
651 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
652 /* Key3 */
653 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
654 };
655 static const unsigned char des3_2key_subkeys[2][8] = {
656 {
657 /* K1 */
658 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
659 },
660 {
661 /* K2 */
662 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
663 }
664 };
665 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
666 {
667 /* Sample #1 */
668 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
669 },
670 {
671 /* Sample #2 */
672 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
673 },
674 {
675 /* Sample #3 */
676 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
677 },
678 {
679 /* Sample #4 */
680 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
681 }
682 };
683
684 /* CMAC-TDES (Generation) - 3 Key Test Data */
685 static const unsigned char des3_3key_key[24] = {
686 /* Key1 */
687 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
688 /* Key2 */
689 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
690 /* Key3 */
691 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
692 };
693 static const unsigned char des3_3key_subkeys[2][8] = {
694 {
695 /* K1 */
696 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
697 },
698 {
699 /* K2 */
700 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
701 }
702 };
703 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
704 {
705 /* Sample #1 */
706 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
707 },
708 {
709 /* Sample #2 */
710 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
711 },
712 {
713 /* Sample #3 */
714 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
715 },
716 {
717 /* Sample #4 */
718 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
719 }
720 };
721
722 #endif /* MBEDTLS_DES_C */
723
724 #if defined(MBEDTLS_AES_C)
725 /* AES AES-CMAC-PRF-128 Test Data */
726 static const unsigned char PRFK[] = {
727 /* Key */
728 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
729 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
730 0xed, 0xcb
731 };
732
733 /* Sizes in bytes */
734 static const size_t PRFKlen[NB_PRF_TESTS] = {
735 18,
736 16,
737 10
738 };
739
740 /* Message */
741 static const unsigned char PRFM[] = {
742 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
743 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
744 0x10, 0x11, 0x12, 0x13
745 };
746
747 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
748 {
749 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
750 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
751 },
752 {
753 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
754 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
755 },
756 {
757 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
758 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
759 }
760 };
761 #endif /* MBEDTLS_AES_C */
762
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)763 static int cmac_test_subkeys( int verbose,
764 const char* testname,
765 const unsigned char* key,
766 int keybits,
767 const unsigned char* subkeys,
768 mbedtls_cipher_type_t cipher_type,
769 int block_size,
770 int num_tests )
771 {
772 int i, ret = 0;
773 mbedtls_cipher_context_t ctx;
774 const mbedtls_cipher_info_t *cipher_info;
775 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
776 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
777
778 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
779 if( cipher_info == NULL )
780 {
781 /* Failing at this point must be due to a build issue */
782 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
783 }
784
785 for( i = 0; i < num_tests; i++ )
786 {
787 if( verbose != 0 )
788 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
789
790 mbedtls_cipher_init( &ctx );
791
792 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
793 {
794 if( verbose != 0 )
795 mbedtls_printf( "test execution failed\n" );
796
797 goto cleanup;
798 }
799
800 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
801 MBEDTLS_ENCRYPT ) ) != 0 )
802 {
803 if( verbose != 0 )
804 mbedtls_printf( "test execution failed\n" );
805
806 goto cleanup;
807 }
808
809 ret = cmac_generate_subkeys( &ctx, K1, K2 );
810 if( ret != 0 )
811 {
812 if( verbose != 0 )
813 mbedtls_printf( "failed\n" );
814
815 goto cleanup;
816 }
817
818 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
819 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
820 {
821 if( verbose != 0 )
822 mbedtls_printf( "failed\n" );
823
824 goto cleanup;
825 }
826
827 if( verbose != 0 )
828 mbedtls_printf( "passed\n" );
829
830 mbedtls_cipher_free( &ctx );
831 }
832
833 ret = 0;
834 goto exit;
835
836 cleanup:
837 mbedtls_cipher_free( &ctx );
838
839 exit:
840 return( ret );
841 }
842
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)843 static int cmac_test_wth_cipher( int verbose,
844 const char* testname,
845 const unsigned char* key,
846 int keybits,
847 const unsigned char* messages,
848 const unsigned int message_lengths[4],
849 const unsigned char* expected_result,
850 mbedtls_cipher_type_t cipher_type,
851 int block_size,
852 int num_tests )
853 {
854 const mbedtls_cipher_info_t *cipher_info;
855 int i, ret = 0;
856 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
857
858 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
859 if( cipher_info == NULL )
860 {
861 /* Failing at this point must be due to a build issue */
862 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
863 goto exit;
864 }
865
866 for( i = 0; i < num_tests; i++ )
867 {
868 if( verbose != 0 )
869 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
870
871 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
872 message_lengths[i], output ) ) != 0 )
873 {
874 if( verbose != 0 )
875 mbedtls_printf( "failed\n" );
876 goto exit;
877 }
878
879 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
880 {
881 if( verbose != 0 )
882 mbedtls_printf( "failed\n" );
883 goto exit;
884 }
885
886 if( verbose != 0 )
887 mbedtls_printf( "passed\n" );
888 }
889 ret = 0;
890
891 exit:
892 return( ret );
893 }
894
895 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)896 static int test_aes128_cmac_prf( int verbose )
897 {
898 int i;
899 int ret;
900 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
901
902 for( i = 0; i < NB_PRF_TESTS; i++ )
903 {
904 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
905 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
906 if( ret != 0 ||
907 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
908 {
909
910 if( verbose != 0 )
911 mbedtls_printf( "failed\n" );
912
913 return( ret );
914 }
915 else if( verbose != 0 )
916 {
917 mbedtls_printf( "passed\n" );
918 }
919 }
920 return( ret );
921 }
922 #endif /* MBEDTLS_AES_C */
923
mbedtls_cmac_self_test(int verbose)924 int mbedtls_cmac_self_test( int verbose )
925 {
926 int ret;
927
928 #if defined(MBEDTLS_AES_C)
929 /* AES-128 */
930 if( ( ret = cmac_test_subkeys( verbose,
931 "AES 128",
932 aes_128_key,
933 128,
934 (const unsigned char*)aes_128_subkeys,
935 MBEDTLS_CIPHER_AES_128_ECB,
936 MBEDTLS_AES_BLOCK_SIZE,
937 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
938 {
939 return( ret );
940 }
941
942 if( ( ret = cmac_test_wth_cipher( verbose,
943 "AES 128",
944 aes_128_key,
945 128,
946 test_message,
947 aes_message_lengths,
948 (const unsigned char*)aes_128_expected_result,
949 MBEDTLS_CIPHER_AES_128_ECB,
950 MBEDTLS_AES_BLOCK_SIZE,
951 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
952 {
953 return( ret );
954 }
955
956 /* AES-192 */
957 if( ( ret = cmac_test_subkeys( verbose,
958 "AES 192",
959 aes_192_key,
960 192,
961 (const unsigned char*)aes_192_subkeys,
962 MBEDTLS_CIPHER_AES_192_ECB,
963 MBEDTLS_AES_BLOCK_SIZE,
964 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
965 {
966 return( ret );
967 }
968
969 if( ( ret = cmac_test_wth_cipher( verbose,
970 "AES 192",
971 aes_192_key,
972 192,
973 test_message,
974 aes_message_lengths,
975 (const unsigned char*)aes_192_expected_result,
976 MBEDTLS_CIPHER_AES_192_ECB,
977 MBEDTLS_AES_BLOCK_SIZE,
978 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
979 {
980 return( ret );
981 }
982
983 /* AES-256 */
984 if( ( ret = cmac_test_subkeys( verbose,
985 "AES 256",
986 aes_256_key,
987 256,
988 (const unsigned char*)aes_256_subkeys,
989 MBEDTLS_CIPHER_AES_256_ECB,
990 MBEDTLS_AES_BLOCK_SIZE,
991 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
992 {
993 return( ret );
994 }
995
996 if( ( ret = cmac_test_wth_cipher ( verbose,
997 "AES 256",
998 aes_256_key,
999 256,
1000 test_message,
1001 aes_message_lengths,
1002 (const unsigned char*)aes_256_expected_result,
1003 MBEDTLS_CIPHER_AES_256_ECB,
1004 MBEDTLS_AES_BLOCK_SIZE,
1005 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1006 {
1007 return( ret );
1008 }
1009 #endif /* MBEDTLS_AES_C */
1010
1011 #if defined(MBEDTLS_DES_C)
1012 /* 3DES 2 key */
1013 if( ( ret = cmac_test_subkeys( verbose,
1014 "3DES 2 key",
1015 des3_2key_key,
1016 192,
1017 (const unsigned char*)des3_2key_subkeys,
1018 MBEDTLS_CIPHER_DES_EDE3_ECB,
1019 MBEDTLS_DES3_BLOCK_SIZE,
1020 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1021 {
1022 return( ret );
1023 }
1024
1025 if( ( ret = cmac_test_wth_cipher( verbose,
1026 "3DES 2 key",
1027 des3_2key_key,
1028 192,
1029 test_message,
1030 des3_message_lengths,
1031 (const unsigned char*)des3_2key_expected_result,
1032 MBEDTLS_CIPHER_DES_EDE3_ECB,
1033 MBEDTLS_DES3_BLOCK_SIZE,
1034 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1035 {
1036 return( ret );
1037 }
1038
1039 /* 3DES 3 key */
1040 if( ( ret = cmac_test_subkeys( verbose,
1041 "3DES 3 key",
1042 des3_3key_key,
1043 192,
1044 (const unsigned char*)des3_3key_subkeys,
1045 MBEDTLS_CIPHER_DES_EDE3_ECB,
1046 MBEDTLS_DES3_BLOCK_SIZE,
1047 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1048 {
1049 return( ret );
1050 }
1051
1052 if( ( ret = cmac_test_wth_cipher( verbose,
1053 "3DES 3 key",
1054 des3_3key_key,
1055 192,
1056 test_message,
1057 des3_message_lengths,
1058 (const unsigned char*)des3_3key_expected_result,
1059 MBEDTLS_CIPHER_DES_EDE3_ECB,
1060 MBEDTLS_DES3_BLOCK_SIZE,
1061 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1062 {
1063 return( ret );
1064 }
1065 #endif /* MBEDTLS_DES_C */
1066
1067 #if defined(MBEDTLS_AES_C)
1068 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1069 return( ret );
1070 #endif /* MBEDTLS_AES_C */
1071
1072 if( verbose != 0 )
1073 mbedtls_printf( "\n" );
1074
1075 return( 0 );
1076 }
1077
1078 #endif /* MBEDTLS_SELF_TEST */
1079
1080 #endif /* MBEDTLS_CMAC_C */
1081