1 /** 2 * \file cmac.c 3 * 4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 5 * 6 * Copyright The Mbed TLS Contributors 7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 8 * 9 * This file is provided under the Apache License 2.0, or the 10 * GNU General Public License v2.0 or later. 11 * 12 * ********** 13 * Apache License 2.0: 14 * 15 * Licensed under the Apache License, Version 2.0 (the "License"); you may 16 * not use this file except in compliance with the License. 17 * You may obtain a copy of the License at 18 * 19 * http://www.apache.org/licenses/LICENSE-2.0 20 * 21 * Unless required by applicable law or agreed to in writing, software 22 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 23 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 24 * See the License for the specific language governing permissions and 25 * limitations under the License. 26 * 27 * ********** 28 * 29 * ********** 30 * GNU General Public License v2.0 or later: 31 * 32 * This program is free software; you can redistribute it and/or modify 33 * it under the terms of the GNU General Public License as published by 34 * the Free Software Foundation; either version 2 of the License, or 35 * (at your option) any later version. 36 * 37 * This program is distributed in the hope that it will be useful, 38 * but WITHOUT ANY WARRANTY; without even the implied warranty of 39 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 40 * GNU General Public License for more details. 41 * 42 * You should have received a copy of the GNU General Public License along 43 * with this program; if not, write to the Free Software Foundation, Inc., 44 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 45 * 46 * ********** 47 */ 48 49 /* 50 * References: 51 * 52 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 53 * CMAC Mode for Authentication 54 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 55 * 56 * - RFC 4493 - The AES-CMAC Algorithm 57 * https://tools.ietf.org/html/rfc4493 58 * 59 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 60 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 61 * Algorithm for the Internet Key Exchange Protocol (IKE) 62 * https://tools.ietf.org/html/rfc4615 63 * 64 * Additional test vectors: ISO/IEC 9797-1 65 * 66 */ 67 68 #if !defined(MBEDTLS_CONFIG_FILE) 69 #include "mbedtls/config.h" 70 #else 71 #include MBEDTLS_CONFIG_FILE 72 #endif 73 74 #if defined(MBEDTLS_CMAC_C) 75 76 #include "mbedtls/cmac.h" 77 #include "mbedtls/platform_util.h" 78 79 #include <string.h> 80 81 82 #if defined(MBEDTLS_PLATFORM_C) 83 #include "mbedtls/platform.h" 84 #else 85 #include <stdlib.h> 86 #define mbedtls_calloc calloc 87 #define mbedtls_free free 88 #if defined(MBEDTLS_SELF_TEST) 89 #include <stdio.h> 90 #define mbedtls_printf printf 91 #endif /* MBEDTLS_SELF_TEST */ 92 #endif /* MBEDTLS_PLATFORM_C */ 93 94 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 95 96 /* 97 * Multiplication by u in the Galois field of GF(2^n) 98 * 99 * As explained in NIST SP 800-38B, this can be computed: 100 * 101 * If MSB(p) = 0, then p = (p << 1) 102 * If MSB(p) = 1, then p = (p << 1) ^ R_n 103 * with R_64 = 0x1B and R_128 = 0x87 104 * 105 * Input and output MUST NOT point to the same buffer 106 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 107 */ 108 static int cmac_multiply_by_u( unsigned char *output, 109 const unsigned char *input, 110 size_t blocksize ) 111 { 112 const unsigned char R_128 = 0x87; 113 const unsigned char R_64 = 0x1B; 114 unsigned char R_n, mask; 115 unsigned char overflow = 0x00; 116 int i; 117 118 if( blocksize == MBEDTLS_AES_BLOCK_SIZE ) 119 { 120 R_n = R_128; 121 } 122 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE ) 123 { 124 R_n = R_64; 125 } 126 else 127 { 128 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 129 } 130 131 for( i = (int)blocksize - 1; i >= 0; i-- ) 132 { 133 output[i] = input[i] << 1 | overflow; 134 overflow = input[i] >> 7; 135 } 136 137 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 138 * using bit operations to avoid branches */ 139 140 /* MSVC has a warning about unary minus on unsigned, but this is 141 * well-defined and precisely what we want to do here */ 142 #if defined(_MSC_VER) 143 #pragma warning( push ) 144 #pragma warning( disable : 4146 ) 145 #endif 146 mask = - ( input[0] >> 7 ); 147 #if defined(_MSC_VER) 148 #pragma warning( pop ) 149 #endif 150 151 output[ blocksize - 1 ] ^= R_n & mask; 152 153 return( 0 ); 154 } 155 156 /* 157 * Generate subkeys 158 * 159 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 160 */ 161 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx, 162 unsigned char* K1, unsigned char* K2 ) 163 { 164 int ret; 165 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; 166 size_t olen, block_size; 167 168 mbedtls_platform_zeroize( L, sizeof( L ) ); 169 170 block_size = ctx->cipher_info->block_size; 171 172 /* Calculate Ek(0) */ 173 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 ) 174 goto exit; 175 176 /* 177 * Generate K1 and K2 178 */ 179 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 ) 180 goto exit; 181 182 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 ) 183 goto exit; 184 185 exit: 186 mbedtls_platform_zeroize( L, sizeof( L ) ); 187 188 return( ret ); 189 } 190 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 191 192 #if !defined(MBEDTLS_CMAC_ALT) 193 static void cmac_xor_block( unsigned char *output, const unsigned char *input1, 194 const unsigned char *input2, 195 const size_t block_size ) 196 { 197 size_t idx; 198 199 for( idx = 0; idx < block_size; idx++ ) 200 output[ idx ] = input1[ idx ] ^ input2[ idx ]; 201 } 202 203 /* 204 * Create padded last block from (partial) last block. 205 * 206 * We can't use the padding option from the cipher layer, as it only works for 207 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 208 */ 209 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], 210 size_t padded_block_len, 211 const unsigned char *last_block, 212 size_t last_block_len ) 213 { 214 size_t j; 215 216 for( j = 0; j < padded_block_len; j++ ) 217 { 218 if( j < last_block_len ) 219 padded_block[j] = last_block[j]; 220 else if( j == last_block_len ) 221 padded_block[j] = 0x80; 222 else 223 padded_block[j] = 0x00; 224 } 225 } 226 227 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 228 const unsigned char *key, size_t keybits ) 229 { 230 mbedtls_cipher_type_t type; 231 mbedtls_cmac_context_t *cmac_ctx; 232 int retval; 233 234 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL ) 235 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 236 237 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits, 238 MBEDTLS_ENCRYPT ) ) != 0 ) 239 return( retval ); 240 241 type = ctx->cipher_info->type; 242 243 switch( type ) 244 { 245 case MBEDTLS_CIPHER_AES_128_ECB: 246 case MBEDTLS_CIPHER_AES_192_ECB: 247 case MBEDTLS_CIPHER_AES_256_ECB: 248 case MBEDTLS_CIPHER_DES_EDE3_ECB: 249 break; 250 default: 251 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 252 } 253 254 /* Allocated and initialise in the cipher context memory for the CMAC 255 * context */ 256 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) ); 257 if( cmac_ctx == NULL ) 258 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 259 260 ctx->cmac_ctx = cmac_ctx; 261 262 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) ); 263 264 return 0; 265 } 266 267 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 268 const unsigned char *input, size_t ilen ) 269 { 270 mbedtls_cmac_context_t* cmac_ctx; 271 unsigned char *state; 272 int ret = 0; 273 size_t n, j, olen, block_size; 274 275 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL || 276 ctx->cmac_ctx == NULL ) 277 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 278 279 cmac_ctx = ctx->cmac_ctx; 280 block_size = ctx->cipher_info->block_size; 281 state = ctx->cmac_ctx->state; 282 283 /* Is there data still to process from the last call, that's greater in 284 * size than a block? */ 285 if( cmac_ctx->unprocessed_len > 0 && 286 ilen > block_size - cmac_ctx->unprocessed_len ) 287 { 288 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 289 input, 290 block_size - cmac_ctx->unprocessed_len ); 291 292 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size ); 293 294 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 295 &olen ) ) != 0 ) 296 { 297 goto exit; 298 } 299 300 input += block_size - cmac_ctx->unprocessed_len; 301 ilen -= block_size - cmac_ctx->unprocessed_len; 302 cmac_ctx->unprocessed_len = 0; 303 } 304 305 /* n is the number of blocks including any final partial block */ 306 n = ( ilen + block_size - 1 ) / block_size; 307 308 /* Iterate across the input data in block sized chunks, excluding any 309 * final partial or complete block */ 310 for( j = 1; j < n; j++ ) 311 { 312 cmac_xor_block( state, input, state, block_size ); 313 314 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 315 &olen ) ) != 0 ) 316 goto exit; 317 318 ilen -= block_size; 319 input += block_size; 320 } 321 322 /* If there is data left over that wasn't aligned to a block */ 323 if( ilen > 0 ) 324 { 325 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 326 input, 327 ilen ); 328 cmac_ctx->unprocessed_len += ilen; 329 } 330 331 exit: 332 return( ret ); 333 } 334 335 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 336 unsigned char *output ) 337 { 338 mbedtls_cmac_context_t* cmac_ctx; 339 unsigned char *state, *last_block; 340 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 341 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 342 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; 343 int ret; 344 size_t olen, block_size; 345 346 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 347 output == NULL ) 348 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 349 350 cmac_ctx = ctx->cmac_ctx; 351 block_size = ctx->cipher_info->block_size; 352 state = cmac_ctx->state; 353 354 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 355 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 356 cmac_generate_subkeys( ctx, K1, K2 ); 357 358 last_block = cmac_ctx->unprocessed_block; 359 360 /* Calculate last block */ 361 if( cmac_ctx->unprocessed_len < block_size ) 362 { 363 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len ); 364 cmac_xor_block( M_last, M_last, K2, block_size ); 365 } 366 else 367 { 368 /* Last block is complete block */ 369 cmac_xor_block( M_last, last_block, K1, block_size ); 370 } 371 372 373 cmac_xor_block( state, M_last, state, block_size ); 374 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 375 &olen ) ) != 0 ) 376 { 377 goto exit; 378 } 379 380 memcpy( output, state, block_size ); 381 382 exit: 383 /* Wipe the generated keys on the stack, and any other transients to avoid 384 * side channel leakage */ 385 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 386 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 387 388 cmac_ctx->unprocessed_len = 0; 389 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 390 sizeof( cmac_ctx->unprocessed_block ) ); 391 392 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX ); 393 return( ret ); 394 } 395 396 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ) 397 { 398 mbedtls_cmac_context_t* cmac_ctx; 399 400 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ) 401 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 402 403 cmac_ctx = ctx->cmac_ctx; 404 405 /* Reset the internal state */ 406 cmac_ctx->unprocessed_len = 0; 407 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 408 sizeof( cmac_ctx->unprocessed_block ) ); 409 mbedtls_platform_zeroize( cmac_ctx->state, 410 sizeof( cmac_ctx->state ) ); 411 412 return( 0 ); 413 } 414 415 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 416 const unsigned char *key, size_t keylen, 417 const unsigned char *input, size_t ilen, 418 unsigned char *output ) 419 { 420 mbedtls_cipher_context_t ctx; 421 int ret; 422 423 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL ) 424 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 425 426 mbedtls_cipher_init( &ctx ); 427 428 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 429 goto exit; 430 431 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen ); 432 if( ret != 0 ) 433 goto exit; 434 435 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen ); 436 if( ret != 0 ) 437 goto exit; 438 439 ret = mbedtls_cipher_cmac_finish( &ctx, output ); 440 441 exit: 442 mbedtls_cipher_free( &ctx ); 443 444 return( ret ); 445 } 446 447 #if defined(MBEDTLS_AES_C) 448 /* 449 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 450 */ 451 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length, 452 const unsigned char *input, size_t in_len, 453 unsigned char output[16] ) 454 { 455 int ret; 456 const mbedtls_cipher_info_t *cipher_info; 457 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 458 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 459 460 if( key == NULL || input == NULL || output == NULL ) 461 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 462 463 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 464 if( cipher_info == NULL ) 465 { 466 /* Failing at this point must be due to a build issue */ 467 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 468 goto exit; 469 } 470 471 if( key_length == MBEDTLS_AES_BLOCK_SIZE ) 472 { 473 /* Use key as is */ 474 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE ); 475 } 476 else 477 { 478 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE ); 479 480 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key, 481 key_length, int_key ); 482 if( ret != 0 ) 483 goto exit; 484 } 485 486 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len, 487 output ); 488 489 exit: 490 mbedtls_platform_zeroize( int_key, sizeof( int_key ) ); 491 492 return( ret ); 493 } 494 #endif /* MBEDTLS_AES_C */ 495 496 #endif /* !MBEDTLS_CMAC_ALT */ 497 498 #if defined(MBEDTLS_SELF_TEST) 499 /* 500 * CMAC test data for SP800-38B 501 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 502 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 503 * 504 * AES-CMAC-PRF-128 test data from RFC 4615 505 * https://tools.ietf.org/html/rfc4615#page-4 506 */ 507 508 #define NB_CMAC_TESTS_PER_KEY 4 509 #define NB_PRF_TESTS 3 510 511 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 512 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 513 static const unsigned char test_message[] = { 514 /* PT */ 515 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 516 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 517 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 518 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 519 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 520 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 521 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 522 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 523 }; 524 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 525 526 #if defined(MBEDTLS_AES_C) 527 /* Truncation point of message for AES CMAC tests */ 528 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 529 /* Mlen */ 530 0, 531 16, 532 20, 533 64 534 }; 535 536 /* CMAC-AES128 Test Data */ 537 static const unsigned char aes_128_key[16] = { 538 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 539 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 540 }; 541 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 542 { 543 /* K1 */ 544 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 545 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 546 }, 547 { 548 /* K2 */ 549 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 550 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 551 } 552 }; 553 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 554 { 555 /* Example #1 */ 556 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 557 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 558 }, 559 { 560 /* Example #2 */ 561 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 562 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 563 }, 564 { 565 /* Example #3 */ 566 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 567 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 568 }, 569 { 570 /* Example #4 */ 571 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 572 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 573 } 574 }; 575 576 /* CMAC-AES192 Test Data */ 577 static const unsigned char aes_192_key[24] = { 578 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 579 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 580 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 581 }; 582 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 583 { 584 /* K1 */ 585 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 586 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 587 }, 588 { 589 /* K2 */ 590 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 591 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 592 } 593 }; 594 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 595 { 596 /* Example #1 */ 597 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 598 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 599 }, 600 { 601 /* Example #2 */ 602 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 603 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 604 }, 605 { 606 /* Example #3 */ 607 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 608 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 609 }, 610 { 611 /* Example #4 */ 612 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 613 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 614 } 615 }; 616 617 /* CMAC-AES256 Test Data */ 618 static const unsigned char aes_256_key[32] = { 619 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 620 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 621 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 622 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 623 }; 624 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 625 { 626 /* K1 */ 627 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 628 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 629 }, 630 { 631 /* K2 */ 632 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 633 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 634 } 635 }; 636 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 637 { 638 /* Example #1 */ 639 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 640 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 641 }, 642 { 643 /* Example #2 */ 644 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 645 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 646 }, 647 { 648 /* Example #3 */ 649 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 650 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 651 }, 652 { 653 /* Example #4 */ 654 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 655 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 656 } 657 }; 658 #endif /* MBEDTLS_AES_C */ 659 660 #if defined(MBEDTLS_DES_C) 661 /* Truncation point of message for 3DES CMAC tests */ 662 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 663 0, 664 16, 665 20, 666 32 667 }; 668 669 /* CMAC-TDES (Generation) - 2 Key Test Data */ 670 static const unsigned char des3_2key_key[24] = { 671 /* Key1 */ 672 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 673 /* Key2 */ 674 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 675 /* Key3 */ 676 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 677 }; 678 static const unsigned char des3_2key_subkeys[2][8] = { 679 { 680 /* K1 */ 681 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 682 }, 683 { 684 /* K2 */ 685 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 686 } 687 }; 688 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 689 { 690 /* Sample #1 */ 691 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 692 }, 693 { 694 /* Sample #2 */ 695 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 696 }, 697 { 698 /* Sample #3 */ 699 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 700 }, 701 { 702 /* Sample #4 */ 703 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 704 } 705 }; 706 707 /* CMAC-TDES (Generation) - 3 Key Test Data */ 708 static const unsigned char des3_3key_key[24] = { 709 /* Key1 */ 710 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 711 /* Key2 */ 712 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 713 /* Key3 */ 714 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 715 }; 716 static const unsigned char des3_3key_subkeys[2][8] = { 717 { 718 /* K1 */ 719 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 720 }, 721 { 722 /* K2 */ 723 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 724 } 725 }; 726 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 727 { 728 /* Sample #1 */ 729 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 730 }, 731 { 732 /* Sample #2 */ 733 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 734 }, 735 { 736 /* Sample #3 */ 737 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 738 }, 739 { 740 /* Sample #4 */ 741 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 742 } 743 }; 744 745 #endif /* MBEDTLS_DES_C */ 746 747 #if defined(MBEDTLS_AES_C) 748 /* AES AES-CMAC-PRF-128 Test Data */ 749 static const unsigned char PRFK[] = { 750 /* Key */ 751 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 752 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 753 0xed, 0xcb 754 }; 755 756 /* Sizes in bytes */ 757 static const size_t PRFKlen[NB_PRF_TESTS] = { 758 18, 759 16, 760 10 761 }; 762 763 /* Message */ 764 static const unsigned char PRFM[] = { 765 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 766 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 767 0x10, 0x11, 0x12, 0x13 768 }; 769 770 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 771 { 772 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 773 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 774 }, 775 { 776 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 777 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 778 }, 779 { 780 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 781 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 782 } 783 }; 784 #endif /* MBEDTLS_AES_C */ 785 786 static int cmac_test_subkeys( int verbose, 787 const char* testname, 788 const unsigned char* key, 789 int keybits, 790 const unsigned char* subkeys, 791 mbedtls_cipher_type_t cipher_type, 792 int block_size, 793 int num_tests ) 794 { 795 int i, ret = 0; 796 mbedtls_cipher_context_t ctx; 797 const mbedtls_cipher_info_t *cipher_info; 798 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 799 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 800 801 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 802 if( cipher_info == NULL ) 803 { 804 /* Failing at this point must be due to a build issue */ 805 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 806 } 807 808 for( i = 0; i < num_tests; i++ ) 809 { 810 if( verbose != 0 ) 811 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 ); 812 813 mbedtls_cipher_init( &ctx ); 814 815 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 816 { 817 if( verbose != 0 ) 818 mbedtls_printf( "test execution failed\n" ); 819 820 goto cleanup; 821 } 822 823 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits, 824 MBEDTLS_ENCRYPT ) ) != 0 ) 825 { 826 if( verbose != 0 ) 827 mbedtls_printf( "test execution failed\n" ); 828 829 goto cleanup; 830 } 831 832 ret = cmac_generate_subkeys( &ctx, K1, K2 ); 833 if( ret != 0 ) 834 { 835 if( verbose != 0 ) 836 mbedtls_printf( "failed\n" ); 837 838 goto cleanup; 839 } 840 841 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 || 842 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 ) 843 { 844 if( verbose != 0 ) 845 mbedtls_printf( "failed\n" ); 846 847 goto cleanup; 848 } 849 850 if( verbose != 0 ) 851 mbedtls_printf( "passed\n" ); 852 853 mbedtls_cipher_free( &ctx ); 854 } 855 856 ret = 0; 857 goto exit; 858 859 cleanup: 860 mbedtls_cipher_free( &ctx ); 861 862 exit: 863 return( ret ); 864 } 865 866 static int cmac_test_wth_cipher( int verbose, 867 const char* testname, 868 const unsigned char* key, 869 int keybits, 870 const unsigned char* messages, 871 const unsigned int message_lengths[4], 872 const unsigned char* expected_result, 873 mbedtls_cipher_type_t cipher_type, 874 int block_size, 875 int num_tests ) 876 { 877 const mbedtls_cipher_info_t *cipher_info; 878 int i, ret = 0; 879 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; 880 881 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 882 if( cipher_info == NULL ) 883 { 884 /* Failing at this point must be due to a build issue */ 885 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 886 goto exit; 887 } 888 889 for( i = 0; i < num_tests; i++ ) 890 { 891 if( verbose != 0 ) 892 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 ); 893 894 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages, 895 message_lengths[i], output ) ) != 0 ) 896 { 897 if( verbose != 0 ) 898 mbedtls_printf( "failed\n" ); 899 goto exit; 900 } 901 902 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 ) 903 { 904 if( verbose != 0 ) 905 mbedtls_printf( "failed\n" ); 906 goto exit; 907 } 908 909 if( verbose != 0 ) 910 mbedtls_printf( "passed\n" ); 911 } 912 ret = 0; 913 914 exit: 915 return( ret ); 916 } 917 918 #if defined(MBEDTLS_AES_C) 919 static int test_aes128_cmac_prf( int verbose ) 920 { 921 int i; 922 int ret; 923 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 924 925 for( i = 0; i < NB_PRF_TESTS; i++ ) 926 { 927 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i ); 928 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output ); 929 if( ret != 0 || 930 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 ) 931 { 932 933 if( verbose != 0 ) 934 mbedtls_printf( "failed\n" ); 935 936 return( ret ); 937 } 938 else if( verbose != 0 ) 939 { 940 mbedtls_printf( "passed\n" ); 941 } 942 } 943 return( ret ); 944 } 945 #endif /* MBEDTLS_AES_C */ 946 947 int mbedtls_cmac_self_test( int verbose ) 948 { 949 int ret; 950 951 #if defined(MBEDTLS_AES_C) 952 /* AES-128 */ 953 if( ( ret = cmac_test_subkeys( verbose, 954 "AES 128", 955 aes_128_key, 956 128, 957 (const unsigned char*)aes_128_subkeys, 958 MBEDTLS_CIPHER_AES_128_ECB, 959 MBEDTLS_AES_BLOCK_SIZE, 960 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 961 { 962 return( ret ); 963 } 964 965 if( ( ret = cmac_test_wth_cipher( verbose, 966 "AES 128", 967 aes_128_key, 968 128, 969 test_message, 970 aes_message_lengths, 971 (const unsigned char*)aes_128_expected_result, 972 MBEDTLS_CIPHER_AES_128_ECB, 973 MBEDTLS_AES_BLOCK_SIZE, 974 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 975 { 976 return( ret ); 977 } 978 979 /* AES-192 */ 980 if( ( ret = cmac_test_subkeys( verbose, 981 "AES 192", 982 aes_192_key, 983 192, 984 (const unsigned char*)aes_192_subkeys, 985 MBEDTLS_CIPHER_AES_192_ECB, 986 MBEDTLS_AES_BLOCK_SIZE, 987 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 988 { 989 return( ret ); 990 } 991 992 if( ( ret = cmac_test_wth_cipher( verbose, 993 "AES 192", 994 aes_192_key, 995 192, 996 test_message, 997 aes_message_lengths, 998 (const unsigned char*)aes_192_expected_result, 999 MBEDTLS_CIPHER_AES_192_ECB, 1000 MBEDTLS_AES_BLOCK_SIZE, 1001 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1002 { 1003 return( ret ); 1004 } 1005 1006 /* AES-256 */ 1007 if( ( ret = cmac_test_subkeys( verbose, 1008 "AES 256", 1009 aes_256_key, 1010 256, 1011 (const unsigned char*)aes_256_subkeys, 1012 MBEDTLS_CIPHER_AES_256_ECB, 1013 MBEDTLS_AES_BLOCK_SIZE, 1014 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1015 { 1016 return( ret ); 1017 } 1018 1019 if( ( ret = cmac_test_wth_cipher ( verbose, 1020 "AES 256", 1021 aes_256_key, 1022 256, 1023 test_message, 1024 aes_message_lengths, 1025 (const unsigned char*)aes_256_expected_result, 1026 MBEDTLS_CIPHER_AES_256_ECB, 1027 MBEDTLS_AES_BLOCK_SIZE, 1028 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1029 { 1030 return( ret ); 1031 } 1032 #endif /* MBEDTLS_AES_C */ 1033 1034 #if defined(MBEDTLS_DES_C) 1035 /* 3DES 2 key */ 1036 if( ( ret = cmac_test_subkeys( verbose, 1037 "3DES 2 key", 1038 des3_2key_key, 1039 192, 1040 (const unsigned char*)des3_2key_subkeys, 1041 MBEDTLS_CIPHER_DES_EDE3_ECB, 1042 MBEDTLS_DES3_BLOCK_SIZE, 1043 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1044 { 1045 return( ret ); 1046 } 1047 1048 if( ( ret = cmac_test_wth_cipher( verbose, 1049 "3DES 2 key", 1050 des3_2key_key, 1051 192, 1052 test_message, 1053 des3_message_lengths, 1054 (const unsigned char*)des3_2key_expected_result, 1055 MBEDTLS_CIPHER_DES_EDE3_ECB, 1056 MBEDTLS_DES3_BLOCK_SIZE, 1057 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1058 { 1059 return( ret ); 1060 } 1061 1062 /* 3DES 3 key */ 1063 if( ( ret = cmac_test_subkeys( verbose, 1064 "3DES 3 key", 1065 des3_3key_key, 1066 192, 1067 (const unsigned char*)des3_3key_subkeys, 1068 MBEDTLS_CIPHER_DES_EDE3_ECB, 1069 MBEDTLS_DES3_BLOCK_SIZE, 1070 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1071 { 1072 return( ret ); 1073 } 1074 1075 if( ( ret = cmac_test_wth_cipher( verbose, 1076 "3DES 3 key", 1077 des3_3key_key, 1078 192, 1079 test_message, 1080 des3_message_lengths, 1081 (const unsigned char*)des3_3key_expected_result, 1082 MBEDTLS_CIPHER_DES_EDE3_ECB, 1083 MBEDTLS_DES3_BLOCK_SIZE, 1084 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1085 { 1086 return( ret ); 1087 } 1088 #endif /* MBEDTLS_DES_C */ 1089 1090 #if defined(MBEDTLS_AES_C) 1091 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 ) 1092 return( ret ); 1093 #endif /* MBEDTLS_AES_C */ 1094 1095 if( verbose != 0 ) 1096 mbedtls_printf( "\n" ); 1097 1098 return( 0 ); 1099 } 1100 1101 #endif /* MBEDTLS_SELF_TEST */ 1102 1103 #endif /* MBEDTLS_CMAC_C */ 1104