1 /** 2 * \file cmac.c 3 * 4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 5 * 6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved 7 * SPDX-License-Identifier: GPL-2.0 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License along 20 * with this program; if not, write to the Free Software Foundation, Inc., 21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 * 23 * This file is part of mbed TLS (https://tls.mbed.org) 24 */ 25 26 /* 27 * References: 28 * 29 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 30 * CMAC Mode for Authentication 31 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 32 * 33 * - RFC 4493 - The AES-CMAC Algorithm 34 * https://tools.ietf.org/html/rfc4493 35 * 36 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 37 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 38 * Algorithm for the Internet Key Exchange Protocol (IKE) 39 * https://tools.ietf.org/html/rfc4615 40 * 41 * Additional test vectors: ISO/IEC 9797-1 42 * 43 */ 44 45 #if !defined(MBEDTLS_CONFIG_FILE) 46 #include "mbedtls/config.h" 47 #else 48 #include MBEDTLS_CONFIG_FILE 49 #endif 50 51 #if defined(MBEDTLS_CMAC_C) 52 53 #include "mbedtls/cmac.h" 54 55 #include <string.h> 56 57 58 #if defined(MBEDTLS_PLATFORM_C) 59 #include "mbedtls/platform.h" 60 #else 61 #include <stdlib.h> 62 #define mbedtls_calloc calloc 63 #define mbedtls_free free 64 #if defined(MBEDTLS_SELF_TEST) 65 #include <stdio.h> 66 #define mbedtls_printf printf 67 #endif /* MBEDTLS_SELF_TEST */ 68 #endif /* MBEDTLS_PLATFORM_C */ 69 70 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 71 72 /* Implementation that should never be optimized out by the compiler */ 73 static void mbedtls_zeroize( void *v, size_t n ) { 74 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 75 } 76 77 /* 78 * Multiplication by u in the Galois field of GF(2^n) 79 * 80 * As explained in NIST SP 800-38B, this can be computed: 81 * 82 * If MSB(p) = 0, then p = (p << 1) 83 * If MSB(p) = 1, then p = (p << 1) ^ R_n 84 * with R_64 = 0x1B and R_128 = 0x87 85 * 86 * Input and output MUST NOT point to the same buffer 87 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 88 */ 89 static int cmac_multiply_by_u( unsigned char *output, 90 const unsigned char *input, 91 size_t blocksize ) 92 { 93 const unsigned char R_128 = 0x87; 94 const unsigned char R_64 = 0x1B; 95 unsigned char R_n, mask; 96 unsigned char overflow = 0x00; 97 int i; 98 99 if( blocksize == MBEDTLS_AES_BLOCK_SIZE ) 100 { 101 R_n = R_128; 102 } 103 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE ) 104 { 105 R_n = R_64; 106 } 107 else 108 { 109 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 110 } 111 112 for( i = (int)blocksize - 1; i >= 0; i-- ) 113 { 114 output[i] = input[i] << 1 | overflow; 115 overflow = input[i] >> 7; 116 } 117 118 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 119 * using bit operations to avoid branches */ 120 121 /* MSVC has a warning about unary minus on unsigned, but this is 122 * well-defined and precisely what we want to do here */ 123 #if defined(_MSC_VER) 124 #pragma warning( push ) 125 #pragma warning( disable : 4146 ) 126 #endif 127 mask = - ( input[0] >> 7 ); 128 #if defined(_MSC_VER) 129 #pragma warning( pop ) 130 #endif 131 132 output[ blocksize - 1 ] ^= R_n & mask; 133 134 return( 0 ); 135 } 136 137 /* 138 * Generate subkeys 139 * 140 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 141 */ 142 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx, 143 unsigned char* K1, unsigned char* K2 ) 144 { 145 int ret; 146 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; 147 size_t olen, block_size; 148 149 mbedtls_zeroize( L, sizeof( L ) ); 150 151 block_size = ctx->cipher_info->block_size; 152 153 /* Calculate Ek(0) */ 154 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 ) 155 goto exit; 156 157 /* 158 * Generate K1 and K2 159 */ 160 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 ) 161 goto exit; 162 163 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 ) 164 goto exit; 165 166 exit: 167 mbedtls_zeroize( L, sizeof( L ) ); 168 169 return( ret ); 170 } 171 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 172 173 #if !defined(MBEDTLS_CMAC_ALT) 174 static void cmac_xor_block( unsigned char *output, const unsigned char *input1, 175 const unsigned char *input2, 176 const size_t block_size ) 177 { 178 size_t idx; 179 180 for( idx = 0; idx < block_size; idx++ ) 181 output[ idx ] = input1[ idx ] ^ input2[ idx ]; 182 } 183 184 /* 185 * Create padded last block from (partial) last block. 186 * 187 * We can't use the padding option from the cipher layer, as it only works for 188 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 189 */ 190 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], 191 size_t padded_block_len, 192 const unsigned char *last_block, 193 size_t last_block_len ) 194 { 195 size_t j; 196 197 for( j = 0; j < padded_block_len; j++ ) 198 { 199 if( j < last_block_len ) 200 padded_block[j] = last_block[j]; 201 else if( j == last_block_len ) 202 padded_block[j] = 0x80; 203 else 204 padded_block[j] = 0x00; 205 } 206 } 207 208 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 209 const unsigned char *key, size_t keybits ) 210 { 211 mbedtls_cipher_type_t type; 212 mbedtls_cmac_context_t *cmac_ctx; 213 int retval; 214 215 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL ) 216 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 217 218 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits, 219 MBEDTLS_ENCRYPT ) ) != 0 ) 220 return( retval ); 221 222 type = ctx->cipher_info->type; 223 224 switch( type ) 225 { 226 case MBEDTLS_CIPHER_AES_128_ECB: 227 case MBEDTLS_CIPHER_AES_192_ECB: 228 case MBEDTLS_CIPHER_AES_256_ECB: 229 case MBEDTLS_CIPHER_DES_EDE3_ECB: 230 break; 231 default: 232 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 233 } 234 235 /* Allocated and initialise in the cipher context memory for the CMAC 236 * context */ 237 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) ); 238 if( cmac_ctx == NULL ) 239 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 240 241 ctx->cmac_ctx = cmac_ctx; 242 243 mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) ); 244 245 return 0; 246 } 247 248 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 249 const unsigned char *input, size_t ilen ) 250 { 251 mbedtls_cmac_context_t* cmac_ctx; 252 unsigned char *state; 253 int ret = 0; 254 size_t n, j, olen, block_size; 255 256 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL || 257 ctx->cmac_ctx == NULL ) 258 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 259 260 cmac_ctx = ctx->cmac_ctx; 261 block_size = ctx->cipher_info->block_size; 262 state = ctx->cmac_ctx->state; 263 264 /* Is there data still to process from the last call, that's greater in 265 * size than a block? */ 266 if( cmac_ctx->unprocessed_len > 0 && 267 ilen > block_size - cmac_ctx->unprocessed_len ) 268 { 269 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 270 input, 271 block_size - cmac_ctx->unprocessed_len ); 272 273 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size ); 274 275 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 276 &olen ) ) != 0 ) 277 { 278 goto exit; 279 } 280 281 input += block_size - cmac_ctx->unprocessed_len; 282 ilen -= block_size - cmac_ctx->unprocessed_len; 283 cmac_ctx->unprocessed_len = 0; 284 } 285 286 /* n is the number of blocks including any final partial block */ 287 n = ( ilen + block_size - 1 ) / block_size; 288 289 /* Iterate across the input data in block sized chunks, excluding any 290 * final partial or complete block */ 291 for( j = 1; j < n; j++ ) 292 { 293 cmac_xor_block( state, input, state, block_size ); 294 295 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 296 &olen ) ) != 0 ) 297 goto exit; 298 299 ilen -= block_size; 300 input += block_size; 301 } 302 303 /* If there is data left over that wasn't aligned to a block */ 304 if( ilen > 0 ) 305 { 306 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 307 input, 308 ilen ); 309 cmac_ctx->unprocessed_len += ilen; 310 } 311 312 exit: 313 return( ret ); 314 } 315 316 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 317 unsigned char *output ) 318 { 319 mbedtls_cmac_context_t* cmac_ctx; 320 unsigned char *state, *last_block; 321 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 322 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 323 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; 324 int ret; 325 size_t olen, block_size; 326 327 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 328 output == NULL ) 329 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 330 331 cmac_ctx = ctx->cmac_ctx; 332 block_size = ctx->cipher_info->block_size; 333 state = cmac_ctx->state; 334 335 mbedtls_zeroize( K1, sizeof( K1 ) ); 336 mbedtls_zeroize( K2, sizeof( K2 ) ); 337 cmac_generate_subkeys( ctx, K1, K2 ); 338 339 last_block = cmac_ctx->unprocessed_block; 340 341 /* Calculate last block */ 342 if( cmac_ctx->unprocessed_len < block_size ) 343 { 344 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len ); 345 cmac_xor_block( M_last, M_last, K2, block_size ); 346 } 347 else 348 { 349 /* Last block is complete block */ 350 cmac_xor_block( M_last, last_block, K1, block_size ); 351 } 352 353 354 cmac_xor_block( state, M_last, state, block_size ); 355 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 356 &olen ) ) != 0 ) 357 { 358 goto exit; 359 } 360 361 memcpy( output, state, block_size ); 362 363 exit: 364 /* Wipe the generated keys on the stack, and any other transients to avoid 365 * side channel leakage */ 366 mbedtls_zeroize( K1, sizeof( K1 ) ); 367 mbedtls_zeroize( K2, sizeof( K2 ) ); 368 369 cmac_ctx->unprocessed_len = 0; 370 mbedtls_zeroize( cmac_ctx->unprocessed_block, 371 sizeof( cmac_ctx->unprocessed_block ) ); 372 373 mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX ); 374 return( ret ); 375 } 376 377 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ) 378 { 379 mbedtls_cmac_context_t* cmac_ctx; 380 381 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ) 382 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 383 384 cmac_ctx = ctx->cmac_ctx; 385 386 /* Reset the internal state */ 387 cmac_ctx->unprocessed_len = 0; 388 mbedtls_zeroize( cmac_ctx->unprocessed_block, 389 sizeof( cmac_ctx->unprocessed_block ) ); 390 mbedtls_zeroize( cmac_ctx->state, 391 sizeof( cmac_ctx->state ) ); 392 393 return( 0 ); 394 } 395 396 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 397 const unsigned char *key, size_t keylen, 398 const unsigned char *input, size_t ilen, 399 unsigned char *output ) 400 { 401 mbedtls_cipher_context_t ctx; 402 int ret; 403 404 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL ) 405 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 406 407 mbedtls_cipher_init( &ctx ); 408 409 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 410 goto exit; 411 412 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen ); 413 if( ret != 0 ) 414 goto exit; 415 416 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen ); 417 if( ret != 0 ) 418 goto exit; 419 420 ret = mbedtls_cipher_cmac_finish( &ctx, output ); 421 422 exit: 423 mbedtls_cipher_free( &ctx ); 424 425 return( ret ); 426 } 427 428 #if defined(MBEDTLS_AES_C) 429 /* 430 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 431 */ 432 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length, 433 const unsigned char *input, size_t in_len, 434 unsigned char *output ) 435 { 436 int ret; 437 const mbedtls_cipher_info_t *cipher_info; 438 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 439 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 440 441 if( key == NULL || input == NULL || output == NULL ) 442 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 443 444 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 445 if( cipher_info == NULL ) 446 { 447 /* Failing at this point must be due to a build issue */ 448 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 449 goto exit; 450 } 451 452 if( key_length == MBEDTLS_AES_BLOCK_SIZE ) 453 { 454 /* Use key as is */ 455 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE ); 456 } 457 else 458 { 459 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE ); 460 461 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key, 462 key_length, int_key ); 463 if( ret != 0 ) 464 goto exit; 465 } 466 467 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len, 468 output ); 469 470 exit: 471 mbedtls_zeroize( int_key, sizeof( int_key ) ); 472 473 return( ret ); 474 } 475 #endif /* MBEDTLS_AES_C */ 476 477 #endif /* !MBEDTLS_CMAC_ALT */ 478 479 #if defined(MBEDTLS_SELF_TEST) 480 /* 481 * CMAC test data for SP800-38B 482 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 483 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 484 * 485 * AES-CMAC-PRF-128 test data from RFC 4615 486 * https://tools.ietf.org/html/rfc4615#page-4 487 */ 488 489 #define NB_CMAC_TESTS_PER_KEY 4 490 #define NB_PRF_TESTS 3 491 492 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 493 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 494 static const unsigned char test_message[] = { 495 /* PT */ 496 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 497 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 498 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 499 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 500 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 501 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 502 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 503 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 504 }; 505 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 506 507 #if defined(MBEDTLS_AES_C) 508 /* Truncation point of message for AES CMAC tests */ 509 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 510 /* Mlen */ 511 0, 512 16, 513 20, 514 64 515 }; 516 517 /* CMAC-AES128 Test Data */ 518 static const unsigned char aes_128_key[16] = { 519 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 520 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 521 }; 522 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 523 { 524 /* K1 */ 525 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 526 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 527 }, 528 { 529 /* K2 */ 530 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 531 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 532 } 533 }; 534 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 535 { 536 /* Example #1 */ 537 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 538 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 539 }, 540 { 541 /* Example #2 */ 542 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 543 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 544 }, 545 { 546 /* Example #3 */ 547 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 548 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 549 }, 550 { 551 /* Example #4 */ 552 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 553 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 554 } 555 }; 556 557 /* CMAC-AES192 Test Data */ 558 static const unsigned char aes_192_key[24] = { 559 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 560 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 561 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 562 }; 563 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 564 { 565 /* K1 */ 566 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 567 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 568 }, 569 { 570 /* K2 */ 571 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 572 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 573 } 574 }; 575 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 576 { 577 /* Example #1 */ 578 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 579 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 580 }, 581 { 582 /* Example #2 */ 583 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 584 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 585 }, 586 { 587 /* Example #3 */ 588 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 589 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 590 }, 591 { 592 /* Example #4 */ 593 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 594 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 595 } 596 }; 597 598 /* CMAC-AES256 Test Data */ 599 static const unsigned char aes_256_key[32] = { 600 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 601 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 602 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 603 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 604 }; 605 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 606 { 607 /* K1 */ 608 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 609 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 610 }, 611 { 612 /* K2 */ 613 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 614 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 615 } 616 }; 617 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 618 { 619 /* Example #1 */ 620 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 621 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 622 }, 623 { 624 /* Example #2 */ 625 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 626 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 627 }, 628 { 629 /* Example #3 */ 630 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 631 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 632 }, 633 { 634 /* Example #4 */ 635 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 636 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 637 } 638 }; 639 #endif /* MBEDTLS_AES_C */ 640 641 #if defined(MBEDTLS_DES_C) 642 /* Truncation point of message for 3DES CMAC tests */ 643 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 644 0, 645 16, 646 20, 647 32 648 }; 649 650 /* CMAC-TDES (Generation) - 2 Key Test Data */ 651 static const unsigned char des3_2key_key[24] = { 652 /* Key1 */ 653 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 654 /* Key2 */ 655 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 656 /* Key3 */ 657 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 658 }; 659 static const unsigned char des3_2key_subkeys[2][8] = { 660 { 661 /* K1 */ 662 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 663 }, 664 { 665 /* K2 */ 666 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 667 } 668 }; 669 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 670 { 671 /* Sample #1 */ 672 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 673 }, 674 { 675 /* Sample #2 */ 676 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 677 }, 678 { 679 /* Sample #3 */ 680 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 681 }, 682 { 683 /* Sample #4 */ 684 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 685 } 686 }; 687 688 /* CMAC-TDES (Generation) - 3 Key Test Data */ 689 static const unsigned char des3_3key_key[24] = { 690 /* Key1 */ 691 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 692 /* Key2 */ 693 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 694 /* Key3 */ 695 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 696 }; 697 static const unsigned char des3_3key_subkeys[2][8] = { 698 { 699 /* K1 */ 700 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 701 }, 702 { 703 /* K2 */ 704 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 705 } 706 }; 707 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 708 { 709 /* Sample #1 */ 710 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 711 }, 712 { 713 /* Sample #2 */ 714 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 715 }, 716 { 717 /* Sample #3 */ 718 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 719 }, 720 { 721 /* Sample #4 */ 722 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 723 } 724 }; 725 726 #endif /* MBEDTLS_DES_C */ 727 728 #if defined(MBEDTLS_AES_C) 729 /* AES AES-CMAC-PRF-128 Test Data */ 730 static const unsigned char PRFK[] = { 731 /* Key */ 732 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 733 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 734 0xed, 0xcb 735 }; 736 737 /* Sizes in bytes */ 738 static const size_t PRFKlen[NB_PRF_TESTS] = { 739 18, 740 16, 741 10 742 }; 743 744 /* Message */ 745 static const unsigned char PRFM[] = { 746 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 747 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 748 0x10, 0x11, 0x12, 0x13 749 }; 750 751 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 752 { 753 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 754 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 755 }, 756 { 757 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 758 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 759 }, 760 { 761 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 762 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 763 } 764 }; 765 #endif /* MBEDTLS_AES_C */ 766 767 static int cmac_test_subkeys( int verbose, 768 const char* testname, 769 const unsigned char* key, 770 int keybits, 771 const unsigned char* subkeys, 772 mbedtls_cipher_type_t cipher_type, 773 int block_size, 774 int num_tests ) 775 { 776 int i, ret = 0; 777 mbedtls_cipher_context_t ctx; 778 const mbedtls_cipher_info_t *cipher_info; 779 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 780 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 781 782 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 783 if( cipher_info == NULL ) 784 { 785 /* Failing at this point must be due to a build issue */ 786 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 787 } 788 789 for( i = 0; i < num_tests; i++ ) 790 { 791 if( verbose != 0 ) 792 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 ); 793 794 mbedtls_cipher_init( &ctx ); 795 796 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 797 { 798 if( verbose != 0 ) 799 mbedtls_printf( "test execution failed\n" ); 800 801 goto cleanup; 802 } 803 804 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits, 805 MBEDTLS_ENCRYPT ) ) != 0 ) 806 { 807 if( verbose != 0 ) 808 mbedtls_printf( "test execution failed\n" ); 809 810 goto cleanup; 811 } 812 813 ret = cmac_generate_subkeys( &ctx, K1, K2 ); 814 if( ret != 0 ) 815 { 816 if( verbose != 0 ) 817 mbedtls_printf( "failed\n" ); 818 819 goto cleanup; 820 } 821 822 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 || 823 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 ) 824 { 825 if( verbose != 0 ) 826 mbedtls_printf( "failed\n" ); 827 828 goto cleanup; 829 } 830 831 if( verbose != 0 ) 832 mbedtls_printf( "passed\n" ); 833 834 mbedtls_cipher_free( &ctx ); 835 } 836 837 ret = 0; 838 goto exit; 839 840 cleanup: 841 mbedtls_cipher_free( &ctx ); 842 843 exit: 844 return( ret ); 845 } 846 847 static int cmac_test_wth_cipher( int verbose, 848 const char* testname, 849 const unsigned char* key, 850 int keybits, 851 const unsigned char* messages, 852 const unsigned int message_lengths[4], 853 const unsigned char* expected_result, 854 mbedtls_cipher_type_t cipher_type, 855 int block_size, 856 int num_tests ) 857 { 858 const mbedtls_cipher_info_t *cipher_info; 859 int i, ret = 0; 860 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; 861 862 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 863 if( cipher_info == NULL ) 864 { 865 /* Failing at this point must be due to a build issue */ 866 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 867 goto exit; 868 } 869 870 for( i = 0; i < num_tests; i++ ) 871 { 872 if( verbose != 0 ) 873 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 ); 874 875 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages, 876 message_lengths[i], output ) ) != 0 ) 877 { 878 if( verbose != 0 ) 879 mbedtls_printf( "failed\n" ); 880 goto exit; 881 } 882 883 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 ) 884 { 885 if( verbose != 0 ) 886 mbedtls_printf( "failed\n" ); 887 goto exit; 888 } 889 890 if( verbose != 0 ) 891 mbedtls_printf( "passed\n" ); 892 } 893 ret = 0; 894 895 exit: 896 return( ret ); 897 } 898 899 #if defined(MBEDTLS_AES_C) 900 static int test_aes128_cmac_prf( int verbose ) 901 { 902 int i; 903 int ret; 904 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 905 906 for( i = 0; i < NB_PRF_TESTS; i++ ) 907 { 908 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i ); 909 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output ); 910 if( ret != 0 || 911 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 ) 912 { 913 914 if( verbose != 0 ) 915 mbedtls_printf( "failed\n" ); 916 917 return( ret ); 918 } 919 else if( verbose != 0 ) 920 { 921 mbedtls_printf( "passed\n" ); 922 } 923 } 924 return( ret ); 925 } 926 #endif /* MBEDTLS_AES_C */ 927 928 int mbedtls_cmac_self_test( int verbose ) 929 { 930 int ret; 931 932 #if defined(MBEDTLS_AES_C) 933 /* AES-128 */ 934 if( ( ret = cmac_test_subkeys( verbose, 935 "AES 128", 936 aes_128_key, 937 128, 938 (const unsigned char*)aes_128_subkeys, 939 MBEDTLS_CIPHER_AES_128_ECB, 940 MBEDTLS_AES_BLOCK_SIZE, 941 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 942 { 943 return( ret ); 944 } 945 946 if( ( ret = cmac_test_wth_cipher( verbose, 947 "AES 128", 948 aes_128_key, 949 128, 950 test_message, 951 aes_message_lengths, 952 (const unsigned char*)aes_128_expected_result, 953 MBEDTLS_CIPHER_AES_128_ECB, 954 MBEDTLS_AES_BLOCK_SIZE, 955 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 956 { 957 return( ret ); 958 } 959 960 /* AES-192 */ 961 if( ( ret = cmac_test_subkeys( verbose, 962 "AES 192", 963 aes_192_key, 964 192, 965 (const unsigned char*)aes_192_subkeys, 966 MBEDTLS_CIPHER_AES_192_ECB, 967 MBEDTLS_AES_BLOCK_SIZE, 968 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 969 { 970 return( ret ); 971 } 972 973 if( ( ret = cmac_test_wth_cipher( verbose, 974 "AES 192", 975 aes_192_key, 976 192, 977 test_message, 978 aes_message_lengths, 979 (const unsigned char*)aes_192_expected_result, 980 MBEDTLS_CIPHER_AES_192_ECB, 981 MBEDTLS_AES_BLOCK_SIZE, 982 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 983 { 984 return( ret ); 985 } 986 987 /* AES-256 */ 988 if( ( ret = cmac_test_subkeys( verbose, 989 "AES 256", 990 aes_256_key, 991 256, 992 (const unsigned char*)aes_256_subkeys, 993 MBEDTLS_CIPHER_AES_256_ECB, 994 MBEDTLS_AES_BLOCK_SIZE, 995 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 996 { 997 return( ret ); 998 } 999 1000 if( ( ret = cmac_test_wth_cipher ( verbose, 1001 "AES 256", 1002 aes_256_key, 1003 256, 1004 test_message, 1005 aes_message_lengths, 1006 (const unsigned char*)aes_256_expected_result, 1007 MBEDTLS_CIPHER_AES_256_ECB, 1008 MBEDTLS_AES_BLOCK_SIZE, 1009 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1010 { 1011 return( ret ); 1012 } 1013 #endif /* MBEDTLS_AES_C */ 1014 1015 #if defined(MBEDTLS_DES_C) 1016 /* 3DES 2 key */ 1017 if( ( ret = cmac_test_subkeys( verbose, 1018 "3DES 2 key", 1019 des3_2key_key, 1020 192, 1021 (const unsigned char*)des3_2key_subkeys, 1022 MBEDTLS_CIPHER_DES_EDE3_ECB, 1023 MBEDTLS_DES3_BLOCK_SIZE, 1024 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1025 { 1026 return( ret ); 1027 } 1028 1029 if( ( ret = cmac_test_wth_cipher( verbose, 1030 "3DES 2 key", 1031 des3_2key_key, 1032 192, 1033 test_message, 1034 des3_message_lengths, 1035 (const unsigned char*)des3_2key_expected_result, 1036 MBEDTLS_CIPHER_DES_EDE3_ECB, 1037 MBEDTLS_DES3_BLOCK_SIZE, 1038 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1039 { 1040 return( ret ); 1041 } 1042 1043 /* 3DES 3 key */ 1044 if( ( ret = cmac_test_subkeys( verbose, 1045 "3DES 3 key", 1046 des3_3key_key, 1047 192, 1048 (const unsigned char*)des3_3key_subkeys, 1049 MBEDTLS_CIPHER_DES_EDE3_ECB, 1050 MBEDTLS_DES3_BLOCK_SIZE, 1051 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1052 { 1053 return( ret ); 1054 } 1055 1056 if( ( ret = cmac_test_wth_cipher( verbose, 1057 "3DES 3 key", 1058 des3_3key_key, 1059 192, 1060 test_message, 1061 des3_message_lengths, 1062 (const unsigned char*)des3_3key_expected_result, 1063 MBEDTLS_CIPHER_DES_EDE3_ECB, 1064 MBEDTLS_DES3_BLOCK_SIZE, 1065 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1066 { 1067 return( ret ); 1068 } 1069 #endif /* MBEDTLS_DES_C */ 1070 1071 #if defined(MBEDTLS_AES_C) 1072 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 ) 1073 return( ret ); 1074 #endif /* MBEDTLS_AES_C */ 1075 1076 if( verbose != 0 ) 1077 mbedtls_printf( "\n" ); 1078 1079 return( 0 ); 1080 } 1081 1082 #endif /* MBEDTLS_SELF_TEST */ 1083 1084 #endif /* MBEDTLS_CMAC_C */ 1085