1 /** 2 * \file cmac.c 3 * 4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 5 * 6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved 7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 8 * 9 * This file is provided under the Apache License 2.0, or the 10 * GNU General Public License v2.0 or later. 11 * 12 * ********** 13 * Apache License 2.0: 14 * 15 * Licensed under the Apache License, Version 2.0 (the "License"); you may 16 * not use this file except in compliance with the License. 17 * You may obtain a copy of the License at 18 * 19 * http://www.apache.org/licenses/LICENSE-2.0 20 * 21 * Unless required by applicable law or agreed to in writing, software 22 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 23 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 24 * See the License for the specific language governing permissions and 25 * limitations under the License. 26 * 27 * ********** 28 * 29 * ********** 30 * GNU General Public License v2.0 or later: 31 * 32 * This program is free software; you can redistribute it and/or modify 33 * it under the terms of the GNU General Public License as published by 34 * the Free Software Foundation; either version 2 of the License, or 35 * (at your option) any later version. 36 * 37 * This program is distributed in the hope that it will be useful, 38 * but WITHOUT ANY WARRANTY; without even the implied warranty of 39 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 40 * GNU General Public License for more details. 41 * 42 * You should have received a copy of the GNU General Public License along 43 * with this program; if not, write to the Free Software Foundation, Inc., 44 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 45 * 46 * ********** 47 * 48 * This file is part of mbed TLS (https://tls.mbed.org) 49 */ 50 51 /* 52 * References: 53 * 54 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 55 * CMAC Mode for Authentication 56 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 57 * 58 * - RFC 4493 - The AES-CMAC Algorithm 59 * https://tools.ietf.org/html/rfc4493 60 * 61 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 62 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 63 * Algorithm for the Internet Key Exchange Protocol (IKE) 64 * https://tools.ietf.org/html/rfc4615 65 * 66 * Additional test vectors: ISO/IEC 9797-1 67 * 68 */ 69 70 #if !defined(MBEDTLS_CONFIG_FILE) 71 #include "mbedtls/config.h" 72 #else 73 #include MBEDTLS_CONFIG_FILE 74 #endif 75 76 #if defined(MBEDTLS_CMAC_C) 77 78 #include "mbedtls/cmac.h" 79 80 #include <string.h> 81 82 83 #if defined(MBEDTLS_PLATFORM_C) 84 #include "mbedtls/platform.h" 85 #else 86 #include <stdlib.h> 87 #define mbedtls_calloc calloc 88 #define mbedtls_free free 89 #if defined(MBEDTLS_SELF_TEST) 90 #include <stdio.h> 91 #define mbedtls_printf printf 92 #endif /* MBEDTLS_SELF_TEST */ 93 #endif /* MBEDTLS_PLATFORM_C */ 94 95 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 96 97 /* Implementation that should never be optimized out by the compiler */ 98 static void mbedtls_zeroize( void *v, size_t n ) { 99 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 100 } 101 102 /* 103 * Multiplication by u in the Galois field of GF(2^n) 104 * 105 * As explained in NIST SP 800-38B, this can be computed: 106 * 107 * If MSB(p) = 0, then p = (p << 1) 108 * If MSB(p) = 1, then p = (p << 1) ^ R_n 109 * with R_64 = 0x1B and R_128 = 0x87 110 * 111 * Input and output MUST NOT point to the same buffer 112 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 113 */ 114 static int cmac_multiply_by_u( unsigned char *output, 115 const unsigned char *input, 116 size_t blocksize ) 117 { 118 const unsigned char R_128 = 0x87; 119 const unsigned char R_64 = 0x1B; 120 unsigned char R_n, mask; 121 unsigned char overflow = 0x00; 122 int i; 123 124 if( blocksize == MBEDTLS_AES_BLOCK_SIZE ) 125 { 126 R_n = R_128; 127 } 128 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE ) 129 { 130 R_n = R_64; 131 } 132 else 133 { 134 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 135 } 136 137 for( i = (int)blocksize - 1; i >= 0; i-- ) 138 { 139 output[i] = input[i] << 1 | overflow; 140 overflow = input[i] >> 7; 141 } 142 143 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 144 * using bit operations to avoid branches */ 145 146 /* MSVC has a warning about unary minus on unsigned, but this is 147 * well-defined and precisely what we want to do here */ 148 #if defined(_MSC_VER) 149 #pragma warning( push ) 150 #pragma warning( disable : 4146 ) 151 #endif 152 mask = - ( input[0] >> 7 ); 153 #if defined(_MSC_VER) 154 #pragma warning( pop ) 155 #endif 156 157 output[ blocksize - 1 ] ^= R_n & mask; 158 159 return( 0 ); 160 } 161 162 /* 163 * Generate subkeys 164 * 165 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 166 */ 167 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx, 168 unsigned char* K1, unsigned char* K2 ) 169 { 170 int ret; 171 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; 172 size_t olen, block_size; 173 174 mbedtls_zeroize( L, sizeof( L ) ); 175 176 block_size = ctx->cipher_info->block_size; 177 178 /* Calculate Ek(0) */ 179 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 ) 180 goto exit; 181 182 /* 183 * Generate K1 and K2 184 */ 185 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 ) 186 goto exit; 187 188 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 ) 189 goto exit; 190 191 exit: 192 mbedtls_zeroize( L, sizeof( L ) ); 193 194 return( ret ); 195 } 196 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 197 198 #if !defined(MBEDTLS_CMAC_ALT) 199 static void cmac_xor_block( unsigned char *output, const unsigned char *input1, 200 const unsigned char *input2, 201 const size_t block_size ) 202 { 203 size_t idx; 204 205 for( idx = 0; idx < block_size; idx++ ) 206 output[ idx ] = input1[ idx ] ^ input2[ idx ]; 207 } 208 209 /* 210 * Create padded last block from (partial) last block. 211 * 212 * We can't use the padding option from the cipher layer, as it only works for 213 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 214 */ 215 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], 216 size_t padded_block_len, 217 const unsigned char *last_block, 218 size_t last_block_len ) 219 { 220 size_t j; 221 222 for( j = 0; j < padded_block_len; j++ ) 223 { 224 if( j < last_block_len ) 225 padded_block[j] = last_block[j]; 226 else if( j == last_block_len ) 227 padded_block[j] = 0x80; 228 else 229 padded_block[j] = 0x00; 230 } 231 } 232 233 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 234 const unsigned char *key, size_t keybits ) 235 { 236 mbedtls_cipher_type_t type; 237 mbedtls_cmac_context_t *cmac_ctx; 238 int retval; 239 240 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL ) 241 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 242 243 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits, 244 MBEDTLS_ENCRYPT ) ) != 0 ) 245 return( retval ); 246 247 type = ctx->cipher_info->type; 248 249 switch( type ) 250 { 251 case MBEDTLS_CIPHER_AES_128_ECB: 252 case MBEDTLS_CIPHER_AES_192_ECB: 253 case MBEDTLS_CIPHER_AES_256_ECB: 254 case MBEDTLS_CIPHER_DES_EDE3_ECB: 255 break; 256 default: 257 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 258 } 259 260 /* Allocated and initialise in the cipher context memory for the CMAC 261 * context */ 262 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) ); 263 if( cmac_ctx == NULL ) 264 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 265 266 ctx->cmac_ctx = cmac_ctx; 267 268 mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) ); 269 270 return 0; 271 } 272 273 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 274 const unsigned char *input, size_t ilen ) 275 { 276 mbedtls_cmac_context_t* cmac_ctx; 277 unsigned char *state; 278 int ret = 0; 279 size_t n, j, olen, block_size; 280 281 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL || 282 ctx->cmac_ctx == NULL ) 283 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 284 285 cmac_ctx = ctx->cmac_ctx; 286 block_size = ctx->cipher_info->block_size; 287 state = ctx->cmac_ctx->state; 288 289 /* Is there data still to process from the last call, that's greater in 290 * size than a block? */ 291 if( cmac_ctx->unprocessed_len > 0 && 292 ilen > block_size - cmac_ctx->unprocessed_len ) 293 { 294 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 295 input, 296 block_size - cmac_ctx->unprocessed_len ); 297 298 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size ); 299 300 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 301 &olen ) ) != 0 ) 302 { 303 goto exit; 304 } 305 306 input += block_size - cmac_ctx->unprocessed_len; 307 ilen -= block_size - cmac_ctx->unprocessed_len; 308 cmac_ctx->unprocessed_len = 0; 309 } 310 311 /* n is the number of blocks including any final partial block */ 312 n = ( ilen + block_size - 1 ) / block_size; 313 314 /* Iterate across the input data in block sized chunks, excluding any 315 * final partial or complete block */ 316 for( j = 1; j < n; j++ ) 317 { 318 cmac_xor_block( state, input, state, block_size ); 319 320 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 321 &olen ) ) != 0 ) 322 goto exit; 323 324 ilen -= block_size; 325 input += block_size; 326 } 327 328 /* If there is data left over that wasn't aligned to a block */ 329 if( ilen > 0 ) 330 { 331 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 332 input, 333 ilen ); 334 cmac_ctx->unprocessed_len += ilen; 335 } 336 337 exit: 338 return( ret ); 339 } 340 341 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 342 unsigned char *output ) 343 { 344 mbedtls_cmac_context_t* cmac_ctx; 345 unsigned char *state, *last_block; 346 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 347 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 348 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; 349 int ret; 350 size_t olen, block_size; 351 352 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 353 output == NULL ) 354 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 355 356 cmac_ctx = ctx->cmac_ctx; 357 block_size = ctx->cipher_info->block_size; 358 state = cmac_ctx->state; 359 360 mbedtls_zeroize( K1, sizeof( K1 ) ); 361 mbedtls_zeroize( K2, sizeof( K2 ) ); 362 cmac_generate_subkeys( ctx, K1, K2 ); 363 364 last_block = cmac_ctx->unprocessed_block; 365 366 /* Calculate last block */ 367 if( cmac_ctx->unprocessed_len < block_size ) 368 { 369 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len ); 370 cmac_xor_block( M_last, M_last, K2, block_size ); 371 } 372 else 373 { 374 /* Last block is complete block */ 375 cmac_xor_block( M_last, last_block, K1, block_size ); 376 } 377 378 379 cmac_xor_block( state, M_last, state, block_size ); 380 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 381 &olen ) ) != 0 ) 382 { 383 goto exit; 384 } 385 386 memcpy( output, state, block_size ); 387 388 exit: 389 /* Wipe the generated keys on the stack, and any other transients to avoid 390 * side channel leakage */ 391 mbedtls_zeroize( K1, sizeof( K1 ) ); 392 mbedtls_zeroize( K2, sizeof( K2 ) ); 393 394 cmac_ctx->unprocessed_len = 0; 395 mbedtls_zeroize( cmac_ctx->unprocessed_block, 396 sizeof( cmac_ctx->unprocessed_block ) ); 397 398 mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX ); 399 return( ret ); 400 } 401 402 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ) 403 { 404 mbedtls_cmac_context_t* cmac_ctx; 405 406 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ) 407 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 408 409 cmac_ctx = ctx->cmac_ctx; 410 411 /* Reset the internal state */ 412 cmac_ctx->unprocessed_len = 0; 413 mbedtls_zeroize( cmac_ctx->unprocessed_block, 414 sizeof( cmac_ctx->unprocessed_block ) ); 415 mbedtls_zeroize( cmac_ctx->state, 416 sizeof( cmac_ctx->state ) ); 417 418 return( 0 ); 419 } 420 421 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 422 const unsigned char *key, size_t keylen, 423 const unsigned char *input, size_t ilen, 424 unsigned char *output ) 425 { 426 mbedtls_cipher_context_t ctx; 427 int ret; 428 429 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL ) 430 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 431 432 mbedtls_cipher_init( &ctx ); 433 434 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 435 goto exit; 436 437 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen ); 438 if( ret != 0 ) 439 goto exit; 440 441 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen ); 442 if( ret != 0 ) 443 goto exit; 444 445 ret = mbedtls_cipher_cmac_finish( &ctx, output ); 446 447 exit: 448 mbedtls_cipher_free( &ctx ); 449 450 return( ret ); 451 } 452 453 #if defined(MBEDTLS_AES_C) 454 /* 455 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 456 */ 457 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length, 458 const unsigned char *input, size_t in_len, 459 unsigned char *output ) 460 { 461 int ret; 462 const mbedtls_cipher_info_t *cipher_info; 463 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 464 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 465 466 if( key == NULL || input == NULL || output == NULL ) 467 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 468 469 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 470 if( cipher_info == NULL ) 471 { 472 /* Failing at this point must be due to a build issue */ 473 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 474 goto exit; 475 } 476 477 if( key_length == MBEDTLS_AES_BLOCK_SIZE ) 478 { 479 /* Use key as is */ 480 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE ); 481 } 482 else 483 { 484 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE ); 485 486 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key, 487 key_length, int_key ); 488 if( ret != 0 ) 489 goto exit; 490 } 491 492 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len, 493 output ); 494 495 exit: 496 mbedtls_zeroize( int_key, sizeof( int_key ) ); 497 498 return( ret ); 499 } 500 #endif /* MBEDTLS_AES_C */ 501 502 #endif /* !MBEDTLS_CMAC_ALT */ 503 504 #if defined(MBEDTLS_SELF_TEST) 505 /* 506 * CMAC test data for SP800-38B 507 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 508 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 509 * 510 * AES-CMAC-PRF-128 test data from RFC 4615 511 * https://tools.ietf.org/html/rfc4615#page-4 512 */ 513 514 #define NB_CMAC_TESTS_PER_KEY 4 515 #define NB_PRF_TESTS 3 516 517 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 518 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 519 static const unsigned char test_message[] = { 520 /* PT */ 521 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 522 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 523 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 524 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 525 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 526 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 527 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 528 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 529 }; 530 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 531 532 #if defined(MBEDTLS_AES_C) 533 /* Truncation point of message for AES CMAC tests */ 534 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 535 /* Mlen */ 536 0, 537 16, 538 20, 539 64 540 }; 541 542 /* CMAC-AES128 Test Data */ 543 static const unsigned char aes_128_key[16] = { 544 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 545 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 546 }; 547 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 548 { 549 /* K1 */ 550 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 551 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 552 }, 553 { 554 /* K2 */ 555 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 556 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 557 } 558 }; 559 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 560 { 561 /* Example #1 */ 562 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 563 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 564 }, 565 { 566 /* Example #2 */ 567 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 568 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 569 }, 570 { 571 /* Example #3 */ 572 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 573 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 574 }, 575 { 576 /* Example #4 */ 577 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 578 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 579 } 580 }; 581 582 /* CMAC-AES192 Test Data */ 583 static const unsigned char aes_192_key[24] = { 584 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 585 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 586 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 587 }; 588 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 589 { 590 /* K1 */ 591 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 592 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 593 }, 594 { 595 /* K2 */ 596 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 597 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 598 } 599 }; 600 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 601 { 602 /* Example #1 */ 603 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 604 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 605 }, 606 { 607 /* Example #2 */ 608 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 609 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 610 }, 611 { 612 /* Example #3 */ 613 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 614 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 615 }, 616 { 617 /* Example #4 */ 618 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 619 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 620 } 621 }; 622 623 /* CMAC-AES256 Test Data */ 624 static const unsigned char aes_256_key[32] = { 625 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 626 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 627 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 628 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 629 }; 630 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 631 { 632 /* K1 */ 633 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 634 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 635 }, 636 { 637 /* K2 */ 638 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 639 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 640 } 641 }; 642 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 643 { 644 /* Example #1 */ 645 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 646 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 647 }, 648 { 649 /* Example #2 */ 650 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 651 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 652 }, 653 { 654 /* Example #3 */ 655 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 656 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 657 }, 658 { 659 /* Example #4 */ 660 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 661 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 662 } 663 }; 664 #endif /* MBEDTLS_AES_C */ 665 666 #if defined(MBEDTLS_DES_C) 667 /* Truncation point of message for 3DES CMAC tests */ 668 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 669 0, 670 16, 671 20, 672 32 673 }; 674 675 /* CMAC-TDES (Generation) - 2 Key Test Data */ 676 static const unsigned char des3_2key_key[24] = { 677 /* Key1 */ 678 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 679 /* Key2 */ 680 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 681 /* Key3 */ 682 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 683 }; 684 static const unsigned char des3_2key_subkeys[2][8] = { 685 { 686 /* K1 */ 687 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 688 }, 689 { 690 /* K2 */ 691 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 692 } 693 }; 694 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 695 { 696 /* Sample #1 */ 697 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 698 }, 699 { 700 /* Sample #2 */ 701 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 702 }, 703 { 704 /* Sample #3 */ 705 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 706 }, 707 { 708 /* Sample #4 */ 709 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 710 } 711 }; 712 713 /* CMAC-TDES (Generation) - 3 Key Test Data */ 714 static const unsigned char des3_3key_key[24] = { 715 /* Key1 */ 716 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 717 /* Key2 */ 718 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 719 /* Key3 */ 720 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 721 }; 722 static const unsigned char des3_3key_subkeys[2][8] = { 723 { 724 /* K1 */ 725 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 726 }, 727 { 728 /* K2 */ 729 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 730 } 731 }; 732 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 733 { 734 /* Sample #1 */ 735 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 736 }, 737 { 738 /* Sample #2 */ 739 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 740 }, 741 { 742 /* Sample #3 */ 743 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 744 }, 745 { 746 /* Sample #4 */ 747 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 748 } 749 }; 750 751 #endif /* MBEDTLS_DES_C */ 752 753 #if defined(MBEDTLS_AES_C) 754 /* AES AES-CMAC-PRF-128 Test Data */ 755 static const unsigned char PRFK[] = { 756 /* Key */ 757 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 758 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 759 0xed, 0xcb 760 }; 761 762 /* Sizes in bytes */ 763 static const size_t PRFKlen[NB_PRF_TESTS] = { 764 18, 765 16, 766 10 767 }; 768 769 /* Message */ 770 static const unsigned char PRFM[] = { 771 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 772 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 773 0x10, 0x11, 0x12, 0x13 774 }; 775 776 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 777 { 778 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 779 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 780 }, 781 { 782 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 783 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 784 }, 785 { 786 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 787 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 788 } 789 }; 790 #endif /* MBEDTLS_AES_C */ 791 792 static int cmac_test_subkeys( int verbose, 793 const char* testname, 794 const unsigned char* key, 795 int keybits, 796 const unsigned char* subkeys, 797 mbedtls_cipher_type_t cipher_type, 798 int block_size, 799 int num_tests ) 800 { 801 int i, ret = 0; 802 mbedtls_cipher_context_t ctx; 803 const mbedtls_cipher_info_t *cipher_info; 804 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 805 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 806 807 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 808 if( cipher_info == NULL ) 809 { 810 /* Failing at this point must be due to a build issue */ 811 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 812 } 813 814 for( i = 0; i < num_tests; i++ ) 815 { 816 if( verbose != 0 ) 817 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 ); 818 819 mbedtls_cipher_init( &ctx ); 820 821 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 822 { 823 if( verbose != 0 ) 824 mbedtls_printf( "test execution failed\n" ); 825 826 goto cleanup; 827 } 828 829 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits, 830 MBEDTLS_ENCRYPT ) ) != 0 ) 831 { 832 if( verbose != 0 ) 833 mbedtls_printf( "test execution failed\n" ); 834 835 goto cleanup; 836 } 837 838 ret = cmac_generate_subkeys( &ctx, K1, K2 ); 839 if( ret != 0 ) 840 { 841 if( verbose != 0 ) 842 mbedtls_printf( "failed\n" ); 843 844 goto cleanup; 845 } 846 847 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 || 848 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 ) 849 { 850 if( verbose != 0 ) 851 mbedtls_printf( "failed\n" ); 852 853 goto cleanup; 854 } 855 856 if( verbose != 0 ) 857 mbedtls_printf( "passed\n" ); 858 859 mbedtls_cipher_free( &ctx ); 860 } 861 862 ret = 0; 863 goto exit; 864 865 cleanup: 866 mbedtls_cipher_free( &ctx ); 867 868 exit: 869 return( ret ); 870 } 871 872 static int cmac_test_wth_cipher( int verbose, 873 const char* testname, 874 const unsigned char* key, 875 int keybits, 876 const unsigned char* messages, 877 const unsigned int message_lengths[4], 878 const unsigned char* expected_result, 879 mbedtls_cipher_type_t cipher_type, 880 int block_size, 881 int num_tests ) 882 { 883 const mbedtls_cipher_info_t *cipher_info; 884 int i, ret = 0; 885 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; 886 887 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 888 if( cipher_info == NULL ) 889 { 890 /* Failing at this point must be due to a build issue */ 891 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 892 goto exit; 893 } 894 895 for( i = 0; i < num_tests; i++ ) 896 { 897 if( verbose != 0 ) 898 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 ); 899 900 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages, 901 message_lengths[i], output ) ) != 0 ) 902 { 903 if( verbose != 0 ) 904 mbedtls_printf( "failed\n" ); 905 goto exit; 906 } 907 908 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 ) 909 { 910 if( verbose != 0 ) 911 mbedtls_printf( "failed\n" ); 912 goto exit; 913 } 914 915 if( verbose != 0 ) 916 mbedtls_printf( "passed\n" ); 917 } 918 ret = 0; 919 920 exit: 921 return( ret ); 922 } 923 924 #if defined(MBEDTLS_AES_C) 925 static int test_aes128_cmac_prf( int verbose ) 926 { 927 int i; 928 int ret; 929 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 930 931 for( i = 0; i < NB_PRF_TESTS; i++ ) 932 { 933 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i ); 934 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output ); 935 if( ret != 0 || 936 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 ) 937 { 938 939 if( verbose != 0 ) 940 mbedtls_printf( "failed\n" ); 941 942 return( ret ); 943 } 944 else if( verbose != 0 ) 945 { 946 mbedtls_printf( "passed\n" ); 947 } 948 } 949 return( ret ); 950 } 951 #endif /* MBEDTLS_AES_C */ 952 953 int mbedtls_cmac_self_test( int verbose ) 954 { 955 int ret; 956 957 #if defined(MBEDTLS_AES_C) 958 /* AES-128 */ 959 if( ( ret = cmac_test_subkeys( verbose, 960 "AES 128", 961 aes_128_key, 962 128, 963 (const unsigned char*)aes_128_subkeys, 964 MBEDTLS_CIPHER_AES_128_ECB, 965 MBEDTLS_AES_BLOCK_SIZE, 966 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 967 { 968 return( ret ); 969 } 970 971 if( ( ret = cmac_test_wth_cipher( verbose, 972 "AES 128", 973 aes_128_key, 974 128, 975 test_message, 976 aes_message_lengths, 977 (const unsigned char*)aes_128_expected_result, 978 MBEDTLS_CIPHER_AES_128_ECB, 979 MBEDTLS_AES_BLOCK_SIZE, 980 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 981 { 982 return( ret ); 983 } 984 985 /* AES-192 */ 986 if( ( ret = cmac_test_subkeys( verbose, 987 "AES 192", 988 aes_192_key, 989 192, 990 (const unsigned char*)aes_192_subkeys, 991 MBEDTLS_CIPHER_AES_192_ECB, 992 MBEDTLS_AES_BLOCK_SIZE, 993 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 994 { 995 return( ret ); 996 } 997 998 if( ( ret = cmac_test_wth_cipher( verbose, 999 "AES 192", 1000 aes_192_key, 1001 192, 1002 test_message, 1003 aes_message_lengths, 1004 (const unsigned char*)aes_192_expected_result, 1005 MBEDTLS_CIPHER_AES_192_ECB, 1006 MBEDTLS_AES_BLOCK_SIZE, 1007 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1008 { 1009 return( ret ); 1010 } 1011 1012 /* AES-256 */ 1013 if( ( ret = cmac_test_subkeys( verbose, 1014 "AES 256", 1015 aes_256_key, 1016 256, 1017 (const unsigned char*)aes_256_subkeys, 1018 MBEDTLS_CIPHER_AES_256_ECB, 1019 MBEDTLS_AES_BLOCK_SIZE, 1020 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1021 { 1022 return( ret ); 1023 } 1024 1025 if( ( ret = cmac_test_wth_cipher ( verbose, 1026 "AES 256", 1027 aes_256_key, 1028 256, 1029 test_message, 1030 aes_message_lengths, 1031 (const unsigned char*)aes_256_expected_result, 1032 MBEDTLS_CIPHER_AES_256_ECB, 1033 MBEDTLS_AES_BLOCK_SIZE, 1034 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1035 { 1036 return( ret ); 1037 } 1038 #endif /* MBEDTLS_AES_C */ 1039 1040 #if defined(MBEDTLS_DES_C) 1041 /* 3DES 2 key */ 1042 if( ( ret = cmac_test_subkeys( verbose, 1043 "3DES 2 key", 1044 des3_2key_key, 1045 192, 1046 (const unsigned char*)des3_2key_subkeys, 1047 MBEDTLS_CIPHER_DES_EDE3_ECB, 1048 MBEDTLS_DES3_BLOCK_SIZE, 1049 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1050 { 1051 return( ret ); 1052 } 1053 1054 if( ( ret = cmac_test_wth_cipher( verbose, 1055 "3DES 2 key", 1056 des3_2key_key, 1057 192, 1058 test_message, 1059 des3_message_lengths, 1060 (const unsigned char*)des3_2key_expected_result, 1061 MBEDTLS_CIPHER_DES_EDE3_ECB, 1062 MBEDTLS_DES3_BLOCK_SIZE, 1063 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1064 { 1065 return( ret ); 1066 } 1067 1068 /* 3DES 3 key */ 1069 if( ( ret = cmac_test_subkeys( verbose, 1070 "3DES 3 key", 1071 des3_3key_key, 1072 192, 1073 (const unsigned char*)des3_3key_subkeys, 1074 MBEDTLS_CIPHER_DES_EDE3_ECB, 1075 MBEDTLS_DES3_BLOCK_SIZE, 1076 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1077 { 1078 return( ret ); 1079 } 1080 1081 if( ( ret = cmac_test_wth_cipher( verbose, 1082 "3DES 3 key", 1083 des3_3key_key, 1084 192, 1085 test_message, 1086 des3_message_lengths, 1087 (const unsigned char*)des3_3key_expected_result, 1088 MBEDTLS_CIPHER_DES_EDE3_ECB, 1089 MBEDTLS_DES3_BLOCK_SIZE, 1090 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1091 { 1092 return( ret ); 1093 } 1094 #endif /* MBEDTLS_DES_C */ 1095 1096 #if defined(MBEDTLS_AES_C) 1097 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 ) 1098 return( ret ); 1099 #endif /* MBEDTLS_AES_C */ 1100 1101 if( verbose != 0 ) 1102 mbedtls_printf( "\n" ); 1103 1104 return( 0 ); 1105 } 1106 1107 #endif /* MBEDTLS_SELF_TEST */ 1108 1109 #endif /* MBEDTLS_CMAC_C */ 1110