xref: /reactos/dll/3rdparty/mbedtls/cmac.c (revision b5218987)
1 /**
2  * \file cmac.c
3  *
4  * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5  *
6  *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8  *
9  *  This file is provided under the Apache License 2.0, or the
10  *  GNU General Public License v2.0 or later.
11  *
12  *  **********
13  *  Apache License 2.0:
14  *
15  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
16  *  not use this file except in compliance with the License.
17  *  You may obtain a copy of the License at
18  *
19  *  http://www.apache.org/licenses/LICENSE-2.0
20  *
21  *  Unless required by applicable law or agreed to in writing, software
22  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
23  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24  *  See the License for the specific language governing permissions and
25  *  limitations under the License.
26  *
27  *  **********
28  *
29  *  **********
30  *  GNU General Public License v2.0 or later:
31  *
32  *  This program is free software; you can redistribute it and/or modify
33  *  it under the terms of the GNU General Public License as published by
34  *  the Free Software Foundation; either version 2 of the License, or
35  *  (at your option) any later version.
36  *
37  *  This program is distributed in the hope that it will be useful,
38  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
39  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
40  *  GNU General Public License for more details.
41  *
42  *  You should have received a copy of the GNU General Public License along
43  *  with this program; if not, write to the Free Software Foundation, Inc.,
44  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
45  *
46  *  **********
47  *
48  *  This file is part of mbed TLS (https://tls.mbed.org)
49  */
50 
51 /*
52  * References:
53  *
54  * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
55  *      CMAC Mode for Authentication
56  *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
57  *
58  * - RFC 4493 - The AES-CMAC Algorithm
59  *   https://tools.ietf.org/html/rfc4493
60  *
61  * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
62  *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
63  *      Algorithm for the Internet Key Exchange Protocol (IKE)
64  *   https://tools.ietf.org/html/rfc4615
65  *
66  *   Additional test vectors: ISO/IEC 9797-1
67  *
68  */
69 
70 #if !defined(MBEDTLS_CONFIG_FILE)
71 #include "mbedtls/config.h"
72 #else
73 #include MBEDTLS_CONFIG_FILE
74 #endif
75 
76 #if defined(MBEDTLS_CMAC_C)
77 
78 #include "mbedtls/cmac.h"
79 
80 #include <string.h>
81 
82 
83 #if defined(MBEDTLS_PLATFORM_C)
84 #include "mbedtls/platform.h"
85 #else
86 #include <stdlib.h>
87 #define mbedtls_calloc     calloc
88 #define mbedtls_free       free
89 #if defined(MBEDTLS_SELF_TEST)
90 #include <stdio.h>
91 #define mbedtls_printf     printf
92 #endif /* MBEDTLS_SELF_TEST */
93 #endif /* MBEDTLS_PLATFORM_C */
94 
95 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
96 
97 /* Implementation that should never be optimized out by the compiler */
98 static void mbedtls_zeroize( void *v, size_t n ) {
99     volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
100 }
101 
102 /*
103  * Multiplication by u in the Galois field of GF(2^n)
104  *
105  * As explained in NIST SP 800-38B, this can be computed:
106  *
107  *   If MSB(p) = 0, then p = (p << 1)
108  *   If MSB(p) = 1, then p = (p << 1) ^ R_n
109  *   with R_64 = 0x1B and  R_128 = 0x87
110  *
111  * Input and output MUST NOT point to the same buffer
112  * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
113  */
114 static int cmac_multiply_by_u( unsigned char *output,
115                                const unsigned char *input,
116                                size_t blocksize )
117 {
118     const unsigned char R_128 = 0x87;
119     const unsigned char R_64 = 0x1B;
120     unsigned char R_n, mask;
121     unsigned char overflow = 0x00;
122     int i;
123 
124     if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
125     {
126         R_n = R_128;
127     }
128     else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
129     {
130         R_n = R_64;
131     }
132     else
133     {
134         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
135     }
136 
137     for( i = (int)blocksize - 1; i >= 0; i-- )
138     {
139         output[i] = input[i] << 1 | overflow;
140         overflow = input[i] >> 7;
141     }
142 
143     /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
144      * using bit operations to avoid branches */
145 
146     /* MSVC has a warning about unary minus on unsigned, but this is
147      * well-defined and precisely what we want to do here */
148 #if defined(_MSC_VER)
149 #pragma warning( push )
150 #pragma warning( disable : 4146 )
151 #endif
152     mask = - ( input[0] >> 7 );
153 #if defined(_MSC_VER)
154 #pragma warning( pop )
155 #endif
156 
157     output[ blocksize - 1 ] ^= R_n & mask;
158 
159     return( 0 );
160 }
161 
162 /*
163  * Generate subkeys
164  *
165  * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
166  */
167 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
168                                   unsigned char* K1, unsigned char* K2 )
169 {
170     int ret;
171     unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
172     size_t olen, block_size;
173 
174     mbedtls_zeroize( L, sizeof( L ) );
175 
176     block_size = ctx->cipher_info->block_size;
177 
178     /* Calculate Ek(0) */
179     if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
180         goto exit;
181 
182     /*
183      * Generate K1 and K2
184      */
185     if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
186         goto exit;
187 
188     if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
189         goto exit;
190 
191 exit:
192     mbedtls_zeroize( L, sizeof( L ) );
193 
194     return( ret );
195 }
196 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
197 
198 #if !defined(MBEDTLS_CMAC_ALT)
199 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
200                             const unsigned char *input2,
201                             const size_t block_size )
202 {
203     size_t idx;
204 
205     for( idx = 0; idx < block_size; idx++ )
206         output[ idx ] = input1[ idx ] ^ input2[ idx ];
207 }
208 
209 /*
210  * Create padded last block from (partial) last block.
211  *
212  * We can't use the padding option from the cipher layer, as it only works for
213  * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
214  */
215 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
216                       size_t padded_block_len,
217                       const unsigned char *last_block,
218                       size_t last_block_len )
219 {
220     size_t j;
221 
222     for( j = 0; j < padded_block_len; j++ )
223     {
224         if( j < last_block_len )
225             padded_block[j] = last_block[j];
226         else if( j == last_block_len )
227             padded_block[j] = 0x80;
228         else
229             padded_block[j] = 0x00;
230     }
231 }
232 
233 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
234                                 const unsigned char *key, size_t keybits )
235 {
236     mbedtls_cipher_type_t type;
237     mbedtls_cmac_context_t *cmac_ctx;
238     int retval;
239 
240     if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
241         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
242 
243     if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
244                                           MBEDTLS_ENCRYPT ) ) != 0 )
245         return( retval );
246 
247     type = ctx->cipher_info->type;
248 
249     switch( type )
250     {
251         case MBEDTLS_CIPHER_AES_128_ECB:
252         case MBEDTLS_CIPHER_AES_192_ECB:
253         case MBEDTLS_CIPHER_AES_256_ECB:
254         case MBEDTLS_CIPHER_DES_EDE3_ECB:
255             break;
256         default:
257             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
258     }
259 
260     /* Allocated and initialise in the cipher context memory for the CMAC
261      * context */
262     cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
263     if( cmac_ctx == NULL )
264         return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
265 
266     ctx->cmac_ctx = cmac_ctx;
267 
268     mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
269 
270     return 0;
271 }
272 
273 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
274                                 const unsigned char *input, size_t ilen )
275 {
276     mbedtls_cmac_context_t* cmac_ctx;
277     unsigned char *state;
278     int ret = 0;
279     size_t n, j, olen, block_size;
280 
281     if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
282         ctx->cmac_ctx == NULL )
283         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
284 
285     cmac_ctx = ctx->cmac_ctx;
286     block_size = ctx->cipher_info->block_size;
287     state = ctx->cmac_ctx->state;
288 
289     /* Is there data still to process from the last call, that's greater in
290      * size than a block? */
291     if( cmac_ctx->unprocessed_len > 0 &&
292         ilen > block_size - cmac_ctx->unprocessed_len )
293     {
294         memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
295                 input,
296                 block_size - cmac_ctx->unprocessed_len );
297 
298         cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
299 
300         if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
301                                            &olen ) ) != 0 )
302         {
303            goto exit;
304         }
305 
306         input += block_size - cmac_ctx->unprocessed_len;
307         ilen -= block_size - cmac_ctx->unprocessed_len;
308         cmac_ctx->unprocessed_len = 0;
309     }
310 
311     /* n is the number of blocks including any final partial block */
312     n = ( ilen + block_size - 1 ) / block_size;
313 
314     /* Iterate across the input data in block sized chunks, excluding any
315      * final partial or complete block */
316     for( j = 1; j < n; j++ )
317     {
318         cmac_xor_block( state, input, state, block_size );
319 
320         if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
321                                            &olen ) ) != 0 )
322            goto exit;
323 
324         ilen -= block_size;
325         input += block_size;
326     }
327 
328     /* If there is data left over that wasn't aligned to a block */
329     if( ilen > 0 )
330     {
331         memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
332                 input,
333                 ilen );
334         cmac_ctx->unprocessed_len += ilen;
335     }
336 
337 exit:
338     return( ret );
339 }
340 
341 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
342                                 unsigned char *output )
343 {
344     mbedtls_cmac_context_t* cmac_ctx;
345     unsigned char *state, *last_block;
346     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
347     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
348     unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
349     int ret;
350     size_t olen, block_size;
351 
352     if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
353         output == NULL )
354         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
355 
356     cmac_ctx = ctx->cmac_ctx;
357     block_size = ctx->cipher_info->block_size;
358     state = cmac_ctx->state;
359 
360     mbedtls_zeroize( K1, sizeof( K1 ) );
361     mbedtls_zeroize( K2, sizeof( K2 ) );
362     cmac_generate_subkeys( ctx, K1, K2 );
363 
364     last_block = cmac_ctx->unprocessed_block;
365 
366     /* Calculate last block */
367     if( cmac_ctx->unprocessed_len < block_size )
368     {
369         cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
370         cmac_xor_block( M_last, M_last, K2, block_size );
371     }
372     else
373     {
374         /* Last block is complete block */
375         cmac_xor_block( M_last, last_block, K1, block_size );
376     }
377 
378 
379     cmac_xor_block( state, M_last, state, block_size );
380     if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
381                                        &olen ) ) != 0 )
382     {
383         goto exit;
384     }
385 
386     memcpy( output, state, block_size );
387 
388 exit:
389     /* Wipe the generated keys on the stack, and any other transients to avoid
390      * side channel leakage */
391     mbedtls_zeroize( K1, sizeof( K1 ) );
392     mbedtls_zeroize( K2, sizeof( K2 ) );
393 
394     cmac_ctx->unprocessed_len = 0;
395     mbedtls_zeroize( cmac_ctx->unprocessed_block,
396                      sizeof( cmac_ctx->unprocessed_block ) );
397 
398     mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
399     return( ret );
400 }
401 
402 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
403 {
404     mbedtls_cmac_context_t* cmac_ctx;
405 
406     if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
407         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
408 
409     cmac_ctx = ctx->cmac_ctx;
410 
411     /* Reset the internal state */
412     cmac_ctx->unprocessed_len = 0;
413     mbedtls_zeroize( cmac_ctx->unprocessed_block,
414                      sizeof( cmac_ctx->unprocessed_block ) );
415     mbedtls_zeroize( cmac_ctx->state,
416                      sizeof( cmac_ctx->state ) );
417 
418     return( 0 );
419 }
420 
421 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
422                          const unsigned char *key, size_t keylen,
423                          const unsigned char *input, size_t ilen,
424                          unsigned char *output )
425 {
426     mbedtls_cipher_context_t ctx;
427     int ret;
428 
429     if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
430         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
431 
432     mbedtls_cipher_init( &ctx );
433 
434     if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
435         goto exit;
436 
437     ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
438     if( ret != 0 )
439         goto exit;
440 
441     ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
442     if( ret != 0 )
443         goto exit;
444 
445     ret = mbedtls_cipher_cmac_finish( &ctx, output );
446 
447 exit:
448     mbedtls_cipher_free( &ctx );
449 
450     return( ret );
451 }
452 
453 #if defined(MBEDTLS_AES_C)
454 /*
455  * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
456  */
457 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
458                               const unsigned char *input, size_t in_len,
459                               unsigned char *output )
460 {
461     int ret;
462     const mbedtls_cipher_info_t *cipher_info;
463     unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
464     unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
465 
466     if( key == NULL || input == NULL || output == NULL )
467         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
468 
469     cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
470     if( cipher_info == NULL )
471     {
472         /* Failing at this point must be due to a build issue */
473         ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
474         goto exit;
475     }
476 
477     if( key_length == MBEDTLS_AES_BLOCK_SIZE )
478     {
479         /* Use key as is */
480         memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
481     }
482     else
483     {
484         memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
485 
486         ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
487                                    key_length, int_key );
488         if( ret != 0 )
489             goto exit;
490     }
491 
492     ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
493                                output );
494 
495 exit:
496     mbedtls_zeroize( int_key, sizeof( int_key ) );
497 
498     return( ret );
499 }
500 #endif /* MBEDTLS_AES_C */
501 
502 #endif /* !MBEDTLS_CMAC_ALT */
503 
504 #if defined(MBEDTLS_SELF_TEST)
505 /*
506  * CMAC test data for SP800-38B
507  * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
508  * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
509  *
510  * AES-CMAC-PRF-128 test data from RFC 4615
511  * https://tools.ietf.org/html/rfc4615#page-4
512  */
513 
514 #define NB_CMAC_TESTS_PER_KEY 4
515 #define NB_PRF_TESTS 3
516 
517 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
518 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
519 static const unsigned char test_message[] = {
520     /* PT */
521     0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
522     0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
523     0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
524     0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
525     0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
526     0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
527     0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
528     0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
529 };
530 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
531 
532 #if defined(MBEDTLS_AES_C)
533 /* Truncation point of message for AES CMAC tests  */
534 static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
535     /* Mlen */
536     0,
537     16,
538     20,
539     64
540 };
541 
542 /* CMAC-AES128 Test Data */
543 static const unsigned char aes_128_key[16] = {
544     0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
545     0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
546 };
547 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
548     {
549         /* K1 */
550         0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
551         0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
552     },
553     {
554         /* K2 */
555         0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
556         0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
557     }
558 };
559 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
560     {
561         /* Example #1 */
562         0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
563         0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
564     },
565     {
566         /* Example #2 */
567         0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
568         0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
569     },
570     {
571         /* Example #3 */
572         0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
573         0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
574     },
575     {
576         /* Example #4 */
577         0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
578         0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
579     }
580 };
581 
582 /* CMAC-AES192 Test Data */
583 static const unsigned char aes_192_key[24] = {
584     0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
585     0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
586     0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
587 };
588 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
589     {
590         /* K1 */
591         0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
592         0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
593     },
594     {
595         /* K2 */
596         0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
597         0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
598     }
599 };
600 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
601     {
602         /* Example #1 */
603         0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
604         0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
605     },
606     {
607         /* Example #2 */
608         0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
609         0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
610     },
611     {
612         /* Example #3 */
613         0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
614         0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
615     },
616     {
617         /* Example #4 */
618         0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
619         0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
620     }
621 };
622 
623 /* CMAC-AES256 Test Data */
624 static const unsigned char aes_256_key[32] = {
625     0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
626     0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
627     0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
628     0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
629 };
630 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
631     {
632         /* K1 */
633         0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
634         0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
635     },
636     {
637         /* K2 */
638         0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
639         0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
640     }
641 };
642 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
643     {
644         /* Example #1 */
645         0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
646         0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
647     },
648     {
649         /* Example #2 */
650         0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
651         0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
652     },
653     {
654         /* Example #3 */
655         0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
656         0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
657     },
658     {
659         /* Example #4 */
660         0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
661         0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
662     }
663 };
664 #endif /* MBEDTLS_AES_C */
665 
666 #if defined(MBEDTLS_DES_C)
667 /* Truncation point of message for 3DES CMAC tests  */
668 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
669     0,
670     16,
671     20,
672     32
673 };
674 
675 /* CMAC-TDES (Generation) - 2 Key Test Data */
676 static const unsigned char des3_2key_key[24] = {
677     /* Key1 */
678     0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
679     /* Key2 */
680     0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
681     /* Key3 */
682     0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
683 };
684 static const unsigned char des3_2key_subkeys[2][8] = {
685     {
686         /* K1 */
687         0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
688     },
689     {
690         /* K2 */
691         0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
692     }
693 };
694 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
695     {
696         /* Sample #1 */
697         0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
698     },
699     {
700         /* Sample #2 */
701         0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
702     },
703     {
704         /* Sample #3 */
705         0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
706     },
707     {
708         /* Sample #4 */
709         0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
710     }
711 };
712 
713 /* CMAC-TDES (Generation) - 3 Key Test Data */
714 static const unsigned char des3_3key_key[24] = {
715     /* Key1 */
716     0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
717     /* Key2 */
718     0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
719     /* Key3 */
720     0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
721 };
722 static const unsigned char des3_3key_subkeys[2][8] = {
723     {
724         /* K1 */
725         0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
726     },
727     {
728         /* K2 */
729         0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
730     }
731 };
732 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
733     {
734         /* Sample #1 */
735         0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
736     },
737     {
738         /* Sample #2 */
739         0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
740     },
741     {
742         /* Sample #3 */
743         0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
744     },
745     {
746         /* Sample #4 */
747         0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
748     }
749 };
750 
751 #endif /* MBEDTLS_DES_C */
752 
753 #if defined(MBEDTLS_AES_C)
754 /* AES AES-CMAC-PRF-128 Test Data */
755 static const unsigned char PRFK[] = {
756     /* Key */
757     0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
758     0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
759     0xed, 0xcb
760 };
761 
762 /* Sizes in bytes */
763 static const size_t PRFKlen[NB_PRF_TESTS] = {
764     18,
765     16,
766     10
767 };
768 
769 /* Message */
770 static const unsigned char PRFM[] = {
771     0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
772     0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
773     0x10, 0x11, 0x12, 0x13
774 };
775 
776 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
777     {
778         0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
779         0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
780     },
781     {
782         0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
783         0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
784     },
785     {
786         0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
787         0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
788     }
789 };
790 #endif /* MBEDTLS_AES_C */
791 
792 static int cmac_test_subkeys( int verbose,
793                               const char* testname,
794                               const unsigned char* key,
795                               int keybits,
796                               const unsigned char* subkeys,
797                               mbedtls_cipher_type_t cipher_type,
798                               int block_size,
799                               int num_tests )
800 {
801     int i, ret = 0;
802     mbedtls_cipher_context_t ctx;
803     const mbedtls_cipher_info_t *cipher_info;
804     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
805     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
806 
807     cipher_info = mbedtls_cipher_info_from_type( cipher_type );
808     if( cipher_info == NULL )
809     {
810         /* Failing at this point must be due to a build issue */
811         return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
812     }
813 
814     for( i = 0; i < num_tests; i++ )
815     {
816         if( verbose != 0 )
817             mbedtls_printf( "  %s CMAC subkey #%u: ", testname, i + 1 );
818 
819         mbedtls_cipher_init( &ctx );
820 
821         if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
822         {
823             if( verbose != 0 )
824                 mbedtls_printf( "test execution failed\n" );
825 
826             goto cleanup;
827         }
828 
829         if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
830                                        MBEDTLS_ENCRYPT ) ) != 0 )
831         {
832             if( verbose != 0 )
833                 mbedtls_printf( "test execution failed\n" );
834 
835             goto cleanup;
836         }
837 
838         ret = cmac_generate_subkeys( &ctx, K1, K2 );
839         if( ret != 0 )
840         {
841            if( verbose != 0 )
842                 mbedtls_printf( "failed\n" );
843 
844             goto cleanup;
845         }
846 
847         if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0  ||
848             ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
849         {
850             if( verbose != 0 )
851                 mbedtls_printf( "failed\n" );
852 
853             goto cleanup;
854         }
855 
856         if( verbose != 0 )
857             mbedtls_printf( "passed\n" );
858 
859         mbedtls_cipher_free( &ctx );
860     }
861 
862     ret = 0;
863     goto exit;
864 
865 cleanup:
866     mbedtls_cipher_free( &ctx );
867 
868 exit:
869     return( ret );
870 }
871 
872 static int cmac_test_wth_cipher( int verbose,
873                                  const char* testname,
874                                  const unsigned char* key,
875                                  int keybits,
876                                  const unsigned char* messages,
877                                  const unsigned int message_lengths[4],
878                                  const unsigned char* expected_result,
879                                  mbedtls_cipher_type_t cipher_type,
880                                  int block_size,
881                                  int num_tests )
882 {
883     const mbedtls_cipher_info_t *cipher_info;
884     int i, ret = 0;
885     unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
886 
887     cipher_info = mbedtls_cipher_info_from_type( cipher_type );
888     if( cipher_info == NULL )
889     {
890         /* Failing at this point must be due to a build issue */
891         ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
892         goto exit;
893     }
894 
895     for( i = 0; i < num_tests; i++ )
896     {
897         if( verbose != 0 )
898             mbedtls_printf( "  %s CMAC #%u: ", testname, i + 1 );
899 
900         if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
901                                          message_lengths[i], output ) ) != 0 )
902         {
903             if( verbose != 0 )
904                 mbedtls_printf( "failed\n" );
905             goto exit;
906         }
907 
908         if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
909         {
910             if( verbose != 0 )
911                 mbedtls_printf( "failed\n" );
912             goto exit;
913         }
914 
915         if( verbose != 0 )
916             mbedtls_printf( "passed\n" );
917     }
918     ret = 0;
919 
920 exit:
921     return( ret );
922 }
923 
924 #if defined(MBEDTLS_AES_C)
925 static int test_aes128_cmac_prf( int verbose )
926 {
927     int i;
928     int ret;
929     unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
930 
931     for( i = 0; i < NB_PRF_TESTS; i++ )
932     {
933         mbedtls_printf( "  AES CMAC 128 PRF #%u: ", i );
934         ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
935         if( ret != 0 ||
936             memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
937         {
938 
939             if( verbose != 0 )
940                 mbedtls_printf( "failed\n" );
941 
942             return( ret );
943         }
944         else if( verbose != 0 )
945         {
946             mbedtls_printf( "passed\n" );
947         }
948     }
949     return( ret );
950 }
951 #endif /* MBEDTLS_AES_C */
952 
953 int mbedtls_cmac_self_test( int verbose )
954 {
955     int ret;
956 
957 #if defined(MBEDTLS_AES_C)
958     /* AES-128 */
959     if( ( ret = cmac_test_subkeys( verbose,
960                                    "AES 128",
961                                    aes_128_key,
962                                    128,
963                                    (const unsigned char*)aes_128_subkeys,
964                                    MBEDTLS_CIPHER_AES_128_ECB,
965                                    MBEDTLS_AES_BLOCK_SIZE,
966                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
967     {
968         return( ret );
969     }
970 
971     if( ( ret = cmac_test_wth_cipher( verbose,
972                                       "AES 128",
973                                       aes_128_key,
974                                       128,
975                                       test_message,
976                                       aes_message_lengths,
977                                       (const unsigned char*)aes_128_expected_result,
978                                       MBEDTLS_CIPHER_AES_128_ECB,
979                                       MBEDTLS_AES_BLOCK_SIZE,
980                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
981     {
982         return( ret );
983     }
984 
985     /* AES-192 */
986     if( ( ret = cmac_test_subkeys( verbose,
987                                    "AES 192",
988                                    aes_192_key,
989                                    192,
990                                    (const unsigned char*)aes_192_subkeys,
991                                    MBEDTLS_CIPHER_AES_192_ECB,
992                                    MBEDTLS_AES_BLOCK_SIZE,
993                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
994     {
995         return( ret );
996     }
997 
998     if( ( ret = cmac_test_wth_cipher( verbose,
999                                       "AES 192",
1000                                       aes_192_key,
1001                                       192,
1002                                       test_message,
1003                                       aes_message_lengths,
1004                                       (const unsigned char*)aes_192_expected_result,
1005                                       MBEDTLS_CIPHER_AES_192_ECB,
1006                                       MBEDTLS_AES_BLOCK_SIZE,
1007                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1008     {
1009         return( ret );
1010     }
1011 
1012     /* AES-256 */
1013     if( ( ret = cmac_test_subkeys( verbose,
1014                                    "AES 256",
1015                                    aes_256_key,
1016                                    256,
1017                                    (const unsigned char*)aes_256_subkeys,
1018                                    MBEDTLS_CIPHER_AES_256_ECB,
1019                                    MBEDTLS_AES_BLOCK_SIZE,
1020                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1021     {
1022         return( ret );
1023     }
1024 
1025     if( ( ret = cmac_test_wth_cipher ( verbose,
1026                                        "AES 256",
1027                                        aes_256_key,
1028                                        256,
1029                                        test_message,
1030                                        aes_message_lengths,
1031                                        (const unsigned char*)aes_256_expected_result,
1032                                        MBEDTLS_CIPHER_AES_256_ECB,
1033                                        MBEDTLS_AES_BLOCK_SIZE,
1034                                        NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1035     {
1036         return( ret );
1037     }
1038 #endif /* MBEDTLS_AES_C */
1039 
1040 #if defined(MBEDTLS_DES_C)
1041     /* 3DES 2 key */
1042     if( ( ret = cmac_test_subkeys( verbose,
1043                                    "3DES 2 key",
1044                                    des3_2key_key,
1045                                    192,
1046                                    (const unsigned char*)des3_2key_subkeys,
1047                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
1048                                    MBEDTLS_DES3_BLOCK_SIZE,
1049                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1050     {
1051         return( ret );
1052     }
1053 
1054     if( ( ret = cmac_test_wth_cipher( verbose,
1055                                       "3DES 2 key",
1056                                       des3_2key_key,
1057                                       192,
1058                                       test_message,
1059                                       des3_message_lengths,
1060                                       (const unsigned char*)des3_2key_expected_result,
1061                                       MBEDTLS_CIPHER_DES_EDE3_ECB,
1062                                       MBEDTLS_DES3_BLOCK_SIZE,
1063                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1064     {
1065         return( ret );
1066     }
1067 
1068     /* 3DES 3 key */
1069     if( ( ret = cmac_test_subkeys( verbose,
1070                                    "3DES 3 key",
1071                                    des3_3key_key,
1072                                    192,
1073                                    (const unsigned char*)des3_3key_subkeys,
1074                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
1075                                    MBEDTLS_DES3_BLOCK_SIZE,
1076                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1077     {
1078         return( ret );
1079     }
1080 
1081     if( ( ret = cmac_test_wth_cipher( verbose,
1082                                       "3DES 3 key",
1083                                       des3_3key_key,
1084                                       192,
1085                                       test_message,
1086                                       des3_message_lengths,
1087                                       (const unsigned char*)des3_3key_expected_result,
1088                                       MBEDTLS_CIPHER_DES_EDE3_ECB,
1089                                       MBEDTLS_DES3_BLOCK_SIZE,
1090                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1091     {
1092         return( ret );
1093     }
1094 #endif /* MBEDTLS_DES_C */
1095 
1096 #if defined(MBEDTLS_AES_C)
1097     if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1098         return( ret );
1099 #endif /* MBEDTLS_AES_C */
1100 
1101     if( verbose != 0 )
1102         mbedtls_printf( "\n" );
1103 
1104     return( 0 );
1105 }
1106 
1107 #endif /* MBEDTLS_SELF_TEST */
1108 
1109 #endif /* MBEDTLS_CMAC_C */
1110