cmac.c 32 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078
  1. /**
  2. * \file cmac.c
  3. *
  4. * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
  5. *
  6. * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
  7. * SPDX-License-Identifier: Apache-2.0
  8. *
  9. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  10. * not use this file except in compliance with the License.
  11. * You may obtain a copy of the License at
  12. *
  13. * http://www.apache.org/licenses/LICENSE-2.0
  14. *
  15. * Unless required by applicable law or agreed to in writing, software
  16. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  17. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  18. * See the License for the specific language governing permissions and
  19. * limitations under the License.
  20. *
  21. * This file is part of mbed TLS (https://tls.mbed.org)
  22. */
  23. /*
  24. * References:
  25. *
  26. * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
  27. * CMAC Mode for Authentication
  28. * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
  29. *
  30. * - RFC 4493 - The AES-CMAC Algorithm
  31. * https://tools.ietf.org/html/rfc4493
  32. *
  33. * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
  34. * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  35. * Algorithm for the Internet Key Exchange Protocol (IKE)
  36. * https://tools.ietf.org/html/rfc4615
  37. *
  38. * Additional test vectors: ISO/IEC 9797-1
  39. *
  40. */
  41. #if !defined(MBEDTLS_CONFIG_FILE)
  42. #include "mbedtls/config.h"
  43. #else
  44. #include MBEDTLS_CONFIG_FILE
  45. #endif
  46. #if defined(MBEDTLS_CMAC_C)
  47. #include "mbedtls/cmac.h"
  48. #include "mbedtls/platform_util.h"
  49. #include <string.h>
  50. #if defined(MBEDTLS_PLATFORM_C)
  51. #include "mbedtls/platform.h"
  52. #else
  53. #include <stdlib.h>
  54. #define mbedtls_calloc calloc
  55. #define mbedtls_free free
  56. #if defined(MBEDTLS_SELF_TEST)
  57. #include <stdio.h>
  58. #define mbedtls_printf printf
  59. #endif /* MBEDTLS_SELF_TEST */
  60. #endif /* MBEDTLS_PLATFORM_C */
  61. #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
  62. /*
  63. * Multiplication by u in the Galois field of GF(2^n)
  64. *
  65. * As explained in NIST SP 800-38B, this can be computed:
  66. *
  67. * If MSB(p) = 0, then p = (p << 1)
  68. * If MSB(p) = 1, then p = (p << 1) ^ R_n
  69. * with R_64 = 0x1B and R_128 = 0x87
  70. *
  71. * Input and output MUST NOT point to the same buffer
  72. * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
  73. */
  74. static int cmac_multiply_by_u( unsigned char *output,
  75. const unsigned char *input,
  76. size_t blocksize )
  77. {
  78. const unsigned char R_128 = 0x87;
  79. const unsigned char R_64 = 0x1B;
  80. unsigned char R_n, mask;
  81. unsigned char overflow = 0x00;
  82. int i;
  83. if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
  84. {
  85. R_n = R_128;
  86. }
  87. else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
  88. {
  89. R_n = R_64;
  90. }
  91. else
  92. {
  93. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  94. }
  95. for( i = (int)blocksize - 1; i >= 0; i-- )
  96. {
  97. output[i] = input[i] << 1 | overflow;
  98. overflow = input[i] >> 7;
  99. }
  100. /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
  101. * using bit operations to avoid branches */
  102. /* MSVC has a warning about unary minus on unsigned, but this is
  103. * well-defined and precisely what we want to do here */
  104. #if defined(_MSC_VER)
  105. #pragma warning( push )
  106. #pragma warning( disable : 4146 )
  107. #endif
  108. mask = - ( input[0] >> 7 );
  109. #if defined(_MSC_VER)
  110. #pragma warning( pop )
  111. #endif
  112. output[ blocksize - 1 ] ^= R_n & mask;
  113. return( 0 );
  114. }
  115. /*
  116. * Generate subkeys
  117. *
  118. * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
  119. */
  120. static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
  121. unsigned char* K1, unsigned char* K2 )
  122. {
  123. int ret;
  124. unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
  125. size_t olen, block_size;
  126. mbedtls_platform_zeroize( L, sizeof( L ) );
  127. block_size = ctx->cipher_info->block_size;
  128. /* Calculate Ek(0) */
  129. if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
  130. goto exit;
  131. /*
  132. * Generate K1 and K2
  133. */
  134. if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
  135. goto exit;
  136. if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
  137. goto exit;
  138. exit:
  139. mbedtls_platform_zeroize( L, sizeof( L ) );
  140. return( ret );
  141. }
  142. #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
  143. #if !defined(MBEDTLS_CMAC_ALT)
  144. static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
  145. const unsigned char *input2,
  146. const size_t block_size )
  147. {
  148. size_t idx;
  149. for( idx = 0; idx < block_size; idx++ )
  150. output[ idx ] = input1[ idx ] ^ input2[ idx ];
  151. }
  152. /*
  153. * Create padded last block from (partial) last block.
  154. *
  155. * We can't use the padding option from the cipher layer, as it only works for
  156. * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
  157. */
  158. static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
  159. size_t padded_block_len,
  160. const unsigned char *last_block,
  161. size_t last_block_len )
  162. {
  163. size_t j;
  164. for( j = 0; j < padded_block_len; j++ )
  165. {
  166. if( j < last_block_len )
  167. padded_block[j] = last_block[j];
  168. else if( j == last_block_len )
  169. padded_block[j] = 0x80;
  170. else
  171. padded_block[j] = 0x00;
  172. }
  173. }
  174. int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
  175. const unsigned char *key, size_t keybits )
  176. {
  177. mbedtls_cipher_type_t type;
  178. mbedtls_cmac_context_t *cmac_ctx;
  179. int retval;
  180. if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
  181. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  182. if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
  183. MBEDTLS_ENCRYPT ) ) != 0 )
  184. return( retval );
  185. type = ctx->cipher_info->type;
  186. switch( type )
  187. {
  188. case MBEDTLS_CIPHER_AES_128_ECB:
  189. case MBEDTLS_CIPHER_AES_192_ECB:
  190. case MBEDTLS_CIPHER_AES_256_ECB:
  191. case MBEDTLS_CIPHER_DES_EDE3_ECB:
  192. break;
  193. default:
  194. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  195. }
  196. /* Allocated and initialise in the cipher context memory for the CMAC
  197. * context */
  198. cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
  199. if( cmac_ctx == NULL )
  200. return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
  201. ctx->cmac_ctx = cmac_ctx;
  202. mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
  203. return 0;
  204. }
  205. int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
  206. const unsigned char *input, size_t ilen )
  207. {
  208. mbedtls_cmac_context_t* cmac_ctx;
  209. unsigned char *state;
  210. int ret = 0;
  211. size_t n, j, olen, block_size;
  212. if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
  213. ctx->cmac_ctx == NULL )
  214. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  215. cmac_ctx = ctx->cmac_ctx;
  216. block_size = ctx->cipher_info->block_size;
  217. state = ctx->cmac_ctx->state;
  218. /* Is there data still to process from the last call, that's greater in
  219. * size than a block? */
  220. if( cmac_ctx->unprocessed_len > 0 &&
  221. ilen > block_size - cmac_ctx->unprocessed_len )
  222. {
  223. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  224. input,
  225. block_size - cmac_ctx->unprocessed_len );
  226. cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
  227. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  228. &olen ) ) != 0 )
  229. {
  230. goto exit;
  231. }
  232. input += block_size - cmac_ctx->unprocessed_len;
  233. ilen -= block_size - cmac_ctx->unprocessed_len;
  234. cmac_ctx->unprocessed_len = 0;
  235. }
  236. /* n is the number of blocks including any final partial block */
  237. n = ( ilen + block_size - 1 ) / block_size;
  238. /* Iterate across the input data in block sized chunks, excluding any
  239. * final partial or complete block */
  240. for( j = 1; j < n; j++ )
  241. {
  242. cmac_xor_block( state, input, state, block_size );
  243. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  244. &olen ) ) != 0 )
  245. goto exit;
  246. ilen -= block_size;
  247. input += block_size;
  248. }
  249. /* If there is data left over that wasn't aligned to a block */
  250. if( ilen > 0 )
  251. {
  252. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  253. input,
  254. ilen );
  255. cmac_ctx->unprocessed_len += ilen;
  256. }
  257. exit:
  258. return( ret );
  259. }
  260. int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
  261. unsigned char *output )
  262. {
  263. mbedtls_cmac_context_t* cmac_ctx;
  264. unsigned char *state, *last_block;
  265. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  266. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  267. unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
  268. int ret;
  269. size_t olen, block_size;
  270. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
  271. output == NULL )
  272. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  273. cmac_ctx = ctx->cmac_ctx;
  274. block_size = ctx->cipher_info->block_size;
  275. state = cmac_ctx->state;
  276. mbedtls_platform_zeroize( K1, sizeof( K1 ) );
  277. mbedtls_platform_zeroize( K2, sizeof( K2 ) );
  278. cmac_generate_subkeys( ctx, K1, K2 );
  279. last_block = cmac_ctx->unprocessed_block;
  280. /* Calculate last block */
  281. if( cmac_ctx->unprocessed_len < block_size )
  282. {
  283. cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
  284. cmac_xor_block( M_last, M_last, K2, block_size );
  285. }
  286. else
  287. {
  288. /* Last block is complete block */
  289. cmac_xor_block( M_last, last_block, K1, block_size );
  290. }
  291. cmac_xor_block( state, M_last, state, block_size );
  292. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  293. &olen ) ) != 0 )
  294. {
  295. goto exit;
  296. }
  297. memcpy( output, state, block_size );
  298. exit:
  299. /* Wipe the generated keys on the stack, and any other transients to avoid
  300. * side channel leakage */
  301. mbedtls_platform_zeroize( K1, sizeof( K1 ) );
  302. mbedtls_platform_zeroize( K2, sizeof( K2 ) );
  303. cmac_ctx->unprocessed_len = 0;
  304. mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
  305. sizeof( cmac_ctx->unprocessed_block ) );
  306. mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
  307. return( ret );
  308. }
  309. int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
  310. {
  311. mbedtls_cmac_context_t* cmac_ctx;
  312. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
  313. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  314. cmac_ctx = ctx->cmac_ctx;
  315. /* Reset the internal state */
  316. cmac_ctx->unprocessed_len = 0;
  317. mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
  318. sizeof( cmac_ctx->unprocessed_block ) );
  319. mbedtls_platform_zeroize( cmac_ctx->state,
  320. sizeof( cmac_ctx->state ) );
  321. return( 0 );
  322. }
  323. int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
  324. const unsigned char *key, size_t keylen,
  325. const unsigned char *input, size_t ilen,
  326. unsigned char *output )
  327. {
  328. mbedtls_cipher_context_t ctx;
  329. int ret;
  330. if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
  331. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  332. mbedtls_cipher_init( &ctx );
  333. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  334. goto exit;
  335. ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
  336. if( ret != 0 )
  337. goto exit;
  338. ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
  339. if( ret != 0 )
  340. goto exit;
  341. ret = mbedtls_cipher_cmac_finish( &ctx, output );
  342. exit:
  343. mbedtls_cipher_free( &ctx );
  344. return( ret );
  345. }
  346. #if defined(MBEDTLS_AES_C)
  347. /*
  348. * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
  349. */
  350. int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
  351. const unsigned char *input, size_t in_len,
  352. unsigned char *output )
  353. {
  354. int ret;
  355. const mbedtls_cipher_info_t *cipher_info;
  356. unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
  357. unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
  358. if( key == NULL || input == NULL || output == NULL )
  359. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  360. cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
  361. if( cipher_info == NULL )
  362. {
  363. /* Failing at this point must be due to a build issue */
  364. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  365. goto exit;
  366. }
  367. if( key_length == MBEDTLS_AES_BLOCK_SIZE )
  368. {
  369. /* Use key as is */
  370. memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
  371. }
  372. else
  373. {
  374. memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
  375. ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
  376. key_length, int_key );
  377. if( ret != 0 )
  378. goto exit;
  379. }
  380. ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
  381. output );
  382. exit:
  383. mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
  384. return( ret );
  385. }
  386. #endif /* MBEDTLS_AES_C */
  387. #endif /* !MBEDTLS_CMAC_ALT */
  388. #if defined(MBEDTLS_SELF_TEST)
  389. /*
  390. * CMAC test data for SP800-38B
  391. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
  392. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
  393. *
  394. * AES-CMAC-PRF-128 test data from RFC 4615
  395. * https://tools.ietf.org/html/rfc4615#page-4
  396. */
  397. #define NB_CMAC_TESTS_PER_KEY 4
  398. #define NB_PRF_TESTS 3
  399. #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
  400. /* All CMAC test inputs are truncated from the same 64 byte buffer. */
  401. static const unsigned char test_message[] = {
  402. /* PT */
  403. 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
  404. 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
  405. 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
  406. 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
  407. 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
  408. 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
  409. 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
  410. 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
  411. };
  412. #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
  413. #if defined(MBEDTLS_AES_C)
  414. /* Truncation point of message for AES CMAC tests */
  415. static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  416. /* Mlen */
  417. 0,
  418. 16,
  419. 20,
  420. 64
  421. };
  422. /* CMAC-AES128 Test Data */
  423. static const unsigned char aes_128_key[16] = {
  424. 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
  425. 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
  426. };
  427. static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  428. {
  429. /* K1 */
  430. 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
  431. 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
  432. },
  433. {
  434. /* K2 */
  435. 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
  436. 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
  437. }
  438. };
  439. static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  440. {
  441. /* Example #1 */
  442. 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
  443. 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
  444. },
  445. {
  446. /* Example #2 */
  447. 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
  448. 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
  449. },
  450. {
  451. /* Example #3 */
  452. 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
  453. 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
  454. },
  455. {
  456. /* Example #4 */
  457. 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
  458. 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
  459. }
  460. };
  461. /* CMAC-AES192 Test Data */
  462. static const unsigned char aes_192_key[24] = {
  463. 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
  464. 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
  465. 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
  466. };
  467. static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  468. {
  469. /* K1 */
  470. 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
  471. 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
  472. },
  473. {
  474. /* K2 */
  475. 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
  476. 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
  477. }
  478. };
  479. static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  480. {
  481. /* Example #1 */
  482. 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
  483. 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
  484. },
  485. {
  486. /* Example #2 */
  487. 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
  488. 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
  489. },
  490. {
  491. /* Example #3 */
  492. 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
  493. 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
  494. },
  495. {
  496. /* Example #4 */
  497. 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
  498. 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
  499. }
  500. };
  501. /* CMAC-AES256 Test Data */
  502. static const unsigned char aes_256_key[32] = {
  503. 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
  504. 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
  505. 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
  506. 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
  507. };
  508. static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  509. {
  510. /* K1 */
  511. 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
  512. 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
  513. },
  514. {
  515. /* K2 */
  516. 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
  517. 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
  518. }
  519. };
  520. static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  521. {
  522. /* Example #1 */
  523. 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
  524. 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
  525. },
  526. {
  527. /* Example #2 */
  528. 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
  529. 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
  530. },
  531. {
  532. /* Example #3 */
  533. 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
  534. 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
  535. },
  536. {
  537. /* Example #4 */
  538. 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
  539. 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
  540. }
  541. };
  542. #endif /* MBEDTLS_AES_C */
  543. #if defined(MBEDTLS_DES_C)
  544. /* Truncation point of message for 3DES CMAC tests */
  545. static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  546. 0,
  547. 16,
  548. 20,
  549. 32
  550. };
  551. /* CMAC-TDES (Generation) - 2 Key Test Data */
  552. static const unsigned char des3_2key_key[24] = {
  553. /* Key1 */
  554. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
  555. /* Key2 */
  556. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
  557. /* Key3 */
  558. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
  559. };
  560. static const unsigned char des3_2key_subkeys[2][8] = {
  561. {
  562. /* K1 */
  563. 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
  564. },
  565. {
  566. /* K2 */
  567. 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
  568. }
  569. };
  570. static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  571. {
  572. /* Sample #1 */
  573. 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
  574. },
  575. {
  576. /* Sample #2 */
  577. 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
  578. },
  579. {
  580. /* Sample #3 */
  581. 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
  582. },
  583. {
  584. /* Sample #4 */
  585. 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
  586. }
  587. };
  588. /* CMAC-TDES (Generation) - 3 Key Test Data */
  589. static const unsigned char des3_3key_key[24] = {
  590. /* Key1 */
  591. 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
  592. /* Key2 */
  593. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
  594. /* Key3 */
  595. 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
  596. };
  597. static const unsigned char des3_3key_subkeys[2][8] = {
  598. {
  599. /* K1 */
  600. 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
  601. },
  602. {
  603. /* K2 */
  604. 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
  605. }
  606. };
  607. static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  608. {
  609. /* Sample #1 */
  610. 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
  611. },
  612. {
  613. /* Sample #2 */
  614. 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
  615. },
  616. {
  617. /* Sample #3 */
  618. 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
  619. },
  620. {
  621. /* Sample #4 */
  622. 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
  623. }
  624. };
  625. #endif /* MBEDTLS_DES_C */
  626. #if defined(MBEDTLS_AES_C)
  627. /* AES AES-CMAC-PRF-128 Test Data */
  628. static const unsigned char PRFK[] = {
  629. /* Key */
  630. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  631. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  632. 0xed, 0xcb
  633. };
  634. /* Sizes in bytes */
  635. static const size_t PRFKlen[NB_PRF_TESTS] = {
  636. 18,
  637. 16,
  638. 10
  639. };
  640. /* Message */
  641. static const unsigned char PRFM[] = {
  642. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  643. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  644. 0x10, 0x11, 0x12, 0x13
  645. };
  646. static const unsigned char PRFT[NB_PRF_TESTS][16] = {
  647. {
  648. 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
  649. 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
  650. },
  651. {
  652. 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
  653. 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
  654. },
  655. {
  656. 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
  657. 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
  658. }
  659. };
  660. #endif /* MBEDTLS_AES_C */
  661. static int cmac_test_subkeys( int verbose,
  662. const char* testname,
  663. const unsigned char* key,
  664. int keybits,
  665. const unsigned char* subkeys,
  666. mbedtls_cipher_type_t cipher_type,
  667. int block_size,
  668. int num_tests )
  669. {
  670. int i, ret = 0;
  671. mbedtls_cipher_context_t ctx;
  672. const mbedtls_cipher_info_t *cipher_info;
  673. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  674. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  675. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  676. if( cipher_info == NULL )
  677. {
  678. /* Failing at this point must be due to a build issue */
  679. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  680. }
  681. for( i = 0; i < num_tests; i++ )
  682. {
  683. if( verbose != 0 )
  684. mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
  685. mbedtls_cipher_init( &ctx );
  686. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  687. {
  688. if( verbose != 0 )
  689. mbedtls_printf( "test execution failed\n" );
  690. goto cleanup;
  691. }
  692. if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
  693. MBEDTLS_ENCRYPT ) ) != 0 )
  694. {
  695. if( verbose != 0 )
  696. mbedtls_printf( "test execution failed\n" );
  697. goto cleanup;
  698. }
  699. ret = cmac_generate_subkeys( &ctx, K1, K2 );
  700. if( ret != 0 )
  701. {
  702. if( verbose != 0 )
  703. mbedtls_printf( "failed\n" );
  704. goto cleanup;
  705. }
  706. if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
  707. ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
  708. {
  709. if( verbose != 0 )
  710. mbedtls_printf( "failed\n" );
  711. goto cleanup;
  712. }
  713. if( verbose != 0 )
  714. mbedtls_printf( "passed\n" );
  715. mbedtls_cipher_free( &ctx );
  716. }
  717. ret = 0;
  718. goto exit;
  719. cleanup:
  720. mbedtls_cipher_free( &ctx );
  721. exit:
  722. return( ret );
  723. }
  724. static int cmac_test_wth_cipher( int verbose,
  725. const char* testname,
  726. const unsigned char* key,
  727. int keybits,
  728. const unsigned char* messages,
  729. const unsigned int message_lengths[4],
  730. const unsigned char* expected_result,
  731. mbedtls_cipher_type_t cipher_type,
  732. int block_size,
  733. int num_tests )
  734. {
  735. const mbedtls_cipher_info_t *cipher_info;
  736. int i, ret = 0;
  737. unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
  738. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  739. if( cipher_info == NULL )
  740. {
  741. /* Failing at this point must be due to a build issue */
  742. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  743. goto exit;
  744. }
  745. for( i = 0; i < num_tests; i++ )
  746. {
  747. if( verbose != 0 )
  748. mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
  749. if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
  750. message_lengths[i], output ) ) != 0 )
  751. {
  752. if( verbose != 0 )
  753. mbedtls_printf( "failed\n" );
  754. goto exit;
  755. }
  756. if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
  757. {
  758. if( verbose != 0 )
  759. mbedtls_printf( "failed\n" );
  760. goto exit;
  761. }
  762. if( verbose != 0 )
  763. mbedtls_printf( "passed\n" );
  764. }
  765. ret = 0;
  766. exit:
  767. return( ret );
  768. }
  769. #if defined(MBEDTLS_AES_C)
  770. static int test_aes128_cmac_prf( int verbose )
  771. {
  772. int i;
  773. int ret;
  774. unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
  775. for( i = 0; i < NB_PRF_TESTS; i++ )
  776. {
  777. mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
  778. ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
  779. if( ret != 0 ||
  780. memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
  781. {
  782. if( verbose != 0 )
  783. mbedtls_printf( "failed\n" );
  784. return( ret );
  785. }
  786. else if( verbose != 0 )
  787. {
  788. mbedtls_printf( "passed\n" );
  789. }
  790. }
  791. return( ret );
  792. }
  793. #endif /* MBEDTLS_AES_C */
  794. int mbedtls_cmac_self_test( int verbose )
  795. {
  796. int ret;
  797. #if defined(MBEDTLS_AES_C)
  798. /* AES-128 */
  799. if( ( ret = cmac_test_subkeys( verbose,
  800. "AES 128",
  801. aes_128_key,
  802. 128,
  803. (const unsigned char*)aes_128_subkeys,
  804. MBEDTLS_CIPHER_AES_128_ECB,
  805. MBEDTLS_AES_BLOCK_SIZE,
  806. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  807. {
  808. return( ret );
  809. }
  810. if( ( ret = cmac_test_wth_cipher( verbose,
  811. "AES 128",
  812. aes_128_key,
  813. 128,
  814. test_message,
  815. aes_message_lengths,
  816. (const unsigned char*)aes_128_expected_result,
  817. MBEDTLS_CIPHER_AES_128_ECB,
  818. MBEDTLS_AES_BLOCK_SIZE,
  819. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  820. {
  821. return( ret );
  822. }
  823. /* AES-192 */
  824. if( ( ret = cmac_test_subkeys( verbose,
  825. "AES 192",
  826. aes_192_key,
  827. 192,
  828. (const unsigned char*)aes_192_subkeys,
  829. MBEDTLS_CIPHER_AES_192_ECB,
  830. MBEDTLS_AES_BLOCK_SIZE,
  831. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  832. {
  833. return( ret );
  834. }
  835. if( ( ret = cmac_test_wth_cipher( verbose,
  836. "AES 192",
  837. aes_192_key,
  838. 192,
  839. test_message,
  840. aes_message_lengths,
  841. (const unsigned char*)aes_192_expected_result,
  842. MBEDTLS_CIPHER_AES_192_ECB,
  843. MBEDTLS_AES_BLOCK_SIZE,
  844. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  845. {
  846. return( ret );
  847. }
  848. /* AES-256 */
  849. if( ( ret = cmac_test_subkeys( verbose,
  850. "AES 256",
  851. aes_256_key,
  852. 256,
  853. (const unsigned char*)aes_256_subkeys,
  854. MBEDTLS_CIPHER_AES_256_ECB,
  855. MBEDTLS_AES_BLOCK_SIZE,
  856. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  857. {
  858. return( ret );
  859. }
  860. if( ( ret = cmac_test_wth_cipher ( verbose,
  861. "AES 256",
  862. aes_256_key,
  863. 256,
  864. test_message,
  865. aes_message_lengths,
  866. (const unsigned char*)aes_256_expected_result,
  867. MBEDTLS_CIPHER_AES_256_ECB,
  868. MBEDTLS_AES_BLOCK_SIZE,
  869. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  870. {
  871. return( ret );
  872. }
  873. #endif /* MBEDTLS_AES_C */
  874. #if defined(MBEDTLS_DES_C)
  875. /* 3DES 2 key */
  876. if( ( ret = cmac_test_subkeys( verbose,
  877. "3DES 2 key",
  878. des3_2key_key,
  879. 192,
  880. (const unsigned char*)des3_2key_subkeys,
  881. MBEDTLS_CIPHER_DES_EDE3_ECB,
  882. MBEDTLS_DES3_BLOCK_SIZE,
  883. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  884. {
  885. return( ret );
  886. }
  887. if( ( ret = cmac_test_wth_cipher( verbose,
  888. "3DES 2 key",
  889. des3_2key_key,
  890. 192,
  891. test_message,
  892. des3_message_lengths,
  893. (const unsigned char*)des3_2key_expected_result,
  894. MBEDTLS_CIPHER_DES_EDE3_ECB,
  895. MBEDTLS_DES3_BLOCK_SIZE,
  896. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  897. {
  898. return( ret );
  899. }
  900. /* 3DES 3 key */
  901. if( ( ret = cmac_test_subkeys( verbose,
  902. "3DES 3 key",
  903. des3_3key_key,
  904. 192,
  905. (const unsigned char*)des3_3key_subkeys,
  906. MBEDTLS_CIPHER_DES_EDE3_ECB,
  907. MBEDTLS_DES3_BLOCK_SIZE,
  908. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  909. {
  910. return( ret );
  911. }
  912. if( ( ret = cmac_test_wth_cipher( verbose,
  913. "3DES 3 key",
  914. des3_3key_key,
  915. 192,
  916. test_message,
  917. des3_message_lengths,
  918. (const unsigned char*)des3_3key_expected_result,
  919. MBEDTLS_CIPHER_DES_EDE3_ECB,
  920. MBEDTLS_DES3_BLOCK_SIZE,
  921. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  922. {
  923. return( ret );
  924. }
  925. #endif /* MBEDTLS_DES_C */
  926. #if defined(MBEDTLS_AES_C)
  927. if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
  928. return( ret );
  929. #endif /* MBEDTLS_AES_C */
  930. if( verbose != 0 )
  931. mbedtls_printf( "\n" );
  932. return( 0 );
  933. }
  934. #endif /* MBEDTLS_SELF_TEST */
  935. #endif /* MBEDTLS_CMAC_C */