cmac.c 33 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088
  1. /**
  2. * \file cmac.c
  3. *
  4. * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
  5. *
  6. * Copyright The Mbed TLS Contributors
  7. * SPDX-License-Identifier: Apache-2.0
  8. *
  9. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  10. * not use this file except in compliance with the License.
  11. * You may obtain a copy of the License at
  12. *
  13. * http://www.apache.org/licenses/LICENSE-2.0
  14. *
  15. * Unless required by applicable law or agreed to in writing, software
  16. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  17. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  18. * See the License for the specific language governing permissions and
  19. * limitations under the License.
  20. */
  21. /*
  22. * References:
  23. *
  24. * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
  25. * CMAC Mode for Authentication
  26. * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
  27. *
  28. * - RFC 4493 - The AES-CMAC Algorithm
  29. * https://tools.ietf.org/html/rfc4493
  30. *
  31. * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
  32. * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  33. * Algorithm for the Internet Key Exchange Protocol (IKE)
  34. * https://tools.ietf.org/html/rfc4615
  35. *
  36. * Additional test vectors: ISO/IEC 9797-1
  37. *
  38. */
  39. #include "common.h"
  40. #if defined(MBEDTLS_CMAC_C)
  41. #include "mbedtls/cmac.h"
  42. #include "mbedtls/platform_util.h"
  43. #include "mbedtls/error.h"
  44. #include "mbedtls/platform.h"
  45. #include <string.h>
  46. #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
  47. /*
  48. * Multiplication by u in the Galois field of GF(2^n)
  49. *
  50. * As explained in NIST SP 800-38B, this can be computed:
  51. *
  52. * If MSB(p) = 0, then p = (p << 1)
  53. * If MSB(p) = 1, then p = (p << 1) ^ R_n
  54. * with R_64 = 0x1B and R_128 = 0x87
  55. *
  56. * Input and output MUST NOT point to the same buffer
  57. * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
  58. */
  59. static int cmac_multiply_by_u( unsigned char *output,
  60. const unsigned char *input,
  61. size_t blocksize )
  62. {
  63. const unsigned char R_128 = 0x87;
  64. const unsigned char R_64 = 0x1B;
  65. unsigned char R_n, mask;
  66. unsigned char overflow = 0x00;
  67. int i;
  68. if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
  69. {
  70. R_n = R_128;
  71. }
  72. else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
  73. {
  74. R_n = R_64;
  75. }
  76. else
  77. {
  78. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  79. }
  80. for( i = (int)blocksize - 1; i >= 0; i-- )
  81. {
  82. output[i] = input[i] << 1 | overflow;
  83. overflow = input[i] >> 7;
  84. }
  85. /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
  86. * using bit operations to avoid branches */
  87. /* MSVC has a warning about unary minus on unsigned, but this is
  88. * well-defined and precisely what we want to do here */
  89. #if defined(_MSC_VER)
  90. #pragma warning( push )
  91. #pragma warning( disable : 4146 )
  92. #endif
  93. mask = - ( input[0] >> 7 );
  94. #if defined(_MSC_VER)
  95. #pragma warning( pop )
  96. #endif
  97. output[ blocksize - 1 ] ^= R_n & mask;
  98. return( 0 );
  99. }
  100. /*
  101. * Generate subkeys
  102. *
  103. * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
  104. */
  105. static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
  106. unsigned char* K1, unsigned char* K2 )
  107. {
  108. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  109. unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
  110. size_t olen, block_size;
  111. mbedtls_platform_zeroize( L, sizeof( L ) );
  112. block_size = ctx->cipher_info->block_size;
  113. /* Calculate Ek(0) */
  114. if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
  115. goto exit;
  116. /*
  117. * Generate K1 and K2
  118. */
  119. if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
  120. goto exit;
  121. if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
  122. goto exit;
  123. exit:
  124. mbedtls_platform_zeroize( L, sizeof( L ) );
  125. return( ret );
  126. }
  127. #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
  128. #if !defined(MBEDTLS_CMAC_ALT)
  129. static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
  130. const unsigned char *input2,
  131. const size_t block_size )
  132. {
  133. size_t idx;
  134. for( idx = 0; idx < block_size; idx++ )
  135. output[ idx ] = input1[ idx ] ^ input2[ idx ];
  136. }
  137. /*
  138. * Create padded last block from (partial) last block.
  139. *
  140. * We can't use the padding option from the cipher layer, as it only works for
  141. * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
  142. */
  143. static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
  144. size_t padded_block_len,
  145. const unsigned char *last_block,
  146. size_t last_block_len )
  147. {
  148. size_t j;
  149. for( j = 0; j < padded_block_len; j++ )
  150. {
  151. if( j < last_block_len )
  152. padded_block[j] = last_block[j];
  153. else if( j == last_block_len )
  154. padded_block[j] = 0x80;
  155. else
  156. padded_block[j] = 0x00;
  157. }
  158. }
  159. int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
  160. const unsigned char *key, size_t keybits )
  161. {
  162. mbedtls_cipher_type_t type;
  163. mbedtls_cmac_context_t *cmac_ctx;
  164. int retval;
  165. if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
  166. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  167. if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
  168. MBEDTLS_ENCRYPT ) ) != 0 )
  169. return( retval );
  170. type = ctx->cipher_info->type;
  171. switch( type )
  172. {
  173. case MBEDTLS_CIPHER_AES_128_ECB:
  174. case MBEDTLS_CIPHER_AES_192_ECB:
  175. case MBEDTLS_CIPHER_AES_256_ECB:
  176. case MBEDTLS_CIPHER_DES_EDE3_ECB:
  177. break;
  178. default:
  179. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  180. }
  181. /* Allocated and initialise in the cipher context memory for the CMAC
  182. * context */
  183. cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
  184. if( cmac_ctx == NULL )
  185. return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
  186. ctx->cmac_ctx = cmac_ctx;
  187. mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
  188. return 0;
  189. }
  190. int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
  191. const unsigned char *input, size_t ilen )
  192. {
  193. mbedtls_cmac_context_t* cmac_ctx;
  194. unsigned char *state;
  195. int ret = 0;
  196. size_t n, j, olen, block_size;
  197. if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
  198. ctx->cmac_ctx == NULL )
  199. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  200. cmac_ctx = ctx->cmac_ctx;
  201. block_size = ctx->cipher_info->block_size;
  202. state = ctx->cmac_ctx->state;
  203. /* Is there data still to process from the last call, that's greater in
  204. * size than a block? */
  205. if( cmac_ctx->unprocessed_len > 0 &&
  206. ilen > block_size - cmac_ctx->unprocessed_len )
  207. {
  208. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  209. input,
  210. block_size - cmac_ctx->unprocessed_len );
  211. cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
  212. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  213. &olen ) ) != 0 )
  214. {
  215. goto exit;
  216. }
  217. input += block_size - cmac_ctx->unprocessed_len;
  218. ilen -= block_size - cmac_ctx->unprocessed_len;
  219. cmac_ctx->unprocessed_len = 0;
  220. }
  221. /* n is the number of blocks including any final partial block */
  222. n = ( ilen + block_size - 1 ) / block_size;
  223. /* Iterate across the input data in block sized chunks, excluding any
  224. * final partial or complete block */
  225. for( j = 1; j < n; j++ )
  226. {
  227. cmac_xor_block( state, input, state, block_size );
  228. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  229. &olen ) ) != 0 )
  230. goto exit;
  231. ilen -= block_size;
  232. input += block_size;
  233. }
  234. /* If there is data left over that wasn't aligned to a block */
  235. if( ilen > 0 )
  236. {
  237. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  238. input,
  239. ilen );
  240. cmac_ctx->unprocessed_len += ilen;
  241. }
  242. exit:
  243. return( ret );
  244. }
  245. int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
  246. unsigned char *output )
  247. {
  248. mbedtls_cmac_context_t* cmac_ctx;
  249. unsigned char *state, *last_block;
  250. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  251. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  252. unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
  253. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  254. size_t olen, block_size;
  255. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
  256. output == NULL )
  257. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  258. cmac_ctx = ctx->cmac_ctx;
  259. block_size = ctx->cipher_info->block_size;
  260. state = cmac_ctx->state;
  261. mbedtls_platform_zeroize( K1, sizeof( K1 ) );
  262. mbedtls_platform_zeroize( K2, sizeof( K2 ) );
  263. cmac_generate_subkeys( ctx, K1, K2 );
  264. last_block = cmac_ctx->unprocessed_block;
  265. /* Calculate last block */
  266. if( cmac_ctx->unprocessed_len < block_size )
  267. {
  268. cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
  269. cmac_xor_block( M_last, M_last, K2, block_size );
  270. }
  271. else
  272. {
  273. /* Last block is complete block */
  274. cmac_xor_block( M_last, last_block, K1, block_size );
  275. }
  276. cmac_xor_block( state, M_last, state, block_size );
  277. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  278. &olen ) ) != 0 )
  279. {
  280. goto exit;
  281. }
  282. memcpy( output, state, block_size );
  283. exit:
  284. /* Wipe the generated keys on the stack, and any other transients to avoid
  285. * side channel leakage */
  286. mbedtls_platform_zeroize( K1, sizeof( K1 ) );
  287. mbedtls_platform_zeroize( K2, sizeof( K2 ) );
  288. cmac_ctx->unprocessed_len = 0;
  289. mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
  290. sizeof( cmac_ctx->unprocessed_block ) );
  291. mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
  292. return( ret );
  293. }
  294. int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
  295. {
  296. mbedtls_cmac_context_t* cmac_ctx;
  297. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
  298. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  299. cmac_ctx = ctx->cmac_ctx;
  300. /* Reset the internal state */
  301. cmac_ctx->unprocessed_len = 0;
  302. mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
  303. sizeof( cmac_ctx->unprocessed_block ) );
  304. mbedtls_platform_zeroize( cmac_ctx->state,
  305. sizeof( cmac_ctx->state ) );
  306. return( 0 );
  307. }
  308. int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
  309. const unsigned char *key, size_t keylen,
  310. const unsigned char *input, size_t ilen,
  311. unsigned char *output )
  312. {
  313. mbedtls_cipher_context_t ctx;
  314. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  315. if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
  316. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  317. mbedtls_cipher_init( &ctx );
  318. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  319. goto exit;
  320. ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
  321. if( ret != 0 )
  322. goto exit;
  323. ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
  324. if( ret != 0 )
  325. goto exit;
  326. ret = mbedtls_cipher_cmac_finish( &ctx, output );
  327. exit:
  328. mbedtls_cipher_free( &ctx );
  329. return( ret );
  330. }
  331. #if defined(MBEDTLS_AES_C)
  332. /*
  333. * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
  334. */
  335. int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
  336. const unsigned char *input, size_t in_len,
  337. unsigned char output[16] )
  338. {
  339. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  340. const mbedtls_cipher_info_t *cipher_info;
  341. unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
  342. unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
  343. if( key == NULL || input == NULL || output == NULL )
  344. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  345. cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
  346. if( cipher_info == NULL )
  347. {
  348. /* Failing at this point must be due to a build issue */
  349. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  350. goto exit;
  351. }
  352. if( key_length == MBEDTLS_AES_BLOCK_SIZE )
  353. {
  354. /* Use key as is */
  355. memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
  356. }
  357. else
  358. {
  359. memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
  360. ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
  361. key_length, int_key );
  362. if( ret != 0 )
  363. goto exit;
  364. }
  365. ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
  366. output );
  367. exit:
  368. mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
  369. return( ret );
  370. }
  371. #endif /* MBEDTLS_AES_C */
  372. #endif /* !MBEDTLS_CMAC_ALT */
  373. #if defined(MBEDTLS_SELF_TEST)
  374. /*
  375. * CMAC test data for SP800-38B
  376. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
  377. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
  378. *
  379. * AES-CMAC-PRF-128 test data from RFC 4615
  380. * https://tools.ietf.org/html/rfc4615#page-4
  381. */
  382. #define NB_CMAC_TESTS_PER_KEY 4
  383. #define NB_PRF_TESTS 3
  384. #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
  385. /* All CMAC test inputs are truncated from the same 64 byte buffer. */
  386. static const unsigned char test_message[] = {
  387. /* PT */
  388. 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
  389. 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
  390. 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
  391. 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
  392. 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
  393. 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
  394. 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
  395. 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
  396. };
  397. #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
  398. #if defined(MBEDTLS_AES_C)
  399. /* Truncation point of message for AES CMAC tests */
  400. static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  401. /* Mlen */
  402. 0,
  403. 16,
  404. 20,
  405. 64
  406. };
  407. /* CMAC-AES128 Test Data */
  408. static const unsigned char aes_128_key[16] = {
  409. 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
  410. 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
  411. };
  412. static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  413. {
  414. /* K1 */
  415. 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
  416. 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
  417. },
  418. {
  419. /* K2 */
  420. 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
  421. 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
  422. }
  423. };
  424. static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  425. {
  426. /* Example #1 */
  427. 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
  428. 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
  429. },
  430. {
  431. /* Example #2 */
  432. 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
  433. 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
  434. },
  435. {
  436. /* Example #3 */
  437. 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
  438. 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
  439. },
  440. {
  441. /* Example #4 */
  442. 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
  443. 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
  444. }
  445. };
  446. /* CMAC-AES192 Test Data */
  447. static const unsigned char aes_192_key[24] = {
  448. 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
  449. 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
  450. 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
  451. };
  452. static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  453. {
  454. /* K1 */
  455. 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
  456. 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
  457. },
  458. {
  459. /* K2 */
  460. 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
  461. 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
  462. }
  463. };
  464. static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  465. {
  466. /* Example #1 */
  467. 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
  468. 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
  469. },
  470. {
  471. /* Example #2 */
  472. 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
  473. 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
  474. },
  475. {
  476. /* Example #3 */
  477. 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
  478. 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
  479. },
  480. {
  481. /* Example #4 */
  482. 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
  483. 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
  484. }
  485. };
  486. /* CMAC-AES256 Test Data */
  487. static const unsigned char aes_256_key[32] = {
  488. 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
  489. 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
  490. 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
  491. 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
  492. };
  493. static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  494. {
  495. /* K1 */
  496. 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
  497. 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
  498. },
  499. {
  500. /* K2 */
  501. 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
  502. 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
  503. }
  504. };
  505. static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  506. {
  507. /* Example #1 */
  508. 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
  509. 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
  510. },
  511. {
  512. /* Example #2 */
  513. 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
  514. 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
  515. },
  516. {
  517. /* Example #3 */
  518. 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
  519. 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
  520. },
  521. {
  522. /* Example #4 */
  523. 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
  524. 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
  525. }
  526. };
  527. #endif /* MBEDTLS_AES_C */
  528. #if defined(MBEDTLS_DES_C)
  529. /* Truncation point of message for 3DES CMAC tests */
  530. static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  531. 0,
  532. 16,
  533. 20,
  534. 32
  535. };
  536. /* CMAC-TDES (Generation) - 2 Key Test Data */
  537. static const unsigned char des3_2key_key[24] = {
  538. /* Key1 */
  539. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
  540. /* Key2 */
  541. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
  542. /* Key3 */
  543. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
  544. };
  545. static const unsigned char des3_2key_subkeys[2][8] = {
  546. {
  547. /* K1 */
  548. 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
  549. },
  550. {
  551. /* K2 */
  552. 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
  553. }
  554. };
  555. static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  556. {
  557. /* Sample #1 */
  558. 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
  559. },
  560. {
  561. /* Sample #2 */
  562. 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
  563. },
  564. {
  565. /* Sample #3 */
  566. 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
  567. },
  568. {
  569. /* Sample #4 */
  570. 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
  571. }
  572. };
  573. /* CMAC-TDES (Generation) - 3 Key Test Data */
  574. static const unsigned char des3_3key_key[24] = {
  575. /* Key1 */
  576. 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
  577. /* Key2 */
  578. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
  579. /* Key3 */
  580. 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
  581. };
  582. static const unsigned char des3_3key_subkeys[2][8] = {
  583. {
  584. /* K1 */
  585. 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
  586. },
  587. {
  588. /* K2 */
  589. 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
  590. }
  591. };
  592. static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  593. {
  594. /* Sample #1 */
  595. 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
  596. },
  597. {
  598. /* Sample #2 */
  599. 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
  600. },
  601. {
  602. /* Sample #3 */
  603. 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
  604. },
  605. {
  606. /* Sample #4 */
  607. 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
  608. }
  609. };
  610. #endif /* MBEDTLS_DES_C */
  611. #if defined(MBEDTLS_AES_C)
  612. /* AES AES-CMAC-PRF-128 Test Data */
  613. static const unsigned char PRFK[] = {
  614. /* Key */
  615. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  616. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  617. 0xed, 0xcb
  618. };
  619. /* Sizes in bytes */
  620. static const size_t PRFKlen[NB_PRF_TESTS] = {
  621. 18,
  622. 16,
  623. 10
  624. };
  625. /* Message */
  626. static const unsigned char PRFM[] = {
  627. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  628. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  629. 0x10, 0x11, 0x12, 0x13
  630. };
  631. static const unsigned char PRFT[NB_PRF_TESTS][16] = {
  632. {
  633. 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
  634. 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
  635. },
  636. {
  637. 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
  638. 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
  639. },
  640. {
  641. 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
  642. 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
  643. }
  644. };
  645. #endif /* MBEDTLS_AES_C */
  646. static int cmac_test_subkeys( int verbose,
  647. const char* testname,
  648. const unsigned char* key,
  649. int keybits,
  650. const unsigned char* subkeys,
  651. mbedtls_cipher_type_t cipher_type,
  652. int block_size,
  653. int num_tests )
  654. {
  655. int i, ret = 0;
  656. mbedtls_cipher_context_t ctx;
  657. const mbedtls_cipher_info_t *cipher_info;
  658. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  659. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  660. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  661. if( cipher_info == NULL )
  662. {
  663. /* Failing at this point must be due to a build issue */
  664. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  665. }
  666. for( i = 0; i < num_tests; i++ )
  667. {
  668. if( verbose != 0 )
  669. mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 );
  670. mbedtls_cipher_init( &ctx );
  671. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  672. {
  673. if( verbose != 0 )
  674. mbedtls_printf( "test execution failed\n" );
  675. goto cleanup;
  676. }
  677. if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
  678. MBEDTLS_ENCRYPT ) ) != 0 )
  679. {
  680. /* When CMAC is implemented by an alternative implementation, or
  681. * the underlying primitive itself is implemented alternatively,
  682. * AES-192 may be unavailable. This should not cause the selftest
  683. * function to fail. */
  684. if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
  685. ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
  686. cipher_type == MBEDTLS_CIPHER_AES_192_ECB ) {
  687. if( verbose != 0 )
  688. mbedtls_printf( "skipped\n" );
  689. goto next_test;
  690. }
  691. if( verbose != 0 )
  692. mbedtls_printf( "test execution failed\n" );
  693. goto cleanup;
  694. }
  695. ret = cmac_generate_subkeys( &ctx, K1, K2 );
  696. if( ret != 0 )
  697. {
  698. if( verbose != 0 )
  699. mbedtls_printf( "failed\n" );
  700. goto cleanup;
  701. }
  702. if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
  703. ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
  704. {
  705. if( verbose != 0 )
  706. mbedtls_printf( "failed\n" );
  707. goto cleanup;
  708. }
  709. if( verbose != 0 )
  710. mbedtls_printf( "passed\n" );
  711. next_test:
  712. mbedtls_cipher_free( &ctx );
  713. }
  714. ret = 0;
  715. goto exit;
  716. cleanup:
  717. mbedtls_cipher_free( &ctx );
  718. exit:
  719. return( ret );
  720. }
  721. static int cmac_test_wth_cipher( int verbose,
  722. const char* testname,
  723. const unsigned char* key,
  724. int keybits,
  725. const unsigned char* messages,
  726. const unsigned int message_lengths[4],
  727. const unsigned char* expected_result,
  728. mbedtls_cipher_type_t cipher_type,
  729. int block_size,
  730. int num_tests )
  731. {
  732. const mbedtls_cipher_info_t *cipher_info;
  733. int i, ret = 0;
  734. unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
  735. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  736. if( cipher_info == NULL )
  737. {
  738. /* Failing at this point must be due to a build issue */
  739. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  740. goto exit;
  741. }
  742. for( i = 0; i < num_tests; i++ )
  743. {
  744. if( verbose != 0 )
  745. mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 );
  746. if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
  747. message_lengths[i], output ) ) != 0 )
  748. {
  749. /* When CMAC is implemented by an alternative implementation, or
  750. * the underlying primitive itself is implemented alternatively,
  751. * AES-192 and/or 3DES may be unavailable. This should not cause
  752. * the selftest function to fail. */
  753. if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
  754. ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
  755. ( cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
  756. cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB ) ) {
  757. if( verbose != 0 )
  758. mbedtls_printf( "skipped\n" );
  759. continue;
  760. }
  761. if( verbose != 0 )
  762. mbedtls_printf( "failed\n" );
  763. goto exit;
  764. }
  765. if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
  766. {
  767. if( verbose != 0 )
  768. mbedtls_printf( "failed\n" );
  769. goto exit;
  770. }
  771. if( verbose != 0 )
  772. mbedtls_printf( "passed\n" );
  773. }
  774. ret = 0;
  775. exit:
  776. return( ret );
  777. }
  778. #if defined(MBEDTLS_AES_C)
  779. static int test_aes128_cmac_prf( int verbose )
  780. {
  781. int i;
  782. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  783. unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
  784. for( i = 0; i < NB_PRF_TESTS; i++ )
  785. {
  786. mbedtls_printf( " AES CMAC 128 PRF #%d: ", i );
  787. ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
  788. if( ret != 0 ||
  789. memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
  790. {
  791. if( verbose != 0 )
  792. mbedtls_printf( "failed\n" );
  793. return( ret );
  794. }
  795. else if( verbose != 0 )
  796. {
  797. mbedtls_printf( "passed\n" );
  798. }
  799. }
  800. return( ret );
  801. }
  802. #endif /* MBEDTLS_AES_C */
  803. int mbedtls_cmac_self_test( int verbose )
  804. {
  805. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  806. #if defined(MBEDTLS_AES_C)
  807. /* AES-128 */
  808. if( ( ret = cmac_test_subkeys( verbose,
  809. "AES 128",
  810. aes_128_key,
  811. 128,
  812. (const unsigned char*)aes_128_subkeys,
  813. MBEDTLS_CIPHER_AES_128_ECB,
  814. MBEDTLS_AES_BLOCK_SIZE,
  815. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  816. {
  817. return( ret );
  818. }
  819. if( ( ret = cmac_test_wth_cipher( verbose,
  820. "AES 128",
  821. aes_128_key,
  822. 128,
  823. test_message,
  824. aes_message_lengths,
  825. (const unsigned char*)aes_128_expected_result,
  826. MBEDTLS_CIPHER_AES_128_ECB,
  827. MBEDTLS_AES_BLOCK_SIZE,
  828. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  829. {
  830. return( ret );
  831. }
  832. /* AES-192 */
  833. if( ( ret = cmac_test_subkeys( verbose,
  834. "AES 192",
  835. aes_192_key,
  836. 192,
  837. (const unsigned char*)aes_192_subkeys,
  838. MBEDTLS_CIPHER_AES_192_ECB,
  839. MBEDTLS_AES_BLOCK_SIZE,
  840. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  841. {
  842. return( ret );
  843. }
  844. if( ( ret = cmac_test_wth_cipher( verbose,
  845. "AES 192",
  846. aes_192_key,
  847. 192,
  848. test_message,
  849. aes_message_lengths,
  850. (const unsigned char*)aes_192_expected_result,
  851. MBEDTLS_CIPHER_AES_192_ECB,
  852. MBEDTLS_AES_BLOCK_SIZE,
  853. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  854. {
  855. return( ret );
  856. }
  857. /* AES-256 */
  858. if( ( ret = cmac_test_subkeys( verbose,
  859. "AES 256",
  860. aes_256_key,
  861. 256,
  862. (const unsigned char*)aes_256_subkeys,
  863. MBEDTLS_CIPHER_AES_256_ECB,
  864. MBEDTLS_AES_BLOCK_SIZE,
  865. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  866. {
  867. return( ret );
  868. }
  869. if( ( ret = cmac_test_wth_cipher ( verbose,
  870. "AES 256",
  871. aes_256_key,
  872. 256,
  873. test_message,
  874. aes_message_lengths,
  875. (const unsigned char*)aes_256_expected_result,
  876. MBEDTLS_CIPHER_AES_256_ECB,
  877. MBEDTLS_AES_BLOCK_SIZE,
  878. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  879. {
  880. return( ret );
  881. }
  882. #endif /* MBEDTLS_AES_C */
  883. #if defined(MBEDTLS_DES_C)
  884. /* 3DES 2 key */
  885. if( ( ret = cmac_test_subkeys( verbose,
  886. "3DES 2 key",
  887. des3_2key_key,
  888. 192,
  889. (const unsigned char*)des3_2key_subkeys,
  890. MBEDTLS_CIPHER_DES_EDE3_ECB,
  891. MBEDTLS_DES3_BLOCK_SIZE,
  892. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  893. {
  894. return( ret );
  895. }
  896. if( ( ret = cmac_test_wth_cipher( verbose,
  897. "3DES 2 key",
  898. des3_2key_key,
  899. 192,
  900. test_message,
  901. des3_message_lengths,
  902. (const unsigned char*)des3_2key_expected_result,
  903. MBEDTLS_CIPHER_DES_EDE3_ECB,
  904. MBEDTLS_DES3_BLOCK_SIZE,
  905. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  906. {
  907. return( ret );
  908. }
  909. /* 3DES 3 key */
  910. if( ( ret = cmac_test_subkeys( verbose,
  911. "3DES 3 key",
  912. des3_3key_key,
  913. 192,
  914. (const unsigned char*)des3_3key_subkeys,
  915. MBEDTLS_CIPHER_DES_EDE3_ECB,
  916. MBEDTLS_DES3_BLOCK_SIZE,
  917. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  918. {
  919. return( ret );
  920. }
  921. if( ( ret = cmac_test_wth_cipher( verbose,
  922. "3DES 3 key",
  923. des3_3key_key,
  924. 192,
  925. test_message,
  926. des3_message_lengths,
  927. (const unsigned char*)des3_3key_expected_result,
  928. MBEDTLS_CIPHER_DES_EDE3_ECB,
  929. MBEDTLS_DES3_BLOCK_SIZE,
  930. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  931. {
  932. return( ret );
  933. }
  934. #endif /* MBEDTLS_DES_C */
  935. #if defined(MBEDTLS_AES_C)
  936. if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
  937. return( ret );
  938. #endif /* MBEDTLS_AES_C */
  939. if( verbose != 0 )
  940. mbedtls_printf( "\n" );
  941. return( 0 );
  942. }
  943. #endif /* MBEDTLS_SELF_TEST */
  944. #endif /* MBEDTLS_CMAC_C */