1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8 */
9
10 /*
11 * References:
12 *
13 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
14 * CMAC Mode for Authentication
15 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
16 *
17 * - RFC 4493 - The AES-CMAC Algorithm
18 * https://tools.ietf.org/html/rfc4493
19 *
20 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
21 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
22 * Algorithm for the Internet Key Exchange Protocol (IKE)
23 * https://tools.ietf.org/html/rfc4615
24 *
25 * Additional test vectors: ISO/IEC 9797-1
26 *
27 */
28
29 #include "common.h"
30
31 #if defined(MBEDTLS_CMAC_C)
32
33 #include "mbedtls/cmac.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 #include "mbedtls/platform.h"
37 #include "constant_time_internal.h"
38
39 #include <string.h>
40
41 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
42
43 /*
44 * Multiplication by u in the Galois field of GF(2^n)
45 *
46 * As explained in NIST SP 800-38B, this can be computed:
47 *
48 * If MSB(p) = 0, then p = (p << 1)
49 * If MSB(p) = 1, then p = (p << 1) ^ R_n
50 * with R_64 = 0x1B and R_128 = 0x87
51 *
52 * Input and output MUST NOT point to the same buffer
53 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
54 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)55 static int cmac_multiply_by_u(unsigned char *output,
56 const unsigned char *input,
57 size_t blocksize)
58 {
59 const unsigned char R_128 = 0x87;
60 unsigned char R_n;
61 uint32_t overflow = 0x00;
62 int i;
63
64 if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
65 R_n = R_128;
66 }
67 #if defined(MBEDTLS_DES_C)
68 else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
69 const unsigned char R_64 = 0x1B;
70 R_n = R_64;
71 }
72 #endif
73 else {
74 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
75 }
76
77 for (i = (int) blocksize - 4; i >= 0; i -= 4) {
78 uint32_t i32 = MBEDTLS_GET_UINT32_BE(&input[i], 0);
79 uint32_t new_overflow = i32 >> 31;
80 i32 = (i32 << 1) | overflow;
81 MBEDTLS_PUT_UINT32_BE(i32, &output[i], 0);
82 overflow = new_overflow;
83 }
84
85 R_n = (unsigned char) mbedtls_ct_uint_if_else_0(mbedtls_ct_bool(input[0] >> 7), R_n);
86 output[blocksize - 1] ^= R_n;
87
88 return 0;
89 }
90
91 /*
92 * Generate subkeys
93 *
94 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
95 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)96 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
97 unsigned char *K1, unsigned char *K2)
98 {
99 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
100 unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
101 size_t olen, block_size;
102
103 mbedtls_platform_zeroize(L, sizeof(L));
104
105 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
106
107 /* Calculate Ek(0) */
108 if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
109 goto exit;
110 }
111
112 /*
113 * Generate K1 and K2
114 */
115 if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
116 goto exit;
117 }
118
119 if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
120 goto exit;
121 }
122
123 exit:
124 mbedtls_platform_zeroize(L, sizeof(L));
125
126 return ret;
127 }
128 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
129
130 #if !defined(MBEDTLS_CMAC_ALT)
131
132 /*
133 * Create padded last block from (partial) last block.
134 *
135 * We can't use the padding option from the cipher layer, as it only works for
136 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
137 */
cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)138 static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
139 size_t padded_block_len,
140 const unsigned char *last_block,
141 size_t last_block_len)
142 {
143 size_t j;
144
145 for (j = 0; j < padded_block_len; j++) {
146 if (j < last_block_len) {
147 padded_block[j] = last_block[j];
148 } else if (j == last_block_len) {
149 padded_block[j] = 0x80;
150 } else {
151 padded_block[j] = 0x00;
152 }
153 }
154 }
155
mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t * ctx)156 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx)
157 {
158 mbedtls_cmac_context_t *cmac_ctx;
159
160 /*
161 * Allocate and initialise in the cipher context memory for the CMAC
162 * context
163 */
164 cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
165 if (cmac_ctx == NULL)
166 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
167
168 ctx->cmac_ctx = cmac_ctx;
169
170 mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
171 return 0;
172 }
173
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)174 int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
175 const unsigned char *key, size_t keybits)
176 {
177 mbedtls_cipher_type_t type;
178 int retval;
179
180 if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
181 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
182 }
183
184 if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
185 MBEDTLS_ENCRYPT)) != 0) {
186 return retval;
187 }
188
189 type = mbedtls_cipher_info_get_type(ctx->cipher_info);
190
191 switch (type) {
192 case MBEDTLS_CIPHER_AES_128_ECB:
193 case MBEDTLS_CIPHER_AES_192_ECB:
194 case MBEDTLS_CIPHER_AES_256_ECB:
195 case MBEDTLS_CIPHER_DES_EDE3_ECB:
196 break;
197 default:
198 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
199 }
200
201 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */
202 if( ctx->cmac_ctx != NULL )
203 return 0;
204
205 return mbedtls_cipher_cmac_setup( ctx );
206 }
207
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)208 int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
209 const unsigned char *input, size_t ilen)
210 {
211 mbedtls_cmac_context_t *cmac_ctx;
212 unsigned char *state;
213 int ret = 0;
214 size_t n, j, olen, block_size;
215
216 if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
217 ctx->cmac_ctx == NULL) {
218 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
219 }
220
221 cmac_ctx = ctx->cmac_ctx;
222 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
223 state = ctx->cmac_ctx->state;
224
225 /* Without the MBEDTLS_ASSUME below, gcc -O3 will generate a warning of the form
226 * error: writing 16 bytes into a region of size 0 [-Werror=stringop-overflow=] */
227 MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE);
228
229 /* Is there data still to process from the last call, that's greater in
230 * size than a block? */
231 if (cmac_ctx->unprocessed_len > 0 &&
232 ilen > block_size - cmac_ctx->unprocessed_len) {
233 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
234 input,
235 block_size - cmac_ctx->unprocessed_len);
236
237 mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
238
239 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
240 &olen)) != 0) {
241 goto exit;
242 }
243
244 input += block_size - cmac_ctx->unprocessed_len;
245 ilen -= block_size - cmac_ctx->unprocessed_len;
246 cmac_ctx->unprocessed_len = 0;
247 }
248
249 /* n is the number of blocks including any final partial block */
250 n = (ilen + block_size - 1) / block_size;
251
252 /* Iterate across the input data in block sized chunks, excluding any
253 * final partial or complete block */
254 for (j = 1; j < n; j++) {
255 mbedtls_xor_no_simd(state, input, state, block_size);
256
257 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
258 &olen)) != 0) {
259 goto exit;
260 }
261
262 ilen -= block_size;
263 input += block_size;
264 }
265
266 /* If there is data left over that wasn't aligned to a block */
267 if (ilen > 0) {
268 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
269 input,
270 ilen);
271 cmac_ctx->unprocessed_len += ilen;
272 }
273
274 exit:
275 return ret;
276 }
277
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)278 int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
279 unsigned char *output)
280 {
281 mbedtls_cmac_context_t *cmac_ctx;
282 unsigned char *state, *last_block;
283 unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
284 unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
285 unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
286 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
287 size_t olen, block_size;
288
289 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
290 output == NULL) {
291 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
292 }
293
294 cmac_ctx = ctx->cmac_ctx;
295 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
296 MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); // silence GCC warning
297 state = cmac_ctx->state;
298
299 mbedtls_platform_zeroize(K1, sizeof(K1));
300 mbedtls_platform_zeroize(K2, sizeof(K2));
301 cmac_generate_subkeys(ctx, K1, K2);
302
303 last_block = cmac_ctx->unprocessed_block;
304
305 /* Calculate last block */
306 if (cmac_ctx->unprocessed_len < block_size) {
307 cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
308 mbedtls_xor(M_last, M_last, K2, block_size);
309 } else {
310 /* Last block is complete block */
311 mbedtls_xor(M_last, last_block, K1, block_size);
312 }
313
314
315 mbedtls_xor(state, M_last, state, block_size);
316 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
317 &olen)) != 0) {
318 goto exit;
319 }
320
321 memcpy(output, state, block_size);
322
323 exit:
324 /* Wipe the generated keys on the stack, and any other transients to avoid
325 * side channel leakage */
326 mbedtls_platform_zeroize(K1, sizeof(K1));
327 mbedtls_platform_zeroize(K2, sizeof(K2));
328
329 cmac_ctx->unprocessed_len = 0;
330 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
331 sizeof(cmac_ctx->unprocessed_block));
332
333 mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
334 return ret;
335 }
336
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)337 int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
338 {
339 mbedtls_cmac_context_t *cmac_ctx;
340
341 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
342 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
343 }
344
345 cmac_ctx = ctx->cmac_ctx;
346
347 /* Reset the internal state */
348 cmac_ctx->unprocessed_len = 0;
349 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
350 sizeof(cmac_ctx->unprocessed_block));
351 mbedtls_platform_zeroize(cmac_ctx->state,
352 sizeof(cmac_ctx->state));
353
354 return 0;
355 }
356
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)357 int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
358 const unsigned char *key, size_t keylen,
359 const unsigned char *input, size_t ilen,
360 unsigned char *output)
361 {
362 mbedtls_cipher_context_t ctx;
363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
364
365 if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
366 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
367 }
368
369 mbedtls_cipher_init(&ctx);
370
371 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
372 goto exit;
373 }
374
375 ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
376 if (ret != 0) {
377 goto exit;
378 }
379
380 ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
381 if (ret != 0) {
382 goto exit;
383 }
384
385 ret = mbedtls_cipher_cmac_finish(&ctx, output);
386
387 exit:
388 mbedtls_cipher_free(&ctx);
389
390 return ret;
391 }
392
393 #if defined(MBEDTLS_AES_C)
394 /*
395 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
396 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])397 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
398 const unsigned char *input, size_t in_len,
399 unsigned char output[16])
400 {
401 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
402 const mbedtls_cipher_info_t *cipher_info;
403 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
404 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
405
406 if (key == NULL || input == NULL || output == NULL) {
407 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
408 }
409
410 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
411 if (cipher_info == NULL) {
412 /* Failing at this point must be due to a build issue */
413 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
414 goto exit;
415 }
416
417 if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
418 /* Use key as is */
419 memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
420 } else {
421 memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
422
423 ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
424 key_length, int_key);
425 if (ret != 0) {
426 goto exit;
427 }
428 }
429
430 ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
431 output);
432
433 exit:
434 mbedtls_platform_zeroize(int_key, sizeof(int_key));
435
436 return ret;
437 }
438 #endif /* MBEDTLS_AES_C */
439
440 #endif /* !MBEDTLS_CMAC_ALT */
441
442 #if defined(MBEDTLS_SELF_TEST)
443 /*
444 * CMAC test data for SP800-38B
445 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
446 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
447 *
448 * AES-CMAC-PRF-128 test data from RFC 4615
449 * https://tools.ietf.org/html/rfc4615#page-4
450 */
451
452 #define NB_CMAC_TESTS_PER_KEY 4
453 #define NB_PRF_TESTS 3
454
455 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
456 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
457 static const unsigned char test_message[] = {
458 /* PT */
459 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
460 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
461 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
462 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
463 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
464 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
465 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
466 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
467 };
468 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
469
470 #if defined(MBEDTLS_AES_C)
471 /* Truncation point of message for AES CMAC tests */
472 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
473 /* Mlen */
474 0,
475 16,
476 20,
477 64
478 };
479
480 /* CMAC-AES128 Test Data */
481 static const unsigned char aes_128_key[16] = {
482 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
483 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
484 };
485 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
486 {
487 /* K1 */
488 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
489 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
490 },
491 {
492 /* K2 */
493 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
494 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
495 }
496 };
497 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
498 {
499 {
500 /* Example #1 */
501 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
502 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
503 },
504 {
505 /* Example #2 */
506 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
507 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
508 },
509 {
510 /* Example #3 */
511 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
512 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
513 },
514 {
515 /* Example #4 */
516 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
517 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
518 }
519 };
520
521 /* CMAC-AES192 Test Data */
522 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
523 static const unsigned char aes_192_key[24] = {
524 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
525 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
526 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
527 };
528 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
529 {
530 /* K1 */
531 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
532 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
533 },
534 {
535 /* K2 */
536 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
537 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
538 }
539 };
540 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
541 {
542 {
543 /* Example #1 */
544 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
545 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
546 },
547 {
548 /* Example #2 */
549 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
550 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
551 },
552 {
553 /* Example #3 */
554 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
555 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
556 },
557 {
558 /* Example #4 */
559 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
560 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
561 }
562 };
563 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
564
565 /* CMAC-AES256 Test Data */
566 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
567 static const unsigned char aes_256_key[32] = {
568 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
569 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
570 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
571 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
572 };
573 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
574 {
575 /* K1 */
576 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
577 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
578 },
579 {
580 /* K2 */
581 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
582 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
583 }
584 };
585 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
586 {
587 {
588 /* Example #1 */
589 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
590 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
591 },
592 {
593 /* Example #2 */
594 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
595 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
596 },
597 {
598 /* Example #3 */
599 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
600 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
601 },
602 {
603 /* Example #4 */
604 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
605 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
606 }
607 };
608 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
609 #endif /* MBEDTLS_AES_C */
610
611 #if defined(MBEDTLS_DES_C)
612 /* Truncation point of message for 3DES CMAC tests */
613 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
614 0,
615 16,
616 20,
617 32
618 };
619
620 /* CMAC-TDES (Generation) - 2 Key Test Data */
621 static const unsigned char des3_2key_key[24] = {
622 /* Key1 */
623 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
624 /* Key2 */
625 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
626 /* Key3 */
627 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
628 };
629 static const unsigned char des3_2key_subkeys[2][8] = {
630 {
631 /* K1 */
632 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
633 },
634 {
635 /* K2 */
636 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
637 }
638 };
639 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
640 = {
641 {
642 /* Sample #1 */
643 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
644 },
645 {
646 /* Sample #2 */
647 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
648 },
649 {
650 /* Sample #3 */
651 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
652 },
653 {
654 /* Sample #4 */
655 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
656 }
657 };
658
659 /* CMAC-TDES (Generation) - 3 Key Test Data */
660 static const unsigned char des3_3key_key[24] = {
661 /* Key1 */
662 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
663 /* Key2 */
664 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
665 /* Key3 */
666 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
667 };
668 static const unsigned char des3_3key_subkeys[2][8] = {
669 {
670 /* K1 */
671 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
672 },
673 {
674 /* K2 */
675 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
676 }
677 };
678 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
679 = {
680 {
681 /* Sample #1 */
682 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
683 },
684 {
685 /* Sample #2 */
686 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
687 },
688 {
689 /* Sample #3 */
690 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
691 },
692 {
693 /* Sample #4 */
694 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
695 }
696 };
697
698 #endif /* MBEDTLS_DES_C */
699
700 #if defined(MBEDTLS_AES_C)
701 /* AES AES-CMAC-PRF-128 Test Data */
702 static const unsigned char PRFK[] = {
703 /* Key */
704 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
705 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
706 0xed, 0xcb
707 };
708
709 /* Sizes in bytes */
710 static const size_t PRFKlen[NB_PRF_TESTS] = {
711 18,
712 16,
713 10
714 };
715
716 /* Message */
717 static const unsigned char PRFM[] = {
718 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
719 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
720 0x10, 0x11, 0x12, 0x13
721 };
722
723 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
724 {
725 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
726 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
727 },
728 {
729 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
730 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
731 },
732 {
733 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
734 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
735 }
736 };
737 #endif /* MBEDTLS_AES_C */
738
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)739 static int cmac_test_subkeys(int verbose,
740 const char *testname,
741 const unsigned char *key,
742 int keybits,
743 const unsigned char *subkeys,
744 mbedtls_cipher_type_t cipher_type,
745 int block_size,
746 int num_tests)
747 {
748 int i, ret = 0;
749 mbedtls_cipher_context_t ctx;
750 const mbedtls_cipher_info_t *cipher_info;
751 unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
752 unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
753
754 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
755 if (cipher_info == NULL) {
756 /* Failing at this point must be due to a build issue */
757 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
758 }
759
760 for (i = 0; i < num_tests; i++) {
761 if (verbose != 0) {
762 mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
763 }
764
765 mbedtls_cipher_init(&ctx);
766
767 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
768 if (verbose != 0) {
769 mbedtls_printf("test execution failed\n");
770 }
771
772 goto cleanup;
773 }
774
775 if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
776 MBEDTLS_ENCRYPT)) != 0) {
777 /* When CMAC is implemented by an alternative implementation, or
778 * the underlying primitive itself is implemented alternatively,
779 * AES-192 may be unavailable. This should not cause the selftest
780 * function to fail. */
781 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
782 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
783 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
784 if (verbose != 0) {
785 mbedtls_printf("skipped\n");
786 }
787 goto next_test;
788 }
789
790 if (verbose != 0) {
791 mbedtls_printf("test execution failed\n");
792 }
793
794 goto cleanup;
795 }
796
797 ret = cmac_generate_subkeys(&ctx, K1, K2);
798 if (ret != 0) {
799 if (verbose != 0) {
800 mbedtls_printf("failed\n");
801 }
802
803 goto cleanup;
804 }
805
806 if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
807 (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
808 if (verbose != 0) {
809 mbedtls_printf("failed\n");
810 }
811
812 goto cleanup;
813 }
814
815 if (verbose != 0) {
816 mbedtls_printf("passed\n");
817 }
818
819 next_test:
820 mbedtls_cipher_free(&ctx);
821 }
822
823 ret = 0;
824 goto exit;
825
826 cleanup:
827 mbedtls_cipher_free(&ctx);
828
829 exit:
830 return ret;
831 }
832
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)833 static int cmac_test_wth_cipher(int verbose,
834 const char *testname,
835 const unsigned char *key,
836 int keybits,
837 const unsigned char *messages,
838 const unsigned int message_lengths[4],
839 const unsigned char *expected_result,
840 mbedtls_cipher_type_t cipher_type,
841 int block_size,
842 int num_tests)
843 {
844 const mbedtls_cipher_info_t *cipher_info;
845 int i, ret = 0;
846 unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
847
848 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
849 if (cipher_info == NULL) {
850 /* Failing at this point must be due to a build issue */
851 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
852 goto exit;
853 }
854
855 for (i = 0; i < num_tests; i++) {
856 if (verbose != 0) {
857 mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
858 }
859
860 if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
861 message_lengths[i], output)) != 0) {
862 /* When CMAC is implemented by an alternative implementation, or
863 * the underlying primitive itself is implemented alternatively,
864 * AES-192 and/or 3DES may be unavailable. This should not cause
865 * the selftest function to fail. */
866 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
867 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
868 (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
869 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
870 if (verbose != 0) {
871 mbedtls_printf("skipped\n");
872 }
873 continue;
874 }
875
876 if (verbose != 0) {
877 mbedtls_printf("failed\n");
878 }
879 goto exit;
880 }
881
882 if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
883 if (verbose != 0) {
884 mbedtls_printf("failed\n");
885 }
886 goto exit;
887 }
888
889 if (verbose != 0) {
890 mbedtls_printf("passed\n");
891 }
892 }
893 ret = 0;
894
895 exit:
896 return ret;
897 }
898
899 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)900 static int test_aes128_cmac_prf(int verbose)
901 {
902 int i;
903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
904 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
905
906 for (i = 0; i < NB_PRF_TESTS; i++) {
907 mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
908 ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
909 if (ret != 0 ||
910 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
911
912 if (verbose != 0) {
913 mbedtls_printf("failed\n");
914 }
915
916 return ret;
917 } else if (verbose != 0) {
918 mbedtls_printf("passed\n");
919 }
920 }
921 return ret;
922 }
923 #endif /* MBEDTLS_AES_C */
924
mbedtls_cmac_self_test(int verbose)925 int mbedtls_cmac_self_test(int verbose)
926 {
927 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
928
929 #if defined(MBEDTLS_AES_C)
930 /* AES-128 */
931 if ((ret = cmac_test_subkeys(verbose,
932 "AES 128",
933 aes_128_key,
934 128,
935 (const unsigned char *) aes_128_subkeys,
936 MBEDTLS_CIPHER_AES_128_ECB,
937 MBEDTLS_AES_BLOCK_SIZE,
938 NB_CMAC_TESTS_PER_KEY)) != 0) {
939 return ret;
940 }
941
942 if ((ret = cmac_test_wth_cipher(verbose,
943 "AES 128",
944 aes_128_key,
945 128,
946 test_message,
947 aes_message_lengths,
948 (const unsigned char *) aes_128_expected_result,
949 MBEDTLS_CIPHER_AES_128_ECB,
950 MBEDTLS_AES_BLOCK_SIZE,
951 NB_CMAC_TESTS_PER_KEY)) != 0) {
952 return ret;
953 }
954
955 /* AES-192 */
956 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
957 if ((ret = cmac_test_subkeys(verbose,
958 "AES 192",
959 aes_192_key,
960 192,
961 (const unsigned char *) aes_192_subkeys,
962 MBEDTLS_CIPHER_AES_192_ECB,
963 MBEDTLS_AES_BLOCK_SIZE,
964 NB_CMAC_TESTS_PER_KEY)) != 0) {
965 return ret;
966 }
967
968 if ((ret = cmac_test_wth_cipher(verbose,
969 "AES 192",
970 aes_192_key,
971 192,
972 test_message,
973 aes_message_lengths,
974 (const unsigned char *) aes_192_expected_result,
975 MBEDTLS_CIPHER_AES_192_ECB,
976 MBEDTLS_AES_BLOCK_SIZE,
977 NB_CMAC_TESTS_PER_KEY)) != 0) {
978 return ret;
979 }
980 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
981
982 /* AES-256 */
983 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
984 if ((ret = cmac_test_subkeys(verbose,
985 "AES 256",
986 aes_256_key,
987 256,
988 (const unsigned char *) aes_256_subkeys,
989 MBEDTLS_CIPHER_AES_256_ECB,
990 MBEDTLS_AES_BLOCK_SIZE,
991 NB_CMAC_TESTS_PER_KEY)) != 0) {
992 return ret;
993 }
994
995 if ((ret = cmac_test_wth_cipher(verbose,
996 "AES 256",
997 aes_256_key,
998 256,
999 test_message,
1000 aes_message_lengths,
1001 (const unsigned char *) aes_256_expected_result,
1002 MBEDTLS_CIPHER_AES_256_ECB,
1003 MBEDTLS_AES_BLOCK_SIZE,
1004 NB_CMAC_TESTS_PER_KEY)) != 0) {
1005 return ret;
1006 }
1007 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
1008 #endif /* MBEDTLS_AES_C */
1009
1010 #if defined(MBEDTLS_DES_C)
1011 /* 3DES 2 key */
1012 if ((ret = cmac_test_subkeys(verbose,
1013 "3DES 2 key",
1014 des3_2key_key,
1015 192,
1016 (const unsigned char *) des3_2key_subkeys,
1017 MBEDTLS_CIPHER_DES_EDE3_ECB,
1018 MBEDTLS_DES3_BLOCK_SIZE,
1019 NB_CMAC_TESTS_PER_KEY)) != 0) {
1020 return ret;
1021 }
1022
1023 if ((ret = cmac_test_wth_cipher(verbose,
1024 "3DES 2 key",
1025 des3_2key_key,
1026 192,
1027 test_message,
1028 des3_message_lengths,
1029 (const unsigned char *) des3_2key_expected_result,
1030 MBEDTLS_CIPHER_DES_EDE3_ECB,
1031 MBEDTLS_DES3_BLOCK_SIZE,
1032 NB_CMAC_TESTS_PER_KEY)) != 0) {
1033 return ret;
1034 }
1035
1036 /* 3DES 3 key */
1037 if ((ret = cmac_test_subkeys(verbose,
1038 "3DES 3 key",
1039 des3_3key_key,
1040 192,
1041 (const unsigned char *) des3_3key_subkeys,
1042 MBEDTLS_CIPHER_DES_EDE3_ECB,
1043 MBEDTLS_DES3_BLOCK_SIZE,
1044 NB_CMAC_TESTS_PER_KEY)) != 0) {
1045 return ret;
1046 }
1047
1048 if ((ret = cmac_test_wth_cipher(verbose,
1049 "3DES 3 key",
1050 des3_3key_key,
1051 192,
1052 test_message,
1053 des3_message_lengths,
1054 (const unsigned char *) des3_3key_expected_result,
1055 MBEDTLS_CIPHER_DES_EDE3_ECB,
1056 MBEDTLS_DES3_BLOCK_SIZE,
1057 NB_CMAC_TESTS_PER_KEY)) != 0) {
1058 return ret;
1059 }
1060 #endif /* MBEDTLS_DES_C */
1061
1062 #if defined(MBEDTLS_AES_C)
1063 if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
1064 return ret;
1065 }
1066 #endif /* MBEDTLS_AES_C */
1067
1068 if (verbose != 0) {
1069 mbedtls_printf("\n");
1070 }
1071
1072 return 0;
1073 }
1074
1075 #endif /* MBEDTLS_SELF_TEST */
1076
1077 #endif /* MBEDTLS_CMAC_C */
1078