1 // SPDX-License-Identifier: Apache-2.0 2 /** 3 * \file cmac.c 4 * 5 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 6 * 7 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 24 /* 25 * References: 26 * 27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 28 * CMAC Mode for Authentication 29 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 30 * 31 * - RFC 4493 - The AES-CMAC Algorithm 32 * https://tools.ietf.org/html/rfc4493 33 * 34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 36 * Algorithm for the Internet Key Exchange Protocol (IKE) 37 * https://tools.ietf.org/html/rfc4615 38 * 39 * Additional test vectors: ISO/IEC 9797-1 40 * 41 */ 42 43 #if !defined(MBEDTLS_CONFIG_FILE) 44 #include "mbedtls/config.h" 45 #else 46 #include MBEDTLS_CONFIG_FILE 47 #endif 48 49 #if defined(MBEDTLS_CMAC_C) 50 51 #include "mbedtls/cmac.h" 52 #include "mbedtls/platform_util.h" 53 #include "mbedtls/error.h" 54 55 #include <string.h> 56 57 #if defined(MBEDTLS_PLATFORM_C) 58 #include "mbedtls/platform.h" 59 #else 60 #include <stdlib.h> 61 #define mbedtls_calloc calloc 62 #define mbedtls_free free 63 #if defined(MBEDTLS_SELF_TEST) 64 #include <stdio.h> 65 #define mbedtls_printf printf 66 #endif /* MBEDTLS_SELF_TEST */ 67 #endif /* MBEDTLS_PLATFORM_C */ 68 69 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 70 71 /* 72 * Multiplication by u in the Galois field of GF(2^n) 73 * 74 * As explained in NIST SP 800-38B, this can be computed: 75 * 76 * If MSB(p) = 0, then p = (p << 1) 77 * If MSB(p) = 1, then p = (p << 1) ^ R_n 78 * with R_64 = 0x1B and R_128 = 0x87 79 * 80 * Input and output MUST NOT point to the same buffer 81 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 82 */ 83 static int cmac_multiply_by_u( unsigned char *output, 84 const unsigned char *input, 85 size_t blocksize ) 86 { 87 const unsigned char R_128 = 0x87; 88 const unsigned char R_64 = 0x1B; 89 unsigned char R_n, mask; 90 unsigned char overflow = 0x00; 91 int i; 92 93 if( blocksize == MBEDTLS_AES_BLOCK_SIZE ) 94 { 95 R_n = R_128; 96 } 97 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE ) 98 { 99 R_n = R_64; 100 } 101 else 102 { 103 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 104 } 105 106 for( i = (int)blocksize - 1; i >= 0; i-- ) 107 { 108 output[i] = input[i] << 1 | overflow; 109 overflow = input[i] >> 7; 110 } 111 112 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 113 * using bit operations to avoid branches */ 114 115 /* MSVC has a warning about unary minus on unsigned, but this is 116 * well-defined and precisely what we want to do here */ 117 #if defined(_MSC_VER) 118 #pragma warning( push ) 119 #pragma warning( disable : 4146 ) 120 #endif 121 mask = - ( input[0] >> 7 ); 122 #if defined(_MSC_VER) 123 #pragma warning( pop ) 124 #endif 125 126 output[ blocksize - 1 ] ^= R_n & mask; 127 128 return( 0 ); 129 } 130 131 /* 132 * Generate subkeys 133 * 134 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 135 */ 136 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx, 137 unsigned char* K1, unsigned char* K2 ) 138 { 139 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 140 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; 141 size_t olen, block_size; 142 143 mbedtls_platform_zeroize( L, sizeof( L ) ); 144 145 block_size = ctx->cipher_info->block_size; 146 147 /* Calculate Ek(0) */ 148 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 ) 149 goto exit; 150 151 /* 152 * Generate K1 and K2 153 */ 154 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 ) 155 goto exit; 156 157 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 ) 158 goto exit; 159 160 exit: 161 mbedtls_platform_zeroize( L, sizeof( L ) ); 162 163 return( ret ); 164 } 165 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 166 167 #if !defined(MBEDTLS_CMAC_ALT) 168 static void cmac_xor_block( unsigned char *output, const unsigned char *input1, 169 const unsigned char *input2, 170 const size_t block_size ) 171 { 172 size_t idx; 173 174 for( idx = 0; idx < block_size; idx++ ) 175 output[ idx ] = input1[ idx ] ^ input2[ idx ]; 176 } 177 178 /* 179 * Create padded last block from (partial) last block. 180 * 181 * We can't use the padding option from the cipher layer, as it only works for 182 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 183 */ 184 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], 185 size_t padded_block_len, 186 const unsigned char *last_block, 187 size_t last_block_len ) 188 { 189 size_t j; 190 191 for( j = 0; j < padded_block_len; j++ ) 192 { 193 if( j < last_block_len ) 194 padded_block[j] = last_block[j]; 195 else if( j == last_block_len ) 196 padded_block[j] = 0x80; 197 else 198 padded_block[j] = 0x00; 199 } 200 } 201 202 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx) 203 { 204 mbedtls_cmac_context_t *cmac_ctx; 205 206 /* Allocated and initialise in the cipher context memory for the CMAC 207 * context */ 208 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) ); 209 if( cmac_ctx == NULL ) 210 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 211 212 ctx->cmac_ctx = cmac_ctx; 213 214 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) ); 215 return 0; 216 } 217 218 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 219 const unsigned char *key, size_t keybits ) 220 { 221 mbedtls_cipher_type_t type; 222 int retval; 223 224 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL ) 225 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 226 227 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits, 228 MBEDTLS_ENCRYPT ) ) != 0 ) 229 return( retval ); 230 231 type = ctx->cipher_info->type; 232 233 switch( type ) 234 { 235 case MBEDTLS_CIPHER_AES_128_ECB: 236 case MBEDTLS_CIPHER_AES_192_ECB: 237 case MBEDTLS_CIPHER_AES_256_ECB: 238 case MBEDTLS_CIPHER_DES_EDE3_ECB: 239 break; 240 default: 241 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 242 } 243 244 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */ 245 if( ctx->cmac_ctx != NULL ) 246 return 0; 247 248 return mbedtls_cipher_cmac_setup( ctx ); 249 } 250 251 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 252 const unsigned char *input, size_t ilen ) 253 { 254 mbedtls_cmac_context_t* cmac_ctx; 255 unsigned char *state; 256 int ret = 0; 257 size_t n, j, olen, block_size; 258 259 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL || 260 ctx->cmac_ctx == NULL ) 261 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 262 263 cmac_ctx = ctx->cmac_ctx; 264 block_size = ctx->cipher_info->block_size; 265 state = ctx->cmac_ctx->state; 266 267 /* Is there data still to process from the last call, that's greater in 268 * size than a block? */ 269 if( cmac_ctx->unprocessed_len > 0 && 270 ilen > block_size - cmac_ctx->unprocessed_len ) 271 { 272 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 273 input, 274 block_size - cmac_ctx->unprocessed_len ); 275 276 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size ); 277 278 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 279 &olen ) ) != 0 ) 280 { 281 goto exit; 282 } 283 284 input += block_size - cmac_ctx->unprocessed_len; 285 ilen -= block_size - cmac_ctx->unprocessed_len; 286 cmac_ctx->unprocessed_len = 0; 287 } 288 289 /* n is the number of blocks including any final partial block */ 290 n = ( ilen + block_size - 1 ) / block_size; 291 292 /* Iterate across the input data in block sized chunks, excluding any 293 * final partial or complete block */ 294 for( j = 1; j < n; j++ ) 295 { 296 cmac_xor_block( state, input, state, block_size ); 297 298 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 299 &olen ) ) != 0 ) 300 goto exit; 301 302 ilen -= block_size; 303 input += block_size; 304 } 305 306 /* If there is data left over that wasn't aligned to a block */ 307 if( ilen > 0 ) 308 { 309 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 310 input, 311 ilen ); 312 cmac_ctx->unprocessed_len += ilen; 313 } 314 315 exit: 316 return( ret ); 317 } 318 319 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 320 unsigned char *output ) 321 { 322 mbedtls_cmac_context_t* cmac_ctx; 323 unsigned char *state, *last_block; 324 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 325 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 326 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; 327 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 328 size_t olen, block_size; 329 330 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 331 output == NULL ) 332 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 333 334 cmac_ctx = ctx->cmac_ctx; 335 block_size = ctx->cipher_info->block_size; 336 state = cmac_ctx->state; 337 338 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 339 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 340 cmac_generate_subkeys( ctx, K1, K2 ); 341 342 last_block = cmac_ctx->unprocessed_block; 343 344 /* Calculate last block */ 345 if( cmac_ctx->unprocessed_len < block_size ) 346 { 347 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len ); 348 cmac_xor_block( M_last, M_last, K2, block_size ); 349 } 350 else 351 { 352 /* Last block is complete block */ 353 cmac_xor_block( M_last, last_block, K1, block_size ); 354 } 355 356 357 cmac_xor_block( state, M_last, state, block_size ); 358 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 359 &olen ) ) != 0 ) 360 { 361 goto exit; 362 } 363 364 memcpy( output, state, block_size ); 365 366 exit: 367 /* Wipe the generated keys on the stack, and any other transients to avoid 368 * side channel leakage */ 369 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 370 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 371 372 cmac_ctx->unprocessed_len = 0; 373 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 374 sizeof( cmac_ctx->unprocessed_block ) ); 375 376 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX ); 377 return( ret ); 378 } 379 380 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ) 381 { 382 mbedtls_cmac_context_t* cmac_ctx; 383 384 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ) 385 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 386 387 cmac_ctx = ctx->cmac_ctx; 388 389 /* Reset the internal state */ 390 cmac_ctx->unprocessed_len = 0; 391 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 392 sizeof( cmac_ctx->unprocessed_block ) ); 393 mbedtls_platform_zeroize( cmac_ctx->state, 394 sizeof( cmac_ctx->state ) ); 395 396 return( 0 ); 397 } 398 399 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 400 const unsigned char *key, size_t keylen, 401 const unsigned char *input, size_t ilen, 402 unsigned char *output ) 403 { 404 mbedtls_cipher_context_t ctx; 405 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 406 407 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL ) 408 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 409 410 mbedtls_cipher_init( &ctx ); 411 412 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 413 goto exit; 414 415 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen ); 416 if( ret != 0 ) 417 goto exit; 418 419 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen ); 420 if( ret != 0 ) 421 goto exit; 422 423 ret = mbedtls_cipher_cmac_finish( &ctx, output ); 424 425 exit: 426 mbedtls_cipher_free( &ctx ); 427 428 return( ret ); 429 } 430 431 #if defined(MBEDTLS_AES_C) 432 /* 433 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 434 */ 435 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length, 436 const unsigned char *input, size_t in_len, 437 unsigned char *output ) 438 { 439 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 440 const mbedtls_cipher_info_t *cipher_info; 441 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 442 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 443 444 if( key == NULL || input == NULL || output == NULL ) 445 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 446 447 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 448 if( cipher_info == NULL ) 449 { 450 /* Failing at this point must be due to a build issue */ 451 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 452 goto exit; 453 } 454 455 if( key_length == MBEDTLS_AES_BLOCK_SIZE ) 456 { 457 /* Use key as is */ 458 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE ); 459 } 460 else 461 { 462 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE ); 463 464 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key, 465 key_length, int_key ); 466 if( ret != 0 ) 467 goto exit; 468 } 469 470 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len, 471 output ); 472 473 exit: 474 mbedtls_platform_zeroize( int_key, sizeof( int_key ) ); 475 476 return( ret ); 477 } 478 #endif /* MBEDTLS_AES_C */ 479 480 #endif /* !MBEDTLS_CMAC_ALT */ 481 482 #if defined(MBEDTLS_SELF_TEST) 483 /* 484 * CMAC test data for SP800-38B 485 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 486 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 487 * 488 * AES-CMAC-PRF-128 test data from RFC 4615 489 * https://tools.ietf.org/html/rfc4615#page-4 490 */ 491 492 #define NB_CMAC_TESTS_PER_KEY 4 493 #define NB_PRF_TESTS 3 494 495 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 496 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 497 static const unsigned char test_message[] = { 498 /* PT */ 499 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 500 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 501 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 502 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 503 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 504 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 505 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 506 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 507 }; 508 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 509 510 #if defined(MBEDTLS_AES_C) 511 /* Truncation point of message for AES CMAC tests */ 512 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 513 /* Mlen */ 514 0, 515 16, 516 20, 517 64 518 }; 519 520 /* CMAC-AES128 Test Data */ 521 static const unsigned char aes_128_key[16] = { 522 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 523 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 524 }; 525 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 526 { 527 /* K1 */ 528 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 529 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 530 }, 531 { 532 /* K2 */ 533 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 534 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 535 } 536 }; 537 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 538 { 539 /* Example #1 */ 540 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 541 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 542 }, 543 { 544 /* Example #2 */ 545 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 546 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 547 }, 548 { 549 /* Example #3 */ 550 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 551 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 552 }, 553 { 554 /* Example #4 */ 555 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 556 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 557 } 558 }; 559 560 /* CMAC-AES192 Test Data */ 561 static const unsigned char aes_192_key[24] = { 562 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 563 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 564 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 565 }; 566 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 567 { 568 /* K1 */ 569 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 570 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 571 }, 572 { 573 /* K2 */ 574 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 575 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 576 } 577 }; 578 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 579 { 580 /* Example #1 */ 581 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 582 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 583 }, 584 { 585 /* Example #2 */ 586 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 587 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 588 }, 589 { 590 /* Example #3 */ 591 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 592 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 593 }, 594 { 595 /* Example #4 */ 596 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 597 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 598 } 599 }; 600 601 /* CMAC-AES256 Test Data */ 602 static const unsigned char aes_256_key[32] = { 603 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 604 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 605 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 606 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 607 }; 608 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 609 { 610 /* K1 */ 611 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 612 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 613 }, 614 { 615 /* K2 */ 616 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 617 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 618 } 619 }; 620 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 621 { 622 /* Example #1 */ 623 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 624 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 625 }, 626 { 627 /* Example #2 */ 628 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 629 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 630 }, 631 { 632 /* Example #3 */ 633 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 634 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 635 }, 636 { 637 /* Example #4 */ 638 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 639 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 640 } 641 }; 642 #endif /* MBEDTLS_AES_C */ 643 644 #if defined(MBEDTLS_DES_C) 645 /* Truncation point of message for 3DES CMAC tests */ 646 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 647 0, 648 16, 649 20, 650 32 651 }; 652 653 /* CMAC-TDES (Generation) - 2 Key Test Data */ 654 static const unsigned char des3_2key_key[24] = { 655 /* Key1 */ 656 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 657 /* Key2 */ 658 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 659 /* Key3 */ 660 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 661 }; 662 static const unsigned char des3_2key_subkeys[2][8] = { 663 { 664 /* K1 */ 665 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 666 }, 667 { 668 /* K2 */ 669 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 670 } 671 }; 672 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 673 { 674 /* Sample #1 */ 675 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 676 }, 677 { 678 /* Sample #2 */ 679 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 680 }, 681 { 682 /* Sample #3 */ 683 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 684 }, 685 { 686 /* Sample #4 */ 687 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 688 } 689 }; 690 691 /* CMAC-TDES (Generation) - 3 Key Test Data */ 692 static const unsigned char des3_3key_key[24] = { 693 /* Key1 */ 694 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 695 /* Key2 */ 696 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 697 /* Key3 */ 698 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 699 }; 700 static const unsigned char des3_3key_subkeys[2][8] = { 701 { 702 /* K1 */ 703 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 704 }, 705 { 706 /* K2 */ 707 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 708 } 709 }; 710 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 711 { 712 /* Sample #1 */ 713 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 714 }, 715 { 716 /* Sample #2 */ 717 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 718 }, 719 { 720 /* Sample #3 */ 721 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 722 }, 723 { 724 /* Sample #4 */ 725 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 726 } 727 }; 728 729 #endif /* MBEDTLS_DES_C */ 730 731 #if defined(MBEDTLS_AES_C) 732 /* AES AES-CMAC-PRF-128 Test Data */ 733 static const unsigned char PRFK[] = { 734 /* Key */ 735 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 736 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 737 0xed, 0xcb 738 }; 739 740 /* Sizes in bytes */ 741 static const size_t PRFKlen[NB_PRF_TESTS] = { 742 18, 743 16, 744 10 745 }; 746 747 /* Message */ 748 static const unsigned char PRFM[] = { 749 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 750 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 751 0x10, 0x11, 0x12, 0x13 752 }; 753 754 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 755 { 756 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 757 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 758 }, 759 { 760 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 761 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 762 }, 763 { 764 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 765 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 766 } 767 }; 768 #endif /* MBEDTLS_AES_C */ 769 770 static int cmac_test_subkeys( int verbose, 771 const char* testname, 772 const unsigned char* key, 773 int keybits, 774 const unsigned char* subkeys, 775 mbedtls_cipher_type_t cipher_type, 776 int block_size, 777 int num_tests ) 778 { 779 int i, ret = 0; 780 mbedtls_cipher_context_t ctx; 781 const mbedtls_cipher_info_t *cipher_info; 782 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 783 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 784 785 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 786 if( cipher_info == NULL ) 787 { 788 /* Failing at this point must be due to a build issue */ 789 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 790 } 791 792 for( i = 0; i < num_tests; i++ ) 793 { 794 if( verbose != 0 ) 795 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 ); 796 797 mbedtls_cipher_init( &ctx ); 798 799 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 800 { 801 if( verbose != 0 ) 802 mbedtls_printf( "test execution failed\n" ); 803 804 goto cleanup; 805 } 806 807 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits, 808 MBEDTLS_ENCRYPT ) ) != 0 ) 809 { 810 if( verbose != 0 ) 811 mbedtls_printf( "test execution failed\n" ); 812 813 goto cleanup; 814 } 815 816 ret = cmac_generate_subkeys( &ctx, K1, K2 ); 817 if( ret != 0 ) 818 { 819 if( verbose != 0 ) 820 mbedtls_printf( "failed\n" ); 821 822 goto cleanup; 823 } 824 825 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 || 826 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 ) 827 { 828 if( verbose != 0 ) 829 mbedtls_printf( "failed\n" ); 830 831 goto cleanup; 832 } 833 834 if( verbose != 0 ) 835 mbedtls_printf( "passed\n" ); 836 837 mbedtls_cipher_free( &ctx ); 838 } 839 840 ret = 0; 841 goto exit; 842 843 cleanup: 844 mbedtls_cipher_free( &ctx ); 845 846 exit: 847 return( ret ); 848 } 849 850 static int cmac_test_wth_cipher( int verbose, 851 const char* testname, 852 const unsigned char* key, 853 int keybits, 854 const unsigned char* messages, 855 const unsigned int message_lengths[4], 856 const unsigned char* expected_result, 857 mbedtls_cipher_type_t cipher_type, 858 int block_size, 859 int num_tests ) 860 { 861 const mbedtls_cipher_info_t *cipher_info; 862 int i, ret = 0; 863 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; 864 865 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 866 if( cipher_info == NULL ) 867 { 868 /* Failing at this point must be due to a build issue */ 869 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 870 goto exit; 871 } 872 873 for( i = 0; i < num_tests; i++ ) 874 { 875 if( verbose != 0 ) 876 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 ); 877 878 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages, 879 message_lengths[i], output ) ) != 0 ) 880 { 881 if( verbose != 0 ) 882 mbedtls_printf( "failed\n" ); 883 goto exit; 884 } 885 886 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 ) 887 { 888 if( verbose != 0 ) 889 mbedtls_printf( "failed\n" ); 890 goto exit; 891 } 892 893 if( verbose != 0 ) 894 mbedtls_printf( "passed\n" ); 895 } 896 ret = 0; 897 898 exit: 899 return( ret ); 900 } 901 902 #if defined(MBEDTLS_AES_C) 903 static int test_aes128_cmac_prf( int verbose ) 904 { 905 int i; 906 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 907 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 908 909 for( i = 0; i < NB_PRF_TESTS; i++ ) 910 { 911 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i ); 912 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output ); 913 if( ret != 0 || 914 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 ) 915 { 916 917 if( verbose != 0 ) 918 mbedtls_printf( "failed\n" ); 919 920 return( ret ); 921 } 922 else if( verbose != 0 ) 923 { 924 mbedtls_printf( "passed\n" ); 925 } 926 } 927 return( ret ); 928 } 929 #endif /* MBEDTLS_AES_C */ 930 931 int mbedtls_cmac_self_test( int verbose ) 932 { 933 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 934 935 #if defined(MBEDTLS_AES_C) 936 /* AES-128 */ 937 if( ( ret = cmac_test_subkeys( verbose, 938 "AES 128", 939 aes_128_key, 940 128, 941 (const unsigned char*)aes_128_subkeys, 942 MBEDTLS_CIPHER_AES_128_ECB, 943 MBEDTLS_AES_BLOCK_SIZE, 944 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 945 { 946 return( ret ); 947 } 948 949 if( ( ret = cmac_test_wth_cipher( verbose, 950 "AES 128", 951 aes_128_key, 952 128, 953 test_message, 954 aes_message_lengths, 955 (const unsigned char*)aes_128_expected_result, 956 MBEDTLS_CIPHER_AES_128_ECB, 957 MBEDTLS_AES_BLOCK_SIZE, 958 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 959 { 960 return( ret ); 961 } 962 963 /* AES-192 */ 964 if( ( ret = cmac_test_subkeys( verbose, 965 "AES 192", 966 aes_192_key, 967 192, 968 (const unsigned char*)aes_192_subkeys, 969 MBEDTLS_CIPHER_AES_192_ECB, 970 MBEDTLS_AES_BLOCK_SIZE, 971 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 972 { 973 return( ret ); 974 } 975 976 if( ( ret = cmac_test_wth_cipher( verbose, 977 "AES 192", 978 aes_192_key, 979 192, 980 test_message, 981 aes_message_lengths, 982 (const unsigned char*)aes_192_expected_result, 983 MBEDTLS_CIPHER_AES_192_ECB, 984 MBEDTLS_AES_BLOCK_SIZE, 985 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 986 { 987 return( ret ); 988 } 989 990 /* AES-256 */ 991 if( ( ret = cmac_test_subkeys( verbose, 992 "AES 256", 993 aes_256_key, 994 256, 995 (const unsigned char*)aes_256_subkeys, 996 MBEDTLS_CIPHER_AES_256_ECB, 997 MBEDTLS_AES_BLOCK_SIZE, 998 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 999 { 1000 return( ret ); 1001 } 1002 1003 if( ( ret = cmac_test_wth_cipher ( verbose, 1004 "AES 256", 1005 aes_256_key, 1006 256, 1007 test_message, 1008 aes_message_lengths, 1009 (const unsigned char*)aes_256_expected_result, 1010 MBEDTLS_CIPHER_AES_256_ECB, 1011 MBEDTLS_AES_BLOCK_SIZE, 1012 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1013 { 1014 return( ret ); 1015 } 1016 #endif /* MBEDTLS_AES_C */ 1017 1018 #if defined(MBEDTLS_DES_C) 1019 /* 3DES 2 key */ 1020 if( ( ret = cmac_test_subkeys( verbose, 1021 "3DES 2 key", 1022 des3_2key_key, 1023 192, 1024 (const unsigned char*)des3_2key_subkeys, 1025 MBEDTLS_CIPHER_DES_EDE3_ECB, 1026 MBEDTLS_DES3_BLOCK_SIZE, 1027 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1028 { 1029 return( ret ); 1030 } 1031 1032 if( ( ret = cmac_test_wth_cipher( verbose, 1033 "3DES 2 key", 1034 des3_2key_key, 1035 192, 1036 test_message, 1037 des3_message_lengths, 1038 (const unsigned char*)des3_2key_expected_result, 1039 MBEDTLS_CIPHER_DES_EDE3_ECB, 1040 MBEDTLS_DES3_BLOCK_SIZE, 1041 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1042 { 1043 return( ret ); 1044 } 1045 1046 /* 3DES 3 key */ 1047 if( ( ret = cmac_test_subkeys( verbose, 1048 "3DES 3 key", 1049 des3_3key_key, 1050 192, 1051 (const unsigned char*)des3_3key_subkeys, 1052 MBEDTLS_CIPHER_DES_EDE3_ECB, 1053 MBEDTLS_DES3_BLOCK_SIZE, 1054 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1055 { 1056 return( ret ); 1057 } 1058 1059 if( ( ret = cmac_test_wth_cipher( verbose, 1060 "3DES 3 key", 1061 des3_3key_key, 1062 192, 1063 test_message, 1064 des3_message_lengths, 1065 (const unsigned char*)des3_3key_expected_result, 1066 MBEDTLS_CIPHER_DES_EDE3_ECB, 1067 MBEDTLS_DES3_BLOCK_SIZE, 1068 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1069 { 1070 return( ret ); 1071 } 1072 #endif /* MBEDTLS_DES_C */ 1073 1074 #if defined(MBEDTLS_AES_C) 1075 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 ) 1076 return( ret ); 1077 #endif /* MBEDTLS_AES_C */ 1078 1079 if( verbose != 0 ) 1080 mbedtls_printf( "\n" ); 1081 1082 return( 0 ); 1083 } 1084 1085 #endif /* MBEDTLS_SELF_TEST */ 1086 1087 #endif /* MBEDTLS_CMAC_C */ 1088