1 // SPDX-License-Identifier: Apache-2.0 2 /** 3 * \file cmac.c 4 * 5 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 6 * 7 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 24 /* 25 * References: 26 * 27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 28 * CMAC Mode for Authentication 29 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 30 * 31 * - RFC 4493 - The AES-CMAC Algorithm 32 * https://tools.ietf.org/html/rfc4493 33 * 34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 36 * Algorithm for the Internet Key Exchange Protocol (IKE) 37 * https://tools.ietf.org/html/rfc4615 38 * 39 * Additional test vectors: ISO/IEC 9797-1 40 * 41 */ 42 43 #if !defined(MBEDTLS_CONFIG_FILE) 44 #include "mbedtls/config.h" 45 #else 46 #include MBEDTLS_CONFIG_FILE 47 #endif 48 49 #if defined(MBEDTLS_CMAC_C) 50 51 #include "mbedtls/cmac.h" 52 #include "mbedtls/platform_util.h" 53 54 #include <string.h> 55 56 #if defined(MBEDTLS_PLATFORM_C) 57 #include "mbedtls/platform.h" 58 #else 59 #include <stdlib.h> 60 #define mbedtls_calloc calloc 61 #define mbedtls_free free 62 #if defined(MBEDTLS_SELF_TEST) 63 #include <stdio.h> 64 #define mbedtls_printf printf 65 #endif /* MBEDTLS_SELF_TEST */ 66 #endif /* MBEDTLS_PLATFORM_C */ 67 68 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 69 70 /* 71 * Multiplication by u in the Galois field of GF(2^n) 72 * 73 * As explained in NIST SP 800-38B, this can be computed: 74 * 75 * If MSB(p) = 0, then p = (p << 1) 76 * If MSB(p) = 1, then p = (p << 1) ^ R_n 77 * with R_64 = 0x1B and R_128 = 0x87 78 * 79 * Input and output MUST NOT point to the same buffer 80 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 81 */ 82 static int cmac_multiply_by_u( unsigned char *output, 83 const unsigned char *input, 84 size_t blocksize ) 85 { 86 const unsigned char R_128 = 0x87; 87 const unsigned char R_64 = 0x1B; 88 unsigned char R_n, mask; 89 unsigned char overflow = 0x00; 90 int i; 91 92 if( blocksize == MBEDTLS_AES_BLOCK_SIZE ) 93 { 94 R_n = R_128; 95 } 96 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE ) 97 { 98 R_n = R_64; 99 } 100 else 101 { 102 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 103 } 104 105 for( i = (int)blocksize - 1; i >= 0; i-- ) 106 { 107 output[i] = input[i] << 1 | overflow; 108 overflow = input[i] >> 7; 109 } 110 111 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 112 * using bit operations to avoid branches */ 113 114 /* MSVC has a warning about unary minus on unsigned, but this is 115 * well-defined and precisely what we want to do here */ 116 #if defined(_MSC_VER) 117 #pragma warning( push ) 118 #pragma warning( disable : 4146 ) 119 #endif 120 mask = - ( input[0] >> 7 ); 121 #if defined(_MSC_VER) 122 #pragma warning( pop ) 123 #endif 124 125 output[ blocksize - 1 ] ^= R_n & mask; 126 127 return( 0 ); 128 } 129 130 /* 131 * Generate subkeys 132 * 133 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 134 */ 135 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx, 136 unsigned char* K1, unsigned char* K2 ) 137 { 138 int ret; 139 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; 140 size_t olen, block_size; 141 142 mbedtls_platform_zeroize( L, sizeof( L ) ); 143 144 block_size = ctx->cipher_info->block_size; 145 146 /* Calculate Ek(0) */ 147 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 ) 148 goto exit; 149 150 /* 151 * Generate K1 and K2 152 */ 153 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 ) 154 goto exit; 155 156 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 ) 157 goto exit; 158 159 exit: 160 mbedtls_platform_zeroize( L, sizeof( L ) ); 161 162 return( ret ); 163 } 164 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 165 166 #if !defined(MBEDTLS_CMAC_ALT) 167 static void cmac_xor_block( unsigned char *output, const unsigned char *input1, 168 const unsigned char *input2, 169 const size_t block_size ) 170 { 171 size_t idx; 172 173 for( idx = 0; idx < block_size; idx++ ) 174 output[ idx ] = input1[ idx ] ^ input2[ idx ]; 175 } 176 177 /* 178 * Create padded last block from (partial) last block. 179 * 180 * We can't use the padding option from the cipher layer, as it only works for 181 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 182 */ 183 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], 184 size_t padded_block_len, 185 const unsigned char *last_block, 186 size_t last_block_len ) 187 { 188 size_t j; 189 190 for( j = 0; j < padded_block_len; j++ ) 191 { 192 if( j < last_block_len ) 193 padded_block[j] = last_block[j]; 194 else if( j == last_block_len ) 195 padded_block[j] = 0x80; 196 else 197 padded_block[j] = 0x00; 198 } 199 } 200 201 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx) 202 { 203 mbedtls_cmac_context_t *cmac_ctx; 204 205 /* Allocated and initialise in the cipher context memory for the CMAC 206 * context */ 207 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) ); 208 if( cmac_ctx == NULL ) 209 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 210 211 ctx->cmac_ctx = cmac_ctx; 212 213 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) ); 214 return 0; 215 } 216 217 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 218 const unsigned char *key, size_t keybits ) 219 { 220 mbedtls_cipher_type_t type; 221 int retval; 222 223 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL ) 224 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 225 226 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits, 227 MBEDTLS_ENCRYPT ) ) != 0 ) 228 return( retval ); 229 230 type = ctx->cipher_info->type; 231 232 switch( type ) 233 { 234 case MBEDTLS_CIPHER_AES_128_ECB: 235 case MBEDTLS_CIPHER_AES_192_ECB: 236 case MBEDTLS_CIPHER_AES_256_ECB: 237 case MBEDTLS_CIPHER_DES_EDE3_ECB: 238 break; 239 default: 240 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 241 } 242 243 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */ 244 if( ctx->cmac_ctx != NULL ) 245 return 0; 246 247 return mbedtls_cipher_cmac_setup( ctx ); 248 } 249 250 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 251 const unsigned char *input, size_t ilen ) 252 { 253 mbedtls_cmac_context_t* cmac_ctx; 254 unsigned char *state; 255 int ret = 0; 256 size_t n, j, olen, block_size; 257 258 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL || 259 ctx->cmac_ctx == NULL ) 260 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 261 262 cmac_ctx = ctx->cmac_ctx; 263 block_size = ctx->cipher_info->block_size; 264 state = ctx->cmac_ctx->state; 265 266 /* Is there data still to process from the last call, that's greater in 267 * size than a block? */ 268 if( cmac_ctx->unprocessed_len > 0 && 269 ilen > block_size - cmac_ctx->unprocessed_len ) 270 { 271 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 272 input, 273 block_size - cmac_ctx->unprocessed_len ); 274 275 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size ); 276 277 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 278 &olen ) ) != 0 ) 279 { 280 goto exit; 281 } 282 283 input += block_size - cmac_ctx->unprocessed_len; 284 ilen -= block_size - cmac_ctx->unprocessed_len; 285 cmac_ctx->unprocessed_len = 0; 286 } 287 288 /* n is the number of blocks including any final partial block */ 289 n = ( ilen + block_size - 1 ) / block_size; 290 291 /* Iterate across the input data in block sized chunks, excluding any 292 * final partial or complete block */ 293 for( j = 1; j < n; j++ ) 294 { 295 cmac_xor_block( state, input, state, block_size ); 296 297 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 298 &olen ) ) != 0 ) 299 goto exit; 300 301 ilen -= block_size; 302 input += block_size; 303 } 304 305 /* If there is data left over that wasn't aligned to a block */ 306 if( ilen > 0 ) 307 { 308 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 309 input, 310 ilen ); 311 cmac_ctx->unprocessed_len += ilen; 312 } 313 314 exit: 315 return( ret ); 316 } 317 318 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 319 unsigned char *output ) 320 { 321 mbedtls_cmac_context_t* cmac_ctx; 322 unsigned char *state, *last_block; 323 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 324 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 325 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; 326 int ret; 327 size_t olen, block_size; 328 329 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 330 output == NULL ) 331 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 332 333 cmac_ctx = ctx->cmac_ctx; 334 block_size = ctx->cipher_info->block_size; 335 state = cmac_ctx->state; 336 337 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 338 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 339 cmac_generate_subkeys( ctx, K1, K2 ); 340 341 last_block = cmac_ctx->unprocessed_block; 342 343 /* Calculate last block */ 344 if( cmac_ctx->unprocessed_len < block_size ) 345 { 346 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len ); 347 cmac_xor_block( M_last, M_last, K2, block_size ); 348 } 349 else 350 { 351 /* Last block is complete block */ 352 cmac_xor_block( M_last, last_block, K1, block_size ); 353 } 354 355 356 cmac_xor_block( state, M_last, state, block_size ); 357 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 358 &olen ) ) != 0 ) 359 { 360 goto exit; 361 } 362 363 memcpy( output, state, block_size ); 364 365 exit: 366 /* Wipe the generated keys on the stack, and any other transients to avoid 367 * side channel leakage */ 368 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 369 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 370 371 cmac_ctx->unprocessed_len = 0; 372 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 373 sizeof( cmac_ctx->unprocessed_block ) ); 374 375 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX ); 376 return( ret ); 377 } 378 379 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ) 380 { 381 mbedtls_cmac_context_t* cmac_ctx; 382 383 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ) 384 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 385 386 cmac_ctx = ctx->cmac_ctx; 387 388 /* Reset the internal state */ 389 cmac_ctx->unprocessed_len = 0; 390 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 391 sizeof( cmac_ctx->unprocessed_block ) ); 392 mbedtls_platform_zeroize( cmac_ctx->state, 393 sizeof( cmac_ctx->state ) ); 394 395 return( 0 ); 396 } 397 398 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 399 const unsigned char *key, size_t keylen, 400 const unsigned char *input, size_t ilen, 401 unsigned char *output ) 402 { 403 mbedtls_cipher_context_t ctx; 404 int ret; 405 406 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL ) 407 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 408 409 mbedtls_cipher_init( &ctx ); 410 411 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 412 goto exit; 413 414 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen ); 415 if( ret != 0 ) 416 goto exit; 417 418 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen ); 419 if( ret != 0 ) 420 goto exit; 421 422 ret = mbedtls_cipher_cmac_finish( &ctx, output ); 423 424 exit: 425 mbedtls_cipher_free( &ctx ); 426 427 return( ret ); 428 } 429 430 #if defined(MBEDTLS_AES_C) 431 /* 432 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 433 */ 434 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length, 435 const unsigned char *input, size_t in_len, 436 unsigned char *output ) 437 { 438 int ret; 439 const mbedtls_cipher_info_t *cipher_info; 440 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 441 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 442 443 if( key == NULL || input == NULL || output == NULL ) 444 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 445 446 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 447 if( cipher_info == NULL ) 448 { 449 /* Failing at this point must be due to a build issue */ 450 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 451 goto exit; 452 } 453 454 if( key_length == MBEDTLS_AES_BLOCK_SIZE ) 455 { 456 /* Use key as is */ 457 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE ); 458 } 459 else 460 { 461 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE ); 462 463 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key, 464 key_length, int_key ); 465 if( ret != 0 ) 466 goto exit; 467 } 468 469 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len, 470 output ); 471 472 exit: 473 mbedtls_platform_zeroize( int_key, sizeof( int_key ) ); 474 475 return( ret ); 476 } 477 #endif /* MBEDTLS_AES_C */ 478 479 #endif /* !MBEDTLS_CMAC_ALT */ 480 481 #if defined(MBEDTLS_SELF_TEST) 482 /* 483 * CMAC test data for SP800-38B 484 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 485 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 486 * 487 * AES-CMAC-PRF-128 test data from RFC 4615 488 * https://tools.ietf.org/html/rfc4615#page-4 489 */ 490 491 #define NB_CMAC_TESTS_PER_KEY 4 492 #define NB_PRF_TESTS 3 493 494 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 495 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 496 static const unsigned char test_message[] = { 497 /* PT */ 498 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 499 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 500 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 501 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 502 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 503 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 504 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 505 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 506 }; 507 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 508 509 #if defined(MBEDTLS_AES_C) 510 /* Truncation point of message for AES CMAC tests */ 511 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 512 /* Mlen */ 513 0, 514 16, 515 20, 516 64 517 }; 518 519 /* CMAC-AES128 Test Data */ 520 static const unsigned char aes_128_key[16] = { 521 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 522 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 523 }; 524 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 525 { 526 /* K1 */ 527 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 528 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 529 }, 530 { 531 /* K2 */ 532 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 533 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 534 } 535 }; 536 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 537 { 538 /* Example #1 */ 539 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 540 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 541 }, 542 { 543 /* Example #2 */ 544 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 545 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 546 }, 547 { 548 /* Example #3 */ 549 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 550 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 551 }, 552 { 553 /* Example #4 */ 554 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 555 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 556 } 557 }; 558 559 /* CMAC-AES192 Test Data */ 560 static const unsigned char aes_192_key[24] = { 561 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 562 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 563 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 564 }; 565 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 566 { 567 /* K1 */ 568 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 569 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 570 }, 571 { 572 /* K2 */ 573 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 574 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 575 } 576 }; 577 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 578 { 579 /* Example #1 */ 580 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 581 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 582 }, 583 { 584 /* Example #2 */ 585 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 586 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 587 }, 588 { 589 /* Example #3 */ 590 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 591 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 592 }, 593 { 594 /* Example #4 */ 595 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 596 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 597 } 598 }; 599 600 /* CMAC-AES256 Test Data */ 601 static const unsigned char aes_256_key[32] = { 602 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 603 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 604 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 605 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 606 }; 607 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 608 { 609 /* K1 */ 610 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 611 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 612 }, 613 { 614 /* K2 */ 615 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 616 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 617 } 618 }; 619 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 620 { 621 /* Example #1 */ 622 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 623 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 624 }, 625 { 626 /* Example #2 */ 627 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 628 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 629 }, 630 { 631 /* Example #3 */ 632 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 633 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 634 }, 635 { 636 /* Example #4 */ 637 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 638 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 639 } 640 }; 641 #endif /* MBEDTLS_AES_C */ 642 643 #if defined(MBEDTLS_DES_C) 644 /* Truncation point of message for 3DES CMAC tests */ 645 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 646 0, 647 16, 648 20, 649 32 650 }; 651 652 /* CMAC-TDES (Generation) - 2 Key Test Data */ 653 static const unsigned char des3_2key_key[24] = { 654 /* Key1 */ 655 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 656 /* Key2 */ 657 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 658 /* Key3 */ 659 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 660 }; 661 static const unsigned char des3_2key_subkeys[2][8] = { 662 { 663 /* K1 */ 664 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 665 }, 666 { 667 /* K2 */ 668 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 669 } 670 }; 671 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 672 { 673 /* Sample #1 */ 674 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 675 }, 676 { 677 /* Sample #2 */ 678 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 679 }, 680 { 681 /* Sample #3 */ 682 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 683 }, 684 { 685 /* Sample #4 */ 686 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 687 } 688 }; 689 690 /* CMAC-TDES (Generation) - 3 Key Test Data */ 691 static const unsigned char des3_3key_key[24] = { 692 /* Key1 */ 693 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 694 /* Key2 */ 695 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 696 /* Key3 */ 697 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 698 }; 699 static const unsigned char des3_3key_subkeys[2][8] = { 700 { 701 /* K1 */ 702 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 703 }, 704 { 705 /* K2 */ 706 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 707 } 708 }; 709 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 710 { 711 /* Sample #1 */ 712 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 713 }, 714 { 715 /* Sample #2 */ 716 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 717 }, 718 { 719 /* Sample #3 */ 720 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 721 }, 722 { 723 /* Sample #4 */ 724 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 725 } 726 }; 727 728 #endif /* MBEDTLS_DES_C */ 729 730 #if defined(MBEDTLS_AES_C) 731 /* AES AES-CMAC-PRF-128 Test Data */ 732 static const unsigned char PRFK[] = { 733 /* Key */ 734 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 735 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 736 0xed, 0xcb 737 }; 738 739 /* Sizes in bytes */ 740 static const size_t PRFKlen[NB_PRF_TESTS] = { 741 18, 742 16, 743 10 744 }; 745 746 /* Message */ 747 static const unsigned char PRFM[] = { 748 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 749 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 750 0x10, 0x11, 0x12, 0x13 751 }; 752 753 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 754 { 755 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 756 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 757 }, 758 { 759 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 760 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 761 }, 762 { 763 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 764 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 765 } 766 }; 767 #endif /* MBEDTLS_AES_C */ 768 769 static int cmac_test_subkeys( int verbose, 770 const char* testname, 771 const unsigned char* key, 772 int keybits, 773 const unsigned char* subkeys, 774 mbedtls_cipher_type_t cipher_type, 775 int block_size, 776 int num_tests ) 777 { 778 int i, ret = 0; 779 mbedtls_cipher_context_t ctx; 780 const mbedtls_cipher_info_t *cipher_info; 781 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 782 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 783 784 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 785 if( cipher_info == NULL ) 786 { 787 /* Failing at this point must be due to a build issue */ 788 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 789 } 790 791 for( i = 0; i < num_tests; i++ ) 792 { 793 if( verbose != 0 ) 794 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 ); 795 796 mbedtls_cipher_init( &ctx ); 797 798 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 799 { 800 if( verbose != 0 ) 801 mbedtls_printf( "test execution failed\n" ); 802 803 goto cleanup; 804 } 805 806 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits, 807 MBEDTLS_ENCRYPT ) ) != 0 ) 808 { 809 if( verbose != 0 ) 810 mbedtls_printf( "test execution failed\n" ); 811 812 goto cleanup; 813 } 814 815 ret = cmac_generate_subkeys( &ctx, K1, K2 ); 816 if( ret != 0 ) 817 { 818 if( verbose != 0 ) 819 mbedtls_printf( "failed\n" ); 820 821 goto cleanup; 822 } 823 824 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 || 825 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 ) 826 { 827 if( verbose != 0 ) 828 mbedtls_printf( "failed\n" ); 829 830 goto cleanup; 831 } 832 833 if( verbose != 0 ) 834 mbedtls_printf( "passed\n" ); 835 836 mbedtls_cipher_free( &ctx ); 837 } 838 839 ret = 0; 840 goto exit; 841 842 cleanup: 843 mbedtls_cipher_free( &ctx ); 844 845 exit: 846 return( ret ); 847 } 848 849 static int cmac_test_wth_cipher( int verbose, 850 const char* testname, 851 const unsigned char* key, 852 int keybits, 853 const unsigned char* messages, 854 const unsigned int message_lengths[4], 855 const unsigned char* expected_result, 856 mbedtls_cipher_type_t cipher_type, 857 int block_size, 858 int num_tests ) 859 { 860 const mbedtls_cipher_info_t *cipher_info; 861 int i, ret = 0; 862 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; 863 864 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 865 if( cipher_info == NULL ) 866 { 867 /* Failing at this point must be due to a build issue */ 868 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 869 goto exit; 870 } 871 872 for( i = 0; i < num_tests; i++ ) 873 { 874 if( verbose != 0 ) 875 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 ); 876 877 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages, 878 message_lengths[i], output ) ) != 0 ) 879 { 880 if( verbose != 0 ) 881 mbedtls_printf( "failed\n" ); 882 goto exit; 883 } 884 885 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 ) 886 { 887 if( verbose != 0 ) 888 mbedtls_printf( "failed\n" ); 889 goto exit; 890 } 891 892 if( verbose != 0 ) 893 mbedtls_printf( "passed\n" ); 894 } 895 ret = 0; 896 897 exit: 898 return( ret ); 899 } 900 901 #if defined(MBEDTLS_AES_C) 902 static int test_aes128_cmac_prf( int verbose ) 903 { 904 int i; 905 int ret; 906 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 907 908 for( i = 0; i < NB_PRF_TESTS; i++ ) 909 { 910 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i ); 911 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output ); 912 if( ret != 0 || 913 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 ) 914 { 915 916 if( verbose != 0 ) 917 mbedtls_printf( "failed\n" ); 918 919 return( ret ); 920 } 921 else if( verbose != 0 ) 922 { 923 mbedtls_printf( "passed\n" ); 924 } 925 } 926 return( ret ); 927 } 928 #endif /* MBEDTLS_AES_C */ 929 930 int mbedtls_cmac_self_test( int verbose ) 931 { 932 int ret; 933 934 #if defined(MBEDTLS_AES_C) 935 /* AES-128 */ 936 if( ( ret = cmac_test_subkeys( verbose, 937 "AES 128", 938 aes_128_key, 939 128, 940 (const unsigned char*)aes_128_subkeys, 941 MBEDTLS_CIPHER_AES_128_ECB, 942 MBEDTLS_AES_BLOCK_SIZE, 943 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 944 { 945 return( ret ); 946 } 947 948 if( ( ret = cmac_test_wth_cipher( verbose, 949 "AES 128", 950 aes_128_key, 951 128, 952 test_message, 953 aes_message_lengths, 954 (const unsigned char*)aes_128_expected_result, 955 MBEDTLS_CIPHER_AES_128_ECB, 956 MBEDTLS_AES_BLOCK_SIZE, 957 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 958 { 959 return( ret ); 960 } 961 962 /* AES-192 */ 963 if( ( ret = cmac_test_subkeys( verbose, 964 "AES 192", 965 aes_192_key, 966 192, 967 (const unsigned char*)aes_192_subkeys, 968 MBEDTLS_CIPHER_AES_192_ECB, 969 MBEDTLS_AES_BLOCK_SIZE, 970 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 971 { 972 return( ret ); 973 } 974 975 if( ( ret = cmac_test_wth_cipher( verbose, 976 "AES 192", 977 aes_192_key, 978 192, 979 test_message, 980 aes_message_lengths, 981 (const unsigned char*)aes_192_expected_result, 982 MBEDTLS_CIPHER_AES_192_ECB, 983 MBEDTLS_AES_BLOCK_SIZE, 984 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 985 { 986 return( ret ); 987 } 988 989 /* AES-256 */ 990 if( ( ret = cmac_test_subkeys( verbose, 991 "AES 256", 992 aes_256_key, 993 256, 994 (const unsigned char*)aes_256_subkeys, 995 MBEDTLS_CIPHER_AES_256_ECB, 996 MBEDTLS_AES_BLOCK_SIZE, 997 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 998 { 999 return( ret ); 1000 } 1001 1002 if( ( ret = cmac_test_wth_cipher ( verbose, 1003 "AES 256", 1004 aes_256_key, 1005 256, 1006 test_message, 1007 aes_message_lengths, 1008 (const unsigned char*)aes_256_expected_result, 1009 MBEDTLS_CIPHER_AES_256_ECB, 1010 MBEDTLS_AES_BLOCK_SIZE, 1011 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1012 { 1013 return( ret ); 1014 } 1015 #endif /* MBEDTLS_AES_C */ 1016 1017 #if defined(MBEDTLS_DES_C) 1018 /* 3DES 2 key */ 1019 if( ( ret = cmac_test_subkeys( verbose, 1020 "3DES 2 key", 1021 des3_2key_key, 1022 192, 1023 (const unsigned char*)des3_2key_subkeys, 1024 MBEDTLS_CIPHER_DES_EDE3_ECB, 1025 MBEDTLS_DES3_BLOCK_SIZE, 1026 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1027 { 1028 return( ret ); 1029 } 1030 1031 if( ( ret = cmac_test_wth_cipher( verbose, 1032 "3DES 2 key", 1033 des3_2key_key, 1034 192, 1035 test_message, 1036 des3_message_lengths, 1037 (const unsigned char*)des3_2key_expected_result, 1038 MBEDTLS_CIPHER_DES_EDE3_ECB, 1039 MBEDTLS_DES3_BLOCK_SIZE, 1040 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1041 { 1042 return( ret ); 1043 } 1044 1045 /* 3DES 3 key */ 1046 if( ( ret = cmac_test_subkeys( verbose, 1047 "3DES 3 key", 1048 des3_3key_key, 1049 192, 1050 (const unsigned char*)des3_3key_subkeys, 1051 MBEDTLS_CIPHER_DES_EDE3_ECB, 1052 MBEDTLS_DES3_BLOCK_SIZE, 1053 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1054 { 1055 return( ret ); 1056 } 1057 1058 if( ( ret = cmac_test_wth_cipher( verbose, 1059 "3DES 3 key", 1060 des3_3key_key, 1061 192, 1062 test_message, 1063 des3_message_lengths, 1064 (const unsigned char*)des3_3key_expected_result, 1065 MBEDTLS_CIPHER_DES_EDE3_ECB, 1066 MBEDTLS_DES3_BLOCK_SIZE, 1067 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1068 { 1069 return( ret ); 1070 } 1071 #endif /* MBEDTLS_DES_C */ 1072 1073 #if defined(MBEDTLS_AES_C) 1074 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 ) 1075 return( ret ); 1076 #endif /* MBEDTLS_AES_C */ 1077 1078 if( verbose != 0 ) 1079 mbedtls_printf( "\n" ); 1080 1081 return( 0 ); 1082 } 1083 1084 #endif /* MBEDTLS_SELF_TEST */ 1085 1086 #endif /* MBEDTLS_CMAC_C */ 1087