1 /** 2 * \file cmac.c 3 * 4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 5 * 6 * Copyright The Mbed TLS Contributors 7 * SPDX-License-Identifier: Apache-2.0 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 */ 21 22 /* 23 * References: 24 * 25 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 26 * CMAC Mode for Authentication 27 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 28 * 29 * - RFC 4493 - The AES-CMAC Algorithm 30 * https://tools.ietf.org/html/rfc4493 31 * 32 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 33 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 34 * Algorithm for the Internet Key Exchange Protocol (IKE) 35 * https://tools.ietf.org/html/rfc4615 36 * 37 * Additional test vectors: ISO/IEC 9797-1 38 * 39 */ 40 41 #include "common.h" 42 43 #if defined(MBEDTLS_CMAC_C) 44 45 #include "mbedtls/cmac.h" 46 #include "mbedtls/platform_util.h" 47 #include "mbedtls/error.h" 48 #include "mbedtls/platform.h" 49 50 #include <string.h> 51 52 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 53 54 /* 55 * Multiplication by u in the Galois field of GF(2^n) 56 * 57 * As explained in NIST SP 800-38B, this can be computed: 58 * 59 * If MSB(p) = 0, then p = (p << 1) 60 * If MSB(p) = 1, then p = (p << 1) ^ R_n 61 * with R_64 = 0x1B and R_128 = 0x87 62 * 63 * Input and output MUST NOT point to the same buffer 64 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 65 */ 66 static int cmac_multiply_by_u( unsigned char *output, 67 const unsigned char *input, 68 size_t blocksize ) 69 { 70 const unsigned char R_128 = 0x87; 71 const unsigned char R_64 = 0x1B; 72 unsigned char R_n, mask; 73 unsigned char overflow = 0x00; 74 int i; 75 76 if( blocksize == MBEDTLS_AES_BLOCK_SIZE ) 77 { 78 R_n = R_128; 79 } 80 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE ) 81 { 82 R_n = R_64; 83 } 84 else 85 { 86 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 87 } 88 89 for( i = (int)blocksize - 1; i >= 0; i-- ) 90 { 91 output[i] = input[i] << 1 | overflow; 92 overflow = input[i] >> 7; 93 } 94 95 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 96 * using bit operations to avoid branches */ 97 98 /* MSVC has a warning about unary minus on unsigned, but this is 99 * well-defined and precisely what we want to do here */ 100 #if defined(_MSC_VER) 101 #pragma warning( push ) 102 #pragma warning( disable : 4146 ) 103 #endif 104 mask = - ( input[0] >> 7 ); 105 #if defined(_MSC_VER) 106 #pragma warning( pop ) 107 #endif 108 109 output[ blocksize - 1 ] ^= R_n & mask; 110 111 return( 0 ); 112 } 113 114 /* 115 * Generate subkeys 116 * 117 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 118 */ 119 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx, 120 unsigned char* K1, unsigned char* K2 ) 121 { 122 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 123 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; 124 size_t olen, block_size; 125 126 mbedtls_platform_zeroize( L, sizeof( L ) ); 127 128 block_size = ctx->cipher_info->block_size; 129 130 /* Calculate Ek(0) */ 131 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 ) 132 goto exit; 133 134 /* 135 * Generate K1 and K2 136 */ 137 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 ) 138 goto exit; 139 140 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 ) 141 goto exit; 142 143 exit: 144 mbedtls_platform_zeroize( L, sizeof( L ) ); 145 146 return( ret ); 147 } 148 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 149 150 #if !defined(MBEDTLS_CMAC_ALT) 151 static void cmac_xor_block( unsigned char *output, const unsigned char *input1, 152 const unsigned char *input2, 153 const size_t block_size ) 154 { 155 size_t idx; 156 157 for( idx = 0; idx < block_size; idx++ ) 158 output[ idx ] = input1[ idx ] ^ input2[ idx ]; 159 } 160 161 /* 162 * Create padded last block from (partial) last block. 163 * 164 * We can't use the padding option from the cipher layer, as it only works for 165 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 166 */ 167 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], 168 size_t padded_block_len, 169 const unsigned char *last_block, 170 size_t last_block_len ) 171 { 172 size_t j; 173 174 for( j = 0; j < padded_block_len; j++ ) 175 { 176 if( j < last_block_len ) 177 padded_block[j] = last_block[j]; 178 else if( j == last_block_len ) 179 padded_block[j] = 0x80; 180 else 181 padded_block[j] = 0x00; 182 } 183 } 184 185 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx) 186 { 187 mbedtls_cmac_context_t *cmac_ctx; 188 189 /* Allocated and initialise in the cipher context memory for the CMAC 190 * context */ 191 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) ); 192 if( cmac_ctx == NULL ) 193 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 194 195 ctx->cmac_ctx = cmac_ctx; 196 197 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) ); 198 return 0; 199 } 200 201 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 202 const unsigned char *key, size_t keybits ) 203 { 204 mbedtls_cipher_type_t type; 205 int retval; 206 207 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL ) 208 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 209 210 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits, 211 MBEDTLS_ENCRYPT ) ) != 0 ) 212 return( retval ); 213 214 type = ctx->cipher_info->type; 215 216 switch( type ) 217 { 218 case MBEDTLS_CIPHER_AES_128_ECB: 219 case MBEDTLS_CIPHER_AES_192_ECB: 220 case MBEDTLS_CIPHER_AES_256_ECB: 221 case MBEDTLS_CIPHER_DES_EDE3_ECB: 222 break; 223 default: 224 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 225 } 226 227 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */ 228 if( ctx->cmac_ctx != NULL ) 229 return 0; 230 231 return mbedtls_cipher_cmac_setup( ctx ); 232 } 233 234 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 235 const unsigned char *input, size_t ilen ) 236 { 237 mbedtls_cmac_context_t* cmac_ctx; 238 unsigned char *state; 239 int ret = 0; 240 size_t n, j, olen, block_size; 241 242 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL || 243 ctx->cmac_ctx == NULL ) 244 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 245 246 cmac_ctx = ctx->cmac_ctx; 247 block_size = ctx->cipher_info->block_size; 248 state = ctx->cmac_ctx->state; 249 250 /* Is there data still to process from the last call, that's greater in 251 * size than a block? */ 252 if( cmac_ctx->unprocessed_len > 0 && 253 ilen > block_size - cmac_ctx->unprocessed_len ) 254 { 255 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 256 input, 257 block_size - cmac_ctx->unprocessed_len ); 258 259 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size ); 260 261 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 262 &olen ) ) != 0 ) 263 { 264 goto exit; 265 } 266 267 input += block_size - cmac_ctx->unprocessed_len; 268 ilen -= block_size - cmac_ctx->unprocessed_len; 269 cmac_ctx->unprocessed_len = 0; 270 } 271 272 /* n is the number of blocks including any final partial block */ 273 n = ( ilen + block_size - 1 ) / block_size; 274 275 /* Iterate across the input data in block sized chunks, excluding any 276 * final partial or complete block */ 277 for( j = 1; j < n; j++ ) 278 { 279 cmac_xor_block( state, input, state, block_size ); 280 281 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 282 &olen ) ) != 0 ) 283 goto exit; 284 285 ilen -= block_size; 286 input += block_size; 287 } 288 289 /* If there is data left over that wasn't aligned to a block */ 290 if( ilen > 0 ) 291 { 292 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 293 input, 294 ilen ); 295 cmac_ctx->unprocessed_len += ilen; 296 } 297 298 exit: 299 return( ret ); 300 } 301 302 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 303 unsigned char *output ) 304 { 305 mbedtls_cmac_context_t* cmac_ctx; 306 unsigned char *state, *last_block; 307 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 308 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 309 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; 310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 311 size_t olen, block_size; 312 313 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 314 output == NULL ) 315 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 316 317 cmac_ctx = ctx->cmac_ctx; 318 block_size = ctx->cipher_info->block_size; 319 state = cmac_ctx->state; 320 321 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 322 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 323 cmac_generate_subkeys( ctx, K1, K2 ); 324 325 last_block = cmac_ctx->unprocessed_block; 326 327 /* Calculate last block */ 328 if( cmac_ctx->unprocessed_len < block_size ) 329 { 330 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len ); 331 cmac_xor_block( M_last, M_last, K2, block_size ); 332 } 333 else 334 { 335 /* Last block is complete block */ 336 cmac_xor_block( M_last, last_block, K1, block_size ); 337 } 338 339 340 cmac_xor_block( state, M_last, state, block_size ); 341 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state, 342 &olen ) ) != 0 ) 343 { 344 goto exit; 345 } 346 347 memcpy( output, state, block_size ); 348 349 exit: 350 /* Wipe the generated keys on the stack, and any other transients to avoid 351 * side channel leakage */ 352 mbedtls_platform_zeroize( K1, sizeof( K1 ) ); 353 mbedtls_platform_zeroize( K2, sizeof( K2 ) ); 354 355 cmac_ctx->unprocessed_len = 0; 356 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 357 sizeof( cmac_ctx->unprocessed_block ) ); 358 359 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX ); 360 return( ret ); 361 } 362 363 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ) 364 { 365 mbedtls_cmac_context_t* cmac_ctx; 366 367 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ) 368 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 369 370 cmac_ctx = ctx->cmac_ctx; 371 372 /* Reset the internal state */ 373 cmac_ctx->unprocessed_len = 0; 374 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block, 375 sizeof( cmac_ctx->unprocessed_block ) ); 376 mbedtls_platform_zeroize( cmac_ctx->state, 377 sizeof( cmac_ctx->state ) ); 378 379 return( 0 ); 380 } 381 382 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 383 const unsigned char *key, size_t keylen, 384 const unsigned char *input, size_t ilen, 385 unsigned char *output ) 386 { 387 mbedtls_cipher_context_t ctx; 388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 389 390 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL ) 391 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 392 393 mbedtls_cipher_init( &ctx ); 394 395 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 396 goto exit; 397 398 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen ); 399 if( ret != 0 ) 400 goto exit; 401 402 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen ); 403 if( ret != 0 ) 404 goto exit; 405 406 ret = mbedtls_cipher_cmac_finish( &ctx, output ); 407 408 exit: 409 mbedtls_cipher_free( &ctx ); 410 411 return( ret ); 412 } 413 414 #if defined(MBEDTLS_AES_C) 415 /* 416 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 417 */ 418 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length, 419 const unsigned char *input, size_t in_len, 420 unsigned char output[16] ) 421 { 422 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 423 const mbedtls_cipher_info_t *cipher_info; 424 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 425 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 426 427 if( key == NULL || input == NULL || output == NULL ) 428 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 429 430 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB ); 431 if( cipher_info == NULL ) 432 { 433 /* Failing at this point must be due to a build issue */ 434 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 435 goto exit; 436 } 437 438 if( key_length == MBEDTLS_AES_BLOCK_SIZE ) 439 { 440 /* Use key as is */ 441 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE ); 442 } 443 else 444 { 445 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE ); 446 447 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key, 448 key_length, int_key ); 449 if( ret != 0 ) 450 goto exit; 451 } 452 453 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len, 454 output ); 455 456 exit: 457 mbedtls_platform_zeroize( int_key, sizeof( int_key ) ); 458 459 return( ret ); 460 } 461 #endif /* MBEDTLS_AES_C */ 462 463 #endif /* !MBEDTLS_CMAC_ALT */ 464 465 #if defined(MBEDTLS_SELF_TEST) 466 /* 467 * CMAC test data for SP800-38B 468 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 469 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 470 * 471 * AES-CMAC-PRF-128 test data from RFC 4615 472 * https://tools.ietf.org/html/rfc4615#page-4 473 */ 474 475 #define NB_CMAC_TESTS_PER_KEY 4 476 #define NB_PRF_TESTS 3 477 478 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 479 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 480 static const unsigned char test_message[] = { 481 /* PT */ 482 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 483 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 484 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 485 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 486 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 487 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 488 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 489 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 490 }; 491 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 492 493 #if defined(MBEDTLS_AES_C) 494 /* Truncation point of message for AES CMAC tests */ 495 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 496 /* Mlen */ 497 0, 498 16, 499 20, 500 64 501 }; 502 503 /* CMAC-AES128 Test Data */ 504 static const unsigned char aes_128_key[16] = { 505 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 506 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 507 }; 508 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 509 { 510 /* K1 */ 511 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 512 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 513 }, 514 { 515 /* K2 */ 516 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 517 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 518 } 519 }; 520 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 521 { 522 /* Example #1 */ 523 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 524 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 525 }, 526 { 527 /* Example #2 */ 528 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 529 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 530 }, 531 { 532 /* Example #3 */ 533 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 534 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 535 }, 536 { 537 /* Example #4 */ 538 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 539 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 540 } 541 }; 542 543 /* CMAC-AES192 Test Data */ 544 static const unsigned char aes_192_key[24] = { 545 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 546 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 547 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 548 }; 549 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 550 { 551 /* K1 */ 552 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 553 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 554 }, 555 { 556 /* K2 */ 557 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 558 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 559 } 560 }; 561 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 562 { 563 /* Example #1 */ 564 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 565 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 566 }, 567 { 568 /* Example #2 */ 569 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 570 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 571 }, 572 { 573 /* Example #3 */ 574 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 575 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 576 }, 577 { 578 /* Example #4 */ 579 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 580 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 581 } 582 }; 583 584 /* CMAC-AES256 Test Data */ 585 static const unsigned char aes_256_key[32] = { 586 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 587 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 588 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 589 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 590 }; 591 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 592 { 593 /* K1 */ 594 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 595 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 596 }, 597 { 598 /* K2 */ 599 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 600 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 601 } 602 }; 603 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = { 604 { 605 /* Example #1 */ 606 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 607 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 608 }, 609 { 610 /* Example #2 */ 611 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 612 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 613 }, 614 { 615 /* Example #3 */ 616 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 617 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 618 }, 619 { 620 /* Example #4 */ 621 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 622 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 623 } 624 }; 625 #endif /* MBEDTLS_AES_C */ 626 627 #if defined(MBEDTLS_DES_C) 628 /* Truncation point of message for 3DES CMAC tests */ 629 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 630 0, 631 16, 632 20, 633 32 634 }; 635 636 /* CMAC-TDES (Generation) - 2 Key Test Data */ 637 static const unsigned char des3_2key_key[24] = { 638 /* Key1 */ 639 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 640 /* Key2 */ 641 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 642 /* Key3 */ 643 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 644 }; 645 static const unsigned char des3_2key_subkeys[2][8] = { 646 { 647 /* K1 */ 648 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 649 }, 650 { 651 /* K2 */ 652 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 653 } 654 }; 655 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 656 { 657 /* Sample #1 */ 658 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 659 }, 660 { 661 /* Sample #2 */ 662 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 663 }, 664 { 665 /* Sample #3 */ 666 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 667 }, 668 { 669 /* Sample #4 */ 670 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 671 } 672 }; 673 674 /* CMAC-TDES (Generation) - 3 Key Test Data */ 675 static const unsigned char des3_3key_key[24] = { 676 /* Key1 */ 677 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 678 /* Key2 */ 679 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 680 /* Key3 */ 681 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 682 }; 683 static const unsigned char des3_3key_subkeys[2][8] = { 684 { 685 /* K1 */ 686 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 687 }, 688 { 689 /* K2 */ 690 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 691 } 692 }; 693 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { 694 { 695 /* Sample #1 */ 696 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 697 }, 698 { 699 /* Sample #2 */ 700 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 701 }, 702 { 703 /* Sample #3 */ 704 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 705 }, 706 { 707 /* Sample #4 */ 708 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 709 } 710 }; 711 712 #endif /* MBEDTLS_DES_C */ 713 714 #if defined(MBEDTLS_AES_C) 715 /* AES AES-CMAC-PRF-128 Test Data */ 716 static const unsigned char PRFK[] = { 717 /* Key */ 718 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 719 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 720 0xed, 0xcb 721 }; 722 723 /* Sizes in bytes */ 724 static const size_t PRFKlen[NB_PRF_TESTS] = { 725 18, 726 16, 727 10 728 }; 729 730 /* Message */ 731 static const unsigned char PRFM[] = { 732 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 733 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 734 0x10, 0x11, 0x12, 0x13 735 }; 736 737 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 738 { 739 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 740 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 741 }, 742 { 743 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 744 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 745 }, 746 { 747 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 748 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 749 } 750 }; 751 #endif /* MBEDTLS_AES_C */ 752 753 static int cmac_test_subkeys( int verbose, 754 const char* testname, 755 const unsigned char* key, 756 int keybits, 757 const unsigned char* subkeys, 758 mbedtls_cipher_type_t cipher_type, 759 int block_size, 760 int num_tests ) 761 { 762 int i, ret = 0; 763 mbedtls_cipher_context_t ctx; 764 const mbedtls_cipher_info_t *cipher_info; 765 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; 766 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; 767 768 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 769 if( cipher_info == NULL ) 770 { 771 /* Failing at this point must be due to a build issue */ 772 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 773 } 774 775 for( i = 0; i < num_tests; i++ ) 776 { 777 if( verbose != 0 ) 778 mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 ); 779 780 mbedtls_cipher_init( &ctx ); 781 782 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 ) 783 { 784 if( verbose != 0 ) 785 mbedtls_printf( "test execution failed\n" ); 786 787 goto cleanup; 788 } 789 790 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits, 791 MBEDTLS_ENCRYPT ) ) != 0 ) 792 { 793 /* When CMAC is implemented by an alternative implementation, or 794 * the underlying primitive itself is implemented alternatively, 795 * AES-192 may be unavailable. This should not cause the selftest 796 * function to fail. */ 797 if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED || 798 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) && 799 cipher_type == MBEDTLS_CIPHER_AES_192_ECB ) { 800 if( verbose != 0 ) 801 mbedtls_printf( "skipped\n" ); 802 goto next_test; 803 } 804 805 if( verbose != 0 ) 806 mbedtls_printf( "test execution failed\n" ); 807 808 goto cleanup; 809 } 810 811 ret = cmac_generate_subkeys( &ctx, K1, K2 ); 812 if( ret != 0 ) 813 { 814 if( verbose != 0 ) 815 mbedtls_printf( "failed\n" ); 816 817 goto cleanup; 818 } 819 820 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 || 821 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 ) 822 { 823 if( verbose != 0 ) 824 mbedtls_printf( "failed\n" ); 825 826 goto cleanup; 827 } 828 829 if( verbose != 0 ) 830 mbedtls_printf( "passed\n" ); 831 832 next_test: 833 mbedtls_cipher_free( &ctx ); 834 } 835 836 ret = 0; 837 goto exit; 838 839 cleanup: 840 mbedtls_cipher_free( &ctx ); 841 842 exit: 843 return( ret ); 844 } 845 846 static int cmac_test_wth_cipher( int verbose, 847 const char* testname, 848 const unsigned char* key, 849 int keybits, 850 const unsigned char* messages, 851 const unsigned int message_lengths[4], 852 const unsigned char* expected_result, 853 mbedtls_cipher_type_t cipher_type, 854 int block_size, 855 int num_tests ) 856 { 857 const mbedtls_cipher_info_t *cipher_info; 858 int i, ret = 0; 859 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; 860 861 cipher_info = mbedtls_cipher_info_from_type( cipher_type ); 862 if( cipher_info == NULL ) 863 { 864 /* Failing at this point must be due to a build issue */ 865 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 866 goto exit; 867 } 868 869 for( i = 0; i < num_tests; i++ ) 870 { 871 if( verbose != 0 ) 872 mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 ); 873 874 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages, 875 message_lengths[i], output ) ) != 0 ) 876 { 877 /* When CMAC is implemented by an alternative implementation, or 878 * the underlying primitive itself is implemented alternatively, 879 * AES-192 and/or 3DES may be unavailable. This should not cause 880 * the selftest function to fail. */ 881 if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED || 882 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) && 883 ( cipher_type == MBEDTLS_CIPHER_AES_192_ECB || 884 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB ) ) { 885 if( verbose != 0 ) 886 mbedtls_printf( "skipped\n" ); 887 continue; 888 } 889 890 if( verbose != 0 ) 891 mbedtls_printf( "failed\n" ); 892 goto exit; 893 } 894 895 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 ) 896 { 897 if( verbose != 0 ) 898 mbedtls_printf( "failed\n" ); 899 goto exit; 900 } 901 902 if( verbose != 0 ) 903 mbedtls_printf( "passed\n" ); 904 } 905 ret = 0; 906 907 exit: 908 return( ret ); 909 } 910 911 #if defined(MBEDTLS_AES_C) 912 static int test_aes128_cmac_prf( int verbose ) 913 { 914 int i; 915 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 916 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 917 918 for( i = 0; i < NB_PRF_TESTS; i++ ) 919 { 920 mbedtls_printf( " AES CMAC 128 PRF #%d: ", i ); 921 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output ); 922 if( ret != 0 || 923 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 ) 924 { 925 926 if( verbose != 0 ) 927 mbedtls_printf( "failed\n" ); 928 929 return( ret ); 930 } 931 else if( verbose != 0 ) 932 { 933 mbedtls_printf( "passed\n" ); 934 } 935 } 936 return( ret ); 937 } 938 #endif /* MBEDTLS_AES_C */ 939 940 int mbedtls_cmac_self_test( int verbose ) 941 { 942 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 943 944 #if defined(MBEDTLS_AES_C) 945 /* AES-128 */ 946 if( ( ret = cmac_test_subkeys( verbose, 947 "AES 128", 948 aes_128_key, 949 128, 950 (const unsigned char*)aes_128_subkeys, 951 MBEDTLS_CIPHER_AES_128_ECB, 952 MBEDTLS_AES_BLOCK_SIZE, 953 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 954 { 955 return( ret ); 956 } 957 958 if( ( ret = cmac_test_wth_cipher( verbose, 959 "AES 128", 960 aes_128_key, 961 128, 962 test_message, 963 aes_message_lengths, 964 (const unsigned char*)aes_128_expected_result, 965 MBEDTLS_CIPHER_AES_128_ECB, 966 MBEDTLS_AES_BLOCK_SIZE, 967 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 968 { 969 return( ret ); 970 } 971 972 /* AES-192 */ 973 if( ( ret = cmac_test_subkeys( verbose, 974 "AES 192", 975 aes_192_key, 976 192, 977 (const unsigned char*)aes_192_subkeys, 978 MBEDTLS_CIPHER_AES_192_ECB, 979 MBEDTLS_AES_BLOCK_SIZE, 980 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 981 { 982 return( ret ); 983 } 984 985 if( ( ret = cmac_test_wth_cipher( verbose, 986 "AES 192", 987 aes_192_key, 988 192, 989 test_message, 990 aes_message_lengths, 991 (const unsigned char*)aes_192_expected_result, 992 MBEDTLS_CIPHER_AES_192_ECB, 993 MBEDTLS_AES_BLOCK_SIZE, 994 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 995 { 996 return( ret ); 997 } 998 999 /* AES-256 */ 1000 if( ( ret = cmac_test_subkeys( verbose, 1001 "AES 256", 1002 aes_256_key, 1003 256, 1004 (const unsigned char*)aes_256_subkeys, 1005 MBEDTLS_CIPHER_AES_256_ECB, 1006 MBEDTLS_AES_BLOCK_SIZE, 1007 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1008 { 1009 return( ret ); 1010 } 1011 1012 if( ( ret = cmac_test_wth_cipher ( verbose, 1013 "AES 256", 1014 aes_256_key, 1015 256, 1016 test_message, 1017 aes_message_lengths, 1018 (const unsigned char*)aes_256_expected_result, 1019 MBEDTLS_CIPHER_AES_256_ECB, 1020 MBEDTLS_AES_BLOCK_SIZE, 1021 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1022 { 1023 return( ret ); 1024 } 1025 #endif /* MBEDTLS_AES_C */ 1026 1027 #if defined(MBEDTLS_DES_C) 1028 /* 3DES 2 key */ 1029 if( ( ret = cmac_test_subkeys( verbose, 1030 "3DES 2 key", 1031 des3_2key_key, 1032 192, 1033 (const unsigned char*)des3_2key_subkeys, 1034 MBEDTLS_CIPHER_DES_EDE3_ECB, 1035 MBEDTLS_DES3_BLOCK_SIZE, 1036 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1037 { 1038 return( ret ); 1039 } 1040 1041 if( ( ret = cmac_test_wth_cipher( verbose, 1042 "3DES 2 key", 1043 des3_2key_key, 1044 192, 1045 test_message, 1046 des3_message_lengths, 1047 (const unsigned char*)des3_2key_expected_result, 1048 MBEDTLS_CIPHER_DES_EDE3_ECB, 1049 MBEDTLS_DES3_BLOCK_SIZE, 1050 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1051 { 1052 return( ret ); 1053 } 1054 1055 /* 3DES 3 key */ 1056 if( ( ret = cmac_test_subkeys( verbose, 1057 "3DES 3 key", 1058 des3_3key_key, 1059 192, 1060 (const unsigned char*)des3_3key_subkeys, 1061 MBEDTLS_CIPHER_DES_EDE3_ECB, 1062 MBEDTLS_DES3_BLOCK_SIZE, 1063 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1064 { 1065 return( ret ); 1066 } 1067 1068 if( ( ret = cmac_test_wth_cipher( verbose, 1069 "3DES 3 key", 1070 des3_3key_key, 1071 192, 1072 test_message, 1073 des3_message_lengths, 1074 (const unsigned char*)des3_3key_expected_result, 1075 MBEDTLS_CIPHER_DES_EDE3_ECB, 1076 MBEDTLS_DES3_BLOCK_SIZE, 1077 NB_CMAC_TESTS_PER_KEY ) ) != 0 ) 1078 { 1079 return( ret ); 1080 } 1081 #endif /* MBEDTLS_DES_C */ 1082 1083 #if defined(MBEDTLS_AES_C) 1084 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 ) 1085 return( ret ); 1086 #endif /* MBEDTLS_AES_C */ 1087 1088 if( verbose != 0 ) 1089 mbedtls_printf( "\n" ); 1090 1091 return( 0 ); 1092 } 1093 1094 #endif /* MBEDTLS_SELF_TEST */ 1095 1096 #endif /* MBEDTLS_CMAC_C */ 1097