1 /** 2 * \file cmac.c 3 * 4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES 5 * 6 * Copyright The Mbed TLS Contributors 7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 8 */ 9 10 /* 11 * References: 12 * 13 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The 14 * CMAC Mode for Authentication 15 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf 16 * 17 * - RFC 4493 - The AES-CMAC Algorithm 18 * https://tools.ietf.org/html/rfc4493 19 * 20 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message 21 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) 22 * Algorithm for the Internet Key Exchange Protocol (IKE) 23 * https://tools.ietf.org/html/rfc4615 24 * 25 * Additional test vectors: ISO/IEC 9797-1 26 * 27 */ 28 29 #include "common.h" 30 31 #if defined(MBEDTLS_CMAC_C) 32 33 #include "mbedtls/cmac.h" 34 #include "mbedtls/platform_util.h" 35 #include "mbedtls/error.h" 36 #include "mbedtls/platform.h" 37 #include "constant_time_internal.h" 38 39 #include <string.h> 40 41 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) 42 43 /* 44 * Multiplication by u in the Galois field of GF(2^n) 45 * 46 * As explained in NIST SP 800-38B, this can be computed: 47 * 48 * If MSB(p) = 0, then p = (p << 1) 49 * If MSB(p) = 1, then p = (p << 1) ^ R_n 50 * with R_64 = 0x1B and R_128 = 0x87 51 * 52 * Input and output MUST NOT point to the same buffer 53 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. 54 */ 55 static int cmac_multiply_by_u(unsigned char *output, 56 const unsigned char *input, 57 size_t blocksize) 58 { 59 const unsigned char R_128 = 0x87; 60 unsigned char R_n; 61 uint32_t overflow = 0x00; 62 int i; 63 64 if (blocksize == MBEDTLS_AES_BLOCK_SIZE) { 65 R_n = R_128; 66 } 67 #if defined(MBEDTLS_DES_C) 68 else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) { 69 const unsigned char R_64 = 0x1B; 70 R_n = R_64; 71 } 72 #endif 73 else { 74 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 75 } 76 77 for (i = (int) blocksize - 4; i >= 0; i -= 4) { 78 uint32_t i32 = MBEDTLS_GET_UINT32_BE(&input[i], 0); 79 uint32_t new_overflow = i32 >> 31; 80 i32 = (i32 << 1) | overflow; 81 MBEDTLS_PUT_UINT32_BE(i32, &output[i], 0); 82 overflow = new_overflow; 83 } 84 85 R_n = (unsigned char) mbedtls_ct_uint_if_else_0(mbedtls_ct_bool(input[0] >> 7), R_n); 86 output[blocksize - 1] ^= R_n; 87 88 return 0; 89 } 90 91 /* 92 * Generate subkeys 93 * 94 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm 95 */ 96 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx, 97 unsigned char *K1, unsigned char *K2) 98 { 99 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 100 unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 101 size_t olen, block_size; 102 103 mbedtls_platform_zeroize(L, sizeof(L)); 104 105 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info); 106 107 /* Calculate Ek(0) */ 108 if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) { 109 goto exit; 110 } 111 112 /* 113 * Generate K1 and K2 114 */ 115 if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) { 116 goto exit; 117 } 118 119 if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) { 120 goto exit; 121 } 122 123 exit: 124 mbedtls_platform_zeroize(L, sizeof(L)); 125 126 return ret; 127 } 128 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ 129 130 #if !defined(MBEDTLS_CMAC_ALT) 131 132 /* 133 * Create padded last block from (partial) last block. 134 * 135 * We can't use the padding option from the cipher layer, as it only works for 136 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. 137 */ 138 static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE], 139 size_t padded_block_len, 140 const unsigned char *last_block, 141 size_t last_block_len) 142 { 143 size_t j; 144 145 for (j = 0; j < padded_block_len; j++) { 146 if (j < last_block_len) { 147 padded_block[j] = last_block[j]; 148 } else if (j == last_block_len) { 149 padded_block[j] = 0x80; 150 } else { 151 padded_block[j] = 0x00; 152 } 153 } 154 } 155 156 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx) 157 { 158 mbedtls_cmac_context_t *cmac_ctx; 159 160 /* 161 * Allocate and initialise in the cipher context memory for the CMAC 162 * context 163 */ 164 cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t)); 165 if (cmac_ctx == NULL) 166 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 167 168 ctx->cmac_ctx = cmac_ctx; 169 170 mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state)); 171 return 0; 172 } 173 174 int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx, 175 const unsigned char *key, size_t keybits) 176 { 177 mbedtls_cipher_type_t type; 178 int retval; 179 180 if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) { 181 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 182 } 183 184 if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits, 185 MBEDTLS_ENCRYPT)) != 0) { 186 return retval; 187 } 188 189 type = mbedtls_cipher_info_get_type(ctx->cipher_info); 190 191 switch (type) { 192 case MBEDTLS_CIPHER_AES_128_ECB: 193 case MBEDTLS_CIPHER_AES_192_ECB: 194 case MBEDTLS_CIPHER_AES_256_ECB: 195 case MBEDTLS_CIPHER_DES_EDE3_ECB: 196 break; 197 default: 198 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 199 } 200 201 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */ 202 if( ctx->cmac_ctx != NULL ) 203 return 0; 204 205 return mbedtls_cipher_cmac_setup( ctx ); 206 } 207 208 int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx, 209 const unsigned char *input, size_t ilen) 210 { 211 mbedtls_cmac_context_t *cmac_ctx; 212 unsigned char *state; 213 int ret = 0; 214 size_t n, j, olen, block_size; 215 216 if (ctx == NULL || ctx->cipher_info == NULL || input == NULL || 217 ctx->cmac_ctx == NULL) { 218 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 219 } 220 221 cmac_ctx = ctx->cmac_ctx; 222 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info); 223 state = ctx->cmac_ctx->state; 224 225 /* Without the MBEDTLS_ASSUME below, gcc -O3 will generate a warning of the form 226 * error: writing 16 bytes into a region of size 0 [-Werror=stringop-overflow=] */ 227 MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); 228 229 /* Is there data still to process from the last call, that's greater in 230 * size than a block? */ 231 if (cmac_ctx->unprocessed_len > 0 && 232 ilen > block_size - cmac_ctx->unprocessed_len) { 233 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 234 input, 235 block_size - cmac_ctx->unprocessed_len); 236 237 mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size); 238 239 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state, 240 &olen)) != 0) { 241 goto exit; 242 } 243 244 input += block_size - cmac_ctx->unprocessed_len; 245 ilen -= block_size - cmac_ctx->unprocessed_len; 246 cmac_ctx->unprocessed_len = 0; 247 } 248 249 /* n is the number of blocks including any final partial block */ 250 n = (ilen + block_size - 1) / block_size; 251 252 /* Iterate across the input data in block sized chunks, excluding any 253 * final partial or complete block */ 254 for (j = 1; j < n; j++) { 255 mbedtls_xor_no_simd(state, input, state, block_size); 256 257 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state, 258 &olen)) != 0) { 259 goto exit; 260 } 261 262 ilen -= block_size; 263 input += block_size; 264 } 265 266 /* If there is data left over that wasn't aligned to a block */ 267 if (ilen > 0) { 268 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len], 269 input, 270 ilen); 271 cmac_ctx->unprocessed_len += ilen; 272 } 273 274 exit: 275 return ret; 276 } 277 278 int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx, 279 unsigned char *output) 280 { 281 mbedtls_cmac_context_t *cmac_ctx; 282 unsigned char *state, *last_block; 283 unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 284 unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 285 unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 286 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 287 size_t olen, block_size; 288 289 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL || 290 output == NULL) { 291 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 292 } 293 294 cmac_ctx = ctx->cmac_ctx; 295 block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info); 296 MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); // silence GCC warning 297 state = cmac_ctx->state; 298 299 mbedtls_platform_zeroize(K1, sizeof(K1)); 300 mbedtls_platform_zeroize(K2, sizeof(K2)); 301 cmac_generate_subkeys(ctx, K1, K2); 302 303 last_block = cmac_ctx->unprocessed_block; 304 305 /* Calculate last block */ 306 if (cmac_ctx->unprocessed_len < block_size) { 307 cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len); 308 mbedtls_xor(M_last, M_last, K2, block_size); 309 } else { 310 /* Last block is complete block */ 311 mbedtls_xor(M_last, last_block, K1, block_size); 312 } 313 314 315 mbedtls_xor(state, M_last, state, block_size); 316 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state, 317 &olen)) != 0) { 318 goto exit; 319 } 320 321 memcpy(output, state, block_size); 322 323 exit: 324 /* Wipe the generated keys on the stack, and any other transients to avoid 325 * side channel leakage */ 326 mbedtls_platform_zeroize(K1, sizeof(K1)); 327 mbedtls_platform_zeroize(K2, sizeof(K2)); 328 329 cmac_ctx->unprocessed_len = 0; 330 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block, 331 sizeof(cmac_ctx->unprocessed_block)); 332 333 mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE); 334 return ret; 335 } 336 337 int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx) 338 { 339 mbedtls_cmac_context_t *cmac_ctx; 340 341 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) { 342 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 343 } 344 345 cmac_ctx = ctx->cmac_ctx; 346 347 /* Reset the internal state */ 348 cmac_ctx->unprocessed_len = 0; 349 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block, 350 sizeof(cmac_ctx->unprocessed_block)); 351 mbedtls_platform_zeroize(cmac_ctx->state, 352 sizeof(cmac_ctx->state)); 353 354 return 0; 355 } 356 357 int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info, 358 const unsigned char *key, size_t keylen, 359 const unsigned char *input, size_t ilen, 360 unsigned char *output) 361 { 362 mbedtls_cipher_context_t ctx; 363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 364 365 if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) { 366 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 367 } 368 369 mbedtls_cipher_init(&ctx); 370 371 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) { 372 goto exit; 373 } 374 375 ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen); 376 if (ret != 0) { 377 goto exit; 378 } 379 380 ret = mbedtls_cipher_cmac_update(&ctx, input, ilen); 381 if (ret != 0) { 382 goto exit; 383 } 384 385 ret = mbedtls_cipher_cmac_finish(&ctx, output); 386 387 exit: 388 mbedtls_cipher_free(&ctx); 389 390 return ret; 391 } 392 393 #if defined(MBEDTLS_AES_C) 394 /* 395 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 396 */ 397 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length, 398 const unsigned char *input, size_t in_len, 399 unsigned char output[16]) 400 { 401 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 402 const mbedtls_cipher_info_t *cipher_info; 403 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE]; 404 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE]; 405 406 if (key == NULL || input == NULL || output == NULL) { 407 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 408 } 409 410 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB); 411 if (cipher_info == NULL) { 412 /* Failing at this point must be due to a build issue */ 413 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 414 goto exit; 415 } 416 417 if (key_length == MBEDTLS_AES_BLOCK_SIZE) { 418 /* Use key as is */ 419 memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE); 420 } else { 421 memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE); 422 423 ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key, 424 key_length, int_key); 425 if (ret != 0) { 426 goto exit; 427 } 428 } 429 430 ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len, 431 output); 432 433 exit: 434 mbedtls_platform_zeroize(int_key, sizeof(int_key)); 435 436 return ret; 437 } 438 #endif /* MBEDTLS_AES_C */ 439 440 #endif /* !MBEDTLS_CMAC_ALT */ 441 442 #if defined(MBEDTLS_SELF_TEST) 443 /* 444 * CMAC test data for SP800-38B 445 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf 446 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf 447 * 448 * AES-CMAC-PRF-128 test data from RFC 4615 449 * https://tools.ietf.org/html/rfc4615#page-4 450 */ 451 452 #define NB_CMAC_TESTS_PER_KEY 4 453 #define NB_PRF_TESTS 3 454 455 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) 456 /* All CMAC test inputs are truncated from the same 64 byte buffer. */ 457 static const unsigned char test_message[] = { 458 /* PT */ 459 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 460 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 461 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 462 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 463 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 464 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, 465 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 466 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 467 }; 468 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ 469 470 #if defined(MBEDTLS_AES_C) 471 /* Truncation point of message for AES CMAC tests */ 472 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 473 /* Mlen */ 474 0, 475 16, 476 20, 477 64 478 }; 479 480 /* CMAC-AES128 Test Data */ 481 static const unsigned char aes_128_key[16] = { 482 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 483 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c 484 }; 485 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 486 { 487 /* K1 */ 488 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66, 489 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde 490 }, 491 { 492 /* K2 */ 493 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc, 494 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b 495 } 496 }; 497 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = 498 { 499 { 500 /* Example #1 */ 501 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28, 502 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46 503 }, 504 { 505 /* Example #2 */ 506 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 507 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c 508 }, 509 { 510 /* Example #3 */ 511 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8, 512 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde 513 }, 514 { 515 /* Example #4 */ 516 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92, 517 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe 518 } 519 }; 520 521 /* CMAC-AES192 Test Data */ 522 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 523 static const unsigned char aes_192_key[24] = { 524 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 525 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, 526 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b 527 }; 528 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 529 { 530 /* K1 */ 531 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27, 532 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96 533 }, 534 { 535 /* K2 */ 536 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e, 537 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c 538 } 539 }; 540 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = 541 { 542 { 543 /* Example #1 */ 544 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5, 545 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67 546 }, 547 { 548 /* Example #2 */ 549 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90, 550 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84 551 }, 552 { 553 /* Example #3 */ 554 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04, 555 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8 556 }, 557 { 558 /* Example #4 */ 559 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79, 560 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11 561 } 562 }; 563 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ 564 565 /* CMAC-AES256 Test Data */ 566 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 567 static const unsigned char aes_256_key[32] = { 568 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 569 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, 570 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 571 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4 572 }; 573 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = { 574 { 575 /* K1 */ 576 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac, 577 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f 578 }, 579 { 580 /* K2 */ 581 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58, 582 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9 583 } 584 }; 585 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = 586 { 587 { 588 /* Example #1 */ 589 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e, 590 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83 591 }, 592 { 593 /* Example #2 */ 594 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82, 595 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c 596 }, 597 { 598 /* Example #3 */ 599 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a, 600 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93 601 }, 602 { 603 /* Example #4 */ 604 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5, 605 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10 606 } 607 }; 608 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ 609 #endif /* MBEDTLS_AES_C */ 610 611 #if defined(MBEDTLS_DES_C) 612 /* Truncation point of message for 3DES CMAC tests */ 613 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 614 0, 615 16, 616 20, 617 32 618 }; 619 620 /* CMAC-TDES (Generation) - 2 Key Test Data */ 621 static const unsigned char des3_2key_key[24] = { 622 /* Key1 */ 623 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 624 /* Key2 */ 625 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, 626 /* Key3 */ 627 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 628 }; 629 static const unsigned char des3_2key_subkeys[2][8] = { 630 { 631 /* K1 */ 632 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 633 }, 634 { 635 /* K2 */ 636 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 637 } 638 }; 639 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] 640 = { 641 { 642 /* Sample #1 */ 643 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 644 }, 645 { 646 /* Sample #2 */ 647 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b 648 }, 649 { 650 /* Sample #3 */ 651 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 652 }, 653 { 654 /* Sample #4 */ 655 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb 656 } 657 }; 658 659 /* CMAC-TDES (Generation) - 3 Key Test Data */ 660 static const unsigned char des3_3key_key[24] = { 661 /* Key1 */ 662 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, 663 /* Key2 */ 664 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 665 /* Key3 */ 666 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 667 }; 668 static const unsigned char des3_3key_subkeys[2][8] = { 669 { 670 /* K1 */ 671 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 672 }, 673 { 674 /* K2 */ 675 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b 676 } 677 }; 678 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] 679 = { 680 { 681 /* Sample #1 */ 682 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 683 }, 684 { 685 /* Sample #2 */ 686 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 687 }, 688 { 689 /* Sample #3 */ 690 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 691 }, 692 { 693 /* Sample #4 */ 694 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 695 } 696 }; 697 698 #endif /* MBEDTLS_DES_C */ 699 700 #if defined(MBEDTLS_AES_C) 701 /* AES AES-CMAC-PRF-128 Test Data */ 702 static const unsigned char PRFK[] = { 703 /* Key */ 704 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 705 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 706 0xed, 0xcb 707 }; 708 709 /* Sizes in bytes */ 710 static const size_t PRFKlen[NB_PRF_TESTS] = { 711 18, 712 16, 713 10 714 }; 715 716 /* Message */ 717 static const unsigned char PRFM[] = { 718 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 719 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 720 0x10, 0x11, 0x12, 0x13 721 }; 722 723 static const unsigned char PRFT[NB_PRF_TESTS][16] = { 724 { 725 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b, 726 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a 727 }, 728 { 729 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52, 730 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d 731 }, 732 { 733 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee, 734 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d 735 } 736 }; 737 #endif /* MBEDTLS_AES_C */ 738 739 static int cmac_test_subkeys(int verbose, 740 const char *testname, 741 const unsigned char *key, 742 int keybits, 743 const unsigned char *subkeys, 744 mbedtls_cipher_type_t cipher_type, 745 int block_size, 746 int num_tests) 747 { 748 int i, ret = 0; 749 mbedtls_cipher_context_t ctx; 750 const mbedtls_cipher_info_t *cipher_info; 751 unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 752 unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 753 754 cipher_info = mbedtls_cipher_info_from_type(cipher_type); 755 if (cipher_info == NULL) { 756 /* Failing at this point must be due to a build issue */ 757 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 758 } 759 760 for (i = 0; i < num_tests; i++) { 761 if (verbose != 0) { 762 mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1); 763 } 764 765 mbedtls_cipher_init(&ctx); 766 767 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) { 768 if (verbose != 0) { 769 mbedtls_printf("test execution failed\n"); 770 } 771 772 goto cleanup; 773 } 774 775 if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits, 776 MBEDTLS_ENCRYPT)) != 0) { 777 /* When CMAC is implemented by an alternative implementation, or 778 * the underlying primitive itself is implemented alternatively, 779 * AES-192 may be unavailable. This should not cause the selftest 780 * function to fail. */ 781 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED || 782 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) && 783 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) { 784 if (verbose != 0) { 785 mbedtls_printf("skipped\n"); 786 } 787 goto next_test; 788 } 789 790 if (verbose != 0) { 791 mbedtls_printf("test execution failed\n"); 792 } 793 794 goto cleanup; 795 } 796 797 ret = cmac_generate_subkeys(&ctx, K1, K2); 798 if (ret != 0) { 799 if (verbose != 0) { 800 mbedtls_printf("failed\n"); 801 } 802 803 goto cleanup; 804 } 805 806 if ((ret = memcmp(K1, subkeys, block_size)) != 0 || 807 (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) { 808 if (verbose != 0) { 809 mbedtls_printf("failed\n"); 810 } 811 812 goto cleanup; 813 } 814 815 if (verbose != 0) { 816 mbedtls_printf("passed\n"); 817 } 818 819 next_test: 820 mbedtls_cipher_free(&ctx); 821 } 822 823 ret = 0; 824 goto exit; 825 826 cleanup: 827 mbedtls_cipher_free(&ctx); 828 829 exit: 830 return ret; 831 } 832 833 static int cmac_test_wth_cipher(int verbose, 834 const char *testname, 835 const unsigned char *key, 836 int keybits, 837 const unsigned char *messages, 838 const unsigned int message_lengths[4], 839 const unsigned char *expected_result, 840 mbedtls_cipher_type_t cipher_type, 841 int block_size, 842 int num_tests) 843 { 844 const mbedtls_cipher_info_t *cipher_info; 845 int i, ret = 0; 846 unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE]; 847 848 cipher_info = mbedtls_cipher_info_from_type(cipher_type); 849 if (cipher_info == NULL) { 850 /* Failing at this point must be due to a build issue */ 851 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 852 goto exit; 853 } 854 855 for (i = 0; i < num_tests; i++) { 856 if (verbose != 0) { 857 mbedtls_printf(" %s CMAC #%d: ", testname, i + 1); 858 } 859 860 if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages, 861 message_lengths[i], output)) != 0) { 862 /* When CMAC is implemented by an alternative implementation, or 863 * the underlying primitive itself is implemented alternatively, 864 * AES-192 and/or 3DES may be unavailable. This should not cause 865 * the selftest function to fail. */ 866 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED || 867 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) && 868 (cipher_type == MBEDTLS_CIPHER_AES_192_ECB || 869 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) { 870 if (verbose != 0) { 871 mbedtls_printf("skipped\n"); 872 } 873 continue; 874 } 875 876 if (verbose != 0) { 877 mbedtls_printf("failed\n"); 878 } 879 goto exit; 880 } 881 882 if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) { 883 if (verbose != 0) { 884 mbedtls_printf("failed\n"); 885 } 886 goto exit; 887 } 888 889 if (verbose != 0) { 890 mbedtls_printf("passed\n"); 891 } 892 } 893 ret = 0; 894 895 exit: 896 return ret; 897 } 898 899 #if defined(MBEDTLS_AES_C) 900 static int test_aes128_cmac_prf(int verbose) 901 { 902 int i; 903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 904 unsigned char output[MBEDTLS_AES_BLOCK_SIZE]; 905 906 for (i = 0; i < NB_PRF_TESTS; i++) { 907 mbedtls_printf(" AES CMAC 128 PRF #%d: ", i); 908 ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output); 909 if (ret != 0 || 910 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) { 911 912 if (verbose != 0) { 913 mbedtls_printf("failed\n"); 914 } 915 916 return ret; 917 } else if (verbose != 0) { 918 mbedtls_printf("passed\n"); 919 } 920 } 921 return ret; 922 } 923 #endif /* MBEDTLS_AES_C */ 924 925 int mbedtls_cmac_self_test(int verbose) 926 { 927 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 928 929 #if defined(MBEDTLS_AES_C) 930 /* AES-128 */ 931 if ((ret = cmac_test_subkeys(verbose, 932 "AES 128", 933 aes_128_key, 934 128, 935 (const unsigned char *) aes_128_subkeys, 936 MBEDTLS_CIPHER_AES_128_ECB, 937 MBEDTLS_AES_BLOCK_SIZE, 938 NB_CMAC_TESTS_PER_KEY)) != 0) { 939 return ret; 940 } 941 942 if ((ret = cmac_test_wth_cipher(verbose, 943 "AES 128", 944 aes_128_key, 945 128, 946 test_message, 947 aes_message_lengths, 948 (const unsigned char *) aes_128_expected_result, 949 MBEDTLS_CIPHER_AES_128_ECB, 950 MBEDTLS_AES_BLOCK_SIZE, 951 NB_CMAC_TESTS_PER_KEY)) != 0) { 952 return ret; 953 } 954 955 /* AES-192 */ 956 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 957 if ((ret = cmac_test_subkeys(verbose, 958 "AES 192", 959 aes_192_key, 960 192, 961 (const unsigned char *) aes_192_subkeys, 962 MBEDTLS_CIPHER_AES_192_ECB, 963 MBEDTLS_AES_BLOCK_SIZE, 964 NB_CMAC_TESTS_PER_KEY)) != 0) { 965 return ret; 966 } 967 968 if ((ret = cmac_test_wth_cipher(verbose, 969 "AES 192", 970 aes_192_key, 971 192, 972 test_message, 973 aes_message_lengths, 974 (const unsigned char *) aes_192_expected_result, 975 MBEDTLS_CIPHER_AES_192_ECB, 976 MBEDTLS_AES_BLOCK_SIZE, 977 NB_CMAC_TESTS_PER_KEY)) != 0) { 978 return ret; 979 } 980 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ 981 982 /* AES-256 */ 983 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 984 if ((ret = cmac_test_subkeys(verbose, 985 "AES 256", 986 aes_256_key, 987 256, 988 (const unsigned char *) aes_256_subkeys, 989 MBEDTLS_CIPHER_AES_256_ECB, 990 MBEDTLS_AES_BLOCK_SIZE, 991 NB_CMAC_TESTS_PER_KEY)) != 0) { 992 return ret; 993 } 994 995 if ((ret = cmac_test_wth_cipher(verbose, 996 "AES 256", 997 aes_256_key, 998 256, 999 test_message, 1000 aes_message_lengths, 1001 (const unsigned char *) aes_256_expected_result, 1002 MBEDTLS_CIPHER_AES_256_ECB, 1003 MBEDTLS_AES_BLOCK_SIZE, 1004 NB_CMAC_TESTS_PER_KEY)) != 0) { 1005 return ret; 1006 } 1007 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ 1008 #endif /* MBEDTLS_AES_C */ 1009 1010 #if defined(MBEDTLS_DES_C) 1011 /* 3DES 2 key */ 1012 if ((ret = cmac_test_subkeys(verbose, 1013 "3DES 2 key", 1014 des3_2key_key, 1015 192, 1016 (const unsigned char *) des3_2key_subkeys, 1017 MBEDTLS_CIPHER_DES_EDE3_ECB, 1018 MBEDTLS_DES3_BLOCK_SIZE, 1019 NB_CMAC_TESTS_PER_KEY)) != 0) { 1020 return ret; 1021 } 1022 1023 if ((ret = cmac_test_wth_cipher(verbose, 1024 "3DES 2 key", 1025 des3_2key_key, 1026 192, 1027 test_message, 1028 des3_message_lengths, 1029 (const unsigned char *) des3_2key_expected_result, 1030 MBEDTLS_CIPHER_DES_EDE3_ECB, 1031 MBEDTLS_DES3_BLOCK_SIZE, 1032 NB_CMAC_TESTS_PER_KEY)) != 0) { 1033 return ret; 1034 } 1035 1036 /* 3DES 3 key */ 1037 if ((ret = cmac_test_subkeys(verbose, 1038 "3DES 3 key", 1039 des3_3key_key, 1040 192, 1041 (const unsigned char *) des3_3key_subkeys, 1042 MBEDTLS_CIPHER_DES_EDE3_ECB, 1043 MBEDTLS_DES3_BLOCK_SIZE, 1044 NB_CMAC_TESTS_PER_KEY)) != 0) { 1045 return ret; 1046 } 1047 1048 if ((ret = cmac_test_wth_cipher(verbose, 1049 "3DES 3 key", 1050 des3_3key_key, 1051 192, 1052 test_message, 1053 des3_message_lengths, 1054 (const unsigned char *) des3_3key_expected_result, 1055 MBEDTLS_CIPHER_DES_EDE3_ECB, 1056 MBEDTLS_DES3_BLOCK_SIZE, 1057 NB_CMAC_TESTS_PER_KEY)) != 0) { 1058 return ret; 1059 } 1060 #endif /* MBEDTLS_DES_C */ 1061 1062 #if defined(MBEDTLS_AES_C) 1063 if ((ret = test_aes128_cmac_prf(verbose)) != 0) { 1064 return ret; 1065 } 1066 #endif /* MBEDTLS_AES_C */ 1067 1068 if (verbose != 0) { 1069 mbedtls_printf("\n"); 1070 } 1071 1072 return 0; 1073 } 1074 1075 #endif /* MBEDTLS_SELF_TEST */ 1076 1077 #endif /* MBEDTLS_CMAC_C */ 1078