cmac.c 32 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073
  1. /*
  2. * \file cmac.c
  3. *
  4. * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
  5. *
  6. * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
  7. * SPDX-License-Identifier: Apache-2.0
  8. *
  9. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  10. * not use this file except in compliance with the License.
  11. * You may obtain a copy of the License at
  12. *
  13. * http://www.apache.org/licenses/LICENSE-2.0
  14. *
  15. * Unless required by applicable law or agreed to in writing, software
  16. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  17. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  18. * See the License for the specific language governing permissions and
  19. * limitations under the License.
  20. *
  21. * This file is part of mbed TLS (https://tls.mbed.org)
  22. */
  23. /*
  24. * References:
  25. *
  26. * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
  27. * CMAC Mode for Authentication
  28. * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
  29. *
  30. * - RFC 4493 - The AES-CMAC Algorithm
  31. * https://tools.ietf.org/html/rfc4493
  32. *
  33. * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
  34. * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  35. * Algorithm for the Internet Key Exchange Protocol (IKE)
  36. * https://tools.ietf.org/html/rfc4615
  37. *
  38. * Additional test vectors: ISO/IEC 9797-1
  39. *
  40. */
  41. #if !defined(MBEDTLS_CONFIG_FILE)
  42. #include "mbedtls/config.h"
  43. #else
  44. #include MBEDTLS_CONFIG_FILE
  45. #endif
  46. #if defined(MBEDTLS_CMAC_C)
  47. #include "mbedtls/cmac.h"
  48. #if defined(MBEDTLS_PLATFORM_C)
  49. #include "mbedtls/platform.h"
  50. #else
  51. #include <string.h>
  52. #include <stdlib.h>
  53. #define mbedtls_calloc calloc
  54. #define mbedtls_free free
  55. #if defined(MBEDTLS_SELF_TEST)
  56. #include <stdio.h>
  57. #define mbedtls_printf printf
  58. #endif /* MBEDTLS_SELF_TEST */
  59. #endif /* MBEDTLS_PLATFORM_C */
  60. /* Implementation that should never be optimized out by the compiler */
  61. static void mbedtls_zeroize( void *v, size_t n ) {
  62. volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
  63. }
  64. /*
  65. * Multiplication by u in the Galois field of GF(2^n)
  66. *
  67. * As explained in NIST SP 800-38B, this can be computed:
  68. *
  69. * If MSB(p) = 0, then p = (p << 1)
  70. * If MSB(p) = 1, then p = (p << 1) ^ R_n
  71. * with R_64 = 0x1B and R_128 = 0x87
  72. *
  73. * Input and output MUST NOT point to the same buffer
  74. * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
  75. */
  76. static int cmac_multiply_by_u( unsigned char *output,
  77. const unsigned char *input,
  78. size_t blocksize )
  79. {
  80. const unsigned char R_128 = 0x87;
  81. const unsigned char R_64 = 0x1B;
  82. unsigned char R_n, mask;
  83. unsigned char overflow = 0x00;
  84. int i;
  85. if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
  86. {
  87. R_n = R_128;
  88. }
  89. else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
  90. {
  91. R_n = R_64;
  92. }
  93. else
  94. {
  95. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  96. }
  97. for( i = (int)blocksize - 1; i >= 0; i-- )
  98. {
  99. output[i] = input[i] << 1 | overflow;
  100. overflow = input[i] >> 7;
  101. }
  102. /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
  103. * using bit operations to avoid branches */
  104. /* MSVC has a warning about unary minus on unsigned, but this is
  105. * well-defined and precisely what we want to do here */
  106. #if defined(_MSC_VER)
  107. #pragma warning( push )
  108. #pragma warning( disable : 4146 )
  109. #endif
  110. mask = - ( input[0] >> 7 );
  111. #if defined(_MSC_VER)
  112. #pragma warning( pop )
  113. #endif
  114. output[ blocksize - 1 ] ^= R_n & mask;
  115. return( 0 );
  116. }
  117. /*
  118. * Generate subkeys
  119. *
  120. * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
  121. */
  122. static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
  123. unsigned char* K1, unsigned char* K2 )
  124. {
  125. int ret;
  126. unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
  127. size_t olen, block_size;
  128. mbedtls_zeroize( L, sizeof( L ) );
  129. block_size = ctx->cipher_info->block_size;
  130. /* Calculate Ek(0) */
  131. if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
  132. goto exit;
  133. /*
  134. * Generate K1 and K2
  135. */
  136. if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
  137. goto exit;
  138. if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
  139. goto exit;
  140. exit:
  141. mbedtls_zeroize( L, sizeof( L ) );
  142. return( ret );
  143. }
  144. static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
  145. const unsigned char *input2,
  146. const size_t block_size )
  147. {
  148. size_t index;
  149. for( index = 0; index < block_size; index++ )
  150. output[ index ] = input1[ index ] ^ input2[ index ];
  151. }
  152. /*
  153. * Create padded last block from (partial) last block.
  154. *
  155. * We can't use the padding option from the cipher layer, as it only works for
  156. * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
  157. */
  158. static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
  159. size_t padded_block_len,
  160. const unsigned char *last_block,
  161. size_t last_block_len )
  162. {
  163. size_t j;
  164. for( j = 0; j < padded_block_len; j++ )
  165. {
  166. if( j < last_block_len )
  167. padded_block[j] = last_block[j];
  168. else if( j == last_block_len )
  169. padded_block[j] = 0x80;
  170. else
  171. padded_block[j] = 0x00;
  172. }
  173. }
  174. int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
  175. const unsigned char *key, size_t keybits )
  176. {
  177. mbedtls_cipher_type_t type;
  178. mbedtls_cmac_context_t *cmac_ctx;
  179. int retval;
  180. if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
  181. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  182. if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
  183. MBEDTLS_ENCRYPT ) ) != 0 )
  184. return( retval );
  185. type = ctx->cipher_info->type;
  186. switch( type )
  187. {
  188. case MBEDTLS_CIPHER_AES_128_ECB:
  189. case MBEDTLS_CIPHER_AES_192_ECB:
  190. case MBEDTLS_CIPHER_AES_256_ECB:
  191. case MBEDTLS_CIPHER_DES_EDE3_ECB:
  192. break;
  193. default:
  194. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  195. }
  196. /* Allocated and initialise in the cipher context memory for the CMAC
  197. * context */
  198. cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
  199. if( cmac_ctx == NULL )
  200. return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
  201. ctx->cmac_ctx = cmac_ctx;
  202. mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
  203. return 0;
  204. }
  205. int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
  206. const unsigned char *input, size_t ilen )
  207. {
  208. mbedtls_cmac_context_t* cmac_ctx;
  209. unsigned char *state;
  210. int ret = 0;
  211. size_t n, j, olen, block_size;
  212. if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
  213. ctx->cmac_ctx == NULL )
  214. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  215. cmac_ctx = ctx->cmac_ctx;
  216. block_size = ctx->cipher_info->block_size;
  217. state = ctx->cmac_ctx->state;
  218. /* Is there data still to process from the last call, that's greater in
  219. * size than a block? */
  220. if( cmac_ctx->unprocessed_len > 0 &&
  221. ilen > block_size - cmac_ctx->unprocessed_len )
  222. {
  223. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  224. input,
  225. block_size - cmac_ctx->unprocessed_len );
  226. cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
  227. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  228. &olen ) ) != 0 )
  229. {
  230. goto exit;
  231. }
  232. input += block_size - cmac_ctx->unprocessed_len;
  233. ilen -= block_size - cmac_ctx->unprocessed_len;
  234. cmac_ctx->unprocessed_len = 0;
  235. }
  236. /* n is the number of blocks including any final partial block */
  237. n = ( ilen + block_size - 1 ) / block_size;
  238. /* Iterate across the input data in block sized chunks, excluding any
  239. * final partial or complete block */
  240. for( j = 1; j < n; j++ )
  241. {
  242. cmac_xor_block( state, input, state, block_size );
  243. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  244. &olen ) ) != 0 )
  245. goto exit;
  246. ilen -= block_size;
  247. input += block_size;
  248. }
  249. /* If there is data left over that wasn't aligned to a block */
  250. if( ilen > 0 )
  251. {
  252. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  253. input,
  254. ilen );
  255. cmac_ctx->unprocessed_len += ilen;
  256. }
  257. exit:
  258. return( ret );
  259. }
  260. int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
  261. unsigned char *output )
  262. {
  263. mbedtls_cmac_context_t* cmac_ctx;
  264. unsigned char *state, *last_block;
  265. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  266. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  267. unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
  268. int ret;
  269. size_t olen, block_size;
  270. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
  271. output == NULL )
  272. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  273. cmac_ctx = ctx->cmac_ctx;
  274. block_size = ctx->cipher_info->block_size;
  275. state = cmac_ctx->state;
  276. mbedtls_zeroize( K1, sizeof( K1 ) );
  277. mbedtls_zeroize( K2, sizeof( K2 ) );
  278. cmac_generate_subkeys( ctx, K1, K2 );
  279. last_block = cmac_ctx->unprocessed_block;
  280. /* Calculate last block */
  281. if( cmac_ctx->unprocessed_len < block_size )
  282. {
  283. cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
  284. cmac_xor_block( M_last, M_last, K2, block_size );
  285. }
  286. else
  287. {
  288. /* Last block is complete block */
  289. cmac_xor_block( M_last, last_block, K1, block_size );
  290. }
  291. cmac_xor_block( state, M_last, state, block_size );
  292. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  293. &olen ) ) != 0 )
  294. {
  295. goto exit;
  296. }
  297. memcpy( output, state, block_size );
  298. exit:
  299. /* Wipe the generated keys on the stack, and any other transients to avoid
  300. * side channel leakage */
  301. mbedtls_zeroize( K1, sizeof( K1 ) );
  302. mbedtls_zeroize( K2, sizeof( K2 ) );
  303. cmac_ctx->unprocessed_len = 0;
  304. mbedtls_zeroize( cmac_ctx->unprocessed_block,
  305. sizeof( cmac_ctx->unprocessed_block ) );
  306. mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
  307. return( ret );
  308. }
  309. int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
  310. {
  311. mbedtls_cmac_context_t* cmac_ctx;
  312. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
  313. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  314. cmac_ctx = ctx->cmac_ctx;
  315. /* Reset the internal state */
  316. cmac_ctx->unprocessed_len = 0;
  317. mbedtls_zeroize( cmac_ctx->unprocessed_block,
  318. sizeof( cmac_ctx->unprocessed_block ) );
  319. mbedtls_zeroize( cmac_ctx->state,
  320. sizeof( cmac_ctx->state ) );
  321. return( 0 );
  322. }
  323. int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
  324. const unsigned char *key, size_t keylen,
  325. const unsigned char *input, size_t ilen,
  326. unsigned char *output )
  327. {
  328. mbedtls_cipher_context_t ctx;
  329. int ret;
  330. if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
  331. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  332. mbedtls_cipher_init( &ctx );
  333. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  334. goto exit;
  335. ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
  336. if( ret != 0 )
  337. goto exit;
  338. ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
  339. if( ret != 0 )
  340. goto exit;
  341. ret = mbedtls_cipher_cmac_finish( &ctx, output );
  342. exit:
  343. mbedtls_cipher_free( &ctx );
  344. return( ret );
  345. }
  346. #if defined(MBEDTLS_AES_C)
  347. /*
  348. * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
  349. */
  350. int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
  351. const unsigned char *input, size_t in_len,
  352. unsigned char *output )
  353. {
  354. int ret;
  355. const mbedtls_cipher_info_t *cipher_info;
  356. unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
  357. unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
  358. if( key == NULL || input == NULL || output == NULL )
  359. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  360. cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
  361. if( cipher_info == NULL )
  362. {
  363. /* Failing at this point must be due to a build issue */
  364. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  365. goto exit;
  366. }
  367. if( key_length == MBEDTLS_AES_BLOCK_SIZE )
  368. {
  369. /* Use key as is */
  370. memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
  371. }
  372. else
  373. {
  374. memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
  375. ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
  376. key_length, int_key );
  377. if( ret != 0 )
  378. goto exit;
  379. }
  380. ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
  381. output );
  382. exit:
  383. mbedtls_zeroize( int_key, sizeof( int_key ) );
  384. return( ret );
  385. }
  386. #endif /* MBEDTLS_AES_C */
  387. #if defined(MBEDTLS_SELF_TEST)
  388. /*
  389. * CMAC test data for SP800-38B
  390. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
  391. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
  392. *
  393. * AES-CMAC-PRF-128 test data from RFC 4615
  394. * https://tools.ietf.org/html/rfc4615#page-4
  395. */
  396. #define NB_CMAC_TESTS_PER_KEY 4
  397. #define NB_PRF_TESTS 3
  398. #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
  399. /* All CMAC test inputs are truncated from the same 64 byte buffer. */
  400. static const unsigned char test_message[] = {
  401. /* PT */
  402. 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
  403. 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
  404. 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
  405. 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
  406. 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
  407. 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
  408. 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
  409. 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
  410. };
  411. #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
  412. #if defined(MBEDTLS_AES_C)
  413. /* Truncation point of message for AES CMAC tests */
  414. static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  415. /* Mlen */
  416. 0,
  417. 16,
  418. 20,
  419. 64
  420. };
  421. /* CMAC-AES128 Test Data */
  422. static const unsigned char aes_128_key[16] = {
  423. 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
  424. 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
  425. };
  426. static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  427. {
  428. /* K1 */
  429. 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
  430. 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
  431. },
  432. {
  433. /* K2 */
  434. 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
  435. 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
  436. }
  437. };
  438. static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  439. {
  440. /* Example #1 */
  441. 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
  442. 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
  443. },
  444. {
  445. /* Example #2 */
  446. 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
  447. 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
  448. },
  449. {
  450. /* Example #3 */
  451. 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
  452. 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
  453. },
  454. {
  455. /* Example #4 */
  456. 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
  457. 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
  458. }
  459. };
  460. /* CMAC-AES192 Test Data */
  461. static const unsigned char aes_192_key[24] = {
  462. 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
  463. 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
  464. 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
  465. };
  466. static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  467. {
  468. /* K1 */
  469. 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
  470. 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
  471. },
  472. {
  473. /* K2 */
  474. 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
  475. 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
  476. }
  477. };
  478. static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  479. {
  480. /* Example #1 */
  481. 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
  482. 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
  483. },
  484. {
  485. /* Example #2 */
  486. 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
  487. 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
  488. },
  489. {
  490. /* Example #3 */
  491. 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
  492. 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
  493. },
  494. {
  495. /* Example #4 */
  496. 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
  497. 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
  498. }
  499. };
  500. /* CMAC-AES256 Test Data */
  501. static const unsigned char aes_256_key[32] = {
  502. 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
  503. 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
  504. 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
  505. 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
  506. };
  507. static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  508. {
  509. /* K1 */
  510. 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
  511. 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
  512. },
  513. {
  514. /* K2 */
  515. 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
  516. 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
  517. }
  518. };
  519. static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  520. {
  521. /* Example #1 */
  522. 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
  523. 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
  524. },
  525. {
  526. /* Example #2 */
  527. 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
  528. 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
  529. },
  530. {
  531. /* Example #3 */
  532. 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
  533. 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
  534. },
  535. {
  536. /* Example #4 */
  537. 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
  538. 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
  539. }
  540. };
  541. #endif /* MBEDTLS_AES_C */
  542. #if defined(MBEDTLS_DES_C)
  543. /* Truncation point of message for 3DES CMAC tests */
  544. static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  545. 0,
  546. 16,
  547. 20,
  548. 32
  549. };
  550. /* CMAC-TDES (Generation) - 2 Key Test Data */
  551. static const unsigned char des3_2key_key[24] = {
  552. /* Key1 */
  553. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
  554. /* Key2 */
  555. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
  556. /* Key3 */
  557. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
  558. };
  559. static const unsigned char des3_2key_subkeys[2][8] = {
  560. {
  561. /* K1 */
  562. 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
  563. },
  564. {
  565. /* K2 */
  566. 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
  567. }
  568. };
  569. static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  570. {
  571. /* Sample #1 */
  572. 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
  573. },
  574. {
  575. /* Sample #2 */
  576. 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
  577. },
  578. {
  579. /* Sample #3 */
  580. 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
  581. },
  582. {
  583. /* Sample #4 */
  584. 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
  585. }
  586. };
  587. /* CMAC-TDES (Generation) - 3 Key Test Data */
  588. static const unsigned char des3_3key_key[24] = {
  589. /* Key1 */
  590. 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
  591. /* Key2 */
  592. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
  593. /* Key3 */
  594. 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
  595. };
  596. static const unsigned char des3_3key_subkeys[2][8] = {
  597. {
  598. /* K1 */
  599. 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
  600. },
  601. {
  602. /* K2 */
  603. 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
  604. }
  605. };
  606. static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  607. {
  608. /* Sample #1 */
  609. 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
  610. },
  611. {
  612. /* Sample #2 */
  613. 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
  614. },
  615. {
  616. /* Sample #3 */
  617. 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
  618. },
  619. {
  620. /* Sample #4 */
  621. 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
  622. }
  623. };
  624. #endif /* MBEDTLS_DES_C */
  625. #if defined(MBEDTLS_AES_C)
  626. /* AES AES-CMAC-PRF-128 Test Data */
  627. static const unsigned char PRFK[] = {
  628. /* Key */
  629. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  630. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  631. 0xed, 0xcb
  632. };
  633. /* Sizes in bytes */
  634. static const size_t PRFKlen[NB_PRF_TESTS] = {
  635. 18,
  636. 16,
  637. 10
  638. };
  639. /* Message */
  640. static const unsigned char PRFM[] = {
  641. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  642. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  643. 0x10, 0x11, 0x12, 0x13
  644. };
  645. static const unsigned char PRFT[NB_PRF_TESTS][16] = {
  646. {
  647. 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
  648. 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
  649. },
  650. {
  651. 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
  652. 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
  653. },
  654. {
  655. 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
  656. 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
  657. }
  658. };
  659. #endif /* MBEDTLS_AES_C */
  660. static int cmac_test_subkeys( int verbose,
  661. const char* testname,
  662. const unsigned char* key,
  663. int keybits,
  664. const unsigned char* subkeys,
  665. mbedtls_cipher_type_t cipher_type,
  666. int block_size,
  667. int num_tests )
  668. {
  669. int i, ret;
  670. mbedtls_cipher_context_t ctx;
  671. const mbedtls_cipher_info_t *cipher_info;
  672. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  673. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  674. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  675. if( cipher_info == NULL )
  676. {
  677. /* Failing at this point must be due to a build issue */
  678. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  679. }
  680. for( i = 0; i < num_tests; i++ )
  681. {
  682. if( verbose != 0 )
  683. mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
  684. mbedtls_cipher_init( &ctx );
  685. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  686. {
  687. if( verbose != 0 )
  688. mbedtls_printf( "test execution failed\n" );
  689. goto cleanup;
  690. }
  691. if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
  692. MBEDTLS_ENCRYPT ) ) != 0 )
  693. {
  694. if( verbose != 0 )
  695. mbedtls_printf( "test execution failed\n" );
  696. goto cleanup;
  697. }
  698. ret = cmac_generate_subkeys( &ctx, K1, K2 );
  699. if( ret != 0 )
  700. {
  701. if( verbose != 0 )
  702. mbedtls_printf( "failed\n" );
  703. goto cleanup;
  704. }
  705. if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
  706. ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
  707. {
  708. if( verbose != 0 )
  709. mbedtls_printf( "failed\n" );
  710. goto cleanup;
  711. }
  712. if( verbose != 0 )
  713. mbedtls_printf( "passed\n" );
  714. mbedtls_cipher_free( &ctx );
  715. }
  716. goto exit;
  717. cleanup:
  718. mbedtls_cipher_free( &ctx );
  719. exit:
  720. return( ret );
  721. }
  722. static int cmac_test_wth_cipher( int verbose,
  723. const char* testname,
  724. const unsigned char* key,
  725. int keybits,
  726. const unsigned char* messages,
  727. const unsigned int message_lengths[4],
  728. const unsigned char* expected_result,
  729. mbedtls_cipher_type_t cipher_type,
  730. int block_size,
  731. int num_tests )
  732. {
  733. const mbedtls_cipher_info_t *cipher_info;
  734. int i, ret;
  735. unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
  736. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  737. if( cipher_info == NULL )
  738. {
  739. /* Failing at this point must be due to a build issue */
  740. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  741. goto exit;
  742. }
  743. for( i = 0; i < num_tests; i++ )
  744. {
  745. if( verbose != 0 )
  746. mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
  747. if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
  748. message_lengths[i], output ) ) != 0 )
  749. {
  750. if( verbose != 0 )
  751. mbedtls_printf( "failed\n" );
  752. goto exit;
  753. }
  754. if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
  755. {
  756. if( verbose != 0 )
  757. mbedtls_printf( "failed\n" );
  758. goto exit;
  759. }
  760. if( verbose != 0 )
  761. mbedtls_printf( "passed\n" );
  762. }
  763. exit:
  764. return( ret );
  765. }
  766. #if defined(MBEDTLS_AES_C)
  767. static int test_aes128_cmac_prf( int verbose )
  768. {
  769. int i;
  770. int ret;
  771. unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
  772. for( i = 0; i < NB_PRF_TESTS; i++ )
  773. {
  774. mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
  775. ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
  776. if( ret != 0 ||
  777. memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
  778. {
  779. if( verbose != 0 )
  780. mbedtls_printf( "failed\n" );
  781. return( ret );
  782. }
  783. else if( verbose != 0 )
  784. {
  785. mbedtls_printf( "passed\n" );
  786. }
  787. }
  788. return( ret );
  789. }
  790. #endif /* MBEDTLS_AES_C */
  791. int mbedtls_cmac_self_test( int verbose )
  792. {
  793. int ret;
  794. #if defined(MBEDTLS_AES_C)
  795. /* AES-128 */
  796. if( ( ret = cmac_test_subkeys( verbose,
  797. "AES 128",
  798. aes_128_key,
  799. 128,
  800. (const unsigned char*)aes_128_subkeys,
  801. MBEDTLS_CIPHER_AES_128_ECB,
  802. MBEDTLS_AES_BLOCK_SIZE,
  803. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  804. {
  805. return( ret );
  806. }
  807. if( ( ret = cmac_test_wth_cipher( verbose,
  808. "AES 128",
  809. aes_128_key,
  810. 128,
  811. test_message,
  812. aes_message_lengths,
  813. (const unsigned char*)aes_128_expected_result,
  814. MBEDTLS_CIPHER_AES_128_ECB,
  815. MBEDTLS_AES_BLOCK_SIZE,
  816. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  817. {
  818. return( ret );
  819. }
  820. /* AES-192 */
  821. if( ( ret = cmac_test_subkeys( verbose,
  822. "AES 192",
  823. aes_192_key,
  824. 192,
  825. (const unsigned char*)aes_192_subkeys,
  826. MBEDTLS_CIPHER_AES_192_ECB,
  827. MBEDTLS_AES_BLOCK_SIZE,
  828. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  829. {
  830. return( ret );
  831. }
  832. if( ( ret = cmac_test_wth_cipher( verbose,
  833. "AES 192",
  834. aes_192_key,
  835. 192,
  836. test_message,
  837. aes_message_lengths,
  838. (const unsigned char*)aes_192_expected_result,
  839. MBEDTLS_CIPHER_AES_192_ECB,
  840. MBEDTLS_AES_BLOCK_SIZE,
  841. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  842. {
  843. return( ret );
  844. }
  845. /* AES-256 */
  846. if( ( ret = cmac_test_subkeys( verbose,
  847. "AES 256",
  848. aes_256_key,
  849. 256,
  850. (const unsigned char*)aes_256_subkeys,
  851. MBEDTLS_CIPHER_AES_256_ECB,
  852. MBEDTLS_AES_BLOCK_SIZE,
  853. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  854. {
  855. return( ret );
  856. }
  857. if( ( ret = cmac_test_wth_cipher ( verbose,
  858. "AES 256",
  859. aes_256_key,
  860. 256,
  861. test_message,
  862. aes_message_lengths,
  863. (const unsigned char*)aes_256_expected_result,
  864. MBEDTLS_CIPHER_AES_256_ECB,
  865. MBEDTLS_AES_BLOCK_SIZE,
  866. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  867. {
  868. return( ret );
  869. }
  870. #endif /* MBEDTLS_AES_C */
  871. #if defined(MBEDTLS_DES_C)
  872. /* 3DES 2 key */
  873. if( ( ret = cmac_test_subkeys( verbose,
  874. "3DES 2 key",
  875. des3_2key_key,
  876. 192,
  877. (const unsigned char*)des3_2key_subkeys,
  878. MBEDTLS_CIPHER_DES_EDE3_ECB,
  879. MBEDTLS_DES3_BLOCK_SIZE,
  880. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  881. {
  882. return( ret );
  883. }
  884. if( ( ret = cmac_test_wth_cipher( verbose,
  885. "3DES 2 key",
  886. des3_2key_key,
  887. 192,
  888. test_message,
  889. des3_message_lengths,
  890. (const unsigned char*)des3_2key_expected_result,
  891. MBEDTLS_CIPHER_DES_EDE3_ECB,
  892. MBEDTLS_DES3_BLOCK_SIZE,
  893. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  894. {
  895. return( ret );
  896. }
  897. /* 3DES 3 key */
  898. if( ( ret = cmac_test_subkeys( verbose,
  899. "3DES 3 key",
  900. des3_3key_key,
  901. 192,
  902. (const unsigned char*)des3_3key_subkeys,
  903. MBEDTLS_CIPHER_DES_EDE3_ECB,
  904. MBEDTLS_DES3_BLOCK_SIZE,
  905. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  906. {
  907. return( ret );
  908. }
  909. if( ( ret = cmac_test_wth_cipher( verbose,
  910. "3DES 3 key",
  911. des3_3key_key,
  912. 192,
  913. test_message,
  914. des3_message_lengths,
  915. (const unsigned char*)des3_3key_expected_result,
  916. MBEDTLS_CIPHER_DES_EDE3_ECB,
  917. MBEDTLS_DES3_BLOCK_SIZE,
  918. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  919. {
  920. return( ret );
  921. }
  922. #endif /* MBEDTLS_DES_C */
  923. #if defined(MBEDTLS_AES_C)
  924. if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
  925. return( ret );
  926. #endif /* MBEDTLS_AES_C */
  927. if( verbose != 0 )
  928. mbedtls_printf( "\n" );
  929. return( 0 );
  930. }
  931. #endif /* MBEDTLS_SELF_TEST */
  932. #endif /* MBEDTLS_CMAC_C */