1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22 /*
23 * References:
24 *
25 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
26 * CMAC Mode for Authentication
27 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
28 *
29 * - RFC 4493 - The AES-CMAC Algorithm
30 * https://tools.ietf.org/html/rfc4493
31 *
32 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
33 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
34 * Algorithm for the Internet Key Exchange Protocol (IKE)
35 * https://tools.ietf.org/html/rfc4615
36 *
37 * Additional test vectors: ISO/IEC 9797-1
38 *
39 */
40
41 #include "common.h"
42
43 #if defined(MBEDTLS_CMAC_C)
44
45 #include "mbedtls/cmac.h"
46 #include "mbedtls/platform_util.h"
47 #include "mbedtls/error.h"
48 #include "mbedtls/platform.h"
49
50 #include <string.h>
51
52 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
53
54 /*
55 * Multiplication by u in the Galois field of GF(2^n)
56 *
57 * As explained in NIST SP 800-38B, this can be computed:
58 *
59 * If MSB(p) = 0, then p = (p << 1)
60 * If MSB(p) = 1, then p = (p << 1) ^ R_n
61 * with R_64 = 0x1B and R_128 = 0x87
62 *
63 * Input and output MUST NOT point to the same buffer
64 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
65 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)66 static int cmac_multiply_by_u( unsigned char *output,
67 const unsigned char *input,
68 size_t blocksize )
69 {
70 const unsigned char R_128 = 0x87;
71 const unsigned char R_64 = 0x1B;
72 unsigned char R_n, mask;
73 unsigned char overflow = 0x00;
74 int i;
75
76 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
77 {
78 R_n = R_128;
79 }
80 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
81 {
82 R_n = R_64;
83 }
84 else
85 {
86 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
87 }
88
89 for( i = (int)blocksize - 1; i >= 0; i-- )
90 {
91 output[i] = input[i] << 1 | overflow;
92 overflow = input[i] >> 7;
93 }
94
95 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
96 * using bit operations to avoid branches */
97
98 /* MSVC has a warning about unary minus on unsigned, but this is
99 * well-defined and precisely what we want to do here */
100 #if defined(_MSC_VER)
101 #pragma warning( push )
102 #pragma warning( disable : 4146 )
103 #endif
104 mask = - ( input[0] >> 7 );
105 #if defined(_MSC_VER)
106 #pragma warning( pop )
107 #endif
108
109 output[ blocksize - 1 ] ^= R_n & mask;
110
111 return( 0 );
112 }
113
114 /*
115 * Generate subkeys
116 *
117 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
118 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)119 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
120 unsigned char* K1, unsigned char* K2 )
121 {
122 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
123 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
124 size_t olen, block_size;
125
126 mbedtls_platform_zeroize( L, sizeof( L ) );
127
128 block_size = ctx->cipher_info->block_size;
129
130 /* Calculate Ek(0) */
131 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
132 goto exit;
133
134 /*
135 * Generate K1 and K2
136 */
137 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
138 goto exit;
139
140 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
141 goto exit;
142
143 exit:
144 mbedtls_platform_zeroize( L, sizeof( L ) );
145
146 return( ret );
147 }
148 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
149
150 #if !defined(MBEDTLS_CMAC_ALT)
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)151 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
152 const unsigned char *input2,
153 const size_t block_size )
154 {
155 size_t idx;
156
157 for( idx = 0; idx < block_size; idx++ )
158 output[ idx ] = input1[ idx ] ^ input2[ idx ];
159 }
160
161 /*
162 * Create padded last block from (partial) last block.
163 *
164 * We can't use the padding option from the cipher layer, as it only works for
165 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
166 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)167 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
168 size_t padded_block_len,
169 const unsigned char *last_block,
170 size_t last_block_len )
171 {
172 size_t j;
173
174 for( j = 0; j < padded_block_len; j++ )
175 {
176 if( j < last_block_len )
177 padded_block[j] = last_block[j];
178 else if( j == last_block_len )
179 padded_block[j] = 0x80;
180 else
181 padded_block[j] = 0x00;
182 }
183 }
184
mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t * ctx)185 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx)
186 {
187 mbedtls_cmac_context_t *cmac_ctx;
188
189 /* Allocated and initialise in the cipher context memory for the CMAC
190 * context */
191 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
192 if( cmac_ctx == NULL )
193 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
194
195 ctx->cmac_ctx = cmac_ctx;
196
197 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
198 return 0;
199 }
200
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)201 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
202 const unsigned char *key, size_t keybits )
203 {
204 mbedtls_cipher_type_t type;
205 int retval;
206
207 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
208 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
209
210 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
211 MBEDTLS_ENCRYPT ) ) != 0 )
212 return( retval );
213
214 type = ctx->cipher_info->type;
215
216 switch( type )
217 {
218 case MBEDTLS_CIPHER_AES_128_ECB:
219 case MBEDTLS_CIPHER_AES_192_ECB:
220 case MBEDTLS_CIPHER_AES_256_ECB:
221 case MBEDTLS_CIPHER_DES_EDE3_ECB:
222 break;
223 default:
224 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
225 }
226
227 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */
228 if( ctx->cmac_ctx != NULL )
229 return 0;
230
231 return mbedtls_cipher_cmac_setup( ctx );
232 }
233
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)234 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
235 const unsigned char *input, size_t ilen )
236 {
237 mbedtls_cmac_context_t* cmac_ctx;
238 unsigned char *state;
239 int ret = 0;
240 size_t n, j, olen, block_size;
241
242 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
243 ctx->cmac_ctx == NULL )
244 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
245
246 cmac_ctx = ctx->cmac_ctx;
247 block_size = ctx->cipher_info->block_size;
248 state = ctx->cmac_ctx->state;
249
250 /* Is there data still to process from the last call, that's greater in
251 * size than a block? */
252 if( cmac_ctx->unprocessed_len > 0 &&
253 ilen > block_size - cmac_ctx->unprocessed_len )
254 {
255 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
256 input,
257 block_size - cmac_ctx->unprocessed_len );
258
259 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
260
261 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
262 &olen ) ) != 0 )
263 {
264 goto exit;
265 }
266
267 input += block_size - cmac_ctx->unprocessed_len;
268 ilen -= block_size - cmac_ctx->unprocessed_len;
269 cmac_ctx->unprocessed_len = 0;
270 }
271
272 /* n is the number of blocks including any final partial block */
273 n = ( ilen + block_size - 1 ) / block_size;
274
275 /* Iterate across the input data in block sized chunks, excluding any
276 * final partial or complete block */
277 for( j = 1; j < n; j++ )
278 {
279 cmac_xor_block( state, input, state, block_size );
280
281 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
282 &olen ) ) != 0 )
283 goto exit;
284
285 ilen -= block_size;
286 input += block_size;
287 }
288
289 /* If there is data left over that wasn't aligned to a block */
290 if( ilen > 0 )
291 {
292 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
293 input,
294 ilen );
295 cmac_ctx->unprocessed_len += ilen;
296 }
297
298 exit:
299 return( ret );
300 }
301
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)302 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
303 unsigned char *output )
304 {
305 mbedtls_cmac_context_t* cmac_ctx;
306 unsigned char *state, *last_block;
307 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
308 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
309 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
311 size_t olen, block_size;
312
313 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
314 output == NULL )
315 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
316
317 cmac_ctx = ctx->cmac_ctx;
318 block_size = ctx->cipher_info->block_size;
319 state = cmac_ctx->state;
320
321 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
322 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
323 cmac_generate_subkeys( ctx, K1, K2 );
324
325 last_block = cmac_ctx->unprocessed_block;
326
327 /* Calculate last block */
328 if( cmac_ctx->unprocessed_len < block_size )
329 {
330 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
331 cmac_xor_block( M_last, M_last, K2, block_size );
332 }
333 else
334 {
335 /* Last block is complete block */
336 cmac_xor_block( M_last, last_block, K1, block_size );
337 }
338
339
340 cmac_xor_block( state, M_last, state, block_size );
341 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
342 &olen ) ) != 0 )
343 {
344 goto exit;
345 }
346
347 memcpy( output, state, block_size );
348
349 exit:
350 /* Wipe the generated keys on the stack, and any other transients to avoid
351 * side channel leakage */
352 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
353 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
354
355 cmac_ctx->unprocessed_len = 0;
356 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
357 sizeof( cmac_ctx->unprocessed_block ) );
358
359 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
360 return( ret );
361 }
362
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)363 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
364 {
365 mbedtls_cmac_context_t* cmac_ctx;
366
367 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
368 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
369
370 cmac_ctx = ctx->cmac_ctx;
371
372 /* Reset the internal state */
373 cmac_ctx->unprocessed_len = 0;
374 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
375 sizeof( cmac_ctx->unprocessed_block ) );
376 mbedtls_platform_zeroize( cmac_ctx->state,
377 sizeof( cmac_ctx->state ) );
378
379 return( 0 );
380 }
381
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)382 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
383 const unsigned char *key, size_t keylen,
384 const unsigned char *input, size_t ilen,
385 unsigned char *output )
386 {
387 mbedtls_cipher_context_t ctx;
388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
389
390 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
391 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
392
393 mbedtls_cipher_init( &ctx );
394
395 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
396 goto exit;
397
398 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
399 if( ret != 0 )
400 goto exit;
401
402 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
403 if( ret != 0 )
404 goto exit;
405
406 ret = mbedtls_cipher_cmac_finish( &ctx, output );
407
408 exit:
409 mbedtls_cipher_free( &ctx );
410
411 return( ret );
412 }
413
414 #if defined(MBEDTLS_AES_C)
415 /*
416 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
417 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])418 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
419 const unsigned char *input, size_t in_len,
420 unsigned char output[16] )
421 {
422 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
423 const mbedtls_cipher_info_t *cipher_info;
424 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
425 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
426
427 if( key == NULL || input == NULL || output == NULL )
428 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
429
430 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
431 if( cipher_info == NULL )
432 {
433 /* Failing at this point must be due to a build issue */
434 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
435 goto exit;
436 }
437
438 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
439 {
440 /* Use key as is */
441 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
442 }
443 else
444 {
445 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
446
447 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
448 key_length, int_key );
449 if( ret != 0 )
450 goto exit;
451 }
452
453 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
454 output );
455
456 exit:
457 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
458
459 return( ret );
460 }
461 #endif /* MBEDTLS_AES_C */
462
463 #endif /* !MBEDTLS_CMAC_ALT */
464
465 #if defined(MBEDTLS_SELF_TEST)
466 /*
467 * CMAC test data for SP800-38B
468 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
469 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
470 *
471 * AES-CMAC-PRF-128 test data from RFC 4615
472 * https://tools.ietf.org/html/rfc4615#page-4
473 */
474
475 #define NB_CMAC_TESTS_PER_KEY 4
476 #define NB_PRF_TESTS 3
477
478 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
479 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
480 static const unsigned char test_message[] = {
481 /* PT */
482 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
483 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
484 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
485 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
486 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
487 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
488 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
489 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
490 };
491 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
492
493 #if defined(MBEDTLS_AES_C)
494 /* Truncation point of message for AES CMAC tests */
495 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
496 /* Mlen */
497 0,
498 16,
499 20,
500 64
501 };
502
503 /* CMAC-AES128 Test Data */
504 static const unsigned char aes_128_key[16] = {
505 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
506 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
507 };
508 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
509 {
510 /* K1 */
511 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
512 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
513 },
514 {
515 /* K2 */
516 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
517 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
518 }
519 };
520 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
521 {
522 /* Example #1 */
523 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
524 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
525 },
526 {
527 /* Example #2 */
528 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
529 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
530 },
531 {
532 /* Example #3 */
533 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
534 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
535 },
536 {
537 /* Example #4 */
538 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
539 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
540 }
541 };
542
543 /* CMAC-AES192 Test Data */
544 static const unsigned char aes_192_key[24] = {
545 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
546 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
547 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
548 };
549 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
550 {
551 /* K1 */
552 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
553 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
554 },
555 {
556 /* K2 */
557 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
558 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
559 }
560 };
561 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
562 {
563 /* Example #1 */
564 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
565 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
566 },
567 {
568 /* Example #2 */
569 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
570 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
571 },
572 {
573 /* Example #3 */
574 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
575 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
576 },
577 {
578 /* Example #4 */
579 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
580 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
581 }
582 };
583
584 /* CMAC-AES256 Test Data */
585 static const unsigned char aes_256_key[32] = {
586 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
587 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
588 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
589 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
590 };
591 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
592 {
593 /* K1 */
594 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
595 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
596 },
597 {
598 /* K2 */
599 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
600 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
601 }
602 };
603 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
604 {
605 /* Example #1 */
606 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
607 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
608 },
609 {
610 /* Example #2 */
611 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
612 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
613 },
614 {
615 /* Example #3 */
616 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
617 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
618 },
619 {
620 /* Example #4 */
621 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
622 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
623 }
624 };
625 #endif /* MBEDTLS_AES_C */
626
627 #if defined(MBEDTLS_DES_C)
628 /* Truncation point of message for 3DES CMAC tests */
629 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
630 0,
631 16,
632 20,
633 32
634 };
635
636 /* CMAC-TDES (Generation) - 2 Key Test Data */
637 static const unsigned char des3_2key_key[24] = {
638 /* Key1 */
639 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
640 /* Key2 */
641 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
642 /* Key3 */
643 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
644 };
645 static const unsigned char des3_2key_subkeys[2][8] = {
646 {
647 /* K1 */
648 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
649 },
650 {
651 /* K2 */
652 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
653 }
654 };
655 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
656 {
657 /* Sample #1 */
658 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
659 },
660 {
661 /* Sample #2 */
662 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
663 },
664 {
665 /* Sample #3 */
666 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
667 },
668 {
669 /* Sample #4 */
670 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
671 }
672 };
673
674 /* CMAC-TDES (Generation) - 3 Key Test Data */
675 static const unsigned char des3_3key_key[24] = {
676 /* Key1 */
677 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
678 /* Key2 */
679 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
680 /* Key3 */
681 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
682 };
683 static const unsigned char des3_3key_subkeys[2][8] = {
684 {
685 /* K1 */
686 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
687 },
688 {
689 /* K2 */
690 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
691 }
692 };
693 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
694 {
695 /* Sample #1 */
696 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
697 },
698 {
699 /* Sample #2 */
700 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
701 },
702 {
703 /* Sample #3 */
704 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
705 },
706 {
707 /* Sample #4 */
708 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
709 }
710 };
711
712 #endif /* MBEDTLS_DES_C */
713
714 #if defined(MBEDTLS_AES_C)
715 /* AES AES-CMAC-PRF-128 Test Data */
716 static const unsigned char PRFK[] = {
717 /* Key */
718 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
719 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
720 0xed, 0xcb
721 };
722
723 /* Sizes in bytes */
724 static const size_t PRFKlen[NB_PRF_TESTS] = {
725 18,
726 16,
727 10
728 };
729
730 /* Message */
731 static const unsigned char PRFM[] = {
732 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
733 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
734 0x10, 0x11, 0x12, 0x13
735 };
736
737 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
738 {
739 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
740 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
741 },
742 {
743 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
744 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
745 },
746 {
747 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
748 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
749 }
750 };
751 #endif /* MBEDTLS_AES_C */
752
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)753 static int cmac_test_subkeys( int verbose,
754 const char* testname,
755 const unsigned char* key,
756 int keybits,
757 const unsigned char* subkeys,
758 mbedtls_cipher_type_t cipher_type,
759 int block_size,
760 int num_tests )
761 {
762 int i, ret = 0;
763 mbedtls_cipher_context_t ctx;
764 const mbedtls_cipher_info_t *cipher_info;
765 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
766 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
767
768 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
769 if( cipher_info == NULL )
770 {
771 /* Failing at this point must be due to a build issue */
772 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
773 }
774
775 for( i = 0; i < num_tests; i++ )
776 {
777 if( verbose != 0 )
778 mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 );
779
780 mbedtls_cipher_init( &ctx );
781
782 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
783 {
784 if( verbose != 0 )
785 mbedtls_printf( "test execution failed\n" );
786
787 goto cleanup;
788 }
789
790 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
791 MBEDTLS_ENCRYPT ) ) != 0 )
792 {
793 /* When CMAC is implemented by an alternative implementation, or
794 * the underlying primitive itself is implemented alternatively,
795 * AES-192 may be unavailable. This should not cause the selftest
796 * function to fail. */
797 if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
798 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
799 cipher_type == MBEDTLS_CIPHER_AES_192_ECB ) {
800 if( verbose != 0 )
801 mbedtls_printf( "skipped\n" );
802 goto next_test;
803 }
804
805 if( verbose != 0 )
806 mbedtls_printf( "test execution failed\n" );
807
808 goto cleanup;
809 }
810
811 ret = cmac_generate_subkeys( &ctx, K1, K2 );
812 if( ret != 0 )
813 {
814 if( verbose != 0 )
815 mbedtls_printf( "failed\n" );
816
817 goto cleanup;
818 }
819
820 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
821 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
822 {
823 if( verbose != 0 )
824 mbedtls_printf( "failed\n" );
825
826 goto cleanup;
827 }
828
829 if( verbose != 0 )
830 mbedtls_printf( "passed\n" );
831
832 next_test:
833 mbedtls_cipher_free( &ctx );
834 }
835
836 ret = 0;
837 goto exit;
838
839 cleanup:
840 mbedtls_cipher_free( &ctx );
841
842 exit:
843 return( ret );
844 }
845
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)846 static int cmac_test_wth_cipher( int verbose,
847 const char* testname,
848 const unsigned char* key,
849 int keybits,
850 const unsigned char* messages,
851 const unsigned int message_lengths[4],
852 const unsigned char* expected_result,
853 mbedtls_cipher_type_t cipher_type,
854 int block_size,
855 int num_tests )
856 {
857 const mbedtls_cipher_info_t *cipher_info;
858 int i, ret = 0;
859 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
860
861 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
862 if( cipher_info == NULL )
863 {
864 /* Failing at this point must be due to a build issue */
865 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
866 goto exit;
867 }
868
869 for( i = 0; i < num_tests; i++ )
870 {
871 if( verbose != 0 )
872 mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 );
873
874 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
875 message_lengths[i], output ) ) != 0 )
876 {
877 /* When CMAC is implemented by an alternative implementation, or
878 * the underlying primitive itself is implemented alternatively,
879 * AES-192 and/or 3DES may be unavailable. This should not cause
880 * the selftest function to fail. */
881 if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
882 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
883 ( cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
884 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB ) ) {
885 if( verbose != 0 )
886 mbedtls_printf( "skipped\n" );
887 continue;
888 }
889
890 if( verbose != 0 )
891 mbedtls_printf( "failed\n" );
892 goto exit;
893 }
894
895 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
896 {
897 if( verbose != 0 )
898 mbedtls_printf( "failed\n" );
899 goto exit;
900 }
901
902 if( verbose != 0 )
903 mbedtls_printf( "passed\n" );
904 }
905 ret = 0;
906
907 exit:
908 return( ret );
909 }
910
911 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)912 static int test_aes128_cmac_prf( int verbose )
913 {
914 int i;
915 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
916 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
917
918 for( i = 0; i < NB_PRF_TESTS; i++ )
919 {
920 mbedtls_printf( " AES CMAC 128 PRF #%d: ", i );
921 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
922 if( ret != 0 ||
923 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
924 {
925
926 if( verbose != 0 )
927 mbedtls_printf( "failed\n" );
928
929 return( ret );
930 }
931 else if( verbose != 0 )
932 {
933 mbedtls_printf( "passed\n" );
934 }
935 }
936 return( ret );
937 }
938 #endif /* MBEDTLS_AES_C */
939
mbedtls_cmac_self_test(int verbose)940 int mbedtls_cmac_self_test( int verbose )
941 {
942 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
943
944 #if defined(MBEDTLS_AES_C)
945 /* AES-128 */
946 if( ( ret = cmac_test_subkeys( verbose,
947 "AES 128",
948 aes_128_key,
949 128,
950 (const unsigned char*)aes_128_subkeys,
951 MBEDTLS_CIPHER_AES_128_ECB,
952 MBEDTLS_AES_BLOCK_SIZE,
953 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
954 {
955 return( ret );
956 }
957
958 if( ( ret = cmac_test_wth_cipher( verbose,
959 "AES 128",
960 aes_128_key,
961 128,
962 test_message,
963 aes_message_lengths,
964 (const unsigned char*)aes_128_expected_result,
965 MBEDTLS_CIPHER_AES_128_ECB,
966 MBEDTLS_AES_BLOCK_SIZE,
967 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
968 {
969 return( ret );
970 }
971
972 /* AES-192 */
973 if( ( ret = cmac_test_subkeys( verbose,
974 "AES 192",
975 aes_192_key,
976 192,
977 (const unsigned char*)aes_192_subkeys,
978 MBEDTLS_CIPHER_AES_192_ECB,
979 MBEDTLS_AES_BLOCK_SIZE,
980 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
981 {
982 return( ret );
983 }
984
985 if( ( ret = cmac_test_wth_cipher( verbose,
986 "AES 192",
987 aes_192_key,
988 192,
989 test_message,
990 aes_message_lengths,
991 (const unsigned char*)aes_192_expected_result,
992 MBEDTLS_CIPHER_AES_192_ECB,
993 MBEDTLS_AES_BLOCK_SIZE,
994 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
995 {
996 return( ret );
997 }
998
999 /* AES-256 */
1000 if( ( ret = cmac_test_subkeys( verbose,
1001 "AES 256",
1002 aes_256_key,
1003 256,
1004 (const unsigned char*)aes_256_subkeys,
1005 MBEDTLS_CIPHER_AES_256_ECB,
1006 MBEDTLS_AES_BLOCK_SIZE,
1007 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1008 {
1009 return( ret );
1010 }
1011
1012 if( ( ret = cmac_test_wth_cipher ( verbose,
1013 "AES 256",
1014 aes_256_key,
1015 256,
1016 test_message,
1017 aes_message_lengths,
1018 (const unsigned char*)aes_256_expected_result,
1019 MBEDTLS_CIPHER_AES_256_ECB,
1020 MBEDTLS_AES_BLOCK_SIZE,
1021 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1022 {
1023 return( ret );
1024 }
1025 #endif /* MBEDTLS_AES_C */
1026
1027 #if defined(MBEDTLS_DES_C)
1028 /* 3DES 2 key */
1029 if( ( ret = cmac_test_subkeys( verbose,
1030 "3DES 2 key",
1031 des3_2key_key,
1032 192,
1033 (const unsigned char*)des3_2key_subkeys,
1034 MBEDTLS_CIPHER_DES_EDE3_ECB,
1035 MBEDTLS_DES3_BLOCK_SIZE,
1036 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1037 {
1038 return( ret );
1039 }
1040
1041 if( ( ret = cmac_test_wth_cipher( verbose,
1042 "3DES 2 key",
1043 des3_2key_key,
1044 192,
1045 test_message,
1046 des3_message_lengths,
1047 (const unsigned char*)des3_2key_expected_result,
1048 MBEDTLS_CIPHER_DES_EDE3_ECB,
1049 MBEDTLS_DES3_BLOCK_SIZE,
1050 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1051 {
1052 return( ret );
1053 }
1054
1055 /* 3DES 3 key */
1056 if( ( ret = cmac_test_subkeys( verbose,
1057 "3DES 3 key",
1058 des3_3key_key,
1059 192,
1060 (const unsigned char*)des3_3key_subkeys,
1061 MBEDTLS_CIPHER_DES_EDE3_ECB,
1062 MBEDTLS_DES3_BLOCK_SIZE,
1063 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1064 {
1065 return( ret );
1066 }
1067
1068 if( ( ret = cmac_test_wth_cipher( verbose,
1069 "3DES 3 key",
1070 des3_3key_key,
1071 192,
1072 test_message,
1073 des3_message_lengths,
1074 (const unsigned char*)des3_3key_expected_result,
1075 MBEDTLS_CIPHER_DES_EDE3_ECB,
1076 MBEDTLS_DES3_BLOCK_SIZE,
1077 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1078 {
1079 return( ret );
1080 }
1081 #endif /* MBEDTLS_DES_C */
1082
1083 #if defined(MBEDTLS_AES_C)
1084 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1085 return( ret );
1086 #endif /* MBEDTLS_AES_C */
1087
1088 if( verbose != 0 )
1089 mbedtls_printf( "\n" );
1090
1091 return( 0 );
1092 }
1093
1094 #endif /* MBEDTLS_SELF_TEST */
1095
1096 #endif /* MBEDTLS_CMAC_C */
1097