cmac.c 32 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074
  1. /*
  2. * \file cmac.c
  3. *
  4. * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
  5. *
  6. * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
  7. * SPDX-License-Identifier: Apache-2.0
  8. *
  9. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  10. * not use this file except in compliance with the License.
  11. * You may obtain a copy of the License at
  12. *
  13. * http://www.apache.org/licenses/LICENSE-2.0
  14. *
  15. * Unless required by applicable law or agreed to in writing, software
  16. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  17. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  18. * See the License for the specific language governing permissions and
  19. * limitations under the License.
  20. *
  21. * This file is part of mbed TLS (https://tls.mbed.org)
  22. */
  23. /*
  24. * References:
  25. *
  26. * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
  27. * CMAC Mode for Authentication
  28. * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
  29. *
  30. * - RFC 4493 - The AES-CMAC Algorithm
  31. * https://tools.ietf.org/html/rfc4493
  32. *
  33. * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
  34. * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  35. * Algorithm for the Internet Key Exchange Protocol (IKE)
  36. * https://tools.ietf.org/html/rfc4615
  37. *
  38. * Additional test vectors: ISO/IEC 9797-1
  39. *
  40. */
  41. #if !defined(MBEDTLS_CONFIG_FILE)
  42. #include "mbedtls/config.h"
  43. #else
  44. #include MBEDTLS_CONFIG_FILE
  45. #endif
  46. #if defined(MBEDTLS_CMAC_C)
  47. #include "mbedtls/cmac.h"
  48. #include <string.h>
  49. #if defined(MBEDTLS_PLATFORM_C)
  50. #include "mbedtls/platform.h"
  51. #else
  52. #include <stdlib.h>
  53. #define mbedtls_calloc calloc
  54. #define mbedtls_free free
  55. #if defined(MBEDTLS_SELF_TEST)
  56. #include <stdio.h>
  57. #define mbedtls_printf printf
  58. #endif /* MBEDTLS_SELF_TEST */
  59. #endif /* MBEDTLS_PLATFORM_C */
  60. /* Implementation that should never be optimized out by the compiler */
  61. static void mbedtls_zeroize( void *v, size_t n ) {
  62. volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
  63. }
  64. /*
  65. * Multiplication by u in the Galois field of GF(2^n)
  66. *
  67. * As explained in NIST SP 800-38B, this can be computed:
  68. *
  69. * If MSB(p) = 0, then p = (p << 1)
  70. * If MSB(p) = 1, then p = (p << 1) ^ R_n
  71. * with R_64 = 0x1B and R_128 = 0x87
  72. *
  73. * Input and output MUST NOT point to the same buffer
  74. * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
  75. */
  76. static int cmac_multiply_by_u( unsigned char *output,
  77. const unsigned char *input,
  78. size_t blocksize )
  79. {
  80. const unsigned char R_128 = 0x87;
  81. const unsigned char R_64 = 0x1B;
  82. unsigned char R_n, mask;
  83. unsigned char overflow = 0x00;
  84. int i;
  85. if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
  86. {
  87. R_n = R_128;
  88. }
  89. else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
  90. {
  91. R_n = R_64;
  92. }
  93. else
  94. {
  95. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  96. }
  97. for( i = (int)blocksize - 1; i >= 0; i-- )
  98. {
  99. output[i] = input[i] << 1 | overflow;
  100. overflow = input[i] >> 7;
  101. }
  102. /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
  103. * using bit operations to avoid branches */
  104. /* MSVC has a warning about unary minus on unsigned, but this is
  105. * well-defined and precisely what we want to do here */
  106. #if defined(_MSC_VER)
  107. #pragma warning( push )
  108. #pragma warning( disable : 4146 )
  109. #endif
  110. mask = - ( input[0] >> 7 );
  111. #if defined(_MSC_VER)
  112. #pragma warning( pop )
  113. #endif
  114. output[ blocksize - 1 ] ^= R_n & mask;
  115. return( 0 );
  116. }
  117. /*
  118. * Generate subkeys
  119. *
  120. * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
  121. */
  122. static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
  123. unsigned char* K1, unsigned char* K2 )
  124. {
  125. int ret;
  126. unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
  127. size_t olen, block_size;
  128. mbedtls_zeroize( L, sizeof( L ) );
  129. block_size = ctx->cipher_info->block_size;
  130. /* Calculate Ek(0) */
  131. if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
  132. goto exit;
  133. /*
  134. * Generate K1 and K2
  135. */
  136. if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
  137. goto exit;
  138. if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
  139. goto exit;
  140. exit:
  141. mbedtls_zeroize( L, sizeof( L ) );
  142. return( ret );
  143. }
  144. static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
  145. const unsigned char *input2,
  146. const size_t block_size )
  147. {
  148. size_t index;
  149. for( index = 0; index < block_size; index++ )
  150. output[ index ] = input1[ index ] ^ input2[ index ];
  151. }
  152. /*
  153. * Create padded last block from (partial) last block.
  154. *
  155. * We can't use the padding option from the cipher layer, as it only works for
  156. * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
  157. */
  158. static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
  159. size_t padded_block_len,
  160. const unsigned char *last_block,
  161. size_t last_block_len )
  162. {
  163. size_t j;
  164. for( j = 0; j < padded_block_len; j++ )
  165. {
  166. if( j < last_block_len )
  167. padded_block[j] = last_block[j];
  168. else if( j == last_block_len )
  169. padded_block[j] = 0x80;
  170. else
  171. padded_block[j] = 0x00;
  172. }
  173. }
  174. int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
  175. const unsigned char *key, size_t keybits )
  176. {
  177. mbedtls_cipher_type_t type;
  178. mbedtls_cmac_context_t *cmac_ctx;
  179. int retval;
  180. if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
  181. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  182. if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
  183. MBEDTLS_ENCRYPT ) ) != 0 )
  184. return( retval );
  185. type = ctx->cipher_info->type;
  186. switch( type )
  187. {
  188. case MBEDTLS_CIPHER_AES_128_ECB:
  189. case MBEDTLS_CIPHER_AES_192_ECB:
  190. case MBEDTLS_CIPHER_AES_256_ECB:
  191. case MBEDTLS_CIPHER_DES_EDE3_ECB:
  192. break;
  193. default:
  194. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  195. }
  196. /* Allocated and initialise in the cipher context memory for the CMAC
  197. * context */
  198. cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
  199. if( cmac_ctx == NULL )
  200. return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
  201. ctx->cmac_ctx = cmac_ctx;
  202. mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
  203. return 0;
  204. }
  205. int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
  206. const unsigned char *input, size_t ilen )
  207. {
  208. mbedtls_cmac_context_t* cmac_ctx;
  209. unsigned char *state;
  210. int ret = 0;
  211. size_t n, j, olen, block_size;
  212. if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
  213. ctx->cmac_ctx == NULL )
  214. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  215. cmac_ctx = ctx->cmac_ctx;
  216. block_size = ctx->cipher_info->block_size;
  217. state = ctx->cmac_ctx->state;
  218. /* Is there data still to process from the last call, that's greater in
  219. * size than a block? */
  220. if( cmac_ctx->unprocessed_len > 0 &&
  221. ilen > block_size - cmac_ctx->unprocessed_len )
  222. {
  223. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  224. input,
  225. block_size - cmac_ctx->unprocessed_len );
  226. cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
  227. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  228. &olen ) ) != 0 )
  229. {
  230. goto exit;
  231. }
  232. input += block_size - cmac_ctx->unprocessed_len;
  233. ilen -= block_size - cmac_ctx->unprocessed_len;
  234. cmac_ctx->unprocessed_len = 0;
  235. }
  236. /* n is the number of blocks including any final partial block */
  237. n = ( ilen + block_size - 1 ) / block_size;
  238. /* Iterate across the input data in block sized chunks, excluding any
  239. * final partial or complete block */
  240. for( j = 1; j < n; j++ )
  241. {
  242. cmac_xor_block( state, input, state, block_size );
  243. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  244. &olen ) ) != 0 )
  245. goto exit;
  246. ilen -= block_size;
  247. input += block_size;
  248. }
  249. /* If there is data left over that wasn't aligned to a block */
  250. if( ilen > 0 )
  251. {
  252. memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
  253. input,
  254. ilen );
  255. cmac_ctx->unprocessed_len += ilen;
  256. }
  257. exit:
  258. return( ret );
  259. }
  260. int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
  261. unsigned char *output )
  262. {
  263. mbedtls_cmac_context_t* cmac_ctx;
  264. unsigned char *state, *last_block;
  265. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  266. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  267. unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
  268. int ret;
  269. size_t olen, block_size;
  270. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
  271. output == NULL )
  272. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  273. cmac_ctx = ctx->cmac_ctx;
  274. block_size = ctx->cipher_info->block_size;
  275. state = cmac_ctx->state;
  276. mbedtls_zeroize( K1, sizeof( K1 ) );
  277. mbedtls_zeroize( K2, sizeof( K2 ) );
  278. cmac_generate_subkeys( ctx, K1, K2 );
  279. last_block = cmac_ctx->unprocessed_block;
  280. /* Calculate last block */
  281. if( cmac_ctx->unprocessed_len < block_size )
  282. {
  283. cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
  284. cmac_xor_block( M_last, M_last, K2, block_size );
  285. }
  286. else
  287. {
  288. /* Last block is complete block */
  289. cmac_xor_block( M_last, last_block, K1, block_size );
  290. }
  291. cmac_xor_block( state, M_last, state, block_size );
  292. if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
  293. &olen ) ) != 0 )
  294. {
  295. goto exit;
  296. }
  297. memcpy( output, state, block_size );
  298. exit:
  299. /* Wipe the generated keys on the stack, and any other transients to avoid
  300. * side channel leakage */
  301. mbedtls_zeroize( K1, sizeof( K1 ) );
  302. mbedtls_zeroize( K2, sizeof( K2 ) );
  303. cmac_ctx->unprocessed_len = 0;
  304. mbedtls_zeroize( cmac_ctx->unprocessed_block,
  305. sizeof( cmac_ctx->unprocessed_block ) );
  306. mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
  307. return( ret );
  308. }
  309. int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
  310. {
  311. mbedtls_cmac_context_t* cmac_ctx;
  312. if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
  313. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  314. cmac_ctx = ctx->cmac_ctx;
  315. /* Reset the internal state */
  316. cmac_ctx->unprocessed_len = 0;
  317. mbedtls_zeroize( cmac_ctx->unprocessed_block,
  318. sizeof( cmac_ctx->unprocessed_block ) );
  319. mbedtls_zeroize( cmac_ctx->state,
  320. sizeof( cmac_ctx->state ) );
  321. return( 0 );
  322. }
  323. int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
  324. const unsigned char *key, size_t keylen,
  325. const unsigned char *input, size_t ilen,
  326. unsigned char *output )
  327. {
  328. mbedtls_cipher_context_t ctx;
  329. int ret;
  330. if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
  331. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  332. mbedtls_cipher_init( &ctx );
  333. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  334. goto exit;
  335. ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
  336. if( ret != 0 )
  337. goto exit;
  338. ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
  339. if( ret != 0 )
  340. goto exit;
  341. ret = mbedtls_cipher_cmac_finish( &ctx, output );
  342. exit:
  343. mbedtls_cipher_free( &ctx );
  344. return( ret );
  345. }
  346. #if defined(MBEDTLS_AES_C)
  347. /*
  348. * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
  349. */
  350. int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
  351. const unsigned char *input, size_t in_len,
  352. unsigned char *output )
  353. {
  354. int ret;
  355. const mbedtls_cipher_info_t *cipher_info;
  356. unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
  357. unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
  358. if( key == NULL || input == NULL || output == NULL )
  359. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  360. cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
  361. if( cipher_info == NULL )
  362. {
  363. /* Failing at this point must be due to a build issue */
  364. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  365. goto exit;
  366. }
  367. if( key_length == MBEDTLS_AES_BLOCK_SIZE )
  368. {
  369. /* Use key as is */
  370. memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
  371. }
  372. else
  373. {
  374. memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
  375. ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
  376. key_length, int_key );
  377. if( ret != 0 )
  378. goto exit;
  379. }
  380. ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
  381. output );
  382. exit:
  383. mbedtls_zeroize( int_key, sizeof( int_key ) );
  384. return( ret );
  385. }
  386. #endif /* MBEDTLS_AES_C */
  387. #if defined(MBEDTLS_SELF_TEST)
  388. /*
  389. * CMAC test data for SP800-38B
  390. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
  391. * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
  392. *
  393. * AES-CMAC-PRF-128 test data from RFC 4615
  394. * https://tools.ietf.org/html/rfc4615#page-4
  395. */
  396. #define NB_CMAC_TESTS_PER_KEY 4
  397. #define NB_PRF_TESTS 3
  398. #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
  399. /* All CMAC test inputs are truncated from the same 64 byte buffer. */
  400. static const unsigned char test_message[] = {
  401. /* PT */
  402. 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
  403. 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
  404. 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
  405. 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
  406. 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
  407. 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
  408. 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
  409. 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
  410. };
  411. #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
  412. #if defined(MBEDTLS_AES_C)
  413. /* Truncation point of message for AES CMAC tests */
  414. static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  415. /* Mlen */
  416. 0,
  417. 16,
  418. 20,
  419. 64
  420. };
  421. /* CMAC-AES128 Test Data */
  422. static const unsigned char aes_128_key[16] = {
  423. 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
  424. 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
  425. };
  426. static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  427. {
  428. /* K1 */
  429. 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
  430. 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
  431. },
  432. {
  433. /* K2 */
  434. 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
  435. 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
  436. }
  437. };
  438. static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  439. {
  440. /* Example #1 */
  441. 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
  442. 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
  443. },
  444. {
  445. /* Example #2 */
  446. 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
  447. 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
  448. },
  449. {
  450. /* Example #3 */
  451. 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
  452. 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
  453. },
  454. {
  455. /* Example #4 */
  456. 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
  457. 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
  458. }
  459. };
  460. /* CMAC-AES192 Test Data */
  461. static const unsigned char aes_192_key[24] = {
  462. 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
  463. 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
  464. 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
  465. };
  466. static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  467. {
  468. /* K1 */
  469. 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
  470. 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
  471. },
  472. {
  473. /* K2 */
  474. 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
  475. 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
  476. }
  477. };
  478. static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  479. {
  480. /* Example #1 */
  481. 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
  482. 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
  483. },
  484. {
  485. /* Example #2 */
  486. 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
  487. 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
  488. },
  489. {
  490. /* Example #3 */
  491. 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
  492. 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
  493. },
  494. {
  495. /* Example #4 */
  496. 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
  497. 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
  498. }
  499. };
  500. /* CMAC-AES256 Test Data */
  501. static const unsigned char aes_256_key[32] = {
  502. 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
  503. 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
  504. 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
  505. 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
  506. };
  507. static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
  508. {
  509. /* K1 */
  510. 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
  511. 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
  512. },
  513. {
  514. /* K2 */
  515. 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
  516. 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
  517. }
  518. };
  519. static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
  520. {
  521. /* Example #1 */
  522. 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
  523. 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
  524. },
  525. {
  526. /* Example #2 */
  527. 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
  528. 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
  529. },
  530. {
  531. /* Example #3 */
  532. 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
  533. 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
  534. },
  535. {
  536. /* Example #4 */
  537. 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
  538. 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
  539. }
  540. };
  541. #endif /* MBEDTLS_AES_C */
  542. #if defined(MBEDTLS_DES_C)
  543. /* Truncation point of message for 3DES CMAC tests */
  544. static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
  545. 0,
  546. 16,
  547. 20,
  548. 32
  549. };
  550. /* CMAC-TDES (Generation) - 2 Key Test Data */
  551. static const unsigned char des3_2key_key[24] = {
  552. /* Key1 */
  553. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
  554. /* Key2 */
  555. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
  556. /* Key3 */
  557. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
  558. };
  559. static const unsigned char des3_2key_subkeys[2][8] = {
  560. {
  561. /* K1 */
  562. 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
  563. },
  564. {
  565. /* K2 */
  566. 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
  567. }
  568. };
  569. static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  570. {
  571. /* Sample #1 */
  572. 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
  573. },
  574. {
  575. /* Sample #2 */
  576. 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
  577. },
  578. {
  579. /* Sample #3 */
  580. 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
  581. },
  582. {
  583. /* Sample #4 */
  584. 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
  585. }
  586. };
  587. /* CMAC-TDES (Generation) - 3 Key Test Data */
  588. static const unsigned char des3_3key_key[24] = {
  589. /* Key1 */
  590. 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
  591. /* Key2 */
  592. 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
  593. /* Key3 */
  594. 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
  595. };
  596. static const unsigned char des3_3key_subkeys[2][8] = {
  597. {
  598. /* K1 */
  599. 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
  600. },
  601. {
  602. /* K2 */
  603. 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
  604. }
  605. };
  606. static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
  607. {
  608. /* Sample #1 */
  609. 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
  610. },
  611. {
  612. /* Sample #2 */
  613. 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
  614. },
  615. {
  616. /* Sample #3 */
  617. 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
  618. },
  619. {
  620. /* Sample #4 */
  621. 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
  622. }
  623. };
  624. #endif /* MBEDTLS_DES_C */
  625. #if defined(MBEDTLS_AES_C)
  626. /* AES AES-CMAC-PRF-128 Test Data */
  627. static const unsigned char PRFK[] = {
  628. /* Key */
  629. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  630. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  631. 0xed, 0xcb
  632. };
  633. /* Sizes in bytes */
  634. static const size_t PRFKlen[NB_PRF_TESTS] = {
  635. 18,
  636. 16,
  637. 10
  638. };
  639. /* Message */
  640. static const unsigned char PRFM[] = {
  641. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  642. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  643. 0x10, 0x11, 0x12, 0x13
  644. };
  645. static const unsigned char PRFT[NB_PRF_TESTS][16] = {
  646. {
  647. 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
  648. 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
  649. },
  650. {
  651. 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
  652. 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
  653. },
  654. {
  655. 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
  656. 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
  657. }
  658. };
  659. #endif /* MBEDTLS_AES_C */
  660. static int cmac_test_subkeys( int verbose,
  661. const char* testname,
  662. const unsigned char* key,
  663. int keybits,
  664. const unsigned char* subkeys,
  665. mbedtls_cipher_type_t cipher_type,
  666. int block_size,
  667. int num_tests )
  668. {
  669. int i, ret;
  670. mbedtls_cipher_context_t ctx;
  671. const mbedtls_cipher_info_t *cipher_info;
  672. unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
  673. unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
  674. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  675. if( cipher_info == NULL )
  676. {
  677. /* Failing at this point must be due to a build issue */
  678. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  679. }
  680. for( i = 0; i < num_tests; i++ )
  681. {
  682. if( verbose != 0 )
  683. mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
  684. mbedtls_cipher_init( &ctx );
  685. if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
  686. {
  687. if( verbose != 0 )
  688. mbedtls_printf( "test execution failed\n" );
  689. goto cleanup;
  690. }
  691. if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
  692. MBEDTLS_ENCRYPT ) ) != 0 )
  693. {
  694. if( verbose != 0 )
  695. mbedtls_printf( "test execution failed\n" );
  696. goto cleanup;
  697. }
  698. ret = cmac_generate_subkeys( &ctx, K1, K2 );
  699. if( ret != 0 )
  700. {
  701. if( verbose != 0 )
  702. mbedtls_printf( "failed\n" );
  703. goto cleanup;
  704. }
  705. if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
  706. ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
  707. {
  708. if( verbose != 0 )
  709. mbedtls_printf( "failed\n" );
  710. goto cleanup;
  711. }
  712. if( verbose != 0 )
  713. mbedtls_printf( "passed\n" );
  714. mbedtls_cipher_free( &ctx );
  715. }
  716. goto exit;
  717. cleanup:
  718. mbedtls_cipher_free( &ctx );
  719. exit:
  720. return( ret );
  721. }
  722. static int cmac_test_wth_cipher( int verbose,
  723. const char* testname,
  724. const unsigned char* key,
  725. int keybits,
  726. const unsigned char* messages,
  727. const unsigned int message_lengths[4],
  728. const unsigned char* expected_result,
  729. mbedtls_cipher_type_t cipher_type,
  730. int block_size,
  731. int num_tests )
  732. {
  733. const mbedtls_cipher_info_t *cipher_info;
  734. int i, ret;
  735. unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
  736. cipher_info = mbedtls_cipher_info_from_type( cipher_type );
  737. if( cipher_info == NULL )
  738. {
  739. /* Failing at this point must be due to a build issue */
  740. ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
  741. goto exit;
  742. }
  743. for( i = 0; i < num_tests; i++ )
  744. {
  745. if( verbose != 0 )
  746. mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
  747. if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
  748. message_lengths[i], output ) ) != 0 )
  749. {
  750. if( verbose != 0 )
  751. mbedtls_printf( "failed\n" );
  752. goto exit;
  753. }
  754. if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
  755. {
  756. if( verbose != 0 )
  757. mbedtls_printf( "failed\n" );
  758. goto exit;
  759. }
  760. if( verbose != 0 )
  761. mbedtls_printf( "passed\n" );
  762. }
  763. exit:
  764. return( ret );
  765. }
  766. #if defined(MBEDTLS_AES_C)
  767. static int test_aes128_cmac_prf( int verbose )
  768. {
  769. int i;
  770. int ret;
  771. unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
  772. for( i = 0; i < NB_PRF_TESTS; i++ )
  773. {
  774. mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
  775. ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
  776. if( ret != 0 ||
  777. memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
  778. {
  779. if( verbose != 0 )
  780. mbedtls_printf( "failed\n" );
  781. return( ret );
  782. }
  783. else if( verbose != 0 )
  784. {
  785. mbedtls_printf( "passed\n" );
  786. }
  787. }
  788. return( ret );
  789. }
  790. #endif /* MBEDTLS_AES_C */
  791. int mbedtls_cmac_self_test( int verbose )
  792. {
  793. int ret;
  794. #if defined(MBEDTLS_AES_C)
  795. /* AES-128 */
  796. if( ( ret = cmac_test_subkeys( verbose,
  797. "AES 128",
  798. aes_128_key,
  799. 128,
  800. (const unsigned char*)aes_128_subkeys,
  801. MBEDTLS_CIPHER_AES_128_ECB,
  802. MBEDTLS_AES_BLOCK_SIZE,
  803. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  804. {
  805. return( ret );
  806. }
  807. if( ( ret = cmac_test_wth_cipher( verbose,
  808. "AES 128",
  809. aes_128_key,
  810. 128,
  811. test_message,
  812. aes_message_lengths,
  813. (const unsigned char*)aes_128_expected_result,
  814. MBEDTLS_CIPHER_AES_128_ECB,
  815. MBEDTLS_AES_BLOCK_SIZE,
  816. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  817. {
  818. return( ret );
  819. }
  820. /* AES-192 */
  821. if( ( ret = cmac_test_subkeys( verbose,
  822. "AES 192",
  823. aes_192_key,
  824. 192,
  825. (const unsigned char*)aes_192_subkeys,
  826. MBEDTLS_CIPHER_AES_192_ECB,
  827. MBEDTLS_AES_BLOCK_SIZE,
  828. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  829. {
  830. return( ret );
  831. }
  832. if( ( ret = cmac_test_wth_cipher( verbose,
  833. "AES 192",
  834. aes_192_key,
  835. 192,
  836. test_message,
  837. aes_message_lengths,
  838. (const unsigned char*)aes_192_expected_result,
  839. MBEDTLS_CIPHER_AES_192_ECB,
  840. MBEDTLS_AES_BLOCK_SIZE,
  841. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  842. {
  843. return( ret );
  844. }
  845. /* AES-256 */
  846. if( ( ret = cmac_test_subkeys( verbose,
  847. "AES 256",
  848. aes_256_key,
  849. 256,
  850. (const unsigned char*)aes_256_subkeys,
  851. MBEDTLS_CIPHER_AES_256_ECB,
  852. MBEDTLS_AES_BLOCK_SIZE,
  853. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  854. {
  855. return( ret );
  856. }
  857. if( ( ret = cmac_test_wth_cipher ( verbose,
  858. "AES 256",
  859. aes_256_key,
  860. 256,
  861. test_message,
  862. aes_message_lengths,
  863. (const unsigned char*)aes_256_expected_result,
  864. MBEDTLS_CIPHER_AES_256_ECB,
  865. MBEDTLS_AES_BLOCK_SIZE,
  866. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  867. {
  868. return( ret );
  869. }
  870. #endif /* MBEDTLS_AES_C */
  871. #if defined(MBEDTLS_DES_C)
  872. /* 3DES 2 key */
  873. if( ( ret = cmac_test_subkeys( verbose,
  874. "3DES 2 key",
  875. des3_2key_key,
  876. 192,
  877. (const unsigned char*)des3_2key_subkeys,
  878. MBEDTLS_CIPHER_DES_EDE3_ECB,
  879. MBEDTLS_DES3_BLOCK_SIZE,
  880. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  881. {
  882. return( ret );
  883. }
  884. if( ( ret = cmac_test_wth_cipher( verbose,
  885. "3DES 2 key",
  886. des3_2key_key,
  887. 192,
  888. test_message,
  889. des3_message_lengths,
  890. (const unsigned char*)des3_2key_expected_result,
  891. MBEDTLS_CIPHER_DES_EDE3_ECB,
  892. MBEDTLS_DES3_BLOCK_SIZE,
  893. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  894. {
  895. return( ret );
  896. }
  897. /* 3DES 3 key */
  898. if( ( ret = cmac_test_subkeys( verbose,
  899. "3DES 3 key",
  900. des3_3key_key,
  901. 192,
  902. (const unsigned char*)des3_3key_subkeys,
  903. MBEDTLS_CIPHER_DES_EDE3_ECB,
  904. MBEDTLS_DES3_BLOCK_SIZE,
  905. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  906. {
  907. return( ret );
  908. }
  909. if( ( ret = cmac_test_wth_cipher( verbose,
  910. "3DES 3 key",
  911. des3_3key_key,
  912. 192,
  913. test_message,
  914. des3_message_lengths,
  915. (const unsigned char*)des3_3key_expected_result,
  916. MBEDTLS_CIPHER_DES_EDE3_ECB,
  917. MBEDTLS_DES3_BLOCK_SIZE,
  918. NB_CMAC_TESTS_PER_KEY ) ) != 0 )
  919. {
  920. return( ret );
  921. }
  922. #endif /* MBEDTLS_DES_C */
  923. #if defined(MBEDTLS_AES_C)
  924. if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
  925. return( ret );
  926. #endif /* MBEDTLS_AES_C */
  927. if( verbose != 0 )
  928. mbedtls_printf( "\n" );
  929. return( 0 );
  930. }
  931. #endif /* MBEDTLS_SELF_TEST */
  932. #endif /* MBEDTLS_CMAC_C */