• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file cmac.c
3  *
4  * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5  *
6  *  Copyright The Mbed TLS Contributors
7  *  SPDX-License-Identifier: Apache-2.0
8  *
9  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
10  *  not use this file except in compliance with the License.
11  *  You may obtain a copy of the License at
12  *
13  *  http://www.apache.org/licenses/LICENSE-2.0
14  *
15  *  Unless required by applicable law or agreed to in writing, software
16  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18  *  See the License for the specific language governing permissions and
19  *  limitations under the License.
20  */
21 
22 /*
23  * References:
24  *
25  * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
26  *      CMAC Mode for Authentication
27  *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
28  *
29  * - RFC 4493 - The AES-CMAC Algorithm
30  *   https://tools.ietf.org/html/rfc4493
31  *
32  * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
33  *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
34  *      Algorithm for the Internet Key Exchange Protocol (IKE)
35  *   https://tools.ietf.org/html/rfc4615
36  *
37  *   Additional test vectors: ISO/IEC 9797-1
38  *
39  */
40 
41 #include "common.h"
42 
43 #if defined(MBEDTLS_CMAC_C)
44 
45 #include "mbedtls/cmac.h"
46 #include "mbedtls/platform_util.h"
47 #include "mbedtls/error.h"
48 #include "mbedtls/platform.h"
49 
50 #include <string.h>
51 
52 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
53 
54 /*
55  * Multiplication by u in the Galois field of GF(2^n)
56  *
57  * As explained in NIST SP 800-38B, this can be computed:
58  *
59  *   If MSB(p) = 0, then p = (p << 1)
60  *   If MSB(p) = 1, then p = (p << 1) ^ R_n
61  *   with R_64 = 0x1B and  R_128 = 0x87
62  *
63  * Input and output MUST NOT point to the same buffer
64  * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
65  */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)66 static int cmac_multiply_by_u( unsigned char *output,
67                                const unsigned char *input,
68                                size_t blocksize )
69 {
70     const unsigned char R_128 = 0x87;
71     const unsigned char R_64 = 0x1B;
72     unsigned char R_n, mask;
73     unsigned char overflow = 0x00;
74     int i;
75 
76     if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
77     {
78         R_n = R_128;
79     }
80     else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
81     {
82         R_n = R_64;
83     }
84     else
85     {
86         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
87     }
88 
89     for( i = (int)blocksize - 1; i >= 0; i-- )
90     {
91         output[i] = input[i] << 1 | overflow;
92         overflow = input[i] >> 7;
93     }
94 
95     /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
96      * using bit operations to avoid branches */
97 
98     /* MSVC has a warning about unary minus on unsigned, but this is
99      * well-defined and precisely what we want to do here */
100 #if defined(_MSC_VER)
101 #pragma warning( push )
102 #pragma warning( disable : 4146 )
103 #endif
104     mask = - ( input[0] >> 7 );
105 #if defined(_MSC_VER)
106 #pragma warning( pop )
107 #endif
108 
109     output[ blocksize - 1 ] ^= R_n & mask;
110 
111     return( 0 );
112 }
113 
114 /*
115  * Generate subkeys
116  *
117  * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
118  */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)119 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
120                                   unsigned char* K1, unsigned char* K2 )
121 {
122     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
123     unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
124     size_t olen, block_size;
125 
126     mbedtls_platform_zeroize( L, sizeof( L ) );
127 
128     block_size = ctx->cipher_info->block_size;
129 
130     /* Calculate Ek(0) */
131     if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
132         goto exit;
133 
134     /*
135      * Generate K1 and K2
136      */
137     if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
138         goto exit;
139 
140     if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
141         goto exit;
142 
143 exit:
144     mbedtls_platform_zeroize( L, sizeof( L ) );
145 
146     return( ret );
147 }
148 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
149 
150 #if !defined(MBEDTLS_CMAC_ALT)
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)151 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
152                             const unsigned char *input2,
153                             const size_t block_size )
154 {
155     size_t idx;
156 
157     for( idx = 0; idx < block_size; idx++ )
158         output[ idx ] = input1[ idx ] ^ input2[ idx ];
159 }
160 
161 /*
162  * Create padded last block from (partial) last block.
163  *
164  * We can't use the padding option from the cipher layer, as it only works for
165  * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
166  */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)167 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
168                       size_t padded_block_len,
169                       const unsigned char *last_block,
170                       size_t last_block_len )
171 {
172     size_t j;
173 
174     for( j = 0; j < padded_block_len; j++ )
175     {
176         if( j < last_block_len )
177             padded_block[j] = last_block[j];
178         else if( j == last_block_len )
179             padded_block[j] = 0x80;
180         else
181             padded_block[j] = 0x00;
182     }
183 }
184 
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)185 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
186                                 const unsigned char *key, size_t keybits )
187 {
188     mbedtls_cipher_type_t type;
189     mbedtls_cmac_context_t *cmac_ctx;
190     int retval;
191 
192     if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
193         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
194 
195     if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
196                                           MBEDTLS_ENCRYPT ) ) != 0 )
197         return( retval );
198 
199     type = ctx->cipher_info->type;
200 
201     switch( type )
202     {
203         case MBEDTLS_CIPHER_AES_128_ECB:
204         case MBEDTLS_CIPHER_AES_192_ECB:
205         case MBEDTLS_CIPHER_AES_256_ECB:
206         case MBEDTLS_CIPHER_DES_EDE3_ECB:
207             break;
208         default:
209             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
210     }
211 
212     /* Allocated and initialise in the cipher context memory for the CMAC
213      * context */
214     cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
215     if( cmac_ctx == NULL )
216         return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
217 
218     ctx->cmac_ctx = cmac_ctx;
219 
220     mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
221 
222     return 0;
223 }
224 
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)225 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
226                                 const unsigned char *input, size_t ilen )
227 {
228     mbedtls_cmac_context_t* cmac_ctx;
229     unsigned char *state;
230     int ret = 0;
231     size_t n, j, olen, block_size;
232 
233     if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
234         ctx->cmac_ctx == NULL )
235         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
236 
237     cmac_ctx = ctx->cmac_ctx;
238     block_size = ctx->cipher_info->block_size;
239     state = ctx->cmac_ctx->state;
240 
241     /* Is there data still to process from the last call, that's greater in
242      * size than a block? */
243     if( cmac_ctx->unprocessed_len > 0 &&
244         ilen > block_size - cmac_ctx->unprocessed_len )
245     {
246         memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
247                 input,
248                 block_size - cmac_ctx->unprocessed_len );
249 
250         cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
251 
252         if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
253                                            &olen ) ) != 0 )
254         {
255            goto exit;
256         }
257 
258         input += block_size - cmac_ctx->unprocessed_len;
259         ilen -= block_size - cmac_ctx->unprocessed_len;
260         cmac_ctx->unprocessed_len = 0;
261     }
262 
263     /* n is the number of blocks including any final partial block */
264     n = ( ilen + block_size - 1 ) / block_size;
265 
266     /* Iterate across the input data in block sized chunks, excluding any
267      * final partial or complete block */
268     for( j = 1; j < n; j++ )
269     {
270         cmac_xor_block( state, input, state, block_size );
271 
272         if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
273                                            &olen ) ) != 0 )
274            goto exit;
275 
276         ilen -= block_size;
277         input += block_size;
278     }
279 
280     /* If there is data left over that wasn't aligned to a block */
281     if( ilen > 0 )
282     {
283         memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
284                 input,
285                 ilen );
286         cmac_ctx->unprocessed_len += ilen;
287     }
288 
289 exit:
290     return( ret );
291 }
292 
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)293 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
294                                 unsigned char *output )
295 {
296     mbedtls_cmac_context_t* cmac_ctx;
297     unsigned char *state, *last_block;
298     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
299     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
300     unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
301     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
302     size_t olen, block_size;
303 
304     if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
305         output == NULL )
306         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
307 
308     cmac_ctx = ctx->cmac_ctx;
309     block_size = ctx->cipher_info->block_size;
310     state = cmac_ctx->state;
311 
312     mbedtls_platform_zeroize( K1, sizeof( K1 ) );
313     mbedtls_platform_zeroize( K2, sizeof( K2 ) );
314     cmac_generate_subkeys( ctx, K1, K2 );
315 
316     last_block = cmac_ctx->unprocessed_block;
317 
318     /* Calculate last block */
319     if( cmac_ctx->unprocessed_len < block_size )
320     {
321         cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
322         cmac_xor_block( M_last, M_last, K2, block_size );
323     }
324     else
325     {
326         /* Last block is complete block */
327         cmac_xor_block( M_last, last_block, K1, block_size );
328     }
329 
330 
331     cmac_xor_block( state, M_last, state, block_size );
332     if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
333                                        &olen ) ) != 0 )
334     {
335         goto exit;
336     }
337 
338     memcpy( output, state, block_size );
339 
340 exit:
341     /* Wipe the generated keys on the stack, and any other transients to avoid
342      * side channel leakage */
343     mbedtls_platform_zeroize( K1, sizeof( K1 ) );
344     mbedtls_platform_zeroize( K2, sizeof( K2 ) );
345 
346     cmac_ctx->unprocessed_len = 0;
347     mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
348                               sizeof( cmac_ctx->unprocessed_block ) );
349 
350     mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
351     return( ret );
352 }
353 
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)354 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
355 {
356     mbedtls_cmac_context_t* cmac_ctx;
357 
358     if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
359         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
360 
361     cmac_ctx = ctx->cmac_ctx;
362 
363     /* Reset the internal state */
364     cmac_ctx->unprocessed_len = 0;
365     mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
366                               sizeof( cmac_ctx->unprocessed_block ) );
367     mbedtls_platform_zeroize( cmac_ctx->state,
368                               sizeof( cmac_ctx->state ) );
369 
370     return( 0 );
371 }
372 
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)373 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
374                          const unsigned char *key, size_t keylen,
375                          const unsigned char *input, size_t ilen,
376                          unsigned char *output )
377 {
378     mbedtls_cipher_context_t ctx;
379     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
380 
381     if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
382         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
383 
384     mbedtls_cipher_init( &ctx );
385 
386     if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
387         goto exit;
388 
389     ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
390     if( ret != 0 )
391         goto exit;
392 
393     ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
394     if( ret != 0 )
395         goto exit;
396 
397     ret = mbedtls_cipher_cmac_finish( &ctx, output );
398 
399 exit:
400     mbedtls_cipher_free( &ctx );
401 
402     return( ret );
403 }
404 
405 #if defined(MBEDTLS_AES_C)
406 /*
407  * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
408  */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])409 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
410                               const unsigned char *input, size_t in_len,
411                               unsigned char output[16] )
412 {
413     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
414     const mbedtls_cipher_info_t *cipher_info;
415     unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
416     unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
417 
418     if( key == NULL || input == NULL || output == NULL )
419         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
420 
421     cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
422     if( cipher_info == NULL )
423     {
424         /* Failing at this point must be due to a build issue */
425         ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
426         goto exit;
427     }
428 
429     if( key_length == MBEDTLS_AES_BLOCK_SIZE )
430     {
431         /* Use key as is */
432         memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
433     }
434     else
435     {
436         memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
437 
438         ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
439                                    key_length, int_key );
440         if( ret != 0 )
441             goto exit;
442     }
443 
444     ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
445                                output );
446 
447 exit:
448     mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
449 
450     return( ret );
451 }
452 #endif /* MBEDTLS_AES_C */
453 
454 #endif /* !MBEDTLS_CMAC_ALT */
455 
456 #if defined(MBEDTLS_SELF_TEST)
457 /*
458  * CMAC test data for SP800-38B
459  * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
460  * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
461  *
462  * AES-CMAC-PRF-128 test data from RFC 4615
463  * https://tools.ietf.org/html/rfc4615#page-4
464  */
465 
466 #define NB_CMAC_TESTS_PER_KEY 4
467 #define NB_PRF_TESTS 3
468 
469 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
470 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
471 static const unsigned char test_message[] = {
472     /* PT */
473     0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
474     0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
475     0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
476     0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
477     0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
478     0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
479     0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
480     0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
481 };
482 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
483 
484 #if defined(MBEDTLS_AES_C)
485 /* Truncation point of message for AES CMAC tests  */
486 static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
487     /* Mlen */
488     0,
489     16,
490     20,
491     64
492 };
493 
494 /* CMAC-AES128 Test Data */
495 static const unsigned char aes_128_key[16] = {
496     0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
497     0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
498 };
499 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
500     {
501         /* K1 */
502         0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
503         0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
504     },
505     {
506         /* K2 */
507         0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
508         0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
509     }
510 };
511 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
512     {
513         /* Example #1 */
514         0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
515         0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
516     },
517     {
518         /* Example #2 */
519         0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
520         0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
521     },
522     {
523         /* Example #3 */
524         0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
525         0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
526     },
527     {
528         /* Example #4 */
529         0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
530         0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
531     }
532 };
533 
534 /* CMAC-AES192 Test Data */
535 static const unsigned char aes_192_key[24] = {
536     0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
537     0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
538     0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
539 };
540 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
541     {
542         /* K1 */
543         0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
544         0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
545     },
546     {
547         /* K2 */
548         0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
549         0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
550     }
551 };
552 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
553     {
554         /* Example #1 */
555         0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
556         0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
557     },
558     {
559         /* Example #2 */
560         0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
561         0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
562     },
563     {
564         /* Example #3 */
565         0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
566         0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
567     },
568     {
569         /* Example #4 */
570         0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
571         0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
572     }
573 };
574 
575 /* CMAC-AES256 Test Data */
576 static const unsigned char aes_256_key[32] = {
577     0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
578     0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
579     0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
580     0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
581 };
582 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
583     {
584         /* K1 */
585         0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
586         0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
587     },
588     {
589         /* K2 */
590         0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
591         0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
592     }
593 };
594 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
595     {
596         /* Example #1 */
597         0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
598         0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
599     },
600     {
601         /* Example #2 */
602         0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
603         0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
604     },
605     {
606         /* Example #3 */
607         0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
608         0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
609     },
610     {
611         /* Example #4 */
612         0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
613         0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
614     }
615 };
616 #endif /* MBEDTLS_AES_C */
617 
618 #if defined(MBEDTLS_DES_C)
619 /* Truncation point of message for 3DES CMAC tests  */
620 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
621     0,
622     16,
623     20,
624     32
625 };
626 
627 /* CMAC-TDES (Generation) - 2 Key Test Data */
628 static const unsigned char des3_2key_key[24] = {
629     /* Key1 */
630     0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
631     /* Key2 */
632     0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
633     /* Key3 */
634     0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
635 };
636 static const unsigned char des3_2key_subkeys[2][8] = {
637     {
638         /* K1 */
639         0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
640     },
641     {
642         /* K2 */
643         0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
644     }
645 };
646 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
647     {
648         /* Sample #1 */
649         0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
650     },
651     {
652         /* Sample #2 */
653         0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
654     },
655     {
656         /* Sample #3 */
657         0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
658     },
659     {
660         /* Sample #4 */
661         0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
662     }
663 };
664 
665 /* CMAC-TDES (Generation) - 3 Key Test Data */
666 static const unsigned char des3_3key_key[24] = {
667     /* Key1 */
668     0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
669     /* Key2 */
670     0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
671     /* Key3 */
672     0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
673 };
674 static const unsigned char des3_3key_subkeys[2][8] = {
675     {
676         /* K1 */
677         0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
678     },
679     {
680         /* K2 */
681         0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
682     }
683 };
684 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
685     {
686         /* Sample #1 */
687         0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
688     },
689     {
690         /* Sample #2 */
691         0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
692     },
693     {
694         /* Sample #3 */
695         0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
696     },
697     {
698         /* Sample #4 */
699         0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
700     }
701 };
702 
703 #endif /* MBEDTLS_DES_C */
704 
705 #if defined(MBEDTLS_AES_C)
706 /* AES AES-CMAC-PRF-128 Test Data */
707 static const unsigned char PRFK[] = {
708     /* Key */
709     0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
710     0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
711     0xed, 0xcb
712 };
713 
714 /* Sizes in bytes */
715 static const size_t PRFKlen[NB_PRF_TESTS] = {
716     18,
717     16,
718     10
719 };
720 
721 /* Message */
722 static const unsigned char PRFM[] = {
723     0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
724     0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
725     0x10, 0x11, 0x12, 0x13
726 };
727 
728 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
729     {
730         0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
731         0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
732     },
733     {
734         0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
735         0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
736     },
737     {
738         0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
739         0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
740     }
741 };
742 #endif /* MBEDTLS_AES_C */
743 
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)744 static int cmac_test_subkeys( int verbose,
745                               const char* testname,
746                               const unsigned char* key,
747                               int keybits,
748                               const unsigned char* subkeys,
749                               mbedtls_cipher_type_t cipher_type,
750                               int block_size,
751                               int num_tests )
752 {
753     int i, ret = 0;
754     mbedtls_cipher_context_t ctx;
755     const mbedtls_cipher_info_t *cipher_info;
756     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
757     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
758 
759     cipher_info = mbedtls_cipher_info_from_type( cipher_type );
760     if( cipher_info == NULL )
761     {
762         /* Failing at this point must be due to a build issue */
763         return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
764     }
765 
766     for( i = 0; i < num_tests; i++ )
767     {
768         if( verbose != 0 )
769             mbedtls_printf( "  %s CMAC subkey #%d: ", testname, i + 1 );
770 
771         mbedtls_cipher_init( &ctx );
772 
773         if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
774         {
775             if( verbose != 0 )
776                 mbedtls_printf( "test execution failed\n" );
777 
778             goto cleanup;
779         }
780 
781         if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
782                                        MBEDTLS_ENCRYPT ) ) != 0 )
783         {
784             /* When CMAC is implemented by an alternative implementation, or
785              * the underlying primitive itself is implemented alternatively,
786              * AES-192 may be unavailable. This should not cause the selftest
787              * function to fail. */
788             if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
789                   ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
790                   cipher_type == MBEDTLS_CIPHER_AES_192_ECB ) {
791                 if( verbose != 0 )
792                     mbedtls_printf( "skipped\n" );
793                 goto next_test;
794             }
795 
796             if( verbose != 0 )
797                 mbedtls_printf( "test execution failed\n" );
798 
799             goto cleanup;
800         }
801 
802         ret = cmac_generate_subkeys( &ctx, K1, K2 );
803         if( ret != 0 )
804         {
805            if( verbose != 0 )
806                 mbedtls_printf( "failed\n" );
807 
808             goto cleanup;
809         }
810 
811         if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0  ||
812             ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
813         {
814             if( verbose != 0 )
815                 mbedtls_printf( "failed\n" );
816 
817             goto cleanup;
818         }
819 
820         if( verbose != 0 )
821             mbedtls_printf( "passed\n" );
822 
823 next_test:
824         mbedtls_cipher_free( &ctx );
825     }
826 
827     ret = 0;
828     goto exit;
829 
830 cleanup:
831     mbedtls_cipher_free( &ctx );
832 
833 exit:
834     return( ret );
835 }
836 
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)837 static int cmac_test_wth_cipher( int verbose,
838                                  const char* testname,
839                                  const unsigned char* key,
840                                  int keybits,
841                                  const unsigned char* messages,
842                                  const unsigned int message_lengths[4],
843                                  const unsigned char* expected_result,
844                                  mbedtls_cipher_type_t cipher_type,
845                                  int block_size,
846                                  int num_tests )
847 {
848     const mbedtls_cipher_info_t *cipher_info;
849     int i, ret = 0;
850     unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
851 
852     cipher_info = mbedtls_cipher_info_from_type( cipher_type );
853     if( cipher_info == NULL )
854     {
855         /* Failing at this point must be due to a build issue */
856         ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
857         goto exit;
858     }
859 
860     for( i = 0; i < num_tests; i++ )
861     {
862         if( verbose != 0 )
863             mbedtls_printf( "  %s CMAC #%d: ", testname, i + 1 );
864 
865         if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
866                                          message_lengths[i], output ) ) != 0 )
867         {
868             /* When CMAC is implemented by an alternative implementation, or
869              * the underlying primitive itself is implemented alternatively,
870              * AES-192 and/or 3DES may be unavailable. This should not cause
871              * the selftest function to fail. */
872             if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
873                   ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
874                 ( cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
875                   cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB ) ) {
876                 if( verbose != 0 )
877                     mbedtls_printf( "skipped\n" );
878                 continue;
879             }
880 
881             if( verbose != 0 )
882                 mbedtls_printf( "failed\n" );
883             goto exit;
884         }
885 
886         if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
887         {
888             if( verbose != 0 )
889                 mbedtls_printf( "failed\n" );
890             goto exit;
891         }
892 
893         if( verbose != 0 )
894             mbedtls_printf( "passed\n" );
895     }
896     ret = 0;
897 
898 exit:
899     return( ret );
900 }
901 
902 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)903 static int test_aes128_cmac_prf( int verbose )
904 {
905     int i;
906     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
907     unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
908 
909     for( i = 0; i < NB_PRF_TESTS; i++ )
910     {
911         mbedtls_printf( "  AES CMAC 128 PRF #%d: ", i );
912         ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
913         if( ret != 0 ||
914             memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
915         {
916 
917             if( verbose != 0 )
918                 mbedtls_printf( "failed\n" );
919 
920             return( ret );
921         }
922         else if( verbose != 0 )
923         {
924             mbedtls_printf( "passed\n" );
925         }
926     }
927     return( ret );
928 }
929 #endif /* MBEDTLS_AES_C */
930 
mbedtls_cmac_self_test(int verbose)931 int mbedtls_cmac_self_test( int verbose )
932 {
933     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
934 
935 #if defined(MBEDTLS_AES_C)
936     /* AES-128 */
937     if( ( ret = cmac_test_subkeys( verbose,
938                                    "AES 128",
939                                    aes_128_key,
940                                    128,
941                                    (const unsigned char*)aes_128_subkeys,
942                                    MBEDTLS_CIPHER_AES_128_ECB,
943                                    MBEDTLS_AES_BLOCK_SIZE,
944                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
945     {
946         return( ret );
947     }
948 
949     if( ( ret = cmac_test_wth_cipher( verbose,
950                                       "AES 128",
951                                       aes_128_key,
952                                       128,
953                                       test_message,
954                                       aes_message_lengths,
955                                       (const unsigned char*)aes_128_expected_result,
956                                       MBEDTLS_CIPHER_AES_128_ECB,
957                                       MBEDTLS_AES_BLOCK_SIZE,
958                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
959     {
960         return( ret );
961     }
962 
963     /* AES-192 */
964     if( ( ret = cmac_test_subkeys( verbose,
965                                    "AES 192",
966                                    aes_192_key,
967                                    192,
968                                    (const unsigned char*)aes_192_subkeys,
969                                    MBEDTLS_CIPHER_AES_192_ECB,
970                                    MBEDTLS_AES_BLOCK_SIZE,
971                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
972     {
973         return( ret );
974     }
975 
976     if( ( ret = cmac_test_wth_cipher( verbose,
977                                       "AES 192",
978                                       aes_192_key,
979                                       192,
980                                       test_message,
981                                       aes_message_lengths,
982                                       (const unsigned char*)aes_192_expected_result,
983                                       MBEDTLS_CIPHER_AES_192_ECB,
984                                       MBEDTLS_AES_BLOCK_SIZE,
985                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
986     {
987         return( ret );
988     }
989 
990     /* AES-256 */
991     if( ( ret = cmac_test_subkeys( verbose,
992                                    "AES 256",
993                                    aes_256_key,
994                                    256,
995                                    (const unsigned char*)aes_256_subkeys,
996                                    MBEDTLS_CIPHER_AES_256_ECB,
997                                    MBEDTLS_AES_BLOCK_SIZE,
998                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
999     {
1000         return( ret );
1001     }
1002 
1003     if( ( ret = cmac_test_wth_cipher ( verbose,
1004                                        "AES 256",
1005                                        aes_256_key,
1006                                        256,
1007                                        test_message,
1008                                        aes_message_lengths,
1009                                        (const unsigned char*)aes_256_expected_result,
1010                                        MBEDTLS_CIPHER_AES_256_ECB,
1011                                        MBEDTLS_AES_BLOCK_SIZE,
1012                                        NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1013     {
1014         return( ret );
1015     }
1016 #endif /* MBEDTLS_AES_C */
1017 
1018 #if defined(MBEDTLS_DES_C)
1019     /* 3DES 2 key */
1020     if( ( ret = cmac_test_subkeys( verbose,
1021                                    "3DES 2 key",
1022                                    des3_2key_key,
1023                                    192,
1024                                    (const unsigned char*)des3_2key_subkeys,
1025                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
1026                                    MBEDTLS_DES3_BLOCK_SIZE,
1027                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1028     {
1029         return( ret );
1030     }
1031 
1032     if( ( ret = cmac_test_wth_cipher( verbose,
1033                                       "3DES 2 key",
1034                                       des3_2key_key,
1035                                       192,
1036                                       test_message,
1037                                       des3_message_lengths,
1038                                       (const unsigned char*)des3_2key_expected_result,
1039                                       MBEDTLS_CIPHER_DES_EDE3_ECB,
1040                                       MBEDTLS_DES3_BLOCK_SIZE,
1041                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1042     {
1043         return( ret );
1044     }
1045 
1046     /* 3DES 3 key */
1047     if( ( ret = cmac_test_subkeys( verbose,
1048                                    "3DES 3 key",
1049                                    des3_3key_key,
1050                                    192,
1051                                    (const unsigned char*)des3_3key_subkeys,
1052                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
1053                                    MBEDTLS_DES3_BLOCK_SIZE,
1054                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1055     {
1056         return( ret );
1057     }
1058 
1059     if( ( ret = cmac_test_wth_cipher( verbose,
1060                                       "3DES 3 key",
1061                                       des3_3key_key,
1062                                       192,
1063                                       test_message,
1064                                       des3_message_lengths,
1065                                       (const unsigned char*)des3_3key_expected_result,
1066                                       MBEDTLS_CIPHER_DES_EDE3_ECB,
1067                                       MBEDTLS_DES3_BLOCK_SIZE,
1068                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1069     {
1070         return( ret );
1071     }
1072 #endif /* MBEDTLS_DES_C */
1073 
1074 #if defined(MBEDTLS_AES_C)
1075     if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1076         return( ret );
1077 #endif /* MBEDTLS_AES_C */
1078 
1079     if( verbose != 0 )
1080         mbedtls_printf( "\n" );
1081 
1082     return( 0 );
1083 }
1084 
1085 #endif /* MBEDTLS_SELF_TEST */
1086 
1087 #endif /* MBEDTLS_CMAC_C */
1088