1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8 */
9
10 /*
11 * References:
12 *
13 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
14 * CMAC Mode for Authentication
15 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
16 *
17 * - RFC 4493 - The AES-CMAC Algorithm
18 * https://tools.ietf.org/html/rfc4493
19 *
20 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
21 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
22 * Algorithm for the Internet Key Exchange Protocol (IKE)
23 * https://tools.ietf.org/html/rfc4615
24 *
25 * Additional test vectors: ISO/IEC 9797-1
26 *
27 */
28
29 #include "common.h"
30
31 #if defined(MBEDTLS_CMAC_C)
32
33 #include "mbedtls/cmac.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 #include "mbedtls/platform.h"
37
38 #include <string.h>
39
40 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
41
42 /*
43 * Multiplication by u in the Galois field of GF(2^n)
44 *
45 * As explained in NIST SP 800-38B, this can be computed:
46 *
47 * If MSB(p) = 0, then p = (p << 1)
48 * If MSB(p) = 1, then p = (p << 1) ^ R_n
49 * with R_64 = 0x1B and R_128 = 0x87
50 *
51 * Input and output MUST NOT point to the same buffer
52 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
53 */
cmac_multiply_by_u(unsigned char * output,const unsigned char * input,size_t blocksize)54 static int cmac_multiply_by_u(unsigned char *output,
55 const unsigned char *input,
56 size_t blocksize)
57 {
58 const unsigned char R_128 = 0x87;
59 const unsigned char R_64 = 0x1B;
60 unsigned char R_n, mask;
61 unsigned char overflow = 0x00;
62 int i;
63
64 if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
65 R_n = R_128;
66 } else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
67 R_n = R_64;
68 } else {
69 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
70 }
71
72 for (i = (int) blocksize - 1; i >= 0; i--) {
73 output[i] = input[i] << 1 | overflow;
74 overflow = input[i] >> 7;
75 }
76
77 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
78 * using bit operations to avoid branches */
79
80 /* MSVC has a warning about unary minus on unsigned, but this is
81 * well-defined and precisely what we want to do here */
82 #if defined(_MSC_VER)
83 #pragma warning( push )
84 #pragma warning( disable : 4146 )
85 #endif
86 mask = -(input[0] >> 7);
87 #if defined(_MSC_VER)
88 #pragma warning( pop )
89 #endif
90
91 output[blocksize - 1] ^= R_n & mask;
92
93 return 0;
94 }
95
96 /*
97 * Generate subkeys
98 *
99 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
100 */
cmac_generate_subkeys(mbedtls_cipher_context_t * ctx,unsigned char * K1,unsigned char * K2)101 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
102 unsigned char *K1, unsigned char *K2)
103 {
104 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
105 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
106 size_t olen, block_size;
107
108 mbedtls_platform_zeroize(L, sizeof(L));
109
110 block_size = ctx->cipher_info->block_size;
111
112 /* Calculate Ek(0) */
113 if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
114 goto exit;
115 }
116
117 /*
118 * Generate K1 and K2
119 */
120 if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
121 goto exit;
122 }
123
124 if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
125 goto exit;
126 }
127
128 exit:
129 mbedtls_platform_zeroize(L, sizeof(L));
130
131 return ret;
132 }
133 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
134
135 #if !defined(MBEDTLS_CMAC_ALT)
cmac_xor_block(unsigned char * output,const unsigned char * input1,const unsigned char * input2,const size_t block_size)136 static void cmac_xor_block(unsigned char *output, const unsigned char *input1,
137 const unsigned char *input2,
138 const size_t block_size)
139 {
140 size_t idx;
141
142 for (idx = 0; idx < block_size; idx++) {
143 output[idx] = input1[idx] ^ input2[idx];
144 }
145 }
146
147 /*
148 * Create padded last block from (partial) last block.
149 *
150 * We can't use the padding option from the cipher layer, as it only works for
151 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
152 */
cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],size_t padded_block_len,const unsigned char * last_block,size_t last_block_len)153 static void cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
154 size_t padded_block_len,
155 const unsigned char *last_block,
156 size_t last_block_len)
157 {
158 size_t j;
159
160 for (j = 0; j < padded_block_len; j++) {
161 if (j < last_block_len) {
162 padded_block[j] = last_block[j];
163 } else if (j == last_block_len) {
164 padded_block[j] = 0x80;
165 } else {
166 padded_block[j] = 0x00;
167 }
168 }
169 }
170
mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t * ctx,const unsigned char * key,size_t keybits)171 int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
172 const unsigned char *key, size_t keybits)
173 {
174 mbedtls_cipher_type_t type;
175 mbedtls_cmac_context_t *cmac_ctx;
176 int retval;
177
178 if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
179 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
180 }
181
182 if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
183 MBEDTLS_ENCRYPT)) != 0) {
184 return retval;
185 }
186
187 type = ctx->cipher_info->type;
188
189 switch (type) {
190 case MBEDTLS_CIPHER_AES_128_ECB:
191 case MBEDTLS_CIPHER_AES_192_ECB:
192 case MBEDTLS_CIPHER_AES_256_ECB:
193 case MBEDTLS_CIPHER_DES_EDE3_ECB:
194 break;
195 default:
196 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
197 }
198
199 /* Allocated and initialise in the cipher context memory for the CMAC
200 * context */
201 cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
202 if (cmac_ctx == NULL) {
203 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
204 }
205
206 ctx->cmac_ctx = cmac_ctx;
207
208 mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
209
210 return 0;
211 }
212
mbedtls_cipher_cmac_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen)213 int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
214 const unsigned char *input, size_t ilen)
215 {
216 mbedtls_cmac_context_t *cmac_ctx;
217 unsigned char *state;
218 int ret = 0;
219 size_t n, j, olen, block_size;
220
221 if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
222 ctx->cmac_ctx == NULL) {
223 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
224 }
225
226 cmac_ctx = ctx->cmac_ctx;
227 block_size = ctx->cipher_info->block_size;
228 state = ctx->cmac_ctx->state;
229
230 /* Is there data still to process from the last call, that's greater in
231 * size than a block? */
232 if (cmac_ctx->unprocessed_len > 0 &&
233 ilen > block_size - cmac_ctx->unprocessed_len) {
234 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
235 input,
236 block_size - cmac_ctx->unprocessed_len);
237
238 cmac_xor_block(state, cmac_ctx->unprocessed_block, state, block_size);
239
240 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
241 &olen)) != 0) {
242 goto exit;
243 }
244
245 input += block_size - cmac_ctx->unprocessed_len;
246 ilen -= block_size - cmac_ctx->unprocessed_len;
247 cmac_ctx->unprocessed_len = 0;
248 }
249
250 /* n is the number of blocks including any final partial block */
251 n = (ilen + block_size - 1) / block_size;
252
253 /* Iterate across the input data in block sized chunks, excluding any
254 * final partial or complete block */
255 for (j = 1; j < n; j++) {
256 cmac_xor_block(state, input, state, block_size);
257
258 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
259 &olen)) != 0) {
260 goto exit;
261 }
262
263 ilen -= block_size;
264 input += block_size;
265 }
266
267 /* If there is data left over that wasn't aligned to a block */
268 if (ilen > 0) {
269 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
270 input,
271 ilen);
272 cmac_ctx->unprocessed_len += ilen;
273 }
274
275 exit:
276 return ret;
277 }
278
mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t * ctx,unsigned char * output)279 int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
280 unsigned char *output)
281 {
282 mbedtls_cmac_context_t *cmac_ctx;
283 unsigned char *state, *last_block;
284 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
285 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
286 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
288 size_t olen, block_size;
289
290 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
291 output == NULL) {
292 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
293 }
294
295 cmac_ctx = ctx->cmac_ctx;
296 block_size = ctx->cipher_info->block_size;
297 state = cmac_ctx->state;
298
299 mbedtls_platform_zeroize(K1, sizeof(K1));
300 mbedtls_platform_zeroize(K2, sizeof(K2));
301 cmac_generate_subkeys(ctx, K1, K2);
302
303 last_block = cmac_ctx->unprocessed_block;
304
305 /* Calculate last block */
306 if (cmac_ctx->unprocessed_len < block_size) {
307 cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
308 cmac_xor_block(M_last, M_last, K2, block_size);
309 } else {
310 /* Last block is complete block */
311 cmac_xor_block(M_last, last_block, K1, block_size);
312 }
313
314
315 cmac_xor_block(state, M_last, state, block_size);
316 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
317 &olen)) != 0) {
318 goto exit;
319 }
320
321 memcpy(output, state, block_size);
322
323 exit:
324 /* Wipe the generated keys on the stack, and any other transients to avoid
325 * side channel leakage */
326 mbedtls_platform_zeroize(K1, sizeof(K1));
327 mbedtls_platform_zeroize(K2, sizeof(K2));
328
329 cmac_ctx->unprocessed_len = 0;
330 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
331 sizeof(cmac_ctx->unprocessed_block));
332
333 mbedtls_platform_zeroize(state, MBEDTLS_CIPHER_BLKSIZE_MAX);
334 return ret;
335 }
336
mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t * ctx)337 int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
338 {
339 mbedtls_cmac_context_t *cmac_ctx;
340
341 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
342 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
343 }
344
345 cmac_ctx = ctx->cmac_ctx;
346
347 /* Reset the internal state */
348 cmac_ctx->unprocessed_len = 0;
349 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
350 sizeof(cmac_ctx->unprocessed_block));
351 mbedtls_platform_zeroize(cmac_ctx->state,
352 sizeof(cmac_ctx->state));
353
354 return 0;
355 }
356
mbedtls_cipher_cmac(const mbedtls_cipher_info_t * cipher_info,const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)357 int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
358 const unsigned char *key, size_t keylen,
359 const unsigned char *input, size_t ilen,
360 unsigned char *output)
361 {
362 mbedtls_cipher_context_t ctx;
363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
364
365 if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
366 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
367 }
368
369 mbedtls_cipher_init(&ctx);
370
371 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
372 goto exit;
373 }
374
375 ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
376 if (ret != 0) {
377 goto exit;
378 }
379
380 ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
381 if (ret != 0) {
382 goto exit;
383 }
384
385 ret = mbedtls_cipher_cmac_finish(&ctx, output);
386
387 exit:
388 mbedtls_cipher_free(&ctx);
389
390 return ret;
391 }
392
393 #if defined(MBEDTLS_AES_C)
394 /*
395 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
396 */
mbedtls_aes_cmac_prf_128(const unsigned char * key,size_t key_length,const unsigned char * input,size_t in_len,unsigned char output[16])397 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
398 const unsigned char *input, size_t in_len,
399 unsigned char output[16])
400 {
401 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
402 const mbedtls_cipher_info_t *cipher_info;
403 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
404 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
405
406 if (key == NULL || input == NULL || output == NULL) {
407 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
408 }
409
410 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
411 if (cipher_info == NULL) {
412 /* Failing at this point must be due to a build issue */
413 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
414 goto exit;
415 }
416
417 if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
418 /* Use key as is */
419 memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
420 } else {
421 memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
422
423 ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
424 key_length, int_key);
425 if (ret != 0) {
426 goto exit;
427 }
428 }
429
430 ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
431 output);
432
433 exit:
434 mbedtls_platform_zeroize(int_key, sizeof(int_key));
435
436 return ret;
437 }
438 #endif /* MBEDTLS_AES_C */
439
440 #endif /* !MBEDTLS_CMAC_ALT */
441
442 #if defined(MBEDTLS_SELF_TEST)
443 /*
444 * CMAC test data for SP800-38B
445 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
446 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
447 *
448 * AES-CMAC-PRF-128 test data from RFC 4615
449 * https://tools.ietf.org/html/rfc4615#page-4
450 */
451
452 #define NB_CMAC_TESTS_PER_KEY 4
453 #define NB_PRF_TESTS 3
454
455 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
456 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
457 static const unsigned char test_message[] = {
458 /* PT */
459 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
460 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
461 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
462 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
463 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
464 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
465 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
466 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
467 };
468 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
469
470 #if defined(MBEDTLS_AES_C)
471 /* Truncation point of message for AES CMAC tests */
472 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
473 /* Mlen */
474 0,
475 16,
476 20,
477 64
478 };
479
480 /* CMAC-AES128 Test Data */
481 static const unsigned char aes_128_key[16] = {
482 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
483 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
484 };
485 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
486 {
487 /* K1 */
488 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
489 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
490 },
491 {
492 /* K2 */
493 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
494 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
495 }
496 };
497 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
498 {
499 {
500 /* Example #1 */
501 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
502 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
503 },
504 {
505 /* Example #2 */
506 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
507 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
508 },
509 {
510 /* Example #3 */
511 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
512 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
513 },
514 {
515 /* Example #4 */
516 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
517 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
518 }
519 };
520
521 /* CMAC-AES192 Test Data */
522 static const unsigned char aes_192_key[24] = {
523 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
524 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
525 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
526 };
527 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
528 {
529 /* K1 */
530 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
531 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
532 },
533 {
534 /* K2 */
535 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
536 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
537 }
538 };
539 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
540 {
541 {
542 /* Example #1 */
543 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
544 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
545 },
546 {
547 /* Example #2 */
548 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
549 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
550 },
551 {
552 /* Example #3 */
553 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
554 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
555 },
556 {
557 /* Example #4 */
558 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
559 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
560 }
561 };
562
563 /* CMAC-AES256 Test Data */
564 static const unsigned char aes_256_key[32] = {
565 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
566 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
567 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
568 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
569 };
570 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
571 {
572 /* K1 */
573 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
574 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
575 },
576 {
577 /* K2 */
578 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
579 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
580 }
581 };
582 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
583 {
584 {
585 /* Example #1 */
586 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
587 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
588 },
589 {
590 /* Example #2 */
591 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
592 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
593 },
594 {
595 /* Example #3 */
596 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
597 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
598 },
599 {
600 /* Example #4 */
601 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
602 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
603 }
604 };
605 #endif /* MBEDTLS_AES_C */
606
607 #if defined(MBEDTLS_DES_C)
608 /* Truncation point of message for 3DES CMAC tests */
609 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
610 0,
611 16,
612 20,
613 32
614 };
615
616 /* CMAC-TDES (Generation) - 2 Key Test Data */
617 static const unsigned char des3_2key_key[24] = {
618 /* Key1 */
619 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
620 /* Key2 */
621 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
622 /* Key3 */
623 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
624 };
625 static const unsigned char des3_2key_subkeys[2][8] = {
626 {
627 /* K1 */
628 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
629 },
630 {
631 /* K2 */
632 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
633 }
634 };
635 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
636 = {
637 {
638 /* Sample #1 */
639 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
640 },
641 {
642 /* Sample #2 */
643 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
644 },
645 {
646 /* Sample #3 */
647 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
648 },
649 {
650 /* Sample #4 */
651 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
652 }
653 };
654
655 /* CMAC-TDES (Generation) - 3 Key Test Data */
656 static const unsigned char des3_3key_key[24] = {
657 /* Key1 */
658 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
659 /* Key2 */
660 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
661 /* Key3 */
662 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
663 };
664 static const unsigned char des3_3key_subkeys[2][8] = {
665 {
666 /* K1 */
667 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
668 },
669 {
670 /* K2 */
671 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
672 }
673 };
674 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
675 = {
676 {
677 /* Sample #1 */
678 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
679 },
680 {
681 /* Sample #2 */
682 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
683 },
684 {
685 /* Sample #3 */
686 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
687 },
688 {
689 /* Sample #4 */
690 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
691 }
692 };
693
694 #endif /* MBEDTLS_DES_C */
695
696 #if defined(MBEDTLS_AES_C)
697 /* AES AES-CMAC-PRF-128 Test Data */
698 static const unsigned char PRFK[] = {
699 /* Key */
700 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
701 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
702 0xed, 0xcb
703 };
704
705 /* Sizes in bytes */
706 static const size_t PRFKlen[NB_PRF_TESTS] = {
707 18,
708 16,
709 10
710 };
711
712 /* Message */
713 static const unsigned char PRFM[] = {
714 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
715 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
716 0x10, 0x11, 0x12, 0x13
717 };
718
719 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
720 {
721 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
722 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
723 },
724 {
725 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
726 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
727 },
728 {
729 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
730 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
731 }
732 };
733 #endif /* MBEDTLS_AES_C */
734
cmac_test_subkeys(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * subkeys,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)735 static int cmac_test_subkeys(int verbose,
736 const char *testname,
737 const unsigned char *key,
738 int keybits,
739 const unsigned char *subkeys,
740 mbedtls_cipher_type_t cipher_type,
741 int block_size,
742 int num_tests)
743 {
744 int i, ret = 0;
745 mbedtls_cipher_context_t ctx;
746 const mbedtls_cipher_info_t *cipher_info;
747 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
748 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
749
750 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
751 if (cipher_info == NULL) {
752 /* Failing at this point must be due to a build issue */
753 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
754 }
755
756 for (i = 0; i < num_tests; i++) {
757 if (verbose != 0) {
758 mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
759 }
760
761 mbedtls_cipher_init(&ctx);
762
763 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
764 if (verbose != 0) {
765 mbedtls_printf("test execution failed\n");
766 }
767
768 goto cleanup;
769 }
770
771 if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
772 MBEDTLS_ENCRYPT)) != 0) {
773 /* When CMAC is implemented by an alternative implementation, or
774 * the underlying primitive itself is implemented alternatively,
775 * AES-192 may be unavailable. This should not cause the selftest
776 * function to fail. */
777 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
778 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
779 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
780 if (verbose != 0) {
781 mbedtls_printf("skipped\n");
782 }
783 goto next_test;
784 }
785
786 if (verbose != 0) {
787 mbedtls_printf("test execution failed\n");
788 }
789
790 goto cleanup;
791 }
792
793 ret = cmac_generate_subkeys(&ctx, K1, K2);
794 if (ret != 0) {
795 if (verbose != 0) {
796 mbedtls_printf("failed\n");
797 }
798
799 goto cleanup;
800 }
801
802 if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
803 (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
804 if (verbose != 0) {
805 mbedtls_printf("failed\n");
806 }
807
808 goto cleanup;
809 }
810
811 if (verbose != 0) {
812 mbedtls_printf("passed\n");
813 }
814
815 next_test:
816 mbedtls_cipher_free(&ctx);
817 }
818
819 ret = 0;
820 goto exit;
821
822 cleanup:
823 mbedtls_cipher_free(&ctx);
824
825 exit:
826 return ret;
827 }
828
cmac_test_wth_cipher(int verbose,const char * testname,const unsigned char * key,int keybits,const unsigned char * messages,const unsigned int message_lengths[4],const unsigned char * expected_result,mbedtls_cipher_type_t cipher_type,int block_size,int num_tests)829 static int cmac_test_wth_cipher(int verbose,
830 const char *testname,
831 const unsigned char *key,
832 int keybits,
833 const unsigned char *messages,
834 const unsigned int message_lengths[4],
835 const unsigned char *expected_result,
836 mbedtls_cipher_type_t cipher_type,
837 int block_size,
838 int num_tests)
839 {
840 const mbedtls_cipher_info_t *cipher_info;
841 int i, ret = 0;
842 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
843
844 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
845 if (cipher_info == NULL) {
846 /* Failing at this point must be due to a build issue */
847 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
848 goto exit;
849 }
850
851 for (i = 0; i < num_tests; i++) {
852 if (verbose != 0) {
853 mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
854 }
855
856 if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
857 message_lengths[i], output)) != 0) {
858 /* When CMAC is implemented by an alternative implementation, or
859 * the underlying primitive itself is implemented alternatively,
860 * AES-192 and/or 3DES may be unavailable. This should not cause
861 * the selftest function to fail. */
862 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
863 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
864 (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
865 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
866 if (verbose != 0) {
867 mbedtls_printf("skipped\n");
868 }
869 continue;
870 }
871
872 if (verbose != 0) {
873 mbedtls_printf("failed\n");
874 }
875 goto exit;
876 }
877
878 if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
879 if (verbose != 0) {
880 mbedtls_printf("failed\n");
881 }
882 goto exit;
883 }
884
885 if (verbose != 0) {
886 mbedtls_printf("passed\n");
887 }
888 }
889 ret = 0;
890
891 exit:
892 return ret;
893 }
894
895 #if defined(MBEDTLS_AES_C)
test_aes128_cmac_prf(int verbose)896 static int test_aes128_cmac_prf(int verbose)
897 {
898 int i;
899 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
900 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
901
902 for (i = 0; i < NB_PRF_TESTS; i++) {
903 mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
904 ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
905 if (ret != 0 ||
906 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
907
908 if (verbose != 0) {
909 mbedtls_printf("failed\n");
910 }
911
912 return ret;
913 } else if (verbose != 0) {
914 mbedtls_printf("passed\n");
915 }
916 }
917 return ret;
918 }
919 #endif /* MBEDTLS_AES_C */
920
mbedtls_cmac_self_test(int verbose)921 int mbedtls_cmac_self_test(int verbose)
922 {
923 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
924
925 #if defined(MBEDTLS_AES_C)
926 /* AES-128 */
927 if ((ret = cmac_test_subkeys(verbose,
928 "AES 128",
929 aes_128_key,
930 128,
931 (const unsigned char *) aes_128_subkeys,
932 MBEDTLS_CIPHER_AES_128_ECB,
933 MBEDTLS_AES_BLOCK_SIZE,
934 NB_CMAC_TESTS_PER_KEY)) != 0) {
935 return ret;
936 }
937
938 if ((ret = cmac_test_wth_cipher(verbose,
939 "AES 128",
940 aes_128_key,
941 128,
942 test_message,
943 aes_message_lengths,
944 (const unsigned char *) aes_128_expected_result,
945 MBEDTLS_CIPHER_AES_128_ECB,
946 MBEDTLS_AES_BLOCK_SIZE,
947 NB_CMAC_TESTS_PER_KEY)) != 0) {
948 return ret;
949 }
950
951 /* AES-192 */
952 if ((ret = cmac_test_subkeys(verbose,
953 "AES 192",
954 aes_192_key,
955 192,
956 (const unsigned char *) aes_192_subkeys,
957 MBEDTLS_CIPHER_AES_192_ECB,
958 MBEDTLS_AES_BLOCK_SIZE,
959 NB_CMAC_TESTS_PER_KEY)) != 0) {
960 return ret;
961 }
962
963 if ((ret = cmac_test_wth_cipher(verbose,
964 "AES 192",
965 aes_192_key,
966 192,
967 test_message,
968 aes_message_lengths,
969 (const unsigned char *) aes_192_expected_result,
970 MBEDTLS_CIPHER_AES_192_ECB,
971 MBEDTLS_AES_BLOCK_SIZE,
972 NB_CMAC_TESTS_PER_KEY)) != 0) {
973 return ret;
974 }
975
976 /* AES-256 */
977 if ((ret = cmac_test_subkeys(verbose,
978 "AES 256",
979 aes_256_key,
980 256,
981 (const unsigned char *) aes_256_subkeys,
982 MBEDTLS_CIPHER_AES_256_ECB,
983 MBEDTLS_AES_BLOCK_SIZE,
984 NB_CMAC_TESTS_PER_KEY)) != 0) {
985 return ret;
986 }
987
988 if ((ret = cmac_test_wth_cipher(verbose,
989 "AES 256",
990 aes_256_key,
991 256,
992 test_message,
993 aes_message_lengths,
994 (const unsigned char *) aes_256_expected_result,
995 MBEDTLS_CIPHER_AES_256_ECB,
996 MBEDTLS_AES_BLOCK_SIZE,
997 NB_CMAC_TESTS_PER_KEY)) != 0) {
998 return ret;
999 }
1000 #endif /* MBEDTLS_AES_C */
1001
1002 #if defined(MBEDTLS_DES_C)
1003 /* 3DES 2 key */
1004 if ((ret = cmac_test_subkeys(verbose,
1005 "3DES 2 key",
1006 des3_2key_key,
1007 192,
1008 (const unsigned char *) des3_2key_subkeys,
1009 MBEDTLS_CIPHER_DES_EDE3_ECB,
1010 MBEDTLS_DES3_BLOCK_SIZE,
1011 NB_CMAC_TESTS_PER_KEY)) != 0) {
1012 return ret;
1013 }
1014
1015 if ((ret = cmac_test_wth_cipher(verbose,
1016 "3DES 2 key",
1017 des3_2key_key,
1018 192,
1019 test_message,
1020 des3_message_lengths,
1021 (const unsigned char *) des3_2key_expected_result,
1022 MBEDTLS_CIPHER_DES_EDE3_ECB,
1023 MBEDTLS_DES3_BLOCK_SIZE,
1024 NB_CMAC_TESTS_PER_KEY)) != 0) {
1025 return ret;
1026 }
1027
1028 /* 3DES 3 key */
1029 if ((ret = cmac_test_subkeys(verbose,
1030 "3DES 3 key",
1031 des3_3key_key,
1032 192,
1033 (const unsigned char *) des3_3key_subkeys,
1034 MBEDTLS_CIPHER_DES_EDE3_ECB,
1035 MBEDTLS_DES3_BLOCK_SIZE,
1036 NB_CMAC_TESTS_PER_KEY)) != 0) {
1037 return ret;
1038 }
1039
1040 if ((ret = cmac_test_wth_cipher(verbose,
1041 "3DES 3 key",
1042 des3_3key_key,
1043 192,
1044 test_message,
1045 des3_message_lengths,
1046 (const unsigned char *) des3_3key_expected_result,
1047 MBEDTLS_CIPHER_DES_EDE3_ECB,
1048 MBEDTLS_DES3_BLOCK_SIZE,
1049 NB_CMAC_TESTS_PER_KEY)) != 0) {
1050 return ret;
1051 }
1052 #endif /* MBEDTLS_DES_C */
1053
1054 #if defined(MBEDTLS_AES_C)
1055 if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
1056 return ret;
1057 }
1058 #endif /* MBEDTLS_AES_C */
1059
1060 if (verbose != 0) {
1061 mbedtls_printf("\n");
1062 }
1063
1064 return 0;
1065 }
1066
1067 #endif /* MBEDTLS_SELF_TEST */
1068
1069 #endif /* MBEDTLS_CMAC_C */
1070