TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 11fa71b9ddb429088f325cfda430183003ccd1db / . / lib / libmbedtls / mbedtls / library / cmac.c
blob: c879674858293a90483f3235d363880d2405e370 [file] [log] [blame]
Edison Aic6672fd2018-02-28 15:01:47 +0800[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2/**
3 * \file cmac.c
4 *
5 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
6 *
7 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24/*
25 * References:
26 *
27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28 * CMAC Mode for Authentication
29 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
30 *
31 * - RFC 4493 - The AES-CMAC Algorithm
32 * https://tools.ietf.org/html/rfc4493
33 *
34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36 * Algorithm for the Internet Key Exchange Protocol (IKE)
37 * https://tools.ietf.org/html/rfc4615
38 *
39 * Additional test vectors: ISO/IEC 9797-1
40 *
41 */
42
43#if !defined(MBEDTLS_CONFIG_FILE)
44#include "mbedtls/config.h"
45#else
46#include MBEDTLS_CONFIG_FILE
47#endif
48
49#if defined(MBEDTLS_CMAC_C)
50
51#include "mbedtls/cmac.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]52#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]53#include "mbedtls/error.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]54
55#include <string.h>
56
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_PLATFORM_C)
58#include "mbedtls/platform.h"
59#else
60#include <stdlib.h>
61#define mbedtls_calloc calloc
62#define mbedtls_free free
63#if defined(MBEDTLS_SELF_TEST)
64#include <stdio.h>
65#define mbedtls_printf printf
66#endif /* MBEDTLS_SELF_TEST */
67#endif /* MBEDTLS_PLATFORM_C */
68
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]69#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]70
71/*
72 * Multiplication by u in the Galois field of GF(2^n)
73 *
74 * As explained in NIST SP 800-38B, this can be computed:
75 *
76 * If MSB(p) = 0, then p = (p << 1)
77 * If MSB(p) = 1, then p = (p << 1) ^ R_n
78 * with R_64 = 0x1B and R_128 = 0x87
79 *
80 * Input and output MUST NOT point to the same buffer
81 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
82 */
83static int cmac_multiply_by_u( unsigned char *output,
84 const unsigned char *input,
85 size_t blocksize )
86{
87 const unsigned char R_128 = 0x87;
88 const unsigned char R_64 = 0x1B;
89 unsigned char R_n, mask;
90 unsigned char overflow = 0x00;
91 int i;
92
93 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
94 {
95 R_n = R_128;
96 }
97 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
98 {
99 R_n = R_64;
100 }
101 else
102 {
103 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
104 }
105
106 for( i = (int)blocksize - 1; i >= 0; i-- )
107 {
108 output[i] = input[i] << 1 | overflow;
109 overflow = input[i] >> 7;
110 }
111
112 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
113 * using bit operations to avoid branches */
114
115 /* MSVC has a warning about unary minus on unsigned, but this is
116 * well-defined and precisely what we want to do here */
117#if defined(_MSC_VER)
118#pragma warning( push )
119#pragma warning( disable : 4146 )
120#endif
121 mask = - ( input[0] >> 7 );
122#if defined(_MSC_VER)
123#pragma warning( pop )
124#endif
125
126 output[ blocksize - 1 ] ^= R_n & mask;
127
128 return( 0 );
129}
130
131/*
132 * Generate subkeys
133 *
134 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
135 */
136static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
137 unsigned char* K1, unsigned char* K2 )
138{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]139 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]140 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
141 size_t olen, block_size;
142
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]143 mbedtls_platform_zeroize( L, sizeof( L ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]144
145 block_size = ctx->cipher_info->block_size;
146
147 /* Calculate Ek(0) */
148 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
149 goto exit;
150
151 /*
152 * Generate K1 and K2
153 */
154 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
155 goto exit;
156
157 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
158 goto exit;
159
160exit:
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]161 mbedtls_platform_zeroize( L, sizeof( L ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]162
163 return( ret );
164}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]165#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]166
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]167#if !defined(MBEDTLS_CMAC_ALT)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]168static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
169 const unsigned char *input2,
170 const size_t block_size )
171{
172 size_t idx;
173
174 for( idx = 0; idx < block_size; idx++ )
175 output[ idx ] = input1[ idx ] ^ input2[ idx ];
176}
177
178/*
179 * Create padded last block from (partial) last block.
180 *
181 * We can't use the padding option from the cipher layer, as it only works for
182 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
183 */
184static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
185 size_t padded_block_len,
186 const unsigned char *last_block,
187 size_t last_block_len )
188{
189 size_t j;
190
191 for( j = 0; j < padded_block_len; j++ )
192 {
193 if( j < last_block_len )
194 padded_block[j] = last_block[j];
195 else if( j == last_block_len )
196 padded_block[j] = 0x80;
197 else
198 padded_block[j] = 0x00;
199 }
200}
201
Edison Ai12484fc2018-12-19 15:36:28 +0800[diff] [blame]202int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx)
203{
204 mbedtls_cmac_context_t *cmac_ctx;
205
206 /* Allocated and initialise in the cipher context memory for the CMAC
207 * context */
208 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
209 if( cmac_ctx == NULL )
210 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
211
212 ctx->cmac_ctx = cmac_ctx;
213
214 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
215 return 0;
216}
217
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]218int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
219 const unsigned char *key, size_t keybits )
220{
221 mbedtls_cipher_type_t type;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]222 int retval;
223
224 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
225 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
226
227 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
228 MBEDTLS_ENCRYPT ) ) != 0 )
229 return( retval );
230
231 type = ctx->cipher_info->type;
232
233 switch( type )
234 {
235 case MBEDTLS_CIPHER_AES_128_ECB:
236 case MBEDTLS_CIPHER_AES_192_ECB:
237 case MBEDTLS_CIPHER_AES_256_ECB:
238 case MBEDTLS_CIPHER_DES_EDE3_ECB:
239 break;
240 default:
241 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
242 }
243
Edison Ai12484fc2018-12-19 15:36:28 +0800[diff] [blame]244 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */
245 if( ctx->cmac_ctx != NULL )
246 return 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]247
Edison Ai12484fc2018-12-19 15:36:28 +0800[diff] [blame]248 return mbedtls_cipher_cmac_setup( ctx );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]249}
250
251int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
252 const unsigned char *input, size_t ilen )
253{
254 mbedtls_cmac_context_t* cmac_ctx;
255 unsigned char *state;
256 int ret = 0;
257 size_t n, j, olen, block_size;
258
259 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
260 ctx->cmac_ctx == NULL )
261 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
262
263 cmac_ctx = ctx->cmac_ctx;
264 block_size = ctx->cipher_info->block_size;
265 state = ctx->cmac_ctx->state;
266
267 /* Is there data still to process from the last call, that's greater in
268 * size than a block? */
269 if( cmac_ctx->unprocessed_len > 0 &&
270 ilen > block_size - cmac_ctx->unprocessed_len )
271 {
272 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
273 input,
274 block_size - cmac_ctx->unprocessed_len );
275
276 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
277
278 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
279 &olen ) ) != 0 )
280 {
281 goto exit;
282 }
283
284 input += block_size - cmac_ctx->unprocessed_len;
285 ilen -= block_size - cmac_ctx->unprocessed_len;
286 cmac_ctx->unprocessed_len = 0;
287 }
288
289 /* n is the number of blocks including any final partial block */
290 n = ( ilen + block_size - 1 ) / block_size;
291
292 /* Iterate across the input data in block sized chunks, excluding any
293 * final partial or complete block */
294 for( j = 1; j < n; j++ )
295 {
296 cmac_xor_block( state, input, state, block_size );
297
298 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
299 &olen ) ) != 0 )
300 goto exit;
301
302 ilen -= block_size;
303 input += block_size;
304 }
305
306 /* If there is data left over that wasn't aligned to a block */
307 if( ilen > 0 )
308 {
309 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
310 input,
311 ilen );
312 cmac_ctx->unprocessed_len += ilen;
313 }
314
315exit:
316 return( ret );
317}
318
319int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
320 unsigned char *output )
321{
322 mbedtls_cmac_context_t* cmac_ctx;
323 unsigned char *state, *last_block;
324 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
325 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
326 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]327 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]328 size_t olen, block_size;
329
330 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
331 output == NULL )
332 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
333
334 cmac_ctx = ctx->cmac_ctx;
335 block_size = ctx->cipher_info->block_size;
336 state = cmac_ctx->state;
337
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]338 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
339 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]340 cmac_generate_subkeys( ctx, K1, K2 );
341
342 last_block = cmac_ctx->unprocessed_block;
343
344 /* Calculate last block */
345 if( cmac_ctx->unprocessed_len < block_size )
346 {
347 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
348 cmac_xor_block( M_last, M_last, K2, block_size );
349 }
350 else
351 {
352 /* Last block is complete block */
353 cmac_xor_block( M_last, last_block, K1, block_size );
354 }
355
356
357 cmac_xor_block( state, M_last, state, block_size );
358 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
359 &olen ) ) != 0 )
360 {
361 goto exit;
362 }
363
364 memcpy( output, state, block_size );
365
366exit:
367 /* Wipe the generated keys on the stack, and any other transients to avoid
368 * side channel leakage */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]369 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
370 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]371
372 cmac_ctx->unprocessed_len = 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]373 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
374 sizeof( cmac_ctx->unprocessed_block ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]375
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]376 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]377 return( ret );
378}
379
380int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
381{
382 mbedtls_cmac_context_t* cmac_ctx;
383
384 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
385 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
386
387 cmac_ctx = ctx->cmac_ctx;
388
389 /* Reset the internal state */
390 cmac_ctx->unprocessed_len = 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]391 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
392 sizeof( cmac_ctx->unprocessed_block ) );
393 mbedtls_platform_zeroize( cmac_ctx->state,
394 sizeof( cmac_ctx->state ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]395
396 return( 0 );
397}
398
399int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
400 const unsigned char *key, size_t keylen,
401 const unsigned char *input, size_t ilen,
402 unsigned char *output )
403{
404 mbedtls_cipher_context_t ctx;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]405 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]406
407 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
408 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
409
410 mbedtls_cipher_init( &ctx );
411
412 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
413 goto exit;
414
415 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
416 if( ret != 0 )
417 goto exit;
418
419 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
420 if( ret != 0 )
421 goto exit;
422
423 ret = mbedtls_cipher_cmac_finish( &ctx, output );
424
425exit:
426 mbedtls_cipher_free( &ctx );
427
428 return( ret );
429}
430
431#if defined(MBEDTLS_AES_C)
432/*
433 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
434 */
435int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
436 const unsigned char *input, size_t in_len,
437 unsigned char *output )
438{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]439 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]440 const mbedtls_cipher_info_t *cipher_info;
441 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
442 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
443
444 if( key == NULL || input == NULL || output == NULL )
445 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
446
447 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
448 if( cipher_info == NULL )
449 {
450 /* Failing at this point must be due to a build issue */
451 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
452 goto exit;
453 }
454
455 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
456 {
457 /* Use key as is */
458 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
459 }
460 else
461 {
462 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
463
464 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
465 key_length, int_key );
466 if( ret != 0 )
467 goto exit;
468 }
469
470 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
471 output );
472
473exit:
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]474 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]475
476 return( ret );
477}
478#endif /* MBEDTLS_AES_C */
479
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]480#endif /* !MBEDTLS_CMAC_ALT */
481
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]482#if defined(MBEDTLS_SELF_TEST)
483/*
484 * CMAC test data for SP800-38B
485 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
486 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
487 *
488 * AES-CMAC-PRF-128 test data from RFC 4615
489 * https://tools.ietf.org/html/rfc4615#page-4
490 */
491
492#define NB_CMAC_TESTS_PER_KEY 4
493#define NB_PRF_TESTS 3
494
495#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
496/* All CMAC test inputs are truncated from the same 64 byte buffer. */
497static const unsigned char test_message[] = {
498 /* PT */
499 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
500 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
501 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
502 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
503 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
504 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
505 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
506 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
507};
508#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
509
510#if defined(MBEDTLS_AES_C)
511/* Truncation point of message for AES CMAC tests */
512static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
513 /* Mlen */
514 0,
515 16,
516 20,
517 64
518};
519
520/* CMAC-AES128 Test Data */
521static const unsigned char aes_128_key[16] = {
522 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
523 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
524};
525static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
526 {
527 /* K1 */
528 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
529 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
530 },
531 {
532 /* K2 */
533 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
534 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
535 }
536};
537static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
538 {
539 /* Example #1 */
540 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
541 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
542 },
543 {
544 /* Example #2 */
545 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
546 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
547 },
548 {
549 /* Example #3 */
550 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
551 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
552 },
553 {
554 /* Example #4 */
555 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
556 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
557 }
558};
559
560/* CMAC-AES192 Test Data */
561static const unsigned char aes_192_key[24] = {
562 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
563 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
564 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
565};
566static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
567 {
568 /* K1 */
569 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
570 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
571 },
572 {
573 /* K2 */
574 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
575 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
576 }
577};
578static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
579 {
580 /* Example #1 */
581 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
582 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
583 },
584 {
585 /* Example #2 */
586 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
587 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
588 },
589 {
590 /* Example #3 */
591 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
592 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
593 },
594 {
595 /* Example #4 */
596 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
597 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
598 }
599};
600
601/* CMAC-AES256 Test Data */
602static const unsigned char aes_256_key[32] = {
603 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
604 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
605 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
606 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
607};
608static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
609 {
610 /* K1 */
611 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
612 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
613 },
614 {
615 /* K2 */
616 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
617 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
618 }
619};
620static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
621 {
622 /* Example #1 */
623 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
624 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
625 },
626 {
627 /* Example #2 */
628 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
629 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
630 },
631 {
632 /* Example #3 */
633 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
634 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
635 },
636 {
637 /* Example #4 */
638 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
639 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
640 }
641};
642#endif /* MBEDTLS_AES_C */
643
644#if defined(MBEDTLS_DES_C)
645/* Truncation point of message for 3DES CMAC tests */
646static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
647 0,
648 16,
649 20,
650 32
651};
652
653/* CMAC-TDES (Generation) - 2 Key Test Data */
654static const unsigned char des3_2key_key[24] = {
655 /* Key1 */
656 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
657 /* Key2 */
658 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
659 /* Key3 */
660 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
661};
662static const unsigned char des3_2key_subkeys[2][8] = {
663 {
664 /* K1 */
665 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
666 },
667 {
668 /* K2 */
669 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
670 }
671};
672static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
673 {
674 /* Sample #1 */
675 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
676 },
677 {
678 /* Sample #2 */
679 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
680 },
681 {
682 /* Sample #3 */
683 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
684 },
685 {
686 /* Sample #4 */
687 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
688 }
689};
690
691/* CMAC-TDES (Generation) - 3 Key Test Data */
692static const unsigned char des3_3key_key[24] = {
693 /* Key1 */
694 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
695 /* Key2 */
696 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
697 /* Key3 */
698 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
699};
700static const unsigned char des3_3key_subkeys[2][8] = {
701 {
702 /* K1 */
703 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
704 },
705 {
706 /* K2 */
707 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
708 }
709};
710static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
711 {
712 /* Sample #1 */
713 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
714 },
715 {
716 /* Sample #2 */
717 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
718 },
719 {
720 /* Sample #3 */
721 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
722 },
723 {
724 /* Sample #4 */
725 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
726 }
727};
728
729#endif /* MBEDTLS_DES_C */
730
731#if defined(MBEDTLS_AES_C)
732/* AES AES-CMAC-PRF-128 Test Data */
733static const unsigned char PRFK[] = {
734 /* Key */
735 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
736 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
737 0xed, 0xcb
738};
739
740/* Sizes in bytes */
741static const size_t PRFKlen[NB_PRF_TESTS] = {
742 18,
743 16,
744 10
745};
746
747/* Message */
748static const unsigned char PRFM[] = {
749 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
750 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
751 0x10, 0x11, 0x12, 0x13
752};
753
754static const unsigned char PRFT[NB_PRF_TESTS][16] = {
755 {
756 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
757 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
758 },
759 {
760 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
761 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
762 },
763 {
764 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
765 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
766 }
767};
768#endif /* MBEDTLS_AES_C */
769
770static int cmac_test_subkeys( int verbose,
771 const char* testname,
772 const unsigned char* key,
773 int keybits,
774 const unsigned char* subkeys,
775 mbedtls_cipher_type_t cipher_type,
776 int block_size,
777 int num_tests )
778{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]779 int i, ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]780 mbedtls_cipher_context_t ctx;
781 const mbedtls_cipher_info_t *cipher_info;
782 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
783 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
784
785 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
786 if( cipher_info == NULL )
787 {
788 /* Failing at this point must be due to a build issue */
789 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
790 }
791
792 for( i = 0; i < num_tests; i++ )
793 {
794 if( verbose != 0 )
795 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
796
797 mbedtls_cipher_init( &ctx );
798
799 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
800 {
801 if( verbose != 0 )
802 mbedtls_printf( "test execution failed\n" );
803
804 goto cleanup;
805 }
806
807 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
808 MBEDTLS_ENCRYPT ) ) != 0 )
809 {
810 if( verbose != 0 )
811 mbedtls_printf( "test execution failed\n" );
812
813 goto cleanup;
814 }
815
816 ret = cmac_generate_subkeys( &ctx, K1, K2 );
817 if( ret != 0 )
818 {
819 if( verbose != 0 )
820 mbedtls_printf( "failed\n" );
821
822 goto cleanup;
823 }
824
825 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
826 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
827 {
828 if( verbose != 0 )
829 mbedtls_printf( "failed\n" );
830
831 goto cleanup;
832 }
833
834 if( verbose != 0 )
835 mbedtls_printf( "passed\n" );
836
837 mbedtls_cipher_free( &ctx );
838 }
839
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]840 ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]841 goto exit;
842
843cleanup:
844 mbedtls_cipher_free( &ctx );
845
846exit:
847 return( ret );
848}
849
850static int cmac_test_wth_cipher( int verbose,
851 const char* testname,
852 const unsigned char* key,
853 int keybits,
854 const unsigned char* messages,
855 const unsigned int message_lengths[4],
856 const unsigned char* expected_result,
857 mbedtls_cipher_type_t cipher_type,
858 int block_size,
859 int num_tests )
860{
861 const mbedtls_cipher_info_t *cipher_info;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]862 int i, ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]863 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
864
865 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
866 if( cipher_info == NULL )
867 {
868 /* Failing at this point must be due to a build issue */
869 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
870 goto exit;
871 }
872
873 for( i = 0; i < num_tests; i++ )
874 {
875 if( verbose != 0 )
876 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
877
878 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
879 message_lengths[i], output ) ) != 0 )
880 {
881 if( verbose != 0 )
882 mbedtls_printf( "failed\n" );
883 goto exit;
884 }
885
886 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
887 {
888 if( verbose != 0 )
889 mbedtls_printf( "failed\n" );
890 goto exit;
891 }
892
893 if( verbose != 0 )
894 mbedtls_printf( "passed\n" );
895 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]896 ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]897
898exit:
899 return( ret );
900}
901
902#if defined(MBEDTLS_AES_C)
903static int test_aes128_cmac_prf( int verbose )
904{
905 int i;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]906 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]907 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
908
909 for( i = 0; i < NB_PRF_TESTS; i++ )
910 {
911 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
912 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
913 if( ret != 0 ||
914 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
915 {
916
917 if( verbose != 0 )
918 mbedtls_printf( "failed\n" );
919
920 return( ret );
921 }
922 else if( verbose != 0 )
923 {
924 mbedtls_printf( "passed\n" );
925 }
926 }
927 return( ret );
928}
929#endif /* MBEDTLS_AES_C */
930
931int mbedtls_cmac_self_test( int verbose )
932{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame^]933 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]934
935#if defined(MBEDTLS_AES_C)
936 /* AES-128 */
937 if( ( ret = cmac_test_subkeys( verbose,
938 "AES 128",
939 aes_128_key,
940 128,
941 (const unsigned char*)aes_128_subkeys,
942 MBEDTLS_CIPHER_AES_128_ECB,
943 MBEDTLS_AES_BLOCK_SIZE,
944 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
945 {
946 return( ret );
947 }
948
949 if( ( ret = cmac_test_wth_cipher( verbose,
950 "AES 128",
951 aes_128_key,
952 128,
953 test_message,
954 aes_message_lengths,
955 (const unsigned char*)aes_128_expected_result,
956 MBEDTLS_CIPHER_AES_128_ECB,
957 MBEDTLS_AES_BLOCK_SIZE,
958 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
959 {
960 return( ret );
961 }
962
963 /* AES-192 */
964 if( ( ret = cmac_test_subkeys( verbose,
965 "AES 192",
966 aes_192_key,
967 192,
968 (const unsigned char*)aes_192_subkeys,
969 MBEDTLS_CIPHER_AES_192_ECB,
970 MBEDTLS_AES_BLOCK_SIZE,
971 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
972 {
973 return( ret );
974 }
975
976 if( ( ret = cmac_test_wth_cipher( verbose,
977 "AES 192",
978 aes_192_key,
979 192,
980 test_message,
981 aes_message_lengths,
982 (const unsigned char*)aes_192_expected_result,
983 MBEDTLS_CIPHER_AES_192_ECB,
984 MBEDTLS_AES_BLOCK_SIZE,
985 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
986 {
987 return( ret );
988 }
989
990 /* AES-256 */
991 if( ( ret = cmac_test_subkeys( verbose,
992 "AES 256",
993 aes_256_key,
994 256,
995 (const unsigned char*)aes_256_subkeys,
996 MBEDTLS_CIPHER_AES_256_ECB,
997 MBEDTLS_AES_BLOCK_SIZE,
998 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
999 {
1000 return( ret );
1001 }
1002
1003 if( ( ret = cmac_test_wth_cipher ( verbose,
1004 "AES 256",
1005 aes_256_key,
1006 256,
1007 test_message,
1008 aes_message_lengths,
1009 (const unsigned char*)aes_256_expected_result,
1010 MBEDTLS_CIPHER_AES_256_ECB,
1011 MBEDTLS_AES_BLOCK_SIZE,
1012 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1013 {
1014 return( ret );
1015 }
1016#endif /* MBEDTLS_AES_C */
1017
1018#if defined(MBEDTLS_DES_C)
1019 /* 3DES 2 key */
1020 if( ( ret = cmac_test_subkeys( verbose,
1021 "3DES 2 key",
1022 des3_2key_key,
1023 192,
1024 (const unsigned char*)des3_2key_subkeys,
1025 MBEDTLS_CIPHER_DES_EDE3_ECB,
1026 MBEDTLS_DES3_BLOCK_SIZE,
1027 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1028 {
1029 return( ret );
1030 }
1031
1032 if( ( ret = cmac_test_wth_cipher( verbose,
1033 "3DES 2 key",
1034 des3_2key_key,
1035 192,
1036 test_message,
1037 des3_message_lengths,
1038 (const unsigned char*)des3_2key_expected_result,
1039 MBEDTLS_CIPHER_DES_EDE3_ECB,
1040 MBEDTLS_DES3_BLOCK_SIZE,
1041 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1042 {
1043 return( ret );
1044 }
1045
1046 /* 3DES 3 key */
1047 if( ( ret = cmac_test_subkeys( verbose,
1048 "3DES 3 key",
1049 des3_3key_key,
1050 192,
1051 (const unsigned char*)des3_3key_subkeys,
1052 MBEDTLS_CIPHER_DES_EDE3_ECB,
1053 MBEDTLS_DES3_BLOCK_SIZE,
1054 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1055 {
1056 return( ret );
1057 }
1058
1059 if( ( ret = cmac_test_wth_cipher( verbose,
1060 "3DES 3 key",
1061 des3_3key_key,
1062 192,
1063 test_message,
1064 des3_message_lengths,
1065 (const unsigned char*)des3_3key_expected_result,
1066 MBEDTLS_CIPHER_DES_EDE3_ECB,
1067 MBEDTLS_DES3_BLOCK_SIZE,
1068 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1069 {
1070 return( ret );
1071 }
1072#endif /* MBEDTLS_DES_C */
1073
1074#if defined(MBEDTLS_AES_C)
1075 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1076 return( ret );
1077#endif /* MBEDTLS_AES_C */
1078
1079 if( verbose != 0 )
1080 mbedtls_printf( "\n" );
1081
1082 return( 0 );
1083}
1084
1085#endif /* MBEDTLS_SELF_TEST */
1086
1087#endif /* MBEDTLS_CMAC_C */