TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / f58facc63757b67661cdfcd45dd65e41d665771d / . / lib / libmbedtls / mbedtls / library / cmac.c
blob: 9a9b6a290480aaf72ac14aeb916ff30b985739a2 [file] [log] [blame]
Edison Ai7b079202018-02-28 15:01:47 +0800[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2/**
3 * \file cmac.c
4 *
5 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
6 *
7 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24/*
25 * References:
26 *
27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28 * CMAC Mode for Authentication
29 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
30 *
31 * - RFC 4493 - The AES-CMAC Algorithm
32 * https://tools.ietf.org/html/rfc4493
33 *
34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36 * Algorithm for the Internet Key Exchange Protocol (IKE)
37 * https://tools.ietf.org/html/rfc4615
38 *
39 * Additional test vectors: ISO/IEC 9797-1
40 *
41 */
42
43#if !defined(MBEDTLS_CONFIG_FILE)
44#include "mbedtls/config.h"
45#else
46#include MBEDTLS_CONFIG_FILE
47#endif
48
49#if defined(MBEDTLS_CMAC_C)
50
51#include "mbedtls/cmac.h"
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]52#include "mbedtls/platform_util.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]53
54#include <string.h>
55
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]56#if defined(MBEDTLS_PLATFORM_C)
57#include "mbedtls/platform.h"
58#else
59#include <stdlib.h>
60#define mbedtls_calloc calloc
61#define mbedtls_free free
62#if defined(MBEDTLS_SELF_TEST)
63#include <stdio.h>
64#define mbedtls_printf printf
65#endif /* MBEDTLS_SELF_TEST */
66#endif /* MBEDTLS_PLATFORM_C */
67
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]68#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]69
70/*
71 * Multiplication by u in the Galois field of GF(2^n)
72 *
73 * As explained in NIST SP 800-38B, this can be computed:
74 *
75 * If MSB(p) = 0, then p = (p << 1)
76 * If MSB(p) = 1, then p = (p << 1) ^ R_n
77 * with R_64 = 0x1B and R_128 = 0x87
78 *
79 * Input and output MUST NOT point to the same buffer
80 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
81 */
82static int cmac_multiply_by_u( unsigned char *output,
83 const unsigned char *input,
84 size_t blocksize )
85{
86 const unsigned char R_128 = 0x87;
87 const unsigned char R_64 = 0x1B;
88 unsigned char R_n, mask;
89 unsigned char overflow = 0x00;
90 int i;
91
92 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
93 {
94 R_n = R_128;
95 }
96 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
97 {
98 R_n = R_64;
99 }
100 else
101 {
102 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
103 }
104
105 for( i = (int)blocksize - 1; i >= 0; i-- )
106 {
107 output[i] = input[i] << 1 | overflow;
108 overflow = input[i] >> 7;
109 }
110
111 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
112 * using bit operations to avoid branches */
113
114 /* MSVC has a warning about unary minus on unsigned, but this is
115 * well-defined and precisely what we want to do here */
116#if defined(_MSC_VER)
117#pragma warning( push )
118#pragma warning( disable : 4146 )
119#endif
120 mask = - ( input[0] >> 7 );
121#if defined(_MSC_VER)
122#pragma warning( pop )
123#endif
124
125 output[ blocksize - 1 ] ^= R_n & mask;
126
127 return( 0 );
128}
129
130/*
131 * Generate subkeys
132 *
133 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
134 */
135static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
136 unsigned char* K1, unsigned char* K2 )
137{
138 int ret;
139 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
140 size_t olen, block_size;
141
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]142 mbedtls_platform_zeroize( L, sizeof( L ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]143
144 block_size = ctx->cipher_info->block_size;
145
146 /* Calculate Ek(0) */
147 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
148 goto exit;
149
150 /*
151 * Generate K1 and K2
152 */
153 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
154 goto exit;
155
156 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
157 goto exit;
158
159exit:
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]160 mbedtls_platform_zeroize( L, sizeof( L ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]161
162 return( ret );
163}
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]164#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]165
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]166#if !defined(MBEDTLS_CMAC_ALT)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]167static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
168 const unsigned char *input2,
169 const size_t block_size )
170{
171 size_t idx;
172
173 for( idx = 0; idx < block_size; idx++ )
174 output[ idx ] = input1[ idx ] ^ input2[ idx ];
175}
176
177/*
178 * Create padded last block from (partial) last block.
179 *
180 * We can't use the padding option from the cipher layer, as it only works for
181 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
182 */
183static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
184 size_t padded_block_len,
185 const unsigned char *last_block,
186 size_t last_block_len )
187{
188 size_t j;
189
190 for( j = 0; j < padded_block_len; j++ )
191 {
192 if( j < last_block_len )
193 padded_block[j] = last_block[j];
194 else if( j == last_block_len )
195 padded_block[j] = 0x80;
196 else
197 padded_block[j] = 0x00;
198 }
199}
200
Edison Aiac347342018-12-19 15:36:28 +0800[diff] [blame]201int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx)
202{
203 mbedtls_cmac_context_t *cmac_ctx;
204
205 /* Allocated and initialise in the cipher context memory for the CMAC
206 * context */
207 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
208 if( cmac_ctx == NULL )
209 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
210
211 ctx->cmac_ctx = cmac_ctx;
212
213 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
214 return 0;
215}
216
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]217int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
218 const unsigned char *key, size_t keybits )
219{
220 mbedtls_cipher_type_t type;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]221 int retval;
222
223 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
224 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
225
226 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
227 MBEDTLS_ENCRYPT ) ) != 0 )
228 return( retval );
229
230 type = ctx->cipher_info->type;
231
232 switch( type )
233 {
234 case MBEDTLS_CIPHER_AES_128_ECB:
235 case MBEDTLS_CIPHER_AES_192_ECB:
236 case MBEDTLS_CIPHER_AES_256_ECB:
237 case MBEDTLS_CIPHER_DES_EDE3_ECB:
238 break;
239 default:
240 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
241 }
242
Edison Aiac347342018-12-19 15:36:28 +0800[diff] [blame]243 /* Check if cmac ctx had been allocated by mbedtls_cipher_cmac_setup() */
244 if( ctx->cmac_ctx != NULL )
245 return 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]246
Edison Aiac347342018-12-19 15:36:28 +0800[diff] [blame]247 return mbedtls_cipher_cmac_setup( ctx );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]248}
249
250int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
251 const unsigned char *input, size_t ilen )
252{
253 mbedtls_cmac_context_t* cmac_ctx;
254 unsigned char *state;
255 int ret = 0;
256 size_t n, j, olen, block_size;
257
258 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
259 ctx->cmac_ctx == NULL )
260 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
261
262 cmac_ctx = ctx->cmac_ctx;
263 block_size = ctx->cipher_info->block_size;
264 state = ctx->cmac_ctx->state;
265
266 /* Is there data still to process from the last call, that's greater in
267 * size than a block? */
268 if( cmac_ctx->unprocessed_len > 0 &&
269 ilen > block_size - cmac_ctx->unprocessed_len )
270 {
271 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
272 input,
273 block_size - cmac_ctx->unprocessed_len );
274
275 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
276
277 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
278 &olen ) ) != 0 )
279 {
280 goto exit;
281 }
282
283 input += block_size - cmac_ctx->unprocessed_len;
284 ilen -= block_size - cmac_ctx->unprocessed_len;
285 cmac_ctx->unprocessed_len = 0;
286 }
287
288 /* n is the number of blocks including any final partial block */
289 n = ( ilen + block_size - 1 ) / block_size;
290
291 /* Iterate across the input data in block sized chunks, excluding any
292 * final partial or complete block */
293 for( j = 1; j < n; j++ )
294 {
295 cmac_xor_block( state, input, state, block_size );
296
297 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
298 &olen ) ) != 0 )
299 goto exit;
300
301 ilen -= block_size;
302 input += block_size;
303 }
304
305 /* If there is data left over that wasn't aligned to a block */
306 if( ilen > 0 )
307 {
308 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
309 input,
310 ilen );
311 cmac_ctx->unprocessed_len += ilen;
312 }
313
314exit:
315 return( ret );
316}
317
318int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
319 unsigned char *output )
320{
321 mbedtls_cmac_context_t* cmac_ctx;
322 unsigned char *state, *last_block;
323 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
324 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
325 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
326 int ret;
327 size_t olen, block_size;
328
329 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
330 output == NULL )
331 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
332
333 cmac_ctx = ctx->cmac_ctx;
334 block_size = ctx->cipher_info->block_size;
335 state = cmac_ctx->state;
336
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]337 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
338 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]339 cmac_generate_subkeys( ctx, K1, K2 );
340
341 last_block = cmac_ctx->unprocessed_block;
342
343 /* Calculate last block */
344 if( cmac_ctx->unprocessed_len < block_size )
345 {
346 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
347 cmac_xor_block( M_last, M_last, K2, block_size );
348 }
349 else
350 {
351 /* Last block is complete block */
352 cmac_xor_block( M_last, last_block, K1, block_size );
353 }
354
355
356 cmac_xor_block( state, M_last, state, block_size );
357 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
358 &olen ) ) != 0 )
359 {
360 goto exit;
361 }
362
363 memcpy( output, state, block_size );
364
365exit:
366 /* Wipe the generated keys on the stack, and any other transients to avoid
367 * side channel leakage */
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]368 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
369 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]370
371 cmac_ctx->unprocessed_len = 0;
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]372 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
373 sizeof( cmac_ctx->unprocessed_block ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]374
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]375 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]376 return( ret );
377}
378
379int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
380{
381 mbedtls_cmac_context_t* cmac_ctx;
382
383 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
384 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
385
386 cmac_ctx = ctx->cmac_ctx;
387
388 /* Reset the internal state */
389 cmac_ctx->unprocessed_len = 0;
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]390 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
391 sizeof( cmac_ctx->unprocessed_block ) );
392 mbedtls_platform_zeroize( cmac_ctx->state,
393 sizeof( cmac_ctx->state ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]394
395 return( 0 );
396}
397
398int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
399 const unsigned char *key, size_t keylen,
400 const unsigned char *input, size_t ilen,
401 unsigned char *output )
402{
403 mbedtls_cipher_context_t ctx;
404 int ret;
405
406 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
407 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
408
409 mbedtls_cipher_init( &ctx );
410
411 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
412 goto exit;
413
414 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
415 if( ret != 0 )
416 goto exit;
417
418 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
419 if( ret != 0 )
420 goto exit;
421
422 ret = mbedtls_cipher_cmac_finish( &ctx, output );
423
424exit:
425 mbedtls_cipher_free( &ctx );
426
427 return( ret );
428}
429
430#if defined(MBEDTLS_AES_C)
431/*
432 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
433 */
434int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
435 const unsigned char *input, size_t in_len,
436 unsigned char *output )
437{
438 int ret;
439 const mbedtls_cipher_info_t *cipher_info;
440 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
441 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
442
443 if( key == NULL || input == NULL || output == NULL )
444 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
445
446 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
447 if( cipher_info == NULL )
448 {
449 /* Failing at this point must be due to a build issue */
450 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
451 goto exit;
452 }
453
454 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
455 {
456 /* Use key as is */
457 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
458 }
459 else
460 {
461 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
462
463 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
464 key_length, int_key );
465 if( ret != 0 )
466 goto exit;
467 }
468
469 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
470 output );
471
472exit:
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]473 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]474
475 return( ret );
476}
477#endif /* MBEDTLS_AES_C */
478
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]479#endif /* !MBEDTLS_CMAC_ALT */
480
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]481#if defined(MBEDTLS_SELF_TEST)
482/*
483 * CMAC test data for SP800-38B
484 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
485 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
486 *
487 * AES-CMAC-PRF-128 test data from RFC 4615
488 * https://tools.ietf.org/html/rfc4615#page-4
489 */
490
491#define NB_CMAC_TESTS_PER_KEY 4
492#define NB_PRF_TESTS 3
493
494#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
495/* All CMAC test inputs are truncated from the same 64 byte buffer. */
496static const unsigned char test_message[] = {
497 /* PT */
498 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
499 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
500 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
501 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
502 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
503 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
504 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
505 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
506};
507#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
508
509#if defined(MBEDTLS_AES_C)
510/* Truncation point of message for AES CMAC tests */
511static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
512 /* Mlen */
513 0,
514 16,
515 20,
516 64
517};
518
519/* CMAC-AES128 Test Data */
520static const unsigned char aes_128_key[16] = {
521 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
522 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
523};
524static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
525 {
526 /* K1 */
527 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
528 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
529 },
530 {
531 /* K2 */
532 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
533 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
534 }
535};
536static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
537 {
538 /* Example #1 */
539 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
540 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
541 },
542 {
543 /* Example #2 */
544 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
545 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
546 },
547 {
548 /* Example #3 */
549 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
550 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
551 },
552 {
553 /* Example #4 */
554 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
555 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
556 }
557};
558
559/* CMAC-AES192 Test Data */
560static const unsigned char aes_192_key[24] = {
561 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
562 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
563 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
564};
565static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
566 {
567 /* K1 */
568 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
569 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
570 },
571 {
572 /* K2 */
573 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
574 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
575 }
576};
577static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
578 {
579 /* Example #1 */
580 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
581 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
582 },
583 {
584 /* Example #2 */
585 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
586 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
587 },
588 {
589 /* Example #3 */
590 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
591 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
592 },
593 {
594 /* Example #4 */
595 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
596 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
597 }
598};
599
600/* CMAC-AES256 Test Data */
601static const unsigned char aes_256_key[32] = {
602 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
603 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
604 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
605 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
606};
607static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
608 {
609 /* K1 */
610 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
611 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
612 },
613 {
614 /* K2 */
615 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
616 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
617 }
618};
619static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
620 {
621 /* Example #1 */
622 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
623 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
624 },
625 {
626 /* Example #2 */
627 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
628 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
629 },
630 {
631 /* Example #3 */
632 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
633 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
634 },
635 {
636 /* Example #4 */
637 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
638 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
639 }
640};
641#endif /* MBEDTLS_AES_C */
642
643#if defined(MBEDTLS_DES_C)
644/* Truncation point of message for 3DES CMAC tests */
645static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
646 0,
647 16,
648 20,
649 32
650};
651
652/* CMAC-TDES (Generation) - 2 Key Test Data */
653static const unsigned char des3_2key_key[24] = {
654 /* Key1 */
655 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
656 /* Key2 */
657 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
658 /* Key3 */
659 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
660};
661static const unsigned char des3_2key_subkeys[2][8] = {
662 {
663 /* K1 */
664 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
665 },
666 {
667 /* K2 */
668 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
669 }
670};
671static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
672 {
673 /* Sample #1 */
674 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
675 },
676 {
677 /* Sample #2 */
678 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
679 },
680 {
681 /* Sample #3 */
682 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
683 },
684 {
685 /* Sample #4 */
686 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
687 }
688};
689
690/* CMAC-TDES (Generation) - 3 Key Test Data */
691static const unsigned char des3_3key_key[24] = {
692 /* Key1 */
693 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
694 /* Key2 */
695 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
696 /* Key3 */
697 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
698};
699static const unsigned char des3_3key_subkeys[2][8] = {
700 {
701 /* K1 */
702 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
703 },
704 {
705 /* K2 */
706 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
707 }
708};
709static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
710 {
711 /* Sample #1 */
712 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
713 },
714 {
715 /* Sample #2 */
716 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
717 },
718 {
719 /* Sample #3 */
720 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
721 },
722 {
723 /* Sample #4 */
724 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
725 }
726};
727
728#endif /* MBEDTLS_DES_C */
729
730#if defined(MBEDTLS_AES_C)
731/* AES AES-CMAC-PRF-128 Test Data */
732static const unsigned char PRFK[] = {
733 /* Key */
734 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
735 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
736 0xed, 0xcb
737};
738
739/* Sizes in bytes */
740static const size_t PRFKlen[NB_PRF_TESTS] = {
741 18,
742 16,
743 10
744};
745
746/* Message */
747static const unsigned char PRFM[] = {
748 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
749 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
750 0x10, 0x11, 0x12, 0x13
751};
752
753static const unsigned char PRFT[NB_PRF_TESTS][16] = {
754 {
755 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
756 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
757 },
758 {
759 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
760 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
761 },
762 {
763 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
764 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
765 }
766};
767#endif /* MBEDTLS_AES_C */
768
769static int cmac_test_subkeys( int verbose,
770 const char* testname,
771 const unsigned char* key,
772 int keybits,
773 const unsigned char* subkeys,
774 mbedtls_cipher_type_t cipher_type,
775 int block_size,
776 int num_tests )
777{
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]778 int i, ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]779 mbedtls_cipher_context_t ctx;
780 const mbedtls_cipher_info_t *cipher_info;
781 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
782 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
783
784 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
785 if( cipher_info == NULL )
786 {
787 /* Failing at this point must be due to a build issue */
788 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
789 }
790
791 for( i = 0; i < num_tests; i++ )
792 {
793 if( verbose != 0 )
794 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
795
796 mbedtls_cipher_init( &ctx );
797
798 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
799 {
800 if( verbose != 0 )
801 mbedtls_printf( "test execution failed\n" );
802
803 goto cleanup;
804 }
805
806 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
807 MBEDTLS_ENCRYPT ) ) != 0 )
808 {
809 if( verbose != 0 )
810 mbedtls_printf( "test execution failed\n" );
811
812 goto cleanup;
813 }
814
815 ret = cmac_generate_subkeys( &ctx, K1, K2 );
816 if( ret != 0 )
817 {
818 if( verbose != 0 )
819 mbedtls_printf( "failed\n" );
820
821 goto cleanup;
822 }
823
824 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
825 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
826 {
827 if( verbose != 0 )
828 mbedtls_printf( "failed\n" );
829
830 goto cleanup;
831 }
832
833 if( verbose != 0 )
834 mbedtls_printf( "passed\n" );
835
836 mbedtls_cipher_free( &ctx );
837 }
838
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]839 ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]840 goto exit;
841
842cleanup:
843 mbedtls_cipher_free( &ctx );
844
845exit:
846 return( ret );
847}
848
849static int cmac_test_wth_cipher( int verbose,
850 const char* testname,
851 const unsigned char* key,
852 int keybits,
853 const unsigned char* messages,
854 const unsigned int message_lengths[4],
855 const unsigned char* expected_result,
856 mbedtls_cipher_type_t cipher_type,
857 int block_size,
858 int num_tests )
859{
860 const mbedtls_cipher_info_t *cipher_info;
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]861 int i, ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]862 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
863
864 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
865 if( cipher_info == NULL )
866 {
867 /* Failing at this point must be due to a build issue */
868 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
869 goto exit;
870 }
871
872 for( i = 0; i < num_tests; i++ )
873 {
874 if( verbose != 0 )
875 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
876
877 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
878 message_lengths[i], output ) ) != 0 )
879 {
880 if( verbose != 0 )
881 mbedtls_printf( "failed\n" );
882 goto exit;
883 }
884
885 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
886 {
887 if( verbose != 0 )
888 mbedtls_printf( "failed\n" );
889 goto exit;
890 }
891
892 if( verbose != 0 )
893 mbedtls_printf( "passed\n" );
894 }
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame]895 ret = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]896
897exit:
898 return( ret );
899}
900
901#if defined(MBEDTLS_AES_C)
902static int test_aes128_cmac_prf( int verbose )
903{
904 int i;
905 int ret;
906 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
907
908 for( i = 0; i < NB_PRF_TESTS; i++ )
909 {
910 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
911 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
912 if( ret != 0 ||
913 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
914 {
915
916 if( verbose != 0 )
917 mbedtls_printf( "failed\n" );
918
919 return( ret );
920 }
921 else if( verbose != 0 )
922 {
923 mbedtls_printf( "passed\n" );
924 }
925 }
926 return( ret );
927}
928#endif /* MBEDTLS_AES_C */
929
930int mbedtls_cmac_self_test( int verbose )
931{
932 int ret;
933
934#if defined(MBEDTLS_AES_C)
935 /* AES-128 */
936 if( ( ret = cmac_test_subkeys( verbose,
937 "AES 128",
938 aes_128_key,
939 128,
940 (const unsigned char*)aes_128_subkeys,
941 MBEDTLS_CIPHER_AES_128_ECB,
942 MBEDTLS_AES_BLOCK_SIZE,
943 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
944 {
945 return( ret );
946 }
947
948 if( ( ret = cmac_test_wth_cipher( verbose,
949 "AES 128",
950 aes_128_key,
951 128,
952 test_message,
953 aes_message_lengths,
954 (const unsigned char*)aes_128_expected_result,
955 MBEDTLS_CIPHER_AES_128_ECB,
956 MBEDTLS_AES_BLOCK_SIZE,
957 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
958 {
959 return( ret );
960 }
961
962 /* AES-192 */
963 if( ( ret = cmac_test_subkeys( verbose,
964 "AES 192",
965 aes_192_key,
966 192,
967 (const unsigned char*)aes_192_subkeys,
968 MBEDTLS_CIPHER_AES_192_ECB,
969 MBEDTLS_AES_BLOCK_SIZE,
970 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
971 {
972 return( ret );
973 }
974
975 if( ( ret = cmac_test_wth_cipher( verbose,
976 "AES 192",
977 aes_192_key,
978 192,
979 test_message,
980 aes_message_lengths,
981 (const unsigned char*)aes_192_expected_result,
982 MBEDTLS_CIPHER_AES_192_ECB,
983 MBEDTLS_AES_BLOCK_SIZE,
984 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
985 {
986 return( ret );
987 }
988
989 /* AES-256 */
990 if( ( ret = cmac_test_subkeys( verbose,
991 "AES 256",
992 aes_256_key,
993 256,
994 (const unsigned char*)aes_256_subkeys,
995 MBEDTLS_CIPHER_AES_256_ECB,
996 MBEDTLS_AES_BLOCK_SIZE,
997 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
998 {
999 return( ret );
1000 }
1001
1002 if( ( ret = cmac_test_wth_cipher ( verbose,
1003 "AES 256",
1004 aes_256_key,
1005 256,
1006 test_message,
1007 aes_message_lengths,
1008 (const unsigned char*)aes_256_expected_result,
1009 MBEDTLS_CIPHER_AES_256_ECB,
1010 MBEDTLS_AES_BLOCK_SIZE,
1011 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1012 {
1013 return( ret );
1014 }
1015#endif /* MBEDTLS_AES_C */
1016
1017#if defined(MBEDTLS_DES_C)
1018 /* 3DES 2 key */
1019 if( ( ret = cmac_test_subkeys( verbose,
1020 "3DES 2 key",
1021 des3_2key_key,
1022 192,
1023 (const unsigned char*)des3_2key_subkeys,
1024 MBEDTLS_CIPHER_DES_EDE3_ECB,
1025 MBEDTLS_DES3_BLOCK_SIZE,
1026 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1027 {
1028 return( ret );
1029 }
1030
1031 if( ( ret = cmac_test_wth_cipher( verbose,
1032 "3DES 2 key",
1033 des3_2key_key,
1034 192,
1035 test_message,
1036 des3_message_lengths,
1037 (const unsigned char*)des3_2key_expected_result,
1038 MBEDTLS_CIPHER_DES_EDE3_ECB,
1039 MBEDTLS_DES3_BLOCK_SIZE,
1040 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1041 {
1042 return( ret );
1043 }
1044
1045 /* 3DES 3 key */
1046 if( ( ret = cmac_test_subkeys( verbose,
1047 "3DES 3 key",
1048 des3_3key_key,
1049 192,
1050 (const unsigned char*)des3_3key_subkeys,
1051 MBEDTLS_CIPHER_DES_EDE3_ECB,
1052 MBEDTLS_DES3_BLOCK_SIZE,
1053 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1054 {
1055 return( ret );
1056 }
1057
1058 if( ( ret = cmac_test_wth_cipher( verbose,
1059 "3DES 3 key",
1060 des3_3key_key,
1061 192,
1062 test_message,
1063 des3_message_lengths,
1064 (const unsigned char*)des3_3key_expected_result,
1065 MBEDTLS_CIPHER_DES_EDE3_ECB,
1066 MBEDTLS_DES3_BLOCK_SIZE,
1067 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1068 {
1069 return( ret );
1070 }
1071#endif /* MBEDTLS_DES_C */
1072
1073#if defined(MBEDTLS_AES_C)
1074 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1075 return( ret );
1076#endif /* MBEDTLS_AES_C */
1077
1078 if( verbose != 0 )
1079 mbedtls_printf( "\n" );
1080
1081 return( 0 );
1082}
1083
1084#endif /* MBEDTLS_SELF_TEST */
1085
1086#endif /* MBEDTLS_CMAC_C */