TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / library / cmac.c
blob: e12f7bdc3850b4bc974f35d395c25296ea288051 [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of Mbed Crypto (https://tls.mbed.org)
22 */
23
24/*
25 * References:
26 *
27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28 * CMAC Mode for Authentication
29 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
30 *
31 * - RFC 4493 - The AES-CMAC Algorithm
32 * https://tools.ietf.org/html/rfc4493
33 *
34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36 * Algorithm for the Internet Key Exchange Protocol (IKE)
37 * https://tools.ietf.org/html/rfc4615
38 *
39 * Additional test vectors: ISO/IEC 9797-1
40 *
41 */
42
43#if !defined(MBEDCRYPTO_CONFIG_FILE)
44#include "mbedcrypto/config.h"
45#else
46#include MBEDCRYPTO_CONFIG_FILE
47#endif
48
49#if defined(MBEDCRYPTO_CMAC_C)
50
51#include "mbedcrypto/cmac.h"
52#include "mbedcrypto/platform_util.h"
53
54#include <string.h>
55
56
57#if defined(MBEDCRYPTO_PLATFORM_C)
58#include "mbedcrypto/platform.h"
59#else
60#include <stdlib.h>
61#define mbedcrypto_calloc calloc
62#define mbedcrypto_free free
63#if defined(MBEDCRYPTO_SELF_TEST)
64#include <stdio.h>
65#define mbedcrypto_printf printf
66#endif /* MBEDCRYPTO_SELF_TEST */
67#endif /* MBEDCRYPTO_PLATFORM_C */
68
69#if !defined(MBEDCRYPTO_CMAC_ALT) || defined(MBEDCRYPTO_SELF_TEST)
70
71/*
72 * Multiplication by u in the Galois field of GF(2^n)
73 *
74 * As explained in NIST SP 800-38B, this can be computed:
75 *
76 * If MSB(p) = 0, then p = (p << 1)
77 * If MSB(p) = 1, then p = (p << 1) ^ R_n
78 * with R_64 = 0x1B and R_128 = 0x87
79 *
80 * Input and output MUST NOT point to the same buffer
81 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
82 */
83static int cmac_multiply_by_u( unsigned char *output,
84 const unsigned char *input,
85 size_t blocksize )
86{
87 const unsigned char R_128 = 0x87;
88 const unsigned char R_64 = 0x1B;
89 unsigned char R_n, mask;
90 unsigned char overflow = 0x00;
91 int i;
92
93 if( blocksize == MBEDCRYPTO_AES_BLOCK_SIZE )
94 {
95 R_n = R_128;
96 }
97 else if( blocksize == MBEDCRYPTO_DES3_BLOCK_SIZE )
98 {
99 R_n = R_64;
100 }
101 else
102 {
103 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
104 }
105
106 for( i = (int)blocksize - 1; i >= 0; i-- )
107 {
108 output[i] = input[i] << 1 | overflow;
109 overflow = input[i] >> 7;
110 }
111
112 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
113 * using bit operations to avoid branches */
114
115 /* MSVC has a warning about unary minus on unsigned, but this is
116 * well-defined and precisely what we want to do here */
117#if defined(_MSC_VER)
118#pragma warning( push )
119#pragma warning( disable : 4146 )
120#endif
121 mask = - ( input[0] >> 7 );
122#if defined(_MSC_VER)
123#pragma warning( pop )
124#endif
125
126 output[ blocksize - 1 ] ^= R_n & mask;
127
128 return( 0 );
129}
130
131/*
132 * Generate subkeys
133 *
134 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
135 */
136static int cmac_generate_subkeys( mbedcrypto_cipher_context_t *ctx,
137 unsigned char* K1, unsigned char* K2 )
138{
139 int ret;
140 unsigned char L[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
141 size_t olen, block_size;
142
143 mbedcrypto_platform_zeroize( L, sizeof( L ) );
144
145 block_size = ctx->cipher_info->block_size;
146
147 /* Calculate Ek(0) */
148 if( ( ret = mbedcrypto_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
149 goto exit;
150
151 /*
152 * Generate K1 and K2
153 */
154 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
155 goto exit;
156
157 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
158 goto exit;
159
160exit:
161 mbedcrypto_platform_zeroize( L, sizeof( L ) );
162
163 return( ret );
164}
165#endif /* !defined(MBEDCRYPTO_CMAC_ALT) || defined(MBEDCRYPTO_SELF_TEST) */
166
167#if !defined(MBEDCRYPTO_CMAC_ALT)
168static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
169 const unsigned char *input2,
170 const size_t block_size )
171{
172 size_t idx;
173
174 for( idx = 0; idx < block_size; idx++ )
175 output[ idx ] = input1[ idx ] ^ input2[ idx ];
176}
177
178/*
179 * Create padded last block from (partial) last block.
180 *
181 * We can't use the padding option from the cipher layer, as it only works for
182 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
183 */
184static void cmac_pad( unsigned char padded_block[MBEDCRYPTO_CIPHER_BLKSIZE_MAX],
185 size_t padded_block_len,
186 const unsigned char *last_block,
187 size_t last_block_len )
188{
189 size_t j;
190
191 for( j = 0; j < padded_block_len; j++ )
192 {
193 if( j < last_block_len )
194 padded_block[j] = last_block[j];
195 else if( j == last_block_len )
196 padded_block[j] = 0x80;
197 else
198 padded_block[j] = 0x00;
199 }
200}
201
202int mbedcrypto_cipher_cmac_starts( mbedcrypto_cipher_context_t *ctx,
203 const unsigned char *key, size_t keybits )
204{
205 mbedcrypto_cipher_type_t type;
206 mbedcrypto_cmac_context_t *cmac_ctx;
207 int retval;
208
209 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
210 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
211
212 if( ( retval = mbedcrypto_cipher_setkey( ctx, key, (int)keybits,
213 MBEDCRYPTO_ENCRYPT ) ) != 0 )
214 return( retval );
215
216 type = ctx->cipher_info->type;
217
218 switch( type )
219 {
220 case MBEDCRYPTO_CIPHER_AES_128_ECB:
221 case MBEDCRYPTO_CIPHER_AES_192_ECB:
222 case MBEDCRYPTO_CIPHER_AES_256_ECB:
223 case MBEDCRYPTO_CIPHER_DES_EDE3_ECB:
224 break;
225 default:
226 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
227 }
228
229 /* Allocated and initialise in the cipher context memory for the CMAC
230 * context */
231 cmac_ctx = mbedcrypto_calloc( 1, sizeof( mbedcrypto_cmac_context_t ) );
232 if( cmac_ctx == NULL )
233 return( MBEDCRYPTO_ERR_CIPHER_ALLOC_FAILED );
234
235 ctx->cmac_ctx = cmac_ctx;
236
237 mbedcrypto_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
238
239 return 0;
240}
241
242int mbedcrypto_cipher_cmac_update( mbedcrypto_cipher_context_t *ctx,
243 const unsigned char *input, size_t ilen )
244{
245 mbedcrypto_cmac_context_t* cmac_ctx;
246 unsigned char *state;
247 int ret = 0;
248 size_t n, j, olen, block_size;
249
250 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
251 ctx->cmac_ctx == NULL )
252 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
253
254 cmac_ctx = ctx->cmac_ctx;
255 block_size = ctx->cipher_info->block_size;
256 state = ctx->cmac_ctx->state;
257
258 /* Is there data still to process from the last call, that's greater in
259 * size than a block? */
260 if( cmac_ctx->unprocessed_len > 0 &&
261 ilen > block_size - cmac_ctx->unprocessed_len )
262 {
263 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
264 input,
265 block_size - cmac_ctx->unprocessed_len );
266
267 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
268
269 if( ( ret = mbedcrypto_cipher_update( ctx, state, block_size, state,
270 &olen ) ) != 0 )
271 {
272 goto exit;
273 }
274
275 input += block_size - cmac_ctx->unprocessed_len;
276 ilen -= block_size - cmac_ctx->unprocessed_len;
277 cmac_ctx->unprocessed_len = 0;
278 }
279
280 /* n is the number of blocks including any final partial block */
281 n = ( ilen + block_size - 1 ) / block_size;
282
283 /* Iterate across the input data in block sized chunks, excluding any
284 * final partial or complete block */
285 for( j = 1; j < n; j++ )
286 {
287 cmac_xor_block( state, input, state, block_size );
288
289 if( ( ret = mbedcrypto_cipher_update( ctx, state, block_size, state,
290 &olen ) ) != 0 )
291 goto exit;
292
293 ilen -= block_size;
294 input += block_size;
295 }
296
297 /* If there is data left over that wasn't aligned to a block */
298 if( ilen > 0 )
299 {
300 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
301 input,
302 ilen );
303 cmac_ctx->unprocessed_len += ilen;
304 }
305
306exit:
307 return( ret );
308}
309
310int mbedcrypto_cipher_cmac_finish( mbedcrypto_cipher_context_t *ctx,
311 unsigned char *output )
312{
313 mbedcrypto_cmac_context_t* cmac_ctx;
314 unsigned char *state, *last_block;
315 unsigned char K1[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
316 unsigned char K2[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
317 unsigned char M_last[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
318 int ret;
319 size_t olen, block_size;
320
321 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
322 output == NULL )
323 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
324
325 cmac_ctx = ctx->cmac_ctx;
326 block_size = ctx->cipher_info->block_size;
327 state = cmac_ctx->state;
328
329 mbedcrypto_platform_zeroize( K1, sizeof( K1 ) );
330 mbedcrypto_platform_zeroize( K2, sizeof( K2 ) );
331 cmac_generate_subkeys( ctx, K1, K2 );
332
333 last_block = cmac_ctx->unprocessed_block;
334
335 /* Calculate last block */
336 if( cmac_ctx->unprocessed_len < block_size )
337 {
338 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
339 cmac_xor_block( M_last, M_last, K2, block_size );
340 }
341 else
342 {
343 /* Last block is complete block */
344 cmac_xor_block( M_last, last_block, K1, block_size );
345 }
346
347
348 cmac_xor_block( state, M_last, state, block_size );
349 if( ( ret = mbedcrypto_cipher_update( ctx, state, block_size, state,
350 &olen ) ) != 0 )
351 {
352 goto exit;
353 }
354
355 memcpy( output, state, block_size );
356
357exit:
358 /* Wipe the generated keys on the stack, and any other transients to avoid
359 * side channel leakage */
360 mbedcrypto_platform_zeroize( K1, sizeof( K1 ) );
361 mbedcrypto_platform_zeroize( K2, sizeof( K2 ) );
362
363 cmac_ctx->unprocessed_len = 0;
364 mbedcrypto_platform_zeroize( cmac_ctx->unprocessed_block,
365 sizeof( cmac_ctx->unprocessed_block ) );
366
367 mbedcrypto_platform_zeroize( state, MBEDCRYPTO_CIPHER_BLKSIZE_MAX );
368 return( ret );
369}
370
371int mbedcrypto_cipher_cmac_reset( mbedcrypto_cipher_context_t *ctx )
372{
373 mbedcrypto_cmac_context_t* cmac_ctx;
374
375 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
376 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
377
378 cmac_ctx = ctx->cmac_ctx;
379
380 /* Reset the internal state */
381 cmac_ctx->unprocessed_len = 0;
382 mbedcrypto_platform_zeroize( cmac_ctx->unprocessed_block,
383 sizeof( cmac_ctx->unprocessed_block ) );
384 mbedcrypto_platform_zeroize( cmac_ctx->state,
385 sizeof( cmac_ctx->state ) );
386
387 return( 0 );
388}
389
390int mbedcrypto_cipher_cmac( const mbedcrypto_cipher_info_t *cipher_info,
391 const unsigned char *key, size_t keylen,
392 const unsigned char *input, size_t ilen,
393 unsigned char *output )
394{
395 mbedcrypto_cipher_context_t ctx;
396 int ret;
397
398 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
399 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
400
401 mbedcrypto_cipher_init( &ctx );
402
403 if( ( ret = mbedcrypto_cipher_setup( &ctx, cipher_info ) ) != 0 )
404 goto exit;
405
406 ret = mbedcrypto_cipher_cmac_starts( &ctx, key, keylen );
407 if( ret != 0 )
408 goto exit;
409
410 ret = mbedcrypto_cipher_cmac_update( &ctx, input, ilen );
411 if( ret != 0 )
412 goto exit;
413
414 ret = mbedcrypto_cipher_cmac_finish( &ctx, output );
415
416exit:
417 mbedcrypto_cipher_free( &ctx );
418
419 return( ret );
420}
421
422#if defined(MBEDCRYPTO_AES_C)
423/*
424 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
425 */
426int mbedcrypto_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
427 const unsigned char *input, size_t in_len,
428 unsigned char *output )
429{
430 int ret;
431 const mbedcrypto_cipher_info_t *cipher_info;
432 unsigned char zero_key[MBEDCRYPTO_AES_BLOCK_SIZE];
433 unsigned char int_key[MBEDCRYPTO_AES_BLOCK_SIZE];
434
435 if( key == NULL || input == NULL || output == NULL )
436 return( MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA );
437
438 cipher_info = mbedcrypto_cipher_info_from_type( MBEDCRYPTO_CIPHER_AES_128_ECB );
439 if( cipher_info == NULL )
440 {
441 /* Failing at this point must be due to a build issue */
442 ret = MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE;
443 goto exit;
444 }
445
446 if( key_length == MBEDCRYPTO_AES_BLOCK_SIZE )
447 {
448 /* Use key as is */
449 memcpy( int_key, key, MBEDCRYPTO_AES_BLOCK_SIZE );
450 }
451 else
452 {
453 memset( zero_key, 0, MBEDCRYPTO_AES_BLOCK_SIZE );
454
455 ret = mbedcrypto_cipher_cmac( cipher_info, zero_key, 128, key,
456 key_length, int_key );
457 if( ret != 0 )
458 goto exit;
459 }
460
461 ret = mbedcrypto_cipher_cmac( cipher_info, int_key, 128, input, in_len,
462 output );
463
464exit:
465 mbedcrypto_platform_zeroize( int_key, sizeof( int_key ) );
466
467 return( ret );
468}
469#endif /* MBEDCRYPTO_AES_C */
470
471#endif /* !MBEDCRYPTO_CMAC_ALT */
472
473#if defined(MBEDCRYPTO_SELF_TEST)
474/*
475 * CMAC test data for SP800-38B
476 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
477 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
478 *
479 * AES-CMAC-PRF-128 test data from RFC 4615
480 * https://tools.ietf.org/html/rfc4615#page-4
481 */
482
483#define NB_CMAC_TESTS_PER_KEY 4
484#define NB_PRF_TESTS 3
485
486#if defined(MBEDCRYPTO_AES_C) || defined(MBEDCRYPTO_DES_C)
487/* All CMAC test inputs are truncated from the same 64 byte buffer. */
488static const unsigned char test_message[] = {
489 /* PT */
490 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
491 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
492 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
493 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
494 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
495 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
496 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
497 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
498};
499#endif /* MBEDCRYPTO_AES_C || MBEDCRYPTO_DES_C */
500
501#if defined(MBEDCRYPTO_AES_C)
502/* Truncation point of message for AES CMAC tests */
503static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
504 /* Mlen */
505 0,
506 16,
507 20,
508 64
509};
510
511/* CMAC-AES128 Test Data */
512static const unsigned char aes_128_key[16] = {
513 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
514 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
515};
516static const unsigned char aes_128_subkeys[2][MBEDCRYPTO_AES_BLOCK_SIZE] = {
517 {
518 /* K1 */
519 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
520 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
521 },
522 {
523 /* K2 */
524 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
525 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
526 }
527};
528static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDCRYPTO_AES_BLOCK_SIZE] = {
529 {
530 /* Example #1 */
531 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
532 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
533 },
534 {
535 /* Example #2 */
536 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
537 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
538 },
539 {
540 /* Example #3 */
541 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
542 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
543 },
544 {
545 /* Example #4 */
546 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
547 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
548 }
549};
550
551/* CMAC-AES192 Test Data */
552static const unsigned char aes_192_key[24] = {
553 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
554 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
555 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
556};
557static const unsigned char aes_192_subkeys[2][MBEDCRYPTO_AES_BLOCK_SIZE] = {
558 {
559 /* K1 */
560 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
561 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
562 },
563 {
564 /* K2 */
565 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
566 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
567 }
568};
569static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDCRYPTO_AES_BLOCK_SIZE] = {
570 {
571 /* Example #1 */
572 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
573 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
574 },
575 {
576 /* Example #2 */
577 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
578 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
579 },
580 {
581 /* Example #3 */
582 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
583 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
584 },
585 {
586 /* Example #4 */
587 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
588 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
589 }
590};
591
592/* CMAC-AES256 Test Data */
593static const unsigned char aes_256_key[32] = {
594 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
595 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
596 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
597 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
598};
599static const unsigned char aes_256_subkeys[2][MBEDCRYPTO_AES_BLOCK_SIZE] = {
600 {
601 /* K1 */
602 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
603 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
604 },
605 {
606 /* K2 */
607 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
608 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
609 }
610};
611static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDCRYPTO_AES_BLOCK_SIZE] = {
612 {
613 /* Example #1 */
614 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
615 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
616 },
617 {
618 /* Example #2 */
619 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
620 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
621 },
622 {
623 /* Example #3 */
624 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
625 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
626 },
627 {
628 /* Example #4 */
629 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
630 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
631 }
632};
633#endif /* MBEDCRYPTO_AES_C */
634
635#if defined(MBEDCRYPTO_DES_C)
636/* Truncation point of message for 3DES CMAC tests */
637static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
638 0,
639 16,
640 20,
641 32
642};
643
644/* CMAC-TDES (Generation) - 2 Key Test Data */
645static const unsigned char des3_2key_key[24] = {
646 /* Key1 */
647 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
648 /* Key2 */
649 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
650 /* Key3 */
651 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
652};
653static const unsigned char des3_2key_subkeys[2][8] = {
654 {
655 /* K1 */
656 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
657 },
658 {
659 /* K2 */
660 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
661 }
662};
663static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDCRYPTO_DES3_BLOCK_SIZE] = {
664 {
665 /* Sample #1 */
666 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
667 },
668 {
669 /* Sample #2 */
670 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
671 },
672 {
673 /* Sample #3 */
674 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
675 },
676 {
677 /* Sample #4 */
678 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
679 }
680};
681
682/* CMAC-TDES (Generation) - 3 Key Test Data */
683static const unsigned char des3_3key_key[24] = {
684 /* Key1 */
685 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
686 /* Key2 */
687 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
688 /* Key3 */
689 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
690};
691static const unsigned char des3_3key_subkeys[2][8] = {
692 {
693 /* K1 */
694 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
695 },
696 {
697 /* K2 */
698 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
699 }
700};
701static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDCRYPTO_DES3_BLOCK_SIZE] = {
702 {
703 /* Sample #1 */
704 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
705 },
706 {
707 /* Sample #2 */
708 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
709 },
710 {
711 /* Sample #3 */
712 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
713 },
714 {
715 /* Sample #4 */
716 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
717 }
718};
719
720#endif /* MBEDCRYPTO_DES_C */
721
722#if defined(MBEDCRYPTO_AES_C)
723/* AES AES-CMAC-PRF-128 Test Data */
724static const unsigned char PRFK[] = {
725 /* Key */
726 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
727 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
728 0xed, 0xcb
729};
730
731/* Sizes in bytes */
732static const size_t PRFKlen[NB_PRF_TESTS] = {
733 18,
734 16,
735 10
736};
737
738/* Message */
739static const unsigned char PRFM[] = {
740 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
741 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
742 0x10, 0x11, 0x12, 0x13
743};
744
745static const unsigned char PRFT[NB_PRF_TESTS][16] = {
746 {
747 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
748 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
749 },
750 {
751 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
752 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
753 },
754 {
755 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
756 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
757 }
758};
759#endif /* MBEDCRYPTO_AES_C */
760
761static int cmac_test_subkeys( int verbose,
762 const char* testname,
763 const unsigned char* key,
764 int keybits,
765 const unsigned char* subkeys,
766 mbedcrypto_cipher_type_t cipher_type,
767 int block_size,
768 int num_tests )
769{
770 int i, ret = 0;
771 mbedcrypto_cipher_context_t ctx;
772 const mbedcrypto_cipher_info_t *cipher_info;
773 unsigned char K1[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
774 unsigned char K2[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
775
776 cipher_info = mbedcrypto_cipher_info_from_type( cipher_type );
777 if( cipher_info == NULL )
778 {
779 /* Failing at this point must be due to a build issue */
780 return( MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE );
781 }
782
783 for( i = 0; i < num_tests; i++ )
784 {
785 if( verbose != 0 )
786 mbedcrypto_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
787
788 mbedcrypto_cipher_init( &ctx );
789
790 if( ( ret = mbedcrypto_cipher_setup( &ctx, cipher_info ) ) != 0 )
791 {
792 if( verbose != 0 )
793 mbedcrypto_printf( "test execution failed\n" );
794
795 goto cleanup;
796 }
797
798 if( ( ret = mbedcrypto_cipher_setkey( &ctx, key, keybits,
799 MBEDCRYPTO_ENCRYPT ) ) != 0 )
800 {
801 if( verbose != 0 )
802 mbedcrypto_printf( "test execution failed\n" );
803
804 goto cleanup;
805 }
806
807 ret = cmac_generate_subkeys( &ctx, K1, K2 );
808 if( ret != 0 )
809 {
810 if( verbose != 0 )
811 mbedcrypto_printf( "failed\n" );
812
813 goto cleanup;
814 }
815
816 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
817 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
818 {
819 if( verbose != 0 )
820 mbedcrypto_printf( "failed\n" );
821
822 goto cleanup;
823 }
824
825 if( verbose != 0 )
826 mbedcrypto_printf( "passed\n" );
827
828 mbedcrypto_cipher_free( &ctx );
829 }
830
831 goto exit;
832
833cleanup:
834 mbedcrypto_cipher_free( &ctx );
835
836exit:
837 return( ret );
838}
839
840static int cmac_test_wth_cipher( int verbose,
841 const char* testname,
842 const unsigned char* key,
843 int keybits,
844 const unsigned char* messages,
845 const unsigned int message_lengths[4],
846 const unsigned char* expected_result,
847 mbedcrypto_cipher_type_t cipher_type,
848 int block_size,
849 int num_tests )
850{
851 const mbedcrypto_cipher_info_t *cipher_info;
852 int i, ret = 0;
853 unsigned char output[MBEDCRYPTO_CIPHER_BLKSIZE_MAX];
854
855 cipher_info = mbedcrypto_cipher_info_from_type( cipher_type );
856 if( cipher_info == NULL )
857 {
858 /* Failing at this point must be due to a build issue */
859 ret = MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE;
860 goto exit;
861 }
862
863 for( i = 0; i < num_tests; i++ )
864 {
865 if( verbose != 0 )
866 mbedcrypto_printf( " %s CMAC #%u: ", testname, i + 1 );
867
868 if( ( ret = mbedcrypto_cipher_cmac( cipher_info, key, keybits, messages,
869 message_lengths[i], output ) ) != 0 )
870 {
871 if( verbose != 0 )
872 mbedcrypto_printf( "failed\n" );
873 goto exit;
874 }
875
876 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
877 {
878 if( verbose != 0 )
879 mbedcrypto_printf( "failed\n" );
880 goto exit;
881 }
882
883 if( verbose != 0 )
884 mbedcrypto_printf( "passed\n" );
885 }
886
887exit:
888 return( ret );
889}
890
891#if defined(MBEDCRYPTO_AES_C)
892static int test_aes128_cmac_prf( int verbose )
893{
894 int i;
895 int ret;
896 unsigned char output[MBEDCRYPTO_AES_BLOCK_SIZE];
897
898 for( i = 0; i < NB_PRF_TESTS; i++ )
899 {
900 mbedcrypto_printf( " AES CMAC 128 PRF #%u: ", i );
901 ret = mbedcrypto_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
902 if( ret != 0 ||
903 memcmp( output, PRFT[i], MBEDCRYPTO_AES_BLOCK_SIZE ) != 0 )
904 {
905
906 if( verbose != 0 )
907 mbedcrypto_printf( "failed\n" );
908
909 return( ret );
910 }
911 else if( verbose != 0 )
912 {
913 mbedcrypto_printf( "passed\n" );
914 }
915 }
916 return( ret );
917}
918#endif /* MBEDCRYPTO_AES_C */
919
920int mbedcrypto_cmac_self_test( int verbose )
921{
922 int ret;
923
924#if defined(MBEDCRYPTO_AES_C)
925 /* AES-128 */
926 if( ( ret = cmac_test_subkeys( verbose,
927 "AES 128",
928 aes_128_key,
929 128,
930 (const unsigned char*)aes_128_subkeys,
931 MBEDCRYPTO_CIPHER_AES_128_ECB,
932 MBEDCRYPTO_AES_BLOCK_SIZE,
933 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
934 {
935 return( ret );
936 }
937
938 if( ( ret = cmac_test_wth_cipher( verbose,
939 "AES 128",
940 aes_128_key,
941 128,
942 test_message,
943 aes_message_lengths,
944 (const unsigned char*)aes_128_expected_result,
945 MBEDCRYPTO_CIPHER_AES_128_ECB,
946 MBEDCRYPTO_AES_BLOCK_SIZE,
947 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
948 {
949 return( ret );
950 }
951
952 /* AES-192 */
953 if( ( ret = cmac_test_subkeys( verbose,
954 "AES 192",
955 aes_192_key,
956 192,
957 (const unsigned char*)aes_192_subkeys,
958 MBEDCRYPTO_CIPHER_AES_192_ECB,
959 MBEDCRYPTO_AES_BLOCK_SIZE,
960 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
961 {
962 return( ret );
963 }
964
965 if( ( ret = cmac_test_wth_cipher( verbose,
966 "AES 192",
967 aes_192_key,
968 192,
969 test_message,
970 aes_message_lengths,
971 (const unsigned char*)aes_192_expected_result,
972 MBEDCRYPTO_CIPHER_AES_192_ECB,
973 MBEDCRYPTO_AES_BLOCK_SIZE,
974 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
975 {
976 return( ret );
977 }
978
979 /* AES-256 */
980 if( ( ret = cmac_test_subkeys( verbose,
981 "AES 256",
982 aes_256_key,
983 256,
984 (const unsigned char*)aes_256_subkeys,
985 MBEDCRYPTO_CIPHER_AES_256_ECB,
986 MBEDCRYPTO_AES_BLOCK_SIZE,
987 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
988 {
989 return( ret );
990 }
991
992 if( ( ret = cmac_test_wth_cipher ( verbose,
993 "AES 256",
994 aes_256_key,
995 256,
996 test_message,
997 aes_message_lengths,
998 (const unsigned char*)aes_256_expected_result,
999 MBEDCRYPTO_CIPHER_AES_256_ECB,
1000 MBEDCRYPTO_AES_BLOCK_SIZE,
1001 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1002 {
1003 return( ret );
1004 }
1005#endif /* MBEDCRYPTO_AES_C */
1006
1007#if defined(MBEDCRYPTO_DES_C)
1008 /* 3DES 2 key */
1009 if( ( ret = cmac_test_subkeys( verbose,
1010 "3DES 2 key",
1011 des3_2key_key,
1012 192,
1013 (const unsigned char*)des3_2key_subkeys,
1014 MBEDCRYPTO_CIPHER_DES_EDE3_ECB,
1015 MBEDCRYPTO_DES3_BLOCK_SIZE,
1016 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1017 {
1018 return( ret );
1019 }
1020
1021 if( ( ret = cmac_test_wth_cipher( verbose,
1022 "3DES 2 key",
1023 des3_2key_key,
1024 192,
1025 test_message,
1026 des3_message_lengths,
1027 (const unsigned char*)des3_2key_expected_result,
1028 MBEDCRYPTO_CIPHER_DES_EDE3_ECB,
1029 MBEDCRYPTO_DES3_BLOCK_SIZE,
1030 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1031 {
1032 return( ret );
1033 }
1034
1035 /* 3DES 3 key */
1036 if( ( ret = cmac_test_subkeys( verbose,
1037 "3DES 3 key",
1038 des3_3key_key,
1039 192,
1040 (const unsigned char*)des3_3key_subkeys,
1041 MBEDCRYPTO_CIPHER_DES_EDE3_ECB,
1042 MBEDCRYPTO_DES3_BLOCK_SIZE,
1043 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1044 {
1045 return( ret );
1046 }
1047
1048 if( ( ret = cmac_test_wth_cipher( verbose,
1049 "3DES 3 key",
1050 des3_3key_key,
1051 192,
1052 test_message,
1053 des3_message_lengths,
1054 (const unsigned char*)des3_3key_expected_result,
1055 MBEDCRYPTO_CIPHER_DES_EDE3_ECB,
1056 MBEDCRYPTO_DES3_BLOCK_SIZE,
1057 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1058 {
1059 return( ret );
1060 }
1061#endif /* MBEDCRYPTO_DES_C */
1062
1063#if defined(MBEDCRYPTO_AES_C)
1064 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1065 return( ret );
1066#endif /* MBEDCRYPTO_AES_C */
1067
1068 if( verbose != 0 )
1069 mbedcrypto_printf( "\n" );
1070
1071 return( 0 );
1072}
1073
1074#endif /* MBEDCRYPTO_SELF_TEST */
1075
1076#endif /* MBEDCRYPTO_CMAC_C */