CoCalc -- cmac.c

GitHub Repository: godotengine/godot
Path: blob/master/thirdparty/mbedtls/library/cmac.c
⁹⁸⁹⁸ views
1
/**
2
 * \file cmac.c
3
 *
4
 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5
 *
6
 *  Copyright The Mbed TLS Contributors
7
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8
 */
9

10
/*
11
 * References:
12
 *
13
 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
14
 *      CMAC Mode for Authentication
15
 *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
16
 *
17
 * - RFC 4493 - The AES-CMAC Algorithm
18
 *   https://tools.ietf.org/html/rfc4493
19
 *
20
 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
21
 *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
22
 *      Algorithm for the Internet Key Exchange Protocol (IKE)
23
 *   https://tools.ietf.org/html/rfc4615
24
 *
25
 *   Additional test vectors: ISO/IEC 9797-1
26
 *
27
 */
28

29
#include "common.h"
30

31
#if defined(MBEDTLS_CMAC_C)
32

33
#include "mbedtls/cmac.h"
34
#include "mbedtls/platform_util.h"
35
#include "mbedtls/error.h"
36
#include "mbedtls/platform.h"
37
#include "constant_time_internal.h"
38

39
#include <string.h>
40

41
#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
42

43
/*
44
 * Multiplication by u in the Galois field of GF(2^n)
45
 *
46
 * As explained in NIST SP 800-38B, this can be computed:
47
 *
48
 *   If MSB(p) = 0, then p = (p << 1)
49
 *   If MSB(p) = 1, then p = (p << 1) ^ R_n
50
 *   with R_64 = 0x1B and  R_128 = 0x87
51
 *
52
 * Input and output MUST NOT point to the same buffer
53
 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
54
 */
55
static int cmac_multiply_by_u(unsigned char *output,
56
                              const unsigned char *input,
57
                              size_t blocksize)
58
{
59
    const unsigned char R_128 = 0x87;
60
    unsigned char R_n;
61
    uint32_t overflow = 0x00;
62
    int i;
63

64
    if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
65
        R_n = R_128;
66
    }
67
#if defined(MBEDTLS_DES_C)
68
    else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
69
        const unsigned char R_64 = 0x1B;
70
        R_n = R_64;
71
    }
72
#endif
73
    else {
74
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
75
    }
76

77
    for (i = (int) blocksize - 4; i >= 0; i -= 4) {
78
        uint32_t i32 = MBEDTLS_GET_UINT32_BE(&input[i], 0);
79
        uint32_t new_overflow = i32 >> 31;
80
        i32 = (i32 << 1) | overflow;
81
        MBEDTLS_PUT_UINT32_BE(i32, &output[i], 0);
82
        overflow = new_overflow;
83
    }
84

85
    R_n = (unsigned char) mbedtls_ct_uint_if_else_0(mbedtls_ct_bool(input[0] >> 7), R_n);
86
    output[blocksize - 1] ^= R_n;
87

88
    return 0;
89
}
90

91
/*
92
 * Generate subkeys
93
 *
94
 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
95
 */
96
static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
97
                                 unsigned char *K1, unsigned char *K2)
98
{
99
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
100
    unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
101
    size_t olen, block_size;
102

103
    mbedtls_platform_zeroize(L, sizeof(L));
104

105
    block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
106

107
    /* Calculate Ek(0) */
108
    if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
109
        goto exit;
110
    }
111

112
    /*
113
     * Generate K1 and K2
114
     */
115
    if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
116
        goto exit;
117
    }
118

119
    if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
120
        goto exit;
121
    }
122

123
exit:
124
    mbedtls_platform_zeroize(L, sizeof(L));
125

126
    return ret;
127
}
128
#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
129

130
#if !defined(MBEDTLS_CMAC_ALT)
131

132
/*
133
 * Create padded last block from (partial) last block.
134
 *
135
 * We can't use the padding option from the cipher layer, as it only works for
136
 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
137
 */
138
static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
139
                     size_t padded_block_len,
140
                     const unsigned char *last_block,
141
                     size_t last_block_len)
142
{
143
    size_t j;
144

145
    for (j = 0; j < padded_block_len; j++) {
146
        if (j < last_block_len) {
147
            padded_block[j] = last_block[j];
148
        } else if (j == last_block_len) {
149
            padded_block[j] = 0x80;
150
        } else {
151
            padded_block[j] = 0x00;
152
        }
153
    }
154
}
155

156
int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
157
                               const unsigned char *key, size_t keybits)
158
{
159
    mbedtls_cipher_type_t type;
160
    mbedtls_cmac_context_t *cmac_ctx;
161
    int retval;
162

163
    if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
164
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
165
    }
166

167
    if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
168
                                        MBEDTLS_ENCRYPT)) != 0) {
169
        return retval;
170
    }
171

172
    type = mbedtls_cipher_info_get_type(ctx->cipher_info);
173

174
    switch (type) {
175
        case MBEDTLS_CIPHER_AES_128_ECB:
176
        case MBEDTLS_CIPHER_AES_192_ECB:
177
        case MBEDTLS_CIPHER_AES_256_ECB:
178
        case MBEDTLS_CIPHER_DES_EDE3_ECB:
179
            break;
180
        default:
181
            return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
182
    }
183

184
    /* Allocated and initialise in the cipher context memory for the CMAC
185
     * context */
186
    cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
187
    if (cmac_ctx == NULL) {
188
        return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
189
    }
190

191
    ctx->cmac_ctx = cmac_ctx;
192

193
    mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
194

195
    return 0;
196
}
197

198
int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
199
                               const unsigned char *input, size_t ilen)
200
{
201
    mbedtls_cmac_context_t *cmac_ctx;
202
    unsigned char *state;
203
    int ret = 0;
204
    size_t n, j, olen, block_size;
205

206
    if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
207
        ctx->cmac_ctx == NULL) {
208
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
209
    }
210

211
    cmac_ctx = ctx->cmac_ctx;
212
    block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
213
    state = ctx->cmac_ctx->state;
214

215
    /* Without the MBEDTLS_ASSUME below, gcc -O3 will generate a warning of the form
216
     * error: writing 16 bytes into a region of size 0 [-Werror=stringop-overflow=] */
217
    MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE);
218

219
    /* Is there data still to process from the last call, that's greater in
220
     * size than a block? */
221
    if (cmac_ctx->unprocessed_len > 0 &&
222
        ilen > block_size - cmac_ctx->unprocessed_len) {
223
        memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
224
               input,
225
               block_size - cmac_ctx->unprocessed_len);
226

227
        mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
228

229
        if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
230
                                         &olen)) != 0) {
231
            goto exit;
232
        }
233

234
        input += block_size - cmac_ctx->unprocessed_len;
235
        ilen -= block_size - cmac_ctx->unprocessed_len;
236
        cmac_ctx->unprocessed_len = 0;
237
    }
238

239
    /* n is the number of blocks including any final partial block */
240
    n = (ilen + block_size - 1) / block_size;
241

242
    /* Iterate across the input data in block sized chunks, excluding any
243
     * final partial or complete block */
244
    for (j = 1; j < n; j++) {
245
        mbedtls_xor_no_simd(state, input, state, block_size);
246

247
        if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
248
                                         &olen)) != 0) {
249
            goto exit;
250
        }
251

252
        ilen -= block_size;
253
        input += block_size;
254
    }
255

256
    /* If there is data left over that wasn't aligned to a block */
257
    if (ilen > 0) {
258
        memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
259
               input,
260
               ilen);
261
        cmac_ctx->unprocessed_len += ilen;
262
    }
263

264
exit:
265
    return ret;
266
}
267

268
int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
269
                               unsigned char *output)
270
{
271
    mbedtls_cmac_context_t *cmac_ctx;
272
    unsigned char *state, *last_block;
273
    unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
274
    unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
275
    unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
276
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
277
    size_t olen, block_size;
278

279
    if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
280
        output == NULL) {
281
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
282
    }
283

284
    cmac_ctx = ctx->cmac_ctx;
285
    block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
286
    MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); // silence GCC warning
287
    state = cmac_ctx->state;
288

289
    mbedtls_platform_zeroize(K1, sizeof(K1));
290
    mbedtls_platform_zeroize(K2, sizeof(K2));
291
    cmac_generate_subkeys(ctx, K1, K2);
292

293
    last_block = cmac_ctx->unprocessed_block;
294

295
    /* Calculate last block */
296
    if (cmac_ctx->unprocessed_len < block_size) {
297
        cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
298
        mbedtls_xor(M_last, M_last, K2, block_size);
299
    } else {
300
        /* Last block is complete block */
301
        mbedtls_xor(M_last, last_block, K1, block_size);
302
    }
303

304

305
    mbedtls_xor(state, M_last, state, block_size);
306
    if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
307
                                     &olen)) != 0) {
308
        goto exit;
309
    }
310

311
    memcpy(output, state, block_size);
312

313
exit:
314
    /* Wipe the generated keys on the stack, and any other transients to avoid
315
     * side channel leakage */
316
    mbedtls_platform_zeroize(K1, sizeof(K1));
317
    mbedtls_platform_zeroize(K2, sizeof(K2));
318

319
    cmac_ctx->unprocessed_len = 0;
320
    mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
321
                             sizeof(cmac_ctx->unprocessed_block));
322

323
    mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
324
    return ret;
325
}
326

327
int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
328
{
329
    mbedtls_cmac_context_t *cmac_ctx;
330

331
    if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
332
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
333
    }
334

335
    cmac_ctx = ctx->cmac_ctx;
336

337
    /* Reset the internal state */
338
    cmac_ctx->unprocessed_len = 0;
339
    mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
340
                             sizeof(cmac_ctx->unprocessed_block));
341
    mbedtls_platform_zeroize(cmac_ctx->state,
342
                             sizeof(cmac_ctx->state));
343

344
    return 0;
345
}
346

347
int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
348
                        const unsigned char *key, size_t keylen,
349
                        const unsigned char *input, size_t ilen,
350
                        unsigned char *output)
351
{
352
    mbedtls_cipher_context_t ctx;
353
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
354

355
    if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
356
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
357
    }
358

359
    mbedtls_cipher_init(&ctx);
360

361
    if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
362
        goto exit;
363
    }
364

365
    ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
366
    if (ret != 0) {
367
        goto exit;
368
    }
369

370
    ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
371
    if (ret != 0) {
372
        goto exit;
373
    }
374

375
    ret = mbedtls_cipher_cmac_finish(&ctx, output);
376

377
exit:
378
    mbedtls_cipher_free(&ctx);
379

380
    return ret;
381
}
382

383
#if defined(MBEDTLS_AES_C)
384
/*
385
 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
386
 */
387
int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
388
                             const unsigned char *input, size_t in_len,
389
                             unsigned char output[16])
390
{
391
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
392
    const mbedtls_cipher_info_t *cipher_info;
393
    unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
394
    unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
395

396
    if (key == NULL || input == NULL || output == NULL) {
397
        return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
398
    }
399

400
    cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
401
    if (cipher_info == NULL) {
402
        /* Failing at this point must be due to a build issue */
403
        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
404
        goto exit;
405
    }
406

407
    if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
408
        /* Use key as is */
409
        memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
410
    } else {
411
        memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
412

413
        ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
414
                                  key_length, int_key);
415
        if (ret != 0) {
416
            goto exit;
417
        }
418
    }
419

420
    ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
421
                              output);
422

423
exit:
424
    mbedtls_platform_zeroize(int_key, sizeof(int_key));
425

426
    return ret;
427
}
428
#endif /* MBEDTLS_AES_C */
429

430
#endif /* !MBEDTLS_CMAC_ALT */
431

432
#if defined(MBEDTLS_SELF_TEST)
433
/*
434
 * CMAC test data for SP800-38B
435
 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
436
 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
437
 *
438
 * AES-CMAC-PRF-128 test data from RFC 4615
439
 * https://tools.ietf.org/html/rfc4615#page-4
440
 */
441

442
#define NB_CMAC_TESTS_PER_KEY 4
443
#define NB_PRF_TESTS 3
444

445
#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
446
/* All CMAC test inputs are truncated from the same 64 byte buffer. */
447
static const unsigned char test_message[] = {
448
    /* PT */
449
    0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
450
    0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
451
    0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
452
    0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
453
    0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
454
    0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
455
    0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
456
    0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
457
};
458
#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
459

460
#if defined(MBEDTLS_AES_C)
461
/* Truncation point of message for AES CMAC tests  */
462
static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
463
    /* Mlen */
464
    0,
465
    16,
466
    20,
467
    64
468
};
469

470
/* CMAC-AES128 Test Data */
471
static const unsigned char aes_128_key[16] = {
472
    0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
473
    0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
474
};
475
static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
476
    {
477
        /* K1 */
478
        0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
479
        0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
480
    },
481
    {
482
        /* K2 */
483
        0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
484
        0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
485
    }
486
};
487
static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
488
{
489
    {
490
        /* Example #1 */
491
        0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
492
        0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
493
    },
494
    {
495
        /* Example #2 */
496
        0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
497
        0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
498
    },
499
    {
500
        /* Example #3 */
501
        0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
502
        0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
503
    },
504
    {
505
        /* Example #4 */
506
        0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
507
        0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
508
    }
509
};
510

511
/* CMAC-AES192 Test Data */
512
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
513
static const unsigned char aes_192_key[24] = {
514
    0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
515
    0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
516
    0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
517
};
518
static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
519
    {
520
        /* K1 */
521
        0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
522
        0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
523
    },
524
    {
525
        /* K2 */
526
        0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
527
        0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
528
    }
529
};
530
static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
531
{
532
    {
533
        /* Example #1 */
534
        0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
535
        0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
536
    },
537
    {
538
        /* Example #2 */
539
        0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
540
        0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
541
    },
542
    {
543
        /* Example #3 */
544
        0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
545
        0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
546
    },
547
    {
548
        /* Example #4 */
549
        0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
550
        0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
551
    }
552
};
553
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
554

555
/* CMAC-AES256 Test Data */
556
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
557
static const unsigned char aes_256_key[32] = {
558
    0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
559
    0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
560
    0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
561
    0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
562
};
563
static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
564
    {
565
        /* K1 */
566
        0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
567
        0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
568
    },
569
    {
570
        /* K2 */
571
        0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
572
        0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
573
    }
574
};
575
static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
576
{
577
    {
578
        /* Example #1 */
579
        0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
580
        0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
581
    },
582
    {
583
        /* Example #2 */
584
        0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
585
        0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
586
    },
587
    {
588
        /* Example #3 */
589
        0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
590
        0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
591
    },
592
    {
593
        /* Example #4 */
594
        0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
595
        0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
596
    }
597
};
598
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
599
#endif /* MBEDTLS_AES_C */
600

601
#if defined(MBEDTLS_DES_C)
602
/* Truncation point of message for 3DES CMAC tests  */
603
static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
604
    0,
605
    16,
606
    20,
607
    32
608
};
609

610
/* CMAC-TDES (Generation) - 2 Key Test Data */
611
static const unsigned char des3_2key_key[24] = {
612
    /* Key1 */
613
    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
614
    /* Key2 */
615
    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
616
    /* Key3 */
617
    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
618
};
619
static const unsigned char des3_2key_subkeys[2][8] = {
620
    {
621
        /* K1 */
622
        0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
623
    },
624
    {
625
        /* K2 */
626
        0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
627
    }
628
};
629
static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
630
    = {
631
    {
632
        /* Sample #1 */
633
        0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
634
    },
635
    {
636
        /* Sample #2 */
637
        0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
638
    },
639
    {
640
        /* Sample #3 */
641
        0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
642
    },
643
    {
644
        /* Sample #4 */
645
        0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
646
    }
647
    };
648

649
/* CMAC-TDES (Generation) - 3 Key Test Data */
650
static const unsigned char des3_3key_key[24] = {
651
    /* Key1 */
652
    0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
653
    /* Key2 */
654
    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
655
    /* Key3 */
656
    0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
657
};
658
static const unsigned char des3_3key_subkeys[2][8] = {
659
    {
660
        /* K1 */
661
        0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
662
    },
663
    {
664
        /* K2 */
665
        0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
666
    }
667
};
668
static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
669
    = {
670
    {
671
        /* Sample #1 */
672
        0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
673
    },
674
    {
675
        /* Sample #2 */
676
        0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
677
    },
678
    {
679
        /* Sample #3 */
680
        0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
681
    },
682
    {
683
        /* Sample #4 */
684
        0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
685
    }
686
    };
687

688
#endif /* MBEDTLS_DES_C */
689

690
#if defined(MBEDTLS_AES_C)
691
/* AES AES-CMAC-PRF-128 Test Data */
692
static const unsigned char PRFK[] = {
693
    /* Key */
694
    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
695
    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
696
    0xed, 0xcb
697
};
698

699
/* Sizes in bytes */
700
static const size_t PRFKlen[NB_PRF_TESTS] = {
701
    18,
702
    16,
703
    10
704
};
705

706
/* Message */
707
static const unsigned char PRFM[] = {
708
    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
709
    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
710
    0x10, 0x11, 0x12, 0x13
711
};
712

713
static const unsigned char PRFT[NB_PRF_TESTS][16] = {
714
    {
715
        0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
716
        0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
717
    },
718
    {
719
        0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
720
        0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
721
    },
722
    {
723
        0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
724
        0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
725
    }
726
};
727
#endif /* MBEDTLS_AES_C */
728

729
static int cmac_test_subkeys(int verbose,
730
                             const char *testname,
731
                             const unsigned char *key,
732
                             int keybits,
733
                             const unsigned char *subkeys,
734
                             mbedtls_cipher_type_t cipher_type,
735
                             int block_size,
736
                             int num_tests)
737
{
738
    int i, ret = 0;
739
    mbedtls_cipher_context_t ctx;
740
    const mbedtls_cipher_info_t *cipher_info;
741
    unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
742
    unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
743

744
    cipher_info = mbedtls_cipher_info_from_type(cipher_type);
745
    if (cipher_info == NULL) {
746
        /* Failing at this point must be due to a build issue */
747
        return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
748
    }
749

750
    for (i = 0; i < num_tests; i++) {
751
        if (verbose != 0) {
752
            mbedtls_printf("  %s CMAC subkey #%d: ", testname, i + 1);
753
        }
754

755
        mbedtls_cipher_init(&ctx);
756

757
        if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
758
            if (verbose != 0) {
759
                mbedtls_printf("test execution failed\n");
760
            }
761

762
            goto cleanup;
763
        }
764

765
        if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
766
                                         MBEDTLS_ENCRYPT)) != 0) {
767
            /* When CMAC is implemented by an alternative implementation, or
768
             * the underlying primitive itself is implemented alternatively,
769
             * AES-192 may be unavailable. This should not cause the selftest
770
             * function to fail. */
771
            if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
772
                 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
773
                cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
774
                if (verbose != 0) {
775
                    mbedtls_printf("skipped\n");
776
                }
777
                goto next_test;
778
            }
779

780
            if (verbose != 0) {
781
                mbedtls_printf("test execution failed\n");
782
            }
783

784
            goto cleanup;
785
        }
786

787
        ret = cmac_generate_subkeys(&ctx, K1, K2);
788
        if (ret != 0) {
789
            if (verbose != 0) {
790
                mbedtls_printf("failed\n");
791
            }
792

793
            goto cleanup;
794
        }
795

796
        if ((ret = memcmp(K1, subkeys, block_size)) != 0  ||
797
            (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
798
            if (verbose != 0) {
799
                mbedtls_printf("failed\n");
800
            }
801

802
            goto cleanup;
803
        }
804

805
        if (verbose != 0) {
806
            mbedtls_printf("passed\n");
807
        }
808

809
next_test:
810
        mbedtls_cipher_free(&ctx);
811
    }
812

813
    ret = 0;
814
    goto exit;
815

816
cleanup:
817
    mbedtls_cipher_free(&ctx);
818

819
exit:
820
    return ret;
821
}
822

823
static int cmac_test_wth_cipher(int verbose,
824
                                const char *testname,
825
                                const unsigned char *key,
826
                                int keybits,
827
                                const unsigned char *messages,
828
                                const unsigned int message_lengths[4],
829
                                const unsigned char *expected_result,
830
                                mbedtls_cipher_type_t cipher_type,
831
                                int block_size,
832
                                int num_tests)
833
{
834
    const mbedtls_cipher_info_t *cipher_info;
835
    int i, ret = 0;
836
    unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
837

838
    cipher_info = mbedtls_cipher_info_from_type(cipher_type);
839
    if (cipher_info == NULL) {
840
        /* Failing at this point must be due to a build issue */
841
        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
842
        goto exit;
843
    }
844

845
    for (i = 0; i < num_tests; i++) {
846
        if (verbose != 0) {
847
            mbedtls_printf("  %s CMAC #%d: ", testname, i + 1);
848
        }
849

850
        if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
851
                                       message_lengths[i], output)) != 0) {
852
            /* When CMAC is implemented by an alternative implementation, or
853
             * the underlying primitive itself is implemented alternatively,
854
             * AES-192 and/or 3DES may be unavailable. This should not cause
855
             * the selftest function to fail. */
856
            if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
857
                 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
858
                (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
859
                 cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
860
                if (verbose != 0) {
861
                    mbedtls_printf("skipped\n");
862
                }
863
                continue;
864
            }
865

866
            if (verbose != 0) {
867
                mbedtls_printf("failed\n");
868
            }
869
            goto exit;
870
        }
871

872
        if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
873
            if (verbose != 0) {
874
                mbedtls_printf("failed\n");
875
            }
876
            goto exit;
877
        }
878

879
        if (verbose != 0) {
880
            mbedtls_printf("passed\n");
881
        }
882
    }
883
    ret = 0;
884

885
exit:
886
    return ret;
887
}
888

889
#if defined(MBEDTLS_AES_C)
890
static int test_aes128_cmac_prf(int verbose)
891
{
892
    int i;
893
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
894
    unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
895

896
    for (i = 0; i < NB_PRF_TESTS; i++) {
897
        mbedtls_printf("  AES CMAC 128 PRF #%d: ", i);
898
        ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
899
        if (ret != 0 ||
900
            memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
901

902
            if (verbose != 0) {
903
                mbedtls_printf("failed\n");
904
            }
905

906
            return ret;
907
        } else if (verbose != 0) {
908
            mbedtls_printf("passed\n");
909
        }
910
    }
911
    return ret;
912
}
913
#endif /* MBEDTLS_AES_C */
914

915
int mbedtls_cmac_self_test(int verbose)
916
{
917
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
918

919
#if defined(MBEDTLS_AES_C)
920
    /* AES-128 */
921
    if ((ret = cmac_test_subkeys(verbose,
922
                                 "AES 128",
923
                                 aes_128_key,
924
                                 128,
925
                                 (const unsigned char *) aes_128_subkeys,
926
                                 MBEDTLS_CIPHER_AES_128_ECB,
927
                                 MBEDTLS_AES_BLOCK_SIZE,
928
                                 NB_CMAC_TESTS_PER_KEY)) != 0) {
929
        return ret;
930
    }
931

932
    if ((ret = cmac_test_wth_cipher(verbose,
933
                                    "AES 128",
934
                                    aes_128_key,
935
                                    128,
936
                                    test_message,
937
                                    aes_message_lengths,
938
                                    (const unsigned char *) aes_128_expected_result,
939
                                    MBEDTLS_CIPHER_AES_128_ECB,
940
                                    MBEDTLS_AES_BLOCK_SIZE,
941
                                    NB_CMAC_TESTS_PER_KEY)) != 0) {
942
        return ret;
943
    }
944

945
    /* AES-192 */
946
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
947
    if ((ret = cmac_test_subkeys(verbose,
948
                                 "AES 192",
949
                                 aes_192_key,
950
                                 192,
951
                                 (const unsigned char *) aes_192_subkeys,
952
                                 MBEDTLS_CIPHER_AES_192_ECB,
953
                                 MBEDTLS_AES_BLOCK_SIZE,
954
                                 NB_CMAC_TESTS_PER_KEY)) != 0) {
955
        return ret;
956
    }
957

958
    if ((ret = cmac_test_wth_cipher(verbose,
959
                                    "AES 192",
960
                                    aes_192_key,
961
                                    192,
962
                                    test_message,
963
                                    aes_message_lengths,
964
                                    (const unsigned char *) aes_192_expected_result,
965
                                    MBEDTLS_CIPHER_AES_192_ECB,
966
                                    MBEDTLS_AES_BLOCK_SIZE,
967
                                    NB_CMAC_TESTS_PER_KEY)) != 0) {
968
        return ret;
969
    }
970
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
971

972
    /* AES-256 */
973
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
974
    if ((ret = cmac_test_subkeys(verbose,
975
                                 "AES 256",
976
                                 aes_256_key,
977
                                 256,
978
                                 (const unsigned char *) aes_256_subkeys,
979
                                 MBEDTLS_CIPHER_AES_256_ECB,
980
                                 MBEDTLS_AES_BLOCK_SIZE,
981
                                 NB_CMAC_TESTS_PER_KEY)) != 0) {
982
        return ret;
983
    }
984

985
    if ((ret = cmac_test_wth_cipher(verbose,
986
                                    "AES 256",
987
                                    aes_256_key,
988
                                    256,
989
                                    test_message,
990
                                    aes_message_lengths,
991
                                    (const unsigned char *) aes_256_expected_result,
992
                                    MBEDTLS_CIPHER_AES_256_ECB,
993
                                    MBEDTLS_AES_BLOCK_SIZE,
994
                                    NB_CMAC_TESTS_PER_KEY)) != 0) {
995
        return ret;
996
    }
997
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
998
#endif /* MBEDTLS_AES_C */
999

1000
#if defined(MBEDTLS_DES_C)
1001
    /* 3DES 2 key */
1002
    if ((ret = cmac_test_subkeys(verbose,
1003
                                 "3DES 2 key",
1004
                                 des3_2key_key,
1005
                                 192,
1006
                                 (const unsigned char *) des3_2key_subkeys,
1007
                                 MBEDTLS_CIPHER_DES_EDE3_ECB,
1008
                                 MBEDTLS_DES3_BLOCK_SIZE,
1009
                                 NB_CMAC_TESTS_PER_KEY)) != 0) {
1010
        return ret;
1011
    }
1012

1013
    if ((ret = cmac_test_wth_cipher(verbose,
1014
                                    "3DES 2 key",
1015
                                    des3_2key_key,
1016
                                    192,
1017
                                    test_message,
1018
                                    des3_message_lengths,
1019
                                    (const unsigned char *) des3_2key_expected_result,
1020
                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
1021
                                    MBEDTLS_DES3_BLOCK_SIZE,
1022
                                    NB_CMAC_TESTS_PER_KEY)) != 0) {
1023
        return ret;
1024
    }
1025

1026
    /* 3DES 3 key */
1027
    if ((ret = cmac_test_subkeys(verbose,
1028
                                 "3DES 3 key",
1029
                                 des3_3key_key,
1030
                                 192,
1031
                                 (const unsigned char *) des3_3key_subkeys,
1032
                                 MBEDTLS_CIPHER_DES_EDE3_ECB,
1033
                                 MBEDTLS_DES3_BLOCK_SIZE,
1034
                                 NB_CMAC_TESTS_PER_KEY)) != 0) {
1035
        return ret;
1036
    }
1037

1038
    if ((ret = cmac_test_wth_cipher(verbose,
1039
                                    "3DES 3 key",
1040
                                    des3_3key_key,
1041
                                    192,
1042
                                    test_message,
1043
                                    des3_message_lengths,
1044
                                    (const unsigned char *) des3_3key_expected_result,
1045
                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
1046
                                    MBEDTLS_DES3_BLOCK_SIZE,
1047
                                    NB_CMAC_TESTS_PER_KEY)) != 0) {
1048
        return ret;
1049
    }
1050
#endif /* MBEDTLS_DES_C */
1051

1052
#if defined(MBEDTLS_AES_C)
1053
    if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
1054
        return ret;
1055
    }
1056
#endif /* MBEDTLS_AES_C */
1057

1058
    if (verbose != 0) {
1059
        mbedtls_printf("\n");
1060
    }
1061

1062
    return 0;
1063
}
1064

1065
#endif /* MBEDTLS_SELF_TEST */
1066

1067
#endif /* MBEDTLS_CMAC_C */
1068

1069
Product

Resources

Company
