search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / common / mbedtls / cmac.c
blob32a5937b07818a3e6715a09647071ec0734b2b1f
1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22 /*
23 * References:
24 *
25 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
26 * CMAC Mode for Authentication
27 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
28 *
29 * - RFC 4493 - The AES-CMAC Algorithm
30 * https://tools.ietf.org/html/rfc4493
31 *
32 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
33 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
34 * Algorithm for the Internet Key Exchange Protocol (IKE)
35 * https://tools.ietf.org/html/rfc4615
36 *
37 * Additional test vectors: ISO/IEC 9797-1
38 *
39 */
40
41 #include "common.h"
42
43 #if defined(MBEDTLS_CMAC_C)
44
45 #include "mbedtls/cmac.h"
46 #include "mbedtls/platform_util.h"
47 #include "mbedtls/error.h"
48 #include "mbedtls/platform.h"
49
50 #include <string.h>
51
52 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
53
54 /*
55 * Multiplication by u in the Galois field of GF(2^n)
56 *
57 * As explained in NIST SP 800-38B, this can be computed:
58 *
59 * If MSB(p) = 0, then p = (p << 1)
60 * If MSB(p) = 1, then p = (p << 1) ^ R_n
61 * with R_64 = 0x1B and R_128 = 0x87
62 *
63 * Input and output MUST NOT point to the same buffer
64 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
65 */
66 static int cmac_multiply_by_u(unsigned char *output,
67 const unsigned char *input,
68 size_t blocksize) {
69 const unsigned char R_128 = 0x87;
70 const unsigned char R_64 = 0x1B;
71 unsigned char R_n, mask;
72 unsigned char overflow = 0x00;
73 int i;
74
75 if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
76 R_n = R_128;
77 } else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
78 R_n = R_64;
79 } else {
80 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
81 }
82
83 for (i = (int)blocksize - 1; i >= 0; i--) {
84 output[i] = input[i] << 1 | overflow;
85 overflow = input[i] >> 7;
86 }
87
88 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
89 * using bit operations to avoid branches */
90
91 /* MSVC has a warning about unary minus on unsigned, but this is
92 * well-defined and precisely what we want to do here */
93 #if defined(_MSC_VER)
94 #pragma warning( push )
95 #pragma warning( disable : 4146 )
96 #endif
97 mask = - (input[0] >> 7);
98 #if defined(_MSC_VER)
99 #pragma warning( pop )
100 #endif
101
102 output[ blocksize - 1 ] ^= R_n & mask;
103
104 return (0);
105 }
106
107 /*
108 * Generate subkeys
109 *
110 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
111 */
112 static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
113 unsigned char *K1, unsigned char *K2) {
114 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
115 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
116 size_t olen, block_size;
117
118 mbedtls_platform_zeroize(L, sizeof(L));
119
120 block_size = ctx->cipher_info->block_size;
121
122 /* Calculate Ek(0) */
123 if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0)
124 goto exit;
125
126 /*
127 * Generate K1 and K2
128 */
129 if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0)
130 goto exit;
131
132 if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0)
133 goto exit;
134
135 exit:
136 mbedtls_platform_zeroize(L, sizeof(L));
137
138 return (ret);
139 }
140 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
141
142 #if !defined(MBEDTLS_CMAC_ALT)
143 static void cmac_xor_block(unsigned char *output, const unsigned char *input1,
144 const unsigned char *input2,
145 const size_t block_size) {
146 size_t idx;
147
148 for (idx = 0; idx < block_size; idx++)
149 output[ idx ] = input1[ idx ] ^ input2[ idx ];
150 }
151
152 /*
153 * Create padded last block from (partial) last block.
154 *
155 * We can't use the padding option from the cipher layer, as it only works for
156 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
157 */
158 static void cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
159 size_t padded_block_len,
160 const unsigned char *last_block,
161 size_t last_block_len) {
162 size_t j;
163
164 for (j = 0; j < padded_block_len; j++) {
165 if (j < last_block_len)
166 padded_block[j] = last_block[j];
167 else if (j == last_block_len)
168 padded_block[j] = 0x80;
169 else
170 padded_block[j] = 0x00;
171 }
172 }
173
174 int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
175 const unsigned char *key, size_t keybits) {
176 mbedtls_cipher_type_t type;
177 mbedtls_cmac_context_t *cmac_ctx;
178 int retval;
179
180 if (ctx == NULL || ctx->cipher_info == NULL || key == NULL)
181 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
182
183 if ((retval = mbedtls_cipher_setkey(ctx, key, (int)keybits,
184 MBEDTLS_ENCRYPT)) != 0)
185 return (retval);
186
187 type = ctx->cipher_info->type;
188
189 switch (type) {
190 case MBEDTLS_CIPHER_AES_128_ECB:
191 case MBEDTLS_CIPHER_AES_192_ECB:
192 case MBEDTLS_CIPHER_AES_256_ECB:
193 case MBEDTLS_CIPHER_DES_EDE3_ECB:
194 break;
195 default:
196 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
197 }
198
199 /* Allocated and initialise in the cipher context memory for the CMAC
200 * context */
201 cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
202 if (cmac_ctx == NULL)
203 return (MBEDTLS_ERR_CIPHER_ALLOC_FAILED);
204
205 ctx->cmac_ctx = cmac_ctx;
206
207 mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
208
209 return 0;
210 }
211
212 int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
213 const unsigned char *input, size_t ilen) {
214 mbedtls_cmac_context_t *cmac_ctx;
215 unsigned char *state;
216 int ret = 0;
217 size_t n, j, olen, block_size;
218
219 if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
220 ctx->cmac_ctx == NULL)
221 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
222
223 cmac_ctx = ctx->cmac_ctx;
224 block_size = ctx->cipher_info->block_size;
225 state = ctx->cmac_ctx->state;
226
227 /* Is there data still to process from the last call, that's greater in
228 * size than a block? */
229 if (cmac_ctx->unprocessed_len > 0 &&
230 ilen > block_size - cmac_ctx->unprocessed_len) {
231 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
232 input,
233 block_size - cmac_ctx->unprocessed_len);
234
235 cmac_xor_block(state, cmac_ctx->unprocessed_block, state, block_size);
236
237 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
238 &olen)) != 0) {
239 goto exit;
240 }
241
242 input += block_size - cmac_ctx->unprocessed_len;
243 ilen -= block_size - cmac_ctx->unprocessed_len;
244 cmac_ctx->unprocessed_len = 0;
245 }
246
247 /* n is the number of blocks including any final partial block */
248 n = (ilen + block_size - 1) / block_size;
249
250 /* Iterate across the input data in block sized chunks, excluding any
251 * final partial or complete block */
252 for (j = 1; j < n; j++) {
253 cmac_xor_block(state, input, state, block_size);
254
255 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
256 &olen)) != 0)
257 goto exit;
258
259 ilen -= block_size;
260 input += block_size;
261 }
262
263 /* If there is data left over that wasn't aligned to a block */
264 if (ilen > 0) {
265 memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
266 input,
267 ilen);
268 cmac_ctx->unprocessed_len += ilen;
269 }
270
271 exit:
272 return (ret);
273 }
274
275 int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
276 unsigned char *output) {
277 mbedtls_cmac_context_t *cmac_ctx;
278 unsigned char *state, *last_block;
279 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
280 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
281 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
282 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
283 size_t olen, block_size;
284
285 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
286 output == NULL)
287 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
288
289 cmac_ctx = ctx->cmac_ctx;
290 block_size = ctx->cipher_info->block_size;
291 state = cmac_ctx->state;
292
293 mbedtls_platform_zeroize(K1, sizeof(K1));
294 mbedtls_platform_zeroize(K2, sizeof(K2));
295 cmac_generate_subkeys(ctx, K1, K2);
296
297 last_block = cmac_ctx->unprocessed_block;
298
299 /* Calculate last block */
300 if (cmac_ctx->unprocessed_len < block_size) {
301 cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
302 cmac_xor_block(M_last, M_last, K2, block_size);
303 } else {
304 /* Last block is complete block */
305 cmac_xor_block(M_last, last_block, K1, block_size);
306 }
307
308
309 cmac_xor_block(state, M_last, state, block_size);
310 if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
311 &olen)) != 0) {
312 goto exit;
313 }
314
315 memcpy(output, state, block_size);
316
317 exit:
318 /* Wipe the generated keys on the stack, and any other transients to avoid
319 * side channel leakage */
320 mbedtls_platform_zeroize(K1, sizeof(K1));
321 mbedtls_platform_zeroize(K2, sizeof(K2));
322
323 cmac_ctx->unprocessed_len = 0;
324 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
325 sizeof(cmac_ctx->unprocessed_block));
326
327 mbedtls_platform_zeroize(state, MBEDTLS_CIPHER_BLKSIZE_MAX);
328 return (ret);
329 }
330
331 int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx) {
332 mbedtls_cmac_context_t *cmac_ctx;
333
334 if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL)
335 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
336
337 cmac_ctx = ctx->cmac_ctx;
338
339 /* Reset the internal state */
340 cmac_ctx->unprocessed_len = 0;
341 mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
342 sizeof(cmac_ctx->unprocessed_block));
343 mbedtls_platform_zeroize(cmac_ctx->state,
344 sizeof(cmac_ctx->state));
345
346 return (0);
347 }
348
349 int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
350 const unsigned char *key, size_t keylen,
351 const unsigned char *input, size_t ilen,
352 unsigned char *output) {
353 mbedtls_cipher_context_t ctx;
354 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
355
356 if (cipher_info == NULL || key == NULL || input == NULL || output == NULL)
357 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
358
359 mbedtls_cipher_init(&ctx);
360
361 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0)
362 goto exit;
363
364 ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
365 if (ret != 0)
366 goto exit;
367
368 ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
369 if (ret != 0)
370 goto exit;
371
372 ret = mbedtls_cipher_cmac_finish(&ctx, output);
373
374 exit:
375 mbedtls_cipher_free(&ctx);
376
377 return (ret);
378 }
379
380 #if defined(MBEDTLS_AES_C)
381 /*
382 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
383 */
384 int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
385 const unsigned char *input, size_t in_len,
386 unsigned char output[16]) {
387 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
388 const mbedtls_cipher_info_t *cipher_info;
389 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
390 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
391
392 if (key == NULL || input == NULL || output == NULL)
393 return (MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA);
394
395 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
396 if (cipher_info == NULL) {
397 /* Failing at this point must be due to a build issue */
398 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
399 goto exit;
400 }
401
402 if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
403 /* Use key as is */
404 memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
405 } else {
406 memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
407
408 ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
409 key_length, int_key);
410 if (ret != 0)
411 goto exit;
412 }
413
414 ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
415 output);
416
417 exit:
418 mbedtls_platform_zeroize(int_key, sizeof(int_key));
419
420 return (ret);
421 }
422 #endif /* MBEDTLS_AES_C */
423
424 #endif /* !MBEDTLS_CMAC_ALT */
425
426 #if defined(MBEDTLS_SELF_TEST)
427 /*
428 * CMAC test data for SP800-38B
429 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
430 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
431 *
432 * AES-CMAC-PRF-128 test data from RFC 4615
433 * https://tools.ietf.org/html/rfc4615#page-4
434 */
435
436 #define NB_CMAC_TESTS_PER_KEY 4
437 #define NB_PRF_TESTS 3
438
439 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
440 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
441 static const unsigned char test_message[] = {
442 /* PT */
443 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
444 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
445 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
446 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
447 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
448 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
449 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
450 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
451 };
452 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
453
454 #if defined(MBEDTLS_AES_C)
455 /* Truncation point of message for AES CMAC tests */
456 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
457 /* Mlen */
458 0,
459 16,
460 20,
461 64
462 };
463
464 /* CMAC-AES128 Test Data */
465 static const unsigned char aes_128_key[16] = {
466 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
467 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
468 };
469 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
470 {
471 /* K1 */
472 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
473 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
474 },
475 {
476 /* K2 */
477 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
478 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
479 }
480 };
481 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
482 {
483 /* Example #1 */
484 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
485 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
486 },
487 {
488 /* Example #2 */
489 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
490 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
491 },
492 {
493 /* Example #3 */
494 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
495 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
496 },
497 {
498 /* Example #4 */
499 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
500 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
501 }
502 };
503
504 /* CMAC-AES192 Test Data */
505 static const unsigned char aes_192_key[24] = {
506 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
507 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
508 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
509 };
510 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
511 {
512 /* K1 */
513 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
514 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
515 },
516 {
517 /* K2 */
518 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
519 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
520 }
521 };
522 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
523 {
524 /* Example #1 */
525 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
526 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
527 },
528 {
529 /* Example #2 */
530 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
531 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
532 },
533 {
534 /* Example #3 */
535 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
536 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
537 },
538 {
539 /* Example #4 */
540 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
541 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
542 }
543 };
544
545 /* CMAC-AES256 Test Data */
546 static const unsigned char aes_256_key[32] = {
547 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
548 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
549 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
550 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
551 };
552 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
553 {
554 /* K1 */
555 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
556 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
557 },
558 {
559 /* K2 */
560 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
561 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
562 }
563 };
564 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
565 {
566 /* Example #1 */
567 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
568 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
569 },
570 {
571 /* Example #2 */
572 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
573 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
574 },
575 {
576 /* Example #3 */
577 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
578 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
579 },
580 {
581 /* Example #4 */
582 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
583 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
584 }
585 };
586 #endif /* MBEDTLS_AES_C */
587
588 #if defined(MBEDTLS_DES_C)
589 /* Truncation point of message for 3DES CMAC tests */
590 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
591 0,
592 16,
593 20,
594 32
595 };
596
597 /* CMAC-TDES (Generation) - 2 Key Test Data */
598 static const unsigned char des3_2key_key[24] = {
599 /* Key1 */
600 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
601 /* Key2 */
602 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
603 /* Key3 */
604 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
605 };
606 static const unsigned char des3_2key_subkeys[2][8] = {
607 {
608 /* K1 */
609 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
610 },
611 {
612 /* K2 */
613 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
614 }
615 };
616 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
617 {
618 /* Sample #1 */
619 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
620 },
621 {
622 /* Sample #2 */
623 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
624 },
625 {
626 /* Sample #3 */
627 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
628 },
629 {
630 /* Sample #4 */
631 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
632 }
633 };
634
635 /* CMAC-TDES (Generation) - 3 Key Test Data */
636 static const unsigned char des3_3key_key[24] = {
637 /* Key1 */
638 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
639 /* Key2 */
640 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
641 /* Key3 */
642 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
643 };
644 static const unsigned char des3_3key_subkeys[2][8] = {
645 {
646 /* K1 */
647 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
648 },
649 {
650 /* K2 */
651 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
652 }
653 };
654 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
655 {
656 /* Sample #1 */
657 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
658 },
659 {
660 /* Sample #2 */
661 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
662 },
663 {
664 /* Sample #3 */
665 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
666 },
667 {
668 /* Sample #4 */
669 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
670 }
671 };
672
673 #endif /* MBEDTLS_DES_C */
674
675 #if defined(MBEDTLS_AES_C)
676 /* AES AES-CMAC-PRF-128 Test Data */
677 static const unsigned char PRFK[] = {
678 /* Key */
679 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
680 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
681 0xed, 0xcb
682 };
683
684 /* Sizes in bytes */
685 static const size_t PRFKlen[NB_PRF_TESTS] = {
686 18,
687 16,
688 10
689 };
690
691 /* Message */
692 static const unsigned char PRFM[] = {
693 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
694 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
695 0x10, 0x11, 0x12, 0x13
696 };
697
698 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
699 {
700 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
701 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
702 },
703 {
704 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
705 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
706 },
707 {
708 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
709 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
710 }
711 };
712 #endif /* MBEDTLS_AES_C */
713
714 static int cmac_test_subkeys(int verbose,
715 const char *testname,
716 const unsigned char *key,
717 int keybits,
718 const unsigned char *subkeys,
719 mbedtls_cipher_type_t cipher_type,
720 int block_size,
721 int num_tests) {
722 int i, ret = 0;
723 mbedtls_cipher_context_t ctx;
724 const mbedtls_cipher_info_t *cipher_info;
725 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
726 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
727
728 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
729 if (cipher_info == NULL) {
730 /* Failing at this point must be due to a build issue */
731 return (MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE);
732 }
733
734 for (i = 0; i < num_tests; i++) {
735 if (verbose != 0)
736 mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
737
738 mbedtls_cipher_init(&ctx);
739
740 if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
741 if (verbose != 0)
742 mbedtls_printf("test execution failed\n");
743
744 goto cleanup;
745 }
746
747 if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
748 MBEDTLS_ENCRYPT)) != 0) {
749 /* When CMAC is implemented by an alternative implementation, or
750 * the underlying primitive itself is implemented alternatively,
751 * AES-192 may be unavailable. This should not cause the selftest
752 * function to fail. */
753 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
754 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
755 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
756 if (verbose != 0)
757 mbedtls_printf("skipped\n");
758 goto next_test;
759 }
760
761 if (verbose != 0)
762 mbedtls_printf("test execution failed\n");
763
764 goto cleanup;
765 }
766
767 ret = cmac_generate_subkeys(&ctx, K1, K2);
768 if (ret != 0) {
769 if (verbose != 0)
770 mbedtls_printf("failed\n");
771
772 goto cleanup;
773 }
774
775 if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
776 (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
777 if (verbose != 0)
778 mbedtls_printf("failed\n");
779
780 goto cleanup;
781 }
782
783 if (verbose != 0)
784 mbedtls_printf("passed\n");
785
786 next_test:
787 mbedtls_cipher_free(&ctx);
788 }
789
790 ret = 0;
791 goto exit;
792
793 cleanup:
794 mbedtls_cipher_free(&ctx);
795
796 exit:
797 return (ret);
798 }
799
800 static int cmac_test_wth_cipher(int verbose,
801 const char *testname,
802 const unsigned char *key,
803 int keybits,
804 const unsigned char *messages,
805 const unsigned int message_lengths[4],
806 const unsigned char *expected_result,
807 mbedtls_cipher_type_t cipher_type,
808 int block_size,
809 int num_tests) {
810 const mbedtls_cipher_info_t *cipher_info;
811 int i, ret = 0;
812 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
813
814 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
815 if (cipher_info == NULL) {
816 /* Failing at this point must be due to a build issue */
817 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
818 goto exit;
819 }
820
821 for (i = 0; i < num_tests; i++) {
822 if (verbose != 0)
823 mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
824
825 if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
826 message_lengths[i], output)) != 0) {
827 /* When CMAC is implemented by an alternative implementation, or
828 * the underlying primitive itself is implemented alternatively,
829 * AES-192 may be unavailable. This should not cause the selftest
830 * function to fail. */
831 if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
832 ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
833 cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
834 if (verbose != 0)
835 mbedtls_printf("skipped\n");
836 continue;
837 }
838
839 if (verbose != 0)
840 mbedtls_printf("failed\n");
841 goto exit;
842 }
843
844 if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
845 if (verbose != 0)
846 mbedtls_printf("failed\n");
847 goto exit;
848 }
849
850 if (verbose != 0)
851 mbedtls_printf("passed\n");
852 }
853 ret = 0;
854
855 exit:
856 return (ret);
857 }
858
859 #if defined(MBEDTLS_AES_C)
860 static int test_aes128_cmac_prf(int verbose) {
861 int i;
862 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
863 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
864
865 for (i = 0; i < NB_PRF_TESTS; i++) {
866 mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
867 ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
868 if (ret != 0 ||
869 memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
870
871 if (verbose != 0)
872 mbedtls_printf("failed\n");
873
874 return (ret);
875 } else if (verbose != 0) {
876 mbedtls_printf("passed\n");
877 }
878 }
879 return (ret);
880 }
881 #endif /* MBEDTLS_AES_C */
882
883 int mbedtls_cmac_self_test(int verbose) {
884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
885
886 #if defined(MBEDTLS_AES_C)
887 /* AES-128 */
888 if ((ret = cmac_test_subkeys(verbose,
889 "AES 128",
890 aes_128_key,
891 128,
892 (const unsigned char *)aes_128_subkeys,
893 MBEDTLS_CIPHER_AES_128_ECB,
894 MBEDTLS_AES_BLOCK_SIZE,
895 NB_CMAC_TESTS_PER_KEY)) != 0) {
896 return (ret);
897 }
898
899 if ((ret = cmac_test_wth_cipher(verbose,
900 "AES 128",
901 aes_128_key,
902 128,
903 test_message,
904 aes_message_lengths,
905 (const unsigned char *)aes_128_expected_result,
906 MBEDTLS_CIPHER_AES_128_ECB,
907 MBEDTLS_AES_BLOCK_SIZE,
908 NB_CMAC_TESTS_PER_KEY)) != 0) {
909 return (ret);
910 }
911
912 /* AES-192 */
913 if ((ret = cmac_test_subkeys(verbose,
914 "AES 192",
915 aes_192_key,
916 192,
917 (const unsigned char *)aes_192_subkeys,
918 MBEDTLS_CIPHER_AES_192_ECB,
919 MBEDTLS_AES_BLOCK_SIZE,
920 NB_CMAC_TESTS_PER_KEY)) != 0) {
921 return (ret);
922 }
923
924 if ((ret = cmac_test_wth_cipher(verbose,
925 "AES 192",
926 aes_192_key,
927 192,
928 test_message,
929 aes_message_lengths,
930 (const unsigned char *)aes_192_expected_result,
931 MBEDTLS_CIPHER_AES_192_ECB,
932 MBEDTLS_AES_BLOCK_SIZE,
933 NB_CMAC_TESTS_PER_KEY)) != 0) {
934 return (ret);
935 }
936
937 /* AES-256 */
938 if ((ret = cmac_test_subkeys(verbose,
939 "AES 256",
940 aes_256_key,
941 256,
942 (const unsigned char *)aes_256_subkeys,
943 MBEDTLS_CIPHER_AES_256_ECB,
944 MBEDTLS_AES_BLOCK_SIZE,
945 NB_CMAC_TESTS_PER_KEY)) != 0) {
946 return (ret);
947 }
948
949 if ((ret = cmac_test_wth_cipher(verbose,
950 "AES 256",
951 aes_256_key,
952 256,
953 test_message,
954 aes_message_lengths,
955 (const unsigned char *)aes_256_expected_result,
956 MBEDTLS_CIPHER_AES_256_ECB,
957 MBEDTLS_AES_BLOCK_SIZE,
958 NB_CMAC_TESTS_PER_KEY)) != 0) {
959 return (ret);
960 }
961 #endif /* MBEDTLS_AES_C */
962
963 #if defined(MBEDTLS_DES_C)
964 /* 3DES 2 key */
965 if ((ret = cmac_test_subkeys(verbose,
966 "3DES 2 key",
967 des3_2key_key,
968 192,
969 (const unsigned char *)des3_2key_subkeys,
970 MBEDTLS_CIPHER_DES_EDE3_ECB,
971 MBEDTLS_DES3_BLOCK_SIZE,
972 NB_CMAC_TESTS_PER_KEY)) != 0) {
973 return (ret);
974 }
975
976 if ((ret = cmac_test_wth_cipher(verbose,
977 "3DES 2 key",
978 des3_2key_key,
979 192,
980 test_message,
981 des3_message_lengths,
982 (const unsigned char *)des3_2key_expected_result,
983 MBEDTLS_CIPHER_DES_EDE3_ECB,
984 MBEDTLS_DES3_BLOCK_SIZE,
985 NB_CMAC_TESTS_PER_KEY)) != 0) {
986 return (ret);
987 }
988
989 /* 3DES 3 key */
990 if ((ret = cmac_test_subkeys(verbose,
991 "3DES 3 key",
992 des3_3key_key,
993 192,
994 (const unsigned char *)des3_3key_subkeys,
995 MBEDTLS_CIPHER_DES_EDE3_ECB,
996 MBEDTLS_DES3_BLOCK_SIZE,
997 NB_CMAC_TESTS_PER_KEY)) != 0) {
998 return (ret);
999 }
1000
1001 if ((ret = cmac_test_wth_cipher(verbose,
1002 "3DES 3 key",
1003 des3_3key_key,
1004 192,
1005 test_message,
1006 des3_message_lengths,
1007 (const unsigned char *)des3_3key_expected_result,
1008 MBEDTLS_CIPHER_DES_EDE3_ECB,
1009 MBEDTLS_DES3_BLOCK_SIZE,
1010 NB_CMAC_TESTS_PER_KEY)) != 0) {
1011 return (ret);
1012 }
1013 #endif /* MBEDTLS_DES_C */
1014
1015 #if defined(MBEDTLS_AES_C)
1016 if ((ret = test_aes128_cmac_prf(verbose)) != 0)
1017 return (ret);
1018 #endif /* MBEDTLS_AES_C */
1019
1020 if (verbose != 0)
1021 mbedtls_printf("\n");
1022
1023 return (0);
1024 }
1025
1026 #endif /* MBEDTLS_SELF_TEST */
1027
1028 #endif /* MBEDTLS_CMAC_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware