Cleanup armsrc/string.c and string.h (#964)
[legacy-proxmark3.git] / common / mbedtls / cmac.c
blobdb4a71d7212f914d9e0cfa689d76e2ce1a4fc532
1 /**
2 * \file cmac.c
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: GPL-2.0
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 * This file is part of mbed TLS (https://tls.mbed.org)
27 * References:
29 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
30 * CMAC Mode for Authentication
31 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
33 * - RFC 4493 - The AES-CMAC Algorithm
34 * https://tools.ietf.org/html/rfc4493
36 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
37 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
38 * Algorithm for the Internet Key Exchange Protocol (IKE)
39 * https://tools.ietf.org/html/rfc4615
41 * Additional test vectors: ISO/IEC 9797-1
45 #if !defined(MBEDTLS_CONFIG_FILE)
46 #include "mbedtls/config.h"
47 #else
48 #include MBEDTLS_CONFIG_FILE
49 #endif
51 #if defined(MBEDTLS_CMAC_C)
53 #include "mbedtls/cmac.h"
54 #include "mbedtls/platform_util.h"
56 #include <string.h>
59 #if defined(MBEDTLS_PLATFORM_C)
60 #include "mbedtls/platform.h"
61 #else
62 #include <stdlib.h>
63 #define mbedtls_calloc calloc
64 #define mbedtls_free free
65 #if defined(MBEDTLS_SELF_TEST)
66 #include <stdio.h>
67 #define mbedtls_printf printf
68 #endif /* MBEDTLS_SELF_TEST */
69 #endif /* MBEDTLS_PLATFORM_C */
71 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
74 * Multiplication by u in the Galois field of GF(2^n)
76 * As explained in NIST SP 800-38B, this can be computed:
78 * If MSB(p) = 0, then p = (p << 1)
79 * If MSB(p) = 1, then p = (p << 1) ^ R_n
80 * with R_64 = 0x1B and R_128 = 0x87
82 * Input and output MUST NOT point to the same buffer
83 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
85 static int cmac_multiply_by_u( unsigned char *output,
86 const unsigned char *input,
87 size_t blocksize )
89 const unsigned char R_128 = 0x87;
90 const unsigned char R_64 = 0x1B;
91 unsigned char R_n, mask;
92 unsigned char overflow = 0x00;
93 int i;
95 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
97 R_n = R_128;
99 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
101 R_n = R_64;
103 else
105 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
108 for( i = (int)blocksize - 1; i >= 0; i-- )
110 output[i] = input[i] << 1 | overflow;
111 overflow = input[i] >> 7;
114 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
115 * using bit operations to avoid branches */
117 /* MSVC has a warning about unary minus on unsigned, but this is
118 * well-defined and precisely what we want to do here */
119 #if defined(_MSC_VER)
120 #pragma warning( push )
121 #pragma warning( disable : 4146 )
122 #endif
123 mask = - ( input[0] >> 7 );
124 #if defined(_MSC_VER)
125 #pragma warning( pop )
126 #endif
128 output[ blocksize - 1 ] ^= R_n & mask;
130 return( 0 );
134 * Generate subkeys
136 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
138 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
139 unsigned char* K1, unsigned char* K2 )
141 int ret;
142 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
143 size_t olen, block_size;
145 mbedtls_platform_zeroize( L, sizeof( L ) );
147 block_size = ctx->cipher_info->block_size;
149 /* Calculate Ek(0) */
150 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
151 goto exit;
154 * Generate K1 and K2
156 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
157 goto exit;
159 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
160 goto exit;
162 exit:
163 mbedtls_platform_zeroize( L, sizeof( L ) );
165 return( ret );
167 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
169 #if !defined(MBEDTLS_CMAC_ALT)
170 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
171 const unsigned char *input2,
172 const size_t block_size )
174 size_t idx;
176 for( idx = 0; idx < block_size; idx++ )
177 output[ idx ] = input1[ idx ] ^ input2[ idx ];
181 * Create padded last block from (partial) last block.
183 * We can't use the padding option from the cipher layer, as it only works for
184 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
186 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
187 size_t padded_block_len,
188 const unsigned char *last_block,
189 size_t last_block_len )
191 size_t j;
193 for( j = 0; j < padded_block_len; j++ )
195 if( j < last_block_len )
196 padded_block[j] = last_block[j];
197 else if( j == last_block_len )
198 padded_block[j] = 0x80;
199 else
200 padded_block[j] = 0x00;
204 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
205 const unsigned char *key, size_t keybits )
207 mbedtls_cipher_type_t type;
208 mbedtls_cmac_context_t *cmac_ctx;
209 int retval;
211 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
212 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
214 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
215 MBEDTLS_ENCRYPT ) ) != 0 )
216 return( retval );
218 type = ctx->cipher_info->type;
220 switch( type )
222 case MBEDTLS_CIPHER_AES_128_ECB:
223 case MBEDTLS_CIPHER_AES_192_ECB:
224 case MBEDTLS_CIPHER_AES_256_ECB:
225 case MBEDTLS_CIPHER_DES_EDE3_ECB:
226 break;
227 default:
228 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
231 /* Allocated and initialise in the cipher context memory for the CMAC
232 * context */
233 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
234 if( cmac_ctx == NULL )
235 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
237 ctx->cmac_ctx = cmac_ctx;
239 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
241 return 0;
244 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
245 const unsigned char *input, size_t ilen )
247 mbedtls_cmac_context_t* cmac_ctx;
248 unsigned char *state;
249 int ret = 0;
250 size_t n, j, olen, block_size;
252 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
253 ctx->cmac_ctx == NULL )
254 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
256 cmac_ctx = ctx->cmac_ctx;
257 block_size = ctx->cipher_info->block_size;
258 state = ctx->cmac_ctx->state;
260 /* Is there data still to process from the last call, that's greater in
261 * size than a block? */
262 if( cmac_ctx->unprocessed_len > 0 &&
263 ilen > block_size - cmac_ctx->unprocessed_len )
265 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
266 input,
267 block_size - cmac_ctx->unprocessed_len );
269 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
271 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
272 &olen ) ) != 0 )
274 goto exit;
277 input += block_size - cmac_ctx->unprocessed_len;
278 ilen -= block_size - cmac_ctx->unprocessed_len;
279 cmac_ctx->unprocessed_len = 0;
282 /* n is the number of blocks including any final partial block */
283 n = ( ilen + block_size - 1 ) / block_size;
285 /* Iterate across the input data in block sized chunks, excluding any
286 * final partial or complete block */
287 for( j = 1; j < n; j++ )
289 cmac_xor_block( state, input, state, block_size );
291 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
292 &olen ) ) != 0 )
293 goto exit;
295 ilen -= block_size;
296 input += block_size;
299 /* If there is data left over that wasn't aligned to a block */
300 if( ilen > 0 )
302 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
303 input,
304 ilen );
305 cmac_ctx->unprocessed_len += ilen;
308 exit:
309 return( ret );
312 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
313 unsigned char *output )
315 mbedtls_cmac_context_t* cmac_ctx;
316 unsigned char *state, *last_block;
317 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
318 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
319 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
320 int ret;
321 size_t olen, block_size;
323 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
324 output == NULL )
325 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
327 cmac_ctx = ctx->cmac_ctx;
328 block_size = ctx->cipher_info->block_size;
329 state = cmac_ctx->state;
331 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
332 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
333 cmac_generate_subkeys( ctx, K1, K2 );
335 last_block = cmac_ctx->unprocessed_block;
337 /* Calculate last block */
338 if( cmac_ctx->unprocessed_len < block_size )
340 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
341 cmac_xor_block( M_last, M_last, K2, block_size );
343 else
345 /* Last block is complete block */
346 cmac_xor_block( M_last, last_block, K1, block_size );
350 cmac_xor_block( state, M_last, state, block_size );
351 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
352 &olen ) ) != 0 )
354 goto exit;
357 memcpy( output, state, block_size );
359 exit:
360 /* Wipe the generated keys on the stack, and any other transients to avoid
361 * side channel leakage */
362 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
363 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
365 cmac_ctx->unprocessed_len = 0;
366 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
367 sizeof( cmac_ctx->unprocessed_block ) );
369 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
370 return( ret );
373 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
375 mbedtls_cmac_context_t* cmac_ctx;
377 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
378 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
380 cmac_ctx = ctx->cmac_ctx;
382 /* Reset the internal state */
383 cmac_ctx->unprocessed_len = 0;
384 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
385 sizeof( cmac_ctx->unprocessed_block ) );
386 mbedtls_platform_zeroize( cmac_ctx->state,
387 sizeof( cmac_ctx->state ) );
389 return( 0 );
392 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
393 const unsigned char *key, size_t keylen,
394 const unsigned char *input, size_t ilen,
395 unsigned char *output )
397 mbedtls_cipher_context_t ctx;
398 int ret;
400 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
401 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
403 mbedtls_cipher_init( &ctx );
405 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
406 goto exit;
408 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
409 if( ret != 0 )
410 goto exit;
412 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
413 if( ret != 0 )
414 goto exit;
416 ret = mbedtls_cipher_cmac_finish( &ctx, output );
418 exit:
419 mbedtls_cipher_free( &ctx );
421 return( ret );
424 #if defined(MBEDTLS_AES_C)
426 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
428 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
429 const unsigned char *input, size_t in_len,
430 unsigned char *output )
432 int ret;
433 const mbedtls_cipher_info_t *cipher_info;
434 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
435 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
437 if( key == NULL || input == NULL || output == NULL )
438 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
440 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
441 if( cipher_info == NULL )
443 /* Failing at this point must be due to a build issue */
444 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
445 goto exit;
448 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
450 /* Use key as is */
451 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
453 else
455 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
457 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
458 key_length, int_key );
459 if( ret != 0 )
460 goto exit;
463 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
464 output );
466 exit:
467 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
469 return( ret );
471 #endif /* MBEDTLS_AES_C */
473 #endif /* !MBEDTLS_CMAC_ALT */
475 #if defined(MBEDTLS_SELF_TEST)
477 * CMAC test data for SP800-38B
478 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
479 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
481 * AES-CMAC-PRF-128 test data from RFC 4615
482 * https://tools.ietf.org/html/rfc4615#page-4
485 #define NB_CMAC_TESTS_PER_KEY 4
486 #define NB_PRF_TESTS 3
488 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
489 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
490 static const unsigned char test_message[] = {
491 /* PT */
492 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
493 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
494 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
495 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
496 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
497 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
498 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
499 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
501 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
503 #if defined(MBEDTLS_AES_C)
504 /* Truncation point of message for AES CMAC tests */
505 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
506 /* Mlen */
513 /* CMAC-AES128 Test Data */
514 static const unsigned char aes_128_key[16] = {
515 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
516 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
518 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
520 /* K1 */
521 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
522 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
525 /* K2 */
526 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
527 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
530 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
532 /* Example #1 */
533 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
534 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
537 /* Example #2 */
538 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
539 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
542 /* Example #3 */
543 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
544 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
547 /* Example #4 */
548 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
549 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
553 /* CMAC-AES192 Test Data */
554 static const unsigned char aes_192_key[24] = {
555 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
556 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
557 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
559 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
561 /* K1 */
562 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
563 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
566 /* K2 */
567 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
568 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
571 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
573 /* Example #1 */
574 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
575 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
578 /* Example #2 */
579 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
580 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
583 /* Example #3 */
584 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
585 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
588 /* Example #4 */
589 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
590 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
594 /* CMAC-AES256 Test Data */
595 static const unsigned char aes_256_key[32] = {
596 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
597 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
598 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
599 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
601 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
603 /* K1 */
604 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
605 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
608 /* K2 */
609 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
610 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
613 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
615 /* Example #1 */
616 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
617 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
620 /* Example #2 */
621 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
622 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
625 /* Example #3 */
626 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
627 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
630 /* Example #4 */
631 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
632 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
635 #endif /* MBEDTLS_AES_C */
637 #if defined(MBEDTLS_DES_C)
638 /* Truncation point of message for 3DES CMAC tests */
639 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
646 /* CMAC-TDES (Generation) - 2 Key Test Data */
647 static const unsigned char des3_2key_key[24] = {
648 /* Key1 */
649 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
650 /* Key2 */
651 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
652 /* Key3 */
653 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
655 static const unsigned char des3_2key_subkeys[2][8] = {
657 /* K1 */
658 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
661 /* K2 */
662 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
665 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
667 /* Sample #1 */
668 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
671 /* Sample #2 */
672 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
675 /* Sample #3 */
676 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
679 /* Sample #4 */
680 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
684 /* CMAC-TDES (Generation) - 3 Key Test Data */
685 static const unsigned char des3_3key_key[24] = {
686 /* Key1 */
687 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
688 /* Key2 */
689 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
690 /* Key3 */
691 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
693 static const unsigned char des3_3key_subkeys[2][8] = {
695 /* K1 */
696 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
699 /* K2 */
700 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
703 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
705 /* Sample #1 */
706 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
709 /* Sample #2 */
710 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
713 /* Sample #3 */
714 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
717 /* Sample #4 */
718 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
722 #endif /* MBEDTLS_DES_C */
724 #if defined(MBEDTLS_AES_C)
725 /* AES AES-CMAC-PRF-128 Test Data */
726 static const unsigned char PRFK[] = {
727 /* Key */
728 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
729 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
730 0xed, 0xcb
733 /* Sizes in bytes */
734 static const size_t PRFKlen[NB_PRF_TESTS] = {
740 /* Message */
741 static const unsigned char PRFM[] = {
742 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
743 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
744 0x10, 0x11, 0x12, 0x13
747 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
749 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
750 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
753 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
754 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
757 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
758 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
761 #endif /* MBEDTLS_AES_C */
763 static int cmac_test_subkeys( int verbose,
764 const char* testname,
765 const unsigned char* key,
766 int keybits,
767 const unsigned char* subkeys,
768 mbedtls_cipher_type_t cipher_type,
769 int block_size,
770 int num_tests )
772 int i, ret = 0;
773 mbedtls_cipher_context_t ctx;
774 const mbedtls_cipher_info_t *cipher_info;
775 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
776 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
778 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
779 if( cipher_info == NULL )
781 /* Failing at this point must be due to a build issue */
782 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
785 for( i = 0; i < num_tests; i++ )
787 if( verbose != 0 )
788 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
790 mbedtls_cipher_init( &ctx );
792 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
794 if( verbose != 0 )
795 mbedtls_printf( "test execution failed\n" );
797 goto cleanup;
800 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
801 MBEDTLS_ENCRYPT ) ) != 0 )
803 if( verbose != 0 )
804 mbedtls_printf( "test execution failed\n" );
806 goto cleanup;
809 ret = cmac_generate_subkeys( &ctx, K1, K2 );
810 if( ret != 0 )
812 if( verbose != 0 )
813 mbedtls_printf( "failed\n" );
815 goto cleanup;
818 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
819 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
821 if( verbose != 0 )
822 mbedtls_printf( "failed\n" );
824 goto cleanup;
827 if( verbose != 0 )
828 mbedtls_printf( "passed\n" );
830 mbedtls_cipher_free( &ctx );
833 ret = 0;
834 goto exit;
836 cleanup:
837 mbedtls_cipher_free( &ctx );
839 exit:
840 return( ret );
843 static int cmac_test_wth_cipher( int verbose,
844 const char* testname,
845 const unsigned char* key,
846 int keybits,
847 const unsigned char* messages,
848 const unsigned int message_lengths[4],
849 const unsigned char* expected_result,
850 mbedtls_cipher_type_t cipher_type,
851 int block_size,
852 int num_tests )
854 const mbedtls_cipher_info_t *cipher_info;
855 int i, ret = 0;
856 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
858 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
859 if( cipher_info == NULL )
861 /* Failing at this point must be due to a build issue */
862 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
863 goto exit;
866 for( i = 0; i < num_tests; i++ )
868 if( verbose != 0 )
869 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
871 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
872 message_lengths[i], output ) ) != 0 )
874 if( verbose != 0 )
875 mbedtls_printf( "failed\n" );
876 goto exit;
879 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
881 if( verbose != 0 )
882 mbedtls_printf( "failed\n" );
883 goto exit;
886 if( verbose != 0 )
887 mbedtls_printf( "passed\n" );
889 ret = 0;
891 exit:
892 return( ret );
895 #if defined(MBEDTLS_AES_C)
896 static int test_aes128_cmac_prf( int verbose )
898 int i;
899 int ret;
900 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
902 for( i = 0; i < NB_PRF_TESTS; i++ )
904 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
905 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
906 if( ret != 0 ||
907 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
910 if( verbose != 0 )
911 mbedtls_printf( "failed\n" );
913 return( ret );
915 else if( verbose != 0 )
917 mbedtls_printf( "passed\n" );
920 return( ret );
922 #endif /* MBEDTLS_AES_C */
924 int mbedtls_cmac_self_test( int verbose )
926 int ret;
928 #if defined(MBEDTLS_AES_C)
929 /* AES-128 */
930 if( ( ret = cmac_test_subkeys( verbose,
931 "AES 128",
932 aes_128_key,
933 128,
934 (const unsigned char*)aes_128_subkeys,
935 MBEDTLS_CIPHER_AES_128_ECB,
936 MBEDTLS_AES_BLOCK_SIZE,
937 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
939 return( ret );
942 if( ( ret = cmac_test_wth_cipher( verbose,
943 "AES 128",
944 aes_128_key,
945 128,
946 test_message,
947 aes_message_lengths,
948 (const unsigned char*)aes_128_expected_result,
949 MBEDTLS_CIPHER_AES_128_ECB,
950 MBEDTLS_AES_BLOCK_SIZE,
951 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
953 return( ret );
956 /* AES-192 */
957 if( ( ret = cmac_test_subkeys( verbose,
958 "AES 192",
959 aes_192_key,
960 192,
961 (const unsigned char*)aes_192_subkeys,
962 MBEDTLS_CIPHER_AES_192_ECB,
963 MBEDTLS_AES_BLOCK_SIZE,
964 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
966 return( ret );
969 if( ( ret = cmac_test_wth_cipher( verbose,
970 "AES 192",
971 aes_192_key,
972 192,
973 test_message,
974 aes_message_lengths,
975 (const unsigned char*)aes_192_expected_result,
976 MBEDTLS_CIPHER_AES_192_ECB,
977 MBEDTLS_AES_BLOCK_SIZE,
978 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
980 return( ret );
983 /* AES-256 */
984 if( ( ret = cmac_test_subkeys( verbose,
985 "AES 256",
986 aes_256_key,
987 256,
988 (const unsigned char*)aes_256_subkeys,
989 MBEDTLS_CIPHER_AES_256_ECB,
990 MBEDTLS_AES_BLOCK_SIZE,
991 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
993 return( ret );
996 if( ( ret = cmac_test_wth_cipher ( verbose,
997 "AES 256",
998 aes_256_key,
999 256,
1000 test_message,
1001 aes_message_lengths,
1002 (const unsigned char*)aes_256_expected_result,
1003 MBEDTLS_CIPHER_AES_256_ECB,
1004 MBEDTLS_AES_BLOCK_SIZE,
1005 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1007 return( ret );
1009 #endif /* MBEDTLS_AES_C */
1011 #if defined(MBEDTLS_DES_C)
1012 /* 3DES 2 key */
1013 if( ( ret = cmac_test_subkeys( verbose,
1014 "3DES 2 key",
1015 des3_2key_key,
1016 192,
1017 (const unsigned char*)des3_2key_subkeys,
1018 MBEDTLS_CIPHER_DES_EDE3_ECB,
1019 MBEDTLS_DES3_BLOCK_SIZE,
1020 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1022 return( ret );
1025 if( ( ret = cmac_test_wth_cipher( verbose,
1026 "3DES 2 key",
1027 des3_2key_key,
1028 192,
1029 test_message,
1030 des3_message_lengths,
1031 (const unsigned char*)des3_2key_expected_result,
1032 MBEDTLS_CIPHER_DES_EDE3_ECB,
1033 MBEDTLS_DES3_BLOCK_SIZE,
1034 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1036 return( ret );
1039 /* 3DES 3 key */
1040 if( ( ret = cmac_test_subkeys( verbose,
1041 "3DES 3 key",
1042 des3_3key_key,
1043 192,
1044 (const unsigned char*)des3_3key_subkeys,
1045 MBEDTLS_CIPHER_DES_EDE3_ECB,
1046 MBEDTLS_DES3_BLOCK_SIZE,
1047 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1049 return( ret );
1052 if( ( ret = cmac_test_wth_cipher( verbose,
1053 "3DES 3 key",
1054 des3_3key_key,
1055 192,
1056 test_message,
1057 des3_message_lengths,
1058 (const unsigned char*)des3_3key_expected_result,
1059 MBEDTLS_CIPHER_DES_EDE3_ECB,
1060 MBEDTLS_DES3_BLOCK_SIZE,
1061 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1063 return( ret );
1065 #endif /* MBEDTLS_DES_C */
1067 #if defined(MBEDTLS_AES_C)
1068 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1069 return( ret );
1070 #endif /* MBEDTLS_AES_C */
1072 if( verbose != 0 )
1073 mbedtls_printf( "\n" );
1075 return( 0 );
1078 #endif /* MBEDTLS_SELF_TEST */
1080 #endif /* MBEDTLS_CMAC_C */