projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[SHELL] IPersistFolder2::GetCurFolder takes a PIDLIST_ABSOLUTE*. CORE-16385
[reactos.git] / dll / 3rdparty / mbedtls / cmac.c
1 /**
2 * \file cmac.c
3 *
4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5 *
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: GPL-2.0
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 *
23 * This file is part of mbed TLS (https://tls.mbed.org)
24 */
25
26 /*
27 * References:
28 *
29 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
30 * CMAC Mode for Authentication
31 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
32 *
33 * - RFC 4493 - The AES-CMAC Algorithm
34 * https://tools.ietf.org/html/rfc4493
35 *
36 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
37 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
38 * Algorithm for the Internet Key Exchange Protocol (IKE)
39 * https://tools.ietf.org/html/rfc4615
40 *
41 * Additional test vectors: ISO/IEC 9797-1
42 *
43 */
44
45 #if !defined(MBEDTLS_CONFIG_FILE)
46 #include "mbedtls/config.h"
47 #else
48 #include MBEDTLS_CONFIG_FILE
49 #endif
50
51 #if defined(MBEDTLS_CMAC_C)
52
53 #include "mbedtls/cmac.h"
54
55 #include <string.h>
56
57
58 #if defined(MBEDTLS_PLATFORM_C)
59 #include "mbedtls/platform.h"
60 #else
61 #include <stdlib.h>
62 #define mbedtls_calloc calloc
63 #define mbedtls_free free
64 #if defined(MBEDTLS_SELF_TEST)
65 #include <stdio.h>
66 #define mbedtls_printf printf
67 #endif /* MBEDTLS_SELF_TEST */
68 #endif /* MBEDTLS_PLATFORM_C */
69
70 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
71
72 /* Implementation that should never be optimized out by the compiler */
73 static void mbedtls_zeroize( void *v, size_t n ) {
74 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
75 }
76
77 /*
78 * Multiplication by u in the Galois field of GF(2^n)
79 *
80 * As explained in NIST SP 800-38B, this can be computed:
81 *
82 * If MSB(p) = 0, then p = (p << 1)
83 * If MSB(p) = 1, then p = (p << 1) ^ R_n
84 * with R_64 = 0x1B and R_128 = 0x87
85 *
86 * Input and output MUST NOT point to the same buffer
87 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
88 */
89 static int cmac_multiply_by_u( unsigned char *output,
90 const unsigned char *input,
91 size_t blocksize )
92 {
93 const unsigned char R_128 = 0x87;
94 const unsigned char R_64 = 0x1B;
95 unsigned char R_n, mask;
96 unsigned char overflow = 0x00;
97 int i;
98
99 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
100 {
101 R_n = R_128;
102 }
103 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
104 {
105 R_n = R_64;
106 }
107 else
108 {
109 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
110 }
111
112 for( i = (int)blocksize - 1; i >= 0; i-- )
113 {
114 output[i] = input[i] << 1 | overflow;
115 overflow = input[i] >> 7;
116 }
117
118 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
119 * using bit operations to avoid branches */
120
121 /* MSVC has a warning about unary minus on unsigned, but this is
122 * well-defined and precisely what we want to do here */
123 #if defined(_MSC_VER)
124 #pragma warning( push )
125 #pragma warning( disable : 4146 )
126 #endif
127 mask = - ( input[0] >> 7 );
128 #if defined(_MSC_VER)
129 #pragma warning( pop )
130 #endif
131
132 output[ blocksize - 1 ] ^= R_n & mask;
133
134 return( 0 );
135 }
136
137 /*
138 * Generate subkeys
139 *
140 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
141 */
142 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
143 unsigned char* K1, unsigned char* K2 )
144 {
145 int ret;
146 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
147 size_t olen, block_size;
148
149 mbedtls_zeroize( L, sizeof( L ) );
150
151 block_size = ctx->cipher_info->block_size;
152
153 /* Calculate Ek(0) */
154 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
155 goto exit;
156
157 /*
158 * Generate K1 and K2
159 */
160 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
161 goto exit;
162
163 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
164 goto exit;
165
166 exit:
167 mbedtls_zeroize( L, sizeof( L ) );
168
169 return( ret );
170 }
171 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
172
173 #if !defined(MBEDTLS_CMAC_ALT)
174 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
175 const unsigned char *input2,
176 const size_t block_size )
177 {
178 size_t idx;
179
180 for( idx = 0; idx < block_size; idx++ )
181 output[ idx ] = input1[ idx ] ^ input2[ idx ];
182 }
183
184 /*
185 * Create padded last block from (partial) last block.
186 *
187 * We can't use the padding option from the cipher layer, as it only works for
188 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
189 */
190 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
191 size_t padded_block_len,
192 const unsigned char *last_block,
193 size_t last_block_len )
194 {
195 size_t j;
196
197 for( j = 0; j < padded_block_len; j++ )
198 {
199 if( j < last_block_len )
200 padded_block[j] = last_block[j];
201 else if( j == last_block_len )
202 padded_block[j] = 0x80;
203 else
204 padded_block[j] = 0x00;
205 }
206 }
207
208 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
209 const unsigned char *key, size_t keybits )
210 {
211 mbedtls_cipher_type_t type;
212 mbedtls_cmac_context_t *cmac_ctx;
213 int retval;
214
215 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
216 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
217
218 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
219 MBEDTLS_ENCRYPT ) ) != 0 )
220 return( retval );
221
222 type = ctx->cipher_info->type;
223
224 switch( type )
225 {
226 case MBEDTLS_CIPHER_AES_128_ECB:
227 case MBEDTLS_CIPHER_AES_192_ECB:
228 case MBEDTLS_CIPHER_AES_256_ECB:
229 case MBEDTLS_CIPHER_DES_EDE3_ECB:
230 break;
231 default:
232 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
233 }
234
235 /* Allocated and initialise in the cipher context memory for the CMAC
236 * context */
237 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
238 if( cmac_ctx == NULL )
239 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
240
241 ctx->cmac_ctx = cmac_ctx;
242
243 mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
244
245 return 0;
246 }
247
248 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
249 const unsigned char *input, size_t ilen )
250 {
251 mbedtls_cmac_context_t* cmac_ctx;
252 unsigned char *state;
253 int ret = 0;
254 size_t n, j, olen, block_size;
255
256 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
257 ctx->cmac_ctx == NULL )
258 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
259
260 cmac_ctx = ctx->cmac_ctx;
261 block_size = ctx->cipher_info->block_size;
262 state = ctx->cmac_ctx->state;
263
264 /* Is there data still to process from the last call, that's greater in
265 * size than a block? */
266 if( cmac_ctx->unprocessed_len > 0 &&
267 ilen > block_size - cmac_ctx->unprocessed_len )
268 {
269 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
270 input,
271 block_size - cmac_ctx->unprocessed_len );
272
273 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
274
275 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
276 &olen ) ) != 0 )
277 {
278 goto exit;
279 }
280
281 input += block_size - cmac_ctx->unprocessed_len;
282 ilen -= block_size - cmac_ctx->unprocessed_len;
283 cmac_ctx->unprocessed_len = 0;
284 }
285
286 /* n is the number of blocks including any final partial block */
287 n = ( ilen + block_size - 1 ) / block_size;
288
289 /* Iterate across the input data in block sized chunks, excluding any
290 * final partial or complete block */
291 for( j = 1; j < n; j++ )
292 {
293 cmac_xor_block( state, input, state, block_size );
294
295 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
296 &olen ) ) != 0 )
297 goto exit;
298
299 ilen -= block_size;
300 input += block_size;
301 }
302
303 /* If there is data left over that wasn't aligned to a block */
304 if( ilen > 0 )
305 {
306 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
307 input,
308 ilen );
309 cmac_ctx->unprocessed_len += ilen;
310 }
311
312 exit:
313 return( ret );
314 }
315
316 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
317 unsigned char *output )
318 {
319 mbedtls_cmac_context_t* cmac_ctx;
320 unsigned char *state, *last_block;
321 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
322 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
323 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
324 int ret;
325 size_t olen, block_size;
326
327 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
328 output == NULL )
329 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
330
331 cmac_ctx = ctx->cmac_ctx;
332 block_size = ctx->cipher_info->block_size;
333 state = cmac_ctx->state;
334
335 mbedtls_zeroize( K1, sizeof( K1 ) );
336 mbedtls_zeroize( K2, sizeof( K2 ) );
337 cmac_generate_subkeys( ctx, K1, K2 );
338
339 last_block = cmac_ctx->unprocessed_block;
340
341 /* Calculate last block */
342 if( cmac_ctx->unprocessed_len < block_size )
343 {
344 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
345 cmac_xor_block( M_last, M_last, K2, block_size );
346 }
347 else
348 {
349 /* Last block is complete block */
350 cmac_xor_block( M_last, last_block, K1, block_size );
351 }
352
353
354 cmac_xor_block( state, M_last, state, block_size );
355 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
356 &olen ) ) != 0 )
357 {
358 goto exit;
359 }
360
361 memcpy( output, state, block_size );
362
363 exit:
364 /* Wipe the generated keys on the stack, and any other transients to avoid
365 * side channel leakage */
366 mbedtls_zeroize( K1, sizeof( K1 ) );
367 mbedtls_zeroize( K2, sizeof( K2 ) );
368
369 cmac_ctx->unprocessed_len = 0;
370 mbedtls_zeroize( cmac_ctx->unprocessed_block,
371 sizeof( cmac_ctx->unprocessed_block ) );
372
373 mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
374 return( ret );
375 }
376
377 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
378 {
379 mbedtls_cmac_context_t* cmac_ctx;
380
381 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
382 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
383
384 cmac_ctx = ctx->cmac_ctx;
385
386 /* Reset the internal state */
387 cmac_ctx->unprocessed_len = 0;
388 mbedtls_zeroize( cmac_ctx->unprocessed_block,
389 sizeof( cmac_ctx->unprocessed_block ) );
390 mbedtls_zeroize( cmac_ctx->state,
391 sizeof( cmac_ctx->state ) );
392
393 return( 0 );
394 }
395
396 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
397 const unsigned char *key, size_t keylen,
398 const unsigned char *input, size_t ilen,
399 unsigned char *output )
400 {
401 mbedtls_cipher_context_t ctx;
402 int ret;
403
404 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
405 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
406
407 mbedtls_cipher_init( &ctx );
408
409 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
410 goto exit;
411
412 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
413 if( ret != 0 )
414 goto exit;
415
416 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
417 if( ret != 0 )
418 goto exit;
419
420 ret = mbedtls_cipher_cmac_finish( &ctx, output );
421
422 exit:
423 mbedtls_cipher_free( &ctx );
424
425 return( ret );
426 }
427
428 #if defined(MBEDTLS_AES_C)
429 /*
430 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
431 */
432 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
433 const unsigned char *input, size_t in_len,
434 unsigned char *output )
435 {
436 int ret;
437 const mbedtls_cipher_info_t *cipher_info;
438 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
439 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
440
441 if( key == NULL || input == NULL || output == NULL )
442 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
443
444 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
445 if( cipher_info == NULL )
446 {
447 /* Failing at this point must be due to a build issue */
448 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
449 goto exit;
450 }
451
452 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
453 {
454 /* Use key as is */
455 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
456 }
457 else
458 {
459 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
460
461 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
462 key_length, int_key );
463 if( ret != 0 )
464 goto exit;
465 }
466
467 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
468 output );
469
470 exit:
471 mbedtls_zeroize( int_key, sizeof( int_key ) );
472
473 return( ret );
474 }
475 #endif /* MBEDTLS_AES_C */
476
477 #endif /* !MBEDTLS_CMAC_ALT */
478
479 #if defined(MBEDTLS_SELF_TEST)
480 /*
481 * CMAC test data for SP800-38B
482 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
483 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
484 *
485 * AES-CMAC-PRF-128 test data from RFC 4615
486 * https://tools.ietf.org/html/rfc4615#page-4
487 */
488
489 #define NB_CMAC_TESTS_PER_KEY 4
490 #define NB_PRF_TESTS 3
491
492 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
493 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
494 static const unsigned char test_message[] = {
495 /* PT */
496 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
497 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
498 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
499 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
500 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
501 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
502 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
503 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
504 };
505 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
506
507 #if defined(MBEDTLS_AES_C)
508 /* Truncation point of message for AES CMAC tests */
509 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
510 /* Mlen */
511 0,
512 16,
513 20,
514 64
515 };
516
517 /* CMAC-AES128 Test Data */
518 static const unsigned char aes_128_key[16] = {
519 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
520 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
521 };
522 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
523 {
524 /* K1 */
525 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
526 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
527 },
528 {
529 /* K2 */
530 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
531 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
532 }
533 };
534 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
535 {
536 /* Example #1 */
537 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
538 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
539 },
540 {
541 /* Example #2 */
542 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
543 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
544 },
545 {
546 /* Example #3 */
547 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
548 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
549 },
550 {
551 /* Example #4 */
552 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
553 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
554 }
555 };
556
557 /* CMAC-AES192 Test Data */
558 static const unsigned char aes_192_key[24] = {
559 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
560 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
561 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
562 };
563 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
564 {
565 /* K1 */
566 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
567 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
568 },
569 {
570 /* K2 */
571 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
572 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
573 }
574 };
575 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
576 {
577 /* Example #1 */
578 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
579 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
580 },
581 {
582 /* Example #2 */
583 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
584 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
585 },
586 {
587 /* Example #3 */
588 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
589 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
590 },
591 {
592 /* Example #4 */
593 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
594 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
595 }
596 };
597
598 /* CMAC-AES256 Test Data */
599 static const unsigned char aes_256_key[32] = {
600 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
601 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
602 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
603 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
604 };
605 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
606 {
607 /* K1 */
608 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
609 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
610 },
611 {
612 /* K2 */
613 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
614 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
615 }
616 };
617 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
618 {
619 /* Example #1 */
620 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
621 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
622 },
623 {
624 /* Example #2 */
625 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
626 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
627 },
628 {
629 /* Example #3 */
630 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
631 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
632 },
633 {
634 /* Example #4 */
635 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
636 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
637 }
638 };
639 #endif /* MBEDTLS_AES_C */
640
641 #if defined(MBEDTLS_DES_C)
642 /* Truncation point of message for 3DES CMAC tests */
643 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
644 0,
645 16,
646 20,
647 32
648 };
649
650 /* CMAC-TDES (Generation) - 2 Key Test Data */
651 static const unsigned char des3_2key_key[24] = {
652 /* Key1 */
653 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
654 /* Key2 */
655 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
656 /* Key3 */
657 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
658 };
659 static const unsigned char des3_2key_subkeys[2][8] = {
660 {
661 /* K1 */
662 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
663 },
664 {
665 /* K2 */
666 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
667 }
668 };
669 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
670 {
671 /* Sample #1 */
672 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
673 },
674 {
675 /* Sample #2 */
676 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
677 },
678 {
679 /* Sample #3 */
680 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
681 },
682 {
683 /* Sample #4 */
684 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
685 }
686 };
687
688 /* CMAC-TDES (Generation) - 3 Key Test Data */
689 static const unsigned char des3_3key_key[24] = {
690 /* Key1 */
691 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
692 /* Key2 */
693 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
694 /* Key3 */
695 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
696 };
697 static const unsigned char des3_3key_subkeys[2][8] = {
698 {
699 /* K1 */
700 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
701 },
702 {
703 /* K2 */
704 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
705 }
706 };
707 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
708 {
709 /* Sample #1 */
710 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
711 },
712 {
713 /* Sample #2 */
714 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
715 },
716 {
717 /* Sample #3 */
718 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
719 },
720 {
721 /* Sample #4 */
722 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
723 }
724 };
725
726 #endif /* MBEDTLS_DES_C */
727
728 #if defined(MBEDTLS_AES_C)
729 /* AES AES-CMAC-PRF-128 Test Data */
730 static const unsigned char PRFK[] = {
731 /* Key */
732 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
733 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
734 0xed, 0xcb
735 };
736
737 /* Sizes in bytes */
738 static const size_t PRFKlen[NB_PRF_TESTS] = {
739 18,
740 16,
741 10
742 };
743
744 /* Message */
745 static const unsigned char PRFM[] = {
746 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
747 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
748 0x10, 0x11, 0x12, 0x13
749 };
750
751 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
752 {
753 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
754 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
755 },
756 {
757 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
758 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
759 },
760 {
761 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
762 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
763 }
764 };
765 #endif /* MBEDTLS_AES_C */
766
767 static int cmac_test_subkeys( int verbose,
768 const char* testname,
769 const unsigned char* key,
770 int keybits,
771 const unsigned char* subkeys,
772 mbedtls_cipher_type_t cipher_type,
773 int block_size,
774 int num_tests )
775 {
776 int i, ret = 0;
777 mbedtls_cipher_context_t ctx;
778 const mbedtls_cipher_info_t *cipher_info;
779 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
780 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
781
782 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
783 if( cipher_info == NULL )
784 {
785 /* Failing at this point must be due to a build issue */
786 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
787 }
788
789 for( i = 0; i < num_tests; i++ )
790 {
791 if( verbose != 0 )
792 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
793
794 mbedtls_cipher_init( &ctx );
795
796 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
797 {
798 if( verbose != 0 )
799 mbedtls_printf( "test execution failed\n" );
800
801 goto cleanup;
802 }
803
804 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
805 MBEDTLS_ENCRYPT ) ) != 0 )
806 {
807 if( verbose != 0 )
808 mbedtls_printf( "test execution failed\n" );
809
810 goto cleanup;
811 }
812
813 ret = cmac_generate_subkeys( &ctx, K1, K2 );
814 if( ret != 0 )
815 {
816 if( verbose != 0 )
817 mbedtls_printf( "failed\n" );
818
819 goto cleanup;
820 }
821
822 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
823 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
824 {
825 if( verbose != 0 )
826 mbedtls_printf( "failed\n" );
827
828 goto cleanup;
829 }
830
831 if( verbose != 0 )
832 mbedtls_printf( "passed\n" );
833
834 mbedtls_cipher_free( &ctx );
835 }
836
837 ret = 0;
838 goto exit;
839
840 cleanup:
841 mbedtls_cipher_free( &ctx );
842
843 exit:
844 return( ret );
845 }
846
847 static int cmac_test_wth_cipher( int verbose,
848 const char* testname,
849 const unsigned char* key,
850 int keybits,
851 const unsigned char* messages,
852 const unsigned int message_lengths[4],
853 const unsigned char* expected_result,
854 mbedtls_cipher_type_t cipher_type,
855 int block_size,
856 int num_tests )
857 {
858 const mbedtls_cipher_info_t *cipher_info;
859 int i, ret = 0;
860 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
861
862 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
863 if( cipher_info == NULL )
864 {
865 /* Failing at this point must be due to a build issue */
866 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
867 goto exit;
868 }
869
870 for( i = 0; i < num_tests; i++ )
871 {
872 if( verbose != 0 )
873 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
874
875 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
876 message_lengths[i], output ) ) != 0 )
877 {
878 if( verbose != 0 )
879 mbedtls_printf( "failed\n" );
880 goto exit;
881 }
882
883 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
884 {
885 if( verbose != 0 )
886 mbedtls_printf( "failed\n" );
887 goto exit;
888 }
889
890 if( verbose != 0 )
891 mbedtls_printf( "passed\n" );
892 }
893 ret = 0;
894
895 exit:
896 return( ret );
897 }
898
899 #if defined(MBEDTLS_AES_C)
900 static int test_aes128_cmac_prf( int verbose )
901 {
902 int i;
903 int ret;
904 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
905
906 for( i = 0; i < NB_PRF_TESTS; i++ )
907 {
908 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
909 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
910 if( ret != 0 ||
911 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
912 {
913
914 if( verbose != 0 )
915 mbedtls_printf( "failed\n" );
916
917 return( ret );
918 }
919 else if( verbose != 0 )
920 {
921 mbedtls_printf( "passed\n" );
922 }
923 }
924 return( ret );
925 }
926 #endif /* MBEDTLS_AES_C */
927
928 int mbedtls_cmac_self_test( int verbose )
929 {
930 int ret;
931
932 #if defined(MBEDTLS_AES_C)
933 /* AES-128 */
934 if( ( ret = cmac_test_subkeys( verbose,
935 "AES 128",
936 aes_128_key,
937 128,
938 (const unsigned char*)aes_128_subkeys,
939 MBEDTLS_CIPHER_AES_128_ECB,
940 MBEDTLS_AES_BLOCK_SIZE,
941 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
942 {
943 return( ret );
944 }
945
946 if( ( ret = cmac_test_wth_cipher( verbose,
947 "AES 128",
948 aes_128_key,
949 128,
950 test_message,
951 aes_message_lengths,
952 (const unsigned char*)aes_128_expected_result,
953 MBEDTLS_CIPHER_AES_128_ECB,
954 MBEDTLS_AES_BLOCK_SIZE,
955 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
956 {
957 return( ret );
958 }
959
960 /* AES-192 */
961 if( ( ret = cmac_test_subkeys( verbose,
962 "AES 192",
963 aes_192_key,
964 192,
965 (const unsigned char*)aes_192_subkeys,
966 MBEDTLS_CIPHER_AES_192_ECB,
967 MBEDTLS_AES_BLOCK_SIZE,
968 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
969 {
970 return( ret );
971 }
972
973 if( ( ret = cmac_test_wth_cipher( verbose,
974 "AES 192",
975 aes_192_key,
976 192,
977 test_message,
978 aes_message_lengths,
979 (const unsigned char*)aes_192_expected_result,
980 MBEDTLS_CIPHER_AES_192_ECB,
981 MBEDTLS_AES_BLOCK_SIZE,
982 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
983 {
984 return( ret );
985 }
986
987 /* AES-256 */
988 if( ( ret = cmac_test_subkeys( verbose,
989 "AES 256",
990 aes_256_key,
991 256,
992 (const unsigned char*)aes_256_subkeys,
993 MBEDTLS_CIPHER_AES_256_ECB,
994 MBEDTLS_AES_BLOCK_SIZE,
995 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
996 {
997 return( ret );
998 }
999
1000 if( ( ret = cmac_test_wth_cipher ( verbose,
1001 "AES 256",
1002 aes_256_key,
1003 256,
1004 test_message,
1005 aes_message_lengths,
1006 (const unsigned char*)aes_256_expected_result,
1007 MBEDTLS_CIPHER_AES_256_ECB,
1008 MBEDTLS_AES_BLOCK_SIZE,
1009 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1010 {
1011 return( ret );
1012 }
1013 #endif /* MBEDTLS_AES_C */
1014
1015 #if defined(MBEDTLS_DES_C)
1016 /* 3DES 2 key */
1017 if( ( ret = cmac_test_subkeys( verbose,
1018 "3DES 2 key",
1019 des3_2key_key,
1020 192,
1021 (const unsigned char*)des3_2key_subkeys,
1022 MBEDTLS_CIPHER_DES_EDE3_ECB,
1023 MBEDTLS_DES3_BLOCK_SIZE,
1024 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1025 {
1026 return( ret );
1027 }
1028
1029 if( ( ret = cmac_test_wth_cipher( verbose,
1030 "3DES 2 key",
1031 des3_2key_key,
1032 192,
1033 test_message,
1034 des3_message_lengths,
1035 (const unsigned char*)des3_2key_expected_result,
1036 MBEDTLS_CIPHER_DES_EDE3_ECB,
1037 MBEDTLS_DES3_BLOCK_SIZE,
1038 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1039 {
1040 return( ret );
1041 }
1042
1043 /* 3DES 3 key */
1044 if( ( ret = cmac_test_subkeys( verbose,
1045 "3DES 3 key",
1046 des3_3key_key,
1047 192,
1048 (const unsigned char*)des3_3key_subkeys,
1049 MBEDTLS_CIPHER_DES_EDE3_ECB,
1050 MBEDTLS_DES3_BLOCK_SIZE,
1051 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1052 {
1053 return( ret );
1054 }
1055
1056 if( ( ret = cmac_test_wth_cipher( verbose,
1057 "3DES 3 key",
1058 des3_3key_key,
1059 192,
1060 test_message,
1061 des3_message_lengths,
1062 (const unsigned char*)des3_3key_expected_result,
1063 MBEDTLS_CIPHER_DES_EDE3_ECB,
1064 MBEDTLS_DES3_BLOCK_SIZE,
1065 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1066 {
1067 return( ret );
1068 }
1069 #endif /* MBEDTLS_DES_C */
1070
1071 #if defined(MBEDTLS_AES_C)
1072 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1073 return( ret );
1074 #endif /* MBEDTLS_AES_C */
1075
1076 if( verbose != 0 )
1077 mbedtls_printf( "\n" );
1078
1079 return( 0 );
1080 }
1081
1082 #endif /* MBEDTLS_SELF_TEST */
1083
1084 #endif /* MBEDTLS_CMAC_C */
A free Windows-compatible Operating System