4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: GPL-2.0
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 * This file is part of mbed TLS (https://tls.mbed.org)
29 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
30 * CMAC Mode for Authentication
31 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
33 * - RFC 4493 - The AES-CMAC Algorithm
34 * https://tools.ietf.org/html/rfc4493
36 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
37 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
38 * Algorithm for the Internet Key Exchange Protocol (IKE)
39 * https://tools.ietf.org/html/rfc4615
41 * Additional test vectors: ISO/IEC 9797-1
45 #if !defined(MBEDTLS_CONFIG_FILE)
46 #include "mbedtls/config.h"
48 #include MBEDTLS_CONFIG_FILE
51 #if defined(MBEDTLS_CMAC_C)
53 #include "mbedtls/cmac.h"
58 #if defined(MBEDTLS_PLATFORM_C)
59 #include "mbedtls/platform.h"
62 #define mbedtls_calloc calloc
63 #define mbedtls_free free
64 #if defined(MBEDTLS_SELF_TEST)
66 #define mbedtls_printf printf
67 #endif /* MBEDTLS_SELF_TEST */
68 #endif /* MBEDTLS_PLATFORM_C */
70 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
72 /* Implementation that should never be optimized out by the compiler */
73 static void mbedtls_zeroize( void *v
, size_t n
) {
74 volatile unsigned char *p
= (unsigned char*)v
; while( n
-- ) *p
++ = 0;
78 * Multiplication by u in the Galois field of GF(2^n)
80 * As explained in NIST SP 800-38B, this can be computed:
82 * If MSB(p) = 0, then p = (p << 1)
83 * If MSB(p) = 1, then p = (p << 1) ^ R_n
84 * with R_64 = 0x1B and R_128 = 0x87
86 * Input and output MUST NOT point to the same buffer
87 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
89 static int cmac_multiply_by_u( unsigned char *output
,
90 const unsigned char *input
,
93 const unsigned char R_128
= 0x87;
94 const unsigned char R_64
= 0x1B;
95 unsigned char R_n
, mask
;
96 unsigned char overflow
= 0x00;
99 if( blocksize
== MBEDTLS_AES_BLOCK_SIZE
)
103 else if( blocksize
== MBEDTLS_DES3_BLOCK_SIZE
)
109 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
112 for( i
= (int)blocksize
- 1; i
>= 0; i
-- )
114 output
[i
] = input
[i
] << 1 | overflow
;
115 overflow
= input
[i
] >> 7;
118 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
119 * using bit operations to avoid branches */
121 /* MSVC has a warning about unary minus on unsigned, but this is
122 * well-defined and precisely what we want to do here */
123 #if defined(_MSC_VER)
124 #pragma warning( push )
125 #pragma warning( disable : 4146 )
127 mask
= - ( input
[0] >> 7 );
128 #if defined(_MSC_VER)
129 #pragma warning( pop )
132 output
[ blocksize
- 1 ] ^= R_n
& mask
;
140 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
142 static int cmac_generate_subkeys( mbedtls_cipher_context_t
*ctx
,
143 unsigned char* K1
, unsigned char* K2
)
146 unsigned char L
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
147 size_t olen
, block_size
;
149 mbedtls_zeroize( L
, sizeof( L
) );
151 block_size
= ctx
->cipher_info
->block_size
;
153 /* Calculate Ek(0) */
154 if( ( ret
= mbedtls_cipher_update( ctx
, L
, block_size
, L
, &olen
) ) != 0 )
160 if( ( ret
= cmac_multiply_by_u( K1
, L
, block_size
) ) != 0 )
163 if( ( ret
= cmac_multiply_by_u( K2
, K1
, block_size
) ) != 0 )
167 mbedtls_zeroize( L
, sizeof( L
) );
171 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
173 #if !defined(MBEDTLS_CMAC_ALT)
174 static void cmac_xor_block( unsigned char *output
, const unsigned char *input1
,
175 const unsigned char *input2
,
176 const size_t block_size
)
180 for( idx
= 0; idx
< block_size
; idx
++ )
181 output
[ idx
] = input1
[ idx
] ^ input2
[ idx
];
185 * Create padded last block from (partial) last block.
187 * We can't use the padding option from the cipher layer, as it only works for
188 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
190 static void cmac_pad( unsigned char padded_block
[MBEDTLS_CIPHER_BLKSIZE_MAX
],
191 size_t padded_block_len
,
192 const unsigned char *last_block
,
193 size_t last_block_len
)
197 for( j
= 0; j
< padded_block_len
; j
++ )
199 if( j
< last_block_len
)
200 padded_block
[j
] = last_block
[j
];
201 else if( j
== last_block_len
)
202 padded_block
[j
] = 0x80;
204 padded_block
[j
] = 0x00;
208 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t
*ctx
,
209 const unsigned char *key
, size_t keybits
)
211 mbedtls_cipher_type_t type
;
212 mbedtls_cmac_context_t
*cmac_ctx
;
215 if( ctx
== NULL
|| ctx
->cipher_info
== NULL
|| key
== NULL
)
216 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
218 if( ( retval
= mbedtls_cipher_setkey( ctx
, key
, (int)keybits
,
219 MBEDTLS_ENCRYPT
) ) != 0 )
222 type
= ctx
->cipher_info
->type
;
226 case MBEDTLS_CIPHER_AES_128_ECB
:
227 case MBEDTLS_CIPHER_AES_192_ECB
:
228 case MBEDTLS_CIPHER_AES_256_ECB
:
229 case MBEDTLS_CIPHER_DES_EDE3_ECB
:
232 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
235 /* Allocated and initialise in the cipher context memory for the CMAC
237 cmac_ctx
= mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t
) );
238 if( cmac_ctx
== NULL
)
239 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED
);
241 ctx
->cmac_ctx
= cmac_ctx
;
243 mbedtls_zeroize( cmac_ctx
->state
, sizeof( cmac_ctx
->state
) );
248 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t
*ctx
,
249 const unsigned char *input
, size_t ilen
)
251 mbedtls_cmac_context_t
* cmac_ctx
;
252 unsigned char *state
;
254 size_t n
, j
, olen
, block_size
;
256 if( ctx
== NULL
|| ctx
->cipher_info
== NULL
|| input
== NULL
||
257 ctx
->cmac_ctx
== NULL
)
258 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
260 cmac_ctx
= ctx
->cmac_ctx
;
261 block_size
= ctx
->cipher_info
->block_size
;
262 state
= ctx
->cmac_ctx
->state
;
264 /* Is there data still to process from the last call, that's greater in
265 * size than a block? */
266 if( cmac_ctx
->unprocessed_len
> 0 &&
267 ilen
> block_size
- cmac_ctx
->unprocessed_len
)
269 memcpy( &cmac_ctx
->unprocessed_block
[cmac_ctx
->unprocessed_len
],
271 block_size
- cmac_ctx
->unprocessed_len
);
273 cmac_xor_block( state
, cmac_ctx
->unprocessed_block
, state
, block_size
);
275 if( ( ret
= mbedtls_cipher_update( ctx
, state
, block_size
, state
,
281 input
+= block_size
- cmac_ctx
->unprocessed_len
;
282 ilen
-= block_size
- cmac_ctx
->unprocessed_len
;
283 cmac_ctx
->unprocessed_len
= 0;
286 /* n is the number of blocks including any final partial block */
287 n
= ( ilen
+ block_size
- 1 ) / block_size
;
289 /* Iterate across the input data in block sized chunks, excluding any
290 * final partial or complete block */
291 for( j
= 1; j
< n
; j
++ )
293 cmac_xor_block( state
, input
, state
, block_size
);
295 if( ( ret
= mbedtls_cipher_update( ctx
, state
, block_size
, state
,
303 /* If there is data left over that wasn't aligned to a block */
306 memcpy( &cmac_ctx
->unprocessed_block
[cmac_ctx
->unprocessed_len
],
309 cmac_ctx
->unprocessed_len
+= ilen
;
316 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t
*ctx
,
317 unsigned char *output
)
319 mbedtls_cmac_context_t
* cmac_ctx
;
320 unsigned char *state
, *last_block
;
321 unsigned char K1
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
322 unsigned char K2
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
323 unsigned char M_last
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
325 size_t olen
, block_size
;
327 if( ctx
== NULL
|| ctx
->cipher_info
== NULL
|| ctx
->cmac_ctx
== NULL
||
329 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
331 cmac_ctx
= ctx
->cmac_ctx
;
332 block_size
= ctx
->cipher_info
->block_size
;
333 state
= cmac_ctx
->state
;
335 mbedtls_zeroize( K1
, sizeof( K1
) );
336 mbedtls_zeroize( K2
, sizeof( K2
) );
337 cmac_generate_subkeys( ctx
, K1
, K2
);
339 last_block
= cmac_ctx
->unprocessed_block
;
341 /* Calculate last block */
342 if( cmac_ctx
->unprocessed_len
< block_size
)
344 cmac_pad( M_last
, block_size
, last_block
, cmac_ctx
->unprocessed_len
);
345 cmac_xor_block( M_last
, M_last
, K2
, block_size
);
349 /* Last block is complete block */
350 cmac_xor_block( M_last
, last_block
, K1
, block_size
);
354 cmac_xor_block( state
, M_last
, state
, block_size
);
355 if( ( ret
= mbedtls_cipher_update( ctx
, state
, block_size
, state
,
361 memcpy( output
, state
, block_size
);
364 /* Wipe the generated keys on the stack, and any other transients to avoid
365 * side channel leakage */
366 mbedtls_zeroize( K1
, sizeof( K1
) );
367 mbedtls_zeroize( K2
, sizeof( K2
) );
369 cmac_ctx
->unprocessed_len
= 0;
370 mbedtls_zeroize( cmac_ctx
->unprocessed_block
,
371 sizeof( cmac_ctx
->unprocessed_block
) );
373 mbedtls_zeroize( state
, MBEDTLS_CIPHER_BLKSIZE_MAX
);
377 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t
*ctx
)
379 mbedtls_cmac_context_t
* cmac_ctx
;
381 if( ctx
== NULL
|| ctx
->cipher_info
== NULL
|| ctx
->cmac_ctx
== NULL
)
382 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
384 cmac_ctx
= ctx
->cmac_ctx
;
386 /* Reset the internal state */
387 cmac_ctx
->unprocessed_len
= 0;
388 mbedtls_zeroize( cmac_ctx
->unprocessed_block
,
389 sizeof( cmac_ctx
->unprocessed_block
) );
390 mbedtls_zeroize( cmac_ctx
->state
,
391 sizeof( cmac_ctx
->state
) );
396 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t
*cipher_info
,
397 const unsigned char *key
, size_t keylen
,
398 const unsigned char *input
, size_t ilen
,
399 unsigned char *output
)
401 mbedtls_cipher_context_t ctx
;
404 if( cipher_info
== NULL
|| key
== NULL
|| input
== NULL
|| output
== NULL
)
405 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
407 mbedtls_cipher_init( &ctx
);
409 if( ( ret
= mbedtls_cipher_setup( &ctx
, cipher_info
) ) != 0 )
412 ret
= mbedtls_cipher_cmac_starts( &ctx
, key
, keylen
);
416 ret
= mbedtls_cipher_cmac_update( &ctx
, input
, ilen
);
420 ret
= mbedtls_cipher_cmac_finish( &ctx
, output
);
423 mbedtls_cipher_free( &ctx
);
428 #if defined(MBEDTLS_AES_C)
430 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
432 int mbedtls_aes_cmac_prf_128( const unsigned char *key
, size_t key_length
,
433 const unsigned char *input
, size_t in_len
,
434 unsigned char *output
)
437 const mbedtls_cipher_info_t
*cipher_info
;
438 unsigned char zero_key
[MBEDTLS_AES_BLOCK_SIZE
];
439 unsigned char int_key
[MBEDTLS_AES_BLOCK_SIZE
];
441 if( key
== NULL
|| input
== NULL
|| output
== NULL
)
442 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
444 cipher_info
= mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB
);
445 if( cipher_info
== NULL
)
447 /* Failing at this point must be due to a build issue */
448 ret
= MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
;
452 if( key_length
== MBEDTLS_AES_BLOCK_SIZE
)
455 memcpy( int_key
, key
, MBEDTLS_AES_BLOCK_SIZE
);
459 memset( zero_key
, 0, MBEDTLS_AES_BLOCK_SIZE
);
461 ret
= mbedtls_cipher_cmac( cipher_info
, zero_key
, 128, key
,
462 key_length
, int_key
);
467 ret
= mbedtls_cipher_cmac( cipher_info
, int_key
, 128, input
, in_len
,
471 mbedtls_zeroize( int_key
, sizeof( int_key
) );
475 #endif /* MBEDTLS_AES_C */
477 #endif /* !MBEDTLS_CMAC_ALT */
479 #if defined(MBEDTLS_SELF_TEST)
481 * CMAC test data for SP800-38B
482 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
483 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
485 * AES-CMAC-PRF-128 test data from RFC 4615
486 * https://tools.ietf.org/html/rfc4615#page-4
489 #define NB_CMAC_TESTS_PER_KEY 4
490 #define NB_PRF_TESTS 3
492 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
493 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
494 static const unsigned char test_message
[] = {
496 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
497 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
498 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
499 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
500 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
501 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
502 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
503 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
505 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
507 #if defined(MBEDTLS_AES_C)
508 /* Truncation point of message for AES CMAC tests */
509 static const unsigned int aes_message_lengths
[NB_CMAC_TESTS_PER_KEY
] = {
517 /* CMAC-AES128 Test Data */
518 static const unsigned char aes_128_key
[16] = {
519 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
520 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
522 static const unsigned char aes_128_subkeys
[2][MBEDTLS_AES_BLOCK_SIZE
] = {
525 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
526 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
530 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
531 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
534 static const unsigned char aes_128_expected_result
[NB_CMAC_TESTS_PER_KEY
][MBEDTLS_AES_BLOCK_SIZE
] = {
537 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
538 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
542 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
543 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
547 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
548 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
552 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
553 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
557 /* CMAC-AES192 Test Data */
558 static const unsigned char aes_192_key
[24] = {
559 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
560 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
561 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
563 static const unsigned char aes_192_subkeys
[2][MBEDTLS_AES_BLOCK_SIZE
] = {
566 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
567 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
571 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
572 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
575 static const unsigned char aes_192_expected_result
[NB_CMAC_TESTS_PER_KEY
][MBEDTLS_AES_BLOCK_SIZE
] = {
578 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
579 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
583 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
584 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
588 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
589 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
593 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
594 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
598 /* CMAC-AES256 Test Data */
599 static const unsigned char aes_256_key
[32] = {
600 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
601 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
602 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
603 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
605 static const unsigned char aes_256_subkeys
[2][MBEDTLS_AES_BLOCK_SIZE
] = {
608 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
609 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
613 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
614 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
617 static const unsigned char aes_256_expected_result
[NB_CMAC_TESTS_PER_KEY
][MBEDTLS_AES_BLOCK_SIZE
] = {
620 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
621 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
625 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
626 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
630 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
631 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
635 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
636 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
639 #endif /* MBEDTLS_AES_C */
641 #if defined(MBEDTLS_DES_C)
642 /* Truncation point of message for 3DES CMAC tests */
643 static const unsigned int des3_message_lengths
[NB_CMAC_TESTS_PER_KEY
] = {
650 /* CMAC-TDES (Generation) - 2 Key Test Data */
651 static const unsigned char des3_2key_key
[24] = {
653 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
655 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
657 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
659 static const unsigned char des3_2key_subkeys
[2][8] = {
662 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
666 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
669 static const unsigned char des3_2key_expected_result
[NB_CMAC_TESTS_PER_KEY
][MBEDTLS_DES3_BLOCK_SIZE
] = {
672 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
676 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
680 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
684 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
688 /* CMAC-TDES (Generation) - 3 Key Test Data */
689 static const unsigned char des3_3key_key
[24] = {
691 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
693 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
695 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
697 static const unsigned char des3_3key_subkeys
[2][8] = {
700 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
704 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
707 static const unsigned char des3_3key_expected_result
[NB_CMAC_TESTS_PER_KEY
][MBEDTLS_DES3_BLOCK_SIZE
] = {
710 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
714 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
718 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
722 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
726 #endif /* MBEDTLS_DES_C */
728 #if defined(MBEDTLS_AES_C)
729 /* AES AES-CMAC-PRF-128 Test Data */
730 static const unsigned char PRFK
[] = {
732 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
733 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
738 static const size_t PRFKlen
[NB_PRF_TESTS
] = {
745 static const unsigned char PRFM
[] = {
746 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
747 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
748 0x10, 0x11, 0x12, 0x13
751 static const unsigned char PRFT
[NB_PRF_TESTS
][16] = {
753 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
754 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
757 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
758 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
761 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
762 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
765 #endif /* MBEDTLS_AES_C */
767 static int cmac_test_subkeys( int verbose
,
768 const char* testname
,
769 const unsigned char* key
,
771 const unsigned char* subkeys
,
772 mbedtls_cipher_type_t cipher_type
,
777 mbedtls_cipher_context_t ctx
;
778 const mbedtls_cipher_info_t
*cipher_info
;
779 unsigned char K1
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
780 unsigned char K2
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
782 cipher_info
= mbedtls_cipher_info_from_type( cipher_type
);
783 if( cipher_info
== NULL
)
785 /* Failing at this point must be due to a build issue */
786 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
789 for( i
= 0; i
< num_tests
; i
++ )
792 mbedtls_printf( " %s CMAC subkey #%u: ", testname
, i
+ 1 );
794 mbedtls_cipher_init( &ctx
);
796 if( ( ret
= mbedtls_cipher_setup( &ctx
, cipher_info
) ) != 0 )
799 mbedtls_printf( "test execution failed\n" );
804 if( ( ret
= mbedtls_cipher_setkey( &ctx
, key
, keybits
,
805 MBEDTLS_ENCRYPT
) ) != 0 )
808 mbedtls_printf( "test execution failed\n" );
813 ret
= cmac_generate_subkeys( &ctx
, K1
, K2
);
817 mbedtls_printf( "failed\n" );
822 if( ( ret
= memcmp( K1
, subkeys
, block_size
) ) != 0 ||
823 ( ret
= memcmp( K2
, &subkeys
[block_size
], block_size
) ) != 0 )
826 mbedtls_printf( "failed\n" );
832 mbedtls_printf( "passed\n" );
834 mbedtls_cipher_free( &ctx
);
841 mbedtls_cipher_free( &ctx
);
847 static int cmac_test_wth_cipher( int verbose
,
848 const char* testname
,
849 const unsigned char* key
,
851 const unsigned char* messages
,
852 const unsigned int message_lengths
[4],
853 const unsigned char* expected_result
,
854 mbedtls_cipher_type_t cipher_type
,
858 const mbedtls_cipher_info_t
*cipher_info
;
860 unsigned char output
[MBEDTLS_CIPHER_BLKSIZE_MAX
];
862 cipher_info
= mbedtls_cipher_info_from_type( cipher_type
);
863 if( cipher_info
== NULL
)
865 /* Failing at this point must be due to a build issue */
866 ret
= MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
;
870 for( i
= 0; i
< num_tests
; i
++ )
873 mbedtls_printf( " %s CMAC #%u: ", testname
, i
+ 1 );
875 if( ( ret
= mbedtls_cipher_cmac( cipher_info
, key
, keybits
, messages
,
876 message_lengths
[i
], output
) ) != 0 )
879 mbedtls_printf( "failed\n" );
883 if( ( ret
= memcmp( output
, &expected_result
[i
* block_size
], block_size
) ) != 0 )
886 mbedtls_printf( "failed\n" );
891 mbedtls_printf( "passed\n" );
899 #if defined(MBEDTLS_AES_C)
900 static int test_aes128_cmac_prf( int verbose
)
904 unsigned char output
[MBEDTLS_AES_BLOCK_SIZE
];
906 for( i
= 0; i
< NB_PRF_TESTS
; i
++ )
908 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i
);
909 ret
= mbedtls_aes_cmac_prf_128( PRFK
, PRFKlen
[i
], PRFM
, 20, output
);
911 memcmp( output
, PRFT
[i
], MBEDTLS_AES_BLOCK_SIZE
) != 0 )
915 mbedtls_printf( "failed\n" );
919 else if( verbose
!= 0 )
921 mbedtls_printf( "passed\n" );
926 #endif /* MBEDTLS_AES_C */
928 int mbedtls_cmac_self_test( int verbose
)
932 #if defined(MBEDTLS_AES_C)
934 if( ( ret
= cmac_test_subkeys( verbose
,
938 (const unsigned char*)aes_128_subkeys
,
939 MBEDTLS_CIPHER_AES_128_ECB
,
940 MBEDTLS_AES_BLOCK_SIZE
,
941 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
946 if( ( ret
= cmac_test_wth_cipher( verbose
,
952 (const unsigned char*)aes_128_expected_result
,
953 MBEDTLS_CIPHER_AES_128_ECB
,
954 MBEDTLS_AES_BLOCK_SIZE
,
955 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
961 if( ( ret
= cmac_test_subkeys( verbose
,
965 (const unsigned char*)aes_192_subkeys
,
966 MBEDTLS_CIPHER_AES_192_ECB
,
967 MBEDTLS_AES_BLOCK_SIZE
,
968 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
973 if( ( ret
= cmac_test_wth_cipher( verbose
,
979 (const unsigned char*)aes_192_expected_result
,
980 MBEDTLS_CIPHER_AES_192_ECB
,
981 MBEDTLS_AES_BLOCK_SIZE
,
982 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
988 if( ( ret
= cmac_test_subkeys( verbose
,
992 (const unsigned char*)aes_256_subkeys
,
993 MBEDTLS_CIPHER_AES_256_ECB
,
994 MBEDTLS_AES_BLOCK_SIZE
,
995 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
1000 if( ( ret
= cmac_test_wth_cipher ( verbose
,
1005 aes_message_lengths
,
1006 (const unsigned char*)aes_256_expected_result
,
1007 MBEDTLS_CIPHER_AES_256_ECB
,
1008 MBEDTLS_AES_BLOCK_SIZE
,
1009 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
1013 #endif /* MBEDTLS_AES_C */
1015 #if defined(MBEDTLS_DES_C)
1017 if( ( ret
= cmac_test_subkeys( verbose
,
1021 (const unsigned char*)des3_2key_subkeys
,
1022 MBEDTLS_CIPHER_DES_EDE3_ECB
,
1023 MBEDTLS_DES3_BLOCK_SIZE
,
1024 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
1029 if( ( ret
= cmac_test_wth_cipher( verbose
,
1034 des3_message_lengths
,
1035 (const unsigned char*)des3_2key_expected_result
,
1036 MBEDTLS_CIPHER_DES_EDE3_ECB
,
1037 MBEDTLS_DES3_BLOCK_SIZE
,
1038 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
1044 if( ( ret
= cmac_test_subkeys( verbose
,
1048 (const unsigned char*)des3_3key_subkeys
,
1049 MBEDTLS_CIPHER_DES_EDE3_ECB
,
1050 MBEDTLS_DES3_BLOCK_SIZE
,
1051 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
1056 if( ( ret
= cmac_test_wth_cipher( verbose
,
1061 des3_message_lengths
,
1062 (const unsigned char*)des3_3key_expected_result
,
1063 MBEDTLS_CIPHER_DES_EDE3_ECB
,
1064 MBEDTLS_DES3_BLOCK_SIZE
,
1065 NB_CMAC_TESTS_PER_KEY
) ) != 0 )
1069 #endif /* MBEDTLS_DES_C */
1071 #if defined(MBEDTLS_AES_C)
1072 if( ( ret
= test_aes128_cmac_prf( verbose
) ) != 0 )
1074 #endif /* MBEDTLS_AES_C */
1077 mbedtls_printf( "\n" );
1082 #endif /* MBEDTLS_SELF_TEST */
1084 #endif /* MBEDTLS_CMAC_C */