4 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: Apache-2.0
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
21 * This file is part of mbed TLS (https://tls.mbed.org)
27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28 * CMAC Mode for Authentication
29 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
31 * - RFC 4493 - The AES-CMAC Algorithm
32 * https://tools.ietf.org/html/rfc4493
34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36 * Algorithm for the Internet Key Exchange Protocol (IKE)
37 * https://tools.ietf.org/html/rfc4615
39 * Additional test vectors: ISO/IEC 9797-1
43 #if !defined(MBEDTLS_CONFIG_FILE)
44 #include "mbedtls/config.h"
46 #include MBEDTLS_CONFIG_FILE
49 #if defined(MBEDTLS_CMAC_C)
51 #include "mbedtls/cmac.h"
52 #include "mbedtls/platform_util.h"
57 #if defined(MBEDTLS_PLATFORM_C)
58 #include "mbedtls/platform.h"
61 #define mbedtls_calloc calloc
62 #define mbedtls_free free
63 #if defined(MBEDTLS_SELF_TEST)
65 #define mbedtls_printf printf
66 #endif /* MBEDTLS_SELF_TEST */
67 #endif /* MBEDTLS_PLATFORM_C */
69 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
72 * Multiplication by u in the Galois field of GF(2^n)
74 * As explained in NIST SP 800-38B, this can be computed:
76 * If MSB(p) = 0, then p = (p << 1)
77 * If MSB(p) = 1, then p = (p << 1) ^ R_n
78 * with R_64 = 0x1B and R_128 = 0x87
80 * Input and output MUST NOT point to the same buffer
81 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
83 static int cmac_multiply_by_u( unsigned char *output,
84 const unsigned char *input,
87 const unsigned char R_128 = 0x87;
88 const unsigned char R_64 = 0x1B;
89 unsigned char R_n, mask;
90 unsigned char overflow = 0x00;
93 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
97 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
103 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
106 for( i = (int)blocksize - 1; i >= 0; i-- )
108 output[i] = input[i] << 1 | overflow;
109 overflow = input[i] >> 7;
112 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
113 * using bit operations to avoid branches */
115 /* MSVC has a warning about unary minus on unsigned, but this is
116 * well-defined and precisely what we want to do here */
117 #if defined(_MSC_VER)
118 #pragma warning( push )
119 #pragma warning( disable : 4146 )
121 mask = - ( input[0] >> 7 );
122 #if defined(_MSC_VER)
123 #pragma warning( pop )
126 output[ blocksize - 1 ] ^= R_n & mask;
134 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
136 static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
137 unsigned char* K1, unsigned char* K2 )
140 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
141 size_t olen, block_size;
143 mbedtls_platform_zeroize( L, sizeof( L ) );
145 block_size = ctx->cipher_info->block_size;
147 /* Calculate Ek(0) */
148 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
154 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
157 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
161 mbedtls_platform_zeroize( L, sizeof( L ) );
165 #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
167 #if !defined(MBEDTLS_CMAC_ALT)
168 static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
169 const unsigned char *input2,
170 const size_t block_size )
174 for( idx = 0; idx < block_size; idx++ )
175 output[ idx ] = input1[ idx ] ^ input2[ idx ];
179 * Create padded last block from (partial) last block.
181 * We can't use the padding option from the cipher layer, as it only works for
182 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
184 static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
185 size_t padded_block_len,
186 const unsigned char *last_block,
187 size_t last_block_len )
191 for( j = 0; j < padded_block_len; j++ )
193 if( j < last_block_len )
194 padded_block[j] = last_block[j];
195 else if( j == last_block_len )
196 padded_block[j] = 0x80;
198 padded_block[j] = 0x00;
202 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
203 const unsigned char *key, size_t keybits )
205 mbedtls_cipher_type_t type;
206 mbedtls_cmac_context_t *cmac_ctx;
209 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
210 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
212 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
213 MBEDTLS_ENCRYPT ) ) != 0 )
216 type = ctx->cipher_info->type;
220 case MBEDTLS_CIPHER_AES_128_ECB:
221 case MBEDTLS_CIPHER_AES_192_ECB:
222 case MBEDTLS_CIPHER_AES_256_ECB:
223 case MBEDTLS_CIPHER_DES_EDE3_ECB:
226 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
229 /* Allocated and initialise in the cipher context memory for the CMAC
231 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
232 if( cmac_ctx == NULL )
233 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
235 ctx->cmac_ctx = cmac_ctx;
237 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
242 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
243 const unsigned char *input, size_t ilen )
245 mbedtls_cmac_context_t* cmac_ctx;
246 unsigned char *state;
248 size_t n, j, olen, block_size;
250 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
251 ctx->cmac_ctx == NULL )
252 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
254 cmac_ctx = ctx->cmac_ctx;
255 block_size = ctx->cipher_info->block_size;
256 state = ctx->cmac_ctx->state;
258 /* Is there data still to process from the last call, that's greater in
259 * size than a block? */
260 if( cmac_ctx->unprocessed_len > 0 &&
261 ilen > block_size - cmac_ctx->unprocessed_len )
263 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
265 block_size - cmac_ctx->unprocessed_len );
267 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
269 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
275 input += block_size - cmac_ctx->unprocessed_len;
276 ilen -= block_size - cmac_ctx->unprocessed_len;
277 cmac_ctx->unprocessed_len = 0;
280 /* n is the number of blocks including any final partial block */
281 n = ( ilen + block_size - 1 ) / block_size;
283 /* Iterate across the input data in block sized chunks, excluding any
284 * final partial or complete block */
285 for( j = 1; j < n; j++ )
287 cmac_xor_block( state, input, state, block_size );
289 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
297 /* If there is data left over that wasn't aligned to a block */
300 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
303 cmac_ctx->unprocessed_len += ilen;
310 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
311 unsigned char *output )
313 mbedtls_cmac_context_t* cmac_ctx;
314 unsigned char *state, *last_block;
315 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
316 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
317 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
319 size_t olen, block_size;
321 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
323 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
325 cmac_ctx = ctx->cmac_ctx;
326 block_size = ctx->cipher_info->block_size;
327 state = cmac_ctx->state;
329 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
330 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
331 cmac_generate_subkeys( ctx, K1, K2 );
333 last_block = cmac_ctx->unprocessed_block;
335 /* Calculate last block */
336 if( cmac_ctx->unprocessed_len < block_size )
338 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
339 cmac_xor_block( M_last, M_last, K2, block_size );
343 /* Last block is complete block */
344 cmac_xor_block( M_last, last_block, K1, block_size );
348 cmac_xor_block( state, M_last, state, block_size );
349 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
355 memcpy( output, state, block_size );
358 /* Wipe the generated keys on the stack, and any other transients to avoid
359 * side channel leakage */
360 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
361 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
363 cmac_ctx->unprocessed_len = 0;
364 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
365 sizeof( cmac_ctx->unprocessed_block ) );
367 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
371 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
373 mbedtls_cmac_context_t* cmac_ctx;
375 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
376 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
378 cmac_ctx = ctx->cmac_ctx;
380 /* Reset the internal state */
381 cmac_ctx->unprocessed_len = 0;
382 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
383 sizeof( cmac_ctx->unprocessed_block ) );
384 mbedtls_platform_zeroize( cmac_ctx->state,
385 sizeof( cmac_ctx->state ) );
390 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
391 const unsigned char *key, size_t keylen,
392 const unsigned char *input, size_t ilen,
393 unsigned char *output )
395 mbedtls_cipher_context_t ctx;
398 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
399 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
401 mbedtls_cipher_init( &ctx );
403 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
406 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
410 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
414 ret = mbedtls_cipher_cmac_finish( &ctx, output );
417 mbedtls_cipher_free( &ctx );
422 #if defined(MBEDTLS_AES_C)
424 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
426 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
427 const unsigned char *input, size_t in_len,
428 unsigned char *output )
431 const mbedtls_cipher_info_t *cipher_info;
432 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
433 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
435 if( key == NULL || input == NULL || output == NULL )
436 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
438 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
439 if( cipher_info == NULL )
441 /* Failing at this point must be due to a build issue */
442 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
446 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
449 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
453 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
455 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
456 key_length, int_key );
461 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
465 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
469 #endif /* MBEDTLS_AES_C */
471 #endif /* !MBEDTLS_CMAC_ALT */
473 #if defined(MBEDTLS_SELF_TEST)
475 * CMAC test data for SP800-38B
476 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
477 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
479 * AES-CMAC-PRF-128 test data from RFC 4615
480 * https://tools.ietf.org/html/rfc4615#page-4
483 #define NB_CMAC_TESTS_PER_KEY 4
484 #define NB_PRF_TESTS 3
486 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
487 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
488 static const unsigned char test_message[] = {
490 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
491 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
492 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
493 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
494 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
495 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
496 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
497 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
499 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
501 #if defined(MBEDTLS_AES_C)
502 /* Truncation point of message for AES CMAC tests */
503 static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
511 /* CMAC-AES128 Test Data */
512 static const unsigned char aes_128_key[16] = {
513 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
514 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
516 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
519 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
520 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
524 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
525 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
528 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
531 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
532 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
536 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
537 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
541 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
542 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
546 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
547 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
551 /* CMAC-AES192 Test Data */
552 static const unsigned char aes_192_key[24] = {
553 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
554 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
555 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
557 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
560 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
561 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
565 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
566 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
569 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
572 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
573 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
577 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
578 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
582 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
583 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
587 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
588 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
592 /* CMAC-AES256 Test Data */
593 static const unsigned char aes_256_key[32] = {
594 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
595 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
596 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
597 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
599 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
602 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
603 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
607 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
608 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
611 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
614 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
615 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
619 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
620 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
624 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
625 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
629 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
630 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
633 #endif /* MBEDTLS_AES_C */
635 #if defined(MBEDTLS_DES_C)
636 /* Truncation point of message for 3DES CMAC tests */
637 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
644 /* CMAC-TDES (Generation) - 2 Key Test Data */
645 static const unsigned char des3_2key_key[24] = {
647 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
649 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
651 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
653 static const unsigned char des3_2key_subkeys[2][8] = {
656 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
660 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
663 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
666 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
670 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
674 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
678 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
682 /* CMAC-TDES (Generation) - 3 Key Test Data */
683 static const unsigned char des3_3key_key[24] = {
685 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
687 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
689 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
691 static const unsigned char des3_3key_subkeys[2][8] = {
694 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
698 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
701 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
704 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
708 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
712 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
716 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
720 #endif /* MBEDTLS_DES_C */
722 #if defined(MBEDTLS_AES_C)
723 /* AES AES-CMAC-PRF-128 Test Data */
724 static const unsigned char PRFK[] = {
726 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
727 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
732 static const size_t PRFKlen[NB_PRF_TESTS] = {
739 static const unsigned char PRFM[] = {
740 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
741 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
742 0x10, 0x11, 0x12, 0x13
745 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
747 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
748 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
751 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
752 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
755 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
756 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
759 #endif /* MBEDTLS_AES_C */
761 static int cmac_test_subkeys( int verbose,
762 const char* testname,
763 const unsigned char* key,
765 const unsigned char* subkeys,
766 mbedtls_cipher_type_t cipher_type,
771 mbedtls_cipher_context_t ctx;
772 const mbedtls_cipher_info_t *cipher_info;
773 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
774 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
776 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
777 if( cipher_info == NULL )
779 /* Failing at this point must be due to a build issue */
780 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
783 for( i = 0; i < num_tests; i++ )
786 mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
788 mbedtls_cipher_init( &ctx );
790 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
793 mbedtls_printf( "test execution failed\n" );
798 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
799 MBEDTLS_ENCRYPT ) ) != 0 )
802 mbedtls_printf( "test execution failed\n" );
807 ret = cmac_generate_subkeys( &ctx, K1, K2 );
811 mbedtls_printf( "failed\n" );
816 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
817 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
820 mbedtls_printf( "failed\n" );
826 mbedtls_printf( "passed\n" );
828 mbedtls_cipher_free( &ctx );
835 mbedtls_cipher_free( &ctx );
841 static int cmac_test_wth_cipher( int verbose,
842 const char* testname,
843 const unsigned char* key,
845 const unsigned char* messages,
846 const unsigned int message_lengths[4],
847 const unsigned char* expected_result,
848 mbedtls_cipher_type_t cipher_type,
852 const mbedtls_cipher_info_t *cipher_info;
854 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
856 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
857 if( cipher_info == NULL )
859 /* Failing at this point must be due to a build issue */
860 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
864 for( i = 0; i < num_tests; i++ )
867 mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
869 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
870 message_lengths[i], output ) ) != 0 )
873 mbedtls_printf( "failed\n" );
877 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
880 mbedtls_printf( "failed\n" );
885 mbedtls_printf( "passed\n" );
893 #if defined(MBEDTLS_AES_C)
894 static int test_aes128_cmac_prf( int verbose )
898 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
900 for( i = 0; i < NB_PRF_TESTS; i++ )
902 mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
903 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
905 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
909 mbedtls_printf( "failed\n" );
913 else if( verbose != 0 )
915 mbedtls_printf( "passed\n" );
920 #endif /* MBEDTLS_AES_C */
922 int mbedtls_cmac_self_test( int verbose )
926 #if defined(MBEDTLS_AES_C)
928 if( ( ret = cmac_test_subkeys( verbose,
932 (const unsigned char*)aes_128_subkeys,
933 MBEDTLS_CIPHER_AES_128_ECB,
934 MBEDTLS_AES_BLOCK_SIZE,
935 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
940 if( ( ret = cmac_test_wth_cipher( verbose,
946 (const unsigned char*)aes_128_expected_result,
947 MBEDTLS_CIPHER_AES_128_ECB,
948 MBEDTLS_AES_BLOCK_SIZE,
949 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
955 if( ( ret = cmac_test_subkeys( verbose,
959 (const unsigned char*)aes_192_subkeys,
960 MBEDTLS_CIPHER_AES_192_ECB,
961 MBEDTLS_AES_BLOCK_SIZE,
962 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
967 if( ( ret = cmac_test_wth_cipher( verbose,
973 (const unsigned char*)aes_192_expected_result,
974 MBEDTLS_CIPHER_AES_192_ECB,
975 MBEDTLS_AES_BLOCK_SIZE,
976 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
982 if( ( ret = cmac_test_subkeys( verbose,
986 (const unsigned char*)aes_256_subkeys,
987 MBEDTLS_CIPHER_AES_256_ECB,
988 MBEDTLS_AES_BLOCK_SIZE,
989 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
994 if( ( ret = cmac_test_wth_cipher ( verbose,
1000 (const unsigned char*)aes_256_expected_result,
1001 MBEDTLS_CIPHER_AES_256_ECB,
1002 MBEDTLS_AES_BLOCK_SIZE,
1003 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1007 #endif /* MBEDTLS_AES_C */
1009 #if defined(MBEDTLS_DES_C)
1011 if( ( ret = cmac_test_subkeys( verbose,
1015 (const unsigned char*)des3_2key_subkeys,
1016 MBEDTLS_CIPHER_DES_EDE3_ECB,
1017 MBEDTLS_DES3_BLOCK_SIZE,
1018 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1023 if( ( ret = cmac_test_wth_cipher( verbose,
1028 des3_message_lengths,
1029 (const unsigned char*)des3_2key_expected_result,
1030 MBEDTLS_CIPHER_DES_EDE3_ECB,
1031 MBEDTLS_DES3_BLOCK_SIZE,
1032 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1038 if( ( ret = cmac_test_subkeys( verbose,
1042 (const unsigned char*)des3_3key_subkeys,
1043 MBEDTLS_CIPHER_DES_EDE3_ECB,
1044 MBEDTLS_DES3_BLOCK_SIZE,
1045 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1050 if( ( ret = cmac_test_wth_cipher( verbose,
1055 des3_message_lengths,
1056 (const unsigned char*)des3_3key_expected_result,
1057 MBEDTLS_CIPHER_DES_EDE3_ECB,
1058 MBEDTLS_DES3_BLOCK_SIZE,
1059 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1063 #endif /* MBEDTLS_DES_C */
1065 #if defined(MBEDTLS_AES_C)
1066 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1068 #endif /* MBEDTLS_AES_C */
1071 mbedtls_printf( "\n" );
1076 #endif /* MBEDTLS_SELF_TEST */
1078 #endif /* MBEDTLS_CMAC_C */