Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

cmac.c@ 398

Last change on this file since 398 was 398, checked in by coas-nagasima, 5 years ago
mbedTLS版Azure IoT Hub接続サンプルのソースコードを追加
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc;charset=UTF-8`
File size: 32.3 KB

Line
1	/**
2	* \file cmac.c
3	*
4	* \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
5	*
6	* Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7	* SPDX-License-Identifier: Apache-2.0
8	*
9	* Licensed under the Apache License, Version 2.0 (the "License"); you may
10	* not use this file except in compliance with the License.
11	* You may obtain a copy of the License at
12	*
13	* http://www.apache.org/licenses/LICENSE-2.0
14	*
15	* Unless required by applicable law or agreed to in writing, software
16	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18	* See the License for the specific language governing permissions and
19	* limitations under the License.
20	*
21	* This file is part of mbed TLS (https://tls.mbed.org)
22	*/
23
24	/*
25	* References:
26	*
27	* - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28	* CMAC Mode for Authentication
29	* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
30	*
31	* - RFC 4493 - The AES-CMAC Algorithm
32	* https://tools.ietf.org/html/rfc4493
33	*
34	* - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35	* Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36	* Algorithm for the Internet Key Exchange Protocol (IKE)
37	* https://tools.ietf.org/html/rfc4615
38	*
39	* Additional test vectors: ISO/IEC 9797-1
40	*
41	*/
42
43	#if !defined(MBEDTLS_CONFIG_FILE)
44	#include "mbedtls/config.h"
45	#else
46	#include MBEDTLS_CONFIG_FILE
47	#endif
48
49	#if defined(MBEDTLS_CMAC_C)
50
51	#include "mbedtls/cmac.h"
52	#include "mbedtls/platform_util.h"
53
54	#include <string.h>
55
56
57	#if defined(MBEDTLS_PLATFORM_C)
58	#include "mbedtls/platform.h"
59	#else
60	#include <stdlib.h>
61	#define mbedtls_calloc calloc
62	#define mbedtls_free free
63	#if defined(MBEDTLS_SELF_TEST)
64	#include <stdio.h>
65	#define mbedtls_printf printf
66	#endif /* MBEDTLS_SELF_TEST */
67	#endif /* MBEDTLS_PLATFORM_C */
68
69	#if !defined(MBEDTLS_CMAC_ALT) \|\| defined(MBEDTLS_SELF_TEST)
70
71	/*
72	* Multiplication by u in the Galois field of GF(2^n)
73	*
74	* As explained in NIST SP 800-38B, this can be computed:
75	*
76	* If MSB(p) = 0, then p = (p << 1)
77	* If MSB(p) = 1, then p = (p << 1) ^ R_n
78	* with R_64 = 0x1B and R_128 = 0x87
79	*
80	* Input and output MUST NOT point to the same buffer
81	* Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
82	*/
83	static int cmac_multiply_by_u( unsigned char *output,
84	const unsigned char *input,
85	size_t blocksize )
86	{
87	const unsigned char R_128 = 0x87;
88	const unsigned char R_64 = 0x1B;
89	unsigned char R_n, mask;
90	unsigned char overflow = 0x00;
91	int i;
92
93	if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
94	{
95	R_n = R_128;
96	}
97	else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
98	{
99	R_n = R_64;
100	}
101	else
102	{
103	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
104	}
105
106	for( i = (int)blocksize - 1; i >= 0; i-- )
107	{
108	output[i] = input[i] << 1 \| overflow;
109	overflow = input[i] >> 7;
110	}
111
112	/* mask = ( input[0] >> 7 ) ? 0xff : 0x00
113	* using bit operations to avoid branches */
114
115	/* MSVC has a warning about unary minus on unsigned, but this is
116	* well-defined and precisely what we want to do here */
117	#if defined(_MSC_VER)
118	#pragma warning( push )
119	#pragma warning( disable : 4146 )
120	#endif
121	mask = - ( input[0] >> 7 );
122	#if defined(_MSC_VER)
123	#pragma warning( pop )
124	#endif
125
126	output[ blocksize - 1 ] ^= R_n & mask;
127
128	return( 0 );
129	}
130
131	/*
132	* Generate subkeys
133	*
134	* - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
135	*/
136	static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
137	unsigned char* K1, unsigned char* K2 )
138	{
139	int ret;
140	unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
141	size_t olen, block_size;
142
143	mbedtls_platform_zeroize( L, sizeof( L ) );
144
145	block_size = ctx->cipher_info->block_size;
146
147	/* Calculate Ek(0) */
148	if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
149	goto exit;
150
151	/*
152	* Generate K1 and K2
153	*/
154	if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
155	goto exit;
156
157	if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
158	goto exit;
159
160	exit:
161	mbedtls_platform_zeroize( L, sizeof( L ) );
162
163	return( ret );
164	}
165	#endif /* !defined(MBEDTLS_CMAC_ALT) \|\| defined(MBEDTLS_SELF_TEST) */
166
167	#if !defined(MBEDTLS_CMAC_ALT)
168	static void cmac_xor_block( unsigned char output, const unsigned char input1,
169	const unsigned char *input2,
170	const size_t block_size )
171	{
172	size_t idx;
173
174	for( idx = 0; idx < block_size; idx++ )
175	output[ idx ] = input1[ idx ] ^ input2[ idx ];
176	}
177
178	/*
179	* Create padded last block from (partial) last block.
180	*
181	* We can't use the padding option from the cipher layer, as it only works for
182	* CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
183	*/
184	static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
185	size_t padded_block_len,
186	const unsigned char *last_block,
187	size_t last_block_len )
188	{
189	size_t j;
190
191	for( j = 0; j < padded_block_len; j++ )
192	{
193	if( j < last_block_len )
194	padded_block[j] = last_block[j];
195	else if( j == last_block_len )
196	padded_block[j] = 0x80;
197	else
198	padded_block[j] = 0x00;
199	}
200	}
201
202	int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
203	const unsigned char *key, size_t keybits )
204	{
205	mbedtls_cipher_type_t type;
206	mbedtls_cmac_context_t *cmac_ctx;
207	int retval;
208
209	if( ctx == NULL \|\| ctx->cipher_info == NULL \|\| key == NULL )
210	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
211
212	if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
213	MBEDTLS_ENCRYPT ) ) != 0 )
214	return( retval );
215
216	type = ctx->cipher_info->type;
217
218	switch( type )
219	{
220	case MBEDTLS_CIPHER_AES_128_ECB:
221	case MBEDTLS_CIPHER_AES_192_ECB:
222	case MBEDTLS_CIPHER_AES_256_ECB:
223	case MBEDTLS_CIPHER_DES_EDE3_ECB:
224	break;
225	default:
226	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
227	}
228
229	/* Allocated and initialise in the cipher context memory for the CMAC
230	* context */
231	cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
232	if( cmac_ctx == NULL )
233	return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
234
235	ctx->cmac_ctx = cmac_ctx;
236
237	mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
238
239	return 0;
240	}
241
242	int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
243	const unsigned char *input, size_t ilen )
244	{
245	mbedtls_cmac_context_t* cmac_ctx;
246	unsigned char *state;
247	int ret = 0;
248	size_t n, j, olen, block_size;
249
250	if( ctx == NULL \|\| ctx->cipher_info == NULL \|\| input == NULL \|\|
251	ctx->cmac_ctx == NULL )
252	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
253
254	cmac_ctx = ctx->cmac_ctx;
255	block_size = ctx->cipher_info->block_size;
256	state = ctx->cmac_ctx->state;
257
258	/* Is there data still to process from the last call, that's greater in
259	* size than a block? */
260	if( cmac_ctx->unprocessed_len > 0 &&
261	ilen > block_size - cmac_ctx->unprocessed_len )
262	{
263	memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
264	input,
265	block_size - cmac_ctx->unprocessed_len );
266
267	cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
268
269	if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
270	&olen ) ) != 0 )
271	{
272	goto exit;
273	}
274
275	input += block_size - cmac_ctx->unprocessed_len;
276	ilen -= block_size - cmac_ctx->unprocessed_len;
277	cmac_ctx->unprocessed_len = 0;
278	}
279
280	/* n is the number of blocks including any final partial block */
281	n = ( ilen + block_size - 1 ) / block_size;
282
283	/* Iterate across the input data in block sized chunks, excluding any
284	* final partial or complete block */
285	for( j = 1; j < n; j++ )
286	{
287	cmac_xor_block( state, input, state, block_size );
288
289	if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
290	&olen ) ) != 0 )
291	goto exit;
292
293	ilen -= block_size;
294	input += block_size;
295	}
296
297	/* If there is data left over that wasn't aligned to a block */
298	if( ilen > 0 )
299	{
300	memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
301	input,
302	ilen );
303	cmac_ctx->unprocessed_len += ilen;
304	}
305
306	exit:
307	return( ret );
308	}
309
310	int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
311	unsigned char *output )
312	{
313	mbedtls_cmac_context_t* cmac_ctx;
314	unsigned char state, last_block;
315	unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
316	unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
317	unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
318	int ret;
319	size_t olen, block_size;
320
321	if( ctx == NULL \|\| ctx->cipher_info == NULL \|\| ctx->cmac_ctx == NULL \|\|
322	output == NULL )
323	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
324
325	cmac_ctx = ctx->cmac_ctx;
326	block_size = ctx->cipher_info->block_size;
327	state = cmac_ctx->state;
328
329	mbedtls_platform_zeroize( K1, sizeof( K1 ) );
330	mbedtls_platform_zeroize( K2, sizeof( K2 ) );
331	cmac_generate_subkeys( ctx, K1, K2 );
332
333	last_block = cmac_ctx->unprocessed_block;
334
335	/* Calculate last block */
336	if( cmac_ctx->unprocessed_len < block_size )
337	{
338	cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
339	cmac_xor_block( M_last, M_last, K2, block_size );
340	}
341	else
342	{
343	/* Last block is complete block */
344	cmac_xor_block( M_last, last_block, K1, block_size );
345	}
346
347
348	cmac_xor_block( state, M_last, state, block_size );
349	if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
350	&olen ) ) != 0 )
351	{
352	goto exit;
353	}
354
355	memcpy( output, state, block_size );
356
357	exit:
358	/* Wipe the generated keys on the stack, and any other transients to avoid
359	* side channel leakage */
360	mbedtls_platform_zeroize( K1, sizeof( K1 ) );
361	mbedtls_platform_zeroize( K2, sizeof( K2 ) );
362
363	cmac_ctx->unprocessed_len = 0;
364	mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
365	sizeof( cmac_ctx->unprocessed_block ) );
366
367	mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
368	return( ret );
369	}
370
371	int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
372	{
373	mbedtls_cmac_context_t* cmac_ctx;
374
375	if( ctx == NULL \|\| ctx->cipher_info == NULL \|\| ctx->cmac_ctx == NULL )
376	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
377
378	cmac_ctx = ctx->cmac_ctx;
379
380	/* Reset the internal state */
381	cmac_ctx->unprocessed_len = 0;
382	mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
383	sizeof( cmac_ctx->unprocessed_block ) );
384	mbedtls_platform_zeroize( cmac_ctx->state,
385	sizeof( cmac_ctx->state ) );
386
387	return( 0 );
388	}
389
390	int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
391	const unsigned char *key, size_t keylen,
392	const unsigned char *input, size_t ilen,
393	unsigned char *output )
394	{
395	mbedtls_cipher_context_t ctx;
396	int ret;
397
398	if( cipher_info == NULL \|\| key == NULL \|\| input == NULL \|\| output == NULL )
399	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
400
401	mbedtls_cipher_init( &ctx );
402
403	if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
404	goto exit;
405
406	ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
407	if( ret != 0 )
408	goto exit;
409
410	ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
411	if( ret != 0 )
412	goto exit;
413
414	ret = mbedtls_cipher_cmac_finish( &ctx, output );
415
416	exit:
417	mbedtls_cipher_free( &ctx );
418
419	return( ret );
420	}
421
422	#if defined(MBEDTLS_AES_C)
423	/*
424	* Implementation of AES-CMAC-PRF-128 defined in RFC 4615
425	*/
426	int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
427	const unsigned char *input, size_t in_len,
428	unsigned char *output )
429	{
430	int ret;
431	const mbedtls_cipher_info_t *cipher_info;
432	unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
433	unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
434
435	if( key == NULL \|\| input == NULL \|\| output == NULL )
436	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
437
438	cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
439	if( cipher_info == NULL )
440	{
441	/* Failing at this point must be due to a build issue */
442	ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
443	goto exit;
444	}
445
446	if( key_length == MBEDTLS_AES_BLOCK_SIZE )
447	{
448	/* Use key as is */
449	memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
450	}
451	else
452	{
453	memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
454
455	ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
456	key_length, int_key );
457	if( ret != 0 )
458	goto exit;
459	}
460
461	ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
462	output );
463
464	exit:
465	mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
466
467	return( ret );
468	}
469	#endif /* MBEDTLS_AES_C */
470
471	#endif /* !MBEDTLS_CMAC_ALT */
472
473	#if defined(MBEDTLS_SELF_TEST)
474	/*
475	* CMAC test data for SP800-38B
476	* http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
477	* http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
478	*
479	* AES-CMAC-PRF-128 test data from RFC 4615
480	* https://tools.ietf.org/html/rfc4615#page-4
481	*/
482
483	#define NB_CMAC_TESTS_PER_KEY 4
484	#define NB_PRF_TESTS 3
485
486	#if defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_DES_C)
487	/* All CMAC test inputs are truncated from the same 64 byte buffer. */
488	static const unsigned char test_message[] = {
489	/* PT */
490	0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
491	0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
492	0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
493	0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
494	0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
495	0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
496	0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
497	0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
498	};
499	#endif /* MBEDTLS_AES_C \|\| MBEDTLS_DES_C */
500
501	#if defined(MBEDTLS_AES_C)
502	/* Truncation point of message for AES CMAC tests */
503	static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
504	/* Mlen */
505	0,
506	16,
507	20,
508	64
509	};
510
511	/* CMAC-AES128 Test Data */
512	static const unsigned char aes_128_key[16] = {
513	0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
514	0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
515	};
516	static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
517	{
518	/* K1 */
519	0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
520	0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
521	},
522	{
523	/* K2 */
524	0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
525	0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
526	}
527	};
528	static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
529	{
530	/* Example #1 */
531	0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
532	0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
533	},
534	{
535	/* Example #2 */
536	0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
537	0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
538	},
539	{
540	/* Example #3 */
541	0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
542	0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
543	},
544	{
545	/* Example #4 */
546	0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
547	0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
548	}
549	};
550
551	/* CMAC-AES192 Test Data */
552	static const unsigned char aes_192_key[24] = {
553	0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
554	0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
555	0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
556	};
557	static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
558	{
559	/* K1 */
560	0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
561	0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
562	},
563	{
564	/* K2 */
565	0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
566	0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
567	}
568	};
569	static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
570	{
571	/* Example #1 */
572	0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
573	0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
574	},
575	{
576	/* Example #2 */
577	0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
578	0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
579	},
580	{
581	/* Example #3 */
582	0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
583	0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
584	},
585	{
586	/* Example #4 */
587	0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
588	0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
589	}
590	};
591
592	/* CMAC-AES256 Test Data */
593	static const unsigned char aes_256_key[32] = {
594	0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
595	0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
596	0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
597	0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
598	};
599	static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
600	{
601	/* K1 */
602	0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
603	0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
604	},
605	{
606	/* K2 */
607	0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
608	0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
609	}
610	};
611	static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
612	{
613	/* Example #1 */
614	0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
615	0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
616	},
617	{
618	/* Example #2 */
619	0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
620	0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
621	},
622	{
623	/* Example #3 */
624	0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
625	0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
626	},
627	{
628	/* Example #4 */
629	0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
630	0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
631	}
632	};
633	#endif /* MBEDTLS_AES_C */
634
635	#if defined(MBEDTLS_DES_C)
636	/* Truncation point of message for 3DES CMAC tests */
637	static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
638	0,
639	16,
640	20,
641	32
642	};
643
644	/* CMAC-TDES (Generation) - 2 Key Test Data */
645	static const unsigned char des3_2key_key[24] = {
646	/* Key1 */
647	0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
648	/* Key2 */
649	0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
650	/* Key3 */
651	0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
652	};
653	static const unsigned char des3_2key_subkeys[2][8] = {
654	{
655	/* K1 */
656	0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
657	},
658	{
659	/* K2 */
660	0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
661	}
662	};
663	static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
664	{
665	/* Sample #1 */
666	0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
667	},
668	{
669	/* Sample #2 */
670	0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
671	},
672	{
673	/* Sample #3 */
674	0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
675	},
676	{
677	/* Sample #4 */
678	0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
679	}
680	};
681
682	/* CMAC-TDES (Generation) - 3 Key Test Data */
683	static const unsigned char des3_3key_key[24] = {
684	/* Key1 */
685	0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
686	/* Key2 */
687	0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
688	/* Key3 */
689	0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
690	};
691	static const unsigned char des3_3key_subkeys[2][8] = {
692	{
693	/* K1 */
694	0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
695	},
696	{
697	/* K2 */
698	0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
699	}
700	};
701	static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
702	{
703	/* Sample #1 */
704	0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
705	},
706	{
707	/* Sample #2 */
708	0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
709	},
710	{
711	/* Sample #3 */
712	0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
713	},
714	{
715	/* Sample #4 */
716	0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
717	}
718	};
719
720	#endif /* MBEDTLS_DES_C */
721
722	#if defined(MBEDTLS_AES_C)
723	/* AES AES-CMAC-PRF-128 Test Data */
724	static const unsigned char PRFK[] = {
725	/* Key */
726	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
727	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
728	0xed, 0xcb
729	};
730
731	/* Sizes in bytes */
732	static const size_t PRFKlen[NB_PRF_TESTS] = {
733	18,
734	16,
735	10
736	};
737
738	/* Message */
739	static const unsigned char PRFM[] = {
740	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
741	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
742	0x10, 0x11, 0x12, 0x13
743	};
744
745	static const unsigned char PRFT[NB_PRF_TESTS][16] = {
746	{
747	0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
748	0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
749	},
750	{
751	0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
752	0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
753	},
754	{
755	0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
756	0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
757	}
758	};
759	#endif /* MBEDTLS_AES_C */
760
761	static int cmac_test_subkeys( int verbose,
762	const char* testname,
763	const unsigned char* key,
764	int keybits,
765	const unsigned char* subkeys,
766	mbedtls_cipher_type_t cipher_type,
767	int block_size,
768	int num_tests )
769	{
770	int i, ret = 0;
771	mbedtls_cipher_context_t ctx;
772	const mbedtls_cipher_info_t *cipher_info;
773	unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
774	unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
775
776	cipher_info = mbedtls_cipher_info_from_type( cipher_type );
777	if( cipher_info == NULL )
778	{
779	/* Failing at this point must be due to a build issue */
780	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
781	}
782
783	for( i = 0; i < num_tests; i++ )
784	{
785	if( verbose != 0 )
786	mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
787
788	mbedtls_cipher_init( &ctx );
789
790	if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
791	{
792	if( verbose != 0 )
793	mbedtls_printf( "test execution failed\n" );
794
795	goto cleanup;
796	}
797
798	if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
799	MBEDTLS_ENCRYPT ) ) != 0 )
800	{
801	if( verbose != 0 )
802	mbedtls_printf( "test execution failed\n" );
803
804	goto cleanup;
805	}
806
807	ret = cmac_generate_subkeys( &ctx, K1, K2 );
808	if( ret != 0 )
809	{
810	if( verbose != 0 )
811	mbedtls_printf( "failed\n" );
812
813	goto cleanup;
814	}
815
816	if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 \|\|
817	( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
818	{
819	if( verbose != 0 )
820	mbedtls_printf( "failed\n" );
821
822	goto cleanup;
823	}
824
825	if( verbose != 0 )
826	mbedtls_printf( "passed\n" );
827
828	mbedtls_cipher_free( &ctx );
829	}
830
831	ret = 0;
832	goto exit;
833
834	cleanup:
835	mbedtls_cipher_free( &ctx );
836
837	exit:
838	return( ret );
839	}
840
841	static int cmac_test_wth_cipher( int verbose,
842	const char* testname,
843	const unsigned char* key,
844	int keybits,
845	const unsigned char* messages,
846	const unsigned int message_lengths[4],
847	const unsigned char* expected_result,
848	mbedtls_cipher_type_t cipher_type,
849	int block_size,
850	int num_tests )
851	{
852	const mbedtls_cipher_info_t *cipher_info;
853	int i, ret = 0;
854	unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
855
856	cipher_info = mbedtls_cipher_info_from_type( cipher_type );
857	if( cipher_info == NULL )
858	{
859	/* Failing at this point must be due to a build issue */
860	ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
861	goto exit;
862	}
863
864	for( i = 0; i < num_tests; i++ )
865	{
866	if( verbose != 0 )
867	mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
868
869	if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
870	message_lengths[i], output ) ) != 0 )
871	{
872	if( verbose != 0 )
873	mbedtls_printf( "failed\n" );
874	goto exit;
875	}
876
877	if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
878	{
879	if( verbose != 0 )
880	mbedtls_printf( "failed\n" );
881	goto exit;
882	}
883
884	if( verbose != 0 )
885	mbedtls_printf( "passed\n" );
886	}
887	ret = 0;
888
889	exit:
890	return( ret );
891	}
892
893	#if defined(MBEDTLS_AES_C)
894	static int test_aes128_cmac_prf( int verbose )
895	{
896	int i;
897	int ret;
898	unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
899
900	for( i = 0; i < NB_PRF_TESTS; i++ )
901	{
902	mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
903	ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
904	if( ret != 0 \|\|
905	memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
906	{
907
908	if( verbose != 0 )
909	mbedtls_printf( "failed\n" );
910
911	return( ret );
912	}
913	else if( verbose != 0 )
914	{
915	mbedtls_printf( "passed\n" );
916	}
917	}
918	return( ret );
919	}
920	#endif /* MBEDTLS_AES_C */
921
922	int mbedtls_cmac_self_test( int verbose )
923	{
924	int ret;
925
926	#if defined(MBEDTLS_AES_C)
927	/* AES-128 */
928	if( ( ret = cmac_test_subkeys( verbose,
929	"AES 128",
930	aes_128_key,
931	128,
932	(const unsigned char*)aes_128_subkeys,
933	MBEDTLS_CIPHER_AES_128_ECB,
934	MBEDTLS_AES_BLOCK_SIZE,
935	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
936	{
937	return( ret );
938	}
939
940	if( ( ret = cmac_test_wth_cipher( verbose,
941	"AES 128",
942	aes_128_key,
943	128,
944	test_message,
945	aes_message_lengths,
946	(const unsigned char*)aes_128_expected_result,
947	MBEDTLS_CIPHER_AES_128_ECB,
948	MBEDTLS_AES_BLOCK_SIZE,
949	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
950	{
951	return( ret );
952	}
953
954	/* AES-192 */
955	if( ( ret = cmac_test_subkeys( verbose,
956	"AES 192",
957	aes_192_key,
958	192,
959	(const unsigned char*)aes_192_subkeys,
960	MBEDTLS_CIPHER_AES_192_ECB,
961	MBEDTLS_AES_BLOCK_SIZE,
962	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
963	{
964	return( ret );
965	}
966
967	if( ( ret = cmac_test_wth_cipher( verbose,
968	"AES 192",
969	aes_192_key,
970	192,
971	test_message,
972	aes_message_lengths,
973	(const unsigned char*)aes_192_expected_result,
974	MBEDTLS_CIPHER_AES_192_ECB,
975	MBEDTLS_AES_BLOCK_SIZE,
976	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
977	{
978	return( ret );
979	}
980
981	/* AES-256 */
982	if( ( ret = cmac_test_subkeys( verbose,
983	"AES 256",
984	aes_256_key,
985	256,
986	(const unsigned char*)aes_256_subkeys,
987	MBEDTLS_CIPHER_AES_256_ECB,
988	MBEDTLS_AES_BLOCK_SIZE,
989	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
990	{
991	return( ret );
992	}
993
994	if( ( ret = cmac_test_wth_cipher ( verbose,
995	"AES 256",
996	aes_256_key,
997	256,
998	test_message,
999	aes_message_lengths,
1000	(const unsigned char*)aes_256_expected_result,
1001	MBEDTLS_CIPHER_AES_256_ECB,
1002	MBEDTLS_AES_BLOCK_SIZE,
1003	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1004	{
1005	return( ret );
1006	}
1007	#endif /* MBEDTLS_AES_C */
1008
1009	#if defined(MBEDTLS_DES_C)
1010	/* 3DES 2 key */
1011	if( ( ret = cmac_test_subkeys( verbose,
1012	"3DES 2 key",
1013	des3_2key_key,
1014	192,
1015	(const unsigned char*)des3_2key_subkeys,
1016	MBEDTLS_CIPHER_DES_EDE3_ECB,
1017	MBEDTLS_DES3_BLOCK_SIZE,
1018	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1019	{
1020	return( ret );
1021	}
1022
1023	if( ( ret = cmac_test_wth_cipher( verbose,
1024	"3DES 2 key",
1025	des3_2key_key,
1026	192,
1027	test_message,
1028	des3_message_lengths,
1029	(const unsigned char*)des3_2key_expected_result,
1030	MBEDTLS_CIPHER_DES_EDE3_ECB,
1031	MBEDTLS_DES3_BLOCK_SIZE,
1032	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1033	{
1034	return( ret );
1035	}
1036
1037	/* 3DES 3 key */
1038	if( ( ret = cmac_test_subkeys( verbose,
1039	"3DES 3 key",
1040	des3_3key_key,
1041	192,
1042	(const unsigned char*)des3_3key_subkeys,
1043	MBEDTLS_CIPHER_DES_EDE3_ECB,
1044	MBEDTLS_DES3_BLOCK_SIZE,
1045	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1046	{
1047	return( ret );
1048	}
1049
1050	if( ( ret = cmac_test_wth_cipher( verbose,
1051	"3DES 3 key",
1052	des3_3key_key,
1053	192,
1054	test_message,
1055	des3_message_lengths,
1056	(const unsigned char*)des3_3key_expected_result,
1057	MBEDTLS_CIPHER_DES_EDE3_ECB,
1058	MBEDTLS_DES3_BLOCK_SIZE,
1059	NB_CMAC_TESTS_PER_KEY ) ) != 0 )
1060	{
1061	return( ret );
1062	}
1063	#endif /* MBEDTLS_DES_C */
1064
1065	#if defined(MBEDTLS_AES_C)
1066	if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
1067	return( ret );
1068	#endif /* MBEDTLS_AES_C */
1069
1070	if( verbose != 0 )
1071	mbedtls_printf( "\n" );
1072
1073	return( 0 );
1074	}
1075
1076	#endif /* MBEDTLS_SELF_TEST */
1077
1078	#endif /* MBEDTLS_CMAC_C */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: azure_iot_hub_mbedtls/trunk/mbedtls-2.16.1/library/cmac.c@ 398

Download in other formats: