/** * \file cmac.c * * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ /* * References: * * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The * CMAC Mode for Authentication * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf * * - RFC 4493 - The AES-CMAC Algorithm * https://tools.ietf.org/html/rfc4493 * * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) * Algorithm for the Internet Key Exchange Protocol (IKE) * https://tools.ietf.org/html/rfc4615 * * Additional test vectors: ISO/IEC 9797-1 * */ #include "common.h" #if defined(MBEDTLS_CMAC_C) #include "mbedtls/cmac.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" #include "constant_time_internal.h" #include <string.h> #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) /* * Multiplication by u in the Galois field of GF(2^n) * * As explained in NIST SP 800-38B, this can be computed: * * If MSB(p) = 0, then p = (p << 1) * If MSB(p) = 1, then p = (p << 1) ^ R_n * with R_64 = 0x1B and R_128 = 0x87 * * Input and output MUST NOT point to the same buffer * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES. */ static int cmac_multiply_by_u(unsigned char *output, const unsigned char *input, size_t blocksize) { … } /* * Generate subkeys * * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm */ static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx, unsigned char *K1, unsigned char *K2) { … } #endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ #if !defined(MBEDTLS_CMAC_ALT) /* * Create padded last block from (partial) last block. * * We can't use the padding option from the cipher layer, as it only works for * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. */ static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE], size_t padded_block_len, const unsigned char *last_block, size_t last_block_len) { … } int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx, const unsigned char *key, size_t keybits) { … } int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen) { … } int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx, unsigned char *output) { … } int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx) { … } int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info, const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char *output) { … } #if defined(MBEDTLS_AES_C) /* * Implementation of AES-CMAC-PRF-128 defined in RFC 4615 */ int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length, const unsigned char *input, size_t in_len, unsigned char output[16]) { … } #endif /* MBEDTLS_AES_C */ #endif /* !MBEDTLS_CMAC_ALT */ #if defined(MBEDTLS_SELF_TEST) /* * CMAC test data for SP800-38B * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf * * AES-CMAC-PRF-128 test data from RFC 4615 * https://tools.ietf.org/html/rfc4615#page-4 */ #define NB_CMAC_TESTS_PER_KEY … #define NB_PRF_TESTS … #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) /* All CMAC test inputs are truncated from the same 64 byte buffer. */ static const unsigned char test_message[] = …; #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */ #if defined(MBEDTLS_AES_C) /* Truncation point of message for AES CMAC tests */ static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = …; /* CMAC-AES128 Test Data */ static const unsigned char aes_128_key[16] = …; static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = …; static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = …; /* CMAC-AES192 Test Data */ #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) static const unsigned char aes_192_key[24] = …; static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = …; static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = …; #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ /* CMAC-AES256 Test Data */ #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) static const unsigned char aes_256_key[32] = …; static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = …; static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = …; #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_DES_C) /* Truncation point of message for 3DES CMAC tests */ static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = { 0, 16, 20, 32 }; /* CMAC-TDES (Generation) - 2 Key Test Data */ static const unsigned char des3_2key_key[24] = { /* Key1 */ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, /* Key2 */ 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01, /* Key3 */ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef }; static const unsigned char des3_2key_subkeys[2][8] = { { /* K1 */ 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9 }, { /* K2 */ 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2 } }; static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { { /* Sample #1 */ 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60 }, { /* Sample #2 */ 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b }, { /* Sample #3 */ 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69 }, { /* Sample #4 */ 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb } }; /* CMAC-TDES (Generation) - 3 Key Test Data */ static const unsigned char des3_3key_key[24] = { /* Key1 */ 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef, /* Key2 */ 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, /* Key3 */ 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23 }; static const unsigned char des3_3key_subkeys[2][8] = { { /* K1 */ 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0 }, { /* K2 */ 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b } }; static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = { { /* Sample #1 */ 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50 }, { /* Sample #2 */ 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09 }, { /* Sample #3 */ 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2 }, { /* Sample #4 */ 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5 } }; #endif /* MBEDTLS_DES_C */ #if defined(MBEDTLS_AES_C) /* AES AES-CMAC-PRF-128 Test Data */ static const unsigned char PRFK[] = …; /* Sizes in bytes */ static const size_t PRFKlen[NB_PRF_TESTS] = …; /* Message */ static const unsigned char PRFM[] = …; static const unsigned char PRFT[NB_PRF_TESTS][16] = …; #endif /* MBEDTLS_AES_C */ static int cmac_test_subkeys(int verbose, const char *testname, const unsigned char *key, int keybits, const unsigned char *subkeys, mbedtls_cipher_type_t cipher_type, int block_size, int num_tests) { … } static int cmac_test_wth_cipher(int verbose, const char *testname, const unsigned char *key, int keybits, const unsigned char *messages, const unsigned int message_lengths[4], const unsigned char *expected_result, mbedtls_cipher_type_t cipher_type, int block_size, int num_tests) { … } #if defined(MBEDTLS_AES_C) static int test_aes128_cmac_prf(int verbose) { … } #endif /* MBEDTLS_AES_C */ int mbedtls_cmac_self_test(int verbose) { … } #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_CMAC_C */
Codebase Browser
godot