blob: 2d23be5ffe26a7f01d8be3fc098252b08b3d2d6c [file] [log] [blame]
Andres Amaya Garciaaf610a02016-12-14 10:13:43 +00001/**
Brian Murray53e23b62016-09-13 14:00:15 -07002 * \file cmac.c
Simon Butcher327398a2016-10-05 14:09:11 +01003 *
Simon Butcher69283e52016-10-06 12:49:58 +01004 * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
Robert Cragie3d23b1d2015-12-15 07:38:11 +00005 *
Brian Murray53e23b62016-09-13 14:00:15 -07006 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
Robert Cragie3d23b1d2015-12-15 07:38:11 +00007 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24/*
Brian Murray53e23b62016-09-13 14:00:15 -070025 * References:
Simon Butcher327398a2016-10-05 14:09:11 +010026 *
27 * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
28 * CMAC Mode for Authentication
Janos Follathcd13bd22016-12-13 11:51:04 +000029 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
Simon Butcher327398a2016-10-05 14:09:11 +010030 *
31 * - RFC 4493 - The AES-CMAC Algorithm
32 * https://tools.ietf.org/html/rfc4493
33 *
34 * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
35 * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
36 * Algorithm for the Internet Key Exchange Protocol (IKE)
37 * https://tools.ietf.org/html/rfc4615
38 *
39 * Additional test vectors: ISO/IEC 9797-1
40 *
Robert Cragie3d23b1d2015-12-15 07:38:11 +000041 */
42
43#if !defined(MBEDTLS_CONFIG_FILE)
44#include "mbedtls/config.h"
45#else
46#include MBEDTLS_CONFIG_FILE
47#endif
48
49#if defined(MBEDTLS_CMAC_C)
50
51#include "mbedtls/cmac.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050052#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +000053#include "mbedtls/error.h"
Robert Cragie3d23b1d2015-12-15 07:38:11 +000054
55#include <string.h>
56
Brian Murray8b4111c2016-09-13 15:58:46 -070057
Robert Cragie3d23b1d2015-12-15 07:38:11 +000058#if defined(MBEDTLS_PLATFORM_C)
59#include "mbedtls/platform.h"
60#else
Brian Murray8b4111c2016-09-13 15:58:46 -070061#include <stdlib.h>
62#define mbedtls_calloc calloc
63#define mbedtls_free free
Simon Butcherd241f1c2016-10-06 10:39:49 +010064#if defined(MBEDTLS_SELF_TEST)
Robert Cragie3d23b1d2015-12-15 07:38:11 +000065#include <stdio.h>
Brian Murray8b4111c2016-09-13 15:58:46 -070066#define mbedtls_printf printf
Brian J Murray2adecba2016-11-06 04:45:15 -080067#endif /* MBEDTLS_SELF_TEST */
Robert Cragie3d23b1d2015-12-15 07:38:11 +000068#endif /* MBEDTLS_PLATFORM_C */
Brian Murray8b4111c2016-09-13 15:58:46 -070069
Ron Eldor621080d2017-12-21 10:57:43 +020070#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
Steven Cooreman63342772017-04-04 11:47:16 +020071
Robert Cragie3d23b1d2015-12-15 07:38:11 +000072/*
Brian Murrayb0c3c432016-05-18 14:29:51 -070073 * Multiplication by u in the Galois field of GF(2^n)
Manuel Pégourié-Gonnarda610b4c2016-01-13 11:28:16 +000074 *
Brian Murray72b69e32016-09-13 14:21:01 -070075 * As explained in NIST SP 800-38B, this can be computed:
Manuel Pégourié-Gonnarda610b4c2016-01-13 11:28:16 +000076 *
Simon Butcher327398a2016-10-05 14:09:11 +010077 * If MSB(p) = 0, then p = (p << 1)
78 * If MSB(p) = 1, then p = (p << 1) ^ R_n
79 * with R_64 = 0x1B and R_128 = 0x87
80 *
81 * Input and output MUST NOT point to the same buffer
Brian J Murray2adecba2016-11-06 04:45:15 -080082 * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
Robert Cragie3d23b1d2015-12-15 07:38:11 +000083 */
Brian Murrayb0c3c432016-05-18 14:29:51 -070084static int cmac_multiply_by_u( unsigned char *output,
85 const unsigned char *input,
Brian Murray53e23b62016-09-13 14:00:15 -070086 size_t blocksize )
Robert Cragie3d23b1d2015-12-15 07:38:11 +000087{
Brian Murrayb0c3c432016-05-18 14:29:51 -070088 const unsigned char R_128 = 0x87;
89 const unsigned char R_64 = 0x1B;
90 unsigned char R_n, mask;
91 unsigned char overflow = 0x00;
Simon Butcher327398a2016-10-05 14:09:11 +010092 int i;
Brian Murrayb0c3c432016-05-18 14:29:51 -070093
Simon Butcher69283e52016-10-06 12:49:58 +010094 if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
Brian Murray6a3c0d22016-05-20 18:25:43 -070095 {
Brian Murrayb0c3c432016-05-18 14:29:51 -070096 R_n = R_128;
Simon Butcher327398a2016-10-05 14:09:11 +010097 }
Simon Butcher69283e52016-10-06 12:49:58 +010098 else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
Brian Murray6a3c0d22016-05-20 18:25:43 -070099 {
Brian Murrayb0c3c432016-05-18 14:29:51 -0700100 R_n = R_64;
Simon Butcher327398a2016-10-05 14:09:11 +0100101 }
102 else
Brian Murray6a3c0d22016-05-20 18:25:43 -0700103 {
Simon Butcher327398a2016-10-05 14:09:11 +0100104 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Brian Murrayb0c3c432016-05-18 14:29:51 -0700105 }
106
Simon B3249cb72016-11-03 01:11:37 +0000107 for( i = (int)blocksize - 1; i >= 0; i-- )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000108 {
Manuel Pégourié-Gonnarda610b4c2016-01-13 11:28:16 +0000109 output[i] = input[i] << 1 | overflow;
110 overflow = input[i] >> 7;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000111 }
Manuel Pégourié-Gonnard3da54022016-01-13 11:00:47 +0000112
Manuel Pégourié-Gonnard475f06f2016-01-13 13:05:03 +0000113 /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
114 * using bit operations to avoid branches */
Simon Butcher327398a2016-10-05 14:09:11 +0100115
Manuel Pégourié-Gonnard475f06f2016-01-13 13:05:03 +0000116 /* MSVC has a warning about unary minus on unsigned, but this is
117 * well-defined and precisely what we want to do here */
118#if defined(_MSC_VER)
119#pragma warning( push )
120#pragma warning( disable : 4146 )
121#endif
122 mask = - ( input[0] >> 7 );
123#if defined(_MSC_VER)
124#pragma warning( pop )
125#endif
126
Simon Butcher327398a2016-10-05 14:09:11 +0100127 output[ blocksize - 1 ] ^= R_n & mask;
128
Brian Murrayb439d452016-05-19 16:02:42 -0700129 return( 0 );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000130}
131
132/*
133 * Generate subkeys
Simon Butcher327398a2016-10-05 14:09:11 +0100134 *
135 * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000136 */
Simon Butcher327398a2016-10-05 14:09:11 +0100137static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
138 unsigned char* K1, unsigned char* K2 )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000139{
Janos Follath24eed8d2019-11-22 13:21:35 +0000140 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher69283e52016-10-06 12:49:58 +0100141 unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
Brian Murrayb0c3c432016-05-18 14:29:51 -0700142 size_t olen, block_size;
143
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500144 mbedtls_platform_zeroize( L, sizeof( L ) );
Brian Murrayb0c3c432016-05-18 14:29:51 -0700145
Simon Butcher327398a2016-10-05 14:09:11 +0100146 block_size = ctx->cipher_info->block_size;
147
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000148 /* Calculate Ek(0) */
Simon Butcher327398a2016-10-05 14:09:11 +0100149 if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
Brian Murrayb0c3c432016-05-18 14:29:51 -0700150 goto exit;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000151
Manuel Pégourié-Gonnard3da54022016-01-13 11:00:47 +0000152 /*
Manuel Pégourié-Gonnarda610b4c2016-01-13 11:28:16 +0000153 * Generate K1 and K2
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000154 */
Simon Butcher327398a2016-10-05 14:09:11 +0100155 if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
Brian Murrayb0c3c432016-05-18 14:29:51 -0700156 goto exit;
Manuel Pégourié-Gonnard3da54022016-01-13 11:00:47 +0000157
Simon Butcher327398a2016-10-05 14:09:11 +0100158 if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
159 goto exit;
160
161exit:
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500162 mbedtls_platform_zeroize( L, sizeof( L ) );
Simon Butcher327398a2016-10-05 14:09:11 +0100163
164 return( ret );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000165}
Ron Eldor621080d2017-12-21 10:57:43 +0200166#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000167
Ron Eldor621080d2017-12-21 10:57:43 +0200168#if !defined(MBEDTLS_CMAC_ALT)
Simon Butcher69283e52016-10-06 12:49:58 +0100169static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
170 const unsigned char *input2,
171 const size_t block_size )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000172{
Hanno Becker61937d42017-04-26 15:01:23 +0100173 size_t idx;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000174
Hanno Becker61937d42017-04-26 15:01:23 +0100175 for( idx = 0; idx < block_size; idx++ )
176 output[ idx ] = input1[ idx ] ^ input2[ idx ];
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000177}
178
Manuel Pégourié-Gonnardd2c3d3e2016-01-13 13:14:04 +0000179/*
180 * Create padded last block from (partial) last block.
181 *
182 * We can't use the padding option from the cipher layer, as it only works for
183 * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
184 */
Simon Butcher69283e52016-10-06 12:49:58 +0100185static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
Brian Murray53e23b62016-09-13 14:00:15 -0700186 size_t padded_block_len,
Manuel Pégourié-Gonnard7b555f22016-01-13 15:09:09 +0000187 const unsigned char *last_block,
Brian Murrayb0c3c432016-05-18 14:29:51 -0700188 size_t last_block_len )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000189{
190 size_t j;
191
Brian Murrayb0c3c432016-05-18 14:29:51 -0700192 for( j = 0; j < padded_block_len; j++ )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000193 {
Brian Murrayb0c3c432016-05-18 14:29:51 -0700194 if( j < last_block_len )
Manuel Pégourié-Gonnardd2c3d3e2016-01-13 13:14:04 +0000195 padded_block[j] = last_block[j];
Brian Murrayb0c3c432016-05-18 14:29:51 -0700196 else if( j == last_block_len )
Manuel Pégourié-Gonnardd2c3d3e2016-01-13 13:14:04 +0000197 padded_block[j] = 0x80;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000198 else
Manuel Pégourié-Gonnardd2c3d3e2016-01-13 13:14:04 +0000199 padded_block[j] = 0x00;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000200 }
201}
202
Simon Butcher327398a2016-10-05 14:09:11 +0100203int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
Simon Butcher94ffde72016-10-05 15:33:53 +0100204 const unsigned char *key, size_t keybits )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000205{
Simon Butcher327398a2016-10-05 14:09:11 +0100206 mbedtls_cipher_type_t type;
207 mbedtls_cmac_context_t *cmac_ctx;
Simon Butcher327398a2016-10-05 14:09:11 +0100208 int retval;
209
210 if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
211 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
212
Simon B3249cb72016-11-03 01:11:37 +0000213 if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
Simon Butcher327398a2016-10-05 14:09:11 +0100214 MBEDTLS_ENCRYPT ) ) != 0 )
215 return( retval );
216
Simon Butcher327398a2016-10-05 14:09:11 +0100217 type = ctx->cipher_info->type;
218
219 switch( type )
220 {
221 case MBEDTLS_CIPHER_AES_128_ECB:
222 case MBEDTLS_CIPHER_AES_192_ECB:
223 case MBEDTLS_CIPHER_AES_256_ECB:
224 case MBEDTLS_CIPHER_DES_EDE3_ECB:
225 break;
226 default:
227 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
228 }
229
230 /* Allocated and initialise in the cipher context memory for the CMAC
231 * context */
232 cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
233 if( cmac_ctx == NULL )
234 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
235
236 ctx->cmac_ctx = cmac_ctx;
237
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500238 mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
Simon Butcher327398a2016-10-05 14:09:11 +0100239
240 return 0;
241}
242
243int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
244 const unsigned char *input, size_t ilen )
245{
246 mbedtls_cmac_context_t* cmac_ctx;
Brian Murrayb0c3c432016-05-18 14:29:51 -0700247 unsigned char *state;
Simon B3249cb72016-11-03 01:11:37 +0000248 int ret = 0;
249 size_t n, j, olen, block_size;
Brian Murrayb0c3c432016-05-18 14:29:51 -0700250
Simon Butcher327398a2016-10-05 14:09:11 +0100251 if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
252 ctx->cmac_ctx == NULL )
253 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Brian Murrayb0c3c432016-05-18 14:29:51 -0700254
Simon Butcher327398a2016-10-05 14:09:11 +0100255 cmac_ctx = ctx->cmac_ctx;
256 block_size = ctx->cipher_info->block_size;
257 state = ctx->cmac_ctx->state;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000258
Simon Butcher6b0774a2016-10-10 21:37:42 +0100259 /* Is there data still to process from the last call, that's greater in
260 * size than a block? */
Simon Butcher327398a2016-10-05 14:09:11 +0100261 if( cmac_ctx->unprocessed_len > 0 &&
Andres AGa592dcc2016-10-06 15:23:39 +0100262 ilen > block_size - cmac_ctx->unprocessed_len )
Brian Murray57863ad2016-05-19 16:38:36 -0700263 {
Simon Butcher327398a2016-10-05 14:09:11 +0100264 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
265 input,
266 block_size - cmac_ctx->unprocessed_len );
267
268 cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
269
270 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
271 &olen ) ) != 0 )
272 {
273 goto exit;
274 }
275
Simon Butcher6b0774a2016-10-10 21:37:42 +0100276 input += block_size - cmac_ctx->unprocessed_len;
277 ilen -= block_size - cmac_ctx->unprocessed_len;
Simon Butcher327398a2016-10-05 14:09:11 +0100278 cmac_ctx->unprocessed_len = 0;
Brian Murray57863ad2016-05-19 16:38:36 -0700279 }
280
Simon Butcher327398a2016-10-05 14:09:11 +0100281 /* n is the number of blocks including any final partial block */
282 n = ( ilen + block_size - 1 ) / block_size;
283
Simon B3249cb72016-11-03 01:11:37 +0000284 /* Iterate across the input data in block sized chunks, excluding any
285 * final partial or complete block */
286 for( j = 1; j < n; j++ )
Brian Murray57863ad2016-05-19 16:38:36 -0700287 {
Simon Butcher327398a2016-10-05 14:09:11 +0100288 cmac_xor_block( state, input, state, block_size );
289
290 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
291 &olen ) ) != 0 )
292 goto exit;
293
294 ilen -= block_size;
295 input += block_size;
Brian Murray57863ad2016-05-19 16:38:36 -0700296 }
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000297
Simon Butcher327398a2016-10-05 14:09:11 +0100298 /* If there is data left over that wasn't aligned to a block */
299 if( ilen > 0 )
300 {
Simon Butcher6b0774a2016-10-10 21:37:42 +0100301 memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
302 input,
303 ilen );
304 cmac_ctx->unprocessed_len += ilen;
Simon Butcher327398a2016-10-05 14:09:11 +0100305 }
306
307exit:
308 return( ret );
309}
310
311int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
312 unsigned char *output )
313{
314 mbedtls_cmac_context_t* cmac_ctx;
Simon Butcher69283e52016-10-06 12:49:58 +0100315 unsigned char *state, *last_block;
316 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
317 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
318 unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
Janos Follath24eed8d2019-11-22 13:21:35 +0000319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher327398a2016-10-05 14:09:11 +0100320 size_t olen, block_size;
321
322 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
323 output == NULL )
324 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
325
326 cmac_ctx = ctx->cmac_ctx;
327 block_size = ctx->cipher_info->block_size;
328 state = cmac_ctx->state;
329
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500330 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
331 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
Simon Butcher327398a2016-10-05 14:09:11 +0100332 cmac_generate_subkeys( ctx, K1, K2 );
333
Simon Butcher69283e52016-10-06 12:49:58 +0100334 last_block = cmac_ctx->unprocessed_block;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000335
336 /* Calculate last block */
Janos Follathe3d882a2016-10-11 10:49:26 +0100337 if( cmac_ctx->unprocessed_len < block_size )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000338 {
Simon Butcher327398a2016-10-05 14:09:11 +0100339 cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
340 cmac_xor_block( M_last, M_last, K2, block_size );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000341 }
342 else
343 {
Manuel Pégourié-Gonnard2c063062016-01-13 14:27:55 +0000344 /* Last block is complete block */
Simon Butcher327398a2016-10-05 14:09:11 +0100345 cmac_xor_block( M_last, last_block, K1, block_size );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000346 }
347
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000348
Simon Butcher327398a2016-10-05 14:09:11 +0100349 cmac_xor_block( state, M_last, state, block_size );
350 if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
351 &olen ) ) != 0 )
352 {
353 goto exit;
354 }
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000355
Simon Butcher327398a2016-10-05 14:09:11 +0100356 memcpy( output, state, block_size );
357
358exit:
359 /* Wipe the generated keys on the stack, and any other transients to avoid
360 * side channel leakage */
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500361 mbedtls_platform_zeroize( K1, sizeof( K1 ) );
362 mbedtls_platform_zeroize( K2, sizeof( K2 ) );
Simon Butcher327398a2016-10-05 14:09:11 +0100363
364 cmac_ctx->unprocessed_len = 0;
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500365 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
366 sizeof( cmac_ctx->unprocessed_block ) );
Simon Butcher327398a2016-10-05 14:09:11 +0100367
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500368 mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
Simon Butcher327398a2016-10-05 14:09:11 +0100369 return( ret );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000370}
371
Simon Butcher327398a2016-10-05 14:09:11 +0100372int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000373{
Simon Butcher327398a2016-10-05 14:09:11 +0100374 mbedtls_cmac_context_t* cmac_ctx;
Manuel Pégourié-Gonnard3da54022016-01-13 11:00:47 +0000375
Simon Butcher327398a2016-10-05 14:09:11 +0100376 if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
377 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Brian Murrayb0c3c432016-05-18 14:29:51 -0700378
Simon Butcher327398a2016-10-05 14:09:11 +0100379 cmac_ctx = ctx->cmac_ctx;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000380
Simon Butcher327398a2016-10-05 14:09:11 +0100381 /* Reset the internal state */
382 cmac_ctx->unprocessed_len = 0;
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500383 mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
384 sizeof( cmac_ctx->unprocessed_block ) );
385 mbedtls_platform_zeroize( cmac_ctx->state,
386 sizeof( cmac_ctx->state ) );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000387
Simon Butcher327398a2016-10-05 14:09:11 +0100388 return( 0 );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000389}
390
Simon Butcher327398a2016-10-05 14:09:11 +0100391int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
392 const unsigned char *key, size_t keylen,
393 const unsigned char *input, size_t ilen,
394 unsigned char *output )
395{
396 mbedtls_cipher_context_t ctx;
Janos Follath24eed8d2019-11-22 13:21:35 +0000397 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher327398a2016-10-05 14:09:11 +0100398
399 if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
400 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
401
402 mbedtls_cipher_init( &ctx );
403
404 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
405 goto exit;
406
407 ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
Simon Butcher327398a2016-10-05 14:09:11 +0100408 if( ret != 0 )
409 goto exit;
Simon Butcher327398a2016-10-05 14:09:11 +0100410
411 ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
412 if( ret != 0 )
413 goto exit;
414
Simon Butcher69283e52016-10-06 12:49:58 +0100415 ret = mbedtls_cipher_cmac_finish( &ctx, output );
Simon Butcher327398a2016-10-05 14:09:11 +0100416
417exit:
Simon Butcher69283e52016-10-06 12:49:58 +0100418 mbedtls_cipher_free( &ctx );
419
Simon Butcher327398a2016-10-05 14:09:11 +0100420 return( ret );
421}
Simon Butcher327398a2016-10-05 14:09:11 +0100422
Simon Butcher69283e52016-10-06 12:49:58 +0100423#if defined(MBEDTLS_AES_C)
Manuel Pégourié-Gonnard7b555f22016-01-13 15:09:09 +0000424/*
Simon Butcher69283e52016-10-06 12:49:58 +0100425 * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
Manuel Pégourié-Gonnard7b555f22016-01-13 15:09:09 +0000426 */
Brian Murrayb0c3c432016-05-18 14:29:51 -0700427int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
Manuel Pégourié-Gonnard690083c2016-01-13 10:48:02 +0000428 const unsigned char *input, size_t in_len,
Simon Butcher327398a2016-10-05 14:09:11 +0100429 unsigned char *output )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000430{
Janos Follath24eed8d2019-11-22 13:21:35 +0000431 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher327398a2016-10-05 14:09:11 +0100432 const mbedtls_cipher_info_t *cipher_info;
Simon Butcher69283e52016-10-06 12:49:58 +0100433 unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
434 unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
435
436 if( key == NULL || input == NULL || output == NULL )
437 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000438
Simon Butcher327398a2016-10-05 14:09:11 +0100439 cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
440 if( cipher_info == NULL )
441 {
442 /* Failing at this point must be due to a build issue */
443 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
444 goto exit;
445 }
Brian Murrayb0c3c432016-05-18 14:29:51 -0700446
Simon Butcher69283e52016-10-06 12:49:58 +0100447 if( key_length == MBEDTLS_AES_BLOCK_SIZE )
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000448 {
449 /* Use key as is */
Simon Butcher69283e52016-10-06 12:49:58 +0100450 memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000451 }
452 else
453 {
Simon Butcher69283e52016-10-06 12:49:58 +0100454 memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
Manuel Pégourié-Gonnard7b555f22016-01-13 15:09:09 +0000455
Simon Butcher327398a2016-10-05 14:09:11 +0100456 ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
457 key_length, int_key );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000458 if( ret != 0 )
Brian Murrayb0c3c432016-05-18 14:29:51 -0700459 goto exit;
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000460 }
461
Simon Butcher327398a2016-10-05 14:09:11 +0100462 ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
463 output );
Manuel Pégourié-Gonnardd6cf7542016-01-13 11:30:00 +0000464
Simon Butcher327398a2016-10-05 14:09:11 +0100465exit:
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500466 mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
Brian Murrayb0c3c432016-05-18 14:29:51 -0700467
Simon Butcher327398a2016-10-05 14:09:11 +0100468 return( ret );
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000469}
Brian Murrayb439d452016-05-19 16:02:42 -0700470#endif /* MBEDTLS_AES_C */
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000471
Steven Cooreman63342772017-04-04 11:47:16 +0200472#endif /* !MBEDTLS_CMAC_ALT */
473
Simon Butcher69283e52016-10-06 12:49:58 +0100474#if defined(MBEDTLS_SELF_TEST)
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000475/*
Janos Follathcd13bd22016-12-13 11:51:04 +0000476 * CMAC test data for SP800-38B
477 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
478 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
Brian Murray0f6af732016-05-19 15:59:23 -0700479 *
480 * AES-CMAC-PRF-128 test data from RFC 4615
481 * https://tools.ietf.org/html/rfc4615#page-4
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000482 */
483
Brian Murray0f6af732016-05-19 15:59:23 -0700484#define NB_CMAC_TESTS_PER_KEY 4
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000485#define NB_PRF_TESTS 3
Simon Butcher327398a2016-10-05 14:09:11 +0100486
Brian Murray0f6af732016-05-19 15:59:23 -0700487#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
488/* All CMAC test inputs are truncated from the same 64 byte buffer. */
489static const unsigned char test_message[] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000490 /* PT */
491 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
492 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
493 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
494 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
495 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
496 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
497 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
498 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000499};
Simon Butcher69283e52016-10-06 12:49:58 +0100500#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
Brian Murray0cf14c12016-05-23 12:49:50 -0700501
Simon Butcher69283e52016-10-06 12:49:58 +0100502#if defined(MBEDTLS_AES_C)
Brian Murray0f6af732016-05-19 15:59:23 -0700503/* Truncation point of message for AES CMAC tests */
Brian Murray57863ad2016-05-19 16:38:36 -0700504static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000505 /* Mlen */
Brian Murray0f6af732016-05-19 15:59:23 -0700506 0,
507 16,
Janos Follathcd13bd22016-12-13 11:51:04 +0000508 20,
Brian Murray0f6af732016-05-19 15:59:23 -0700509 64
510};
511
Janos Follathcd13bd22016-12-13 11:51:04 +0000512/* CMAC-AES128 Test Data */
Brian Murray57863ad2016-05-19 16:38:36 -0700513static const unsigned char aes_128_key[16] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000514 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
515 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
Brian Murray0f6af732016-05-19 15:59:23 -0700516};
Simon Butcher69283e52016-10-06 12:49:58 +0100517static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
Brian Murray0f6af732016-05-19 15:59:23 -0700518 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000519 /* K1 */
520 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
521 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
Brian Murray0f6af732016-05-19 15:59:23 -0700522 },
523 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000524 /* K2 */
525 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
526 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
Brian Murray0f6af732016-05-19 15:59:23 -0700527 }
528};
Simon Butcher69283e52016-10-06 12:49:58 +0100529static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000530 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000531 /* Example #1 */
532 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
533 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000534 },
535 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000536 /* Example #2 */
537 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
538 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000539 },
540 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000541 /* Example #3 */
542 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
543 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000544 },
545 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000546 /* Example #4 */
547 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
548 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000549 }
550};
551
Janos Follathcd13bd22016-12-13 11:51:04 +0000552/* CMAC-AES192 Test Data */
Brian Murray57863ad2016-05-19 16:38:36 -0700553static const unsigned char aes_192_key[24] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000554 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
555 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
556 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000557};
Simon Butcher69283e52016-10-06 12:49:58 +0100558static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
Brian Murrayb0c3c432016-05-18 14:29:51 -0700559 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000560 /* K1 */
561 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
562 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
Brian Murrayb0c3c432016-05-18 14:29:51 -0700563 },
564 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000565 /* K2 */
566 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
567 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
Brian Murrayb0c3c432016-05-18 14:29:51 -0700568 }
569};
Simon Butcher69283e52016-10-06 12:49:58 +0100570static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
Brian Murrayb0c3c432016-05-18 14:29:51 -0700571 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000572 /* Example #1 */
573 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
574 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
Brian Murrayb0c3c432016-05-18 14:29:51 -0700575 },
576 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000577 /* Example #2 */
578 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
579 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
Brian Murrayb0c3c432016-05-18 14:29:51 -0700580 },
581 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000582 /* Example #3 */
583 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
584 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
Brian Murrayb0c3c432016-05-18 14:29:51 -0700585 },
586 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000587 /* Example #4 */
588 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
589 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
Brian Murrayb0c3c432016-05-18 14:29:51 -0700590 }
591};
592
Janos Follathcd13bd22016-12-13 11:51:04 +0000593/* CMAC-AES256 Test Data */
Brian Murray57863ad2016-05-19 16:38:36 -0700594static const unsigned char aes_256_key[32] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000595 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
596 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
597 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
598 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
Brian Murray0f6af732016-05-19 15:59:23 -0700599};
Simon Butcher69283e52016-10-06 12:49:58 +0100600static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
Brian Murray0f6af732016-05-19 15:59:23 -0700601 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000602 /* K1 */
603 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
604 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
Brian Murray0f6af732016-05-19 15:59:23 -0700605 },
606 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000607 /* K2 */
608 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
609 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
Brian Murray0f6af732016-05-19 15:59:23 -0700610 }
611};
Simon Butcher69283e52016-10-06 12:49:58 +0100612static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
Brian Murray0f6af732016-05-19 15:59:23 -0700613 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000614 /* Example #1 */
615 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
616 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
Brian Murray0f6af732016-05-19 15:59:23 -0700617 },
618 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000619 /* Example #2 */
620 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
621 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
Brian Murray0f6af732016-05-19 15:59:23 -0700622 },
623 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000624 /* Example #3 */
625 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
626 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
Brian Murray0f6af732016-05-19 15:59:23 -0700627 },
628 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000629 /* Example #4 */
630 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
631 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
Brian Murray0f6af732016-05-19 15:59:23 -0700632 }
633};
634#endif /* MBEDTLS_AES_C */
635
Simon Butcher69283e52016-10-06 12:49:58 +0100636#if defined(MBEDTLS_DES_C)
Brian Murray0f6af732016-05-19 15:59:23 -0700637/* Truncation point of message for 3DES CMAC tests */
Brian Murray57863ad2016-05-19 16:38:36 -0700638static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
Brian Murray0f6af732016-05-19 15:59:23 -0700639 0,
Janos Follathcd13bd22016-12-13 11:51:04 +0000640 16,
Brian Murray0f6af732016-05-19 15:59:23 -0700641 20,
642 32
643};
644
Janos Follathcd13bd22016-12-13 11:51:04 +0000645/* CMAC-TDES (Generation) - 2 Key Test Data */
Brian Murray57863ad2016-05-19 16:38:36 -0700646static const unsigned char des3_2key_key[24] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000647 /* Key1 */
648 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
649 /* Key2 */
650 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
651 /* Key3 */
652 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
Brian Murray0f6af732016-05-19 15:59:23 -0700653};
654static const unsigned char des3_2key_subkeys[2][8] = {
655 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000656 /* K1 */
657 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
Brian Murray0f6af732016-05-19 15:59:23 -0700658 },
659 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000660 /* K2 */
661 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
Brian Murray0f6af732016-05-19 15:59:23 -0700662 }
663};
Simon Butcher69283e52016-10-06 12:49:58 +0100664static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
Brian Murrayb0c3c432016-05-18 14:29:51 -0700665 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000666 /* Sample #1 */
667 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
Brian Murrayb0c3c432016-05-18 14:29:51 -0700668 },
669 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000670 /* Sample #2 */
671 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
Brian Murrayb0c3c432016-05-18 14:29:51 -0700672 },
673 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000674 /* Sample #3 */
675 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
Brian Murrayb0c3c432016-05-18 14:29:51 -0700676 },
677 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000678 /* Sample #4 */
679 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
Brian Murrayb0c3c432016-05-18 14:29:51 -0700680 }
681};
682
Janos Follathcd13bd22016-12-13 11:51:04 +0000683/* CMAC-TDES (Generation) - 3 Key Test Data */
Brian Murray57863ad2016-05-19 16:38:36 -0700684static const unsigned char des3_3key_key[24] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000685 /* Key1 */
686 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
687 /* Key2 */
688 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
689 /* Key3 */
690 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
Brian Murray0f6af732016-05-19 15:59:23 -0700691};
692static const unsigned char des3_3key_subkeys[2][8] = {
693 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000694 /* K1 */
695 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
Brian Murray0f6af732016-05-19 15:59:23 -0700696 },
697 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000698 /* K2 */
699 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
Brian Murray0f6af732016-05-19 15:59:23 -0700700 }
701};
Simon Butcher69283e52016-10-06 12:49:58 +0100702static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
Brian Murrayb0c3c432016-05-18 14:29:51 -0700703 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000704 /* Sample #1 */
705 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
Brian Murrayb0c3c432016-05-18 14:29:51 -0700706 },
707 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000708 /* Sample #2 */
709 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
Brian Murrayb0c3c432016-05-18 14:29:51 -0700710 },
711 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000712 /* Sample #3 */
713 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
Brian Murrayb0c3c432016-05-18 14:29:51 -0700714 },
715 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000716 /* Sample #4 */
717 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
Brian Murrayb0c3c432016-05-18 14:29:51 -0700718 }
719};
720
Brian Murray0f6af732016-05-19 15:59:23 -0700721#endif /* MBEDTLS_DES_C */
Brian Murrayb0c3c432016-05-18 14:29:51 -0700722
Simon Butcher69283e52016-10-06 12:49:58 +0100723#if defined(MBEDTLS_AES_C)
Brian Murray0f6af732016-05-19 15:59:23 -0700724/* AES AES-CMAC-PRF-128 Test Data */
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000725static const unsigned char PRFK[] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000726 /* Key */
727 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
728 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000729 0xed, 0xcb
730};
731
732/* Sizes in bytes */
733static const size_t PRFKlen[NB_PRF_TESTS] = {
734 18,
735 16,
736 10
737};
738
Janos Follathcd13bd22016-12-13 11:51:04 +0000739/* Message */
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000740static const unsigned char PRFM[] = {
Janos Follathcd13bd22016-12-13 11:51:04 +0000741 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
742 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
Manuel Pégourié-Gonnard3da54022016-01-13 11:00:47 +0000743 0x10, 0x11, 0x12, 0x13
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000744};
745
746static const unsigned char PRFT[NB_PRF_TESTS][16] = {
747 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000748 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
749 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000750 },
751 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000752 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
753 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000754 },
755 {
Janos Follathcd13bd22016-12-13 11:51:04 +0000756 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
757 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000758 }
759};
Brian Murray0f6af732016-05-19 15:59:23 -0700760#endif /* MBEDTLS_AES_C */
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000761
Simon Butcher327398a2016-10-05 14:09:11 +0100762static int cmac_test_subkeys( int verbose,
763 const char* testname,
764 const unsigned char* key,
765 int keybits,
766 const unsigned char* subkeys,
767 mbedtls_cipher_type_t cipher_type,
768 int block_size,
769 int num_tests )
770{
Brian Murray2fab5c92016-12-15 18:51:13 -0800771 int i, ret = 0;
Simon Butcher327398a2016-10-05 14:09:11 +0100772 mbedtls_cipher_context_t ctx;
773 const mbedtls_cipher_info_t *cipher_info;
Simon Butcher69283e52016-10-06 12:49:58 +0100774 unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
775 unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
Simon Butcher327398a2016-10-05 14:09:11 +0100776
777 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
778 if( cipher_info == NULL )
779 {
780 /* Failing at this point must be due to a build issue */
Simon Butcher69283e52016-10-06 12:49:58 +0100781 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
Simon Butcher327398a2016-10-05 14:09:11 +0100782 }
783
784 for( i = 0; i < num_tests; i++ )
785 {
786 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200787 mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 );
Simon Butcher327398a2016-10-05 14:09:11 +0100788
Janos Follathd4443582016-10-12 10:00:42 +0100789 mbedtls_cipher_init( &ctx );
790
Simon Butcher327398a2016-10-05 14:09:11 +0100791 if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
792 {
793 if( verbose != 0 )
794 mbedtls_printf( "test execution failed\n" );
795
Janos Follathd4443582016-10-12 10:00:42 +0100796 goto cleanup;
Simon Butcher327398a2016-10-05 14:09:11 +0100797 }
798
799 if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
800 MBEDTLS_ENCRYPT ) ) != 0 )
801 {
802 if( verbose != 0 )
803 mbedtls_printf( "test execution failed\n" );
804
Janos Follathd4443582016-10-12 10:00:42 +0100805 goto cleanup;
Simon Butcher327398a2016-10-05 14:09:11 +0100806 }
807
808 ret = cmac_generate_subkeys( &ctx, K1, K2 );
809 if( ret != 0 )
810 {
811 if( verbose != 0 )
812 mbedtls_printf( "failed\n" );
Janos Follathd4443582016-10-12 10:00:42 +0100813
814 goto cleanup;
Simon Butcher327398a2016-10-05 14:09:11 +0100815 }
816
Simon Butcher420be4e2016-10-07 12:55:43 +0100817 if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0 ||
818 ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
Simon Butcher327398a2016-10-05 14:09:11 +0100819 {
820 if( verbose != 0 )
821 mbedtls_printf( "failed\n" );
Janos Follathd4443582016-10-12 10:00:42 +0100822
823 goto cleanup;
Simon Butcher327398a2016-10-05 14:09:11 +0100824 }
825
826 if( verbose != 0 )
827 mbedtls_printf( "passed\n" );
Janos Follathd4443582016-10-12 10:00:42 +0100828
829 mbedtls_cipher_free( &ctx );
Simon Butcher327398a2016-10-05 14:09:11 +0100830 }
831
Gilles Peskinedf761d52018-03-01 22:18:14 +0100832 ret = 0;
Janos Follathd4443582016-10-12 10:00:42 +0100833 goto exit;
834
835cleanup:
Simon Butcher69283e52016-10-06 12:49:58 +0100836 mbedtls_cipher_free( &ctx );
837
Janos Follathd4443582016-10-12 10:00:42 +0100838exit:
Simon Butcher327398a2016-10-05 14:09:11 +0100839 return( ret );
840}
841
Simon Butcher69283e52016-10-06 12:49:58 +0100842static int cmac_test_wth_cipher( int verbose,
843 const char* testname,
844 const unsigned char* key,
845 int keybits,
846 const unsigned char* messages,
847 const unsigned int message_lengths[4],
848 const unsigned char* expected_result,
849 mbedtls_cipher_type_t cipher_type,
850 int block_size,
851 int num_tests )
Brian Murray00dc5f02016-05-19 14:23:50 -0700852{
Simon Butcher327398a2016-10-05 14:09:11 +0100853 const mbedtls_cipher_info_t *cipher_info;
Brian Murray2fab5c92016-12-15 18:51:13 -0800854 int i, ret = 0;
Simon Butcher69283e52016-10-06 12:49:58 +0100855 unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
Brian Murray57863ad2016-05-19 16:38:36 -0700856
Simon Butcher327398a2016-10-05 14:09:11 +0100857 cipher_info = mbedtls_cipher_info_from_type( cipher_type );
858 if( cipher_info == NULL )
Brian Murray00dc5f02016-05-19 14:23:50 -0700859 {
Simon Butcher327398a2016-10-05 14:09:11 +0100860 /* Failing at this point must be due to a build issue */
861 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
Brian Murray00dc5f02016-05-19 14:23:50 -0700862 goto exit;
863 }
864
865 for( i = 0; i < num_tests; i++ )
866 {
867 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200868 mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 );
Brian Murray00dc5f02016-05-19 14:23:50 -0700869
Simon Butcher327398a2016-10-05 14:09:11 +0100870 if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
871 message_lengths[i], output ) ) != 0 )
Brian Murray00dc5f02016-05-19 14:23:50 -0700872 {
873 if( verbose != 0 )
874 mbedtls_printf( "failed\n" );
875 goto exit;
876 }
Brian Murray9ce2e092016-05-24 22:46:43 -0700877
Simon Butcher327398a2016-10-05 14:09:11 +0100878 if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
Brian Murray00dc5f02016-05-19 14:23:50 -0700879 {
880 if( verbose != 0 )
881 mbedtls_printf( "failed\n" );
882 goto exit;
883 }
884
Brian Murray9ce2e092016-05-24 22:46:43 -0700885 if( verbose != 0 )
886 mbedtls_printf( "passed\n" );
Brian Murray00dc5f02016-05-19 14:23:50 -0700887 }
Gilles Peskinedf761d52018-03-01 22:18:14 +0100888 ret = 0;
Simon Butcher327398a2016-10-05 14:09:11 +0100889
Simon Butcher69283e52016-10-06 12:49:58 +0100890exit:
Simon Butcher327398a2016-10-05 14:09:11 +0100891 return( ret );
Brian Murray00dc5f02016-05-19 14:23:50 -0700892}
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000893
Simon Butcher69283e52016-10-06 12:49:58 +0100894#if defined(MBEDTLS_AES_C)
895static int test_aes128_cmac_prf( int verbose )
Brian Murray6a3c0d22016-05-20 18:25:43 -0700896{
Robert Cragie3d23b1d2015-12-15 07:38:11 +0000897 int i;
Janos Follath24eed8d2019-11-22 13:21:35 +0000898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher69283e52016-10-06 12:49:58 +0100899 unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
Simon Butcher327398a2016-10-05 14:09:11 +0100900
Brian Murrayb0c3c432016-05-18 14:29:51 -0700901 for( i = 0; i < NB_PRF_TESTS; i++ )
902 {
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200903 mbedtls_printf( " AES CMAC 128 PRF #%d: ", i );
Simon Butcher327398a2016-10-05 14:09:11 +0100904 ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
Brian Murrayb0c3c432016-05-18 14:29:51 -0700905 if( ret != 0 ||
Simon Butcher69283e52016-10-06 12:49:58 +0100906 memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
Brian Murrayb0c3c432016-05-18 14:29:51 -0700907 {
Simon Butcher327398a2016-10-05 14:09:11 +0100908
Brian Murrayb0c3c432016-05-18 14:29:51 -0700909 if( verbose != 0 )
910 mbedtls_printf( "failed\n" );
911
Brian Murray0f6af732016-05-19 15:59:23 -0700912 return( ret );
Simon Butcher69283e52016-10-06 12:49:58 +0100913 }
914 else if( verbose != 0 )
Brian Murrayb0c3c432016-05-18 14:29:51 -0700915 {
916 mbedtls_printf( "passed\n" );
917 }
918 }
Brian Murray0f6af732016-05-19 15:59:23 -0700919 return( ret );
920}
921#endif /* MBEDTLS_AES_C */
922
923int mbedtls_cmac_self_test( int verbose )
924{
Janos Follath24eed8d2019-11-22 13:21:35 +0000925 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher327398a2016-10-05 14:09:11 +0100926
Simon Butcher69283e52016-10-06 12:49:58 +0100927#if defined(MBEDTLS_AES_C)
Simon Butcher327398a2016-10-05 14:09:11 +0100928 /* AES-128 */
929 if( ( ret = cmac_test_subkeys( verbose,
Simon Butcher69283e52016-10-06 12:49:58 +0100930 "AES 128",
931 aes_128_key,
932 128,
933 (const unsigned char*)aes_128_subkeys,
934 MBEDTLS_CIPHER_AES_128_ECB,
935 MBEDTLS_AES_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +0100936 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Simon Butcher327398a2016-10-05 14:09:11 +0100937 {
938 return( ret );
939 }
940
Brian Murrayae1cb122016-05-23 15:01:59 -0700941 if( ( ret = cmac_test_wth_cipher( verbose,
942 "AES 128",
943 aes_128_key,
944 128,
945 test_message,
946 aes_message_lengths,
Simon Butcher69283e52016-10-06 12:49:58 +0100947 (const unsigned char*)aes_128_expected_result,
Simon Butcher327398a2016-10-05 14:09:11 +0100948 MBEDTLS_CIPHER_AES_128_ECB,
Simon Butcher69283e52016-10-06 12:49:58 +0100949 MBEDTLS_AES_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +0100950 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Simon Butcher327398a2016-10-05 14:09:11 +0100951 {
952 return( ret );
953 }
954
955 /* AES-192 */
956 if( ( ret = cmac_test_subkeys( verbose,
Simon Butcher69283e52016-10-06 12:49:58 +0100957 "AES 192",
958 aes_192_key,
959 192,
960 (const unsigned char*)aes_192_subkeys,
961 MBEDTLS_CIPHER_AES_192_ECB,
962 MBEDTLS_AES_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +0100963 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Brian Murray9044b022016-05-19 16:36:56 -0700964 {
965 return( ret );
966 }
Brian Murray0f6af732016-05-19 15:59:23 -0700967
Brian Murrayae1cb122016-05-23 15:01:59 -0700968 if( ( ret = cmac_test_wth_cipher( verbose,
969 "AES 192",
970 aes_192_key,
971 192,
972 test_message,
973 aes_message_lengths,
Simon Butcher69283e52016-10-06 12:49:58 +0100974 (const unsigned char*)aes_192_expected_result,
Simon Butcher327398a2016-10-05 14:09:11 +0100975 MBEDTLS_CIPHER_AES_192_ECB,
Simon Butcher69283e52016-10-06 12:49:58 +0100976 MBEDTLS_AES_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +0100977 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Simon Butcher327398a2016-10-05 14:09:11 +0100978 {
Simon Butcher327398a2016-10-05 14:09:11 +0100979 return( ret );
980 }
981
982 /* AES-256 */
983 if( ( ret = cmac_test_subkeys( verbose,
Simon Butcher69283e52016-10-06 12:49:58 +0100984 "AES 256",
985 aes_256_key,
986 256,
987 (const unsigned char*)aes_256_subkeys,
988 MBEDTLS_CIPHER_AES_256_ECB,
989 MBEDTLS_AES_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +0100990 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Brian Murray9044b022016-05-19 16:36:56 -0700991 {
992 return( ret );
993 }
Brian Murray0f6af732016-05-19 15:59:23 -0700994
Simon Butcher69283e52016-10-06 12:49:58 +0100995 if( ( ret = cmac_test_wth_cipher ( verbose,
Brian Murrayae1cb122016-05-23 15:01:59 -0700996 "AES 256",
997 aes_256_key,
998 256,
999 test_message,
1000 aes_message_lengths,
Simon Butcher69283e52016-10-06 12:49:58 +01001001 (const unsigned char*)aes_256_expected_result,
Simon Butcher327398a2016-10-05 14:09:11 +01001002 MBEDTLS_CIPHER_AES_256_ECB,
Simon Butcher69283e52016-10-06 12:49:58 +01001003 MBEDTLS_AES_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +01001004 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Brian Murray9044b022016-05-19 16:36:56 -07001005 {
1006 return( ret );
1007 }
Brian Murray0f6af732016-05-19 15:59:23 -07001008#endif /* MBEDTLS_AES_C */
1009
Simon Butcher69283e52016-10-06 12:49:58 +01001010#if defined(MBEDTLS_DES_C)
Simon Butcher327398a2016-10-05 14:09:11 +01001011 /* 3DES 2 key */
1012 if( ( ret = cmac_test_subkeys( verbose,
Simon Butcher69283e52016-10-06 12:49:58 +01001013 "3DES 2 key",
1014 des3_2key_key,
1015 192,
1016 (const unsigned char*)des3_2key_subkeys,
1017 MBEDTLS_CIPHER_DES_EDE3_ECB,
1018 MBEDTLS_DES3_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +01001019 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Simon Butcher327398a2016-10-05 14:09:11 +01001020 {
1021 return( ret );
1022 }
1023
Brian Murrayae1cb122016-05-23 15:01:59 -07001024 if( ( ret = cmac_test_wth_cipher( verbose,
1025 "3DES 2 key",
1026 des3_2key_key,
1027 192,
1028 test_message,
1029 des3_message_lengths,
Simon Butcher69283e52016-10-06 12:49:58 +01001030 (const unsigned char*)des3_2key_expected_result,
Simon Butcher327398a2016-10-05 14:09:11 +01001031 MBEDTLS_CIPHER_DES_EDE3_ECB,
Simon Butcher69283e52016-10-06 12:49:58 +01001032 MBEDTLS_DES3_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +01001033 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Brian Murray9044b022016-05-19 16:36:56 -07001034 {
1035 return( ret );
1036 }
Brian Murray0f6af732016-05-19 15:59:23 -07001037
Simon Butcher327398a2016-10-05 14:09:11 +01001038 /* 3DES 3 key */
1039 if( ( ret = cmac_test_subkeys( verbose,
Simon Butcher69283e52016-10-06 12:49:58 +01001040 "3DES 3 key",
1041 des3_3key_key,
1042 192,
1043 (const unsigned char*)des3_3key_subkeys,
1044 MBEDTLS_CIPHER_DES_EDE3_ECB,
1045 MBEDTLS_DES3_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +01001046 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Simon Butcher327398a2016-10-05 14:09:11 +01001047 {
1048 return( ret );
1049 }
1050
Brian Murrayae1cb122016-05-23 15:01:59 -07001051 if( ( ret = cmac_test_wth_cipher( verbose,
1052 "3DES 3 key",
1053 des3_3key_key,
1054 192,
1055 test_message,
1056 des3_message_lengths,
Simon Butcher69283e52016-10-06 12:49:58 +01001057 (const unsigned char*)des3_3key_expected_result,
Simon Butcher327398a2016-10-05 14:09:11 +01001058 MBEDTLS_CIPHER_DES_EDE3_ECB,
Simon Butcher69283e52016-10-06 12:49:58 +01001059 MBEDTLS_DES3_BLOCK_SIZE,
Simon Butcher420be4e2016-10-07 12:55:43 +01001060 NB_CMAC_TESTS_PER_KEY ) ) != 0 )
Brian Murray9044b022016-05-19 16:36:56 -07001061 {
1062 return( ret );
1063 }
Brian Murray0f6af732016-05-19 15:59:23 -07001064#endif /* MBEDTLS_DES_C */
1065
Simon Butcher69283e52016-10-06 12:49:58 +01001066#if defined(MBEDTLS_AES_C)
Simon Butcher420be4e2016-10-07 12:55:43 +01001067 if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
Brian Murray9044b022016-05-19 16:36:56 -07001068 return( ret );
Brian Murray0f6af732016-05-19 15:59:23 -07001069#endif /* MBEDTLS_AES_C */
Brian Murrayb0c3c432016-05-18 14:29:51 -07001070
Robert Cragie3d23b1d2015-12-15 07:38:11 +00001071 if( verbose != 0 )
1072 mbedtls_printf( "\n" );
Brian Murray0f6af732016-05-19 15:59:23 -07001073
Robert Cragie3d23b1d2015-12-15 07:38:11 +00001074 return( 0 );
1075}
1076
Brian Murray0f6af732016-05-19 15:59:23 -07001077#endif /* MBEDTLS_SELF_TEST */
Robert Cragie3d23b1d2015-12-15 07:38:11 +00001078
1079#endif /* MBEDTLS_CMAC_C */