Startsida Utforska Hjälp
Logga in
rotek
/
bt-67xx_universal_hw
2
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: 819593d773
Grenar Taggar
bt-67xx_univers...
/
thirdparty
/
mbedTLS
/
library
/
cmac.c

cmac.c 31 KB
Historik

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033 
  1. /*
    2. 

  2.  * \file cmac.c
    3. 

  3.  *
    4. 

  4.  * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
    5. 

  5.  *
    6. 

  6.  *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
    7. 

  7.  *  SPDX-License-Identifier: Apache-2.0
    8. 

  8.  *
    9. 

  9.  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
    10. 

  10.  *  not use this file except in compliance with the License.
    11. 

  11.  *  You may obtain a copy of the License at
    12. 

  12.  *
    13. 

  13.  *  http://www.apache.org/licenses/LICENSE-2.0
    14. 

  14.  *
    15. 

  15.  *  Unless required by applicable law or agreed to in writing, software
    16. 

  16.  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    17. 

  17.  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    18. 

  18.  *  See the License for the specific language governing permissions and
    19. 

  19.  *  limitations under the License.
    20. 

  20.  *
    21. 

  21.  *  This file is part of mbed TLS (https://tls.mbed.org)
    22. 

  22.  */
    23. 

  23. 

  24. /*
    25. 

  25.  * References:
    26. 

  26.  *
    27. 

  27.  * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
    28. 

  28.  *      CMAC Mode for Authentication
    29. 

  29.  *   http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38b.pdf
    30. 

  30.  *
    31. 

  31.  * - RFC 4493 - The AES-CMAC Algorithm
    32. 

  32.  *   https://tools.ietf.org/html/rfc4493
    33. 

  33.  *
    34. 

  34.  * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
    35. 

  35.  *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
    36. 

  36.  *      Algorithm for the Internet Key Exchange Protocol (IKE)
    37. 

  37.  *   https://tools.ietf.org/html/rfc4615
    38. 

  38.  *
    39. 

  39.  *   Additional test vectors: ISO/IEC 9797-1
    40. 

  40.  *
    41. 

  41.  */
    42. 

  42. 

  43. #if !defined(MBEDTLS_CONFIG_FILE)
    44. 

  44. #include "mbedtls/config.h"
    45. 

  45. #else
    46. 

  46. #include MBEDTLS_CONFIG_FILE
    47. 

  47. #endif
    48. 

  48. 

  49. #if defined(MBEDTLS_CMAC_C)
    50. 

  50. 

  51. #include "mbedtls/cmac.h"
    52. 

  52. 

  53. #include <string.h>
    54. 

  54. 

  55. 

  56. #if defined(MBEDTLS_PLATFORM_C)
    57. 

  57. #include "mbedtls/platform.h"
    58. 

  58. #else
    59. 

  59. #include <stdlib.h>
    60. 

  60. #define mbedtls_calloc     calloc
    61. 

  61. #define mbedtls_free       free
    62. 

  62. #if defined(MBEDTLS_SELF_TEST)
    63. 

  63. #include <stdio.h>
    64. 

  64. #define mbedtls_printf     printf
    65. 

  65. #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C || MBEDTLS_DES_C */
    66. 

  66. #endif /* MBEDTLS_PLATFORM_C */
    67. 

  67. 

  68. /* Implementation that should never be optimized out by the compiler */
    69. 

  69. static void mbedtls_zeroize( void *v, size_t n ) {
    70. 

  70.     volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
    71. 

  71. }
    72. 

  72. 

  73. /*
    74. 

  74.  * Multiplication by u in the Galois field of GF(2^n)
    75. 

  75.  *
    76. 

  76.  * As explained in NIST SP 800-38B, this can be computed:
    77. 

  77.  *
    78. 

  78.  *   If MSB(p) = 0, then p = (p << 1)
    79. 

  79.  *   If MSB(p) = 1, then p = (p << 1) ^ R_n
    80. 

  80.  *   with R_64 = 0x1B and  R_128 = 0x87
    81. 

  81.  *
    82. 

  82.  * Input and output MUST NOT point to the same buffer
    83. 

  83.  * Block size must be 8 byes or 16 bytes - the block sizes for DES and AES.
    84. 

  84.  */
    85. 

  85. static int cmac_multiply_by_u( unsigned char *output,
    86. 

  86.                                const unsigned char *input,
    87. 

  87.                                size_t blocksize )
    88. 

  88. {
    89. 

  89.     const unsigned char R_128 = 0x87;
    90. 

  90.     const unsigned char R_64 = 0x1B;
    91. 

  91.     unsigned char R_n, mask;
    92. 

  92.     unsigned char overflow = 0x00;
    93. 

  93.     int i;
    94. 

  94. 

  95.     if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
    96. 

  96.     {
    97. 

  97.         R_n = R_128;
    98. 

  98.     }
    99. 

  99.     else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
    100. 

  100.     {
    101. 

  101.         R_n = R_64;
    102. 

  102.     }
    103. 

  103.     else
    104. 

  104.     {
    105. 

  105.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    106. 

  106.     }
    107. 

  107. 

  108.     for( i = blocksize - 1; i >= 0; i-- )
    109. 

  109.     {
    110. 

  110.         output[i] = input[i] << 1 | overflow;
    111. 

  111.         overflow = input[i] >> 7;
    112. 

  112.     }
    113. 

  113. 

  114.     /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
    115. 

  115.      * using bit operations to avoid branches */
    116. 

  116. 

  117.     /* MSVC has a warning about unary minus on unsigned, but this is
    118. 

  118.      * well-defined and precisely what we want to do here */
    119. 

  119. #if defined(_MSC_VER)
    120. 

  120. #pragma warning( push )
    121. 

  121. #pragma warning( disable : 4146 )
    122. 

  122. #endif
    123. 

  123.     mask = - ( input[0] >> 7 );
    124. 

  124. #if defined(_MSC_VER)
    125. 

  125. #pragma warning( pop )
    126. 

  126. #endif
    127. 

  127. 

  128.     output[ blocksize - 1 ] ^= R_n & mask;
    129. 

  129. 

  130.     return( 0 );
    131. 

  131. }
    132. 

  132. 

  133. /*
    134. 

  134.  * Generate subkeys
    135. 

  135.  *
    136. 

  136.  * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
    137. 

  137.  */
    138. 

  138. static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
    139. 

  139.                                   unsigned char* K1, unsigned char* K2 )
    140. 

  140. {
    141. 

  141.     int ret;
    142. 

  142.     unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
    143. 

  143.     size_t olen, block_size;
    144. 

  144. 

  145.     mbedtls_zeroize( L, sizeof( L ) );
    146. 

  146. 

  147.     block_size = ctx->cipher_info->block_size;
    148. 

  148. 

  149.     /* Calculate Ek(0) */
    150. 

  150.     if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
    151. 

  151.         goto exit;
    152. 

  152. 

  153.     /*
    154. 

  154.      * Generate K1 and K2
    155. 

  155.      */
    156. 

  156.     if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
    157. 

  157.         goto exit;
    158. 

  158. 

  159.     if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
    160. 

  160.         goto exit;
    161. 

  161. 

  162. exit:
    163. 

  163.     mbedtls_zeroize( L, sizeof( L ) );
    164. 

  164. 

  165.     return( ret );
    166. 

  166. }
    167. 

  167. 

  168. static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
    169. 

  169.                             const unsigned char *input2,
    170. 

  170.                             const size_t block_size )
    171. 

  171. {
    172. 

  172.     size_t index;
    173. 

  173. 

  174.     for( index = 0; index < block_size; index++ )
    175. 

  175.         output[ index ] = input1[ index ] ^ input2[ index ];
    176. 

  176. }
    177. 

  177. 

  178. /*
    179. 

  179.  * Create padded last block from (partial) last block.
    180. 

  180.  *
    181. 

  181.  * We can't use the padding option from the cipher layer, as it only works for
    182. 

  182.  * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
    183. 

  183.  */
    184. 

  184. static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
    185. 

  185.                       size_t padded_block_len,
    186. 

  186.                       const unsigned char *last_block,
    187. 

  187.                       size_t last_block_len )
    188. 

  188. {
    189. 

  189.     size_t j;
    190. 

  190. 

  191.     for( j = 0; j < padded_block_len; j++ )
    192. 

  192.     {
    193. 

  193.         if( j < last_block_len )
    194. 

  194.             padded_block[j] = last_block[j];
    195. 

  195.         else if( j == last_block_len )
    196. 

  196.             padded_block[j] = 0x80;
    197. 

  197.         else
    198. 

  198.             padded_block[j] = 0x00;
    199. 

  199.     }
    200. 

  200. }
    201. 

  201. 

  202. int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
    203. 

  203.                                 const unsigned char *key, size_t keybits )
    204. 

  204. {
    205. 

  205.     mbedtls_cipher_type_t type;
    206. 

  206.     mbedtls_cmac_context_t *cmac_ctx;
    207. 

  207.     int retval;
    208. 

  208. 

  209.     if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
    210. 

  210.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    211. 

  211. 

  212.     if( ( retval = mbedtls_cipher_setkey( ctx, key, keybits,
    213. 

  213.                                           MBEDTLS_ENCRYPT ) ) != 0 )
    214. 

  214.         return( retval );
    215. 

  215. 

  216.     type = ctx->cipher_info->type;
    217. 

  217. 

  218.     switch( type )
    219. 

  219.     {
    220. 

  220.         case MBEDTLS_CIPHER_AES_128_ECB:
    221. 

  221.         case MBEDTLS_CIPHER_AES_192_ECB:
    222. 

  222.         case MBEDTLS_CIPHER_AES_256_ECB:
    223. 

  223.         case MBEDTLS_CIPHER_DES_EDE3_ECB:
    224. 

  224.             break;
    225. 

  225.         default:
    226. 

  226.             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    227. 

  227.     }
    228. 

  228. 

  229.     /* Allocated and initialise in the cipher context memory for the CMAC
    230. 

  230.      * context */
    231. 

  231.     cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
    232. 

  232.     if( cmac_ctx == NULL )
    233. 

  233.         return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
    234. 

  234. 

  235.     ctx->cmac_ctx = cmac_ctx;
    236. 

  236. 

  237.     mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
    238. 

  238. 

  239.     return 0;
    240. 

  240. }
    241. 

  241. 

  242. int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
    243. 

  243.                                 const unsigned char *input, size_t ilen )
    244. 

  244. {
    245. 

  245.     mbedtls_cmac_context_t* cmac_ctx;
    246. 

  246.     unsigned char *state;
    247. 

  247.     int n, j, ret = 0;
    248. 

  248.     size_t olen, block_size;
    249. 

  249. 

  250.     if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
    251. 

  251.         ctx->cmac_ctx == NULL )
    252. 

  252.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    253. 

  253. 

  254.     cmac_ctx = ctx->cmac_ctx;
    255. 

  255.     block_size = ctx->cipher_info->block_size;
    256. 

  256.     state = ctx->cmac_ctx->state;
    257. 

  257. 

  258.     /* Is there data still to process from the last call, that's greater in
    259. 

  259.      * size than a block? */
    260. 

  260.     if( cmac_ctx->unprocessed_len > 0 &&
    261. 

  261.         ilen > block_size - cmac_ctx->unprocessed_len )
    262. 

  262.     {
    263. 

  263.         memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
    264. 

  264.                 input,
    265. 

  265.                 block_size - cmac_ctx->unprocessed_len );
    266. 

  266. 

  267.         cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
    268. 

  268. 

  269.         if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
    270. 

  270.                                            &olen ) ) != 0 )
    271. 

  271.         {
    272. 

  272.            goto exit;
    273. 

  273.         }
    274. 

  274. 

  275.         input += block_size - cmac_ctx->unprocessed_len;
    276. 

  276.         ilen -= block_size - cmac_ctx->unprocessed_len;
    277. 

  277.         cmac_ctx->unprocessed_len = 0;
    278. 

  278.     }
    279. 

  279. 

  280.     /* n is the number of blocks including any final partial block */
    281. 

  281.     n = ( ilen + block_size - 1 ) / block_size;
    282. 

  282. 

  283.    /* Iterate across the input data in block sized chunks */
    284. 

  284.     for( j = 0; j < n - 1; j++ )
    285. 

  285.     {
    286. 

  286.         cmac_xor_block( state, input, state, block_size );
    287. 

  287. 

  288.         if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
    289. 

  289.                                            &olen ) ) != 0 )
    290. 

  290.            goto exit;
    291. 

  291. 

  292.         ilen -= block_size;
    293. 

  293.         input += block_size;
    294. 

  294.     }
    295. 

  295. 

  296.     /* If there is data left over that wasn't aligned to a block */
    297. 

  297.     if( ilen > 0 )
    298. 

  298.     {
    299. 

  299.         memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
    300. 

  300.                 input,
    301. 

  301.                 ilen );
    302. 

  302.         cmac_ctx->unprocessed_len += ilen;
    303. 

  303.     }
    304. 

  304. 

  305. exit:
    306. 

  306.     return( ret );
    307. 

  307. }
    308. 

  308. 

  309. int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
    310. 

  310.                                 unsigned char *output )
    311. 

  311. {
    312. 

  312.     mbedtls_cmac_context_t* cmac_ctx;
    313. 

  313.     unsigned char *state, *last_block;
    314. 

  314.     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
    315. 

  315.     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
    316. 

  316.     unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
    317. 

  317.     int ret;
    318. 

  318.     size_t olen, block_size;
    319. 

  319. 

  320.     if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
    321. 

  321.         output == NULL )
    322. 

  322.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    323. 

  323. 

  324.     cmac_ctx = ctx->cmac_ctx;
    325. 

  325.     block_size = ctx->cipher_info->block_size;
    326. 

  326.     state = cmac_ctx->state;
    327. 

  327. 

  328.     mbedtls_zeroize( K1, sizeof( K1 ) );
    329. 

  329.     mbedtls_zeroize( K2, sizeof( K2 ) );
    330. 

  330.     cmac_generate_subkeys( ctx, K1, K2 );
    331. 

  331. 

  332.     last_block = cmac_ctx->unprocessed_block;
    333. 

  333. 

  334.     /* Calculate last block */
    335. 

  335.     if( cmac_ctx->unprocessed_len < block_size )
    336. 

  336.     {
    337. 

  337.         cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
    338. 

  338.         cmac_xor_block( M_last, M_last, K2, block_size );
    339. 

  339.     }
    340. 

  340.     else
    341. 

  341.     {
    342. 

  342.         /* Last block is complete block */
    343. 

  343.         cmac_xor_block( M_last, last_block, K1, block_size );
    344. 

  344.     }
    345. 

  345. 

  346. 

  347.     cmac_xor_block( state, M_last, state, block_size );
    348. 

  348.     if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
    349. 

  349.                                        &olen ) ) != 0 )
    350. 

  350.     {
    351. 

  351.         goto exit;
    352. 

  352.     }
    353. 

  353. 

  354.     memcpy( output, state, block_size );
    355. 

  355. 

  356. exit:
    357. 

  357.     /* Wipe the generated keys on the stack, and any other transients to avoid
    358. 

  358.      * side channel leakage */
    359. 

  359.     mbedtls_zeroize( K1, sizeof( K1 ) );
    360. 

  360.     mbedtls_zeroize( K2, sizeof( K2 ) );
    361. 

  361. 

  362.     cmac_ctx->unprocessed_len = 0;
    363. 

  363.     mbedtls_zeroize( cmac_ctx->unprocessed_block,
    364. 

  364.                      sizeof( cmac_ctx->unprocessed_block ) );
    365. 

  365. 

  366.     mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
    367. 

  367.     return( ret );
    368. 

  368. }
    369. 

  369. 

  370. int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
    371. 

  371. {
    372. 

  372.     mbedtls_cmac_context_t* cmac_ctx;
    373. 

  373. 

  374.     if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
    375. 

  375.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    376. 

  376. 

  377.     cmac_ctx = ctx->cmac_ctx;
    378. 

  378. 

  379.     /* Reset the internal state */
    380. 

  380.     cmac_ctx->unprocessed_len = 0;
    381. 

  381.     mbedtls_zeroize( cmac_ctx->unprocessed_block,
    382. 

  382.                      sizeof( cmac_ctx->unprocessed_block ) );
    383. 

  383.     mbedtls_zeroize( cmac_ctx->state,
    384. 

  384.                      sizeof( cmac_ctx->state ) );
    385. 

  385. 

  386.     return( 0 );
    387. 

  387. }
    388. 

  388. 

  389. int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
    390. 

  390.                          const unsigned char *key, size_t keylen,
    391. 

  391.                          const unsigned char *input, size_t ilen,
    392. 

  392.                          unsigned char *output )
    393. 

  393. {
    394. 

  394.     mbedtls_cipher_context_t ctx;
    395. 

  395.     int ret;
    396. 

  396. 

  397.     if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
    398. 

  398.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    399. 

  399. 

  400.     mbedtls_cipher_init( &ctx );
    401. 

  401. 

  402.     if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
    403. 

  403.         goto exit;
    404. 

  404. 

  405.     ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
    406. 

  406.     if( ret != 0 )
    407. 

  407.         goto exit;
    408. 

  408. 

  409.     ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
    410. 

  410.     if( ret != 0 )
    411. 

  411.         goto exit;
    412. 

  412. 

  413.     ret = mbedtls_cipher_cmac_finish( &ctx, output );
    414. 

  414. 

  415. exit:
    416. 

  416.     mbedtls_cipher_free( &ctx );
    417. 

  417. 

  418.     return( ret );
    419. 

  419. }
    420. 

  420. 

  421. #if defined(MBEDTLS_AES_C)
    422. 

  422. /*
    423. 

  423.  * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
    424. 

  424.  */
    425. 

  425. int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
    426. 

  426.                               const unsigned char *input, size_t in_len,
    427. 

  427.                               unsigned char *output )
    428. 

  428. {
    429. 

  429.     int ret;
    430. 

  430.     const mbedtls_cipher_info_t *cipher_info;
    431. 

  431.     unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
    432. 

  432.     unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
    433. 

  433. 

  434.     if( key == NULL || input == NULL || output == NULL )
    435. 

  435.         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
    436. 

  436. 

  437.     cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
    438. 

  438.     if( cipher_info == NULL )
    439. 

  439.     {
    440. 

  440.         /* Failing at this point must be due to a build issue */
    441. 

  441.         ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
    442. 

  442.         goto exit;
    443. 

  443.     }
    444. 

  444. 

  445.     if( key_length == MBEDTLS_AES_BLOCK_SIZE )
    446. 

  446.     {
    447. 

  447.         /* Use key as is */
    448. 

  448.         memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
    449. 

  449.     }
    450. 

  450.     else
    451. 

  451.     {
    452. 

  452.         memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
    453. 

  453. 

  454.         ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
    455. 

  455.                                    key_length, int_key );
    456. 

  456.         if( ret != 0 )
    457. 

  457.             goto exit;
    458. 

  458.     }
    459. 

  459. 

  460.     ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
    461. 

  461.                                output );
    462. 

  462. 

  463. exit:
    464. 

  464.     mbedtls_zeroize( int_key, sizeof( int_key ) );
    465. 

  465. 

  466.     return( ret );
    467. 

  467. }
    468. 

  468. #endif /* MBEDTLS_AES_C */
    469. 

  469. 

  470. #if defined(MBEDTLS_SELF_TEST)
    471. 

  471. /*
    472. 

  472.  * CMAC test data from SP800-38B Appendix D.1 (corrected)
    473. 

  473.  * http://csrc.nist.gov/publications/nistpubs/800-38B/Updated_CMAC_Examples.pdf
    474. 

  474.  *
    475. 

  475.  * AES-CMAC-PRF-128 test data from RFC 4615
    476. 

  476.  * https://tools.ietf.org/html/rfc4615#page-4
    477. 

  477.  */
    478. 

  478. 

  479. #define NB_CMAC_TESTS_PER_KEY 4
    480. 

  480. #define NB_PRF_TESTS 3
    481. 

  481. 

  482. #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
    483. 

  483. /* All CMAC test inputs are truncated from the same 64 byte buffer. */
    484. 

  484. static const unsigned char test_message[] = {
    485. 

  485.     0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
    486. 

  486.     0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
    487. 

  487.     0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
    488. 

  488.     0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
    489. 

  489.     0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
    490. 

  490.     0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
    491. 

  491.     0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
    492. 

  492.     0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
    493. 

  493. };
    494. 

  494. #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
    495. 

  495. 

  496. #if defined(MBEDTLS_AES_C)
    497. 

  497. /* Truncation point of message for AES CMAC tests  */
    498. 

  498. static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
    499. 

  499.     0,
    500. 

  500.     16,
    501. 

  501.     40,
    502. 

  502.     64
    503. 

  503. };
    504. 

  504. 

  505. /* AES 128 CMAC Test Data */
    506. 

  506. static const unsigned char aes_128_key[16] = {
    507. 

  507.     0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    508. 

  508.     0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
    509. 

  509. };
    510. 

  510. static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
    511. 

  511.     {
    512. 

  512.         0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
    513. 

  513.         0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
    514. 

  514.     },
    515. 

  515.     {
    516. 

  516.         0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
    517. 

  517.         0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
    518. 

  518.     }
    519. 

  519. };
    520. 

  520. static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
    521. 

  521.     {
    522. 

  522.         0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
    523. 

  523.         0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
    524. 

  524.     },
    525. 

  525.     {
    526. 

  526.         0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
    527. 

  527.         0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
    528. 

  528.     },
    529. 

  529.     {
    530. 

  530.         0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
    531. 

  531.         0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27
    532. 

  532.     },
    533. 

  533.     {
    534. 

  534.         0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
    535. 

  535.         0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
    536. 

  536.     }
    537. 

  537. };
    538. 

  538. 

  539. /* AES 192 CMAC Test Data */
    540. 

  540. static const unsigned char aes_192_key[24] = {
    541. 

  541.     0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
    542. 

  542.     0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
    543. 

  543.     0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
    544. 

  544. };
    545. 

  545. static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
    546. 

  546.     {
    547. 

  547.         0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
    548. 

  548.         0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
    549. 

  549.     },
    550. 

  550.     {
    551. 

  551.         0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
    552. 

  552.         0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
    553. 

  553.     }
    554. 

  554. };
    555. 

  555. static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
    556. 

  556.     {
    557. 

  557.         0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
    558. 

  558.         0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
    559. 

  559.     },
    560. 

  560.     {
    561. 

  561.         0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
    562. 

  562.         0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
    563. 

  563.     },
    564. 

  564.     {
    565. 

  565.         0x8a, 0x1d, 0xe5, 0xbe, 0x2e, 0xb3, 0x1a, 0xad,
    566. 

  566.         0x08, 0x9a, 0x82, 0xe6, 0xee, 0x90, 0x8b, 0x0e
    567. 

  567.     },
    568. 

  568.     {
    569. 

  569.         0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
    570. 

  570.         0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
    571. 

  571.     }
    572. 

  572. };
    573. 

  573. 

  574. /* AES 256 CMAC Test Data */
    575. 

  575. static const unsigned char aes_256_key[32] = {
    576. 

  576.     0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
    577. 

  577.     0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
    578. 

  578.     0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
    579. 

  579.     0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
    580. 

  580. };
    581. 

  581. static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
    582. 

  582.     {
    583. 

  583.         0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
    584. 

  584.         0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
    585. 

  585.     },
    586. 

  586.     {
    587. 

  587.         0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
    588. 

  588.         0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
    589. 

  589.     }
    590. 

  590. };
    591. 

  591. static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
    592. 

  592.     {
    593. 

  593.         0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
    594. 

  594.         0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
    595. 

  595.     },
    596. 

  596.     {
    597. 

  597.         0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
    598. 

  598.         0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
    599. 

  599.     },
    600. 

  600.     {
    601. 

  601.         0xaa, 0xf3, 0xd8, 0xf1, 0xde, 0x56, 0x40, 0xc2,
    602. 

  602.         0x32, 0xf5, 0xb1, 0x69, 0xb9, 0xc9, 0x11, 0xe6
    603. 

  603.     },
    604. 

  604.     {
    605. 

  605.         0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
    606. 

  606.         0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
    607. 

  607.     }
    608. 

  608. };
    609. 

  609. #endif /* MBEDTLS_AES_C */
    610. 

  610. 

  611. #if defined(MBEDTLS_DES_C)
    612. 

  612. /* Truncation point of message for 3DES CMAC tests  */
    613. 

  613. static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
    614. 

  614.     0,
    615. 

  615.     8,
    616. 

  616.     20,
    617. 

  617.     32
    618. 

  618. };
    619. 

  619. 

  620. /* 3DES 2 Key CMAC Test Data */
    621. 

  621. static const unsigned char des3_2key_key[24] = {
    622. 

  622.     0x4c, 0xf1, 0x51, 0x34, 0xa2, 0x85, 0x0d, 0xd5,
    623. 

  623.     0x8a, 0x3d, 0x10, 0xba, 0x80, 0x57, 0x0d, 0x38,
    624. 

  624.     0x4c, 0xf1, 0x51, 0x34, 0xa2, 0x85, 0x0d, 0xd5
    625. 

  625. };
    626. 

  626. static const unsigned char des3_2key_subkeys[2][8] = {
    627. 

  627.     {
    628. 

  628.         0x8e, 0xcf, 0x37, 0x3e, 0xd7, 0x1a, 0xfa, 0xef
    629. 

  629.     },
    630. 

  630.     {
    631. 

  631.         0x1d, 0x9e, 0x6e, 0x7d, 0xae, 0x35, 0xf5, 0xc5
    632. 

  632.     }
    633. 

  633. };
    634. 

  634. static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
    635. 

  635.     {
    636. 

  636.         0xbd, 0x2e, 0xbf, 0x9a, 0x3b, 0xa0, 0x03, 0x61
    637. 

  637.     },
    638. 

  638.     {
    639. 

  639.         0x4f, 0xf2, 0xab, 0x81, 0x3c, 0x53, 0xce, 0x83
    640. 

  640.     },
    641. 

  641.     {
    642. 

  642.         0x62, 0xdd, 0x1b, 0x47, 0x19, 0x02, 0xbd, 0x4e
    643. 

  643.     },
    644. 

  644.     {
    645. 

  645.         0x31, 0xb1, 0xe4, 0x31, 0xda, 0xbc, 0x4e, 0xb8
    646. 

  646.     }
    647. 

  647. };
    648. 

  648. 

  649. /* 3DES 3 Key CMAC Test Data */
    650. 

  650. static const unsigned char des3_3key_key[24] = {
    651. 

  651.     0x8a, 0xa8, 0x3b, 0xf8, 0xcb, 0xda, 0x10, 0x62,
    652. 

  652.     0x0b, 0xc1, 0xbf, 0x19, 0xfb, 0xb6, 0xcd, 0x58,
    653. 

  653.     0xbc, 0x31, 0x3d, 0x4a, 0x37, 0x1c, 0xa8, 0xb5
    654. 

  654. };
    655. 

  655. static const unsigned char des3_3key_subkeys[2][8] = {
    656. 

  656.     {
    657. 

  657.         0x91, 0x98, 0xe9, 0xd3, 0x14, 0xe6, 0x53, 0x5f
    658. 

  658.     },
    659. 

  659.     {
    660. 

  660.         0x23, 0x31, 0xd3, 0xa6, 0x29, 0xcc, 0xa6, 0xa5
    661. 

  661.     }
    662. 

  662. };
    663. 

  663. static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
    664. 

  664.     {
    665. 

  665.         0xb7, 0xa6, 0x88, 0xe1, 0x22, 0xff, 0xaf, 0x95
    666. 

  666.     },
    667. 

  667.     {
    668. 

  668.         0x8e, 0x8f, 0x29, 0x31, 0x36, 0x28, 0x37, 0x97
    669. 

  669.     },
    670. 

  670.     {
    671. 

  671.         0x74, 0x3d, 0xdb, 0xe0, 0xce, 0x2d, 0xc2, 0xed
    672. 

  672.     },
    673. 

  673.     {
    674. 

  674.         0x33, 0xe6, 0xb1, 0x09, 0x24, 0x00, 0xea, 0xe5
    675. 

  675.     }
    676. 

  676. };
    677. 

  677. 

  678. #endif /* MBEDTLS_DES_C */
    679. 

  679. 

  680. #if defined(MBEDTLS_AES_C)
    681. 

  681. /* AES AES-CMAC-PRF-128 Test Data */
    682. 

  682. static const unsigned char PRFK[] = {
    683. 

  683.     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    684. 

  684.     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    685. 

  685.     0xed, 0xcb
    686. 

  686. };
    687. 

  687. 

  688. /* Sizes in bytes */
    689. 

  689. static const size_t PRFKlen[NB_PRF_TESTS] = {
    690. 

  690.     18,
    691. 

  691.     16,
    692. 

  692.     10
    693. 

  693. };
    694. 

  694. 

  695. /* PRF M */
    696. 

  696. static const unsigned char PRFM[] = {
    697. 

  697.     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    698. 

  698.     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    699. 

  699.     0x10, 0x11, 0x12, 0x13
    700. 

  700. };
    701. 

  701. 

  702. static const unsigned char PRFT[NB_PRF_TESTS][16] = {
    703. 

  703.     {
    704. 

  704.         0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
    705. 

  705.         0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
    706. 

  706.     },
    707. 

  707.     {
    708. 

  708.         0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
    709. 

  709.         0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
    710. 

  710.     },
    711. 

  711.     {
    712. 

  712.         0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
    713. 

  713.         0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
    714. 

  714.     }
    715. 

  715. };
    716. 

  716. #endif /* MBEDTLS_AES_C */
    717. 

  717. 

  718. static int cmac_test_subkeys( int verbose,
    719. 

  719.                               const char* testname,
    720. 

  720.                               const unsigned char* key,
    721. 

  721.                               int keybits,
    722. 

  722.                               const unsigned char* subkeys,
    723. 

  723.                               mbedtls_cipher_type_t cipher_type,
    724. 

  724.                               int block_size,
    725. 

  725.                               int num_tests )
    726. 

  726. {
    727. 

  727.     int i, ret;
    728. 

  728.     mbedtls_cipher_context_t ctx;
    729. 

  729.     const mbedtls_cipher_info_t *cipher_info;
    730. 

  730.     unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
    731. 

  731.     unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
    732. 

  732. 

  733.     cipher_info = mbedtls_cipher_info_from_type( cipher_type );
    734. 

  734.     if( cipher_info == NULL )
    735. 

  735.     {
    736. 

  736.         /* Failing at this point must be due to a build issue */
    737. 

  737.         return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
    738. 

  738.     }
    739. 

  739. 

  740.     for( i = 0; i < num_tests; i++ )
    741. 

  741.     {
    742. 

  742.         if( verbose != 0 )
    743. 

  743.             mbedtls_printf( "  %s CMAC subkey #%u: ", testname, i + 1 );
    744. 

  744. 

  745.         mbedtls_cipher_init( &ctx );
    746. 

  746. 

  747.         if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
    748. 

  748.         {
    749. 

  749.             if( verbose != 0 )
    750. 

  750.                 mbedtls_printf( "test execution failed\n" );
    751. 

  751. 

  752.             goto cleanup;
    753. 

  753.         }
    754. 

  754. 

  755.         if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
    756. 

  756.                                        MBEDTLS_ENCRYPT ) ) != 0 )
    757. 

  757.         {
    758. 

  758.             if( verbose != 0 )
    759. 

  759.                 mbedtls_printf( "test execution failed\n" );
    760. 

  760. 

  761.             goto cleanup;
    762. 

  762.         }
    763. 

  763. 

  764.         ret = cmac_generate_subkeys( &ctx, K1, K2 );
    765. 

  765.         if( ret != 0 )
    766. 

  766.         {
    767. 

  767.            if( verbose != 0 )
    768. 

  768.                 mbedtls_printf( "failed\n" );
    769. 

  769. 

  770.             goto cleanup;
    771. 

  771.         }
    772. 

  772. 

  773.         if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0  ||
    774. 

  774.             ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
    775. 

  775.         {
    776. 

  776.             if( verbose != 0 )
    777. 

  777.                 mbedtls_printf( "failed\n" );
    778. 

  778. 

  779.             goto cleanup;
    780. 

  780.         }
    781. 

  781. 

  782.         if( verbose != 0 )
    783. 

  783.             mbedtls_printf( "passed\n" );
    784. 

  784. 

  785.         mbedtls_cipher_free( &ctx );
    786. 

  786.     }
    787. 

  787. 

  788.     goto exit;
    789. 

  789. 

  790. cleanup:
    791. 

  791.     mbedtls_cipher_free( &ctx );
    792. 

  792. 

  793. exit:
    794. 

  794.     return( ret );
    795. 

  795. }
    796. 

  796. 

  797. static int cmac_test_wth_cipher( int verbose,
    798. 

  798.                                  const char* testname,
    799. 

  799.                                  const unsigned char* key,
    800. 

  800.                                  int keybits,
    801. 

  801.                                  const unsigned char* messages,
    802. 

  802.                                  const unsigned int message_lengths[4],
    803. 

  803.                                  const unsigned char* expected_result,
    804. 

  804.                                  mbedtls_cipher_type_t cipher_type,
    805. 

  805.                                  int block_size,
    806. 

  806.                                  int num_tests )
    807. 

  807. {
    808. 

  808.     const mbedtls_cipher_info_t *cipher_info;
    809. 

  809.     int i, ret;
    810. 

  810.     unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
    811. 

  811. 

  812.     cipher_info = mbedtls_cipher_info_from_type( cipher_type );
    813. 

  813.     if( cipher_info == NULL )
    814. 

  814.     {
    815. 

  815.         /* Failing at this point must be due to a build issue */
    816. 

  816.         ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
    817. 

  817.         goto exit;
    818. 

  818.     }
    819. 

  819. 

  820.     for( i = 0; i < num_tests; i++ )
    821. 

  821.     {
    822. 

  822.         if( verbose != 0 )
    823. 

  823.             mbedtls_printf( "  %s CMAC #%u: ", testname, i + 1 );
    824. 

  824. 

  825.         if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
    826. 

  826.                                          message_lengths[i], output ) ) != 0 )
    827. 

  827.         {
    828. 

  828.             if( verbose != 0 )
    829. 

  829.                 mbedtls_printf( "failed\n" );
    830. 

  830.             goto exit;
    831. 

  831.         }
    832. 

  832. 

  833.         if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
    834. 

  834.         {
    835. 

  835.             if( verbose != 0 )
    836. 

  836.                 mbedtls_printf( "failed\n" );
    837. 

  837.             goto exit;
    838. 

  838.         }
    839. 

  839. 

  840.         if( verbose != 0 )
    841. 

  841.             mbedtls_printf( "passed\n" );
    842. 

  842.     }
    843. 

  843. 

  844. exit:
    845. 

  845.     return( ret );
    846. 

  846. }
    847. 

  847. 

  848. #if defined(MBEDTLS_AES_C)
    849. 

  849. static int test_aes128_cmac_prf( int verbose )
    850. 

  850. {
    851. 

  851.     int i;
    852. 

  852.     int ret;
    853. 

  853.     unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
    854. 

  854. 

  855.     for( i = 0; i < NB_PRF_TESTS; i++ )
    856. 

  856.     {
    857. 

  857.         mbedtls_printf( "  AES CMAC 128 PRF #%u: ", i );
    858. 

  858.         ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
    859. 

  859.         if( ret != 0 ||
    860. 

  860.             memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
    861. 

  861.         {
    862. 

  862. 

  863.             if( verbose != 0 )
    864. 

  864.                 mbedtls_printf( "failed\n" );
    865. 

  865. 

  866.             return( ret );
    867. 

  867.         }
    868. 

  868.         else if( verbose != 0 )
    869. 

  869.         {
    870. 

  870.             mbedtls_printf( "passed\n" );
    871. 

  871.         }
    872. 

  872.     }
    873. 

  873.     return( ret );
    874. 

  874. }
    875. 

  875. #endif /* MBEDTLS_AES_C */
    876. 

  876. 

  877. int mbedtls_cmac_self_test( int verbose )
    878. 

  878. {
    879. 

  879.     int ret;
    880. 

  880. 

  881. #if defined(MBEDTLS_AES_C)
    882. 

  882.     /* AES-128 */
    883. 

  883.     if( ( ret = cmac_test_subkeys( verbose,
    884. 

  884.                                    "AES 128",
    885. 

  885.                                    aes_128_key,
    886. 

  886.                                    128,
    887. 

  887.                                    (const unsigned char*)aes_128_subkeys,
    888. 

  888.                                    MBEDTLS_CIPHER_AES_128_ECB,
    889. 

  889.                                    MBEDTLS_AES_BLOCK_SIZE,
    890. 

  890.                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    891. 

  891.     {
    892. 

  892.         return( ret );
    893. 

  893.     }
    894. 

  894. 

  895.     if( ( ret = cmac_test_wth_cipher( verbose,
    896. 

  896.                                       "AES 128",
    897. 

  897.                                       aes_128_key,
    898. 

  898.                                       128,
    899. 

  899.                                       test_message,
    900. 

  900.                                       aes_message_lengths,
    901. 

  901.                                       (const unsigned char*)aes_128_expected_result,
    902. 

  902.                                       MBEDTLS_CIPHER_AES_128_ECB,
    903. 

  903.                                       MBEDTLS_AES_BLOCK_SIZE,
    904. 

  904.                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    905. 

  905.     {
    906. 

  906.         return( ret );
    907. 

  907.     }
    908. 

  908. 

  909.     /* AES-192 */
    910. 

  910.     if( ( ret = cmac_test_subkeys( verbose,
    911. 

  911.                                    "AES 192",
    912. 

  912.                                    aes_192_key,
    913. 

  913.                                    192,
    914. 

  914.                                    (const unsigned char*)aes_192_subkeys,
    915. 

  915.                                    MBEDTLS_CIPHER_AES_192_ECB,
    916. 

  916.                                    MBEDTLS_AES_BLOCK_SIZE,
    917. 

  917.                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    918. 

  918.     {
    919. 

  919.         return( ret );
    920. 

  920.     }
    921. 

  921. 

  922.     if( ( ret = cmac_test_wth_cipher( verbose,
    923. 

  923.                                       "AES 192",
    924. 

  924.                                       aes_192_key,
    925. 

  925.                                       192,
    926. 

  926.                                       test_message,
    927. 

  927.                                       aes_message_lengths,
    928. 

  928.                                       (const unsigned char*)aes_192_expected_result,
    929. 

  929.                                       MBEDTLS_CIPHER_AES_192_ECB,
    930. 

  930.                                       MBEDTLS_AES_BLOCK_SIZE,
    931. 

  931.                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    932. 

  932.     {
    933. 

  933.         return( ret );
    934. 

  934.     }
    935. 

  935. 

  936.     /* AES-256 */
    937. 

  937.     if( ( ret = cmac_test_subkeys( verbose,
    938. 

  938.                                    "AES 256",
    939. 

  939.                                    aes_256_key,
    940. 

  940.                                    256,
    941. 

  941.                                    (const unsigned char*)aes_256_subkeys,
    942. 

  942.                                    MBEDTLS_CIPHER_AES_256_ECB,
    943. 

  943.                                    MBEDTLS_AES_BLOCK_SIZE,
    944. 

  944.                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    945. 

  945.     {
    946. 

  946.         return( ret );
    947. 

  947.     }
    948. 

  948. 

  949.     if( ( ret = cmac_test_wth_cipher ( verbose,
    950. 

  950.                                        "AES 256",
    951. 

  951.                                        aes_256_key,
    952. 

  952.                                        256,
    953. 

  953.                                        test_message,
    954. 

  954.                                        aes_message_lengths,
    955. 

  955.                                        (const unsigned char*)aes_256_expected_result,
    956. 

  956.                                        MBEDTLS_CIPHER_AES_256_ECB,
    957. 

  957.                                        MBEDTLS_AES_BLOCK_SIZE,
    958. 

  958.                                        NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    959. 

  959.     {
    960. 

  960.         return( ret );
    961. 

  961.     }
    962. 

  962. #endif /* MBEDTLS_AES_C */
    963. 

  963. 

  964. #if defined(MBEDTLS_DES_C)
    965. 

  965.     /* 3DES 2 key */
    966. 

  966.     if( ( ret = cmac_test_subkeys( verbose,
    967. 

  967.                                    "3DES 2 key",
    968. 

  968.                                    des3_2key_key,
    969. 

  969.                                    192,
    970. 

  970.                                    (const unsigned char*)des3_2key_subkeys,
    971. 

  971.                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
    972. 

  972.                                    MBEDTLS_DES3_BLOCK_SIZE,
    973. 

  973.                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    974. 

  974.     {
    975. 

  975.         return( ret );
    976. 

  976.     }
    977. 

  977. 

  978.     if( ( ret = cmac_test_wth_cipher( verbose,
    979. 

  979.                                       "3DES 2 key",
    980. 

  980.                                       des3_2key_key,
    981. 

  981.                                       192,
    982. 

  982.                                       test_message,
    983. 

  983.                                       des3_message_lengths,
    984. 

  984.                                       (const unsigned char*)des3_2key_expected_result,
    985. 

  985.                                       MBEDTLS_CIPHER_DES_EDE3_ECB,
    986. 

  986.                                       MBEDTLS_DES3_BLOCK_SIZE,
    987. 

  987.                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    988. 

  988.     {
    989. 

  989.         return( ret );
    990. 

  990.     }
    991. 

  991. 

  992.     /* 3DES 3 key */
    993. 

  993.     if( ( ret = cmac_test_subkeys( verbose,
    994. 

  994.                                    "3DES 3 key",
    995. 

  995.                                    des3_3key_key,
    996. 

  996.                                    192,
    997. 

  997.                                    (const unsigned char*)des3_3key_subkeys,
    998. 

  998.                                    MBEDTLS_CIPHER_DES_EDE3_ECB,
    999. 

  999.                                    MBEDTLS_DES3_BLOCK_SIZE,
    1000. 

  1000.                                    NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    1001. 

  1001.     {
    1002. 

  1002.         return( ret );
    1003. 

  1003.     }
    1004. 

  1004. 

  1005.     if( ( ret = cmac_test_wth_cipher( verbose,
    1006. 

  1006.                                       "3DES 3 key",
    1007. 

  1007.                                       des3_3key_key,
    1008. 

  1008.                                       192,
    1009. 

  1009.                                       test_message,
    1010. 

  1010.                                       des3_message_lengths,
    1011. 

  1011.                                       (const unsigned char*)des3_3key_expected_result,
    1012. 

  1012.                                       MBEDTLS_CIPHER_DES_EDE3_ECB,
    1013. 

  1013.                                       MBEDTLS_DES3_BLOCK_SIZE,
    1014. 

  1014.                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
    1015. 

  1015.     {
    1016. 

  1016.         return( ret );
    1017. 

  1017.     }
    1018. 

  1018. #endif /* MBEDTLS_DES_C */
    1019. 

  1019. 

  1020. #if defined(MBEDTLS_AES_C)
    1021. 

  1021.     if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
    1022. 

  1022.         return( ret );
    1023. 

  1023. #endif /* MBEDTLS_AES_C */
    1024. 

  1024. 

  1025.     if( verbose != 0 )
    1026. 

  1026.         mbedtls_printf( "\n" );
    1027. 

  1027. 

  1028.     return( 0 );
    1029. 

  1029. }
    1030. 

  1030. 

  1031. #endif /* MBEDTLS_SELF_TEST */
    1032. 

  1032. 

  1033. #endif /* MBEDTLS_CMAC_C */
    1034.