From f419e785669b86d8aa940f05ee8dbeffdceed6bd Mon Sep 17 00:00:00 2001
From: Sun Yimin <emmansun@users.noreply.github.com>
Date: Mon, 2 Dec 2024 17:57:51 +0800
Subject: [PATCH] Support CBC-MAC and its variants #281

---
 cbcmac/cbcmac.go      | 391 ++++++++++++++++++++++++++++++++++++++++++
 cbcmac/cbcmac_test.go | 256 +++++++++++++++++++++++++++
 2 files changed, 647 insertions(+)
 create mode 100644 cbcmac/cbcmac.go
 create mode 100644 cbcmac/cbcmac_test.go

diff --git a/cbcmac/cbcmac.go b/cbcmac/cbcmac.go
new file mode 100644
index 0000000..312595a
--- /dev/null
+++ b/cbcmac/cbcmac.go
@@ -0,0 +1,391 @@
+// Package cbcmac implements the Message Authentication Code with the block chipher mechanisms.
+package cbcmac
+
+import (
+	"crypto/cipher"
+
+	"github.com/emmansun/gmsm/internal/subtle"
+	"github.com/emmansun/gmsm/padding"
+)
+
+// Reference: GB/T 15821.1-2020 Security techniques - Message authentication codes - Part 1: Mechanisms using block ciphers
+
+// BockCipherMAC is the interface that wraps the basic MAC method.
+type BockCipherMAC interface {
+	// Size returns the MAC value's number of bytes.
+	Size() int
+
+	// MAC calculates the MAC of the given data.
+	// The MAC value's number of bytes is returned by Size.
+	// Intercept message authentication code as needed.
+	MAC(src []byte) []byte
+}
+
+// cbcmac implements the basic CBC-MAC mode of operation for block ciphers.
+type cbcmac struct {
+	b    cipher.Block
+	pad  padding.Padding
+	size int
+}
+
+// NewCBCMAC returns a CBC-MAC instance that implements the MAC with the given block cipher.
+// The padding scheme is ISO/IEC 9797-1 method 2.
+// GB/T 15821.1-2020 MAC scheme 1
+func NewCBCMAC(b cipher.Block, size int) BockCipherMAC {
+	if size <= 0 || size > b.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	return &cbcmac{b: b, pad: padding.NewISO9797M2Padding(uint(b.BlockSize())), size: size}
+}
+
+// Size returns the size of the MAC.
+// The returned value is the same as the block size of the block cipher.
+func (c *cbcmac) Size() int {
+	return c.size
+}
+
+// MAC calculates the MAC of the given data.
+// The data is padded with the padding scheme of the block cipher before processing.
+func (c *cbcmac) MAC(src []byte) []byte {
+	src = c.pad.Pad(src)
+	blockSize := c.b.BlockSize()
+	tag := make([]byte, blockSize)
+	for len(src) > 0 {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		c.b.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	return tag[:c.size]
+}
+
+// emac implements the EMAC mode of operation for block ciphers.
+type emac struct {
+	pad    padding.Padding
+	b1, b2 cipher.Block
+	size   int
+}
+
+// NewEMAC returns an EMAC instance that implements MAC with the given block cipher.
+// The padding scheme is ISO/IEC 9797-1 method 2.
+// GB/T 15821.1-2020 MAC scheme 2
+func NewEMAC(creator func(key []byte) (cipher.Block, error), key1, key2 []byte, size int) BockCipherMAC {
+	var b1, b2 cipher.Block
+	var err error
+	if b1, err = creator(key1); err != nil {
+		panic(err)
+	}
+	if size <= 0 || size > b1.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	if b2, err = creator(key2); err != nil {
+		panic(err)
+	}
+	return &emac{pad: padding.NewISO9797M2Padding(uint(b1.BlockSize())), b1: b1, b2: b2, size: size}
+}
+
+func (e *emac) Size() int {
+	return e.size
+}
+
+func (e *emac) MAC(src []byte) []byte {
+	src = e.pad.Pad(src)
+	blockSize := e.b1.BlockSize()
+	tag := make([]byte, blockSize)
+	for len(src) > 0 {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		e.b1.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	e.b2.Encrypt(tag, tag)
+	return tag[:e.size]
+}
+
+type ansiRetailMAC emac
+
+// NewANSIRetailMAC returns an ANSI Retail MAC instance that implements MAC with the given block cipher.
+// The padding scheme is ISO/IEC 9797-1 method 2.
+// GB/T 15821.1-2020 MAC scheme 3
+func NewANSIRetailMAC(creator func(key []byte) (cipher.Block, error), key1, key2 []byte, size int) BockCipherMAC {
+	return (*ansiRetailMAC)(NewEMAC(creator, key1, key2, size).(*emac))
+}
+
+func (e *ansiRetailMAC) Size() int {
+	return e.size
+}
+
+func (e *ansiRetailMAC) MAC(src []byte) []byte {
+	src = e.pad.Pad(src)
+	blockSize := e.b1.BlockSize()
+	tag := make([]byte, blockSize)
+	for len(src) > 0 {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		e.b1.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	e.b2.Decrypt(tag, tag)
+	e.b1.Encrypt(tag, tag)
+	return tag[:e.size]
+}
+
+type macDES struct {
+	pad        padding.Padding
+	b1, b2, b3 cipher.Block
+	size       int
+}
+
+// NewMACDES returns a MAC-DES instance that implements MAC with the given block cipher.
+// The padding scheme is ISO/IEC 9797-1 method 2.
+// GB/T 15821.1-2020 MAC scheme 4
+func NewMACDES(creator func(key []byte) (cipher.Block, error), key1, key2 []byte, size int) BockCipherMAC {
+	var b1, b2, b3 cipher.Block
+	var err error
+	if b1, err = creator(key1); err != nil {
+		panic(err)
+	}
+	if size <= 0 || size > b1.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	if b2, err = creator(key2); err != nil {
+		panic(err)
+	}
+	key3 := make([]byte, len(key2))
+	copy(key3, key2)
+	for i := 0; i < len(key3); i++ {
+		key3[i] ^= 0xF0
+	}
+	if b3, err = creator(key3); err != nil {
+		panic(err)
+	}
+	return &macDES{pad: padding.NewISO9797M2Padding(uint(b1.BlockSize())), b1: b1, b2: b2, b3: b3, size: size}
+}
+
+func (m *macDES) Size() int {
+	return m.size
+}
+
+func (m *macDES) MAC(src []byte) []byte {
+	src = m.pad.Pad(src)
+	blockSize := m.b1.BlockSize()
+	tag := make([]byte, blockSize)
+	copy(tag, src[:blockSize])
+	m.b1.Encrypt(tag, tag)
+	m.b3.Encrypt(tag, tag)
+	src = src[blockSize:]
+	for len(src) > 0 {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		m.b1.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	m.b2.Encrypt(tag, tag)
+	return tag[:m.size]
+}
+
+type cmac struct {
+	b      cipher.Block
+	k1, k2 []byte
+	size   int
+}
+
+// NewCMAC returns a CMAC instance that implements MAC with the given block cipher.
+// GB/T 15821.1-2020 MAC scheme 5
+func NewCMAC(b cipher.Block, size int) BockCipherMAC {
+	if size <= 0 || size > b.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	blockSize := b.BlockSize()
+	k1 := make([]byte, blockSize)
+	k2 := make([]byte, blockSize)
+	b.Encrypt(k1, k1)
+	msb := shiftLeft(k1)
+	k1[len(k1)-1] ^= msb * 0b10000111
+
+	copy(k2, k1)
+	msb = shiftLeft(k2)
+	k2[len(k2)-1] ^= msb * 0b10000111
+
+	return &cmac{b: b, k1: k1, k2: k2, size: size}
+}
+
+func (c *cmac) Size() int {
+	return c.size
+}
+
+func (c *cmac) MAC(src []byte) []byte {
+	blockSize := c.b.BlockSize()
+	tag := make([]byte, blockSize)
+	if len(src) == 0 {
+		// Special-cased as a single empty partial final block.
+		copy(tag, c.k2)
+		tag[len(src)] ^= 0b10000000
+		c.b.Encrypt(tag, tag)
+		return tag
+	}
+	for len(src) >= blockSize {
+		subtle.XORBytes(tag, src[:blockSize], tag)
+		if len(src) == blockSize {
+			// Final complete block.
+			subtle.XORBytes(tag, c.k1, tag)
+		}
+		c.b.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	if len(src) > 0 {
+		// Final incomplete block.
+		subtle.XORBytes(tag, src, tag)
+		subtle.XORBytes(tag, c.k2, tag)
+		tag[len(src)] ^= 0b10000000
+		c.b.Encrypt(tag, tag)
+	}
+	return tag[:c.size]
+}
+
+// shiftLeft sets x to x << 1, and returns MSB₁(x).
+func shiftLeft(x []byte) byte {
+	var msb byte
+	for i := len(x) - 1; i >= 0; i-- {
+		msb, x[i] = x[i]>>7, x[i]<<1|msb
+	}
+	return msb
+}
+
+type lmac struct {
+	b1, b2 cipher.Block
+	pad    padding.Padding
+	size   int
+}
+
+// NewLMAC returns an LMAC instance that implements MAC with the given block cipher.
+// GB/T 15821.1-2020 MAC scheme 6
+func NewLMAC(creator func(key []byte) (cipher.Block, error), key []byte, size int) BockCipherMAC {
+	var b, b1, b2 cipher.Block
+	var err error
+	if b, err = creator(key); err != nil {
+		panic(err)
+	}
+	if size <= 0 || size > b.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	blockSize := b.BlockSize()
+	key1 := make([]byte, blockSize)
+	key1[blockSize-1] = 0x01
+	key2 := make([]byte, blockSize)
+	key2[blockSize-1] = 0x02
+	b.Encrypt(key1, key1)
+	b.Encrypt(key2, key2)
+	if b1, err = creator(key1); err != nil {
+		panic(err)
+	}
+	if b2, err = creator(key2); err != nil {
+		panic(err)
+	}
+
+	return &lmac{b1: b1, b2: b2, pad: padding.NewISO9797M2Padding(uint(blockSize)), size: size}
+}
+
+func (l *lmac) Size() int {
+	return l.b1.BlockSize()
+}
+
+func (l *lmac) MAC(src []byte) []byte {
+	src = l.pad.Pad(src)
+	blockSize := l.b1.BlockSize()
+	tag := make([]byte, blockSize)
+	for len(src) > blockSize {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		l.b1.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	subtle.XORBytes(tag, tag, src[:blockSize])
+	l.b2.Encrypt(tag, tag)
+	return tag
+}
+
+type trCBCMAC struct {
+	b    cipher.Block
+	size int
+}
+
+// NewTRCBCMAC returns a TR-CBC-MAC instance that implements MAC with the given block cipher.
+// GB/T 15821.1-2020 MAC scheme 7
+func NewTRCBCMAC(b cipher.Block, size int) BockCipherMAC {
+	if size <= 0 || size > b.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	return &trCBCMAC{b: b, size: size}
+}
+
+func (t *trCBCMAC) Size() int {
+	return t.size
+}
+
+func (t *trCBCMAC) MAC(src []byte) []byte {
+	blockSize := t.b.BlockSize()
+	tag := make([]byte, blockSize)
+	padded := false
+	if len(src) == 0 || len(src)%blockSize != 0 {
+		pad := padding.NewISO9797M2Padding(uint(blockSize))
+		src = pad.Pad(src)
+		padded = true
+	}
+	for len(src) > 0 {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		t.b.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	if padded {
+		return tag[blockSize-t.size:]
+	}
+	return tag[:t.size]
+}
+
+type cbcrMAC struct {
+	b    cipher.Block
+	size int
+}
+
+// NewCBCRMAC returns a CBCRMAC instance that implements MAC with the given block cipher.
+// GB/T 15821.1-2020 MAC scheme 8
+func NewCBCRMAC(b cipher.Block, size int) BockCipherMAC {
+	if size <= 0 || size > b.BlockSize() {
+		panic("cbcmac: invalid size")
+	}
+	return &cbcrMAC{b: b, size: size}
+}
+
+func (c *cbcrMAC) Size() int {
+	return c.size
+}
+
+func (c *cbcrMAC) MAC(src []byte) []byte {
+	blockSize := c.b.BlockSize()
+	tag := make([]byte, blockSize)
+	c.b.Encrypt(tag, tag)
+	padded := false
+	if len(src) == 0 || len(src)%blockSize != 0 {
+		pad := padding.NewISO9797M2Padding(uint(blockSize))
+		src = pad.Pad(src)
+		padded = true
+	}
+
+	for len(src) > blockSize {
+		subtle.XORBytes(tag, tag, src[:blockSize])
+		c.b.Encrypt(tag, tag)
+		src = src[blockSize:]
+	}
+	subtle.XORBytes(tag, tag, src[:blockSize])
+	if padded {
+		shiftLeft(tag)
+	} else {
+		shiftRight(tag)
+	}
+	c.b.Encrypt(tag, tag)
+	return tag[:c.size]
+}
+
+func shiftRight(x []byte) {
+	var lsb byte
+	for i := 0; i < len(x); i++ {
+		lsb, x[i] = x[i]<<7, x[i]>>1|lsb
+	}
+	x[0] ^= lsb
+}
diff --git a/cbcmac/cbcmac_test.go b/cbcmac/cbcmac_test.go
new file mode 100644
index 0000000..8f60a99
--- /dev/null
+++ b/cbcmac/cbcmac_test.go
@@ -0,0 +1,256 @@
+package cbcmac
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/emmansun/gmsm/sm4"
+)
+
+func TestCBCMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key []byte
+		src []byte
+		tag []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message for mac"),
+			[]byte{0x4b, 0x65, 0x53, 0xaf, 0x3c, 0x4e, 0x27, 0x44, 0x84, 0x12, 0x31, 0x5a, 0xc7, 0x84, 0x95, 0x35},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message "),
+			[]byte{0x42, 0x1a, 0xd1, 0x69, 0x0a, 0xa1, 0x52, 0xe2, 0x84, 0x6f, 0xa2, 0xa5, 0xd8, 0x34, 0x45, 0xa9},
+		},
+	}
+
+	for i, c := range cases {
+		block, err := sm4.NewCipher(c.key)
+		if err != nil {
+			t.Errorf("#%d: failed to create cipher: %v", i, err)
+		}
+		mac := NewCBCMAC(block, len(c.tag))
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestEMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key1 []byte
+		key2 []byte
+		src  []byte
+		tag  []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte{0x41, 0x49, 0xd2, 0xad, 0xed, 0x94, 0x56, 0x68, 0x1e, 0xc8, 0xb5, 0x11, 0xd9, 0xe7, 0xee, 0x04},
+			[]byte("This is the test message for mac"),
+			[]byte{0xe4, 0x23, 0xe3, 0x55, 0x99, 0xaf, 0xd9, 0x48, 0xae, 0xc5, 0x0b, 0xde, 0xe8, 0x38, 0xe9, 0xea},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte{0x41, 0x49, 0xd2, 0xad, 0xed, 0x94, 0x56, 0x68, 0x1e, 0xc8, 0xb5, 0x11, 0xd9, 0xe7, 0xee, 0x04},
+			[]byte("This is the test message "),
+			[]byte{0xf0, 0x26, 0x25, 0xce, 0xad, 0x00, 0x8d, 0x4e, 0xfb, 0xf3, 0xf0, 0xb2, 0xb0, 0xc2, 0xa7, 0x5b},
+		},
+	}
+
+	for i, c := range cases {
+		mac := NewEMAC(sm4.NewCipher, c.key1, c.key2, len(c.tag))
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestANSIRetailMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key1 []byte
+		key2 []byte
+		src  []byte
+		tag  []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte{0x41, 0x49, 0xd2, 0xad, 0xed, 0x94, 0x56, 0x68, 0x1e, 0xc8, 0xb5, 0x11, 0xd9, 0xe7, 0xee, 0x04},
+			[]byte("This is the test message for mac"),
+			[]byte{0x51, 0xe9, 0x92, 0x8c, 0x22, 0x38, 0x33, 0x0c, 0x32, 0x31, 0xb8, 0x75, 0x2a, 0x9a, 0xfd, 0x7f},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte{0x41, 0x49, 0xd2, 0xad, 0xed, 0x94, 0x56, 0x68, 0x1e, 0xc8, 0xb5, 0x11, 0xd9, 0xe7, 0xee, 0x04},
+			[]byte("This is the test message "),
+			[]byte{0x19, 0x72, 0x47, 0x22, 0x9c, 0xe9, 0xd7, 0xb6, 0xae, 0x40, 0x5b, 0xf8, 0x85, 0xb2, 0x70, 0x57},
+		},
+	}
+
+	for i, c := range cases {
+		mac := NewANSIRetailMAC(sm4.NewCipher, c.key1, c.key2, len(c.tag))
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestMACDES(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key1 []byte
+		key2 []byte
+		src  []byte
+		tag  []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte{0x41, 0x49, 0xd2, 0xad, 0xed, 0x94, 0x56, 0x68, 0x1e, 0xc8, 0xb5, 0x11, 0xd9, 0xe7, 0xee, 0x04},
+			[]byte("This is the test message for mac"),
+			[]byte{0x7e, 0x1a, 0x9a, 0x5e, 0x0e, 0xf0, 0x94, 0x7f, 0x25, 0xcb, 0x94, 0x85, 0x26, 0x1c, 0x98, 0x5c},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte{0x41, 0x49, 0xd2, 0xad, 0xed, 0x94, 0x56, 0x68, 0x1e, 0xc8, 0xb5, 0x11, 0xd9, 0xe7, 0xee, 0x04},
+			[]byte("This is the test message "),
+			[]byte{0x94, 0x94, 0x76, 0xd3, 0x5f, 0x17, 0x26, 0x1e, 0x1f, 0xb8, 0xc4, 0x39, 0x6d, 0x62, 0xdc, 0x05},
+		},
+	}
+
+	for i, c := range cases {
+		mac := NewMACDES(sm4.NewCipher, c.key1, c.key2, 16)
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestCMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key []byte
+		src []byte
+		tag []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message for mac"),
+			[]byte{0x69, 0x2c, 0x43, 0x71, 0x00, 0xf3, 0xb5, 0xee, 0x2b, 0x8a, 0xbc, 0xef, 0x37, 0x3d, 0x99, 0x0c},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message "),
+			[]byte{0x47, 0x38, 0xa6, 0xc7, 0x60, 0xb2, 0x80, 0xfc, 0x0c, 0x8a, 0x8a, 0xf3, 0x88, 0x6e, 0x9f, 0x5d},
+		},
+	}
+	for i, c := range cases {
+		block, err := sm4.NewCipher(c.key)
+		if err != nil {
+			t.Errorf("#%d: failed to create cipher: %v", i, err)
+		}
+		mac := NewCMAC(block, 16)
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestLMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key []byte
+		src []byte
+		tag []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message for mac"),
+			[]byte{0xa0, 0xc4, 0x65, 0xee, 0x58, 0x96, 0x97, 0x2f, 0x83, 0x37, 0xaa, 0x1f, 0x92, 0xc9, 0x9d, 0x10},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message "),
+			[]byte{0x60, 0xdd, 0x95, 0x5e, 0xd0, 0xca, 0x3d, 0x7a, 0x64, 0x22, 0x71, 0x74, 0xdd, 0x98, 0xdd, 0x81},
+		},
+	}
+
+	for i, c := range cases {
+		mac := NewLMAC(sm4.NewCipher, c.key, 16)
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestTRCBCMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key []byte
+		src []byte
+		tag []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message for mac"),
+			[]byte{0x16, 0xe0, 0x29, 0x04, 0xef, 0xb7, 0x65, 0xb7},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message "),
+			[]byte{0x84, 0x6f, 0xa2, 0xa5, 0xd8, 0x34, 0x45, 0xa9},
+		},
+	}
+
+	for i, c := range cases {
+		block, err := sm4.NewCipher(c.key)
+		if err != nil {
+			t.Errorf("#%d: failed to create cipher: %v", i, err)
+		}
+		mac := NewTRCBCMAC(block, len(c.tag))
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}
+
+func TestCBCRMAC(t *testing.T) {
+	// Test vectors from GB/T 15821.1-2020 Appendix B.
+	cases := []struct {
+		key []byte
+		src []byte
+		tag []byte
+	}{
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message for mac"),
+			[]byte{0xe4, 0x0e, 0xd7, 0x9c, 0x31, 0x49, 0xa1, 0xc9, 0xd4, 0x2f, 0x04, 0xc4, 0x23, 0x04, 0x99, 0x35},
+		},
+		{
+			[]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
+			[]byte("This is the test message "),
+			[]byte{0xa9, 0x9d, 0x13, 0x01, 0x3e, 0x89, 0x2e, 0xe2, 0xc2, 0x5b, 0xe2, 0xda, 0xaa, 0x6c, 0x82, 0xe8},
+		},
+	}
+
+	for i, c := range cases {
+		block, err := sm4.NewCipher(c.key)
+		if err != nil {
+			t.Errorf("#%d: failed to create cipher: %v", i, err)
+		}
+		mac := NewCBCRMAC(block, 16)
+		tag := mac.MAC(c.src)
+		if !bytes.Equal(tag, c.tag) {
+			t.Errorf("#%d: expect tag %x, got %x", i, c.tag, tag)
+		}
+	}
+}