4
* - AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
5
* - One-Key CBC MAC (OMAC1, i.e., CMAC) hash with AES-128
6
* - AES-128 CTR mode encryption
7
* - AES-128 EAX mode encryption/decryption
10
* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
12
* This program is free software; you can redistribute it and/or modify
13
* it under the terms of the GNU General Public License version 2 as
14
* published by the Free Software Foundation.
16
* Alternatively, this software may be distributed under the terms of BSD
19
* See README and COPYING for more details.
28
#ifndef CONFIG_NO_AES_WRAP
31
* aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
32
* @kek: 16-octet Key encryption key (KEK)
33
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
35
* @plain: Plaintext key to be wrapped, n * 64 bits
36
* @cipher: Wrapped key, (n + 1) * 64 bits
37
* Returns: 0 on success, -1 on failure
39
int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
48
/* 1) Initialize variables. */
49
os_memset(a, 0xa6, 8);
50
os_memcpy(r, plain, 8 * n);
52
ctx = aes_encrypt_init(kek, 16);
56
/* 2) Calculate intermediate values.
59
* B = AES(K, A | R[i])
60
* A = MSB(64, B) ^ t where t = (n*j)+i
63
for (j = 0; j <= 5; j++) {
65
for (i = 1; i <= n; i++) {
67
os_memcpy(b + 8, r, 8);
68
aes_encrypt(ctx, b, b);
71
os_memcpy(r, b + 8, 8);
75
aes_encrypt_deinit(ctx);
77
/* 3) Output the results.
79
* These are already in @cipher due to the location of temporary
86
#endif /* CONFIG_NO_AES_WRAP */
89
#ifndef CONFIG_NO_AES_UNWRAP
92
* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
93
* @kek: Key encryption key (KEK)
94
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
96
* @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
97
* @plain: Plaintext key, n * 64 bits
98
* Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
100
int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
106
/* 1) Initialize variables. */
107
os_memcpy(a, cipher, 8);
109
os_memcpy(r, cipher + 8, 8 * n);
111
ctx = aes_decrypt_init(kek, 16);
115
/* 2) Compute intermediate values.
118
* B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
122
for (j = 5; j >= 0; j--) {
123
r = plain + (n - 1) * 8;
124
for (i = n; i >= 1; i--) {
128
os_memcpy(b + 8, r, 8);
129
aes_decrypt(ctx, b, b);
131
os_memcpy(r, b + 8, 8);
135
aes_decrypt_deinit(ctx);
137
/* 3) Output results.
139
* These are already in @plain due to the location of temporary
140
* variables. Just verify that the IV matches with the expected value.
142
for (i = 0; i < 8; i++) {
150
#endif /* CONFIG_NO_AES_UNWRAP */
153
#define BLOCK_SIZE 16
155
#ifndef CONFIG_NO_AES_OMAC1
157
static void gf_mulx(u8 *pad)
161
carry = pad[0] & 0x80;
162
for (i = 0; i < BLOCK_SIZE - 1; i++)
163
pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
164
pad[BLOCK_SIZE - 1] <<= 1;
166
pad[BLOCK_SIZE - 1] ^= 0x87;
171
* omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
172
* @key: 128-bit key for the hash operation
173
* @num_elem: Number of elements in the data vector
174
* @addr: Pointers to the data areas
175
* @len: Lengths of the data blocks
176
* @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
177
* Returns: 0 on success, -1 on failure
179
* This is a mode for using block cipher (AES in this case) for authentication.
180
* OMAC1 was standardized with the name CMAC by NIST in a Special Publication
183
int omac1_aes_128_vector(const u8 *key, size_t num_elem,
184
const u8 *addr[], const size_t *len, u8 *mac)
187
u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE];
189
size_t i, e, left, total_len;
191
ctx = aes_encrypt_init(key, 16);
194
os_memset(cbc, 0, BLOCK_SIZE);
197
for (e = 0; e < num_elem; e++)
205
while (left >= BLOCK_SIZE) {
206
for (i = 0; i < BLOCK_SIZE; i++) {
214
if (left > BLOCK_SIZE)
215
aes_encrypt(ctx, cbc, cbc);
219
os_memset(pad, 0, BLOCK_SIZE);
220
aes_encrypt(ctx, pad, pad);
223
if (left || total_len == 0) {
224
for (i = 0; i < left; i++) {
236
for (i = 0; i < BLOCK_SIZE; i++)
238
aes_encrypt(ctx, pad, mac);
239
aes_encrypt_deinit(ctx);
245
* omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
246
* @key: 128-bit key for the hash operation
247
* @data: Data buffer for which a MAC is determined
248
* @data_len: Length of data buffer in bytes
249
* @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
250
* Returns: 0 on success, -1 on failure
252
* This is a mode for using block cipher (AES in this case) for authentication.
253
* OMAC1 was standardized with the name CMAC by NIST in a Special Publication
256
int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
258
return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
261
#endif /* CONFIG_NO_AES_OMAC1 */
264
#ifndef CONFIG_NO_AES_ENCRYPT_BLOCK
266
* aes_128_encrypt_block - Perform one AES 128-bit block operation
268
* @in: Input data (16 bytes)
269
* @out: Output of the AES block operation (16 bytes)
270
* Returns: 0 on success, -1 on failure
272
int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
275
ctx = aes_encrypt_init(key, 16);
278
aes_encrypt(ctx, in, out);
279
aes_encrypt_deinit(ctx);
282
#endif /* CONFIG_NO_AES_ENCRYPT_BLOCK */
285
#ifndef CONFIG_NO_AES_CTR
288
* aes_128_ctr_encrypt - AES-128 CTR mode encryption
289
* @key: Key for encryption (16 bytes)
290
* @nonce: Nonce for counter mode (16 bytes)
291
* @data: Data to encrypt in-place
292
* @data_len: Length of data in bytes
293
* Returns: 0 on success, -1 on failure
295
int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
296
u8 *data, size_t data_len)
299
size_t j, len, left = data_len;
302
u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE];
304
ctx = aes_encrypt_init(key, 16);
307
os_memcpy(counter, nonce, BLOCK_SIZE);
310
aes_encrypt(ctx, counter, buf);
312
len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE;
313
for (j = 0; j < len; j++)
318
for (i = BLOCK_SIZE - 1; i >= 0; i--) {
324
aes_encrypt_deinit(ctx);
328
#endif /* CONFIG_NO_AES_CTR */
331
#ifndef CONFIG_NO_AES_EAX
334
* aes_128_eax_encrypt - AES-128 EAX mode encryption
335
* @key: Key for encryption (16 bytes)
336
* @nonce: Nonce for counter mode
337
* @nonce_len: Nonce length in bytes
338
* @hdr: Header data to be authenticity protected
339
* @hdr_len: Length of the header data bytes
340
* @data: Data to encrypt in-place
341
* @data_len: Length of data in bytes
342
* @tag: 16-byte tag value
343
* Returns: 0 on success, -1 on failure
345
int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
346
const u8 *hdr, size_t hdr_len,
347
u8 *data, size_t data_len, u8 *tag)
351
u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
354
if (nonce_len > data_len)
358
if (hdr_len > buf_len)
362
buf = os_malloc(buf_len);
366
os_memset(buf, 0, 15);
369
os_memcpy(buf + 16, nonce, nonce_len);
370
if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac))
374
os_memcpy(buf + 16, hdr, hdr_len);
375
if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac))
378
if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len))
381
os_memcpy(buf + 16, data, data_len);
382
if (omac1_aes_128(key, buf, 16 + data_len, data_mac))
385
for (i = 0; i < BLOCK_SIZE; i++)
386
tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
397
* aes_128_eax_decrypt - AES-128 EAX mode decryption
398
* @key: Key for decryption (16 bytes)
399
* @nonce: Nonce for counter mode
400
* @nonce_len: Nonce length in bytes
401
* @hdr: Header data to be authenticity protected
402
* @hdr_len: Length of the header data bytes
403
* @data: Data to encrypt in-place
404
* @data_len: Length of data in bytes
405
* @tag: 16-byte tag value
406
* Returns: 0 on success, -1 on failure, -2 if tag does not match
408
int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
409
const u8 *hdr, size_t hdr_len,
410
u8 *data, size_t data_len, const u8 *tag)
414
u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
417
if (nonce_len > data_len)
421
if (hdr_len > buf_len)
425
buf = os_malloc(buf_len);
429
os_memset(buf, 0, 15);
432
os_memcpy(buf + 16, nonce, nonce_len);
433
if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) {
439
os_memcpy(buf + 16, hdr, hdr_len);
440
if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) {
446
os_memcpy(buf + 16, data, data_len);
447
if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) {
454
for (i = 0; i < BLOCK_SIZE; i++) {
455
if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
459
return aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
462
#endif /* CONFIG_NO_AES_EAX */
465
#ifndef CONFIG_NO_AES_CBC
468
* aes_128_cbc_encrypt - AES-128 CBC encryption
469
* @key: Encryption key
470
* @iv: Encryption IV for CBC mode (16 bytes)
471
* @data: Data to encrypt in-place
472
* @data_len: Length of data in bytes (must be divisible by 16)
473
* Returns: 0 on success, -1 on failure
475
int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
482
ctx = aes_encrypt_init(key, 16);
485
os_memcpy(cbc, iv, BLOCK_SIZE);
487
blocks = data_len / BLOCK_SIZE;
488
for (i = 0; i < blocks; i++) {
489
for (j = 0; j < BLOCK_SIZE; j++)
491
aes_encrypt(ctx, cbc, cbc);
492
os_memcpy(pos, cbc, BLOCK_SIZE);
495
aes_encrypt_deinit(ctx);
501
* aes_128_cbc_decrypt - AES-128 CBC decryption
502
* @key: Decryption key
503
* @iv: Decryption IV for CBC mode (16 bytes)
504
* @data: Data to decrypt in-place
505
* @data_len: Length of data in bytes (must be divisible by 16)
506
* Returns: 0 on success, -1 on failure
508
int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
511
u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE];
515
ctx = aes_decrypt_init(key, 16);
518
os_memcpy(cbc, iv, BLOCK_SIZE);
520
blocks = data_len / BLOCK_SIZE;
521
for (i = 0; i < blocks; i++) {
522
os_memcpy(tmp, pos, BLOCK_SIZE);
523
aes_decrypt(ctx, pos, pos);
524
for (j = 0; j < BLOCK_SIZE; j++)
526
os_memcpy(cbc, tmp, BLOCK_SIZE);
529
aes_decrypt_deinit(ctx);
533
#endif /* CONFIG_NO_AES_CBC */