search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / wpa / src / crypto / aes_wrap.c
blobb8b79719f20c8a8650277eb9d73fc7e77ebe4914
1 /*
2 * AES-based functions
3 *
4 * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
5 * - One-Key CBC MAC (OMAC1, i.e., CMAC) hash with AES-128
6 * - AES-128 CTR mode encryption
7 * - AES-128 EAX mode encryption/decryption
8 * - AES-128 CBC
9 *
10 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2 as
14 * published by the Free Software Foundation.
15 *
16 * Alternatively, this software may be distributed under the terms of BSD
17 * license.
18 *
19 * See README and COPYING for more details.
20 */
21
22 #include "includes.h"
23
24 #include "common.h"
25 #include "aes_wrap.h"
26 #include "crypto.h"
27
28 #ifndef CONFIG_NO_AES_WRAP
29
30 /**
31 * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
32 * @kek: 16-octet Key encryption key (KEK)
33 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
34 * bytes
35 * @plain: Plaintext key to be wrapped, n * 64 bits
36 * @cipher: Wrapped key, (n + 1) * 64 bits
37 * Returns: 0 on success, -1 on failure
38 */
39 int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
40 {
41 u8 *a, *r, b[16];
42 int i, j;
43 void *ctx;
44
45 a = cipher;
46 r = cipher + 8;
47
48 /* 1) Initialize variables. */
49 os_memset(a, 0xa6, 8);
50 os_memcpy(r, plain, 8 * n);
51
52 ctx = aes_encrypt_init(kek, 16);
53 if (ctx == NULL)
54 return -1;
55
56 /* 2) Calculate intermediate values.
57 * For j = 0 to 5
58 * For i=1 to n
59 * B = AES(K, A | R[i])
60 * A = MSB(64, B) ^ t where t = (n*j)+i
61 * R[i] = LSB(64, B)
62 */
63 for (j = 0; j <= 5; j++) {
64 r = cipher + 8;
65 for (i = 1; i <= n; i++) {
66 os_memcpy(b, a, 8);
67 os_memcpy(b + 8, r, 8);
68 aes_encrypt(ctx, b, b);
69 os_memcpy(a, b, 8);
70 a[7] ^= n * j + i;
71 os_memcpy(r, b + 8, 8);
72 r += 8;
73 }
74 }
75 aes_encrypt_deinit(ctx);
76
77 /* 3) Output the results.
78 *
79 * These are already in @cipher due to the location of temporary
80 * variables.
81 */
82
83 return 0;
84 }
85
86 #endif /* CONFIG_NO_AES_WRAP */
87
88
89 /**
90 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
91 * @kek: Key encryption key (KEK)
92 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
93 * bytes
94 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
95 * @plain: Plaintext key, n * 64 bits
96 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
97 */
98 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
99 {
100 u8 a[8], *r, b[16];
101 int i, j;
102 void *ctx;
103
104 /* 1) Initialize variables. */
105 os_memcpy(a, cipher, 8);
106 r = plain;
107 os_memcpy(r, cipher + 8, 8 * n);
108
109 ctx = aes_decrypt_init(kek, 16);
110 if (ctx == NULL)
111 return -1;
112
113 /* 2) Compute intermediate values.
114 * For j = 5 to 0
115 * For i = n to 1
116 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
117 * A = MSB(64, B)
118 * R[i] = LSB(64, B)
119 */
120 for (j = 5; j >= 0; j--) {
121 r = plain + (n - 1) * 8;
122 for (i = n; i >= 1; i--) {
123 os_memcpy(b, a, 8);
124 b[7] ^= n * j + i;
125
126 os_memcpy(b + 8, r, 8);
127 aes_decrypt(ctx, b, b);
128 os_memcpy(a, b, 8);
129 os_memcpy(r, b + 8, 8);
130 r -= 8;
131 }
132 }
133 aes_decrypt_deinit(ctx);
134
135 /* 3) Output results.
136 *
137 * These are already in @plain due to the location of temporary
138 * variables. Just verify that the IV matches with the expected value.
139 */
140 for (i = 0; i < 8; i++) {
141 if (a[i] != 0xa6)
142 return -1;
143 }
144
145 return 0;
146 }
147
148
149 #define BLOCK_SIZE 16
150
151 #ifndef CONFIG_NO_AES_OMAC1
152
153 static void gf_mulx(u8 *pad)
154 {
155 int i, carry;
156
157 carry = pad[0] & 0x80;
158 for (i = 0; i < BLOCK_SIZE - 1; i++)
159 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
160 pad[BLOCK_SIZE - 1] <<= 1;
161 if (carry)
162 pad[BLOCK_SIZE - 1] ^= 0x87;
163 }
164
165
166 /**
167 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
168 * @key: 128-bit key for the hash operation
169 * @num_elem: Number of elements in the data vector
170 * @addr: Pointers to the data areas
171 * @len: Lengths of the data blocks
172 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
173 * Returns: 0 on success, -1 on failure
174 *
175 * This is a mode for using block cipher (AES in this case) for authentication.
176 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
177 * (SP) 800-38B.
178 */
179 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
180 const u8 *addr[], const size_t *len, u8 *mac)
181 {
182 void *ctx;
183 u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE];
184 const u8 *pos, *end;
185 size_t i, e, left, total_len;
186
187 ctx = aes_encrypt_init(key, 16);
188 if (ctx == NULL)
189 return -1;
190 os_memset(cbc, 0, BLOCK_SIZE);
191
192 total_len = 0;
193 for (e = 0; e < num_elem; e++)
194 total_len += len[e];
195 left = total_len;
196
197 e = 0;
198 pos = addr[0];
199 end = pos + len[0];
200
201 while (left >= BLOCK_SIZE) {
202 for (i = 0; i < BLOCK_SIZE; i++) {
203 cbc[i] ^= *pos++;
204 if (pos >= end) {
205 e++;
206 pos = addr[e];
207 end = pos + len[e];
208 }
209 }
210 if (left > BLOCK_SIZE)
211 aes_encrypt(ctx, cbc, cbc);
212 left -= BLOCK_SIZE;
213 }
214
215 os_memset(pad, 0, BLOCK_SIZE);
216 aes_encrypt(ctx, pad, pad);
217 gf_mulx(pad);
218
219 if (left || total_len == 0) {
220 for (i = 0; i < left; i++) {
221 cbc[i] ^= *pos++;
222 if (pos >= end) {
223 e++;
224 pos = addr[e];
225 end = pos + len[e];
226 }
227 }
228 cbc[left] ^= 0x80;
229 gf_mulx(pad);
230 }
231
232 for (i = 0; i < BLOCK_SIZE; i++)
233 pad[i] ^= cbc[i];
234 aes_encrypt(ctx, pad, mac);
235 aes_encrypt_deinit(ctx);
236 return 0;
237 }
238
239
240 /**
241 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
242 * @key: 128-bit key for the hash operation
243 * @data: Data buffer for which a MAC is determined
244 * @data_len: Length of data buffer in bytes
245 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
246 * Returns: 0 on success, -1 on failure
247 *
248 * This is a mode for using block cipher (AES in this case) for authentication.
249 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
250 * (SP) 800-38B.
251 */
252 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
253 {
254 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
255 }
256
257 #endif /* CONFIG_NO_AES_OMAC1 */
258
259
260 #ifndef CONFIG_NO_AES_ENCRYPT_BLOCK
261 /**
262 * aes_128_encrypt_block - Perform one AES 128-bit block operation
263 * @key: Key for AES
264 * @in: Input data (16 bytes)
265 * @out: Output of the AES block operation (16 bytes)
266 * Returns: 0 on success, -1 on failure
267 */
268 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
269 {
270 void *ctx;
271 ctx = aes_encrypt_init(key, 16);
272 if (ctx == NULL)
273 return -1;
274 aes_encrypt(ctx, in, out);
275 aes_encrypt_deinit(ctx);
276 return 0;
277 }
278 #endif /* CONFIG_NO_AES_ENCRYPT_BLOCK */
279
280
281 #ifndef CONFIG_NO_AES_CTR
282
283 /**
284 * aes_128_ctr_encrypt - AES-128 CTR mode encryption
285 * @key: Key for encryption (16 bytes)
286 * @nonce: Nonce for counter mode (16 bytes)
287 * @data: Data to encrypt in-place
288 * @data_len: Length of data in bytes
289 * Returns: 0 on success, -1 on failure
290 */
291 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
292 u8 *data, size_t data_len)
293 {
294 void *ctx;
295 size_t j, len, left = data_len;
296 int i;
297 u8 *pos = data;
298 u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE];
299
300 ctx = aes_encrypt_init(key, 16);
301 if (ctx == NULL)
302 return -1;
303 os_memcpy(counter, nonce, BLOCK_SIZE);
304
305 while (left > 0) {
306 aes_encrypt(ctx, counter, buf);
307
308 len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE;
309 for (j = 0; j < len; j++)
310 pos[j] ^= buf[j];
311 pos += len;
312 left -= len;
313
314 for (i = BLOCK_SIZE - 1; i >= 0; i--) {
315 counter[i]++;
316 if (counter[i])
317 break;
318 }
319 }
320 aes_encrypt_deinit(ctx);
321 return 0;
322 }
323
324 #endif /* CONFIG_NO_AES_CTR */
325
326
327 #ifndef CONFIG_NO_AES_EAX
328
329 /**
330 * aes_128_eax_encrypt - AES-128 EAX mode encryption
331 * @key: Key for encryption (16 bytes)
332 * @nonce: Nonce for counter mode
333 * @nonce_len: Nonce length in bytes
334 * @hdr: Header data to be authenticity protected
335 * @hdr_len: Length of the header data bytes
336 * @data: Data to encrypt in-place
337 * @data_len: Length of data in bytes
338 * @tag: 16-byte tag value
339 * Returns: 0 on success, -1 on failure
340 */
341 int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
342 const u8 *hdr, size_t hdr_len,
343 u8 *data, size_t data_len, u8 *tag)
344 {
345 u8 *buf;
346 size_t buf_len;
347 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
348 int i, ret = -1;
349
350 if (nonce_len > data_len)
351 buf_len = nonce_len;
352 else
353 buf_len = data_len;
354 if (hdr_len > buf_len)
355 buf_len = hdr_len;
356 buf_len += 16;
357
358 buf = os_malloc(buf_len);
359 if (buf == NULL)
360 return -1;
361
362 os_memset(buf, 0, 15);
363
364 buf[15] = 0;
365 os_memcpy(buf + 16, nonce, nonce_len);
366 if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac))
367 goto fail;
368
369 buf[15] = 1;
370 os_memcpy(buf + 16, hdr, hdr_len);
371 if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac))
372 goto fail;
373
374 if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len))
375 goto fail;
376 buf[15] = 2;
377 os_memcpy(buf + 16, data, data_len);
378 if (omac1_aes_128(key, buf, 16 + data_len, data_mac))
379 goto fail;
380
381 for (i = 0; i < BLOCK_SIZE; i++)
382 tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
383
384 ret = 0;
385 fail:
386 os_free(buf);
387
388 return ret;
389 }
390
391
392 /**
393 * aes_128_eax_decrypt - AES-128 EAX mode decryption
394 * @key: Key for decryption (16 bytes)
395 * @nonce: Nonce for counter mode
396 * @nonce_len: Nonce length in bytes
397 * @hdr: Header data to be authenticity protected
398 * @hdr_len: Length of the header data bytes
399 * @data: Data to encrypt in-place
400 * @data_len: Length of data in bytes
401 * @tag: 16-byte tag value
402 * Returns: 0 on success, -1 on failure, -2 if tag does not match
403 */
404 int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
405 const u8 *hdr, size_t hdr_len,
406 u8 *data, size_t data_len, const u8 *tag)
407 {
408 u8 *buf;
409 size_t buf_len;
410 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
411 int i;
412
413 if (nonce_len > data_len)
414 buf_len = nonce_len;
415 else
416 buf_len = data_len;
417 if (hdr_len > buf_len)
418 buf_len = hdr_len;
419 buf_len += 16;
420
421 buf = os_malloc(buf_len);
422 if (buf == NULL)
423 return -1;
424
425 os_memset(buf, 0, 15);
426
427 buf[15] = 0;
428 os_memcpy(buf + 16, nonce, nonce_len);
429 if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) {
430 os_free(buf);
431 return -1;
432 }
433
434 buf[15] = 1;
435 os_memcpy(buf + 16, hdr, hdr_len);
436 if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) {
437 os_free(buf);
438 return -1;
439 }
440
441 buf[15] = 2;
442 os_memcpy(buf + 16, data, data_len);
443 if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) {
444 os_free(buf);
445 return -1;
446 }
447
448 os_free(buf);
449
450 for (i = 0; i < BLOCK_SIZE; i++) {
451 if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
452 return -2;
453 }
454
455 return aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
456 }
457
458 #endif /* CONFIG_NO_AES_EAX */
459
460
461 #ifndef CONFIG_NO_AES_CBC
462
463 /**
464 * aes_128_cbc_encrypt - AES-128 CBC encryption
465 * @key: Encryption key
466 * @iv: Encryption IV for CBC mode (16 bytes)
467 * @data: Data to encrypt in-place
468 * @data_len: Length of data in bytes (must be divisible by 16)
469 * Returns: 0 on success, -1 on failure
470 */
471 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
472 {
473 void *ctx;
474 u8 cbc[BLOCK_SIZE];
475 u8 *pos = data;
476 int i, j, blocks;
477
478 ctx = aes_encrypt_init(key, 16);
479 if (ctx == NULL)
480 return -1;
481 os_memcpy(cbc, iv, BLOCK_SIZE);
482
483 blocks = data_len / BLOCK_SIZE;
484 for (i = 0; i < blocks; i++) {
485 for (j = 0; j < BLOCK_SIZE; j++)
486 cbc[j] ^= pos[j];
487 aes_encrypt(ctx, cbc, cbc);
488 os_memcpy(pos, cbc, BLOCK_SIZE);
489 pos += BLOCK_SIZE;
490 }
491 aes_encrypt_deinit(ctx);
492 return 0;
493 }
494
495
496 /**
497 * aes_128_cbc_decrypt - AES-128 CBC decryption
498 * @key: Decryption key
499 * @iv: Decryption IV for CBC mode (16 bytes)
500 * @data: Data to decrypt in-place
501 * @data_len: Length of data in bytes (must be divisible by 16)
502 * Returns: 0 on success, -1 on failure
503 */
504 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
505 {
506 void *ctx;
507 u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE];
508 u8 *pos = data;
509 int i, j, blocks;
510
511 ctx = aes_decrypt_init(key, 16);
512 if (ctx == NULL)
513 return -1;
514 os_memcpy(cbc, iv, BLOCK_SIZE);
515
516 blocks = data_len / BLOCK_SIZE;
517 for (i = 0; i < blocks; i++) {
518 os_memcpy(tmp, pos, BLOCK_SIZE);
519 aes_decrypt(ctx, pos, pos);
520 for (j = 0; j < BLOCK_SIZE; j++)
521 pos[j] ^= cbc[j];
522 os_memcpy(cbc, tmp, BLOCK_SIZE);
523 pos += BLOCK_SIZE;
524 }
525 aes_decrypt_deinit(ctx);
526 return 0;
527 }
528
529 #endif /* CONFIG_NO_AES_CBC */
NetBSD on the FriendlyARM MINI2440