4 * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
5 * - One-Key CBC MAC (OMAC1, i.e., CMAC) hash with AES-128
6 * - AES-128 CTR mode encryption
7 * - AES-128 EAX mode encryption/decryption
10 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2 as
14 * published by the Free Software Foundation.
16 * Alternatively, this software may be distributed under the terms of BSD
19 * See README and COPYING for more details.
28 #ifndef CONFIG_NO_AES_WRAP
31 * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
32 * @kek: 16-octet Key encryption key (KEK)
33 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
35 * @plain: Plaintext key to be wrapped, n * 64 bits
36 * @cipher: Wrapped key, (n + 1) * 64 bits
37 * Returns: 0 on success, -1 on failure
39 int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
48 /* 1) Initialize variables. */
49 os_memset(a, 0xa6, 8);
50 os_memcpy(r, plain, 8 * n);
52 ctx = aes_encrypt_init(kek, 16);
56 /* 2) Calculate intermediate values.
59 * B = AES(K, A | R[i])
60 * A = MSB(64, B) ^ t where t = (n*j)+i
63 for (j = 0; j <= 5; j++) {
65 for (i = 1; i <= n; i++) {
67 os_memcpy(b + 8, r, 8);
68 aes_encrypt(ctx, b, b);
71 os_memcpy(r, b + 8, 8);
75 aes_encrypt_deinit(ctx);
77 /* 3) Output the results.
79 * These are already in @cipher due to the location of temporary
86 #endif /* CONFIG_NO_AES_WRAP */
90 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
91 * @kek: Key encryption key (KEK)
92 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
94 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
95 * @plain: Plaintext key, n * 64 bits
96 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
98 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
104 /* 1) Initialize variables. */
105 os_memcpy(a, cipher, 8);
107 os_memcpy(r, cipher + 8, 8 * n);
109 ctx = aes_decrypt_init(kek, 16);
113 /* 2) Compute intermediate values.
116 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
120 for (j = 5; j >= 0; j--) {
121 r = plain + (n - 1) * 8;
122 for (i = n; i >= 1; i--) {
126 os_memcpy(b + 8, r, 8);
127 aes_decrypt(ctx, b, b);
129 os_memcpy(r, b + 8, 8);
133 aes_decrypt_deinit(ctx);
135 /* 3) Output results.
137 * These are already in @plain due to the location of temporary
138 * variables. Just verify that the IV matches with the expected value.
140 for (i = 0; i < 8; i++) {
149 #define BLOCK_SIZE 16
151 #ifndef CONFIG_NO_AES_OMAC1
153 static void gf_mulx(u8 *pad)
157 carry = pad[0] & 0x80;
158 for (i = 0; i < BLOCK_SIZE - 1; i++)
159 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
160 pad[BLOCK_SIZE - 1] <<= 1;
162 pad[BLOCK_SIZE - 1] ^= 0x87;
167 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
168 * @key: 128-bit key for the hash operation
169 * @num_elem: Number of elements in the data vector
170 * @addr: Pointers to the data areas
171 * @len: Lengths of the data blocks
172 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
173 * Returns: 0 on success, -1 on failure
175 * This is a mode for using block cipher (AES in this case) for authentication.
176 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
179 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
180 const u8 *addr[], const size_t *len, u8 *mac)
183 u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE];
185 size_t i, e, left, total_len;
187 ctx = aes_encrypt_init(key, 16);
190 os_memset(cbc, 0, BLOCK_SIZE);
193 for (e = 0; e < num_elem; e++)
201 while (left >= BLOCK_SIZE) {
202 for (i = 0; i < BLOCK_SIZE; i++) {
210 if (left > BLOCK_SIZE)
211 aes_encrypt(ctx, cbc, cbc);
215 os_memset(pad, 0, BLOCK_SIZE);
216 aes_encrypt(ctx, pad, pad);
219 if (left || total_len == 0) {
220 for (i = 0; i < left; i++) {
232 for (i = 0; i < BLOCK_SIZE; i++)
234 aes_encrypt(ctx, pad, mac);
235 aes_encrypt_deinit(ctx);
241 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
242 * @key: 128-bit key for the hash operation
243 * @data: Data buffer for which a MAC is determined
244 * @data_len: Length of data buffer in bytes
245 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
246 * Returns: 0 on success, -1 on failure
248 * This is a mode for using block cipher (AES in this case) for authentication.
249 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
252 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
254 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
257 #endif /* CONFIG_NO_AES_OMAC1 */
260 #ifndef CONFIG_NO_AES_ENCRYPT_BLOCK
262 * aes_128_encrypt_block - Perform one AES 128-bit block operation
264 * @in: Input data (16 bytes)
265 * @out: Output of the AES block operation (16 bytes)
266 * Returns: 0 on success, -1 on failure
268 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
271 ctx = aes_encrypt_init(key, 16);
274 aes_encrypt(ctx, in, out);
275 aes_encrypt_deinit(ctx);
278 #endif /* CONFIG_NO_AES_ENCRYPT_BLOCK */
281 #ifndef CONFIG_NO_AES_CTR
284 * aes_128_ctr_encrypt - AES-128 CTR mode encryption
285 * @key: Key for encryption (16 bytes)
286 * @nonce: Nonce for counter mode (16 bytes)
287 * @data: Data to encrypt in-place
288 * @data_len: Length of data in bytes
289 * Returns: 0 on success, -1 on failure
291 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
292 u8 *data, size_t data_len)
295 size_t j, len, left = data_len;
298 u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE];
300 ctx = aes_encrypt_init(key, 16);
303 os_memcpy(counter, nonce, BLOCK_SIZE);
306 aes_encrypt(ctx, counter, buf);
308 len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE;
309 for (j = 0; j < len; j++)
314 for (i = BLOCK_SIZE - 1; i >= 0; i--) {
320 aes_encrypt_deinit(ctx);
324 #endif /* CONFIG_NO_AES_CTR */
327 #ifndef CONFIG_NO_AES_EAX
330 * aes_128_eax_encrypt - AES-128 EAX mode encryption
331 * @key: Key for encryption (16 bytes)
332 * @nonce: Nonce for counter mode
333 * @nonce_len: Nonce length in bytes
334 * @hdr: Header data to be authenticity protected
335 * @hdr_len: Length of the header data bytes
336 * @data: Data to encrypt in-place
337 * @data_len: Length of data in bytes
338 * @tag: 16-byte tag value
339 * Returns: 0 on success, -1 on failure
341 int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
342 const u8 *hdr, size_t hdr_len,
343 u8 *data, size_t data_len, u8 *tag)
347 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
350 if (nonce_len > data_len)
354 if (hdr_len > buf_len)
358 buf = os_malloc(buf_len);
362 os_memset(buf, 0, 15);
365 os_memcpy(buf + 16, nonce, nonce_len);
366 if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac))
370 os_memcpy(buf + 16, hdr, hdr_len);
371 if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac))
374 if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len))
377 os_memcpy(buf + 16, data, data_len);
378 if (omac1_aes_128(key, buf, 16 + data_len, data_mac))
381 for (i = 0; i < BLOCK_SIZE; i++)
382 tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
393 * aes_128_eax_decrypt - AES-128 EAX mode decryption
394 * @key: Key for decryption (16 bytes)
395 * @nonce: Nonce for counter mode
396 * @nonce_len: Nonce length in bytes
397 * @hdr: Header data to be authenticity protected
398 * @hdr_len: Length of the header data bytes
399 * @data: Data to encrypt in-place
400 * @data_len: Length of data in bytes
401 * @tag: 16-byte tag value
402 * Returns: 0 on success, -1 on failure, -2 if tag does not match
404 int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
405 const u8 *hdr, size_t hdr_len,
406 u8 *data, size_t data_len, const u8 *tag)
410 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
413 if (nonce_len > data_len)
417 if (hdr_len > buf_len)
421 buf = os_malloc(buf_len);
425 os_memset(buf, 0, 15);
428 os_memcpy(buf + 16, nonce, nonce_len);
429 if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) {
435 os_memcpy(buf + 16, hdr, hdr_len);
436 if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) {
442 os_memcpy(buf + 16, data, data_len);
443 if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) {
450 for (i = 0; i < BLOCK_SIZE; i++) {
451 if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
455 return aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
458 #endif /* CONFIG_NO_AES_EAX */
461 #ifndef CONFIG_NO_AES_CBC
464 * aes_128_cbc_encrypt - AES-128 CBC encryption
465 * @key: Encryption key
466 * @iv: Encryption IV for CBC mode (16 bytes)
467 * @data: Data to encrypt in-place
468 * @data_len: Length of data in bytes (must be divisible by 16)
469 * Returns: 0 on success, -1 on failure
471 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
478 ctx = aes_encrypt_init(key, 16);
481 os_memcpy(cbc, iv, BLOCK_SIZE);
483 blocks = data_len / BLOCK_SIZE;
484 for (i = 0; i < blocks; i++) {
485 for (j = 0; j < BLOCK_SIZE; j++)
487 aes_encrypt(ctx, cbc, cbc);
488 os_memcpy(pos, cbc, BLOCK_SIZE);
491 aes_encrypt_deinit(ctx);
497 * aes_128_cbc_decrypt - AES-128 CBC decryption
498 * @key: Decryption key
499 * @iv: Decryption IV for CBC mode (16 bytes)
500 * @data: Data to decrypt in-place
501 * @data_len: Length of data in bytes (must be divisible by 16)
502 * Returns: 0 on success, -1 on failure
504 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
507 u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE];
511 ctx = aes_decrypt_init(key, 16);
514 os_memcpy(cbc, iv, BLOCK_SIZE);
516 blocks = data_len / BLOCK_SIZE;
517 for (i = 0; i < blocks; i++) {
518 os_memcpy(tmp, pos, BLOCK_SIZE);
519 aes_decrypt(ctx, pos, pos);
520 for (j = 0; j < BLOCK_SIZE; j++)
522 os_memcpy(cbc, tmp, BLOCK_SIZE);
525 aes_decrypt_deinit(ctx);
529 #endif /* CONFIG_NO_AES_CBC */