1 /* 2 * AES-based functions 3 * 4 * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 5 * - One-Key CBC MAC (OMAC1) hash with AES-128 6 * - AES-128 CTR mode encryption 7 * - AES-128 EAX mode encryption/decryption 8 * - AES-128 CBC 9 * 10 * Copyright (c) 2003-2007, Jouni Malinen <j (at) w1.fi> 11 * 12 * This program is free software; you can redistribute it and/or modify 13 * it under the terms of the GNU General Public License version 2 as 14 * published by the Free Software Foundation. 15 * 16 * Alternatively, this software may be distributed under the terms of BSD 17 * license. 18 * 19 * See README and COPYING for more details. 20 */ 21 22 #include "includes.h" 23 24 #include "common.h" 25 #include "aes_wrap.h" 26 #include "crypto.h" 27 28 #ifdef INTERNAL_AES 29 #include "aes.c" 30 #endif /* INTERNAL_AES */ 31 32 33 #ifndef CONFIG_NO_AES_WRAP 34 35 /** 36 * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 37 * @kek: 16-octet Key encryption key (KEK) 38 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 39 * bytes 40 * @plain: Plaintext key to be wrapped, n * 64 bits 41 * @cipher: Wrapped key, (n + 1) * 64 bits 42 * Returns: 0 on success, -1 on failure 43 */ 44 int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher) 45 { 46 u8 *a, *r, b[16]; 47 int i, j; 48 void *ctx; 49 50 a = cipher; 51 r = cipher + 8; 52 53 /* 1) Initialize variables. */ 54 os_memset(a, 0xa6, 8); 55 os_memcpy(r, plain, 8 * n); 56 57 ctx = aes_encrypt_init(kek, 16); 58 if (ctx == NULL) 59 return -1; 60 61 /* 2) Calculate intermediate values. 62 * For j = 0 to 5 63 * For i=1 to n 64 * B = AES(K, A | R[i]) 65 * A = MSB(64, B) ^ t where t = (n*j)+i 66 * R[i] = LSB(64, B) 67 */ 68 for (j = 0; j <= 5; j++) { 69 r = cipher + 8; 70 for (i = 1; i <= n; i++) { 71 os_memcpy(b, a, 8); 72 os_memcpy(b + 8, r, 8); 73 aes_encrypt(ctx, b, b); 74 os_memcpy(a, b, 8); 75 a[7] ^= n * j + i; 76 os_memcpy(r, b + 8, 8); 77 r += 8; 78 } 79 } 80 aes_encrypt_deinit(ctx); 81 82 /* 3) Output the results. 83 * 84 * These are already in @cipher due to the location of temporary 85 * variables. 86 */ 87 88 return 0; 89 } 90 91 #endif /* CONFIG_NO_AES_WRAP */ 92 93 94 /** 95 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 96 * @kek: Key encryption key (KEK) 97 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 98 * bytes 99 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits 100 * @plain: Plaintext key, n * 64 bits 101 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed) 102 */ 103 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) 104 { 105 u8 a[8], *r, b[16]; 106 int i, j; 107 void *ctx; 108 109 /* 1) Initialize variables. */ 110 os_memcpy(a, cipher, 8); 111 r = plain; 112 os_memcpy(r, cipher + 8, 8 * n); 113 114 ctx = aes_decrypt_init(kek, 16); 115 if (ctx == NULL) 116 return -1; 117 118 /* 2) Compute intermediate values. 119 * For j = 5 to 0 120 * For i = n to 1 121 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i 122 * A = MSB(64, B) 123 * R[i] = LSB(64, B) 124 */ 125 for (j = 5; j >= 0; j--) { 126 r = plain + (n - 1) * 8; 127 for (i = n; i >= 1; i--) { 128 os_memcpy(b, a, 8); 129 b[7] ^= n * j + i; 130 131 os_memcpy(b + 8, r, 8); 132 aes_decrypt(ctx, b, b); 133 os_memcpy(a, b, 8); 134 os_memcpy(r, b + 8, 8); 135 r -= 8; 136 } 137 } 138 aes_decrypt_deinit(ctx); 139 140 /* 3) Output results. 141 * 142 * These are already in @plain due to the location of temporary 143 * variables. Just verify that the IV matches with the expected value. 144 */ 145 for (i = 0; i < 8; i++) { 146 if (a[i] != 0xa6) 147 return -1; 148 } 149 150 return 0; 151 } 152 153 154 #define BLOCK_SIZE 16 155 156 #ifndef CONFIG_NO_AES_OMAC1 157 158 static void gf_mulx(u8 *pad) 159 { 160 int i, carry; 161 162 carry = pad[0] & 0x80; 163 for (i = 0; i < BLOCK_SIZE - 1; i++) 164 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); 165 pad[BLOCK_SIZE - 1] <<= 1; 166 if (carry) 167 pad[BLOCK_SIZE - 1] ^= 0x87; 168 } 169 170 171 /** 172 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 173 * @key: 128-bit key for the hash operation 174 * @num_elem: Number of elements in the data vector 175 * @addr: Pointers to the data areas 176 * @len: Lengths of the data blocks 177 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 178 * Returns: 0 on success, -1 on failure 179 */ 180 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 181 const u8 *addr[], const size_t *len, u8 *mac) 182 { 183 void *ctx; 184 u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE]; 185 const u8 *pos, *end; 186 size_t i, e, left, total_len; 187 188 ctx = aes_encrypt_init(key, 16); 189 if (ctx == NULL) 190 return -1; 191 os_memset(cbc, 0, BLOCK_SIZE); 192 193 total_len = 0; 194 for (e = 0; e < num_elem; e++) 195 total_len += len[e]; 196 left = total_len; 197 198 e = 0; 199 pos = addr[0]; 200 end = pos + len[0]; 201 202 while (left >= BLOCK_SIZE) { 203 for (i = 0; i < BLOCK_SIZE; i++) { 204 cbc[i] ^= *pos++; 205 if (pos >= end) { 206 e++; 207 pos = addr[e]; 208 end = pos + len[e]; 209 } 210 } 211 if (left > BLOCK_SIZE) 212 aes_encrypt(ctx, cbc, cbc); 213 left -= BLOCK_SIZE; 214 } 215 216 os_memset(pad, 0, BLOCK_SIZE); 217 aes_encrypt(ctx, pad, pad); 218 gf_mulx(pad); 219 220 if (left || total_len == 0) { 221 for (i = 0; i < left; i++) { 222 cbc[i] ^= *pos++; 223 if (pos >= end) { 224 e++; 225 pos = addr[e]; 226 end = pos + len[e]; 227 } 228 } 229 cbc[left] ^= 0x80; 230 gf_mulx(pad); 231 } 232 233 for (i = 0; i < BLOCK_SIZE; i++) 234 pad[i] ^= cbc[i]; 235 aes_encrypt(ctx, pad, mac); 236 aes_encrypt_deinit(ctx); 237 return 0; 238 } 239 240 241 /** 242 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) 243 * @key: 128-bit key for the hash operation 244 * @data: Data buffer for which a MAC is determined 245 * @data_len: Length of data buffer in bytes 246 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 247 * Returns: 0 on success, -1 on failure 248 * 249 * This is a mode for using block cipher (AES in this case) for authentication. 250 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 251 * (SP) 800-38B. 252 */ 253 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 254 { 255 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 256 } 257 258 #endif /* CONFIG_NO_AES_OMAC1 */ 259 260 261 /** 262 * aes_128_encrypt_block - Perform one AES 128-bit block operation 263 * @key: Key for AES 264 * @in: Input data (16 bytes) 265 * @out: Output of the AES block operation (16 bytes) 266 * Returns: 0 on success, -1 on failure 267 */ 268 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out) 269 { 270 void *ctx; 271 ctx = aes_encrypt_init(key, 16); 272 if (ctx == NULL) 273 return -1; 274 aes_encrypt(ctx, in, out); 275 aes_encrypt_deinit(ctx); 276 return 0; 277 } 278 279 280 #ifndef CONFIG_NO_AES_CTR 281 282 /** 283 * aes_128_ctr_encrypt - AES-128 CTR mode encryption 284 * @key: Key for encryption (16 bytes) 285 * @nonce: Nonce for counter mode (16 bytes) 286 * @data: Data to encrypt in-place 287 * @data_len: Length of data in bytes 288 * Returns: 0 on success, -1 on failure 289 */ 290 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce, 291 u8 *data, size_t data_len) 292 { 293 void *ctx; 294 size_t j, len, left = data_len; 295 int i; 296 u8 *pos = data; 297 u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE]; 298 299 ctx = aes_encrypt_init(key, 16); 300 if (ctx == NULL) 301 return -1; 302 os_memcpy(counter, nonce, BLOCK_SIZE); 303 304 while (left > 0) { 305 aes_encrypt(ctx, counter, buf); 306 307 len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE; 308 for (j = 0; j < len; j++) 309 pos[j] ^= buf[j]; 310 pos += len; 311 left -= len; 312 313 for (i = BLOCK_SIZE - 1; i >= 0; i--) { 314 counter[i]++; 315 if (counter[i]) 316 break; 317 } 318 } 319 aes_encrypt_deinit(ctx); 320 return 0; 321 } 322 323 #endif /* CONFIG_NO_AES_CTR */ 324 325 326 #ifndef CONFIG_NO_AES_EAX 327 328 /** 329 * aes_128_eax_encrypt - AES-128 EAX mode encryption 330 * @key: Key for encryption (16 bytes) 331 * @nonce: Nonce for counter mode 332 * @nonce_len: Nonce length in bytes 333 * @hdr: Header data to be authenticity protected 334 * @hdr_len: Length of the header data bytes 335 * @data: Data to encrypt in-place 336 * @data_len: Length of data in bytes 337 * @tag: 16-byte tag value 338 * Returns: 0 on success, -1 on failure 339 */ 340 int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 341 const u8 *hdr, size_t hdr_len, 342 u8 *data, size_t data_len, u8 *tag) 343 { 344 u8 *buf; 345 size_t buf_len; 346 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE]; 347 int i; 348 349 if (nonce_len > data_len) 350 buf_len = nonce_len; 351 else 352 buf_len = data_len; 353 if (hdr_len > buf_len) 354 buf_len = hdr_len; 355 buf_len += 16; 356 357 buf = os_malloc(buf_len); 358 if (buf == NULL) 359 return -1; 360 361 os_memset(buf, 0, 15); 362 363 buf[15] = 0; 364 os_memcpy(buf + 16, nonce, nonce_len); 365 omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac); 366 367 buf[15] = 1; 368 os_memcpy(buf + 16, hdr, hdr_len); 369 omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac); 370 371 aes_128_ctr_encrypt(key, nonce_mac, data, data_len); 372 buf[15] = 2; 373 os_memcpy(buf + 16, data, data_len); 374 omac1_aes_128(key, buf, 16 + data_len, data_mac); 375 376 os_free(buf); 377 378 for (i = 0; i < BLOCK_SIZE; i++) 379 tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]; 380 381 return 0; 382 } 383 384 385 /** 386 * aes_128_eax_decrypt - AES-128 EAX mode decryption 387 * @key: Key for decryption (16 bytes) 388 * @nonce: Nonce for counter mode 389 * @nonce_len: Nonce length in bytes 390 * @hdr: Header data to be authenticity protected 391 * @hdr_len: Length of the header data bytes 392 * @data: Data to encrypt in-place 393 * @data_len: Length of data in bytes 394 * @tag: 16-byte tag value 395 * Returns: 0 on success, -1 on failure, -2 if tag does not match 396 */ 397 int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 398 const u8 *hdr, size_t hdr_len, 399 u8 *data, size_t data_len, const u8 *tag) 400 { 401 u8 *buf; 402 size_t buf_len; 403 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE]; 404 int i; 405 406 if (nonce_len > data_len) 407 buf_len = nonce_len; 408 else 409 buf_len = data_len; 410 if (hdr_len > buf_len) 411 buf_len = hdr_len; 412 buf_len += 16; 413 414 buf = os_malloc(buf_len); 415 if (buf == NULL) 416 return -1; 417 418 os_memset(buf, 0, 15); 419 420 buf[15] = 0; 421 os_memcpy(buf + 16, nonce, nonce_len); 422 omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac); 423 424 buf[15] = 1; 425 os_memcpy(buf + 16, hdr, hdr_len); 426 omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac); 427 428 buf[15] = 2; 429 os_memcpy(buf + 16, data, data_len); 430 omac1_aes_128(key, buf, 16 + data_len, data_mac); 431 432 os_free(buf); 433 434 for (i = 0; i < BLOCK_SIZE; i++) { 435 if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i])) 436 return -2; 437 } 438 439 aes_128_ctr_encrypt(key, nonce_mac, data, data_len); 440 441 return 0; 442 } 443 444 #endif /* CONFIG_NO_AES_EAX */ 445 446 447 #ifndef CONFIG_NO_AES_CBC 448 449 /** 450 * aes_128_cbc_encrypt - AES-128 CBC encryption 451 * @key: Encryption key 452 * @iv: Encryption IV for CBC mode (16 bytes) 453 * @data: Data to encrypt in-place 454 * @data_len: Length of data in bytes (must be divisible by 16) 455 * Returns: 0 on success, -1 on failure 456 */ 457 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 458 { 459 void *ctx; 460 u8 cbc[BLOCK_SIZE]; 461 u8 *pos = data; 462 int i, j, blocks; 463 464 ctx = aes_encrypt_init(key, 16); 465 if (ctx == NULL) 466 return -1; 467 os_memcpy(cbc, iv, BLOCK_SIZE); 468 469 blocks = data_len / BLOCK_SIZE; 470 for (i = 0; i < blocks; i++) { 471 for (j = 0; j < BLOCK_SIZE; j++) 472 cbc[j] ^= pos[j]; 473 aes_encrypt(ctx, cbc, cbc); 474 os_memcpy(pos, cbc, BLOCK_SIZE); 475 pos += BLOCK_SIZE; 476 } 477 aes_encrypt_deinit(ctx); 478 return 0; 479 } 480 481 482 /** 483 * aes_128_cbc_decrypt - AES-128 CBC decryption 484 * @key: Decryption key 485 * @iv: Decryption IV for CBC mode (16 bytes) 486 * @data: Data to decrypt in-place 487 * @data_len: Length of data in bytes (must be divisible by 16) 488 * Returns: 0 on success, -1 on failure 489 */ 490 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 491 { 492 void *ctx; 493 u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE]; 494 u8 *pos = data; 495 int i, j, blocks; 496 497 ctx = aes_decrypt_init(key, 16); 498 if (ctx == NULL) 499 return -1; 500 os_memcpy(cbc, iv, BLOCK_SIZE); 501 502 blocks = data_len / BLOCK_SIZE; 503 for (i = 0; i < blocks; i++) { 504 os_memcpy(tmp, pos, BLOCK_SIZE); 505 aes_decrypt(ctx, pos, pos); 506 for (j = 0; j < BLOCK_SIZE; j++) 507 pos[j] ^= cbc[j]; 508 os_memcpy(cbc, tmp, BLOCK_SIZE); 509 pos += BLOCK_SIZE; 510 } 511 aes_decrypt_deinit(ctx); 512 return 0; 513 } 514 515 #endif /* CONFIG_NO_AES_CBC */ 516
