[thirdparty/hostap.git] / src / crypto / aes-omac1.c

/*
 * One-key CBC MAC (OMAC1) hash with AES
 *
 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "aes.h"
#include "aes_wrap.h"

static void gf_mulx(u8 *pad)
{
	int i, carry;

	carry = pad[0] & 0x80;
	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
		pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
	pad[AES_BLOCK_SIZE - 1] <<= 1;
	if (carry)
		pad[AES_BLOCK_SIZE - 1] ^= 0x87;
}


/**
 * omac1_aes_vector - One-Key CBC MAC (OMAC1) hash with AES
 * @key: Key for the hash operation
 * @key_len: Key length in octets
 * @num_elem: Number of elements in the data vector
 * @addr: Pointers to the data areas
 * @len: Lengths of the data blocks
 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
 * Returns: 0 on success, -1 on failure
 *
 * This is a mode for using block cipher (AES in this case) for authentication.
 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
 * (SP) 800-38B.
 */
int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
		     const u8 *addr[], const size_t *len, u8 *mac)
{
	void *ctx;
	u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
	const u8 *pos, *end;
	size_t i, e, left, total_len;

	if (TEST_FAIL())
		return -1;

	ctx = aes_encrypt_init(key, key_len);
	if (ctx == NULL)
		return -1;
	os_memset(cbc, 0, AES_BLOCK_SIZE);

	total_len = 0;
	for (e = 0; e < num_elem; e++)
		total_len += len[e];
	left = total_len;

	e = 0;
	pos = addr[0];
	end = pos + len[0];

	while (left >= AES_BLOCK_SIZE) {
		for (i = 0; i < AES_BLOCK_SIZE; i++) {
			cbc[i] ^= *pos++;
			if (pos >= end) {
				/*
				 * Stop if there are no more bytes to process
				 * since there are no more entries in the array.
				 */
				if (i + 1 == AES_BLOCK_SIZE &&
				    left == AES_BLOCK_SIZE)
					break;
				e++;
				pos = addr[e];
				end = pos + len[e];
			}
		}
		if (left > AES_BLOCK_SIZE)
			aes_encrypt(ctx, cbc, cbc);
		left -= AES_BLOCK_SIZE;
	}

	os_memset(pad, 0, AES_BLOCK_SIZE);
	aes_encrypt(ctx, pad, pad);
	gf_mulx(pad);

	if (left || total_len == 0) {
		for (i = 0; i < left; i++) {
			cbc[i] ^= *pos++;
			if (pos >= end) {
				/*
				 * Stop if there are no more bytes to process
				 * since there are no more entries in the array.
				 */
				if (i + 1 == left)
					break;
				e++;
				pos = addr[e];
				end = pos + len[e];
			}
		}
		cbc[left] ^= 0x80;
		gf_mulx(pad);
	}

	for (i = 0; i < AES_BLOCK_SIZE; i++)
		pad[i] ^= cbc[i];
	aes_encrypt(ctx, pad, mac);
	aes_encrypt_deinit(ctx);
	return 0;
}


/**
 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
 * @key: 128-bit key for the hash operation
 * @num_elem: Number of elements in the data vector
 * @addr: Pointers to the data areas
 * @len: Lengths of the data blocks
 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
 * Returns: 0 on success, -1 on failure
 *
 * This is a mode for using block cipher (AES in this case) for authentication.
 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
 * (SP) 800-38B.
 */
int omac1_aes_128_vector(const u8 *key, size_t num_elem,
			 const u8 *addr[], const size_t *len, u8 *mac)
{
	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
}


/**
 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
 * @key: 128-bit key for the hash operation
 * @data: Data buffer for which a MAC is determined
 * @data_len: Length of data buffer in bytes
 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
 * Returns: 0 on success, -1 on failure
 *
 * This is a mode for using block cipher (AES in this case) for authentication.
 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
 * (SP) 800-38B.
 */
int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
}


/**
 * omac1_aes_256 - One-Key CBC MAC (OMAC1) hash with AES-256 (aka AES-CMAC)
 * @key: 256-bit key for the hash operation
 * @data: Data buffer for which a MAC is determined
 * @data_len: Length of data buffer in bytes
 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
 * Returns: 0 on success, -1 on failure
 *
 * This is a mode for using block cipher (AES in this case) for authentication.
 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
 * (SP) 800-38B.
 */
int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
}
Commit	Line	Data
4c9e03e0	1	/*
30bff1d0	2	* One-key CBC MAC (OMAC1) hash with AES
4c9e03e0 JB	3	*
	4	* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
	5	*
0f3d578e JM	6	* This software may be distributed under the terms of the BSD license.
0f3d578e JM	7	* See README for more details.
4c9e03e0 JB	8	*/
	9
	10	#include "includes.h"
	11
	12	#include "common.h"
1ba787b9	13	#include "aes.h"
8e2c104f	14	#include "aes_wrap.h"
4c9e03e0 JB	15
	16	static void gf_mulx(u8 *pad)
	17	{
	18	int i, carry;
	19
	20	carry = pad[0] & 0x80;
1ba787b9	21	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
4c9e03e0	22	pad[i] = (pad[i] << 1) \| (pad[i + 1] >> 7);
1ba787b9	23	pad[AES_BLOCK_SIZE - 1] <<= 1;
4c9e03e0	24	if (carry)
1ba787b9	25	pad[AES_BLOCK_SIZE - 1] ^= 0x87;
4c9e03e0 JB	26	}
	27
	28
	29	/**
30bff1d0 JM	30	* omac1_aes_vector - One-Key CBC MAC (OMAC1) hash with AES
	31	* @key: Key for the hash operation
	32	* @key_len: Key length in octets
4c9e03e0 JB	33	* @num_elem: Number of elements in the data vector
	34	* @addr: Pointers to the data areas
	35	* @len: Lengths of the data blocks
	36	* @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
	37	* Returns: 0 on success, -1 on failure
	38	*
	39	* This is a mode for using block cipher (AES in this case) for authentication.
	40	* OMAC1 was standardized with the name CMAC by NIST in a Special Publication
	41	* (SP) 800-38B.
	42	*/
30bff1d0 JM	43	int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
30bff1d0 JM	44	const u8 addr[], const size_t len, u8 *mac)
4c9e03e0 JB	45	{
4c9e03e0 JB	46	void *ctx;
1ba787b9	47	u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
4c9e03e0 JB	48	const u8 pos, end;
	49	size_t i, e, left, total_len;
	50
cc4f3d6e JM	51	if (TEST_FAIL())
	52	return -1;
	53
30bff1d0	54	ctx = aes_encrypt_init(key, key_len);
4c9e03e0 JB	55	if (ctx == NULL)
4c9e03e0 JB	56	return -1;
1ba787b9	57	os_memset(cbc, 0, AES_BLOCK_SIZE);
4c9e03e0 JB	58
	59	total_len = 0;
	60	for (e = 0; e < num_elem; e++)
	61	total_len += len[e];
	62	left = total_len;
	63
	64	e = 0;
	65	pos = addr[0];
	66	end = pos + len[0];
	67
1ba787b9 JM	68	while (left >= AES_BLOCK_SIZE) {
1ba787b9 JM	69	for (i = 0; i < AES_BLOCK_SIZE; i++) {
4c9e03e0 JB	70	cbc[i] ^= *pos++;
4c9e03e0 JB	71	if (pos >= end) {
0a11409c JM	72	/*
	73	* Stop if there are no more bytes to process
	74	* since there are no more entries in the array.
	75	*/
	76	if (i + 1 == AES_BLOCK_SIZE &&
	77	left == AES_BLOCK_SIZE)
	78	break;
4c9e03e0 JB	79	e++;
	80	pos = addr[e];
	81	end = pos + len[e];
	82	}
	83	}
1ba787b9	84	if (left > AES_BLOCK_SIZE)
4c9e03e0	85	aes_encrypt(ctx, cbc, cbc);
1ba787b9	86	left -= AES_BLOCK_SIZE;
4c9e03e0 JB	87	}
4c9e03e0 JB	88
1ba787b9	89	os_memset(pad, 0, AES_BLOCK_SIZE);
4c9e03e0 JB	90	aes_encrypt(ctx, pad, pad);
	91	gf_mulx(pad);
	92
	93	if (left \|\| total_len == 0) {
	94	for (i = 0; i < left; i++) {
	95	cbc[i] ^= *pos++;
	96	if (pos >= end) {
0a11409c JM	97	/*
	98	* Stop if there are no more bytes to process
	99	* since there are no more entries in the array.
	100	*/
	101	if (i + 1 == left)
	102	break;
4c9e03e0 JB	103	e++;
	104	pos = addr[e];
	105	end = pos + len[e];
	106	}
	107	}
	108	cbc[left] ^= 0x80;
	109	gf_mulx(pad);
	110	}
	111
1ba787b9	112	for (i = 0; i < AES_BLOCK_SIZE; i++)
4c9e03e0 JB	113	pad[i] ^= cbc[i];
	114	aes_encrypt(ctx, pad, mac);
	115	aes_encrypt_deinit(ctx);
	116	return 0;
	117	}
	118
	119
30bff1d0 JM	120	/**
	121	* omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
	122	* @key: 128-bit key for the hash operation
	123	* @num_elem: Number of elements in the data vector
	124	* @addr: Pointers to the data areas
	125	* @len: Lengths of the data blocks
	126	* @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
	127	* Returns: 0 on success, -1 on failure
	128	*
	129	* This is a mode for using block cipher (AES in this case) for authentication.
	130	* OMAC1 was standardized with the name CMAC by NIST in a Special Publication
	131	* (SP) 800-38B.
	132	*/
	133	int omac1_aes_128_vector(const u8 *key, size_t num_elem,
	134	const u8 addr[], const size_t len, u8 *mac)
	135	{
	136	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
	137	}
	138
	139
4c9e03e0 JB	140	/**
	141	* omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
	142	* @key: 128-bit key for the hash operation
	143	* @data: Data buffer for which a MAC is determined
	144	* @data_len: Length of data buffer in bytes
	145	* @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
	146	* Returns: 0 on success, -1 on failure
	147	*
	148	* This is a mode for using block cipher (AES in this case) for authentication.
	149	* OMAC1 was standardized with the name CMAC by NIST in a Special Publication
	150	* (SP) 800-38B.
	151	*/
	152	int omac1_aes_128(const u8 key, const u8 data, size_t data_len, u8 *mac)
	153	{
	154	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
	155	}
30bff1d0 JM	156
	157
	158	/**
	159	* omac1_aes_256 - One-Key CBC MAC (OMAC1) hash with AES-256 (aka AES-CMAC)
	160	* @key: 256-bit key for the hash operation
	161	* @data: Data buffer for which a MAC is determined
	162	* @data_len: Length of data buffer in bytes
	163	* @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
	164	* Returns: 0 on success, -1 on failure
	165	*
	166	* This is a mode for using block cipher (AES in this case) for authentication.
	167	* OMAC1 was standardized with the name CMAC by NIST in a Special Publication
	168	* (SP) 800-38B.
	169	*/
	170	int omac1_aes_256(const u8 key, const u8 data, size_t data_len, u8 *mac)
	171	{
	172	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
	173	}