1 /*
2 * AES-based functions
3 *
4 * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
5 * - One-Key CBC MAC (OMAC1) hash with AES-128
6 * - AES-128 CTR mode encryption
7 * - AES-128 EAX mode encryption/decryption
8 * - AES-128 CBC
9 *
10 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2 as
14 * published by the Free Software Foundation.
15 *
16 * Alternatively, this software may be distributed under the terms of BSD
17 * license.
18 *
19 * See README and COPYING for more details.
20 */
21
22 #include "includes.h"
23
24 #include "common.h"
25 #include "aes_wrap.h"
26 #include "crypto.h"
27
28 #ifdef INTERNAL_AES
29 #include "aes.c"
30 #endif /* INTERNAL_AES */
31
32
33 #ifndef CONFIG_NO_AES_WRAP
34
35 /**
36 * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
37 * @kek: 16-octet Key encryption key (KEK)
38 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
39 * bytes
40 * @plain: Plaintext key to be wrapped, n * 64 bits
41 * @cipher: Wrapped key, (n + 1) * 64 bits
42 * Returns: 0 on success, -1 on failure
43 */
aes_wrap(const u8 * kek,int n,const u8 * plain,u8 * cipher)44 int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
45 {
46 u8 *a, *r, b[16];
47 int i, j;
48 void *ctx;
49
50 a = cipher;
51 r = cipher + 8;
52
53 /* 1) Initialize variables. */
54 os_memset(a, 0xa6, 8);
55 os_memcpy(r, plain, 8 * n);
56
57 ctx = aes_encrypt_init(kek, 16);
58 if (ctx == NULL)
59 return -1;
60
61 /* 2) Calculate intermediate values.
62 * For j = 0 to 5
63 * For i=1 to n
64 * B = AES(K, A | R[i])
65 * A = MSB(64, B) ^ t where t = (n*j)+i
66 * R[i] = LSB(64, B)
67 */
68 for (j = 0; j <= 5; j++) {
69 r = cipher + 8;
70 for (i = 1; i <= n; i++) {
71 os_memcpy(b, a, 8);
72 os_memcpy(b + 8, r, 8);
73 aes_encrypt(ctx, b, b);
74 os_memcpy(a, b, 8);
75 a[7] ^= n * j + i;
76 os_memcpy(r, b + 8, 8);
77 r += 8;
78 }
79 }
80 aes_encrypt_deinit(ctx);
81
82 /* 3) Output the results.
83 *
84 * These are already in @cipher due to the location of temporary
85 * variables.
86 */
87
88 return 0;
89 }
90
91 #endif /* CONFIG_NO_AES_WRAP */
92
93
94 /**
95 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
96 * @kek: Key encryption key (KEK)
97 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
98 * bytes
99 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
100 * @plain: Plaintext key, n * 64 bits
101 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
102 */
aes_unwrap(const u8 * kek,int n,const u8 * cipher,u8 * plain)103 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
104 {
105 u8 a[8], *r, b[16];
106 int i, j;
107 void *ctx;
108
109 /* 1) Initialize variables. */
110 os_memcpy(a, cipher, 8);
111 r = plain;
112 os_memcpy(r, cipher + 8, 8 * n);
113
114 ctx = aes_decrypt_init(kek, 16);
115 if (ctx == NULL)
116 return -1;
117
118 /* 2) Compute intermediate values.
119 * For j = 5 to 0
120 * For i = n to 1
121 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
122 * A = MSB(64, B)
123 * R[i] = LSB(64, B)
124 */
125 for (j = 5; j >= 0; j--) {
126 r = plain + (n - 1) * 8;
127 for (i = n; i >= 1; i--) {
128 os_memcpy(b, a, 8);
129 b[7] ^= n * j + i;
130
131 os_memcpy(b + 8, r, 8);
132 aes_decrypt(ctx, b, b);
133 os_memcpy(a, b, 8);
134 os_memcpy(r, b + 8, 8);
135 r -= 8;
136 }
137 }
138 aes_decrypt_deinit(ctx);
139
140 /* 3) Output results.
141 *
142 * These are already in @plain due to the location of temporary
143 * variables. Just verify that the IV matches with the expected value.
144 */
145 for (i = 0; i < 8; i++) {
146 if (a[i] != 0xa6)
147 return -1;
148 }
149
150 return 0;
151 }
152
153
154 #define BLOCK_SIZE 16
155
156 #ifndef CONFIG_NO_AES_OMAC1
157
gf_mulx(u8 * pad)158 static void gf_mulx(u8 *pad)
159 {
160 int i, carry;
161
162 carry = pad[0] & 0x80;
163 for (i = 0; i < BLOCK_SIZE - 1; i++)
164 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
165 pad[BLOCK_SIZE - 1] <<= 1;
166 if (carry)
167 pad[BLOCK_SIZE - 1] ^= 0x87;
168 }
169
170
171 /**
172 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
173 * @key: 128-bit key for the hash operation
174 * @num_elem: Number of elements in the data vector
175 * @addr: Pointers to the data areas
176 * @len: Lengths of the data blocks
177 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
178 * Returns: 0 on success, -1 on failure
179 */
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)180 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
181 const u8 *addr[], const size_t *len, u8 *mac)
182 {
183 void *ctx;
184 u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE];
185 const u8 *pos, *end;
186 size_t i, e, left, total_len;
187
188 ctx = aes_encrypt_init(key, 16);
189 if (ctx == NULL)
190 return -1;
191 os_memset(cbc, 0, BLOCK_SIZE);
192
193 total_len = 0;
194 for (e = 0; e < num_elem; e++)
195 total_len += len[e];
196 left = total_len;
197
198 e = 0;
199 pos = addr[0];
200 end = pos + len[0];
201
202 while (left >= BLOCK_SIZE) {
203 for (i = 0; i < BLOCK_SIZE; i++) {
204 cbc[i] ^= *pos++;
205 if (pos >= end) {
206 e++;
207 pos = addr[e];
208 end = pos + len[e];
209 }
210 }
211 if (left > BLOCK_SIZE)
212 aes_encrypt(ctx, cbc, cbc);
213 left -= BLOCK_SIZE;
214 }
215
216 os_memset(pad, 0, BLOCK_SIZE);
217 aes_encrypt(ctx, pad, pad);
218 gf_mulx(pad);
219
220 if (left || total_len == 0) {
221 for (i = 0; i < left; i++) {
222 cbc[i] ^= *pos++;
223 if (pos >= end) {
224 e++;
225 pos = addr[e];
226 end = pos + len[e];
227 }
228 }
229 cbc[left] ^= 0x80;
230 gf_mulx(pad);
231 }
232
233 for (i = 0; i < BLOCK_SIZE; i++)
234 pad[i] ^= cbc[i];
235 aes_encrypt(ctx, pad, mac);
236 aes_encrypt_deinit(ctx);
237 return 0;
238 }
239
240
241 /**
242 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
243 * @key: 128-bit key for the hash operation
244 * @data: Data buffer for which a MAC is determined
245 * @data_len: Length of data buffer in bytes
246 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
247 * Returns: 0 on success, -1 on failure
248 *
249 * This is a mode for using block cipher (AES in this case) for authentication.
250 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
251 * (SP) 800-38B.
252 */
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)253 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
254 {
255 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
256 }
257
258 #endif /* CONFIG_NO_AES_OMAC1 */
259
260
261 /**
262 * aes_128_encrypt_block - Perform one AES 128-bit block operation
263 * @key: Key for AES
264 * @in: Input data (16 bytes)
265 * @out: Output of the AES block operation (16 bytes)
266 * Returns: 0 on success, -1 on failure
267 */
aes_128_encrypt_block(const u8 * key,const u8 * in,u8 * out)268 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
269 {
270 void *ctx;
271 ctx = aes_encrypt_init(key, 16);
272 if (ctx == NULL)
273 return -1;
274 aes_encrypt(ctx, in, out);
275 aes_encrypt_deinit(ctx);
276 return 0;
277 }
278
279
280 #ifndef CONFIG_NO_AES_CTR
281
282 /**
283 * aes_128_ctr_encrypt - AES-128 CTR mode encryption
284 * @key: Key for encryption (16 bytes)
285 * @nonce: Nonce for counter mode (16 bytes)
286 * @data: Data to encrypt in-place
287 * @data_len: Length of data in bytes
288 * Returns: 0 on success, -1 on failure
289 */
aes_128_ctr_encrypt(const u8 * key,const u8 * nonce,u8 * data,size_t data_len)290 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
291 u8 *data, size_t data_len)
292 {
293 void *ctx;
294 size_t j, len, left = data_len;
295 int i;
296 u8 *pos = data;
297 u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE];
298
299 ctx = aes_encrypt_init(key, 16);
300 if (ctx == NULL)
301 return -1;
302 os_memcpy(counter, nonce, BLOCK_SIZE);
303
304 while (left > 0) {
305 aes_encrypt(ctx, counter, buf);
306
307 len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE;
308 for (j = 0; j < len; j++)
309 pos[j] ^= buf[j];
310 pos += len;
311 left -= len;
312
313 for (i = BLOCK_SIZE - 1; i >= 0; i--) {
314 counter[i]++;
315 if (counter[i])
316 break;
317 }
318 }
319 aes_encrypt_deinit(ctx);
320 return 0;
321 }
322
323 #endif /* CONFIG_NO_AES_CTR */
324
325
326 #ifndef CONFIG_NO_AES_EAX
327
328 /**
329 * aes_128_eax_encrypt - AES-128 EAX mode encryption
330 * @key: Key for encryption (16 bytes)
331 * @nonce: Nonce for counter mode
332 * @nonce_len: Nonce length in bytes
333 * @hdr: Header data to be authenticity protected
334 * @hdr_len: Length of the header data bytes
335 * @data: Data to encrypt in-place
336 * @data_len: Length of data in bytes
337 * @tag: 16-byte tag value
338 * Returns: 0 on success, -1 on failure
339 */
aes_128_eax_encrypt(const u8 * key,const u8 * nonce,size_t nonce_len,const u8 * hdr,size_t hdr_len,u8 * data,size_t data_len,u8 * tag)340 int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
341 const u8 *hdr, size_t hdr_len,
342 u8 *data, size_t data_len, u8 *tag)
343 {
344 u8 *buf;
345 size_t buf_len;
346 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
347 int i;
348
349 if (nonce_len > data_len)
350 buf_len = nonce_len;
351 else
352 buf_len = data_len;
353 if (hdr_len > buf_len)
354 buf_len = hdr_len;
355 buf_len += 16;
356
357 buf = os_malloc(buf_len);
358 if (buf == NULL)
359 return -1;
360
361 os_memset(buf, 0, 15);
362
363 buf[15] = 0;
364 os_memcpy(buf + 16, nonce, nonce_len);
365 omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac);
366
367 buf[15] = 1;
368 os_memcpy(buf + 16, hdr, hdr_len);
369 omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac);
370
371 aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
372 buf[15] = 2;
373 os_memcpy(buf + 16, data, data_len);
374 omac1_aes_128(key, buf, 16 + data_len, data_mac);
375
376 os_free(buf);
377
378 for (i = 0; i < BLOCK_SIZE; i++)
379 tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
380
381 return 0;
382 }
383
384
385 /**
386 * aes_128_eax_decrypt - AES-128 EAX mode decryption
387 * @key: Key for decryption (16 bytes)
388 * @nonce: Nonce for counter mode
389 * @nonce_len: Nonce length in bytes
390 * @hdr: Header data to be authenticity protected
391 * @hdr_len: Length of the header data bytes
392 * @data: Data to encrypt in-place
393 * @data_len: Length of data in bytes
394 * @tag: 16-byte tag value
395 * Returns: 0 on success, -1 on failure, -2 if tag does not match
396 */
aes_128_eax_decrypt(const u8 * key,const u8 * nonce,size_t nonce_len,const u8 * hdr,size_t hdr_len,u8 * data,size_t data_len,const u8 * tag)397 int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
398 const u8 *hdr, size_t hdr_len,
399 u8 *data, size_t data_len, const u8 *tag)
400 {
401 u8 *buf;
402 size_t buf_len;
403 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
404 int i;
405
406 if (nonce_len > data_len)
407 buf_len = nonce_len;
408 else
409 buf_len = data_len;
410 if (hdr_len > buf_len)
411 buf_len = hdr_len;
412 buf_len += 16;
413
414 buf = os_malloc(buf_len);
415 if (buf == NULL)
416 return -1;
417
418 os_memset(buf, 0, 15);
419
420 buf[15] = 0;
421 os_memcpy(buf + 16, nonce, nonce_len);
422 omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac);
423
424 buf[15] = 1;
425 os_memcpy(buf + 16, hdr, hdr_len);
426 omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac);
427
428 buf[15] = 2;
429 os_memcpy(buf + 16, data, data_len);
430 omac1_aes_128(key, buf, 16 + data_len, data_mac);
431
432 os_free(buf);
433
434 for (i = 0; i < BLOCK_SIZE; i++) {
435 if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
436 return -2;
437 }
438
439 aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
440
441 return 0;
442 }
443
444 #endif /* CONFIG_NO_AES_EAX */
445
446
447 #ifndef CONFIG_NO_AES_CBC
448
449 /**
450 * aes_128_cbc_encrypt - AES-128 CBC encryption
451 * @key: Encryption key
452 * @iv: Encryption IV for CBC mode (16 bytes)
453 * @data: Data to encrypt in-place
454 * @data_len: Length of data in bytes (must be divisible by 16)
455 * Returns: 0 on success, -1 on failure
456 */
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)457 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
458 {
459 void *ctx;
460 u8 cbc[BLOCK_SIZE];
461 u8 *pos = data;
462 int i, j, blocks;
463
464 ctx = aes_encrypt_init(key, 16);
465 if (ctx == NULL)
466 return -1;
467 os_memcpy(cbc, iv, BLOCK_SIZE);
468
469 blocks = data_len / BLOCK_SIZE;
470 for (i = 0; i < blocks; i++) {
471 for (j = 0; j < BLOCK_SIZE; j++)
472 cbc[j] ^= pos[j];
473 aes_encrypt(ctx, cbc, cbc);
474 os_memcpy(pos, cbc, BLOCK_SIZE);
475 pos += BLOCK_SIZE;
476 }
477 aes_encrypt_deinit(ctx);
478 return 0;
479 }
480
481
482 /**
483 * aes_128_cbc_decrypt - AES-128 CBC decryption
484 * @key: Decryption key
485 * @iv: Decryption IV for CBC mode (16 bytes)
486 * @data: Data to decrypt in-place
487 * @data_len: Length of data in bytes (must be divisible by 16)
488 * Returns: 0 on success, -1 on failure
489 */
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)490 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
491 {
492 void *ctx;
493 u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE];
494 u8 *pos = data;
495 int i, j, blocks;
496
497 ctx = aes_decrypt_init(key, 16);
498 if (ctx == NULL)
499 return -1;
500 os_memcpy(cbc, iv, BLOCK_SIZE);
501
502 blocks = data_len / BLOCK_SIZE;
503 for (i = 0; i < blocks; i++) {
504 os_memcpy(tmp, pos, BLOCK_SIZE);
505 aes_decrypt(ctx, pos, pos);
506 for (j = 0; j < BLOCK_SIZE; j++)
507 pos[j] ^= cbc[j];
508 os_memcpy(cbc, tmp, BLOCK_SIZE);
509 pos += BLOCK_SIZE;
510 }
511 aes_decrypt_deinit(ctx);
512 return 0;
513 }
514
515 #endif /* CONFIG_NO_AES_CBC */
516