1 /*
2 * One-key CBC MAC (OMAC1) hash with AES
3 *
4 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "aes.h"
14 #include "aes_wrap.h"
15
gf_mulx(u8 * pad)16 static void gf_mulx(u8 *pad)
17 {
18 int i, carry;
19
20 carry = pad[0] & 0x80;
21 for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
22 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
23 pad[AES_BLOCK_SIZE - 1] <<= 1;
24 if (carry)
25 pad[AES_BLOCK_SIZE - 1] ^= 0x87;
26 }
27
28
29 /**
30 * omac1_aes_vector - One-Key CBC MAC (OMAC1) hash with AES
31 * @key: Key for the hash operation
32 * @key_len: Key length in octets
33 * @num_elem: Number of elements in the data vector
34 * @addr: Pointers to the data areas
35 * @len: Lengths of the data blocks
36 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
37 * Returns: 0 on success, -1 on failure
38 *
39 * This is a mode for using block cipher (AES in this case) for authentication.
40 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
41 * (SP) 800-38B.
42 */
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)43 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
44 const u8 *addr[], const size_t *len, u8 *mac)
45 {
46 void *ctx;
47 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
48 const u8 *pos, *end;
49 size_t i, e, left, total_len;
50
51 if (TEST_FAIL())
52 return -1;
53
54 ctx = aes_encrypt_init(key, key_len);
55 if (ctx == NULL)
56 return -1;
57 os_memset(cbc, 0, AES_BLOCK_SIZE);
58
59 total_len = 0;
60 for (e = 0; e < num_elem; e++)
61 total_len += len[e];
62 left = total_len;
63
64 e = 0;
65 pos = addr[0];
66 end = pos + len[0];
67
68 while (left >= AES_BLOCK_SIZE) {
69 for (i = 0; i < AES_BLOCK_SIZE; i++) {
70 cbc[i] ^= *pos++;
71 if (pos >= end) {
72 /*
73 * Stop if there are no more bytes to process
74 * since there are no more entries in the array.
75 */
76 if (i + 1 == AES_BLOCK_SIZE &&
77 left == AES_BLOCK_SIZE)
78 break;
79 e++;
80 pos = addr[e];
81 end = pos + len[e];
82 }
83 }
84 if (left > AES_BLOCK_SIZE)
85 aes_encrypt(ctx, cbc, cbc);
86 left -= AES_BLOCK_SIZE;
87 }
88
89 os_memset(pad, 0, AES_BLOCK_SIZE);
90 aes_encrypt(ctx, pad, pad);
91 gf_mulx(pad);
92
93 if (left || total_len == 0) {
94 for (i = 0; i < left; i++) {
95 cbc[i] ^= *pos++;
96 if (pos >= end) {
97 /*
98 * Stop if there are no more bytes to process
99 * since there are no more entries in the array.
100 */
101 if (i + 1 == left)
102 break;
103 e++;
104 pos = addr[e];
105 end = pos + len[e];
106 }
107 }
108 cbc[left] ^= 0x80;
109 gf_mulx(pad);
110 }
111
112 for (i = 0; i < AES_BLOCK_SIZE; i++)
113 pad[i] ^= cbc[i];
114 aes_encrypt(ctx, pad, mac);
115 aes_encrypt_deinit(ctx);
116 return 0;
117 }
118
119
120 /**
121 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
122 * @key: 128-bit key for the hash operation
123 * @num_elem: Number of elements in the data vector
124 * @addr: Pointers to the data areas
125 * @len: Lengths of the data blocks
126 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
127 * Returns: 0 on success, -1 on failure
128 *
129 * This is a mode for using block cipher (AES in this case) for authentication.
130 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
131 * (SP) 800-38B.
132 */
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)133 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
134 const u8 *addr[], const size_t *len, u8 *mac)
135 {
136 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
137 }
138
139
140 /**
141 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
142 * @key: 128-bit key for the hash operation
143 * @data: Data buffer for which a MAC is determined
144 * @data_len: Length of data buffer in bytes
145 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
146 * Returns: 0 on success, -1 on failure
147 *
148 * This is a mode for using block cipher (AES in this case) for authentication.
149 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
150 * (SP) 800-38B.
151 */
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)152 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
153 {
154 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
155 }
156
157
158 /**
159 * omac1_aes_256 - One-Key CBC MAC (OMAC1) hash with AES-256 (aka AES-CMAC)
160 * @key: 256-bit key for the hash operation
161 * @data: Data buffer for which a MAC is determined
162 * @data_len: Length of data buffer in bytes
163 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
164 * Returns: 0 on success, -1 on failure
165 *
166 * This is a mode for using block cipher (AES in this case) for authentication.
167 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
168 * (SP) 800-38B.
169 */
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)170 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
171 {
172 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
173 }
174