4 * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
5 * - One-Key CBC MAC (OMAC1) hash with AES-128
6 * - AES-128 CTR mode encryption
7 * - AES-128 EAX mode encryption/decryption
10 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2 as
14 * published by the Free Software Foundation.
16 * Alternatively, this software may be distributed under the terms of BSD
19 * See README and COPYING for more details.
30 #endif /* INTERNAL_AES */
33 #ifndef CONFIG_NO_AES_WRAP
36 * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
37 * @kek: Key encryption key (KEK)
38 * @n: Length of the wrapped key in 64-bit units; e.g., 2 = 128-bit = 16 bytes
39 * @plain: Plaintext key to be wrapped, n * 64 bit
40 * @cipher: Wrapped key, (n + 1) * 64 bit
41 * Returns: 0 on success, -1 on failure
43 int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
52 /* 1) Initialize variables. */
53 os_memset(a, 0xa6, 8);
54 os_memcpy(r, plain, 8 * n);
56 ctx = aes_encrypt_init(kek, 16);
60 /* 2) Calculate intermediate values.
63 * B = AES(K, A | R[i])
64 * A = MSB(64, B) ^ t where t = (n*j)+i
67 for (j = 0; j <= 5; j++) {
69 for (i = 1; i <= n; i++) {
71 os_memcpy(b + 8, r, 8);
72 aes_encrypt(ctx, b, b);
75 os_memcpy(r, b + 8, 8);
79 aes_encrypt_deinit(ctx);
81 /* 3) Output the results.
83 * These are already in @cipher due to the location of temporary
90 #endif /* CONFIG_NO_AES_WRAP */
94 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
95 * @kek: Key encryption key (KEK)
96 * @n: Length of the wrapped key in 64-bit units; e.g., 2 = 128-bit = 16 bytes
97 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bit
98 * @plain: Plaintext key, n * 64 bit
99 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
101 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
107 /* 1) Initialize variables. */
108 os_memcpy(a, cipher, 8);
110 os_memcpy(r, cipher + 8, 8 * n);
112 ctx = aes_decrypt_init(kek, 16);
116 /* 2) Compute intermediate values.
119 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
123 for (j = 5; j >= 0; j--) {
124 r = plain + (n - 1) * 8;
125 for (i = n; i >= 1; i--) {
129 os_memcpy(b + 8, r, 8);
130 aes_decrypt(ctx, b, b);
132 os_memcpy(r, b + 8, 8);
136 aes_decrypt_deinit(ctx);
138 /* 3) Output results.
140 * These are already in @plain due to the location of temporary
141 * variables. Just verify that the IV matches with the expected value.
143 for (i = 0; i < 8; i++) {
152 #define BLOCK_SIZE 16
154 #ifndef CONFIG_NO_AES_OMAC1
156 static void gf_mulx(u8 *pad)
160 carry = pad[0] & 0x80;
161 for (i = 0; i < BLOCK_SIZE - 1; i++)
162 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
163 pad[BLOCK_SIZE - 1] <<= 1;
165 pad[BLOCK_SIZE - 1] ^= 0x87;
170 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
171 * @key: 128-bit key for the hash operation
172 * @data: Data buffer for which a MAC is determined
173 * @data: Length of data buffer in bytes
174 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
175 * Returns: 0 on success, -1 on failure
177 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
180 u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE];
181 const u8 *pos = data;
182 size_t i, left = data_len;
184 ctx = aes_encrypt_init(key, 16);
187 os_memset(cbc, 0, BLOCK_SIZE);
189 while (left >= BLOCK_SIZE) {
190 for (i = 0; i < BLOCK_SIZE; i++)
192 if (left > BLOCK_SIZE)
193 aes_encrypt(ctx, cbc, cbc);
197 os_memset(pad, 0, BLOCK_SIZE);
198 aes_encrypt(ctx, pad, pad);
201 if (left || data_len == 0) {
202 for (i = 0; i < left; i++)
208 for (i = 0; i < BLOCK_SIZE; i++)
210 aes_encrypt(ctx, pad, mac);
211 aes_encrypt_deinit(ctx);
215 #endif /* CONFIG_NO_AES_OMAC1 */
219 * aes_128_encrypt_block - Perform one AES 128-bit block operation
221 * @in: Input data (16 bytes)
222 * @out: Output of the AES block operation (16 bytes)
223 * Returns: 0 on success, -1 on failure
225 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
228 ctx = aes_encrypt_init(key, 16);
231 aes_encrypt(ctx, in, out);
232 aes_encrypt_deinit(ctx);
237 #ifndef CONFIG_NO_AES_CTR
240 * aes_128_ctr_encrypt - AES-128 CTR mode encryption
241 * @key: Key for encryption (16 bytes)
242 * @nonce: Nonce for counter mode (16 bytes)
243 * @data: Data to encrypt in-place
244 * @data_len: Length of data in bytes
245 * Returns: 0 on success, -1 on failure
247 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
248 u8 *data, size_t data_len)
251 size_t j, len, left = data_len;
254 u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE];
256 ctx = aes_encrypt_init(key, 16);
259 os_memcpy(counter, nonce, BLOCK_SIZE);
262 aes_encrypt(ctx, counter, buf);
264 len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE;
265 for (j = 0; j < len; j++)
270 for (i = BLOCK_SIZE - 1; i >= 0; i--) {
276 aes_encrypt_deinit(ctx);
280 #endif /* CONFIG_NO_AES_CTR */
283 #ifndef CONFIG_NO_AES_EAX
286 * aes_128_eax_encrypt - AES-128 EAX mode encryption
287 * @key: Key for encryption (16 bytes)
288 * @nonce: Nonce for counter mode
289 * @nonce_len: Nonce length in bytes
290 * @hdr: Header data to be authenticity protected
291 * @hdr_len: Length of the header data bytes
292 * @data: Data to encrypt in-place
293 * @data_len: Length of data in bytes
294 * @tag: 16-byte tag value
295 * Returns: 0 on success, -1 on failure
297 int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
298 const u8 *hdr, size_t hdr_len,
299 u8 *data, size_t data_len, u8 *tag)
303 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
306 if (nonce_len > data_len)
310 if (hdr_len > buf_len)
314 buf = os_malloc(buf_len);
318 os_memset(buf, 0, 15);
321 os_memcpy(buf + 16, nonce, nonce_len);
322 omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac);
325 os_memcpy(buf + 16, hdr, hdr_len);
326 omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac);
328 aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
330 os_memcpy(buf + 16, data, data_len);
331 omac1_aes_128(key, buf, 16 + data_len, data_mac);
335 for (i = 0; i < BLOCK_SIZE; i++)
336 tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
343 * aes_128_eax_decrypt - AES-128 EAX mode decryption
344 * @key: Key for decryption (16 bytes)
345 * @nonce: Nonce for counter mode
346 * @nonce_len: Nonce length in bytes
347 * @hdr: Header data to be authenticity protected
348 * @hdr_len: Length of the header data bytes
349 * @data: Data to encrypt in-place
350 * @data_len: Length of data in bytes
351 * @tag: 16-byte tag value
352 * Returns: 0 on success, -1 on failure, -2 if tag does not match
354 int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
355 const u8 *hdr, size_t hdr_len,
356 u8 *data, size_t data_len, const u8 *tag)
360 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE];
363 if (nonce_len > data_len)
367 if (hdr_len > buf_len)
371 buf = os_malloc(buf_len);
375 os_memset(buf, 0, 15);
378 os_memcpy(buf + 16, nonce, nonce_len);
379 omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac);
382 os_memcpy(buf + 16, hdr, hdr_len);
383 omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac);
386 os_memcpy(buf + 16, data, data_len);
387 omac1_aes_128(key, buf, 16 + data_len, data_mac);
391 for (i = 0; i < BLOCK_SIZE; i++) {
392 if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
396 aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
401 #endif /* CONFIG_NO_AES_EAX */
404 #ifndef CONFIG_NO_AES_CBC
407 * aes_128_cbc_encrypt - AES-128 CBC encryption
408 * @key: Encryption key
409 * @iv: Encryption IV for CBC mode (16 bytes)
410 * @data: Data to encrypt in-place
411 * @data_len: Length of data in bytes (must be divisible by 16)
412 * Returns: 0 on success, -1 on failure
414 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
421 ctx = aes_encrypt_init(key, 16);
424 os_memcpy(cbc, iv, BLOCK_SIZE);
426 blocks = data_len / BLOCK_SIZE;
427 for (i = 0; i < blocks; i++) {
428 for (j = 0; j < BLOCK_SIZE; j++)
430 aes_encrypt(ctx, cbc, cbc);
431 os_memcpy(pos, cbc, BLOCK_SIZE);
434 aes_encrypt_deinit(ctx);
440 * aes_128_cbc_decrypt - AES-128 CBC decryption
441 * @key: Decryption key
442 * @iv: Decryption IV for CBC mode (16 bytes)
443 * @data: Data to decrypt in-place
444 * @data_len: Length of data in bytes (must be divisible by 16)
445 * Returns: 0 on success, -1 on failure
447 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
450 u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE];
454 ctx = aes_decrypt_init(key, 16);
457 os_memcpy(cbc, iv, BLOCK_SIZE);
459 blocks = data_len / BLOCK_SIZE;
460 for (i = 0; i < blocks; i++) {
461 os_memcpy(tmp, pos, BLOCK_SIZE);
462 aes_decrypt(ctx, pos, pos);
463 for (j = 0; j < BLOCK_SIZE; j++)
465 os_memcpy(cbc, tmp, BLOCK_SIZE);
468 aes_decrypt_deinit(ctx);
472 #endif /* CONFIG_NO_AES_CBC */