1/* 2 * One-key CBC MAC (OMAC1) hash with AES-128 3 * 4 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 2 as 8 * published by the Free Software Foundation. 9 * 10 * Alternatively, this software may be distributed under the terms of BSD 11 * license. 12 * 13 * See README and COPYING for more details. 14 */ 15 16#include "includes.h" 17 18#include "common.h" 19#include "aes.h" 20#include "aes_wrap.h" 21 22static void gf_mulx(u8 *pad) 23{ 24 int i, carry; 25 26 carry = pad[0] & 0x80; 27 for (i = 0; i < AES_BLOCK_SIZE - 1; i++) 28 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); 29 pad[AES_BLOCK_SIZE - 1] <<= 1; 30 if (carry) 31 pad[AES_BLOCK_SIZE - 1] ^= 0x87; 32} 33 34 35/** 36 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 37 * @key: 128-bit key for the hash operation 38 * @num_elem: Number of elements in the data vector 39 * @addr: Pointers to the data areas 40 * @len: Lengths of the data blocks 41 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 42 * Returns: 0 on success, -1 on failure 43 * 44 * This is a mode for using block cipher (AES in this case) for authentication. 45 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 46 * (SP) 800-38B. 47 */ 48int omac1_aes_128_vector(const u8 *key, size_t num_elem, 49 const u8 *addr[], const size_t *len, u8 *mac) 50{ 51 void *ctx; 52 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE]; 53 const u8 *pos, *end; 54 size_t i, e, left, total_len; 55 56 ctx = aes_encrypt_init(key, 16); 57 if (ctx == NULL) 58 return -1; 59 os_memset(cbc, 0, AES_BLOCK_SIZE); 60 61 total_len = 0; 62 for (e = 0; e < num_elem; e++) 63 total_len += len[e]; 64 left = total_len; 65 66 e = 0; 67 pos = addr[0]; 68 end = pos + len[0]; 69 70 while (left >= AES_BLOCK_SIZE) { 71 for (i = 0; i < AES_BLOCK_SIZE; i++) { 72 cbc[i] ^= *pos++; 73 if (pos >= end) { 74 e++; 75 pos = addr[e]; 76 end = pos + len[e]; 77 } 78 } 79 if (left > AES_BLOCK_SIZE) 80 aes_encrypt(ctx, cbc, cbc); 81 left -= AES_BLOCK_SIZE; 82 } 83 84 os_memset(pad, 0, AES_BLOCK_SIZE); 85 aes_encrypt(ctx, pad, pad); 86 gf_mulx(pad); 87 88 if (left || total_len == 0) { 89 for (i = 0; i < left; i++) { 90 cbc[i] ^= *pos++; 91 if (pos >= end) { 92 e++; 93 pos = addr[e]; 94 end = pos + len[e]; 95 } 96 } 97 cbc[left] ^= 0x80; 98 gf_mulx(pad); 99 } 100 101 for (i = 0; i < AES_BLOCK_SIZE; i++) 102 pad[i] ^= cbc[i]; 103 aes_encrypt(ctx, pad, mac); 104 aes_encrypt_deinit(ctx); 105 return 0; 106} 107 108 109/** 110 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) 111 * @key: 128-bit key for the hash operation 112 * @data: Data buffer for which a MAC is determined 113 * @data_len: Length of data buffer in bytes 114 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 115 * Returns: 0 on success, -1 on failure 116 * 117 * This is a mode for using block cipher (AES in this case) for authentication. 118 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 119 * (SP) 800-38B. 120 */ 121int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 122{ 123 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 124} 125