18d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt/* 28d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * AES-128 EAX 38d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * 48d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 58d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * 6c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt * This software may be distributed under the terms of the BSD license. 7c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt * See README for more details. 88d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt */ 98d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 108d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#include "includes.h" 118d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 128d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#include "common.h" 138d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#include "aes.h" 148d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#include "aes_wrap.h" 158d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 168d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt/** 178d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * aes_128_eax_encrypt - AES-128 EAX mode encryption 188d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @key: Key for encryption (16 bytes) 198d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @nonce: Nonce for counter mode 208d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @nonce_len: Nonce length in bytes 218d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @hdr: Header data to be authenticity protected 228d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @hdr_len: Length of the header data bytes 238d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @data: Data to encrypt in-place 248d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @data_len: Length of data in bytes 258d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @tag: 16-byte tag value 268d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * Returns: 0 on success, -1 on failure 278d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt */ 288d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtint aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 298d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt const u8 *hdr, size_t hdr_len, 308d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt u8 *data, size_t data_len, u8 *tag) 318d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt{ 328d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt u8 *buf; 338d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt size_t buf_len; 348d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE], 358d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt data_mac[AES_BLOCK_SIZE]; 368d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt int i, ret = -1; 378d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 388d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (nonce_len > data_len) 398d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len = nonce_len; 408d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt else 418d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len = data_len; 428d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (hdr_len > buf_len) 438d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len = hdr_len; 448d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len += 16; 458d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 468d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf = os_malloc(buf_len); 478d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (buf == NULL) 488d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return -1; 498d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 508d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memset(buf, 0, 15); 518d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 528d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf[15] = 0; 538d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memcpy(buf + 16, nonce, nonce_len); 548d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) 558d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt goto fail; 568d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 578d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf[15] = 1; 588d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memcpy(buf + 16, hdr, hdr_len); 598d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) 608d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt goto fail; 618d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 628d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len)) 638d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt goto fail; 648d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf[15] = 2; 658d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memcpy(buf + 16, data, data_len); 668d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) 678d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt goto fail; 688d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 698d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt for (i = 0; i < AES_BLOCK_SIZE; i++) 708d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]; 718d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 728d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt ret = 0; 738d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtfail: 748d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_free(buf); 758d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 768d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return ret; 778d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt} 788d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 798d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 808d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt/** 818d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * aes_128_eax_decrypt - AES-128 EAX mode decryption 828d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @key: Key for decryption (16 bytes) 838d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @nonce: Nonce for counter mode 848d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @nonce_len: Nonce length in bytes 858d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @hdr: Header data to be authenticity protected 868d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @hdr_len: Length of the header data bytes 878d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @data: Data to encrypt in-place 888d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @data_len: Length of data in bytes 898d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * @tag: 16-byte tag value 908d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt * Returns: 0 on success, -1 on failure, -2 if tag does not match 918d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt */ 928d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtint aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 938d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt const u8 *hdr, size_t hdr_len, 948d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt u8 *data, size_t data_len, const u8 *tag) 958d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt{ 968d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt u8 *buf; 978d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt size_t buf_len; 988d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE], 998d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt data_mac[AES_BLOCK_SIZE]; 1008d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt int i; 1018d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1028d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (nonce_len > data_len) 1038d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len = nonce_len; 1048d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt else 1058d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len = data_len; 1068d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (hdr_len > buf_len) 1078d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len = hdr_len; 1088d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf_len += 16; 1098d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1108d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf = os_malloc(buf_len); 1118d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (buf == NULL) 1128d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return -1; 1138d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1148d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memset(buf, 0, 15); 1158d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1168d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf[15] = 0; 1178d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memcpy(buf + 16, nonce, nonce_len); 1188d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) { 1198d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_free(buf); 1208d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return -1; 1218d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 1228d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1238d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf[15] = 1; 1248d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memcpy(buf + 16, hdr, hdr_len); 1258d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) { 1268d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_free(buf); 1278d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return -1; 1288d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 1298d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1308d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf[15] = 2; 1318d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_memcpy(buf + 16, data, data_len); 1328d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) { 1338d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_free(buf); 1348d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return -1; 1358d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 1368d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1378d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt os_free(buf); 1388d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1398d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt for (i = 0; i < AES_BLOCK_SIZE; i++) { 1408d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i])) 1418d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return -2; 1428d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 1438d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 1448d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return aes_128_ctr_encrypt(key, nonce_mac, data, data_len); 1458d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt} 146