1 /* 2 * One-key CBC MAC (OMAC1) hash with AES 3 * 4 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10 #include "includes.h" 11 12 #include "common.h" 13 #include "aes.h" 14 #include "aes_wrap.h" 15 16 static void gf_mulx(u8 *pad) 17 { 18 int i, carry; 19 20 carry = pad[0] & 0x80; 21 for (i = 0; i < AES_BLOCK_SIZE - 1; i++) 22 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); 23 pad[AES_BLOCK_SIZE - 1] <<= 1; 24 if (carry) 25 pad[AES_BLOCK_SIZE - 1] ^= 0x87; 26 } 27 28 29 /** 30 * omac1_aes_vector - One-Key CBC MAC (OMAC1) hash with AES 31 * @key: Key for the hash operation 32 * @key_len: Key length in octets 33 * @num_elem: Number of elements in the data vector 34 * @addr: Pointers to the data areas 35 * @len: Lengths of the data blocks 36 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 37 * Returns: 0 on success, -1 on failure 38 * 39 * This is a mode for using block cipher (AES in this case) for authentication. 40 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 41 * (SP) 800-38B. 42 */ 43 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 44 const u8 *addr[], const size_t *len, u8 *mac) 45 { 46 void *ctx; 47 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE]; 48 const u8 *pos, *end; 49 size_t i, e, left, total_len; 50 51 if (TEST_FAIL()) 52 return -1; 53 54 ctx = aes_encrypt_init(key, key_len); 55 if (ctx == NULL) 56 return -1; 57 os_memset(cbc, 0, AES_BLOCK_SIZE); 58 59 total_len = 0; 60 for (e = 0; e < num_elem; e++) 61 total_len += len[e]; 62 left = total_len; 63 64 e = 0; 65 pos = addr[0]; 66 end = pos + len[0]; 67 68 while (left >= AES_BLOCK_SIZE) { 69 for (i = 0; i < AES_BLOCK_SIZE; i++) { 70 cbc[i] ^= *pos++; 71 if (pos >= end) { 72 /* 73 * Stop if there are no more bytes to process 74 * since there are no more entries in the array. 75 */ 76 if (i + 1 == AES_BLOCK_SIZE && 77 left == AES_BLOCK_SIZE) 78 break; 79 e++; 80 pos = addr[e]; 81 end = pos + len[e]; 82 } 83 } 84 if (left > AES_BLOCK_SIZE) 85 aes_encrypt(ctx, cbc, cbc); 86 left -= AES_BLOCK_SIZE; 87 } 88 89 os_memset(pad, 0, AES_BLOCK_SIZE); 90 aes_encrypt(ctx, pad, pad); 91 gf_mulx(pad); 92 93 if (left || total_len == 0) { 94 for (i = 0; i < left; i++) { 95 cbc[i] ^= *pos++; 96 if (pos >= end) { 97 /* 98 * Stop if there are no more bytes to process 99 * since there are no more entries in the array. 100 */ 101 if (i + 1 == left) 102 break; 103 e++; 104 pos = addr[e]; 105 end = pos + len[e]; 106 } 107 } 108 cbc[left] ^= 0x80; 109 gf_mulx(pad); 110 } 111 112 for (i = 0; i < AES_BLOCK_SIZE; i++) 113 pad[i] ^= cbc[i]; 114 aes_encrypt(ctx, pad, mac); 115 aes_encrypt_deinit(ctx); 116 return 0; 117 } 118 119 120 /** 121 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 122 * @key: 128-bit key for the hash operation 123 * @num_elem: Number of elements in the data vector 124 * @addr: Pointers to the data areas 125 * @len: Lengths of the data blocks 126 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 127 * Returns: 0 on success, -1 on failure 128 * 129 * This is a mode for using block cipher (AES in this case) for authentication. 130 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 131 * (SP) 800-38B. 132 */ 133 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 134 const u8 *addr[], const size_t *len, u8 *mac) 135 { 136 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 137 } 138 139 140 /** 141 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) 142 * @key: 128-bit key for the hash operation 143 * @data: Data buffer for which a MAC is determined 144 * @data_len: Length of data buffer in bytes 145 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 146 * Returns: 0 on success, -1 on failure 147 * 148 * This is a mode for using block cipher (AES in this case) for authentication. 149 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 150 * (SP) 800-38B. 151 */ 152 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 153 { 154 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 155 } 156 157 158 /** 159 * omac1_aes_256 - One-Key CBC MAC (OMAC1) hash with AES-256 (aka AES-CMAC) 160 * @key: 256-bit key for the hash operation 161 * @data: Data buffer for which a MAC is determined 162 * @data_len: Length of data buffer in bytes 163 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 164 * Returns: 0 on success, -1 on failure 165 * 166 * This is a mode for using block cipher (AES in this case) for authentication. 167 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 168 * (SP) 800-38B. 169 */ 170 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 171 { 172 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 173 } 174