The Android Open Source Project | 845e012 | 2009-03-03 19:31:34 -0800 | [diff] [blame] | 1 | /* |
| 2 | * AES-based functions |
| 3 | * |
| 4 | * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394) |
| 5 | * - One-Key CBC MAC (OMAC1) hash with AES-128 |
| 6 | * - AES-128 CTR mode encryption |
| 7 | * - AES-128 EAX mode encryption/decryption |
| 8 | * - AES-128 CBC |
| 9 | * |
| 10 | * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> |
| 11 | * |
| 12 | * This program is free software; you can redistribute it and/or modify |
| 13 | * it under the terms of the GNU General Public License version 2 as |
| 14 | * published by the Free Software Foundation. |
| 15 | * |
| 16 | * Alternatively, this software may be distributed under the terms of BSD |
| 17 | * license. |
| 18 | * |
| 19 | * See README and COPYING for more details. |
| 20 | */ |
| 21 | |
| 22 | #include "includes.h" |
| 23 | |
| 24 | #include "common.h" |
| 25 | #include "aes_wrap.h" |
| 26 | #include "crypto.h" |
| 27 | |
| 28 | #ifdef INTERNAL_AES |
| 29 | #include "aes.c" |
| 30 | #endif /* INTERNAL_AES */ |
| 31 | |
| 32 | |
| 33 | #ifndef CONFIG_NO_AES_WRAP |
| 34 | |
| 35 | /** |
| 36 | * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) |
| 37 | * @kek: 16-octet Key encryption key (KEK) |
| 38 | * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 |
| 39 | * bytes |
| 40 | * @plain: Plaintext key to be wrapped, n * 64 bits |
| 41 | * @cipher: Wrapped key, (n + 1) * 64 bits |
| 42 | * Returns: 0 on success, -1 on failure |
| 43 | */ |
| 44 | int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher) |
| 45 | { |
| 46 | u8 *a, *r, b[16]; |
| 47 | int i, j; |
| 48 | void *ctx; |
| 49 | |
| 50 | a = cipher; |
| 51 | r = cipher + 8; |
| 52 | |
| 53 | /* 1) Initialize variables. */ |
| 54 | os_memset(a, 0xa6, 8); |
| 55 | os_memcpy(r, plain, 8 * n); |
| 56 | |
| 57 | ctx = aes_encrypt_init(kek, 16); |
| 58 | if (ctx == NULL) |
| 59 | return -1; |
| 60 | |
| 61 | /* 2) Calculate intermediate values. |
| 62 | * For j = 0 to 5 |
| 63 | * For i=1 to n |
| 64 | * B = AES(K, A | R[i]) |
| 65 | * A = MSB(64, B) ^ t where t = (n*j)+i |
| 66 | * R[i] = LSB(64, B) |
| 67 | */ |
| 68 | for (j = 0; j <= 5; j++) { |
| 69 | r = cipher + 8; |
| 70 | for (i = 1; i <= n; i++) { |
| 71 | os_memcpy(b, a, 8); |
| 72 | os_memcpy(b + 8, r, 8); |
| 73 | aes_encrypt(ctx, b, b); |
| 74 | os_memcpy(a, b, 8); |
| 75 | a[7] ^= n * j + i; |
| 76 | os_memcpy(r, b + 8, 8); |
| 77 | r += 8; |
| 78 | } |
| 79 | } |
| 80 | aes_encrypt_deinit(ctx); |
| 81 | |
| 82 | /* 3) Output the results. |
| 83 | * |
| 84 | * These are already in @cipher due to the location of temporary |
| 85 | * variables. |
| 86 | */ |
| 87 | |
| 88 | return 0; |
| 89 | } |
| 90 | |
| 91 | #endif /* CONFIG_NO_AES_WRAP */ |
| 92 | |
| 93 | |
| 94 | /** |
| 95 | * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) |
| 96 | * @kek: Key encryption key (KEK) |
| 97 | * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 |
| 98 | * bytes |
| 99 | * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits |
| 100 | * @plain: Plaintext key, n * 64 bits |
| 101 | * Returns: 0 on success, -1 on failure (e.g., integrity verification failed) |
| 102 | */ |
| 103 | int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) |
| 104 | { |
| 105 | u8 a[8], *r, b[16]; |
| 106 | int i, j; |
| 107 | void *ctx; |
| 108 | |
| 109 | /* 1) Initialize variables. */ |
| 110 | os_memcpy(a, cipher, 8); |
| 111 | r = plain; |
| 112 | os_memcpy(r, cipher + 8, 8 * n); |
| 113 | |
| 114 | ctx = aes_decrypt_init(kek, 16); |
| 115 | if (ctx == NULL) |
| 116 | return -1; |
| 117 | |
| 118 | /* 2) Compute intermediate values. |
| 119 | * For j = 5 to 0 |
| 120 | * For i = n to 1 |
| 121 | * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i |
| 122 | * A = MSB(64, B) |
| 123 | * R[i] = LSB(64, B) |
| 124 | */ |
| 125 | for (j = 5; j >= 0; j--) { |
| 126 | r = plain + (n - 1) * 8; |
| 127 | for (i = n; i >= 1; i--) { |
| 128 | os_memcpy(b, a, 8); |
| 129 | b[7] ^= n * j + i; |
| 130 | |
| 131 | os_memcpy(b + 8, r, 8); |
| 132 | aes_decrypt(ctx, b, b); |
| 133 | os_memcpy(a, b, 8); |
| 134 | os_memcpy(r, b + 8, 8); |
| 135 | r -= 8; |
| 136 | } |
| 137 | } |
| 138 | aes_decrypt_deinit(ctx); |
| 139 | |
| 140 | /* 3) Output results. |
| 141 | * |
| 142 | * These are already in @plain due to the location of temporary |
| 143 | * variables. Just verify that the IV matches with the expected value. |
| 144 | */ |
| 145 | for (i = 0; i < 8; i++) { |
| 146 | if (a[i] != 0xa6) |
| 147 | return -1; |
| 148 | } |
| 149 | |
| 150 | return 0; |
| 151 | } |
| 152 | |
| 153 | |
| 154 | #define BLOCK_SIZE 16 |
| 155 | |
| 156 | #ifndef CONFIG_NO_AES_OMAC1 |
| 157 | |
| 158 | static void gf_mulx(u8 *pad) |
| 159 | { |
| 160 | int i, carry; |
| 161 | |
| 162 | carry = pad[0] & 0x80; |
| 163 | for (i = 0; i < BLOCK_SIZE - 1; i++) |
| 164 | pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); |
| 165 | pad[BLOCK_SIZE - 1] <<= 1; |
| 166 | if (carry) |
| 167 | pad[BLOCK_SIZE - 1] ^= 0x87; |
| 168 | } |
| 169 | |
| 170 | |
| 171 | /** |
| 172 | * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 |
| 173 | * @key: 128-bit key for the hash operation |
| 174 | * @num_elem: Number of elements in the data vector |
| 175 | * @addr: Pointers to the data areas |
| 176 | * @len: Lengths of the data blocks |
| 177 | * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) |
| 178 | * Returns: 0 on success, -1 on failure |
| 179 | */ |
| 180 | int omac1_aes_128_vector(const u8 *key, size_t num_elem, |
| 181 | const u8 *addr[], const size_t *len, u8 *mac) |
| 182 | { |
| 183 | void *ctx; |
| 184 | u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE]; |
| 185 | const u8 *pos, *end; |
| 186 | size_t i, e, left, total_len; |
| 187 | |
| 188 | ctx = aes_encrypt_init(key, 16); |
| 189 | if (ctx == NULL) |
| 190 | return -1; |
| 191 | os_memset(cbc, 0, BLOCK_SIZE); |
| 192 | |
| 193 | total_len = 0; |
| 194 | for (e = 0; e < num_elem; e++) |
| 195 | total_len += len[e]; |
| 196 | left = total_len; |
| 197 | |
| 198 | e = 0; |
| 199 | pos = addr[0]; |
| 200 | end = pos + len[0]; |
| 201 | |
| 202 | while (left >= BLOCK_SIZE) { |
| 203 | for (i = 0; i < BLOCK_SIZE; i++) { |
| 204 | cbc[i] ^= *pos++; |
| 205 | if (pos >= end) { |
| 206 | e++; |
| 207 | pos = addr[e]; |
| 208 | end = pos + len[e]; |
| 209 | } |
| 210 | } |
| 211 | if (left > BLOCK_SIZE) |
| 212 | aes_encrypt(ctx, cbc, cbc); |
| 213 | left -= BLOCK_SIZE; |
| 214 | } |
| 215 | |
| 216 | os_memset(pad, 0, BLOCK_SIZE); |
| 217 | aes_encrypt(ctx, pad, pad); |
| 218 | gf_mulx(pad); |
| 219 | |
| 220 | if (left || total_len == 0) { |
| 221 | for (i = 0; i < left; i++) { |
| 222 | cbc[i] ^= *pos++; |
| 223 | if (pos >= end) { |
| 224 | e++; |
| 225 | pos = addr[e]; |
| 226 | end = pos + len[e]; |
| 227 | } |
| 228 | } |
| 229 | cbc[left] ^= 0x80; |
| 230 | gf_mulx(pad); |
| 231 | } |
| 232 | |
| 233 | for (i = 0; i < BLOCK_SIZE; i++) |
| 234 | pad[i] ^= cbc[i]; |
| 235 | aes_encrypt(ctx, pad, mac); |
| 236 | aes_encrypt_deinit(ctx); |
| 237 | return 0; |
| 238 | } |
| 239 | |
| 240 | |
| 241 | /** |
| 242 | * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) |
| 243 | * @key: 128-bit key for the hash operation |
| 244 | * @data: Data buffer for which a MAC is determined |
| 245 | * @data_len: Length of data buffer in bytes |
| 246 | * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) |
| 247 | * Returns: 0 on success, -1 on failure |
| 248 | * |
| 249 | * This is a mode for using block cipher (AES in this case) for authentication. |
| 250 | * OMAC1 was standardized with the name CMAC by NIST in a Special Publication |
| 251 | * (SP) 800-38B. |
| 252 | */ |
| 253 | int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) |
| 254 | { |
| 255 | return omac1_aes_128_vector(key, 1, &data, &data_len, mac); |
| 256 | } |
| 257 | |
| 258 | #endif /* CONFIG_NO_AES_OMAC1 */ |
| 259 | |
| 260 | |
| 261 | /** |
| 262 | * aes_128_encrypt_block - Perform one AES 128-bit block operation |
| 263 | * @key: Key for AES |
| 264 | * @in: Input data (16 bytes) |
| 265 | * @out: Output of the AES block operation (16 bytes) |
| 266 | * Returns: 0 on success, -1 on failure |
| 267 | */ |
| 268 | int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out) |
| 269 | { |
| 270 | void *ctx; |
| 271 | ctx = aes_encrypt_init(key, 16); |
| 272 | if (ctx == NULL) |
| 273 | return -1; |
| 274 | aes_encrypt(ctx, in, out); |
| 275 | aes_encrypt_deinit(ctx); |
| 276 | return 0; |
| 277 | } |
| 278 | |
| 279 | |
| 280 | #ifndef CONFIG_NO_AES_CTR |
| 281 | |
| 282 | /** |
| 283 | * aes_128_ctr_encrypt - AES-128 CTR mode encryption |
| 284 | * @key: Key for encryption (16 bytes) |
| 285 | * @nonce: Nonce for counter mode (16 bytes) |
| 286 | * @data: Data to encrypt in-place |
| 287 | * @data_len: Length of data in bytes |
| 288 | * Returns: 0 on success, -1 on failure |
| 289 | */ |
| 290 | int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce, |
| 291 | u8 *data, size_t data_len) |
| 292 | { |
| 293 | void *ctx; |
| 294 | size_t j, len, left = data_len; |
| 295 | int i; |
| 296 | u8 *pos = data; |
| 297 | u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE]; |
| 298 | |
| 299 | ctx = aes_encrypt_init(key, 16); |
| 300 | if (ctx == NULL) |
| 301 | return -1; |
| 302 | os_memcpy(counter, nonce, BLOCK_SIZE); |
| 303 | |
| 304 | while (left > 0) { |
| 305 | aes_encrypt(ctx, counter, buf); |
| 306 | |
| 307 | len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE; |
| 308 | for (j = 0; j < len; j++) |
| 309 | pos[j] ^= buf[j]; |
| 310 | pos += len; |
| 311 | left -= len; |
| 312 | |
| 313 | for (i = BLOCK_SIZE - 1; i >= 0; i--) { |
| 314 | counter[i]++; |
| 315 | if (counter[i]) |
| 316 | break; |
| 317 | } |
| 318 | } |
| 319 | aes_encrypt_deinit(ctx); |
| 320 | return 0; |
| 321 | } |
| 322 | |
| 323 | #endif /* CONFIG_NO_AES_CTR */ |
| 324 | |
| 325 | |
| 326 | #ifndef CONFIG_NO_AES_EAX |
| 327 | |
| 328 | /** |
| 329 | * aes_128_eax_encrypt - AES-128 EAX mode encryption |
| 330 | * @key: Key for encryption (16 bytes) |
| 331 | * @nonce: Nonce for counter mode |
| 332 | * @nonce_len: Nonce length in bytes |
| 333 | * @hdr: Header data to be authenticity protected |
| 334 | * @hdr_len: Length of the header data bytes |
| 335 | * @data: Data to encrypt in-place |
| 336 | * @data_len: Length of data in bytes |
| 337 | * @tag: 16-byte tag value |
| 338 | * Returns: 0 on success, -1 on failure |
| 339 | */ |
| 340 | int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len, |
| 341 | const u8 *hdr, size_t hdr_len, |
| 342 | u8 *data, size_t data_len, u8 *tag) |
| 343 | { |
| 344 | u8 *buf; |
| 345 | size_t buf_len; |
| 346 | u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE]; |
| 347 | int i; |
| 348 | |
| 349 | if (nonce_len > data_len) |
| 350 | buf_len = nonce_len; |
| 351 | else |
| 352 | buf_len = data_len; |
| 353 | if (hdr_len > buf_len) |
| 354 | buf_len = hdr_len; |
| 355 | buf_len += 16; |
| 356 | |
| 357 | buf = os_malloc(buf_len); |
| 358 | if (buf == NULL) |
| 359 | return -1; |
| 360 | |
| 361 | os_memset(buf, 0, 15); |
| 362 | |
| 363 | buf[15] = 0; |
| 364 | os_memcpy(buf + 16, nonce, nonce_len); |
| 365 | omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac); |
| 366 | |
| 367 | buf[15] = 1; |
| 368 | os_memcpy(buf + 16, hdr, hdr_len); |
| 369 | omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac); |
| 370 | |
| 371 | aes_128_ctr_encrypt(key, nonce_mac, data, data_len); |
| 372 | buf[15] = 2; |
| 373 | os_memcpy(buf + 16, data, data_len); |
| 374 | omac1_aes_128(key, buf, 16 + data_len, data_mac); |
| 375 | |
| 376 | os_free(buf); |
| 377 | |
| 378 | for (i = 0; i < BLOCK_SIZE; i++) |
| 379 | tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]; |
| 380 | |
| 381 | return 0; |
| 382 | } |
| 383 | |
| 384 | |
| 385 | /** |
| 386 | * aes_128_eax_decrypt - AES-128 EAX mode decryption |
| 387 | * @key: Key for decryption (16 bytes) |
| 388 | * @nonce: Nonce for counter mode |
| 389 | * @nonce_len: Nonce length in bytes |
| 390 | * @hdr: Header data to be authenticity protected |
| 391 | * @hdr_len: Length of the header data bytes |
| 392 | * @data: Data to encrypt in-place |
| 393 | * @data_len: Length of data in bytes |
| 394 | * @tag: 16-byte tag value |
| 395 | * Returns: 0 on success, -1 on failure, -2 if tag does not match |
| 396 | */ |
| 397 | int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len, |
| 398 | const u8 *hdr, size_t hdr_len, |
| 399 | u8 *data, size_t data_len, const u8 *tag) |
| 400 | { |
| 401 | u8 *buf; |
| 402 | size_t buf_len; |
| 403 | u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE]; |
| 404 | int i; |
| 405 | |
| 406 | if (nonce_len > data_len) |
| 407 | buf_len = nonce_len; |
| 408 | else |
| 409 | buf_len = data_len; |
| 410 | if (hdr_len > buf_len) |
| 411 | buf_len = hdr_len; |
| 412 | buf_len += 16; |
| 413 | |
| 414 | buf = os_malloc(buf_len); |
| 415 | if (buf == NULL) |
| 416 | return -1; |
| 417 | |
| 418 | os_memset(buf, 0, 15); |
| 419 | |
| 420 | buf[15] = 0; |
| 421 | os_memcpy(buf + 16, nonce, nonce_len); |
| 422 | omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac); |
| 423 | |
| 424 | buf[15] = 1; |
| 425 | os_memcpy(buf + 16, hdr, hdr_len); |
| 426 | omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac); |
| 427 | |
| 428 | buf[15] = 2; |
| 429 | os_memcpy(buf + 16, data, data_len); |
| 430 | omac1_aes_128(key, buf, 16 + data_len, data_mac); |
| 431 | |
| 432 | os_free(buf); |
| 433 | |
| 434 | for (i = 0; i < BLOCK_SIZE; i++) { |
| 435 | if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i])) |
| 436 | return -2; |
| 437 | } |
| 438 | |
| 439 | aes_128_ctr_encrypt(key, nonce_mac, data, data_len); |
| 440 | |
| 441 | return 0; |
| 442 | } |
| 443 | |
| 444 | #endif /* CONFIG_NO_AES_EAX */ |
| 445 | |
| 446 | |
| 447 | #ifndef CONFIG_NO_AES_CBC |
| 448 | |
| 449 | /** |
| 450 | * aes_128_cbc_encrypt - AES-128 CBC encryption |
| 451 | * @key: Encryption key |
| 452 | * @iv: Encryption IV for CBC mode (16 bytes) |
| 453 | * @data: Data to encrypt in-place |
| 454 | * @data_len: Length of data in bytes (must be divisible by 16) |
| 455 | * Returns: 0 on success, -1 on failure |
| 456 | */ |
| 457 | int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) |
| 458 | { |
| 459 | void *ctx; |
| 460 | u8 cbc[BLOCK_SIZE]; |
| 461 | u8 *pos = data; |
| 462 | int i, j, blocks; |
| 463 | |
| 464 | ctx = aes_encrypt_init(key, 16); |
| 465 | if (ctx == NULL) |
| 466 | return -1; |
| 467 | os_memcpy(cbc, iv, BLOCK_SIZE); |
| 468 | |
| 469 | blocks = data_len / BLOCK_SIZE; |
| 470 | for (i = 0; i < blocks; i++) { |
| 471 | for (j = 0; j < BLOCK_SIZE; j++) |
| 472 | cbc[j] ^= pos[j]; |
| 473 | aes_encrypt(ctx, cbc, cbc); |
| 474 | os_memcpy(pos, cbc, BLOCK_SIZE); |
| 475 | pos += BLOCK_SIZE; |
| 476 | } |
| 477 | aes_encrypt_deinit(ctx); |
| 478 | return 0; |
| 479 | } |
| 480 | |
| 481 | |
| 482 | /** |
| 483 | * aes_128_cbc_decrypt - AES-128 CBC decryption |
| 484 | * @key: Decryption key |
| 485 | * @iv: Decryption IV for CBC mode (16 bytes) |
| 486 | * @data: Data to decrypt in-place |
| 487 | * @data_len: Length of data in bytes (must be divisible by 16) |
| 488 | * Returns: 0 on success, -1 on failure |
| 489 | */ |
| 490 | int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) |
| 491 | { |
| 492 | void *ctx; |
| 493 | u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE]; |
| 494 | u8 *pos = data; |
| 495 | int i, j, blocks; |
| 496 | |
| 497 | ctx = aes_decrypt_init(key, 16); |
| 498 | if (ctx == NULL) |
| 499 | return -1; |
| 500 | os_memcpy(cbc, iv, BLOCK_SIZE); |
| 501 | |
| 502 | blocks = data_len / BLOCK_SIZE; |
| 503 | for (i = 0; i < blocks; i++) { |
| 504 | os_memcpy(tmp, pos, BLOCK_SIZE); |
| 505 | aes_decrypt(ctx, pos, pos); |
| 506 | for (j = 0; j < BLOCK_SIZE; j++) |
| 507 | pos[j] ^= cbc[j]; |
| 508 | os_memcpy(cbc, tmp, BLOCK_SIZE); |
| 509 | pos += BLOCK_SIZE; |
| 510 | } |
| 511 | aes_decrypt_deinit(ctx); |
| 512 | return 0; |
| 513 | } |
| 514 | |
| 515 | #endif /* CONFIG_NO_AES_CBC */ |