aes-eax.c revision 267654 
1156952Sume/*
2156952Sume * AES-128 EAX
3156952Sume *
4156952Sume * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5156952Sume *
6156952Sume * This program is free software; you can redistribute it and/or modify
7156952Sume * it under the terms of the GNU General Public License version 2 as
8156952Sume * published by the Free Software Foundation.
9156952Sume *
10156952Sume * Alternatively, this software may be distributed under the terms of BSD
11156952Sume * license.
12156952Sume *
13156952Sume * See README and COPYING for more details.
14156952Sume */
15156952Sume
16156952Sume#include "includes.h"
17156952Sume
18156952Sume#include "common.h"
19156952Sume#include "aes.h"
20156952Sume#include "aes_wrap.h"
21156952Sume
22156952Sume/**
23156952Sume * aes_128_eax_encrypt - AES-128 EAX mode encryption
24156952Sume * @key: Key for encryption (16 bytes)
25156956Sume * @nonce: Nonce for counter mode
26156956Sume * @nonce_len: Nonce length in bytes
27156952Sume * @hdr: Header data to be authenticity protected
28156952Sume * @hdr_len: Length of the header data bytes
29156952Sume * @data: Data to encrypt in-place
30156952Sume * @data_len: Length of data in bytes
31156956Sume * @tag: 16-byte tag value
32156952Sume * Returns: 0 on success, -1 on failure
33156956Sume */
34156952Sumeint aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
35156952Sume			const u8 *hdr, size_t hdr_len,
36156952Sume			u8 *data, size_t data_len, u8 *tag)
37156956Sume{
38156952Sume	u8 *buf;
39156956Sume	size_t buf_len;
40156952Sume	u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE],
41156952Sume		data_mac[AES_BLOCK_SIZE];
42156952Sume	int i, ret = -1;
43156952Sume
44156952Sume	if (nonce_len > data_len)
45156952Sume		buf_len = nonce_len;
46156952Sume	else
47156952Sume		buf_len = data_len;
48156952Sume	if (hdr_len > buf_len)
49156952Sume		buf_len = hdr_len;
50156952Sume	buf_len += 16;
51156952Sume
52156956Sume	buf = os_malloc(buf_len);
53156956Sume	if (buf == NULL)
54156956Sume		return -1;
55156952Sume
56156952Sume	os_memset(buf, 0, 15);
57156952Sume
58156952Sume	buf[15] = 0;
59156952Sume	os_memcpy(buf + 16, nonce, nonce_len);
60156952Sume	if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac))
61156952Sume		goto fail;
62156952Sume
63156952Sume	buf[15] = 1;
64156952Sume	os_memcpy(buf + 16, hdr, hdr_len);
65156952Sume	if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac))
66156952Sume		goto fail;
67156952Sume
68156952Sume	if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len))
69156952Sume		goto fail;
70156956Sume	buf[15] = 2;
71156952Sume	os_memcpy(buf + 16, data, data_len);
72156952Sume	if (omac1_aes_128(key, buf, 16 + data_len, data_mac))
73156952Sume		goto fail;
74156952Sume
75156952Sume	for (i = 0; i < AES_BLOCK_SIZE; i++)
76156952Sume		tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
77156952Sume
78156952Sume	ret = 0;
79156952Sumefail:
80156952Sume	os_free(buf);
81156952Sume
82156952Sume	return ret;
83156952Sume}
84156952Sume
85156952Sume
86156952Sume/**
87156952Sume * aes_128_eax_decrypt - AES-128 EAX mode decryption
88156952Sume * @key: Key for decryption (16 bytes)
89156952Sume * @nonce: Nonce for counter mode
90156952Sume * @nonce_len: Nonce length in bytes
91156952Sume * @hdr: Header data to be authenticity protected
92156952Sume * @hdr_len: Length of the header data bytes
93156952Sume * @data: Data to encrypt in-place
94156952Sume * @data_len: Length of data in bytes
95156952Sume * @tag: 16-byte tag value
96156952Sume * Returns: 0 on success, -1 on failure, -2 if tag does not match
97156952Sume */
98156952Sumeint aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
99156952Sume			const u8 *hdr, size_t hdr_len,
100156952Sume			u8 *data, size_t data_len, const u8 *tag)
101156952Sume{
102156952Sume	u8 *buf;
103156952Sume	size_t buf_len;
104156952Sume	u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE],
105156952Sume		data_mac[AES_BLOCK_SIZE];
106156952Sume	int i;
107156952Sume
108156952Sume	if (nonce_len > data_len)
109156952Sume		buf_len = nonce_len;
110156952Sume	else
111156952Sume		buf_len = data_len;
112156952Sume	if (hdr_len > buf_len)
113156952Sume		buf_len = hdr_len;
114156952Sume	buf_len += 16;
115156952Sume
116156952Sume	buf = os_malloc(buf_len);
117156952Sume	if (buf == NULL)
118156952Sume		return -1;
119156952Sume
120156952Sume	os_memset(buf, 0, 15);
121156952Sume
122156952Sume	buf[15] = 0;
123156952Sume	os_memcpy(buf + 16, nonce, nonce_len);
124156952Sume	if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) {
125156952Sume		os_free(buf);
126156952Sume		return -1;
127156952Sume	}
128156952Sume
129156952Sume	buf[15] = 1;
130156952Sume	os_memcpy(buf + 16, hdr, hdr_len);
131156952Sume	if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) {
132156952Sume		os_free(buf);
133156952Sume		return -1;
134156952Sume	}
135156952Sume
136156952Sume	buf[15] = 2;
137156952Sume	os_memcpy(buf + 16, data, data_len);
138156952Sume	if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) {
139156952Sume		os_free(buf);
140156952Sume		return -1;
141156952Sume	}
142156952Sume
143156952Sume	os_free(buf);
144156952Sume
145156952Sume	for (i = 0; i < AES_BLOCK_SIZE; i++) {
146156952Sume		if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
147156952Sume			return -2;
148156952Sume	}
149156952Sume
150156952Sume	return aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
151156956Sume}
152156952Sume