aes-eax.c revision 267654
1156952Sume/* 2156952Sume * AES-128 EAX 3156952Sume * 4156952Sume * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 5156952Sume * 6156952Sume * This program is free software; you can redistribute it and/or modify 7156952Sume * it under the terms of the GNU General Public License version 2 as 8156952Sume * published by the Free Software Foundation. 9156952Sume * 10156952Sume * Alternatively, this software may be distributed under the terms of BSD 11156952Sume * license. 12156952Sume * 13156952Sume * See README and COPYING for more details. 14156952Sume */ 15156952Sume 16156952Sume#include "includes.h" 17156952Sume 18156952Sume#include "common.h" 19156952Sume#include "aes.h" 20156952Sume#include "aes_wrap.h" 21156952Sume 22156952Sume/** 23156952Sume * aes_128_eax_encrypt - AES-128 EAX mode encryption 24156952Sume * @key: Key for encryption (16 bytes) 25156956Sume * @nonce: Nonce for counter mode 26156956Sume * @nonce_len: Nonce length in bytes 27156952Sume * @hdr: Header data to be authenticity protected 28156952Sume * @hdr_len: Length of the header data bytes 29156952Sume * @data: Data to encrypt in-place 30156952Sume * @data_len: Length of data in bytes 31156956Sume * @tag: 16-byte tag value 32156952Sume * Returns: 0 on success, -1 on failure 33156956Sume */ 34156952Sumeint aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 35156952Sume const u8 *hdr, size_t hdr_len, 36156952Sume u8 *data, size_t data_len, u8 *tag) 37156956Sume{ 38156952Sume u8 *buf; 39156956Sume size_t buf_len; 40156952Sume u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE], 41156952Sume data_mac[AES_BLOCK_SIZE]; 42156952Sume int i, ret = -1; 43156952Sume 44156952Sume if (nonce_len > data_len) 45156952Sume buf_len = nonce_len; 46156952Sume else 47156952Sume buf_len = data_len; 48156952Sume if (hdr_len > buf_len) 49156952Sume buf_len = hdr_len; 50156952Sume buf_len += 16; 51156952Sume 52156956Sume buf = os_malloc(buf_len); 53156956Sume if (buf == NULL) 54156956Sume return -1; 55156952Sume 56156952Sume os_memset(buf, 0, 15); 57156952Sume 58156952Sume buf[15] = 0; 59156952Sume os_memcpy(buf + 16, nonce, nonce_len); 60156952Sume if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) 61156952Sume goto fail; 62156952Sume 63156952Sume buf[15] = 1; 64156952Sume os_memcpy(buf + 16, hdr, hdr_len); 65156952Sume if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) 66156952Sume goto fail; 67156952Sume 68156952Sume if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len)) 69156952Sume goto fail; 70156956Sume buf[15] = 2; 71156952Sume os_memcpy(buf + 16, data, data_len); 72156952Sume if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) 73156952Sume goto fail; 74156952Sume 75156952Sume for (i = 0; i < AES_BLOCK_SIZE; i++) 76156952Sume tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]; 77156952Sume 78156952Sume ret = 0; 79156952Sumefail: 80156952Sume os_free(buf); 81156952Sume 82156952Sume return ret; 83156952Sume} 84156952Sume 85156952Sume 86156952Sume/** 87156952Sume * aes_128_eax_decrypt - AES-128 EAX mode decryption 88156952Sume * @key: Key for decryption (16 bytes) 89156952Sume * @nonce: Nonce for counter mode 90156952Sume * @nonce_len: Nonce length in bytes 91156952Sume * @hdr: Header data to be authenticity protected 92156952Sume * @hdr_len: Length of the header data bytes 93156952Sume * @data: Data to encrypt in-place 94156952Sume * @data_len: Length of data in bytes 95156952Sume * @tag: 16-byte tag value 96156952Sume * Returns: 0 on success, -1 on failure, -2 if tag does not match 97156952Sume */ 98156952Sumeint aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 99156952Sume const u8 *hdr, size_t hdr_len, 100156952Sume u8 *data, size_t data_len, const u8 *tag) 101156952Sume{ 102156952Sume u8 *buf; 103156952Sume size_t buf_len; 104156952Sume u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE], 105156952Sume data_mac[AES_BLOCK_SIZE]; 106156952Sume int i; 107156952Sume 108156952Sume if (nonce_len > data_len) 109156952Sume buf_len = nonce_len; 110156952Sume else 111156952Sume buf_len = data_len; 112156952Sume if (hdr_len > buf_len) 113156952Sume buf_len = hdr_len; 114156952Sume buf_len += 16; 115156952Sume 116156952Sume buf = os_malloc(buf_len); 117156952Sume if (buf == NULL) 118156952Sume return -1; 119156952Sume 120156952Sume os_memset(buf, 0, 15); 121156952Sume 122156952Sume buf[15] = 0; 123156952Sume os_memcpy(buf + 16, nonce, nonce_len); 124156952Sume if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) { 125156952Sume os_free(buf); 126156952Sume return -1; 127156952Sume } 128156952Sume 129156952Sume buf[15] = 1; 130156952Sume os_memcpy(buf + 16, hdr, hdr_len); 131156952Sume if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) { 132156952Sume os_free(buf); 133156952Sume return -1; 134156952Sume } 135156952Sume 136156952Sume buf[15] = 2; 137156952Sume os_memcpy(buf + 16, data, data_len); 138156952Sume if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) { 139156952Sume os_free(buf); 140156952Sume return -1; 141156952Sume } 142156952Sume 143156952Sume os_free(buf); 144156952Sume 145156952Sume for (i = 0; i < AES_BLOCK_SIZE; i++) { 146156952Sume if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i])) 147156952Sume return -2; 148156952Sume } 149156952Sume 150156952Sume return aes_128_ctr_encrypt(key, nonce_mac, data, data_len); 151156956Sume} 152156952Sume