1/*
2 * One-key CBC MAC (OMAC1) hash with AES-128
3 *
4 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 * Alternatively, this software may be distributed under the terms of BSD
11 * license.
12 *
13 * See README and COPYING for more details.
14 */
15
16#include "includes.h"
17
18#include "common.h"
19#include "aes.h"
20#include "aes_wrap.h"
21
22static void gf_mulx(u8 *pad)
23{
24	int i, carry;
25
26	carry = pad[0] & 0x80;
27	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
28		pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
29	pad[AES_BLOCK_SIZE - 1] <<= 1;
30	if (carry)
31		pad[AES_BLOCK_SIZE - 1] ^= 0x87;
32}
33
34
35/**
36 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
37 * @key: 128-bit key for the hash operation
38 * @num_elem: Number of elements in the data vector
39 * @addr: Pointers to the data areas
40 * @len: Lengths of the data blocks
41 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
42 * Returns: 0 on success, -1 on failure
43 *
44 * This is a mode for using block cipher (AES in this case) for authentication.
45 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
46 * (SP) 800-38B.
47 */
48int omac1_aes_128_vector(const u8 *key, size_t num_elem,
49			 const u8 *addr[], const size_t *len, u8 *mac)
50{
51	void *ctx;
52	u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
53	const u8 *pos, *end;
54	size_t i, e, left, total_len;
55
56	ctx = aes_encrypt_init(key, 16);
57	if (ctx == NULL)
58		return -1;
59	os_memset(cbc, 0, AES_BLOCK_SIZE);
60
61	total_len = 0;
62	for (e = 0; e < num_elem; e++)
63		total_len += len[e];
64	left = total_len;
65
66	e = 0;
67	pos = addr[0];
68	end = pos + len[0];
69
70	while (left >= AES_BLOCK_SIZE) {
71		for (i = 0; i < AES_BLOCK_SIZE; i++) {
72			cbc[i] ^= *pos++;
73			if (pos >= end) {
74				e++;
75				pos = addr[e];
76				end = pos + len[e];
77			}
78		}
79		if (left > AES_BLOCK_SIZE)
80			aes_encrypt(ctx, cbc, cbc);
81		left -= AES_BLOCK_SIZE;
82	}
83
84	os_memset(pad, 0, AES_BLOCK_SIZE);
85	aes_encrypt(ctx, pad, pad);
86	gf_mulx(pad);
87
88	if (left || total_len == 0) {
89		for (i = 0; i < left; i++) {
90			cbc[i] ^= *pos++;
91			if (pos >= end) {
92				e++;
93				pos = addr[e];
94				end = pos + len[e];
95			}
96		}
97		cbc[left] ^= 0x80;
98		gf_mulx(pad);
99	}
100
101	for (i = 0; i < AES_BLOCK_SIZE; i++)
102		pad[i] ^= cbc[i];
103	aes_encrypt(ctx, pad, mac);
104	aes_encrypt_deinit(ctx);
105	return 0;
106}
107
108
109/**
110 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
111 * @key: 128-bit key for the hash operation
112 * @data: Data buffer for which a MAC is determined
113 * @data_len: Length of data buffer in bytes
114 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
115 * Returns: 0 on success, -1 on failure
116 *
117 * This is a mode for using block cipher (AES in this case) for authentication.
118 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
119 * (SP) 800-38B.
120 */
121int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
122{
123	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
124}
125