xref: /freebsd/contrib/wpa/src/crypto/aes-eax.c (revision 416ba5c74546f32a993436a99516d35008e9f384) 
1e28a4053SRui Paulo /*
2e28a4053SRui Paulo  * AES-128 EAX
3e28a4053SRui Paulo  *
4e28a4053SRui Paulo  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5e28a4053SRui Paulo  *
6f05cddf9SRui Paulo  * This software may be distributed under the terms of the BSD license.
7f05cddf9SRui Paulo  * See README for more details.
8e28a4053SRui Paulo  */
9e28a4053SRui Paulo 
10e28a4053SRui Paulo #include "includes.h"
11e28a4053SRui Paulo 
12e28a4053SRui Paulo #include "common.h"
13e28a4053SRui Paulo #include "aes.h"
14e28a4053SRui Paulo #include "aes_wrap.h"
15e28a4053SRui Paulo 
16e28a4053SRui Paulo /**
17e28a4053SRui Paulo  * aes_128_eax_encrypt - AES-128 EAX mode encryption
18e28a4053SRui Paulo  * @key: Key for encryption (16 bytes)
19e28a4053SRui Paulo  * @nonce: Nonce for counter mode
20e28a4053SRui Paulo  * @nonce_len: Nonce length in bytes
21e28a4053SRui Paulo  * @hdr: Header data to be authenticity protected
22e28a4053SRui Paulo  * @hdr_len: Length of the header data bytes
23e28a4053SRui Paulo  * @data: Data to encrypt in-place
24e28a4053SRui Paulo  * @data_len: Length of data in bytes
25e28a4053SRui Paulo  * @tag: 16-byte tag value
26e28a4053SRui Paulo  * Returns: 0 on success, -1 on failure
27e28a4053SRui Paulo  */
aes_128_eax_encrypt(const u8 * key,const u8 * nonce,size_t nonce_len,const u8 * hdr,size_t hdr_len,u8 * data,size_t data_len,u8 * tag)28e28a4053SRui Paulo int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
29e28a4053SRui Paulo 			const u8 *hdr, size_t hdr_len,
30e28a4053SRui Paulo 			u8 *data, size_t data_len, u8 *tag)
31e28a4053SRui Paulo {
32e28a4053SRui Paulo 	u8 *buf;
33e28a4053SRui Paulo 	size_t buf_len;
34e28a4053SRui Paulo 	u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE],
35e28a4053SRui Paulo 		data_mac[AES_BLOCK_SIZE];
36e28a4053SRui Paulo 	int i, ret = -1;
37e28a4053SRui Paulo 
38e28a4053SRui Paulo 	if (nonce_len > data_len)
39e28a4053SRui Paulo 		buf_len = nonce_len;
40e28a4053SRui Paulo 	else
41e28a4053SRui Paulo 		buf_len = data_len;
42e28a4053SRui Paulo 	if (hdr_len > buf_len)
43e28a4053SRui Paulo 		buf_len = hdr_len;
44e28a4053SRui Paulo 	buf_len += 16;
45e28a4053SRui Paulo 
46e28a4053SRui Paulo 	buf = os_malloc(buf_len);
47e28a4053SRui Paulo 	if (buf == NULL)
48e28a4053SRui Paulo 		return -1;
49e28a4053SRui Paulo 
50e28a4053SRui Paulo 	os_memset(buf, 0, 15);
51e28a4053SRui Paulo 
52e28a4053SRui Paulo 	buf[15] = 0;
53e28a4053SRui Paulo 	os_memcpy(buf + 16, nonce, nonce_len);
54e28a4053SRui Paulo 	if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac))
55e28a4053SRui Paulo 		goto fail;
56e28a4053SRui Paulo 
57e28a4053SRui Paulo 	buf[15] = 1;
58e28a4053SRui Paulo 	os_memcpy(buf + 16, hdr, hdr_len);
59e28a4053SRui Paulo 	if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac))
60e28a4053SRui Paulo 		goto fail;
61e28a4053SRui Paulo 
62e28a4053SRui Paulo 	if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len))
63e28a4053SRui Paulo 		goto fail;
64e28a4053SRui Paulo 	buf[15] = 2;
65e28a4053SRui Paulo 	os_memcpy(buf + 16, data, data_len);
66e28a4053SRui Paulo 	if (omac1_aes_128(key, buf, 16 + data_len, data_mac))
67e28a4053SRui Paulo 		goto fail;
68e28a4053SRui Paulo 
69e28a4053SRui Paulo 	for (i = 0; i < AES_BLOCK_SIZE; i++)
70e28a4053SRui Paulo 		tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i];
71e28a4053SRui Paulo 
72e28a4053SRui Paulo 	ret = 0;
73e28a4053SRui Paulo fail:
74*5b9c547cSRui Paulo 	bin_clear_free(buf, buf_len);
75e28a4053SRui Paulo 
76e28a4053SRui Paulo 	return ret;
77e28a4053SRui Paulo }
78e28a4053SRui Paulo 
79e28a4053SRui Paulo 
80e28a4053SRui Paulo /**
81e28a4053SRui Paulo  * aes_128_eax_decrypt - AES-128 EAX mode decryption
82e28a4053SRui Paulo  * @key: Key for decryption (16 bytes)
83e28a4053SRui Paulo  * @nonce: Nonce for counter mode
84e28a4053SRui Paulo  * @nonce_len: Nonce length in bytes
85e28a4053SRui Paulo  * @hdr: Header data to be authenticity protected
86e28a4053SRui Paulo  * @hdr_len: Length of the header data bytes
87e28a4053SRui Paulo  * @data: Data to encrypt in-place
88e28a4053SRui Paulo  * @data_len: Length of data in bytes
89e28a4053SRui Paulo  * @tag: 16-byte tag value
90e28a4053SRui Paulo  * Returns: 0 on success, -1 on failure, -2 if tag does not match
91e28a4053SRui Paulo  */
aes_128_eax_decrypt(const u8 * key,const u8 * nonce,size_t nonce_len,const u8 * hdr,size_t hdr_len,u8 * data,size_t data_len,const u8 * tag)92e28a4053SRui Paulo int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len,
93e28a4053SRui Paulo 			const u8 *hdr, size_t hdr_len,
94e28a4053SRui Paulo 			u8 *data, size_t data_len, const u8 *tag)
95e28a4053SRui Paulo {
96e28a4053SRui Paulo 	u8 *buf;
97e28a4053SRui Paulo 	size_t buf_len;
98e28a4053SRui Paulo 	u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE],
99e28a4053SRui Paulo 		data_mac[AES_BLOCK_SIZE];
100e28a4053SRui Paulo 	int i;
101e28a4053SRui Paulo 
102e28a4053SRui Paulo 	if (nonce_len > data_len)
103e28a4053SRui Paulo 		buf_len = nonce_len;
104e28a4053SRui Paulo 	else
105e28a4053SRui Paulo 		buf_len = data_len;
106e28a4053SRui Paulo 	if (hdr_len > buf_len)
107e28a4053SRui Paulo 		buf_len = hdr_len;
108e28a4053SRui Paulo 	buf_len += 16;
109e28a4053SRui Paulo 
110e28a4053SRui Paulo 	buf = os_malloc(buf_len);
111e28a4053SRui Paulo 	if (buf == NULL)
112e28a4053SRui Paulo 		return -1;
113e28a4053SRui Paulo 
114e28a4053SRui Paulo 	os_memset(buf, 0, 15);
115e28a4053SRui Paulo 
116e28a4053SRui Paulo 	buf[15] = 0;
117e28a4053SRui Paulo 	os_memcpy(buf + 16, nonce, nonce_len);
118e28a4053SRui Paulo 	if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) {
119e28a4053SRui Paulo 		os_free(buf);
120e28a4053SRui Paulo 		return -1;
121e28a4053SRui Paulo 	}
122e28a4053SRui Paulo 
123e28a4053SRui Paulo 	buf[15] = 1;
124e28a4053SRui Paulo 	os_memcpy(buf + 16, hdr, hdr_len);
125e28a4053SRui Paulo 	if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) {
126e28a4053SRui Paulo 		os_free(buf);
127e28a4053SRui Paulo 		return -1;
128e28a4053SRui Paulo 	}
129e28a4053SRui Paulo 
130e28a4053SRui Paulo 	buf[15] = 2;
131e28a4053SRui Paulo 	os_memcpy(buf + 16, data, data_len);
132e28a4053SRui Paulo 	if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) {
133e28a4053SRui Paulo 		os_free(buf);
134e28a4053SRui Paulo 		return -1;
135e28a4053SRui Paulo 	}
136e28a4053SRui Paulo 
137e28a4053SRui Paulo 	os_free(buf);
138e28a4053SRui Paulo 
139e28a4053SRui Paulo 	for (i = 0; i < AES_BLOCK_SIZE; i++) {
140e28a4053SRui Paulo 		if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]))
141e28a4053SRui Paulo 			return -2;
142e28a4053SRui Paulo 	}
143e28a4053SRui Paulo 
144e28a4053SRui Paulo 	return aes_128_ctr_encrypt(key, nonce_mac, data, data_len);
145e28a4053SRui Paulo }
146