xref: /freebsd/contrib/wpa/src/crypto/aes-omac1.c (revision 5dd76dd0cc19450133aa379ce0ce4a68ae07fb39)
1 /*
2  * One-key CBC MAC (OMAC1) hash with AES-128
3  *
4  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5  *
6  * This software may be distributed under the terms of the BSD license.
7  * See README for more details.
8  */
9 
10 #include "includes.h"
11 
12 #include "common.h"
13 #include "aes.h"
14 #include "aes_wrap.h"
15 
16 static void gf_mulx(u8 *pad)
17 {
18 	int i, carry;
19 
20 	carry = pad[0] & 0x80;
21 	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
22 		pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
23 	pad[AES_BLOCK_SIZE - 1] <<= 1;
24 	if (carry)
25 		pad[AES_BLOCK_SIZE - 1] ^= 0x87;
26 }
27 
28 
29 /**
30  * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
31  * @key: 128-bit key for the hash operation
32  * @num_elem: Number of elements in the data vector
33  * @addr: Pointers to the data areas
34  * @len: Lengths of the data blocks
35  * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
36  * Returns: 0 on success, -1 on failure
37  *
38  * This is a mode for using block cipher (AES in this case) for authentication.
39  * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
40  * (SP) 800-38B.
41  */
42 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
43 			 const u8 *addr[], const size_t *len, u8 *mac)
44 {
45 	void *ctx;
46 	u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
47 	const u8 *pos, *end;
48 	size_t i, e, left, total_len;
49 
50 	ctx = aes_encrypt_init(key, 16);
51 	if (ctx == NULL)
52 		return -1;
53 	os_memset(cbc, 0, AES_BLOCK_SIZE);
54 
55 	total_len = 0;
56 	for (e = 0; e < num_elem; e++)
57 		total_len += len[e];
58 	left = total_len;
59 
60 	e = 0;
61 	pos = addr[0];
62 	end = pos + len[0];
63 
64 	while (left >= AES_BLOCK_SIZE) {
65 		for (i = 0; i < AES_BLOCK_SIZE; i++) {
66 			cbc[i] ^= *pos++;
67 			if (pos >= end) {
68 				e++;
69 				pos = addr[e];
70 				end = pos + len[e];
71 			}
72 		}
73 		if (left > AES_BLOCK_SIZE)
74 			aes_encrypt(ctx, cbc, cbc);
75 		left -= AES_BLOCK_SIZE;
76 	}
77 
78 	os_memset(pad, 0, AES_BLOCK_SIZE);
79 	aes_encrypt(ctx, pad, pad);
80 	gf_mulx(pad);
81 
82 	if (left || total_len == 0) {
83 		for (i = 0; i < left; i++) {
84 			cbc[i] ^= *pos++;
85 			if (pos >= end) {
86 				e++;
87 				pos = addr[e];
88 				end = pos + len[e];
89 			}
90 		}
91 		cbc[left] ^= 0x80;
92 		gf_mulx(pad);
93 	}
94 
95 	for (i = 0; i < AES_BLOCK_SIZE; i++)
96 		pad[i] ^= cbc[i];
97 	aes_encrypt(ctx, pad, mac);
98 	aes_encrypt_deinit(ctx);
99 	return 0;
100 }
101 
102 
103 /**
104  * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
105  * @key: 128-bit key for the hash operation
106  * @data: Data buffer for which a MAC is determined
107  * @data_len: Length of data buffer in bytes
108  * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
109  * Returns: 0 on success, -1 on failure
110  *
111  * This is a mode for using block cipher (AES in this case) for authentication.
112  * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
113  * (SP) 800-38B.
114  */
115 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
116 {
117 	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
118 }
119