xref: /freebsd/contrib/wpa/src/crypto/aes-omac1.c (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1 /*
2  * One-key CBC MAC (OMAC1) hash with AES-128
3  *
4  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  *
10  * Alternatively, this software may be distributed under the terms of BSD
11  * license.
12  *
13  * See README and COPYING for more details.
14  */
15 
16 #include "includes.h"
17 
18 #include "common.h"
19 #include "aes.h"
20 #include "aes_wrap.h"
21 
22 static void gf_mulx(u8 *pad)
23 {
24 	int i, carry;
25 
26 	carry = pad[0] & 0x80;
27 	for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
28 		pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
29 	pad[AES_BLOCK_SIZE - 1] <<= 1;
30 	if (carry)
31 		pad[AES_BLOCK_SIZE - 1] ^= 0x87;
32 }
33 
34 
35 /**
36  * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
37  * @key: 128-bit key for the hash operation
38  * @num_elem: Number of elements in the data vector
39  * @addr: Pointers to the data areas
40  * @len: Lengths of the data blocks
41  * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
42  * Returns: 0 on success, -1 on failure
43  *
44  * This is a mode for using block cipher (AES in this case) for authentication.
45  * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
46  * (SP) 800-38B.
47  */
48 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
49 			 const u8 *addr[], const size_t *len, u8 *mac)
50 {
51 	void *ctx;
52 	u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
53 	const u8 *pos, *end;
54 	size_t i, e, left, total_len;
55 
56 	ctx = aes_encrypt_init(key, 16);
57 	if (ctx == NULL)
58 		return -1;
59 	os_memset(cbc, 0, AES_BLOCK_SIZE);
60 
61 	total_len = 0;
62 	for (e = 0; e < num_elem; e++)
63 		total_len += len[e];
64 	left = total_len;
65 
66 	e = 0;
67 	pos = addr[0];
68 	end = pos + len[0];
69 
70 	while (left >= AES_BLOCK_SIZE) {
71 		for (i = 0; i < AES_BLOCK_SIZE; i++) {
72 			cbc[i] ^= *pos++;
73 			if (pos >= end) {
74 				e++;
75 				pos = addr[e];
76 				end = pos + len[e];
77 			}
78 		}
79 		if (left > AES_BLOCK_SIZE)
80 			aes_encrypt(ctx, cbc, cbc);
81 		left -= AES_BLOCK_SIZE;
82 	}
83 
84 	os_memset(pad, 0, AES_BLOCK_SIZE);
85 	aes_encrypt(ctx, pad, pad);
86 	gf_mulx(pad);
87 
88 	if (left || total_len == 0) {
89 		for (i = 0; i < left; i++) {
90 			cbc[i] ^= *pos++;
91 			if (pos >= end) {
92 				e++;
93 				pos = addr[e];
94 				end = pos + len[e];
95 			}
96 		}
97 		cbc[left] ^= 0x80;
98 		gf_mulx(pad);
99 	}
100 
101 	for (i = 0; i < AES_BLOCK_SIZE; i++)
102 		pad[i] ^= cbc[i];
103 	aes_encrypt(ctx, pad, mac);
104 	aes_encrypt_deinit(ctx);
105 	return 0;
106 }
107 
108 
109 /**
110  * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
111  * @key: 128-bit key for the hash operation
112  * @data: Data buffer for which a MAC is determined
113  * @data_len: Length of data buffer in bytes
114  * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
115  * Returns: 0 on success, -1 on failure
116  *
117  * This is a mode for using block cipher (AES in this case) for authentication.
118  * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
119  * (SP) 800-38B.
120  */
121 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
122 {
123 	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
124 }
125