1 /* 2 * One-key CBC MAC (OMAC1) hash with AES-128 3 * 4 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10 #include "includes.h" 11 12 #include "common.h" 13 #include "aes.h" 14 #include "aes_wrap.h" 15 16 static void gf_mulx(u8 *pad) 17 { 18 int i, carry; 19 20 carry = pad[0] & 0x80; 21 for (i = 0; i < AES_BLOCK_SIZE - 1; i++) 22 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); 23 pad[AES_BLOCK_SIZE - 1] <<= 1; 24 if (carry) 25 pad[AES_BLOCK_SIZE - 1] ^= 0x87; 26 } 27 28 29 /** 30 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 31 * @key: 128-bit key for the hash operation 32 * @num_elem: Number of elements in the data vector 33 * @addr: Pointers to the data areas 34 * @len: Lengths of the data blocks 35 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 36 * Returns: 0 on success, -1 on failure 37 * 38 * This is a mode for using block cipher (AES in this case) for authentication. 39 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 40 * (SP) 800-38B. 41 */ 42 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 43 const u8 *addr[], const size_t *len, u8 *mac) 44 { 45 void *ctx; 46 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE]; 47 const u8 *pos, *end; 48 size_t i, e, left, total_len; 49 50 ctx = aes_encrypt_init(key, 16); 51 if (ctx == NULL) 52 return -1; 53 os_memset(cbc, 0, AES_BLOCK_SIZE); 54 55 total_len = 0; 56 for (e = 0; e < num_elem; e++) 57 total_len += len[e]; 58 left = total_len; 59 60 e = 0; 61 pos = addr[0]; 62 end = pos + len[0]; 63 64 while (left >= AES_BLOCK_SIZE) { 65 for (i = 0; i < AES_BLOCK_SIZE; i++) { 66 cbc[i] ^= *pos++; 67 if (pos >= end) { 68 e++; 69 pos = addr[e]; 70 end = pos + len[e]; 71 } 72 } 73 if (left > AES_BLOCK_SIZE) 74 aes_encrypt(ctx, cbc, cbc); 75 left -= AES_BLOCK_SIZE; 76 } 77 78 os_memset(pad, 0, AES_BLOCK_SIZE); 79 aes_encrypt(ctx, pad, pad); 80 gf_mulx(pad); 81 82 if (left || total_len == 0) { 83 for (i = 0; i < left; i++) { 84 cbc[i] ^= *pos++; 85 if (pos >= end) { 86 e++; 87 pos = addr[e]; 88 end = pos + len[e]; 89 } 90 } 91 cbc[left] ^= 0x80; 92 gf_mulx(pad); 93 } 94 95 for (i = 0; i < AES_BLOCK_SIZE; i++) 96 pad[i] ^= cbc[i]; 97 aes_encrypt(ctx, pad, mac); 98 aes_encrypt_deinit(ctx); 99 return 0; 100 } 101 102 103 /** 104 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) 105 * @key: 128-bit key for the hash operation 106 * @data: Data buffer for which a MAC is determined 107 * @data_len: Length of data buffer in bytes 108 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 109 * Returns: 0 on success, -1 on failure 110 * 111 * This is a mode for using block cipher (AES in this case) for authentication. 112 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 113 * (SP) 800-38B. 114 */ 115 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 116 { 117 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 118 } 119