1214501Srpaulo/* 2214501Srpaulo * AES-128 EAX 3214501Srpaulo * 4214501Srpaulo * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 5214501Srpaulo * 6252726Srpaulo * This software may be distributed under the terms of the BSD license. 7252726Srpaulo * See README for more details. 8214501Srpaulo */ 9214501Srpaulo 10214501Srpaulo#include "includes.h" 11214501Srpaulo 12214501Srpaulo#include "common.h" 13214501Srpaulo#include "aes.h" 14214501Srpaulo#include "aes_wrap.h" 15214501Srpaulo 16214501Srpaulo/** 17214501Srpaulo * aes_128_eax_encrypt - AES-128 EAX mode encryption 18214501Srpaulo * @key: Key for encryption (16 bytes) 19214501Srpaulo * @nonce: Nonce for counter mode 20214501Srpaulo * @nonce_len: Nonce length in bytes 21214501Srpaulo * @hdr: Header data to be authenticity protected 22214501Srpaulo * @hdr_len: Length of the header data bytes 23214501Srpaulo * @data: Data to encrypt in-place 24214501Srpaulo * @data_len: Length of data in bytes 25214501Srpaulo * @tag: 16-byte tag value 26214501Srpaulo * Returns: 0 on success, -1 on failure 27214501Srpaulo */ 28214501Srpauloint aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 29214501Srpaulo const u8 *hdr, size_t hdr_len, 30214501Srpaulo u8 *data, size_t data_len, u8 *tag) 31214501Srpaulo{ 32214501Srpaulo u8 *buf; 33214501Srpaulo size_t buf_len; 34214501Srpaulo u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE], 35214501Srpaulo data_mac[AES_BLOCK_SIZE]; 36214501Srpaulo int i, ret = -1; 37214501Srpaulo 38214501Srpaulo if (nonce_len > data_len) 39214501Srpaulo buf_len = nonce_len; 40214501Srpaulo else 41214501Srpaulo buf_len = data_len; 42214501Srpaulo if (hdr_len > buf_len) 43214501Srpaulo buf_len = hdr_len; 44214501Srpaulo buf_len += 16; 45214501Srpaulo 46214501Srpaulo buf = os_malloc(buf_len); 47214501Srpaulo if (buf == NULL) 48214501Srpaulo return -1; 49214501Srpaulo 50214501Srpaulo os_memset(buf, 0, 15); 51214501Srpaulo 52214501Srpaulo buf[15] = 0; 53214501Srpaulo os_memcpy(buf + 16, nonce, nonce_len); 54214501Srpaulo if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) 55214501Srpaulo goto fail; 56214501Srpaulo 57214501Srpaulo buf[15] = 1; 58214501Srpaulo os_memcpy(buf + 16, hdr, hdr_len); 59214501Srpaulo if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) 60214501Srpaulo goto fail; 61214501Srpaulo 62214501Srpaulo if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len)) 63214501Srpaulo goto fail; 64214501Srpaulo buf[15] = 2; 65214501Srpaulo os_memcpy(buf + 16, data, data_len); 66214501Srpaulo if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) 67214501Srpaulo goto fail; 68214501Srpaulo 69214501Srpaulo for (i = 0; i < AES_BLOCK_SIZE; i++) 70214501Srpaulo tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]; 71214501Srpaulo 72214501Srpaulo ret = 0; 73214501Srpaulofail: 74214501Srpaulo os_free(buf); 75214501Srpaulo 76214501Srpaulo return ret; 77214501Srpaulo} 78214501Srpaulo 79214501Srpaulo 80214501Srpaulo/** 81214501Srpaulo * aes_128_eax_decrypt - AES-128 EAX mode decryption 82214501Srpaulo * @key: Key for decryption (16 bytes) 83214501Srpaulo * @nonce: Nonce for counter mode 84214501Srpaulo * @nonce_len: Nonce length in bytes 85214501Srpaulo * @hdr: Header data to be authenticity protected 86214501Srpaulo * @hdr_len: Length of the header data bytes 87214501Srpaulo * @data: Data to encrypt in-place 88214501Srpaulo * @data_len: Length of data in bytes 89214501Srpaulo * @tag: 16-byte tag value 90214501Srpaulo * Returns: 0 on success, -1 on failure, -2 if tag does not match 91214501Srpaulo */ 92214501Srpauloint aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 93214501Srpaulo const u8 *hdr, size_t hdr_len, 94214501Srpaulo u8 *data, size_t data_len, const u8 *tag) 95214501Srpaulo{ 96214501Srpaulo u8 *buf; 97214501Srpaulo size_t buf_len; 98214501Srpaulo u8 nonce_mac[AES_BLOCK_SIZE], hdr_mac[AES_BLOCK_SIZE], 99214501Srpaulo data_mac[AES_BLOCK_SIZE]; 100214501Srpaulo int i; 101214501Srpaulo 102214501Srpaulo if (nonce_len > data_len) 103214501Srpaulo buf_len = nonce_len; 104214501Srpaulo else 105214501Srpaulo buf_len = data_len; 106214501Srpaulo if (hdr_len > buf_len) 107214501Srpaulo buf_len = hdr_len; 108214501Srpaulo buf_len += 16; 109214501Srpaulo 110214501Srpaulo buf = os_malloc(buf_len); 111214501Srpaulo if (buf == NULL) 112214501Srpaulo return -1; 113214501Srpaulo 114214501Srpaulo os_memset(buf, 0, 15); 115214501Srpaulo 116214501Srpaulo buf[15] = 0; 117214501Srpaulo os_memcpy(buf + 16, nonce, nonce_len); 118214501Srpaulo if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) { 119214501Srpaulo os_free(buf); 120214501Srpaulo return -1; 121214501Srpaulo } 122214501Srpaulo 123214501Srpaulo buf[15] = 1; 124214501Srpaulo os_memcpy(buf + 16, hdr, hdr_len); 125214501Srpaulo if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) { 126214501Srpaulo os_free(buf); 127214501Srpaulo return -1; 128214501Srpaulo } 129214501Srpaulo 130214501Srpaulo buf[15] = 2; 131214501Srpaulo os_memcpy(buf + 16, data, data_len); 132214501Srpaulo if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) { 133214501Srpaulo os_free(buf); 134214501Srpaulo return -1; 135214501Srpaulo } 136214501Srpaulo 137214501Srpaulo os_free(buf); 138214501Srpaulo 139214501Srpaulo for (i = 0; i < AES_BLOCK_SIZE; i++) { 140214501Srpaulo if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i])) 141214501Srpaulo return -2; 142214501Srpaulo } 143214501Srpaulo 144214501Srpaulo return aes_128_ctr_encrypt(key, nonce_mac, data, data_len); 145214501Srpaulo} 146