Extend AES-SIV implementation to support different key lengths

The previous implementation was hardcoded to use 128-bit AES key
(AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384
and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

src/crypto/aes-ctr.c

@@ -1,5 +1,5 @@
 /*
- * AES-128 CTR
+ * AES-128/192/256 CTR
  *
  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
  *
@@ -14,15 +14,16 @@
 #include "aes_wrap.h"
 
 /**
- * aes_128_ctr_encrypt - AES-128 CTR mode encryption
- * @key: Key for encryption (16 bytes)
+ * aes_ctr_encrypt - AES-128/192/256 CTR mode encryption
+ * @key: Key for encryption (key_len bytes)
+ * @key_len: Length of the key (16, 24, or 32 bytes)
  * @nonce: Nonce for counter mode (16 bytes)
  * @data: Data to encrypt in-place
  * @data_len: Length of data in bytes
  * Returns: 0 on success, -1 on failure
  */
-int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
-			u8 *data, size_t data_len)
+int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
+		    u8 *data, size_t data_len)
 {
 	void *ctx;
 	size_t j, len, left = data_len;
@@ -30,7 +31,7 @@ int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
 	u8 *pos = data;
 	u8 counter[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
 
-	ctx = aes_encrypt_init(key, 16);
+	ctx = aes_encrypt_init(key, key_len);
 	if (ctx == NULL)
 		return -1;
 	os_memcpy(counter, nonce, AES_BLOCK_SIZE);
@@ -53,3 +54,18 @@ int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
 	aes_encrypt_deinit(ctx);
 	return 0;
 }
+
+
+/**
+ * aes_128_ctr_encrypt - AES-128 CTR mode encryption
+ * @key: Key for encryption (key_len bytes)
+ * @nonce: Nonce for counter mode (16 bytes)
+ * @data: Data to encrypt in-place
+ * @data_len: Length of data in bytes
+ * Returns: 0 on success, -1 on failure
+ */
+int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
+			u8 *data, size_t data_len)
+{
+	return aes_ctr_encrypt(key, 16, nonce, data, data_len);
+}

src/crypto/aes-siv.c

@@ -61,26 +61,33 @@ static void pad_block(u8 *pad, const u8 *addr, size_t len)
 }
 
 
-static int aes_s2v(const u8 *key, size_t num_elem, const u8 *addr[],
-		   size_t *len, u8 *mac)
+static int aes_s2v(const u8 *key, size_t key_len,
+		   size_t num_elem, const u8 *addr[], size_t *len, u8 *mac)
 {
 	u8 tmp[AES_BLOCK_SIZE], tmp2[AES_BLOCK_SIZE];
 	u8 *buf = NULL;
 	int ret;
 	size_t i;
+	const u8 *data[1];
+	size_t data_len[1];
 
 	if (!num_elem) {
 		os_memcpy(tmp, zero, sizeof(zero));
 		tmp[AES_BLOCK_SIZE - 1] = 1;
-		return omac1_aes_128(key, tmp, sizeof(tmp), mac);
+		data[0] = tmp;
+		data_len[0] = sizeof(tmp);
+		return omac1_aes_vector(key, key_len, 1, data, data_len, mac);
 	}
 
-	ret = omac1_aes_128(key, zero, sizeof(zero), tmp);
+	data[0] = zero;
+	data_len[0] = sizeof(zero);
+	ret = omac1_aes_vector(key, key_len, 1, data, data_len, tmp);
 	if (ret)
 		return ret;
 
 	for (i = 0; i < num_elem - 1; i++) {
-		ret = omac1_aes_128(key, addr[i], len[i], tmp2);
+		ret = omac1_aes_vector(key, key_len, 1, &addr[i], &len[i],
+				       tmp2);
 		if (ret)
 			return ret;
 
@@ -94,7 +101,8 @@ static int aes_s2v(const u8 *key, size_t num_elem, const u8 *addr[],
 
 		os_memcpy(buf, addr[i], len[i]);
 		xorend(buf, len[i], tmp, AES_BLOCK_SIZE);
-		ret = omac1_aes_128(key, buf, len[i], mac);
+		data[0] = buf;
+		ret = omac1_aes_vector(key, key_len, 1, data, &len[i], mac);
 		bin_clear_free(buf, len[i]);
 		return ret;
 	}
@@ -103,24 +111,32 @@ static int aes_s2v(const u8 *key, size_t num_elem, const u8 *addr[],
 	pad_block(tmp2, addr[i], len[i]);
 	xor(tmp, tmp2);
 
-	return omac1_aes_128(key, tmp, sizeof(tmp), mac);
+	data[0] = tmp;
+	data_len[0] = sizeof(tmp);
+	return omac1_aes_vector(key, key_len, 1, data, data_len, mac);
 }
 
 
-int aes_siv_encrypt(const u8 *key, const u8 *pw,
-		    size_t pwlen, size_t num_elem,
-		    const u8 *addr[], const size_t *len, u8 *out)
+int aes_siv_encrypt(const u8 *key, size_t key_len,
+		    const u8 *pw, size_t pwlen,
+		    size_t num_elem, const u8 *addr[], const size_t *len,
+		    u8 *out)
 {
 	const u8 *_addr[6];
 	size_t _len[6];
-	const u8 *k1 = key, *k2 = key + 16;
+	const u8 *k1, *k2;
 	u8 v[AES_BLOCK_SIZE];
 	size_t i;
 	u8 *iv, *crypt_pw;
 
-	if (num_elem > ARRAY_SIZE(_addr) - 1)
+	if (num_elem > ARRAY_SIZE(_addr) - 1 ||
+	    (key_len != 32 && key_len != 48 && key_len != 64))
 		return -1;
 
+	key_len /= 2;
+	k1 = key;
+	k2 = key + key_len;
+
 	for (i = 0; i < num_elem; i++) {
 		_addr[i] = addr[i];
 		_len[i] = len[i];
@@ -128,7 +144,7 @@ int aes_siv_encrypt(const u8 *key, const u8 *pw,
 	_addr[num_elem] = pw;
 	_len[num_elem] = pwlen;
 
-	if (aes_s2v(k1, num_elem + 1, _addr, _len, v))
+	if (aes_s2v(k1, key_len, num_elem + 1, _addr, _len, v))
 		return -1;
 
 	iv = out;
@@ -140,26 +156,31 @@ int aes_siv_encrypt(const u8 *key, const u8 *pw,
 	/* zero out 63rd and 31st bits of ctr (from right) */
 	v[8] &= 0x7f;
 	v[12] &= 0x7f;
-	return aes_128_ctr_encrypt(k2, v, crypt_pw, pwlen);
+	return aes_ctr_encrypt(k2, key_len, v, crypt_pw, pwlen);
 }
 
 
-int aes_siv_decrypt(const u8 *key, const u8 *iv_crypt, size_t iv_c_len,
+int aes_siv_decrypt(const u8 *key, size_t key_len,
+		    const u8 *iv_crypt, size_t iv_c_len,
 		    size_t num_elem, const u8 *addr[], const size_t *len,
 		    u8 *out)
 {
 	const u8 *_addr[6];
 	size_t _len[6];
-	const u8 *k1 = key, *k2 = key + 16;
+	const u8 *k1, *k2;
 	size_t crypt_len;
 	size_t i;
 	int ret;
 	u8 iv[AES_BLOCK_SIZE];
 	u8 check[AES_BLOCK_SIZE];
 
-	if (iv_c_len < AES_BLOCK_SIZE || num_elem > ARRAY_SIZE(_addr) - 1)
+	if (iv_c_len < AES_BLOCK_SIZE || num_elem > ARRAY_SIZE(_addr) - 1 ||
+	    (key_len != 32 && key_len != 48 && key_len != 64))
 		return -1;
 	crypt_len = iv_c_len - AES_BLOCK_SIZE;
+	key_len /= 2;
+	k1 = key;
+	k2 = key + key_len;
 
 	for (i = 0; i < num_elem; i++) {
 		_addr[i] = addr[i];
@@ -174,11 +195,11 @@ int aes_siv_decrypt(const u8 *key, const u8 *iv_crypt, size_t iv_c_len,
 	iv[8] &= 0x7f;
 	iv[12] &= 0x7f;
 
-	ret = aes_128_ctr_encrypt(k2, iv, out, crypt_len);
+	ret = aes_ctr_encrypt(k2, key_len, iv, out, crypt_len);
 	if (ret)
 		return ret;
 
-	ret = aes_s2v(k1, num_elem + 1, _addr, _len, check);
+	ret = aes_s2v(k1, key_len, num_elem + 1, _addr, _len, check);
 	if (ret)
 		return ret;
 	if (os_memcmp(check, iv_crypt, AES_BLOCK_SIZE) == 0)

src/crypto/aes_siv.h

@@ -9,10 +9,12 @@
 #ifndef AES_SIV_H
 #define AES_SIV_H
 
-int aes_siv_encrypt(const u8 *key, const u8 *pw,
-		    size_t pwlen, size_t num_elem,
-		    const u8 *addr[], const size_t *len, u8 *out);
-int aes_siv_decrypt(const u8 *key, const u8 *iv_crypt, size_t iv_c_len,
+int aes_siv_encrypt(const u8 *key, size_t key_len,
+		    const u8 *pw, size_t pwlen,
+		    size_t num_elem, const u8 *addr[], const size_t *len,
+		    u8 *out);
+int aes_siv_decrypt(const u8 *key, size_t key_len,
+		    const u8 *iv_crypt, size_t iv_c_len,
 		    size_t num_elem, const u8 *addr[], const size_t *len,
 		    u8 *out);
 

src/crypto/aes_wrap.h

@@ -3,7 +3,7 @@
  *
  * - AES Key Wrap Algorithm (RFC3394)
  * - One-Key CBC MAC (OMAC1) hash with AES-128 and AES-256
- * - AES-128 CTR mode encryption
+ * - AES-128/192/256 CTR mode encryption
  * - AES-128 EAX mode encryption/decryption
  * - AES-128 CBC
  * - AES-GCM
@@ -33,6 +33,8 @@ int __must_check omac1_aes_128(const u8 *key, const u8 *data, size_t data_len,
 int __must_check omac1_aes_256(const u8 *key, const u8 *data, size_t data_len,
 			       u8 *mac);
 int __must_check aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out);
+int __must_check aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
+				 u8 *data, size_t data_len);
 int __must_check aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
 				     u8 *data, size_t data_len);
 int __must_check aes_128_eax_encrypt(const u8 *key,

src/crypto/crypto_module_tests.c

@@ -92,7 +92,7 @@ static int test_siv(void)
 	addr[0] = ad;
 	len[0] = sizeof(ad);
 
-	if (aes_siv_encrypt(key, plaintext, sizeof(plaintext),
+	if (aes_siv_encrypt(key, sizeof(key), plaintext, sizeof(plaintext),
 			    1, addr, len, out)) {
 		wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
 		return 1;
@@ -103,7 +103,8 @@ static int test_siv(void)
 		return 1;
 	}
 
-	if (aes_siv_decrypt(key, iv_c, sizeof(iv_c), 1, addr, len, out)) {
+	if (aes_siv_decrypt(key, sizeof(key), iv_c, sizeof(iv_c),
+			    1, addr, len, out)) {
 		wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
 		return 1;
 	}
@@ -121,7 +122,8 @@ static int test_siv(void)
 	addr[2] = nonce_2;
 	len[2] = sizeof(nonce_2);
 
-	if (aes_siv_encrypt(key_2, plaintext_2, sizeof(plaintext_2),
+	if (aes_siv_encrypt(key_2, sizeof(key_2),
+			    plaintext_2, sizeof(plaintext_2),
 			    3, addr, len, out)) {
 		wpa_printf(MSG_ERROR, "AES-SIV mode encryption failed");
 		return 1;
@@ -132,7 +134,8 @@ static int test_siv(void)
 		return 1;
 	}
 
-	if (aes_siv_decrypt(key_2, iv_c_2, sizeof(iv_c_2), 3, addr, len, out)) {
+	if (aes_siv_decrypt(key_2, sizeof(key_2), iv_c_2, sizeof(iv_c_2),
+			    3, addr, len, out)) {
 		wpa_printf(MSG_ERROR, "AES-SIV mode decryption failed");
 		return 1;
 	}

wpa_supplicant/mesh_rsn.c

@@ -579,7 +579,7 @@ skip_keys:
 	/* encrypt after MIC */
 	mic_payload = wpabuf_put(buf, 2 + len + AES_BLOCK_SIZE);
 
-	if (aes_siv_encrypt(sta->aek, ampe_ie, 2 + len, 3,
+	if (aes_siv_encrypt(sta->aek, sizeof(sta->aek), ampe_ie, 2 + len, 3,
 			    aad, aad_len, mic_payload)) {
 		wpa_printf(MSG_ERROR, "protect frame: failed to encrypt");
 		ret = -ENOMEM;
@@ -650,7 +650,7 @@ int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
 
 	os_memcpy(crypt, elems->mic, crypt_len);
 
-	if (aes_siv_decrypt(sta->aek, crypt, crypt_len, 3,
+	if (aes_siv_decrypt(sta->aek, sizeof(sta->aek), crypt, crypt_len, 3,
 			    aad, aad_len, ampe_buf)) {
 		wpa_printf(MSG_ERROR, "Mesh RSN: frame verification failed!");
 		ret = -2;