From f7072600be1ed59bb904b850d1ae92f8e8b70401 Mon Sep 17 00:00:00 2001 From: Bob Copeland Date: Mon, 1 Sep 2014 00:23:28 -0400 Subject: [PATCH] Implement RFC 5297 AES-SIV Add an implementation of Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES). This mode of AES is used to protect peering frames when using the authenticated mesh peering exchange. Signed-off-by: Javier Lopez Signed-off-by: Jason Mobarak Signed-off-by: Bob Copeland --- src/crypto/Makefile | 1 + src/crypto/aes-siv.c | 187 ++++++++++++++++++++++++++++++++++++++ src/crypto/aes_siv.h | 19 ++++ wpa_supplicant/Android.mk | 3 + wpa_supplicant/Makefile | 3 + 5 files changed, 213 insertions(+) create mode 100644 src/crypto/aes-siv.c create mode 100644 src/crypto/aes_siv.h diff --git a/src/crypto/Makefile b/src/crypto/Makefile index 2a921098c..3e90350c1 100644 --- a/src/crypto/Makefile +++ b/src/crypto/Makefile @@ -26,6 +26,7 @@ LIB_OBJS= \ aes-internal-dec.o \ aes-internal-enc.o \ aes-omac1.o \ + aes-siv.o \ aes-unwrap.o \ aes-wrap.o \ des-internal.o \ diff --git a/src/crypto/aes-siv.c b/src/crypto/aes-siv.c new file mode 100644 index 000000000..bd619b45b --- /dev/null +++ b/src/crypto/aes-siv.c @@ -0,0 +1,187 @@ +/* + * AES SIV (RFC 5297) + * Copyright (c) 2013 Cozybit, Inc. + * + * This software may be distributed under the terms of the BSD license. + * See README for more details. + */ + +#include "includes.h" + +#include "common.h" +#include "aes.h" +#include "aes_wrap.h" + + +static const u8 zero[AES_BLOCK_SIZE]; + + +static void dbl(u8 *pad) +{ + int i, carry; + + carry = pad[0] & 0x80; + for (i = 0; i < AES_BLOCK_SIZE - 1; i++) + pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); + pad[AES_BLOCK_SIZE - 1] <<= 1; + if (carry) + pad[AES_BLOCK_SIZE - 1] ^= 0x87; +} + + +static void xor(u8 *a, const u8 *b) +{ + int i; + + for (i = 0; i < AES_BLOCK_SIZE; i++) + *a++ ^= *b++; +} + + +static void xorend(u8 *a, int alen, const u8 *b, int blen) +{ + int i; + + if (alen < blen) + return; + + for (i = 0; i < blen; i++) + a[alen - blen + i] ^= b[i]; +} + + +static void pad(u8 *pad, const u8 *addr, size_t len) +{ + os_memset(pad, 0, AES_BLOCK_SIZE); + os_memcpy(pad, addr, len); + + if (len < AES_BLOCK_SIZE) + pad[len] = 0x80; +} + + +int aes_s2v(const u8 *key, size_t num_elem, const u8 *addr[], + size_t *len, u8 *mac) +{ + u8 tmp[AES_BLOCK_SIZE], tmp2[AES_BLOCK_SIZE]; + u8 *buf = NULL; + int ret; + size_t i; + + if (!num_elem) { + os_memcpy(tmp, zero, sizeof(zero)); + tmp[AES_BLOCK_SIZE - 1] = 1; + return omac1_aes_128(key, tmp, sizeof(tmp), mac); + } + + ret = omac1_aes_128(key, zero, sizeof(zero), tmp); + if (ret) + return ret; + + for (i = 0; i < num_elem - 1; i++) { + ret = omac1_aes_128(key, addr[i], len[i], tmp2); + if (ret) + return ret; + + dbl(tmp); + xor(tmp, tmp2); + } + if (len[i] >= AES_BLOCK_SIZE) { + buf = os_malloc(len[i]); + if (!buf) + return -ENOMEM; + + os_memcpy(buf, addr[i], len[i]); + xorend(buf, len[i], tmp, AES_BLOCK_SIZE); + ret = omac1_aes_128(key, buf, len[i], mac); + os_free(buf); + return ret; + } + + dbl(tmp); + pad(tmp2, addr[i], len[i]); + xor(tmp, tmp2); + + return omac1_aes_128(key, tmp, sizeof(tmp), mac); +} + + +int aes_siv_encrypt(const u8 *key, const u8 *pw, + size_t pwlen, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *out) +{ + const u8 *_addr[6]; + size_t _len[6]; + const u8 *k1 = key, *k2 = key + 16; + u8 v[AES_BLOCK_SIZE]; + size_t i; + u8 *iv, *crypt_pw; + + if (num_elem > ARRAY_SIZE(_addr) - 1) + return -1; + + for (i = 0; i < num_elem; i++) { + _addr[i] = addr[i]; + _len[i] = len[i]; + } + _addr[num_elem] = pw; + _len[num_elem] = pwlen; + + if (aes_s2v(k1, num_elem + 1, _addr, _len, v)) + return -1; + + iv = out; + crypt_pw = out + AES_BLOCK_SIZE; + + os_memcpy(iv, v, AES_BLOCK_SIZE); + os_memcpy(crypt_pw, pw, pwlen); + + /* zero out 63rd and 31st bits of ctr (from right) */ + v[8] &= 0x7f; + v[12] &= 0x7f; + return aes_128_ctr_encrypt(k2, v, crypt_pw, pwlen); +} + + +int aes_siv_decrypt(const u8 *key, const u8 *iv_crypt, size_t iv_c_len, + size_t num_elem, const u8 *addr[], const size_t *len, + u8 *out) +{ + const u8 *_addr[6]; + size_t _len[6]; + const u8 *k1 = key, *k2 = key + 16; + size_t crypt_len; + size_t i; + int ret; + u8 iv[AES_BLOCK_SIZE]; + u8 check[AES_BLOCK_SIZE]; + + if (iv_c_len < AES_BLOCK_SIZE || num_elem > ARRAY_SIZE(_addr) - 1) + return -1; + crypt_len = iv_c_len - AES_BLOCK_SIZE; + + for (i = 0; i < num_elem; i++) { + _addr[i] = addr[i]; + _len[i] = len[i]; + } + _addr[num_elem] = out; + _len[num_elem] = crypt_len; + + os_memcpy(iv, iv_crypt, AES_BLOCK_SIZE); + os_memcpy(out, iv_crypt + AES_BLOCK_SIZE, crypt_len); + + iv[8] &= 0x7f; + iv[12] &= 0x7f; + + ret = aes_128_ctr_encrypt(k2, iv, out, crypt_len); + if (ret) + return ret; + + ret = aes_s2v(k1, num_elem + 1, _addr, _len, check); + if (ret) + return ret; + if (os_memcmp(check, iv_crypt, AES_BLOCK_SIZE) == 0) + return 0; + + return -1; +} diff --git a/src/crypto/aes_siv.h b/src/crypto/aes_siv.h new file mode 100644 index 000000000..463cf6536 --- /dev/null +++ b/src/crypto/aes_siv.h @@ -0,0 +1,19 @@ +/* + * AES SIV (RFC 5297) + * Copyright (c) 2013 Cozybit, Inc. + * + * This software may be distributed under the terms of the BSD license. + * See README for more details. + */ + +#ifndef AES_SIV_H +#define AES_SIV_H + +int aes_siv_encrypt(const u8 *key, const u8 *pw, + size_t pwlen, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *out); +int aes_siv_decrypt(const u8 *key, const u8 *iv_crypt, size_t iv_c_len, + size_t num_elem, const u8 *addr[], const size_t *len, + u8 *out); + +#endif /* AES_SIV_H */ diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index 3e028f938..d78ba78eb 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -1143,6 +1143,9 @@ ifdef CONFIG_INTERNAL_AES AESOBJS += src/crypto/aes-internal-enc.c endif endif +ifdef NEED_AES_SIV +AESOBJS += src/crypto/aes-siv.c +endif ifdef NEED_AES OBJS += $(AESOBJS) endif diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 7851fa348..7a6824697 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -1145,6 +1145,9 @@ else AESOBJS += ../src/crypto/aes-omac1.o endif endif +ifdef NEED_AES_SIV +AESOBJS += ../src/crypto/aes-siv.o +endif ifdef NEED_AES_WRAP NEED_AES_ENC=y AESOBJS += ../src/crypto/aes-wrap.o