5 * AES-XCBC-MAC-96 message authentication, per rfc3566.
/*
 * The three constant input blocks of RFC 3566: sixteen bytes each of 0x01,
 * 0x02 and 0x03.  setupAESXCBCstate encrypts basekey[i] under s->ekey and
 * stores the result at s->mackey + AESbsize*i, which yields the subkeys
 * K1, K2 and K3.  These are public constants, not secret material.
 * NOTE(review): this listing omits the inner braces and the closing of the
 * initializer (the embedded line numbers skip them).
 */
7 static uchar basekey[3][16] = {
9 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
10 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
13 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
14 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
17 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
18 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
/*
 * Derive the AES-XCBC-MAC subkeys for a 128-bit key and store them in
 * s->mackey.  Each basekey[i] is encrypted under s->ekey into
 * s->mackey + AESbsize*i; the first 16 bytes of s->mackey are then replaced
 * by a word-repacked copy built in q.
 * s: AES state.  s->keybytes must be 16 (asserted).  s->ekey and s->rounds
 *    are read here, so presumably the normal AES key setup has already run
 *    on s; verify against the callers.
 * NOTE(review): the return type, the braces and some declarations and
 * statements are missing from this listing (the embedded line numbers skip
 * them), so the notes below cover only the lines shown.
 */
23 setupAESXCBCstate(AESstate *s) /* was setupmac96 */
/* scratch words for the repacked subkey; this is key-derived data on the stack */
26 uint q[16 / sizeof(uint)];
/*
 * This assert is the only key-length check visible in the function.
 * NOTE(review): confirm it cannot be compiled out in a build that accepts
 * other key sizes.
 */
29 assert(s->keybytes == 16);
/* one encryption per RFC 3566 constant; outputs are laid out back to back */
30 for(i = 0; i < 3; i++)
31 aes_encrypt(s->ekey, s->rounds, basekey[i],
32 s->mackey + AESbsize*i);
/* q must start at zero because the loop below ORs bytes into it */
35 memset(q, 0, AESbsize);
38 * put the in the right endian. once figured, probably better
39 * to use some fcall macros.
40 * keys for encryption in local endianness for the algorithm...
41 * only key1 is used for encryption;
42 * BUG!!: I think this is what I got wrong.
/*
 * Pack each group of sizeof(uint) bytes at p into one word of q, with the
 * first byte of the group in the most significant position.
 * NOTE(review): the declaration, initial value and advance of p are not
 * visible in this listing.
 * NOTE(review): if p is a uchar pointer, p[...] is promoted to int before
 * the shift; with 8*j == 24 a byte of 0x80 or more is shifted into the sign
 * bit, which ISO C leaves undefined.  Casting the operand to uint before
 * shifting would avoid that.
 */
44 for(i = 0; i < 16 / sizeof(uint); i ++){
45 for(j = 0; j < sizeof(uint); j++)
46 q[i] |= p[sizeof(uint)-j-1] << 8*j;
/*
 * Overwrite the first 16 bytes of s->mackey (the K1 slot) with the repacked
 * words.  The author's own comment above marks this conversion as suspect.
 * NOTE(review): q is not cleared afterwards in the lines shown, so a copy of
 * the subkey stays on the stack after the function returns.
 */
49 memmove(s->mackey, q, 16);
53 * Does not handle keys longer than 128 bits, nor corner cases such as an
54 * empty message. Should be fine for AES-XCBC-MAC-96.
/*
 * Compute the AES-XCBC-MAC of the len bytes at p with the subkeys held in
 * s->mackey, leaving the result in s->ivec.
 * p:   message bytes.
 * len: message length in bytes.  NOTE(review): no lower bound on len is
 *      checked in the lines shown; the code after the loop expects a final
 *      block of 1 to AESbsize bytes, so callers should pass len >= 1.
 * s:   AES state; s->keybytes must be 16 (asserted).  Presumably prepared by
 *      setupAESXCBCstate; verify against the callers.
 * Returns s->ivec.  Per the comment on the return, only the leftmost 12
 * bytes form the 96-bit tag.  The pointer aliases the state, and s->ivec is
 * zeroed on entry here, so a later call on the same state overwrites the
 * tag.  A caller verifying a received tag should compare those 12 bytes in
 * constant time.
 * NOTE(review): the return type, the braces and several statements are
 * missing from this listing (the embedded line numbers skip them), so the
 * notes below cover only the lines shown.
 */
57 aesXCBCmac(uchar *p, int len, AESstate *s)
59 uchar *p2, *ip, *eip, *mackey;
62 assert(s->keybytes == 16); /* more complicated for bigger */
63 memset(s->ivec, 0, AESbsize); /* E[0] is 0+ */
/*
 * All blocks except the last.  The condition is len > AESbsize, so a
 * message that is an exact multiple of the block size still leaves one full
 * block for the code after the loop.
 */
65 for(; len > AESbsize; len -= AESbsize){
/* work on a copy in q so the caller's buffer is not modified */
66 memmove(q, p, AESbsize);
/*
 * Walks AESbsize bytes starting at ip.  The loop body and the assignments
 * of ip and p2 are not visible here; presumably the previous ciphertext in
 * s->ivec is XORed into q.  Verify.
 */
69 for(eip = ip + AESbsize; ip < eip; )
/*
 * Encrypt q into s->ivec.
 * NOTE(review): the first argument is s->mackey, where setupAESXCBCstate
 * passes s->ekey.  If aes_encrypt expects an expanded key schedule, confirm
 * that the repacked K1 words are what it should receive; the setup routine's
 * own comment flags doubt about this path.
 */
71 aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec);
/*
 * Subkey for the final block: second slot of s->mackey (k2) or third (k3).
 * The condition that selects between them is not visible in this listing;
 * RFC 3566 uses K2 for a full final block and K3 for a padded one.
 */
79 mackey = s->mackey + AESbsize; /* k2 */
81 mackey = s->mackey+2*AESbsize; /* k3 */
/* padding starts with a single 1 bit, i.e. the byte 0x80 */
82 *p2++ = 1 << 7; /* padding */
/*
 * len becomes the number of bytes left in the block after the 0x80 byte;
 * presumably a statement not shown fills them with zero.
 */
83 len = AESbsize - len - 1;
/*
 * XOR the bytes at ip and the chosen subkey into the final block.
 * Presumably ip points at s->ivec and p2 at q; their assignments are not
 * visible here.
 */
89 for(eip = ip + AESbsize; ip < eip; )
90 *p2++ ^= *ip++ ^ *mackey++;
/* the same s->mackey-as-key caveat applies here as to the call in the loop */
91 aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec);
92 return s->ivec; /* only the 12 bytes leftmost */