Line data Source code
1 : /*
2 : * AES key unwrap (128-bit KEK, RFC3394)
3 : *
4 : * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5 : *
6 : * This software may be distributed under the terms of the BSD license.
7 : * See README for more details.
8 : */
9 :
10 : #include "includes.h"
11 :
12 : #include "common.h"
13 : #include "aes.h"
14 : #include "aes_wrap.h"
15 :
16 : /**
17 : * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
18 : * @kek: Key encryption key (KEK)
19 : * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
20 : * bytes
21 : * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
22 : * @plain: Plaintext key, n * 64 bits
23 : * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
24 : */
25 663 : int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
26 : {
27 : u8 a[8], *r, b[16];
28 : int i, j;
29 : void *ctx;
30 :
31 : /* 1) Initialize variables. */
32 663 : os_memcpy(a, cipher, 8);
33 663 : r = plain;
34 663 : os_memcpy(r, cipher + 8, 8 * n);
35 :
36 663 : ctx = aes_decrypt_init(kek, 16);
37 663 : if (ctx == NULL)
38 0 : return -1;
39 :
40 : /* 2) Compute intermediate values.
41 : * For j = 5 to 0
42 : * For i = n to 1
43 : * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
44 : * A = MSB(64, B)
45 : * R[i] = LSB(64, B)
46 : */
47 4641 : for (j = 5; j >= 0; j--) {
48 3978 : r = plain + (n - 1) * 8;
49 32322 : for (i = n; i >= 1; i--) {
50 28344 : os_memcpy(b, a, 8);
51 28344 : b[7] ^= n * j + i;
52 :
53 28344 : os_memcpy(b + 8, r, 8);
54 28344 : aes_decrypt(ctx, b, b);
55 28344 : os_memcpy(a, b, 8);
56 28344 : os_memcpy(r, b + 8, 8);
57 28344 : r -= 8;
58 : }
59 : }
60 663 : aes_decrypt_deinit(ctx);
61 :
62 : /* 3) Output results.
63 : *
64 : * These are already in @plain due to the location of temporary
65 : * variables. Just verify that the IV matches with the expected value.
66 : */
67 5943 : for (i = 0; i < 8; i++) {
68 5283 : if (a[i] != 0xa6)
69 3 : return -1;
70 : }
71 :
72 660 : return 0;
73 : }
|