Line data Source code
1 : /* $OpenBSD: key_wrap.c,v 1.5 2017/05/02 17:07:06 mikeb Exp $ */
2 :
3 : /*-
4 : * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
5 : *
6 : * Permission to use, copy, modify, and distribute this software for any
7 : * purpose with or without fee is hereby granted, provided that the above
8 : * copyright notice and this permission notice appear in all copies.
9 : *
10 : * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 : * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 : * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 : * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 : * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 : * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 : * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 : */
18 :
19 : /*
20 : * This code implements the AES Key Wrap algorithm described in RFC 3394.
21 : */
22 :
23 : #include <sys/param.h>
24 : #include <sys/systm.h>
25 :
26 : #include <crypto/aes.h>
27 : #include <crypto/key_wrap.h>
28 :
29 : static const u_int8_t IV[8] =
30 : { 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 };
31 :
32 : void
33 0 : aes_key_wrap_set_key(aes_key_wrap_ctx *ctx, const u_int8_t *K, size_t K_len)
34 : {
35 0 : AES_Setkey(&ctx->ctx, K, K_len);
36 0 : }
37 :
38 : void
39 0 : aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *ctx, const u_int8_t *K,
40 : size_t K_len)
41 : {
42 0 : AES_Setkey(&ctx->ctx, K, K_len);
43 0 : }
44 :
45 : void
46 0 : aes_key_wrap(aes_key_wrap_ctx *ctx, const u_int8_t *P, size_t n, u_int8_t *C)
47 : {
48 0 : u_int64_t B[2], t;
49 : u_int8_t *A, *R;
50 : size_t i;
51 : int j;
52 :
53 0 : memmove(C + 8, P, n * 8); /* P and C may overlap */
54 : A = C; /* A points to C[0] */
55 0 : memcpy(A, IV, 8); /* A = IV, an initial value */
56 :
57 0 : for (j = 0, t = 1; j <= 5; j++) {
58 : R = C + 8;
59 0 : for (i = 1; i <= n; i++, t++) {
60 : /* B = A | R[i] */
61 0 : memcpy(&B[0], A, 8);
62 0 : memcpy(&B[1], R, 8);
63 : /* B = AES(K, B) */
64 0 : AES_Encrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B);
65 : /* MSB(64, B) = MSB(64, B) ^ t */
66 0 : B[0] ^= htobe64(t);
67 : /* A = MSB(64, B) */
68 0 : memcpy(A, &B[0], 8);
69 : /* R[i] = LSB(64, B) */
70 0 : memcpy(R, &B[1], 8);
71 :
72 0 : R += 8;
73 : }
74 : }
75 0 : explicit_bzero(B, sizeof B);
76 0 : }
77 :
78 : int
79 0 : aes_key_unwrap(aes_key_wrap_ctx *ctx, const u_int8_t *C, u_int8_t *P, size_t n)
80 : {
81 0 : u_int64_t B[2], t;
82 0 : u_int8_t A[8], *R;
83 : size_t i;
84 : int j;
85 :
86 0 : memcpy(A, C, 8); /* A = C[0] */
87 0 : memmove(P, C + 8, n * 8); /* P and C may overlap */
88 :
89 0 : for (j = 5, t = 6 * n; j >= 0; j--) {
90 0 : R = P + (n - 1) * 8;
91 0 : for (i = n; i >= 1; i--, t--) {
92 : /* MSB(64, B) = A */
93 0 : memcpy(&B[0], A, 8);
94 : /* MSB(64, B) = MSB(64, B) ^ t */
95 0 : B[0] ^= htobe64(t);
96 : /* B = MSB(64, B) | R[i] */
97 0 : memcpy(&B[1], R, 8);
98 : /* B = AES-1(K, B) */
99 0 : AES_Decrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B);
100 : /* A = MSB(64, B) */
101 0 : memcpy(A, &B[0], 8);
102 : /* R[i] = LSB(64, B) */
103 0 : memcpy(R, &B[1], 8);
104 :
105 0 : R -= 8;
106 : }
107 : }
108 0 : explicit_bzero(B, sizeof B);
109 :
110 : /* check that A is an appropriate initial value */
111 0 : return timingsafe_bcmp(A, IV, 8) != 0;
112 0 : }
|
