Home | History | Annotate | Download | only in crypto
      1 /*
      2  * AES key unwrap (128-bit KEK, RFC3394)
      3  *
      4  * Copyright (c) 2003-2007, Jouni Malinen <j (at) w1.fi>
      5  *
      6  * This program is free software; you can redistribute it and/or modify
      7  * it under the terms of the GNU General Public License version 2 as
      8  * published by the Free Software Foundation.
      9  *
     10  * Alternatively, this software may be distributed under the terms of BSD
     11  * license.
     12  *
     13  * See README and COPYING for more details.
     14  */
     15 
     16 #include "includes.h"
     17 
     18 #include "common.h"
     19 #include "aes.h"
     20 #include "aes_wrap.h"
     21 
     22 /**
     23  * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
     24  * @kek: Key encryption key (KEK)
     25  * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
     26  * bytes
     27  * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
     28  * @plain: Plaintext key, n * 64 bits
     29  * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
     30  */
     31 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
     32 {
     33 	u8 a[8], *r, b[16];
     34 	int i, j;
     35 	void *ctx;
     36 
     37 	/* 1) Initialize variables. */
     38 	os_memcpy(a, cipher, 8);
     39 	r = plain;
     40 	os_memcpy(r, cipher + 8, 8 * n);
     41 
     42 	ctx = aes_decrypt_init(kek, 16);
     43 	if (ctx == NULL)
     44 		return -1;
     45 
     46 	/* 2) Compute intermediate values.
     47 	 * For j = 5 to 0
     48 	 *     For i = n to 1
     49 	 *         B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
     50 	 *         A = MSB(64, B)
     51 	 *         R[i] = LSB(64, B)
     52 	 */
     53 	for (j = 5; j >= 0; j--) {
     54 		r = plain + (n - 1) * 8;
     55 		for (i = n; i >= 1; i--) {
     56 			os_memcpy(b, a, 8);
     57 			b[7] ^= n * j + i;
     58 
     59 			os_memcpy(b + 8, r, 8);
     60 			aes_decrypt(ctx, b, b);
     61 			os_memcpy(a, b, 8);
     62 			os_memcpy(r, b + 8, 8);
     63 			r -= 8;
     64 		}
     65 	}
     66 	aes_decrypt_deinit(ctx);
     67 
     68 	/* 3) Output results.
     69 	 *
     70 	 * These are already in @plain due to the location of temporary
     71 	 * variables. Just verify that the IV matches with the expected value.
     72 	 */
     73 	for (i = 0; i < 8; i++) {
     74 		if (a[i] != 0xa6)
     75 			return -1;
     76 	}
     77 
     78 	return 0;
     79 }
     80