1 /* $OpenBSD: aes_wrap.c,v 1.9 2014/07/11 08:44:47 jsing Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 */ 53 54 #include <string.h> 55 56 #include <openssl/aes.h> 57 #include <openssl/bio.h> 58 59 static const unsigned char default_iv[] = { 60 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 61 }; 62 63 int 64 AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, 65 const unsigned char *in, unsigned int inlen) 66 { 67 unsigned char *A, B[16], *R; 68 unsigned int i, j, t; 69 if ((inlen & 0x7) || (inlen < 8)) 70 return -1; 71 A = B; 72 t = 1; 73 memcpy(out + 8, in, inlen); 74 if (!iv) 75 iv = default_iv; 76 77 memcpy(A, iv, 8); 78 79 for (j = 0; j < 6; j++) { 80 R = out + 8; 81 for (i = 0; i < inlen; i += 8, t++, R += 8) { 82 memcpy(B + 8, R, 8); 83 AES_encrypt(B, B, key); 84 A[7] ^= (unsigned char)(t & 0xff); 85 if (t > 0xff) { 86 A[6] ^= (unsigned char)((t >> 8) & 0xff); 87 A[5] ^= (unsigned char)((t >> 16) & 0xff); 88 A[4] ^= (unsigned char)((t >> 24) & 0xff); 89 } 90 memcpy(R, B + 8, 8); 91 } 92 } 93 memcpy(out, A, 8); 94 return inlen + 8; 95 } 96 97 int 98 AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, 99 const unsigned char *in, unsigned int inlen) 100 { 101 unsigned char *A, B[16], *R; 102 unsigned int i, j, t; 103 inlen -= 8; 104 if (inlen & 0x7) 105 return -1; 106 if (inlen < 8) 107 return -1; 108 A = B; 109 t = 6 * (inlen >> 3); 110 memcpy(A, in, 8); 111 memcpy(out, in + 8, inlen); 112 for (j = 0; j < 6; j++) { 113 R = out + inlen - 8; 114 for (i = 0; i < inlen; i += 8, t--, R -= 8) { 115 A[7] ^= (unsigned char)(t & 0xff); 116 if (t > 0xff) { 117 A[6] ^= (unsigned char)((t >> 8) & 0xff); 118 A[5] ^= (unsigned char)((t >> 16) & 0xff); 119 A[4] ^= (unsigned char)((t >> 24) & 0xff); 120 } 121 memcpy(B + 8, R, 8); 122 AES_decrypt(B, B, key); 123 memcpy(R, B + 8, 8); 124 } 125 } 126 if (!iv) 127 iv = default_iv; 128 if (memcmp(A, iv, 8)) { 129 explicit_bzero(out, inlen); 130 return 0; 131 } 132 return inlen; 133 } 134