1 /* $OpenBSD: aes_wrap.c,v 1.12 2018/11/07 18:31:16 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2008 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 */ 53 54 #include <string.h> 55 56 #include <openssl/aes.h> 57 #include <openssl/bio.h> 58 59 static const unsigned char default_iv[] = { 60 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 61 }; 62 63 int 64 AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, 65 const unsigned char *in, unsigned int inlen) 66 { 67 unsigned char *A, B[16], *R; 68 unsigned int i, j, t; 69 70 if ((inlen & 0x7) || (inlen < 16)) 71 return -1; 72 A = B; 73 t = 1; 74 memmove(out + 8, in, inlen); 75 if (!iv) 76 iv = default_iv; 77 78 memcpy(A, iv, 8); 79 80 for (j = 0; j < 6; j++) { 81 R = out + 8; 82 for (i = 0; i < inlen; i += 8, t++, R += 8) { 83 memcpy(B + 8, R, 8); 84 AES_encrypt(B, B, key); 85 A[7] ^= (unsigned char)(t & 0xff); 86 if (t > 0xff) { 87 A[6] ^= (unsigned char)((t >> 8) & 0xff); 88 A[5] ^= (unsigned char)((t >> 16) & 0xff); 89 A[4] ^= (unsigned char)((t >> 24) & 0xff); 90 } 91 memcpy(R, B + 8, 8); 92 } 93 } 94 memcpy(out, A, 8); 95 return inlen + 8; 96 } 97 98 int 99 AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, 100 const unsigned char *in, unsigned int inlen) 101 { 102 unsigned char *A, B[16], *R; 103 unsigned int i, j, t; 104 105 if ((inlen & 0x7) || (inlen < 24)) 106 return -1; 107 inlen -= 8; 108 A = B; 109 t = 6 * (inlen >> 3); 110 memcpy(A, in, 8); 111 memmove(out, in + 8, inlen); 112 for (j = 0; j < 6; j++) { 113 R = out + inlen - 8; 114 for (i = 0; i < inlen; i += 8, t--, R -= 8) { 115 A[7] ^= (unsigned char)(t & 0xff); 116 if (t > 0xff) { 117 A[6] ^= (unsigned char)((t >> 8) & 0xff); 118 A[5] ^= (unsigned char)((t >> 16) & 0xff); 119 A[4] ^= (unsigned char)((t >> 24) & 0xff); 120 } 121 memcpy(B + 8, R, 8); 122 AES_decrypt(B, B, key); 123 memcpy(R, B + 8, 8); 124 } 125 } 126 if (!iv) 127 iv = default_iv; 128 if (memcmp(A, iv, 8)) { 129 explicit_bzero(out, inlen); 130 return 0; 131 } 132 return inlen; 133 } 134