18dbcf02cSchristos /*
2*3c260e60Schristos * AES key unwrap (RFC3394)
38dbcf02cSchristos *
48dbcf02cSchristos * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
58dbcf02cSchristos *
6e604d861Schristos * This software may be distributed under the terms of the BSD license.
7e604d861Schristos * See README for more details.
88dbcf02cSchristos */
98dbcf02cSchristos
108dbcf02cSchristos #include "includes.h"
118dbcf02cSchristos
128dbcf02cSchristos #include "common.h"
138dbcf02cSchristos #include "aes.h"
148dbcf02cSchristos #include "aes_wrap.h"
158dbcf02cSchristos
168dbcf02cSchristos /**
17*3c260e60Schristos * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (RFC3394)
188dbcf02cSchristos * @kek: Key encryption key (KEK)
19*3c260e60Schristos * @kek_len: Length of KEK in octets
208dbcf02cSchristos * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
218dbcf02cSchristos * bytes
228dbcf02cSchristos * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
238dbcf02cSchristos * @plain: Plaintext key, n * 64 bits
248dbcf02cSchristos * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
258dbcf02cSchristos */
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)26*3c260e60Schristos int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
27*3c260e60Schristos u8 *plain)
288dbcf02cSchristos {
29*3c260e60Schristos u8 a[8], *r, b[AES_BLOCK_SIZE];
308dbcf02cSchristos int i, j;
318dbcf02cSchristos void *ctx;
32*3c260e60Schristos unsigned int t;
338dbcf02cSchristos
348dbcf02cSchristos /* 1) Initialize variables. */
358dbcf02cSchristos os_memcpy(a, cipher, 8);
368dbcf02cSchristos r = plain;
378dbcf02cSchristos os_memcpy(r, cipher + 8, 8 * n);
388dbcf02cSchristos
39*3c260e60Schristos ctx = aes_decrypt_init(kek, kek_len);
408dbcf02cSchristos if (ctx == NULL)
418dbcf02cSchristos return -1;
428dbcf02cSchristos
438dbcf02cSchristos /* 2) Compute intermediate values.
448dbcf02cSchristos * For j = 5 to 0
458dbcf02cSchristos * For i = n to 1
468dbcf02cSchristos * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
478dbcf02cSchristos * A = MSB(64, B)
488dbcf02cSchristos * R[i] = LSB(64, B)
498dbcf02cSchristos */
508dbcf02cSchristos for (j = 5; j >= 0; j--) {
518dbcf02cSchristos r = plain + (n - 1) * 8;
528dbcf02cSchristos for (i = n; i >= 1; i--) {
538dbcf02cSchristos os_memcpy(b, a, 8);
54*3c260e60Schristos t = n * j + i;
55*3c260e60Schristos b[7] ^= t;
56*3c260e60Schristos b[6] ^= t >> 8;
57*3c260e60Schristos b[5] ^= t >> 16;
58*3c260e60Schristos b[4] ^= t >> 24;
598dbcf02cSchristos
608dbcf02cSchristos os_memcpy(b + 8, r, 8);
618dbcf02cSchristos aes_decrypt(ctx, b, b);
628dbcf02cSchristos os_memcpy(a, b, 8);
638dbcf02cSchristos os_memcpy(r, b + 8, 8);
648dbcf02cSchristos r -= 8;
658dbcf02cSchristos }
668dbcf02cSchristos }
678dbcf02cSchristos aes_decrypt_deinit(ctx);
688dbcf02cSchristos
698dbcf02cSchristos /* 3) Output results.
708dbcf02cSchristos *
718dbcf02cSchristos * These are already in @plain due to the location of temporary
728dbcf02cSchristos * variables. Just verify that the IV matches with the expected value.
738dbcf02cSchristos */
748dbcf02cSchristos for (i = 0; i < 8; i++) {
758dbcf02cSchristos if (a[i] != 0xa6)
768dbcf02cSchristos return -1;
778dbcf02cSchristos }
788dbcf02cSchristos
798dbcf02cSchristos return 0;
808dbcf02cSchristos }
81