1/**********************************************************************
2 *                          keywrap.c                                 *
3 *             Copyright (c) 2005-2006 Cryptocom LTD                  *
4 *         This file is distributed under the same license as OpenSSL *
5 *                                                                    *
6 * Implementation of CryptoPro key wrap algorithm, as defined in      *
7 *               RFC 4357 p 6.3 and 6.4                               *
8 *                  Doesn't need OpenSSL                              *
9 **********************************************************************/
10#include <string.h>
11#include "gost89.h"
12#include "gost_keywrap.h"
13
14/* Diversifies key using random UserKey Material
15 * Implements RFC 4357 p 6.5 key diversification algorithm
16 *
17 * inputKey - 32byte key to be diversified
18 * ukm - 8byte user key material
19 * outputKey - 32byte buffer to store diversified key
20 *
21 */
22void keyDiversifyCryptoPro(gost_ctx *ctx,const unsigned char *inputKey, const unsigned char *ukm, unsigned char *outputKey)
23	{
24
25	u4 k,s1,s2;
26	int i,j,mask;
27	unsigned char S[8];
28	memcpy(outputKey,inputKey,32);
29	for (i=0;i<8;i++)
30		{
31		/* Make array of integers from key */
32		/* Compute IV S*/
33		s1=0,s2=0;
34		for (j=0,mask=1;j<8;j++,mask<<=1)
35			{
36			k=((u4)outputKey[4*j])|(outputKey[4*j+1]<<8)|
37				(outputKey[4*j+2]<<16)|(outputKey[4*j+3]<<24);
38			if (mask & ukm[i])
39				{
40				s1+=k;
41				}
42			else
43				{
44				s2+=k;
45				}
46			}
47		S[0]=(unsigned char)(s1&0xff);
48		S[1]=(unsigned char)((s1>>8)&0xff);
49		S[2]=(unsigned char)((s1>>16)&0xff);
50		S[3]=(unsigned char)((s1>>24)&0xff);
51		S[4]=(unsigned char)(s2&0xff);
52		S[5]=(unsigned char)((s2>>8)&0xff);
53		S[6]=(unsigned char)((s2>>16)&0xff);
54		S[7]=(unsigned char)((s2>>24)&0xff);
55		gost_key(ctx,outputKey);
56		gost_enc_cfb(ctx,S,outputKey,outputKey,4);
57		}
58	}
59
60
61/*
62 * Wraps key using RFC 4357 6.3
63 * ctx - gost encryption context, initialized with some S-boxes
64 * keyExchangeKey (KEK) 32-byte (256-bit) shared key
65 * ukm - 8 byte (64 bit) user key material,
66 * sessionKey - 32-byte (256-bit) key to be wrapped
67 * wrappedKey - 44-byte buffer to store wrapped key
68 */
69
70int keyWrapCryptoPro(gost_ctx *ctx,const unsigned char *keyExchangeKey, const unsigned char *ukm,
71	const	unsigned char *sessionKey, unsigned char *wrappedKey)
72	{
73	unsigned char kek_ukm[32];
74	keyDiversifyCryptoPro(ctx,keyExchangeKey,ukm,kek_ukm);
75	gost_key(ctx,kek_ukm);
76	memcpy(wrappedKey,ukm,8);
77	gost_enc(ctx,sessionKey,wrappedKey+8,4);
78	gost_mac_iv(ctx,32,ukm,sessionKey,32,wrappedKey+40);
79	return 1;
80	}
81/*
82 * Unwraps key using RFC 4357 6.4
83 * ctx - gost encryption context, initialized with some S-boxes
84 * keyExchangeKey 32-byte shared key
85 * wrappedKey  44 byte key to be unwrapped (concatenation of 8-byte UKM,
86 * 32 byte  encrypted key and 4 byte MAC
87 *
88 * sessionKEy - 32byte buffer to store sessionKey in
89 * Returns 1 if key is decrypted successfully, and 0 if MAC doesn't match
90 */
91
92int keyUnwrapCryptoPro(gost_ctx *ctx,const unsigned char *keyExchangeKey,
93	const unsigned char *wrappedKey, unsigned char *sessionKey)
94	{
95	unsigned char kek_ukm[32],cek_mac[4];
96	keyDiversifyCryptoPro(ctx,keyExchangeKey,wrappedKey
97		/* First 8 bytes of wrapped Key is ukm */
98		,kek_ukm);
99	gost_key(ctx,kek_ukm);
100	gost_dec(ctx,wrappedKey+8,sessionKey,4);
101	gost_mac_iv(ctx,32,wrappedKey,sessionKey,32,cek_mac);
102	if (memcmp(cek_mac,wrappedKey+40,4))
103		{
104		return 0;
105		}
106	return 1;
107	}
108
109
110