1/********************************************************************** 2 * keywrap.c * 3 * Copyright (c) 2005-2006 Cryptocom LTD * 4 * This file is distributed under the same license as OpenSSL * 5 * * 6 * Implementation of CryptoPro key wrap algorithm, as defined in * 7 * RFC 4357 p 6.3 and 6.4 * 8 * Doesn't need OpenSSL * 9 **********************************************************************/ 10#include <string.h> 11#include "gost89.h" 12#include "gost_keywrap.h" 13 14/*- 15 * Diversifies key using random UserKey Material 16 * Implements RFC 4357 p 6.5 key diversification algorithm 17 * 18 * inputKey - 32byte key to be diversified 19 * ukm - 8byte user key material 20 * outputKey - 32byte buffer to store diversified key 21 * 22 */ 23void keyDiversifyCryptoPro(gost_ctx * ctx, const unsigned char *inputKey, 24 const unsigned char *ukm, unsigned char *outputKey) 25{ 26 27 u4 k, s1, s2; 28 int i, j, mask; 29 unsigned char S[8]; 30 memcpy(outputKey, inputKey, 32); 31 for (i = 0; i < 8; i++) { 32 /* Make array of integers from key */ 33 /* Compute IV S */ 34 s1 = 0, s2 = 0; 35 for (j = 0, mask = 1; j < 8; j++, mask <<= 1) { 36 k = ((u4) outputKey[4 * j]) | (outputKey[4 * j + 1] << 8) | 37 (outputKey[4 * j + 2] << 16) | (outputKey[4 * j + 3] << 24); 38 if (mask & ukm[i]) { 39 s1 += k; 40 } else { 41 s2 += k; 42 } 43 } 44 S[0] = (unsigned char)(s1 & 0xff); 45 S[1] = (unsigned char)((s1 >> 8) & 0xff); 46 S[2] = (unsigned char)((s1 >> 16) & 0xff); 47 S[3] = (unsigned char)((s1 >> 24) & 0xff); 48 S[4] = (unsigned char)(s2 & 0xff); 49 S[5] = (unsigned char)((s2 >> 8) & 0xff); 50 S[6] = (unsigned char)((s2 >> 16) & 0xff); 51 S[7] = (unsigned char)((s2 >> 24) & 0xff); 52 gost_key(ctx, outputKey); 53 gost_enc_cfb(ctx, S, outputKey, outputKey, 4); 54 } 55} 56 57/*- 58 * Wraps key using RFC 4357 6.3 59 * ctx - gost encryption context, initialized with some S-boxes 60 * keyExchangeKey (KEK) 32-byte (256-bit) shared key 61 * ukm - 8 byte (64 bit) user key material, 62 * sessionKey - 32-byte (256-bit) key to be wrapped 63 * wrappedKey - 44-byte buffer to store wrapped key 64 */ 65 66int keyWrapCryptoPro(gost_ctx * ctx, const unsigned char *keyExchangeKey, 67 const unsigned char *ukm, 68 const unsigned char *sessionKey, 69 unsigned char *wrappedKey) 70{ 71 unsigned char kek_ukm[32]; 72 keyDiversifyCryptoPro(ctx, keyExchangeKey, ukm, kek_ukm); 73 gost_key(ctx, kek_ukm); 74 memcpy(wrappedKey, ukm, 8); 75 gost_enc(ctx, sessionKey, wrappedKey + 8, 4); 76 gost_mac_iv(ctx, 32, ukm, sessionKey, 32, wrappedKey + 40); 77 return 1; 78} 79 80/*- 81 * Unwraps key using RFC 4357 6.4 82 * ctx - gost encryption context, initialized with some S-boxes 83 * keyExchangeKey 32-byte shared key 84 * wrappedKey 44 byte key to be unwrapped (concatenation of 8-byte UKM, 85 * 32 byte encrypted key and 4 byte MAC 86 * 87 * sessionKEy - 32byte buffer to store sessionKey in 88 * Returns 1 if key is decrypted successfully, and 0 if MAC doesn't match 89 */ 90 91int keyUnwrapCryptoPro(gost_ctx * ctx, const unsigned char *keyExchangeKey, 92 const unsigned char *wrappedKey, 93 unsigned char *sessionKey) 94{ 95 unsigned char kek_ukm[32], cek_mac[4]; 96 keyDiversifyCryptoPro(ctx, keyExchangeKey, wrappedKey 97 /* First 8 bytes of wrapped Key is ukm */ 98 , kek_ukm); 99 gost_key(ctx, kek_ukm); 100 gost_dec(ctx, wrappedKey + 8, sessionKey, 4); 101 gost_mac_iv(ctx, 32, wrappedKey, sessionKey, 32, cek_mac); 102 if (memcmp(cek_mac, wrappedKey + 40, 4)) { 103 return 0; 104 } 105 return 1; 106} 107