1214501Srpaulo/* 2214501Srpaulo * AES key unwrap (128-bit KEK, RFC3394) 3214501Srpaulo * 4214501Srpaulo * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 5214501Srpaulo * 6214501Srpaulo * This program is free software; you can redistribute it and/or modify 7214501Srpaulo * it under the terms of the GNU General Public License version 2 as 8214501Srpaulo * published by the Free Software Foundation. 9214501Srpaulo * 10214501Srpaulo * Alternatively, this software may be distributed under the terms of BSD 11214501Srpaulo * license. 12214501Srpaulo * 13214501Srpaulo * See README and COPYING for more details. 14214501Srpaulo */ 15214501Srpaulo 16214501Srpaulo#include "includes.h" 17214501Srpaulo 18214501Srpaulo#include "common.h" 19214501Srpaulo#include "aes.h" 20214501Srpaulo#include "aes_wrap.h" 21214501Srpaulo 22214501Srpaulo/** 23214501Srpaulo * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 24214501Srpaulo * @kek: Key encryption key (KEK) 25214501Srpaulo * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 26214501Srpaulo * bytes 27214501Srpaulo * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits 28214501Srpaulo * @plain: Plaintext key, n * 64 bits 29214501Srpaulo * Returns: 0 on success, -1 on failure (e.g., integrity verification failed) 30214501Srpaulo */ 31214501Srpauloint aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) 32214501Srpaulo{ 33214501Srpaulo u8 a[8], *r, b[16]; 34214501Srpaulo int i, j; 35214501Srpaulo void *ctx; 36214501Srpaulo 37214501Srpaulo /* 1) Initialize variables. */ 38214501Srpaulo os_memcpy(a, cipher, 8); 39214501Srpaulo r = plain; 40214501Srpaulo os_memcpy(r, cipher + 8, 8 * n); 41214501Srpaulo 42214501Srpaulo ctx = aes_decrypt_init(kek, 16); 43214501Srpaulo if (ctx == NULL) 44214501Srpaulo return -1; 45214501Srpaulo 46214501Srpaulo /* 2) Compute intermediate values. 47214501Srpaulo * For j = 5 to 0 48214501Srpaulo * For i = n to 1 49214501Srpaulo * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i 50214501Srpaulo * A = MSB(64, B) 51214501Srpaulo * R[i] = LSB(64, B) 52214501Srpaulo */ 53214501Srpaulo for (j = 5; j >= 0; j--) { 54214501Srpaulo r = plain + (n - 1) * 8; 55214501Srpaulo for (i = n; i >= 1; i--) { 56214501Srpaulo os_memcpy(b, a, 8); 57214501Srpaulo b[7] ^= n * j + i; 58214501Srpaulo 59214501Srpaulo os_memcpy(b + 8, r, 8); 60214501Srpaulo aes_decrypt(ctx, b, b); 61214501Srpaulo os_memcpy(a, b, 8); 62214501Srpaulo os_memcpy(r, b + 8, 8); 63214501Srpaulo r -= 8; 64214501Srpaulo } 65214501Srpaulo } 66214501Srpaulo aes_decrypt_deinit(ctx); 67214501Srpaulo 68214501Srpaulo /* 3) Output results. 69214501Srpaulo * 70214501Srpaulo * These are already in @plain due to the location of temporary 71214501Srpaulo * variables. Just verify that the IV matches with the expected value. 72214501Srpaulo */ 73214501Srpaulo for (i = 0; i < 8; i++) { 74214501Srpaulo if (a[i] != 0xa6) 75214501Srpaulo return -1; 76214501Srpaulo } 77214501Srpaulo 78214501Srpaulo return 0; 79214501Srpaulo} 80