2016-11-04 02:12:21 -04:00
|
|
|
/*
|
|
|
|
* AES key unwrap (128-bit KEK, RFC3394)
|
|
|
|
*
|
|
|
|
* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* Alternatively, this software may be distributed under the terms of BSD
|
|
|
|
* license.
|
|
|
|
*
|
|
|
|
* See README and COPYING for more details.
|
|
|
|
*/
|
2019-07-03 08:09:52 -04:00
|
|
|
/*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Hardware crypto support Copyright 2017-2019 Espressif Systems (Shanghai) PTE LTD
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
2016-11-04 02:12:21 -04:00
|
|
|
|
2018-08-13 04:37:56 -04:00
|
|
|
#include "utils/includes.h"
|
2016-11-04 02:12:21 -04:00
|
|
|
|
2018-08-13 04:37:56 -04:00
|
|
|
#include "utils/common.h"
|
2019-07-03 08:09:52 -04:00
|
|
|
#ifdef USE_MBEDTLS_CRYPTO
|
|
|
|
#include "mbedtls/aes.h"
|
|
|
|
#else /* USE_MBEDTLS_CRYPTO */
|
2019-08-06 07:40:16 -04:00
|
|
|
#include "aes.h"
|
|
|
|
#include "aes_wrap.h"
|
2019-07-03 08:09:52 -04:00
|
|
|
#endif /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
|
|
|
|
/**
|
|
|
|
* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
|
|
|
|
* @kek: Key encryption key (KEK)
|
|
|
|
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
|
|
|
|
* bytes
|
|
|
|
* @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
|
|
|
|
* @plain: Plaintext key, n * 64 bits
|
|
|
|
* Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
|
|
|
|
*/
|
2020-11-10 02:40:01 -05:00
|
|
|
int
|
2016-11-04 02:12:21 -04:00
|
|
|
aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
|
|
|
|
{
|
|
|
|
u8 a[8], *r, b[16];
|
|
|
|
int i, j;
|
2019-07-03 08:09:52 -04:00
|
|
|
#ifdef USE_MBEDTLS_CRYPTO
|
|
|
|
int32_t ret = 0;
|
|
|
|
mbedtls_aes_context ctx;
|
|
|
|
#else /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
void *ctx;
|
2019-07-03 08:09:52 -04:00
|
|
|
#endif /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
|
|
|
|
/* 1) Initialize variables. */
|
|
|
|
os_memcpy(a, cipher, 8);
|
|
|
|
r = plain;
|
|
|
|
os_memcpy(r, cipher + 8, 8 * n);
|
|
|
|
|
2019-07-03 08:09:52 -04:00
|
|
|
#ifdef USE_MBEDTLS_CRYPTO
|
|
|
|
mbedtls_aes_init(&ctx);
|
|
|
|
ret = mbedtls_aes_setkey_dec(&ctx, kek, 128);
|
|
|
|
if (ret < 0) {
|
|
|
|
mbedtls_aes_free(&ctx);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#else /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
ctx = aes_decrypt_init(kek, 16);
|
|
|
|
if (ctx == NULL)
|
|
|
|
return -1;
|
2019-07-03 08:09:52 -04:00
|
|
|
#endif /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
|
|
|
|
/* 2) Compute intermediate values.
|
|
|
|
* For j = 5 to 0
|
|
|
|
* For i = n to 1
|
|
|
|
* B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
|
|
|
|
* A = MSB(64, B)
|
|
|
|
* R[i] = LSB(64, B)
|
|
|
|
*/
|
|
|
|
for (j = 5; j >= 0; j--) {
|
|
|
|
r = plain + (n - 1) * 8;
|
|
|
|
for (i = n; i >= 1; i--) {
|
|
|
|
os_memcpy(b, a, 8);
|
|
|
|
b[7] ^= n * j + i;
|
|
|
|
|
|
|
|
os_memcpy(b + 8, r, 8);
|
2019-07-03 08:09:52 -04:00
|
|
|
#ifdef USE_MBEDTLS_CRYPTO
|
|
|
|
ret = mbedtls_internal_aes_decrypt(&ctx, b, b);
|
|
|
|
#else /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
aes_decrypt(ctx, b, b);
|
2019-07-03 08:09:52 -04:00
|
|
|
#endif /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
os_memcpy(a, b, 8);
|
|
|
|
os_memcpy(r, b + 8, 8);
|
|
|
|
r -= 8;
|
|
|
|
}
|
|
|
|
}
|
2019-07-03 08:09:52 -04:00
|
|
|
#ifdef USE_MBEDTLS_CRYPTO
|
|
|
|
mbedtls_aes_free(&ctx);
|
|
|
|
#else /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
aes_decrypt_deinit(ctx);
|
2019-07-03 08:09:52 -04:00
|
|
|
#endif /* USE_MBEDTLS_CRYPTO */
|
2016-11-04 02:12:21 -04:00
|
|
|
|
|
|
|
/* 3) Output results.
|
|
|
|
*
|
|
|
|
* These are already in @plain due to the location of temporary
|
|
|
|
* variables. Just verify that the IV matches with the expected value.
|
|
|
|
*/
|
|
|
|
for (i = 0; i < 8; i++) {
|
|
|
|
if (a[i] != 0xa6)
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|