wrap128.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331
  1. /*
  2. * Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /** Beware!
  10. *
  11. * Following wrapping modes were designed for AES but this implementation
  12. * allows you to use them for any 128 bit block cipher.
  13. */
  14. #include "internal/cryptlib.h"
  15. #include <openssl/modes.h>
  16. /** RFC 3394 section 2.2.3.1 Default Initial Value */
  17. static const unsigned char default_iv[] = {
  18. 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
  19. };
  20. /** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
  21. static const unsigned char default_aiv[] = {
  22. 0xA6, 0x59, 0x59, 0xA6
  23. };
  24. /** Input size limit: lower than maximum of standards but far larger than
  25. * anything that will be used in practice.
  26. */
  27. #define CRYPTO128_WRAP_MAX (1UL << 31)
  28. /** Wrapping according to RFC 3394 section 2.2.1.
  29. *
  30. * @param[in] key Key value.
  31. * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
  32. * @param[in] in Plaintext as n 64-bit blocks, n >= 2.
  33. * @param[in] inlen Length of in.
  34. * @param[out] out Ciphertext. Minimal buffer length = (inlen + 8) bytes.
  35. * Input and output buffers can overlap if block function
  36. * supports that.
  37. * @param[in] block Block processing function.
  38. * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
  39. * or if inlen > CRYPTO128_WRAP_MAX.
  40. * Output length if wrapping succeeded.
  41. */
  42. size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
  43. unsigned char *out,
  44. const unsigned char *in, size_t inlen,
  45. block128_f block)
  46. {
  47. unsigned char *A, B[16], *R;
  48. size_t i, j, t;
  49. if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
  50. return 0;
  51. A = B;
  52. t = 1;
  53. memmove(out + 8, in, inlen);
  54. if (!iv)
  55. iv = default_iv;
  56. memcpy(A, iv, 8);
  57. for (j = 0; j < 6; j++) {
  58. R = out + 8;
  59. for (i = 0; i < inlen; i += 8, t++, R += 8) {
  60. memcpy(B + 8, R, 8);
  61. block(B, B, key);
  62. A[7] ^= (unsigned char)(t & 0xff);
  63. if (t > 0xff) {
  64. A[6] ^= (unsigned char)((t >> 8) & 0xff);
  65. A[5] ^= (unsigned char)((t >> 16) & 0xff);
  66. A[4] ^= (unsigned char)((t >> 24) & 0xff);
  67. }
  68. memcpy(R, B + 8, 8);
  69. }
  70. }
  71. memcpy(out, A, 8);
  72. return inlen + 8;
  73. }
  74. /** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
  75. * The IV check (step 3) is responsibility of the caller.
  76. *
  77. * @param[in] key Key value.
  78. * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
  79. * @param[out] out Plaintext without IV.
  80. * Minimal buffer length = (inlen - 8) bytes.
  81. * Input and output buffers can overlap if block function
  82. * supports that.
  83. * @param[in] in Ciphertext as n 64-bit blocks.
  84. * @param[in] inlen Length of in.
  85. * @param[in] block Block processing function.
  86. * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
  87. * or if inlen is not a multiple of 8.
  88. * Output length otherwise.
  89. */
  90. static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
  91. unsigned char *out,
  92. const unsigned char *in, size_t inlen,
  93. block128_f block)
  94. {
  95. unsigned char *A, B[16], *R;
  96. size_t i, j, t;
  97. inlen -= 8;
  98. if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
  99. return 0;
  100. A = B;
  101. t = 6 * (inlen >> 3);
  102. memcpy(A, in, 8);
  103. memmove(out, in + 8, inlen);
  104. for (j = 0; j < 6; j++) {
  105. R = out + inlen - 8;
  106. for (i = 0; i < inlen; i += 8, t--, R -= 8) {
  107. A[7] ^= (unsigned char)(t & 0xff);
  108. if (t > 0xff) {
  109. A[6] ^= (unsigned char)((t >> 8) & 0xff);
  110. A[5] ^= (unsigned char)((t >> 16) & 0xff);
  111. A[4] ^= (unsigned char)((t >> 24) & 0xff);
  112. }
  113. memcpy(B + 8, R, 8);
  114. block(B, B, key);
  115. memcpy(R, B + 8, 8);
  116. }
  117. }
  118. memcpy(iv, A, 8);
  119. return inlen;
  120. }
  121. /** Unwrapping according to RFC 3394 section 2.2.2, including the IV check.
  122. * The first block of plaintext has to match the supplied IV, otherwise an
  123. * error is returned.
  124. *
  125. * @param[in] key Key value.
  126. * @param[out] iv IV value to match against. Length = 8 bytes.
  127. * NULL = use default_iv.
  128. * @param[out] out Plaintext without IV.
  129. * Minimal buffer length = (inlen - 8) bytes.
  130. * Input and output buffers can overlap if block function
  131. * supports that.
  132. * @param[in] in Ciphertext as n 64-bit blocks.
  133. * @param[in] inlen Length of in.
  134. * @param[in] block Block processing function.
  135. * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
  136. * or if inlen is not a multiple of 8
  137. * or if IV doesn't match expected value.
  138. * Output length otherwise.
  139. */
  140. size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
  141. unsigned char *out, const unsigned char *in,
  142. size_t inlen, block128_f block)
  143. {
  144. size_t ret;
  145. unsigned char got_iv[8];
  146. ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
  147. if (ret == 0)
  148. return 0;
  149. if (!iv)
  150. iv = default_iv;
  151. if (CRYPTO_memcmp(got_iv, iv, 8)) {
  152. OPENSSL_cleanse(out, ret);
  153. return 0;
  154. }
  155. return ret;
  156. }
  157. /** Wrapping according to RFC 5649 section 4.1.
  158. *
  159. * @param[in] key Key value.
  160. * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
  161. * @param[out] out Ciphertext. Minimal buffer length = (inlen + 15) bytes.
  162. * Input and output buffers can overlap if block function
  163. * supports that.
  164. * @param[in] in Plaintext as n 64-bit blocks, n >= 2.
  165. * @param[in] inlen Length of in.
  166. * @param[in] block Block processing function.
  167. * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
  168. * Output length if wrapping succeeded.
  169. */
  170. size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
  171. unsigned char *out,
  172. const unsigned char *in, size_t inlen,
  173. block128_f block)
  174. {
  175. /* n: number of 64-bit blocks in the padded key data
  176. *
  177. * If length of plain text is not a multiple of 8, pad the plain text octet
  178. * string on the right with octets of zeros, where final length is the
  179. * smallest multiple of 8 that is greater than length of plain text.
  180. * If length of plain text is a multiple of 8, then there is no padding. */
  181. const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
  182. const size_t padded_len = blocks_padded * 8;
  183. const size_t padding_len = padded_len - inlen;
  184. /* RFC 5649 section 3: Alternative Initial Value */
  185. unsigned char aiv[8];
  186. int ret;
  187. /* Section 1: use 32-bit fixed field for plaintext octet length */
  188. if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
  189. return 0;
  190. /* Section 3: Alternative Initial Value */
  191. if (!icv)
  192. memcpy(aiv, default_aiv, 4);
  193. else
  194. memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
  195. aiv[4] = (inlen >> 24) & 0xFF;
  196. aiv[5] = (inlen >> 16) & 0xFF;
  197. aiv[6] = (inlen >> 8) & 0xFF;
  198. aiv[7] = inlen & 0xFF;
  199. if (padded_len == 8) {
  200. /*
  201. * Section 4.1 - special case in step 2: If the padded plaintext
  202. * contains exactly eight octets, then prepend the AIV and encrypt
  203. * the resulting 128-bit block using AES in ECB mode.
  204. */
  205. memmove(out + 8, in, inlen);
  206. memcpy(out, aiv, 8);
  207. memset(out + 8 + inlen, 0, padding_len);
  208. block(out, out, key);
  209. ret = 16; /* AIV + padded input */
  210. } else {
  211. memmove(out, in, inlen);
  212. memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
  213. ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
  214. }
  215. return ret;
  216. }
  217. /** Unwrapping according to RFC 5649 section 4.2.
  218. *
  219. * @param[in] key Key value.
  220. * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
  221. * @param[out] out Plaintext. Minimal buffer length = (inlen - 8) bytes.
  222. * Input and output buffers can overlap if block function
  223. * supports that.
  224. * @param[in] in Ciphertext as n 64-bit blocks.
  225. * @param[in] inlen Length of in.
  226. * @param[in] block Block processing function.
  227. * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
  228. * or if inlen is not a multiple of 8
  229. * or if IV and message length indicator doesn't match.
  230. * Output length if unwrapping succeeded and IV matches.
  231. */
  232. size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
  233. unsigned char *out,
  234. const unsigned char *in, size_t inlen,
  235. block128_f block)
  236. {
  237. /* n: number of 64-bit blocks in the padded key data */
  238. size_t n = inlen / 8 - 1;
  239. size_t padded_len;
  240. size_t padding_len;
  241. size_t ptext_len;
  242. /* RFC 5649 section 3: Alternative Initial Value */
  243. unsigned char aiv[8];
  244. static unsigned char zeros[8] = { 0x0 };
  245. size_t ret;
  246. /* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */
  247. if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
  248. return 0;
  249. if (inlen == 16) {
  250. /*
  251. * Section 4.2 - special case in step 1: When n=1, the ciphertext
  252. * contains exactly two 64-bit blocks and they are decrypted as a
  253. * single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] |
  254. * C[1])
  255. */
  256. unsigned char buff[16];
  257. block(in, buff, key);
  258. memcpy(aiv, buff, 8);
  259. /* Remove AIV */
  260. memcpy(out, buff + 8, 8);
  261. padded_len = 8;
  262. OPENSSL_cleanse(buff, inlen);
  263. } else {
  264. padded_len = inlen - 8;
  265. ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block);
  266. if (padded_len != ret) {
  267. OPENSSL_cleanse(out, inlen);
  268. return 0;
  269. }
  270. }
  271. /*
  272. * Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a
  273. * user-supplied value can be used (even if standard doesn't mention
  274. * this).
  275. */
  276. if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
  277. || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
  278. OPENSSL_cleanse(out, inlen);
  279. return 0;
  280. }
  281. /*
  282. * Check that 8*(n-1) < LSB(32,AIV) <= 8*n. If so, let ptext_len =
  283. * LSB(32,AIV).
  284. */
  285. ptext_len = ((unsigned int)aiv[4] << 24)
  286. | ((unsigned int)aiv[5] << 16)
  287. | ((unsigned int)aiv[6] << 8)
  288. | (unsigned int)aiv[7];
  289. if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
  290. OPENSSL_cleanse(out, inlen);
  291. return 0;
  292. }
  293. /*
  294. * Check that the rightmost padding_len octets of the output data are
  295. * zero.
  296. */
  297. padding_len = padded_len - ptext_len;
  298. if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
  299. OPENSSL_cleanse(out, inlen);
  300. return 0;
  301. }
  302. /* Section 4.2 step 3: Remove padding */
  303. return ptext_len;
  304. }