From: damien Date: Tue, 12 Aug 2008 15:43:00 +0000 (+0000) Subject: Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256, AES-128-CMAC X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=88d04b3728d07174da03e903c69d1ff6cbf683a8;p=openbsd Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256, AES-128-CMAC and AES Key Wrap algorithms. They will replace/extend the non-generic implementation in net80211. AES-128-CMAC tested by sobrado@ (AlphaServer 1200), naddy@ (alpha/sparc64) and sthen@ (sparc64, armish). HMAC-* reviewed by hshoexer@ ok and hints from djm@ --- diff --git a/sys/conf/files b/sys/conf/files index 95a4f23fd4a..c6c54dbd983 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $OpenBSD: files,v 1.438 2008/07/21 19:05:21 damien Exp $ +# $OpenBSD: files,v 1.439 2008/08/12 15:43:00 damien Exp $ # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 @@ -832,7 +832,7 @@ file crypto/rijndael.c (inet & ipsec) | crypto | uvm_swap_encrypt | wlan file crypto/md5.c file crypto/rmd160.c (inet & ipsec) | crypto file crypto/sha1.c (inet & ipsec) | crypto | carp | wlan -file crypto/sha2.c (inet & ipsec) | crypto +file crypto/sha2.c (inet & ipsec) | crypto | wlan file crypto/blf.c (inet & ipsec) | crypto | vnd file crypto/cast.c (inet & ipsec) | crypto file crypto/skipjack.c (inet & ipsec) | crypto @@ -847,6 +847,9 @@ file crypto/xform.c (inet & ipsec) | crypto file crypto/deflate.c (inet & ipsec) | crypto file crypto/arc4.c file crypto/michael.c wlan +file crypto/cmac.c wlan +file crypto/hmac.c wlan +file crypto/key_wrap.c wlan file crypto/idgen.c inet6 | nfsclient | nfsserver file netatalk/aarp.c netatalk file netatalk/at_control.c netatalk diff --git a/sys/crypto/cmac.c b/sys/crypto/cmac.c new file mode 100644 index 00000000000..81ab6af204c --- /dev/null +++ b/sys/crypto/cmac.c @@ -0,0 +1,120 @@ +/* $OpenBSD: cmac.c,v 1.1 2008/08/12 15:43:00 damien Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the CMAC (Cipher-based Message Authentication) + * algorithm described in FIPS SP800-38B using the AES-128 cipher. + */ + +#include +#include + +#include +#include + +#define LSHIFT(v, r) do { \ + int i; \ + for (i = 0; i < 15; i++) \ + (r)[i] = (v)[i] << 1 | (v)[i + 1] >> 7; \ + (r)[15] = (v)[15] << 1; \ +} while (0) + +#define XOR(v, r) do { \ + int i; \ + for (i = 0; i < 16; i++) \ + (r)[i] ^= (v)[i]; \ +} while (0) + +void +AES_CMAC_Init(AES_CMAC_CTX *ctx) +{ + memset(ctx->X, 0, sizeof ctx->X); + ctx->M_n = 0; +} + +void +AES_CMAC_SetKey(AES_CMAC_CTX *ctx, const u_int8_t key[AES_CMAC_KEY_LENGTH]) +{ + rijndael_set_key_enc_only(&ctx->rijndael, key, 128); +} + +void +AES_CMAC_Update(AES_CMAC_CTX *ctx, const u_int8_t *data, u_int len) +{ + u_int mlen; + + if (ctx->M_n > 0) { + mlen = MIN(16 - ctx->M_n, len); + memcpy(ctx->M_last + ctx->M_n, data, mlen); + ctx->M_n += mlen; + if (ctx->M_n < 16 || len == mlen) + return; + XOR(ctx->M_last, ctx->X); + rijndael_encrypt(&ctx->rijndael, ctx->X, ctx->X); + data += mlen; + len -= mlen; + } + while (len > 16) { /* not last block */ + XOR(data, ctx->X); + rijndael_encrypt(&ctx->rijndael, ctx->X, ctx->X); + data += 16; + len -= 16; + } + /* potential last block, save it */ + memcpy(ctx->M_last, data, len); + ctx->M_n = len; +} + +void +AES_CMAC_Final(u_int8_t digest[AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *ctx) +{ + u_int8_t K[16]; + + /* generate subkey K1 */ + memset(K, 0, sizeof K); + rijndael_encrypt(&ctx->rijndael, K, K); + + if (K[0] & 0x80) { + LSHIFT(K, K); + K[15] ^= 0x87; + } else + LSHIFT(K, K); + + if (ctx->M_n == 16) { + /* last block was a complete block */ + XOR(K, ctx->M_last); + } else { + /* generate subkey K2 */ + if (K[0] & 0x80) { + LSHIFT(K, K); + K[15] ^= 0x87; + } else + LSHIFT(K, K); + + /* padding(M_last) */ + ctx->M_last[ctx->M_n] = 0x80; + while (++ctx->M_n < 16) + ctx->M_last[ctx->M_n] = 0; + + XOR(K, ctx->M_last); + } + XOR(ctx->M_last, ctx->X); + rijndael_encrypt(&ctx->rijndael, ctx->X, digest); + + memset(K, 0, sizeof K); +} diff --git a/sys/crypto/cmac.h b/sys/crypto/cmac.h new file mode 100644 index 00000000000..d90ff1cabe2 --- /dev/null +++ b/sys/crypto/cmac.h @@ -0,0 +1,43 @@ +/* $OpenBSD: cmac.h,v 1.1 2008/08/12 15:43:00 damien Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _CMAC_H_ +#define _CMAC_H_ + +#define AES_CMAC_KEY_LENGTH 16 +#define AES_CMAC_DIGEST_LENGTH 16 + +typedef struct _AES_CMAC_CTX { + rijndael_ctx rijndael; + u_int8_t X[16]; + u_int8_t M_last[16]; + u_int M_n; +} AES_CMAC_CTX; + +#include + +__BEGIN_DECLS +void AES_CMAC_Init(AES_CMAC_CTX *); +void AES_CMAC_SetKey(AES_CMAC_CTX *, const u_int8_t [AES_CMAC_KEY_LENGTH]); +void AES_CMAC_Update(AES_CMAC_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void AES_CMAC_Final(u_int8_t [AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *) + __attribute__((__bounded__(__minbytes__,1,AES_CMAC_DIGEST_LENGTH))); +__END_DECLS + +#endif /* _CMAC_H_ */ diff --git a/sys/crypto/hmac.c b/sys/crypto/hmac.c new file mode 100644 index 00000000000..00aa18bc8de --- /dev/null +++ b/sys/crypto/hmac.c @@ -0,0 +1,192 @@ +/* $OpenBSD: hmac.c,v 1.1 2008/08/12 15:43:00 damien Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the HMAC algorithm described in RFC 2104 using + * the MD5, SHA1 and SHA-256 hash functions. + */ + +#include +#include + +#include +#include +#include +#include + +void +HMAC_MD5_Init(HMAC_MD5_CTX *ctx, const u_int8_t *key, u_int key_len) +{ + u_int8_t k_ipad[MD5_BLOCK_LENGTH]; + int i; + + if (key_len > MD5_BLOCK_LENGTH) { + MD5Init(&ctx->ctx); + MD5Update(&ctx->ctx, key, key_len); + MD5Final(ctx->key, &ctx->ctx); + ctx->key_len = MD5_DIGEST_LENGTH; + } else { + bcopy(key, ctx->key, key_len); + ctx->key_len = key_len; + } + + bzero(k_ipad, MD5_BLOCK_LENGTH); + bcopy(ctx->key, k_ipad, ctx->key_len); + for (i = 0; i < MD5_BLOCK_LENGTH; i++) + k_ipad[i] ^= 0x36; + + MD5Init(&ctx->ctx); + MD5Update(&ctx->ctx, k_ipad, MD5_BLOCK_LENGTH); + + bzero(k_ipad, sizeof k_ipad); +} + +void +HMAC_MD5_Update(HMAC_MD5_CTX *ctx, const u_int8_t *data, u_int len) +{ + MD5Update(&ctx->ctx, data, len); +} + +void +HMAC_MD5_Final(u_int8_t digest[MD5_DIGEST_LENGTH], HMAC_MD5_CTX *ctx) +{ + u_int8_t k_opad[MD5_BLOCK_LENGTH]; + int i; + + MD5Final(digest, &ctx->ctx); + + bzero(k_opad, MD5_BLOCK_LENGTH); + bcopy(ctx->key, k_opad, ctx->key_len); + for (i = 0; i < MD5_BLOCK_LENGTH; i++) + k_opad[i] ^= 0x5c; + + MD5Init(&ctx->ctx); + MD5Update(&ctx->ctx, k_opad, MD5_BLOCK_LENGTH); + MD5Update(&ctx->ctx, digest, MD5_DIGEST_LENGTH); + MD5Final(digest, &ctx->ctx); + + bzero(k_opad, sizeof k_opad); +} + +void +HMAC_SHA1_Init(HMAC_SHA1_CTX *ctx, const u_int8_t *key, u_int key_len) +{ + u_int8_t k_ipad[SHA1_BLOCK_LENGTH]; + int i; + + if (key_len > SHA1_BLOCK_LENGTH) { + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, key, key_len); + SHA1Final(ctx->key, &ctx->ctx); + ctx->key_len = SHA1_DIGEST_LENGTH; + } else { + bcopy(key, ctx->key, key_len); + ctx->key_len = key_len; + } + + bzero(k_ipad, SHA1_BLOCK_LENGTH); + bcopy(ctx->key, k_ipad, ctx->key_len); + for (i = 0; i < SHA1_BLOCK_LENGTH; i++) + k_ipad[i] ^= 0x36; + + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, k_ipad, SHA1_BLOCK_LENGTH); + + bzero(k_ipad, sizeof k_ipad); +} + +void +HMAC_SHA1_Update(HMAC_SHA1_CTX *ctx, const u_int8_t *data, u_int len) +{ + SHA1Update(&ctx->ctx, data, len); +} + +void +HMAC_SHA1_Final(u_int8_t digest[SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *ctx) +{ + u_int8_t k_opad[SHA1_BLOCK_LENGTH]; + int i; + + SHA1Final(digest, &ctx->ctx); + + bzero(k_opad, SHA1_BLOCK_LENGTH); + bcopy(ctx->key, k_opad, ctx->key_len); + for (i = 0; i < SHA1_BLOCK_LENGTH; i++) + k_opad[i] ^= 0x5c; + + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, k_opad, SHA1_BLOCK_LENGTH); + SHA1Update(&ctx->ctx, digest, SHA1_DIGEST_LENGTH); + SHA1Final(digest, &ctx->ctx); + + bzero(k_opad, sizeof k_opad); +} + +void +HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const u_int8_t *key, u_int key_len) +{ + u_int8_t k_ipad[SHA256_BLOCK_LENGTH]; + int i; + + if (key_len > SHA256_BLOCK_LENGTH) { + SHA256_Init(&ctx->ctx); + SHA256_Update(&ctx->ctx, key, key_len); + SHA256_Final(ctx->key, &ctx->ctx); + ctx->key_len = SHA256_DIGEST_LENGTH; + } else { + bcopy(key, ctx->key, key_len); + ctx->key_len = key_len; + } + + bzero(k_ipad, SHA256_BLOCK_LENGTH); + bcopy(ctx->key, k_ipad, ctx->key_len); + for (i = 0; i < SHA256_BLOCK_LENGTH; i++) + k_ipad[i] ^= 0x36; + + SHA256_Init(&ctx->ctx); + SHA256_Update(&ctx->ctx, k_ipad, SHA256_BLOCK_LENGTH); + + bzero(k_ipad, sizeof k_ipad); +} + +void +HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const u_int8_t *data, u_int len) +{ + SHA256_Update(&ctx->ctx, data, len); +} + +void +HMAC_SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *ctx) +{ + u_int8_t k_opad[SHA256_BLOCK_LENGTH]; + int i; + + SHA256_Final(digest, &ctx->ctx); + + bzero(k_opad, SHA256_BLOCK_LENGTH); + bcopy(ctx->key, k_opad, ctx->key_len); + for (i = 0; i < SHA256_BLOCK_LENGTH; i++) + k_opad[i] ^= 0x5c; + + SHA256_Init(&ctx->ctx); + SHA256_Update(&ctx->ctx, k_opad, SHA256_BLOCK_LENGTH); + SHA256_Update(&ctx->ctx, digest, SHA256_DIGEST_LENGTH); + SHA256_Final(digest, &ctx->ctx); + + bzero(k_opad, sizeof k_opad); +} diff --git a/sys/crypto/hmac.h b/sys/crypto/hmac.h new file mode 100644 index 00000000000..677f9d4598b --- /dev/null +++ b/sys/crypto/hmac.h @@ -0,0 +1,67 @@ +/* $OpenBSD: hmac.h,v 1.1 2008/08/12 15:43:00 damien Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _HMAC_H_ +#define _HMAC_H_ + +typedef struct _HMAC_MD5_CTX { + MD5_CTX ctx; + u_int8_t key[MD5_BLOCK_LENGTH]; + u_int key_len; +} HMAC_MD5_CTX; + +typedef struct _HMAC_SHA1_CTX { + SHA1_CTX ctx; + u_int8_t key[SHA1_BLOCK_LENGTH]; + u_int key_len; +} HMAC_SHA1_CTX; + +typedef struct _HMAC_SHA256_CTX { + SHA256_CTX ctx; + u_int8_t key[SHA256_BLOCK_LENGTH]; + u_int key_len; +} HMAC_SHA256_CTX; + +#include + +__BEGIN_DECLS + +void HMAC_MD5_Init(HMAC_MD5_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_MD5_Update(HMAC_MD5_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_MD5_Final(u_int8_t [MD5_DIGEST_LENGTH], HMAC_MD5_CTX *) + __attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH))); + +void HMAC_SHA1_Init(HMAC_SHA1_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA1_Update(HMAC_SHA1_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA1_Final(u_int8_t [SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA1_DIGEST_LENGTH))); + +void HMAC_SHA256_Init(HMAC_SHA256_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA256_Update(HMAC_SHA256_CTX *, const u_int8_t *, u_int) + __attribute__((__bounded__(__string__,2,3))); +void HMAC_SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *) + __attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH))); + +__END_DECLS + +#endif /* _HMAC_H_ */ diff --git a/sys/crypto/key_wrap.c b/sys/crypto/key_wrap.c new file mode 100644 index 00000000000..e99e74b9df2 --- /dev/null +++ b/sys/crypto/key_wrap.c @@ -0,0 +1,112 @@ +/* $OpenBSD: key_wrap.c,v 1.1 2008/08/12 15:43:00 damien Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code implements the AES Key Wrap algorithm described in RFC 3394. + */ + +#include +#include + +#include +#include + +static const u_int8_t IV[8] = + { 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 }; + +void +aes_key_wrap_set_key(aes_key_wrap_ctx *ctx, const u_int8_t *K, size_t K_len) +{ + rijndael_set_key(&ctx->ctx, K, K_len * NBBY); +} + +void +aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *ctx, const u_int8_t *K, + size_t K_len) +{ + rijndael_set_key_enc_only(&ctx->ctx, K, K_len * NBBY); +} + +void +aes_key_wrap(aes_key_wrap_ctx *ctx, const u_int8_t *P, size_t n, u_int8_t *C) +{ + u_int64_t B[2], t; + u_int8_t *A, *R; + size_t i; + int j; + + ovbcopy(P, C + 8, n * 8); /* P and C may overlap */ + A = C; /* A points to C[0] */ + memcpy(A, IV, 8); /* A = IV, an initial value */ + + for (j = 0, t = 1; j <= 5; j++) { + R = C + 8; + for (i = 1; i <= n; i++, t++) { + /* B = A | R[i] */ + memcpy(&B[0], A, 8); + memcpy(&B[1], R, 8); + /* B = AES(K, B) */ + rijndael_encrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B); + /* MSB(64, B) = MSB(64, B) ^ t */ + B[0] ^= htobe64(t); + /* A = MSB(64, B) */ + memcpy(A, &B[0], 8); + /* R[i] = LSB(64, B) */ + memcpy(R, &B[1], 8); + + R += 8; + } + } + memset(B, 0, sizeof B); +} + +int +aes_key_unwrap(aes_key_wrap_ctx *ctx, const u_int8_t *C, u_int8_t *P, size_t n) +{ + u_int64_t B[2], t; + u_int8_t A[8], *R; + size_t i; + int j; + + memcpy(A, C, 8); /* A = C[0] */ + ovbcopy(C + 8, P, n * 8); /* P and C may overlap */ + + for (j = 5, t = 6 * n; j >= 0; j--) { + R = P + (n - 1) * 8; + for (i = n; i >= 1; i--, t--) { + /* MSB(64, B) = A */ + memcpy(&B[0], A, 8); + /* MSB(64, B) = MSB(64, B) ^ t */ + B[0] ^= htobe64(t); + /* B = MSB(64, B) | R[i] */ + memcpy(&B[1], R, 8); + /* B = AES-1(K, B) */ + rijndael_decrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B); + /* A = MSB(64, B) */ + memcpy(A, &B[0], 8); + /* R[i] = LSB(64, B) */ + memcpy(R, &B[1], 8); + + R -= 8; + } + } + memset(B, 0, sizeof B); + + /* check that A is an appropriate initial value */ + return memcmp(A, IV, 8) != 0; +} diff --git a/sys/crypto/key_wrap.h b/sys/crypto/key_wrap.h new file mode 100644 index 00000000000..4c984e13d9d --- /dev/null +++ b/sys/crypto/key_wrap.h @@ -0,0 +1,38 @@ +/* $OpenBSD: key_wrap.h,v 1.1 2008/08/12 15:43:00 damien Exp $ */ + +/*- + * Copyright (c) 2008 Damien Bergamini + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _KEY_WRAP_H_ +#define _KEY_WRAP_H_ + +typedef struct _aes_key_wrap_ctx { + rijndael_ctx ctx; +} aes_key_wrap_ctx; + +#include + +__BEGIN_DECLS + +void aes_key_wrap_set_key(aes_key_wrap_ctx *, const u_int8_t *, size_t); +void aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *, const u_int8_t *, + size_t); +void aes_key_wrap(aes_key_wrap_ctx *, const u_int8_t *, size_t, u_int8_t *); +int aes_key_unwrap(aes_key_wrap_ctx *, const u_int8_t *, u_int8_t *, + size_t); +__END_DECLS + +#endif /* _KEY_WRAP_H_ */