From 88d04b3728d07174da03e903c69d1ff6cbf683a8 Mon Sep 17 00:00:00 2001
From: damien <damien@openbsd.org>
Date: Tue, 12 Aug 2008 15:43:00 +0000
Subject: [PATCH] Implementation of the HMAC-MD5, HMAC-SHA1, HMAC-SHA256,
 AES-128-CMAC and AES Key Wrap algorithms. They will replace/extend the
 non-generic implementation in net80211.

AES-128-CMAC tested by sobrado@ (AlphaServer 1200),
naddy@ (alpha/sparc64) and sthen@ (sparc64, armish).
HMAC-* reviewed by hshoexer@

ok and hints from djm@
---
 sys/conf/files        |   7 +-
 sys/crypto/cmac.c     | 120 ++++++++++++++++++++++++++
 sys/crypto/cmac.h     |  43 ++++++++++
 sys/crypto/hmac.c     | 192 ++++++++++++++++++++++++++++++++++++++++++
 sys/crypto/hmac.h     |  67 +++++++++++++++
 sys/crypto/key_wrap.c | 112 ++++++++++++++++++++++++
 sys/crypto/key_wrap.h |  38 +++++++++
 7 files changed, 577 insertions(+), 2 deletions(-)
 create mode 100644 sys/crypto/cmac.c
 create mode 100644 sys/crypto/cmac.h
 create mode 100644 sys/crypto/hmac.c
 create mode 100644 sys/crypto/hmac.h
 create mode 100644 sys/crypto/key_wrap.c
 create mode 100644 sys/crypto/key_wrap.h

diff --git a/sys/conf/files b/sys/conf/files
index 95a4f23fd4a..c6c54dbd983 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1,4 +1,4 @@
-#	$OpenBSD: files,v 1.438 2008/07/21 19:05:21 damien Exp $
+#	$OpenBSD: files,v 1.439 2008/08/12 15:43:00 damien Exp $
 #	$NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
 
 #	@(#)files.newconf	7.5 (Berkeley) 5/10/93
@@ -832,7 +832,7 @@ file crypto/rijndael.c			(inet & ipsec) | crypto | uvm_swap_encrypt | wlan
 file crypto/md5.c
 file crypto/rmd160.c			(inet & ipsec) | crypto
 file crypto/sha1.c			(inet & ipsec) | crypto | carp | wlan
-file crypto/sha2.c			(inet & ipsec) | crypto
+file crypto/sha2.c			(inet & ipsec) | crypto | wlan
 file crypto/blf.c			(inet & ipsec) | crypto | vnd
 file crypto/cast.c			(inet & ipsec) | crypto
 file crypto/skipjack.c			(inet & ipsec) | crypto
@@ -847,6 +847,9 @@ file crypto/xform.c			(inet & ipsec) | crypto
 file crypto/deflate.c			(inet & ipsec) | crypto
 file crypto/arc4.c			
 file crypto/michael.c			wlan
+file crypto/cmac.c			wlan
+file crypto/hmac.c			wlan
+file crypto/key_wrap.c			wlan
 file crypto/idgen.c			inet6 | nfsclient | nfsserver
 file netatalk/aarp.c			netatalk
 file netatalk/at_control.c		netatalk
diff --git a/sys/crypto/cmac.c b/sys/crypto/cmac.c
new file mode 100644
index 00000000000..81ab6af204c
--- /dev/null
+++ b/sys/crypto/cmac.c
@@ -0,0 +1,120 @@
+/*	$OpenBSD: cmac.c,v 1.1 2008/08/12 15:43:00 damien Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This code implements the CMAC (Cipher-based Message Authentication)
+ * algorithm described in FIPS SP800-38B using the AES-128 cipher.
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+
+#include <crypto/rijndael.h>
+#include <crypto/cmac.h>
+
+#define LSHIFT(v, r) do {					\
+	int i;							\
+	for (i = 0; i < 15; i++)				\
+		(r)[i] = (v)[i] << 1 | (v)[i + 1] >> 7;		\
+	(r)[15] = (v)[15] << 1;					\
+} while (0)
+
+#define XOR(v, r) do {						\
+	int i;							\
+	for (i = 0; i < 16; i++)				\
+		(r)[i] ^= (v)[i];				\
+} while (0)
+
+void
+AES_CMAC_Init(AES_CMAC_CTX *ctx)
+{
+	memset(ctx->X, 0, sizeof ctx->X);
+	ctx->M_n = 0;
+}
+
+void
+AES_CMAC_SetKey(AES_CMAC_CTX *ctx, const u_int8_t key[AES_CMAC_KEY_LENGTH])
+{
+	rijndael_set_key_enc_only(&ctx->rijndael, key, 128);
+}
+
+void
+AES_CMAC_Update(AES_CMAC_CTX *ctx, const u_int8_t *data, u_int len)
+{
+	u_int mlen;
+
+	if (ctx->M_n > 0) {
+		mlen = MIN(16 - ctx->M_n, len);
+		memcpy(ctx->M_last + ctx->M_n, data, mlen);
+		ctx->M_n += mlen;
+		if (ctx->M_n < 16 || len == mlen)
+			return;
+		XOR(ctx->M_last, ctx->X);
+		rijndael_encrypt(&ctx->rijndael, ctx->X, ctx->X);
+		data += mlen;
+		len -= mlen;
+	}
+	while (len > 16) {	/* not last block */
+		XOR(data, ctx->X);
+		rijndael_encrypt(&ctx->rijndael, ctx->X, ctx->X);
+		data += 16;
+		len -= 16;
+	}
+	/* potential last block, save it */
+	memcpy(ctx->M_last, data, len);
+	ctx->M_n = len;
+}
+
+void
+AES_CMAC_Final(u_int8_t digest[AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *ctx)
+{
+	u_int8_t K[16];
+
+	/* generate subkey K1 */
+	memset(K, 0, sizeof K);
+	rijndael_encrypt(&ctx->rijndael, K, K);
+
+	if (K[0] & 0x80) {
+		LSHIFT(K, K);
+		K[15] ^= 0x87;
+	} else
+		LSHIFT(K, K);
+
+	if (ctx->M_n == 16) {
+		/* last block was a complete block */
+		XOR(K, ctx->M_last);
+	} else {
+		/* generate subkey K2 */
+		if (K[0] & 0x80) {
+			LSHIFT(K, K);
+			K[15] ^= 0x87;
+		} else
+			LSHIFT(K, K);
+
+		/* padding(M_last) */
+		ctx->M_last[ctx->M_n] = 0x80;
+		while (++ctx->M_n < 16)
+			ctx->M_last[ctx->M_n] = 0;
+
+		XOR(K, ctx->M_last);
+	}
+	XOR(ctx->M_last, ctx->X);
+	rijndael_encrypt(&ctx->rijndael, ctx->X, digest);
+
+	memset(K, 0, sizeof K);
+}
diff --git a/sys/crypto/cmac.h b/sys/crypto/cmac.h
new file mode 100644
index 00000000000..d90ff1cabe2
--- /dev/null
+++ b/sys/crypto/cmac.h
@@ -0,0 +1,43 @@
+/*	$OpenBSD: cmac.h,v 1.1 2008/08/12 15:43:00 damien Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _CMAC_H_
+#define _CMAC_H_
+
+#define AES_CMAC_KEY_LENGTH	16
+#define AES_CMAC_DIGEST_LENGTH	16
+
+typedef struct _AES_CMAC_CTX {
+	rijndael_ctx	rijndael;
+	u_int8_t	X[16];
+	u_int8_t	M_last[16];
+	u_int		M_n;
+} AES_CMAC_CTX;
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+void	 AES_CMAC_Init(AES_CMAC_CTX *);
+void	 AES_CMAC_SetKey(AES_CMAC_CTX *, const u_int8_t [AES_CMAC_KEY_LENGTH]);
+void	 AES_CMAC_Update(AES_CMAC_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 AES_CMAC_Final(u_int8_t [AES_CMAC_DIGEST_LENGTH], AES_CMAC_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,AES_CMAC_DIGEST_LENGTH)));
+__END_DECLS
+
+#endif /* _CMAC_H_ */
diff --git a/sys/crypto/hmac.c b/sys/crypto/hmac.c
new file mode 100644
index 00000000000..00aa18bc8de
--- /dev/null
+++ b/sys/crypto/hmac.c
@@ -0,0 +1,192 @@
+/*	$OpenBSD: hmac.c,v 1.1 2008/08/12 15:43:00 damien Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This code implements the HMAC algorithm described in RFC 2104 using
+ * the MD5, SHA1 and SHA-256 hash functions.
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+
+#include <crypto/md5.h>
+#include <crypto/sha1.h>
+#include <crypto/sha2.h>
+#include <crypto/hmac.h>
+
+void
+HMAC_MD5_Init(HMAC_MD5_CTX *ctx, const u_int8_t *key, u_int key_len)
+{
+	u_int8_t k_ipad[MD5_BLOCK_LENGTH];
+	int i;
+
+	if (key_len > MD5_BLOCK_LENGTH) {
+		MD5Init(&ctx->ctx);
+		MD5Update(&ctx->ctx, key, key_len);
+		MD5Final(ctx->key, &ctx->ctx);
+		ctx->key_len = MD5_DIGEST_LENGTH;
+	} else {
+		bcopy(key, ctx->key, key_len);
+		ctx->key_len = key_len;
+	}
+
+	bzero(k_ipad, MD5_BLOCK_LENGTH);
+	bcopy(ctx->key, k_ipad, ctx->key_len);
+	for (i = 0; i < MD5_BLOCK_LENGTH; i++)
+		k_ipad[i] ^= 0x36;
+
+	MD5Init(&ctx->ctx);
+	MD5Update(&ctx->ctx, k_ipad, MD5_BLOCK_LENGTH);
+
+	bzero(k_ipad, sizeof k_ipad);
+}
+
+void
+HMAC_MD5_Update(HMAC_MD5_CTX *ctx, const u_int8_t *data, u_int len)
+{
+	MD5Update(&ctx->ctx, data, len);
+}
+
+void
+HMAC_MD5_Final(u_int8_t digest[MD5_DIGEST_LENGTH], HMAC_MD5_CTX *ctx)
+{
+	u_int8_t k_opad[MD5_BLOCK_LENGTH];
+	int i;
+
+	MD5Final(digest, &ctx->ctx);
+
+	bzero(k_opad, MD5_BLOCK_LENGTH);
+	bcopy(ctx->key, k_opad, ctx->key_len);
+	for (i = 0; i < MD5_BLOCK_LENGTH; i++)
+		k_opad[i] ^= 0x5c;
+
+	MD5Init(&ctx->ctx);
+	MD5Update(&ctx->ctx, k_opad, MD5_BLOCK_LENGTH);
+	MD5Update(&ctx->ctx, digest, MD5_DIGEST_LENGTH);
+	MD5Final(digest, &ctx->ctx);
+
+	bzero(k_opad, sizeof k_opad);
+}
+
+void
+HMAC_SHA1_Init(HMAC_SHA1_CTX *ctx, const u_int8_t *key, u_int key_len)
+{
+	u_int8_t k_ipad[SHA1_BLOCK_LENGTH];
+	int i;
+
+	if (key_len > SHA1_BLOCK_LENGTH) {
+		SHA1Init(&ctx->ctx);
+		SHA1Update(&ctx->ctx, key, key_len);
+		SHA1Final(ctx->key, &ctx->ctx);
+		ctx->key_len = SHA1_DIGEST_LENGTH;
+	} else {
+		bcopy(key, ctx->key, key_len);
+		ctx->key_len = key_len;
+	}
+
+	bzero(k_ipad, SHA1_BLOCK_LENGTH);
+	bcopy(ctx->key, k_ipad, ctx->key_len);
+	for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
+		k_ipad[i] ^= 0x36;
+
+	SHA1Init(&ctx->ctx);
+	SHA1Update(&ctx->ctx, k_ipad, SHA1_BLOCK_LENGTH);
+
+	bzero(k_ipad, sizeof k_ipad);
+}
+
+void
+HMAC_SHA1_Update(HMAC_SHA1_CTX *ctx, const u_int8_t *data, u_int len)
+{
+	SHA1Update(&ctx->ctx, data, len);
+}
+
+void
+HMAC_SHA1_Final(u_int8_t digest[SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *ctx)
+{
+	u_int8_t k_opad[SHA1_BLOCK_LENGTH];
+	int i;
+
+	SHA1Final(digest, &ctx->ctx);
+
+	bzero(k_opad, SHA1_BLOCK_LENGTH);
+	bcopy(ctx->key, k_opad, ctx->key_len);
+	for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
+		k_opad[i] ^= 0x5c;
+
+	SHA1Init(&ctx->ctx);
+	SHA1Update(&ctx->ctx, k_opad, SHA1_BLOCK_LENGTH);
+	SHA1Update(&ctx->ctx, digest, SHA1_DIGEST_LENGTH);
+	SHA1Final(digest, &ctx->ctx);
+
+	bzero(k_opad, sizeof k_opad);
+}
+
+void
+HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const u_int8_t *key, u_int key_len)
+{
+	u_int8_t k_ipad[SHA256_BLOCK_LENGTH];
+	int i;
+
+	if (key_len > SHA256_BLOCK_LENGTH) {
+		SHA256_Init(&ctx->ctx);
+		SHA256_Update(&ctx->ctx, key, key_len);
+		SHA256_Final(ctx->key, &ctx->ctx);
+		ctx->key_len = SHA256_DIGEST_LENGTH;
+	} else {
+		bcopy(key, ctx->key, key_len);
+		ctx->key_len = key_len;
+	}
+
+	bzero(k_ipad, SHA256_BLOCK_LENGTH);
+	bcopy(ctx->key, k_ipad, ctx->key_len);
+	for (i = 0; i < SHA256_BLOCK_LENGTH; i++)
+		k_ipad[i] ^= 0x36;
+
+	SHA256_Init(&ctx->ctx);
+	SHA256_Update(&ctx->ctx, k_ipad, SHA256_BLOCK_LENGTH);
+
+	bzero(k_ipad, sizeof k_ipad);
+}
+
+void
+HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const u_int8_t *data, u_int len)
+{
+	SHA256_Update(&ctx->ctx, data, len);
+}
+
+void
+HMAC_SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *ctx)
+{
+	u_int8_t k_opad[SHA256_BLOCK_LENGTH];
+	int i;
+
+	SHA256_Final(digest, &ctx->ctx);
+
+	bzero(k_opad, SHA256_BLOCK_LENGTH);
+	bcopy(ctx->key, k_opad, ctx->key_len);
+	for (i = 0; i < SHA256_BLOCK_LENGTH; i++)
+		k_opad[i] ^= 0x5c;
+
+	SHA256_Init(&ctx->ctx);
+	SHA256_Update(&ctx->ctx, k_opad, SHA256_BLOCK_LENGTH);
+	SHA256_Update(&ctx->ctx, digest, SHA256_DIGEST_LENGTH);
+	SHA256_Final(digest, &ctx->ctx);
+
+	bzero(k_opad, sizeof k_opad);
+}
diff --git a/sys/crypto/hmac.h b/sys/crypto/hmac.h
new file mode 100644
index 00000000000..677f9d4598b
--- /dev/null
+++ b/sys/crypto/hmac.h
@@ -0,0 +1,67 @@
+/*	$OpenBSD: hmac.h,v 1.1 2008/08/12 15:43:00 damien Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _HMAC_H_
+#define _HMAC_H_
+
+typedef struct _HMAC_MD5_CTX {
+	MD5_CTX		ctx;
+	u_int8_t	key[MD5_BLOCK_LENGTH];
+	u_int		key_len;
+} HMAC_MD5_CTX;
+
+typedef struct _HMAC_SHA1_CTX {
+	SHA1_CTX	ctx;
+	u_int8_t	key[SHA1_BLOCK_LENGTH];
+	u_int		key_len;
+} HMAC_SHA1_CTX;
+
+typedef struct _HMAC_SHA256_CTX {
+	SHA256_CTX	ctx;
+	u_int8_t	key[SHA256_BLOCK_LENGTH];
+	u_int		key_len;
+} HMAC_SHA256_CTX;
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+
+void	 HMAC_MD5_Init(HMAC_MD5_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_MD5_Update(HMAC_MD5_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_MD5_Final(u_int8_t [MD5_DIGEST_LENGTH], HMAC_MD5_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,MD5_DIGEST_LENGTH)));
+
+void	 HMAC_SHA1_Init(HMAC_SHA1_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA1_Update(HMAC_SHA1_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA1_Final(u_int8_t [SHA1_DIGEST_LENGTH], HMAC_SHA1_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,SHA1_DIGEST_LENGTH)));
+
+void	 HMAC_SHA256_Init(HMAC_SHA256_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA256_Update(HMAC_SHA256_CTX *, const u_int8_t *, u_int)
+		__attribute__((__bounded__(__string__,2,3)));
+void	 HMAC_SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], HMAC_SHA256_CTX *)
+		__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
+
+__END_DECLS
+
+#endif	/* _HMAC_H_ */
diff --git a/sys/crypto/key_wrap.c b/sys/crypto/key_wrap.c
new file mode 100644
index 00000000000..e99e74b9df2
--- /dev/null
+++ b/sys/crypto/key_wrap.c
@@ -0,0 +1,112 @@
+/*	$OpenBSD: key_wrap.c,v 1.1 2008/08/12 15:43:00 damien Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This code implements the AES Key Wrap algorithm described in RFC 3394.
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+
+#include <crypto/rijndael.h>
+#include <crypto/key_wrap.h>
+
+static const u_int8_t IV[8] =
+	{ 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 };
+
+void
+aes_key_wrap_set_key(aes_key_wrap_ctx *ctx, const u_int8_t *K, size_t K_len)
+{
+	rijndael_set_key(&ctx->ctx, K, K_len * NBBY);
+}
+
+void
+aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *ctx, const u_int8_t *K,
+    size_t K_len)
+{
+	rijndael_set_key_enc_only(&ctx->ctx, K, K_len * NBBY);
+}
+
+void
+aes_key_wrap(aes_key_wrap_ctx *ctx, const u_int8_t *P, size_t n, u_int8_t *C)
+{
+	u_int64_t B[2], t;
+	u_int8_t *A, *R;
+	size_t i;
+	int j;
+
+	ovbcopy(P, C + 8, n * 8);	/* P and C may overlap */
+	A = C;				/* A points to C[0] */
+	memcpy(A, IV, 8);		/* A = IV, an initial value */
+
+	for (j = 0, t = 1; j <= 5; j++) {
+		R = C + 8;
+		for (i = 1; i <= n; i++, t++) {
+			/* B = A | R[i] */
+			memcpy(&B[0], A, 8);
+			memcpy(&B[1], R, 8);
+			/* B = AES(K, B) */
+			rijndael_encrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B);
+			/* MSB(64, B) = MSB(64, B) ^ t */
+			B[0] ^= htobe64(t);
+			/* A = MSB(64, B) */
+			memcpy(A, &B[0], 8);
+			/* R[i] = LSB(64, B) */
+			memcpy(R, &B[1], 8);
+
+			R += 8;
+		}
+	}
+	memset(B, 0, sizeof B);
+}
+
+int
+aes_key_unwrap(aes_key_wrap_ctx *ctx, const u_int8_t *C, u_int8_t *P, size_t n)
+{
+	u_int64_t B[2], t;
+	u_int8_t A[8], *R;
+	size_t i;
+	int j;
+
+	memcpy(A, C, 8);		/* A = C[0] */
+	ovbcopy(C + 8, P, n * 8);	/* P and C may overlap */
+
+	for (j = 5, t = 6 * n; j >= 0; j--) {
+		R = P + (n - 1) * 8;
+		for (i = n; i >= 1; i--, t--) {
+			/* MSB(64, B) = A */
+			memcpy(&B[0], A, 8);
+			/* MSB(64, B) = MSB(64, B) ^ t */
+			B[0] ^= htobe64(t);
+			/* B = MSB(64, B) | R[i] */
+			memcpy(&B[1], R, 8);
+			/* B = AES-1(K, B) */
+			rijndael_decrypt(&ctx->ctx, (caddr_t)B, (caddr_t)B);
+			/* A = MSB(64, B) */
+			memcpy(A, &B[0], 8);
+			/* R[i] = LSB(64, B) */
+			memcpy(R, &B[1], 8);
+
+			R -= 8;
+		}
+	}
+	memset(B, 0, sizeof B);
+
+	/* check that A is an appropriate initial value */
+	return memcmp(A, IV, 8) != 0;
+}
diff --git a/sys/crypto/key_wrap.h b/sys/crypto/key_wrap.h
new file mode 100644
index 00000000000..4c984e13d9d
--- /dev/null
+++ b/sys/crypto/key_wrap.h
@@ -0,0 +1,38 @@
+/*	$OpenBSD: key_wrap.h,v 1.1 2008/08/12 15:43:00 damien Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _KEY_WRAP_H_
+#define _KEY_WRAP_H_
+
+typedef struct _aes_key_wrap_ctx {
+	rijndael_ctx	ctx;
+} aes_key_wrap_ctx;
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+
+void	aes_key_wrap_set_key(aes_key_wrap_ctx *, const u_int8_t *, size_t);
+void	aes_key_wrap_set_key_wrap_only(aes_key_wrap_ctx *, const u_int8_t *,
+	    size_t);
+void	aes_key_wrap(aes_key_wrap_ctx *, const u_int8_t *, size_t, u_int8_t *);
+int	aes_key_unwrap(aes_key_wrap_ctx *, const u_int8_t *, u_int8_t *,
+	    size_t);
+__END_DECLS
+
+#endif /* _KEY_WRAP_H_ */
-- 
2.20.1