1214501Srpaulo/*
2214501Srpaulo * AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
3214501Srpaulo *
4214501Srpaulo * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5214501Srpaulo *
6252726Srpaulo * This software may be distributed under the terms of the BSD license.
7252726Srpaulo * See README for more details.
8214501Srpaulo */
9214501Srpaulo
10214501Srpaulo#include "includes.h"
11214501Srpaulo
12214501Srpaulo#include "common.h"
13214501Srpaulo#include "aes.h"
14214501Srpaulo#include "aes_wrap.h"
15214501Srpaulo
16214501Srpaulo/**
17214501Srpaulo * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
18214501Srpaulo * @kek: 16-octet Key encryption key (KEK)
19214501Srpaulo * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
20214501Srpaulo * bytes
21214501Srpaulo * @plain: Plaintext key to be wrapped, n * 64 bits
22214501Srpaulo * @cipher: Wrapped key, (n + 1) * 64 bits
23214501Srpaulo * Returns: 0 on success, -1 on failure
24214501Srpaulo */
25214501Srpauloint aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
26214501Srpaulo{
27214501Srpaulo	u8 *a, *r, b[16];
28214501Srpaulo	int i, j;
29214501Srpaulo	void *ctx;
30214501Srpaulo
31214501Srpaulo	a = cipher;
32214501Srpaulo	r = cipher + 8;
33214501Srpaulo
34214501Srpaulo	/* 1) Initialize variables. */
35214501Srpaulo	os_memset(a, 0xa6, 8);
36214501Srpaulo	os_memcpy(r, plain, 8 * n);
37214501Srpaulo
38214501Srpaulo	ctx = aes_encrypt_init(kek, 16);
39214501Srpaulo	if (ctx == NULL)
40214501Srpaulo		return -1;
41214501Srpaulo
42214501Srpaulo	/* 2) Calculate intermediate values.
43214501Srpaulo	 * For j = 0 to 5
44214501Srpaulo	 *     For i=1 to n
45214501Srpaulo	 *         B = AES(K, A | R[i])
46214501Srpaulo	 *         A = MSB(64, B) ^ t where t = (n*j)+i
47214501Srpaulo	 *         R[i] = LSB(64, B)
48214501Srpaulo	 */
49214501Srpaulo	for (j = 0; j <= 5; j++) {
50214501Srpaulo		r = cipher + 8;
51214501Srpaulo		for (i = 1; i <= n; i++) {
52214501Srpaulo			os_memcpy(b, a, 8);
53214501Srpaulo			os_memcpy(b + 8, r, 8);
54214501Srpaulo			aes_encrypt(ctx, b, b);
55214501Srpaulo			os_memcpy(a, b, 8);
56214501Srpaulo			a[7] ^= n * j + i;
57214501Srpaulo			os_memcpy(r, b + 8, 8);
58214501Srpaulo			r += 8;
59214501Srpaulo		}
60214501Srpaulo	}
61214501Srpaulo	aes_encrypt_deinit(ctx);
62214501Srpaulo
63214501Srpaulo	/* 3) Output the results.
64214501Srpaulo	 *
65214501Srpaulo	 * These are already in @cipher due to the location of temporary
66214501Srpaulo	 * variables.
67214501Srpaulo	 */
68214501Srpaulo
69214501Srpaulo	return 0;
70214501Srpaulo}
71