2 * AES key unwrap (128-bit KEK, RFC3394)
4 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
10 * Alternatively, this software may be distributed under the terms of BSD
13 * See README and COPYING for more details.
23 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
24 * @kek: Key encryption key (KEK)
25 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
27 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
28 * @plain: Plaintext key, n * 64 bits
29 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
31 int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
37 /* 1) Initialize variables. */
38 os_memcpy(a, cipher, 8);
40 os_memcpy(r, cipher + 8, 8 * n);
42 ctx = aes_decrypt_init(kek, 16);
46 /* 2) Compute intermediate values.
49 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
53 for (j = 5; j >= 0; j--) {
54 r = plain + (n - 1) * 8;
55 for (i = n; i >= 1; i--) {
59 os_memcpy(b + 8, r, 8);
60 aes_decrypt(ctx, b, b);
62 os_memcpy(r, b + 8, 8);
66 aes_decrypt_deinit(ctx);
70 * These are already in @plain due to the location of temporary
71 * variables. Just verify that the IV matches with the expected value.
73 for (i = 0; i < 8; i++) {