/src/openssl/crypto/modes/wrap128.c

Source
/*
 * Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/**  Beware!
 *
 *  Following wrapping modes were designed for AES but this implementation
 *  allows you to use them for any 128 bit block cipher.
 */

#include "internal/cryptlib.h"
#include <openssl/modes.h>

/** RFC 3394 section 2.2.3.1 Default Initial Value */
static const unsigned char default_iv[] = {
    0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6
};

/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
static const unsigned char default_aiv[] = {
    0xA6, 0x59, 0x59, 0xA6
};

/** Input size limit: lower than maximum of standards but far larger than
 *  anything that will be used in practice.
 */
#define CRYPTO128_WRAP_MAX (1UL << 31)

/** Wrapping according to RFC 3394 section 2.2.1.
 *
 *  @param[in]  key    Key value.
 *  @param[in]  iv     IV value. Length = 8 bytes. NULL = use default_iv.
 *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
 *  @param[in]  inlen  Length of in.
 *  @param[out] out    Ciphertext. Minimal buffer length = (inlen + 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen does not consist of n 64-bit blocks, n >= 2.
 *                     or if inlen > CRYPTO128_WRAP_MAX.
 *                     Output length if wrapping succeeded.
 */
size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    unsigned char *A, B[16], *R;
    size_t i, j, t;
    if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
        return 0;
    A = B;
    t = 1;
    memmove(out + 8, in, inlen);
    if (!iv)
        iv = default_iv;

    memcpy(A, iv, 8);

    for (j = 0; j < 6; j++) {
        R = out + 8;
        for (i = 0; i < inlen; i += 8, t++, R += 8) {
            memcpy(B + 8, R, 8);
            block(B, B, key);
            A[7] ^= (unsigned char)(t & 0xff);
            if (t > 0xff) {
                A[6] ^= (unsigned char)((t >> 8) & 0xff);
                A[5] ^= (unsigned char)((t >> 16) & 0xff);
                A[4] ^= (unsigned char)((t >> 24) & 0xff);
            }
            memcpy(R, B + 8, 8);
        }
    }
    memcpy(out, A, 8);
    return inlen + 8;
}

/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
 *  The IV check (step 3) is responsibility of the caller.
 *
 *  @param[in]  key    Key value.
 *  @param[out] iv     Unchecked IV value. Minimal buffer length = 8 bytes.
 *  @param[out] out    Plaintext without IV.
 *                     Minimal buffer length = (inlen - 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Ciphertext as n 64-bit blocks.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
 *                     or if inlen is not a multiple of 8.
 *                     Output length otherwise.
 */
static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    unsigned char *A, B[16], *R;
    size_t i, j, t;
    inlen -= 8;
    if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
        return 0;
    A = B;
    t = 6 * (inlen >> 3);
    memcpy(A, in, 8);
    memmove(out, in + 8, inlen);
    for (j = 0; j < 6; j++) {
        R = out + inlen - 8;
        for (i = 0; i < inlen; i += 8, t--, R -= 8) {
            A[7] ^= (unsigned char)(t & 0xff);
            if (t > 0xff) {
                A[6] ^= (unsigned char)((t >> 8) & 0xff);
                A[5] ^= (unsigned char)((t >> 16) & 0xff);
                A[4] ^= (unsigned char)((t >> 24) & 0xff);
            }
            memcpy(B + 8, R, 8);
            block(B, B, key);
            memcpy(R, B + 8, 8);
        }
    }
    memcpy(iv, A, 8);
    return inlen;
}

/** Unwrapping according to RFC 3394 section 2.2.2, including the IV check.
 *  The first block of plaintext has to match the supplied IV, otherwise an
 *  error is returned.
 *
 *  @param[in]  key    Key value.
 *  @param[out] iv     IV value to match against. Length = 8 bytes.
 *                     NULL = use default_iv.
 *  @param[out] out    Plaintext without IV.
 *                     Minimal buffer length = (inlen - 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Ciphertext as n 64-bit blocks.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
 *                     or if inlen is not a multiple of 8
 *                     or if IV doesn't match expected value.
 *                     Output length otherwise.
 */
size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
    unsigned char *out, const unsigned char *in,
    size_t inlen, block128_f block)
{
    size_t ret;
    unsigned char got_iv[8];

    ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
    if (ret == 0)
        return 0;

    if (!iv)
        iv = default_iv;
    if (CRYPTO_memcmp(got_iv, iv, 8)) {
        OPENSSL_cleanse(out, ret);
        return 0;
    }
    return ret;
}

/** Wrapping according to RFC 5649 section 4.1.
 *
 *  @param[in]  key    Key value.
 *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
 *  @param[out] out    Ciphertext. Minimal buffer length =
 *                     (inlen rounded up to 8 + 8) bytes, i.e.
 *                     ((inlen + 7) / 8) * 8 + 8.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
 *                     Output length if wrapping succeeded.
 */
size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    /* n: number of 64-bit blocks in the padded key data
     *
     * If length of plain text is not a multiple of 8, pad the plain text octet
     * string on the right with octets of zeros, where final length is the
     * smallest multiple of 8 that is greater than length of plain text.
     * If length of plain text is a multiple of 8, then there is no padding. */
    const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
    const size_t padded_len = blocks_padded * 8;
    const size_t padding_len = padded_len - inlen;
    /* RFC 5649 section 3: Alternative Initial Value */
    unsigned char aiv[8];
    size_t ret;

    /* Section 1: use 32-bit fixed field for plaintext octet length */
    if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
        return 0;

    /* Section 3: Alternative Initial Value */
    if (!icv)
        memcpy(aiv, default_aiv, 4);
    else
        memcpy(aiv, icv, 4); /* Standard doesn't mention this. */

    aiv[4] = (inlen >> 24) & 0xFF;
    aiv[5] = (inlen >> 16) & 0xFF;
    aiv[6] = (inlen >> 8) & 0xFF;
    aiv[7] = inlen & 0xFF;

    if (padded_len == 8) {
        /*
         * Section 4.1 - special case in step 2: If the padded plaintext
         * contains exactly eight octets, then prepend the AIV and encrypt
         * the resulting 128-bit block using AES in ECB mode.
         */
        memmove(out + 8, in, inlen);
        memcpy(out, aiv, 8);
        memset(out + 8 + inlen, 0, padding_len);
        block(out, out, key);
        ret = 16; /* AIV + padded input */
    } else {
        memmove(out, in, inlen);
        memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
        ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
    }

    return ret;
}

/** Unwrapping according to RFC 5649 section 4.2.
 *
 *  @param[in]  key    Key value.
 *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
 *  @param[out] out    Plaintext. Minimal buffer length = (inlen - 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Ciphertext as n 64-bit blocks.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
 *                     or if inlen is not a multiple of 8
 *                     or if IV and message length indicator doesn't match.
 *                     Output length if unwrapping succeeded and IV matches.
 */
size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    /* n: number of 64-bit blocks in the padded key data */
    size_t n = inlen / 8 - 1;
    size_t padded_len;
    size_t padding_len;
    size_t ptext_len;
    /* RFC 5649 section 3: Alternative Initial Value */
    unsigned char aiv[8];
    static unsigned char zeros[8] = { 0x0 };
    size_t ret;

    /* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */
    if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
        return 0;

    if (inlen == 16) {
        /*
         * Section 4.2 - special case in step 1: When n=1, the ciphertext
         * contains exactly two 64-bit blocks and they are decrypted as a
         * single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] |
         * C[1])
         */
        unsigned char buff[16];

        block(in, buff, key);
        memcpy(aiv, buff, 8);
        /* Remove AIV */
        memcpy(out, buff + 8, 8);
        padded_len = 8;
        OPENSSL_cleanse(buff, inlen);
    } else {
        padded_len = inlen - 8;
        ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block);
        if (padded_len != ret) {
            OPENSSL_cleanse(out, inlen);
            return 0;
        }
    }

    /*
     * Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a
     * user-supplied value can be used (even if standard doesn't mention
     * this).
     */
    if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
        || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
        OPENSSL_cleanse(out, inlen);
        return 0;
    }

    /*
     * Check that 8*(n-1) < LSB(32,AIV) <= 8*n. If so, let ptext_len =
     * LSB(32,AIV).
     */

    ptext_len = ((unsigned int)aiv[4] << 24)
        | ((unsigned int)aiv[5] << 16)
        | ((unsigned int)aiv[6] << 8)
        | (unsigned int)aiv[7];
    if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
        OPENSSL_cleanse(out, inlen);
        return 0;
    }

    /*
     * Check that the rightmost padding_len octets of the output data are
     * zero.
     */
    padding_len = padded_len - ptext_len;
    if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
        OPENSSL_cleanse(out, inlen);
        return 0;
    }

    /* Section 4.2 step 3: Remove padding */
    return ptext_len;
}

Coverage Report

Created: 2026-06-08 06:07

Line	Count	Source
1		/*
2		* Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/** Beware!
11		*
12		* Following wrapping modes were designed for AES but this implementation
13		* allows you to use them for any 128 bit block cipher.
14		*/
15
16		#include "internal/cryptlib.h"
17		#include <openssl/modes.h>
18
19		/** RFC 3394 section 2.2.3.1 Default Initial Value */
20		static const unsigned char default_iv[] = {
21		0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6
22		};
23
24		/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
25		static const unsigned char default_aiv[] = {
26		0xA6, 0x59, 0x59, 0xA6
27		};
28
29		/** Input size limit: lower than maximum of standards but far larger than
30		* anything that will be used in practice.
31		*/
32	0	#define CRYPTO128_WRAP_MAX (1UL << 31)
33
34		/** Wrapping according to RFC 3394 section 2.2.1.
35		*
36		* @param[in] key Key value.
37		* @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
38		* @param[in] in Plaintext as n 64-bit blocks, n >= 2.
39		* @param[in] inlen Length of in.
40		* @param[out] out Ciphertext. Minimal buffer length = (inlen + 8) bytes.
41		* Input and output buffers can overlap if block function
42		* supports that.
43		* @param[in] block Block processing function.
44		* @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
45		* or if inlen > CRYPTO128_WRAP_MAX.
46		* Output length if wrapping succeeded.
47		*/
48		size_t CRYPTO_128_wrap(void key, const unsigned char iv,
49		unsigned char *out,
50		const unsigned char *in, size_t inlen,
51		block128_f block)
52	0	{
53	0	unsigned char A, B[16], R;
54	0	size_t i, j, t;
55	0	if ((inlen & 0x7) \|\| (inlen < 16) \|\| (inlen > CRYPTO128_WRAP_MAX))
56	0	return 0;
57	0	A = B;
58	0	t = 1;
59	0	memmove(out + 8, in, inlen);
60	0	if (!iv)
61	0	iv = default_iv;
62
63	0	memcpy(A, iv, 8);
64
65	0	for (j = 0; j < 6; j++) {
66	0	R = out + 8;
67	0	for (i = 0; i < inlen; i += 8, t++, R += 8) {
68	0	memcpy(B + 8, R, 8);
69	0	block(B, B, key);
70	0	A[7] ^= (unsigned char)(t & 0xff);
71	0	if (t > 0xff) {
72	0	A[6] ^= (unsigned char)((t >> 8) & 0xff);
73	0	A[5] ^= (unsigned char)((t >> 16) & 0xff);
74	0	A[4] ^= (unsigned char)((t >> 24) & 0xff);
75	0	}
76	0	memcpy(R, B + 8, 8);
77	0	}
78	0	}
79	0	memcpy(out, A, 8);
80	0	return inlen + 8;
81	0	}
82
83		/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
84		* The IV check (step 3) is responsibility of the caller.
85		*
86		* @param[in] key Key value.
87		* @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
88		* @param[out] out Plaintext without IV.
89		* Minimal buffer length = (inlen - 8) bytes.
90		* Input and output buffers can overlap if block function
91		* supports that.
92		* @param[in] in Ciphertext as n 64-bit blocks.
93		* @param[in] inlen Length of in.
94		* @param[in] block Block processing function.
95		* @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
96		* or if inlen is not a multiple of 8.
97		* Output length otherwise.
98		*/
99		static size_t crypto_128_unwrap_raw(void key, unsigned char iv,
100		unsigned char *out,
101		const unsigned char *in, size_t inlen,
102		block128_f block)
103	0	{
104	0	unsigned char A, B[16], R;
105	0	size_t i, j, t;
106	0	inlen -= 8;
107	0	if ((inlen & 0x7) \|\| (inlen < 16) \|\| (inlen > CRYPTO128_WRAP_MAX))
108	0	return 0;
109	0	A = B;
110	0	t = 6 * (inlen >> 3);
111	0	memcpy(A, in, 8);
112	0	memmove(out, in + 8, inlen);
113	0	for (j = 0; j < 6; j++) {
114	0	R = out + inlen - 8;
115	0	for (i = 0; i < inlen; i += 8, t--, R -= 8) {
116	0	A[7] ^= (unsigned char)(t & 0xff);
117	0	if (t > 0xff) {
118	0	A[6] ^= (unsigned char)((t >> 8) & 0xff);
119	0	A[5] ^= (unsigned char)((t >> 16) & 0xff);
120	0	A[4] ^= (unsigned char)((t >> 24) & 0xff);
121	0	}
122	0	memcpy(B + 8, R, 8);
123	0	block(B, B, key);
124	0	memcpy(R, B + 8, 8);
125	0	}
126	0	}
127	0	memcpy(iv, A, 8);
128	0	return inlen;
129	0	}
130
131		/** Unwrapping according to RFC 3394 section 2.2.2, including the IV check.
132		* The first block of plaintext has to match the supplied IV, otherwise an
133		* error is returned.
134		*
135		* @param[in] key Key value.
136		* @param[out] iv IV value to match against. Length = 8 bytes.
137		* NULL = use default_iv.
138		* @param[out] out Plaintext without IV.
139		* Minimal buffer length = (inlen - 8) bytes.
140		* Input and output buffers can overlap if block function
141		* supports that.
142		* @param[in] in Ciphertext as n 64-bit blocks.
143		* @param[in] inlen Length of in.
144		* @param[in] block Block processing function.
145		* @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
146		* or if inlen is not a multiple of 8
147		* or if IV doesn't match expected value.
148		* Output length otherwise.
149		*/
150		size_t CRYPTO_128_unwrap(void key, const unsigned char iv,
151		unsigned char out, const unsigned char in,
152		size_t inlen, block128_f block)
153	0	{
154	0	size_t ret;
155	0	unsigned char got_iv[8];
156
157	0	ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
158	0	if (ret == 0)
159	0	return 0;
160
161	0	if (!iv)
162	0	iv = default_iv;
163	0	if (CRYPTO_memcmp(got_iv, iv, 8)) {
164	0	OPENSSL_cleanse(out, ret);
165	0	return 0;
166	0	}
167	0	return ret;
168	0	}
169
170		/** Wrapping according to RFC 5649 section 4.1.
171		*
172		* @param[in] key Key value.
173		* @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
174		* @param[out] out Ciphertext. Minimal buffer length =
175		* (inlen rounded up to 8 + 8) bytes, i.e.
176		* ((inlen + 7) / 8) * 8 + 8.
177		* Input and output buffers can overlap if block function
178		* supports that.
179		* @param[in] in Plaintext as n 64-bit blocks, n >= 2.
180		* @param[in] inlen Length of in.
181		* @param[in] block Block processing function.
182		* @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
183		* Output length if wrapping succeeded.
184		*/
185		size_t CRYPTO_128_wrap_pad(void key, const unsigned char icv,
186		unsigned char *out,
187		const unsigned char *in, size_t inlen,
188		block128_f block)
189	0	{
190		/* n: number of 64-bit blocks in the padded key data
191		*
192		* If length of plain text is not a multiple of 8, pad the plain text octet
193		* string on the right with octets of zeros, where final length is the
194		* smallest multiple of 8 that is greater than length of plain text.
195		* If length of plain text is a multiple of 8, then there is no padding. */
196	0	const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
197	0	const size_t padded_len = blocks_padded * 8;
198	0	const size_t padding_len = padded_len - inlen;
199		/* RFC 5649 section 3: Alternative Initial Value */
200	0	unsigned char aiv[8];
201	0	size_t ret;
202
203		/* Section 1: use 32-bit fixed field for plaintext octet length */
204	0	if (inlen == 0 \|\| inlen >= CRYPTO128_WRAP_MAX)
205	0	return 0;
206
207		/* Section 3: Alternative Initial Value */
208	0	if (!icv)
209	0	memcpy(aiv, default_aiv, 4);
210	0	else
211	0	memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
212
213	0	aiv[4] = (inlen >> 24) & 0xFF;
214	0	aiv[5] = (inlen >> 16) & 0xFF;
215	0	aiv[6] = (inlen >> 8) & 0xFF;
216	0	aiv[7] = inlen & 0xFF;
217
218	0	if (padded_len == 8) {
219		/*
220		* Section 4.1 - special case in step 2: If the padded plaintext
221		* contains exactly eight octets, then prepend the AIV and encrypt
222		* the resulting 128-bit block using AES in ECB mode.
223		*/
224	0	memmove(out + 8, in, inlen);
225	0	memcpy(out, aiv, 8);
226	0	memset(out + 8 + inlen, 0, padding_len);
227	0	block(out, out, key);
228	0	ret = 16; /* AIV + padded input */
229	0	} else {
230	0	memmove(out, in, inlen);
231	0	memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
232	0	ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
233	0	}
234
235	0	return ret;
236	0	}
237
238		/** Unwrapping according to RFC 5649 section 4.2.
239		*
240		* @param[in] key Key value.
241		* @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
242		* @param[out] out Plaintext. Minimal buffer length = (inlen - 8) bytes.
243		* Input and output buffers can overlap if block function
244		* supports that.
245		* @param[in] in Ciphertext as n 64-bit blocks.
246		* @param[in] inlen Length of in.
247		* @param[in] block Block processing function.
248		* @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
249		* or if inlen is not a multiple of 8
250		* or if IV and message length indicator doesn't match.
251		* Output length if unwrapping succeeded and IV matches.
252		*/
253		size_t CRYPTO_128_unwrap_pad(void key, const unsigned char icv,
254		unsigned char *out,
255		const unsigned char *in, size_t inlen,
256		block128_f block)
257	0	{
258		/* n: number of 64-bit blocks in the padded key data */
259	0	size_t n = inlen / 8 - 1;
260	0	size_t padded_len;
261	0	size_t padding_len;
262	0	size_t ptext_len;
263		/* RFC 5649 section 3: Alternative Initial Value */
264	0	unsigned char aiv[8];
265	0	static unsigned char zeros[8] = { 0x0 };
266	0	size_t ret;
267
268		/* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */
269	0	if ((inlen & 0x7) != 0 \|\| inlen < 16 \|\| inlen >= CRYPTO128_WRAP_MAX)
270	0	return 0;
271
272	0	if (inlen == 16) {
273		/*
274		* Section 4.2 - special case in step 1: When n=1, the ciphertext
275		* contains exactly two 64-bit blocks and they are decrypted as a
276		* single AES block using AES in ECB mode: AIV \| P[1] = DEC(K, C[0] \|
277		* C[1])
278		*/
279	0	unsigned char buff[16];
280
281	0	block(in, buff, key);
282	0	memcpy(aiv, buff, 8);
283		/* Remove AIV */
284	0	memcpy(out, buff + 8, 8);
285	0	padded_len = 8;
286	0	OPENSSL_cleanse(buff, inlen);
287	0	} else {
288	0	padded_len = inlen - 8;
289	0	ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block);
290	0	if (padded_len != ret) {
291	0	OPENSSL_cleanse(out, inlen);
292	0	return 0;
293	0	}
294	0	}
295
296		/*
297		* Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a
298		* user-supplied value can be used (even if standard doesn't mention
299		* this).
300		*/
301	0	if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
302	0	\|\| (icv && CRYPTO_memcmp(aiv, icv, 4))) {
303	0	OPENSSL_cleanse(out, inlen);
304	0	return 0;
305	0	}
306
307		/*
308		* Check that 8(n-1) < LSB(32,AIV) <= 8n. If so, let ptext_len =
309		* LSB(32,AIV).
310		*/
311
312	0	ptext_len = ((unsigned int)aiv[4] << 24)
313	0	\| ((unsigned int)aiv[5] << 16)
314	0	\| ((unsigned int)aiv[6] << 8)
315	0	\| (unsigned int)aiv[7];
316	0	if (8 * (n - 1) >= ptext_len \|\| ptext_len > 8 * n) {
317	0	OPENSSL_cleanse(out, inlen);
318	0	return 0;
319	0	}
320
321		/*
322		* Check that the rightmost padding_len octets of the output data are
323		* zero.
324		*/
325	0	padding_len = padded_len - ptext_len;
326	0	if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
327	0	OPENSSL_cleanse(out, inlen);
328	0	return 0;
329	0	}
330
331		/* Section 4.2 step 3: Remove padding */
332	0	return ptext_len;
333	0	}