/src/openssl/crypto/modes/wrap128.c

Source
/*
 * Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/**  Beware!
 *
 *  Following wrapping modes were designed for AES but this implementation
 *  allows you to use them for any 128 bit block cipher.
 */

#include "internal/cryptlib.h"
#include <openssl/modes.h>

/** RFC 3394 section 2.2.3.1 Default Initial Value */
static const unsigned char default_iv[] = {
    0xA6,
    0xA6,
    0xA6,
    0xA6,
    0xA6,
    0xA6,
    0xA6,
    0xA6,
};

/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
static const unsigned char default_aiv[] = {
    0xA6, 0x59, 0x59, 0xA6
};

/** Input size limit: lower than maximum of standards but far larger than
 *  anything that will be used in practice.
 */
#define CRYPTO128_WRAP_MAX (1UL << 31)

/** Wrapping according to RFC 3394 section 2.2.1.
 *
 *  @param[in]  key    Key value.
 *  @param[in]  iv     IV value. Length = 8 bytes. NULL = use default_iv.
 *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
 *  @param[in]  inlen  Length of in.
 *  @param[out] out    Ciphertext. Minimal buffer length = (inlen + 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen does not consist of n 64-bit blocks, n >= 2.
 *                     or if inlen > CRYPTO128_WRAP_MAX.
 *                     Output length if wrapping succeeded.
 */
size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    unsigned char *A, B[16], *R;
    size_t i, j, t;
    if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
        return 0;
    A = B;
    t = 1;
    memmove(out + 8, in, inlen);
    if (!iv)
        iv = default_iv;

    memcpy(A, iv, 8);

    for (j = 0; j < 6; j++) {
        R = out + 8;
        for (i = 0; i < inlen; i += 8, t++, R += 8) {
            memcpy(B + 8, R, 8);
            block(B, B, key);
            A[7] ^= (unsigned char)(t & 0xff);
            if (t > 0xff) {
                A[6] ^= (unsigned char)((t >> 8) & 0xff);
                A[5] ^= (unsigned char)((t >> 16) & 0xff);
                A[4] ^= (unsigned char)((t >> 24) & 0xff);
            }
            memcpy(R, B + 8, 8);
        }
    }
    memcpy(out, A, 8);
    return inlen + 8;
}

/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
 *  The IV check (step 3) is responsibility of the caller.
 *
 *  @param[in]  key    Key value.
 *  @param[out] iv     Unchecked IV value. Minimal buffer length = 8 bytes.
 *  @param[out] out    Plaintext without IV.
 *                     Minimal buffer length = (inlen - 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Ciphertext as n 64-bit blocks.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
 *                     or if inlen is not a multiple of 8.
 *                     Output length otherwise.
 */
static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    unsigned char *A, B[16], *R;
    size_t i, j, t;
    inlen -= 8;
    if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
        return 0;
    A = B;
    t = 6 * (inlen >> 3);
    memcpy(A, in, 8);
    memmove(out, in + 8, inlen);
    for (j = 0; j < 6; j++) {
        R = out + inlen - 8;
        for (i = 0; i < inlen; i += 8, t--, R -= 8) {
            A[7] ^= (unsigned char)(t & 0xff);
            if (t > 0xff) {
                A[6] ^= (unsigned char)((t >> 8) & 0xff);
                A[5] ^= (unsigned char)((t >> 16) & 0xff);
                A[4] ^= (unsigned char)((t >> 24) & 0xff);
            }
            memcpy(B + 8, R, 8);
            block(B, B, key);
            memcpy(R, B + 8, 8);
        }
    }
    memcpy(iv, A, 8);
    return inlen;
}

/** Unwrapping according to RFC 3394 section 2.2.2, including the IV check.
 *  The first block of plaintext has to match the supplied IV, otherwise an
 *  error is returned.
 *
 *  @param[in]  key    Key value.
 *  @param[out] iv     IV value to match against. Length = 8 bytes.
 *                     NULL = use default_iv.
 *  @param[out] out    Plaintext without IV.
 *                     Minimal buffer length = (inlen - 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Ciphertext as n 64-bit blocks.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
 *                     or if inlen is not a multiple of 8
 *                     or if IV doesn't match expected value.
 *                     Output length otherwise.
 */
size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
    unsigned char *out, const unsigned char *in,
    size_t inlen, block128_f block)
{
    size_t ret;
    unsigned char got_iv[8];

    ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
    if (ret == 0)
        return 0;

    if (!iv)
        iv = default_iv;
    if (CRYPTO_memcmp(got_iv, iv, 8)) {
        OPENSSL_cleanse(out, ret);
        return 0;
    }
    return ret;
}

/** Wrapping according to RFC 5649 section 4.1.
 *
 *  @param[in]  key    Key value.
 *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
 *  @param[out] out    Ciphertext. Minimal buffer length = (inlen + 15) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
 *                     Output length if wrapping succeeded.
 */
size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    /* n: number of 64-bit blocks in the padded key data
     *
     * If length of plain text is not a multiple of 8, pad the plain text octet
     * string on the right with octets of zeros, where final length is the
     * smallest multiple of 8 that is greater than length of plain text.
     * If length of plain text is a multiple of 8, then there is no padding. */
    const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
    const size_t padded_len = blocks_padded * 8;
    const size_t padding_len = padded_len - inlen;
    /* RFC 5649 section 3: Alternative Initial Value */
    unsigned char aiv[8];
    size_t ret;

    /* Section 1: use 32-bit fixed field for plaintext octet length */
    if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
        return 0;

    /* Section 3: Alternative Initial Value */
    if (!icv)
        memcpy(aiv, default_aiv, 4);
    else
        memcpy(aiv, icv, 4); /* Standard doesn't mention this. */

    aiv[4] = (inlen >> 24) & 0xFF;
    aiv[5] = (inlen >> 16) & 0xFF;
    aiv[6] = (inlen >> 8) & 0xFF;
    aiv[7] = inlen & 0xFF;

    if (padded_len == 8) {
        /*
         * Section 4.1 - special case in step 2: If the padded plaintext
         * contains exactly eight octets, then prepend the AIV and encrypt
         * the resulting 128-bit block using AES in ECB mode.
         */
        memmove(out + 8, in, inlen);
        memcpy(out, aiv, 8);
        memset(out + 8 + inlen, 0, padding_len);
        block(out, out, key);
        ret = 16; /* AIV + padded input */
    } else {
        memmove(out, in, inlen);
        memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
        ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
    }

    return ret;
}

/** Unwrapping according to RFC 5649 section 4.2.
 *
 *  @param[in]  key    Key value.
 *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
 *  @param[out] out    Plaintext. Minimal buffer length = (inlen - 8) bytes.
 *                     Input and output buffers can overlap if block function
 *                     supports that.
 *  @param[in]  in     Ciphertext as n 64-bit blocks.
 *  @param[in]  inlen  Length of in.
 *  @param[in]  block  Block processing function.
 *  @return            0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
 *                     or if inlen is not a multiple of 8
 *                     or if IV and message length indicator doesn't match.
 *                     Output length if unwrapping succeeded and IV matches.
 */
size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
    unsigned char *out,
    const unsigned char *in, size_t inlen,
    block128_f block)
{
    /* n: number of 64-bit blocks in the padded key data */
    size_t n = inlen / 8 - 1;
    size_t padded_len;
    size_t padding_len;
    size_t ptext_len;
    /* RFC 5649 section 3: Alternative Initial Value */
    unsigned char aiv[8];
    static unsigned char zeros[8] = { 0x0 };
    size_t ret;

    /* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */
    if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
        return 0;

    if (inlen == 16) {
        /*
         * Section 4.2 - special case in step 1: When n=1, the ciphertext
         * contains exactly two 64-bit blocks and they are decrypted as a
         * single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] |
         * C[1])
         */
        unsigned char buff[16];

        block(in, buff, key);
        memcpy(aiv, buff, 8);
        /* Remove AIV */
        memcpy(out, buff + 8, 8);
        padded_len = 8;
        OPENSSL_cleanse(buff, inlen);
    } else {
        padded_len = inlen - 8;
        ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block);
        if (padded_len != ret) {
            OPENSSL_cleanse(out, inlen);
            return 0;
        }
    }

    /*
     * Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a
     * user-supplied value can be used (even if standard doesn't mention
     * this).
     */
    if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
        || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
        OPENSSL_cleanse(out, inlen);
        return 0;
    }

    /*
     * Check that 8*(n-1) < LSB(32,AIV) <= 8*n. If so, let ptext_len =
     * LSB(32,AIV).
     */

    ptext_len = ((unsigned int)aiv[4] << 24)
        | ((unsigned int)aiv[5] << 16)
        | ((unsigned int)aiv[6] << 8)
        | (unsigned int)aiv[7];
    if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
        OPENSSL_cleanse(out, inlen);
        return 0;
    }

    /*
     * Check that the rightmost padding_len octets of the output data are
     * zero.
     */
    padding_len = padded_len - ptext_len;
    if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
        OPENSSL_cleanse(out, inlen);
        return 0;
    }

    /* Section 4.2 step 3: Remove padding */
    return ptext_len;
}

Coverage Report

Created: 2025-12-10 06:24

Line	Count	Source
1		/*
2		* Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/** Beware!
11		*
12		* Following wrapping modes were designed for AES but this implementation
13		* allows you to use them for any 128 bit block cipher.
14		*/
15
16		#include "internal/cryptlib.h"
17		#include <openssl/modes.h>
18
19		/** RFC 3394 section 2.2.3.1 Default Initial Value */
20		static const unsigned char default_iv[] = {
21		0xA6,
22		0xA6,
23		0xA6,
24		0xA6,
25		0xA6,
26		0xA6,
27		0xA6,
28		0xA6,
29		};
30
31		/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
32		static const unsigned char default_aiv[] = {
33		0xA6, 0x59, 0x59, 0xA6
34		};
35
36		/** Input size limit: lower than maximum of standards but far larger than
37		* anything that will be used in practice.
38		*/
39	0	#define CRYPTO128_WRAP_MAX (1UL << 31)
40
41		/** Wrapping according to RFC 3394 section 2.2.1.
42		*
43		* @param[in] key Key value.
44		* @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
45		* @param[in] in Plaintext as n 64-bit blocks, n >= 2.
46		* @param[in] inlen Length of in.
47		* @param[out] out Ciphertext. Minimal buffer length = (inlen + 8) bytes.
48		* Input and output buffers can overlap if block function
49		* supports that.
50		* @param[in] block Block processing function.
51		* @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
52		* or if inlen > CRYPTO128_WRAP_MAX.
53		* Output length if wrapping succeeded.
54		*/
55		size_t CRYPTO_128_wrap(void key, const unsigned char iv,
56		unsigned char *out,
57		const unsigned char *in, size_t inlen,
58		block128_f block)
59	0	{
60	0	unsigned char A, B[16], R;
61	0	size_t i, j, t;
62	0	if ((inlen & 0x7) \|\| (inlen < 16) \|\| (inlen > CRYPTO128_WRAP_MAX))
63	0	return 0;
64	0	A = B;
65	0	t = 1;
66	0	memmove(out + 8, in, inlen);
67	0	if (!iv)
68	0	iv = default_iv;
69
70	0	memcpy(A, iv, 8);
71
72	0	for (j = 0; j < 6; j++) {
73	0	R = out + 8;
74	0	for (i = 0; i < inlen; i += 8, t++, R += 8) {
75	0	memcpy(B + 8, R, 8);
76	0	block(B, B, key);
77	0	A[7] ^= (unsigned char)(t & 0xff);
78	0	if (t > 0xff) {
79	0	A[6] ^= (unsigned char)((t >> 8) & 0xff);
80	0	A[5] ^= (unsigned char)((t >> 16) & 0xff);
81	0	A[4] ^= (unsigned char)((t >> 24) & 0xff);
82	0	}
83	0	memcpy(R, B + 8, 8);
84	0	}
85	0	}
86	0	memcpy(out, A, 8);
87	0	return inlen + 8;
88	0	}
89
90		/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
91		* The IV check (step 3) is responsibility of the caller.
92		*
93		* @param[in] key Key value.
94		* @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
95		* @param[out] out Plaintext without IV.
96		* Minimal buffer length = (inlen - 8) bytes.
97		* Input and output buffers can overlap if block function
98		* supports that.
99		* @param[in] in Ciphertext as n 64-bit blocks.
100		* @param[in] inlen Length of in.
101		* @param[in] block Block processing function.
102		* @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
103		* or if inlen is not a multiple of 8.
104		* Output length otherwise.
105		*/
106		static size_t crypto_128_unwrap_raw(void key, unsigned char iv,
107		unsigned char *out,
108		const unsigned char *in, size_t inlen,
109		block128_f block)
110	0	{
111	0	unsigned char A, B[16], R;
112	0	size_t i, j, t;
113	0	inlen -= 8;
114	0	if ((inlen & 0x7) \|\| (inlen < 16) \|\| (inlen > CRYPTO128_WRAP_MAX))
115	0	return 0;
116	0	A = B;
117	0	t = 6 * (inlen >> 3);
118	0	memcpy(A, in, 8);
119	0	memmove(out, in + 8, inlen);
120	0	for (j = 0; j < 6; j++) {
121	0	R = out + inlen - 8;
122	0	for (i = 0; i < inlen; i += 8, t--, R -= 8) {
123	0	A[7] ^= (unsigned char)(t & 0xff);
124	0	if (t > 0xff) {
125	0	A[6] ^= (unsigned char)((t >> 8) & 0xff);
126	0	A[5] ^= (unsigned char)((t >> 16) & 0xff);
127	0	A[4] ^= (unsigned char)((t >> 24) & 0xff);
128	0	}
129	0	memcpy(B + 8, R, 8);
130	0	block(B, B, key);
131	0	memcpy(R, B + 8, 8);
132	0	}
133	0	}
134	0	memcpy(iv, A, 8);
135	0	return inlen;
136	0	}
137
138		/** Unwrapping according to RFC 3394 section 2.2.2, including the IV check.
139		* The first block of plaintext has to match the supplied IV, otherwise an
140		* error is returned.
141		*
142		* @param[in] key Key value.
143		* @param[out] iv IV value to match against. Length = 8 bytes.
144		* NULL = use default_iv.
145		* @param[out] out Plaintext without IV.
146		* Minimal buffer length = (inlen - 8) bytes.
147		* Input and output buffers can overlap if block function
148		* supports that.
149		* @param[in] in Ciphertext as n 64-bit blocks.
150		* @param[in] inlen Length of in.
151		* @param[in] block Block processing function.
152		* @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
153		* or if inlen is not a multiple of 8
154		* or if IV doesn't match expected value.
155		* Output length otherwise.
156		*/
157		size_t CRYPTO_128_unwrap(void key, const unsigned char iv,
158		unsigned char out, const unsigned char in,
159		size_t inlen, block128_f block)
160	0	{
161	0	size_t ret;
162	0	unsigned char got_iv[8];
163
164	0	ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
165	0	if (ret == 0)
166	0	return 0;
167
168	0	if (!iv)
169	0	iv = default_iv;
170	0	if (CRYPTO_memcmp(got_iv, iv, 8)) {
171	0	OPENSSL_cleanse(out, ret);
172	0	return 0;
173	0	}
174	0	return ret;
175	0	}
176
177		/** Wrapping according to RFC 5649 section 4.1.
178		*
179		* @param[in] key Key value.
180		* @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
181		* @param[out] out Ciphertext. Minimal buffer length = (inlen + 15) bytes.
182		* Input and output buffers can overlap if block function
183		* supports that.
184		* @param[in] in Plaintext as n 64-bit blocks, n >= 2.
185		* @param[in] inlen Length of in.
186		* @param[in] block Block processing function.
187		* @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
188		* Output length if wrapping succeeded.
189		*/
190		size_t CRYPTO_128_wrap_pad(void key, const unsigned char icv,
191		unsigned char *out,
192		const unsigned char *in, size_t inlen,
193		block128_f block)
194	0	{
195		/* n: number of 64-bit blocks in the padded key data
196		*
197		* If length of plain text is not a multiple of 8, pad the plain text octet
198		* string on the right with octets of zeros, where final length is the
199		* smallest multiple of 8 that is greater than length of plain text.
200		* If length of plain text is a multiple of 8, then there is no padding. */
201	0	const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
202	0	const size_t padded_len = blocks_padded * 8;
203	0	const size_t padding_len = padded_len - inlen;
204		/* RFC 5649 section 3: Alternative Initial Value */
205	0	unsigned char aiv[8];
206	0	size_t ret;
207
208		/* Section 1: use 32-bit fixed field for plaintext octet length */
209	0	if (inlen == 0 \|\| inlen >= CRYPTO128_WRAP_MAX)
210	0	return 0;
211
212		/* Section 3: Alternative Initial Value */
213	0	if (!icv)
214	0	memcpy(aiv, default_aiv, 4);
215	0	else
216	0	memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
217
218	0	aiv[4] = (inlen >> 24) & 0xFF;
219	0	aiv[5] = (inlen >> 16) & 0xFF;
220	0	aiv[6] = (inlen >> 8) & 0xFF;
221	0	aiv[7] = inlen & 0xFF;
222
223	0	if (padded_len == 8) {
224		/*
225		* Section 4.1 - special case in step 2: If the padded plaintext
226		* contains exactly eight octets, then prepend the AIV and encrypt
227		* the resulting 128-bit block using AES in ECB mode.
228		*/
229	0	memmove(out + 8, in, inlen);
230	0	memcpy(out, aiv, 8);
231	0	memset(out + 8 + inlen, 0, padding_len);
232	0	block(out, out, key);
233	0	ret = 16; /* AIV + padded input */
234	0	} else {
235	0	memmove(out, in, inlen);
236	0	memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
237	0	ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
238	0	}
239
240	0	return ret;
241	0	}
242
243		/** Unwrapping according to RFC 5649 section 4.2.
244		*
245		* @param[in] key Key value.
246		* @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
247		* @param[out] out Plaintext. Minimal buffer length = (inlen - 8) bytes.
248		* Input and output buffers can overlap if block function
249		* supports that.
250		* @param[in] in Ciphertext as n 64-bit blocks.
251		* @param[in] inlen Length of in.
252		* @param[in] block Block processing function.
253		* @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
254		* or if inlen is not a multiple of 8
255		* or if IV and message length indicator doesn't match.
256		* Output length if unwrapping succeeded and IV matches.
257		*/
258		size_t CRYPTO_128_unwrap_pad(void key, const unsigned char icv,
259		unsigned char *out,
260		const unsigned char *in, size_t inlen,
261		block128_f block)
262	0	{
263		/* n: number of 64-bit blocks in the padded key data */
264	0	size_t n = inlen / 8 - 1;
265	0	size_t padded_len;
266	0	size_t padding_len;
267	0	size_t ptext_len;
268		/* RFC 5649 section 3: Alternative Initial Value */
269	0	unsigned char aiv[8];
270	0	static unsigned char zeros[8] = { 0x0 };
271	0	size_t ret;
272
273		/* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */
274	0	if ((inlen & 0x7) != 0 \|\| inlen < 16 \|\| inlen >= CRYPTO128_WRAP_MAX)
275	0	return 0;
276
277	0	if (inlen == 16) {
278		/*
279		* Section 4.2 - special case in step 1: When n=1, the ciphertext
280		* contains exactly two 64-bit blocks and they are decrypted as a
281		* single AES block using AES in ECB mode: AIV \| P[1] = DEC(K, C[0] \|
282		* C[1])
283		*/
284	0	unsigned char buff[16];
285
286	0	block(in, buff, key);
287	0	memcpy(aiv, buff, 8);
288		/* Remove AIV */
289	0	memcpy(out, buff + 8, 8);
290	0	padded_len = 8;
291	0	OPENSSL_cleanse(buff, inlen);
292	0	} else {
293	0	padded_len = inlen - 8;
294	0	ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block);
295	0	if (padded_len != ret) {
296	0	OPENSSL_cleanse(out, inlen);
297	0	return 0;
298	0	}
299	0	}
300
301		/*
302		* Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a
303		* user-supplied value can be used (even if standard doesn't mention
304		* this).
305		*/
306	0	if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
307	0	\|\| (icv && CRYPTO_memcmp(aiv, icv, 4))) {
308	0	OPENSSL_cleanse(out, inlen);
309	0	return 0;
310	0	}
311
312		/*
313		* Check that 8(n-1) < LSB(32,AIV) <= 8n. If so, let ptext_len =
314		* LSB(32,AIV).
315		*/
316
317	0	ptext_len = ((unsigned int)aiv[4] << 24)
318	0	\| ((unsigned int)aiv[5] << 16)
319	0	\| ((unsigned int)aiv[6] << 8)
320	0	\| (unsigned int)aiv[7];
321	0	if (8 * (n - 1) >= ptext_len \|\| ptext_len > 8 * n) {
322	0	OPENSSL_cleanse(out, inlen);
323	0	return 0;
324	0	}
325
326		/*
327		* Check that the rightmost padding_len octets of the output data are
328		* zero.
329		*/
330	0	padding_len = padded_len - ptext_len;
331	0	if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
332	0	OPENSSL_cleanse(out, inlen);
333	0	return 0;
334	0	}
335
336		/* Section 4.2 step 3: Remove padding */
337	0	return ptext_len;
338	0	}