/src/hostap/src/crypto/aes-unwrap.c

Source (jump to first uncovered line)
/*
 * AES key unwrap (RFC3394)
 *
 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "aes.h"
#include "aes_wrap.h"

/**
 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (RFC3394)
 * @kek: Key encryption key (KEK)
 * @kek_len: Length of KEK in octets
 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
 * bytes
 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
 * @plain: Plaintext key, n * 64 bits
 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
 */
int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
         u8 *plain)
{
  u8 a[8], *r, b[AES_BLOCK_SIZE];
  int i, j;
  void *ctx;
  unsigned int t;

  /* 1) Initialize variables. */
  os_memcpy(a, cipher, 8);
  r = plain;
  os_memcpy(r, cipher + 8, 8 * n);

  ctx = aes_decrypt_init(kek, kek_len);
  if (ctx == NULL)
    return -1;

  /* 2) Compute intermediate values.
   * For j = 5 to 0
   *     For i = n to 1
   *         B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
   *         A = MSB(64, B)
   *         R[i] = LSB(64, B)
   */
  for (j = 5; j >= 0; j--) {
    r = plain + (n - 1) * 8;
    for (i = n; i >= 1; i--) {
      os_memcpy(b, a, 8);
      t = n * j + i;
      b[7] ^= t;
      b[6] ^= t >> 8;
      b[5] ^= t >> 16;
      b[4] ^= t >> 24;

      os_memcpy(b + 8, r, 8);
      aes_decrypt(ctx, b, b);
      os_memcpy(a, b, 8);
      os_memcpy(r, b + 8, 8);
      r -= 8;
    }
  }
  aes_decrypt_deinit(ctx);

  /* 3) Output results.
   *
   * These are already in @plain due to the location of temporary
   * variables. Just verify that the IV matches with the expected value.
   */
  for (i = 0; i < 8; i++) {
    if (a[i] != 0xa6)
      return -1;
  }

  return 0;
}

Coverage Report

Created: 2025-04-24 06:18

Line	Count	Source (jump to first uncovered line)
1		/*
2		* AES key unwrap (RFC3394)
3		*
4		* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
5		*
6		* This software may be distributed under the terms of the BSD license.
7		* See README for more details.
8		*/
9
10		#include "includes.h"
11
12		#include "common.h"
13		#include "aes.h"
14		#include "aes_wrap.h"
15
16		/**
17		* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (RFC3394)
18		* @kek: Key encryption key (KEK)
19		* @kek_len: Length of KEK in octets
20		* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
21		* bytes
22		* @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
23		* @plain: Plaintext key, n * 64 bits
24		* Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
25		*/
26		int aes_unwrap(const u8 kek, size_t kek_len, int n, const u8 cipher,
27		u8 *plain)
28	0	{
29	0	u8 a[8], *r, b[AES_BLOCK_SIZE];
30	0	int i, j;
31	0	void *ctx;
32	0	unsigned int t;
33
34		/* 1) Initialize variables. */
35	0	os_memcpy(a, cipher, 8);
36	0	r = plain;
37	0	os_memcpy(r, cipher + 8, 8 * n);
38
39	0	ctx = aes_decrypt_init(kek, kek_len);
40	0	if (ctx == NULL)
41	0	return -1;
42
43		/* 2) Compute intermediate values.
44		* For j = 5 to 0
45		* For i = n to 1
46		* B = AES-1(K, (A ^ t) \| R[i]) where t = n*j+i
47		* A = MSB(64, B)
48		* R[i] = LSB(64, B)
49		*/
50	0	for (j = 5; j >= 0; j--) {
51	0	r = plain + (n - 1) * 8;
52	0	for (i = n; i >= 1; i--) {
53	0	os_memcpy(b, a, 8);
54	0	t = n * j + i;
55	0	b[7] ^= t;
56	0	b[6] ^= t >> 8;
57	0	b[5] ^= t >> 16;
58	0	b[4] ^= t >> 24;
59
60	0	os_memcpy(b + 8, r, 8);
61	0	aes_decrypt(ctx, b, b);
62	0	os_memcpy(a, b, 8);
63	0	os_memcpy(r, b + 8, 8);
64	0	r -= 8;
65	0	}
66	0	}
67	0	aes_decrypt_deinit(ctx);
68
69		/* 3) Output results.
70		*
71		* These are already in @plain due to the location of temporary
72		* variables. Just verify that the IV matches with the expected value.
73		*/
74	0	for (i = 0; i < 8; i++) {
75	0	if (a[i] != 0xa6)
76	0	return -1;
77	0	}
78
79	0	return 0;
80	0	}