From a256506ddc279a730c38e3ecdc1d86e6ef23cbeb Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 7 Oct 2014 14:45:22 +0300 Subject: [PATCH] AES: Extend key wrap implementation to support longer data This extends the "XOR t" operation in aes_wrap() and aes_unwrap() to handle up to four octets of the n*h+i value instead of just the least significant octet. This allows the plaintext be longer than 336 octets which was the previous limit. Signed-off-by: Jouni Malinen --- src/crypto/aes-unwrap.c | 7 ++++++- src/crypto/aes-wrap.c | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/crypto/aes-unwrap.c b/src/crypto/aes-unwrap.c index c2b46b791..ec793d9db 100644 --- a/src/crypto/aes-unwrap.c +++ b/src/crypto/aes-unwrap.c @@ -29,6 +29,7 @@ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, u8 a[8], *r, b[AES_BLOCK_SIZE]; int i, j; void *ctx; + unsigned int t; /* 1) Initialize variables. */ os_memcpy(a, cipher, 8); @@ -50,7 +51,11 @@ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, r = plain + (n - 1) * 8; for (i = n; i >= 1; i--) { os_memcpy(b, a, 8); - b[7] ^= n * j + i; + t = n * j + i; + b[7] ^= t; + b[6] ^= t >> 8; + b[5] ^= t >> 16; + b[4] ^= t >> 24; os_memcpy(b + 8, r, 8); aes_decrypt(ctx, b, b); diff --git a/src/crypto/aes-wrap.c b/src/crypto/aes-wrap.c index f72437a7a..7ed34e803 100644 --- a/src/crypto/aes-wrap.c +++ b/src/crypto/aes-wrap.c @@ -28,6 +28,7 @@ int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) u8 *a, *r, b[AES_BLOCK_SIZE]; int i, j; void *ctx; + unsigned int t; a = cipher; r = cipher + 8; @@ -54,7 +55,11 @@ int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) os_memcpy(b + 8, r, 8); aes_encrypt(ctx, b, b); os_memcpy(a, b, 8); - a[7] ^= n * j + i; + t = n * j + i; + a[7] ^= t; + a[6] ^= t >> 8; + a[5] ^= t >> 16; + a[4] ^= t >> 24; os_memcpy(r, b + 8, 8); r += 8; }