OVMS3-idf/components/wpa_supplicant/src/crypto/aes-unwrap.c

/*
 * AES key unwrap (128-bit KEK, RFC3394)
 *
 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */
/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Hardware crypto support Copyright 2017-2019 Espressif Systems (Shanghai) PTE LTD
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "utils/includes.h"

#include "utils/common.h"
#ifdef USE_MBEDTLS_CRYPTO
#include "mbedtls/aes.h"
#else /* USE_MBEDTLS_CRYPTO */
#include "aes.h"
#include "aes_wrap.h"
#endif /* USE_MBEDTLS_CRYPTO */

/**
 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
 * @kek: Key encryption key (KEK)
 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
 * bytes
 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
 * @plain: Plaintext key, n * 64 bits
 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
 */
int 
aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
{
	u8 a[8], *r, b[16];
	int i, j;
#ifdef USE_MBEDTLS_CRYPTO
	int32_t ret = 0;
	mbedtls_aes_context ctx;
#else /* USE_MBEDTLS_CRYPTO */
	void *ctx;
#endif /* USE_MBEDTLS_CRYPTO */

	/* 1) Initialize variables. */
	os_memcpy(a, cipher, 8);
	r = plain;
	os_memcpy(r, cipher + 8, 8 * n);

#ifdef USE_MBEDTLS_CRYPTO
	mbedtls_aes_init(&ctx);
	ret = mbedtls_aes_setkey_dec(&ctx, kek, 128);
	if (ret < 0) {
		mbedtls_aes_free(&ctx);
		return ret;
	}
#else /* USE_MBEDTLS_CRYPTO */
	ctx = aes_decrypt_init(kek, 16);
	if (ctx == NULL)
		return -1;
#endif /* USE_MBEDTLS_CRYPTO */

	/* 2) Compute intermediate values.
	 * For j = 5 to 0
	 *     For i = n to 1
	 *         B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
	 *         A = MSB(64, B)
	 *         R[i] = LSB(64, B)
	 */
	for (j = 5; j >= 0; j--) {
		r = plain + (n - 1) * 8;
		for (i = n; i >= 1; i--) {
			os_memcpy(b, a, 8);
			b[7] ^= n * j + i;

			os_memcpy(b + 8, r, 8);
#ifdef USE_MBEDTLS_CRYPTO
			ret = mbedtls_internal_aes_decrypt(&ctx, b, b);
#else /* USE_MBEDTLS_CRYPTO */
			aes_decrypt(ctx, b, b);
#endif /* USE_MBEDTLS_CRYPTO */
			os_memcpy(a, b, 8);
			os_memcpy(r, b + 8, 8);
			r -= 8;
		}
	}
#ifdef USE_MBEDTLS_CRYPTO
	mbedtls_aes_free(&ctx);
#else /* USE_MBEDTLS_CRYPTO */
	aes_decrypt_deinit(ctx);
#endif /* USE_MBEDTLS_CRYPTO */

	/* 3) Output results.
	 *
	 * These are already in @plain due to the location of temporary
	 * variables. Just verify that the IV matches with the expected value.
	 */
	for (i = 0; i < 8; i++) {
		if (a[i] != 0xa6)
			return -1;
	}

	return 0;
}
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00			`/*`
			`* AES key unwrap (128-bit KEK, RFC3394)`
			`*`
			`* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License version 2 as`
			`* published by the Free Software Foundation.`
			`*`
			`* Alternatively, this software may be distributed under the terms of BSD`
			`* license.`
			`*`
			`* See README and COPYING for more details.`
			`*/`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`/*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Hardware crypto support Copyright 2017-2019 Espressif Systems (Shanghai) PTE LTD`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00
supplicant/esp_wifi: move supplicant to idf Move supplicant to idf and do following refactoring: 1. Make the folder structure consitent with supplicant upstream 2. Remove duplicated header files and minimize the public header files 3. Refactor for WiFi/supplicant interfaces 2018-08-13 08:37:56 +00:00			`#include "utils/includes.h"`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00
supplicant/esp_wifi: move supplicant to idf Move supplicant to idf and do following refactoring: 1. Make the folder structure consitent with supplicant upstream 2. Remove duplicated header files and minimize the public header files 3. Refactor for WiFi/supplicant interfaces 2018-08-13 08:37:56 +00:00			`#include "utils/common.h"`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#ifdef USE_MBEDTLS_CRYPTO`
			`#include "mbedtls/aes.h"`
			`#else /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: Make internally used crypto headers private A lot of internally used crypto headers are publicly includeable in user projects. This leads to bug reports when these headers are incorrectly used or the API's are not used as intended. Move all crypto headers into private crypto src folder, also move crypto_ops into Supplicant to remove dependecy on crypto headers. Closes IDF-476 2019-08-06 11:40:16 +00:00			`#include "aes.h"`
			`#include "aes_wrap.h"`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#endif /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00
			`/**`
			`* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)`
			`* @kek: Key encryption key (KEK)`
			`* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16`
			`* bytes`
			`* @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits`
			`* @plain: Plaintext key, n * 64 bits`
			`* Returns: 0 on success, -1 on failure (e.g., integrity verification failed)`
			`*/`
			`int`
			`aes_unwrap(const u8 kek, int n, const u8 cipher, u8 *plain)`
			`{`
			`u8 a[8], *r, b[16];`
			`int i, j;`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#ifdef USE_MBEDTLS_CRYPTO`
			`int32_t ret = 0;`
			`mbedtls_aes_context ctx;`
			`#else /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00			`void *ctx;`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#endif /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00
			`/* 1) Initialize variables. */`
			`os_memcpy(a, cipher, 8);`
			`r = plain;`
			`os_memcpy(r, cipher + 8, 8 * n);`

wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#ifdef USE_MBEDTLS_CRYPTO`
			`mbedtls_aes_init(&ctx);`
			`ret = mbedtls_aes_setkey_dec(&ctx, kek, 128);`
			`if (ret < 0) {`
			`mbedtls_aes_free(&ctx);`
			`return ret;`
			`}`
			`#else /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00			`ctx = aes_decrypt_init(kek, 16);`
			`if (ctx == NULL)`
			`return -1;`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#endif /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00
			`/* 2) Compute intermediate values.`
			`* For j = 5 to 0`
			`* For i = n to 1`
			`* B = AES-1(K, (A ^ t) \| R[i]) where t = n*j+i`
			`* A = MSB(64, B)`
			`* R[i] = LSB(64, B)`
			`*/`
			`for (j = 5; j >= 0; j--) {`
			`r = plain + (n - 1) * 8;`
			`for (i = n; i >= 1; i--) {`
			`os_memcpy(b, a, 8);`
			`b[7] ^= n * j + i;`

			`os_memcpy(b + 8, r, 8);`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#ifdef USE_MBEDTLS_CRYPTO`
			`ret = mbedtls_internal_aes_decrypt(&ctx, b, b);`
			`#else /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00			`aes_decrypt(ctx, b, b);`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#endif /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00			`os_memcpy(a, b, 8);`
			`os_memcpy(r, b + 8, 8);`
			`r -= 8;`
			`}`
			`}`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#ifdef USE_MBEDTLS_CRYPTO`
			`mbedtls_aes_free(&ctx);`
			`#else /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00			`aes_decrypt_deinit(ctx);`
wpa_supplicant: Cleanup fast_xxx modules that use duplicate code wpa_supplicant is using MbedTLS API's for crypto algorithms. For calling them a duplicate set of modules is maintained prepended with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO instead to separate modules calling MbedTLS API's from native implementation. 2019-07-03 12:09:52 +00:00			`#endif /* USE_MBEDTLS_CRYPTO */`
wpa_supplicant: replace pre-built crypto library with source code 2016-11-04 06:12:21 +00:00
			`/* 3) Output results.`
			`*`
			`* These are already in @plain due to the location of temporary`
			`* variables. Just verify that the IV matches with the expected value.`
			`*/`
			`for (i = 0; i < 8; i++) {`
			`if (a[i] != 0xa6)`
			`return -1;`
			`}`

			`return 0;`
			`}`