From: Petr Spacek Date: Mon, 26 Jan 2015 13:39:50 +0000 (+0100) Subject: Fix key wrapping mode with padding to conform to RFC 5649. X-Git-Tag: OpenSSL_1_1_0-pre1~1545 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=ffa75828dd13decb41d075576db676c81c1198f1;hp=b5f07d6a66df963e45a5f7fe23329009b12bdf87 Fix key wrapping mode with padding to conform to RFC 5649. According to RFC 5649 section 4.1 step 1) we should not add padding if plaintext length is multiply of 8 ockets. This matches pseudo-code in http://dx.doi.org/10.6028/NIST.SP.800-38F on page 15, section 6.3 KWP, algorithm 5 KWP-AE, step 2. PR#3675 Reviewed-by: Stephen Henson Reviewed-by: Andy Polyakov --- diff --git a/crypto/modes/wrap128.c b/crypto/modes/wrap128.c index 2f65314cfa..ccb58c5a0b 100644 --- a/crypto/modes/wrap128.c +++ b/crypto/modes/wrap128.c @@ -230,8 +230,13 @@ size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv, const unsigned char *in, size_t inlen, block128_f block) { - /* n: number of 64-bit blocks in the padded key data */ - const size_t blocks_padded = (inlen + 8) / 8; + /* n: number of 64-bit blocks in the padded key data + * + * If length of plain text is not a multiple of 8, pad the plain text octet + * string on the right with octets of zeros, where final length is the + * smallest multiple of 8 that is greater than length of plain text. + * If length of plain text is a multiple of 8, then there is no padding. */ + const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */ const size_t padded_len = blocks_padded * 8; const size_t padding_len = padded_len - inlen; /* RFC 5649 section 3: Alternative Initial Value */