1 /**********************************************************************
2  *                          keywrap.c                                 *
3  *             Copyright (c) 2005-2006 Cryptocom LTD                  *
4  *         This file is distributed under the same license as OpenSSL *
5  *                                                                    *
6  * Implementation of CryptoPro key wrap algorithm, as defined in      *
7  *               RFC 4357 p 6.3 and 6.4                               *
8  *                  Doesn't need OpenSSL                              *
9  **********************************************************************/
10 #include <string.h>
11 #include "gost89.h"
12 #include "keywrap.h"
14 /* Diversifies key using random UserKey Material
15  * Implements RFC 4357 p 6.5 key diversification algorithm
16  *
17  * inputKey - 32byte key to be diversified
18  * ukm - 8byte user key material
19  * outputKey - 32byte buffer to store diversified key
20  *
21  */
22 void keyDiversifyCryptoPro(gost_ctx *ctx,const unsigned char *inputKey, const unsigned char *ukm, unsigned char *outputKey)
23 {
25         u4 k,s1,s2;
27         unsigned char S[8];
28         memcpy(outputKey,inputKey,32);
29         for (i=0;i<8;i++) {
30                 /* Make array of integers from key */
31                 /* Compute IV S*/
32                 s1=0,s2=0;
34                         k=((u4)outputKey[4*j])|(outputKey[4*j+1]<<8)|
35                                 (outputKey[4*j+2]<<16)|(outputKey[4*j+3]<<24);
36                         if (mask & ukm[i]) {
37                                 s1+=k;
38                         } else {
39                                 s2+=k;
40                         }
41                 }
42                 S[0]=s1&0xff; S[1]=(s1>>8)&0xff; S[2]=(s1>>16)&0xff; S[3]=(s1>>24)&0xff;
43                 S[4]=s2&0xff; S[5]=(s2>>8)&0xff; S[6]=(s2>>16)&0xff; S[7]=(s2>>24)&0xff;
44                 gost_key(ctx,outputKey);
45                 gost_enc_cfb(ctx,S,outputKey,outputKey,4);
46         }
47 }
50 /*
51  * Wraps key using RFC 4357 6.3
52  * ctx - gost encryption context, initialized with some S-boxes
53  * keyExchangeKey (KEK) 32-byte (256-bit) shared key
54  * ukm - 8 byte (64 bit) user key material,
55  * sessionKey - 32-byte (256-bit) key to be wrapped
56  * wrappedKey - 44-byte buffer to store wrapped key
57  */
59 int keyWrapCryptoPro(gost_ctx *ctx,const unsigned char *keyExchangeKey, const unsigned char *ukm,
60         const   unsigned char *sessionKey, unsigned char *wrappedKey)
61 {
62         unsigned char kek_ukm[32];
63         keyDiversifyCryptoPro(ctx,keyExchangeKey,ukm,kek_ukm);
64         gost_key(ctx,kek_ukm);
65         memcpy(wrappedKey,ukm,8);
66         gost_enc(ctx,sessionKey,wrappedKey+8,4);
67         gost_mac_iv(ctx,32,ukm,sessionKey,32,wrappedKey+40);
68         return 1;
69 }
70 /*
71  * Unwraps key using RFC 4357 6.4
72  * ctx - gost encryption context, initialized with some S-boxes
73  * keyExchangeKey 32-byte shared key
74  * wrappedKey  44 byte key to be unwrapped (concatenation of 8-byte UKM,
75  * 32 byte  encrypted key and 4 byte MAC
76  *
77  * sessionKEy - 32byte buffer to store sessionKey in
78  * Returns 1 if key is decrypted successfully, and 0 if MAC doesn't match
79  */
81 int keyUnwrapCryptoPro(gost_ctx *ctx,const unsigned char *keyExchangeKey,
82                 const unsigned char *wrappedKey, unsigned char *sessionKey)
83 {
84         unsigned char kek_ukm[32],cek_mac[4];
85         keyDiversifyCryptoPro(ctx,keyExchangeKey,wrappedKey
86                         /* First 8 bytes of wrapped Key is ukm */
87                         ,kek_ukm);
88         gost_key(ctx,kek_ukm);
89         gost_dec(ctx,wrappedKey+8,sessionKey,4);
90         gost_mac_iv(ctx,32,wrappedKey,sessionKey,32,cek_mac);
91         if (memcmp(cek_mac,wrappedKey+40,4)) {
92                         return 0;
93         }
94         return 1;
95 }