-rw-r--r-- | src/lib/ffi/ffi.cpp | 46 | ||||
-rw-r--r-- | src/lib/ffi/ffi.h | 11 |
2 files changed, 57 insertions, 0 deletions
diff --git a/src/lib/ffi/ffi.cpp b/src/lib/ffi/ffi.cpp
index d99569778..d5bbe4896 100644
--- a/src/lib/ffi/ffi.cpp
+++ b/src/lib/ffi/ffi.cpp
@@ -90,6 +90,10 @@
 #include <botan/tls_server.h>
 #endif
+#if defined(BOTAN_HAS_RFC3394_KEYWRAP)
+ #include <botan/rfc3394.h>
+#endif
+
 namespace {
 #define BOTAN_ASSERT_ARG_NON_NULL(p) \
@@ -2665,6 +2669,48 @@ int botan_mceies_encrypt(botan_pubkey_t mce_key_obj,
 }
 }
+int botan_key_wrap3394( uint8_t key[], size_t key_len,
+ uint8_t kek[], size_t kek_len,
+ uint8_t wrapped_key[], size_t *wrapped_key_len)
+{
+#if defined(BOTAN_HAS_RFC3394_KEYWRAP)
+ try
+ {
+ const Botan::SymmetricKey kek_sym(kek, kek_len);
+ const Botan::secure_vector<uint8_t> key_pt(key, key + key_len);
+ const Botan::secure_vector<uint8_t> key_ct = Botan::rfc3394_keywrap(key_pt, kek_sym);
+ return write_vec_output(wrapped_key, wrapped_key_len, key_ct);
+ }
+ catch(std::exception &e)
+ {
+ return ffi_error_exception_thrown(e.what());
+ }
+#else
+ return BOTAN_FFI_ERROR_NOT_IMPLEMENTED;
+#endif
+}
+
+int botan_key_unwrap3394( uint8_t wrapped_key[], size_t wrapped_key_len,
+ uint8_t kek[], size_t kek_len,
+ uint8_t key[], size_t *key_len)
+{
+#if defined(BOTAN_HAS_RFC3394_KEYWRAP)
+ try
+ {
+ const Botan::SymmetricKey kek_sym(kek, kek_len);
+ const Botan::secure_vector<uint8_t> key_ct(wrapped_key, wrapped_key + wrapped_key_len);
+ const Botan::secure_vector<uint8_t> key_pt = Botan::rfc3394_keyunwrap(key_ct, kek_sym);
+ return write_vec_output(key, key_len, key_pt);
+ }
+ catch(std::exception &e)
+ {
+ return ffi_error_exception_thrown(e.what());
+ }
+#else
+ return BOTAN_FFI_ERROR_NOT_IMPLEMENTED;
+#endif
+}
+
 /*
 int botan_tls_channel_init_client(botan_tls_channel_t* channel,
 botan_tls_channel_output_fn output_fn,
diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
index 4a7723974..cbe883f8d 100644
--- a/src/lib/ffi/ffi.h
+++ b/src/lib/ffi/ffi.h 
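Review bot: In src/lib/ffi/ffi.cpp, `botan_key_wrap3394` and `botan_key_unwrap3394` take the key, the KEK and the wrapped blob as non-const `uint8_t[]` and read them without a null check, so a caller holding read-only key material has to cast, and a null pointer with a non-zero length is dereferenced instead of producing an error return. Declare the inputs `const uint8_t key[]`, `const uint8_t kek[]` and `const uint8_t wrapped_key[]` (the matching declarations in ffi.h have to change with them), and validate them inside the `try`, for example with the file's own `BOTAN_ASSERT_ARG_NON_NULL(kek);` if that macro reports failure the way the other FFI entry points expect. In the unwrap path a failed RFC 3394 integrity check appears to reach the caller only as the generic result of `ffi_error_exception_thrown(e.what())`, so a wrong KEK or a modified blob cannot be told apart from any other exception; a distinct return code for that case would let callers handle it deliberately. Both handlers should also catch by `const std::exception&`.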
@@ -1049,6 +1049,17 @@ enum botan_x509_cert_key_constraints {
 BOTAN_DLL int botan_x509_cert_allowed_usage(botan_x509_cert_t cert, unsigned int key_usage);
+/**
+ * Key wrapping as per RFC 3394
+ */
+BOTAN_DLL int botan_key_wrap3394(uint8_t key[], size_t key_len,
+ uint8_t kek[], size_t kek_len,
+ uint8_t wrapped_key[], size_t *wrapped_key_len);
+
+BOTAN_DLL int botan_key_unwrap3394( uint8_t wrapped_key[], size_t wrapped_key_len,
+ uint8_t kek[], size_t kek_len,
+ uint8_t key[], size_t *key_len);
+
 /*
 * TLS (WIP)
 */ |
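Review bot: The comment above `botan_key_wrap3394` gives callers no sizing or input rules, and `botan_key_unwrap3394` has no comment at all, although both write through a caller-supplied buffer and a length pointer. I would give each declaration its own doc comment stating what `*wrapped_key_len` and `*key_len` must hold on entry and what they hold on return (presumably buffer capacity in, bytes written out, if `write_vec_output` follows the usual FFI convention), and that RFC 3394 wrapping produces output 8 bytes longer than the input. The comment should also state that the key to wrap must be a multiple of 8 bytes, that `kek` must be a valid AES key length, and which return value a caller sees when unwrapping fails its integrity check. For unwrap, a line such as `/** On any non-zero return the contents of key[] must not be used. */` makes the failure contract explicit.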