diff options
| -rw-r--r-- | checks/validate.cpp | 86 | ||||
| -rw-r--r-- | doc/log.txt | 1 | ||||
| -rw-r--r-- | src/constructs/rfc3394/info.txt | 1 | ||||
| -rw-r--r-- | src/constructs/rfc3394/rfc3394.cpp | 121 | ||||
| -rw-r--r-- | src/constructs/rfc3394/rfc3394.h | 44 |
5 files changed, 253 insertions, 0 deletions
diff --git a/checks/validate.cpp b/checks/validate.cpp index dd23eadc3..1f7a9013d 100644 --- a/checks/validate.cpp +++ b/checks/validate.cpp @@ -27,6 +27,10 @@ #include <botan/cryptobox.h> #endif +#if defined(BOTAN_HAS_RFC3394_KEYWRAP) + #include <botan/rfc3394.h> +#endif + using namespace Botan; #include "validate.h" @@ -94,6 +98,82 @@ bool test_cryptobox(RandomNumberGenerator& rng) return true; } +bool keywrap_test(const char* key_str, + const char* expected_str, + const char* kek_str) + { + std::cout << '.' << std::flush; + + bool ok = true; + + try + { + SymmetricKey key(key_str); + SymmetricKey expected(expected_str); + SymmetricKey kek(kek_str); + + Algorithm_Factory& af = global_state().algorithm_factory(); + + SecureVector<byte> enc = rfc3394_keywrap(key.bits_of(), kek, af); + + if(enc != expected.bits_of()) + { + std::cout << "NIST key wrap encryption failure: " + << hex_encode(enc) << " != " << hex_encode(expected.bits_of()) << "\n"; + ok = false; + } + + SecureVector<byte> dec = rfc3394_keyunwrap(expected.bits_of(), kek, af); + + if(dec != key.bits_of()) + { + std::cout << "NIST key wrap decryption failure: " + << hex_encode(dec) << " != " << hex_encode(key.bits_of()) << "\n"; + ok = false; + } + } + catch(std::exception& e) + { + std::cout << e.what() << "\n"; + } + + return ok; + } + +bool test_keywrap() + { + std::cout << "Testing NIST keywrap: " << std::flush; + + bool ok = true; + + ok &= keywrap_test("00112233445566778899AABBCCDDEEFF", + "1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5", + "000102030405060708090A0B0C0D0E0F"); + + ok &= keywrap_test("00112233445566778899AABBCCDDEEFF", + "96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D", + "000102030405060708090A0B0C0D0E0F1011121314151617"); + + ok &= keywrap_test("00112233445566778899AABBCCDDEEFF", + "64E8C3F9CE0F5BA263E9777905818A2A93C8191E7D6E8AE7", + "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"); + + ok &= keywrap_test("00112233445566778899AABBCCDDEEFF0001020304050607", + "031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2", + "000102030405060708090A0B0C0D0E0F1011121314151617"); + + ok &= keywrap_test("00112233445566778899AABBCCDDEEFF0001020304050607", + "A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1", + "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"); + + ok &= keywrap_test("00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F", + "28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21", + "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"); + + std::cout << "\n"; + return ok; + } + bool test_passhash(RandomNumberGenerator& rng) { #if defined(BOTAN_HAS_PASSHASH9) @@ -265,6 +345,12 @@ u32bit do_validation_tests(const std::string& filename, errors++; } + if(should_pass && !test_keywrap()) + { + std::cout << "NIST keywrap tests failed" << std::endl; + errors++; + } + if(should_pass && !test_cryptobox(rng)) { std::cout << "Cryptobox tests failed" << std::endl; diff --git a/doc/log.txt b/doc/log.txt index 3fa6e6d6b..760b9531a 100644 --- a/doc/log.txt +++ b/doc/log.txt @@ -1,5 +1,6 @@ * 1.9.14-dev, ????-??-?? + - Add support for NIST's AES key wrapping algorithm * 1.9.13, 2011-02-19 - Update Keccak to the round 3 variant diff --git a/src/constructs/rfc3394/info.txt b/src/constructs/rfc3394/info.txt new file mode 100644 index 000000000..496f3e138 --- /dev/null +++ b/src/constructs/rfc3394/info.txt @@ -0,0 +1 @@ +define RFC3394_KEYWRAP diff --git a/src/constructs/rfc3394/rfc3394.cpp b/src/constructs/rfc3394/rfc3394.cpp new file mode 100644 index 000000000..d6909c94a --- /dev/null +++ b/src/constructs/rfc3394/rfc3394.cpp @@ -0,0 +1,121 @@ +/* +* AES Key Wrap (RFC 3394) +* (C) 2011 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#include <botan/rfc3394.h> +#include <botan/block_cipher.h> +#include <botan/loadstor.h> +#include <botan/exceptn.h> +#include <botan/internal/xor_buf.h> +#include <memory> + +namespace Botan { + +namespace { + +BlockCipher* make_aes(size_t keylength, + Algorithm_Factory& af) + { + if(keylength == 16) + return af.make_block_cipher("AES-128"); + else if(keylength == 24) + return af.make_block_cipher("AES-192"); + else if(keylength == 32) + return af.make_block_cipher("AES-256"); + else + throw std::invalid_argument("Bad KEK length for NIST keywrap"); + } + +} + +SecureVector<byte> rfc3394_keywrap(const MemoryRegion<byte>& key, + const SymmetricKey& kek, + Algorithm_Factory& af) + { + if(key.size() % 8 != 0) + throw std::invalid_argument("Bad input key size for NIST key wrap"); + + std::auto_ptr<BlockCipher> aes(make_aes(kek.length(), af)); + aes->set_key(kek); + + const size_t n = key.size() / 8; + + SecureVector<byte> R((n + 1) * 8); + SecureVector<byte> A(16); + + for(size_t i = 0; i != 8; ++i) + A[i] = 0xA6; + + copy_mem(&R[8], key.begin(), key.size()); + + for(size_t j = 0; j <= 5; ++j) + { + for(size_t i = 1; i <= n; ++i) + { + const u32bit t = (n * j) + i; + + copy_mem(&A[8], &R[8*i], 8); + + aes->encrypt(&A[0]); + copy_mem(&R[8*i], &A[8], 8); + + byte t_buf[4] = { 0 }; + store_be(t, t_buf); + xor_buf(&A[4], &t_buf[0], 4); + } + } + + copy_mem(&R[0], &A[0], 8); + + return R; + } + +SecureVector<byte> rfc3394_keyunwrap(const MemoryRegion<byte>& key, + const SymmetricKey& kek, + Algorithm_Factory& af) + { + if(key.size() < 16 || key.size() % 8 != 0) + throw std::invalid_argument("Bad input key size for NIST key unwrap"); + + std::auto_ptr<BlockCipher> aes(make_aes(kek.length(), af)); + aes->set_key(kek); + + const size_t n = (key.size() - 8) / 8; + + SecureVector<byte> R(n * 8); + SecureVector<byte> A(16); + + for(size_t i = 0; i != 8; ++i) + A[i] = key[i]; + + copy_mem(&R[0], key.begin() + 8, key.size() - 8); + + for(size_t j = 0; j <= 5; ++j) + { + for(size_t i = n; i != 0; --i) + { + const u32bit t = (5 - j) * n + i; + + byte t_buf[4] = { 0 }; + store_be(t, t_buf); + + xor_buf(&A[4], &t_buf[0], 4); + + copy_mem(&A[8], &R[8*(i-1)], 8); + + aes->decrypt(&A[0]); + + copy_mem(&R[8*(i-1)], &A[8], 8); + } + } + + if(load_be<u64bit>(&A[0], 0) != 0xA6A6A6A6A6A6A6A6) + throw Integrity_Failure("NIST key unwrap failed"); + + return R; + } + +} diff --git a/src/constructs/rfc3394/rfc3394.h b/src/constructs/rfc3394/rfc3394.h new file mode 100644 index 000000000..7a4668735 --- /dev/null +++ b/src/constructs/rfc3394/rfc3394.h @@ -0,0 +1,44 @@ +/* +* AES Key Wrap (RFC 3394) +* (C) 2011 Jack Lloyd +* +* Distributed under the terms of the Botan license +*/ + +#ifndef BOTAN_AES_KEY_WRAP_H__ +#define BOTAN_AES_KEY_WRAP_H__ + +#include <botan/symkey.h> +#include <botan/algo_factory.h> + +namespace Botan { + +/** +* Encrypt a key under a key encryption key using the algorithm +* described in RFC 3394 +* +* @param key the plaintext key to encrypt +* @param kek the key encryption key +* @param af an algorithm factory +* @return key encrypted under kek +*/ +SecureVector<byte> BOTAN_DLL rfc3394_keywrap(const MemoryRegion<byte>& key, + const SymmetricKey& kek, + Algorithm_Factory& af); + +/** +* Decrypt a key under a key encryption key using the algorithm +* described in RFC 3394 +* +* @param key the encrypted key to decrypt +* @param kek the key encryption key +* @param af an algorithm factory +* @return key decrypted under kek +*/ +SecureVector<byte> BOTAN_DLL rfc3394_keyunwrap(const MemoryRegion<byte>& key, + const SymmetricKey& kek, + Algorithm_Factory& af); + +} + +#endif |