forked from gost-engine/engine
-
Notifications
You must be signed in to change notification settings - Fork 2
/
gost_keywrap.c
106 lines (100 loc) · 3.9 KB
/
gost_keywrap.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
/**********************************************************************
* keywrap.c *
* Copyright (c) 2005-2006 Cryptocom LTD *
* This file is distributed under the same license as OpenSSL *
* *
* Implementation of CryptoPro key wrap algorithm, as defined in *
* RFC 4357 p 6.3 and 6.4 *
* Doesn't need OpenSSL *
**********************************************************************/
#include <string.h>
#include "gost89.h"
#include "gost_keywrap.h"
/*-
* Diversifies key using random UserKey Material
* Implements RFC 4357 p 6.5 key diversification algorithm
*
* inputKey - 32byte key to be diversified
* ukm - 8byte user key material
* outputKey - 32byte buffer to store diversified key
*
*/
void keyDiversifyCryptoPro(gost_ctx * ctx, const unsigned char *inputKey,
const unsigned char *ukm, unsigned char *outputKey)
{
u4 k, s1, s2;
int i, j, mask;
unsigned char S[8];
memcpy(outputKey, inputKey, 32);
for (i = 0; i < 8; i++) {
/* Make array of integers from key */
/* Compute IV S */
s1 = 0, s2 = 0;
for (j = 0, mask = 1; j < 8; j++, mask <<= 1) {
k = ((u4) outputKey[4 * j]) | (outputKey[4 * j + 1] << 8) |
(outputKey[4 * j + 2] << 16) | (outputKey[4 * j + 3] << 24);
if (mask & ukm[i]) {
s1 += k;
} else {
s2 += k;
}
}
S[0] = (unsigned char)(s1 & 0xff);
S[1] = (unsigned char)((s1 >> 8) & 0xff);
S[2] = (unsigned char)((s1 >> 16) & 0xff);
S[3] = (unsigned char)((s1 >> 24) & 0xff);
S[4] = (unsigned char)(s2 & 0xff);
S[5] = (unsigned char)((s2 >> 8) & 0xff);
S[6] = (unsigned char)((s2 >> 16) & 0xff);
S[7] = (unsigned char)((s2 >> 24) & 0xff);
gost_key(ctx, outputKey);
gost_enc_cfb(ctx, S, outputKey, outputKey, 4);
}
}
/*-
* Wraps key using RFC 4357 6.3
* ctx - gost encryption context, initialized with some S-boxes
* keyExchangeKey (KEK) 32-byte (256-bit) shared key
* ukm - 8 byte (64 bit) user key material,
* sessionKey - 32-byte (256-bit) key to be wrapped
* wrappedKey - 44-byte buffer to store wrapped key
*/
int keyWrapCryptoPro(gost_ctx * ctx, const unsigned char *keyExchangeKey,
const unsigned char *ukm,
const unsigned char *sessionKey,
unsigned char *wrappedKey)
{
unsigned char kek_ukm[32];
keyDiversifyCryptoPro(ctx, keyExchangeKey, ukm, kek_ukm);
gost_key(ctx, kek_ukm);
memcpy(wrappedKey, ukm, 8);
gost_enc(ctx, sessionKey, wrappedKey + 8, 4);
gost_mac_iv(ctx, 32, ukm, sessionKey, 32, wrappedKey + 40);
return 1;
}
/*-
* Unwraps key using RFC 4357 6.4
* ctx - gost encryption context, initialized with some S-boxes
* keyExchangeKey 32-byte shared key
* wrappedKey 44 byte key to be unwrapped (concatenation of 8-byte UKM,
* 32 byte encrypted key and 4 byte MAC
*
* sessionKEy - 32byte buffer to store sessionKey in
* Returns 1 if key is decrypted successfully, and 0 if MAC doesn't match
*/
int keyUnwrapCryptoPro(gost_ctx * ctx, const unsigned char *keyExchangeKey,
const unsigned char *wrappedKey,
unsigned char *sessionKey)
{
unsigned char kek_ukm[32], cek_mac[4];
keyDiversifyCryptoPro(ctx, keyExchangeKey, wrappedKey
/* First 8 bytes of wrapped Key is ukm */
, kek_ukm);
gost_key(ctx, kek_ukm);
gost_dec(ctx, wrappedKey + 8, sessionKey, 4);
gost_mac_iv(ctx, 32, wrappedKey, sessionKey, 32, cek_mac);
if (memcmp(cek_mac, wrappedKey + 40, 4)) {
return 0;
}
return 1;
}