AES: Extend key wrap design to support longer AES keys
This adds kek_len argument to aes_wrap() and aes_unwrap() functions and allows AES to be initialized with 192 and 256 bit KEK in addition to the previously supported 128 bit KEK. The test vectors in test-aes.c are extended to cover all the test vectors from RFC 3394. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
98a1571d88
commit
eefec1e40b
11 changed files with 292 additions and 57 deletions
|
|
@ -1390,7 +1390,8 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
|
|||
if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
|
||||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
|
||||
version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
|
||||
if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
|
||||
if (aes_wrap(sm->PTK.kek, 16,
|
||||
(key_data_len - 8) / 8, buf,
|
||||
(u8 *) (key + 1))) {
|
||||
os_free(hdr);
|
||||
os_free(buf);
|
||||
|
|
|
|||
|
|
@ -344,7 +344,8 @@ static int wpa_ft_pull_pmk_r1(struct wpa_state_machine *sm,
|
|||
os_memcpy(f.s1kh_id, sm->addr, ETH_ALEN);
|
||||
os_memset(f.pad, 0, sizeof(f.pad));
|
||||
|
||||
if (aes_wrap(r0kh->key, (FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
|
||||
if (aes_wrap(r0kh->key, sizeof(r0kh->key),
|
||||
(FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
|
||||
f.nonce, frame.nonce) < 0)
|
||||
return -1;
|
||||
|
||||
|
|
@ -459,7 +460,7 @@ static u8 * wpa_ft_gtk_subelem(struct wpa_state_machine *sm, size_t *len)
|
|||
WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03);
|
||||
subelem[4] = gsm->GTK_len;
|
||||
wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5);
|
||||
if (aes_wrap(sm->PTK.kek, key_len / 8, key, subelem + 13)) {
|
||||
if (aes_wrap(sm->PTK.kek, 16, key_len / 8, key, subelem + 13)) {
|
||||
os_free(subelem);
|
||||
return NULL;
|
||||
}
|
||||
|
|
@ -491,7 +492,7 @@ static u8 * wpa_ft_igtk_subelem(struct wpa_state_machine *sm, size_t *len)
|
|||
wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos);
|
||||
pos += 6;
|
||||
*pos++ = WPA_IGTK_LEN;
|
||||
if (aes_wrap(sm->PTK.kek, WPA_IGTK_LEN / 8,
|
||||
if (aes_wrap(sm->PTK.kek, 16, WPA_IGTK_LEN / 8,
|
||||
gsm->IGTK[gsm->GN_igtk - 4], pos)) {
|
||||
os_free(subelem);
|
||||
return NULL;
|
||||
|
|
@ -1336,7 +1337,8 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
|
|||
frame = (struct ft_r0kh_r1kh_pull_frame *) data;
|
||||
/* aes_unwrap() does not support inplace decryption, so use a temporary
|
||||
* buffer for the data. */
|
||||
if (aes_unwrap(r1kh->key, (FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
|
||||
if (aes_unwrap(r1kh->key, sizeof(r1kh->key),
|
||||
(FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
|
||||
frame->nonce, f.nonce) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 pull "
|
||||
"request from " MACSTR, MAC2STR(src_addr));
|
||||
|
|
@ -1376,7 +1378,8 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
|
|||
r.pairwise = host_to_le16(pairwise);
|
||||
os_memset(r.pad, 0, sizeof(r.pad));
|
||||
|
||||
if (aes_wrap(r1kh->key, (FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
|
||||
if (aes_wrap(r1kh->key, sizeof(r1kh->key),
|
||||
(FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
|
||||
r.nonce, resp.nonce) < 0) {
|
||||
os_memset(pmk_r0, 0, PMK_LEN);
|
||||
return -1;
|
||||
|
|
@ -1464,7 +1467,8 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
|
|||
frame = (struct ft_r0kh_r1kh_resp_frame *) data;
|
||||
/* aes_unwrap() does not support inplace decryption, so use a temporary
|
||||
* buffer for the data. */
|
||||
if (aes_unwrap(r0kh->key, (FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
|
||||
if (aes_unwrap(r0kh->key, sizeof(r0kh->key),
|
||||
(FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
|
||||
frame->nonce, f.nonce) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 pull "
|
||||
"response from " MACSTR, MAC2STR(src_addr));
|
||||
|
|
@ -1530,7 +1534,8 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
|
|||
frame = (struct ft_r0kh_r1kh_push_frame *) data;
|
||||
/* aes_unwrap() does not support inplace decryption, so use a temporary
|
||||
* buffer for the data. */
|
||||
if (aes_unwrap(r0kh->key, (FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
|
||||
if (aes_unwrap(r0kh->key, sizeof(r0kh->key),
|
||||
(FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
|
||||
frame->timestamp, f.timestamp) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 push from "
|
||||
MACSTR, MAC2STR(src_addr));
|
||||
|
|
@ -1727,7 +1732,8 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth,
|
|||
WPA_PUT_LE32(f.timestamp, now.sec);
|
||||
f.pairwise = host_to_le16(pairwise);
|
||||
os_memset(f.pad, 0, sizeof(f.pad));
|
||||
if (aes_wrap(r1kh->key, (FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
|
||||
if (aes_wrap(r1kh->key, sizeof(r1kh->key),
|
||||
(FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
|
||||
f.timestamp, frame.timestamp) < 0)
|
||||
return;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* AES key unwrap (128-bit KEK, RFC3394)
|
||||
* AES key unwrap (RFC3394)
|
||||
*
|
||||
* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
|
|
@ -14,17 +14,19 @@
|
|||
#include "aes_wrap.h"
|
||||
|
||||
/**
|
||||
* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
|
||||
* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (RFC3394)
|
||||
* @kek: Key encryption key (KEK)
|
||||
* @kek_len: Length of KEK in octets
|
||||
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
|
||||
* bytes
|
||||
* @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
|
||||
* @plain: Plaintext key, n * 64 bits
|
||||
* Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
|
||||
*/
|
||||
int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
|
||||
int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
|
||||
u8 *plain)
|
||||
{
|
||||
u8 a[8], *r, b[16];
|
||||
u8 a[8], *r, b[AES_BLOCK_SIZE];
|
||||
int i, j;
|
||||
void *ctx;
|
||||
|
||||
|
|
@ -33,7 +35,7 @@ int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
|
|||
r = plain;
|
||||
os_memcpy(r, cipher + 8, 8 * n);
|
||||
|
||||
ctx = aes_decrypt_init(kek, 16);
|
||||
ctx = aes_decrypt_init(kek, kek_len);
|
||||
if (ctx == NULL)
|
||||
return -1;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
|
||||
* AES Key Wrap Algorithm (RFC3394)
|
||||
*
|
||||
* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
|
|
@ -14,17 +14,18 @@
|
|||
#include "aes_wrap.h"
|
||||
|
||||
/**
|
||||
* aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
|
||||
* @kek: 16-octet Key encryption key (KEK)
|
||||
* aes_wrap - Wrap keys with AES Key Wrap Algorithm (RFC3394)
|
||||
* @kek: Key encryption key (KEK)
|
||||
* @kek_len: Length of KEK in octets
|
||||
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
|
||||
* bytes
|
||||
* @plain: Plaintext key to be wrapped, n * 64 bits
|
||||
* @cipher: Wrapped key, (n + 1) * 64 bits
|
||||
* Returns: 0 on success, -1 on failure
|
||||
*/
|
||||
int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
|
||||
int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
|
||||
{
|
||||
u8 *a, *r, b[16];
|
||||
u8 *a, *r, b[AES_BLOCK_SIZE];
|
||||
int i, j;
|
||||
void *ctx;
|
||||
|
||||
|
|
@ -35,7 +36,7 @@ int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
|
|||
os_memset(a, 0xa6, 8);
|
||||
os_memcpy(r, plain, 8 * n);
|
||||
|
||||
ctx = aes_encrypt_init(kek, 16);
|
||||
ctx = aes_encrypt_init(kek, kek_len);
|
||||
if (ctx == NULL)
|
||||
return -1;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* AES-based functions
|
||||
*
|
||||
* - AES Key Wrap Algorithm (128-bit KEK) (RFC3394)
|
||||
* - AES Key Wrap Algorithm (RFC3394)
|
||||
* - One-Key CBC MAC (OMAC1) hash with AES-128
|
||||
* - AES-128 CTR mode encryption
|
||||
* - AES-128 EAX mode encryption/decryption
|
||||
|
|
@ -18,8 +18,10 @@
|
|||
#ifndef AES_WRAP_H
|
||||
#define AES_WRAP_H
|
||||
|
||||
int __must_check aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher);
|
||||
int __must_check aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain);
|
||||
int __must_check aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain,
|
||||
u8 *cipher);
|
||||
int __must_check aes_unwrap(const u8 *kek, size_t kek_len, int n,
|
||||
const u8 *cipher, u8 *plain);
|
||||
int __must_check omac1_aes_128_vector(const u8 *key, size_t num_elem,
|
||||
const u8 *addr[], const size_t *len,
|
||||
u8 *mac);
|
||||
|
|
|
|||
|
|
@ -161,8 +161,8 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (aes_unwrap(data->pac_opaque_encr, (pac_opaque_len - 8) / 8,
|
||||
pac_opaque, buf) < 0) {
|
||||
if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr),
|
||||
(pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) {
|
||||
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt "
|
||||
"PAC-Opaque");
|
||||
os_free(buf);
|
||||
|
|
@ -731,8 +731,8 @@ static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
|
|||
os_free(pac_buf);
|
||||
return NULL;
|
||||
}
|
||||
if (aes_wrap(data->pac_opaque_encr, pac_len / 8, pac_buf,
|
||||
pac_opaque) < 0) {
|
||||
if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr),
|
||||
pac_len / 8, pac_buf, pac_opaque) < 0) {
|
||||
os_free(pac_buf);
|
||||
os_free(pac_opaque);
|
||||
return NULL;
|
||||
|
|
|
|||
|
|
@ -1451,7 +1451,7 @@ ieee802_1x_mka_encode_dist_sak_body(
|
|||
os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
|
||||
sak_pos = CS_ID_LEN;
|
||||
}
|
||||
if (aes_wrap(participant->kek.key,
|
||||
if (aes_wrap(participant->kek.key, 16,
|
||||
cipher_suite_tbl[cs_index].sak_len / 8,
|
||||
sak->key, body->sak + sak_pos)) {
|
||||
wpa_printf(MSG_ERROR, "KaY: AES wrap failed");
|
||||
|
|
@ -1611,7 +1611,7 @@ ieee802_1x_mka_decode_dist_sak_body(
|
|||
wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
|
||||
return -1;
|
||||
}
|
||||
if (aes_unwrap(participant->kek.key, sak_len >> 3, wrap_sak,
|
||||
if (aes_unwrap(participant->kek.key, 16, sak_len >> 3, wrap_sak,
|
||||
unwrap_sak)) {
|
||||
wpa_printf(MSG_ERROR, "KaY: AES unwrap failed");
|
||||
os_free(unwrap_sak);
|
||||
|
|
|
|||
|
|
@ -1295,7 +1295,8 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
|
|||
(unsigned long) maxkeylen);
|
||||
return -1;
|
||||
}
|
||||
if (aes_unwrap(sm->ptk.kek, maxkeylen / 8, key_data, gd->gtk)) {
|
||||
if (aes_unwrap(sm->ptk.kek, 16, maxkeylen / 8, key_data,
|
||||
gd->gtk)) {
|
||||
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
|
||||
"WPA: AES unwrap failed - could not decrypt "
|
||||
"GTK");
|
||||
|
|
@ -1503,7 +1504,7 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
|
|||
"WPA: No memory for AES-UNWRAP buffer");
|
||||
return -1;
|
||||
}
|
||||
if (aes_unwrap(sm->ptk.kek, *key_data_len / 8,
|
||||
if (aes_unwrap(sm->ptk.kek, 16, *key_data_len / 8,
|
||||
key_data, buf)) {
|
||||
os_free(buf);
|
||||
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
|
||||
|
|
|
|||
|
|
@ -566,7 +566,7 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem,
|
|||
return -1;
|
||||
}
|
||||
gtk_len = gtk_elem_len - 19;
|
||||
if (aes_unwrap(sm->ptk.kek, gtk_len / 8, gtk_elem + 11, gtk)) {
|
||||
if (aes_unwrap(sm->ptk.kek, 16, gtk_len / 8, gtk_elem + 11, gtk)) {
|
||||
wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
|
||||
"decrypt GTK");
|
||||
return -1;
|
||||
|
|
@ -645,7 +645,8 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem,
|
|||
return -1;
|
||||
}
|
||||
|
||||
if (aes_unwrap(sm->ptk.kek, WPA_IGTK_LEN / 8, igtk_elem + 9, igtk)) {
|
||||
if (aes_unwrap(sm->ptk.kek, 16, WPA_IGTK_LEN / 8, igtk_elem + 9, igtk))
|
||||
{
|
||||
wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
|
||||
"decrypt IGTK");
|
||||
return -1;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue