AES: Extend key wrap design to support longer AES keys

This adds kek_len argument to aes_wrap() and aes_unwrap() functions and
allows AES to be initialized with 192 and 256 bit KEK in addition to
the previously supported 128 bit KEK.

The test vectors in test-aes.c are extended to cover all the test
vectors from RFC 3394.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-10-07 13:48:45 +03:00
parent 98a1571d88
commit eefec1e40b
11 changed files with 292 additions and 57 deletions

View file

@ -1390,7 +1390,8 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf, if (aes_wrap(sm->PTK.kek, 16,
(key_data_len - 8) / 8, buf,
(u8 *) (key + 1))) { (u8 *) (key + 1))) {
os_free(hdr); os_free(hdr);
os_free(buf); os_free(buf);

View file

@ -344,7 +344,8 @@ static int wpa_ft_pull_pmk_r1(struct wpa_state_machine *sm,
os_memcpy(f.s1kh_id, sm->addr, ETH_ALEN); os_memcpy(f.s1kh_id, sm->addr, ETH_ALEN);
os_memset(f.pad, 0, sizeof(f.pad)); os_memset(f.pad, 0, sizeof(f.pad));
if (aes_wrap(r0kh->key, (FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8, if (aes_wrap(r0kh->key, sizeof(r0kh->key),
(FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
f.nonce, frame.nonce) < 0) f.nonce, frame.nonce) < 0)
return -1; return -1;
@ -459,7 +460,7 @@ static u8 * wpa_ft_gtk_subelem(struct wpa_state_machine *sm, size_t *len)
WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03); WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03);
subelem[4] = gsm->GTK_len; subelem[4] = gsm->GTK_len;
wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5); wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5);
if (aes_wrap(sm->PTK.kek, key_len / 8, key, subelem + 13)) { if (aes_wrap(sm->PTK.kek, 16, key_len / 8, key, subelem + 13)) {
os_free(subelem); os_free(subelem);
return NULL; return NULL;
} }
@ -491,7 +492,7 @@ static u8 * wpa_ft_igtk_subelem(struct wpa_state_machine *sm, size_t *len)
wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos); wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos);
pos += 6; pos += 6;
*pos++ = WPA_IGTK_LEN; *pos++ = WPA_IGTK_LEN;
if (aes_wrap(sm->PTK.kek, WPA_IGTK_LEN / 8, if (aes_wrap(sm->PTK.kek, 16, WPA_IGTK_LEN / 8,
gsm->IGTK[gsm->GN_igtk - 4], pos)) { gsm->IGTK[gsm->GN_igtk - 4], pos)) {
os_free(subelem); os_free(subelem);
return NULL; return NULL;
@ -1336,7 +1337,8 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
frame = (struct ft_r0kh_r1kh_pull_frame *) data; frame = (struct ft_r0kh_r1kh_pull_frame *) data;
/* aes_unwrap() does not support inplace decryption, so use a temporary /* aes_unwrap() does not support inplace decryption, so use a temporary
* buffer for the data. */ * buffer for the data. */
if (aes_unwrap(r1kh->key, (FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8, if (aes_unwrap(r1kh->key, sizeof(r1kh->key),
(FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
frame->nonce, f.nonce) < 0) { frame->nonce, f.nonce) < 0) {
wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 pull " wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 pull "
"request from " MACSTR, MAC2STR(src_addr)); "request from " MACSTR, MAC2STR(src_addr));
@ -1376,7 +1378,8 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
r.pairwise = host_to_le16(pairwise); r.pairwise = host_to_le16(pairwise);
os_memset(r.pad, 0, sizeof(r.pad)); os_memset(r.pad, 0, sizeof(r.pad));
if (aes_wrap(r1kh->key, (FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8, if (aes_wrap(r1kh->key, sizeof(r1kh->key),
(FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
r.nonce, resp.nonce) < 0) { r.nonce, resp.nonce) < 0) {
os_memset(pmk_r0, 0, PMK_LEN); os_memset(pmk_r0, 0, PMK_LEN);
return -1; return -1;
@ -1464,7 +1467,8 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
frame = (struct ft_r0kh_r1kh_resp_frame *) data; frame = (struct ft_r0kh_r1kh_resp_frame *) data;
/* aes_unwrap() does not support inplace decryption, so use a temporary /* aes_unwrap() does not support inplace decryption, so use a temporary
* buffer for the data. */ * buffer for the data. */
if (aes_unwrap(r0kh->key, (FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8, if (aes_unwrap(r0kh->key, sizeof(r0kh->key),
(FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
frame->nonce, f.nonce) < 0) { frame->nonce, f.nonce) < 0) {
wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 pull " wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 pull "
"response from " MACSTR, MAC2STR(src_addr)); "response from " MACSTR, MAC2STR(src_addr));
@ -1530,7 +1534,8 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
frame = (struct ft_r0kh_r1kh_push_frame *) data; frame = (struct ft_r0kh_r1kh_push_frame *) data;
/* aes_unwrap() does not support inplace decryption, so use a temporary /* aes_unwrap() does not support inplace decryption, so use a temporary
* buffer for the data. */ * buffer for the data. */
if (aes_unwrap(r0kh->key, (FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8, if (aes_unwrap(r0kh->key, sizeof(r0kh->key),
(FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
frame->timestamp, f.timestamp) < 0) { frame->timestamp, f.timestamp) < 0) {
wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 push from " wpa_printf(MSG_DEBUG, "FT: Failed to decrypt PMK-R1 push from "
MACSTR, MAC2STR(src_addr)); MACSTR, MAC2STR(src_addr));
@ -1727,7 +1732,8 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth,
WPA_PUT_LE32(f.timestamp, now.sec); WPA_PUT_LE32(f.timestamp, now.sec);
f.pairwise = host_to_le16(pairwise); f.pairwise = host_to_le16(pairwise);
os_memset(f.pad, 0, sizeof(f.pad)); os_memset(f.pad, 0, sizeof(f.pad));
if (aes_wrap(r1kh->key, (FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8, if (aes_wrap(r1kh->key, sizeof(r1kh->key),
(FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
f.timestamp, frame.timestamp) < 0) f.timestamp, frame.timestamp) < 0)
return; return;

View file

@ -1,5 +1,5 @@
/* /*
* AES key unwrap (128-bit KEK, RFC3394) * AES key unwrap (RFC3394)
* *
* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
* *
@ -14,17 +14,19 @@
#include "aes_wrap.h" #include "aes_wrap.h"
/** /**
* aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (RFC3394)
* @kek: Key encryption key (KEK) * @kek: Key encryption key (KEK)
* @kek_len: Length of KEK in octets
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
* bytes * bytes
* @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits
* @plain: Plaintext key, n * 64 bits * @plain: Plaintext key, n * 64 bits
* Returns: 0 on success, -1 on failure (e.g., integrity verification failed) * Returns: 0 on success, -1 on failure (e.g., integrity verification failed)
*/ */
int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
u8 *plain)
{ {
u8 a[8], *r, b[16]; u8 a[8], *r, b[AES_BLOCK_SIZE];
int i, j; int i, j;
void *ctx; void *ctx;
@ -33,7 +35,7 @@ int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain)
r = plain; r = plain;
os_memcpy(r, cipher + 8, 8 * n); os_memcpy(r, cipher + 8, 8 * n);
ctx = aes_decrypt_init(kek, 16); ctx = aes_decrypt_init(kek, kek_len);
if (ctx == NULL) if (ctx == NULL)
return -1; return -1;

View file

@ -1,5 +1,5 @@
/* /*
* AES Key Wrap Algorithm (128-bit KEK) (RFC3394) * AES Key Wrap Algorithm (RFC3394)
* *
* Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
* *
@ -14,17 +14,18 @@
#include "aes_wrap.h" #include "aes_wrap.h"
/** /**
* aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) * aes_wrap - Wrap keys with AES Key Wrap Algorithm (RFC3394)
* @kek: 16-octet Key encryption key (KEK) * @kek: Key encryption key (KEK)
* @kek_len: Length of KEK in octets
* @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16
* bytes * bytes
* @plain: Plaintext key to be wrapped, n * 64 bits * @plain: Plaintext key to be wrapped, n * 64 bits
* @cipher: Wrapped key, (n + 1) * 64 bits * @cipher: Wrapped key, (n + 1) * 64 bits
* Returns: 0 on success, -1 on failure * Returns: 0 on success, -1 on failure
*/ */
int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher) int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
{ {
u8 *a, *r, b[16]; u8 *a, *r, b[AES_BLOCK_SIZE];
int i, j; int i, j;
void *ctx; void *ctx;
@ -35,7 +36,7 @@ int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher)
os_memset(a, 0xa6, 8); os_memset(a, 0xa6, 8);
os_memcpy(r, plain, 8 * n); os_memcpy(r, plain, 8 * n);
ctx = aes_encrypt_init(kek, 16); ctx = aes_encrypt_init(kek, kek_len);
if (ctx == NULL) if (ctx == NULL)
return -1; return -1;

View file

@ -1,7 +1,7 @@
/* /*
* AES-based functions * AES-based functions
* *
* - AES Key Wrap Algorithm (128-bit KEK) (RFC3394) * - AES Key Wrap Algorithm (RFC3394)
* - One-Key CBC MAC (OMAC1) hash with AES-128 * - One-Key CBC MAC (OMAC1) hash with AES-128
* - AES-128 CTR mode encryption * - AES-128 CTR mode encryption
* - AES-128 EAX mode encryption/decryption * - AES-128 EAX mode encryption/decryption
@ -18,8 +18,10 @@
#ifndef AES_WRAP_H #ifndef AES_WRAP_H
#define AES_WRAP_H #define AES_WRAP_H
int __must_check aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher); int __must_check aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain,
int __must_check aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain); u8 *cipher);
int __must_check aes_unwrap(const u8 *kek, size_t kek_len, int n,
const u8 *cipher, u8 *plain);
int __must_check omac1_aes_128_vector(const u8 *key, size_t num_elem, int __must_check omac1_aes_128_vector(const u8 *key, size_t num_elem,
const u8 *addr[], const size_t *len, const u8 *addr[], const size_t *len,
u8 *mac); u8 *mac);

View file

@ -161,8 +161,8 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
return 0; return 0;
} }
if (aes_unwrap(data->pac_opaque_encr, (pac_opaque_len - 8) / 8, if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr),
pac_opaque, buf) < 0) { (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt "
"PAC-Opaque"); "PAC-Opaque");
os_free(buf); os_free(buf);
@ -731,8 +731,8 @@ static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
os_free(pac_buf); os_free(pac_buf);
return NULL; return NULL;
} }
if (aes_wrap(data->pac_opaque_encr, pac_len / 8, pac_buf, if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr),
pac_opaque) < 0) { pac_len / 8, pac_buf, pac_opaque) < 0) {
os_free(pac_buf); os_free(pac_buf);
os_free(pac_opaque); os_free(pac_opaque);
return NULL; return NULL;

View file

@ -1451,7 +1451,7 @@ ieee802_1x_mka_encode_dist_sak_body(
os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN); os_memcpy(body->sak, cipher_suite_tbl[cs_index].id, CS_ID_LEN);
sak_pos = CS_ID_LEN; sak_pos = CS_ID_LEN;
} }
if (aes_wrap(participant->kek.key, if (aes_wrap(participant->kek.key, 16,
cipher_suite_tbl[cs_index].sak_len / 8, cipher_suite_tbl[cs_index].sak_len / 8,
sak->key, body->sak + sak_pos)) { sak->key, body->sak + sak_pos)) {
wpa_printf(MSG_ERROR, "KaY: AES wrap failed"); wpa_printf(MSG_ERROR, "KaY: AES wrap failed");
@ -1611,7 +1611,7 @@ ieee802_1x_mka_decode_dist_sak_body(
wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__); wpa_printf(MSG_ERROR, "KaY-%s: Out of memory", __func__);
return -1; return -1;
} }
if (aes_unwrap(participant->kek.key, sak_len >> 3, wrap_sak, if (aes_unwrap(participant->kek.key, 16, sak_len >> 3, wrap_sak,
unwrap_sak)) { unwrap_sak)) {
wpa_printf(MSG_ERROR, "KaY: AES unwrap failed"); wpa_printf(MSG_ERROR, "KaY: AES unwrap failed");
os_free(unwrap_sak); os_free(unwrap_sak);

View file

@ -1295,7 +1295,8 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
(unsigned long) maxkeylen); (unsigned long) maxkeylen);
return -1; return -1;
} }
if (aes_unwrap(sm->ptk.kek, maxkeylen / 8, key_data, gd->gtk)) { if (aes_unwrap(sm->ptk.kek, 16, maxkeylen / 8, key_data,
gd->gtk)) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: AES unwrap failed - could not decrypt " "WPA: AES unwrap failed - could not decrypt "
"GTK"); "GTK");
@ -1503,7 +1504,7 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
"WPA: No memory for AES-UNWRAP buffer"); "WPA: No memory for AES-UNWRAP buffer");
return -1; return -1;
} }
if (aes_unwrap(sm->ptk.kek, *key_data_len / 8, if (aes_unwrap(sm->ptk.kek, 16, *key_data_len / 8,
key_data, buf)) { key_data, buf)) {
os_free(buf); os_free(buf);
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,

View file

@ -566,7 +566,7 @@ static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem,
return -1; return -1;
} }
gtk_len = gtk_elem_len - 19; gtk_len = gtk_elem_len - 19;
if (aes_unwrap(sm->ptk.kek, gtk_len / 8, gtk_elem + 11, gtk)) { if (aes_unwrap(sm->ptk.kek, 16, gtk_len / 8, gtk_elem + 11, gtk)) {
wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not " wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
"decrypt GTK"); "decrypt GTK");
return -1; return -1;
@ -645,7 +645,8 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem,
return -1; return -1;
} }
if (aes_unwrap(sm->ptk.kek, WPA_IGTK_LEN / 8, igtk_elem + 9, igtk)) { if (aes_unwrap(sm->ptk.kek, 16, WPA_IGTK_LEN / 8, igtk_elem + 9, igtk))
{
wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not " wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
"decrypt IGTK"); "decrypt IGTK");
return -1; return -1;

View file

@ -500,45 +500,266 @@ static struct omac1_test_vector test_vectors[] =
}; };
int main(int argc, char *argv[]) static int test_key_wrap(void)
{ {
u8 kek[] = { unsigned int i;
int ret = 0;
/* RFC 3394 - Test vector 4.1 */
u8 kek41[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
}; };
u8 plain[] = { u8 plain41[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
}; };
u8 crypt[] = { u8 crypt41[] = {
0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47, 0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82, 0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5 0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
}; };
/* RFC 3394 - Test vector 4.2 */
u8 kek42[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};
u8 plain42[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};
u8 crypt42[] = {
0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
};
/* RFC 3394 - Test vector 4.3 */
u8 kek43[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};
u8 plain43[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};
u8 crypt43[] = {
0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7,
};
/* RFC 3394 - Test vector 4.4 */
u8 kek44[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};
u8 plain44[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
u8 crypt44[] = {
0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
};
/* RFC 3394 - Test vector 4.5 */
u8 kek45[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};
u8 plain45[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
u8 crypt45[] = {
0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1,
};
/* RFC 3394 - Test vector 4.6 */
u8 kek46[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};
u8 plain46[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
u8 crypt46[] = {
0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
};
u8 result[40];
printf("RFC 3394 - Test vector 4.1\n");
if (aes_wrap(kek41, sizeof(kek41), sizeof(plain41) / 8, plain41,
result)) {
printf("AES-WRAP-128 reported failure\n");
ret++;
}
if (memcmp(result, crypt41, sizeof(crypt41)) != 0) {
printf("AES-WRAP-128 failed\n");
ret++;
}
if (aes_unwrap(kek41, sizeof(kek41), sizeof(plain41) / 8, crypt41,
result)) {
printf("AES-UNWRAP-128 reported failure\n");
ret++;
}
if (memcmp(result, plain41, sizeof(plain41)) != 0) {
printf("AES-UNWRAP-128 failed\n");
ret++;
for (i = 0; i < sizeof(plain41); i++)
printf(" %02x", result[i]);
printf("\n");
}
printf("RFC 3394 - Test vector 4.2\n");
if (aes_wrap(kek42, sizeof(kek42), sizeof(plain42) / 8, plain42,
result)) {
printf("AES-WRAP-192 reported failure\n");
ret++;
}
if (memcmp(result, crypt42, sizeof(crypt42)) != 0) {
printf("AES-WRAP-192 failed\n");
ret++;
}
if (aes_unwrap(kek42, sizeof(kek42), sizeof(plain42) / 8, crypt42,
result)) {
printf("AES-UNWRAP-192 reported failure\n");
ret++;
}
if (memcmp(result, plain42, sizeof(plain42)) != 0) {
printf("AES-UNWRAP-192 failed\n");
ret++;
for (i = 0; i < sizeof(plain42); i++)
printf(" %02x", result[i]);
printf("\n");
}
printf("RFC 3394 - Test vector 4.3\n");
if (aes_wrap(kek43, sizeof(kek43), sizeof(plain43) / 8, plain43,
result)) {
printf("AES-WRAP-256 reported failure\n");
ret++;
}
if (memcmp(result, crypt43, sizeof(crypt43)) != 0) {
printf("AES-WRAP-256 failed\n");
ret++;
}
if (aes_unwrap(kek43, sizeof(kek43), sizeof(plain43) / 8, crypt43,
result)) {
printf("AES-UNWRAP-256 reported failure\n");
ret++;
}
if (memcmp(result, plain43, sizeof(plain43)) != 0) {
printf("AES-UNWRAP-256 failed\n");
ret++;
for (i = 0; i < sizeof(plain43); i++)
printf(" %02x", result[i]);
printf("\n");
}
printf("RFC 3394 - Test vector 4.4\n");
if (aes_wrap(kek44, sizeof(kek44), sizeof(plain44) / 8, plain44,
result)) {
printf("AES-WRAP-192 reported failure\n");
ret++;
}
if (memcmp(result, crypt44, sizeof(crypt44)) != 0) {
printf("AES-WRAP-192 failed\n");
ret++;
}
if (aes_unwrap(kek44, sizeof(kek44), sizeof(plain44) / 8, crypt44,
result)) {
printf("AES-UNWRAP-192 reported failure\n");
ret++;
}
if (memcmp(result, plain44, sizeof(plain44)) != 0) {
printf("AES-UNWRAP-192 failed\n");
ret++;
for (i = 0; i < sizeof(plain44); i++)
printf(" %02x", result[i]);
printf("\n");
}
printf("RFC 3394 - Test vector 4.5\n");
if (aes_wrap(kek45, sizeof(kek45), sizeof(plain45) / 8, plain45,
result)) {
printf("AES-WRAP-256 reported failure\n");
ret++;
}
if (memcmp(result, crypt45, sizeof(crypt45)) != 0) {
printf("AES-WRAP-256 failed\n");
ret++;
for (i = 0; i < sizeof(crypt45); i++)
printf(" %02x", result[i]);
printf("\n");
}
if (aes_unwrap(kek45, sizeof(kek45), sizeof(plain45) / 8, crypt45,
result)) {
printf("AES-UNWRAP-256 reported failure\n");
ret++;
}
if (memcmp(result, plain45, sizeof(plain45)) != 0) {
printf("AES-UNWRAP-256 failed\n");
ret++;
for (i = 0; i < sizeof(plain45); i++)
printf(" %02x", result[i]);
printf("\n");
}
printf("RFC 3394 - Test vector 4.6\n");
if (aes_wrap(kek46, sizeof(kek46), sizeof(plain46) / 8, plain46,
result)) {
printf("AES-WRAP-256 reported failure\n");
ret++;
}
if (memcmp(result, crypt46, sizeof(crypt46)) != 0) {
printf("AES-WRAP-256 failed\n");
ret++;
}
if (aes_unwrap(kek46, sizeof(kek46), sizeof(plain46) / 8, crypt46,
result)) {
printf("AES-UNWRAP-256 reported failure\n");
ret++;
}
if (memcmp(result, plain46, sizeof(plain46)) != 0) {
printf("AES-UNWRAP-256 failed\n");
ret++;
for (i = 0; i < sizeof(plain46); i++)
printf(" %02x", result[i]);
printf("\n");
}
return ret;
}
int main(int argc, char *argv[])
{
u8 result[24]; u8 result[24];
int ret = 0; int ret = 0;
unsigned int i; unsigned int i;
struct omac1_test_vector *tv; struct omac1_test_vector *tv;
if (aes_wrap(kek, 2, plain, result)) { ret += test_key_wrap();
printf("AES-WRAP-128-128 reported failure\n");
ret++;
}
if (memcmp(result, crypt, 24) != 0) {
printf("AES-WRAP-128-128 failed\n");
ret++;
}
if (aes_unwrap(kek, 2, crypt, result)) {
printf("AES-UNWRAP-128-128 reported failure\n");
ret++;
}
if (memcmp(result, plain, 16) != 0) {
printf("AES-UNWRAP-128-128 failed\n");
ret++;
for (i = 0; i < 16; i++)
printf(" %02x", result[i]);
printf("\n");
}
test_aes_perf(); test_aes_perf();

View file

@ -355,7 +355,7 @@ static u8 * decrypt_eapol_key_data_aes(struct wlantest *wt, const u8 *kek,
buf = os_malloc(keydatalen); buf = os_malloc(keydatalen);
if (buf == NULL) if (buf == NULL)
return NULL; return NULL;
if (aes_unwrap(kek, keydatalen / 8, (u8 *) (hdr + 1), buf)) { if (aes_unwrap(kek, 16, keydatalen / 8, (u8 *) (hdr + 1), buf)) {
os_free(buf); os_free(buf);
add_note(wt, MSG_INFO, add_note(wt, MSG_INFO,
"AES unwrap failed - could not decrypt EAPOL-Key " "AES unwrap failed - could not decrypt EAPOL-Key "