[openssl-dev] [openssl.org #3675] Fix key wrapping mode with padding to conform to RFC 5649

Mon, 26 Jan 2015 10:05:46 -0800 

Hello,

I'm attaching patch which fixes key wrapping mode with padding to conform to
RFC 5649.

According to RFC 5649 section 4.1 step 1) we should not add padding if
plaintext length is multiple of 8 ockets.

This matches pseudo-code in http://dx.doi.org/10.6028/NIST.SP.800-38F
on page 15, section 6.3 KWP, algorithm 5 KWP-AE, step 2.


Alternatively the same patch can be pulled from branch rfc5649_fix on Github:
https://github.com/spacekpe/openssl/commit/69a37391f4a82855246fd86ddfb0c6bb47c36855

Have a nice day!

-- 
Petr Spacek  @  Red Hat


>From 69a37391f4a82855246fd86ddfb0c6bb47c36855 Mon Sep 17 00:00:00 2001
From: Petr Spacek <[email protected]>
Date: Mon, 26 Jan 2015 14:39:50 +0100
Subject: [PATCH] Fix key wrapping mode with padding to conform to RFC 5649.

According to RFC 5649 section 4.1 step 1) we should not add padding
if plaintext length is multiply of 8 ockets.

This matches pseudo-code in http://dx.doi.org/10.6028/NIST.SP.800-38F
on page 15, section 6.3 KWP, algorithm 5 KWP-AE, step 2.
---
 crypto/modes/wrap128.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/crypto/modes/wrap128.c b/crypto/modes/wrap128.c
index 2f65314cfa26c181e9ae21a1136d441b35cffc54..ccb58c5a0b3147a3f7d0605c5817f79aca1d7e18 100644
--- a/crypto/modes/wrap128.c
+++ b/crypto/modes/wrap128.c
@@ -230,8 +230,13 @@ size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
                            const unsigned char *in, size_t inlen,
                            block128_f block)
 {
-    /* n: number of 64-bit blocks in the padded key data */
-    const size_t blocks_padded = (inlen + 8) / 8;
+    /* n: number of 64-bit blocks in the padded key data
+     *
+     * If length of plain text is not a multiple of 8, pad the plain text octet
+     * string on the right with octets of zeros, where final length is the
+     * smallest multiple of 8 that is greater than length of plain text.
+     * If length of plain text is a multiple of 8, then there is no padding. */
+    const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
     const size_t padded_len = blocks_padded * 8;
     const size_t padding_len = padded_len - inlen;
     /* RFC 5649 section 3: Alternative Initial Value */
-- 
2.1.0


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to