From ffa75828dd13decb41d075576db676c81c1198f1 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Mon, 26 Jan 2015 14:39:50 +0100 Subject: [PATCH] Fix key wrapping mode with padding to conform to RFC 5649. According to RFC 5649 section 4.1 step 1) we should not add padding if plaintext length is multiply of 8 ockets. This matches pseudo-code in http://dx.doi.org/10.6028/NIST.SP.800-38F on page 15, section 6.3 KWP, algorithm 5 KWP-AE, step 2. PR#3675 Reviewed-by: Stephen Henson Reviewed-by: Andy Polyakov --- crypto/modes/wrap128.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto/modes/wrap128.c b/crypto/modes/wrap128.c index 2f65314cfa..ccb58c5a0b 100644 --- a/crypto/modes/wrap128.c +++ b/crypto/modes/wrap128.c @@ -230,8 +230,13 @@ size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv, const unsigned char *in, size_t inlen, block128_f block) { - /* n: number of 64-bit blocks in the padded key data */ - const size_t blocks_padded = (inlen + 8) / 8; + /* n: number of 64-bit blocks in the padded key data + * + * If length of plain text is not a multiple of 8, pad the plain text octet + * string on the right with octets of zeros, where final length is the + * smallest multiple of 8 that is greater than length of plain text. + * If length of plain text is a multiple of 8, then there is no padding. */ + const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */ const size_t padded_len = blocks_padded * 8; const size_t padding_len = padded_len - inlen; /* RFC 5649 section 3: Alternative Initial Value */ -- 2.40.0