AESWrap: fix wrap/unwrap of 64-bit keys

peterdettman · peterdettman · commit 92f2dd8bec55 · 2022-12-05T17:49:47.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapEngine.java
@@ -18,7 +18,7 @@ public AESWrapEngine()
     }
 
     /**
-     * Create an AESWrapEngine where the underlying cipher is set to decrypt for wrapping, encrypt for unwrapping.
+     * Create an AESWrapEngine where the underlying cipher is (optionally) set to decrypt for wrapping, encrypt for unwrapping.
      *
      * @param useReverseDirection true if underlying cipher should be used in decryption mode, false otherwise.
      */
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java
@@ -48,7 +48,7 @@ public RFC3394WrapEngine(BlockCipher engine)
     public RFC3394WrapEngine(BlockCipher engine, boolean useReverseDirection)
     {
         this.engine = engine;
-        this.wrapCipherMode = (useReverseDirection) ? false : true;
+        this.wrapCipherMode = !useReverseDirection;
     }
 
     public void init(
@@ -91,6 +91,10 @@ public byte[] wrap(
         {
             throw new IllegalStateException("not set for wrapping");
         }
+        if (inLen < 8)
+        {
+            throw new DataLengthException("wrap data must be at least 8 bytes");
+        }
 
         int     n = inLen / 8;
 
@@ -99,34 +103,41 @@ public byte[] wrap(
             throw new DataLengthException("wrap data must be a multiple of 8 bytes");
         }
 
-        byte[]  block = new byte[inLen + iv.length];
-        byte[]  buf = new byte[8 + iv.length];
+        engine.init(wrapCipherMode, param);
 
+        byte[] block = new byte[inLen + iv.length];
         System.arraycopy(iv, 0, block, 0, iv.length);
         System.arraycopy(in, inOff, block, iv.length, inLen);
 
-        engine.init(wrapCipherMode, param);
-
-        for (int j = 0; j != 6; j++)
+        if (n == 1)
         {
-            for (int i = 1; i <= n; i++)
-            {
-                System.arraycopy(block, 0, buf, 0, iv.length);
-                System.arraycopy(block, 8 * i, buf, iv.length, 8);
-                engine.processBlock(buf, 0, buf, 0);
+            engine.processBlock(block, 0, block, 0);
+        }
+        else
+        {
+            byte[] buf = new byte[8 + iv.length];
 
-                int t = n * j + i;
-                for (int k = 1; t != 0; k++)
+            for (int j = 0; j != 6; j++)
+            {
+                for (int i = 1; i <= n; i++)
                 {
-                    byte    v = (byte)t;
+                    System.arraycopy(block, 0, buf, 0, iv.length);
+                    System.arraycopy(block, 8 * i, buf, iv.length, 8);
+                    engine.processBlock(buf, 0, buf, 0);
 
-                    buf[iv.length - k] ^= v;
+                    int t = n * j + i;
+                    for (int k = 1; t != 0; k++)
+                    {
+                        byte    v = (byte)t;
 
-                    t >>>= 8;
-                }
+                        buf[iv.length - k] ^= v;
+
+                        t >>>= 8;
+                    }
 
-                System.arraycopy(buf, 0, block, 0, 8);
-                System.arraycopy(buf, 8, block, 8 * i, 8);
+                    System.arraycopy(buf, 0, block, 0, 8);
+                    System.arraycopy(buf, 8, block, 8 * i, 8);
+                }
             }
         }
 
@@ -143,7 +154,7 @@ public byte[] unwrap(
         {
             throw new IllegalStateException("not set for unwrapping");
         }
-        if (inLen < iv.length)
+        if (inLen < 16)
         {
             throw new InvalidCipherTextException("unwrap data too short");
         }
@@ -155,37 +166,46 @@ public byte[] unwrap(
             throw new InvalidCipherTextException("unwrap data must be a multiple of 8 bytes");
         }
 
-        byte[]  block = new byte[inLen - iv.length];
-        byte[]  a = new byte[iv.length];
-        byte[]  buf = new byte[8 + iv.length];
-
-        System.arraycopy(in, inOff, a, 0, iv.length);
-        System.arraycopy(in, inOff + iv.length, block, 0, inLen - iv.length);
-
         engine.init(!wrapCipherMode, param);
 
+        byte[] block = new byte[inLen - iv.length];
+        byte[] a = new byte[iv.length];
+        byte[] buf = new byte[8 + iv.length];
+
         n = n - 1;
 
-        for (int j = 5; j >= 0; j--)
+        if (n == 1)
         {
-            for (int i = n; i >= 1; i--)
-            {
-                System.arraycopy(a, 0, buf, 0, iv.length);
-                System.arraycopy(block, 8 * (i - 1), buf, iv.length, 8);
+            engine.processBlock(in, inOff, buf, 0);
+            System.arraycopy(buf, 0, a, 0, iv.length);
+            System.arraycopy(buf, iv.length, block, 0, 8);
+        }
+        else
+        {
+            System.arraycopy(in, inOff, a, 0, iv.length);
+            System.arraycopy(in, inOff + iv.length, block, 0, inLen - iv.length);
 
-                int t = n * j + i;
-                for (int k = 1; t != 0; k++)
+            for (int j = 5; j >= 0; j--)
+            {
+                for (int i = n; i >= 1; i--)
                 {
-                    byte    v = (byte)t;
-
-                    buf[iv.length - k] ^= v;
-
-                    t >>>= 8;
+                    System.arraycopy(a, 0, buf, 0, iv.length);
+                    System.arraycopy(block, 8 * (i - 1), buf, iv.length, 8);
+    
+                    int t = n * j + i;
+                    for (int k = 1; t != 0; k++)
+                    {
+                        byte    v = (byte)t;
+    
+                        buf[iv.length - k] ^= v;
+    
+                        t >>>= 8;
+                    }
+    
+                    engine.processBlock(buf, 0, buf, 0);
+                    System.arraycopy(buf, 0, a, 0, 8);
+                    System.arraycopy(buf, 8, block, 8 * (i - 1), 8);
                 }
-
-                engine.processBlock(buf, 0, buf, 0);
-                System.arraycopy(buf, 0, a, 0, 8);
-                System.arraycopy(buf, 8, block, 8 * (i - 1), 8);
             }
         }
 
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/AESWrapTest.java b/core/src/test/java/org/bouncycastle/crypto/test/AESWrapTest.java
@@ -181,6 +181,12 @@ public void performTest()
         byte[]  out7 = Hex.decode("cba01acbdb4c7c39fa59babb383c485f318837208731a81c735b5be6ba710375a1159e26a9b57228");
         wrapTest(7, kek7, in7, out7, true);
 
+        // Example of 64-bit input (which uses a simplified wrapping algorithm)
+        byte[]  kek8 = Hex.decode("574957151fc2afe0fa3dc7a9a7da6495");
+        byte[]  in8 = Hex.decode("0001020304050607");
+        byte[]  out8 = Hex.decode("6f0b501f1f2f59e3ae605aa679ce43a6");
+        wrapTest(8, kek8, in8, out8);
+
         Wrapper      wrapper = new AESWrapEngine();
         KeyParameter key = new KeyParameter(new byte[16]);
         byte[]       buf = new byte[16];

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ public AESWrapEngine()`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`/**`
`21`		`- * Create an AESWrapEngine where the underlying cipher is set to decrypt for wrapping, encrypt for unwrapping.`
	`21`	`+ * Create an AESWrapEngine where the underlying cipher is (optionally) set to decrypt for wrapping, encrypt for unwrapping.`
`22`	`22`	`*`
`23`	`23`	`* @param useReverseDirection true if underlying cipher should be used in decryption mode, false otherwise.`
`24`	`24`	`*/`