Commit ffa75828 authored by Petr Spacek's avatar Petr Spacek Committed by Dr. Stephen Henson
Browse files

Fix key wrapping mode with padding to conform to RFC 5649. 

According to RFC 5649 section 4.1 step 1) we should not add padding
if plaintext length is multiply of 8 ockets.

This matches pseudo-code in http://dx.doi.org/10.6028/NIST.SP.800-38F


on page 15, section 6.3 KWP, algorithm 5 KWP-AE, step 2.

PR#3675

Reviewed-by: default avatarStephen Henson <steve@openssl.org>
Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
parent b5f07d6a

crypto/modes/wrap128.c

+7 −2
Original line number Diff line number Diff line
@@ -230,8 +230,13 @@ size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv, 
                           const unsigned char *in, size_t inlen,

                           block128_f block)

{

    /* n: number of 64-bit blocks in the padded key data */

    const size_t blocks_padded = (inlen + 8) / 8;

    /* n: number of 64-bit blocks in the padded key data

     *

     * If length of plain text is not a multiple of 8, pad the plain text octet

     * string on the right with octets of zeros, where final length is the

     * smallest multiple of 8 that is greater than length of plain text.

     * If length of plain text is a multiple of 8, then there is no padding. */

    const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */

    const size_t padded_len = blocks_padded * 8;

    const size_t padding_len = padded_len - inlen;

    /* RFC 5649 section 3: Alternative Initial Value */