aes-kw 0.3.1

NIST 800-38F AES Key Wrap (KW) and Key Wrap with Padding (KWP) modes
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

use crate::IV_LEN;
use aes::cipher::{
    Block, BlockCipherDecBackend, BlockCipherDecClosure, BlockCipherEncBackend,
    BlockCipherEncClosure, BlockSizeUser, typenum::U16,
};

pub(crate) struct Ctx<'a> {
    pub(crate) blocks_len: usize,
    pub(crate) block: &'a mut Block<Self>,
    pub(crate) buf: &'a mut [u8],
}

impl BlockSizeUser for Ctx<'_> {
    type BlockSize = U16;
}

/// Very similar to the W(S) function defined by NIST in SP 800-38F, Section 6.1
impl BlockCipherEncClosure for Ctx<'_> {
    #[inline(always)]
    fn call<B: BlockCipherEncBackend<BlockSize = U16>>(self, backend: &B) {
        for j in 0..=5 {
            for (i, chunk) in self.buf.chunks_mut(IV_LEN).skip(1).enumerate() {
                // A | R[i]
                self.block[IV_LEN..].copy_from_slice(chunk);
                // B = AES(K, ..)
                backend.encrypt_block(self.block.into());

                // A = MSB(64, B) ^ t
                let t = (self.blocks_len * j + (i + 1)) as u64;
                for (ai, ti) in self.block[..IV_LEN].iter_mut().zip(&t.to_be_bytes()) {
                    *ai ^= ti;
                }

                // R[i] = LSB(64, B)
                chunk.copy_from_slice(&self.block[IV_LEN..]);
            }
        }
    }
}

/// Very similar to the W^-1(S) function defined by NIST in SP 800-38F, Section 6.1
impl BlockCipherDecClosure for Ctx<'_> {
    #[inline(always)]
    fn call<B: BlockCipherDecBackend<BlockSize = U16>>(self, backend: &B) {
        for j in (0..=5).rev() {
            for (i, chunk) in self.buf.chunks_mut(IV_LEN).enumerate().rev() {
                // A ^ t
                let t = (self.blocks_len * j + (i + 1)) as u64;
                for (ai, ti) in self.block[..IV_LEN].iter_mut().zip(&t.to_be_bytes()) {
                    *ai ^= ti;
                }

                // (A ^ t) | R[i]
                self.block[IV_LEN..].copy_from_slice(chunk);

                // B = AES-1(K, ..)
                backend.decrypt_block(self.block.into());

                // A = MSB(64, B)
                // already set

                // R[i] = LSB(64, B)
                chunk.copy_from_slice(&self.block[IV_LEN..]);
            }
        }
    }
}