wolfcrypt 0.1.1

RustCrypto trait implementations backed by wolfCrypt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

//! AES Key Wrap (RFC 3394) backed by wolfCrypt.
//!
//! Provides [`aes_wrap_key`] and [`aes_unwrap_key`] which implement the
//! AES Key Wrap algorithm per RFC 3394 using wolfSSL's OpenSSL-compatible
//! `AES_wrap_key` / `AES_unwrap_key` functions.
//!
//! The Key Encryption Key (KEK) must be 16, 24, or 32 bytes (AES-128/192/256).
//! The plaintext (key data) must be a multiple of 8 bytes and at least 16 bytes.
//! The ciphertext is always 8 bytes longer than the plaintext.
//!
//! # Example
//!
//! ```ignore
//! use wolfcrypt::keywrap::{aes_wrap_key, aes_unwrap_key};
//!
//! let kek = [0u8; 16];
//! let key_data = [0x42u8; 16];
//! let wrapped = aes_wrap_key(&kek, &key_data).unwrap();
//! let unwrapped = aes_unwrap_key(&kek, &wrapped).unwrap();
//! assert_eq!(&key_data[..], &unwrapped[..]);
//! ```

use core::ffi::c_uint;
use core::ptr;

use alloc::vec;
use alloc::vec::Vec;

use crate::error::{check, WolfCryptError};
use wolfcrypt_rs::{AES_KEY, AES_set_encrypt_key, AES_set_decrypt_key, AES_wrap_key, AES_unwrap_key};

/// RAII guard that zeroizes the key schedule in an `AES_KEY` on drop.
///
/// Ensures the key material is cleared on every exit path (success, error,
/// or panic) without requiring manual cleanup at each `return`.
struct AesKeyGuard(AES_KEY);

impl Drop for AesKeyGuard {
    fn drop(&mut self) {
        use zeroize::Zeroize;
        // SAFETY: We have exclusive access (&mut self). AES_KEY is a plain
        // C struct with no Rust drop glue. Zeroing its raw bytes is safe.
        let bytes = unsafe {
            core::slice::from_raw_parts_mut(
                &mut self.0 as *mut AES_KEY as *mut u8,
                core::mem::size_of::<AES_KEY>(),
            )
        };
        bytes.zeroize();
    }
}

/// Wrap `plaintext` key data under `kek` per RFC 3394.
///
/// - `kek` must be 16, 24, or 32 bytes.
/// - `plaintext` must be a multiple of 8 bytes and at least 16 bytes.
/// - Returns ciphertext of `plaintext.len() + 8` bytes on success.
pub fn aes_wrap_key(kek: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, WolfCryptError> {
    if plaintext.len() < 16 || plaintext.len() % 8 != 0 {
        return Err(WolfCryptError::INVALID_INPUT);
    }
    match kek.len() {
        16 | 24 | 32 => {}
        _ => return Err(WolfCryptError::INVALID_INPUT),
    }

    unsafe {
        let mut guard = AesKeyGuard(AES_KEY::zeroed());
        let rc = AES_set_encrypt_key(kek.as_ptr(), (kek.len() * 8) as c_uint, &mut guard.0);
        check(rc, "AES_set_encrypt_key")?;

        let mut out = vec![0u8; plaintext.len() + 8];
        let rc = AES_wrap_key(
            &guard.0,
            ptr::null(), // default IV (A6A6A6A6 A6A6A6A6)
            out.as_mut_ptr(),
            plaintext.as_ptr(),
            plaintext.len(),
        );
        if rc <= 0 {
            return Err(WolfCryptError::Ffi { code: rc, func: "AES_wrap_key" });
        }
        let out_len = rc as usize;
        if out_len > out.len() {
            return Err(WolfCryptError::Ffi { code: -1, func: "AES_wrap_key (output length)" });
        }
        out.truncate(out_len);
        Ok(out)
    }
}

/// Unwrap `ciphertext` under `kek` per RFC 3394.
///
/// - `kek` must be 16, 24, or 32 bytes.
/// - `ciphertext` must be a multiple of 8 bytes and at least 24 bytes.
/// - Returns the original key data (`ciphertext.len() - 8` bytes) on success.
pub fn aes_unwrap_key(kek: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, WolfCryptError> {
    if ciphertext.len() < 24 || ciphertext.len() % 8 != 0 {
        return Err(WolfCryptError::INVALID_INPUT);
    }
    match kek.len() {
        16 | 24 | 32 => {}
        _ => return Err(WolfCryptError::INVALID_INPUT),
    }

    unsafe {
        let mut guard = AesKeyGuard(AES_KEY::zeroed());
        let rc = AES_set_decrypt_key(kek.as_ptr(), (kek.len() * 8) as c_uint, &mut guard.0);
        check(rc, "AES_set_decrypt_key")?;

        let mut out = vec![0u8; ciphertext.len()];
        let rc = AES_unwrap_key(
            &guard.0,
            ptr::null(), // default IV (A6A6A6A6 A6A6A6A6)
            out.as_mut_ptr(),
            ciphertext.as_ptr(),
            ciphertext.len(),
        );
        if rc <= 0 {
            return Err(WolfCryptError::Ffi { code: rc, func: "AES_unwrap_key" });
        }
        let out_len = rc as usize;
        if out_len > out.len() {
            return Err(WolfCryptError::Ffi { code: -1, func: "AES_unwrap_key (output length)" });
        }
        out.truncate(out_len);
        Ok(out)
    }
}