The spec, https://tools.ietf.org/html/rfc3394, section 2, states that
we need at least two 64 bit blocks for wrapping and, accordingly, three
64 bit blocks for unwrapping. That is: we need at least 16 bytes for
wrapping and 24 bytes for unwrapping.
This also matches the lower bounds that OpenSSL have in their
CRYPTO_128_{un,}wrap() functions.
In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(),
this results in a segfault since then inlen -= 8 underflows.
Found while playing with the Wycheproof keywrap test vectors.
Index: aes/aes_wrap.c
===================================================================
RCS file: /var/cvs/src/lib/libcrypto/aes/aes_wrap.c,v
retrieving revision 1.10
diff -u -p -r1.10 aes_wrap.c
--- aes/aes_wrap.c 10 Sep 2015 15:56:24 -0000 1.10
+++ aes/aes_wrap.c 17 Oct 2018 23:12:19 -0000
@@ -66,7 +66,8 @@ AES_wrap_key(AES_KEY *key, const unsigne
{
unsigned char *A, B[16], *R;
unsigned int i, j, t;
- if ((inlen & 0x7) || (inlen < 8))
+
+ if ((inlen & 0x7) || (inlen < 16))
return -1;
A = B;
t = 1;
@@ -100,11 +101,10 @@ AES_unwrap_key(AES_KEY *key, const unsig
{
unsigned char *A, B[16], *R;
unsigned int i, j, t;
- inlen -= 8;
- if (inlen & 0x7)
- return -1;
- if (inlen < 8)
+
+ if ((inlen & 0x7) || (inlen < 24))
return -1;
+ inlen -= 8;
A = B;
t = 6 * (inlen >> 3);
memcpy(A, in, 8);
