Backport the AES KWP fix (#4164)

* fix bug with n % 8 length wrapping on AESKWP (#4160) * fix bug with n % 8 length wrapping on AESKWP * review feedback * add changelog
2026-05-14 20:37:55 +00:00 · 2018-03-20 18:42:18 -04:00 · 2018-03-20 18:42:18 -04:00 · be31b36152
commit be31b36152
parent b17f0527a0
3 changed files with 35 additions and 2 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -8,6 +8,10 @@ Changelog

 * Reverted a change to ``GeneralNames`` which prohibited having zero elements,
  due to breakages.
+* Fixed a bug in
+  :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
+  that caused it to raise ``InvalidUnwrap`` when key length modulo 8 was
+  zero.

 .. _v2-2:

--- a/src/cryptography/hazmat/primitives/keywrap.py
+++ b/src/cryptography/hazmat/primitives/keywrap.py
@ -118,11 +118,16 @@ def aes_key_unwrap_with_padding(wrapping_key, wrapped_key, backend):
    b = (8 * n) - mli
    if (
        not bytes_eq(a[:4], b"\xa6\x59\x59\xa6") or not
-        8 * (n - 1) < mli <= 8 * n or not bytes_eq(data[-b:], b"\x00" * b)
+        8 * (n - 1) < mli <= 8 * n or (
+            b != 0 and not bytes_eq(data[-b:], b"\x00" * b)
+        )
    ):
        raise InvalidUnwrap()

-    return data[:-b]
+    if b == 0:
+        return data
+    else:
+        return data[:-b]


 def aes_key_unwrap(wrapping_key, wrapped_key, backend):
--- a/tests/hazmat/primitives/test_keywrap.py
+++ b/tests/hazmat/primitives/test_keywrap.py
@ -141,6 +141,18 @@ class TestAESKeyWrapWithPadding(object):
        )
        assert params["c"] == binascii.hexlify(wrapped_key)

+    @pytest.mark.parametrize(
+        "params",
+        _load_all_params("keywrap", ["kwp_botan.txt"], load_nist_vectors)
+    )
+    def test_wrap_additional_vectors(self, backend, params):
+        wrapping_key = binascii.unhexlify(params["key"])
+        key_to_wrap = binascii.unhexlify(params["input"])
+        wrapped_key = keywrap.aes_key_wrap_with_padding(
+            wrapping_key, key_to_wrap, backend
+        )
+        assert wrapped_key == binascii.unhexlify(params["output"])
+
    @pytest.mark.parametrize(
        "params",
        _load_all_params(
@ -163,6 +175,18 @@ class TestAESKeyWrapWithPadding(object):
            )
            assert params["p"] == binascii.hexlify(unwrapped_key)

+    @pytest.mark.parametrize(
+        "params",
+        _load_all_params("keywrap", ["kwp_botan.txt"], load_nist_vectors)
+    )
+    def test_unwrap_additional_vectors(self, backend, params):
+        wrapping_key = binascii.unhexlify(params["key"])
+        wrapped_key = binascii.unhexlify(params["output"])
+        unwrapped_key = keywrap.aes_key_unwrap_with_padding(
+            wrapping_key, wrapped_key, backend
+        )
+        assert unwrapped_key == binascii.unhexlify(params["input"])
+
    def test_unwrap_invalid_wrapped_key_length(self, backend):
        # Keys to unwrap must be at least 16 bytes
        with pytest.raises(ValueError, match='Must be at least 16 bytes'):