enc : add support for wrap mode

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17691)
2025-01-30 14:01:55 +08:00 · 2022-02-12 02:07:34 +01:00 · 2022-02-12 02:07:34 +01:00 · 7850cc8307
commit 7850cc8307
parent b089d54624
3 changed files with 45 additions and 3 deletions
--- a/apps/enc.c
+++ b/apps/enc.c
@ -127,6 +127,8 @@ int enc_main(int argc, char **argv)
    int pbkdf2 = 0;
    int iter = 0;
    long n;
+    int streamable = 1;
+    int wrap = 0;
    struct doall_enc_ciphers dec;
 #ifdef ZLIB
    int do_zlib = 0;
@ -298,6 +300,10 @@ int enc_main(int argc, char **argv)
    /* Get the cipher name, either from progname (if set) or flag. */
    if (!opt_cipher(ciphername, &cipher))
        goto opthelp;
+    if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_WRAP_MODE)) {
+        wrap = 1;
+        streamable = 0;
+    }
    if (digestname != NULL) {
        if (!opt_md(digestname, &dgst))
            goto opthelp;
@ -328,6 +334,10 @@ int enc_main(int argc, char **argv)
    buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");

    if (infile == NULL) {
+        if (!streamable) {
+            BIO_printf(bio_err, "Unstreamable cipher mode\n");
+            goto end;
+        }
        in = dup_bio_in(informat);
    } else {
        in = bio_open_default(infile, 'r', informat);
@ -524,7 +534,8 @@ int enc_main(int argc, char **argv)
            }
        }
        if ((hiv == NULL) && (str == NULL)
-            && EVP_CIPHER_get_iv_length(cipher) != 0) {
+            && EVP_CIPHER_get_iv_length(cipher) != 0
+            && wrap == 0) {
            /*
             * No IV was explicitly set and no IV was generated.
             * Hence the IV is undefined, making correct decryption impossible.
@ -551,6 +562,9 @@ int enc_main(int argc, char **argv)

        BIO_get_cipher_ctx(benc, &ctx);

+        if (wrap == 1)
+            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+
        if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
            BIO_printf(bio_err, "Error setting cipher %s\n",
                       EVP_CIPHER_get0_name(cipher));
@ -561,7 +575,8 @@ int enc_main(int argc, char **argv)
        if (nopad)
            EVP_CIPHER_CTX_set_padding(ctx, 0);

-        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key,
+                               (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
            BIO_printf(bio_err, "Error setting cipher %s\n",
                       EVP_CIPHER_get0_name(cipher));
            ERR_print_errors(bio_err);
@ -607,10 +622,16 @@ int enc_main(int argc, char **argv)
        inl = BIO_read(rbio, (char *)buff, bsize);
        if (inl <= 0)
            break;
+        if (!streamable && !BIO_eof(rbio)) {    /* do not output data */
+            BIO_printf(bio_err, "Unstreamable cipher mode\n");
+            goto end;
+        }
        if (BIO_write(wbio, (char *)buff, inl) != inl) {
            BIO_printf(bio_err, "error writing output file\n");
            goto end;
        }
+        if (!streamable)
+            break;
    }
    if (!BIO_flush(wbio)) {
        BIO_printf(bio_err, "bad decrypt\n");
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@ -149,6 +149,7 @@ void openssl_add_all_ciphers_int(void)
    EVP_add_cipher(EVP_aes_128_wrap());
    EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
    EVP_add_cipher(EVP_aes_128_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes128_wrap_pad, "aes128-wrap-pad");
    EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
    EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
    EVP_add_cipher(EVP_aes_192_ecb());
@ -166,6 +167,7 @@ void openssl_add_all_ciphers_int(void)
    EVP_add_cipher(EVP_aes_192_wrap());
    EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
    EVP_add_cipher(EVP_aes_192_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes192_wrap_pad, "aes192-wrap-pad");
    EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
    EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
    EVP_add_cipher(EVP_aes_256_ecb());
@ -184,6 +186,7 @@ void openssl_add_all_ciphers_int(void)
    EVP_add_cipher(EVP_aes_256_wrap());
    EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
    EVP_add_cipher(EVP_aes_256_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes256_wrap_pad, "aes256-wrap-pad");
    EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
    EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
    EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@ -274,7 +274,7 @@ able to roll back upon authentication failure.  The AEAD modes currently in
 common use also suffer from catastrophic failure of confidentiality and/or
 integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
 entire burden of key/iv/nonce management upon the user, the risk of
-exposing AEAD modes is too great to allow.  These key/iv/nonce
+exposing AEAD modes is too great to allow. These key/iv/nonce
 management issues also affect other modes currently exposed in this command,
 but the failure modes are less extreme in these cases, and the
 functionality cannot be removed with a stable release branch.
@ -282,6 +282,15 @@ For bulk encryption of data, whether using authenticated encryption
 modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
 standard data format and performs the needed key/iv/nonce management.

+When enc is used with key wrapping modes the input data cannot be streamed,
+meaning it must be processed in a single pass.
+Consequently, the input data size must be less than
+the buffer size (-bufsize arg, default to 8*1024 bytes).
+The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
+because no padding is involved.
+The '*-wrap-pad' ciphers allow any input length.
+In both cases, no IV is needed. See example below.
+

 base64             Base 64

@ -369,6 +378,9 @@ standard data format and performs the needed key/iv/nonce management.
 aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
 aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode

+ aes-[128|192|256]-wrap     key wrapping using 128/192/256 bit AES
+ aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
+
 aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
 aria[128|192|256]       Alias for aria-[128|192|256]-cbc
 aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
@ -417,6 +429,12 @@ Base64 decode a file then decrypt it using a password supplied in a file:
 openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
    -pass file:<passfile>

+AES key wrapping:
+
+ openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
+or
+ openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin
+
 =head1 BUGS

 The B<-A> option when used with large files doesn't work properly.