[openssl] master update

Dr. Paul Dale pauli at openssl.org
Fri Feb 18 04:04:40 UTC 2022


The branch master has been updated
       via  7850cc8307b9105f37dde864d5c8c881c522b28a (commit)
      from  b089d546242bbc073aefb6f6471586e484118863 (commit)


- Log -----------------------------------------------------------------
commit 7850cc8307b9105f37dde864d5c8c881c522b28a
Author: EasySec <easy.sec at free.fr>
Date:   Sat Feb 12 02:07:34 2022 +0100

    enc : add support for wrap mode
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17691)

-----------------------------------------------------------------------

Summary of changes:
 apps/enc.c                  | 25 +++++++++++++++++++++++--
 crypto/evp/c_allc.c         |  3 +++
 doc/man1/openssl-enc.pod.in | 20 +++++++++++++++++++-
 3 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/apps/enc.c b/apps/enc.c
index b14129d9b0..d50baa6d2f 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -127,6 +127,8 @@ int enc_main(int argc, char **argv)
     int pbkdf2 = 0;
     int iter = 0;
     long n;
+    int streamable = 1;
+    int wrap = 0;
     struct doall_enc_ciphers dec;
 #ifdef ZLIB
     int do_zlib = 0;
@@ -298,6 +300,10 @@ int enc_main(int argc, char **argv)
     /* Get the cipher name, either from progname (if set) or flag. */
     if (!opt_cipher(ciphername, &cipher))
         goto opthelp;
+    if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_WRAP_MODE)) {
+        wrap = 1;
+        streamable = 0;
+    }
     if (digestname != NULL) {
         if (!opt_md(digestname, &dgst))
             goto opthelp;
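Review bot: The new mode test `if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_WRAP_MODE))` uses the pre-3.0 accessor name and an implicit pointer test, while the rest of this diff uses the `EVP_CIPHER_get_*` names (`EVP_CIPHER_get_iv_length`, `EVP_CIPHER_get0_name`). I would write it as `if (cipher != NULL && EVP_CIPHER_get_mode(cipher) == EVP_CIPH_WRAP_MODE) {`. In the visible hunks `streamable` is only cleared together with `wrap` being set, so a one-line comment saying why wrap modes cannot be streamed (the input has to be processed in a single pass) would explain why two flags exist. enc_main starts and ends outside this hunk.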
@@ -328,6 +334,10 @@ int enc_main(int argc, char **argv)
     buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
 
     if (infile == NULL) {
+        if (!streamable) {
+            BIO_printf(bio_err, "Unstreamable cipher mode\n");
+            goto end;
+        }
         in = dup_bio_in(informat);
     } else {
         in = bio_open_default(infile, 'r', informat);
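Review bot: The message `Unstreamable cipher mode` printed when no `-in` is given does not say what went wrong or how to fix it, and the same text is reused in the read loop later in this diff for a different failure (input that did not fit in one read). Two distinct messages would make these diagnosable, for example `BIO_printf(bio_err, "This cipher mode cannot read from standard input, use -in\n");` here and a message naming `-bufsize` in the loop. The man page text added by this commit describes the buffer-size limit but does not mention that standard input is refused. The `end` label is outside this hunk, so cleanup of `buff` on this path cannot be checked from here.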
@@ -524,7 +534,8 @@ int enc_main(int argc, char **argv)
             }
         }
         if ((hiv == NULL) && (str == NULL)
-            && EVP_CIPHER_get_iv_length(cipher) != 0) {
+            && EVP_CIPHER_get_iv_length(cipher) != 0
+            && wrap == 0) {
             /*
              * No IV was explicitly set and no IV was generated.
              * Hence the IV is undefined, making correct decryption impossible.
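Review bot: The added `&& wrap == 0` exempts wrap modes from the "IV undefined" check, but the comment directly below still reads as if a missing IV always makes decryption impossible. The same applies to the `(hiv == NULL && wrap == 1 ? NULL : iv)` argument in the later `EVP_CipherInit_ex` hunk, which changes the IV in use without explanation. Suggest extending the comment with `* Wrap modes are exempt: without -iv, NULL is passed and the cipher's default IV applies.` and putting a matching one-line comment above the ternary. When the key is derived from a password, the derived IV is dropped for wrap ciphers; whether the `-p`/`-P` output still prints it is outside the visible hunks and worth checking.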
@@ -551,6 +562,9 @@ int enc_main(int argc, char **argv)
 
         BIO_get_cipher_ctx(benc, &ctx);
 
+        if (wrap == 1)
+            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+
         if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
                        EVP_CIPHER_get0_name(cipher));
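Review bot: The `EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)` call has no comment, yet its placement before the first `EVP_CipherInit_ex` is what makes it effective, so a later reorder could break wrap support without anyone noticing. Suggest `/* wrap-mode ciphers are refused at init unless the caller opts in */` above it, and `if (wrap)` to match the `if (nopad)` style in the following hunk. `ctx` comes from `BIO_get_cipher_ctx` on the context line above, whose result is not checked in the visible lines.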
@@ -561,7 +575,8 @@ int enc_main(int argc, char **argv)
         if (nopad)
             EVP_CIPHER_CTX_set_padding(ctx, 0);
 
-        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key,
+                               (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
                        EVP_CIPHER_get0_name(cipher));
             ERR_print_errors(bio_err);
@@ -607,10 +622,16 @@ int enc_main(int argc, char **argv)
         inl = BIO_read(rbio, (char *)buff, bsize);
         if (inl <= 0)
             break;
+        if (!streamable && !BIO_eof(rbio)) {    /* do not output data */
+            BIO_printf(bio_err, "Unstreamable cipher mode\n");
+            goto end;
+        }
         if (BIO_write(wbio, (char *)buff, inl) != inl) {
             BIO_printf(bio_err, "error writing output file\n");
             goto end;
         }
+        if (!streamable)
+            break;
     }
     if (!BIO_flush(wbio)) {
         BIO_printf(bio_err, "bad decrypt\n");
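Review bot: The single-pass guard `if (!streamable && !BIO_eof(rbio))` decides "too large" from the EOF state after one `BIO_read`, which leaves two edge cases that deserve a comment or a test. An input of exactly `bsize` bytes will likely be rejected, because a file source usually reports EOF only after a read runs past the end. When `rbio` is a filter chain rather than a plain file (its construction is not visible in this hunk), EOF on the underlying source may not mean the filter has nothing left, in which case the unconditional `break` after the first write would drop the remainder without an error. Suggest replacing `/* do not output data */` with a comment stating the contract, e.g. `/* single pass only: the whole input must arrive in this one read, otherwise refuse before writing */`, and adding test inputs of `bsize` and `bsize - 1` bytes. The loop header and the `end` label are outside the hunk.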
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index d556b5ab28..350a0e0527 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -149,6 +149,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_128_wrap());
     EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
     EVP_add_cipher(EVP_aes_128_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes128_wrap_pad, "aes128-wrap-pad");
     EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
     EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
     EVP_add_cipher(EVP_aes_192_ecb());
@@ -166,6 +167,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_192_wrap());
     EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
     EVP_add_cipher(EVP_aes_192_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes192_wrap_pad, "aes192-wrap-pad");
     EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
     EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
     EVP_add_cipher(EVP_aes_256_ecb());
@@ -184,6 +186,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_256_wrap());
     EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
     EVP_add_cipher(EVP_aes_256_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes256_wrap_pad, "aes256-wrap-pad");
     EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
     EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in
index f424358ab3..85f707a17a 100644
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@@ -274,7 +274,7 @@ able to roll back upon authentication failure.  The AEAD modes currently in
 common use also suffer from catastrophic failure of confidentiality and/or
 integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
 entire burden of key/iv/nonce management upon the user, the risk of
-exposing AEAD modes is too great to allow.  These key/iv/nonce
+exposing AEAD modes is too great to allow. These key/iv/nonce
 management issues also affect other modes currently exposed in this command,
 but the failure modes are less extreme in these cases, and the
 functionality cannot be removed with a stable release branch.
@@ -282,6 +282,15 @@ For bulk encryption of data, whether using authenticated encryption
 modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
 standard data format and performs the needed key/iv/nonce management.
 
+When enc is used with key wrapping modes the input data cannot be streamed,
+meaning it must be processed in a single pass.
+Consequently, the input data size must be less than
+the buffer size (-bufsize arg, default to 8*1024 bytes).
+The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
+because no padding is involved.
+The '*-wrap-pad' ciphers allow any input length.
+In both cases, no IV is needed. See example below.
+
 
  base64             Base 64
 
@@ -369,6 +378,9 @@ standard data format and performs the needed key/iv/nonce management.
  aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
  aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
 
+ aes-[128|192|256]-wrap     key wrapping using 128/192/256 bit AES
+ aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
+
  aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
  aria[128|192|256]       Alias for aria-[128|192|256]-cbc
  aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
@@ -417,6 +429,12 @@ Base64 decode a file then decrypt it using a password supplied in a file:
  openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
     -pass file:<passfile>
 
+AES key wrapping:
+
+ openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
+or
+ openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin
+
 =head1 BUGS
 
 The B<-A> option when used with large files doesn't work properly.

