enc : add support for wrap mode

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17691)
author: EasySec <easy.sec@free.fr> 2022-02-12 02:07:34 +0100
committer: Pauli <pauli@openssl.org> 2022-02-18 15:04:28 +1100
commit: 7850cc8307b9105f37dde864d5c8c881c522b28a (patch)
tree: a8bf35ec78300468ca132d62b6931eca78e729ff
parent: b089d546242bbc073aefb6f6471586e484118863 (diff)
3 files changed, 45 insertions, 3 deletions
diff --git a/apps/enc.c b/apps/enc.c
index b14129d9b0..d50baa6d2f 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -127,6 +127,8 @@ int enc_main(int argc, char **argv)
     int pbkdf2 = 0;
     int iter = 0;
     long n;
+    int streamable = 1;
+    int wrap = 0;
     struct doall_enc_ciphers dec;
 #ifdef ZLIB
     int do_zlib = 0;
@@ -298,6 +300,10 @@ int enc_main(int argc, char **argv)
     /* Get the cipher name, either from progname (if set) or flag. */
     if (!opt_cipher(ciphername, &cipher))
         goto opthelp;
+    if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_WRAP_MODE)) {
+        wrap = 1;
+        streamable = 0;
+    }
     if (digestname != NULL) {
         if (!opt_md(digestname, &dgst))
             goto opthelp;
@@ -328,6 +334,10 @@ int enc_main(int argc, char **argv)
     buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
 
     if (infile == NULL) {
+        if (!streamable) {
+            BIO_printf(bio_err, "Unstreamable cipher mode\n");
+            goto end;
+        }
         in = dup_bio_in(informat);
     } else {
         in = bio_open_default(infile, 'r', informat);
@@ -524,7 +534,8 @@ int enc_main(int argc, char **argv)
             }
         }
         if ((hiv == NULL) && (str == NULL)
-            && EVP_CIPHER_get_iv_length(cipher) != 0) {
+            && EVP_CIPHER_get_iv_length(cipher) != 0
+            && wrap == 0) {
             /*
              * No IV was explicitly set and no IV was generated.
              * Hence the IV is undefined, making correct decryption impossible.
@@ -551,6 +562,9 @@ int enc_main(int argc, char **argv)
 
         BIO_get_cipher_ctx(benc, &ctx);
 
+        if (wrap == 1)
+            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+
         if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
                        EVP_CIPHER_get0_name(cipher));
@@ -561,7 +575,8 @@ int enc_main(int argc, char **argv)
         if (nopad)
             EVP_CIPHER_CTX_set_padding(ctx, 0);
 
-        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key,
+                               (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
                        EVP_CIPHER_get0_name(cipher));
             ERR_print_errors(bio_err);
@@ -607,10 +622,16 @@ int enc_main(int argc, char **argv)
         inl = BIO_read(rbio, (char *)buff, bsize);
         if (inl <= 0)
             break;
+        if (!streamable && !BIO_eof(rbio)) {    /* do not output data */
+            BIO_printf(bio_err, "Unstreamable cipher mode\n");
+            goto end;
+        }
         if (BIO_write(wbio, (char *)buff, inl) != inl) {
             BIO_printf(bio_err, "error writing output file\n");
             goto end;
         }
+        if (!streamable)
+            break;
     }
     if (!BIO_flush(wbio)) {
         BIO_printf(bio_err, "bad decrypt\n");
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index d556b5ab28..350a0e0527 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -149,6 +149,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_128_wrap());
     EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
     EVP_add_cipher(EVP_aes_128_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes128_wrap_pad, "aes128-wrap-pad");
     EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
     EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
     EVP_add_cipher(EVP_aes_192_ecb());
@@ -166,6 +167,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_192_wrap());
     EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
     EVP_add_cipher(EVP_aes_192_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes192_wrap_pad, "aes192-wrap-pad");
     EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
     EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
     EVP_add_cipher(EVP_aes_256_ecb());
@@ -184,6 +186,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_256_wrap());
     EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
     EVP_add_cipher(EVP_aes_256_wrap_pad());
+    EVP_add_cipher_alias(SN_id_aes256_wrap_pad, "aes256-wrap-pad");
     EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
     EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in
index f424358ab3..85f707a17a 100644
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@@ -274,7 +274,7 @@ able to roll back upon authentication failure.  The AEAD modes currently in
 common use also suffer from catastrophic failure of confidentiality and/or
 integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
 entire burden of key/iv/nonce management upon the user, the risk of
-exposing AEAD modes is too great to allow.  These key/iv/nonce
+exposing AEAD modes is too great to allow. These key/iv/nonce
 management issues also affect other modes currently exposed in this command,
 but the failure modes are less extreme in these cases, and the
 functionality cannot be removed with a stable release branch.
@@ -282,6 +282,15 @@ For bulk encryption of data, whether using authenticated encryption
 modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
 standard data format and performs the needed key/iv/nonce management.
 
+When enc is used with key wrapping modes the input data cannot be streamed,
+meaning it must be processed in a single pass.
+Consequently, the input data size must be less than
+the buffer size (-bufsize arg, default to 8*1024 bytes).
+The '*-wrap' ciphers require the input to be a multiple of 8 bytes long,
+because no padding is involved.
+The '*-wrap-pad' ciphers allow any input length.
+In both cases, no IV is needed. See example below.
+
 
  base64             Base 64
 
@@ -369,6 +378,9 @@ standard data format and performs the needed key/iv/nonce management.
  aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
  aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
 
+ aes-[128|192|256]-wrap     key wrapping using 128/192/256 bit AES
+ aes-[128|192|256]-wrap-pad key wrapping with padding using 128/192/256 bit AES
+
  aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
  aria[128|192|256]       Alias for aria-[128|192|256]-cbc
  aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
@@ -417,6 +429,12 @@ Base64 decode a file then decrypt it using a password supplied in a file:
  openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
     -pass file:<passfile>
 
+AES key wrapping:
+
+ openssl enc -e -a -id-aes128-wrap-pad -K 000102030405060708090A0B0C0D0E0F -in file.bin
+or
+ openssl aes128-wrap-pad -e -a -K 000102030405060708090A0B0C0D0E0F -in file.bin
+
 =head1 BUGS
 
 The B<-A> option when used with large files doesn't work properly.
author	EasySec <easy.sec@free.fr>	2022-02-12 02:07:34 +0100
committer	Pauli <pauli@openssl.org>	2022-02-18 15:04:28 +1100
commit	7850cc8307b9105f37dde864d5c8c881c522b28a (patch)
tree	a8bf35ec78300468ca132d62b6931eca78e729ff
parent	b089d546242bbc073aefb6f6471586e484118863 (diff)