crypto: add test case for AES key wrapping #20587
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add test cases for AES key wrapping and only detect output length in cipher case. The reason being is the returned output length is insufficient in AES key unwrapping case. Signed-off-by: Yihong Wang <yh.wang@ibm.com>
nodejs-github-bot
added
c++
|
I tried to use the same mechanism to detect the output length for the AES key unwrapping and I found it may be a glitch in openssl. In the AES key unwrapping code path, it returns You can see I have a patch for wrap128.c here: --- a/deps/openssl/openssl/crypto/modes/wrap128.c
+++ b/deps/openssl/openssl/crypto/modes/wrap128.c
@@ -237,7 +237,7 @@ size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
*
* @param[in] key Key value.
* @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
- * @param[out] out Plaintext. Minimal buffer length = inlen bytes.
+ * @param[out] out Plaintext. Minimal buffer length = inlen - 8 bytes.
* Input and output buffers can overlap if block function
* supports that.
* @param[in] in Ciphertext as n 64-bit blocks.
@@ -267,7 +267,6 @@ size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
return 0;
- memmove(out, in, inlen);
if (inlen == 16) {
/*
* Section 4.2 - special case in step 1: When n=1, the ciphertext
@@ -275,14 +274,15 @@ size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
* single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] |
* C[1])
*/
+ memmove(out, in + 8, inlen - 8);
block(out, out, key);
- memcpy(aiv, out, 8);
+ memcpy(aiv, in, 8);
/* Remove AIV */
memmove(out, out + 8, 8);
padded_len = 8;
} else {
padded_len = inlen - 8;
- ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
+ ret = crypto_128_unwrap_raw(key, aiv, out, in, inlen, block);
if (padded_len != ret) {
OPENSSL_cleanse(out, inlen);
return 0;But even if we patch wrap128.c, for openssl shared lib user, we still need to skip the output length detection. |
bnoordhuis
approved these changes
May 8, 2018
3 tasks
tniessen
approved these changes
May 8, 2018
jasnell
reviewed
May 8, 2018
| @@ -2998,7 +2998,7 @@ CipherBase::UpdateResult CipherBase::Update(const char* data, | |||
| int buff_len = len + EVP_CIPHER_CTX_block_size(ctx_.get()); | |||
| // For key wrapping algorithms, get output size by calling | |||
| // EVP_CipherUpdate() with null output. | |||
| if (mode == EVP_CIPH_WRAP_MODE && | |||
| if (kind_ == kCipher && mode == EVP_CIPH_WRAP_MODE && | |||
There was a problem hiding this comment.
Is this change intended? If so, this likely should be a different commit.
There was a problem hiding this comment.
@jasnell this is needed. Sorry the title of this commit is a little misleading but I explained that I need the code change in the description
|
@bnoordhuis I will try it |
2 tasks
yhwang
added
the
author ready
|
Landed in e3ceae7 |
targos
pushed a commit
that referenced
this pull request
May 12, 2018
Add test cases for AES key wrapping and only detect output length in cipher case. The reason being is the returned output length is insufficient in AES key unwrapping case. PR-URL: #20587 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
tniessen
pushed a commit
to tniessen/node
that referenced
this pull request
May 13, 2018
Add test cases for AES key wrapping and only detect output length in cipher case. The reason being is the returned output length is insufficient in AES key unwrapping case. PR-URL: nodejs#20587 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
addaleax
pushed a commit
that referenced
this pull request
May 14, 2018
Add test cases for AES key wrapping and only detect output length in cipher case. The reason being is the returned output length is insufficient in AES key unwrapping case. Backport-PR-URL: #20706 PR-URL: #20587 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Merged
targos
added
backported-to-v10.x
and removed
author ready
|
@bnoordhuis the related change is upstreamed to OpenSSL: openssl/openssl#6266 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add test cases for AES key wrapping and only detect output length in
cipher case. The reason being is the returned output length is
insufficient in AES key unwrapping case.
Signed-off-by: Yihong Wang yh.wang@ibm.com
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes