From 40856c7d148d94245991cf24016cd65e7222eb1e Mon Sep 17 00:00:00 2001 From: Vincent Landgraf Date: Fri, 29 Oct 2021 14:57:02 +0200 Subject: [PATCH] adds support for key wrap based on des3 https://github.com/opendnssec/SoftHSMv2/issues/405 --- src/lib/SoftHSM.cpp | 7 +++++-- src/lib/crypto/BotanDES.cpp | 3 +++ src/lib/crypto/OSSLDES.cpp | 19 +++++++++++++++++-- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp index dac68a3c6..cee3c50db 100644 --- a/src/lib/SoftHSM.cpp +++ b/src/lib/SoftHSM.cpp @@ -6480,6 +6480,9 @@ CK_RV SoftHSM::C_WrapKey pMechanism->ulParameterLen != 16) return CKR_ARGUMENTS_BAD; break; + case CKM_DES3_CBC: + case CKM_DES3_CBC_PAD: + break; default: return CKR_MECHANISM_INVALID; } @@ -6518,8 +6521,8 @@ CK_RV SoftHSM::C_WrapKey return CKR_WRAPPING_KEY_TYPE_INCONSISTENT; if ((pMechanism->mechanism == CKM_AES_CBC || pMechanism->mechanism == CKM_AES_CBC_PAD) && wrapKey->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_AES) return CKR_WRAPPING_KEY_TYPE_INCONSISTENT; - if (pMechanism->mechanism == CKM_DES3_CBC && (wrapKey->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_DES2 || - wrapKey->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_DES3)) + if ((pMechanism->mechanism == CKM_DES3_CBC || pMechanism->mechanism == CKM_DES3_CBC_PAD) && ((wrapKey->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_DES2 && + wrapKey->getUnsignedLongValue(CKA_KEY_TYPE, CKK_VENDOR_DEFINED) != CKK_DES3))) return CKR_WRAPPING_KEY_TYPE_INCONSISTENT; // Check if the wrapping key can be used for wrapping diff --git a/src/lib/crypto/BotanDES.cpp b/src/lib/crypto/BotanDES.cpp index 393cf4dc9..9d3ebaa2d 100644 --- a/src/lib/crypto/BotanDES.cpp +++ b/src/lib/crypto/BotanDES.cpp @@ -61,12 +61,15 @@ std::string BotanDES::getCipher() const switch (currentKey->getBitLen()) { case 56: + case 64: // People shouldn't really be using 56-bit DES keys, generate a warning DEBUG_MSG("CAUTION: use of 56-bit DES keys is not recommended!"); algo = "DES"; break; case 112: + case 128: case 168: + case 192: algo = "TripleDES"; break; default: diff --git a/src/lib/crypto/OSSLDES.cpp b/src/lib/crypto/OSSLDES.cpp index 4fb56b5eb..4b6acf792 100644 --- a/src/lib/crypto/OSSLDES.cpp +++ b/src/lib/crypto/OSSLDES.cpp @@ -57,9 +57,12 @@ const EVP_CIPHER* OSSLDES::getCipher() const if ( #ifndef WITH_FIPS (currentKey->getBitLen() != 56) && + (currentKey->getBitLen() != 64) && #endif (currentKey->getBitLen() != 112) && - (currentKey->getBitLen() != 168)) + (currentKey->getBitLen() != 128) && + (currentKey->getBitLen() != 168) && + (currentKey->getBitLen() != 192)) { ERROR_MSG("Invalid DES currentKey length (%d bits)", currentKey->getBitLen()); @@ -67,7 +70,7 @@ const EVP_CIPHER* OSSLDES::getCipher() const } // People shouldn't really be using 56-bit DES keys, generate a warning - if (currentKey->getBitLen() == 56) + if (currentKey->getBitLen() == 56 || currentKey->getBitLen() == 64) { DEBUG_MSG("CAUTION: use of 56-bit DES keys is not recommended!"); } @@ -78,10 +81,13 @@ const EVP_CIPHER* OSSLDES::getCipher() const switch(currentKey->getBitLen()) { case 56: + case 64: return EVP_des_cbc(); case 112: + case 128: return EVP_des_ede_cbc(); case 168: + case 192: return EVP_des_ede3_cbc(); }; } @@ -90,10 +96,13 @@ const EVP_CIPHER* OSSLDES::getCipher() const switch(currentKey->getBitLen()) { case 56: + case 64: return EVP_des_ecb(); case 112: + case 128: return EVP_des_ede_ecb(); case 168: + case 192: return EVP_des_ede3_ecb(); }; } @@ -102,10 +111,13 @@ const EVP_CIPHER* OSSLDES::getCipher() const switch(currentKey->getBitLen()) { case 56: + case 64: return EVP_des_ofb(); case 112: + case 128: return EVP_des_ede_ofb(); case 168: + case 192: return EVP_des_ede3_ofb(); }; } @@ -114,10 +126,13 @@ const EVP_CIPHER* OSSLDES::getCipher() const switch(currentKey->getBitLen()) { case 56: + case 64: return EVP_des_cfb(); case 112: + case 128: return EVP_des_ede_cfb(); case 168: + case 192: return EVP_des_ede3_cfb(); }; }