Page MenuHome GnuPG
Create Task
Maniphest T5752

libgcrypt: Adding aes-wrap-pad (RFC5649) support
Closed, ResolvedPublic
Actions

Description

RFC5649 defines extended version of AES keywrap, which supports padding.
https://datatracker.ietf.org/doc/html/rfc5649
file:///home/gniibe/Downloads/NIST.SP.800-38F.pdf

It's good for libgcrypt to have the feature, even though an application can just utilize existing AES wrap routines, because having constant for AES-wrap-pad in an application looks not nice.

Given libgcrypt has AES keywrap already, it's just addition of standard IV, handling of smallest input (only a single block) case, and verification of result.

Revisions and Commits

rC libgcrypt
rC383866f014f2 cipher: Keep original behavior of Key Unwrap when not extended.
rC746b8e29969b cipher: Add an API to retrieve unwrapped key length for KWP.
rC2914f169f954 cipher: Add support of Key wrap with padding (KWP).

Related Objects

Event Timeline

gniibe triaged this task as Wishlist priority.Dec 24 2021, 9:20 AM
gniibe created this task.
gniibe added a project: libgcrypt.
gniibe added a commit: rC2914f169f954: cipher: Add support of Key wrap with padding (KWP)..Jan 3 2022, 7:41 AM
gniibe added a project: Restricted Project.Jan 4 2022, 12:56 AM
gniibe added a comment.Jan 4 2022, 1:01 PM

For unwrapping, it is good if we can support "automatic" unwrapping, apply W^-1 and check the first 8 octets to see if it's KW or KWP.

gniibe added a commit: rC746b8e29969b: cipher: Add an API to retrieve unwrapped key length for KWP..Jan 5 2022, 4:14 AM
gniibe added a comment.Jan 6 2022, 1:09 AM

Now, unwrapping supports both cases (KW and KWP).

Also, unwrapping by KWP needs an API to determine the length of KEY wrapped. The libgcrypt API for decryption unfortunately assumes that length of decrypted result is known by caller beforehand. So, I added support to get the length information through gcry_cipher_info . See tests/aeswrap.c for examples.

A caller can also know if unwrapping was done by KW or by KWP, through gcry_cipher_info (if needed). When it's 00 00 00 00, it means that it's done by KW, and it's by KWP otherwise.

gniibe added a commit: rC383866f014f2: cipher: Keep original behavior of Key Unwrap when not extended..Jan 11 2022, 3:10 AM
gniibe added a comment.Jan 11 2022, 5:39 AM

I pushed the change: rC383866f014f2: cipher: Keep original behavior of Key Unwrap when not extended.

This keeps old behavior of unwrapping with KW (only) when GCRY_CIPHER_EXTENDED is not specified.

GCRY_CIPHER_EXTENDED is specified, unwrapping by both of KW and KWP is supported, and caller can determine which.

werner mentioned this in T5691: Release libgcrypt 1.10.0.Feb 1 2022, 9:49 PM
gniibe closed this task as Resolved.Feb 2 2022, 3:30 AM
gniibe edited projects, added Feature Request; removed Restricted Project.