Page MenuHome GnuPG

libgcrypt: Adding aes-wrap-pad (RFC5649) support
Open, WishlistPublic

Description

RFC5649 defines extended version of AES keywrap, which supports padding.
https://datatracker.ietf.org/doc/html/rfc5649
file:///home/gniibe/Downloads/NIST.SP.800-38F.pdf

It's good for libgcrypt to have the feature, even though an application can just utilize existing AES wrap routines, because having constant for AES-wrap-pad in an application looks not nice.

Given libgcrypt has AES keywrap already, it's just addition of standard IV, handling of smallest input (only a single block) case, and verification of result.

Event Timeline

gniibe triaged this task as Wishlist priority.Fri, Dec 24, 9:20 AM
gniibe created this task.
gniibe added a project: libgcrypt.

For unwrapping, it is good if we can support "automatic" unwrapping, apply W^-1 and check the first 8 octets to see if it's KW or KWP.

Now, unwrapping supports both cases (KW and KWP).

Also, unwrapping by KWP needs an API to determine the length of KEY wrapped. The libgcrypt API for decryption unfortunately assumes that length of decrypted result is known by caller beforehand. So, I added support to get the length information through gcry_cipher_info . See tests/aeswrap.c for examples.

A caller can also know if unwrapping was done by KW or by KWP, through gcry_cipher_info (if needed). When it's 00 00 00 00, it means that it's done by KW, and it's by KWP otherwise.

I pushed the change: rC383866f014f2: cipher: Keep original behavior of Key Unwrap when not extended.

This keeps old behavior of unwrapping with KW (only) when GCRY_CIPHER_EXTENDED is not specified.

GCRY_CIPHER_EXTENDED is specified, unwrapping by both of KW and KWP is supported, and caller can determine which.