Add support for AES-ECB.
anhu committed Jan 7, 2025
1 parent 7808688 commit 1a7f7d7
Showing 8 changed files with 302 additions and 6 deletions.
19 changes: 14 additions & 5 deletions README.md
@@ -32,18 +32,27 @@ cd wolfPKCS11
make
make check
```
### Optional: AES-CCM Support

To have AES-CCM support in wolfPKCS11, simiply configure wolfSSL with the
addition of `--enable-aesccm`

### TPM support with wolfTPM

Enables using a TPM for cryptography and keystore.
Tested using `./configure --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE" && make`.

Note: The TPM does not support DH, so only RSA and ECC are supported.

### Optional: AES-CCM Support

To have AES-CCM support in wolfPKCS11, configure both wolfSSL and wolfPKCS11
with the addition of `--enable-aesccm`.

### Optional: AES-ECB Support

To have AES-ECB support in wolfPKCS11, configure wolfSSL with the C macro
`HAVE_AES_ECB` defined. For example, `CFLAGS="-DHAVE_AES_ECB"`. Then
enable it in wolfPKCS11 with the addition of `--enable-aesecb` during the
configure step.

WARNING: ECB (Electronic Code Book) mode AES is generally considered to be
insecure. Please consider using a different mode of AES.

### Build options and defines

13 changes: 13 additions & 0 deletions configure.ac
@@ -250,6 +250,18 @@ else
DISABLE_DEFS="$DISABLE_DEFS -DHAVE_AESCCM"
fi

AC_ARG_ENABLE([aesecb],
[AS_HELP_STRING([--enable-aesecb],[Enable AES-ECB (default: disabled)])],
[ ENABLED_AESECB=$enableval ],
[ ENABLED_AESECB=no ]
)
if test "$ENABLED_AES" = "yes" && test "$ENABLED_AESECB" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESECB"
else
DISABLE_DEFS="$DISABLE_DEFS -DHAVE_AESECB"
fi

AC_ARG_ENABLE([hmac],
[AS_HELP_STRING([--enable-hmac],[Enable HMAC (default: enabled)])],
[ ENABLED_HMAC=$enableval ],
@@ -514,6 +526,7 @@ echo " * AES: $ENABLED_AES"
echo " * AES-CBC: $ENABLED_AESCBC"
echo " * AES-GCM: $ENABLED_AESGCM"
echo " * AES-CCM: $ENABLED_AESCCM"
echo " * AES-ECB: $ENABLED_AESECB"
echo " * MD5: $ENABLED_MD5"
echo " * SHA: $ENABLED_SHA1"
echo " * SHA-224: $ENABLED_SHA224"
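Review bot: Nothing in the new `--enable-aesecb` block confirms that the wolfSSL being linked was built with `HAVE_AES_ECB`, which the README in this commit states is required, so a mismatch would presumably surface only as a compile or link failure in src/internal.c rather than at configure time. The block also leaves `ENABLED_AESECB` at `yes` when `ENABLED_AES` is not `yes`, so the summary line `echo " * AES-ECB: $ENABLED_AESECB"` can report the mode as enabled while `-DHAVE_AESECB` went into `DISABLE_DEFS`. Setting `ENABLED_AESECB=no` in the `else` branch would keep the summary truthful, and a configure-time check for `wc_AesEcbEncrypt` would catch the wolfSSL mismatch early. Whether the neighbouring options handle this the same way is not visible in the hunk.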
67 changes: 67 additions & 0 deletions src/crypto.c
@@ -1312,6 +1312,20 @@ CK_RV C_EncryptInit(CK_SESSION_HANDLE hSession,
break;
}
#endif

#ifdef HAVE_AESECB
case CKM_AES_ECB: {
if (type != CKK_AES)
return CKR_KEY_TYPE_INCONSISTENT;
if (pMechanism->pParameter != NULL)
return CKR_MECHANISM_PARAM_INVALID;
if (pMechanism->ulParameterLen != 0)
return CKR_MECHANISM_PARAM_INVALID;

init = WP11_INIT_AES_ECB_ENC;
break;
}
#endif
#endif
default:
(void)type;
@@ -1516,6 +1530,26 @@ CK_RV C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
*pulEncryptedDataLen = encDataLen;
break;
#endif
#ifdef HAVE_AESECB
case CKM_AES_ECB:
if (!WP11_Session_IsOpInitialized(session, WP11_INIT_AES_ECB_ENC))
return CKR_OPERATION_NOT_INITIALIZED;

encDataLen = (word32)ulDataLen;
if (pEncryptedData == NULL) {
*pulEncryptedDataLen = encDataLen;
return CKR_OK;
}
if (encDataLen > (word32)*pulEncryptedDataLen)
return CKR_BUFFER_TOO_SMALL;

ret = WP11_AesEcb_Encrypt(pData, (int)ulDataLen, pEncryptedData,
&encDataLen, obj, session);
if (ret < 0)
return CKR_FUNCTION_FAILED;
*pulEncryptedDataLen = encDataLen;
break;
#endif
#endif
default:
(void)ret;
@@ -1926,6 +1960,19 @@ CK_RV C_DecryptInit(CK_SESSION_HANDLE hSession,
break;
}
#endif
#ifdef HAVE_AESECB
case CKM_AES_ECB: {
if (type != CKK_AES)
return CKR_KEY_TYPE_INCONSISTENT;
if (pMechanism->pParameter != NULL)
return CKR_MECHANISM_PARAM_INVALID;
if (pMechanism->ulParameterLen != 0)
return CKR_MECHANISM_PARAM_INVALID;

init = WP11_INIT_AES_ECB_DEC;
break;
}
#endif
#endif
default:
(void)type;
@@ -2131,6 +2178,26 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
*pulDataLen = decDataLen;
break;
#endif
#ifdef HAVE_AESECB
case CKM_AES_ECB:
if (!WP11_Session_IsOpInitialized(session, WP11_INIT_AES_ECB_DEC))
return CKR_OPERATION_NOT_INITIALIZED;

decDataLen = (word32)ulEncryptedDataLen;
if (pData == NULL) {
*pulDataLen = decDataLen;
return CKR_OK;
}
if (decDataLen > (word32)*pulDataLen)
return CKR_BUFFER_TOO_SMALL;

ret = WP11_AesEcb_Decrypt(pEncryptedData, (int)ulEncryptedDataLen,
pData, &decDataLen, obj, session);
if (ret < 0)
return CKR_FUNCTION_FAILED;
*pulDataLen = decDataLen;
break;
#endif
#endif
default:
(void)decDataLen;
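Review bot: The `CKM_AES_ECB` case in C_Encrypt accepts any `ulDataLen`, and the matching case in C_Decrypt any `ulEncryptedDataLen`, without checking that it is a whole number of 16-byte AES blocks. ECB has no padding, so a partial final block is either rejected inside wolfCrypt and reported here only as the generic `CKR_FUNCTION_FAILED`, or left unprocessed while the full length is still written back; which of the two happens depends on wolfCrypt's handling, which is not visible on this page. Rejecting it right after the initialised-operation check is clearer: `if ((ulDataLen % AES_BLOCK_SIZE) != 0) return CKR_DATA_LEN_RANGE;` in C_Encrypt and `if ((ulEncryptedDataLen % AES_BLOCK_SIZE) != 0) return CKR_ENCRYPTED_DATA_LEN_RANGE;` in C_Decrypt. Both functions start and end outside the hunks shown.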
90 changes: 89 additions & 1 deletion src/internal.c
@@ -4832,7 +4832,7 @@ int WP11_Session_SetCcmParams(WP11_Session* session, int dataSz,

return ret;
}
#endif /* HAVE_AESGCM */
#endif /* HAVE_AESCCM */
#endif /* !NO_AES */

/**
@@ -8660,6 +8660,94 @@ int WP11_AesCcm_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec,
return ret;
}
#endif /* HAVE_AESCCM */

#ifdef HAVE_AESECB
/**
* Encrypt plain text with AES-ECB.
* Output buffer must be large enough to hold all data.
*
* @param plain [in] Plain text.
* @param plainSz [in] Length of plain text in bytes.
* @param enc [in] Buffer to hold encrypted data.
* @param encSz [in,out] On in, length of buffer in bytes.
* On out, length of encrypted data including
* authentication tag in bytes.
* @param secret [in] Secret key object.
* @param session [in] Session object.
* @return -ve on encryption failure.
* 0 on success.
*/
int WP11_AesEcb_Encrypt(unsigned char* plain, word32 plainSz,
unsigned char* enc, word32* encSz, WP11_Object* secret,
WP11_Session* session)
{
int ret;
Aes aes;
WP11_Data* key;

ret = wc_AesInit(&aes, NULL, session->devId);
if (ret == 0) {
if (secret->onToken)
WP11_Lock_LockRO(secret->lock);
key = &secret->data.symmKey;
ret = wc_AesSetKey(&aes, key->data, key->len, NULL, AES_ENCRYPTION);
if (secret->onToken)
WP11_Lock_UnlockRO(secret->lock);

if (ret == 0)
ret = wc_AesEcbEncrypt(&aes, enc, plain, plainSz);
if (ret == 0)
*encSz = plainSz;

wc_AesFree(&aes);
}

return ret;
}

/**
* Decrypt data with AES-ECB.
* Output buffer must be large enough to hold all decrypted data.
*
* @param enc [in] Encrypted data.
* @param encSz [in] Length of encrypted data in bytes.
* @param dec [in] Buffer to hold decrypted data.
* @param decSz [in,out] On in, length of buffer in bytes.
* On out, length of decrypted data in bytes.
* @param session [in] Session object holding Aes object.
* @return -ve on decryption failure.
* 0 on success.
*/
int WP11_AesEcb_Decrypt(unsigned char* enc, word32 encSz, unsigned char* dec,
word32* decSz, WP11_Object* secret,
WP11_Session* session)
{
int ret;
Aes aes;
WP11_Data* key;

ret = wc_AesInit(&aes, NULL, session->devId);
if (ret == 0) {
if (secret->onToken)
WP11_Lock_LockRO(secret->lock);
key = &secret->data.symmKey;
ret = wc_AesSetKey(&aes, key->data, key->len, NULL, AES_DECRYPTION);
if (secret->onToken)
WP11_Lock_UnlockRO(secret->lock);

if (ret == 0)
ret = wc_AesEcbDecrypt(&aes, dec, enc, encSz);

if (ret == 0) {
*decSz = encSz;
}

wc_AesFree(&aes);
}

return ret;
}
#endif /* HAVE_AESECB */
#endif /* !NO_AES */

#ifndef NO_HMAC
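Review bot: `encSz` and `decSz` are documented as in/out with the buffer length on input, but neither WP11_AesEcb_Encrypt nor WP11_AesEcb_Decrypt reads the incoming value, so the output bound rests entirely on the checks made in C_Encrypt and C_Decrypt. A guard such as `if (*encSz < plainSz) return BUFFER_E;` in the encrypt helper and `if (*decSz < encSz) return BUFFER_E;` in the decrypt helper would keep them safe for any later caller. The encrypt header comment also says the output length includes an "authentication tag", which ECB does not produce, and it marks the output buffer `enc` as `[in]`; the decrypt comment omits `secret`. Suggested wording: `On out, length of encrypted data in bytes.`, `[out]` for `enc` and `dec`, and `@param secret [in] Secret key object.` in the decrypt comment.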
14 changes: 14 additions & 0 deletions src/slot.c
@@ -249,6 +249,9 @@ static CK_MECHANISM_TYPE mechanismList[] = {
#ifdef HAVE_AESCCM
CKM_AES_CCM,
#endif
#ifdef HAVE_AESECB
CKM_AES_ECB,
#endif
#endif
#ifndef NO_HMAC
#ifndef NO_MD5
@@ -390,6 +393,12 @@ static CK_MECHANISM_INFO aesCcmMechInfo = {
16, 32, CKF_ENCRYPT | CKF_DECRYPT
};
#endif
#ifdef HAVE_AESECB
/* Info on AES-ECB mechanism. */
static CK_MECHANISM_INFO aesEcbMechInfo = {
16, 32, CKF_ENCRYPT | CKF_DECRYPT
};
#endif
#endif
#ifndef NO_HMAC
#ifndef NO_MD5
@@ -512,6 +521,11 @@ CK_RV C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
XMEMCPY(pInfo, &aesCcmMechInfo, sizeof(CK_MECHANISM_INFO));
break;
#endif
#ifdef HAVE_AESECB
case CKM_AES_ECB:
XMEMCPY(pInfo, &aesEcbMechInfo, sizeof(CK_MECHANISM_INFO));
break;
#endif
#endif
#ifndef NO_HMAC
#ifndef NO_MD5
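Review bot: Nothing next to the new `CKM_AES_ECB` entries records why the mechanism is opt-in, and once `HAVE_AESECB` is defined it is advertised through `mechanismList` and C_GetMechanismInfo like any other cipher. A short comment on `aesEcbMechInfo`, for example `/* Info on AES-ECB mechanism. No IV and no integrity: equal plaintext blocks give equal ciphertext blocks. Built only with --enable-aesecb. */`, would carry the README warning to the place a maintainer reads. The array and the switch both continue outside the hunks shown.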