From a8c869fe33f2b1a1b7d23628d607c2b8b7de34e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= <bjorn.a.svensson@est.tech>
Date: Fri, 29 Nov 2024 11:02:38 +0100
Subject: [PATCH 1/3] Revert removal of Botan 2.0 ECB handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ECB handling of Botan 2.0 was added in
  "Issue #276: Support for Botan 2.0 #294"
  https://github.com/softhsm/SoftHSMv2/pull/294

but then removed in:
  https://github.com/softhsm/SoftHSMv2/pull/717
via:
  https://github.com/softhsm/SoftHSMv2/commit/8fd89ec33edfe4a7b510c471101f78b52a0c1294

This commit reverts parts of this commit and additionally removes the
used define BOTAN_DLL. The functions in Botan_ecb.h are library-local
but building on Windows fails due link failue.

Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
---
 src/lib/crypto/BotanSymmetricAlgorithm.cpp | 42 ++++++++++++++++++++--
 src/lib/crypto/Botan_ecb.h                 |  6 ++--
 src/lib/crypto/CMakeLists.txt              |  1 +
 3 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/src/lib/crypto/BotanSymmetricAlgorithm.cpp b/src/lib/crypto/BotanSymmetricAlgorithm.cpp
index 15b2b0624..1b2a291f5 100644
--- a/src/lib/crypto/BotanSymmetricAlgorithm.cpp
+++ b/src/lib/crypto/BotanSymmetricAlgorithm.cpp
@@ -169,7 +169,26 @@ bool BotanSymmetricAlgorithm::encryptInit(const SymmetricKey* key, const SymMode
 	try
 	{
 		Botan::SymmetricKey botanKey = Botan::SymmetricKey(key->getKeyBits().const_byte_str(), key->getKeyBits().size());
-		if (mode == SymMode::GCM)
+		if (mode == SymMode::ECB)
+		{
+			// ECB cipher mode was dropped in Botan 2.0
+			const std::vector<std::string> algo_parts = split_on_delim(cipherName, '/');
+			const std::string cipher_name = algo_parts[0];
+			bool with_pkcs7_padding;
+			if (algo_parts.size() == 3 && algo_parts[2] == "PKCS7")
+			{
+				with_pkcs7_padding = true;
+			}
+			else
+			{
+				with_pkcs7_padding = false;
+			}
+			std::unique_ptr<Botan::BlockCipher> bc(Botan::BlockCipher::create(cipher_name));
+			Botan::Keyed_Filter* cipher = new Botan::Cipher_Mode_Filter(new Botan::ECB_Encryption(bc.release(), with_pkcs7_padding));
+			cipher->set_key(botanKey);
+			cryption = new Botan::Pipe(cipher);
+		}
+		else if (mode == SymMode::GCM)
 		{
 			Botan::AEAD_Mode* aead = Botan::get_aead(cipherName, Botan::ENCRYPTION);
 			aead->set_key(botanKey);
@@ -385,7 +404,26 @@ bool BotanSymmetricAlgorithm::decryptInit(const SymmetricKey* key, const SymMode
 	try
 	{
 		Botan::SymmetricKey botanKey = Botan::SymmetricKey(key->getKeyBits().const_byte_str(), key->getKeyBits().size());
-		if (mode == SymMode::GCM)
+		if (mode == SymMode::ECB)
+		{
+			// ECB cipher mode was dropped in Botan 2.0
+			const std::vector<std::string> algo_parts = split_on_delim(cipherName, '/');
+			const std::string cipher_name = algo_parts[0];
+			bool with_pkcs7_padding;
+			if (algo_parts.size() == 3 && algo_parts[2] == "PKCS7")
+			{
+				with_pkcs7_padding = true;
+			}
+			else
+			{
+				with_pkcs7_padding = false;
+			}
+			std::unique_ptr<Botan::BlockCipher> bc(Botan::BlockCipher::create(cipher_name));
+			Botan::Keyed_Filter* cipher = new Botan::Cipher_Mode_Filter(new Botan::ECB_Decryption(bc.release(),with_pkcs7_padding));
+			cipher->set_key(botanKey);
+			cryption = new Botan::Pipe(cipher);
+		}
+		else if (mode == SymMode::GCM)
 		{
 			Botan::AEAD_Mode* aead = Botan::get_aead(cipherName, Botan::DECRYPTION);
 			aead->set_key(botanKey);
diff --git a/src/lib/crypto/Botan_ecb.h b/src/lib/crypto/Botan_ecb.h
index 36b12a633..a6daec152 100644
--- a/src/lib/crypto/Botan_ecb.h
+++ b/src/lib/crypto/Botan_ecb.h
@@ -22,7 +22,7 @@ namespace Botan {
 /**
 * ECB mode
 */
-class BOTAN_DLL ECB_Mode : public Cipher_Mode
+class ECB_Mode : public Cipher_Mode
    {
    public:
       std::string name() const override;
@@ -57,7 +57,7 @@ class BOTAN_DLL ECB_Mode : public Cipher_Mode
 /**
 * ECB Encryption
 */
-class BOTAN_DLL ECB_Encryption final : public ECB_Mode
+class ECB_Encryption final : public ECB_Mode
    {
    public:
       /**
@@ -78,7 +78,7 @@ class BOTAN_DLL ECB_Encryption final : public ECB_Mode
 /**
 * ECB Decryption
 */
-class BOTAN_DLL ECB_Decryption final : public ECB_Mode
+class ECB_Decryption final : public ECB_Mode
    {
    public:
       /**
diff --git a/src/lib/crypto/CMakeLists.txt b/src/lib/crypto/CMakeLists.txt
index 404e2dc2d..4b7c22e65 100644
--- a/src/lib/crypto/CMakeLists.txt
+++ b/src/lib/crypto/CMakeLists.txt
@@ -95,6 +95,7 @@ if(WITH_BOTAN)
                         BotanDSAKeyPair.cpp
                         BotanDSAPrivateKey.cpp
                         BotanDSAPublicKey.cpp
+                        Botan_ecb.cpp
                         BotanECDH.cpp
                         BotanECDHKeyPair.cpp
                         BotanECDHPrivateKey.cpp

From 152cece7ba996a7830aae65d7fcb81035353f408 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= <bjorn.a.svensson@est.tech>
Date: Fri, 29 Nov 2024 12:24:07 +0100
Subject: [PATCH 2/3] Remove testing of unsupported ED448 in Botan 2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The test can be re-enabled when we support Botan 3 due to:
https://github.com/randombit/botan/pull/3933

Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
---
 src/lib/test/SymmetricAlgorithmTests.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lib/test/SymmetricAlgorithmTests.cpp b/src/lib/test/SymmetricAlgorithmTests.cpp
index c7b9e2084..a49c9be71 100644
--- a/src/lib/test/SymmetricAlgorithmTests.cpp
+++ b/src/lib/test/SymmetricAlgorithmTests.cpp
@@ -1427,8 +1427,10 @@ void SymmetricAlgorithmTests::aesWrapUnwrapED(CK_MECHANISM_TYPE mechanismType, C
 	CK_BBOOL bTrue = CK_TRUE;
 
 	std::map<std::string, EDCurveParam > curves {
-		{ "ED25519", {0x06, 0x03, 0x2b, 0x65, 0x70} },
-		{ "ED448", {0x06, 0x03, 0x2b, 0x65, 0x71} }
+		{ "ED25519", {0x06, 0x03, 0x2b, 0x65, 0x70} }
+#ifndef WITH_BOTAN
+		, { "ED448", {0x06, 0x03, 0x2b, 0x65, 0x71} }
+#endif
 	};
 
 	for(auto &curve : curves) {

From 8635f76f9fe47ef2a06fb79b1dabae84b6bc0e5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= <bjorn.a.svensson@est.tech>
Date: Fri, 29 Nov 2024 13:20:31 +0100
Subject: [PATCH 3/3] Correcting build options for Windows in CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CI installed libraries botan and openssl (x86 only) lacks support
for ECC and EDDSA, which now are disabled during the CI builds.

Windows x64 with OpenSSL still builds and runs these tests.

Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
---
 .github/workflows/ci.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7b682239c..5cef9bd1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -67,12 +67,15 @@ jobs:
           - arch: x64
             backend: openssl
             target-platform: x64
+            build-options:
           - arch: x64
             backend: botan
             target-platform: x64
+            build-options: -DENABLE_ECC=OFF -DENABLE_EDDSA=OFF
           - arch: x86
             backend: openssl
             target-platform: Win32
+            build-options: -DENABLE_ECC=OFF -DENABLE_EDDSA=OFF
     steps:
       - uses: actions/checkout@v4
       - uses: ilammy/msvc-dev-cmd@v1
@@ -93,7 +96,7 @@ jobs:
       - name: Build
         run: |
           mkdir build
-          cmake -B build ${{ steps.vcpkg.outputs.vcpkg-cmake-config }} -A ${{ matrix.target-platform }} -DWITH_CRYPTO_BACKEND=${{ matrix.backend }} -DDISABLE_NON_PAGED_MEMORY=ON -DBUILD_TESTS=ON
+          cmake -B build ${{ steps.vcpkg.outputs.vcpkg-cmake-config }} -A ${{ matrix.target-platform }} -DWITH_CRYPTO_BACKEND=${{ matrix.backend }} ${{ matrix.build-options }} -DDISABLE_NON_PAGED_MEMORY=ON -DBUILD_TESTS=ON
           cmake --build build
       - name: Test
         env: