From a8c869fe33f2b1a1b7d23628d607c2b8b7de34e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= Date: Fri, 29 Nov 2024 11:02:38 +0100 Subject: [PATCH 1/3] Revert removal of Botan 2.0 ECB handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ECB handling of Botan 2.0 was added in "Issue #276: Support for Botan 2.0 #294" https://github.com/softhsm/SoftHSMv2/pull/294 but then removed in: https://github.com/softhsm/SoftHSMv2/pull/717 via: https://github.com/softhsm/SoftHSMv2/commit/8fd89ec33edfe4a7b510c471101f78b52a0c1294 This commit reverts parts of this commit and additionally removes the used define BOTAN_DLL. The functions in Botan_ecb.h are library-local but building on Windows fails due link failue. Signed-off-by: Björn Svensson --- src/lib/crypto/BotanSymmetricAlgorithm.cpp | 42 ++++++++++++++++++++-- src/lib/crypto/Botan_ecb.h | 6 ++-- src/lib/crypto/CMakeLists.txt | 1 + 3 files changed, 44 insertions(+), 5 deletions(-) diff --git a/src/lib/crypto/BotanSymmetricAlgorithm.cpp b/src/lib/crypto/BotanSymmetricAlgorithm.cpp index 15b2b0624..1b2a291f5 100644 --- a/src/lib/crypto/BotanSymmetricAlgorithm.cpp +++ b/src/lib/crypto/BotanSymmetricAlgorithm.cpp @@ -169,7 +169,26 @@ bool BotanSymmetricAlgorithm::encryptInit(const SymmetricKey* key, const SymMode try { Botan::SymmetricKey botanKey = Botan::SymmetricKey(key->getKeyBits().const_byte_str(), key->getKeyBits().size()); - if (mode == SymMode::GCM) + if (mode == SymMode::ECB) + { + // ECB cipher mode was dropped in Botan 2.0 + const std::vector algo_parts = split_on_delim(cipherName, '/'); + const std::string cipher_name = algo_parts[0]; + bool with_pkcs7_padding; + if (algo_parts.size() == 3 && algo_parts[2] == "PKCS7") + { + with_pkcs7_padding = true; + } + else + { + with_pkcs7_padding = false; + } + std::unique_ptr bc(Botan::BlockCipher::create(cipher_name)); + Botan::Keyed_Filter* cipher = new Botan::Cipher_Mode_Filter(new Botan::ECB_Encryption(bc.release(), with_pkcs7_padding)); + cipher->set_key(botanKey); + cryption = new Botan::Pipe(cipher); + } + else if (mode == SymMode::GCM) { Botan::AEAD_Mode* aead = Botan::get_aead(cipherName, Botan::ENCRYPTION); aead->set_key(botanKey); @@ -385,7 +404,26 @@ bool BotanSymmetricAlgorithm::decryptInit(const SymmetricKey* key, const SymMode try { Botan::SymmetricKey botanKey = Botan::SymmetricKey(key->getKeyBits().const_byte_str(), key->getKeyBits().size()); - if (mode == SymMode::GCM) + if (mode == SymMode::ECB) + { + // ECB cipher mode was dropped in Botan 2.0 + const std::vector algo_parts = split_on_delim(cipherName, '/'); + const std::string cipher_name = algo_parts[0]; + bool with_pkcs7_padding; + if (algo_parts.size() == 3 && algo_parts[2] == "PKCS7") + { + with_pkcs7_padding = true; + } + else + { + with_pkcs7_padding = false; + } + std::unique_ptr bc(Botan::BlockCipher::create(cipher_name)); + Botan::Keyed_Filter* cipher = new Botan::Cipher_Mode_Filter(new Botan::ECB_Decryption(bc.release(),with_pkcs7_padding)); + cipher->set_key(botanKey); + cryption = new Botan::Pipe(cipher); + } + else if (mode == SymMode::GCM) { Botan::AEAD_Mode* aead = Botan::get_aead(cipherName, Botan::DECRYPTION); aead->set_key(botanKey); diff --git a/src/lib/crypto/Botan_ecb.h b/src/lib/crypto/Botan_ecb.h index 36b12a633..a6daec152 100644 --- a/src/lib/crypto/Botan_ecb.h +++ b/src/lib/crypto/Botan_ecb.h @@ -22,7 +22,7 @@ namespace Botan { /** * ECB mode */ -class BOTAN_DLL ECB_Mode : public Cipher_Mode +class ECB_Mode : public Cipher_Mode { public: std::string name() const override; @@ -57,7 +57,7 @@ class BOTAN_DLL ECB_Mode : public Cipher_Mode /** * ECB Encryption */ -class BOTAN_DLL ECB_Encryption final : public ECB_Mode +class ECB_Encryption final : public ECB_Mode { public: /** @@ -78,7 +78,7 @@ class BOTAN_DLL ECB_Encryption final : public ECB_Mode /** * ECB Decryption */ -class BOTAN_DLL ECB_Decryption final : public ECB_Mode +class ECB_Decryption final : public ECB_Mode { public: /** diff --git a/src/lib/crypto/CMakeLists.txt b/src/lib/crypto/CMakeLists.txt index 404e2dc2d..4b7c22e65 100644 --- a/src/lib/crypto/CMakeLists.txt +++ b/src/lib/crypto/CMakeLists.txt @@ -95,6 +95,7 @@ if(WITH_BOTAN) BotanDSAKeyPair.cpp BotanDSAPrivateKey.cpp BotanDSAPublicKey.cpp + Botan_ecb.cpp BotanECDH.cpp BotanECDHKeyPair.cpp BotanECDHPrivateKey.cpp From 152cece7ba996a7830aae65d7fcb81035353f408 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= Date: Fri, 29 Nov 2024 12:24:07 +0100 Subject: [PATCH 2/3] Remove testing of unsupported ED448 in Botan 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test can be re-enabled when we support Botan 3 due to: https://github.com/randombit/botan/pull/3933 Signed-off-by: Björn Svensson --- src/lib/test/SymmetricAlgorithmTests.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lib/test/SymmetricAlgorithmTests.cpp b/src/lib/test/SymmetricAlgorithmTests.cpp index c7b9e2084..a49c9be71 100644 --- a/src/lib/test/SymmetricAlgorithmTests.cpp +++ b/src/lib/test/SymmetricAlgorithmTests.cpp @@ -1427,8 +1427,10 @@ void SymmetricAlgorithmTests::aesWrapUnwrapED(CK_MECHANISM_TYPE mechanismType, C CK_BBOOL bTrue = CK_TRUE; std::map curves { - { "ED25519", {0x06, 0x03, 0x2b, 0x65, 0x70} }, - { "ED448", {0x06, 0x03, 0x2b, 0x65, 0x71} } + { "ED25519", {0x06, 0x03, 0x2b, 0x65, 0x70} } +#ifndef WITH_BOTAN + , { "ED448", {0x06, 0x03, 0x2b, 0x65, 0x71} } +#endif }; for(auto &curve : curves) { From 8635f76f9fe47ef2a06fb79b1dabae84b6bc0e5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?= Date: Fri, 29 Nov 2024 13:20:31 +0100 Subject: [PATCH 3/3] Correcting build options for Windows in CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CI installed libraries botan and openssl (x86 only) lacks support for ECC and EDDSA, which now are disabled during the CI builds. Windows x64 with OpenSSL still builds and runs these tests. Signed-off-by: Björn Svensson --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b682239c..5cef9bd1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,12 +67,15 @@ jobs: - arch: x64 backend: openssl target-platform: x64 + build-options: - arch: x64 backend: botan target-platform: x64 + build-options: -DENABLE_ECC=OFF -DENABLE_EDDSA=OFF - arch: x86 backend: openssl target-platform: Win32 + build-options: -DENABLE_ECC=OFF -DENABLE_EDDSA=OFF steps: - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 @@ -93,7 +96,7 @@ jobs: - name: Build run: | mkdir build - cmake -B build ${{ steps.vcpkg.outputs.vcpkg-cmake-config }} -A ${{ matrix.target-platform }} -DWITH_CRYPTO_BACKEND=${{ matrix.backend }} -DDISABLE_NON_PAGED_MEMORY=ON -DBUILD_TESTS=ON + cmake -B build ${{ steps.vcpkg.outputs.vcpkg-cmake-config }} -A ${{ matrix.target-platform }} -DWITH_CRYPTO_BACKEND=${{ matrix.backend }} ${{ matrix.build-options }} -DDISABLE_NON_PAGED_MEMORY=ON -DBUILD_TESTS=ON cmake --build build - name: Test env: