AES CTR wolfcrypt interface need to support keys with ENCRYPT usage when encrypting

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

https://www.wolfssl.com

GNU General Public License v2.0

2.35k stars 830 forks source link

AES CTR wolfcrypt interface need to support keys with ENCRYPT usage when encrypting #7767

Closed DmitryOcheretyany closed 1 month ago

DmitryOcheretyany commented 3 months ago

Version

5.7.0

Description

The AES CTR interface to encrypt is run backwards to decrypt and use IV as input. This will prevent keys with usage set to ENCRYPT from encrypting data.

Now, AES-CTR encyption uses C_Decrypt, so it's impossible to use AES-CTR encryption for keys with encrypt key purpose. It's required to extend WolfSSL, so AES-CTR encryption can be performed using C_Encrypt, but without breaking/changing behavior of the existing code.

Way to Resolve: int wc_AesGetIV(Aes aes, byte iv) is added

embhorn commented 3 months ago

Hi @DmitryOcheretyany

Thanks for your interest in the wolfSSL project. It's not clear to me what you are requesting here. The AES-CTR APIs do use the same encryption key for both directions. Here is an example: https://github.com/wolfSSL/wolfssl-examples/blob/master/crypto/aes/aesctr-file-encrypt.c

Could you modify that example to help show us the issue you are trying to resolve?

Thanks, @embhorn - wolfSSL Support

DmitryOcheretyany commented 3 months ago

Hi @embhorn, Thank you for your response and for providing the example. Our objective is to implement AES-CTR encryption in wolfSSL using C_Encrypt and IV generation while ensuring backward compatibility. Currently, AES-CTR encryption uses C_Decrypt, which prevents using encryption keys with the encrypt key purpose. To address this, we propose the following changes:

Add the function int wc_AesGetIV(Aes* aes, byte* iv) to support IV retrieval.
Modify the AES-CTR encryption to use C_Encrypt with IV generation. Here is a specific example of the added functionality:
```
#ifdef WOLF_CRYPTO_CB
WOLFSSL_API int wc_AesGetIV(Aes* aes, byte* iv);
#endif
#ifdef PKCS11_NVIDIA_VENDOR
WOLFSSL_API int wc_AesSetKeyType(Aes* aes, int keyType);
#endif
```
We aim to implement these changes without affecting the existing behavior. Your guidance on modifying the provided example to demonstrate this issue would be greatly appreciated. Best regards,
Dmitry Ocheretyany

embhorn commented 3 months ago

Hi @DmitryOcheretyany

Thanks for sharing those details. I suggest sending an email to support@wolfssl.com to create a feature request. There we can have a more in depth conversation about the feature requirements.

Thanks, @embhorn

embhorn commented 1 month ago

Since we never heard back I will go ahead and close out this support inquiry. If any other questions come up please do not hesitate to open a new issue anytime by emailing support@wolfssl.com or through the zendesk portal at https://wolfssl.zendesk.com/. We are always happy to help out in any way we can.

Until next time all the best and thank you for using wolfSSL support.