Use OpenSSL implementation of AES Key Wrap with Padding on Linux

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.Cipher.cs

@@ -258,6 +258,9 @@ internal static void EvpCipherSetCcmTagLength(SafeEvpCipherCtxHandle ctx, int ta
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes128Ccm")]
         internal static partial IntPtr EvpAes128Ccm();
 
+        [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes128WrapPad")]
+        internal static partial IntPtr EvpAes128WrapPad();
+
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes192Ecb")]
         internal static partial IntPtr EvpAes192Ecb();
 
@@ -276,6 +279,9 @@ internal static void EvpCipherSetCcmTagLength(SafeEvpCipherCtxHandle ctx, int ta
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes192Ccm")]
         internal static partial IntPtr EvpAes192Ccm();
 
+        [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes192WrapPad")]
+        internal static partial IntPtr EvpAes192WrapPad();
+
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes256Ecb")]
         internal static partial IntPtr EvpAes256Ecb();
 
@@ -294,6 +300,9 @@ internal static void EvpCipherSetCcmTagLength(SafeEvpCipherCtxHandle ctx, int ta
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes256Ccm")]
         internal static partial IntPtr EvpAes256Ccm();
 
+        [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpAes256WrapPad")]
+        internal static partial IntPtr EvpAes256WrapPad();
+
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpDesCbc")]
         internal static partial IntPtr EvpDesCbc();
 

src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj

@@ -1221,7 +1221,7 @@
              Link="Common\System\Security\Cryptography\SlhDsaImplementation.NotSupported.cs" />
     <Compile Include="$(CommonPath)System\Security\Cryptography\SP800108HmacCounterKdfImplementationManaged.cs"
              Link="Common\System\Security\Cryptography\SP800108HmacCounterKdfImplementationManaged.cs" />
-    <Compile Include="System\Security\Cryptography\AesImplementation.OpenSsl.cs" />
+    <Compile Include="System\Security\Cryptography\AesImplementation.Android.cs" />
     <Compile Include="System\Security\Cryptography\AesCcm.Android.cs" />
     <Compile Include="System\Security\Cryptography\AesGcm.Android.cs" />
     <Compile Include="System\Security\Cryptography\AsnFormatter.Managed.cs" />

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesImplementation.Android.cs

@@ -0,0 +1,63 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace System.Security.Cryptography
+{
+    internal sealed partial class AesImplementation
+    {
+        private static UniversalCryptoTransform CreateTransformCore(
+            CipherMode cipherMode,
+            PaddingMode paddingMode,
+            ReadOnlySpan<byte> key,
+            byte[]? iv,
+            int blockSize,
+            int paddingSize,
+            int feedback,
+            bool encrypting)
+        {
+            // The algorithm pointer is a static pointer, so not having any cleanup code is correct.
+            IntPtr algorithm = GetAlgorithm(key.Length * 8, feedback * 8, cipherMode);
+
+            BasicSymmetricCipher cipher = new OpenSslCipher(algorithm, cipherMode, blockSize, paddingSize, key, iv, encrypting);
+            return UniversalCryptoTransform.Create(paddingMode, cipher, encrypting);
+        }
+
+        private static OpenSslCipherLite CreateLiteCipher(
+            CipherMode cipherMode,
+            ReadOnlySpan<byte> key,
+            ReadOnlySpan<byte> iv,
+            int blockSize,
+            int paddingSize,
+            int feedback,
+            bool encrypting)
+        {
+            IntPtr algorithm = GetAlgorithm(key.Length * 8, feedback * 8, cipherMode);
+            return new OpenSslCipherLite(algorithm, blockSize, paddingSize, key, iv, encrypting);
+        }
+
+        private static IntPtr GetAlgorithm(int keySize, int feedback, CipherMode cipherMode) =>
+            (keySize, cipherMode) switch
+            {
+                // Neither OpenSSL nor Cng Aes support CTS mode.
+
+                (128, CipherMode.CBC) => Interop.Crypto.EvpAes128Cbc(),
+                (128, CipherMode.ECB) => Interop.Crypto.EvpAes128Ecb(),
+                (128, CipherMode.CFB) when feedback == 8 => Interop.Crypto.EvpAes128Cfb8(),
+                (128, CipherMode.CFB) when feedback == 128 => Interop.Crypto.EvpAes128Cfb128(),
+
+                (192, CipherMode.CBC) => Interop.Crypto.EvpAes192Cbc(),
+                (192, CipherMode.ECB) => Interop.Crypto.EvpAes192Ecb(),
+                (192, CipherMode.CFB) when feedback == 8 => Interop.Crypto.EvpAes192Cfb8(),
+                (192, CipherMode.CFB) when feedback == 128 => Interop.Crypto.EvpAes192Cfb128(),
+
+                (256, CipherMode.CBC) => Interop.Crypto.EvpAes256Cbc(),
+                (256, CipherMode.ECB) => Interop.Crypto.EvpAes256Ecb(),
+                (256, CipherMode.CFB) when feedback == 8 => Interop.Crypto.EvpAes256Cfb8(),
+                (256, CipherMode.CFB) when feedback == 128 => Interop.Crypto.EvpAes256Cfb128(),
+
+                _ => throw (keySize == 128 || keySize == 192 || keySize == 256 ? (Exception)
+                        new NotSupportedException() :
+                        new CryptographicException(SR.Cryptography_InvalidKeySize)),
+            };
+    }
+}

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/AesImplementation.OpenSsl.cs

@@ -1,6 +1,10 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
 namespace System.Security.Cryptography
 {
     internal sealed partial class AesImplementation
@@ -35,6 +39,56 @@ private static OpenSslCipherLite CreateLiteCipher(
             return new OpenSslCipherLite(algorithm, blockSize, paddingSize, key, iv, encrypting);
         }
 
+        protected override void EncryptKeyWrapPaddedCore(ReadOnlySpan<byte> source, Span<byte> destination)
+        {
+            int written = KeyWrap(source, destination, enc: 1);
+            Debug.Assert(written == destination.Length);
+        }
+
+        protected override int DecryptKeyWrapPaddedCore(ReadOnlySpan<byte> source, Span<byte> destination)
+        {
+            return KeyWrap(source, destination, enc: 0);
+        }
+
+        private int KeyWrap(ReadOnlySpan<byte> source, Span<byte> destination, int enc)
+        {
+            Debug.Assert(enc is 0 or 1);
+
+            SafeEvpCipherCtxHandle ctx = GetKey().UseKey(
+                state: enc,
+                static (enc, key) =>
+                {
+                    int keySizeInBits = key.Length * 8;
+
+                    IntPtr algorithm = GetKeyWrapAlgorithm(keySizeInBits);
+
+                    return Interop.Crypto.EvpCipherCreate(
+                        algorithm,
+                        ref MemoryMarshal.GetReference(key),
+                        key.Length * 8,
+                        ref MemoryMarshal.GetReference(ReadOnlySpan<byte>.Empty),
+                        enc);
+                });
+
+            int written;
+
+            using (ctx)
+            {
+                bool ret = Interop.Crypto.EvpCipherUpdate(
+                    ctx,
+                    destination,
+                    out written,
+                    source);
+
+                if (!ret)
+                {
+                    throw Interop.Crypto.CreateOpenSslCryptographicException();
+                }
+            }
+
+            return written;
+        }
+
         private static IntPtr GetAlgorithm(int keySize, int feedback, CipherMode cipherMode) =>
             (keySize, cipherMode) switch
             {
@@ -59,5 +113,14 @@ private static IntPtr GetAlgorithm(int keySize, int feedback, CipherMode cipherM
                         new NotSupportedException() :
                         new CryptographicException(SR.Cryptography_InvalidKeySize)),
             };
+
+        private static IntPtr GetKeyWrapAlgorithm(int keySize) =>
+            keySize switch
+            {
+                128 => Interop.Crypto.EvpAes128WrapPad(),
+                192 => Interop.Crypto.EvpAes192WrapPad(),
+                256 => Interop.Crypto.EvpAes256WrapPad(),
+                _ => throw new CryptographicException(SR.Cryptography_InvalidKeySize),
+            };
     }
 }

src/native/libs/System.Security.Cryptography.Native/entrypoints.c

@@ -100,18 +100,21 @@ static const Entry s_cryptoNative[] =
     DllImportEntry(CryptoNative_EvpAes128Cfb8)
     DllImportEntry(CryptoNative_EvpAes128Ecb)
     DllImportEntry(CryptoNative_EvpAes128Gcm)
+    DllImportEntry(CryptoNative_EvpAes128WrapPad)
     DllImportEntry(CryptoNative_EvpAes192Cbc)
     DllImportEntry(CryptoNative_EvpAes192Ccm)
     DllImportEntry(CryptoNative_EvpAes192Cfb128)
     DllImportEntry(CryptoNative_EvpAes192Cfb8)
     DllImportEntry(CryptoNative_EvpAes192Ecb)
     DllImportEntry(CryptoNative_EvpAes192Gcm)
+    DllImportEntry(CryptoNative_EvpAes192WrapPad)
     DllImportEntry(CryptoNative_EvpAes256Cbc)
     DllImportEntry(CryptoNative_EvpAes256Ccm)
     DllImportEntry(CryptoNative_EvpAes256Cfb128)
     DllImportEntry(CryptoNative_EvpAes256Cfb8)
     DllImportEntry(CryptoNative_EvpAes256Ecb)
     DllImportEntry(CryptoNative_EvpAes256Gcm)
+    DllImportEntry(CryptoNative_EvpAes256WrapPad)
     DllImportEntry(CryptoNative_EvpChaCha20Poly1305)
     DllImportEntry(CryptoNative_EvpCipherCreate2)
     DllImportEntry(CryptoNative_EvpCipherCreatePartial)

src/native/libs/System.Security.Cryptography.Native/opensslshim.h

@@ -453,18 +453,21 @@ extern bool g_libSslUses32BitTime;
     REQUIRED_FUNCTION(EVP_aes_128_cfb8) \
     REQUIRED_FUNCTION(EVP_aes_128_ecb) \
     REQUIRED_FUNCTION(EVP_aes_128_gcm) \
+    REQUIRED_FUNCTION(EVP_aes_128_wrap_pad) \
     REQUIRED_FUNCTION(EVP_aes_192_cbc) \
     REQUIRED_FUNCTION(EVP_aes_192_ccm) \
     REQUIRED_FUNCTION(EVP_aes_192_cfb128) \
     REQUIRED_FUNCTION(EVP_aes_192_cfb8) \
     REQUIRED_FUNCTION(EVP_aes_192_ecb) \
     REQUIRED_FUNCTION(EVP_aes_192_gcm) \
+    REQUIRED_FUNCTION(EVP_aes_192_wrap_pad) \
     REQUIRED_FUNCTION(EVP_aes_256_cbc) \
     REQUIRED_FUNCTION(EVP_aes_256_ccm) \
     REQUIRED_FUNCTION(EVP_aes_256_cfb128) \
     REQUIRED_FUNCTION(EVP_aes_256_cfb8) \
     REQUIRED_FUNCTION(EVP_aes_256_ecb) \
     REQUIRED_FUNCTION(EVP_aes_256_gcm) \
+    REQUIRED_FUNCTION(EVP_aes_256_wrap_pad) \
     LIGHTUP_FUNCTION(EVP_chacha20_poly1305) \
     LEGACY_FUNCTION(EVP_CIPHER_CTX_cleanup) \
     REQUIRED_FUNCTION(EVP_CIPHER_CTX_ctrl) \
@@ -1025,18 +1028,21 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define EVP_aes_128_ecb EVP_aes_128_ecb_ptr
 #define EVP_aes_128_gcm EVP_aes_128_gcm_ptr
 #define EVP_aes_128_ccm EVP_aes_128_ccm_ptr
+#define EVP_aes_128_wrap_pad EVP_aes_128_wrap_pad_ptr
 #define EVP_aes_192_cbc EVP_aes_192_cbc_ptr
 #define EVP_aes_192_cfb8 EVP_aes_192_cfb8_ptr
 #define EVP_aes_192_cfb128 EVP_aes_192_cfb128_ptr
 #define EVP_aes_192_ecb EVP_aes_192_ecb_ptr
 #define EVP_aes_192_gcm EVP_aes_192_gcm_ptr
 #define EVP_aes_192_ccm EVP_aes_192_ccm_ptr
+#define EVP_aes_192_wrap_pad EVP_aes_192_wrap_pad_ptr
 #define EVP_aes_256_cbc EVP_aes_256_cbc_ptr
 #define EVP_aes_256_cfb8 EVP_aes_256_cfb8_ptr
 #define EVP_aes_256_cfb128 EVP_aes_256_cfb128_ptr
 #define EVP_aes_256_ecb EVP_aes_256_ecb_ptr
 #define EVP_aes_256_gcm EVP_aes_256_gcm_ptr
 #define EVP_aes_256_ccm EVP_aes_256_ccm_ptr
+#define EVP_aes_256_wrap_pad EVP_aes_256_wrap_pad_ptr
 #define EVP_chacha20_poly1305 EVP_chacha20_poly1305_ptr
 #define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_cleanup_ptr
 #define EVP_CIPHER_CTX_ctrl EVP_CIPHER_CTX_ctrl_ptr

src/native/libs/System.Security.Cryptography.Native/pal_evp_cipher.c

@@ -275,6 +275,12 @@ const EVP_CIPHER* CryptoNative_EvpAes128Ccm(void)
     return EVP_aes_128_ccm();
 }
 
+const EVP_CIPHER* CryptoNative_EvpAes128WrapPad(void)
+{
+    // No error queue impact.
+    return EVP_aes_128_wrap_pad();
+}
+
 const EVP_CIPHER* CryptoNative_EvpAes192Ecb(void)
 {
     // No error queue impact.
@@ -311,6 +317,12 @@ const EVP_CIPHER* CryptoNative_EvpAes192Ccm(void)
     return EVP_aes_192_ccm();
 }
 
+const EVP_CIPHER* CryptoNative_EvpAes192WrapPad(void)
+{
+    // No error queue impact.
+    return EVP_aes_192_wrap_pad();
+}
+
 const EVP_CIPHER* CryptoNative_EvpAes256Ecb(void)
 {
     // No error queue impact.
@@ -347,6 +359,12 @@ const EVP_CIPHER* CryptoNative_EvpAes256Ccm(void)
     return EVP_aes_256_ccm();
 }
 
+const EVP_CIPHER* CryptoNative_EvpAes256WrapPad(void)
+{
+    // No error queue impact.
+    return EVP_aes_256_wrap_pad();
+}
+
 const EVP_CIPHER* CryptoNative_EvpDesEcb(void)
 {
     // No error queue impact.

src/native/libs/System.Security.Cryptography.Native/pal_evp_cipher.h

@@ -158,6 +158,14 @@ Direct shim to EVP_aes_128_ccm.
 */
 PALEXPORT const EVP_CIPHER* CryptoNative_EvpAes128Ccm(void);
 
+/*
+Function:
+EvpAes128WrapPad
+
+Direct shim to EVP_aes_128_wrap_pad.
+*/
+PALEXPORT const EVP_CIPHER* CryptoNative_EvpAes128WrapPad(void);
+
 /*
 Function:
 EvpAes192Ecb
@@ -206,6 +214,14 @@ Direct shim to EVP_aes_192_ccm.
 */
 PALEXPORT const EVP_CIPHER* CryptoNative_EvpAes192Ccm(void);
 
+/*
+Function:
+EvpAes192WrapPad
+
+Direct shim to EVP_aes_192_wrap_pad.
+*/
+PALEXPORT const EVP_CIPHER* CryptoNative_EvpAes192WrapPad(void);
+
 /*
 Function:
 EvpAes256Ecb
@@ -254,6 +270,14 @@ Direct shim to EVP_aes_256_ccm.
 */
 PALEXPORT const EVP_CIPHER* CryptoNative_EvpAes256Ccm(void);
 
+/*
+Function:
+EvpAes256WrapPad
+
+Direct shim to EVP_aes_256_wrap_pad.
+*/
+PALEXPORT const EVP_CIPHER* CryptoNative_EvpAes256WrapPad(void);
+
 /*
 Function:
 EvpDes3Ecb