/src/boringssl/crypto/cipher/e_tls.cc
Line | Count | Source |
1 | | // Copyright 2014 The BoringSSL Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <assert.h> |
16 | | #include <limits.h> |
17 | | #include <string.h> |
18 | | |
19 | | #include <openssl/aead.h> |
20 | | #include <openssl/cipher.h> |
21 | | #include <openssl/err.h> |
22 | | #include <openssl/hmac.h> |
23 | | #include <openssl/md5.h> |
24 | | #include <openssl/mem.h> |
25 | | #include <openssl/sha.h> |
26 | | #include <openssl/span.h> |
27 | | |
28 | | #include "../fipsmodule/cipher/internal.h" |
29 | | #include "../internal.h" |
30 | | #include "../mem_internal.h" |
31 | | #include "internal.h" |
32 | | |
33 | | |
34 | | using namespace bssl; |
35 | | |
36 | | typedef struct { |
37 | | EVP_CIPHER_CTX cipher_ctx; |
38 | | HMAC_CTX *hmac_ctx; |
39 | | // mac_key is the portion of the key used for the MAC. It is retained |
40 | | // separately for the constant-time CBC code. |
41 | | uint8_t mac_key[EVP_MAX_MD_SIZE]; |
42 | | uint8_t mac_key_len; |
43 | | // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit |
44 | | // IV. |
45 | | char implicit_iv; |
46 | | } AEAD_TLS_CTX; |
47 | | |
48 | | static_assert(EVP_MAX_MD_SIZE < 256, "mac_key_len does not fit in uint8_t"); |
49 | | |
50 | | static_assert(sizeof(((EVP_AEAD_CTX *)nullptr)->state) >= sizeof(AEAD_TLS_CTX), |
51 | | "AEAD state is too small"); |
52 | | static_assert(alignof(union evp_aead_ctx_st_state) >= alignof(AEAD_TLS_CTX), |
53 | | "AEAD state has insufficient alignment"); |
54 | | |
55 | 33.1k | static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) { |
56 | 33.1k | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
57 | 33.1k | EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx); |
58 | 33.1k | HMAC_CTX_free(tls_ctx->hmac_ctx); |
59 | 33.1k | } |
60 | | |
61 | | static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, |
62 | | size_t tag_len, enum evp_aead_direction_t dir, |
63 | | const EVP_CIPHER *cipher, const EVP_MD *md, |
64 | 33.1k | char implicit_iv) { |
65 | 33.1k | if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { |
66 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); |
67 | 0 | return 0; |
68 | 0 | } |
69 | | |
70 | 33.1k | if (key_len != EVP_AEAD_key_length(ctx->aead)) { |
71 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); |
72 | 0 | return 0; |
73 | 0 | } |
74 | | |
75 | 33.1k | size_t mac_key_len = EVP_MD_size(md); |
76 | 33.1k | size_t enc_key_len = EVP_CIPHER_key_length(cipher); |
77 | 33.1k | assert(mac_key_len + enc_key_len + |
78 | 33.1k | (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == |
79 | 33.1k | key_len); |
80 | | |
81 | 33.1k | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
82 | 33.1k | tls_ctx->hmac_ctx = HMAC_CTX_new(); |
83 | 33.1k | if (!tls_ctx->hmac_ctx) { |
84 | 0 | return 0; |
85 | 0 | } |
86 | 33.1k | EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx); |
87 | 33.1k | assert(mac_key_len <= EVP_MAX_MD_SIZE); |
88 | 33.1k | OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len); |
89 | 33.1k | tls_ctx->mac_key_len = (uint8_t)mac_key_len; |
90 | 33.1k | tls_ctx->implicit_iv = implicit_iv; |
91 | | |
92 | 33.1k | if (!EVP_CipherInit_ex( |
93 | 33.1k | &tls_ctx->cipher_ctx, cipher, nullptr, &key[mac_key_len], |
94 | 33.1k | implicit_iv ? &key[mac_key_len + enc_key_len] : nullptr, |
95 | 33.1k | dir == evp_aead_seal) || |
96 | 33.1k | !HMAC_Init_ex(tls_ctx->hmac_ctx, key, mac_key_len, md, nullptr)) { |
97 | 0 | aead_tls_cleanup(ctx); |
98 | 0 | return 0; |
99 | 0 | } |
100 | 33.1k | EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0); |
101 | | |
102 | 33.1k | return 1; |
103 | 33.1k | } |
104 | | |
105 | 7.30k | static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len) { |
106 | 7.30k | const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
107 | 7.30k | assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE); |
108 | | |
109 | 7.30k | const size_t hmac_len = HMAC_size(tls_ctx->hmac_ctx); |
110 | 7.30k | const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); |
111 | | // An overflow of |in_len + hmac_len| doesn't affect the result mod |
112 | | // |block_size|, provided that |block_size| is a smaller power of two. |
113 | 7.30k | assert(block_size == 8 /*3DES*/ || block_size == 16 /*AES*/); |
114 | 7.30k | const size_t pad_len = block_size - ((in_len + hmac_len) & (block_size - 1)); |
115 | 7.30k | return hmac_len + pad_len; |
116 | 7.30k | } |
117 | | |
118 | | static int aead_tls_sealv(const EVP_AEAD_CTX *ctx, |
119 | | Span<const CRYPTO_IOVEC> iovecs, |
120 | | Span<uint8_t> out_tag, size_t *out_tag_len, |
121 | | Span<const uint8_t> nonce, |
122 | 1.21k | Span<const CRYPTO_IVEC> aadvecs) { |
123 | 1.21k | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
124 | | |
125 | 1.21k | if (!tls_ctx->cipher_ctx.encrypt) { |
126 | | // Unlike a normal AEAD, a TLS AEAD may only be used in one direction. |
127 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); |
128 | 0 | return 0; |
129 | 0 | } |
130 | | |
131 | 1.21k | size_t in_len = bssl::iovec::TotalLength(iovecs); |
132 | 1.21k | if (out_tag.size() < aead_tls_tag_len(ctx, in_len)) { |
133 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
134 | 0 | return 0; |
135 | 0 | } |
136 | | |
137 | 1.21k | if (nonce.size() != EVP_AEAD_nonce_length(ctx->aead)) { |
138 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
139 | 0 | return 0; |
140 | 0 | } |
141 | | |
142 | 1.21k | size_t ad_len = bssl::iovec::TotalLength(aadvecs); |
143 | 1.21k | if (ad_len != 13 - 2 /* length bytes */) { |
144 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); |
145 | 0 | return 0; |
146 | 0 | } |
147 | | |
148 | | // To allow for CBC mode which changes cipher length, |ad| doesn't include the |
149 | | // length for legacy ciphers. |
150 | 1.21k | uint8_t ad_extra[2]; |
151 | 1.21k | CRYPTO_store_u16_be(ad_extra, static_cast<uint16_t>(in_len)); |
152 | | |
153 | | // Compute the MAC. This must be first in case the operation is being done |
154 | | // in-place. |
155 | 1.21k | uint8_t mac[EVP_MAX_MD_SIZE]; |
156 | 1.21k | if (!HMAC_Init_ex(tls_ctx->hmac_ctx, nullptr, 0, nullptr, nullptr)) { |
157 | 0 | return 0; |
158 | 0 | } |
159 | 1.21k | for (const CRYPTO_IVEC &aadvec : aadvecs) { |
160 | 1.21k | if (!HMAC_Update(tls_ctx->hmac_ctx, aadvec.in, aadvec.len)) { |
161 | 0 | return 0; |
162 | 0 | } |
163 | 1.21k | } |
164 | 1.21k | if (!HMAC_Update(tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra))) { |
165 | 0 | return 0; |
166 | 0 | } |
167 | 1.21k | for (const CRYPTO_IOVEC &iovec : iovecs) { |
168 | 1.21k | if (!HMAC_Update(tls_ctx->hmac_ctx, iovec.in, iovec.len)) { |
169 | 0 | return 0; |
170 | 0 | } |
171 | 1.21k | } |
172 | 1.21k | unsigned mac_len; |
173 | 1.21k | if (!HMAC_Final(tls_ctx->hmac_ctx, mac, &mac_len)) { |
174 | 0 | return 0; |
175 | 0 | } |
176 | | |
177 | | // Configure the explicit IV. |
178 | 1.21k | assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE); |
179 | 1.21k | if (!tls_ctx->implicit_iv && |
180 | 947 | !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, nullptr, nullptr, nullptr, |
181 | 947 | nonce.data())) { |
182 | 0 | return 0; |
183 | 0 | } |
184 | | |
185 | 1.21k | size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); |
186 | 1.21k | assert(block_size == 8 /*3DES*/ || block_size == 16 /*AES*/); |
187 | | |
188 | | // Encrypt the input. |
189 | 1.21k | size_t len = 0; |
190 | 1.21k | size_t tag_len = 0; |
191 | 1.21k | if (!bssl::iovec::ForEachBlockRange_Dynamic</*WriteOut=*/true>( |
192 | 1.21k | block_size, iovecs, |
193 | 1.21k | [&](const uint8_t *in, uint8_t *out, size_t chunk_len) { |
194 | | // Complete block(s). |
195 | 0 | size_t out_len; |
196 | 0 | if (!EVP_EncryptUpdate_ex(&tls_ctx->cipher_ctx, out, &out_len, |
197 | 0 | chunk_len, in, chunk_len)) { |
198 | 0 | return false; |
199 | 0 | } |
200 | 0 | assert(out_len == chunk_len); |
201 | 0 | len += out_len; |
202 | 0 | return true; |
203 | 0 | }, |
204 | 1.21k | [&](const uint8_t *in, uint8_t *out, size_t chunk_len) { |
205 | | // Final chunk, possibly with a partial block. |
206 | 1.21k | size_t out_len; |
207 | 1.21k | if (!EVP_EncryptUpdate_ex(&tls_ctx->cipher_ctx, out, &out_len, |
208 | 1.21k | chunk_len, in, chunk_len)) { |
209 | 0 | return false; |
210 | 0 | } |
211 | 1.21k | len += out_len; |
212 | 1.21k | size_t remaining = chunk_len - out_len; |
213 | 1.21k | assert(remaining < block_size); |
214 | 1.21k | if (remaining == 0) { |
215 | 761 | return true; |
216 | 761 | } |
217 | | |
218 | | // Feed the MAC into the cipher in two steps. First complete the |
219 | | // final partial block from encrypting the input and split the |
220 | | // result between |out| and |out_tag|. Then feed the rest. |
221 | 457 | const size_t early_mac_len = block_size - remaining; |
222 | 457 | assert(early_mac_len < block_size); |
223 | 457 | assert(len + block_size - early_mac_len == in_len); |
224 | 457 | uint8_t buf[EVP_MAX_BLOCK_LENGTH]; |
225 | 457 | size_t buf_len; |
226 | 457 | if (!EVP_EncryptUpdate_ex(&tls_ctx->cipher_ctx, buf, &buf_len, |
227 | 457 | sizeof(buf), mac, early_mac_len)) { |
228 | 0 | return false; |
229 | 0 | } |
230 | 457 | assert(buf_len == block_size); |
231 | 457 | OPENSSL_memcpy(out + out_len, buf, remaining); |
232 | 457 | OPENSSL_memcpy(out_tag.data(), buf + remaining, early_mac_len); |
233 | 457 | tag_len = early_mac_len; |
234 | 457 | return true; |
235 | 457 | })) { |
236 | 0 | return 0; |
237 | 0 | } |
238 | | |
239 | 1.21k | if (!EVP_EncryptUpdate_ex(&tls_ctx->cipher_ctx, out_tag.data() + tag_len, |
240 | 1.21k | &len, out_tag.size() - tag_len, mac + tag_len, |
241 | 1.21k | mac_len - tag_len)) { |
242 | 0 | return 0; |
243 | 0 | } |
244 | 1.21k | tag_len += len; |
245 | | |
246 | | // Compute padding and feed that into the cipher. |
247 | 1.21k | uint8_t padding[256]; |
248 | 1.21k | unsigned padding_len = block_size - ((in_len + mac_len) & (block_size - 1)); |
249 | 1.21k | OPENSSL_memset(padding, padding_len - 1, padding_len); |
250 | 1.21k | if (!EVP_EncryptUpdate_ex(&tls_ctx->cipher_ctx, out_tag.data() + tag_len, |
251 | 1.21k | &len, out_tag.size() - tag_len, padding, |
252 | 1.21k | padding_len)) { |
253 | 0 | return 0; |
254 | 0 | } |
255 | 1.21k | tag_len += len; |
256 | | |
257 | 1.21k | if (!EVP_EncryptFinal_ex2(&tls_ctx->cipher_ctx, out_tag.data() + tag_len, |
258 | 1.21k | &len, out_tag.size() - tag_len)) { |
259 | 0 | return 0; |
260 | 0 | } |
261 | 1.21k | assert(len == 0); // Padding is explicit. |
262 | 1.21k | assert(tag_len == aead_tls_tag_len(ctx, in_len)); |
263 | | |
264 | 1.21k | *out_tag_len = tag_len; |
265 | 1.21k | return 1; |
266 | 1.21k | } |
267 | | |
268 | | static int aead_tls_openv(const EVP_AEAD_CTX *ctx, |
269 | | Span<const CRYPTO_IOVEC> iovecs, |
270 | | size_t *out_total_bytes, Span<const uint8_t> nonce, |
271 | 4.02k | Span<const CRYPTO_IVEC> aadvecs) { |
272 | 4.02k | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
273 | | |
274 | 4.02k | if (tls_ctx->cipher_ctx.encrypt) { |
275 | | // Unlike a normal AEAD, a TLS AEAD may only be used in one direction. |
276 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); |
277 | 0 | return 0; |
278 | 0 | } |
279 | | |
280 | 4.02k | size_t in_len = bssl::iovec::TotalLength(iovecs); |
281 | 4.02k | if (in_len < HMAC_size(tls_ctx->hmac_ctx)) { |
282 | 28 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
283 | 28 | return 0; |
284 | 28 | } |
285 | | |
286 | 4.00k | if (nonce.size() != EVP_AEAD_nonce_length(ctx->aead)) { |
287 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
288 | 0 | return 0; |
289 | 0 | } |
290 | | |
291 | 4.00k | size_t ad_len = bssl::iovec::TotalLength(aadvecs); |
292 | 4.00k | if (ad_len != 13 - 2 /* length bytes */) { |
293 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); |
294 | 0 | return 0; |
295 | 0 | } |
296 | | |
297 | | // Configure the explicit IV. |
298 | 4.00k | assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE); |
299 | 4.00k | if (!tls_ctx->implicit_iv && |
300 | 832 | !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, nullptr, nullptr, nullptr, |
301 | 832 | nonce.data())) { |
302 | 0 | return 0; |
303 | 0 | } |
304 | | |
305 | | // Decrypt to get the plaintext + MAC + padding. |
306 | 4.00k | size_t total = 0; |
307 | 4.00k | size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); |
308 | 4.00k | auto decrypt_update = [&](const uint8_t *in, uint8_t *out, size_t len) { |
309 | 4.00k | size_t out_len; |
310 | 4.00k | if (!EVP_DecryptUpdate_ex(&tls_ctx->cipher_ctx, out, &out_len, len, in, |
311 | 4.00k | len)) { |
312 | 0 | return false; |
313 | 0 | } |
314 | 4.00k | CONSTTIME_SECRET(out, out_len); |
315 | 4.00k | if (out_len != len) { |
316 | | // A byte sequence that was not a multiple of the block size was provided |
317 | | // as ciphertext. This is generally invalid and thus should be rejected. |
318 | 61 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
319 | 61 | return false; |
320 | 61 | } |
321 | 3.94k | total += len; |
322 | 3.94k | return true; |
323 | 4.00k | }; |
324 | 4.00k | if (!bssl::iovec::ForEachBlockRange_Dynamic</*WriteOut=*/true>( |
325 | 4.00k | block_size, iovecs, decrypt_update, decrypt_update)) { |
326 | 61 | return false; |
327 | 61 | } |
328 | 4.00k | assert(total == in_len); |
329 | | |
330 | 3.94k | const size_t mac_len = HMAC_size(tls_ctx->hmac_ctx); |
331 | | |
332 | | // Split the decrypted record into |iovecs_without_trailer| and |trailer|, |
333 | | // based on the public lower bound of where the plaintext ends. The plaintext |
334 | | // is followed by |mac_len| and then at most 256 bytes of padding. |
335 | 3.94k | InplaceVector<CRYPTO_IOVEC, CRYPTO_IOVEC_MAX> iovecs_without_trailer; |
336 | 3.94k | iovecs_without_trailer.CopyFrom(iovecs); |
337 | 3.94k | uint8_t trailer_buf[EVP_MAX_MD_SIZE + 256]; |
338 | 3.94k | const size_t trailer_len = std::min(in_len, mac_len + 256); |
339 | 3.94k | std::optional<Span<const uint8_t>> trailer = bssl::iovec::GetAndRemoveOutSuffix( |
340 | 3.94k | Span(trailer_buf).first(trailer_len), Span(iovecs_without_trailer)); |
341 | 3.94k | BSSL_CHECK(trailer.has_value()); |
342 | | |
343 | | // Remove CBC padding. Code from here on is timing-sensitive with respect to |
344 | | // |padding_ok|, |trailer_minus_padding|, and derived values. |
345 | 3.94k | crypto_word_t padding_ok; |
346 | 3.94k | size_t trailer_minus_padding; |
347 | 3.94k | if (!EVP_tls_cbc_remove_padding(&padding_ok, &trailer_minus_padding, |
348 | 3.94k | trailer->data(), trailer->size(), block_size, |
349 | 3.94k | mac_len)) { |
350 | | // Publicly invalid. This can be rejected in non-constant time. |
351 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
352 | 0 | return 0; |
353 | 0 | } |
354 | | |
355 | | // If the padding is valid, |trailer->first(trailer_minus_padding)| is the |
356 | | // last bytes of plaintext and the MAC. Otherwise, it is still large enough to |
357 | | // extract a MAC, but it will be irrelevant. Note that |trailer_minus_padding| |
358 | | // is secret. |
359 | 3.94k | declassify_assert(trailer_minus_padding >= mac_len); |
360 | 3.94k | size_t data_in_trailer_len = trailer_minus_padding - mac_len; |
361 | 3.94k | size_t max_data_in_trailer_len = trailer->size() - mac_len; |
362 | 3.94k | size_t data_len = total - trailer->size() + data_in_trailer_len; |
363 | | |
364 | | // To allow for CBC mode which changes cipher length, |ad_len| doesn't |
365 | | // include the length for legacy ciphers. |
366 | 3.94k | uint8_t ad_extra[2]; |
367 | 3.94k | CRYPTO_store_u16_be(ad_extra, static_cast<uint16_t>(data_len)); |
368 | | |
369 | | // Compute the MAC and extract the one in the record. |
370 | 3.94k | uint8_t mac[EVP_MAX_MD_SIZE]; |
371 | 3.94k | size_t got_mac_len; |
372 | 3.94k | assert(EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx->md)); |
373 | 3.94k | if (!EVP_tls_cbc_digest_record( |
374 | 3.94k | tls_ctx->hmac_ctx->md, mac, &got_mac_len, ad_extra, aadvecs, |
375 | 3.94k | iovecs_without_trailer, trailer->first(max_data_in_trailer_len), |
376 | 3.94k | data_in_trailer_len, tls_ctx->mac_key, tls_ctx->mac_key_len)) { |
377 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
378 | 0 | return 0; |
379 | 0 | } |
380 | 3.94k | assert(got_mac_len == mac_len); |
381 | | |
382 | 3.94k | uint8_t record_mac[EVP_MAX_MD_SIZE]; |
383 | 3.94k | EVP_tls_cbc_copy_mac(record_mac, mac_len, trailer->data(), |
384 | 3.94k | trailer_minus_padding, trailer->size()); |
385 | | |
386 | | // Perform the MAC check and the padding check in constant-time. It should be |
387 | | // safe to simply perform the padding check first, but it would not be under a |
388 | | // different choice of MAC location on padding failure. See |
389 | | // EVP_tls_cbc_remove_padding. The value barrier seems to be necessary to |
390 | | // prevent a branch in Clang. |
391 | 3.94k | crypto_word_t good = value_barrier_w( |
392 | 3.94k | constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0)); |
393 | 3.94k | good &= padding_ok; |
394 | 3.94k | if (!constant_time_declassify_w(good)) { |
395 | 215 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
396 | 215 | return 0; |
397 | 215 | } |
398 | | |
399 | | // End of timing-sensitive code. |
400 | 3.72k | CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len)); |
401 | 3.72k | for (const CRYPTO_IOVEC &iovec : iovecs) { |
402 | 3.72k | CONSTTIME_DECLASSIFY(iovec.out, iovec.len); |
403 | 3.72k | } |
404 | | |
405 | 3.72k | *out_total_bytes = data_len; |
406 | 3.72k | return 1; |
407 | 3.94k | } |
408 | | |
409 | | static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
410 | | size_t key_len, size_t tag_len, |
411 | 2.50k | enum evp_aead_direction_t dir) { |
412 | 2.50k | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), |
413 | 2.50k | EVP_sha1(), 0); |
414 | 2.50k | } |
415 | | |
416 | | static int aead_aes_128_cbc_sha1_tls_implicit_iv_init( |
417 | | EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, |
418 | 790 | enum evp_aead_direction_t dir) { |
419 | 790 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), |
420 | 790 | EVP_sha1(), 1); |
421 | 790 | } |
422 | | |
423 | | static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx, |
424 | | const uint8_t *key, size_t key_len, |
425 | | size_t tag_len, |
426 | 0 | enum evp_aead_direction_t dir) { |
427 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), |
428 | 0 | EVP_sha256(), 0); |
429 | 0 | } |
430 | | |
431 | | static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
432 | | size_t key_len, size_t tag_len, |
433 | 24.4k | enum evp_aead_direction_t dir) { |
434 | 24.4k | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), |
435 | 24.4k | EVP_sha1(), 0); |
436 | 24.4k | } |
437 | | |
438 | | static int aead_aes_256_cbc_sha1_tls_implicit_iv_init( |
439 | | EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, |
440 | 1.88k | enum evp_aead_direction_t dir) { |
441 | 1.88k | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), |
442 | 1.88k | EVP_sha1(), 1); |
443 | 1.88k | } |
444 | | |
445 | | static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, |
446 | | const uint8_t *key, size_t key_len, |
447 | | size_t tag_len, |
448 | 3.42k | enum evp_aead_direction_t dir) { |
449 | 3.42k | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), |
450 | 3.42k | EVP_sha1(), 0); |
451 | 3.42k | } |
452 | | |
453 | | static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init( |
454 | | EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, |
455 | 91 | enum evp_aead_direction_t dir) { |
456 | 91 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), |
457 | 91 | EVP_sha1(), 1); |
458 | 91 | } |
459 | | |
460 | | static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv, |
461 | 0 | size_t *out_iv_len) { |
462 | 0 | const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
463 | 0 | const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx); |
464 | 0 | if (iv_len <= 1) { |
465 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
466 | 0 | return 0; |
467 | 0 | } |
468 | | |
469 | 0 | *out_iv = tls_ctx->cipher_ctx.iv; |
470 | 0 | *out_iv_len = iv_len; |
471 | 0 | return 1; |
472 | 0 | } |
473 | | |
474 | | static const EVP_AEAD aead_aes_128_cbc_sha1_tls = { |
475 | | SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128) |
476 | | 16, // nonce len (IV) |
477 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
478 | | SHA_DIGEST_LENGTH, // max tag length |
479 | | |
480 | | nullptr, // init |
481 | | aead_aes_128_cbc_sha1_tls_init, |
482 | | aead_tls_cleanup, |
483 | | aead_tls_openv, |
484 | | aead_tls_sealv, |
485 | | nullptr, // openv_detached |
486 | | nullptr, // get_iv |
487 | | aead_tls_tag_len, |
488 | | }; |
489 | | |
490 | | static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = { |
491 | | SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV) |
492 | | 0, // nonce len |
493 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
494 | | SHA_DIGEST_LENGTH, // max tag length |
495 | | |
496 | | nullptr, // init |
497 | | aead_aes_128_cbc_sha1_tls_implicit_iv_init, |
498 | | aead_tls_cleanup, |
499 | | aead_tls_openv, |
500 | | aead_tls_sealv, |
501 | | nullptr, // openv_detached |
502 | | aead_tls_get_iv, // get_iv |
503 | | aead_tls_tag_len, |
504 | | }; |
505 | | |
506 | | static const EVP_AEAD aead_aes_128_cbc_sha256_tls = { |
507 | | SHA256_DIGEST_LENGTH + 16, // key len (SHA256 + AES128) |
508 | | 16, // nonce len (IV) |
509 | | 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256) |
510 | | SHA256_DIGEST_LENGTH, // max tag length |
511 | | |
512 | | nullptr, // init |
513 | | aead_aes_128_cbc_sha256_tls_init, |
514 | | aead_tls_cleanup, |
515 | | aead_tls_openv, |
516 | | aead_tls_sealv, |
517 | | nullptr, // openv_detached |
518 | | nullptr, // get_iv |
519 | | aead_tls_tag_len, |
520 | | }; |
521 | | |
522 | | static const EVP_AEAD aead_aes_256_cbc_sha1_tls = { |
523 | | SHA_DIGEST_LENGTH + 32, // key len (SHA1 + AES256) |
524 | | 16, // nonce len (IV) |
525 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
526 | | SHA_DIGEST_LENGTH, // max tag length |
527 | | |
528 | | nullptr, // init |
529 | | aead_aes_256_cbc_sha1_tls_init, |
530 | | aead_tls_cleanup, |
531 | | aead_tls_openv, |
532 | | aead_tls_sealv, |
533 | | nullptr, // openv_detached |
534 | | nullptr, // get_iv |
535 | | aead_tls_tag_len, |
536 | | }; |
537 | | |
538 | | static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = { |
539 | | SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV) |
540 | | 0, // nonce len |
541 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
542 | | SHA_DIGEST_LENGTH, // max tag length |
543 | | |
544 | | nullptr, // init |
545 | | aead_aes_256_cbc_sha1_tls_implicit_iv_init, |
546 | | aead_tls_cleanup, |
547 | | aead_tls_openv, |
548 | | aead_tls_sealv, |
549 | | nullptr, // openv_detached |
550 | | aead_tls_get_iv, // get_iv |
551 | | aead_tls_tag_len, |
552 | | }; |
553 | | |
554 | | static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = { |
555 | | SHA_DIGEST_LENGTH + 24, // key len (SHA1 + 3DES) |
556 | | 8, // nonce len (IV) |
557 | | 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
558 | | SHA_DIGEST_LENGTH, // max tag length |
559 | | |
560 | | nullptr, // init |
561 | | aead_des_ede3_cbc_sha1_tls_init, |
562 | | aead_tls_cleanup, |
563 | | aead_tls_openv, |
564 | | aead_tls_sealv, |
565 | | nullptr, // openv_detached |
566 | | nullptr, // get_iv |
567 | | aead_tls_tag_len, |
568 | | }; |
569 | | |
570 | | static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = { |
571 | | SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV) |
572 | | 0, // nonce len |
573 | | 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
574 | | SHA_DIGEST_LENGTH, // max tag length |
575 | | |
576 | | nullptr, // init |
577 | | aead_des_ede3_cbc_sha1_tls_implicit_iv_init, |
578 | | aead_tls_cleanup, |
579 | | aead_tls_openv, |
580 | | aead_tls_sealv, |
581 | | nullptr, // openv_detached |
582 | | aead_tls_get_iv, // get_iv |
583 | | aead_tls_tag_len, |
584 | | }; |
585 | | |
586 | 5.00k | const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls() { |
587 | 5.00k | return &aead_aes_128_cbc_sha1_tls; |
588 | 5.00k | } |
589 | | |
590 | 1.58k | const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv() { |
591 | 1.58k | return &aead_aes_128_cbc_sha1_tls_implicit_iv; |
592 | 1.58k | } |
593 | | |
594 | 0 | const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls() { |
595 | 0 | return &aead_aes_128_cbc_sha256_tls; |
596 | 0 | } |
597 | | |
598 | 48.8k | const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls() { |
599 | 48.8k | return &aead_aes_256_cbc_sha1_tls; |
600 | 48.8k | } |
601 | | |
602 | 3.77k | const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv() { |
603 | 3.77k | return &aead_aes_256_cbc_sha1_tls_implicit_iv; |
604 | 3.77k | } |
605 | | |
606 | 6.84k | const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls() { |
607 | 6.84k | return &aead_des_ede3_cbc_sha1_tls; |
608 | 6.84k | } |
609 | | |
610 | 182 | const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv() { |
611 | 182 | return &aead_des_ede3_cbc_sha1_tls_implicit_iv; |
612 | 182 | } |