Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/cipher_extra/e_tls.c
Line
Count
Source (jump to first uncovered line)
1
/* Copyright (c) 2014, Google Inc.
2
 *
3
 * Permission to use, copy, modify, and/or distribute this software for any
4
 * purpose with or without fee is hereby granted, provided that the above
5
 * copyright notice and this permission notice appear in all copies.
6
 *
7
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15
#include <assert.h>
16
#include <limits.h>
17
#include <string.h>
18
19
#include <openssl/aead.h>
20
#include <openssl/cipher.h>
21
#include <openssl/err.h>
22
#include <openssl/hmac.h>
23
#include <openssl/md5.h>
24
#include <openssl/mem.h>
25
#include <openssl/sha.h>
26
27
#include "../fipsmodule/cipher/internal.h"
28
#include "../internal.h"
29
#include "internal.h"
30
31
32
typedef struct {
33
  EVP_CIPHER_CTX cipher_ctx;
34
  HMAC_CTX hmac_ctx;
35
  // mac_key is the portion of the key used for the MAC. It is retained
36
  // separately for the constant-time CBC code.
37
  uint8_t mac_key[EVP_MAX_MD_SIZE];
38
  uint8_t mac_key_len;
39
  // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
40
  // IV.
41
  char implicit_iv;
42
} AEAD_TLS_CTX;
43
44
static_assert(EVP_MAX_MD_SIZE < 256, "mac_key_len does not fit in uint8_t");
45
46
static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= sizeof(AEAD_TLS_CTX),
47
              "AEAD state is too small");
48
static_assert(alignof(union evp_aead_ctx_st_state) >= alignof(AEAD_TLS_CTX),
49
              "AEAD state has insufficient alignment");
50
51
0
static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
52
0
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
53
0
  EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
54
0
  HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
55
0
}
56
57
static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
58
                         size_t tag_len, enum evp_aead_direction_t dir,
59
                         const EVP_CIPHER *cipher, const EVP_MD *md,
60
0
                         char implicit_iv) {
61
0
  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
62
0
      tag_len != EVP_MD_size(md)) {
63
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
64
0
    return 0;
65
0
  }
66
67
0
  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
68
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
69
0
    return 0;
70
0
  }
71
72
0
  size_t mac_key_len = EVP_MD_size(md);
73
0
  size_t enc_key_len = EVP_CIPHER_key_length(cipher);
74
0
  assert(mac_key_len + enc_key_len +
75
0
         (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
76
77
0
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
78
0
  EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
79
0
  HMAC_CTX_init(&tls_ctx->hmac_ctx);
80
0
  assert(mac_key_len <= EVP_MAX_MD_SIZE);
81
0
  OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len);
82
0
  tls_ctx->mac_key_len = (uint8_t)mac_key_len;
83
0
  tls_ctx->implicit_iv = implicit_iv;
84
85
0
  if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
86
0
                         implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
87
0
                         dir == evp_aead_seal) ||
88
0
      !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
89
0
    aead_tls_cleanup(ctx);
90
0
    return 0;
91
0
  }
92
0
  EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
93
94
0
  return 1;
95
0
}
96
97
static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
98
0
                               const size_t extra_in_len) {
99
0
  assert(extra_in_len == 0);
100
0
  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
101
102
0
  const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx);
103
0
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
104
    // The NULL cipher.
105
0
    return hmac_len;
106
0
  }
107
108
0
  const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
109
  // An overflow of |in_len + hmac_len| doesn't affect the result mod
110
  // |block_size|, provided that |block_size| is a smaller power of two.
111
0
  assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
112
0
  const size_t pad_len = block_size - (in_len + hmac_len) % block_size;
113
0
  return hmac_len + pad_len;
114
0
}
115
116
static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
117
                                 uint8_t *out_tag, size_t *out_tag_len,
118
                                 const size_t max_out_tag_len,
119
                                 const uint8_t *nonce, const size_t nonce_len,
120
                                 const uint8_t *in, const size_t in_len,
121
                                 const uint8_t *extra_in,
122
                                 const size_t extra_in_len, const uint8_t *ad,
123
0
                                 const size_t ad_len) {
124
0
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
125
126
0
  if (!tls_ctx->cipher_ctx.encrypt) {
127
    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
128
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
129
0
    return 0;
130
0
  }
131
132
0
  if (in_len > INT_MAX) {
133
    // EVP_CIPHER takes int as input.
134
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
135
0
    return 0;
136
0
  }
137
138
0
  if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) {
139
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
140
0
    return 0;
141
0
  }
142
143
0
  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
144
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
145
0
    return 0;
146
0
  }
147
148
0
  if (ad_len != 13 - 2 /* length bytes */) {
149
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
150
0
    return 0;
151
0
  }
152
153
  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
154
  // length for legacy ciphers.
155
0
  uint8_t ad_extra[2];
156
0
  ad_extra[0] = (uint8_t)(in_len >> 8);
157
0
  ad_extra[1] = (uint8_t)(in_len & 0xff);
158
159
  // Compute the MAC. This must be first in case the operation is being done
160
  // in-place.
161
0
  uint8_t mac[EVP_MAX_MD_SIZE];
162
0
  unsigned mac_len;
163
0
  if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
164
0
      !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||
165
0
      !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||
166
0
      !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||
167
0
      !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {
168
0
    return 0;
169
0
  }
170
171
  // Configure the explicit IV.
172
0
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
173
0
      !tls_ctx->implicit_iv &&
174
0
      !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
175
0
    return 0;
176
0
  }
177
178
  // Encrypt the input.
179
0
  int len;
180
0
  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
181
0
    return 0;
182
0
  }
183
184
0
  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
185
186
  // Feed the MAC into the cipher in two steps. First complete the final partial
187
  // block from encrypting the input and split the result between |out| and
188
  // |out_tag|. Then feed the rest.
189
190
0
  const size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
191
0
  if (early_mac_len != 0) {
192
0
    assert(len + block_size - early_mac_len == in_len);
193
0
    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
194
0
    int buf_len;
195
0
    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,
196
0
                           (int)early_mac_len)) {
197
0
      return 0;
198
0
    }
199
0
    assert(buf_len == (int)block_size);
200
0
    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
201
0
    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
202
0
  }
203
0
  size_t tag_len = early_mac_len;
204
205
0
  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
206
0
                         mac + tag_len, mac_len - tag_len)) {
207
0
    return 0;
208
0
  }
209
0
  tag_len += len;
210
211
0
  if (block_size > 1) {
212
0
    assert(block_size <= 256);
213
0
    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
214
215
    // Compute padding and feed that into the cipher.
216
0
    uint8_t padding[256];
217
0
    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
218
0
    OPENSSL_memset(padding, padding_len - 1, padding_len);
219
0
    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
220
0
                           padding, (int)padding_len)) {
221
0
      return 0;
222
0
    }
223
0
    tag_len += len;
224
0
  }
225
226
0
  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
227
0
    return 0;
228
0
  }
229
0
  assert(len == 0);  // Padding is explicit.
230
0
  assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));
231
232
0
  *out_tag_len = tag_len;
233
0
  return 1;
234
0
}
235
236
static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
237
                         size_t max_out_len, const uint8_t *nonce,
238
                         size_t nonce_len, const uint8_t *in, size_t in_len,
239
0
                         const uint8_t *ad, size_t ad_len) {
240
0
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
241
242
0
  if (tls_ctx->cipher_ctx.encrypt) {
243
    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
244
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
245
0
    return 0;
246
0
  }
247
248
0
  if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
249
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
250
0
    return 0;
251
0
  }
252
253
0
  if (max_out_len < in_len) {
254
    // This requires that the caller provide space for the MAC, even though it
255
    // will always be removed on return.
256
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
257
0
    return 0;
258
0
  }
259
260
0
  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
261
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
262
0
    return 0;
263
0
  }
264
265
0
  if (ad_len != 13 - 2 /* length bytes */) {
266
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
267
0
    return 0;
268
0
  }
269
270
0
  if (in_len > INT_MAX) {
271
    // EVP_CIPHER takes int as input.
272
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
273
0
    return 0;
274
0
  }
275
276
  // Configure the explicit IV.
277
0
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
278
0
      !tls_ctx->implicit_iv &&
279
0
      !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
280
0
    return 0;
281
0
  }
282
283
  // Decrypt to get the plaintext + MAC + padding.
284
0
  size_t total = 0;
285
0
  int len;
286
0
  if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
287
0
    return 0;
288
0
  }
289
0
  total += len;
290
0
  if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
291
0
    return 0;
292
0
  }
293
0
  total += len;
294
0
  assert(total == in_len);
295
296
0
  CONSTTIME_SECRET(out, total);
297
298
  // Remove CBC padding. Code from here on is timing-sensitive with respect to
299
  // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
300
0
  size_t data_plus_mac_len;
301
0
  crypto_word_t padding_ok;
302
0
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
303
0
    if (!EVP_tls_cbc_remove_padding(
304
0
            &padding_ok, &data_plus_mac_len, out, total,
305
0
            EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
306
0
            HMAC_size(&tls_ctx->hmac_ctx))) {
307
      // Publicly invalid. This can be rejected in non-constant time.
308
0
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
309
0
      return 0;
310
0
    }
311
0
  } else {
312
0
    padding_ok = CONSTTIME_TRUE_W;
313
0
    data_plus_mac_len = total;
314
    // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
315
    // already been checked against the MAC size at the top of the function.
316
0
    assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
317
0
  }
318
0
  size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
319
320
  // At this point, if the padding is valid, the first |data_plus_mac_len| bytes
321
  // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
322
  // still large enough to extract a MAC, but it will be irrelevant.
323
324
  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
325
  // length for legacy ciphers.
326
0
  uint8_t ad_fixed[13];
327
0
  OPENSSL_memcpy(ad_fixed, ad, 11);
328
0
  ad_fixed[11] = (uint8_t)(data_len >> 8);
329
0
  ad_fixed[12] = (uint8_t)(data_len & 0xff);
330
0
  ad_len += 2;
331
332
  // Compute the MAC and extract the one in the record.
333
0
  uint8_t mac[EVP_MAX_MD_SIZE];
334
0
  size_t mac_len;
335
0
  uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
336
0
  uint8_t *record_mac;
337
0
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
338
0
      EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {
339
0
    if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
340
0
                                   ad_fixed, out, data_len, total,
341
0
                                   tls_ctx->mac_key, tls_ctx->mac_key_len)) {
342
0
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
343
0
      return 0;
344
0
    }
345
0
    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
346
347
0
    record_mac = record_mac_tmp;
348
0
    EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
349
0
  } else {
350
    // We should support the constant-time path for all CBC-mode ciphers
351
    // implemented.
352
0
    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
353
354
0
    unsigned mac_len_u;
355
0
    if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
356
0
        !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||
357
0
        !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||
358
0
        !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {
359
0
      return 0;
360
0
    }
361
0
    mac_len = mac_len_u;
362
363
0
    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
364
0
    record_mac = &out[data_len];
365
0
  }
366
367
  // Perform the MAC check and the padding check in constant-time. It should be
368
  // safe to simply perform the padding check first, but it would not be under a
369
  // different choice of MAC location on padding failure. See
370
  // EVP_tls_cbc_remove_padding.
371
0
  crypto_word_t good =
372
0
      constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
373
0
  good &= padding_ok;
374
0
  CONSTTIME_DECLASSIFY(&good, sizeof(good));
375
0
  if (!good) {
376
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
377
0
    return 0;
378
0
  }
379
380
0
  CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len));
381
0
  CONSTTIME_DECLASSIFY(out, data_len);
382
383
  // End of timing-sensitive code.
384
385
0
  *out_len = data_len;
386
0
  return 1;
387
0
}
388
389
static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
390
                                          size_t key_len, size_t tag_len,
391
0
                                          enum evp_aead_direction_t dir) {
392
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
393
0
                       EVP_sha1(), 0);
394
0
}
395
396
static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
397
    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
398
0
    enum evp_aead_direction_t dir) {
399
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
400
0
                       EVP_sha1(), 1);
401
0
}
402
403
static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
404
                                            const uint8_t *key, size_t key_len,
405
                                            size_t tag_len,
406
0
                                            enum evp_aead_direction_t dir) {
407
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
408
0
                       EVP_sha256(), 0);
409
0
}
410
411
static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
412
                                          size_t key_len, size_t tag_len,
413
0
                                          enum evp_aead_direction_t dir) {
414
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
415
0
                       EVP_sha1(), 0);
416
0
}
417
418
static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
419
    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
420
0
    enum evp_aead_direction_t dir) {
421
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
422
0
                       EVP_sha1(), 1);
423
0
}
424
425
static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
426
                                           const uint8_t *key, size_t key_len,
427
                                           size_t tag_len,
428
0
                                           enum evp_aead_direction_t dir) {
429
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
430
0
                       EVP_sha1(), 0);
431
0
}
432
433
static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
434
    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
435
0
    enum evp_aead_direction_t dir) {
436
0
  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
437
0
                       EVP_sha1(), 1);
438
0
}
439
440
static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
441
0
                           size_t *out_iv_len) {
442
0
  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
443
0
  const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
444
0
  if (iv_len <= 1) {
445
0
    OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
446
0
    return 0;
447
0
  }
448
449
0
  *out_iv = tls_ctx->cipher_ctx.iv;
450
0
  *out_iv_len = iv_len;
451
0
  return 1;
452
0
}
453
454
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
455
    SHA_DIGEST_LENGTH + 16,  // key len (SHA1 + AES128)
456
    16,                      // nonce len (IV)
457
    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
458
    SHA_DIGEST_LENGTH,       // max tag length
459
    0,                       // seal_scatter_supports_extra_in
460
461
    NULL,  // init
462
    aead_aes_128_cbc_sha1_tls_init,
463
    aead_tls_cleanup,
464
    aead_tls_open,
465
    aead_tls_seal_scatter,
466
    NULL,  // open_gather
467
    NULL,  // get_iv
468
    aead_tls_tag_len,
469
};
470
471
static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
472
    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
473
    0,                            // nonce len
474
    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
475
    SHA_DIGEST_LENGTH,            // max tag length
476
    0,                            // seal_scatter_supports_extra_in
477
478
    NULL,  // init
479
    aead_aes_128_cbc_sha1_tls_implicit_iv_init,
480
    aead_tls_cleanup,
481
    aead_tls_open,
482
    aead_tls_seal_scatter,
483
    NULL,             // open_gather
484
    aead_tls_get_iv,  // get_iv
485
    aead_tls_tag_len,
486
};
487
488
static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
489
    SHA256_DIGEST_LENGTH + 16,  // key len (SHA256 + AES128)
490
    16,                         // nonce len (IV)
491
    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
492
    SHA256_DIGEST_LENGTH,       // max tag length
493
    0,                          // seal_scatter_supports_extra_in
494
495
    NULL,  // init
496
    aead_aes_128_cbc_sha256_tls_init,
497
    aead_tls_cleanup,
498
    aead_tls_open,
499
    aead_tls_seal_scatter,
500
    NULL,  // open_gather
501
    NULL,  // get_iv
502
    aead_tls_tag_len,
503
};
504
505
static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
506
    SHA_DIGEST_LENGTH + 32,  // key len (SHA1 + AES256)
507
    16,                      // nonce len (IV)
508
    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
509
    SHA_DIGEST_LENGTH,       // max tag length
510
    0,                       // seal_scatter_supports_extra_in
511
512
    NULL,  // init
513
    aead_aes_256_cbc_sha1_tls_init,
514
    aead_tls_cleanup,
515
    aead_tls_open,
516
    aead_tls_seal_scatter,
517
    NULL,  // open_gather
518
    NULL,  // get_iv
519
    aead_tls_tag_len,
520
};
521
522
static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
523
    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
524
    0,                            // nonce len
525
    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
526
    SHA_DIGEST_LENGTH,            // max tag length
527
    0,                            // seal_scatter_supports_extra_in
528
529
    NULL,  // init
530
    aead_aes_256_cbc_sha1_tls_implicit_iv_init,
531
    aead_tls_cleanup,
532
    aead_tls_open,
533
    aead_tls_seal_scatter,
534
    NULL,             // open_gather
535
    aead_tls_get_iv,  // get_iv
536
    aead_tls_tag_len,
537
};
538
539
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
540
    SHA_DIGEST_LENGTH + 24,  // key len (SHA1 + 3DES)
541
    8,                       // nonce len (IV)
542
    8 + SHA_DIGEST_LENGTH,   // overhead (padding + SHA1)
543
    SHA_DIGEST_LENGTH,       // max tag length
544
    0,                       // seal_scatter_supports_extra_in
545
546
    NULL,  // init
547
    aead_des_ede3_cbc_sha1_tls_init,
548
    aead_tls_cleanup,
549
    aead_tls_open,
550
    aead_tls_seal_scatter,
551
    NULL,  // open_gather
552
    NULL,  // get_iv
553
    aead_tls_tag_len,
554
};
555
556
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
557
    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
558
    0,                           // nonce len
559
    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
560
    SHA_DIGEST_LENGTH,           // max tag length
561
    0,                           // seal_scatter_supports_extra_in
562
563
    NULL,  // init
564
    aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
565
    aead_tls_cleanup,
566
    aead_tls_open,
567
    aead_tls_seal_scatter,
568
    NULL,             // open_gather
569
    aead_tls_get_iv,  // get_iv
570
    aead_tls_tag_len,
571
};
572
573
2
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
574
2
  return &aead_aes_128_cbc_sha1_tls;
575
2
}
576
577
2
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
578
2
  return &aead_aes_128_cbc_sha1_tls_implicit_iv;
579
2
}
580
581
0
const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
582
0
  return &aead_aes_128_cbc_sha256_tls;
583
0
}
584
585
2
const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
586
2
  return &aead_aes_256_cbc_sha1_tls;
587
2
}
588
589
2
const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {
590
2
  return &aead_aes_256_cbc_sha1_tls_implicit_iv;
591
2
}
592
593
2
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
594
2
  return &aead_des_ede3_cbc_sha1_tls;
595
2
}
596
597
2
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
598
2
  return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
599
2
}