/src/boringssl/crypto/cipher_extra/e_tls.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (c) 2014, Google Inc. |
2 | | * |
3 | | * Permission to use, copy, modify, and/or distribute this software for any |
4 | | * purpose with or without fee is hereby granted, provided that the above |
5 | | * copyright notice and this permission notice appear in all copies. |
6 | | * |
7 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
8 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
10 | | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 | | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 | | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
14 | | |
15 | | #include <assert.h> |
16 | | #include <limits.h> |
17 | | #include <string.h> |
18 | | |
19 | | #include <openssl/aead.h> |
20 | | #include <openssl/cipher.h> |
21 | | #include <openssl/err.h> |
22 | | #include <openssl/hmac.h> |
23 | | #include <openssl/md5.h> |
24 | | #include <openssl/mem.h> |
25 | | #include <openssl/sha.h> |
26 | | |
27 | | #include "../fipsmodule/cipher/internal.h" |
28 | | #include "../internal.h" |
29 | | #include "internal.h" |
30 | | |
31 | | |
32 | | typedef struct { |
33 | | EVP_CIPHER_CTX cipher_ctx; |
34 | | HMAC_CTX hmac_ctx; |
35 | | // mac_key is the portion of the key used for the MAC. It is retained |
36 | | // separately for the constant-time CBC code. |
37 | | uint8_t mac_key[EVP_MAX_MD_SIZE]; |
38 | | uint8_t mac_key_len; |
39 | | // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit |
40 | | // IV. |
41 | | char implicit_iv; |
42 | | } AEAD_TLS_CTX; |
43 | | |
44 | | static_assert(EVP_MAX_MD_SIZE < 256, "mac_key_len does not fit in uint8_t"); |
45 | | |
46 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= sizeof(AEAD_TLS_CTX), |
47 | | "AEAD state is too small"); |
48 | | static_assert(alignof(union evp_aead_ctx_st_state) >= alignof(AEAD_TLS_CTX), |
49 | | "AEAD state has insufficient alignment"); |
50 | | |
51 | 0 | static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) { |
52 | 0 | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
53 | 0 | EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx); |
54 | 0 | HMAC_CTX_cleanup(&tls_ctx->hmac_ctx); |
55 | 0 | } |
56 | | |
57 | | static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, |
58 | | size_t tag_len, enum evp_aead_direction_t dir, |
59 | | const EVP_CIPHER *cipher, const EVP_MD *md, |
60 | 0 | char implicit_iv) { |
61 | 0 | if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && |
62 | 0 | tag_len != EVP_MD_size(md)) { |
63 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); |
64 | 0 | return 0; |
65 | 0 | } |
66 | | |
67 | 0 | if (key_len != EVP_AEAD_key_length(ctx->aead)) { |
68 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); |
69 | 0 | return 0; |
70 | 0 | } |
71 | | |
72 | 0 | size_t mac_key_len = EVP_MD_size(md); |
73 | 0 | size_t enc_key_len = EVP_CIPHER_key_length(cipher); |
74 | 0 | assert(mac_key_len + enc_key_len + |
75 | 0 | (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len); |
76 | | |
77 | 0 | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
78 | 0 | EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx); |
79 | 0 | HMAC_CTX_init(&tls_ctx->hmac_ctx); |
80 | 0 | assert(mac_key_len <= EVP_MAX_MD_SIZE); |
81 | 0 | OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len); |
82 | 0 | tls_ctx->mac_key_len = (uint8_t)mac_key_len; |
83 | 0 | tls_ctx->implicit_iv = implicit_iv; |
84 | |
|
85 | 0 | if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len], |
86 | 0 | implicit_iv ? &key[mac_key_len + enc_key_len] : NULL, |
87 | 0 | dir == evp_aead_seal) || |
88 | 0 | !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) { |
89 | 0 | aead_tls_cleanup(ctx); |
90 | 0 | return 0; |
91 | 0 | } |
92 | 0 | EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0); |
93 | |
|
94 | 0 | return 1; |
95 | 0 | } |
96 | | |
97 | | static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len, |
98 | 0 | const size_t extra_in_len) { |
99 | 0 | assert(extra_in_len == 0); |
100 | 0 | const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
101 | |
|
102 | 0 | const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx); |
103 | 0 | if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) { |
104 | | // The NULL cipher. |
105 | 0 | return hmac_len; |
106 | 0 | } |
107 | | |
108 | 0 | const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); |
109 | | // An overflow of |in_len + hmac_len| doesn't affect the result mod |
110 | | // |block_size|, provided that |block_size| is a smaller power of two. |
111 | 0 | assert(block_size != 0 && (block_size & (block_size - 1)) == 0); |
112 | 0 | const size_t pad_len = block_size - (in_len + hmac_len) % block_size; |
113 | 0 | return hmac_len + pad_len; |
114 | 0 | } |
115 | | |
116 | | static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out, |
117 | | uint8_t *out_tag, size_t *out_tag_len, |
118 | | const size_t max_out_tag_len, |
119 | | const uint8_t *nonce, const size_t nonce_len, |
120 | | const uint8_t *in, const size_t in_len, |
121 | | const uint8_t *extra_in, |
122 | | const size_t extra_in_len, const uint8_t *ad, |
123 | 0 | const size_t ad_len) { |
124 | 0 | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
125 | |
|
126 | 0 | if (!tls_ctx->cipher_ctx.encrypt) { |
127 | | // Unlike a normal AEAD, a TLS AEAD may only be used in one direction. |
128 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); |
129 | 0 | return 0; |
130 | 0 | } |
131 | | |
132 | 0 | if (in_len > INT_MAX) { |
133 | | // EVP_CIPHER takes int as input. |
134 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
135 | 0 | return 0; |
136 | 0 | } |
137 | | |
138 | 0 | if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) { |
139 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
140 | 0 | return 0; |
141 | 0 | } |
142 | | |
143 | 0 | if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { |
144 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
145 | 0 | return 0; |
146 | 0 | } |
147 | | |
148 | 0 | if (ad_len != 13 - 2 /* length bytes */) { |
149 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); |
150 | 0 | return 0; |
151 | 0 | } |
152 | | |
153 | | // To allow for CBC mode which changes cipher length, |ad| doesn't include the |
154 | | // length for legacy ciphers. |
155 | 0 | uint8_t ad_extra[2]; |
156 | 0 | ad_extra[0] = (uint8_t)(in_len >> 8); |
157 | 0 | ad_extra[1] = (uint8_t)(in_len & 0xff); |
158 | | |
159 | | // Compute the MAC. This must be first in case the operation is being done |
160 | | // in-place. |
161 | 0 | uint8_t mac[EVP_MAX_MD_SIZE]; |
162 | 0 | unsigned mac_len; |
163 | 0 | if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) || |
164 | 0 | !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) || |
165 | 0 | !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) || |
166 | 0 | !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) || |
167 | 0 | !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) { |
168 | 0 | return 0; |
169 | 0 | } |
170 | | |
171 | | // Configure the explicit IV. |
172 | 0 | if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE && |
173 | 0 | !tls_ctx->implicit_iv && |
174 | 0 | !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) { |
175 | 0 | return 0; |
176 | 0 | } |
177 | | |
178 | | // Encrypt the input. |
179 | 0 | int len; |
180 | 0 | if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) { |
181 | 0 | return 0; |
182 | 0 | } |
183 | | |
184 | 0 | unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); |
185 | | |
186 | | // Feed the MAC into the cipher in two steps. First complete the final partial |
187 | | // block from encrypting the input and split the result between |out| and |
188 | | // |out_tag|. Then feed the rest. |
189 | |
|
190 | 0 | const size_t early_mac_len = (block_size - (in_len % block_size)) % block_size; |
191 | 0 | if (early_mac_len != 0) { |
192 | 0 | assert(len + block_size - early_mac_len == in_len); |
193 | 0 | uint8_t buf[EVP_MAX_BLOCK_LENGTH]; |
194 | 0 | int buf_len; |
195 | 0 | if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac, |
196 | 0 | (int)early_mac_len)) { |
197 | 0 | return 0; |
198 | 0 | } |
199 | 0 | assert(buf_len == (int)block_size); |
200 | 0 | OPENSSL_memcpy(out + len, buf, block_size - early_mac_len); |
201 | 0 | OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len); |
202 | 0 | } |
203 | 0 | size_t tag_len = early_mac_len; |
204 | |
|
205 | 0 | if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len, |
206 | 0 | mac + tag_len, mac_len - tag_len)) { |
207 | 0 | return 0; |
208 | 0 | } |
209 | 0 | tag_len += len; |
210 | |
|
211 | 0 | if (block_size > 1) { |
212 | 0 | assert(block_size <= 256); |
213 | 0 | assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE); |
214 | | |
215 | | // Compute padding and feed that into the cipher. |
216 | 0 | uint8_t padding[256]; |
217 | 0 | unsigned padding_len = block_size - ((in_len + mac_len) % block_size); |
218 | 0 | OPENSSL_memset(padding, padding_len - 1, padding_len); |
219 | 0 | if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len, |
220 | 0 | padding, (int)padding_len)) { |
221 | 0 | return 0; |
222 | 0 | } |
223 | 0 | tag_len += len; |
224 | 0 | } |
225 | | |
226 | 0 | if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) { |
227 | 0 | return 0; |
228 | 0 | } |
229 | 0 | assert(len == 0); // Padding is explicit. |
230 | 0 | assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len)); |
231 | | |
232 | 0 | *out_tag_len = tag_len; |
233 | 0 | return 1; |
234 | 0 | } |
235 | | |
236 | | static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, |
237 | | size_t max_out_len, const uint8_t *nonce, |
238 | | size_t nonce_len, const uint8_t *in, size_t in_len, |
239 | 0 | const uint8_t *ad, size_t ad_len) { |
240 | 0 | AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
241 | |
|
242 | 0 | if (tls_ctx->cipher_ctx.encrypt) { |
243 | | // Unlike a normal AEAD, a TLS AEAD may only be used in one direction. |
244 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); |
245 | 0 | return 0; |
246 | 0 | } |
247 | | |
248 | 0 | if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) { |
249 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
250 | 0 | return 0; |
251 | 0 | } |
252 | | |
253 | 0 | if (max_out_len < in_len) { |
254 | | // This requires that the caller provide space for the MAC, even though it |
255 | | // will always be removed on return. |
256 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
257 | 0 | return 0; |
258 | 0 | } |
259 | | |
260 | 0 | if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { |
261 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
262 | 0 | return 0; |
263 | 0 | } |
264 | | |
265 | 0 | if (ad_len != 13 - 2 /* length bytes */) { |
266 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); |
267 | 0 | return 0; |
268 | 0 | } |
269 | | |
270 | 0 | if (in_len > INT_MAX) { |
271 | | // EVP_CIPHER takes int as input. |
272 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
273 | 0 | return 0; |
274 | 0 | } |
275 | | |
276 | | // Configure the explicit IV. |
277 | 0 | if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE && |
278 | 0 | !tls_ctx->implicit_iv && |
279 | 0 | !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) { |
280 | 0 | return 0; |
281 | 0 | } |
282 | | |
283 | | // Decrypt to get the plaintext + MAC + padding. |
284 | 0 | size_t total = 0; |
285 | 0 | int len; |
286 | 0 | if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) { |
287 | 0 | return 0; |
288 | 0 | } |
289 | 0 | total += len; |
290 | 0 | if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) { |
291 | 0 | return 0; |
292 | 0 | } |
293 | 0 | total += len; |
294 | 0 | assert(total == in_len); |
295 | | |
296 | 0 | CONSTTIME_SECRET(out, total); |
297 | | |
298 | | // Remove CBC padding. Code from here on is timing-sensitive with respect to |
299 | | // |padding_ok| and |data_plus_mac_len| for CBC ciphers. |
300 | 0 | size_t data_plus_mac_len; |
301 | 0 | crypto_word_t padding_ok; |
302 | 0 | if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) { |
303 | 0 | if (!EVP_tls_cbc_remove_padding( |
304 | 0 | &padding_ok, &data_plus_mac_len, out, total, |
305 | 0 | EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx), |
306 | 0 | HMAC_size(&tls_ctx->hmac_ctx))) { |
307 | | // Publicly invalid. This can be rejected in non-constant time. |
308 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
309 | 0 | return 0; |
310 | 0 | } |
311 | 0 | } else { |
312 | 0 | padding_ok = CONSTTIME_TRUE_W; |
313 | 0 | data_plus_mac_len = total; |
314 | | // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has |
315 | | // already been checked against the MAC size at the top of the function. |
316 | 0 | assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx)); |
317 | 0 | } |
318 | 0 | size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx); |
319 | | |
320 | | // At this point, if the padding is valid, the first |data_plus_mac_len| bytes |
321 | | // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is |
322 | | // still large enough to extract a MAC, but it will be irrelevant. |
323 | | |
324 | | // To allow for CBC mode which changes cipher length, |ad| doesn't include the |
325 | | // length for legacy ciphers. |
326 | 0 | uint8_t ad_fixed[13]; |
327 | 0 | OPENSSL_memcpy(ad_fixed, ad, 11); |
328 | 0 | ad_fixed[11] = (uint8_t)(data_len >> 8); |
329 | 0 | ad_fixed[12] = (uint8_t)(data_len & 0xff); |
330 | 0 | ad_len += 2; |
331 | | |
332 | | // Compute the MAC and extract the one in the record. |
333 | 0 | uint8_t mac[EVP_MAX_MD_SIZE]; |
334 | 0 | size_t mac_len; |
335 | 0 | uint8_t record_mac_tmp[EVP_MAX_MD_SIZE]; |
336 | 0 | uint8_t *record_mac; |
337 | 0 | if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE && |
338 | 0 | EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) { |
339 | 0 | if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len, |
340 | 0 | ad_fixed, out, data_len, total, |
341 | 0 | tls_ctx->mac_key, tls_ctx->mac_key_len)) { |
342 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
343 | 0 | return 0; |
344 | 0 | } |
345 | 0 | assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); |
346 | | |
347 | 0 | record_mac = record_mac_tmp; |
348 | 0 | EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total); |
349 | 0 | } else { |
350 | | // We should support the constant-time path for all CBC-mode ciphers |
351 | | // implemented. |
352 | 0 | assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE); |
353 | | |
354 | 0 | unsigned mac_len_u; |
355 | 0 | if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) || |
356 | 0 | !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) || |
357 | 0 | !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) || |
358 | 0 | !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) { |
359 | 0 | return 0; |
360 | 0 | } |
361 | 0 | mac_len = mac_len_u; |
362 | |
|
363 | 0 | assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); |
364 | 0 | record_mac = &out[data_len]; |
365 | 0 | } |
366 | | |
367 | | // Perform the MAC check and the padding check in constant-time. It should be |
368 | | // safe to simply perform the padding check first, but it would not be under a |
369 | | // different choice of MAC location on padding failure. See |
370 | | // EVP_tls_cbc_remove_padding. |
371 | 0 | crypto_word_t good = |
372 | 0 | constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0); |
373 | 0 | good &= padding_ok; |
374 | 0 | CONSTTIME_DECLASSIFY(&good, sizeof(good)); |
375 | 0 | if (!good) { |
376 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
377 | 0 | return 0; |
378 | 0 | } |
379 | | |
380 | 0 | CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len)); |
381 | 0 | CONSTTIME_DECLASSIFY(out, data_len); |
382 | | |
383 | | // End of timing-sensitive code. |
384 | |
|
385 | 0 | *out_len = data_len; |
386 | 0 | return 1; |
387 | 0 | } |
388 | | |
389 | | static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
390 | | size_t key_len, size_t tag_len, |
391 | 0 | enum evp_aead_direction_t dir) { |
392 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), |
393 | 0 | EVP_sha1(), 0); |
394 | 0 | } |
395 | | |
396 | | static int aead_aes_128_cbc_sha1_tls_implicit_iv_init( |
397 | | EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, |
398 | 0 | enum evp_aead_direction_t dir) { |
399 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), |
400 | 0 | EVP_sha1(), 1); |
401 | 0 | } |
402 | | |
403 | | static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx, |
404 | | const uint8_t *key, size_t key_len, |
405 | | size_t tag_len, |
406 | 0 | enum evp_aead_direction_t dir) { |
407 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), |
408 | 0 | EVP_sha256(), 0); |
409 | 0 | } |
410 | | |
411 | | static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
412 | | size_t key_len, size_t tag_len, |
413 | 0 | enum evp_aead_direction_t dir) { |
414 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), |
415 | 0 | EVP_sha1(), 0); |
416 | 0 | } |
417 | | |
418 | | static int aead_aes_256_cbc_sha1_tls_implicit_iv_init( |
419 | | EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, |
420 | 0 | enum evp_aead_direction_t dir) { |
421 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), |
422 | 0 | EVP_sha1(), 1); |
423 | 0 | } |
424 | | |
425 | | static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, |
426 | | const uint8_t *key, size_t key_len, |
427 | | size_t tag_len, |
428 | 0 | enum evp_aead_direction_t dir) { |
429 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), |
430 | 0 | EVP_sha1(), 0); |
431 | 0 | } |
432 | | |
433 | | static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init( |
434 | | EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, |
435 | 0 | enum evp_aead_direction_t dir) { |
436 | 0 | return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), |
437 | 0 | EVP_sha1(), 1); |
438 | 0 | } |
439 | | |
440 | | static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv, |
441 | 0 | size_t *out_iv_len) { |
442 | 0 | const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state; |
443 | 0 | const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx); |
444 | 0 | if (iv_len <= 1) { |
445 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
446 | 0 | return 0; |
447 | 0 | } |
448 | | |
449 | 0 | *out_iv = tls_ctx->cipher_ctx.iv; |
450 | 0 | *out_iv_len = iv_len; |
451 | 0 | return 1; |
452 | 0 | } |
453 | | |
454 | | static const EVP_AEAD aead_aes_128_cbc_sha1_tls = { |
455 | | SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128) |
456 | | 16, // nonce len (IV) |
457 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
458 | | SHA_DIGEST_LENGTH, // max tag length |
459 | | 0, // seal_scatter_supports_extra_in |
460 | | |
461 | | NULL, // init |
462 | | aead_aes_128_cbc_sha1_tls_init, |
463 | | aead_tls_cleanup, |
464 | | aead_tls_open, |
465 | | aead_tls_seal_scatter, |
466 | | NULL, // open_gather |
467 | | NULL, // get_iv |
468 | | aead_tls_tag_len, |
469 | | }; |
470 | | |
471 | | static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = { |
472 | | SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV) |
473 | | 0, // nonce len |
474 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
475 | | SHA_DIGEST_LENGTH, // max tag length |
476 | | 0, // seal_scatter_supports_extra_in |
477 | | |
478 | | NULL, // init |
479 | | aead_aes_128_cbc_sha1_tls_implicit_iv_init, |
480 | | aead_tls_cleanup, |
481 | | aead_tls_open, |
482 | | aead_tls_seal_scatter, |
483 | | NULL, // open_gather |
484 | | aead_tls_get_iv, // get_iv |
485 | | aead_tls_tag_len, |
486 | | }; |
487 | | |
488 | | static const EVP_AEAD aead_aes_128_cbc_sha256_tls = { |
489 | | SHA256_DIGEST_LENGTH + 16, // key len (SHA256 + AES128) |
490 | | 16, // nonce len (IV) |
491 | | 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256) |
492 | | SHA256_DIGEST_LENGTH, // max tag length |
493 | | 0, // seal_scatter_supports_extra_in |
494 | | |
495 | | NULL, // init |
496 | | aead_aes_128_cbc_sha256_tls_init, |
497 | | aead_tls_cleanup, |
498 | | aead_tls_open, |
499 | | aead_tls_seal_scatter, |
500 | | NULL, // open_gather |
501 | | NULL, // get_iv |
502 | | aead_tls_tag_len, |
503 | | }; |
504 | | |
505 | | static const EVP_AEAD aead_aes_256_cbc_sha1_tls = { |
506 | | SHA_DIGEST_LENGTH + 32, // key len (SHA1 + AES256) |
507 | | 16, // nonce len (IV) |
508 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
509 | | SHA_DIGEST_LENGTH, // max tag length |
510 | | 0, // seal_scatter_supports_extra_in |
511 | | |
512 | | NULL, // init |
513 | | aead_aes_256_cbc_sha1_tls_init, |
514 | | aead_tls_cleanup, |
515 | | aead_tls_open, |
516 | | aead_tls_seal_scatter, |
517 | | NULL, // open_gather |
518 | | NULL, // get_iv |
519 | | aead_tls_tag_len, |
520 | | }; |
521 | | |
522 | | static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = { |
523 | | SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV) |
524 | | 0, // nonce len |
525 | | 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
526 | | SHA_DIGEST_LENGTH, // max tag length |
527 | | 0, // seal_scatter_supports_extra_in |
528 | | |
529 | | NULL, // init |
530 | | aead_aes_256_cbc_sha1_tls_implicit_iv_init, |
531 | | aead_tls_cleanup, |
532 | | aead_tls_open, |
533 | | aead_tls_seal_scatter, |
534 | | NULL, // open_gather |
535 | | aead_tls_get_iv, // get_iv |
536 | | aead_tls_tag_len, |
537 | | }; |
538 | | |
539 | | static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = { |
540 | | SHA_DIGEST_LENGTH + 24, // key len (SHA1 + 3DES) |
541 | | 8, // nonce len (IV) |
542 | | 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
543 | | SHA_DIGEST_LENGTH, // max tag length |
544 | | 0, // seal_scatter_supports_extra_in |
545 | | |
546 | | NULL, // init |
547 | | aead_des_ede3_cbc_sha1_tls_init, |
548 | | aead_tls_cleanup, |
549 | | aead_tls_open, |
550 | | aead_tls_seal_scatter, |
551 | | NULL, // open_gather |
552 | | NULL, // get_iv |
553 | | aead_tls_tag_len, |
554 | | }; |
555 | | |
556 | | static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = { |
557 | | SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV) |
558 | | 0, // nonce len |
559 | | 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1) |
560 | | SHA_DIGEST_LENGTH, // max tag length |
561 | | 0, // seal_scatter_supports_extra_in |
562 | | |
563 | | NULL, // init |
564 | | aead_des_ede3_cbc_sha1_tls_implicit_iv_init, |
565 | | aead_tls_cleanup, |
566 | | aead_tls_open, |
567 | | aead_tls_seal_scatter, |
568 | | NULL, // open_gather |
569 | | aead_tls_get_iv, // get_iv |
570 | | aead_tls_tag_len, |
571 | | }; |
572 | | |
573 | 2 | const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) { |
574 | 2 | return &aead_aes_128_cbc_sha1_tls; |
575 | 2 | } |
576 | | |
577 | 2 | const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) { |
578 | 2 | return &aead_aes_128_cbc_sha1_tls_implicit_iv; |
579 | 2 | } |
580 | | |
581 | 0 | const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) { |
582 | 0 | return &aead_aes_128_cbc_sha256_tls; |
583 | 0 | } |
584 | | |
585 | 2 | const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) { |
586 | 2 | return &aead_aes_256_cbc_sha1_tls; |
587 | 2 | } |
588 | | |
589 | 2 | const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) { |
590 | 2 | return &aead_aes_256_cbc_sha1_tls_implicit_iv; |
591 | 2 | } |
592 | | |
593 | 2 | const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) { |
594 | 2 | return &aead_des_ede3_cbc_sha1_tls; |
595 | 2 | } |
596 | | |
597 | 2 | const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) { |
598 | 2 | return &aead_des_ede3_cbc_sha1_tls_implicit_iv; |
599 | 2 | } |