/src/picotls/lib/openssl.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 2016 DeNA Co., Ltd., Kazuho Oku |
3 | | * |
4 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
5 | | * of this software and associated documentation files (the "Software"), to |
6 | | * deal in the Software without restriction, including without limitation the |
7 | | * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
8 | | * sell copies of the Software, and to permit persons to whom the Software is |
9 | | * furnished to do so, subject to the following conditions: |
10 | | * |
11 | | * The above copyright notice and this permission notice shall be included in |
12 | | * all copies or substantial portions of the Software. |
13 | | * |
14 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
15 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
16 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
17 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
18 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
19 | | * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
20 | | * IN THE SOFTWARE. |
21 | | */ |
22 | | |
23 | | #ifdef _WINDOWS |
24 | | #include "wincompat.h" |
25 | | #else |
26 | | #include <unistd.h> |
27 | | #endif |
28 | | #include <assert.h> |
29 | | #include <stdio.h> |
30 | | #include <stdlib.h> |
31 | | #include <string.h> |
32 | | #define OPENSSL_API_COMPAT 0x00908000L |
33 | | #include <openssl/bn.h> |
34 | | #include <openssl/crypto.h> |
35 | | #ifdef OPENSSL_IS_BORINGSSL |
36 | | #include <openssl/curve25519.h> |
37 | | #include <openssl/chacha.h> |
38 | | #include <openssl/poly1305.h> |
39 | | #endif |
40 | | #include <openssl/ec.h> |
41 | | #include <openssl/ecdh.h> |
42 | | #include <openssl/err.h> |
43 | | #include <openssl/evp.h> |
44 | | #include <openssl/objects.h> |
45 | | #include <openssl/rand.h> |
46 | | #include <openssl/rsa.h> |
47 | | #include <openssl/x509.h> |
48 | | #include <openssl/x509v3.h> |
49 | | #include <openssl/x509_vfy.h> |
50 | | #include "picotls.h" |
51 | | #include "picotls/openssl.h" |
52 | | #ifdef OPENSSL_IS_BORINGSSL |
53 | | #include "./chacha20poly1305.h" |
54 | | #endif |
55 | | #ifdef PTLS_HAVE_AEGIS |
56 | | #include "./libaegis.h" |
57 | | #endif |
58 | | |
59 | | #ifdef _WINDOWS |
60 | | #ifndef _CRT_SECURE_NO_WARNINGS |
61 | | #define _CRT_SECURE_NO_WARNINGS |
62 | | #endif |
63 | | #pragma warning(disable : 4996) |
64 | | #endif |
65 | | |
66 | | #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L |
67 | | #define OPENSSL_1_1_API 1 |
68 | | #elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL |
69 | | #define OPENSSL_1_1_API 1 |
70 | | #else |
71 | | #define OPENSSL_1_1_API 0 |
72 | | #endif |
73 | | |
74 | | #if !OPENSSL_1_1_API |
75 | | |
76 | | #define EVP_PKEY_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_EVP_PKEY) |
77 | | #define X509_STORE_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_X509_STORE) |
78 | | #define X509_STORE_get0_param(p) ((p)->param) |
79 | | |
80 | | static HMAC_CTX *HMAC_CTX_new(void) |
81 | | { |
82 | | HMAC_CTX *ctx; |
83 | | |
84 | | if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL) |
85 | | return NULL; |
86 | | HMAC_CTX_init(ctx); |
87 | | return ctx; |
88 | | } |
89 | | |
90 | | static void HMAC_CTX_free(HMAC_CTX *ctx) |
91 | | { |
92 | | HMAC_CTX_cleanup(ctx); |
93 | | OPENSSL_free(ctx); |
94 | | } |
95 | | |
96 | | static int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) |
97 | | { |
98 | | return EVP_CIPHER_CTX_cleanup(ctx); |
99 | | } |
100 | | |
101 | | #endif |
102 | | |
103 | | static const ptls_openssl_signature_scheme_t rsa_signature_schemes[] = {{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256}, |
104 | | {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, EVP_sha384}, |
105 | | {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, EVP_sha512}, |
106 | | {UINT16_MAX, NULL}}; |
107 | | static const ptls_openssl_signature_scheme_t secp256r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, EVP_sha256}, |
108 | | {UINT16_MAX, NULL}}; |
109 | | #if PTLS_OPENSSL_HAVE_SECP384R1 |
110 | | static const ptls_openssl_signature_scheme_t secp384r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, EVP_sha384}, |
111 | | {UINT16_MAX, NULL}}; |
112 | | #endif |
113 | | #if PTLS_OPENSSL_HAVE_SECP521R1 |
114 | | static const ptls_openssl_signature_scheme_t secp521r1_signature_schemes[] = {{PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, EVP_sha512}, |
115 | | {UINT16_MAX, NULL}}; |
116 | | #endif |
117 | | #if PTLS_OPENSSL_HAVE_ED25519 |
118 | | static const ptls_openssl_signature_scheme_t ed25519_signature_schemes[] = {{PTLS_SIGNATURE_ED25519, NULL}, {UINT16_MAX, NULL}}; |
119 | | #endif |
120 | | |
121 | | /** |
122 | | * The default list sent in ClientHello.signature_algorithms. ECDSA certificates are preferred. |
123 | | */ |
124 | | static const uint16_t default_signature_schemes[] = { |
125 | | #if PTLS_OPENSSL_HAVE_ED25519 |
126 | | PTLS_SIGNATURE_ED25519, |
127 | | #endif |
128 | | PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, |
129 | | #if PTLS_OPENSSL_HAVE_SECP384R1 |
130 | | PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, |
131 | | #endif |
132 | | #if PTLS_OPENSSL_HAVE_SECP521R1 |
133 | | PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, |
134 | | #endif |
135 | | PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, |
136 | | PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, |
137 | | PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, |
138 | | UINT16_MAX}; |
139 | | |
140 | | const ptls_openssl_signature_scheme_t *ptls_openssl_lookup_signature_schemes(EVP_PKEY *key) |
141 | 0 | { |
142 | 0 | const ptls_openssl_signature_scheme_t *schemes = NULL; |
143 | |
|
144 | 0 | switch (EVP_PKEY_id(key)) { |
145 | 0 | case EVP_PKEY_RSA: |
146 | 0 | schemes = rsa_signature_schemes; |
147 | 0 | break; |
148 | 0 | case EVP_PKEY_EC: { |
149 | 0 | EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(key); |
150 | 0 | switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) { |
151 | 0 | case NID_X9_62_prime256v1: |
152 | 0 | schemes = secp256r1_signature_schemes; |
153 | 0 | break; |
154 | 0 | #if PTLS_OPENSSL_HAVE_SECP384R1 |
155 | 0 | case NID_secp384r1: |
156 | 0 | schemes = secp384r1_signature_schemes; |
157 | 0 | break; |
158 | 0 | #endif |
159 | 0 | #if PTLS_OPENSSL_HAVE_SECP521R1 |
160 | 0 | case NID_secp521r1: |
161 | 0 | schemes = secp521r1_signature_schemes; |
162 | 0 | break; |
163 | 0 | #endif |
164 | 0 | default: |
165 | 0 | break; |
166 | 0 | } |
167 | 0 | EC_KEY_free(eckey); |
168 | 0 | } break; |
169 | 0 | #if PTLS_OPENSSL_HAVE_ED25519 |
170 | 0 | case EVP_PKEY_ED25519: |
171 | 0 | schemes = ed25519_signature_schemes; |
172 | 0 | break; |
173 | 0 | #endif |
174 | 0 | default: |
175 | 0 | break; |
176 | 0 | } |
177 | | |
178 | 0 | return schemes; |
179 | 0 | } |
180 | | |
181 | | const ptls_openssl_signature_scheme_t *ptls_openssl_select_signature_scheme(const ptls_openssl_signature_scheme_t *available, |
182 | | const uint16_t *algorithms, size_t num_algorithms) |
183 | 0 | { |
184 | 0 | const ptls_openssl_signature_scheme_t *scheme; |
185 | | |
186 | | /* select the algorithm, driven by server-isde preference of `available` */ |
187 | 0 | for (scheme = available; scheme->scheme_id != UINT16_MAX; ++scheme) |
188 | 0 | for (size_t i = 0; i != num_algorithms; ++i) |
189 | 0 | if (algorithms[i] == scheme->scheme_id) |
190 | 0 | return scheme; |
191 | | |
192 | 0 | return NULL; |
193 | 0 | } |
194 | | |
195 | | void ptls_openssl_random_bytes(void *buf, size_t len) |
196 | 0 | { |
197 | 0 | int ret = RAND_bytes(buf, (int)len); |
198 | 0 | if (ret != 1) { |
199 | 0 | fprintf(stderr, "RAND_bytes() failed with code: %d\n", ret); |
200 | 0 | abort(); |
201 | 0 | } |
202 | 0 | } |
203 | | |
204 | | static EC_KEY *ecdh_generate_key(EC_GROUP *group) |
205 | 40.3k | { |
206 | 40.3k | EC_KEY *key; |
207 | | |
208 | 40.3k | if ((key = EC_KEY_new()) == NULL) |
209 | 0 | return NULL; |
210 | 40.3k | if (!EC_KEY_set_group(key, group) || !EC_KEY_generate_key(key)) { |
211 | 0 | EC_KEY_free(key); |
212 | 0 | return NULL; |
213 | 0 | } |
214 | | |
215 | 40.3k | return key; |
216 | 40.3k | } |
217 | | |
218 | | static int ecdh_calc_secret(ptls_iovec_t *out, const EC_GROUP *group, EC_KEY *privkey, EC_POINT *peer_point) |
219 | 1.11k | { |
220 | 1.11k | ptls_iovec_t secret; |
221 | 1.11k | int ret; |
222 | | |
223 | 1.11k | secret.len = (EC_GROUP_get_degree(group) + 7) / 8; |
224 | 1.11k | if ((secret.base = malloc(secret.len)) == NULL) { |
225 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
226 | 0 | goto Exit; |
227 | 0 | } |
228 | 1.11k | if (ECDH_compute_key(secret.base, secret.len, peer_point, privkey, NULL) <= 0) { |
229 | 1 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */ |
230 | 1 | goto Exit; |
231 | 1 | } |
232 | 1.11k | ret = 0; |
233 | | |
234 | 1.11k | Exit: |
235 | 1.11k | if (ret == 0) { |
236 | 1.11k | *out = secret; |
237 | 1.11k | } else { |
238 | 1 | free(secret.base); |
239 | 1 | *out = (ptls_iovec_t){NULL}; |
240 | 1 | } |
241 | 1.11k | return ret; |
242 | 1.11k | } |
243 | | |
244 | | static EC_POINT *x9_62_decode_point(const EC_GROUP *group, ptls_iovec_t vec, BN_CTX *bn_ctx) |
245 | 1.11k | { |
246 | 1.11k | EC_POINT *point = NULL; |
247 | | |
248 | 1.11k | if ((point = EC_POINT_new(group)) == NULL) |
249 | 0 | return NULL; |
250 | 1.11k | if (!EC_POINT_oct2point(group, point, vec.base, vec.len, bn_ctx)) { |
251 | 2 | EC_POINT_free(point); |
252 | 2 | return NULL; |
253 | 2 | } |
254 | | |
255 | 1.11k | return point; |
256 | 1.11k | } |
257 | | |
258 | | static ptls_iovec_t x9_62_encode_point(const EC_GROUP *group, const EC_POINT *point, BN_CTX *bn_ctx) |
259 | 40.3k | { |
260 | 40.3k | ptls_iovec_t vec; |
261 | | |
262 | 40.3k | if ((vec.len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx)) == 0) |
263 | 0 | return (ptls_iovec_t){NULL}; |
264 | 40.3k | if ((vec.base = malloc(vec.len)) == NULL) |
265 | 0 | return (ptls_iovec_t){NULL}; |
266 | 40.3k | if (EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, vec.base, vec.len, bn_ctx) != vec.len) { |
267 | 0 | free(vec.base); |
268 | 0 | return (ptls_iovec_t){NULL}; |
269 | 0 | } |
270 | | |
271 | 40.3k | return vec; |
272 | 40.3k | } |
273 | | |
274 | | struct st_x9_62_keyex_context_t { |
275 | | ptls_key_exchange_context_t super; |
276 | | BN_CTX *bn_ctx; |
277 | | EC_KEY *privkey; |
278 | | }; |
279 | | |
280 | | static void x9_62_free_context(struct st_x9_62_keyex_context_t *ctx) |
281 | 40.3k | { |
282 | 40.3k | free(ctx->super.pubkey.base); |
283 | 40.3k | if (ctx->privkey != NULL) |
284 | 40.3k | EC_KEY_free(ctx->privkey); |
285 | 40.3k | if (ctx->bn_ctx != NULL) |
286 | 40.3k | BN_CTX_free(ctx->bn_ctx); |
287 | 40.3k | free(ctx); |
288 | 40.3k | } |
289 | | |
290 | | static int x9_62_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey) |
291 | 40.3k | { |
292 | 40.3k | struct st_x9_62_keyex_context_t *ctx = (struct st_x9_62_keyex_context_t *)*_ctx; |
293 | 40.3k | const EC_GROUP *group = EC_KEY_get0_group(ctx->privkey); |
294 | 40.3k | EC_POINT *peer_point = NULL; |
295 | 40.3k | int ret; |
296 | | |
297 | 40.3k | if (secret == NULL) { |
298 | 39.2k | ret = 0; |
299 | 39.2k | goto Exit; |
300 | 39.2k | } |
301 | | |
302 | 1.11k | if ((peer_point = x9_62_decode_point(group, peerkey, ctx->bn_ctx)) == NULL) { |
303 | 2 | ret = PTLS_ALERT_DECODE_ERROR; |
304 | 2 | goto Exit; |
305 | 2 | } |
306 | 1.11k | if ((ret = ecdh_calc_secret(secret, group, ctx->privkey, peer_point)) != 0) |
307 | 1 | goto Exit; |
308 | | |
309 | 40.3k | Exit: |
310 | 40.3k | if (peer_point != NULL) |
311 | 1.11k | EC_POINT_free(peer_point); |
312 | 40.3k | if (release) { |
313 | 40.3k | x9_62_free_context(ctx); |
314 | 40.3k | *_ctx = NULL; |
315 | 40.3k | } |
316 | 40.3k | return ret; |
317 | 1.11k | } |
318 | | |
319 | | static int x9_62_create_context(ptls_key_exchange_algorithm_t *algo, struct st_x9_62_keyex_context_t **ctx) |
320 | 40.3k | { |
321 | 40.3k | int ret; |
322 | | |
323 | 40.3k | if ((*ctx = (struct st_x9_62_keyex_context_t *)malloc(sizeof(**ctx))) == NULL) { |
324 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
325 | 0 | goto Exit; |
326 | 0 | } |
327 | 40.3k | **ctx = (struct st_x9_62_keyex_context_t){{algo, {NULL}, x9_62_on_exchange}}; |
328 | | |
329 | 40.3k | if (((*ctx)->bn_ctx = BN_CTX_new()) == NULL) { |
330 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
331 | 0 | goto Exit; |
332 | 0 | } |
333 | | |
334 | 40.3k | ret = 0; |
335 | 40.3k | Exit: |
336 | 40.3k | if (ret != 0 && *ctx != NULL) { |
337 | 0 | x9_62_free_context(*ctx); |
338 | 0 | *ctx = NULL; |
339 | 0 | } |
340 | 40.3k | return ret; |
341 | 40.3k | } |
342 | | |
343 | | static int x9_62_setup_pubkey(struct st_x9_62_keyex_context_t *ctx) |
344 | 40.3k | { |
345 | 40.3k | const EC_GROUP *group = EC_KEY_get0_group(ctx->privkey); |
346 | 40.3k | const EC_POINT *pubkey = EC_KEY_get0_public_key(ctx->privkey); |
347 | 40.3k | if ((ctx->super.pubkey = x9_62_encode_point(group, pubkey, ctx->bn_ctx)).base == NULL) |
348 | 0 | return PTLS_ERROR_NO_MEMORY; |
349 | 40.3k | return 0; |
350 | 40.3k | } |
351 | | |
352 | | static int x9_62_create_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx) |
353 | 40.3k | { |
354 | 40.3k | EC_GROUP *group = NULL; |
355 | 40.3k | struct st_x9_62_keyex_context_t *ctx = NULL; |
356 | 40.3k | int ret; |
357 | | |
358 | | /* FIXME use a global? */ |
359 | 40.3k | if ((group = EC_GROUP_new_by_curve_name((int)algo->data)) == NULL) { |
360 | 0 | ret = PTLS_ERROR_LIBRARY; |
361 | 0 | goto Exit; |
362 | 0 | } |
363 | 40.3k | if ((ret = x9_62_create_context(algo, &ctx)) != 0) |
364 | 0 | goto Exit; |
365 | 40.3k | if ((ctx->privkey = ecdh_generate_key(group)) == NULL) { |
366 | 0 | ret = PTLS_ERROR_LIBRARY; |
367 | 0 | goto Exit; |
368 | 0 | } |
369 | 40.3k | if ((ret = x9_62_setup_pubkey(ctx)) != 0) |
370 | 0 | goto Exit; |
371 | 40.3k | ret = 0; |
372 | | |
373 | 40.3k | Exit: |
374 | 40.3k | if (group != NULL) |
375 | 40.3k | EC_GROUP_free(group); |
376 | 40.3k | if (ret == 0) { |
377 | 40.3k | *_ctx = &ctx->super; |
378 | 40.3k | } else { |
379 | 0 | if (ctx != NULL) |
380 | 0 | x9_62_free_context(ctx); |
381 | 0 | *_ctx = NULL; |
382 | 0 | } |
383 | | |
384 | 40.3k | return ret; |
385 | 40.3k | } |
386 | | |
387 | | static int x9_62_init_key(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, EC_KEY *eckey) |
388 | 0 | { |
389 | 0 | struct st_x9_62_keyex_context_t *ctx = NULL; |
390 | 0 | int ret; |
391 | |
|
392 | 0 | if ((ret = x9_62_create_context(algo, &ctx)) != 0) |
393 | 0 | goto Exit; |
394 | 0 | ctx->privkey = eckey; |
395 | 0 | if ((ret = x9_62_setup_pubkey(ctx)) != 0) |
396 | 0 | goto Exit; |
397 | 0 | ret = 0; |
398 | |
|
399 | 0 | Exit: |
400 | 0 | if (ret == 0) { |
401 | 0 | *_ctx = &ctx->super; |
402 | 0 | } else { |
403 | 0 | if (ctx != NULL) |
404 | 0 | x9_62_free_context(ctx); |
405 | 0 | *_ctx = NULL; |
406 | 0 | } |
407 | 0 | return ret; |
408 | 0 | } |
409 | | |
410 | | static int x9_62_key_exchange(EC_GROUP *group, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey, BN_CTX *bn_ctx) |
411 | 0 | { |
412 | 0 | EC_POINT *peer_point = NULL; |
413 | 0 | EC_KEY *privkey = NULL; |
414 | 0 | int ret; |
415 | |
|
416 | 0 | *pubkey = (ptls_iovec_t){NULL}; |
417 | 0 | *secret = (ptls_iovec_t){NULL}; |
418 | | |
419 | | /* decode peer key */ |
420 | 0 | if ((peer_point = x9_62_decode_point(group, peerkey, bn_ctx)) == NULL) { |
421 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
422 | 0 | goto Exit; |
423 | 0 | } |
424 | | |
425 | | /* create private key */ |
426 | 0 | if ((privkey = ecdh_generate_key(group)) == NULL) { |
427 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
428 | 0 | goto Exit; |
429 | 0 | } |
430 | | |
431 | | /* encode public key */ |
432 | 0 | if ((*pubkey = x9_62_encode_point(group, EC_KEY_get0_public_key(privkey), bn_ctx)).base == NULL) { |
433 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
434 | 0 | goto Exit; |
435 | 0 | } |
436 | | |
437 | | /* allocate space for secret */ |
438 | 0 | secret->len = (EC_GROUP_get_degree(group) + 7) / 8; |
439 | 0 | if ((secret->base = malloc(secret->len)) == NULL) { |
440 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
441 | 0 | goto Exit; |
442 | 0 | } |
443 | | |
444 | | /* calc secret */ |
445 | 0 | if (ECDH_compute_key(secret->base, secret->len, peer_point, privkey, NULL) <= 0) { |
446 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; /* ??? */ |
447 | 0 | goto Exit; |
448 | 0 | } |
449 | | |
450 | 0 | ret = 0; |
451 | |
|
452 | 0 | Exit: |
453 | 0 | if (peer_point != NULL) |
454 | 0 | EC_POINT_free(peer_point); |
455 | 0 | if (privkey != NULL) |
456 | 0 | EC_KEY_free(privkey); |
457 | 0 | if (ret != 0) { |
458 | 0 | free(pubkey->base); |
459 | 0 | *pubkey = (ptls_iovec_t){NULL}; |
460 | 0 | free(secret->base); |
461 | 0 | *secret = (ptls_iovec_t){NULL}; |
462 | 0 | } |
463 | 0 | return ret; |
464 | 0 | } |
465 | | |
466 | | static int secp_key_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey) |
467 | 0 | { |
468 | 0 | EC_GROUP *group = NULL; |
469 | 0 | BN_CTX *bn_ctx = NULL; |
470 | 0 | int ret; |
471 | |
|
472 | 0 | if ((group = EC_GROUP_new_by_curve_name((int)algo->data)) == NULL) { |
473 | 0 | ret = PTLS_ERROR_LIBRARY; |
474 | 0 | goto Exit; |
475 | 0 | } |
476 | 0 | if ((bn_ctx = BN_CTX_new()) == NULL) { |
477 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
478 | 0 | goto Exit; |
479 | 0 | } |
480 | | |
481 | 0 | ret = x9_62_key_exchange(group, pubkey, secret, peerkey, bn_ctx); |
482 | |
|
483 | 0 | Exit: |
484 | 0 | if (bn_ctx != NULL) |
485 | 0 | BN_CTX_free(bn_ctx); |
486 | 0 | if (group != NULL) |
487 | 0 | EC_GROUP_free(group); |
488 | 0 | return ret; |
489 | 0 | } |
490 | | |
491 | | #if PTLS_OPENSSL_HAVE_X25519 |
492 | | |
493 | | struct st_evp_keyex_context_t { |
494 | | ptls_key_exchange_context_t super; |
495 | | EVP_PKEY *privkey; |
496 | | }; |
497 | | |
498 | | static void evp_keyex_free(struct st_evp_keyex_context_t *ctx) |
499 | 0 | { |
500 | 0 | if (ctx->privkey != NULL) |
501 | 0 | EVP_PKEY_free(ctx->privkey); |
502 | 0 | if (ctx->super.pubkey.base != NULL) |
503 | 0 | OPENSSL_free(ctx->super.pubkey.base); |
504 | 0 | free(ctx); |
505 | 0 | } |
506 | | |
507 | | static int evp_keyex_on_exchange(ptls_key_exchange_context_t **_ctx, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey) |
508 | 0 | { |
509 | 0 | struct st_evp_keyex_context_t *ctx = (void *)*_ctx; |
510 | 0 | EVP_PKEY *evppeer = NULL; |
511 | 0 | EVP_PKEY_CTX *evpctx = NULL; |
512 | 0 | int ret; |
513 | |
|
514 | 0 | if (secret == NULL) { |
515 | 0 | ret = 0; |
516 | 0 | goto Exit; |
517 | 0 | } |
518 | | |
519 | 0 | secret->base = NULL; |
520 | |
|
521 | 0 | if (peerkey.len != ctx->super.pubkey.len) { |
522 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
523 | 0 | goto Exit; |
524 | 0 | } |
525 | | |
526 | | #ifdef OPENSSL_IS_BORINGSSL |
527 | | #define X25519_KEY_SIZE 32 |
528 | | if (ctx->super.algo->id == PTLS_GROUP_X25519) { |
529 | | /* allocate memory to return secret */ |
530 | | if ((secret->base = malloc(X25519_KEY_SIZE)) == NULL) { |
531 | | ret = PTLS_ERROR_NO_MEMORY; |
532 | | goto Exit; |
533 | | } |
534 | | secret->len = X25519_KEY_SIZE; |
535 | | /* fetch raw key and derive the secret */ |
536 | | uint8_t sk_raw[X25519_KEY_SIZE]; |
537 | | size_t sk_raw_len = sizeof(sk_raw); |
538 | | if (EVP_PKEY_get_raw_private_key(ctx->privkey, sk_raw, &sk_raw_len) != 1) { |
539 | | ret = PTLS_ERROR_LIBRARY; |
540 | | goto Exit; |
541 | | } |
542 | | assert(sk_raw_len == sizeof(sk_raw)); |
543 | | X25519(secret->base, sk_raw, peerkey.base); |
544 | | ptls_clear_memory(sk_raw, sizeof(sk_raw)); |
545 | | /* check bad key */ |
546 | | static const uint8_t zeros[X25519_KEY_SIZE] = {0}; |
547 | | if (ptls_mem_equal(secret->base, zeros, X25519_KEY_SIZE)) { |
548 | | ret = PTLS_ERROR_INCOMPATIBLE_KEY; |
549 | | goto Exit; |
550 | | } |
551 | | /* success */ |
552 | | ret = 0; |
553 | | goto Exit; |
554 | | } |
555 | | #undef X25519_KEY_SIZE |
556 | | #endif |
557 | | |
558 | 0 | if ((evppeer = EVP_PKEY_new()) == NULL) { |
559 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
560 | 0 | goto Exit; |
561 | 0 | } |
562 | 0 | if (EVP_PKEY_copy_parameters(evppeer, ctx->privkey) <= 0) { |
563 | 0 | ret = PTLS_ERROR_LIBRARY; |
564 | 0 | goto Exit; |
565 | 0 | } |
566 | 0 | if (EVP_PKEY_set1_tls_encodedpoint(evppeer, peerkey.base, peerkey.len) <= 0) { |
567 | 0 | ret = PTLS_ERROR_LIBRARY; |
568 | 0 | goto Exit; |
569 | 0 | } |
570 | 0 | if ((evpctx = EVP_PKEY_CTX_new(ctx->privkey, NULL)) == NULL) { |
571 | 0 | ret = PTLS_ERROR_LIBRARY; |
572 | 0 | goto Exit; |
573 | 0 | } |
574 | 0 | if (EVP_PKEY_derive_init(evpctx) <= 0) { |
575 | 0 | ret = PTLS_ERROR_LIBRARY; |
576 | 0 | goto Exit; |
577 | 0 | } |
578 | 0 | if (EVP_PKEY_derive_set_peer(evpctx, evppeer) <= 0) { |
579 | 0 | ret = PTLS_ERROR_LIBRARY; |
580 | 0 | goto Exit; |
581 | 0 | } |
582 | 0 | if (EVP_PKEY_derive(evpctx, NULL, &secret->len) <= 0) { |
583 | 0 | ret = PTLS_ERROR_LIBRARY; |
584 | 0 | goto Exit; |
585 | 0 | } |
586 | 0 | if ((secret->base = malloc(secret->len)) == NULL) { |
587 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
588 | 0 | goto Exit; |
589 | 0 | } |
590 | 0 | if (EVP_PKEY_derive(evpctx, secret->base, &secret->len) <= 0) { |
591 | 0 | ret = PTLS_ERROR_LIBRARY; |
592 | 0 | goto Exit; |
593 | 0 | } |
594 | | |
595 | 0 | ret = 0; |
596 | 0 | Exit: |
597 | 0 | if (evpctx != NULL) |
598 | 0 | EVP_PKEY_CTX_free(evpctx); |
599 | 0 | if (evppeer != NULL) |
600 | 0 | EVP_PKEY_free(evppeer); |
601 | 0 | if (ret != 0) |
602 | 0 | free(secret->base); |
603 | 0 | if (release) { |
604 | 0 | evp_keyex_free(ctx); |
605 | 0 | *_ctx = NULL; |
606 | 0 | } |
607 | 0 | return ret; |
608 | 0 | } |
609 | | |
610 | | /** |
611 | | * Upon success, ownership of `pkey` is transferred to the object being created. Otherwise, the refcount remains unchanged. |
612 | | */ |
613 | | static int evp_keyex_init(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **_ctx, EVP_PKEY *pkey) |
614 | 0 | { |
615 | 0 | struct st_evp_keyex_context_t *ctx = NULL; |
616 | 0 | int ret; |
617 | | |
618 | | /* instantiate */ |
619 | 0 | if ((ctx = malloc(sizeof(*ctx))) == NULL) { |
620 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
621 | 0 | goto Exit; |
622 | 0 | } |
623 | 0 | *ctx = (struct st_evp_keyex_context_t){{algo, {NULL}, evp_keyex_on_exchange}, pkey}; |
624 | | |
625 | | /* set public key */ |
626 | 0 | if ((ctx->super.pubkey.len = EVP_PKEY_get1_tls_encodedpoint(ctx->privkey, &ctx->super.pubkey.base)) == 0) { |
627 | 0 | ctx->super.pubkey.base = NULL; |
628 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
629 | 0 | goto Exit; |
630 | 0 | } |
631 | | |
632 | 0 | *_ctx = &ctx->super; |
633 | 0 | ret = 0; |
634 | 0 | Exit: |
635 | 0 | if (ret != 0 && ctx != NULL) { |
636 | 0 | ctx->privkey = NULL; /* do not decrement refcount of pkey in case of error */ |
637 | 0 | evp_keyex_free(ctx); |
638 | 0 | } |
639 | 0 | return ret; |
640 | 0 | } |
641 | | |
642 | | static int evp_keyex_create(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx) |
643 | 0 | { |
644 | 0 | EVP_PKEY_CTX *evpctx = NULL; |
645 | 0 | EVP_PKEY *pkey = NULL; |
646 | 0 | int ret; |
647 | | |
648 | | /* generate private key */ |
649 | 0 | if ((evpctx = EVP_PKEY_CTX_new_id((int)algo->data, NULL)) == NULL) { |
650 | 0 | ret = PTLS_ERROR_LIBRARY; |
651 | 0 | goto Exit; |
652 | 0 | } |
653 | 0 | if (EVP_PKEY_keygen_init(evpctx) <= 0) { |
654 | 0 | ret = PTLS_ERROR_LIBRARY; |
655 | 0 | goto Exit; |
656 | 0 | } |
657 | 0 | if (EVP_PKEY_keygen(evpctx, &pkey) <= 0) { |
658 | 0 | ret = PTLS_ERROR_LIBRARY; |
659 | 0 | goto Exit; |
660 | 0 | } |
661 | | |
662 | | /* setup */ |
663 | 0 | if ((ret = evp_keyex_init(algo, ctx, pkey)) != 0) |
664 | 0 | goto Exit; |
665 | 0 | pkey = NULL; |
666 | 0 | ret = 0; |
667 | |
|
668 | 0 | Exit: |
669 | 0 | if (pkey != NULL) |
670 | 0 | EVP_PKEY_free(pkey); |
671 | 0 | if (evpctx != NULL) |
672 | 0 | EVP_PKEY_CTX_free(evpctx); |
673 | 0 | return ret; |
674 | 0 | } |
675 | | |
676 | | static int evp_keyex_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *outpubkey, ptls_iovec_t *secret, |
677 | | ptls_iovec_t peerkey) |
678 | 0 | { |
679 | 0 | ptls_key_exchange_context_t *ctx = NULL; |
680 | 0 | int ret; |
681 | |
|
682 | 0 | outpubkey->base = NULL; |
683 | |
|
684 | 0 | if ((ret = evp_keyex_create(algo, &ctx)) != 0) |
685 | 0 | goto Exit; |
686 | 0 | if ((outpubkey->base = malloc(ctx->pubkey.len)) == NULL) { |
687 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
688 | 0 | goto Exit; |
689 | 0 | } |
690 | 0 | memcpy(outpubkey->base, ctx->pubkey.base, ctx->pubkey.len); |
691 | 0 | outpubkey->len = ctx->pubkey.len; |
692 | 0 | ret = evp_keyex_on_exchange(&ctx, 1, secret, peerkey); |
693 | 0 | assert(ctx == NULL); |
694 | | |
695 | 0 | Exit: |
696 | 0 | if (ctx != NULL) |
697 | 0 | evp_keyex_on_exchange(&ctx, 1, NULL, ptls_iovec_init(NULL, 0)); |
698 | 0 | if (ret != 0) |
699 | 0 | free(outpubkey->base); |
700 | 0 | return ret; |
701 | 0 | } |
702 | | |
703 | | #endif |
704 | | |
705 | | int ptls_openssl_create_key_exchange(ptls_key_exchange_context_t **ctx, EVP_PKEY *pkey) |
706 | 0 | { |
707 | 0 | int ret, id; |
708 | |
|
709 | 0 | switch (id = EVP_PKEY_id(pkey)) { |
710 | | |
711 | 0 | case EVP_PKEY_EC: { |
712 | | /* obtain eckey */ |
713 | 0 | EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); |
714 | | |
715 | | /* determine algo */ |
716 | 0 | ptls_key_exchange_algorithm_t *algo; |
717 | 0 | switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) { |
718 | 0 | case NID_X9_62_prime256v1: |
719 | 0 | algo = &ptls_openssl_secp256r1; |
720 | 0 | break; |
721 | 0 | #if PTLS_OPENSSL_HAVE_SECP384R1 |
722 | 0 | case NID_secp384r1: |
723 | 0 | algo = &ptls_openssl_secp384r1; |
724 | 0 | break; |
725 | 0 | #endif |
726 | 0 | #if PTLS_OPENSSL_HAVE_SECP521R1 |
727 | 0 | case NID_secp521r1: |
728 | 0 | algo = &ptls_openssl_secp521r1; |
729 | 0 | break; |
730 | 0 | #endif |
731 | 0 | default: |
732 | 0 | EC_KEY_free(eckey); |
733 | 0 | return PTLS_ERROR_INCOMPATIBLE_KEY; |
734 | 0 | } |
735 | | |
736 | | /* load key */ |
737 | 0 | if ((ret = x9_62_init_key(algo, ctx, eckey)) != 0) { |
738 | 0 | EC_KEY_free(eckey); |
739 | 0 | return ret; |
740 | 0 | } |
741 | | |
742 | 0 | return 0; |
743 | 0 | } break; |
744 | | |
745 | 0 | #if PTLS_OPENSSL_HAVE_X25519 |
746 | 0 | case NID_X25519: |
747 | 0 | if ((ret = evp_keyex_init(&ptls_openssl_x25519, ctx, pkey)) != 0) |
748 | 0 | return ret; |
749 | 0 | EVP_PKEY_up_ref(pkey); |
750 | 0 | return 0; |
751 | 0 | #endif |
752 | | |
753 | 0 | default: |
754 | 0 | return PTLS_ERROR_INCOMPATIBLE_KEY; |
755 | 0 | } |
756 | 0 | } |
757 | | |
758 | | #if PTLS_OPENSSL_HAVE_ASYNC |
759 | | |
760 | | struct async_sign_ctx { |
761 | | ptls_async_job_t super; |
762 | | const ptls_openssl_signature_scheme_t *scheme; |
763 | | EVP_MD_CTX *ctx; |
764 | | ASYNC_WAIT_CTX *waitctx; |
765 | | ASYNC_JOB *job; |
766 | | size_t siglen; |
767 | | uint8_t sig[0]; // must be last, see `async_sign_ctx_new` |
768 | | }; |
769 | | |
770 | | static void async_sign_ctx_free(ptls_async_job_t *_self) |
771 | 0 | { |
772 | 0 | struct async_sign_ctx *self = (void *)_self; |
773 | | |
774 | | /* Once the async operation is complete, the user might call `ptls_free` instead of `ptls_handshake`. In such case, to avoid |
775 | | * desynchronization, let the backend read the result from the socket. The code below is a loop, but it is not going to block; |
776 | | * it is the responsibility of the user to refrain from calling `ptls_free` until the asynchronous operation is complete. */ |
777 | 0 | if (self->job != NULL) { |
778 | 0 | int ret; |
779 | 0 | while (ASYNC_start_job(&self->job, self->waitctx, &ret, NULL, NULL, 0) == ASYNC_PAUSE) |
780 | 0 | ; |
781 | 0 | } |
782 | |
|
783 | 0 | EVP_MD_CTX_destroy(self->ctx); |
784 | 0 | ASYNC_WAIT_CTX_free(self->waitctx); |
785 | 0 | free(self); |
786 | 0 | } |
787 | | |
788 | | int async_sign_ctx_get_fd(ptls_async_job_t *_self) |
789 | 0 | { |
790 | 0 | struct async_sign_ctx *self = (void *)_self; |
791 | 0 | OSSL_ASYNC_FD fds[1]; |
792 | 0 | size_t numfds; |
793 | |
|
794 | 0 | ASYNC_WAIT_CTX_get_all_fds(self->waitctx, NULL, &numfds); |
795 | 0 | assert(numfds == 1); |
796 | 0 | ASYNC_WAIT_CTX_get_all_fds(self->waitctx, fds, &numfds); |
797 | 0 | return (int)fds[0]; |
798 | 0 | } |
799 | | |
800 | | static ptls_async_job_t *async_sign_ctx_new(const ptls_openssl_signature_scheme_t *scheme, EVP_MD_CTX *ctx, size_t siglen) |
801 | 0 | { |
802 | 0 | struct async_sign_ctx *self; |
803 | |
|
804 | 0 | if ((self = malloc(offsetof(struct async_sign_ctx, sig) + siglen)) == NULL) |
805 | 0 | return NULL; |
806 | | |
807 | 0 | self->super = (ptls_async_job_t){async_sign_ctx_free, async_sign_ctx_get_fd}; |
808 | 0 | self->scheme = scheme; |
809 | 0 | self->ctx = ctx; |
810 | 0 | self->waitctx = ASYNC_WAIT_CTX_new(); |
811 | 0 | self->job = NULL; |
812 | 0 | self->siglen = siglen; |
813 | 0 | memset(self->sig, 0, siglen); |
814 | |
|
815 | 0 | return &self->super; |
816 | 0 | } |
817 | | |
818 | | static int do_sign_async_job(void *_async) |
819 | 0 | { |
820 | 0 | struct async_sign_ctx *async = *(struct async_sign_ctx **)_async; |
821 | 0 | return EVP_DigestSignFinal(async->ctx, async->sig, &async->siglen); |
822 | 0 | } |
823 | | |
824 | | static int do_sign_async(ptls_buffer_t *outbuf, ptls_async_job_t **_async) |
825 | 0 | { |
826 | 0 | struct async_sign_ctx *async = (void *)*_async; |
827 | 0 | int ret; |
828 | |
|
829 | 0 | switch (ASYNC_start_job(&async->job, async->waitctx, &ret, do_sign_async_job, &async, sizeof(async))) { |
830 | 0 | case ASYNC_PAUSE: |
831 | 0 | return PTLS_ERROR_ASYNC_OPERATION; // async operation inflight; bail out without getting rid of async context |
832 | 0 | case ASYNC_ERR: |
833 | 0 | ret = PTLS_ERROR_LIBRARY; |
834 | 0 | break; |
835 | 0 | case ASYNC_NO_JOBS: |
836 | 0 | ret = PTLS_ERROR_LIBRARY; |
837 | 0 | break; |
838 | 0 | case ASYNC_FINISH: |
839 | 0 | async->job = NULL; |
840 | 0 | ptls_buffer_pushv(outbuf, async->sig, async->siglen); |
841 | 0 | ret = 0; |
842 | 0 | break; |
843 | 0 | default: |
844 | 0 | ret = PTLS_ERROR_LIBRARY; |
845 | 0 | break; |
846 | 0 | } |
847 | | |
848 | 0 | Exit: |
849 | 0 | async_sign_ctx_free(&async->super); |
850 | 0 | *_async = NULL; |
851 | 0 | return ret; |
852 | 0 | } |
853 | | |
854 | | #endif |
855 | | |
856 | | static int do_sign(EVP_PKEY *key, const ptls_openssl_signature_scheme_t *scheme, ptls_buffer_t *outbuf, ptls_iovec_t input, |
857 | | ptls_async_job_t **async) |
858 | 0 | { |
859 | 0 | EVP_MD_CTX *ctx = NULL; |
860 | 0 | const EVP_MD *md = scheme->scheme_md != NULL ? scheme->scheme_md() : NULL; |
861 | 0 | EVP_PKEY_CTX *pkey_ctx; |
862 | 0 | size_t siglen; |
863 | 0 | int ret; |
864 | |
|
865 | 0 | if ((ctx = EVP_MD_CTX_create()) == NULL) { |
866 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
867 | 0 | goto Exit; |
868 | 0 | } |
869 | | |
870 | 0 | if (EVP_DigestSignInit(ctx, &pkey_ctx, md, NULL, key) != 1) { |
871 | 0 | ret = PTLS_ERROR_LIBRARY; |
872 | 0 | goto Exit; |
873 | 0 | } |
874 | | |
875 | 0 | #if PTLS_OPENSSL_HAVE_ED25519 |
876 | 0 | if (EVP_PKEY_id(key) == EVP_PKEY_ED25519) { |
877 | | /* ED25519 requires the use of the all-at-once function that appeared in OpenSSL 1.1.1, hence different path */ |
878 | 0 | if (EVP_DigestSign(ctx, NULL, &siglen, input.base, input.len) != 1) { |
879 | 0 | ret = PTLS_ERROR_LIBRARY; |
880 | 0 | goto Exit; |
881 | 0 | } |
882 | 0 | if ((ret = ptls_buffer_reserve(outbuf, siglen)) != 0) |
883 | 0 | goto Exit; |
884 | 0 | if (EVP_DigestSign(ctx, outbuf->base + outbuf->off, &siglen, input.base, input.len) != 1) { |
885 | 0 | ret = PTLS_ERROR_LIBRARY; |
886 | 0 | goto Exit; |
887 | 0 | } |
888 | 0 | } else |
889 | 0 | #endif |
890 | 0 | { |
891 | 0 | if (EVP_PKEY_id(key) == EVP_PKEY_RSA) { |
892 | 0 | if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1) { |
893 | 0 | ret = PTLS_ERROR_LIBRARY; |
894 | 0 | goto Exit; |
895 | 0 | } |
896 | 0 | if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1) != 1) { |
897 | 0 | ret = PTLS_ERROR_LIBRARY; |
898 | 0 | goto Exit; |
899 | 0 | } |
900 | 0 | if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, md) != 1) { |
901 | 0 | ret = PTLS_ERROR_LIBRARY; |
902 | 0 | goto Exit; |
903 | 0 | } |
904 | 0 | } |
905 | 0 | if (EVP_DigestSignUpdate(ctx, input.base, input.len) != 1) { |
906 | 0 | ret = PTLS_ERROR_LIBRARY; |
907 | 0 | goto Exit; |
908 | 0 | } |
909 | 0 | if (EVP_DigestSignFinal(ctx, NULL, &siglen) != 1) { |
910 | 0 | ret = PTLS_ERROR_LIBRARY; |
911 | 0 | goto Exit; |
912 | 0 | } |
913 | | /* If permitted by the caller (by providing a non-NULL `async` slot), use the asynchronous signing method and return |
914 | | * immediately. */ |
915 | 0 | #if PTLS_OPENSSL_HAVE_ASYNC |
916 | 0 | if (async != NULL) { |
917 | 0 | if ((*async = async_sign_ctx_new(scheme, ctx, siglen)) == NULL) { |
918 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
919 | 0 | goto Exit; |
920 | 0 | } |
921 | 0 | return do_sign_async(outbuf, async); |
922 | 0 | } |
923 | 0 | #endif |
924 | | /* Otherwise, generate signature synchronously. */ |
925 | 0 | if ((ret = ptls_buffer_reserve(outbuf, siglen)) != 0) |
926 | 0 | goto Exit; |
927 | 0 | if (EVP_DigestSignFinal(ctx, outbuf->base + outbuf->off, &siglen) != 1) { |
928 | 0 | ret = PTLS_ERROR_LIBRARY; |
929 | 0 | goto Exit; |
930 | 0 | } |
931 | 0 | } |
932 | | |
933 | 0 | outbuf->off += siglen; |
934 | |
|
935 | 0 | ret = 0; |
936 | 0 | Exit: |
937 | 0 | if (ctx != NULL) |
938 | 0 | EVP_MD_CTX_destroy(ctx); |
939 | 0 | return ret; |
940 | 0 | } |
941 | | |
942 | | struct cipher_context_t { |
943 | | ptls_cipher_context_t super; |
944 | | EVP_CIPHER_CTX *evp; |
945 | | }; |
946 | | |
947 | | static void cipher_dispose(ptls_cipher_context_t *_ctx) |
948 | 0 | { |
949 | 0 | struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx; |
950 | 0 | EVP_CIPHER_CTX_free(ctx->evp); |
951 | 0 | } |
952 | | |
953 | | static void cipher_do_init(ptls_cipher_context_t *_ctx, const void *iv) |
954 | 0 | { |
955 | 0 | struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx; |
956 | 0 | int ret; |
957 | 0 | ret = EVP_EncryptInit_ex(ctx->evp, NULL, NULL, NULL, iv); |
958 | 0 | assert(ret); |
959 | 0 | } |
960 | | |
961 | | static int cipher_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key, const EVP_CIPHER *cipher, |
962 | | void (*do_transform)(ptls_cipher_context_t *, void *, const void *, size_t)) |
963 | 0 | { |
964 | 0 | struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx; |
965 | |
|
966 | 0 | ctx->super.do_dispose = cipher_dispose; |
967 | 0 | ctx->super.do_init = cipher_do_init; |
968 | 0 | ctx->super.do_transform = do_transform; |
969 | |
|
970 | 0 | if ((ctx->evp = EVP_CIPHER_CTX_new()) == NULL) |
971 | 0 | return PTLS_ERROR_NO_MEMORY; |
972 | | |
973 | 0 | if (is_enc) { |
974 | 0 | if (!EVP_EncryptInit_ex(ctx->evp, cipher, NULL, key, NULL)) |
975 | 0 | goto Error; |
976 | 0 | } else { |
977 | 0 | if (!EVP_DecryptInit_ex(ctx->evp, cipher, NULL, key, NULL)) |
978 | 0 | goto Error; |
979 | 0 | EVP_CIPHER_CTX_set_padding(ctx->evp, 0); /* required to disable one block buffering in ECB mode */ |
980 | 0 | } |
981 | | |
982 | 0 | return 0; |
983 | 0 | Error: |
984 | 0 | EVP_CIPHER_CTX_free(ctx->evp); |
985 | 0 | return PTLS_ERROR_LIBRARY; |
986 | 0 | } |
987 | | |
988 | | static void cipher_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t _len) |
989 | 0 | { |
990 | 0 | struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx; |
991 | 0 | int len = (int)_len, ret = EVP_EncryptUpdate(ctx->evp, output, &len, input, len); |
992 | 0 | assert(ret); |
993 | 0 | assert(len == (int)_len); |
994 | 0 | } |
995 | | |
996 | | static void cipher_decrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t _len) |
997 | 0 | { |
998 | 0 | struct cipher_context_t *ctx = (struct cipher_context_t *)_ctx; |
999 | 0 | int len = (int)_len, ret = EVP_DecryptUpdate(ctx->evp, output, &len, input, len); |
1000 | 0 | assert(ret); |
1001 | 0 | assert(len == (int)_len); |
1002 | 0 | } |
1003 | | |
1004 | | static int aes128ecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key) |
1005 | 0 | { |
1006 | 0 | return cipher_setup_crypto(ctx, is_enc, key, EVP_aes_128_ecb(), is_enc ? cipher_encrypt : cipher_decrypt); |
1007 | 0 | } |
1008 | | |
1009 | | static int aes256ecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key) |
1010 | 0 | { |
1011 | 0 | return cipher_setup_crypto(ctx, is_enc, key, EVP_aes_256_ecb(), is_enc ? cipher_encrypt : cipher_decrypt); |
1012 | 0 | } |
1013 | | |
1014 | | static int aes128ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key) |
1015 | 0 | { |
1016 | 0 | return cipher_setup_crypto(ctx, 1, key, EVP_aes_128_ctr(), cipher_encrypt); |
1017 | 0 | } |
1018 | | |
1019 | | static int aes256ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key) |
1020 | 0 | { |
1021 | 0 | return cipher_setup_crypto(ctx, 1, key, EVP_aes_256_ctr(), cipher_encrypt); |
1022 | 0 | } |
1023 | | |
1024 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
1025 | | #ifdef OPENSSL_IS_BORINGSSL |
1026 | | |
1027 | | struct boringssl_chacha20_context_t { |
1028 | | ptls_cipher_context_t super; |
1029 | | uint8_t key[PTLS_CHACHA20_KEY_SIZE]; |
1030 | | uint8_t iv[12]; |
1031 | | struct { |
1032 | | uint32_t ctr; |
1033 | | uint8_t bytes[64]; |
1034 | | size_t len; |
1035 | | } keystream; |
1036 | | }; |
1037 | | |
1038 | | static void boringssl_chacha20_dispose(ptls_cipher_context_t *_ctx) |
1039 | | { |
1040 | | struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx; |
1041 | | |
1042 | | ptls_clear_memory(ctx->key, sizeof(ctx->key)); |
1043 | | ptls_clear_memory(ctx->iv, sizeof(ctx->iv)); |
1044 | | ptls_clear_memory(ctx->keystream.bytes, sizeof(ctx->keystream.bytes)); |
1045 | | } |
1046 | | |
1047 | | static void boringssl_chacha20_init(ptls_cipher_context_t *_ctx, const void *_iv) |
1048 | | { |
1049 | | struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx; |
1050 | | const uint8_t *iv = _iv; |
1051 | | |
1052 | | memcpy(ctx->iv, iv + 4, sizeof(ctx->iv)); |
1053 | | ctx->keystream.ctr = iv[0] | ((uint32_t)iv[1] << 8) | ((uint32_t)iv[2] << 16) | ((uint32_t)iv[3] << 24); |
1054 | | ctx->keystream.len = 0; |
1055 | | } |
1056 | | |
1057 | | static inline void boringssl_chacha20_transform_buffered(struct boringssl_chacha20_context_t *ctx, uint8_t **output, |
1058 | | const uint8_t **input, size_t *len) |
1059 | | { |
1060 | | size_t apply_len = *len < ctx->keystream.len ? *len : ctx->keystream.len; |
1061 | | const uint8_t *ks = ctx->keystream.bytes + sizeof(ctx->keystream.bytes) - ctx->keystream.len; |
1062 | | ctx->keystream.len -= apply_len; |
1063 | | |
1064 | | *len -= apply_len; |
1065 | | for (size_t i = 0; i < apply_len; ++i) |
1066 | | *(*output)++ = *(*input)++ ^ *ks++; |
1067 | | } |
1068 | | |
1069 | | static void boringssl_chacha20_transform(ptls_cipher_context_t *_ctx, void *_output, const void *_input, size_t len) |
1070 | | { |
1071 | | struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx; |
1072 | | uint8_t *output = _output; |
1073 | | const uint8_t *input = _input; |
1074 | | |
1075 | | if (len == 0) |
1076 | | return; |
1077 | | |
1078 | | if (ctx->keystream.len != 0) { |
1079 | | boringssl_chacha20_transform_buffered(ctx, &output, &input, &len); |
1080 | | if (len == 0) |
1081 | | return; |
1082 | | } |
1083 | | |
1084 | | assert(ctx->keystream.len == 0); |
1085 | | |
1086 | | if (len >= sizeof(ctx->keystream.bytes)) { |
1087 | | size_t blocks = len / CHACHA20POLY1305_BLOCKSIZE; |
1088 | | CRYPTO_chacha_20(output, input, blocks * CHACHA20POLY1305_BLOCKSIZE, ctx->key, ctx->iv, ctx->keystream.ctr); |
1089 | | ctx->keystream.ctr += blocks; |
1090 | | output += blocks * CHACHA20POLY1305_BLOCKSIZE; |
1091 | | input += blocks * CHACHA20POLY1305_BLOCKSIZE; |
1092 | | len -= blocks * CHACHA20POLY1305_BLOCKSIZE; |
1093 | | if (len == 0) |
1094 | | return; |
1095 | | } |
1096 | | |
1097 | | memset(ctx->keystream.bytes, 0, CHACHA20POLY1305_BLOCKSIZE); |
1098 | | CRYPTO_chacha_20(ctx->keystream.bytes, ctx->keystream.bytes, CHACHA20POLY1305_BLOCKSIZE, ctx->key, ctx->iv, |
1099 | | ctx->keystream.ctr++); |
1100 | | ctx->keystream.len = sizeof(ctx->keystream.bytes); |
1101 | | |
1102 | | boringssl_chacha20_transform_buffered(ctx, &output, &input, &len); |
1103 | | assert(len == 0); |
1104 | | } |
1105 | | |
1106 | | static int boringssl_chacha20_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key) |
1107 | | { |
1108 | | struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx; |
1109 | | |
1110 | | ctx->super.do_dispose = boringssl_chacha20_dispose; |
1111 | | ctx->super.do_init = boringssl_chacha20_init; |
1112 | | ctx->super.do_transform = boringssl_chacha20_transform; |
1113 | | memcpy(ctx->key, key, sizeof(ctx->key)); |
1114 | | |
1115 | | return 0; |
1116 | | } |
1117 | | |
1118 | | #else |
1119 | | |
1120 | | static int chacha20_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key) |
1121 | 0 | { |
1122 | 0 | return cipher_setup_crypto(ctx, 1, key, EVP_chacha20(), cipher_encrypt); |
1123 | 0 | } |
1124 | | |
1125 | | #endif |
1126 | | #endif |
1127 | | |
1128 | | #if PTLS_OPENSSL_HAVE_BF |
1129 | | |
1130 | | static int bfecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key) |
1131 | 0 | { |
1132 | 0 | return cipher_setup_crypto(ctx, is_enc, key, EVP_bf_ecb(), is_enc ? cipher_encrypt : cipher_decrypt); |
1133 | 0 | } |
1134 | | |
1135 | | #endif |
1136 | | |
1137 | | struct aead_crypto_context_t { |
1138 | | ptls_aead_context_t super; |
1139 | | EVP_CIPHER_CTX *evp_ctx; |
1140 | | uint8_t static_iv[PTLS_MAX_IV_SIZE]; |
1141 | | }; |
1142 | | |
1143 | | static void aead_dispose_crypto(ptls_aead_context_t *_ctx) |
1144 | 2.22k | { |
1145 | 2.22k | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1146 | | |
1147 | 2.22k | if (ctx->evp_ctx != NULL) |
1148 | 2.22k | EVP_CIPHER_CTX_free(ctx->evp_ctx); |
1149 | 2.22k | } |
1150 | | |
1151 | | static void aead_get_iv(ptls_aead_context_t *_ctx, void *iv) |
1152 | 0 | { |
1153 | 0 | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1154 | |
|
1155 | 0 | memcpy(iv, ctx->static_iv, ctx->super.algo->iv_size); |
1156 | 0 | } |
1157 | | |
1158 | | static void aead_set_iv(ptls_aead_context_t *_ctx, const void *iv) |
1159 | 0 | { |
1160 | 0 | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1161 | |
|
1162 | 0 | memcpy(ctx->static_iv, iv, ctx->super.algo->iv_size); |
1163 | 0 | } |
1164 | | |
1165 | | static void aead_do_encrypt_init(ptls_aead_context_t *_ctx, uint64_t seq, const void *aad, size_t aadlen) |
1166 | 0 | { |
1167 | 0 | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1168 | 0 | uint8_t iv[PTLS_MAX_IV_SIZE]; |
1169 | 0 | int ret; |
1170 | |
|
1171 | 0 | ptls_aead__build_iv(ctx->super.algo, iv, ctx->static_iv, seq); |
1172 | 0 | ret = EVP_EncryptInit_ex(ctx->evp_ctx, NULL, NULL, NULL, iv); |
1173 | 0 | assert(ret); |
1174 | | |
1175 | 0 | if (aadlen != 0) { |
1176 | 0 | int blocklen; |
1177 | 0 | ret = EVP_EncryptUpdate(ctx->evp_ctx, NULL, &blocklen, aad, (int)aadlen); |
1178 | 0 | assert(ret); |
1179 | 0 | } |
1180 | 0 | } |
1181 | | |
1182 | | static size_t aead_do_encrypt_update(ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen) |
1183 | 0 | { |
1184 | 0 | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1185 | 0 | int blocklen, ret; |
1186 | |
|
1187 | 0 | ret = EVP_EncryptUpdate(ctx->evp_ctx, output, &blocklen, input, (int)inlen); |
1188 | 0 | assert(ret); |
1189 | | |
1190 | 0 | return blocklen; |
1191 | 0 | } |
1192 | | |
1193 | | static size_t aead_do_encrypt_final(ptls_aead_context_t *_ctx, void *_output) |
1194 | 0 | { |
1195 | 0 | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1196 | 0 | uint8_t *output = _output; |
1197 | 0 | size_t off = 0, tag_size = ctx->super.algo->tag_size; |
1198 | 0 | int blocklen, ret; |
1199 | |
|
1200 | 0 | ret = EVP_EncryptFinal_ex(ctx->evp_ctx, output + off, &blocklen); |
1201 | 0 | assert(ret); |
1202 | 0 | off += blocklen; |
1203 | 0 | ret = EVP_CIPHER_CTX_ctrl(ctx->evp_ctx, EVP_CTRL_GCM_GET_TAG, (int)tag_size, output + off); |
1204 | 0 | assert(ret); |
1205 | 0 | off += tag_size; |
1206 | |
|
1207 | 0 | return off; |
1208 | 0 | } |
1209 | | |
1210 | | static size_t aead_do_decrypt(ptls_aead_context_t *_ctx, void *_output, const void *input, size_t inlen, uint64_t seq, |
1211 | | const void *aad, size_t aadlen) |
1212 | 0 | { |
1213 | 0 | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1214 | 0 | uint8_t *output = _output, iv[PTLS_MAX_IV_SIZE]; |
1215 | 0 | size_t off = 0, tag_size = ctx->super.algo->tag_size; |
1216 | 0 | int blocklen, ret; |
1217 | |
|
1218 | 0 | if (inlen < tag_size) |
1219 | 0 | return SIZE_MAX; |
1220 | | |
1221 | 0 | ptls_aead__build_iv(ctx->super.algo, iv, ctx->static_iv, seq); |
1222 | 0 | ret = EVP_DecryptInit_ex(ctx->evp_ctx, NULL, NULL, NULL, iv); |
1223 | 0 | assert(ret); |
1224 | 0 | if (aadlen != 0) { |
1225 | 0 | ret = EVP_DecryptUpdate(ctx->evp_ctx, NULL, &blocklen, aad, (int)aadlen); |
1226 | 0 | assert(ret); |
1227 | 0 | } |
1228 | 0 | ret = EVP_DecryptUpdate(ctx->evp_ctx, output + off, &blocklen, input, (int)(inlen - tag_size)); |
1229 | 0 | assert(ret); |
1230 | 0 | off += blocklen; |
1231 | 0 | if (!EVP_CIPHER_CTX_ctrl(ctx->evp_ctx, EVP_CTRL_GCM_SET_TAG, (int)tag_size, (void *)((uint8_t *)input + inlen - tag_size))) |
1232 | 0 | return SIZE_MAX; |
1233 | 0 | if (!EVP_DecryptFinal_ex(ctx->evp_ctx, output + off, &blocklen)) |
1234 | 0 | return SIZE_MAX; |
1235 | 0 | off += blocklen; |
1236 | |
|
1237 | 0 | return off; |
1238 | 0 | } |
1239 | | |
1240 | | static int aead_setup_crypto(ptls_aead_context_t *_ctx, int is_enc, const void *key, const void *iv, const EVP_CIPHER *cipher) |
1241 | 2.22k | { |
1242 | 2.22k | struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *)_ctx; |
1243 | 2.22k | int ret; |
1244 | | |
1245 | 2.22k | ctx->super.dispose_crypto = aead_dispose_crypto; |
1246 | 2.22k | ctx->super.do_get_iv = aead_get_iv; |
1247 | 2.22k | ctx->super.do_set_iv = aead_set_iv; |
1248 | 2.22k | if (is_enc) { |
1249 | 1.11k | ctx->super.do_encrypt_init = aead_do_encrypt_init; |
1250 | 1.11k | ctx->super.do_encrypt_update = aead_do_encrypt_update; |
1251 | 1.11k | ctx->super.do_encrypt_final = aead_do_encrypt_final; |
1252 | 1.11k | ctx->super.do_encrypt = ptls_aead__do_encrypt; |
1253 | 1.11k | ctx->super.do_encrypt_v = ptls_aead__do_encrypt_v; |
1254 | 1.11k | ctx->super.do_decrypt = NULL; |
1255 | 1.11k | } else { |
1256 | 1.11k | ctx->super.do_encrypt_init = NULL; |
1257 | 1.11k | ctx->super.do_encrypt_update = NULL; |
1258 | 1.11k | ctx->super.do_encrypt_final = NULL; |
1259 | 1.11k | ctx->super.do_encrypt = NULL; |
1260 | 1.11k | ctx->super.do_encrypt_v = NULL; |
1261 | 1.11k | ctx->super.do_decrypt = aead_do_decrypt; |
1262 | 1.11k | } |
1263 | 2.22k | ctx->evp_ctx = NULL; |
1264 | | |
1265 | 2.22k | if ((ctx->evp_ctx = EVP_CIPHER_CTX_new()) == NULL) { |
1266 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1267 | 0 | goto Error; |
1268 | 0 | } |
1269 | 2.22k | if (is_enc) { |
1270 | 1.11k | if (!EVP_EncryptInit_ex(ctx->evp_ctx, cipher, NULL, key, NULL)) { |
1271 | 0 | ret = PTLS_ERROR_LIBRARY; |
1272 | 0 | goto Error; |
1273 | 0 | } |
1274 | 1.11k | } else { |
1275 | 1.11k | if (!EVP_DecryptInit_ex(ctx->evp_ctx, cipher, NULL, key, NULL)) { |
1276 | 0 | ret = PTLS_ERROR_LIBRARY; |
1277 | 0 | goto Error; |
1278 | 0 | } |
1279 | 1.11k | } |
1280 | 2.22k | if (!EVP_CIPHER_CTX_ctrl(ctx->evp_ctx, EVP_CTRL_GCM_SET_IVLEN, (int)ctx->super.algo->iv_size, NULL)) { |
1281 | 0 | ret = PTLS_ERROR_LIBRARY; |
1282 | 0 | goto Error; |
1283 | 0 | } |
1284 | | |
1285 | 2.22k | memcpy(ctx->static_iv, iv, ctx->super.algo->iv_size); |
1286 | | |
1287 | 2.22k | return 0; |
1288 | | |
1289 | 0 | Error: |
1290 | 0 | aead_dispose_crypto(&ctx->super); |
1291 | 0 | return ret; |
1292 | 2.22k | } |
1293 | | |
1294 | | static int aead_aes128gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv) |
1295 | 2.22k | { |
1296 | 2.22k | return aead_setup_crypto(ctx, is_enc, key, iv, EVP_aes_128_gcm()); |
1297 | 2.22k | } |
1298 | | |
1299 | | static int aead_aes256gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv) |
1300 | 0 | { |
1301 | 0 | return aead_setup_crypto(ctx, is_enc, key, iv, EVP_aes_256_gcm()); |
1302 | 0 | } |
1303 | | |
1304 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
1305 | | #ifdef OPENSSL_IS_BORINGSSL |
1306 | | |
1307 | | struct boringssl_chacha20poly1305_context_t { |
1308 | | struct chacha20poly1305_context_t super; |
1309 | | poly1305_state poly1305; |
1310 | | }; |
1311 | | |
1312 | | static void boringssl_poly1305_init(struct chacha20poly1305_context_t *_ctx, const void *key) |
1313 | | { |
1314 | | struct boringssl_chacha20poly1305_context_t *ctx = (struct boringssl_chacha20poly1305_context_t *)_ctx; |
1315 | | CRYPTO_poly1305_init(&ctx->poly1305, key); |
1316 | | } |
1317 | | |
1318 | | static void boringssl_poly1305_update(struct chacha20poly1305_context_t *_ctx, const void *input, size_t len) |
1319 | | { |
1320 | | struct boringssl_chacha20poly1305_context_t *ctx = (struct boringssl_chacha20poly1305_context_t *)_ctx; |
1321 | | CRYPTO_poly1305_update(&ctx->poly1305, input, len); |
1322 | | } |
1323 | | |
1324 | | static void boringssl_poly1305_finish(struct chacha20poly1305_context_t *_ctx, void *tag) |
1325 | | { |
1326 | | struct boringssl_chacha20poly1305_context_t *ctx = (struct boringssl_chacha20poly1305_context_t *)_ctx; |
1327 | | CRYPTO_poly1305_finish(&ctx->poly1305, tag); |
1328 | | } |
1329 | | |
1330 | | static int boringssl_chacha20poly1305_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv) |
1331 | | { |
1332 | | return chacha20poly1305_setup_crypto(ctx, is_enc, key, iv, &ptls_openssl_chacha20, boringssl_poly1305_init, |
1333 | | boringssl_poly1305_update, boringssl_poly1305_finish); |
1334 | | } |
1335 | | |
1336 | | #else |
1337 | | |
1338 | | static int aead_chacha20poly1305_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv) |
1339 | 0 | { |
1340 | 0 | return aead_setup_crypto(ctx, is_enc, key, iv, EVP_chacha20_poly1305()); |
1341 | 0 | } |
1342 | | |
1343 | | #endif |
1344 | | #endif |
1345 | | |
1346 | 62.6k | #define _sha256_final(ctx, md) SHA256_Final((md), (ctx)) |
1347 | 62.6k | ptls_define_hash(sha256, SHA256_CTX, SHA256_Init, SHA256_Update, _sha256_final); |
1348 | | |
1349 | 0 | #define _sha384_final(ctx, md) SHA384_Final((md), (ctx)) |
1350 | 0 | ptls_define_hash(sha384, SHA512_CTX, SHA384_Init, SHA384_Update, _sha384_final); |
1351 | | |
1352 | 0 | #define _sha512_final(ctx, md) SHA512_Final((md), (ctx)) |
1353 | 0 | ptls_define_hash(sha512, SHA512_CTX, SHA512_Init, SHA512_Update, _sha512_final); |
1354 | | |
1355 | | static int sign_certificate(ptls_sign_certificate_t *_self, ptls_t *tls, ptls_async_job_t **async, uint16_t *selected_algorithm, |
1356 | | ptls_buffer_t *outbuf, ptls_iovec_t input, const uint16_t *algorithms, size_t num_algorithms) |
1357 | 0 | { |
1358 | 0 | ptls_openssl_sign_certificate_t *self = (ptls_openssl_sign_certificate_t *)_self; |
1359 | 0 | const ptls_openssl_signature_scheme_t *scheme; |
1360 | | |
1361 | | /* Just resume the asynchronous operation, if one is in flight. */ |
1362 | 0 | #if PTLS_OPENSSL_HAVE_ASYNC |
1363 | 0 | if (async != NULL && *async != NULL) { |
1364 | 0 | struct async_sign_ctx *sign_ctx = (struct async_sign_ctx *)(*async); |
1365 | 0 | *selected_algorithm = sign_ctx->scheme->scheme_id; |
1366 | 0 | return do_sign_async(outbuf, async); |
1367 | 0 | } |
1368 | 0 | #endif |
1369 | | |
1370 | | /* Select the algorithm or return failure if none found. */ |
1371 | 0 | if ((scheme = ptls_openssl_select_signature_scheme(self->schemes, algorithms, num_algorithms)) == NULL) |
1372 | 0 | return PTLS_ALERT_HANDSHAKE_FAILURE; |
1373 | 0 | *selected_algorithm = scheme->scheme_id; |
1374 | |
|
1375 | 0 | #if PTLS_OPENSSL_HAVE_ASYNC |
1376 | 0 | if (!self->async && async != NULL) { |
1377 | | /* indicate to `do_sign` that async mode is disabled for this operation */ |
1378 | 0 | assert(*async == NULL); |
1379 | 0 | async = NULL; |
1380 | 0 | } |
1381 | 0 | #endif |
1382 | 0 | return do_sign(self->key, scheme, outbuf, input, async); |
1383 | 0 | } |
1384 | | |
1385 | | static X509 *to_x509(ptls_iovec_t vec) |
1386 | 0 | { |
1387 | 0 | const uint8_t *p = vec.base; |
1388 | 0 | return d2i_X509(NULL, &p, (long)vec.len); |
1389 | 0 | } |
1390 | | |
1391 | | static int verify_sign(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature) |
1392 | 0 | { |
1393 | 0 | EVP_PKEY *key = verify_ctx; |
1394 | 0 | const ptls_openssl_signature_scheme_t *scheme; |
1395 | 0 | EVP_MD_CTX *ctx = NULL; |
1396 | 0 | EVP_PKEY_CTX *pkey_ctx = NULL; |
1397 | 0 | int ret = 0; |
1398 | |
|
1399 | 0 | if (data.base == NULL) |
1400 | 0 | goto Exit; |
1401 | | |
1402 | 0 | if ((scheme = ptls_openssl_lookup_signature_schemes(key)) == NULL) { |
1403 | 0 | ret = PTLS_ERROR_LIBRARY; |
1404 | 0 | goto Exit; |
1405 | 0 | } |
1406 | 0 | for (; scheme->scheme_id != UINT16_MAX; ++scheme) |
1407 | 0 | if (scheme->scheme_id == algo) |
1408 | 0 | goto SchemeFound; |
1409 | 0 | ret = PTLS_ALERT_ILLEGAL_PARAMETER; |
1410 | 0 | goto Exit; |
1411 | | |
1412 | 0 | SchemeFound: |
1413 | 0 | if ((ctx = EVP_MD_CTX_create()) == NULL) { |
1414 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1415 | 0 | goto Exit; |
1416 | 0 | } |
1417 | | |
1418 | 0 | #if PTLS_OPENSSL_HAVE_ED25519 |
1419 | 0 | if (EVP_PKEY_id(key) == EVP_PKEY_ED25519) { |
1420 | | /* ED25519 requires the use of the all-at-once function that appeared in OpenSSL 1.1.1, hence different path */ |
1421 | 0 | if (EVP_DigestVerifyInit(ctx, &pkey_ctx, NULL, NULL, key) != 1) { |
1422 | 0 | ret = PTLS_ERROR_LIBRARY; |
1423 | 0 | goto Exit; |
1424 | 0 | } |
1425 | 0 | if (EVP_DigestVerify(ctx, signature.base, signature.len, data.base, data.len) != 1) { |
1426 | 0 | ret = PTLS_ERROR_LIBRARY; |
1427 | 0 | goto Exit; |
1428 | 0 | } |
1429 | 0 | } else |
1430 | 0 | #endif |
1431 | 0 | { |
1432 | 0 | if (EVP_DigestVerifyInit(ctx, &pkey_ctx, scheme->scheme_md(), NULL, key) != 1) { |
1433 | 0 | ret = PTLS_ERROR_LIBRARY; |
1434 | 0 | goto Exit; |
1435 | 0 | } |
1436 | | |
1437 | 0 | if (EVP_PKEY_id(key) == EVP_PKEY_RSA) { |
1438 | 0 | if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1) { |
1439 | 0 | ret = PTLS_ERROR_LIBRARY; |
1440 | 0 | goto Exit; |
1441 | 0 | } |
1442 | 0 | if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1) != 1) { |
1443 | 0 | ret = PTLS_ERROR_LIBRARY; |
1444 | 0 | goto Exit; |
1445 | 0 | } |
1446 | 0 | if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, scheme->scheme_md()) != 1) { |
1447 | 0 | ret = PTLS_ERROR_LIBRARY; |
1448 | 0 | goto Exit; |
1449 | 0 | } |
1450 | 0 | } |
1451 | 0 | if (EVP_DigestVerifyUpdate(ctx, data.base, data.len) != 1) { |
1452 | 0 | ret = PTLS_ERROR_LIBRARY; |
1453 | 0 | goto Exit; |
1454 | 0 | } |
1455 | 0 | if (EVP_DigestVerifyFinal(ctx, signature.base, signature.len) != 1) { |
1456 | 0 | ret = PTLS_ALERT_DECRYPT_ERROR; |
1457 | 0 | goto Exit; |
1458 | 0 | } |
1459 | 0 | } |
1460 | | |
1461 | 0 | ret = 0; |
1462 | |
|
1463 | 0 | Exit: |
1464 | 0 | if (ctx != NULL) |
1465 | 0 | EVP_MD_CTX_destroy(ctx); |
1466 | 0 | EVP_PKEY_free(key); |
1467 | 0 | return ret; |
1468 | 0 | } |
1469 | | |
1470 | | int ptls_openssl_init_sign_certificate(ptls_openssl_sign_certificate_t *self, EVP_PKEY *key) |
1471 | 0 | { |
1472 | 0 | *self = (ptls_openssl_sign_certificate_t){.super = {sign_certificate}, .async = 0 /* libssl has it off by default too */}; |
1473 | |
|
1474 | 0 | if ((self->schemes = ptls_openssl_lookup_signature_schemes(key)) == NULL) |
1475 | 0 | return PTLS_ERROR_INCOMPATIBLE_KEY; |
1476 | 0 | EVP_PKEY_up_ref(key); |
1477 | 0 | self->key = key; |
1478 | |
|
1479 | 0 | return 0; |
1480 | 0 | } |
1481 | | |
1482 | | void ptls_openssl_dispose_sign_certificate(ptls_openssl_sign_certificate_t *self) |
1483 | 0 | { |
1484 | 0 | EVP_PKEY_free(self->key); |
1485 | 0 | } |
1486 | | |
1487 | | static int serialize_cert(X509 *cert, ptls_iovec_t *dst) |
1488 | 0 | { |
1489 | 0 | int len = i2d_X509(cert, NULL); |
1490 | 0 | assert(len > 0); |
1491 | | |
1492 | 0 | if ((dst->base = malloc(len)) == NULL) |
1493 | 0 | return PTLS_ERROR_NO_MEMORY; |
1494 | 0 | unsigned char *p = dst->base; |
1495 | 0 | dst->len = i2d_X509(cert, &p); |
1496 | 0 | assert(len == dst->len); |
1497 | | |
1498 | 0 | return 0; |
1499 | 0 | } |
1500 | | |
1501 | | int ptls_openssl_load_certificates(ptls_context_t *ctx, X509 *cert, STACK_OF(X509) * chain) |
1502 | 0 | { |
1503 | 0 | ptls_iovec_t *list = NULL; |
1504 | 0 | size_t slot = 0, count = (cert != NULL) + (chain != NULL ? sk_X509_num(chain) : 0); |
1505 | 0 | int ret; |
1506 | |
|
1507 | 0 | assert(ctx->certificates.list == NULL); |
1508 | | |
1509 | 0 | if ((list = malloc(sizeof(*list) * count)) == NULL) { |
1510 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1511 | 0 | goto Exit; |
1512 | 0 | } |
1513 | 0 | if (cert != NULL) { |
1514 | 0 | if ((ret = serialize_cert(cert, list + slot++)) != 0) |
1515 | 0 | goto Exit; |
1516 | 0 | } |
1517 | 0 | if (chain != NULL) { |
1518 | 0 | int i; |
1519 | 0 | for (i = 0; i != sk_X509_num(chain); ++i) { |
1520 | 0 | if ((ret = serialize_cert(sk_X509_value(chain, i), list + slot++)) != 0) |
1521 | 0 | goto Exit; |
1522 | 0 | } |
1523 | 0 | } |
1524 | | |
1525 | 0 | assert(slot == count); |
1526 | | |
1527 | 0 | ctx->certificates.list = list; |
1528 | 0 | ctx->certificates.count = count; |
1529 | 0 | ret = 0; |
1530 | |
|
1531 | 0 | Exit: |
1532 | 0 | if (ret != 0 && list != NULL) { |
1533 | 0 | size_t i; |
1534 | 0 | for (i = 0; i != slot; ++i) |
1535 | 0 | free(list[i].base); |
1536 | 0 | free(list); |
1537 | 0 | } |
1538 | 0 | return ret; |
1539 | 0 | } |
1540 | | |
1541 | | static int verify_cert_chain(X509_STORE *store, X509 *cert, STACK_OF(X509) * chain, int is_server, const char *server_name, |
1542 | | int *ossl_x509_err) |
1543 | 0 | { |
1544 | 0 | X509_STORE_CTX *verify_ctx; |
1545 | 0 | int ret; |
1546 | 0 | *ossl_x509_err = 0; |
1547 | | |
1548 | | /* verify certificate chain */ |
1549 | 0 | if ((verify_ctx = X509_STORE_CTX_new()) == NULL) { |
1550 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1551 | 0 | goto Exit; |
1552 | 0 | } |
1553 | 0 | if (X509_STORE_CTX_init(verify_ctx, store, cert, chain) != 1) { |
1554 | 0 | ret = PTLS_ERROR_LIBRARY; |
1555 | 0 | goto Exit; |
1556 | 0 | } |
1557 | | |
1558 | 0 | { /* setup verify params */ |
1559 | 0 | X509_VERIFY_PARAM *params = X509_STORE_CTX_get0_param(verify_ctx); |
1560 | 0 | X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_CLIENT : X509_PURPOSE_SSL_SERVER); |
1561 | 0 | X509_VERIFY_PARAM_set_depth(params, 98); /* use the default of OpenSSL 1.0.2 and above; see `man SSL_CTX_set_verify` */ |
1562 | | /* when _acting_ as client, set the server name if provided*/ |
1563 | 0 | if (!is_server && server_name != NULL) { |
1564 | 0 | if (ptls_server_name_is_ipaddr(server_name)) { |
1565 | 0 | X509_VERIFY_PARAM_set1_ip_asc(params, server_name); |
1566 | 0 | } else { |
1567 | 0 | X509_VERIFY_PARAM_set1_host(params, server_name, strlen(server_name)); |
1568 | 0 | X509_VERIFY_PARAM_set_hostflags(params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); |
1569 | 0 | } |
1570 | 0 | } |
1571 | 0 | } |
1572 | |
|
1573 | 0 | if (X509_verify_cert(verify_ctx) != 1) { |
1574 | 0 | *ossl_x509_err = X509_STORE_CTX_get_error(verify_ctx); |
1575 | 0 | switch (*ossl_x509_err) { |
1576 | 0 | case X509_V_ERR_OUT_OF_MEM: |
1577 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1578 | 0 | break; |
1579 | 0 | case X509_V_ERR_CERT_REVOKED: |
1580 | 0 | ret = PTLS_ALERT_CERTIFICATE_REVOKED; |
1581 | 0 | break; |
1582 | 0 | case X509_V_ERR_CERT_NOT_YET_VALID: |
1583 | 0 | case X509_V_ERR_CERT_HAS_EXPIRED: |
1584 | 0 | ret = PTLS_ALERT_CERTIFICATE_EXPIRED; |
1585 | 0 | break; |
1586 | 0 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: |
1587 | 0 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: |
1588 | 0 | case X509_V_ERR_CERT_UNTRUSTED: |
1589 | 0 | case X509_V_ERR_CERT_REJECTED: |
1590 | 0 | ret = PTLS_ALERT_UNKNOWN_CA; |
1591 | 0 | break; |
1592 | 0 | case X509_V_ERR_HOSTNAME_MISMATCH: |
1593 | 0 | case X509_V_ERR_INVALID_CA: |
1594 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
1595 | 0 | break; |
1596 | 0 | default: |
1597 | 0 | ret = PTLS_ALERT_CERTIFICATE_UNKNOWN; |
1598 | 0 | break; |
1599 | 0 | } |
1600 | 0 | goto Exit; |
1601 | 0 | } |
1602 | | |
1603 | 0 | ret = 0; |
1604 | |
|
1605 | 0 | Exit: |
1606 | 0 | if (verify_ctx != NULL) |
1607 | 0 | X509_STORE_CTX_free(verify_ctx); |
1608 | 0 | return ret; |
1609 | 0 | } |
1610 | | |
1611 | | static int verify_cert(ptls_verify_certificate_t *_self, ptls_t *tls, const char *server_name, |
1612 | | int (**verifier)(void *, uint16_t, ptls_iovec_t, ptls_iovec_t), void **verify_data, ptls_iovec_t *certs, |
1613 | | size_t num_certs) |
1614 | 0 | { |
1615 | 0 | ptls_openssl_verify_certificate_t *self = (ptls_openssl_verify_certificate_t *)_self; |
1616 | 0 | X509 *cert = NULL; |
1617 | 0 | STACK_OF(X509) *chain = sk_X509_new_null(); |
1618 | 0 | size_t i; |
1619 | 0 | int ossl_x509_err, ret; |
1620 | | |
1621 | | /* If any certs are given, convert them to OpenSSL representation, then verify the cert chain. If no certs are given, just give |
1622 | | * the override_callback to see if we want to stay fail open. */ |
1623 | 0 | if (num_certs != 0) { |
1624 | 0 | if ((cert = to_x509(certs[0])) == NULL) { |
1625 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
1626 | 0 | goto Exit; |
1627 | 0 | } |
1628 | 0 | for (i = 1; i != num_certs; ++i) { |
1629 | 0 | X509 *interm = to_x509(certs[i]); |
1630 | 0 | if (interm == NULL) { |
1631 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
1632 | 0 | goto Exit; |
1633 | 0 | } |
1634 | 0 | sk_X509_push(chain, interm); |
1635 | 0 | } |
1636 | 0 | ret = verify_cert_chain(self->cert_store, cert, chain, ptls_is_server(tls), server_name, &ossl_x509_err); |
1637 | 0 | } else { |
1638 | 0 | ret = PTLS_ALERT_CERTIFICATE_REQUIRED; |
1639 | 0 | ossl_x509_err = 0; |
1640 | 0 | } |
1641 | | |
1642 | | /* When override callback is available, let it override the error. */ |
1643 | 0 | if (self->override_callback != NULL) |
1644 | 0 | ret = self->override_callback->cb(self->override_callback, tls, ret, ossl_x509_err, cert, chain); |
1645 | |
|
1646 | 0 | if (ret != 0 || num_certs == 0) |
1647 | 0 | goto Exit; |
1648 | | |
1649 | | /* extract public key for verifying the TLS handshake signature */ |
1650 | 0 | if ((*verify_data = X509_get_pubkey(cert)) == NULL) { |
1651 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
1652 | 0 | goto Exit; |
1653 | 0 | } |
1654 | 0 | *verifier = verify_sign; |
1655 | |
|
1656 | 0 | Exit: |
1657 | 0 | if (chain != NULL) |
1658 | 0 | sk_X509_pop_free(chain, X509_free); |
1659 | 0 | if (cert != NULL) |
1660 | 0 | X509_free(cert); |
1661 | 0 | return ret; |
1662 | 0 | } |
1663 | | |
1664 | | int ptls_openssl_init_verify_certificate(ptls_openssl_verify_certificate_t *self, X509_STORE *store) |
1665 | 0 | { |
1666 | 0 | *self = (ptls_openssl_verify_certificate_t){{verify_cert, default_signature_schemes}, NULL}; |
1667 | |
|
1668 | 0 | if (store != NULL) { |
1669 | 0 | X509_STORE_up_ref(store); |
1670 | 0 | self->cert_store = store; |
1671 | 0 | } else { |
1672 | | /* use default store */ |
1673 | 0 | if ((self->cert_store = ptls_openssl_create_default_certificate_store()) == NULL) |
1674 | 0 | return -1; |
1675 | 0 | } |
1676 | | |
1677 | 0 | return 0; |
1678 | 0 | } |
1679 | | |
1680 | | void ptls_openssl_dispose_verify_certificate(ptls_openssl_verify_certificate_t *self) |
1681 | 0 | { |
1682 | 0 | X509_STORE_free(self->cert_store); |
1683 | 0 | } |
1684 | | |
1685 | | X509_STORE *ptls_openssl_create_default_certificate_store(void) |
1686 | 0 | { |
1687 | 0 | X509_STORE *store; |
1688 | 0 | X509_LOOKUP *lookup; |
1689 | |
|
1690 | 0 | if ((store = X509_STORE_new()) == NULL) |
1691 | 0 | goto Error; |
1692 | 0 | if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) == NULL) |
1693 | 0 | goto Error; |
1694 | 0 | X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); |
1695 | 0 | if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) == NULL) |
1696 | 0 | goto Error; |
1697 | 0 | X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); |
1698 | |
|
1699 | 0 | return store; |
1700 | 0 | Error: |
1701 | 0 | if (store != NULL) |
1702 | 0 | X509_STORE_free(store); |
1703 | 0 | return NULL; |
1704 | 0 | } |
1705 | | |
1706 | | static int verify_raw_cert(ptls_verify_certificate_t *_self, ptls_t *tls, const char *server_name, |
1707 | | int (**verifier)(void *, uint16_t algo, ptls_iovec_t, ptls_iovec_t), void **verify_data, |
1708 | | ptls_iovec_t *certs, size_t num_certs) |
1709 | 0 | { |
1710 | 0 | ptls_openssl_raw_pubkey_verify_certificate_t *self = (ptls_openssl_raw_pubkey_verify_certificate_t *)_self; |
1711 | 0 | int ret = PTLS_ALERT_BAD_CERTIFICATE; |
1712 | 0 | ptls_iovec_t expected_pubkey = {0}; |
1713 | |
|
1714 | 0 | assert(num_certs != 0); |
1715 | | |
1716 | 0 | if (num_certs != 1) |
1717 | 0 | goto Exit; |
1718 | | |
1719 | 0 | int r = i2d_PUBKEY(self->expected_pubkey, &expected_pubkey.base); |
1720 | 0 | if (r <= 0) { |
1721 | 0 | ret = PTLS_ALERT_BAD_CERTIFICATE; |
1722 | 0 | goto Exit; |
1723 | 0 | } |
1724 | | |
1725 | 0 | expected_pubkey.len = r; |
1726 | 0 | if (certs[0].len != expected_pubkey.len) |
1727 | 0 | goto Exit; |
1728 | | |
1729 | 0 | if (!ptls_mem_equal(expected_pubkey.base, certs[0].base, certs[0].len)) |
1730 | 0 | goto Exit; |
1731 | | |
1732 | 0 | EVP_PKEY_up_ref(self->expected_pubkey); |
1733 | 0 | *verify_data = self->expected_pubkey; |
1734 | 0 | *verifier = verify_sign; |
1735 | 0 | ret = 0; |
1736 | 0 | Exit: |
1737 | 0 | OPENSSL_free(expected_pubkey.base); |
1738 | 0 | return ret; |
1739 | 0 | } |
1740 | | |
1741 | | int ptls_openssl_raw_pubkey_init_verify_certificate(ptls_openssl_raw_pubkey_verify_certificate_t *self, EVP_PKEY *expected_pubkey) |
1742 | 0 | { |
1743 | 0 | EVP_PKEY_up_ref(expected_pubkey); |
1744 | 0 | *self = (ptls_openssl_raw_pubkey_verify_certificate_t){{verify_raw_cert, default_signature_schemes}, expected_pubkey}; |
1745 | 0 | return 0; |
1746 | 0 | } |
1747 | | void ptls_openssl_raw_pubkey_dispose_verify_certificate(ptls_openssl_raw_pubkey_verify_certificate_t *self) |
1748 | 0 | { |
1749 | 0 | EVP_PKEY_free(self->expected_pubkey); |
1750 | 0 | } |
1751 | | |
1752 | 0 | #define TICKET_LABEL_SIZE 16 |
1753 | 0 | #define TICKET_IV_SIZE EVP_MAX_IV_LENGTH |
1754 | | |
1755 | | int ptls_openssl_encrypt_ticket(ptls_buffer_t *buf, ptls_iovec_t src, |
1756 | | int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)) |
1757 | 0 | { |
1758 | 0 | EVP_CIPHER_CTX *cctx = NULL; |
1759 | 0 | HMAC_CTX *hctx = NULL; |
1760 | 0 | uint8_t *dst; |
1761 | 0 | int clen, ret; |
1762 | |
|
1763 | 0 | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
1764 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1765 | 0 | goto Exit; |
1766 | 0 | } |
1767 | 0 | if ((hctx = HMAC_CTX_new()) == NULL) { |
1768 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1769 | 0 | goto Exit; |
1770 | 0 | } |
1771 | | |
1772 | 0 | if ((ret = ptls_buffer_reserve(buf, TICKET_LABEL_SIZE + TICKET_IV_SIZE + src.len + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE)) != |
1773 | 0 | 0) |
1774 | 0 | goto Exit; |
1775 | 0 | dst = buf->base + buf->off; |
1776 | | |
1777 | | /* fill label and iv, as well as obtaining the keys */ |
1778 | 0 | if (!(*cb)(dst, dst + TICKET_LABEL_SIZE, cctx, hctx, 1)) { |
1779 | 0 | ret = PTLS_ERROR_LIBRARY; |
1780 | 0 | goto Exit; |
1781 | 0 | } |
1782 | 0 | dst += TICKET_LABEL_SIZE + TICKET_IV_SIZE; |
1783 | | |
1784 | | /* encrypt */ |
1785 | 0 | if (!EVP_EncryptUpdate(cctx, dst, &clen, src.base, (int)src.len)) { |
1786 | 0 | ret = PTLS_ERROR_LIBRARY; |
1787 | 0 | goto Exit; |
1788 | 0 | } |
1789 | 0 | dst += clen; |
1790 | 0 | if (!EVP_EncryptFinal_ex(cctx, dst, &clen)) { |
1791 | 0 | ret = PTLS_ERROR_LIBRARY; |
1792 | 0 | goto Exit; |
1793 | 0 | } |
1794 | 0 | dst += clen; |
1795 | | |
1796 | | /* append hmac */ |
1797 | 0 | if (!HMAC_Update(hctx, buf->base + buf->off, dst - (buf->base + buf->off)) || !HMAC_Final(hctx, dst, NULL)) { |
1798 | 0 | ret = PTLS_ERROR_LIBRARY; |
1799 | 0 | goto Exit; |
1800 | 0 | } |
1801 | 0 | dst += HMAC_size(hctx); |
1802 | |
|
1803 | 0 | assert(dst <= buf->base + buf->capacity); |
1804 | 0 | buf->off += dst - (buf->base + buf->off); |
1805 | 0 | ret = 0; |
1806 | |
|
1807 | 0 | Exit: |
1808 | 0 | if (cctx != NULL) |
1809 | 0 | EVP_CIPHER_CTX_free(cctx); |
1810 | 0 | if (hctx != NULL) |
1811 | 0 | HMAC_CTX_free(hctx); |
1812 | 0 | return ret; |
1813 | 0 | } |
1814 | | |
1815 | | int ptls_openssl_decrypt_ticket(ptls_buffer_t *buf, ptls_iovec_t src, |
1816 | | int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)) |
1817 | 0 | { |
1818 | 0 | EVP_CIPHER_CTX *cctx = NULL; |
1819 | 0 | HMAC_CTX *hctx = NULL; |
1820 | 0 | int clen, ret; |
1821 | |
|
1822 | 0 | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
1823 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1824 | 0 | goto Exit; |
1825 | 0 | } |
1826 | 0 | if ((hctx = HMAC_CTX_new()) == NULL) { |
1827 | 0 | ret = PTLS_ERROR_NO_MEMORY; |
1828 | 0 | goto Exit; |
1829 | 0 | } |
1830 | | |
1831 | | /* obtain cipher and hash context. |
1832 | | * Note: no need to handle renew, since in picotls we always send a new ticket to minimize the chance of ticket reuse */ |
1833 | 0 | if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE) { |
1834 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1835 | 0 | goto Exit; |
1836 | 0 | } |
1837 | 0 | if (!(*cb)(src.base, src.base + TICKET_LABEL_SIZE, cctx, hctx, 0)) { |
1838 | 0 | ret = PTLS_ERROR_LIBRARY; |
1839 | 0 | goto Exit; |
1840 | 0 | } |
1841 | | |
1842 | | /* check hmac, and exclude label, iv, hmac */ |
1843 | 0 | size_t hmac_size = HMAC_size(hctx); |
1844 | 0 | if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE + hmac_size) { |
1845 | 0 | ret = PTLS_ALERT_DECODE_ERROR; |
1846 | 0 | goto Exit; |
1847 | 0 | } |
1848 | 0 | src.len -= hmac_size; |
1849 | 0 | uint8_t hmac[EVP_MAX_MD_SIZE]; |
1850 | 0 | if (!HMAC_Update(hctx, src.base, src.len) || !HMAC_Final(hctx, hmac, NULL)) { |
1851 | 0 | ret = PTLS_ERROR_LIBRARY; |
1852 | 0 | goto Exit; |
1853 | 0 | } |
1854 | 0 | if (!ptls_mem_equal(src.base + src.len, hmac, hmac_size)) { |
1855 | 0 | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
1856 | 0 | goto Exit; |
1857 | 0 | } |
1858 | 0 | src.base += TICKET_LABEL_SIZE + TICKET_IV_SIZE; |
1859 | 0 | src.len -= TICKET_LABEL_SIZE + TICKET_IV_SIZE; |
1860 | | |
1861 | | /* decrypt */ |
1862 | 0 | if ((ret = ptls_buffer_reserve(buf, src.len)) != 0) |
1863 | 0 | goto Exit; |
1864 | 0 | if (!EVP_DecryptUpdate(cctx, buf->base + buf->off, &clen, src.base, (int)src.len)) { |
1865 | 0 | ret = PTLS_ERROR_LIBRARY; |
1866 | 0 | goto Exit; |
1867 | 0 | } |
1868 | 0 | buf->off += clen; |
1869 | 0 | if (!EVP_DecryptFinal_ex(cctx, buf->base + buf->off, &clen)) { |
1870 | 0 | ret = PTLS_ERROR_LIBRARY; |
1871 | 0 | goto Exit; |
1872 | 0 | } |
1873 | 0 | buf->off += clen; |
1874 | |
|
1875 | 0 | ret = 0; |
1876 | |
|
1877 | 0 | Exit: |
1878 | 0 | if (cctx != NULL) |
1879 | 0 | EVP_CIPHER_CTX_free(cctx); |
1880 | 0 | if (hctx != NULL) |
1881 | 0 | HMAC_CTX_free(hctx); |
1882 | 0 | return ret; |
1883 | 0 | } |
1884 | | |
1885 | | #if OPENSSL_VERSION_NUMBER >= 0x30000000L |
1886 | | int ptls_openssl_encrypt_ticket_evp(ptls_buffer_t *buf, ptls_iovec_t src, |
1887 | | int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, |
1888 | | int enc)) |
1889 | | { |
1890 | | EVP_CIPHER_CTX *cctx = NULL; |
1891 | | EVP_MAC *mac = NULL; |
1892 | | EVP_MAC_CTX *hctx = NULL; |
1893 | | size_t hlen; |
1894 | | uint8_t *dst; |
1895 | | int clen, ret; |
1896 | | |
1897 | | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
1898 | | ret = PTLS_ERROR_NO_MEMORY; |
1899 | | goto Exit; |
1900 | | } |
1901 | | if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL) { |
1902 | | ret = PTLS_ERROR_NO_MEMORY; |
1903 | | goto Exit; |
1904 | | } |
1905 | | if ((hctx = EVP_MAC_CTX_new(mac)) == NULL) { |
1906 | | ret = PTLS_ERROR_NO_MEMORY; |
1907 | | goto Exit; |
1908 | | } |
1909 | | |
1910 | | if ((ret = ptls_buffer_reserve(buf, TICKET_LABEL_SIZE + TICKET_IV_SIZE + src.len + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE)) != |
1911 | | 0) |
1912 | | goto Exit; |
1913 | | dst = buf->base + buf->off; |
1914 | | |
1915 | | /* fill label and iv, as well as obtaining the keys */ |
1916 | | if (!(*cb)(dst, dst + TICKET_LABEL_SIZE, cctx, hctx, 1)) { |
1917 | | ret = PTLS_ERROR_LIBRARY; |
1918 | | goto Exit; |
1919 | | } |
1920 | | dst += TICKET_LABEL_SIZE + TICKET_IV_SIZE; |
1921 | | |
1922 | | /* encrypt */ |
1923 | | if (!EVP_EncryptUpdate(cctx, dst, &clen, src.base, (int)src.len)) { |
1924 | | ret = PTLS_ERROR_LIBRARY; |
1925 | | goto Exit; |
1926 | | } |
1927 | | dst += clen; |
1928 | | if (!EVP_EncryptFinal_ex(cctx, dst, &clen)) { |
1929 | | ret = PTLS_ERROR_LIBRARY; |
1930 | | goto Exit; |
1931 | | } |
1932 | | dst += clen; |
1933 | | |
1934 | | /* append hmac */ |
1935 | | if (!EVP_MAC_update(hctx, buf->base + buf->off, dst - (buf->base + buf->off)) || |
1936 | | !EVP_MAC_final(hctx, dst, &hlen, EVP_MAC_CTX_get_mac_size(hctx))) { |
1937 | | ret = PTLS_ERROR_LIBRARY; |
1938 | | goto Exit; |
1939 | | } |
1940 | | dst += hlen; |
1941 | | |
1942 | | assert(dst <= buf->base + buf->capacity); |
1943 | | buf->off += dst - (buf->base + buf->off); |
1944 | | ret = 0; |
1945 | | |
1946 | | Exit: |
1947 | | if (cctx != NULL) |
1948 | | EVP_CIPHER_CTX_free(cctx); |
1949 | | if (hctx != NULL) |
1950 | | EVP_MAC_CTX_free(hctx); |
1951 | | if (mac != NULL) |
1952 | | EVP_MAC_free(mac); |
1953 | | return ret; |
1954 | | } |
1955 | | |
1956 | | int ptls_openssl_decrypt_ticket_evp(ptls_buffer_t *buf, ptls_iovec_t src, |
1957 | | int (*cb)(unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, |
1958 | | int enc)) |
1959 | | { |
1960 | | EVP_CIPHER_CTX *cctx = NULL; |
1961 | | EVP_MAC *mac = NULL; |
1962 | | EVP_MAC_CTX *hctx = NULL; |
1963 | | size_t hlen; |
1964 | | int clen, ret; |
1965 | | |
1966 | | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
1967 | | ret = PTLS_ERROR_NO_MEMORY; |
1968 | | goto Exit; |
1969 | | } |
1970 | | if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL) { |
1971 | | ret = PTLS_ERROR_NO_MEMORY; |
1972 | | goto Exit; |
1973 | | } |
1974 | | if ((hctx = EVP_MAC_CTX_new(mac)) == NULL) { |
1975 | | ret = PTLS_ERROR_NO_MEMORY; |
1976 | | goto Exit; |
1977 | | } |
1978 | | |
1979 | | /* obtain cipher and hash context. |
1980 | | * Note: no need to handle renew, since in picotls we always send a new ticket to minimize the chance of ticket reuse */ |
1981 | | if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE) { |
1982 | | ret = PTLS_ALERT_DECODE_ERROR; |
1983 | | goto Exit; |
1984 | | } |
1985 | | if (!(*cb)(src.base, src.base + TICKET_LABEL_SIZE, cctx, hctx, 0)) { |
1986 | | ret = PTLS_ERROR_LIBRARY; |
1987 | | goto Exit; |
1988 | | } |
1989 | | |
1990 | | /* check hmac, and exclude label, iv, hmac */ |
1991 | | size_t hmac_size = EVP_MAC_CTX_get_mac_size(hctx); |
1992 | | if (src.len < TICKET_LABEL_SIZE + TICKET_IV_SIZE + hmac_size) { |
1993 | | ret = PTLS_ALERT_DECODE_ERROR; |
1994 | | goto Exit; |
1995 | | } |
1996 | | src.len -= hmac_size; |
1997 | | uint8_t hmac[EVP_MAX_MD_SIZE]; |
1998 | | if (!EVP_MAC_update(hctx, src.base, src.len) || !EVP_MAC_final(hctx, hmac, &hlen, sizeof(hmac))) { |
1999 | | ret = PTLS_ERROR_LIBRARY; |
2000 | | goto Exit; |
2001 | | } |
2002 | | if (!ptls_mem_equal(src.base + src.len, hmac, hmac_size)) { |
2003 | | ret = PTLS_ALERT_HANDSHAKE_FAILURE; |
2004 | | goto Exit; |
2005 | | } |
2006 | | src.base += TICKET_LABEL_SIZE + TICKET_IV_SIZE; |
2007 | | src.len -= TICKET_LABEL_SIZE + TICKET_IV_SIZE; |
2008 | | |
2009 | | /* decrypt */ |
2010 | | if ((ret = ptls_buffer_reserve(buf, src.len)) != 0) |
2011 | | goto Exit; |
2012 | | if (!EVP_DecryptUpdate(cctx, buf->base + buf->off, &clen, src.base, (int)src.len)) { |
2013 | | ret = PTLS_ERROR_LIBRARY; |
2014 | | goto Exit; |
2015 | | } |
2016 | | buf->off += clen; |
2017 | | if (!EVP_DecryptFinal_ex(cctx, buf->base + buf->off, &clen)) { |
2018 | | ret = PTLS_ERROR_LIBRARY; |
2019 | | goto Exit; |
2020 | | } |
2021 | | buf->off += clen; |
2022 | | |
2023 | | ret = 0; |
2024 | | |
2025 | | Exit: |
2026 | | if (cctx != NULL) |
2027 | | EVP_CIPHER_CTX_free(cctx); |
2028 | | if (hctx != NULL) |
2029 | | EVP_MAC_CTX_free(hctx); |
2030 | | if (mac != NULL) |
2031 | | EVP_MAC_free(mac); |
2032 | | return ret; |
2033 | | } |
2034 | | #endif |
2035 | | |
2036 | | ptls_key_exchange_algorithm_t ptls_openssl_secp256r1 = {.id = PTLS_GROUP_SECP256R1, |
2037 | | .name = PTLS_GROUP_NAME_SECP256R1, |
2038 | | .create = x9_62_create_key_exchange, |
2039 | | .exchange = secp_key_exchange, |
2040 | | .data = NID_X9_62_prime256v1}; |
2041 | | #if PTLS_OPENSSL_HAVE_SECP384R1 |
2042 | | ptls_key_exchange_algorithm_t ptls_openssl_secp384r1 = {.id = PTLS_GROUP_SECP384R1, |
2043 | | .name = PTLS_GROUP_NAME_SECP384R1, |
2044 | | .create = x9_62_create_key_exchange, |
2045 | | .exchange = secp_key_exchange, |
2046 | | .data = NID_secp384r1}; |
2047 | | #endif |
2048 | | #if PTLS_OPENSSL_HAVE_SECP521R1 |
2049 | | ptls_key_exchange_algorithm_t ptls_openssl_secp521r1 = {.id = PTLS_GROUP_SECP521R1, |
2050 | | .name = PTLS_GROUP_NAME_SECP521R1, |
2051 | | .create = x9_62_create_key_exchange, |
2052 | | .exchange = secp_key_exchange, |
2053 | | .data = NID_secp521r1}; |
2054 | | #endif |
2055 | | #if PTLS_OPENSSL_HAVE_X25519 |
2056 | | ptls_key_exchange_algorithm_t ptls_openssl_x25519 = {.id = PTLS_GROUP_X25519, |
2057 | | .name = PTLS_GROUP_NAME_X25519, |
2058 | | .create = evp_keyex_create, |
2059 | | .exchange = evp_keyex_exchange, |
2060 | | .data = NID_X25519}; |
2061 | | #endif |
2062 | | ptls_key_exchange_algorithm_t *ptls_openssl_key_exchanges[] = {&ptls_openssl_secp256r1, NULL}; |
2063 | | ptls_cipher_algorithm_t ptls_openssl_aes128ecb = { |
2064 | | "AES128-ECB", PTLS_AES128_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct cipher_context_t), |
2065 | | aes128ecb_setup_crypto}; |
2066 | | ptls_cipher_algorithm_t ptls_openssl_aes128ctr = { |
2067 | | "AES128-CTR", PTLS_AES128_KEY_SIZE, 1, PTLS_AES_IV_SIZE, sizeof(struct cipher_context_t), aes128ctr_setup_crypto}; |
2068 | | ptls_aead_algorithm_t ptls_openssl_aes128gcm = {"AES128-GCM", |
2069 | | PTLS_AESGCM_CONFIDENTIALITY_LIMIT, |
2070 | | PTLS_AESGCM_INTEGRITY_LIMIT, |
2071 | | &ptls_openssl_aes128ctr, |
2072 | | &ptls_openssl_aes128ecb, |
2073 | | PTLS_AES128_KEY_SIZE, |
2074 | | PTLS_AESGCM_IV_SIZE, |
2075 | | PTLS_AESGCM_TAG_SIZE, |
2076 | | {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE}, |
2077 | | 0, |
2078 | | 0, |
2079 | | sizeof(struct aead_crypto_context_t), |
2080 | | aead_aes128gcm_setup_crypto}; |
2081 | | ptls_cipher_algorithm_t ptls_openssl_aes256ecb = { |
2082 | | "AES256-ECB", PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct cipher_context_t), |
2083 | | aes256ecb_setup_crypto}; |
2084 | | ptls_cipher_algorithm_t ptls_openssl_aes256ctr = { |
2085 | | "AES256-CTR", PTLS_AES256_KEY_SIZE, 1 /* block size */, PTLS_AES_IV_SIZE, sizeof(struct cipher_context_t), |
2086 | | aes256ctr_setup_crypto}; |
2087 | | ptls_aead_algorithm_t ptls_openssl_aes256gcm = {"AES256-GCM", |
2088 | | PTLS_AESGCM_CONFIDENTIALITY_LIMIT, |
2089 | | PTLS_AESGCM_INTEGRITY_LIMIT, |
2090 | | &ptls_openssl_aes256ctr, |
2091 | | &ptls_openssl_aes256ecb, |
2092 | | PTLS_AES256_KEY_SIZE, |
2093 | | PTLS_AESGCM_IV_SIZE, |
2094 | | PTLS_AESGCM_TAG_SIZE, |
2095 | | {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE}, |
2096 | | 0, |
2097 | | 0, |
2098 | | sizeof(struct aead_crypto_context_t), |
2099 | | aead_aes256gcm_setup_crypto}; |
2100 | | ptls_hash_algorithm_t ptls_openssl_sha256 = {"sha256", PTLS_SHA256_BLOCK_SIZE, PTLS_SHA256_DIGEST_SIZE, sha256_create, |
2101 | | PTLS_ZERO_DIGEST_SHA256}; |
2102 | | ptls_hash_algorithm_t ptls_openssl_sha384 = {"sha384", PTLS_SHA384_BLOCK_SIZE, PTLS_SHA384_DIGEST_SIZE, sha384_create, |
2103 | | PTLS_ZERO_DIGEST_SHA384}; |
2104 | | ptls_hash_algorithm_t ptls_openssl_sha512 = {"sha512", PTLS_SHA512_BLOCK_SIZE, PTLS_SHA512_DIGEST_SIZE, sha512_create, |
2105 | | PTLS_ZERO_DIGEST_SHA512}; |
2106 | | ptls_cipher_suite_t ptls_openssl_aes128gcmsha256 = {.id = PTLS_CIPHER_SUITE_AES_128_GCM_SHA256, |
2107 | | .name = PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256, |
2108 | | .aead = &ptls_openssl_aes128gcm, |
2109 | | .hash = &ptls_openssl_sha256}; |
2110 | | ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_aes128gcmsha256 = {.id = PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
2111 | | .name = |
2112 | | PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
2113 | | .aead = &ptls_openssl_aes128gcm, |
2114 | | .hash = &ptls_openssl_sha256}; |
2115 | | ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_aes128gcmsha256 = { |
2116 | | .id = PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
2117 | | .name = PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
2118 | | .aead = &ptls_openssl_aes128gcm, |
2119 | | .hash = &ptls_openssl_sha256}; |
2120 | | ptls_cipher_suite_t ptls_openssl_aes256gcmsha384 = {.id = PTLS_CIPHER_SUITE_AES_256_GCM_SHA384, |
2121 | | .name = PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384, |
2122 | | .aead = &ptls_openssl_aes256gcm, |
2123 | | .hash = &ptls_openssl_sha384}; |
2124 | | ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_aes256gcmsha384 = {.id = PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384, |
2125 | | .name = |
2126 | | PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_AES_256_GCM_SHA384, |
2127 | | .aead = &ptls_openssl_aes256gcm, |
2128 | | .hash = &ptls_openssl_sha384}; |
2129 | | ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_aes256gcmsha384 = { |
2130 | | .id = PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, |
2131 | | .name = PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, |
2132 | | .aead = &ptls_openssl_aes256gcm, |
2133 | | .hash = &ptls_openssl_sha384}; |
2134 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
2135 | | ptls_cipher_algorithm_t ptls_openssl_chacha20 = { |
2136 | | .name = "CHACHA20", |
2137 | | .key_size = PTLS_CHACHA20_KEY_SIZE, |
2138 | | .block_size = 1, |
2139 | | .iv_size = PTLS_CHACHA20_IV_SIZE, |
2140 | | #ifdef OPENSSL_IS_BORINGSSL |
2141 | | .context_size = sizeof(struct boringssl_chacha20_context_t), |
2142 | | .setup_crypto = boringssl_chacha20_setup_crypto, |
2143 | | #else |
2144 | | .context_size = sizeof(struct cipher_context_t), |
2145 | | .setup_crypto = chacha20_setup_crypto, |
2146 | | #endif |
2147 | | }; |
2148 | | ptls_aead_algorithm_t ptls_openssl_chacha20poly1305 = { |
2149 | | .name = "CHACHA20-POLY1305", |
2150 | | .confidentiality_limit = PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT, |
2151 | | .integrity_limit = PTLS_CHACHA20POLY1305_INTEGRITY_LIMIT, |
2152 | | .ctr_cipher = &ptls_openssl_chacha20, |
2153 | | .ecb_cipher = NULL, |
2154 | | .key_size = PTLS_CHACHA20_KEY_SIZE, |
2155 | | .iv_size = PTLS_CHACHA20POLY1305_IV_SIZE, |
2156 | | .tag_size = PTLS_CHACHA20POLY1305_TAG_SIZE, |
2157 | | .tls12 = {.fixed_iv_size = PTLS_TLS12_CHACHAPOLY_FIXED_IV_SIZE, .record_iv_size = PTLS_TLS12_CHACHAPOLY_RECORD_IV_SIZE}, |
2158 | | .non_temporal = 0, |
2159 | | .align_bits = 0, |
2160 | | #ifdef OPENSSL_IS_BORINGSSL |
2161 | | .context_size = sizeof(struct boringssl_chacha20poly1305_context_t), |
2162 | | .setup_crypto = boringssl_chacha20poly1305_setup_crypto, |
2163 | | #else |
2164 | | .context_size = sizeof(struct aead_crypto_context_t), |
2165 | | .setup_crypto = aead_chacha20poly1305_setup_crypto, |
2166 | | #endif |
2167 | | }; |
2168 | | ptls_cipher_suite_t ptls_openssl_chacha20poly1305sha256 = {.id = PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256, |
2169 | | .name = PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256, |
2170 | | .aead = &ptls_openssl_chacha20poly1305, |
2171 | | .hash = &ptls_openssl_sha256}; |
2172 | | ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_chacha20poly1305sha256 = { |
2173 | | .id = PTLS_CIPHER_SUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
2174 | | .name = PTLS_CIPHER_SUITE_NAME_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, |
2175 | | .aead = &ptls_openssl_chacha20poly1305, |
2176 | | .hash = &ptls_openssl_sha256}; |
2177 | | ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_chacha20poly1305sha256 = { |
2178 | | .id = PTLS_CIPHER_SUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
2179 | | .name = PTLS_CIPHER_SUITE_NAME_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, |
2180 | | .aead = &ptls_openssl_chacha20poly1305, |
2181 | | .hash = &ptls_openssl_sha256}; |
2182 | | #endif |
2183 | | |
2184 | | #if PTLS_HAVE_AEGIS |
2185 | | ptls_aead_algorithm_t ptls_openssl_aegis128l = { |
2186 | | .name = "AEGIS-128L", |
2187 | | .confidentiality_limit = PTLS_AEGIS128L_CONFIDENTIALITY_LIMIT, |
2188 | | .integrity_limit = PTLS_AEGIS128L_INTEGRITY_LIMIT, |
2189 | | .ctr_cipher = NULL, |
2190 | | .ecb_cipher = NULL, |
2191 | | .key_size = PTLS_AEGIS128L_KEY_SIZE, |
2192 | | .iv_size = PTLS_AEGIS128L_IV_SIZE, |
2193 | | .tag_size = PTLS_AEGIS128L_TAG_SIZE, |
2194 | | .tls12 = {.fixed_iv_size = 0, .record_iv_size = 0}, |
2195 | | .non_temporal = 0, |
2196 | | .align_bits = 0, |
2197 | | .context_size = sizeof(struct aegis128l_context_t), |
2198 | | .setup_crypto = aegis128l_setup_crypto, |
2199 | | }; |
2200 | | ptls_cipher_suite_t ptls_openssl_aegis128lsha256 = {.id = PTLS_CIPHER_SUITE_AEGIS128L_SHA256, |
2201 | | .name = PTLS_CIPHER_SUITE_NAME_AEGIS128L_SHA256, |
2202 | | .aead = &ptls_openssl_aegis128l, |
2203 | | .hash = &ptls_openssl_sha256}; |
2204 | | |
2205 | | ptls_aead_algorithm_t ptls_openssl_aegis256 = { |
2206 | | .name = "AEGIS-256", |
2207 | | .confidentiality_limit = PTLS_AEGIS256_CONFIDENTIALITY_LIMIT, |
2208 | | .integrity_limit = PTLS_AEGIS256_INTEGRITY_LIMIT, |
2209 | | .ctr_cipher = NULL, |
2210 | | .ecb_cipher = NULL, |
2211 | | .key_size = PTLS_AEGIS256_KEY_SIZE, |
2212 | | .iv_size = PTLS_AEGIS256_IV_SIZE, |
2213 | | .tag_size = PTLS_AEGIS256_TAG_SIZE, |
2214 | | .tls12 = {.fixed_iv_size = 0, .record_iv_size = 0}, |
2215 | | .non_temporal = 0, |
2216 | | .align_bits = 0, |
2217 | | .context_size = sizeof(struct aegis256_context_t), |
2218 | | .setup_crypto = aegis256_setup_crypto, |
2219 | | }; |
2220 | | ptls_cipher_suite_t ptls_openssl_aegis256sha512 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA512, |
2221 | | .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512, |
2222 | | .aead = &ptls_openssl_aegis256, |
2223 | | .hash = &ptls_openssl_sha512}; |
2224 | | #endif |
2225 | | |
2226 | | ptls_cipher_suite_t *ptls_openssl_cipher_suites[] = { // ciphers used with sha384 (must be first) |
2227 | | &ptls_openssl_aes256gcmsha384, |
2228 | | |
2229 | | // ciphers used with sha256 |
2230 | | &ptls_openssl_aes128gcmsha256, |
2231 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
2232 | | &ptls_openssl_chacha20poly1305sha256, |
2233 | | #endif |
2234 | | NULL}; |
2235 | | |
2236 | | ptls_cipher_suite_t *ptls_openssl_cipher_suites_all[] = { // ciphers used with sha384 (must be first) |
2237 | | #if PTLS_HAVE_AEGIS |
2238 | | &ptls_openssl_aegis256sha512, |
2239 | | #endif |
2240 | | &ptls_openssl_aes256gcmsha384, |
2241 | | |
2242 | | // ciphers used with sha256 |
2243 | | #if PTLS_HAVE_AEGIS |
2244 | | &ptls_openssl_aegis128lsha256, |
2245 | | #endif |
2246 | | &ptls_openssl_aes128gcmsha256, |
2247 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
2248 | | &ptls_openssl_chacha20poly1305sha256, |
2249 | | #endif |
2250 | | NULL}; |
2251 | | |
2252 | | ptls_cipher_suite_t *ptls_openssl_tls12_cipher_suites[] = {&ptls_openssl_tls12_ecdhe_rsa_aes128gcmsha256, |
2253 | | &ptls_openssl_tls12_ecdhe_ecdsa_aes128gcmsha256, |
2254 | | &ptls_openssl_tls12_ecdhe_rsa_aes256gcmsha384, |
2255 | | &ptls_openssl_tls12_ecdhe_ecdsa_aes256gcmsha384, |
2256 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
2257 | | &ptls_openssl_tls12_ecdhe_rsa_chacha20poly1305sha256, |
2258 | | &ptls_openssl_tls12_ecdhe_ecdsa_chacha20poly1305sha256, |
2259 | | #endif |
2260 | | NULL}; |
2261 | | |
2262 | | #if PTLS_OPENSSL_HAVE_BF |
2263 | | ptls_cipher_algorithm_t ptls_openssl_bfecb = {"BF-ECB", PTLS_BLOWFISH_KEY_SIZE, PTLS_BLOWFISH_BLOCK_SIZE, |
2264 | | 0 /* iv size */, sizeof(struct cipher_context_t), bfecb_setup_crypto}; |
2265 | | #endif |
2266 | | |
2267 | | ptls_hpke_kem_t ptls_openssl_hpke_kem_p256sha256 = {PTLS_HPKE_KEM_P256_SHA256, &ptls_openssl_secp256r1, &ptls_openssl_sha256}; |
2268 | | ptls_hpke_kem_t ptls_openssl_hpke_kem_p384sha384 = {PTLS_HPKE_KEM_P384_SHA384, &ptls_openssl_secp384r1, &ptls_openssl_sha384}; |
2269 | | #if PTLS_OPENSSL_HAVE_X25519 |
2270 | | ptls_hpke_kem_t ptls_openssl_hpke_kem_x25519sha256 = {PTLS_HPKE_KEM_X25519_SHA256, &ptls_openssl_x25519, &ptls_openssl_sha256}; |
2271 | | #endif |
2272 | | ptls_hpke_kem_t *ptls_openssl_hpke_kems[] = {&ptls_openssl_hpke_kem_p384sha384, |
2273 | | #if PTLS_OPENSSL_HAVE_X25519 |
2274 | | &ptls_openssl_hpke_kem_x25519sha256, |
2275 | | #endif |
2276 | | &ptls_openssl_hpke_kem_p256sha256, NULL}; |
2277 | | |
2278 | | ptls_hpke_cipher_suite_t ptls_openssl_hpke_aes128gcmsha256 = { |
2279 | | .id = {.kdf = PTLS_HPKE_HKDF_SHA256, .aead = PTLS_HPKE_AEAD_AES_128_GCM}, |
2280 | | .name = "HKDF-SHA256/AES-128-GCM", |
2281 | | .hash = &ptls_openssl_sha256, |
2282 | | .aead = &ptls_openssl_aes128gcm}; |
2283 | | ptls_hpke_cipher_suite_t ptls_openssl_hpke_aes128gcmsha512 = { |
2284 | | .id = {.kdf = PTLS_HPKE_HKDF_SHA512, .aead = PTLS_HPKE_AEAD_AES_128_GCM}, |
2285 | | .name = "HKDF-SHA512/AES-128-GCM", |
2286 | | .hash = &ptls_openssl_sha512, |
2287 | | .aead = &ptls_openssl_aes128gcm}; |
2288 | | ptls_hpke_cipher_suite_t ptls_openssl_hpke_aes256gcmsha384 = { |
2289 | | .id = {.kdf = PTLS_HPKE_HKDF_SHA384, .aead = PTLS_HPKE_AEAD_AES_256_GCM}, |
2290 | | .name = "HKDF-SHA384/AES-256-GCM", |
2291 | | .hash = &ptls_openssl_sha384, |
2292 | | .aead = &ptls_openssl_aes256gcm}; |
2293 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
2294 | | ptls_hpke_cipher_suite_t ptls_openssl_hpke_chacha20poly1305sha256 = { |
2295 | | .id = {.kdf = PTLS_HPKE_HKDF_SHA256, .aead = PTLS_HPKE_AEAD_CHACHA20POLY1305}, |
2296 | | .name = "HKDF-SHA256/ChaCha20Poly1305", |
2297 | | .hash = &ptls_openssl_sha256, |
2298 | | .aead = &ptls_openssl_chacha20poly1305}; |
2299 | | #endif |
2300 | | ptls_hpke_cipher_suite_t *ptls_openssl_hpke_cipher_suites[] = {&ptls_openssl_hpke_aes128gcmsha256, |
2301 | | &ptls_openssl_hpke_aes256gcmsha384, |
2302 | | #if PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 |
2303 | | &ptls_openssl_hpke_chacha20poly1305sha256, |
2304 | | #endif |
2305 | | &ptls_openssl_hpke_aes128gcmsha512, /* likely only for tests */ |
2306 | | NULL}; |