/src/openssl/crypto/evp/e_aria.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. |
4 | | * |
5 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | */ |
10 | | |
11 | | #include "internal/deprecated.h" |
12 | | |
13 | | #include "internal/cryptlib.h" |
14 | | #ifndef OPENSSL_NO_ARIA |
15 | | # include <openssl/evp.h> |
16 | | # include <openssl/modes.h> |
17 | | # include <openssl/rand.h> |
18 | | # include "crypto/aria.h" |
19 | | # include "crypto/evp.h" |
20 | | # include "crypto/modes.h" |
21 | | # include "evp_local.h" |
22 | | |
23 | | /* ARIA subkey Structure */ |
24 | | typedef struct { |
25 | | ARIA_KEY ks; |
26 | | } EVP_ARIA_KEY; |
27 | | |
28 | | /* ARIA GCM context */ |
29 | | typedef struct { |
30 | | union { |
31 | | OSSL_UNION_ALIGN; |
32 | | ARIA_KEY ks; |
33 | | } ks; /* ARIA subkey to use */ |
34 | | int key_set; /* Set if key initialised */ |
35 | | int iv_set; /* Set if an iv is set */ |
36 | | GCM128_CONTEXT gcm; |
37 | | unsigned char *iv; /* Temporary IV store */ |
38 | | int ivlen; /* IV length */ |
39 | | int taglen; |
40 | | int iv_gen; /* It is OK to generate IVs */ |
41 | | int tls_aad_len; /* TLS AAD length */ |
42 | | } EVP_ARIA_GCM_CTX; |
43 | | |
44 | | /* ARIA CCM context */ |
45 | | typedef struct { |
46 | | union { |
47 | | OSSL_UNION_ALIGN; |
48 | | ARIA_KEY ks; |
49 | | } ks; /* ARIA key schedule to use */ |
50 | | int key_set; /* Set if key initialised */ |
51 | | int iv_set; /* Set if an iv is set */ |
52 | | int tag_set; /* Set if tag is valid */ |
53 | | int len_set; /* Set if message length set */ |
54 | | int L, M; /* L and M parameters from RFC3610 */ |
55 | | int tls_aad_len; /* TLS AAD length */ |
56 | | CCM128_CONTEXT ccm; |
57 | | ccm128_f str; |
58 | | } EVP_ARIA_CCM_CTX; |
59 | | |
60 | | /* The subkey for ARIA is generated. */ |
61 | | static int aria_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
62 | | const unsigned char *iv, int enc) |
63 | 0 | { |
64 | 0 | int ret; |
65 | 0 | int mode = EVP_CIPHER_CTX_get_mode(ctx); |
66 | |
|
67 | 0 | if (enc || (mode != EVP_CIPH_ECB_MODE && mode != EVP_CIPH_CBC_MODE)) |
68 | 0 | ret = ossl_aria_set_encrypt_key(key, |
69 | 0 | EVP_CIPHER_CTX_get_key_length(ctx) * 8, |
70 | 0 | EVP_CIPHER_CTX_get_cipher_data(ctx)); |
71 | 0 | else |
72 | 0 | ret = ossl_aria_set_decrypt_key(key, |
73 | 0 | EVP_CIPHER_CTX_get_key_length(ctx) * 8, |
74 | 0 | EVP_CIPHER_CTX_get_cipher_data(ctx)); |
75 | 0 | if (ret < 0) { |
76 | 0 | ERR_raise(ERR_LIB_EVP, EVP_R_ARIA_KEY_SETUP_FAILED); |
77 | 0 | return 0; |
78 | 0 | } |
79 | 0 | return 1; |
80 | 0 | } |
81 | | |
82 | | static void aria_cbc_encrypt(const unsigned char *in, unsigned char *out, |
83 | | size_t len, const ARIA_KEY *key, |
84 | | unsigned char *ivec, const int enc) |
85 | 0 | { |
86 | |
|
87 | 0 | if (enc) |
88 | 0 | CRYPTO_cbc128_encrypt(in, out, len, key, ivec, |
89 | 0 | (block128_f) ossl_aria_encrypt); |
90 | 0 | else |
91 | 0 | CRYPTO_cbc128_decrypt(in, out, len, key, ivec, |
92 | 0 | (block128_f) ossl_aria_encrypt); |
93 | 0 | } |
94 | | |
95 | | static void aria_cfb128_encrypt(const unsigned char *in, unsigned char *out, |
96 | | size_t length, const ARIA_KEY *key, |
97 | | unsigned char *ivec, int *num, const int enc) |
98 | 0 | { |
99 | |
|
100 | 0 | CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc, |
101 | 0 | (block128_f) ossl_aria_encrypt); |
102 | 0 | } |
103 | | |
104 | | static void aria_cfb1_encrypt(const unsigned char *in, unsigned char *out, |
105 | | size_t length, const ARIA_KEY *key, |
106 | | unsigned char *ivec, int *num, const int enc) |
107 | 0 | { |
108 | 0 | CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc, |
109 | 0 | (block128_f) ossl_aria_encrypt); |
110 | 0 | } |
111 | | |
112 | | static void aria_cfb8_encrypt(const unsigned char *in, unsigned char *out, |
113 | | size_t length, const ARIA_KEY *key, |
114 | | unsigned char *ivec, int *num, const int enc) |
115 | 0 | { |
116 | 0 | CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc, |
117 | 0 | (block128_f) ossl_aria_encrypt); |
118 | 0 | } |
119 | | |
120 | | static void aria_ecb_encrypt(const unsigned char *in, unsigned char *out, |
121 | | const ARIA_KEY *key, const int enc) |
122 | 0 | { |
123 | 0 | ossl_aria_encrypt(in, out, key); |
124 | 0 | } |
125 | | |
126 | | static void aria_ofb128_encrypt(const unsigned char *in, unsigned char *out, |
127 | | size_t length, const ARIA_KEY *key, |
128 | | unsigned char *ivec, int *num) |
129 | 0 | { |
130 | 0 | CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num, |
131 | 0 | (block128_f) ossl_aria_encrypt); |
132 | 0 | } |
133 | | |
134 | | IMPLEMENT_BLOCK_CIPHER(aria_128, ks, aria, EVP_ARIA_KEY, |
135 | | NID_aria_128, 16, 16, 16, 128, |
136 | | 0, aria_init_key, NULL, |
137 | | EVP_CIPHER_set_asn1_iv, |
138 | | EVP_CIPHER_get_asn1_iv, |
139 | | NULL) |
140 | | IMPLEMENT_BLOCK_CIPHER(aria_192, ks, aria, EVP_ARIA_KEY, |
141 | | NID_aria_192, 16, 24, 16, 128, |
142 | | 0, aria_init_key, NULL, |
143 | | EVP_CIPHER_set_asn1_iv, |
144 | | EVP_CIPHER_get_asn1_iv, |
145 | | NULL) |
146 | | IMPLEMENT_BLOCK_CIPHER(aria_256, ks, aria, EVP_ARIA_KEY, |
147 | | NID_aria_256, 16, 32, 16, 128, |
148 | | 0, aria_init_key, NULL, |
149 | | EVP_CIPHER_set_asn1_iv, |
150 | | EVP_CIPHER_get_asn1_iv, |
151 | | NULL) |
152 | | |
153 | | # define IMPLEMENT_ARIA_CFBR(ksize,cbits) \ |
154 | | IMPLEMENT_CFBR(aria,aria,EVP_ARIA_KEY,ks,ksize,cbits,16,0) |
155 | | IMPLEMENT_ARIA_CFBR(128,1) |
156 | | IMPLEMENT_ARIA_CFBR(192,1) |
157 | | IMPLEMENT_ARIA_CFBR(256,1) |
158 | | IMPLEMENT_ARIA_CFBR(128,8) |
159 | | IMPLEMENT_ARIA_CFBR(192,8) |
160 | | IMPLEMENT_ARIA_CFBR(256,8) |
161 | | |
162 | | # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ |
163 | | static const EVP_CIPHER aria_##keylen##_##mode = { \ |
164 | | nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ |
165 | | flags|EVP_CIPH_##MODE##_MODE, \ |
166 | | EVP_ORIG_GLOBAL, \ |
167 | | aria_init_key, \ |
168 | | aria_##mode##_cipher, \ |
169 | | NULL, \ |
170 | | sizeof(EVP_ARIA_KEY), \ |
171 | | NULL,NULL,NULL,NULL }; \ |
172 | 3 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ |
173 | 3 | { return &aria_##keylen##_##mode; } Line | Count | Source | 172 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 173 | 1 | { return &aria_##keylen##_##mode; } |
Line | Count | Source | 172 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 173 | 1 | { return &aria_##keylen##_##mode; } |
Line | Count | Source | 172 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 173 | 1 | { return &aria_##keylen##_##mode; } |
|
174 | | |
175 | | static int aria_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
176 | | const unsigned char *in, size_t len) |
177 | 0 | { |
178 | 0 | int n = EVP_CIPHER_CTX_get_num(ctx); |
179 | 0 | unsigned int num; |
180 | 0 | EVP_ARIA_KEY *dat = EVP_C_DATA(EVP_ARIA_KEY, ctx); |
181 | |
|
182 | 0 | if (n < 0) |
183 | 0 | return 0; |
184 | 0 | num = (unsigned int)n; |
185 | |
|
186 | 0 | CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv, |
187 | 0 | EVP_CIPHER_CTX_buf_noconst(ctx), &num, |
188 | 0 | (block128_f) ossl_aria_encrypt); |
189 | 0 | EVP_CIPHER_CTX_set_num(ctx, num); |
190 | 0 | return 1; |
191 | 0 | } |
192 | | |
193 | | BLOCK_CIPHER_generic(NID_aria, 128, 1, 16, ctr, ctr, CTR, 0) |
194 | | BLOCK_CIPHER_generic(NID_aria, 192, 1, 16, ctr, ctr, CTR, 0) |
195 | | BLOCK_CIPHER_generic(NID_aria, 256, 1, 16, ctr, ctr, CTR, 0) |
196 | | |
197 | | /* Authenticated cipher modes (GCM/CCM) */ |
198 | | |
199 | | /* increment counter (64-bit int) by 1 */ |
200 | | static void ctr64_inc(unsigned char *counter) |
201 | 0 | { |
202 | 0 | int n = 8; |
203 | 0 | unsigned char c; |
204 | |
|
205 | 0 | do { |
206 | 0 | --n; |
207 | 0 | c = counter[n]; |
208 | 0 | ++c; |
209 | 0 | counter[n] = c; |
210 | 0 | if (c) |
211 | 0 | return; |
212 | 0 | } while (n); |
213 | 0 | } |
214 | | |
215 | | static int aria_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
216 | | const unsigned char *iv, int enc) |
217 | 0 | { |
218 | 0 | int ret; |
219 | 0 | EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); |
220 | |
|
221 | 0 | if (!iv && !key) |
222 | 0 | return 1; |
223 | 0 | if (key) { |
224 | 0 | ret = ossl_aria_set_encrypt_key(key, |
225 | 0 | EVP_CIPHER_CTX_get_key_length(ctx) * 8, |
226 | 0 | &gctx->ks.ks); |
227 | 0 | CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, |
228 | 0 | (block128_f) ossl_aria_encrypt); |
229 | 0 | if (ret < 0) { |
230 | 0 | ERR_raise(ERR_LIB_EVP, EVP_R_ARIA_KEY_SETUP_FAILED); |
231 | 0 | return 0; |
232 | 0 | } |
233 | | |
234 | | /* |
235 | | * If we have an iv can set it directly, otherwise use saved IV. |
236 | | */ |
237 | 0 | if (iv == NULL && gctx->iv_set) |
238 | 0 | iv = gctx->iv; |
239 | 0 | if (iv) { |
240 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
241 | 0 | gctx->iv_set = 1; |
242 | 0 | } |
243 | 0 | gctx->key_set = 1; |
244 | 0 | } else { |
245 | | /* If key set use IV, otherwise copy */ |
246 | 0 | if (gctx->key_set) |
247 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
248 | 0 | else |
249 | 0 | memcpy(gctx->iv, iv, gctx->ivlen); |
250 | 0 | gctx->iv_set = 1; |
251 | 0 | gctx->iv_gen = 0; |
252 | 0 | } |
253 | 0 | return 1; |
254 | 0 | } |
255 | | |
256 | | static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
257 | 0 | { |
258 | 0 | EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, c); |
259 | |
|
260 | 0 | switch (type) { |
261 | 0 | case EVP_CTRL_INIT: |
262 | 0 | gctx->key_set = 0; |
263 | 0 | gctx->iv_set = 0; |
264 | 0 | gctx->ivlen = EVP_CIPHER_get_iv_length(c->cipher); |
265 | 0 | gctx->iv = c->iv; |
266 | 0 | gctx->taglen = -1; |
267 | 0 | gctx->iv_gen = 0; |
268 | 0 | gctx->tls_aad_len = -1; |
269 | 0 | return 1; |
270 | | |
271 | 0 | case EVP_CTRL_GET_IVLEN: |
272 | 0 | *(int *)ptr = gctx->ivlen; |
273 | 0 | return 1; |
274 | | |
275 | 0 | case EVP_CTRL_AEAD_SET_IVLEN: |
276 | 0 | if (arg <= 0) |
277 | 0 | return 0; |
278 | | /* Allocate memory for IV if needed */ |
279 | 0 | if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { |
280 | 0 | if (gctx->iv != c->iv) |
281 | 0 | OPENSSL_free(gctx->iv); |
282 | 0 | if ((gctx->iv = OPENSSL_malloc(arg)) == NULL) |
283 | 0 | return 0; |
284 | 0 | } |
285 | 0 | gctx->ivlen = arg; |
286 | 0 | return 1; |
287 | | |
288 | 0 | case EVP_CTRL_AEAD_SET_TAG: |
289 | 0 | if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_is_encrypting(c)) |
290 | 0 | return 0; |
291 | 0 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
292 | 0 | gctx->taglen = arg; |
293 | 0 | return 1; |
294 | | |
295 | 0 | case EVP_CTRL_AEAD_GET_TAG: |
296 | 0 | if (arg <= 0 || arg > 16 || !EVP_CIPHER_CTX_is_encrypting(c) |
297 | 0 | || gctx->taglen < 0) |
298 | 0 | return 0; |
299 | 0 | memcpy(ptr, EVP_CIPHER_CTX_buf_noconst(c), arg); |
300 | 0 | return 1; |
301 | | |
302 | 0 | case EVP_CTRL_GCM_SET_IV_FIXED: |
303 | | /* Special case: -1 length restores whole IV */ |
304 | 0 | if (arg == -1) { |
305 | 0 | memcpy(gctx->iv, ptr, gctx->ivlen); |
306 | 0 | gctx->iv_gen = 1; |
307 | 0 | return 1; |
308 | 0 | } |
309 | | /* |
310 | | * Fixed field must be at least 4 bytes and invocation field at least |
311 | | * 8. |
312 | | */ |
313 | 0 | if ((arg < 4) || (gctx->ivlen - arg) < 8) |
314 | 0 | return 0; |
315 | 0 | if (arg) |
316 | 0 | memcpy(gctx->iv, ptr, arg); |
317 | 0 | if (EVP_CIPHER_CTX_is_encrypting(c) |
318 | 0 | && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) |
319 | 0 | return 0; |
320 | 0 | gctx->iv_gen = 1; |
321 | 0 | return 1; |
322 | | |
323 | 0 | case EVP_CTRL_GCM_IV_GEN: |
324 | 0 | if (gctx->iv_gen == 0 || gctx->key_set == 0) |
325 | 0 | return 0; |
326 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); |
327 | 0 | if (arg <= 0 || arg > gctx->ivlen) |
328 | 0 | arg = gctx->ivlen; |
329 | 0 | memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); |
330 | | /* |
331 | | * Invocation field will be at least 8 bytes in size and so no need |
332 | | * to check wrap around or increment more than last 8 bytes. |
333 | | */ |
334 | 0 | ctr64_inc(gctx->iv + gctx->ivlen - 8); |
335 | 0 | gctx->iv_set = 1; |
336 | 0 | return 1; |
337 | | |
338 | 0 | case EVP_CTRL_GCM_SET_IV_INV: |
339 | 0 | if (gctx->iv_gen == 0 || gctx->key_set == 0 |
340 | 0 | || EVP_CIPHER_CTX_is_encrypting(c)) |
341 | 0 | return 0; |
342 | 0 | memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); |
343 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen); |
344 | 0 | gctx->iv_set = 1; |
345 | 0 | return 1; |
346 | | |
347 | 0 | case EVP_CTRL_AEAD_TLS1_AAD: |
348 | | /* Save the AAD for later use */ |
349 | 0 | if (arg != EVP_AEAD_TLS1_AAD_LEN) |
350 | 0 | return 0; |
351 | 0 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
352 | 0 | gctx->tls_aad_len = arg; |
353 | 0 | { |
354 | 0 | unsigned int len = |
355 | 0 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 |
356 | 0 | | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; |
357 | | /* Correct length for explicit IV */ |
358 | 0 | if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) |
359 | 0 | return 0; |
360 | 0 | len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; |
361 | | /* If decrypting correct for tag too */ |
362 | 0 | if (!EVP_CIPHER_CTX_is_encrypting(c)) { |
363 | 0 | if (len < EVP_GCM_TLS_TAG_LEN) |
364 | 0 | return 0; |
365 | 0 | len -= EVP_GCM_TLS_TAG_LEN; |
366 | 0 | } |
367 | 0 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; |
368 | 0 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; |
369 | 0 | } |
370 | | /* Extra padding: tag appended to record */ |
371 | 0 | return EVP_GCM_TLS_TAG_LEN; |
372 | | |
373 | 0 | case EVP_CTRL_COPY: |
374 | 0 | { |
375 | 0 | EVP_CIPHER_CTX *out = ptr; |
376 | 0 | EVP_ARIA_GCM_CTX *gctx_out = EVP_C_DATA(EVP_ARIA_GCM_CTX, out); |
377 | 0 | if (gctx->gcm.key) { |
378 | 0 | if (gctx->gcm.key != &gctx->ks) |
379 | 0 | return 0; |
380 | 0 | gctx_out->gcm.key = &gctx_out->ks; |
381 | 0 | } |
382 | 0 | if (gctx->iv == c->iv) |
383 | 0 | gctx_out->iv = out->iv; |
384 | 0 | else { |
385 | 0 | if ((gctx_out->iv = OPENSSL_malloc(gctx->ivlen)) == NULL) |
386 | 0 | return 0; |
387 | 0 | memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); |
388 | 0 | } |
389 | 0 | return 1; |
390 | 0 | } |
391 | | |
392 | 0 | default: |
393 | 0 | return -1; |
394 | |
|
395 | 0 | } |
396 | 0 | } |
397 | | |
398 | | static int aria_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
399 | | const unsigned char *in, size_t len) |
400 | 0 | { |
401 | 0 | EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); |
402 | 0 | int rv = -1; |
403 | | |
404 | | /* Encrypt/decrypt must be performed in place */ |
405 | 0 | if (out != in |
406 | 0 | || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) |
407 | 0 | return -1; |
408 | | /* |
409 | | * Set IV from start of buffer or generate IV and write to start of |
410 | | * buffer. |
411 | | */ |
412 | 0 | if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_is_encrypting(ctx) ? |
413 | 0 | EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV, |
414 | 0 | EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) |
415 | 0 | goto err; |
416 | | /* Use saved AAD */ |
417 | 0 | if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), |
418 | 0 | gctx->tls_aad_len)) |
419 | 0 | goto err; |
420 | | /* Fix buffer and length to point to payload */ |
421 | 0 | in += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
422 | 0 | out += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
423 | 0 | len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; |
424 | 0 | if (EVP_CIPHER_CTX_is_encrypting(ctx)) { |
425 | | /* Encrypt payload */ |
426 | 0 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) |
427 | 0 | goto err; |
428 | 0 | out += len; |
429 | | /* Finally write tag */ |
430 | 0 | CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); |
431 | 0 | rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; |
432 | 0 | } else { |
433 | | /* Decrypt */ |
434 | 0 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) |
435 | 0 | goto err; |
436 | | /* Retrieve tag */ |
437 | 0 | CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), |
438 | 0 | EVP_GCM_TLS_TAG_LEN); |
439 | | /* If tag mismatch wipe buffer */ |
440 | 0 | if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len, |
441 | 0 | EVP_GCM_TLS_TAG_LEN)) { |
442 | 0 | OPENSSL_cleanse(out, len); |
443 | 0 | goto err; |
444 | 0 | } |
445 | 0 | rv = len; |
446 | 0 | } |
447 | | |
448 | 0 | err: |
449 | 0 | gctx->iv_set = 0; |
450 | 0 | gctx->tls_aad_len = -1; |
451 | 0 | return rv; |
452 | 0 | } |
453 | | |
454 | | static int aria_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
455 | | const unsigned char *in, size_t len) |
456 | 0 | { |
457 | 0 | EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); |
458 | | |
459 | | /* If not set up, return error */ |
460 | 0 | if (!gctx->key_set) |
461 | 0 | return -1; |
462 | | |
463 | 0 | if (gctx->tls_aad_len >= 0) |
464 | 0 | return aria_gcm_tls_cipher(ctx, out, in, len); |
465 | | |
466 | 0 | if (!gctx->iv_set) |
467 | 0 | return -1; |
468 | 0 | if (in) { |
469 | 0 | if (out == NULL) { |
470 | 0 | if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) |
471 | 0 | return -1; |
472 | 0 | } else if (EVP_CIPHER_CTX_is_encrypting(ctx)) { |
473 | 0 | if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len)) |
474 | 0 | return -1; |
475 | 0 | } else { |
476 | 0 | if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len)) |
477 | 0 | return -1; |
478 | 0 | } |
479 | 0 | return len; |
480 | 0 | } |
481 | 0 | if (!EVP_CIPHER_CTX_is_encrypting(ctx)) { |
482 | 0 | if (gctx->taglen < 0) |
483 | 0 | return -1; |
484 | 0 | if (CRYPTO_gcm128_finish(&gctx->gcm, |
485 | 0 | EVP_CIPHER_CTX_buf_noconst(ctx), |
486 | 0 | gctx->taglen) != 0) |
487 | 0 | return -1; |
488 | 0 | gctx->iv_set = 0; |
489 | 0 | return 0; |
490 | 0 | } |
491 | 0 | CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16); |
492 | 0 | gctx->taglen = 16; |
493 | | /* Don't reuse the IV */ |
494 | 0 | gctx->iv_set = 0; |
495 | 0 | return 0; |
496 | 0 | } |
497 | | |
498 | | static int aria_gcm_cleanup(EVP_CIPHER_CTX *ctx) |
499 | 0 | { |
500 | 0 | EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX, ctx); |
501 | |
|
502 | 0 | if (gctx->iv != ctx->iv) |
503 | 0 | OPENSSL_free(gctx->iv); |
504 | |
|
505 | 0 | return 1; |
506 | 0 | } |
507 | | |
508 | | static int aria_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
509 | | const unsigned char *iv, int enc) |
510 | 0 | { |
511 | 0 | int ret; |
512 | 0 | EVP_ARIA_CCM_CTX *cctx = EVP_C_DATA(EVP_ARIA_CCM_CTX, ctx); |
513 | |
|
514 | 0 | if (!iv && !key) |
515 | 0 | return 1; |
516 | | |
517 | 0 | if (key) { |
518 | 0 | ret = ossl_aria_set_encrypt_key(key, |
519 | 0 | EVP_CIPHER_CTX_get_key_length(ctx) * 8, |
520 | 0 | &cctx->ks.ks); |
521 | 0 | CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, |
522 | 0 | &cctx->ks, (block128_f) ossl_aria_encrypt); |
523 | 0 | if (ret < 0) { |
524 | 0 | ERR_raise(ERR_LIB_EVP, EVP_R_ARIA_KEY_SETUP_FAILED); |
525 | 0 | return 0; |
526 | 0 | } |
527 | 0 | cctx->str = NULL; |
528 | 0 | cctx->key_set = 1; |
529 | 0 | } |
530 | 0 | if (iv) { |
531 | 0 | memcpy(ctx->iv, iv, 15 - cctx->L); |
532 | 0 | cctx->iv_set = 1; |
533 | 0 | } |
534 | 0 | return 1; |
535 | 0 | } |
536 | | |
537 | | static int aria_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
538 | 0 | { |
539 | 0 | EVP_ARIA_CCM_CTX *cctx = EVP_C_DATA(EVP_ARIA_CCM_CTX, c); |
540 | |
|
541 | 0 | switch (type) { |
542 | 0 | case EVP_CTRL_INIT: |
543 | 0 | cctx->key_set = 0; |
544 | 0 | cctx->iv_set = 0; |
545 | 0 | cctx->L = 8; |
546 | 0 | cctx->M = 12; |
547 | 0 | cctx->tag_set = 0; |
548 | 0 | cctx->len_set = 0; |
549 | 0 | cctx->tls_aad_len = -1; |
550 | 0 | return 1; |
551 | | |
552 | 0 | case EVP_CTRL_GET_IVLEN: |
553 | 0 | *(int *)ptr = 15 - cctx->L; |
554 | 0 | return 1; |
555 | | |
556 | 0 | case EVP_CTRL_AEAD_TLS1_AAD: |
557 | | /* Save the AAD for later use */ |
558 | 0 | if (arg != EVP_AEAD_TLS1_AAD_LEN) |
559 | 0 | return 0; |
560 | 0 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
561 | 0 | cctx->tls_aad_len = arg; |
562 | 0 | { |
563 | 0 | uint16_t len = |
564 | 0 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 |
565 | 0 | | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; |
566 | | /* Correct length for explicit IV */ |
567 | 0 | if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN) |
568 | 0 | return 0; |
569 | 0 | len -= EVP_CCM_TLS_EXPLICIT_IV_LEN; |
570 | | /* If decrypting correct for tag too */ |
571 | 0 | if (!EVP_CIPHER_CTX_is_encrypting(c)) { |
572 | 0 | if (len < cctx->M) |
573 | 0 | return 0; |
574 | 0 | len -= cctx->M; |
575 | 0 | } |
576 | 0 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; |
577 | 0 | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; |
578 | 0 | } |
579 | | /* Extra padding: tag appended to record */ |
580 | 0 | return cctx->M; |
581 | | |
582 | 0 | case EVP_CTRL_CCM_SET_IV_FIXED: |
583 | | /* Sanity check length */ |
584 | 0 | if (arg != EVP_CCM_TLS_FIXED_IV_LEN) |
585 | 0 | return 0; |
586 | | /* Just copy to first part of IV */ |
587 | 0 | memcpy(c->iv, ptr, arg); |
588 | 0 | return 1; |
589 | | |
590 | 0 | case EVP_CTRL_AEAD_SET_IVLEN: |
591 | 0 | arg = 15 - arg; |
592 | | /* fall through */ |
593 | 0 | case EVP_CTRL_CCM_SET_L: |
594 | 0 | if (arg < 2 || arg > 8) |
595 | 0 | return 0; |
596 | 0 | cctx->L = arg; |
597 | 0 | return 1; |
598 | 0 | case EVP_CTRL_AEAD_SET_TAG: |
599 | 0 | if ((arg & 1) || arg < 4 || arg > 16) |
600 | 0 | return 0; |
601 | 0 | if (EVP_CIPHER_CTX_is_encrypting(c) && ptr) |
602 | 0 | return 0; |
603 | 0 | if (ptr) { |
604 | 0 | cctx->tag_set = 1; |
605 | 0 | memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg); |
606 | 0 | } |
607 | 0 | cctx->M = arg; |
608 | 0 | return 1; |
609 | | |
610 | 0 | case EVP_CTRL_AEAD_GET_TAG: |
611 | 0 | if (!EVP_CIPHER_CTX_is_encrypting(c) || !cctx->tag_set) |
612 | 0 | return 0; |
613 | 0 | if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg)) |
614 | 0 | return 0; |
615 | 0 | cctx->tag_set = 0; |
616 | 0 | cctx->iv_set = 0; |
617 | 0 | cctx->len_set = 0; |
618 | 0 | return 1; |
619 | | |
620 | 0 | case EVP_CTRL_COPY: |
621 | 0 | { |
622 | 0 | EVP_CIPHER_CTX *out = ptr; |
623 | 0 | EVP_ARIA_CCM_CTX *cctx_out = EVP_C_DATA(EVP_ARIA_CCM_CTX, out); |
624 | 0 | if (cctx->ccm.key) { |
625 | 0 | if (cctx->ccm.key != &cctx->ks) |
626 | 0 | return 0; |
627 | 0 | cctx_out->ccm.key = &cctx_out->ks; |
628 | 0 | } |
629 | 0 | return 1; |
630 | 0 | } |
631 | | |
632 | 0 | default: |
633 | 0 | return -1; |
634 | 0 | } |
635 | 0 | } |
636 | | |
637 | | static int aria_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
638 | | const unsigned char *in, size_t len) |
639 | 0 | { |
640 | 0 | EVP_ARIA_CCM_CTX *cctx = EVP_C_DATA(EVP_ARIA_CCM_CTX, ctx); |
641 | 0 | CCM128_CONTEXT *ccm = &cctx->ccm; |
642 | | |
643 | | /* Encrypt/decrypt must be performed in place */ |
644 | 0 | if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M)) |
645 | 0 | return -1; |
646 | | /* If encrypting set explicit IV from sequence number (start of AAD) */ |
647 | 0 | if (EVP_CIPHER_CTX_is_encrypting(ctx)) |
648 | 0 | memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx), |
649 | 0 | EVP_CCM_TLS_EXPLICIT_IV_LEN); |
650 | | /* Get rest of IV from explicit IV */ |
651 | 0 | memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, |
652 | 0 | EVP_CCM_TLS_EXPLICIT_IV_LEN); |
653 | | /* Correct length value */ |
654 | 0 | len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M; |
655 | 0 | if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, |
656 | 0 | len)) |
657 | 0 | return -1; |
658 | | /* Use saved AAD */ |
659 | 0 | CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), |
660 | 0 | cctx->tls_aad_len); |
661 | | /* Fix buffer to point to payload */ |
662 | 0 | in += EVP_CCM_TLS_EXPLICIT_IV_LEN; |
663 | 0 | out += EVP_CCM_TLS_EXPLICIT_IV_LEN; |
664 | 0 | if (EVP_CIPHER_CTX_is_encrypting(ctx)) { |
665 | 0 | if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, cctx->str) |
666 | 0 | : CRYPTO_ccm128_encrypt(ccm, in, out, len)) |
667 | 0 | return -1; |
668 | 0 | if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M)) |
669 | 0 | return -1; |
670 | 0 | return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M; |
671 | 0 | } else { |
672 | 0 | if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, cctx->str) |
673 | 0 | : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { |
674 | 0 | unsigned char tag[16]; |
675 | 0 | if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { |
676 | 0 | if (!CRYPTO_memcmp(tag, in + len, cctx->M)) |
677 | 0 | return len; |
678 | 0 | } |
679 | 0 | } |
680 | 0 | OPENSSL_cleanse(out, len); |
681 | 0 | return -1; |
682 | 0 | } |
683 | 0 | } |
684 | | |
685 | | static int aria_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
686 | | const unsigned char *in, size_t len) |
687 | 0 | { |
688 | 0 | EVP_ARIA_CCM_CTX *cctx = EVP_C_DATA(EVP_ARIA_CCM_CTX, ctx); |
689 | 0 | CCM128_CONTEXT *ccm = &cctx->ccm; |
690 | | |
691 | | /* If not set up, return error */ |
692 | 0 | if (!cctx->key_set) |
693 | 0 | return -1; |
694 | | |
695 | 0 | if (cctx->tls_aad_len >= 0) |
696 | 0 | return aria_ccm_tls_cipher(ctx, out, in, len); |
697 | | |
698 | | /* EVP_*Final() doesn't return any data */ |
699 | 0 | if (in == NULL && out != NULL) |
700 | 0 | return 0; |
701 | | |
702 | 0 | if (!cctx->iv_set) |
703 | 0 | return -1; |
704 | | |
705 | 0 | if (!out) { |
706 | 0 | if (!in) { |
707 | 0 | if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) |
708 | 0 | return -1; |
709 | 0 | cctx->len_set = 1; |
710 | 0 | return len; |
711 | 0 | } |
712 | | /* If have AAD need message length */ |
713 | 0 | if (!cctx->len_set && len) |
714 | 0 | return -1; |
715 | 0 | CRYPTO_ccm128_aad(ccm, in, len); |
716 | 0 | return len; |
717 | 0 | } |
718 | | |
719 | | /* The tag must be set before actually decrypting data */ |
720 | 0 | if (!EVP_CIPHER_CTX_is_encrypting(ctx) && !cctx->tag_set) |
721 | 0 | return -1; |
722 | | |
723 | | /* If not set length yet do it */ |
724 | 0 | if (!cctx->len_set) { |
725 | 0 | if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len)) |
726 | 0 | return -1; |
727 | 0 | cctx->len_set = 1; |
728 | 0 | } |
729 | 0 | if (EVP_CIPHER_CTX_is_encrypting(ctx)) { |
730 | 0 | if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len, cctx->str) |
731 | 0 | : CRYPTO_ccm128_encrypt(ccm, in, out, len)) |
732 | 0 | return -1; |
733 | 0 | cctx->tag_set = 1; |
734 | 0 | return len; |
735 | 0 | } else { |
736 | 0 | int rv = -1; |
737 | 0 | if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len, |
738 | 0 | cctx->str) : |
739 | 0 | !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { |
740 | 0 | unsigned char tag[16]; |
741 | 0 | if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { |
742 | 0 | if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx), |
743 | 0 | cctx->M)) |
744 | 0 | rv = len; |
745 | 0 | } |
746 | 0 | } |
747 | 0 | if (rv == -1) |
748 | 0 | OPENSSL_cleanse(out, len); |
749 | 0 | cctx->iv_set = 0; |
750 | 0 | cctx->tag_set = 0; |
751 | 0 | cctx->len_set = 0; |
752 | 0 | return rv; |
753 | 0 | } |
754 | 0 | } |
755 | | |
756 | | #define aria_ccm_cleanup NULL |
757 | | |
758 | | #define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ |
759 | | | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ |
760 | | | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ |
761 | | | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER \ |
762 | | | EVP_CIPH_CUSTOM_IV_LENGTH) |
763 | | |
764 | | #define BLOCK_CIPHER_aead(keylen,mode,MODE) \ |
765 | | static const EVP_CIPHER aria_##keylen##_##mode = { \ |
766 | | NID_aria_##keylen##_##mode, \ |
767 | | 1, keylen/8, 12, \ |
768 | | ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \ |
769 | | EVP_ORIG_GLOBAL, \ |
770 | | aria_##mode##_init_key, \ |
771 | | aria_##mode##_cipher, \ |
772 | | aria_##mode##_cleanup, \ |
773 | | sizeof(EVP_ARIA_##MODE##_CTX), \ |
774 | | NULL,NULL,aria_##mode##_ctrl,NULL }; \ |
775 | 6 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ |
776 | 6 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } Line | Count | Source | 775 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 776 | 1 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } |
Line | Count | Source | 775 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 776 | 1 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } |
Line | Count | Source | 775 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 776 | 1 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } |
Line | Count | Source | 775 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 776 | 1 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } |
Line | Count | Source | 775 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 776 | 1 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } |
Line | Count | Source | 775 | 1 | const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \ | 776 | 1 | { return (EVP_CIPHER*)&aria_##keylen##_##mode; } |
|
777 | | |
778 | | BLOCK_CIPHER_aead(128, gcm, GCM) |
779 | | BLOCK_CIPHER_aead(192, gcm, GCM) |
780 | | BLOCK_CIPHER_aead(256, gcm, GCM) |
781 | | |
782 | | BLOCK_CIPHER_aead(128, ccm, CCM) |
783 | | BLOCK_CIPHER_aead(192, ccm, CCM) |
784 | | BLOCK_CIPHER_aead(256, ccm, CCM) |
785 | | |
786 | | #endif |