openssl/providers/implementations/ciphers/cipher_aes_siv_hw.c
Shane Lontis 90409da6a5 Fix provider cipher reinit issue
Fixes #12405
Fixes #12377

Calling Init()/Update() and then Init()/Update() again gave a different result when using the same key and iv.
Cipher modes that were using ctx->num were not resetting this value, this includes OFB, CFB & CTR.
The fix is to reset this value during the ciphers einit() and dinit() methods.
Most ciphers go thru a generic method so one line fixes most cases.

Add test for calling EVP_EncryptInit()/EVP_EncryptUpdate() multiple times for all ciphers.
Ciphers should return the same value for both updates.
DES3-WRAP does not since it uses a random in the update.
CCM modes currently also fail on the second update (This also happens in 1_1_1).

Fix memory leak in AES_OCB cipher if EVP_EncryptInit is called multiple times.

Fix AES_SIV cipher dup_ctx and init.
Calling EVP_CIPHER_init multiple times resulted in a memory leak in the siv.
Fixing this leak also showed that the dup ctx was not working for siv mode.
Note: aes_siv_cleanup() can not be used by aes_siv_dupctx() as it clears data
that is required for the decrypt (e.g the tag).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12413)
2020-07-22 10:40:55 +10:00

137 lines
3.7 KiB
C

/*
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/*
* This file uses the low level AES functions (which are deprecated for
* non-internal use) in order to implement provider AES ciphers.
*/
#include "internal/deprecated.h"
#include "cipher_aes_siv.h"
static void aes_siv_cleanup(void *vctx);
static int aes_siv_initkey(void *vctx, const unsigned char *key, size_t keylen)
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
SIV128_CONTEXT *sctx = &ctx->siv;
size_t klen = keylen / 2;
OPENSSL_CTX *libctx = ctx->libctx;
const char *propq = NULL;
EVP_CIPHER_free(ctx->cbc);
EVP_CIPHER_free(ctx->ctr);
ctx->cbc = NULL;
ctx->ctr = NULL;
switch (klen) {
case 16:
ctx->cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", propq);
ctx->ctr = EVP_CIPHER_fetch(libctx, "AES-128-CTR", propq);
break;
case 24:
ctx->cbc = EVP_CIPHER_fetch(libctx, "AES-192-CBC", propq);
ctx->ctr = EVP_CIPHER_fetch(libctx, "AES-192-CTR", propq);
break;
case 32:
ctx->cbc = EVP_CIPHER_fetch(libctx, "AES-256-CBC", propq);
ctx->ctr = EVP_CIPHER_fetch(libctx, "AES-256-CTR", propq);
break;
default:
break;
}
if (ctx->cbc == NULL || ctx->ctr == NULL)
return 0;
/*
* klen is the length of the underlying cipher, not the input key,
* which should be twice as long
*/
return CRYPTO_siv128_init(sctx, key, klen, ctx->cbc, ctx->ctr, libctx,
propq);
}
static int aes_siv_dupctx(void *in_vctx, void *out_vctx)
{
PROV_AES_SIV_CTX *in = (PROV_AES_SIV_CTX *)in_vctx;
PROV_AES_SIV_CTX *out = (PROV_AES_SIV_CTX *)out_vctx;
*out = *in;
out->siv.cipher_ctx = NULL;
out->siv.mac_ctx_init = NULL;
out->siv.mac = NULL;
if (!CRYPTO_siv128_copy_ctx(&out->siv, &in->siv))
return 0;
if (out->cbc != NULL)
EVP_CIPHER_up_ref(out->cbc);
if (out->ctr != NULL)
EVP_CIPHER_up_ref(out->ctr);
return 1;
}
static int aes_siv_settag(void *vctx, const unsigned char *tag, size_t tagl)
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
SIV128_CONTEXT *sctx = &ctx->siv;
return CRYPTO_siv128_set_tag(sctx, tag, tagl);
}
static void aes_siv_setspeed(void *vctx, int speed)
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
SIV128_CONTEXT *sctx = &ctx->siv;
CRYPTO_siv128_speed(sctx, (int)speed);
}
static void aes_siv_cleanup(void *vctx)
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
SIV128_CONTEXT *sctx = &ctx->siv;
CRYPTO_siv128_cleanup(sctx);
EVP_CIPHER_free(ctx->cbc);
EVP_CIPHER_free(ctx->ctr);
}
static int aes_siv_cipher(void *vctx, unsigned char *out,
const unsigned char *in, size_t len)
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
SIV128_CONTEXT *sctx = &ctx->siv;
/* EncryptFinal or DecryptFinal */
if (in == NULL)
return CRYPTO_siv128_finish(sctx) == 0;
/* Deal with associated data */
if (out == NULL)
return (CRYPTO_siv128_aad(sctx, in, len) == 1);
if (ctx->enc)
return CRYPTO_siv128_encrypt(sctx, in, out, len) > 0;
return CRYPTO_siv128_decrypt(sctx, in, out, len) > 0;
}
static const PROV_CIPHER_HW_AES_SIV aes_siv_hw =
{
aes_siv_initkey,
aes_siv_cipher,
aes_siv_setspeed,
aes_siv_settag,
aes_siv_cleanup,
aes_siv_dupctx,
};
const PROV_CIPHER_HW_AES_SIV *PROV_CIPHER_HW_aes_siv(size_t keybits)
{
return &aes_siv_hw;
}