mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
a361cb841d
TLS1.0 does not have an explicit IV in the record, and therefore we should not attempt to remove it. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12670)
389 lines
16 KiB
C
389 lines
16 KiB
C
/*
|
|
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/*
|
|
* AES low level APIs are deprecated for public use, but still ok for internal
|
|
* use where we're using them to implement the higher level EVP interface, as is
|
|
* the case here.
|
|
*/
|
|
#include "internal/deprecated.h"
|
|
|
|
/* Dispatch functions for AES_CBC_HMAC_SHA ciphers */
|
|
|
|
/* Only for SSL3_VERSION and TLS1_VERSION */
|
|
#include <openssl/ssl.h>
|
|
#include "cipher_aes_cbc_hmac_sha.h"
|
|
#include "prov/implementations.h"
|
|
|
|
#ifndef AES_CBC_HMAC_SHA_CAPABLE
|
|
# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \
|
|
const OSSL_DISPATCH nm##kbits##sub##_functions[] = { \
|
|
{ 0, NULL } \
|
|
};
|
|
#else
|
|
# include "prov/providercommonerr.h"
|
|
|
|
/* TODO(3.0) Figure out what flags are required */
|
|
# define AES_CBC_HMAC_SHA_FLAGS (EVP_CIPH_CBC_MODE \
|
|
| EVP_CIPH_FLAG_DEFAULT_ASN1 \
|
|
| EVP_CIPH_FLAG_AEAD_CIPHER \
|
|
| EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
|
|
|
|
static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha1_freectx;
|
|
static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha256_freectx;
|
|
static OSSL_FUNC_cipher_get_ctx_params_fn aes_get_ctx_params;
|
|
static OSSL_FUNC_cipher_gettable_ctx_params_fn aes_gettable_ctx_params;
|
|
static OSSL_FUNC_cipher_set_ctx_params_fn aes_set_ctx_params;
|
|
static OSSL_FUNC_cipher_settable_ctx_params_fn aes_settable_ctx_params;
|
|
# define aes_gettable_params cipher_generic_gettable_params
|
|
# define aes_einit cipher_generic_einit
|
|
# define aes_dinit cipher_generic_dinit
|
|
# define aes_update cipher_generic_stream_update
|
|
# define aes_final cipher_generic_stream_final
|
|
# define aes_cipher cipher_generic_cipher
|
|
|
|
static const OSSL_PARAM cipher_aes_known_settable_ctx_params[] = {
|
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_MAC_KEY, NULL, 0),
|
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
|
|
# if !defined(OPENSSL_NO_MULTIBLOCK)
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, NULL),
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, NULL),
|
|
OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, NULL),
|
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, NULL, 0),
|
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, NULL, 0),
|
|
# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
|
|
OSSL_PARAM_END
|
|
};
|
|
const OSSL_PARAM *aes_settable_ctx_params(ossl_unused void *provctx)
|
|
{
|
|
return cipher_aes_known_settable_ctx_params;
|
|
}
|
|
|
|
static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
|
{
|
|
PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx;
|
|
PROV_CIPHER_HW_AES_HMAC_SHA *hw =
|
|
(PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->hw;
|
|
const OSSL_PARAM *p;
|
|
int ret = 1;
|
|
# if !defined(OPENSSL_NO_MULTIBLOCK)
|
|
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
|
|
# endif
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_MAC_KEY);
|
|
if (p != NULL) {
|
|
if (p->data_type != OSSL_PARAM_OCTET_STRING) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
hw->init_mac_key(ctx, p->data, p->data_size);
|
|
}
|
|
|
|
# if !defined(OPENSSL_NO_MULTIBLOCK)
|
|
p = OSSL_PARAM_locate_const(params,
|
|
OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT);
|
|
if (p != NULL
|
|
&& !OSSL_PARAM_get_size_t(p, &ctx->multiblock_max_send_fragment)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
/*
|
|
* The inputs to tls1_multiblock_aad are:
|
|
* mb_param->inp
|
|
* mb_param->len
|
|
* mb_param->interleave
|
|
* The outputs of tls1_multiblock_aad are written to:
|
|
* ctx->multiblock_interleave
|
|
* ctx->multiblock_aad_packlen
|
|
*/
|
|
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD);
|
|
if (p != NULL) {
|
|
const OSSL_PARAM *p1 = OSSL_PARAM_locate_const(params,
|
|
OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE);
|
|
if (p->data_type != OSSL_PARAM_OCTET_STRING
|
|
|| p1 == NULL
|
|
|| !OSSL_PARAM_get_uint(p1, &mb_param.interleave)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
mb_param.inp = p->data;
|
|
mb_param.len = p->data_size;
|
|
if (hw->tls1_multiblock_aad(vctx, &mb_param) <= 0)
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* The inputs to tls1_multiblock_encrypt are:
|
|
* mb_param->inp
|
|
* mb_param->len
|
|
* mb_param->interleave
|
|
* mb_param->out
|
|
* The outputs of tls1_multiblock_encrypt are:
|
|
* ctx->multiblock_encrypt_len
|
|
*/
|
|
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC);
|
|
if (p != NULL) {
|
|
const OSSL_PARAM *p1 = OSSL_PARAM_locate_const(params,
|
|
OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE);
|
|
const OSSL_PARAM *pin = OSSL_PARAM_locate_const(params,
|
|
OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN);
|
|
|
|
if (p->data_type != OSSL_PARAM_OCTET_STRING
|
|
|| pin == NULL
|
|
|| pin->data_type != OSSL_PARAM_OCTET_STRING
|
|
|| p1 == NULL
|
|
|| !OSSL_PARAM_get_uint(p1, &mb_param.interleave)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
mb_param.out = p->data;
|
|
mb_param.inp = pin->data;
|
|
mb_param.len = pin->data_size;
|
|
if (hw->tls1_multiblock_encrypt(vctx, &mb_param) <= 0)
|
|
return 0;
|
|
}
|
|
# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
|
|
if (p != NULL) {
|
|
if (p->data_type != OSSL_PARAM_OCTET_STRING) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
if (hw->set_tls1_aad(ctx, p->data, p->data_size) <= 0)
|
|
return 0;
|
|
}
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
|
|
if (p != NULL) {
|
|
size_t keylen;
|
|
|
|
if (!OSSL_PARAM_get_size_t(p, &keylen)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
if (ctx->base.keylen != keylen) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION);
|
|
if (p != NULL) {
|
|
if (!OSSL_PARAM_get_uint(p, &ctx->base.tlsversion)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
|
|
return 0;
|
|
}
|
|
if (ctx->base.tlsversion == SSL3_VERSION
|
|
|| ctx->base.tlsversion == TLS1_VERSION) {
|
|
if (!ossl_assert(ctx->base.removetlspad >= AES_BLOCK_SIZE)) {
|
|
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
|
|
return 0;
|
|
}
|
|
/*
|
|
* There is no explicit IV with these TLS versions, so don't attempt
|
|
* to remove it.
|
|
*/
|
|
ctx->base.removetlspad -= AES_BLOCK_SIZE;
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
{
|
|
PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx;
|
|
OSSL_PARAM *p;
|
|
|
|
# if !defined(OPENSSL_NO_MULTIBLOCK)
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE);
|
|
if (p != NULL) {
|
|
PROV_CIPHER_HW_AES_HMAC_SHA *hw =
|
|
(PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->hw;
|
|
size_t len = hw->tls1_multiblock_max_bufsize(ctx);
|
|
|
|
if (!OSSL_PARAM_set_size_t(p, len)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE);
|
|
if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->multiblock_interleave)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN);
|
|
if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->multiblock_aad_packlen)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN);
|
|
if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->multiblock_encrypt_len)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
|
|
if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
|
|
if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
|
|
if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
|
|
if (p != NULL
|
|
&& !OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)
|
|
&& !OSSL_PARAM_set_octet_ptr(p, &ctx->base.oiv, ctx->base.ivlen)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE);
|
|
if (p != NULL
|
|
&& !OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen)) {
|
|
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM cipher_aes_known_gettable_ctx_params[] = {
|
|
# if !defined(OPENSSL_NO_MULTIBLOCK)
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, NULL),
|
|
OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, NULL),
|
|
OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, NULL),
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, NULL),
|
|
# endif /* !defined(OPENSSL_NO_MULTIBLOCK) */
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
|
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
|
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
|
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0),
|
|
OSSL_PARAM_END
|
|
};
|
|
const OSSL_PARAM *aes_gettable_ctx_params(ossl_unused void *provctx)
|
|
{
|
|
return cipher_aes_known_gettable_ctx_params;
|
|
}
|
|
|
|
static void base_init(void *provctx, PROV_AES_HMAC_SHA_CTX *ctx,
|
|
const PROV_CIPHER_HW_AES_HMAC_SHA *meths,
|
|
size_t kbits, size_t blkbits, size_t ivbits,
|
|
uint64_t flags)
|
|
{
|
|
cipher_generic_initkey(&ctx->base, kbits, blkbits, ivbits,
|
|
EVP_CIPH_CBC_MODE, flags,
|
|
&meths->base, provctx);
|
|
ctx->hw = (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->base.hw;
|
|
}
|
|
|
|
static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits,
|
|
size_t blkbits, size_t ivbits,
|
|
uint64_t flags)
|
|
{
|
|
PROV_AES_HMAC_SHA1_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
|
|
|
if (ctx != NULL)
|
|
base_init(provctx, &ctx->base_ctx,
|
|
PROV_CIPHER_HW_aes_cbc_hmac_sha1(), kbits, blkbits,
|
|
ivbits, flags);
|
|
return ctx;
|
|
}
|
|
|
|
static void aes_cbc_hmac_sha1_freectx(void *vctx)
|
|
{
|
|
PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx;
|
|
|
|
if (ctx != NULL) {
|
|
cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
|
|
OPENSSL_clear_free(ctx, sizeof(*ctx));
|
|
}
|
|
}
|
|
|
|
static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits,
|
|
size_t blkbits, size_t ivbits,
|
|
uint64_t flags)
|
|
{
|
|
PROV_AES_HMAC_SHA256_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
|
|
|
if (ctx != NULL)
|
|
base_init(provctx, &ctx->base_ctx,
|
|
PROV_CIPHER_HW_aes_cbc_hmac_sha256(), kbits, blkbits,
|
|
ivbits, flags);
|
|
return ctx;
|
|
}
|
|
|
|
static void aes_cbc_hmac_sha256_freectx(void *vctx)
|
|
{
|
|
PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx;
|
|
|
|
if (ctx != NULL) {
|
|
cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
|
|
OPENSSL_clear_free(ctx, sizeof(*ctx));
|
|
}
|
|
}
|
|
|
|
# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \
|
|
static OSSL_FUNC_cipher_newctx_fn nm##_##kbits##_##sub##_newctx; \
|
|
static void *nm##_##kbits##_##sub##_newctx(void *provctx) \
|
|
{ \
|
|
return nm##_##sub##_newctx(provctx, kbits, blkbits, ivbits, flags); \
|
|
} \
|
|
static OSSL_FUNC_cipher_get_params_fn nm##_##kbits##_##sub##_get_params; \
|
|
static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \
|
|
{ \
|
|
return cipher_generic_get_params(params, EVP_CIPH_CBC_MODE, \
|
|
flags, kbits, blkbits, ivbits); \
|
|
} \
|
|
const OSSL_DISPATCH nm##kbits##sub##_functions[] = { \
|
|
{ OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\
|
|
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \
|
|
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \
|
|
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \
|
|
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \
|
|
{ OSSL_FUNC_CIPHER_FINAL, (void (*)(void))nm##_final }, \
|
|
{ OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))nm##_cipher }, \
|
|
{ OSSL_FUNC_CIPHER_GET_PARAMS, \
|
|
(void (*)(void))nm##_##kbits##_##sub##_get_params }, \
|
|
{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
|
|
(void (*)(void))nm##_gettable_params }, \
|
|
{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
|
|
(void (*)(void))nm##_get_ctx_params }, \
|
|
{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
|
|
(void (*)(void))nm##_gettable_ctx_params }, \
|
|
{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
|
|
(void (*)(void))nm##_set_ctx_params }, \
|
|
{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
|
|
(void (*)(void))nm##_settable_ctx_params }, \
|
|
{ 0, NULL } \
|
|
};
|
|
|
|
#endif /* AES_CBC_HMAC_SHA_CAPABLE */
|
|
|
|
/* aes128cbc_hmac_sha1_functions */
|
|
IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
|
|
/* aes256cbc_hmac_sha1_functions */
|
|
IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
|
|
/* aes128cbc_hmac_sha256_functions */
|
|
IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
|
|
/* aes256cbc_hmac_sha256_functions */
|
|
IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
|