1 /* 2 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * AES low level APIs are deprecated for public use, but still ok for internal 12 * use where we're using them to implement the higher level EVP interface, as is 13 * the case here. 14 */ 15 #include "internal/deprecated.h" 16 17 /* Dispatch functions for AES_CBC_HMAC_SHA ciphers */ 18 19 /* For SSL3_VERSION and TLS1_VERSION */ 20 #include <openssl/prov_ssl.h> 21 #include <openssl/proverr.h> 22 #include "cipher_aes_cbc_hmac_sha.h" 23 #include "prov/implementations.h" 24 #include "prov/providercommon.h" 25 26 #ifndef AES_CBC_HMAC_SHA_CAPABLE 27 # define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \ 28 const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ 29 { 0, NULL } \ 30 }; 31 #else 32 33 # define AES_CBC_HMAC_SHA_FLAGS (PROV_CIPHER_FLAG_AEAD \ 34 | PROV_CIPHER_FLAG_TLS1_MULTIBLOCK) 35 36 static OSSL_FUNC_cipher_encrypt_init_fn aes_einit; 37 static OSSL_FUNC_cipher_decrypt_init_fn aes_dinit; 38 static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha1_freectx; 39 static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha256_freectx; 40 static OSSL_FUNC_cipher_get_ctx_params_fn aes_get_ctx_params; 41 static OSSL_FUNC_cipher_gettable_ctx_params_fn aes_gettable_ctx_params; 42 static OSSL_FUNC_cipher_set_ctx_params_fn aes_set_ctx_params; 43 static OSSL_FUNC_cipher_settable_ctx_params_fn aes_settable_ctx_params; 44 # define aes_gettable_params ossl_cipher_generic_gettable_params 45 # define aes_update ossl_cipher_generic_stream_update 46 # define aes_final ossl_cipher_generic_stream_final 47 # define aes_cipher ossl_cipher_generic_cipher 48 49 static int aes_einit(void *ctx, const unsigned char *key, size_t keylen, 50 const unsigned char *iv, size_t ivlen, 51 const OSSL_PARAM params[]) 52 { 53 if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL)) 54 return 0; 55 return aes_set_ctx_params(ctx, params); 56 } 57 58 static int aes_dinit(void *ctx, const unsigned char *key, size_t keylen, 59 const unsigned char *iv, size_t ivlen, 60 const OSSL_PARAM params[]) 61 { 62 if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL)) 63 return 0; 64 return aes_set_ctx_params(ctx, params); 65 } 66 67 static const OSSL_PARAM cipher_aes_known_settable_ctx_params[] = { 68 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_MAC_KEY, NULL, 0), 69 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0), 70 # if !defined(OPENSSL_NO_MULTIBLOCK) 71 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, NULL), 72 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, NULL), 73 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, NULL), 74 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, NULL, 0), 75 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, NULL, 0), 76 # endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ 77 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), 78 OSSL_PARAM_END 79 }; 80 const OSSL_PARAM *aes_settable_ctx_params(ossl_unused void *cctx, 81 ossl_unused void *provctx) 82 { 83 return cipher_aes_known_settable_ctx_params; 84 } 85 86 static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 87 { 88 PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; 89 PROV_CIPHER_HW_AES_HMAC_SHA *hw = 90 (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->hw; 91 const OSSL_PARAM *p; 92 int ret = 1; 93 # if !defined(OPENSSL_NO_MULTIBLOCK) 94 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; 95 # endif 96 97 if (params == NULL) 98 return 1; 99 100 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_MAC_KEY); 101 if (p != NULL) { 102 if (p->data_type != OSSL_PARAM_OCTET_STRING) { 103 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 104 return 0; 105 } 106 hw->init_mac_key(ctx, p->data, p->data_size); 107 } 108 109 # if !defined(OPENSSL_NO_MULTIBLOCK) 110 p = OSSL_PARAM_locate_const(params, 111 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT); 112 if (p != NULL 113 && !OSSL_PARAM_get_size_t(p, &ctx->multiblock_max_send_fragment)) { 114 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 115 return 0; 116 } 117 /* 118 * The inputs to tls1_multiblock_aad are: 119 * mb_param->inp 120 * mb_param->len 121 * mb_param->interleave 122 * The outputs of tls1_multiblock_aad are written to: 123 * ctx->multiblock_interleave 124 * ctx->multiblock_aad_packlen 125 */ 126 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD); 127 if (p != NULL) { 128 const OSSL_PARAM *p1 = OSSL_PARAM_locate_const(params, 129 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE); 130 if (p->data_type != OSSL_PARAM_OCTET_STRING 131 || p1 == NULL 132 || !OSSL_PARAM_get_uint(p1, &mb_param.interleave)) { 133 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 134 return 0; 135 } 136 mb_param.inp = p->data; 137 mb_param.len = p->data_size; 138 if (hw->tls1_multiblock_aad(vctx, &mb_param) <= 0) 139 return 0; 140 } 141 142 /* 143 * The inputs to tls1_multiblock_encrypt are: 144 * mb_param->inp 145 * mb_param->len 146 * mb_param->interleave 147 * mb_param->out 148 * The outputs of tls1_multiblock_encrypt are: 149 * ctx->multiblock_encrypt_len 150 */ 151 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC); 152 if (p != NULL) { 153 const OSSL_PARAM *p1 = OSSL_PARAM_locate_const(params, 154 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE); 155 const OSSL_PARAM *pin = OSSL_PARAM_locate_const(params, 156 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN); 157 158 if (p->data_type != OSSL_PARAM_OCTET_STRING 159 || pin == NULL 160 || pin->data_type != OSSL_PARAM_OCTET_STRING 161 || p1 == NULL 162 || !OSSL_PARAM_get_uint(p1, &mb_param.interleave)) { 163 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 164 return 0; 165 } 166 mb_param.out = p->data; 167 mb_param.inp = pin->data; 168 mb_param.len = pin->data_size; 169 if (hw->tls1_multiblock_encrypt(vctx, &mb_param) <= 0) 170 return 0; 171 } 172 # endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ 173 174 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD); 175 if (p != NULL) { 176 if (p->data_type != OSSL_PARAM_OCTET_STRING) { 177 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 178 return 0; 179 } 180 if (hw->set_tls1_aad(ctx, p->data, p->data_size) <= 0) 181 return 0; 182 } 183 184 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); 185 if (p != NULL) { 186 size_t keylen; 187 188 if (!OSSL_PARAM_get_size_t(p, &keylen)) { 189 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 190 return 0; 191 } 192 if (ctx->base.keylen != keylen) { 193 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 194 return 0; 195 } 196 } 197 198 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION); 199 if (p != NULL) { 200 if (!OSSL_PARAM_get_uint(p, &ctx->base.tlsversion)) { 201 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); 202 return 0; 203 } 204 if (ctx->base.tlsversion == SSL3_VERSION 205 || ctx->base.tlsversion == TLS1_VERSION) { 206 if (!ossl_assert(ctx->base.removetlsfixed >= AES_BLOCK_SIZE)) { 207 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 208 return 0; 209 } 210 /* 211 * There is no explicit IV with these TLS versions, so don't attempt 212 * to remove it. 213 */ 214 ctx->base.removetlsfixed -= AES_BLOCK_SIZE; 215 } 216 } 217 return ret; 218 } 219 220 static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[]) 221 { 222 PROV_AES_HMAC_SHA_CTX *ctx = (PROV_AES_HMAC_SHA_CTX *)vctx; 223 OSSL_PARAM *p; 224 225 # if !defined(OPENSSL_NO_MULTIBLOCK) 226 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE); 227 if (p != NULL) { 228 PROV_CIPHER_HW_AES_HMAC_SHA *hw = 229 (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->hw; 230 size_t len = hw->tls1_multiblock_max_bufsize(ctx); 231 232 if (!OSSL_PARAM_set_size_t(p, len)) { 233 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 234 return 0; 235 } 236 } 237 238 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE); 239 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->multiblock_interleave)) { 240 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 241 return 0; 242 } 243 244 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN); 245 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->multiblock_aad_packlen)) { 246 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 247 return 0; 248 } 249 250 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN); 251 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->multiblock_encrypt_len)) { 252 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 253 return 0; 254 } 255 # endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ 256 257 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD); 258 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad)) { 259 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 260 return 0; 261 } 262 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); 263 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) { 264 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 265 return 0; 266 } 267 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); 268 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) { 269 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 270 return 0; 271 } 272 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); 273 if (p != NULL 274 && !OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen) 275 && !OSSL_PARAM_set_octet_ptr(p, &ctx->base.oiv, ctx->base.ivlen)) { 276 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 277 return 0; 278 } 279 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); 280 if (p != NULL 281 && !OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen) 282 && !OSSL_PARAM_set_octet_ptr(p, &ctx->base.iv, ctx->base.ivlen)) { 283 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 284 return 0; 285 } 286 return 1; 287 } 288 289 static const OSSL_PARAM cipher_aes_known_gettable_ctx_params[] = { 290 # if !defined(OPENSSL_NO_MULTIBLOCK) 291 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, NULL), 292 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, NULL), 293 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, NULL), 294 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, NULL), 295 # endif /* !defined(OPENSSL_NO_MULTIBLOCK) */ 296 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), 297 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), 298 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), 299 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), 300 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), 301 OSSL_PARAM_END 302 }; 303 const OSSL_PARAM *aes_gettable_ctx_params(ossl_unused void *cctx, 304 ossl_unused void *provctx) 305 { 306 return cipher_aes_known_gettable_ctx_params; 307 } 308 309 static void base_init(void *provctx, PROV_AES_HMAC_SHA_CTX *ctx, 310 const PROV_CIPHER_HW_AES_HMAC_SHA *meths, 311 size_t kbits, size_t blkbits, size_t ivbits, 312 uint64_t flags) 313 { 314 ossl_cipher_generic_initkey(&ctx->base, kbits, blkbits, ivbits, 315 EVP_CIPH_CBC_MODE, flags, 316 &meths->base, provctx); 317 ctx->hw = (PROV_CIPHER_HW_AES_HMAC_SHA *)ctx->base.hw; 318 } 319 320 static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits, 321 size_t blkbits, size_t ivbits, 322 uint64_t flags) 323 { 324 PROV_AES_HMAC_SHA1_CTX *ctx; 325 326 if (!ossl_prov_is_running()) 327 return NULL; 328 329 ctx = OPENSSL_zalloc(sizeof(*ctx)); 330 if (ctx != NULL) 331 base_init(provctx, &ctx->base_ctx, 332 ossl_prov_cipher_hw_aes_cbc_hmac_sha1(), kbits, blkbits, 333 ivbits, flags); 334 return ctx; 335 } 336 337 static void *aes_cbc_hmac_sha1_dupctx(void *provctx) 338 { 339 PROV_AES_HMAC_SHA1_CTX *ctx = provctx; 340 341 if (ctx == NULL) 342 return NULL; 343 344 return OPENSSL_memdup(ctx, sizeof(*ctx)); 345 } 346 347 static void aes_cbc_hmac_sha1_freectx(void *vctx) 348 { 349 PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; 350 351 if (ctx != NULL) { 352 ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx); 353 OPENSSL_clear_free(ctx, sizeof(*ctx)); 354 } 355 } 356 357 static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits, 358 size_t blkbits, size_t ivbits, 359 uint64_t flags) 360 { 361 PROV_AES_HMAC_SHA256_CTX *ctx; 362 363 if (!ossl_prov_is_running()) 364 return NULL; 365 366 ctx = OPENSSL_zalloc(sizeof(*ctx)); 367 if (ctx != NULL) 368 base_init(provctx, &ctx->base_ctx, 369 ossl_prov_cipher_hw_aes_cbc_hmac_sha256(), kbits, blkbits, 370 ivbits, flags); 371 return ctx; 372 } 373 374 static void *aes_cbc_hmac_sha256_dupctx(void *provctx) 375 { 376 PROV_AES_HMAC_SHA256_CTX *ctx = provctx; 377 378 return OPENSSL_memdup(ctx, sizeof(*ctx)); 379 } 380 381 static void aes_cbc_hmac_sha256_freectx(void *vctx) 382 { 383 PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; 384 385 if (ctx != NULL) { 386 ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx); 387 OPENSSL_clear_free(ctx, sizeof(*ctx)); 388 } 389 } 390 391 # define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \ 392 static OSSL_FUNC_cipher_newctx_fn nm##_##kbits##_##sub##_newctx; \ 393 static void *nm##_##kbits##_##sub##_newctx(void *provctx) \ 394 { \ 395 return nm##_##sub##_newctx(provctx, kbits, blkbits, ivbits, flags); \ 396 } \ 397 static OSSL_FUNC_cipher_get_params_fn nm##_##kbits##_##sub##_get_params; \ 398 static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \ 399 { \ 400 return ossl_cipher_generic_get_params(params, EVP_CIPH_CBC_MODE, \ 401 flags, kbits, blkbits, ivbits); \ 402 } \ 403 const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ 404 { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\ 405 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \ 406 { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))nm##_##sub##_dupctx}, \ 407 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \ 408 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \ 409 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \ 410 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))nm##_final }, \ 411 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))nm##_cipher }, \ 412 { OSSL_FUNC_CIPHER_GET_PARAMS, \ 413 (void (*)(void))nm##_##kbits##_##sub##_get_params }, \ 414 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ 415 (void (*)(void))nm##_gettable_params }, \ 416 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ 417 (void (*)(void))nm##_get_ctx_params }, \ 418 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ 419 (void (*)(void))nm##_gettable_ctx_params }, \ 420 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ 421 (void (*)(void))nm##_set_ctx_params }, \ 422 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ 423 (void (*)(void))nm##_settable_ctx_params }, \ 424 { 0, NULL } \ 425 }; 426 427 #endif /* AES_CBC_HMAC_SHA_CAPABLE */ 428 429 /* ossl_aes128cbc_hmac_sha1_functions */ 430 IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS) 431 /* ossl_aes256cbc_hmac_sha1_functions */ 432 IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS) 433 /* ossl_aes128cbc_hmac_sha256_functions */ 434 IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS) 435 /* ossl_aes256cbc_hmac_sha256_functions */ 436 IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS) 437