2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * Generic dispatch table functions for ciphers.
14 /* For SSL3_VERSION */
15 #include <openssl/prov_ssl.h>
16 #include <openssl/proverr.h>
17 #include "ciphercommon_local.h"
18 #include "prov/provider_ctx.h"
19 #include "prov/providercommon.h"
22 * Generic cipher functions for OSSL_PARAM gettables and settables
24 static const OSSL_PARAM cipher_known_gettable_params[] = {
25 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_MODE, NULL),
26 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
27 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
28 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
29 OSSL_PARAM_int(OSSL_CIPHER_PARAM_AEAD, NULL),
30 OSSL_PARAM_int(OSSL_CIPHER_PARAM_CUSTOM_IV, NULL),
31 OSSL_PARAM_int(OSSL_CIPHER_PARAM_CTS, NULL),
32 OSSL_PARAM_int(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK, NULL),
35 const OSSL_PARAM *ossl_cipher_generic_gettable_params(ossl_unused void *provctx)
37 return cipher_known_gettable_params;
40 int ossl_cipher_generic_get_params(OSSL_PARAM params[], unsigned int md,
42 size_t kbits, size_t blkbits, size_t ivbits)
46 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
47 if (p != NULL && !OSSL_PARAM_set_uint(p, md)) {
48 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
51 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD);
53 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_AEAD) != 0)) {
54 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
57 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CUSTOM_IV);
59 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_CUSTOM_IV) != 0)) {
60 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
63 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS);
65 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_CTS) != 0)) {
66 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
69 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK);
71 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_TLS1_MULTIBLOCK) != 0)) {
72 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
75 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
76 if (p != NULL && !OSSL_PARAM_set_size_t(p, kbits / 8)) {
77 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
80 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
81 if (p != NULL && !OSSL_PARAM_set_size_t(p, blkbits / 8)) {
82 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
85 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
86 if (p != NULL && !OSSL_PARAM_set_size_t(p, ivbits / 8)) {
87 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
93 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_cipher_generic)
94 { OSSL_CIPHER_PARAM_TLS_MAC, OSSL_PARAM_OCTET_PTR, NULL, 0, OSSL_PARAM_UNMODIFIED },
95 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_cipher_generic)
97 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_cipher_generic)
98 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_USE_BITS, NULL),
99 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS_VERSION, NULL),
100 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, NULL),
101 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_cipher_generic)
104 * Variable key length cipher functions for OSSL_PARAM settables
106 int ossl_cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[])
108 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
114 if (!ossl_cipher_generic_set_ctx_params(vctx, params))
116 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
120 if (!OSSL_PARAM_get_size_t(p, &keylen)) {
121 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
124 ctx->keylen = keylen;
129 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_cipher_var_keylen)
130 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
131 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_cipher_var_keylen)
134 * AEAD cipher functions for OSSL_PARAM gettables and settables
136 static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
137 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
138 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
139 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
140 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
141 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0),
142 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
143 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
144 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
147 const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
148 ossl_unused void *cctx, ossl_unused void *provctx
151 return cipher_aead_known_gettable_ctx_params;
154 static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
155 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
156 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
157 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
158 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
159 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, NULL, 0),
162 const OSSL_PARAM *ossl_cipher_aead_settable_ctx_params(
163 ossl_unused void *cctx, ossl_unused void *provctx
166 return cipher_aead_known_settable_ctx_params;
169 void ossl_cipher_generic_reset_ctx(PROV_CIPHER_CTX *ctx)
171 if (ctx != NULL && ctx->alloced) {
172 OPENSSL_free(ctx->tlsmac);
178 static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
179 const unsigned char *key, size_t keylen,
180 const unsigned char *iv, size_t ivlen,
181 const OSSL_PARAM params[], int enc)
186 ctx->enc = enc ? 1 : 0;
188 if (!ossl_prov_is_running())
191 if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
192 if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
195 if (iv == NULL && ctx->iv_set
196 && (ctx->mode == EVP_CIPH_CBC_MODE
197 || ctx->mode == EVP_CIPH_CFB_MODE
198 || ctx->mode == EVP_CIPH_OFB_MODE))
199 /* reset IV for these modes to keep compatibility with 1.1.1 */
200 memcpy(ctx->iv, ctx->oiv, ctx->ivlen);
203 if (ctx->variable_keylength == 0) {
204 if (keylen != ctx->keylen) {
205 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
209 ctx->keylen = keylen;
211 if (!ctx->hw->init(ctx, key, ctx->keylen))
214 return ossl_cipher_generic_set_ctx_params(ctx, params);
217 int ossl_cipher_generic_einit(void *vctx, const unsigned char *key,
218 size_t keylen, const unsigned char *iv,
219 size_t ivlen, const OSSL_PARAM params[])
221 return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
222 iv, ivlen, params, 1);
225 int ossl_cipher_generic_dinit(void *vctx, const unsigned char *key,
226 size_t keylen, const unsigned char *iv,
227 size_t ivlen, const OSSL_PARAM params[])
229 return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
230 iv, ivlen, params, 0);
233 /* Max padding including padding length byte */
234 #define MAX_PADDING 256
236 int ossl_cipher_generic_block_update(void *vctx, unsigned char *out,
237 size_t *outl, size_t outsize,
238 const unsigned char *in, size_t inl)
241 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
242 size_t blksz = ctx->blocksize;
245 if (ctx->tlsversion > 0) {
247 * Each update call corresponds to a TLS record and is individually
251 /* Sanity check inputs */
256 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
261 unsigned char padval;
266 padnum = blksz - (inl % blksz);
268 if (outsize < inl + padnum) {
269 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
273 if (padnum > MAX_PADDING) {
274 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
277 padval = (unsigned char)(padnum - 1);
278 if (ctx->tlsversion == SSL3_VERSION) {
280 memset(out + inl, 0, padnum - 1);
281 *(out + inl + padnum - 1) = padval;
283 /* we need to add 'padnum' padding bytes of value padval */
284 for (loop = inl; loop < inl + padnum; loop++)
290 if ((inl % blksz) != 0) {
291 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
296 /* Shouldn't normally fail */
297 if (!ctx->hw->cipher(ctx, out, in, inl)) {
298 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
303 OPENSSL_free(ctx->tlsmac);
308 /* This only fails if padding is publicly invalid */
311 && !ossl_cipher_tlsunpadblock(ctx->libctx, ctx->tlsversion,
313 blksz, &ctx->tlsmac, &ctx->alloced,
314 ctx->tlsmacsize, 0)) {
315 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
322 nextblocks = ossl_cipher_fillblock(ctx->buf, &ctx->bufsz, blksz,
325 nextblocks = inl & ~(blksz-1);
328 * If we're decrypting and we end an update on a block boundary we hold
329 * the last block back in case this is the last update call and the last
332 if (ctx->bufsz == blksz && (ctx->enc || inl > 0 || !ctx->pad)) {
333 if (outsize < blksz) {
334 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
337 if (!ctx->hw->cipher(ctx, out, ctx->buf, blksz)) {
338 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
345 if (nextblocks > 0) {
346 if (!ctx->enc && ctx->pad && nextblocks == inl) {
347 if (!ossl_assert(inl >= blksz)) {
348 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
353 outlint += nextblocks;
354 if (outsize < outlint) {
355 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
359 if (nextblocks > 0) {
360 if (!ctx->hw->cipher(ctx, out, in, nextblocks)) {
361 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
368 && !ossl_cipher_trailingdata(ctx->buf, &ctx->bufsz, blksz, &in, &inl)) {
369 /* ERR_raise already called */
377 int ossl_cipher_generic_block_final(void *vctx, unsigned char *out,
378 size_t *outl, size_t outsize)
380 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
381 size_t blksz = ctx->blocksize;
383 if (!ossl_prov_is_running())
386 if (ctx->tlsversion > 0) {
387 /* We never finalize TLS, so this is an error */
388 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
394 ossl_cipher_padblock(ctx->buf, &ctx->bufsz, blksz);
395 } else if (ctx->bufsz == 0) {
398 } else if (ctx->bufsz != blksz) {
399 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
403 if (outsize < blksz) {
404 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
407 if (!ctx->hw->cipher(ctx, out, ctx->buf, blksz)) {
408 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
417 if (ctx->bufsz != blksz) {
418 if (ctx->bufsz == 0 && !ctx->pad) {
422 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
426 if (!ctx->hw->cipher(ctx, ctx->buf, ctx->buf, blksz)) {
427 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
431 if (ctx->pad && !ossl_cipher_unpadblock(ctx->buf, &ctx->bufsz, blksz)) {
432 /* ERR_raise already called */
436 if (outsize < ctx->bufsz) {
437 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
440 memcpy(out, ctx->buf, ctx->bufsz);
446 int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
447 size_t *outl, size_t outsize,
448 const unsigned char *in, size_t inl)
450 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
458 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
462 if (!ctx->hw->cipher(ctx, out, in, inl)) {
463 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
468 if (!ctx->enc && ctx->tlsversion > 0) {
470 * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and
471 * cipher_aes_cbc_hmac_sha256_hw.c
473 if (ctx->removetlspad) {
475 * We should have already failed in the cipher() call above if this
478 if (!ossl_assert(*outl >= (size_t)(out[inl - 1] + 1)))
480 /* The actual padding length */
481 *outl -= out[inl - 1] + 1;
484 /* TLS MAC and explicit IV if relevant. We should have already failed
485 * in the cipher() call above if *outl is too short.
487 if (!ossl_assert(*outl >= ctx->removetlsfixed))
489 *outl -= ctx->removetlsfixed;
491 /* Extract the MAC if there is one */
492 if (ctx->tlsmacsize > 0) {
493 if (*outl < ctx->tlsmacsize)
496 ctx->tlsmac = out + *outl - ctx->tlsmacsize;
497 *outl -= ctx->tlsmacsize;
503 int ossl_cipher_generic_stream_final(void *vctx, unsigned char *out,
504 size_t *outl, size_t outsize)
506 if (!ossl_prov_is_running())
513 int ossl_cipher_generic_cipher(void *vctx, unsigned char *out, size_t *outl,
514 size_t outsize, const unsigned char *in,
517 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
519 if (!ossl_prov_is_running())
523 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
527 if (!ctx->hw->cipher(ctx, out, in, inl)) {
528 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
536 int ossl_cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[])
538 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
541 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
542 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
543 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
546 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
547 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->pad)) {
548 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
551 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
553 && !OSSL_PARAM_set_octet_ptr(p, &ctx->oiv, ctx->ivlen)
554 && !OSSL_PARAM_set_octet_string(p, &ctx->oiv, ctx->ivlen)) {
555 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
558 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
560 && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)
561 && !OSSL_PARAM_set_octet_string(p, &ctx->iv, ctx->ivlen)) {
562 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
565 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
566 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->num)) {
567 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
570 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
571 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
572 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
575 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS_MAC);
577 && !OSSL_PARAM_set_octet_ptr(p, ctx->tlsmac, ctx->tlsmacsize)) {
578 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
584 int ossl_cipher_generic_set_ctx_params(void *vctx, const OSSL_PARAM params[])
586 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
592 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
596 if (!OSSL_PARAM_get_uint(p, &pad)) {
597 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
600 ctx->pad = pad ? 1 : 0;
602 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_USE_BITS);
606 if (!OSSL_PARAM_get_uint(p, &bits)) {
607 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
610 ctx->use_bits = bits ? 1 : 0;
612 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION);
614 if (!OSSL_PARAM_get_uint(p, &ctx->tlsversion)) {
615 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
619 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_MAC_SIZE);
621 if (!OSSL_PARAM_get_size_t(p, &ctx->tlsmacsize)) {
622 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
626 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
630 if (!OSSL_PARAM_get_uint(p, &num)) {
631 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
639 int ossl_cipher_generic_initiv(PROV_CIPHER_CTX *ctx, const unsigned char *iv,
642 if (ivlen != ctx->ivlen
643 || ivlen > sizeof(ctx->iv)) {
644 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
648 memcpy(ctx->iv, iv, ivlen);
649 memcpy(ctx->oiv, iv, ivlen);
653 void ossl_cipher_generic_initkey(void *vctx, size_t kbits, size_t blkbits,
654 size_t ivbits, unsigned int mode,
655 uint64_t flags, const PROV_CIPHER_HW *hw,
658 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
660 if ((flags & PROV_CIPHER_FLAG_INVERSE_CIPHER) != 0)
661 ctx->inverse_cipher = 1;
662 if ((flags & PROV_CIPHER_FLAG_VARIABLE_LENGTH) != 0)
663 ctx->variable_keylength = 1;
666 ctx->keylen = ((kbits) / 8);
667 ctx->ivlen = ((ivbits) / 8);
670 ctx->blocksize = blkbits / 8;
672 ctx->libctx = PROV_LIBCTX_OF(provctx); /* used for rand */