2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * Generic dispatch table functions for ciphers.
14 /* For SSL3_VERSION */
15 #include <openssl/ssl.h>
16 #include "ciphercommon_local.h"
17 #include "prov/provider_ctx.h"
18 #include "prov/providercommonerr.h"
21 * Generic cipher functions for OSSL_PARAM gettables and settables
23 static const OSSL_PARAM cipher_known_gettable_params[] = {
24 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_MODE, NULL),
25 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
26 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
27 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
28 OSSL_PARAM_ulong(OSSL_CIPHER_PARAM_FLAGS, NULL),
29 { OSSL_CIPHER_PARAM_TLS_MAC, OSSL_PARAM_OCTET_PTR, NULL, 0, OSSL_PARAM_UNMODIFIED },
32 const OSSL_PARAM *cipher_generic_gettable_params(void)
34 return cipher_known_gettable_params;
37 int cipher_generic_get_params(OSSL_PARAM params[], unsigned int md,
39 size_t kbits, size_t blkbits, size_t ivbits)
43 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
44 if (p != NULL && !OSSL_PARAM_set_uint(p, md)) {
45 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
48 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_FLAGS);
49 if (p != NULL && !OSSL_PARAM_set_ulong(p, flags)) {
50 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
53 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
54 if (p != NULL && !OSSL_PARAM_set_size_t(p, kbits / 8)) {
55 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
58 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
59 if (p != NULL && !OSSL_PARAM_set_size_t(p, blkbits / 8)) {
60 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
63 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
64 if (p != NULL && !OSSL_PARAM_set_size_t(p, ivbits / 8)) {
65 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
71 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(cipher_generic)
72 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(cipher_generic)
74 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(cipher_generic)
75 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS_VERSION, NULL),
76 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, NULL),
77 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(cipher_generic)
80 * Variable key length cipher functions for OSSL_PARAM settables
83 int cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[])
85 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
88 if (!cipher_generic_set_ctx_params(vctx, params))
90 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
94 if (!OSSL_PARAM_get_size_t(p, &keylen)) {
95 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
103 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(cipher_var_keylen)
104 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
105 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(cipher_var_keylen)
108 * AEAD cipher functions for OSSL_PARAM gettables and settables
110 static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
111 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
112 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
113 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
114 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
115 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
116 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
117 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
120 const OSSL_PARAM *cipher_aead_gettable_ctx_params(void)
122 return cipher_aead_known_gettable_ctx_params;
125 static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
126 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
127 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
128 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
129 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
130 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, NULL, 0),
133 const OSSL_PARAM *cipher_aead_settable_ctx_params(void)
135 return cipher_aead_known_settable_ctx_params;
138 void cipher_generic_reset_ctx(PROV_CIPHER_CTX *ctx)
140 if (ctx != NULL && ctx->alloced) {
141 OPENSSL_free(ctx->tlsmac);
147 static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
148 const unsigned char *key, size_t keylen,
149 const unsigned char *iv, size_t ivlen,
152 ctx->enc = enc ? 1 : 0;
154 if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
155 if (!cipher_generic_initiv(ctx, iv, ivlen))
159 if ((ctx->flags & EVP_CIPH_VARIABLE_LENGTH) == 0) {
160 if (keylen != ctx->keylen) {
161 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
165 ctx->keylen = keylen;
167 return ctx->hw->init(ctx, key, ctx->keylen);
172 int cipher_generic_einit(void *vctx, const unsigned char *key, size_t keylen,
173 const unsigned char *iv, size_t ivlen)
175 return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
179 int cipher_generic_dinit(void *vctx, const unsigned char *key, size_t keylen,
180 const unsigned char *iv, size_t ivlen)
182 return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
186 /* Max padding including padding length byte */
187 #define MAX_PADDING 256
189 int cipher_generic_block_update(void *vctx, unsigned char *out, size_t *outl,
190 size_t outsize, const unsigned char *in,
194 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
195 size_t blksz = ctx->blocksize;
198 if (ctx->tlsversion > 0) {
200 * Each update call corresponds to a TLS record and is individually
204 /* Sanity check inputs */
209 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
214 unsigned char padval;
219 padnum = blksz - (inl % blksz);
221 if (outsize < inl + padnum) {
222 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
226 if (padnum > MAX_PADDING) {
227 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
230 padval = (unsigned char)(padnum - 1);
231 if (ctx->tlsversion == SSL3_VERSION) {
233 memset(out + inl, 0, padnum - 1);
234 *(out + inl + padnum - 1) = padval;
236 /* we need to add 'padnum' padding bytes of value padval */
237 for (loop = inl; loop < inl + padnum; loop++)
243 if ((inl % blksz) != 0) {
244 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
249 /* Shouldn't normally fail */
250 if (!ctx->hw->cipher(ctx, out, in, inl)) {
251 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
256 OPENSSL_free(ctx->tlsmac);
261 /* This only fails if padding is publicly invalid */
264 && !tlsunpadblock(ctx->libctx, ctx->tlsversion, out, outl,
265 blksz, &ctx->tlsmac, &ctx->alloced,
266 ctx->tlsmacsize, 0)) {
267 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
274 nextblocks = fillblock(ctx->buf, &ctx->bufsz, blksz, &in, &inl);
276 nextblocks = inl & ~(blksz-1);
279 * If we're decrypting and we end an update on a block boundary we hold
280 * the last block back in case this is the last update call and the last
283 if (ctx->bufsz == blksz && (ctx->enc || inl > 0 || !ctx->pad)) {
284 if (outsize < blksz) {
285 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
288 if (!ctx->hw->cipher(ctx, out, ctx->buf, blksz)) {
289 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
296 if (nextblocks > 0) {
297 if (!ctx->enc && ctx->pad && nextblocks == inl) {
298 if (!ossl_assert(inl >= blksz)) {
299 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
304 outlint += nextblocks;
305 if (outsize < outlint) {
306 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
310 if (nextblocks > 0) {
311 if (!ctx->hw->cipher(ctx, out, in, nextblocks)) {
312 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
318 if (inl != 0 && !trailingdata(ctx->buf, &ctx->bufsz, blksz, &in, &inl)) {
319 /* ERR_raise already called */
327 int cipher_generic_block_final(void *vctx, unsigned char *out, size_t *outl,
330 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
331 size_t blksz = ctx->blocksize;
333 if (ctx->tlsversion > 0) {
334 /* We never finalize TLS, so this is an error */
335 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
341 padblock(ctx->buf, &ctx->bufsz, blksz);
342 } else if (ctx->bufsz == 0) {
345 } else if (ctx->bufsz != blksz) {
346 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
350 if (outsize < blksz) {
351 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
354 if (!ctx->hw->cipher(ctx, out, ctx->buf, blksz)) {
355 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
364 if (ctx->bufsz != blksz) {
365 if (ctx->bufsz == 0 && !ctx->pad) {
369 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
373 if (!ctx->hw->cipher(ctx, ctx->buf, ctx->buf, blksz)) {
374 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
378 if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, blksz)) {
379 /* ERR_raise already called */
383 if (outsize < ctx->bufsz) {
384 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
387 memcpy(out, ctx->buf, ctx->bufsz);
393 int cipher_generic_stream_update(void *vctx, unsigned char *out, size_t *outl,
394 size_t outsize, const unsigned char *in,
397 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
405 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
409 if (!ctx->hw->cipher(ctx, out, in, inl)) {
410 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
416 * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and
417 * cipher_aes_cbc_hmac_sha256_hw.c
419 if (!ctx->enc && ctx->removetlspad > 0) {
420 /* The actual padding length */
421 *outl -= out[inl - 1] + 1;
423 /* MAC and explicit IV */
424 *outl -= ctx->removetlspad;
429 int cipher_generic_stream_final(void *vctx, unsigned char *out, size_t *outl,
436 int cipher_generic_cipher(void *vctx,
437 unsigned char *out, size_t *outl, size_t outsize,
438 const unsigned char *in, size_t inl)
440 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
443 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
447 if (!ctx->hw->cipher(ctx, out, in, inl)) {
448 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
456 int cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[])
458 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
461 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
462 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
463 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
466 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
467 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->pad)) {
468 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
471 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
473 && !OSSL_PARAM_set_octet_ptr(p, &ctx->oiv, ctx->ivlen)
474 && !OSSL_PARAM_set_octet_string(p, &ctx->oiv, ctx->ivlen)) {
475 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
478 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
479 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->num)) {
480 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
483 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
484 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
485 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
488 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS_MAC);
490 && !OSSL_PARAM_set_octet_ptr(p, ctx->tlsmac, ctx->tlsmacsize)) {
491 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
497 int cipher_generic_set_ctx_params(void *vctx, const OSSL_PARAM params[])
499 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
502 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
506 if (!OSSL_PARAM_get_uint(p, &pad)) {
507 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
510 ctx->pad = pad ? 1 : 0;
512 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION);
514 if (!OSSL_PARAM_get_uint(p, &ctx->tlsversion)) {
515 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
519 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_MAC_SIZE);
521 if (!OSSL_PARAM_get_size_t(p, &ctx->tlsmacsize)) {
522 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
526 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
530 if (!OSSL_PARAM_get_uint(p, &num)) {
531 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
539 int cipher_generic_initiv(PROV_CIPHER_CTX *ctx, const unsigned char *iv,
542 if (ivlen != ctx->ivlen
543 || ivlen > sizeof(ctx->iv)) {
544 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
548 memcpy(ctx->iv, iv, ivlen);
549 memcpy(ctx->oiv, iv, ivlen);
553 void cipher_generic_initkey(void *vctx, size_t kbits, size_t blkbits,
554 size_t ivbits, unsigned int mode, uint64_t flags,
555 const PROV_CIPHER_HW *hw, void *provctx)
557 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
561 ctx->keylen = ((kbits) / 8);
562 ctx->ivlen = ((ivbits) / 8);
565 ctx->blocksize = blkbits / 8;
567 ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx); /* used for rand */