2 * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * Generic dispatch table functions for ciphers.
14 /* For SSL3_VERSION */
15 #include <openssl/ssl.h>
16 #include <openssl/proverr.h>
17 #include "ciphercommon_local.h"
18 #include "prov/provider_ctx.h"
19 #include "prov/providercommon.h"
22 * Generic cipher functions for OSSL_PARAM gettables and settables
24 static const OSSL_PARAM cipher_known_gettable_params[] = {
25 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_MODE, NULL),
26 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
27 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
28 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, NULL),
29 OSSL_PARAM_int(OSSL_CIPHER_PARAM_AEAD, NULL),
30 OSSL_PARAM_int(OSSL_CIPHER_PARAM_CUSTOM_IV, NULL),
31 OSSL_PARAM_int(OSSL_CIPHER_PARAM_CTS, NULL),
32 OSSL_PARAM_int(OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK, NULL),
33 { OSSL_CIPHER_PARAM_TLS_MAC, OSSL_PARAM_OCTET_PTR, NULL, 0, OSSL_PARAM_UNMODIFIED },
36 const OSSL_PARAM *ossl_cipher_generic_gettable_params(void *provctx)
38 return cipher_known_gettable_params;
41 int ossl_cipher_generic_get_params(OSSL_PARAM params[], unsigned int md,
43 size_t kbits, size_t blkbits, size_t ivbits)
47 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_MODE);
48 if (p != NULL && !OSSL_PARAM_set_uint(p, md)) {
49 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
52 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD);
54 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_AEAD) != 0)) {
55 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
58 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CUSTOM_IV);
60 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_CUSTOM_IV) != 0)) {
61 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
64 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS);
66 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_CTS) != 0)) {
67 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
70 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK);
72 && !OSSL_PARAM_set_int(p, (flags & PROV_CIPHER_FLAG_TLS1_MULTIBLOCK) != 0)) {
73 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
76 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
77 if (p != NULL && !OSSL_PARAM_set_size_t(p, kbits / 8)) {
78 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
81 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_BLOCK_SIZE);
82 if (p != NULL && !OSSL_PARAM_set_size_t(p, blkbits / 8)) {
83 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
86 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
87 if (p != NULL && !OSSL_PARAM_set_size_t(p, ivbits / 8)) {
88 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
94 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_cipher_generic)
95 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_cipher_generic)
97 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_cipher_generic)
98 OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS_VERSION, NULL),
99 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, NULL),
100 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_cipher_generic)
103 * Variable key length cipher functions for OSSL_PARAM settables
105 int ossl_cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[])
107 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
110 if (!ossl_cipher_generic_set_ctx_params(vctx, params))
112 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
116 if (!OSSL_PARAM_get_size_t(p, &keylen)) {
117 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
120 ctx->keylen = keylen;
125 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_cipher_var_keylen)
126 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
127 CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_cipher_var_keylen)
130 * AEAD cipher functions for OSSL_PARAM gettables and settables
132 static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
133 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
134 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
135 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
136 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
137 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0),
138 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
139 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
140 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
143 const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
144 ossl_unused void *provctx
147 return cipher_aead_known_gettable_ctx_params;
150 static const OSSL_PARAM cipher_aead_known_settable_ctx_params[] = {
151 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
152 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
153 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
154 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0),
155 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, NULL, 0),
158 const OSSL_PARAM *ossl_cipher_aead_settable_ctx_params(
159 ossl_unused void *provctx
162 return cipher_aead_known_settable_ctx_params;
165 void ossl_cipher_generic_reset_ctx(PROV_CIPHER_CTX *ctx)
167 if (ctx != NULL && ctx->alloced) {
168 OPENSSL_free(ctx->tlsmac);
174 static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
175 const unsigned char *key, size_t keylen,
176 const unsigned char *iv, size_t ivlen,
182 ctx->enc = enc ? 1 : 0;
184 if (!ossl_prov_is_running())
187 if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
188 if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
192 if (ctx->variable_keylength == 0) {
193 if (keylen != ctx->keylen) {
194 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEYLEN);
198 ctx->keylen = keylen;
200 return ctx->hw->init(ctx, key, ctx->keylen);
205 int ossl_cipher_generic_einit(void *vctx, const unsigned char *key,
206 size_t keylen, const unsigned char *iv,
209 return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
213 int ossl_cipher_generic_dinit(void *vctx, const unsigned char *key,
214 size_t keylen, const unsigned char *iv,
217 return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
221 /* Max padding including padding length byte */
222 #define MAX_PADDING 256
224 int ossl_cipher_generic_block_update(void *vctx, unsigned char *out,
225 size_t *outl, size_t outsize,
226 const unsigned char *in, size_t inl)
229 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
230 size_t blksz = ctx->blocksize;
233 if (ctx->tlsversion > 0) {
235 * Each update call corresponds to a TLS record and is individually
239 /* Sanity check inputs */
244 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
249 unsigned char padval;
254 padnum = blksz - (inl % blksz);
256 if (outsize < inl + padnum) {
257 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
261 if (padnum > MAX_PADDING) {
262 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
265 padval = (unsigned char)(padnum - 1);
266 if (ctx->tlsversion == SSL3_VERSION) {
268 memset(out + inl, 0, padnum - 1);
269 *(out + inl + padnum - 1) = padval;
271 /* we need to add 'padnum' padding bytes of value padval */
272 for (loop = inl; loop < inl + padnum; loop++)
278 if ((inl % blksz) != 0) {
279 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
284 /* Shouldn't normally fail */
285 if (!ctx->hw->cipher(ctx, out, in, inl)) {
286 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
291 OPENSSL_free(ctx->tlsmac);
296 /* This only fails if padding is publicly invalid */
299 && !tlsunpadblock(ctx->libctx, ctx->tlsversion, out, outl,
300 blksz, &ctx->tlsmac, &ctx->alloced,
301 ctx->tlsmacsize, 0)) {
302 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
309 nextblocks = fillblock(ctx->buf, &ctx->bufsz, blksz, &in, &inl);
311 nextblocks = inl & ~(blksz-1);
314 * If we're decrypting and we end an update on a block boundary we hold
315 * the last block back in case this is the last update call and the last
318 if (ctx->bufsz == blksz && (ctx->enc || inl > 0 || !ctx->pad)) {
319 if (outsize < blksz) {
320 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
323 if (!ctx->hw->cipher(ctx, out, ctx->buf, blksz)) {
324 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
331 if (nextblocks > 0) {
332 if (!ctx->enc && ctx->pad && nextblocks == inl) {
333 if (!ossl_assert(inl >= blksz)) {
334 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
339 outlint += nextblocks;
340 if (outsize < outlint) {
341 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
345 if (nextblocks > 0) {
346 if (!ctx->hw->cipher(ctx, out, in, nextblocks)) {
347 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
353 if (inl != 0 && !trailingdata(ctx->buf, &ctx->bufsz, blksz, &in, &inl)) {
354 /* ERR_raise already called */
362 int ossl_cipher_generic_block_final(void *vctx, unsigned char *out,
363 size_t *outl, size_t outsize)
365 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
366 size_t blksz = ctx->blocksize;
368 if (!ossl_prov_is_running())
371 if (ctx->tlsversion > 0) {
372 /* We never finalize TLS, so this is an error */
373 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
379 padblock(ctx->buf, &ctx->bufsz, blksz);
380 } else if (ctx->bufsz == 0) {
383 } else if (ctx->bufsz != blksz) {
384 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
388 if (outsize < blksz) {
389 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
392 if (!ctx->hw->cipher(ctx, out, ctx->buf, blksz)) {
393 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
402 if (ctx->bufsz != blksz) {
403 if (ctx->bufsz == 0 && !ctx->pad) {
407 ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
411 if (!ctx->hw->cipher(ctx, ctx->buf, ctx->buf, blksz)) {
412 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
416 if (ctx->pad && !unpadblock(ctx->buf, &ctx->bufsz, blksz)) {
417 /* ERR_raise already called */
421 if (outsize < ctx->bufsz) {
422 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
425 memcpy(out, ctx->buf, ctx->bufsz);
431 int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
432 size_t *outl, size_t outsize,
433 const unsigned char *in, size_t inl)
435 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
443 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
447 if (!ctx->hw->cipher(ctx, out, in, inl)) {
448 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
453 if (!ctx->enc && ctx->tlsversion > 0) {
455 * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and
456 * cipher_aes_cbc_hmac_sha256_hw.c
458 if (ctx->removetlspad) {
460 * We should have already failed in the cipher() call above if this
463 if (!ossl_assert(*outl >= (size_t)(out[inl - 1] + 1)))
465 /* The actual padding length */
466 *outl -= out[inl - 1] + 1;
469 /* TLS MAC and explicit IV if relevant. We should have already failed
470 * in the cipher() call above if *outl is too short.
472 if (!ossl_assert(*outl >= ctx->removetlsfixed))
474 *outl -= ctx->removetlsfixed;
476 /* Extract the MAC if there is one */
477 if (ctx->tlsmacsize > 0) {
478 if (*outl < ctx->tlsmacsize)
481 ctx->tlsmac = out + *outl - ctx->tlsmacsize;
482 *outl -= ctx->tlsmacsize;
488 int ossl_cipher_generic_stream_final(void *vctx, unsigned char *out,
489 size_t *outl, size_t outsize)
491 if (!ossl_prov_is_running())
498 int ossl_cipher_generic_cipher(void *vctx, unsigned char *out, size_t *outl,
499 size_t outsize, const unsigned char *in,
502 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
504 if (!ossl_prov_is_running())
508 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
512 if (!ctx->hw->cipher(ctx, out, in, inl)) {
513 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
521 int ossl_cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[])
523 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
526 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
527 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
528 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
531 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_PADDING);
532 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->pad)) {
533 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
536 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
538 && !OSSL_PARAM_set_octet_ptr(p, &ctx->oiv, ctx->ivlen)
539 && !OSSL_PARAM_set_octet_string(p, &ctx->oiv, ctx->ivlen)) {
540 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
543 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
545 && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)
546 && !OSSL_PARAM_set_octet_string(p, &ctx->iv, ctx->ivlen)) {
547 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
550 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM);
551 if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->num)) {
552 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
555 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
556 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
557 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
560 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_TLS_MAC);
562 && !OSSL_PARAM_set_octet_ptr(p, ctx->tlsmac, ctx->tlsmacsize)) {
563 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
569 int ossl_cipher_generic_set_ctx_params(void *vctx, const OSSL_PARAM params[])
571 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
574 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
578 if (!OSSL_PARAM_get_uint(p, &pad)) {
579 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
582 ctx->pad = pad ? 1 : 0;
584 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION);
586 if (!OSSL_PARAM_get_uint(p, &ctx->tlsversion)) {
587 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
591 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_MAC_SIZE);
593 if (!OSSL_PARAM_get_size_t(p, &ctx->tlsmacsize)) {
594 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
598 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_NUM);
602 if (!OSSL_PARAM_get_uint(p, &num)) {
603 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
611 int ossl_cipher_generic_initiv(PROV_CIPHER_CTX *ctx, const unsigned char *iv,
614 if (ivlen != ctx->ivlen
615 || ivlen > sizeof(ctx->iv)) {
616 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN);
620 memcpy(ctx->iv, iv, ivlen);
621 memcpy(ctx->oiv, iv, ivlen);
625 void ossl_cipher_generic_initkey(void *vctx, size_t kbits, size_t blkbits,
626 size_t ivbits, unsigned int mode,
627 uint64_t flags, const PROV_CIPHER_HW *hw,
630 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
632 if ((flags & PROV_CIPHER_FLAG_INVERSE_CIPHER) != 0)
633 ctx->inverse_cipher = 1;
634 if ((flags & PROV_CIPHER_FLAG_VARIABLE_LENGTH) != 0)
635 ctx->variable_keylength = 1;
638 ctx->keylen = ((kbits) / 8);
639 ctx->ivlen = ((ivbits) / 8);
642 ctx->blocksize = blkbits / 8;
644 ctx->libctx = PROV_LIBCTX_OF(provctx); /* used for rand */