2014-12-22 02:27:41 +00:00
|
|
|
/* Copyright (c) 2014, Google Inc.
|
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
|
|
|
|
#include <assert.h>
|
|
|
|
#include <limits.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include <openssl/aead.h>
|
|
|
|
#include <openssl/cipher.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/hmac.h>
|
2015-12-08 00:34:31 +00:00
|
|
|
#include <openssl/md5.h>
|
2014-12-22 02:27:41 +00:00
|
|
|
#include <openssl/mem.h>
|
|
|
|
#include <openssl/sha.h>
|
2015-02-28 08:59:33 +00:00
|
|
|
#include <openssl/type_check.h>
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
#include "../fipsmodule/cipher/internal.h"
|
2016-08-17 21:56:14 +01:00
|
|
|
#include "../internal.h"
|
2014-12-22 02:27:41 +00:00
|
|
|
#include "internal.h"
|
|
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
EVP_CIPHER_CTX cipher_ctx;
|
|
|
|
HMAC_CTX hmac_ctx;
|
2017-08-18 19:06:02 +01:00
|
|
|
// mac_key is the portion of the key used for the MAC. It is retained
|
|
|
|
// separately for the constant-time CBC code.
|
2014-12-22 02:27:41 +00:00
|
|
|
uint8_t mac_key[EVP_MAX_MD_SIZE];
|
|
|
|
uint8_t mac_key_len;
|
2017-08-18 19:06:02 +01:00
|
|
|
// implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
|
|
|
|
// IV.
|
2014-12-22 02:27:41 +00:00
|
|
|
char implicit_iv;
|
|
|
|
} AEAD_TLS_CTX;
|
|
|
|
|
2018-10-24 23:08:00 +01:00
|
|
|
OPENSSL_STATIC_ASSERT(EVP_MAX_MD_SIZE < 256,
|
|
|
|
"mac_key_len does not fit in uint8_t");
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2018-10-24 23:08:00 +01:00
|
|
|
OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
|
|
|
|
sizeof(AEAD_TLS_CTX),
|
|
|
|
"AEAD state is too small");
|
2018-10-16 20:11:51 +01:00
|
|
|
#if defined(__GNUC__) || defined(__clang__)
|
2018-10-24 23:08:00 +01:00
|
|
|
OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
|
|
|
|
alignof(AEAD_TLS_CTX),
|
|
|
|
"AEAD state has insufficient alignment");
|
2018-10-16 20:11:51 +01:00
|
|
|
#endif
|
|
|
|
|
2014-12-22 02:27:41 +00:00
|
|
|
static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
|
2018-10-16 20:11:51 +01:00
|
|
|
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
|
|
|
|
HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t tag_len, enum evp_aead_direction_t dir,
|
2015-03-07 08:10:27 +00:00
|
|
|
const EVP_CIPHER *cipher, const EVP_MD *md,
|
|
|
|
char implicit_iv) {
|
2014-12-22 02:27:41 +00:00
|
|
|
if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
|
|
|
|
tag_len != EVP_MD_size(md)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (key_len != EVP_AEAD_key_length(ctx->aead)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t mac_key_len = EVP_MD_size(md);
|
|
|
|
size_t enc_key_len = EVP_CIPHER_key_length(cipher);
|
2015-02-28 08:59:33 +00:00
|
|
|
assert(mac_key_len + enc_key_len +
|
|
|
|
(implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2018-10-16 20:11:51 +01:00
|
|
|
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
|
|
|
|
HMAC_CTX_init(&tls_ctx->hmac_ctx);
|
2015-02-28 08:59:33 +00:00
|
|
|
assert(mac_key_len <= EVP_MAX_MD_SIZE);
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len);
|
2014-12-22 02:27:41 +00:00
|
|
|
tls_ctx->mac_key_len = (uint8_t)mac_key_len;
|
|
|
|
tls_ctx->implicit_iv = implicit_iv;
|
|
|
|
|
2015-02-28 08:59:33 +00:00
|
|
|
if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
|
|
|
|
implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
|
|
|
|
dir == evp_aead_seal) ||
|
2014-12-22 02:27:41 +00:00
|
|
|
!HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
|
|
|
|
aead_tls_cleanup(ctx);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-07-22 00:27:54 +01:00
|
|
|
static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
|
|
|
|
const size_t extra_in_len) {
|
|
|
|
assert(extra_in_len == 0);
|
2018-10-16 20:11:51 +01:00
|
|
|
const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
|
2017-07-22 00:27:54 +01:00
|
|
|
|
|
|
|
const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx);
|
|
|
|
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
|
|
|
|
// The NULL cipher.
|
|
|
|
return hmac_len;
|
|
|
|
}
|
|
|
|
|
|
|
|
const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
|
2017-08-18 19:06:02 +01:00
|
|
|
// An overflow of |in_len + hmac_len| doesn't affect the result mod
|
|
|
|
// |block_size|, provided that |block_size| is a smaller power of two.
|
2017-07-22 00:27:54 +01:00
|
|
|
assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
|
|
|
|
const size_t pad_len = block_size - (in_len + hmac_len) % block_size;
|
|
|
|
return hmac_len + pad_len;
|
|
|
|
}
|
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
|
|
|
uint8_t *out_tag, size_t *out_tag_len,
|
2017-07-22 00:27:54 +01:00
|
|
|
const size_t max_out_tag_len,
|
|
|
|
const uint8_t *nonce, const size_t nonce_len,
|
|
|
|
const uint8_t *in, const size_t in_len,
|
|
|
|
const uint8_t *extra_in,
|
|
|
|
const size_t extra_in_len, const uint8_t *ad,
|
|
|
|
const size_t ad_len) {
|
2018-10-16 20:11:51 +01:00
|
|
|
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2015-02-28 08:59:33 +00:00
|
|
|
if (!tls_ctx->cipher_ctx.encrypt) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
|
2015-02-28 08:59:33 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
if (in_len > INT_MAX) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// EVP_CIPHER takes int as input.
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-07-22 00:27:54 +01:00
|
|
|
if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-01-14 22:24:53 +00:00
|
|
|
if (ad_len != 13 - 2 /* length bytes */) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// To allow for CBC mode which changes cipher length, |ad| doesn't include the
|
|
|
|
// length for legacy ciphers.
|
2014-12-22 02:27:41 +00:00
|
|
|
uint8_t ad_extra[2];
|
|
|
|
ad_extra[0] = (uint8_t)(in_len >> 8);
|
|
|
|
ad_extra[1] = (uint8_t)(in_len & 0xff);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Compute the MAC. This must be first in case the operation is being done
|
|
|
|
// in-place.
|
2014-12-22 02:27:41 +00:00
|
|
|
uint8_t mac[EVP_MAX_MD_SIZE];
|
|
|
|
unsigned mac_len;
|
2015-12-08 00:52:56 +00:00
|
|
|
if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
|
|
|
|
!HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||
|
|
|
|
!HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||
|
|
|
|
!HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||
|
|
|
|
!HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Configure the explicit IV.
|
2014-12-22 02:27:41 +00:00
|
|
|
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
|
|
|
|
!tls_ctx->implicit_iv &&
|
|
|
|
!EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Encrypt the input.
|
2014-12-22 02:27:41 +00:00
|
|
|
int len;
|
2017-06-06 20:29:48 +01:00
|
|
|
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Feed the MAC into the cipher in two steps. First complete the final partial
|
|
|
|
// block from encrypting the input and split the result between |out| and
|
|
|
|
// |out_tag|. Then feed the rest.
|
2017-06-06 20:29:48 +01:00
|
|
|
|
2017-12-21 21:30:28 +00:00
|
|
|
const size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
|
2017-06-06 20:29:48 +01:00
|
|
|
if (early_mac_len != 0) {
|
|
|
|
assert(len + block_size - early_mac_len == in_len);
|
|
|
|
uint8_t buf[EVP_MAX_BLOCK_LENGTH];
|
|
|
|
int buf_len;
|
|
|
|
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,
|
|
|
|
(int)early_mac_len)) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
assert(buf_len == (int)block_size);
|
|
|
|
OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
|
|
|
|
OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
|
|
|
|
}
|
|
|
|
size_t tag_len = early_mac_len;
|
|
|
|
|
|
|
|
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
|
|
|
|
mac + tag_len, mac_len - tag_len)) {
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2017-06-06 20:29:48 +01:00
|
|
|
tag_len += len;
|
2014-12-22 02:27:41 +00:00
|
|
|
|
|
|
|
if (block_size > 1) {
|
|
|
|
assert(block_size <= 256);
|
|
|
|
assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Compute padding and feed that into the cipher.
|
2014-12-22 02:27:41 +00:00
|
|
|
uint8_t padding[256];
|
|
|
|
unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memset(padding, padding_len - 1, padding_len);
|
2017-06-06 20:29:48 +01:00
|
|
|
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
|
|
|
|
padding, (int)padding_len)) {
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2017-06-06 20:29:48 +01:00
|
|
|
tag_len += len;
|
2014-12-22 02:27:41 +00:00
|
|
|
}
|
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2017-08-18 19:06:02 +01:00
|
|
|
assert(len == 0); // Padding is explicit.
|
2017-07-22 00:27:54 +01:00
|
|
|
assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
*out_tag_len = tag_len;
|
2014-12-22 02:27:41 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-06-06 20:29:48 +01:00
|
|
|
static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
|
|
|
|
size_t max_out_len, const uint8_t *nonce,
|
|
|
|
size_t nonce_len, const uint8_t *in, size_t in_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
const uint8_t *ad, size_t ad_len) {
|
2018-10-16 20:11:51 +01:00
|
|
|
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2015-02-28 08:59:33 +00:00
|
|
|
if (tls_ctx->cipher_ctx.encrypt) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
|
2015-02-28 08:59:33 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-12-22 02:27:41 +00:00
|
|
|
if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (max_out_len < in_len) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// This requires that the caller provide space for the MAC, even though it
|
|
|
|
// will always be removed on return.
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-01-14 22:24:53 +00:00
|
|
|
if (ad_len != 13 - 2 /* length bytes */) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (in_len > INT_MAX) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// EVP_CIPHER takes int as input.
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Configure the explicit IV.
|
2014-12-22 02:27:41 +00:00
|
|
|
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
|
|
|
|
!tls_ctx->implicit_iv &&
|
|
|
|
!EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Decrypt to get the plaintext + MAC + padding.
|
2014-12-22 02:27:41 +00:00
|
|
|
size_t total = 0;
|
|
|
|
int len;
|
|
|
|
if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
total += len;
|
|
|
|
if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
total += len;
|
|
|
|
assert(total == in_len);
|
|
|
|
|
Add start of infrastructure for checking constant-time properties.
Valgrind's checking of uninitialised memory behaves very much like a
check for constant-time code: branches and memory indexes based on
uninitialised memory trigger warnings. Therefore, if we can tell
Valgrind that some secret is “uninitialised”, it'll give us a warning if
we do something non-constant-time with it.
This was the idea behind https://github.com/agl/ctgrind. But tricks like
that are no longer needed because Valgrind now comes with support for
marking regions of memory as defined or not. Therefore we can use that
API to check constant-time code.
This CL defines |CONSTTIME_SECRET| and |CONSTTIME_DECLASSIFY|, which are
no-ops unless the code is built with
|BORINGSSL_CONSTANT_TIME_VALIDATION| defined, which it isn't by default.
So this CL is a no-op itself so far. But it does show that a couple of
bits of constant-time time are, in fact, constant-time—seemingly even
when compiled with optimisations, which is nice.
The annotations in the RSA code are a) probably not marking all the
secrets as secret, and b) triggers warnings that are a little
interesting:
The anti-glitch check calls |BN_mod_exp_mont| which checks that the
input is less than the modulus. Of course, it is because the input is
the RSA plaintext that we just decrypted, but the plaintext is supposed
to be secret and so branching based on its contents isn't allows by
Valgrind. The answer isn't totally clear, but I've run out of time on
this for now.
Change-Id: I1608ed0b22d201e97595fafe46127159e02d5b1b
Reviewed-on: https://boringssl-review.googlesource.com/c/33504
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2018-12-07 01:15:58 +00:00
|
|
|
CONSTTIME_SECRET(out, total);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Remove CBC padding. Code from here on is timing-sensitive with respect to
|
|
|
|
// |padding_ok| and |data_plus_mac_len| for CBC ciphers.
|
2017-04-20 21:51:11 +01:00
|
|
|
size_t data_plus_mac_len;
|
|
|
|
crypto_word_t padding_ok;
|
2014-12-22 02:27:41 +00:00
|
|
|
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
|
2016-08-10 04:36:43 +01:00
|
|
|
if (!EVP_tls_cbc_remove_padding(
|
|
|
|
&padding_ok, &data_plus_mac_len, out, total,
|
|
|
|
EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
|
2017-03-16 17:46:54 +00:00
|
|
|
HMAC_size(&tls_ctx->hmac_ctx))) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Publicly invalid. This can be rejected in non-constant time.
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
} else {
|
2017-04-20 21:51:11 +01:00
|
|
|
padding_ok = CONSTTIME_TRUE_W;
|
2014-12-22 02:27:41 +00:00
|
|
|
data_plus_mac_len = total;
|
2017-08-18 19:06:02 +01:00
|
|
|
// |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
|
|
|
|
// already been checked against the MAC size at the top of the function.
|
2014-12-22 02:27:41 +00:00
|
|
|
assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
|
|
|
|
}
|
2017-03-16 17:46:54 +00:00
|
|
|
size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// At this point, if the padding is valid, the first |data_plus_mac_len| bytes
|
|
|
|
// after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
|
|
|
|
// still large enough to extract a MAC, but it will be irrelevant.
|
2014-12-22 02:27:41 +00:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// To allow for CBC mode which changes cipher length, |ad| doesn't include the
|
|
|
|
// length for legacy ciphers.
|
2014-12-22 02:27:41 +00:00
|
|
|
uint8_t ad_fixed[13];
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memcpy(ad_fixed, ad, 11);
|
2014-12-22 02:27:41 +00:00
|
|
|
ad_fixed[11] = (uint8_t)(data_len >> 8);
|
|
|
|
ad_fixed[12] = (uint8_t)(data_len & 0xff);
|
|
|
|
ad_len += 2;
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Compute the MAC and extract the one in the record.
|
2014-12-22 02:27:41 +00:00
|
|
|
uint8_t mac[EVP_MAX_MD_SIZE];
|
|
|
|
size_t mac_len;
|
|
|
|
uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
|
|
|
|
uint8_t *record_mac;
|
|
|
|
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
|
2014-12-22 12:23:54 +00:00
|
|
|
EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {
|
|
|
|
if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
|
|
|
|
ad_fixed, out, data_plus_mac_len, total,
|
|
|
|
tls_ctx->mac_key, tls_ctx->mac_key_len)) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
|
|
|
|
|
|
|
|
record_mac = record_mac_tmp;
|
2014-12-22 12:23:54 +00:00
|
|
|
EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
|
2014-12-22 02:27:41 +00:00
|
|
|
} else {
|
2017-08-18 19:06:02 +01:00
|
|
|
// We should support the constant-time path for all CBC-mode ciphers
|
|
|
|
// implemented.
|
2014-12-22 02:27:41 +00:00
|
|
|
assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
|
|
|
|
|
|
|
|
unsigned mac_len_u;
|
2015-12-08 00:52:56 +00:00
|
|
|
if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
|
|
|
|
!HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||
|
|
|
|
!HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||
|
|
|
|
!HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
mac_len = mac_len_u;
|
|
|
|
|
|
|
|
assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
|
|
|
|
record_mac = &out[data_len];
|
|
|
|
}
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Perform the MAC check and the padding check in constant-time. It should be
|
|
|
|
// safe to simply perform the padding check first, but it would not be under a
|
|
|
|
// different choice of MAC location on padding failure. See
|
|
|
|
// EVP_tls_cbc_remove_padding.
|
2017-04-20 21:51:11 +01:00
|
|
|
crypto_word_t good =
|
2017-03-16 17:46:54 +00:00
|
|
|
constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
|
2016-08-10 04:36:43 +01:00
|
|
|
good &= padding_ok;
|
Add start of infrastructure for checking constant-time properties.
Valgrind's checking of uninitialised memory behaves very much like a
check for constant-time code: branches and memory indexes based on
uninitialised memory trigger warnings. Therefore, if we can tell
Valgrind that some secret is “uninitialised”, it'll give us a warning if
we do something non-constant-time with it.
This was the idea behind https://github.com/agl/ctgrind. But tricks like
that are no longer needed because Valgrind now comes with support for
marking regions of memory as defined or not. Therefore we can use that
API to check constant-time code.
This CL defines |CONSTTIME_SECRET| and |CONSTTIME_DECLASSIFY|, which are
no-ops unless the code is built with
|BORINGSSL_CONSTANT_TIME_VALIDATION| defined, which it isn't by default.
So this CL is a no-op itself so far. But it does show that a couple of
bits of constant-time time are, in fact, constant-time—seemingly even
when compiled with optimisations, which is nice.
The annotations in the RSA code are a) probably not marking all the
secrets as secret, and b) triggers warnings that are a little
interesting:
The anti-glitch check calls |BN_mod_exp_mont| which checks that the
input is less than the modulus. Of course, it is because the input is
the RSA plaintext that we just decrypted, but the plaintext is supposed
to be secret and so branching based on its contents isn't allows by
Valgrind. The answer isn't totally clear, but I've run out of time on
this for now.
Change-Id: I1608ed0b22d201e97595fafe46127159e02d5b1b
Reviewed-on: https://boringssl-review.googlesource.com/c/33504
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2018-12-07 01:15:58 +00:00
|
|
|
CONSTTIME_DECLASSIFY(&good, sizeof(good));
|
2014-12-22 02:27:41 +00:00
|
|
|
if (!good) {
|
2015-06-29 05:28:17 +01:00
|
|
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
2014-12-22 02:27:41 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
Add start of infrastructure for checking constant-time properties.
Valgrind's checking of uninitialised memory behaves very much like a
check for constant-time code: branches and memory indexes based on
uninitialised memory trigger warnings. Therefore, if we can tell
Valgrind that some secret is “uninitialised”, it'll give us a warning if
we do something non-constant-time with it.
This was the idea behind https://github.com/agl/ctgrind. But tricks like
that are no longer needed because Valgrind now comes with support for
marking regions of memory as defined or not. Therefore we can use that
API to check constant-time code.
This CL defines |CONSTTIME_SECRET| and |CONSTTIME_DECLASSIFY|, which are
no-ops unless the code is built with
|BORINGSSL_CONSTANT_TIME_VALIDATION| defined, which it isn't by default.
So this CL is a no-op itself so far. But it does show that a couple of
bits of constant-time time are, in fact, constant-time—seemingly even
when compiled with optimisations, which is nice.
The annotations in the RSA code are a) probably not marking all the
secrets as secret, and b) triggers warnings that are a little
interesting:
The anti-glitch check calls |BN_mod_exp_mont| which checks that the
input is less than the modulus. Of course, it is because the input is
the RSA plaintext that we just decrypted, but the plaintext is supposed
to be secret and so branching based on its contents isn't allows by
Valgrind. The answer isn't totally clear, but I've run out of time on
this for now.
Change-Id: I1608ed0b22d201e97595fafe46127159e02d5b1b
Reviewed-on: https://boringssl-review.googlesource.com/c/33504
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2018-12-07 01:15:58 +00:00
|
|
|
CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len));
|
|
|
|
CONSTTIME_DECLASSIFY(out, data_len);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// End of timing-sensitive code.
|
2014-12-22 02:27:41 +00:00
|
|
|
|
|
|
|
*out_len = data_len;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t key_len, size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha1(), 0);
|
|
|
|
}
|
|
|
|
|
2015-02-28 08:59:33 +00:00
|
|
|
static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
|
|
|
|
EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha1(), 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
|
|
|
|
const uint8_t *key, size_t key_len,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha256(), 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t key_len, size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha1(), 0);
|
|
|
|
}
|
|
|
|
|
2015-02-28 08:59:33 +00:00
|
|
|
static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
|
|
|
|
EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha1(), 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
|
|
|
|
const uint8_t *key, size_t key_len,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha256(), 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
|
|
|
|
const uint8_t *key, size_t key_len,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha384(), 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
|
|
|
|
const uint8_t *key, size_t key_len,
|
2015-02-28 08:59:33 +00:00
|
|
|
size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha1(), 0);
|
|
|
|
}
|
|
|
|
|
2015-02-28 08:59:33 +00:00
|
|
|
static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
|
|
|
|
EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
|
2014-12-22 02:27:41 +00:00
|
|
|
EVP_sha1(), 1);
|
|
|
|
}
|
|
|
|
|
2015-11-04 02:36:10 +00:00
|
|
|
static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
|
|
|
|
size_t *out_iv_len) {
|
2018-10-16 20:11:51 +01:00
|
|
|
const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
|
2015-11-04 02:36:10 +00:00
|
|
|
const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
|
|
|
|
if (iv_len <= 1) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
*out_iv = tls_ctx->cipher_ctx.iv;
|
|
|
|
*out_iv_len = iv_len;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2015-09-03 03:48:16 +01:00
|
|
|
static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
|
|
|
size_t key_len, size_t tag_len,
|
|
|
|
enum evp_aead_direction_t dir) {
|
|
|
|
return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
|
|
|
|
EVP_sha1(), 1 /* implicit iv */);
|
|
|
|
}
|
|
|
|
|
2014-12-22 02:27:41 +00:00
|
|
|
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128)
|
|
|
|
16, // nonce len (IV)
|
|
|
|
16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_128_cbc_sha1_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV)
|
|
|
|
0, // nonce len
|
|
|
|
16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_128_cbc_sha1_tls_implicit_iv_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
aead_tls_get_iv, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA256_DIGEST_LENGTH + 16, // key len (SHA256 + AES128)
|
|
|
|
16, // nonce len (IV)
|
|
|
|
16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)
|
|
|
|
SHA256_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_128_cbc_sha256_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH + 32, // key len (SHA1 + AES256)
|
|
|
|
16, // nonce len (IV)
|
|
|
|
16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_256_cbc_sha1_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV)
|
|
|
|
0, // nonce len
|
|
|
|
16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_256_cbc_sha1_tls_implicit_iv_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
aead_tls_get_iv, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA256_DIGEST_LENGTH + 32, // key len (SHA256 + AES256)
|
|
|
|
16, // nonce len (IV)
|
|
|
|
16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)
|
|
|
|
SHA256_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_256_cbc_sha256_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA384_DIGEST_LENGTH + 32, // key len (SHA384 + AES256)
|
|
|
|
16, // nonce len (IV)
|
|
|
|
16 + SHA384_DIGEST_LENGTH, // overhead (padding + SHA384)
|
|
|
|
SHA384_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_aes_256_cbc_sha384_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH + 24, // key len (SHA1 + 3DES)
|
|
|
|
8, // nonce len (IV)
|
|
|
|
8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_des_ede3_cbc_sha1_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV)
|
|
|
|
0, // nonce len
|
|
|
|
8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2014-12-22 02:27:41 +00:00
|
|
|
aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
aead_tls_get_iv, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2014-12-22 02:27:41 +00:00
|
|
|
};
|
|
|
|
|
2015-09-03 03:48:16 +01:00
|
|
|
static const EVP_AEAD aead_null_sha1_tls = {
|
2017-08-18 19:06:02 +01:00
|
|
|
SHA_DIGEST_LENGTH, // key len
|
|
|
|
0, // nonce len
|
|
|
|
SHA_DIGEST_LENGTH, // overhead (SHA1)
|
|
|
|
SHA_DIGEST_LENGTH, // max tag length
|
|
|
|
0, // seal_scatter_supports_extra_in
|
2017-06-23 22:49:22 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // init
|
2015-09-03 03:48:16 +01:00
|
|
|
aead_null_sha1_tls_init,
|
|
|
|
aead_tls_cleanup,
|
|
|
|
aead_tls_open,
|
2017-06-06 20:29:48 +01:00
|
|
|
aead_tls_seal_scatter,
|
2017-08-18 19:06:02 +01:00
|
|
|
NULL, // open_gather
|
|
|
|
NULL, // get_iv
|
2017-07-22 00:27:54 +01:00
|
|
|
aead_tls_tag_len,
|
2015-09-03 03:48:16 +01:00
|
|
|
};
|
|
|
|
|
2014-12-22 02:27:41 +00:00
|
|
|
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
|
|
|
|
return &aead_aes_128_cbc_sha1_tls;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
|
|
|
|
return &aead_aes_128_cbc_sha1_tls_implicit_iv;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
|
|
|
|
return &aead_aes_128_cbc_sha256_tls;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
|
|
|
|
return &aead_aes_256_cbc_sha1_tls;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {
|
|
|
|
return &aead_aes_256_cbc_sha1_tls_implicit_iv;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) {
|
|
|
|
return &aead_aes_256_cbc_sha256_tls;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {
|
|
|
|
return &aead_aes_256_cbc_sha384_tls;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
|
|
|
|
return &aead_des_ede3_cbc_sha1_tls;
|
|
|
|
}
|
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
|
|
|
|
return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
|
|
|
|
}
|
2015-09-03 03:48:16 +01:00
|
|
|
|
|
|
|
const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }
|