kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1050 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 5edc4e2a9b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5edc4e2a9b'
${ noResults }
boringssl/crypto/cipher/e_tls.c

613 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <assert.h>

  16. #include <limits.h>

  17. #include <string.h>

  18. 

  19. #include <openssl/aead.h>

  20. #include <openssl/cipher.h>

  21. #include <openssl/err.h>

  22. #include <openssl/hmac.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/sha.h>

  25. #include <openssl/type_check.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. typedef struct {

  32.   EVP_CIPHER_CTX cipher_ctx;

  33.   HMAC_CTX hmac_ctx;

  34.   /* mac_key is the portion of the key used for the MAC. It is retained

  35.    * separately for the constant-time CBC code. */

  36.   uint8_t mac_key[EVP_MAX_MD_SIZE];

  37.   uint8_t mac_key_len;

  38.   /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit

  39.    * IV. */

  40.   char implicit_iv;

  41. } AEAD_TLS_CTX;

  42. 

  43. OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);

  44. 

  45. static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {

  46.   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;

  47.   EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);

  48.   HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);

  49.   OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));

  50.   OPENSSL_free(tls_ctx);

  51.   ctx->aead_state = NULL;

  52. }

  53. 

  54. static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,

  55.                          size_t tag_len, enum evp_aead_direction_t dir,

  56.                          const EVP_CIPHER *cipher, const EVP_MD *md,

  57.                          char implicit_iv) {

  58.   if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&

  59.       tag_len != EVP_MD_size(md)) {

  60.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);

  61.     return 0;

  62.   }

  63. 

  64.   if (key_len != EVP_AEAD_key_length(ctx->aead)) {

  65.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_BAD_KEY_LENGTH);

  66.     return 0;

  67.   }

  68. 

  69.   size_t mac_key_len = EVP_MD_size(md);

  70.   size_t enc_key_len = EVP_CIPHER_key_length(cipher);

  71.   assert(mac_key_len + enc_key_len +

  72.          (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);

  73.   /* Although EVP_rc4() is a variable-length cipher, the default key size is

  74.    * correct for TLS. */

  75. 

  76.   AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));

  77.   if (tls_ctx == NULL) {

  78.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, ERR_R_MALLOC_FAILURE);

  79.     return 0;

  80.   }

  81.   EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);

  82.   HMAC_CTX_init(&tls_ctx->hmac_ctx);

  83.   assert(mac_key_len <= EVP_MAX_MD_SIZE);

  84.   memcpy(tls_ctx->mac_key, key, mac_key_len);

  85.   tls_ctx->mac_key_len = (uint8_t)mac_key_len;

  86.   tls_ctx->implicit_iv = implicit_iv;

  87. 

  88.   ctx->aead_state = tls_ctx;

  89.   if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],

  90.                          implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,

  91.                          dir == evp_aead_seal) ||

  92.       !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {

  93.     aead_tls_cleanup(ctx);

  94.     return 0;

  95.   }

  96.   EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);

  97. 

  98.   return 1;

  99. }

  100. 

  101. static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  102.                          size_t *out_len, size_t max_out_len,

  103.                          const uint8_t *nonce, size_t nonce_len,

  104.                          const uint8_t *in, size_t in_len,

  105.                          const uint8_t *ad, size_t ad_len) {

  106.   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;

  107.   size_t total = 0;

  108. 

  109.   if (!tls_ctx->cipher_ctx.encrypt) {

  110.     /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */

  111.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION);

  112.     return 0;

  113. 

  114.   }

  115. 

  116.   if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||

  117.       in_len > INT_MAX) {

  118.     /* EVP_CIPHER takes int as input. */

  119.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_TOO_LARGE);

  120.     return 0;

  121.   }

  122. 

  123.   if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {

  124.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_BUFFER_TOO_SMALL);

  125.     return 0;

  126.   }

  127. 

  128.   if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {

  129.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_NONCE_SIZE);

  130.     return 0;

  131.   }

  132. 

  133.   if (ad_len != 13 - 2 /* length bytes */) {

  134.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_AD_SIZE);

  135.     return 0;

  136.   }

  137. 

  138.   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the

  139.    * length for legacy ciphers. */

  140.   uint8_t ad_extra[2];

  141.   ad_extra[0] = (uint8_t)(in_len >> 8);

  142.   ad_extra[1] = (uint8_t)(in_len & 0xff);

  143. 

  144.   /* Compute the MAC. This must be first in case the operation is being done

  145.    * in-place. */

  146.   uint8_t mac[EVP_MAX_MD_SIZE];

  147.   unsigned mac_len;

  148.   HMAC_CTX hmac_ctx;

  149.   HMAC_CTX_init(&hmac_ctx);

  150.   if (!HMAC_CTX_copy_ex(&hmac_ctx, &tls_ctx->hmac_ctx) ||

  151.       !HMAC_Update(&hmac_ctx, ad, ad_len) ||

  152.       !HMAC_Update(&hmac_ctx, ad_extra, sizeof(ad_extra)) ||

  153.       !HMAC_Update(&hmac_ctx, in, in_len) ||

  154.       !HMAC_Final(&hmac_ctx, mac, &mac_len)) {

  155.     HMAC_CTX_cleanup(&hmac_ctx);

  156.     return 0;

  157.   }

  158.   HMAC_CTX_cleanup(&hmac_ctx);

  159. 

  160.   /* Configure the explicit IV. */

  161.   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&

  162.       !tls_ctx->implicit_iv &&

  163.       !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {

  164.     return 0;

  165.   }

  166. 

  167.   /* Encrypt the input. */

  168.   int len;

  169.   if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in,

  170.                          (int)in_len)) {

  171.     return 0;

  172.   }

  173.   total = len;

  174. 

  175.   /* Feed the MAC into the cipher. */

  176.   if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, mac,

  177.                          (int)mac_len)) {

  178.     return 0;

  179.   }

  180.   total += len;

  181. 

  182.   unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);

  183.   if (block_size > 1) {

  184.     assert(block_size <= 256);

  185.     assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);

  186. 

  187.     /* Compute padding and feed that into the cipher. */

  188.     uint8_t padding[256];

  189.     unsigned padding_len = block_size - ((in_len + mac_len) % block_size);

  190.     memset(padding, padding_len - 1, padding_len);

  191.     if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding,

  192.                            (int)padding_len)) {

  193.       return 0;

  194.     }

  195.     total += len;

  196.   }

  197. 

  198.   if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {

  199.     return 0;

  200.   }

  201.   total += len;

  202. 

  203.   *out_len = total;

  204.   return 1;

  205. }

  206. 

  207. static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  208.                          size_t *out_len, size_t max_out_len,

  209.                          const uint8_t *nonce, size_t nonce_len,

  210.                          const uint8_t *in, size_t in_len,

  211.                          const uint8_t *ad, size_t ad_len) {

  212.   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;

  213. 

  214.   if (tls_ctx->cipher_ctx.encrypt) {

  215.     /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */

  216.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION);

  217.     return 0;

  218. 

  219.   }

  220. 

  221.   if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {

  222.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);

  223.     return 0;

  224.   }

  225. 

  226.   if (max_out_len < in_len) {

  227.     /* This requires that the caller provide space for the MAC, even though it

  228.      * will always be removed on return. */

  229.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BUFFER_TOO_SMALL);

  230.     return 0;

  231.   }

  232. 

  233.   if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {

  234.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_NONCE_SIZE);

  235.     return 0;

  236.   }

  237. 

  238.   if (ad_len != 13 - 2 /* length bytes */) {

  239.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_AD_SIZE);

  240.     return 0;

  241.   }

  242. 

  243.   if (in_len > INT_MAX) {

  244.     /* EVP_CIPHER takes int as input. */

  245.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_TOO_LARGE);

  246.     return 0;

  247.   }

  248. 

  249.   /* Configure the explicit IV. */

  250.   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&

  251.       !tls_ctx->implicit_iv &&

  252.       !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {

  253.     return 0;

  254.   }

  255. 

  256.   /* Decrypt to get the plaintext + MAC + padding. */

  257.   size_t total = 0;

  258.   int len;

  259.   if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {

  260.     return 0;

  261.   }

  262.   total += len;

  263.   if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {

  264.     return 0;

  265.   }

  266.   total += len;

  267.   assert(total == in_len);

  268. 

  269.   /* Remove CBC padding. Code from here on is timing-sensitive with respect to

  270.    * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */

  271.   int padding_ok;

  272.   unsigned data_plus_mac_len, data_len;

  273.   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {

  274.     padding_ok = EVP_tls_cbc_remove_padding(

  275.         &data_plus_mac_len, out, total,

  276.         EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),

  277.         (unsigned)HMAC_size(&tls_ctx->hmac_ctx));

  278.     /* Publicly invalid. This can be rejected in non-constant time. */

  279.     if (padding_ok == 0) {

  280.       OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);

  281.       return 0;

  282.     }

  283.   } else {

  284.     padding_ok = 1;

  285.     data_plus_mac_len = total;

  286.     /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has

  287.      * already been checked against the MAC size at the top of the function. */

  288.     assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));

  289.   }

  290.   data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);

  291. 

  292.   /* At this point, |padding_ok| is 1 or -1. If 1, the padding is valid and the

  293.    * first |data_plus_mac_size| bytes after |out| are the plaintext and

  294.    * MAC. Either way, |data_plus_mac_size| is large enough to extract a MAC. */

  295. 

  296.   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the

  297.    * length for legacy ciphers. */

  298.   uint8_t ad_fixed[13];

  299.   memcpy(ad_fixed, ad, 11);

  300.   ad_fixed[11] = (uint8_t)(data_len >> 8);

  301.   ad_fixed[12] = (uint8_t)(data_len & 0xff);

  302.   ad_len += 2;

  303. 

  304.   /* Compute the MAC and extract the one in the record. */

  305.   uint8_t mac[EVP_MAX_MD_SIZE];

  306.   size_t mac_len;

  307.   uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];

  308.   uint8_t *record_mac;

  309.   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&

  310.       EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {

  311.     if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,

  312.                                    ad_fixed, out, data_plus_mac_len, total,

  313.                                    tls_ctx->mac_key, tls_ctx->mac_key_len)) {

  314.       OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);

  315.       return 0;

  316.     }

  317.     assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));

  318. 

  319.     record_mac = record_mac_tmp;

  320.     EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);

  321.   } else {

  322.     /* We should support the constant-time path for all CBC-mode ciphers

  323.      * implemented. */

  324.     assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);

  325. 

  326.     HMAC_CTX hmac_ctx;

  327.     HMAC_CTX_init(&hmac_ctx);

  328.     unsigned mac_len_u;

  329.     if (!HMAC_CTX_copy_ex(&hmac_ctx, &tls_ctx->hmac_ctx) ||

  330.         !HMAC_Update(&hmac_ctx, ad_fixed, ad_len) ||

  331.         !HMAC_Update(&hmac_ctx, out, data_len) ||

  332.         !HMAC_Final(&hmac_ctx, mac, &mac_len_u)) {

  333.       HMAC_CTX_cleanup(&hmac_ctx);

  334.       return 0;

  335.     }

  336.     mac_len = mac_len_u;

  337.     HMAC_CTX_cleanup(&hmac_ctx);

  338. 

  339.     assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));

  340.     record_mac = &out[data_len];

  341.   }

  342. 

  343.   /* Perform the MAC check and the padding check in constant-time. It should be

  344.    * safe to simply perform the padding check first, but it would not be under a

  345.    * different choice of MAC location on padding failure. See

  346.    * EVP_tls_cbc_remove_padding. */

  347.   unsigned good = constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len),

  348.                                        0);

  349.   good &= constant_time_eq_int(padding_ok, 1);

  350.   if (!good) {

  351.     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);

  352.     return 0;

  353.   }

  354. 

  355.   /* End of timing-sensitive code. */

  356. 

  357.   *out_len = data_len;

  358.   return 1;

  359. }

  360. 

  361. static int aead_rc4_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  362.                                   size_t key_len, size_t tag_len,

  363.                                   enum evp_aead_direction_t dir) {

  364.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1(),

  365.                        0);

  366. }

  367. 

  368. static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  369.                                           size_t key_len, size_t tag_len,

  370.                                           enum evp_aead_direction_t dir) {

  371.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),

  372.                        EVP_sha1(), 0);

  373. }

  374. 

  375. static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(

  376.     EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,

  377.     enum evp_aead_direction_t dir) {

  378.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),

  379.                        EVP_sha1(), 1);

  380. }

  381. 

  382. static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,

  383.                                             const uint8_t *key, size_t key_len,

  384.                                             size_t tag_len,

  385.                                             enum evp_aead_direction_t dir) {

  386.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),

  387.                        EVP_sha256(), 0);

  388. }

  389. 

  390. static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  391.                                           size_t key_len, size_t tag_len,

  392.                                           enum evp_aead_direction_t dir) {

  393.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),

  394.                        EVP_sha1(), 0);

  395. }

  396. 

  397. static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(

  398.     EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,

  399.     enum evp_aead_direction_t dir) {

  400.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),

  401.                        EVP_sha1(), 1);

  402. }

  403. 

  404. static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,

  405.                                             const uint8_t *key, size_t key_len,

  406.                                             size_t tag_len,

  407.                                             enum evp_aead_direction_t dir) {

  408.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),

  409.                        EVP_sha256(), 0);

  410. }

  411. 

  412. static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,

  413.                                             const uint8_t *key, size_t key_len,

  414.                                             size_t tag_len,

  415.                                             enum evp_aead_direction_t dir) {

  416.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),

  417.                        EVP_sha384(), 0);

  418. }

  419. 

  420. static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,

  421.                                            const uint8_t *key, size_t key_len,

  422.                                            size_t tag_len,

  423.                                            enum evp_aead_direction_t dir) {

  424.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),

  425.                        EVP_sha1(), 0);

  426. }

  427. 

  428. static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(

  429.     EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,

  430.     enum evp_aead_direction_t dir) {

  431.   return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),

  432.                        EVP_sha1(), 1);

  433. }

  434. 

  435. static int aead_rc4_sha1_tls_get_rc4_state(const EVP_AEAD_CTX *ctx,

  436.                                            const RC4_KEY **out_key) {

  437.   const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;

  438.   if (EVP_CIPHER_CTX_cipher(&tls_ctx->cipher_ctx) != EVP_rc4()) {

  439.     return 0;

  440.   }

  441. 

  442.   *out_key = (const RC4_KEY*) tls_ctx->cipher_ctx.cipher_data;

  443.   return 1;

  444. }

  445. 

  446. static const EVP_AEAD aead_rc4_sha1_tls = {

  447.     SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */

  448.     0,                      /* nonce len */

  449.     SHA_DIGEST_LENGTH,      /* overhead */

  450.     SHA_DIGEST_LENGTH,      /* max tag length */

  451.     NULL, /* init */

  452.     aead_rc4_sha1_tls_init,

  453.     aead_tls_cleanup,

  454.     aead_tls_seal,

  455.     aead_tls_open,

  456.     aead_rc4_sha1_tls_get_rc4_state, /* get_rc4_state */

  457. };

  458. 

  459. static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {

  460.     SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */

  461.     16,                     /* nonce len (IV) */

  462.     16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */

  463.     SHA_DIGEST_LENGTH,      /* max tag length */

  464.     NULL, /* init */

  465.     aead_aes_128_cbc_sha1_tls_init,

  466.     aead_tls_cleanup,

  467.     aead_tls_seal,

  468.     aead_tls_open,

  469.     NULL,                   /* get_rc4_state */

  470. };

  471. 

  472. static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {

  473.     SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */

  474.     0,                           /* nonce len */

  475.     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */

  476.     SHA_DIGEST_LENGTH,           /* max tag length */

  477.     NULL, /* init */

  478.     aead_aes_128_cbc_sha1_tls_implicit_iv_init,

  479.     aead_tls_cleanup,

  480.     aead_tls_seal,

  481.     aead_tls_open,

  482.     NULL,                        /* get_rc4_state */

  483. };

  484. 

  485. static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {

  486.     SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */

  487.     16,                        /* nonce len (IV) */

  488.     16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */

  489.     SHA_DIGEST_LENGTH,         /* max tag length */

  490.     NULL, /* init */

  491.     aead_aes_128_cbc_sha256_tls_init,

  492.     aead_tls_cleanup,

  493.     aead_tls_seal,

  494.     aead_tls_open,

  495.     NULL,                      /* get_rc4_state */

  496. };

  497. 

  498. static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {

  499.     SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */

  500.     16,                     /* nonce len (IV) */

  501.     16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */

  502.     SHA_DIGEST_LENGTH,      /* max tag length */

  503.     NULL, /* init */

  504.     aead_aes_256_cbc_sha1_tls_init,

  505.     aead_tls_cleanup,

  506.     aead_tls_seal,

  507.     aead_tls_open,

  508.     NULL,                   /* get_rc4_state */

  509. };

  510. 

  511. static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {

  512.     SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */

  513.     0,                           /* nonce len */

  514.     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */

  515.     SHA_DIGEST_LENGTH,           /* max tag length */

  516.     NULL, /* init */

  517.     aead_aes_256_cbc_sha1_tls_implicit_iv_init,

  518.     aead_tls_cleanup,

  519.     aead_tls_seal,

  520.     aead_tls_open,

  521.     NULL,                        /* get_rc4_state */

  522. };

  523. 

  524. static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {

  525.     SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */

  526.     16,                        /* nonce len (IV) */

  527.     16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */

  528.     SHA_DIGEST_LENGTH,         /* max tag length */

  529.     NULL, /* init */

  530.     aead_aes_256_cbc_sha256_tls_init,

  531.     aead_tls_cleanup,

  532.     aead_tls_seal,

  533.     aead_tls_open,

  534.     NULL,                      /* get_rc4_state */

  535. };

  536. 

  537. static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {

  538.     SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */

  539.     16,                        /* nonce len (IV) */

  540.     16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */

  541.     SHA_DIGEST_LENGTH,         /* max tag length */

  542.     NULL, /* init */

  543.     aead_aes_256_cbc_sha384_tls_init,

  544.     aead_tls_cleanup,

  545.     aead_tls_seal,

  546.     aead_tls_open,

  547.     NULL,                      /* get_rc4_state */

  548. };

  549. 

  550. static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {

  551.     SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */

  552.     8,                      /* nonce len (IV) */

  553.     8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */

  554.     SHA_DIGEST_LENGTH,      /* max tag length */

  555.     NULL, /* init */

  556.     aead_des_ede3_cbc_sha1_tls_init,

  557.     aead_tls_cleanup,

  558.     aead_tls_seal,

  559.     aead_tls_open,

  560.     NULL,                   /* get_rc4_state */

  561. };

  562. 

  563. static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {

  564.     SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */

  565.     0,                          /* nonce len */

  566.     8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */

  567.     SHA_DIGEST_LENGTH,          /* max tag length */

  568.     NULL, /* init */

  569.     aead_des_ede3_cbc_sha1_tls_implicit_iv_init,

  570.     aead_tls_cleanup,

  571.     aead_tls_seal,

  572.     aead_tls_open,

  573.     NULL,                       /* get_rc4_state */

  574. };

  575. 

  576. const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; }

  577. 

  578. const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {

  579.   return &aead_aes_128_cbc_sha1_tls;

  580. }

  581. 

  582. const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {

  583.   return &aead_aes_128_cbc_sha1_tls_implicit_iv;

  584. }

  585. 

  586. const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {

  587.   return &aead_aes_128_cbc_sha256_tls;

  588. }

  589. 

  590. const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {

  591.   return &aead_aes_256_cbc_sha1_tls;

  592. }

  593. 

  594. const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {

  595.   return &aead_aes_256_cbc_sha1_tls_implicit_iv;

  596. }

  597. 

  598. const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) {

  599.   return &aead_aes_256_cbc_sha256_tls;

  600. }

  601. 

  602. const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {

  603.   return &aead_aes_256_cbc_sha384_tls;

  604. }

  605. 

  606. const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {

  607.   return &aead_des_ede3_cbc_sha1_tls;

  608. }

  609. 

  610. const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {

  611.   return &aead_des_ede3_cbc_sha1_tls_implicit_iv;

  612. }