1 /* Copyright (c) 2014, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <assert.h>
16 #include <limits.h>
17 #include <string.h>
18 
19 #include <openssl/aead.h>
20 #include <openssl/cipher.h>
21 #include <openssl/err.h>
22 #include <openssl/hmac.h>
23 #include <openssl/md5.h>
24 #include <openssl/mem.h>
25 #include <openssl/sha.h>
26 #include <openssl/type_check.h>
27 
28 #include "../fipsmodule/cipher/internal.h"
29 #include "../internal.h"
30 #include "internal.h"
31 
32 
// AEAD_TLS_CTX is the per-context state behind the legacy TLS cipher suites
// implemented in this file (CBC block ciphers and the NULL cipher, each paired
// with an HMAC, in MAC-then-encrypt order). It is stored inline in
// |EVP_AEAD_CTX::state|; the static assertions below guarantee that the
// reserved state area is large enough and sufficiently aligned to hold it.
typedef struct {
  // cipher_ctx carries the encrypt/decrypt direction (|encrypt|), the
  // no-padding setting and, for CBC, the running IV.
  EVP_CIPHER_CTX cipher_ctx;
  HMAC_CTX hmac_ctx;
  // mac_key is the portion of the key used for the MAC. It is retained
  // separately for the constant-time CBC code, which digests records with the
  // raw key rather than through |hmac_ctx|.
  uint8_t mac_key[EVP_MAX_MD_SIZE];
  // mac_key_len is the digest size of the suite's hash; it always fits in a
  // byte (see the assertion on EVP_MAX_MD_SIZE below).
  uint8_t mac_key_len;
  // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
  // IV. In that case the IV is taken from the key material at init time and the
  // nonce length is zero.
  char implicit_iv;
} AEAD_TLS_CTX;

OPENSSL_STATIC_ASSERT(EVP_MAX_MD_SIZE < 256,
                      "mac_key_len does not fit in uint8_t");

OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
                          sizeof(AEAD_TLS_CTX),
                      "AEAD state is too small");
#if defined(__GNUC__) || defined(__clang__)
OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
                          alignof(AEAD_TLS_CTX),
                      "AEAD state has insufficient alignment");
#endif
56 
// aead_tls_cleanup releases the HMAC and cipher state embedded in |ctx|. The
// MAC key bytes kept in |AEAD_TLS_CTX::mac_key| are not wiped here;
// presumably the generic EVP_AEAD_CTX teardown zeroes the whole |state| area
// afterwards -- confirm against the caller.
static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
  AEAD_TLS_CTX *state = (AEAD_TLS_CTX *)&ctx->state;
  HMAC_CTX_cleanup(&state->hmac_ctx);
  EVP_CIPHER_CTX_cleanup(&state->cipher_ctx);
}
62 
// aead_tls_init configures |ctx| for a legacy TLS suite built from |cipher|
// (CBC or NULL) and |md| (HMAC). |key| is laid out as
//   MAC key || cipher key [|| IV, only when |implicit_iv| is set]
// where the MAC key is |EVP_MD_size(md)| bytes. |dir| locks the context to
// either sealing or opening. |tag_len| must be the default or the digest size.
// Returns one on success. On failure it returns zero with an error pushed and
// any partially initialised state already cleaned up.
static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
                         size_t tag_len, enum evp_aead_direction_t dir,
                         const EVP_CIPHER *cipher, const EVP_MD *md,
                         char implicit_iv) {
  const size_t md_len = EVP_MD_size(md);
  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != md_len) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
    return 0;
  }
  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0;
  }

  // Split the key material according to the layout described above.
  const size_t cipher_key_len = EVP_CIPHER_key_length(cipher);
  const uint8_t *cipher_key = key + md_len;
  const uint8_t *iv = implicit_iv ? cipher_key + cipher_key_len : NULL;
  assert(md_len + cipher_key_len +
             (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) ==
         key_len);
  assert(md_len <= EVP_MAX_MD_SIZE);

  AEAD_TLS_CTX *state = (AEAD_TLS_CTX *)&ctx->state;
  EVP_CIPHER_CTX_init(&state->cipher_ctx);
  HMAC_CTX_init(&state->hmac_ctx);
  // The raw MAC key is kept for the constant-time CBC record digest.
  OPENSSL_memcpy(state->mac_key, key, md_len);
  state->mac_key_len = (uint8_t)md_len;
  state->implicit_iv = implicit_iv;

  const int encrypting = dir == evp_aead_seal;
  if (!EVP_CipherInit_ex(&state->cipher_ctx, cipher, NULL, cipher_key, iv,
                         encrypting)) {
    goto err;
  }
  if (!HMAC_Init_ex(&state->hmac_ctx, key, md_len, md, NULL)) {
    goto err;
  }
  // TLS padding is produced and stripped by hand in seal/open, so the cipher
  // itself must not pad.
  EVP_CIPHER_CTX_set_padding(&state->cipher_ctx, 0);
  return 1;

err:
  aead_tls_cleanup(ctx);
  return 0;
}
102 
// aead_tls_tag_len returns how many bytes aead_tls_seal_scatter writes to
// |out_tag| for an |in_len|-byte record: the MAC, plus, for CBC suites, the
// TLS padding that rounds |in_len| + MAC up to a whole number of blocks
// (always at least one byte). |extra_in_len| must be zero; these suites do
// not support extra input.
static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
                               const size_t extra_in_len) {
  assert(extra_in_len == 0);
  const AEAD_TLS_CTX *state = (const AEAD_TLS_CTX *)&ctx->state;
  const size_t mac_len = HMAC_size(&state->hmac_ctx);

  const int is_cbc =
      EVP_CIPHER_CTX_mode(&state->cipher_ctx) == EVP_CIPH_CBC_MODE;
  if (!is_cbc) {
    // Only the NULL cipher is non-CBC here: no padding, just the MAC.
    return mac_len;
  }

  const size_t block = EVP_CIPHER_CTX_block_size(&state->cipher_ctx);
  // |block| is a power of two, so even a wrapped |in_len + mac_len| yields the
  // correct residue and the padding length is unaffected.
  assert(block != 0 && (block & (block - 1)) == 0);
  const size_t used = (in_len + mac_len) % block;
  return mac_len + (block - used);
}
121 
// aead_tls_seal_scatter MAC-then-encrypts one TLS record. |ad| is the 11-byte
// record header without the length field; the length is appended here (as
// |ad_extra|) because CBC padding changes the on-the-wire length. The
// ciphertext of |in| goes to |out|, which the caller must size to |in_len|
// bytes -- this entry point has no |max_out_len| for |out|. The encrypted
// remainder of the MAC plus the TLS padding goes to |out_tag|, whose length is
// exactly aead_tls_tag_len(). In-place use (|in| == |out|) is supported, which
// is why the MAC is computed before anything is encrypted. For explicit-IV
// suites |nonce| is used directly as the record IV; it is not checked for
// freshness or unpredictability, so that is the caller's responsibility.
// Returns one on success and zero on error.
static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                 uint8_t *out_tag, size_t *out_tag_len,
                                 const size_t max_out_tag_len,
                                 const uint8_t *nonce, const size_t nonce_len,
                                 const uint8_t *in, const size_t in_len,
                                 const uint8_t *extra_in,
                                 const size_t extra_in_len, const uint8_t *ad,
                                 const size_t ad_len) {
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;

  if (!tls_ctx->cipher_ctx.encrypt) {
    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }

  if (in_len > INT_MAX) {
    // EVP_CIPHER takes int as input.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
    return 0;
  }

  // A TLS record header is 13 bytes; the caller omits the two length bytes.
  if (ad_len != 13 - 2 /* length bytes */) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    return 0;
  }

  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
  // length for legacy ciphers.
  uint8_t ad_extra[2];
  ad_extra[0] = (uint8_t)(in_len >> 8);
  ad_extra[1] = (uint8_t)(in_len & 0xff);

  // Compute the MAC. This must be first in case the operation is being done
  // in-place.
  uint8_t mac[EVP_MAX_MD_SIZE];
  unsigned mac_len;
  if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
      !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||
      !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||
      !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||
      !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {
    return 0;
  }

  // Configure the explicit IV. Implicit-IV suites keep chaining from the IV
  // already held in |cipher_ctx|.
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
      !tls_ctx->implicit_iv &&
      !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
    return 0;
  }

  // Encrypt the input. With padding disabled this emits only whole blocks, so
  // |len| may be short of |in_len| by a partial block, completed below.
  int len;
  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
    return 0;
  }

  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);

  // Feed the MAC into the cipher in two steps. First complete the final partial
  // block from encrypting the input and split the result between |out| and
  // |out_tag|. Then feed the rest.

  const size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
  if (early_mac_len != 0) {
    assert(len + block_size - early_mac_len == in_len);
    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
    int buf_len;
    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,
                           (int)early_mac_len)) {
      return 0;
    }
    assert(buf_len == (int)block_size);
    // The completed block straddles the two outputs: the part covering |in|
    // goes to |out|, the part covering the MAC to |out_tag|.
    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
  }
  size_t tag_len = early_mac_len;

  // The remaining MAC bytes, not already consumed by the partial block.
  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
                         mac + tag_len, mac_len - tag_len)) {
    return 0;
  }
  tag_len += len;

  // A block size of one means no padding is needed; the assertion below pins
  // every larger block size to CBC mode.
  if (block_size > 1) {
    assert(block_size <= 256);
    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);

    // Compute padding and feed that into the cipher. TLS padding is
    // |padding_len| bytes each holding the value |padding_len - 1|, and there
    // is always at least one byte of it.
    uint8_t padding[256];
    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
    OPENSSL_memset(padding, padding_len - 1, padding_len);
    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
                           padding, (int)padding_len)) {
      return 0;
    }
    tag_len += len;
  }

  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
    return 0;
  }
  assert(len == 0);  // Padding is explicit.
  assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));

  *out_tag_len = tag_len;
  return 1;
}
241 
// aead_tls_open decrypts and authenticates one MAC-then-encrypt TLS record.
// |in| is the whole ciphertext, including the encrypted MAC and padding, and
// |out| must have room for all |in_len| bytes even though only the plaintext
// length is reported in |*out_len|. |ad| is the 11-byte header without the
// length, which is rebuilt from the recovered plaintext length. For CBC
// suites, everything from CONSTTIME_SECRET to the final declassification is
// written so that its timing does not depend on whether the padding was valid
// or on where the MAC sits in the decrypted buffer; this is what keeps a
// padding-oracle timing side channel from being exposed to the peer. Bad
// padding and a bad MAC are both reported as CIPHER_R_BAD_DECRYPT, so the
// error code does not distinguish them either. Returns one on success.
static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
                         size_t max_out_len, const uint8_t *nonce,
                         size_t nonce_len, const uint8_t *in, size_t in_len,
                         const uint8_t *ad, size_t ad_len) {
  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;

  if (tls_ctx->cipher_ctx.encrypt) {
    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }

  // The record must at least hold a MAC. For CBC, a non-block-multiple
  // |in_len| is presumably rejected later by EVP_DecryptFinal_ex, since
  // padding is disabled on the cipher -- confirm.
  if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  if (max_out_len < in_len) {
    // This requires that the caller provide space for the MAC, even though it
    // will always be removed on return.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
    return 0;
  }

  // A TLS record header is 13 bytes; the caller omits the two length bytes.
  if (ad_len != 13 - 2 /* length bytes */) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    return 0;
  }

  if (in_len > INT_MAX) {
    // EVP_CIPHER takes int as input.
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  // Configure the explicit IV. Implicit-IV suites keep chaining from the IV
  // already held in |cipher_ctx|.
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
      !tls_ctx->implicit_iv &&
      !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
    return 0;
  }

  // Decrypt to get the plaintext + MAC + padding.
  size_t total = 0;
  int len;
  if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
    return 0;
  }
  total += len;
  if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
    return 0;
  }
  total += len;
  assert(total == in_len);

  // From here on the decrypted bytes are treated as secret: branching or
  // indexing on them would leak padding/MAC position information.
  CONSTTIME_SECRET(out, total);

  // Remove CBC padding. Code from here on is timing-sensitive with respect to
  // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
  size_t data_plus_mac_len;
  crypto_word_t padding_ok;
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
    if (!EVP_tls_cbc_remove_padding(
            &padding_ok, &data_plus_mac_len, out, total,
            EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
            HMAC_size(&tls_ctx->hmac_ctx))) {
      // Publicly invalid. This can be rejected in non-constant time.
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
  } else {
    padding_ok = CONSTTIME_TRUE_W;
    data_plus_mac_len = total;
    // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
    // already been checked against the MAC size at the top of the function.
    assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
  }
  size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);

  // At this point, if the padding is valid, the first |data_plus_mac_len| bytes
  // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
  // still large enough to extract a MAC, but it will be irrelevant.

  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
  // length for legacy ciphers. |ad_len| is exactly 11 here (checked above), so
  // the fixed 13-byte copy below is in bounds.
  uint8_t ad_fixed[13];
  OPENSSL_memcpy(ad_fixed, ad, 11);
  ad_fixed[11] = (uint8_t)(data_len >> 8);
  ad_fixed[12] = (uint8_t)(data_len & 0xff);
  ad_len += 2;

  // Compute the MAC and extract the one in the record.
  uint8_t mac[EVP_MAX_MD_SIZE];
  size_t mac_len;
  uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
  uint8_t *record_mac;
  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
      EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {
    // Constant-time path: the record is digested with the raw MAC key over
    // the whole |total| bytes so that, presumably, the amount of hashing does
    // not reveal the secret |data_plus_mac_len| -- see EVP_tls_cbc_digest_record.
    if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
                                   ad_fixed, out, data_plus_mac_len, total,
                                   tls_ctx->mac_key, tls_ctx->mac_key_len)) {
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));

    // The record's MAC is copied out without branching on its position.
    record_mac = record_mac_tmp;
    EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
  } else {
    // We should support the constant-time path for all CBC-mode ciphers
    // implemented.
    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);

    // NULL cipher: there is no padding, so |data_len| is public and a plain
    // HMAC over the header and plaintext suffices.
    unsigned mac_len_u;
    if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
        !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||
        !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||
        !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {
      return 0;
    }
    mac_len = mac_len_u;

    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
    record_mac = &out[data_len];
  }

  // Perform the MAC check and the padding check in constant-time. It should be
  // safe to simply perform the padding check first, but it would not be under a
  // different choice of MAC location on padding failure. See
  // EVP_tls_cbc_remove_padding.
  // CRYPTO_memcmp runs in constant time; its result is widened to an all-ones
  // or all-zeros mask before being AND'd with |padding_ok|, so a single
  // branch decides both checks together.
  crypto_word_t good =
      constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
  good &= padding_ok;
  CONSTTIME_DECLASSIFY(&good, sizeof(good));
  if (!good) {
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  // Authentication succeeded, so the plaintext and its length may now be
  // treated as public.
  CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len));
  CONSTTIME_DECLASSIFY(out, data_len);

  // End of timing-sensitive code.

  *out_len = data_len;
  return 1;
}
394 
// aead_aes_128_cbc_sha1_tls_init: AES-128-CBC with HMAC-SHA1 and an explicit
// (TLS 1.1+) per-record IV supplied as the nonce.
static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                          size_t key_len, size_t tag_len,
                                          enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_128_cbc();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       0 /* explicit iv */);
}
401 
// aead_aes_128_cbc_sha1_tls_implicit_iv_init: AES-128-CBC with HMAC-SHA1 for
// pre-TLS-1.1, where the IV is part of the key and chains across records.
static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
    enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_128_cbc();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       1 /* implicit iv */);
}
408 
// aead_aes_128_cbc_sha256_tls_init: AES-128-CBC with HMAC-SHA256 and an
// explicit per-record IV.
static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
                                            const uint8_t *key, size_t key_len,
                                            size_t tag_len,
                                            enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_128_cbc();
  const EVP_MD *md = EVP_sha256();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       0 /* explicit iv */);
}
416 
// aead_aes_256_cbc_sha1_tls_init: AES-256-CBC with HMAC-SHA1 and an explicit
// per-record IV.
static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                          size_t key_len, size_t tag_len,
                                          enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       0 /* explicit iv */);
}
423 
// aead_aes_256_cbc_sha1_tls_implicit_iv_init: AES-256-CBC with HMAC-SHA1 for
// pre-TLS-1.1, where the IV is part of the key and chains across records.
static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
    enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       1 /* implicit iv */);
}
430 
// aead_aes_256_cbc_sha256_tls_init: AES-256-CBC with HMAC-SHA256 and an
// explicit per-record IV.
static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
                                            const uint8_t *key, size_t key_len,
                                            size_t tag_len,
                                            enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  const EVP_MD *md = EVP_sha256();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       0 /* explicit iv */);
}
438 
// aead_aes_256_cbc_sha384_tls_init: AES-256-CBC with HMAC-SHA384 and an
// explicit per-record IV.
static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
                                            const uint8_t *key, size_t key_len,
                                            size_t tag_len,
                                            enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  const EVP_MD *md = EVP_sha384();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       0 /* explicit iv */);
}
446 
// aead_des_ede3_cbc_sha1_tls_init: 3DES-CBC with HMAC-SHA1 and an explicit
// per-record IV. (3DES has a 64-bit block; see the 8-byte nonce/overhead in
// its EVP_AEAD table.)
static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
                                           const uint8_t *key, size_t key_len,
                                           size_t tag_len,
                                           enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       0 /* explicit iv */);
}
454 
// aead_des_ede3_cbc_sha1_tls_implicit_iv_init: 3DES-CBC with HMAC-SHA1 for
// pre-TLS-1.1, where the IV is part of the key and chains across records.
static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
    enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       1 /* implicit iv */);
}
461 
// aead_tls_get_iv exposes the cipher's current IV -- for CBC, the chaining
// state that the next record will continue from. It is wired up only for the
// implicit-IV suites (see the EVP_AEAD tables), which need it to carry the IV
// across records. Returns zero without touching the outputs when the cipher
// reports an IV of at most one byte.
static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
                           size_t *out_iv_len) {
  const AEAD_TLS_CTX *state = (const AEAD_TLS_CTX *)&ctx->state;
  const size_t len = EVP_CIPHER_CTX_iv_length(&state->cipher_ctx);
  if (len > 1) {
    *out_iv = state->cipher_ctx.iv;
    *out_iv_len = len;
    return 1;
  }
  return 0;
}
474 
// aead_null_sha1_tls_init: the NULL cipher with HMAC-SHA1, i.e. integrity
// only, no confidentiality. It is registered as implicit-IV (the cipher has
// no IV, so no extra key material is consumed) and uses a zero-length nonce.
static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                   size_t key_len, size_t tag_len,
                                   enum evp_aead_direction_t dir) {
  const EVP_CIPHER *cipher = EVP_enc_null();
  const EVP_MD *md = EVP_sha1();
  return aead_tls_init(ctx, key, key_len, tag_len, dir, cipher, md,
                       1 /* implicit iv */);
}
481 
// EVP_AEAD tables for the legacy suites. The positional initialisers are, in
// order: key length, nonce length, worst-case overhead, maximum tag length,
// whether seal_scatter accepts extra input, then the function pointers. The
// overhead is a full block of padding plus the MAC, which is the most that
// aead_tls_tag_len can report. Explicit-IV variants take the record IV as
// the nonce; implicit-IV variants carry it inside the key (so the key length
// includes it and the nonce length is zero) and expose the running IV through
// aead_tls_get_iv. The first function slot (commented "init") is left NULL
// in every table; presumably that is the direction-agnostic initialiser,
// which these direction-locked suites do not offer -- confirm against the
// EVP_AEAD definition.
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
    SHA_DIGEST_LENGTH + 16,  // key len (SHA1 + AES128)
    16,                      // nonce len (IV)
    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
    SHA_DIGEST_LENGTH,       // max tag length
    0,                       // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_128_cbc_sha1_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
    0,                            // nonce len (IV lives in the key)
    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
    SHA_DIGEST_LENGTH,            // max tag length
    0,                            // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_128_cbc_sha1_tls_implicit_iv_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,             // open_gather
    aead_tls_get_iv,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
    SHA256_DIGEST_LENGTH + 16,  // key len (SHA256 + AES128)
    16,                         // nonce len (IV)
    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
    SHA256_DIGEST_LENGTH,       // max tag length
    0,                          // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_128_cbc_sha256_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
    SHA_DIGEST_LENGTH + 32,  // key len (SHA1 + AES256)
    16,                      // nonce len (IV)
    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
    SHA_DIGEST_LENGTH,       // max tag length
    0,                       // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_256_cbc_sha1_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
    0,                            // nonce len (IV lives in the key)
    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
    SHA_DIGEST_LENGTH,            // max tag length
    0,                            // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_256_cbc_sha1_tls_implicit_iv_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,             // open_gather
    aead_tls_get_iv,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
    SHA256_DIGEST_LENGTH + 32,  // key len (SHA256 + AES256)
    16,                         // nonce len (IV)
    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
    SHA256_DIGEST_LENGTH,       // max tag length
    0,                          // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_256_cbc_sha256_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
    SHA384_DIGEST_LENGTH + 32,  // key len (SHA384 + AES256)
    16,                         // nonce len (IV)
    16 + SHA384_DIGEST_LENGTH,  // overhead (padding + SHA384)
    SHA384_DIGEST_LENGTH,       // max tag length
    0,                          // seal_scatter_supports_extra_in

    NULL,  // init
    aead_aes_256_cbc_sha384_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};

// 3DES has an 8-byte block, hence the smaller IV and padding overhead.
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
    SHA_DIGEST_LENGTH + 24,  // key len (SHA1 + 3DES)
    8,                       // nonce len (IV)
    8 + SHA_DIGEST_LENGTH,   // overhead (padding + SHA1)
    SHA_DIGEST_LENGTH,       // max tag length
    0,                       // seal_scatter_supports_extra_in

    NULL,  // init
    aead_des_ede3_cbc_sha1_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};

static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
    0,                           // nonce len (IV lives in the key)
    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
    SHA_DIGEST_LENGTH,           // max tag length
    0,                           // seal_scatter_supports_extra_in

    NULL,  // init
    aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,             // open_gather
    aead_tls_get_iv,  // get_iv
    aead_tls_tag_len,
};

// Integrity only: no cipher key, no IV, no padding; the overhead is the MAC.
static const EVP_AEAD aead_null_sha1_tls = {
    SHA_DIGEST_LENGTH,  // key len
    0,                  // nonce len
    SHA_DIGEST_LENGTH,  // overhead (SHA1)
    SHA_DIGEST_LENGTH,  // max tag length
    0,                  // seal_scatter_supports_extra_in

    NULL,  // init
    aead_null_sha1_tls_init,
    aead_tls_cleanup,
    aead_tls_open,
    aead_tls_seal_scatter,
    NULL,  // open_gather
    NULL,  // get_iv
    aead_tls_tag_len,
};
651 
// EVP_aead_aes_128_cbc_sha1_tls returns the AES-128-CBC / HMAC-SHA1 TLS suite
// with an explicit record IV.
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
  const EVP_AEAD *aead = &aead_aes_128_cbc_sha1_tls;
  return aead;
}
655 
// EVP_aead_aes_128_cbc_sha1_tls_implicit_iv returns the AES-128-CBC /
// HMAC-SHA1 TLS suite whose IV is part of the key (pre-TLS-1.1).
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
  const EVP_AEAD *aead = &aead_aes_128_cbc_sha1_tls_implicit_iv;
  return aead;
}
659 
// EVP_aead_aes_128_cbc_sha256_tls returns the AES-128-CBC / HMAC-SHA256 TLS
// suite with an explicit record IV.
const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
  const EVP_AEAD *aead = &aead_aes_128_cbc_sha256_tls;
  return aead;
}
663 
// EVP_aead_aes_256_cbc_sha1_tls returns the AES-256-CBC / HMAC-SHA1 TLS suite
// with an explicit record IV.
const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
  const EVP_AEAD *aead = &aead_aes_256_cbc_sha1_tls;
  return aead;
}
667 
// EVP_aead_aes_256_cbc_sha1_tls_implicit_iv returns the AES-256-CBC /
// HMAC-SHA1 TLS suite whose IV is part of the key (pre-TLS-1.1).
const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {
  const EVP_AEAD *aead = &aead_aes_256_cbc_sha1_tls_implicit_iv;
  return aead;
}
671 
// EVP_aead_aes_256_cbc_sha256_tls returns the AES-256-CBC / HMAC-SHA256 TLS
// suite with an explicit record IV.
const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) {
  const EVP_AEAD *aead = &aead_aes_256_cbc_sha256_tls;
  return aead;
}
675 
// EVP_aead_aes_256_cbc_sha384_tls returns the AES-256-CBC / HMAC-SHA384 TLS
// suite with an explicit record IV.
const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {
  const EVP_AEAD *aead = &aead_aes_256_cbc_sha384_tls;
  return aead;
}
679 
// EVP_aead_des_ede3_cbc_sha1_tls returns the 3DES-CBC / HMAC-SHA1 TLS suite
// with an explicit record IV.
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
  const EVP_AEAD *aead = &aead_des_ede3_cbc_sha1_tls;
  return aead;
}
683 
// EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv returns the 3DES-CBC / HMAC-SHA1
// TLS suite whose IV is part of the key (pre-TLS-1.1).
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
  const EVP_AEAD *aead = &aead_des_ede3_cbc_sha1_tls_implicit_iv;
  return aead;
}
687 
// EVP_aead_null_sha1_tls returns the integrity-only NULL-cipher / HMAC-SHA1
// TLS suite.
const EVP_AEAD *EVP_aead_null_sha1_tls(void) {
  const EVP_AEAD *aead = &aead_null_sha1_tls;
  return aead;
}
689