1 /* 2 * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #if defined(_WIN32) 11 # include <windows.h> 12 #endif 13 14 #include <stdio.h> 15 #include <string.h> 16 17 #include <openssl/engine.h> 18 #include <openssl/sha.h> 19 #include <openssl/aes.h> 20 #include <openssl/rsa.h> 21 #include <openssl/evp.h> 22 #include <openssl/async.h> 23 #include <openssl/bn.h> 24 #include <openssl/crypto.h> 25 #include <openssl/ssl.h> 26 #include <openssl/modes.h> 27 28 #if defined(OPENSSL_SYS_UNIX) && defined(OPENSSL_THREADS) 29 # undef ASYNC_POSIX 30 # define ASYNC_POSIX 31 # include <unistd.h> 32 #elif defined(_WIN32) 33 # undef ASYNC_WIN 34 # define ASYNC_WIN 35 #endif 36 37 #include "e_dasync_err.c" 38 39 /* Engine Id and Name */ 40 static const char *engine_dasync_id = "dasync"; 41 static const char *engine_dasync_name = "Dummy Async engine support"; 42 43 44 /* Engine Lifetime functions */ 45 static int dasync_destroy(ENGINE *e); 46 static int dasync_init(ENGINE *e); 47 static int dasync_finish(ENGINE *e); 48 void engine_load_dasync_int(void); 49 50 51 /* Set up digests. Just SHA1 for now */ 52 static int dasync_digests(ENGINE *e, const EVP_MD **digest, 53 const int **nids, int nid); 54 55 static void dummy_pause_job(void); 56 57 /* SHA1 */ 58 static int dasync_sha1_init(EVP_MD_CTX *ctx); 59 static int dasync_sha1_update(EVP_MD_CTX *ctx, const void *data, 60 size_t count); 61 static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md); 62 63 /* 64 * Holds the EVP_MD object for sha1 in this engine. Set up once only during 65 * engine bind and can then be reused many times. 66 */ 67 static EVP_MD *_hidden_sha1_md = NULL; 68 static const EVP_MD *dasync_sha1(void) 69 { 70 return _hidden_sha1_md; 71 } 72 static void destroy_digests(void) 73 { 74 EVP_MD_meth_free(_hidden_sha1_md); 75 _hidden_sha1_md = NULL; 76 } 77 78 static int dasync_digest_nids(const int **nids) 79 { 80 static int digest_nids[2] = { 0, 0 }; 81 static int pos = 0; 82 static int init = 0; 83 84 if (!init) { 85 const EVP_MD *md; 86 if ((md = dasync_sha1()) != NULL) 87 digest_nids[pos++] = EVP_MD_type(md); 88 digest_nids[pos] = 0; 89 init = 1; 90 } 91 *nids = digest_nids; 92 return pos; 93 } 94 95 /* RSA */ 96 97 static int dasync_pub_enc(int flen, const unsigned char *from, 98 unsigned char *to, RSA *rsa, int padding); 99 static int dasync_pub_dec(int flen, const unsigned char *from, 100 unsigned char *to, RSA *rsa, int padding); 101 static int dasync_rsa_priv_enc(int flen, const unsigned char *from, 102 unsigned char *to, RSA *rsa, int padding); 103 static int dasync_rsa_priv_dec(int flen, const unsigned char *from, 104 unsigned char *to, RSA *rsa, int padding); 105 static int dasync_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, 106 BN_CTX *ctx); 107 108 static int dasync_rsa_init(RSA *rsa); 109 static int dasync_rsa_finish(RSA *rsa); 110 111 static RSA_METHOD *dasync_rsa_method = NULL; 112 113 /* AES */ 114 115 static int dasync_aes128_cbc_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 116 void *ptr); 117 static int dasync_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 118 const unsigned char *iv, int enc); 119 static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 120 const unsigned char *in, size_t inl); 121 static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); 122 123 static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, 124 int arg, void *ptr); 125 static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 126 const unsigned char *key, 127 const unsigned char *iv, 128 int enc); 129 static int dasync_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, 130 unsigned char *out, 131 const unsigned char *in, 132 size_t inl); 133 static int dasync_aes128_cbc_hmac_sha1_cleanup(EVP_CIPHER_CTX *ctx); 134 135 struct dasync_pipeline_ctx { 136 void *inner_cipher_data; 137 unsigned int numpipes; 138 unsigned char **inbufs; 139 unsigned char **outbufs; 140 size_t *lens; 141 unsigned char tlsaad[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; 142 unsigned int aadctr; 143 }; 144 145 /* 146 * Holds the EVP_CIPHER object for aes_128_cbc in this engine. Set up once only 147 * during engine bind and can then be reused many times. 148 */ 149 static EVP_CIPHER *_hidden_aes_128_cbc = NULL; 150 static const EVP_CIPHER *dasync_aes_128_cbc(void) 151 { 152 return _hidden_aes_128_cbc; 153 } 154 155 /* 156 * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up 157 * once only during engine bind and can then be reused many times. 158 * 159 * This 'stitched' cipher depends on the EVP_aes_128_cbc_hmac_sha1() cipher, 160 * which is implemented only if the AES-NI instruction set extension is available 161 * (see OPENSSL_IA32CAP(3)). If that's not the case, then this cipher will not 162 * be available either. 163 * 164 * Note: Since it is a legacy mac-then-encrypt cipher, modern TLS peers (which 165 * negotiate the encrypt-then-mac extension) won't negotiate it anyway. 166 */ 167 static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL; 168 static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) 169 { 170 return _hidden_aes_128_cbc_hmac_sha1; 171 } 172 173 static void destroy_ciphers(void) 174 { 175 EVP_CIPHER_meth_free(_hidden_aes_128_cbc); 176 EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); 177 _hidden_aes_128_cbc = NULL; 178 _hidden_aes_128_cbc_hmac_sha1 = NULL; 179 } 180 181 static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 182 const int **nids, int nid); 183 184 static int dasync_cipher_nids[] = { 185 NID_aes_128_cbc, 186 NID_aes_128_cbc_hmac_sha1, 187 0 188 }; 189 190 static int bind_dasync(ENGINE *e) 191 { 192 /* Setup RSA_METHOD */ 193 if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL 194 || RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0 195 || RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0 196 || RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0 197 || RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0 198 || RSA_meth_set_mod_exp(dasync_rsa_method, dasync_rsa_mod_exp) == 0 199 || RSA_meth_set_bn_mod_exp(dasync_rsa_method, BN_mod_exp_mont) == 0 200 || RSA_meth_set_init(dasync_rsa_method, dasync_rsa_init) == 0 201 || RSA_meth_set_finish(dasync_rsa_method, dasync_rsa_finish) == 0) { 202 DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED); 203 return 0; 204 } 205 206 /* Ensure the dasync error handling is set up */ 207 ERR_load_DASYNC_strings(); 208 209 if (!ENGINE_set_id(e, engine_dasync_id) 210 || !ENGINE_set_name(e, engine_dasync_name) 211 || !ENGINE_set_RSA(e, dasync_rsa_method) 212 || !ENGINE_set_digests(e, dasync_digests) 213 || !ENGINE_set_ciphers(e, dasync_ciphers) 214 || !ENGINE_set_destroy_function(e, dasync_destroy) 215 || !ENGINE_set_init_function(e, dasync_init) 216 || !ENGINE_set_finish_function(e, dasync_finish)) { 217 DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED); 218 return 0; 219 } 220 221 /* 222 * Set up the EVP_CIPHER and EVP_MD objects for the ciphers/digests 223 * supplied by this engine 224 */ 225 _hidden_sha1_md = EVP_MD_meth_new(NID_sha1, NID_sha1WithRSAEncryption); 226 if (_hidden_sha1_md == NULL 227 || !EVP_MD_meth_set_result_size(_hidden_sha1_md, SHA_DIGEST_LENGTH) 228 || !EVP_MD_meth_set_input_blocksize(_hidden_sha1_md, SHA_CBLOCK) 229 || !EVP_MD_meth_set_app_datasize(_hidden_sha1_md, 230 sizeof(EVP_MD *) + sizeof(SHA_CTX)) 231 || !EVP_MD_meth_set_flags(_hidden_sha1_md, EVP_MD_FLAG_DIGALGID_ABSENT) 232 || !EVP_MD_meth_set_init(_hidden_sha1_md, dasync_sha1_init) 233 || !EVP_MD_meth_set_update(_hidden_sha1_md, dasync_sha1_update) 234 || !EVP_MD_meth_set_final(_hidden_sha1_md, dasync_sha1_final)) { 235 EVP_MD_meth_free(_hidden_sha1_md); 236 _hidden_sha1_md = NULL; 237 } 238 239 _hidden_aes_128_cbc = EVP_CIPHER_meth_new(NID_aes_128_cbc, 240 16 /* block size */, 241 16 /* key len */); 242 if (_hidden_aes_128_cbc == NULL 243 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc,16) 244 || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc, 245 EVP_CIPH_FLAG_DEFAULT_ASN1 246 | EVP_CIPH_CBC_MODE 247 | EVP_CIPH_FLAG_PIPELINE) 248 || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc, 249 dasync_aes128_init_key) 250 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc, 251 dasync_aes128_cbc_cipher) 252 || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc, 253 dasync_aes128_cbc_cleanup) 254 || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc, 255 dasync_aes128_cbc_ctrl) 256 || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc, 257 sizeof(struct dasync_pipeline_ctx))) { 258 EVP_CIPHER_meth_free(_hidden_aes_128_cbc); 259 _hidden_aes_128_cbc = NULL; 260 } 261 262 _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( 263 NID_aes_128_cbc_hmac_sha1, 264 16 /* block size */, 265 16 /* key len */); 266 if (_hidden_aes_128_cbc_hmac_sha1 == NULL 267 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16) 268 || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1, 269 EVP_CIPH_CBC_MODE 270 | EVP_CIPH_FLAG_DEFAULT_ASN1 271 | EVP_CIPH_FLAG_AEAD_CIPHER 272 | EVP_CIPH_FLAG_PIPELINE) 273 || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1, 274 dasync_aes128_cbc_hmac_sha1_init_key) 275 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1, 276 dasync_aes128_cbc_hmac_sha1_cipher) 277 || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc_hmac_sha1, 278 dasync_aes128_cbc_hmac_sha1_cleanup) 279 || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1, 280 dasync_aes128_cbc_hmac_sha1_ctrl) 281 || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1, 282 sizeof(struct dasync_pipeline_ctx))) { 283 EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); 284 _hidden_aes_128_cbc_hmac_sha1 = NULL; 285 } 286 287 return 1; 288 } 289 290 # ifndef OPENSSL_NO_DYNAMIC_ENGINE 291 static int bind_helper(ENGINE *e, const char *id) 292 { 293 if (id && (strcmp(id, engine_dasync_id) != 0)) 294 return 0; 295 if (!bind_dasync(e)) 296 return 0; 297 return 1; 298 } 299 300 IMPLEMENT_DYNAMIC_CHECK_FN() 301 IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) 302 # endif 303 304 static ENGINE *engine_dasync(void) 305 { 306 ENGINE *ret = ENGINE_new(); 307 if (!ret) 308 return NULL; 309 if (!bind_dasync(ret)) { 310 ENGINE_free(ret); 311 return NULL; 312 } 313 return ret; 314 } 315 316 void engine_load_dasync_int(void) 317 { 318 ENGINE *toadd = engine_dasync(); 319 if (!toadd) 320 return; 321 ENGINE_add(toadd); 322 ENGINE_free(toadd); 323 ERR_clear_error(); 324 } 325 326 static int dasync_init(ENGINE *e) 327 { 328 return 1; 329 } 330 331 332 static int dasync_finish(ENGINE *e) 333 { 334 return 1; 335 } 336 337 338 static int dasync_destroy(ENGINE *e) 339 { 340 destroy_digests(); 341 destroy_ciphers(); 342 RSA_meth_free(dasync_rsa_method); 343 ERR_unload_DASYNC_strings(); 344 return 1; 345 } 346 347 static int dasync_digests(ENGINE *e, const EVP_MD **digest, 348 const int **nids, int nid) 349 { 350 int ok = 1; 351 if (!digest) { 352 /* We are returning a list of supported nids */ 353 return dasync_digest_nids(nids); 354 } 355 /* We are being asked for a specific digest */ 356 switch (nid) { 357 case NID_sha1: 358 *digest = dasync_sha1(); 359 break; 360 default: 361 ok = 0; 362 *digest = NULL; 363 break; 364 } 365 return ok; 366 } 367 368 static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 369 const int **nids, int nid) 370 { 371 int ok = 1; 372 if (cipher == NULL) { 373 /* We are returning a list of supported nids */ 374 *nids = dasync_cipher_nids; 375 return (sizeof(dasync_cipher_nids) - 376 1) / sizeof(dasync_cipher_nids[0]); 377 } 378 /* We are being asked for a specific cipher */ 379 switch (nid) { 380 case NID_aes_128_cbc: 381 *cipher = dasync_aes_128_cbc(); 382 break; 383 case NID_aes_128_cbc_hmac_sha1: 384 *cipher = dasync_aes_128_cbc_hmac_sha1(); 385 break; 386 default: 387 ok = 0; 388 *cipher = NULL; 389 break; 390 } 391 return ok; 392 } 393 394 static void wait_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, 395 OSSL_ASYNC_FD readfd, void *pvwritefd) 396 { 397 OSSL_ASYNC_FD *pwritefd = (OSSL_ASYNC_FD *)pvwritefd; 398 #if defined(ASYNC_WIN) 399 CloseHandle(readfd); 400 CloseHandle(*pwritefd); 401 #elif defined(ASYNC_POSIX) 402 close(readfd); 403 close(*pwritefd); 404 #endif 405 OPENSSL_free(pwritefd); 406 } 407 408 #define DUMMY_CHAR 'X' 409 410 static void dummy_pause_job(void) { 411 ASYNC_JOB *job; 412 ASYNC_WAIT_CTX *waitctx; 413 OSSL_ASYNC_FD pipefds[2] = {0, 0}; 414 OSSL_ASYNC_FD *writefd; 415 #if defined(ASYNC_WIN) 416 DWORD numwritten, numread; 417 char buf = DUMMY_CHAR; 418 #elif defined(ASYNC_POSIX) 419 char buf = DUMMY_CHAR; 420 #endif 421 422 if ((job = ASYNC_get_current_job()) == NULL) 423 return; 424 425 waitctx = ASYNC_get_wait_ctx(job); 426 427 if (ASYNC_WAIT_CTX_get_fd(waitctx, engine_dasync_id, &pipefds[0], 428 (void **)&writefd)) { 429 pipefds[1] = *writefd; 430 } else { 431 writefd = OPENSSL_malloc(sizeof(*writefd)); 432 if (writefd == NULL) 433 return; 434 #if defined(ASYNC_WIN) 435 if (CreatePipe(&pipefds[0], &pipefds[1], NULL, 256) == 0) { 436 OPENSSL_free(writefd); 437 return; 438 } 439 #elif defined(ASYNC_POSIX) 440 if (pipe(pipefds) != 0) { 441 OPENSSL_free(writefd); 442 return; 443 } 444 #endif 445 *writefd = pipefds[1]; 446 447 if (!ASYNC_WAIT_CTX_set_wait_fd(waitctx, engine_dasync_id, pipefds[0], 448 writefd, wait_cleanup)) { 449 wait_cleanup(waitctx, engine_dasync_id, pipefds[0], writefd); 450 return; 451 } 452 } 453 /* 454 * In the Dummy async engine we are cheating. We signal that the job 455 * is complete by waking it before the call to ASYNC_pause_job(). A real 456 * async engine would only wake when the job was actually complete 457 */ 458 #if defined(ASYNC_WIN) 459 WriteFile(pipefds[1], &buf, 1, &numwritten, NULL); 460 #elif defined(ASYNC_POSIX) 461 if (write(pipefds[1], &buf, 1) < 0) 462 return; 463 #endif 464 465 /* Ignore errors - we carry on anyway */ 466 ASYNC_pause_job(); 467 468 /* Clear the wake signal */ 469 #if defined(ASYNC_WIN) 470 ReadFile(pipefds[0], &buf, 1, &numread, NULL); 471 #elif defined(ASYNC_POSIX) 472 if (read(pipefds[0], &buf, 1) < 0) 473 return; 474 #endif 475 } 476 477 /* 478 * SHA1 implementation. At the moment we just defer to the standard 479 * implementation 480 */ 481 #undef data 482 #define data(ctx) ((SHA_CTX *)EVP_MD_CTX_md_data(ctx)) 483 static int dasync_sha1_init(EVP_MD_CTX *ctx) 484 { 485 dummy_pause_job(); 486 487 return SHA1_Init(data(ctx)); 488 } 489 490 static int dasync_sha1_update(EVP_MD_CTX *ctx, const void *data, 491 size_t count) 492 { 493 dummy_pause_job(); 494 495 return SHA1_Update(data(ctx), data, (size_t)count); 496 } 497 498 static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md) 499 { 500 dummy_pause_job(); 501 502 return SHA1_Final(md, data(ctx)); 503 } 504 505 /* 506 * RSA implementation 507 */ 508 509 static int dasync_pub_enc(int flen, const unsigned char *from, 510 unsigned char *to, RSA *rsa, int padding) { 511 /* Ignore errors - we carry on anyway */ 512 dummy_pause_job(); 513 return RSA_meth_get_pub_enc(RSA_PKCS1_OpenSSL()) 514 (flen, from, to, rsa, padding); 515 } 516 517 static int dasync_pub_dec(int flen, const unsigned char *from, 518 unsigned char *to, RSA *rsa, int padding) { 519 /* Ignore errors - we carry on anyway */ 520 dummy_pause_job(); 521 return RSA_meth_get_pub_dec(RSA_PKCS1_OpenSSL()) 522 (flen, from, to, rsa, padding); 523 } 524 525 static int dasync_rsa_priv_enc(int flen, const unsigned char *from, 526 unsigned char *to, RSA *rsa, int padding) 527 { 528 /* Ignore errors - we carry on anyway */ 529 dummy_pause_job(); 530 return RSA_meth_get_priv_enc(RSA_PKCS1_OpenSSL()) 531 (flen, from, to, rsa, padding); 532 } 533 534 static int dasync_rsa_priv_dec(int flen, const unsigned char *from, 535 unsigned char *to, RSA *rsa, int padding) 536 { 537 /* Ignore errors - we carry on anyway */ 538 dummy_pause_job(); 539 return RSA_meth_get_priv_dec(RSA_PKCS1_OpenSSL()) 540 (flen, from, to, rsa, padding); 541 } 542 543 static int dasync_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 544 { 545 /* Ignore errors - we carry on anyway */ 546 dummy_pause_job(); 547 return RSA_meth_get_mod_exp(RSA_PKCS1_OpenSSL())(r0, I, rsa, ctx); 548 } 549 550 static int dasync_rsa_init(RSA *rsa) 551 { 552 return RSA_meth_get_init(RSA_PKCS1_OpenSSL())(rsa); 553 } 554 static int dasync_rsa_finish(RSA *rsa) 555 { 556 return RSA_meth_get_finish(RSA_PKCS1_OpenSSL())(rsa); 557 } 558 559 /* Cipher helper functions */ 560 561 static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg, 562 void *ptr, int aeadcapable) 563 { 564 int ret; 565 struct dasync_pipeline_ctx *pipe_ctx = 566 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 567 568 if (pipe_ctx == NULL) 569 return 0; 570 571 switch (type) { 572 case EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS: 573 pipe_ctx->numpipes = arg; 574 pipe_ctx->outbufs = (unsigned char **)ptr; 575 break; 576 577 case EVP_CTRL_SET_PIPELINE_INPUT_BUFS: 578 pipe_ctx->numpipes = arg; 579 pipe_ctx->inbufs = (unsigned char **)ptr; 580 break; 581 582 case EVP_CTRL_SET_PIPELINE_INPUT_LENS: 583 pipe_ctx->numpipes = arg; 584 pipe_ctx->lens = (size_t *)ptr; 585 break; 586 587 case EVP_CTRL_AEAD_SET_MAC_KEY: 588 if (!aeadcapable) 589 return -1; 590 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx->inner_cipher_data); 591 ret = EVP_CIPHER_meth_get_ctrl(EVP_aes_128_cbc_hmac_sha1()) 592 (ctx, type, arg, ptr); 593 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx); 594 return ret; 595 596 case EVP_CTRL_AEAD_TLS1_AAD: 597 { 598 unsigned char *p = ptr; 599 unsigned int len; 600 601 if (!aeadcapable || arg != EVP_AEAD_TLS1_AAD_LEN) 602 return -1; 603 604 if (pipe_ctx->aadctr >= SSL_MAX_PIPELINES) 605 return -1; 606 607 memcpy(pipe_ctx->tlsaad[pipe_ctx->aadctr], ptr, 608 EVP_AEAD_TLS1_AAD_LEN); 609 pipe_ctx->aadctr++; 610 611 len = p[arg - 2] << 8 | p[arg - 1]; 612 613 if (EVP_CIPHER_CTX_encrypting(ctx)) { 614 if ((p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) { 615 if (len < AES_BLOCK_SIZE) 616 return 0; 617 len -= AES_BLOCK_SIZE; 618 } 619 620 return ((len + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) 621 & -AES_BLOCK_SIZE) - len; 622 } else { 623 return SHA_DIGEST_LENGTH; 624 } 625 } 626 627 default: 628 return 0; 629 } 630 631 return 1; 632 } 633 634 static int dasync_cipher_init_key_helper(EVP_CIPHER_CTX *ctx, 635 const unsigned char *key, 636 const unsigned char *iv, int enc, 637 const EVP_CIPHER *cipher) 638 { 639 int ret; 640 struct dasync_pipeline_ctx *pipe_ctx = 641 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 642 643 if (pipe_ctx->inner_cipher_data == NULL 644 && EVP_CIPHER_impl_ctx_size(cipher) != 0) { 645 pipe_ctx->inner_cipher_data = OPENSSL_zalloc( 646 EVP_CIPHER_impl_ctx_size(cipher)); 647 if (pipe_ctx->inner_cipher_data == NULL) { 648 DASYNCerr(DASYNC_F_DASYNC_CIPHER_INIT_KEY_HELPER, 649 ERR_R_MALLOC_FAILURE); 650 return 0; 651 } 652 } 653 654 pipe_ctx->numpipes = 0; 655 pipe_ctx->aadctr = 0; 656 657 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx->inner_cipher_data); 658 ret = EVP_CIPHER_meth_get_init(cipher)(ctx, key, iv, enc); 659 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx); 660 661 return ret; 662 } 663 664 static int dasync_cipher_helper(EVP_CIPHER_CTX *ctx, unsigned char *out, 665 const unsigned char *in, size_t inl, 666 const EVP_CIPHER *cipher) 667 { 668 int ret = 1; 669 unsigned int i, pipes; 670 struct dasync_pipeline_ctx *pipe_ctx = 671 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 672 673 pipes = pipe_ctx->numpipes; 674 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx->inner_cipher_data); 675 if (pipes == 0) { 676 if (pipe_ctx->aadctr != 0) { 677 if (pipe_ctx->aadctr != 1) 678 return -1; 679 EVP_CIPHER_meth_get_ctrl(cipher) 680 (ctx, EVP_CTRL_AEAD_TLS1_AAD, 681 EVP_AEAD_TLS1_AAD_LEN, 682 pipe_ctx->tlsaad[0]); 683 } 684 ret = EVP_CIPHER_meth_get_do_cipher(cipher) 685 (ctx, out, in, inl); 686 } else { 687 if (pipe_ctx->aadctr > 0 && pipe_ctx->aadctr != pipes) 688 return -1; 689 for (i = 0; i < pipes; i++) { 690 if (pipe_ctx->aadctr > 0) { 691 EVP_CIPHER_meth_get_ctrl(cipher) 692 (ctx, EVP_CTRL_AEAD_TLS1_AAD, 693 EVP_AEAD_TLS1_AAD_LEN, 694 pipe_ctx->tlsaad[i]); 695 } 696 ret = ret && EVP_CIPHER_meth_get_do_cipher(cipher) 697 (ctx, pipe_ctx->outbufs[i], pipe_ctx->inbufs[i], 698 pipe_ctx->lens[i]); 699 } 700 pipe_ctx->numpipes = 0; 701 } 702 pipe_ctx->aadctr = 0; 703 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx); 704 return ret; 705 } 706 707 static int dasync_cipher_cleanup_helper(EVP_CIPHER_CTX *ctx, 708 const EVP_CIPHER *cipher) 709 { 710 struct dasync_pipeline_ctx *pipe_ctx = 711 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 712 713 OPENSSL_clear_free(pipe_ctx->inner_cipher_data, 714 EVP_CIPHER_impl_ctx_size(cipher)); 715 716 return 1; 717 } 718 719 /* 720 * AES128 CBC Implementation 721 */ 722 723 static int dasync_aes128_cbc_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 724 void *ptr) 725 { 726 return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0); 727 } 728 729 static int dasync_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 730 const unsigned char *iv, int enc) 731 { 732 return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_128_cbc()); 733 } 734 735 static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 736 const unsigned char *in, size_t inl) 737 { 738 return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_128_cbc()); 739 } 740 741 static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) 742 { 743 return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); 744 } 745 746 747 /* 748 * AES128 CBC HMAC SHA1 Implementation 749 */ 750 751 static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, 752 int arg, void *ptr) 753 { 754 return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 1); 755 } 756 757 static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 758 const unsigned char *key, 759 const unsigned char *iv, 760 int enc) 761 { 762 /* 763 * We can safely assume that EVP_aes_128_cbc_hmac_sha1() != NULL, 764 * see comment before the definition of dasync_aes_128_cbc_hmac_sha1(). 765 */ 766 return dasync_cipher_init_key_helper(ctx, key, iv, enc, 767 EVP_aes_128_cbc_hmac_sha1()); 768 } 769 770 static int dasync_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, 771 unsigned char *out, 772 const unsigned char *in, 773 size_t inl) 774 { 775 return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_128_cbc_hmac_sha1()); 776 } 777 778 static int dasync_aes128_cbc_hmac_sha1_cleanup(EVP_CIPHER_CTX *ctx) 779 { 780 /* 781 * We can safely assume that EVP_aes_128_cbc_hmac_sha1() != NULL, 782 * see comment before the definition of dasync_aes_128_cbc_hmac_sha1(). 783 */ 784 return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc_hmac_sha1()); 785 } 786