xref: /freebsd/crypto/openssl/providers/implementations/ciphers/cipher_aes_wrp.c (revision a91a246563dffa876a52f53a98de4af9fa364c52)
1 /*
2  * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * This file uses the low level AES functions (which are deprecated for
12  * non-internal use) in order to implement provider AES ciphers.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <openssl/proverr.h>
17 #include "cipher_aes.h"
18 #include "prov/providercommon.h"
19 #include "prov/implementations.h"
20 
21 /* AES wrap with padding has IV length of 4, without padding 8 */
22 #define AES_WRAP_PAD_IVLEN   4
23 #define AES_WRAP_NOPAD_IVLEN 8
24 
25 #define WRAP_FLAGS (PROV_CIPHER_FLAG_CUSTOM_IV)
26 #define WRAP_FLAGS_INV (WRAP_FLAGS | PROV_CIPHER_FLAG_INVERSE_CIPHER)
27 
28 typedef size_t (*aeswrap_fn)(void *key, const unsigned char *iv,
29                              unsigned char *out, const unsigned char *in,
30                              size_t inlen, block128_f block);
31 
32 static OSSL_FUNC_cipher_encrypt_init_fn aes_wrap_einit;
33 static OSSL_FUNC_cipher_decrypt_init_fn aes_wrap_dinit;
34 static OSSL_FUNC_cipher_update_fn aes_wrap_cipher;
35 static OSSL_FUNC_cipher_final_fn aes_wrap_final;
36 static OSSL_FUNC_cipher_freectx_fn aes_wrap_freectx;
37 static OSSL_FUNC_cipher_set_ctx_params_fn aes_wrap_set_ctx_params;
38 
39 typedef struct prov_aes_wrap_ctx_st {
40     PROV_CIPHER_CTX base;
41     union {
42         OSSL_UNION_ALIGN;
43         AES_KEY ks;
44     } ks;
45     aeswrap_fn wrapfn;
46 
47 } PROV_AES_WRAP_CTX;
48 
49 
50 static void *aes_wrap_newctx(size_t kbits, size_t blkbits,
51                              size_t ivbits, unsigned int mode, uint64_t flags)
52 {
53     PROV_AES_WRAP_CTX *wctx;
54     PROV_CIPHER_CTX *ctx;
55 
56     if (!ossl_prov_is_running())
57         return NULL;
58 
59     wctx = OPENSSL_zalloc(sizeof(*wctx));
60     ctx = (PROV_CIPHER_CTX *)wctx;
61     if (ctx != NULL) {
62         ossl_cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
63                                     NULL, NULL);
64         ctx->pad = (ctx->ivlen == AES_WRAP_PAD_IVLEN);
65     }
66     return wctx;
67 }
68 
69 static void *aes_wrap_dupctx(void *wctx)
70 {
71     PROV_AES_WRAP_CTX *ctx = wctx;
72     PROV_AES_WRAP_CTX *dctx = wctx;
73 
74     if (ctx == NULL)
75         return NULL;
76     dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
77 
78     if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) {
79         dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac,
80                                            dctx->base.tlsmacsize);
81         if (dctx->base.tlsmac == NULL) {
82             OPENSSL_free(dctx);
83             dctx = NULL;
84         }
85     }
86     return dctx;
87 }
88 
89 static void aes_wrap_freectx(void *vctx)
90 {
91     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
92 
93     ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
94     OPENSSL_clear_free(wctx,  sizeof(*wctx));
95 }
96 
97 static int aes_wrap_init(void *vctx, const unsigned char *key,
98                          size_t keylen, const unsigned char *iv,
99                          size_t ivlen, const OSSL_PARAM params[], int enc)
100 {
101     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
102     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
103 
104     if (!ossl_prov_is_running())
105         return 0;
106 
107     ctx->enc = enc;
108     if (ctx->pad)
109         wctx->wrapfn = enc ? CRYPTO_128_wrap_pad : CRYPTO_128_unwrap_pad;
110     else
111         wctx->wrapfn = enc ? CRYPTO_128_wrap : CRYPTO_128_unwrap;
112 
113     if (iv != NULL) {
114         if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
115             return 0;
116     }
117     if (key != NULL) {
118         int use_forward_transform;
119 
120         if (keylen != ctx->keylen) {
121            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
122            return 0;
123         }
124         /*
125          * See SP800-38F : Section 5.1
126          * The forward and inverse transformations for the AES block
127          * cipher—called “cipher” and “inverse  cipher” are informally known as
128          * the AES encryption and AES decryption functions, respectively.
129          * If the designated cipher function for a key-wrap algorithm is chosen
130          * to be the AES decryption function, then CIPH-1K will be the AES
131          * encryption function.
132          */
133         if (ctx->inverse_cipher == 0)
134             use_forward_transform = ctx->enc;
135         else
136             use_forward_transform = !ctx->enc;
137         if (use_forward_transform) {
138             AES_set_encrypt_key(key, keylen * 8, &wctx->ks.ks);
139             ctx->block = (block128_f)AES_encrypt;
140         } else {
141             AES_set_decrypt_key(key, keylen * 8, &wctx->ks.ks);
142             ctx->block = (block128_f)AES_decrypt;
143         }
144     }
145     return aes_wrap_set_ctx_params(ctx, params);
146 }
147 
148 static int aes_wrap_einit(void *ctx, const unsigned char *key, size_t keylen,
149                           const unsigned char *iv, size_t ivlen,
150                           const OSSL_PARAM params[])
151 {
152     return aes_wrap_init(ctx, key, keylen, iv, ivlen, params, 1);
153 }
154 
155 static int aes_wrap_dinit(void *ctx, const unsigned char *key, size_t keylen,
156                           const unsigned char *iv, size_t ivlen,
157                           const OSSL_PARAM params[])
158 {
159     return aes_wrap_init(ctx, key, keylen, iv, ivlen, params, 0);
160 }
161 
162 static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
163                                     const unsigned char *in, size_t inlen)
164 {
165     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
166     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
167     size_t rv;
168     int pad = ctx->pad;
169 
170     /* No final operation so always return zero length */
171     if (in == NULL)
172         return 0;
173 
174     /* Input length must always be non-zero */
175     if (inlen == 0) {
176         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH);
177         return -1;
178     }
179 
180     /* If decrypting need at least 16 bytes and multiple of 8 */
181     if (!ctx->enc && (inlen < 16 || inlen & 0x7)) {
182         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH);
183         return -1;
184     }
185 
186     /* If not padding input must be multiple of 8 */
187     if (!pad && inlen & 0x7) {
188         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH);
189         return -1;
190     }
191 
192     if (out == NULL) {
193         if (ctx->enc) {
194             /* If padding round up to multiple of 8 */
195             if (pad)
196                 inlen = (inlen + 7) / 8 * 8;
197             /* 8 byte prefix */
198             return inlen + 8;
199         } else {
200             /*
201              * If not padding output will be exactly 8 bytes smaller than
202              * input. If padding it will be at least 8 bytes smaller but we
203              * don't know how much.
204              */
205             return inlen - 8;
206         }
207     }
208 
209     rv = wctx->wrapfn(&wctx->ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in,
210                       inlen, ctx->block);
211     if (!rv) {
212         ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
213         return -1;
214     }
215     if (rv > INT_MAX) {
216         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
217         return -1;
218     }
219     return (int)rv;
220 }
221 
222 static int aes_wrap_final(void *vctx, unsigned char *out, size_t *outl,
223                           size_t outsize)
224 {
225     if (!ossl_prov_is_running())
226         return 0;
227 
228     *outl = 0;
229     return 1;
230 }
231 
232 static int aes_wrap_cipher(void *vctx,
233                            unsigned char *out, size_t *outl, size_t outsize,
234                            const unsigned char *in, size_t inl)
235 {
236     PROV_AES_WRAP_CTX *ctx = (PROV_AES_WRAP_CTX *)vctx;
237     size_t len;
238 
239     if (!ossl_prov_is_running())
240         return 0;
241 
242     if (inl == 0) {
243         *outl = 0;
244         return 1;
245     }
246 
247     if (outsize < inl) {
248         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
249         return 0;
250     }
251 
252     len = aes_wrap_cipher_internal(ctx, out, in, inl);
253     if (len <= 0)
254         return 0;
255 
256     *outl = len;
257     return 1;
258 }
259 
260 static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
261 {
262     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
263     const OSSL_PARAM *p;
264     size_t keylen = 0;
265 
266     if (params == NULL)
267         return 1;
268 
269     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
270     if (p != NULL) {
271         if (!OSSL_PARAM_get_size_t(p, &keylen)) {
272             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
273             return 0;
274         }
275         if (ctx->keylen != keylen) {
276             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
277             return 0;
278         }
279     }
280     return 1;
281 }
282 
283 #define IMPLEMENT_cipher(mode, fname, UCMODE, flags, kbits, blkbits, ivbits)   \
284     static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##fname##_get_params;  \
285     static int aes_##kbits##_##fname##_get_params(OSSL_PARAM params[])         \
286     {                                                                          \
287         return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,\
288                                               flags, kbits, blkbits, ivbits);  \
289     }                                                                          \
290     static OSSL_FUNC_cipher_newctx_fn aes_##kbits##fname##_newctx;             \
291     static void *aes_##kbits##fname##_newctx(void *provctx)                    \
292     {                                                                          \
293         return aes_##mode##_newctx(kbits, blkbits, ivbits,                     \
294                                    EVP_CIPH_##UCMODE##_MODE, flags);           \
295     }                                                                          \
296     const OSSL_DISPATCH ossl_##aes##kbits##fname##_functions[] = {             \
297         { OSSL_FUNC_CIPHER_NEWCTX,                                             \
298             (void (*)(void))aes_##kbits##fname##_newctx },                     \
299         { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
300         { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
301         { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher },      \
302         { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final },        \
303         { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx },    \
304         { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx },      \
305         { OSSL_FUNC_CIPHER_GET_PARAMS,                                         \
306             (void (*)(void))aes_##kbits##_##fname##_get_params },              \
307         { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                    \
308             (void (*)(void))ossl_cipher_generic_gettable_params },             \
309         { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                     \
310             (void (*)(void))ossl_cipher_generic_get_ctx_params },              \
311         { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                     \
312             (void (*)(void))aes_wrap_set_ctx_params },                         \
313         { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                \
314             (void (*)(void))ossl_cipher_generic_gettable_ctx_params },         \
315         { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                \
316             (void (*)(void))ossl_cipher_generic_settable_ctx_params },         \
317         { 0, NULL }                                                            \
318     }
319 
320 IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
321 IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
322 IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
323 IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_PAD_IVLEN * 8);
324 IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_PAD_IVLEN * 8);
325 IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_PAD_IVLEN * 8);
326 
327 IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
328 IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
329 IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
330 IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 256, 64, AES_WRAP_PAD_IVLEN * 8);
331 IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 192, 64, AES_WRAP_PAD_IVLEN * 8);
332 IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 128, 64, AES_WRAP_PAD_IVLEN * 8);
333