providers/implementations/ciphers/cipher_aes_wrp.c

   1 /*
   2  * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * This file uses the low level AES functions (which are deprecated for
  12  * non-internal use) in order to implement provider AES ciphers.
  13  */
  14 #include "internal/deprecated.h"
  15
  16 #include "cipher_aes.h"
  17 #include "prov/providercommon.h"
  18 #include "prov/providercommonerr.h"
  19 #include "prov/implementations.h"
  20
  21 /* AES wrap with padding has IV length of 4, without padding 8 */
  22 #define AES_WRAP_PAD_IVLEN   4
  23 #define AES_WRAP_NOPAD_IVLEN 8
  24
  25 /* TODO(3.0) Figure out what flags need to be passed */
  26 #define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV \
  27                     | EVP_CIPH_ALWAYS_CALL_INIT)
  28
  29 typedef size_t (*aeswrap_fn)(void *key, const unsigned char *iv,
  30                              unsigned char *out, const unsigned char *in,
  31                              size_t inlen, block128_f block);
  32
  33 static OSSL_FUNC_cipher_encrypt_init_fn aes_wrap_einit;
  34 static OSSL_FUNC_cipher_decrypt_init_fn aes_wrap_dinit;
  35 static OSSL_FUNC_cipher_update_fn aes_wrap_cipher;
  36 static OSSL_FUNC_cipher_final_fn aes_wrap_final;
  37 static OSSL_FUNC_cipher_freectx_fn aes_wrap_freectx;
  38
  39 typedef struct prov_aes_wrap_ctx_st {
  40     PROV_CIPHER_CTX base;
  41     union {
  42         OSSL_UNION_ALIGN;
  43         AES_KEY ks;
  44     } ks;
  45     aeswrap_fn wrapfn;
  46
  47 } PROV_AES_WRAP_CTX;
  48
  49
  50 static void *aes_wrap_newctx(size_t kbits, size_t blkbits,
  51                              size_t ivbits, unsigned int mode, uint64_t flags)
  52 {
  53     PROV_AES_WRAP_CTX *wctx;
  54     PROV_CIPHER_CTX *ctx;
  55
  56     if (!ossl_prov_is_running())
  57         return NULL;
  58
  59     wctx = OPENSSL_zalloc(sizeof(*wctx));
  60     ctx = (PROV_CIPHER_CTX *)wctx;
  61     if (ctx != NULL) {
  62         cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
  63                                NULL, NULL);
  64         ctx->pad = (ctx->ivlen == AES_WRAP_PAD_IVLEN);
  65     }
  66     return wctx;
  67 }
  68
  69 static void aes_wrap_freectx(void *vctx)
  70 {
  71     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
  72
  73     cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
  74     OPENSSL_clear_free(wctx,  sizeof(*wctx));
  75 }
  76
  77 static int aes_wrap_init(void *vctx, const unsigned char *key,
  78                          size_t keylen, const unsigned char *iv,
  79                          size_t ivlen, int enc)
  80 {
  81     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
  82     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
  83
  84     if (!ossl_prov_is_running())
  85         return 0;
  86
  87     ctx->enc = enc;
  88     ctx->block = enc ? (block128_f)AES_encrypt : (block128_f)AES_decrypt;
  89     if (ctx->pad)
  90         wctx->wrapfn = enc ? CRYPTO_128_wrap_pad : CRYPTO_128_unwrap_pad;
  91     else
  92         wctx->wrapfn = enc ? CRYPTO_128_wrap : CRYPTO_128_unwrap;
  93
  94     if (iv != NULL) {
  95         if (!cipher_generic_initiv(ctx, iv, ivlen))
  96             return 0;
  97     }
  98     if (key != NULL) {
  99         if (keylen != ctx->keylen) {
 100            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 101            return 0;
 102         }
 103         if (ctx->enc)
 104             AES_set_encrypt_key(key, keylen * 8, &wctx->ks.ks);
 105         else
 106             AES_set_decrypt_key(key, keylen * 8, &wctx->ks.ks);
 107     }
 108     return 1;
 109 }
 110
 111 static int aes_wrap_einit(void *ctx, const unsigned char *key, size_t keylen,
 112                           const unsigned char *iv, size_t ivlen)
 113 {
 114     return aes_wrap_init(ctx, key, keylen, iv, ivlen, 1);
 115 }
 116
 117 static int aes_wrap_dinit(void *ctx, const unsigned char *key, size_t keylen,
 118                           const unsigned char *iv, size_t ivlen)
 119 {
 120     return aes_wrap_init(ctx, key, keylen, iv, ivlen, 0);
 121 }
 122
 123 static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
 124                                     const unsigned char *in, size_t inlen)
 125 {
 126     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
 127     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
 128     size_t rv;
 129     int pad = ctx->pad;
 130
 131     /* No final operation so always return zero length */
 132     if (in == NULL)
 133         return 0;
 134
 135     /* Input length must always be non-zero */
 136     if (inlen == 0)
 137         return -1;
 138
 139     /* If decrypting need at least 16 bytes and multiple of 8 */
 140     if (!ctx->enc && (inlen < 16 || inlen & 0x7))
 141         return -1;
 142
 143     /* If not padding input must be multiple of 8 */
 144     if (!pad && inlen & 0x7)
 145         return -1;
 146
 147     if (out == NULL) {
 148         if (ctx->enc) {
 149             /* If padding round up to multiple of 8 */
 150             if (pad)
 151                 inlen = (inlen + 7) / 8 * 8;
 152             /* 8 byte prefix */
 153             return inlen + 8;
 154         } else {
 155             /*
 156              * If not padding output will be exactly 8 bytes smaller than
 157              * input. If padding it will be at least 8 bytes smaller but we
 158              * don't know how much.
 159              */
 160             return inlen - 8;
 161         }
 162     }
 163
 164     rv = wctx->wrapfn(&wctx->ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in,
 165                       inlen, ctx->block);
 166     return rv ? (int)rv : -1;
 167 }
 168
 169 static int aes_wrap_final(void *vctx, unsigned char *out, size_t *outl,
 170                           size_t outsize)
 171 {
 172     if (!ossl_prov_is_running())
 173         return 0;
 174
 175     *outl = 0;
 176     return 1;
 177 }
 178
 179 static int aes_wrap_cipher(void *vctx,
 180                            unsigned char *out, size_t *outl, size_t outsize,
 181                            const unsigned char *in, size_t inl)
 182 {
 183     PROV_AES_WRAP_CTX *ctx = (PROV_AES_WRAP_CTX *)vctx;
 184     size_t len;
 185
 186     if (!ossl_prov_is_running())
 187         return 0;
 188
 189     if (inl == 0) {
 190         *outl = 0;
 191         return 1;
 192     }
 193
 194     if (outsize < inl) {
 195         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
 196         return -1;
 197     }
 198
 199     len = aes_wrap_cipher_internal(ctx, out, in, inl);
 200     if (len == 0)
 201         return -1;
 202
 203     *outl = len;
 204     return 1;
 205 }
 206
 207 static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 208 {
 209     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
 210     const OSSL_PARAM *p;
 211     size_t keylen = 0;
 212
 213     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
 214     if (p != NULL) {
 215         if (!OSSL_PARAM_get_size_t(p, &keylen)) {
 216             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
 217             return 0;
 218         }
 219         if (ctx->keylen != keylen) {
 220             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 221             return 0;
 222         }
 223     }
 224     return 1;
 225 }
 226
 227 #define IMPLEMENT_cipher(mode, fname, UCMODE, flags, kbits, blkbits, ivbits)   \
 228     static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##fname##_get_params;  \
 229     static int aes_##kbits##_##fname##_get_params(OSSL_PARAM params[])         \
 230     {                                                                          \
 231         return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,     \
 232                                          flags, kbits, blkbits, ivbits);       \
 233     }                                                                          \
 234     static OSSL_FUNC_cipher_newctx_fn aes_##kbits##fname##_newctx;             \
 235     static void *aes_##kbits##fname##_newctx(void *provctx)                    \
 236     {                                                                          \
 237         return aes_##mode##_newctx(kbits, blkbits, ivbits,                     \
 238                                    EVP_CIPH_##UCMODE##_MODE, flags);           \
 239     }                                                                          \
 240     const OSSL_DISPATCH ossl_##aes##kbits##fname##_functions[] = {             \
 241         { OSSL_FUNC_CIPHER_NEWCTX,                                             \
 242             (void (*)(void))aes_##kbits##fname##_newctx },                     \
 243         { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
 244         { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
 245         { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher },      \
 246         { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final },        \
 247         { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx },    \
 248         { OSSL_FUNC_CIPHER_GET_PARAMS,                                         \
 249             (void (*)(void))aes_##kbits##_##fname##_get_params },              \
 250         { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                    \
 251             (void (*)(void))cipher_generic_gettable_params },                  \
 252         { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                     \
 253             (void (*)(void))cipher_generic_get_ctx_params },                   \
 254         { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                     \
 255             (void (*)(void))aes_wrap_set_ctx_params },                         \
 256         { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                \
 257             (void (*)(void))cipher_generic_gettable_ctx_params },              \
 258         { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                \
 259             (void (*)(void))cipher_generic_settable_ctx_params },              \
 260         { 0, NULL }                                                            \
 261     }
 262
 263 IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
 264 IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
 265 IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
 266 IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_PAD_IVLEN * 8);
 267 IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_PAD_IVLEN * 8);
 268 IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_PAD_IVLEN * 8);