[thirdparty/openssl.git] / providers / implementations / ciphers / cipher_aes_wrp.c

/*
 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * This file uses the low level AES functions (which are deprecated for
 * non-internal use) in order to implement provider AES ciphers.
 */
#include "internal/deprecated.h"

#include "cipher_aes.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"

/* AES wrap with padding has IV length of 4, without padding 8 */
#define AES_WRAP_PAD_IVLEN   4
#define AES_WRAP_NOPAD_IVLEN 8

/* TODO(3.0) Figure out what flags need to be passed */
#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV \
                    | EVP_CIPH_ALWAYS_CALL_INIT)

typedef size_t (*aeswrap_fn)(void *key, const unsigned char *iv,
                             unsigned char *out, const unsigned char *in,
                             size_t inlen, block128_f block);

static OSSL_OP_cipher_encrypt_init_fn aes_wrap_einit;
static OSSL_OP_cipher_decrypt_init_fn aes_wrap_dinit;
static OSSL_OP_cipher_update_fn aes_wrap_cipher;
static OSSL_OP_cipher_final_fn aes_wrap_final;
static OSSL_OP_cipher_freectx_fn aes_wrap_freectx;

typedef struct prov_aes_wrap_ctx_st {
    PROV_CIPHER_CTX base;
    union {
        OSSL_UNION_ALIGN;
        AES_KEY ks;
    } ks;
    aeswrap_fn wrapfn;

} PROV_AES_WRAP_CTX;


static void *aes_wrap_newctx(size_t kbits, size_t blkbits,
                             size_t ivbits, unsigned int mode, uint64_t flags)
{
    PROV_AES_WRAP_CTX *wctx = OPENSSL_zalloc(sizeof(*wctx));
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)wctx;

    if (ctx != NULL) {
        cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
                               NULL, NULL);
        ctx->pad = (ctx->ivlen == AES_WRAP_PAD_IVLEN);
    }
    return wctx;
}

static void aes_wrap_freectx(void *vctx)
{
    PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;

    OPENSSL_clear_free(wctx,  sizeof(*wctx));
}

static int aes_wrap_init(void *vctx, const unsigned char *key,
                         size_t keylen, const unsigned char *iv,
                         size_t ivlen, int enc)
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
    PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;

    ctx->enc = enc;
    ctx->block = enc ? (block128_f)AES_encrypt : (block128_f)AES_decrypt;
    if (ctx->pad)
        wctx->wrapfn = enc ? CRYPTO_128_wrap_pad : CRYPTO_128_unwrap_pad;
    else
        wctx->wrapfn = enc ? CRYPTO_128_wrap : CRYPTO_128_unwrap;

    if (iv != NULL) {
        if (!cipher_generic_initiv(ctx, iv, ivlen))
            return 0;
    }
    if (key != NULL) {
        if (keylen != ctx->keylen) {
           ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
           return 0;
        }
        if (ctx->enc)
            AES_set_encrypt_key(key, keylen * 8, &wctx->ks.ks);
        else
            AES_set_decrypt_key(key, keylen * 8, &wctx->ks.ks);
    }
    return 1;
}

static int aes_wrap_einit(void *ctx, const unsigned char *key, size_t keylen,
                          const unsigned char *iv, size_t ivlen)
{
    return aes_wrap_init(ctx, key, keylen, iv, ivlen, 1);
}

static int aes_wrap_dinit(void *ctx, const unsigned char *key, size_t keylen,
                          const unsigned char *iv, size_t ivlen)
{
    return aes_wrap_init(ctx, key, keylen, iv, ivlen, 0);
}

static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
                                    const unsigned char *in, size_t inlen)
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
    PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
    size_t rv;
    int pad = ctx->pad;

    /* No final operation so always return zero length */
    if (in == NULL)
        return 0;

    /* Input length must always be non-zero */
    if (inlen == 0)
        return -1;

    /* If decrypting need at least 16 bytes and multiple of 8 */
    if (!ctx->enc && (inlen < 16 || inlen & 0x7))
        return -1;

    /* If not padding input must be multiple of 8 */
    if (!pad && inlen & 0x7)
        return -1;

    if (out == NULL) {
        if (ctx->enc) {
            /* If padding round up to multiple of 8 */
            if (pad)
                inlen = (inlen + 7) / 8 * 8;
            /* 8 byte prefix */
            return inlen + 8;
        } else {
            /*
             * If not padding output will be exactly 8 bytes smaller than
             * input. If padding it will be at least 8 bytes smaller but we
             * don't know how much.
             */
            return inlen - 8;
        }
    }

    rv = wctx->wrapfn(&wctx->ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in,
                      inlen, ctx->block);
    return rv ? (int)rv : -1;
}

static int aes_wrap_final(void *vctx, unsigned char *out, size_t *outl,
                          size_t outsize)
{
    *outl = 0;
    return 1;
}

static int aes_wrap_cipher(void *vctx,
                           unsigned char *out, size_t *outl, size_t outsize,
                           const unsigned char *in, size_t inl)
{
    PROV_AES_WRAP_CTX *ctx = (PROV_AES_WRAP_CTX *)vctx;
    size_t len;

    if (inl == 0) {
        *outl = 0;
        return 1;
    }

    if (outsize < inl) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return -1;
    }

    len = aes_wrap_cipher_internal(ctx, out, in, inl);
    if (len == 0)
        return -1;

    *outl = len;
    return 1;
}

static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
    const OSSL_PARAM *p;
    size_t keylen = 0;

    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
    if (p != NULL) {
        if (!OSSL_PARAM_get_size_t(p, &keylen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (ctx->keylen != keylen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
    }
    return 1;
}

#define IMPLEMENT_cipher(mode, fname, UCMODE, flags, kbits, blkbits, ivbits)   \
    static OSSL_OP_cipher_get_params_fn aes_##kbits##_##fname##_get_params;    \
    static int aes_##kbits##_##fname##_get_params(OSSL_PARAM params[])         \
    {                                                                          \
        return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,     \
                                         flags, kbits, blkbits, ivbits);       \
    }                                                                          \
    static OSSL_OP_cipher_newctx_fn aes_##kbits##fname##_newctx;               \
    static void *aes_##kbits##fname##_newctx(void *provctx)                    \
    {                                                                          \
        return aes_##mode##_newctx(kbits, blkbits, ivbits,                     \
                                   EVP_CIPH_##UCMODE##_MODE, flags);           \
    }                                                                          \
    const OSSL_DISPATCH aes##kbits##fname##_functions[] = {                    \
        { OSSL_FUNC_CIPHER_NEWCTX,                                             \
            (void (*)(void))aes_##kbits##fname##_newctx },                     \
        { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
        { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
        { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher },      \
        { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final },        \
        { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx },    \
        { OSSL_FUNC_CIPHER_GET_PARAMS,                                         \
            (void (*)(void))aes_##kbits##_##fname##_get_params },              \
        { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                    \
            (void (*)(void))cipher_generic_gettable_params },                  \
        { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                     \
            (void (*)(void))cipher_generic_get_ctx_params },                   \
        { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                     \
            (void (*)(void))aes_wrap_set_ctx_params },                         \
        { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                \
            (void (*)(void))cipher_generic_gettable_ctx_params },              \
        { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                \
            (void (*)(void))cipher_generic_settable_ctx_params },              \
        { 0, NULL }                                                            \
    }

IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_PAD_IVLEN * 8);
IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_PAD_IVLEN * 8);
IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_PAD_IVLEN * 8);
Commit	Line	Data
ca392b29	1	/*
33388b44	2	* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
ca392b29 SL	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
c72fa255 MC	10	/*
	11	* This file uses the low level AES functions (which are deprecated for
	12	* non-internal use) in order to implement provider AES ciphers.
	13	*/
	14	#include "internal/deprecated.h"
	15
ca392b29	16	#include "cipher_aes.h"
ddd21319	17	#include "prov/providercommonerr.h"
af3e7e1b	18	#include "prov/implementations.h"
ca392b29 SL	19
	20	/* AES wrap with padding has IV length of 4, without padding 8 */
	21	#define AES_WRAP_PAD_IVLEN 4
	22	#define AES_WRAP_NOPAD_IVLEN 8
	23
	24	/* TODO(3.0) Figure out what flags need to be passed */
5b084ca0 RL	25	#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \| EVP_CIPH_CUSTOM_IV \
5b084ca0 RL	26	\| EVP_CIPH_ALWAYS_CALL_INIT)
ca392b29 SL	27
	28	typedef size_t (aeswrap_fn)(void key, const unsigned char *iv,
	29	unsigned char out, const unsigned char in,
	30	size_t inlen, block128_f block);
	31
	32	static OSSL_OP_cipher_encrypt_init_fn aes_wrap_einit;
	33	static OSSL_OP_cipher_decrypt_init_fn aes_wrap_dinit;
	34	static OSSL_OP_cipher_update_fn aes_wrap_cipher;
	35	static OSSL_OP_cipher_final_fn aes_wrap_final;
	36	static OSSL_OP_cipher_freectx_fn aes_wrap_freectx;
	37
	38	typedef struct prov_aes_wrap_ctx_st {
	39	PROV_CIPHER_CTX base;
	40	union {
	41	OSSL_UNION_ALIGN;
	42	AES_KEY ks;
	43	} ks;
ca392b29 SL	44	aeswrap_fn wrapfn;
	45
	46	} PROV_AES_WRAP_CTX;
	47
	48
	49	static void *aes_wrap_newctx(size_t kbits, size_t blkbits,
	50	size_t ivbits, unsigned int mode, uint64_t flags)
	51	{
	52	PROV_AES_WRAP_CTX wctx = OPENSSL_zalloc(sizeof(wctx));
	53	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )wctx;
	54
	55	if (ctx != NULL) {
	56	cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
	57	NULL, NULL);
	58	ctx->pad = (ctx->ivlen == AES_WRAP_PAD_IVLEN);
	59	}
	60	return wctx;
	61	}
	62
	63	static void aes_wrap_freectx(void *vctx)
	64	{
	65	PROV_AES_WRAP_CTX wctx = (PROV_AES_WRAP_CTX )vctx;
ca392b29	66
ca392b29 SL	67	OPENSSL_clear_free(wctx, sizeof(*wctx));
	68	}
	69
	70	static int aes_wrap_init(void vctx, const unsigned char key,
	71	size_t keylen, const unsigned char *iv,
	72	size_t ivlen, int enc)
	73	{
	74	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
	75	PROV_AES_WRAP_CTX wctx = (PROV_AES_WRAP_CTX )vctx;
	76
	77	ctx->enc = enc;
	78	ctx->block = enc ? (block128_f)AES_encrypt : (block128_f)AES_decrypt;
	79	if (ctx->pad)
	80	wctx->wrapfn = enc ? CRYPTO_128_wrap_pad : CRYPTO_128_unwrap_pad;
	81	else
	82	wctx->wrapfn = enc ? CRYPTO_128_wrap : CRYPTO_128_unwrap;
	83
	84	if (iv != NULL) {
089cb623 SL	85	if (!cipher_generic_initiv(ctx, iv, ivlen))
089cb623 SL	86	return 0;
ca392b29 SL	87	}
	88	if (key != NULL) {
	89	if (keylen != ctx->keylen) {
	90	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
	91	return 0;
	92	}
	93	if (ctx->enc)
	94	AES_set_encrypt_key(key, keylen * 8, &wctx->ks.ks);
	95	else
	96	AES_set_decrypt_key(key, keylen * 8, &wctx->ks.ks);
	97	}
	98	return 1;
	99	}
	100
	101	static int aes_wrap_einit(void ctx, const unsigned char key, size_t keylen,
	102	const unsigned char *iv, size_t ivlen)
	103	{
	104	return aes_wrap_init(ctx, key, keylen, iv, ivlen, 1);
	105	}
	106
	107	static int aes_wrap_dinit(void ctx, const unsigned char key, size_t keylen,
	108	const unsigned char *iv, size_t ivlen)
	109	{
	110	return aes_wrap_init(ctx, key, keylen, iv, ivlen, 0);
	111	}
	112
	113	static int aes_wrap_cipher_internal(void vctx, unsigned char out,
	114	const unsigned char *in, size_t inlen)
	115	{
	116	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
	117	PROV_AES_WRAP_CTX wctx = (PROV_AES_WRAP_CTX )vctx;
	118	size_t rv;
	119	int pad = ctx->pad;
	120
	121	/* No final operation so always return zero length */
	122	if (in == NULL)
	123	return 0;
	124
	125	/* Input length must always be non-zero */
	126	if (inlen == 0)
	127	return -1;
	128
	129	/* If decrypting need at least 16 bytes and multiple of 8 */
	130	if (!ctx->enc && (inlen < 16 \|\| inlen & 0x7))
	131	return -1;
	132
	133	/* If not padding input must be multiple of 8 */
	134	if (!pad && inlen & 0x7)
	135	return -1;
	136
	137	if (out == NULL) {
	138	if (ctx->enc) {
	139	/* If padding round up to multiple of 8 */
	140	if (pad)
	141	inlen = (inlen + 7) / 8 * 8;
	142	/* 8 byte prefix */
	143	return inlen + 8;
	144	} else {
	145	/*
	146	* If not padding output will be exactly 8 bytes smaller than
	147	* input. If padding it will be at least 8 bytes smaller but we
	148	* don't know how much.
	149	*/
	150	return inlen - 8;
151	}
152	}
153
089cb623	154	rv = wctx->wrapfn(&wctx->ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in,
ca392b29 SL	155	inlen, ctx->block);
	156	return rv ? (int)rv : -1;
	157	}
	158
	159	static int aes_wrap_final(void vctx, unsigned char out, size_t *outl,
	160	size_t outsize)
	161	{
	162	*outl = 0;
	163	return 1;
	164	}
	165
	166	static int aes_wrap_cipher(void *vctx,
	167	unsigned char out, size_t outl, size_t outsize,
	168	const unsigned char *in, size_t inl)
	169	{
	170	PROV_AES_WRAP_CTX ctx = (PROV_AES_WRAP_CTX )vctx;
	171	size_t len;
	172
4b9c750b MC	173	if (inl == 0) {
	174	*outl = 0;
	175	return 1;
	176	}
	177
ca392b29 SL	178	if (outsize < inl) {
	179	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
	180	return -1;
	181	}
	182
	183	len = aes_wrap_cipher_internal(ctx, out, in, inl);
	184	if (len == 0)
	185	return -1;
	186
	187	*outl = len;
	188	return 1;
	189	}
	190
	191	static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
	192	{
	193	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
	194	const OSSL_PARAM *p;
	195	size_t keylen = 0;
	196
	197	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
	198	if (p != NULL) {
	199	if (!OSSL_PARAM_get_size_t(p, &keylen)) {
	200	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
	201	return 0;
	202	}
	203	if (ctx->keylen != keylen) {
	204	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
	205	return 0;
	206	}
	207	}
	208	return 1;
	209	}
	210
	211	#define IMPLEMENT_cipher(mode, fname, UCMODE, flags, kbits, blkbits, ivbits) \
	212	static OSSL_OP_cipher_get_params_fn aes_##kbits##_##fname##_get_params; \
	213	static int aes_##kbits##_##fname##_get_params(OSSL_PARAM params[]) \
	214	{ \
	215	return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
	216	flags, kbits, blkbits, ivbits); \
	217	} \
	218	static OSSL_OP_cipher_newctx_fn aes_##kbits##fname##_newctx; \
	219	static void aes_##kbits##fname##_newctx(void provctx) \
	220	{ \
	221	return aes_##mode##_newctx(kbits, blkbits, ivbits, \
	222	EVP_CIPH_##UCMODE##_MODE, flags); \
	223	} \
	224	const OSSL_DISPATCH aes##kbits##fname##_functions[] = { \
	225	{ OSSL_FUNC_CIPHER_NEWCTX, \
	226	(void (*)(void))aes_##kbits##fname##_newctx }, \
	227	{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
	228	{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
	229	{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher }, \
	230	{ OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final }, \
	231	{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
	232	{ OSSL_FUNC_CIPHER_GET_PARAMS, \
	233	(void (*)(void))aes_##kbits##_##fname##_get_params }, \
	234	{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
	235	(void (*)(void))cipher_generic_gettable_params }, \
	236	{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
	237	(void (*)(void))cipher_generic_get_ctx_params }, \
	238	{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
	239	(void (*)(void))aes_wrap_set_ctx_params }, \
	240	{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
	241	(void (*)(void))cipher_generic_gettable_ctx_params }, \
242	{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
243	(void (*)(void))cipher_generic_settable_ctx_params }, \
244	{ 0, NULL } \
245	}
246
247	IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
248	IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
249	IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
250	IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_PAD_IVLEN * 8);
251	IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_PAD_IVLEN * 8);
252	IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_PAD_IVLEN * 8);