1/* 2 * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#if defined(_WIN32) 11# include <windows.h> 12#endif 13 14#include <stdio.h> 15#include <string.h> 16 17#include <openssl/engine.h> 18#include <openssl/sha.h> 19#include <openssl/aes.h> 20#include <openssl/rsa.h> 21#include <openssl/evp.h> 22#include <openssl/async.h> 23#include <openssl/bn.h> 24#include <openssl/crypto.h> 25#include <openssl/ssl.h> 26#include <openssl/modes.h> 27 28#if defined(OPENSSL_SYS_UNIX) && defined(OPENSSL_THREADS) 29# undef ASYNC_POSIX 30# define ASYNC_POSIX 31# include <unistd.h> 32#elif defined(_WIN32) 33# undef ASYNC_WIN 34# define ASYNC_WIN 35#endif 36 37#include "e_dasync_err.c" 38 39/* Engine Id and Name */ 40static const char *engine_dasync_id = "dasync"; 41static const char *engine_dasync_name = "Dummy Async engine support"; 42 43 44/* Engine Lifetime functions */ 45static int dasync_destroy(ENGINE *e); 46static int dasync_init(ENGINE *e); 47static int dasync_finish(ENGINE *e); 48void engine_load_dasync_int(void); 49 50 51/* Set up digests. Just SHA1 for now */ 52static int dasync_digests(ENGINE *e, const EVP_MD **digest, 53 const int **nids, int nid); 54 55static void dummy_pause_job(void); 56 57/* SHA1 */ 58static int dasync_sha1_init(EVP_MD_CTX *ctx); 59static int dasync_sha1_update(EVP_MD_CTX *ctx, const void *data, 60 size_t count); 61static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md); 62 63/* 64 * Holds the EVP_MD object for sha1 in this engine. Set up once only during 65 * engine bind and can then be reused many times. 66 */ 67static EVP_MD *_hidden_sha1_md = NULL; 68static const EVP_MD *dasync_sha1(void) 69{ 70 return _hidden_sha1_md; 71} 72static void destroy_digests(void) 73{ 74 EVP_MD_meth_free(_hidden_sha1_md); 75 _hidden_sha1_md = NULL; 76} 77 78static int dasync_digest_nids(const int **nids) 79{ 80 static int digest_nids[2] = { 0, 0 }; 81 static int pos = 0; 82 static int init = 0; 83 84 if (!init) { 85 const EVP_MD *md; 86 if ((md = dasync_sha1()) != NULL) 87 digest_nids[pos++] = EVP_MD_type(md); 88 digest_nids[pos] = 0; 89 init = 1; 90 } 91 *nids = digest_nids; 92 return pos; 93} 94 95/* RSA */ 96 97static int dasync_pub_enc(int flen, const unsigned char *from, 98 unsigned char *to, RSA *rsa, int padding); 99static int dasync_pub_dec(int flen, const unsigned char *from, 100 unsigned char *to, RSA *rsa, int padding); 101static int dasync_rsa_priv_enc(int flen, const unsigned char *from, 102 unsigned char *to, RSA *rsa, int padding); 103static int dasync_rsa_priv_dec(int flen, const unsigned char *from, 104 unsigned char *to, RSA *rsa, int padding); 105static int dasync_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, 106 BN_CTX *ctx); 107 108static int dasync_rsa_init(RSA *rsa); 109static int dasync_rsa_finish(RSA *rsa); 110 111static RSA_METHOD *dasync_rsa_method = NULL; 112 113/* AES */ 114 115static int dasync_aes128_cbc_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 116 void *ptr); 117static int dasync_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 118 const unsigned char *iv, int enc); 119static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 120 const unsigned char *in, size_t inl); 121static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); 122 123static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, 124 int arg, void *ptr); 125static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 126 const unsigned char *key, 127 const unsigned char *iv, 128 int enc); 129static int dasync_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, 130 unsigned char *out, 131 const unsigned char *in, 132 size_t inl); 133static int dasync_aes128_cbc_hmac_sha1_cleanup(EVP_CIPHER_CTX *ctx); 134 135struct dasync_pipeline_ctx { 136 void *inner_cipher_data; 137 unsigned int numpipes; 138 unsigned char **inbufs; 139 unsigned char **outbufs; 140 size_t *lens; 141 unsigned char tlsaad[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; 142 unsigned int aadctr; 143}; 144 145/* 146 * Holds the EVP_CIPHER object for aes_128_cbc in this engine. Set up once only 147 * during engine bind and can then be reused many times. 148 */ 149static EVP_CIPHER *_hidden_aes_128_cbc = NULL; 150static const EVP_CIPHER *dasync_aes_128_cbc(void) 151{ 152 return _hidden_aes_128_cbc; 153} 154 155/* 156 * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up 157 * once only during engine bind and can then be reused many times. 158 * 159 * This 'stitched' cipher depends on the EVP_aes_128_cbc_hmac_sha1() cipher, 160 * which is implemented only if the AES-NI instruction set extension is available 161 * (see OPENSSL_IA32CAP(3)). If that's not the case, then this cipher will not 162 * be available either. 163 * 164 * Note: Since it is a legacy mac-then-encrypt cipher, modern TLS peers (which 165 * negotiate the encrypt-then-mac extension) won't negotiate it anyway. 166 */ 167static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL; 168static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) 169{ 170 return _hidden_aes_128_cbc_hmac_sha1; 171} 172 173static void destroy_ciphers(void) 174{ 175 EVP_CIPHER_meth_free(_hidden_aes_128_cbc); 176 EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); 177 _hidden_aes_128_cbc = NULL; 178 _hidden_aes_128_cbc_hmac_sha1 = NULL; 179} 180 181static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 182 const int **nids, int nid); 183 184static int dasync_cipher_nids[] = { 185 NID_aes_128_cbc_hmac_sha1, 186 NID_aes_128_cbc, 187 0 188}; 189 190static int bind_dasync(ENGINE *e) 191{ 192 /* Setup RSA_METHOD */ 193 if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL 194 || RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0 195 || RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0 196 || RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0 197 || RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0 198 || RSA_meth_set_mod_exp(dasync_rsa_method, dasync_rsa_mod_exp) == 0 199 || RSA_meth_set_bn_mod_exp(dasync_rsa_method, BN_mod_exp_mont) == 0 200 || RSA_meth_set_init(dasync_rsa_method, dasync_rsa_init) == 0 201 || RSA_meth_set_finish(dasync_rsa_method, dasync_rsa_finish) == 0) { 202 DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED); 203 return 0; 204 } 205 206 /* Ensure the dasync error handling is set up */ 207 ERR_load_DASYNC_strings(); 208 209 if (!ENGINE_set_id(e, engine_dasync_id) 210 || !ENGINE_set_name(e, engine_dasync_name) 211 || !ENGINE_set_RSA(e, dasync_rsa_method) 212 || !ENGINE_set_digests(e, dasync_digests) 213 || !ENGINE_set_ciphers(e, dasync_ciphers) 214 || !ENGINE_set_destroy_function(e, dasync_destroy) 215 || !ENGINE_set_init_function(e, dasync_init) 216 || !ENGINE_set_finish_function(e, dasync_finish)) { 217 DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED); 218 return 0; 219 } 220 221 /* 222 * Set up the EVP_CIPHER and EVP_MD objects for the ciphers/digests 223 * supplied by this engine 224 */ 225 _hidden_sha1_md = EVP_MD_meth_new(NID_sha1, NID_sha1WithRSAEncryption); 226 if (_hidden_sha1_md == NULL 227 || !EVP_MD_meth_set_result_size(_hidden_sha1_md, SHA_DIGEST_LENGTH) 228 || !EVP_MD_meth_set_input_blocksize(_hidden_sha1_md, SHA_CBLOCK) 229 || !EVP_MD_meth_set_app_datasize(_hidden_sha1_md, 230 sizeof(EVP_MD *) + sizeof(SHA_CTX)) 231 || !EVP_MD_meth_set_flags(_hidden_sha1_md, EVP_MD_FLAG_DIGALGID_ABSENT) 232 || !EVP_MD_meth_set_init(_hidden_sha1_md, dasync_sha1_init) 233 || !EVP_MD_meth_set_update(_hidden_sha1_md, dasync_sha1_update) 234 || !EVP_MD_meth_set_final(_hidden_sha1_md, dasync_sha1_final)) { 235 EVP_MD_meth_free(_hidden_sha1_md); 236 _hidden_sha1_md = NULL; 237 } 238 239 _hidden_aes_128_cbc = EVP_CIPHER_meth_new(NID_aes_128_cbc, 240 16 /* block size */, 241 16 /* key len */); 242 if (_hidden_aes_128_cbc == NULL 243 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc,16) 244 || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc, 245 EVP_CIPH_FLAG_DEFAULT_ASN1 246 | EVP_CIPH_CBC_MODE 247 | EVP_CIPH_FLAG_PIPELINE 248 | EVP_CIPH_CUSTOM_COPY) 249 || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc, 250 dasync_aes128_init_key) 251 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc, 252 dasync_aes128_cbc_cipher) 253 || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc, 254 dasync_aes128_cbc_cleanup) 255 || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc, 256 dasync_aes128_cbc_ctrl) 257 || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc, 258 sizeof(struct dasync_pipeline_ctx))) { 259 EVP_CIPHER_meth_free(_hidden_aes_128_cbc); 260 _hidden_aes_128_cbc = NULL; 261 } 262 263 _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( 264 NID_aes_128_cbc_hmac_sha1, 265 16 /* block size */, 266 16 /* key len */); 267 if (_hidden_aes_128_cbc_hmac_sha1 == NULL 268 || EVP_aes_128_cbc_hmac_sha1() == NULL 269 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16) 270 || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1, 271 EVP_CIPH_CBC_MODE 272 | EVP_CIPH_FLAG_DEFAULT_ASN1 273 | EVP_CIPH_FLAG_AEAD_CIPHER 274 | EVP_CIPH_FLAG_PIPELINE 275 | EVP_CIPH_CUSTOM_COPY) 276 || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1, 277 dasync_aes128_cbc_hmac_sha1_init_key) 278 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1, 279 dasync_aes128_cbc_hmac_sha1_cipher) 280 || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_128_cbc_hmac_sha1, 281 dasync_aes128_cbc_hmac_sha1_cleanup) 282 || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1, 283 dasync_aes128_cbc_hmac_sha1_ctrl) 284 || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1, 285 sizeof(struct dasync_pipeline_ctx))) { 286 EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); 287 _hidden_aes_128_cbc_hmac_sha1 = NULL; 288 } 289 290 return 1; 291} 292 293# ifndef OPENSSL_NO_DYNAMIC_ENGINE 294static int bind_helper(ENGINE *e, const char *id) 295{ 296 if (id && (strcmp(id, engine_dasync_id) != 0)) 297 return 0; 298 if (!bind_dasync(e)) 299 return 0; 300 return 1; 301} 302 303IMPLEMENT_DYNAMIC_CHECK_FN() 304 IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) 305# endif 306 307static ENGINE *engine_dasync(void) 308{ 309 ENGINE *ret = ENGINE_new(); 310 if (!ret) 311 return NULL; 312 if (!bind_dasync(ret)) { 313 ENGINE_free(ret); 314 return NULL; 315 } 316 return ret; 317} 318 319void engine_load_dasync_int(void) 320{ 321 ENGINE *toadd = engine_dasync(); 322 if (!toadd) 323 return; 324 ENGINE_add(toadd); 325 ENGINE_free(toadd); 326 ERR_clear_error(); 327} 328 329static int dasync_init(ENGINE *e) 330{ 331 return 1; 332} 333 334 335static int dasync_finish(ENGINE *e) 336{ 337 return 1; 338} 339 340 341static int dasync_destroy(ENGINE *e) 342{ 343 destroy_digests(); 344 destroy_ciphers(); 345 RSA_meth_free(dasync_rsa_method); 346 ERR_unload_DASYNC_strings(); 347 return 1; 348} 349 350static int dasync_digests(ENGINE *e, const EVP_MD **digest, 351 const int **nids, int nid) 352{ 353 int ok = 1; 354 if (!digest) { 355 /* We are returning a list of supported nids */ 356 return dasync_digest_nids(nids); 357 } 358 /* We are being asked for a specific digest */ 359 switch (nid) { 360 case NID_sha1: 361 *digest = dasync_sha1(); 362 break; 363 default: 364 ok = 0; 365 *digest = NULL; 366 break; 367 } 368 return ok; 369} 370 371static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, 372 const int **nids, int nid) 373{ 374 int ok = 1; 375 if (cipher == NULL) { 376 /* We are returning a list of supported nids */ 377 if (dasync_aes_128_cbc_hmac_sha1() == NULL) { 378 *nids = dasync_cipher_nids + 1; 379 return 1; 380 } 381 *nids = dasync_cipher_nids; 382 return (sizeof(dasync_cipher_nids) - 383 1) / sizeof(dasync_cipher_nids[0]); 384 } 385 /* We are being asked for a specific cipher */ 386 switch (nid) { 387 case NID_aes_128_cbc: 388 *cipher = dasync_aes_128_cbc(); 389 break; 390 case NID_aes_128_cbc_hmac_sha1: 391 *cipher = dasync_aes_128_cbc_hmac_sha1(); 392 break; 393 default: 394 ok = 0; 395 *cipher = NULL; 396 break; 397 } 398 return ok; 399} 400 401static void wait_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, 402 OSSL_ASYNC_FD readfd, void *pvwritefd) 403{ 404 OSSL_ASYNC_FD *pwritefd = (OSSL_ASYNC_FD *)pvwritefd; 405#if defined(ASYNC_WIN) 406 CloseHandle(readfd); 407 CloseHandle(*pwritefd); 408#elif defined(ASYNC_POSIX) 409 close(readfd); 410 close(*pwritefd); 411#endif 412 OPENSSL_free(pwritefd); 413} 414 415#define DUMMY_CHAR 'X' 416 417static void dummy_pause_job(void) { 418 ASYNC_JOB *job; 419 ASYNC_WAIT_CTX *waitctx; 420 OSSL_ASYNC_FD pipefds[2] = {0, 0}; 421 OSSL_ASYNC_FD *writefd; 422#if defined(ASYNC_WIN) 423 DWORD numwritten, numread; 424 char buf = DUMMY_CHAR; 425#elif defined(ASYNC_POSIX) 426 char buf = DUMMY_CHAR; 427#endif 428 429 if ((job = ASYNC_get_current_job()) == NULL) 430 return; 431 432 waitctx = ASYNC_get_wait_ctx(job); 433 434 if (ASYNC_WAIT_CTX_get_fd(waitctx, engine_dasync_id, &pipefds[0], 435 (void **)&writefd)) { 436 pipefds[1] = *writefd; 437 } else { 438 writefd = OPENSSL_malloc(sizeof(*writefd)); 439 if (writefd == NULL) 440 return; 441#if defined(ASYNC_WIN) 442 if (CreatePipe(&pipefds[0], &pipefds[1], NULL, 256) == 0) { 443 OPENSSL_free(writefd); 444 return; 445 } 446#elif defined(ASYNC_POSIX) 447 if (pipe(pipefds) != 0) { 448 OPENSSL_free(writefd); 449 return; 450 } 451#endif 452 *writefd = pipefds[1]; 453 454 if (!ASYNC_WAIT_CTX_set_wait_fd(waitctx, engine_dasync_id, pipefds[0], 455 writefd, wait_cleanup)) { 456 wait_cleanup(waitctx, engine_dasync_id, pipefds[0], writefd); 457 return; 458 } 459 } 460 /* 461 * In the Dummy async engine we are cheating. We signal that the job 462 * is complete by waking it before the call to ASYNC_pause_job(). A real 463 * async engine would only wake when the job was actually complete 464 */ 465#if defined(ASYNC_WIN) 466 WriteFile(pipefds[1], &buf, 1, &numwritten, NULL); 467#elif defined(ASYNC_POSIX) 468 if (write(pipefds[1], &buf, 1) < 0) 469 return; 470#endif 471 472 /* Ignore errors - we carry on anyway */ 473 ASYNC_pause_job(); 474 475 /* Clear the wake signal */ 476#if defined(ASYNC_WIN) 477 ReadFile(pipefds[0], &buf, 1, &numread, NULL); 478#elif defined(ASYNC_POSIX) 479 if (read(pipefds[0], &buf, 1) < 0) 480 return; 481#endif 482} 483 484/* 485 * SHA1 implementation. At the moment we just defer to the standard 486 * implementation 487 */ 488#undef data 489#define data(ctx) ((SHA_CTX *)EVP_MD_CTX_md_data(ctx)) 490static int dasync_sha1_init(EVP_MD_CTX *ctx) 491{ 492 dummy_pause_job(); 493 494 return SHA1_Init(data(ctx)); 495} 496 497static int dasync_sha1_update(EVP_MD_CTX *ctx, const void *data, 498 size_t count) 499{ 500 dummy_pause_job(); 501 502 return SHA1_Update(data(ctx), data, (size_t)count); 503} 504 505static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md) 506{ 507 dummy_pause_job(); 508 509 return SHA1_Final(md, data(ctx)); 510} 511 512/* 513 * RSA implementation 514 */ 515 516static int dasync_pub_enc(int flen, const unsigned char *from, 517 unsigned char *to, RSA *rsa, int padding) { 518 /* Ignore errors - we carry on anyway */ 519 dummy_pause_job(); 520 return RSA_meth_get_pub_enc(RSA_PKCS1_OpenSSL()) 521 (flen, from, to, rsa, padding); 522} 523 524static int dasync_pub_dec(int flen, const unsigned char *from, 525 unsigned char *to, RSA *rsa, int padding) { 526 /* Ignore errors - we carry on anyway */ 527 dummy_pause_job(); 528 return RSA_meth_get_pub_dec(RSA_PKCS1_OpenSSL()) 529 (flen, from, to, rsa, padding); 530} 531 532static int dasync_rsa_priv_enc(int flen, const unsigned char *from, 533 unsigned char *to, RSA *rsa, int padding) 534{ 535 /* Ignore errors - we carry on anyway */ 536 dummy_pause_job(); 537 return RSA_meth_get_priv_enc(RSA_PKCS1_OpenSSL()) 538 (flen, from, to, rsa, padding); 539} 540 541static int dasync_rsa_priv_dec(int flen, const unsigned char *from, 542 unsigned char *to, RSA *rsa, int padding) 543{ 544 /* Ignore errors - we carry on anyway */ 545 dummy_pause_job(); 546 return RSA_meth_get_priv_dec(RSA_PKCS1_OpenSSL()) 547 (flen, from, to, rsa, padding); 548} 549 550static int dasync_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 551{ 552 /* Ignore errors - we carry on anyway */ 553 dummy_pause_job(); 554 return RSA_meth_get_mod_exp(RSA_PKCS1_OpenSSL())(r0, I, rsa, ctx); 555} 556 557static int dasync_rsa_init(RSA *rsa) 558{ 559 return RSA_meth_get_init(RSA_PKCS1_OpenSSL())(rsa); 560} 561static int dasync_rsa_finish(RSA *rsa) 562{ 563 return RSA_meth_get_finish(RSA_PKCS1_OpenSSL())(rsa); 564} 565 566/* Cipher helper functions */ 567 568static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg, 569 void *ptr, int aeadcapable) 570{ 571 int ret; 572 struct dasync_pipeline_ctx *pipe_ctx = 573 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 574 575 if (pipe_ctx == NULL) 576 return 0; 577 578 switch (type) { 579 case EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS: 580 pipe_ctx->numpipes = arg; 581 pipe_ctx->outbufs = (unsigned char **)ptr; 582 break; 583 584 case EVP_CTRL_SET_PIPELINE_INPUT_BUFS: 585 pipe_ctx->numpipes = arg; 586 pipe_ctx->inbufs = (unsigned char **)ptr; 587 break; 588 589 case EVP_CTRL_SET_PIPELINE_INPUT_LENS: 590 pipe_ctx->numpipes = arg; 591 pipe_ctx->lens = (size_t *)ptr; 592 break; 593 594 case EVP_CTRL_AEAD_SET_MAC_KEY: 595 if (!aeadcapable) 596 return -1; 597 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx->inner_cipher_data); 598 ret = EVP_CIPHER_meth_get_ctrl(EVP_aes_128_cbc_hmac_sha1()) 599 (ctx, type, arg, ptr); 600 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx); 601 return ret; 602 603 case EVP_CTRL_AEAD_TLS1_AAD: 604 { 605 unsigned char *p = ptr; 606 unsigned int len; 607 608 if (!aeadcapable || arg != EVP_AEAD_TLS1_AAD_LEN) 609 return -1; 610 611 if (pipe_ctx->aadctr >= SSL_MAX_PIPELINES) 612 return -1; 613 614 memcpy(pipe_ctx->tlsaad[pipe_ctx->aadctr], ptr, 615 EVP_AEAD_TLS1_AAD_LEN); 616 pipe_ctx->aadctr++; 617 618 len = p[arg - 2] << 8 | p[arg - 1]; 619 620 if (EVP_CIPHER_CTX_encrypting(ctx)) { 621 if ((p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) { 622 if (len < AES_BLOCK_SIZE) 623 return 0; 624 len -= AES_BLOCK_SIZE; 625 } 626 627 return ((len + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) 628 & -AES_BLOCK_SIZE) - len; 629 } else { 630 return SHA_DIGEST_LENGTH; 631 } 632 } 633 634 case EVP_CTRL_COPY: 635 { 636 const EVP_CIPHER *cipher = aeadcapable 637 ? EVP_aes_128_cbc_hmac_sha1() 638 : EVP_aes_128_cbc(); 639 size_t data_size = EVP_CIPHER_impl_ctx_size(cipher); 640 void *cipher_data = OPENSSL_malloc(data_size); 641 642 if (cipher_data == NULL) 643 return 0; 644 memcpy(cipher_data, pipe_ctx->inner_cipher_data, data_size); 645 pipe_ctx->inner_cipher_data = cipher_data; 646 return 1; 647 } 648 649 default: 650 return 0; 651 } 652 653 return 1; 654} 655 656static int dasync_cipher_init_key_helper(EVP_CIPHER_CTX *ctx, 657 const unsigned char *key, 658 const unsigned char *iv, int enc, 659 const EVP_CIPHER *cipher) 660{ 661 int ret; 662 struct dasync_pipeline_ctx *pipe_ctx = 663 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 664 665 if (pipe_ctx->inner_cipher_data == NULL 666 && EVP_CIPHER_impl_ctx_size(cipher) != 0) { 667 pipe_ctx->inner_cipher_data = OPENSSL_zalloc( 668 EVP_CIPHER_impl_ctx_size(cipher)); 669 if (pipe_ctx->inner_cipher_data == NULL) { 670 DASYNCerr(DASYNC_F_DASYNC_CIPHER_INIT_KEY_HELPER, 671 ERR_R_MALLOC_FAILURE); 672 return 0; 673 } 674 } 675 676 pipe_ctx->numpipes = 0; 677 pipe_ctx->aadctr = 0; 678 679 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx->inner_cipher_data); 680 ret = EVP_CIPHER_meth_get_init(cipher)(ctx, key, iv, enc); 681 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx); 682 683 return ret; 684} 685 686static int dasync_cipher_helper(EVP_CIPHER_CTX *ctx, unsigned char *out, 687 const unsigned char *in, size_t inl, 688 const EVP_CIPHER *cipher) 689{ 690 int ret = 1; 691 unsigned int i, pipes; 692 struct dasync_pipeline_ctx *pipe_ctx = 693 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 694 695 pipes = pipe_ctx->numpipes; 696 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx->inner_cipher_data); 697 if (pipes == 0) { 698 if (pipe_ctx->aadctr != 0) { 699 if (pipe_ctx->aadctr != 1) 700 return -1; 701 EVP_CIPHER_meth_get_ctrl(cipher) 702 (ctx, EVP_CTRL_AEAD_TLS1_AAD, 703 EVP_AEAD_TLS1_AAD_LEN, 704 pipe_ctx->tlsaad[0]); 705 } 706 ret = EVP_CIPHER_meth_get_do_cipher(cipher) 707 (ctx, out, in, inl); 708 } else { 709 if (pipe_ctx->aadctr > 0 && pipe_ctx->aadctr != pipes) 710 return -1; 711 for (i = 0; i < pipes; i++) { 712 if (pipe_ctx->aadctr > 0) { 713 EVP_CIPHER_meth_get_ctrl(cipher) 714 (ctx, EVP_CTRL_AEAD_TLS1_AAD, 715 EVP_AEAD_TLS1_AAD_LEN, 716 pipe_ctx->tlsaad[i]); 717 } 718 ret = ret && EVP_CIPHER_meth_get_do_cipher(cipher) 719 (ctx, pipe_ctx->outbufs[i], pipe_ctx->inbufs[i], 720 pipe_ctx->lens[i]); 721 } 722 pipe_ctx->numpipes = 0; 723 } 724 pipe_ctx->aadctr = 0; 725 EVP_CIPHER_CTX_set_cipher_data(ctx, pipe_ctx); 726 return ret; 727} 728 729static int dasync_cipher_cleanup_helper(EVP_CIPHER_CTX *ctx, 730 const EVP_CIPHER *cipher) 731{ 732 struct dasync_pipeline_ctx *pipe_ctx = 733 (struct dasync_pipeline_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); 734 735 OPENSSL_clear_free(pipe_ctx->inner_cipher_data, 736 EVP_CIPHER_impl_ctx_size(cipher)); 737 738 return 1; 739} 740 741/* 742 * AES128 CBC Implementation 743 */ 744 745static int dasync_aes128_cbc_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 746 void *ptr) 747{ 748 return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0); 749} 750 751static int dasync_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 752 const unsigned char *iv, int enc) 753{ 754 return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_128_cbc()); 755} 756 757static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 758 const unsigned char *in, size_t inl) 759{ 760 return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_128_cbc()); 761} 762 763static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) 764{ 765 return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); 766} 767 768 769/* 770 * AES128 CBC HMAC SHA1 Implementation 771 */ 772 773static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, 774 int arg, void *ptr) 775{ 776 return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 1); 777} 778 779static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, 780 const unsigned char *key, 781 const unsigned char *iv, 782 int enc) 783{ 784 /* 785 * We can safely assume that EVP_aes_128_cbc_hmac_sha1() != NULL, 786 * see comment before the definition of dasync_aes_128_cbc_hmac_sha1(). 787 */ 788 return dasync_cipher_init_key_helper(ctx, key, iv, enc, 789 EVP_aes_128_cbc_hmac_sha1()); 790} 791 792static int dasync_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, 793 unsigned char *out, 794 const unsigned char *in, 795 size_t inl) 796{ 797 return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_128_cbc_hmac_sha1()); 798} 799 800static int dasync_aes128_cbc_hmac_sha1_cleanup(EVP_CIPHER_CTX *ctx) 801{ 802 /* 803 * We can safely assume that EVP_aes_128_cbc_hmac_sha1() != NULL, 804 * see comment before the definition of dasync_aes_128_cbc_hmac_sha1(). 805 */ 806 return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc_hmac_sha1()); 807} 808