OLD | NEW |
| (Empty) |
1 From 98f0c6e114f55b4451bea824b05ab29db3351f12 Mon Sep 17 00:00:00 2001 | |
2 From: Adam Langley <agl@chromium.org> | |
3 Date: Thu, 25 Jul 2013 16:52:35 -0400 | |
4 Subject: [PATCH 40/50] aead_support | |
5 | |
6 This change adds an AEAD interface to EVP and an AES-GCM implementation | |
7 suitable for use in TLS. | |
8 --- | |
9 crypto/evp/Makefile | 4 +- | |
10 crypto/evp/e_aes.c | 214 +++++++++++++++++++++++++++++++++++---- | |
11 crypto/evp/evp.h | 111 ++++++++++++++++++++ | |
12 crypto/evp/evp_aead.c | 192 +++++++++++++++++++++++++++++++++++ | |
13 crypto/evp/evp_err.c | 8 ++ | |
14 crypto/evp/evp_locl.h | 24 +++++ | |
15 doc/crypto/EVP_AEAD_CTX_init.pod | 96 ++++++++++++++++++ | |
16 7 files changed, 626 insertions(+), 23 deletions(-) | |
17 create mode 100644 crypto/evp/evp_aead.c | |
18 create mode 100644 doc/crypto/EVP_AEAD_CTX_init.pod | |
19 | |
20 diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile | |
21 index 1e46ceb..b73038d 100644 | |
22 --- a/crypto/evp/Makefile | |
23 +++ b/crypto/evp/Makefile | |
24 @@ -29,7 +29,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_c
nf.c \ | |
25 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ | |
26 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \ | |
27 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \ | |
28 - e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c | |
29 + e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c evp_aead.c | |
30 | |
31 LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \ | |
32 e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\ | |
33 @@ -42,7 +42,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o
evp_cnf.o \ | |
34 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ | |
35 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \ | |
36 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \ | |
37 - e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o | |
38 + e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o evp_aead.o | |
39 | |
40 SRC= $(LIBSRC) | |
41 | |
42 diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c | |
43 index ef44f63..e4485e4 100644 | |
44 --- a/crypto/evp/e_aes.c | |
45 +++ b/crypto/evp/e_aes.c | |
46 @@ -814,44 +814,45 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int a
rg, void *ptr) | |
47 } | |
48 } | |
49 | |
50 -static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
51 - const unsigned char *iv, int enc) | |
52 +static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, | |
53 + const unsigned char *key, size_t key_len) | |
54 { | |
55 - EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | |
56 - if (!iv && !key) | |
57 - return 1; | |
58 - if (key) | |
59 - { do { | |
60 #ifdef BSAES_CAPABLE | |
61 if (BSAES_CAPABLE) | |
62 { | |
63 - AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); | |
64 - CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, | |
65 + AES_set_encrypt_key(key,key_len*8,aes_key); | |
66 + CRYPTO_gcm128_init(gcm_ctx,aes_key, | |
67 (block128_f)AES_encrypt); | |
68 - gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; | |
69 - break; | |
70 + return (ctr128_f)bsaes_ctr32_encrypt_blocks; | |
71 } | |
72 - else | |
73 #endif | |
74 #ifdef VPAES_CAPABLE | |
75 if (VPAES_CAPABLE) | |
76 { | |
77 - vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); | |
78 - CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, | |
79 + vpaes_set_encrypt_key(key,key_len*8,aes_key); | |
80 + CRYPTO_gcm128_init(gcm_ctx,aes_key, | |
81 (block128_f)vpaes_encrypt); | |
82 - gctx->ctr = NULL; | |
83 - break; | |
84 + return NULL; | |
85 } | |
86 #endif | |
87 - AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); | |
88 - CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encryp
t); | |
89 + AES_set_encrypt_key(key, key_len*8, aes_key); | |
90 + CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); | |
91 #ifdef AES_CTR_ASM | |
92 - gctx->ctr = (ctr128_f)AES_ctr32_encrypt; | |
93 + return (ctr128_f)AES_ctr32_encrypt; | |
94 #else | |
95 - gctx->ctr = NULL; | |
96 + return NULL; | |
97 #endif | |
98 - } while (0); | |
99 + } | |
100 | |
101 +static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | |
102 + const unsigned char *iv, int enc) | |
103 + { | |
104 + EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | |
105 + if (!iv && !key) | |
106 + return 1; | |
107 + if (key) | |
108 + { | |
109 + gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key
_len); | |
110 /* If we have an iv can set it directly, otherwise use | |
111 * saved IV. | |
112 */ | |
113 @@ -1310,5 +1311,176 @@ BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FL
AG_FIPS|CUSTOM_FLAGS) | |
114 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | |
115 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | |
116 | |
117 +#define EVP_AEAD_AES_128_GCM_TAG_LEN 16 | |
118 + | |
119 +struct aead_aes_128_gcm_ctx { | |
120 + union { double align; AES_KEY ks; } ks; | |
121 + GCM128_CONTEXT gcm; | |
122 + ctr128_f ctr; | |
123 + unsigned char tag_len; | |
124 +}; | |
125 + | |
126 +static int aead_aes_128_gcm_init(EVP_AEAD_CTX *ctx, | |
127 + const unsigned char *key, size_t key_len, size_t tag_len) | |
128 + { | |
129 + struct aead_aes_128_gcm_ctx *gcm_ctx; | |
130 + | |
131 + if (key_len*8 != 128) | |
132 + { | |
133 + EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_BAD_KEY_LENGTH); | |
134 + return 0; /* EVP_AEAD_CTX_init should catch this. */ | |
135 + } | |
136 + | |
137 + if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) | |
138 + tag_len = EVP_AEAD_AES_128_GCM_TAG_LEN; | |
139 + | |
140 + if (tag_len > EVP_AEAD_AES_128_GCM_TAG_LEN) | |
141 + { | |
142 + EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_TAG_TOO_LARGE); | |
143 + return 0; | |
144 + } | |
145 + | |
146 + gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_128_gcm_ctx)); | |
147 + if (gcm_ctx == NULL) | |
148 + return 0; | |
149 + | |
150 +#ifdef AESNI_CAPABLE | |
151 + if (AESNI_CAPABLE) | |
152 + { | |
153 + aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks); | |
154 + CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, | |
155 + (block128_f)aesni_encrypt); | |
156 + gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; | |
157 + } | |
158 + else | |
159 +#endif | |
160 + { | |
161 + gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, | |
162 + key, key_len); | |
163 + } | |
164 + gcm_ctx->tag_len = tag_len; | |
165 + ctx->aead_state = gcm_ctx; | |
166 + | |
167 + return 1; | |
168 + } | |
169 + | |
170 +static void aead_aes_128_gcm_cleanup(EVP_AEAD_CTX *ctx) | |
171 + { | |
172 + struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; | |
173 + OPENSSL_free(gcm_ctx); | |
174 + } | |
175 + | |
176 +static ssize_t aead_aes_128_gcm_seal(const EVP_AEAD_CTX *ctx, | |
177 + unsigned char *out, size_t max_out_len, | |
178 + const unsigned char *nonce, size_t nonce_len, | |
179 + const unsigned char *in, size_t in_len, | |
180 + const unsigned char *ad, size_t ad_len) | |
181 + { | |
182 + size_t bulk = 0; | |
183 + const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; | |
184 + GCM128_CONTEXT gcm; | |
185 + | |
186 + if (max_out_len < in_len + gcm_ctx->tag_len) | |
187 + { | |
188 + EVPerr(EVP_F_AEAD_AES_128_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL); | |
189 + return -1; | |
190 + } | |
191 + | |
192 + memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); | |
193 + CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); | |
194 + | |
195 + if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) | |
196 + return -1; | |
197 + | |
198 + if (gcm_ctx->ctr) | |
199 + { | |
200 + if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, | |
201 + in_len - bulk, gcm_ctx->ctr)) | |
202 + return -1; | |
203 + } | |
204 + else | |
205 + { | |
206 + if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, | |
207 + in_len - bulk)) | |
208 + return -1; | |
209 + } | |
210 + | |
211 + CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); | |
212 + return in_len + gcm_ctx->tag_len; | |
213 + } | |
214 + | |
215 +static ssize_t aead_aes_128_gcm_open(const EVP_AEAD_CTX *ctx, | |
216 + unsigned char *out, size_t max_out_len, | |
217 + const unsigned char *nonce, size_t nonce_len, | |
218 + const unsigned char *in, size_t in_len, | |
219 + const unsigned char *ad, size_t ad_len) | |
220 + { | |
221 + size_t bulk = 0; | |
222 + const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; | |
223 + unsigned char tag[EVP_AEAD_AES_128_GCM_TAG_LEN]; | |
224 + size_t out_len; | |
225 + GCM128_CONTEXT gcm; | |
226 + | |
227 + if (in_len < gcm_ctx->tag_len) | |
228 + { | |
229 + EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT); | |
230 + return -1; | |
231 + } | |
232 + | |
233 + out_len = in_len - gcm_ctx->tag_len; | |
234 + | |
235 + if (max_out_len < out_len) | |
236 + { | |
237 + EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL); | |
238 + return -1; | |
239 + } | |
240 + | |
241 + memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); | |
242 + CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); | |
243 + | |
244 + if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) | |
245 + return -1; | |
246 + | |
247 + if (gcm_ctx->ctr) | |
248 + { | |
249 + if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, | |
250 + in_len-bulk-gcm_ctx->tag_len, | |
251 + gcm_ctx->ctr)) | |
252 + return -1; | |
253 + } | |
254 + else | |
255 + { | |
256 + if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, | |
257 + in_len - bulk - gcm_ctx->tag_len)) | |
258 + return -1; | |
259 + } | |
260 + | |
261 + CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); | |
262 + if (CRYPTO_memcmp(tag, in + out_len, gcm_ctx->tag_len) != 0) | |
263 + { | |
264 + EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT); | |
265 + return -1; | |
266 + } | |
267 + | |
268 + return out_len; | |
269 + } | |
270 + | |
271 +static const EVP_AEAD aead_aes_128_gcm = { | |
272 + 16, /* key len */ | |
273 + 12, /* nonce len */ | |
274 + EVP_AEAD_AES_128_GCM_TAG_LEN, /* overhead */ | |
275 + EVP_AEAD_AES_128_GCM_TAG_LEN, /* max tag length */ | |
276 + | |
277 + aead_aes_128_gcm_init, | |
278 + aead_aes_128_gcm_cleanup, | |
279 + aead_aes_128_gcm_seal, | |
280 + aead_aes_128_gcm_open, | |
281 +}; | |
282 + | |
283 +const EVP_AEAD *EVP_aead_aes_128_gcm() | |
284 + { | |
285 + return &aead_aes_128_gcm; | |
286 + } | |
287 + | |
288 #endif | |
289 #endif | |
290 diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h | |
291 index 5f18d4b..bd10642 100644 | |
292 --- a/crypto/evp/evp.h | |
293 +++ b/crypto/evp/evp.h | |
294 @@ -1243,6 +1243,109 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, | |
295 int (*ctrl_str)(EVP_PKEY_CTX *ctx, | |
296 const char *type, const char *value)); | |
297 | |
298 +/* Authenticated Encryption with Additional Data. | |
299 + * | |
300 + * AEAD couples confidentiality and integrity in a single primtive. AEAD | |
301 + * algorithms take a key and then can seal and open individual messages. Each | |
302 + * message has a unique, per-message nonce and, optionally, additional data | |
303 + * which is authenticated but not included in the output. */ | |
304 + | |
305 +struct evp_aead_st; | |
306 +typedef struct evp_aead_st EVP_AEAD; | |
307 + | |
308 +#ifndef OPENSSL_NO_AES | |
309 +/* EVP_aes_128_gcm is AES-128 in Galois Counter Mode. */ | |
310 +const EVP_AEAD *EVP_aead_aes_128_gcm(void); | |
311 +#endif | |
312 + | |
313 +/* EVP_AEAD_key_length returns the length, in bytes, of the keys used by | |
314 + * |aead|. */ | |
315 +size_t EVP_AEAD_key_length(const EVP_AEAD *aead); | |
316 + | |
317 +/* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce | |
318 + * for |aead|. */ | |
319 +size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead); | |
320 + | |
321 +/* EVP_AEAD_max_overhead returns the maximum number of additional bytes added | |
322 + * by the act of sealing data with |aead|. */ | |
323 +size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead); | |
324 + | |
325 +/* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This | |
326 + * is the largest value that can be passed as |tag_len| to | |
327 + * |EVP_AEAD_CTX_init|. */ | |
328 +size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead); | |
329 + | |
330 +/* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key | |
331 + * and message-independent IV. */ | |
332 +typedef struct evp_aead_ctx_st { | |
333 + const EVP_AEAD *aead; | |
334 + /* aead_state is an opaque pointer to whatever state the AEAD needs to | |
335 + * maintain. */ | |
336 + void *aead_state; | |
337 +} EVP_AEAD_CTX; | |
338 + | |
339 +#define EVP_AEAD_DEFAULT_TAG_LENGTH 0 | |
340 + | |
341 +/* EVP_AEAD_init initializes |ctx| for the given AEAD algorithm from |impl|. | |
342 + * The |impl| argument may be NULL to choose the default implementation. | |
343 + * Authentication tags may be truncated by passing a size as |tag_len|. A | |
344 + * |tag_len| of zero indicates the default tag length and this is defined as | |
345 + * EVP_AEAD_DEFAULT_TAG_LENGTH for readability. | |
346 + * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */ | |
347 +int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, | |
348 + const unsigned char *key, size_t key_len, | |
349 + size_t tag_len, ENGINE *impl); | |
350 + | |
351 +/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */ | |
352 +void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx); | |
353 + | |
354 +/* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and | |
355 + * authenticates |ad_len| bytes from |ad| and writes the result to |out|, | |
356 + * returning the number of bytes written, or -1 on error. | |
357 + * | |
358 + * This function may be called (with the same EVP_AEAD_CTX) concurrently with | |
359 + * itself or EVP_AEAD_CTX_open. | |
360 + * | |
361 + * At most |max_out_len| bytes are written to |out| and, in order to ensure | |
362 + * success, |max_out_len| should be |in_len| plus the result of | |
363 + * EVP_AEAD_overhead. | |
364 + * | |
365 + * The length of |nonce|, |nonce_len|, must be equal to the result of | |
366 + * EVP_AEAD_nonce_length for this AEAD. | |
367 + * | |
368 + * EVP_AEAD_CTX_seal never results in a partial output. If |max_out_len| is | |
369 + * insufficient, -1 will be returned. | |
370 + * | |
371 + * If |in| and |out| alias then |out| must be <= |in|. */ | |
372 +ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, | |
373 + unsigned char *out, size_t max_out_len, | |
374 + const unsigned char *nonce, size_t nonce_len, | |
375 + const unsigned char *in, size_t in_len, | |
376 + const unsigned char *ad, size_t ad_len); | |
377 + | |
378 +/* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes | |
379 + * from |ad| and decrypts at most |in_len| bytes into |out|. It returns the | |
380 + * number of bytes written, or -1 on error. | |
381 + * | |
382 + * This function may be called (with the same EVP_AEAD_CTX) concurrently with | |
383 + * itself or EVP_AEAD_CTX_seal. | |
384 + * | |
385 + * At most |in_len| bytes are written to |out|. In order to ensure success, | |
386 + * |max_out_len| should be at least |in_len|. | |
387 + * | |
388 + * The length of |nonce|, |nonce_len|, must be equal to the result of | |
389 + * EVP_AEAD_nonce_length for this AEAD. | |
390 + * | |
391 + * EVP_AEAD_CTX_open never results in a partial output. If |max_out_len| is | |
392 + * insufficient, -1 will be returned. | |
393 + * | |
394 + * If |in| and |out| alias then |out| must be <= |in|. */ | |
395 +ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, | |
396 + unsigned char *out, size_t max_out_len, | |
397 + const unsigned char *nonce, size_t nonce_len, | |
398 + const unsigned char *in, size_t in_len, | |
399 + const unsigned char *ad, size_t ad_len); | |
400 + | |
401 void EVP_add_alg_module(void); | |
402 | |
403 /* BEGIN ERROR CODES */ | |
404 @@ -1254,6 +1357,11 @@ void ERR_load_EVP_strings(void); | |
405 /* Error codes for the EVP functions. */ | |
406 | |
407 /* Function codes. */ | |
408 +#define EVP_F_AEAD_AES_128_GCM_INIT 183 | |
409 +#define EVP_F_AEAD_AES_128_GCM_OPEN 181 | |
410 +#define EVP_F_AEAD_AES_128_GCM_SEAL 182 | |
411 +#define EVP_F_AEAD_CTX_OPEN 185 | |
412 +#define EVP_F_AEAD_CTX_SEAL 186 | |
413 #define EVP_F_AESNI_INIT_KEY 165 | |
414 #define EVP_F_AESNI_XTS_CIPHER 176 | |
415 #define EVP_F_AES_INIT_KEY 133 | |
416 @@ -1268,6 +1376,7 @@ void ERR_load_EVP_strings(void); | |
417 #define EVP_F_DSA_PKEY2PKCS8 135 | |
418 #define EVP_F_ECDSA_PKEY2PKCS8 129 | |
419 #define EVP_F_ECKEY_PKEY2PKCS8 132 | |
420 +#define EVP_F_EVP_AEAD_CTX_INIT 180 | |
421 #define EVP_F_EVP_CIPHERINIT_EX 123 | |
422 #define EVP_F_EVP_CIPHER_CTX_COPY 163 | |
423 #define EVP_F_EVP_CIPHER_CTX_CTRL 124 | |
424 @@ -1383,10 +1492,12 @@ void ERR_load_EVP_strings(void); | |
425 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105 | |
426 #define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 | |
427 #define EVP_R_OPERATON_NOT_INITIALIZED 151 | |
428 +#define EVP_R_OUTPUT_ALIASES_INPUT 170 | |
429 #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117 | |
430 #define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 | |
431 #define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 | |
432 #define EVP_R_PUBLIC_KEY_NOT_RSA 106 | |
433 +#define EVP_R_TAG_TOO_LARGE 171 | |
434 #define EVP_R_TOO_LARGE 164 | |
435 #define EVP_R_UNKNOWN_CIPHER 160 | |
436 #define EVP_R_UNKNOWN_DIGEST 161 | |
437 diff --git a/crypto/evp/evp_aead.c b/crypto/evp/evp_aead.c | |
438 new file mode 100644 | |
439 index 0000000..91da561 | |
440 --- /dev/null | |
441 +++ b/crypto/evp/evp_aead.c | |
442 @@ -0,0 +1,192 @@ | |
443 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
444 + * All rights reserved. | |
445 + * | |
446 + * This package is an SSL implementation written | |
447 + * by Eric Young (eay@cryptsoft.com). | |
448 + * The implementation was written so as to conform with Netscapes SSL. | |
449 + * | |
450 + * This library is free for commercial and non-commercial use as long as | |
451 + * the following conditions are aheared to. The following conditions | |
452 + * apply to all code found in this distribution, be it the RC4, RSA, | |
453 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
454 + * included with this distribution is covered by the same copyright terms | |
455 + * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
456 + * | |
457 + * Copyright remains Eric Young's, and as such any Copyright notices in | |
458 + * the code are not to be removed. | |
459 + * If this package is used in a product, Eric Young should be given attribution | |
460 + * as the author of the parts of the library used. | |
461 + * This can be in the form of a textual message at program startup or | |
462 + * in documentation (online or textual) provided with the package. | |
463 + * | |
464 + * Redistribution and use in source and binary forms, with or without | |
465 + * modification, are permitted provided that the following conditions | |
466 + * are met: | |
467 + * 1. Redistributions of source code must retain the copyright | |
468 + * notice, this list of conditions and the following disclaimer. | |
469 + * 2. Redistributions in binary form must reproduce the above copyright | |
470 + * notice, this list of conditions and the following disclaimer in the | |
471 + * documentation and/or other materials provided with the distribution. | |
472 + * 3. All advertising materials mentioning features or use of this software | |
473 + * must display the following acknowledgement: | |
474 + * "This product includes cryptographic software written by | |
475 + * Eric Young (eay@cryptsoft.com)" | |
476 + * The word 'cryptographic' can be left out if the rouines from the library | |
477 + * being used are not cryptographic related :-). | |
478 + * 4. If you include any Windows specific code (or a derivative thereof) from | |
479 + * the apps directory (application code) you must include an acknowledgement
: | |
480 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)
" | |
481 + * | |
482 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
483 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
484 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
485 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
486 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
487 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
488 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
489 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
490 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
491 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
492 + * SUCH DAMAGE. | |
493 + * | |
494 + * The licence and distribution terms for any publically available version or | |
495 + * derivative of this code cannot be changed. i.e. this code cannot simply be | |
496 + * copied and put under another distribution licence | |
497 + * [including the GNU Public Licence.] | |
498 + */ | |
499 + | |
500 +#include <limits.h> | |
501 +#include <string.h> | |
502 + | |
503 +#include <openssl/evp.h> | |
504 +#include <openssl/err.h> | |
505 + | |
506 +#include "evp_locl.h" | |
507 + | |
508 +size_t EVP_AEAD_key_length(const EVP_AEAD *aead) | |
509 + { | |
510 + return aead->key_len; | |
511 + } | |
512 + | |
513 +size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead) | |
514 + { | |
515 + return aead->nonce_len; | |
516 + } | |
517 + | |
518 +size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) | |
519 + { | |
520 + return aead->overhead; | |
521 + } | |
522 + | |
523 +size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) | |
524 + { | |
525 + return aead->max_tag_len; | |
526 + } | |
527 + | |
528 +int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, | |
529 + const unsigned char *key, size_t key_len, | |
530 + size_t tag_len, ENGINE *impl) | |
531 + { | |
532 + ctx->aead = aead; | |
533 + if (key_len != aead->key_len) | |
534 + { | |
535 + EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE); | |
536 + return 0; | |
537 + } | |
538 + return aead->init(ctx, key, key_len, tag_len); | |
539 + } | |
540 + | |
541 +void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) | |
542 + { | |
543 + if (ctx->aead == NULL) | |
544 + return; | |
545 + ctx->aead->cleanup(ctx); | |
546 + ctx->aead = NULL; | |
547 + } | |
548 + | |
549 +/* check_alias returns 0 if |out| points within the buffer determined by |in| | |
550 + * and |in_len| and 1 otherwise. | |
551 + * | |
552 + * When processing, there's only an issue if |out| points within in[:in_len] | |
553 + * and isn't equal to |in|. If that's the case then writing the output will | |
554 + * stomp input that hasn't been read yet. | |
555 + * | |
556 + * This function checks for that case. */ | |
557 +static int check_alias(const unsigned char *in, size_t in_len, | |
558 + const unsigned char *out) | |
559 + { | |
560 + if (out <= in) | |
561 + return 1; | |
562 + if (in + in_len <= out) | |
563 + return 1; | |
564 + return 0; | |
565 + } | |
566 + | |
567 +ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, | |
568 + unsigned char *out, size_t max_out_len, | |
569 + const unsigned char *nonce, size_t nonce_len, | |
570 + const unsigned char *in, size_t in_len, | |
571 + const unsigned char *ad, size_t ad_len) | |
572 + { | |
573 + size_t possible_out_len = in_len + ctx->aead->overhead; | |
574 + ssize_t r; | |
575 + | |
576 + if (possible_out_len < in_len /* overflow */ || | |
577 + possible_out_len > SSIZE_MAX /* return value cannot be | |
578 + represented */) | |
579 + { | |
580 + EVPerr(EVP_F_AEAD_CTX_SEAL, EVP_R_TOO_LARGE); | |
581 + goto error; | |
582 + } | |
583 + | |
584 + if (!check_alias(in, in_len, out)) | |
585 + { | |
586 + EVPerr(EVP_F_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT); | |
587 + goto error; | |
588 + } | |
589 + | |
590 + r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len, | |
591 + in, in_len, ad, ad_len); | |
592 + if (r >= 0) | |
593 + return r; | |
594 + | |
595 +error: | |
596 + /* In the event of an error, clear the output buffer so that a caller | |
597 + * that doesn't check the return value doesn't send raw data. */ | |
598 + memset(out, 0, max_out_len); | |
599 + return -1; | |
600 + } | |
601 + | |
602 +ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, | |
603 + unsigned char *out, size_t max_out_len, | |
604 + const unsigned char *nonce, size_t nonce_len, | |
605 + const unsigned char *in, size_t in_len, | |
606 + const unsigned char *ad, size_t ad_len) | |
607 + { | |
608 + ssize_t r; | |
609 + | |
610 + if (in_len > SSIZE_MAX) | |
611 + { | |
612 + EVPerr(EVP_F_AEAD_CTX_OPEN, EVP_R_TOO_LARGE); | |
613 + goto error; /* may not be able to represent return value. */ | |
614 + } | |
615 + | |
616 + if (!check_alias(in, in_len, out)) | |
617 + { | |
618 + EVPerr(EVP_F_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT); | |
619 + goto error; | |
620 + } | |
621 + | |
622 + r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len, | |
623 + in, in_len, ad, ad_len); | |
624 + | |
625 + if (r >= 0) | |
626 + return r; | |
627 + | |
628 +error: | |
629 + /* In the event of an error, clear the output buffer so that a caller | |
630 + * that doesn't check the return value doesn't try and process bad | |
631 + * data. */ | |
632 + memset(out, 0, max_out_len); | |
633 + return -1; | |
634 + } | |
635 diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c | |
636 index 08eab98..c47969c 100644 | |
637 --- a/crypto/evp/evp_err.c | |
638 +++ b/crypto/evp/evp_err.c | |
639 @@ -70,6 +70,11 @@ | |
640 | |
641 static ERR_STRING_DATA EVP_str_functs[]= | |
642 { | |
643 +{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_INIT), "AEAD_AES_128_GCM_INIT"}, | |
644 +{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_OPEN), "AEAD_AES_128_GCM_OPEN"}, | |
645 +{ERR_FUNC(EVP_F_AEAD_AES_128_GCM_SEAL), "AEAD_AES_128_GCM_SEAL"}, | |
646 +{ERR_FUNC(EVP_F_AEAD_CTX_OPEN), "AEAD_CTX_OPEN"}, | |
647 +{ERR_FUNC(EVP_F_AEAD_CTX_SEAL), "AEAD_CTX_SEAL"}, | |
648 {ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"}, | |
649 {ERR_FUNC(EVP_F_AESNI_XTS_CIPHER), "AESNI_XTS_CIPHER"}, | |
650 {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, | |
651 @@ -84,6 +89,7 @@ static ERR_STRING_DATA EVP_str_functs[]= | |
652 {ERR_FUNC(EVP_F_DSA_PKEY2PKCS8), "DSA_PKEY2PKCS8"}, | |
653 {ERR_FUNC(EVP_F_ECDSA_PKEY2PKCS8), "ECDSA_PKEY2PKCS8"}, | |
654 {ERR_FUNC(EVP_F_ECKEY_PKEY2PKCS8), "ECKEY_PKEY2PKCS8"}, | |
655 +{ERR_FUNC(EVP_F_EVP_AEAD_CTX_INIT), "EVP_AEAD_CTX_init"}, | |
656 {ERR_FUNC(EVP_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"}, | |
657 {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_COPY), "EVP_CIPHER_CTX_copy"}, | |
658 {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL), "EVP_CIPHER_CTX_ctrl"}, | |
659 @@ -202,10 +208,12 @@ static ERR_STRING_DATA EVP_str_reasons[]= | |
660 {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured
"}, | |
661 {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supp
orted for this keytype"}, | |
662 {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED),"operaton not initialized"}, | |
663 +{ERR_REASON(EVP_R_OUTPUT_ALIASES_INPUT) ,"output aliases input"}, | |
664 {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"}, | |
665 {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"}, | |
666 {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"}, | |
667 {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"}, | |
668 +{ERR_REASON(EVP_R_TAG_TOO_LARGE) ,"tag too large"}, | |
669 {ERR_REASON(EVP_R_TOO_LARGE) ,"too large"}, | |
670 {ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"}, | |
671 {ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"}, | |
672 diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h | |
673 index 08c0a66..c0f9fdf 100644 | |
674 --- a/crypto/evp/evp_locl.h | |
675 +++ b/crypto/evp/evp_locl.h | |
676 @@ -348,6 +348,30 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const cha
r *pass, int passlen, | |
677 ASN1_TYPE *param, | |
678 const EVP_CIPHER *c, const EVP_MD *md, int en_de); | |
679 | |
680 +/* EVP_AEAD represents a specific AEAD algorithm. */ | |
681 +struct evp_aead_st { | |
682 + unsigned char key_len; | |
683 + unsigned char nonce_len; | |
684 + unsigned char overhead; | |
685 + unsigned char max_tag_len; | |
686 + | |
687 + int (*init) (struct evp_aead_ctx_st*, const unsigned char *key, | |
688 + size_t key_len, size_t tag_len); | |
689 + void (*cleanup) (struct evp_aead_ctx_st*); | |
690 + | |
691 + ssize_t (*seal) (const struct evp_aead_ctx_st *ctx, | |
692 + unsigned char *out, size_t max_out_len, | |
693 + const unsigned char *nonce, size_t nonce_len, | |
694 + const unsigned char *in, size_t in_len, | |
695 + const unsigned char *ad, size_t ad_len); | |
696 + | |
697 + ssize_t (*open) (const struct evp_aead_ctx_st *ctx, | |
698 + unsigned char *out, size_t max_out_len, | |
699 + const unsigned char *nonce, size_t nonce_len, | |
700 + const unsigned char *in, size_t in_len, | |
701 + const unsigned char *ad, size_t ad_len); | |
702 +}; | |
703 + | |
704 #ifdef OPENSSL_FIPS | |
705 | |
706 #ifdef OPENSSL_DOING_MAKEDEPEND | |
707 diff --git a/doc/crypto/EVP_AEAD_CTX_init.pod b/doc/crypto/EVP_AEAD_CTX_init.pod | |
708 new file mode 100644 | |
709 index 0000000..20e455d | |
710 --- /dev/null | |
711 +++ b/doc/crypto/EVP_AEAD_CTX_init.pod | |
712 @@ -0,0 +1,96 @@ | |
713 +=pod | |
714 + | |
715 +=head1 NAME | |
716 + | |
717 +EVP_AEAD_CTX_init, EVP_AEAD_CTX_cleanup, EVP_AEAD_CTX_seal, EVP_AEAD_CTX_open -
authenticated encryption functions. | |
718 + | |
719 +=head1 SYNOPSIS | |
720 + | |
721 + #include <openssl/evp.h> | |
722 + | |
723 + int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, | |
724 + const unsigned char *key, size_t key_len, | |
725 + size_t tag_len, ENGINE *impl); | |
726 + void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx); | |
727 + ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, | |
728 + unsigned char *out, size_t max_out_len, | |
729 + const unsigned char *nonce, size_t nonce_len, | |
730 + const unsigned char *in, size_t in_len, | |
731 + const unsigned char *ad, size_t ad_len); | |
732 + ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, | |
733 + unsigned char *out, size_t max_out_len, | |
734 + const unsigned char *nonce, size_t nonce_len, | |
735 + const unsigned char *in, size_t in_len, | |
736 + const unsigned char *ad, size_t ad_len); | |
737 + | |
738 +=head1 DESCRIPTION | |
739 + | |
740 +The EVP_AEAD_CTX_init() function initialises an B<EVP_AEAD_CTX> structure and | |
741 +performs any precomputation needed to use B<aead> with B<key>. The length of | |
742 +the key, B<key_len>, is given in bytes. | |
743 + | |
744 +The B<tag_len> argument contains the length of the tags, in bytes, and allows | |
745 +for the processing of truncated authenticators. A zero value indicates that the | |
746 +default tag length should be used and this is defined as | |
747 +C<EVP_AEAD_DEFAULT_TAG_LENGTH> in order to make the code clear. Using truncated | |
748 +tags increases an attacker's chance of creating a valid forgery. Be aware that | |
749 +the attacker's chance may increase more than exponentially as would naively be | |
750 +expected. | |
751 + | |
752 +When no longer needed, the initialised B<EVP_AEAD_CTX> structure must be passed | |
753 +to EVP_AEAD_CTX_cleanup(), which will deallocate any memory used. | |
754 + | |
755 +With an B<EVP_AEAD_CTX> in hand, one can seal and open messages. These | |
756 +operations are intended to meet the standard notions of privacy and | |
757 +authenticity for authenticated encryption. For formal definitions see I<Bellare | |
758 +and Namprempre>, "Authenticated encryption: relations among notions and | |
759 +analysis of the generic composition paradigm," Lecture Notes in Computer | |
760 +Science B<1976> (2000), 531–545, | |
761 +L<http://www-cse.ucsd.edu/~mihir/papers/oem.html>. | |
762 + | |
763 +When sealing messages, a nonce must be given. The length of the nonce is fixed | |
764 +by the AEAD in use and is returned by EVP_AEAD_nonce_length(). I<The nonce must | |
765 +be unique for all messages with the same key>. This is critically important - | |
766 +nonce reuse may completely undermine the security of the AEAD. Nonces may be | |
767 +predictable and public, so long as they are unique. Uniqueness may be achieved | |
768 +with a simple counter or, if long enough, may be generated randomly. The nonce | |
769 +must be passed into the "open" operation by the receiver so must either be | |
770 +implicit (e.g. a counter), or must be transmitted along with the sealed message
. | |
771 + | |
772 +The "seal" and "open" operations are atomic - an entire message must be | |
773 +encrypted or decrypted in a single call. Large messages may have to be split up | |
774 +in order to accomodate this. When doing so, be mindful of the need not to | |
775 +repeat nonces and the possibility that an attacker could duplicate, reorder or | |
776 +drop message chunks. For example, using a single key for a given (large) | |
777 +message and sealing chunks with nonces counting from zero would be secure as | |
778 +long as the number of chunks was securely transmitted. (Otherwise an attacker | |
779 +could truncate the message by dropping chunks from the end.) | |
780 + | |
781 +The number of chunks could be transmitted by prefixing it to the plaintext, for | |
782 +example. This also assumes that no other message would ever use the same key | |
783 +otherwise the rule that nonces must be unique for a given key would be | |
784 +violated. | |
785 + | |
786 +The "seal" and "open" operations also permit additional data to be | |
787 +authenticated via the B<ad> parameter. This data is not included in the | |
788 +ciphertext and must be identical for both the "seal" and "open" call. This | |
789 +permits implicit context to be authenticated but may be C<NULL> if not needed. | |
790 + | |
791 +The "seal" and "open" operations may work inplace if the B<out> and B<in> | |
792 +arguments are equal. They may also be used to shift the data left inside the | |
793 +same buffer if B<out> is less than B<in>. However, B<out> may not point inside | |
794 +the input data otherwise the input may be overwritten before it has been read. | |
795 +This case will cause an error. | |
796 + | |
797 +=head1 RETURN VALUES | |
798 + | |
799 +The "seal" and "open" operations return an C<ssize_t> with value -1 on error, | |
800 +otherwise they return the number of output bytes written. An error will be | |
801 +returned if the input length is large enough that the output size exceeds the | |
802 +range of a C<ssize_t>. | |
803 + | |
804 +=head1 HISTORY | |
805 + | |
806 +These functions were first added to OpenSSL 1.0.2. | |
807 + | |
808 +=cut | |
809 -- | |
810 1.8.4.1 | |
811 | |
OLD | NEW |