From f4e427204234da139fd0585def4b4e22502e33f0 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Thu, 4 Jun 2015 17:45:09 -0700 Subject: Bump revision of BoringSSL. This depends on https://android-review.googlesource.com/#/c/153481/ af0e32c Add SSL_get_tls_unique. 691992b Minor typo fix in comment. cc1e3df Make CBS_get_any_asn1_element accept only DER. 0976096 bytestring: Test out_header_len != NULL before writing. ba5934b Tighten up EMS resumption behaviour. b0eef0a runner: minor tidyups. 9f8ef2d Add |EVP_get_digestbyname|. b7326b0 Implement |PEM_def_callback| and call it where appropriate. e26e590 Avoid unused variable warnings with assert. efad697 Sync vs_toolschain.py up with Chromium. 39da317 Empty commit to kick the bots. 1550a84 Allow compilation for armv6 9a4996e Fix compilation of sha256-armv4.S when using -march=armv6 485a50a Match the ifdef check in bsaes-armv7.S e216288 Unexport and prune EVP_MD_CTX flags. af8731f Remove HMAC_CTX_set_flags. bf3208b Add additional HMAC tests. a1c90a5 Further tidy up cipher logic. 0fa4012 Add a test that DTLS does not support RC4. 9a980ab Fold TLS1_PRF_* into SSL_HANDSHAKE_MAC_* 29864b5 Remove SSL_CIPHER_ALGORITHM2_AEAD. 904dc72 Fold away SSL_PROTOCOL_METHOD hooks shared between TLS and DTLS. a602277 Split ssl_read_bytes hook into app_data and close_notify hooks. c933a47 Switch the ssl_write_bytes hook to ssl_write_app_data. 2c36792 EVP_Digest*Update, EVP_DigestFinal, and HMAC_Update can never fail. e2375e1 Low-level hash 'final' functions cannot fail. 049756b Fix integer types in low-level hash functions. 338e067 Reject sessions with the wrong structure version. f297e02 Reject unknown fields in d2i_SSL_SESSION. 8a228f5 Disable the malloc interceptor without glibc. bd15a8e Fix DTLS handling of multiple records in a packet. 15eaafb Fix bn_test's bc output and shut it up a little. efd8eb3 Tidy up overflows in obj_cmp. 05ead68 Readd CRYPTO_{LOCK|UNLOCK|READ|WRITE}. 71106ad Add |BIO_read_asn1| to read a single ASN.1 object. eb930b8 Fix signed/unsigned warning in bn_test.cc. b3a7b51 Fix off-by-one in BN_rand 074cc04 Reject negative shifts for BN_rshift and BN_lshift. 75fb74a aes/asm/bsaes-armv7.pl: fix compilation with Xcode 6.3. ff81e10 Add OPENSSL_PUT_ERROR line to X509V3_parse_list. 1590811 Fix typo in valid_star. e76ccae Release handshake buffer when sending no certificate. 5f04b65 Release the handshake buffer on the client for abbreviated handshakes. 5c1ce29 Decide whether or not to request client certificates early. 4b30b28 Remove server-side renego session resumption check. 5aea93e Deprecate and no-op SSL_VERIFY_CLIENT_ONCE. 34a1635 Remove fake RLE compression OID. 9c0918f Fix typo in objects.txt 91af02a Add some comments and tweak assertions for cbc.c. 74d8bc2 Don't make SSL_MODE_*HELLO_TIME configurable. 7b5aff4 Have consumers supply OPENSSL_C11_ATOMIC. ac63748 Revert "tool: we don't need -lrt." 444dce4 Do-nothing fns |OpenSSL_add_all_ciphers| and |OpenSSL_add_all_digests|. ece089c Deprecate and no-op SSL_set_state. be05c63 Remove compatibility s->version checks. 8ec8810 Remove SSL_in_before and SSL_ST_BEFORE. cd90f3a Remove renegotiation deferral logic. 44d3eed Forbid caller-initiated renegotiations and all renego as a servers. 3d59e04 Fix test used for not-in-place CBC mode. 5f387e3 Remove s->renegotiate check in SSL_clear. 20f6e97 Switch three more renegotiate checks to initial_handshake_complete. d23d5a5 Remove remnants of DTLS renegotiate. 9a41d1b Deprecate SSL_*_read_ahead and enforce DTLS packet boundaries. 76e48c5 Fix Windows mode. 3fa65f0 Fix some malloc test crashs. 0b635c5 Add malloc test support to unit tests. 3e3090d Pass a dtls1_use_epoch enum down to dtls1_seal_record. 31a0779 Factor SSL_AEAD_CTX into a dedicated type. 69d07d9 Get version-related functions from crypto.h rather than ssl.h. b487df6 Pull version, option, and mode APIs into their own sections. 7270cfc Prune version constants. 7ef9fff Remove ssl_ok. afc9ecd Unexport ssl_get_new_session and ssl_update_cache. 3b7456e Fix some documentation typos. b480428 Also skip #elif lines. 6deacb3 Parse macros in getNameFromDecl. 4831c33 Document some core SSL_CTX and SSL methods. 4dab297 Don't use struct names in ssl.h. 760b1dd Tidy up state machine coverage tests. 3629c7b Add client peer-initiated renego to the state machine tests. cff0b90 Add client-side tests for renegotiation_info enforcement. 6bff1ca Specify argc and argv arguments to refcount_test:main. 12a4768 Try to fix MSVC and __STDC_VERSION__ again. cb56c2a Cast refcounts to _Atomic before use. 0d1d0d5 Try again to only test __STDC_VERSION__ when defined. 7b348dc Disable C11 atomics on OS X. 04edcc8 Tag the mutex functions with OPENSSL_EXPORT. 6e1f645 Don't test __STDC_VERSION__ unless it's defined. 552df47 Remove leftovers of the old-style locks. 6fb174e Remove last references to named locks. 4bdb6e4 Remove remaining calls to the old lock functions. 03163f3 Remove |CRYPTO_add|. 0b5e390 Convert reference counts in ssl/ 0da323a Convert reference counts in crypto/ 6f2e733 Add infrastructure for reference counts. daaff93 Use C11 _Static_assert where available. dc8c739 Implement |DES_ede2_cbc_encrypt|. a7997f1 Set minimum DH group size to 1024 bits. 4a7b70d Add LICENSE file. b3a262c Fix |SSLeay|. f0320d3 Fix use after free in X509. 3dacff9 Always include x86_64-gcc.c in the standalone build. 9660032 Don't use x86_64-gcc.c with NO_ASM. 81091d5 Don't use uninitialized memory in RAND_bytes. d72e284 Support arbitrary elliptic curve groups. a07c0fc Fix SSL_get_current_cipher. 4b27d9f Never resume sessions on renegotiations. 785e07b Copy ecdsa_meth in EC_KEY_copy. 08dc68d Define no-op options consistently. e6df054 Add s->s3->initial_handshake_complete. 897e5e0 Default renegotiations to off. 4690bb5 Port cipher_test to file_test. 771a138 Add missing #include for abort() de12d6c Mind the end of the buffer in aligned case of generic RC4 implementation. 5694b3a Fix invalid assert in CRYPTO_ctr128_encrypt. 9b68e72 Define compatibility function |ERR_remove_state|. 2607383 Fix generate_build_files.py to account for crypto/test. af3d5bd Add no-op |RAND_load_file| function for compatibility. 58e95fc Remove a spurious semicolon after |DECLARE_LHASH_OF|. 3c65171 Add buffer.h for compatibility. c85373d Use EVP_AEAD_CTX in crypto/cipher/internal.h. Change-Id: Ife3698f4520572e1fca48732c6a1cbd4254ec85c --- src/crypto/cipher/CMakeLists.txt | 3 +- src/crypto/cipher/cipher.c | 13 +- src/crypto/cipher/cipher_test.c | 423 ------------------------ src/crypto/cipher/cipher_test.cc | 262 +++++++++++++++ src/crypto/cipher/e_aes.c | 2 +- src/crypto/cipher/internal.h | 40 ++- src/crypto/cipher/test/cipher_test.txt | 571 ++++++++++++++++++++++++++++----- 7 files changed, 785 insertions(+), 529 deletions(-) delete mode 100644 src/crypto/cipher/cipher_test.c create mode 100644 src/crypto/cipher/cipher_test.cc (limited to 'src/crypto/cipher') diff --git a/src/crypto/cipher/CMakeLists.txt b/src/crypto/cipher/CMakeLists.txt index f428e25..2775698 100644 --- a/src/crypto/cipher/CMakeLists.txt +++ b/src/crypto/cipher/CMakeLists.txt @@ -24,7 +24,8 @@ add_library( add_executable( cipher_test - cipher_test.c + cipher_test.cc + $ ) add_executable( diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c index 1dcfd06..400c3f5 100644 --- a/src/crypto/cipher/cipher.c +++ b/src/crypto/cipher/cipher.c @@ -94,14 +94,13 @@ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { } int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { - if (c->cipher != NULL && c->cipher->cleanup) { - c->cipher->cleanup(c); - } - - if (c->cipher_data) { + if (c->cipher != NULL) { + if (c->cipher->cleanup) { + c->cipher->cleanup(c); + } OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size); - OPENSSL_free(c->cipher_data); } + OPENSSL_free(c->cipher_data); memset(c, 0, sizeof(EVP_CIPHER_CTX)); return 1; @@ -165,6 +164,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, if (ctx->cipher->ctx_size) { ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); if (!ctx->cipher_data) { + ctx->cipher = NULL; OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, ERR_R_MALLOC_FAILURE); return 0; } @@ -177,6 +177,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { + ctx->cipher = NULL; OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_INITIALIZATION_ERROR); return 0; } diff --git a/src/crypto/cipher/cipher_test.c b/src/crypto/cipher/cipher_test.c deleted file mode 100644 index 390262f..0000000 --- a/src/crypto/cipher/cipher_test.c +++ /dev/null @@ -1,423 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] */ - -#include -#include - -#include -#include -#include - - -static void hexdump(FILE *f, const char *title, const uint8_t *s, int l) { - int n = 0; - - fprintf(f, "%s", title); - for (; n < l; ++n) { - if ((n % 16) == 0) { - fprintf(f, "\n%04x", n); - } - fprintf(f, " %02x", s[n]); - } - fprintf(f, "\n"); -} - -static int convert(uint8_t *s) { - uint8_t *d; - - for (d = s; *s; s += 2, ++d) { - unsigned int n; - - if (!s[1]) { - fprintf(stderr, "Odd number of hex digits!"); - exit(4); - } - sscanf((char *)s, "%2x", &n); - *d = (uint8_t)n; - } - return s - d; -} - -static char *sstrsep(char **string, const char *delim) { - char isdelim[256]; - char *token = *string; - - if (**string == 0) { - return NULL; - } - - memset(isdelim, 0, 256); - isdelim[0] = 1; - - while (*delim) { - isdelim[(uint8_t)(*delim)] = 1; - delim++; - } - - while (!isdelim[(uint8_t)(**string)]) { - (*string)++; - } - - if (**string) { - **string = 0; - (*string)++; - } - - return token; -} - -static uint8_t *ustrsep(char **p, const char *sep) { - return (uint8_t *)sstrsep(p, sep); -} - -static void test1(const char* cipher_name, const EVP_CIPHER *c, - const uint8_t *key, int kn, const uint8_t *iv, int in, - const uint8_t *plaintext, int pn, const uint8_t *ciphertext, - int cn, const uint8_t *aad, int an, const uint8_t *tag, - int tn, int encdec) { - EVP_CIPHER_CTX ctx; - uint8_t out[4096]; - int outl, outl2, mode; - - printf("Testing cipher %s%s\n", cipher_name, - (encdec == 1 ? "(encrypt)" - : (encdec == 0 ? "(decrypt)" : "(encrypt/decrypt)"))); - hexdump(stdout, "Key", key, kn); - if (in) { - hexdump(stdout, "IV", iv, in); - } - hexdump(stdout, "Plaintext", plaintext, pn); - hexdump(stdout, "Ciphertext", ciphertext, cn); - if (an) { - hexdump(stdout, "AAD", aad, an); - } - if (tn) { - hexdump(stdout, "Tag", tag, tn); - } - mode = EVP_CIPHER_mode(c); - if (kn != EVP_CIPHER_key_length(c)) { - fprintf(stderr, "Key length doesn't match, got %d expected %lu\n", kn, - (unsigned long)EVP_CIPHER_key_length(c)); - exit(5); - } - EVP_CIPHER_CTX_init(&ctx); - if (encdec != 0) { - if (mode == EVP_CIPH_GCM_MODE) { - if (!EVP_EncryptInit_ex(&ctx, c, NULL, NULL, NULL)) { - fprintf(stderr, "EncryptInit failed\n"); - ERR_print_errors_fp(stderr); - exit(10); - } - if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) { - fprintf(stderr, "IV length set failed\n"); - ERR_print_errors_fp(stderr); - exit(11); - } - if (!EVP_EncryptInit_ex(&ctx, NULL, NULL, key, iv)) { - fprintf(stderr, "Key/IV set failed\n"); - ERR_print_errors_fp(stderr); - exit(12); - } - if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) { - fprintf(stderr, "AAD set failed\n"); - ERR_print_errors_fp(stderr); - exit(13); - } - } else if (!EVP_EncryptInit_ex(&ctx, c, NULL, key, iv)) { - fprintf(stderr, "EncryptInit failed\n"); - ERR_print_errors_fp(stderr); - exit(10); - } - EVP_CIPHER_CTX_set_padding(&ctx, 0); - - if (!EVP_EncryptUpdate(&ctx, out, &outl, plaintext, pn)) { - fprintf(stderr, "Encrypt failed\n"); - ERR_print_errors_fp(stderr); - exit(6); - } - if (!EVP_EncryptFinal_ex(&ctx, out + outl, &outl2)) { - fprintf(stderr, "EncryptFinal failed\n"); - ERR_print_errors_fp(stderr); - exit(7); - } - - if (outl + outl2 != cn) { - fprintf(stderr, "Ciphertext length mismatch got %d expected %d\n", - outl + outl2, cn); - exit(8); - } - - if (memcmp(out, ciphertext, cn)) { - fprintf(stderr, "Ciphertext mismatch\n"); - hexdump(stderr, "Got", out, cn); - hexdump(stderr, "Expected", ciphertext, cn); - exit(9); - } - if (mode == EVP_CIPH_GCM_MODE) { - uint8_t rtag[16]; - /* Note: EVP_CTRL_CCM_GET_TAG has same value as - * EVP_CTRL_GCM_GET_TAG - */ - if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, tn, rtag)) { - fprintf(stderr, "Get tag failed\n"); - ERR_print_errors_fp(stderr); - exit(14); - } - if (memcmp(rtag, tag, tn)) { - fprintf(stderr, "Tag mismatch\n"); - hexdump(stderr, "Got", rtag, tn); - hexdump(stderr, "Expected", tag, tn); - exit(9); - } - } - } - - if (encdec <= 0) { - if (mode == EVP_CIPH_GCM_MODE) { - if (!EVP_DecryptInit_ex(&ctx, c, NULL, NULL, NULL)) { - fprintf(stderr, "EncryptInit failed\n"); - ERR_print_errors_fp(stderr); - exit(10); - } - if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) { - fprintf(stderr, "IV length set failed\n"); - ERR_print_errors_fp(stderr); - exit(11); - } - if (!EVP_DecryptInit_ex(&ctx, NULL, NULL, key, iv)) { - fprintf(stderr, "Key/IV set failed\n"); - ERR_print_errors_fp(stderr); - exit(12); - } - if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, tn, (void *)tag)) { - fprintf(stderr, "Set tag failed\n"); - ERR_print_errors_fp(stderr); - exit(14); - } - if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) { - fprintf(stderr, "AAD set failed\n"); - ERR_print_errors_fp(stderr); - exit(13); - } - } else if (!EVP_DecryptInit_ex(&ctx, c, NULL, key, iv)) { - fprintf(stderr, "DecryptInit failed\n"); - ERR_print_errors_fp(stderr); - exit(11); - } - EVP_CIPHER_CTX_set_padding(&ctx, 0); - - if (!EVP_DecryptUpdate(&ctx, out, &outl, ciphertext, cn)) { - fprintf(stderr, "Decrypt failed\n"); - ERR_print_errors_fp(stderr); - exit(6); - } - outl2 = 0; - if (!EVP_DecryptFinal_ex(&ctx, out + outl, &outl2)) { - fprintf(stderr, "DecryptFinal failed\n"); - ERR_print_errors_fp(stderr); - exit(7); - } - - if (outl + outl2 != pn) { - fprintf(stderr, "Plaintext length mismatch got %d expected %d\n", - outl + outl2, pn); - exit(8); - } - - if (memcmp(out, plaintext, pn)) { - fprintf(stderr, "Plaintext mismatch\n"); - hexdump(stderr, "Got", out, pn); - hexdump(stderr, "Expected", plaintext, pn); - exit(9); - } - } - - EVP_CIPHER_CTX_cleanup(&ctx); - - printf("\n"); -} - -static int test_cipher(const char *cipher, const uint8_t *key, int kn, - const uint8_t *iv, int in, const uint8_t *plaintext, - int pn, const uint8_t *ciphertext, int cn, - const uint8_t *aad, int an, const uint8_t *tag, int tn, - int encdec) { - const EVP_CIPHER *c; - - if (strcmp(cipher, "DES-CBC") == 0) { - c = EVP_des_cbc(); - } else if (strcmp(cipher, "DES-EDE3-CBC") == 0) { - c = EVP_des_ede3_cbc(); - } else if (strcmp(cipher, "RC4") == 0) { - c = EVP_rc4(); - } else if (strcmp(cipher, "AES-128-ECB") == 0) { - c = EVP_aes_128_ecb(); - } else if (strcmp(cipher, "AES-256-ECB") == 0) { - c = EVP_aes_256_ecb(); - } else if (strcmp(cipher, "AES-128-CBC") == 0) { - c = EVP_aes_128_cbc(); - } else if (strcmp(cipher, "AES-128-GCM") == 0) { - c = EVP_aes_128_gcm(); - } else if (strcmp(cipher, "AES-128-OFB") == 0) { - c = EVP_aes_128_ofb(); - } else if (strcmp(cipher, "AES-192-CBC") == 0) { - c = EVP_aes_192_cbc(); - } else if (strcmp(cipher, "AES-192-ECB") == 0) { - c = EVP_aes_192_ecb(); - } else if (strcmp(cipher, "AES-256-CBC") == 0) { - c = EVP_aes_256_cbc(); - } else if (strcmp(cipher, "AES-128-CTR") == 0) { - c = EVP_aes_128_ctr(); - } else if (strcmp(cipher, "AES-256-CTR") == 0) { - c = EVP_aes_256_ctr(); - } else if (strcmp(cipher, "AES-256-GCM") == 0) { - c = EVP_aes_256_gcm(); - } else if (strcmp(cipher, "AES-256-OFB") == 0) { - c = EVP_aes_256_ofb(); - } else { - fprintf(stderr, "Unknown cipher type %s\n", cipher); - return 0; - } - - test1(cipher, c, key, kn, iv, in, plaintext, pn, ciphertext, cn, aad, an, - tag, tn, encdec); - - return 1; -} - -int main(int argc, char **argv) { - const char *input_file; - FILE *f; - - CRYPTO_library_init(); - - if (argc != 2) { - fprintf(stderr, "%s \n", argv[0]); - return 1; - } - - input_file = argv[1]; - - f = fopen(input_file, "r"); - if (!f) { - perror(input_file); - return 2; - } - - ERR_load_crypto_strings(); - - for (;;) { - char line[4096]; - char *p; - char *cipher; - uint8_t *iv, *key, *plaintext, *ciphertext, *aad, *tag; - int encdec; - int kn, in, pn, cn; - int an = 0; - int tn = 0; - - if (!fgets((char *)line, sizeof line, f)) { - break; - } - if (line[0] == '#' || line[0] == '\n') { - continue; - } - p = line; - cipher = sstrsep(&p, ":"); - key = ustrsep(&p, ":"); - iv = ustrsep(&p, ":"); - plaintext = ustrsep(&p, ":"); - ciphertext = ustrsep(&p, ":"); - if (p[-1] == '\n') { - encdec = -1; - p[-1] = '\0'; - tag = aad = NULL; - an = tn = 0; - } else { - aad = ustrsep(&p, ":"); - tag = ustrsep(&p, ":"); - if (tag == NULL) { - p = (char *)aad; - tag = aad = NULL; - an = tn = 0; - } - if (p[-1] == '\n') { - encdec = -1; - p[-1] = '\0'; - } else { - encdec = atoi(sstrsep(&p, "\n")); - } - } - - kn = convert(key); - in = convert(iv); - pn = convert(plaintext); - cn = convert(ciphertext); - if (aad) { - an = convert(aad); - tn = convert(tag); - } - - if (!test_cipher(cipher, key, kn, iv, in, plaintext, pn, ciphertext, cn, - aad, an, tag, tn, encdec)) { - return 3; - } - } - fclose(f); - - printf("PASS\n"); - return 0; -} diff --git a/src/crypto/cipher/cipher_test.cc b/src/crypto/cipher/cipher_test.cc new file mode 100644 index 0000000..97a84e0 --- /dev/null +++ b/src/crypto/cipher/cipher_test.cc @@ -0,0 +1,262 @@ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include + +#include +#include + +#include +#include +#include + +#include "../test/file_test.h" +#include "../test/scoped_types.h" +#include "../test/stl_compat.h" + + +static const EVP_CIPHER *GetCipher(const std::string &name) { + if (name == "DES-CBC") { + return EVP_des_cbc(); + } else if (name == "DES-EDE3-CBC") { + return EVP_des_ede3_cbc(); + } else if (name == "RC4") { + return EVP_rc4(); + } else if (name == "AES-128-ECB") { + return EVP_aes_128_ecb(); + } else if (name == "AES-256-ECB") { + return EVP_aes_256_ecb(); + } else if (name == "AES-128-CBC") { + return EVP_aes_128_cbc(); + } else if (name == "AES-128-GCM") { + return EVP_aes_128_gcm(); + } else if (name == "AES-128-OFB") { + return EVP_aes_128_ofb(); + } else if (name == "AES-192-CBC") { + return EVP_aes_192_cbc(); + } else if (name == "AES-192-ECB") { + return EVP_aes_192_ecb(); + } else if (name == "AES-256-CBC") { + return EVP_aes_256_cbc(); + } else if (name == "AES-128-CTR") { + return EVP_aes_128_ctr(); + } else if (name == "AES-256-CTR") { + return EVP_aes_256_ctr(); + } else if (name == "AES-256-GCM") { + return EVP_aes_256_gcm(); + } else if (name == "AES-256-OFB") { + return EVP_aes_256_ofb(); + } + return nullptr; +} + +static bool TestOperation(FileTest *t, + const EVP_CIPHER *cipher, + bool encrypt, + const std::vector &key, + const std::vector &iv, + const std::vector &plaintext, + const std::vector &ciphertext, + const std::vector &aad, + const std::vector &tag) { + const std::vector *in, *out; + if (encrypt) { + in = &plaintext; + out = &ciphertext; + } else { + in = &ciphertext; + out = &plaintext; + } + + bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE; + + ScopedEVP_CIPHER_CTX ctx; + if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr, + encrypt ? 1 : 0)) { + return false; + } + if (t->HasAttribute("IV")) { + if (is_aead) { + if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, + iv.size(), 0)) { + return false; + } + } else if (iv.size() != (size_t)EVP_CIPHER_CTX_iv_length(ctx.get())) { + t->PrintLine("Bad IV length."); + return false; + } + } + if (is_aead && !encrypt && + !EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(), + const_cast(bssl::vector_data(&tag)))) { + return false; + } + // The ciphers are run with no padding. For each of the ciphers we test, the + // output size matches the input size. + std::vector result(in->size()); + if (in->size() != out->size()) { + t->PrintLine("Input/output size mismatch (%u vs %u).", (unsigned)in->size(), + (unsigned)out->size()); + return false; + } + // Note: the deprecated |EVP_CIPHER|-based AES-GCM API is sensitive to whether + // parameters are NULL, so it is important to skip the |in| and |aad| + // |EVP_CipherUpdate| calls when empty. + int unused, result_len1 = 0, result_len2; + if (!EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()) || + !EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, bssl::vector_data(&key), + bssl::vector_data(&iv), -1) || + (!aad.empty() && + !EVP_CipherUpdate(ctx.get(), nullptr, &unused, bssl::vector_data(&aad), + aad.size())) || + !EVP_CIPHER_CTX_set_padding(ctx.get(), 0) || + (!in->empty() && + !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), &result_len1, + bssl::vector_data(in), in->size())) || + !EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, + &result_len2)) { + t->PrintLine("Operation failed."); + return false; + } + result.resize(result_len1 + result_len2); + if (!t->ExpectBytesEqual(bssl::vector_data(out), out->size(), + bssl::vector_data(&result), result.size())) { + return false; + } + if (encrypt && is_aead) { + uint8_t rtag[16]; + if (tag.size() > sizeof(rtag)) { + t->PrintLine("Bad tag length."); + return false; + } + if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(), + rtag) || + !t->ExpectBytesEqual(bssl::vector_data(&tag), tag.size(), rtag, + tag.size())) { + return false; + } + } + return true; +} + +static bool TestCipher(FileTest *t, void *arg) { + std::string cipher_str; + if (!t->GetAttribute(&cipher_str, "Cipher")) { + return false; + } + const EVP_CIPHER *cipher = GetCipher(cipher_str); + if (cipher == nullptr) { + t->PrintLine("Unknown cipher: '%s'.", cipher_str.c_str()); + return false; + } + + std::vector key, iv, plaintext, ciphertext, aad, tag; + if (!t->GetBytes(&key, "Key") || + !t->GetBytes(&plaintext, "Plaintext") || + !t->GetBytes(&ciphertext, "Ciphertext")) { + return false; + } + if (EVP_CIPHER_iv_length(cipher) > 0 && + !t->GetBytes(&iv, "IV")) { + return false; + } + if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) { + if (!t->GetBytes(&aad, "AAD") || + !t->GetBytes(&tag, "Tag")) { + return false; + } + } + + enum { + kEncrypt, + kDecrypt, + kBoth, + } operation = kBoth; + if (t->HasAttribute("Operation")) { + const std::string &str = t->GetAttributeOrDie("Operation"); + if (str == "ENCRYPT") { + operation = kEncrypt; + } else if (str == "DECRYPT") { + operation = kDecrypt; + } else { + t->PrintLine("Unknown operation: '%s'.", str.c_str()); + return false; + } + } + + // By default, both directions are run, unless overridden by the operation. + if (operation != kDecrypt && + !TestOperation(t, cipher, true /* encrypt */, key, iv, plaintext, + ciphertext, aad, tag)) { + return false; + } + if (operation != kEncrypt && + !TestOperation(t, cipher, false /* decrypt */, key, iv, plaintext, + ciphertext, aad, tag)) { + return false; + } + + return true; +} + +int main(int argc, char **argv) { + CRYPTO_library_init(); + + if (argc != 2) { + fprintf(stderr, "%s \n", argv[0]); + return 1; + } + + return FileTestMain(TestCipher, nullptr, argv[1]); +} diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c index eacbd10..41d0aec 100644 --- a/src/crypto/cipher/e_aes.c +++ b/src/crypto/cipher/e_aes.c @@ -115,7 +115,7 @@ static char bsaes_capable(void) { (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) #include "../arm_arch.h" -#if defined(OPENSSL_ARM) && __ARM_ARCH__ >= 7 +#if defined(OPENSSL_ARM) && __ARM_MAX_ARCH__ >= 7 #define BSAES static char bsaes_capable(void) { return CRYPTO_is_NEON_capable(); diff --git a/src/crypto/cipher/internal.h b/src/crypto/cipher/internal.h index 605b8cb..b2a94f4 100644 --- a/src/crypto/cipher/internal.h +++ b/src/crypto/cipher/internal.h @@ -70,8 +70,6 @@ extern "C" { #define EVP_CIPH_MODE_MASK 0x3f -struct evp_aead_ctx_st; - /* EVP_AEAD represents a specific AEAD algorithm. */ struct evp_aead_st { uint8_t key_len; @@ -79,27 +77,25 @@ struct evp_aead_st { uint8_t overhead; uint8_t max_tag_len; - /* init initialises an |evp_aead_ctx_st|. If this call returns zero then + /* init initialises an |EVP_AEAD_CTX|. If this call returns zero then * |cleanup| will not be called for that context. */ - int (*init)(struct evp_aead_ctx_st *, const uint8_t *key, - size_t key_len, size_t tag_len); - int (*init_with_direction)(struct evp_aead_ctx_st *, const uint8_t *key, - size_t key_len, size_t tag_len, - enum evp_aead_direction_t dir); - void (*cleanup)(struct evp_aead_ctx_st *); - - int (*seal)(const struct evp_aead_ctx_st *ctx, uint8_t *out, - size_t *out_len, size_t max_out_len, const uint8_t *nonce, - size_t nonce_len, const uint8_t *in, size_t in_len, - const uint8_t *ad, size_t ad_len); - - int (*open)(const struct evp_aead_ctx_st *ctx, uint8_t *out, - size_t *out_len, size_t max_out_len, const uint8_t *nonce, - size_t nonce_len, const uint8_t *in, size_t in_len, - const uint8_t *ad, size_t ad_len); - - int (*get_rc4_state)(const struct evp_aead_ctx_st *ctx, - const RC4_KEY **out_key); + int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len, + size_t tag_len); + int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len, + size_t tag_len, enum evp_aead_direction_t dir); + void (*cleanup)(EVP_AEAD_CTX *); + + int (*seal)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, + size_t max_out_len, const uint8_t *nonce, size_t nonce_len, + const uint8_t *in, size_t in_len, const uint8_t *ad, + size_t ad_len); + + int (*open)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, + size_t max_out_len, const uint8_t *nonce, size_t nonce_len, + const uint8_t *in, size_t in_len, const uint8_t *ad, + size_t ad_len); + + int (*get_rc4_state)(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key); }; diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_test.txt index f3c6d35..93cb8f3 100644 --- a/src/crypto/cipher/test/cipher_test.txt +++ b/src/crypto/cipher/test/cipher_test.txt @@ -1,118 +1,537 @@ # RC4 tests (from rc4test) -RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596 -RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879 -RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a -RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858 -RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf -RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61 +Cipher = RC4 +Key = 0123456789abcdef0123456789abcdef +Plaintext = 0123456789abcdef +Ciphertext = 75b7878099e0c596 + +Cipher = RC4 +Key = 0123456789abcdef0123456789abcdef +Plaintext = 0000000000000000 +Ciphertext = 7494c2e7104b0879 + +Cipher = RC4 +Key = 00000000000000000000000000000000 +Plaintext = 0000000000000000 +Ciphertext = de188941a3375d3a + +Cipher = RC4 +Key = ef012345ef012345ef012345ef012345 +Plaintext = 0000000000000000000000000000000000000000 +Ciphertext = d6a141a7ec3c38dfbd615a1162e1c7ba36b67858 + +Cipher = RC4 +Key = 0123456789abcdef0123456789abcdef +Plaintext = 123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678 +Ciphertext = 66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf + +Cipher = RC4 +Key = ef012345ef012345ef012345ef012345 +Plaintext = 00000000000000000000 +Ciphertext = d6a141a7ec3c38dfbd61 + # DES EDE3 CBC tests (from destest) -DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 +Cipher = DES-EDE3-CBC +Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 +IV = fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 + # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) -AES-128-ECB:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:69C4E0D86A7B0430D8CDB78070B4C55A:1 +Cipher = AES-128-ECB +Key = 000102030405060708090A0B0C0D0E0F +Operation = ENCRYPT +Plaintext = 00112233445566778899AABBCCDDEEFF +Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A + # AES 256 ECB tests (from FIPS-197 test vectors, encrypt) -AES-256-ECB:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:8EA2B7CA516745BFEAFC49904B496089:1 +Cipher = AES-256-ECB +Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +Operation = ENCRYPT +Plaintext = 00112233445566778899AABBCCDDEEFF +Ciphertext = 8EA2B7CA516745BFEAFC49904B496089 -# AES 128 CBC tests (from NIST test vectors, decrypt) # AES tests from NIST document SP800-38A # For all ECB encrypts and decrypts, the transformed sequence is # AES-bits-ECB:key::plaintext:ciphertext:encdec # ECB-AES128.Encrypt and ECB-AES128.Decrypt -AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::6BC1BEE22E409F96E93D7E117393172A:3AD77BB40D7A3660A89ECAF32466EF97 -AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::AE2D8A571E03AC9C9EB76FAC45AF8E51:F5D3D58503B9699DE785895A96FDBAAF -AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::30C81C46A35CE411E5FBC1191A0A52EF:43B1CD7F598ECE23881B00E3ED030688 -AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::F69F2445DF4F9B17AD2B417BE66C3710:7B0C785E27E8AD3F8223207104725DD4 +Cipher = AES-128-ECB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = 3AD77BB40D7A3660A89ECAF32466EF97 + +Cipher = AES-128-ECB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = F5D3D58503B9699DE785895A96FDBAAF + +Cipher = AES-128-ECB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 43B1CD7F598ECE23881B00E3ED030688 + +Cipher = AES-128-ECB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 7B0C785E27E8AD3F8223207104725DD4 + + # ECB-AES256.Encrypt and ECB-AES256.Decrypt -AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::6BC1BEE22E409F96E93D7E117393172A:F3EED1BDB5D2A03C064B5A7E3DB181F8 -AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::AE2D8A571E03AC9C9EB76FAC45AF8E51:591CCB10D410ED26DC5BA74A31362870 -AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::30C81C46A35CE411E5FBC1191A0A52EF:B6ED21B99CA6F4F9F153E7B1BEAFED1D -AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::F69F2445DF4F9B17AD2B417BE66C3710:23304B7A39F9F3FF067D8D8F9E24ECC7 +Cipher = AES-256-ECB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = F3EED1BDB5D2A03C064B5A7E3DB181F8 + +Cipher = AES-256-ECB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 591CCB10D410ED26DC5BA74A31362870 + +Cipher = AES-256-ECB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = B6ED21B99CA6F4F9F153E7B1BEAFED1D + +Cipher = AES-256-ECB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 23304B7A39F9F3FF067D8D8F9E24ECC7 + + # For all CBC encrypts and decrypts, the transformed sequence is # AES-bits-CBC:key:IV/ciphertext':plaintext:ciphertext:encdec # CBC-AES128.Encrypt and CBC-AES128.Decrypt -AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:7649ABAC8119B246CEE98E9B12E9197D -AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:7649ABAC8119B246CEE98E9B12E9197D:AE2D8A571E03AC9C9EB76FAC45AF8E51:5086CB9B507219EE95DB113A917678B2 -AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:5086CB9B507219EE95DB113A917678B2:30C81C46A35CE411E5FBC1191A0A52EF:73BED6B8E3C1743B7116E69E22229516 -AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:73BED6B8E3C1743B7116E69E22229516:F69F2445DF4F9B17AD2B417BE66C3710:3FF1CAA1681FAC09120ECA307586E1A7 +Cipher = AES-128-CBC +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 000102030405060708090A0B0C0D0E0F +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = 7649ABAC8119B246CEE98E9B12E9197D + +Cipher = AES-128-CBC +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 7649ABAC8119B246CEE98E9B12E9197D +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 5086CB9B507219EE95DB113A917678B2 + +Cipher = AES-128-CBC +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 5086CB9B507219EE95DB113A917678B2 +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 73BED6B8E3C1743B7116E69E22229516 + +Cipher = AES-128-CBC +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 73BED6B8E3C1743B7116E69E22229516 +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7 + + # CBC-AES256.Encrypt and CBC-AES256.Decrypt -AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:F58C4C04D6E5F1BA779EABFB5F7BFBD6 -AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D -AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461 -AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B +Cipher = AES-256-CBC +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 000102030405060708090A0B0C0D0E0F +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = F58C4C04D6E5F1BA779EABFB5F7BFBD6 + +Cipher = AES-256-CBC +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = F58C4C04D6E5F1BA779EABFB5F7BFBD6 +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 9CFC4E967EDB808D679F777BC6702C7D + +Cipher = AES-256-CBC +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 9CFC4E967EDB808D679F777BC6702C7D +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 39F23369A9D9BACFA530E26304231461 + +Cipher = AES-256-CBC +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 39F23369A9D9BACFA530E26304231461 +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = B2EB05E2C39BE9FCDA6C19078C6A9D1B + # AES Counter test vectors from RFC3686 -AES-128-CTR:AE6852F8121067CC4BF7A5765577F39E:00000030000000000000000000000001:53696E676C6520626C6F636B206D7367:E4095D4FB7A7B3792D6175A3261311B8:1 -AES-128-CTR:7E24067817FAE0D743D6CE1F32539163:006CB6DBC0543B59DA48D90B00000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28:1 -AES-128-CTR:7691BE035E5020A8AC6E618529F9A0DC:00E0017B27777F3F4A1786F000000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F:1 +Cipher = AES-128-CTR +Key = AE6852F8121067CC4BF7A5765577F39E +IV = 00000030000000000000000000000001 +Operation = ENCRYPT +Plaintext = 53696E676C6520626C6F636B206D7367 +Ciphertext = E4095D4FB7A7B3792D6175A3261311B8 + +Cipher = AES-128-CTR +Key = 7E24067817FAE0D743D6CE1F32539163 +IV = 006CB6DBC0543B59DA48D90B00000001 +Operation = ENCRYPT +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +Ciphertext = 5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28 + +Cipher = AES-128-CTR +Key = 7691BE035E5020A8AC6E618529F9A0DC +IV = 00E0017B27777F3F4A1786F000000001 +Operation = ENCRYPT +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 +Ciphertext = C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F + +Cipher = AES-256-CTR +Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104 +IV = 00000060DB5672C97AA8F0B200000001 +Operation = ENCRYPT +Plaintext = 53696E676C6520626C6F636B206D7367 +Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0 + +Cipher = AES-256-CTR +Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884 +IV = 00FAAC24C1585EF15A43D87500000001 +Operation = ENCRYPT +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +Ciphertext = F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C + +Cipher = AES-256-CTR +Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D +IV = 001CC5B751A51D70A1C1114800000001 +Operation = ENCRYPT +Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 +Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8 -AES-256-CTR:776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104:00000060DB5672C97AA8F0B200000001:53696E676C6520626C6F636B206D7367:145AD01DBF824EC7560863DC71E3E0C0:1 -AES-256-CTR:F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884:00FAAC24C1585EF15A43D87500000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C:1 -AES-256-CTR:FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D:001CC5B751A51D70A1C1114800000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8:1 # AES GCM test vectors from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf -AES-128-GCM:00000000000000000000000000000000:000000000000000000000000::::58e2fccefa7e3061367f1d57a4e7455a -AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:00000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78::ab6e47d42cec13bdf53a67b21257bddf -AES-128-GCM:feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255:42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985::4d5c2af327cd64a62cf35abd2ba6fab4 -AES-128-GCM:feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091:feedfacedeadbeeffeedfacedeadbeefabaddad2:5bc94fbc3221a5db94fae95ae7121a47 -AES-128-GCM:feffe9928665731c6d6a8f9467308308:cafebabefacedbad:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598:feedfacedeadbeeffeedfacedeadbeefabaddad2:3612d2e79e3b0785561be14aaca2fccb -AES-128-GCM:feffe9928665731c6d6a8f9467308308:9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5:feedfacedeadbeeffeedfacedeadbeefabaddad2:619cc5aefffe0bfa462af43c1699d050 -AES-256-GCM:0000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000::::530f8afbc74536b9a963b4f1c4cb738b -AES-256-GCM:0000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000:00000000000000000000000000000000:cea7403d4d606b6e074ec5d3baf39d18::d0d1c8a799996bf0265b98b5d48ab919 -AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255:522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad::b094dac5d93471bdec1a502270e3cc6c -AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662:feedfacedeadbeeffeedfacedeadbeefabaddad2:76fc6ece0f4e1768cddf8853bb2d551b -AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:cafebabefacedbad:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f:feedfacedeadbeeffeedfacedeadbeefabaddad2:3a337dbf46a792c45e454913fe2ea8f2 -AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f:feedfacedeadbeeffeedfacedeadbeefabaddad2:a44a8266ee1c8eb0c8b5d4cf5ae9f19a +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = +Ciphertext = +AAD = +Tag = 58e2fccefa7e3061367f1d57a4e7455a + +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = 00000000000000000000000000000000 +Ciphertext = 0388dace60b6a392f328c2b971b2fe78 +AAD = +Tag = ab6e47d42cec13bdf53a67b21257bddf + +Cipher = AES-128-GCM +Key = feffe9928665731c6d6a8f9467308308 +IV = cafebabefacedbaddecaf888 +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255 +Ciphertext = 42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985 +AAD = +Tag = 4d5c2af327cd64a62cf35abd2ba6fab4 + +Cipher = AES-128-GCM +Key = feffe9928665731c6d6a8f9467308308 +IV = cafebabefacedbaddecaf888 +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39 +Ciphertext = 42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091 +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 5bc94fbc3221a5db94fae95ae7121a47 + +Cipher = AES-128-GCM +Key = feffe9928665731c6d6a8f9467308308 +IV = cafebabefacedbad +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39 +Ciphertext = 61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598 +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 3612d2e79e3b0785561be14aaca2fccb + +Cipher = AES-128-GCM +Key = feffe9928665731c6d6a8f9467308308 +IV = 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39 +Ciphertext = 8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5 +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 619cc5aefffe0bfa462af43c1699d050 + +Cipher = AES-256-GCM +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = +Ciphertext = +AAD = +Tag = 530f8afbc74536b9a963b4f1c4cb738b + +Cipher = AES-256-GCM +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = 00000000000000000000000000000000 +Ciphertext = cea7403d4d606b6e074ec5d3baf39d18 +AAD = +Tag = d0d1c8a799996bf0265b98b5d48ab919 + +Cipher = AES-256-GCM +Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308 +IV = cafebabefacedbaddecaf888 +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255 +Ciphertext = 522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad +AAD = +Tag = b094dac5d93471bdec1a502270e3cc6c + +Cipher = AES-256-GCM +Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308 +IV = cafebabefacedbaddecaf888 +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39 +Ciphertext = 522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662 +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 76fc6ece0f4e1768cddf8853bb2d551b + +Cipher = AES-256-GCM +Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308 +IV = cafebabefacedbad +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39 +Ciphertext = c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 3a337dbf46a792c45e454913fe2ea8f2 + +Cipher = AES-256-GCM +Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308 +IV = 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b +Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39 +Ciphertext = 5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = a44a8266ee1c8eb0c8b5d4cf5ae9f19a + # local add-ons, primarily streaming ghash tests # 128 bytes aad -AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:::d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad:5fea793a2d6f974d37e68e0cb8ff9492 +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = +Ciphertext = +AAD = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad +Tag = 5fea793a2d6f974d37e68e0cb8ff9492 + # 48 bytes plaintext -AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0::9dd0a376b08e40eb00c35f29f9ea61a4 +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Ciphertext = 0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0 +AAD = +Tag = 9dd0a376b08e40eb00c35f29f9ea61a4 + # 80 bytes plaintext -AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d5270291::98885a3a22bd4742fe7b72172193b163 +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Ciphertext = 0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d5270291 +AAD = +Tag = 98885a3a22bd4742fe7b72172193b163 + # 128 bytes plaintext -AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40::cac45f60e31efd3b5a43b98a22ce1aa1 +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Ciphertext = 0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40 +AAD = +Tag = cac45f60e31efd3b5a43b98a22ce1aa1 + # 192 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF -AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606::566f8ef683078bfdeeffa869d751a017 +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Plaintext = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Ciphertext = 56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606 +AAD = +Tag = 566f8ef683078bfdeeffa869d751a017 + # 288 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF -AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606872ca10dee15b3249b1a1b958f23134c4bccb7d03200bce420a2f8eb66dcf3644d1423c1b5699003c13ecef4bf38a3b60eedc34033bac1902783dc6d89e2e774188a439c7ebcc0672dbda4ddcfb2794613b0be41315ef778708a70ee7d75165c::8b307f6b33286d0ab026a9ed3fe1e85f +Cipher = AES-128-GCM +Key = 00000000000000000000000000000000 +IV = ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Plaintext = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Ciphertext = 56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606872ca10dee15b3249b1a1b958f23134c4bccb7d03200bce420a2f8eb66dcf3644d1423c1b5699003c13ecef4bf38a3b60eedc34033bac1902783dc6d89e2e774188a439c7ebcc0672dbda4ddcfb2794613b0be41315ef778708a70ee7d75165c +AAD = +Tag = 8b307f6b33286d0ab026a9ed3fe1e85f + # 80 bytes plaintext, submitted by Intel -AES-128-GCM:843ffcf5d2b72694d19ed01d01249412:dbcca32ebf9b804617c3aa9e:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f:6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5:00000000000000000000000000000000101112131415161718191a1b1c1d1e1f:3b629ccfbc1119b7319e1dce2cd6fd6d +Cipher = AES-128-GCM +Key = 843ffcf5d2b72694d19ed01d01249412 +IV = dbcca32ebf9b804617c3aa9e +Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5 +AAD = 00000000000000000000000000000000101112131415161718191a1b1c1d1e1f +Tag = 3b629ccfbc1119b7319e1dce2cd6fd6d + # OFB tests from OpenSSL upstream. -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1 -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:1 -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:1 -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:1 + +# OFB-AES128.Encrypt +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 000102030405060708090A0B0C0D0E0F +Operation = ENCRYPT +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A + +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 50FE67CC996D32B6DA0937E99BAFEC60 +Operation = ENCRYPT +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 7789508D16918F03F53C52DAC54ED825 + +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = D9A4DADA0892239F6B8B3D7680E15674 +Operation = ENCRYPT +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 9740051E9C5FECF64344F7A82260EDCC + +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = A78819583F0308E7A6BF36B1386ABF23 +Operation = ENCRYPT +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 304C6528F659C77866A510D9C1D6AE5E + # OFB-AES128.Decrypt -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0 -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:0 -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:0 -AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:0 +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 000102030405060708090A0B0C0D0E0F +Operation = DECRYPT +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A + +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = 50FE67CC996D32B6DA0937E99BAFEC60 +Operation = DECRYPT +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 7789508D16918F03F53C52DAC54ED825 + +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = D9A4DADA0892239F6B8B3D7680E15674 +Operation = DECRYPT +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 9740051E9C5FECF64344F7A82260EDCC + +Cipher = AES-128-OFB +Key = 2B7E151628AED2A6ABF7158809CF4F3C +IV = A78819583F0308E7A6BF36B1386ABF23 +Operation = DECRYPT +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 304C6528F659C77866A510D9C1D6AE5E + # OFB-AES256.Encrypt -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1 -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:1 -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:1 -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:1 +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 000102030405060708090A0B0C0D0E0F +Operation = ENCRYPT +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = DC7E84BFDA79164B7ECD8486985D3860 + +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A +Operation = ENCRYPT +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D + +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = E1C656305ED1A7A6563805746FE03EDC +Operation = ENCRYPT +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408 + +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 41635BE625B48AFC1666DD42A09D96E7 +Operation = ENCRYPT +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 0126141D67F37BE8538F5A8BE740E484 + + # OFB-AES256.Decrypt -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0 -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:0 -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0 -AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0 +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 000102030405060708090A0B0C0D0E0F +Operation = DECRYPT +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = DC7E84BFDA79164B7ECD8486985D3860 + +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A +Operation = DECRYPT +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D + +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = E1C656305ED1A7A6563805746FE03EDC +Operation = DECRYPT +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408 + +Cipher = AES-256-OFB +Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +IV = 41635BE625B48AFC1666DD42A09D96E7 +Operation = DECRYPT +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 0126141D67F37BE8538F5A8BE740E484 + # AES-192 CBC-mode test from upstream OpenSSL. -AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:4F021DB243BC633D7178183A9FA071E8 -AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:4F021DB243BC633D7178183A9FA071E8:AE2D8A571E03AC9C9EB76FAC45AF8E51:B4D9ADA9AD7DEDF4E5E738763F69145A -AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:B4D9ADA9AD7DEDF4E5E738763F69145A:30C81C46A35CE411E5FBC1191A0A52EF:571B242012FB7AE07FA9BAAC3DF102E0 -AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:571B242012FB7AE07FA9BAAC3DF102E0:F69F2445DF4F9B17AD2B417BE66C3710:08B0E27988598881D920A9E64F5615CD +Cipher = AES-192-CBC +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +IV = 000102030405060708090A0B0C0D0E0F +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = 4F021DB243BC633D7178183A9FA071E8 + +Cipher = AES-192-CBC +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +IV = 4F021DB243BC633D7178183A9FA071E8 +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = B4D9ADA9AD7DEDF4E5E738763F69145A + +Cipher = AES-192-CBC +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +IV = B4D9ADA9AD7DEDF4E5E738763F69145A +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = 571B242012FB7AE07FA9BAAC3DF102E0 + +Cipher = AES-192-CBC +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +IV = 571B242012FB7AE07FA9BAAC3DF102E0 +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 08B0E27988598881D920A9E64F5615CD + # AES-192-ECB tests from FIPS-197 -AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191:1 +Cipher = AES-192-ECB +Key = 000102030405060708090A0B0C0D0E0F1011121314151617 +Operation = ENCRYPT +Plaintext = 00112233445566778899AABBCCDDEEFF +Ciphertext = DDA97CA4864CDFE06EAF70A0EC0D7191 + # AES-192-ECB tests from NIST document SP800-38A -AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::6BC1BEE22E409F96E93D7E117393172A:BD334F1D6E45F25FF712A214571FA5CC:1 -AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::AE2D8A571E03AC9C9EB76FAC45AF8E51:974104846D0AD3AD7734ECB3ECEE4EEF:1 -AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::30C81C46A35CE411E5FBC1191A0A52EF:EF7AFD2270E2E60ADCE0BA2FACE6444E:1 -AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::F69F2445DF4F9B17AD2B417BE66C3710:9A4B41BA738D6C72FB16691603C18E0E:1 +Cipher = AES-192-ECB +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +Plaintext = 6BC1BEE22E409F96E93D7E117393172A +Ciphertext = BD334F1D6E45F25FF712A214571FA5CC + +Cipher = AES-192-ECB +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +Ciphertext = 974104846D0AD3AD7734ECB3ECEE4EEF + +Cipher = AES-192-ECB +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +Ciphertext = EF7AFD2270E2E60ADCE0BA2FACE6444E + +Cipher = AES-192-ECB +Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +Ciphertext = 9A4B41BA738D6C72FB16691603C18E0E -- cgit v1.1 From 1e4884f615b20946411a74e41eb9c6aa65e2d5f3 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Thu, 24 Sep 2015 10:57:52 -0700 Subject: external/boringssl: sync with upstream. This change imports the current version of BoringSSL. The only local change now is that |BORINGSSL_201509| is defined in base.h. This allows this change to be made without (hopefully) breaking the build. This change will need https://android-review.googlesource.com/172744 to be landed afterwards to update a test. Change-Id: I6d1f463f7785a2423bd846305af91c973c326104 --- src/crypto/cipher/CMakeLists.txt | 2 +- src/crypto/cipher/aead.c | 15 ++-- src/crypto/cipher/aead_test.cc | 62 +++++++-------- src/crypto/cipher/cipher.c | 41 +++++----- src/crypto/cipher/cipher_test.cc | 57 ++++++++++---- src/crypto/cipher/e_aes.c | 108 ++++++++++----------------- src/crypto/cipher/e_chacha20poly1305.c | 22 +++--- src/crypto/cipher/e_des.c | 78 ++++++++++++++++++- src/crypto/cipher/e_rc2.c | 27 ++++++- src/crypto/cipher/e_rc4.c | 22 +++--- src/crypto/cipher/e_ssl3.c | 56 +++++++++----- src/crypto/cipher/e_tls.c | 56 +++++++++----- src/crypto/cipher/test/aes_128_gcm_tests.txt | 6 ++ src/crypto/cipher/test/cipher_test.txt | 60 +++++++++++++++ 14 files changed, 407 insertions(+), 205 deletions(-) (limited to 'src/crypto/cipher') diff --git a/src/crypto/cipher/CMakeLists.txt b/src/crypto/cipher/CMakeLists.txt index 2775698..6b4c729 100644 --- a/src/crypto/cipher/CMakeLists.txt +++ b/src/crypto/cipher/CMakeLists.txt @@ -1,4 +1,4 @@ -include_directories(. .. ../../include) +include_directories(../../include) add_library( cipher diff --git a/src/crypto/cipher/aead.c b/src/crypto/cipher/aead.c index 20d699d..7e747f8 100644 --- a/src/crypto/cipher/aead.c +++ b/src/crypto/cipher/aead.c @@ -30,11 +30,15 @@ size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; } size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; } +void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) { + memset(ctx, 0, sizeof(EVP_AEAD_CTX)); +} + int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len, ENGINE *impl) { if (!aead->init) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_NO_DIRECTION_SET); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET); ctx->aead = NULL; return 0; } @@ -47,8 +51,7 @@ int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, size_t tag_len, enum evp_aead_direction_t dir) { if (key_len != aead->key_len) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init_with_direction, - CIPHER_R_UNSUPPORTED_KEY_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE); ctx->aead = NULL; return 0; } @@ -101,12 +104,12 @@ int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t possible_out_len = in_len + ctx->aead->overhead; if (possible_out_len < in_len /* overflow */) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); goto error; } if (!check_alias(in, in_len, out)) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_OUTPUT_ALIASES_INPUT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; } @@ -128,7 +131,7 @@ int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len) { if (!check_alias(in, in_len, out)) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_open, CIPHER_R_OUTPUT_ALIASES_INPUT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; } diff --git a/src/crypto/cipher/aead_test.cc b/src/crypto/cipher/aead_test.cc index e4b75d6..baaee9e 100644 --- a/src/crypto/cipher/aead_test.cc +++ b/src/crypto/cipher/aead_test.cc @@ -22,6 +22,7 @@ #include #include "../test/file_test.h" +#include "../test/scoped_types.h" #include "../test/stl_compat.h" @@ -35,18 +36,6 @@ // CT: 5294265a60 // TAG: 1d45758621762e061368e68868e2f929 -// EVP_AEAD_CTX lacks a zero state, so it doesn't fit easily into -// ScopedOpenSSLContext. -class EVP_AEAD_CTXScoper { - public: - EVP_AEAD_CTXScoper(EVP_AEAD_CTX *ctx) : ctx_(ctx) {} - ~EVP_AEAD_CTXScoper() { - EVP_AEAD_CTX_cleanup(ctx_); - } - private: - EVP_AEAD_CTX *ctx_; -}; - static bool TestAEAD(FileTest *t, void *arg) { const EVP_AEAD *aead = reinterpret_cast(arg); @@ -60,20 +49,19 @@ static bool TestAEAD(FileTest *t, void *arg) { return false; } - EVP_AEAD_CTX ctx; - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_seal)) { + ScopedEVP_AEAD_CTX ctx; + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_seal)) { t->PrintLine("Failed to init AEAD."); return false; } - EVP_AEAD_CTXScoper cleanup(&ctx); std::vector out(in.size() + EVP_AEAD_max_overhead(aead)); if (!t->HasAttribute("NO_SEAL")) { size_t out_len; - if (!EVP_AEAD_CTX_seal(&ctx, bssl::vector_data(&out), &out_len, out.size(), - bssl::vector_data(&nonce), nonce.size(), + if (!EVP_AEAD_CTX_seal(ctx.get(), bssl::vector_data(&out), &out_len, + out.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&in), in.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Failed to run AEAD."); @@ -101,17 +89,17 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - EVP_AEAD_CTX_cleanup(&ctx); - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_open)) { + ctx.Reset(); + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } std::vector out2(out.size()); size_t out2_len; - int ret = EVP_AEAD_CTX_open(&ctx, + int ret = EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), @@ -137,10 +125,10 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - EVP_AEAD_CTX_cleanup(&ctx); - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_open)) { + ctx.Reset(); + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } @@ -148,8 +136,8 @@ static bool TestAEAD(FileTest *t, void *arg) { // Garbage at the end isn't ignored. out.push_back(0); out2.resize(out.size()); - if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), - bssl::vector_data(&nonce), nonce.size(), + if (EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, + out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Decrypted bad data with trailing garbage."); @@ -159,10 +147,10 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - EVP_AEAD_CTX_cleanup(&ctx); - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_open)) { + ctx.Reset(); + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } @@ -171,8 +159,8 @@ static bool TestAEAD(FileTest *t, void *arg) { out[0] ^= 0x80; out.resize(out.size() - 1); out2.resize(out.size()); - if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), - bssl::vector_data(&nonce), nonce.size(), + if (EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, + out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Decrypted bad data with corrupted byte."); @@ -200,6 +188,7 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { fprintf(stderr, "A silly tag length didn't trigger an error!\n"); return 0; } + ERR_clear_error(); /* Running a second, failed _init should not cause a memory leak. */ if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len, @@ -208,6 +197,7 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { fprintf(stderr, "A silly tag length didn't trigger an error!\n"); return 0; } + ERR_clear_error(); /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a * no-op. */ diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c index 400c3f5..4401867 100644 --- a/src/crypto/cipher/cipher.c +++ b/src/crypto/cipher/cipher.c @@ -68,12 +68,18 @@ const EVP_CIPHER *EVP_get_cipherbynid(int nid) { switch (nid) { + case NID_rc2_cbc: + return EVP_rc2_cbc(); + case NID_rc2_40_cbc: + return EVP_rc2_40_cbc(); case NID_des_ede3_cbc: return EVP_des_ede3_cbc(); case NID_des_ede_cbc: return EVP_des_cbc(); case NID_aes_128_cbc: return EVP_aes_128_cbc(); + case NID_aes_192_cbc: + return EVP_aes_192_cbc(); case NID_aes_256_cbc: return EVP_aes_256_cbc(); default: @@ -115,7 +121,7 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if (in == NULL || in->cipher == NULL) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, CIPHER_R_INPUT_NOT_INITIALIZED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); return 0; } @@ -125,7 +131,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if (in->cipher_data && in->cipher->ctx_size) { out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); if (!out->cipher_data) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); @@ -165,7 +171,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); if (!ctx->cipher_data) { ctx->cipher = NULL; - OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } } else { @@ -178,12 +184,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; - OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_INITIALIZATION_ERROR); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); return 0; } } } else if (!ctx->cipher) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_NO_CIPHER_SET); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); return 0; } @@ -338,8 +344,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { bl = ctx->buf_len; if (ctx->flags & EVP_CIPH_NO_PADDING) { if (bl) { - OPENSSL_PUT_ERROR(CIPHER, EVP_EncryptFinal_ex, - CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *out_len = 0; @@ -434,8 +439,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { b = ctx->cipher->block_size; if (ctx->flags & EVP_CIPH_NO_PADDING) { if (ctx->buf_len) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, - CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *out_len = 0; @@ -444,8 +448,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { if (b > 1) { if (ctx->buf_len || !ctx->final_used) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, - CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); return 0; } assert(b <= sizeof(ctx->final)); @@ -454,13 +457,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { * Otherwise it provides a padding oracle. */ n = ctx->final[b - 1]; if (n == 0 || n > (int)b) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } for (i = 0; i < n; i++) { if (ctx->final[--b] != n) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } } @@ -538,19 +541,18 @@ uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { int ret; if (!ctx->cipher) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_NO_CIPHER_SET); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); return 0; } if (!ctx->cipher->ctrl) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_CTRL_NOT_IMPLEMENTED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED); return 0; } ret = ctx->cipher->ctrl(ctx, command, arg, ptr); if (ret == -1) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, - CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); return 0; } @@ -572,8 +574,7 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { } if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_set_key_length, - CIPHER_R_INVALID_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH); return 0; } @@ -630,7 +631,7 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) { return EVP_rc4(); } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) { return EVP_des_cbc(); - } else if (OPENSSL_strcasecmp(name, "3des-cbc") == 0 || + } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 || OPENSSL_strcasecmp(name, "3des") == 0) { return EVP_des_ede3_cbc(); } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) { diff --git a/src/crypto/cipher/cipher_test.cc b/src/crypto/cipher/cipher_test.cc index 97a84e0..5f04178 100644 --- a/src/crypto/cipher/cipher_test.cc +++ b/src/crypto/cipher/cipher_test.cc @@ -69,6 +69,12 @@ static const EVP_CIPHER *GetCipher(const std::string &name) { if (name == "DES-CBC") { return EVP_des_cbc(); + } else if (name == "DES-ECB") { + return EVP_des_ecb(); + } else if (name == "DES-EDE") { + return EVP_des_ede(); + } else if (name == "DES-EDE-CBC") { + return EVP_des_ede_cbc(); } else if (name == "DES-EDE3-CBC") { return EVP_des_ede3_cbc(); } else if (name == "RC4") { @@ -104,6 +110,7 @@ static const EVP_CIPHER *GetCipher(const std::string &name) { static bool TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt, + bool streaming, const std::vector &key, const std::vector &iv, const std::vector &plaintext, @@ -160,11 +167,29 @@ static bool TestOperation(FileTest *t, (!aad.empty() && !EVP_CipherUpdate(ctx.get(), nullptr, &unused, bssl::vector_data(&aad), aad.size())) || - !EVP_CIPHER_CTX_set_padding(ctx.get(), 0) || - (!in->empty() && - !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), &result_len1, - bssl::vector_data(in), in->size())) || - !EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, + !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) { + t->PrintLine("Operation failed."); + return false; + } + if (streaming) { + for (size_t i = 0; i < in->size(); i++) { + uint8_t c = (*in)[i]; + int len; + if (!EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result) + result_len1, + &len, &c, 1)) { + t->PrintLine("Operation failed."); + return false; + } + result_len1 += len; + } + } else if (!in->empty() && + !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), + &result_len1, bssl::vector_data(in), + in->size())) { + t->PrintLine("Operation failed."); + return false; + } + if (!EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, &result_len2)) { t->PrintLine("Operation failed."); return false; @@ -236,15 +261,21 @@ static bool TestCipher(FileTest *t, void *arg) { } // By default, both directions are run, unless overridden by the operation. - if (operation != kDecrypt && - !TestOperation(t, cipher, true /* encrypt */, key, iv, plaintext, - ciphertext, aad, tag)) { - return false; + if (operation != kDecrypt) { + if (!TestOperation(t, cipher, true /* encrypt */, false /* single-shot */, + key, iv, plaintext, ciphertext, aad, tag) || + !TestOperation(t, cipher, true /* encrypt */, true /* streaming */, key, + iv, plaintext, ciphertext, aad, tag)) { + return false; + } } - if (operation != kEncrypt && - !TestOperation(t, cipher, false /* decrypt */, key, iv, plaintext, - ciphertext, aad, tag)) { - return false; + if (operation != kEncrypt) { + if (!TestOperation(t, cipher, false /* decrypt */, false /* single-shot */, + key, iv, plaintext, ciphertext, aad, tag) || + !TestOperation(t, cipher, false /* decrypt */, true /* streaming */, + key, iv, plaintext, ciphertext, aad, tag)) { + return false; + } } return true; diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c index 41d0aec..e8905f6 100644 --- a/src/crypto/cipher/e_aes.c +++ b/src/crypto/cipher/e_aes.c @@ -64,7 +64,7 @@ #include "../modes/internal.h" #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) -#include "../arm_arch.h" +#include #endif @@ -98,8 +98,6 @@ typedef struct { #if !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_X86_64) || defined(OPENSSL_X86)) #define VPAES -extern unsigned int OPENSSL_ia32cap_P[]; - static char vpaes_capable(void) { return (OPENSSL_ia32cap_P[1] & (1 << (41 - 32))) != 0; } @@ -113,7 +111,6 @@ static char bsaes_capable(void) { #elif !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) -#include "../arm_arch.h" #if defined(OPENSSL_ARM) && __ARM_MAX_ARCH__ >= 7 #define BSAES @@ -338,7 +335,7 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, } if (ret < 0) { - OPENSSL_PUT_ERROR(CIPHER, aes_init_key, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -711,7 +708,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, } else { if (!ctx->encrypt) { if (gctx->taglen < 0 || - !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) { + !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) { return -1; } gctx->iv_set = 0; @@ -853,7 +850,7 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, } if (ret < 0) { - OPENSSL_PUT_ERROR(CIPHER, aesni_init_key, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1066,7 +1063,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, const size_t key_bits = key_len * 8; if (key_bits != 128 && key_bits != 256) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1075,7 +1072,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_TAG_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); return 0; } @@ -1108,12 +1105,12 @@ static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, GCM128_CONTEXT gcm; if (in_len + gcm_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + gcm_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -1152,14 +1149,14 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, GCM128_CONTEXT gcm; if (in_len < gcm_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - gcm_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -1185,7 +1182,7 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); if (CRYPTO_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1239,7 +1236,7 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key, const size_t key_bits = key_len * 8; if (key_bits != 128 && key_bits != 256) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1248,14 +1245,13 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, - CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } kw_ctx = OPENSSL_malloc(sizeof(struct aead_aes_key_wrap_ctx)); if (kw_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } @@ -1293,8 +1289,7 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t A[AES_BLOCK_SIZE]; if (ad_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE); return 0; } @@ -1304,14 +1299,12 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (nonce_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } if (in_len % 8 != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } @@ -1320,32 +1313,29 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, * conservatively cap it to 2^32-16 to stop 32-bit platforms complaining that * a comparison is always true. */ if (in_len > 0xfffffff0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } n = in_len / 8; if (n < 2) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } if (in_len + 8 < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (AES_set_encrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1388,8 +1378,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t A[AES_BLOCK_SIZE]; if (ad_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_UNSUPPORTED_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE); return 0; } @@ -1399,14 +1388,12 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (nonce_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } if (in_len % 8 != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } @@ -1415,26 +1402,24 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, * conservatively cap it to 2^32-8 to stop 32-bit platforms complaining that * a comparison is always true. */ if (in_len > 0xfffffff8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (in_len < 24) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } n = (in_len / 8) - 1; if (max_out_len < in_len - 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (AES_set_decrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1457,7 +1442,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (CRYPTO_memcmp(A, nonce, 8) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1541,15 +1526,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key, static const size_t hmac_key_len = 32; if (key_len < hmac_key_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } const size_t aes_key_len = key_len - hmac_key_len; if (aes_key_len != 16 && aes_key_len != 32) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1558,15 +1541,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - CIPHER_R_TAG_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); return 0; } aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx)); if (aes_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } @@ -1666,20 +1647,17 @@ static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (in_len + aes_ctx->tag_len < in_len || /* This input is so large it would overflow the 32-bit block counter. */ in_len_64 >= (OPENSSL_U64(1) << 32) * AES_BLOCK_SIZE) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, - CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + aes_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } @@ -1703,22 +1681,19 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t plaintext_len; if (in_len < aes_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - aes_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } @@ -1727,8 +1702,7 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out, &aes_ctx->outer_init_state, ad, ad_len, nonce, in, plaintext_len); if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_chacha20poly1305.c b/src/crypto/cipher/e_chacha20poly1305.c index ebf0088..9dda1b0 100644 --- a/src/crypto/cipher/e_chacha20poly1305.c +++ b/src/crypto/cipher/e_chacha20poly1305.c @@ -42,7 +42,7 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > POLY1305_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_init, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -107,23 +107,22 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ if (in_len_64 >= (1ull << 32) * 64 - 64) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (in_len + c20_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + c20_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != CHACHA20_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } @@ -156,7 +155,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, const uint64_t in_len_64 = in_len; if (in_len < c20_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -168,20 +167,19 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ if (in_len_64 >= (1ull << 32) * 64 - 64) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (nonce_len != CHACHA20_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } plaintext_len = in_len - c20_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -195,7 +193,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_poly1305_finish(&poly1305, mac); if (CRYPTO_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_des.c b/src/crypto/cipher/e_des.c index 74e1fce..b1d312c 100644 --- a/src/crypto/cipher/e_des.c +++ b/src/crypto/cipher/e_des.c @@ -96,6 +96,31 @@ static const EVP_CIPHER des_cbc = { const EVP_CIPHER *EVP_des_cbc(void) { return &des_cbc; } +static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, + size_t in_len) { + if (in_len < ctx->cipher->block_size) { + return 1; + } + in_len -= ctx->cipher->block_size; + + EVP_DES_KEY *dat = (EVP_DES_KEY *) ctx->cipher_data; + size_t i; + for (i = 0; i <= in_len; i += ctx->cipher->block_size) { + DES_ecb_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), + &dat->ks.ks, ctx->encrypt); + } + return 1; +} + +static const EVP_CIPHER des_ecb = { + NID_des_ecb, 8 /* block_size */, 8 /* key_size */, + 0 /* iv_len */, sizeof(EVP_DES_KEY), EVP_CIPH_ECB_MODE, + NULL /* app_data */, des_init_key, des_ecb_cipher, + NULL /* cleanup */, NULL /* ctrl */, }; + +const EVP_CIPHER *EVP_des_ecb(void) { return &des_ecb; } + + typedef struct { union { double align; @@ -126,10 +151,57 @@ static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, return 1; } -static const EVP_CIPHER des3_cbc = { - NID_des_cbc, 8 /* block_size */, 24 /* key_size */, +static const EVP_CIPHER des_ede3_cbc = { + NID_des_ede3_cbc, 8 /* block_size */, 24 /* key_size */, 8 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE, NULL /* app_data */, des_ede3_init_key, des_ede3_cbc_cipher, NULL /* cleanup */, NULL /* ctrl */, }; -const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &des3_cbc; } +const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &des_ede3_cbc; } + + +static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, + const uint8_t *iv, int enc) { + DES_cblock *deskey = (DES_cblock *) key; + DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; + + DES_set_key(&deskey[0], &dat->ks.ks[0]); + DES_set_key(&deskey[1], &dat->ks.ks[1]); + DES_set_key(&deskey[0], &dat->ks.ks[2]); + + return 1; +} + +static const EVP_CIPHER des_ede_cbc = { + NID_des_ede_cbc, 8 /* block_size */, 16 /* key_size */, + 8 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE, + NULL /* app_data */, des_ede_init_key , des_ede3_cbc_cipher, + NULL /* cleanup */, NULL /* ctrl */, }; + +const EVP_CIPHER *EVP_des_ede_cbc(void) { return &des_ede_cbc; } + + +static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, + const uint8_t *in, size_t in_len) { + if (in_len < ctx->cipher->block_size) { + return 1; + } + in_len -= ctx->cipher->block_size; + + DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; + size_t i; + for (i = 0; i <= in_len; i += ctx->cipher->block_size) { + DES_ecb3_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), + &dat->ks.ks[0], &dat->ks.ks[1], &dat->ks.ks[2], + ctx->encrypt); + } + return 1; +} + +static const EVP_CIPHER des_ede_ecb = { + NID_des_ede_cbc, 8 /* block_size */, 16 /* key_size */, + 0 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_ECB_MODE, + NULL /* app_data */, des_ede_init_key , des_ede_ecb_cipher, + NULL /* cleanup */, NULL /* ctrl */, }; + +const EVP_CIPHER *EVP_des_ede(void) { return &des_ede_ecb; } diff --git a/src/crypto/cipher/e_rc2.c b/src/crypto/cipher/e_rc2.c index c90ab93..8ca7bba 100644 --- a/src/crypto/cipher/e_rc2.c +++ b/src/crypto/cipher/e_rc2.c @@ -395,13 +395,18 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { case EVP_CTRL_INIT: key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8; return 1; + case EVP_CTRL_SET_RC2_KEY_BITS: + /* Should be overridden by later call to |EVP_CTRL_INIT|, but + * people call it, so it may as well work. */ + key->key_bits = arg; + return 1; default: return -1; } } -static const EVP_CIPHER rc2_40_cbc_cipher = { +static const EVP_CIPHER rc2_40_cbc = { NID_rc2_40_cbc, 8 /* block size */, 5 /* 40 bit */, @@ -416,5 +421,23 @@ static const EVP_CIPHER rc2_40_cbc_cipher = { }; const EVP_CIPHER *EVP_rc2_40_cbc(void) { - return &rc2_40_cbc_cipher; + return &rc2_40_cbc; +} + +static const EVP_CIPHER rc2_cbc = { + NID_rc2_cbc, + 8 /* block size */, + 16 /* 128 bit */, + 8 /* iv len */, + sizeof(EVP_RC2_KEY), + EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, + NULL /* app_data */, + rc2_init_key, + rc2_cbc_cipher, + NULL, + rc2_ctrl, +}; + +const EVP_CIPHER *EVP_rc2_cbc(void) { + return &rc2_cbc; } diff --git a/src/crypto/cipher/e_rc4.c b/src/crypto/cipher/e_rc4.c index 80dea36..e05b9fd 100644 --- a/src/crypto/cipher/e_rc4.c +++ b/src/crypto/cipher/e_rc4.c @@ -115,20 +115,20 @@ aead_rc4_md5_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, } if (tag_len > MD5_DIGEST_LENGTH) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } /* The keys consists of |MD5_DIGEST_LENGTH| bytes of HMAC(MD5) key followed * by some number of bytes of RC4 key. */ if (key_len <= MD5_DIGEST_LENGTH) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; } rc4_ctx = OPENSSL_malloc(sizeof(struct aead_rc4_md5_tls_ctx)); if (rc4_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } memset(rc4_ctx, 0, sizeof(struct aead_rc4_md5_tls_ctx)); @@ -185,22 +185,22 @@ static int aead_rc4_md5_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t digest[MD5_DIGEST_LENGTH]; if (in_len + rc4_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } if (max_out_len < in_len + rc4_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -288,21 +288,21 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t digest[MD5_DIGEST_LENGTH]; if (in_len < rc4_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - rc4_ctx->tag_len; if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -366,7 +366,7 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, MD5_Final(digest, &md); if (CRYPTO_memcmp(out + plaintext_len, digest, rc4_ctx->tag_len)) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_ssl3.c b/src/crypto/cipher/e_ssl3.c index 1031d9b..389c52f 100644 --- a/src/crypto/cipher/e_ssl3.c +++ b/src/crypto/cipher/e_ssl3.c @@ -85,12 +85,12 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, const EVP_CIPHER *cipher, const EVP_MD *md) { if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } if (key_len != EVP_AEAD_key_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; } @@ -102,7 +102,7 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX)); if (ssl3_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx); @@ -133,29 +133,29 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!ssl3_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } if (ad_len != 11 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } @@ -217,36 +217,36 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (ssl3_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx); if (in_len < mac_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (ad_len != 11 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } if (in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -270,12 +270,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) { unsigned padding_length = out[total - 1]; if (total < padding_length + 1 + mac_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } /* The padding must be minimal. */ if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } data_len = total - padding_length - 1 - mac_len; @@ -289,7 +289,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, return 0; } if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -340,6 +340,13 @@ static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, EVP_sha1()); } +static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, + size_t key_len, size_t tag_len, + enum evp_aead_direction_t dir) { + return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), + EVP_sha1()); +} + static const EVP_AEAD aead_rc4_md5_ssl3 = { MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */ 0, /* nonce len */ @@ -405,6 +412,19 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = { NULL, /* get_rc4_state */ }; +static const EVP_AEAD aead_null_sha1_ssl3 = { + SHA_DIGEST_LENGTH, /* key len */ + 0, /* nonce len */ + SHA_DIGEST_LENGTH, /* overhead (SHA1) */ + SHA_DIGEST_LENGTH, /* max tag length */ + NULL, /* init */ + aead_null_sha1_ssl3_init, + aead_ssl3_cleanup, + aead_ssl3_seal, + aead_ssl3_open, + NULL, /* get_rc4_state */ +}; + const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; } const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void) { return &aead_rc4_sha1_ssl3; } @@ -420,3 +440,5 @@ const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) { return &aead_des_ede3_cbc_sha1_ssl3; } + +const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; } diff --git a/src/crypto/cipher/e_tls.c b/src/crypto/cipher/e_tls.c index bed02cb..2778881 100644 --- a/src/crypto/cipher/e_tls.c +++ b/src/crypto/cipher/e_tls.c @@ -57,12 +57,12 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, char implicit_iv) { if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } if (key_len != EVP_AEAD_key_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; } @@ -75,7 +75,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX)); if (tls_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx); @@ -109,7 +109,7 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!tls_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } @@ -117,22 +117,22 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; } if (ad_len != 13 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } @@ -214,36 +214,36 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (tls_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; } if (ad_len != 13 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } if (in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -278,7 +278,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, (unsigned)HMAC_size(&tls_ctx->hmac_ctx)); /* Publicly invalid. This can be rejected in non-constant time. */ if (padding_ok == 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } } else { @@ -312,7 +312,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len, ad_fixed, out, data_plus_mac_len, total, tls_ctx->mac_key, tls_ctx->mac_key_len)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); @@ -349,7 +349,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 0); good &= constant_time_eq_int(padding_ok, 1); if (!good) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -444,6 +444,13 @@ static int aead_rc4_sha1_tls_get_rc4_state(const EVP_AEAD_CTX *ctx, return 1; } +static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, + size_t key_len, size_t tag_len, + enum evp_aead_direction_t dir) { + return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), + EVP_sha1(), 1 /* implicit iv */); +} + static const EVP_AEAD aead_rc4_sha1_tls = { SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */ 0, /* nonce len */ @@ -574,6 +581,19 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = { NULL, /* get_rc4_state */ }; +static const EVP_AEAD aead_null_sha1_tls = { + SHA_DIGEST_LENGTH, /* key len */ + 0, /* nonce len */ + SHA_DIGEST_LENGTH, /* overhead (SHA1) */ + SHA_DIGEST_LENGTH, /* max tag length */ + NULL, /* init */ + aead_null_sha1_tls_init, + aead_tls_cleanup, + aead_tls_seal, + aead_tls_open, + NULL, /* get_rc4_state */ +}; + const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; } const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) { @@ -611,3 +631,5 @@ const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) { return &aead_des_ede3_cbc_sha1_tls_implicit_iv; } + +const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; } diff --git a/src/crypto/cipher/test/aes_128_gcm_tests.txt b/src/crypto/cipher/test/aes_128_gcm_tests.txt index 5f7ad35..75466fe 100644 --- a/src/crypto/cipher/test/aes_128_gcm_tests.txt +++ b/src/crypto/cipher/test/aes_128_gcm_tests.txt @@ -418,3 +418,9 @@ AD: 18e2ed6d500b176e49f7e1b5074c0b7dbfdefdf00a63d9fa2fea8c5e78a1c4ae00f17b234429 CT: 5f3627bd53f8da0bbe6f3c9246d6f96fe9abb91cdecf66ddd42f833d98f4d4634c2e1e1ad4088c84c22191bdb9d99ef227320e455dd112c4a9e9cca95724fcc9ae024ed12bf60a802d0b87b99d9bf22590786567c2962171d2b05bec9754c627608e9eba7bccc70540aa4da72e1e04b26d8f968b10230f707501c0091a8ac118f86e87aae1ac00257aee29c3345bd3839154977acd378fc1b2197f5c1fd8e12262f9c2974fb92dc481eeb51aadd44a8851f61b93a84ba57f2870df0423d289bfdcfe634f9ecb7d7c6110a95b49418a2dd6663377690275c205b3efa79a0a77c92567fb429d8ee437312a39df7516dc238f7b9414938223d7ec24d256d3fb3a5954a7c75dbd79486d49ba6bb38a7ccce0f58700260b71319adf98ab8684e34913abe2d9d97193e2 TAG: e690e89af39ff367f5d40a1b7c7ccd4f +KEY: 31323334353637383930313233343536 +NONCE: 31323334353637383930313233343536 +IN: 48656c6c6f2c20576f726c64 +AD: +CT: cec189d0e8419b90fb16d555 +TAG: 32893832a8d609224d77c2e56a922282 diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_test.txt index 93cb8f3..21fffdb 100644 --- a/src/crypto/cipher/test/cipher_test.txt +++ b/src/crypto/cipher/test/cipher_test.txt @@ -38,6 +38,22 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 +# DES EDE CBC tests +Cipher = DES-EDE-CBC +Key = 0123456789abcdeff1e0d3c2b5a49786 +IV = fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 7948C0DA4FE91CD815DCA96DBC9B60A857EB954F4DEB08EB98722642AE69257B + + +# DES EDE tests +Cipher = DES-EDE +Key = 0123456789abcdeff1e0d3c2b5a49786 +IV = fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 22E889402E28422F8167AD279D90A566DA75B734E12C671FC2669AECB3E4FE8F + + # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) Cipher = AES-128-ECB Key = 000102030405060708090A0B0C0D0E0F @@ -360,6 +376,13 @@ Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3d AAD = 00000000000000000000000000000000101112131415161718191a1b1c1d1e1f Tag = 3b629ccfbc1119b7319e1dce2cd6fd6d +Cipher = AES-128-GCM +Key = 31323334353637383930313233343536 +IV = 31323334353637383930313233343536 +Plaintext = 48656c6c6f2c20576f726c64 +Ciphertext = cec189d0e8419b90fb16d555 +Tag = 32893832a8d609224d77c2e56a922282 +AAD = # OFB tests from OpenSSL upstream. @@ -535,3 +558,40 @@ Cipher = AES-192-ECB Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 Ciphertext = 9A4B41BA738D6C72FB16691603C18E0E + +# DES ECB tests + +Cipher = DES-ECB +Key = 0000000000000000 +Plaintext = 0000000000000000 +Ciphertext = 8CA64DE9C1B123A7 + +Cipher = DES-ECB +Key = FFFFFFFFFFFFFFFF +Plaintext = FFFFFFFFFFFFFFFF +Ciphertext = 7359B2163E4EDC58 + +Cipher = DES-ECB +Key = 3000000000000000 +Plaintext = 1000000000000001 +Ciphertext = 958E6E627A05557B + +Cipher = DES-ECB +Key = 1111111111111111 +Plaintext = 1111111111111111 +Ciphertext = F40379AB9E0EC533 + +Cipher = DES-ECB +Key = 0123456789ABCDEF +Plaintext = 1111111111111111 +Ciphertext = 17668DFC7292532D + +Cipher = DES-ECB +Key = 1111111111111111 +Plaintext = 0123456789ABCDEF +Ciphertext = 8A5AE1F81AB8F2DD + +Cipher = DES-ECB +Key = FEDCBA9876543210 +Plaintext = 0123456789ABCDEF +Ciphertext = ED39D950FA74BCC4 -- cgit v1.1 From a04d78d392463df4e69a64360c952ffa5abd22f7 Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Fri, 25 Sep 2015 00:26:37 +0000 Subject: Revert "external/boringssl: sync with upstream." This reverts commit 1e4884f615b20946411a74e41eb9c6aa65e2d5f3. This breaks some x86 builds. Change-Id: I4d4310663ce52bc0a130e6b9dbc22b868ff4fb25 --- src/crypto/cipher/CMakeLists.txt | 2 +- src/crypto/cipher/aead.c | 15 ++-- src/crypto/cipher/aead_test.cc | 62 ++++++++------- src/crypto/cipher/cipher.c | 41 +++++----- src/crypto/cipher/cipher_test.cc | 57 ++++---------- src/crypto/cipher/e_aes.c | 108 +++++++++++++++++---------- src/crypto/cipher/e_chacha20poly1305.c | 22 +++--- src/crypto/cipher/e_des.c | 78 +------------------ src/crypto/cipher/e_rc2.c | 27 +------ src/crypto/cipher/e_rc4.c | 22 +++--- src/crypto/cipher/e_ssl3.c | 56 +++++--------- src/crypto/cipher/e_tls.c | 56 +++++--------- src/crypto/cipher/test/aes_128_gcm_tests.txt | 6 -- src/crypto/cipher/test/cipher_test.txt | 60 --------------- 14 files changed, 205 insertions(+), 407 deletions(-) (limited to 'src/crypto/cipher') diff --git a/src/crypto/cipher/CMakeLists.txt b/src/crypto/cipher/CMakeLists.txt index 6b4c729..2775698 100644 --- a/src/crypto/cipher/CMakeLists.txt +++ b/src/crypto/cipher/CMakeLists.txt @@ -1,4 +1,4 @@ -include_directories(../../include) +include_directories(. .. ../../include) add_library( cipher diff --git a/src/crypto/cipher/aead.c b/src/crypto/cipher/aead.c index 7e747f8..20d699d 100644 --- a/src/crypto/cipher/aead.c +++ b/src/crypto/cipher/aead.c @@ -30,15 +30,11 @@ size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; } size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; } -void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) { - memset(ctx, 0, sizeof(EVP_AEAD_CTX)); -} - int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len, ENGINE *impl) { if (!aead->init) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET); + OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_NO_DIRECTION_SET); ctx->aead = NULL; return 0; } @@ -51,7 +47,8 @@ int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, size_t tag_len, enum evp_aead_direction_t dir) { if (key_len != aead->key_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE); + OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init_with_direction, + CIPHER_R_UNSUPPORTED_KEY_SIZE); ctx->aead = NULL; return 0; } @@ -104,12 +101,12 @@ int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t possible_out_len = in_len + ctx->aead->overhead; if (possible_out_len < in_len /* overflow */) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_TOO_LARGE); goto error; } if (!check_alias(in, in_len, out)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); + OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; } @@ -131,7 +128,7 @@ int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len) { if (!check_alias(in, in_len, out)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); + OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_open, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; } diff --git a/src/crypto/cipher/aead_test.cc b/src/crypto/cipher/aead_test.cc index baaee9e..e4b75d6 100644 --- a/src/crypto/cipher/aead_test.cc +++ b/src/crypto/cipher/aead_test.cc @@ -22,7 +22,6 @@ #include #include "../test/file_test.h" -#include "../test/scoped_types.h" #include "../test/stl_compat.h" @@ -36,6 +35,18 @@ // CT: 5294265a60 // TAG: 1d45758621762e061368e68868e2f929 +// EVP_AEAD_CTX lacks a zero state, so it doesn't fit easily into +// ScopedOpenSSLContext. +class EVP_AEAD_CTXScoper { + public: + EVP_AEAD_CTXScoper(EVP_AEAD_CTX *ctx) : ctx_(ctx) {} + ~EVP_AEAD_CTXScoper() { + EVP_AEAD_CTX_cleanup(ctx_); + } + private: + EVP_AEAD_CTX *ctx_; +}; + static bool TestAEAD(FileTest *t, void *arg) { const EVP_AEAD *aead = reinterpret_cast(arg); @@ -49,19 +60,20 @@ static bool TestAEAD(FileTest *t, void *arg) { return false; } - ScopedEVP_AEAD_CTX ctx; - if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, - bssl::vector_data(&key), key.size(), - tag.size(), evp_aead_seal)) { + EVP_AEAD_CTX ctx; + if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), + key.size(), tag.size(), + evp_aead_seal)) { t->PrintLine("Failed to init AEAD."); return false; } + EVP_AEAD_CTXScoper cleanup(&ctx); std::vector out(in.size() + EVP_AEAD_max_overhead(aead)); if (!t->HasAttribute("NO_SEAL")) { size_t out_len; - if (!EVP_AEAD_CTX_seal(ctx.get(), bssl::vector_data(&out), &out_len, - out.size(), bssl::vector_data(&nonce), nonce.size(), + if (!EVP_AEAD_CTX_seal(&ctx, bssl::vector_data(&out), &out_len, out.size(), + bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&in), in.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Failed to run AEAD."); @@ -89,17 +101,17 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - ctx.Reset(); - if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, - bssl::vector_data(&key), key.size(), - tag.size(), evp_aead_open)) { + EVP_AEAD_CTX_cleanup(&ctx); + if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), + key.size(), tag.size(), + evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } std::vector out2(out.size()); size_t out2_len; - int ret = EVP_AEAD_CTX_open(ctx.get(), + int ret = EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), @@ -125,10 +137,10 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - ctx.Reset(); - if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, - bssl::vector_data(&key), key.size(), - tag.size(), evp_aead_open)) { + EVP_AEAD_CTX_cleanup(&ctx); + if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), + key.size(), tag.size(), + evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } @@ -136,8 +148,8 @@ static bool TestAEAD(FileTest *t, void *arg) { // Garbage at the end isn't ignored. out.push_back(0); out2.resize(out.size()); - if (EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, - out2.size(), bssl::vector_data(&nonce), nonce.size(), + if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), + bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Decrypted bad data with trailing garbage."); @@ -147,10 +159,10 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - ctx.Reset(); - if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, - bssl::vector_data(&key), key.size(), - tag.size(), evp_aead_open)) { + EVP_AEAD_CTX_cleanup(&ctx); + if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), + key.size(), tag.size(), + evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } @@ -159,8 +171,8 @@ static bool TestAEAD(FileTest *t, void *arg) { out[0] ^= 0x80; out.resize(out.size() - 1); out2.resize(out.size()); - if (EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, - out2.size(), bssl::vector_data(&nonce), nonce.size(), + if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), + bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Decrypted bad data with corrupted byte."); @@ -188,7 +200,6 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { fprintf(stderr, "A silly tag length didn't trigger an error!\n"); return 0; } - ERR_clear_error(); /* Running a second, failed _init should not cause a memory leak. */ if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len, @@ -197,7 +208,6 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { fprintf(stderr, "A silly tag length didn't trigger an error!\n"); return 0; } - ERR_clear_error(); /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a * no-op. */ diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c index 4401867..400c3f5 100644 --- a/src/crypto/cipher/cipher.c +++ b/src/crypto/cipher/cipher.c @@ -68,18 +68,12 @@ const EVP_CIPHER *EVP_get_cipherbynid(int nid) { switch (nid) { - case NID_rc2_cbc: - return EVP_rc2_cbc(); - case NID_rc2_40_cbc: - return EVP_rc2_40_cbc(); case NID_des_ede3_cbc: return EVP_des_ede3_cbc(); case NID_des_ede_cbc: return EVP_des_cbc(); case NID_aes_128_cbc: return EVP_aes_128_cbc(); - case NID_aes_192_cbc: - return EVP_aes_192_cbc(); case NID_aes_256_cbc: return EVP_aes_256_cbc(); default: @@ -121,7 +115,7 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if (in == NULL || in->cipher == NULL) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); + OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, CIPHER_R_INPUT_NOT_INITIALIZED); return 0; } @@ -131,7 +125,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if (in->cipher_data && in->cipher->ctx_size) { out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); if (!out->cipher_data) { - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, ERR_R_MALLOC_FAILURE); return 0; } memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); @@ -171,7 +165,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); if (!ctx->cipher_data) { ctx->cipher = NULL; - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, ERR_R_MALLOC_FAILURE); return 0; } } else { @@ -184,12 +178,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); + OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_INITIALIZATION_ERROR); return 0; } } } else if (!ctx->cipher) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); + OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_NO_CIPHER_SET); return 0; } @@ -344,7 +338,8 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { bl = ctx->buf_len; if (ctx->flags & EVP_CIPH_NO_PADDING) { if (bl) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, EVP_EncryptFinal_ex, + CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *out_len = 0; @@ -439,7 +434,8 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { b = ctx->cipher->block_size; if (ctx->flags & EVP_CIPH_NO_PADDING) { if (ctx->buf_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, + CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *out_len = 0; @@ -448,7 +444,8 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { if (b > 1) { if (ctx->buf_len || !ctx->final_used) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, + CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); return 0; } assert(b <= sizeof(ctx->final)); @@ -457,13 +454,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { * Otherwise it provides a padding oracle. */ n = ctx->final[b - 1]; if (n == 0 || n > (int)b) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); return 0; } for (i = 0; i < n; i++) { if (ctx->final[--b] != n) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); return 0; } } @@ -541,18 +538,19 @@ uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { int ret; if (!ctx->cipher) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); + OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_NO_CIPHER_SET); return 0; } if (!ctx->cipher->ctrl) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED); + OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_CTRL_NOT_IMPLEMENTED); return 0; } ret = ctx->cipher->ctrl(ctx, command, arg, ptr); if (ret == -1) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); + OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, + CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); return 0; } @@ -574,7 +572,8 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { } if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_set_key_length, + CIPHER_R_INVALID_KEY_LENGTH); return 0; } @@ -631,7 +630,7 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) { return EVP_rc4(); } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) { return EVP_des_cbc(); - } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 || + } else if (OPENSSL_strcasecmp(name, "3des-cbc") == 0 || OPENSSL_strcasecmp(name, "3des") == 0) { return EVP_des_ede3_cbc(); } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) { diff --git a/src/crypto/cipher/cipher_test.cc b/src/crypto/cipher/cipher_test.cc index 5f04178..97a84e0 100644 --- a/src/crypto/cipher/cipher_test.cc +++ b/src/crypto/cipher/cipher_test.cc @@ -69,12 +69,6 @@ static const EVP_CIPHER *GetCipher(const std::string &name) { if (name == "DES-CBC") { return EVP_des_cbc(); - } else if (name == "DES-ECB") { - return EVP_des_ecb(); - } else if (name == "DES-EDE") { - return EVP_des_ede(); - } else if (name == "DES-EDE-CBC") { - return EVP_des_ede_cbc(); } else if (name == "DES-EDE3-CBC") { return EVP_des_ede3_cbc(); } else if (name == "RC4") { @@ -110,7 +104,6 @@ static const EVP_CIPHER *GetCipher(const std::string &name) { static bool TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt, - bool streaming, const std::vector &key, const std::vector &iv, const std::vector &plaintext, @@ -167,29 +160,11 @@ static bool TestOperation(FileTest *t, (!aad.empty() && !EVP_CipherUpdate(ctx.get(), nullptr, &unused, bssl::vector_data(&aad), aad.size())) || - !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) { - t->PrintLine("Operation failed."); - return false; - } - if (streaming) { - for (size_t i = 0; i < in->size(); i++) { - uint8_t c = (*in)[i]; - int len; - if (!EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result) + result_len1, - &len, &c, 1)) { - t->PrintLine("Operation failed."); - return false; - } - result_len1 += len; - } - } else if (!in->empty() && - !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), - &result_len1, bssl::vector_data(in), - in->size())) { - t->PrintLine("Operation failed."); - return false; - } - if (!EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, + !EVP_CIPHER_CTX_set_padding(ctx.get(), 0) || + (!in->empty() && + !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), &result_len1, + bssl::vector_data(in), in->size())) || + !EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, &result_len2)) { t->PrintLine("Operation failed."); return false; @@ -261,21 +236,15 @@ static bool TestCipher(FileTest *t, void *arg) { } // By default, both directions are run, unless overridden by the operation. - if (operation != kDecrypt) { - if (!TestOperation(t, cipher, true /* encrypt */, false /* single-shot */, - key, iv, plaintext, ciphertext, aad, tag) || - !TestOperation(t, cipher, true /* encrypt */, true /* streaming */, key, - iv, plaintext, ciphertext, aad, tag)) { - return false; - } + if (operation != kDecrypt && + !TestOperation(t, cipher, true /* encrypt */, key, iv, plaintext, + ciphertext, aad, tag)) { + return false; } - if (operation != kEncrypt) { - if (!TestOperation(t, cipher, false /* decrypt */, false /* single-shot */, - key, iv, plaintext, ciphertext, aad, tag) || - !TestOperation(t, cipher, false /* decrypt */, true /* streaming */, - key, iv, plaintext, ciphertext, aad, tag)) { - return false; - } + if (operation != kEncrypt && + !TestOperation(t, cipher, false /* decrypt */, key, iv, plaintext, + ciphertext, aad, tag)) { + return false; } return true; diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c index e8905f6..41d0aec 100644 --- a/src/crypto/cipher/e_aes.c +++ b/src/crypto/cipher/e_aes.c @@ -64,7 +64,7 @@ #include "../modes/internal.h" #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) -#include +#include "../arm_arch.h" #endif @@ -98,6 +98,8 @@ typedef struct { #if !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_X86_64) || defined(OPENSSL_X86)) #define VPAES +extern unsigned int OPENSSL_ia32cap_P[]; + static char vpaes_capable(void) { return (OPENSSL_ia32cap_P[1] & (1 << (41 - 32))) != 0; } @@ -111,6 +113,7 @@ static char bsaes_capable(void) { #elif !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) +#include "../arm_arch.h" #if defined(OPENSSL_ARM) && __ARM_MAX_ARCH__ >= 7 #define BSAES @@ -335,7 +338,7 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, } if (ret < 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, aes_init_key, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -708,7 +711,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, } else { if (!ctx->encrypt) { if (gctx->taglen < 0 || - !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) { + !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) { return -1; } gctx->iv_set = 0; @@ -850,7 +853,7 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, } if (ret < 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, aesni_init_key, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1063,7 +1066,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, const size_t key_bits = key_len * 8; if (key_bits != 128 && key_bits != 256) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1072,7 +1075,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_TAG_TOO_LARGE); return 0; } @@ -1105,12 +1108,12 @@ static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, GCM128_CONTEXT gcm; if (in_len + gcm_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + gcm_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -1149,14 +1152,14 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, GCM128_CONTEXT gcm; if (in_len < gcm_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - gcm_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -1182,7 +1185,7 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); if (CRYPTO_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1236,7 +1239,7 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key, const size_t key_bits = key_len * 8; if (key_bits != 128 && key_bits != 256) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1245,13 +1248,14 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, + CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } kw_ctx = OPENSSL_malloc(sizeof(struct aead_aes_key_wrap_ctx)); if (kw_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, ERR_R_MALLOC_FAILURE); return 0; } @@ -1289,7 +1293,8 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t A[AES_BLOCK_SIZE]; if (ad_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, + CIPHER_R_UNSUPPORTED_AD_SIZE); return 0; } @@ -1299,12 +1304,14 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (nonce_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, + CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } if (in_len % 8 != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, + CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } @@ -1313,29 +1320,32 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, * conservatively cap it to 2^32-16 to stop 32-bit platforms complaining that * a comparison is always true. */ if (in_len > 0xfffffff0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE); return 0; } n = in_len / 8; if (n < 2) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, + CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } if (in_len + 8 < in_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + 8) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, + CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (AES_set_encrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, + CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1378,7 +1388,8 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t A[AES_BLOCK_SIZE]; if (ad_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, + CIPHER_R_UNSUPPORTED_AD_SIZE); return 0; } @@ -1388,12 +1399,14 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (nonce_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, + CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } if (in_len % 8 != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, + CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } @@ -1402,24 +1415,26 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, * conservatively cap it to 2^32-8 to stop 32-bit platforms complaining that * a comparison is always true. */ if (in_len > 0xfffffff8) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_TOO_LARGE); return 0; } if (in_len < 24) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT); return 0; } n = (in_len / 8) - 1; if (max_out_len < in_len - 8) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, + CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (AES_set_decrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, + CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1442,7 +1457,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (CRYPTO_memcmp(A, nonce, 8) != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1526,13 +1541,15 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key, static const size_t hmac_key_len = 32; if (key_len < hmac_key_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, + CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } const size_t aes_key_len = key_len - hmac_key_len; if (aes_key_len != 16 && aes_key_len != 32) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, + CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1541,13 +1558,15 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, + CIPHER_R_TAG_TOO_LARGE); return 0; } aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx)); if (aes_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, + ERR_R_MALLOC_FAILURE); return 0; } @@ -1647,17 +1666,20 @@ static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (in_len + aes_ctx->tag_len < in_len || /* This input is so large it would overflow the 32-bit block counter. */ in_len_64 >= (OPENSSL_U64(1) << 32) * AES_BLOCK_SIZE) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, + CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + aes_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, + CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, + CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } @@ -1681,19 +1703,22 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t plaintext_len; if (in_len < aes_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, + CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - aes_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, + CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, + CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } @@ -1702,7 +1727,8 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out, &aes_ctx->outer_init_state, ad, ad_len, nonce, in, plaintext_len); if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, + CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_chacha20poly1305.c b/src/crypto/cipher/e_chacha20poly1305.c index 9dda1b0..ebf0088 100644 --- a/src/crypto/cipher/e_chacha20poly1305.c +++ b/src/crypto/cipher/e_chacha20poly1305.c @@ -42,7 +42,7 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > POLY1305_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_init, CIPHER_R_TOO_LARGE); return 0; } @@ -107,22 +107,23 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ if (in_len_64 >= (1ull << 32) * 64 - 64) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE); return 0; } if (in_len + c20_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + c20_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, + CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != CHACHA20_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_IV_TOO_LARGE); return 0; } @@ -155,7 +156,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, const uint64_t in_len_64 = in_len; if (in_len < c20_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT); return 0; } @@ -167,19 +168,20 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ if (in_len_64 >= (1ull << 32) * 64 - 64) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_TOO_LARGE); return 0; } if (nonce_len != CHACHA20_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_IV_TOO_LARGE); return 0; } plaintext_len = in_len - c20_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, + CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -193,7 +195,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_poly1305_finish(&poly1305, mac); if (CRYPTO_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_des.c b/src/crypto/cipher/e_des.c index b1d312c..74e1fce 100644 --- a/src/crypto/cipher/e_des.c +++ b/src/crypto/cipher/e_des.c @@ -96,31 +96,6 @@ static const EVP_CIPHER des_cbc = { const EVP_CIPHER *EVP_des_cbc(void) { return &des_cbc; } -static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, - size_t in_len) { - if (in_len < ctx->cipher->block_size) { - return 1; - } - in_len -= ctx->cipher->block_size; - - EVP_DES_KEY *dat = (EVP_DES_KEY *) ctx->cipher_data; - size_t i; - for (i = 0; i <= in_len; i += ctx->cipher->block_size) { - DES_ecb_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), - &dat->ks.ks, ctx->encrypt); - } - return 1; -} - -static const EVP_CIPHER des_ecb = { - NID_des_ecb, 8 /* block_size */, 8 /* key_size */, - 0 /* iv_len */, sizeof(EVP_DES_KEY), EVP_CIPH_ECB_MODE, - NULL /* app_data */, des_init_key, des_ecb_cipher, - NULL /* cleanup */, NULL /* ctrl */, }; - -const EVP_CIPHER *EVP_des_ecb(void) { return &des_ecb; } - - typedef struct { union { double align; @@ -151,57 +126,10 @@ static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, return 1; } -static const EVP_CIPHER des_ede3_cbc = { - NID_des_ede3_cbc, 8 /* block_size */, 24 /* key_size */, +static const EVP_CIPHER des3_cbc = { + NID_des_cbc, 8 /* block_size */, 24 /* key_size */, 8 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE, NULL /* app_data */, des_ede3_init_key, des_ede3_cbc_cipher, NULL /* cleanup */, NULL /* ctrl */, }; -const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &des_ede3_cbc; } - - -static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, - const uint8_t *iv, int enc) { - DES_cblock *deskey = (DES_cblock *) key; - DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; - - DES_set_key(&deskey[0], &dat->ks.ks[0]); - DES_set_key(&deskey[1], &dat->ks.ks[1]); - DES_set_key(&deskey[0], &dat->ks.ks[2]); - - return 1; -} - -static const EVP_CIPHER des_ede_cbc = { - NID_des_ede_cbc, 8 /* block_size */, 16 /* key_size */, - 8 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE, - NULL /* app_data */, des_ede_init_key , des_ede3_cbc_cipher, - NULL /* cleanup */, NULL /* ctrl */, }; - -const EVP_CIPHER *EVP_des_ede_cbc(void) { return &des_ede_cbc; } - - -static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, - const uint8_t *in, size_t in_len) { - if (in_len < ctx->cipher->block_size) { - return 1; - } - in_len -= ctx->cipher->block_size; - - DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; - size_t i; - for (i = 0; i <= in_len; i += ctx->cipher->block_size) { - DES_ecb3_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), - &dat->ks.ks[0], &dat->ks.ks[1], &dat->ks.ks[2], - ctx->encrypt); - } - return 1; -} - -static const EVP_CIPHER des_ede_ecb = { - NID_des_ede_cbc, 8 /* block_size */, 16 /* key_size */, - 0 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_ECB_MODE, - NULL /* app_data */, des_ede_init_key , des_ede_ecb_cipher, - NULL /* cleanup */, NULL /* ctrl */, }; - -const EVP_CIPHER *EVP_des_ede(void) { return &des_ede_ecb; } +const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &des3_cbc; } diff --git a/src/crypto/cipher/e_rc2.c b/src/crypto/cipher/e_rc2.c index 8ca7bba..c90ab93 100644 --- a/src/crypto/cipher/e_rc2.c +++ b/src/crypto/cipher/e_rc2.c @@ -395,18 +395,13 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { case EVP_CTRL_INIT: key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8; return 1; - case EVP_CTRL_SET_RC2_KEY_BITS: - /* Should be overridden by later call to |EVP_CTRL_INIT|, but - * people call it, so it may as well work. */ - key->key_bits = arg; - return 1; default: return -1; } } -static const EVP_CIPHER rc2_40_cbc = { +static const EVP_CIPHER rc2_40_cbc_cipher = { NID_rc2_40_cbc, 8 /* block size */, 5 /* 40 bit */, @@ -421,23 +416,5 @@ static const EVP_CIPHER rc2_40_cbc = { }; const EVP_CIPHER *EVP_rc2_40_cbc(void) { - return &rc2_40_cbc; -} - -static const EVP_CIPHER rc2_cbc = { - NID_rc2_cbc, - 8 /* block size */, - 16 /* 128 bit */, - 8 /* iv len */, - sizeof(EVP_RC2_KEY), - EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, - NULL /* app_data */, - rc2_init_key, - rc2_cbc_cipher, - NULL, - rc2_ctrl, -}; - -const EVP_CIPHER *EVP_rc2_cbc(void) { - return &rc2_cbc; + return &rc2_40_cbc_cipher; } diff --git a/src/crypto/cipher/e_rc4.c b/src/crypto/cipher/e_rc4.c index e05b9fd..80dea36 100644 --- a/src/crypto/cipher/e_rc4.c +++ b/src/crypto/cipher/e_rc4.c @@ -115,20 +115,20 @@ aead_rc4_md5_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, } if (tag_len > MD5_DIGEST_LENGTH) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_TOO_LARGE); return 0; } /* The keys consists of |MD5_DIGEST_LENGTH| bytes of HMAC(MD5) key followed * by some number of bytes of RC4 key. */ if (key_len <= MD5_DIGEST_LENGTH) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_BAD_KEY_LENGTH); return 0; } rc4_ctx = OPENSSL_malloc(sizeof(struct aead_rc4_md5_tls_ctx)); if (rc4_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, ERR_R_MALLOC_FAILURE); return 0; } memset(rc4_ctx, 0, sizeof(struct aead_rc4_md5_tls_ctx)); @@ -185,22 +185,22 @@ static int aead_rc4_md5_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t digest[MD5_DIGEST_LENGTH]; if (in_len + rc4_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_IV_TOO_LARGE); return 0; } if (max_out_len < in_len + rc4_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE); return 0; } @@ -288,21 +288,21 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t digest[MD5_DIGEST_LENGTH]; if (in_len < rc4_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - rc4_ctx->tag_len; if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -366,7 +366,7 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, MD5_Final(digest, &md); if (CRYPTO_memcmp(out + plaintext_len, digest, rc4_ctx->tag_len)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_ssl3.c b/src/crypto/cipher/e_ssl3.c index 389c52f..1031d9b 100644 --- a/src/crypto/cipher/e_ssl3.c +++ b/src/crypto/cipher/e_ssl3.c @@ -85,12 +85,12 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, const EVP_CIPHER *cipher, const EVP_MD *md) { if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } if (key_len != EVP_AEAD_key_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_BAD_KEY_LENGTH); return 0; } @@ -102,7 +102,7 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX)); if (ssl3_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, ERR_R_MALLOC_FAILURE); return 0; } EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx); @@ -133,29 +133,29 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!ssl3_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION); return 0; } if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_IV_TOO_LARGE); return 0; } if (ad_len != 11 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_AD_SIZE); return 0; } @@ -217,36 +217,36 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (ssl3_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION); return 0; } size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx); if (in_len < mac_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE); return 0; } if (ad_len != 11 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_AD_SIZE); return 0; } if (in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE); return 0; } @@ -270,12 +270,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) { unsigned padding_length = out[total - 1]; if (total < padding_length + 1 + mac_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); return 0; } /* The padding must be minimal. */ if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); return 0; } data_len = total - padding_length - 1 - mac_len; @@ -289,7 +289,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, return 0; } if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); return 0; } @@ -340,13 +340,6 @@ static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, EVP_sha1()); } -static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, - size_t key_len, size_t tag_len, - enum evp_aead_direction_t dir) { - return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), - EVP_sha1()); -} - static const EVP_AEAD aead_rc4_md5_ssl3 = { MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */ 0, /* nonce len */ @@ -412,19 +405,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = { NULL, /* get_rc4_state */ }; -static const EVP_AEAD aead_null_sha1_ssl3 = { - SHA_DIGEST_LENGTH, /* key len */ - 0, /* nonce len */ - SHA_DIGEST_LENGTH, /* overhead (SHA1) */ - SHA_DIGEST_LENGTH, /* max tag length */ - NULL, /* init */ - aead_null_sha1_ssl3_init, - aead_ssl3_cleanup, - aead_ssl3_seal, - aead_ssl3_open, - NULL, /* get_rc4_state */ -}; - const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; } const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void) { return &aead_rc4_sha1_ssl3; } @@ -440,5 +420,3 @@ const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) { return &aead_des_ede3_cbc_sha1_ssl3; } - -const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; } diff --git a/src/crypto/cipher/e_tls.c b/src/crypto/cipher/e_tls.c index 2778881..bed02cb 100644 --- a/src/crypto/cipher/e_tls.c +++ b/src/crypto/cipher/e_tls.c @@ -57,12 +57,12 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, char implicit_iv) { if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } if (key_len != EVP_AEAD_key_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_BAD_KEY_LENGTH); return 0; } @@ -75,7 +75,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX)); if (tls_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, ERR_R_MALLOC_FAILURE); return 0; } EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx); @@ -109,7 +109,7 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!tls_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION); return 0; } @@ -117,22 +117,22 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_NONCE_SIZE); return 0; } if (ad_len != 13 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_AD_SIZE); return 0; } @@ -214,36 +214,36 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (tls_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION); return 0; } if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_NONCE_SIZE); return 0; } if (ad_len != 13 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_AD_SIZE); return 0; } if (in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_TOO_LARGE); return 0; } @@ -278,7 +278,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, (unsigned)HMAC_size(&tls_ctx->hmac_ctx)); /* Publicly invalid. This can be rejected in non-constant time. */ if (padding_ok == 0) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); return 0; } } else { @@ -312,7 +312,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len, ad_fixed, out, data_plus_mac_len, total, tls_ctx->mac_key, tls_ctx->mac_key_len)) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); return 0; } assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); @@ -349,7 +349,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 0); good &= constant_time_eq_int(padding_ok, 1); if (!good) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); return 0; } @@ -444,13 +444,6 @@ static int aead_rc4_sha1_tls_get_rc4_state(const EVP_AEAD_CTX *ctx, return 1; } -static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, - size_t key_len, size_t tag_len, - enum evp_aead_direction_t dir) { - return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), - EVP_sha1(), 1 /* implicit iv */); -} - static const EVP_AEAD aead_rc4_sha1_tls = { SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */ 0, /* nonce len */ @@ -581,19 +574,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = { NULL, /* get_rc4_state */ }; -static const EVP_AEAD aead_null_sha1_tls = { - SHA_DIGEST_LENGTH, /* key len */ - 0, /* nonce len */ - SHA_DIGEST_LENGTH, /* overhead (SHA1) */ - SHA_DIGEST_LENGTH, /* max tag length */ - NULL, /* init */ - aead_null_sha1_tls_init, - aead_tls_cleanup, - aead_tls_seal, - aead_tls_open, - NULL, /* get_rc4_state */ -}; - const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; } const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) { @@ -631,5 +611,3 @@ const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) { return &aead_des_ede3_cbc_sha1_tls_implicit_iv; } - -const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; } diff --git a/src/crypto/cipher/test/aes_128_gcm_tests.txt b/src/crypto/cipher/test/aes_128_gcm_tests.txt index 75466fe..5f7ad35 100644 --- a/src/crypto/cipher/test/aes_128_gcm_tests.txt +++ b/src/crypto/cipher/test/aes_128_gcm_tests.txt @@ -418,9 +418,3 @@ AD: 18e2ed6d500b176e49f7e1b5074c0b7dbfdefdf00a63d9fa2fea8c5e78a1c4ae00f17b234429 CT: 5f3627bd53f8da0bbe6f3c9246d6f96fe9abb91cdecf66ddd42f833d98f4d4634c2e1e1ad4088c84c22191bdb9d99ef227320e455dd112c4a9e9cca95724fcc9ae024ed12bf60a802d0b87b99d9bf22590786567c2962171d2b05bec9754c627608e9eba7bccc70540aa4da72e1e04b26d8f968b10230f707501c0091a8ac118f86e87aae1ac00257aee29c3345bd3839154977acd378fc1b2197f5c1fd8e12262f9c2974fb92dc481eeb51aadd44a8851f61b93a84ba57f2870df0423d289bfdcfe634f9ecb7d7c6110a95b49418a2dd6663377690275c205b3efa79a0a77c92567fb429d8ee437312a39df7516dc238f7b9414938223d7ec24d256d3fb3a5954a7c75dbd79486d49ba6bb38a7ccce0f58700260b71319adf98ab8684e34913abe2d9d97193e2 TAG: e690e89af39ff367f5d40a1b7c7ccd4f -KEY: 31323334353637383930313233343536 -NONCE: 31323334353637383930313233343536 -IN: 48656c6c6f2c20576f726c64 -AD: -CT: cec189d0e8419b90fb16d555 -TAG: 32893832a8d609224d77c2e56a922282 diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_test.txt index 21fffdb..93cb8f3 100644 --- a/src/crypto/cipher/test/cipher_test.txt +++ b/src/crypto/cipher/test/cipher_test.txt @@ -38,22 +38,6 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 -# DES EDE CBC tests -Cipher = DES-EDE-CBC -Key = 0123456789abcdeff1e0d3c2b5a49786 -IV = fedcba9876543210 -Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 -Ciphertext = 7948C0DA4FE91CD815DCA96DBC9B60A857EB954F4DEB08EB98722642AE69257B - - -# DES EDE tests -Cipher = DES-EDE -Key = 0123456789abcdeff1e0d3c2b5a49786 -IV = fedcba9876543210 -Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 -Ciphertext = 22E889402E28422F8167AD279D90A566DA75B734E12C671FC2669AECB3E4FE8F - - # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) Cipher = AES-128-ECB Key = 000102030405060708090A0B0C0D0E0F @@ -376,13 +360,6 @@ Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3d AAD = 00000000000000000000000000000000101112131415161718191a1b1c1d1e1f Tag = 3b629ccfbc1119b7319e1dce2cd6fd6d -Cipher = AES-128-GCM -Key = 31323334353637383930313233343536 -IV = 31323334353637383930313233343536 -Plaintext = 48656c6c6f2c20576f726c64 -Ciphertext = cec189d0e8419b90fb16d555 -Tag = 32893832a8d609224d77c2e56a922282 -AAD = # OFB tests from OpenSSL upstream. @@ -558,40 +535,3 @@ Cipher = AES-192-ECB Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 Ciphertext = 9A4B41BA738D6C72FB16691603C18E0E - -# DES ECB tests - -Cipher = DES-ECB -Key = 0000000000000000 -Plaintext = 0000000000000000 -Ciphertext = 8CA64DE9C1B123A7 - -Cipher = DES-ECB -Key = FFFFFFFFFFFFFFFF -Plaintext = FFFFFFFFFFFFFFFF -Ciphertext = 7359B2163E4EDC58 - -Cipher = DES-ECB -Key = 3000000000000000 -Plaintext = 1000000000000001 -Ciphertext = 958E6E627A05557B - -Cipher = DES-ECB -Key = 1111111111111111 -Plaintext = 1111111111111111 -Ciphertext = F40379AB9E0EC533 - -Cipher = DES-ECB -Key = 0123456789ABCDEF -Plaintext = 1111111111111111 -Ciphertext = 17668DFC7292532D - -Cipher = DES-ECB -Key = 1111111111111111 -Plaintext = 0123456789ABCDEF -Ciphertext = 8A5AE1F81AB8F2DD - -Cipher = DES-ECB -Key = FEDCBA9876543210 -Plaintext = 0123456789ABCDEF -Ciphertext = ED39D950FA74BCC4 -- cgit v1.1 From b8494591d1b1a143f3b192d845c238bbf3bc629d Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Fri, 25 Sep 2015 02:29:14 +0000 Subject: Revert "Revert "external/boringssl: sync with upstream."" This reverts commit a04d78d392463df4e69a64360c952ffa5abd22f7. Underlying issue was fixed. Change-Id: I49685b653d16e728eb38e79e02b2c33ddeefed88 --- src/crypto/cipher/CMakeLists.txt | 2 +- src/crypto/cipher/aead.c | 15 ++-- src/crypto/cipher/aead_test.cc | 62 +++++++-------- src/crypto/cipher/cipher.c | 41 +++++----- src/crypto/cipher/cipher_test.cc | 57 ++++++++++---- src/crypto/cipher/e_aes.c | 108 ++++++++++----------------- src/crypto/cipher/e_chacha20poly1305.c | 22 +++--- src/crypto/cipher/e_des.c | 78 ++++++++++++++++++- src/crypto/cipher/e_rc2.c | 27 ++++++- src/crypto/cipher/e_rc4.c | 22 +++--- src/crypto/cipher/e_ssl3.c | 56 +++++++++----- src/crypto/cipher/e_tls.c | 56 +++++++++----- src/crypto/cipher/test/aes_128_gcm_tests.txt | 6 ++ src/crypto/cipher/test/cipher_test.txt | 60 +++++++++++++++ 14 files changed, 407 insertions(+), 205 deletions(-) (limited to 'src/crypto/cipher') diff --git a/src/crypto/cipher/CMakeLists.txt b/src/crypto/cipher/CMakeLists.txt index 2775698..6b4c729 100644 --- a/src/crypto/cipher/CMakeLists.txt +++ b/src/crypto/cipher/CMakeLists.txt @@ -1,4 +1,4 @@ -include_directories(. .. ../../include) +include_directories(../../include) add_library( cipher diff --git a/src/crypto/cipher/aead.c b/src/crypto/cipher/aead.c index 20d699d..7e747f8 100644 --- a/src/crypto/cipher/aead.c +++ b/src/crypto/cipher/aead.c @@ -30,11 +30,15 @@ size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; } size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; } +void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) { + memset(ctx, 0, sizeof(EVP_AEAD_CTX)); +} + int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len, ENGINE *impl) { if (!aead->init) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_NO_DIRECTION_SET); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET); ctx->aead = NULL; return 0; } @@ -47,8 +51,7 @@ int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, size_t tag_len, enum evp_aead_direction_t dir) { if (key_len != aead->key_len) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init_with_direction, - CIPHER_R_UNSUPPORTED_KEY_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE); ctx->aead = NULL; return 0; } @@ -101,12 +104,12 @@ int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t possible_out_len = in_len + ctx->aead->overhead; if (possible_out_len < in_len /* overflow */) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); goto error; } if (!check_alias(in, in_len, out)) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_OUTPUT_ALIASES_INPUT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; } @@ -128,7 +131,7 @@ int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len) { if (!check_alias(in, in_len, out)) { - OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_open, CIPHER_R_OUTPUT_ALIASES_INPUT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; } diff --git a/src/crypto/cipher/aead_test.cc b/src/crypto/cipher/aead_test.cc index e4b75d6..baaee9e 100644 --- a/src/crypto/cipher/aead_test.cc +++ b/src/crypto/cipher/aead_test.cc @@ -22,6 +22,7 @@ #include #include "../test/file_test.h" +#include "../test/scoped_types.h" #include "../test/stl_compat.h" @@ -35,18 +36,6 @@ // CT: 5294265a60 // TAG: 1d45758621762e061368e68868e2f929 -// EVP_AEAD_CTX lacks a zero state, so it doesn't fit easily into -// ScopedOpenSSLContext. -class EVP_AEAD_CTXScoper { - public: - EVP_AEAD_CTXScoper(EVP_AEAD_CTX *ctx) : ctx_(ctx) {} - ~EVP_AEAD_CTXScoper() { - EVP_AEAD_CTX_cleanup(ctx_); - } - private: - EVP_AEAD_CTX *ctx_; -}; - static bool TestAEAD(FileTest *t, void *arg) { const EVP_AEAD *aead = reinterpret_cast(arg); @@ -60,20 +49,19 @@ static bool TestAEAD(FileTest *t, void *arg) { return false; } - EVP_AEAD_CTX ctx; - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_seal)) { + ScopedEVP_AEAD_CTX ctx; + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_seal)) { t->PrintLine("Failed to init AEAD."); return false; } - EVP_AEAD_CTXScoper cleanup(&ctx); std::vector out(in.size() + EVP_AEAD_max_overhead(aead)); if (!t->HasAttribute("NO_SEAL")) { size_t out_len; - if (!EVP_AEAD_CTX_seal(&ctx, bssl::vector_data(&out), &out_len, out.size(), - bssl::vector_data(&nonce), nonce.size(), + if (!EVP_AEAD_CTX_seal(ctx.get(), bssl::vector_data(&out), &out_len, + out.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&in), in.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Failed to run AEAD."); @@ -101,17 +89,17 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - EVP_AEAD_CTX_cleanup(&ctx); - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_open)) { + ctx.Reset(); + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } std::vector out2(out.size()); size_t out2_len; - int ret = EVP_AEAD_CTX_open(&ctx, + int ret = EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), @@ -137,10 +125,10 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - EVP_AEAD_CTX_cleanup(&ctx); - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_open)) { + ctx.Reset(); + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } @@ -148,8 +136,8 @@ static bool TestAEAD(FileTest *t, void *arg) { // Garbage at the end isn't ignored. out.push_back(0); out2.resize(out.size()); - if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), - bssl::vector_data(&nonce), nonce.size(), + if (EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, + out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Decrypted bad data with trailing garbage."); @@ -159,10 +147,10 @@ static bool TestAEAD(FileTest *t, void *arg) { // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be // reset after each operation. - EVP_AEAD_CTX_cleanup(&ctx); - if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key), - key.size(), tag.size(), - evp_aead_open)) { + ctx.Reset(); + if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, + bssl::vector_data(&key), key.size(), + tag.size(), evp_aead_open)) { t->PrintLine("Failed to init AEAD."); return false; } @@ -171,8 +159,8 @@ static bool TestAEAD(FileTest *t, void *arg) { out[0] ^= 0x80; out.resize(out.size() - 1); out2.resize(out.size()); - if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(), - bssl::vector_data(&nonce), nonce.size(), + if (EVP_AEAD_CTX_open(ctx.get(), bssl::vector_data(&out2), &out2_len, + out2.size(), bssl::vector_data(&nonce), nonce.size(), bssl::vector_data(&out), out.size(), bssl::vector_data(&ad), ad.size())) { t->PrintLine("Decrypted bad data with corrupted byte."); @@ -200,6 +188,7 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { fprintf(stderr, "A silly tag length didn't trigger an error!\n"); return 0; } + ERR_clear_error(); /* Running a second, failed _init should not cause a memory leak. */ if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len, @@ -208,6 +197,7 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { fprintf(stderr, "A silly tag length didn't trigger an error!\n"); return 0; } + ERR_clear_error(); /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a * no-op. */ diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c index 400c3f5..4401867 100644 --- a/src/crypto/cipher/cipher.c +++ b/src/crypto/cipher/cipher.c @@ -68,12 +68,18 @@ const EVP_CIPHER *EVP_get_cipherbynid(int nid) { switch (nid) { + case NID_rc2_cbc: + return EVP_rc2_cbc(); + case NID_rc2_40_cbc: + return EVP_rc2_40_cbc(); case NID_des_ede3_cbc: return EVP_des_ede3_cbc(); case NID_des_ede_cbc: return EVP_des_cbc(); case NID_aes_128_cbc: return EVP_aes_128_cbc(); + case NID_aes_192_cbc: + return EVP_aes_192_cbc(); case NID_aes_256_cbc: return EVP_aes_256_cbc(); default: @@ -115,7 +121,7 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if (in == NULL || in->cipher == NULL) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, CIPHER_R_INPUT_NOT_INITIALIZED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); return 0; } @@ -125,7 +131,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if (in->cipher_data && in->cipher->ctx_size) { out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); if (!out->cipher_data) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); @@ -165,7 +171,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); if (!ctx->cipher_data) { ctx->cipher = NULL; - OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } } else { @@ -178,12 +184,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; - OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_INITIALIZATION_ERROR); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); return 0; } } } else if (!ctx->cipher) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_NO_CIPHER_SET); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); return 0; } @@ -338,8 +344,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { bl = ctx->buf_len; if (ctx->flags & EVP_CIPH_NO_PADDING) { if (bl) { - OPENSSL_PUT_ERROR(CIPHER, EVP_EncryptFinal_ex, - CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *out_len = 0; @@ -434,8 +439,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { b = ctx->cipher->block_size; if (ctx->flags & EVP_CIPH_NO_PADDING) { if (ctx->buf_len) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, - CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *out_len = 0; @@ -444,8 +448,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { if (b > 1) { if (ctx->buf_len || !ctx->final_used) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, - CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); return 0; } assert(b <= sizeof(ctx->final)); @@ -454,13 +457,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { * Otherwise it provides a padding oracle. */ n = ctx->final[b - 1]; if (n == 0 || n > (int)b) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } for (i = 0; i < n; i++) { if (ctx->final[--b] != n) { - OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } } @@ -538,19 +541,18 @@ uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { int ret; if (!ctx->cipher) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_NO_CIPHER_SET); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); return 0; } if (!ctx->cipher->ctrl) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_CTRL_NOT_IMPLEMENTED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED); return 0; } ret = ctx->cipher->ctrl(ctx, command, arg, ptr); if (ret == -1) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, - CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); return 0; } @@ -572,8 +574,7 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { } if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { - OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_set_key_length, - CIPHER_R_INVALID_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH); return 0; } @@ -630,7 +631,7 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) { return EVP_rc4(); } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) { return EVP_des_cbc(); - } else if (OPENSSL_strcasecmp(name, "3des-cbc") == 0 || + } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 || OPENSSL_strcasecmp(name, "3des") == 0) { return EVP_des_ede3_cbc(); } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) { diff --git a/src/crypto/cipher/cipher_test.cc b/src/crypto/cipher/cipher_test.cc index 97a84e0..5f04178 100644 --- a/src/crypto/cipher/cipher_test.cc +++ b/src/crypto/cipher/cipher_test.cc @@ -69,6 +69,12 @@ static const EVP_CIPHER *GetCipher(const std::string &name) { if (name == "DES-CBC") { return EVP_des_cbc(); + } else if (name == "DES-ECB") { + return EVP_des_ecb(); + } else if (name == "DES-EDE") { + return EVP_des_ede(); + } else if (name == "DES-EDE-CBC") { + return EVP_des_ede_cbc(); } else if (name == "DES-EDE3-CBC") { return EVP_des_ede3_cbc(); } else if (name == "RC4") { @@ -104,6 +110,7 @@ static const EVP_CIPHER *GetCipher(const std::string &name) { static bool TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt, + bool streaming, const std::vector &key, const std::vector &iv, const std::vector &plaintext, @@ -160,11 +167,29 @@ static bool TestOperation(FileTest *t, (!aad.empty() && !EVP_CipherUpdate(ctx.get(), nullptr, &unused, bssl::vector_data(&aad), aad.size())) || - !EVP_CIPHER_CTX_set_padding(ctx.get(), 0) || - (!in->empty() && - !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), &result_len1, - bssl::vector_data(in), in->size())) || - !EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, + !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) { + t->PrintLine("Operation failed."); + return false; + } + if (streaming) { + for (size_t i = 0; i < in->size(); i++) { + uint8_t c = (*in)[i]; + int len; + if (!EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result) + result_len1, + &len, &c, 1)) { + t->PrintLine("Operation failed."); + return false; + } + result_len1 += len; + } + } else if (!in->empty() && + !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result), + &result_len1, bssl::vector_data(in), + in->size())) { + t->PrintLine("Operation failed."); + return false; + } + if (!EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1, &result_len2)) { t->PrintLine("Operation failed."); return false; @@ -236,15 +261,21 @@ static bool TestCipher(FileTest *t, void *arg) { } // By default, both directions are run, unless overridden by the operation. - if (operation != kDecrypt && - !TestOperation(t, cipher, true /* encrypt */, key, iv, plaintext, - ciphertext, aad, tag)) { - return false; + if (operation != kDecrypt) { + if (!TestOperation(t, cipher, true /* encrypt */, false /* single-shot */, + key, iv, plaintext, ciphertext, aad, tag) || + !TestOperation(t, cipher, true /* encrypt */, true /* streaming */, key, + iv, plaintext, ciphertext, aad, tag)) { + return false; + } } - if (operation != kEncrypt && - !TestOperation(t, cipher, false /* decrypt */, key, iv, plaintext, - ciphertext, aad, tag)) { - return false; + if (operation != kEncrypt) { + if (!TestOperation(t, cipher, false /* decrypt */, false /* single-shot */, + key, iv, plaintext, ciphertext, aad, tag) || + !TestOperation(t, cipher, false /* decrypt */, true /* streaming */, + key, iv, plaintext, ciphertext, aad, tag)) { + return false; + } } return true; diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c index 41d0aec..e8905f6 100644 --- a/src/crypto/cipher/e_aes.c +++ b/src/crypto/cipher/e_aes.c @@ -64,7 +64,7 @@ #include "../modes/internal.h" #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) -#include "../arm_arch.h" +#include #endif @@ -98,8 +98,6 @@ typedef struct { #if !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_X86_64) || defined(OPENSSL_X86)) #define VPAES -extern unsigned int OPENSSL_ia32cap_P[]; - static char vpaes_capable(void) { return (OPENSSL_ia32cap_P[1] & (1 << (41 - 32))) != 0; } @@ -113,7 +111,6 @@ static char bsaes_capable(void) { #elif !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) -#include "../arm_arch.h" #if defined(OPENSSL_ARM) && __ARM_MAX_ARCH__ >= 7 #define BSAES @@ -338,7 +335,7 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, } if (ret < 0) { - OPENSSL_PUT_ERROR(CIPHER, aes_init_key, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -711,7 +708,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, } else { if (!ctx->encrypt) { if (gctx->taglen < 0 || - !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) { + !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) { return -1; } gctx->iv_set = 0; @@ -853,7 +850,7 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, } if (ret < 0) { - OPENSSL_PUT_ERROR(CIPHER, aesni_init_key, CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1066,7 +1063,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, const size_t key_bits = key_len * 8; if (key_bits != 128 && key_bits != 256) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1075,7 +1072,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_TAG_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); return 0; } @@ -1108,12 +1105,12 @@ static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, GCM128_CONTEXT gcm; if (in_len + gcm_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + gcm_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -1152,14 +1149,14 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, GCM128_CONTEXT gcm; if (in_len < gcm_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - gcm_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -1185,7 +1182,7 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); if (CRYPTO_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1239,7 +1236,7 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key, const size_t key_bits = key_len * 8; if (key_bits != 128 && key_bits != 256) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1248,14 +1245,13 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, - CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } kw_ctx = OPENSSL_malloc(sizeof(struct aead_aes_key_wrap_ctx)); if (kw_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } @@ -1293,8 +1289,7 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t A[AES_BLOCK_SIZE]; if (ad_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE); return 0; } @@ -1304,14 +1299,12 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (nonce_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } if (in_len % 8 != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } @@ -1320,32 +1313,29 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, * conservatively cap it to 2^32-16 to stop 32-bit platforms complaining that * a comparison is always true. */ if (in_len > 0xfffffff0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } n = in_len / 8; if (n < 2) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } if (in_len + 8 < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (AES_set_encrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, - CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1388,8 +1378,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t A[AES_BLOCK_SIZE]; if (ad_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_UNSUPPORTED_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE); return 0; } @@ -1399,14 +1388,12 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (nonce_len != 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } if (in_len % 8 != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_UNSUPPORTED_INPUT_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE); return 0; } @@ -1415,26 +1402,24 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, * conservatively cap it to 2^32-8 to stop 32-bit platforms complaining that * a comparison is always true. */ if (in_len > 0xfffffff8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (in_len < 24) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } n = (in_len / 8) - 1; if (max_out_len < in_len - 8) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (AES_set_decrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, - CIPHER_R_AES_KEY_SETUP_FAILED); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); return 0; } @@ -1457,7 +1442,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } if (CRYPTO_memcmp(A, nonce, 8) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1541,15 +1526,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key, static const size_t hmac_key_len = 32; if (key_len < hmac_key_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } const size_t aes_key_len = key_len - hmac_key_len; if (aes_key_len != 16 && aes_key_len != 32) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; /* EVP_AEAD_CTX_init should catch this. */ } @@ -1558,15 +1541,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - CIPHER_R_TAG_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); return 0; } aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx)); if (aes_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init, - ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } @@ -1666,20 +1647,17 @@ static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (in_len + aes_ctx->tag_len < in_len || /* This input is so large it would overflow the 32-bit block counter. */ in_len_64 >= (OPENSSL_U64(1) << 32) * AES_BLOCK_SIZE) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, - CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + aes_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } @@ -1703,22 +1681,19 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t plaintext_len; if (in_len < aes_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - aes_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_UNSUPPORTED_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); return 0; } @@ -1727,8 +1702,7 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out, &aes_ctx->outer_init_state, ad, ad_len, nonce, in, plaintext_len); if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open, - CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_chacha20poly1305.c b/src/crypto/cipher/e_chacha20poly1305.c index ebf0088..9dda1b0 100644 --- a/src/crypto/cipher/e_chacha20poly1305.c +++ b/src/crypto/cipher/e_chacha20poly1305.c @@ -42,7 +42,7 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key, } if (tag_len > POLY1305_TAG_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_init, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -107,23 +107,22 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ if (in_len_64 >= (1ull << 32) * 64 - 64) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (in_len + c20_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + c20_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != CHACHA20_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } @@ -156,7 +155,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, const uint64_t in_len_64 = in_len; if (in_len < c20_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -168,20 +167,19 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ if (in_len_64 >= (1ull << 32) * 64 - 64) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (nonce_len != CHACHA20_NONCE_LEN) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } plaintext_len = in_len - c20_ctx->tag_len; if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, - CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -195,7 +193,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out, CRYPTO_poly1305_finish(&poly1305, mac); if (CRYPTO_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_des.c b/src/crypto/cipher/e_des.c index 74e1fce..b1d312c 100644 --- a/src/crypto/cipher/e_des.c +++ b/src/crypto/cipher/e_des.c @@ -96,6 +96,31 @@ static const EVP_CIPHER des_cbc = { const EVP_CIPHER *EVP_des_cbc(void) { return &des_cbc; } +static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, + size_t in_len) { + if (in_len < ctx->cipher->block_size) { + return 1; + } + in_len -= ctx->cipher->block_size; + + EVP_DES_KEY *dat = (EVP_DES_KEY *) ctx->cipher_data; + size_t i; + for (i = 0; i <= in_len; i += ctx->cipher->block_size) { + DES_ecb_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), + &dat->ks.ks, ctx->encrypt); + } + return 1; +} + +static const EVP_CIPHER des_ecb = { + NID_des_ecb, 8 /* block_size */, 8 /* key_size */, + 0 /* iv_len */, sizeof(EVP_DES_KEY), EVP_CIPH_ECB_MODE, + NULL /* app_data */, des_init_key, des_ecb_cipher, + NULL /* cleanup */, NULL /* ctrl */, }; + +const EVP_CIPHER *EVP_des_ecb(void) { return &des_ecb; } + + typedef struct { union { double align; @@ -126,10 +151,57 @@ static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, return 1; } -static const EVP_CIPHER des3_cbc = { - NID_des_cbc, 8 /* block_size */, 24 /* key_size */, +static const EVP_CIPHER des_ede3_cbc = { + NID_des_ede3_cbc, 8 /* block_size */, 24 /* key_size */, 8 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE, NULL /* app_data */, des_ede3_init_key, des_ede3_cbc_cipher, NULL /* cleanup */, NULL /* ctrl */, }; -const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &des3_cbc; } +const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &des_ede3_cbc; } + + +static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, + const uint8_t *iv, int enc) { + DES_cblock *deskey = (DES_cblock *) key; + DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; + + DES_set_key(&deskey[0], &dat->ks.ks[0]); + DES_set_key(&deskey[1], &dat->ks.ks[1]); + DES_set_key(&deskey[0], &dat->ks.ks[2]); + + return 1; +} + +static const EVP_CIPHER des_ede_cbc = { + NID_des_ede_cbc, 8 /* block_size */, 16 /* key_size */, + 8 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE, + NULL /* app_data */, des_ede_init_key , des_ede3_cbc_cipher, + NULL /* cleanup */, NULL /* ctrl */, }; + +const EVP_CIPHER *EVP_des_ede_cbc(void) { return &des_ede_cbc; } + + +static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, + const uint8_t *in, size_t in_len) { + if (in_len < ctx->cipher->block_size) { + return 1; + } + in_len -= ctx->cipher->block_size; + + DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; + size_t i; + for (i = 0; i <= in_len; i += ctx->cipher->block_size) { + DES_ecb3_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), + &dat->ks.ks[0], &dat->ks.ks[1], &dat->ks.ks[2], + ctx->encrypt); + } + return 1; +} + +static const EVP_CIPHER des_ede_ecb = { + NID_des_ede_cbc, 8 /* block_size */, 16 /* key_size */, + 0 /* iv_len */, sizeof(DES_EDE_KEY), EVP_CIPH_ECB_MODE, + NULL /* app_data */, des_ede_init_key , des_ede_ecb_cipher, + NULL /* cleanup */, NULL /* ctrl */, }; + +const EVP_CIPHER *EVP_des_ede(void) { return &des_ede_ecb; } diff --git a/src/crypto/cipher/e_rc2.c b/src/crypto/cipher/e_rc2.c index c90ab93..8ca7bba 100644 --- a/src/crypto/cipher/e_rc2.c +++ b/src/crypto/cipher/e_rc2.c @@ -395,13 +395,18 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { case EVP_CTRL_INIT: key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8; return 1; + case EVP_CTRL_SET_RC2_KEY_BITS: + /* Should be overridden by later call to |EVP_CTRL_INIT|, but + * people call it, so it may as well work. */ + key->key_bits = arg; + return 1; default: return -1; } } -static const EVP_CIPHER rc2_40_cbc_cipher = { +static const EVP_CIPHER rc2_40_cbc = { NID_rc2_40_cbc, 8 /* block size */, 5 /* 40 bit */, @@ -416,5 +421,23 @@ static const EVP_CIPHER rc2_40_cbc_cipher = { }; const EVP_CIPHER *EVP_rc2_40_cbc(void) { - return &rc2_40_cbc_cipher; + return &rc2_40_cbc; +} + +static const EVP_CIPHER rc2_cbc = { + NID_rc2_cbc, + 8 /* block size */, + 16 /* 128 bit */, + 8 /* iv len */, + sizeof(EVP_RC2_KEY), + EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, + NULL /* app_data */, + rc2_init_key, + rc2_cbc_cipher, + NULL, + rc2_ctrl, +}; + +const EVP_CIPHER *EVP_rc2_cbc(void) { + return &rc2_cbc; } diff --git a/src/crypto/cipher/e_rc4.c b/src/crypto/cipher/e_rc4.c index 80dea36..e05b9fd 100644 --- a/src/crypto/cipher/e_rc4.c +++ b/src/crypto/cipher/e_rc4.c @@ -115,20 +115,20 @@ aead_rc4_md5_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, } if (tag_len > MD5_DIGEST_LENGTH) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } /* The keys consists of |MD5_DIGEST_LENGTH| bytes of HMAC(MD5) key followed * by some number of bytes of RC4 key. */ if (key_len <= MD5_DIGEST_LENGTH) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; } rc4_ctx = OPENSSL_malloc(sizeof(struct aead_rc4_md5_tls_ctx)); if (rc4_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } memset(rc4_ctx, 0, sizeof(struct aead_rc4_md5_tls_ctx)); @@ -185,22 +185,22 @@ static int aead_rc4_md5_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t digest[MD5_DIGEST_LENGTH]; if (in_len + rc4_ctx->tag_len < in_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } if (max_out_len < in_len + rc4_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -288,21 +288,21 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t digest[MD5_DIGEST_LENGTH]; if (in_len < rc4_ctx->tag_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } plaintext_len = in_len - rc4_ctx->tag_len; if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } @@ -366,7 +366,7 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, MD5_Final(digest, &md); if (CRYPTO_memcmp(out + plaintext_len, digest, rc4_ctx->tag_len)) { - OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/src/crypto/cipher/e_ssl3.c b/src/crypto/cipher/e_ssl3.c index 1031d9b..389c52f 100644 --- a/src/crypto/cipher/e_ssl3.c +++ b/src/crypto/cipher/e_ssl3.c @@ -85,12 +85,12 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, const EVP_CIPHER *cipher, const EVP_MD *md) { if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } if (key_len != EVP_AEAD_key_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; } @@ -102,7 +102,7 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX)); if (ssl3_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx); @@ -133,29 +133,29 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!ssl3_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_IV_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE); return 0; } if (ad_len != 11 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } @@ -217,36 +217,36 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (ssl3_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx); if (in_len < mac_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (ad_len != 11 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } if (in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -270,12 +270,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) { unsigned padding_length = out[total - 1]; if (total < padding_length + 1 + mac_len) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } /* The padding must be minimal. */ if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } data_len = total - padding_length - 1 - mac_len; @@ -289,7 +289,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out, return 0; } if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -340,6 +340,13 @@ static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, EVP_sha1()); } +static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, + size_t key_len, size_t tag_len, + enum evp_aead_direction_t dir) { + return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), + EVP_sha1()); +} + static const EVP_AEAD aead_rc4_md5_ssl3 = { MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */ 0, /* nonce len */ @@ -405,6 +412,19 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = { NULL, /* get_rc4_state */ }; +static const EVP_AEAD aead_null_sha1_ssl3 = { + SHA_DIGEST_LENGTH, /* key len */ + 0, /* nonce len */ + SHA_DIGEST_LENGTH, /* overhead (SHA1) */ + SHA_DIGEST_LENGTH, /* max tag length */ + NULL, /* init */ + aead_null_sha1_ssl3_init, + aead_ssl3_cleanup, + aead_ssl3_seal, + aead_ssl3_open, + NULL, /* get_rc4_state */ +}; + const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; } const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void) { return &aead_rc4_sha1_ssl3; } @@ -420,3 +440,5 @@ const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) { return &aead_des_ede3_cbc_sha1_ssl3; } + +const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; } diff --git a/src/crypto/cipher/e_tls.c b/src/crypto/cipher/e_tls.c index bed02cb..2778881 100644 --- a/src/crypto/cipher/e_tls.c +++ b/src/crypto/cipher/e_tls.c @@ -57,12 +57,12 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, char implicit_iv) { if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && tag_len != EVP_MD_size(md)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); return 0; } if (key_len != EVP_AEAD_key_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_BAD_KEY_LENGTH); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; } @@ -75,7 +75,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX)); if (tls_ctx == NULL) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, ERR_R_MALLOC_FAILURE); + OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); return 0; } EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx); @@ -109,7 +109,7 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!tls_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } @@ -117,22 +117,22 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; } if (ad_len != 13 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } @@ -214,36 +214,36 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (tls_ctx->cipher_ctx.encrypt) { /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); return 0; } if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } if (max_out_len < in_len) { /* This requires that the caller provide space for the MAC, even though it * will always be removed on return. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BUFFER_TOO_SMALL); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); return 0; } if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_NONCE_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; } if (ad_len != 13 - 2 /* length bytes */) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_AD_SIZE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); return 0; } if (in_len > INT_MAX) { /* EVP_CIPHER takes int as input. */ - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_TOO_LARGE); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -278,7 +278,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, (unsigned)HMAC_size(&tls_ctx->hmac_ctx)); /* Publicly invalid. This can be rejected in non-constant time. */ if (padding_ok == 0) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } } else { @@ -312,7 +312,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len, ad_fixed, out, data_plus_mac_len, total, tls_ctx->mac_key, tls_ctx->mac_key_len)) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); @@ -349,7 +349,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 0); good &= constant_time_eq_int(padding_ok, 1); if (!good) { - OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT); + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -444,6 +444,13 @@ static int aead_rc4_sha1_tls_get_rc4_state(const EVP_AEAD_CTX *ctx, return 1; } +static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, + size_t key_len, size_t tag_len, + enum evp_aead_direction_t dir) { + return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), + EVP_sha1(), 1 /* implicit iv */); +} + static const EVP_AEAD aead_rc4_sha1_tls = { SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */ 0, /* nonce len */ @@ -574,6 +581,19 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = { NULL, /* get_rc4_state */ }; +static const EVP_AEAD aead_null_sha1_tls = { + SHA_DIGEST_LENGTH, /* key len */ + 0, /* nonce len */ + SHA_DIGEST_LENGTH, /* overhead (SHA1) */ + SHA_DIGEST_LENGTH, /* max tag length */ + NULL, /* init */ + aead_null_sha1_tls_init, + aead_tls_cleanup, + aead_tls_seal, + aead_tls_open, + NULL, /* get_rc4_state */ +}; + const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; } const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) { @@ -611,3 +631,5 @@ const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) { return &aead_des_ede3_cbc_sha1_tls_implicit_iv; } + +const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; } diff --git a/src/crypto/cipher/test/aes_128_gcm_tests.txt b/src/crypto/cipher/test/aes_128_gcm_tests.txt index 5f7ad35..75466fe 100644 --- a/src/crypto/cipher/test/aes_128_gcm_tests.txt +++ b/src/crypto/cipher/test/aes_128_gcm_tests.txt @@ -418,3 +418,9 @@ AD: 18e2ed6d500b176e49f7e1b5074c0b7dbfdefdf00a63d9fa2fea8c5e78a1c4ae00f17b234429 CT: 5f3627bd53f8da0bbe6f3c9246d6f96fe9abb91cdecf66ddd42f833d98f4d4634c2e1e1ad4088c84c22191bdb9d99ef227320e455dd112c4a9e9cca95724fcc9ae024ed12bf60a802d0b87b99d9bf22590786567c2962171d2b05bec9754c627608e9eba7bccc70540aa4da72e1e04b26d8f968b10230f707501c0091a8ac118f86e87aae1ac00257aee29c3345bd3839154977acd378fc1b2197f5c1fd8e12262f9c2974fb92dc481eeb51aadd44a8851f61b93a84ba57f2870df0423d289bfdcfe634f9ecb7d7c6110a95b49418a2dd6663377690275c205b3efa79a0a77c92567fb429d8ee437312a39df7516dc238f7b9414938223d7ec24d256d3fb3a5954a7c75dbd79486d49ba6bb38a7ccce0f58700260b71319adf98ab8684e34913abe2d9d97193e2 TAG: e690e89af39ff367f5d40a1b7c7ccd4f +KEY: 31323334353637383930313233343536 +NONCE: 31323334353637383930313233343536 +IN: 48656c6c6f2c20576f726c64 +AD: +CT: cec189d0e8419b90fb16d555 +TAG: 32893832a8d609224d77c2e56a922282 diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_test.txt index 93cb8f3..21fffdb 100644 --- a/src/crypto/cipher/test/cipher_test.txt +++ b/src/crypto/cipher/test/cipher_test.txt @@ -38,6 +38,22 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 +# DES EDE CBC tests +Cipher = DES-EDE-CBC +Key = 0123456789abcdeff1e0d3c2b5a49786 +IV = fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 7948C0DA4FE91CD815DCA96DBC9B60A857EB954F4DEB08EB98722642AE69257B + + +# DES EDE tests +Cipher = DES-EDE +Key = 0123456789abcdeff1e0d3c2b5a49786 +IV = fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +Ciphertext = 22E889402E28422F8167AD279D90A566DA75B734E12C671FC2669AECB3E4FE8F + + # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) Cipher = AES-128-ECB Key = 000102030405060708090A0B0C0D0E0F @@ -360,6 +376,13 @@ Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3d AAD = 00000000000000000000000000000000101112131415161718191a1b1c1d1e1f Tag = 3b629ccfbc1119b7319e1dce2cd6fd6d +Cipher = AES-128-GCM +Key = 31323334353637383930313233343536 +IV = 31323334353637383930313233343536 +Plaintext = 48656c6c6f2c20576f726c64 +Ciphertext = cec189d0e8419b90fb16d555 +Tag = 32893832a8d609224d77c2e56a922282 +AAD = # OFB tests from OpenSSL upstream. @@ -535,3 +558,40 @@ Cipher = AES-192-ECB Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 Ciphertext = 9A4B41BA738D6C72FB16691603C18E0E + +# DES ECB tests + +Cipher = DES-ECB +Key = 0000000000000000 +Plaintext = 0000000000000000 +Ciphertext = 8CA64DE9C1B123A7 + +Cipher = DES-ECB +Key = FFFFFFFFFFFFFFFF +Plaintext = FFFFFFFFFFFFFFFF +Ciphertext = 7359B2163E4EDC58 + +Cipher = DES-ECB +Key = 3000000000000000 +Plaintext = 1000000000000001 +Ciphertext = 958E6E627A05557B + +Cipher = DES-ECB +Key = 1111111111111111 +Plaintext = 1111111111111111 +Ciphertext = F40379AB9E0EC533 + +Cipher = DES-ECB +Key = 0123456789ABCDEF +Plaintext = 1111111111111111 +Ciphertext = 17668DFC7292532D + +Cipher = DES-ECB +Key = 1111111111111111 +Plaintext = 0123456789ABCDEF +Ciphertext = 8A5AE1F81AB8F2DD + +Cipher = DES-ECB +Key = FEDCBA9876543210 +Plaintext = 0123456789ABCDEF +Ciphertext = ED39D950FA74BCC4 -- cgit v1.1