1/* Copyright (c) 2014, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15#include <assert.h> 16#include <limits.h> 17#include <string.h> 18 19#include <openssl/aead.h> 20#include <openssl/cipher.h> 21#include <openssl/err.h> 22#include <openssl/hmac.h> 23#include <openssl/md5.h> 24#include <openssl/mem.h> 25#include <openssl/sha.h> 26#include <openssl/type_check.h> 27 28#include "../crypto/internal.h" 29#include "internal.h" 30 31 32typedef struct { 33 EVP_CIPHER_CTX cipher_ctx; 34 HMAC_CTX hmac_ctx; 35 /* mac_key is the portion of the key used for the MAC. It is retained 36 * separately for the constant-time CBC code. */ 37 uint8_t mac_key[EVP_MAX_MD_SIZE]; 38 uint8_t mac_key_len; 39 /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit 40 * IV. */ 41 char implicit_iv; 42} AEAD_TLS_CTX; 43 44OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t); 45 46static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) { 47 AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state; 48 EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx); 49 HMAC_CTX_cleanup(&tls_ctx->hmac_ctx); 50 OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key)); 51 OPENSSL_free(tls_ctx); 52 ctx->aead_state = NULL; 53} 54 55static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, 56 size_t tag_len, enum evp_aead_direction_t dir, 57 const EVP_CIPHER *cipher, const EVP_MD *md, 58 char implicit_iv) { 59 if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH && 60 tag_len != EVP_MD_size(md)) { 61 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE); 62 return 0; 63 } 64 65 if (key_len != EVP_AEAD_key_length(ctx->aead)) { 66 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); 67 return 0; 68 } 69 70 size_t mac_key_len = EVP_MD_size(md); 71 size_t enc_key_len = EVP_CIPHER_key_length(cipher); 72 assert(mac_key_len + enc_key_len + 73 (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len); 74 /* Although EVP_rc4() is a variable-length cipher, the default key size is 75 * correct for TLS. */ 76 77 AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX)); 78 if (tls_ctx == NULL) { 79 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); 80 return 0; 81 } 82 EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx); 83 HMAC_CTX_init(&tls_ctx->hmac_ctx); 84 assert(mac_key_len <= EVP_MAX_MD_SIZE); 85 memcpy(tls_ctx->mac_key, key, mac_key_len); 86 tls_ctx->mac_key_len = (uint8_t)mac_key_len; 87 tls_ctx->implicit_iv = implicit_iv; 88 89 ctx->aead_state = tls_ctx; 90 if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len], 91 implicit_iv ? &key[mac_key_len + enc_key_len] : NULL, 92 dir == evp_aead_seal) || 93 !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) { 94 aead_tls_cleanup(ctx); 95 ctx->aead_state = NULL; 96 return 0; 97 } 98 EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0); 99 100 return 1; 101} 102 103static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, 104 size_t *out_len, size_t max_out_len, 105 const uint8_t *nonce, size_t nonce_len, 106 const uint8_t *in, size_t in_len, 107 const uint8_t *ad, size_t ad_len) { 108 AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state; 109 size_t total = 0; 110 111 if (!tls_ctx->cipher_ctx.encrypt) { 112 /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ 113 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); 114 return 0; 115 } 116 117 if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len || 118 in_len > INT_MAX) { 119 /* EVP_CIPHER takes int as input. */ 120 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 121 return 0; 122 } 123 124 if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) { 125 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 126 return 0; 127 } 128 129 if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { 130 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); 131 return 0; 132 } 133 134 if (ad_len != 13 - 2 /* length bytes */) { 135 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); 136 return 0; 137 } 138 139 /* To allow for CBC mode which changes cipher length, |ad| doesn't include the 140 * length for legacy ciphers. */ 141 uint8_t ad_extra[2]; 142 ad_extra[0] = (uint8_t)(in_len >> 8); 143 ad_extra[1] = (uint8_t)(in_len & 0xff); 144 145 /* Compute the MAC. This must be first in case the operation is being done 146 * in-place. */ 147 uint8_t mac[EVP_MAX_MD_SIZE]; 148 unsigned mac_len; 149 if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) || 150 !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) || 151 !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) || 152 !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) || 153 !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) { 154 return 0; 155 } 156 157 /* Configure the explicit IV. */ 158 if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE && 159 !tls_ctx->implicit_iv && 160 !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) { 161 return 0; 162 } 163 164 /* Encrypt the input. */ 165 int len; 166 if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, 167 (int)in_len)) { 168 return 0; 169 } 170 total = len; 171 172 /* Feed the MAC into the cipher. */ 173 if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, mac, 174 (int)mac_len)) { 175 return 0; 176 } 177 total += len; 178 179 unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); 180 if (block_size > 1) { 181 assert(block_size <= 256); 182 assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE); 183 184 /* Compute padding and feed that into the cipher. */ 185 uint8_t padding[256]; 186 unsigned padding_len = block_size - ((in_len + mac_len) % block_size); 187 memset(padding, padding_len - 1, padding_len); 188 if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding, 189 (int)padding_len)) { 190 return 0; 191 } 192 total += len; 193 } 194 195 if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) { 196 return 0; 197 } 198 total += len; 199 200 *out_len = total; 201 return 1; 202} 203 204static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 205 size_t *out_len, size_t max_out_len, 206 const uint8_t *nonce, size_t nonce_len, 207 const uint8_t *in, size_t in_len, 208 const uint8_t *ad, size_t ad_len) { 209 AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state; 210 211 if (tls_ctx->cipher_ctx.encrypt) { 212 /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */ 213 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION); 214 return 0; 215 } 216 217 if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) { 218 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 219 return 0; 220 } 221 222 if (max_out_len < in_len) { 223 /* This requires that the caller provide space for the MAC, even though it 224 * will always be removed on return. */ 225 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 226 return 0; 227 } 228 229 if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) { 230 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); 231 return 0; 232 } 233 234 if (ad_len != 13 - 2 /* length bytes */) { 235 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE); 236 return 0; 237 } 238 239 if (in_len > INT_MAX) { 240 /* EVP_CIPHER takes int as input. */ 241 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 242 return 0; 243 } 244 245 /* Configure the explicit IV. */ 246 if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE && 247 !tls_ctx->implicit_iv && 248 !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) { 249 return 0; 250 } 251 252 /* Decrypt to get the plaintext + MAC + padding. */ 253 size_t total = 0; 254 int len; 255 if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) { 256 return 0; 257 } 258 total += len; 259 if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) { 260 return 0; 261 } 262 total += len; 263 assert(total == in_len); 264 265 /* Remove CBC padding. Code from here on is timing-sensitive with respect to 266 * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */ 267 int padding_ok; 268 unsigned data_plus_mac_len, data_len; 269 if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) { 270 padding_ok = EVP_tls_cbc_remove_padding( 271 &data_plus_mac_len, out, total, 272 EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx), 273 (unsigned)HMAC_size(&tls_ctx->hmac_ctx)); 274 /* Publicly invalid. This can be rejected in non-constant time. */ 275 if (padding_ok == 0) { 276 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 277 return 0; 278 } 279 } else { 280 padding_ok = 1; 281 data_plus_mac_len = total; 282 /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has 283 * already been checked against the MAC size at the top of the function. */ 284 assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx)); 285 } 286 data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx); 287 288 /* At this point, |padding_ok| is 1 or -1. If 1, the padding is valid and the 289 * first |data_plus_mac_size| bytes after |out| are the plaintext and 290 * MAC. Either way, |data_plus_mac_size| is large enough to extract a MAC. */ 291 292 /* To allow for CBC mode which changes cipher length, |ad| doesn't include the 293 * length for legacy ciphers. */ 294 uint8_t ad_fixed[13]; 295 memcpy(ad_fixed, ad, 11); 296 ad_fixed[11] = (uint8_t)(data_len >> 8); 297 ad_fixed[12] = (uint8_t)(data_len & 0xff); 298 ad_len += 2; 299 300 /* Compute the MAC and extract the one in the record. */ 301 uint8_t mac[EVP_MAX_MD_SIZE]; 302 size_t mac_len; 303 uint8_t record_mac_tmp[EVP_MAX_MD_SIZE]; 304 uint8_t *record_mac; 305 if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE && 306 EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) { 307 if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len, 308 ad_fixed, out, data_plus_mac_len, total, 309 tls_ctx->mac_key, tls_ctx->mac_key_len)) { 310 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 311 return 0; 312 } 313 assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); 314 315 record_mac = record_mac_tmp; 316 EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total); 317 } else { 318 /* We should support the constant-time path for all CBC-mode ciphers 319 * implemented. */ 320 assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE); 321 322 unsigned mac_len_u; 323 if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) || 324 !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) || 325 !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) || 326 !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) { 327 return 0; 328 } 329 mac_len = mac_len_u; 330 331 assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx)); 332 record_mac = &out[data_len]; 333 } 334 335 /* Perform the MAC check and the padding check in constant-time. It should be 336 * safe to simply perform the padding check first, but it would not be under a 337 * different choice of MAC location on padding failure. See 338 * EVP_tls_cbc_remove_padding. */ 339 unsigned good = constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 340 0); 341 good &= constant_time_eq_int(padding_ok, 1); 342 if (!good) { 343 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 344 return 0; 345 } 346 347 /* End of timing-sensitive code. */ 348 349 *out_len = data_len; 350 return 1; 351} 352 353static int aead_rc4_md5_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 354 size_t key_len, size_t tag_len, 355 enum evp_aead_direction_t dir) { 356 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5(), 357 0); 358} 359 360static int aead_rc4_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 361 size_t key_len, size_t tag_len, 362 enum evp_aead_direction_t dir) { 363 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1(), 364 0); 365} 366 367static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 368 size_t key_len, size_t tag_len, 369 enum evp_aead_direction_t dir) { 370 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), 371 EVP_sha1(), 0); 372} 373 374static int aead_aes_128_cbc_sha1_tls_implicit_iv_init( 375 EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, 376 enum evp_aead_direction_t dir) { 377 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), 378 EVP_sha1(), 1); 379} 380 381static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx, 382 const uint8_t *key, size_t key_len, 383 size_t tag_len, 384 enum evp_aead_direction_t dir) { 385 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(), 386 EVP_sha256(), 0); 387} 388 389static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 390 size_t key_len, size_t tag_len, 391 enum evp_aead_direction_t dir) { 392 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), 393 EVP_sha1(), 0); 394} 395 396static int aead_aes_256_cbc_sha1_tls_implicit_iv_init( 397 EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, 398 enum evp_aead_direction_t dir) { 399 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), 400 EVP_sha1(), 1); 401} 402 403static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx, 404 const uint8_t *key, size_t key_len, 405 size_t tag_len, 406 enum evp_aead_direction_t dir) { 407 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), 408 EVP_sha256(), 0); 409} 410 411static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx, 412 const uint8_t *key, size_t key_len, 413 size_t tag_len, 414 enum evp_aead_direction_t dir) { 415 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(), 416 EVP_sha384(), 0); 417} 418 419static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, 420 const uint8_t *key, size_t key_len, 421 size_t tag_len, 422 enum evp_aead_direction_t dir) { 423 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), 424 EVP_sha1(), 0); 425} 426 427static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init( 428 EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len, 429 enum evp_aead_direction_t dir) { 430 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(), 431 EVP_sha1(), 1); 432} 433 434static int aead_rc4_tls_get_rc4_state(const EVP_AEAD_CTX *ctx, 435 const RC4_KEY **out_key) { 436 const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state; 437 if (EVP_CIPHER_CTX_cipher(&tls_ctx->cipher_ctx) != EVP_rc4()) { 438 return 0; 439 } 440 441 *out_key = (const RC4_KEY*) tls_ctx->cipher_ctx.cipher_data; 442 return 1; 443} 444 445static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv, 446 size_t *out_iv_len) { 447 const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state; 448 const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx); 449 if (iv_len <= 1) { 450 return 0; 451 } 452 453 *out_iv = tls_ctx->cipher_ctx.iv; 454 *out_iv_len = iv_len; 455 return 1; 456} 457 458static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 459 size_t key_len, size_t tag_len, 460 enum evp_aead_direction_t dir) { 461 return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(), 462 EVP_sha1(), 1 /* implicit iv */); 463} 464 465static const EVP_AEAD aead_rc4_md5_tls = { 466 MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */ 467 0, /* nonce len */ 468 MD5_DIGEST_LENGTH, /* overhead */ 469 MD5_DIGEST_LENGTH, /* max tag length */ 470 NULL, /* init */ 471 aead_rc4_md5_tls_init, 472 aead_tls_cleanup, 473 aead_tls_seal, 474 aead_tls_open, 475 aead_rc4_tls_get_rc4_state, /* get_rc4_state */ 476 NULL, /* get_iv */ 477}; 478 479static const EVP_AEAD aead_rc4_sha1_tls = { 480 SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */ 481 0, /* nonce len */ 482 SHA_DIGEST_LENGTH, /* overhead */ 483 SHA_DIGEST_LENGTH, /* max tag length */ 484 NULL, /* init */ 485 aead_rc4_sha1_tls_init, 486 aead_tls_cleanup, 487 aead_tls_seal, 488 aead_tls_open, 489 aead_rc4_tls_get_rc4_state, /* get_rc4_state */ 490 NULL, /* get_iv */ 491}; 492 493static const EVP_AEAD aead_aes_128_cbc_sha1_tls = { 494 SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */ 495 16, /* nonce len (IV) */ 496 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 497 SHA_DIGEST_LENGTH, /* max tag length */ 498 NULL, /* init */ 499 aead_aes_128_cbc_sha1_tls_init, 500 aead_tls_cleanup, 501 aead_tls_seal, 502 aead_tls_open, 503 NULL, /* get_rc4_state */ 504 NULL, /* get_iv */ 505}; 506 507static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = { 508 SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */ 509 0, /* nonce len */ 510 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 511 SHA_DIGEST_LENGTH, /* max tag length */ 512 NULL, /* init */ 513 aead_aes_128_cbc_sha1_tls_implicit_iv_init, 514 aead_tls_cleanup, 515 aead_tls_seal, 516 aead_tls_open, 517 NULL, /* get_rc4_state */ 518 aead_tls_get_iv, /* get_iv */ 519}; 520 521static const EVP_AEAD aead_aes_128_cbc_sha256_tls = { 522 SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */ 523 16, /* nonce len (IV) */ 524 16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */ 525 SHA256_DIGEST_LENGTH, /* max tag length */ 526 NULL, /* init */ 527 aead_aes_128_cbc_sha256_tls_init, 528 aead_tls_cleanup, 529 aead_tls_seal, 530 aead_tls_open, 531 NULL, /* get_rc4_state */ 532 NULL, /* get_iv */ 533}; 534 535static const EVP_AEAD aead_aes_256_cbc_sha1_tls = { 536 SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */ 537 16, /* nonce len (IV) */ 538 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 539 SHA_DIGEST_LENGTH, /* max tag length */ 540 NULL, /* init */ 541 aead_aes_256_cbc_sha1_tls_init, 542 aead_tls_cleanup, 543 aead_tls_seal, 544 aead_tls_open, 545 NULL, /* get_rc4_state */ 546 NULL, /* get_iv */ 547}; 548 549static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = { 550 SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */ 551 0, /* nonce len */ 552 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 553 SHA_DIGEST_LENGTH, /* max tag length */ 554 NULL, /* init */ 555 aead_aes_256_cbc_sha1_tls_implicit_iv_init, 556 aead_tls_cleanup, 557 aead_tls_seal, 558 aead_tls_open, 559 NULL, /* get_rc4_state */ 560 aead_tls_get_iv, /* get_iv */ 561}; 562 563static const EVP_AEAD aead_aes_256_cbc_sha256_tls = { 564 SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */ 565 16, /* nonce len (IV) */ 566 16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */ 567 SHA256_DIGEST_LENGTH, /* max tag length */ 568 NULL, /* init */ 569 aead_aes_256_cbc_sha256_tls_init, 570 aead_tls_cleanup, 571 aead_tls_seal, 572 aead_tls_open, 573 NULL, /* get_rc4_state */ 574 NULL, /* get_iv */ 575}; 576 577static const EVP_AEAD aead_aes_256_cbc_sha384_tls = { 578 SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */ 579 16, /* nonce len (IV) */ 580 16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */ 581 SHA384_DIGEST_LENGTH, /* max tag length */ 582 NULL, /* init */ 583 aead_aes_256_cbc_sha384_tls_init, 584 aead_tls_cleanup, 585 aead_tls_seal, 586 aead_tls_open, 587 NULL, /* get_rc4_state */ 588 NULL, /* get_iv */ 589}; 590 591static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = { 592 SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */ 593 8, /* nonce len (IV) */ 594 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 595 SHA_DIGEST_LENGTH, /* max tag length */ 596 NULL, /* init */ 597 aead_des_ede3_cbc_sha1_tls_init, 598 aead_tls_cleanup, 599 aead_tls_seal, 600 aead_tls_open, 601 NULL, /* get_rc4_state */ 602 NULL, /* get_iv */ 603}; 604 605static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = { 606 SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */ 607 0, /* nonce len */ 608 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */ 609 SHA_DIGEST_LENGTH, /* max tag length */ 610 NULL, /* init */ 611 aead_des_ede3_cbc_sha1_tls_implicit_iv_init, 612 aead_tls_cleanup, 613 aead_tls_seal, 614 aead_tls_open, 615 NULL, /* get_rc4_state */ 616 aead_tls_get_iv, /* get_iv */ 617}; 618 619static const EVP_AEAD aead_null_sha1_tls = { 620 SHA_DIGEST_LENGTH, /* key len */ 621 0, /* nonce len */ 622 SHA_DIGEST_LENGTH, /* overhead (SHA1) */ 623 SHA_DIGEST_LENGTH, /* max tag length */ 624 NULL, /* init */ 625 aead_null_sha1_tls_init, 626 aead_tls_cleanup, 627 aead_tls_seal, 628 aead_tls_open, 629 NULL, /* get_rc4_state */ 630 NULL, /* get_iv */ 631}; 632 633const EVP_AEAD *EVP_aead_rc4_md5_tls(void) { return &aead_rc4_md5_tls; } 634 635const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; } 636 637const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) { 638 return &aead_aes_128_cbc_sha1_tls; 639} 640 641const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) { 642 return &aead_aes_128_cbc_sha1_tls_implicit_iv; 643} 644 645const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) { 646 return &aead_aes_128_cbc_sha256_tls; 647} 648 649const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) { 650 return &aead_aes_256_cbc_sha1_tls; 651} 652 653const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) { 654 return &aead_aes_256_cbc_sha1_tls_implicit_iv; 655} 656 657const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) { 658 return &aead_aes_256_cbc_sha256_tls; 659} 660 661const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) { 662 return &aead_aes_256_cbc_sha384_tls; 663} 664 665const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) { 666 return &aead_des_ede3_cbc_sha1_tls; 667} 668 669const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) { 670 return &aead_des_ede3_cbc_sha1_tls_implicit_iv; 671} 672 673const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; } 674