Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 8ff035535f7cf2903f02bbe94d2fa10b7ab855f1 / . / src / crypto / cipher_extra / e_ssl3.c
blob: 7af9a58c527cf82bfde83fb186a0044092304087 [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <assert.h>
16#include <limits.h>
17#include <string.h>
18
19#include <openssl/aead.h>
20#include <openssl/cipher.h>
21#include <openssl/err.h>
22#include <openssl/hmac.h>
23#include <openssl/md5.h>
24#include <openssl/mem.h>
25#include <openssl/sha.h>
26
27#include "internal.h"
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]28#include "../internal.h"
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]29#include "../fipsmodule/cipher/internal.h"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]30
31
32typedef struct {
33 EVP_CIPHER_CTX cipher_ctx;
34 EVP_MD_CTX md_ctx;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]35} AEAD_SSL3_CTX;
36
37static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
38 const uint8_t *ad, size_t ad_len, const uint8_t *in,
39 size_t in_len) {
40 size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
41 size_t pad_len = (md_size == 20) ? 40 : 48;
42
43 /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
44 * length for legacy ciphers. */
45 uint8_t ad_extra[2];
46 ad_extra[0] = (uint8_t)(in_len >> 8);
47 ad_extra[1] = (uint8_t)(in_len & 0xff);
48
49 EVP_MD_CTX md_ctx;
50 EVP_MD_CTX_init(&md_ctx);
51
52 uint8_t pad[48];
53 uint8_t tmp[EVP_MAX_MD_SIZE];
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]54 OPENSSL_memset(pad, 0x36, pad_len);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]55 if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
56 !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
57 !EVP_DigestUpdate(&md_ctx, ad, ad_len) ||
58 !EVP_DigestUpdate(&md_ctx, ad_extra, sizeof(ad_extra)) ||
59 !EVP_DigestUpdate(&md_ctx, in, in_len) ||
60 !EVP_DigestFinal_ex(&md_ctx, tmp, NULL)) {
61 EVP_MD_CTX_cleanup(&md_ctx);
62 return 0;
63 }
64
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]65 OPENSSL_memset(pad, 0x5c, pad_len);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]66 if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
67 !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
68 !EVP_DigestUpdate(&md_ctx, tmp, md_size) ||
69 !EVP_DigestFinal_ex(&md_ctx, out, out_len)) {
70 EVP_MD_CTX_cleanup(&md_ctx);
71 return 0;
72 }
73 EVP_MD_CTX_cleanup(&md_ctx);
74 return 1;
75}
76
77static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) {
78 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
79 EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);
80 EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]81 OPENSSL_free(ssl3_ctx);
82 ctx->aead_state = NULL;
83}
84
85static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]86 size_t tag_len, enum evp_aead_direction_t dir,
87 const EVP_CIPHER *cipher, const EVP_MD *md) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]88 if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
89 tag_len != EVP_MD_size(md)) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]90 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]91 return 0;
92 }
93
94 if (key_len != EVP_AEAD_key_length(ctx->aead)) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]95 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]96 return 0;
97 }
98
99 size_t mac_key_len = EVP_MD_size(md);
100 size_t enc_key_len = EVP_CIPHER_key_length(cipher);
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]101 assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]102
103 AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));
104 if (ssl3_ctx == NULL) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]105 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]106 return 0;
107 }
108 EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
109 EVP_MD_CTX_init(&ssl3_ctx->md_ctx);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]110
111 ctx->aead_state = ssl3_ctx;
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]112 if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
113 &key[mac_key_len + enc_key_len],
114 dir == evp_aead_seal) ||
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]115 !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
116 !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
117 aead_ssl3_cleanup(ctx);
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]118 ctx->aead_state = NULL;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]119 return 0;
120 }
121 EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
122
123 return 1;
124}
125
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]126static int aead_ssl3_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
127 uint8_t *out_tag, size_t *out_tag_len,
128 size_t max_out_tag_len, const uint8_t *nonce,
129 size_t nonce_len, const uint8_t *in,
130 size_t in_len, const uint8_t *ad,
131 size_t ad_len) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]132 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]133
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]134 if (!ssl3_ctx->cipher_ctx.encrypt) {
135 /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]136 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]137 return 0;
138 }
139
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]140 if (in_len > INT_MAX) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]141 /* EVP_CIPHER takes int as input. */
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]142 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]143 return 0;
144 }
145
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]146 const size_t max_overhead = EVP_AEAD_max_overhead(ctx->aead);
147 if (max_out_tag_len < max_overhead) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]148 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]149 return 0;
150 }
151
152 if (nonce_len != 0) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]153 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]154 return 0;
155 }
156
157 if (ad_len != 11 - 2 /* length bytes */) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]158 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]159 return 0;
160 }
161
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]162 /* Compute the MAC. This must be first in case the operation is being done
163 * in-place. */
164 uint8_t mac[EVP_MAX_MD_SIZE];
165 unsigned mac_len;
166 if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
167 return 0;
168 }
169
170 /* Encrypt the input. */
171 int len;
172 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
173 (int)in_len)) {
174 return 0;
175 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]176
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]177 const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
178
179 /* Feed the MAC into the cipher in two steps. First complete the final partial
180 * block from encrypting the input and split the result between |out| and
181 * |out_tag|. Then encrypt the remainder. */
182
183 size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
184 if (early_mac_len != 0) {
185 assert(len + block_size - early_mac_len == in_len);
186 uint8_t buf[EVP_MAX_BLOCK_LENGTH];
187 int buf_len;
188 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, buf, &buf_len, mac,
189 (int)early_mac_len)) {
190 return 0;
191 }
192 assert(buf_len == (int)block_size);
193 OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
194 OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
195 }
196 size_t tag_len = early_mac_len;
197
198 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len,
199 mac + tag_len, mac_len - tag_len)) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]200 return 0;
201 }
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]202 tag_len += len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]203
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]204 if (block_size > 1) {
205 assert(block_size <= 256);
206 assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
207
208 /* Compute padding and feed that into the cipher. */
209 uint8_t padding[256];
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]210 size_t padding_len = block_size - ((in_len + mac_len) % block_size);
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]211 OPENSSL_memset(padding, 0, padding_len - 1);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]212 padding[padding_len - 1] = padding_len - 1;
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]213 if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len, padding,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]214 (int)padding_len)) {
215 return 0;
216 }
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]217 tag_len += len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]218 }
219
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]220 if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len)) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]221 return 0;
222 }
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]223 tag_len += len;
224 assert(tag_len <= max_overhead);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]225
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]226 *out_tag_len = tag_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]227 return 1;
228}
229
230static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
231 size_t *out_len, size_t max_out_len,
232 const uint8_t *nonce, size_t nonce_len,
233 const uint8_t *in, size_t in_len,
234 const uint8_t *ad, size_t ad_len) {
235 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
236
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]237 if (ssl3_ctx->cipher_ctx.encrypt) {
238 /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]239 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]240 return 0;
241 }
242
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]243 size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
244 if (in_len < mac_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]245 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]246 return 0;
247 }
248
249 if (max_out_len < in_len) {
250 /* This requires that the caller provide space for the MAC, even though it
251 * will always be removed on return. */
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]252 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]253 return 0;
254 }
255
256 if (nonce_len != 0) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]257 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]258 return 0;
259 }
260
261 if (ad_len != 11 - 2 /* length bytes */) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]262 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]263 return 0;
264 }
265
266 if (in_len > INT_MAX) {
267 /* EVP_CIPHER takes int as input. */
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]268 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]269 return 0;
270 }
271
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]272 /* Decrypt to get the plaintext + MAC + padding. */
273 size_t total = 0;
274 int len;
275 if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
276 return 0;
277 }
278 total += len;
279 if (!EVP_DecryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
280 return 0;
281 }
282 total += len;
283 assert(total == in_len);
284
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]285 /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
286 * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]287 * https://www.openssl.org/~bodo/ssl-poodle.pdf */
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]288 size_t data_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]289 if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
290 unsigned padding_length = out[total - 1];
291 if (total < padding_length + 1 + mac_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]292 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]293 return 0;
294 }
295 /* The padding must be minimal. */
296 if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]297 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]298 return 0;
299 }
300 data_len = total - padding_length - 1 - mac_len;
301 } else {
302 data_len = total - mac_len;
303 }
304
305 /* Compute the MAC and compare against the one in the record. */
306 uint8_t mac[EVP_MAX_MD_SIZE];
307 if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
308 return 0;
309 }
310 if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]311 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]312 return 0;
313 }
314
315 *out_len = data_len;
316 return 1;
317}
318
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]319static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
320 size_t *out_iv_len) {
321 AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
322 const size_t iv_len = EVP_CIPHER_CTX_iv_length(&ssl3_ctx->cipher_ctx);
323 if (iv_len <= 1) {
324 return 0;
325 }
326
327 *out_iv = ssl3_ctx->cipher_ctx.iv;
328 *out_iv_len = iv_len;
329 return 1;
330}
331
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]332static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]333 size_t key_len, size_t tag_len,
334 enum evp_aead_direction_t dir) {
335 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]336 EVP_sha1());
337}
338
339static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]340 size_t key_len, size_t tag_len,
341 enum evp_aead_direction_t dir) {
342 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]343 EVP_sha1());
344}
345static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]346 const uint8_t *key, size_t key_len,
347 size_t tag_len,
348 enum evp_aead_direction_t dir) {
349 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]350 EVP_sha1());
351}
352
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]353static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
354 size_t key_len, size_t tag_len,
355 enum evp_aead_direction_t dir) {
356 return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
357 EVP_sha1());
358}
359
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]360static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
361 SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
362 0, /* nonce len */
363 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
364 SHA_DIGEST_LENGTH, /* max tag length */
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]365 NULL, /* init */
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]366 aead_aes_128_cbc_sha1_ssl3_init,
367 aead_ssl3_cleanup,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]368 aead_ssl3_open,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]369 aead_ssl3_seal_scatter,
370 NULL, /* open_gather */
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]371 aead_ssl3_get_iv,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]372};
373
374static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
375 SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
376 0, /* nonce len */
377 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
378 SHA_DIGEST_LENGTH, /* max tag length */
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]379 NULL, /* init */
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]380 aead_aes_256_cbc_sha1_ssl3_init,
381 aead_ssl3_cleanup,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]382 aead_ssl3_open,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]383 aead_ssl3_seal_scatter,
384 NULL, /* open_gather */
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]385 aead_ssl3_get_iv,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]386};
387
388static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
389 SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
390 0, /* nonce len */
391 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
392 SHA_DIGEST_LENGTH, /* max tag length */
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]393 NULL, /* init */
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]394 aead_des_ede3_cbc_sha1_ssl3_init,
395 aead_ssl3_cleanup,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]396 aead_ssl3_open,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]397 aead_ssl3_seal_scatter,
398 NULL, /* open_gather */
Adam Langleyfad63272015-11-12 12:15:39 -0800[diff] [blame]399 aead_ssl3_get_iv,
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]400};
401
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]402static const EVP_AEAD aead_null_sha1_ssl3 = {
403 SHA_DIGEST_LENGTH, /* key len */
404 0, /* nonce len */
405 SHA_DIGEST_LENGTH, /* overhead (SHA1) */
406 SHA_DIGEST_LENGTH, /* max tag length */
407 NULL, /* init */
408 aead_null_sha1_ssl3_init,
409 aead_ssl3_cleanup,
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]410 aead_ssl3_open,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame^]411 aead_ssl3_seal_scatter,
412 NULL, /* open_gather */
413 NULL, /* get_iv */
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]414};
415
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]416const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {
417 return &aead_aes_128_cbc_sha1_ssl3;
418}
419
420const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) {
421 return &aead_aes_256_cbc_sha1_ssl3;
422}
423
424const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) {
425 return &aead_des_ede3_cbc_sha1_ssl3;
426}
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]427
428const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; }