1 /*
2  * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* Dispatch functions for ccm mode */
11 
12 #include <openssl/proverr.h>
13 #include "prov/ciphercommon.h"
14 #include "prov/ciphercommon_ccm.h"
15 #include "prov/providercommon.h"
16 
17 static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
18                                size_t *padlen, const unsigned char *in,
19                                size_t len);
20 
ccm_tls_init(PROV_CCM_CTX * ctx,unsigned char * aad,size_t alen)21 static int ccm_tls_init(PROV_CCM_CTX *ctx, unsigned char *aad, size_t alen)
22 {
23     size_t len;
24 
25     if (!ossl_prov_is_running() || alen != EVP_AEAD_TLS1_AAD_LEN)
26         return 0;
27 
28     /* Save the aad for later use. */
29     memcpy(ctx->buf, aad, alen);
30     ctx->tls_aad_len = alen;
31 
32     len = ctx->buf[alen - 2] << 8 | ctx->buf[alen - 1];
33     if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
34         return 0;
35 
36     /* Correct length for explicit iv. */
37     len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
38 
39     if (!ctx->enc) {
40         if (len < ctx->m)
41             return 0;
42         /* Correct length for tag. */
43         len -= ctx->m;
44     }
45     ctx->buf[alen - 2] = (unsigned char)(len >> 8);
46     ctx->buf[alen - 1] = (unsigned char)(len & 0xff);
47 
48     /* Extra padding: tag appended to record. */
49     return ctx->m;
50 }
51 
ccm_tls_iv_set_fixed(PROV_CCM_CTX * ctx,unsigned char * fixed,size_t flen)52 static int ccm_tls_iv_set_fixed(PROV_CCM_CTX *ctx, unsigned char *fixed,
53                                 size_t flen)
54 {
55     if (flen != EVP_CCM_TLS_FIXED_IV_LEN)
56         return 0;
57 
58     /* Copy to first part of the iv. */
59     memcpy(ctx->iv, fixed, flen);
60     return 1;
61 }
62 
ccm_get_ivlen(PROV_CCM_CTX * ctx)63 static size_t ccm_get_ivlen(PROV_CCM_CTX *ctx)
64 {
65     return 15 - ctx->l;
66 }
67 
ossl_ccm_set_ctx_params(void * vctx,const OSSL_PARAM params[])68 int ossl_ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
69 {
70     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
71     const OSSL_PARAM *p;
72     size_t sz;
73 
74     if (ossl_param_is_empty(params))
75         return 1;
76 
77     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
78     if (p != NULL) {
79         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
80             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
81             return 0;
82         }
83         if ((p->data_size & 1) || (p->data_size < 4) || p->data_size > 16) {
84             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH);
85             return 0;
86         }
87 
88         if (p->data != NULL) {
89             if (ctx->enc) {
90                 ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_NEEDED);
91                 return 0;
92             }
93             memcpy(ctx->buf, p->data, p->data_size);
94             ctx->tag_set = 1;
95         }
96         ctx->m = p->data_size;
97     }
98 
99     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
100     if (p != NULL) {
101         size_t ivlen;
102 
103         if (!OSSL_PARAM_get_size_t(p, &sz)) {
104             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
105             return 0;
106         }
107         ivlen = 15 - sz;
108         if (ivlen < 2 || ivlen > 8) {
109             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
110             return 0;
111         }
112         if (ctx->l != ivlen) {
113             ctx->l = ivlen;
114             ctx->iv_set = 0;
115         }
116     }
117 
118     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
119     if (p != NULL) {
120         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
121             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
122             return 0;
123         }
124         sz = ccm_tls_init(ctx, p->data, p->data_size);
125         if (sz == 0) {
126             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
127             return 0;
128         }
129         ctx->tls_aad_pad_sz = sz;
130     }
131 
132     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
133     if (p != NULL) {
134         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
135             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
136             return 0;
137         }
138         if (ccm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
139             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
140             return 0;
141         }
142     }
143 
144     return 1;
145 }
146 
ossl_ccm_get_ctx_params(void * vctx,OSSL_PARAM params[])147 int ossl_ccm_get_ctx_params(void *vctx, OSSL_PARAM params[])
148 {
149     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
150     OSSL_PARAM *p;
151 
152     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
153     if (p != NULL && !OSSL_PARAM_set_size_t(p, ccm_get_ivlen(ctx))) {
154         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
155         return 0;
156     }
157 
158     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
159     if (p != NULL) {
160         size_t m = ctx->m;
161 
162         if (!OSSL_PARAM_set_size_t(p, m)) {
163             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
164             return 0;
165         }
166     }
167 
168     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
169     if (p != NULL) {
170         if (ccm_get_ivlen(ctx) > p->data_size) {
171             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
172             return 0;
173         }
174         if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)
175             && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, p->data_size)) {
176             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
177             return 0;
178         }
179     }
180 
181     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
182     if (p != NULL) {
183         if (ccm_get_ivlen(ctx) > p->data_size) {
184             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
185             return 0;
186         }
187         if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size)
188             && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, p->data_size)) {
189             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
190             return 0;
191         }
192     }
193 
194     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
195     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
196         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
197         return 0;
198     }
199 
200     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
201     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
202         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
203         return 0;
204     }
205 
206     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
207     if (p != NULL) {
208         if (!ctx->enc || !ctx->tag_set) {
209             ERR_raise(ERR_LIB_PROV, PROV_R_TAG_NOT_SET);
210             return 0;
211         }
212         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
213             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
214             return 0;
215         }
216         if (!ctx->hw->gettag(ctx, p->data, p->data_size))
217             return 0;
218         ctx->tag_set = 0;
219         ctx->iv_set = 0;
220         ctx->len_set = 0;
221     }
222     return 1;
223 }
224 
ccm_init(void * vctx,const unsigned char * key,size_t keylen,const unsigned char * iv,size_t ivlen,const OSSL_PARAM params[],int enc)225 static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
226                     const unsigned char *iv, size_t ivlen,
227                     const OSSL_PARAM params[], int enc)
228 {
229     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
230 
231     if (!ossl_prov_is_running())
232         return 0;
233 
234     ctx->enc = enc;
235 
236     if (iv != NULL) {
237         if (ivlen != ccm_get_ivlen(ctx)) {
238             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
239             return 0;
240         }
241         memcpy(ctx->iv, iv, ivlen);
242         ctx->iv_set = 1;
243     }
244     if (key != NULL) {
245         if (keylen != ctx->keylen) {
246             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
247             return 0;
248         }
249         if (!ctx->hw->setkey(ctx, key, keylen))
250             return 0;
251     }
252     return ossl_ccm_set_ctx_params(ctx, params);
253 }
254 
ossl_ccm_einit(void * vctx,const unsigned char * key,size_t keylen,const unsigned char * iv,size_t ivlen,const OSSL_PARAM params[])255 int ossl_ccm_einit(void *vctx, const unsigned char *key, size_t keylen,
256                    const unsigned char *iv, size_t ivlen,
257                    const OSSL_PARAM params[])
258 {
259     return ccm_init(vctx, key, keylen, iv, ivlen, params, 1);
260 }
261 
ossl_ccm_dinit(void * vctx,const unsigned char * key,size_t keylen,const unsigned char * iv,size_t ivlen,const OSSL_PARAM params[])262 int ossl_ccm_dinit(void *vctx, const unsigned char *key, size_t keylen,
263                    const unsigned char *iv, size_t ivlen,
264                    const OSSL_PARAM params[])
265 {
266     return ccm_init(vctx, key, keylen, iv, ivlen, params, 0);
267 }
268 
ossl_ccm_stream_update(void * vctx,unsigned char * out,size_t * outl,size_t outsize,const unsigned char * in,size_t inl)269 int ossl_ccm_stream_update(void *vctx, unsigned char *out, size_t *outl,
270                            size_t outsize, const unsigned char *in,
271                            size_t inl)
272 {
273     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
274 
275     if (outsize < inl) {
276         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
277         return 0;
278     }
279 
280     if (!ccm_cipher_internal(ctx, out, outl, in, inl)) {
281         ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
282         return 0;
283     }
284     return 1;
285 }
286 
ossl_ccm_stream_final(void * vctx,unsigned char * out,size_t * outl,size_t outsize)287 int ossl_ccm_stream_final(void *vctx, unsigned char *out, size_t *outl,
288                           size_t outsize)
289 {
290     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
291     int i;
292 
293     if (!ossl_prov_is_running())
294         return 0;
295 
296     i = ccm_cipher_internal(ctx, out, outl, NULL, 0);
297     if (i <= 0)
298         return 0;
299 
300     *outl = 0;
301     return 1;
302 }
303 
ossl_ccm_cipher(void * vctx,unsigned char * out,size_t * outl,size_t outsize,const unsigned char * in,size_t inl)304 int ossl_ccm_cipher(void *vctx, unsigned char *out, size_t *outl, size_t outsize,
305                     const unsigned char *in, size_t inl)
306 {
307     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
308 
309     if (!ossl_prov_is_running())
310         return 0;
311 
312     if (outsize < inl) {
313         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
314         return 0;
315     }
316 
317     if (ccm_cipher_internal(ctx, out, outl, in, inl) <= 0)
318         return 0;
319 
320     *outl = inl;
321     return 1;
322 }
323 
324 /* Copy the buffered iv */
ccm_set_iv(PROV_CCM_CTX * ctx,size_t mlen)325 static int ccm_set_iv(PROV_CCM_CTX *ctx, size_t mlen)
326 {
327     const PROV_CCM_HW *hw = ctx->hw;
328 
329     if (!hw->setiv(ctx, ctx->iv, ccm_get_ivlen(ctx), mlen))
330         return 0;
331     ctx->len_set = 1;
332     return 1;
333 }
334 
ccm_tls_cipher(PROV_CCM_CTX * ctx,unsigned char * out,size_t * padlen,const unsigned char * in,size_t len)335 static int ccm_tls_cipher(PROV_CCM_CTX *ctx,
336                           unsigned char *out, size_t *padlen,
337                           const unsigned char *in, size_t len)
338 {
339     int rv = 0;
340     size_t olen = 0;
341 
342     if (!ossl_prov_is_running())
343         goto err;
344 
345     /* Encrypt/decrypt must be performed in place */
346     if (in == NULL || out != in || len < EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m)
347         goto err;
348 
349     /* If encrypting set explicit IV from sequence number (start of AAD) */
350     if (ctx->enc)
351         memcpy(out, ctx->buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
352     /* Get rest of IV from explicit IV */
353     memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
354     /* Correct length value */
355     len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
356     if (!ccm_set_iv(ctx, len))
357         goto err;
358 
359     /* Use saved AAD */
360     if (!ctx->hw->setaad(ctx, ctx->buf, ctx->tls_aad_len))
361         goto err;
362 
363     /* Fix buffer to point to payload */
364     in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
365     out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
366     if (ctx->enc) {
367         if (!ctx->hw->auth_encrypt(ctx, in, out, len,  out + len, ctx->m))
368             goto err;
369         olen = len + EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m;
370     } else {
371         if (!ctx->hw->auth_decrypt(ctx, in, out, len,
372                                    (unsigned char *)in + len, ctx->m))
373             goto err;
374         olen = len;
375     }
376     rv = 1;
377 err:
378     *padlen = olen;
379     return rv;
380 }
381 
ccm_cipher_internal(PROV_CCM_CTX * ctx,unsigned char * out,size_t * padlen,const unsigned char * in,size_t len)382 static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
383                                size_t *padlen, const unsigned char *in,
384                                size_t len)
385 {
386     int rv = 0;
387     size_t olen = 0;
388     const PROV_CCM_HW *hw = ctx->hw;
389 
390     /* If no key set, return error */
391     if (!ctx->key_set)
392         return 0;
393 
394     if (ctx->tls_aad_len != UNINITIALISED_SIZET)
395         return ccm_tls_cipher(ctx, out, padlen, in, len);
396 
397     /* EVP_*Final() doesn't return any data */
398     if (in == NULL && out != NULL)
399         goto finish;
400 
401     if (!ctx->iv_set)
402         goto err;
403 
404     if (out == NULL) {
405         if (in == NULL) {
406             if (!ccm_set_iv(ctx, len))
407                 goto err;
408         } else {
409             /* If we have AAD, we need a message length */
410             if (!ctx->len_set && len)
411                 goto err;
412             if (!hw->setaad(ctx, in, len))
413                 goto err;
414         }
415     } else {
416         /* If not set length yet do it */
417         if (!ctx->len_set && !ccm_set_iv(ctx, len))
418             goto err;
419 
420         if (ctx->enc) {
421             if (!hw->auth_encrypt(ctx, in, out, len, NULL, 0))
422                 goto err;
423             ctx->tag_set = 1;
424         } else {
425             /* The tag must be set before actually decrypting data */
426             if (!ctx->tag_set)
427                 goto err;
428 
429             if (!hw->auth_decrypt(ctx, in, out, len, ctx->buf, ctx->m))
430                 goto err;
431             /* Finished - reset flags so calling this method again will fail */
432             ctx->iv_set = 0;
433             ctx->tag_set = 0;
434             ctx->len_set = 0;
435         }
436     }
437     olen = len;
438 finish:
439     rv = 1;
440 err:
441     *padlen = olen;
442     return rv;
443 }
444 
ossl_ccm_initctx(PROV_CCM_CTX * ctx,size_t keybits,const PROV_CCM_HW * hw)445 void ossl_ccm_initctx(PROV_CCM_CTX *ctx, size_t keybits, const PROV_CCM_HW *hw)
446 {
447     ctx->keylen = keybits / 8;
448     ctx->key_set = 0;
449     ctx->iv_set = 0;
450     ctx->tag_set = 0;
451     ctx->len_set = 0;
452     ctx->l = 8;
453     ctx->m = 12;
454     ctx->tls_aad_len = UNINITIALISED_SIZET;
455     ctx->hw = hw;
456 }
457