Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include <openssl/aes.h>
17 : : #include <openssl/evp.h>
18 : : #include <openssl/sha.h>
19 : :
20 : : #include "crypto/s2n_cipher.h"
21 : : #include "crypto/s2n_fips.h"
22 : : #include "crypto/s2n_openssl.h"
23 : : #include "tls/s2n_crypto.h"
24 : : #include "utils/s2n_blob.h"
25 : : #include "utils/s2n_safety.h"
26 : :
27 : : /* LibreSSL and BoringSSL support the cipher, but the interface is different from Openssl's. We
28 : : * should define a separate s2n_cipher struct for LibreSSL and BoringSSL.
29 : : */
30 : : #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
31 : : /* Symbols for AES-SHA1-CBC composite ciphers were added in Openssl 1.0.1
32 : : * These composite ciphers exhibit erratic behavior in LibreSSL releases.
33 : : */
34 : : #if S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 1)
35 : : #define S2N_AES_SHA1_COMPOSITE_AVAILABLE
36 : : #endif
37 : : #if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
38 : : #undef S2N_AES_SHA1_COMPOSITE_AVAILABLE
39 : : #endif
40 : : /* Symbols for AES-SHA256-CBC composite ciphers were added in Openssl 1.0.2
41 : : * See https://www.openssl.org/news/cl102.txt
42 : : * These composite ciphers exhibit erratic behavior in LibreSSL releases.
43 : : */
44 : : #if S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 2)
45 : : #define S2N_AES_SHA256_COMPOSITE_AVAILABLE
46 : : #endif
47 : : #if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
48 : : #undef S2N_AES_SHA256_COMPOSITE_AVAILABLE
49 : : #endif
50 : : #endif
51 : :
52 : : /* Silly accessors, but we avoid using version macro guards in multiple places */
53 : : static const EVP_CIPHER *s2n_evp_aes_128_cbc_hmac_sha1(void)
54 : 51430 : {
55 : 51430 : #if defined(S2N_AES_SHA1_COMPOSITE_AVAILABLE)
56 : 51430 : return EVP_aes_128_cbc_hmac_sha1();
57 : : #else
58 : : return NULL;
59 : : #endif
60 : 51430 : }
61 : :
62 : : static const EVP_CIPHER *s2n_evp_aes_256_cbc_hmac_sha1(void)
63 : 51171 : {
64 : 51171 : #if defined(S2N_AES_SHA1_COMPOSITE_AVAILABLE)
65 : 51171 : return EVP_aes_256_cbc_hmac_sha1();
66 : : #else
67 : : return NULL;
68 : : #endif
69 : 51171 : }
70 : :
71 : : static const EVP_CIPHER *s2n_evp_aes_128_cbc_hmac_sha256(void)
72 : 51020 : {
73 : 51020 : #if defined(S2N_AES_SHA256_COMPOSITE_AVAILABLE)
74 : 51020 : return EVP_aes_128_cbc_hmac_sha256();
75 : : #else
76 : : return NULL;
77 : : #endif
78 : 51020 : }
79 : :
80 : : static const EVP_CIPHER *s2n_evp_aes_256_cbc_hmac_sha256(void)
81 : 49691 : {
82 : 49691 : #if defined(S2N_AES_SHA256_COMPOSITE_AVAILABLE)
83 : 49691 : return EVP_aes_256_cbc_hmac_sha256();
84 : : #else
85 : : return NULL;
86 : : #endif
87 : 49691 : }
88 : :
89 : : static bool s2n_composite_cipher_aes128_sha_available(void)
90 : 2186 : {
91 : : /* EVP_aes_128_cbc_hmac_sha1() returns NULL if the implementations aren't available.
92 : : * See https://github.com/openssl/openssl/blob/master/crypto/evp/e_aes_cbc_hmac_sha1.c#L952
93 : : *
94 : : * Composite ciphers cannot be used when FIPS mode is set. Ciphers require the
95 : : * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite
96 : : * ciphers cause OpenSSL errors due to the lack of the flag.
97 : : */
98 [ + - ][ + - ]: 2186 : return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() ? true : false);
99 : 2186 : }
100 : :
101 : : static bool s2n_composite_cipher_aes256_sha_available(void)
102 : 2185 : {
103 : : /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the
104 : : * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite
105 : : * ciphers cause OpenSSL errors due to the lack of the flag.
106 : : */
107 [ + - ][ + - ]: 2185 : return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha1() ? true : false);
108 : 2185 : }
109 : :
110 : : static bool s2n_composite_cipher_aes128_sha256_available(void)
111 : 2186 : {
112 : : /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the
113 : : * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite
114 : : * ciphers cause OpenSSL errors due to the lack of the flag.
115 : : */
116 [ + - ][ + - ]: 2186 : return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha256() ? true : false);
117 : 2186 : }
118 : :
119 : : static bool s2n_composite_cipher_aes256_sha256_available(void)
120 : 1093 : {
121 : : /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the
122 : : * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite
123 : : * ciphers cause OpenSSL errors due to the lack of the flag.
124 : : */
125 [ + - ][ + - ]: 1093 : return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha256() ? true : false);
126 : 1093 : }
127 : :
128 : : static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type,
129 : : uint16_t protocol_version, uint16_t payload_and_eiv_len, int *extra)
130 : 271537 : {
131 : : /* BoringSSL and AWS-LC(AWSLC_API_VERSION <= 17) do not support these composite ciphers with the existing EVP API, and they took out the
132 : : * constants used below. This method should never be called with BoringSSL or AWS-LC(AWSLC_API_VERSION <= 17) because the isAvaliable checked
133 : : * will fail. Instead of defining a possibly dangerous default or hard coding this to 0x16 error out with BoringSSL and AWS-LC(AWSLC_API_VERSION <= 17).
134 : : */
135 : : #if defined(OPENSSL_IS_BORINGSSL) || (defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17))
136 : : POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
137 : : #else
138 : 271537 : uint8_t ctrl_buf[S2N_TLS12_AAD_LEN];
139 : 271537 : struct s2n_blob ctrl_blob = { 0 };
140 [ - + ]: 271537 : POSIX_GUARD(s2n_blob_init(&ctrl_blob, ctrl_buf, S2N_TLS12_AAD_LEN));
141 : 271537 : struct s2n_stuffer ctrl_stuffer = { 0 };
142 [ - + ]: 271537 : POSIX_GUARD(s2n_stuffer_init(&ctrl_stuffer, &ctrl_blob));
143 : :
144 [ - + ]: 271537 : POSIX_GUARD(s2n_stuffer_write_bytes(&ctrl_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
145 [ - + ]: 271537 : POSIX_GUARD(s2n_stuffer_write_uint8(&ctrl_stuffer, content_type));
146 [ - + ]: 271537 : POSIX_GUARD(s2n_stuffer_write_uint8(&ctrl_stuffer, protocol_version / 10));
147 [ - + ]: 271537 : POSIX_GUARD(s2n_stuffer_write_uint8(&ctrl_stuffer, protocol_version % 10));
148 [ - + ]: 271537 : POSIX_GUARD(s2n_stuffer_write_uint16(&ctrl_stuffer, payload_and_eiv_len));
149 : :
150 : : /* This will unnecessarily mangle the input buffer, which is fine since it's temporary
151 : : * Return value will be length of digest, padding, and padding length byte.
152 : : * See https://github.com/openssl/openssl/blob/master/crypto/evp/e_aes_cbc_hmac_sha1.c#L814
153 : : * and https://github.com/openssl/openssl/blob/4f0c475719defd7c051964ef9964cc6e5b3a63bf/ssl/record/ssl3_record.c#L743
154 : : */
155 : 271537 : int ctrl_ret = EVP_CIPHER_CTX_ctrl(key->evp_cipher_ctx, EVP_CTRL_AEAD_TLS1_AAD, S2N_TLS12_AAD_LEN, ctrl_buf);
156 : :
157 [ - + ][ # # ]: 271537 : S2N_ERROR_IF(ctrl_ret <= 0, S2N_ERR_INITIAL_HMAC);
158 : :
159 : 271537 : *extra = ctrl_ret;
160 : 271537 : return 0;
161 : 271537 : #endif
162 : 271537 : }
163 : :
164 : : static int s2n_composite_cipher_aes_sha_encrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out)
165 : 163955 : {
166 [ - + ][ # # ]: 163955 : POSIX_ENSURE_EQ(out->size, in->size);
167 : :
168 [ - + ][ # # ]: 163955 : POSIX_GUARD_OSSL(EVP_EncryptInit_ex(key->evp_cipher_ctx, NULL, NULL, NULL, iv->data), S2N_ERR_KEY_INIT);
169 : :
170 : : /* len is set by EVP_EncryptUpdate and checked post operation */
171 : 163955 : int len = 0;
172 [ - + ][ # # ]: 163955 : POSIX_GUARD_OSSL(EVP_EncryptUpdate(key->evp_cipher_ctx, out->data, &len, in->data, in->size), S2N_ERR_ENCRYPT);
173 : :
174 [ # # ][ - + ]: 163955 : POSIX_ENSURE((int64_t) len == (int64_t) in->size, S2N_ERR_ENCRYPT);
175 : :
176 : 163955 : return 0;
177 : 163955 : }
178 : :
179 : : static int s2n_composite_cipher_aes_sha_decrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out)
180 : 107582 : {
181 [ # # ][ - + ]: 107582 : POSIX_ENSURE_EQ(out->size, in->size);
182 [ # # ][ - + ]: 107582 : POSIX_GUARD_OSSL(EVP_DecryptInit_ex(key->evp_cipher_ctx, NULL, NULL, NULL, iv->data), S2N_ERR_KEY_INIT);
183 : :
184 : : /* len is set by EVP_DecryptUpdate. It is not checked here but padding is manually removed and therefore
185 : : * the decryption operation is validated. */
186 : 107582 : int len = 0;
187 [ - + ][ # # ]: 107582 : POSIX_GUARD_OSSL(EVP_DecryptUpdate(key->evp_cipher_ctx, out->data, &len, in->data, in->size), S2N_ERR_DECRYPT);
188 : :
189 : 107582 : return 0;
190 : 107582 : }
191 : :
192 : : static int s2n_composite_cipher_aes_sha_set_mac_write_key(struct s2n_session_key *key, uint8_t *mac_key, uint32_t mac_size)
193 : 98230 : {
194 [ # # ][ - + ]: 98230 : POSIX_ENSURE_EQ(mac_size, SHA_DIGEST_LENGTH);
195 : :
196 : 98230 : EVP_CIPHER_CTX_ctrl(key->evp_cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, mac_size, mac_key);
197 : :
198 : 98230 : return 0;
199 : 98230 : }
200 : :
201 : : static int s2n_composite_cipher_aes_sha256_set_mac_write_key(struct s2n_session_key *key, uint8_t *mac_key, uint32_t mac_size)
202 : 97432 : {
203 [ - + ][ # # ]: 97432 : POSIX_ENSURE_EQ(mac_size, SHA256_DIGEST_LENGTH);
204 : :
205 : 97432 : EVP_CIPHER_CTX_ctrl(key->evp_cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, mac_size, mac_key);
206 : :
207 : 97432 : return 0;
208 : 97432 : }
209 : :
210 : : static S2N_RESULT s2n_composite_cipher_aes128_sha_set_encryption_key(struct s2n_session_key *key, struct s2n_blob *in)
211 : 24622 : {
212 [ # # ][ - + ]: 24622 : RESULT_ENSURE_EQ(in->size, 16);
213 : :
214 : 24622 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
215 : 24622 : EVP_EncryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_128_cbc_hmac_sha1(), NULL, in->data, NULL);
216 : :
217 : 24622 : return S2N_RESULT_OK;
218 : 24622 : }
219 : :
220 : : static S2N_RESULT s2n_composite_cipher_aes128_sha_set_decryption_key(struct s2n_session_key *key, struct s2n_blob *in)
221 : 24622 : {
222 [ # # ][ - + ]: 24622 : RESULT_ENSURE_EQ(in->size, 16);
223 : :
224 : 24622 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
225 : 24622 : EVP_DecryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_128_cbc_hmac_sha1(), NULL, in->data, NULL);
226 : :
227 : 24622 : return S2N_RESULT_OK;
228 : 24622 : }
229 : :
230 : : static S2N_RESULT s2n_composite_cipher_aes256_sha_set_encryption_key(struct s2n_session_key *key, struct s2n_blob *in)
231 : 24493 : {
232 [ # # ][ - + ]: 24493 : RESULT_ENSURE_EQ(in->size, 32);
233 : :
234 : 24493 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
235 : 24493 : EVP_EncryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_256_cbc_hmac_sha1(), NULL, in->data, NULL);
236 : :
237 : 24493 : return S2N_RESULT_OK;
238 : 24493 : }
239 : :
240 : : static S2N_RESULT s2n_composite_cipher_aes256_sha_set_decryption_key(struct s2n_session_key *key, struct s2n_blob *in)
241 : 24493 : {
242 [ # # ][ - + ]: 24493 : RESULT_ENSURE_EQ(in->size, 32);
243 : :
244 : 24493 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
245 : 24493 : EVP_DecryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_256_cbc_hmac_sha1(), NULL, in->data, NULL);
246 : :
247 : 24493 : return S2N_RESULT_OK;
248 : 24493 : }
249 : :
250 : : static S2N_RESULT s2n_composite_cipher_aes128_sha256_set_encryption_key(struct s2n_session_key *key, struct s2n_blob *in)
251 : 24417 : {
252 [ # # ][ - + ]: 24417 : RESULT_ENSURE_EQ(in->size, 16);
253 : :
254 : 24417 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
255 : 24417 : EVP_EncryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_128_cbc_hmac_sha256(), NULL, in->data, NULL);
256 : :
257 : 24417 : return S2N_RESULT_OK;
258 : 24417 : }
259 : :
260 : : static S2N_RESULT s2n_composite_cipher_aes128_sha256_set_decryption_key(struct s2n_session_key *key, struct s2n_blob *in)
261 : 24417 : {
262 [ - + ][ # # ]: 24417 : RESULT_ENSURE_EQ(in->size, 16);
263 : :
264 : 24417 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
265 : 24417 : EVP_DecryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_128_cbc_hmac_sha256(), NULL, in->data, NULL);
266 : :
267 : 24417 : return S2N_RESULT_OK;
268 : 24417 : }
269 : :
270 : : static S2N_RESULT s2n_composite_cipher_aes256_sha256_set_encryption_key(struct s2n_session_key *key, struct s2n_blob *in)
271 : 24299 : {
272 [ # # ][ - + ]: 24299 : RESULT_ENSURE_EQ(in->size, 32);
273 : :
274 : 24299 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
275 : 24299 : EVP_EncryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_256_cbc_hmac_sha256(), NULL, in->data, NULL);
276 : :
277 : 24299 : return S2N_RESULT_OK;
278 : 24299 : }
279 : :
280 : : static S2N_RESULT s2n_composite_cipher_aes256_sha256_set_decryption_key(struct s2n_session_key *key, struct s2n_blob *in)
281 : 24299 : {
282 [ - + ][ # # ]: 24299 : RESULT_ENSURE_EQ(in->size, 32);
283 : :
284 : 24299 : EVP_CIPHER_CTX_set_padding(key->evp_cipher_ctx, 0);
285 : 24299 : EVP_DecryptInit_ex(key->evp_cipher_ctx, s2n_evp_aes_256_cbc_hmac_sha256(), NULL, in->data, NULL);
286 : :
287 : 24299 : return S2N_RESULT_OK;
288 : 24299 : }
289 : :
290 : : static S2N_RESULT s2n_composite_cipher_aes_sha_init(struct s2n_session_key *key)
291 : 1530 : {
292 [ # # ][ - + ]: 1530 : RESULT_EVP_CTX_INIT(key->evp_cipher_ctx);
293 : :
294 : 1530 : return S2N_RESULT_OK;
295 : 1530 : }
296 : :
297 : : static S2N_RESULT s2n_composite_cipher_aes_sha_destroy_key(struct s2n_session_key *key)
298 : 388404 : {
299 : 388404 : EVP_CIPHER_CTX_cleanup(key->evp_cipher_ctx);
300 : :
301 : 388404 : return S2N_RESULT_OK;
302 : 388404 : }
303 : :
304 : : const struct s2n_cipher s2n_aes128_sha = {
305 : : .key_material_size = 16,
306 : : .type = S2N_COMPOSITE,
307 : : .io.comp = {
308 : : .block_size = 16,
309 : : .record_iv_size = 16,
310 : : .mac_key_size = SHA_DIGEST_LENGTH,
311 : : .decrypt = s2n_composite_cipher_aes_sha_decrypt,
312 : : .encrypt = s2n_composite_cipher_aes_sha_encrypt,
313 : : .set_mac_write_key = s2n_composite_cipher_aes_sha_set_mac_write_key,
314 : : .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
315 : : .is_available = s2n_composite_cipher_aes128_sha_available,
316 : : .init = s2n_composite_cipher_aes_sha_init,
317 : : .set_encryption_key = s2n_composite_cipher_aes128_sha_set_encryption_key,
318 : : .set_decryption_key = s2n_composite_cipher_aes128_sha_set_decryption_key,
319 : : .destroy_key = s2n_composite_cipher_aes_sha_destroy_key,
320 : : };
321 : :
322 : : const struct s2n_cipher s2n_aes256_sha = {
323 : : .key_material_size = 32,
324 : : .type = S2N_COMPOSITE,
325 : : .io.comp = {
326 : : .block_size = 16,
327 : : .record_iv_size = 16,
328 : : .mac_key_size = SHA_DIGEST_LENGTH,
329 : : .decrypt = s2n_composite_cipher_aes_sha_decrypt,
330 : : .encrypt = s2n_composite_cipher_aes_sha_encrypt,
331 : : .set_mac_write_key = s2n_composite_cipher_aes_sha_set_mac_write_key,
332 : : .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
333 : : .is_available = s2n_composite_cipher_aes256_sha_available,
334 : : .init = s2n_composite_cipher_aes_sha_init,
335 : : .set_encryption_key = s2n_composite_cipher_aes256_sha_set_encryption_key,
336 : : .set_decryption_key = s2n_composite_cipher_aes256_sha_set_decryption_key,
337 : : .destroy_key = s2n_composite_cipher_aes_sha_destroy_key,
338 : : };
339 : :
340 : : const struct s2n_cipher s2n_aes128_sha256 = {
341 : : .key_material_size = 16,
342 : : .type = S2N_COMPOSITE,
343 : : .io.comp = {
344 : : .block_size = 16,
345 : : .record_iv_size = 16,
346 : : .mac_key_size = SHA256_DIGEST_LENGTH,
347 : : .decrypt = s2n_composite_cipher_aes_sha_decrypt,
348 : : .encrypt = s2n_composite_cipher_aes_sha_encrypt,
349 : : .set_mac_write_key = s2n_composite_cipher_aes_sha256_set_mac_write_key,
350 : : .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
351 : : .is_available = s2n_composite_cipher_aes128_sha256_available,
352 : : .init = s2n_composite_cipher_aes_sha_init,
353 : : .set_encryption_key = s2n_composite_cipher_aes128_sha256_set_encryption_key,
354 : : .set_decryption_key = s2n_composite_cipher_aes128_sha256_set_decryption_key,
355 : : .destroy_key = s2n_composite_cipher_aes_sha_destroy_key,
356 : : };
357 : :
358 : : const struct s2n_cipher s2n_aes256_sha256 = {
359 : : .key_material_size = 32,
360 : : .type = S2N_COMPOSITE,
361 : : .io.comp = {
362 : : .block_size = 16,
363 : : .record_iv_size = 16,
364 : : .mac_key_size = SHA256_DIGEST_LENGTH,
365 : : .decrypt = s2n_composite_cipher_aes_sha_decrypt,
366 : : .encrypt = s2n_composite_cipher_aes_sha_encrypt,
367 : : .set_mac_write_key = s2n_composite_cipher_aes_sha256_set_mac_write_key,
368 : : .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
369 : : .is_available = s2n_composite_cipher_aes256_sha256_available,
370 : : .init = s2n_composite_cipher_aes_sha_init,
371 : : .set_encryption_key = s2n_composite_cipher_aes256_sha256_set_encryption_key,
372 : : .set_decryption_key = s2n_composite_cipher_aes256_sha256_set_decryption_key,
373 : : .destroy_key = s2n_composite_cipher_aes_sha_destroy_key,
374 : : };
|
