diff options
-rw-r--r-- | crypto/evp/evp_enc.c | 5 | ||||
-rw-r--r-- | crypto/evp/evp_lib.c | 4 | ||||
-rw-r--r-- | doc/man7/provider-cipher.pod | 9 | ||||
-rw-r--r-- | include/openssl/core_names.h | 1 | ||||
-rw-r--r-- | providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c | 7 | ||||
-rw-r--r-- | providers/implementations/ciphers/cipher_aes_ocb.c | 13 | ||||
-rw-r--r-- | providers/implementations/ciphers/ciphercommon.c | 8 | ||||
-rw-r--r-- | providers/implementations/ciphers/ciphercommon_ccm.c | 13 | ||||
-rw-r--r-- | providers/implementations/ciphers/ciphercommon_gcm.c | 15 | ||||
-rw-r--r-- | providers/implementations/include/prov/ciphercommon.h | 3 |
10 files changed, 72 insertions, 6 deletions
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 74d4afdac4..44108db30b 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -973,8 +973,9 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) goto end; case EVP_CTRL_GET_IV: set_params = 0; - params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV, - ptr, sz); + params[0] = + OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV_STATE, ptr, + sz); break; case EVP_CTRL_AEAD_SET_IVLEN: if (arg < 0) diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 9f2165dc59..e6902ac6f1 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -460,7 +460,7 @@ const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx) OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = - OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV, (void **)&v, + OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v, sizeof(ctx->iv)); ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); @@ -474,7 +474,7 @@ unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx) OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = - OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV, (void **)&v, + OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v, sizeof(ctx->iv)); ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index ee159ff7eb..d6d544c0ba 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -240,7 +240,14 @@ The length of the "ivlen" parameter should not exceed that of a B<size_t>. =item "iv" (B<OSSL_CIPHER_PARAM_IV>) <octet string OR octet ptr> -Gets the IV for the associated cipher ctx. +Gets the IV used to initialize the associated cipher ctx. + +=item "iv-state" (B<OSSL_CIPHER_PARAM_IV_STATE>) <octet string OR octet ptr> + +Gets the current pseudo-IV state for the associated cipher ctx, e.g., +the previous ciphertext block for CBC mode or the iteratively encrypted IV +value for OFB mode. Note that octet pointer access is deprecated and is +provided only for backwards compatibility with historical libcrypto APIs. =item "num" (B<OSSL_CIPHER_PARAM_NUM>) <unsigned integer> diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index b511571fb3..53e68e778b 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -53,6 +53,7 @@ extern "C" { #define OSSL_CIPHER_PARAM_KEYLEN "keylen" /* size_t */ #define OSSL_CIPHER_PARAM_IVLEN "ivlen" /* size_t */ #define OSSL_CIPHER_PARAM_IV "iv" /* octet_string OR octet_ptr */ +#define OSSL_CIPHER_PARAM_IV_STATE "iv-state" /* octet_string OR octet_ptr */ #define OSSL_CIPHER_PARAM_NUM "num" /* uint */ #define OSSL_CIPHER_PARAM_ROUNDS "rounds" /* uint */ #define OSSL_CIPHER_PARAM_AEAD_TAG "tag" /* octet_string */ diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index 6cf6a1b111..8f731228d9 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -234,6 +234,12 @@ static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[]) ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + if (p != NULL + && !OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } return 1; } @@ -248,6 +254,7 @@ static const OSSL_PARAM cipher_aes_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), OSSL_PARAM_END }; const OSSL_PARAM *aes_gettable_ctx_params(void *provctx) diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index 162945f922..7be5c7f5e8 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c @@ -416,6 +416,18 @@ static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[]) return 0; } } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + if (p != NULL) { + if (ctx->base.ivlen > p->data_size) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); + return 0; + } + if (!OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen) + && !OSSL_PARAM_set_octet_ptr(p, &ctx->base.iv, ctx->base.ivlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + } p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG); if (p != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) { @@ -436,6 +448,7 @@ static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_END }; diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index dd25f00db4..a5de18ab3b 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -112,6 +112,7 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), @@ -478,6 +479,13 @@ int cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[]) ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + if (p != NULL + && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen) + && !OSSL_PARAM_set_octet_string(p, &ctx->iv, ctx->ivlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_NUM); if (p != NULL && !OSSL_PARAM_set_uint(p, ctx->num)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c index 2b9a0687e3..bdbfa74d40 100644 --- a/providers/implementations/ciphers/ciphercommon_ccm.c +++ b/providers/implementations/ciphers/ciphercommon_ccm.c @@ -171,6 +171,19 @@ int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) } } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + if (p != NULL) { + if (ccm_get_ivlen(ctx) > p->data_size) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); + return 0; + } + if (!OSSL_PARAM_set_octet_string(p, ctx->iv, p->data_size) + && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, p->data_size)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c index 080fcc9bc2..415483cf2b 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c +++ b/providers/implementations/ciphers/ciphercommon_gcm.c @@ -167,6 +167,21 @@ int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) } } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + if (p != NULL) { + if (ctx->iv_gen != 1 && ctx->iv_gen_rand != 1) + return 0; + if (ctx->ivlen > p->data_size) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); + return 0; + } + if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen) + && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + } + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD); if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h index 43cec3cc2b..90f6d39d39 100644 --- a/providers/implementations/include/prov/ciphercommon.h +++ b/providers/implementations/include/prov/ciphercommon.h @@ -314,7 +314,8 @@ static const OSSL_PARAM name##_known_gettable_ctx_params[] = { \ OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), \ OSSL_PARAM_uint(OSSL_CIPHER_PARAM_PADDING, NULL), \ OSSL_PARAM_uint(OSSL_CIPHER_PARAM_NUM, NULL), \ - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), \ + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), #define CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(name) \ OSSL_PARAM_END \ |