/src/boringssl/crypto/fipsmodule/cipher/e_aes.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* ==================================================================== |
2 | | * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. |
3 | | * |
4 | | * Redistribution and use in source and binary forms, with or without |
5 | | * modification, are permitted provided that the following conditions |
6 | | * are met: |
7 | | * |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in |
13 | | * the documentation and/or other materials provided with the |
14 | | * distribution. |
15 | | * |
16 | | * 3. All advertising materials mentioning features or use of this |
17 | | * software must display the following acknowledgment: |
18 | | * "This product includes software developed by the OpenSSL Project |
19 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
20 | | * |
21 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
22 | | * endorse or promote products derived from this software without |
23 | | * prior written permission. For written permission, please contact |
24 | | * openssl-core@openssl.org. |
25 | | * |
26 | | * 5. Products derived from this software may not be called "OpenSSL" |
27 | | * nor may "OpenSSL" appear in their names without prior written |
28 | | * permission of the OpenSSL Project. |
29 | | * |
30 | | * 6. Redistributions of any form whatsoever must retain the following |
31 | | * acknowledgment: |
32 | | * "This product includes software developed by the OpenSSL Project |
33 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
34 | | * |
35 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
36 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
37 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
38 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
39 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
40 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
41 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
42 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
43 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
44 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
45 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
46 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
47 | | * ==================================================================== */ |
48 | | |
49 | | #include <assert.h> |
50 | | #include <limits.h> |
51 | | #include <string.h> |
52 | | |
53 | | #include <openssl/aead.h> |
54 | | #include <openssl/aes.h> |
55 | | #include <openssl/cipher.h> |
56 | | #include <openssl/err.h> |
57 | | #include <openssl/mem.h> |
58 | | #include <openssl/nid.h> |
59 | | |
60 | | #include "internal.h" |
61 | | #include "../../internal.h" |
62 | | #include "../aes/internal.h" |
63 | | #include "../bcm_interface.h" |
64 | | #include "../modes/internal.h" |
65 | | #include "../service_indicator/internal.h" |
66 | | #include "../delocate.h" |
67 | | |
68 | | |
69 | | OPENSSL_MSVC_PRAGMA(warning(push)) |
70 | | OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) // Unreachable code. |
71 | | |
72 | 0 | #define AES_GCM_NONCE_LENGTH 12 |
73 | | |
74 | | #if defined(BSAES) |
75 | | static void vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, |
76 | | uint8_t *out, size_t blocks, |
77 | | const AES_KEY *key, |
78 | | const uint8_t ivec[16]) { |
79 | | // |bsaes_ctr32_encrypt_blocks| is faster than |vpaes_ctr32_encrypt_blocks|, |
80 | | // but it takes at least one full 8-block batch to amortize the conversion. |
81 | | if (blocks < 8) { |
82 | | vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec); |
83 | | return; |
84 | | } |
85 | | |
86 | | size_t bsaes_blocks = blocks; |
87 | | if (bsaes_blocks % 8 < 6) { |
88 | | // |bsaes_ctr32_encrypt_blocks| internally works in 8-block batches. If the |
89 | | // final batch is too small (under six blocks), it is faster to loop over |
90 | | // |vpaes_encrypt|. Round |bsaes_blocks| down to a multiple of 8. |
91 | | bsaes_blocks -= bsaes_blocks % 8; |
92 | | } |
93 | | |
94 | | AES_KEY bsaes; |
95 | | vpaes_encrypt_key_to_bsaes(&bsaes, key); |
96 | | bsaes_ctr32_encrypt_blocks(in, out, bsaes_blocks, &bsaes, ivec); |
97 | | OPENSSL_cleanse(&bsaes, sizeof(bsaes)); |
98 | | |
99 | | in += 16 * bsaes_blocks; |
100 | | out += 16 * bsaes_blocks; |
101 | | blocks -= bsaes_blocks; |
102 | | |
103 | | uint8_t new_ivec[16]; |
104 | | memcpy(new_ivec, ivec, 12); |
105 | | uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks; |
106 | | CRYPTO_store_u32_be(new_ivec + 12, ctr); |
107 | | |
108 | | // Finish any remaining blocks with |vpaes_ctr32_encrypt_blocks|. |
109 | | vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec); |
110 | | } |
111 | | #endif // BSAES |
112 | | |
113 | | typedef struct { |
114 | | union { |
115 | | double align; |
116 | | AES_KEY ks; |
117 | | } ks; |
118 | | block128_f block; |
119 | | union { |
120 | | cbc128_f cbc; |
121 | | ctr128_f ctr; |
122 | | } stream; |
123 | | } EVP_AES_KEY; |
124 | | |
125 | | typedef struct { |
126 | | GCM128_CONTEXT gcm; |
127 | | union { |
128 | | double align; |
129 | | AES_KEY ks; |
130 | | } ks; // AES key schedule to use |
131 | | int key_set; // Set if key initialised |
132 | | int iv_set; // Set if an iv is set |
133 | | uint8_t *iv; // Temporary IV store |
134 | | int ivlen; // IV length |
135 | | int taglen; |
136 | | int iv_gen; // It is OK to generate IVs |
137 | | ctr128_f ctr; |
138 | | } EVP_AES_GCM_CTX; |
139 | | |
140 | | static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, |
141 | 0 | const uint8_t *iv, int enc) { |
142 | 0 | int ret; |
143 | 0 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
144 | 0 | const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK; |
145 | |
|
146 | 0 | if (mode == EVP_CIPH_CTR_MODE) { |
147 | 0 | switch (ctx->key_len) { |
148 | 0 | case 16: |
149 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr); |
150 | 0 | break; |
151 | | |
152 | 0 | case 32: |
153 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr); |
154 | 0 | break; |
155 | 0 | } |
156 | 0 | } |
157 | | |
158 | 0 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { |
159 | 0 | if (hwaes_capable()) { |
160 | 0 | ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
161 | 0 | dat->block = aes_hw_decrypt; |
162 | 0 | dat->stream.cbc = NULL; |
163 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
164 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; |
165 | 0 | } |
166 | 0 | } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) { |
167 | 0 | assert(vpaes_capable()); |
168 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
169 | 0 | if (ret == 0) { |
170 | 0 | vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks); |
171 | 0 | } |
172 | | // If |dat->stream.cbc| is provided, |dat->block| is never used. |
173 | 0 | dat->block = NULL; |
174 | 0 | dat->stream.cbc = bsaes_cbc_encrypt; |
175 | 0 | } else if (vpaes_capable()) { |
176 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
177 | 0 | dat->block = vpaes_decrypt; |
178 | 0 | dat->stream.cbc = NULL; |
179 | 0 | #if defined(VPAES_CBC) |
180 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
181 | 0 | dat->stream.cbc = vpaes_cbc_encrypt; |
182 | 0 | } |
183 | 0 | #endif |
184 | 0 | } else { |
185 | 0 | ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
186 | 0 | dat->block = aes_nohw_decrypt; |
187 | 0 | dat->stream.cbc = NULL; |
188 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
189 | 0 | dat->stream.cbc = aes_nohw_cbc_encrypt; |
190 | 0 | } |
191 | 0 | } |
192 | 0 | } else if (hwaes_capable()) { |
193 | 0 | ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
194 | 0 | dat->block = aes_hw_encrypt; |
195 | 0 | dat->stream.cbc = NULL; |
196 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
197 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; |
198 | 0 | } else if (mode == EVP_CIPH_CTR_MODE) { |
199 | 0 | dat->stream.ctr = aes_hw_ctr32_encrypt_blocks; |
200 | 0 | } |
201 | 0 | } else if (vpaes_capable()) { |
202 | 0 | ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
203 | 0 | dat->block = vpaes_encrypt; |
204 | 0 | dat->stream.cbc = NULL; |
205 | 0 | #if defined(VPAES_CBC) |
206 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
207 | 0 | dat->stream.cbc = vpaes_cbc_encrypt; |
208 | 0 | } |
209 | 0 | #endif |
210 | 0 | if (mode == EVP_CIPH_CTR_MODE) { |
211 | | #if defined(BSAES) |
212 | | assert(bsaes_capable()); |
213 | | dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes; |
214 | | #elif defined(VPAES_CTR32) |
215 | 0 | dat->stream.ctr = vpaes_ctr32_encrypt_blocks; |
216 | 0 | #endif |
217 | 0 | } |
218 | 0 | } else { |
219 | 0 | ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
220 | 0 | dat->block = aes_nohw_encrypt; |
221 | 0 | dat->stream.cbc = NULL; |
222 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
223 | 0 | dat->stream.cbc = aes_nohw_cbc_encrypt; |
224 | 0 | } |
225 | 0 | } |
226 | | |
227 | 0 | if (ret < 0) { |
228 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); |
229 | 0 | return 0; |
230 | 0 | } |
231 | | |
232 | 0 | return 1; |
233 | 0 | } |
234 | | |
235 | | static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
236 | 0 | size_t len) { |
237 | 0 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
238 | |
|
239 | 0 | if (dat->stream.cbc) { |
240 | 0 | (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt); |
241 | 0 | } else if (ctx->encrypt) { |
242 | 0 | CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); |
243 | 0 | } else { |
244 | 0 | CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); |
245 | 0 | } |
246 | |
|
247 | 0 | return 1; |
248 | 0 | } |
249 | | |
250 | | static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
251 | 0 | size_t len) { |
252 | 0 | size_t bl = ctx->cipher->block_size; |
253 | 0 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
254 | |
|
255 | 0 | if (len < bl) { |
256 | 0 | return 1; |
257 | 0 | } |
258 | | |
259 | 0 | len -= bl; |
260 | 0 | for (size_t i = 0; i <= len; i += bl) { |
261 | 0 | (*dat->block)(in + i, out + i, &dat->ks.ks); |
262 | 0 | } |
263 | |
|
264 | 0 | return 1; |
265 | 0 | } |
266 | | |
267 | | static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
268 | 0 | size_t len) { |
269 | 0 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
270 | |
|
271 | 0 | if (dat->stream.ctr) { |
272 | 0 | CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, |
273 | 0 | &ctx->num, dat->stream.ctr); |
274 | 0 | } else { |
275 | 0 | CRYPTO_ctr128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, |
276 | 0 | &ctx->num, dat->block); |
277 | 0 | } |
278 | 0 | return 1; |
279 | 0 | } |
280 | | |
281 | | static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
282 | 0 | size_t len) { |
283 | 0 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
284 | |
|
285 | 0 | CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num, |
286 | 0 | dat->block); |
287 | 0 | return 1; |
288 | 0 | } |
289 | | |
290 | | ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key, |
291 | | block128_f *out_block, const uint8_t *key, |
292 | 39.7k | size_t key_bytes) { |
293 | | // This function assumes the key length was previously validated. |
294 | 39.7k | assert(key_bytes == 128 / 8 || key_bytes == 192 / 8 || key_bytes == 256 / 8); |
295 | 39.7k | if (hwaes_capable()) { |
296 | 39.7k | aes_hw_set_encrypt_key(key, (int)key_bytes * 8, aes_key); |
297 | 39.7k | if (gcm_key != NULL) { |
298 | 0 | CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_hw_encrypt, 1); |
299 | 0 | } |
300 | 39.7k | if (out_block) { |
301 | 39.7k | *out_block = aes_hw_encrypt; |
302 | 39.7k | } |
303 | 39.7k | return aes_hw_ctr32_encrypt_blocks; |
304 | 39.7k | } |
305 | | |
306 | 0 | if (vpaes_capable()) { |
307 | 0 | vpaes_set_encrypt_key(key, (int)key_bytes * 8, aes_key); |
308 | 0 | if (out_block) { |
309 | 0 | *out_block = vpaes_encrypt; |
310 | 0 | } |
311 | 0 | if (gcm_key != NULL) { |
312 | 0 | CRYPTO_gcm128_init_key(gcm_key, aes_key, vpaes_encrypt, 0); |
313 | 0 | } |
314 | | #if defined(BSAES) |
315 | | assert(bsaes_capable()); |
316 | | return vpaes_ctr32_encrypt_blocks_with_bsaes; |
317 | | #elif defined(VPAES_CTR32) |
318 | 0 | return vpaes_ctr32_encrypt_blocks; |
319 | | #else |
320 | | return NULL; |
321 | | #endif |
322 | 0 | } |
323 | | |
324 | 0 | aes_nohw_set_encrypt_key(key, (int)key_bytes * 8, aes_key); |
325 | 0 | if (gcm_key != NULL) { |
326 | 0 | CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_nohw_encrypt, 0); |
327 | 0 | } |
328 | 0 | if (out_block) { |
329 | 0 | *out_block = aes_nohw_encrypt; |
330 | 0 | } |
331 | 0 | return aes_nohw_ctr32_encrypt_blocks; |
332 | 0 | } |
333 | | |
334 | | #if defined(OPENSSL_32_BIT) |
335 | | #define EVP_AES_GCM_CTX_PADDING (4+8) |
336 | | #else |
337 | 0 | #define EVP_AES_GCM_CTX_PADDING 8 |
338 | | #endif |
339 | | |
340 | 0 | static EVP_AES_GCM_CTX *aes_gcm_from_cipher_ctx(EVP_CIPHER_CTX *ctx) { |
341 | 0 | static_assert( |
342 | 0 | alignof(EVP_AES_GCM_CTX) <= 16, |
343 | 0 | "EVP_AES_GCM_CTX needs more alignment than this function provides"); |
344 | | |
345 | | // |malloc| guarantees up to 4-byte alignment on 32-bit and 8-byte alignment |
346 | | // on 64-bit systems, so we need to adjust to reach 16-byte alignment. |
347 | 0 | assert(ctx->cipher->ctx_size == |
348 | 0 | sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING); |
349 | | |
350 | 0 | char *ptr = ctx->cipher_data; |
351 | | #if defined(OPENSSL_32_BIT) |
352 | | assert((uintptr_t)ptr % 4 == 0); |
353 | | ptr += (uintptr_t)ptr & 4; |
354 | | #endif |
355 | 0 | assert((uintptr_t)ptr % 8 == 0); |
356 | 0 | ptr += (uintptr_t)ptr & 8; |
357 | 0 | return (EVP_AES_GCM_CTX *)ptr; |
358 | 0 | } |
359 | | |
360 | | static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, |
361 | 0 | const uint8_t *iv, int enc) { |
362 | 0 | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx); |
363 | 0 | if (!iv && !key) { |
364 | 0 | return 1; |
365 | 0 | } |
366 | | |
367 | 0 | switch (ctx->key_len) { |
368 | 0 | case 16: |
369 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm); |
370 | 0 | break; |
371 | | |
372 | 0 | case 32: |
373 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm); |
374 | 0 | break; |
375 | 0 | } |
376 | | |
377 | 0 | if (key) { |
378 | 0 | OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm)); |
379 | 0 | gctx->ctr = aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm.gcm_key, NULL, key, |
380 | 0 | ctx->key_len); |
381 | | // If we have an iv can set it directly, otherwise use saved IV. |
382 | 0 | if (iv == NULL && gctx->iv_set) { |
383 | 0 | iv = gctx->iv; |
384 | 0 | } |
385 | 0 | if (iv) { |
386 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen); |
387 | 0 | gctx->iv_set = 1; |
388 | 0 | } |
389 | 0 | gctx->key_set = 1; |
390 | 0 | } else { |
391 | | // If key set use IV, otherwise copy |
392 | 0 | if (gctx->key_set) { |
393 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen); |
394 | 0 | } else { |
395 | 0 | OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen); |
396 | 0 | } |
397 | 0 | gctx->iv_set = 1; |
398 | 0 | gctx->iv_gen = 0; |
399 | 0 | } |
400 | 0 | return 1; |
401 | 0 | } |
402 | | |
403 | 0 | static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) { |
404 | 0 | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c); |
405 | 0 | OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); |
406 | 0 | if (gctx->iv != c->iv) { |
407 | 0 | OPENSSL_free(gctx->iv); |
408 | 0 | } |
409 | 0 | } |
410 | | |
411 | 0 | static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { |
412 | 0 | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c); |
413 | 0 | switch (type) { |
414 | 0 | case EVP_CTRL_INIT: |
415 | 0 | gctx->key_set = 0; |
416 | 0 | gctx->iv_set = 0; |
417 | 0 | gctx->ivlen = c->cipher->iv_len; |
418 | 0 | gctx->iv = c->iv; |
419 | 0 | gctx->taglen = -1; |
420 | 0 | gctx->iv_gen = 0; |
421 | 0 | return 1; |
422 | | |
423 | 0 | case EVP_CTRL_AEAD_SET_IVLEN: |
424 | 0 | if (arg <= 0) { |
425 | 0 | return 0; |
426 | 0 | } |
427 | | |
428 | | // Allocate memory for IV if needed |
429 | 0 | if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) { |
430 | 0 | if (gctx->iv != c->iv) { |
431 | 0 | OPENSSL_free(gctx->iv); |
432 | 0 | } |
433 | 0 | gctx->iv = OPENSSL_malloc(arg); |
434 | 0 | if (!gctx->iv) { |
435 | 0 | return 0; |
436 | 0 | } |
437 | 0 | } |
438 | 0 | gctx->ivlen = arg; |
439 | 0 | return 1; |
440 | | |
441 | 0 | case EVP_CTRL_GET_IVLEN: |
442 | 0 | *(int *)ptr = gctx->ivlen; |
443 | 0 | return 1; |
444 | | |
445 | 0 | case EVP_CTRL_AEAD_SET_TAG: |
446 | 0 | if (arg <= 0 || arg > 16 || c->encrypt) { |
447 | 0 | return 0; |
448 | 0 | } |
449 | 0 | OPENSSL_memcpy(c->buf, ptr, arg); |
450 | 0 | gctx->taglen = arg; |
451 | 0 | return 1; |
452 | | |
453 | 0 | case EVP_CTRL_AEAD_GET_TAG: |
454 | 0 | if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) { |
455 | 0 | return 0; |
456 | 0 | } |
457 | 0 | OPENSSL_memcpy(ptr, c->buf, arg); |
458 | 0 | return 1; |
459 | | |
460 | 0 | case EVP_CTRL_AEAD_SET_IV_FIXED: |
461 | | // Special case: -1 length restores whole IV |
462 | 0 | if (arg == -1) { |
463 | 0 | OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen); |
464 | 0 | gctx->iv_gen = 1; |
465 | 0 | return 1; |
466 | 0 | } |
467 | | // Fixed field must be at least 4 bytes and invocation field |
468 | | // at least 8. |
469 | 0 | if (arg < 4 || (gctx->ivlen - arg) < 8) { |
470 | 0 | return 0; |
471 | 0 | } |
472 | 0 | OPENSSL_memcpy(gctx->iv, ptr, arg); |
473 | 0 | if (c->encrypt) { |
474 | | // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with |
475 | | // state lock functions to avoid updating the service indicator with the |
476 | | // DRBG functions. |
477 | 0 | FIPS_service_indicator_lock_state(); |
478 | 0 | BCM_rand_bytes(gctx->iv + arg, gctx->ivlen - arg); |
479 | 0 | FIPS_service_indicator_unlock_state(); |
480 | 0 | } |
481 | 0 | gctx->iv_gen = 1; |
482 | 0 | return 1; |
483 | | |
484 | 0 | case EVP_CTRL_GCM_IV_GEN: { |
485 | 0 | if (gctx->iv_gen == 0 || gctx->key_set == 0) { |
486 | 0 | return 0; |
487 | 0 | } |
488 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen); |
489 | 0 | if (arg <= 0 || arg > gctx->ivlen) { |
490 | 0 | arg = gctx->ivlen; |
491 | 0 | } |
492 | 0 | OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); |
493 | | // Invocation field will be at least 8 bytes in size, so no need to check |
494 | | // wrap around or increment more than last 8 bytes. |
495 | 0 | uint8_t *ctr = gctx->iv + gctx->ivlen - 8; |
496 | 0 | CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1); |
497 | 0 | gctx->iv_set = 1; |
498 | 0 | return 1; |
499 | 0 | } |
500 | | |
501 | 0 | case EVP_CTRL_GCM_SET_IV_INV: |
502 | 0 | if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) { |
503 | 0 | return 0; |
504 | 0 | } |
505 | 0 | OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); |
506 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen); |
507 | 0 | gctx->iv_set = 1; |
508 | 0 | return 1; |
509 | | |
510 | 0 | case EVP_CTRL_COPY: { |
511 | 0 | EVP_CIPHER_CTX *out = ptr; |
512 | 0 | EVP_AES_GCM_CTX *gctx_out = aes_gcm_from_cipher_ctx(out); |
513 | | // |EVP_CIPHER_CTX_copy| copies this generically, but we must redo it in |
514 | | // case |out->cipher_data| and |in->cipher_data| are differently aligned. |
515 | 0 | OPENSSL_memcpy(gctx_out, gctx, sizeof(EVP_AES_GCM_CTX)); |
516 | 0 | if (gctx->iv == c->iv) { |
517 | 0 | gctx_out->iv = out->iv; |
518 | 0 | } else { |
519 | 0 | gctx_out->iv = OPENSSL_memdup(gctx->iv, gctx->ivlen); |
520 | 0 | if (!gctx_out->iv) { |
521 | 0 | return 0; |
522 | 0 | } |
523 | 0 | } |
524 | 0 | return 1; |
525 | 0 | } |
526 | | |
527 | 0 | default: |
528 | 0 | return -1; |
529 | 0 | } |
530 | 0 | } |
531 | | |
532 | | static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
533 | 0 | size_t len) { |
534 | 0 | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx); |
535 | | |
536 | | // If not set up, return error |
537 | 0 | if (!gctx->key_set) { |
538 | 0 | return -1; |
539 | 0 | } |
540 | 0 | if (!gctx->iv_set) { |
541 | 0 | return -1; |
542 | 0 | } |
543 | | |
544 | 0 | if (len > INT_MAX) { |
545 | | // This function signature can only express up to |INT_MAX| bytes encrypted. |
546 | | // |
547 | | // TODO(https://crbug.com/boringssl/494): Make the internal |EVP_CIPHER| |
548 | | // calling convention |size_t|-clean. |
549 | 0 | return -1; |
550 | 0 | } |
551 | | |
552 | 0 | if (in) { |
553 | 0 | if (out == NULL) { |
554 | 0 | if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) { |
555 | 0 | return -1; |
556 | 0 | } |
557 | 0 | } else if (ctx->encrypt) { |
558 | 0 | if (gctx->ctr) { |
559 | 0 | if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len, |
560 | 0 | gctx->ctr)) { |
561 | 0 | return -1; |
562 | 0 | } |
563 | 0 | } else { |
564 | 0 | if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) { |
565 | 0 | return -1; |
566 | 0 | } |
567 | 0 | } |
568 | 0 | } else { |
569 | 0 | if (gctx->ctr) { |
570 | 0 | if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len, |
571 | 0 | gctx->ctr)) { |
572 | 0 | return -1; |
573 | 0 | } |
574 | 0 | } else { |
575 | 0 | if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) { |
576 | 0 | return -1; |
577 | 0 | } |
578 | 0 | } |
579 | 0 | } |
580 | 0 | return (int)len; |
581 | 0 | } else { |
582 | 0 | if (!ctx->encrypt) { |
583 | 0 | if (gctx->taglen < 0 || |
584 | 0 | !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) { |
585 | 0 | return -1; |
586 | 0 | } |
587 | 0 | gctx->iv_set = 0; |
588 | 0 | return 0; |
589 | 0 | } |
590 | 0 | CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); |
591 | 0 | gctx->taglen = 16; |
592 | | // Don't reuse the IV |
593 | 0 | gctx->iv_set = 0; |
594 | 0 | return 0; |
595 | 0 | } |
596 | 0 | } |
597 | | |
598 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_cbc) { |
599 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
600 | |
|
601 | 0 | out->nid = NID_aes_128_cbc; |
602 | 0 | out->block_size = 16; |
603 | 0 | out->key_len = 16; |
604 | 0 | out->iv_len = 16; |
605 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
606 | 0 | out->flags = EVP_CIPH_CBC_MODE; |
607 | 0 | out->init = aes_init_key; |
608 | 0 | out->cipher = aes_cbc_cipher; |
609 | 0 | } |
610 | | |
611 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ctr) { |
612 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
613 | |
|
614 | 0 | out->nid = NID_aes_128_ctr; |
615 | 0 | out->block_size = 1; |
616 | 0 | out->key_len = 16; |
617 | 0 | out->iv_len = 16; |
618 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
619 | 0 | out->flags = EVP_CIPH_CTR_MODE; |
620 | 0 | out->init = aes_init_key; |
621 | 0 | out->cipher = aes_ctr_cipher; |
622 | 0 | } |
623 | | |
624 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ecb_generic) { |
625 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
626 | |
|
627 | 0 | out->nid = NID_aes_128_ecb; |
628 | 0 | out->block_size = 16; |
629 | 0 | out->key_len = 16; |
630 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
631 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
632 | 0 | out->init = aes_init_key; |
633 | 0 | out->cipher = aes_ecb_cipher; |
634 | 0 | } |
635 | | |
636 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ofb) { |
637 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
638 | |
|
639 | 0 | out->nid = NID_aes_128_ofb128; |
640 | 0 | out->block_size = 1; |
641 | 0 | out->key_len = 16; |
642 | 0 | out->iv_len = 16; |
643 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
644 | 0 | out->flags = EVP_CIPH_OFB_MODE; |
645 | 0 | out->init = aes_init_key; |
646 | 0 | out->cipher = aes_ofb_cipher; |
647 | 0 | } |
648 | | |
649 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_gcm) { |
650 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
651 | |
|
652 | 0 | out->nid = NID_aes_128_gcm; |
653 | 0 | out->block_size = 1; |
654 | 0 | out->key_len = 16; |
655 | 0 | out->iv_len = AES_GCM_NONCE_LENGTH; |
656 | 0 | out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING; |
657 | 0 | out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | |
658 | 0 | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | |
659 | 0 | EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; |
660 | 0 | out->init = aes_gcm_init_key; |
661 | 0 | out->cipher = aes_gcm_cipher; |
662 | 0 | out->cleanup = aes_gcm_cleanup; |
663 | 0 | out->ctrl = aes_gcm_ctrl; |
664 | 0 | } |
665 | | |
666 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_cbc) { |
667 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
668 | |
|
669 | 0 | out->nid = NID_aes_192_cbc; |
670 | 0 | out->block_size = 16; |
671 | 0 | out->key_len = 24; |
672 | 0 | out->iv_len = 16; |
673 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
674 | 0 | out->flags = EVP_CIPH_CBC_MODE; |
675 | 0 | out->init = aes_init_key; |
676 | 0 | out->cipher = aes_cbc_cipher; |
677 | 0 | } |
678 | | |
679 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ctr) { |
680 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
681 | |
|
682 | 0 | out->nid = NID_aes_192_ctr; |
683 | 0 | out->block_size = 1; |
684 | 0 | out->key_len = 24; |
685 | 0 | out->iv_len = 16; |
686 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
687 | 0 | out->flags = EVP_CIPH_CTR_MODE; |
688 | 0 | out->init = aes_init_key; |
689 | 0 | out->cipher = aes_ctr_cipher; |
690 | 0 | } |
691 | | |
692 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ecb_generic) { |
693 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
694 | |
|
695 | 0 | out->nid = NID_aes_192_ecb; |
696 | 0 | out->block_size = 16; |
697 | 0 | out->key_len = 24; |
698 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
699 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
700 | 0 | out->init = aes_init_key; |
701 | 0 | out->cipher = aes_ecb_cipher; |
702 | 0 | } |
703 | | |
704 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ofb) { |
705 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
706 | |
|
707 | 0 | out->nid = NID_aes_192_ofb128; |
708 | 0 | out->block_size = 1; |
709 | 0 | out->key_len = 24; |
710 | 0 | out->iv_len = 16; |
711 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
712 | 0 | out->flags = EVP_CIPH_OFB_MODE; |
713 | 0 | out->init = aes_init_key; |
714 | 0 | out->cipher = aes_ofb_cipher; |
715 | 0 | } |
716 | | |
717 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_gcm) { |
718 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
719 | |
|
720 | 0 | out->nid = NID_aes_192_gcm; |
721 | 0 | out->block_size = 1; |
722 | 0 | out->key_len = 24; |
723 | 0 | out->iv_len = AES_GCM_NONCE_LENGTH; |
724 | 0 | out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING; |
725 | 0 | out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | |
726 | 0 | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | |
727 | 0 | EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; |
728 | 0 | out->init = aes_gcm_init_key; |
729 | 0 | out->cipher = aes_gcm_cipher; |
730 | 0 | out->cleanup = aes_gcm_cleanup; |
731 | 0 | out->ctrl = aes_gcm_ctrl; |
732 | 0 | } |
733 | | |
734 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_cbc) { |
735 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
736 | |
|
737 | 0 | out->nid = NID_aes_256_cbc; |
738 | 0 | out->block_size = 16; |
739 | 0 | out->key_len = 32; |
740 | 0 | out->iv_len = 16; |
741 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
742 | 0 | out->flags = EVP_CIPH_CBC_MODE; |
743 | 0 | out->init = aes_init_key; |
744 | 0 | out->cipher = aes_cbc_cipher; |
745 | 0 | } |
746 | | |
747 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ctr) { |
748 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
749 | |
|
750 | 0 | out->nid = NID_aes_256_ctr; |
751 | 0 | out->block_size = 1; |
752 | 0 | out->key_len = 32; |
753 | 0 | out->iv_len = 16; |
754 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
755 | 0 | out->flags = EVP_CIPH_CTR_MODE; |
756 | 0 | out->init = aes_init_key; |
757 | 0 | out->cipher = aes_ctr_cipher; |
758 | 0 | } |
759 | | |
760 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ecb_generic) { |
761 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
762 | |
|
763 | 0 | out->nid = NID_aes_256_ecb; |
764 | 0 | out->block_size = 16; |
765 | 0 | out->key_len = 32; |
766 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
767 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
768 | 0 | out->init = aes_init_key; |
769 | 0 | out->cipher = aes_ecb_cipher; |
770 | 0 | } |
771 | | |
772 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ofb) { |
773 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
774 | |
|
775 | 0 | out->nid = NID_aes_256_ofb128; |
776 | 0 | out->block_size = 1; |
777 | 0 | out->key_len = 32; |
778 | 0 | out->iv_len = 16; |
779 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
780 | 0 | out->flags = EVP_CIPH_OFB_MODE; |
781 | 0 | out->init = aes_init_key; |
782 | 0 | out->cipher = aes_ofb_cipher; |
783 | 0 | } |
784 | | |
785 | 0 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_gcm) { |
786 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
787 | |
|
788 | 0 | out->nid = NID_aes_256_gcm; |
789 | 0 | out->block_size = 1; |
790 | 0 | out->key_len = 32; |
791 | 0 | out->iv_len = AES_GCM_NONCE_LENGTH; |
792 | 0 | out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING; |
793 | 0 | out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | |
794 | 0 | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | |
795 | 0 | EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; |
796 | 0 | out->init = aes_gcm_init_key; |
797 | 0 | out->cipher = aes_gcm_cipher; |
798 | 0 | out->cleanup = aes_gcm_cleanup; |
799 | 0 | out->ctrl = aes_gcm_ctrl; |
800 | 0 | } |
801 | | |
802 | | #if defined(HWAES_ECB) |
803 | | |
804 | | static int aes_hw_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, |
805 | 0 | const uint8_t *in, size_t len) { |
806 | 0 | size_t bl = ctx->cipher->block_size; |
807 | |
|
808 | 0 | if (len < bl) { |
809 | 0 | return 1; |
810 | 0 | } |
811 | | |
812 | 0 | aes_hw_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); |
813 | |
|
814 | 0 | return 1; |
815 | 0 | } |
816 | | |
817 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_128_ecb) { |
818 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
819 | |
|
820 | 0 | out->nid = NID_aes_128_ecb; |
821 | 0 | out->block_size = 16; |
822 | 0 | out->key_len = 16; |
823 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
824 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
825 | 0 | out->init = aes_init_key; |
826 | 0 | out->cipher = aes_hw_ecb_cipher; |
827 | 0 | } |
828 | | |
829 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_192_ecb) { |
830 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
831 | |
|
832 | 0 | out->nid = NID_aes_192_ecb; |
833 | 0 | out->block_size = 16; |
834 | 0 | out->key_len = 24; |
835 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
836 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
837 | 0 | out->init = aes_init_key; |
838 | 0 | out->cipher = aes_hw_ecb_cipher; |
839 | 0 | } |
840 | | |
841 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_256_ecb) { |
842 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
843 | |
|
844 | 0 | out->nid = NID_aes_256_ecb; |
845 | 0 | out->block_size = 16; |
846 | 0 | out->key_len = 32; |
847 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
848 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
849 | 0 | out->init = aes_init_key; |
850 | 0 | out->cipher = aes_hw_ecb_cipher; |
851 | 0 | } |
852 | | |
853 | | #define EVP_ECB_CIPHER_FUNCTION(keybits) \ |
854 | | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ |
855 | | if (hwaes_capable()) { \ |
856 | | return aes_hw_##keybits##_ecb(); \ |
857 | | } \ |
858 | | return aes_##keybits##_ecb_generic(); \ |
859 | | } |
860 | | |
861 | | #else |
862 | | |
863 | | #define EVP_ECB_CIPHER_FUNCTION(keybits) \ |
864 | | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ |
865 | | return aes_##keybits##_ecb_generic(); \ |
866 | | } |
867 | | |
868 | | #endif // HWAES_ECB |
869 | | |
870 | | EVP_ECB_CIPHER_FUNCTION(128) |
871 | | EVP_ECB_CIPHER_FUNCTION(192) |
872 | | EVP_ECB_CIPHER_FUNCTION(256) |
873 | | |
874 | | |
875 | 0 | #define EVP_AEAD_AES_GCM_TAG_LEN 16 |
876 | | |
877 | | struct aead_aes_gcm_ctx { |
878 | | union { |
879 | | double align; |
880 | | AES_KEY ks; |
881 | | } ks; |
882 | | GCM128_KEY gcm_key; |
883 | | ctr128_f ctr; |
884 | | }; |
885 | | |
886 | | static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx, |
887 | | size_t *out_tag_len, const uint8_t *key, |
888 | 0 | size_t key_len, size_t tag_len) { |
889 | 0 | const size_t key_bits = key_len * 8; |
890 | |
|
891 | 0 | switch (key_bits) { |
892 | 0 | case 128: |
893 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm); |
894 | 0 | break; |
895 | | |
896 | 0 | case 256: |
897 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm); |
898 | 0 | break; |
899 | 0 | } |
900 | | |
901 | 0 | if (key_bits != 128 && key_bits != 192 && key_bits != 256) { |
902 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); |
903 | 0 | return 0; // EVP_AEAD_CTX_init should catch this. |
904 | 0 | } |
905 | | |
906 | 0 | if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { |
907 | 0 | tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
908 | 0 | } |
909 | |
|
910 | 0 | if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { |
911 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); |
912 | 0 | return 0; |
913 | 0 | } |
914 | | |
915 | 0 | gcm_ctx->ctr = |
916 | 0 | aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL, key, key_len); |
917 | 0 | *out_tag_len = tag_len; |
918 | 0 | return 1; |
919 | 0 | } |
920 | | |
921 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
922 | | sizeof(struct aead_aes_gcm_ctx), |
923 | | "AEAD state is too small"); |
924 | | static_assert(alignof(union evp_aead_ctx_st_state) >= |
925 | | alignof(struct aead_aes_gcm_ctx), |
926 | | "AEAD state has insufficient alignment"); |
927 | | |
928 | | static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
929 | 0 | size_t key_len, size_t requested_tag_len) { |
930 | 0 | struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *) &ctx->state; |
931 | |
|
932 | 0 | size_t actual_tag_len; |
933 | 0 | if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len, |
934 | 0 | requested_tag_len)) { |
935 | 0 | return 0; |
936 | 0 | } |
937 | | |
938 | 0 | ctx->tag_len = actual_tag_len; |
939 | 0 | return 1; |
940 | 0 | } |
941 | | |
942 | 0 | static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {} |
943 | | |
944 | | static int aead_aes_gcm_seal_scatter_impl( |
945 | | const struct aead_aes_gcm_ctx *gcm_ctx, |
946 | | uint8_t *out, uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len, |
947 | | const uint8_t *nonce, size_t nonce_len, |
948 | | const uint8_t *in, size_t in_len, |
949 | | const uint8_t *extra_in, size_t extra_in_len, |
950 | | const uint8_t *ad, size_t ad_len, |
951 | 0 | size_t tag_len) { |
952 | 0 | if (extra_in_len + tag_len < tag_len) { |
953 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
954 | 0 | return 0; |
955 | 0 | } |
956 | 0 | if (max_out_tag_len < extra_in_len + tag_len) { |
957 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
958 | 0 | return 0; |
959 | 0 | } |
960 | 0 | if (nonce_len == 0) { |
961 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
962 | 0 | return 0; |
963 | 0 | } |
964 | | |
965 | 0 | const AES_KEY *key = &gcm_ctx->ks.ks; |
966 | |
|
967 | 0 | GCM128_CONTEXT gcm; |
968 | 0 | OPENSSL_memset(&gcm, 0, sizeof(gcm)); |
969 | 0 | OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key)); |
970 | 0 | CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len); |
971 | |
|
972 | 0 | if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) { |
973 | 0 | return 0; |
974 | 0 | } |
975 | | |
976 | 0 | if (gcm_ctx->ctr) { |
977 | 0 | if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len, |
978 | 0 | gcm_ctx->ctr)) { |
979 | 0 | return 0; |
980 | 0 | } |
981 | 0 | } else { |
982 | 0 | if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) { |
983 | 0 | return 0; |
984 | 0 | } |
985 | 0 | } |
986 | | |
987 | 0 | if (extra_in_len) { |
988 | 0 | if (gcm_ctx->ctr) { |
989 | 0 | if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, extra_in, out_tag, |
990 | 0 | extra_in_len, gcm_ctx->ctr)) { |
991 | 0 | return 0; |
992 | 0 | } |
993 | 0 | } else { |
994 | 0 | if (!CRYPTO_gcm128_encrypt(&gcm, key, extra_in, out_tag, extra_in_len)) { |
995 | 0 | return 0; |
996 | 0 | } |
997 | 0 | } |
998 | 0 | } |
999 | | |
1000 | 0 | CRYPTO_gcm128_tag(&gcm, out_tag + extra_in_len, tag_len); |
1001 | 0 | *out_tag_len = tag_len + extra_in_len; |
1002 | |
|
1003 | 0 | return 1; |
1004 | 0 | } |
1005 | | |
1006 | | static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out, |
1007 | | uint8_t *out_tag, size_t *out_tag_len, |
1008 | | size_t max_out_tag_len, |
1009 | | const uint8_t *nonce, size_t nonce_len, |
1010 | | const uint8_t *in, size_t in_len, |
1011 | | const uint8_t *extra_in, |
1012 | | size_t extra_in_len, |
1013 | 0 | const uint8_t *ad, size_t ad_len) { |
1014 | 0 | const struct aead_aes_gcm_ctx *gcm_ctx = |
1015 | 0 | (const struct aead_aes_gcm_ctx *)&ctx->state; |
1016 | 0 | return aead_aes_gcm_seal_scatter_impl( |
1017 | 0 | gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, nonce, nonce_len, in, |
1018 | 0 | in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len); |
1019 | 0 | } |
1020 | | |
1021 | | static int aead_aes_gcm_open_gather_impl(const struct aead_aes_gcm_ctx *gcm_ctx, |
1022 | | uint8_t *out, |
1023 | | const uint8_t *nonce, size_t nonce_len, |
1024 | | const uint8_t *in, size_t in_len, |
1025 | | const uint8_t *in_tag, |
1026 | | size_t in_tag_len, |
1027 | | const uint8_t *ad, size_t ad_len, |
1028 | 0 | size_t tag_len) { |
1029 | 0 | uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN]; |
1030 | |
|
1031 | 0 | if (nonce_len == 0) { |
1032 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
1033 | 0 | return 0; |
1034 | 0 | } |
1035 | | |
1036 | 0 | if (in_tag_len != tag_len) { |
1037 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
1038 | 0 | return 0; |
1039 | 0 | } |
1040 | | |
1041 | 0 | const AES_KEY *key = &gcm_ctx->ks.ks; |
1042 | |
|
1043 | 0 | GCM128_CONTEXT gcm; |
1044 | 0 | OPENSSL_memset(&gcm, 0, sizeof(gcm)); |
1045 | 0 | OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key)); |
1046 | 0 | CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len); |
1047 | |
|
1048 | 0 | if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) { |
1049 | 0 | return 0; |
1050 | 0 | } |
1051 | | |
1052 | 0 | if (gcm_ctx->ctr) { |
1053 | 0 | if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out, in_len, |
1054 | 0 | gcm_ctx->ctr)) { |
1055 | 0 | return 0; |
1056 | 0 | } |
1057 | 0 | } else { |
1058 | 0 | if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len)) { |
1059 | 0 | return 0; |
1060 | 0 | } |
1061 | 0 | } |
1062 | | |
1063 | 0 | CRYPTO_gcm128_tag(&gcm, tag, tag_len); |
1064 | 0 | if (CRYPTO_memcmp(tag, in_tag, tag_len) != 0) { |
1065 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
1066 | 0 | return 0; |
1067 | 0 | } |
1068 | | |
1069 | 0 | return 1; |
1070 | 0 | } |
1071 | | |
1072 | | static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, |
1073 | | const uint8_t *nonce, size_t nonce_len, |
1074 | | const uint8_t *in, size_t in_len, |
1075 | | const uint8_t *in_tag, size_t in_tag_len, |
1076 | 0 | const uint8_t *ad, size_t ad_len) { |
1077 | 0 | struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state; |
1078 | 0 | if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len, |
1079 | 0 | in_tag, in_tag_len, ad, ad_len, |
1080 | 0 | ctx->tag_len)) { |
1081 | 0 | return 0; |
1082 | 0 | } |
1083 | | |
1084 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1085 | 0 | return 1; |
1086 | 0 | } |
1087 | | |
1088 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) { |
1089 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1090 | |
|
1091 | 0 | out->key_len = 16; |
1092 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1093 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1094 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1095 | 0 | out->seal_scatter_supports_extra_in = 1; |
1096 | |
|
1097 | 0 | out->init = aead_aes_gcm_init; |
1098 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1099 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter; |
1100 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1101 | 0 | } |
1102 | | |
1103 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_192_gcm) { |
1104 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1105 | |
|
1106 | 0 | out->key_len = 24; |
1107 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1108 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1109 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1110 | 0 | out->seal_scatter_supports_extra_in = 1; |
1111 | |
|
1112 | 0 | out->init = aead_aes_gcm_init; |
1113 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1114 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter; |
1115 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1116 | 0 | } |
1117 | | |
1118 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) { |
1119 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1120 | |
|
1121 | 0 | out->key_len = 32; |
1122 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1123 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1124 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1125 | 0 | out->seal_scatter_supports_extra_in = 1; |
1126 | |
|
1127 | 0 | out->init = aead_aes_gcm_init; |
1128 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1129 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter; |
1130 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1131 | 0 | } |
1132 | | |
1133 | | static int aead_aes_gcm_init_randnonce(EVP_AEAD_CTX *ctx, const uint8_t *key, |
1134 | | size_t key_len, |
1135 | 0 | size_t requested_tag_len) { |
1136 | 0 | if (requested_tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH) { |
1137 | 0 | if (requested_tag_len < AES_GCM_NONCE_LENGTH) { |
1138 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
1139 | 0 | return 0; |
1140 | 0 | } |
1141 | 0 | requested_tag_len -= AES_GCM_NONCE_LENGTH; |
1142 | 0 | } |
1143 | | |
1144 | 0 | if (!aead_aes_gcm_init(ctx, key, key_len, requested_tag_len)) { |
1145 | 0 | return 0; |
1146 | 0 | } |
1147 | | |
1148 | 0 | ctx->tag_len += AES_GCM_NONCE_LENGTH; |
1149 | 0 | return 1; |
1150 | 0 | } |
1151 | | |
1152 | | static int aead_aes_gcm_seal_scatter_randnonce( |
1153 | | const EVP_AEAD_CTX *ctx, |
1154 | | uint8_t *out, uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len, |
1155 | | const uint8_t *external_nonce, size_t external_nonce_len, |
1156 | | const uint8_t *in, size_t in_len, |
1157 | | const uint8_t *extra_in, size_t extra_in_len, |
1158 | 0 | const uint8_t *ad, size_t ad_len) { |
1159 | 0 | if (external_nonce_len != 0) { |
1160 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
1161 | 0 | return 0; |
1162 | 0 | } |
1163 | | |
1164 | 0 | uint8_t nonce[AES_GCM_NONCE_LENGTH]; |
1165 | 0 | if (max_out_tag_len < sizeof(nonce)) { |
1166 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
1167 | 0 | return 0; |
1168 | 0 | } |
1169 | | |
1170 | | // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state |
1171 | | // lock functions to avoid updating the service indicator with the DRBG |
1172 | | // functions. |
1173 | 0 | FIPS_service_indicator_lock_state(); |
1174 | 0 | BCM_rand_bytes(nonce, sizeof(nonce)); |
1175 | 0 | FIPS_service_indicator_unlock_state(); |
1176 | |
|
1177 | 0 | const struct aead_aes_gcm_ctx *gcm_ctx = |
1178 | 0 | (const struct aead_aes_gcm_ctx *)&ctx->state; |
1179 | 0 | if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len, |
1180 | 0 | max_out_tag_len - AES_GCM_NONCE_LENGTH, |
1181 | 0 | nonce, sizeof(nonce), in, in_len, |
1182 | 0 | extra_in, extra_in_len, ad, ad_len, |
1183 | 0 | ctx->tag_len - AES_GCM_NONCE_LENGTH)) { |
1184 | 0 | return 0; |
1185 | 0 | } |
1186 | | |
1187 | 0 | assert(*out_tag_len + sizeof(nonce) <= max_out_tag_len); |
1188 | 0 | memcpy(out_tag + *out_tag_len, nonce, sizeof(nonce)); |
1189 | 0 | *out_tag_len += sizeof(nonce); |
1190 | |
|
1191 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1192 | 0 | return 1; |
1193 | 0 | } |
1194 | | |
1195 | | static int aead_aes_gcm_open_gather_randnonce( |
1196 | | const EVP_AEAD_CTX *ctx, uint8_t *out, |
1197 | | const uint8_t *external_nonce, size_t external_nonce_len, |
1198 | | const uint8_t *in, size_t in_len, |
1199 | | const uint8_t *in_tag, size_t in_tag_len, |
1200 | 0 | const uint8_t *ad, size_t ad_len) { |
1201 | 0 | if (external_nonce_len != 0) { |
1202 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
1203 | 0 | return 0; |
1204 | 0 | } |
1205 | | |
1206 | 0 | if (in_tag_len < AES_GCM_NONCE_LENGTH) { |
1207 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
1208 | 0 | return 0; |
1209 | 0 | } |
1210 | 0 | const uint8_t *nonce = in_tag + in_tag_len - AES_GCM_NONCE_LENGTH; |
1211 | |
|
1212 | 0 | const struct aead_aes_gcm_ctx *gcm_ctx = |
1213 | 0 | (const struct aead_aes_gcm_ctx *)&ctx->state; |
1214 | 0 | if (!aead_aes_gcm_open_gather_impl( |
1215 | 0 | gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag, |
1216 | 0 | in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len, |
1217 | 0 | ctx->tag_len - AES_GCM_NONCE_LENGTH)) { |
1218 | 0 | return 0; |
1219 | 0 | } |
1220 | | |
1221 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1222 | 0 | return 1; |
1223 | 0 | } |
1224 | | |
1225 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_randnonce) { |
1226 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1227 | |
|
1228 | 0 | out->key_len = 16; |
1229 | 0 | out->nonce_len = 0; |
1230 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1231 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1232 | 0 | out->seal_scatter_supports_extra_in = 1; |
1233 | |
|
1234 | 0 | out->init = aead_aes_gcm_init_randnonce; |
1235 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1236 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; |
1237 | 0 | out->open_gather = aead_aes_gcm_open_gather_randnonce; |
1238 | 0 | } |
1239 | | |
1240 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_randnonce) { |
1241 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1242 | |
|
1243 | 0 | out->key_len = 32; |
1244 | 0 | out->nonce_len = 0; |
1245 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1246 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1247 | 0 | out->seal_scatter_supports_extra_in = 1; |
1248 | |
|
1249 | 0 | out->init = aead_aes_gcm_init_randnonce; |
1250 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1251 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; |
1252 | 0 | out->open_gather = aead_aes_gcm_open_gather_randnonce; |
1253 | 0 | } |
1254 | | |
1255 | | struct aead_aes_gcm_tls12_ctx { |
1256 | | struct aead_aes_gcm_ctx gcm_ctx; |
1257 | | uint64_t min_next_nonce; |
1258 | | }; |
1259 | | |
1260 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
1261 | | sizeof(struct aead_aes_gcm_tls12_ctx), |
1262 | | "AEAD state is too small"); |
1263 | | static_assert(alignof(union evp_aead_ctx_st_state) >= |
1264 | | alignof(struct aead_aes_gcm_tls12_ctx), |
1265 | | "AEAD state has insufficient alignment"); |
1266 | | |
1267 | | static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
1268 | 0 | size_t key_len, size_t requested_tag_len) { |
1269 | 0 | struct aead_aes_gcm_tls12_ctx *gcm_ctx = |
1270 | 0 | (struct aead_aes_gcm_tls12_ctx *) &ctx->state; |
1271 | |
|
1272 | 0 | gcm_ctx->min_next_nonce = 0; |
1273 | |
|
1274 | 0 | size_t actual_tag_len; |
1275 | 0 | if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len, |
1276 | 0 | requested_tag_len)) { |
1277 | 0 | return 0; |
1278 | 0 | } |
1279 | | |
1280 | 0 | ctx->tag_len = actual_tag_len; |
1281 | 0 | return 1; |
1282 | 0 | } |
1283 | | |
1284 | | static int aead_aes_gcm_tls12_seal_scatter( |
1285 | | const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, |
1286 | | size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, |
1287 | | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, |
1288 | 0 | size_t extra_in_len, const uint8_t *ad, size_t ad_len) { |
1289 | 0 | struct aead_aes_gcm_tls12_ctx *gcm_ctx = |
1290 | 0 | (struct aead_aes_gcm_tls12_ctx *) &ctx->state; |
1291 | |
|
1292 | 0 | if (nonce_len != AES_GCM_NONCE_LENGTH) { |
1293 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); |
1294 | 0 | return 0; |
1295 | 0 | } |
1296 | | |
1297 | | // The given nonces must be strictly monotonically increasing. |
1298 | 0 | uint64_t given_counter = |
1299 | 0 | CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t)); |
1300 | 0 | if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) { |
1301 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE); |
1302 | 0 | return 0; |
1303 | 0 | } |
1304 | | |
1305 | 0 | gcm_ctx->min_next_nonce = given_counter + 1; |
1306 | |
|
1307 | 0 | if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, |
1308 | 0 | max_out_tag_len, nonce, nonce_len, in, in_len, |
1309 | 0 | extra_in, extra_in_len, ad, ad_len)) { |
1310 | 0 | return 0; |
1311 | 0 | } |
1312 | | |
1313 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1314 | 0 | return 1; |
1315 | 0 | } |
1316 | | |
1317 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) { |
1318 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1319 | |
|
1320 | 0 | out->key_len = 16; |
1321 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1322 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1323 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1324 | 0 | out->seal_scatter_supports_extra_in = 1; |
1325 | |
|
1326 | 0 | out->init = aead_aes_gcm_tls12_init; |
1327 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1328 | 0 | out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; |
1329 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1330 | 0 | } |
1331 | | |
1332 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) { |
1333 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1334 | |
|
1335 | 0 | out->key_len = 32; |
1336 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1337 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1338 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1339 | 0 | out->seal_scatter_supports_extra_in = 1; |
1340 | |
|
1341 | 0 | out->init = aead_aes_gcm_tls12_init; |
1342 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1343 | 0 | out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; |
1344 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1345 | 0 | } |
1346 | | |
1347 | | struct aead_aes_gcm_tls13_ctx { |
1348 | | struct aead_aes_gcm_ctx gcm_ctx; |
1349 | | uint64_t min_next_nonce; |
1350 | | uint64_t mask; |
1351 | | uint8_t first; |
1352 | | }; |
1353 | | |
1354 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
1355 | | sizeof(struct aead_aes_gcm_tls13_ctx), |
1356 | | "AEAD state is too small"); |
1357 | | static_assert(alignof(union evp_aead_ctx_st_state) >= |
1358 | | alignof(struct aead_aes_gcm_tls13_ctx), |
1359 | | "AEAD state has insufficient alignment"); |
1360 | | |
1361 | | static int aead_aes_gcm_tls13_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
1362 | 0 | size_t key_len, size_t requested_tag_len) { |
1363 | 0 | struct aead_aes_gcm_tls13_ctx *gcm_ctx = |
1364 | 0 | (struct aead_aes_gcm_tls13_ctx *) &ctx->state; |
1365 | |
|
1366 | 0 | gcm_ctx->min_next_nonce = 0; |
1367 | 0 | gcm_ctx->first = 1; |
1368 | |
|
1369 | 0 | size_t actual_tag_len; |
1370 | 0 | if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len, |
1371 | 0 | requested_tag_len)) { |
1372 | 0 | return 0; |
1373 | 0 | } |
1374 | | |
1375 | 0 | ctx->tag_len = actual_tag_len; |
1376 | 0 | return 1; |
1377 | 0 | } |
1378 | | |
1379 | | static int aead_aes_gcm_tls13_seal_scatter( |
1380 | | const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, |
1381 | | size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, |
1382 | | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, |
1383 | 0 | size_t extra_in_len, const uint8_t *ad, size_t ad_len) { |
1384 | 0 | struct aead_aes_gcm_tls13_ctx *gcm_ctx = |
1385 | 0 | (struct aead_aes_gcm_tls13_ctx *) &ctx->state; |
1386 | |
|
1387 | 0 | if (nonce_len != AES_GCM_NONCE_LENGTH) { |
1388 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); |
1389 | 0 | return 0; |
1390 | 0 | } |
1391 | | |
1392 | | // The given nonces must be strictly monotonically increasing. See |
1393 | | // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3 |
1394 | | // nonce construction. |
1395 | 0 | uint64_t given_counter = |
1396 | 0 | CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t)); |
1397 | |
|
1398 | 0 | if (gcm_ctx->first) { |
1399 | | // In the first call the sequence number will be zero and therefore the |
1400 | | // given nonce will be 0 ^ mask = mask. |
1401 | 0 | gcm_ctx->mask = given_counter; |
1402 | 0 | gcm_ctx->first = 0; |
1403 | 0 | } |
1404 | 0 | given_counter ^= gcm_ctx->mask; |
1405 | |
|
1406 | 0 | if (given_counter == UINT64_MAX || |
1407 | 0 | given_counter < gcm_ctx->min_next_nonce) { |
1408 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE); |
1409 | 0 | return 0; |
1410 | 0 | } |
1411 | | |
1412 | 0 | gcm_ctx->min_next_nonce = given_counter + 1; |
1413 | |
|
1414 | 0 | if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, |
1415 | 0 | max_out_tag_len, nonce, nonce_len, in, in_len, |
1416 | 0 | extra_in, extra_in_len, ad, ad_len)) { |
1417 | 0 | return 0; |
1418 | 0 | } |
1419 | | |
1420 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1421 | 0 | return 1; |
1422 | 0 | } |
1423 | | |
1424 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) { |
1425 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1426 | |
|
1427 | 0 | out->key_len = 16; |
1428 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1429 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1430 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1431 | 0 | out->seal_scatter_supports_extra_in = 1; |
1432 | |
|
1433 | 0 | out->init = aead_aes_gcm_tls13_init; |
1434 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1435 | 0 | out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; |
1436 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1437 | 0 | } |
1438 | | |
1439 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) { |
1440 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1441 | |
|
1442 | 0 | out->key_len = 32; |
1443 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1444 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1445 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1446 | 0 | out->seal_scatter_supports_extra_in = 1; |
1447 | |
|
1448 | 0 | out->init = aead_aes_gcm_tls13_init; |
1449 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1450 | 0 | out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; |
1451 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1452 | 0 | } |
1453 | | |
1454 | 0 | int EVP_has_aes_hardware(void) { |
1455 | 0 | #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) |
1456 | 0 | return hwaes_capable() && crypto_gcm_clmul_enabled(); |
1457 | | #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) |
1458 | | return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable(); |
1459 | | #else |
1460 | | return 0; |
1461 | | #endif |
1462 | 0 | } |
1463 | | |
1464 | | OPENSSL_MSVC_PRAGMA(warning(pop)) |