Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/fipsmodule/cipher/e_aes.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* ====================================================================
2
 * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3
 *
4
 * Redistribution and use in source and binary forms, with or without
5
 * modification, are permitted provided that the following conditions
6
 * are met:
7
 *
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 *
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in
13
 *    the documentation and/or other materials provided with the
14
 *    distribution.
15
 *
16
 * 3. All advertising materials mentioning features or use of this
17
 *    software must display the following acknowledgment:
18
 *    "This product includes software developed by the OpenSSL Project
19
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20
 *
21
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22
 *    endorse or promote products derived from this software without
23
 *    prior written permission. For written permission, please contact
24
 *    openssl-core@openssl.org.
25
 *
26
 * 5. Products derived from this software may not be called "OpenSSL"
27
 *    nor may "OpenSSL" appear in their names without prior written
28
 *    permission of the OpenSSL Project.
29
 *
30
 * 6. Redistributions of any form whatsoever must retain the following
31
 *    acknowledgment:
32
 *    "This product includes software developed by the OpenSSL Project
33
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34
 *
35
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46
 * OF THE POSSIBILITY OF SUCH DAMAGE.
47
 * ==================================================================== */
48
49
#include <assert.h>
50
#include <limits.h>
51
#include <string.h>
52
53
#include <openssl/aead.h>
54
#include <openssl/aes.h>
55
#include <openssl/cipher.h>
56
#include <openssl/err.h>
57
#include <openssl/mem.h>
58
#include <openssl/nid.h>
59
60
#include "internal.h"
61
#include "../../internal.h"
62
#include "../aes/internal.h"
63
#include "../bcm_interface.h"
64
#include "../modes/internal.h"
65
#include "../service_indicator/internal.h"
66
#include "../delocate.h"
67
68
69
OPENSSL_MSVC_PRAGMA(warning(push))
70
OPENSSL_MSVC_PRAGMA(warning(disable: 4702))  // Unreachable code.
71
72
18
#define AES_GCM_NONCE_LENGTH 12
73
74
#if defined(BSAES)
75
static void vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in,
76
                                                  uint8_t *out, size_t blocks,
77
                                                  const AES_KEY *key,
78
                                                  const uint8_t ivec[16]) {
79
  // |bsaes_ctr32_encrypt_blocks| is faster than |vpaes_ctr32_encrypt_blocks|,
80
  // but it takes at least one full 8-block batch to amortize the conversion.
81
  if (blocks < 8) {
82
    vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
83
    return;
84
  }
85
86
  size_t bsaes_blocks = blocks;
87
  if (bsaes_blocks % 8 < 6) {
88
    // |bsaes_ctr32_encrypt_blocks| internally works in 8-block batches. If the
89
    // final batch is too small (under six blocks), it is faster to loop over
90
    // |vpaes_encrypt|. Round |bsaes_blocks| down to a multiple of 8.
91
    bsaes_blocks -= bsaes_blocks % 8;
92
  }
93
94
  AES_KEY bsaes;
95
  vpaes_encrypt_key_to_bsaes(&bsaes, key);
96
  bsaes_ctr32_encrypt_blocks(in, out, bsaes_blocks, &bsaes, ivec);
97
  OPENSSL_cleanse(&bsaes, sizeof(bsaes));
98
99
  in += 16 * bsaes_blocks;
100
  out += 16 * bsaes_blocks;
101
  blocks -= bsaes_blocks;
102
103
  uint8_t new_ivec[16];
104
  memcpy(new_ivec, ivec, 12);
105
  uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks;
106
  CRYPTO_store_u32_be(new_ivec + 12, ctr);
107
108
  // Finish any remaining blocks with |vpaes_ctr32_encrypt_blocks|.
109
  vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec);
110
}
111
#endif  // BSAES
112
113
typedef struct {
114
  union {
115
    double align;
116
    AES_KEY ks;
117
  } ks;
118
  block128_f block;
119
  union {
120
    cbc128_f cbc;
121
    ctr128_f ctr;
122
  } stream;
123
} EVP_AES_KEY;
124
125
typedef struct {
126
  GCM128_CONTEXT gcm;
127
  union {
128
    double align;
129
    AES_KEY ks;
130
  } ks;         // AES key schedule to use
131
  int key_set;  // Set if key initialised
132
  int iv_set;   // Set if an iv is set
133
  uint8_t *iv;  // Temporary IV store
134
  int ivlen;         // IV length
135
  int taglen;
136
  int iv_gen;      // It is OK to generate IVs
137
  ctr128_f ctr;
138
} EVP_AES_GCM_CTX;
139
140
static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
141
599
                        const uint8_t *iv, int enc) {
142
599
  int ret;
143
599
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
144
599
  const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
145
146
599
  if (mode == EVP_CIPH_CTR_MODE) {
147
156
    switch (ctx->key_len) {
148
156
      case 16:
149
156
        boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr);
150
156
        break;
151
152
0
      case 32:
153
0
        boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr);
154
0
        break;
155
156
    }
156
156
  }
157
158
599
  if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
159
120
    if (hwaes_capable()) {
160
0
      ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
161
0
      dat->block = aes_hw_decrypt;
162
0
      dat->stream.cbc = NULL;
163
0
      if (mode == EVP_CIPH_CBC_MODE) {
164
0
        dat->stream.cbc = aes_hw_cbc_encrypt;
165
0
      }
166
120
    } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) {
167
0
      assert(vpaes_capable());
168
0
      ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
169
0
      if (ret == 0) {
170
0
        vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks);
171
0
      }
172
      // If |dat->stream.cbc| is provided, |dat->block| is never used.
173
0
      dat->block = NULL;
174
0
      dat->stream.cbc = bsaes_cbc_encrypt;
175
120
    } else if (vpaes_capable()) {
176
0
      ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
177
0
      dat->block = vpaes_decrypt;
178
0
      dat->stream.cbc = NULL;
179
#if defined(VPAES_CBC)
180
0
      if (mode == EVP_CIPH_CBC_MODE) {
181
0
        dat->stream.cbc = vpaes_cbc_encrypt;
182
0
      }
183
#endif
184
120
    } else {
185
120
      ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
186
120
      dat->block = aes_nohw_decrypt;
187
120
      dat->stream.cbc = NULL;
188
120
      if (mode == EVP_CIPH_CBC_MODE) {
189
20
        dat->stream.cbc = aes_nohw_cbc_encrypt;
190
20
      }
191
120
    }
192
479
  } else if (hwaes_capable()) {
193
101
    ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
194
101
    dat->block = aes_hw_encrypt;
195
101
    dat->stream.cbc = NULL;
196
101
    if (mode == EVP_CIPH_CBC_MODE) {
197
0
      dat->stream.cbc = aes_hw_cbc_encrypt;
198
101
    } else if (mode == EVP_CIPH_CTR_MODE) {
199
40
      dat->stream.ctr = aes_hw_ctr32_encrypt_blocks;
200
40
    }
201
378
  } else if (vpaes_capable()) {
202
0
    ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
203
0
    dat->block = vpaes_encrypt;
204
0
    dat->stream.cbc = NULL;
205
#if defined(VPAES_CBC)
206
0
    if (mode == EVP_CIPH_CBC_MODE) {
207
0
      dat->stream.cbc = vpaes_cbc_encrypt;
208
0
    }
209
#endif
210
0
    if (mode == EVP_CIPH_CTR_MODE) {
211
#if defined(BSAES)
212
      assert(bsaes_capable());
213
      dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes;
214
#elif defined(VPAES_CTR32)
215
      dat->stream.ctr = vpaes_ctr32_encrypt_blocks;
216
#endif
217
0
    }
218
378
  } else {
219
378
    ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
220
378
    dat->block = aes_nohw_encrypt;
221
378
    dat->stream.cbc = NULL;
222
378
    if (mode == EVP_CIPH_CBC_MODE) {
223
20
      dat->stream.cbc = aes_nohw_cbc_encrypt;
224
20
    }
225
378
  }
226
227
599
  if (ret < 0) {
228
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
229
0
    return 0;
230
0
  }
231
232
599
  return 1;
233
599
}
bcm.c:aes_init_key
Line
Count
Source
141
498
                        const uint8_t *iv, int enc) {
142
498
  int ret;
143
498
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
144
498
  const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
145
146
498
  if (mode == EVP_CIPH_CTR_MODE) {
147
116
    switch (ctx->key_len) {
148
116
      case 16:
149
116
        boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr);
150
116
        break;
151
152
0
      case 32:
153
0
        boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr);
154
0
        break;
155
116
    }
156
116
  }
157
158
498
  if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
159
120
    if (hwaes_capable()) {
160
0
      ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
161
0
      dat->block = aes_hw_decrypt;
162
0
      dat->stream.cbc = NULL;
163
0
      if (mode == EVP_CIPH_CBC_MODE) {
164
0
        dat->stream.cbc = aes_hw_cbc_encrypt;
165
0
      }
166
120
    } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) {
167
0
      assert(vpaes_capable());
168
0
      ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
169
0
      if (ret == 0) {
170
0
        vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks);
171
0
      }
172
      // If |dat->stream.cbc| is provided, |dat->block| is never used.
173
0
      dat->block = NULL;
174
0
      dat->stream.cbc = bsaes_cbc_encrypt;
175
120
    } else if (vpaes_capable()) {
176
0
      ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
177
0
      dat->block = vpaes_decrypt;
178
0
      dat->stream.cbc = NULL;
179
#if defined(VPAES_CBC)
180
      if (mode == EVP_CIPH_CBC_MODE) {
181
        dat->stream.cbc = vpaes_cbc_encrypt;
182
      }
183
#endif
184
120
    } else {
185
120
      ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
186
120
      dat->block = aes_nohw_decrypt;
187
120
      dat->stream.cbc = NULL;
188
120
      if (mode == EVP_CIPH_CBC_MODE) {
189
20
        dat->stream.cbc = aes_nohw_cbc_encrypt;
190
20
      }
191
120
    }
192
378
  } else if (hwaes_capable()) {
193
0
    ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
194
0
    dat->block = aes_hw_encrypt;
195
0
    dat->stream.cbc = NULL;
196
0
    if (mode == EVP_CIPH_CBC_MODE) {
197
0
      dat->stream.cbc = aes_hw_cbc_encrypt;
198
0
    } else if (mode == EVP_CIPH_CTR_MODE) {
199
0
      dat->stream.ctr = aes_hw_ctr32_encrypt_blocks;
200
0
    }
201
378
  } else if (vpaes_capable()) {
202
0
    ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
203
0
    dat->block = vpaes_encrypt;
204
0
    dat->stream.cbc = NULL;
205
#if defined(VPAES_CBC)
206
    if (mode == EVP_CIPH_CBC_MODE) {
207
      dat->stream.cbc = vpaes_cbc_encrypt;
208
    }
209
#endif
210
0
    if (mode == EVP_CIPH_CTR_MODE) {
211
#if defined(BSAES)
212
      assert(bsaes_capable());
213
      dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes;
214
#elif defined(VPAES_CTR32)
215
      dat->stream.ctr = vpaes_ctr32_encrypt_blocks;
216
#endif
217
0
    }
218
378
  } else {
219
378
    ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
220
378
    dat->block = aes_nohw_encrypt;
221
378
    dat->stream.cbc = NULL;
222
378
    if (mode == EVP_CIPH_CBC_MODE) {
223
20
      dat->stream.cbc = aes_nohw_cbc_encrypt;
224
20
    }
225
378
  }
226
227
498
  if (ret < 0) {
228
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
229
0
    return 0;
230
0
  }
231
232
498
  return 1;
233
498
}
bcm.c:aes_init_key
Line
Count
Source
141
101
                        const uint8_t *iv, int enc) {
142
101
  int ret;
143
101
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
144
101
  const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;
145
146
101
  if (mode == EVP_CIPH_CTR_MODE) {
147
40
    switch (ctx->key_len) {
148
40
      case 16:
149
40
        boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr);
150
40
        break;
151
152
0
      case 32:
153
0
        boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr);
154
0
        break;
155
40
    }
156
40
  }
157
158
101
  if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
159
0
    if (hwaes_capable()) {
160
0
      ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
161
0
      dat->block = aes_hw_decrypt;
162
0
      dat->stream.cbc = NULL;
163
0
      if (mode == EVP_CIPH_CBC_MODE) {
164
0
        dat->stream.cbc = aes_hw_cbc_encrypt;
165
0
      }
166
0
    } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) {
167
0
      assert(vpaes_capable());
168
0
      ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
169
0
      if (ret == 0) {
170
0
        vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks);
171
0
      }
172
      // If |dat->stream.cbc| is provided, |dat->block| is never used.
173
0
      dat->block = NULL;
174
0
      dat->stream.cbc = bsaes_cbc_encrypt;
175
0
    } else if (vpaes_capable()) {
176
0
      ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
177
0
      dat->block = vpaes_decrypt;
178
0
      dat->stream.cbc = NULL;
179
0
#if defined(VPAES_CBC)
180
0
      if (mode == EVP_CIPH_CBC_MODE) {
181
0
        dat->stream.cbc = vpaes_cbc_encrypt;
182
0
      }
183
0
#endif
184
0
    } else {
185
0
      ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
186
0
      dat->block = aes_nohw_decrypt;
187
0
      dat->stream.cbc = NULL;
188
0
      if (mode == EVP_CIPH_CBC_MODE) {
189
0
        dat->stream.cbc = aes_nohw_cbc_encrypt;
190
0
      }
191
0
    }
192
101
  } else if (hwaes_capable()) {
193
101
    ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
194
101
    dat->block = aes_hw_encrypt;
195
101
    dat->stream.cbc = NULL;
196
101
    if (mode == EVP_CIPH_CBC_MODE) {
197
0
      dat->stream.cbc = aes_hw_cbc_encrypt;
198
101
    } else if (mode == EVP_CIPH_CTR_MODE) {
199
40
      dat->stream.ctr = aes_hw_ctr32_encrypt_blocks;
200
40
    }
201
101
  } else if (vpaes_capable()) {
202
0
    ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
203
0
    dat->block = vpaes_encrypt;
204
0
    dat->stream.cbc = NULL;
205
0
#if defined(VPAES_CBC)
206
0
    if (mode == EVP_CIPH_CBC_MODE) {
207
0
      dat->stream.cbc = vpaes_cbc_encrypt;
208
0
    }
209
0
#endif
210
0
    if (mode == EVP_CIPH_CTR_MODE) {
211
#if defined(BSAES)
212
      assert(bsaes_capable());
213
      dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes;
214
#elif defined(VPAES_CTR32)
215
0
      dat->stream.ctr = vpaes_ctr32_encrypt_blocks;
216
0
#endif
217
0
    }
218
0
  } else {
219
0
    ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
220
0
    dat->block = aes_nohw_encrypt;
221
0
    dat->stream.cbc = NULL;
222
0
    if (mode == EVP_CIPH_CBC_MODE) {
223
0
      dat->stream.cbc = aes_nohw_cbc_encrypt;
224
0
    }
225
0
  }
226
227
101
  if (ret < 0) {
228
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
229
0
    return 0;
230
0
  }
231
232
101
  return 1;
233
101
}
234
235
static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
236
79
                          size_t len) {
237
79
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
238
239
79
  if (dat->stream.cbc) {
240
79
    (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt);
241
79
  } else if (ctx->encrypt) {
242
0
    CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block);
243
0
  } else {
244
0
    CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block);
245
0
  }
246
247
79
  return 1;
248
79
}
249
250
static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
251
1.38k
                          size_t len) {
252
1.38k
  size_t bl = ctx->cipher->block_size;
253
1.38k
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
254
255
1.38k
  if (len < bl) {
256
0
    return 1;
257
0
  }
258
259
1.38k
  len -= bl;
260
2.92k
  for (size_t i = 0; i <= len; i += bl) {
261
1.54k
    (*dat->block)(in + i, out + i, &dat->ks.ks);
262
1.54k
  }
263
264
1.38k
  return 1;
265
1.38k
}
266
267
static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
268
447
                          size_t len) {
269
447
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
270
271
447
  if (dat->stream.ctr) {
272
127
    CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf,
273
127
                                &ctx->num, dat->stream.ctr);
274
320
  } else {
275
320
    CRYPTO_ctr128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf,
276
320
                          &ctx->num, dat->block);
277
320
  }
278
447
  return 1;
279
447
}
280
281
static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
282
684
                          size_t len) {
283
684
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
284
285
684
  CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num,
286
684
                        dat->block);
287
684
  return 1;
288
684
}
289
290
ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key,
291
                         block128_f *out_block, const uint8_t *key,
292
9.49k
                         size_t key_bytes) {
293
  // This function assumes the key length was previously validated.
294
9.49k
  assert(key_bytes == 128 / 8 || key_bytes == 192 / 8 || key_bytes == 256 / 8);
295
9.49k
  if (hwaes_capable()) {
296
2.10k
    aes_hw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
297
2.10k
    if (gcm_key != NULL) {
298
141
      CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_hw_encrypt, 1);
299
141
    }
300
2.10k
    if (out_block) {
301
1.96k
      *out_block = aes_hw_encrypt;
302
1.96k
    }
303
2.10k
    return aes_hw_ctr32_encrypt_blocks;
304
2.10k
  }
305
306
7.39k
  if (vpaes_capable()) {
307
0
    vpaes_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
308
0
    if (out_block) {
309
0
      *out_block = vpaes_encrypt;
310
0
    }
311
0
    if (gcm_key != NULL) {
312
0
      CRYPTO_gcm128_init_key(gcm_key, aes_key, vpaes_encrypt, 0);
313
0
    }
314
#if defined(BSAES)
315
    assert(bsaes_capable());
316
    return vpaes_ctr32_encrypt_blocks_with_bsaes;
317
#elif defined(VPAES_CTR32)
318
    return vpaes_ctr32_encrypt_blocks;
319
#else
320
0
    return NULL;
321
0
#endif
322
0
  }
323
324
7.39k
  aes_nohw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);
325
7.39k
  if (gcm_key != NULL) {
326
694
    CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_nohw_encrypt, 0);
327
694
  }
328
7.39k
  if (out_block) {
329
6.70k
    *out_block = aes_nohw_encrypt;
330
6.70k
  }
331
7.39k
  return aes_nohw_ctr32_encrypt_blocks;
332
7.39k
}
333
334
#if defined(OPENSSL_32_BIT)
335
#define EVP_AES_GCM_CTX_PADDING (4+8)
336
#else
337
6
#define EVP_AES_GCM_CTX_PADDING 8
338
#endif
339
340
12.1k
static EVP_AES_GCM_CTX *aes_gcm_from_cipher_ctx(EVP_CIPHER_CTX *ctx) {
341
12.1k
  static_assert(
342
12.1k
      alignof(EVP_AES_GCM_CTX) <= 16,
343
12.1k
      "EVP_AES_GCM_CTX needs more alignment than this function provides");
344
345
  // |malloc| guarantees up to 4-byte alignment on 32-bit and 8-byte alignment
346
  // on 64-bit systems, so we need to adjust to reach 16-byte alignment.
347
12.1k
  assert(ctx->cipher->ctx_size ==
348
12.1k
         sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING);
349
350
12.1k
  char *ptr = ctx->cipher_data;
351
#if defined(OPENSSL_32_BIT)
352
  assert((uintptr_t)ptr % 4 == 0);
353
  ptr += (uintptr_t)ptr & 4;
354
#endif
355
12.1k
  assert((uintptr_t)ptr % 8 == 0);
356
12.1k
  ptr += (uintptr_t)ptr & 8;
357
12.1k
  return (EVP_AES_GCM_CTX *)ptr;
358
12.1k
}
359
360
static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
361
540
                            const uint8_t *iv, int enc) {
362
540
  EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx);
363
540
  if (!iv && !key) {
364
319
    return 1;
365
319
  }
366
367
221
  switch (ctx->key_len) {
368
104
    case 16:
369
104
      boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm);
370
104
      break;
371
372
111
    case 32:
373
111
      boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm);
374
111
      break;
375
221
  }
376
377
221
  if (key) {
378
221
    OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm));
379
221
    gctx->ctr = aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm.gcm_key, NULL, key,
380
221
                                ctx->key_len);
381
    // If we have an iv can set it directly, otherwise use saved IV.
382
221
    if (iv == NULL && gctx->iv_set) {
383
0
      iv = gctx->iv;
384
0
    }
385
221
    if (iv) {
386
221
      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
387
221
      gctx->iv_set = 1;
388
221
    }
389
221
    gctx->key_set = 1;
390
221
  } else {
391
    // If key set use IV, otherwise copy
392
0
    if (gctx->key_set) {
393
0
      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
394
0
    } else {
395
0
      OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen);
396
0
    }
397
0
    gctx->iv_set = 1;
398
0
    gctx->iv_gen = 0;
399
0
  }
400
221
  return 1;
401
221
}
402
403
3.19k
static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
404
3.19k
  EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c);
405
3.19k
  OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
406
3.19k
  if (gctx->iv != c->iv) {
407
1.91k
    OPENSSL_free(gctx->iv);
408
1.91k
  }
409
3.19k
}
410
411
3.62k
static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
412
3.62k
  EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c);
413
3.62k
  switch (type) {
414
319
    case EVP_CTRL_INIT:
415
319
      gctx->key_set = 0;
416
319
      gctx->iv_set = 0;
417
319
      gctx->ivlen = c->cipher->iv_len;
418
319
      gctx->iv = c->iv;
419
319
      gctx->taglen = -1;
420
319
      gctx->iv_gen = 0;
421
319
      return 1;
422
423
316
    case EVP_CTRL_AEAD_SET_IVLEN:
424
316
      if (arg <= 0) {
425
41
        return 0;
426
41
      }
427
428
      // Allocate memory for IV if needed
429
275
      if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) {
430
111
        if (gctx->iv != c->iv) {
431
0
          OPENSSL_free(gctx->iv);
432
0
        }
433
111
        gctx->iv = OPENSSL_malloc(arg);
434
111
        if (!gctx->iv) {
435
0
          return 0;
436
0
        }
437
111
      }
438
275
      gctx->ivlen = arg;
439
275
      return 1;
440
441
0
    case EVP_CTRL_GET_IVLEN:
442
0
      *(int *)ptr = gctx->ivlen;
443
0
      return 1;
444
445
2
    case EVP_CTRL_AEAD_SET_TAG:
446
2
      if (arg <= 0 || arg > 16 || c->encrypt) {
447
0
        return 0;
448
0
      }
449
2
      OPENSSL_memcpy(c->buf, ptr, arg);
450
2
      gctx->taglen = arg;
451
2
      return 1;
452
453
105
    case EVP_CTRL_AEAD_GET_TAG:
454
105
      if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) {
455
69
        return 0;
456
69
      }
457
36
      OPENSSL_memcpy(ptr, c->buf, arg);
458
36
      return 1;
459
460
0
    case EVP_CTRL_AEAD_SET_IV_FIXED:
461
      // Special case: -1 length restores whole IV
462
0
      if (arg == -1) {
463
0
        OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen);
464
0
        gctx->iv_gen = 1;
465
0
        return 1;
466
0
      }
467
      // Fixed field must be at least 4 bytes and invocation field
468
      // at least 8.
469
0
      if (arg < 4 || (gctx->ivlen - arg) < 8) {
470
0
        return 0;
471
0
      }
472
0
      OPENSSL_memcpy(gctx->iv, ptr, arg);
473
0
      if (c->encrypt) {
474
        // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with
475
        // state lock functions to avoid updating the service indicator with the
476
        // DRBG functions.
477
0
        FIPS_service_indicator_lock_state();
478
0
        BCM_rand_bytes(gctx->iv + arg, gctx->ivlen - arg);
479
0
        FIPS_service_indicator_unlock_state();
480
0
      }
481
0
      gctx->iv_gen = 1;
482
0
      return 1;
483
484
0
    case EVP_CTRL_GCM_IV_GEN: {
485
0
      if (gctx->iv_gen == 0 || gctx->key_set == 0) {
486
0
        return 0;
487
0
      }
488
0
      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
489
0
      if (arg <= 0 || arg > gctx->ivlen) {
490
0
        arg = gctx->ivlen;
491
0
      }
492
0
      OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
493
      // Invocation field will be at least 8 bytes in size, so no need to check
494
      // wrap around or increment more than last 8 bytes.
495
0
      uint8_t *ctr = gctx->iv + gctx->ivlen - 8;
496
0
      CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1);
497
0
      gctx->iv_set = 1;
498
0
      return 1;
499
0
    }
500
501
0
    case EVP_CTRL_GCM_SET_IV_INV:
502
0
      if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) {
503
0
        return 0;
504
0
      }
505
0
      OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
506
0
      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
507
0
      gctx->iv_set = 1;
508
0
      return 1;
509
510
2.87k
    case EVP_CTRL_COPY: {
511
2.87k
      EVP_CIPHER_CTX *out = ptr;
512
2.87k
      EVP_AES_GCM_CTX *gctx_out = aes_gcm_from_cipher_ctx(out);
513
      // |EVP_CIPHER_CTX_copy| copies this generically, but we must redo it in
514
      // case |out->cipher_data| and |in->cipher_data| are differently aligned.
515
2.87k
      OPENSSL_memcpy(gctx_out, gctx, sizeof(EVP_AES_GCM_CTX));
516
2.87k
      if (gctx->iv == c->iv) {
517
1.07k
        gctx_out->iv = out->iv;
518
1.80k
      } else {
519
1.80k
        gctx_out->iv = OPENSSL_memdup(gctx->iv, gctx->ivlen);
520
1.80k
        if (!gctx_out->iv) {
521
0
          return 0;
522
0
        }
523
1.80k
      }
524
2.87k
      return 1;
525
2.87k
    }
526
527
0
    default:
528
0
      return -1;
529
3.62k
  }
530
3.62k
}
531
532
static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
533
1.95k
                          size_t len) {
534
1.95k
  EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx);
535
536
  // If not set up, return error
537
1.95k
  if (!gctx->key_set) {
538
0
    return -1;
539
0
  }
540
1.95k
  if (!gctx->iv_set) {
541
4
    return -1;
542
4
  }
543
544
1.94k
  if (len > INT_MAX) {
545
    // This function signature can only express up to |INT_MAX| bytes encrypted.
546
    //
547
    // TODO(https://crbug.com/boringssl/494): Make the internal |EVP_CIPHER|
548
    // calling convention |size_t|-clean.
549
0
    return -1;
550
0
  }
551
552
1.94k
  if (in) {
553
1.73k
    if (out == NULL) {
554
20
      if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) {
555
0
        return -1;
556
0
      }
557
1.71k
    } else if (ctx->encrypt) {
558
377
      if (gctx->ctr) {
559
377
        if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len,
560
377
                                         gctx->ctr)) {
561
0
          return -1;
562
0
        }
563
377
      } else {
564
0
        if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) {
565
0
          return -1;
566
0
        }
567
0
      }
568
1.33k
    } else {
569
1.33k
      if (gctx->ctr) {
570
1.33k
        if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len,
571
1.33k
                                         gctx->ctr)) {
572
0
          return -1;
573
0
        }
574
1.33k
      } else {
575
0
        if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) {
576
0
          return -1;
577
0
        }
578
0
      }
579
1.33k
    }
580
1.73k
    return (int)len;
581
1.73k
  } else {
582
217
    if (!ctx->encrypt) {
583
66
      if (gctx->taglen < 0 ||
584
66
          !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) {
585
64
        return -1;
586
64
      }
587
2
      gctx->iv_set = 0;
588
2
      return 0;
589
66
    }
590
151
    CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
591
151
    gctx->taglen = 16;
592
    // Don't reuse the IV
593
151
    gctx->iv_set = 0;
594
151
    return 0;
595
217
  }
596
1.94k
}
597
598
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_cbc) {
599
2
  memset(out, 0, sizeof(EVP_CIPHER));
600
601
2
  out->nid = NID_aes_128_cbc;
602
2
  out->block_size = 16;
603
2
  out->key_len = 16;
604
2
  out->iv_len = 16;
605
2
  out->ctx_size = sizeof(EVP_AES_KEY);
606
2
  out->flags = EVP_CIPH_CBC_MODE;
607
2
  out->init = aes_init_key;
608
2
  out->cipher = aes_cbc_cipher;
609
2
}
610
611
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ctr) {
612
2
  memset(out, 0, sizeof(EVP_CIPHER));
613
614
2
  out->nid = NID_aes_128_ctr;
615
2
  out->block_size = 1;
616
2
  out->key_len = 16;
617
2
  out->iv_len = 16;
618
2
  out->ctx_size = sizeof(EVP_AES_KEY);
619
2
  out->flags = EVP_CIPH_CTR_MODE;
620
2
  out->init = aes_init_key;
621
2
  out->cipher = aes_ctr_cipher;
622
2
}
623
624
1
DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ecb_generic) {
625
1
  memset(out, 0, sizeof(EVP_CIPHER));
626
627
1
  out->nid = NID_aes_128_ecb;
628
1
  out->block_size = 16;
629
1
  out->key_len = 16;
630
1
  out->ctx_size = sizeof(EVP_AES_KEY);
631
1
  out->flags = EVP_CIPH_ECB_MODE;
632
1
  out->init = aes_init_key;
633
1
  out->cipher = aes_ecb_cipher;
634
1
}
635
636
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ofb) {
637
2
  memset(out, 0, sizeof(EVP_CIPHER));
638
639
2
  out->nid = NID_aes_128_ofb128;
640
2
  out->block_size = 1;
641
2
  out->key_len = 16;
642
2
  out->iv_len = 16;
643
2
  out->ctx_size = sizeof(EVP_AES_KEY);
644
2
  out->flags = EVP_CIPH_OFB_MODE;
645
2
  out->init = aes_init_key;
646
2
  out->cipher = aes_ofb_cipher;
647
2
}
648
649
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_gcm) {
650
2
  memset(out, 0, sizeof(EVP_CIPHER));
651
652
2
  out->nid = NID_aes_128_gcm;
653
2
  out->block_size = 1;
654
2
  out->key_len = 16;
655
2
  out->iv_len = AES_GCM_NONCE_LENGTH;
656
2
  out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING;
657
2
  out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY |
658
2
               EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
659
2
               EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;
660
2
  out->init = aes_gcm_init_key;
661
2
  out->cipher = aes_gcm_cipher;
662
2
  out->cleanup = aes_gcm_cleanup;
663
2
  out->ctrl = aes_gcm_ctrl;
664
2
}
665
666
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_cbc) {
667
2
  memset(out, 0, sizeof(EVP_CIPHER));
668
669
2
  out->nid = NID_aes_192_cbc;
670
2
  out->block_size = 16;
671
2
  out->key_len = 24;
672
2
  out->iv_len = 16;
673
2
  out->ctx_size = sizeof(EVP_AES_KEY);
674
2
  out->flags = EVP_CIPH_CBC_MODE;
675
2
  out->init = aes_init_key;
676
2
  out->cipher = aes_cbc_cipher;
677
2
}
678
679
1
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ctr) {
680
1
  memset(out, 0, sizeof(EVP_CIPHER));
681
682
1
  out->nid = NID_aes_192_ctr;
683
1
  out->block_size = 1;
684
1
  out->key_len = 24;
685
1
  out->iv_len = 16;
686
1
  out->ctx_size = sizeof(EVP_AES_KEY);
687
1
  out->flags = EVP_CIPH_CTR_MODE;
688
1
  out->init = aes_init_key;
689
1
  out->cipher = aes_ctr_cipher;
690
1
}
691
692
1
DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ecb_generic) {
693
1
  memset(out, 0, sizeof(EVP_CIPHER));
694
695
1
  out->nid = NID_aes_192_ecb;
696
1
  out->block_size = 16;
697
1
  out->key_len = 24;
698
1
  out->ctx_size = sizeof(EVP_AES_KEY);
699
1
  out->flags = EVP_CIPH_ECB_MODE;
700
1
  out->init = aes_init_key;
701
1
  out->cipher = aes_ecb_cipher;
702
1
}
703
704
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ofb) {
705
2
  memset(out, 0, sizeof(EVP_CIPHER));
706
707
2
  out->nid = NID_aes_192_ofb128;
708
2
  out->block_size = 1;
709
2
  out->key_len = 24;
710
2
  out->iv_len = 16;
711
2
  out->ctx_size = sizeof(EVP_AES_KEY);
712
2
  out->flags = EVP_CIPH_OFB_MODE;
713
2
  out->init = aes_init_key;
714
2
  out->cipher = aes_ofb_cipher;
715
2
}
716
717
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_gcm) {
718
2
  memset(out, 0, sizeof(EVP_CIPHER));
719
720
2
  out->nid = NID_aes_192_gcm;
721
2
  out->block_size = 1;
722
2
  out->key_len = 24;
723
2
  out->iv_len = AES_GCM_NONCE_LENGTH;
724
2
  out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING;
725
2
  out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY |
726
2
               EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
727
2
               EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;
728
2
  out->init = aes_gcm_init_key;
729
2
  out->cipher = aes_gcm_cipher;
730
2
  out->cleanup = aes_gcm_cleanup;
731
2
  out->ctrl = aes_gcm_ctrl;
732
2
}
733
734
1
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_cbc) {
735
1
  memset(out, 0, sizeof(EVP_CIPHER));
736
737
1
  out->nid = NID_aes_256_cbc;
738
1
  out->block_size = 16;
739
1
  out->key_len = 32;
740
1
  out->iv_len = 16;
741
1
  out->ctx_size = sizeof(EVP_AES_KEY);
742
1
  out->flags = EVP_CIPH_CBC_MODE;
743
1
  out->init = aes_init_key;
744
1
  out->cipher = aes_cbc_cipher;
745
1
}
746
747
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ctr) {
748
2
  memset(out, 0, sizeof(EVP_CIPHER));
749
750
2
  out->nid = NID_aes_256_ctr;
751
2
  out->block_size = 1;
752
2
  out->key_len = 32;
753
2
  out->iv_len = 16;
754
2
  out->ctx_size = sizeof(EVP_AES_KEY);
755
2
  out->flags = EVP_CIPH_CTR_MODE;
756
2
  out->init = aes_init_key;
757
2
  out->cipher = aes_ctr_cipher;
758
2
}
759
760
0
DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ecb_generic) {
761
0
  memset(out, 0, sizeof(EVP_CIPHER));
762
763
0
  out->nid = NID_aes_256_ecb;
764
0
  out->block_size = 16;
765
0
  out->key_len = 32;
766
0
  out->ctx_size = sizeof(EVP_AES_KEY);
767
0
  out->flags = EVP_CIPH_ECB_MODE;
768
0
  out->init = aes_init_key;
769
0
  out->cipher = aes_ecb_cipher;
770
0
}
771
772
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ofb) {
773
2
  memset(out, 0, sizeof(EVP_CIPHER));
774
775
2
  out->nid = NID_aes_256_ofb128;
776
2
  out->block_size = 1;
777
2
  out->key_len = 32;
778
2
  out->iv_len = 16;
779
2
  out->ctx_size = sizeof(EVP_AES_KEY);
780
2
  out->flags = EVP_CIPH_OFB_MODE;
781
2
  out->init = aes_init_key;
782
2
  out->cipher = aes_ofb_cipher;
783
2
}
784
785
2
DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_gcm) {
786
2
  memset(out, 0, sizeof(EVP_CIPHER));
787
788
2
  out->nid = NID_aes_256_gcm;
789
2
  out->block_size = 1;
790
2
  out->key_len = 32;
791
2
  out->iv_len = AES_GCM_NONCE_LENGTH;
792
2
  out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING;
793
2
  out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY |
794
2
               EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
795
2
               EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;
796
2
  out->init = aes_gcm_init_key;
797
2
  out->cipher = aes_gcm_cipher;
798
2
  out->cleanup = aes_gcm_cleanup;
799
2
  out->ctrl = aes_gcm_ctrl;
800
2
}
801
802
#if defined(HWAES_ECB)
803
804
static int aes_hw_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
805
340
                             const uint8_t *in, size_t len) {
806
340
  size_t bl = ctx->cipher->block_size;
807
808
340
  if (len < bl) {
809
0
    return 1;
810
0
  }
811
812
340
  aes_hw_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
813
814
340
  return 1;
815
340
}
816
817
1
DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_128_ecb) {
818
1
  memset(out, 0, sizeof(EVP_CIPHER));
819
820
1
  out->nid = NID_aes_128_ecb;
821
1
  out->block_size = 16;
822
1
  out->key_len = 16;
823
1
  out->ctx_size = sizeof(EVP_AES_KEY);
824
1
  out->flags = EVP_CIPH_ECB_MODE;
825
1
  out->init = aes_init_key;
826
1
  out->cipher = aes_hw_ecb_cipher;
827
1
}
828
829
1
DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_192_ecb) {
830
1
  memset(out, 0, sizeof(EVP_CIPHER));
831
832
1
  out->nid = NID_aes_192_ecb;
833
1
  out->block_size = 16;
834
1
  out->key_len = 24;
835
1
  out->ctx_size = sizeof(EVP_AES_KEY);
836
1
  out->flags = EVP_CIPH_ECB_MODE;
837
1
  out->init = aes_init_key;
838
1
  out->cipher = aes_hw_ecb_cipher;
839
1
}
840
841
0
DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_256_ecb) {
842
0
  memset(out, 0, sizeof(EVP_CIPHER));
843
844
0
  out->nid = NID_aes_256_ecb;
845
0
  out->block_size = 16;
846
0
  out->key_len = 32;
847
0
  out->ctx_size = sizeof(EVP_AES_KEY);
848
0
  out->flags = EVP_CIPH_ECB_MODE;
849
0
  out->init = aes_init_key;
850
0
  out->cipher = aes_hw_ecb_cipher;
851
0
}
852
853
#define EVP_ECB_CIPHER_FUNCTION(keybits)            \
854
  const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
855
    if (hwaes_capable()) {                          \
856
      return aes_hw_##keybits##_ecb();              \
857
    }                                               \
858
    return aes_##keybits##_ecb_generic();           \
859
  }
860
861
#else
862
863
#define EVP_ECB_CIPHER_FUNCTION(keybits)            \
864
302
  const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
865
302
    return aes_##keybits##_ecb_generic();           \
866
302
  }
EVP_aes_128_ecb
Line
Count
Source
864
252
  const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
865
252
    return aes_##keybits##_ecb_generic();           \
866
252
  }
EVP_aes_192_ecb
Line
Count
Source
864
38
  const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
865
38
    return aes_##keybits##_ecb_generic();           \
866
38
  }
EVP_aes_256_ecb
Line
Count
Source
864
12
  const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \
865
12
    return aes_##keybits##_ecb_generic();           \
866
12
  }
867
868
#endif  // HWAES_ECB
869
870
EVP_ECB_CIPHER_FUNCTION(128)
871
EVP_ECB_CIPHER_FUNCTION(192)
872
EVP_ECB_CIPHER_FUNCTION(256)
873
874
875
861
#define EVP_AEAD_AES_GCM_TAG_LEN 16
876
877
struct aead_aes_gcm_ctx {
878
  union {
879
    double align;
880
    AES_KEY ks;
881
  } ks;
882
  GCM128_KEY gcm_key;
883
  ctr128_f ctr;
884
};
885
886
static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
887
                                  size_t *out_tag_len, const uint8_t *key,
888
692
                                  size_t key_len, size_t tag_len) {
889
692
  const size_t key_bits = key_len * 8;
890
891
692
  switch (key_bits) {
892
485
    case 128:
893
485
      boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm);
894
485
      break;
895
896
207
    case 256:
897
207
      boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm);
898
207
      break;
899
692
  }
900
901
692
  if (key_bits != 128 && key_bits != 192 && key_bits != 256) {
902
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
903
0
    return 0;  // EVP_AEAD_CTX_init should catch this.
904
0
  }
905
906
692
  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
907
145
    tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
908
145
  }
909
910
692
  if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
911
78
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
912
78
    return 0;
913
78
  }
914
915
614
  gcm_ctx->ctr =
916
614
      aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL, key, key_len);
917
614
  *out_tag_len = tag_len;
918
614
  return 1;
919
692
}
920
921
static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
922
                  sizeof(struct aead_aes_gcm_ctx),
923
              "AEAD state is too small");
924
static_assert(alignof(union evp_aead_ctx_st_state) >=
925
                  alignof(struct aead_aes_gcm_ctx),
926
              "AEAD state has insufficient alignment");
927
928
static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
929
690
                             size_t key_len, size_t requested_tag_len) {
930
690
  struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *) &ctx->state;
931
932
690
  size_t actual_tag_len;
933
690
  if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len,
934
690
                              requested_tag_len)) {
935
77
    return 0;
936
77
  }
937
938
613
  ctx->tag_len = actual_tag_len;
939
613
  return 1;
940
690
}
941
942
614
static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {}
943
944
static int aead_aes_gcm_seal_scatter_impl(
945
    const struct aead_aes_gcm_ctx *gcm_ctx,
946
    uint8_t *out, uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len,
947
    const uint8_t *nonce, size_t nonce_len,
948
    const uint8_t *in, size_t in_len,
949
    const uint8_t *extra_in, size_t extra_in_len,
950
    const uint8_t *ad, size_t ad_len,
951
318
    size_t tag_len) {
952
318
  if (extra_in_len + tag_len < tag_len) {
953
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
954
0
    return 0;
955
0
  }
956
318
  if (max_out_tag_len < extra_in_len + tag_len) {
957
22
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
958
22
    return 0;
959
22
  }
960
296
  if (nonce_len == 0) {
961
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
962
0
    return 0;
963
0
  }
964
965
296
  const AES_KEY *key = &gcm_ctx->ks.ks;
966
967
296
  GCM128_CONTEXT gcm;
968
296
  OPENSSL_memset(&gcm, 0, sizeof(gcm));
969
296
  OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key));
970
296
  CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
971
972
296
  if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
973
0
    return 0;
974
0
  }
975
976
296
  if (gcm_ctx->ctr) {
977
296
    if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len,
978
296
                                     gcm_ctx->ctr)) {
979
0
      return 0;
980
0
    }
981
296
  } else {
982
0
    if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
983
0
      return 0;
984
0
    }
985
0
  }
986
987
296
  if (extra_in_len) {
988
0
    if (gcm_ctx->ctr) {
989
0
      if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, extra_in, out_tag,
990
0
                                       extra_in_len, gcm_ctx->ctr)) {
991
0
        return 0;
992
0
      }
993
0
    } else {
994
0
      if (!CRYPTO_gcm128_encrypt(&gcm, key, extra_in, out_tag, extra_in_len)) {
995
0
        return 0;
996
0
      }
997
0
    }
998
0
  }
999
1000
296
  CRYPTO_gcm128_tag(&gcm, out_tag + extra_in_len, tag_len);
1001
296
  *out_tag_len = tag_len + extra_in_len;
1002
1003
296
  return 1;
1004
296
}
1005
1006
static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
1007
                                     uint8_t *out_tag, size_t *out_tag_len,
1008
                                     size_t max_out_tag_len,
1009
                                     const uint8_t *nonce, size_t nonce_len,
1010
                                     const uint8_t *in, size_t in_len,
1011
                                     const uint8_t *extra_in,
1012
                                     size_t extra_in_len,
1013
318
                                     const uint8_t *ad, size_t ad_len) {
1014
318
  const struct aead_aes_gcm_ctx *gcm_ctx =
1015
318
      (const struct aead_aes_gcm_ctx *)&ctx->state;
1016
318
  return aead_aes_gcm_seal_scatter_impl(
1017
318
      gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, nonce, nonce_len, in,
1018
318
      in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
1019
318
}
1020
1021
static int aead_aes_gcm_open_gather_impl(const struct aead_aes_gcm_ctx *gcm_ctx,
1022
                                         uint8_t *out,
1023
                                         const uint8_t *nonce, size_t nonce_len,
1024
                                         const uint8_t *in, size_t in_len,
1025
                                         const uint8_t *in_tag,
1026
                                         size_t in_tag_len,
1027
                                         const uint8_t *ad, size_t ad_len,
1028
292
                                         size_t tag_len) {
1029
292
  uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN];
1030
1031
292
  if (nonce_len == 0) {
1032
16
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
1033
16
    return 0;
1034
16
  }
1035
1036
276
  if (in_tag_len != tag_len) {
1037
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1038
0
    return 0;
1039
0
  }
1040
1041
276
  const AES_KEY *key = &gcm_ctx->ks.ks;
1042
1043
276
  GCM128_CONTEXT gcm;
1044
276
  OPENSSL_memset(&gcm, 0, sizeof(gcm));
1045
276
  OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key));
1046
276
  CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
1047
1048
276
  if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
1049
0
    return 0;
1050
0
  }
1051
1052
276
  if (gcm_ctx->ctr) {
1053
276
    if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out, in_len,
1054
276
                                     gcm_ctx->ctr)) {
1055
0
      return 0;
1056
0
    }
1057
276
  } else {
1058
0
    if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len)) {
1059
0
      return 0;
1060
0
    }
1061
0
  }
1062
1063
276
  CRYPTO_gcm128_tag(&gcm, tag, tag_len);
1064
276
  if (CRYPTO_memcmp(tag, in_tag, tag_len) != 0) {
1065
99
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1066
99
    return 0;
1067
99
  }
1068
1069
177
  return 1;
1070
276
}
1071
1072
static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
1073
                                    const uint8_t *nonce, size_t nonce_len,
1074
                                    const uint8_t *in, size_t in_len,
1075
                                    const uint8_t *in_tag, size_t in_tag_len,
1076
292
                                    const uint8_t *ad, size_t ad_len) {
1077
292
  struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state;
1078
292
  if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len,
1079
292
                                     in_tag, in_tag_len, ad, ad_len,
1080
292
                                     ctx->tag_len)) {
1081
115
    return 0;
1082
115
  }
1083
1084
177
  AEAD_GCM_verify_service_indicator(ctx);
1085
177
  return 1;
1086
292
}
1087
1088
2
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) {
1089
2
  memset(out, 0, sizeof(EVP_AEAD));
1090
1091
2
  out->key_len = 16;
1092
2
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1093
2
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1094
2
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1095
2
  out->seal_scatter_supports_extra_in = 1;
1096
1097
2
  out->init = aead_aes_gcm_init;
1098
2
  out->cleanup = aead_aes_gcm_cleanup;
1099
2
  out->seal_scatter = aead_aes_gcm_seal_scatter;
1100
2
  out->open_gather = aead_aes_gcm_open_gather;
1101
2
}
1102
1103
0
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_192_gcm) {
1104
0
  memset(out, 0, sizeof(EVP_AEAD));
1105
1106
0
  out->key_len = 24;
1107
0
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1108
0
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1109
0
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1110
0
  out->seal_scatter_supports_extra_in = 1;
1111
1112
0
  out->init = aead_aes_gcm_init;
1113
0
  out->cleanup = aead_aes_gcm_cleanup;
1114
0
  out->seal_scatter = aead_aes_gcm_seal_scatter;
1115
0
  out->open_gather = aead_aes_gcm_open_gather;
1116
0
}
1117
1118
2
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) {
1119
2
  memset(out, 0, sizeof(EVP_AEAD));
1120
1121
2
  out->key_len = 32;
1122
2
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1123
2
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1124
2
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1125
2
  out->seal_scatter_supports_extra_in = 1;
1126
1127
2
  out->init = aead_aes_gcm_init;
1128
2
  out->cleanup = aead_aes_gcm_cleanup;
1129
2
  out->seal_scatter = aead_aes_gcm_seal_scatter;
1130
2
  out->open_gather = aead_aes_gcm_open_gather;
1131
2
}
1132
1133
static int aead_aes_gcm_init_randnonce(EVP_AEAD_CTX *ctx, const uint8_t *key,
1134
                                       size_t key_len,
1135
0
                                       size_t requested_tag_len) {
1136
0
  if (requested_tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH) {
1137
0
    if (requested_tag_len < AES_GCM_NONCE_LENGTH) {
1138
0
      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1139
0
      return 0;
1140
0
    }
1141
0
    requested_tag_len -= AES_GCM_NONCE_LENGTH;
1142
0
  }
1143
1144
0
  if (!aead_aes_gcm_init(ctx, key, key_len, requested_tag_len)) {
1145
0
    return 0;
1146
0
  }
1147
1148
0
  ctx->tag_len += AES_GCM_NONCE_LENGTH;
1149
0
  return 1;
1150
0
}
1151
1152
static int aead_aes_gcm_seal_scatter_randnonce(
1153
    const EVP_AEAD_CTX *ctx,
1154
    uint8_t *out, uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len,
1155
    const uint8_t *external_nonce, size_t external_nonce_len,
1156
    const uint8_t *in, size_t in_len,
1157
    const uint8_t *extra_in, size_t extra_in_len,
1158
0
    const uint8_t *ad, size_t ad_len) {
1159
0
  if (external_nonce_len != 0) {
1160
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
1161
0
    return 0;
1162
0
  }
1163
1164
0
  uint8_t nonce[AES_GCM_NONCE_LENGTH];
1165
0
  if (max_out_tag_len < sizeof(nonce)) {
1166
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
1167
0
    return 0;
1168
0
  }
1169
1170
  // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state
1171
  // lock functions to avoid updating the service indicator with the DRBG
1172
  // functions.
1173
0
  FIPS_service_indicator_lock_state();
1174
0
  BCM_rand_bytes(nonce, sizeof(nonce));
1175
0
  FIPS_service_indicator_unlock_state();
1176
1177
0
  const struct aead_aes_gcm_ctx *gcm_ctx =
1178
0
      (const struct aead_aes_gcm_ctx *)&ctx->state;
1179
0
  if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len,
1180
0
                                      max_out_tag_len - AES_GCM_NONCE_LENGTH,
1181
0
                                      nonce, sizeof(nonce), in, in_len,
1182
0
                                      extra_in, extra_in_len, ad, ad_len,
1183
0
                                      ctx->tag_len - AES_GCM_NONCE_LENGTH)) {
1184
0
    return 0;
1185
0
  }
1186
1187
0
  assert(*out_tag_len + sizeof(nonce) <= max_out_tag_len);
1188
0
  memcpy(out_tag + *out_tag_len, nonce, sizeof(nonce));
1189
0
  *out_tag_len += sizeof(nonce);
1190
1191
0
  AEAD_GCM_verify_service_indicator(ctx);
1192
0
  return 1;
1193
0
}
1194
1195
static int aead_aes_gcm_open_gather_randnonce(
1196
    const EVP_AEAD_CTX *ctx, uint8_t *out,
1197
    const uint8_t *external_nonce, size_t external_nonce_len,
1198
    const uint8_t *in, size_t in_len,
1199
    const uint8_t *in_tag, size_t in_tag_len,
1200
0
    const uint8_t *ad, size_t ad_len) {
1201
0
  if (external_nonce_len != 0) {
1202
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
1203
0
    return 0;
1204
0
  }
1205
1206
0
  if (in_tag_len < AES_GCM_NONCE_LENGTH) {
1207
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
1208
0
    return 0;
1209
0
  }
1210
0
  const uint8_t *nonce = in_tag + in_tag_len - AES_GCM_NONCE_LENGTH;
1211
1212
0
  const struct aead_aes_gcm_ctx *gcm_ctx =
1213
0
      (const struct aead_aes_gcm_ctx *)&ctx->state;
1214
0
  if (!aead_aes_gcm_open_gather_impl(
1215
0
      gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag,
1216
0
      in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len,
1217
0
      ctx->tag_len - AES_GCM_NONCE_LENGTH)) {
1218
0
    return 0;
1219
0
  }
1220
1221
0
  AEAD_GCM_verify_service_indicator(ctx);
1222
0
  return 1;
1223
0
}
1224
1225
0
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_randnonce) {
1226
0
  memset(out, 0, sizeof(EVP_AEAD));
1227
1228
0
  out->key_len = 16;
1229
0
  out->nonce_len = 0;
1230
0
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;
1231
0
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;
1232
0
  out->seal_scatter_supports_extra_in = 1;
1233
1234
0
  out->init = aead_aes_gcm_init_randnonce;
1235
0
  out->cleanup = aead_aes_gcm_cleanup;
1236
0
  out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce;
1237
0
  out->open_gather = aead_aes_gcm_open_gather_randnonce;
1238
0
}
1239
1240
0
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_randnonce) {
1241
0
  memset(out, 0, sizeof(EVP_AEAD));
1242
1243
0
  out->key_len = 32;
1244
0
  out->nonce_len = 0;
1245
0
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;
1246
0
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;
1247
0
  out->seal_scatter_supports_extra_in = 1;
1248
1249
0
  out->init = aead_aes_gcm_init_randnonce;
1250
0
  out->cleanup = aead_aes_gcm_cleanup;
1251
0
  out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce;
1252
0
  out->open_gather = aead_aes_gcm_open_gather_randnonce;
1253
0
}
1254
1255
struct aead_aes_gcm_tls12_ctx {
1256
  struct aead_aes_gcm_ctx gcm_ctx;
1257
  uint64_t min_next_nonce;
1258
};
1259
1260
static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
1261
                  sizeof(struct aead_aes_gcm_tls12_ctx),
1262
              "AEAD state is too small");
1263
static_assert(alignof(union evp_aead_ctx_st_state) >=
1264
                  alignof(struct aead_aes_gcm_tls12_ctx),
1265
              "AEAD state has insufficient alignment");
1266
1267
static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1268
1
                                   size_t key_len, size_t requested_tag_len) {
1269
1
  struct aead_aes_gcm_tls12_ctx *gcm_ctx =
1270
1
      (struct aead_aes_gcm_tls12_ctx *) &ctx->state;
1271
1272
1
  gcm_ctx->min_next_nonce = 0;
1273
1274
1
  size_t actual_tag_len;
1275
1
  if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
1276
1
                              requested_tag_len)) {
1277
0
    return 0;
1278
0
  }
1279
1280
1
  ctx->tag_len = actual_tag_len;
1281
1
  return 1;
1282
1
}
1283
1284
static int aead_aes_gcm_tls12_seal_scatter(
1285
    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
1286
    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
1287
    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
1288
0
    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
1289
0
  struct aead_aes_gcm_tls12_ctx *gcm_ctx =
1290
0
      (struct aead_aes_gcm_tls12_ctx *) &ctx->state;
1291
1292
0
  if (nonce_len != AES_GCM_NONCE_LENGTH) {
1293
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1294
0
    return 0;
1295
0
  }
1296
1297
  // The given nonces must be strictly monotonically increasing.
1298
0
  uint64_t given_counter =
1299
0
      CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t));
1300
0
  if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) {
1301
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);
1302
0
    return 0;
1303
0
  }
1304
1305
0
  gcm_ctx->min_next_nonce = given_counter + 1;
1306
1307
0
  if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
1308
0
                                 max_out_tag_len, nonce, nonce_len, in, in_len,
1309
0
                                 extra_in, extra_in_len, ad, ad_len)) {
1310
0
    return 0;
1311
0
  }
1312
1313
0
  AEAD_GCM_verify_service_indicator(ctx);
1314
0
  return 1;
1315
0
}
1316
1317
2
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) {
1318
2
  memset(out, 0, sizeof(EVP_AEAD));
1319
1320
2
  out->key_len = 16;
1321
2
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1322
2
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1323
2
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1324
2
  out->seal_scatter_supports_extra_in = 1;
1325
1326
2
  out->init = aead_aes_gcm_tls12_init;
1327
2
  out->cleanup = aead_aes_gcm_cleanup;
1328
2
  out->seal_scatter = aead_aes_gcm_tls12_seal_scatter;
1329
2
  out->open_gather = aead_aes_gcm_open_gather;
1330
2
}
1331
1332
2
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) {
1333
2
  memset(out, 0, sizeof(EVP_AEAD));
1334
1335
2
  out->key_len = 32;
1336
2
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1337
2
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1338
2
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1339
2
  out->seal_scatter_supports_extra_in = 1;
1340
1341
2
  out->init = aead_aes_gcm_tls12_init;
1342
2
  out->cleanup = aead_aes_gcm_cleanup;
1343
2
  out->seal_scatter = aead_aes_gcm_tls12_seal_scatter;
1344
2
  out->open_gather = aead_aes_gcm_open_gather;
1345
2
}
1346
1347
struct aead_aes_gcm_tls13_ctx {
1348
  struct aead_aes_gcm_ctx gcm_ctx;
1349
  uint64_t min_next_nonce;
1350
  uint64_t mask;
1351
  uint8_t first;
1352
};
1353
1354
static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
1355
                  sizeof(struct aead_aes_gcm_tls13_ctx),
1356
              "AEAD state is too small");
1357
static_assert(alignof(union evp_aead_ctx_st_state) >=
1358
                  alignof(struct aead_aes_gcm_tls13_ctx),
1359
              "AEAD state has insufficient alignment");
1360
1361
static int aead_aes_gcm_tls13_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
1362
1
                                   size_t key_len, size_t requested_tag_len) {
1363
1
  struct aead_aes_gcm_tls13_ctx *gcm_ctx =
1364
1
      (struct aead_aes_gcm_tls13_ctx *) &ctx->state;
1365
1366
1
  gcm_ctx->min_next_nonce = 0;
1367
1
  gcm_ctx->first = 1;
1368
1369
1
  size_t actual_tag_len;
1370
1
  if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
1371
1
                              requested_tag_len)) {
1372
1
    return 0;
1373
1
  }
1374
1375
0
  ctx->tag_len = actual_tag_len;
1376
0
  return 1;
1377
1
}
1378
1379
static int aead_aes_gcm_tls13_seal_scatter(
1380
    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
1381
    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
1382
    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
1383
0
    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
1384
0
  struct aead_aes_gcm_tls13_ctx *gcm_ctx =
1385
0
      (struct aead_aes_gcm_tls13_ctx *) &ctx->state;
1386
1387
0
  if (nonce_len != AES_GCM_NONCE_LENGTH) {
1388
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
1389
0
    return 0;
1390
0
  }
1391
1392
  // The given nonces must be strictly monotonically increasing. See
1393
  // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3
1394
  // nonce construction.
1395
0
  uint64_t given_counter =
1396
0
      CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t));
1397
1398
0
  if (gcm_ctx->first) {
1399
    // In the first call the sequence number will be zero and therefore the
1400
    // given nonce will be 0 ^ mask = mask.
1401
0
    gcm_ctx->mask = given_counter;
1402
0
    gcm_ctx->first = 0;
1403
0
  }
1404
0
  given_counter ^= gcm_ctx->mask;
1405
1406
0
  if (given_counter == UINT64_MAX ||
1407
0
      given_counter < gcm_ctx->min_next_nonce) {
1408
0
    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);
1409
0
    return 0;
1410
0
  }
1411
1412
0
  gcm_ctx->min_next_nonce = given_counter + 1;
1413
1414
0
  if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,
1415
0
                                 max_out_tag_len, nonce, nonce_len, in, in_len,
1416
0
                                 extra_in, extra_in_len, ad, ad_len)) {
1417
0
    return 0;
1418
0
  }
1419
1420
0
  AEAD_GCM_verify_service_indicator(ctx);
1421
0
  return 1;
1422
0
}
1423
1424
2
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) {
1425
2
  memset(out, 0, sizeof(EVP_AEAD));
1426
1427
2
  out->key_len = 16;
1428
2
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1429
2
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1430
2
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1431
2
  out->seal_scatter_supports_extra_in = 1;
1432
1433
2
  out->init = aead_aes_gcm_tls13_init;
1434
2
  out->cleanup = aead_aes_gcm_cleanup;
1435
2
  out->seal_scatter = aead_aes_gcm_tls13_seal_scatter;
1436
2
  out->open_gather = aead_aes_gcm_open_gather;
1437
2
}
1438
1439
2
DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) {
1440
2
  memset(out, 0, sizeof(EVP_AEAD));
1441
1442
2
  out->key_len = 32;
1443
2
  out->nonce_len = AES_GCM_NONCE_LENGTH;
1444
2
  out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;
1445
2
  out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;
1446
2
  out->seal_scatter_supports_extra_in = 1;
1447
1448
2
  out->init = aead_aes_gcm_tls13_init;
1449
2
  out->cleanup = aead_aes_gcm_cleanup;
1450
2
  out->seal_scatter = aead_aes_gcm_tls13_seal_scatter;
1451
2
  out->open_gather = aead_aes_gcm_open_gather;
1452
2
}
1453
1454
0
int EVP_has_aes_hardware(void) {
1455
0
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
1456
0
  return hwaes_capable() && crypto_gcm_clmul_enabled();
1457
#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
1458
  return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable();
1459
#else
1460
  return 0;
1461
#endif
1462
0
}
1463
1464
OPENSSL_MSVC_PRAGMA(warning(pop))