/src/boringssl/crypto/fipsmodule/cipher/e_aes.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* ==================================================================== |
2 | | * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. |
3 | | * |
4 | | * Redistribution and use in source and binary forms, with or without |
5 | | * modification, are permitted provided that the following conditions |
6 | | * are met: |
7 | | * |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in |
13 | | * the documentation and/or other materials provided with the |
14 | | * distribution. |
15 | | * |
16 | | * 3. All advertising materials mentioning features or use of this |
17 | | * software must display the following acknowledgment: |
18 | | * "This product includes software developed by the OpenSSL Project |
19 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
20 | | * |
21 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
22 | | * endorse or promote products derived from this software without |
23 | | * prior written permission. For written permission, please contact |
24 | | * openssl-core@openssl.org. |
25 | | * |
26 | | * 5. Products derived from this software may not be called "OpenSSL" |
27 | | * nor may "OpenSSL" appear in their names without prior written |
28 | | * permission of the OpenSSL Project. |
29 | | * |
30 | | * 6. Redistributions of any form whatsoever must retain the following |
31 | | * acknowledgment: |
32 | | * "This product includes software developed by the OpenSSL Project |
33 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
34 | | * |
35 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
36 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
37 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
38 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
39 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
40 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
41 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
42 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
43 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
44 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
45 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
46 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
47 | | * ==================================================================== */ |
48 | | |
49 | | #include <assert.h> |
50 | | #include <limits.h> |
51 | | #include <string.h> |
52 | | |
53 | | #include <openssl/aead.h> |
54 | | #include <openssl/aes.h> |
55 | | #include <openssl/cipher.h> |
56 | | #include <openssl/err.h> |
57 | | #include <openssl/mem.h> |
58 | | #include <openssl/nid.h> |
59 | | |
60 | | #include "internal.h" |
61 | | #include "../../internal.h" |
62 | | #include "../aes/internal.h" |
63 | | #include "../bcm_interface.h" |
64 | | #include "../modes/internal.h" |
65 | | #include "../service_indicator/internal.h" |
66 | | #include "../delocate.h" |
67 | | |
68 | | |
69 | | OPENSSL_MSVC_PRAGMA(warning(push)) |
70 | | OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) // Unreachable code. |
71 | | |
72 | 18 | #define AES_GCM_NONCE_LENGTH 12 |
73 | | |
74 | | #if defined(BSAES) |
75 | | static void vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, |
76 | | uint8_t *out, size_t blocks, |
77 | | const AES_KEY *key, |
78 | | const uint8_t ivec[16]) { |
79 | | // |bsaes_ctr32_encrypt_blocks| is faster than |vpaes_ctr32_encrypt_blocks|, |
80 | | // but it takes at least one full 8-block batch to amortize the conversion. |
81 | | if (blocks < 8) { |
82 | | vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec); |
83 | | return; |
84 | | } |
85 | | |
86 | | size_t bsaes_blocks = blocks; |
87 | | if (bsaes_blocks % 8 < 6) { |
88 | | // |bsaes_ctr32_encrypt_blocks| internally works in 8-block batches. If the |
89 | | // final batch is too small (under six blocks), it is faster to loop over |
90 | | // |vpaes_encrypt|. Round |bsaes_blocks| down to a multiple of 8. |
91 | | bsaes_blocks -= bsaes_blocks % 8; |
92 | | } |
93 | | |
94 | | AES_KEY bsaes; |
95 | | vpaes_encrypt_key_to_bsaes(&bsaes, key); |
96 | | bsaes_ctr32_encrypt_blocks(in, out, bsaes_blocks, &bsaes, ivec); |
97 | | OPENSSL_cleanse(&bsaes, sizeof(bsaes)); |
98 | | |
99 | | in += 16 * bsaes_blocks; |
100 | | out += 16 * bsaes_blocks; |
101 | | blocks -= bsaes_blocks; |
102 | | |
103 | | uint8_t new_ivec[16]; |
104 | | memcpy(new_ivec, ivec, 12); |
105 | | uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks; |
106 | | CRYPTO_store_u32_be(new_ivec + 12, ctr); |
107 | | |
108 | | // Finish any remaining blocks with |vpaes_ctr32_encrypt_blocks|. |
109 | | vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec); |
110 | | } |
111 | | #endif // BSAES |
112 | | |
113 | | typedef struct { |
114 | | union { |
115 | | double align; |
116 | | AES_KEY ks; |
117 | | } ks; |
118 | | block128_f block; |
119 | | union { |
120 | | cbc128_f cbc; |
121 | | ctr128_f ctr; |
122 | | } stream; |
123 | | } EVP_AES_KEY; |
124 | | |
125 | | typedef struct { |
126 | | GCM128_CONTEXT gcm; |
127 | | union { |
128 | | double align; |
129 | | AES_KEY ks; |
130 | | } ks; // AES key schedule to use |
131 | | int key_set; // Set if key initialised |
132 | | int iv_set; // Set if an iv is set |
133 | | uint8_t *iv; // Temporary IV store |
134 | | int ivlen; // IV length |
135 | | int taglen; |
136 | | int iv_gen; // It is OK to generate IVs |
137 | | ctr128_f ctr; |
138 | | } EVP_AES_GCM_CTX; |
139 | | |
140 | | static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, |
141 | 599 | const uint8_t *iv, int enc) { |
142 | 599 | int ret; |
143 | 599 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
144 | 599 | const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK; |
145 | | |
146 | 599 | if (mode == EVP_CIPH_CTR_MODE) { |
147 | 156 | switch (ctx->key_len) { |
148 | 156 | case 16: |
149 | 156 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr); |
150 | 156 | break; |
151 | | |
152 | 0 | case 32: |
153 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr); |
154 | 0 | break; |
155 | 156 | } |
156 | 156 | } |
157 | | |
158 | 599 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { |
159 | 120 | if (hwaes_capable()) { |
160 | 0 | ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
161 | 0 | dat->block = aes_hw_decrypt; |
162 | 0 | dat->stream.cbc = NULL; |
163 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
164 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; |
165 | 0 | } |
166 | 120 | } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) { |
167 | 0 | assert(vpaes_capable()); |
168 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
169 | 0 | if (ret == 0) { |
170 | 0 | vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks); |
171 | 0 | } |
172 | | // If |dat->stream.cbc| is provided, |dat->block| is never used. |
173 | 0 | dat->block = NULL; |
174 | 0 | dat->stream.cbc = bsaes_cbc_encrypt; |
175 | 120 | } else if (vpaes_capable()) { |
176 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
177 | 0 | dat->block = vpaes_decrypt; |
178 | 0 | dat->stream.cbc = NULL; |
179 | | #if defined(VPAES_CBC) |
180 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
181 | 0 | dat->stream.cbc = vpaes_cbc_encrypt; |
182 | 0 | } |
183 | | #endif |
184 | 120 | } else { |
185 | 120 | ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
186 | 120 | dat->block = aes_nohw_decrypt; |
187 | 120 | dat->stream.cbc = NULL; |
188 | 120 | if (mode == EVP_CIPH_CBC_MODE) { |
189 | 20 | dat->stream.cbc = aes_nohw_cbc_encrypt; |
190 | 20 | } |
191 | 120 | } |
192 | 479 | } else if (hwaes_capable()) { |
193 | 101 | ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
194 | 101 | dat->block = aes_hw_encrypt; |
195 | 101 | dat->stream.cbc = NULL; |
196 | 101 | if (mode == EVP_CIPH_CBC_MODE) { |
197 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; |
198 | 101 | } else if (mode == EVP_CIPH_CTR_MODE) { |
199 | 40 | dat->stream.ctr = aes_hw_ctr32_encrypt_blocks; |
200 | 40 | } |
201 | 378 | } else if (vpaes_capable()) { |
202 | 0 | ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
203 | 0 | dat->block = vpaes_encrypt; |
204 | 0 | dat->stream.cbc = NULL; |
205 | | #if defined(VPAES_CBC) |
206 | 0 | if (mode == EVP_CIPH_CBC_MODE) { |
207 | 0 | dat->stream.cbc = vpaes_cbc_encrypt; |
208 | 0 | } |
209 | | #endif |
210 | 0 | if (mode == EVP_CIPH_CTR_MODE) { |
211 | | #if defined(BSAES) |
212 | | assert(bsaes_capable()); |
213 | | dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes; |
214 | | #elif defined(VPAES_CTR32) |
215 | | dat->stream.ctr = vpaes_ctr32_encrypt_blocks; |
216 | | #endif |
217 | 0 | } |
218 | 378 | } else { |
219 | 378 | ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); |
220 | 378 | dat->block = aes_nohw_encrypt; |
221 | 378 | dat->stream.cbc = NULL; |
222 | 378 | if (mode == EVP_CIPH_CBC_MODE) { |
223 | 20 | dat->stream.cbc = aes_nohw_cbc_encrypt; |
224 | 20 | } |
225 | 378 | } |
226 | | |
227 | 599 | if (ret < 0) { |
228 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); |
229 | 0 | return 0; |
230 | 0 | } |
231 | | |
232 | 599 | return 1; |
233 | 599 | } Line | Count | Source | 141 | 498 | const uint8_t *iv, int enc) { | 142 | 498 | int ret; | 143 | 498 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | 144 | 498 | const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK; | 145 | | | 146 | 498 | if (mode == EVP_CIPH_CTR_MODE) { | 147 | 116 | switch (ctx->key_len) { | 148 | 116 | case 16: | 149 | 116 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr); | 150 | 116 | break; | 151 | | | 152 | 0 | case 32: | 153 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr); | 154 | 0 | break; | 155 | 116 | } | 156 | 116 | } | 157 | | | 158 | 498 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { | 159 | 120 | if (hwaes_capable()) { | 160 | 0 | ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 161 | 0 | dat->block = aes_hw_decrypt; | 162 | 0 | dat->stream.cbc = NULL; | 163 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 164 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; | 165 | 0 | } | 166 | 120 | } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) { | 167 | 0 | assert(vpaes_capable()); | 168 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 169 | 0 | if (ret == 0) { | 170 | 0 | vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks); | 171 | 0 | } | 172 | | // If |dat->stream.cbc| is provided, |dat->block| is never used. | 173 | 0 | dat->block = NULL; | 174 | 0 | dat->stream.cbc = bsaes_cbc_encrypt; | 175 | 120 | } else if (vpaes_capable()) { | 176 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 177 | 0 | dat->block = vpaes_decrypt; | 178 | 0 | dat->stream.cbc = NULL; | 179 | | #if defined(VPAES_CBC) | 180 | | if (mode == EVP_CIPH_CBC_MODE) { | 181 | | dat->stream.cbc = vpaes_cbc_encrypt; | 182 | | } | 183 | | #endif | 184 | 120 | } else { | 185 | 120 | ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 186 | 120 | dat->block = aes_nohw_decrypt; | 187 | 120 | dat->stream.cbc = NULL; | 188 | 120 | if (mode == EVP_CIPH_CBC_MODE) { | 189 | 20 | dat->stream.cbc = aes_nohw_cbc_encrypt; | 190 | 20 | } | 191 | 120 | } | 192 | 378 | } else if (hwaes_capable()) { | 193 | 0 | ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 194 | 0 | dat->block = aes_hw_encrypt; | 195 | 0 | dat->stream.cbc = NULL; | 196 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 197 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; | 198 | 0 | } else if (mode == EVP_CIPH_CTR_MODE) { | 199 | 0 | dat->stream.ctr = aes_hw_ctr32_encrypt_blocks; | 200 | 0 | } | 201 | 378 | } else if (vpaes_capable()) { | 202 | 0 | ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 203 | 0 | dat->block = vpaes_encrypt; | 204 | 0 | dat->stream.cbc = NULL; | 205 | | #if defined(VPAES_CBC) | 206 | | if (mode == EVP_CIPH_CBC_MODE) { | 207 | | dat->stream.cbc = vpaes_cbc_encrypt; | 208 | | } | 209 | | #endif | 210 | 0 | if (mode == EVP_CIPH_CTR_MODE) { | 211 | | #if defined(BSAES) | 212 | | assert(bsaes_capable()); | 213 | | dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes; | 214 | | #elif defined(VPAES_CTR32) | 215 | | dat->stream.ctr = vpaes_ctr32_encrypt_blocks; | 216 | | #endif | 217 | 0 | } | 218 | 378 | } else { | 219 | 378 | ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 220 | 378 | dat->block = aes_nohw_encrypt; | 221 | 378 | dat->stream.cbc = NULL; | 222 | 378 | if (mode == EVP_CIPH_CBC_MODE) { | 223 | 20 | dat->stream.cbc = aes_nohw_cbc_encrypt; | 224 | 20 | } | 225 | 378 | } | 226 | | | 227 | 498 | if (ret < 0) { | 228 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); | 229 | 0 | return 0; | 230 | 0 | } | 231 | | | 232 | 498 | return 1; | 233 | 498 | } |
Line | Count | Source | 141 | 101 | const uint8_t *iv, int enc) { | 142 | 101 | int ret; | 143 | 101 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; | 144 | 101 | const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK; | 145 | | | 146 | 101 | if (mode == EVP_CIPH_CTR_MODE) { | 147 | 40 | switch (ctx->key_len) { | 148 | 40 | case 16: | 149 | 40 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr); | 150 | 40 | break; | 151 | | | 152 | 0 | case 32: | 153 | 0 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr); | 154 | 0 | break; | 155 | 40 | } | 156 | 40 | } | 157 | | | 158 | 101 | if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { | 159 | 0 | if (hwaes_capable()) { | 160 | 0 | ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 161 | 0 | dat->block = aes_hw_decrypt; | 162 | 0 | dat->stream.cbc = NULL; | 163 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 164 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; | 165 | 0 | } | 166 | 0 | } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) { | 167 | 0 | assert(vpaes_capable()); | 168 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 169 | 0 | if (ret == 0) { | 170 | 0 | vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks); | 171 | 0 | } | 172 | | // If |dat->stream.cbc| is provided, |dat->block| is never used. | 173 | 0 | dat->block = NULL; | 174 | 0 | dat->stream.cbc = bsaes_cbc_encrypt; | 175 | 0 | } else if (vpaes_capable()) { | 176 | 0 | ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 177 | 0 | dat->block = vpaes_decrypt; | 178 | 0 | dat->stream.cbc = NULL; | 179 | 0 | #if defined(VPAES_CBC) | 180 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 181 | 0 | dat->stream.cbc = vpaes_cbc_encrypt; | 182 | 0 | } | 183 | 0 | #endif | 184 | 0 | } else { | 185 | 0 | ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 186 | 0 | dat->block = aes_nohw_decrypt; | 187 | 0 | dat->stream.cbc = NULL; | 188 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 189 | 0 | dat->stream.cbc = aes_nohw_cbc_encrypt; | 190 | 0 | } | 191 | 0 | } | 192 | 101 | } else if (hwaes_capable()) { | 193 | 101 | ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 194 | 101 | dat->block = aes_hw_encrypt; | 195 | 101 | dat->stream.cbc = NULL; | 196 | 101 | if (mode == EVP_CIPH_CBC_MODE) { | 197 | 0 | dat->stream.cbc = aes_hw_cbc_encrypt; | 198 | 101 | } else if (mode == EVP_CIPH_CTR_MODE) { | 199 | 40 | dat->stream.ctr = aes_hw_ctr32_encrypt_blocks; | 200 | 40 | } | 201 | 101 | } else if (vpaes_capable()) { | 202 | 0 | ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 203 | 0 | dat->block = vpaes_encrypt; | 204 | 0 | dat->stream.cbc = NULL; | 205 | 0 | #if defined(VPAES_CBC) | 206 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 207 | 0 | dat->stream.cbc = vpaes_cbc_encrypt; | 208 | 0 | } | 209 | 0 | #endif | 210 | 0 | if (mode == EVP_CIPH_CTR_MODE) { | 211 | | #if defined(BSAES) | 212 | | assert(bsaes_capable()); | 213 | | dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes; | 214 | | #elif defined(VPAES_CTR32) | 215 | 0 | dat->stream.ctr = vpaes_ctr32_encrypt_blocks; | 216 | 0 | #endif | 217 | 0 | } | 218 | 0 | } else { | 219 | 0 | ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); | 220 | 0 | dat->block = aes_nohw_encrypt; | 221 | 0 | dat->stream.cbc = NULL; | 222 | 0 | if (mode == EVP_CIPH_CBC_MODE) { | 223 | 0 | dat->stream.cbc = aes_nohw_cbc_encrypt; | 224 | 0 | } | 225 | 0 | } | 226 | | | 227 | 101 | if (ret < 0) { | 228 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); | 229 | 0 | return 0; | 230 | 0 | } | 231 | | | 232 | 101 | return 1; | 233 | 101 | } |
|
234 | | |
235 | | static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
236 | 79 | size_t len) { |
237 | 79 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
238 | | |
239 | 79 | if (dat->stream.cbc) { |
240 | 79 | (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt); |
241 | 79 | } else if (ctx->encrypt) { |
242 | 0 | CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); |
243 | 0 | } else { |
244 | 0 | CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); |
245 | 0 | } |
246 | | |
247 | 79 | return 1; |
248 | 79 | } |
249 | | |
250 | | static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
251 | 1.38k | size_t len) { |
252 | 1.38k | size_t bl = ctx->cipher->block_size; |
253 | 1.38k | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
254 | | |
255 | 1.38k | if (len < bl) { |
256 | 0 | return 1; |
257 | 0 | } |
258 | | |
259 | 1.38k | len -= bl; |
260 | 2.92k | for (size_t i = 0; i <= len; i += bl) { |
261 | 1.54k | (*dat->block)(in + i, out + i, &dat->ks.ks); |
262 | 1.54k | } |
263 | | |
264 | 1.38k | return 1; |
265 | 1.38k | } |
266 | | |
267 | | static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
268 | 447 | size_t len) { |
269 | 447 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
270 | | |
271 | 447 | if (dat->stream.ctr) { |
272 | 127 | CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, |
273 | 127 | &ctx->num, dat->stream.ctr); |
274 | 320 | } else { |
275 | 320 | CRYPTO_ctr128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, |
276 | 320 | &ctx->num, dat->block); |
277 | 320 | } |
278 | 447 | return 1; |
279 | 447 | } |
280 | | |
281 | | static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
282 | 684 | size_t len) { |
283 | 684 | EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; |
284 | | |
285 | 684 | CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num, |
286 | 684 | dat->block); |
287 | 684 | return 1; |
288 | 684 | } |
289 | | |
290 | | ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key, |
291 | | block128_f *out_block, const uint8_t *key, |
292 | 9.49k | size_t key_bytes) { |
293 | | // This function assumes the key length was previously validated. |
294 | 9.49k | assert(key_bytes == 128 / 8 || key_bytes == 192 / 8 || key_bytes == 256 / 8); |
295 | 9.49k | if (hwaes_capable()) { |
296 | 2.10k | aes_hw_set_encrypt_key(key, (int)key_bytes * 8, aes_key); |
297 | 2.10k | if (gcm_key != NULL) { |
298 | 141 | CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_hw_encrypt, 1); |
299 | 141 | } |
300 | 2.10k | if (out_block) { |
301 | 1.96k | *out_block = aes_hw_encrypt; |
302 | 1.96k | } |
303 | 2.10k | return aes_hw_ctr32_encrypt_blocks; |
304 | 2.10k | } |
305 | | |
306 | 7.39k | if (vpaes_capable()) { |
307 | 0 | vpaes_set_encrypt_key(key, (int)key_bytes * 8, aes_key); |
308 | 0 | if (out_block) { |
309 | 0 | *out_block = vpaes_encrypt; |
310 | 0 | } |
311 | 0 | if (gcm_key != NULL) { |
312 | 0 | CRYPTO_gcm128_init_key(gcm_key, aes_key, vpaes_encrypt, 0); |
313 | 0 | } |
314 | | #if defined(BSAES) |
315 | | assert(bsaes_capable()); |
316 | | return vpaes_ctr32_encrypt_blocks_with_bsaes; |
317 | | #elif defined(VPAES_CTR32) |
318 | | return vpaes_ctr32_encrypt_blocks; |
319 | | #else |
320 | 0 | return NULL; |
321 | 0 | #endif |
322 | 0 | } |
323 | | |
324 | 7.39k | aes_nohw_set_encrypt_key(key, (int)key_bytes * 8, aes_key); |
325 | 7.39k | if (gcm_key != NULL) { |
326 | 694 | CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_nohw_encrypt, 0); |
327 | 694 | } |
328 | 7.39k | if (out_block) { |
329 | 6.70k | *out_block = aes_nohw_encrypt; |
330 | 6.70k | } |
331 | 7.39k | return aes_nohw_ctr32_encrypt_blocks; |
332 | 7.39k | } |
333 | | |
334 | | #if defined(OPENSSL_32_BIT) |
335 | | #define EVP_AES_GCM_CTX_PADDING (4+8) |
336 | | #else |
337 | 6 | #define EVP_AES_GCM_CTX_PADDING 8 |
338 | | #endif |
339 | | |
340 | 12.1k | static EVP_AES_GCM_CTX *aes_gcm_from_cipher_ctx(EVP_CIPHER_CTX *ctx) { |
341 | 12.1k | static_assert( |
342 | 12.1k | alignof(EVP_AES_GCM_CTX) <= 16, |
343 | 12.1k | "EVP_AES_GCM_CTX needs more alignment than this function provides"); |
344 | | |
345 | | // |malloc| guarantees up to 4-byte alignment on 32-bit and 8-byte alignment |
346 | | // on 64-bit systems, so we need to adjust to reach 16-byte alignment. |
347 | 12.1k | assert(ctx->cipher->ctx_size == |
348 | 12.1k | sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING); |
349 | | |
350 | 12.1k | char *ptr = ctx->cipher_data; |
351 | | #if defined(OPENSSL_32_BIT) |
352 | | assert((uintptr_t)ptr % 4 == 0); |
353 | | ptr += (uintptr_t)ptr & 4; |
354 | | #endif |
355 | 12.1k | assert((uintptr_t)ptr % 8 == 0); |
356 | 12.1k | ptr += (uintptr_t)ptr & 8; |
357 | 12.1k | return (EVP_AES_GCM_CTX *)ptr; |
358 | 12.1k | } |
359 | | |
360 | | static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, |
361 | 540 | const uint8_t *iv, int enc) { |
362 | 540 | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx); |
363 | 540 | if (!iv && !key) { |
364 | 319 | return 1; |
365 | 319 | } |
366 | | |
367 | 221 | switch (ctx->key_len) { |
368 | 104 | case 16: |
369 | 104 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm); |
370 | 104 | break; |
371 | | |
372 | 111 | case 32: |
373 | 111 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm); |
374 | 111 | break; |
375 | 221 | } |
376 | | |
377 | 221 | if (key) { |
378 | 221 | OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm)); |
379 | 221 | gctx->ctr = aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm.gcm_key, NULL, key, |
380 | 221 | ctx->key_len); |
381 | | // If we have an iv can set it directly, otherwise use saved IV. |
382 | 221 | if (iv == NULL && gctx->iv_set) { |
383 | 0 | iv = gctx->iv; |
384 | 0 | } |
385 | 221 | if (iv) { |
386 | 221 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen); |
387 | 221 | gctx->iv_set = 1; |
388 | 221 | } |
389 | 221 | gctx->key_set = 1; |
390 | 221 | } else { |
391 | | // If key set use IV, otherwise copy |
392 | 0 | if (gctx->key_set) { |
393 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen); |
394 | 0 | } else { |
395 | 0 | OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen); |
396 | 0 | } |
397 | 0 | gctx->iv_set = 1; |
398 | 0 | gctx->iv_gen = 0; |
399 | 0 | } |
400 | 221 | return 1; |
401 | 221 | } |
402 | | |
403 | 3.19k | static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) { |
404 | 3.19k | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c); |
405 | 3.19k | OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); |
406 | 3.19k | if (gctx->iv != c->iv) { |
407 | 1.91k | OPENSSL_free(gctx->iv); |
408 | 1.91k | } |
409 | 3.19k | } |
410 | | |
411 | 3.62k | static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { |
412 | 3.62k | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c); |
413 | 3.62k | switch (type) { |
414 | 319 | case EVP_CTRL_INIT: |
415 | 319 | gctx->key_set = 0; |
416 | 319 | gctx->iv_set = 0; |
417 | 319 | gctx->ivlen = c->cipher->iv_len; |
418 | 319 | gctx->iv = c->iv; |
419 | 319 | gctx->taglen = -1; |
420 | 319 | gctx->iv_gen = 0; |
421 | 319 | return 1; |
422 | | |
423 | 316 | case EVP_CTRL_AEAD_SET_IVLEN: |
424 | 316 | if (arg <= 0) { |
425 | 41 | return 0; |
426 | 41 | } |
427 | | |
428 | | // Allocate memory for IV if needed |
429 | 275 | if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) { |
430 | 111 | if (gctx->iv != c->iv) { |
431 | 0 | OPENSSL_free(gctx->iv); |
432 | 0 | } |
433 | 111 | gctx->iv = OPENSSL_malloc(arg); |
434 | 111 | if (!gctx->iv) { |
435 | 0 | return 0; |
436 | 0 | } |
437 | 111 | } |
438 | 275 | gctx->ivlen = arg; |
439 | 275 | return 1; |
440 | | |
441 | 0 | case EVP_CTRL_GET_IVLEN: |
442 | 0 | *(int *)ptr = gctx->ivlen; |
443 | 0 | return 1; |
444 | | |
445 | 2 | case EVP_CTRL_AEAD_SET_TAG: |
446 | 2 | if (arg <= 0 || arg > 16 || c->encrypt) { |
447 | 0 | return 0; |
448 | 0 | } |
449 | 2 | OPENSSL_memcpy(c->buf, ptr, arg); |
450 | 2 | gctx->taglen = arg; |
451 | 2 | return 1; |
452 | | |
453 | 105 | case EVP_CTRL_AEAD_GET_TAG: |
454 | 105 | if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) { |
455 | 69 | return 0; |
456 | 69 | } |
457 | 36 | OPENSSL_memcpy(ptr, c->buf, arg); |
458 | 36 | return 1; |
459 | | |
460 | 0 | case EVP_CTRL_AEAD_SET_IV_FIXED: |
461 | | // Special case: -1 length restores whole IV |
462 | 0 | if (arg == -1) { |
463 | 0 | OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen); |
464 | 0 | gctx->iv_gen = 1; |
465 | 0 | return 1; |
466 | 0 | } |
467 | | // Fixed field must be at least 4 bytes and invocation field |
468 | | // at least 8. |
469 | 0 | if (arg < 4 || (gctx->ivlen - arg) < 8) { |
470 | 0 | return 0; |
471 | 0 | } |
472 | 0 | OPENSSL_memcpy(gctx->iv, ptr, arg); |
473 | 0 | if (c->encrypt) { |
474 | | // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with |
475 | | // state lock functions to avoid updating the service indicator with the |
476 | | // DRBG functions. |
477 | 0 | FIPS_service_indicator_lock_state(); |
478 | 0 | BCM_rand_bytes(gctx->iv + arg, gctx->ivlen - arg); |
479 | 0 | FIPS_service_indicator_unlock_state(); |
480 | 0 | } |
481 | 0 | gctx->iv_gen = 1; |
482 | 0 | return 1; |
483 | | |
484 | 0 | case EVP_CTRL_GCM_IV_GEN: { |
485 | 0 | if (gctx->iv_gen == 0 || gctx->key_set == 0) { |
486 | 0 | return 0; |
487 | 0 | } |
488 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen); |
489 | 0 | if (arg <= 0 || arg > gctx->ivlen) { |
490 | 0 | arg = gctx->ivlen; |
491 | 0 | } |
492 | 0 | OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); |
493 | | // Invocation field will be at least 8 bytes in size, so no need to check |
494 | | // wrap around or increment more than last 8 bytes. |
495 | 0 | uint8_t *ctr = gctx->iv + gctx->ivlen - 8; |
496 | 0 | CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1); |
497 | 0 | gctx->iv_set = 1; |
498 | 0 | return 1; |
499 | 0 | } |
500 | | |
501 | 0 | case EVP_CTRL_GCM_SET_IV_INV: |
502 | 0 | if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) { |
503 | 0 | return 0; |
504 | 0 | } |
505 | 0 | OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); |
506 | 0 | CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen); |
507 | 0 | gctx->iv_set = 1; |
508 | 0 | return 1; |
509 | | |
510 | 2.87k | case EVP_CTRL_COPY: { |
511 | 2.87k | EVP_CIPHER_CTX *out = ptr; |
512 | 2.87k | EVP_AES_GCM_CTX *gctx_out = aes_gcm_from_cipher_ctx(out); |
513 | | // |EVP_CIPHER_CTX_copy| copies this generically, but we must redo it in |
514 | | // case |out->cipher_data| and |in->cipher_data| are differently aligned. |
515 | 2.87k | OPENSSL_memcpy(gctx_out, gctx, sizeof(EVP_AES_GCM_CTX)); |
516 | 2.87k | if (gctx->iv == c->iv) { |
517 | 1.07k | gctx_out->iv = out->iv; |
518 | 1.80k | } else { |
519 | 1.80k | gctx_out->iv = OPENSSL_memdup(gctx->iv, gctx->ivlen); |
520 | 1.80k | if (!gctx_out->iv) { |
521 | 0 | return 0; |
522 | 0 | } |
523 | 1.80k | } |
524 | 2.87k | return 1; |
525 | 2.87k | } |
526 | | |
527 | 0 | default: |
528 | 0 | return -1; |
529 | 3.62k | } |
530 | 3.62k | } |
531 | | |
532 | | static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
533 | 1.95k | size_t len) { |
534 | 1.95k | EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(ctx); |
535 | | |
536 | | // If not set up, return error |
537 | 1.95k | if (!gctx->key_set) { |
538 | 0 | return -1; |
539 | 0 | } |
540 | 1.95k | if (!gctx->iv_set) { |
541 | 4 | return -1; |
542 | 4 | } |
543 | | |
544 | 1.94k | if (len > INT_MAX) { |
545 | | // This function signature can only express up to |INT_MAX| bytes encrypted. |
546 | | // |
547 | | // TODO(https://crbug.com/boringssl/494): Make the internal |EVP_CIPHER| |
548 | | // calling convention |size_t|-clean. |
549 | 0 | return -1; |
550 | 0 | } |
551 | | |
552 | 1.94k | if (in) { |
553 | 1.73k | if (out == NULL) { |
554 | 20 | if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) { |
555 | 0 | return -1; |
556 | 0 | } |
557 | 1.71k | } else if (ctx->encrypt) { |
558 | 377 | if (gctx->ctr) { |
559 | 377 | if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len, |
560 | 377 | gctx->ctr)) { |
561 | 0 | return -1; |
562 | 0 | } |
563 | 377 | } else { |
564 | 0 | if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) { |
565 | 0 | return -1; |
566 | 0 | } |
567 | 0 | } |
568 | 1.33k | } else { |
569 | 1.33k | if (gctx->ctr) { |
570 | 1.33k | if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len, |
571 | 1.33k | gctx->ctr)) { |
572 | 0 | return -1; |
573 | 0 | } |
574 | 1.33k | } else { |
575 | 0 | if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) { |
576 | 0 | return -1; |
577 | 0 | } |
578 | 0 | } |
579 | 1.33k | } |
580 | 1.73k | return (int)len; |
581 | 1.73k | } else { |
582 | 217 | if (!ctx->encrypt) { |
583 | 66 | if (gctx->taglen < 0 || |
584 | 66 | !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) { |
585 | 64 | return -1; |
586 | 64 | } |
587 | 2 | gctx->iv_set = 0; |
588 | 2 | return 0; |
589 | 66 | } |
590 | 151 | CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16); |
591 | 151 | gctx->taglen = 16; |
592 | | // Don't reuse the IV |
593 | 151 | gctx->iv_set = 0; |
594 | 151 | return 0; |
595 | 217 | } |
596 | 1.94k | } |
597 | | |
598 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_cbc) { |
599 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
600 | | |
601 | 2 | out->nid = NID_aes_128_cbc; |
602 | 2 | out->block_size = 16; |
603 | 2 | out->key_len = 16; |
604 | 2 | out->iv_len = 16; |
605 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
606 | 2 | out->flags = EVP_CIPH_CBC_MODE; |
607 | 2 | out->init = aes_init_key; |
608 | 2 | out->cipher = aes_cbc_cipher; |
609 | 2 | } |
610 | | |
611 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ctr) { |
612 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
613 | | |
614 | 2 | out->nid = NID_aes_128_ctr; |
615 | 2 | out->block_size = 1; |
616 | 2 | out->key_len = 16; |
617 | 2 | out->iv_len = 16; |
618 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
619 | 2 | out->flags = EVP_CIPH_CTR_MODE; |
620 | 2 | out->init = aes_init_key; |
621 | 2 | out->cipher = aes_ctr_cipher; |
622 | 2 | } |
623 | | |
624 | 1 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ecb_generic) { |
625 | 1 | memset(out, 0, sizeof(EVP_CIPHER)); |
626 | | |
627 | 1 | out->nid = NID_aes_128_ecb; |
628 | 1 | out->block_size = 16; |
629 | 1 | out->key_len = 16; |
630 | 1 | out->ctx_size = sizeof(EVP_AES_KEY); |
631 | 1 | out->flags = EVP_CIPH_ECB_MODE; |
632 | 1 | out->init = aes_init_key; |
633 | 1 | out->cipher = aes_ecb_cipher; |
634 | 1 | } |
635 | | |
636 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ofb) { |
637 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
638 | | |
639 | 2 | out->nid = NID_aes_128_ofb128; |
640 | 2 | out->block_size = 1; |
641 | 2 | out->key_len = 16; |
642 | 2 | out->iv_len = 16; |
643 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
644 | 2 | out->flags = EVP_CIPH_OFB_MODE; |
645 | 2 | out->init = aes_init_key; |
646 | 2 | out->cipher = aes_ofb_cipher; |
647 | 2 | } |
648 | | |
649 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_gcm) { |
650 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
651 | | |
652 | 2 | out->nid = NID_aes_128_gcm; |
653 | 2 | out->block_size = 1; |
654 | 2 | out->key_len = 16; |
655 | 2 | out->iv_len = AES_GCM_NONCE_LENGTH; |
656 | 2 | out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING; |
657 | 2 | out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | |
658 | 2 | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | |
659 | 2 | EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; |
660 | 2 | out->init = aes_gcm_init_key; |
661 | 2 | out->cipher = aes_gcm_cipher; |
662 | 2 | out->cleanup = aes_gcm_cleanup; |
663 | 2 | out->ctrl = aes_gcm_ctrl; |
664 | 2 | } |
665 | | |
666 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_cbc) { |
667 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
668 | | |
669 | 2 | out->nid = NID_aes_192_cbc; |
670 | 2 | out->block_size = 16; |
671 | 2 | out->key_len = 24; |
672 | 2 | out->iv_len = 16; |
673 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
674 | 2 | out->flags = EVP_CIPH_CBC_MODE; |
675 | 2 | out->init = aes_init_key; |
676 | 2 | out->cipher = aes_cbc_cipher; |
677 | 2 | } |
678 | | |
679 | 1 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ctr) { |
680 | 1 | memset(out, 0, sizeof(EVP_CIPHER)); |
681 | | |
682 | 1 | out->nid = NID_aes_192_ctr; |
683 | 1 | out->block_size = 1; |
684 | 1 | out->key_len = 24; |
685 | 1 | out->iv_len = 16; |
686 | 1 | out->ctx_size = sizeof(EVP_AES_KEY); |
687 | 1 | out->flags = EVP_CIPH_CTR_MODE; |
688 | 1 | out->init = aes_init_key; |
689 | 1 | out->cipher = aes_ctr_cipher; |
690 | 1 | } |
691 | | |
692 | 1 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ecb_generic) { |
693 | 1 | memset(out, 0, sizeof(EVP_CIPHER)); |
694 | | |
695 | 1 | out->nid = NID_aes_192_ecb; |
696 | 1 | out->block_size = 16; |
697 | 1 | out->key_len = 24; |
698 | 1 | out->ctx_size = sizeof(EVP_AES_KEY); |
699 | 1 | out->flags = EVP_CIPH_ECB_MODE; |
700 | 1 | out->init = aes_init_key; |
701 | 1 | out->cipher = aes_ecb_cipher; |
702 | 1 | } |
703 | | |
704 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ofb) { |
705 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
706 | | |
707 | 2 | out->nid = NID_aes_192_ofb128; |
708 | 2 | out->block_size = 1; |
709 | 2 | out->key_len = 24; |
710 | 2 | out->iv_len = 16; |
711 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
712 | 2 | out->flags = EVP_CIPH_OFB_MODE; |
713 | 2 | out->init = aes_init_key; |
714 | 2 | out->cipher = aes_ofb_cipher; |
715 | 2 | } |
716 | | |
717 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_gcm) { |
718 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
719 | | |
720 | 2 | out->nid = NID_aes_192_gcm; |
721 | 2 | out->block_size = 1; |
722 | 2 | out->key_len = 24; |
723 | 2 | out->iv_len = AES_GCM_NONCE_LENGTH; |
724 | 2 | out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING; |
725 | 2 | out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | |
726 | 2 | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | |
727 | 2 | EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; |
728 | 2 | out->init = aes_gcm_init_key; |
729 | 2 | out->cipher = aes_gcm_cipher; |
730 | 2 | out->cleanup = aes_gcm_cleanup; |
731 | 2 | out->ctrl = aes_gcm_ctrl; |
732 | 2 | } |
733 | | |
734 | 1 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_cbc) { |
735 | 1 | memset(out, 0, sizeof(EVP_CIPHER)); |
736 | | |
737 | 1 | out->nid = NID_aes_256_cbc; |
738 | 1 | out->block_size = 16; |
739 | 1 | out->key_len = 32; |
740 | 1 | out->iv_len = 16; |
741 | 1 | out->ctx_size = sizeof(EVP_AES_KEY); |
742 | 1 | out->flags = EVP_CIPH_CBC_MODE; |
743 | 1 | out->init = aes_init_key; |
744 | 1 | out->cipher = aes_cbc_cipher; |
745 | 1 | } |
746 | | |
747 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ctr) { |
748 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
749 | | |
750 | 2 | out->nid = NID_aes_256_ctr; |
751 | 2 | out->block_size = 1; |
752 | 2 | out->key_len = 32; |
753 | 2 | out->iv_len = 16; |
754 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
755 | 2 | out->flags = EVP_CIPH_CTR_MODE; |
756 | 2 | out->init = aes_init_key; |
757 | 2 | out->cipher = aes_ctr_cipher; |
758 | 2 | } |
759 | | |
760 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ecb_generic) { |
761 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
762 | |
|
763 | 0 | out->nid = NID_aes_256_ecb; |
764 | 0 | out->block_size = 16; |
765 | 0 | out->key_len = 32; |
766 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
767 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
768 | 0 | out->init = aes_init_key; |
769 | 0 | out->cipher = aes_ecb_cipher; |
770 | 0 | } |
771 | | |
772 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ofb) { |
773 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
774 | | |
775 | 2 | out->nid = NID_aes_256_ofb128; |
776 | 2 | out->block_size = 1; |
777 | 2 | out->key_len = 32; |
778 | 2 | out->iv_len = 16; |
779 | 2 | out->ctx_size = sizeof(EVP_AES_KEY); |
780 | 2 | out->flags = EVP_CIPH_OFB_MODE; |
781 | 2 | out->init = aes_init_key; |
782 | 2 | out->cipher = aes_ofb_cipher; |
783 | 2 | } |
784 | | |
785 | 2 | DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_gcm) { |
786 | 2 | memset(out, 0, sizeof(EVP_CIPHER)); |
787 | | |
788 | 2 | out->nid = NID_aes_256_gcm; |
789 | 2 | out->block_size = 1; |
790 | 2 | out->key_len = 32; |
791 | 2 | out->iv_len = AES_GCM_NONCE_LENGTH; |
792 | 2 | out->ctx_size = sizeof(EVP_AES_GCM_CTX) + EVP_AES_GCM_CTX_PADDING; |
793 | 2 | out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | |
794 | 2 | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | |
795 | 2 | EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; |
796 | 2 | out->init = aes_gcm_init_key; |
797 | 2 | out->cipher = aes_gcm_cipher; |
798 | 2 | out->cleanup = aes_gcm_cleanup; |
799 | 2 | out->ctrl = aes_gcm_ctrl; |
800 | 2 | } |
801 | | |
802 | | #if defined(HWAES_ECB) |
803 | | |
804 | | static int aes_hw_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, |
805 | 340 | const uint8_t *in, size_t len) { |
806 | 340 | size_t bl = ctx->cipher->block_size; |
807 | | |
808 | 340 | if (len < bl) { |
809 | 0 | return 1; |
810 | 0 | } |
811 | | |
812 | 340 | aes_hw_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt); |
813 | | |
814 | 340 | return 1; |
815 | 340 | } |
816 | | |
817 | 1 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_128_ecb) { |
818 | 1 | memset(out, 0, sizeof(EVP_CIPHER)); |
819 | | |
820 | 1 | out->nid = NID_aes_128_ecb; |
821 | 1 | out->block_size = 16; |
822 | 1 | out->key_len = 16; |
823 | 1 | out->ctx_size = sizeof(EVP_AES_KEY); |
824 | 1 | out->flags = EVP_CIPH_ECB_MODE; |
825 | 1 | out->init = aes_init_key; |
826 | 1 | out->cipher = aes_hw_ecb_cipher; |
827 | 1 | } |
828 | | |
829 | 1 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_192_ecb) { |
830 | 1 | memset(out, 0, sizeof(EVP_CIPHER)); |
831 | | |
832 | 1 | out->nid = NID_aes_192_ecb; |
833 | 1 | out->block_size = 16; |
834 | 1 | out->key_len = 24; |
835 | 1 | out->ctx_size = sizeof(EVP_AES_KEY); |
836 | 1 | out->flags = EVP_CIPH_ECB_MODE; |
837 | 1 | out->init = aes_init_key; |
838 | 1 | out->cipher = aes_hw_ecb_cipher; |
839 | 1 | } |
840 | | |
841 | 0 | DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_256_ecb) { |
842 | 0 | memset(out, 0, sizeof(EVP_CIPHER)); |
843 | |
|
844 | 0 | out->nid = NID_aes_256_ecb; |
845 | 0 | out->block_size = 16; |
846 | 0 | out->key_len = 32; |
847 | 0 | out->ctx_size = sizeof(EVP_AES_KEY); |
848 | 0 | out->flags = EVP_CIPH_ECB_MODE; |
849 | 0 | out->init = aes_init_key; |
850 | 0 | out->cipher = aes_hw_ecb_cipher; |
851 | 0 | } |
852 | | |
853 | | #define EVP_ECB_CIPHER_FUNCTION(keybits) \ |
854 | | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ |
855 | | if (hwaes_capable()) { \ |
856 | | return aes_hw_##keybits##_ecb(); \ |
857 | | } \ |
858 | | return aes_##keybits##_ecb_generic(); \ |
859 | | } |
860 | | |
861 | | #else |
862 | | |
863 | | #define EVP_ECB_CIPHER_FUNCTION(keybits) \ |
864 | 302 | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ |
865 | 302 | return aes_##keybits##_ecb_generic(); \ |
866 | 302 | } Line | Count | Source | 864 | 252 | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ | 865 | 252 | return aes_##keybits##_ecb_generic(); \ | 866 | 252 | } |
Line | Count | Source | 864 | 38 | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ | 865 | 38 | return aes_##keybits##_ecb_generic(); \ | 866 | 38 | } |
Line | Count | Source | 864 | 12 | const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ | 865 | 12 | return aes_##keybits##_ecb_generic(); \ | 866 | 12 | } |
|
867 | | |
868 | | #endif // HWAES_ECB |
869 | | |
870 | | EVP_ECB_CIPHER_FUNCTION(128) |
871 | | EVP_ECB_CIPHER_FUNCTION(192) |
872 | | EVP_ECB_CIPHER_FUNCTION(256) |
873 | | |
874 | | |
875 | 861 | #define EVP_AEAD_AES_GCM_TAG_LEN 16 |
876 | | |
877 | | struct aead_aes_gcm_ctx { |
878 | | union { |
879 | | double align; |
880 | | AES_KEY ks; |
881 | | } ks; |
882 | | GCM128_KEY gcm_key; |
883 | | ctr128_f ctr; |
884 | | }; |
885 | | |
886 | | static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx, |
887 | | size_t *out_tag_len, const uint8_t *key, |
888 | 692 | size_t key_len, size_t tag_len) { |
889 | 692 | const size_t key_bits = key_len * 8; |
890 | | |
891 | 692 | switch (key_bits) { |
892 | 485 | case 128: |
893 | 485 | boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm); |
894 | 485 | break; |
895 | | |
896 | 207 | case 256: |
897 | 207 | boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm); |
898 | 207 | break; |
899 | 692 | } |
900 | | |
901 | 692 | if (key_bits != 128 && key_bits != 192 && key_bits != 256) { |
902 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); |
903 | 0 | return 0; // EVP_AEAD_CTX_init should catch this. |
904 | 0 | } |
905 | | |
906 | 692 | if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { |
907 | 145 | tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
908 | 145 | } |
909 | | |
910 | 692 | if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { |
911 | 78 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); |
912 | 78 | return 0; |
913 | 78 | } |
914 | | |
915 | 614 | gcm_ctx->ctr = |
916 | 614 | aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL, key, key_len); |
917 | 614 | *out_tag_len = tag_len; |
918 | 614 | return 1; |
919 | 692 | } |
920 | | |
921 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
922 | | sizeof(struct aead_aes_gcm_ctx), |
923 | | "AEAD state is too small"); |
924 | | static_assert(alignof(union evp_aead_ctx_st_state) >= |
925 | | alignof(struct aead_aes_gcm_ctx), |
926 | | "AEAD state has insufficient alignment"); |
927 | | |
928 | | static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
929 | 690 | size_t key_len, size_t requested_tag_len) { |
930 | 690 | struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *) &ctx->state; |
931 | | |
932 | 690 | size_t actual_tag_len; |
933 | 690 | if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len, |
934 | 690 | requested_tag_len)) { |
935 | 77 | return 0; |
936 | 77 | } |
937 | | |
938 | 613 | ctx->tag_len = actual_tag_len; |
939 | 613 | return 1; |
940 | 690 | } |
941 | | |
942 | 614 | static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {} |
943 | | |
944 | | static int aead_aes_gcm_seal_scatter_impl( |
945 | | const struct aead_aes_gcm_ctx *gcm_ctx, |
946 | | uint8_t *out, uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len, |
947 | | const uint8_t *nonce, size_t nonce_len, |
948 | | const uint8_t *in, size_t in_len, |
949 | | const uint8_t *extra_in, size_t extra_in_len, |
950 | | const uint8_t *ad, size_t ad_len, |
951 | 318 | size_t tag_len) { |
952 | 318 | if (extra_in_len + tag_len < tag_len) { |
953 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
954 | 0 | return 0; |
955 | 0 | } |
956 | 318 | if (max_out_tag_len < extra_in_len + tag_len) { |
957 | 22 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
958 | 22 | return 0; |
959 | 22 | } |
960 | 296 | if (nonce_len == 0) { |
961 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
962 | 0 | return 0; |
963 | 0 | } |
964 | | |
965 | 296 | const AES_KEY *key = &gcm_ctx->ks.ks; |
966 | | |
967 | 296 | GCM128_CONTEXT gcm; |
968 | 296 | OPENSSL_memset(&gcm, 0, sizeof(gcm)); |
969 | 296 | OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key)); |
970 | 296 | CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len); |
971 | | |
972 | 296 | if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) { |
973 | 0 | return 0; |
974 | 0 | } |
975 | | |
976 | 296 | if (gcm_ctx->ctr) { |
977 | 296 | if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len, |
978 | 296 | gcm_ctx->ctr)) { |
979 | 0 | return 0; |
980 | 0 | } |
981 | 296 | } else { |
982 | 0 | if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) { |
983 | 0 | return 0; |
984 | 0 | } |
985 | 0 | } |
986 | | |
987 | 296 | if (extra_in_len) { |
988 | 0 | if (gcm_ctx->ctr) { |
989 | 0 | if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, extra_in, out_tag, |
990 | 0 | extra_in_len, gcm_ctx->ctr)) { |
991 | 0 | return 0; |
992 | 0 | } |
993 | 0 | } else { |
994 | 0 | if (!CRYPTO_gcm128_encrypt(&gcm, key, extra_in, out_tag, extra_in_len)) { |
995 | 0 | return 0; |
996 | 0 | } |
997 | 0 | } |
998 | 0 | } |
999 | | |
1000 | 296 | CRYPTO_gcm128_tag(&gcm, out_tag + extra_in_len, tag_len); |
1001 | 296 | *out_tag_len = tag_len + extra_in_len; |
1002 | | |
1003 | 296 | return 1; |
1004 | 296 | } |
1005 | | |
1006 | | static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out, |
1007 | | uint8_t *out_tag, size_t *out_tag_len, |
1008 | | size_t max_out_tag_len, |
1009 | | const uint8_t *nonce, size_t nonce_len, |
1010 | | const uint8_t *in, size_t in_len, |
1011 | | const uint8_t *extra_in, |
1012 | | size_t extra_in_len, |
1013 | 318 | const uint8_t *ad, size_t ad_len) { |
1014 | 318 | const struct aead_aes_gcm_ctx *gcm_ctx = |
1015 | 318 | (const struct aead_aes_gcm_ctx *)&ctx->state; |
1016 | 318 | return aead_aes_gcm_seal_scatter_impl( |
1017 | 318 | gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, nonce, nonce_len, in, |
1018 | 318 | in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len); |
1019 | 318 | } |
1020 | | |
1021 | | static int aead_aes_gcm_open_gather_impl(const struct aead_aes_gcm_ctx *gcm_ctx, |
1022 | | uint8_t *out, |
1023 | | const uint8_t *nonce, size_t nonce_len, |
1024 | | const uint8_t *in, size_t in_len, |
1025 | | const uint8_t *in_tag, |
1026 | | size_t in_tag_len, |
1027 | | const uint8_t *ad, size_t ad_len, |
1028 | 292 | size_t tag_len) { |
1029 | 292 | uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN]; |
1030 | | |
1031 | 292 | if (nonce_len == 0) { |
1032 | 16 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
1033 | 16 | return 0; |
1034 | 16 | } |
1035 | | |
1036 | 276 | if (in_tag_len != tag_len) { |
1037 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
1038 | 0 | return 0; |
1039 | 0 | } |
1040 | | |
1041 | 276 | const AES_KEY *key = &gcm_ctx->ks.ks; |
1042 | | |
1043 | 276 | GCM128_CONTEXT gcm; |
1044 | 276 | OPENSSL_memset(&gcm, 0, sizeof(gcm)); |
1045 | 276 | OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key)); |
1046 | 276 | CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len); |
1047 | | |
1048 | 276 | if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) { |
1049 | 0 | return 0; |
1050 | 0 | } |
1051 | | |
1052 | 276 | if (gcm_ctx->ctr) { |
1053 | 276 | if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out, in_len, |
1054 | 276 | gcm_ctx->ctr)) { |
1055 | 0 | return 0; |
1056 | 0 | } |
1057 | 276 | } else { |
1058 | 0 | if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len)) { |
1059 | 0 | return 0; |
1060 | 0 | } |
1061 | 0 | } |
1062 | | |
1063 | 276 | CRYPTO_gcm128_tag(&gcm, tag, tag_len); |
1064 | 276 | if (CRYPTO_memcmp(tag, in_tag, tag_len) != 0) { |
1065 | 99 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
1066 | 99 | return 0; |
1067 | 99 | } |
1068 | | |
1069 | 177 | return 1; |
1070 | 276 | } |
1071 | | |
1072 | | static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, |
1073 | | const uint8_t *nonce, size_t nonce_len, |
1074 | | const uint8_t *in, size_t in_len, |
1075 | | const uint8_t *in_tag, size_t in_tag_len, |
1076 | 292 | const uint8_t *ad, size_t ad_len) { |
1077 | 292 | struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state; |
1078 | 292 | if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len, |
1079 | 292 | in_tag, in_tag_len, ad, ad_len, |
1080 | 292 | ctx->tag_len)) { |
1081 | 115 | return 0; |
1082 | 115 | } |
1083 | | |
1084 | 177 | AEAD_GCM_verify_service_indicator(ctx); |
1085 | 177 | return 1; |
1086 | 292 | } |
1087 | | |
1088 | 2 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) { |
1089 | 2 | memset(out, 0, sizeof(EVP_AEAD)); |
1090 | | |
1091 | 2 | out->key_len = 16; |
1092 | 2 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1093 | 2 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1094 | 2 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1095 | 2 | out->seal_scatter_supports_extra_in = 1; |
1096 | | |
1097 | 2 | out->init = aead_aes_gcm_init; |
1098 | 2 | out->cleanup = aead_aes_gcm_cleanup; |
1099 | 2 | out->seal_scatter = aead_aes_gcm_seal_scatter; |
1100 | 2 | out->open_gather = aead_aes_gcm_open_gather; |
1101 | 2 | } |
1102 | | |
1103 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_192_gcm) { |
1104 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1105 | |
|
1106 | 0 | out->key_len = 24; |
1107 | 0 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1108 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1109 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1110 | 0 | out->seal_scatter_supports_extra_in = 1; |
1111 | |
|
1112 | 0 | out->init = aead_aes_gcm_init; |
1113 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1114 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter; |
1115 | 0 | out->open_gather = aead_aes_gcm_open_gather; |
1116 | 0 | } |
1117 | | |
1118 | 2 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) { |
1119 | 2 | memset(out, 0, sizeof(EVP_AEAD)); |
1120 | | |
1121 | 2 | out->key_len = 32; |
1122 | 2 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1123 | 2 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1124 | 2 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1125 | 2 | out->seal_scatter_supports_extra_in = 1; |
1126 | | |
1127 | 2 | out->init = aead_aes_gcm_init; |
1128 | 2 | out->cleanup = aead_aes_gcm_cleanup; |
1129 | 2 | out->seal_scatter = aead_aes_gcm_seal_scatter; |
1130 | 2 | out->open_gather = aead_aes_gcm_open_gather; |
1131 | 2 | } |
1132 | | |
1133 | | static int aead_aes_gcm_init_randnonce(EVP_AEAD_CTX *ctx, const uint8_t *key, |
1134 | | size_t key_len, |
1135 | 0 | size_t requested_tag_len) { |
1136 | 0 | if (requested_tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH) { |
1137 | 0 | if (requested_tag_len < AES_GCM_NONCE_LENGTH) { |
1138 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
1139 | 0 | return 0; |
1140 | 0 | } |
1141 | 0 | requested_tag_len -= AES_GCM_NONCE_LENGTH; |
1142 | 0 | } |
1143 | | |
1144 | 0 | if (!aead_aes_gcm_init(ctx, key, key_len, requested_tag_len)) { |
1145 | 0 | return 0; |
1146 | 0 | } |
1147 | | |
1148 | 0 | ctx->tag_len += AES_GCM_NONCE_LENGTH; |
1149 | 0 | return 1; |
1150 | 0 | } |
1151 | | |
1152 | | static int aead_aes_gcm_seal_scatter_randnonce( |
1153 | | const EVP_AEAD_CTX *ctx, |
1154 | | uint8_t *out, uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len, |
1155 | | const uint8_t *external_nonce, size_t external_nonce_len, |
1156 | | const uint8_t *in, size_t in_len, |
1157 | | const uint8_t *extra_in, size_t extra_in_len, |
1158 | 0 | const uint8_t *ad, size_t ad_len) { |
1159 | 0 | if (external_nonce_len != 0) { |
1160 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
1161 | 0 | return 0; |
1162 | 0 | } |
1163 | | |
1164 | 0 | uint8_t nonce[AES_GCM_NONCE_LENGTH]; |
1165 | 0 | if (max_out_tag_len < sizeof(nonce)) { |
1166 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
1167 | 0 | return 0; |
1168 | 0 | } |
1169 | | |
1170 | | // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state |
1171 | | // lock functions to avoid updating the service indicator with the DRBG |
1172 | | // functions. |
1173 | 0 | FIPS_service_indicator_lock_state(); |
1174 | 0 | BCM_rand_bytes(nonce, sizeof(nonce)); |
1175 | 0 | FIPS_service_indicator_unlock_state(); |
1176 | |
|
1177 | 0 | const struct aead_aes_gcm_ctx *gcm_ctx = |
1178 | 0 | (const struct aead_aes_gcm_ctx *)&ctx->state; |
1179 | 0 | if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len, |
1180 | 0 | max_out_tag_len - AES_GCM_NONCE_LENGTH, |
1181 | 0 | nonce, sizeof(nonce), in, in_len, |
1182 | 0 | extra_in, extra_in_len, ad, ad_len, |
1183 | 0 | ctx->tag_len - AES_GCM_NONCE_LENGTH)) { |
1184 | 0 | return 0; |
1185 | 0 | } |
1186 | | |
1187 | 0 | assert(*out_tag_len + sizeof(nonce) <= max_out_tag_len); |
1188 | 0 | memcpy(out_tag + *out_tag_len, nonce, sizeof(nonce)); |
1189 | 0 | *out_tag_len += sizeof(nonce); |
1190 | |
|
1191 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1192 | 0 | return 1; |
1193 | 0 | } |
1194 | | |
1195 | | static int aead_aes_gcm_open_gather_randnonce( |
1196 | | const EVP_AEAD_CTX *ctx, uint8_t *out, |
1197 | | const uint8_t *external_nonce, size_t external_nonce_len, |
1198 | | const uint8_t *in, size_t in_len, |
1199 | | const uint8_t *in_tag, size_t in_tag_len, |
1200 | 0 | const uint8_t *ad, size_t ad_len) { |
1201 | 0 | if (external_nonce_len != 0) { |
1202 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); |
1203 | 0 | return 0; |
1204 | 0 | } |
1205 | | |
1206 | 0 | if (in_tag_len < AES_GCM_NONCE_LENGTH) { |
1207 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
1208 | 0 | return 0; |
1209 | 0 | } |
1210 | 0 | const uint8_t *nonce = in_tag + in_tag_len - AES_GCM_NONCE_LENGTH; |
1211 | |
|
1212 | 0 | const struct aead_aes_gcm_ctx *gcm_ctx = |
1213 | 0 | (const struct aead_aes_gcm_ctx *)&ctx->state; |
1214 | 0 | if (!aead_aes_gcm_open_gather_impl( |
1215 | 0 | gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag, |
1216 | 0 | in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len, |
1217 | 0 | ctx->tag_len - AES_GCM_NONCE_LENGTH)) { |
1218 | 0 | return 0; |
1219 | 0 | } |
1220 | | |
1221 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1222 | 0 | return 1; |
1223 | 0 | } |
1224 | | |
1225 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_randnonce) { |
1226 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1227 | |
|
1228 | 0 | out->key_len = 16; |
1229 | 0 | out->nonce_len = 0; |
1230 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1231 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1232 | 0 | out->seal_scatter_supports_extra_in = 1; |
1233 | |
|
1234 | 0 | out->init = aead_aes_gcm_init_randnonce; |
1235 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1236 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; |
1237 | 0 | out->open_gather = aead_aes_gcm_open_gather_randnonce; |
1238 | 0 | } |
1239 | | |
1240 | 0 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_randnonce) { |
1241 | 0 | memset(out, 0, sizeof(EVP_AEAD)); |
1242 | |
|
1243 | 0 | out->key_len = 32; |
1244 | 0 | out->nonce_len = 0; |
1245 | 0 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1246 | 0 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; |
1247 | 0 | out->seal_scatter_supports_extra_in = 1; |
1248 | |
|
1249 | 0 | out->init = aead_aes_gcm_init_randnonce; |
1250 | 0 | out->cleanup = aead_aes_gcm_cleanup; |
1251 | 0 | out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; |
1252 | 0 | out->open_gather = aead_aes_gcm_open_gather_randnonce; |
1253 | 0 | } |
1254 | | |
1255 | | struct aead_aes_gcm_tls12_ctx { |
1256 | | struct aead_aes_gcm_ctx gcm_ctx; |
1257 | | uint64_t min_next_nonce; |
1258 | | }; |
1259 | | |
1260 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
1261 | | sizeof(struct aead_aes_gcm_tls12_ctx), |
1262 | | "AEAD state is too small"); |
1263 | | static_assert(alignof(union evp_aead_ctx_st_state) >= |
1264 | | alignof(struct aead_aes_gcm_tls12_ctx), |
1265 | | "AEAD state has insufficient alignment"); |
1266 | | |
1267 | | static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
1268 | 1 | size_t key_len, size_t requested_tag_len) { |
1269 | 1 | struct aead_aes_gcm_tls12_ctx *gcm_ctx = |
1270 | 1 | (struct aead_aes_gcm_tls12_ctx *) &ctx->state; |
1271 | | |
1272 | 1 | gcm_ctx->min_next_nonce = 0; |
1273 | | |
1274 | 1 | size_t actual_tag_len; |
1275 | 1 | if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len, |
1276 | 1 | requested_tag_len)) { |
1277 | 0 | return 0; |
1278 | 0 | } |
1279 | | |
1280 | 1 | ctx->tag_len = actual_tag_len; |
1281 | 1 | return 1; |
1282 | 1 | } |
1283 | | |
1284 | | static int aead_aes_gcm_tls12_seal_scatter( |
1285 | | const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, |
1286 | | size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, |
1287 | | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, |
1288 | 0 | size_t extra_in_len, const uint8_t *ad, size_t ad_len) { |
1289 | 0 | struct aead_aes_gcm_tls12_ctx *gcm_ctx = |
1290 | 0 | (struct aead_aes_gcm_tls12_ctx *) &ctx->state; |
1291 | |
|
1292 | 0 | if (nonce_len != AES_GCM_NONCE_LENGTH) { |
1293 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); |
1294 | 0 | return 0; |
1295 | 0 | } |
1296 | | |
1297 | | // The given nonces must be strictly monotonically increasing. |
1298 | 0 | uint64_t given_counter = |
1299 | 0 | CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t)); |
1300 | 0 | if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) { |
1301 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE); |
1302 | 0 | return 0; |
1303 | 0 | } |
1304 | | |
1305 | 0 | gcm_ctx->min_next_nonce = given_counter + 1; |
1306 | |
|
1307 | 0 | if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, |
1308 | 0 | max_out_tag_len, nonce, nonce_len, in, in_len, |
1309 | 0 | extra_in, extra_in_len, ad, ad_len)) { |
1310 | 0 | return 0; |
1311 | 0 | } |
1312 | | |
1313 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1314 | 0 | return 1; |
1315 | 0 | } |
1316 | | |
1317 | 2 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) { |
1318 | 2 | memset(out, 0, sizeof(EVP_AEAD)); |
1319 | | |
1320 | 2 | out->key_len = 16; |
1321 | 2 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1322 | 2 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1323 | 2 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1324 | 2 | out->seal_scatter_supports_extra_in = 1; |
1325 | | |
1326 | 2 | out->init = aead_aes_gcm_tls12_init; |
1327 | 2 | out->cleanup = aead_aes_gcm_cleanup; |
1328 | 2 | out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; |
1329 | 2 | out->open_gather = aead_aes_gcm_open_gather; |
1330 | 2 | } |
1331 | | |
1332 | 2 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) { |
1333 | 2 | memset(out, 0, sizeof(EVP_AEAD)); |
1334 | | |
1335 | 2 | out->key_len = 32; |
1336 | 2 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1337 | 2 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1338 | 2 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1339 | 2 | out->seal_scatter_supports_extra_in = 1; |
1340 | | |
1341 | 2 | out->init = aead_aes_gcm_tls12_init; |
1342 | 2 | out->cleanup = aead_aes_gcm_cleanup; |
1343 | 2 | out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; |
1344 | 2 | out->open_gather = aead_aes_gcm_open_gather; |
1345 | 2 | } |
1346 | | |
1347 | | struct aead_aes_gcm_tls13_ctx { |
1348 | | struct aead_aes_gcm_ctx gcm_ctx; |
1349 | | uint64_t min_next_nonce; |
1350 | | uint64_t mask; |
1351 | | uint8_t first; |
1352 | | }; |
1353 | | |
1354 | | static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= |
1355 | | sizeof(struct aead_aes_gcm_tls13_ctx), |
1356 | | "AEAD state is too small"); |
1357 | | static_assert(alignof(union evp_aead_ctx_st_state) >= |
1358 | | alignof(struct aead_aes_gcm_tls13_ctx), |
1359 | | "AEAD state has insufficient alignment"); |
1360 | | |
1361 | | static int aead_aes_gcm_tls13_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
1362 | 1 | size_t key_len, size_t requested_tag_len) { |
1363 | 1 | struct aead_aes_gcm_tls13_ctx *gcm_ctx = |
1364 | 1 | (struct aead_aes_gcm_tls13_ctx *) &ctx->state; |
1365 | | |
1366 | 1 | gcm_ctx->min_next_nonce = 0; |
1367 | 1 | gcm_ctx->first = 1; |
1368 | | |
1369 | 1 | size_t actual_tag_len; |
1370 | 1 | if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len, |
1371 | 1 | requested_tag_len)) { |
1372 | 1 | return 0; |
1373 | 1 | } |
1374 | | |
1375 | 0 | ctx->tag_len = actual_tag_len; |
1376 | 0 | return 1; |
1377 | 1 | } |
1378 | | |
1379 | | static int aead_aes_gcm_tls13_seal_scatter( |
1380 | | const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, |
1381 | | size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, |
1382 | | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, |
1383 | 0 | size_t extra_in_len, const uint8_t *ad, size_t ad_len) { |
1384 | 0 | struct aead_aes_gcm_tls13_ctx *gcm_ctx = |
1385 | 0 | (struct aead_aes_gcm_tls13_ctx *) &ctx->state; |
1386 | |
|
1387 | 0 | if (nonce_len != AES_GCM_NONCE_LENGTH) { |
1388 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); |
1389 | 0 | return 0; |
1390 | 0 | } |
1391 | | |
1392 | | // The given nonces must be strictly monotonically increasing. See |
1393 | | // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3 |
1394 | | // nonce construction. |
1395 | 0 | uint64_t given_counter = |
1396 | 0 | CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t)); |
1397 | |
|
1398 | 0 | if (gcm_ctx->first) { |
1399 | | // In the first call the sequence number will be zero and therefore the |
1400 | | // given nonce will be 0 ^ mask = mask. |
1401 | 0 | gcm_ctx->mask = given_counter; |
1402 | 0 | gcm_ctx->first = 0; |
1403 | 0 | } |
1404 | 0 | given_counter ^= gcm_ctx->mask; |
1405 | |
|
1406 | 0 | if (given_counter == UINT64_MAX || |
1407 | 0 | given_counter < gcm_ctx->min_next_nonce) { |
1408 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE); |
1409 | 0 | return 0; |
1410 | 0 | } |
1411 | | |
1412 | 0 | gcm_ctx->min_next_nonce = given_counter + 1; |
1413 | |
|
1414 | 0 | if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, |
1415 | 0 | max_out_tag_len, nonce, nonce_len, in, in_len, |
1416 | 0 | extra_in, extra_in_len, ad, ad_len)) { |
1417 | 0 | return 0; |
1418 | 0 | } |
1419 | | |
1420 | 0 | AEAD_GCM_verify_service_indicator(ctx); |
1421 | 0 | return 1; |
1422 | 0 | } |
1423 | | |
1424 | 2 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) { |
1425 | 2 | memset(out, 0, sizeof(EVP_AEAD)); |
1426 | | |
1427 | 2 | out->key_len = 16; |
1428 | 2 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1429 | 2 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1430 | 2 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1431 | 2 | out->seal_scatter_supports_extra_in = 1; |
1432 | | |
1433 | 2 | out->init = aead_aes_gcm_tls13_init; |
1434 | 2 | out->cleanup = aead_aes_gcm_cleanup; |
1435 | 2 | out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; |
1436 | 2 | out->open_gather = aead_aes_gcm_open_gather; |
1437 | 2 | } |
1438 | | |
1439 | 2 | DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) { |
1440 | 2 | memset(out, 0, sizeof(EVP_AEAD)); |
1441 | | |
1442 | 2 | out->key_len = 32; |
1443 | 2 | out->nonce_len = AES_GCM_NONCE_LENGTH; |
1444 | 2 | out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; |
1445 | 2 | out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; |
1446 | 2 | out->seal_scatter_supports_extra_in = 1; |
1447 | | |
1448 | 2 | out->init = aead_aes_gcm_tls13_init; |
1449 | 2 | out->cleanup = aead_aes_gcm_cleanup; |
1450 | 2 | out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; |
1451 | 2 | out->open_gather = aead_aes_gcm_open_gather; |
1452 | 2 | } |
1453 | | |
1454 | 0 | int EVP_has_aes_hardware(void) { |
1455 | 0 | #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) |
1456 | 0 | return hwaes_capable() && crypto_gcm_clmul_enabled(); |
1457 | | #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) |
1458 | | return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable(); |
1459 | | #else |
1460 | | return 0; |
1461 | | #endif |
1462 | 0 | } |
1463 | | |
1464 | | OPENSSL_MSVC_PRAGMA(warning(pop)) |