/src/gnupg/g10/cipher-aead.c

Source
/* cipher-aead.c - Enciphering filter for AEAD modes
 * Copyright (C) 2018 Werner koch
 *
 * This file is part of GnuPG.
 *
 * GnuPG is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * GnuPG is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
 * SPDX-License-Identifier: GPL-3.0+
 */

#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#include "gpg.h"
#include "../common/status.h"
#include "../common/iobuf.h"
#include "../common/util.h"
#include "filter.h"
#include "packet.h"
#include "options.h"
#include "main.h"


/* The size of the buffer we allocate to encrypt the data.  This must
 * be a multiple of the OCB blocksize (16 byte).  */
#define AEAD_ENC_BUFFER_SIZE (64*1024)


/* Wrapper around iobuf_write to make sure that a proper error code is
 * always returned.  */
static gpg_error_t
my_iobuf_write (iobuf_t a, const void *buffer, size_t buflen)
{
  if (iobuf_write (a, buffer, buflen))
    {
      gpg_error_t err = iobuf_error (a);
      if (!err || !gpg_err_code (err)) /* (The latter should never happen) */
        err = gpg_error (GPG_ERR_EIO);
      return err;
    }
  return 0;
}


/* Set the nonce and the additional data for the current chunk.  If
 * FINAL is set the final AEAD chunk is processed.  This also reset
 * the encryption machinery so that the handle can be used for a new
 * chunk.  */
static gpg_error_t
set_nonce_and_ad (cipher_filter_context_t *cfx, int final)
{
  gpg_error_t err;
  unsigned char nonce[16];
  unsigned char ad[21];
  int i;

  switch (cfx->dek->use_aead)
    {
    case AEAD_ALGO_OCB:
      memcpy (nonce, cfx->startiv, 15);
      i = 7;
      break;

    case AEAD_ALGO_EAX:
      memcpy (nonce, cfx->startiv, 16);
      i = 8;
      break;

    default:
      BUG ();
    }

  nonce[i++] ^= cfx->chunkindex >> 56;
  nonce[i++] ^= cfx->chunkindex >> 48;
  nonce[i++] ^= cfx->chunkindex >> 40;
  nonce[i++] ^= cfx->chunkindex >> 32;
  nonce[i++] ^= cfx->chunkindex >> 24;
  nonce[i++] ^= cfx->chunkindex >> 16;
  nonce[i++] ^= cfx->chunkindex >>  8;
  nonce[i++] ^= cfx->chunkindex;

  if (DBG_CRYPTO)
    log_printhex (nonce, 15, "nonce:");
  err = gcry_cipher_setiv (cfx->cipher_hd, nonce, i);
  if (err)
    return err;

  ad[0] = (0xc0 | PKT_ENCRYPTED_AEAD);
  ad[1] = 1;
  ad[2] = cfx->dek->algo;
  ad[3] = cfx->dek->use_aead;
  ad[4] = cfx->chunkbyte;
  ad[5] = cfx->chunkindex >> 56;
  ad[6] = cfx->chunkindex >> 48;
  ad[7] = cfx->chunkindex >> 40;
  ad[8] = cfx->chunkindex >> 32;
  ad[9] = cfx->chunkindex >> 24;
  ad[10]= cfx->chunkindex >> 16;
  ad[11]= cfx->chunkindex >>  8;
  ad[12]= cfx->chunkindex;
  if (final)
    {
      ad[13] = cfx->total >> 56;
      ad[14] = cfx->total >> 48;
      ad[15] = cfx->total >> 40;
      ad[16] = cfx->total >> 32;
      ad[17] = cfx->total >> 24;
      ad[18] = cfx->total >> 16;
      ad[19] = cfx->total >>  8;
      ad[20] = cfx->total;
    }
  if (DBG_CRYPTO)
    log_printhex (ad, final? 21 : 13, "authdata:");
  return gcry_cipher_authenticate (cfx->cipher_hd, ad, final? 21 : 13);
}


static gpg_error_t
write_header (cipher_filter_context_t *cfx, iobuf_t a)
{
  gpg_error_t err;
  PACKET pkt;
  PKT_encrypted ed;
  unsigned int blocksize;
  unsigned int startivlen;
  enum gcry_cipher_modes ciphermode;

  log_assert (cfx->dek->use_aead);

  blocksize = openpgp_cipher_get_algo_blklen (cfx->dek->algo);
  if (blocksize != 16 )
    log_fatal ("unsupported blocksize %u for AEAD\n", blocksize);

  err = openpgp_aead_algo_info (cfx->dek->use_aead, &ciphermode, &startivlen);
  if (err)
    goto leave;

  log_assert (opt.chunk_size >= 6 && opt.chunk_size <= 62);
  cfx->chunkbyte = opt.chunk_size - 6;
  cfx->chunksize = (uint64_t)1 << (cfx->chunkbyte + 6);
  cfx->chunklen = 0;
  cfx->bufsize = AEAD_ENC_BUFFER_SIZE;
  cfx->buflen = 0;
  cfx->buffer = xtrymalloc (cfx->bufsize);
  if (!cfx->buffer)
    return gpg_error_from_syserror ();

  memset (&ed, 0, sizeof ed);
  ed.new_ctb = 1;  /* (Is anyway required for the packet type).  */
  ed.len = 0; /* fixme: cfx->datalen */
  ed.extralen    = startivlen + 16; /* (16 is the taglen) */
  ed.cipher_algo = cfx->dek->algo;
  ed.aead_algo   = cfx->dek->use_aead;
  ed.chunkbyte   = cfx->chunkbyte;

  init_packet (&pkt);
  pkt.pkttype = PKT_ENCRYPTED_AEAD;
  pkt.pkt.encrypted = &ed;

  if (DBG_FILTER)
    log_debug ("aead packet: len=%lu extralen=%d\n",
               (unsigned long)ed.len, ed.extralen);

  print_cipher_algo_note (cfx->dek->algo);

  if (build_packet( a, &pkt))
    log_bug ("build_packet(ENCRYPTED_AEAD) failed\n");

  log_assert (sizeof cfx->startiv >= startivlen);
  gcry_randomize (cfx->startiv, startivlen, GCRY_STRONG_RANDOM);
  err = my_iobuf_write (a, cfx->startiv, startivlen);
  if (err)
    goto leave;

  err = openpgp_cipher_open (&cfx->cipher_hd,
                             cfx->dek->algo,
                             ciphermode,
                             GCRY_CIPHER_SECURE);
  if (err)
    goto leave;

  if (DBG_CRYPTO)
    log_printhex (cfx->dek->key, cfx->dek->keylen, "thekey:");
  err = gcry_cipher_setkey (cfx->cipher_hd, cfx->dek->key, cfx->dek->keylen);
  if (err)
    return err;

  cfx->wrote_header = 1;

 leave:
  return err;
}


/* Get and write the auth tag to stream A.  */
static gpg_error_t
write_auth_tag (cipher_filter_context_t *cfx, iobuf_t a)
{
  gpg_error_t err;
  char tag[16];

  err = gcry_cipher_gettag (cfx->cipher_hd, tag, 16);
  if (err)
    goto leave;
  err = my_iobuf_write (a, tag, 16);
  if (err)
    goto leave;

 leave:
  if (err)
    log_error ("write_auth_tag failed: %s\n", gpg_strerror (err));
  return err;
}


/* Write the final chunk to stream A.  */
static gpg_error_t
write_final_chunk (cipher_filter_context_t *cfx, iobuf_t a)
{
  gpg_error_t err;
  char dummy[1];

  err = set_nonce_and_ad (cfx, 1);
  if (err)
    goto leave;

  gcry_cipher_final (cfx->cipher_hd);

  /* Encrypt an empty string.  */
  err = gcry_cipher_encrypt (cfx->cipher_hd, dummy, 0, NULL, 0);
  if (err)
    goto leave;

  err = write_auth_tag (cfx, a);

 leave:
  return err;
}


/* The core of the flush sub-function of cipher_filter_aead.   */
static gpg_error_t
do_flush (cipher_filter_context_t *cfx, iobuf_t a, byte *buf, size_t size)
{
  gpg_error_t err = 0;
  int finalize = 0;
  size_t n;

  /* Put the data into a buffer, flush and encrypt as needed.  */
  if (DBG_FILTER)
    log_debug ("flushing %zu bytes (cur buflen=%zu)\n", size, cfx->buflen);
  do
    {
      const unsigned fast_threshold = 512;
      const byte *src_buf = NULL;
      int enc_now = 0;

      if (cfx->buflen + size < cfx->bufsize)
        n = size;
      else
        n = cfx->bufsize - cfx->buflen;

      if (cfx->buflen % fast_threshold != 0)
  {
    /* Attempt to align cfx->buflen to fast threshold size first. */
    size_t nalign = fast_threshold - (cfx->buflen % fast_threshold);
    if (nalign < n)
      {
        n = nalign;
      }
  }
      else if (cfx->buflen == 0 && n >= fast_threshold)
  {
    /* Handle large input buffers as multiple of cipher blocksize. */
    n = (n / 16) * 16;
  }

      if (cfx->chunklen + cfx->buflen + n >= cfx->chunksize)
        {
          size_t n1 = cfx->chunksize - (cfx->chunklen + cfx->buflen);
          finalize = 1;
          if (DBG_FILTER)
            log_debug ("chunksize %llu reached;"
                       " cur buflen=%zu using %zu of %zu\n",
                       (unsigned long long)cfx->chunksize, cfx->buflen,
                       n1, n);
          n = n1;
        }

      if (!finalize && cfx->buflen % 16 == 0 && cfx->buflen > 0
    && size >= fast_threshold)
  {
    /* If cfx->buffer is aligned and remaining input buffer length
     * is long, encrypt cfx->buffer inplace now to allow fast path
     * handling on next loop iteration. */
    src_buf = cfx->buffer;
    enc_now = 1;
    n = 0;
  }
      else if (cfx->buflen == 0 && n >= fast_threshold)
  {
    /* Fast path for large input buffer. This avoids memcpy and
     * instead encrypts directly from input to cfx->buffer. */
    log_assert (n % 16 == 0 || finalize);
    src_buf = buf;
    cfx->buflen = n;
    buf += n;
    size -= n;
    enc_now = 1;
  }
      else if (n > 0)
  {
    memcpy (cfx->buffer + cfx->buflen, buf, n);
    src_buf = cfx->buffer;
    cfx->buflen += n;
    buf  += n;
    size -= n;
  }

      if (cfx->buflen == cfx->bufsize || enc_now || finalize)
        {
          if (DBG_FILTER)
            log_debug ("encrypting: size=%zu buflen=%zu %s%s n=%zu\n",
                       size, cfx->buflen, finalize?"(finalize)":"",
           enc_now?"(now)":"", n);

          if (!cfx->chunklen)
            {
              if (DBG_FILTER)
                log_debug ("start encrypting a new chunk\n");
              err = set_nonce_and_ad (cfx, 0);
              if (err)
                goto leave;
            }

          if (finalize)
            gcry_cipher_final (cfx->cipher_hd);
          if (DBG_FILTER)
            {
              if (finalize)
                log_printhex (src_buf, cfx->buflen, "plain(1):");
              else if (cfx->buflen > 32)
                log_printhex (src_buf + cfx->buflen - 32, 32,
                              "plain(last32):");
            }

          /* Take care: even with a buflen of zero an encrypt needs to
           * be called after gcry_cipher_final and before
           * gcry_cipher_gettag - at least with libgcrypt 1.8 and OCB
           * mode.  */
    err = gcry_cipher_encrypt (cfx->cipher_hd, cfx->buffer,
             cfx->buflen, src_buf, cfx->buflen);
          if (err)
            goto leave;
          if (finalize && DBG_FILTER)
            log_printhex (cfx->buffer, cfx->buflen, "ciphr(1):");
          err = my_iobuf_write (a, cfx->buffer, cfx->buflen);
          if (err)
            goto leave;
          cfx->chunklen += cfx->buflen;
          cfx->total += cfx->buflen;
          cfx->buflen = 0;

          if (finalize)
            {
              if (DBG_FILTER)
                log_debug ("writing tag: chunklen=%ju total=%ju\n",
                           (uintmax_t)cfx->chunklen, (uintmax_t)cfx->total);
              err = write_auth_tag (cfx, a);
              if (err)
                goto leave;

              cfx->chunkindex++;
              cfx->chunklen = 0;
              finalize = 0;
            }
        }
    }
  while (size);

 leave:
  return err;
}


/* The core of the free sub-function of cipher_filter_aead.   */
static gpg_error_t
do_free (cipher_filter_context_t *cfx, iobuf_t a)
{
  gpg_error_t err = 0;

  if (DBG_FILTER)
    log_debug ("do_free: buflen=%zu\n", cfx->buflen);

  if (cfx->chunklen || cfx->buflen)
    {
      if (DBG_FILTER)
        log_debug ("encrypting last %zu bytes of the last chunk\n",cfx->buflen);

      if (!cfx->chunklen)
        {
          if (DBG_FILTER)
            log_debug ("start encrypting a new chunk\n");
          err = set_nonce_and_ad (cfx, 0);
          if (err)
            goto leave;
        }

      gcry_cipher_final (cfx->cipher_hd);
      err = gcry_cipher_encrypt (cfx->cipher_hd, cfx->buffer, cfx->buflen,
                                 NULL, 0);
      if (err)
        goto leave;
      err = my_iobuf_write (a, cfx->buffer, cfx->buflen);
      if (err)
        goto leave;
      /* log_printhex (cfx->buffer, cfx->buflen, "wrote:"); */
      cfx->chunklen += cfx->buflen;
      cfx->total += cfx->buflen;

      /* Get and write the authentication tag.  */
      if (DBG_FILTER)
        log_debug ("writing tag: chunklen=%ju total=%ju\n",
                   (uintmax_t)cfx->chunklen, (uintmax_t)cfx->total);
      err = write_auth_tag (cfx, a);
      if (err)
        goto leave;
      cfx->chunkindex++;
      cfx->chunklen = 0;
    }

  /* Write the final chunk.  */
  if (DBG_FILTER)
    log_debug ("creating final chunk\n");
  err = write_final_chunk (cfx, a);

 leave:
  xfree (cfx->buffer);
  cfx->buffer = NULL;
  gcry_cipher_close (cfx->cipher_hd);
  cfx->cipher_hd = NULL;
  return err;
}


/*
 * This filter is used to encrypt data with an AEAD algorithm
 */
int
cipher_filter_aead (void *opaque, int control,
                    iobuf_t a, byte *buf, size_t *ret_len)
{
  cipher_filter_context_t *cfx = opaque;
  size_t size = *ret_len;
  int rc = 0;

  if (control == IOBUFCTRL_UNDERFLOW) /* decrypt */
    {
      rc = -1; /* not used */
    }
  else if (control == IOBUFCTRL_FLUSH) /* encrypt */
    {
      if (!cfx->wrote_header && (rc=write_header (cfx, a)))
        ;
      else
        rc = do_flush (cfx, a, buf, size);
    }
  else if (control == IOBUFCTRL_FREE)
    {
      rc = do_free (cfx, a);
    }
  else if (control == IOBUFCTRL_DESC)
    {
      mem2str (buf, "cipher_filter_aead", *ret_len);
    }
  else if (control == IOBUFCTRL_INIT)
    {
      write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
                           cfx->dek->algo, cfx->dek->use_aead);
    }

  return rc;
}

Coverage Report

Created: 2026-01-09 06:48

Line	Count	Source
1		/* cipher-aead.c - Enciphering filter for AEAD modes
2		* Copyright (C) 2018 Werner koch
3		*
4		* This file is part of GnuPG.
5		*
6		* GnuPG is free software; you can redistribute it and/or modify
7		* it under the terms of the GNU General Public License as published by
8		* the Free Software Foundation; either version 3 of the License, or
9		* (at your option) any later version.
10		*
11		* GnuPG is distributed in the hope that it will be useful,
12		* but WITHOUT ANY WARRANTY; without even the implied warranty of
13		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		* GNU General Public License for more details.
15		*
16		* You should have received a copy of the GNU General Public License
17		* along with this program; if not, see <https://www.gnu.org/licenses/>.
18		* SPDX-License-Identifier: GPL-3.0+
19		*/
20
21		#include <config.h>
22		#include <stdio.h>
23		#include <stdlib.h>
24		#include <string.h>
25		#include <errno.h>
26
27		#include "gpg.h"
28		#include "../common/status.h"
29		#include "../common/iobuf.h"
30		#include "../common/util.h"
31		#include "filter.h"
32		#include "packet.h"
33		#include "options.h"
34		#include "main.h"
35
36
37		/* The size of the buffer we allocate to encrypt the data. This must
38		* be a multiple of the OCB blocksize (16 byte). */
39	0	#define AEAD_ENC_BUFFER_SIZE (64*1024)
40
41
42		/* Wrapper around iobuf_write to make sure that a proper error code is
43		* always returned. */
44		static gpg_error_t
45		my_iobuf_write (iobuf_t a, const void *buffer, size_t buflen)
46	0	{
47	0	if (iobuf_write (a, buffer, buflen))
48	0	{
49	0	gpg_error_t err = iobuf_error (a);
50	0	if (!err \|\| !gpg_err_code (err)) /* (The latter should never happen) */
51	0	err = gpg_error (GPG_ERR_EIO);
52	0	return err;
53	0	}
54	0	return 0;
55	0	}
56
57
58		/* Set the nonce and the additional data for the current chunk. If
59		* FINAL is set the final AEAD chunk is processed. This also reset
60		* the encryption machinery so that the handle can be used for a new
61		* chunk. */
62		static gpg_error_t
63		set_nonce_and_ad (cipher_filter_context_t *cfx, int final)
64	0	{
65	0	gpg_error_t err;
66	0	unsigned char nonce[16];
67	0	unsigned char ad[21];
68	0	int i;
69
70	0	switch (cfx->dek->use_aead)
71	0	{
72	0	case AEAD_ALGO_OCB:
73	0	memcpy (nonce, cfx->startiv, 15);
74	0	i = 7;
75	0	break;
76
77	0	case AEAD_ALGO_EAX:
78	0	memcpy (nonce, cfx->startiv, 16);
79	0	i = 8;
80	0	break;
81
82	0	default:
83	0	BUG ();
84	0	}
85
86	0	nonce[i++] ^= cfx->chunkindex >> 56;
87	0	nonce[i++] ^= cfx->chunkindex >> 48;
88	0	nonce[i++] ^= cfx->chunkindex >> 40;
89	0	nonce[i++] ^= cfx->chunkindex >> 32;
90	0	nonce[i++] ^= cfx->chunkindex >> 24;
91	0	nonce[i++] ^= cfx->chunkindex >> 16;
92	0	nonce[i++] ^= cfx->chunkindex >> 8;
93	0	nonce[i++] ^= cfx->chunkindex;
94
95	0	if (DBG_CRYPTO)
96	0	log_printhex (nonce, 15, "nonce:");
97	0	err = gcry_cipher_setiv (cfx->cipher_hd, nonce, i);
98	0	if (err)
99	0	return err;
100
101	0	ad[0] = (0xc0 \| PKT_ENCRYPTED_AEAD);
102	0	ad[1] = 1;
103	0	ad[2] = cfx->dek->algo;
104	0	ad[3] = cfx->dek->use_aead;
105	0	ad[4] = cfx->chunkbyte;
106	0	ad[5] = cfx->chunkindex >> 56;
107	0	ad[6] = cfx->chunkindex >> 48;
108	0	ad[7] = cfx->chunkindex >> 40;
109	0	ad[8] = cfx->chunkindex >> 32;
110	0	ad[9] = cfx->chunkindex >> 24;
111	0	ad[10]= cfx->chunkindex >> 16;
112	0	ad[11]= cfx->chunkindex >> 8;
113	0	ad[12]= cfx->chunkindex;
114	0	if (final)
115	0	{
116	0	ad[13] = cfx->total >> 56;
117	0	ad[14] = cfx->total >> 48;
118	0	ad[15] = cfx->total >> 40;
119	0	ad[16] = cfx->total >> 32;
120	0	ad[17] = cfx->total >> 24;
121	0	ad[18] = cfx->total >> 16;
122	0	ad[19] = cfx->total >> 8;
123	0	ad[20] = cfx->total;
124	0	}
125	0	if (DBG_CRYPTO)
126	0	log_printhex (ad, final? 21 : 13, "authdata:");
127	0	return gcry_cipher_authenticate (cfx->cipher_hd, ad, final? 21 : 13);
128	0	}
129
130
131		static gpg_error_t
132		write_header (cipher_filter_context_t *cfx, iobuf_t a)
133	0	{
134	0	gpg_error_t err;
135	0	PACKET pkt;
136	0	PKT_encrypted ed;
137	0	unsigned int blocksize;
138	0	unsigned int startivlen;
139	0	enum gcry_cipher_modes ciphermode;
140
141	0	log_assert (cfx->dek->use_aead);
142
143	0	blocksize = openpgp_cipher_get_algo_blklen (cfx->dek->algo);
144	0	if (blocksize != 16 )
145	0	log_fatal ("unsupported blocksize %u for AEAD\n", blocksize);
146
147	0	err = openpgp_aead_algo_info (cfx->dek->use_aead, &ciphermode, &startivlen);
148	0	if (err)
149	0	goto leave;
150
151	0	log_assert (opt.chunk_size >= 6 && opt.chunk_size <= 62);
152	0	cfx->chunkbyte = opt.chunk_size - 6;
153	0	cfx->chunksize = (uint64_t)1 << (cfx->chunkbyte + 6);
154	0	cfx->chunklen = 0;
155	0	cfx->bufsize = AEAD_ENC_BUFFER_SIZE;
156	0	cfx->buflen = 0;
157	0	cfx->buffer = xtrymalloc (cfx->bufsize);
158	0	if (!cfx->buffer)
159	0	return gpg_error_from_syserror ();
160
161	0	memset (&ed, 0, sizeof ed);
162	0	ed.new_ctb = 1; /* (Is anyway required for the packet type). */
163	0	ed.len = 0; /* fixme: cfx->datalen */
164	0	ed.extralen = startivlen + 16; /* (16 is the taglen) */
165	0	ed.cipher_algo = cfx->dek->algo;
166	0	ed.aead_algo = cfx->dek->use_aead;
167	0	ed.chunkbyte = cfx->chunkbyte;
168
169	0	init_packet (&pkt);
170	0	pkt.pkttype = PKT_ENCRYPTED_AEAD;
171	0	pkt.pkt.encrypted = &ed;
172
173	0	if (DBG_FILTER)
174	0	log_debug ("aead packet: len=%lu extralen=%d\n",
175	0	(unsigned long)ed.len, ed.extralen);
176
177	0	print_cipher_algo_note (cfx->dek->algo);
178
179	0	if (build_packet( a, &pkt))
180	0	log_bug ("build_packet(ENCRYPTED_AEAD) failed\n");
181
182	0	log_assert (sizeof cfx->startiv >= startivlen);
183	0	gcry_randomize (cfx->startiv, startivlen, GCRY_STRONG_RANDOM);
184	0	err = my_iobuf_write (a, cfx->startiv, startivlen);
185	0	if (err)
186	0	goto leave;
187
188	0	err = openpgp_cipher_open (&cfx->cipher_hd,
189	0	cfx->dek->algo,
190	0	ciphermode,
191	0	GCRY_CIPHER_SECURE);
192	0	if (err)
193	0	goto leave;
194
195	0	if (DBG_CRYPTO)
196	0	log_printhex (cfx->dek->key, cfx->dek->keylen, "thekey:");
197	0	err = gcry_cipher_setkey (cfx->cipher_hd, cfx->dek->key, cfx->dek->keylen);
198	0	if (err)
199	0	return err;
200
201	0	cfx->wrote_header = 1;
202
203	0	leave:
204	0	return err;
205	0	}
206
207
208		/* Get and write the auth tag to stream A. */
209		static gpg_error_t
210		write_auth_tag (cipher_filter_context_t *cfx, iobuf_t a)
211	0	{
212	0	gpg_error_t err;
213	0	char tag[16];
214
215	0	err = gcry_cipher_gettag (cfx->cipher_hd, tag, 16);
216	0	if (err)
217	0	goto leave;
218	0	err = my_iobuf_write (a, tag, 16);
219	0	if (err)
220	0	goto leave;
221
222	0	leave:
223	0	if (err)
224	0	log_error ("write_auth_tag failed: %s\n", gpg_strerror (err));
225	0	return err;
226	0	}
227
228
229		/* Write the final chunk to stream A. */
230		static gpg_error_t
231		write_final_chunk (cipher_filter_context_t *cfx, iobuf_t a)
232	0	{
233	0	gpg_error_t err;
234	0	char dummy[1];
235
236	0	err = set_nonce_and_ad (cfx, 1);
237	0	if (err)
238	0	goto leave;
239
240	0	gcry_cipher_final (cfx->cipher_hd);
241
242		/* Encrypt an empty string. */
243	0	err = gcry_cipher_encrypt (cfx->cipher_hd, dummy, 0, NULL, 0);
244	0	if (err)
245	0	goto leave;
246
247	0	err = write_auth_tag (cfx, a);
248
249	0	leave:
250	0	return err;
251	0	}
252
253
254		/* The core of the flush sub-function of cipher_filter_aead. */
255		static gpg_error_t
256		do_flush (cipher_filter_context_t cfx, iobuf_t a, byte buf, size_t size)
257	0	{
258	0	gpg_error_t err = 0;
259	0	int finalize = 0;
260	0	size_t n;
261
262		/* Put the data into a buffer, flush and encrypt as needed. */
263	0	if (DBG_FILTER)
264	0	log_debug ("flushing %zu bytes (cur buflen=%zu)\n", size, cfx->buflen);
265	0	do
266	0	{
267	0	const unsigned fast_threshold = 512;
268	0	const byte *src_buf = NULL;
269	0	int enc_now = 0;
270
271	0	if (cfx->buflen + size < cfx->bufsize)
272	0	n = size;
273	0	else
274	0	n = cfx->bufsize - cfx->buflen;
275
276	0	if (cfx->buflen % fast_threshold != 0)
277	0	{
278		/* Attempt to align cfx->buflen to fast threshold size first. */
279	0	size_t nalign = fast_threshold - (cfx->buflen % fast_threshold);
280	0	if (nalign < n)
281	0	{
282	0	n = nalign;
283	0	}
284	0	}
285	0	else if (cfx->buflen == 0 && n >= fast_threshold)
286	0	{
287		/* Handle large input buffers as multiple of cipher blocksize. */
288	0	n = (n / 16) * 16;
289	0	}
290
291	0	if (cfx->chunklen + cfx->buflen + n >= cfx->chunksize)
292	0	{
293	0	size_t n1 = cfx->chunksize - (cfx->chunklen + cfx->buflen);
294	0	finalize = 1;
295	0	if (DBG_FILTER)
296	0	log_debug ("chunksize %llu reached;"
297	0	" cur buflen=%zu using %zu of %zu\n",
298	0	(unsigned long long)cfx->chunksize, cfx->buflen,
299	0	n1, n);
300	0	n = n1;
301	0	}
302
303	0	if (!finalize && cfx->buflen % 16 == 0 && cfx->buflen > 0
304	0	&& size >= fast_threshold)
305	0	{
306		/* If cfx->buffer is aligned and remaining input buffer length
307		* is long, encrypt cfx->buffer inplace now to allow fast path
308		* handling on next loop iteration. */
309	0	src_buf = cfx->buffer;
310	0	enc_now = 1;
311	0	n = 0;
312	0	}
313	0	else if (cfx->buflen == 0 && n >= fast_threshold)
314	0	{
315		/* Fast path for large input buffer. This avoids memcpy and
316		* instead encrypts directly from input to cfx->buffer. */
317	0	log_assert (n % 16 == 0 \|\| finalize);
318	0	src_buf = buf;
319	0	cfx->buflen = n;
320	0	buf += n;
321	0	size -= n;
322	0	enc_now = 1;
323	0	}
324	0	else if (n > 0)
325	0	{
326	0	memcpy (cfx->buffer + cfx->buflen, buf, n);
327	0	src_buf = cfx->buffer;
328	0	cfx->buflen += n;
329	0	buf += n;
330	0	size -= n;
331	0	}
332
333	0	if (cfx->buflen == cfx->bufsize \|\| enc_now \|\| finalize)
334	0	{
335	0	if (DBG_FILTER)
336	0	log_debug ("encrypting: size=%zu buflen=%zu %s%s n=%zu\n",
337	0	size, cfx->buflen, finalize?"(finalize)":"",
338	0	enc_now?"(now)":"", n);
339
340	0	if (!cfx->chunklen)
341	0	{
342	0	if (DBG_FILTER)
343	0	log_debug ("start encrypting a new chunk\n");
344	0	err = set_nonce_and_ad (cfx, 0);
345	0	if (err)
346	0	goto leave;
347	0	}
348
349	0	if (finalize)
350	0	gcry_cipher_final (cfx->cipher_hd);
351	0	if (DBG_FILTER)
352	0	{
353	0	if (finalize)
354	0	log_printhex (src_buf, cfx->buflen, "plain(1):");
355	0	else if (cfx->buflen > 32)
356	0	log_printhex (src_buf + cfx->buflen - 32, 32,
357	0	"plain(last32):");
358	0	}
359
360		/* Take care: even with a buflen of zero an encrypt needs to
361		* be called after gcry_cipher_final and before
362		* gcry_cipher_gettag - at least with libgcrypt 1.8 and OCB
363		* mode. */
364	0	err = gcry_cipher_encrypt (cfx->cipher_hd, cfx->buffer,
365	0	cfx->buflen, src_buf, cfx->buflen);
366	0	if (err)
367	0	goto leave;
368	0	if (finalize && DBG_FILTER)
369	0	log_printhex (cfx->buffer, cfx->buflen, "ciphr(1):");
370	0	err = my_iobuf_write (a, cfx->buffer, cfx->buflen);
371	0	if (err)
372	0	goto leave;
373	0	cfx->chunklen += cfx->buflen;
374	0	cfx->total += cfx->buflen;
375	0	cfx->buflen = 0;
376
377	0	if (finalize)
378	0	{
379	0	if (DBG_FILTER)
380	0	log_debug ("writing tag: chunklen=%ju total=%ju\n",
381	0	(uintmax_t)cfx->chunklen, (uintmax_t)cfx->total);
382	0	err = write_auth_tag (cfx, a);
383	0	if (err)
384	0	goto leave;
385
386	0	cfx->chunkindex++;
387	0	cfx->chunklen = 0;
388	0	finalize = 0;
389	0	}
390	0	}
391	0	}
392	0	while (size);
393
394	0	leave:
395	0	return err;
396	0	}
397
398
399		/* The core of the free sub-function of cipher_filter_aead. */
400		static gpg_error_t
401		do_free (cipher_filter_context_t *cfx, iobuf_t a)
402	0	{
403	0	gpg_error_t err = 0;
404
405	0	if (DBG_FILTER)
406	0	log_debug ("do_free: buflen=%zu\n", cfx->buflen);
407
408	0	if (cfx->chunklen \|\| cfx->buflen)
409	0	{
410	0	if (DBG_FILTER)
411	0	log_debug ("encrypting last %zu bytes of the last chunk\n",cfx->buflen);
412
413	0	if (!cfx->chunklen)
414	0	{
415	0	if (DBG_FILTER)
416	0	log_debug ("start encrypting a new chunk\n");
417	0	err = set_nonce_and_ad (cfx, 0);
418	0	if (err)
419	0	goto leave;
420	0	}
421
422	0	gcry_cipher_final (cfx->cipher_hd);
423	0	err = gcry_cipher_encrypt (cfx->cipher_hd, cfx->buffer, cfx->buflen,
424	0	NULL, 0);
425	0	if (err)
426	0	goto leave;
427	0	err = my_iobuf_write (a, cfx->buffer, cfx->buflen);
428	0	if (err)
429	0	goto leave;
430		/* log_printhex (cfx->buffer, cfx->buflen, "wrote:"); */
431	0	cfx->chunklen += cfx->buflen;
432	0	cfx->total += cfx->buflen;
433
434		/* Get and write the authentication tag. */
435	0	if (DBG_FILTER)
436	0	log_debug ("writing tag: chunklen=%ju total=%ju\n",
437	0	(uintmax_t)cfx->chunklen, (uintmax_t)cfx->total);
438	0	err = write_auth_tag (cfx, a);
439	0	if (err)
440	0	goto leave;
441	0	cfx->chunkindex++;
442	0	cfx->chunklen = 0;
443	0	}
444
445		/* Write the final chunk. */
446	0	if (DBG_FILTER)
447	0	log_debug ("creating final chunk\n");
448	0	err = write_final_chunk (cfx, a);
449
450	0	leave:
451	0	xfree (cfx->buffer);
452	0	cfx->buffer = NULL;
453	0	gcry_cipher_close (cfx->cipher_hd);
454	0	cfx->cipher_hd = NULL;
455	0	return err;
456	0	}
457
458
459		/*
460		* This filter is used to encrypt data with an AEAD algorithm
461		*/
462		int
463		cipher_filter_aead (void *opaque, int control,
464		iobuf_t a, byte buf, size_t ret_len)
465	0	{
466	0	cipher_filter_context_t *cfx = opaque;
467	0	size_t size = *ret_len;
468	0	int rc = 0;
469
470	0	if (control == IOBUFCTRL_UNDERFLOW) /* decrypt */
471	0	{
472	0	rc = -1; /* not used */
473	0	}
474	0	else if (control == IOBUFCTRL_FLUSH) /* encrypt */
475	0	{
476	0	if (!cfx->wrote_header && (rc=write_header (cfx, a)))
477	0	;
478	0	else
479	0	rc = do_flush (cfx, a, buf, size);
480	0	}
481	0	else if (control == IOBUFCTRL_FREE)
482	0	{
483	0	rc = do_free (cfx, a);
484	0	}
485	0	else if (control == IOBUFCTRL_DESC)
486	0	{
487	0	mem2str (buf, "cipher_filter_aead", *ret_len);
488	0	}
489	0	else if (control == IOBUFCTRL_INIT)
490	0	{
491	0	write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
492	0	cfx->dek->algo, cfx->dek->use_aead);
493	0	}
494
495	0	return rc;
496	0	}