Coverage Report

Created: 2025-03-06 06:58

/src/gnutls/lib/nettle/cipher.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
3
 * Copyright (C) 2014 Red Hat, Inc.
4
 *
5
 * Author: Nikos Mavrogiannopoulos
6
 *
7
 * This file is part of GNUTLS.
8
 *
9
 * The GNUTLS library is free software; you can redistribute it and/or
10
 * modify it under the terms of the GNU Lesser General Public License
11
 * as published by the Free Software Foundation; either version 2.1 of
12
 * the License, or (at your option) any later version.
13
 *
14
 * This library is distributed in the hope that it will be useful, but
15
 * WITHOUT ANY WARRANTY; without even the implied warranty of
16
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17
 * Lesser General Public License for more details.
18
 *
19
 * You should have received a copy of the GNU Lesser General Public License
20
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
21
 *
22
 */
23
24
/* Here lie nettle's wrappers for cipher support.
25
 */
26
27
#include "gnutls_int.h"
28
#include "errors.h"
29
#include "cipher_int.h"
30
#include <nettle/aes.h>
31
#include <nettle/camellia.h>
32
#include <nettle/arcfour.h>
33
#include <nettle/arctwo.h>
34
#include <nettle/salsa20.h>
35
#include <nettle/des.h>
36
#include <nettle/version.h>
37
#if ENABLE_GOST
38
#ifndef HAVE_NETTLE_GOST28147_SET_KEY
39
#include "gost/gost28147.h"
40
#else
41
#include <nettle/gost28147.h>
42
#endif
43
#ifndef HAVE_NETTLE_MAGMA_SET_KEY
44
#include "gost/magma.h"
45
#else
46
#include <nettle/magma.h>
47
#endif
48
#ifndef HAVE_NETTLE_KUZNYECHIK_SET_KEY
49
#include "gost/kuznyechik.h"
50
#else
51
#include <nettle/kuznyechik.h>
52
#endif
53
#include "gost/acpkm.h"
54
#include <nettle/ctr.h>
55
#endif
56
#include <nettle/nettle-meta.h>
57
#include <nettle/cbc.h>
58
#include <nettle/gcm.h>
59
#include <nettle/ccm.h>
60
#include <nettle/chacha.h>
61
#include <nettle/chacha-poly1305.h>
62
#include <nettle/cfb.h>
63
#include <nettle/xts.h>
64
#include <nettle/siv-cmac.h>
65
#ifdef HAVE_NETTLE_SIV_GCM_ENCRYPT_MESSAGE
66
#include <nettle/siv-gcm.h>
67
#else
68
#include "backport/siv-gcm.h"
69
#endif
70
#include "fips.h"
71
#include <intprops.h>
72
73
struct nettle_cipher_ctx;
74
75
/* Functions that refer to the nettle library.
76
 */
77
typedef void (*encrypt_func)(struct nettle_cipher_ctx *, size_t length,
78
           uint8_t *dst, const uint8_t *src);
79
typedef void (*decrypt_func)(struct nettle_cipher_ctx *, size_t length,
80
           uint8_t *dst, const uint8_t *src);
81
82
typedef void (*aead_encrypt_func)(struct nettle_cipher_ctx *, size_t nonce_size,
83
          const void *nonce, size_t auth_size,
84
          const void *auth, size_t tag_size,
85
          size_t length, uint8_t *dst,
86
          const uint8_t *src);
87
typedef int (*aead_decrypt_func)(struct nettle_cipher_ctx *, size_t nonce_size,
88
         const void *nonce, size_t auth_size,
89
         const void *auth, size_t tag_size,
90
         size_t length, uint8_t *dst,
91
         const uint8_t *src);
92
93
typedef void (*setiv_func)(void *ctx, size_t length, const uint8_t *);
94
typedef void (*gen_setkey_func)(void *ctx, size_t length, const uint8_t *);
95
96
struct nettle_cipher_st {
97
  gnutls_cipher_algorithm_t algo;
98
  unsigned ctx_size;
99
  nettle_cipher_func *encrypt_block;
100
  nettle_cipher_func *decrypt_block;
101
  unsigned block_size;
102
  unsigned key_size;
103
  unsigned max_iv_size;
104
105
  encrypt_func encrypt;
106
  decrypt_func decrypt;
107
  aead_encrypt_func aead_encrypt;
108
  aead_decrypt_func aead_decrypt;
109
  nettle_hash_update_func *auth;
110
  nettle_hash_digest_func *tag;
111
  nettle_set_key_func *set_encrypt_key;
112
  nettle_set_key_func *set_decrypt_key;
113
  gen_setkey_func gen_set_key; /* for arcfour which has variable key size */
114
  setiv_func set_iv;
115
};
116
117
struct nettle_cipher_ctx {
118
  const struct nettle_cipher_st *cipher;
119
  void *ctx_ptr; /* always 16-aligned */
120
  uint8_t iv[MAX_CIPHER_BLOCK_SIZE];
121
  unsigned iv_size;
122
123
  bool enc;
124
  size_t rekey_counter;
125
};
126
127
0
#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
128
static inline int record_aes_gcm_encrypt_size(size_t *counter, size_t size)
129
0
{
130
0
  size_t sum;
131
132
0
  if (!INT_ADD_OK(*counter, size, &sum) ||
133
0
      sum > AES_GCM_ENCRYPT_MAX_BYTES) {
134
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
135
0
  }
136
0
  *counter = sum;
137
138
0
  return 0;
139
0
}
140
141
static void _stream_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
142
          uint8_t *dst, const uint8_t *src)
143
0
{
144
0
  ctx->cipher->encrypt_block(ctx->ctx_ptr, length, dst, src);
145
0
}
146
147
static void _stream_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
148
          uint8_t *dst, const uint8_t *src)
149
0
{
150
0
  ctx->cipher->decrypt_block(ctx->ctx_ptr, length, dst, src);
151
0
}
152
153
static void _cbc_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
154
       uint8_t *dst, const uint8_t *src)
155
0
{
156
0
  cbc_encrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size,
157
0
        ctx->iv, length, dst, src);
158
0
}
159
160
static void _cbc_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
161
       uint8_t *dst, const uint8_t *src)
162
0
{
163
0
  cbc_decrypt(ctx->ctx_ptr, ctx->cipher->decrypt_block, ctx->iv_size,
164
0
        ctx->iv, length, dst, src);
165
0
}
166
167
#if ENABLE_GOST
168
struct magma_acpkm_ctx {
169
  uint8_t iv[MAGMA_BLOCK_SIZE];
170
  struct acpkm_ctx ctx;
171
  struct magma_ctx cipher;
172
};
173
174
struct kuznyechik_acpkm_ctx {
175
  uint8_t iv[KUZNYECHIK_BLOCK_SIZE];
176
  struct acpkm_ctx ctx;
177
  struct kuznyechik_ctx cipher;
178
};
179
180
static void _cfb_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
181
       uint8_t *dst, const uint8_t *src)
182
0
{
183
0
  cfb_encrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size,
184
0
        ctx->iv, length, dst, src);
185
0
}
186
187
static void _cfb_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
188
       uint8_t *dst, const uint8_t *src)
189
0
{
190
0
  cfb_decrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size,
191
0
        ctx->iv, length, dst, src);
192
0
}
193
194
static void _ctr_acpkm_crypt(struct nettle_cipher_ctx *ctx, size_t length,
195
           uint8_t *dst, const uint8_t *src)
196
0
{
197
  /* Use context-specific IV which comes as a first field */
198
0
  ctr_crypt(ctx->ctx_ptr, ctx->cipher->encrypt_block,
199
0
      ctx->cipher->block_size, ctx->ctx_ptr, length, dst, src);
200
0
}
201
202
static void _gost28147_set_key_tc26z(void *ctx, const uint8_t *key)
203
0
{
204
0
  gost28147_set_param(ctx, &gost28147_param_TC26_Z);
205
0
  gost28147_set_key(ctx, key);
206
0
}
207
208
static void _gost28147_set_key_cpa(void *ctx, const uint8_t *key)
209
0
{
210
0
  gost28147_set_param(ctx, &gost28147_param_CryptoPro_A);
211
0
  gost28147_set_key(ctx, key);
212
0
}
213
214
static void _gost28147_set_key_cpb(void *ctx, const uint8_t *key)
215
0
{
216
0
  gost28147_set_param(ctx, &gost28147_param_CryptoPro_B);
217
0
  gost28147_set_key(ctx, key);
218
0
}
219
220
static void _gost28147_set_key_cpc(void *ctx, const uint8_t *key)
221
0
{
222
0
  gost28147_set_param(ctx, &gost28147_param_CryptoPro_C);
223
0
  gost28147_set_key(ctx, key);
224
0
}
225
226
static void _gost28147_set_key_cpd(void *ctx, const uint8_t *key)
227
0
{
228
0
  gost28147_set_param(ctx, &gost28147_param_CryptoPro_D);
229
0
  gost28147_set_key(ctx, key);
230
0
}
231
232
static void _gost28147_cnt_set_key_tc26z(void *ctx, const uint8_t *key)
233
0
{
234
0
  gost28147_cnt_init(ctx, key, &gost28147_param_TC26_Z);
235
0
}
236
237
static void _gost28147_cnt_set_nonce(void *ctx, size_t length,
238
             const uint8_t *nonce)
239
0
{
240
0
  gost28147_cnt_set_iv(ctx, nonce);
241
0
}
242
243
static void _gost28147_cnt_crypt(struct nettle_cipher_ctx *ctx, size_t length,
244
         uint8_t *dst, const uint8_t *src)
245
0
{
246
0
  gost28147_cnt_crypt((void *)ctx->ctx_ptr, length, dst, src);
247
0
}
248
249
static void _magma_acpkm_crypt(struct magma_acpkm_ctx *ctx, size_t length,
250
             uint8_t *dst, const uint8_t *src)
251
0
{
252
0
  acpkm_crypt(&ctx->ctx, &ctx->cipher,
253
0
        (nettle_cipher_func *)magma_encrypt,
254
0
        (nettle_set_key_func *)magma_set_key, length, dst, src);
255
0
}
256
257
static void _kuznyechik_acpkm_crypt(struct kuznyechik_acpkm_ctx *ctx,
258
            size_t length, uint8_t *dst,
259
            const uint8_t *src)
260
0
{
261
0
  acpkm_crypt(&ctx->ctx, &ctx->cipher,
262
0
        (nettle_cipher_func *)kuznyechik_encrypt,
263
0
        (nettle_set_key_func *)kuznyechik_set_key, length, dst,
264
0
        src);
265
0
}
266
267
static void _magma_ctr_acpkm_set_key(struct magma_acpkm_ctx *ctx,
268
             const uint8_t *key)
269
0
{
270
0
  magma_set_key(&ctx->cipher, key);
271
0
  ctx->ctx.pos = 0;
272
0
  ctx->ctx.N = 1024;
273
0
}
274
275
static void _magma_ctr_acpkm_set_iv(struct magma_acpkm_ctx *ctx, size_t length,
276
            const uint8_t *iv)
277
0
{
278
0
  memcpy(ctx->iv, iv, length);
279
0
  memset(ctx->iv + length, 0, MAGMA_BLOCK_SIZE - length);
280
0
}
281
282
static void _kuznyechik_ctr_acpkm_set_key(struct kuznyechik_acpkm_ctx *ctx,
283
            const uint8_t *key)
284
0
{
285
0
  kuznyechik_set_key(&ctx->cipher, key);
286
0
  ctx->ctx.pos = 0;
287
0
  ctx->ctx.N = 4096;
288
0
}
289
290
static void _kuznyechik_ctr_acpkm_set_iv(struct kuznyechik_acpkm_ctx *ctx,
291
           size_t length, const uint8_t *iv)
292
0
{
293
0
  memcpy(ctx->iv, iv, length);
294
0
  memset(ctx->iv + length, 0, KUZNYECHIK_BLOCK_SIZE - length);
295
0
}
296
#endif
297
298
static void _ccm_encrypt(struct nettle_cipher_ctx *ctx, size_t nonce_size,
299
       const void *nonce, size_t auth_size, const void *auth,
300
       size_t tag_size, size_t length, uint8_t *dst,
301
       const uint8_t *src)
302
0
{
303
0
  ccm_encrypt_message((void *)ctx->ctx_ptr, ctx->cipher->encrypt_block,
304
0
          nonce_size, nonce, auth_size, auth, tag_size,
305
0
          length, dst, src);
306
0
}
307
308
static int _ccm_decrypt(struct nettle_cipher_ctx *ctx, size_t nonce_size,
309
      const void *nonce, size_t auth_size, const void *auth,
310
      size_t tag_size, size_t length, uint8_t *dst,
311
      const uint8_t *src)
312
0
{
313
0
  return ccm_decrypt_message((void *)ctx->ctx_ptr,
314
0
           ctx->cipher->encrypt_block, nonce_size,
315
0
           nonce, auth_size, auth, tag_size, length,
316
0
           dst, src);
317
0
}
318
319
static void _siv_cmac_aes128_encrypt_message(struct nettle_cipher_ctx *ctx,
320
               size_t nonce_size,
321
               const void *nonce,
322
               size_t auth_size, const void *auth,
323
               size_t tag_size, size_t length,
324
               uint8_t *dst, const uint8_t *src)
325
0
{
326
0
  siv_cmac_aes128_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce,
327
0
          auth_size, auth, length, dst, src);
328
0
}
329
330
static int _siv_cmac_aes128_decrypt_message(struct nettle_cipher_ctx *ctx,
331
              size_t nonce_size,
332
              const void *nonce, size_t auth_size,
333
              const void *auth, size_t tag_size,
334
              size_t length, uint8_t *dst,
335
              const uint8_t *src)
336
0
{
337
0
  return siv_cmac_aes128_decrypt_message((void *)ctx->ctx_ptr, nonce_size,
338
0
                 nonce, auth_size, auth, length,
339
0
                 dst, src);
340
0
}
341
342
static void _siv_cmac_aes256_encrypt_message(struct nettle_cipher_ctx *ctx,
343
               size_t nonce_size,
344
               const void *nonce,
345
               size_t auth_size, const void *auth,
346
               size_t tag_size, size_t length,
347
               uint8_t *dst, const uint8_t *src)
348
0
{
349
0
  siv_cmac_aes256_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce,
350
0
          auth_size, auth, length, dst, src);
351
0
}
352
353
static int _siv_cmac_aes256_decrypt_message(struct nettle_cipher_ctx *ctx,
354
              size_t nonce_size,
355
              const void *nonce, size_t auth_size,
356
              const void *auth, size_t tag_size,
357
              size_t length, uint8_t *dst,
358
              const uint8_t *src)
359
0
{
360
0
  return siv_cmac_aes256_decrypt_message((void *)ctx->ctx_ptr, nonce_size,
361
0
                 nonce, auth_size, auth, length,
362
0
                 dst, src);
363
0
}
364
365
static void _siv_gcm_aes128_encrypt_message(struct nettle_cipher_ctx *ctx,
366
              size_t nonce_size,
367
              const void *nonce, size_t auth_size,
368
              const void *auth, size_t tag_size,
369
              size_t length, uint8_t *dst,
370
              const uint8_t *src)
371
0
{
372
0
  siv_gcm_aes128_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce,
373
0
               auth_size, auth, length, dst, src);
374
0
}
375
376
static int _siv_gcm_aes128_decrypt_message(struct nettle_cipher_ctx *ctx,
377
             size_t nonce_size, const void *nonce,
378
             size_t auth_size, const void *auth,
379
             size_t tag_size, size_t length,
380
             uint8_t *dst, const uint8_t *src)
381
0
{
382
0
  return siv_gcm_aes128_decrypt_message((void *)ctx->ctx_ptr, nonce_size,
383
0
                nonce, auth_size, auth, length,
384
0
                dst, src);
385
0
}
386
387
static void _siv_gcm_aes256_encrypt_message(struct nettle_cipher_ctx *ctx,
388
              size_t nonce_size,
389
              const void *nonce, size_t auth_size,
390
              const void *auth, size_t tag_size,
391
              size_t length, uint8_t *dst,
392
              const uint8_t *src)
393
0
{
394
0
  siv_gcm_aes256_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce,
395
0
               auth_size, auth, length, dst, src);
396
0
}
397
398
static int _siv_gcm_aes256_decrypt_message(struct nettle_cipher_ctx *ctx,
399
             size_t nonce_size, const void *nonce,
400
             size_t auth_size, const void *auth,
401
             size_t tag_size, size_t length,
402
             uint8_t *dst, const uint8_t *src)
403
0
{
404
0
  return siv_gcm_aes256_decrypt_message((void *)ctx->ctx_ptr, nonce_size,
405
0
                nonce, auth_size, auth, length,
406
0
                dst, src);
407
0
}
408
409
static void _chacha_set_nonce(struct chacha_ctx *ctx, size_t length,
410
            const uint8_t *nonce)
411
0
{
412
0
  chacha_set_nonce(ctx, nonce + CHACHA_COUNTER_SIZE);
413
0
  chacha_set_counter(ctx, nonce);
414
0
}
415
416
static void _chacha_set_nonce96(struct chacha_ctx *ctx, size_t length,
417
        const uint8_t *nonce)
418
0
{
419
0
  chacha_set_nonce96(ctx, nonce + CHACHA_COUNTER32_SIZE);
420
0
  chacha_set_counter32(ctx, nonce);
421
0
}
422
423
static void _chacha_poly1305_set_nonce(struct chacha_poly1305_ctx *ctx,
424
               size_t length, const uint8_t *nonce)
425
0
{
426
0
  chacha_poly1305_set_nonce(ctx, nonce);
427
0
}
428
429
struct gcm_cast_st {
430
  struct gcm_key key;
431
  struct gcm_ctx gcm;
432
  unsigned long xx[1];
433
};
434
0
#define GCM_CTX_GET_KEY(ptr) (&((struct gcm_cast_st *)ptr)->key)
435
0
#define GCM_CTX_GET_CTX(ptr) (&((struct gcm_cast_st *)ptr)->gcm)
436
0
#define GCM_CTX_GET_CIPHER(ptr) ((void *)&((struct gcm_cast_st *)ptr)->xx)
437
438
static void _gcm_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
439
       uint8_t *dst, const uint8_t *src)
440
0
{
441
0
  gcm_encrypt(GCM_CTX_GET_CTX(ctx->ctx_ptr),
442
0
        GCM_CTX_GET_KEY(ctx->ctx_ptr),
443
0
        GCM_CTX_GET_CIPHER(ctx->ctx_ptr),
444
0
        ctx->cipher->encrypt_block, length, dst, src);
445
0
}
446
447
static void _gcm_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
448
       uint8_t *dst, const uint8_t *src)
449
0
{
450
0
  gcm_decrypt(GCM_CTX_GET_CTX(ctx->ctx_ptr),
451
0
        GCM_CTX_GET_KEY(ctx->ctx_ptr),
452
0
        GCM_CTX_GET_CIPHER(ctx->ctx_ptr),
453
0
        ctx->cipher->encrypt_block, length, dst, src);
454
0
}
455
456
static void _des_set_key(struct des_ctx *ctx, const uint8_t *key)
457
0
{
458
0
  des_set_key(ctx, key);
459
0
}
460
461
static void _des3_set_key(struct des3_ctx *ctx, const uint8_t *key)
462
0
{
463
0
  des3_set_key(ctx, key);
464
0
}
465
466
static void _cfb8_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
467
        uint8_t *dst, const uint8_t *src)
468
0
{
469
0
  cfb8_encrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size,
470
0
         ctx->iv, length, dst, src);
471
0
}
472
473
static void _cfb8_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
474
        uint8_t *dst, const uint8_t *src)
475
0
{
476
0
  cfb8_decrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size,
477
0
         ctx->iv, length, dst, src);
478
0
}
479
480
static void _xts_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
481
        uint8_t *dst, const uint8_t *src)
482
0
{
483
0
  xts_aes128_encrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src);
484
0
}
485
486
static void _xts_aes128_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
487
        uint8_t *dst, const uint8_t *src)
488
0
{
489
0
  xts_aes128_decrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src);
490
0
}
491
492
static void _xts_aes256_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
493
        uint8_t *dst, const uint8_t *src)
494
0
{
495
0
  xts_aes256_encrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src);
496
0
}
497
498
static void _xts_aes256_decrypt(struct nettle_cipher_ctx *ctx, size_t length,
499
        uint8_t *dst, const uint8_t *src)
500
0
{
501
0
  xts_aes256_decrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src);
502
0
}
503
504
#ifdef HAVE_NETTLE_CBC_AES128_ENCRYPT
505
506
static void _cbc_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
507
        uint8_t *dst, const uint8_t *src)
508
0
{
509
0
  assert((length % ctx->cipher->block_size) == 0);
510
0
  cbc_aes128_encrypt(ctx->ctx_ptr, ctx->iv, length, dst, src);
511
0
}
512
513
static void _cbc_aes192_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
514
        uint8_t *dst, const uint8_t *src)
515
0
{
516
0
  assert((length % ctx->cipher->block_size) == 0);
517
0
  cbc_aes192_encrypt(ctx->ctx_ptr, ctx->iv, length, dst, src);
518
0
}
519
520
static void _cbc_aes256_encrypt(struct nettle_cipher_ctx *ctx, size_t length,
521
        uint8_t *dst, const uint8_t *src)
522
0
{
523
0
  assert((length % ctx->cipher->block_size) == 0);
524
0
  cbc_aes256_encrypt(ctx->ctx_ptr, ctx->iv, length, dst, src);
525
0
}
526
527
#endif /* HAVE_NETTLE_CBC_AES128_ENCRYPT */
528
529
static const struct nettle_cipher_st builtin_ciphers[] = {
530
  {
531
    .algo = GNUTLS_CIPHER_AES_128_GCM,
532
    .block_size = AES_BLOCK_SIZE,
533
    .key_size = AES128_KEY_SIZE,
534
    .encrypt_block = (nettle_cipher_func *)aes128_encrypt,
535
    .decrypt_block = (nettle_cipher_func *)aes128_decrypt,
536
537
    .ctx_size = sizeof(struct gcm_aes128_ctx),
538
    .encrypt = _gcm_encrypt,
539
    .decrypt = _gcm_decrypt,
540
    .set_encrypt_key = (nettle_set_key_func *)gcm_aes128_set_key,
541
    .set_decrypt_key = (nettle_set_key_func *)gcm_aes128_set_key,
542
543
    .tag = (nettle_hash_digest_func *)gcm_aes128_digest,
544
    .auth = (nettle_hash_update_func *)gcm_aes128_update,
545
    .set_iv = (setiv_func)gcm_aes128_set_iv,
546
    .max_iv_size = GCM_IV_SIZE,
547
  },
548
  {
549
    .algo = GNUTLS_CIPHER_AES_192_GCM,
550
    .block_size = AES_BLOCK_SIZE,
551
    .key_size = AES192_KEY_SIZE,
552
    .encrypt_block = (nettle_cipher_func *)aes192_encrypt,
553
    .decrypt_block = (nettle_cipher_func *)aes192_decrypt,
554
555
    .ctx_size = sizeof(struct gcm_aes192_ctx),
556
    .encrypt = _gcm_encrypt,
557
    .decrypt = _gcm_decrypt,
558
    .set_encrypt_key = (nettle_set_key_func *)gcm_aes192_set_key,
559
    .set_decrypt_key = (nettle_set_key_func *)gcm_aes192_set_key,
560
561
    .tag = (nettle_hash_digest_func *)gcm_aes192_digest,
562
    .auth = (nettle_hash_update_func *)gcm_aes192_update,
563
    .set_iv = (setiv_func)gcm_aes192_set_iv,
564
    .max_iv_size = GCM_IV_SIZE,
565
  },
566
  {
567
    .algo = GNUTLS_CIPHER_AES_256_GCM,
568
    .block_size = AES_BLOCK_SIZE,
569
    .key_size = AES256_KEY_SIZE,
570
    .encrypt_block = (nettle_cipher_func *)aes256_encrypt,
571
    .decrypt_block = (nettle_cipher_func *)aes256_decrypt,
572
573
    .ctx_size = sizeof(struct gcm_aes256_ctx),
574
    .encrypt = _gcm_encrypt,
575
    .decrypt = _gcm_decrypt,
576
    .set_encrypt_key = (nettle_set_key_func *)gcm_aes256_set_key,
577
    .set_decrypt_key = (nettle_set_key_func *)gcm_aes256_set_key,
578
579
    .tag = (nettle_hash_digest_func *)gcm_aes256_digest,
580
    .auth = (nettle_hash_update_func *)gcm_aes256_update,
581
    .set_iv = (setiv_func)gcm_aes256_set_iv,
582
    .max_iv_size = GCM_IV_SIZE,
583
  },
584
  {
585
    .algo = GNUTLS_CIPHER_AES_128_CCM,
586
    .block_size = AES_BLOCK_SIZE,
587
    .key_size = AES128_KEY_SIZE,
588
    .encrypt_block = (nettle_cipher_func *)aes128_encrypt,
589
    .decrypt_block = (nettle_cipher_func *)aes128_decrypt,
590
591
    .ctx_size = sizeof(struct aes128_ctx),
592
    .aead_encrypt = _ccm_encrypt,
593
    .aead_decrypt = _ccm_decrypt,
594
    .set_encrypt_key =
595
      (nettle_set_key_func *)aes128_set_encrypt_key,
596
    .set_decrypt_key =
597
      (nettle_set_key_func *)aes128_set_encrypt_key,
598
    .max_iv_size = CCM_MAX_NONCE_SIZE,
599
  },
600
  {
601
    .algo = GNUTLS_CIPHER_AES_128_CCM_8,
602
    .block_size = AES_BLOCK_SIZE,
603
    .key_size = AES128_KEY_SIZE,
604
    .encrypt_block = (nettle_cipher_func *)aes128_encrypt,
605
    .decrypt_block = (nettle_cipher_func *)aes128_decrypt,
606
607
    .ctx_size = sizeof(struct aes128_ctx),
608
    .aead_encrypt = _ccm_encrypt,
609
    .aead_decrypt = _ccm_decrypt,
610
    .set_encrypt_key =
611
      (nettle_set_key_func *)aes128_set_encrypt_key,
612
    .set_decrypt_key =
613
      (nettle_set_key_func *)aes128_set_encrypt_key,
614
    .max_iv_size = CCM_MAX_NONCE_SIZE,
615
  },
616
  {
617
    .algo = GNUTLS_CIPHER_AES_256_CCM,
618
    .block_size = AES_BLOCK_SIZE,
619
    .key_size = AES256_KEY_SIZE,
620
    .encrypt_block = (nettle_cipher_func *)aes256_encrypt,
621
    .decrypt_block = (nettle_cipher_func *)aes256_decrypt,
622
623
    .ctx_size = sizeof(struct aes256_ctx),
624
    .aead_encrypt = _ccm_encrypt,
625
    .aead_decrypt = _ccm_decrypt,
626
    .set_encrypt_key =
627
      (nettle_set_key_func *)aes256_set_encrypt_key,
628
    .set_decrypt_key =
629
      (nettle_set_key_func *)aes256_set_encrypt_key,
630
    .max_iv_size = CCM_MAX_NONCE_SIZE,
631
  },
632
  {
633
    .algo = GNUTLS_CIPHER_AES_256_CCM_8,
634
    .block_size = AES_BLOCK_SIZE,
635
    .key_size = AES256_KEY_SIZE,
636
    .encrypt_block = (nettle_cipher_func *)aes256_encrypt,
637
    .decrypt_block = (nettle_cipher_func *)aes256_decrypt,
638
639
    .ctx_size = sizeof(struct aes256_ctx),
640
    .aead_encrypt = _ccm_encrypt,
641
    .aead_decrypt = _ccm_decrypt,
642
    .set_encrypt_key =
643
      (nettle_set_key_func *)aes256_set_encrypt_key,
644
    .set_decrypt_key =
645
      (nettle_set_key_func *)aes256_set_encrypt_key,
646
    .max_iv_size = CCM_MAX_NONCE_SIZE,
647
  },
648
  { .algo = GNUTLS_CIPHER_CAMELLIA_128_GCM,
649
    .block_size = CAMELLIA_BLOCK_SIZE,
650
    .key_size = CAMELLIA128_KEY_SIZE,
651
    .encrypt_block = (nettle_cipher_func *)camellia128_crypt,
652
    .decrypt_block = (nettle_cipher_func *)camellia128_crypt,
653
654
    .ctx_size = sizeof(struct gcm_camellia128_ctx),
655
    .encrypt = _gcm_encrypt,
656
    .decrypt = _gcm_decrypt,
657
    .set_encrypt_key = (nettle_set_key_func *)gcm_camellia128_set_key,
658
    .set_decrypt_key = (nettle_set_key_func *)gcm_camellia128_set_key,
659
    .tag = (nettle_hash_digest_func *)gcm_camellia128_digest,
660
    .auth = (nettle_hash_update_func *)gcm_camellia128_update,
661
    .max_iv_size = GCM_IV_SIZE,
662
    .set_iv = (setiv_func)gcm_camellia128_set_iv },
663
  { .algo = GNUTLS_CIPHER_CAMELLIA_256_GCM,
664
    .block_size = CAMELLIA_BLOCK_SIZE,
665
    .key_size = CAMELLIA256_KEY_SIZE,
666
    .encrypt_block = (nettle_cipher_func *)camellia256_crypt,
667
    .decrypt_block = (nettle_cipher_func *)camellia256_crypt,
668
669
    .ctx_size = sizeof(struct gcm_camellia256_ctx),
670
    .encrypt = _gcm_encrypt,
671
    .decrypt = _gcm_decrypt,
672
    .set_encrypt_key = (nettle_set_key_func *)gcm_camellia256_set_key,
673
    .set_decrypt_key = (nettle_set_key_func *)gcm_camellia256_set_key,
674
    .tag = (nettle_hash_digest_func *)gcm_camellia256_digest,
675
    .auth = (nettle_hash_update_func *)gcm_camellia256_update,
676
    .max_iv_size = GCM_IV_SIZE,
677
    .set_iv = (setiv_func)gcm_camellia256_set_iv },
678
  {
679
    .algo = GNUTLS_CIPHER_AES_128_CBC,
680
    .block_size = AES_BLOCK_SIZE,
681
    .key_size = AES128_KEY_SIZE,
682
    .encrypt_block = (nettle_cipher_func *)aes128_encrypt,
683
    .decrypt_block = (nettle_cipher_func *)aes128_decrypt,
684
685
    .ctx_size = sizeof(
686
      struct CBC_CTX(struct aes128_ctx, AES_BLOCK_SIZE)),
687
#ifdef HAVE_NETTLE_CBC_AES128_ENCRYPT
688
    .encrypt = _cbc_aes128_encrypt,
689
#else
690
    .encrypt = _cbc_encrypt,
691
#endif
692
    .decrypt = _cbc_decrypt,
693
    .set_encrypt_key =
694
      (nettle_set_key_func *)aes128_set_encrypt_key,
695
    .set_decrypt_key =
696
      (nettle_set_key_func *)aes128_set_decrypt_key,
697
    .max_iv_size = AES_BLOCK_SIZE,
698
  },
699
  {
700
    .algo = GNUTLS_CIPHER_AES_192_CBC,
701
    .block_size = AES_BLOCK_SIZE,
702
    .key_size = AES192_KEY_SIZE,
703
    .encrypt_block = (nettle_cipher_func *)aes192_encrypt,
704
    .decrypt_block = (nettle_cipher_func *)aes192_decrypt,
705
706
    .ctx_size = sizeof(
707
      struct CBC_CTX(struct aes192_ctx, AES_BLOCK_SIZE)),
708
#ifdef HAVE_NETTLE_CBC_AES128_ENCRYPT
709
    .encrypt = _cbc_aes192_encrypt,
710
#else
711
    .encrypt = _cbc_encrypt,
712
#endif
713
    .decrypt = _cbc_decrypt,
714
    .set_encrypt_key =
715
      (nettle_set_key_func *)aes192_set_encrypt_key,
716
    .set_decrypt_key =
717
      (nettle_set_key_func *)aes192_set_decrypt_key,
718
    .max_iv_size = AES_BLOCK_SIZE,
719
  },
720
  {
721
    .algo = GNUTLS_CIPHER_AES_256_CBC,
722
    .block_size = AES_BLOCK_SIZE,
723
    .key_size = AES256_KEY_SIZE,
724
    .encrypt_block = (nettle_cipher_func *)aes256_encrypt,
725
    .decrypt_block = (nettle_cipher_func *)aes256_decrypt,
726
727
    .ctx_size = sizeof(
728
      struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE)),
729
#ifdef HAVE_NETTLE_CBC_AES128_ENCRYPT
730
    .encrypt = _cbc_aes256_encrypt,
731
#else
732
    .encrypt = _cbc_encrypt,
733
#endif
734
    .decrypt = _cbc_decrypt,
735
    .set_encrypt_key =
736
      (nettle_set_key_func *)aes256_set_encrypt_key,
737
    .set_decrypt_key =
738
      (nettle_set_key_func *)aes256_set_decrypt_key,
739
    .max_iv_size = AES_BLOCK_SIZE,
740
  },
741
  {
742
    .algo = GNUTLS_CIPHER_CAMELLIA_128_CBC,
743
    .block_size = CAMELLIA_BLOCK_SIZE,
744
    .key_size = CAMELLIA128_KEY_SIZE,
745
    .encrypt_block = (nettle_cipher_func *)camellia128_crypt,
746
    .decrypt_block = (nettle_cipher_func *)camellia128_crypt,
747
748
    .ctx_size = sizeof(struct CBC_CTX(struct camellia128_ctx,
749
              CAMELLIA_BLOCK_SIZE)),
750
    .encrypt = _cbc_encrypt,
751
    .decrypt = _cbc_decrypt,
752
    .set_encrypt_key =
753
      (nettle_set_key_func *)camellia128_set_encrypt_key,
754
    .set_decrypt_key =
755
      (nettle_set_key_func *)camellia128_set_decrypt_key,
756
    .max_iv_size = CAMELLIA_BLOCK_SIZE,
757
  },
758
  {
759
    .algo = GNUTLS_CIPHER_CAMELLIA_192_CBC,
760
    .block_size = CAMELLIA_BLOCK_SIZE,
761
    .key_size = CAMELLIA192_KEY_SIZE,
762
    .encrypt_block = (nettle_cipher_func *)camellia192_crypt,
763
    .decrypt_block = (nettle_cipher_func *)camellia192_crypt,
764
765
    .ctx_size = sizeof(struct CBC_CTX(struct camellia192_ctx,
766
              CAMELLIA_BLOCK_SIZE)),
767
    .encrypt = _cbc_encrypt,
768
    .decrypt = _cbc_decrypt,
769
    .set_encrypt_key =
770
      (nettle_set_key_func *)camellia192_set_encrypt_key,
771
    .set_decrypt_key =
772
      (nettle_set_key_func *)camellia192_set_decrypt_key,
773
    .max_iv_size = CAMELLIA_BLOCK_SIZE,
774
  },
775
  {
776
    .algo = GNUTLS_CIPHER_CAMELLIA_256_CBC,
777
    .block_size = CAMELLIA_BLOCK_SIZE,
778
    .key_size = CAMELLIA256_KEY_SIZE,
779
    .encrypt_block = (nettle_cipher_func *)camellia256_crypt,
780
    .decrypt_block = (nettle_cipher_func *)camellia256_crypt,
781
782
    .ctx_size = sizeof(struct CBC_CTX(struct camellia256_ctx,
783
              CAMELLIA_BLOCK_SIZE)),
784
    .encrypt = _cbc_encrypt,
785
    .decrypt = _cbc_decrypt,
786
    .set_encrypt_key =
787
      (nettle_set_key_func *)camellia256_set_encrypt_key,
788
    .set_decrypt_key =
789
      (nettle_set_key_func *)camellia256_set_decrypt_key,
790
    .max_iv_size = CAMELLIA_BLOCK_SIZE,
791
  },
792
  {
793
    .algo = GNUTLS_CIPHER_RC2_40_CBC,
794
    .block_size = ARCTWO_BLOCK_SIZE,
795
    .key_size = 5,
796
    .encrypt_block = (nettle_cipher_func *)arctwo_encrypt,
797
    .decrypt_block = (nettle_cipher_func *)arctwo_decrypt,
798
799
    .ctx_size = sizeof(
800
      struct CBC_CTX(struct arctwo_ctx, ARCTWO_BLOCK_SIZE)),
801
    .encrypt = _cbc_encrypt,
802
    .decrypt = _cbc_decrypt,
803
    .set_encrypt_key = (nettle_set_key_func *)arctwo40_set_key,
804
    .set_decrypt_key = (nettle_set_key_func *)arctwo40_set_key,
805
    .max_iv_size = ARCTWO_BLOCK_SIZE,
806
  },
807
  {
808
    .algo = GNUTLS_CIPHER_DES_CBC,
809
    .block_size = DES_BLOCK_SIZE,
810
    .key_size = DES_KEY_SIZE,
811
    .encrypt_block = (nettle_cipher_func *)des_encrypt,
812
    .decrypt_block = (nettle_cipher_func *)des_decrypt,
813
814
    .ctx_size =
815
      sizeof(struct CBC_CTX(struct des_ctx, DES_BLOCK_SIZE)),
816
    .encrypt = _cbc_encrypt,
817
    .decrypt = _cbc_decrypt,
818
    .set_encrypt_key = (nettle_set_key_func *)_des_set_key,
819
    .set_decrypt_key = (nettle_set_key_func *)_des_set_key,
820
    .max_iv_size = DES_BLOCK_SIZE,
821
  },
822
  {
823
    .algo = GNUTLS_CIPHER_3DES_CBC,
824
    .block_size = DES3_BLOCK_SIZE,
825
    .key_size = DES3_KEY_SIZE,
826
    .encrypt_block = (nettle_cipher_func *)des3_encrypt,
827
    .decrypt_block = (nettle_cipher_func *)des3_decrypt,
828
829
    .ctx_size = sizeof(
830
      struct CBC_CTX(struct des3_ctx, DES3_BLOCK_SIZE)),
831
    .encrypt = _cbc_encrypt,
832
    .decrypt = _cbc_decrypt,
833
    .set_encrypt_key = (nettle_set_key_func *)_des3_set_key,
834
    .set_decrypt_key = (nettle_set_key_func *)_des3_set_key,
835
    .max_iv_size = DES_BLOCK_SIZE,
836
  },
837
  {
838
    .algo = GNUTLS_CIPHER_ARCFOUR_128,
839
    .block_size = 1,
840
    .key_size = 0,
841
    .encrypt_block = (nettle_cipher_func *)arcfour_crypt,
842
    .decrypt_block = (nettle_cipher_func *)arcfour_crypt,
843
844
    .ctx_size = sizeof(struct arcfour_ctx),
845
    .encrypt = _stream_encrypt,
846
    .decrypt = _stream_encrypt,
847
    .gen_set_key = (gen_setkey_func)arcfour_set_key,
848
    .set_encrypt_key = (nettle_set_key_func *)arcfour128_set_key,
849
    .set_decrypt_key = (nettle_set_key_func *)arcfour128_set_key,
850
  },
851
  {
852
    .algo = GNUTLS_CIPHER_SALSA20_256,
853
    .block_size = 1,
854
    .key_size = SALSA20_256_KEY_SIZE,
855
    .encrypt_block = (nettle_cipher_func *)salsa20_crypt,
856
    .decrypt_block = (nettle_cipher_func *)salsa20_crypt,
857
858
    .ctx_size = sizeof(struct salsa20_ctx),
859
    .encrypt = _stream_encrypt,
860
    .decrypt = _stream_encrypt,
861
    .set_encrypt_key = (nettle_set_key_func *)salsa20_256_set_key,
862
    .set_decrypt_key = (nettle_set_key_func *)salsa20_256_set_key,
863
    .max_iv_size = SALSA20_NONCE_SIZE,
864
  },
865
  {
866
    .algo = GNUTLS_CIPHER_ESTREAM_SALSA20_256,
867
    .block_size = 1,
868
    .key_size = SALSA20_256_KEY_SIZE,
869
    .encrypt_block = (nettle_cipher_func *)salsa20r12_crypt,
870
    .decrypt_block = (nettle_cipher_func *)salsa20r12_crypt,
871
872
    .ctx_size = sizeof(struct salsa20_ctx),
873
    .encrypt = _stream_encrypt,
874
    .decrypt = _stream_encrypt,
875
    .set_encrypt_key = (nettle_set_key_func *)salsa20_256_set_key,
876
    .set_decrypt_key = (nettle_set_key_func *)salsa20_256_set_key,
877
    .max_iv_size = SALSA20_NONCE_SIZE,
878
  },
879
  {
880
    .algo = GNUTLS_CIPHER_CHACHA20_32,
881
    .block_size = 1,
882
    .key_size = CHACHA_KEY_SIZE,
883
    .encrypt_block = (nettle_cipher_func *)chacha_crypt32,
884
    .decrypt_block = (nettle_cipher_func *)chacha_crypt32,
885
886
    .ctx_size = sizeof(struct chacha_ctx),
887
    .encrypt = _stream_encrypt,
888
    .decrypt = _stream_encrypt,
889
    .set_encrypt_key = (nettle_set_key_func *)chacha_set_key,
890
    .set_decrypt_key = (nettle_set_key_func *)chacha_set_key,
891
    .set_iv = (setiv_func)_chacha_set_nonce96,
892
    /* we allow setting the initial block counter as part of nonce */
893
    .max_iv_size = CHACHA_NONCE96_SIZE + CHACHA_COUNTER32_SIZE,
894
  },
895
  {
896
    .algo = GNUTLS_CIPHER_CHACHA20_64,
897
    .block_size = 1,
898
    .key_size = CHACHA_KEY_SIZE,
899
    .encrypt_block = (nettle_cipher_func *)chacha_crypt,
900
    .decrypt_block = (nettle_cipher_func *)chacha_crypt,
901
902
    .ctx_size = sizeof(struct chacha_ctx),
903
    .encrypt = _stream_encrypt,
904
    .decrypt = _stream_encrypt,
905
    .set_encrypt_key = (nettle_set_key_func *)chacha_set_key,
906
    .set_decrypt_key = (nettle_set_key_func *)chacha_set_key,
907
    .set_iv = (setiv_func)_chacha_set_nonce,
908
    /* we allow setting the initial block counter as part of nonce */
909
    .max_iv_size = CHACHA_NONCE_SIZE + CHACHA_COUNTER_SIZE,
910
  },
911
  {
912
    .algo = GNUTLS_CIPHER_CHACHA20_POLY1305,
913
    .block_size = CHACHA_POLY1305_BLOCK_SIZE,
914
    .key_size = CHACHA_POLY1305_KEY_SIZE,
915
916
    .ctx_size = sizeof(struct chacha_poly1305_ctx),
917
    .encrypt_block = (nettle_cipher_func *)chacha_poly1305_encrypt,
918
    .decrypt_block = (nettle_cipher_func *)chacha_poly1305_decrypt,
919
    .encrypt = _stream_encrypt,
920
    .decrypt = _stream_decrypt,
921
    .auth = (nettle_hash_update_func *)chacha_poly1305_update,
922
    .tag = (nettle_hash_digest_func *)chacha_poly1305_digest,
923
    .set_encrypt_key =
924
      (nettle_set_key_func *)chacha_poly1305_set_key,
925
    .set_decrypt_key =
926
      (nettle_set_key_func *)chacha_poly1305_set_key,
927
    .set_iv = (setiv_func)_chacha_poly1305_set_nonce,
928
    .max_iv_size = CHACHA_POLY1305_NONCE_SIZE,
929
  },
930
#if ENABLE_GOST
931
  {
932
    .algo = GNUTLS_CIPHER_GOST28147_TC26Z_CFB,
933
    .block_size = GOST28147_BLOCK_SIZE,
934
    .key_size = GOST28147_KEY_SIZE,
935
    .encrypt_block =
936
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
937
    .decrypt_block =
938
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
939
940
    .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx,
941
              GOST28147_BLOCK_SIZE)),
942
    .encrypt = _cfb_encrypt,
943
    .decrypt = _cfb_decrypt,
944
    .set_encrypt_key = _gost28147_set_key_tc26z,
945
    .set_decrypt_key = _gost28147_set_key_tc26z,
946
  },
947
  {
948
    .algo = GNUTLS_CIPHER_GOST28147_CPA_CFB,
949
    .block_size = GOST28147_BLOCK_SIZE,
950
    .key_size = GOST28147_KEY_SIZE,
951
    .encrypt_block =
952
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
953
    .decrypt_block =
954
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
955
956
    .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx,
957
              GOST28147_BLOCK_SIZE)),
958
    .encrypt = _cfb_encrypt,
959
    .decrypt = _cfb_decrypt,
960
    .set_encrypt_key = _gost28147_set_key_cpa,
961
    .set_decrypt_key = _gost28147_set_key_cpa,
962
  },
963
  {
964
    .algo = GNUTLS_CIPHER_GOST28147_CPB_CFB,
965
    .block_size = GOST28147_BLOCK_SIZE,
966
    .key_size = GOST28147_KEY_SIZE,
967
    .encrypt_block =
968
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
969
    .decrypt_block =
970
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
971
972
    .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx,
973
              GOST28147_BLOCK_SIZE)),
974
    .encrypt = _cfb_encrypt,
975
    .decrypt = _cfb_decrypt,
976
    .set_encrypt_key = _gost28147_set_key_cpb,
977
    .set_decrypt_key = _gost28147_set_key_cpb,
978
  },
979
  {
980
    .algo = GNUTLS_CIPHER_GOST28147_CPC_CFB,
981
    .block_size = GOST28147_BLOCK_SIZE,
982
    .key_size = GOST28147_KEY_SIZE,
983
    .encrypt_block =
984
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
985
    .decrypt_block =
986
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
987
988
    .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx,
989
              GOST28147_BLOCK_SIZE)),
990
    .encrypt = _cfb_encrypt,
991
    .decrypt = _cfb_decrypt,
992
    .set_encrypt_key = _gost28147_set_key_cpc,
993
    .set_decrypt_key = _gost28147_set_key_cpc,
994
  },
995
  {
996
    .algo = GNUTLS_CIPHER_GOST28147_CPD_CFB,
997
    .block_size = GOST28147_BLOCK_SIZE,
998
    .key_size = GOST28147_KEY_SIZE,
999
    .encrypt_block =
1000
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
1001
    .decrypt_block =
1002
      (nettle_cipher_func *)gost28147_encrypt_for_cfb,
1003
1004
    .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx,
1005
              GOST28147_BLOCK_SIZE)),
1006
    .encrypt = _cfb_encrypt,
1007
    .decrypt = _cfb_decrypt,
1008
    .set_encrypt_key = _gost28147_set_key_cpd,
1009
    .set_decrypt_key = _gost28147_set_key_cpd,
1010
  },
1011
  {
1012
    .algo = GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
1013
    .block_size = GOST28147_BLOCK_SIZE,
1014
    .key_size = GOST28147_KEY_SIZE,
1015
    .encrypt_block =
1016
      (nettle_cipher_func *)gost28147_encrypt, /* unused */
1017
    .decrypt_block =
1018
      (nettle_cipher_func *)gost28147_decrypt, /* unused */
1019
1020
    .ctx_size = sizeof(struct gost28147_cnt_ctx),
1021
    .encrypt = _gost28147_cnt_crypt,
1022
    .decrypt = _gost28147_cnt_crypt,
1023
    .set_encrypt_key = _gost28147_cnt_set_key_tc26z,
1024
    .set_decrypt_key = _gost28147_cnt_set_key_tc26z,
1025
    .set_iv = (setiv_func)_gost28147_cnt_set_nonce,
1026
  },
1027
  {
1028
    .algo = GNUTLS_CIPHER_MAGMA_CTR_ACPKM,
1029
    .block_size = MAGMA_BLOCK_SIZE,
1030
    .key_size = MAGMA_KEY_SIZE,
1031
    .encrypt_block = (nettle_cipher_func *)_magma_acpkm_crypt,
1032
    .decrypt_block = (nettle_cipher_func *)_magma_acpkm_crypt,
1033
1034
    .ctx_size = sizeof(struct magma_acpkm_ctx),
1035
    .encrypt = _ctr_acpkm_crypt,
1036
    .decrypt = _ctr_acpkm_crypt,
1037
    .set_encrypt_key =
1038
      (nettle_set_key_func *)_magma_ctr_acpkm_set_key,
1039
    .set_decrypt_key =
1040
      (nettle_set_key_func *)_magma_ctr_acpkm_set_key,
1041
    .set_iv = (setiv_func)_magma_ctr_acpkm_set_iv,
1042
  },
1043
  {
1044
    .algo = GNUTLS_CIPHER_KUZNYECHIK_CTR_ACPKM,
1045
    .block_size = KUZNYECHIK_BLOCK_SIZE,
1046
    .key_size = KUZNYECHIK_KEY_SIZE,
1047
    .encrypt_block = (nettle_cipher_func *)_kuznyechik_acpkm_crypt,
1048
    .decrypt_block = (nettle_cipher_func *)_kuznyechik_acpkm_crypt,
1049
1050
    .ctx_size = sizeof(struct kuznyechik_acpkm_ctx),
1051
    .encrypt = _ctr_acpkm_crypt,
1052
    .decrypt = _ctr_acpkm_crypt,
1053
    .set_encrypt_key =
1054
      (nettle_set_key_func *)_kuznyechik_ctr_acpkm_set_key,
1055
    .set_decrypt_key =
1056
      (nettle_set_key_func *)_kuznyechik_ctr_acpkm_set_key,
1057
    .set_iv = (setiv_func)_kuznyechik_ctr_acpkm_set_iv,
1058
  },
1059
#endif
1060
  {
1061
    .algo = GNUTLS_CIPHER_AES_128_CFB8,
1062
    .block_size = AES_BLOCK_SIZE,
1063
    .key_size = AES128_KEY_SIZE,
1064
    .encrypt_block = (nettle_cipher_func *)aes128_encrypt,
1065
    .decrypt_block = (nettle_cipher_func *)aes128_encrypt,
1066
1067
    .ctx_size = sizeof(
1068
      struct CFB8_CTX(struct aes128_ctx, AES_BLOCK_SIZE)),
1069
    .encrypt = _cfb8_encrypt,
1070
    .decrypt = _cfb8_decrypt,
1071
    .set_encrypt_key =
1072
      (nettle_set_key_func *)aes128_set_encrypt_key,
1073
    .set_decrypt_key =
1074
      (nettle_set_key_func *)aes128_set_encrypt_key,
1075
    .max_iv_size = AES_BLOCK_SIZE,
1076
  },
1077
  {
1078
    .algo = GNUTLS_CIPHER_AES_192_CFB8,
1079
    .block_size = AES_BLOCK_SIZE,
1080
    .key_size = AES192_KEY_SIZE,
1081
    .encrypt_block = (nettle_cipher_func *)aes192_encrypt,
1082
    .decrypt_block = (nettle_cipher_func *)aes192_encrypt,
1083
1084
    .ctx_size = sizeof(
1085
      struct CFB8_CTX(struct aes192_ctx, AES_BLOCK_SIZE)),
1086
    .encrypt = _cfb8_encrypt,
1087
    .decrypt = _cfb8_decrypt,
1088
    .set_encrypt_key =
1089
      (nettle_set_key_func *)aes192_set_encrypt_key,
1090
    .set_decrypt_key =
1091
      (nettle_set_key_func *)aes192_set_encrypt_key,
1092
    .max_iv_size = AES_BLOCK_SIZE,
1093
  },
1094
  {
1095
    .algo = GNUTLS_CIPHER_AES_256_CFB8,
1096
    .block_size = AES_BLOCK_SIZE,
1097
    .key_size = AES256_KEY_SIZE,
1098
    .encrypt_block = (nettle_cipher_func *)aes256_encrypt,
1099
    .decrypt_block = (nettle_cipher_func *)aes256_encrypt,
1100
1101
    .ctx_size = sizeof(
1102
      struct CFB8_CTX(struct aes256_ctx, AES_BLOCK_SIZE)),
1103
    .encrypt = _cfb8_encrypt,
1104
    .decrypt = _cfb8_decrypt,
1105
    .set_encrypt_key =
1106
      (nettle_set_key_func *)aes256_set_encrypt_key,
1107
    .set_decrypt_key =
1108
      (nettle_set_key_func *)aes256_set_encrypt_key,
1109
    .max_iv_size = AES_BLOCK_SIZE,
1110
  },
1111
  {
1112
    .algo = GNUTLS_CIPHER_AES_128_XTS,
1113
    .block_size = AES_BLOCK_SIZE,
1114
    .key_size = AES128_KEY_SIZE * 2,
1115
1116
    .ctx_size = sizeof(struct xts_aes128_key),
1117
    .encrypt = _xts_aes128_encrypt,
1118
    .decrypt = _xts_aes128_decrypt,
1119
    .set_encrypt_key =
1120
      (nettle_set_key_func *)xts_aes128_set_encrypt_key,
1121
    .set_decrypt_key =
1122
      (nettle_set_key_func *)xts_aes128_set_decrypt_key,
1123
    .max_iv_size = AES_BLOCK_SIZE,
1124
  },
1125
  {
1126
    .algo = GNUTLS_CIPHER_AES_256_XTS,
1127
    .block_size = AES_BLOCK_SIZE,
1128
    .key_size = AES256_KEY_SIZE * 2,
1129
1130
    .ctx_size = sizeof(struct xts_aes256_key),
1131
    .encrypt = _xts_aes256_encrypt,
1132
    .decrypt = _xts_aes256_decrypt,
1133
    .set_encrypt_key =
1134
      (nettle_set_key_func *)xts_aes256_set_encrypt_key,
1135
    .set_decrypt_key =
1136
      (nettle_set_key_func *)xts_aes256_set_decrypt_key,
1137
    .max_iv_size = AES_BLOCK_SIZE,
1138
  },
1139
  {
1140
    .algo = GNUTLS_CIPHER_AES_128_SIV,
1141
    .block_size = SIV_BLOCK_SIZE,
1142
    .key_size = SIV_CMAC_AES128_KEY_SIZE,
1143
1144
    .ctx_size = sizeof(struct siv_cmac_aes128_ctx),
1145
    .aead_encrypt =
1146
      (aead_encrypt_func)_siv_cmac_aes128_encrypt_message,
1147
    .aead_decrypt =
1148
      (aead_decrypt_func)_siv_cmac_aes128_decrypt_message,
1149
    .set_encrypt_key =
1150
      (nettle_set_key_func *)siv_cmac_aes128_set_key,
1151
    .set_decrypt_key =
1152
      (nettle_set_key_func *)siv_cmac_aes128_set_key,
1153
    .max_iv_size = SIV_DIGEST_SIZE,
1154
  },
1155
  {
1156
    .algo = GNUTLS_CIPHER_AES_256_SIV,
1157
    .block_size = SIV_BLOCK_SIZE,
1158
    .key_size = SIV_CMAC_AES256_KEY_SIZE,
1159
1160
    .ctx_size = sizeof(struct siv_cmac_aes256_ctx),
1161
    .aead_encrypt =
1162
      (aead_encrypt_func)_siv_cmac_aes256_encrypt_message,
1163
    .aead_decrypt =
1164
      (aead_decrypt_func)_siv_cmac_aes256_decrypt_message,
1165
    .set_encrypt_key =
1166
      (nettle_set_key_func *)siv_cmac_aes256_set_key,
1167
    .set_decrypt_key =
1168
      (nettle_set_key_func *)siv_cmac_aes256_set_key,
1169
    .max_iv_size = SIV_DIGEST_SIZE,
1170
  },
1171
  {
1172
    .algo = GNUTLS_CIPHER_AES_128_SIV_GCM,
1173
    .block_size = SIV_GCM_BLOCK_SIZE,
1174
    .key_size = AES128_KEY_SIZE,
1175
1176
    .ctx_size = sizeof(struct aes128_ctx),
1177
    .aead_encrypt =
1178
      (aead_encrypt_func)_siv_gcm_aes128_encrypt_message,
1179
    .aead_decrypt =
1180
      (aead_decrypt_func)_siv_gcm_aes128_decrypt_message,
1181
    .set_encrypt_key =
1182
      (nettle_set_key_func *)aes128_set_encrypt_key,
1183
    .set_decrypt_key =
1184
      (nettle_set_key_func *)aes128_set_encrypt_key,
1185
    .max_iv_size = SIV_GCM_NONCE_SIZE,
1186
  },
1187
  {
1188
    .algo = GNUTLS_CIPHER_AES_256_SIV_GCM,
1189
    .block_size = SIV_GCM_BLOCK_SIZE,
1190
    .key_size = AES256_KEY_SIZE,
1191
1192
    .ctx_size = sizeof(struct aes256_ctx),
1193
    .aead_encrypt =
1194
      (aead_encrypt_func)_siv_gcm_aes256_encrypt_message,
1195
    .aead_decrypt =
1196
      (aead_decrypt_func)_siv_gcm_aes256_decrypt_message,
1197
    .set_encrypt_key =
1198
      (nettle_set_key_func *)aes256_set_encrypt_key,
1199
    .set_decrypt_key =
1200
      (nettle_set_key_func *)aes256_set_encrypt_key,
1201
    .max_iv_size = SIV_GCM_NONCE_SIZE,
1202
  },
1203
};
1204
1205
static int wrap_nettle_cipher_exists(gnutls_cipher_algorithm_t algo)
1206
0
{
1207
0
  unsigned i;
1208
0
  for (i = 0; i < sizeof(builtin_ciphers) / sizeof(builtin_ciphers[0]);
1209
0
       i++) {
1210
0
    if (algo == builtin_ciphers[i].algo) {
1211
0
      return 1;
1212
0
    }
1213
0
  }
1214
0
  return 0;
1215
0
}
1216
1217
static int wrap_nettle_cipher_init(gnutls_cipher_algorithm_t algo, void **_ctx,
1218
           int enc)
1219
0
{
1220
0
  struct nettle_cipher_ctx *ctx;
1221
0
  uintptr_t cur_alignment;
1222
0
  int idx = -1;
1223
0
  unsigned i;
1224
0
  uint8_t *ctx_ptr;
1225
1226
0
  for (i = 0; i < sizeof(builtin_ciphers) / sizeof(builtin_ciphers[0]);
1227
0
       i++) {
1228
0
    if (algo == builtin_ciphers[i].algo) {
1229
0
      idx = i;
1230
0
      break;
1231
0
    }
1232
0
  }
1233
1234
0
  if (idx == -1)
1235
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1236
1237
0
  ctx = gnutls_calloc(1,
1238
0
          sizeof(*ctx) + builtin_ciphers[idx].ctx_size + 16);
1239
0
  if (ctx == NULL) {
1240
0
    gnutls_assert();
1241
0
    return GNUTLS_E_MEMORY_ERROR;
1242
0
  }
1243
1244
0
  ctx->enc = enc;
1245
0
  ctx_ptr = ((uint8_t *)ctx) + sizeof(*ctx);
1246
1247
0
  cur_alignment = ((uintptr_t)ctx_ptr) % 16;
1248
0
  if (cur_alignment > 0)
1249
0
    ctx_ptr += 16 - cur_alignment;
1250
1251
0
  ctx->ctx_ptr = ctx_ptr;
1252
0
  ctx->cipher = &builtin_ciphers[idx];
1253
1254
0
  *_ctx = ctx;
1255
1256
0
  return 0;
1257
0
}
1258
1259
static int wrap_nettle_cipher_setkey(void *_ctx, const void *key,
1260
             size_t keysize)
1261
0
{
1262
0
  struct nettle_cipher_ctx *ctx = _ctx;
1263
1264
0
  if (ctx->cipher->key_size > 0 &&
1265
0
      unlikely(keysize != ctx->cipher->key_size)) {
1266
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1267
0
  } else if (ctx->cipher->key_size == 0) {
1268
0
    ctx->cipher->gen_set_key(ctx->ctx_ptr, keysize, key);
1269
0
    return 0;
1270
0
  }
1271
1272
0
  switch (ctx->cipher->algo) {
1273
0
  case GNUTLS_CIPHER_AES_128_XTS:
1274
0
    if (_gnutls_fips_mode_enabled() &&
1275
0
        gnutls_memcmp(key, (char *)key + AES128_KEY_SIZE,
1276
0
          AES128_KEY_SIZE) == 0)
1277
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1278
0
    break;
1279
0
  case GNUTLS_CIPHER_AES_256_XTS:
1280
0
    if (_gnutls_fips_mode_enabled() &&
1281
0
        gnutls_memcmp(key, (char *)key + AES256_KEY_SIZE,
1282
0
          AES256_KEY_SIZE) == 0)
1283
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1284
0
    break;
1285
0
  default:
1286
0
    break;
1287
0
  }
1288
1289
0
  if (ctx->enc)
1290
0
    ctx->cipher->set_encrypt_key(ctx->ctx_ptr, key);
1291
0
  else
1292
0
    ctx->cipher->set_decrypt_key(ctx->ctx_ptr, key);
1293
1294
0
  switch (ctx->cipher->algo) {
1295
0
  case GNUTLS_CIPHER_AES_128_GCM:
1296
0
  case GNUTLS_CIPHER_AES_192_GCM:
1297
0
  case GNUTLS_CIPHER_AES_256_GCM:
1298
0
    ctx->rekey_counter = 0;
1299
0
    break;
1300
0
  default:
1301
0
    break;
1302
0
  }
1303
1304
0
  return 0;
1305
0
}
1306
1307
static int wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size)
1308
0
{
1309
0
  struct nettle_cipher_ctx *ctx = _ctx;
1310
0
  unsigned max_iv;
1311
1312
0
  switch (ctx->cipher->algo) {
1313
0
  case GNUTLS_CIPHER_AES_128_GCM:
1314
0
  case GNUTLS_CIPHER_AES_192_GCM:
1315
0
  case GNUTLS_CIPHER_AES_256_GCM:
1316
0
    FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST,
1317
0
        "access to short GCM nonce size\n");
1318
0
    ctx->rekey_counter = 0;
1319
0
    break;
1320
0
  case GNUTLS_CIPHER_SALSA20_256:
1321
0
  case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
1322
0
    if (iv_size != SALSA20_IV_SIZE)
1323
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1324
0
    break;
1325
0
  default:
1326
0
    break;
1327
0
  }
1328
1329
0
  max_iv = ctx->cipher->max_iv_size;
1330
0
  if (max_iv == 0)
1331
0
    max_iv = MAX_CIPHER_BLOCK_SIZE;
1332
1333
0
  if (iv_size > max_iv)
1334
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1335
1336
0
  if (ctx->cipher->set_iv) {
1337
0
    ctx->cipher->set_iv(ctx->ctx_ptr, iv_size, iv);
1338
0
  } else {
1339
0
    if (iv)
1340
0
      memcpy(ctx->iv, iv, iv_size);
1341
0
    ctx->iv_size = iv_size;
1342
0
  }
1343
1344
0
  return 0;
1345
0
}
1346
1347
static int wrap_nettle_cipher_getiv(void *_ctx, void *iv, size_t iv_size)
1348
0
{
1349
0
  struct nettle_cipher_ctx *ctx = _ctx;
1350
1351
0
  if (iv_size < ctx->iv_size)
1352
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1353
1354
0
  memcpy(iv, ctx->iv, ctx->iv_size);
1355
1356
0
  return (int)ctx->iv_size;
1357
0
}
1358
1359
static int wrap_nettle_cipher_decrypt(void *_ctx, const void *encr,
1360
              size_t encr_size, void *plain,
1361
              size_t plain_size)
1362
0
{
1363
0
  struct nettle_cipher_ctx *ctx = _ctx;
1364
1365
0
  if (unlikely(ctx->cipher->decrypt == NULL))
1366
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1367
1368
0
  ctx->cipher->decrypt(ctx, encr_size, plain, encr);
1369
1370
0
  return 0;
1371
0
}
1372
1373
static int wrap_nettle_cipher_encrypt(void *_ctx, const void *plain,
1374
              size_t plain_size, void *encr,
1375
              size_t encr_size)
1376
0
{
1377
0
  struct nettle_cipher_ctx *ctx = _ctx;
1378
0
  int ret;
1379
1380
0
  if (unlikely(ctx->cipher->encrypt == NULL))
1381
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1382
1383
0
  switch (ctx->cipher->algo) {
1384
0
  case GNUTLS_CIPHER_AES_128_GCM:
1385
0
  case GNUTLS_CIPHER_AES_192_GCM:
1386
0
  case GNUTLS_CIPHER_AES_256_GCM:
1387
0
    ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter,
1388
0
              plain_size);
1389
0
    if (ret < 0) {
1390
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1391
0
    }
1392
0
    break;
1393
0
  default:
1394
0
    break;
1395
0
  }
1396
1397
0
  ctx->cipher->encrypt(ctx, plain_size, encr, plain);
1398
1399
0
  return 0;
1400
0
}
1401
1402
static int wrap_nettle_cipher_aead_encrypt(void *_ctx, const void *nonce,
1403
             size_t nonce_size, const void *auth,
1404
             size_t auth_size, size_t tag_size,
1405
             const void *plain, size_t plain_size,
1406
             void *encr, size_t encr_size)
1407
0
{
1408
0
  struct nettle_cipher_ctx *ctx = _ctx;
1409
1410
0
  if (ctx->cipher->aead_encrypt == NULL) {
1411
    /* proper AEAD cipher */
1412
0
    unsigned max_iv;
1413
1414
0
    if (encr_size < plain_size + tag_size)
1415
0
      return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
1416
1417
0
    max_iv = ctx->cipher->max_iv_size;
1418
0
    if (max_iv == 0)
1419
0
      max_iv = MAX_CIPHER_BLOCK_SIZE;
1420
1421
0
    if (nonce_size > max_iv)
1422
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1423
1424
0
    ctx->cipher->set_iv(ctx->ctx_ptr, nonce_size, nonce);
1425
0
    ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth);
1426
1427
0
    ctx->cipher->encrypt(ctx, plain_size, encr, plain);
1428
1429
0
    ctx->cipher->tag(ctx->ctx_ptr, tag_size,
1430
0
         ((uint8_t *)encr) + plain_size);
1431
0
  } else {
1432
    /* CCM-style cipher */
1433
1434
0
    switch (ctx->cipher->algo) {
1435
0
    case GNUTLS_CIPHER_AES_128_CCM:
1436
0
    case GNUTLS_CIPHER_AES_256_CCM:
1437
      /* SP800-38C A.1 says Tlen must be a multiple of 16
1438
       * between 32 and 128.
1439
       */
1440
0
      switch (tag_size) {
1441
0
      case 4:
1442
0
      case 6:
1443
        /* SP800-38C B.2 says Tlen smaller than 64
1444
         * should not be used under sufficient
1445
         * restriction. We simply allow those for now.
1446
         */
1447
0
        FALLTHROUGH;
1448
0
      case 8:
1449
0
      case 10:
1450
0
      case 12:
1451
0
      case 14:
1452
0
      case 16:
1453
0
        break;
1454
0
      default:
1455
0
        if (_gnutls_fips_mode_enabled()) {
1456
0
          _gnutls_switch_fips_state(
1457
0
            GNUTLS_FIPS140_OP_ERROR);
1458
0
          return gnutls_assert_val(
1459
0
            GNUTLS_E_INVALID_REQUEST);
1460
0
        }
1461
0
        break;
1462
0
      }
1463
0
      break;
1464
0
    default:
1465
0
      break;
1466
0
    }
1467
1468
0
    ctx->cipher->aead_encrypt(ctx, nonce_size, nonce, auth_size,
1469
0
            auth, tag_size, tag_size + plain_size,
1470
0
            encr, plain);
1471
0
  }
1472
0
  return 0;
1473
0
}
1474
1475
static int wrap_nettle_cipher_aead_decrypt(void *_ctx, const void *nonce,
1476
             size_t nonce_size, const void *auth,
1477
             size_t auth_size, size_t tag_size,
1478
             const void *encr, size_t encr_size,
1479
             void *plain, size_t plain_size)
1480
0
{
1481
0
  struct nettle_cipher_ctx *ctx = _ctx;
1482
0
  int ret;
1483
1484
0
  if (unlikely(encr_size < tag_size))
1485
0
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1486
1487
0
  if (ctx->cipher->aead_decrypt == NULL) {
1488
    /* proper AEAD cipher */
1489
0
    uint8_t tag[MAX_HASH_SIZE];
1490
0
    unsigned max_iv;
1491
1492
0
    max_iv = ctx->cipher->max_iv_size;
1493
0
    if (max_iv == 0)
1494
0
      max_iv = MAX_CIPHER_BLOCK_SIZE;
1495
1496
0
    if (nonce_size > max_iv)
1497
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1498
1499
0
    ctx->cipher->set_iv(ctx->ctx_ptr, nonce_size, nonce);
1500
0
    ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth);
1501
1502
0
    encr_size -= tag_size;
1503
1504
0
    if (unlikely(plain_size < encr_size))
1505
0
      return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
1506
1507
0
    ctx->cipher->decrypt(ctx, encr_size, plain, encr);
1508
1509
0
    ctx->cipher->tag(ctx->ctx_ptr, tag_size, tag);
1510
1511
0
    if (gnutls_memcmp(((uint8_t *)encr) + encr_size, tag,
1512
0
          tag_size) != 0)
1513
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1514
0
  } else {
1515
    /* CCM-style cipher */
1516
0
    encr_size -= tag_size;
1517
1518
0
    if (unlikely(plain_size < encr_size))
1519
0
      return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
1520
1521
0
    switch (ctx->cipher->algo) {
1522
0
    case GNUTLS_CIPHER_AES_128_CCM:
1523
0
    case GNUTLS_CIPHER_AES_256_CCM:
1524
      /* SP800-38C A.1 says Tlen must be a multiple of 16
1525
       * between 32 and 128.
1526
       */
1527
0
      switch (tag_size) {
1528
0
      case 4:
1529
0
      case 6:
1530
        /* SP800-38C B.2 says Tlen smaller than 64
1531
         * should not be used under sufficient
1532
         * restriction. We simply allow those for now.
1533
         */
1534
0
        FALLTHROUGH;
1535
0
      case 8:
1536
0
      case 10:
1537
0
      case 12:
1538
0
      case 14:
1539
0
      case 16:
1540
0
        break;
1541
0
      default:
1542
0
        if (_gnutls_fips_mode_enabled()) {
1543
0
          _gnutls_switch_fips_state(
1544
0
            GNUTLS_FIPS140_OP_ERROR);
1545
0
          return gnutls_assert_val(
1546
0
            GNUTLS_E_INVALID_REQUEST);
1547
0
        }
1548
0
        break;
1549
0
      }
1550
0
      break;
1551
0
    default:
1552
0
      break;
1553
0
    }
1554
1555
0
    ret = ctx->cipher->aead_decrypt(ctx, nonce_size, nonce,
1556
0
            auth_size, auth, tag_size,
1557
0
            encr_size, plain, encr);
1558
0
    if (unlikely(ret == 0))
1559
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1560
0
  }
1561
0
  return 0;
1562
0
}
1563
1564
static int wrap_nettle_cipher_auth(void *_ctx, const void *plain,
1565
           size_t plain_size)
1566
0
{
1567
0
  struct nettle_cipher_ctx *ctx = _ctx;
1568
1569
0
  ctx->cipher->auth(ctx->ctx_ptr, plain_size, plain);
1570
1571
0
  return 0;
1572
0
}
1573
1574
static void wrap_nettle_cipher_tag(void *_ctx, void *tag, size_t tag_size)
1575
0
{
1576
0
  struct nettle_cipher_ctx *ctx = _ctx;
1577
1578
0
  ctx->cipher->tag(ctx->ctx_ptr, tag_size, tag);
1579
0
}
1580
1581
static void wrap_nettle_cipher_close(void *_ctx)
1582
0
{
1583
0
  struct nettle_cipher_ctx *ctx = _ctx;
1584
1585
0
  zeroize_temp_key(ctx->ctx_ptr, ctx->cipher->ctx_size);
1586
0
  gnutls_free(ctx);
1587
0
}
1588
1589
gnutls_crypto_cipher_st _gnutls_cipher_ops = {
1590
  .init = wrap_nettle_cipher_init,
1591
  .exists = wrap_nettle_cipher_exists,
1592
  .setiv = wrap_nettle_cipher_setiv,
1593
  .getiv = wrap_nettle_cipher_getiv,
1594
  .setkey = wrap_nettle_cipher_setkey,
1595
  .encrypt = wrap_nettle_cipher_encrypt,
1596
  .decrypt = wrap_nettle_cipher_decrypt,
1597
  .aead_encrypt = wrap_nettle_cipher_aead_encrypt,
1598
  .aead_decrypt = wrap_nettle_cipher_aead_decrypt,
1599
  .deinit = wrap_nettle_cipher_close,
1600
  .auth = wrap_nettle_cipher_auth,
1601
  .tag = wrap_nettle_cipher_tag,
1602
};