/src/gnutls/lib/nettle/cipher.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C) 2010-2012 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2014 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GNUTLS. |
8 | | * |
9 | | * The GNUTLS library is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | /* Here lie nettle's wrappers for cipher support. |
25 | | */ |
26 | | |
27 | | #include "gnutls_int.h" |
28 | | #include "errors.h" |
29 | | #include "cipher_int.h" |
30 | | #include <nettle/aes.h> |
31 | | #include <nettle/camellia.h> |
32 | | #include <nettle/arcfour.h> |
33 | | #include <nettle/arctwo.h> |
34 | | #include <nettle/salsa20.h> |
35 | | #include <nettle/des.h> |
36 | | #include <nettle/version.h> |
37 | | #if ENABLE_GOST |
38 | | #ifndef HAVE_NETTLE_GOST28147_SET_KEY |
39 | | #include "gost/gost28147.h" |
40 | | #else |
41 | | #include <nettle/gost28147.h> |
42 | | #endif |
43 | | #ifndef HAVE_NETTLE_MAGMA_SET_KEY |
44 | | #include "gost/magma.h" |
45 | | #else |
46 | | #include <nettle/magma.h> |
47 | | #endif |
48 | | #ifndef HAVE_NETTLE_KUZNYECHIK_SET_KEY |
49 | | #include "gost/kuznyechik.h" |
50 | | #else |
51 | | #include <nettle/kuznyechik.h> |
52 | | #endif |
53 | | #include "gost/acpkm.h" |
54 | | #include <nettle/ctr.h> |
55 | | #endif |
56 | | #include <nettle/nettle-meta.h> |
57 | | #include <nettle/cbc.h> |
58 | | #include <nettle/gcm.h> |
59 | | #include <nettle/ccm.h> |
60 | | #include <nettle/chacha.h> |
61 | | #include <nettle/chacha-poly1305.h> |
62 | | #include <nettle/cfb.h> |
63 | | #include <nettle/xts.h> |
64 | | #include <nettle/siv-cmac.h> |
65 | | #include <nettle/siv-gcm.h> |
66 | | #include <nettle/version.h> |
67 | | #include "fips.h" |
68 | | #include <intprops.h> |
69 | | |
70 | | struct nettle_cipher_ctx; |
71 | | |
72 | | /* Functions that refer to the nettle library. |
73 | | */ |
74 | | typedef void (*encrypt_func)(struct nettle_cipher_ctx *, size_t length, |
75 | | uint8_t *dst, const uint8_t *src); |
76 | | typedef void (*decrypt_func)(struct nettle_cipher_ctx *, size_t length, |
77 | | uint8_t *dst, const uint8_t *src); |
78 | | |
79 | | typedef void (*aead_encrypt_func)(struct nettle_cipher_ctx *, size_t nonce_size, |
80 | | const void *nonce, size_t auth_size, |
81 | | const void *auth, size_t tag_size, |
82 | | size_t length, uint8_t *dst, |
83 | | const uint8_t *src); |
84 | | typedef int (*aead_decrypt_func)(struct nettle_cipher_ctx *, size_t nonce_size, |
85 | | const void *nonce, size_t auth_size, |
86 | | const void *auth, size_t tag_size, |
87 | | size_t length, uint8_t *dst, |
88 | | const uint8_t *src); |
89 | | |
90 | | typedef void (*setiv_func)(void *ctx, size_t length, const uint8_t *); |
91 | | typedef void (*gen_setkey_func)(void *ctx, size_t length, const uint8_t *); |
92 | | |
93 | | struct nettle_cipher_st { |
94 | | gnutls_cipher_algorithm_t algo; |
95 | | unsigned ctx_size; |
96 | | nettle_cipher_func *encrypt_block; |
97 | | nettle_cipher_func *decrypt_block; |
98 | | unsigned block_size; |
99 | | unsigned key_size; |
100 | | unsigned max_iv_size; |
101 | | |
102 | | encrypt_func encrypt; |
103 | | decrypt_func decrypt; |
104 | | aead_encrypt_func aead_encrypt; |
105 | | aead_decrypt_func aead_decrypt; |
106 | | nettle_hash_update_func *auth; |
107 | | nettle_hash_digest_func *tag; |
108 | | nettle_set_key_func *set_encrypt_key; |
109 | | nettle_set_key_func *set_decrypt_key; |
110 | | gen_setkey_func gen_set_key; /* for arcfour which has variable key size */ |
111 | | setiv_func set_iv; |
112 | | }; |
113 | | |
114 | | struct nettle_cipher_ctx { |
115 | | const struct nettle_cipher_st *cipher; |
116 | | void *ctx_ptr; /* always 16-aligned */ |
117 | | uint8_t iv[MAX_CIPHER_BLOCK_SIZE]; |
118 | | unsigned iv_size; |
119 | | |
120 | | bool enc; |
121 | | size_t rekey_counter; |
122 | | }; |
123 | | |
124 | 0 | #define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32) |
125 | | static inline int record_aes_gcm_encrypt_size(size_t *counter, size_t size) |
126 | 0 | { |
127 | 0 | size_t sum; |
128 | |
|
129 | 0 | if (!INT_ADD_OK(*counter, size, &sum) || |
130 | 0 | sum > AES_GCM_ENCRYPT_MAX_BYTES) { |
131 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
132 | 0 | } |
133 | 0 | *counter = sum; |
134 | |
|
135 | 0 | return 0; |
136 | 0 | } |
137 | | |
138 | | static void _stream_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
139 | | uint8_t *dst, const uint8_t *src) |
140 | 0 | { |
141 | 0 | ctx->cipher->encrypt_block(ctx->ctx_ptr, length, dst, src); |
142 | 0 | } |
143 | | |
144 | | static void _stream_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
145 | | uint8_t *dst, const uint8_t *src) |
146 | 0 | { |
147 | 0 | ctx->cipher->decrypt_block(ctx->ctx_ptr, length, dst, src); |
148 | 0 | } |
149 | | |
150 | | static void _cbc_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
151 | | uint8_t *dst, const uint8_t *src) |
152 | 0 | { |
153 | 0 | cbc_encrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size, |
154 | 0 | ctx->iv, length, dst, src); |
155 | 0 | } |
156 | | |
157 | | static void _cbc_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
158 | | uint8_t *dst, const uint8_t *src) |
159 | 0 | { |
160 | 0 | cbc_decrypt(ctx->ctx_ptr, ctx->cipher->decrypt_block, ctx->iv_size, |
161 | 0 | ctx->iv, length, dst, src); |
162 | 0 | } |
163 | | |
164 | | static void _cfb_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
165 | | uint8_t *dst, const uint8_t *src) |
166 | 0 | { |
167 | 0 | cfb_encrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size, |
168 | 0 | ctx->iv, length, dst, src); |
169 | 0 | } |
170 | | |
171 | | static void _cfb_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
172 | | uint8_t *dst, const uint8_t *src) |
173 | 0 | { |
174 | 0 | cfb_decrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size, |
175 | 0 | ctx->iv, length, dst, src); |
176 | 0 | } |
177 | | |
178 | | #if ENABLE_GOST |
179 | | struct magma_acpkm_ctx { |
180 | | uint8_t iv[MAGMA_BLOCK_SIZE]; |
181 | | struct acpkm_ctx ctx; |
182 | | struct magma_ctx cipher; |
183 | | }; |
184 | | |
185 | | struct kuznyechik_acpkm_ctx { |
186 | | uint8_t iv[KUZNYECHIK_BLOCK_SIZE]; |
187 | | struct acpkm_ctx ctx; |
188 | | struct kuznyechik_ctx cipher; |
189 | | }; |
190 | | |
191 | | static void _ctr_acpkm_crypt(struct nettle_cipher_ctx *ctx, size_t length, |
192 | | uint8_t *dst, const uint8_t *src) |
193 | 0 | { |
194 | | /* Use context-specific IV which comes as a first field */ |
195 | 0 | ctr_crypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, |
196 | 0 | ctx->cipher->block_size, ctx->ctx_ptr, length, dst, src); |
197 | 0 | } |
198 | | |
199 | | static void _gost28147_set_key_tc26z(void *ctx, const uint8_t *key) |
200 | 0 | { |
201 | 0 | gost28147_set_param(ctx, &gost28147_param_TC26_Z); |
202 | 0 | gost28147_set_key(ctx, key); |
203 | 0 | } |
204 | | |
205 | | static void _gost28147_set_key_cpa(void *ctx, const uint8_t *key) |
206 | 0 | { |
207 | 0 | gost28147_set_param(ctx, &gost28147_param_CryptoPro_A); |
208 | 0 | gost28147_set_key(ctx, key); |
209 | 0 | } |
210 | | |
211 | | static void _gost28147_set_key_cpb(void *ctx, const uint8_t *key) |
212 | 0 | { |
213 | 0 | gost28147_set_param(ctx, &gost28147_param_CryptoPro_B); |
214 | 0 | gost28147_set_key(ctx, key); |
215 | 0 | } |
216 | | |
217 | | static void _gost28147_set_key_cpc(void *ctx, const uint8_t *key) |
218 | 0 | { |
219 | 0 | gost28147_set_param(ctx, &gost28147_param_CryptoPro_C); |
220 | 0 | gost28147_set_key(ctx, key); |
221 | 0 | } |
222 | | |
223 | | static void _gost28147_set_key_cpd(void *ctx, const uint8_t *key) |
224 | 0 | { |
225 | 0 | gost28147_set_param(ctx, &gost28147_param_CryptoPro_D); |
226 | 0 | gost28147_set_key(ctx, key); |
227 | 0 | } |
228 | | |
229 | | static void _gost28147_cnt_set_key_tc26z(void *ctx, const uint8_t *key) |
230 | 0 | { |
231 | 0 | gost28147_cnt_init(ctx, key, &gost28147_param_TC26_Z); |
232 | 0 | } |
233 | | |
234 | | static void _gost28147_cnt_set_nonce(void *ctx, size_t length, |
235 | | const uint8_t *nonce) |
236 | 0 | { |
237 | 0 | gost28147_cnt_set_iv(ctx, nonce); |
238 | 0 | } |
239 | | |
240 | | static void _gost28147_cnt_crypt(struct nettle_cipher_ctx *ctx, size_t length, |
241 | | uint8_t *dst, const uint8_t *src) |
242 | 0 | { |
243 | 0 | gost28147_cnt_crypt((void *)ctx->ctx_ptr, length, dst, src); |
244 | 0 | } |
245 | | |
246 | | static void _magma_acpkm_crypt(struct magma_acpkm_ctx *ctx, size_t length, |
247 | | uint8_t *dst, const uint8_t *src) |
248 | 0 | { |
249 | 0 | acpkm_crypt(&ctx->ctx, &ctx->cipher, |
250 | 0 | (nettle_cipher_func *)magma_encrypt, |
251 | 0 | (nettle_set_key_func *)magma_set_key, length, dst, src); |
252 | 0 | } |
253 | | |
254 | | static void _kuznyechik_acpkm_crypt(struct kuznyechik_acpkm_ctx *ctx, |
255 | | size_t length, uint8_t *dst, |
256 | | const uint8_t *src) |
257 | 0 | { |
258 | 0 | acpkm_crypt(&ctx->ctx, &ctx->cipher, |
259 | 0 | (nettle_cipher_func *)kuznyechik_encrypt, |
260 | 0 | (nettle_set_key_func *)kuznyechik_set_key, length, dst, |
261 | 0 | src); |
262 | 0 | } |
263 | | |
264 | | static void _magma_ctr_acpkm_set_key(struct magma_acpkm_ctx *ctx, |
265 | | const uint8_t *key) |
266 | 0 | { |
267 | 0 | magma_set_key(&ctx->cipher, key); |
268 | 0 | ctx->ctx.pos = 0; |
269 | 0 | ctx->ctx.N = 1024; |
270 | 0 | } |
271 | | |
272 | | static void _magma_ctr_acpkm_set_iv(struct magma_acpkm_ctx *ctx, size_t length, |
273 | | const uint8_t *iv) |
274 | 0 | { |
275 | 0 | memcpy(ctx->iv, iv, length); |
276 | 0 | memset(ctx->iv + length, 0, MAGMA_BLOCK_SIZE - length); |
277 | 0 | } |
278 | | |
279 | | static void _kuznyechik_ctr_acpkm_set_key(struct kuznyechik_acpkm_ctx *ctx, |
280 | | const uint8_t *key) |
281 | 0 | { |
282 | 0 | kuznyechik_set_key(&ctx->cipher, key); |
283 | 0 | ctx->ctx.pos = 0; |
284 | 0 | ctx->ctx.N = 4096; |
285 | 0 | } |
286 | | |
287 | | static void _kuznyechik_ctr_acpkm_set_iv(struct kuznyechik_acpkm_ctx *ctx, |
288 | | size_t length, const uint8_t *iv) |
289 | 0 | { |
290 | 0 | memcpy(ctx->iv, iv, length); |
291 | 0 | memset(ctx->iv + length, 0, KUZNYECHIK_BLOCK_SIZE - length); |
292 | 0 | } |
293 | | #endif |
294 | | |
295 | | static void _ccm_encrypt(struct nettle_cipher_ctx *ctx, size_t nonce_size, |
296 | | const void *nonce, size_t auth_size, const void *auth, |
297 | | size_t tag_size, size_t length, uint8_t *dst, |
298 | | const uint8_t *src) |
299 | 0 | { |
300 | 0 | ccm_encrypt_message((void *)ctx->ctx_ptr, ctx->cipher->encrypt_block, |
301 | 0 | nonce_size, nonce, auth_size, auth, tag_size, |
302 | 0 | length, dst, src); |
303 | 0 | } |
304 | | |
305 | | static int _ccm_decrypt(struct nettle_cipher_ctx *ctx, size_t nonce_size, |
306 | | const void *nonce, size_t auth_size, const void *auth, |
307 | | size_t tag_size, size_t length, uint8_t *dst, |
308 | | const uint8_t *src) |
309 | 0 | { |
310 | 0 | return ccm_decrypt_message((void *)ctx->ctx_ptr, |
311 | 0 | ctx->cipher->encrypt_block, nonce_size, |
312 | 0 | nonce, auth_size, auth, tag_size, length, |
313 | 0 | dst, src); |
314 | 0 | } |
315 | | |
316 | | static void _siv_cmac_aes128_encrypt_message(struct nettle_cipher_ctx *ctx, |
317 | | size_t nonce_size, |
318 | | const void *nonce, |
319 | | size_t auth_size, const void *auth, |
320 | | size_t tag_size, size_t length, |
321 | | uint8_t *dst, const uint8_t *src) |
322 | 0 | { |
323 | 0 | siv_cmac_aes128_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce, |
324 | 0 | auth_size, auth, length, dst, src); |
325 | 0 | } |
326 | | |
327 | | static int _siv_cmac_aes128_decrypt_message(struct nettle_cipher_ctx *ctx, |
328 | | size_t nonce_size, |
329 | | const void *nonce, size_t auth_size, |
330 | | const void *auth, size_t tag_size, |
331 | | size_t length, uint8_t *dst, |
332 | | const uint8_t *src) |
333 | 0 | { |
334 | 0 | return siv_cmac_aes128_decrypt_message((void *)ctx->ctx_ptr, nonce_size, |
335 | 0 | nonce, auth_size, auth, length, |
336 | 0 | dst, src); |
337 | 0 | } |
338 | | |
339 | | static void _siv_cmac_aes256_encrypt_message(struct nettle_cipher_ctx *ctx, |
340 | | size_t nonce_size, |
341 | | const void *nonce, |
342 | | size_t auth_size, const void *auth, |
343 | | size_t tag_size, size_t length, |
344 | | uint8_t *dst, const uint8_t *src) |
345 | 0 | { |
346 | 0 | siv_cmac_aes256_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce, |
347 | 0 | auth_size, auth, length, dst, src); |
348 | 0 | } |
349 | | |
350 | | static int _siv_cmac_aes256_decrypt_message(struct nettle_cipher_ctx *ctx, |
351 | | size_t nonce_size, |
352 | | const void *nonce, size_t auth_size, |
353 | | const void *auth, size_t tag_size, |
354 | | size_t length, uint8_t *dst, |
355 | | const uint8_t *src) |
356 | 0 | { |
357 | 0 | return siv_cmac_aes256_decrypt_message((void *)ctx->ctx_ptr, nonce_size, |
358 | 0 | nonce, auth_size, auth, length, |
359 | 0 | dst, src); |
360 | 0 | } |
361 | | |
362 | | static void _siv_gcm_aes128_encrypt_message(struct nettle_cipher_ctx *ctx, |
363 | | size_t nonce_size, |
364 | | const void *nonce, size_t auth_size, |
365 | | const void *auth, size_t tag_size, |
366 | | size_t length, uint8_t *dst, |
367 | | const uint8_t *src) |
368 | 0 | { |
369 | 0 | siv_gcm_aes128_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce, |
370 | 0 | auth_size, auth, length, dst, src); |
371 | 0 | } |
372 | | |
373 | | static int _siv_gcm_aes128_decrypt_message(struct nettle_cipher_ctx *ctx, |
374 | | size_t nonce_size, const void *nonce, |
375 | | size_t auth_size, const void *auth, |
376 | | size_t tag_size, size_t length, |
377 | | uint8_t *dst, const uint8_t *src) |
378 | 0 | { |
379 | 0 | return siv_gcm_aes128_decrypt_message((void *)ctx->ctx_ptr, nonce_size, |
380 | 0 | nonce, auth_size, auth, length, |
381 | 0 | dst, src); |
382 | 0 | } |
383 | | |
384 | | static void _siv_gcm_aes256_encrypt_message(struct nettle_cipher_ctx *ctx, |
385 | | size_t nonce_size, |
386 | | const void *nonce, size_t auth_size, |
387 | | const void *auth, size_t tag_size, |
388 | | size_t length, uint8_t *dst, |
389 | | const uint8_t *src) |
390 | 0 | { |
391 | 0 | siv_gcm_aes256_encrypt_message((void *)ctx->ctx_ptr, nonce_size, nonce, |
392 | 0 | auth_size, auth, length, dst, src); |
393 | 0 | } |
394 | | |
395 | | static int _siv_gcm_aes256_decrypt_message(struct nettle_cipher_ctx *ctx, |
396 | | size_t nonce_size, const void *nonce, |
397 | | size_t auth_size, const void *auth, |
398 | | size_t tag_size, size_t length, |
399 | | uint8_t *dst, const uint8_t *src) |
400 | 0 | { |
401 | 0 | return siv_gcm_aes256_decrypt_message((void *)ctx->ctx_ptr, nonce_size, |
402 | 0 | nonce, auth_size, auth, length, |
403 | 0 | dst, src); |
404 | 0 | } |
405 | | |
406 | | static void _chacha_set_nonce(struct chacha_ctx *ctx, size_t length, |
407 | | const uint8_t *nonce) |
408 | 0 | { |
409 | 0 | chacha_set_nonce(ctx, nonce + CHACHA_COUNTER_SIZE); |
410 | 0 | chacha_set_counter(ctx, nonce); |
411 | 0 | } |
412 | | |
413 | | static void _chacha_set_nonce96(struct chacha_ctx *ctx, size_t length, |
414 | | const uint8_t *nonce) |
415 | 0 | { |
416 | 0 | chacha_set_nonce96(ctx, nonce + CHACHA_COUNTER32_SIZE); |
417 | 0 | chacha_set_counter32(ctx, nonce); |
418 | 0 | } |
419 | | |
420 | | static void _chacha_poly1305_set_nonce(struct chacha_poly1305_ctx *ctx, |
421 | | size_t length, const uint8_t *nonce) |
422 | 0 | { |
423 | 0 | chacha_poly1305_set_nonce(ctx, nonce); |
424 | 0 | } |
425 | | |
426 | | struct gcm_cast_st { |
427 | | struct gcm_key key; |
428 | | struct gcm_ctx gcm; |
429 | | unsigned long xx[1]; |
430 | | }; |
431 | 0 | #define GCM_CTX_GET_KEY(ptr) (&((struct gcm_cast_st *)ptr)->key) |
432 | 0 | #define GCM_CTX_GET_CTX(ptr) (&((struct gcm_cast_st *)ptr)->gcm) |
433 | 0 | #define GCM_CTX_GET_CIPHER(ptr) ((void *)&((struct gcm_cast_st *)ptr)->xx) |
434 | | |
435 | | static void _gcm_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
436 | | uint8_t *dst, const uint8_t *src) |
437 | 0 | { |
438 | 0 | gcm_encrypt(GCM_CTX_GET_CTX(ctx->ctx_ptr), |
439 | 0 | GCM_CTX_GET_KEY(ctx->ctx_ptr), |
440 | 0 | GCM_CTX_GET_CIPHER(ctx->ctx_ptr), |
441 | 0 | ctx->cipher->encrypt_block, length, dst, src); |
442 | 0 | } |
443 | | |
444 | | static void _gcm_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
445 | | uint8_t *dst, const uint8_t *src) |
446 | 0 | { |
447 | 0 | gcm_decrypt(GCM_CTX_GET_CTX(ctx->ctx_ptr), |
448 | 0 | GCM_CTX_GET_KEY(ctx->ctx_ptr), |
449 | 0 | GCM_CTX_GET_CIPHER(ctx->ctx_ptr), |
450 | 0 | ctx->cipher->encrypt_block, length, dst, src); |
451 | 0 | } |
452 | | |
453 | | static void _des_set_key(struct des_ctx *ctx, const uint8_t *key) |
454 | 0 | { |
455 | 0 | des_set_key(ctx, key); |
456 | 0 | } |
457 | | |
458 | | static void _des3_set_key(struct des3_ctx *ctx, const uint8_t *key) |
459 | 0 | { |
460 | 0 | des3_set_key(ctx, key); |
461 | 0 | } |
462 | | |
463 | | static void _cfb8_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
464 | | uint8_t *dst, const uint8_t *src) |
465 | 0 | { |
466 | 0 | cfb8_encrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size, |
467 | 0 | ctx->iv, length, dst, src); |
468 | 0 | } |
469 | | |
470 | | static void _cfb8_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
471 | | uint8_t *dst, const uint8_t *src) |
472 | 0 | { |
473 | 0 | cfb8_decrypt(ctx->ctx_ptr, ctx->cipher->encrypt_block, ctx->iv_size, |
474 | 0 | ctx->iv, length, dst, src); |
475 | 0 | } |
476 | | |
477 | | static void _xts_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
478 | | uint8_t *dst, const uint8_t *src) |
479 | 0 | { |
480 | 0 | xts_aes128_encrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src); |
481 | 0 | } |
482 | | |
483 | | static void _xts_aes128_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
484 | | uint8_t *dst, const uint8_t *src) |
485 | 0 | { |
486 | 0 | xts_aes128_decrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src); |
487 | 0 | } |
488 | | |
489 | | static void _xts_aes256_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
490 | | uint8_t *dst, const uint8_t *src) |
491 | 0 | { |
492 | 0 | xts_aes256_encrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src); |
493 | 0 | } |
494 | | |
495 | | static void _xts_aes256_decrypt(struct nettle_cipher_ctx *ctx, size_t length, |
496 | | uint8_t *dst, const uint8_t *src) |
497 | 0 | { |
498 | 0 | xts_aes256_decrypt_message(ctx->ctx_ptr, ctx->iv, length, dst, src); |
499 | 0 | } |
500 | | |
501 | | static void _cbc_aes128_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
502 | | uint8_t *dst, const uint8_t *src) |
503 | 0 | { |
504 | 0 | assert((length % ctx->cipher->block_size) == 0); |
505 | 0 | cbc_aes128_encrypt(ctx->ctx_ptr, ctx->iv, length, dst, src); |
506 | 0 | } |
507 | | |
508 | | static void _cbc_aes192_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
509 | | uint8_t *dst, const uint8_t *src) |
510 | 0 | { |
511 | 0 | assert((length % ctx->cipher->block_size) == 0); |
512 | 0 | cbc_aes192_encrypt(ctx->ctx_ptr, ctx->iv, length, dst, src); |
513 | 0 | } |
514 | | |
515 | | static void _cbc_aes256_encrypt(struct nettle_cipher_ctx *ctx, size_t length, |
516 | | uint8_t *dst, const uint8_t *src) |
517 | 0 | { |
518 | 0 | assert((length % ctx->cipher->block_size) == 0); |
519 | 0 | cbc_aes256_encrypt(ctx->ctx_ptr, ctx->iv, length, dst, src); |
520 | 0 | } |
521 | | |
522 | | static const struct nettle_cipher_st builtin_ciphers[] = { |
523 | | { |
524 | | .algo = GNUTLS_CIPHER_AES_128_GCM, |
525 | | .block_size = AES_BLOCK_SIZE, |
526 | | .key_size = AES128_KEY_SIZE, |
527 | | .encrypt_block = (nettle_cipher_func *)aes128_encrypt, |
528 | | .decrypt_block = (nettle_cipher_func *)aes128_decrypt, |
529 | | |
530 | | .ctx_size = sizeof(struct gcm_aes128_ctx), |
531 | | .encrypt = _gcm_encrypt, |
532 | | .decrypt = _gcm_decrypt, |
533 | | .set_encrypt_key = (nettle_set_key_func *)gcm_aes128_set_key, |
534 | | .set_decrypt_key = (nettle_set_key_func *)gcm_aes128_set_key, |
535 | | |
536 | | .tag = (nettle_hash_digest_func *)gcm_aes128_digest, |
537 | | .auth = (nettle_hash_update_func *)gcm_aes128_update, |
538 | | .set_iv = (setiv_func)gcm_aes128_set_iv, |
539 | | .max_iv_size = GCM_IV_SIZE, |
540 | | }, |
541 | | { |
542 | | .algo = GNUTLS_CIPHER_AES_192_GCM, |
543 | | .block_size = AES_BLOCK_SIZE, |
544 | | .key_size = AES192_KEY_SIZE, |
545 | | .encrypt_block = (nettle_cipher_func *)aes192_encrypt, |
546 | | .decrypt_block = (nettle_cipher_func *)aes192_decrypt, |
547 | | |
548 | | .ctx_size = sizeof(struct gcm_aes192_ctx), |
549 | | .encrypt = _gcm_encrypt, |
550 | | .decrypt = _gcm_decrypt, |
551 | | .set_encrypt_key = (nettle_set_key_func *)gcm_aes192_set_key, |
552 | | .set_decrypt_key = (nettle_set_key_func *)gcm_aes192_set_key, |
553 | | |
554 | | .tag = (nettle_hash_digest_func *)gcm_aes192_digest, |
555 | | .auth = (nettle_hash_update_func *)gcm_aes192_update, |
556 | | .set_iv = (setiv_func)gcm_aes192_set_iv, |
557 | | .max_iv_size = GCM_IV_SIZE, |
558 | | }, |
559 | | { |
560 | | .algo = GNUTLS_CIPHER_AES_256_GCM, |
561 | | .block_size = AES_BLOCK_SIZE, |
562 | | .key_size = AES256_KEY_SIZE, |
563 | | .encrypt_block = (nettle_cipher_func *)aes256_encrypt, |
564 | | .decrypt_block = (nettle_cipher_func *)aes256_decrypt, |
565 | | |
566 | | .ctx_size = sizeof(struct gcm_aes256_ctx), |
567 | | .encrypt = _gcm_encrypt, |
568 | | .decrypt = _gcm_decrypt, |
569 | | .set_encrypt_key = (nettle_set_key_func *)gcm_aes256_set_key, |
570 | | .set_decrypt_key = (nettle_set_key_func *)gcm_aes256_set_key, |
571 | | |
572 | | .tag = (nettle_hash_digest_func *)gcm_aes256_digest, |
573 | | .auth = (nettle_hash_update_func *)gcm_aes256_update, |
574 | | .set_iv = (setiv_func)gcm_aes256_set_iv, |
575 | | .max_iv_size = GCM_IV_SIZE, |
576 | | }, |
577 | | { |
578 | | .algo = GNUTLS_CIPHER_AES_128_CCM, |
579 | | .block_size = AES_BLOCK_SIZE, |
580 | | .key_size = AES128_KEY_SIZE, |
581 | | .encrypt_block = (nettle_cipher_func *)aes128_encrypt, |
582 | | .decrypt_block = (nettle_cipher_func *)aes128_decrypt, |
583 | | |
584 | | .ctx_size = sizeof(struct aes128_ctx), |
585 | | .aead_encrypt = _ccm_encrypt, |
586 | | .aead_decrypt = _ccm_decrypt, |
587 | | .set_encrypt_key = |
588 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
589 | | .set_decrypt_key = |
590 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
591 | | .max_iv_size = CCM_MAX_NONCE_SIZE, |
592 | | }, |
593 | | { |
594 | | .algo = GNUTLS_CIPHER_AES_128_CCM_8, |
595 | | .block_size = AES_BLOCK_SIZE, |
596 | | .key_size = AES128_KEY_SIZE, |
597 | | .encrypt_block = (nettle_cipher_func *)aes128_encrypt, |
598 | | .decrypt_block = (nettle_cipher_func *)aes128_decrypt, |
599 | | |
600 | | .ctx_size = sizeof(struct aes128_ctx), |
601 | | .aead_encrypt = _ccm_encrypt, |
602 | | .aead_decrypt = _ccm_decrypt, |
603 | | .set_encrypt_key = |
604 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
605 | | .set_decrypt_key = |
606 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
607 | | .max_iv_size = CCM_MAX_NONCE_SIZE, |
608 | | }, |
609 | | { |
610 | | .algo = GNUTLS_CIPHER_AES_256_CCM, |
611 | | .block_size = AES_BLOCK_SIZE, |
612 | | .key_size = AES256_KEY_SIZE, |
613 | | .encrypt_block = (nettle_cipher_func *)aes256_encrypt, |
614 | | .decrypt_block = (nettle_cipher_func *)aes256_decrypt, |
615 | | |
616 | | .ctx_size = sizeof(struct aes256_ctx), |
617 | | .aead_encrypt = _ccm_encrypt, |
618 | | .aead_decrypt = _ccm_decrypt, |
619 | | .set_encrypt_key = |
620 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
621 | | .set_decrypt_key = |
622 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
623 | | .max_iv_size = CCM_MAX_NONCE_SIZE, |
624 | | }, |
625 | | { |
626 | | .algo = GNUTLS_CIPHER_AES_256_CCM_8, |
627 | | .block_size = AES_BLOCK_SIZE, |
628 | | .key_size = AES256_KEY_SIZE, |
629 | | .encrypt_block = (nettle_cipher_func *)aes256_encrypt, |
630 | | .decrypt_block = (nettle_cipher_func *)aes256_decrypt, |
631 | | |
632 | | .ctx_size = sizeof(struct aes256_ctx), |
633 | | .aead_encrypt = _ccm_encrypt, |
634 | | .aead_decrypt = _ccm_decrypt, |
635 | | .set_encrypt_key = |
636 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
637 | | .set_decrypt_key = |
638 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
639 | | .max_iv_size = CCM_MAX_NONCE_SIZE, |
640 | | }, |
641 | | { .algo = GNUTLS_CIPHER_CAMELLIA_128_GCM, |
642 | | .block_size = CAMELLIA_BLOCK_SIZE, |
643 | | .key_size = CAMELLIA128_KEY_SIZE, |
644 | | .encrypt_block = (nettle_cipher_func *)camellia128_crypt, |
645 | | .decrypt_block = (nettle_cipher_func *)camellia128_crypt, |
646 | | |
647 | | .ctx_size = sizeof(struct gcm_camellia128_ctx), |
648 | | .encrypt = _gcm_encrypt, |
649 | | .decrypt = _gcm_decrypt, |
650 | | .set_encrypt_key = (nettle_set_key_func *)gcm_camellia128_set_key, |
651 | | .set_decrypt_key = (nettle_set_key_func *)gcm_camellia128_set_key, |
652 | | .tag = (nettle_hash_digest_func *)gcm_camellia128_digest, |
653 | | .auth = (nettle_hash_update_func *)gcm_camellia128_update, |
654 | | .max_iv_size = GCM_IV_SIZE, |
655 | | .set_iv = (setiv_func)gcm_camellia128_set_iv }, |
656 | | { .algo = GNUTLS_CIPHER_CAMELLIA_256_GCM, |
657 | | .block_size = CAMELLIA_BLOCK_SIZE, |
658 | | .key_size = CAMELLIA256_KEY_SIZE, |
659 | | .encrypt_block = (nettle_cipher_func *)camellia256_crypt, |
660 | | .decrypt_block = (nettle_cipher_func *)camellia256_crypt, |
661 | | |
662 | | .ctx_size = sizeof(struct gcm_camellia256_ctx), |
663 | | .encrypt = _gcm_encrypt, |
664 | | .decrypt = _gcm_decrypt, |
665 | | .set_encrypt_key = (nettle_set_key_func *)gcm_camellia256_set_key, |
666 | | .set_decrypt_key = (nettle_set_key_func *)gcm_camellia256_set_key, |
667 | | .tag = (nettle_hash_digest_func *)gcm_camellia256_digest, |
668 | | .auth = (nettle_hash_update_func *)gcm_camellia256_update, |
669 | | .max_iv_size = GCM_IV_SIZE, |
670 | | .set_iv = (setiv_func)gcm_camellia256_set_iv }, |
671 | | { |
672 | | .algo = GNUTLS_CIPHER_AES_128_CBC, |
673 | | .block_size = AES_BLOCK_SIZE, |
674 | | .key_size = AES128_KEY_SIZE, |
675 | | .encrypt_block = (nettle_cipher_func *)aes128_encrypt, |
676 | | .decrypt_block = (nettle_cipher_func *)aes128_decrypt, |
677 | | |
678 | | .ctx_size = sizeof( |
679 | | struct CBC_CTX(struct aes128_ctx, AES_BLOCK_SIZE)), |
680 | | .encrypt = _cbc_aes128_encrypt, |
681 | | .decrypt = _cbc_decrypt, |
682 | | .set_encrypt_key = |
683 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
684 | | .set_decrypt_key = |
685 | | (nettle_set_key_func *)aes128_set_decrypt_key, |
686 | | .max_iv_size = AES_BLOCK_SIZE, |
687 | | }, |
688 | | { |
689 | | .algo = GNUTLS_CIPHER_AES_192_CBC, |
690 | | .block_size = AES_BLOCK_SIZE, |
691 | | .key_size = AES192_KEY_SIZE, |
692 | | .encrypt_block = (nettle_cipher_func *)aes192_encrypt, |
693 | | .decrypt_block = (nettle_cipher_func *)aes192_decrypt, |
694 | | |
695 | | .ctx_size = sizeof( |
696 | | struct CBC_CTX(struct aes192_ctx, AES_BLOCK_SIZE)), |
697 | | .encrypt = _cbc_aes192_encrypt, |
698 | | .decrypt = _cbc_decrypt, |
699 | | .set_encrypt_key = |
700 | | (nettle_set_key_func *)aes192_set_encrypt_key, |
701 | | .set_decrypt_key = |
702 | | (nettle_set_key_func *)aes192_set_decrypt_key, |
703 | | .max_iv_size = AES_BLOCK_SIZE, |
704 | | }, |
705 | | { |
706 | | .algo = GNUTLS_CIPHER_AES_256_CBC, |
707 | | .block_size = AES_BLOCK_SIZE, |
708 | | .key_size = AES256_KEY_SIZE, |
709 | | .encrypt_block = (nettle_cipher_func *)aes256_encrypt, |
710 | | .decrypt_block = (nettle_cipher_func *)aes256_decrypt, |
711 | | |
712 | | .ctx_size = sizeof( |
713 | | struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE)), |
714 | | .encrypt = _cbc_aes256_encrypt, |
715 | | .decrypt = _cbc_decrypt, |
716 | | .set_encrypt_key = |
717 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
718 | | .set_decrypt_key = |
719 | | (nettle_set_key_func *)aes256_set_decrypt_key, |
720 | | .max_iv_size = AES_BLOCK_SIZE, |
721 | | }, |
722 | | { |
723 | | .algo = GNUTLS_CIPHER_CAMELLIA_128_CBC, |
724 | | .block_size = CAMELLIA_BLOCK_SIZE, |
725 | | .key_size = CAMELLIA128_KEY_SIZE, |
726 | | .encrypt_block = (nettle_cipher_func *)camellia128_crypt, |
727 | | .decrypt_block = (nettle_cipher_func *)camellia128_crypt, |
728 | | |
729 | | .ctx_size = sizeof(struct CBC_CTX(struct camellia128_ctx, |
730 | | CAMELLIA_BLOCK_SIZE)), |
731 | | .encrypt = _cbc_encrypt, |
732 | | .decrypt = _cbc_decrypt, |
733 | | .set_encrypt_key = |
734 | | (nettle_set_key_func *)camellia128_set_encrypt_key, |
735 | | .set_decrypt_key = |
736 | | (nettle_set_key_func *)camellia128_set_decrypt_key, |
737 | | .max_iv_size = CAMELLIA_BLOCK_SIZE, |
738 | | }, |
739 | | { |
740 | | .algo = GNUTLS_CIPHER_CAMELLIA_192_CBC, |
741 | | .block_size = CAMELLIA_BLOCK_SIZE, |
742 | | .key_size = CAMELLIA192_KEY_SIZE, |
743 | | .encrypt_block = (nettle_cipher_func *)camellia192_crypt, |
744 | | .decrypt_block = (nettle_cipher_func *)camellia192_crypt, |
745 | | |
746 | | .ctx_size = sizeof(struct CBC_CTX(struct camellia192_ctx, |
747 | | CAMELLIA_BLOCK_SIZE)), |
748 | | .encrypt = _cbc_encrypt, |
749 | | .decrypt = _cbc_decrypt, |
750 | | .set_encrypt_key = |
751 | | (nettle_set_key_func *)camellia192_set_encrypt_key, |
752 | | .set_decrypt_key = |
753 | | (nettle_set_key_func *)camellia192_set_decrypt_key, |
754 | | .max_iv_size = CAMELLIA_BLOCK_SIZE, |
755 | | }, |
756 | | { |
757 | | .algo = GNUTLS_CIPHER_CAMELLIA_256_CBC, |
758 | | .block_size = CAMELLIA_BLOCK_SIZE, |
759 | | .key_size = CAMELLIA256_KEY_SIZE, |
760 | | .encrypt_block = (nettle_cipher_func *)camellia256_crypt, |
761 | | .decrypt_block = (nettle_cipher_func *)camellia256_crypt, |
762 | | |
763 | | .ctx_size = sizeof(struct CBC_CTX(struct camellia256_ctx, |
764 | | CAMELLIA_BLOCK_SIZE)), |
765 | | .encrypt = _cbc_encrypt, |
766 | | .decrypt = _cbc_decrypt, |
767 | | .set_encrypt_key = |
768 | | (nettle_set_key_func *)camellia256_set_encrypt_key, |
769 | | .set_decrypt_key = |
770 | | (nettle_set_key_func *)camellia256_set_decrypt_key, |
771 | | .max_iv_size = CAMELLIA_BLOCK_SIZE, |
772 | | }, |
773 | | { |
774 | | .algo = GNUTLS_CIPHER_RC2_40_CBC, |
775 | | .block_size = ARCTWO_BLOCK_SIZE, |
776 | | .key_size = 5, |
777 | | .encrypt_block = (nettle_cipher_func *)arctwo_encrypt, |
778 | | .decrypt_block = (nettle_cipher_func *)arctwo_decrypt, |
779 | | |
780 | | .ctx_size = sizeof( |
781 | | struct CBC_CTX(struct arctwo_ctx, ARCTWO_BLOCK_SIZE)), |
782 | | .encrypt = _cbc_encrypt, |
783 | | .decrypt = _cbc_decrypt, |
784 | | .set_encrypt_key = (nettle_set_key_func *)arctwo40_set_key, |
785 | | .set_decrypt_key = (nettle_set_key_func *)arctwo40_set_key, |
786 | | .max_iv_size = ARCTWO_BLOCK_SIZE, |
787 | | }, |
788 | | { |
789 | | .algo = GNUTLS_CIPHER_DES_CBC, |
790 | | .block_size = DES_BLOCK_SIZE, |
791 | | .key_size = DES_KEY_SIZE, |
792 | | .encrypt_block = (nettle_cipher_func *)des_encrypt, |
793 | | .decrypt_block = (nettle_cipher_func *)des_decrypt, |
794 | | |
795 | | .ctx_size = |
796 | | sizeof(struct CBC_CTX(struct des_ctx, DES_BLOCK_SIZE)), |
797 | | .encrypt = _cbc_encrypt, |
798 | | .decrypt = _cbc_decrypt, |
799 | | .set_encrypt_key = (nettle_set_key_func *)_des_set_key, |
800 | | .set_decrypt_key = (nettle_set_key_func *)_des_set_key, |
801 | | .max_iv_size = DES_BLOCK_SIZE, |
802 | | }, |
803 | | { |
804 | | .algo = GNUTLS_CIPHER_3DES_CBC, |
805 | | .block_size = DES3_BLOCK_SIZE, |
806 | | .key_size = DES3_KEY_SIZE, |
807 | | .encrypt_block = (nettle_cipher_func *)des3_encrypt, |
808 | | .decrypt_block = (nettle_cipher_func *)des3_decrypt, |
809 | | |
810 | | .ctx_size = sizeof( |
811 | | struct CBC_CTX(struct des3_ctx, DES3_BLOCK_SIZE)), |
812 | | .encrypt = _cbc_encrypt, |
813 | | .decrypt = _cbc_decrypt, |
814 | | .set_encrypt_key = (nettle_set_key_func *)_des3_set_key, |
815 | | .set_decrypt_key = (nettle_set_key_func *)_des3_set_key, |
816 | | .max_iv_size = DES_BLOCK_SIZE, |
817 | | }, |
818 | | { |
819 | | .algo = GNUTLS_CIPHER_ARCFOUR_128, |
820 | | .block_size = 1, |
821 | | .key_size = 0, |
822 | | .encrypt_block = (nettle_cipher_func *)arcfour_crypt, |
823 | | .decrypt_block = (nettle_cipher_func *)arcfour_crypt, |
824 | | |
825 | | .ctx_size = sizeof(struct arcfour_ctx), |
826 | | .encrypt = _stream_encrypt, |
827 | | .decrypt = _stream_encrypt, |
828 | | .gen_set_key = (gen_setkey_func)arcfour_set_key, |
829 | | .set_encrypt_key = (nettle_set_key_func *)arcfour128_set_key, |
830 | | .set_decrypt_key = (nettle_set_key_func *)arcfour128_set_key, |
831 | | }, |
832 | | { |
833 | | .algo = GNUTLS_CIPHER_SALSA20_256, |
834 | | .block_size = 1, |
835 | | .key_size = SALSA20_256_KEY_SIZE, |
836 | | .encrypt_block = (nettle_cipher_func *)salsa20_crypt, |
837 | | .decrypt_block = (nettle_cipher_func *)salsa20_crypt, |
838 | | |
839 | | .ctx_size = sizeof(struct salsa20_ctx), |
840 | | .encrypt = _stream_encrypt, |
841 | | .decrypt = _stream_encrypt, |
842 | | .set_encrypt_key = (nettle_set_key_func *)salsa20_256_set_key, |
843 | | .set_decrypt_key = (nettle_set_key_func *)salsa20_256_set_key, |
844 | | .max_iv_size = SALSA20_NONCE_SIZE, |
845 | | }, |
846 | | { |
847 | | .algo = GNUTLS_CIPHER_ESTREAM_SALSA20_256, |
848 | | .block_size = 1, |
849 | | .key_size = SALSA20_256_KEY_SIZE, |
850 | | .encrypt_block = (nettle_cipher_func *)salsa20r12_crypt, |
851 | | .decrypt_block = (nettle_cipher_func *)salsa20r12_crypt, |
852 | | |
853 | | .ctx_size = sizeof(struct salsa20_ctx), |
854 | | .encrypt = _stream_encrypt, |
855 | | .decrypt = _stream_encrypt, |
856 | | .set_encrypt_key = (nettle_set_key_func *)salsa20_256_set_key, |
857 | | .set_decrypt_key = (nettle_set_key_func *)salsa20_256_set_key, |
858 | | .max_iv_size = SALSA20_NONCE_SIZE, |
859 | | }, |
860 | | { |
861 | | .algo = GNUTLS_CIPHER_CHACHA20_32, |
862 | | .block_size = 1, |
863 | | .key_size = CHACHA_KEY_SIZE, |
864 | | .encrypt_block = (nettle_cipher_func *)chacha_crypt32, |
865 | | .decrypt_block = (nettle_cipher_func *)chacha_crypt32, |
866 | | |
867 | | .ctx_size = sizeof(struct chacha_ctx), |
868 | | .encrypt = _stream_encrypt, |
869 | | .decrypt = _stream_encrypt, |
870 | | .set_encrypt_key = (nettle_set_key_func *)chacha_set_key, |
871 | | .set_decrypt_key = (nettle_set_key_func *)chacha_set_key, |
872 | | .set_iv = (setiv_func)_chacha_set_nonce96, |
873 | | /* we allow setting the initial block counter as part of nonce */ |
874 | | .max_iv_size = CHACHA_NONCE96_SIZE + CHACHA_COUNTER32_SIZE, |
875 | | }, |
876 | | { |
877 | | .algo = GNUTLS_CIPHER_CHACHA20_64, |
878 | | .block_size = 1, |
879 | | .key_size = CHACHA_KEY_SIZE, |
880 | | .encrypt_block = (nettle_cipher_func *)chacha_crypt, |
881 | | .decrypt_block = (nettle_cipher_func *)chacha_crypt, |
882 | | |
883 | | .ctx_size = sizeof(struct chacha_ctx), |
884 | | .encrypt = _stream_encrypt, |
885 | | .decrypt = _stream_encrypt, |
886 | | .set_encrypt_key = (nettle_set_key_func *)chacha_set_key, |
887 | | .set_decrypt_key = (nettle_set_key_func *)chacha_set_key, |
888 | | .set_iv = (setiv_func)_chacha_set_nonce, |
889 | | /* we allow setting the initial block counter as part of nonce */ |
890 | | .max_iv_size = CHACHA_NONCE_SIZE + CHACHA_COUNTER_SIZE, |
891 | | }, |
892 | | { |
893 | | .algo = GNUTLS_CIPHER_CHACHA20_POLY1305, |
894 | | .block_size = CHACHA_POLY1305_BLOCK_SIZE, |
895 | | .key_size = CHACHA_POLY1305_KEY_SIZE, |
896 | | |
897 | | .ctx_size = sizeof(struct chacha_poly1305_ctx), |
898 | | .encrypt_block = (nettle_cipher_func *)chacha_poly1305_encrypt, |
899 | | .decrypt_block = (nettle_cipher_func *)chacha_poly1305_decrypt, |
900 | | .encrypt = _stream_encrypt, |
901 | | .decrypt = _stream_decrypt, |
902 | | .auth = (nettle_hash_update_func *)chacha_poly1305_update, |
903 | | .tag = (nettle_hash_digest_func *)chacha_poly1305_digest, |
904 | | .set_encrypt_key = |
905 | | (nettle_set_key_func *)chacha_poly1305_set_key, |
906 | | .set_decrypt_key = |
907 | | (nettle_set_key_func *)chacha_poly1305_set_key, |
908 | | .set_iv = (setiv_func)_chacha_poly1305_set_nonce, |
909 | | .max_iv_size = CHACHA_POLY1305_NONCE_SIZE, |
910 | | }, |
911 | | #if ENABLE_GOST |
912 | | { |
913 | | .algo = GNUTLS_CIPHER_GOST28147_TC26Z_CFB, |
914 | | .block_size = GOST28147_BLOCK_SIZE, |
915 | | .key_size = GOST28147_KEY_SIZE, |
916 | | .encrypt_block = |
917 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
918 | | .decrypt_block = |
919 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
920 | | |
921 | | .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx, |
922 | | GOST28147_BLOCK_SIZE)), |
923 | | .encrypt = _cfb_encrypt, |
924 | | .decrypt = _cfb_decrypt, |
925 | | .set_encrypt_key = _gost28147_set_key_tc26z, |
926 | | .set_decrypt_key = _gost28147_set_key_tc26z, |
927 | | }, |
928 | | { |
929 | | .algo = GNUTLS_CIPHER_GOST28147_CPA_CFB, |
930 | | .block_size = GOST28147_BLOCK_SIZE, |
931 | | .key_size = GOST28147_KEY_SIZE, |
932 | | .encrypt_block = |
933 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
934 | | .decrypt_block = |
935 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
936 | | |
937 | | .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx, |
938 | | GOST28147_BLOCK_SIZE)), |
939 | | .encrypt = _cfb_encrypt, |
940 | | .decrypt = _cfb_decrypt, |
941 | | .set_encrypt_key = _gost28147_set_key_cpa, |
942 | | .set_decrypt_key = _gost28147_set_key_cpa, |
943 | | }, |
944 | | { |
945 | | .algo = GNUTLS_CIPHER_GOST28147_CPB_CFB, |
946 | | .block_size = GOST28147_BLOCK_SIZE, |
947 | | .key_size = GOST28147_KEY_SIZE, |
948 | | .encrypt_block = |
949 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
950 | | .decrypt_block = |
951 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
952 | | |
953 | | .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx, |
954 | | GOST28147_BLOCK_SIZE)), |
955 | | .encrypt = _cfb_encrypt, |
956 | | .decrypt = _cfb_decrypt, |
957 | | .set_encrypt_key = _gost28147_set_key_cpb, |
958 | | .set_decrypt_key = _gost28147_set_key_cpb, |
959 | | }, |
960 | | { |
961 | | .algo = GNUTLS_CIPHER_GOST28147_CPC_CFB, |
962 | | .block_size = GOST28147_BLOCK_SIZE, |
963 | | .key_size = GOST28147_KEY_SIZE, |
964 | | .encrypt_block = |
965 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
966 | | .decrypt_block = |
967 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
968 | | |
969 | | .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx, |
970 | | GOST28147_BLOCK_SIZE)), |
971 | | .encrypt = _cfb_encrypt, |
972 | | .decrypt = _cfb_decrypt, |
973 | | .set_encrypt_key = _gost28147_set_key_cpc, |
974 | | .set_decrypt_key = _gost28147_set_key_cpc, |
975 | | }, |
976 | | { |
977 | | .algo = GNUTLS_CIPHER_GOST28147_CPD_CFB, |
978 | | .block_size = GOST28147_BLOCK_SIZE, |
979 | | .key_size = GOST28147_KEY_SIZE, |
980 | | .encrypt_block = |
981 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
982 | | .decrypt_block = |
983 | | (nettle_cipher_func *)gost28147_encrypt_for_cfb, |
984 | | |
985 | | .ctx_size = sizeof(struct CFB_CTX(struct gost28147_ctx, |
986 | | GOST28147_BLOCK_SIZE)), |
987 | | .encrypt = _cfb_encrypt, |
988 | | .decrypt = _cfb_decrypt, |
989 | | .set_encrypt_key = _gost28147_set_key_cpd, |
990 | | .set_decrypt_key = _gost28147_set_key_cpd, |
991 | | }, |
992 | | { |
993 | | .algo = GNUTLS_CIPHER_GOST28147_TC26Z_CNT, |
994 | | .block_size = GOST28147_BLOCK_SIZE, |
995 | | .key_size = GOST28147_KEY_SIZE, |
996 | | .encrypt_block = |
997 | | (nettle_cipher_func *)gost28147_encrypt, /* unused */ |
998 | | .decrypt_block = |
999 | | (nettle_cipher_func *)gost28147_decrypt, /* unused */ |
1000 | | |
1001 | | .ctx_size = sizeof(struct gost28147_cnt_ctx), |
1002 | | .encrypt = _gost28147_cnt_crypt, |
1003 | | .decrypt = _gost28147_cnt_crypt, |
1004 | | .set_encrypt_key = _gost28147_cnt_set_key_tc26z, |
1005 | | .set_decrypt_key = _gost28147_cnt_set_key_tc26z, |
1006 | | .set_iv = (setiv_func)_gost28147_cnt_set_nonce, |
1007 | | }, |
1008 | | { |
1009 | | .algo = GNUTLS_CIPHER_MAGMA_CTR_ACPKM, |
1010 | | .block_size = MAGMA_BLOCK_SIZE, |
1011 | | .key_size = MAGMA_KEY_SIZE, |
1012 | | .encrypt_block = (nettle_cipher_func *)_magma_acpkm_crypt, |
1013 | | .decrypt_block = (nettle_cipher_func *)_magma_acpkm_crypt, |
1014 | | |
1015 | | .ctx_size = sizeof(struct magma_acpkm_ctx), |
1016 | | .encrypt = _ctr_acpkm_crypt, |
1017 | | .decrypt = _ctr_acpkm_crypt, |
1018 | | .set_encrypt_key = |
1019 | | (nettle_set_key_func *)_magma_ctr_acpkm_set_key, |
1020 | | .set_decrypt_key = |
1021 | | (nettle_set_key_func *)_magma_ctr_acpkm_set_key, |
1022 | | .set_iv = (setiv_func)_magma_ctr_acpkm_set_iv, |
1023 | | }, |
1024 | | { |
1025 | | .algo = GNUTLS_CIPHER_KUZNYECHIK_CTR_ACPKM, |
1026 | | .block_size = KUZNYECHIK_BLOCK_SIZE, |
1027 | | .key_size = KUZNYECHIK_KEY_SIZE, |
1028 | | .encrypt_block = (nettle_cipher_func *)_kuznyechik_acpkm_crypt, |
1029 | | .decrypt_block = (nettle_cipher_func *)_kuznyechik_acpkm_crypt, |
1030 | | |
1031 | | .ctx_size = sizeof(struct kuznyechik_acpkm_ctx), |
1032 | | .encrypt = _ctr_acpkm_crypt, |
1033 | | .decrypt = _ctr_acpkm_crypt, |
1034 | | .set_encrypt_key = |
1035 | | (nettle_set_key_func *)_kuznyechik_ctr_acpkm_set_key, |
1036 | | .set_decrypt_key = |
1037 | | (nettle_set_key_func *)_kuznyechik_ctr_acpkm_set_key, |
1038 | | .set_iv = (setiv_func)_kuznyechik_ctr_acpkm_set_iv, |
1039 | | }, |
1040 | | #endif |
1041 | | { |
1042 | | .algo = GNUTLS_CIPHER_AES_128_CFB8, |
1043 | | .block_size = AES_BLOCK_SIZE, |
1044 | | .key_size = AES128_KEY_SIZE, |
1045 | | .encrypt_block = (nettle_cipher_func *)aes128_encrypt, |
1046 | | .decrypt_block = (nettle_cipher_func *)aes128_encrypt, |
1047 | | |
1048 | | .ctx_size = sizeof( |
1049 | | struct CFB8_CTX(struct aes128_ctx, AES_BLOCK_SIZE)), |
1050 | | .encrypt = _cfb8_encrypt, |
1051 | | .decrypt = _cfb8_decrypt, |
1052 | | .set_encrypt_key = |
1053 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
1054 | | .set_decrypt_key = |
1055 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
1056 | | .max_iv_size = AES_BLOCK_SIZE, |
1057 | | }, |
1058 | | { |
1059 | | .algo = GNUTLS_CIPHER_AES_192_CFB8, |
1060 | | .block_size = AES_BLOCK_SIZE, |
1061 | | .key_size = AES192_KEY_SIZE, |
1062 | | .encrypt_block = (nettle_cipher_func *)aes192_encrypt, |
1063 | | .decrypt_block = (nettle_cipher_func *)aes192_encrypt, |
1064 | | |
1065 | | .ctx_size = sizeof( |
1066 | | struct CFB8_CTX(struct aes192_ctx, AES_BLOCK_SIZE)), |
1067 | | .encrypt = _cfb8_encrypt, |
1068 | | .decrypt = _cfb8_decrypt, |
1069 | | .set_encrypt_key = |
1070 | | (nettle_set_key_func *)aes192_set_encrypt_key, |
1071 | | .set_decrypt_key = |
1072 | | (nettle_set_key_func *)aes192_set_encrypt_key, |
1073 | | .max_iv_size = AES_BLOCK_SIZE, |
1074 | | }, |
1075 | | { |
1076 | | .algo = GNUTLS_CIPHER_AES_256_CFB8, |
1077 | | .block_size = AES_BLOCK_SIZE, |
1078 | | .key_size = AES256_KEY_SIZE, |
1079 | | .encrypt_block = (nettle_cipher_func *)aes256_encrypt, |
1080 | | .decrypt_block = (nettle_cipher_func *)aes256_encrypt, |
1081 | | |
1082 | | .ctx_size = sizeof( |
1083 | | struct CFB8_CTX(struct aes256_ctx, AES_BLOCK_SIZE)), |
1084 | | .encrypt = _cfb8_encrypt, |
1085 | | .decrypt = _cfb8_decrypt, |
1086 | | .set_encrypt_key = |
1087 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
1088 | | .set_decrypt_key = |
1089 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
1090 | | .max_iv_size = AES_BLOCK_SIZE, |
1091 | | }, |
1092 | | { |
1093 | | .algo = GNUTLS_CIPHER_AES_128_CFB, |
1094 | | .block_size = AES_BLOCK_SIZE, |
1095 | | .key_size = AES128_KEY_SIZE, |
1096 | | .encrypt_block = (nettle_cipher_func *)aes128_encrypt, |
1097 | | .decrypt_block = (nettle_cipher_func *)aes128_encrypt, |
1098 | | |
1099 | | .ctx_size = sizeof( |
1100 | | struct CFB_CTX(struct aes128_ctx, AES_BLOCK_SIZE)), |
1101 | | .encrypt = _cfb_encrypt, |
1102 | | .decrypt = _cfb_decrypt, |
1103 | | .set_encrypt_key = |
1104 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
1105 | | .set_decrypt_key = |
1106 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
1107 | | .max_iv_size = AES_BLOCK_SIZE, |
1108 | | }, |
1109 | | { |
1110 | | .algo = GNUTLS_CIPHER_AES_192_CFB, |
1111 | | .block_size = AES_BLOCK_SIZE, |
1112 | | .key_size = AES192_KEY_SIZE, |
1113 | | .encrypt_block = (nettle_cipher_func *)aes192_encrypt, |
1114 | | .decrypt_block = (nettle_cipher_func *)aes192_encrypt, |
1115 | | |
1116 | | .ctx_size = sizeof( |
1117 | | struct CFB_CTX(struct aes192_ctx, AES_BLOCK_SIZE)), |
1118 | | .encrypt = _cfb_encrypt, |
1119 | | .decrypt = _cfb_decrypt, |
1120 | | .set_encrypt_key = |
1121 | | (nettle_set_key_func *)aes192_set_encrypt_key, |
1122 | | .set_decrypt_key = |
1123 | | (nettle_set_key_func *)aes192_set_encrypt_key, |
1124 | | .max_iv_size = AES_BLOCK_SIZE, |
1125 | | }, |
1126 | | { |
1127 | | .algo = GNUTLS_CIPHER_AES_256_CFB, |
1128 | | .block_size = AES_BLOCK_SIZE, |
1129 | | .key_size = AES256_KEY_SIZE, |
1130 | | .encrypt_block = (nettle_cipher_func *)aes256_encrypt, |
1131 | | .decrypt_block = (nettle_cipher_func *)aes256_encrypt, |
1132 | | |
1133 | | .ctx_size = sizeof( |
1134 | | struct CFB_CTX(struct aes256_ctx, AES_BLOCK_SIZE)), |
1135 | | .encrypt = _cfb_encrypt, |
1136 | | .decrypt = _cfb_decrypt, |
1137 | | .set_encrypt_key = |
1138 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
1139 | | .set_decrypt_key = |
1140 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
1141 | | .max_iv_size = AES_BLOCK_SIZE, |
1142 | | }, |
1143 | | { |
1144 | | .algo = GNUTLS_CIPHER_AES_128_XTS, |
1145 | | .block_size = AES_BLOCK_SIZE, |
1146 | | .key_size = AES128_KEY_SIZE * 2, |
1147 | | |
1148 | | .ctx_size = sizeof(struct xts_aes128_key), |
1149 | | .encrypt = _xts_aes128_encrypt, |
1150 | | .decrypt = _xts_aes128_decrypt, |
1151 | | .set_encrypt_key = |
1152 | | (nettle_set_key_func *)xts_aes128_set_encrypt_key, |
1153 | | .set_decrypt_key = |
1154 | | (nettle_set_key_func *)xts_aes128_set_decrypt_key, |
1155 | | .max_iv_size = AES_BLOCK_SIZE, |
1156 | | }, |
1157 | | { |
1158 | | .algo = GNUTLS_CIPHER_AES_256_XTS, |
1159 | | .block_size = AES_BLOCK_SIZE, |
1160 | | .key_size = AES256_KEY_SIZE * 2, |
1161 | | |
1162 | | .ctx_size = sizeof(struct xts_aes256_key), |
1163 | | .encrypt = _xts_aes256_encrypt, |
1164 | | .decrypt = _xts_aes256_decrypt, |
1165 | | .set_encrypt_key = |
1166 | | (nettle_set_key_func *)xts_aes256_set_encrypt_key, |
1167 | | .set_decrypt_key = |
1168 | | (nettle_set_key_func *)xts_aes256_set_decrypt_key, |
1169 | | .max_iv_size = AES_BLOCK_SIZE, |
1170 | | }, |
1171 | | { |
1172 | | .algo = GNUTLS_CIPHER_AES_128_SIV, |
1173 | | .block_size = SIV_BLOCK_SIZE, |
1174 | | .key_size = SIV_CMAC_AES128_KEY_SIZE, |
1175 | | |
1176 | | .ctx_size = sizeof(struct siv_cmac_aes128_ctx), |
1177 | | .aead_encrypt = |
1178 | | (aead_encrypt_func)_siv_cmac_aes128_encrypt_message, |
1179 | | .aead_decrypt = |
1180 | | (aead_decrypt_func)_siv_cmac_aes128_decrypt_message, |
1181 | | .set_encrypt_key = |
1182 | | (nettle_set_key_func *)siv_cmac_aes128_set_key, |
1183 | | .set_decrypt_key = |
1184 | | (nettle_set_key_func *)siv_cmac_aes128_set_key, |
1185 | | .max_iv_size = SIV_DIGEST_SIZE, |
1186 | | }, |
1187 | | { |
1188 | | .algo = GNUTLS_CIPHER_AES_256_SIV, |
1189 | | .block_size = SIV_BLOCK_SIZE, |
1190 | | .key_size = SIV_CMAC_AES256_KEY_SIZE, |
1191 | | |
1192 | | .ctx_size = sizeof(struct siv_cmac_aes256_ctx), |
1193 | | .aead_encrypt = |
1194 | | (aead_encrypt_func)_siv_cmac_aes256_encrypt_message, |
1195 | | .aead_decrypt = |
1196 | | (aead_decrypt_func)_siv_cmac_aes256_decrypt_message, |
1197 | | .set_encrypt_key = |
1198 | | (nettle_set_key_func *)siv_cmac_aes256_set_key, |
1199 | | .set_decrypt_key = |
1200 | | (nettle_set_key_func *)siv_cmac_aes256_set_key, |
1201 | | .max_iv_size = SIV_DIGEST_SIZE, |
1202 | | }, |
1203 | | { |
1204 | | .algo = GNUTLS_CIPHER_AES_128_SIV_GCM, |
1205 | | .block_size = SIV_GCM_BLOCK_SIZE, |
1206 | | .key_size = AES128_KEY_SIZE, |
1207 | | |
1208 | | .ctx_size = sizeof(struct aes128_ctx), |
1209 | | .aead_encrypt = |
1210 | | (aead_encrypt_func)_siv_gcm_aes128_encrypt_message, |
1211 | | .aead_decrypt = |
1212 | | (aead_decrypt_func)_siv_gcm_aes128_decrypt_message, |
1213 | | .set_encrypt_key = |
1214 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
1215 | | .set_decrypt_key = |
1216 | | (nettle_set_key_func *)aes128_set_encrypt_key, |
1217 | | .max_iv_size = SIV_GCM_NONCE_SIZE, |
1218 | | }, |
1219 | | { |
1220 | | .algo = GNUTLS_CIPHER_AES_256_SIV_GCM, |
1221 | | .block_size = SIV_GCM_BLOCK_SIZE, |
1222 | | .key_size = AES256_KEY_SIZE, |
1223 | | |
1224 | | .ctx_size = sizeof(struct aes256_ctx), |
1225 | | .aead_encrypt = |
1226 | | (aead_encrypt_func)_siv_gcm_aes256_encrypt_message, |
1227 | | .aead_decrypt = |
1228 | | (aead_decrypt_func)_siv_gcm_aes256_decrypt_message, |
1229 | | .set_encrypt_key = |
1230 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
1231 | | .set_decrypt_key = |
1232 | | (nettle_set_key_func *)aes256_set_encrypt_key, |
1233 | | .max_iv_size = SIV_GCM_NONCE_SIZE, |
1234 | | }, |
1235 | | }; |
1236 | | |
1237 | | static int wrap_nettle_cipher_exists(gnutls_cipher_algorithm_t algo) |
1238 | 0 | { |
1239 | 0 | unsigned i; |
1240 | 0 | for (i = 0; i < sizeof(builtin_ciphers) / sizeof(builtin_ciphers[0]); |
1241 | 0 | i++) { |
1242 | 0 | if (algo == builtin_ciphers[i].algo) { |
1243 | 0 | return 1; |
1244 | 0 | } |
1245 | 0 | } |
1246 | 0 | return 0; |
1247 | 0 | } |
1248 | | |
1249 | | static int wrap_nettle_cipher_init(gnutls_cipher_algorithm_t algo, void **_ctx, |
1250 | | int enc) |
1251 | 0 | { |
1252 | 0 | struct nettle_cipher_ctx *ctx; |
1253 | 0 | uintptr_t cur_alignment; |
1254 | 0 | int idx = -1; |
1255 | 0 | unsigned i; |
1256 | 0 | uint8_t *ctx_ptr; |
1257 | |
|
1258 | 0 | for (i = 0; i < sizeof(builtin_ciphers) / sizeof(builtin_ciphers[0]); |
1259 | 0 | i++) { |
1260 | 0 | if (algo == builtin_ciphers[i].algo) { |
1261 | 0 | idx = i; |
1262 | 0 | break; |
1263 | 0 | } |
1264 | 0 | } |
1265 | |
|
1266 | 0 | if (idx == -1) |
1267 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1268 | | |
1269 | 0 | ctx = gnutls_calloc(1, |
1270 | 0 | sizeof(*ctx) + builtin_ciphers[idx].ctx_size + 16); |
1271 | 0 | if (ctx == NULL) { |
1272 | 0 | gnutls_assert(); |
1273 | 0 | return GNUTLS_E_MEMORY_ERROR; |
1274 | 0 | } |
1275 | | |
1276 | 0 | ctx->enc = enc; |
1277 | 0 | ctx_ptr = ((uint8_t *)ctx) + sizeof(*ctx); |
1278 | |
|
1279 | 0 | cur_alignment = ((uintptr_t)ctx_ptr) % 16; |
1280 | 0 | if (cur_alignment > 0) |
1281 | 0 | ctx_ptr += 16 - cur_alignment; |
1282 | |
|
1283 | 0 | ctx->ctx_ptr = ctx_ptr; |
1284 | 0 | ctx->cipher = &builtin_ciphers[idx]; |
1285 | |
|
1286 | 0 | *_ctx = ctx; |
1287 | |
|
1288 | 0 | return 0; |
1289 | 0 | } |
1290 | | |
1291 | | static int wrap_nettle_cipher_setkey(void *_ctx, const void *key, |
1292 | | size_t keysize) |
1293 | 0 | { |
1294 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1295 | |
|
1296 | 0 | if (ctx->cipher->key_size > 0 && |
1297 | 0 | unlikely(keysize != ctx->cipher->key_size)) { |
1298 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1299 | 0 | } else if (ctx->cipher->key_size == 0) { |
1300 | 0 | ctx->cipher->gen_set_key(ctx->ctx_ptr, keysize, key); |
1301 | 0 | return 0; |
1302 | 0 | } |
1303 | | |
1304 | 0 | switch (ctx->cipher->algo) { |
1305 | 0 | case GNUTLS_CIPHER_AES_128_XTS: |
1306 | 0 | if (_gnutls_fips_mode_enabled() && |
1307 | 0 | gnutls_memcmp(key, (char *)key + AES128_KEY_SIZE, |
1308 | 0 | AES128_KEY_SIZE) == 0) |
1309 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1310 | 0 | break; |
1311 | 0 | case GNUTLS_CIPHER_AES_256_XTS: |
1312 | 0 | if (_gnutls_fips_mode_enabled() && |
1313 | 0 | gnutls_memcmp(key, (char *)key + AES256_KEY_SIZE, |
1314 | 0 | AES256_KEY_SIZE) == 0) |
1315 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1316 | 0 | break; |
1317 | 0 | default: |
1318 | 0 | break; |
1319 | 0 | } |
1320 | | |
1321 | 0 | if (ctx->enc) |
1322 | 0 | ctx->cipher->set_encrypt_key(ctx->ctx_ptr, key); |
1323 | 0 | else |
1324 | 0 | ctx->cipher->set_decrypt_key(ctx->ctx_ptr, key); |
1325 | |
|
1326 | 0 | switch (ctx->cipher->algo) { |
1327 | 0 | case GNUTLS_CIPHER_AES_128_GCM: |
1328 | 0 | case GNUTLS_CIPHER_AES_192_GCM: |
1329 | 0 | case GNUTLS_CIPHER_AES_256_GCM: |
1330 | 0 | ctx->rekey_counter = 0; |
1331 | 0 | break; |
1332 | 0 | default: |
1333 | 0 | break; |
1334 | 0 | } |
1335 | | |
1336 | 0 | return 0; |
1337 | 0 | } |
1338 | | |
1339 | | static int wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size) |
1340 | 0 | { |
1341 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1342 | 0 | unsigned max_iv; |
1343 | |
|
1344 | 0 | switch (ctx->cipher->algo) { |
1345 | 0 | case GNUTLS_CIPHER_AES_128_GCM: |
1346 | 0 | case GNUTLS_CIPHER_AES_192_GCM: |
1347 | 0 | case GNUTLS_CIPHER_AES_256_GCM: |
1348 | 0 | FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST, |
1349 | 0 | "access to short GCM nonce size\n"); |
1350 | 0 | ctx->rekey_counter = 0; |
1351 | 0 | break; |
1352 | 0 | case GNUTLS_CIPHER_SALSA20_256: |
1353 | 0 | case GNUTLS_CIPHER_ESTREAM_SALSA20_256: |
1354 | 0 | if (iv_size != SALSA20_NONCE_SIZE) |
1355 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1356 | 0 | break; |
1357 | 0 | default: |
1358 | 0 | break; |
1359 | 0 | } |
1360 | | |
1361 | 0 | max_iv = ctx->cipher->max_iv_size; |
1362 | 0 | if (max_iv == 0) |
1363 | 0 | max_iv = MAX_CIPHER_BLOCK_SIZE; |
1364 | |
|
1365 | 0 | if (iv_size > max_iv) |
1366 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1367 | | |
1368 | 0 | if (ctx->cipher->set_iv) { |
1369 | 0 | ctx->cipher->set_iv(ctx->ctx_ptr, iv_size, iv); |
1370 | 0 | } else { |
1371 | 0 | if (iv) |
1372 | 0 | memcpy(ctx->iv, iv, iv_size); |
1373 | 0 | ctx->iv_size = iv_size; |
1374 | 0 | } |
1375 | |
|
1376 | 0 | return 0; |
1377 | 0 | } |
1378 | | |
1379 | | static int wrap_nettle_cipher_getiv(void *_ctx, void *iv, size_t iv_size) |
1380 | 0 | { |
1381 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1382 | |
|
1383 | 0 | if (iv_size < ctx->iv_size) |
1384 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1385 | | |
1386 | 0 | memcpy(iv, ctx->iv, ctx->iv_size); |
1387 | |
|
1388 | 0 | return (int)ctx->iv_size; |
1389 | 0 | } |
1390 | | |
1391 | | static int wrap_nettle_cipher_decrypt(void *_ctx, const void *encr, |
1392 | | size_t encr_size, void *plain, |
1393 | | size_t plain_size) |
1394 | 0 | { |
1395 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1396 | |
|
1397 | 0 | if (unlikely(ctx->cipher->decrypt == NULL)) |
1398 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1399 | | |
1400 | 0 | ctx->cipher->decrypt(ctx, encr_size, plain, encr); |
1401 | |
|
1402 | 0 | return 0; |
1403 | 0 | } |
1404 | | |
1405 | | static int wrap_nettle_cipher_encrypt(void *_ctx, const void *plain, |
1406 | | size_t plain_size, void *encr, |
1407 | | size_t encr_size) |
1408 | 0 | { |
1409 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1410 | 0 | int ret; |
1411 | |
|
1412 | 0 | if (unlikely(ctx->cipher->encrypt == NULL)) |
1413 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1414 | | |
1415 | 0 | switch (ctx->cipher->algo) { |
1416 | 0 | case GNUTLS_CIPHER_AES_128_GCM: |
1417 | 0 | case GNUTLS_CIPHER_AES_192_GCM: |
1418 | 0 | case GNUTLS_CIPHER_AES_256_GCM: |
1419 | 0 | ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, |
1420 | 0 | plain_size); |
1421 | 0 | if (ret < 0) { |
1422 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1423 | 0 | } |
1424 | 0 | break; |
1425 | 0 | default: |
1426 | 0 | break; |
1427 | 0 | } |
1428 | | |
1429 | 0 | ctx->cipher->encrypt(ctx, plain_size, encr, plain); |
1430 | |
|
1431 | 0 | return 0; |
1432 | 0 | } |
1433 | | |
1434 | | static int wrap_nettle_cipher_aead_encrypt(void *_ctx, const void *nonce, |
1435 | | size_t nonce_size, const void *auth, |
1436 | | size_t auth_size, size_t tag_size, |
1437 | | const void *plain, size_t plain_size, |
1438 | | void *encr, size_t encr_size) |
1439 | 0 | { |
1440 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1441 | |
|
1442 | 0 | if (ctx->cipher->aead_encrypt == NULL) { |
1443 | | /* proper AEAD cipher */ |
1444 | 0 | unsigned max_iv; |
1445 | |
|
1446 | 0 | if (encr_size < plain_size + tag_size) |
1447 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
1448 | | |
1449 | 0 | max_iv = ctx->cipher->max_iv_size; |
1450 | 0 | if (max_iv == 0) |
1451 | 0 | max_iv = MAX_CIPHER_BLOCK_SIZE; |
1452 | |
|
1453 | 0 | if (nonce_size > max_iv) |
1454 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1455 | | |
1456 | 0 | ctx->cipher->set_iv(ctx->ctx_ptr, nonce_size, nonce); |
1457 | 0 | ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth); |
1458 | |
|
1459 | 0 | ctx->cipher->encrypt(ctx, plain_size, encr, plain); |
1460 | |
|
1461 | | #if NETTLE_VERSION_MAJOR >= 4 |
1462 | | ctx->cipher->tag(ctx->ctx_ptr, ((uint8_t *)encr) + plain_size); |
1463 | | #else |
1464 | 0 | ctx->cipher->tag(ctx->ctx_ptr, tag_size, |
1465 | 0 | ((uint8_t *)encr) + plain_size); |
1466 | 0 | #endif |
1467 | 0 | } else { |
1468 | | /* CCM-style cipher */ |
1469 | |
|
1470 | 0 | switch (ctx->cipher->algo) { |
1471 | 0 | case GNUTLS_CIPHER_AES_128_CCM: |
1472 | 0 | case GNUTLS_CIPHER_AES_256_CCM: |
1473 | | /* SP800-38C A.1 says Tlen must be a multiple of 16 |
1474 | | * between 32 and 128. |
1475 | | */ |
1476 | 0 | switch (tag_size) { |
1477 | 0 | case 4: |
1478 | 0 | case 6: |
1479 | | /* SP800-38C B.2 says Tlen smaller than 64 |
1480 | | * should not be used under sufficient |
1481 | | * restriction. We simply allow those for now. |
1482 | | */ |
1483 | 0 | FALLTHROUGH; |
1484 | 0 | case 8: |
1485 | 0 | case 10: |
1486 | 0 | case 12: |
1487 | 0 | case 14: |
1488 | 0 | case 16: |
1489 | 0 | break; |
1490 | 0 | default: |
1491 | 0 | if (_gnutls_fips_mode_enabled()) { |
1492 | 0 | _gnutls_switch_fips_state( |
1493 | 0 | GNUTLS_FIPS140_OP_ERROR); |
1494 | 0 | return gnutls_assert_val( |
1495 | 0 | GNUTLS_E_INVALID_REQUEST); |
1496 | 0 | } |
1497 | 0 | break; |
1498 | 0 | } |
1499 | 0 | break; |
1500 | 0 | default: |
1501 | 0 | break; |
1502 | 0 | } |
1503 | | |
1504 | 0 | ctx->cipher->aead_encrypt(ctx, nonce_size, nonce, auth_size, |
1505 | 0 | auth, tag_size, tag_size + plain_size, |
1506 | 0 | encr, plain); |
1507 | 0 | } |
1508 | 0 | return 0; |
1509 | 0 | } |
1510 | | |
1511 | | static int wrap_nettle_cipher_aead_decrypt(void *_ctx, const void *nonce, |
1512 | | size_t nonce_size, const void *auth, |
1513 | | size_t auth_size, size_t tag_size, |
1514 | | const void *encr, size_t encr_size, |
1515 | | void *plain, size_t plain_size) |
1516 | 0 | { |
1517 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1518 | 0 | int ret; |
1519 | |
|
1520 | 0 | if (unlikely(encr_size < tag_size)) |
1521 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
1522 | | |
1523 | 0 | if (ctx->cipher->aead_decrypt == NULL) { |
1524 | | /* proper AEAD cipher */ |
1525 | 0 | uint8_t tag[MAX_HASH_SIZE]; |
1526 | 0 | unsigned max_iv; |
1527 | |
|
1528 | 0 | max_iv = ctx->cipher->max_iv_size; |
1529 | 0 | if (max_iv == 0) |
1530 | 0 | max_iv = MAX_CIPHER_BLOCK_SIZE; |
1531 | |
|
1532 | 0 | if (nonce_size > max_iv) |
1533 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1534 | | |
1535 | 0 | ctx->cipher->set_iv(ctx->ctx_ptr, nonce_size, nonce); |
1536 | 0 | ctx->cipher->auth(ctx->ctx_ptr, auth_size, auth); |
1537 | |
|
1538 | 0 | encr_size -= tag_size; |
1539 | |
|
1540 | 0 | if (unlikely(plain_size < encr_size)) |
1541 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
1542 | | |
1543 | 0 | ctx->cipher->decrypt(ctx, encr_size, plain, encr); |
1544 | |
|
1545 | | #if NETTLE_VERSION_MAJOR >= 4 |
1546 | | ctx->cipher->tag(ctx->ctx_ptr, tag); |
1547 | | #else |
1548 | 0 | ctx->cipher->tag(ctx->ctx_ptr, tag_size, tag); |
1549 | 0 | #endif |
1550 | |
|
1551 | 0 | if (gnutls_memcmp(((uint8_t *)encr) + encr_size, tag, |
1552 | 0 | tag_size) != 0) |
1553 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
1554 | 0 | } else { |
1555 | | /* CCM-style cipher */ |
1556 | 0 | encr_size -= tag_size; |
1557 | |
|
1558 | 0 | if (unlikely(plain_size < encr_size)) |
1559 | 0 | return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
1560 | | |
1561 | 0 | switch (ctx->cipher->algo) { |
1562 | 0 | case GNUTLS_CIPHER_AES_128_CCM: |
1563 | 0 | case GNUTLS_CIPHER_AES_256_CCM: |
1564 | | /* SP800-38C A.1 says Tlen must be a multiple of 16 |
1565 | | * between 32 and 128. |
1566 | | */ |
1567 | 0 | switch (tag_size) { |
1568 | 0 | case 4: |
1569 | 0 | case 6: |
1570 | | /* SP800-38C B.2 says Tlen smaller than 64 |
1571 | | * should not be used under sufficient |
1572 | | * restriction. We simply allow those for now. |
1573 | | */ |
1574 | 0 | FALLTHROUGH; |
1575 | 0 | case 8: |
1576 | 0 | case 10: |
1577 | 0 | case 12: |
1578 | 0 | case 14: |
1579 | 0 | case 16: |
1580 | 0 | break; |
1581 | 0 | default: |
1582 | 0 | if (_gnutls_fips_mode_enabled()) { |
1583 | 0 | _gnutls_switch_fips_state( |
1584 | 0 | GNUTLS_FIPS140_OP_ERROR); |
1585 | 0 | return gnutls_assert_val( |
1586 | 0 | GNUTLS_E_INVALID_REQUEST); |
1587 | 0 | } |
1588 | 0 | break; |
1589 | 0 | } |
1590 | 0 | break; |
1591 | 0 | default: |
1592 | 0 | break; |
1593 | 0 | } |
1594 | | |
1595 | 0 | ret = ctx->cipher->aead_decrypt(ctx, nonce_size, nonce, |
1596 | 0 | auth_size, auth, tag_size, |
1597 | 0 | encr_size, plain, encr); |
1598 | 0 | if (unlikely(ret == 0)) |
1599 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
1600 | 0 | } |
1601 | 0 | return 0; |
1602 | 0 | } |
1603 | | |
1604 | | static int wrap_nettle_cipher_auth(void *_ctx, const void *plain, |
1605 | | size_t plain_size) |
1606 | 0 | { |
1607 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1608 | |
|
1609 | 0 | ctx->cipher->auth(ctx->ctx_ptr, plain_size, plain); |
1610 | |
|
1611 | 0 | return 0; |
1612 | 0 | } |
1613 | | |
1614 | | static void wrap_nettle_cipher_tag(void *_ctx, void *tag, size_t tag_size) |
1615 | 0 | { |
1616 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1617 | |
|
1618 | | #if NETTLE_VERSION_MAJOR >= 4 |
1619 | | ctx->cipher->tag(ctx->ctx_ptr, tag); |
1620 | | #else |
1621 | 0 | ctx->cipher->tag(ctx->ctx_ptr, tag_size, tag); |
1622 | 0 | #endif |
1623 | 0 | } |
1624 | | |
1625 | | static void wrap_nettle_cipher_close(void *_ctx) |
1626 | 0 | { |
1627 | 0 | struct nettle_cipher_ctx *ctx = _ctx; |
1628 | |
|
1629 | 0 | zeroize_key(ctx->ctx_ptr, ctx->cipher->ctx_size); |
1630 | | gnutls_free(ctx); |
1631 | 0 | } |
1632 | | |
1633 | | gnutls_crypto_cipher_st _gnutls_cipher_ops = { |
1634 | | .init = wrap_nettle_cipher_init, |
1635 | | .exists = wrap_nettle_cipher_exists, |
1636 | | .setiv = wrap_nettle_cipher_setiv, |
1637 | | .getiv = wrap_nettle_cipher_getiv, |
1638 | | .setkey = wrap_nettle_cipher_setkey, |
1639 | | .encrypt = wrap_nettle_cipher_encrypt, |
1640 | | .decrypt = wrap_nettle_cipher_decrypt, |
1641 | | .aead_encrypt = wrap_nettle_cipher_aead_encrypt, |
1642 | | .aead_decrypt = wrap_nettle_cipher_aead_decrypt, |
1643 | | .deinit = wrap_nettle_cipher_close, |
1644 | | .auth = wrap_nettle_cipher_auth, |
1645 | | .tag = wrap_nettle_cipher_tag, |
1646 | | }; |