1/* 2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <assert.h> 11#include <limits.h> 12#include <string.h> 13 14#include <openssl/aead.h> 15#include <openssl/aes.h> 16#include <openssl/cipher.h> 17#include <openssl/err.h> 18#include <openssl/mem.h> 19#include <openssl/nid.h> 20 21#include "../../internal.h" 22#include "../aes/internal.h" 23#include "../bcm_interface.h" 24#include "../delocate.h" 25#include "../modes/internal.h" 26#include "../service_indicator/internal.h" 27#include "internal.h" 28 29 30OPENSSL_MSVC_PRAGMA(warning(push)) 31OPENSSL_MSVC_PRAGMA(warning(disable : 4702)) // Unreachable code. 32 33#define AES_GCM_NONCE_LENGTH 12 34 35typedef struct { 36 union { 37 double align; 38 AES_KEY ks; 39 } ks; 40 block128_f block; 41 union { 42 cbc128_f cbc; 43 ctr128_f ctr; 44 } stream; 45} EVP_AES_KEY; 46 47typedef struct { 48 GCM128_KEY key; 49 GCM128_CONTEXT gcm; 50 int key_set; // Set if key initialised 51 int iv_set; // Set if an iv is set 52 uint8_t *iv; // Temporary IV store 53 int ivlen; // IV length 54 int taglen; 55 int iv_gen; // It is OK to generate IVs 56 ctr128_f ctr; 57} EVP_AES_GCM_CTX; 58 59static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, 60 const uint8_t *iv, int enc) { 61 int ret; 62 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 63 const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK; 64 65 if (mode == EVP_CIPH_CTR_MODE) { 66 switch (ctx->key_len) { 67 case 16: 68 boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr); 69 break; 70 71 case 32: 72 boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr); 73 break; 74 } 75 } 76 77 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { 78 if (hwaes_capable()) { 79 ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 80 dat->block = aes_hw_decrypt; 81 dat->stream.cbc = NULL; 82 if (mode == EVP_CIPH_CBC_MODE) { 83 dat->stream.cbc = aes_hw_cbc_encrypt; 84 } 85 } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) { 86 assert(vpaes_capable()); 87 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 88 if (ret == 0) { 89 vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks); 90 } 91 // If |dat->stream.cbc| is provided, |dat->block| is never used. 92 dat->block = NULL; 93 dat->stream.cbc = bsaes_cbc_encrypt; 94 } else if (vpaes_capable()) { 95 ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 96 dat->block = vpaes_decrypt; 97 dat->stream.cbc = NULL; 98#if defined(VPAES_CBC) 99 if (mode == EVP_CIPH_CBC_MODE) { 100 dat->stream.cbc = vpaes_cbc_encrypt; 101 } 102#endif 103 } else { 104 ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 105 dat->block = aes_nohw_decrypt; 106 dat->stream.cbc = NULL; 107 if (mode == EVP_CIPH_CBC_MODE) { 108 dat->stream.cbc = aes_nohw_cbc_encrypt; 109 } 110 } 111 } else if (hwaes_capable()) { 112 ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 113 dat->block = aes_hw_encrypt; 114 dat->stream.cbc = NULL; 115 if (mode == EVP_CIPH_CBC_MODE) { 116 dat->stream.cbc = aes_hw_cbc_encrypt; 117 } else if (mode == EVP_CIPH_CTR_MODE) { 118 dat->stream.ctr = aes_hw_ctr32_encrypt_blocks; 119 } 120 } else if (vpaes_capable()) { 121 ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 122 dat->block = vpaes_encrypt; 123 dat->stream.cbc = NULL; 124#if defined(VPAES_CBC) 125 if (mode == EVP_CIPH_CBC_MODE) { 126 dat->stream.cbc = vpaes_cbc_encrypt; 127 } 128#endif 129 if (mode == EVP_CIPH_CTR_MODE) { 130#if defined(BSAES) 131 assert(bsaes_capable()); 132 dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes; 133#else 134 dat->stream.ctr = vpaes_ctr32_encrypt_blocks; 135#endif 136 } 137 } else { 138 ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); 139 dat->block = aes_nohw_encrypt; 140 dat->stream.cbc = NULL; 141 if (mode == EVP_CIPH_CBC_MODE) { 142 dat->stream.cbc = aes_nohw_cbc_encrypt; 143 } else if (mode == EVP_CIPH_CTR_MODE) { 144 dat->stream.ctr = aes_nohw_ctr32_encrypt_blocks; 145 } 146 } 147 148 if (ret < 0) { 149 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED); 150 return 0; 151 } 152 153 return 1; 154} 155 156static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 157 size_t len) { 158 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 159 160 if (dat->stream.cbc) { 161 (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt); 162 } else if (ctx->encrypt) { 163 CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); 164 } else { 165 CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); 166 } 167 168 return 1; 169} 170 171static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 172 size_t len) { 173 size_t bl = ctx->cipher->block_size; 174 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 175 176 if (len < bl) { 177 return 1; 178 } 179 180 len -= bl; 181 for (size_t i = 0; i <= len; i += bl) { 182 (*dat->block)(in + i, out + i, &dat->ks.ks); 183 } 184 185 return 1; 186} 187 188static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 189 size_t len) { 190 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 191 CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, 192 &ctx->num, dat->stream.ctr); 193 return 1; 194} 195 196static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 197 size_t len) { 198 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; 199 200 CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num, 201 dat->block); 202 return 1; 203} 204 205static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, 206 const uint8_t *iv, int enc) { 207 EVP_AES_GCM_CTX *gctx = reinterpret_cast<EVP_AES_GCM_CTX *>(ctx->cipher_data); 208 if (!iv && !key) { 209 return 1; 210 } 211 212 // We must configure first the key, then the IV, but the caller may pass both 213 // together, or separately in either order. 214 if (key) { 215 OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm)); 216 CRYPTO_gcm128_init_aes_key(&gctx->key, key, ctx->key_len); 217 // Use the IV if specified. Otherwise, use the saved IV, if any. 218 if (iv == NULL && gctx->iv_set) { 219 iv = gctx->iv; 220 } 221 if (iv) { 222 CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, iv, gctx->ivlen); 223 gctx->iv_set = 1; 224 } 225 gctx->key_set = 1; 226 } else { 227 if (gctx->key_set) { 228 CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, iv, gctx->ivlen); 229 } else { 230 // The caller specified the IV before the key. Save the IV for later. 231 OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen); 232 } 233 gctx->iv_set = 1; 234 gctx->iv_gen = 0; 235 } 236 return 1; 237} 238 239static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) { 240 EVP_AES_GCM_CTX *gctx = reinterpret_cast<EVP_AES_GCM_CTX *>(c->cipher_data); 241 OPENSSL_cleanse(&gctx->key, sizeof(gctx->key)); 242 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); 243 if (gctx->iv != c->iv) { 244 OPENSSL_free(gctx->iv); 245 } 246} 247 248static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { 249 EVP_AES_GCM_CTX *gctx = reinterpret_cast<EVP_AES_GCM_CTX *>(c->cipher_data); 250 switch (type) { 251 case EVP_CTRL_INIT: 252 gctx->key_set = 0; 253 gctx->iv_set = 0; 254 gctx->ivlen = c->cipher->iv_len; 255 gctx->iv = c->iv; 256 gctx->taglen = -1; 257 gctx->iv_gen = 0; 258 return 1; 259 260 case EVP_CTRL_AEAD_SET_IVLEN: 261 if (arg <= 0) { 262 return 0; 263 } 264 265 // Allocate memory for IV if needed 266 if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) { 267 if (gctx->iv != c->iv) { 268 OPENSSL_free(gctx->iv); 269 } 270 gctx->iv = reinterpret_cast<uint8_t *>(OPENSSL_malloc(arg)); 271 if (!gctx->iv) { 272 return 0; 273 } 274 } 275 gctx->ivlen = arg; 276 return 1; 277 278 case EVP_CTRL_GET_IVLEN: 279 *(int *)ptr = gctx->ivlen; 280 return 1; 281 282 case EVP_CTRL_AEAD_SET_TAG: 283 if (arg <= 0 || arg > 16 || c->encrypt) { 284 return 0; 285 } 286 OPENSSL_memcpy(c->buf, ptr, arg); 287 gctx->taglen = arg; 288 return 1; 289 290 case EVP_CTRL_AEAD_GET_TAG: 291 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) { 292 return 0; 293 } 294 OPENSSL_memcpy(ptr, c->buf, arg); 295 return 1; 296 297 case EVP_CTRL_AEAD_SET_IV_FIXED: 298 // Special case: -1 length restores whole IV 299 if (arg == -1) { 300 OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen); 301 gctx->iv_gen = 1; 302 return 1; 303 } 304 // Fixed field must be at least 4 bytes and invocation field 305 // at least 8. 306 if (arg < 4 || (gctx->ivlen - arg) < 8) { 307 return 0; 308 } 309 OPENSSL_memcpy(gctx->iv, ptr, arg); 310 if (c->encrypt) { 311 // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with 312 // state lock functions to avoid updating the service indicator with the 313 // DRBG functions. 314 FIPS_service_indicator_lock_state(); 315 BCM_rand_bytes(gctx->iv + arg, gctx->ivlen - arg); 316 FIPS_service_indicator_unlock_state(); 317 } 318 gctx->iv_gen = 1; 319 return 1; 320 321 case EVP_CTRL_GCM_IV_GEN: { 322 if (gctx->iv_gen == 0 || gctx->key_set == 0) { 323 return 0; 324 } 325 CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, gctx->iv, gctx->ivlen); 326 if (arg <= 0 || arg > gctx->ivlen) { 327 arg = gctx->ivlen; 328 } 329 OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); 330 // Invocation field will be at least 8 bytes in size, so no need to check 331 // wrap around or increment more than last 8 bytes. 332 uint8_t *ctr = gctx->iv + gctx->ivlen - 8; 333 CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1); 334 gctx->iv_set = 1; 335 return 1; 336 } 337 338 case EVP_CTRL_GCM_SET_IV_INV: 339 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) { 340 return 0; 341 } 342 OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); 343 CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, gctx->iv, gctx->ivlen); 344 gctx->iv_set = 1; 345 return 1; 346 347 case EVP_CTRL_COPY: { 348 EVP_CIPHER_CTX *out = reinterpret_cast<EVP_CIPHER_CTX *>(ptr); 349 EVP_AES_GCM_CTX *gctx_out = 350 reinterpret_cast<EVP_AES_GCM_CTX *>(out->cipher_data); 351 if (gctx->iv == c->iv) { 352 gctx_out->iv = out->iv; 353 } else { 354 gctx_out->iv = 355 reinterpret_cast<uint8_t *>(OPENSSL_memdup(gctx->iv, gctx->ivlen)); 356 if (!gctx_out->iv) { 357 return 0; 358 } 359 } 360 return 1; 361 } 362 363 default: 364 return -1; 365 } 366} 367 368static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 369 size_t len) { 370 EVP_AES_GCM_CTX *gctx = reinterpret_cast<EVP_AES_GCM_CTX *>(ctx->cipher_data); 371 372 // If not set up, return error 373 if (!gctx->key_set) { 374 return -1; 375 } 376 if (!gctx->iv_set) { 377 return -1; 378 } 379 380 if (len > INT_MAX) { 381 // This function signature can only express up to |INT_MAX| bytes encrypted. 382 // 383 // TODO(https://crbug.com/boringssl/494): Make the internal |EVP_CIPHER| 384 // calling convention |size_t|-clean. 385 return -1; 386 } 387 388 if (in) { 389 if (out == NULL) { 390 if (!CRYPTO_gcm128_aad(&gctx->key, &gctx->gcm, in, len)) { 391 return -1; 392 } 393 } else if (ctx->encrypt) { 394 if (!CRYPTO_gcm128_encrypt(&gctx->key, &gctx->gcm, in, out, len)) { 395 return -1; 396 } 397 } else { 398 if (!CRYPTO_gcm128_decrypt(&gctx->key, &gctx->gcm, in, out, len)) { 399 return -1; 400 } 401 } 402 return (int)len; 403 } else { 404 if (!ctx->encrypt) { 405 if (gctx->taglen < 0 || !CRYPTO_gcm128_finish(&gctx->key, &gctx->gcm, 406 ctx->buf, gctx->taglen)) { 407 return -1; 408 } 409 gctx->iv_set = 0; 410 return 0; 411 } 412 CRYPTO_gcm128_tag(&gctx->key, &gctx->gcm, ctx->buf, 16); 413 gctx->taglen = 16; 414 // Don't reuse the IV 415 gctx->iv_set = 0; 416 return 0; 417 } 418} 419 420DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_cbc) { 421 memset(out, 0, sizeof(EVP_CIPHER)); 422 423 out->nid = NID_aes_128_cbc; 424 out->block_size = 16; 425 out->key_len = 16; 426 out->iv_len = 16; 427 out->ctx_size = sizeof(EVP_AES_KEY); 428 out->flags = EVP_CIPH_CBC_MODE; 429 out->init = aes_init_key; 430 out->cipher = aes_cbc_cipher; 431} 432 433DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ctr) { 434 memset(out, 0, sizeof(EVP_CIPHER)); 435 436 out->nid = NID_aes_128_ctr; 437 out->block_size = 1; 438 out->key_len = 16; 439 out->iv_len = 16; 440 out->ctx_size = sizeof(EVP_AES_KEY); 441 out->flags = EVP_CIPH_CTR_MODE; 442 out->init = aes_init_key; 443 out->cipher = aes_ctr_cipher; 444} 445 446DEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ecb_generic) { 447 memset(out, 0, sizeof(EVP_CIPHER)); 448 449 out->nid = NID_aes_128_ecb; 450 out->block_size = 16; 451 out->key_len = 16; 452 out->ctx_size = sizeof(EVP_AES_KEY); 453 out->flags = EVP_CIPH_ECB_MODE; 454 out->init = aes_init_key; 455 out->cipher = aes_ecb_cipher; 456} 457 458DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ofb) { 459 memset(out, 0, sizeof(EVP_CIPHER)); 460 461 out->nid = NID_aes_128_ofb128; 462 out->block_size = 1; 463 out->key_len = 16; 464 out->iv_len = 16; 465 out->ctx_size = sizeof(EVP_AES_KEY); 466 out->flags = EVP_CIPH_OFB_MODE; 467 out->init = aes_init_key; 468 out->cipher = aes_ofb_cipher; 469} 470 471DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_gcm) { 472 memset(out, 0, sizeof(EVP_CIPHER)); 473 474 out->nid = NID_aes_128_gcm; 475 out->block_size = 1; 476 out->key_len = 16; 477 out->iv_len = AES_GCM_NONCE_LENGTH; 478 out->ctx_size = sizeof(EVP_AES_GCM_CTX); 479 out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | 480 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | 481 EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; 482 out->init = aes_gcm_init_key; 483 out->cipher = aes_gcm_cipher; 484 out->cleanup = aes_gcm_cleanup; 485 out->ctrl = aes_gcm_ctrl; 486} 487 488DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_cbc) { 489 memset(out, 0, sizeof(EVP_CIPHER)); 490 491 out->nid = NID_aes_192_cbc; 492 out->block_size = 16; 493 out->key_len = 24; 494 out->iv_len = 16; 495 out->ctx_size = sizeof(EVP_AES_KEY); 496 out->flags = EVP_CIPH_CBC_MODE; 497 out->init = aes_init_key; 498 out->cipher = aes_cbc_cipher; 499} 500 501DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ctr) { 502 memset(out, 0, sizeof(EVP_CIPHER)); 503 504 out->nid = NID_aes_192_ctr; 505 out->block_size = 1; 506 out->key_len = 24; 507 out->iv_len = 16; 508 out->ctx_size = sizeof(EVP_AES_KEY); 509 out->flags = EVP_CIPH_CTR_MODE; 510 out->init = aes_init_key; 511 out->cipher = aes_ctr_cipher; 512} 513 514DEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ecb_generic) { 515 memset(out, 0, sizeof(EVP_CIPHER)); 516 517 out->nid = NID_aes_192_ecb; 518 out->block_size = 16; 519 out->key_len = 24; 520 out->ctx_size = sizeof(EVP_AES_KEY); 521 out->flags = EVP_CIPH_ECB_MODE; 522 out->init = aes_init_key; 523 out->cipher = aes_ecb_cipher; 524} 525 526DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ofb) { 527 memset(out, 0, sizeof(EVP_CIPHER)); 528 529 out->nid = NID_aes_192_ofb128; 530 out->block_size = 1; 531 out->key_len = 24; 532 out->iv_len = 16; 533 out->ctx_size = sizeof(EVP_AES_KEY); 534 out->flags = EVP_CIPH_OFB_MODE; 535 out->init = aes_init_key; 536 out->cipher = aes_ofb_cipher; 537} 538 539DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_gcm) { 540 memset(out, 0, sizeof(EVP_CIPHER)); 541 542 out->nid = NID_aes_192_gcm; 543 out->block_size = 1; 544 out->key_len = 24; 545 out->iv_len = AES_GCM_NONCE_LENGTH; 546 out->ctx_size = sizeof(EVP_AES_GCM_CTX); 547 out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | 548 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | 549 EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; 550 out->init = aes_gcm_init_key; 551 out->cipher = aes_gcm_cipher; 552 out->cleanup = aes_gcm_cleanup; 553 out->ctrl = aes_gcm_ctrl; 554} 555 556DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_cbc) { 557 memset(out, 0, sizeof(EVP_CIPHER)); 558 559 out->nid = NID_aes_256_cbc; 560 out->block_size = 16; 561 out->key_len = 32; 562 out->iv_len = 16; 563 out->ctx_size = sizeof(EVP_AES_KEY); 564 out->flags = EVP_CIPH_CBC_MODE; 565 out->init = aes_init_key; 566 out->cipher = aes_cbc_cipher; 567} 568 569DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ctr) { 570 memset(out, 0, sizeof(EVP_CIPHER)); 571 572 out->nid = NID_aes_256_ctr; 573 out->block_size = 1; 574 out->key_len = 32; 575 out->iv_len = 16; 576 out->ctx_size = sizeof(EVP_AES_KEY); 577 out->flags = EVP_CIPH_CTR_MODE; 578 out->init = aes_init_key; 579 out->cipher = aes_ctr_cipher; 580} 581 582DEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ecb_generic) { 583 memset(out, 0, sizeof(EVP_CIPHER)); 584 585 out->nid = NID_aes_256_ecb; 586 out->block_size = 16; 587 out->key_len = 32; 588 out->ctx_size = sizeof(EVP_AES_KEY); 589 out->flags = EVP_CIPH_ECB_MODE; 590 out->init = aes_init_key; 591 out->cipher = aes_ecb_cipher; 592} 593 594DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ofb) { 595 memset(out, 0, sizeof(EVP_CIPHER)); 596 597 out->nid = NID_aes_256_ofb128; 598 out->block_size = 1; 599 out->key_len = 32; 600 out->iv_len = 16; 601 out->ctx_size = sizeof(EVP_AES_KEY); 602 out->flags = EVP_CIPH_OFB_MODE; 603 out->init = aes_init_key; 604 out->cipher = aes_ofb_cipher; 605} 606 607DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_gcm) { 608 memset(out, 0, sizeof(EVP_CIPHER)); 609 610 out->nid = NID_aes_256_gcm; 611 out->block_size = 1; 612 out->key_len = 32; 613 out->iv_len = AES_GCM_NONCE_LENGTH; 614 out->ctx_size = sizeof(EVP_AES_GCM_CTX); 615 out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY | 616 EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | 617 EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER; 618 out->init = aes_gcm_init_key; 619 out->cipher = aes_gcm_cipher; 620 out->cleanup = aes_gcm_cleanup; 621 out->ctrl = aes_gcm_ctrl; 622} 623 624#if defined(HWAES_ECB) 625 626static int aes_hw_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, 627 const uint8_t *in, size_t len) { 628 size_t bl = ctx->cipher->block_size; 629 630 if (len < bl) { 631 return 1; 632 } 633 634 aes_hw_ecb_encrypt(in, out, len, 635 reinterpret_cast<const AES_KEY *>(ctx->cipher_data), 636 ctx->encrypt); 637 638 return 1; 639} 640 641DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_128_ecb) { 642 memset(out, 0, sizeof(EVP_CIPHER)); 643 644 out->nid = NID_aes_128_ecb; 645 out->block_size = 16; 646 out->key_len = 16; 647 out->ctx_size = sizeof(EVP_AES_KEY); 648 out->flags = EVP_CIPH_ECB_MODE; 649 out->init = aes_init_key; 650 out->cipher = aes_hw_ecb_cipher; 651} 652 653DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_192_ecb) { 654 memset(out, 0, sizeof(EVP_CIPHER)); 655 656 out->nid = NID_aes_192_ecb; 657 out->block_size = 16; 658 out->key_len = 24; 659 out->ctx_size = sizeof(EVP_AES_KEY); 660 out->flags = EVP_CIPH_ECB_MODE; 661 out->init = aes_init_key; 662 out->cipher = aes_hw_ecb_cipher; 663} 664 665DEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_256_ecb) { 666 memset(out, 0, sizeof(EVP_CIPHER)); 667 668 out->nid = NID_aes_256_ecb; 669 out->block_size = 16; 670 out->key_len = 32; 671 out->ctx_size = sizeof(EVP_AES_KEY); 672 out->flags = EVP_CIPH_ECB_MODE; 673 out->init = aes_init_key; 674 out->cipher = aes_hw_ecb_cipher; 675} 676 677#define EVP_ECB_CIPHER_FUNCTION(keybits) \ 678 const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ 679 if (hwaes_capable()) { \ 680 return aes_hw_##keybits##_ecb(); \ 681 } \ 682 return aes_##keybits##_ecb_generic(); \ 683 } 684 685#else 686 687#define EVP_ECB_CIPHER_FUNCTION(keybits) \ 688 const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \ 689 return aes_##keybits##_ecb_generic(); \ 690 } 691 692#endif // HWAES_ECB 693 694EVP_ECB_CIPHER_FUNCTION(128) 695EVP_ECB_CIPHER_FUNCTION(192) 696EVP_ECB_CIPHER_FUNCTION(256) 697 698 699#define EVP_AEAD_AES_GCM_TAG_LEN 16 700 701namespace { 702struct aead_aes_gcm_ctx { 703 GCM128_KEY key; 704}; 705} // namespace 706 707static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx, 708 size_t *out_tag_len, const uint8_t *key, 709 size_t key_len, size_t tag_len) { 710 const size_t key_bits = key_len * 8; 711 if (key_bits != 128 && key_bits != 192 && key_bits != 256) { 712 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); 713 return 0; // EVP_AEAD_CTX_init should catch this. 714 } 715 716 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { 717 tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 718 } 719 720 if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) { 721 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); 722 return 0; 723 } 724 725 CRYPTO_gcm128_init_aes_key(&gcm_ctx->key, key, key_len); 726 *out_tag_len = tag_len; 727 return 1; 728} 729 730static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= 731 sizeof(struct aead_aes_gcm_ctx), 732 "AEAD state is too small"); 733static_assert(alignof(union evp_aead_ctx_st_state) >= 734 alignof(struct aead_aes_gcm_ctx), 735 "AEAD state has insufficient alignment"); 736 737static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 738 size_t key_len, size_t requested_tag_len) { 739 struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state; 740 741 size_t actual_tag_len; 742 if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len, 743 requested_tag_len)) { 744 return 0; 745 } 746 747 ctx->tag_len = actual_tag_len; 748 return 1; 749} 750 751static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {} 752 753static int aead_aes_gcm_seal_scatter_impl( 754 const struct aead_aes_gcm_ctx *gcm_ctx, uint8_t *out, uint8_t *out_tag, 755 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, 756 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, 757 size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) { 758 if (extra_in_len + tag_len < tag_len) { 759 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 760 return 0; 761 } 762 if (max_out_tag_len < extra_in_len + tag_len) { 763 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 764 return 0; 765 } 766 if (nonce_len == 0) { 767 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); 768 return 0; 769 } 770 771 const GCM128_KEY *key = &gcm_ctx->key; 772 GCM128_CONTEXT gcm; 773 CRYPTO_gcm128_init_ctx(key, &gcm, nonce, nonce_len); 774 775 if (ad_len > 0 && !CRYPTO_gcm128_aad(key, &gcm, ad, ad_len)) { 776 return 0; 777 } 778 779 if (!CRYPTO_gcm128_encrypt(key, &gcm, in, out, in_len)) { 780 return 0; 781 } 782 783 if (extra_in_len > 0 && 784 !CRYPTO_gcm128_encrypt(key, &gcm, extra_in, out_tag, extra_in_len)) { 785 return 0; 786 } 787 788 CRYPTO_gcm128_tag(key, &gcm, out_tag + extra_in_len, tag_len); 789 *out_tag_len = tag_len + extra_in_len; 790 791 return 1; 792} 793 794static int aead_aes_gcm_seal_scatter( 795 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 796 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, 797 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, 798 size_t extra_in_len, const uint8_t *ad, size_t ad_len) { 799 const struct aead_aes_gcm_ctx *gcm_ctx = 800 (const struct aead_aes_gcm_ctx *)&ctx->state; 801 return aead_aes_gcm_seal_scatter_impl( 802 gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, nonce, nonce_len, in, 803 in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len); 804} 805 806static int aead_aes_gcm_open_gather_impl(const struct aead_aes_gcm_ctx *gcm_ctx, 807 uint8_t *out, const uint8_t *nonce, 808 size_t nonce_len, const uint8_t *in, 809 size_t in_len, const uint8_t *in_tag, 810 size_t in_tag_len, const uint8_t *ad, 811 size_t ad_len, size_t tag_len) { 812 uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN]; 813 814 if (nonce_len == 0) { 815 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); 816 return 0; 817 } 818 819 if (in_tag_len != tag_len) { 820 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 821 return 0; 822 } 823 824 const GCM128_KEY *key = &gcm_ctx->key; 825 GCM128_CONTEXT gcm; 826 CRYPTO_gcm128_init_ctx(key, &gcm, nonce, nonce_len); 827 828 if (!CRYPTO_gcm128_aad(key, &gcm, ad, ad_len)) { 829 return 0; 830 } 831 832 if (!CRYPTO_gcm128_decrypt(key, &gcm, in, out, in_len)) { 833 return 0; 834 } 835 836 CRYPTO_gcm128_tag(key, &gcm, tag, tag_len); 837 if (CRYPTO_memcmp(tag, in_tag, tag_len) != 0) { 838 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 839 return 0; 840 } 841 842 return 1; 843} 844 845static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, 846 const uint8_t *nonce, size_t nonce_len, 847 const uint8_t *in, size_t in_len, 848 const uint8_t *in_tag, size_t in_tag_len, 849 const uint8_t *ad, size_t ad_len) { 850 struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state; 851 if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len, 852 in_tag, in_tag_len, ad, ad_len, 853 ctx->tag_len)) { 854 return 0; 855 } 856 857 AEAD_GCM_verify_service_indicator(ctx); 858 return 1; 859} 860 861DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) { 862 memset(out, 0, sizeof(EVP_AEAD)); 863 864 out->key_len = 16; 865 out->nonce_len = AES_GCM_NONCE_LENGTH; 866 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 867 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 868 out->seal_scatter_supports_extra_in = 1; 869 870 out->init = aead_aes_gcm_init; 871 out->cleanup = aead_aes_gcm_cleanup; 872 out->seal_scatter = aead_aes_gcm_seal_scatter; 873 out->open_gather = aead_aes_gcm_open_gather; 874} 875 876DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_192_gcm) { 877 memset(out, 0, sizeof(EVP_AEAD)); 878 879 out->key_len = 24; 880 out->nonce_len = AES_GCM_NONCE_LENGTH; 881 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 882 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 883 out->seal_scatter_supports_extra_in = 1; 884 885 out->init = aead_aes_gcm_init; 886 out->cleanup = aead_aes_gcm_cleanup; 887 out->seal_scatter = aead_aes_gcm_seal_scatter; 888 out->open_gather = aead_aes_gcm_open_gather; 889} 890 891DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) { 892 memset(out, 0, sizeof(EVP_AEAD)); 893 894 out->key_len = 32; 895 out->nonce_len = AES_GCM_NONCE_LENGTH; 896 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 897 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 898 out->seal_scatter_supports_extra_in = 1; 899 900 out->init = aead_aes_gcm_init; 901 out->cleanup = aead_aes_gcm_cleanup; 902 out->seal_scatter = aead_aes_gcm_seal_scatter; 903 out->open_gather = aead_aes_gcm_open_gather; 904} 905 906static int aead_aes_gcm_init_randnonce(EVP_AEAD_CTX *ctx, const uint8_t *key, 907 size_t key_len, 908 size_t requested_tag_len) { 909 if (requested_tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH) { 910 if (requested_tag_len < AES_GCM_NONCE_LENGTH) { 911 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 912 return 0; 913 } 914 requested_tag_len -= AES_GCM_NONCE_LENGTH; 915 } 916 917 if (!aead_aes_gcm_init(ctx, key, key_len, requested_tag_len)) { 918 return 0; 919 } 920 921 ctx->tag_len += AES_GCM_NONCE_LENGTH; 922 return 1; 923} 924 925static int aead_aes_gcm_seal_scatter_randnonce( 926 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 927 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *external_nonce, 928 size_t external_nonce_len, const uint8_t *in, size_t in_len, 929 const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, 930 size_t ad_len) { 931 if (external_nonce_len != 0) { 932 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); 933 return 0; 934 } 935 936 uint8_t nonce[AES_GCM_NONCE_LENGTH]; 937 if (max_out_tag_len < sizeof(nonce)) { 938 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 939 return 0; 940 } 941 942 // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state 943 // lock functions to avoid updating the service indicator with the DRBG 944 // functions. 945 FIPS_service_indicator_lock_state(); 946 BCM_rand_bytes(nonce, sizeof(nonce)); 947 FIPS_service_indicator_unlock_state(); 948 949 const struct aead_aes_gcm_ctx *gcm_ctx = 950 (const struct aead_aes_gcm_ctx *)&ctx->state; 951 if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len, 952 max_out_tag_len - AES_GCM_NONCE_LENGTH, 953 nonce, sizeof(nonce), in, in_len, 954 extra_in, extra_in_len, ad, ad_len, 955 ctx->tag_len - AES_GCM_NONCE_LENGTH)) { 956 return 0; 957 } 958 959 assert(*out_tag_len + sizeof(nonce) <= max_out_tag_len); 960 memcpy(out_tag + *out_tag_len, nonce, sizeof(nonce)); 961 *out_tag_len += sizeof(nonce); 962 963 AEAD_GCM_verify_service_indicator(ctx); 964 return 1; 965} 966 967static int aead_aes_gcm_open_gather_randnonce( 968 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *external_nonce, 969 size_t external_nonce_len, const uint8_t *in, size_t in_len, 970 const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad, 971 size_t ad_len) { 972 if (external_nonce_len != 0) { 973 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); 974 return 0; 975 } 976 977 if (in_tag_len < AES_GCM_NONCE_LENGTH) { 978 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 979 return 0; 980 } 981 const uint8_t *nonce = in_tag + in_tag_len - AES_GCM_NONCE_LENGTH; 982 983 const struct aead_aes_gcm_ctx *gcm_ctx = 984 (const struct aead_aes_gcm_ctx *)&ctx->state; 985 if (!aead_aes_gcm_open_gather_impl( 986 gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag, 987 in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len, 988 ctx->tag_len - AES_GCM_NONCE_LENGTH)) { 989 return 0; 990 } 991 992 AEAD_GCM_verify_service_indicator(ctx); 993 return 1; 994} 995 996DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_randnonce) { 997 memset(out, 0, sizeof(EVP_AEAD)); 998 999 out->key_len = 16; 1000 out->nonce_len = 0; 1001 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; 1002 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; 1003 out->seal_scatter_supports_extra_in = 1; 1004 1005 out->init = aead_aes_gcm_init_randnonce; 1006 out->cleanup = aead_aes_gcm_cleanup; 1007 out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; 1008 out->open_gather = aead_aes_gcm_open_gather_randnonce; 1009} 1010 1011DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_randnonce) { 1012 memset(out, 0, sizeof(EVP_AEAD)); 1013 1014 out->key_len = 32; 1015 out->nonce_len = 0; 1016 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; 1017 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH; 1018 out->seal_scatter_supports_extra_in = 1; 1019 1020 out->init = aead_aes_gcm_init_randnonce; 1021 out->cleanup = aead_aes_gcm_cleanup; 1022 out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; 1023 out->open_gather = aead_aes_gcm_open_gather_randnonce; 1024} 1025 1026namespace { 1027struct aead_aes_gcm_tls12_ctx { 1028 struct aead_aes_gcm_ctx gcm_ctx; 1029 uint64_t min_next_nonce; 1030}; 1031} // namespace 1032 1033static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= 1034 sizeof(struct aead_aes_gcm_tls12_ctx), 1035 "AEAD state is too small"); 1036static_assert(alignof(union evp_aead_ctx_st_state) >= 1037 alignof(struct aead_aes_gcm_tls12_ctx), 1038 "AEAD state has insufficient alignment"); 1039 1040static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 1041 size_t key_len, size_t requested_tag_len) { 1042 struct aead_aes_gcm_tls12_ctx *gcm_ctx = 1043 (struct aead_aes_gcm_tls12_ctx *)&ctx->state; 1044 1045 gcm_ctx->min_next_nonce = 0; 1046 1047 size_t actual_tag_len; 1048 if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len, 1049 requested_tag_len)) { 1050 return 0; 1051 } 1052 1053 ctx->tag_len = actual_tag_len; 1054 return 1; 1055} 1056 1057static int aead_aes_gcm_tls12_seal_scatter( 1058 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 1059 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, 1060 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, 1061 size_t extra_in_len, const uint8_t *ad, size_t ad_len) { 1062 struct aead_aes_gcm_tls12_ctx *gcm_ctx = 1063 (struct aead_aes_gcm_tls12_ctx *)&ctx->state; 1064 1065 if (nonce_len != AES_GCM_NONCE_LENGTH) { 1066 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); 1067 return 0; 1068 } 1069 1070 // The given nonces must be strictly monotonically increasing. 1071 uint64_t given_counter = 1072 CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t)); 1073 if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) { 1074 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE); 1075 return 0; 1076 } 1077 1078 gcm_ctx->min_next_nonce = given_counter + 1; 1079 1080 if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, 1081 max_out_tag_len, nonce, nonce_len, in, in_len, 1082 extra_in, extra_in_len, ad, ad_len)) { 1083 return 0; 1084 } 1085 1086 AEAD_GCM_verify_service_indicator(ctx); 1087 return 1; 1088} 1089 1090DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) { 1091 memset(out, 0, sizeof(EVP_AEAD)); 1092 1093 out->key_len = 16; 1094 out->nonce_len = AES_GCM_NONCE_LENGTH; 1095 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 1096 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 1097 out->seal_scatter_supports_extra_in = 1; 1098 1099 out->init = aead_aes_gcm_tls12_init; 1100 out->cleanup = aead_aes_gcm_cleanup; 1101 out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; 1102 out->open_gather = aead_aes_gcm_open_gather; 1103} 1104 1105DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) { 1106 memset(out, 0, sizeof(EVP_AEAD)); 1107 1108 out->key_len = 32; 1109 out->nonce_len = AES_GCM_NONCE_LENGTH; 1110 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 1111 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 1112 out->seal_scatter_supports_extra_in = 1; 1113 1114 out->init = aead_aes_gcm_tls12_init; 1115 out->cleanup = aead_aes_gcm_cleanup; 1116 out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; 1117 out->open_gather = aead_aes_gcm_open_gather; 1118} 1119 1120namespace { 1121struct aead_aes_gcm_tls13_ctx { 1122 struct aead_aes_gcm_ctx gcm_ctx; 1123 uint64_t min_next_nonce; 1124 uint64_t mask; 1125 uint8_t first; 1126}; 1127} // namespace 1128 1129static_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= 1130 sizeof(struct aead_aes_gcm_tls13_ctx), 1131 "AEAD state is too small"); 1132static_assert(alignof(union evp_aead_ctx_st_state) >= 1133 alignof(struct aead_aes_gcm_tls13_ctx), 1134 "AEAD state has insufficient alignment"); 1135 1136static int aead_aes_gcm_tls13_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 1137 size_t key_len, size_t requested_tag_len) { 1138 struct aead_aes_gcm_tls13_ctx *gcm_ctx = 1139 (struct aead_aes_gcm_tls13_ctx *)&ctx->state; 1140 1141 gcm_ctx->min_next_nonce = 0; 1142 gcm_ctx->first = 1; 1143 1144 size_t actual_tag_len; 1145 if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len, 1146 requested_tag_len)) { 1147 return 0; 1148 } 1149 1150 ctx->tag_len = actual_tag_len; 1151 return 1; 1152} 1153 1154static int aead_aes_gcm_tls13_seal_scatter( 1155 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 1156 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, 1157 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, 1158 size_t extra_in_len, const uint8_t *ad, size_t ad_len) { 1159 struct aead_aes_gcm_tls13_ctx *gcm_ctx = 1160 (struct aead_aes_gcm_tls13_ctx *)&ctx->state; 1161 1162 if (nonce_len != AES_GCM_NONCE_LENGTH) { 1163 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); 1164 return 0; 1165 } 1166 1167 // The given nonces must be strictly monotonically increasing. See 1168 // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3 1169 // nonce construction. 1170 uint64_t given_counter = 1171 CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t)); 1172 1173 if (gcm_ctx->first) { 1174 // In the first call the sequence number will be zero and therefore the 1175 // given nonce will be 0 ^ mask = mask. 1176 gcm_ctx->mask = given_counter; 1177 gcm_ctx->first = 0; 1178 } 1179 given_counter ^= gcm_ctx->mask; 1180 1181 if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) { 1182 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE); 1183 return 0; 1184 } 1185 1186 gcm_ctx->min_next_nonce = given_counter + 1; 1187 1188 if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, 1189 max_out_tag_len, nonce, nonce_len, in, in_len, 1190 extra_in, extra_in_len, ad, ad_len)) { 1191 return 0; 1192 } 1193 1194 AEAD_GCM_verify_service_indicator(ctx); 1195 return 1; 1196} 1197 1198DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) { 1199 memset(out, 0, sizeof(EVP_AEAD)); 1200 1201 out->key_len = 16; 1202 out->nonce_len = AES_GCM_NONCE_LENGTH; 1203 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 1204 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 1205 out->seal_scatter_supports_extra_in = 1; 1206 1207 out->init = aead_aes_gcm_tls13_init; 1208 out->cleanup = aead_aes_gcm_cleanup; 1209 out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; 1210 out->open_gather = aead_aes_gcm_open_gather; 1211} 1212 1213DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) { 1214 memset(out, 0, sizeof(EVP_AEAD)); 1215 1216 out->key_len = 32; 1217 out->nonce_len = AES_GCM_NONCE_LENGTH; 1218 out->overhead = EVP_AEAD_AES_GCM_TAG_LEN; 1219 out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN; 1220 out->seal_scatter_supports_extra_in = 1; 1221 1222 out->init = aead_aes_gcm_tls13_init; 1223 out->cleanup = aead_aes_gcm_cleanup; 1224 out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; 1225 out->open_gather = aead_aes_gcm_open_gather; 1226} 1227 1228int EVP_has_aes_hardware(void) { 1229#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) 1230 return hwaes_capable() && crypto_gcm_clmul_enabled(); 1231#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) 1232 return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable(); 1233#else 1234 return 0; 1235#endif 1236} 1237 1238OPENSSL_MSVC_PRAGMA(warning(pop)) 1239