| OLD | NEW |
|---|
| 1 /* ==================================================================== | 1 /* ==================================================================== |
| 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. | 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * | 10 * |
| (...skipping 796 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 807 } | 807 } |
| 808 /* Extra padding: tag appended to record */ | 808 /* Extra padding: tag appended to record */ |
| 809 return EVP_GCM_TLS_TAG_LEN; | 809 return EVP_GCM_TLS_TAG_LEN; |
| 810 | 810 |
| 811 default: | 811 default: |
| 812 return -1; | 812 return -1; |
| 813 | 813 |
| 814 } | 814 } |
| 815 } | 815 } |
| 816 | 816 |
| 817 static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, |
| 818 const unsigned char *key, size_t key_len) |
| 819 { |
| 820 #ifdef BSAES_CAPABLE |
| 821 if (BSAES_CAPABLE) |
| 822 { |
| 823 AES_set_encrypt_key(key,key_len*8,aes_key); |
| 824 CRYPTO_gcm128_init(gcm_ctx,aes_key, |
| 825 (block128_f)AES_encrypt); |
| 826 return (ctr128_f)bsaes_ctr32_encrypt_blocks; |
| 827 } |
| 828 #endif |
| 829 #ifdef VPAES_CAPABLE |
| 830 if (VPAES_CAPABLE) |
| 831 { |
| 832 vpaes_set_encrypt_key(key,key_len*8,aes_key); |
| 833 CRYPTO_gcm128_init(gcm_ctx,aes_key, |
| 834 (block128_f)vpaes_encrypt); |
| 835 return NULL; |
| 836 } |
| 837 #endif |
| 838 AES_set_encrypt_key(key, key_len*8, aes_key); |
| 839 CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt); |
| 840 #ifdef AES_CTR_ASM |
| 841 return (ctr128_f)AES_ctr32_encrypt; |
| 842 #else |
| 843 return NULL; |
| 844 #endif |
| 845 } |
| 846 |
| 817 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | 847 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
| 818 const unsigned char *iv, int enc) | 848 const unsigned char *iv, int enc) |
| 819 { | 849 { |
| 820 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; | 850 EVP_AES_GCM_CTX *gctx = ctx->cipher_data; |
| 821 if (!iv && !key) | 851 if (!iv && !key) |
| 822 return 1; | 852 return 1; |
| 823 if (key) | 853 if (key) |
| 824 » » { do { | 854 » » { |
| 825 #ifdef BSAES_CAPABLE | 855 » » gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key
_len); |
| 826 » » if (BSAES_CAPABLE) | |
| 827 » » » { | |
| 828 » » » AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); | |
| 829 » » » CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, | |
| 830 » » » » » (block128_f)AES_encrypt); | |
| 831 » » » gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; | |
| 832 » » » break; | |
| 833 » » » } | |
| 834 » » else | |
| 835 #endif | |
| 836 #ifdef VPAES_CAPABLE | |
| 837 » » if (VPAES_CAPABLE) | |
| 838 » » » { | |
| 839 » » » vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks); | |
| 840 » » » CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, | |
| 841 » » » » » (block128_f)vpaes_encrypt); | |
| 842 » » » gctx->ctr = NULL; | |
| 843 » » » break; | |
| 844 » » » } | |
| 845 #endif | |
| 846 » » AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); | |
| 847 » » CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encryp
t); | |
| 848 #ifdef AES_CTR_ASM | |
| 849 » » gctx->ctr = (ctr128_f)AES_ctr32_encrypt; | |
| 850 #else | |
| 851 » » gctx->ctr = NULL; | |
| 852 #endif | |
| 853 » » } while (0); | |
| 854 | |
| 855 /* If we have an iv can set it directly, otherwise use | 856 /* If we have an iv can set it directly, otherwise use |
| 856 * saved IV. | 857 * saved IV. |
| 857 */ | 858 */ |
| 858 if (iv == NULL && gctx->iv_set) | 859 if (iv == NULL && gctx->iv_set) |
| 859 iv = gctx->iv; | 860 iv = gctx->iv; |
| 860 if (iv) | 861 if (iv) |
| 861 { | 862 { |
| 862 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); | 863 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); |
| 863 gctx->iv_set = 1; | 864 gctx->iv_set = 1; |
| 864 } | 865 } |
| (...skipping 438 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1303 } | 1304 } |
| 1304 | 1305 |
| 1305 } | 1306 } |
| 1306 | 1307 |
| 1307 #define aes_ccm_cleanup NULL | 1308 #define aes_ccm_cleanup NULL |
| 1308 | 1309 |
| 1309 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | 1310 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) |
| 1310 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | 1311 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) |
| 1311 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) | 1312 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) |
| 1312 | 1313 |
| 1314 #define EVP_AEAD_AES_128_GCM_TAG_LEN 16 |
| 1315 |
| 1316 struct aead_aes_128_gcm_ctx { |
| 1317 union { double align; AES_KEY ks; } ks; |
| 1318 GCM128_CONTEXT gcm; |
| 1319 ctr128_f ctr; |
| 1320 unsigned char tag_len; |
| 1321 }; |
| 1322 |
| 1323 static int aead_aes_128_gcm_init(EVP_AEAD_CTX *ctx, |
| 1324 const unsigned char *key, size_t key_len, size_t tag_len) |
| 1325 { |
| 1326 struct aead_aes_128_gcm_ctx *gcm_ctx; |
| 1327 |
| 1328 if (key_len*8 != 128) |
| 1329 { |
| 1330 EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_BAD_KEY_LENGTH); |
| 1331 return 0; /* EVP_AEAD_CTX_init should catch this. */ |
| 1332 } |
| 1333 |
| 1334 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) |
| 1335 tag_len = EVP_AEAD_AES_128_GCM_TAG_LEN; |
| 1336 |
| 1337 if (tag_len > EVP_AEAD_AES_128_GCM_TAG_LEN) |
| 1338 { |
| 1339 EVPerr(EVP_F_AEAD_AES_128_GCM_INIT, EVP_R_TAG_TOO_LARGE); |
| 1340 return 0; |
| 1341 } |
| 1342 |
| 1343 gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_128_gcm_ctx)); |
| 1344 if (gcm_ctx == NULL) |
| 1345 return 0; |
| 1346 |
| 1347 #ifdef AESNI_CAPABLE |
| 1348 if (AESNI_CAPABLE) |
| 1349 { |
| 1350 aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks); |
| 1351 CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, |
| 1352 (block128_f)aesni_encrypt); |
| 1353 gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; |
| 1354 } |
| 1355 else |
| 1356 #endif |
| 1357 { |
| 1358 gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, |
| 1359 key, key_len); |
| 1360 } |
| 1361 gcm_ctx->tag_len = tag_len; |
| 1362 ctx->aead_state = gcm_ctx; |
| 1363 |
| 1364 return 1; |
| 1365 } |
| 1366 |
| 1367 static void aead_aes_128_gcm_cleanup(EVP_AEAD_CTX *ctx) |
| 1368 { |
| 1369 struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; |
| 1370 OPENSSL_free(gcm_ctx); |
| 1371 } |
| 1372 |
| 1373 static ssize_t aead_aes_128_gcm_seal(const EVP_AEAD_CTX *ctx, |
| 1374 unsigned char *out, size_t max_out_len, |
| 1375 const unsigned char *nonce, size_t nonce_len, |
| 1376 const unsigned char *in, size_t in_len, |
| 1377 const unsigned char *ad, size_t ad_len) |
| 1378 { |
| 1379 size_t bulk = 0; |
| 1380 const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; |
| 1381 GCM128_CONTEXT gcm; |
| 1382 |
| 1383 if (max_out_len < in_len + gcm_ctx->tag_len) |
| 1384 { |
| 1385 EVPerr(EVP_F_AEAD_AES_128_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL); |
| 1386 return -1; |
| 1387 } |
| 1388 |
| 1389 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); |
| 1390 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); |
| 1391 |
| 1392 if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) |
| 1393 return -1; |
| 1394 |
| 1395 if (gcm_ctx->ctr) |
| 1396 { |
| 1397 if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, |
| 1398 in_len - bulk, gcm_ctx->ctr)) |
| 1399 return -1; |
| 1400 } |
| 1401 else |
| 1402 { |
| 1403 if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, |
| 1404 in_len - bulk)) |
| 1405 return -1; |
| 1406 } |
| 1407 |
| 1408 CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len); |
| 1409 return in_len + gcm_ctx->tag_len; |
| 1410 } |
| 1411 |
| 1412 static ssize_t aead_aes_128_gcm_open(const EVP_AEAD_CTX *ctx, |
| 1413 unsigned char *out, size_t max_out_len, |
| 1414 const unsigned char *nonce, size_t nonce_len, |
| 1415 const unsigned char *in, size_t in_len, |
| 1416 const unsigned char *ad, size_t ad_len) |
| 1417 { |
| 1418 size_t bulk = 0; |
| 1419 const struct aead_aes_128_gcm_ctx *gcm_ctx = ctx->aead_state; |
| 1420 unsigned char tag[EVP_AEAD_AES_128_GCM_TAG_LEN]; |
| 1421 size_t out_len; |
| 1422 GCM128_CONTEXT gcm; |
| 1423 |
| 1424 if (in_len < gcm_ctx->tag_len) |
| 1425 { |
| 1426 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT); |
| 1427 return -1; |
| 1428 } |
| 1429 |
| 1430 out_len = in_len - gcm_ctx->tag_len; |
| 1431 |
| 1432 if (max_out_len < out_len) |
| 1433 { |
| 1434 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL); |
| 1435 return -1; |
| 1436 } |
| 1437 |
| 1438 memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); |
| 1439 CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); |
| 1440 |
| 1441 if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) |
| 1442 return -1; |
| 1443 |
| 1444 if (gcm_ctx->ctr) |
| 1445 { |
| 1446 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, |
| 1447 in_len-bulk-gcm_ctx->tag_len, |
| 1448 gcm_ctx->ctr)) |
| 1449 return -1; |
| 1450 } |
| 1451 else |
| 1452 { |
| 1453 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, |
| 1454 in_len - bulk - gcm_ctx->tag_len)) |
| 1455 return -1; |
| 1456 } |
| 1457 |
| 1458 CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len); |
| 1459 if (CRYPTO_memcmp(tag, in + out_len, gcm_ctx->tag_len) != 0) |
| 1460 { |
| 1461 EVPerr(EVP_F_AEAD_AES_128_GCM_OPEN, EVP_R_BAD_DECRYPT); |
| 1462 return -1; |
| 1463 } |
| 1464 |
| 1465 return out_len; |
| 1466 } |
| 1467 |
| 1468 static const EVP_AEAD aead_aes_128_gcm = { |
| 1469 16, /* key len */ |
| 1470 12, /* nonce len */ |
| 1471 EVP_AEAD_AES_128_GCM_TAG_LEN, /* overhead */ |
| 1472 EVP_AEAD_AES_128_GCM_TAG_LEN, /* max tag length */ |
| 1473 |
| 1474 aead_aes_128_gcm_init, |
| 1475 aead_aes_128_gcm_cleanup, |
| 1476 aead_aes_128_gcm_seal, |
| 1477 aead_aes_128_gcm_open, |
| 1478 }; |
| 1479 |
| 1480 const EVP_AEAD *EVP_aead_aes_128_gcm() |
| 1481 { |
| 1482 return &aead_aes_128_gcm; |
| 1483 } |
| 1484 |
| 1313 #endif | 1485 #endif |
| 1314 #endif | 1486 #endif |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 59083010:
third_party/openssl: add ChaCha20+Poly1305 support.
Base URL: https://chromium.googlesource.com/chromium/deps/openssl.git@master