AES-GCM shouldn't keep its own version of the tag length.
There's a |tag_len| in the generic AEAD context now so keeping a second copy only invites confusion. Change-Id: I029d8a8ee366e3af7f61408177c950d5b1a740a9 Reviewed-on: https://boringssl-review.googlesource.com/17424 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
3120950b1e
commit
946dd62ac0
@ -1144,7 +1144,6 @@ struct aead_aes_gcm_ctx {
|
|||||||
} ks;
|
} ks;
|
||||||
GCM128_CONTEXT gcm;
|
GCM128_CONTEXT gcm;
|
||||||
ctr128_f ctr;
|
ctr128_f ctr;
|
||||||
uint8_t tag_len;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
struct aead_aes_gcm_tls12_ctx {
|
struct aead_aes_gcm_tls12_ctx {
|
||||||
@ -1153,8 +1152,8 @@ struct aead_aes_gcm_tls12_ctx {
|
|||||||
};
|
};
|
||||||
|
|
||||||
static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
|
static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
|
||||||
const uint8_t *key, size_t key_len,
|
size_t *out_tag_len, const uint8_t *key,
|
||||||
size_t tag_len) {
|
size_t key_len, size_t tag_len) {
|
||||||
const size_t key_bits = key_len * 8;
|
const size_t key_bits = key_len * 8;
|
||||||
|
|
||||||
if (key_bits != 128 && key_bits != 256) {
|
if (key_bits != 128 && key_bits != 256) {
|
||||||
@ -1173,25 +1172,27 @@ static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
|
|||||||
|
|
||||||
gcm_ctx->ctr =
|
gcm_ctx->ctr =
|
||||||
aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, NULL, key, key_len);
|
aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, NULL, key, key_len);
|
||||||
gcm_ctx->tag_len = tag_len;
|
*out_tag_len = tag_len;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
||||||
size_t key_len, size_t tag_len) {
|
size_t key_len, size_t requested_tag_len) {
|
||||||
struct aead_aes_gcm_ctx *gcm_ctx;
|
struct aead_aes_gcm_ctx *gcm_ctx;
|
||||||
gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_ctx));
|
gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_ctx));
|
||||||
if (gcm_ctx == NULL) {
|
if (gcm_ctx == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!aead_aes_gcm_init_impl(gcm_ctx, key, key_len, tag_len)) {
|
size_t actual_tag_len;
|
||||||
|
if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len,
|
||||||
|
requested_tag_len)) {
|
||||||
OPENSSL_free(gcm_ctx);
|
OPENSSL_free(gcm_ctx);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx->aead_state = gcm_ctx;
|
ctx->aead_state = gcm_ctx;
|
||||||
ctx->tag_len = gcm_ctx->tag_len;
|
ctx->tag_len = actual_tag_len;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1215,7 +1216,7 @@ static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (max_out_tag_len < gcm_ctx->tag_len) {
|
if (max_out_tag_len < ctx->tag_len) {
|
||||||
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1240,8 +1241,8 @@ static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
CRYPTO_gcm128_tag(&gcm, out_tag, gcm_ctx->tag_len);
|
CRYPTO_gcm128_tag(&gcm, out_tag, ctx->tag_len);
|
||||||
*out_tag_len = gcm_ctx->tag_len;
|
*out_tag_len = ctx->tag_len;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1259,7 +1260,7 @@ static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (in_tag_len != gcm_ctx->tag_len) {
|
if (in_tag_len != ctx->tag_len) {
|
||||||
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1284,8 +1285,8 @@ static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
|
CRYPTO_gcm128_tag(&gcm, tag, ctx->tag_len);
|
||||||
if (CRYPTO_memcmp(tag, in_tag, gcm_ctx->tag_len) != 0) {
|
if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
|
||||||
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1320,7 +1321,7 @@ DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
||||||
size_t key_len, size_t tag_len) {
|
size_t key_len, size_t requested_tag_len) {
|
||||||
struct aead_aes_gcm_tls12_ctx *gcm_ctx;
|
struct aead_aes_gcm_tls12_ctx *gcm_ctx;
|
||||||
gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_tls12_ctx));
|
gcm_ctx = OPENSSL_malloc(sizeof(struct aead_aes_gcm_tls12_ctx));
|
||||||
if (gcm_ctx == NULL) {
|
if (gcm_ctx == NULL) {
|
||||||
@ -1329,13 +1330,15 @@ static int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
|
|||||||
|
|
||||||
gcm_ctx->counter = 0;
|
gcm_ctx->counter = 0;
|
||||||
|
|
||||||
if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, key, key_len, tag_len)) {
|
size_t actual_tag_len;
|
||||||
|
if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,
|
||||||
|
requested_tag_len)) {
|
||||||
OPENSSL_free(gcm_ctx);
|
OPENSSL_free(gcm_ctx);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx->aead_state = gcm_ctx;
|
ctx->aead_state = gcm_ctx;
|
||||||
ctx->tag_len = gcm_ctx->gcm_ctx.tag_len;
|
ctx->tag_len = actual_tag_len;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user