kris
/
boringssl
1
0
Fork 0
Código Issues 0 Pull requests 0 Versões 0 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
4106 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tag: f131301413
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de f131301413
${ noResults }
boringssl/crypto/cipher/e_aesgcmsiv.c

324 linhas
10 KiB
Original Anotar Histórico 

  1. /* Copyright (c) 2017, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/aead.h>

  16. #include <openssl/cipher.h>

  17. #include <openssl/crypto.h>

  18. #include <openssl/err.h>

  19. 

  20. #include "internal.h"

  21. 

  22. 

  23. #if !defined(OPENSSL_SMALL)

  24. 

  25. #define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12

  26. #define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16

  27. 

  28. struct aead_aes_gcm_siv_ctx {

  29.   union {

  30.     double align;

  31.     AES_KEY ks;

  32.   } ks;

  33.   block128_f kgk_block;

  34.   unsigned is_256:1;

  35. };

  36. 

  37. static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  38.                                  size_t key_len, size_t tag_len) {

  39.   const size_t key_bits = key_len * 8;

  40. 

  41.   if (key_bits != 128 && key_bits != 256) {

  42.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);

  43.     return 0; /* EVP_AEAD_CTX_init should catch this. */

  44.   }

  45. 

  46.   if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {

  47.     tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;

  48.   }

  49. 

  50.   if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {

  51.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);

  52.     return 0;

  53.   }

  54. 

  55.   struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =

  56.       OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_ctx));

  57.   if (gcm_siv_ctx == NULL) {

  58.     return 0;

  59.   }

  60.   OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));

  61. 

  62.   aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,

  63.                   key_len);

  64.   gcm_siv_ctx->is_256 = (key_len == 32);

  65.   ctx->aead_state = gcm_siv_ctx;

  66. 

  67.   return 1;

  68. }

  69. 

  70. static void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {

  71.   struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;

  72.   OPENSSL_cleanse(gcm_siv_ctx, sizeof(struct aead_aes_gcm_siv_ctx));

  73.   OPENSSL_free(gcm_siv_ctx);

  74. }

  75. 

  76. /* gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from

  77.  * |in| to |out|, using the block function |enc_block| with |key| in counter

  78.  * mode, starting at |initial_counter|. This differs from the traditional

  79.  * counter mode code in that the counter is handled little-endian, only the

  80.  * first four bytes are used and the GCM-SIV tweak to the final byte is

  81.  * applied. The |in| and |out| pointers may be equal but otherwise must not

  82.  * alias. */

  83. static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,

  84.                           const uint8_t initial_counter[AES_BLOCK_SIZE],

  85.                           block128_f enc_block, const AES_KEY *key) {

  86.   union {

  87.     uint32_t w[4];

  88.     uint8_t c[16];

  89.   } counter;

  90. 

  91.   OPENSSL_memcpy(counter.c, initial_counter, AES_BLOCK_SIZE);

  92.   counter.c[15] |= 0x80;

  93. 

  94.   for (size_t done = 0; done < in_len;) {

  95.     uint8_t keystream[AES_BLOCK_SIZE];

  96.     enc_block(counter.c, keystream, key);

  97.     counter.w[0]++;

  98. 

  99.     size_t todo = AES_BLOCK_SIZE;

  100.     if (in_len - done < todo) {

  101.       todo = in_len - done;

  102.     }

  103. 

  104.     for (size_t i = 0; i < todo; i++) {

  105.       out[done + i] = keystream[i] ^ in[done + i];

  106.     }

  107. 

  108.     done += todo;

  109.   }

  110. }

  111. 

  112. /* gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and

  113.  * AD. The result is written to |out_tag|. */

  114. static void gcm_siv_polyval(

  115.     uint8_t out_tag[16], const uint8_t *in, size_t in_len, const uint8_t *ad,

  116.     size_t ad_len, const uint8_t auth_key[16],

  117.     const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) {

  118.   struct polyval_ctx polyval_ctx;

  119.   CRYPTO_POLYVAL_init(&polyval_ctx, auth_key);

  120. 

  121.   CRYPTO_POLYVAL_update_blocks(&polyval_ctx, ad, ad_len & ~15);

  122. 

  123.   uint8_t scratch[16];

  124.   if (ad_len & 15) {

  125.     OPENSSL_memset(scratch, 0, sizeof(scratch));

  126.     OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15);

  127.     CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch));

  128.   }

  129. 

  130.   CRYPTO_POLYVAL_update_blocks(&polyval_ctx, in, in_len & ~15);

  131.   if (in_len & 15) {

  132.     OPENSSL_memset(scratch, 0, sizeof(scratch));

  133.     OPENSSL_memcpy(scratch, &in[in_len & ~15], in_len & 15);

  134.     CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch));

  135.   }

  136. 

  137.   union {

  138.     uint8_t c[16];

  139.     struct {

  140.       uint64_t ad;

  141.       uint64_t in;

  142.     } bitlens;

  143.   } length_block;

  144. 

  145.   length_block.bitlens.ad = ad_len * 8;

  146.   length_block.bitlens.in = in_len * 8;

  147.   CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block.c,

  148.                                sizeof(length_block));

  149. 

  150.   CRYPTO_POLYVAL_finish(&polyval_ctx, out_tag);

  151.   for (size_t i = 0; i < EVP_AEAD_AES_GCM_SIV_NONCE_LEN; i++) {

  152.     out_tag[i] ^= nonce[i];

  153.   }

  154.   out_tag[15] &= 0x7f;

  155. }

  156. 

  157. /* gcm_siv_record_keys contains the keys used for a specific GCM-SIV record. */

  158. struct gcm_siv_record_keys {

  159.   uint8_t auth_key[16];

  160.   union {

  161.     double align;

  162.     AES_KEY ks;

  163.   } enc_key;

  164.   block128_f enc_block;

  165. };

  166. 

  167. /* gcm_siv_keys calculates the keys for a specific GCM-SIV record with the

  168.  * given nonce and writes them to |*out_keys|. */

  169. static void gcm_siv_keys(

  170.     const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx,

  171.     struct gcm_siv_record_keys *out_keys,

  172.     const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) {

  173.   const AES_KEY *const key = &gcm_siv_ctx->ks.ks;

  174.   uint8_t key_material[(128 /* POLYVAL key */ + 256 /* max AES key */) / 8];

  175.   const size_t blocks_needed = gcm_siv_ctx->is_256 ? 6 : 4;

  176. 

  177.   uint8_t counter[AES_BLOCK_SIZE];

  178.   OPENSSL_memset(counter, 0, AES_BLOCK_SIZE - EVP_AEAD_AES_GCM_SIV_NONCE_LEN);

  179.   OPENSSL_memcpy(counter + AES_BLOCK_SIZE - EVP_AEAD_AES_GCM_SIV_NONCE_LEN,

  180.                  nonce, EVP_AEAD_AES_GCM_SIV_NONCE_LEN);

  181.   for (size_t i = 0; i < blocks_needed; i++) {

  182.     counter[0] = i;

  183. 

  184.     uint8_t ciphertext[AES_BLOCK_SIZE];

  185.     gcm_siv_ctx->kgk_block(counter, ciphertext, key);

  186.     OPENSSL_memcpy(&key_material[i * 8], ciphertext, 8);

  187.   }

  188. 

  189.   OPENSSL_memcpy(out_keys->auth_key, key_material, 16);

  190.   aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,

  191.                   key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16);

  192. }

  193. 

  194. static int aead_aes_gcm_siv_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  195.                                  size_t *out_len, size_t max_out_len,

  196.                                  const uint8_t *nonce, size_t nonce_len,

  197.                                  const uint8_t *in, size_t in_len,

  198.                                  const uint8_t *ad, size_t ad_len) {

  199.   const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;

  200.   const uint64_t in_len_64 = in_len;

  201.   const uint64_t ad_len_64 = ad_len;

  202. 

  203.   if (in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN < in_len ||

  204.       in_len_64 > (UINT64_C(1) << 36) ||

  205.       ad_len_64 >= (UINT64_C(1) << 61)) {

  206.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  207.     return 0;

  208.   }

  209. 

  210.   if (max_out_len < in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN) {

  211.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);

  212.     return 0;

  213.   }

  214. 

  215.   if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {

  216.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);

  217.     return 0;

  218.   }

  219. 

  220.   struct gcm_siv_record_keys keys;

  221.   gcm_siv_keys(gcm_siv_ctx, &keys, nonce);

  222. 

  223.   uint8_t tag[16];

  224.   gcm_siv_polyval(tag, in, in_len, ad, ad_len, keys.auth_key, nonce);

  225.   keys.enc_block(tag, tag, &keys.enc_key.ks);

  226. 

  227.   gcm_siv_crypt(out, in, in_len, tag, keys.enc_block, &keys.enc_key.ks);

  228. 

  229.   OPENSSL_memcpy(&out[in_len], tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);

  230.   *out_len = in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN;

  231. 

  232.   return 1;

  233. }

  234. 

  235. static int aead_aes_gcm_siv_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  236.                                  size_t *out_len, size_t max_out_len,

  237.                                  const uint8_t *nonce, size_t nonce_len,

  238.                                  const uint8_t *in, size_t in_len,

  239.                                  const uint8_t *ad, size_t ad_len) {

  240.   const uint64_t ad_len_64 = ad_len;

  241.   if (ad_len_64 >= (UINT64_C(1) << 61)) {

  242.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  243.     return 0;

  244.   }

  245. 

  246.   const uint64_t in_len_64 = in_len;

  247.   if (in_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN ||

  248.       in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) {

  249.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

  250.     return 0;

  251.   }

  252. 

  253.   if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {

  254.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);

  255.     return 0;

  256.   }

  257. 

  258.   const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;

  259.   const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;

  260. 

  261.   if (max_out_len < plaintext_len) {

  262.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);

  263.     return 0;

  264.   }

  265. 

  266.   struct gcm_siv_record_keys keys;

  267.   gcm_siv_keys(gcm_siv_ctx, &keys, nonce);

  268. 

  269.   gcm_siv_crypt(out, in, plaintext_len, &in[plaintext_len], keys.enc_block,

  270.                 &keys.enc_key.ks);

  271. 

  272.   uint8_t expected_tag[EVP_AEAD_AES_GCM_SIV_TAG_LEN];

  273.   gcm_siv_polyval(expected_tag, out, plaintext_len, ad, ad_len, keys.auth_key,

  274.                   nonce);

  275.   keys.enc_block(expected_tag, expected_tag, &keys.enc_key.ks);

  276. 

  277.   if (CRYPTO_memcmp(expected_tag, &in[plaintext_len], sizeof(expected_tag)) !=

  278.       0) {

  279.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

  280.     return 0;

  281.   }

  282. 

  283.   *out_len = plaintext_len;

  284.   return 1;

  285. }

  286. 

  287. static const EVP_AEAD aead_aes_128_gcm_siv = {

  288.     16,                             /* key length */

  289.     EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */

  290.     EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* overhead */

  291.     EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* max tag length */

  292. 

  293.     aead_aes_gcm_siv_init,

  294.     NULL /* init_with_direction */,

  295.     aead_aes_gcm_siv_cleanup,

  296.     aead_aes_gcm_siv_seal,

  297.     aead_aes_gcm_siv_open,

  298.     NULL /* get_iv */,

  299. };

  300. 

  301. static const EVP_AEAD aead_aes_256_gcm_siv = {

  302.     32,                             /* key length */

  303.     EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */

  304.     EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* overhead */

  305.     EVP_AEAD_AES_GCM_SIV_TAG_LEN,   /* max tag length */

  306. 

  307.     aead_aes_gcm_siv_init,

  308.     NULL /* init_with_direction */,

  309.     aead_aes_gcm_siv_cleanup,

  310.     aead_aes_gcm_siv_seal,

  311.     aead_aes_gcm_siv_open,

  312.     NULL /* get_iv */,

  313. };

  314. 

  315. const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) {

  316.   return &aead_aes_128_gcm_siv;

  317. }

  318. 

  319. const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {

  320.   return &aead_aes_256_gcm_siv;

  321. }

  322. 

  323. #endif  /* !OPENSSL_SMALL */