static int aead_chacha20_poly1305_seal(aead_poly1305_update poly1305_update,
const void *ctx_buf, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t nonce[12],
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
aead_assert_open_seal_preconditions(alignof(struct aead_chacha20_poly1305_ctx),
ctx_buf, out, out_len, nonce, in, in_len,
ad, ad_len);
const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx_buf;
if (!aead_seal_out_max_out_in_tag_len(out_len, max_out_len, in_len,
POLY1305_TAG_LEN)) {
/* |aead_seal_out_max_out_in_tag_len| already called |OPENSSL_PUT_ERROR|. */
return 0;
}
CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
uint8_t tag[POLY1305_TAG_LEN] ALIGNED;
aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, out, in_len);
/* TODO: Does |tag| really need to be |ALIGNED|? If not, we can avoid this
* call to |memcpy|. */
memcpy(out + in_len, tag, POLY1305_TAG_LEN);
return 1;
}
int evp_aead_aes_gcm_seal(const void *ctx_buf, uint8_t *out, size_t *out_len,
size_t max_out_len, const uint8_t *nonce,
const uint8_t *in, size_t in_len, const uint8_t *ad,
size_t ad_len) {
aead_assert_open_seal_preconditions(alignof(struct aead_aes_gcm_ctx), ctx_buf,
out, out_len, nonce, in, in_len, ad,
ad_len);
const struct aead_aes_gcm_ctx *gcm_ctx = ctx_buf;
if (!aead_seal_out_max_out_in_tag_len(out_len, max_out_len, in_len,
EVP_AEAD_AES_GCM_TAG_LEN)) {
/* |aead_seal_out_max_out_in_tag_len| already called |OPENSSL_PUT_ERROR|. */
return 0;
}
GCM128_CONTEXT gcm;
const AES_KEY *key = &gcm_ctx->ks.ks;
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
CRYPTO_gcm128_set_96_bit_iv(&gcm, key, nonce);
if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
return 0;
}
if (gcm_ctx->ctr) {
if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len, gcm_ctx->ctr)) {
return 0;
}
} else {
if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
return 0;
}
}
CRYPTO_gcm128_tag(&gcm, out + in_len, EVP_AEAD_AES_GCM_TAG_LEN);
return 1;
}
