static void benchmark_gcm128(const unsigned char *K, size_t Klen,
const unsigned char *IV, size_t IVlen)
{
#ifdef OPENSSL_CPUID_OBJ
GCM128_CONTEXT ctx;
AES_KEY key;
uint32_t start, gcm_t, ctr_t;
union {
u64 u;
u8 c[1024];
} buf;
AES_set_encrypt_key(K, Klen * 8, &key);
CRYPTO_gcm128_init(&ctx, &key, (block128_f) AES_encrypt);
CRYPTO_gcm128_setiv(&ctx, IV, IVlen);
CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
start = OPENSSL_rdtsc();
CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
gcm_t = OPENSSL_rdtsc() - start;
CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
&key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
(block128_f) AES_encrypt);
start = OPENSSL_rdtsc();
CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
&key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
(block128_f) AES_encrypt);
ctr_t = OPENSSL_rdtsc() - start;
printf("%.2f-%.2f=%.2f\n",
gcm_t / (double)sizeof(buf),
ctr_t / (double)sizeof(buf),
(gcm_t - ctr_t) / (double)sizeof(buf));
# ifdef GHASH
{
void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
const u8 *inp, size_t len) = ctx.ghash;
GHASH((&ctx), buf.c, sizeof(buf));
start = OPENSSL_rdtsc();
for (i = 0; i < 100; ++i)
GHASH((&ctx), buf.c, sizeof(buf));
gcm_t = OPENSSL_rdtsc() - start;
printf("%.2f\n", gcm_t / (double)sizeof(buf) / (double)i);
}
# endif
#else
fprintf(stderr,
"Benchmarking of modes isn't available on this platform\n");
#endif
}
static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
size_t len) {
EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
// If not set up, return error
if (!gctx->key_set) {
return -1;
}
if (!gctx->iv_set) {
return -1;
}
if (in) {
if (out == NULL) {
if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) {
return -1;
}
} else if (ctx->encrypt) {
if (gctx->ctr) {
if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len,
gctx->ctr)) {
return -1;
}
} else {
if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) {
return -1;
}
}
} else {
if (gctx->ctr) {
if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in, out, len,
gctx->ctr)) {
return -1;
}
} else {
if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, len)) {
return -1;
}
}
}
return len;
} else {
if (!ctx->encrypt) {
if (gctx->taglen < 0 ||
!CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) {
return -1;
}
gctx->iv_set = 0;
return 0;
}
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
gctx->taglen = 16;
// Don't reuse the IV
gctx->iv_set = 0;
return 0;
}
}
static int aria_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX,ctx);
int rv = -1;
/* Encrypt/decrypt must be performed in place */
if (out != in
|| len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
return -1;
/*
* Set IV from start of buffer or generate IV and write to start of
* buffer.
*/
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_encrypting(ctx) ?
EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
goto err;
/* Use saved AAD */
if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
gctx->tls_aad_len))
goto err;
/* Fix buffer and length to point to payload */
in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
if (EVP_CIPHER_CTX_encrypting(ctx)) {
/* Encrypt payload */
if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
goto err;
out += len;
/* Finally write tag */
CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
} else {
/* Decrypt */
if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
goto err;
/* Retrieve tag */
CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
EVP_GCM_TLS_TAG_LEN);
/* If tag mismatch wipe buffer */
if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
EVP_GCM_TLS_TAG_LEN)) {
OPENSSL_cleanse(out, len);
goto err;
}
rv = len;
}
err:
gctx->iv_set = 0;
gctx->tls_aad_len = -1;
return rv;
}
static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
/* If not set up, return error */
if (!gctx->key_set)
return -1;
if (gctx->tls_aad_len >= 0)
return aes_gcm_tls_cipher(ctx, out, in, len);
if (!gctx->iv_set)
return -1;
if (in) {
if (out == NULL) {
if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
return -1;
} else if (ctx->encrypt) {
if (gctx->ctr) {
if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
in, out, len, gctx->ctr))
return -1;
} else {
if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
return -1;
}
} else {
if (gctx->ctr) {
if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
in, out, len, gctx->ctr))
return -1;
} else {
if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
return -1;
}
}
return len;
} else {
if (!ctx->encrypt) {
if (gctx->taglen < 0)
return -1;
if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
return -1;
gctx->iv_set = 0;
return 0;
}
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
gctx->taglen = 16;
/* Don't reuse the IV */
gctx->iv_set = 0;
return 0;
}
}
static int test_gcm128(int idx)
{
unsigned char out[512];
SIZED_DATA K = gcm128_vectors[idx].K;
SIZED_DATA IV = gcm128_vectors[idx].IV;
SIZED_DATA A = gcm128_vectors[idx].A;
SIZED_DATA P = gcm128_vectors[idx].P;
SIZED_DATA C = gcm128_vectors[idx].C;
SIZED_DATA T = gcm128_vectors[idx].T;
GCM128_CONTEXT ctx;
AES_KEY key;
/* Size 1 inputs are special-cased to signal NULL. */
if (A.size == 1)
A.data = NULL;
if (P.size == 1)
P.data = NULL;
if (C.size == 1)
C.data = NULL;
AES_set_encrypt_key(K.data, K.size * 8, &key);
CRYPTO_gcm128_init(&ctx, &key, (block128_f)AES_encrypt);
CRYPTO_gcm128_setiv(&ctx, IV.data, IV.size);
memset(out, 0, P.size);
if (A.data != NULL)
CRYPTO_gcm128_aad(&ctx, A.data, A.size);
if (P.data != NULL)
CRYPTO_gcm128_encrypt( &ctx, P.data, out, P.size);
if (!TEST_false(CRYPTO_gcm128_finish(&ctx, T.data, 16))
|| (C.data != NULL
&& !TEST_mem_eq(out, P.size, C.data, P.size)))
return 0;
CRYPTO_gcm128_setiv(&ctx, IV.data, IV.size);
memset(out, 0, P.size);
if (A.data != NULL)
CRYPTO_gcm128_aad(&ctx, A.data, A.size);
if (C.data != NULL)
CRYPTO_gcm128_decrypt(&ctx, C.data, out, P.size);
if (!TEST_false(CRYPTO_gcm128_finish(&ctx, T.data, 16))
|| (P.data != NULL
&& !TEST_mem_eq(out, P.size, P.data, P.size)))
return 0;
return 1;
}
static int aria_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
EVP_ARIA_GCM_CTX *gctx = EVP_C_DATA(EVP_ARIA_GCM_CTX,ctx);
/* If not set up, return error */
if (!gctx->key_set)
return -1;
if (gctx->tls_aad_len >= 0)
return aria_gcm_tls_cipher(ctx, out, in, len);
if (!gctx->iv_set)
return -1;
if (in) {
if (out == NULL) {
if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
return -1;
} else if (EVP_CIPHER_CTX_encrypting(ctx)) {
if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
return -1;
} else {
if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
return -1;
}
return len;
}
if (!EVP_CIPHER_CTX_encrypting(ctx)) {
if (gctx->taglen < 0)
return -1;
if (CRYPTO_gcm128_finish(&gctx->gcm,
EVP_CIPHER_CTX_buf_noconst(ctx),
gctx->taglen) != 0)
return -1;
gctx->iv_set = 0;
return 0;
}
CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
gctx->taglen = 16;
/* Don't reuse the IV */
gctx->iv_set = 0;
return 0;
}
static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
size_t bulk = 0;
const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
GCM128_CONTEXT gcm;
if (in_len + gcm_ctx->tag_len < in_len) {
OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_TOO_LARGE);
return 0;
}
if (max_out_len < in_len + gcm_ctx->tag_len) {
OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
return 0;
}
if (gcm_ctx->ctr) {
if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk, in_len - bulk,
gcm_ctx->ctr)) {
return 0;
}
} else {
if (!CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk, in_len - bulk)) {
return 0;
}
}
CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
*out_len = in_len + gcm_ctx->tag_len;
return 1;
}
int evp_aead_aes_gcm_seal(const void *ctx_buf, uint8_t *out, size_t *out_len,
size_t max_out_len, const uint8_t *nonce,
const uint8_t *in, size_t in_len, const uint8_t *ad,
size_t ad_len) {
aead_assert_open_seal_preconditions(alignof(struct aead_aes_gcm_ctx), ctx_buf,
out, out_len, nonce, in, in_len, ad,
ad_len);
const struct aead_aes_gcm_ctx *gcm_ctx = ctx_buf;
if (!aead_seal_out_max_out_in_tag_len(out_len, max_out_len, in_len,
EVP_AEAD_AES_GCM_TAG_LEN)) {
/* |aead_seal_out_max_out_in_tag_len| already called |OPENSSL_PUT_ERROR|. */
return 0;
}
GCM128_CONTEXT gcm;
const AES_KEY *key = &gcm_ctx->ks.ks;
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
CRYPTO_gcm128_set_96_bit_iv(&gcm, key, nonce);
if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
return 0;
}
if (gcm_ctx->ctr) {
if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len, gcm_ctx->ctr)) {
return 0;
}
} else {
if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
return 0;
}
}
CRYPTO_gcm128_tag(&gcm, out + in_len, EVP_AEAD_AES_GCM_TAG_LEN);
return 1;
}
static int
aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
const unsigned char *in, size_t in_len, const unsigned char *ad,
size_t ad_len)
{
const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
GCM128_CONTEXT gcm;
size_t bulk = 0;
if (max_out_len < in_len + gcm_ctx->tag_len) {
EVPerr(EVP_F_AEAD_AES_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL);
return 0;
}
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
return 0;
if (gcm_ctx->ctr) {
if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
in_len - bulk, gcm_ctx->ctr))
return 0;
} else {
if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
in_len - bulk))
return 0;
}
CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
*out_len = in_len + gcm_ctx->tag_len;
return 1;
}
static int aead_aes_gcm_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
uint8_t *out_tag, size_t *out_tag_len,
size_t max_out_tag_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *extra_in,
size_t extra_in_len,
const uint8_t *ad, size_t ad_len) {
const struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
if (extra_in_len + ctx->tag_len < ctx->tag_len) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
if (max_out_tag_len < extra_in_len + ctx->tag_len) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
if (nonce_len == 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
return 0;
}
const AES_KEY *key = &gcm_ctx->ks.ks;
GCM128_CONTEXT gcm;
OPENSSL_memset(&gcm, 0, sizeof(gcm));
OPENSSL_memcpy(&gcm.gcm_key, &gcm_ctx->gcm_key, sizeof(gcm.gcm_key));
CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
return 0;
}
if (gcm_ctx->ctr) {
if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len,
gcm_ctx->ctr)) {
return 0;
}
} else {
if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
return 0;
}
}
if (extra_in_len) {
if (gcm_ctx->ctr) {
if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, extra_in, out_tag,
extra_in_len, gcm_ctx->ctr)) {
return 0;
}
} else {
if (!CRYPTO_gcm128_encrypt(&gcm, key, extra_in, out_tag, extra_in_len)) {
return 0;
}
}
}
CRYPTO_gcm128_tag(&gcm, out_tag + extra_in_len, ctx->tag_len);
*out_tag_len = ctx->tag_len + extra_in_len;
return 1;
}
static int32_t create_format_v1(unsigned char *wire,
loc_t *loc,
struct crypt_inode_info *info,
struct master_cipher_info *master)
{
int32_t ret;
struct mtd_format_v1 *fmt;
unsigned char mtd_key[16];
AES_KEY EMTD_KEY;
unsigned char nmtd_link_key[16];
uint32_t ad;
GCM128_CONTEXT *gctx;
fmt = (struct mtd_format_v1 *)wire;
fmt->minor_id = info->nr_minor;
fmt->alg_id = AES_CIPHER_ALG;
fmt->dkey_factor = master->m_dkey_size >> KEY_FACTOR_BITS;
fmt->block_bits = master->m_block_bits;
fmt->mode_id = master->m_mode;
/*
* retrieve keys for the parts of metadata
*/
ret = get_emtd_file_key(info, master, mtd_key);
if (ret)
return ret;
ret = get_nmtd_link_key(loc, master, nmtd_link_key);
if (ret)
return ret;
AES_set_encrypt_key(mtd_key, sizeof(mtd_key)*8, &EMTD_KEY);
gctx = CRYPTO_gcm128_new(&EMTD_KEY, (block128_f)AES_encrypt);
/* TBD: Check return values */
CRYPTO_gcm128_setiv(gctx, info->oid, sizeof(uuid_t));
ad = htole32(MTD_LOADER_V1);
ret = CRYPTO_gcm128_aad(gctx, (const unsigned char *)&ad, sizeof(ad));
if (ret) {
gf_log("crypt", GF_LOG_ERROR, " CRYPTO_gcm128_aad failed");
CRYPTO_gcm128_release(gctx);
return ret;
}
ret = CRYPTO_gcm128_encrypt(gctx,
get_EMTD_V1(fmt),
get_EMTD_V1(fmt),
SIZE_OF_EMTD_V1);
if (ret) {
gf_log("crypt", GF_LOG_ERROR, " CRYPTO_gcm128_encrypt failed");
CRYPTO_gcm128_release(gctx);
return ret;
}
/*
* set MAC of encrypted part of metadata
*/
CRYPTO_gcm128_tag(gctx, get_EMTD_V1_MAC(fmt), SIZE_OF_EMTD_V1_MAC);
CRYPTO_gcm128_release(gctx);
/*
* set the first MAC of non-encrypted part of metadata
*/
return create_link_mac_v1(fmt, 0, loc, info, master);
}
static int run_test_case(unsigned test_num, const struct test_case *test) {
size_t key_len, plaintext_len, additional_data_len, nonce_len, ciphertext_len,
tag_len;
uint8_t *key = NULL, *plaintext = NULL, *additional_data = NULL,
*nonce = NULL, *ciphertext = NULL, *tag = NULL, *out = NULL;
int ret = 0;
AES_KEY aes_key;
GCM128_CONTEXT ctx;
if (!decode_hex(&key, &key_len, test->key, test_num, "key") ||
!decode_hex(&plaintext, &plaintext_len, test->plaintext, test_num,
"plaintext") ||
!decode_hex(&additional_data, &additional_data_len, test->additional_data,
test_num, "additional_data") ||
!decode_hex(&nonce, &nonce_len, test->nonce, test_num, "nonce") ||
!decode_hex(&ciphertext, &ciphertext_len, test->ciphertext, test_num,
"ciphertext") ||
!decode_hex(&tag, &tag_len, test->tag, test_num, "tag")) {
goto out;
}
if (plaintext_len != ciphertext_len) {
fprintf(stderr, "%u: plaintext and ciphertext have differing lengths.\n",
test_num);
goto out;
}
if (key_len != 16 && key_len != 24 && key_len != 32) {
fprintf(stderr, "%u: bad key length.\n", test_num);
goto out;
}
if (tag_len != 16) {
fprintf(stderr, "%u: bad tag length.\n", test_num);
goto out;
}
out = OPENSSL_malloc(plaintext_len);
if (AES_set_encrypt_key(key, key_len*8, &aes_key)) {
fprintf(stderr, "%u: AES_set_encrypt_key failed.\n", test_num);
goto out;
}
CRYPTO_gcm128_init(&ctx, &aes_key, (block128_f) AES_encrypt);
CRYPTO_gcm128_setiv(&ctx, nonce, nonce_len);
memset(out, 0, plaintext_len);
if (additional_data) {
CRYPTO_gcm128_aad(&ctx, additional_data, additional_data_len);
}
if (plaintext) {
CRYPTO_gcm128_encrypt(&ctx, plaintext, out, plaintext_len);
}
if (!CRYPTO_gcm128_finish(&ctx, tag, tag_len) ||
(ciphertext && memcmp(out, ciphertext, plaintext_len) != 0)) {
fprintf(stderr, "%u: encrypt failed.\n", test_num);
hexdump("got ", out, plaintext_len);
hexdump("want", ciphertext, plaintext_len);
goto out;
}
CRYPTO_gcm128_setiv(&ctx, nonce, nonce_len);
memset(out, 0, plaintext_len);
if (additional_data) {
CRYPTO_gcm128_aad(&ctx, additional_data, additional_data_len);
}
if (ciphertext) {
CRYPTO_gcm128_decrypt(&ctx, ciphertext, out, plaintext_len);
}
if (!CRYPTO_gcm128_finish(&ctx, tag, tag_len)) {
fprintf(stderr, "%u: decrypt failed.\n", test_num);
goto out;
}
if (plaintext && memcmp(out, plaintext, plaintext_len)) {
fprintf(stderr, "%u: plaintext doesn't match.\n", test_num);
goto out;
}
ret = 1;
out:
OPENSSL_free(key);
OPENSSL_free(plaintext);
OPENSSL_free(additional_data);
OPENSSL_free(nonce);
OPENSSL_free(ciphertext);
OPENSSL_free(tag);
OPENSSL_free(out);
return ret;
}
static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
size_t len) {
EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
/* If not set up, return error */
if (!gctx->key_set) {
return -1;
}
if (!gctx->iv_set) {
return -1;
}
if (in) {
if (out == NULL) {
if (!CRYPTO_gcm128_aad(&gctx->gcm, in, len)) {
return -1;
}
} else if (ctx->encrypt) {
if (gctx->ctr) {
size_t bulk = 0;
#if defined(AES_GCM_ASM)
if (len >= 32 && AES_GCM_ASM(gctx)) {
size_t res = (16 - gctx->gcm.mres) % 16;
if (!CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) {
return -1;
}
bulk = AES_gcm_encrypt(in + res, out + res, len - res, gctx->gcm.key,
gctx->gcm.Yi.c, gctx->gcm.Xi.u);
gctx->gcm.len.u[1] += bulk;
bulk += res;
}
#endif
if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in + bulk, out + bulk,
len - bulk, gctx->ctr)) {
return -1;
}
} else {
size_t bulk = 0;
if (!CRYPTO_gcm128_encrypt(&gctx->gcm, in + bulk, out + bulk,
len - bulk)) {
return -1;
}
}
} else {
if (gctx->ctr) {
size_t bulk = 0;
#if defined(AES_GCM_ASM)
if (len >= 16 && AES_GCM_ASM(gctx)) {
size_t res = (16 - gctx->gcm.mres) % 16;
if (!CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) {
return -1;
}
bulk = AES_gcm_decrypt(in + res, out + res, len - res, gctx->gcm.key,
gctx->gcm.Yi.c, gctx->gcm.Xi.u);
gctx->gcm.len.u[1] += bulk;
bulk += res;
}
#endif
if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in + bulk, out + bulk,
len - bulk, gctx->ctr)) {
return -1;
}
} else {
size_t bulk = 0;
if (!CRYPTO_gcm128_decrypt(&gctx->gcm, in + bulk, out + bulk,
len - bulk)) {
return -1;
}
}
}
return len;
} else {
if (!ctx->encrypt) {
if (gctx->taglen < 0 ||
!CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) {
return -1;
}
gctx->iv_set = 0;
return 0;
}
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
gctx->taglen = 16;
/* Don't reuse the IV */
gctx->iv_set = 0;
return 0;
}
}
static int
aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
int rv = -1;
/* Encrypt/decrypt must be performed in place */
if (out != in ||
len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
return -1;
/* Set IV from start of buffer or generate IV and write to start
* of buffer.
*/
if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
goto err;
/* Use saved AAD */
if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
goto err;
/* Fix buffer and length to point to payload */
in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
if (ctx->encrypt) {
/* Encrypt payload */
if (gctx->ctr) {
if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
len, gctx->ctr))
goto err;
} else {
if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
goto err;
}
out += len;
/* Finally write tag */
CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
} else {
/* Decrypt */
if (gctx->ctr) {
if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
len, gctx->ctr))
goto err;
} else {
if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
goto err;
}
/* Retrieve tag */
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
/* If tag mismatch wipe buffer */
if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
explicit_bzero(out, len);
goto err;
}
rv = len;
}
err:
gctx->iv_set = 0;
gctx->tls_aad_len = -1;
return rv;
}
