1 /* 2 * Copyright 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "aes_operation.h" 18 19 #include <stdio.h> 20 21 #include <new> 22 23 #include <UniquePtr.h> 24 25 #include <openssl/aes.h> 26 #include <openssl/err.h> 27 #include <openssl/rand.h> 28 29 #include <keymaster/logger.h> 30 31 #include "aes_key.h" 32 #include "openssl_err.h" 33 34 namespace keymaster { 35 36 static const size_t GCM_NONCE_SIZE = 12; 37 38 inline bool allows_padding(keymaster_block_mode_t block_mode) { 39 switch (block_mode) { 40 case KM_MODE_CTR: 41 case KM_MODE_GCM: 42 return false; 43 case KM_MODE_ECB: 44 case KM_MODE_CBC: 45 return true; 46 } 47 assert(false /* Can't get here */); 48 return false; 49 } 50 51 static keymaster_error_t GetAndValidateGcmTagLength(const AuthorizationSet& begin_params, 52 const AuthorizationSet& key_params, 53 size_t* tag_length) { 54 uint32_t tag_length_bits; 55 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits)) { 56 return KM_ERROR_MISSING_MAC_LENGTH; 57 } 58 59 uint32_t min_tag_length_bits; 60 if (!key_params.GetTagValue(TAG_MIN_MAC_LENGTH, &min_tag_length_bits)) { 61 LOG_E("AES GCM key must have KM_TAG_MIN_MAC_LENGTH", 0); 62 return KM_ERROR_INVALID_KEY_BLOB; 63 } 64 65 if (tag_length_bits % 8 != 0 || tag_length_bits > kMaxGcmTagLength || 66 tag_length_bits < kMinGcmTagLength) { 67 return KM_ERROR_UNSUPPORTED_MAC_LENGTH; 68 } 69 70 if (tag_length_bits < min_tag_length_bits) { 71 return KM_ERROR_INVALID_MAC_LENGTH; 72 } 73 74 *tag_length = tag_length_bits / 8; 75 return KM_ERROR_OK; 76 } 77 78 Operation* AesOperationFactory::CreateOperation(const Key& key, 79 const AuthorizationSet& begin_params, 80 keymaster_error_t* error) { 81 *error = KM_ERROR_OK; 82 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key); 83 84 switch (symmetric_key->key_data_size()) { 85 case 16: 86 case 24: 87 case 32: 88 break; 89 default: 90 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE; 91 return nullptr; 92 } 93 94 keymaster_block_mode_t block_mode; 95 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) { 96 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE)); 97 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE; 98 return nullptr; 99 } else if (!supported(block_mode)) { 100 LOG_E("Block mode %d not supported", block_mode); 101 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE; 102 return nullptr; 103 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) { 104 LOG_E("Block mode %d was specified, but not authorized by key", block_mode); 105 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE; 106 return nullptr; 107 } 108 109 size_t tag_length = 0; 110 if (block_mode == KM_MODE_GCM) { 111 *error = GetAndValidateGcmTagLength(begin_params, key.authorizations(), &tag_length); 112 if (*error != KM_ERROR_OK) { 113 return nullptr; 114 } 115 } 116 117 keymaster_padding_t padding; 118 if (!GetAndValidatePadding(begin_params, key, &padding, error)) { 119 return nullptr; 120 } 121 if (!allows_padding(block_mode) && padding != KM_PAD_NONE) { 122 LOG_E("Mode does not support padding", 0); 123 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE; 124 return nullptr; 125 } 126 127 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE); 128 129 Operation* op = nullptr; 130 switch (purpose()) { 131 case KM_PURPOSE_ENCRYPT: 132 op = new (std::nothrow) 133 AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length, 134 symmetric_key->key_data(), symmetric_key->key_data_size()); 135 break; 136 case KM_PURPOSE_DECRYPT: 137 op = new (std::nothrow) 138 AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(), 139 symmetric_key->key_data_size()); 140 break; 141 default: 142 *error = KM_ERROR_UNSUPPORTED_PURPOSE; 143 return nullptr; 144 } 145 146 if (!op) 147 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 148 return op; 149 } 150 151 static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC, 152 KM_MODE_CTR, KM_MODE_GCM}; 153 154 const keymaster_block_mode_t* 155 AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const { 156 *block_mode_count = array_length(supported_block_modes); 157 return supported_block_modes; 158 } 159 160 static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7}; 161 const keymaster_padding_t* 162 AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const { 163 *padding_mode_count = array_length(supported_padding_modes); 164 return supported_padding_modes; 165 } 166 167 AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode, 168 keymaster_padding_t padding, bool caller_iv, size_t tag_length, 169 const uint8_t* key, size_t key_size) 170 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length), 171 data_started_(false), key_size_(key_size), padding_(padding) { 172 memcpy(key_, key, key_size_); 173 EVP_CIPHER_CTX_init(&ctx_); 174 } 175 176 AesEvpOperation::~AesEvpOperation() { 177 EVP_CIPHER_CTX_cleanup(&ctx_); 178 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0); 179 } 180 181 keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */, 182 AuthorizationSet* /* output_params */) { 183 if (block_mode_ == KM_MODE_GCM) { 184 aad_block_buf_length_ = 0; 185 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]); 186 if (!aad_block_buf_.get()) 187 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 188 } 189 190 return InitializeCipher(); 191 } 192 193 keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params, 194 const Buffer& input, 195 AuthorizationSet* /* output_params */, Buffer* output, 196 size_t* input_consumed) { 197 keymaster_error_t error; 198 if (block_mode_ == KM_MODE_GCM) 199 if (!HandleAad(additional_params, input, &error)) 200 return error; 201 202 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error)) 203 return error; 204 *input_consumed = input.available_read(); 205 206 return KM_ERROR_OK; 207 } 208 209 inline bool is_bad_decrypt(unsigned long error) { 210 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && // 211 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT); 212 } 213 214 keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& additional_params, 215 const Buffer& input, const Buffer& /* signature */, 216 AuthorizationSet* output_params, Buffer* output) { 217 keymaster_error_t error; 218 if (!UpdateForFinish(additional_params, input, output_params, output, &error)) 219 return error; 220 221 if (!output->reserve(AES_BLOCK_SIZE)) 222 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 223 224 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(&error)) 225 return error; 226 227 int output_written = -1; 228 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) { 229 if (tag_length_ > 0) 230 return KM_ERROR_VERIFICATION_FAILED; 231 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL)); 232 return TranslateLastOpenSslError(); 233 } 234 235 assert(output_written <= AES_BLOCK_SIZE); 236 if (!output->advance_write(output_written)) 237 return KM_ERROR_UNKNOWN_ERROR; 238 return KM_ERROR_OK; 239 } 240 241 bool AesEvpOperation::need_iv() const { 242 switch (block_mode_) { 243 case KM_MODE_CBC: 244 case KM_MODE_CTR: 245 case KM_MODE_GCM: 246 return true; 247 case KM_MODE_ECB: 248 return false; 249 default: 250 // Shouldn't get here. 251 assert(false); 252 return false; 253 } 254 } 255 256 keymaster_error_t AesEvpOperation::InitializeCipher() { 257 const EVP_CIPHER* cipher; 258 switch (block_mode_) { 259 case KM_MODE_ECB: 260 switch (key_size_) { 261 case 16: 262 cipher = EVP_aes_128_ecb(); 263 break; 264 case 24: 265 cipher = EVP_aes_192_ecb(); 266 break; 267 case 32: 268 cipher = EVP_aes_256_ecb(); 269 break; 270 default: 271 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 272 } 273 break; 274 case KM_MODE_CBC: 275 switch (key_size_) { 276 case 16: 277 cipher = EVP_aes_128_cbc(); 278 break; 279 case 24: 280 cipher = EVP_aes_192_cbc(); 281 break; 282 case 32: 283 cipher = EVP_aes_256_cbc(); 284 break; 285 default: 286 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 287 } 288 break; 289 case KM_MODE_CTR: 290 switch (key_size_) { 291 case 16: 292 cipher = EVP_aes_128_ctr(); 293 break; 294 case 24: 295 cipher = EVP_aes_192_ctr(); 296 break; 297 case 32: 298 cipher = EVP_aes_256_ctr(); 299 break; 300 default: 301 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 302 } 303 break; 304 case KM_MODE_GCM: 305 switch (key_size_) { 306 case 16: 307 cipher = EVP_aes_128_gcm(); 308 break; 309 case 24: 310 cipher = EVP_aes_192_gcm(); 311 break; 312 case 32: 313 cipher = EVP_aes_256_gcm(); 314 break; 315 default: 316 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 317 } 318 break; 319 default: 320 return KM_ERROR_UNSUPPORTED_BLOCK_MODE; 321 } 322 323 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode())) 324 return TranslateLastOpenSslError(); 325 326 switch (padding_) { 327 case KM_PAD_NONE: 328 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */); 329 break; 330 case KM_PAD_PKCS7: 331 // This is the default for OpenSSL EVP cipher operations. 332 break; 333 default: 334 return KM_ERROR_UNSUPPORTED_PADDING_MODE; 335 } 336 337 if (block_mode_ == KM_MODE_GCM) { 338 aad_block_buf_length_ = 0; 339 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]); 340 if (!aad_block_buf_.get()) 341 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 342 } 343 344 return KM_ERROR_OK; 345 } 346 347 keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) { 348 keymaster_blob_t iv_blob; 349 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) { 350 LOG_E("No IV provided", 0); 351 return KM_ERROR_INVALID_ARGUMENT; 352 } 353 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) { 354 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE, 355 iv_blob.data_length); 356 return KM_ERROR_INVALID_NONCE; 357 } 358 if (block_mode_ == KM_MODE_GCM && iv_blob.data_length != GCM_NONCE_SIZE) { 359 LOG_E("Expected %d-byte nonce for AES-GCM operation, but got %d bytes", GCM_NONCE_SIZE, 360 iv_blob.data_length); 361 return KM_ERROR_INVALID_NONCE; 362 } 363 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length)); 364 if (!iv_.get()) 365 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 366 iv_length_ = iv_blob.data_length; 367 return KM_ERROR_OK; 368 } 369 370 /* 371 * Process Incoming Associated Authentication Data. 372 * 373 * This method is more complex than might be expected, because the underlying library silently does 374 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in 375 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data. 376 */ 377 bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input, 378 keymaster_error_t* error) { 379 assert(tag_length_ > 0); 380 assert(error); 381 382 keymaster_blob_t aad; 383 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) { 384 if (data_started_) { 385 *error = KM_ERROR_INVALID_TAG; 386 return false; 387 } 388 389 if (aad_block_buf_length_ > 0) { 390 FillBufferedAadBlock(&aad); 391 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error)) 392 return false; 393 } 394 395 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE; 396 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error)) 397 return false; 398 aad.data += blocks_to_process * AES_BLOCK_SIZE; 399 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE; 400 401 FillBufferedAadBlock(&aad); 402 assert(aad.data_length == 0); 403 } 404 405 if (input.available_read()) { 406 data_started_ = true; 407 // Data has begun, no more AAD is allowed. Process any buffered AAD. 408 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error)) 409 return false; 410 } 411 412 return true; 413 } 414 415 bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) { 416 int output_written; 417 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(), 418 aad_block_buf_length_)) { 419 aad_block_buf_length_ = 0; 420 return true; 421 } 422 *error = TranslateLastOpenSslError(); 423 return false; 424 } 425 426 bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks, 427 keymaster_error_t* error) { 428 int output_written; 429 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE)) 430 return true; 431 *error = TranslateLastOpenSslError(); 432 return false; 433 } 434 435 inline size_t min(size_t a, size_t b) { 436 return (a < b) ? a : b; 437 } 438 439 void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) { 440 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length); 441 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer); 442 aad->data += to_buffer; 443 aad->data_length -= to_buffer; 444 aad_block_buf_length_ += to_buffer; 445 } 446 447 bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output, 448 keymaster_error_t* error) { 449 assert(output); 450 assert(error); 451 452 if (!input_length) 453 return true; 454 455 if (!output->reserve(input_length + AES_BLOCK_SIZE)) { 456 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 457 return false; 458 } 459 460 int output_written = -1; 461 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) { 462 *error = TranslateLastOpenSslError(); 463 return false; 464 } 465 return output->advance_write(output_written); 466 } 467 468 bool AesEvpOperation::UpdateForFinish(const AuthorizationSet& additional_params, 469 const Buffer& input, AuthorizationSet* output_params, 470 Buffer* output, keymaster_error_t* error) { 471 if (input.available_read() || !additional_params.empty()) { 472 size_t input_consumed; 473 *error = Update(additional_params, input, output_params, output, &input_consumed); 474 if (*error != KM_ERROR_OK) 475 return false; 476 if (input_consumed != input.available_read()) { 477 *error = KM_ERROR_INVALID_INPUT_LENGTH; 478 return false; 479 } 480 } 481 482 return true; 483 } 484 485 keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params, 486 AuthorizationSet* output_params) { 487 if (!output_params) 488 return KM_ERROR_OUTPUT_PARAMETER_NULL; 489 490 if (need_iv()) { 491 keymaster_error_t error = KM_ERROR_OK; 492 if (input_params.find(TAG_NONCE) == -1) 493 error = GenerateIv(); 494 else if (caller_iv_) 495 error = GetIv(input_params); 496 else 497 error = KM_ERROR_CALLER_NONCE_PROHIBITED; 498 499 if (error == KM_ERROR_OK) 500 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_); 501 else 502 return error; 503 } 504 505 return AesEvpOperation::Begin(input_params, output_params); 506 } 507 508 keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params, 509 const Buffer& input, const Buffer& signature, 510 AuthorizationSet* output_params, Buffer* output) { 511 if (!output->reserve(input.available_read() + AES_BLOCK_SIZE + tag_length_)) 512 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 513 514 keymaster_error_t error = 515 AesEvpOperation::Finish(additional_params, input, signature, output_params, output); 516 if (error != KM_ERROR_OK) 517 return error; 518 519 if (tag_length_ > 0) { 520 if (!output->reserve(tag_length_)) 521 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 522 523 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write())) 524 return TranslateLastOpenSslError(); 525 if (!output->advance_write(tag_length_)) 526 return KM_ERROR_UNKNOWN_ERROR; 527 } 528 529 return KM_ERROR_OK; 530 } 531 532 keymaster_error_t AesEvpEncryptOperation::GenerateIv() { 533 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_NONCE_SIZE : AES_BLOCK_SIZE; 534 iv_.reset(new (std::nothrow) uint8_t[iv_length_]); 535 if (!iv_.get()) 536 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 537 if (RAND_bytes(iv_.get(), iv_length_) != 1) 538 return TranslateLastOpenSslError(); 539 return KM_ERROR_OK; 540 } 541 542 keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params, 543 AuthorizationSet* output_params) { 544 if (need_iv()) { 545 keymaster_error_t error = GetIv(input_params); 546 if (error != KM_ERROR_OK) 547 return error; 548 } 549 550 if (tag_length_ > 0) { 551 tag_buf_length_ = 0; 552 tag_buf_.reset(new (std::nothrow) uint8_t[tag_length_]); 553 if (!tag_buf_.get()) 554 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 555 } 556 557 return AesEvpOperation::Begin(input_params, output_params); 558 } 559 560 keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params, 561 const Buffer& input, 562 AuthorizationSet* /* output_params */, 563 Buffer* output, size_t* input_consumed) { 564 if (!output || !input_consumed) 565 return KM_ERROR_OUTPUT_PARAMETER_NULL; 566 567 // Barring error, we'll consume it all. 568 *input_consumed = input.available_read(); 569 570 keymaster_error_t error; 571 if (block_mode_ == KM_MODE_GCM) { 572 if (!HandleAad(additional_params, input, &error)) 573 return error; 574 return ProcessAllButTagLengthBytes(input, output); 575 } 576 577 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error)) 578 return error; 579 return KM_ERROR_OK; 580 } 581 582 keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input, 583 Buffer* output) { 584 if (input.available_read() <= tag_buf_unused()) { 585 BufferCandidateTagData(input.peek_read(), input.available_read()); 586 return KM_ERROR_OK; 587 } 588 589 const size_t data_available = tag_buf_length_ + input.available_read(); 590 591 const size_t to_process = data_available - tag_length_; 592 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_); 593 const size_t to_process_from_input = to_process - to_process_from_tag_buf; 594 595 if (!output->reserve(to_process + AES_BLOCK_SIZE)) 596 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 597 598 keymaster_error_t error; 599 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error)) 600 return error; 601 602 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error)) 603 return error; 604 605 BufferCandidateTagData(input.peek_read() + to_process_from_input, 606 input.available_read() - to_process_from_input); 607 assert(tag_buf_unused() == 0); 608 609 return KM_ERROR_OK; 610 } 611 612 bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output, 613 keymaster_error_t* error) { 614 assert(to_process <= tag_buf_length_); 615 if (!InternalUpdate(tag_buf_.get(), to_process, output, error)) 616 return false; 617 if (to_process < tag_buf_length_) 618 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process); 619 tag_buf_length_ -= to_process; 620 return true; 621 } 622 623 void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) { 624 assert(data_length <= tag_length_ - tag_buf_length_); 625 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length); 626 tag_buf_length_ += data_length; 627 } 628 629 keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params, 630 const Buffer& input, const Buffer& signature, 631 AuthorizationSet* output_params, Buffer* output) { 632 keymaster_error_t error; 633 if (!UpdateForFinish(additional_params, input, output_params, output, &error)) 634 return error; 635 636 if (tag_buf_length_ < tag_length_) 637 return KM_ERROR_INVALID_INPUT_LENGTH; 638 else if (tag_length_ > 0 && 639 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get())) 640 return TranslateLastOpenSslError(); 641 642 AuthorizationSet empty_params; 643 Buffer empty_input; 644 return AesEvpOperation::Finish(empty_params, empty_input, signature, output_params, output); 645 } 646 647 keymaster_error_t AesEvpOperation::Abort() { 648 return KM_ERROR_OK; 649 } 650 651 } // namespace keymaster 652
