1 /* Copyright (c) 2017, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/aead.h> 16 17 #include <assert.h> 18 19 #include <openssl/cipher.h> 20 #include <openssl/cpu.h> 21 #include <openssl/crypto.h> 22 #include <openssl/err.h> 23 24 #include "../fipsmodule/cipher/internal.h" 25 26 27 #define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12 28 #define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16 29 30 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) 31 32 /* Optimised AES-GCM-SIV */ 33 34 struct aead_aes_gcm_siv_asm_ctx { 35 alignas(16) uint8_t key[16*15]; 36 int is_128_bit; 37 }; 38 39 /* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to 40 * |out_expanded_key|. */ 41 extern void aes128gcmsiv_aes_ks( 42 const uint8_t key[16], uint8_t out_expanded_key[16*15]); 43 44 /* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to 45 * |out_expanded_key|. */ 46 extern void aes256gcmsiv_aes_ks( 47 const uint8_t key[16], uint8_t out_expanded_key[16*15]); 48 49 static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 50 size_t key_len, size_t tag_len) { 51 const size_t key_bits = key_len * 8; 52 53 if (key_bits != 128 && key_bits != 256) { 54 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); 55 return 0; /* EVP_AEAD_CTX_init should catch this. */ 56 } 57 58 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { 59 tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN; 60 } 61 62 if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) { 63 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); 64 return 0; 65 } 66 67 struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = 68 OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_asm_ctx)); 69 if (gcm_siv_ctx == NULL) { 70 return 0; 71 } 72 73 /* malloc should return a 16-byte-aligned address. */ 74 assert((((uintptr_t)gcm_siv_ctx) & 15) == 0); 75 76 if (key_bits == 128) { 77 aes128gcmsiv_aes_ks(key, &gcm_siv_ctx->key[0]); 78 gcm_siv_ctx->is_128_bit = 1; 79 } else { 80 aes256gcmsiv_aes_ks(key, &gcm_siv_ctx->key[0]); 81 gcm_siv_ctx->is_128_bit = 0; 82 } 83 ctx->aead_state = gcm_siv_ctx; 84 ctx->tag_len = tag_len; 85 86 return 1; 87 } 88 89 static void aead_aes_gcm_siv_asm_cleanup(EVP_AEAD_CTX *ctx) { 90 struct aead_aes_gcm_siv_asm_ctx *gcm_siv_asm_ctx = ctx->aead_state; 91 OPENSSL_cleanse(gcm_siv_asm_ctx, sizeof(struct aead_aes_gcm_siv_asm_ctx)); 92 OPENSSL_free(gcm_siv_asm_ctx); 93 } 94 95 /* aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to 96 * include a number (|in_blocks|) of 16-byte blocks of data from |in|, given 97 * the POLYVAL key in |key|. */ 98 extern void aesgcmsiv_polyval_horner(const uint8_t in_out_poly[16], 99 const uint8_t key[16], const uint8_t *in, 100 size_t in_blocks); 101 102 /* aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|. */ 103 extern void aesgcmsiv_htable_init(uint8_t out_htable[16 * 8], 104 const uint8_t auth_key[16]); 105 106 /* aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|. */ 107 extern void aesgcmsiv_htable6_init(uint8_t out_htable[16 * 6], 108 const uint8_t auth_key[16]); 109 110 /* aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to 111 * include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple 112 * of 16.) It uses the precomputed powers of the key given in |htable|. */ 113 extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8], 114 const uint8_t *in, size_t in_len, 115 uint8_t in_out_poly[16]); 116 117 /* aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to 118 * |in|. (The full value of |in_len| is still used to find the authentication 119 * tag appended to the ciphertext, however, so must not be pre-masked.) 120 * 121 * |in| and |out| may be equal, but must not otherwise overlap. 122 * 123 * While decrypting, it updates the POLYVAL value found at the beginning of 124 * |in_out_calculated_tag_and_scratch| and writes the updated value back before 125 * return. During executation, it may use the whole of this space for other 126 * purposes. In order to decrypt and update the POLYVAL value, it uses the 127 * expanded key from |key| and the table of powers in |htable|. */ 128 extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out, 129 uint8_t in_out_calculated_tag_and_scratch[16 * 8], 130 const uint8_t htable[16 * 6], 131 const struct aead_aes_gcm_siv_asm_ctx *key, 132 size_t in_len); 133 134 /* aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256. */ 135 extern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out, 136 uint8_t in_out_calculated_tag_and_scratch[16 * 8], 137 const uint8_t htable[16 * 6], 138 const struct aead_aes_gcm_siv_asm_ctx *key, 139 size_t in_len); 140 141 /* aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from 142 * |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of 143 * the nonce are used, 16 bytes are read and so the value must be 144 * right-padded. */ 145 extern void aes128gcmsiv_kdf(const uint8_t nonce[16], 146 uint64_t out_key_material[8], 147 const uint8_t *key_schedule); 148 149 /* aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256. */ 150 extern void aes256gcmsiv_kdf(const uint8_t nonce[16], 151 uint64_t out_key_material[12], 152 const uint8_t *key_schedule); 153 154 /* aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in 155 * |key|, writes the expanded key to |out_expanded_key| and encrypts a single 156 * block from |in| to |out|. */ 157 extern void aes128gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16], 158 uint8_t out_expanded_key[16 * 15], 159 const uint64_t key[2]); 160 161 /* aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for 162 * AES-256. */ 163 extern void aes256gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16], 164 uint8_t out_expanded_key[16 * 15], 165 const uint64_t key[4]); 166 167 /* aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using 168 * the expanded key in |expanded_key|. */ 169 extern void aes128gcmsiv_ecb_enc_block( 170 const uint8_t in[16], uint8_t out[16], 171 const struct aead_aes_gcm_siv_asm_ctx *expanded_key); 172 173 /* aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for 174 * AES-256. */ 175 extern void aes256gcmsiv_ecb_enc_block( 176 const uint8_t in[16], uint8_t out[16], 177 const struct aead_aes_gcm_siv_asm_ctx *expanded_key); 178 179 /* aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the 180 * expanded key from |key|. (The value of |in_len| must be a multiple of 16.) 181 * The |in| and |out| buffers may be equal but must not otherwise overlap. The 182 * initial counter is constructed from the given |tag| as required by 183 * AES-GCM-SIV. */ 184 extern void aes128gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out, 185 const uint8_t *tag, 186 const struct aead_aes_gcm_siv_asm_ctx *key, 187 size_t in_len); 188 189 /* aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for 190 * AES-256. */ 191 extern void aes256gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out, 192 const uint8_t *tag, 193 const struct aead_aes_gcm_siv_asm_ctx *key, 194 size_t in_len); 195 196 /* aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is 197 * optimised for longer messages. */ 198 extern void aes128gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out, 199 const uint8_t *tag, 200 const struct aead_aes_gcm_siv_asm_ctx *key, 201 size_t in_len); 202 203 /* aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is 204 * optimised for longer messages. */ 205 extern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out, 206 const uint8_t *tag, 207 const struct aead_aes_gcm_siv_asm_ctx *key, 208 size_t in_len); 209 210 /* gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext 211 * and AD. The result is written to |out_tag|. */ 212 static void gcm_siv_asm_polyval(uint8_t out_tag[16], const uint8_t *in, 213 size_t in_len, const uint8_t *ad, size_t ad_len, 214 const uint8_t auth_key[16], 215 const uint8_t nonce[12]) { 216 OPENSSL_memset(out_tag, 0, 16); 217 const size_t ad_blocks = ad_len / 16; 218 const size_t in_blocks = in_len / 16; 219 int htable_init = 0; 220 alignas(16) uint8_t htable[16*8]; 221 222 if (ad_blocks > 8 || in_blocks > 8) { 223 htable_init = 1; 224 aesgcmsiv_htable_init(htable, auth_key); 225 } 226 227 if (htable_init) { 228 aesgcmsiv_htable_polyval(htable, ad, ad_len & ~15, out_tag); 229 } else { 230 aesgcmsiv_polyval_horner(out_tag, auth_key, ad, ad_blocks); 231 } 232 233 uint8_t scratch[16]; 234 if (ad_len & 15) { 235 OPENSSL_memset(scratch, 0, sizeof(scratch)); 236 OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15); 237 aesgcmsiv_polyval_horner(out_tag, auth_key, scratch, 1); 238 } 239 240 if (htable_init) { 241 aesgcmsiv_htable_polyval(htable, in, in_len & ~15, out_tag); 242 } else { 243 aesgcmsiv_polyval_horner(out_tag, auth_key, in, in_blocks); 244 } 245 246 if (in_len & 15) { 247 OPENSSL_memset(scratch, 0, sizeof(scratch)); 248 OPENSSL_memcpy(scratch, &in[in_len & ~15], in_len & 15); 249 aesgcmsiv_polyval_horner(out_tag, auth_key, scratch, 1); 250 } 251 252 union { 253 uint8_t c[16]; 254 struct { 255 uint64_t ad; 256 uint64_t in; 257 } bitlens; 258 } length_block; 259 260 length_block.bitlens.ad = ad_len * 8; 261 length_block.bitlens.in = in_len * 8; 262 aesgcmsiv_polyval_horner(out_tag, auth_key, length_block.c, 1); 263 264 for (size_t i = 0; i < 12; i++) { 265 out_tag[i] ^= nonce[i]; 266 } 267 268 out_tag[15] &= 0x7f; 269 } 270 271 /* aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption 272 * (same thing in CTR mode) of the final block of a plaintext/ciphertext. It 273 * writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter 274 * derived from |tag|. */ 275 static void aead_aes_gcm_siv_asm_crypt_last_block( 276 int is_128_bit, uint8_t *out, const uint8_t *in, size_t in_len, 277 const uint8_t tag[16], 278 const struct aead_aes_gcm_siv_asm_ctx *enc_key_expanded) { 279 alignas(16) union { 280 uint8_t c[16]; 281 uint32_t u32[4]; 282 } counter; 283 OPENSSL_memcpy(&counter, tag, sizeof(counter)); 284 counter.c[15] |= 0x80; 285 counter.u32[0] += in_len / 16; 286 287 if (is_128_bit) { 288 aes128gcmsiv_ecb_enc_block(&counter.c[0], &counter.c[0], enc_key_expanded); 289 } else { 290 aes256gcmsiv_ecb_enc_block(&counter.c[0], &counter.c[0], enc_key_expanded); 291 } 292 293 const size_t last_bytes_offset = in_len & ~15; 294 const size_t last_bytes_len = in_len & 15; 295 uint8_t *last_bytes_out = &out[last_bytes_offset]; 296 const uint8_t *last_bytes_in = &in[last_bytes_offset]; 297 for (size_t i = 0; i < last_bytes_len; i++) { 298 last_bytes_out[i] = last_bytes_in[i] ^ counter.c[i]; 299 } 300 } 301 302 /* aead_aes_gcm_siv_kdf calculates the record encryption and authentication 303 * keys given the |nonce|. */ 304 static void aead_aes_gcm_siv_kdf( 305 int is_128_bit, const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx, 306 uint64_t out_record_auth_key[2], uint64_t out_record_enc_key[4], 307 const uint8_t nonce[12]) { 308 alignas(16) uint8_t padded_nonce[16]; 309 OPENSSL_memcpy(padded_nonce, nonce, 12); 310 311 alignas(16) uint64_t key_material[12]; 312 if (is_128_bit) { 313 aes128gcmsiv_kdf(padded_nonce, key_material, &gcm_siv_ctx->key[0]); 314 out_record_enc_key[0] = key_material[4]; 315 out_record_enc_key[1] = key_material[6]; 316 } else { 317 aes256gcmsiv_kdf(padded_nonce, key_material, &gcm_siv_ctx->key[0]); 318 out_record_enc_key[0] = key_material[4]; 319 out_record_enc_key[1] = key_material[6]; 320 out_record_enc_key[2] = key_material[8]; 321 out_record_enc_key[3] = key_material[10]; 322 } 323 324 out_record_auth_key[0] = key_material[0]; 325 out_record_auth_key[1] = key_material[2]; 326 } 327 328 static int aead_aes_gcm_siv_asm_seal_scatter( 329 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 330 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, 331 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, 332 size_t extra_in_len, const uint8_t *ad, size_t ad_len) { 333 const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = ctx->aead_state; 334 const uint64_t in_len_64 = in_len; 335 const uint64_t ad_len_64 = ad_len; 336 337 if (in_len_64 > (UINT64_C(1) << 36) || 338 ad_len_64 >= (UINT64_C(1) << 61)) { 339 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 340 return 0; 341 } 342 343 if (max_out_tag_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN) { 344 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 345 return 0; 346 } 347 348 if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) { 349 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); 350 return 0; 351 } 352 353 alignas(16) uint64_t record_auth_key[2]; 354 alignas(16) uint64_t record_enc_key[4]; 355 aead_aes_gcm_siv_kdf(gcm_siv_ctx->is_128_bit, gcm_siv_ctx, record_auth_key, 356 record_enc_key, nonce); 357 358 alignas(16) uint8_t tag[16] = {0}; 359 gcm_siv_asm_polyval(tag, in, in_len, ad, ad_len, 360 (const uint8_t *)record_auth_key, nonce); 361 362 struct aead_aes_gcm_siv_asm_ctx enc_key_expanded; 363 364 if (gcm_siv_ctx->is_128_bit) { 365 aes128gcmsiv_aes_ks_enc_x1(tag, tag, &enc_key_expanded.key[0], 366 record_enc_key); 367 368 if (in_len < 128) { 369 aes128gcmsiv_enc_msg_x4(in, out, tag, &enc_key_expanded, in_len & ~15); 370 } else { 371 aes128gcmsiv_enc_msg_x8(in, out, tag, &enc_key_expanded, in_len & ~15); 372 } 373 } else { 374 aes256gcmsiv_aes_ks_enc_x1(tag, tag, &enc_key_expanded.key[0], 375 record_enc_key); 376 377 if (in_len < 128) { 378 aes256gcmsiv_enc_msg_x4(in, out, tag, &enc_key_expanded, in_len & ~15); 379 } else { 380 aes256gcmsiv_enc_msg_x8(in, out, tag, &enc_key_expanded, in_len & ~15); 381 } 382 } 383 384 if (in_len & 15) { 385 aead_aes_gcm_siv_asm_crypt_last_block(gcm_siv_ctx->is_128_bit, out, in, 386 in_len, tag, &enc_key_expanded); 387 } 388 389 OPENSSL_memcpy(out_tag, tag, sizeof(tag)); 390 *out_tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN; 391 392 return 1; 393 } 394 395 // TODO(martinkr): Add aead_aes_gcm_siv_asm_open_gather. N.B. aes128gcmsiv_dec 396 // expects ciphertext and tag in a contiguous buffer. 397 398 static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 399 size_t *out_len, size_t max_out_len, 400 const uint8_t *nonce, size_t nonce_len, 401 const uint8_t *in, size_t in_len, 402 const uint8_t *ad, size_t ad_len) { 403 const uint64_t ad_len_64 = ad_len; 404 if (ad_len_64 >= (UINT64_C(1) << 61)) { 405 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 406 return 0; 407 } 408 409 const uint64_t in_len_64 = in_len; 410 if (in_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN || 411 in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) { 412 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 413 return 0; 414 } 415 416 const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = ctx->aead_state; 417 const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN; 418 const uint8_t *const given_tag = in + plaintext_len; 419 420 if (max_out_len < plaintext_len) { 421 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 422 return 0; 423 } 424 425 alignas(16) uint64_t record_auth_key[2]; 426 alignas(16) uint64_t record_enc_key[4]; 427 aead_aes_gcm_siv_kdf(gcm_siv_ctx->is_128_bit, gcm_siv_ctx, record_auth_key, 428 record_enc_key, nonce); 429 430 struct aead_aes_gcm_siv_asm_ctx expanded_key; 431 if (gcm_siv_ctx->is_128_bit) { 432 aes128gcmsiv_aes_ks((const uint8_t *) record_enc_key, &expanded_key.key[0]); 433 } else { 434 aes256gcmsiv_aes_ks((const uint8_t *) record_enc_key, &expanded_key.key[0]); 435 } 436 /* calculated_tag is 16*8 bytes, rather than 16 bytes, because 437 * aes[128|256]gcmsiv_dec uses the extra as scratch space. */ 438 alignas(16) uint8_t calculated_tag[16 * 8] = {0}; 439 440 OPENSSL_memset(calculated_tag, 0, EVP_AEAD_AES_GCM_SIV_TAG_LEN); 441 const size_t ad_blocks = ad_len / 16; 442 aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, ad, 443 ad_blocks); 444 445 uint8_t scratch[16]; 446 if (ad_len & 15) { 447 OPENSSL_memset(scratch, 0, sizeof(scratch)); 448 OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15); 449 aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, 450 scratch, 1); 451 } 452 453 alignas(16) uint8_t htable[16 * 6]; 454 aesgcmsiv_htable6_init(htable, (const uint8_t *)record_auth_key); 455 456 if (gcm_siv_ctx->is_128_bit) { 457 aes128gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, 458 plaintext_len); 459 } else { 460 aes256gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, 461 plaintext_len); 462 } 463 464 if (plaintext_len & 15) { 465 aead_aes_gcm_siv_asm_crypt_last_block(gcm_siv_ctx->is_128_bit, out, in, 466 plaintext_len, given_tag, 467 &expanded_key); 468 OPENSSL_memset(scratch, 0, sizeof(scratch)); 469 OPENSSL_memcpy(scratch, out + (plaintext_len & ~15), plaintext_len & 15); 470 aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, 471 scratch, 1); 472 } 473 474 union { 475 uint8_t c[16]; 476 struct { 477 uint64_t ad; 478 uint64_t in; 479 } bitlens; 480 } length_block; 481 482 length_block.bitlens.ad = ad_len * 8; 483 length_block.bitlens.in = plaintext_len * 8; 484 aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, 485 length_block.c, 1); 486 487 for (size_t i = 0; i < 12; i++) { 488 calculated_tag[i] ^= nonce[i]; 489 } 490 491 calculated_tag[15] &= 0x7f; 492 493 if (gcm_siv_ctx->is_128_bit) { 494 aes128gcmsiv_ecb_enc_block(calculated_tag, calculated_tag, &expanded_key); 495 } else { 496 aes256gcmsiv_ecb_enc_block(calculated_tag, calculated_tag, &expanded_key); 497 } 498 499 if (CRYPTO_memcmp(calculated_tag, given_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN) != 500 0) { 501 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 502 return 0; 503 } 504 505 *out_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN; 506 return 1; 507 } 508 509 static const EVP_AEAD aead_aes_128_gcm_siv_asm = { 510 16, /* key length */ 511 EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */ 512 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */ 513 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */ 514 0, /* seal_scatter_supports_extra_in */ 515 516 aead_aes_gcm_siv_asm_init, 517 NULL /* init_with_direction */, 518 aead_aes_gcm_siv_asm_cleanup, 519 aead_aes_gcm_siv_asm_open, 520 aead_aes_gcm_siv_asm_seal_scatter, 521 NULL /* open_gather */, 522 NULL /* get_iv */, 523 }; 524 525 static const EVP_AEAD aead_aes_256_gcm_siv_asm = { 526 32, /* key length */ 527 EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */ 528 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */ 529 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */ 530 0, /* seal_scatter_supports_extra_in */ 531 532 aead_aes_gcm_siv_asm_init, 533 NULL /* init_with_direction */, 534 aead_aes_gcm_siv_asm_cleanup, 535 aead_aes_gcm_siv_asm_open, 536 aead_aes_gcm_siv_asm_seal_scatter, 537 NULL /* open_gather */, 538 NULL /* get_iv */, 539 }; 540 541 #endif /* X86_64 && !NO_ASM */ 542 543 struct aead_aes_gcm_siv_ctx { 544 union { 545 double align; 546 AES_KEY ks; 547 } ks; 548 block128_f kgk_block; 549 unsigned is_256:1; 550 }; 551 552 static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key, 553 size_t key_len, size_t tag_len) { 554 const size_t key_bits = key_len * 8; 555 556 if (key_bits != 128 && key_bits != 256) { 557 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); 558 return 0; /* EVP_AEAD_CTX_init should catch this. */ 559 } 560 561 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) { 562 tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN; 563 } 564 if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) { 565 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE); 566 return 0; 567 } 568 569 struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = 570 OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_ctx)); 571 if (gcm_siv_ctx == NULL) { 572 return 0; 573 } 574 OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx)); 575 576 aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key, 577 key_len); 578 gcm_siv_ctx->is_256 = (key_len == 32); 579 ctx->aead_state = gcm_siv_ctx; 580 ctx->tag_len = tag_len; 581 582 return 1; 583 } 584 585 static void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) { 586 struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state; 587 OPENSSL_cleanse(gcm_siv_ctx, sizeof(struct aead_aes_gcm_siv_ctx)); 588 OPENSSL_free(gcm_siv_ctx); 589 } 590 591 /* gcm_siv_crypt encrypts (or decryptsit's the same thing) |in_len| bytes from 592 * |in| to |out|, using the block function |enc_block| with |key| in counter 593 * mode, starting at |initial_counter|. This differs from the traditional 594 * counter mode code in that the counter is handled little-endian, only the 595 * first four bytes are used and the GCM-SIV tweak to the final byte is 596 * applied. The |in| and |out| pointers may be equal but otherwise must not 597 * alias. */ 598 static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len, 599 const uint8_t initial_counter[AES_BLOCK_SIZE], 600 block128_f enc_block, const AES_KEY *key) { 601 union { 602 uint32_t w[4]; 603 uint8_t c[16]; 604 } counter; 605 606 OPENSSL_memcpy(counter.c, initial_counter, AES_BLOCK_SIZE); 607 counter.c[15] |= 0x80; 608 609 for (size_t done = 0; done < in_len;) { 610 uint8_t keystream[AES_BLOCK_SIZE]; 611 enc_block(counter.c, keystream, key); 612 counter.w[0]++; 613 614 size_t todo = AES_BLOCK_SIZE; 615 if (in_len - done < todo) { 616 todo = in_len - done; 617 } 618 619 for (size_t i = 0; i < todo; i++) { 620 out[done + i] = keystream[i] ^ in[done + i]; 621 } 622 623 done += todo; 624 } 625 } 626 627 /* gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and 628 * AD. The result is written to |out_tag|. */ 629 static void gcm_siv_polyval( 630 uint8_t out_tag[16], const uint8_t *in, size_t in_len, const uint8_t *ad, 631 size_t ad_len, const uint8_t auth_key[16], 632 const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) { 633 struct polyval_ctx polyval_ctx; 634 CRYPTO_POLYVAL_init(&polyval_ctx, auth_key); 635 636 CRYPTO_POLYVAL_update_blocks(&polyval_ctx, ad, ad_len & ~15); 637 638 uint8_t scratch[16]; 639 if (ad_len & 15) { 640 OPENSSL_memset(scratch, 0, sizeof(scratch)); 641 OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15); 642 CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch)); 643 } 644 645 CRYPTO_POLYVAL_update_blocks(&polyval_ctx, in, in_len & ~15); 646 if (in_len & 15) { 647 OPENSSL_memset(scratch, 0, sizeof(scratch)); 648 OPENSSL_memcpy(scratch, &in[in_len & ~15], in_len & 15); 649 CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch)); 650 } 651 652 union { 653 uint8_t c[16]; 654 struct { 655 uint64_t ad; 656 uint64_t in; 657 } bitlens; 658 } length_block; 659 660 length_block.bitlens.ad = ad_len * 8; 661 length_block.bitlens.in = in_len * 8; 662 CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block.c, 663 sizeof(length_block)); 664 665 CRYPTO_POLYVAL_finish(&polyval_ctx, out_tag); 666 for (size_t i = 0; i < EVP_AEAD_AES_GCM_SIV_NONCE_LEN; i++) { 667 out_tag[i] ^= nonce[i]; 668 } 669 out_tag[15] &= 0x7f; 670 } 671 672 /* gcm_siv_record_keys contains the keys used for a specific GCM-SIV record. */ 673 struct gcm_siv_record_keys { 674 uint8_t auth_key[16]; 675 union { 676 double align; 677 AES_KEY ks; 678 } enc_key; 679 block128_f enc_block; 680 }; 681 682 /* gcm_siv_keys calculates the keys for a specific GCM-SIV record with the 683 * given nonce and writes them to |*out_keys|. */ 684 static void gcm_siv_keys( 685 const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx, 686 struct gcm_siv_record_keys *out_keys, 687 const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) { 688 const AES_KEY *const key = &gcm_siv_ctx->ks.ks; 689 uint8_t key_material[(128 /* POLYVAL key */ + 256 /* max AES key */) / 8]; 690 const size_t blocks_needed = gcm_siv_ctx->is_256 ? 6 : 4; 691 692 uint8_t counter[AES_BLOCK_SIZE]; 693 OPENSSL_memset(counter, 0, AES_BLOCK_SIZE - EVP_AEAD_AES_GCM_SIV_NONCE_LEN); 694 OPENSSL_memcpy(counter + AES_BLOCK_SIZE - EVP_AEAD_AES_GCM_SIV_NONCE_LEN, 695 nonce, EVP_AEAD_AES_GCM_SIV_NONCE_LEN); 696 for (size_t i = 0; i < blocks_needed; i++) { 697 counter[0] = i; 698 699 uint8_t ciphertext[AES_BLOCK_SIZE]; 700 gcm_siv_ctx->kgk_block(counter, ciphertext, key); 701 OPENSSL_memcpy(&key_material[i * 8], ciphertext, 8); 702 } 703 704 OPENSSL_memcpy(out_keys->auth_key, key_material, 16); 705 aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block, 706 key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16); 707 } 708 709 static int aead_aes_gcm_siv_seal_scatter( 710 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 711 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, 712 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, 713 size_t extra_in_len, const uint8_t *ad, size_t ad_len) { 714 const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state; 715 const uint64_t in_len_64 = in_len; 716 const uint64_t ad_len_64 = ad_len; 717 718 if (in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN < in_len || 719 in_len_64 > (UINT64_C(1) << 36) || 720 ad_len_64 >= (UINT64_C(1) << 61)) { 721 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 722 return 0; 723 } 724 725 if (max_out_tag_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN) { 726 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); 727 return 0; 728 } 729 730 if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) { 731 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); 732 return 0; 733 } 734 735 struct gcm_siv_record_keys keys; 736 gcm_siv_keys(gcm_siv_ctx, &keys, nonce); 737 738 uint8_t tag[16]; 739 gcm_siv_polyval(tag, in, in_len, ad, ad_len, keys.auth_key, nonce); 740 keys.enc_block(tag, tag, &keys.enc_key.ks); 741 742 gcm_siv_crypt(out, in, in_len, tag, keys.enc_block, &keys.enc_key.ks); 743 744 OPENSSL_memcpy(out_tag, tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN); 745 *out_tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN; 746 747 return 1; 748 } 749 750 static int aead_aes_gcm_siv_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, 751 const uint8_t *nonce, size_t nonce_len, 752 const uint8_t *in, size_t in_len, 753 const uint8_t *in_tag, 754 size_t in_tag_len, const uint8_t *ad, 755 size_t ad_len) { 756 const uint64_t ad_len_64 = ad_len; 757 if (ad_len_64 >= (UINT64_C(1) << 61)) { 758 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); 759 return 0; 760 } 761 762 const uint64_t in_len_64 = in_len; 763 if (in_tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN || 764 in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) { 765 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 766 return 0; 767 } 768 769 if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) { 770 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); 771 return 0; 772 } 773 774 const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state; 775 776 struct gcm_siv_record_keys keys; 777 gcm_siv_keys(gcm_siv_ctx, &keys, nonce); 778 779 gcm_siv_crypt(out, in, in_len, in_tag, keys.enc_block, &keys.enc_key.ks); 780 781 uint8_t expected_tag[EVP_AEAD_AES_GCM_SIV_TAG_LEN]; 782 gcm_siv_polyval(expected_tag, out, in_len, ad, ad_len, keys.auth_key, nonce); 783 keys.enc_block(expected_tag, expected_tag, &keys.enc_key.ks); 784 785 if (CRYPTO_memcmp(expected_tag, in_tag, sizeof(expected_tag)) != 0) { 786 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 787 return 0; 788 } 789 790 return 1; 791 } 792 793 static const EVP_AEAD aead_aes_128_gcm_siv = { 794 16, /* key length */ 795 EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */ 796 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */ 797 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */ 798 0, /* seal_scatter_supports_extra_in */ 799 800 aead_aes_gcm_siv_init, 801 NULL /* init_with_direction */, 802 aead_aes_gcm_siv_cleanup, 803 NULL /* open */, 804 aead_aes_gcm_siv_seal_scatter, 805 aead_aes_gcm_siv_open_gather, 806 NULL /* get_iv */, 807 }; 808 809 static const EVP_AEAD aead_aes_256_gcm_siv = { 810 32, /* key length */ 811 EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */ 812 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */ 813 EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */ 814 0, /* seal_scatter_supports_extra_in */ 815 816 aead_aes_gcm_siv_init, 817 NULL /* init_with_direction */, 818 aead_aes_gcm_siv_cleanup, 819 NULL /* open */, 820 aead_aes_gcm_siv_seal_scatter, 821 aead_aes_gcm_siv_open_gather, 822 NULL /* get_iv */, 823 }; 824 825 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) 826 827 static char avx_aesni_capable(void) { 828 const uint32_t ecx = OPENSSL_ia32cap_P[1]; 829 830 return (ecx & (1 << (57 - 32))) != 0 /* AESNI */ && 831 (ecx & (1 << 28)) != 0 /* AVX */; 832 } 833 834 const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) { 835 if (avx_aesni_capable()) { 836 return &aead_aes_128_gcm_siv_asm; 837 } 838 return &aead_aes_128_gcm_siv; 839 } 840 841 const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) { 842 if (avx_aesni_capable()) { 843 return &aead_aes_256_gcm_siv_asm; 844 } 845 return &aead_aes_256_gcm_siv; 846 } 847 848 #else 849 850 const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) { 851 return &aead_aes_128_gcm_siv; 852 } 853 854 const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) { 855 return &aead_aes_256_gcm_siv; 856 } 857 858 #endif /* X86_64 && !NO_ASM */ 859