Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / c4bfa86500fe46c0796b6d4378f9264f1c4f7d5d / . / aes_operation.cpp
blob: 9231c95d8dccb7fff15f7408d70bdcc1eba82b5a [file] [log] [blame]
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]17#include <stdio.h>
18
Shawn Willden06298102015-05-25 23:12:48 -0600[diff] [blame]19#include <UniquePtr.h>
20
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]21#include <openssl/aes.h>
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]22#include <openssl/err.h>
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]23#include <openssl/rand.h>
24
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]25#include <keymaster/logger.h>
26
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]27#include "aes_key.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]28#include "aes_operation.h"
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]29#include "openssl_err.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]30
31namespace keymaster {
32
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame^]33static const size_t GCM_NONCE_SIZE = 12;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]34static const size_t GCM_MAX_TAG_LENGTH = 16;
35static const size_t GCM_MIN_TAG_LENGTH = 12;
36
37inline bool allows_padding(keymaster_block_mode_t block_mode) {
38 return (block_mode == KM_MODE_CTR || block_mode == KM_MODE_GCM);
39}
40
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]41Operation* AesOperationFactory::CreateOperation(const Key& key,
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]42 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]43 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]44 *error = KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]45 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]46
47 switch (symmetric_key->key_data_size()) {
48 case 16:
49 case 24:
50 case 32:
51 break;
52 default:
53 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]54 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]55 }
56
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]57 keymaster_block_mode_t block_mode;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]58 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) {
59 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE));
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]60 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]61 } else if (!supported(block_mode)) {
62 LOG_E("Block mode %d not supported", block_mode);
63 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]64 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) {
65 LOG_E("Block mode %d was specified, but not authorized by key", block_mode);
66 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]67 }
68
69 size_t tag_length = 0;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]70 if (block_mode == KM_MODE_GCM) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]71 uint32_t tag_length_bits;
72 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits))
73 *error = KM_ERROR_MISSING_MAC_LENGTH;
74 tag_length = tag_length_bits / 8;
75 if (tag_length_bits % 8 != 0 || tag_length > GCM_MAX_TAG_LENGTH ||
76 tag_length < GCM_MIN_TAG_LENGTH)
77 *error = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]78 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]79
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]80 keymaster_padding_t padding;
81 if (!begin_params.GetTagValue(TAG_PADDING, &padding)) {
Shawn Willdended8e7d2015-06-01 15:29:12 -0600[diff] [blame]82 LOG_E("%d padding modes specified in begin params", begin_params.GetTagCount(TAG_PADDING));
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]83 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]84 } else if (!supported(padding)) {
85 LOG_E("Padding mode %d not supported", padding);
86 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]87 } else if (allows_padding(block_mode) && padding != KM_PAD_NONE) {
88 LOG_E("Mode does not support padding", 0);
89 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]90 } else if (!key.authorizations().Contains(TAG_PADDING, padding)) {
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]91 LOG_E("Padding mode %d was specified, but not authorized by key", padding);
92 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
93 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]94
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]95 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
96
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]97 if (*error != KM_ERROR_OK)
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]98 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]99
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]100 Operation* op = NULL;
101 switch (purpose()) {
102 case KM_PURPOSE_ENCRYPT:
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]103 op = new AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length,
104 symmetric_key->key_data(), symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]105 break;
106 case KM_PURPOSE_DECRYPT:
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]107 op = new AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(),
108 symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]109 break;
110 default:
111 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
112 return NULL;
113 }
114
115 if (!op)
116 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
117 return op;
118}
119
Shawn Willdenc47c88f2015-04-07 17:23:27 -0600[diff] [blame]120static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC,
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]121 KM_MODE_CTR, KM_MODE_GCM};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]122
123const keymaster_block_mode_t*
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]124AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]125 *block_mode_count = array_length(supported_block_modes);
126 return supported_block_modes;
127}
128
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]129static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
130const keymaster_padding_t*
131AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
132 *padding_mode_count = array_length(supported_padding_modes);
133 return supported_padding_modes;
134}
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]135
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]136AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]137 keymaster_padding_t padding, bool caller_iv, size_t tag_length,
138 const uint8_t* key, size_t key_size)
139 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length),
140 data_started_(false), key_size_(key_size), padding_(padding) {
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]141 memcpy(key_, key, key_size_);
142 EVP_CIPHER_CTX_init(&ctx_);
143}
144
145AesEvpOperation::~AesEvpOperation() {
146 EVP_CIPHER_CTX_cleanup(&ctx_);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]147 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0);
148}
149
150keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
151 AuthorizationSet* /* output_params */) {
152 if (block_mode_ == KM_MODE_GCM) {
153 aad_block_buf_length_ = 0;
154 aad_block_buf_.reset(new uint8_t[AES_BLOCK_SIZE]);
155 if (!aad_block_buf_.get())
156 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
157 }
158
159 return InitializeCipher();
160}
161
162keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params,
163 const Buffer& input,
164 AuthorizationSet* /* output_params */, Buffer* output,
165 size_t* input_consumed) {
166 keymaster_error_t error;
167 if (block_mode_ == KM_MODE_GCM)
168 if (!HandleAad(additional_params, input, &error))
169 return error;
170
171 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
172 return error;
173 *input_consumed = input.available_read();
174
175 return KM_ERROR_OK;
176}
177
178inline bool is_bad_decrypt(unsigned long error) {
179 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && //
180 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT);
181}
182
183keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */,
184 const Buffer& /* signature */,
185 AuthorizationSet* /* output_params */, Buffer* output) {
186 if (!output->reserve(AES_BLOCK_SIZE))
187 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
188
189 keymaster_error_t error;
190 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 &&
191 !ProcessBufferedAadBlock(&error)) {
192 return error;
193 }
194
195 int output_written = -1;
196 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
197 if (tag_length_ > 0)
198 return KM_ERROR_VERIFICATION_FAILED;
199 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
200 return TranslateLastOpenSslError();
201 }
202
203 assert(output_written <= AES_BLOCK_SIZE);
204 output->advance_write(output_written);
205 return KM_ERROR_OK;
206}
207
208bool AesEvpOperation::need_iv() const {
209 switch (block_mode_) {
210 case KM_MODE_CBC:
211 case KM_MODE_CTR:
212 case KM_MODE_GCM:
213 return true;
214 case KM_MODE_ECB:
215 return false;
216 default:
217 // Shouldn't get here.
218 assert(false);
219 return false;
220 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]221}
222
223keymaster_error_t AesEvpOperation::InitializeCipher() {
224 const EVP_CIPHER* cipher;
225 switch (block_mode_) {
226 case KM_MODE_ECB:
227 switch (key_size_) {
228 case 16:
229 cipher = EVP_aes_128_ecb();
230 break;
231 case 24:
232 cipher = EVP_aes_192_ecb();
233 break;
234 case 32:
235 cipher = EVP_aes_256_ecb();
236 break;
237 default:
238 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
239 }
240 break;
241 case KM_MODE_CBC:
242 switch (key_size_) {
243 case 16:
244 cipher = EVP_aes_128_cbc();
245 break;
246 case 24:
247 cipher = EVP_aes_192_cbc();
248 break;
249 case 32:
250 cipher = EVP_aes_256_cbc();
251 break;
252 default:
253 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
254 }
255 break;
Thai Duong20d725d2015-03-24 17:49:58 -0700[diff] [blame]256 case KM_MODE_CTR:
257 switch (key_size_) {
258 case 16:
259 cipher = EVP_aes_128_ctr();
260 break;
261 case 24:
262 cipher = EVP_aes_192_ctr();
263 break;
264 case 32:
265 cipher = EVP_aes_256_ctr();
266 break;
267 default:
268 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
269 }
270 break;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]271 case KM_MODE_GCM:
272 switch (key_size_) {
273 case 16:
274 cipher = EVP_aes_128_gcm();
275 break;
276 case 24:
277 cipher = EVP_aes_192_gcm();
278 break;
279 case 32:
280 cipher = EVP_aes_256_gcm();
281 break;
282 default:
283 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
284 }
285 break;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]286 default:
287 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
288 }
289
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]290 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()))
Shawn Willdenf01329d2015-03-11 21:51:38 -0600[diff] [blame]291 return TranslateLastOpenSslError();
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]292
293 switch (padding_) {
294 case KM_PAD_NONE:
295 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
296 break;
297 case KM_PAD_PKCS7:
298 // This is the default for OpenSSL EVP cipher operations.
299 break;
300 default:
301 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
302 }
303
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]304 if (block_mode_ == KM_MODE_GCM) {
305 aad_block_buf_length_ = 0;
306 aad_block_buf_.reset(new uint8_t[AES_BLOCK_SIZE]);
307 if (!aad_block_buf_.get())
308 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
309 }
310
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]311 return KM_ERROR_OK;
312}
313
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]314keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) {
315 keymaster_blob_t iv_blob;
316 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) {
317 LOG_E("No IV provided", 0);
318 return KM_ERROR_INVALID_ARGUMENT;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]319 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]320 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) {
321 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE,
322 iv_blob.data_length);
323 return KM_ERROR_INVALID_NONCE;
324 }
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame^]325 if (block_mode_ == KM_MODE_GCM && iv_blob.data_length != GCM_NONCE_SIZE) {
326 LOG_E("Expected %d-byte nonce for AES-GCM operation, but got %d bytes", GCM_NONCE_SIZE,
327 iv_blob.data_length);
328 return KM_ERROR_INVALID_NONCE;
329 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]330 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length));
331 if (!iv_.get())
332 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
333 iv_length_ = iv_blob.data_length;
334 return KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]335}
336
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]337/*
338 * Process Incoming Associated Authentication Data.
339 *
340 * This method is more complex than might be expected, because the underlying library silently does
341 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in
342 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data.
343 */
344bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input,
345 keymaster_error_t* error) {
346 assert(tag_length_ > 0);
347 assert(error);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]348
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]349 keymaster_blob_t aad;
350 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) {
351 if (data_started_) {
352 *error = KM_ERROR_INVALID_TAG;
353 return false;
354 }
355
356 if (aad_block_buf_length_ > 0) {
357 FillBufferedAadBlock(&aad);
358 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error))
359 return false;
360 }
361
362 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE;
363 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error))
364 return false;
365 aad.data += blocks_to_process * AES_BLOCK_SIZE;
366 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE;
367
368 FillBufferedAadBlock(&aad);
369 assert(aad.data_length == 0);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]370 }
371
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]372 if (input.available_read()) {
373 data_started_ = true;
374 // Data has begun, no more AAD is allowed. Process any buffered AAD.
375 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error))
376 return false;
377 }
378
379 return true;
380}
381
382bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) {
383 int output_written;
384 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(),
385 aad_block_buf_length_)) {
386 aad_block_buf_length_ = 0;
387 return true;
388 }
389 *error = TranslateLastOpenSslError();
390 return false;
391}
392
393bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks,
394 keymaster_error_t* error) {
395 int output_written;
396 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE))
397 return true;
398 *error = TranslateLastOpenSslError();
399 return false;
400}
401
402inline size_t min(size_t a, size_t b) {
403 return (a < b) ? a : b;
404}
405
406void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) {
407 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length);
408 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer);
409 aad->data += to_buffer;
410 aad->data_length -= to_buffer;
411 aad_block_buf_length_ += to_buffer;
412}
413
414bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output,
415 keymaster_error_t* error) {
416 assert(output);
417 assert(error);
418
419 if (!output->reserve(input_length + AES_BLOCK_SIZE)) {
420 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
421 return false;
422 }
423
424 int output_written = -1;
425 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) {
426 *error = TranslateLastOpenSslError();
427 return false;
428 }
429 output->advance_write(output_written);
430 return true;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]431}
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]432
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]433keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params,
434 AuthorizationSet* output_params) {
435 if (!output_params)
436 return KM_ERROR_OUTPUT_PARAMETER_NULL;
437
438 if (need_iv()) {
439 keymaster_error_t error = KM_ERROR_OK;
440 if (input_params.find(TAG_NONCE) == -1)
441 error = GenerateIv();
442 else if (caller_iv_)
443 error = GetIv(input_params);
444 else
445 error = KM_ERROR_CALLER_NONCE_PROHIBITED;
446
447 if (error == KM_ERROR_OK)
448 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_);
449 else
450 return error;
451 }
452
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]453 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]454}
455
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]456keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params,
457 const Buffer& signature,
458 AuthorizationSet* output_params, Buffer* output) {
459 if (!output->reserve(AES_BLOCK_SIZE + tag_length_))
Shawn Willden92b69a32015-03-14 11:07:36 -0600[diff] [blame]460 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]461
462 keymaster_error_t error =
463 AesEvpOperation::Finish(additional_params, signature, output_params, output);
464 if (error != KM_ERROR_OK)
465 return error;
466
467 if (tag_length_ > 0) {
468 if (!output->reserve(output->available_read() + tag_length_))
469 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
470
471 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write()))
472 return TranslateLastOpenSslError();
473 output->advance_write(tag_length_);
474 }
475
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]476 return KM_ERROR_OK;
477}
478
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]479keymaster_error_t AesEvpEncryptOperation::GenerateIv() {
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame^]480 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_NONCE_SIZE : AES_BLOCK_SIZE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]481 iv_.reset(new uint8_t[iv_length_]);
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]482 if (!iv_.get())
483 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]484 if (RAND_bytes(iv_.get(), iv_length_) != 1)
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]485 return TranslateLastOpenSslError();
486 return KM_ERROR_OK;
487}
488
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]489keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params,
490 AuthorizationSet* output_params) {
491 if (need_iv()) {
492 keymaster_error_t error = GetIv(input_params);
493 if (error != KM_ERROR_OK)
494 return error;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]495 }
496
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]497 if (tag_length_ > 0) {
498 tag_buf_length_ = 0;
499 tag_buf_.reset(new uint8_t[tag_length_]);
500 if (!tag_buf_.get())
501 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
502 }
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]503
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]504 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]505}
506
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]507keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params,
508 const Buffer& input,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]509 AuthorizationSet* /* output_params */,
510 Buffer* output, size_t* input_consumed) {
511 if (!output || !input_consumed)
512 return KM_ERROR_OUTPUT_PARAMETER_NULL;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]513
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]514 // Barring error, we'll consume it all.
515 *input_consumed = input.available_read();
516
517 keymaster_error_t error;
518 if (block_mode_ == KM_MODE_GCM) {
519 if (!HandleAad(additional_params, input, &error))
520 return error;
521 return ProcessAllButTagLengthBytes(input, output);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]522 }
523
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]524 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
525 return error;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]526 return KM_ERROR_OK;
527}
528
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]529keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input,
530 Buffer* output) {
531 if (input.available_read() <= tag_buf_unused()) {
532 BufferCandidateTagData(input.peek_read(), input.available_read());
533 return KM_ERROR_OK;
534 }
535
536 const size_t data_available = tag_buf_length_ + input.available_read();
537
538 const size_t to_process = data_available - tag_length_;
539 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_);
540 const size_t to_process_from_input = to_process - to_process_from_tag_buf;
541
542 if (!output->reserve(to_process + AES_BLOCK_SIZE))
543 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
544
545 keymaster_error_t error;
546 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error))
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]547 return error;
548
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]549 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error))
550 return error;
551
552 BufferCandidateTagData(input.peek_read() + to_process_from_input,
553 input.available_read() - to_process_from_input);
554 assert(tag_buf_unused() == 0);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]555
556 return KM_ERROR_OK;
557}
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]558
559bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output,
560 keymaster_error_t* error) {
561 assert(to_process <= tag_buf_length_);
562 if (!InternalUpdate(tag_buf_.get(), to_process, output, error))
563 return false;
564 if (to_process < tag_buf_length_)
565 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process);
566 tag_buf_length_ -= to_process;
567 return true;
568}
569
570void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) {
571 assert(data_length <= tag_length_ - tag_buf_length_);
572 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length);
573 tag_buf_length_ += data_length;
574}
575
576keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params,
577 const Buffer& signature,
578 AuthorizationSet* output_params, Buffer* output) {
579 if (tag_buf_length_ < tag_length_)
580 return KM_ERROR_INVALID_INPUT_LENGTH;
581 else if (tag_length_ > 0 &&
582 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get()))
583 return TranslateLastOpenSslError();
584
585 return AesEvpOperation::Finish(additional_params, signature, output_params, output);
586}
587
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]588keymaster_error_t AesEvpOperation::Abort() {
589 return KM_ERROR_OK;
590}
591
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]592} // namespace keymaster