Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / ebc99a15e324d9f1cfaf681a8c95676984f16f08 / . / aes_operation.cpp
blob: 339fdaa267d7fb84860900711681d7814fe9d11a [file] [log] [blame]
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]17#include "aes_operation.h"
18
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]19#include <stdio.h>
20
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]21#include <new>
22
Shawn Willden06298102015-05-25 23:12:48 -0600[diff] [blame]23#include <UniquePtr.h>
24
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]25#include <openssl/aes.h>
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]26#include <openssl/err.h>
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]27#include <openssl/rand.h>
28
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]29#include <keymaster/logger.h>
30
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]31#include "aes_key.h"
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]32#include "openssl_err.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]33
34namespace keymaster {
35
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]36static const size_t GCM_NONCE_SIZE = 12;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]37static const size_t GCM_MAX_TAG_LENGTH = 16;
38static const size_t GCM_MIN_TAG_LENGTH = 12;
39
40inline bool allows_padding(keymaster_block_mode_t block_mode) {
41 return (block_mode == KM_MODE_CTR || block_mode == KM_MODE_GCM);
42}
43
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]44Operation* AesOperationFactory::CreateOperation(const Key& key,
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]45 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]46 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]47 *error = KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]48 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]49
50 switch (symmetric_key->key_data_size()) {
51 case 16:
52 case 24:
53 case 32:
54 break;
55 default:
56 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]57 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]58 }
59
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]60 keymaster_block_mode_t block_mode;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]61 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) {
62 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE));
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]63 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]64 } else if (!supported(block_mode)) {
65 LOG_E("Block mode %d not supported", block_mode);
66 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]67 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) {
68 LOG_E("Block mode %d was specified, but not authorized by key", block_mode);
69 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]70 }
71
72 size_t tag_length = 0;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]73 if (block_mode == KM_MODE_GCM) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]74 uint32_t tag_length_bits;
75 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits))
76 *error = KM_ERROR_MISSING_MAC_LENGTH;
77 tag_length = tag_length_bits / 8;
78 if (tag_length_bits % 8 != 0 || tag_length > GCM_MAX_TAG_LENGTH ||
79 tag_length < GCM_MIN_TAG_LENGTH)
80 *error = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]81 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]82
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]83 keymaster_padding_t padding;
84 if (!begin_params.GetTagValue(TAG_PADDING, &padding)) {
Shawn Willdended8e7d2015-06-01 15:29:12 -0600[diff] [blame]85 LOG_E("%d padding modes specified in begin params", begin_params.GetTagCount(TAG_PADDING));
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]86 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]87 } else if (!supported(padding)) {
88 LOG_E("Padding mode %d not supported", padding);
89 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]90 } else if (allows_padding(block_mode) && padding != KM_PAD_NONE) {
91 LOG_E("Mode does not support padding", 0);
92 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]93 } else if (!key.authorizations().Contains(TAG_PADDING, padding)) {
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]94 LOG_E("Padding mode %d was specified, but not authorized by key", padding);
95 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
96 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]97
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]98 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
99
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]100 if (*error != KM_ERROR_OK)
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]101 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]102
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]103 Operation* op = NULL;
104 switch (purpose()) {
105 case KM_PURPOSE_ENCRYPT:
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]106 op = new (std::nothrow)
107 AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length,
108 symmetric_key->key_data(), symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]109 break;
110 case KM_PURPOSE_DECRYPT:
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]111 op = new (std::nothrow)
112 AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(),
113 symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]114 break;
115 default:
116 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
117 return NULL;
118 }
119
120 if (!op)
121 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
122 return op;
123}
124
Shawn Willdenc47c88f2015-04-07 17:23:27 -0600[diff] [blame]125static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC,
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]126 KM_MODE_CTR, KM_MODE_GCM};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]127
128const keymaster_block_mode_t*
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]129AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]130 *block_mode_count = array_length(supported_block_modes);
131 return supported_block_modes;
132}
133
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]134static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
135const keymaster_padding_t*
136AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
137 *padding_mode_count = array_length(supported_padding_modes);
138 return supported_padding_modes;
139}
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]140
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]141AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]142 keymaster_padding_t padding, bool caller_iv, size_t tag_length,
143 const uint8_t* key, size_t key_size)
144 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length),
145 data_started_(false), key_size_(key_size), padding_(padding) {
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]146 memcpy(key_, key, key_size_);
147 EVP_CIPHER_CTX_init(&ctx_);
148}
149
150AesEvpOperation::~AesEvpOperation() {
151 EVP_CIPHER_CTX_cleanup(&ctx_);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]152 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0);
153}
154
155keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
156 AuthorizationSet* /* output_params */) {
157 if (block_mode_ == KM_MODE_GCM) {
158 aad_block_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]159 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]160 if (!aad_block_buf_.get())
161 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
162 }
163
164 return InitializeCipher();
165}
166
167keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params,
168 const Buffer& input,
169 AuthorizationSet* /* output_params */, Buffer* output,
170 size_t* input_consumed) {
171 keymaster_error_t error;
172 if (block_mode_ == KM_MODE_GCM)
173 if (!HandleAad(additional_params, input, &error))
174 return error;
175
176 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
177 return error;
178 *input_consumed = input.available_read();
179
180 return KM_ERROR_OK;
181}
182
183inline bool is_bad_decrypt(unsigned long error) {
184 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && //
185 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT);
186}
187
188keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */,
189 const Buffer& /* signature */,
190 AuthorizationSet* /* output_params */, Buffer* output) {
191 if (!output->reserve(AES_BLOCK_SIZE))
192 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
193
194 keymaster_error_t error;
195 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 &&
196 !ProcessBufferedAadBlock(&error)) {
197 return error;
198 }
199
200 int output_written = -1;
201 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
202 if (tag_length_ > 0)
203 return KM_ERROR_VERIFICATION_FAILED;
204 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
205 return TranslateLastOpenSslError();
206 }
207
208 assert(output_written <= AES_BLOCK_SIZE);
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]209 if (!output->advance_write(output_written))
210 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]211 return KM_ERROR_OK;
212}
213
214bool AesEvpOperation::need_iv() const {
215 switch (block_mode_) {
216 case KM_MODE_CBC:
217 case KM_MODE_CTR:
218 case KM_MODE_GCM:
219 return true;
220 case KM_MODE_ECB:
221 return false;
222 default:
223 // Shouldn't get here.
224 assert(false);
225 return false;
226 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]227}
228
229keymaster_error_t AesEvpOperation::InitializeCipher() {
230 const EVP_CIPHER* cipher;
231 switch (block_mode_) {
232 case KM_MODE_ECB:
233 switch (key_size_) {
234 case 16:
235 cipher = EVP_aes_128_ecb();
236 break;
237 case 24:
238 cipher = EVP_aes_192_ecb();
239 break;
240 case 32:
241 cipher = EVP_aes_256_ecb();
242 break;
243 default:
244 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
245 }
246 break;
247 case KM_MODE_CBC:
248 switch (key_size_) {
249 case 16:
250 cipher = EVP_aes_128_cbc();
251 break;
252 case 24:
253 cipher = EVP_aes_192_cbc();
254 break;
255 case 32:
256 cipher = EVP_aes_256_cbc();
257 break;
258 default:
259 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
260 }
261 break;
Thai Duong20d725d2015-03-24 17:49:58 -0700[diff] [blame]262 case KM_MODE_CTR:
263 switch (key_size_) {
264 case 16:
265 cipher = EVP_aes_128_ctr();
266 break;
267 case 24:
268 cipher = EVP_aes_192_ctr();
269 break;
270 case 32:
271 cipher = EVP_aes_256_ctr();
272 break;
273 default:
274 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
275 }
276 break;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]277 case KM_MODE_GCM:
278 switch (key_size_) {
279 case 16:
280 cipher = EVP_aes_128_gcm();
281 break;
282 case 24:
283 cipher = EVP_aes_192_gcm();
284 break;
285 case 32:
286 cipher = EVP_aes_256_gcm();
287 break;
288 default:
289 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
290 }
291 break;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]292 default:
293 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
294 }
295
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]296 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()))
Shawn Willdenf01329d2015-03-11 21:51:38 -0600[diff] [blame]297 return TranslateLastOpenSslError();
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]298
299 switch (padding_) {
300 case KM_PAD_NONE:
301 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
302 break;
303 case KM_PAD_PKCS7:
304 // This is the default for OpenSSL EVP cipher operations.
305 break;
306 default:
307 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
308 }
309
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]310 if (block_mode_ == KM_MODE_GCM) {
311 aad_block_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]312 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]313 if (!aad_block_buf_.get())
314 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
315 }
316
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]317 return KM_ERROR_OK;
318}
319
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]320keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) {
321 keymaster_blob_t iv_blob;
322 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) {
323 LOG_E("No IV provided", 0);
324 return KM_ERROR_INVALID_ARGUMENT;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]325 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]326 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) {
327 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE,
328 iv_blob.data_length);
329 return KM_ERROR_INVALID_NONCE;
330 }
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]331 if (block_mode_ == KM_MODE_GCM && iv_blob.data_length != GCM_NONCE_SIZE) {
332 LOG_E("Expected %d-byte nonce for AES-GCM operation, but got %d bytes", GCM_NONCE_SIZE,
333 iv_blob.data_length);
334 return KM_ERROR_INVALID_NONCE;
335 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]336 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length));
337 if (!iv_.get())
338 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
339 iv_length_ = iv_blob.data_length;
340 return KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]341}
342
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]343/*
344 * Process Incoming Associated Authentication Data.
345 *
346 * This method is more complex than might be expected, because the underlying library silently does
347 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in
348 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data.
349 */
350bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input,
351 keymaster_error_t* error) {
352 assert(tag_length_ > 0);
353 assert(error);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]354
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]355 keymaster_blob_t aad;
356 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) {
357 if (data_started_) {
358 *error = KM_ERROR_INVALID_TAG;
359 return false;
360 }
361
362 if (aad_block_buf_length_ > 0) {
363 FillBufferedAadBlock(&aad);
364 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error))
365 return false;
366 }
367
368 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE;
369 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error))
370 return false;
371 aad.data += blocks_to_process * AES_BLOCK_SIZE;
372 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE;
373
374 FillBufferedAadBlock(&aad);
375 assert(aad.data_length == 0);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]376 }
377
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]378 if (input.available_read()) {
379 data_started_ = true;
380 // Data has begun, no more AAD is allowed. Process any buffered AAD.
381 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error))
382 return false;
383 }
384
385 return true;
386}
387
388bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) {
389 int output_written;
390 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(),
391 aad_block_buf_length_)) {
392 aad_block_buf_length_ = 0;
393 return true;
394 }
395 *error = TranslateLastOpenSslError();
396 return false;
397}
398
399bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks,
400 keymaster_error_t* error) {
401 int output_written;
402 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE))
403 return true;
404 *error = TranslateLastOpenSslError();
405 return false;
406}
407
408inline size_t min(size_t a, size_t b) {
409 return (a < b) ? a : b;
410}
411
412void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) {
413 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length);
414 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer);
415 aad->data += to_buffer;
416 aad->data_length -= to_buffer;
417 aad_block_buf_length_ += to_buffer;
418}
419
420bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output,
421 keymaster_error_t* error) {
422 assert(output);
423 assert(error);
424
Shawn Willden294a2db2015-06-17 11:20:56 -0600[diff] [blame]425 if (!input_length)
426 return true;
427
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]428 if (!output->reserve(input_length + AES_BLOCK_SIZE)) {
429 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
430 return false;
431 }
432
433 int output_written = -1;
434 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) {
435 *error = TranslateLastOpenSslError();
436 return false;
437 }
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]438 return output->advance_write(output_written);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]439}
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]440
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]441keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params,
442 AuthorizationSet* output_params) {
443 if (!output_params)
444 return KM_ERROR_OUTPUT_PARAMETER_NULL;
445
446 if (need_iv()) {
447 keymaster_error_t error = KM_ERROR_OK;
448 if (input_params.find(TAG_NONCE) == -1)
449 error = GenerateIv();
450 else if (caller_iv_)
451 error = GetIv(input_params);
452 else
453 error = KM_ERROR_CALLER_NONCE_PROHIBITED;
454
455 if (error == KM_ERROR_OK)
456 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_);
457 else
458 return error;
459 }
460
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]461 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]462}
463
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]464keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params,
465 const Buffer& signature,
466 AuthorizationSet* output_params, Buffer* output) {
467 if (!output->reserve(AES_BLOCK_SIZE + tag_length_))
Shawn Willden92b69a32015-03-14 11:07:36 -0600[diff] [blame]468 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]469
470 keymaster_error_t error =
471 AesEvpOperation::Finish(additional_params, signature, output_params, output);
472 if (error != KM_ERROR_OK)
473 return error;
474
475 if (tag_length_ > 0) {
476 if (!output->reserve(output->available_read() + tag_length_))
477 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
478
479 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write()))
480 return TranslateLastOpenSslError();
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]481 if (!output->advance_write(tag_length_))
482 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]483 }
484
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]485 return KM_ERROR_OK;
486}
487
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]488keymaster_error_t AesEvpEncryptOperation::GenerateIv() {
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]489 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_NONCE_SIZE : AES_BLOCK_SIZE;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]490 iv_.reset(new (std::nothrow) uint8_t[iv_length_]);
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]491 if (!iv_.get())
492 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]493 if (RAND_bytes(iv_.get(), iv_length_) != 1)
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]494 return TranslateLastOpenSslError();
495 return KM_ERROR_OK;
496}
497
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]498keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params,
499 AuthorizationSet* output_params) {
500 if (need_iv()) {
501 keymaster_error_t error = GetIv(input_params);
502 if (error != KM_ERROR_OK)
503 return error;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]504 }
505
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]506 if (tag_length_ > 0) {
507 tag_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]508 tag_buf_.reset(new (std::nothrow) uint8_t[tag_length_]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]509 if (!tag_buf_.get())
510 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
511 }
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]512
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]513 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]514}
515
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]516keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params,
517 const Buffer& input,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]518 AuthorizationSet* /* output_params */,
519 Buffer* output, size_t* input_consumed) {
520 if (!output || !input_consumed)
521 return KM_ERROR_OUTPUT_PARAMETER_NULL;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]522
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]523 // Barring error, we'll consume it all.
524 *input_consumed = input.available_read();
525
526 keymaster_error_t error;
527 if (block_mode_ == KM_MODE_GCM) {
528 if (!HandleAad(additional_params, input, &error))
529 return error;
530 return ProcessAllButTagLengthBytes(input, output);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]531 }
532
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]533 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
534 return error;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]535 return KM_ERROR_OK;
536}
537
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]538keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input,
539 Buffer* output) {
540 if (input.available_read() <= tag_buf_unused()) {
541 BufferCandidateTagData(input.peek_read(), input.available_read());
542 return KM_ERROR_OK;
543 }
544
545 const size_t data_available = tag_buf_length_ + input.available_read();
546
547 const size_t to_process = data_available - tag_length_;
548 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_);
549 const size_t to_process_from_input = to_process - to_process_from_tag_buf;
550
551 if (!output->reserve(to_process + AES_BLOCK_SIZE))
552 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
553
554 keymaster_error_t error;
555 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error))
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]556 return error;
557
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]558 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error))
559 return error;
560
561 BufferCandidateTagData(input.peek_read() + to_process_from_input,
562 input.available_read() - to_process_from_input);
563 assert(tag_buf_unused() == 0);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]564
565 return KM_ERROR_OK;
566}
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]567
568bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output,
569 keymaster_error_t* error) {
570 assert(to_process <= tag_buf_length_);
571 if (!InternalUpdate(tag_buf_.get(), to_process, output, error))
572 return false;
573 if (to_process < tag_buf_length_)
574 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process);
575 tag_buf_length_ -= to_process;
576 return true;
577}
578
579void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) {
580 assert(data_length <= tag_length_ - tag_buf_length_);
581 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length);
582 tag_buf_length_ += data_length;
583}
584
585keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params,
586 const Buffer& signature,
587 AuthorizationSet* output_params, Buffer* output) {
588 if (tag_buf_length_ < tag_length_)
589 return KM_ERROR_INVALID_INPUT_LENGTH;
590 else if (tag_length_ > 0 &&
591 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get()))
592 return TranslateLastOpenSslError();
593
594 return AesEvpOperation::Finish(additional_params, signature, output_params, output);
595}
596
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]597keymaster_error_t AesEvpOperation::Abort() {
598 return KM_ERROR_OK;
599}
600
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]601} // namespace keymaster