Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 36d41e230417ac3b86a1425ebf60fff6d92377ec / . / aes_operation.cpp
blob: c678262f8d892df76bcbc4352a460f7fa8297a6d [file] [log] [blame]
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]17#include <stdio.h>
18
Shawn Willden06298102015-05-25 23:12:48 -0600[diff] [blame]19#include <UniquePtr.h>
20
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]21#include <openssl/aes.h>
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]22#include <openssl/err.h>
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]23#include <openssl/rand.h>
24
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]25#include <keymaster/logger.h>
26
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]27#include "aes_key.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]28#include "aes_operation.h"
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]29#include "openssl_err.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]30
31namespace keymaster {
32
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]33static const size_t GCM_DEFAULT_NONCE_SIZE = 12;
34static const size_t GCM_MAX_TAG_LENGTH = 16;
35static const size_t GCM_MIN_TAG_LENGTH = 12;
36
37inline bool allows_padding(keymaster_block_mode_t block_mode) {
38 return (block_mode == KM_MODE_CTR || block_mode == KM_MODE_GCM);
39}
40
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]41Operation* AesOperationFactory::CreateOperation(const Key& key,
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]42 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]43 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]44 *error = KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]45 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]46
47 switch (symmetric_key->key_data_size()) {
48 case 16:
49 case 24:
50 case 32:
51 break;
52 default:
53 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]54 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]55 }
56
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]57 keymaster_block_mode_t block_mode;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]58 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) {
59 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE));
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]60 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]61 } else if (!supported(block_mode)) {
62 LOG_E("Block mode %d not supported", block_mode);
63 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]64 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) {
65 LOG_E("Block mode %d was specified, but not authorized by key", block_mode);
66 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]67 }
68
69 size_t tag_length = 0;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]70 if (block_mode == KM_MODE_GCM) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]71 uint32_t tag_length_bits;
72 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits))
73 *error = KM_ERROR_MISSING_MAC_LENGTH;
74 tag_length = tag_length_bits / 8;
75 if (tag_length_bits % 8 != 0 || tag_length > GCM_MAX_TAG_LENGTH ||
76 tag_length < GCM_MIN_TAG_LENGTH)
77 *error = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]78 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]79
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]80 keymaster_padding_t padding;
81 if (!begin_params.GetTagValue(TAG_PADDING, &padding)) {
Shawn Willdended8e7d2015-06-01 15:29:12 -0600[diff] [blame]82 LOG_E("%d padding modes specified in begin params", begin_params.GetTagCount(TAG_PADDING));
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]83 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]84 } else if (!supported(padding)) {
85 LOG_E("Padding mode %d not supported", padding);
86 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]87 } else if (allows_padding(block_mode) && padding != KM_PAD_NONE) {
88 LOG_E("Mode does not support padding", 0);
89 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]90 } else if (!key.authorizations().Contains(TAG_PADDING, padding)) {
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]91 LOG_E("Padding mode %d was specified, but not authorized by key", padding);
92 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
93 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]94
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]95 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
96
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]97 if (*error != KM_ERROR_OK)
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]98 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]99
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]100 Operation* op = NULL;
101 switch (purpose()) {
102 case KM_PURPOSE_ENCRYPT:
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]103 op = new AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length,
104 symmetric_key->key_data(), symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]105 break;
106 case KM_PURPOSE_DECRYPT:
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]107 op = new AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(),
108 symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]109 break;
110 default:
111 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
112 return NULL;
113 }
114
115 if (!op)
116 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
117 return op;
118}
119
Shawn Willdenc47c88f2015-04-07 17:23:27 -0600[diff] [blame]120static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC,
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]121 KM_MODE_CTR, KM_MODE_GCM};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]122
123const keymaster_block_mode_t*
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]124AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]125 *block_mode_count = array_length(supported_block_modes);
126 return supported_block_modes;
127}
128
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]129static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
130const keymaster_padding_t*
131AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
132 *padding_mode_count = array_length(supported_padding_modes);
133 return supported_padding_modes;
134}
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]135
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]136AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]137 keymaster_padding_t padding, bool caller_iv, size_t tag_length,
138 const uint8_t* key, size_t key_size)
139 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length),
140 data_started_(false), key_size_(key_size), padding_(padding) {
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]141 memcpy(key_, key, key_size_);
142 EVP_CIPHER_CTX_init(&ctx_);
143}
144
145AesEvpOperation::~AesEvpOperation() {
146 EVP_CIPHER_CTX_cleanup(&ctx_);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]147 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0);
148}
149
150keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
151 AuthorizationSet* /* output_params */) {
152 if (block_mode_ == KM_MODE_GCM) {
153 aad_block_buf_length_ = 0;
154 aad_block_buf_.reset(new uint8_t[AES_BLOCK_SIZE]);
155 if (!aad_block_buf_.get())
156 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
157 }
158
159 return InitializeCipher();
160}
161
162keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params,
163 const Buffer& input,
164 AuthorizationSet* /* output_params */, Buffer* output,
165 size_t* input_consumed) {
166 keymaster_error_t error;
167 if (block_mode_ == KM_MODE_GCM)
168 if (!HandleAad(additional_params, input, &error))
169 return error;
170
171 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
172 return error;
173 *input_consumed = input.available_read();
174
175 return KM_ERROR_OK;
176}
177
178inline bool is_bad_decrypt(unsigned long error) {
179 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && //
180 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT);
181}
182
183keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */,
184 const Buffer& /* signature */,
185 AuthorizationSet* /* output_params */, Buffer* output) {
186 if (!output->reserve(AES_BLOCK_SIZE))
187 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
188
189 keymaster_error_t error;
190 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 &&
191 !ProcessBufferedAadBlock(&error)) {
192 return error;
193 }
194
195 int output_written = -1;
196 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
197 if (tag_length_ > 0)
198 return KM_ERROR_VERIFICATION_FAILED;
199 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
200 return TranslateLastOpenSslError();
201 }
202
203 assert(output_written <= AES_BLOCK_SIZE);
204 output->advance_write(output_written);
205 return KM_ERROR_OK;
206}
207
208bool AesEvpOperation::need_iv() const {
209 switch (block_mode_) {
210 case KM_MODE_CBC:
211 case KM_MODE_CTR:
212 case KM_MODE_GCM:
213 return true;
214 case KM_MODE_ECB:
215 return false;
216 default:
217 // Shouldn't get here.
218 assert(false);
219 return false;
220 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]221}
222
223keymaster_error_t AesEvpOperation::InitializeCipher() {
224 const EVP_CIPHER* cipher;
225 switch (block_mode_) {
226 case KM_MODE_ECB:
227 switch (key_size_) {
228 case 16:
229 cipher = EVP_aes_128_ecb();
230 break;
231 case 24:
232 cipher = EVP_aes_192_ecb();
233 break;
234 case 32:
235 cipher = EVP_aes_256_ecb();
236 break;
237 default:
238 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
239 }
240 break;
241 case KM_MODE_CBC:
242 switch (key_size_) {
243 case 16:
244 cipher = EVP_aes_128_cbc();
245 break;
246 case 24:
247 cipher = EVP_aes_192_cbc();
248 break;
249 case 32:
250 cipher = EVP_aes_256_cbc();
251 break;
252 default:
253 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
254 }
255 break;
Thai Duong20d725d2015-03-24 17:49:58 -0700[diff] [blame]256 case KM_MODE_CTR:
257 switch (key_size_) {
258 case 16:
259 cipher = EVP_aes_128_ctr();
260 break;
261 case 24:
262 cipher = EVP_aes_192_ctr();
263 break;
264 case 32:
265 cipher = EVP_aes_256_ctr();
266 break;
267 default:
268 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
269 }
270 break;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]271 case KM_MODE_GCM:
272 switch (key_size_) {
273 case 16:
274 cipher = EVP_aes_128_gcm();
275 break;
276 case 24:
277 cipher = EVP_aes_192_gcm();
278 break;
279 case 32:
280 cipher = EVP_aes_256_gcm();
281 break;
282 default:
283 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
284 }
285 break;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]286 default:
287 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
288 }
289
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]290 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()))
Shawn Willdenf01329d2015-03-11 21:51:38 -0600[diff] [blame]291 return TranslateLastOpenSslError();
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]292
293 switch (padding_) {
294 case KM_PAD_NONE:
295 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
296 break;
297 case KM_PAD_PKCS7:
298 // This is the default for OpenSSL EVP cipher operations.
299 break;
300 default:
301 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
302 }
303
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]304 if (block_mode_ == KM_MODE_GCM) {
305 aad_block_buf_length_ = 0;
306 aad_block_buf_.reset(new uint8_t[AES_BLOCK_SIZE]);
307 if (!aad_block_buf_.get())
308 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
309 }
310
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]311 return KM_ERROR_OK;
312}
313
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]314keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) {
315 keymaster_blob_t iv_blob;
316 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) {
317 LOG_E("No IV provided", 0);
318 return KM_ERROR_INVALID_ARGUMENT;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]319 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]320 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) {
321 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE,
322 iv_blob.data_length);
323 return KM_ERROR_INVALID_NONCE;
324 }
325 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length));
326 if (!iv_.get())
327 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
328 iv_length_ = iv_blob.data_length;
329 return KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]330}
331
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]332/*
333 * Process Incoming Associated Authentication Data.
334 *
335 * This method is more complex than might be expected, because the underlying library silently does
336 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in
337 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data.
338 */
339bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input,
340 keymaster_error_t* error) {
341 assert(tag_length_ > 0);
342 assert(error);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]343
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]344 keymaster_blob_t aad;
345 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) {
346 if (data_started_) {
347 *error = KM_ERROR_INVALID_TAG;
348 return false;
349 }
350
351 if (aad_block_buf_length_ > 0) {
352 FillBufferedAadBlock(&aad);
353 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error))
354 return false;
355 }
356
357 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE;
358 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error))
359 return false;
360 aad.data += blocks_to_process * AES_BLOCK_SIZE;
361 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE;
362
363 FillBufferedAadBlock(&aad);
364 assert(aad.data_length == 0);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]365 }
366
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]367 if (input.available_read()) {
368 data_started_ = true;
369 // Data has begun, no more AAD is allowed. Process any buffered AAD.
370 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error))
371 return false;
372 }
373
374 return true;
375}
376
377bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) {
378 int output_written;
379 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(),
380 aad_block_buf_length_)) {
381 aad_block_buf_length_ = 0;
382 return true;
383 }
384 *error = TranslateLastOpenSslError();
385 return false;
386}
387
388bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks,
389 keymaster_error_t* error) {
390 int output_written;
391 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE))
392 return true;
393 *error = TranslateLastOpenSslError();
394 return false;
395}
396
397inline size_t min(size_t a, size_t b) {
398 return (a < b) ? a : b;
399}
400
401void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) {
402 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length);
403 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer);
404 aad->data += to_buffer;
405 aad->data_length -= to_buffer;
406 aad_block_buf_length_ += to_buffer;
407}
408
409bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output,
410 keymaster_error_t* error) {
411 assert(output);
412 assert(error);
413
414 if (!output->reserve(input_length + AES_BLOCK_SIZE)) {
415 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
416 return false;
417 }
418
419 int output_written = -1;
420 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) {
421 *error = TranslateLastOpenSslError();
422 return false;
423 }
424 output->advance_write(output_written);
425 return true;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]426}
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]427
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]428keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params,
429 AuthorizationSet* output_params) {
430 if (!output_params)
431 return KM_ERROR_OUTPUT_PARAMETER_NULL;
432
433 if (need_iv()) {
434 keymaster_error_t error = KM_ERROR_OK;
435 if (input_params.find(TAG_NONCE) == -1)
436 error = GenerateIv();
437 else if (caller_iv_)
438 error = GetIv(input_params);
439 else
440 error = KM_ERROR_CALLER_NONCE_PROHIBITED;
441
442 if (error == KM_ERROR_OK)
443 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_);
444 else
445 return error;
446 }
447
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]448 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]449}
450
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]451keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params,
452 const Buffer& signature,
453 AuthorizationSet* output_params, Buffer* output) {
454 if (!output->reserve(AES_BLOCK_SIZE + tag_length_))
Shawn Willden92b69a32015-03-14 11:07:36 -0600[diff] [blame]455 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]456
457 keymaster_error_t error =
458 AesEvpOperation::Finish(additional_params, signature, output_params, output);
459 if (error != KM_ERROR_OK)
460 return error;
461
462 if (tag_length_ > 0) {
463 if (!output->reserve(output->available_read() + tag_length_))
464 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
465
466 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write()))
467 return TranslateLastOpenSslError();
468 output->advance_write(tag_length_);
469 }
470
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]471 return KM_ERROR_OK;
472}
473
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]474keymaster_error_t AesEvpEncryptOperation::GenerateIv() {
475 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_DEFAULT_NONCE_SIZE : AES_BLOCK_SIZE;
476 iv_.reset(new uint8_t[iv_length_]);
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]477 if (!iv_.get())
478 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]479 if (RAND_bytes(iv_.get(), iv_length_) != 1)
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]480 return TranslateLastOpenSslError();
481 return KM_ERROR_OK;
482}
483
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]484keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params,
485 AuthorizationSet* output_params) {
486 if (need_iv()) {
487 keymaster_error_t error = GetIv(input_params);
488 if (error != KM_ERROR_OK)
489 return error;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]490 }
491
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]492 if (tag_length_ > 0) {
493 tag_buf_length_ = 0;
494 tag_buf_.reset(new uint8_t[tag_length_]);
495 if (!tag_buf_.get())
496 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
497 }
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]498
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]499 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]500}
501
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]502keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params,
503 const Buffer& input,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]504 AuthorizationSet* /* output_params */,
505 Buffer* output, size_t* input_consumed) {
506 if (!output || !input_consumed)
507 return KM_ERROR_OUTPUT_PARAMETER_NULL;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]508
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]509 // Barring error, we'll consume it all.
510 *input_consumed = input.available_read();
511
512 keymaster_error_t error;
513 if (block_mode_ == KM_MODE_GCM) {
514 if (!HandleAad(additional_params, input, &error))
515 return error;
516 return ProcessAllButTagLengthBytes(input, output);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]517 }
518
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]519 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
520 return error;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]521 return KM_ERROR_OK;
522}
523
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]524keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input,
525 Buffer* output) {
526 if (input.available_read() <= tag_buf_unused()) {
527 BufferCandidateTagData(input.peek_read(), input.available_read());
528 return KM_ERROR_OK;
529 }
530
531 const size_t data_available = tag_buf_length_ + input.available_read();
532
533 const size_t to_process = data_available - tag_length_;
534 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_);
535 const size_t to_process_from_input = to_process - to_process_from_tag_buf;
536
537 if (!output->reserve(to_process + AES_BLOCK_SIZE))
538 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
539
540 keymaster_error_t error;
541 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error))
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]542 return error;
543
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]544 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error))
545 return error;
546
547 BufferCandidateTagData(input.peek_read() + to_process_from_input,
548 input.available_read() - to_process_from_input);
549 assert(tag_buf_unused() == 0);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]550
551 return KM_ERROR_OK;
552}
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]553
554bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output,
555 keymaster_error_t* error) {
556 assert(to_process <= tag_buf_length_);
557 if (!InternalUpdate(tag_buf_.get(), to_process, output, error))
558 return false;
559 if (to_process < tag_buf_length_)
560 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process);
561 tag_buf_length_ -= to_process;
562 return true;
563}
564
565void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) {
566 assert(data_length <= tag_length_ - tag_buf_length_);
567 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length);
568 tag_buf_length_ += data_length;
569}
570
571keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params,
572 const Buffer& signature,
573 AuthorizationSet* output_params, Buffer* output) {
574 if (tag_buf_length_ < tag_length_)
575 return KM_ERROR_INVALID_INPUT_LENGTH;
576 else if (tag_length_ > 0 &&
577 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get()))
578 return TranslateLastOpenSslError();
579
580 return AesEvpOperation::Finish(additional_params, signature, output_params, output);
581}
582
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]583keymaster_error_t AesEvpOperation::Abort() {
584 return KM_ERROR_OK;
585}
586
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]587} // namespace keymaster