Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 4ed2d7ed2275735ddc4952f310badfa4dcbaf04e / . / aes_operation.cpp
blob: bbaa0ad4c0bb8caa32d454848fbd322fdf17c9ac [file] [log] [blame]
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]17#include "aes_operation.h"
18
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]19#include <stdio.h>
20
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]21#include <new>
22
Shawn Willden06298102015-05-25 23:12:48 -0600[diff] [blame]23#include <UniquePtr.h>
24
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]25#include <openssl/aes.h>
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]26#include <openssl/err.h>
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]27#include <openssl/rand.h>
28
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]29#include <keymaster/logger.h>
30
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]31#include "aes_key.h"
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]32#include "openssl_err.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]33
34namespace keymaster {
35
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]36static const size_t GCM_NONCE_SIZE = 12;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]37
38inline bool allows_padding(keymaster_block_mode_t block_mode) {
Shawn Willden5532a082015-07-01 12:58:08 -0600[diff] [blame]39 switch (block_mode) {
40 case KM_MODE_CTR:
41 case KM_MODE_GCM:
42 return false;
43 case KM_MODE_ECB:
44 case KM_MODE_CBC:
45 return true;
46 }
47 assert(false /* Can't get here */);
48 return false;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]49}
50
Shawn Willden33ab0382015-07-08 08:47:25 -0600[diff] [blame]51static keymaster_error_t GetAndValidateGcmTagLength(const AuthorizationSet& begin_params,
52 const AuthorizationSet& key_params,
53 size_t* tag_length) {
54 uint32_t tag_length_bits;
55 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits)) {
56 return KM_ERROR_MISSING_MAC_LENGTH;
57 }
58
59 uint32_t min_tag_length_bits;
60 if (!key_params.GetTagValue(TAG_MIN_MAC_LENGTH, &min_tag_length_bits)) {
61 LOG_E("AES GCM key must have KM_TAG_MIN_MAC_LENGTH", 0);
62 return KM_ERROR_INVALID_KEY_BLOB;
63 }
64
65 if (tag_length_bits % 8 != 0 || tag_length_bits > kMaxGcmTagLength ||
66 tag_length_bits < kMinGcmTagLength) {
67 return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
68 }
69
70 if (tag_length_bits < min_tag_length_bits) {
71 return KM_ERROR_INVALID_MAC_LENGTH;
72 }
73
74 *tag_length = tag_length_bits / 8;
75 return KM_ERROR_OK;
76}
77
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]78Operation* AesOperationFactory::CreateOperation(const Key& key,
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]79 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]80 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]81 *error = KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]82 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]83
84 switch (symmetric_key->key_data_size()) {
85 case 16:
86 case 24:
87 case 32:
88 break;
89 default:
90 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]91 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]92 }
93
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]94 keymaster_block_mode_t block_mode;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]95 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) {
96 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE));
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]97 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]98 return nullptr;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]99 } else if (!supported(block_mode)) {
100 LOG_E("Block mode %d not supported", block_mode);
101 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]102 return nullptr;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]103 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) {
104 LOG_E("Block mode %d was specified, but not authorized by key", block_mode);
105 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]106 return nullptr;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]107 }
108
109 size_t tag_length = 0;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]110 if (block_mode == KM_MODE_GCM) {
Shawn Willden33ab0382015-07-08 08:47:25 -0600[diff] [blame]111 *error = GetAndValidateGcmTagLength(begin_params, key.authorizations(), &tag_length);
112 if (*error != KM_ERROR_OK) {
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]113 return nullptr;
114 }
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]115 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]116
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]117 keymaster_padding_t padding;
Shawn Willden33ab0382015-07-08 08:47:25 -0600[diff] [blame]118 if (!GetAndValidatePadding(begin_params, key, &padding, error)) {
Shawn Willden5532a082015-07-01 12:58:08 -0600[diff] [blame]119 return nullptr;
Shawn Willden33ab0382015-07-08 08:47:25 -0600[diff] [blame]120 }
Shawn Willden5532a082015-07-01 12:58:08 -0600[diff] [blame]121 if (!allows_padding(block_mode) && padding != KM_PAD_NONE) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]122 LOG_E("Mode does not support padding", 0);
123 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]124 return nullptr;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]125 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]126
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]127 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
128
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]129 Operation* op = nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]130 switch (purpose()) {
131 case KM_PURPOSE_ENCRYPT:
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]132 op = new (std::nothrow)
133 AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length,
134 symmetric_key->key_data(), symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]135 break;
136 case KM_PURPOSE_DECRYPT:
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]137 op = new (std::nothrow)
138 AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(),
139 symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]140 break;
141 default:
142 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame]143 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]144 }
145
146 if (!op)
147 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
148 return op;
149}
150
Shawn Willdenc47c88f2015-04-07 17:23:27 -0600[diff] [blame]151static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC,
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]152 KM_MODE_CTR, KM_MODE_GCM};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]153
154const keymaster_block_mode_t*
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]155AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]156 *block_mode_count = array_length(supported_block_modes);
157 return supported_block_modes;
158}
159
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]160static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
161const keymaster_padding_t*
162AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
163 *padding_mode_count = array_length(supported_padding_modes);
164 return supported_padding_modes;
165}
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]166
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]167AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]168 keymaster_padding_t padding, bool caller_iv, size_t tag_length,
169 const uint8_t* key, size_t key_size)
170 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length),
171 data_started_(false), key_size_(key_size), padding_(padding) {
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]172 memcpy(key_, key, key_size_);
173 EVP_CIPHER_CTX_init(&ctx_);
174}
175
176AesEvpOperation::~AesEvpOperation() {
177 EVP_CIPHER_CTX_cleanup(&ctx_);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]178 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0);
179}
180
181keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
182 AuthorizationSet* /* output_params */) {
183 if (block_mode_ == KM_MODE_GCM) {
184 aad_block_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]185 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]186 if (!aad_block_buf_.get())
187 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
188 }
189
190 return InitializeCipher();
191}
192
193keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params,
194 const Buffer& input,
195 AuthorizationSet* /* output_params */, Buffer* output,
196 size_t* input_consumed) {
197 keymaster_error_t error;
198 if (block_mode_ == KM_MODE_GCM)
199 if (!HandleAad(additional_params, input, &error))
200 return error;
201
202 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
203 return error;
204 *input_consumed = input.available_read();
205
206 return KM_ERROR_OK;
207}
208
209inline bool is_bad_decrypt(unsigned long error) {
210 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && //
211 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT);
212}
213
214keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */,
215 const Buffer& /* signature */,
216 AuthorizationSet* /* output_params */, Buffer* output) {
217 if (!output->reserve(AES_BLOCK_SIZE))
218 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
219
220 keymaster_error_t error;
221 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 &&
222 !ProcessBufferedAadBlock(&error)) {
223 return error;
224 }
225
226 int output_written = -1;
227 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
228 if (tag_length_ > 0)
229 return KM_ERROR_VERIFICATION_FAILED;
230 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
231 return TranslateLastOpenSslError();
232 }
233
234 assert(output_written <= AES_BLOCK_SIZE);
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]235 if (!output->advance_write(output_written))
236 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]237 return KM_ERROR_OK;
238}
239
240bool AesEvpOperation::need_iv() const {
241 switch (block_mode_) {
242 case KM_MODE_CBC:
243 case KM_MODE_CTR:
244 case KM_MODE_GCM:
245 return true;
246 case KM_MODE_ECB:
247 return false;
248 default:
249 // Shouldn't get here.
250 assert(false);
251 return false;
252 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]253}
254
255keymaster_error_t AesEvpOperation::InitializeCipher() {
256 const EVP_CIPHER* cipher;
257 switch (block_mode_) {
258 case KM_MODE_ECB:
259 switch (key_size_) {
260 case 16:
261 cipher = EVP_aes_128_ecb();
262 break;
263 case 24:
264 cipher = EVP_aes_192_ecb();
265 break;
266 case 32:
267 cipher = EVP_aes_256_ecb();
268 break;
269 default:
270 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
271 }
272 break;
273 case KM_MODE_CBC:
274 switch (key_size_) {
275 case 16:
276 cipher = EVP_aes_128_cbc();
277 break;
278 case 24:
279 cipher = EVP_aes_192_cbc();
280 break;
281 case 32:
282 cipher = EVP_aes_256_cbc();
283 break;
284 default:
285 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
286 }
287 break;
Thai Duong20d725d2015-03-24 17:49:58 -0700[diff] [blame]288 case KM_MODE_CTR:
289 switch (key_size_) {
290 case 16:
291 cipher = EVP_aes_128_ctr();
292 break;
293 case 24:
294 cipher = EVP_aes_192_ctr();
295 break;
296 case 32:
297 cipher = EVP_aes_256_ctr();
298 break;
299 default:
300 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
301 }
302 break;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]303 case KM_MODE_GCM:
304 switch (key_size_) {
305 case 16:
306 cipher = EVP_aes_128_gcm();
307 break;
308 case 24:
309 cipher = EVP_aes_192_gcm();
310 break;
311 case 32:
312 cipher = EVP_aes_256_gcm();
313 break;
314 default:
315 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
316 }
317 break;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]318 default:
319 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
320 }
321
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]322 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()))
Shawn Willdenf01329d2015-03-11 21:51:38 -0600[diff] [blame]323 return TranslateLastOpenSslError();
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]324
325 switch (padding_) {
326 case KM_PAD_NONE:
327 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
328 break;
329 case KM_PAD_PKCS7:
330 // This is the default for OpenSSL EVP cipher operations.
331 break;
332 default:
333 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
334 }
335
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]336 if (block_mode_ == KM_MODE_GCM) {
337 aad_block_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]338 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]339 if (!aad_block_buf_.get())
340 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
341 }
342
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]343 return KM_ERROR_OK;
344}
345
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]346keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) {
347 keymaster_blob_t iv_blob;
348 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) {
349 LOG_E("No IV provided", 0);
350 return KM_ERROR_INVALID_ARGUMENT;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]351 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]352 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) {
353 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE,
354 iv_blob.data_length);
355 return KM_ERROR_INVALID_NONCE;
356 }
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]357 if (block_mode_ == KM_MODE_GCM && iv_blob.data_length != GCM_NONCE_SIZE) {
358 LOG_E("Expected %d-byte nonce for AES-GCM operation, but got %d bytes", GCM_NONCE_SIZE,
359 iv_blob.data_length);
360 return KM_ERROR_INVALID_NONCE;
361 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]362 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length));
363 if (!iv_.get())
364 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
365 iv_length_ = iv_blob.data_length;
366 return KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]367}
368
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]369/*
370 * Process Incoming Associated Authentication Data.
371 *
372 * This method is more complex than might be expected, because the underlying library silently does
373 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in
374 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data.
375 */
376bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input,
377 keymaster_error_t* error) {
378 assert(tag_length_ > 0);
379 assert(error);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]380
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]381 keymaster_blob_t aad;
382 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) {
383 if (data_started_) {
384 *error = KM_ERROR_INVALID_TAG;
385 return false;
386 }
387
388 if (aad_block_buf_length_ > 0) {
389 FillBufferedAadBlock(&aad);
390 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error))
391 return false;
392 }
393
394 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE;
395 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error))
396 return false;
397 aad.data += blocks_to_process * AES_BLOCK_SIZE;
398 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE;
399
400 FillBufferedAadBlock(&aad);
401 assert(aad.data_length == 0);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]402 }
403
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]404 if (input.available_read()) {
405 data_started_ = true;
406 // Data has begun, no more AAD is allowed. Process any buffered AAD.
407 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error))
408 return false;
409 }
410
411 return true;
412}
413
414bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) {
415 int output_written;
416 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(),
417 aad_block_buf_length_)) {
418 aad_block_buf_length_ = 0;
419 return true;
420 }
421 *error = TranslateLastOpenSslError();
422 return false;
423}
424
425bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks,
426 keymaster_error_t* error) {
427 int output_written;
428 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE))
429 return true;
430 *error = TranslateLastOpenSslError();
431 return false;
432}
433
434inline size_t min(size_t a, size_t b) {
435 return (a < b) ? a : b;
436}
437
438void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) {
439 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length);
440 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer);
441 aad->data += to_buffer;
442 aad->data_length -= to_buffer;
443 aad_block_buf_length_ += to_buffer;
444}
445
446bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output,
447 keymaster_error_t* error) {
448 assert(output);
449 assert(error);
450
Shawn Willden294a2db2015-06-17 11:20:56 -0600[diff] [blame]451 if (!input_length)
452 return true;
453
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]454 if (!output->reserve(input_length + AES_BLOCK_SIZE)) {
455 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
456 return false;
457 }
458
459 int output_written = -1;
460 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) {
461 *error = TranslateLastOpenSslError();
462 return false;
463 }
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]464 return output->advance_write(output_written);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]465}
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]466
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]467keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params,
468 AuthorizationSet* output_params) {
469 if (!output_params)
470 return KM_ERROR_OUTPUT_PARAMETER_NULL;
471
472 if (need_iv()) {
473 keymaster_error_t error = KM_ERROR_OK;
474 if (input_params.find(TAG_NONCE) == -1)
475 error = GenerateIv();
476 else if (caller_iv_)
477 error = GetIv(input_params);
478 else
479 error = KM_ERROR_CALLER_NONCE_PROHIBITED;
480
481 if (error == KM_ERROR_OK)
482 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_);
483 else
484 return error;
485 }
486
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]487 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]488}
489
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]490keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params,
491 const Buffer& signature,
492 AuthorizationSet* output_params, Buffer* output) {
493 if (!output->reserve(AES_BLOCK_SIZE + tag_length_))
Shawn Willden92b69a32015-03-14 11:07:36 -0600[diff] [blame]494 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]495
496 keymaster_error_t error =
497 AesEvpOperation::Finish(additional_params, signature, output_params, output);
498 if (error != KM_ERROR_OK)
499 return error;
500
501 if (tag_length_ > 0) {
502 if (!output->reserve(output->available_read() + tag_length_))
503 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
504
505 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write()))
506 return TranslateLastOpenSslError();
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]507 if (!output->advance_write(tag_length_))
508 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]509 }
510
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]511 return KM_ERROR_OK;
512}
513
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]514keymaster_error_t AesEvpEncryptOperation::GenerateIv() {
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]515 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_NONCE_SIZE : AES_BLOCK_SIZE;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]516 iv_.reset(new (std::nothrow) uint8_t[iv_length_]);
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]517 if (!iv_.get())
518 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]519 if (RAND_bytes(iv_.get(), iv_length_) != 1)
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]520 return TranslateLastOpenSslError();
521 return KM_ERROR_OK;
522}
523
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]524keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params,
525 AuthorizationSet* output_params) {
526 if (need_iv()) {
527 keymaster_error_t error = GetIv(input_params);
528 if (error != KM_ERROR_OK)
529 return error;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]530 }
531
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]532 if (tag_length_ > 0) {
533 tag_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]534 tag_buf_.reset(new (std::nothrow) uint8_t[tag_length_]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]535 if (!tag_buf_.get())
536 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
537 }
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]538
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]539 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]540}
541
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]542keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params,
543 const Buffer& input,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]544 AuthorizationSet* /* output_params */,
545 Buffer* output, size_t* input_consumed) {
546 if (!output || !input_consumed)
547 return KM_ERROR_OUTPUT_PARAMETER_NULL;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]548
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]549 // Barring error, we'll consume it all.
550 *input_consumed = input.available_read();
551
552 keymaster_error_t error;
553 if (block_mode_ == KM_MODE_GCM) {
554 if (!HandleAad(additional_params, input, &error))
555 return error;
556 return ProcessAllButTagLengthBytes(input, output);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]557 }
558
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]559 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
560 return error;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]561 return KM_ERROR_OK;
562}
563
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]564keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input,
565 Buffer* output) {
566 if (input.available_read() <= tag_buf_unused()) {
567 BufferCandidateTagData(input.peek_read(), input.available_read());
568 return KM_ERROR_OK;
569 }
570
571 const size_t data_available = tag_buf_length_ + input.available_read();
572
573 const size_t to_process = data_available - tag_length_;
574 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_);
575 const size_t to_process_from_input = to_process - to_process_from_tag_buf;
576
577 if (!output->reserve(to_process + AES_BLOCK_SIZE))
578 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
579
580 keymaster_error_t error;
581 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error))
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]582 return error;
583
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]584 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error))
585 return error;
586
587 BufferCandidateTagData(input.peek_read() + to_process_from_input,
588 input.available_read() - to_process_from_input);
589 assert(tag_buf_unused() == 0);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]590
591 return KM_ERROR_OK;
592}
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]593
594bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output,
595 keymaster_error_t* error) {
596 assert(to_process <= tag_buf_length_);
597 if (!InternalUpdate(tag_buf_.get(), to_process, output, error))
598 return false;
599 if (to_process < tag_buf_length_)
600 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process);
601 tag_buf_length_ -= to_process;
602 return true;
603}
604
605void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) {
606 assert(data_length <= tag_length_ - tag_buf_length_);
607 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length);
608 tag_buf_length_ += data_length;
609}
610
611keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params,
612 const Buffer& signature,
613 AuthorizationSet* output_params, Buffer* output) {
614 if (tag_buf_length_ < tag_length_)
615 return KM_ERROR_INVALID_INPUT_LENGTH;
616 else if (tag_length_ > 0 &&
617 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get()))
618 return TranslateLastOpenSslError();
619
620 return AesEvpOperation::Finish(additional_params, signature, output_params, output);
621}
622
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]623keymaster_error_t AesEvpOperation::Abort() {
624 return KM_ERROR_OK;
625}
626
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]627} // namespace keymaster