Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / e23a2c91145e2294915e5d0cc5d7591c1aa82aca / . / aes_operation.cpp
blob: bf18041ec68929081a06347acee15e0cf26fea3a [file] [log] [blame]
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]17#include "aes_operation.h"
18
Shawn Willden6dde87c2014-12-11 14:08:48 -0700[diff] [blame]19#include <stdio.h>
20
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]21#include <new>
22
Shawn Willden06298102015-05-25 23:12:48 -0600[diff] [blame]23#include <UniquePtr.h>
24
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]25#include <openssl/aes.h>
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]26#include <openssl/err.h>
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]27#include <openssl/rand.h>
28
Shawn Willden567a4a02014-12-31 12:14:46 -0700[diff] [blame]29#include <keymaster/logger.h>
30
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]31#include "aes_key.h"
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]32#include "openssl_err.h"
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]33
34namespace keymaster {
35
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]36static const size_t GCM_NONCE_SIZE = 12;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]37static const size_t GCM_MAX_TAG_LENGTH = 16;
38static const size_t GCM_MIN_TAG_LENGTH = 12;
39
40inline bool allows_padding(keymaster_block_mode_t block_mode) {
Shawn Willden5532a082015-07-01 12:58:08 -0600[diff] [blame]41 switch (block_mode) {
42 case KM_MODE_CTR:
43 case KM_MODE_GCM:
44 return false;
45 case KM_MODE_ECB:
46 case KM_MODE_CBC:
47 return true;
48 }
49 assert(false /* Can't get here */);
50 return false;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]51}
52
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]53Operation* AesOperationFactory::CreateOperation(const Key& key,
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]54 const AuthorizationSet& begin_params,
Shawn Willden3ed6d062015-04-15 13:39:38 -0600[diff] [blame]55 keymaster_error_t* error) {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]56 *error = KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]57 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]58
59 switch (symmetric_key->key_data_size()) {
60 case 16:
61 case 24:
62 case 32:
63 break;
64 default:
65 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]66 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]67 }
68
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]69 keymaster_block_mode_t block_mode;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]70 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) {
71 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE));
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]72 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]73 return nullptr;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]74 } else if (!supported(block_mode)) {
75 LOG_E("Block mode %d not supported", block_mode);
76 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]77 return nullptr;
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]78 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) {
79 LOG_E("Block mode %d was specified, but not authorized by key", block_mode);
80 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]81 return nullptr;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]82 }
83
84 size_t tag_length = 0;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]85 if (block_mode == KM_MODE_GCM) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]86 uint32_t tag_length_bits;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]87 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits)) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]88 *error = KM_ERROR_MISSING_MAC_LENGTH;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]89 return nullptr;
90 }
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]91 tag_length = tag_length_bits / 8;
92 if (tag_length_bits % 8 != 0 || tag_length > GCM_MAX_TAG_LENGTH ||
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]93 tag_length < GCM_MIN_TAG_LENGTH) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]94 *error = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]95 return nullptr;
96 }
Shawn Willden31e063f2015-05-08 14:31:22 -0600[diff] [blame]97 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]98
Shawn Willdenc4424672015-05-11 11:56:02 -0600[diff] [blame]99 keymaster_padding_t padding;
Shawn Willden5532a082015-07-01 12:58:08 -0600[diff] [blame]100 if (!GetAndValidatePadding(begin_params, key, &padding, error))
101 return nullptr;
102 if (!allows_padding(block_mode) && padding != KM_PAD_NONE) {
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]103 LOG_E("Mode does not support padding", 0);
104 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]105 return nullptr;
Shawn Willden3ad5f052015-05-08 14:05:13 -0600[diff] [blame]106 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]107
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]108 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
109
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]110 Operation* op = nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]111 switch (purpose()) {
112 case KM_PURPOSE_ENCRYPT:
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]113 op = new (std::nothrow)
114 AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length,
115 symmetric_key->key_data(), symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]116 break;
117 case KM_PURPOSE_DECRYPT:
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]118 op = new (std::nothrow)
119 AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(),
120 symmetric_key->key_data_size());
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]121 break;
122 default:
123 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
Shawn Willdene23a2c92015-07-06 15:52:45 -0600[diff] [blame^]124 return nullptr;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]125 }
126
127 if (!op)
128 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
129 return op;
130}
131
Shawn Willdenc47c88f2015-04-07 17:23:27 -0600[diff] [blame]132static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC,
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]133 KM_MODE_CTR, KM_MODE_GCM};
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]134
135const keymaster_block_mode_t*
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]136AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]137 *block_mode_count = array_length(supported_block_modes);
138 return supported_block_modes;
139}
140
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]141static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
142const keymaster_padding_t*
143AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
144 *padding_mode_count = array_length(supported_padding_modes);
145 return supported_padding_modes;
146}
Shawn Willden63ac0432014-12-29 14:07:08 -0700[diff] [blame]147
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]148AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]149 keymaster_padding_t padding, bool caller_iv, size_t tag_length,
150 const uint8_t* key, size_t key_size)
151 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length),
152 data_started_(false), key_size_(key_size), padding_(padding) {
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]153 memcpy(key_, key, key_size_);
154 EVP_CIPHER_CTX_init(&ctx_);
155}
156
157AesEvpOperation::~AesEvpOperation() {
158 EVP_CIPHER_CTX_cleanup(&ctx_);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]159 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0);
160}
161
162keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
163 AuthorizationSet* /* output_params */) {
164 if (block_mode_ == KM_MODE_GCM) {
165 aad_block_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]166 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]167 if (!aad_block_buf_.get())
168 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
169 }
170
171 return InitializeCipher();
172}
173
174keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params,
175 const Buffer& input,
176 AuthorizationSet* /* output_params */, Buffer* output,
177 size_t* input_consumed) {
178 keymaster_error_t error;
179 if (block_mode_ == KM_MODE_GCM)
180 if (!HandleAad(additional_params, input, &error))
181 return error;
182
183 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
184 return error;
185 *input_consumed = input.available_read();
186
187 return KM_ERROR_OK;
188}
189
190inline bool is_bad_decrypt(unsigned long error) {
191 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && //
192 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT);
193}
194
195keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& /* additional_params */,
196 const Buffer& /* signature */,
197 AuthorizationSet* /* output_params */, Buffer* output) {
198 if (!output->reserve(AES_BLOCK_SIZE))
199 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
200
201 keymaster_error_t error;
202 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 &&
203 !ProcessBufferedAadBlock(&error)) {
204 return error;
205 }
206
207 int output_written = -1;
208 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
209 if (tag_length_ > 0)
210 return KM_ERROR_VERIFICATION_FAILED;
211 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
212 return TranslateLastOpenSslError();
213 }
214
215 assert(output_written <= AES_BLOCK_SIZE);
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]216 if (!output->advance_write(output_written))
217 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]218 return KM_ERROR_OK;
219}
220
221bool AesEvpOperation::need_iv() const {
222 switch (block_mode_) {
223 case KM_MODE_CBC:
224 case KM_MODE_CTR:
225 case KM_MODE_GCM:
226 return true;
227 case KM_MODE_ECB:
228 return false;
229 default:
230 // Shouldn't get here.
231 assert(false);
232 return false;
233 }
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]234}
235
236keymaster_error_t AesEvpOperation::InitializeCipher() {
237 const EVP_CIPHER* cipher;
238 switch (block_mode_) {
239 case KM_MODE_ECB:
240 switch (key_size_) {
241 case 16:
242 cipher = EVP_aes_128_ecb();
243 break;
244 case 24:
245 cipher = EVP_aes_192_ecb();
246 break;
247 case 32:
248 cipher = EVP_aes_256_ecb();
249 break;
250 default:
251 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
252 }
253 break;
254 case KM_MODE_CBC:
255 switch (key_size_) {
256 case 16:
257 cipher = EVP_aes_128_cbc();
258 break;
259 case 24:
260 cipher = EVP_aes_192_cbc();
261 break;
262 case 32:
263 cipher = EVP_aes_256_cbc();
264 break;
265 default:
266 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
267 }
268 break;
Thai Duong20d725d2015-03-24 17:49:58 -0700[diff] [blame]269 case KM_MODE_CTR:
270 switch (key_size_) {
271 case 16:
272 cipher = EVP_aes_128_ctr();
273 break;
274 case 24:
275 cipher = EVP_aes_192_ctr();
276 break;
277 case 32:
278 cipher = EVP_aes_256_ctr();
279 break;
280 default:
281 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
282 }
283 break;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]284 case KM_MODE_GCM:
285 switch (key_size_) {
286 case 16:
287 cipher = EVP_aes_128_gcm();
288 break;
289 case 24:
290 cipher = EVP_aes_192_gcm();
291 break;
292 case 32:
293 cipher = EVP_aes_256_gcm();
294 break;
295 default:
296 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
297 }
298 break;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]299 default:
300 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
301 }
302
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]303 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()))
Shawn Willdenf01329d2015-03-11 21:51:38 -0600[diff] [blame]304 return TranslateLastOpenSslError();
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]305
306 switch (padding_) {
307 case KM_PAD_NONE:
308 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
309 break;
310 case KM_PAD_PKCS7:
311 // This is the default for OpenSSL EVP cipher operations.
312 break;
313 default:
314 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
315 }
316
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]317 if (block_mode_ == KM_MODE_GCM) {
318 aad_block_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]319 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]320 if (!aad_block_buf_.get())
321 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
322 }
323
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]324 return KM_ERROR_OK;
325}
326
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]327keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) {
328 keymaster_blob_t iv_blob;
329 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) {
330 LOG_E("No IV provided", 0);
331 return KM_ERROR_INVALID_ARGUMENT;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]332 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]333 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) {
334 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE,
335 iv_blob.data_length);
336 return KM_ERROR_INVALID_NONCE;
337 }
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]338 if (block_mode_ == KM_MODE_GCM && iv_blob.data_length != GCM_NONCE_SIZE) {
339 LOG_E("Expected %d-byte nonce for AES-GCM operation, but got %d bytes", GCM_NONCE_SIZE,
340 iv_blob.data_length);
341 return KM_ERROR_INVALID_NONCE;
342 }
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]343 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length));
344 if (!iv_.get())
345 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
346 iv_length_ = iv_blob.data_length;
347 return KM_ERROR_OK;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]348}
349
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]350/*
351 * Process Incoming Associated Authentication Data.
352 *
353 * This method is more complex than might be expected, because the underlying library silently does
354 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in
355 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data.
356 */
357bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input,
358 keymaster_error_t* error) {
359 assert(tag_length_ > 0);
360 assert(error);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]361
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]362 keymaster_blob_t aad;
363 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) {
364 if (data_started_) {
365 *error = KM_ERROR_INVALID_TAG;
366 return false;
367 }
368
369 if (aad_block_buf_length_ > 0) {
370 FillBufferedAadBlock(&aad);
371 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error))
372 return false;
373 }
374
375 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE;
376 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error))
377 return false;
378 aad.data += blocks_to_process * AES_BLOCK_SIZE;
379 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE;
380
381 FillBufferedAadBlock(&aad);
382 assert(aad.data_length == 0);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]383 }
384
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]385 if (input.available_read()) {
386 data_started_ = true;
387 // Data has begun, no more AAD is allowed. Process any buffered AAD.
388 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error))
389 return false;
390 }
391
392 return true;
393}
394
395bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) {
396 int output_written;
397 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(),
398 aad_block_buf_length_)) {
399 aad_block_buf_length_ = 0;
400 return true;
401 }
402 *error = TranslateLastOpenSslError();
403 return false;
404}
405
406bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks,
407 keymaster_error_t* error) {
408 int output_written;
409 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE))
410 return true;
411 *error = TranslateLastOpenSslError();
412 return false;
413}
414
415inline size_t min(size_t a, size_t b) {
416 return (a < b) ? a : b;
417}
418
419void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) {
420 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length);
421 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer);
422 aad->data += to_buffer;
423 aad->data_length -= to_buffer;
424 aad_block_buf_length_ += to_buffer;
425}
426
427bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output,
428 keymaster_error_t* error) {
429 assert(output);
430 assert(error);
431
Shawn Willden294a2db2015-06-17 11:20:56 -0600[diff] [blame]432 if (!input_length)
433 return true;
434
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]435 if (!output->reserve(input_length + AES_BLOCK_SIZE)) {
436 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
437 return false;
438 }
439
440 int output_written = -1;
441 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) {
442 *error = TranslateLastOpenSslError();
443 return false;
444 }
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]445 return output->advance_write(output_written);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]446}
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]447
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]448keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params,
449 AuthorizationSet* output_params) {
450 if (!output_params)
451 return KM_ERROR_OUTPUT_PARAMETER_NULL;
452
453 if (need_iv()) {
454 keymaster_error_t error = KM_ERROR_OK;
455 if (input_params.find(TAG_NONCE) == -1)
456 error = GenerateIv();
457 else if (caller_iv_)
458 error = GetIv(input_params);
459 else
460 error = KM_ERROR_CALLER_NONCE_PROHIBITED;
461
462 if (error == KM_ERROR_OK)
463 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_);
464 else
465 return error;
466 }
467
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]468 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willden7a62f5e2015-03-10 12:59:20 -0600[diff] [blame]469}
470
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]471keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params,
472 const Buffer& signature,
473 AuthorizationSet* output_params, Buffer* output) {
474 if (!output->reserve(AES_BLOCK_SIZE + tag_length_))
Shawn Willden92b69a32015-03-14 11:07:36 -0600[diff] [blame]475 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]476
477 keymaster_error_t error =
478 AesEvpOperation::Finish(additional_params, signature, output_params, output);
479 if (error != KM_ERROR_OK)
480 return error;
481
482 if (tag_length_ > 0) {
483 if (!output->reserve(output->available_read() + tag_length_))
484 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
485
486 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write()))
487 return TranslateLastOpenSslError();
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]488 if (!output->advance_write(tag_length_))
489 return KM_ERROR_UNKNOWN_ERROR;
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]490 }
491
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]492 return KM_ERROR_OK;
493}
494
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]495keymaster_error_t AesEvpEncryptOperation::GenerateIv() {
Shawn Willdenc4bfa862015-06-17 09:46:50 -0600[diff] [blame]496 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_NONCE_SIZE : AES_BLOCK_SIZE;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]497 iv_.reset(new (std::nothrow) uint8_t[iv_length_]);
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]498 if (!iv_.get())
499 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]500 if (RAND_bytes(iv_.get(), iv_length_) != 1)
Shawn Willden67706352015-04-28 00:43:19 -0600[diff] [blame]501 return TranslateLastOpenSslError();
502 return KM_ERROR_OK;
503}
504
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]505keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params,
506 AuthorizationSet* output_params) {
507 if (need_iv()) {
508 keymaster_error_t error = GetIv(input_params);
509 if (error != KM_ERROR_OK)
510 return error;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]511 }
512
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]513 if (tag_length_ > 0) {
514 tag_buf_length_ = 0;
Shawn Willden0f906ec2015-06-20 09:16:30 -0600[diff] [blame]515 tag_buf_.reset(new (std::nothrow) uint8_t[tag_length_]);
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]516 if (!tag_buf_.get())
517 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
518 }
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]519
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]520 return AesEvpOperation::Begin(input_params, output_params);
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]521}
522
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]523keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params,
524 const Buffer& input,
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]525 AuthorizationSet* /* output_params */,
526 Buffer* output, size_t* input_consumed) {
527 if (!output || !input_consumed)
528 return KM_ERROR_OUTPUT_PARAMETER_NULL;
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]529
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]530 // Barring error, we'll consume it all.
531 *input_consumed = input.available_read();
532
533 keymaster_error_t error;
534 if (block_mode_ == KM_MODE_GCM) {
535 if (!HandleAad(additional_params, input, &error))
536 return error;
537 return ProcessAllButTagLengthBytes(input, output);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]538 }
539
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]540 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
541 return error;
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]542 return KM_ERROR_OK;
543}
544
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]545keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input,
546 Buffer* output) {
547 if (input.available_read() <= tag_buf_unused()) {
548 BufferCandidateTagData(input.peek_read(), input.available_read());
549 return KM_ERROR_OK;
550 }
551
552 const size_t data_available = tag_buf_length_ + input.available_read();
553
554 const size_t to_process = data_available - tag_length_;
555 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_);
556 const size_t to_process_from_input = to_process - to_process_from_tag_buf;
557
558 if (!output->reserve(to_process + AES_BLOCK_SIZE))
559 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
560
561 keymaster_error_t error;
562 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error))
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]563 return error;
564
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]565 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error))
566 return error;
567
568 BufferCandidateTagData(input.peek_read() + to_process_from_input,
569 input.available_read() - to_process_from_input);
570 assert(tag_buf_unused() == 0);
Shawn Willden0f392562015-06-02 09:00:52 -0600[diff] [blame]571
572 return KM_ERROR_OK;
573}
Shawn Willden34419132015-06-08 23:10:44 -0600[diff] [blame]574
575bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output,
576 keymaster_error_t* error) {
577 assert(to_process <= tag_buf_length_);
578 if (!InternalUpdate(tag_buf_.get(), to_process, output, error))
579 return false;
580 if (to_process < tag_buf_length_)
581 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process);
582 tag_buf_length_ -= to_process;
583 return true;
584}
585
586void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) {
587 assert(data_length <= tag_length_ - tag_buf_length_);
588 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length);
589 tag_buf_length_ += data_length;
590}
591
592keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params,
593 const Buffer& signature,
594 AuthorizationSet* output_params, Buffer* output) {
595 if (tag_buf_length_ < tag_length_)
596 return KM_ERROR_INVALID_INPUT_LENGTH;
597 else if (tag_length_ > 0 &&
598 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get()))
599 return TranslateLastOpenSslError();
600
601 return AesEvpOperation::Finish(additional_params, signature, output_params, output);
602}
603
Shawn Willdenf0f68b92014-12-30 16:03:28 -0700[diff] [blame]604keymaster_error_t AesEvpOperation::Abort() {
605 return KM_ERROR_OK;
606}
607
Shawn Willden907c3012014-12-08 15:51:55 -0700[diff] [blame]608} // namespace keymaster