Make |gcm128_context| memcpy-safe.

This removes the confusion about whether |gcm128_context| copies the key (it didn't) or whether the caller is responsible for keeping the key alive for the lifetime of the |gcm128_context| (it was). Change-Id: Ia0ad0a8223e664381fbbfb56570b2545f51cad9f Reviewed-on: https://boringssl-review.googlesource.com/6053 Reviewed-by: Adam Langley <alangley@gmail.com>
author: Brian Smith <brian@briansmith.org> 2015-09-27 09:12:01 +0300
committer: Adam Langley <alangley@gmail.com> 2015-10-27 01:05:33 +0300
commit: 0f8bfdeb3383749eecfefb17a36416e6b35fa10c (patch)
tree: 82202e266d9a63b5d2dcd13e1af37d6a1f8a5cbc /crypto/cipher
parent: 3f3f25d8a26f4685ed67d392a5468403c9cd00af (diff)
1 files changed, 30 insertions, 31 deletions
diff --git a/crypto/cipher/e_aes.c b/crypto/cipher/e_aes.c
index 74f32230..444af3a4 100644
--- a/crypto/cipher/e_aes.c
+++ b/crypto/cipher/e_aes.c
@@ -481,14 +481,14 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
       iv = gctx->iv;
     }
     if (iv) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
       gctx->iv_set = 1;
     }
     gctx->key_set = 1;
   } else {
     /* If key set use IV, otherwise copy */
     if (gctx->key_set) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
     } else {
       memcpy(gctx->iv, iv, gctx->ivlen);
     }
@@ -592,7 +592,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
       if (gctx->iv_gen == 0 || gctx->key_set == 0) {
         return 0;
       }
-      CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
       if (arg <= 0 || arg > gctx->ivlen) {
         arg = gctx->ivlen;
       }
@@ -609,19 +609,13 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
         return 0;
       }
       memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
-      CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
       gctx->iv_set = 1;
       return 1;
 
     case EVP_CTRL_COPY: {
       EVP_CIPHER_CTX *out = ptr;
       EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
-      if (gctx->gcm.key) {
-        if (gctx->gcm.key != &gctx->ks) {
-          return 0;
-        }
-        gctx_out->gcm.key = &gctx_out->ks;
-      }
       if (gctx->iv == c->iv) {
         gctx_out->iv = out->iv;
       } else {
@@ -663,24 +657,24 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
         if (len >= 32 && AES_GCM_ASM(gctx)) {
           size_t res = (16 - gctx->gcm.mres) % 16;
 
-          if (!CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) {
+          if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in, out, res)) {
             return -1;
           }
 
-          bulk = AES_gcm_encrypt(in + res, out + res, len - res, gctx->gcm.key,
+          bulk = AES_gcm_encrypt(in + res, out + res, len - res, &gctx->ks.ks,
                                  gctx->gcm.Yi.c, gctx->gcm.Xi.u);
           gctx->gcm.len.u[1] += bulk;
           bulk += res;
         }
 #endif
-        if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in + bulk, out + bulk,
-                                        len - bulk, gctx->ctr)) {
+        if (!CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                         out + bulk, len - bulk, gctx->ctr)) {
           return -1;
         }
       } else {
         size_t bulk = 0;
-        if (!CRYPTO_gcm128_encrypt(&gctx->gcm, in + bulk, out + bulk,
-                                  len - bulk)) {
+        if (!CRYPTO_gcm128_encrypt(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                   out + bulk, len - bulk)) {
           return -1;
         }
       }
@@ -691,24 +685,24 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
         if (len >= 16 && AES_GCM_ASM(gctx)) {
           size_t res = (16 - gctx->gcm.mres) % 16;
 
-          if (!CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) {
+          if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in, out, res)) {
             return -1;
           }
 
-          bulk = AES_gcm_decrypt(in + res, out + res, len - res, gctx->gcm.key,
+          bulk = AES_gcm_decrypt(in + res, out + res, len - res, &gctx->ks.ks,
                                  gctx->gcm.Yi.c, gctx->gcm.Xi.u);
           gctx->gcm.len.u[1] += bulk;
           bulk += res;
         }
 #endif
-        if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in + bulk, out + bulk,
-                                        len - bulk, gctx->ctr)) {
+        if (!CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                         out + bulk, len - bulk, gctx->ctr)) {
           return -1;
         }
       } else {
         size_t bulk = 0;
-        if (!CRYPTO_gcm128_decrypt(&gctx->gcm, in + bulk, out + bulk,
-                                  len - bulk)) {
+        if (!CRYPTO_gcm128_decrypt(&gctx->gcm, &gctx->ks.ks, in + bulk,
+                                   out + bulk, len - bulk)) {
           return -1;
         }
       }
@@ -902,14 +896,14 @@ static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
       iv = gctx->iv;
     }
     if (iv) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
       gctx->iv_set = 1;
     }
     gctx->key_set = 1;
   } else {
     /* If key set use IV, otherwise copy */
     if (gctx->key_set) {
-      CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+      CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
     } else {
       memcpy(gctx->iv, iv, gctx->ivlen);
     }
@@ -1122,19 +1116,22 @@ static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
+  const AES_KEY *key = &gcm_ctx->ks.ks;
+
   memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
-  CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
+  CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
 
   if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
     return 0;
   }
 
   if (gcm_ctx->ctr) {
-    if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, in, out, in_len, gcm_ctx->ctr)) {
+    if (!CRYPTO_gcm128_encrypt_ctr32(&gcm, key, in, out, in_len,
+                                     gcm_ctx->ctr)) {
       return 0;
     }
   } else {
-    if (!CRYPTO_gcm128_encrypt(&gcm, in, out, in_len)) {
+    if (!CRYPTO_gcm128_encrypt(&gcm, key, in, out, in_len)) {
       return 0;
     }
   }
@@ -1166,20 +1163,22 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
+  const AES_KEY *key = &gcm_ctx->ks.ks;
+
   memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
-  CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
+  CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
 
   if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
     return 0;
   }
 
   if (gcm_ctx->ctr) {
-    if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, in, out, in_len - gcm_ctx->tag_len,
-                                     gcm_ctx->ctr)) {
+    if (!CRYPTO_gcm128_decrypt_ctr32(&gcm, key, in, out,
+                                     in_len - gcm_ctx->tag_len, gcm_ctx->ctr)) {
       return 0;
     }
   } else {
-    if (!CRYPTO_gcm128_decrypt(&gcm, in, out, in_len - gcm_ctx->tag_len)) {
+    if (!CRYPTO_gcm128_decrypt(&gcm, key, in, out, in_len - gcm_ctx->tag_len)) {
       return 0;
     }
   }
author	Brian Smith <brian@briansmith.org>	2015-09-27 09:12:01 +0300
committer	Adam Langley <alangley@gmail.com>	2015-10-27 01:05:33 +0300
commit	0f8bfdeb3383749eecfefb17a36416e6b35fa10c (patch)
tree	82202e266d9a63b5d2dcd13e1af37d6a1f8a5cbc /crypto/cipher
parent	3f3f25d8a26f4685ed67d392a5468403c9cd00af (diff)