external/boringssl: Sync to 2c1523733a71166943e52da11ac2eae82b0227b8.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/2c45fa0b90f61b27973fa81893e014fc8c8e8999..2c1523733a71166943e52da11ac2eae82b0227b8
Test: Boringssl CTS Presubmits
Change-Id: I3dd86f480a6498f78b7b0cce8278179b7201107c
diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c
index 861a563..a16956e 100644
--- a/src/crypto/cipher/e_aes.c
+++ b/src/crypto/cipher/e_aes.c
@@ -59,7 +59,7 @@
#include "internal.h"
#include "../internal.h"
-#include "../modes/internal.h"
+#include "../fipsmodule/modes/internal.h"
#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
#include <openssl/arm_arch.h>
@@ -404,7 +404,7 @@
if (aesni_capable()) {
aesni_set_encrypt_key(key, key_bytes * 8, aes_key);
if (gcm_ctx != NULL) {
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aesni_encrypt);
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aesni_encrypt, 1);
}
if (out_block) {
*out_block = (block128_f) aesni_encrypt;
@@ -415,7 +415,7 @@
if (hwaes_capable()) {
aes_hw_set_encrypt_key(key, key_bytes * 8, aes_key);
if (gcm_ctx != NULL) {
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_hw_encrypt);
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_hw_encrypt, 0);
}
if (out_block) {
*out_block = (block128_f) aes_hw_encrypt;
@@ -426,7 +426,7 @@
if (bsaes_capable()) {
AES_set_encrypt_key(key, key_bytes * 8, aes_key);
if (gcm_ctx != NULL) {
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt, 0);
}
if (out_block) {
*out_block = (block128_f) AES_encrypt;
@@ -440,14 +440,14 @@
*out_block = (block128_f) vpaes_encrypt;
}
if (gcm_ctx != NULL) {
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt, 0);
}
return NULL;
}
AES_set_encrypt_key(key, key_bytes * 8, aes_key);
if (gcm_ctx != NULL) {
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt, 0);
}
if (out_block) {
*out_block = (block128_f) AES_encrypt;
@@ -842,7 +842,7 @@
}
if (key) {
aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)aesni_encrypt);
+ CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)aesni_encrypt, 1);
gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
/* If we have an iv can set it directly, otherwise use
* saved IV. */
@@ -1177,6 +1177,109 @@
const EVP_AEAD *EVP_aead_aes_256_gcm(void) { return &aead_aes_256_gcm; }
+#if defined(BORINGSSL_FIPS)
+#define FIPS_AES_GCM_IV_LEN 12
+
+static int aead_aes_gcm_fips_testonly_seal(
+ const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
+ const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
+ const uint8_t *ad, size_t ad_len) {
+ if (nonce_len != 0) {
+ OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+ return 0;
+ }
+ if (max_out_len < FIPS_AES_GCM_IV_LEN) {
+ OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ uint8_t real_nonce[FIPS_AES_GCM_IV_LEN];
+ if (!RAND_bytes(real_nonce, sizeof(real_nonce))) {
+ return 0;
+ }
+ int ret =
+ aead_aes_gcm_seal(ctx, out, out_len, max_out_len - FIPS_AES_GCM_IV_LEN,
+ real_nonce, sizeof(real_nonce), in, in_len, ad, ad_len);
+ if (ret) {
+ /* Copy the generated IV into the start of the ciphertext. */
+ OPENSSL_memmove(out + sizeof(real_nonce), out, *out_len);
+ OPENSSL_memcpy(out, real_nonce, sizeof(real_nonce));
+ *out_len += sizeof(real_nonce);
+ }
+
+ return ret;
+}
+
+static int aead_aes_gcm_fips_testonly_open(
+ const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
+ const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
+ const uint8_t *ad, size_t ad_len) {
+ if (nonce_len != 0) {
+ OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+ return 0;
+ }
+ if (in_len < FIPS_AES_GCM_IV_LEN) {
+ OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ /* Parse the generated IV from the start of the ciphertext. */
+ uint8_t real_nonce[FIPS_AES_GCM_IV_LEN];
+ OPENSSL_memcpy(real_nonce, in, sizeof(real_nonce));
+
+ /* Aliasing guarantees only allow the use of overlapping buffers when the
+ * input and output buffers are identical, so a new input needs to be
+ * allocated for the actual input ciphertext. */
+ size_t real_len = in_len - FIPS_AES_GCM_IV_LEN;
+ uint8_t *real_in = OPENSSL_malloc(real_len);
+ if (real_in == NULL) {
+ OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ OPENSSL_memcpy(real_in, in + FIPS_AES_GCM_IV_LEN, real_len);
+
+ int ret =
+ aead_aes_gcm_open(ctx, out, out_len, max_out_len, real_nonce,
+ sizeof(real_nonce), real_in, real_len, ad, ad_len);
+
+ OPENSSL_free(real_in);
+ return ret;
+}
+
+static const EVP_AEAD aead_aes_128_gcm_fips_testonly = {
+ 16, /* key len */
+ 0, /* nonce len */
+ EVP_AEAD_AES_GCM_TAG_LEN + FIPS_AES_GCM_IV_LEN, /* overhead */
+ EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
+ aead_aes_gcm_init,
+ NULL, /* init_with_direction */
+ aead_aes_gcm_cleanup,
+ aead_aes_gcm_fips_testonly_seal,
+ aead_aes_gcm_fips_testonly_open,
+ NULL, /* get_iv */
+};
+
+static const EVP_AEAD aead_aes_256_gcm_fips_testonly = {
+ 32, /* key len */
+ 0, /* nonce len */
+ EVP_AEAD_AES_GCM_TAG_LEN + FIPS_AES_GCM_IV_LEN, /* overhead */
+ EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
+ aead_aes_gcm_init,
+ NULL, /* init_with_direction */
+ aead_aes_gcm_cleanup,
+ aead_aes_gcm_fips_testonly_seal,
+ aead_aes_gcm_fips_testonly_open,
+ NULL, /* get_iv */
+};
+
+const EVP_AEAD *EVP_aead_aes_128_gcm_fips_testonly(void) {
+ return &aead_aes_128_gcm_fips_testonly;
+}
+
+const EVP_AEAD *EVP_aead_aes_256_gcm_fips_testonly(void) {
+ return &aead_aes_256_gcm_fips_testonly;
+}
+#endif /* BORINGSSL_FIPS */
int EVP_has_aes_hardware(void) {
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)