Revert the initial seal/openv implementations This reverts commits 0b3bd177c1cc8abae01bc4e57852e6586436152b and 7a8c43cae95e51b7a9049d57bc598e6b843e295f. They seem to have broken in Chromium: https://chromium-review.googlesource.com/c/chromium/src/+/7247456 This timeout may also be related: https://ci.chromium.org/ui/p/boringssl/builders/ci/android_aarch64_fips_noasm/b8695885099251955441/overview Not sure why yet. Reverting just to avoid jamming the Chromium autoroller. Bug: 383343306 Change-Id: I658a05cd6131d303a1bbf11851bc8f1e95bfb826 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/85467 Commit-Queue: Lily Chen <chlily@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Lily Chen <chlily@google.com>
diff --git a/crypto/cipher/e_aesctrhmac.cc b/crypto/cipher/e_aesctrhmac.cc index 52481f0..7530fef 100644 --- a/crypto/cipher/e_aesctrhmac.cc +++ b/crypto/cipher/e_aesctrhmac.cc
@@ -20,7 +20,6 @@ #include <openssl/crypto.h> #include <openssl/err.h> #include <openssl/sha2.h> -#include <openssl/span.h> #include "../fipsmodule/aes/internal.h" #include "../fipsmodule/cipher/internal.h" @@ -119,23 +118,22 @@ SHA256_Update(sha256, bytes, sizeof(bytes)); } -static void hmac_calculate( - uint8_t out[SHA256_DIGEST_LENGTH], const SHA256_CTX *inner_init_state, - const SHA256_CTX *outer_init_state, bssl::Span<const CRYPTO_IVEC> aadvecs, - const uint8_t *nonce, bssl::Span<const CRYPTO_IOVEC> iovecs, bool encrypt) { - size_t ad_len = bssl::iovec::TotalLength(aadvecs); +static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH], + const SHA256_CTX *inner_init_state, + const SHA256_CTX *outer_init_state, + const uint8_t *ad, size_t ad_len, + const uint8_t *nonce, const uint8_t *ciphertext, + size_t ciphertext_len) { SHA256_CTX sha256; OPENSSL_memcpy(&sha256, inner_init_state, sizeof(sha256)); hmac_update_uint64(&sha256, ad_len); - hmac_update_uint64(&sha256, bssl::iovec::TotalLength(iovecs)); + hmac_update_uint64(&sha256, ciphertext_len); SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN); - for (const CRYPTO_IVEC &aadvec : aadvecs) { - SHA256_Update(&sha256, aadvec.in, aadvec.len); - } + SHA256_Update(&sha256, ad, ad_len); // Pad with zeros to the end of the SHA-256 block. const unsigned num_padding = - (SHA256_CBLOCK - ((sizeof(uint64_t) * 2 + + (SHA256_CBLOCK - ((sizeof(uint64_t)*2 + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) % SHA256_CBLOCK)) % SHA256_CBLOCK; @@ -143,9 +141,7 @@ OPENSSL_memset(padding, 0, num_padding); SHA256_Update(&sha256, padding, num_padding); - for (const CRYPTO_IOVEC &iovec : iovecs) { - SHA256_Update(&sha256, encrypt ? iovec.out : iovec.in, iovec.len); - } + SHA256_Update(&sha256, ciphertext, ciphertext_len); uint8_t inner_digest[SHA256_DIGEST_LENGTH]; SHA256_Final(inner_digest, &sha256); @@ -156,8 +152,10 @@ } static void aead_aes_ctr_hmac_sha256_crypt( - const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, const uint8_t *nonce) { + const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out, + const uint8_t *in, size_t len, const uint8_t *nonce) { + // Since the AEAD operation is one-shot, keeping a buffer of unused keystream + // bytes is pointless. However, |CRYPTO_ctr128_encrypt_ctr32| requires it. uint8_t partial_block_buffer[AES_BLOCK_SIZE]; unsigned partial_block_offset = 0; OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer)); @@ -166,24 +164,22 @@ OPENSSL_memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN); OPENSSL_memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4); - for (const CRYPTO_IOVEC &iovec : iovecs) { - CRYPTO_ctr128_encrypt_ctr32(iovec.in, iovec.out, iovec.len, &aes_ctx->ks.ks, - counter, partial_block_buffer, - &partial_block_offset, aes_ctx->ctr); - } + CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter, + partial_block_buffer, &partial_block_offset, + aes_ctx->ctr); } -static int aead_aes_ctr_hmac_sha256_sealv( - const EVP_AEAD_CTX *ctx, bssl::Span<const CRYPTO_IOVEC> iovecs, - uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len, - const uint8_t *nonce, size_t nonce_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_ctr_hmac_sha256_seal_scatter( + const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, + size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, + size_t extra_in_len, const uint8_t *ad, size_t ad_len) { const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = - (struct aead_aes_ctr_hmac_sha256_ctx *)&ctx->state; - const uint64_t in_len_64 = bssl::iovec::TotalLength(iovecs); + (struct aead_aes_ctr_hmac_sha256_ctx *) &ctx->state; + const uint64_t in_len_64 = in_len; if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) { - // This input is so large it would overflow the 32-bit block counter. + // This input is so large it would overflow the 32-bit block counter. OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; } @@ -198,24 +194,23 @@ return 0; } - aead_aes_ctr_hmac_sha256_crypt(aes_ctx, iovecs, nonce); + aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce); uint8_t hmac_result[SHA256_DIGEST_LENGTH]; hmac_calculate(hmac_result, &aes_ctx->inner_init_state, - &aes_ctx->outer_init_state, aadvecs, nonce, iovecs, - /*encrypt=*/true); + &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len); OPENSSL_memcpy(out_tag, hmac_result, ctx->tag_len); *out_tag_len = ctx->tag_len; return 1; } -static int aead_aes_ctr_hmac_sha256_openv_detached( - const EVP_AEAD_CTX *ctx, bssl::Span<const CRYPTO_IOVEC> iovecs, - const uint8_t *nonce, size_t nonce_len, const uint8_t *in_tag, - size_t in_tag_len, bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_ctr_hmac_sha256_open_gather( + const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, + size_t in_tag_len, const uint8_t *ad, size_t ad_len) { const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = - (struct aead_aes_ctr_hmac_sha256_ctx *)&ctx->state; + (struct aead_aes_ctr_hmac_sha256_ctx *) &ctx->state; if (in_tag_len != ctx->tag_len) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); @@ -229,14 +224,14 @@ uint8_t hmac_result[SHA256_DIGEST_LENGTH]; hmac_calculate(hmac_result, &aes_ctx->inner_init_state, - &aes_ctx->outer_init_state, aadvecs, nonce, iovecs, - /*encrypt=*/false); + &aes_ctx->outer_init_state, ad, ad_len, nonce, in, + in_len); if (CRYPTO_memcmp(hmac_result, in_tag, ctx->tag_len) != 0) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } - aead_aes_ctr_hmac_sha256_crypt(aes_ctx, iovecs, nonce); + aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce); return 1; } @@ -252,11 +247,11 @@ nullptr /* init_with_direction */, aead_aes_ctr_hmac_sha256_cleanup, nullptr /* open */, - nullptr /* seal_scatter */, - nullptr /* open_gather */, + aead_aes_ctr_hmac_sha256_seal_scatter, + aead_aes_ctr_hmac_sha256_open_gather, nullptr /* openv */, - aead_aes_ctr_hmac_sha256_sealv, - aead_aes_ctr_hmac_sha256_openv_detached, + nullptr /* sealv */, + nullptr /* openv_detached */, nullptr /* get_iv */, nullptr /* tag_len */, }; @@ -272,11 +267,11 @@ nullptr /* init_with_direction */, aead_aes_ctr_hmac_sha256_cleanup, nullptr /* open */, - nullptr /* seal_scatter */, - nullptr /* open_gather */, + aead_aes_ctr_hmac_sha256_seal_scatter, + aead_aes_ctr_hmac_sha256_open_gather, nullptr /* openv */, - aead_aes_ctr_hmac_sha256_sealv, - aead_aes_ctr_hmac_sha256_openv_detached, + nullptr /* sealv */, + nullptr /* openv_detached */, nullptr /* get_iv */, nullptr /* tag_len */, };
diff --git a/crypto/fipsmodule/cipher/e_aes.cc.inc b/crypto/fipsmodule/cipher/e_aes.cc.inc index 353e972..52ffca5 100644 --- a/crypto/fipsmodule/cipher/e_aes.cc.inc +++ b/crypto/fipsmodule/cipher/e_aes.cc.inc
@@ -22,7 +22,6 @@ #include <openssl/err.h> #include <openssl/mem.h> #include <openssl/nid.h> -#include <openssl/span.h> #include "../../internal.h" #include "../aes/internal.h" @@ -757,13 +756,19 @@ static void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {} -static int aead_aes_gcm_sealv_impl(const struct aead_aes_gcm_ctx *gcm_ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, - uint8_t *out_tag, size_t *out_tag_len, - size_t max_out_tag_len, const uint8_t *nonce, - size_t nonce_len, - bssl::Span<const CRYPTO_IVEC> aadvecs, - size_t tag_len) { +static int aead_aes_gcm_seal_scatter_impl( + const struct aead_aes_gcm_ctx *gcm_ctx, uint8_t *out, uint8_t *out_tag, + size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, + size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) { + if (extra_in_len + tag_len < tag_len) { + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); + return 0; + } + if (max_out_tag_len < extra_in_len + tag_len) { + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); + return 0; + } if (nonce_len == 0) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; @@ -773,42 +778,43 @@ GCM128_CONTEXT gcm; CRYPTO_gcm128_init_ctx(key, &gcm, nonce, nonce_len); - for (const CRYPTO_IVEC &aadvec : aadvecs) { - if (!CRYPTO_gcm128_aad(key, &gcm, aadvec.in, aadvec.len)) { - return 0; - } + if (ad_len > 0 && !CRYPTO_gcm128_aad(key, &gcm, ad, ad_len)) { + return 0; } - for (const CRYPTO_IOVEC &iovec : iovecs) { - if (!CRYPTO_gcm128_encrypt(key, &gcm, iovec.in, iovec.out, iovec.len)) { - return 0; - } + if (!CRYPTO_gcm128_encrypt(key, &gcm, in, out, in_len)) { + return 0; } - CRYPTO_gcm128_tag(key, &gcm, out_tag, tag_len); - *out_tag_len = tag_len; + if (extra_in_len > 0 && + !CRYPTO_gcm128_encrypt(key, &gcm, extra_in, out_tag, extra_in_len)) { + return 0; + } + + CRYPTO_gcm128_tag(key, &gcm, out_tag + extra_in_len, tag_len); + *out_tag_len = tag_len + extra_in_len; return 1; } -static int aead_aes_gcm_sealv(const EVP_AEAD_CTX *ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, - uint8_t *out_tag, size_t *out_tag_len, - size_t max_out_tag_len, const uint8_t *nonce, - size_t nonce_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_gcm_seal_scatter( + const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, + size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, + size_t extra_in_len, const uint8_t *ad, size_t ad_len) { const struct aead_aes_gcm_ctx *gcm_ctx = (const struct aead_aes_gcm_ctx *)&ctx->state; - return aead_aes_gcm_sealv_impl(gcm_ctx, iovecs, out_tag, out_tag_len, - max_out_tag_len, nonce, nonce_len, aadvecs, - ctx->tag_len); + return aead_aes_gcm_seal_scatter_impl( + gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, nonce, nonce_len, in, + in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len); } -static int aead_aes_gcm_openv_detached_impl( - const struct aead_aes_gcm_ctx *gcm_ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, const uint8_t *nonce, - size_t nonce_len, const uint8_t *in_tag, size_t in_tag_len, - bssl::Span<const CRYPTO_IVEC> aadvecs, size_t tag_len) { +static int aead_aes_gcm_open_gather_impl(const struct aead_aes_gcm_ctx *gcm_ctx, + uint8_t *out, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, + size_t in_len, const uint8_t *in_tag, + size_t in_tag_len, const uint8_t *ad, + size_t ad_len, size_t tag_len) { uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN]; if (nonce_len == 0) { @@ -825,16 +831,12 @@ GCM128_CONTEXT gcm; CRYPTO_gcm128_init_ctx(key, &gcm, nonce, nonce_len); - for (const CRYPTO_IVEC &aadvec : aadvecs) { - if (!CRYPTO_gcm128_aad(key, &gcm, aadvec.in, aadvec.len)) { - return 0; - } + if (!CRYPTO_gcm128_aad(key, &gcm, ad, ad_len)) { + return 0; } - for (const CRYPTO_IOVEC &iovec : iovecs) { - if (!CRYPTO_gcm128_decrypt(key, &gcm, iovec.in, iovec.out, iovec.len)) { - return 0; - } + if (!CRYPTO_gcm128_decrypt(key, &gcm, in, out, in_len)) { + return 0; } CRYPTO_gcm128_tag(key, &gcm, tag, tag_len); @@ -846,15 +848,15 @@ return 1; } -static int aead_aes_gcm_openv_detached(const EVP_AEAD_CTX *ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, - const uint8_t *nonce, size_t nonce_len, - const uint8_t *in_tag, size_t in_tag_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, + const uint8_t *nonce, size_t nonce_len, + const uint8_t *in, size_t in_len, + const uint8_t *in_tag, size_t in_tag_len, + const uint8_t *ad, size_t ad_len) { struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state; - if (!aead_aes_gcm_openv_detached_impl(gcm_ctx, iovecs, nonce, nonce_len, - in_tag, in_tag_len, aadvecs, - ctx->tag_len)) { + if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len, + in_tag, in_tag_len, ad, ad_len, + ctx->tag_len)) { return 0; } @@ -873,8 +875,8 @@ out->init = aead_aes_gcm_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_192_gcm) { @@ -888,8 +890,8 @@ out->init = aead_aes_gcm_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) { @@ -903,8 +905,8 @@ out->init = aead_aes_gcm_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } static int aead_aes_gcm_init_randnonce(EVP_AEAD_CTX *ctx, const uint8_t *key, @@ -926,13 +928,12 @@ return 1; } -static int aead_aes_gcm_sealv_randnonce(const EVP_AEAD_CTX *ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, - uint8_t *out_tag, size_t *out_tag_len, - size_t max_out_tag_len, - const uint8_t *external_nonce, - size_t external_nonce_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_gcm_seal_scatter_randnonce( + const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, + size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *external_nonce, + size_t external_nonce_len, const uint8_t *in, size_t in_len, + const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, + size_t ad_len) { if (external_nonce_len != 0) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; @@ -953,10 +954,11 @@ const struct aead_aes_gcm_ctx *gcm_ctx = (const struct aead_aes_gcm_ctx *)&ctx->state; - if (!aead_aes_gcm_sealv_impl(gcm_ctx, iovecs, out_tag, out_tag_len, - max_out_tag_len - AES_GCM_NONCE_LENGTH, nonce, - sizeof(nonce), aadvecs, - ctx->tag_len - AES_GCM_NONCE_LENGTH)) { + if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len, + max_out_tag_len - AES_GCM_NONCE_LENGTH, + nonce, sizeof(nonce), in, in_len, + extra_in, extra_in_len, ad, ad_len, + ctx->tag_len - AES_GCM_NONCE_LENGTH)) { return 0; } @@ -968,11 +970,11 @@ return 1; } -static int aead_aes_gcm_openv_detached_randnonce( - const EVP_AEAD_CTX *ctx, bssl::Span<const CRYPTO_IOVEC> iovecs, - const uint8_t *external_nonce, size_t external_nonce_len, - const uint8_t *in_tag, size_t in_tag_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_gcm_open_gather_randnonce( + const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *external_nonce, + size_t external_nonce_len, const uint8_t *in, size_t in_len, + const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad, + size_t ad_len) { if (external_nonce_len != 0) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE); return 0; @@ -986,9 +988,9 @@ const struct aead_aes_gcm_ctx *gcm_ctx = (const struct aead_aes_gcm_ctx *)&ctx->state; - if (!aead_aes_gcm_openv_detached_impl( - gcm_ctx, iovecs, nonce, AES_GCM_NONCE_LENGTH, in_tag, - in_tag_len - AES_GCM_NONCE_LENGTH, aadvecs, + if (!aead_aes_gcm_open_gather_impl( + gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag, + in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len, ctx->tag_len - AES_GCM_NONCE_LENGTH)) { return 0; } @@ -1008,8 +1010,8 @@ out->init = aead_aes_gcm_init_randnonce; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_sealv_randnonce; - out->openv_detached = aead_aes_gcm_openv_detached_randnonce; + out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; + out->open_gather = aead_aes_gcm_open_gather_randnonce; } DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_randnonce) { @@ -1023,8 +1025,8 @@ out->init = aead_aes_gcm_init_randnonce; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_sealv_randnonce; - out->openv_detached = aead_aes_gcm_openv_detached_randnonce; + out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce; + out->open_gather = aead_aes_gcm_open_gather_randnonce; } namespace { @@ -1058,12 +1060,11 @@ return 1; } -static int aead_aes_gcm_tls12_sealv(const EVP_AEAD_CTX *ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, - uint8_t *out_tag, size_t *out_tag_len, - size_t max_out_tag_len, - const uint8_t *nonce, size_t nonce_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_gcm_tls12_seal_scatter( + const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, + size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, + size_t extra_in_len, const uint8_t *ad, size_t ad_len) { struct aead_aes_gcm_tls12_ctx *gcm_ctx = (struct aead_aes_gcm_tls12_ctx *)&ctx->state; @@ -1082,8 +1083,9 @@ gcm_ctx->min_next_nonce = given_counter + 1; - if (!aead_aes_gcm_sealv(ctx, iovecs, out_tag, out_tag_len, max_out_tag_len, - nonce, nonce_len, aadvecs)) { + if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, + max_out_tag_len, nonce, nonce_len, in, in_len, + extra_in, extra_in_len, ad, ad_len)) { return 0; } @@ -1102,8 +1104,8 @@ out->init = aead_aes_gcm_tls12_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_tls12_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) { @@ -1117,8 +1119,8 @@ out->init = aead_aes_gcm_tls12_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_tls12_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_tls12_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } namespace { @@ -1153,12 +1155,11 @@ return 1; } -static int aead_aes_gcm_tls13_sealv(const EVP_AEAD_CTX *ctx, - bssl::Span<const CRYPTO_IOVEC> iovecs, - uint8_t *out_tag, size_t *out_tag_len, - size_t max_out_tag_len, - const uint8_t *nonce, size_t nonce_len, - bssl::Span<const CRYPTO_IVEC> aadvecs) { +static int aead_aes_gcm_tls13_seal_scatter( + const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, + size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, + size_t extra_in_len, const uint8_t *ad, size_t ad_len) { struct aead_aes_gcm_tls13_ctx *gcm_ctx = (struct aead_aes_gcm_tls13_ctx *)&ctx->state; @@ -1188,8 +1189,9 @@ gcm_ctx->min_next_nonce = given_counter + 1; } - if (!aead_aes_gcm_sealv(ctx, iovecs, out_tag, out_tag_len, max_out_tag_len, - nonce, nonce_len, aadvecs)) { + if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len, + max_out_tag_len, nonce, nonce_len, in, in_len, + extra_in, extra_in_len, ad, ad_len)) { return 0; } @@ -1208,8 +1210,8 @@ out->init = aead_aes_gcm_tls13_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_tls13_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } DEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) { @@ -1223,8 +1225,8 @@ out->init = aead_aes_gcm_tls13_init; out->cleanup = aead_aes_gcm_cleanup; - out->sealv = aead_aes_gcm_tls13_sealv; - out->openv_detached = aead_aes_gcm_openv_detached; + out->seal_scatter = aead_aes_gcm_tls13_seal_scatter; + out->open_gather = aead_aes_gcm_open_gather; } int EVP_has_aes_hardware(void) {