From 73535ab252b514030a935274397dc4bab089efa1 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 22 Sep 2018 20:37:01 -0500 Subject: [PATCH] Fix undefined block128_f, etc., casts. This one is a little thorny. All the various block cipher modes functions and callbacks take a void *key. This allows them to be used with multiple kinds of block ciphers. However, the implementations of those callbacks are the normal typed functions, like AES_encrypt. Those take AES_KEY *key. While, at the ABI level, this is perfectly fine, C considers this undefined behavior. If we wish to preserve this genericness, we could either instantiate multiple versions of these mode functions or create wrappers of AES_encrypt, etc., that take void *key. The former means more code and is tedious without C++ templates (maybe someday...). The latter would not be difficult for a compiler to optimize out. C mistakenly allowed comparing function pointers for equality, which means a compiler cannot replace pointers to wrapper functions with the real thing. (That said, the performance-sensitive bits already act in chunks, e.g. ctr128_f, so the function call overhead shouldn't matter.) But our only 128-bit block cipher is AES anyway, so I just switched things to use AES_KEY throughout. AES is doing fine, and hopefully we would have the sense not to pair a hypothetical future block cipher with so many modes! Change-Id: Ied3e843f0e3042a439f09e655b29847ade9d4c7d Reviewed-on: https://boringssl-review.googlesource.com/32107 Reviewed-by: Adam Langley --- crypto/fipsmodule/aes/mode_wrappers.c | 13 ++--- crypto/fipsmodule/cipher/e_aes.c | 75 +++++++++++++------------- crypto/fipsmodule/modes/cbc.c | 4 +- crypto/fipsmodule/modes/ccm.c | 14 ++--- crypto/fipsmodule/modes/cfb.c | 10 ++-- crypto/fipsmodule/modes/ctr.c | 11 ++-- crypto/fipsmodule/modes/gcm.c | 16 +++--- crypto/fipsmodule/modes/gcm_test.cc | 2 +- crypto/fipsmodule/modes/internal.h | 76 +++++++++++++++------------ crypto/fipsmodule/modes/ofb.c | 2 +- decrepit/xts/xts.c | 20 +++---- 11 files changed, 123 insertions(+), 120 deletions(-) diff --git a/crypto/fipsmodule/aes/mode_wrappers.c b/crypto/fipsmodule/aes/mode_wrappers.c index 5c50c85858..0140c70fab 100644 --- a/crypto/fipsmodule/aes/mode_wrappers.c +++ b/crypto/fipsmodule/aes/mode_wrappers.c @@ -57,8 +57,7 @@ void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[AES_BLOCK_SIZE], uint8_t ecount_buf[AES_BLOCK_SIZE], unsigned int *num) { - CRYPTO_ctr128_encrypt(in, out, len, key, ivec, ecount_buf, num, - (block128_f)AES_encrypt); + CRYPTO_ctr128_encrypt(in, out, len, key, ivec, ecount_buf, num, AES_encrypt); } void AES_ecb_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key, @@ -90,9 +89,9 @@ void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, aes_nohw_cbc_encrypt(in, out, len, key, ivec, enc); #else if (enc) { - CRYPTO_cbc128_encrypt(in, out, len, key, ivec, (block128_f)AES_encrypt); + CRYPTO_cbc128_encrypt(in, out, len, key, ivec, AES_encrypt); } else { - CRYPTO_cbc128_decrypt(in, out, len, key, ivec, (block128_f)AES_decrypt); + CRYPTO_cbc128_decrypt(in, out, len, key, ivec, AES_decrypt); } #endif } @@ -100,8 +99,7 @@ void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length, const AES_KEY *key, uint8_t *ivec, int *num) { unsigned num_u = (unsigned)(*num); - CRYPTO_ofb128_encrypt(in, out, length, key, ivec, &num_u, - (block128_f)AES_encrypt); + CRYPTO_ofb128_encrypt(in, out, length, key, ivec, &num_u, AES_encrypt); *num = (int)num_u; } @@ -109,7 +107,6 @@ void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t length, const AES_KEY *key, uint8_t *ivec, int *num, int enc) { unsigned num_u = (unsigned)(*num); - CRYPTO_cfb128_encrypt(in, out, length, key, ivec, &num_u, enc, - (block128_f)AES_encrypt); + CRYPTO_cfb128_encrypt(in, out, length, key, ivec, &num_u, enc, AES_encrypt); *num = (int)num_u; } diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c index 734a517460..0ced193507 100644 --- a/crypto/fipsmodule/cipher/e_aes.c +++ b/crypto/fipsmodule/cipher/e_aes.c @@ -198,49 +198,45 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { if (hwaes_capable()) { ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)aes_hw_decrypt; + dat->block = aes_hw_decrypt; dat->stream.cbc = NULL; if (mode == EVP_CIPH_CBC_MODE) { - dat->stream.cbc = (cbc128_f)aes_hw_cbc_encrypt; + dat->stream.cbc = aes_hw_cbc_encrypt; } } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) { ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)AES_decrypt; - dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt; + dat->block = AES_decrypt; + dat->stream.cbc = bsaes_cbc_encrypt; } else if (vpaes_capable()) { ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)vpaes_decrypt; - dat->stream.cbc = - mode == EVP_CIPH_CBC_MODE ? (cbc128_f)vpaes_cbc_encrypt : NULL; + dat->block = vpaes_decrypt; + dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? vpaes_cbc_encrypt : NULL; } else { ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)AES_decrypt; - dat->stream.cbc = - mode == EVP_CIPH_CBC_MODE ? (cbc128_f)AES_cbc_encrypt : NULL; + dat->block = AES_decrypt; + dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? AES_cbc_encrypt : NULL; } } else if (hwaes_capable()) { ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)aes_hw_encrypt; + dat->block = aes_hw_encrypt; dat->stream.cbc = NULL; if (mode == EVP_CIPH_CBC_MODE) { - dat->stream.cbc = (cbc128_f)aes_hw_cbc_encrypt; + dat->stream.cbc = aes_hw_cbc_encrypt; } else if (mode == EVP_CIPH_CTR_MODE) { - dat->stream.ctr = (ctr128_f)aes_hw_ctr32_encrypt_blocks; + dat->stream.ctr = aes_hw_ctr32_encrypt_blocks; } } else if (bsaes_capable() && mode == EVP_CIPH_CTR_MODE) { ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)AES_encrypt; - dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks; + dat->block = AES_encrypt; + dat->stream.ctr = bsaes_ctr32_encrypt_blocks; } else if (vpaes_capable()) { ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)vpaes_encrypt; - dat->stream.cbc = - mode == EVP_CIPH_CBC_MODE ? (cbc128_f)vpaes_cbc_encrypt : NULL; + dat->block = vpaes_encrypt; + dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? vpaes_cbc_encrypt : NULL; } else { ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks); - dat->block = (block128_f)AES_encrypt; - dat->stream.cbc = - mode == EVP_CIPH_CBC_MODE ? (cbc128_f)AES_cbc_encrypt : NULL; + dat->block = AES_encrypt; + dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? AES_cbc_encrypt : NULL; } if (ret < 0) { @@ -256,11 +252,11 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; if (dat->stream.cbc) { - (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv, ctx->encrypt); + (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt); } else if (ctx->encrypt) { - CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block); + CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); } else { - CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block); + CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block); } return 1; @@ -277,7 +273,7 @@ static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, len -= bl; for (size_t i = 0; i <= len; i += bl) { - (*dat->block)(in + i, out + i, &dat->ks); + (*dat->block)(in + i, out + i, &dat->ks.ks); } return 1; @@ -288,11 +284,11 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; if (dat->stream.ctr) { - CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, ctx->iv, ctx->buf, + CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, &ctx->num, dat->stream.ctr); } else { - CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv, ctx->buf, &ctx->num, - dat->block); + CRYPTO_ctr128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf, + &ctx->num, dat->block); } return 1; } @@ -301,7 +297,8 @@ static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t len) { EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data; - CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, dat->block); + CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num, + dat->block); return 1; } @@ -311,42 +308,42 @@ ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key, if (hwaes_capable()) { aes_hw_set_encrypt_key(key, key_bytes * 8, aes_key); if (gcm_key != NULL) { - CRYPTO_gcm128_init_key(gcm_key, aes_key, (block128_f)aes_hw_encrypt, 1); + CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_hw_encrypt, 1); } if (out_block) { - *out_block = (block128_f) aes_hw_encrypt; + *out_block = aes_hw_encrypt; } - return (ctr128_f)aes_hw_ctr32_encrypt_blocks; + return aes_hw_ctr32_encrypt_blocks; } if (bsaes_capable()) { AES_set_encrypt_key(key, key_bytes * 8, aes_key); if (gcm_key != NULL) { - CRYPTO_gcm128_init_key(gcm_key, aes_key, (block128_f)AES_encrypt, 0); + CRYPTO_gcm128_init_key(gcm_key, aes_key, AES_encrypt, 0); } if (out_block) { - *out_block = (block128_f) AES_encrypt; + *out_block = AES_encrypt; } - return (ctr128_f)bsaes_ctr32_encrypt_blocks; + return bsaes_ctr32_encrypt_blocks; } if (vpaes_capable()) { vpaes_set_encrypt_key(key, key_bytes * 8, aes_key); if (out_block) { - *out_block = (block128_f) vpaes_encrypt; + *out_block = vpaes_encrypt; } if (gcm_key != NULL) { - CRYPTO_gcm128_init_key(gcm_key, aes_key, (block128_f)vpaes_encrypt, 0); + CRYPTO_gcm128_init_key(gcm_key, aes_key, vpaes_encrypt, 0); } return NULL; } AES_set_encrypt_key(key, key_bytes * 8, aes_key); if (gcm_key != NULL) { - CRYPTO_gcm128_init_key(gcm_key, aes_key, (block128_f)AES_encrypt, 0); + CRYPTO_gcm128_init_key(gcm_key, aes_key, AES_encrypt, 0); } if (out_block) { - *out_block = (block128_f) AES_encrypt; + *out_block = AES_encrypt; } return NULL; } diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c index db9f024196..64ea505635 100644 --- a/crypto/fipsmodule/modes/cbc.c +++ b/crypto/fipsmodule/modes/cbc.c @@ -53,7 +53,7 @@ void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], + const AES_KEY *key, uint8_t ivec[16], block128_f block) { size_t n; const uint8_t *iv = ivec; @@ -108,7 +108,7 @@ void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, } void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], + const AES_KEY *key, uint8_t ivec[16], block128_f block) { size_t n; union { diff --git a/crypto/fipsmodule/modes/ccm.c b/crypto/fipsmodule/modes/ccm.c index 784e4fa2a9..5a153f41e0 100644 --- a/crypto/fipsmodule/modes/ccm.c +++ b/crypto/fipsmodule/modes/ccm.c @@ -64,8 +64,8 @@ struct ccm128_state { } nonce, cmac; }; -int CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, const void *key, block128_f block, - ctr128_f ctr, unsigned M, unsigned L) { +int CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, const AES_KEY *key, + block128_f block, ctr128_f ctr, unsigned M, unsigned L) { if (M < 4 || M > 16 || (M & 1) != 0 || L < 2 || L > 8) { return 0; } @@ -82,7 +82,7 @@ size_t CRYPTO_ccm128_max_input(const CCM128_CONTEXT *ctx) { } static int ccm128_init_state(const CCM128_CONTEXT *ctx, - struct ccm128_state *state, const void *key, + struct ccm128_state *state, const AES_KEY *key, const uint8_t *nonce, size_t nonce_len, const uint8_t *aad, size_t aad_len, size_t plaintext_len) { @@ -170,7 +170,7 @@ static int ccm128_init_state(const CCM128_CONTEXT *ctx, } static int ccm128_encrypt(const CCM128_CONTEXT *ctx, struct ccm128_state *state, - const void *key, uint8_t *out, const uint8_t *in, + const AES_KEY *key, uint8_t *out, const uint8_t *in, size_t len) { // The counter for encryption begins at one. for (unsigned i = 0; i < ctx->L; i++) { @@ -191,7 +191,7 @@ static int ccm128_encrypt(const CCM128_CONTEXT *ctx, struct ccm128_state *state, } static int ccm128_compute_mac(const CCM128_CONTEXT *ctx, - struct ccm128_state *state, const void *key, + struct ccm128_state *state, const AES_KEY *key, uint8_t *out_tag, size_t tag_len, const uint8_t *in, size_t len) { block128_f block = ctx->block; @@ -231,7 +231,7 @@ static int ccm128_compute_mac(const CCM128_CONTEXT *ctx, return 1; } -int CRYPTO_ccm128_encrypt(const CCM128_CONTEXT *ctx, const void *key, +int CRYPTO_ccm128_encrypt(const CCM128_CONTEXT *ctx, const AES_KEY *key, uint8_t *out, uint8_t *out_tag, size_t tag_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t len, const uint8_t *aad, @@ -243,7 +243,7 @@ int CRYPTO_ccm128_encrypt(const CCM128_CONTEXT *ctx, const void *key, ccm128_encrypt(ctx, &state, key, out, in, len); } -int CRYPTO_ccm128_decrypt(const CCM128_CONTEXT *ctx, const void *key, +int CRYPTO_ccm128_decrypt(const CCM128_CONTEXT *ctx, const AES_KEY *key, uint8_t *out, uint8_t *out_tag, size_t tag_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t len, const uint8_t *aad, diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c index e1b0a80e03..d3a38d6ee5 100644 --- a/crypto/fipsmodule/modes/cfb.c +++ b/crypto/fipsmodule/modes/cfb.c @@ -57,7 +57,7 @@ OPENSSL_COMPILE_ASSERT((16 % sizeof(size_t)) == 0, bad_size_t_size_cfb); void CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], unsigned *num, + const AES_KEY *key, uint8_t ivec[16], unsigned *num, int enc, block128_f block) { size_t l = 0; @@ -161,7 +161,7 @@ void CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, /* This expects a single block of size nbits for both in and out. Note that it corrupts any extra bits in the last byte of out */ static void cfbr_encrypt_block(const uint8_t *in, uint8_t *out, unsigned nbits, - const void *key, uint8_t ivec[16], int enc, + const AES_KEY *key, uint8_t ivec[16], int enc, block128_f block) { int n, rem, num; uint8_t ovec[16 * 2 + 1]; /* +1 because we dererefence (but don't use) one @@ -203,8 +203,8 @@ static void cfbr_encrypt_block(const uint8_t *in, uint8_t *out, unsigned nbits, // N.B. This expects the input to be packed, MS bit first void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits, - const void *key, uint8_t ivec[16], unsigned *num, - int enc, block128_f block) { + const AES_KEY *key, uint8_t ivec[16], + unsigned *num, int enc, block128_f block) { size_t n; uint8_t c[1], d[1]; @@ -220,7 +220,7 @@ void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits, } void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const void *key, + size_t length, const AES_KEY *key, unsigned char ivec[16], unsigned *num, int enc, block128_f block) { size_t n; diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c index 63907b43ae..5093408c5f 100644 --- a/crypto/fipsmodule/modes/ctr.c +++ b/crypto/fipsmodule/modes/ctr.c @@ -82,7 +82,7 @@ OPENSSL_COMPILE_ASSERT((16 % sizeof(size_t)) == 0, bad_size_t_size_ctr); // of the IV. This implementation takes NO responsibility for checking that // the counter doesn't overflow into the rest of the IV when incremented. void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], + const AES_KEY *key, uint8_t ivec[16], uint8_t ecount_buf[16], unsigned int *num, block128_f block) { unsigned int n; @@ -153,11 +153,10 @@ static void ctr96_inc(uint8_t *counter) { } while (n); } -void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, - size_t len, const void *key, - uint8_t ivec[16], - uint8_t ecount_buf[16], - unsigned int *num, ctr128_f func) { +void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len, + const AES_KEY *key, uint8_t ivec[16], + uint8_t ecount_buf[16], unsigned int *num, + ctr128_f func) { unsigned int n, ctr32; assert(key && ecount_buf && num); diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c index 6eff479218..5e556df270 100644 --- a/crypto/fipsmodule/modes/gcm.c +++ b/crypto/fipsmodule/modes/gcm.c @@ -271,9 +271,9 @@ void gcm_ghash_avx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in, size_t len); #define AESNI_GCM size_t aesni_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], uint64_t *Xi); + const AES_KEY *key, uint8_t ivec[16], uint64_t *Xi); size_t aesni_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], uint64_t *Xi); + const AES_KEY *key, uint8_t ivec[16], uint64_t *Xi); #endif #if defined(OPENSSL_X86) @@ -419,7 +419,7 @@ void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, #endif } -void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const void *aes_key, +void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const AES_KEY *aes_key, block128_f block, int block_is_hwaes) { OPENSSL_memset(gcm_key, 0, sizeof(*gcm_key)); gcm_key->block = block; @@ -435,7 +435,7 @@ void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const void *aes_key, gcm_key->use_aesni_gcm_crypt = (is_avx && block_is_hwaes) ? 1 : 0; } -void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key, +void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const AES_KEY *key, const uint8_t *iv, size_t len) { unsigned int ctr; #ifdef GCM_FUNCREF_4BIT @@ -553,7 +553,7 @@ int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len) { return 1; } -int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key, +int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const AES_KEY *key, const uint8_t *in, uint8_t *out, size_t len) { unsigned int n, ctr; uint64_t mlen = ctx->len.u[1]; @@ -679,7 +679,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key, return 1; } -int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key, +int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const AES_KEY *key, const unsigned char *in, unsigned char *out, size_t len) { unsigned int n, ctr; @@ -813,7 +813,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key, return 1; } -int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key, +int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key, const uint8_t *in, uint8_t *out, size_t len, ctr128_f stream) { unsigned int n, ctr; @@ -915,7 +915,7 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key, return 1; } -int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const void *key, +int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key, const uint8_t *in, uint8_t *out, size_t len, ctr128_f stream) { unsigned int n, ctr; diff --git a/crypto/fipsmodule/modes/gcm_test.cc b/crypto/fipsmodule/modes/gcm_test.cc index ab8cc34e34..30308f8a5e 100644 --- a/crypto/fipsmodule/modes/gcm_test.cc +++ b/crypto/fipsmodule/modes/gcm_test.cc @@ -88,7 +88,7 @@ TEST(GCMTest, TestVectors) { GCM128_CONTEXT ctx; OPENSSL_memset(&ctx, 0, sizeof(ctx)); - CRYPTO_gcm128_init_key(&ctx.gcm_key, &aes_key, (block128_f)AES_encrypt, 0); + CRYPTO_gcm128_init_key(&ctx.gcm_key, &aes_key, AES_encrypt, 0); CRYPTO_gcm128_setiv(&ctx, &aes_key, nonce.data(), nonce.size()); if (!additional_data.empty()) { CRYPTO_gcm128_aad(&ctx, additional_data.data(), additional_data.size()); diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h index 788960b70b..38cc70e8ed 100644 --- a/crypto/fipsmodule/modes/internal.h +++ b/crypto/fipsmodule/modes/internal.h @@ -87,16 +87,24 @@ static inline void store_word_le(void *out, size_t v) { OPENSSL_memcpy(out, &v, sizeof(v)); } -// block128_f is the type of a 128-bit, block cipher. +// block128_f is the type of an AES block cipher implementation. +// +// Unlike upstream OpenSSL, it and the other functions in this file hard-code +// |AES_KEY|. It is undefined in C to call a function pointer with anything +// other than the original type. Thus we either must match |block128_f| to the +// type signature of |AES_encrypt| and friends or pass in |void*| wrapper +// functions. +// +// These functions are called exclusively with AES, so we use the former. typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16], - const void *key); + const AES_KEY *key); // CTR. // ctr128_f is the type of a function that performs CTR-mode encryption. typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks, - const void *key, const uint8_t ivec[16]); + const AES_KEY *key, const uint8_t ivec[16]); // CRYPTO_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) // |len| bytes from |in| to |out| using |block| in counter mode. There's no @@ -105,7 +113,7 @@ typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks, // call. The counter is a 128-bit, big-endian value in |ivec| and is // incremented by this function. void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], + const AES_KEY *key, uint8_t ivec[16], uint8_t ecount_buf[16], unsigned *num, block128_f block); @@ -114,14 +122,14 @@ void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, // bits of the counter. This is useful when |ctr| can be an optimised // function. void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], + const AES_KEY *key, uint8_t ivec[16], uint8_t ecount_buf[16], unsigned *num, ctr128_f ctr); #if !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_X86) || defined(OPENSSL_X86_64)) void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks, - const void *key, const uint8_t *ivec); + const AES_KEY *key, const uint8_t *ivec); #endif @@ -194,13 +202,13 @@ void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, // CRYPTO_gcm128_init_key initialises |gcm_key| to use |block| (typically AES) // with the given key. |block_is_hwaes| is one if |block| is |aes_hw_encrypt|. -OPENSSL_EXPORT void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const void *key, - block128_f block, +OPENSSL_EXPORT void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, + const AES_KEY *key, block128_f block, int block_is_hwaes); // CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the // same key that was passed to |CRYPTO_gcm128_init|. -OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key, +OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const AES_KEY *key, const uint8_t *iv, size_t iv_len); // CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM. @@ -212,16 +220,16 @@ OPENSSL_EXPORT int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, // CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key| // must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one // on success and zero otherwise. -OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key, - const uint8_t *in, uint8_t *out, - size_t len); +OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, + const AES_KEY *key, const uint8_t *in, + uint8_t *out, size_t len); // CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key| // must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one // on success and zero otherwise. -OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key, - const uint8_t *in, uint8_t *out, - size_t len); +OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, + const AES_KEY *key, const uint8_t *in, + uint8_t *out, size_t len); // CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using // a CTR function that only handles the bottom 32 bits of the nonce, like @@ -229,7 +237,7 @@ OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key, // passed to |CRYPTO_gcm128_init|. It returns one on success and zero // otherwise. OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, - const void *key, + const AES_KEY *key, const uint8_t *in, uint8_t *out, size_t len, ctr128_f stream); @@ -239,7 +247,7 @@ OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, // passed to |CRYPTO_gcm128_init|. It returns one on success and zero // otherwise. OPENSSL_EXPORT int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, - const void *key, + const AES_KEY *key, const uint8_t *in, uint8_t *out, size_t len, ctr128_f stream); @@ -265,8 +273,8 @@ typedef struct ccm128_context { // CRYPTO_ccm128_init initialises |ctx| to use |block| (typically AES) with the // specified |M| and |L| parameters. It returns one on success and zero if |M| // or |L| is invalid. -int CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, const void *key, block128_f block, - ctr128_f ctr, unsigned M, unsigned L); +int CRYPTO_ccm128_init(CCM128_CONTEXT *ctx, const AES_KEY *key, + block128_f block, ctr128_f ctr, unsigned M, unsigned L); // CRYPTO_ccm128_max_input returns the maximum input length accepted by |ctx|. size_t CRYPTO_ccm128_max_input(const CCM128_CONTEXT *ctx); @@ -274,7 +282,7 @@ size_t CRYPTO_ccm128_max_input(const CCM128_CONTEXT *ctx); // CRYPTO_ccm128_encrypt encrypts |len| bytes from |in| to |out| writing the tag // to |out_tag|. |key| must be the same key that was passed to // |CRYPTO_ccm128_init|. It returns one on success and zero otherwise. -int CRYPTO_ccm128_encrypt(const CCM128_CONTEXT *ctx, const void *key, +int CRYPTO_ccm128_encrypt(const CCM128_CONTEXT *ctx, const AES_KEY *key, uint8_t *out, uint8_t *out_tag, size_t tag_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t len, const uint8_t *aad, @@ -283,7 +291,7 @@ int CRYPTO_ccm128_encrypt(const CCM128_CONTEXT *ctx, const void *key, // CRYPTO_ccm128_decrypt decrypts |len| bytes from |in| to |out|, writing the // expected tag to |out_tag|. |key| must be the same key that was passed to // |CRYPTO_ccm128_init|. It returns one on success and zero otherwise. -int CRYPTO_ccm128_decrypt(const CCM128_CONTEXT *ctx, const void *key, +int CRYPTO_ccm128_decrypt(const CCM128_CONTEXT *ctx, const AES_KEY *key, uint8_t *out, uint8_t *out_tag, size_t tag_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t len, const uint8_t *aad, @@ -294,21 +302,23 @@ int CRYPTO_ccm128_decrypt(const CCM128_CONTEXT *ctx, const void *key, // cbc128_f is the type of a function that performs CBC-mode encryption. typedef void (*cbc128_f)(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], int enc); + const AES_KEY *key, uint8_t ivec[16], int enc); // CRYPTO_cbc128_encrypt encrypts |len| bytes from |in| to |out| using the // given IV and block cipher in CBC mode. The input need not be a multiple of // 128 bits long, but the output will round up to the nearest 128 bit multiple, // zero padding the input if needed. The IV will be updated on return. void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], block128_f block); + const AES_KEY *key, uint8_t ivec[16], + block128_f block); // CRYPTO_cbc128_decrypt decrypts |len| bytes from |in| to |out| using the // given IV and block cipher in CBC mode. If |len| is not a multiple of 128 // bits then only that many bytes will be written, but a multiple of 128 bits // is always read from |in|. The IV will be updated on return. void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], block128_f block); + const AES_KEY *key, uint8_t ivec[16], + block128_f block); // OFB. @@ -318,9 +328,9 @@ void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, // requirement that |len| be a multiple of any value and any partial blocks are // stored in |ivec| and |*num|, the latter must be zero before the initial // call. -void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, - size_t len, const void *key, uint8_t ivec[16], - unsigned *num, block128_f block); +void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, + const AES_KEY *key, uint8_t ivec[16], unsigned *num, + block128_f block); // CFB. @@ -330,25 +340,25 @@ void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, // |len| be a multiple of any value and any partial blocks are stored in |ivec| // and |*num|, the latter must be zero before the initial call. void CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], unsigned *num, + const AES_KEY *key, uint8_t ivec[16], unsigned *num, int enc, block128_f block); // CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes // from |in| to |out| using |block| in CFB-8 mode. Prior to the first call // |num| should be set to zero. void CRYPTO_cfb128_8_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], unsigned *num, - int enc, block128_f block); + const AES_KEY *key, uint8_t ivec[16], + unsigned *num, int enc, block128_f block); // CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes // from |in| to |out| using |block| in CFB-1 mode. Prior to the first call // |num| should be set to zero. void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits, - const void *key, uint8_t ivec[16], unsigned *num, - int enc, block128_f block); + const AES_KEY *key, uint8_t ivec[16], + unsigned *num, int enc, block128_f block); size_t CRYPTO_cts128_encrypt_block(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], + const AES_KEY *key, uint8_t ivec[16], block128_f block); diff --git a/crypto/fipsmodule/modes/ofb.c b/crypto/fipsmodule/modes/ofb.c index 63bba68b00..b1b4d875b2 100644 --- a/crypto/fipsmodule/modes/ofb.c +++ b/crypto/fipsmodule/modes/ofb.c @@ -57,7 +57,7 @@ OPENSSL_COMPILE_ASSERT((16 % sizeof(size_t)) == 0, bad_size_t_size_ofb); void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const void *key, uint8_t ivec[16], unsigned *num, + const AES_KEY *key, uint8_t ivec[16], unsigned *num, block128_f block) { assert(in && out && key && ivec && num); diff --git a/decrepit/xts/xts.c b/decrepit/xts/xts.c index e3189e592e..bc2a1b23b8 100644 --- a/decrepit/xts/xts.c +++ b/decrepit/xts/xts.c @@ -57,7 +57,7 @@ typedef struct xts128_context { - void *key1, *key2; + AES_KEY *key1, *key2; block128_f block1, block2; } XTS128_CONTEXT; @@ -186,20 +186,20 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, // key_len is two AES keys if (enc) { AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) AES_encrypt; + xctx->xts.block1 = AES_encrypt; } else { AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) AES_decrypt; + xctx->xts.block1 = AES_decrypt; } AES_set_encrypt_key(key + ctx->key_len / 2, ctx->key_len * 4, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) AES_encrypt; - xctx->xts.key1 = &xctx->ks1; + xctx->xts.block2 = AES_encrypt; + xctx->xts.key1 = &xctx->ks1.ks; } if (iv) { - xctx->xts.key2 = &xctx->ks2; + xctx->xts.key2 = &xctx->ks2.ks; OPENSSL_memcpy(ctx->iv, iv, 16); } @@ -226,16 +226,16 @@ static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { EVP_CIPHER_CTX *out = ptr; EVP_AES_XTS_CTX *xctx_out = out->cipher_data; if (xctx->xts.key1) { - if (xctx->xts.key1 != &xctx->ks1) { + if (xctx->xts.key1 != &xctx->ks1.ks) { return 0; } - xctx_out->xts.key1 = &xctx_out->ks1; + xctx_out->xts.key1 = &xctx_out->ks1.ks; } if (xctx->xts.key2) { - if (xctx->xts.key2 != &xctx->ks2) { + if (xctx->xts.key2 != &xctx->ks2.ks) { return 0; } - xctx_out->xts.key2 = &xctx_out->ks2; + xctx_out->xts.key2 = &xctx_out->ks2.ks; } return 1; } else if (type != EVP_CTRL_INIT) {