libs/bssl/src/aead.rs - platform/packages/modules/Virtualization - Git at Google

 // Copyright 2023, The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 //! Wrappers of the AEAD functions in BoringSSL aead.h.

 use crate::util::{check_int_result, to_call_failed_error};
 use bssl_avf_error::{ApiName, Result};
 use bssl_ffi::{
     EVP_AEAD_CTX_free, EVP_AEAD_CTX_new, EVP_AEAD_CTX_open, EVP_AEAD_CTX_seal,
     EVP_AEAD_max_overhead, EVP_AEAD_nonce_length, EVP_aead_aes_256_gcm, EVP_AEAD, EVP_AEAD_CTX,
     EVP_AEAD_DEFAULT_TAG_LENGTH,
 };
 use core::ptr::NonNull;

 /// BoringSSL spec recommends to use 12-byte nonces.
 ///
 /// https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html#EVP_aead_aes_256_gcm
 pub const AES_GCM_NONCE_LENGTH: usize = 12;

 /// Magic value indicating that the default tag length for an AEAD should be used to
 /// initialize `AeadCtx`.
 const AEAD_DEFAULT_TAG_LENGTH: usize = EVP_AEAD_DEFAULT_TAG_LENGTH as usize;

 /// Represents an AEAD algorithm.
 #[derive(Clone, Copy, Debug)]
 pub struct Aead(&'static EVP_AEAD);

 impl Aead {
     /// This is AES-256 in Galois Counter Mode.
     /// AES-GCM should only be used with 12-byte (96-bit) nonces as suggested in the
     /// BoringSSL spec:
     ///
     /// https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html
     pub fn aes_256_gcm() -> Self {
         // SAFETY: This function does not access any Rust variables and simply returns
         // a pointer to the static variable in BoringSSL.
         let p = unsafe { EVP_aead_aes_256_gcm() };
         // SAFETY: The returned pointer should always be valid and points to a static
         // `EVP_AEAD`.
         Self(unsafe { &*p })
     }

     /// Returns the maximum number of additional bytes added by the act of sealing data.
     pub fn max_overhead(&self) -> usize {
         // SAFETY: This function only reads from self.
         unsafe { EVP_AEAD_max_overhead(self.0) }
     }

     /// Returns the length, in bytes, of the per-message nonce.
     pub fn nonce_length(&self) -> usize {
         // SAFETY: This function only reads from self.
         unsafe { EVP_AEAD_nonce_length(self.0) }
     }
 }

 /// Represents an AEAD algorithm configuration.
 pub struct AeadCtx {
     ctx: NonNull<EVP_AEAD_CTX>,
     aead: Aead,
 }

 impl Drop for AeadCtx {
     fn drop(&mut self) {
         // SAFETY: It is safe because the pointer has been created with `EVP_AEAD_CTX_new`
         // and isn't used after this.
         unsafe { EVP_AEAD_CTX_free(self.ctx.as_ptr()) }
     }
 }

 impl AeadCtx {
     /// Creates a new `AeadCtx` with the given `Aead` algorithm, `key` and `tag_len`.
     ///
     /// The default tag length will be used if `tag_len` is None.
     pub fn new(aead: Aead, key: &[u8], tag_len: Option<usize>) -> Result<Self> {
         let tag_len = tag_len.unwrap_or(AEAD_DEFAULT_TAG_LENGTH);
         // SAFETY: This function only reads the given data and the returned pointer is
         // checked below.
         let ctx = unsafe { EVP_AEAD_CTX_new(aead.0, key.as_ptr(), key.len(), tag_len) };
         let ctx = NonNull::new(ctx).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_new))?;
         Ok(Self { ctx, aead })
     }

     /// Encrypts and authenticates `data` and writes the result to `out`.
     /// The `out` length should be at least the `data` length plus the `max_overhead` of the
     /// `aead` and the length of `nonce` should match the `nonce_length` of the `aead`.
     ///  Otherwise, an error will be returned.
     ///
     /// The output is returned as a subslice of `out`.
     pub fn seal<'b>(
         &self,
         data: &[u8],
         nonce: &[u8],
         ad: &[u8],
         out: &'b mut [u8],
     ) -> Result<&'b [u8]> {
         let mut out_len = 0;
         // SAFETY: Only reads from/writes to the provided slices.
         let ret = unsafe {
             EVP_AEAD_CTX_seal(
                 self.ctx.as_ptr(),
                 out.as_mut_ptr(),
                 &mut out_len,
                 out.len(),
                 nonce.as_ptr(),
                 nonce.len(),
                 data.as_ptr(),
                 data.len(),
                 ad.as_ptr(),
                 ad.len(),
             )
         };
         check_int_result(ret, ApiName::EVP_AEAD_CTX_seal)?;
         out.get(0..out_len).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_seal))
     }

     /// Authenticates `data` and decrypts it to `out`.
     /// The `out` length should be at least the `data` length, and the length of `nonce` should
     /// match the `nonce_length` of the `aead`.
     /// Otherwise, an error will be returned.
     ///
     /// The output is returned as a subslice of `out`.
     pub fn open<'b>(
         &self,
         data: &[u8],
         nonce: &[u8],
         ad: &[u8],
         out: &'b mut [u8],
     ) -> Result<&'b [u8]> {
         let mut out_len = 0;
         // SAFETY: Only reads from/writes to the provided slices.
         // `data` and `out` are checked to be non-alias internally.
         let ret = unsafe {
             EVP_AEAD_CTX_open(
                 self.ctx.as_ptr(),
                 out.as_mut_ptr(),
                 &mut out_len,
                 out.len(),
                 nonce.as_ptr(),
                 nonce.len(),
                 data.as_ptr(),
                 data.len(),
                 ad.as_ptr(),
                 ad.len(),
             )
         };
         check_int_result(ret, ApiName::EVP_AEAD_CTX_open)?;
         out.get(0..out_len).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_open))
     }

     /// Returns the `Aead` represented by this `AeadCtx`.
     pub fn aead(&self) -> Aead {
         self.aead
     }
 }
	// Copyright 2023, The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	//! Wrappers of the AEAD functions in BoringSSL aead.h.

	use crate::util::{check_int_result, to_call_failed_error};
	use bssl_avf_error::{ApiName, Result};
	use bssl_ffi::{
	EVP_AEAD_CTX_free, EVP_AEAD_CTX_new, EVP_AEAD_CTX_open, EVP_AEAD_CTX_seal,
	EVP_AEAD_max_overhead, EVP_AEAD_nonce_length, EVP_aead_aes_256_gcm, EVP_AEAD, EVP_AEAD_CTX,
	EVP_AEAD_DEFAULT_TAG_LENGTH,
	};
	use core::ptr::NonNull;

	/// BoringSSL spec recommends to use 12-byte nonces.
	///
	/// https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html#EVP_aead_aes_256_gcm
	pub const AES_GCM_NONCE_LENGTH: usize = 12;

	/// Magic value indicating that the default tag length for an AEAD should be used to
	/// initialize `AeadCtx`.
	const AEAD_DEFAULT_TAG_LENGTH: usize = EVP_AEAD_DEFAULT_TAG_LENGTH as usize;

	/// Represents an AEAD algorithm.
	#[derive(Clone, Copy, Debug)]
	pub struct Aead(&'static EVP_AEAD);

	impl Aead {
	/// This is AES-256 in Galois Counter Mode.
	/// AES-GCM should only be used with 12-byte (96-bit) nonces as suggested in the
	/// BoringSSL spec:
	///
	/// https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html
	pub fn aes_256_gcm() -> Self {
	// SAFETY: This function does not access any Rust variables and simply returns
	// a pointer to the static variable in BoringSSL.
	let p = unsafe { EVP_aead_aes_256_gcm() };
	// SAFETY: The returned pointer should always be valid and points to a static
	// `EVP_AEAD`.
	Self(unsafe { &*p })
	}

	/// Returns the maximum number of additional bytes added by the act of sealing data.
	pub fn max_overhead(&self) -> usize {
	// SAFETY: This function only reads from self.
	unsafe { EVP_AEAD_max_overhead(self.0) }
	}

	/// Returns the length, in bytes, of the per-message nonce.
	pub fn nonce_length(&self) -> usize {
	// SAFETY: This function only reads from self.
	unsafe { EVP_AEAD_nonce_length(self.0) }
	}
	}

	/// Represents an AEAD algorithm configuration.
	pub struct AeadCtx {
	ctx: NonNull<EVP_AEAD_CTX>,
	aead: Aead,
	}

	impl Drop for AeadCtx {
	fn drop(&mut self) {
	// SAFETY: It is safe because the pointer has been created with `EVP_AEAD_CTX_new`
	// and isn't used after this.
	unsafe { EVP_AEAD_CTX_free(self.ctx.as_ptr()) }
	}
	}

	impl AeadCtx {
	/// Creates a new `AeadCtx` with the given `Aead` algorithm, `key` and `tag_len`.
	///
	/// The default tag length will be used if `tag_len` is None.
	pub fn new(aead: Aead, key: &[u8], tag_len: Option<usize>) -> Result<Self> {
	let tag_len = tag_len.unwrap_or(AEAD_DEFAULT_TAG_LENGTH);
	// SAFETY: This function only reads the given data and the returned pointer is
	// checked below.
	let ctx = unsafe { EVP_AEAD_CTX_new(aead.0, key.as_ptr(), key.len(), tag_len) };
	let ctx = NonNull::new(ctx).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_new))?;
	Ok(Self { ctx, aead })
	}

	/// Encrypts and authenticates `data` and writes the result to `out`.
	/// The `out` length should be at least the `data` length plus the `max_overhead` of the
	/// `aead` and the length of `nonce` should match the `nonce_length` of the `aead`.
	/// Otherwise, an error will be returned.
	///
	/// The output is returned as a subslice of `out`.
	pub fn seal<'b>(
	&self,
	data: &[u8],
	nonce: &[u8],
	ad: &[u8],
	out: &'b mut [u8],
	) -> Result<&'b [u8]> {
	let mut out_len = 0;
	// SAFETY: Only reads from/writes to the provided slices.
	let ret = unsafe {
	EVP_AEAD_CTX_seal(
	self.ctx.as_ptr(),
	out.as_mut_ptr(),
	&mut out_len,
	out.len(),
	nonce.as_ptr(),
	nonce.len(),
	data.as_ptr(),
	data.len(),
	ad.as_ptr(),
	ad.len(),
	)
	};
	check_int_result(ret, ApiName::EVP_AEAD_CTX_seal)?;
	out.get(0..out_len).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_seal))
	}

	/// Authenticates `data` and decrypts it to `out`.
	/// The `out` length should be at least the `data` length, and the length of `nonce` should
	/// match the `nonce_length` of the `aead`.
	/// Otherwise, an error will be returned.
	///
	/// The output is returned as a subslice of `out`.
	pub fn open<'b>(
	&self,
	data: &[u8],
	nonce: &[u8],
	ad: &[u8],
	out: &'b mut [u8],
	) -> Result<&'b [u8]> {
	let mut out_len = 0;
	// SAFETY: Only reads from/writes to the provided slices.
	// `data` and `out` are checked to be non-alias internally.
	let ret = unsafe {
	EVP_AEAD_CTX_open(
	self.ctx.as_ptr(),
	out.as_mut_ptr(),
	&mut out_len,
	out.len(),
	nonce.as_ptr(),
	nonce.len(),
	data.as_ptr(),
	data.len(),
	ad.as_ptr(),
	ad.len(),
	)
	};
	check_int_result(ret, ApiName::EVP_AEAD_CTX_open)?;
	out.get(0..out_len).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_open))
	}

	/// Returns the `Aead` represented by this `AeadCtx`.
	pub fn aead(&self) -> Aead {
	self.aead
	}
	}