1*90e502c7SAndroid Build Coastguard Worker /*
2*90e502c7SAndroid Build Coastguard Worker * aes_gcm_nss.c
3*90e502c7SAndroid Build Coastguard Worker *
4*90e502c7SAndroid Build Coastguard Worker * AES Galois Counter Mode
5*90e502c7SAndroid Build Coastguard Worker *
6*90e502c7SAndroid Build Coastguard Worker * Richard L. Barnes
7*90e502c7SAndroid Build Coastguard Worker * Cisco Systems, Inc.
8*90e502c7SAndroid Build Coastguard Worker *
9*90e502c7SAndroid Build Coastguard Worker */
10*90e502c7SAndroid Build Coastguard Worker
11*90e502c7SAndroid Build Coastguard Worker /*
12*90e502c7SAndroid Build Coastguard Worker *
13*90e502c7SAndroid Build Coastguard Worker * Copyright (c) 2013-2017, Cisco Systems, Inc.
14*90e502c7SAndroid Build Coastguard Worker * All rights reserved.
15*90e502c7SAndroid Build Coastguard Worker *
16*90e502c7SAndroid Build Coastguard Worker * Redistribution and use in source and binary forms, with or without
17*90e502c7SAndroid Build Coastguard Worker * modification, are permitted provided that the following conditions
18*90e502c7SAndroid Build Coastguard Worker * are met:
19*90e502c7SAndroid Build Coastguard Worker *
20*90e502c7SAndroid Build Coastguard Worker * Redistributions of source code must retain the above copyright
21*90e502c7SAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer.
22*90e502c7SAndroid Build Coastguard Worker *
23*90e502c7SAndroid Build Coastguard Worker * Redistributions in binary form must reproduce the above
24*90e502c7SAndroid Build Coastguard Worker * copyright notice, this list of conditions and the following
25*90e502c7SAndroid Build Coastguard Worker * disclaimer in the documentation and/or other materials provided
26*90e502c7SAndroid Build Coastguard Worker * with the distribution.
27*90e502c7SAndroid Build Coastguard Worker *
28*90e502c7SAndroid Build Coastguard Worker * Neither the name of the Cisco Systems, Inc. nor the names of its
29*90e502c7SAndroid Build Coastguard Worker * contributors may be used to endorse or promote products derived
30*90e502c7SAndroid Build Coastguard Worker * from this software without specific prior written permission.
31*90e502c7SAndroid Build Coastguard Worker *
32*90e502c7SAndroid Build Coastguard Worker * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
33*90e502c7SAndroid Build Coastguard Worker * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
34*90e502c7SAndroid Build Coastguard Worker * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
35*90e502c7SAndroid Build Coastguard Worker * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
36*90e502c7SAndroid Build Coastguard Worker * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
37*90e502c7SAndroid Build Coastguard Worker * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
38*90e502c7SAndroid Build Coastguard Worker * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
39*90e502c7SAndroid Build Coastguard Worker * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
40*90e502c7SAndroid Build Coastguard Worker * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
41*90e502c7SAndroid Build Coastguard Worker * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
42*90e502c7SAndroid Build Coastguard Worker * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
43*90e502c7SAndroid Build Coastguard Worker * OF THE POSSIBILITY OF SUCH DAMAGE.
44*90e502c7SAndroid Build Coastguard Worker *
45*90e502c7SAndroid Build Coastguard Worker */
46*90e502c7SAndroid Build Coastguard Worker
47*90e502c7SAndroid Build Coastguard Worker #ifdef HAVE_CONFIG_H
48*90e502c7SAndroid Build Coastguard Worker #include <config.h>
49*90e502c7SAndroid Build Coastguard Worker #endif
50*90e502c7SAndroid Build Coastguard Worker
51*90e502c7SAndroid Build Coastguard Worker #include "aes_gcm.h"
52*90e502c7SAndroid Build Coastguard Worker #include "alloc.h"
53*90e502c7SAndroid Build Coastguard Worker #include "err.h" /* for srtp_debug */
54*90e502c7SAndroid Build Coastguard Worker #include "crypto_types.h"
55*90e502c7SAndroid Build Coastguard Worker #include "cipher_types.h"
56*90e502c7SAndroid Build Coastguard Worker #include <secerr.h>
57*90e502c7SAndroid Build Coastguard Worker #include <nspr.h>
58*90e502c7SAndroid Build Coastguard Worker
59*90e502c7SAndroid Build Coastguard Worker srtp_debug_module_t srtp_mod_aes_gcm = {
60*90e502c7SAndroid Build Coastguard Worker 0, /* debugging is off by default */
61*90e502c7SAndroid Build Coastguard Worker "aes gcm nss" /* printable module name */
62*90e502c7SAndroid Build Coastguard Worker };
63*90e502c7SAndroid Build Coastguard Worker
64*90e502c7SAndroid Build Coastguard Worker /*
65*90e502c7SAndroid Build Coastguard Worker * For now we only support 8 and 16 octet tags. The spec allows for
66*90e502c7SAndroid Build Coastguard Worker * optional 12 byte tag, which may be supported in the future.
67*90e502c7SAndroid Build Coastguard Worker */
68*90e502c7SAndroid Build Coastguard Worker #define GCM_IV_LEN 12
69*90e502c7SAndroid Build Coastguard Worker #define GCM_AUTH_TAG_LEN 16
70*90e502c7SAndroid Build Coastguard Worker #define GCM_AUTH_TAG_LEN_8 8
71*90e502c7SAndroid Build Coastguard Worker
72*90e502c7SAndroid Build Coastguard Worker /*
73*90e502c7SAndroid Build Coastguard Worker * This function allocates a new instance of this crypto engine.
74*90e502c7SAndroid Build Coastguard Worker * The key_len parameter should be one of 28 or 44 for
75*90e502c7SAndroid Build Coastguard Worker * AES-128-GCM or AES-256-GCM respectively. Note that the
76*90e502c7SAndroid Build Coastguard Worker * key length includes the 14 byte salt value that is used when
77*90e502c7SAndroid Build Coastguard Worker * initializing the KDF.
78*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_alloc(srtp_cipher_t ** c,int key_len,int tlen)79*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_alloc(srtp_cipher_t **c,
80*90e502c7SAndroid Build Coastguard Worker int key_len,
81*90e502c7SAndroid Build Coastguard Worker int tlen)
82*90e502c7SAndroid Build Coastguard Worker {
83*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *gcm;
84*90e502c7SAndroid Build Coastguard Worker NSSInitContext *nss;
85*90e502c7SAndroid Build Coastguard Worker
86*90e502c7SAndroid Build Coastguard Worker debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d",
87*90e502c7SAndroid Build Coastguard Worker key_len);
88*90e502c7SAndroid Build Coastguard Worker debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen);
89*90e502c7SAndroid Build Coastguard Worker
90*90e502c7SAndroid Build Coastguard Worker /*
91*90e502c7SAndroid Build Coastguard Worker * Verify the key_len is valid for one of: AES-128/256
92*90e502c7SAndroid Build Coastguard Worker */
93*90e502c7SAndroid Build Coastguard Worker if (key_len != SRTP_AES_GCM_128_KEY_LEN_WSALT &&
94*90e502c7SAndroid Build Coastguard Worker key_len != SRTP_AES_GCM_256_KEY_LEN_WSALT) {
95*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_bad_param);
96*90e502c7SAndroid Build Coastguard Worker }
97*90e502c7SAndroid Build Coastguard Worker
98*90e502c7SAndroid Build Coastguard Worker if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) {
99*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_bad_param);
100*90e502c7SAndroid Build Coastguard Worker }
101*90e502c7SAndroid Build Coastguard Worker
102*90e502c7SAndroid Build Coastguard Worker /* Initialize NSS equiv of NSS_NoDB_Init(NULL) */
103*90e502c7SAndroid Build Coastguard Worker nss = NSS_InitContext("", "", "", "", NULL,
104*90e502c7SAndroid Build Coastguard Worker NSS_INIT_READONLY | NSS_INIT_NOCERTDB |
105*90e502c7SAndroid Build Coastguard Worker NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN |
106*90e502c7SAndroid Build Coastguard Worker NSS_INIT_OPTIMIZESPACE);
107*90e502c7SAndroid Build Coastguard Worker if (!nss) {
108*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_cipher_fail);
109*90e502c7SAndroid Build Coastguard Worker }
110*90e502c7SAndroid Build Coastguard Worker
111*90e502c7SAndroid Build Coastguard Worker /* allocate memory a cipher of type aes_gcm */
112*90e502c7SAndroid Build Coastguard Worker *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
113*90e502c7SAndroid Build Coastguard Worker if (*c == NULL) {
114*90e502c7SAndroid Build Coastguard Worker NSS_ShutdownContext(nss);
115*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_alloc_fail);
116*90e502c7SAndroid Build Coastguard Worker }
117*90e502c7SAndroid Build Coastguard Worker
118*90e502c7SAndroid Build Coastguard Worker gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t));
119*90e502c7SAndroid Build Coastguard Worker if (gcm == NULL) {
120*90e502c7SAndroid Build Coastguard Worker NSS_ShutdownContext(nss);
121*90e502c7SAndroid Build Coastguard Worker srtp_crypto_free(*c);
122*90e502c7SAndroid Build Coastguard Worker *c = NULL;
123*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_alloc_fail);
124*90e502c7SAndroid Build Coastguard Worker }
125*90e502c7SAndroid Build Coastguard Worker
126*90e502c7SAndroid Build Coastguard Worker gcm->nss = nss;
127*90e502c7SAndroid Build Coastguard Worker
128*90e502c7SAndroid Build Coastguard Worker /* set pointers */
129*90e502c7SAndroid Build Coastguard Worker (*c)->state = gcm;
130*90e502c7SAndroid Build Coastguard Worker
131*90e502c7SAndroid Build Coastguard Worker /* setup cipher attributes */
132*90e502c7SAndroid Build Coastguard Worker switch (key_len) {
133*90e502c7SAndroid Build Coastguard Worker case SRTP_AES_GCM_128_KEY_LEN_WSALT:
134*90e502c7SAndroid Build Coastguard Worker (*c)->type = &srtp_aes_gcm_128;
135*90e502c7SAndroid Build Coastguard Worker (*c)->algorithm = SRTP_AES_GCM_128;
136*90e502c7SAndroid Build Coastguard Worker gcm->key_size = SRTP_AES_128_KEY_LEN;
137*90e502c7SAndroid Build Coastguard Worker gcm->tag_size = tlen;
138*90e502c7SAndroid Build Coastguard Worker gcm->params.ulTagBits = 8 * tlen;
139*90e502c7SAndroid Build Coastguard Worker break;
140*90e502c7SAndroid Build Coastguard Worker case SRTP_AES_GCM_256_KEY_LEN_WSALT:
141*90e502c7SAndroid Build Coastguard Worker (*c)->type = &srtp_aes_gcm_256;
142*90e502c7SAndroid Build Coastguard Worker (*c)->algorithm = SRTP_AES_GCM_256;
143*90e502c7SAndroid Build Coastguard Worker gcm->key_size = SRTP_AES_256_KEY_LEN;
144*90e502c7SAndroid Build Coastguard Worker gcm->tag_size = tlen;
145*90e502c7SAndroid Build Coastguard Worker gcm->params.ulTagBits = 8 * tlen;
146*90e502c7SAndroid Build Coastguard Worker break;
147*90e502c7SAndroid Build Coastguard Worker default:
148*90e502c7SAndroid Build Coastguard Worker /* this should never hit, but to be sure... */
149*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_bad_param);
150*90e502c7SAndroid Build Coastguard Worker }
151*90e502c7SAndroid Build Coastguard Worker
152*90e502c7SAndroid Build Coastguard Worker /* set key size and tag size*/
153*90e502c7SAndroid Build Coastguard Worker (*c)->key_len = key_len;
154*90e502c7SAndroid Build Coastguard Worker
155*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_ok);
156*90e502c7SAndroid Build Coastguard Worker }
157*90e502c7SAndroid Build Coastguard Worker
158*90e502c7SAndroid Build Coastguard Worker /*
159*90e502c7SAndroid Build Coastguard Worker * This function deallocates a GCM session
160*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_dealloc(srtp_cipher_t * c)161*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_dealloc(srtp_cipher_t *c)
162*90e502c7SAndroid Build Coastguard Worker {
163*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *ctx;
164*90e502c7SAndroid Build Coastguard Worker
165*90e502c7SAndroid Build Coastguard Worker ctx = (srtp_aes_gcm_ctx_t *)c->state;
166*90e502c7SAndroid Build Coastguard Worker if (ctx) {
167*90e502c7SAndroid Build Coastguard Worker /* release NSS resources */
168*90e502c7SAndroid Build Coastguard Worker if (ctx->key) {
169*90e502c7SAndroid Build Coastguard Worker PK11_FreeSymKey(ctx->key);
170*90e502c7SAndroid Build Coastguard Worker }
171*90e502c7SAndroid Build Coastguard Worker
172*90e502c7SAndroid Build Coastguard Worker if (ctx->nss) {
173*90e502c7SAndroid Build Coastguard Worker NSS_ShutdownContext(ctx->nss);
174*90e502c7SAndroid Build Coastguard Worker ctx->nss = NULL;
175*90e502c7SAndroid Build Coastguard Worker }
176*90e502c7SAndroid Build Coastguard Worker
177*90e502c7SAndroid Build Coastguard Worker /* zeroize the key material */
178*90e502c7SAndroid Build Coastguard Worker octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t));
179*90e502c7SAndroid Build Coastguard Worker srtp_crypto_free(ctx);
180*90e502c7SAndroid Build Coastguard Worker }
181*90e502c7SAndroid Build Coastguard Worker
182*90e502c7SAndroid Build Coastguard Worker /* free memory */
183*90e502c7SAndroid Build Coastguard Worker srtp_crypto_free(c);
184*90e502c7SAndroid Build Coastguard Worker
185*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_ok);
186*90e502c7SAndroid Build Coastguard Worker }
187*90e502c7SAndroid Build Coastguard Worker
188*90e502c7SAndroid Build Coastguard Worker /*
189*90e502c7SAndroid Build Coastguard Worker * aes_gcm_nss_context_init(...) initializes the aes_gcm_context
190*90e502c7SAndroid Build Coastguard Worker * using the value in key[].
191*90e502c7SAndroid Build Coastguard Worker *
192*90e502c7SAndroid Build Coastguard Worker * the key is the secret key
193*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_context_init(void * cv,const uint8_t * key)194*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_context_init(void *cv,
195*90e502c7SAndroid Build Coastguard Worker const uint8_t *key)
196*90e502c7SAndroid Build Coastguard Worker {
197*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
198*90e502c7SAndroid Build Coastguard Worker
199*90e502c7SAndroid Build Coastguard Worker c->dir = srtp_direction_any;
200*90e502c7SAndroid Build Coastguard Worker
201*90e502c7SAndroid Build Coastguard Worker debug_print(srtp_mod_aes_gcm, "key: %s",
202*90e502c7SAndroid Build Coastguard Worker srtp_octet_string_hex_string(key, c->key_size));
203*90e502c7SAndroid Build Coastguard Worker
204*90e502c7SAndroid Build Coastguard Worker if (c->key) {
205*90e502c7SAndroid Build Coastguard Worker PK11_FreeSymKey(c->key);
206*90e502c7SAndroid Build Coastguard Worker c->key = NULL;
207*90e502c7SAndroid Build Coastguard Worker }
208*90e502c7SAndroid Build Coastguard Worker
209*90e502c7SAndroid Build Coastguard Worker PK11SlotInfo *slot = PK11_GetBestSlot(CKM_AES_GCM, NULL);
210*90e502c7SAndroid Build Coastguard Worker if (!slot) {
211*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_cipher_fail);
212*90e502c7SAndroid Build Coastguard Worker }
213*90e502c7SAndroid Build Coastguard Worker
214*90e502c7SAndroid Build Coastguard Worker SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size };
215*90e502c7SAndroid Build Coastguard Worker c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
216*90e502c7SAndroid Build Coastguard Worker CKA_ENCRYPT, &key_item, NULL);
217*90e502c7SAndroid Build Coastguard Worker PK11_FreeSlot(slot);
218*90e502c7SAndroid Build Coastguard Worker
219*90e502c7SAndroid Build Coastguard Worker if (!c->key) {
220*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_cipher_fail);
221*90e502c7SAndroid Build Coastguard Worker }
222*90e502c7SAndroid Build Coastguard Worker
223*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_ok);
224*90e502c7SAndroid Build Coastguard Worker }
225*90e502c7SAndroid Build Coastguard Worker
226*90e502c7SAndroid Build Coastguard Worker /*
227*90e502c7SAndroid Build Coastguard Worker * aes_gcm_nss_set_iv(c, iv) sets the counter value to the exor of iv with
228*90e502c7SAndroid Build Coastguard Worker * the offset
229*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_set_iv(void * cv,uint8_t * iv,srtp_cipher_direction_t direction)230*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_set_iv(
231*90e502c7SAndroid Build Coastguard Worker void *cv,
232*90e502c7SAndroid Build Coastguard Worker uint8_t *iv,
233*90e502c7SAndroid Build Coastguard Worker srtp_cipher_direction_t direction)
234*90e502c7SAndroid Build Coastguard Worker {
235*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
236*90e502c7SAndroid Build Coastguard Worker
237*90e502c7SAndroid Build Coastguard Worker if (direction != srtp_direction_encrypt &&
238*90e502c7SAndroid Build Coastguard Worker direction != srtp_direction_decrypt) {
239*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_bad_param);
240*90e502c7SAndroid Build Coastguard Worker }
241*90e502c7SAndroid Build Coastguard Worker c->dir = direction;
242*90e502c7SAndroid Build Coastguard Worker
243*90e502c7SAndroid Build Coastguard Worker debug_print(srtp_mod_aes_gcm, "setting iv: %s",
244*90e502c7SAndroid Build Coastguard Worker srtp_octet_string_hex_string(iv, GCM_IV_LEN));
245*90e502c7SAndroid Build Coastguard Worker
246*90e502c7SAndroid Build Coastguard Worker memcpy(c->iv, iv, GCM_IV_LEN);
247*90e502c7SAndroid Build Coastguard Worker
248*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_ok);
249*90e502c7SAndroid Build Coastguard Worker }
250*90e502c7SAndroid Build Coastguard Worker
251*90e502c7SAndroid Build Coastguard Worker /*
252*90e502c7SAndroid Build Coastguard Worker * This function processes the AAD
253*90e502c7SAndroid Build Coastguard Worker *
254*90e502c7SAndroid Build Coastguard Worker * Parameters:
255*90e502c7SAndroid Build Coastguard Worker * c Crypto context
256*90e502c7SAndroid Build Coastguard Worker * aad Additional data to process for AEAD cipher suites
257*90e502c7SAndroid Build Coastguard Worker * aad_len length of aad buffer
258*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_set_aad(void * cv,const uint8_t * aad,uint32_t aad_len)259*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_set_aad(void *cv,
260*90e502c7SAndroid Build Coastguard Worker const uint8_t *aad,
261*90e502c7SAndroid Build Coastguard Worker uint32_t aad_len)
262*90e502c7SAndroid Build Coastguard Worker {
263*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
264*90e502c7SAndroid Build Coastguard Worker
265*90e502c7SAndroid Build Coastguard Worker debug_print(srtp_mod_aes_gcm, "setting AAD: %s",
266*90e502c7SAndroid Build Coastguard Worker srtp_octet_string_hex_string(aad, aad_len));
267*90e502c7SAndroid Build Coastguard Worker
268*90e502c7SAndroid Build Coastguard Worker if (aad_len + c->aad_size > MAX_AD_SIZE) {
269*90e502c7SAndroid Build Coastguard Worker return srtp_err_status_bad_param;
270*90e502c7SAndroid Build Coastguard Worker }
271*90e502c7SAndroid Build Coastguard Worker
272*90e502c7SAndroid Build Coastguard Worker memcpy(c->aad + c->aad_size, aad, aad_len);
273*90e502c7SAndroid Build Coastguard Worker c->aad_size += aad_len;
274*90e502c7SAndroid Build Coastguard Worker
275*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_ok);
276*90e502c7SAndroid Build Coastguard Worker }
277*90e502c7SAndroid Build Coastguard Worker
srtp_aes_gcm_nss_do_crypto(void * cv,int encrypt,unsigned char * buf,unsigned int * enc_len)278*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_do_crypto(void *cv,
279*90e502c7SAndroid Build Coastguard Worker int encrypt,
280*90e502c7SAndroid Build Coastguard Worker unsigned char *buf,
281*90e502c7SAndroid Build Coastguard Worker unsigned int *enc_len)
282*90e502c7SAndroid Build Coastguard Worker {
283*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
284*90e502c7SAndroid Build Coastguard Worker
285*90e502c7SAndroid Build Coastguard Worker c->params.pIv = c->iv;
286*90e502c7SAndroid Build Coastguard Worker c->params.ulIvLen = GCM_IV_LEN;
287*90e502c7SAndroid Build Coastguard Worker c->params.pAAD = c->aad;
288*90e502c7SAndroid Build Coastguard Worker c->params.ulAADLen = c->aad_size;
289*90e502c7SAndroid Build Coastguard Worker
290*90e502c7SAndroid Build Coastguard Worker // Reset AAD
291*90e502c7SAndroid Build Coastguard Worker c->aad_size = 0;
292*90e502c7SAndroid Build Coastguard Worker
293*90e502c7SAndroid Build Coastguard Worker int rv;
294*90e502c7SAndroid Build Coastguard Worker SECItem param = { siBuffer, (unsigned char *)&c->params,
295*90e502c7SAndroid Build Coastguard Worker sizeof(CK_GCM_PARAMS) };
296*90e502c7SAndroid Build Coastguard Worker if (encrypt) {
297*90e502c7SAndroid Build Coastguard Worker rv = PK11_Encrypt(c->key, CKM_AES_GCM, ¶m, buf, enc_len,
298*90e502c7SAndroid Build Coastguard Worker *enc_len + 16, buf, *enc_len);
299*90e502c7SAndroid Build Coastguard Worker } else {
300*90e502c7SAndroid Build Coastguard Worker rv = PK11_Decrypt(c->key, CKM_AES_GCM, ¶m, buf, enc_len, *enc_len,
301*90e502c7SAndroid Build Coastguard Worker buf, *enc_len);
302*90e502c7SAndroid Build Coastguard Worker }
303*90e502c7SAndroid Build Coastguard Worker
304*90e502c7SAndroid Build Coastguard Worker srtp_err_status_t status = (srtp_err_status_ok);
305*90e502c7SAndroid Build Coastguard Worker if (rv != SECSuccess) {
306*90e502c7SAndroid Build Coastguard Worker status = (srtp_err_status_cipher_fail);
307*90e502c7SAndroid Build Coastguard Worker }
308*90e502c7SAndroid Build Coastguard Worker
309*90e502c7SAndroid Build Coastguard Worker return status;
310*90e502c7SAndroid Build Coastguard Worker }
311*90e502c7SAndroid Build Coastguard Worker
312*90e502c7SAndroid Build Coastguard Worker /*
313*90e502c7SAndroid Build Coastguard Worker * This function encrypts a buffer using AES GCM mode
314*90e502c7SAndroid Build Coastguard Worker *
315*90e502c7SAndroid Build Coastguard Worker * XXX([email protected]): We're required to break off and cache the tag
316*90e502c7SAndroid Build Coastguard Worker * here, because the get_tag() method is separate and the tests expect
317*90e502c7SAndroid Build Coastguard Worker * encrypt() not to change the size of the plaintext. It might be
318*90e502c7SAndroid Build Coastguard Worker * good to update the calling API so that this is cleaner.
319*90e502c7SAndroid Build Coastguard Worker *
320*90e502c7SAndroid Build Coastguard Worker * Parameters:
321*90e502c7SAndroid Build Coastguard Worker * c Crypto context
322*90e502c7SAndroid Build Coastguard Worker * buf data to encrypt
323*90e502c7SAndroid Build Coastguard Worker * enc_len length of encrypt buffer
324*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_encrypt(void * cv,unsigned char * buf,unsigned int * enc_len)325*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_encrypt(void *cv,
326*90e502c7SAndroid Build Coastguard Worker unsigned char *buf,
327*90e502c7SAndroid Build Coastguard Worker unsigned int *enc_len)
328*90e502c7SAndroid Build Coastguard Worker {
329*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
330*90e502c7SAndroid Build Coastguard Worker
331*90e502c7SAndroid Build Coastguard Worker // When we get a non-NULL buffer, we know that the caller is
332*90e502c7SAndroid Build Coastguard Worker // prepared to also take the tag. When we get a NULL buffer,
333*90e502c7SAndroid Build Coastguard Worker // even though there's no data, we need to give NSS a buffer
334*90e502c7SAndroid Build Coastguard Worker // where it can write the tag. We can't just use c->tag because
335*90e502c7SAndroid Build Coastguard Worker // memcpy has undefined behavior on overlapping ranges.
336*90e502c7SAndroid Build Coastguard Worker unsigned char tagbuf[16];
337*90e502c7SAndroid Build Coastguard Worker unsigned char *non_null_buf = buf;
338*90e502c7SAndroid Build Coastguard Worker if (!non_null_buf && (*enc_len == 0)) {
339*90e502c7SAndroid Build Coastguard Worker non_null_buf = tagbuf;
340*90e502c7SAndroid Build Coastguard Worker } else if (!non_null_buf) {
341*90e502c7SAndroid Build Coastguard Worker return srtp_err_status_bad_param;
342*90e502c7SAndroid Build Coastguard Worker }
343*90e502c7SAndroid Build Coastguard Worker
344*90e502c7SAndroid Build Coastguard Worker srtp_err_status_t status =
345*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_do_crypto(cv, 1, non_null_buf, enc_len);
346*90e502c7SAndroid Build Coastguard Worker if (status != srtp_err_status_ok) {
347*90e502c7SAndroid Build Coastguard Worker return status;
348*90e502c7SAndroid Build Coastguard Worker }
349*90e502c7SAndroid Build Coastguard Worker
350*90e502c7SAndroid Build Coastguard Worker memcpy(c->tag, non_null_buf + (*enc_len - c->tag_size), c->tag_size);
351*90e502c7SAndroid Build Coastguard Worker *enc_len -= c->tag_size;
352*90e502c7SAndroid Build Coastguard Worker return srtp_err_status_ok;
353*90e502c7SAndroid Build Coastguard Worker }
354*90e502c7SAndroid Build Coastguard Worker
355*90e502c7SAndroid Build Coastguard Worker /*
356*90e502c7SAndroid Build Coastguard Worker * This function calculates and returns the GCM tag for a given context.
357*90e502c7SAndroid Build Coastguard Worker * This should be called after encrypting the data. The *len value
358*90e502c7SAndroid Build Coastguard Worker * is increased by the tag size. The caller must ensure that *buf has
359*90e502c7SAndroid Build Coastguard Worker * enough room to accept the appended tag.
360*90e502c7SAndroid Build Coastguard Worker *
361*90e502c7SAndroid Build Coastguard Worker * Parameters:
362*90e502c7SAndroid Build Coastguard Worker * c Crypto context
363*90e502c7SAndroid Build Coastguard Worker * buf data to encrypt
364*90e502c7SAndroid Build Coastguard Worker * len length of encrypt buffer
365*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_get_tag(void * cv,uint8_t * buf,uint32_t * len)366*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_get_tag(void *cv,
367*90e502c7SAndroid Build Coastguard Worker uint8_t *buf,
368*90e502c7SAndroid Build Coastguard Worker uint32_t *len)
369*90e502c7SAndroid Build Coastguard Worker {
370*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
371*90e502c7SAndroid Build Coastguard Worker *len = c->tag_size;
372*90e502c7SAndroid Build Coastguard Worker memcpy(buf, c->tag, c->tag_size);
373*90e502c7SAndroid Build Coastguard Worker return (srtp_err_status_ok);
374*90e502c7SAndroid Build Coastguard Worker }
375*90e502c7SAndroid Build Coastguard Worker
376*90e502c7SAndroid Build Coastguard Worker /*
377*90e502c7SAndroid Build Coastguard Worker * This function decrypts a buffer using AES GCM mode
378*90e502c7SAndroid Build Coastguard Worker *
379*90e502c7SAndroid Build Coastguard Worker * Parameters:
380*90e502c7SAndroid Build Coastguard Worker * c Crypto context
381*90e502c7SAndroid Build Coastguard Worker * buf data to encrypt
382*90e502c7SAndroid Build Coastguard Worker * enc_len length of encrypt buffer
383*90e502c7SAndroid Build Coastguard Worker */
srtp_aes_gcm_nss_decrypt(void * cv,unsigned char * buf,unsigned int * enc_len)384*90e502c7SAndroid Build Coastguard Worker static srtp_err_status_t srtp_aes_gcm_nss_decrypt(void *cv,
385*90e502c7SAndroid Build Coastguard Worker unsigned char *buf,
386*90e502c7SAndroid Build Coastguard Worker unsigned int *enc_len)
387*90e502c7SAndroid Build Coastguard Worker {
388*90e502c7SAndroid Build Coastguard Worker srtp_err_status_t status = srtp_aes_gcm_nss_do_crypto(cv, 0, buf, enc_len);
389*90e502c7SAndroid Build Coastguard Worker if (status != srtp_err_status_ok) {
390*90e502c7SAndroid Build Coastguard Worker int err = PR_GetError();
391*90e502c7SAndroid Build Coastguard Worker if (err == SEC_ERROR_BAD_DATA) {
392*90e502c7SAndroid Build Coastguard Worker status = srtp_err_status_auth_fail;
393*90e502c7SAndroid Build Coastguard Worker }
394*90e502c7SAndroid Build Coastguard Worker }
395*90e502c7SAndroid Build Coastguard Worker
396*90e502c7SAndroid Build Coastguard Worker return status;
397*90e502c7SAndroid Build Coastguard Worker }
398*90e502c7SAndroid Build Coastguard Worker
399*90e502c7SAndroid Build Coastguard Worker /*
400*90e502c7SAndroid Build Coastguard Worker * Name of this crypto engine
401*90e502c7SAndroid Build Coastguard Worker */
402*90e502c7SAndroid Build Coastguard Worker static const char srtp_aes_gcm_128_nss_description[] = "AES-128 GCM using NSS";
403*90e502c7SAndroid Build Coastguard Worker static const char srtp_aes_gcm_256_nss_description[] = "AES-256 GCM using NSS";
404*90e502c7SAndroid Build Coastguard Worker
405*90e502c7SAndroid Build Coastguard Worker /*
406*90e502c7SAndroid Build Coastguard Worker * KAT values for AES self-test. These
407*90e502c7SAndroid Build Coastguard Worker * values we're derived from independent test code
408*90e502c7SAndroid Build Coastguard Worker * using OpenSSL.
409*90e502c7SAndroid Build Coastguard Worker */
410*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
411*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_0_key[SRTP_AES_GCM_128_KEY_LEN_WSALT] = {
412*90e502c7SAndroid Build Coastguard Worker 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
413*90e502c7SAndroid Build Coastguard Worker 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
414*90e502c7SAndroid Build Coastguard Worker 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
415*90e502c7SAndroid Build Coastguard Worker 0x09, 0x0a, 0x0b, 0x0c,
416*90e502c7SAndroid Build Coastguard Worker };
417*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
418*90e502c7SAndroid Build Coastguard Worker
419*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
420*90e502c7SAndroid Build Coastguard Worker static uint8_t srtp_aes_gcm_test_case_0_iv[12] = {
421*90e502c7SAndroid Build Coastguard Worker 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
422*90e502c7SAndroid Build Coastguard Worker 0xde, 0xca, 0xf8, 0x88
423*90e502c7SAndroid Build Coastguard Worker };
424*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
425*90e502c7SAndroid Build Coastguard Worker
426*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
427*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] = {
428*90e502c7SAndroid Build Coastguard Worker 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
429*90e502c7SAndroid Build Coastguard Worker 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
430*90e502c7SAndroid Build Coastguard Worker 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
431*90e502c7SAndroid Build Coastguard Worker 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
432*90e502c7SAndroid Build Coastguard Worker 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
433*90e502c7SAndroid Build Coastguard Worker 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
434*90e502c7SAndroid Build Coastguard Worker 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
435*90e502c7SAndroid Build Coastguard Worker 0xba, 0x63, 0x7b, 0x39
436*90e502c7SAndroid Build Coastguard Worker };
437*90e502c7SAndroid Build Coastguard Worker
438*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
439*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_0_aad[20] = {
440*90e502c7SAndroid Build Coastguard Worker 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
441*90e502c7SAndroid Build Coastguard Worker 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
442*90e502c7SAndroid Build Coastguard Worker 0xab, 0xad, 0xda, 0xd2
443*90e502c7SAndroid Build Coastguard Worker };
444*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
445*90e502c7SAndroid Build Coastguard Worker
446*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
447*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = {
448*90e502c7SAndroid Build Coastguard Worker 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
449*90e502c7SAndroid Build Coastguard Worker 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
450*90e502c7SAndroid Build Coastguard Worker 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
451*90e502c7SAndroid Build Coastguard Worker 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
452*90e502c7SAndroid Build Coastguard Worker 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
453*90e502c7SAndroid Build Coastguard Worker 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
454*90e502c7SAndroid Build Coastguard Worker 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
455*90e502c7SAndroid Build Coastguard Worker 0x3d, 0x58, 0xe0, 0x91,
456*90e502c7SAndroid Build Coastguard Worker /* the last 16 bytes are the tag */
457*90e502c7SAndroid Build Coastguard Worker 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
458*90e502c7SAndroid Build Coastguard Worker 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47,
459*90e502c7SAndroid Build Coastguard Worker };
460*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
461*90e502c7SAndroid Build Coastguard Worker
462*90e502c7SAndroid Build Coastguard Worker static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = {
463*90e502c7SAndroid Build Coastguard Worker SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */
464*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_key, /* key */
465*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_iv, /* packet index */
466*90e502c7SAndroid Build Coastguard Worker 60, /* octets in plaintext */
467*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_plaintext, /* plaintext */
468*90e502c7SAndroid Build Coastguard Worker 68, /* octets in ciphertext */
469*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */
470*90e502c7SAndroid Build Coastguard Worker 20, /* octets in AAD */
471*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_aad, /* AAD */
472*90e502c7SAndroid Build Coastguard Worker GCM_AUTH_TAG_LEN_8, /* */
473*90e502c7SAndroid Build Coastguard Worker NULL /* pointer to next testcase */
474*90e502c7SAndroid Build Coastguard Worker };
475*90e502c7SAndroid Build Coastguard Worker
476*90e502c7SAndroid Build Coastguard Worker static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0 = {
477*90e502c7SAndroid Build Coastguard Worker SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */
478*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_key, /* key */
479*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_iv, /* packet index */
480*90e502c7SAndroid Build Coastguard Worker 60, /* octets in plaintext */
481*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_plaintext, /* plaintext */
482*90e502c7SAndroid Build Coastguard Worker 76, /* octets in ciphertext */
483*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */
484*90e502c7SAndroid Build Coastguard Worker 20, /* octets in AAD */
485*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_0_aad, /* AAD */
486*90e502c7SAndroid Build Coastguard Worker GCM_AUTH_TAG_LEN, /* */
487*90e502c7SAndroid Build Coastguard Worker &srtp_aes_gcm_test_case_0a /* pointer to next testcase */
488*90e502c7SAndroid Build Coastguard Worker };
489*90e502c7SAndroid Build Coastguard Worker
490*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
491*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT] = {
492*90e502c7SAndroid Build Coastguard Worker 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
493*90e502c7SAndroid Build Coastguard Worker 0xa5, 0x59, 0x09, 0xc5, 0x54, 0x66, 0x93, 0x1c,
494*90e502c7SAndroid Build Coastguard Worker 0xaf, 0xf5, 0x26, 0x9a, 0x21, 0xd5, 0x14, 0xb2,
495*90e502c7SAndroid Build Coastguard Worker 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
496*90e502c7SAndroid Build Coastguard Worker 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
497*90e502c7SAndroid Build Coastguard Worker 0x09, 0x0a, 0x0b, 0x0c,
498*90e502c7SAndroid Build Coastguard Worker };
499*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
500*90e502c7SAndroid Build Coastguard Worker
501*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
502*90e502c7SAndroid Build Coastguard Worker static uint8_t srtp_aes_gcm_test_case_1_iv[12] = {
503*90e502c7SAndroid Build Coastguard Worker 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
504*90e502c7SAndroid Build Coastguard Worker 0xde, 0xca, 0xf8, 0x88
505*90e502c7SAndroid Build Coastguard Worker };
506*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
507*90e502c7SAndroid Build Coastguard Worker
508*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
509*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] = {
510*90e502c7SAndroid Build Coastguard Worker 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
511*90e502c7SAndroid Build Coastguard Worker 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
512*90e502c7SAndroid Build Coastguard Worker 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
513*90e502c7SAndroid Build Coastguard Worker 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
514*90e502c7SAndroid Build Coastguard Worker 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
515*90e502c7SAndroid Build Coastguard Worker 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
516*90e502c7SAndroid Build Coastguard Worker 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
517*90e502c7SAndroid Build Coastguard Worker 0xba, 0x63, 0x7b, 0x39
518*90e502c7SAndroid Build Coastguard Worker };
519*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
520*90e502c7SAndroid Build Coastguard Worker
521*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
522*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_1_aad[20] = {
523*90e502c7SAndroid Build Coastguard Worker 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
524*90e502c7SAndroid Build Coastguard Worker 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
525*90e502c7SAndroid Build Coastguard Worker 0xab, 0xad, 0xda, 0xd2
526*90e502c7SAndroid Build Coastguard Worker };
527*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
528*90e502c7SAndroid Build Coastguard Worker
529*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
530*90e502c7SAndroid Build Coastguard Worker static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = {
531*90e502c7SAndroid Build Coastguard Worker 0x0b, 0x11, 0xcf, 0xaf, 0x68, 0x4d, 0xae, 0x46,
532*90e502c7SAndroid Build Coastguard Worker 0xc7, 0x90, 0xb8, 0x8e, 0xb7, 0x6a, 0x76, 0x2a,
533*90e502c7SAndroid Build Coastguard Worker 0x94, 0x82, 0xca, 0xab, 0x3e, 0x39, 0xd7, 0x86,
534*90e502c7SAndroid Build Coastguard Worker 0x1b, 0xc7, 0x93, 0xed, 0x75, 0x7f, 0x23, 0x5a,
535*90e502c7SAndroid Build Coastguard Worker 0xda, 0xfd, 0xd3, 0xe2, 0x0e, 0x80, 0x87, 0xa9,
536*90e502c7SAndroid Build Coastguard Worker 0x6d, 0xd7, 0xe2, 0x6a, 0x7d, 0x5f, 0xb4, 0x80,
537*90e502c7SAndroid Build Coastguard Worker 0xef, 0xef, 0xc5, 0x29, 0x12, 0xd1, 0xaa, 0x10,
538*90e502c7SAndroid Build Coastguard Worker 0x09, 0xc9, 0x86, 0xc1,
539*90e502c7SAndroid Build Coastguard Worker /* the last 16 bytes are the tag */
540*90e502c7SAndroid Build Coastguard Worker 0x45, 0xbc, 0x03, 0xe6, 0xe1, 0xac, 0x0a, 0x9f,
541*90e502c7SAndroid Build Coastguard Worker 0x81, 0xcb, 0x8e, 0x5b, 0x46, 0x65, 0x63, 0x1d,
542*90e502c7SAndroid Build Coastguard Worker };
543*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
544*90e502c7SAndroid Build Coastguard Worker
545*90e502c7SAndroid Build Coastguard Worker static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = {
546*90e502c7SAndroid Build Coastguard Worker SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */
547*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_key, /* key */
548*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_iv, /* packet index */
549*90e502c7SAndroid Build Coastguard Worker 60, /* octets in plaintext */
550*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_plaintext, /* plaintext */
551*90e502c7SAndroid Build Coastguard Worker 68, /* octets in ciphertext */
552*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */
553*90e502c7SAndroid Build Coastguard Worker 20, /* octets in AAD */
554*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_aad, /* AAD */
555*90e502c7SAndroid Build Coastguard Worker GCM_AUTH_TAG_LEN_8, /* */
556*90e502c7SAndroid Build Coastguard Worker NULL /* pointer to next testcase */
557*90e502c7SAndroid Build Coastguard Worker };
558*90e502c7SAndroid Build Coastguard Worker
559*90e502c7SAndroid Build Coastguard Worker static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1 = {
560*90e502c7SAndroid Build Coastguard Worker SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */
561*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_key, /* key */
562*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_iv, /* packet index */
563*90e502c7SAndroid Build Coastguard Worker 60, /* octets in plaintext */
564*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_plaintext, /* plaintext */
565*90e502c7SAndroid Build Coastguard Worker 76, /* octets in ciphertext */
566*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */
567*90e502c7SAndroid Build Coastguard Worker 20, /* octets in AAD */
568*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_test_case_1_aad, /* AAD */
569*90e502c7SAndroid Build Coastguard Worker GCM_AUTH_TAG_LEN, /* */
570*90e502c7SAndroid Build Coastguard Worker &srtp_aes_gcm_test_case_1a /* pointer to next testcase */
571*90e502c7SAndroid Build Coastguard Worker };
572*90e502c7SAndroid Build Coastguard Worker
573*90e502c7SAndroid Build Coastguard Worker /*
574*90e502c7SAndroid Build Coastguard Worker * This is the vector function table for this crypto engine.
575*90e502c7SAndroid Build Coastguard Worker */
576*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
577*90e502c7SAndroid Build Coastguard Worker const srtp_cipher_type_t srtp_aes_gcm_128 = {
578*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_alloc,
579*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_dealloc,
580*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_context_init,
581*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_set_aad,
582*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_encrypt,
583*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_decrypt,
584*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_set_iv,
585*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_get_tag,
586*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_128_nss_description,
587*90e502c7SAndroid Build Coastguard Worker &srtp_aes_gcm_test_case_0,
588*90e502c7SAndroid Build Coastguard Worker SRTP_AES_GCM_128
589*90e502c7SAndroid Build Coastguard Worker };
590*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
591*90e502c7SAndroid Build Coastguard Worker
592*90e502c7SAndroid Build Coastguard Worker /*
593*90e502c7SAndroid Build Coastguard Worker * This is the vector function table for this crypto engine.
594*90e502c7SAndroid Build Coastguard Worker */
595*90e502c7SAndroid Build Coastguard Worker /* clang-format off */
596*90e502c7SAndroid Build Coastguard Worker const srtp_cipher_type_t srtp_aes_gcm_256 = {
597*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_alloc,
598*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_dealloc,
599*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_context_init,
600*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_set_aad,
601*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_encrypt,
602*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_decrypt,
603*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_set_iv,
604*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_nss_get_tag,
605*90e502c7SAndroid Build Coastguard Worker srtp_aes_gcm_256_nss_description,
606*90e502c7SAndroid Build Coastguard Worker &srtp_aes_gcm_test_case_1,
607*90e502c7SAndroid Build Coastguard Worker SRTP_AES_GCM_256
608*90e502c7SAndroid Build Coastguard Worker };
609*90e502c7SAndroid Build Coastguard Worker /* clang-format on */
610