Skip to content

Commit d8d40f6

Browse files
ttungle96ttungle96
committed
Remove gcm_ctx in AEAD_XAES_256_GCM_CTX
1 parent 3d3a12b commit d8d40f6

File tree

2 files changed

+18
-14
lines changed

2 files changed

+18
-14
lines changed

crypto/fipsmodule/cipher/e_aes.c

Lines changed: 17 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1814,8 +1814,11 @@ static int xaes_256_gcm_CMAC_derive_key(AES_KEY *xaes_key, uint8_t *k1,
18141814
for (size_t i = 0; i < AES_BLOCK_SIZE; i++) {
18151815
M[i] ^= k1[i];
18161816
}
1817-
1818-
AES_encrypt(M, derived_key, xaes_key);
1817+
1818+
AES_encrypt(M, derived_key, xaes_key);
1819+
/* Since M1[i] and M2[i] are the same except at i = 1, where:
1820+
* M1[1] = k1[1] ^ 0x01, and M2[1] = k1[1] ^ 0x02, we have:
1821+
* M2[1] = M1[1] ^ 0x03 = (k1[1] ^ 0x01) ^ (0x01 ^ 0x02) = M2[1] */
18191822
M[1] ^= 0x03;
18201823
AES_encrypt(M, derived_key + AES_BLOCK_SIZE, xaes_key);
18211824

@@ -1921,7 +1924,6 @@ DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_xaes_256_gcm) {
19211924
// ---------------- EVP_AEAD XAES-256-GCM Without Key Commitment ----------------
19221925
// ------------------------------------------------------------------------------
19231926
typedef struct {
1924-
struct aead_aes_gcm_ctx gcm_ctx;
19251927
AES_KEY xaes_key;
19261928
uint8_t k1[AES_BLOCK_SIZE];
19271929
} AEAD_XAES_256_GCM_CTX;
@@ -1937,7 +1939,7 @@ static int aead_xaes_256_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
19371939
// ctx->state is a void pointer in the EVP_AEAD_CTX object pointing to an
19381940
// opaque memory that can be used to store implementation-specific data
19391941
AEAD_XAES_256_GCM_CTX *xaes_ctx = (AEAD_XAES_256_GCM_CTX*)&ctx->state;
1940-
1942+
19411943
xaes_256_gcm_ctx_init(&xaes_ctx->xaes_key, xaes_ctx->k1, key);
19421944

19431945
// requested_tag_len = 0 means using the default tag length of AES_GCM
@@ -1946,8 +1948,8 @@ static int aead_xaes_256_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
19461948
return 1;
19471949
}
19481950

1949-
static int aead_xaes_256_gcm_set_gcm_key(AEAD_XAES_256_GCM_CTX *xaes_ctx,
1950-
const uint8_t *nonce, const size_t nonce_len) {
1951+
static int aead_xaes_256_gcm_set_gcm_key(AEAD_XAES_256_GCM_CTX *xaes_ctx, struct aead_aes_gcm_ctx *gcm_ctx,
1952+
const uint8_t *nonce, const size_t nonce_len) {
19511953
if(nonce_len < 20 || nonce_len > 24) {
19521954
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
19531955
return 0;
@@ -1962,8 +1964,6 @@ static int aead_xaes_256_gcm_set_gcm_key(AEAD_XAES_256_GCM_CTX *xaes_ctx,
19621964

19631965
xaes_256_gcm_CMAC_derive_key(&xaes_ctx->xaes_key, xaes_ctx->k1, nonce, gcm_key);
19641966

1965-
struct aead_aes_gcm_ctx *gcm_ctx = &xaes_ctx->gcm_ctx;
1966-
19671967
gcm_ctx->ctr = aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL,
19681968
gcm_key, XAES_256_GCM_KEY_LENGTH);
19691969

@@ -1982,17 +1982,19 @@ static int aead_xaes_256_gcm_seal_scatter(
19821982

19831983
AEAD_XAES_256_GCM_CTX *xaes_ctx = (AEAD_XAES_256_GCM_CTX*)&ctx->state;
19841984

1985-
if(!aead_xaes_256_gcm_set_gcm_key(xaes_ctx, nonce, nonce_len)) {
1985+
struct aead_aes_gcm_ctx gcm_ctx;
1986+
1987+
if(!aead_xaes_256_gcm_set_gcm_key(xaes_ctx, &gcm_ctx, nonce, nonce_len)) {
19861988
return 0;
19871989
}
1988-
1990+
19891991
// Reference for nonce size < 24 bytes:
19901992
// https://eprint.iacr.org/2025/758.pdf#page=24
19911993
/* When nonce size b < 24 bytes, it uses bytes [b-12:b]
19921994
* of input nonce as iv for the underlying AES encryption.
19931995
* nonce_len is b in the referece, where 20 <= b <= 24 */
19941996
return aead_aes_gcm_seal_scatter_impl(
1995-
&xaes_ctx->gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len,
1997+
&gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len,
19961998
nonce + nonce_len - AES_GCM_NONCE_LENGTH, AES_GCM_NONCE_LENGTH,
19971999
in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
19982000
}
@@ -2004,8 +2006,10 @@ static int aead_xaes_256_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
20042006
const uint8_t *ad, size_t ad_len) {
20052007

20062008
AEAD_XAES_256_GCM_CTX *xaes_ctx = (AEAD_XAES_256_GCM_CTX*)&ctx->state;
2009+
2010+
struct aead_aes_gcm_ctx gcm_ctx;
20072011

2008-
if(!aead_xaes_256_gcm_set_gcm_key(xaes_ctx, nonce, nonce_len)) {
2012+
if(!aead_xaes_256_gcm_set_gcm_key(xaes_ctx, &gcm_ctx, nonce, nonce_len)) {
20092013
return 0;
20102014
}
20112015

@@ -2015,7 +2019,7 @@ static int aead_xaes_256_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
20152019
* of input nonce as iv for the underlying AES decryption.
20162020
* nonce_len is b in the referece, where 20 <= b <= 24 */
20172021
return aead_aes_gcm_open_gather_impl(
2018-
&xaes_ctx->gcm_ctx, out, nonce + nonce_len - AES_GCM_NONCE_LENGTH,
2022+
&gcm_ctx, out, nonce + nonce_len - AES_GCM_NONCE_LENGTH,
20192023
AES_GCM_NONCE_LENGTH, in, in_len, in_tag, in_tag_len,
20202024
ad, ad_len, ctx->tag_len);
20212025
}

include/openssl/aead.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -211,7 +211,7 @@ OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
211211
// AEAD operations.
212212

213213
union evp_aead_ctx_st_state {
214-
uint8_t opaque[808];
214+
uint8_t opaque[564];
215215
uint64_t alignment;
216216
void *ptr;
217217
};

0 commit comments

Comments
 (0)