Blame SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch

8dd812
From 38c8dc4317296624cba5b2c8ddba6e9047048180 Mon Sep 17 00:00:00 2001
8dd812
From: Daiki Ueno <dueno@redhat.com>
8dd812
Date: Thu, 1 Aug 2019 17:41:45 +0200
8dd812
Subject: [PATCH 1/3] iov: add iterator interface for giovec_t
8dd812
8dd812
This adds an iterator interface over giovec_t array, extracting a
8dd812
fixed sized block.
8dd812
8dd812
Signed-off-by: Daiki Ueno <dueno@redhat.com>
8dd812
---
8dd812
 .gitignore        |   1 +
8dd812
 lib/Makefile.am   |   3 +-
8dd812
 lib/iov.c         | 120 ++++++++++++++++++++++++++++++++
8dd812
 lib/iov.h         |  46 +++++++++++++
8dd812
 lib/libgnutls.map |   3 +
8dd812
 tests/Makefile.am |   6 +-
8dd812
 tests/iov.c       | 170 ++++++++++++++++++++++++++++++++++++++++++++++
8dd812
 7 files changed, 347 insertions(+), 2 deletions(-)
8dd812
 create mode 100644 lib/iov.c
8dd812
 create mode 100644 lib/iov.h
8dd812
 create mode 100644 tests/iov.c
8dd812
8dd812
diff --git a/lib/Makefile.am b/lib/Makefile.am
8dd812
index ffc72e4c2..9fe78afbd 100644
8dd812
--- a/lib/Makefile.am
8dd812
+++ b/lib/Makefile.am
8dd812
@@ -80,7 +80,8 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls
8dd812
 	system-keys.h urls.c urls.h prf.c auto-verify.c dh-session.c \
8dd812
 	cert-session.c handshake-checks.c dtls-sw.c dh-primes.c openpgp_compat.c \
8dd812
 	crypto-selftests.c crypto-selftests-pk.c secrets.c extv.c extv.h \
8dd812
-	hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c
8dd812
+	hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c \
8dd812
+	iov.c iov.h
8dd812
 
8dd812
 if WINDOWS
8dd812
 COBJECTS += system/keys-win.c
8dd812
diff --git a/lib/iov.c b/lib/iov.c
8dd812
new file mode 100644
8dd812
index 000000000..5dc29c54b
8dd812
--- /dev/null
8dd812
+++ b/lib/iov.c
8dd812
@@ -0,0 +1,120 @@
8dd812
+/*
8dd812
+ * Copyright (C) 2019 Red Hat, Inc.
8dd812
+ *
8dd812
+ * Author: Daiki Ueno
8dd812
+ *
8dd812
+ * This file is part of GnuTLS.
8dd812
+ *
8dd812
+ * The GnuTLS is free software; you can redistribute it and/or
8dd812
+ * modify it under the terms of the GNU Lesser General Public License
8dd812
+ * as published by the Free Software Foundation; either version 2.1 of
8dd812
+ * the License, or (at your option) any later version.
8dd812
+ *
8dd812
+ * This library is distributed in the hope that it will be useful, but
8dd812
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
8dd812
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
8dd812
+ * Lesser General Public License for more details.
8dd812
+ *
8dd812
+ * You should have received a copy of the GNU Lesser General Public License
8dd812
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
8dd812
+ *
8dd812
+ */
8dd812
+
8dd812
+#include "gnutls_int.h"
8dd812
+#include "iov.h"
8dd812
+
8dd812
+/**
8dd812
+ * _gnutls_iov_iter_init:
8dd812
+ * @iter: the iterator
8dd812
+ * @iov: the data buffers
8dd812
+ * @iov_count: the number of data buffers
8dd812
+ * @block_size: block size to iterate
8dd812
+ *
8dd812
+ * Initialize the iterator.
8dd812
+ *
8dd812
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
8dd812
+ *   an error code is returned
8dd812
+ */
8dd812
+int
8dd812
+_gnutls_iov_iter_init(struct iov_iter_st *iter,
8dd812
+		      const giovec_t *iov, size_t iov_count,
8dd812
+		      size_t block_size)
8dd812
+{
8dd812
+	if (unlikely(block_size > MAX_CIPHER_BLOCK_SIZE))
8dd812
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
8dd812
+
8dd812
+	iter->iov = iov;
8dd812
+	iter->iov_count = iov_count;
8dd812
+	iter->iov_index = 0;
8dd812
+	iter->iov_offset = 0;
8dd812
+	iter->block_size = block_size;
8dd812
+	iter->block_offset = 0;
8dd812
+	return 0;
8dd812
+}
8dd812
+
8dd812
+/**
8dd812
+ * _gnutls_iov_iter_next:
8dd812
+ * @iter: the iterator
8dd812
+ * @data: the return location of extracted data
8dd812
+ *
8dd812
+ * Retrieve block(s) pointed by @iter and advance it to the next
8dd812
+ * position.  It returns the number of consecutive blocks in @data.
8dd812
+ * At the end of iteration, 0 is returned.
8dd812
+ *
8dd812
+ * If the data stored in @iter is not multiple of the block size, the
8dd812
+ * remaining data is stored in the "block" field of @iter with the
8dd812
+ * size stored in the "block_offset" field.
8dd812
+ *
8dd812
+ * Returns: On success, a value greater than or equal to zero is
8dd812
+ *   returned, otherwise a negative error code is returned
8dd812
+ */
8dd812
+ssize_t
8dd812
+_gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
8dd812
+{
8dd812
+	while (iter->iov_index < iter->iov_count) {
8dd812
+		const giovec_t *iov = &iter->iov[iter->iov_index];
8dd812
+		uint8_t *p = iov->iov_base;
8dd812
+		size_t len = iov->iov_len;
8dd812
+		size_t block_left;
8dd812
+
8dd812
+		if (unlikely(len < iter->iov_offset))
8dd812
+			return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
8dd812
+		len -= iter->iov_offset;
8dd812
+		p += iter->iov_offset;
8dd812
+
8dd812
+		/* We have at least one full block, return a whole set
8dd812
+		 * of full blocks immediately. */
8dd812
+		if (iter->block_offset == 0 && len >= iter->block_size) {
8dd812
+			if ((len % iter->block_size) == 0) {
8dd812
+				iter->iov_index++;
8dd812
+				iter->iov_offset = 0;
8dd812
+			} else
8dd812
+				iter->iov_offset +=
8dd812
+					len - (len % iter->block_size);
8dd812
+
8dd812
+			/* Return the blocks. */
8dd812
+			*data = p;
8dd812
+			return len / iter->block_size;
8dd812
+		}
8dd812
+
8dd812
+		/* We can complete one full block to return. */
8dd812
+		block_left = iter->block_size - iter->block_offset;
8dd812
+		if (len >= block_left) {
8dd812
+			memcpy(iter->block + iter->block_offset, p, block_left);
8dd812
+			iter->iov_offset += block_left;
8dd812
+			iter->block_offset = 0;
8dd812
+
8dd812
+			/* Return the filled block. */
8dd812
+			*data = iter->block;
8dd812
+			return 1;
8dd812
+		}
8dd812
+
8dd812
+		/* Not enough data for a full block, store in temp
8dd812
+		 * memory and continue. */
8dd812
+		memcpy(iter->block + iter->block_offset, p, len);
8dd812
+		iter->block_offset += len;
8dd812
+		iter->iov_index++;
8dd812
+		iter->iov_offset = 0;
8dd812
+	}
8dd812
+	return 0;
8dd812
+}
8dd812
diff --git a/lib/iov.h b/lib/iov.h
8dd812
new file mode 100644
8dd812
index 000000000..47fba559a
8dd812
--- /dev/null
8dd812
+++ b/lib/iov.h
8dd812
@@ -0,0 +1,46 @@
8dd812
+/*
8dd812
+ * Copyright (C) 2019 Red Hat, Inc.
8dd812
+ *
8dd812
+ * Author: Daiki Ueno
8dd812
+ *
8dd812
+ * This file is part of GnuTLS.
8dd812
+ *
8dd812
+ * The GnuTLS is free software; you can redistribute it and/or
8dd812
+ * modify it under the terms of the GNU Lesser General Public License
8dd812
+ * as published by the Free Software Foundation; either version 2.1 of
8dd812
+ * the License, or (at your option) any later version.
8dd812
+ *
8dd812
+ * This library is distributed in the hope that it will be useful, but
8dd812
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
8dd812
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
8dd812
+ * Lesser General Public License for more details.
8dd812
+ *
8dd812
+ * You should have received a copy of the GNU Lesser General Public License
8dd812
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
8dd812
+ *
8dd812
+ */
8dd812
+
8dd812
+#ifndef GNUTLS_LIB_IOV_H
8dd812
+#define GNUTLS_LIB_IOV_H
8dd812
+
8dd812
+#include "gnutls_int.h"
8dd812
+
8dd812
+struct iov_iter_st {
8dd812
+	const giovec_t *iov;
8dd812
+	size_t iov_count;	/* the number of iov */
8dd812
+	size_t iov_index;	/* index of the current buffer */
8dd812
+	size_t iov_offset;	/* byte offset in the current buffer */
8dd812
+
8dd812
+	uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */
8dd812
+	size_t block_size;	/* actual block size of the cipher */
8dd812
+	size_t block_offset;	/* offset in block */
8dd812
+
8dd812
+};
8dd812
+
8dd812
+int _gnutls_iov_iter_init(struct iov_iter_st *iter,
8dd812
+			  const giovec_t *iov, size_t iov_count,
8dd812
+			  size_t block_size);
8dd812
+
8dd812
+ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data);
8dd812
+
8dd812
+#endif /* GNUTLS_LIB_IOV_H */
8dd812
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
8dd812
index 0f31f4aef..fc93c0857 100644
8dd812
--- a/lib/libgnutls.map
8dd812
+++ b/lib/libgnutls.map
8dd812
@@ -1374,4 +1374,7 @@ GNUTLS_PRIVATE_3_4 {
8dd812
 	_gnutls_global_set_gettime_function;
8dd812
 	# Internal symbols needed by tests/tls13/anti_replay.c
8dd812
 	_gnutls_anti_replay_check;
8dd812
+	# needed by tests/iov:
8dd812
+	_gnutls_iov_iter_init;
8dd812
+	_gnutls_iov_iter_next;
8dd812
 } GNUTLS_3_4;
8dd812
diff --git a/tests/Makefile.am b/tests/Makefile.am
8dd812
index a8c2d152e..a2883570f 100644
8dd812
--- a/tests/Makefile.am
8dd812
+++ b/tests/Makefile.am
8dd812
@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
8dd812
 	 null_retrieve_function tls-record-size-limit tls-crt_type-neg \
8dd812
 	 resume-with-stek-expiration resume-with-previous-stek rawpk-api \
8dd812
 	 tls-record-size-limit-asym dh-compute ecdh-compute \
8dd812
-	 sign-verify-deterministic
8dd812
+	 sign-verify-deterministic iov
8dd812
 
8dd812
 if HAVE_SECCOMP_TESTS
8dd812
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
8dd812
@@ -460,6 +460,10 @@ tls13_anti_replay_CPPFLAGS = $(AM_CPPFLAGS) \
8dd812
 	-I$(top_builddir)/gl	\
8dd812
 	$(NETTLE_CFLAGS)
8dd812
 
8dd812
+iov_CPPFLAGS = $(AM_CPPFLAGS) \
8dd812
+	-I$(top_srcdir)/gl	\
8dd812
+	-I$(top_builddir)/gl
8dd812
+
8dd812
 if ENABLE_PKCS11
8dd812
 if !WINDOWS
8dd812
 ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key
8dd812
diff --git a/tests/iov.c b/tests/iov.c
8dd812
new file mode 100644
8dd812
index 000000000..eda5583a7
8dd812
--- /dev/null
8dd812
+++ b/tests/iov.c
8dd812
@@ -0,0 +1,170 @@
8dd812
+/*
8dd812
+ * Copyright (C) 2019 Red Hat, Inc.
8dd812
+ *
8dd812
+ * Author: Daiki Ueno
8dd812
+ *
8dd812
+ * This file is part of GnuTLS.
8dd812
+ *
8dd812
+ * GnuTLS is free software; you can redistribute it and/or modify it
8dd812
+ * under the terms of the GNU General Public License as published by
8dd812
+ * the Free Software Foundation; either version 3 of the License, or
8dd812
+ * (at your option) any later version.
8dd812
+ *
8dd812
+ * GnuTLS is distributed in the hope that it will be useful, but
8dd812
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
8dd812
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
8dd812
+ * General Public License for more details.
8dd812
+ *
8dd812
+ * You should have received a copy of the GNU Lesser General Public License
8dd812
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
8dd812
+ */
8dd812
+
8dd812
+#ifdef HAVE_CONFIG_H
8dd812
+#include <config.h>
8dd812
+#endif
8dd812
+
8dd812
+#include "gnutls_int.h"
8dd812
+#include "../lib/iov.h"
8dd812
+
8dd812
+#include "utils.h"
8dd812
+
8dd812
+struct exp_st {
8dd812
+	ssize_t ret;
8dd812
+	size_t iov_index;
8dd812
+	size_t iov_offset;
8dd812
+	size_t block_offset;
8dd812
+};
8dd812
+
8dd812
+struct test_st {
8dd812
+	const char *name;
8dd812
+	const giovec_t *iov;
8dd812
+	size_t iovcnt;
8dd812
+	size_t block_size;
8dd812
+	const struct exp_st *exp;
8dd812
+	size_t expcnt;
8dd812
+	size_t remaining;
8dd812
+};
8dd812
+
8dd812
+static const giovec_t iov16[] = {
8dd812
+	{(void *) "0123456789abcdef", 16},
8dd812
+	{(void *) "0123456789abcdef", 16},
8dd812
+	{(void *) "0123456789abcdef", 16},
8dd812
+	{(void *) "0123456789abcdef", 16}
8dd812
+};
8dd812
+
8dd812
+static const struct exp_st exp16_64[] = {
8dd812
+	{1, 3, 16, 0},
8dd812
+	{0, 0, 0, 0}
8dd812
+};
8dd812
+
8dd812
+static const struct exp_st exp16_32[] = {
8dd812
+	{1, 1, 16, 0},
8dd812
+	{1, 3, 16, 0},
8dd812
+	{0, 0, 0, 0}
8dd812
+};
8dd812
+
8dd812
+static const struct exp_st exp16_16[] = {
8dd812
+	{1, 1, 0, 0},
8dd812
+	{1, 2, 0, 0},
8dd812
+	{1, 3, 0, 0},
8dd812
+	{1, 4, 0, 0},
8dd812
+	{0, 0, 0, 0}
8dd812
+};
8dd812
+
8dd812
+static const struct exp_st exp16_4[] = {
8dd812
+	{4, 1, 0, 0},
8dd812
+	{4, 2, 0, 0},
8dd812
+	{4, 3, 0, 0},
8dd812
+	{4, 4, 0, 0},
8dd812
+	{0, 0, 0, 0}
8dd812
+};
8dd812
+
8dd812
+static const struct exp_st exp16_3[] = {
8dd812
+	{5, 0, 15, 0},
8dd812
+	{1, 1, 2, 0},
8dd812
+	{4, 1, 14, 0},
8dd812
+	{1, 2, 1, 0},
8dd812
+	{5, 3, 0, 0},
8dd812
+	{5, 3, 15, 0},
8dd812
+	{0, 0, 0, 1}
8dd812
+};
8dd812
+
8dd812
+static const giovec_t iov8[] = {
8dd812
+	{(void *) "01234567", 8},
8dd812
+	{(void *) "01234567", 8},
8dd812
+	{(void *) "01234567", 8},
8dd812
+	{(void *) "01234567", 8}
8dd812
+};
8dd812
+
8dd812
+static const struct exp_st exp8_64[] = {
8dd812
+	{0, 0, 0, 32}
8dd812
+};
8dd812
+
8dd812
+static const struct test_st tests[] = {
8dd812
+	{ "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64,
8dd812
+	  exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 },
8dd812
+	{ "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32,
8dd812
+	  exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 },
8dd812
+	{ "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16,
8dd812
+	  exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 },
8dd812
+	{ "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4,
8dd812
+	  exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 },
8dd812
+	{ "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3,
8dd812
+	  exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 },
8dd812
+	{ "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64,
8dd812
+	  exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 }
8dd812
+};
8dd812
+
8dd812
+void
8dd812
+doit (void)
8dd812
+{
8dd812
+	size_t i;
8dd812
+
8dd812
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
8dd812
+		struct iov_iter_st iter;
8dd812
+		const struct exp_st *exp = tests[i].exp;
8dd812
+		uint8_t *data;
8dd812
+		size_t j;
8dd812
+
8dd812
+		success("%s\n", tests[i].name);
8dd812
+		assert(_gnutls_iov_iter_init(&iter,
8dd812
+					     tests[i].iov, tests[i].iovcnt,
8dd812
+					     tests[i].block_size) == 0);
8dd812
+		for (j = 0; j < tests[i].expcnt; j++) {
8dd812
+			ssize_t ret;
8dd812
+
8dd812
+			ret = _gnutls_iov_iter_next(&iter, &data);
8dd812
+			if (ret != exp[j].ret)
8dd812
+				fail("iov_iter_next: %d != %d\n",
8dd812
+				     (int) ret, (int) exp[j].ret);
8dd812
+			else if (debug)
8dd812
+				success("iov_iter_next: %d == %d\n",
8dd812
+					(int) ret, (int) exp[j].ret);
8dd812
+			if (ret == 0)
8dd812
+				break;
8dd812
+			if (ret > 0) {
8dd812
+				if (iter.iov_index != exp[j].iov_index)
8dd812
+					fail("iter.iov_index: %u != %u\n",
8dd812
+					     (unsigned) iter.iov_index, (unsigned) exp[j].iov_index);
8dd812
+				else if (debug)
8dd812
+					success("iter.iov_index: %u == %u\n",
8dd812
+					     (unsigned) iter.iov_index, (unsigned) exp[j].iov_index);
8dd812
+				if (iter.iov_offset != exp[j].iov_offset)
8dd812
+					fail("iter.iov_offset: %u != %u\n",
8dd812
+					     (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset);
8dd812
+				else if (debug)
8dd812
+					success("iter.iov_offset: %u == %u\n",
8dd812
+					     (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset);
8dd812
+				if (iter.block_offset != exp[j].block_offset)
8dd812
+					fail("iter.block_offset: %u != %u\n",
8dd812
+					     (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
8dd812
+				else if (debug)
8dd812
+					success("iter.block_offset: %u == %u\n",
8dd812
+					     (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
8dd812
+			}
8dd812
+		}
8dd812
+		if (iter.block_offset != tests[i].remaining)
8dd812
+			fail("remaining: %u != %u\n",
8dd812
+			     (unsigned) iter.block_offset, (unsigned) tests[i].remaining);
8dd812
+	}
8dd812
+}
8dd812
-- 
8dd812
2.21.0
8dd812
8dd812
8dd812
From 9ca7a2b42168d356126e306e25211d43ea3c2e7d Mon Sep 17 00:00:00 2001
8dd812
From: Daiki Ueno <dueno@redhat.com>
8dd812
Date: Thu, 1 Aug 2019 18:13:38 +0200
8dd812
Subject: [PATCH 2/3] crypto-api: use giovec_t iterator interface for
8dd812
 aead_encryptv
8dd812
8dd812
This replaces the macros AUTH_UPDATE and ENCRYPT used in
8dd812
gnutls_aead_cipher_encryptv() with the iov_iter interface.
8dd812
8dd812
Signed-off-by: Daiki Ueno <dueno@redhat.com>
8dd812
---
8dd812
 lib/crypto-api.c | 167 ++++++++++++++++-------------------------------
8dd812
 1 file changed, 57 insertions(+), 110 deletions(-)
8dd812
8dd812
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
8dd812
index 8af3f3b7d..70107fed0 100644
8dd812
--- a/lib/crypto-api.c
8dd812
+++ b/lib/crypto-api.c
8dd812
@@ -31,6 +31,7 @@
8dd812
 #include <crypto.h>
8dd812
 #include <fips.h>
8dd812
 #include "crypto-api.h"
8dd812
+#include "iov.h"
8dd812
 
8dd812
 typedef struct api_cipher_hd_st {
8dd812
 	cipher_hd_st ctx_enc;
8dd812
@@ -916,98 +917,6 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
8dd812
 	}
8dd812
 }
8dd812
 
8dd812
-#define AUTH_UPDATE_FINAL(ctx) do { \
8dd812
-	if (index) { \
8dd812
-		ret = _gnutls_cipher_auth(ctx, cache, index); \
8dd812
-		if (unlikely(ret < 0)) \
8dd812
-			return gnutls_assert_val(ret); \
8dd812
-	} \
8dd812
-	} while(0)
8dd812
-
8dd812
-#define AUTH_UPDATE(ctx, data, length) do { \
8dd812
-	if (index) { \
8dd812
-		ssize_t left = blocksize - index; \
8dd812
-		if (length < left) { \
8dd812
-			memcpy(cache+index, data, \
8dd812
-			       length); \
8dd812
-			index += length; \
8dd812
-			goto __update_done; \
8dd812
-		} else { \
8dd812
-			memcpy(cache+index, data, left); \
8dd812
-			ret = _gnutls_cipher_auth(ctx, cache, blocksize); \
8dd812
-			if (unlikely(ret < 0)) \
8dd812
-				return gnutls_assert_val(ret); \
8dd812
-			data += left; \
8dd812
-			length -= left; \
8dd812
-		} \
8dd812
-	} \
8dd812
-	if (length >= blocksize) { \
8dd812
-		ssize_t to_proc = (length/blocksize)*blocksize; \
8dd812
-		ret = _gnutls_cipher_auth(ctx, data, to_proc); \
8dd812
-		if (unlikely(ret < 0)) \
8dd812
-			return gnutls_assert_val(ret); \
8dd812
-		data += to_proc; \
8dd812
-		length -= to_proc; \
8dd812
-	} \
8dd812
-	if (length) \
8dd812
-		memcpy(cache, data, length); \
8dd812
-	index = length; \
8dd812
- __update_done: \
8dd812
-	; \
8dd812
-	} while(0)
8dd812
-
8dd812
-#define ENCRYPT_FINAL(ctx, dst, dst_size) do { \
8dd812
-	if (index) { \
8dd812
-		if (unlikely(dst_size < (ssize_t)index)) \
8dd812
-			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \
8dd812
-		ret = _gnutls_cipher_encrypt2(ctx, cache, index, dst, dst_size); \
8dd812
-		if (unlikely(ret < 0)) \
8dd812
-			return gnutls_assert_val(ret); \
8dd812
-		dst += index; \
8dd812
-		dst_size -= index; \
8dd812
-	} \
8dd812
-	} while(0)
8dd812
-
8dd812
-#define ENCRYPT(ctx, data, length, dst, dst_size) do { \
8dd812
-	if (index) { \
8dd812
-		ssize_t left = blocksize - index; \
8dd812
-		if (length < left) { \
8dd812
-			memcpy(cache+index, data, \
8dd812
-			       length); \
8dd812
-			index += length; \
8dd812
-			goto __encrypt_done; \
8dd812
-		} else { \
8dd812
-			if (unlikely(dst_size < blocksize)) \
8dd812
-				return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \
8dd812
-			memcpy(cache+index, data, left); \
8dd812
-			ret = _gnutls_cipher_encrypt2(ctx, cache, blocksize, dst, dst_size); \
8dd812
-			if (unlikely(ret < 0)) \
8dd812
-				return gnutls_assert_val(ret); \
8dd812
-			data += left; \
8dd812
-			length -= left; \
8dd812
-			dst += blocksize; \
8dd812
-			dst_size -= blocksize; \
8dd812
-		} \
8dd812
-	} \
8dd812
-	if (length >= blocksize) { \
8dd812
-		ssize_t to_proc = (length/blocksize)*blocksize; \
8dd812
-		if (unlikely(dst_size < to_proc)) \
8dd812
-			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \
8dd812
-		ret = _gnutls_cipher_encrypt2(ctx, data, to_proc, dst, dst_size); \
8dd812
-		if (unlikely(ret < 0)) \
8dd812
-			return gnutls_assert_val(ret); \
8dd812
-		data += to_proc; \
8dd812
-		length -= to_proc; \
8dd812
-		dst += to_proc; \
8dd812
-		dst_size -= to_proc; \
8dd812
-	} \
8dd812
-	if (length) \
8dd812
-		memcpy(cache, data, length); \
8dd812
-	index = length; \
8dd812
- __encrypt_done: \
8dd812
-	; \
8dd812
-	} while(0)
8dd812
-
8dd812
 
8dd812
 /**
8dd812
  * gnutls_aead_cipher_encryptv:
8dd812
@@ -1039,14 +948,13 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
8dd812
 			    void *ctext, size_t *ctext_len)
8dd812
 {
8dd812
 	api_aead_cipher_hd_st *h = handle;
8dd812
-	int ret;
8dd812
+	ssize_t ret;
8dd812
 	uint8_t *dst;
8dd812
-	ssize_t dst_size, total = 0, len;
8dd812
+	ssize_t dst_size, total = 0;
8dd812
 	uint8_t *p;
8dd812
-	unsigned i;
8dd812
-	uint8_t cache[MAX_CIPHER_BLOCK_SIZE];
8dd812
-	unsigned index;
8dd812
 	ssize_t blocksize = handle->ctx_enc.e->blocksize;
8dd812
+	struct iov_iter_st iter;
8dd812
+	size_t blocks;
8dd812
 
8dd812
 	/* Limitation: this function provides an optimization under the internally registered
8dd812
 	 * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
8dd812
@@ -1088,25 +996,64 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
8dd812
 	if (unlikely(ret < 0))
8dd812
 		return gnutls_assert_val(ret);
8dd812
 
8dd812
-	index = 0;
8dd812
-	for (i = 0; i < (unsigned)auth_iovcnt; i++) {
8dd812
-		p = auth_iov[i].iov_base;
8dd812
-		len = auth_iov[i].iov_len;
8dd812
-		AUTH_UPDATE(&handle->ctx_enc, p, len);
8dd812
+	ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+	while (1) {
8dd812
+		ret = _gnutls_iov_iter_next(&iter, &p);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		if (ret == 0)
8dd812
+			break;
8dd812
+		blocks = ret;
8dd812
+		ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
8dd812
+					  blocksize * blocks);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+	if (iter.block_offset > 0) {
8dd812
+		ret = _gnutls_cipher_auth(&handle->ctx_enc,
8dd812
+					  iter.block, iter.block_offset);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
 	}
8dd812
-	AUTH_UPDATE_FINAL(&handle->ctx_enc);
8dd812
 
8dd812
 	dst = ctext;
8dd812
 	dst_size = *ctext_len;
8dd812
 
8dd812
-	index = 0;
8dd812
-	for (i = 0; i < (unsigned)iovcnt; i++) {
8dd812
-		p = iov[i].iov_base;
8dd812
-		len = iov[i].iov_len;
8dd812
-		ENCRYPT(&handle->ctx_enc, p, len, dst, dst_size);
8dd812
-		total += iov[i].iov_len;
8dd812
+	ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+	while (1) {
8dd812
+		ret = _gnutls_iov_iter_next(&iter, &p);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		if (ret == 0)
8dd812
+			break;
8dd812
+		blocks = ret;
8dd812
+		if (unlikely((size_t) dst_size < blocksize * blocks))
8dd812
+			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
8dd812
+		ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
8dd812
+					      blocksize * blocks,
8dd812
+					      dst, dst_size);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		DECR_LEN(dst_size, blocksize * blocks);
8dd812
+		dst += blocksize * blocks;
8dd812
+		total += blocksize * blocks;
8dd812
+	}
8dd812
+	if (iter.block_offset > 0) {
8dd812
+		if (unlikely((size_t) dst_size < iter.block_offset))
8dd812
+			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
8dd812
+		ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
8dd812
+					      iter.block, iter.block_offset,
8dd812
+					      dst, dst_size);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		DECR_LEN(dst_size, iter.block_offset);
8dd812
+		dst += iter.block_offset;
8dd812
+		total += iter.block_offset;
8dd812
 	}
8dd812
-	ENCRYPT_FINAL(&handle->ctx_enc, dst, dst_size);
8dd812
 
8dd812
 	if ((size_t)dst_size < tag_size)
8dd812
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
8dd812
-- 
8dd812
2.21.0
8dd812
8dd812
8dd812
From d230011cdbbe55f429b43d818c75c8f6687cbc78 Mon Sep 17 00:00:00 2001
8dd812
From: Daiki Ueno <dueno@redhat.com>
8dd812
Date: Fri, 2 Aug 2019 07:40:44 +0200
8dd812
Subject: [PATCH 3/3] crypto-api: add gnutls_aead_cipher_{en,de}cryptv2
8dd812
8dd812
This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and
8dd812
gnutls_aead_cipher_decrypt(), that works on data buffers.
8dd812
8dd812
Signed-off-by: Daiki Ueno <dueno@redhat.com>
8dd812
---
8dd812
 .gitignore                        |   1 +
8dd812
 NEWS                              |   7 +
8dd812
 devel/libgnutls-latest-x86_64.abi |  26 +++
8dd812
 devel/symbols.last                |   3 +
8dd812
 doc/Makefile.am                   |   4 +
8dd812
 doc/manpages/Makefile.am          |   2 +
8dd812
 lib/crypto-api.c                  | 356 +++++++++++++++++++++++++++++-
8dd812
 lib/includes/gnutls/crypto.h      |  14 ++
8dd812
 lib/libgnutls.map                 |   7 +
8dd812
 tests/Makefile.am                 |   2 +-
8dd812
 tests/aead-cipher-vec.c           | 123 +++++++++++
8dd812
 11 files changed, 541 insertions(+), 4 deletions(-)
8dd812
 create mode 100644 tests/aead-cipher-vec.c
8dd812
8dd812
diff --git a/doc/Makefile.am b/doc/Makefile.am
8dd812
index 6d21d7482..add63c23d 100644
8dd812
--- a/doc/Makefile.am
8dd812
+++ b/doc/Makefile.am
8dd812
@@ -635,12 +635,16 @@ FUNCS += functions/dane_verify_session_crt
8dd812
 FUNCS += functions/dane_verify_session_crt.short
8dd812
 FUNCS += functions/gnutls_aead_cipher_decrypt
8dd812
 FUNCS += functions/gnutls_aead_cipher_decrypt.short
8dd812
+FUNCS += functions/gnutls_aead_cipher_decryptv2
8dd812
+FUNCS += functions/gnutls_aead_cipher_decryptv2.short
8dd812
 FUNCS += functions/gnutls_aead_cipher_deinit
8dd812
 FUNCS += functions/gnutls_aead_cipher_deinit.short
8dd812
 FUNCS += functions/gnutls_aead_cipher_encrypt
8dd812
 FUNCS += functions/gnutls_aead_cipher_encrypt.short
8dd812
 FUNCS += functions/gnutls_aead_cipher_encryptv
8dd812
 FUNCS += functions/gnutls_aead_cipher_encryptv.short
8dd812
+FUNCS += functions/gnutls_aead_cipher_encryptv2
8dd812
+FUNCS += functions/gnutls_aead_cipher_encryptv2.short
8dd812
 FUNCS += functions/gnutls_aead_cipher_init
8dd812
 FUNCS += functions/gnutls_aead_cipher_init.short
8dd812
 FUNCS += functions/gnutls_alert_get
8dd812
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
8dd812
index d06c18013..ee855adf3 100644
8dd812
--- a/doc/manpages/Makefile.am
8dd812
+++ b/doc/manpages/Makefile.am
8dd812
@@ -119,9 +119,11 @@ APIMANS += dane_verify_crt.3
8dd812
 APIMANS += dane_verify_crt_raw.3
8dd812
 APIMANS += dane_verify_session_crt.3
8dd812
 APIMANS += gnutls_aead_cipher_decrypt.3
8dd812
+APIMANS += gnutls_aead_cipher_decryptv2.3
8dd812
 APIMANS += gnutls_aead_cipher_deinit.3
8dd812
 APIMANS += gnutls_aead_cipher_encrypt.3
8dd812
 APIMANS += gnutls_aead_cipher_encryptv.3
8dd812
+APIMANS += gnutls_aead_cipher_encryptv2.3
8dd812
 APIMANS += gnutls_aead_cipher_init.3
8dd812
 APIMANS += gnutls_alert_get.3
8dd812
 APIMANS += gnutls_alert_get_name.3
8dd812
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
8dd812
index 70107fed0..2834c0199 100644
8dd812
--- a/lib/crypto-api.c
8dd812
+++ b/lib/crypto-api.c
8dd812
@@ -885,7 +885,26 @@ static void iov_store_free(struct iov_store_st *s)
8dd812
 	}
8dd812
 }
8dd812
 
8dd812
-static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
8dd812
+static int iov_store_grow(struct iov_store_st *s, size_t length)
8dd812
+{
8dd812
+	if (s->allocated || s->data == NULL) {
8dd812
+		s->size += length;
8dd812
+		s->data = gnutls_realloc(s->data, s->size);
8dd812
+		if (s->data == NULL)
8dd812
+			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
8dd812
+		s->allocated = 1;
8dd812
+	} else {
8dd812
+		void *data = s->data;
8dd812
+		size_t size = s->size + length;
8dd812
+		s->data = gnutls_malloc(size);
8dd812
+		memcpy(s->data, data, s->size);
8dd812
+		s->size += length;
8dd812
+	}
8dd812
+	return 0;
8dd812
+}
8dd812
+
8dd812
+static int
8dd812
+copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
8dd812
 {
8dd812
 	memset(dst, 0, sizeof(*dst));
8dd812
 	if (iovcnt == 0) {
8dd812
@@ -917,6 +936,27 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
8dd812
 	}
8dd812
 }
8dd812
 
8dd812
+static int
8dd812
+copy_to_iov(struct iov_store_st *src, size_t size,
8dd812
+	    const giovec_t *iov, int iovcnt)
8dd812
+{
8dd812
+	size_t offset = 0;
8dd812
+	int i;
8dd812
+
8dd812
+	if (unlikely(src->size < size))
8dd812
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
8dd812
+
8dd812
+	for (i = 0; i < iovcnt && size > 0; i++) {
8dd812
+		size_t to_copy = MIN(size, iov[i].iov_len);
8dd812
+		memcpy(iov[i].iov_base, (uint8_t *) src->data + offset, to_copy);
8dd812
+		offset += to_copy;
8dd812
+		size -= to_copy;
8dd812
+	}
8dd812
+	if (size > 0)
8dd812
+		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
8dd812
+	return 0;
8dd812
+}
8dd812
+
8dd812
 
8dd812
 /**
8dd812
  * gnutls_aead_cipher_encryptv:
8dd812
@@ -971,11 +1011,11 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
8dd812
 		struct iov_store_st auth;
8dd812
 		struct iov_store_st ptext;
8dd812
 
8dd812
-		ret = copy_iov(&auth, auth_iov, auth_iovcnt);
8dd812
+		ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
8dd812
 		if (ret < 0)
8dd812
 			return gnutls_assert_val(ret);
8dd812
 
8dd812
-		ret = copy_iov(&ptext, iov, iovcnt);
8dd812
+		ret = copy_from_iov(&ptext, iov, iovcnt);
8dd812
 		if (ret < 0) {
8dd812
 			iov_store_free(&auth);
8dd812
 			return gnutls_assert_val(ret);
8dd812
@@ -1066,6 +1106,316 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
8dd812
 	return 0;
8dd812
 }
8dd812
 
8dd812
+/**
8dd812
+ * gnutls_aead_cipher_encryptv2:
8dd812
+ * @handle: is a #gnutls_aead_cipher_hd_t type.
8dd812
+ * @nonce: the nonce to set
8dd812
+ * @nonce_len: The length of the nonce
8dd812
+ * @auth_iov: additional data to be authenticated
8dd812
+ * @auth_iovcnt: The number of buffers in @auth_iov
8dd812
+ * @iov: the data to be encrypted
8dd812
+ * @iovcnt: The number of buffers in @iov
8dd812
+ * @tag: The authentication tag
8dd812
+ * @tag_size: The size of the tag to use (use zero for the default)
8dd812
+ *
8dd812
+ * This is similar to gnutls_aead_cipher_encrypt(), but it performs
8dd812
+ * in-place encryption on the provided data buffers.
8dd812
+ *
8dd812
+ * Returns: Zero or a negative error code on error.
8dd812
+ *
8dd812
+ * Since: 3.6.10
8dd812
+ **/
8dd812
+int
8dd812
+gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
8dd812
+			     const void *nonce, size_t nonce_len,
8dd812
+			     const giovec_t *auth_iov, int auth_iovcnt,
8dd812
+			     const giovec_t *iov, int iovcnt,
8dd812
+			     void *tag, size_t *tag_size)
8dd812
+{
8dd812
+	api_aead_cipher_hd_st *h = handle;
8dd812
+	ssize_t ret;
8dd812
+	uint8_t *p;
8dd812
+	ssize_t blocksize = handle->ctx_enc.e->blocksize;
8dd812
+	struct iov_iter_st iter;
8dd812
+	size_t blocks;
8dd812
+	size_t _tag_size;
8dd812
+
8dd812
+	if (tag_size == NULL || *tag_size == 0)
8dd812
+		_tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e);
8dd812
+	else
8dd812
+		_tag_size = *tag_size;
8dd812
+
8dd812
+	if (_tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e))
8dd812
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
8dd812
+
8dd812
+	/* Limitation: this function provides an optimization under the internally registered
8dd812
+	 * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
8dd812
+	 * then this becomes a convenience function as it missed the lower-level primitives
8dd812
+	 * necessary for piecemeal encryption. */
8dd812
+	if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) {
8dd812
+		/* ciphertext cannot be produced in a piecemeal approach */
8dd812
+		struct iov_store_st auth;
8dd812
+		struct iov_store_st ptext;
8dd812
+		size_t ptext_size;
8dd812
+
8dd812
+		ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
8dd812
+		if (ret < 0)
8dd812
+			return gnutls_assert_val(ret);
8dd812
+
8dd812
+		ret = copy_from_iov(&ptext, iov, iovcnt);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+		ptext_size = ptext.size;
8dd812
+
8dd812
+		/* append space for tag */
8dd812
+		ret = iov_store_grow(&ptext, _tag_size);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+		ret = gnutls_aead_cipher_encrypt(handle, nonce, nonce_len,
8dd812
+						 auth.data, auth.size,
8dd812
+						 _tag_size,
8dd812
+						 ptext.data, ptext_size,
8dd812
+						 ptext.data, &ptext.size);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+		ret = copy_to_iov(&ptext, ptext_size, iov, iovcnt);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+		if (tag != NULL)
8dd812
+			memcpy(tag,
8dd812
+			       (uint8_t *) ptext.data + ptext_size,
8dd812
+			       _tag_size);
8dd812
+		if (tag_size != NULL)
8dd812
+			*tag_size = _tag_size;
8dd812
+
8dd812
+	fallback_fail:
8dd812
+		iov_store_free(&auth);
8dd812
+		iov_store_free(&ptext);
8dd812
+
8dd812
+		return ret;
8dd812
+	}
8dd812
+
8dd812
+	ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+
8dd812
+	ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+	while (1) {
8dd812
+		ret = _gnutls_iov_iter_next(&iter, &p);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		if (ret == 0)
8dd812
+			break;
8dd812
+		blocks = ret;
8dd812
+		ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
8dd812
+					  blocksize * blocks);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+	if (iter.block_offset > 0) {
8dd812
+		ret = _gnutls_cipher_auth(&handle->ctx_enc,
8dd812
+					  iter.block, iter.block_offset);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+
8dd812
+	ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+	while (1) {
8dd812
+		ret = _gnutls_iov_iter_next(&iter, &p);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		if (ret == 0)
8dd812
+			break;
8dd812
+		blocks = ret;
8dd812
+		ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
8dd812
+					      p, blocksize * blocks,
8dd812
+					      p, blocksize * blocks);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+	if (iter.block_offset > 0) {
8dd812
+		ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
8dd812
+					      iter.block, iter.block_offset,
8dd812
+					      iter.block, iter.block_offset);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+
8dd812
+	if (tag != NULL)
8dd812
+		_gnutls_cipher_tag(&handle->ctx_enc, tag, _tag_size);
8dd812
+	if (tag_size != NULL)
8dd812
+		*tag_size = _tag_size;
8dd812
+
8dd812
+	return 0;
8dd812
+}
8dd812
+
8dd812
+/**
8dd812
+ * gnutls_aead_cipher_decryptv2:
8dd812
+ * @handle: is a #gnutls_aead_cipher_hd_t type.
8dd812
+ * @nonce: the nonce to set
8dd812
+ * @nonce_len: The length of the nonce
8dd812
+ * @auth_iov: additional data to be authenticated
8dd812
+ * @auth_iovcnt: The number of buffers in @auth_iov
8dd812
+ * @iov: the data to decrypt
8dd812
+ * @iovcnt: The number of buffers in @iov
8dd812
+ * @tag: The authentication tag
8dd812
+ * @tag_size: The size of the tag to use (use zero for the default)
8dd812
+ *
8dd812
+ * This is similar to gnutls_aead_cipher_decrypt(), but it performs
8dd812
+ * in-place encryption on the provided data buffers.
8dd812
+ *
8dd812
+ * Returns: Zero or a negative error code on error.
8dd812
+ *
8dd812
+ * Since: 3.6.10
8dd812
+ **/
8dd812
+int
8dd812
+gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
8dd812
+			     const void *nonce, size_t nonce_len,
8dd812
+			     const giovec_t *auth_iov, int auth_iovcnt,
8dd812
+			     const giovec_t *iov, int iovcnt,
8dd812
+			     void *tag, size_t tag_size)
8dd812
+{
8dd812
+	api_aead_cipher_hd_st *h = handle;
8dd812
+	ssize_t ret;
8dd812
+	uint8_t *p;
8dd812
+	ssize_t blocksize = handle->ctx_enc.e->blocksize;
8dd812
+	struct iov_iter_st iter;
8dd812
+	size_t blocks;
8dd812
+	uint8_t _tag[MAX_HASH_SIZE];
8dd812
+
8dd812
+	if (tag_size == 0)
8dd812
+		tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e);
8dd812
+	else if (tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e))
8dd812
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
8dd812
+
8dd812
+	/* Limitation: this function provides an optimization under the internally registered
8dd812
+	 * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
8dd812
+	 * then this becomes a convenience function as it missed the lower-level primitives
8dd812
+	 * necessary for piecemeal encryption. */
8dd812
+	if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) {
8dd812
+		/* ciphertext cannot be produced in a piecemeal approach */
8dd812
+		struct iov_store_st auth;
8dd812
+		struct iov_store_st ctext;
8dd812
+		size_t ctext_size;
8dd812
+
8dd812
+		ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
8dd812
+		if (ret < 0)
8dd812
+			return gnutls_assert_val(ret);
8dd812
+
8dd812
+		ret = copy_from_iov(&ctext, iov, iovcnt);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+		ctext_size = ctext.size;
8dd812
+
8dd812
+		/* append tag */
8dd812
+		ret = iov_store_grow(&ctext, tag_size);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+		memcpy((uint8_t *) ctext.data + ctext_size, tag, tag_size);
8dd812
+
8dd812
+		ret = gnutls_aead_cipher_decrypt(handle, nonce, nonce_len,
8dd812
+						 auth.data, auth.size,
8dd812
+						 tag_size,
8dd812
+						 ctext.data, ctext.size,
8dd812
+						 ctext.data, &ctext_size);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+		ret = copy_to_iov(&ctext, ctext_size, iov, iovcnt);
8dd812
+		if (ret < 0) {
8dd812
+			gnutls_assert();
8dd812
+			goto fallback_fail;
8dd812
+		}
8dd812
+
8dd812
+	fallback_fail:
8dd812
+		iov_store_free(&auth);
8dd812
+		iov_store_free(&ctext);
8dd812
+
8dd812
+		return ret;
8dd812
+	}
8dd812
+
8dd812
+	ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+
8dd812
+	ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+	while (1) {
8dd812
+		ret = _gnutls_iov_iter_next(&iter, &p);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		if (ret == 0)
8dd812
+			break;
8dd812
+		blocks = ret;
8dd812
+		ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
8dd812
+					  blocksize * blocks);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+	if (iter.block_offset > 0) {
8dd812
+		ret = _gnutls_cipher_auth(&handle->ctx_enc,
8dd812
+					  iter.block, iter.block_offset);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+
8dd812
+	ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
8dd812
+	if (unlikely(ret < 0))
8dd812
+		return gnutls_assert_val(ret);
8dd812
+	while (1) {
8dd812
+		ret = _gnutls_iov_iter_next(&iter, &p);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+		if (ret == 0)
8dd812
+			break;
8dd812
+		blocks = ret;
8dd812
+		ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
8dd812
+					      p, blocksize * blocks,
8dd812
+					      p, blocksize * blocks);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+	if (iter.block_offset > 0) {
8dd812
+		ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
8dd812
+					      iter.block, iter.block_offset,
8dd812
+					      iter.block, iter.block_offset);
8dd812
+		if (unlikely(ret < 0))
8dd812
+			return gnutls_assert_val(ret);
8dd812
+	}
8dd812
+
8dd812
+	if (tag != NULL) {
8dd812
+		_gnutls_cipher_tag(&handle->ctx_enc, _tag, tag_size);
8dd812
+		if (gnutls_memcmp(_tag, tag, tag_size) != 0)
8dd812
+			return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
8dd812
+	}
8dd812
+
8dd812
+	return 0;
8dd812
+}
8dd812
+
8dd812
 /**
8dd812
  * gnutls_aead_cipher_deinit:
8dd812
  * @handle: is a #gnutls_aead_cipher_hd_t type.
8dd812
diff --git a/lib/includes/gnutls/crypto.h b/lib/includes/gnutls/crypto.h
8dd812
index d2b8cae8f..4d4926c86 100644
8dd812
--- a/lib/includes/gnutls/crypto.h
8dd812
+++ b/lib/includes/gnutls/crypto.h
8dd812
@@ -92,6 +92,20 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
8dd812
 			    const giovec_t *iov, int iovcnt,
8dd812
 			    void *ctext, size_t *ctext_len);
8dd812
 
8dd812
+int
8dd812
+gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
8dd812
+			     const void *nonce, size_t nonce_len,
8dd812
+			     const giovec_t *auth_iov, int auth_iovcnt,
8dd812
+			     const giovec_t *iov, int iovcnt,
8dd812
+			     void *tag, size_t *tag_size);
8dd812
+
8dd812
+int
8dd812
+gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
8dd812
+			     const void *nonce, size_t nonce_len,
8dd812
+			     const giovec_t *auth_iov, int auth_iovcnt,
8dd812
+			     const giovec_t *iov, int iovcnt,
8dd812
+			     void *tag, size_t tag_size);
8dd812
+
8dd812
 void gnutls_aead_cipher_deinit(gnutls_aead_cipher_hd_t handle);
8dd812
 
8dd812
 /* Hash - MAC API */
8dd812
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
8dd812
index fc93c0857..f83a21e9b 100644
8dd812
--- a/lib/libgnutls.map
8dd812
+++ b/lib/libgnutls.map
8dd812
@@ -1286,6 +1286,13 @@ GNUTLS_3_6_8
8dd812
 	gnutls_ffdhe_8192_group_q;
8dd812
 } GNUTLS_3_6_6;
8dd812
 
8dd812
+GNUTLS_3_6_10
8dd812
+{
8dd812
+ global:
8dd812
+	gnutls_aead_cipher_encryptv2;
8dd812
+	gnutls_aead_cipher_decryptv2;
8dd812
+} GNUTLS_3_6_8;
8dd812
+
8dd812
 GNUTLS_FIPS140_3_4 {
8dd812
   global:
8dd812
 	gnutls_cipher_self_test;
8dd812
diff --git a/tests/Makefile.am b/tests/Makefile.am
8dd812
index a2883570f..075c2728f 100644
8dd812
--- a/tests/Makefile.am
8dd812
+++ b/tests/Makefile.am
8dd812
@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
8dd812
 	 null_retrieve_function tls-record-size-limit tls-crt_type-neg \
8dd812
 	 resume-with-stek-expiration resume-with-previous-stek rawpk-api \
8dd812
 	 tls-record-size-limit-asym dh-compute ecdh-compute \
8dd812
-	 sign-verify-deterministic iov
8dd812
+	 sign-verify-deterministic iov aead-cipher-vec
8dd812
 
8dd812
 if HAVE_SECCOMP_TESTS
8dd812
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
8dd812
diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
8dd812
new file mode 100644
8dd812
index 000000000..6c2542cf1
8dd812
--- /dev/null
8dd812
+++ b/tests/aead-cipher-vec.c
8dd812
@@ -0,0 +1,123 @@
8dd812
+/*
8dd812
+ * Copyright (C) 2019 Red Hat, Inc.
8dd812
+ *
8dd812
+ * Author: Daiki Ueno
8dd812
+ *
8dd812
+ * This file is part of GnuTLS.
8dd812
+ *
8dd812
+ * GnuTLS is free software; you can redistribute it and/or modify it
8dd812
+ * under the terms of the GNU General Public License as published by
8dd812
+ * the Free Software Foundation; either version 3 of the License, or
8dd812
+ * (at your option) any later version.
8dd812
+ *
8dd812
+ * GnuTLS is distributed in the hope that it will be useful, but
8dd812
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
8dd812
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
8dd812
+ * General Public License for more details.
8dd812
+ *
8dd812
+ * You should have received a copy of the GNU Lesser General Public License
8dd812
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
8dd812
+ */
8dd812
+
8dd812
+#ifdef HAVE_CONFIG_H
8dd812
+#include <config.h>
8dd812
+#endif
8dd812
+
8dd812
+#include <gnutls/crypto.h>
8dd812
+
8dd812
+#include <assert.h>
8dd812
+#include <stdint.h>
8dd812
+#include <string.h>
8dd812
+#include "utils.h"
8dd812
+
8dd812
+static void tls_log_func(int level, const char *str)
8dd812
+{
8dd812
+	fprintf(stderr, "<%d>| %s", level, str);
8dd812
+}
8dd812
+
8dd812
+/* Test whether gnutls_aead_cipher_{en,de}crypt_vec works */
8dd812
+static void start(const char *name, int algo)
8dd812
+{
8dd812
+	int ret;
8dd812
+	gnutls_aead_cipher_hd_t ch;
8dd812
+	uint8_t key16[64];
8dd812
+	uint8_t iv16[32];
8dd812
+	uint8_t auth[128];
8dd812
+	uint8_t data[128+64];
8dd812
+	gnutls_datum_t key, iv;
8dd812
+	giovec_t iov[2];
8dd812
+	giovec_t auth_iov[2];
8dd812
+	uint8_t tag[64];
8dd812
+	size_t tag_size = 0;
8dd812
+
8dd812
+	key.data = key16;
8dd812
+	key.size = gnutls_cipher_get_key_size(algo);
8dd812
+	assert(key.size <= sizeof(key16));
8dd812
+
8dd812
+	iv.data = iv16;
8dd812
+	iv.size = gnutls_cipher_get_iv_size(algo);
8dd812
+	assert(iv.size <= sizeof(iv16));
8dd812
+
8dd812
+	memset(iv.data, 0xff, iv.size);
8dd812
+	memset(key.data, 0xfe, key.size);
8dd812
+	memset(data, 0xfa, 128);
8dd812
+	memset(auth, 0xaa, sizeof(auth));
8dd812
+
8dd812
+	iov[0].iov_base = data;
8dd812
+	iov[0].iov_len = 64;
8dd812
+	iov[1].iov_base = data + 64;
8dd812
+	iov[1].iov_len = 64;
8dd812
+
8dd812
+	auth_iov[0].iov_base = auth;
8dd812
+	auth_iov[0].iov_len = 64;
8dd812
+	auth_iov[1].iov_base = auth + 64;
8dd812
+	auth_iov[1].iov_len = 64;
8dd812
+
8dd812
+	success("trying %s\n", name);
8dd812
+
8dd812
+	ret =
8dd812
+	    gnutls_aead_cipher_init(&ch, algo, &key);
8dd812
+	if (ret < 0)
8dd812
+		fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret));
8dd812
+
8dd812
+	ret = gnutls_aead_cipher_encryptv2(ch,
8dd812
+					   iv.data, iv.size,
8dd812
+					   auth_iov, 2,
8dd812
+					   iov, 2,
8dd812
+					   tag, &tag_size);
8dd812
+	if (ret < 0)
8dd812
+		fail("could not encrypt data: %s\n", gnutls_strerror(ret));
8dd812
+
8dd812
+	ret = gnutls_aead_cipher_decryptv2(ch,
8dd812
+					   iv.data, iv.size,
8dd812
+					   auth_iov, 2,
8dd812
+					   iov, 2,
8dd812
+					   tag, tag_size);
8dd812
+	if (ret < 0)
8dd812
+		fail("could not decrypt data: %s\n", gnutls_strerror(ret));
8dd812
+
8dd812
+	gnutls_aead_cipher_deinit(ch);
8dd812
+}
8dd812
+
8dd812
+void
8dd812
+doit(void)
8dd812
+{
8dd812
+	int ret;
8dd812
+
8dd812
+	gnutls_global_set_log_function(tls_log_func);
8dd812
+	if (debug)
8dd812
+		gnutls_global_set_log_level(4711);
8dd812
+
8dd812
+	ret = global_init();
8dd812
+	if (ret < 0) {
8dd812
+		fail("Cannot initialize library\n"); /*errcode 1 */
8dd812
+	}
8dd812
+
8dd812
+	start("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM);
8dd812
+	start("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM);
8dd812
+	start("aes-128-ccm", GNUTLS_CIPHER_AES_128_CCM);
8dd812
+	if (!gnutls_fips140_mode_enabled())
8dd812
+		start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305);
8dd812
+
8dd812
+	gnutls_global_deinit();
8dd812
+}
8dd812
-- 
8dd812
2.21.0
8dd812