Support for EVP_AEAD_CTX_copy#3332
Open
justsmth wants to merge 4 commits into
Open
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3332 +/- ##
=======================================
Coverage 78.20% 78.20%
=======================================
Files 695 695
Lines 124086 124172 +86
Branches 17224 17239 +15
=======================================
+ Hits 97038 97112 +74
- Misses 26128 26140 +12
Partials 920 920 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
justsmth
force-pushed
the
evp-aead-ctx-copy
branch
from
July 2, 2026 16:03
01595f0 to
d824892
Compare
Introduces a public EVP_AEAD_CTX_copy backed by an opt-in per-AEAD 'copy' vtable callback, following the EVP_CIPHER_CTX_copy convention (destination first, 1/0 return, out must be initialized or zeroed, out left cleanup-safe on failure). Copy is opt-in per AEAD (NULL callback means unsupported). Unlike EVP_CIPHER, the EVP_AEAD state union records no size and may own heap resources, so there is no safe generic copy; requiring an explicit hook avoids a silent double-free if a future heap-backed AEAD forgets to opt out. Supported (self-contained inline state, immutable during seal/open): AES-GCM, GCM-RandomNonce, ChaCha20/XChaCha20-Poly1305, AES-CTR-HMAC-SHA256, AES-CCM, and AES-GCM-SIV. GCM-SIV's assembly path needs a bespoke hook that re-derives state_offset and relocates its over-aligned sub-context; a verbatim state copy would break it across differing alignments. TLS record-layer AEADs (heap-backed AEAD_TLS_CTX) and the stateful GCM-TLS12/TLS13 AEADs deliberately do not implement copy. Adds a PerAEADTest.Copy case: capability agreement with kCanCopy, rejection of uninitialized sources, deterministic byte-equality, cross round-trip, self-copy no-op, and a differing-alignment stress that exercises the GCM-SIV relocation path. Note the GCM-SIV asm hook is only exercised at runtime on native x86_64+AVX (CI); locally it is compile-verified only.
- Correct EVP_AEAD_CTX_copy documentation: on the early failure paths (NULL argument, uninitialized source, unsupported AEAD) |out| is left unmodified rather than zeroed; it remains cleanup-safe either way. - aead_aes_gcm_siv_asm_copy: emit CIPHER_R_INITIALIZATION_ERROR when the source context fails the state_offset consistency check (matching aead_aes_gcm_siv_asm_init), and drop the impossible out_ctx NULL check since the offset is derived on the preceding line. - aead_test.cc: remove a redundant EVP_AEAD_CTX_zero (ScopedEVP_AEAD_CTX already zeroes) and use placement new instead of reinterpret_cast in the alignment-stress case to avoid an object-lifetime violation.
justsmth
force-pushed
the
evp-aead-ctx-copy
branch
from
July 15, 2026 12:35
d824892 to
db4e041
Compare
Contributor
|
🔒 Security Review — View Report Please review before merging. |
torben-hansen
approved these changes
Jul 17, 2026
| size_t key_bytes); | ||
|
|
||
| // aead_ctx_copy_state_trivial is a ready-made |copy| callback (see | ||
| // |evp_aead_st|) for AEADs whose per-key state is fully self-contained within |
Contributor
There was a problem hiding this comment.
I think the term you looking for is that the memory for these object types is flat and contiguous.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issues
Cloneforaead::LessSafeKeyaws-lc-rs#1165Description of changes:
Adds
EVP_AEAD_CTX_copy, which duplicates an initializedEVP_AEAD_CTX. Callers wanting multiple contexts with the same key (e.g. one per thread, since concurrent use of one context is not supported -- see #3318) currently must re-runEVP_AEAD_CTX_initeach time. The API follows theEVP_CIPHER_CTX_copyconvention: destination first, returns 1/0, and on failure the destination is left cleanup-safe.Implemented as an opt-in copy callback on the
EVP_AEADvtable; aNULLcallback means copying is unsupported andEVP_AEAD_CTX_copyfails cleanly. Opt-in (rather than a generic memcpy default) because the AEAD state union may own heap resources, and a generic default would double-free if a future heap-backed AEAD forgot to opt out.state_offset-- its hook re-derives the offset and relocates the sub-context instead of copying state verbatim.Call-outs:
EVP_CIPHER_CTX_copy, there's no capability-query function; unsupported AEADs are detected by a failed copy (CIPHER_R_CTRL_NOT_IMPLEMENTED).Related to Documented and added feature stability tests for EVP_AEAD implementations that support concurrency through EVP_AEAD_CTX_seal/gather functions #3325. This will need to be rebased (and conflicts resolved) after that is merged.Testing:
New
PerAEADTest.Copycase over every AEAD inkAEADs: success/failure must match a newkCanCopyflag (keeping the flag and copy hooks in sync), uninitialized sources are rejected, copies are independently usable in both directions with byte-identical output for deterministic AEADs, and a differing-alignment copy exercises the GCM-SIV state_offset relocation path. The assembly hook only runs on x86_64 with AVX+AES-NI, so CI covers that path at runtime.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.