Skip to content

Support for EVP_AEAD_CTX_copy#3332

Open
justsmth wants to merge 4 commits into
aws:mainfrom
justsmth:evp-aead-ctx-copy
Open

Support for EVP_AEAD_CTX_copy#3332
justsmth wants to merge 4 commits into
aws:mainfrom
justsmth:evp-aead-ctx-copy

Conversation

@justsmth

@justsmth justsmth commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Issues

Description of changes:

Adds EVP_AEAD_CTX_copy, which duplicates an initialized EVP_AEAD_CTX. Callers wanting multiple contexts with the same key (e.g. one per thread, since concurrent use of one context is not supported -- see #3318) currently must re-run EVP_AEAD_CTX_init each time. The API follows the EVP_CIPHER_CTX_copy convention: destination first, returns 1/0, and on failure the destination is left cleanup-safe.

Implemented as an opt-in copy callback on the EVP_AEAD vtable; a NULL callback means copying is unsupported and EVP_AEAD_CTX_copy fails cleanly. Opt-in (rather than a generic memcpy default) because the AEAD state union may own heap resources, and a generic default would double-free if a future heap-backed AEAD forgot to opt out.

  • Supported: AES-GCM, GCM-RandomNonce, (X)ChaCha20-Poly1305, AES-CTR-HMAC-SHA256, AES-CCM, AES-GCM-SIV. All use a shared trivial state-copy helper except the AES-GCM-SIV assembly implementation, whose over-aligned sub-context is located via the address-dependent state_offset -- its hook re-derives the offset and relocates the sub-context instead of copying state verbatim.
  • Not supported: the heap-backed TLS record-layer AEADs, and the stateful GCM-TLS12/TLS13 AEADs (copying their nonce counter would invite nonce reuse).

Call-outs:

Testing:

New PerAEADTest.Copy case over every AEAD in kAEADs: success/failure must match a new kCanCopy flag (keeping the flag and copy hooks in sync), uninitialized sources are rejected, copies are independently usable in both directions with byte-identical output for deterministic AEADs, and a differing-alignment copy exercises the GCM-SIV state_offset relocation path. The assembly hook only runs on x86_64 with AVX+AES-NI, so CI covers that path at runtime.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@justsmth
justsmth requested a review from a team as a code owner July 2, 2026 13:09
@justsmth justsmth changed the title Evp aead ctx copy Support for EVP_AEAD_CTX_copy Jul 2, 2026
@codecov-commenter

codecov-commenter commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 92.94118% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.20%. Comparing base (683ebde) to head (3e5895c).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
crypto/cipher_extra/aead_test.cc 95.55% 2 Missing ⚠️
crypto/cipher_extra/e_aesgcmsiv.c 77.77% 2 Missing ⚠️
crypto/fipsmodule/cipher/aead.c 91.30% 2 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3332   +/-   ##
=======================================
  Coverage   78.20%   78.20%           
=======================================
  Files         695      695           
  Lines      124086   124172   +86     
  Branches    17224    17239   +15     
=======================================
+ Hits        97038    97112   +74     
- Misses      26128    26140   +12     
  Partials      920      920           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

justsmth added 2 commits July 15, 2026 08:35
Introduces a public EVP_AEAD_CTX_copy backed by an opt-in per-AEAD 'copy'
vtable callback, following the EVP_CIPHER_CTX_copy convention (destination
first, 1/0 return, out must be initialized or zeroed, out left cleanup-safe
on failure).

Copy is opt-in per AEAD (NULL callback means unsupported). Unlike EVP_CIPHER,
the EVP_AEAD state union records no size and may own heap resources, so there
is no safe generic copy; requiring an explicit hook avoids a silent double-free
if a future heap-backed AEAD forgets to opt out.

Supported (self-contained inline state, immutable during seal/open): AES-GCM,
GCM-RandomNonce, ChaCha20/XChaCha20-Poly1305, AES-CTR-HMAC-SHA256, AES-CCM, and
AES-GCM-SIV. GCM-SIV's assembly path needs a bespoke hook that re-derives
state_offset and relocates its over-aligned sub-context; a verbatim state copy
would break it across differing alignments. TLS record-layer AEADs (heap-backed
AEAD_TLS_CTX) and the stateful GCM-TLS12/TLS13 AEADs deliberately do not
implement copy.

Adds a PerAEADTest.Copy case: capability agreement with kCanCopy, rejection of
uninitialized sources, deterministic byte-equality, cross round-trip, self-copy
no-op, and a differing-alignment stress that exercises the GCM-SIV relocation
path. Note the GCM-SIV asm hook is only exercised at runtime on native
x86_64+AVX (CI); locally it is compile-verified only.
- Correct EVP_AEAD_CTX_copy documentation: on the early failure paths
  (NULL argument, uninitialized source, unsupported AEAD) |out| is left
  unmodified rather than zeroed; it remains cleanup-safe either way.
- aead_aes_gcm_siv_asm_copy: emit CIPHER_R_INITIALIZATION_ERROR when the
  source context fails the state_offset consistency check (matching
  aead_aes_gcm_siv_asm_init), and drop the impossible out_ctx NULL check
  since the offset is derived on the preceding line.
- aead_test.cc: remove a redundant EVP_AEAD_CTX_zero (ScopedEVP_AEAD_CTX
  already zeroes) and use placement new instead of reinterpret_cast in
  the alignment-stress case to avoid an object-lifetime violation.
@github-actions

Copy link
Copy Markdown
Contributor

🔒 Security ReviewView Report

Please review before merging.

size_t key_bytes);

// aead_ctx_copy_state_trivial is a ready-made |copy| callback (see
// |evp_aead_st|) for AEADs whose per-key state is fully self-contained within

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the term you looking for is that the memory for these object types is flat and contiguous.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants