Coverage Report

Created: 2024-11-21 06:47

/src/boringssl/crypto/fipsmodule/modes/gcm.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* ====================================================================
2
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
3
 *
4
 * Redistribution and use in source and binary forms, with or without
5
 * modification, are permitted provided that the following conditions
6
 * are met:
7
 *
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 *
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in
13
 *    the documentation and/or other materials provided with the
14
 *    distribution.
15
 *
16
 * 3. All advertising materials mentioning features or use of this
17
 *    software must display the following acknowledgment:
18
 *    "This product includes software developed by the OpenSSL Project
19
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20
 *
21
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22
 *    endorse or promote products derived from this software without
23
 *    prior written permission. For written permission, please contact
24
 *    openssl-core@openssl.org.
25
 *
26
 * 5. Products derived from this software may not be called "OpenSSL"
27
 *    nor may "OpenSSL" appear in their names without prior written
28
 *    permission of the OpenSSL Project.
29
 *
30
 * 6. Redistributions of any form whatsoever must retain the following
31
 *    acknowledgment:
32
 *    "This product includes software developed by the OpenSSL Project
33
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34
 *
35
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46
 * OF THE POSSIBILITY OF SUCH DAMAGE.
47
 * ==================================================================== */
48
49
#include <openssl/base.h>
50
51
#include <assert.h>
52
#include <string.h>
53
54
#include <openssl/mem.h>
55
56
#include "internal.h"
57
#include "../../internal.h"
58
59
60
// kSizeTWithoutLower4Bits is a mask that can be used to zero the lower four
61
// bits of a |size_t|.
62
static const size_t kSizeTWithoutLower4Bits = (size_t) -16;
63
64
65
#define GCM_MUL(ctx, Xi) gcm_gmult_nohw((ctx)->Xi, (ctx)->gcm_key.Htable)
66
#define GHASH(ctx, in, len) \
67
  gcm_ghash_nohw((ctx)->Xi, (ctx)->gcm_key.Htable, in, len)
68
// GHASH_CHUNK is "stride parameter" missioned to mitigate cache
69
// trashing effect. In other words idea is to hash data while it's
70
// still in L1 cache after encryption pass...
71
0
#define GHASH_CHUNK (3 * 1024)
72
73
#if defined(GHASH_ASM_X86_64) || defined(GHASH_ASM_X86)
74
0
static inline void gcm_reduce_1bit(u128 *V) {
75
0
  if (sizeof(crypto_word_t) == 8) {
76
0
    uint64_t T = UINT64_C(0xe100000000000000) & (0 - (V->hi & 1));
77
0
    V->hi = (V->lo << 63) | (V->hi >> 1);
78
0
    V->lo = (V->lo >> 1) ^ T;
79
0
  } else {
80
0
    uint32_t T = 0xe1000000U & (0 - (uint32_t)(V->hi & 1));
81
0
    V->hi = (V->lo << 63) | (V->hi >> 1);
82
0
    V->lo = (V->lo >> 1) ^ ((uint64_t)T << 32);
83
0
  }
84
0
}
85
86
0
void gcm_init_ssse3(u128 Htable[16], const uint64_t H[2]) {
87
0
  Htable[0].hi = 0;
88
0
  Htable[0].lo = 0;
89
0
  u128 V;
90
0
  V.hi = H[1];
91
0
  V.lo = H[0];
92
93
0
  Htable[8] = V;
94
0
  gcm_reduce_1bit(&V);
95
0
  Htable[4] = V;
96
0
  gcm_reduce_1bit(&V);
97
0
  Htable[2] = V;
98
0
  gcm_reduce_1bit(&V);
99
0
  Htable[1] = V;
100
0
  Htable[3].hi = V.hi ^ Htable[2].hi, Htable[3].lo = V.lo ^ Htable[2].lo;
101
0
  V = Htable[4];
102
0
  Htable[5].hi = V.hi ^ Htable[1].hi, Htable[5].lo = V.lo ^ Htable[1].lo;
103
0
  Htable[6].hi = V.hi ^ Htable[2].hi, Htable[6].lo = V.lo ^ Htable[2].lo;
104
0
  Htable[7].hi = V.hi ^ Htable[3].hi, Htable[7].lo = V.lo ^ Htable[3].lo;
105
0
  V = Htable[8];
106
0
  Htable[9].hi = V.hi ^ Htable[1].hi, Htable[9].lo = V.lo ^ Htable[1].lo;
107
0
  Htable[10].hi = V.hi ^ Htable[2].hi, Htable[10].lo = V.lo ^ Htable[2].lo;
108
0
  Htable[11].hi = V.hi ^ Htable[3].hi, Htable[11].lo = V.lo ^ Htable[3].lo;
109
0
  Htable[12].hi = V.hi ^ Htable[4].hi, Htable[12].lo = V.lo ^ Htable[4].lo;
110
0
  Htable[13].hi = V.hi ^ Htable[5].hi, Htable[13].lo = V.lo ^ Htable[5].lo;
111
0
  Htable[14].hi = V.hi ^ Htable[6].hi, Htable[14].lo = V.lo ^ Htable[6].lo;
112
0
  Htable[15].hi = V.hi ^ Htable[7].hi, Htable[15].lo = V.lo ^ Htable[7].lo;
113
114
  // Treat |Htable| as a 16x16 byte table and transpose it. Thus, Htable[i]
115
  // contains the i'th byte of j*H for all j.
116
0
  uint8_t *Hbytes = (uint8_t *)Htable;
117
0
  for (int i = 0; i < 16; i++) {
118
0
    for (int j = 0; j < i; j++) {
119
0
      uint8_t tmp = Hbytes[16*i + j];
120
0
      Hbytes[16*i + j] = Hbytes[16*j + i];
121
0
      Hbytes[16*j + i] = tmp;
122
0
    }
123
0
  }
124
0
}
125
#endif  // GHASH_ASM_X86_64 || GHASH_ASM_X86
126
127
#ifdef GCM_FUNCREF
128
#undef GCM_MUL
129
0
#define GCM_MUL(ctx, Xi) (*gcm_gmult_p)((ctx)->Xi, (ctx)->gcm_key.Htable)
130
#undef GHASH
131
#define GHASH(ctx, in, len) \
132
0
  (*gcm_ghash_p)((ctx)->Xi, (ctx)->gcm_key.Htable, in, len)
133
#endif  // GCM_FUNCREF
134
135
#if defined(HW_GCM) && defined(OPENSSL_X86_64)
136
static size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
137
                             const AES_KEY *key, uint8_t ivec[16],
138
0
                             uint8_t Xi[16], const u128 Htable[16]) {
139
0
  return aesni_gcm_encrypt(in, out, len, key, ivec, Htable, Xi);
140
0
}
141
142
static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
143
                             const AES_KEY *key, uint8_t ivec[16],
144
0
                             uint8_t Xi[16], const u128 Htable[16]) {
145
0
  return aesni_gcm_decrypt(in, out, len, key, ivec, Htable, Xi);
146
0
}
147
#endif  // HW_GCM && X86_64
148
149
#if defined(HW_GCM) && defined(OPENSSL_AARCH64)
150
151
static size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,
152
                             const AES_KEY *key, uint8_t ivec[16],
153
                             uint8_t Xi[16], const u128 Htable[16]) {
154
  const size_t len_blocks = len & kSizeTWithoutLower4Bits;
155
  if (!len_blocks) {
156
    return 0;
157
  }
158
  aes_gcm_enc_kernel(in, len_blocks * 8, out, Xi, ivec, key, Htable);
159
  return len_blocks;
160
}
161
162
static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,
163
                             const AES_KEY *key, uint8_t ivec[16],
164
                             uint8_t Xi[16], const u128 Htable[16]) {
165
  const size_t len_blocks = len & kSizeTWithoutLower4Bits;
166
  if (!len_blocks) {
167
    return 0;
168
  }
169
  aes_gcm_dec_kernel(in, len_blocks * 8, out, Xi, ivec, key, Htable);
170
  return len_blocks;
171
}
172
173
#endif  // HW_GCM && AARCH64
174
175
void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
176
                       u128 out_table[16], int *out_is_avx,
177
0
                       const uint8_t gcm_key[16]) {
178
0
  *out_is_avx = 0;
179
180
  // H is passed to |gcm_init_*| as a pair of byte-swapped, 64-bit values.
181
0
  uint64_t H[2] = {CRYPTO_load_u64_be(gcm_key),
182
0
                   CRYPTO_load_u64_be(gcm_key + 8)};
183
184
0
#if defined(GHASH_ASM_X86_64)
185
0
  if (crypto_gcm_clmul_enabled()) {
186
0
    if (CRYPTO_is_AVX_capable() && CRYPTO_is_MOVBE_capable()) {
187
0
      gcm_init_avx(out_table, H);
188
0
      *out_mult = gcm_gmult_avx;
189
0
      *out_hash = gcm_ghash_avx;
190
0
      *out_is_avx = 1;
191
0
      return;
192
0
    }
193
0
    gcm_init_clmul(out_table, H);
194
0
    *out_mult = gcm_gmult_clmul;
195
0
    *out_hash = gcm_ghash_clmul;
196
0
    return;
197
0
  }
198
0
  if (CRYPTO_is_SSSE3_capable()) {
199
0
    gcm_init_ssse3(out_table, H);
200
0
    *out_mult = gcm_gmult_ssse3;
201
0
    *out_hash = gcm_ghash_ssse3;
202
0
    return;
203
0
  }
204
#elif defined(GHASH_ASM_X86)
205
  if (crypto_gcm_clmul_enabled()) {
206
    gcm_init_clmul(out_table, H);
207
    *out_mult = gcm_gmult_clmul;
208
    *out_hash = gcm_ghash_clmul;
209
    return;
210
  }
211
  if (CRYPTO_is_SSSE3_capable()) {
212
    gcm_init_ssse3(out_table, H);
213
    *out_mult = gcm_gmult_ssse3;
214
    *out_hash = gcm_ghash_ssse3;
215
    return;
216
  }
217
#elif defined(GHASH_ASM_ARM)
218
  if (gcm_pmull_capable()) {
219
    gcm_init_v8(out_table, H);
220
    *out_mult = gcm_gmult_v8;
221
    *out_hash = gcm_ghash_v8;
222
    return;
223
  }
224
225
  if (gcm_neon_capable()) {
226
    gcm_init_neon(out_table, H);
227
    *out_mult = gcm_gmult_neon;
228
    *out_hash = gcm_ghash_neon;
229
    return;
230
  }
231
#endif
232
233
0
  gcm_init_nohw(out_table, H);
234
0
  *out_mult = gcm_gmult_nohw;
235
0
  *out_hash = gcm_ghash_nohw;
236
0
}
237
238
void CRYPTO_gcm128_init_key(GCM128_KEY *gcm_key, const AES_KEY *aes_key,
239
0
                            block128_f block, int block_is_hwaes) {
240
0
  OPENSSL_memset(gcm_key, 0, sizeof(*gcm_key));
241
0
  gcm_key->block = block;
242
243
0
  uint8_t ghash_key[16];
244
0
  OPENSSL_memset(ghash_key, 0, sizeof(ghash_key));
245
0
  (*block)(ghash_key, ghash_key, aes_key);
246
247
0
  int is_avx;
248
0
  CRYPTO_ghash_init(&gcm_key->gmult, &gcm_key->ghash, gcm_key->Htable, &is_avx,
249
0
                    ghash_key);
250
251
#if defined(OPENSSL_AARCH64) && !defined(OPENSSL_NO_ASM)
252
  gcm_key->use_hw_gcm_crypt = (gcm_pmull_capable() && block_is_hwaes) ? 1 : 0;
253
#else
254
0
  gcm_key->use_hw_gcm_crypt = (is_avx && block_is_hwaes) ? 1 : 0;
255
0
#endif
256
0
}
257
258
void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const AES_KEY *key,
259
0
                         const uint8_t *iv, size_t len) {
260
0
#ifdef GCM_FUNCREF
261
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
262
0
      ctx->gcm_key.gmult;
263
0
#endif
264
265
0
  OPENSSL_memset(&ctx->Yi, 0, sizeof(ctx->Yi));
266
0
  OPENSSL_memset(&ctx->Xi, 0, sizeof(ctx->Xi));
267
0
  ctx->len.aad = 0;
268
0
  ctx->len.msg = 0;
269
0
  ctx->ares = 0;
270
0
  ctx->mres = 0;
271
272
0
  uint32_t ctr;
273
0
  if (len == 12) {
274
0
    OPENSSL_memcpy(ctx->Yi, iv, 12);
275
0
    ctx->Yi[15] = 1;
276
0
    ctr = 1;
277
0
  } else {
278
0
    uint64_t len0 = len;
279
280
0
    while (len >= 16) {
281
0
      CRYPTO_xor16(ctx->Yi, ctx->Yi, iv);
282
0
      GCM_MUL(ctx, Yi);
283
0
      iv += 16;
284
0
      len -= 16;
285
0
    }
286
0
    if (len) {
287
0
      for (size_t i = 0; i < len; ++i) {
288
0
        ctx->Yi[i] ^= iv[i];
289
0
      }
290
0
      GCM_MUL(ctx, Yi);
291
0
    }
292
293
0
    uint8_t len_block[16];
294
0
    OPENSSL_memset(len_block, 0, 8);
295
0
    CRYPTO_store_u64_be(len_block + 8, len0 << 3);
296
0
    CRYPTO_xor16(ctx->Yi, ctx->Yi, len_block);
297
298
0
    GCM_MUL(ctx, Yi);
299
0
    ctr = CRYPTO_load_u32_be(ctx->Yi + 12);
300
0
  }
301
302
0
  (*ctx->gcm_key.block)(ctx->Yi, ctx->EK0, key);
303
0
  ++ctr;
304
0
  CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
305
0
}
306
307
0
int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len) {
308
0
#ifdef GCM_FUNCREF
309
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
310
0
      ctx->gcm_key.gmult;
311
0
  void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
312
0
                      size_t len) = ctx->gcm_key.ghash;
313
0
#endif
314
315
0
  if (ctx->len.msg != 0) {
316
    // The caller must have finished the AAD before providing other input.
317
0
    return 0;
318
0
  }
319
320
0
  uint64_t alen = ctx->len.aad + len;
321
0
  if (alen > (UINT64_C(1) << 61) || (sizeof(len) == 8 && alen < len)) {
322
0
    return 0;
323
0
  }
324
0
  ctx->len.aad = alen;
325
326
0
  unsigned n = ctx->ares;
327
0
  if (n) {
328
0
    while (n && len) {
329
0
      ctx->Xi[n] ^= *(aad++);
330
0
      --len;
331
0
      n = (n + 1) % 16;
332
0
    }
333
0
    if (n == 0) {
334
0
      GCM_MUL(ctx, Xi);
335
0
    } else {
336
0
      ctx->ares = n;
337
0
      return 1;
338
0
    }
339
0
  }
340
341
  // Process a whole number of blocks.
342
0
  size_t len_blocks = len & kSizeTWithoutLower4Bits;
343
0
  if (len_blocks != 0) {
344
0
    GHASH(ctx, aad, len_blocks);
345
0
    aad += len_blocks;
346
0
    len -= len_blocks;
347
0
  }
348
349
  // Process the remainder.
350
0
  if (len != 0) {
351
0
    n = (unsigned int)len;
352
0
    for (size_t i = 0; i < len; ++i) {
353
0
      ctx->Xi[i] ^= aad[i];
354
0
    }
355
0
  }
356
357
0
  ctx->ares = n;
358
0
  return 1;
359
0
}
360
361
int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const AES_KEY *key,
362
0
                          const uint8_t *in, uint8_t *out, size_t len) {
363
0
  block128_f block = ctx->gcm_key.block;
364
0
#ifdef GCM_FUNCREF
365
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
366
0
      ctx->gcm_key.gmult;
367
0
  void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
368
0
                      size_t len) = ctx->gcm_key.ghash;
369
0
#endif
370
371
0
  uint64_t mlen = ctx->len.msg + len;
372
0
  if (mlen > ((UINT64_C(1) << 36) - 32) ||
373
0
      (sizeof(len) == 8 && mlen < len)) {
374
0
    return 0;
375
0
  }
376
0
  ctx->len.msg = mlen;
377
378
0
  if (ctx->ares) {
379
    // First call to encrypt finalizes GHASH(AAD)
380
0
    GCM_MUL(ctx, Xi);
381
0
    ctx->ares = 0;
382
0
  }
383
384
0
  unsigned n = ctx->mres;
385
0
  if (n) {
386
0
    while (n && len) {
387
0
      ctx->Xi[n] ^= *(out++) = *(in++) ^ ctx->EKi[n];
388
0
      --len;
389
0
      n = (n + 1) % 16;
390
0
    }
391
0
    if (n == 0) {
392
0
      GCM_MUL(ctx, Xi);
393
0
    } else {
394
0
      ctx->mres = n;
395
0
      return 1;
396
0
    }
397
0
  }
398
399
0
  uint32_t ctr = CRYPTO_load_u32_be(ctx->Yi + 12);
400
0
  while (len >= GHASH_CHUNK) {
401
0
    size_t j = GHASH_CHUNK;
402
403
0
    while (j) {
404
0
      (*block)(ctx->Yi, ctx->EKi, key);
405
0
      ++ctr;
406
0
      CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
407
0
      CRYPTO_xor16(out, in, ctx->EKi);
408
0
      out += 16;
409
0
      in += 16;
410
0
      j -= 16;
411
0
    }
412
0
    GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK);
413
0
    len -= GHASH_CHUNK;
414
0
  }
415
0
  size_t len_blocks = len & kSizeTWithoutLower4Bits;
416
0
  if (len_blocks != 0) {
417
0
    while (len >= 16) {
418
0
      (*block)(ctx->Yi, ctx->EKi, key);
419
0
      ++ctr;
420
0
      CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
421
0
      CRYPTO_xor16(out, in, ctx->EKi);
422
0
      out += 16;
423
0
      in += 16;
424
0
      len -= 16;
425
0
    }
426
0
    GHASH(ctx, out - len_blocks, len_blocks);
427
0
  }
428
0
  if (len) {
429
0
    (*block)(ctx->Yi, ctx->EKi, key);
430
0
    ++ctr;
431
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
432
0
    while (len--) {
433
0
      ctx->Xi[n] ^= out[n] = in[n] ^ ctx->EKi[n];
434
0
      ++n;
435
0
    }
436
0
  }
437
438
0
  ctx->mres = n;
439
0
  return 1;
440
0
}
441
442
int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const AES_KEY *key,
443
                          const unsigned char *in, unsigned char *out,
444
0
                          size_t len) {
445
0
  block128_f block = ctx->gcm_key.block;
446
0
#ifdef GCM_FUNCREF
447
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
448
0
      ctx->gcm_key.gmult;
449
0
  void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
450
0
                      size_t len) = ctx->gcm_key.ghash;
451
0
#endif
452
453
0
  uint64_t mlen = ctx->len.msg + len;
454
0
  if (mlen > ((UINT64_C(1) << 36) - 32) ||
455
0
      (sizeof(len) == 8 && mlen < len)) {
456
0
    return 0;
457
0
  }
458
0
  ctx->len.msg = mlen;
459
460
0
  if (ctx->ares) {
461
    // First call to decrypt finalizes GHASH(AAD)
462
0
    GCM_MUL(ctx, Xi);
463
0
    ctx->ares = 0;
464
0
  }
465
466
0
  unsigned n = ctx->mres;
467
0
  if (n) {
468
0
    while (n && len) {
469
0
      uint8_t c = *(in++);
470
0
      *(out++) = c ^ ctx->EKi[n];
471
0
      ctx->Xi[n] ^= c;
472
0
      --len;
473
0
      n = (n + 1) % 16;
474
0
    }
475
0
    if (n == 0) {
476
0
      GCM_MUL(ctx, Xi);
477
0
    } else {
478
0
      ctx->mres = n;
479
0
      return 1;
480
0
    }
481
0
  }
482
483
0
  uint32_t ctr = CRYPTO_load_u32_be(ctx->Yi + 12);
484
0
  while (len >= GHASH_CHUNK) {
485
0
    size_t j = GHASH_CHUNK;
486
487
0
    GHASH(ctx, in, GHASH_CHUNK);
488
0
    while (j) {
489
0
      (*block)(ctx->Yi, ctx->EKi, key);
490
0
      ++ctr;
491
0
      CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
492
0
      CRYPTO_xor16(out, in, ctx->EKi);
493
0
      out += 16;
494
0
      in += 16;
495
0
      j -= 16;
496
0
    }
497
0
    len -= GHASH_CHUNK;
498
0
  }
499
0
  size_t len_blocks = len & kSizeTWithoutLower4Bits;
500
0
  if (len_blocks != 0) {
501
0
    GHASH(ctx, in, len_blocks);
502
0
    while (len >= 16) {
503
0
      (*block)(ctx->Yi, ctx->EKi, key);
504
0
      ++ctr;
505
0
      CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
506
0
      CRYPTO_xor16(out, in, ctx->EKi);
507
0
      out += 16;
508
0
      in += 16;
509
0
      len -= 16;
510
0
    }
511
0
  }
512
0
  if (len) {
513
0
    (*block)(ctx->Yi, ctx->EKi, key);
514
0
    ++ctr;
515
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
516
0
    while (len--) {
517
0
      uint8_t c = in[n];
518
0
      ctx->Xi[n] ^= c;
519
0
      out[n] = c ^ ctx->EKi[n];
520
0
      ++n;
521
0
    }
522
0
  }
523
524
0
  ctx->mres = n;
525
0
  return 1;
526
0
}
527
528
int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
529
                                const uint8_t *in, uint8_t *out, size_t len,
530
0
                                ctr128_f stream) {
531
0
#ifdef GCM_FUNCREF
532
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
533
0
      ctx->gcm_key.gmult;
534
0
  void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
535
0
                      size_t len) = ctx->gcm_key.ghash;
536
0
#endif
537
538
0
  uint64_t mlen = ctx->len.msg + len;
539
0
  if (mlen > ((UINT64_C(1) << 36) - 32) ||
540
0
      (sizeof(len) == 8 && mlen < len)) {
541
0
    return 0;
542
0
  }
543
0
  ctx->len.msg = mlen;
544
545
0
  if (ctx->ares) {
546
    // First call to encrypt finalizes GHASH(AAD)
547
0
    GCM_MUL(ctx, Xi);
548
0
    ctx->ares = 0;
549
0
  }
550
551
0
  unsigned n = ctx->mres;
552
0
  if (n) {
553
0
    while (n && len) {
554
0
      ctx->Xi[n] ^= *(out++) = *(in++) ^ ctx->EKi[n];
555
0
      --len;
556
0
      n = (n + 1) % 16;
557
0
    }
558
0
    if (n == 0) {
559
0
      GCM_MUL(ctx, Xi);
560
0
    } else {
561
0
      ctx->mres = n;
562
0
      return 1;
563
0
    }
564
0
  }
565
566
0
#if defined(HW_GCM)
567
  // Check |len| to work around a C language bug. See https://crbug.com/1019588.
568
0
  if (ctx->gcm_key.use_hw_gcm_crypt && len > 0) {
569
    // |hw_gcm_encrypt| may not process all the input given to it. It may
570
    // not process *any* of its input if it is deemed too small.
571
0
    size_t bulk = hw_gcm_encrypt(in, out, len, key, ctx->Yi, ctx->Xi,
572
0
                                 ctx->gcm_key.Htable);
573
0
    in += bulk;
574
0
    out += bulk;
575
0
    len -= bulk;
576
0
  }
577
0
#endif
578
579
0
  uint32_t ctr = CRYPTO_load_u32_be(ctx->Yi + 12);
580
0
  while (len >= GHASH_CHUNK) {
581
0
    (*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi);
582
0
    ctr += GHASH_CHUNK / 16;
583
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
584
0
    GHASH(ctx, out, GHASH_CHUNK);
585
0
    out += GHASH_CHUNK;
586
0
    in += GHASH_CHUNK;
587
0
    len -= GHASH_CHUNK;
588
0
  }
589
0
  size_t len_blocks = len & kSizeTWithoutLower4Bits;
590
0
  if (len_blocks != 0) {
591
0
    size_t j = len_blocks / 16;
592
593
0
    (*stream)(in, out, j, key, ctx->Yi);
594
0
    ctr += (unsigned int)j;
595
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
596
0
    in += len_blocks;
597
0
    len -= len_blocks;
598
0
    GHASH(ctx, out, len_blocks);
599
0
    out += len_blocks;
600
0
  }
601
0
  if (len) {
602
0
    (*ctx->gcm_key.block)(ctx->Yi, ctx->EKi, key);
603
0
    ++ctr;
604
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
605
0
    while (len--) {
606
0
      ctx->Xi[n] ^= out[n] = in[n] ^ ctx->EKi[n];
607
0
      ++n;
608
0
    }
609
0
  }
610
611
0
  ctx->mres = n;
612
0
  return 1;
613
0
}
614
615
int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const AES_KEY *key,
616
                                const uint8_t *in, uint8_t *out, size_t len,
617
0
                                ctr128_f stream) {
618
0
#ifdef GCM_FUNCREF
619
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
620
0
      ctx->gcm_key.gmult;
621
0
  void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,
622
0
                      size_t len) = ctx->gcm_key.ghash;
623
0
#endif
624
625
0
  uint64_t mlen = ctx->len.msg + len;
626
0
  if (mlen > ((UINT64_C(1) << 36) - 32) ||
627
0
      (sizeof(len) == 8 && mlen < len)) {
628
0
    return 0;
629
0
  }
630
0
  ctx->len.msg = mlen;
631
632
0
  if (ctx->ares) {
633
    // First call to decrypt finalizes GHASH(AAD)
634
0
    GCM_MUL(ctx, Xi);
635
0
    ctx->ares = 0;
636
0
  }
637
638
0
  unsigned n = ctx->mres;
639
0
  if (n) {
640
0
    while (n && len) {
641
0
      uint8_t c = *(in++);
642
0
      *(out++) = c ^ ctx->EKi[n];
643
0
      ctx->Xi[n] ^= c;
644
0
      --len;
645
0
      n = (n + 1) % 16;
646
0
    }
647
0
    if (n == 0) {
648
0
      GCM_MUL(ctx, Xi);
649
0
    } else {
650
0
      ctx->mres = n;
651
0
      return 1;
652
0
    }
653
0
  }
654
655
0
#if defined(HW_GCM)
656
  // Check |len| to work around a C language bug. See https://crbug.com/1019588.
657
0
  if (ctx->gcm_key.use_hw_gcm_crypt && len > 0) {
658
    // |hw_gcm_decrypt| may not process all the input given to it. It may
659
    // not process *any* of its input if it is deemed too small.
660
0
    size_t bulk = hw_gcm_decrypt(in, out, len, key, ctx->Yi, ctx->Xi,
661
0
                                 ctx->gcm_key.Htable);
662
0
    in += bulk;
663
0
    out += bulk;
664
0
    len -= bulk;
665
0
  }
666
0
#endif
667
668
0
  uint32_t ctr = CRYPTO_load_u32_be(ctx->Yi + 12);
669
0
  while (len >= GHASH_CHUNK) {
670
0
    GHASH(ctx, in, GHASH_CHUNK);
671
0
    (*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi);
672
0
    ctr += GHASH_CHUNK / 16;
673
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
674
0
    out += GHASH_CHUNK;
675
0
    in += GHASH_CHUNK;
676
0
    len -= GHASH_CHUNK;
677
0
  }
678
0
  size_t len_blocks = len & kSizeTWithoutLower4Bits;
679
0
  if (len_blocks != 0) {
680
0
    size_t j = len_blocks / 16;
681
682
0
    GHASH(ctx, in, len_blocks);
683
0
    (*stream)(in, out, j, key, ctx->Yi);
684
0
    ctr += (unsigned int)j;
685
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
686
0
    out += len_blocks;
687
0
    in += len_blocks;
688
0
    len -= len_blocks;
689
0
  }
690
0
  if (len) {
691
0
    (*ctx->gcm_key.block)(ctx->Yi, ctx->EKi, key);
692
0
    ++ctr;
693
0
    CRYPTO_store_u32_be(ctx->Yi + 12, ctr);
694
0
    while (len--) {
695
0
      uint8_t c = in[n];
696
0
      ctx->Xi[n] ^= c;
697
0
      out[n] = c ^ ctx->EKi[n];
698
0
      ++n;
699
0
    }
700
0
  }
701
702
0
  ctx->mres = n;
703
0
  return 1;
704
0
}
705
706
0
int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag, size_t len) {
707
0
#ifdef GCM_FUNCREF
708
0
  void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) =
709
0
      ctx->gcm_key.gmult;
710
0
#endif
711
712
0
  if (ctx->mres || ctx->ares) {
713
0
    GCM_MUL(ctx, Xi);
714
0
  }
715
716
0
  uint8_t len_block[16];
717
0
  CRYPTO_store_u64_be(len_block, ctx->len.aad << 3);
718
0
  CRYPTO_store_u64_be(len_block + 8, ctx->len.msg << 3);
719
0
  CRYPTO_xor16(ctx->Xi, ctx->Xi, len_block);
720
0
  GCM_MUL(ctx, Xi);
721
0
  CRYPTO_xor16(ctx->Xi, ctx->Xi, ctx->EK0);
722
723
0
  if (tag && len <= sizeof(ctx->Xi)) {
724
0
    return CRYPTO_memcmp(ctx->Xi, tag, len) == 0;
725
0
  } else {
726
0
    return 0;
727
0
  }
728
0
}
729
730
0
void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len) {
731
0
  CRYPTO_gcm128_finish(ctx, NULL, 0);
732
0
  OPENSSL_memcpy(tag, ctx->Xi, len <= sizeof(ctx->Xi) ? len : sizeof(ctx->Xi));
733
0
}
734
735
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
736
0
int crypto_gcm_clmul_enabled(void) {
737
0
#if defined(GHASH_ASM_X86) || defined(GHASH_ASM_X86_64)
738
0
  return CRYPTO_is_FXSR_capable() && CRYPTO_is_PCLMUL_capable();
739
#else
740
  return 0;
741
#endif
742
0
}
743
#endif