Coverage Report

Created: 2024-11-21 07:03

/src/openssl/providers/implementations/ciphers/ciphercommon_gcm.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/* Dispatch functions for gcm mode */
11
12
#include <openssl/rand.h>
13
#include <openssl/proverr.h>
14
#include "prov/ciphercommon.h"
15
#include "prov/ciphercommon_gcm.h"
16
#include "prov/providercommon.h"
17
#include "prov/provider_ctx.h"
18
#include "internal/param_names.h"
19
20
static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
21
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
22
                                size_t len);
23
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
24
                          const unsigned char *in, size_t len);
25
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
26
                               size_t *padlen, const unsigned char *in,
27
                               size_t len);
28
29
/*
30
 * Called from EVP_CipherInit when there is currently no context via
31
 * the new_ctx() function
32
 */
33
void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
34
                      const PROV_GCM_HW *hw)
35
715
{
36
715
    ctx->pad = 1;
37
715
    ctx->mode = EVP_CIPH_GCM_MODE;
38
715
    ctx->taglen = UNINITIALISED_SIZET;
39
715
    ctx->tls_aad_len = UNINITIALISED_SIZET;
40
715
    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
41
715
    ctx->keylen = keybits / 8;
42
715
    ctx->hw = hw;
43
715
    ctx->libctx = PROV_LIBCTX_OF(provctx);
44
715
}
45
46
/*
47
 * Called by EVP_CipherInit via the _einit and _dinit functions
48
 */
49
static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
50
                    const unsigned char *iv, size_t ivlen,
51
                    const OSSL_PARAM params[], int enc)
52
1.64k
{
53
1.64k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
54
55
1.64k
    if (!ossl_prov_is_running())
56
0
        return 0;
57
58
1.64k
    ctx->enc = enc;
59
60
1.64k
    if (iv != NULL) {
61
934
        if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
62
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
63
0
            return 0;
64
0
        }
65
934
        ctx->ivlen = ivlen;
66
934
        memcpy(ctx->iv, iv, ivlen);
67
934
        ctx->iv_state = IV_STATE_BUFFERED;
68
934
    }
69
70
1.64k
    if (key != NULL) {
71
588
        if (keylen != ctx->keylen) {
72
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
73
0
            return 0;
74
0
        }
75
588
        if (!ctx->hw->setkey(ctx, key, ctx->keylen))
76
0
            return 0;
77
588
        ctx->tls_enc_records = 0;
78
588
    }
79
1.64k
    return ossl_gcm_set_ctx_params(ctx, params);
80
1.64k
}
81
82
int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
83
                   const unsigned char *iv, size_t ivlen,
84
                   const OSSL_PARAM params[])
85
1.19k
{
86
1.19k
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
87
1.19k
}
88
89
int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
90
                   const unsigned char *iv, size_t ivlen,
91
                   const OSSL_PARAM params[])
92
457
{
93
457
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
94
457
}
95
96
/* increment counter (64-bit int) by 1 */
97
static void ctr64_inc(unsigned char *counter)
98
0
{
99
0
    int n = 8;
100
0
    unsigned char c;
101
102
0
    do {
103
0
        --n;
104
0
        c = counter[n];
105
0
        ++c;
106
0
        counter[n] = c;
107
0
        if (c > 0)
108
0
            return;
109
0
    } while (n > 0);
110
0
}
111
112
static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
113
0
{
114
0
    if (!ctx->iv_gen
115
0
        || !ctx->key_set
116
0
        || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
117
0
        return 0;
118
0
    if (olen == 0 || olen > ctx->ivlen)
119
0
        olen = ctx->ivlen;
120
0
    memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
121
    /*
122
     * Invocation field will be at least 8 bytes in size and so no need
123
     * to check wrap around or increment more than last 8 bytes.
124
     */
125
0
    ctr64_inc(ctx->iv + ctx->ivlen - 8);
126
0
    ctx->iv_state = IV_STATE_COPIED;
127
0
    return 1;
128
0
}
129
130
static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
131
0
{
132
0
    if (!ctx->iv_gen
133
0
        || !ctx->key_set
134
0
        || ctx->enc)
135
0
        return 0;
136
137
0
    memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
138
0
    if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
139
0
        return 0;
140
0
    ctx->iv_state = IV_STATE_COPIED;
141
0
    return 1;
142
0
}
143
144
int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
145
1.23k
{
146
1.23k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
147
1.23k
    OSSL_PARAM *p;
148
1.23k
    size_t sz;
149
1.23k
    int type;
150
151
2.45k
    for (p = params; p->key != NULL; p++) {
152
1.23k
        type = ossl_param_find_pidx(p->key);
153
1.23k
        switch (type) {
154
0
        default:
155
0
            break;
156
157
588
        case PIDX_CIPHER_PARAM_IVLEN:
158
588
            if (!OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
159
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
160
0
                return 0;
161
0
            }
162
588
            break;
163
164
638
        case PIDX_CIPHER_PARAM_KEYLEN:
165
638
            if (!OSSL_PARAM_set_size_t(p, ctx->keylen)) {
166
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
167
0
                return 0;
168
0
            }
169
638
            break;
170
171
638
        case PIDX_CIPHER_PARAM_AEAD_TAGLEN:
172
0
            {
173
0
                size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
174
0
                                 GCM_TAG_MAX_SIZE;
175
176
0
                if (!OSSL_PARAM_set_size_t(p, taglen)) {
177
0
                    ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
178
0
                    return 0;
179
0
                }
180
0
            }
181
0
            break;
182
183
0
        case PIDX_CIPHER_PARAM_IV:
184
0
            if (ctx->iv_state == IV_STATE_UNINITIALISED)
185
0
                return 0;
186
0
            if (ctx->ivlen > p->data_size) {
187
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
188
0
                return 0;
189
0
            }
190
0
            if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
191
0
                && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
192
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
193
0
                return 0;
194
0
            }
195
0
            break;
196
197
0
        case PIDX_CIPHER_PARAM_UPDATED_IV:
198
0
            if (ctx->iv_state == IV_STATE_UNINITIALISED)
199
0
                return 0;
200
0
            if (ctx->ivlen > p->data_size) {
201
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
202
0
                return 0;
203
0
            }
204
0
            if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
205
0
                && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
206
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
207
0
                return 0;
208
0
            }
209
0
            break;
210
211
0
        case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD_PAD:
212
0
            if (!OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
213
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
214
0
                return 0;
215
0
            }
216
0
            break;
217
218
5
        case PIDX_CIPHER_PARAM_AEAD_TAG:
219
5
            sz = p->data_size;
220
5
            if (sz == 0
221
5
                || sz > EVP_GCM_TLS_TAG_LEN
222
5
                || !ctx->enc
223
5
                || ctx->taglen == UNINITIALISED_SIZET) {
224
5
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
225
5
                return 0;
226
5
            }
227
0
            if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
228
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
229
0
                return 0;
230
0
            }
231
0
            break;
232
233
0
        case PIDX_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN:
234
0
            if (p->data == NULL
235
0
                || p->data_type != OSSL_PARAM_OCTET_STRING
236
0
                || !getivgen(ctx, p->data, p->data_size))
237
0
                return 0;
238
0
            break;
239
0
        case PIDX_CIPHER_PARAM_AEAD_IV_GENERATED:
240
0
            if (!OSSL_PARAM_set_uint(p, ctx->iv_gen_rand))
241
0
                return 0;
242
1.23k
        }
243
1.23k
    }
244
1.22k
    return 1;
245
1.23k
}
246
247
int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
248
1.94k
{
249
1.94k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
250
1.94k
    const OSSL_PARAM *p;
251
1.94k
    size_t sz;
252
1.94k
    void *vp;
253
1.94k
    int type;
254
255
1.94k
    if (ossl_param_is_empty(params))
256
1.64k
        return 1;
257
258
555
    for (p = params; p->key != NULL; p++) {
259
294
        type = ossl_param_find_pidx(p->key);
260
294
        switch (type) {
261
0
        default:
262
0
            break;
263
264
10
        case PIDX_CIPHER_PARAM_AEAD_TAG:
265
10
            vp = ctx->buf;
266
10
            if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
267
6
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
268
6
                return 0;
269
6
            }
270
4
            if (sz == 0 || ctx->enc) {
271
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
272
0
                return 0;
273
0
            }
274
4
            ctx->taglen = sz;
275
4
            break;
276
277
284
        case PIDX_CIPHER_PARAM_AEAD_IVLEN:
278
284
            if (!OSSL_PARAM_get_size_t(p, &sz)) {
279
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
280
0
                return 0;
281
0
            }
282
284
            if (sz == 0 || sz > sizeof(ctx->iv)) {
283
27
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
284
27
                return 0;
285
27
            }
286
257
            if (ctx->ivlen != sz) {
287
                /* If the iv was already set or autogenerated, it is invalid. */
288
257
                if (ctx->iv_state != IV_STATE_UNINITIALISED)
289
0
                    ctx->iv_state = IV_STATE_FINISHED;
290
257
                ctx->ivlen = sz;
291
257
            }
292
257
            break;
293
294
0
        case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD:
295
0
            if (p->data_type != OSSL_PARAM_OCTET_STRING) {
296
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
297
0
                return 0;
298
0
            }
299
0
            sz = gcm_tls_init(ctx, p->data, p->data_size);
300
0
            if (sz == 0) {
301
0
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
302
0
                return 0;
303
0
            }
304
0
            ctx->tls_aad_pad_sz = sz;
305
0
            break;
306
307
0
        case PIDX_CIPHER_PARAM_AEAD_TLS1_IV_FIXED:
308
0
            if (p->data_type != OSSL_PARAM_OCTET_STRING) {
309
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
310
0
                return 0;
311
0
            }
312
0
            if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
313
0
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
314
0
                return 0;
315
0
            }
316
0
            break;
317
318
0
        case PIDX_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV:
319
0
            if (p->data == NULL
320
0
                || p->data_type != OSSL_PARAM_OCTET_STRING
321
0
                || !setivinv(ctx, p->data, p->data_size))
322
0
                return 0;
323
0
            break;
324
294
        }
325
294
    }
326
327
261
    return 1;
328
294
}
329
330
int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
331
                           size_t outsize, const unsigned char *in, size_t inl)
332
8.37k
{
333
8.37k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
334
335
8.37k
    if (inl == 0) {
336
7.14k
        *outl = 0;
337
7.14k
        return 1;
338
7.14k
    }
339
340
1.22k
    if (outsize < inl) {
341
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
342
0
        return 0;
343
0
    }
344
345
1.22k
    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
346
0
        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
347
0
        return 0;
348
0
    }
349
1.22k
    return 1;
350
1.22k
}
351
352
int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
353
                          size_t outsize)
354
233
{
355
233
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
356
233
    int i;
357
358
233
    if (!ossl_prov_is_running())
359
0
        return 0;
360
361
233
    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
362
233
    if (i <= 0)
363
214
        return 0;
364
365
19
    *outl = 0;
366
19
    return 1;
367
233
}
368
369
int ossl_gcm_cipher(void *vctx,
370
                    unsigned char *out, size_t *outl, size_t outsize,
371
                    const unsigned char *in, size_t inl)
372
2.53k
{
373
2.53k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
374
375
2.53k
    if (!ossl_prov_is_running())
376
0
        return 0;
377
378
2.53k
    if (outsize < inl) {
379
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
380
0
        return 0;
381
0
    }
382
383
2.53k
    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
384
0
        return 0;
385
386
2.53k
    *outl = inl;
387
2.53k
    return 1;
388
2.53k
}
389
390
/*
391
 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
392
 *
393
 * See also 8.2.2 RBG-based construction.
394
 * Random construction consists of a free field (which can be NULL) and a
395
 * random field which will use a DRBG that can return at least 96 bits of
396
 * entropy strength. (The DRBG must be seeded by the FIPS module).
397
 */
398
static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
399
0
{
400
0
    int sz = ctx->ivlen - offset;
401
402
    /* Must be at least 96 bits */
403
0
    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
404
0
        return 0;
405
406
    /* Use DRBG to generate random iv */
407
0
    if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
408
0
        return 0;
409
0
    ctx->iv_state = IV_STATE_BUFFERED;
410
0
    ctx->iv_gen_rand = 1;
411
0
    return 1;
412
0
}
413
414
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
415
                               size_t *padlen, const unsigned char *in,
416
                               size_t len)
417
3.99k
{
418
3.99k
    size_t olen = 0;
419
3.99k
    int rv = 0;
420
3.99k
    const PROV_GCM_HW *hw = ctx->hw;
421
422
3.99k
    if (ctx->tls_aad_len != UNINITIALISED_SIZET)
423
0
        return gcm_tls_cipher(ctx, out, padlen, in, len);
424
425
3.99k
    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
426
0
        goto err;
427
428
    /*
429
     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
430
     * The IV can still be set externally (the security policy will state that
431
     * this is not FIPS compliant). There are some applications
432
     * where setting the IV externally is the only option available.
433
     */
434
3.99k
    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
435
0
        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
436
0
            goto err;
437
0
    }
438
439
3.99k
    if (ctx->iv_state == IV_STATE_BUFFERED) {
440
927
        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
441
0
            goto err;
442
927
        ctx->iv_state = IV_STATE_COPIED;
443
927
    }
444
445
3.99k
    if (in != NULL) {
446
        /*  The input is AAD if out is NULL */
447
3.75k
        if (out == NULL) {
448
19
            if (!hw->aadupdate(ctx, in, len))
449
0
                goto err;
450
3.73k
        } else {
451
            /* The input is ciphertext OR plaintext */
452
3.73k
            if (!hw->cipherupdate(ctx, in, len, out))
453
0
                goto err;
454
3.73k
        }
455
3.75k
    } else {
456
        /* The tag must be set before actually decrypting data */
457
233
        if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
458
211
            goto err;
459
22
        if (!hw->cipherfinal(ctx, ctx->buf))
460
3
            goto err;
461
19
        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
462
19
        goto finish;
463
22
    }
464
3.75k
    olen = len;
465
3.77k
finish:
466
3.77k
    rv = 1;
467
3.99k
err:
468
3.99k
    *padlen = olen;
469
3.99k
    return rv;
470
3.77k
}
471
472
static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
473
0
{
474
0
    unsigned char *buf;
475
0
    size_t len;
476
477
0
    if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
478
0
       return 0;
479
480
    /* Save the aad for later use. */
481
0
    buf = dat->buf;
482
0
    memcpy(buf, aad, aad_len);
483
0
    dat->tls_aad_len = aad_len;
484
485
0
    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
486
    /* Correct length for explicit iv. */
487
0
    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
488
0
        return 0;
489
0
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
490
491
    /* If decrypting correct for tag too. */
492
0
    if (!dat->enc) {
493
0
        if (len < EVP_GCM_TLS_TAG_LEN)
494
0
            return 0;
495
0
        len -= EVP_GCM_TLS_TAG_LEN;
496
0
    }
497
0
    buf[aad_len - 2] = (unsigned char)(len >> 8);
498
0
    buf[aad_len - 1] = (unsigned char)(len & 0xff);
499
    /* Extra padding: tag appended to record. */
500
0
    return EVP_GCM_TLS_TAG_LEN;
501
0
}
502
503
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
504
                                size_t len)
505
0
{
506
    /* Special case: -1 length restores whole IV */
507
0
    if (len == (size_t)-1) {
508
0
        memcpy(ctx->iv, iv, ctx->ivlen);
509
0
        ctx->iv_gen = 1;
510
0
        ctx->iv_state = IV_STATE_BUFFERED;
511
0
        return 1;
512
0
    }
513
    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
514
0
    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
515
0
        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
516
0
            return 0;
517
0
    if (len > 0)
518
0
        memcpy(ctx->iv, iv, len);
519
0
    if (ctx->enc) {
520
0
        if (RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
521
0
            return 0;
522
0
        ctx->iv_gen_rand = 1;
523
0
    }
524
0
    ctx->iv_gen = 1;
525
0
    ctx->iv_state = IV_STATE_BUFFERED;
526
0
    return 1;
527
0
}
528
529
/*
530
 * Handle TLS GCM packet format. This consists of the last portion of the IV
531
 * followed by the payload and finally the tag. On encrypt generate IV,
532
 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
533
 * and verify tag.
534
 */
535
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
536
                          const unsigned char *in, size_t len)
537
0
{
538
0
    int rv = 0;
539
0
    size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
540
0
    size_t plen = 0;
541
0
    unsigned char *tag = NULL;
542
543
0
    if (!ossl_prov_is_running() || !ctx->key_set)
544
0
        goto err;
545
546
    /* Encrypt/decrypt must be performed in place */
547
0
    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
548
0
        goto err;
549
550
    /*
551
     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
552
     * Requirements from SP 800-38D".  The requirements is for one party to the
553
     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
554
     * side only.
555
     */
556
0
    if (ctx->enc && ++ctx->tls_enc_records == 0) {
557
0
        ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
558
0
        goto err;
559
0
    }
560
561
    /*
562
     * Set IV from start of buffer or generate IV and write to start of
563
     * buffer.
564
     */
565
0
    if (ctx->enc) {
566
0
        if (!getivgen(ctx, out, arg))
567
0
            goto err;
568
0
    } else {
569
0
        if (!setivinv(ctx, out, arg))
570
0
            goto err;
571
0
    }
572
573
    /* Fix buffer and length to point to payload */
574
0
    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
575
0
    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
576
0
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
577
578
0
    tag = ctx->enc ? out + len : (unsigned char *)in + len;
579
0
    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
580
0
                          EVP_GCM_TLS_TAG_LEN)) {
581
0
        if (!ctx->enc)
582
0
            OPENSSL_cleanse(out, len);
583
0
        goto err;
584
0
    }
585
0
    if (ctx->enc)
586
0
        plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
587
0
    else
588
0
        plen = len;
589
590
0
    rv = 1;
591
0
err:
592
0
    ctx->iv_state = IV_STATE_FINISHED;
593
0
    ctx->tls_aad_len = UNINITIALISED_SIZET;
594
0
    *padlen = plen;
595
0
    return rv;
596
0
}