/src/openssl30/providers/implementations/ciphers/ciphercommon_gcm.c

Source (jump to first uncovered line)
/*
 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Dispatch functions for gcm mode */

#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "prov/ciphercommon.h"
#include "prov/ciphercommon_gcm.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"

static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
                                size_t len);
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
                          const unsigned char *in, size_t len);
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
                               size_t *padlen, const unsigned char *in,
                               size_t len);

/*
 * Called from EVP_CipherInit when there is currently no context via
 * the new_ctx() function
 */
void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
                      const PROV_GCM_HW *hw)
{
    ctx->pad = 1;
    ctx->mode = EVP_CIPH_GCM_MODE;
    ctx->taglen = UNINITIALISED_SIZET;
    ctx->tls_aad_len = UNINITIALISED_SIZET;
    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
    ctx->keylen = keybits / 8;
    ctx->hw = hw;
    ctx->libctx = PROV_LIBCTX_OF(provctx);
}

/*
 * Called by EVP_CipherInit via the _einit and _dinit functions
 */
static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
                    const unsigned char *iv, size_t ivlen,
                    const OSSL_PARAM params[], int enc)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    ctx->enc = enc;

    if (iv != NULL) {
        if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
            return 0;
        }
        ctx->ivlen = ivlen;
        memcpy(ctx->iv, iv, ivlen);
        ctx->iv_state = IV_STATE_BUFFERED;
    }

    if (key != NULL) {
        if (keylen != ctx->keylen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
        if (!ctx->hw->setkey(ctx, key, ctx->keylen))
            return 0;
        ctx->tls_enc_records = 0;
    }
    return ossl_gcm_set_ctx_params(ctx, params);
}

int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
                   const unsigned char *iv, size_t ivlen,
                   const OSSL_PARAM params[])
{
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
}

int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
                   const unsigned char *iv, size_t ivlen,
                   const OSSL_PARAM params[])
{
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
}

/* increment counter (64-bit int) by 1 */
static void ctr64_inc(unsigned char *counter)
{
    int n = 8;
    unsigned char c;

    do {
        --n;
        c = counter[n];
        ++c;
        counter[n] = c;
        if (c > 0)
            return;
    } while (n > 0);
}

static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
{
    if (!ctx->iv_gen
        || !ctx->key_set
        || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
        return 0;
    if (olen == 0 || olen > ctx->ivlen)
        olen = ctx->ivlen;
    memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
    /*
     * Invocation field will be at least 8 bytes in size and so no need
     * to check wrap around or increment more than last 8 bytes.
     */
    ctr64_inc(ctx->iv + ctx->ivlen - 8);
    ctx->iv_state = IV_STATE_COPIED;
    return 1;
}

static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
{
    if (!ctx->iv_gen
        || !ctx->key_set
        || ctx->enc)
        return 0;

    memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
    if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
        return 0;
    ctx->iv_state = IV_STATE_COPIED;
    return 1;
}

int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
    OSSL_PARAM *p;
    size_t sz;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
    if (p != NULL) {
        size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
                         GCM_TAG_MAX_SIZE;

        if (!OSSL_PARAM_set_size_t(p, taglen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
            return 0;
        }
    }

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
    if (p != NULL) {
        if (ctx->iv_state == IV_STATE_UNINITIALISED)
            return 0;
        if (ctx->ivlen > p->data_size) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
            return 0;
        }
        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
            && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
            return 0;
        }
    }

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
    if (p != NULL) {
        if (ctx->iv_state == IV_STATE_UNINITIALISED)
            return 0;
        if (ctx->ivlen > p->data_size) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
            return 0;
        }
        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
            && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
            return 0;
        }
    }

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
    if (p != NULL) {
        sz = p->data_size;
        if (sz == 0
            || sz > EVP_GCM_TLS_TAG_LEN
            || !ctx->enc
            || ctx->taglen == UNINITIALISED_SIZET) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
            return 0;
        }
        if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
            return 0;
        }
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN);
    if (p != NULL) {
        if (p->data == NULL
            || p->data_type != OSSL_PARAM_OCTET_STRING
            || !getivgen(ctx, p->data, p->data_size))
            return 0;
    }
    return 1;
}

int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
    const OSSL_PARAM *p;
    size_t sz;
    void *vp;

    if (params == NULL)
        return 1;

    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
    if (p != NULL) {
        vp = ctx->buf;
        if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (sz == 0 || ctx->enc) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
            return 0;
        }
        ctx->taglen = sz;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
    if (p != NULL) {
        if (!OSSL_PARAM_get_size_t(p, &sz)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (sz == 0 || sz > sizeof(ctx->iv)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
            return 0;
        }
        ctx->ivlen = sz;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        sz = gcm_tls_init(ctx, p->data, p->data_size);
        if (sz == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
            return 0;
        }
        ctx->tls_aad_pad_sz = sz;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
    }
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV);
    if (p != NULL) {
        if (p->data == NULL
            || p->data_type != OSSL_PARAM_OCTET_STRING
            || !setivinv(ctx, p->data, p->data_size))
            return 0;
    }


    return 1;
}

int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
                           size_t outsize, const unsigned char *in, size_t inl)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;

    if (inl == 0) {
        *outl = 0;
        return 1;
    }

    if (outsize < inl) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
        return 0;
    }
    return 1;
}

int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
                          size_t outsize)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
    int i;

    if (!ossl_prov_is_running())
        return 0;

    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
    if (i <= 0)
        return 0;

    *outl = 0;
    return 1;
}

int ossl_gcm_cipher(void *vctx,
                    unsigned char *out, size_t *outl, size_t outsize,
                    const unsigned char *in, size_t inl)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    if (outsize < inl) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
        return 0;

    *outl = inl;
    return 1;
}

/*
 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
 *
 * See also 8.2.2 RBG-based construction.
 * Random construction consists of a free field (which can be NULL) and a
 * random field which will use a DRBG that can return at least 96 bits of
 * entropy strength. (The DRBG must be seeded by the FIPS module).
 */
static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
{
    int sz = ctx->ivlen - offset;

    /* Must be at least 96 bits */
    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
        return 0;

    /* Use DRBG to generate random iv */
    if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
        return 0;
    ctx->iv_state = IV_STATE_BUFFERED;
    ctx->iv_gen_rand = 1;
    return 1;
}

static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
                               size_t *padlen, const unsigned char *in,
                               size_t len)
{
    size_t olen = 0;
    int rv = 0;
    const PROV_GCM_HW *hw = ctx->hw;

    if (ctx->tls_aad_len != UNINITIALISED_SIZET)
        return gcm_tls_cipher(ctx, out, padlen, in, len);

    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
        goto err;

    /*
     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
     * The IV can still be set externally (the security policy will state that
     * this is not FIPS compliant). There are some applications
     * where setting the IV externally is the only option available.
     */
    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
            goto err;
    }

    if (ctx->iv_state == IV_STATE_BUFFERED) {
        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
            goto err;
        ctx->iv_state = IV_STATE_COPIED;
    }

    if (in != NULL) {
        /*  The input is AAD if out is NULL */
        if (out == NULL) {
            if (!hw->aadupdate(ctx, in, len))
                goto err;
        } else {
            /* The input is ciphertext OR plaintext */
            if (!hw->cipherupdate(ctx, in, len, out))
                goto err;
        }
    } else {
        /* The tag must be set before actually decrypting data */
        if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
            goto err;
        if (!hw->cipherfinal(ctx, ctx->buf))
            goto err;
        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
        goto finish;
    }
    olen = len;
finish:
    rv = 1;
err:
    *padlen = olen;
    return rv;
}

static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
{
    unsigned char *buf;
    size_t len;

    if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
       return 0;

    /* Save the aad for later use. */
    buf = dat->buf;
    memcpy(buf, aad, aad_len);
    dat->tls_aad_len = aad_len;

    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
    /* Correct length for explicit iv. */
    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
        return 0;
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;

    /* If decrypting correct for tag too. */
    if (!dat->enc) {
        if (len < EVP_GCM_TLS_TAG_LEN)
            return 0;
        len -= EVP_GCM_TLS_TAG_LEN;
    }
    buf[aad_len - 2] = (unsigned char)(len >> 8);
    buf[aad_len - 1] = (unsigned char)(len & 0xff);
    /* Extra padding: tag appended to record. */
    return EVP_GCM_TLS_TAG_LEN;
}

static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
                                size_t len)
{
    /* Special case: -1 length restores whole IV */
    if (len == (size_t)-1) {
        memcpy(ctx->iv, iv, ctx->ivlen);
        ctx->iv_gen = 1;
        ctx->iv_state = IV_STATE_BUFFERED;
        return 1;
    }
    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
            return 0;
    if (len > 0)
        memcpy(ctx->iv, iv, len);
    if (ctx->enc
        && RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
            return 0;
    ctx->iv_gen = 1;
    ctx->iv_state = IV_STATE_BUFFERED;
    return 1;
}

/*
 * Handle TLS GCM packet format. This consists of the last portion of the IV
 * followed by the payload and finally the tag. On encrypt generate IV,
 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
 * and verify tag.
 */
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
                          const unsigned char *in, size_t len)
{
    int rv = 0;
    size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
    size_t plen = 0;
    unsigned char *tag = NULL;

    if (!ossl_prov_is_running() || !ctx->key_set)
        goto err;

    /* Encrypt/decrypt must be performed in place */
    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
        goto err;

    /*
     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
     * Requirements from SP 800-38D".  The requirements is for one party to the
     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
     * side only.
     */
    if (ctx->enc && ++ctx->tls_enc_records == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
        goto err;
    }

    /*
     * Set IV from start of buffer or generate IV and write to start of
     * buffer.
     */
    if (ctx->enc) {
        if (!getivgen(ctx, out, arg))
            goto err;
    } else {
        if (!setivinv(ctx, out, arg))
            goto err;
    }

    /* Fix buffer and length to point to payload */
    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;

    tag = ctx->enc ? out + len : (unsigned char *)in + len;
    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
                          EVP_GCM_TLS_TAG_LEN)) {
        if (!ctx->enc)
            OPENSSL_cleanse(out, len);
        goto err;
    }
    if (ctx->enc)
        plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
    else
        plen = len;

    rv = 1;
err:
    ctx->iv_state = IV_STATE_FINISHED;
    ctx->tls_aad_len = UNINITIALISED_SIZET;
    *padlen = plen;
    return rv;
}

Coverage Report

Created: 2023-09-25 06:45

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/* Dispatch functions for gcm mode */
11
12		#include <openssl/rand.h>
13		#include <openssl/proverr.h>
14		#include "prov/ciphercommon.h"
15		#include "prov/ciphercommon_gcm.h"
16		#include "prov/providercommon.h"
17		#include "prov/provider_ctx.h"
18
19		static int gcm_tls_init(PROV_GCM_CTX dat, unsigned char aad, size_t aad_len);
20		static int gcm_tls_iv_set_fixed(PROV_GCM_CTX ctx, unsigned char iv,
21		size_t len);
22		static int gcm_tls_cipher(PROV_GCM_CTX ctx, unsigned char out, size_t *padlen,
23		const unsigned char *in, size_t len);
24		static int gcm_cipher_internal(PROV_GCM_CTX ctx, unsigned char out,
25		size_t padlen, const unsigned char in,
26		size_t len);
27
28		/*
29		* Called from EVP_CipherInit when there is currently no context via
30		* the new_ctx() function
31		*/
32		void ossl_gcm_initctx(void provctx, PROV_GCM_CTX ctx, size_t keybits,
33		const PROV_GCM_HW *hw)
34	2.33k	{
35	2.33k	ctx->pad = 1;
36	2.33k	ctx->mode = EVP_CIPH_GCM_MODE;
37	2.33k	ctx->taglen = UNINITIALISED_SIZET;
38	2.33k	ctx->tls_aad_len = UNINITIALISED_SIZET;
39	2.33k	ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
40	2.33k	ctx->keylen = keybits / 8;
41	2.33k	ctx->hw = hw;
42	2.33k	ctx->libctx = PROV_LIBCTX_OF(provctx);
43	2.33k	}
44
45		/*
46		* Called by EVP_CipherInit via the _einit and _dinit functions
47		*/
48		static int gcm_init(void vctx, const unsigned char key, size_t keylen,
49		const unsigned char *iv, size_t ivlen,
50		const OSSL_PARAM params[], int enc)
51	31.0k	{
52	31.0k	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
53
54	31.0k	if (!ossl_prov_is_running())
55	0	return 0;
56
57	31.0k	ctx->enc = enc;
58
59	31.0k	if (iv != NULL) {
60	27.0k	if (ivlen == 0 \|\| ivlen > sizeof(ctx->iv)) {
61	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
62	0	return 0;
63	0	}
64	27.0k	ctx->ivlen = ivlen;
65	27.0k	memcpy(ctx->iv, iv, ivlen);
66	27.0k	ctx->iv_state = IV_STATE_BUFFERED;
67	27.0k	}
68
69	31.0k	if (key != NULL) {
70	2.33k	if (keylen != ctx->keylen) {
71	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
72	0	return 0;
73	0	}
74	2.33k	if (!ctx->hw->setkey(ctx, key, ctx->keylen))
75	0	return 0;
76	2.33k	ctx->tls_enc_records = 0;
77	2.33k	}
78	31.0k	return ossl_gcm_set_ctx_params(ctx, params);
79	31.0k	}
80
81		int ossl_gcm_einit(void vctx, const unsigned char key, size_t keylen,
82		const unsigned char *iv, size_t ivlen,
83		const OSSL_PARAM params[])
84	4.71k	{
85	4.71k	return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
86	4.71k	}
87
88		int ossl_gcm_dinit(void vctx, const unsigned char key, size_t keylen,
89		const unsigned char *iv, size_t ivlen,
90		const OSSL_PARAM params[])
91	26.2k	{
92	26.2k	return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
93	26.2k	}
94
95		/* increment counter (64-bit int) by 1 */
96		static void ctr64_inc(unsigned char *counter)
97	562	{
98	562	int n = 8;
99	562	unsigned char c;
100
101	562	do {
102	562	--n;
103	562	c = counter[n];
104	562	++c;
105	562	counter[n] = c;
106	562	if (c > 0)
107	562	return;
108	562	} while (n > 0);
109	562	}
110
111		static int getivgen(PROV_GCM_CTX ctx, unsigned char out, size_t olen)
112	562	{
113	562	if (!ctx->iv_gen
114	562	\|\| !ctx->key_set
115	562	\|\| !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
116	0	return 0;
117	562	if (olen == 0 \|\| olen > ctx->ivlen)
118	0	olen = ctx->ivlen;
119	562	memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
120		/*
121		* Invocation field will be at least 8 bytes in size and so no need
122		* to check wrap around or increment more than last 8 bytes.
123		*/
124	562	ctr64_inc(ctx->iv + ctx->ivlen - 8);
125	562	ctx->iv_state = IV_STATE_COPIED;
126	562	return 1;
127	562	}
128
129		static int setivinv(PROV_GCM_CTX ctx, unsigned char in, size_t inl)
130	307	{
131	307	if (!ctx->iv_gen
132	307	\|\| !ctx->key_set
133	307	\|\| ctx->enc)
134	0	return 0;
135
136	307	memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
137	307	if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
138	0	return 0;
139	307	ctx->iv_state = IV_STATE_COPIED;
140	307	return 1;
141	307	}
142
143		int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
144	16.3k	{
145	16.3k	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
146	16.3k	OSSL_PARAM *p;
147	16.3k	size_t sz;
148
149	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
150	16.3k	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
151	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
152	0	return 0;
153	0	}
154	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
155	16.3k	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
156	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
157	0	return 0;
158	0	}
159	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
160	16.3k	if (p != NULL) {
161	0	size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
162	0	GCM_TAG_MAX_SIZE;
163
164	0	if (!OSSL_PARAM_set_size_t(p, taglen)) {
165	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
166	0	return 0;
167	0	}
168	0	}
169
170	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
171	16.3k	if (p != NULL) {
172	0	if (ctx->iv_state == IV_STATE_UNINITIALISED)
173	0	return 0;
174	0	if (ctx->ivlen > p->data_size) {
175	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
176	0	return 0;
177	0	}
178	0	if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
179	0	&& !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
180	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
181	0	return 0;
182	0	}
183	0	}
184
185	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
186	16.3k	if (p != NULL) {
187	0	if (ctx->iv_state == IV_STATE_UNINITIALISED)
188	0	return 0;
189	0	if (ctx->ivlen > p->data_size) {
190	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
191	0	return 0;
192	0	}
193	0	if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
194	0	&& !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
195	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
196	0	return 0;
197	0	}
198	0	}
199
200	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
201	16.3k	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
202	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
203	0	return 0;
204	0	}
205	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
206	16.3k	if (p != NULL) {
207	1.01k	sz = p->data_size;
208	1.01k	if (sz == 0
209	1.01k	\|\| sz > EVP_GCM_TLS_TAG_LEN
210	1.01k	\|\| !ctx->enc
211	1.01k	\|\| ctx->taglen == UNINITIALISED_SIZET) {
212	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
213	0	return 0;
214	0	}
215	1.01k	if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
216	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
217	0	return 0;
218	0	}
219	1.01k	}
220	16.3k	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN);
221	16.3k	if (p != NULL) {
222	0	if (p->data == NULL
223	0	\|\| p->data_type != OSSL_PARAM_OCTET_STRING
224	0	\|\| !getivgen(ctx, p->data, p->data_size))
225	0	return 0;
226	0	}
227	16.3k	return 1;
228	16.3k	}
229
230		int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
231	29.2k	{
232	29.2k	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
233	29.2k	const OSSL_PARAM *p;
234	29.2k	size_t sz;
235	29.2k	void *vp;
236
237	29.2k	if (params == NULL)
238	14.9k	return 1;
239
240	14.2k	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
241	14.2k	if (p != NULL) {
242	12.1k	vp = ctx->buf;
243	12.1k	if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
244	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
245	0	return 0;
246	0	}
247	12.1k	if (sz == 0 \|\| ctx->enc) {
248	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
249	0	return 0;
250	0	}
251	12.1k	ctx->taglen = sz;
252	12.1k	}
253
254	14.2k	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
255	14.2k	if (p != NULL) {
256	695	if (!OSSL_PARAM_get_size_t(p, &sz)) {
257	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
258	0	return 0;
259	0	}
260	695	if (sz == 0 \|\| sz > sizeof(ctx->iv)) {
261	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
262	0	return 0;
263	0	}
264	695	ctx->ivlen = sz;
265	695	}
266
267	14.2k	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
268	14.2k	if (p != NULL) {
269	509	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
270	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
271	0	return 0;
272	0	}
273	509	sz = gcm_tls_init(ctx, p->data, p->data_size);
274	509	if (sz == 0) {
275	11	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
276	11	return 0;
277	11	}
278	498	ctx->tls_aad_pad_sz = sz;
279	498	}
280
281	14.2k	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
282	14.2k	if (p != NULL) {
283	444	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
284	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
285	0	return 0;
286	0	}
287	444	if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
288	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
289	0	return 0;
290	0	}
291	444	}
292	14.2k	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV);
293	14.2k	if (p != NULL) {
294	0	if (p->data == NULL
295	0	\|\| p->data_type != OSSL_PARAM_OCTET_STRING
296	0	\|\| !setivinv(ctx, p->data, p->data_size))
297	0	return 0;
298	0	}
299
300
301	14.2k	return 1;
302	14.2k	}
303
304		int ossl_gcm_stream_update(void vctx, unsigned char out, size_t *outl,
305		size_t outsize, const unsigned char *in, size_t inl)
306	55.0k	{
307	55.0k	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
308
309	55.0k	if (inl == 0) {
310	0	*outl = 0;
311	0	return 1;
312	0	}
313
314	55.0k	if (outsize < inl) {
315	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
316	0	return 0;
317	0	}
318
319	55.0k	if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
320	260	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
321	260	return 0;
322	260	}
323	54.7k	return 1;
324	55.0k	}
325
326		int ossl_gcm_stream_final(void vctx, unsigned char out, size_t *outl,
327		size_t outsize)
328	27.0k	{
329	27.0k	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
330	27.0k	int i;
331
332	27.0k	if (!ossl_prov_is_running())
333	0	return 0;
334
335	27.0k	i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
336	27.0k	if (i <= 0)
337	24.5k	return 0;
338
339	2.50k	*outl = 0;
340	2.50k	return 1;
341	27.0k	}
342
343		int ossl_gcm_cipher(void *vctx,
344		unsigned char out, size_t outl, size_t outsize,
345		const unsigned char *in, size_t inl)
346	0	{
347	0	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
348
349	0	if (!ossl_prov_is_running())
350	0	return 0;
351
352	0	if (outsize < inl) {
353	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
354	0	return 0;
355	0	}
356
357	0	if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
358	0	return 0;
359
360	0	*outl = inl;
361	0	return 1;
362	0	}
363
364		/*
365		* See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
366		*
367		* See also 8.2.2 RBG-based construction.
368		* Random construction consists of a free field (which can be NULL) and a
369		* random field which will use a DRBG that can return at least 96 bits of
370		* entropy strength. (The DRBG must be seeded by the FIPS module).
371		*/
372		static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
373	0	{
374	0	int sz = ctx->ivlen - offset;
375
376		/* Must be at least 96 bits */
377	0	if (sz <= 0 \|\| ctx->ivlen < GCM_IV_DEFAULT_SIZE)
378	0	return 0;
379
380		/* Use DRBG to generate random iv */
381	0	if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
382	0	return 0;
383	0	ctx->iv_state = IV_STATE_BUFFERED;
384	0	ctx->iv_gen_rand = 1;
385	0	return 1;
386	0	}
387
388		static int gcm_cipher_internal(PROV_GCM_CTX ctx, unsigned char out,
389		size_t padlen, const unsigned char in,
390		size_t len)
391	82.0k	{
392	82.0k	size_t olen = 0;
393	82.0k	int rv = 0;
394	82.0k	const PROV_GCM_HW *hw = ctx->hw;
395
396	82.0k	if (ctx->tls_aad_len != UNINITIALISED_SIZET)
397	869	return gcm_tls_cipher(ctx, out, padlen, in, len);
398
399	81.2k	if (!ctx->key_set \|\| ctx->iv_state == IV_STATE_FINISHED)
400	0	goto err;
401
402		/*
403		* FIPS requires generation of AES-GCM IV's inside the FIPS module.
404		* The IV can still be set externally (the security policy will state that
405		* this is not FIPS compliant). There are some applications
406		* where setting the IV externally is the only option available.
407		*/
408	81.2k	if (ctx->iv_state == IV_STATE_UNINITIALISED) {
409	0	if (!ctx->enc \|\| !gcm_iv_generate(ctx, 0))
410	0	goto err;
411	0	}
412
413	81.2k	if (ctx->iv_state == IV_STATE_BUFFERED) {
414	27.0k	if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
415	0	goto err;
416	27.0k	ctx->iv_state = IV_STATE_COPIED;
417	27.0k	}
418
419	81.2k	if (in != NULL) {
420		/* The input is AAD if out is NULL */
421	54.1k	if (out == NULL) {
422	27.0k	if (!hw->aadupdate(ctx, in, len))
423	0	goto err;
424	27.0k	} else {
425		/* The input is ciphertext OR plaintext */
426	27.0k	if (!hw->cipherupdate(ctx, in, len, out))
427	0	goto err;
428	27.0k	}
429	54.1k	} else {
430		/* The tag must be set before actually decrypting data */
431	27.0k	if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
432	0	goto err;
433	27.0k	if (!hw->cipherfinal(ctx, ctx->buf))
434	24.5k	goto err;
435	2.50k	ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
436	2.50k	goto finish;
437	27.0k	}
438	54.1k	olen = len;
439	56.6k	finish:
440	56.6k	rv = 1;
441	81.2k	err:
442	81.2k	*padlen = olen;
443	81.2k	return rv;
444	56.6k	}
445
446		static int gcm_tls_init(PROV_GCM_CTX dat, unsigned char aad, size_t aad_len)
447	894	{
448	894	unsigned char *buf;
449	894	size_t len;
450
451	894	if (!ossl_prov_is_running() \|\| aad_len != EVP_AEAD_TLS1_AAD_LEN)
452	0	return 0;
453
454		/* Save the aad for later use. */
455	894	buf = dat->buf;
456	894	memcpy(buf, aad, aad_len);
457	894	dat->tls_aad_len = aad_len;
458
459	894	len = buf[aad_len - 2] << 8 \| buf[aad_len - 1];
460		/* Correct length for explicit iv. */
461	894	if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
462	15	return 0;
463	879	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
464
465		/* If decrypting correct for tag too. */
466	879	if (!dat->enc) {
467	317	if (len < EVP_GCM_TLS_TAG_LEN)
468	10	return 0;
469	307	len -= EVP_GCM_TLS_TAG_LEN;
470	307	}
471	869	buf[aad_len - 2] = (unsigned char)(len >> 8);
472	869	buf[aad_len - 1] = (unsigned char)(len & 0xff);
473		/* Extra padding: tag appended to record. */
474	869	return EVP_GCM_TLS_TAG_LEN;
475	879	}
476
477		static int gcm_tls_iv_set_fixed(PROV_GCM_CTX ctx, unsigned char iv,
478		size_t len)
479	729	{
480		/* Special case: -1 length restores whole IV */
481	729	if (len == (size_t)-1) {
482	0	memcpy(ctx->iv, iv, ctx->ivlen);
483	0	ctx->iv_gen = 1;
484	0	ctx->iv_state = IV_STATE_BUFFERED;
485	0	return 1;
486	0	}
487		/* Fixed field must be at least 4 bytes and invocation field at least 8 */
488	729	if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
489	729	\|\| (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
490	0	return 0;
491	729	if (len > 0)
492	729	memcpy(ctx->iv, iv, len);
493	729	if (ctx->enc
494	729	&& RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
495	0	return 0;
496	729	ctx->iv_gen = 1;
497	729	ctx->iv_state = IV_STATE_BUFFERED;
498	729	return 1;
499	729	}
500
501		/*
502		* Handle TLS GCM packet format. This consists of the last portion of the IV
503		* followed by the payload and finally the tag. On encrypt generate IV,
504		* encrypt payload and write the tag. On verify retrieve IV, decrypt payload
505		* and verify tag.
506		*/
507		static int gcm_tls_cipher(PROV_GCM_CTX ctx, unsigned char out, size_t *padlen,
508		const unsigned char *in, size_t len)
509	869	{
510	869	int rv = 0;
511	869	size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
512	869	size_t plen = 0;
513	869	unsigned char *tag = NULL;
514
515	869	if (!ossl_prov_is_running() \|\| !ctx->key_set)
516	0	goto err;
517
518		/* Encrypt/decrypt must be performed in place */
519	869	if (out != in \|\| len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
520	0	goto err;
521
522		/*
523		* Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
524		* Requirements from SP 800-38D". The requirements is for one party to the
525		* communication to fail after 2^64 - 1 keys. We do this on the encrypting
526		* side only.
527		*/
528	869	if (ctx->enc && ++ctx->tls_enc_records == 0) {
529	0	ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
530	0	goto err;
531	0	}
532
533		/*
534		* Set IV from start of buffer or generate IV and write to start of
535		* buffer.
536		*/
537	869	if (ctx->enc) {
538	562	if (!getivgen(ctx, out, arg))
539	0	goto err;
540	562	} else {
541	307	if (!setivinv(ctx, out, arg))
542	0	goto err;
543	307	}
544
545		/* Fix buffer and length to point to payload */
546	869	in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
547	869	out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
548	869	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
549
550	869	tag = ctx->enc ? out + len : (unsigned char *)in + len;
551	869	if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
552	869	EVP_GCM_TLS_TAG_LEN)) {
553	260	if (!ctx->enc)
554	260	OPENSSL_cleanse(out, len);
555	260	goto err;
556	260	}
557	609	if (ctx->enc)
558	562	plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
559	47	else
560	47	plen = len;
561
562	609	rv = 1;
563	869	err:
564	869	ctx->iv_state = IV_STATE_FINISHED;
565	869	ctx->tls_aad_len = UNINITIALISED_SIZET;
566	869	*padlen = plen;
567	869	return rv;
568	609	}