Coverage Report

Created: 2024-07-27 06:39

/src/openssl30/providers/implementations/ciphers/ciphercommon_gcm.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/* Dispatch functions for gcm mode */
11
12
#include <openssl/rand.h>
13
#include <openssl/proverr.h>
14
#include "prov/ciphercommon.h"
15
#include "prov/ciphercommon_gcm.h"
16
#include "prov/providercommon.h"
17
#include "prov/provider_ctx.h"
18
19
static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
20
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
21
                                size_t len);
22
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
23
                          const unsigned char *in, size_t len);
24
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
25
                               size_t *padlen, const unsigned char *in,
26
                               size_t len);
27
28
/*
29
 * Called from EVP_CipherInit when there is currently no context via
30
 * the new_ctx() function
31
 */
32
void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
33
                      const PROV_GCM_HW *hw)
34
252k
{
35
252k
    ctx->pad = 1;
36
252k
    ctx->mode = EVP_CIPH_GCM_MODE;
37
252k
    ctx->taglen = UNINITIALISED_SIZET;
38
252k
    ctx->tls_aad_len = UNINITIALISED_SIZET;
39
252k
    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
40
252k
    ctx->keylen = keybits / 8;
41
252k
    ctx->hw = hw;
42
252k
    ctx->libctx = PROV_LIBCTX_OF(provctx);
43
252k
}
44
45
/*
46
 * Called by EVP_CipherInit via the _einit and _dinit functions
47
 */
48
static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
49
                    const unsigned char *iv, size_t ivlen,
50
                    const OSSL_PARAM params[], int enc)
51
1.06M
{
52
1.06M
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
53
54
1.06M
    if (!ossl_prov_is_running())
55
0
        return 0;
56
57
1.06M
    ctx->enc = enc;
58
59
1.06M
    if (iv != NULL) {
60
1.05M
        if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
61
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
62
0
            return 0;
63
0
        }
64
1.05M
        ctx->ivlen = ivlen;
65
1.05M
        memcpy(ctx->iv, iv, ivlen);
66
1.05M
        ctx->iv_state = IV_STATE_BUFFERED;
67
1.05M
    }
68
69
1.06M
    if (key != NULL) {
70
252k
        if (keylen != ctx->keylen) {
71
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
72
0
            return 0;
73
0
        }
74
252k
        if (!ctx->hw->setkey(ctx, key, ctx->keylen))
75
0
            return 0;
76
252k
        ctx->tls_enc_records = 0;
77
252k
    }
78
1.06M
    return ossl_gcm_set_ctx_params(ctx, params);
79
1.06M
}
80
81
int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
82
                   const unsigned char *iv, size_t ivlen,
83
                   const OSSL_PARAM params[])
84
592k
{
85
592k
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
86
592k
}
87
88
int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
89
                   const unsigned char *iv, size_t ivlen,
90
                   const OSSL_PARAM params[])
91
470k
{
92
470k
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
93
470k
}
94
95
/* increment counter (64-bit int) by 1 */
96
static void ctr64_inc(unsigned char *counter)
97
1.07k
{
98
1.07k
    int n = 8;
99
1.07k
    unsigned char c;
100
101
1.07k
    do {
102
1.07k
        --n;
103
1.07k
        c = counter[n];
104
1.07k
        ++c;
105
1.07k
        counter[n] = c;
106
1.07k
        if (c > 0)
107
1.07k
            return;
108
1.07k
    } while (n > 0);
109
1.07k
}
110
111
static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
112
1.07k
{
113
1.07k
    if (!ctx->iv_gen
114
1.07k
        || !ctx->key_set
115
1.07k
        || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
116
0
        return 0;
117
1.07k
    if (olen == 0 || olen > ctx->ivlen)
118
0
        olen = ctx->ivlen;
119
1.07k
    memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
120
    /*
121
     * Invocation field will be at least 8 bytes in size and so no need
122
     * to check wrap around or increment more than last 8 bytes.
123
     */
124
1.07k
    ctr64_inc(ctx->iv + ctx->ivlen - 8);
125
1.07k
    ctx->iv_state = IV_STATE_COPIED;
126
1.07k
    return 1;
127
1.07k
}
128
129
static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
130
7.35k
{
131
7.35k
    if (!ctx->iv_gen
132
7.35k
        || !ctx->key_set
133
7.35k
        || ctx->enc)
134
0
        return 0;
135
136
7.35k
    memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
137
7.35k
    if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
138
0
        return 0;
139
7.35k
    ctx->iv_state = IV_STATE_COPIED;
140
7.35k
    return 1;
141
7.35k
}
142
143
int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
144
22.8k
{
145
22.8k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
146
22.8k
    OSSL_PARAM *p;
147
22.8k
    size_t sz;
148
149
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
150
22.8k
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
151
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
152
0
        return 0;
153
0
    }
154
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
155
22.8k
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
156
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
157
0
        return 0;
158
0
    }
159
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
160
22.8k
    if (p != NULL) {
161
0
        size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
162
0
                         GCM_TAG_MAX_SIZE;
163
164
0
        if (!OSSL_PARAM_set_size_t(p, taglen)) {
165
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
166
0
            return 0;
167
0
        }
168
0
    }
169
170
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
171
22.8k
    if (p != NULL) {
172
0
        if (ctx->iv_state == IV_STATE_UNINITIALISED)
173
0
            return 0;
174
0
        if (ctx->ivlen > p->data_size) {
175
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
176
0
            return 0;
177
0
        }
178
0
        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
179
0
            && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
180
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
181
0
            return 0;
182
0
        }
183
0
    }
184
185
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
186
22.8k
    if (p != NULL) {
187
0
        if (ctx->iv_state == IV_STATE_UNINITIALISED)
188
0
            return 0;
189
0
        if (ctx->ivlen > p->data_size) {
190
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
191
0
            return 0;
192
0
        }
193
0
        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
194
0
            && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
195
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
196
0
            return 0;
197
0
        }
198
0
    }
199
200
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
201
22.8k
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
202
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
203
0
        return 0;
204
0
    }
205
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
206
22.8k
    if (p != NULL) {
207
2.18k
        sz = p->data_size;
208
2.18k
        if (sz == 0
209
2.18k
            || sz > EVP_GCM_TLS_TAG_LEN
210
2.18k
            || !ctx->enc
211
2.18k
            || ctx->taglen == UNINITIALISED_SIZET) {
212
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
213
0
            return 0;
214
0
        }
215
2.18k
        if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
216
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
217
0
            return 0;
218
0
        }
219
2.18k
    }
220
22.8k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN);
221
22.8k
    if (p != NULL) {
222
0
        if (p->data == NULL
223
0
            || p->data_type != OSSL_PARAM_OCTET_STRING
224
0
            || !getivgen(ctx, p->data, p->data_size))
225
0
            return 0;
226
0
    }
227
22.8k
    return 1;
228
22.8k
}
229
230
int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
231
64.0k
{
232
64.0k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
233
64.0k
    const OSSL_PARAM *p;
234
64.0k
    size_t sz;
235
64.0k
    void *vp;
236
237
64.0k
    if (params == NULL)
238
32.8k
        return 1;
239
240
31.1k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
241
31.1k
    if (p != NULL) {
242
26.7k
        vp = ctx->buf;
243
26.7k
        if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
244
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
245
0
            return 0;
246
0
        }
247
26.7k
        if (sz == 0 || ctx->enc) {
248
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
249
0
            return 0;
250
0
        }
251
26.7k
        ctx->taglen = sz;
252
26.7k
    }
253
254
31.1k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
255
31.1k
    if (p != NULL) {
256
1.51k
        if (!OSSL_PARAM_get_size_t(p, &sz)) {
257
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
258
0
            return 0;
259
0
        }
260
1.51k
        if (sz == 0 || sz > sizeof(ctx->iv)) {
261
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
262
0
            return 0;
263
0
        }
264
1.51k
        if (ctx->ivlen != sz) {
265
            /* If the iv was already set or autogenerated, it is invalid. */
266
0
            if (ctx->iv_state != IV_STATE_UNINITIALISED)
267
0
                ctx->iv_state = IV_STATE_FINISHED;
268
0
            ctx->ivlen = sz;
269
0
        }
270
1.51k
    }
271
272
31.1k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
273
31.1k
    if (p != NULL) {
274
1.05k
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
275
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
276
0
            return 0;
277
0
        }
278
1.05k
        sz = gcm_tls_init(ctx, p->data, p->data_size);
279
1.05k
        if (sz == 0) {
280
24
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
281
24
            return 0;
282
24
        }
283
1.02k
        ctx->tls_aad_pad_sz = sz;
284
1.02k
    }
285
286
31.1k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
287
31.1k
    if (p != NULL) {
288
896
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
289
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
290
0
            return 0;
291
0
        }
292
896
        if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
293
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
294
0
            return 0;
295
0
        }
296
896
    }
297
31.1k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV);
298
31.1k
    if (p != NULL) {
299
0
        if (p->data == NULL
300
0
            || p->data_type != OSSL_PARAM_OCTET_STRING
301
0
            || !setivinv(ctx, p->data, p->data_size))
302
0
            return 0;
303
0
    }
304
305
306
31.1k
    return 1;
307
31.1k
}
308
309
int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
310
                           size_t outsize, const unsigned char *in, size_t inl)
311
2.38M
{
312
2.38M
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
313
314
2.38M
    if (inl == 0) {
315
0
        *outl = 0;
316
0
        return 1;
317
0
    }
318
319
2.38M
    if (outsize < inl) {
320
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
321
0
        return 0;
322
0
    }
323
324
2.38M
    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
325
7.24k
        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
326
7.24k
        return 0;
327
7.24k
    }
328
2.37M
    return 1;
329
2.38M
}
330
331
int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
332
                          size_t outsize)
333
961k
{
334
961k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
335
961k
    int i;
336
337
961k
    if (!ossl_prov_is_running())
338
0
        return 0;
339
340
961k
    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
341
961k
    if (i <= 0)
342
372k
        return 0;
343
344
589k
    *outl = 0;
345
589k
    return 1;
346
961k
}
347
348
int ossl_gcm_cipher(void *vctx,
349
                    unsigned char *out, size_t *outl, size_t outsize,
350
                    const unsigned char *in, size_t inl)
351
0
{
352
0
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
353
354
0
    if (!ossl_prov_is_running())
355
0
        return 0;
356
357
0
    if (outsize < inl) {
358
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
359
0
        return 0;
360
0
    }
361
362
0
    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
363
0
        return 0;
364
365
0
    *outl = inl;
366
0
    return 1;
367
0
}
368
369
/*
370
 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
371
 *
372
 * See also 8.2.2 RBG-based construction.
373
 * Random construction consists of a free field (which can be NULL) and a
374
 * random field which will use a DRBG that can return at least 96 bits of
375
 * entropy strength. (The DRBG must be seeded by the FIPS module).
376
 */
377
static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
378
0
{
379
0
    int sz = ctx->ivlen - offset;
380
381
    /* Must be at least 96 bits */
382
0
    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
383
0
        return 0;
384
385
    /* Use DRBG to generate random iv */
386
0
    if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
387
0
        return 0;
388
0
    ctx->iv_state = IV_STATE_BUFFERED;
389
0
    ctx->iv_gen_rand = 1;
390
0
    return 1;
391
0
}
392
393
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
394
                               size_t *padlen, const unsigned char *in,
395
                               size_t len)
396
3.34M
{
397
3.34M
    size_t olen = 0;
398
3.34M
    int rv = 0;
399
3.34M
    const PROV_GCM_HW *hw = ctx->hw;
400
401
3.34M
    if (ctx->tls_aad_len != UNINITIALISED_SIZET)
402
8.42k
        return gcm_tls_cipher(ctx, out, padlen, in, len);
403
404
3.33M
    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
405
0
        goto err;
406
407
    /*
408
     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
409
     * The IV can still be set externally (the security policy will state that
410
     * this is not FIPS compliant). There are some applications
411
     * where setting the IV externally is the only option available.
412
     */
413
3.33M
    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
414
0
        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
415
0
            goto err;
416
0
    }
417
418
3.33M
    if (ctx->iv_state == IV_STATE_BUFFERED) {
419
961k
        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
420
0
            goto err;
421
961k
        ctx->iv_state = IV_STATE_COPIED;
422
961k
    }
423
424
3.33M
    if (in != NULL) {
425
        /*  The input is AAD if out is NULL */
426
2.37M
        if (out == NULL) {
427
1.11M
            if (!hw->aadupdate(ctx, in, len))
428
0
                goto err;
429
1.26M
        } else {
430
            /* The input is ciphertext OR plaintext */
431
1.26M
            if (!hw->cipherupdate(ctx, in, len, out))
432
0
                goto err;
433
1.26M
        }
434
2.37M
    } else {
435
        /* The tag must be set before actually decrypting data */
436
961k
        if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
437
0
            goto err;
438
961k
        if (!hw->cipherfinal(ctx, ctx->buf))
439
372k
            goto err;
440
589k
        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
441
589k
        goto finish;
442
961k
    }
443
2.37M
    olen = len;
444
2.96M
finish:
445
2.96M
    rv = 1;
446
3.33M
err:
447
3.33M
    *padlen = olen;
448
3.33M
    return rv;
449
2.96M
}
450
451
static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
452
8.48k
{
453
8.48k
    unsigned char *buf;
454
8.48k
    size_t len;
455
456
8.48k
    if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
457
0
       return 0;
458
459
    /* Save the aad for later use. */
460
8.48k
    buf = dat->buf;
461
8.48k
    memcpy(buf, aad, aad_len);
462
8.48k
    dat->tls_aad_len = aad_len;
463
464
8.48k
    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
465
    /* Correct length for explicit iv. */
466
8.48k
    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
467
30
        return 0;
468
8.45k
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
469
470
    /* If decrypting correct for tag too. */
471
8.45k
    if (!dat->enc) {
472
7.37k
        if (len < EVP_GCM_TLS_TAG_LEN)
473
25
            return 0;
474
7.35k
        len -= EVP_GCM_TLS_TAG_LEN;
475
7.35k
    }
476
8.42k
    buf[aad_len - 2] = (unsigned char)(len >> 8);
477
8.42k
    buf[aad_len - 1] = (unsigned char)(len & 0xff);
478
    /* Extra padding: tag appended to record. */
479
8.42k
    return EVP_GCM_TLS_TAG_LEN;
480
8.45k
}
481
482
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
483
                                size_t len)
484
1.61k
{
485
    /* Special case: -1 length restores whole IV */
486
1.61k
    if (len == (size_t)-1) {
487
0
        memcpy(ctx->iv, iv, ctx->ivlen);
488
0
        ctx->iv_gen = 1;
489
0
        ctx->iv_state = IV_STATE_BUFFERED;
490
0
        return 1;
491
0
    }
492
    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
493
1.61k
    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
494
1.61k
        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
495
0
            return 0;
496
1.61k
    if (len > 0)
497
1.61k
        memcpy(ctx->iv, iv, len);
498
1.61k
    if (ctx->enc
499
1.61k
        && RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
500
0
            return 0;
501
1.61k
    ctx->iv_gen = 1;
502
1.61k
    ctx->iv_state = IV_STATE_BUFFERED;
503
1.61k
    return 1;
504
1.61k
}
505
506
/*
507
 * Handle TLS GCM packet format. This consists of the last portion of the IV
508
 * followed by the payload and finally the tag. On encrypt generate IV,
509
 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
510
 * and verify tag.
511
 */
512
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
513
                          const unsigned char *in, size_t len)
514
8.42k
{
515
8.42k
    int rv = 0;
516
8.42k
    size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
517
8.42k
    size_t plen = 0;
518
8.42k
    unsigned char *tag = NULL;
519
520
8.42k
    if (!ossl_prov_is_running() || !ctx->key_set)
521
0
        goto err;
522
523
    /* Encrypt/decrypt must be performed in place */
524
8.42k
    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
525
0
        goto err;
526
527
    /*
528
     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
529
     * Requirements from SP 800-38D".  The requirements is for one party to the
530
     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
531
     * side only.
532
     */
533
8.42k
    if (ctx->enc && ++ctx->tls_enc_records == 0) {
534
0
        ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
535
0
        goto err;
536
0
    }
537
538
    /*
539
     * Set IV from start of buffer or generate IV and write to start of
540
     * buffer.
541
     */
542
8.42k
    if (ctx->enc) {
543
1.07k
        if (!getivgen(ctx, out, arg))
544
0
            goto err;
545
7.35k
    } else {
546
7.35k
        if (!setivinv(ctx, out, arg))
547
0
            goto err;
548
7.35k
    }
549
550
    /* Fix buffer and length to point to payload */
551
8.42k
    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
552
8.42k
    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
553
8.42k
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
554
555
8.42k
    tag = ctx->enc ? out + len : (unsigned char *)in + len;
556
8.42k
    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
557
8.42k
                          EVP_GCM_TLS_TAG_LEN)) {
558
7.24k
        if (!ctx->enc)
559
7.24k
            OPENSSL_cleanse(out, len);
560
7.24k
        goto err;
561
7.24k
    }
562
1.18k
    if (ctx->enc)
563
1.07k
        plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
564
105
    else
565
105
        plen = len;
566
567
1.18k
    rv = 1;
568
8.42k
err:
569
8.42k
    ctx->iv_state = IV_STATE_FINISHED;
570
8.42k
    ctx->tls_aad_len = UNINITIALISED_SIZET;
571
8.42k
    *padlen = plen;
572
8.42k
    return rv;
573
1.18k
}