Coverage Report

Created: 2025-06-13 06:58

/src/openssl30/providers/implementations/ciphers/ciphercommon_gcm.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/* Dispatch functions for gcm mode */
11
12
#include <openssl/rand.h>
13
#include <openssl/proverr.h>
14
#include "prov/ciphercommon.h"
15
#include "prov/ciphercommon_gcm.h"
16
#include "prov/providercommon.h"
17
#include "prov/provider_ctx.h"
18
19
static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
20
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
21
                                size_t len);
22
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
23
                          const unsigned char *in, size_t len);
24
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
25
                               size_t *padlen, const unsigned char *in,
26
                               size_t len);
27
28
/*
29
 * Called from EVP_CipherInit when there is currently no context via
30
 * the new_ctx() function
31
 */
32
void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
33
                      const PROV_GCM_HW *hw)
34
225k
{
35
225k
    ctx->pad = 1;
36
225k
    ctx->mode = EVP_CIPH_GCM_MODE;
37
225k
    ctx->taglen = UNINITIALISED_SIZET;
38
225k
    ctx->tls_aad_len = UNINITIALISED_SIZET;
39
225k
    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
40
225k
    ctx->keylen = keybits / 8;
41
225k
    ctx->hw = hw;
42
225k
    ctx->libctx = PROV_LIBCTX_OF(provctx);
43
225k
}
44
45
/*
46
 * Called by EVP_CipherInit via the _einit and _dinit functions
47
 */
48
static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
49
                    const unsigned char *iv, size_t ivlen,
50
                    const OSSL_PARAM params[], int enc)
51
1.62M
{
52
1.62M
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
53
54
1.62M
    if (!ossl_prov_is_running())
55
0
        return 0;
56
57
1.62M
    ctx->enc = enc;
58
59
1.62M
    if (iv != NULL) {
60
1.59M
        if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
61
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
62
0
            return 0;
63
0
        }
64
1.59M
        ctx->ivlen = ivlen;
65
1.59M
        memcpy(ctx->iv, iv, ivlen);
66
1.59M
        ctx->iv_state = IV_STATE_BUFFERED;
67
1.59M
    }
68
69
1.62M
    if (key != NULL) {
70
225k
        if (keylen != ctx->keylen) {
71
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
72
0
            return 0;
73
0
        }
74
225k
        if (!ctx->hw->setkey(ctx, key, ctx->keylen))
75
0
            return 0;
76
225k
        ctx->tls_enc_records = 0;
77
225k
    }
78
1.62M
    return ossl_gcm_set_ctx_params(ctx, params);
79
1.62M
}
80
81
int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
82
                   const unsigned char *iv, size_t ivlen,
83
                   const OSSL_PARAM params[])
84
913k
{
85
913k
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
86
913k
}
87
88
int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
89
                   const unsigned char *iv, size_t ivlen,
90
                   const OSSL_PARAM params[])
91
714k
{
92
714k
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
93
714k
}
94
95
/* increment counter (64-bit int) by 1 */
96
static void ctr64_inc(unsigned char *counter)
97
1.21k
{
98
1.21k
    int n = 8;
99
1.21k
    unsigned char c;
100
101
1.21k
    do {
102
1.21k
        --n;
103
1.21k
        c = counter[n];
104
1.21k
        ++c;
105
1.21k
        counter[n] = c;
106
1.21k
        if (c > 0)
107
1.21k
            return;
108
1.21k
    } while (n > 0);
109
1.21k
}
110
111
static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
112
1.21k
{
113
1.21k
    if (!ctx->iv_gen
114
1.21k
        || !ctx->key_set
115
1.21k
        || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
116
0
        return 0;
117
1.21k
    if (olen == 0 || olen > ctx->ivlen)
118
0
        olen = ctx->ivlen;
119
1.21k
    memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
120
    /*
121
     * Invocation field will be at least 8 bytes in size and so no need
122
     * to check wrap around or increment more than last 8 bytes.
123
     */
124
1.21k
    ctr64_inc(ctx->iv + ctx->ivlen - 8);
125
1.21k
    ctx->iv_state = IV_STATE_COPIED;
126
1.21k
    return 1;
127
1.21k
}
128
129
static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
130
9.47k
{
131
9.47k
    if (!ctx->iv_gen
132
9.47k
        || !ctx->key_set
133
9.47k
        || ctx->enc)
134
0
        return 0;
135
136
9.47k
    memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
137
9.47k
    if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
138
0
        return 0;
139
9.47k
    ctx->iv_state = IV_STATE_COPIED;
140
9.47k
    return 1;
141
9.47k
}
142
143
int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
144
15.0k
{
145
15.0k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
146
15.0k
    OSSL_PARAM *p;
147
15.0k
    size_t sz;
148
149
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
150
15.0k
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
151
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
152
0
        return 0;
153
0
    }
154
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
155
15.0k
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
156
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
157
0
        return 0;
158
0
    }
159
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
160
15.0k
    if (p != NULL) {
161
0
        size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
162
0
                         GCM_TAG_MAX_SIZE;
163
164
0
        if (!OSSL_PARAM_set_size_t(p, taglen)) {
165
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
166
0
            return 0;
167
0
        }
168
0
    }
169
170
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
171
15.0k
    if (p != NULL) {
172
0
        if (ctx->iv_state == IV_STATE_UNINITIALISED)
173
0
            return 0;
174
0
        if (ctx->ivlen > p->data_size) {
175
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
176
0
            return 0;
177
0
        }
178
0
        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
179
0
            && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
180
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
181
0
            return 0;
182
0
        }
183
0
    }
184
185
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
186
15.0k
    if (p != NULL) {
187
0
        if (ctx->iv_state == IV_STATE_UNINITIALISED)
188
0
            return 0;
189
0
        if (ctx->ivlen > p->data_size) {
190
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
191
0
            return 0;
192
0
        }
193
0
        if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
194
0
            && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
195
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
196
0
            return 0;
197
0
        }
198
0
    }
199
200
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
201
15.0k
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
202
0
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
203
0
        return 0;
204
0
    }
205
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
206
15.0k
    if (p != NULL) {
207
1.84k
        sz = p->data_size;
208
1.84k
        if (sz == 0
209
1.84k
            || sz > EVP_GCM_TLS_TAG_LEN
210
1.84k
            || !ctx->enc
211
1.84k
            || ctx->taglen == UNINITIALISED_SIZET) {
212
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
213
0
            return 0;
214
0
        }
215
1.84k
        if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
216
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
217
0
            return 0;
218
0
        }
219
1.84k
    }
220
15.0k
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN);
221
15.0k
    if (p != NULL) {
222
0
        if (p->data == NULL
223
0
            || p->data_type != OSSL_PARAM_OCTET_STRING
224
0
            || !getivgen(ctx, p->data, p->data_size))
225
0
            return 0;
226
0
    }
227
15.0k
    return 1;
228
15.0k
}
229
230
int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
231
47.7k
{
232
47.7k
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
233
47.7k
    const OSSL_PARAM *p;
234
47.7k
    size_t sz;
235
47.7k
    void *vp;
236
237
47.7k
    if (params == NULL)
238
24.3k
        return 1;
239
240
23.4k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
241
23.4k
    if (p != NULL) {
242
18.7k
        vp = ctx->buf;
243
18.7k
        if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
244
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
245
0
            return 0;
246
0
        }
247
18.7k
        if (sz == 0 || ctx->enc) {
248
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
249
0
            return 0;
250
0
        }
251
18.7k
        ctx->taglen = sz;
252
18.7k
    }
253
254
23.4k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
255
23.4k
    if (p != NULL) {
256
1.33k
        if (!OSSL_PARAM_get_size_t(p, &sz)) {
257
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
258
0
            return 0;
259
0
        }
260
1.33k
        if (sz == 0 || sz > sizeof(ctx->iv)) {
261
0
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
262
0
            return 0;
263
0
        }
264
1.33k
        if (ctx->ivlen != sz) {
265
            /* If the iv was already set or autogenerated, it is invalid. */
266
0
            if (ctx->iv_state != IV_STATE_UNINITIALISED)
267
0
                ctx->iv_state = IV_STATE_FINISHED;
268
0
            ctx->ivlen = sz;
269
0
        }
270
1.33k
    }
271
272
23.4k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
273
23.4k
    if (p != NULL) {
274
1.24k
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
275
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
276
0
            return 0;
277
0
        }
278
1.24k
        sz = gcm_tls_init(ctx, p->data, p->data_size);
279
1.24k
        if (sz == 0) {
280
28
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
281
28
            return 0;
282
28
        }
283
1.21k
        ctx->tls_aad_pad_sz = sz;
284
1.21k
    }
285
286
23.4k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
287
23.4k
    if (p != NULL) {
288
1.07k
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
289
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
290
0
            return 0;
291
0
        }
292
1.07k
        if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
293
0
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
294
0
            return 0;
295
0
        }
296
1.07k
    }
297
23.4k
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV);
298
23.4k
    if (p != NULL) {
299
0
        if (p->data == NULL
300
0
            || p->data_type != OSSL_PARAM_OCTET_STRING
301
0
            || !setivinv(ctx, p->data, p->data_size))
302
0
            return 0;
303
0
    }
304
305
306
23.4k
    return 1;
307
23.4k
}
308
309
int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
310
                           size_t outsize, const unsigned char *in, size_t inl)
311
3.75M
{
312
3.75M
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
313
314
3.75M
    if (inl == 0) {
315
0
        *outl = 0;
316
0
        return 1;
317
0
    }
318
319
3.75M
    if (outsize < inl) {
320
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
321
0
        return 0;
322
0
    }
323
324
3.75M
    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
325
9.33k
        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
326
9.33k
        return 0;
327
9.33k
    }
328
3.74M
    return 1;
329
3.75M
}
330
331
int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
332
                          size_t outsize)
333
1.49M
{
334
1.49M
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
335
1.49M
    int i;
336
337
1.49M
    if (!ossl_prov_is_running())
338
0
        return 0;
339
340
1.49M
    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
341
1.49M
    if (i <= 0)
342
602k
        return 0;
343
344
887k
    *outl = 0;
345
887k
    return 1;
346
1.49M
}
347
348
int ossl_gcm_cipher(void *vctx,
349
                    unsigned char *out, size_t *outl, size_t outsize,
350
                    const unsigned char *in, size_t inl)
351
0
{
352
0
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
353
354
0
    if (!ossl_prov_is_running())
355
0
        return 0;
356
357
0
    if (outsize < inl) {
358
0
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
359
0
        return 0;
360
0
    }
361
362
0
    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
363
0
        return 0;
364
365
0
    *outl = inl;
366
0
    return 1;
367
0
}
368
369
/*
370
 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
371
 *
372
 * See also 8.2.2 RBG-based construction.
373
 * Random construction consists of a free field (which can be NULL) and a
374
 * random field which will use a DRBG that can return at least 96 bits of
375
 * entropy strength. (The DRBG must be seeded by the FIPS module).
376
 */
377
static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
378
0
{
379
0
    int sz = ctx->ivlen - offset;
380
381
    /* Must be at least 96 bits */
382
0
    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
383
0
        return 0;
384
385
    /* Use DRBG to generate random iv */
386
0
    if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
387
0
        return 0;
388
0
    ctx->iv_state = IV_STATE_BUFFERED;
389
0
    ctx->iv_gen_rand = 1;
390
0
    return 1;
391
0
}
392
393
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
394
                               size_t *padlen, const unsigned char *in,
395
                               size_t len)
396
5.24M
{
397
5.24M
    size_t olen = 0;
398
5.24M
    int rv = 0;
399
5.24M
    const PROV_GCM_HW *hw = ctx->hw;
400
401
5.24M
    if (ctx->tls_aad_len != UNINITIALISED_SIZET)
402
10.6k
        return gcm_tls_cipher(ctx, out, padlen, in, len);
403
404
5.23M
    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
405
0
        goto err;
406
407
    /*
408
     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
409
     * The IV can still be set externally (the security policy will state that
410
     * this is not FIPS compliant). There are some applications
411
     * where setting the IV externally is the only option available.
412
     */
413
5.23M
    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
414
0
        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
415
0
            goto err;
416
0
    }
417
418
5.23M
    if (ctx->iv_state == IV_STATE_BUFFERED) {
419
1.49M
        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
420
0
            goto err;
421
1.49M
        ctx->iv_state = IV_STATE_COPIED;
422
1.49M
    }
423
424
5.23M
    if (in != NULL) {
425
        /*  The input is AAD if out is NULL */
426
3.74M
        if (out == NULL) {
427
1.59M
            if (!hw->aadupdate(ctx, in, len))
428
0
                goto err;
429
2.15M
        } else {
430
            /* The input is ciphertext OR plaintext */
431
2.15M
            if (!hw->cipherupdate(ctx, in, len, out))
432
0
                goto err;
433
2.15M
        }
434
3.74M
    } else {
435
        /* The tag must be set before actually decrypting data */
436
1.49M
        if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
437
0
            goto err;
438
1.49M
        if (!hw->cipherfinal(ctx, ctx->buf))
439
602k
            goto err;
440
887k
        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
441
887k
        goto finish;
442
1.49M
    }
443
3.74M
    olen = len;
444
4.63M
finish:
445
4.63M
    rv = 1;
446
5.23M
err:
447
5.23M
    *padlen = olen;
448
5.23M
    return rv;
449
4.63M
}
450
451
static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
452
10.7k
{
453
10.7k
    unsigned char *buf;
454
10.7k
    size_t len;
455
456
10.7k
    if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
457
0
       return 0;
458
459
    /* Save the aad for later use. */
460
10.7k
    buf = dat->buf;
461
10.7k
    memcpy(buf, aad, aad_len);
462
10.7k
    dat->tls_aad_len = aad_len;
463
464
10.7k
    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
465
    /* Correct length for explicit iv. */
466
10.7k
    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
467
47
        return 0;
468
10.7k
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
469
470
    /* If decrypting correct for tag too. */
471
10.7k
    if (!dat->enc) {
472
9.49k
        if (len < EVP_GCM_TLS_TAG_LEN)
473
21
            return 0;
474
9.47k
        len -= EVP_GCM_TLS_TAG_LEN;
475
9.47k
    }
476
10.6k
    buf[aad_len - 2] = (unsigned char)(len >> 8);
477
10.6k
    buf[aad_len - 1] = (unsigned char)(len & 0xff);
478
    /* Extra padding: tag appended to record. */
479
10.6k
    return EVP_GCM_TLS_TAG_LEN;
480
10.7k
}
481
482
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
483
                                size_t len)
484
1.33k
{
485
    /* Special case: -1 length restores whole IV */
486
1.33k
    if (len == (size_t)-1) {
487
0
        memcpy(ctx->iv, iv, ctx->ivlen);
488
0
        ctx->iv_gen = 1;
489
0
        ctx->iv_state = IV_STATE_BUFFERED;
490
0
        return 1;
491
0
    }
492
    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
493
1.33k
    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
494
1.33k
        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
495
0
            return 0;
496
1.33k
    if (len > 0)
497
1.33k
        memcpy(ctx->iv, iv, len);
498
1.33k
    if (ctx->enc
499
1.33k
        && RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
500
0
            return 0;
501
1.33k
    ctx->iv_gen = 1;
502
1.33k
    ctx->iv_state = IV_STATE_BUFFERED;
503
1.33k
    return 1;
504
1.33k
}
505
506
/*
507
 * Handle TLS GCM packet format. This consists of the last portion of the IV
508
 * followed by the payload and finally the tag. On encrypt generate IV,
509
 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
510
 * and verify tag.
511
 */
512
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
513
                          const unsigned char *in, size_t len)
514
10.6k
{
515
10.6k
    int rv = 0;
516
10.6k
    size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
517
10.6k
    size_t plen = 0;
518
10.6k
    unsigned char *tag = NULL;
519
520
10.6k
    if (!ossl_prov_is_running() || !ctx->key_set)
521
0
        goto err;
522
523
    /* Encrypt/decrypt must be performed in place */
524
10.6k
    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
525
0
        goto err;
526
527
    /*
528
     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
529
     * Requirements from SP 800-38D".  The requirements is for one party to the
530
     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
531
     * side only.
532
     */
533
10.6k
    if (ctx->enc && ++ctx->tls_enc_records == 0) {
534
0
        ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
535
0
        goto err;
536
0
    }
537
538
    /*
539
     * Set IV from start of buffer or generate IV and write to start of
540
     * buffer.
541
     */
542
10.6k
    if (ctx->enc) {
543
1.21k
        if (!getivgen(ctx, out, arg))
544
0
            goto err;
545
9.47k
    } else {
546
9.47k
        if (!setivinv(ctx, out, arg))
547
0
            goto err;
548
9.47k
    }
549
550
    /* Fix buffer and length to point to payload */
551
10.6k
    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
552
10.6k
    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
553
10.6k
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
554
555
10.6k
    tag = ctx->enc ? out + len : (unsigned char *)in + len;
556
10.6k
    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
557
10.6k
                          EVP_GCM_TLS_TAG_LEN)) {
558
9.33k
        if (!ctx->enc)
559
9.33k
            OPENSSL_cleanse(out, len);
560
9.33k
        goto err;
561
9.33k
    }
562
1.35k
    if (ctx->enc)
563
1.21k
        plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
564
140
    else
565
140
        plen = len;
566
567
1.35k
    rv = 1;
568
10.6k
err:
569
10.6k
    ctx->iv_state = IV_STATE_FINISHED;
570
10.6k
    ctx->tls_aad_len = UNINITIALISED_SIZET;
571
10.6k
    *padlen = plen;
572
10.6k
    return rv;
573
1.35k
}