/src/openssl36/providers/implementations/ciphers/ciphercommon_gcm.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | /* clang-format off */ |
10 | | |
11 | | /* clang-format on */ |
12 | | |
13 | | /* Dispatch functions for gcm mode */ |
14 | | |
15 | | #include <openssl/rand.h> |
16 | | #include <openssl/proverr.h> |
17 | | #include "prov/ciphercommon.h" |
18 | | #include "prov/ciphercommon_gcm.h" |
19 | | #include "prov/providercommon.h" |
20 | | #include "prov/provider_ctx.h" |
21 | | |
22 | | static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len); |
23 | | static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv, |
24 | | size_t len); |
25 | | static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen, |
26 | | const unsigned char *in, size_t len); |
27 | | static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out, |
28 | | size_t *padlen, const unsigned char *in, |
29 | | size_t len); |
30 | | |
31 | | /* |
32 | | * Called from EVP_CipherInit when there is currently no context via |
33 | | * the new_ctx() function |
34 | | */ |
35 | | void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, |
36 | | const PROV_GCM_HW *hw) |
37 | 616k | { |
38 | 616k | ctx->pad = 1; |
39 | 616k | ctx->mode = EVP_CIPH_GCM_MODE; |
40 | 616k | ctx->taglen = UNINITIALISED_SIZET; |
41 | 616k | ctx->tls_aad_len = UNINITIALISED_SIZET; |
42 | 616k | ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN); |
43 | 616k | ctx->keylen = keybits / 8; |
44 | 616k | ctx->hw = hw; |
45 | 616k | ctx->libctx = PROV_LIBCTX_OF(provctx); |
46 | 616k | } |
47 | | |
48 | | /* |
49 | | * Called by EVP_CipherInit via the _einit and _dinit functions |
50 | | */ |
51 | | static int gcm_init(void *vctx, const unsigned char *key, size_t keylen, |
52 | | const unsigned char *iv, size_t ivlen, |
53 | | const OSSL_PARAM params[], int enc) |
54 | 3.88M | { |
55 | 3.88M | PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; |
56 | | |
57 | 3.88M | if (!ossl_prov_is_running()) |
58 | 0 | return 0; |
59 | | |
60 | 3.88M | ctx->enc = enc; |
61 | | |
62 | 3.88M | if (iv != NULL) { |
63 | 3.80M | if (ivlen == 0 || ivlen > sizeof(ctx->iv)) { |
64 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); |
65 | 0 | return 0; |
66 | 0 | } |
67 | 3.80M | ctx->ivlen = ivlen; |
68 | 3.80M | memcpy(ctx->iv, iv, ivlen); |
69 | 3.80M | ctx->iv_state = IV_STATE_BUFFERED; |
70 | 3.80M | } |
71 | | |
72 | 3.88M | if (key != NULL) { |
73 | 616k | if (keylen != ctx->keylen) { |
74 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
75 | 0 | return 0; |
76 | 0 | } |
77 | 616k | if (!ctx->hw->setkey(ctx, key, ctx->keylen)) |
78 | 0 | return 0; |
79 | 616k | ctx->tls_enc_records = 0; |
80 | 616k | } |
81 | 3.88M | return ossl_gcm_set_ctx_params(ctx, params); |
82 | 3.88M | } |
83 | | |
84 | | int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen, |
85 | | const unsigned char *iv, size_t ivlen, |
86 | | const OSSL_PARAM params[]) |
87 | 2.39M | { |
88 | 2.39M | return gcm_init(vctx, key, keylen, iv, ivlen, params, 1); |
89 | 2.39M | } |
90 | | |
91 | | int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen, |
92 | | const unsigned char *iv, size_t ivlen, |
93 | | const OSSL_PARAM params[]) |
94 | 1.48M | { |
95 | 1.48M | return gcm_init(vctx, key, keylen, iv, ivlen, params, 0); |
96 | 1.48M | } |
97 | | |
98 | | /* increment counter (64-bit int) by 1 */ |
99 | | static void ctr64_inc(unsigned char *counter) |
100 | 1.68k | { |
101 | 1.68k | int n = 8; |
102 | 1.68k | unsigned char c; |
103 | | |
104 | 1.68k | do { |
105 | 1.68k | --n; |
106 | 1.68k | c = counter[n]; |
107 | 1.68k | ++c; |
108 | 1.68k | counter[n] = c; |
109 | 1.68k | if (c > 0) |
110 | 1.68k | return; |
111 | 1.68k | } while (n > 0); |
112 | 1.68k | } |
113 | | |
114 | | static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen) |
115 | 1.68k | { |
116 | 1.68k | if (!ctx->iv_gen |
117 | 1.68k | || !ctx->key_set |
118 | 1.68k | || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen)) |
119 | 0 | return 0; |
120 | 1.68k | if (olen == 0 || olen > ctx->ivlen) |
121 | 0 | olen = ctx->ivlen; |
122 | 1.68k | memcpy(out, ctx->iv + ctx->ivlen - olen, olen); |
123 | | /* |
124 | | * Invocation field will be at least 8 bytes in size and so no need |
125 | | * to check wrap around or increment more than last 8 bytes. |
126 | | */ |
127 | 1.68k | ctr64_inc(ctx->iv + ctx->ivlen - 8); |
128 | 1.68k | ctx->iv_state = IV_STATE_COPIED; |
129 | 1.68k | return 1; |
130 | 1.68k | } |
131 | | |
132 | | static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl) |
133 | 66.0k | { |
134 | 66.0k | if (!ctx->iv_gen |
135 | 66.0k | || !ctx->key_set |
136 | 66.0k | || ctx->enc) |
137 | 0 | return 0; |
138 | | |
139 | 66.0k | memcpy(ctx->iv + ctx->ivlen - inl, in, inl); |
140 | 66.0k | if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen)) |
141 | 0 | return 0; |
142 | 66.0k | ctx->iv_state = IV_STATE_COPIED; |
143 | 66.0k | return 1; |
144 | 66.0k | } |
145 | | |
146 | | /* clang-format off */ |
147 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
148 | | #ifndef ossl_cipher_gcm_get_ctx_params_list |
149 | | static const OSSL_PARAM ossl_cipher_gcm_get_ctx_params_list[] = { |
150 | | OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), |
151 | | OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), |
152 | | OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL), |
153 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), |
154 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), |
155 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), |
156 | | OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), |
157 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), |
158 | | OSSL_PARAM_uint(OSSL_CIPHER_PARAM_AEAD_IV_GENERATED, NULL), |
159 | | OSSL_PARAM_END |
160 | | }; |
161 | | #endif |
162 | | |
163 | | #ifndef ossl_cipher_gcm_get_ctx_params_st |
164 | | struct ossl_cipher_gcm_get_ctx_params_st { |
165 | | OSSL_PARAM *gen; |
166 | | OSSL_PARAM *iv; |
167 | | OSSL_PARAM *ivgen; |
168 | | OSSL_PARAM *ivlen; |
169 | | OSSL_PARAM *keylen; |
170 | | OSSL_PARAM *pad; |
171 | | OSSL_PARAM *tag; |
172 | | OSSL_PARAM *taglen; |
173 | | OSSL_PARAM *updiv; |
174 | | }; |
175 | | #endif |
176 | | |
177 | | #ifndef ossl_cipher_gcm_get_ctx_params_decoder |
178 | | static int ossl_cipher_gcm_get_ctx_params_decoder |
179 | | (const OSSL_PARAM *p, struct ossl_cipher_gcm_get_ctx_params_st *r) |
180 | 1.70M | { |
181 | 1.70M | const char *s; |
182 | | |
183 | 1.70M | memset(r, 0, sizeof(*r)); |
184 | 1.70M | if (p != NULL) |
185 | 3.41M | for (; (s = p->key) != NULL; p++) |
186 | 1.70M | switch(s[0]) { |
187 | 0 | default: |
188 | 0 | break; |
189 | 269k | case 'i': |
190 | 269k | switch(s[1]) { |
191 | 0 | default: |
192 | 0 | break; |
193 | 269k | case 'v': |
194 | 269k | switch(s[2]) { |
195 | 0 | default: |
196 | 0 | break; |
197 | 0 | case '-': |
198 | 0 | if (ossl_likely(strcmp("generated", s + 3) == 0)) { |
199 | | /* OSSL_CIPHER_PARAM_AEAD_IV_GENERATED */ |
200 | 0 | if (ossl_unlikely(r->gen != NULL)) { |
201 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
202 | 0 | "param %s is repeated", s); |
203 | 0 | return 0; |
204 | 0 | } |
205 | 0 | r->gen = (OSSL_PARAM *)p; |
206 | 0 | } |
207 | 0 | break; |
208 | 269k | case 'l': |
209 | 269k | if (ossl_likely(strcmp("en", s + 3) == 0)) { |
210 | | /* OSSL_CIPHER_PARAM_IVLEN */ |
211 | 269k | if (ossl_unlikely(r->ivlen != NULL)) { |
212 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
213 | 0 | "param %s is repeated", s); |
214 | 0 | return 0; |
215 | 0 | } |
216 | 269k | r->ivlen = (OSSL_PARAM *)p; |
217 | 269k | } |
218 | 269k | break; |
219 | 269k | case '\0': |
220 | 0 | if (ossl_unlikely(r->iv != NULL)) { |
221 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
222 | 0 | "param %s is repeated", s); |
223 | 0 | return 0; |
224 | 0 | } |
225 | 0 | r->iv = (OSSL_PARAM *)p; |
226 | 269k | } |
227 | 269k | } |
228 | 269k | break; |
229 | 292k | case 'k': |
230 | 292k | if (ossl_likely(strcmp("eylen", s + 1) == 0)) { |
231 | | /* OSSL_CIPHER_PARAM_KEYLEN */ |
232 | 292k | if (ossl_unlikely(r->keylen != NULL)) { |
233 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
234 | 0 | "param %s is repeated", s); |
235 | 0 | return 0; |
236 | 0 | } |
237 | 292k | r->keylen = (OSSL_PARAM *)p; |
238 | 292k | } |
239 | 292k | break; |
240 | 1.14M | case 't': |
241 | 1.14M | switch(s[1]) { |
242 | 0 | default: |
243 | 0 | break; |
244 | 1.12M | case 'a': |
245 | 1.12M | switch(s[2]) { |
246 | 0 | default: |
247 | 0 | break; |
248 | 1.12M | case 'g': |
249 | 1.12M | switch(s[3]) { |
250 | 0 | default: |
251 | 0 | break; |
252 | 0 | case 'l': |
253 | 0 | if (ossl_likely(strcmp("en", s + 4) == 0)) { |
254 | | /* OSSL_CIPHER_PARAM_AEAD_TAGLEN */ |
255 | 0 | if (ossl_unlikely(r->taglen != NULL)) { |
256 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
257 | 0 | "param %s is repeated", s); |
258 | 0 | return 0; |
259 | 0 | } |
260 | 0 | r->taglen = (OSSL_PARAM *)p; |
261 | 0 | } |
262 | 0 | break; |
263 | 1.12M | case '\0': |
264 | 1.12M | if (ossl_unlikely(r->tag != NULL)) { |
265 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
266 | 0 | "param %s is repeated", s); |
267 | 0 | return 0; |
268 | 0 | } |
269 | 1.12M | r->tag = (OSSL_PARAM *)p; |
270 | 1.12M | } |
271 | 1.12M | } |
272 | 1.12M | break; |
273 | 1.12M | case 'l': |
274 | 18.3k | switch(s[2]) { |
275 | 0 | default: |
276 | 0 | break; |
277 | 18.3k | case 's': |
278 | 18.3k | switch(s[3]) { |
279 | 13 | default: |
280 | 13 | break; |
281 | 18.3k | case 'a': |
282 | 18.3k | if (ossl_likely(strcmp("adpad", s + 4) == 0)) { |
283 | | /* OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD */ |
284 | 18.3k | if (ossl_unlikely(r->pad != NULL)) { |
285 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
286 | 0 | "param %s is repeated", s); |
287 | 0 | return 0; |
288 | 0 | } |
289 | 18.3k | r->pad = (OSSL_PARAM *)p; |
290 | 18.3k | } |
291 | 18.3k | break; |
292 | 18.3k | case 'i': |
293 | 0 | if (ossl_likely(strcmp("vgen", s + 4) == 0)) { |
294 | | /* OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN */ |
295 | 0 | if (ossl_unlikely(r->ivgen != NULL)) { |
296 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
297 | 0 | "param %s is repeated", s); |
298 | 0 | return 0; |
299 | 0 | } |
300 | 0 | r->ivgen = (OSSL_PARAM *)p; |
301 | 0 | } |
302 | 18.3k | } |
303 | 18.3k | } |
304 | 1.14M | } |
305 | 1.14M | break; |
306 | 1.14M | case 'u': |
307 | 0 | if (ossl_likely(strcmp("pdated-iv", s + 1) == 0)) { |
308 | | /* OSSL_CIPHER_PARAM_UPDATED_IV */ |
309 | 0 | if (ossl_unlikely(r->updiv != NULL)) { |
310 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
311 | 0 | "param %s is repeated", s); |
312 | 0 | return 0; |
313 | 0 | } |
314 | 0 | r->updiv = (OSSL_PARAM *)p; |
315 | 0 | } |
316 | 1.70M | } |
317 | 1.70M | return 1; |
318 | 1.70M | } |
319 | | #endif |
320 | | /* End of machine generated */ |
321 | | /* clang-format on */ |
322 | | |
323 | | const OSSL_PARAM *ossl_gcm_gettable_ctx_params( |
324 | | ossl_unused void *cctx, ossl_unused void *provctx) |
325 | 203 | { |
326 | 203 | return ossl_cipher_gcm_get_ctx_params_list; |
327 | 203 | } |
328 | | |
329 | | int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
330 | 682k | { |
331 | 682k | PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; |
332 | 682k | size_t sz; |
333 | 682k | struct ossl_cipher_gcm_get_ctx_params_st p; |
334 | | |
335 | 682k | if (ctx == NULL || !ossl_cipher_gcm_get_ctx_params_decoder(params, &p)) |
336 | 0 | return 0; |
337 | | |
338 | 682k | if (p.ivlen != NULL && !OSSL_PARAM_set_size_t(p.ivlen, ctx->ivlen)) { |
339 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
340 | 0 | return 0; |
341 | 0 | } |
342 | | |
343 | 682k | if (p.keylen != NULL && !OSSL_PARAM_set_size_t(p.keylen, ctx->keylen)) { |
344 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
345 | 0 | return 0; |
346 | 0 | } |
347 | | |
348 | 682k | if (p.taglen != NULL) { |
349 | 0 | size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen : GCM_TAG_MAX_SIZE; |
350 | |
|
351 | 0 | if (!OSSL_PARAM_set_size_t(p.taglen, taglen)) { |
352 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
353 | 0 | return 0; |
354 | 0 | } |
355 | 0 | } |
356 | | |
357 | 682k | if (p.iv != NULL) { |
358 | 0 | if (ctx->iv_state == IV_STATE_UNINITIALISED) |
359 | 0 | return 0; |
360 | 0 | if (p.iv->data != NULL && ctx->ivlen > p.iv->data_size) { |
361 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); |
362 | 0 | return 0; |
363 | 0 | } |
364 | 0 | if (!OSSL_PARAM_set_octet_string_or_ptr(p.iv, ctx->iv, ctx->ivlen)) { |
365 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
366 | 0 | return 0; |
367 | 0 | } |
368 | 0 | } |
369 | | |
370 | 682k | if (p.updiv != NULL) { |
371 | 0 | if (ctx->iv_state == IV_STATE_UNINITIALISED) |
372 | 0 | return 0; |
373 | 0 | if (p.updiv->data != NULL && ctx->ivlen > p.updiv->data_size) { |
374 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); |
375 | 0 | return 0; |
376 | 0 | } |
377 | 0 | if (!OSSL_PARAM_set_octet_string_or_ptr(p.updiv, ctx->iv, ctx->ivlen)) { |
378 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
379 | 0 | return 0; |
380 | 0 | } |
381 | 0 | } |
382 | | |
383 | 682k | if (p.pad != NULL && !OSSL_PARAM_set_size_t(p.pad, ctx->tls_aad_pad_sz)) { |
384 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
385 | 0 | return 0; |
386 | 0 | } |
387 | | |
388 | 682k | if (p.tag != NULL) { |
389 | 497k | sz = p.tag->data_size; |
390 | 497k | if (!ctx->enc || ctx->taglen == UNINITIALISED_SIZET) { |
391 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); |
392 | 0 | return 0; |
393 | 0 | } |
394 | 497k | if (p.tag->data != NULL && (sz > EVP_GCM_TLS_TAG_LEN || sz == 0)) { |
395 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); |
396 | 0 | return 0; |
397 | 0 | } |
398 | | |
399 | 497k | if (!OSSL_PARAM_set_octet_string(p.tag, ctx->buf, sz)) { |
400 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); |
401 | 0 | return 0; |
402 | 0 | } |
403 | 497k | } |
404 | | |
405 | 682k | if (p.ivgen != NULL) |
406 | 0 | if (p.ivgen->data == NULL |
407 | 0 | || p.ivgen->data_type != OSSL_PARAM_OCTET_STRING |
408 | 0 | || !getivgen(ctx, p.ivgen->data, p.ivgen->data_size)) |
409 | 0 | return 0; |
410 | | |
411 | 682k | if (p.gen != NULL && !OSSL_PARAM_set_uint(p.gen, ctx->iv_gen_rand)) |
412 | 0 | return 0; |
413 | | |
414 | 682k | return 1; |
415 | 682k | } |
416 | | |
417 | | /* clang-format off */ |
418 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
419 | | #ifndef ossl_cipher_gcm_set_ctx_params_list |
420 | | static const OSSL_PARAM ossl_cipher_gcm_set_ctx_params_list[] = { |
421 | | OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL), |
422 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), |
423 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0), |
424 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, NULL, 0), |
425 | | OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, NULL, 0), |
426 | | OSSL_PARAM_END |
427 | | }; |
428 | | #endif |
429 | | |
430 | | #ifndef ossl_cipher_gcm_set_ctx_params_st |
431 | | struct ossl_cipher_gcm_set_ctx_params_st { |
432 | | OSSL_PARAM *aad; |
433 | | OSSL_PARAM *fixed; |
434 | | OSSL_PARAM *inviv; |
435 | | OSSL_PARAM *ivlen; |
436 | | OSSL_PARAM *tag; |
437 | | }; |
438 | | #endif |
439 | | |
440 | | #ifndef ossl_cipher_gcm_set_ctx_params_decoder |
441 | | static int ossl_cipher_gcm_set_ctx_params_decoder |
442 | | (const OSSL_PARAM *p, struct ossl_cipher_gcm_set_ctx_params_st *r) |
443 | 2.46M | { |
444 | 2.46M | const char *s; |
445 | | |
446 | 2.46M | memset(r, 0, sizeof(*r)); |
447 | 2.46M | if (p != NULL) |
448 | 1.21M | for (; (s = p->key) != NULL; p++) |
449 | 609k | switch(s[0]) { |
450 | 387 | default: |
451 | 387 | break; |
452 | 2.01k | case 'i': |
453 | 2.01k | if (ossl_likely(strcmp("vlen", s + 1) == 0)) { |
454 | | /* OSSL_CIPHER_PARAM_AEAD_IVLEN */ |
455 | 2.01k | if (ossl_unlikely(r->ivlen != NULL)) { |
456 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
457 | 0 | "param %s is repeated", s); |
458 | 0 | return 0; |
459 | 0 | } |
460 | 2.01k | r->ivlen = (OSSL_PARAM *)p; |
461 | 2.01k | } |
462 | 2.01k | break; |
463 | 607k | case 't': |
464 | 607k | switch(s[1]) { |
465 | 0 | default: |
466 | 0 | break; |
467 | 585k | case 'a': |
468 | 585k | if (ossl_likely(strcmp("g", s + 2) == 0)) { |
469 | | /* OSSL_CIPHER_PARAM_AEAD_TAG */ |
470 | 585k | if (ossl_unlikely(r->tag != NULL)) { |
471 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
472 | 0 | "param %s is repeated", s); |
473 | 0 | return 0; |
474 | 0 | } |
475 | 585k | r->tag = (OSSL_PARAM *)p; |
476 | 585k | } |
477 | 585k | break; |
478 | 585k | case 'l': |
479 | 21.2k | switch(s[2]) { |
480 | 0 | default: |
481 | 0 | break; |
482 | 21.2k | case 's': |
483 | 21.2k | switch(s[3]) { |
484 | 1.89k | default: |
485 | 1.89k | break; |
486 | 18.3k | case 'a': |
487 | 18.3k | if (ossl_likely(strcmp("ad", s + 4) == 0)) { |
488 | | /* OSSL_CIPHER_PARAM_AEAD_TLS1_AAD */ |
489 | 18.3k | if (ossl_unlikely(r->aad != NULL)) { |
490 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
491 | 0 | "param %s is repeated", s); |
492 | 0 | return 0; |
493 | 0 | } |
494 | 18.3k | r->aad = (OSSL_PARAM *)p; |
495 | 18.3k | } |
496 | 18.3k | break; |
497 | 18.3k | case 'i': |
498 | 947 | switch(s[4]) { |
499 | 0 | default: |
500 | 0 | break; |
501 | 947 | case 'v': |
502 | 947 | switch(s[5]) { |
503 | 0 | default: |
504 | 0 | break; |
505 | 947 | case 'f': |
506 | 947 | if (ossl_likely(strcmp("ixed", s + 6) == 0)) { |
507 | | /* OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED */ |
508 | 947 | if (ossl_unlikely(r->fixed != NULL)) { |
509 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
510 | 0 | "param %s is repeated", s); |
511 | 0 | return 0; |
512 | 0 | } |
513 | 947 | r->fixed = (OSSL_PARAM *)p; |
514 | 947 | } |
515 | 947 | break; |
516 | 947 | case 'i': |
517 | 0 | if (ossl_likely(strcmp("nv", s + 6) == 0)) { |
518 | | /* OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV */ |
519 | 0 | if (ossl_unlikely(r->inviv != NULL)) { |
520 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
521 | 0 | "param %s is repeated", s); |
522 | 0 | return 0; |
523 | 0 | } |
524 | 0 | r->inviv = (OSSL_PARAM *)p; |
525 | 0 | } |
526 | 947 | } |
527 | 947 | } |
528 | 21.2k | } |
529 | 21.2k | } |
530 | 607k | } |
531 | 609k | } |
532 | 2.46M | return 1; |
533 | 2.46M | } |
534 | | #endif |
535 | | /* End of machine generated */ |
536 | | /* clang-format on */ |
537 | | |
538 | | const OSSL_PARAM *ossl_gcm_settable_ctx_params( |
539 | | ossl_unused void *cctx, ossl_unused void *provctx) |
540 | 5 | { |
541 | 5 | return ossl_cipher_gcm_set_ctx_params_list; |
542 | 5 | } |
543 | | |
544 | | int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
545 | 2.46M | { |
546 | 2.46M | PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; |
547 | 2.46M | size_t sz; |
548 | 2.46M | void *vp; |
549 | 2.46M | struct ossl_cipher_gcm_set_ctx_params_st p; |
550 | | |
551 | 2.46M | if (ctx == NULL || !ossl_cipher_gcm_set_ctx_params_decoder(params, &p)) |
552 | 0 | return 0; |
553 | | |
554 | 2.46M | if (p.tag != NULL) { |
555 | 585k | vp = ctx->buf; |
556 | 585k | if (!OSSL_PARAM_get_octet_string(p.tag, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) { |
557 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); |
558 | 0 | return 0; |
559 | 0 | } |
560 | 585k | if (sz == 0 || ctx->enc) { |
561 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); |
562 | 0 | return 0; |
563 | 0 | } |
564 | 585k | ctx->taglen = sz; |
565 | 585k | } |
566 | | |
567 | 2.46M | if (p.ivlen != NULL) { |
568 | 2.01k | if (!OSSL_PARAM_get_size_t(p.ivlen, &sz)) { |
569 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); |
570 | 0 | return 0; |
571 | 0 | } |
572 | 2.01k | if (sz == 0 || sz > sizeof(ctx->iv)) { |
573 | 16 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); |
574 | 16 | return 0; |
575 | 16 | } |
576 | 1.99k | if (ctx->ivlen != sz) { |
577 | | /* If the iv was already set or autogenerated, it is invalid. */ |
578 | 7 | if (ctx->iv_state != IV_STATE_UNINITIALISED) |
579 | 0 | ctx->iv_state = IV_STATE_FINISHED; |
580 | 7 | ctx->ivlen = sz; |
581 | 7 | } |
582 | 1.99k | } |
583 | | |
584 | 2.46M | if (p.aad != NULL) { |
585 | 18.3k | if (p.aad->data_type != OSSL_PARAM_OCTET_STRING) { |
586 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); |
587 | 0 | return 0; |
588 | 0 | } |
589 | 18.3k | sz = gcm_tls_init(ctx, p.aad->data, p.aad->data_size); |
590 | 18.3k | if (sz == 0) { |
591 | 53 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD); |
592 | 53 | return 0; |
593 | 53 | } |
594 | 18.3k | ctx->tls_aad_pad_sz = sz; |
595 | 18.3k | } |
596 | | |
597 | 2.46M | if (p.fixed != NULL) { |
598 | 947 | if (p.fixed->data_type != OSSL_PARAM_OCTET_STRING) { |
599 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); |
600 | 0 | return 0; |
601 | 0 | } |
602 | 947 | if (gcm_tls_iv_set_fixed(ctx, p.fixed->data, p.fixed->data_size) == 0) { |
603 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); |
604 | 0 | return 0; |
605 | 0 | } |
606 | 947 | } |
607 | | |
608 | 2.46M | if (p.inviv != NULL) |
609 | 0 | if (p.inviv->data == NULL |
610 | 0 | || p.inviv->data_type != OSSL_PARAM_OCTET_STRING |
611 | 0 | || !setivinv(ctx, p.inviv->data, p.inviv->data_size)) |
612 | 0 | return 0; |
613 | | |
614 | 2.46M | return 1; |
615 | 2.46M | } |
616 | | |
617 | | int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl, |
618 | | size_t outsize, const unsigned char *in, size_t inl) |
619 | 9.11M | { |
620 | 9.11M | PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; |
621 | | |
622 | 9.11M | if (inl == 0) { |
623 | 0 | *outl = 0; |
624 | 0 | return 1; |
625 | 0 | } |
626 | | |
627 | 9.11M | if (outsize < inl) { |
628 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); |
629 | 0 | return 0; |
630 | 0 | } |
631 | | |
632 | 9.11M | if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) { |
633 | 65.8k | ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); |
634 | 65.8k | return 0; |
635 | 65.8k | } |
636 | 9.05M | return 1; |
637 | 9.11M | } |
638 | | |
639 | | int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl, |
640 | | size_t outsize) |
641 | 3.56M | { |
642 | 3.56M | PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; |
643 | 3.56M | int i; |
644 | | |
645 | 3.56M | if (!ossl_prov_is_running()) |
646 | 0 | return 0; |
647 | | |
648 | 3.56M | i = gcm_cipher_internal(ctx, out, outl, NULL, 0); |
649 | 3.56M | if (i <= 0) |
650 | 1.23M | return 0; |
651 | | |
652 | 2.33M | *outl = 0; |
653 | 2.33M | return 1; |
654 | 3.56M | } |
655 | | |
656 | | int ossl_gcm_cipher(void *vctx, |
657 | | unsigned char *out, size_t *outl, size_t outsize, |
658 | | const unsigned char *in, size_t inl) |
659 | 0 | { |
660 | 0 | PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; |
661 | |
|
662 | 0 | if (!ossl_prov_is_running()) |
663 | 0 | return 0; |
664 | | |
665 | 0 | if (outsize < inl) { |
666 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); |
667 | 0 | return 0; |
668 | 0 | } |
669 | | |
670 | 0 | if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) |
671 | 0 | return 0; |
672 | | |
673 | 0 | *outl = inl; |
674 | 0 | return 1; |
675 | 0 | } |
676 | | |
677 | | /* |
678 | | * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys" |
679 | | * |
680 | | * See also 8.2.2 RBG-based construction. |
681 | | * Random construction consists of a free field (which can be NULL) and a |
682 | | * random field which will use a DRBG that can return at least 96 bits of |
683 | | * entropy strength. (The DRBG must be seeded by the FIPS module). |
684 | | */ |
685 | | static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset) |
686 | 672 | { |
687 | 672 | int sz = (int)(ctx->ivlen - offset); |
688 | | |
689 | | /* Must be at least 96 bits */ |
690 | 672 | if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE) |
691 | 0 | return 0; |
692 | | |
693 | | /* Use DRBG to generate random iv */ |
694 | 672 | if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0) |
695 | 0 | return 0; |
696 | 672 | ctx->iv_state = IV_STATE_BUFFERED; |
697 | 672 | ctx->iv_gen_rand = 1; |
698 | 672 | return 1; |
699 | 672 | } |
700 | | |
701 | | static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out, |
702 | | size_t *padlen, const unsigned char *in, |
703 | | size_t len) |
704 | 12.6M | { |
705 | 12.6M | size_t olen = 0; |
706 | 12.6M | int rv = 0; |
707 | 12.6M | const PROV_GCM_HW *hw = ctx->hw; |
708 | | |
709 | 12.6M | if (ctx->tls_aad_len != UNINITIALISED_SIZET) |
710 | 67.6k | return gcm_tls_cipher(ctx, out, padlen, in, len); |
711 | | |
712 | 12.6M | if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED) |
713 | 0 | goto err; |
714 | | |
715 | | /* |
716 | | * FIPS requires generation of AES-GCM IV's inside the FIPS module. |
717 | | * The IV can still be set externally (the security policy will state that |
718 | | * this is not FIPS compliant). There are some applications |
719 | | * where setting the IV externally is the only option available. |
720 | | */ |
721 | 12.6M | if (ctx->iv_state == IV_STATE_UNINITIALISED) { |
722 | 672 | if (!ctx->enc || !gcm_iv_generate(ctx, 0)) |
723 | 0 | goto err; |
724 | 672 | } |
725 | | |
726 | 12.6M | if (ctx->iv_state == IV_STATE_BUFFERED) { |
727 | 3.56M | if (!hw->setiv(ctx, ctx->iv, ctx->ivlen)) |
728 | 0 | goto err; |
729 | 3.56M | ctx->iv_state = IV_STATE_COPIED; |
730 | 3.56M | } |
731 | | |
732 | 12.6M | if (in != NULL) { |
733 | | /* The input is AAD if out is NULL */ |
734 | 9.05M | if (out == NULL) { |
735 | 3.89M | if (!hw->aadupdate(ctx, in, len)) |
736 | 0 | goto err; |
737 | 5.15M | } else { |
738 | | /* The input is ciphertext OR plaintext */ |
739 | 5.15M | if (!hw->cipherupdate(ctx, in, len, out)) |
740 | 0 | goto err; |
741 | 5.15M | } |
742 | 9.05M | } else { |
743 | | /* The tag must be set before actually decrypting data */ |
744 | 3.56M | if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET) |
745 | 0 | goto err; |
746 | 3.56M | if (!hw->cipherfinal(ctx, ctx->buf)) |
747 | 1.23M | goto err; |
748 | 2.33M | ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */ |
749 | 2.33M | goto finish; |
750 | 3.56M | } |
751 | 9.05M | olen = len; |
752 | 11.3M | finish: |
753 | 11.3M | rv = 1; |
754 | 12.6M | err: |
755 | 12.6M | *padlen = olen; |
756 | 12.6M | return rv; |
757 | 11.3M | } |
758 | | |
759 | | static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len) |
760 | 67.8k | { |
761 | 67.8k | unsigned char *buf; |
762 | 67.8k | size_t len; |
763 | | |
764 | 67.8k | if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN) |
765 | 0 | return 0; |
766 | | |
767 | | /* Save the aad for later use. */ |
768 | 67.8k | buf = dat->buf; |
769 | 67.8k | memcpy(buf, aad, aad_len); |
770 | 67.8k | dat->tls_aad_len = aad_len; |
771 | | |
772 | 67.8k | len = buf[aad_len - 2] << 8 | buf[aad_len - 1]; |
773 | | /* Correct length for explicit iv. */ |
774 | 67.8k | if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) |
775 | 87 | return 0; |
776 | 67.7k | len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; |
777 | | |
778 | | /* If decrypting correct for tag too. */ |
779 | 67.7k | if (!dat->enc) { |
780 | 66.0k | if (len < EVP_GCM_TLS_TAG_LEN) |
781 | 51 | return 0; |
782 | 66.0k | len -= EVP_GCM_TLS_TAG_LEN; |
783 | 66.0k | } |
784 | 67.6k | buf[aad_len - 2] = (unsigned char)(len >> 8); |
785 | 67.6k | buf[aad_len - 1] = (unsigned char)(len & 0xff); |
786 | | /* Extra padding: tag appended to record. */ |
787 | 67.6k | return EVP_GCM_TLS_TAG_LEN; |
788 | 67.7k | } |
789 | | |
790 | | static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv, |
791 | | size_t len) |
792 | 2.77k | { |
793 | | /* Special case: -1 length restores whole IV */ |
794 | 2.77k | if (len == (size_t)-1) { |
795 | 0 | memcpy(ctx->iv, iv, ctx->ivlen); |
796 | 0 | ctx->iv_gen = 1; |
797 | 0 | ctx->iv_state = IV_STATE_BUFFERED; |
798 | 0 | return 1; |
799 | 0 | } |
800 | | /* Fixed field must be at least 4 bytes and invocation field at least 8 */ |
801 | 2.77k | if ((len < EVP_GCM_TLS_FIXED_IV_LEN) |
802 | 2.77k | || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN) |
803 | 0 | return 0; |
804 | 2.77k | if (len > 0) |
805 | 2.77k | memcpy(ctx->iv, iv, len); |
806 | 2.77k | if (ctx->enc) { |
807 | 1.11k | if (RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0) |
808 | 0 | return 0; |
809 | 1.11k | ctx->iv_gen_rand = 1; |
810 | 1.11k | } |
811 | 2.77k | ctx->iv_gen = 1; |
812 | 2.77k | ctx->iv_state = IV_STATE_BUFFERED; |
813 | 2.77k | return 1; |
814 | 2.77k | } |
815 | | |
816 | | /* |
817 | | * Handle TLS GCM packet format. This consists of the last portion of the IV |
818 | | * followed by the payload and finally the tag. On encrypt generate IV, |
819 | | * encrypt payload and write the tag. On verify retrieve IV, decrypt payload |
820 | | * and verify tag. |
821 | | */ |
822 | | static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen, |
823 | | const unsigned char *in, size_t len) |
824 | 67.6k | { |
825 | 67.6k | int rv = 0; |
826 | 67.6k | size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN; |
827 | 67.6k | size_t plen = 0; |
828 | 67.6k | unsigned char *tag = NULL; |
829 | | |
830 | 67.6k | if (!ossl_prov_is_running() || !ctx->key_set) |
831 | 0 | goto err; |
832 | | |
833 | | /* Encrypt/decrypt must be performed in place */ |
834 | 67.6k | if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) |
835 | 0 | goto err; |
836 | | |
837 | | /* |
838 | | * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness |
839 | | * Requirements from SP 800-38D". The requirements is for one party to the |
840 | | * communication to fail after 2^64 - 1 keys. We do this on the encrypting |
841 | | * side only. |
842 | | */ |
843 | 67.6k | if (ctx->enc && ++ctx->tls_enc_records == 0) { |
844 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS); |
845 | 0 | goto err; |
846 | 0 | } |
847 | | |
848 | | /* |
849 | | * Set IV from start of buffer or generate IV and write to start of |
850 | | * buffer. |
851 | | */ |
852 | 67.6k | if (ctx->enc) { |
853 | 1.68k | if (!getivgen(ctx, out, arg)) |
854 | 0 | goto err; |
855 | 66.0k | } else { |
856 | 66.0k | if (!setivinv(ctx, out, arg)) |
857 | 0 | goto err; |
858 | 66.0k | } |
859 | | |
860 | | /* Fix buffer and length to point to payload */ |
861 | 67.6k | in += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
862 | 67.6k | out += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
863 | 67.6k | len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; |
864 | | |
865 | 67.6k | tag = ctx->enc ? out + len : (unsigned char *)in + len; |
866 | 67.6k | if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag, |
867 | 67.6k | EVP_GCM_TLS_TAG_LEN)) { |
868 | 65.8k | if (!ctx->enc) |
869 | 65.8k | OPENSSL_cleanse(out, len); |
870 | 65.8k | goto err; |
871 | 65.8k | } |
872 | 1.86k | if (ctx->enc) |
873 | 1.68k | plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; |
874 | 180 | else |
875 | 180 | plen = len; |
876 | | |
877 | 1.86k | rv = 1; |
878 | 67.6k | err: |
879 | 67.6k | ctx->iv_state = IV_STATE_FINISHED; |
880 | 67.6k | ctx->tls_aad_len = UNINITIALISED_SIZET; |
881 | 67.6k | *padlen = plen; |
882 | 67.6k | return rv; |
883 | 1.86k | } |