/src/openssl34/providers/implementations/ciphers/ciphercommon_gcm.c

Source
/*
 * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Dispatch functions for gcm mode */

#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "prov/ciphercommon.h"
#include "prov/ciphercommon_gcm.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "internal/param_names.h"

static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
    size_t len);
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
    const unsigned char *in, size_t len);
static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
    size_t *padlen, const unsigned char *in,
    size_t len);

/*
 * Called from EVP_CipherInit when there is currently no context via
 * the new_ctx() function
 */
void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
    const PROV_GCM_HW *hw)
{
    ctx->pad = 1;
    ctx->mode = EVP_CIPH_GCM_MODE;
    ctx->taglen = UNINITIALISED_SIZET;
    ctx->tls_aad_len = UNINITIALISED_SIZET;
    ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
    ctx->keylen = keybits / 8;
    ctx->hw = hw;
    ctx->libctx = PROV_LIBCTX_OF(provctx);
}

/*
 * Called by EVP_CipherInit via the _einit and _dinit functions
 */
static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[], int enc)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    ctx->enc = enc;

    if (iv != NULL) {
        if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
            return 0;
        }
        ctx->ivlen = ivlen;
        memcpy(ctx->iv, iv, ivlen);
        ctx->iv_state = IV_STATE_BUFFERED;
    }

    if (key != NULL) {
        if (keylen != ctx->keylen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
        if (!ctx->hw->setkey(ctx, key, ctx->keylen))
            return 0;
        ctx->tls_enc_records = 0;
    }
    return ossl_gcm_set_ctx_params(ctx, params);
}

int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[])
{
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
}

int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[])
{
    return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
}

/* increment counter (64-bit int) by 1 */
static void ctr64_inc(unsigned char *counter)
{
    int n = 8;
    unsigned char c;

    do {
        --n;
        c = counter[n];
        ++c;
        counter[n] = c;
        if (c > 0)
            return;
    } while (n > 0);
}

static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
{
    if (!ctx->iv_gen
        || !ctx->key_set
        || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
        return 0;
    if (olen == 0 || olen > ctx->ivlen)
        olen = ctx->ivlen;
    memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
    /*
     * Invocation field will be at least 8 bytes in size and so no need
     * to check wrap around or increment more than last 8 bytes.
     */
    ctr64_inc(ctx->iv + ctx->ivlen - 8);
    ctx->iv_state = IV_STATE_COPIED;
    return 1;
}

static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
{
    if (!ctx->iv_gen
        || !ctx->key_set
        || ctx->enc)
        return 0;

    memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
    if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
        return 0;
    ctx->iv_state = IV_STATE_COPIED;
    return 1;
}

int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
    OSSL_PARAM *p;
    size_t sz;
    int type;

    for (p = params; p->key != NULL; p++) {
        type = ossl_param_find_pidx(p->key);
        switch (type) {
        default:
            break;

        case PIDX_CIPHER_PARAM_IVLEN:
            if (!OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_KEYLEN:
            if (!OSSL_PARAM_set_size_t(p, ctx->keylen)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_AEAD_TAGLEN: {
            size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen : GCM_TAG_MAX_SIZE;

            if (!OSSL_PARAM_set_size_t(p, taglen)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
        } break;

        case PIDX_CIPHER_PARAM_IV:
            if (ctx->iv_state == IV_STATE_UNINITIALISED)
                return 0;
            if (ctx->ivlen > p->data_size) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
                return 0;
            }
            if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
                && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_UPDATED_IV:
            if (ctx->iv_state == IV_STATE_UNINITIALISED)
                return 0;
            if (ctx->ivlen > p->data_size) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
                return 0;
            }
            if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
                && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD_PAD:
            if (!OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_AEAD_TAG:
            sz = p->data_size;
            if (sz == 0
                || sz > EVP_GCM_TLS_TAG_LEN
                || !ctx->enc
                || ctx->taglen == UNINITIALISED_SIZET) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
                return 0;
            }
            if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN:
            if (p->data == NULL
                || p->data_type != OSSL_PARAM_OCTET_STRING
                || !getivgen(ctx, p->data, p->data_size))
                return 0;
            break;
        case PIDX_CIPHER_PARAM_AEAD_IV_GENERATED:
            if (!OSSL_PARAM_set_uint(p, ctx->iv_gen_rand))
                return 0;
        }
    }
    return 1;
}

int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
    const OSSL_PARAM *p;
    size_t sz;
    void *vp;
    int type;

    if (params == NULL)
        return 1;

    for (p = params; p->key != NULL; p++) {
        type = ossl_param_find_pidx(p->key);
        switch (type) {
        default:
            break;

        case PIDX_CIPHER_PARAM_AEAD_TAG:
            vp = ctx->buf;
            if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
                return 0;
            }
            if (sz == 0 || ctx->enc) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
                return 0;
            }
            ctx->taglen = sz;
            break;

        case PIDX_CIPHER_PARAM_AEAD_IVLEN:
            if (!OSSL_PARAM_get_size_t(p, &sz)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
                return 0;
            }
            if (sz == 0 || sz > sizeof(ctx->iv)) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
                return 0;
            }
            if (ctx->ivlen != sz) {
                /* If the iv was already set or autogenerated, it is invalid. */
                if (ctx->iv_state != IV_STATE_UNINITIALISED)
                    ctx->iv_state = IV_STATE_FINISHED;
                ctx->ivlen = sz;
            }
            break;

        case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD:
            if (p->data_type != OSSL_PARAM_OCTET_STRING) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
                return 0;
            }
            sz = gcm_tls_init(ctx, p->data, p->data_size);
            if (sz == 0) {
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
                return 0;
            }
            ctx->tls_aad_pad_sz = sz;
            break;

        case PIDX_CIPHER_PARAM_AEAD_TLS1_IV_FIXED:
            if (p->data_type != OSSL_PARAM_OCTET_STRING) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
                return 0;
            }
            if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
                ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
                return 0;
            }
            break;

        case PIDX_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV:
            if (p->data == NULL
                || p->data_type != OSSL_PARAM_OCTET_STRING
                || !setivinv(ctx, p->data, p->data_size))
                return 0;
            break;
        }
    }

    return 1;
}

int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
    size_t outsize, const unsigned char *in, size_t inl)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;

    if (inl == 0) {
        *outl = 0;
        return 1;
    }

    if (outsize < inl) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
        return 0;
    }
    return 1;
}

int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
    size_t outsize)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
    int i;

    if (!ossl_prov_is_running())
        return 0;

    i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
    if (i <= 0)
        return 0;

    *outl = 0;
    return 1;
}

int ossl_gcm_cipher(void *vctx,
    unsigned char *out, size_t *outl, size_t outsize,
    const unsigned char *in, size_t inl)
{
    PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    if (outsize < inl) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
        return 0;

    *outl = inl;
    return 1;
}

/*
 * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
 *
 * See also 8.2.2 RBG-based construction.
 * Random construction consists of a free field (which can be NULL) and a
 * random field which will use a DRBG that can return at least 96 bits of
 * entropy strength. (The DRBG must be seeded by the FIPS module).
 */
static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
{
    int sz = ctx->ivlen - offset;

    /* Must be at least 96 bits */
    if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
        return 0;

    /* Use DRBG to generate random iv */
    if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
        return 0;
    ctx->iv_state = IV_STATE_BUFFERED;
    ctx->iv_gen_rand = 1;
    return 1;
}

static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
    size_t *padlen, const unsigned char *in,
    size_t len)
{
    size_t olen = 0;
    int rv = 0;
    const PROV_GCM_HW *hw = ctx->hw;

    if (ctx->tls_aad_len != UNINITIALISED_SIZET)
        return gcm_tls_cipher(ctx, out, padlen, in, len);

    if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
        goto err;

    /*
     * FIPS requires generation of AES-GCM IV's inside the FIPS module.
     * The IV can still be set externally (the security policy will state that
     * this is not FIPS compliant). There are some applications
     * where setting the IV externally is the only option available.
     */
    if (ctx->iv_state == IV_STATE_UNINITIALISED) {
        if (!ctx->enc || !gcm_iv_generate(ctx, 0))
            goto err;
    }

    if (ctx->iv_state == IV_STATE_BUFFERED) {
        if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
            goto err;
        ctx->iv_state = IV_STATE_COPIED;
    }

    if (in != NULL) {
        /*  The input is AAD if out is NULL */
        if (out == NULL) {
            if (!hw->aadupdate(ctx, in, len))
                goto err;
        } else {
            /* The input is ciphertext OR plaintext */
            if (!hw->cipherupdate(ctx, in, len, out))
                goto err;
        }
    } else {
        /* The tag must be set before actually decrypting data */
        if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
            goto err;
        if (!hw->cipherfinal(ctx, ctx->buf))
            goto err;
        ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
        goto finish;
    }
    olen = len;
finish:
    rv = 1;
err:
    *padlen = olen;
    return rv;
}

static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
{
    unsigned char *buf;
    size_t len;

    if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
        return 0;

    /* Save the aad for later use. */
    buf = dat->buf;
    memcpy(buf, aad, aad_len);
    dat->tls_aad_len = aad_len;

    len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
    /* Correct length for explicit iv. */
    if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
        return 0;
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;

    /* If decrypting correct for tag too. */
    if (!dat->enc) {
        if (len < EVP_GCM_TLS_TAG_LEN)
            return 0;
        len -= EVP_GCM_TLS_TAG_LEN;
    }
    buf[aad_len - 2] = (unsigned char)(len >> 8);
    buf[aad_len - 1] = (unsigned char)(len & 0xff);
    /* Extra padding: tag appended to record. */
    return EVP_GCM_TLS_TAG_LEN;
}

static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
    size_t len)
{
    /* Special case: -1 length restores whole IV */
    if (len == (size_t)-1) {
        memcpy(ctx->iv, iv, ctx->ivlen);
        ctx->iv_gen = 1;
        ctx->iv_state = IV_STATE_BUFFERED;
        return 1;
    }
    /* Fixed field must be at least 4 bytes and invocation field at least 8 */
    if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
        || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
        return 0;
    if (len > 0)
        memcpy(ctx->iv, iv, len);
    if (ctx->enc) {
        if (RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
            return 0;
        ctx->iv_gen_rand = 1;
    }
    ctx->iv_gen = 1;
    ctx->iv_state = IV_STATE_BUFFERED;
    return 1;
}

/*
 * Handle TLS GCM packet format. This consists of the last portion of the IV
 * followed by the payload and finally the tag. On encrypt generate IV,
 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
 * and verify tag.
 */
static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
    const unsigned char *in, size_t len)
{
    int rv = 0;
    size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
    size_t plen = 0;
    unsigned char *tag = NULL;

    if (!ossl_prov_is_running() || !ctx->key_set)
        goto err;

    /* Encrypt/decrypt must be performed in place */
    if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
        goto err;

    /*
     * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
     * Requirements from SP 800-38D".  The requirements is for one party to the
     * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
     * side only.
     */
    if (ctx->enc && ++ctx->tls_enc_records == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
        goto err;
    }

    /*
     * Set IV from start of buffer or generate IV and write to start of
     * buffer.
     */
    if (ctx->enc) {
        if (!getivgen(ctx, out, arg))
            goto err;
    } else {
        if (!setivinv(ctx, out, arg))
            goto err;
    }

    /* Fix buffer and length to point to payload */
    in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
    out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
    len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;

    tag = ctx->enc ? out + len : (unsigned char *)in + len;
    if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
            EVP_GCM_TLS_TAG_LEN)) {
        if (!ctx->enc)
            OPENSSL_cleanse(out, len);
        goto err;
    }
    if (ctx->enc)
        plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
    else
        plen = len;

    rv = 1;
err:
    ctx->iv_state = IV_STATE_FINISHED;
    ctx->tls_aad_len = UNINITIALISED_SIZET;
    *padlen = plen;
    return rv;
}

Coverage Report

Created: 2026-04-09 06:50

Line	Count	Source
1		/*
2		* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/* Dispatch functions for gcm mode */
11
12		#include <openssl/rand.h>
13		#include <openssl/proverr.h>
14		#include "prov/ciphercommon.h"
15		#include "prov/ciphercommon_gcm.h"
16		#include "prov/providercommon.h"
17		#include "prov/provider_ctx.h"
18		#include "internal/param_names.h"
19
20		static int gcm_tls_init(PROV_GCM_CTX dat, unsigned char aad, size_t aad_len);
21		static int gcm_tls_iv_set_fixed(PROV_GCM_CTX ctx, unsigned char iv,
22		size_t len);
23		static int gcm_tls_cipher(PROV_GCM_CTX ctx, unsigned char out, size_t *padlen,
24		const unsigned char *in, size_t len);
25		static int gcm_cipher_internal(PROV_GCM_CTX ctx, unsigned char out,
26		size_t padlen, const unsigned char in,
27		size_t len);
28
29		/*
30		* Called from EVP_CipherInit when there is currently no context via
31		* the new_ctx() function
32		*/
33		void ossl_gcm_initctx(void provctx, PROV_GCM_CTX ctx, size_t keybits,
34		const PROV_GCM_HW *hw)
35	809k	{
36	809k	ctx->pad = 1;
37	809k	ctx->mode = EVP_CIPH_GCM_MODE;
38	809k	ctx->taglen = UNINITIALISED_SIZET;
39	809k	ctx->tls_aad_len = UNINITIALISED_SIZET;
40	809k	ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
41	809k	ctx->keylen = keybits / 8;
42	809k	ctx->hw = hw;
43	809k	ctx->libctx = PROV_LIBCTX_OF(provctx);
44	809k	}
45
46		/*
47		* Called by EVP_CipherInit via the _einit and _dinit functions
48		*/
49		static int gcm_init(void vctx, const unsigned char key, size_t keylen,
50		const unsigned char *iv, size_t ivlen,
51		const OSSL_PARAM params[], int enc)
52	4.27M	{
53	4.27M	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
54
55	4.27M	if (!ossl_prov_is_running())
56	0	return 0;
57
58	4.27M	ctx->enc = enc;
59
60	4.27M	if (iv != NULL) {
61	4.19M	if (ivlen == 0 \|\| ivlen > sizeof(ctx->iv)) {
62	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
63	0	return 0;
64	0	}
65	4.19M	ctx->ivlen = ivlen;
66	4.19M	memcpy(ctx->iv, iv, ivlen);
67	4.19M	ctx->iv_state = IV_STATE_BUFFERED;
68	4.19M	}
69
70	4.27M	if (key != NULL) {
71	809k	if (keylen != ctx->keylen) {
72	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
73	0	return 0;
74	0	}
75	809k	if (!ctx->hw->setkey(ctx, key, ctx->keylen))
76	0	return 0;
77	809k	ctx->tls_enc_records = 0;
78	809k	}
79	4.27M	return ossl_gcm_set_ctx_params(ctx, params);
80	4.27M	}
81
82		int ossl_gcm_einit(void vctx, const unsigned char key, size_t keylen,
83		const unsigned char *iv, size_t ivlen,
84		const OSSL_PARAM params[])
85	2.72M	{
86	2.72M	return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
87	2.72M	}
88
89		int ossl_gcm_dinit(void vctx, const unsigned char key, size_t keylen,
90		const unsigned char *iv, size_t ivlen,
91		const OSSL_PARAM params[])
92	1.54M	{
93	1.54M	return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
94	1.54M	}
95
96		/* increment counter (64-bit int) by 1 */
97		static void ctr64_inc(unsigned char *counter)
98	2.01k	{
99	2.01k	int n = 8;
100	2.01k	unsigned char c;
101
102	2.01k	do {
103	2.01k	--n;
104	2.01k	c = counter[n];
105	2.01k	++c;
106	2.01k	counter[n] = c;
107	2.01k	if (c > 0)
108	2.01k	return;
109	2.01k	} while (n > 0);
110	2.01k	}
111
112		static int getivgen(PROV_GCM_CTX ctx, unsigned char out, size_t olen)
113	2.01k	{
114	2.01k	if (!ctx->iv_gen
115	2.01k	\|\| !ctx->key_set
116	2.01k	\|\| !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
117	0	return 0;
118	2.01k	if (olen == 0 \|\| olen > ctx->ivlen)
119	0	olen = ctx->ivlen;
120	2.01k	memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
121		/*
122		* Invocation field will be at least 8 bytes in size and so no need
123		* to check wrap around or increment more than last 8 bytes.
124		*/
125	2.01k	ctr64_inc(ctx->iv + ctx->ivlen - 8);
126	2.01k	ctx->iv_state = IV_STATE_COPIED;
127	2.01k	return 1;
128	2.01k	}
129
130		static int setivinv(PROV_GCM_CTX ctx, unsigned char in, size_t inl)
131	92.0k	{
132	92.0k	if (!ctx->iv_gen
133	92.0k	\|\| !ctx->key_set
134	92.0k	\|\| ctx->enc)
135	0	return 0;
136
137	92.0k	memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
138	92.0k	if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
139	0	return 0;
140	92.0k	ctx->iv_state = IV_STATE_COPIED;
141	92.0k	return 1;
142	92.0k	}
143
144		int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
145	1.72M	{
146	1.72M	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
147	1.72M	OSSL_PARAM *p;
148	1.72M	size_t sz;
149	1.72M	int type;
150
151	3.44M	for (p = params; p->key != NULL; p++) {
152	1.72M	type = ossl_param_find_pidx(p->key);
153	1.72M	switch (type) {
154	43	default:
155	43	break;
156
157	372k	case PIDX_CIPHER_PARAM_IVLEN:
158	372k	if (!OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
159	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
160	0	return 0;
161	0	}
162	372k	break;
163
164	385k	case PIDX_CIPHER_PARAM_KEYLEN:
165	385k	if (!OSSL_PARAM_set_size_t(p, ctx->keylen)) {
166	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
167	0	return 0;
168	0	}
169	385k	break;
170
171	385k	case PIDX_CIPHER_PARAM_AEAD_TAGLEN: {
172	0	size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen : GCM_TAG_MAX_SIZE;
173
174	0	if (!OSSL_PARAM_set_size_t(p, taglen)) {
175	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
176	0	return 0;
177	0	}
178	0	} break;
179
180	0	case PIDX_CIPHER_PARAM_IV:
181	0	if (ctx->iv_state == IV_STATE_UNINITIALISED)
182	0	return 0;
183	0	if (ctx->ivlen > p->data_size) {
184	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
185	0	return 0;
186	0	}
187	0	if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
188	0	&& !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
189	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
190	0	return 0;
191	0	}
192	0	break;
193
194	0	case PIDX_CIPHER_PARAM_UPDATED_IV:
195	0	if (ctx->iv_state == IV_STATE_UNINITIALISED)
196	0	return 0;
197	0	if (ctx->ivlen > p->data_size) {
198	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
199	0	return 0;
200	0	}
201	0	if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
202	0	&& !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
203	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
204	0	return 0;
205	0	}
206	0	break;
207
208	50.5k	case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD_PAD:
209	50.5k	if (!OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
210	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
211	0	return 0;
212	0	}
213	50.5k	break;
214
215	913k	case PIDX_CIPHER_PARAM_AEAD_TAG:
216	913k	sz = p->data_size;
217	913k	if (sz == 0
218	913k	\|\| sz > EVP_GCM_TLS_TAG_LEN
219	913k	\|\| !ctx->enc
220	913k	\|\| ctx->taglen == UNINITIALISED_SIZET) {
221	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
222	0	return 0;
223	0	}
224	913k	if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
225	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
226	0	return 0;
227	0	}
228	913k	break;
229
230	913k	case PIDX_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN:
231	0	if (p->data == NULL
232	0	\|\| p->data_type != OSSL_PARAM_OCTET_STRING
233	0	\|\| !getivgen(ctx, p->data, p->data_size))
234	0	return 0;
235	0	break;
236	0	case PIDX_CIPHER_PARAM_AEAD_IV_GENERATED:
237	0	if (!OSSL_PARAM_set_uint(p, ctx->iv_gen_rand))
238	0	return 0;
239	1.72M	}
240	1.72M	}
241	1.72M	return 1;
242	1.72M	}
243
244		int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
245	2.50M	{
246	2.50M	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
247	2.50M	const OSSL_PARAM *p;
248	2.50M	size_t sz;
249	2.50M	void *vp;
250	2.50M	int type;
251
252	2.50M	if (params == NULL)
253	1.87M	return 1;
254
255	1.25M	for (p = params; p->key != NULL; p++) {
256	629k	type = ossl_param_find_pidx(p->key);
257	629k	switch (type) {
258	3.35k	default:
259	3.35k	break;
260
261	588k	case PIDX_CIPHER_PARAM_AEAD_TAG:
262	588k	vp = ctx->buf;
263	588k	if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
264	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
265	0	return 0;
266	0	}
267	588k	if (sz == 0 \|\| ctx->enc) {
268	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
269	0	return 0;
270	0	}
271	588k	ctx->taglen = sz;
272	588k	break;
273
274	1.65k	case PIDX_CIPHER_PARAM_AEAD_IVLEN:
275	1.65k	if (!OSSL_PARAM_get_size_t(p, &sz)) {
276	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
277	0	return 0;
278	0	}
279	1.65k	if (sz == 0 \|\| sz > sizeof(ctx->iv)) {
280	19	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
281	19	return 0;
282	19	}
283	1.63k	if (ctx->ivlen != sz) {
284		/* If the iv was already set or autogenerated, it is invalid. */
285	11	if (ctx->iv_state != IV_STATE_UNINITIALISED)
286	0	ctx->iv_state = IV_STATE_FINISHED;
287	11	ctx->ivlen = sz;
288	11	}
289	1.63k	break;
290
291	34.3k	case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD:
292	34.3k	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
293	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
294	0	return 0;
295	0	}
296	34.3k	sz = gcm_tls_init(ctx, p->data, p->data_size);
297	34.3k	if (sz == 0) {
298	73	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
299	73	return 0;
300	73	}
301	34.2k	ctx->tls_aad_pad_sz = sz;
302	34.2k	break;
303
304	1.45k	case PIDX_CIPHER_PARAM_AEAD_TLS1_IV_FIXED:
305	1.45k	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
306	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
307	0	return 0;
308	0	}
309	1.45k	if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
310	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
311	0	return 0;
312	0	}
313	1.45k	break;
314
315	1.45k	case PIDX_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV:
316	0	if (p->data == NULL
317	0	\|\| p->data_type != OSSL_PARAM_OCTET_STRING
318	0	\|\| !setivinv(ctx, p->data, p->data_size))
319	0	return 0;
320	0	break;
321	629k	}
322	629k	}
323
324	628k	return 1;
325	628k	}
326
327		int ossl_gcm_stream_update(void vctx, unsigned char out, size_t *outl,
328		size_t outsize, const unsigned char *in, size_t inl)
329	10.0M	{
330	10.0M	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
331
332	10.0M	if (inl == 0) {
333	0	*outl = 0;
334	0	return 1;
335	0	}
336
337	10.0M	if (outsize < inl) {
338	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
339	0	return 0;
340	0	}
341
342	10.0M	if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
343	91.8k	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
344	91.8k	return 0;
345	91.8k	}
346	9.92M	return 1;
347	10.0M	}
348
349		int ossl_gcm_stream_final(void vctx, unsigned char out, size_t *outl,
350		size_t outsize)
351	3.94M	{
352	3.94M	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
353	3.94M	int i;
354
355	3.94M	if (!ossl_prov_is_running())
356	0	return 0;
357
358	3.94M	i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
359	3.94M	if (i <= 0)
360	1.28M	return 0;
361
362	2.65M	*outl = 0;
363	2.65M	return 1;
364	3.94M	}
365
366		int ossl_gcm_cipher(void *vctx,
367		unsigned char out, size_t outl, size_t outsize,
368		const unsigned char *in, size_t inl)
369	0	{
370	0	PROV_GCM_CTX ctx = (PROV_GCM_CTX )vctx;
371
372	0	if (!ossl_prov_is_running())
373	0	return 0;
374
375	0	if (outsize < inl) {
376	0	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
377	0	return 0;
378	0	}
379
380	0	if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
381	0	return 0;
382
383	0	*outl = inl;
384	0	return 1;
385	0	}
386
387		/*
388		* See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
389		*
390		* See also 8.2.2 RBG-based construction.
391		* Random construction consists of a free field (which can be NULL) and a
392		* random field which will use a DRBG that can return at least 96 bits of
393		* entropy strength. (The DRBG must be seeded by the FIPS module).
394		*/
395		static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
396	672	{
397	672	int sz = ctx->ivlen - offset;
398
399		/* Must be at least 96 bits */
400	672	if (sz <= 0 \|\| ctx->ivlen < GCM_IV_DEFAULT_SIZE)
401	0	return 0;
402
403		/* Use DRBG to generate random iv */
404	672	if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
405	0	return 0;
406	672	ctx->iv_state = IV_STATE_BUFFERED;
407	672	ctx->iv_gen_rand = 1;
408	672	return 1;
409	672	}
410
411		static int gcm_cipher_internal(PROV_GCM_CTX ctx, unsigned char out,
412		size_t padlen, const unsigned char in,
413		size_t len)
414	13.9M	{
415	13.9M	size_t olen = 0;
416	13.9M	int rv = 0;
417	13.9M	const PROV_GCM_HW *hw = ctx->hw;
418
419	13.9M	if (ctx->tls_aad_len != UNINITIALISED_SIZET)
420	94.1k	return gcm_tls_cipher(ctx, out, padlen, in, len);
421
422	13.8M	if (!ctx->key_set \|\| ctx->iv_state == IV_STATE_FINISHED)
423	0	goto err;
424
425		/*
426		* FIPS requires generation of AES-GCM IV's inside the FIPS module.
427		* The IV can still be set externally (the security policy will state that
428		* this is not FIPS compliant). There are some applications
429		* where setting the IV externally is the only option available.
430		*/
431	13.8M	if (ctx->iv_state == IV_STATE_UNINITIALISED) {
432	672	if (!ctx->enc \|\| !gcm_iv_generate(ctx, 0))
433	0	goto err;
434	672	}
435
436	13.8M	if (ctx->iv_state == IV_STATE_BUFFERED) {
437	3.94M	if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
438	0	goto err;
439	3.94M	ctx->iv_state = IV_STATE_COPIED;
440	3.94M	}
441
442	13.8M	if (in != NULL) {
443		/* The input is AAD if out is NULL */
444	9.91M	if (out == NULL) {
445	4.46M	if (!hw->aadupdate(ctx, in, len))
446	0	goto err;
447	5.45M	} else {
448		/* The input is ciphertext OR plaintext */
449	5.45M	if (!hw->cipherupdate(ctx, in, len, out))
450	0	goto err;
451	5.45M	}
452	9.91M	} else {
453		/* The tag must be set before actually decrypting data */
454	3.94M	if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
455	0	goto err;
456	3.94M	if (!hw->cipherfinal(ctx, ctx->buf))
457	1.28M	goto err;
458	2.65M	ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
459	2.65M	goto finish;
460	3.94M	}
461	9.91M	olen = len;
462	12.5M	finish:
463	12.5M	rv = 1;
464	13.8M	err:
465	13.8M	*padlen = olen;
466	13.8M	return rv;
467	12.5M	}
468
469		static int gcm_tls_init(PROV_GCM_CTX dat, unsigned char aad, size_t aad_len)
470	94.2k	{
471	94.2k	unsigned char *buf;
472	94.2k	size_t len;
473
474	94.2k	if (!ossl_prov_is_running() \|\| aad_len != EVP_AEAD_TLS1_AAD_LEN)
475	0	return 0;
476
477		/* Save the aad for later use. */
478	94.2k	buf = dat->buf;
479	94.2k	memcpy(buf, aad, aad_len);
480	94.2k	dat->tls_aad_len = aad_len;
481
482	94.2k	len = buf[aad_len - 2] << 8 \| buf[aad_len - 1];
483		/* Correct length for explicit iv. */
484	94.2k	if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
485	107	return 0;
486	94.1k	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
487
488		/* If decrypting correct for tag too. */
489	94.1k	if (!dat->enc) {
490	92.1k	if (len < EVP_GCM_TLS_TAG_LEN)
491	72	return 0;
492	92.0k	len -= EVP_GCM_TLS_TAG_LEN;
493	92.0k	}
494	94.1k	buf[aad_len - 2] = (unsigned char)(len >> 8);
495	94.1k	buf[aad_len - 1] = (unsigned char)(len & 0xff);
496		/* Extra padding: tag appended to record. */
497	94.1k	return EVP_GCM_TLS_TAG_LEN;
498	94.1k	}
499
500		static int gcm_tls_iv_set_fixed(PROV_GCM_CTX ctx, unsigned char iv,
501		size_t len)
502	2.78k	{
503		/* Special case: -1 length restores whole IV */
504	2.78k	if (len == (size_t)-1) {
505	0	memcpy(ctx->iv, iv, ctx->ivlen);
506	0	ctx->iv_gen = 1;
507	0	ctx->iv_state = IV_STATE_BUFFERED;
508	0	return 1;
509	0	}
510		/* Fixed field must be at least 4 bytes and invocation field at least 8 */
511	2.78k	if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
512	2.78k	\|\| (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
513	0	return 0;
514	2.78k	if (len > 0)
515	2.78k	memcpy(ctx->iv, iv, len);
516	2.78k	if (ctx->enc) {
517	1.09k	if (RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
518	0	return 0;
519	1.09k	ctx->iv_gen_rand = 1;
520	1.09k	}
521	2.78k	ctx->iv_gen = 1;
522	2.78k	ctx->iv_state = IV_STATE_BUFFERED;
523	2.78k	return 1;
524	2.78k	}
525
526		/*
527		* Handle TLS GCM packet format. This consists of the last portion of the IV
528		* followed by the payload and finally the tag. On encrypt generate IV,
529		* encrypt payload and write the tag. On verify retrieve IV, decrypt payload
530		* and verify tag.
531		*/
532		static int gcm_tls_cipher(PROV_GCM_CTX ctx, unsigned char out, size_t *padlen,
533		const unsigned char *in, size_t len)
534	94.1k	{
535	94.1k	int rv = 0;
536	94.1k	size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
537	94.1k	size_t plen = 0;
538	94.1k	unsigned char *tag = NULL;
539
540	94.1k	if (!ossl_prov_is_running() \|\| !ctx->key_set)
541	0	goto err;
542
543		/* Encrypt/decrypt must be performed in place */
544	94.1k	if (out != in \|\| len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
545	0	goto err;
546
547		/*
548		* Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
549		* Requirements from SP 800-38D". The requirements is for one party to the
550		* communication to fail after 2^64 - 1 keys. We do this on the encrypting
551		* side only.
552		*/
553	94.1k	if (ctx->enc && ++ctx->tls_enc_records == 0) {
554	0	ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
555	0	goto err;
556	0	}
557
558		/*
559		* Set IV from start of buffer or generate IV and write to start of
560		* buffer.
561		*/
562	94.1k	if (ctx->enc) {
563	2.01k	if (!getivgen(ctx, out, arg))
564	0	goto err;
565	92.0k	} else {
566	92.0k	if (!setivinv(ctx, out, arg))
567	0	goto err;
568	92.0k	}
569
570		/* Fix buffer and length to point to payload */
571	94.1k	in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
572	94.1k	out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
573	94.1k	len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
574
575	94.1k	tag = ctx->enc ? out + len : (unsigned char *)in + len;
576	94.1k	if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
577	94.1k	EVP_GCM_TLS_TAG_LEN)) {
578	91.8k	if (!ctx->enc)
579	91.8k	OPENSSL_cleanse(out, len);
580	91.8k	goto err;
581	91.8k	}
582	2.22k	if (ctx->enc)
583	2.01k	plen = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
584	212	else
585	212	plen = len;
586
587	2.22k	rv = 1;
588	94.1k	err:
589	94.1k	ctx->iv_state = IV_STATE_FINISHED;
590	94.1k	ctx->tls_aad_len = UNINITIALISED_SIZET;
591	94.1k	*padlen = plen;
592	94.1k	return rv;
593	2.22k	}