xref: /freebsd/crypto/openssl/providers/implementations/ciphers/ciphercommon_gcm.c (revision 5b56413d04e608379c9a306373554a8e4d321bc0)
1 /*
2  * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* Dispatch functions for gcm mode */
11 
12 #include <openssl/rand.h>
13 #include <openssl/proverr.h>
14 #include "prov/ciphercommon.h"
15 #include "prov/ciphercommon_gcm.h"
16 #include "prov/providercommon.h"
17 #include "prov/provider_ctx.h"
18 
19 static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len);
20 static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
21                                 size_t len);
22 static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
23                           const unsigned char *in, size_t len);
24 static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
25                                size_t *padlen, const unsigned char *in,
26                                size_t len);
27 
28 /*
29  * Called from EVP_CipherInit when there is currently no context via
30  * the new_ctx() function
31  */
32 void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
33                       const PROV_GCM_HW *hw)
34 {
35     ctx->pad = 1;
36     ctx->mode = EVP_CIPH_GCM_MODE;
37     ctx->taglen = UNINITIALISED_SIZET;
38     ctx->tls_aad_len = UNINITIALISED_SIZET;
39     ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN);
40     ctx->keylen = keybits / 8;
41     ctx->hw = hw;
42     ctx->libctx = PROV_LIBCTX_OF(provctx);
43 }
44 
45 /*
46  * Called by EVP_CipherInit via the _einit and _dinit functions
47  */
48 static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
49                     const unsigned char *iv, size_t ivlen,
50                     const OSSL_PARAM params[], int enc)
51 {
52     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
53 
54     if (!ossl_prov_is_running())
55         return 0;
56 
57     ctx->enc = enc;
58 
59     if (iv != NULL) {
60         if (ivlen == 0 || ivlen > sizeof(ctx->iv)) {
61             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
62             return 0;
63         }
64         ctx->ivlen = ivlen;
65         memcpy(ctx->iv, iv, ivlen);
66         ctx->iv_state = IV_STATE_BUFFERED;
67     }
68 
69     if (key != NULL) {
70         if (keylen != ctx->keylen) {
71             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
72             return 0;
73         }
74         if (!ctx->hw->setkey(ctx, key, ctx->keylen))
75             return 0;
76         ctx->tls_enc_records = 0;
77     }
78     return ossl_gcm_set_ctx_params(ctx, params);
79 }
80 
81 int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
82                    const unsigned char *iv, size_t ivlen,
83                    const OSSL_PARAM params[])
84 {
85     return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
86 }
87 
88 int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
89                    const unsigned char *iv, size_t ivlen,
90                    const OSSL_PARAM params[])
91 {
92     return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
93 }
94 
95 /* increment counter (64-bit int) by 1 */
96 static void ctr64_inc(unsigned char *counter)
97 {
98     int n = 8;
99     unsigned char c;
100 
101     do {
102         --n;
103         c = counter[n];
104         ++c;
105         counter[n] = c;
106         if (c > 0)
107             return;
108     } while (n > 0);
109 }
110 
111 static int getivgen(PROV_GCM_CTX *ctx, unsigned char *out, size_t olen)
112 {
113     if (!ctx->iv_gen
114         || !ctx->key_set
115         || !ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
116         return 0;
117     if (olen == 0 || olen > ctx->ivlen)
118         olen = ctx->ivlen;
119     memcpy(out, ctx->iv + ctx->ivlen - olen, olen);
120     /*
121      * Invocation field will be at least 8 bytes in size and so no need
122      * to check wrap around or increment more than last 8 bytes.
123      */
124     ctr64_inc(ctx->iv + ctx->ivlen - 8);
125     ctx->iv_state = IV_STATE_COPIED;
126     return 1;
127 }
128 
129 static int setivinv(PROV_GCM_CTX *ctx, unsigned char *in, size_t inl)
130 {
131     if (!ctx->iv_gen
132         || !ctx->key_set
133         || ctx->enc)
134         return 0;
135 
136     memcpy(ctx->iv + ctx->ivlen - inl, in, inl);
137     if (!ctx->hw->setiv(ctx, ctx->iv, ctx->ivlen))
138         return 0;
139     ctx->iv_state = IV_STATE_COPIED;
140     return 1;
141 }
142 
143 int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
144 {
145     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
146     OSSL_PARAM *p;
147     size_t sz;
148 
149     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
150     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) {
151         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
152         return 0;
153     }
154     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
155     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) {
156         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
157         return 0;
158     }
159     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
160     if (p != NULL) {
161         size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen :
162                          GCM_TAG_MAX_SIZE;
163 
164         if (!OSSL_PARAM_set_size_t(p, taglen)) {
165             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
166             return 0;
167         }
168     }
169 
170     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
171     if (p != NULL) {
172         if (ctx->iv_state == IV_STATE_UNINITIALISED)
173             return 0;
174         if (ctx->ivlen > p->data_size) {
175             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
176             return 0;
177         }
178         if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
179             && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
180             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
181             return 0;
182         }
183     }
184 
185     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV);
186     if (p != NULL) {
187         if (ctx->iv_state == IV_STATE_UNINITIALISED)
188             return 0;
189         if (ctx->ivlen > p->data_size) {
190             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
191             return 0;
192         }
193         if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen)
194             && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) {
195             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
196             return 0;
197         }
198     }
199 
200     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD);
201     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) {
202         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
203         return 0;
204     }
205     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
206     if (p != NULL) {
207         sz = p->data_size;
208         if (sz == 0
209             || sz > EVP_GCM_TLS_TAG_LEN
210             || !ctx->enc
211             || ctx->taglen == UNINITIALISED_SIZET) {
212             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
213             return 0;
214         }
215         if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) {
216             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
217             return 0;
218         }
219     }
220     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN);
221     if (p != NULL) {
222         if (p->data == NULL
223             || p->data_type != OSSL_PARAM_OCTET_STRING
224             || !getivgen(ctx, p->data, p->data_size))
225             return 0;
226     }
227     return 1;
228 }
229 
230 int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
231 {
232     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
233     const OSSL_PARAM *p;
234     size_t sz;
235     void *vp;
236 
237     if (params == NULL)
238         return 1;
239 
240     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
241     if (p != NULL) {
242         vp = ctx->buf;
243         if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) {
244             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
245             return 0;
246         }
247         if (sz == 0 || ctx->enc) {
248             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG);
249             return 0;
250         }
251         ctx->taglen = sz;
252     }
253 
254     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
255     if (p != NULL) {
256         if (!OSSL_PARAM_get_size_t(p, &sz)) {
257             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
258             return 0;
259         }
260         if (sz == 0 || sz > sizeof(ctx->iv)) {
261             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
262             return 0;
263         }
264         if (ctx->ivlen != sz) {
265             /* If the iv was already set or autogenerated, it is invalid. */
266             if (ctx->iv_state != IV_STATE_UNINITIALISED)
267                 ctx->iv_state = IV_STATE_FINISHED;
268             ctx->ivlen = sz;
269         }
270     }
271 
272     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
273     if (p != NULL) {
274         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
275             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
276             return 0;
277         }
278         sz = gcm_tls_init(ctx, p->data, p->data_size);
279         if (sz == 0) {
280             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
281             return 0;
282         }
283         ctx->tls_aad_pad_sz = sz;
284     }
285 
286     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
287     if (p != NULL) {
288         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
289             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
290             return 0;
291         }
292         if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
293             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
294             return 0;
295         }
296     }
297     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV);
298     if (p != NULL) {
299         if (p->data == NULL
300             || p->data_type != OSSL_PARAM_OCTET_STRING
301             || !setivinv(ctx, p->data, p->data_size))
302             return 0;
303     }
304 
305 
306     return 1;
307 }
308 
309 int ossl_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl,
310                            size_t outsize, const unsigned char *in, size_t inl)
311 {
312     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
313 
314     if (inl == 0) {
315         *outl = 0;
316         return 1;
317     }
318 
319     if (outsize < inl) {
320         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
321         return 0;
322     }
323 
324     if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0) {
325         ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
326         return 0;
327     }
328     return 1;
329 }
330 
331 int ossl_gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
332                           size_t outsize)
333 {
334     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
335     int i;
336 
337     if (!ossl_prov_is_running())
338         return 0;
339 
340     i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
341     if (i <= 0)
342         return 0;
343 
344     *outl = 0;
345     return 1;
346 }
347 
348 int ossl_gcm_cipher(void *vctx,
349                     unsigned char *out, size_t *outl, size_t outsize,
350                     const unsigned char *in, size_t inl)
351 {
352     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
353 
354     if (!ossl_prov_is_running())
355         return 0;
356 
357     if (outsize < inl) {
358         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
359         return 0;
360     }
361 
362     if (gcm_cipher_internal(ctx, out, outl, in, inl) <= 0)
363         return 0;
364 
365     *outl = inl;
366     return 1;
367 }
368 
369 /*
370  * See SP800-38D (GCM) Section 8 "Uniqueness requirement on IVS and keys"
371  *
372  * See also 8.2.2 RBG-based construction.
373  * Random construction consists of a free field (which can be NULL) and a
374  * random field which will use a DRBG that can return at least 96 bits of
375  * entropy strength. (The DRBG must be seeded by the FIPS module).
376  */
377 static int gcm_iv_generate(PROV_GCM_CTX *ctx, int offset)
378 {
379     int sz = ctx->ivlen - offset;
380 
381     /* Must be at least 96 bits */
382     if (sz <= 0 || ctx->ivlen < GCM_IV_DEFAULT_SIZE)
383         return 0;
384 
385     /* Use DRBG to generate random iv */
386     if (RAND_bytes_ex(ctx->libctx, ctx->iv + offset, sz, 0) <= 0)
387         return 0;
388     ctx->iv_state = IV_STATE_BUFFERED;
389     ctx->iv_gen_rand = 1;
390     return 1;
391 }
392 
393 static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out,
394                                size_t *padlen, const unsigned char *in,
395                                size_t len)
396 {
397     size_t olen = 0;
398     int rv = 0;
399     const PROV_GCM_HW *hw = ctx->hw;
400 
401     if (ctx->tls_aad_len != UNINITIALISED_SIZET)
402         return gcm_tls_cipher(ctx, out, padlen, in, len);
403 
404     if (!ctx->key_set || ctx->iv_state == IV_STATE_FINISHED)
405         goto err;
406 
407     /*
408      * FIPS requires generation of AES-GCM IV's inside the FIPS module.
409      * The IV can still be set externally (the security policy will state that
410      * this is not FIPS compliant). There are some applications
411      * where setting the IV externally is the only option available.
412      */
413     if (ctx->iv_state == IV_STATE_UNINITIALISED) {
414         if (!ctx->enc || !gcm_iv_generate(ctx, 0))
415             goto err;
416     }
417 
418     if (ctx->iv_state == IV_STATE_BUFFERED) {
419         if (!hw->setiv(ctx, ctx->iv, ctx->ivlen))
420             goto err;
421         ctx->iv_state = IV_STATE_COPIED;
422     }
423 
424     if (in != NULL) {
425         /*  The input is AAD if out is NULL */
426         if (out == NULL) {
427             if (!hw->aadupdate(ctx, in, len))
428                 goto err;
429         } else {
430             /* The input is ciphertext OR plaintext */
431             if (!hw->cipherupdate(ctx, in, len, out))
432                 goto err;
433         }
434     } else {
435         /* The tag must be set before actually decrypting data */
436         if (!ctx->enc && ctx->taglen == UNINITIALISED_SIZET)
437             goto err;
438         if (!hw->cipherfinal(ctx, ctx->buf))
439             goto err;
440         ctx->iv_state = IV_STATE_FINISHED; /* Don't reuse the IV */
441         goto finish;
442     }
443     olen = len;
444 finish:
445     rv = 1;
446 err:
447     *padlen = olen;
448     return rv;
449 }
450 
451 static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
452 {
453     unsigned char *buf;
454     size_t len;
455 
456     if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
457        return 0;
458 
459     /* Save the aad for later use. */
460     buf = dat->buf;
461     memcpy(buf, aad, aad_len);
462     dat->tls_aad_len = aad_len;
463 
464     len = buf[aad_len - 2] << 8 | buf[aad_len - 1];
465     /* Correct length for explicit iv. */
466     if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
467         return 0;
468     len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
469 
470     /* If decrypting correct for tag too. */
471     if (!dat->enc) {
472         if (len < EVP_GCM_TLS_TAG_LEN)
473             return 0;
474         len -= EVP_GCM_TLS_TAG_LEN;
475     }
476     buf[aad_len - 2] = (unsigned char)(len >> 8);
477     buf[aad_len - 1] = (unsigned char)(len & 0xff);
478     /* Extra padding: tag appended to record. */
479     return EVP_GCM_TLS_TAG_LEN;
480 }
481 
482 static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv,
483                                 size_t len)
484 {
485     /* Special case: -1 length restores whole IV */
486     if (len == (size_t)-1) {
487         memcpy(ctx->iv, iv, ctx->ivlen);
488         ctx->iv_gen = 1;
489         ctx->iv_state = IV_STATE_BUFFERED;
490         return 1;
491     }
492     /* Fixed field must be at least 4 bytes and invocation field at least 8 */
493     if ((len < EVP_GCM_TLS_FIXED_IV_LEN)
494         || (ctx->ivlen - (int)len) < EVP_GCM_TLS_EXPLICIT_IV_LEN)
495             return 0;
496     if (len > 0)
497         memcpy(ctx->iv, iv, len);
498     if (ctx->enc
499         && RAND_bytes_ex(ctx->libctx, ctx->iv + len, ctx->ivlen - len, 0) <= 0)
500             return 0;
501     ctx->iv_gen = 1;
502     ctx->iv_state = IV_STATE_BUFFERED;
503     return 1;
504 }
505 
506 /*
507  * Handle TLS GCM packet format. This consists of the last portion of the IV
508  * followed by the payload and finally the tag. On encrypt generate IV,
509  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
510  * and verify tag.
511  */
512 static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
513                           const unsigned char *in, size_t len)
514 {
515     int rv = 0;
516     size_t arg = EVP_GCM_TLS_EXPLICIT_IV_LEN;
517     size_t plen = 0;
518     unsigned char *tag = NULL;
519 
520     if (!ossl_prov_is_running() || !ctx->key_set)
521         goto err;
522 
523     /* Encrypt/decrypt must be performed in place */
524     if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN))
525         goto err;
526 
527     /*
528      * Check for too many keys as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness
529      * Requirements from SP 800-38D".  The requirements is for one party to the
530      * communication to fail after 2^64 - 1 keys.  We do this on the encrypting
531      * side only.
532      */
533     if (ctx->enc && ++ctx->tls_enc_records == 0) {
534         ERR_raise(ERR_LIB_PROV, PROV_R_TOO_MANY_RECORDS);
535         goto err;
536     }
537 
538     /*
539      * Set IV from start of buffer or generate IV and write to start of
540      * buffer.
541      */
542     if (ctx->enc) {
543         if (!getivgen(ctx, out, arg))
544             goto err;
545     } else {
546         if (!setivinv(ctx, out, arg))
547             goto err;
548     }
549 
550     /* Fix buffer and length to point to payload */
551     in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
552     out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
553     len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
554 
555     tag = ctx->enc ? out + len : (unsigned char *)in + len;
556     if (!ctx->hw->oneshot(ctx, ctx->buf, ctx->tls_aad_len, in, len, out, tag,
557                           EVP_GCM_TLS_TAG_LEN)) {
558         if (!ctx->enc)
559             OPENSSL_cleanse(out, len);
560         goto err;
561     }
562     if (ctx->enc)
563         plen =  len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
564     else
565         plen = len;
566 
567     rv = 1;
568 err:
569     ctx->iv_state = IV_STATE_FINISHED;
570     ctx->tls_aad_len = UNINITIALISED_SIZET;
571     *padlen = plen;
572     return rv;
573 }
574