1 2 /* 3 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #ifndef OSSL_PROV_CIPHERCOMMON_GCM_H 12 # define OSSL_PROV_CIPHERCOMMON_GCM_H 13 # pragma once 14 15 # include <openssl/aes.h> 16 # include "ciphercommon_aead.h" 17 18 typedef struct prov_gcm_hw_st PROV_GCM_HW; 19 20 # define GCM_IV_DEFAULT_SIZE 12 /* IV's for AES_GCM should normally be 12 bytes */ 21 # define GCM_IV_MAX_SIZE (1024 / 8) 22 # define GCM_TAG_MAX_SIZE 16 23 24 # if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) 25 /*- 26 * KMA-GCM-AES parameter block - begin 27 * (see z/Architecture Principles of Operation >= SA22-7832-11) 28 */ 29 typedef struct S390X_kma_params_st { 30 unsigned char reserved[12]; 31 union { 32 unsigned int w; 33 unsigned char b[4]; 34 } cv; /* 32 bit counter value */ 35 union { 36 unsigned long long g[2]; 37 unsigned char b[16]; 38 } t; /* tag */ 39 unsigned char h[16]; /* hash subkey */ 40 unsigned long long taadl; /* total AAD length */ 41 unsigned long long tpcl; /* total plaintxt/ciphertxt len */ 42 union { 43 unsigned long long g[2]; 44 unsigned int w[4]; 45 } j0; /* initial counter value */ 46 unsigned char k[32]; /* key */ 47 } S390X_KMA_PARAMS; 48 49 # endif 50 51 typedef struct prov_gcm_ctx_st { 52 unsigned int mode; /* The mode that we are using */ 53 size_t keylen; 54 size_t ivlen; 55 size_t taglen; 56 size_t tls_aad_pad_sz; 57 size_t tls_aad_len; /* TLS AAD length */ 58 uint64_t tls_enc_records; /* Number of TLS records encrypted */ 59 60 /* 61 * num contains the number of bytes of |iv| which are valid for modes that 62 * manage partial blocks themselves. 63 */ 64 size_t num; 65 size_t bufsz; /* Number of bytes in buf */ 66 uint64_t flags; 67 68 unsigned int iv_state; /* set to one of IV_STATE_XXX */ 69 unsigned int enc:1; /* Set to 1 if we are encrypting or 0 otherwise */ 70 unsigned int pad:1; /* Whether padding should be used or not */ 71 unsigned int key_set:1; /* Set if key initialised */ 72 unsigned int iv_gen_rand:1; /* No IV was specified, so generate a rand IV */ 73 unsigned int iv_gen:1; /* It is OK to generate IVs */ 74 75 unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */ 76 unsigned char buf[AES_BLOCK_SIZE]; /* Buffer of partial blocks processed via update calls */ 77 78 OSSL_LIB_CTX *libctx; /* needed for rand calls */ 79 const PROV_GCM_HW *hw; /* hardware specific methods */ 80 GCM128_CONTEXT gcm; 81 ctr128_f ctr; 82 const void *ks; 83 } PROV_GCM_CTX; 84 85 PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX *ctx, const unsigned char *key, 86 size_t keylen)); 87 PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX *dat, const unsigned char *iv, 88 size_t ivlen)); 89 PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX *ctx, 90 const unsigned char *aad, size_t aadlen)); 91 PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX *ctx, 92 const unsigned char *in, size_t len, 93 unsigned char *out)); 94 PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX *ctx, unsigned char *tag)); 95 PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX *ctx, unsigned char *aad, 96 size_t aad_len, const unsigned char *in, 97 size_t in_len, unsigned char *out, 98 unsigned char *tag, size_t taglen)); 99 struct prov_gcm_hw_st { 100 OSSL_GCM_setkey_fn setkey; 101 OSSL_GCM_setiv_fn setiv; 102 OSSL_GCM_aadupdate_fn aadupdate; 103 OSSL_GCM_cipherupdate_fn cipherupdate; 104 OSSL_GCM_cipherfinal_fn cipherfinal; 105 OSSL_GCM_oneshot_fn oneshot; 106 }; 107 108 OSSL_FUNC_cipher_encrypt_init_fn ossl_gcm_einit; 109 OSSL_FUNC_cipher_decrypt_init_fn ossl_gcm_dinit; 110 OSSL_FUNC_cipher_get_ctx_params_fn ossl_gcm_get_ctx_params; 111 OSSL_FUNC_cipher_set_ctx_params_fn ossl_gcm_set_ctx_params; 112 OSSL_FUNC_cipher_cipher_fn ossl_gcm_cipher; 113 OSSL_FUNC_cipher_update_fn ossl_gcm_stream_update; 114 OSSL_FUNC_cipher_final_fn ossl_gcm_stream_final; 115 void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, 116 const PROV_GCM_HW *hw); 117 118 int ossl_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen); 119 int ossl_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, 120 size_t aad_len); 121 int ossl_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag); 122 int ossl_gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len, 123 const unsigned char *in, size_t in_len, 124 unsigned char *out, unsigned char *tag, size_t tag_len); 125 int ossl_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, 126 size_t len, unsigned char *out); 127 128 # define GCM_HW_SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr) \ 129 ctx->ks = ks; \ 130 fn_set_enc_key(key, keylen * 8, ks); \ 131 CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block); \ 132 ctx->ctr = (ctr128_f)fn_ctr; \ 133 ctx->key_set = 1; 134 135 #endif 136