1 
2 /*
3  * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 #ifndef OSSL_PROV_CIPHERCOMMON_GCM_H
12 # define OSSL_PROV_CIPHERCOMMON_GCM_H
13 # pragma once
14 
15 # include <openssl/aes.h>
16 # include "ciphercommon_aead.h"
17 
18 typedef struct prov_gcm_hw_st PROV_GCM_HW;
19 
20 # define GCM_IV_DEFAULT_SIZE 12 /* IV's for AES_GCM should normally be 12 bytes */
21 # define GCM_IV_MAX_SIZE     (1024 / 8)
22 # define GCM_TAG_MAX_SIZE    16
23 
24 # if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
25 /*-
26  * KMA-GCM-AES parameter block - begin
27  * (see z/Architecture Principles of Operation >= SA22-7832-11)
28  */
29 typedef struct S390X_kma_params_st {
30     unsigned char reserved[12];
31     union {
32         unsigned int w;
33         unsigned char b[4];
34     } cv; /* 32 bit counter value */
35     union {
36         unsigned long long g[2];
37         unsigned char b[16];
38     } t; /* tag */
39     unsigned char h[16]; /* hash subkey */
40     unsigned long long taadl; /* total AAD length */
41     unsigned long long tpcl; /* total plaintxt/ciphertxt len */
42     union {
43         unsigned long long g[2];
44         unsigned int w[4];
45     } j0;                   /* initial counter value */
46     unsigned char k[32];    /* key */
47 } S390X_KMA_PARAMS;
48 
49 # endif
50 
51 typedef struct prov_gcm_ctx_st {
52     unsigned int mode;          /* The mode that we are using */
53     size_t keylen;
54     size_t ivlen;
55     size_t taglen;
56     size_t tls_aad_pad_sz;
57     size_t tls_aad_len;         /* TLS AAD length */
58     uint64_t tls_enc_records;   /* Number of TLS records encrypted */
59 
60     /*
61      * num contains the number of bytes of |iv| which are valid for modes that
62      * manage partial blocks themselves.
63      */
64     size_t num;
65     size_t bufsz;               /* Number of bytes in buf */
66     uint64_t flags;
67 
68     unsigned int iv_state;      /* set to one of IV_STATE_XXX */
69     unsigned int enc:1;         /* Set to 1 if we are encrypting or 0 otherwise */
70     unsigned int pad:1;         /* Whether padding should be used or not */
71     unsigned int key_set:1;     /* Set if key initialised */
72     unsigned int iv_gen_rand:1; /* No IV was specified, so generate a rand IV */
73     unsigned int iv_gen:1;      /* It is OK to generate IVs */
74 
75     unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */
76     unsigned char buf[AES_BLOCK_SIZE]; /* Buffer of partial blocks processed via update calls */
77 
78     OSSL_LIB_CTX *libctx;    /* needed for rand calls */
79     const PROV_GCM_HW *hw;  /* hardware specific methods */
80     GCM128_CONTEXT gcm;
81     ctr128_f ctr;
82     const void *ks;
83 } PROV_GCM_CTX;
84 
85 PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX *ctx, const unsigned char *key,
86                                    size_t keylen));
87 PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX *dat, const unsigned char *iv,
88                                   size_t ivlen));
89 PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX *ctx,
90                                       const unsigned char *aad, size_t aadlen));
91 PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX *ctx,
92                                          const unsigned char *in, size_t len,
93                                          unsigned char *out));
94 PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX *ctx, unsigned char *tag));
95 PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX *ctx, unsigned char *aad,
96                                     size_t aad_len, const unsigned char *in,
97                                     size_t in_len, unsigned char *out,
98                                     unsigned char *tag, size_t taglen));
99 struct prov_gcm_hw_st {
100   OSSL_GCM_setkey_fn setkey;
101   OSSL_GCM_setiv_fn setiv;
102   OSSL_GCM_aadupdate_fn aadupdate;
103   OSSL_GCM_cipherupdate_fn cipherupdate;
104   OSSL_GCM_cipherfinal_fn cipherfinal;
105   OSSL_GCM_oneshot_fn oneshot;
106 };
107 
108 OSSL_FUNC_cipher_encrypt_init_fn ossl_gcm_einit;
109 OSSL_FUNC_cipher_decrypt_init_fn ossl_gcm_dinit;
110 OSSL_FUNC_cipher_get_ctx_params_fn ossl_gcm_get_ctx_params;
111 OSSL_FUNC_cipher_set_ctx_params_fn ossl_gcm_set_ctx_params;
112 OSSL_FUNC_cipher_cipher_fn ossl_gcm_cipher;
113 OSSL_FUNC_cipher_update_fn ossl_gcm_stream_update;
114 OSSL_FUNC_cipher_final_fn ossl_gcm_stream_final;
115 void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
116                       const PROV_GCM_HW *hw);
117 
118 int ossl_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen);
119 int ossl_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad,
120                         size_t aad_len);
121 int ossl_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag);
122 int ossl_gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
123                       const unsigned char *in, size_t in_len,
124                       unsigned char *out, unsigned char *tag, size_t tag_len);
125 int ossl_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
126                            size_t len, unsigned char *out);
127 
128 # define GCM_HW_SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr)            \
129     ctx->ks = ks;                                                              \
130     fn_set_enc_key(key, keylen * 8, ks);                                       \
131     CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block);                   \
132     ctx->ctr = (ctr128_f)fn_ctr;                                               \
133     ctx->key_set = 1;
134 
135 #endif
136