1

2
/*
3
 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
4
 *
5
 * Licensed under the Apache License 2.0 (the "License").  You may not use
6
 * this file except in compliance with the License.  You can obtain a copy
7
 * in the file LICENSE in the source distribution or at
8
 * https://www.openssl.org/source/license.html
9
 */
10

11
#ifndef OSSL_PROV_CIPHERCOMMON_GCM_H
12
#define OSSL_PROV_CIPHERCOMMON_GCM_H
13
#pragma once
14

15
#include <openssl/aes.h>
16
#include "ciphercommon_aead.h"
17

18
typedef struct prov_gcm_hw_st PROV_GCM_HW;
19

20
#define GCM_IV_DEFAULT_SIZE 12 /* IV's for AES_GCM should normally be 12 bytes */
21
#define GCM_IV_MAX_SIZE (1024 / 8)
22
#define GCM_TAG_MAX_SIZE 16
23

24
#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
25
/*-
26
 * KMA-GCM-AES parameter block - begin
27
 * (see z/Architecture Principles of Operation >= SA22-7832-11)
28
 */
29
typedef struct S390X_kma_params_st {
30
    unsigned char reserved[12];
31
    union {
32
        unsigned int w;
33
        unsigned char b[4];
34
    } cv; /* 32 bit counter value */
35
    union {
36
        unsigned long long g[2];
37
        unsigned char b[16];
38
    } t; /* tag */
39
    unsigned char h[16]; /* hash subkey */
40
    unsigned long long taadl; /* total AAD length */
41
    unsigned long long tpcl; /* total plaintxt/ciphertxt len */
42
    union {
43
        unsigned long long g[2];
44
        unsigned int w[4];
45
    } j0; /* initial counter value */
46
    unsigned char k[32]; /* key */
47
} S390X_KMA_PARAMS;
48

49
#endif
50

51
typedef struct prov_gcm_ctx_st {
52
    unsigned int mode; /* The mode that we are using */
53
    size_t keylen;
54
    size_t ivlen;
55
    size_t taglen;
56
    size_t tls_aad_pad_sz;
57
    size_t tls_aad_len; /* TLS AAD length */
58
    uint64_t tls_enc_records; /* Number of TLS records encrypted */
59

60
    /*
61
     * num contains the number of bytes of |iv| which are valid for modes that
62
     * manage partial blocks themselves.
63
     */
64
    size_t num;
65
    size_t bufsz; /* Number of bytes in buf */
66
    uint64_t flags;
67

68
    unsigned int iv_state; /* set to one of IV_STATE_XXX */
69
    unsigned int enc : 1; /* Set to 1 if we are encrypting or 0 otherwise */
70
    unsigned int pad : 1; /* Whether padding should be used or not */
71
    unsigned int key_set : 1; /* Set if key initialised */
72
    unsigned int iv_gen_rand : 1; /* No IV was specified, so generate a rand IV */
73
    unsigned int iv_gen : 1; /* It is OK to generate IVs */
74

75
    unsigned char iv[GCM_IV_MAX_SIZE]; /* Buffer to use for IV's */
76
    unsigned char buf[AES_BLOCK_SIZE]; /* Buffer of partial blocks processed via update calls */
77

78
    OSSL_LIB_CTX *libctx; /* needed for rand calls */
79
    const PROV_GCM_HW *hw; /* hardware specific methods */
80
    GCM128_CONTEXT gcm;
81
    ctr128_f ctr;
82
} PROV_GCM_CTX;
83

84
PROV_CIPHER_FUNC(int, GCM_setkey, (PROV_GCM_CTX * ctx, const unsigned char *key, size_t keylen));
85
PROV_CIPHER_FUNC(int, GCM_setiv, (PROV_GCM_CTX * dat, const unsigned char *iv, size_t ivlen));
86
PROV_CIPHER_FUNC(int, GCM_aadupdate, (PROV_GCM_CTX * ctx, const unsigned char *aad, size_t aadlen));
87
PROV_CIPHER_FUNC(int, GCM_cipherupdate, (PROV_GCM_CTX * ctx, const unsigned char *in, size_t len, unsigned char *out));
88
PROV_CIPHER_FUNC(int, GCM_cipherfinal, (PROV_GCM_CTX * ctx, unsigned char *tag));
89
PROV_CIPHER_FUNC(int, GCM_oneshot, (PROV_GCM_CTX * ctx, unsigned char *aad, size_t aad_len, const unsigned char *in, size_t in_len, unsigned char *out, unsigned char *tag, size_t taglen));
90
struct prov_gcm_hw_st {
91
    OSSL_GCM_setkey_fn setkey;
92
    OSSL_GCM_setiv_fn setiv;
93
    OSSL_GCM_aadupdate_fn aadupdate;
94
    OSSL_GCM_cipherupdate_fn cipherupdate;
95
    OSSL_GCM_cipherfinal_fn cipherfinal;
96
    OSSL_GCM_oneshot_fn oneshot;
97
};
98

99
OSSL_FUNC_cipher_encrypt_init_fn ossl_gcm_einit;
100
OSSL_FUNC_cipher_decrypt_init_fn ossl_gcm_dinit;
101
OSSL_FUNC_cipher_get_ctx_params_fn ossl_gcm_get_ctx_params;
102
OSSL_FUNC_cipher_set_ctx_params_fn ossl_gcm_set_ctx_params;
103
OSSL_FUNC_cipher_cipher_fn ossl_gcm_cipher;
104
OSSL_FUNC_cipher_update_fn ossl_gcm_stream_update;
105
OSSL_FUNC_cipher_final_fn ossl_gcm_stream_final;
106
void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
107
    const PROV_GCM_HW *hw);
108

109
int ossl_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen);
110
int ossl_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad,
111
    size_t aad_len);
112
int ossl_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag);
113
int ossl_gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len,
114
    const unsigned char *in, size_t in_len,
115
    unsigned char *out, unsigned char *tag, size_t tag_len);
116
int ossl_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
117
    size_t len, unsigned char *out);
118

119
#define GCM_HW_SET_KEY_CTR_FN(ks, fn_set_enc_key, fn_block, fn_ctr) \
120
    fn_set_enc_key(key, keylen * 8, ks);                            \
121
    CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)fn_block);        \
122
    ctx->ctr = (ctr128_f)fn_ctr;                                    \
123
    ctx->key_set = 1;
124

125
#endif
126

127