1/* Copyright (c) (2015-2019,2021,2022) Apple Inc. All rights reserved.
2 *
3 * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which
4 * is contained in the License.txt file distributed with corecrypto) and only to
5 * people who accept that license. IMPORTANT: Any license rights granted to you by
6 * Apple Inc. (if any) are limited to internal use within your organization only on
7 * devices and computers you own or control, for the sole purpose of verifying the
8 * security characteristics and correct functioning of the Apple Software. You may
9 * not, directly or indirectly, redistribute the Apple Software or any portions thereof.
10 *
11 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
12 *
13 * This file contains Original Code and/or Modifications of Original Code
14 * as defined in and that are subject to the Apple Public Source License
15 * Version 2.0 (the 'License'). You may not use this file except in
16 * compliance with the License. The rights granted to you under the License
17 * may not be used to create, or enable the creation or redistribution of,
18 * unlawful or unlicensed copies of an Apple operating system, or to
19 * circumvent, violate, or enable the circumvention or violation of, any
20 * terms of an Apple operating system software license agreement.
21 *
22 * Please obtain a copy of the License at
23 * http://www.opensource.apple.com/apsl/ and read it before using this file.
24 *
25 * The Original Code and all software distributed under the License are
26 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
27 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
28 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
29 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
30 * Please see the License for the specific language governing rights and
31 * limitations under the License.
32 *
33 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
34 */
35
36#include "cc_internal.h"
37#include "cc_macros.h"
38#include "fipspost_trace.h"
39#include "ccmode_gcm_internal.h"
40#include <corecrypto/ccmode.h>
41
42size_t
43ccgcm_context_size(const struct ccmode_gcm *mode)
44{
45 CC_ENSURE_DIT_ENABLED
46
47 return mode->size;
48}
49
50size_t
51ccgcm_block_size(const struct ccmode_gcm *mode)
52{
53 CC_ENSURE_DIT_ENABLED
54
55 return mode->block_size;
56}
57
58int
59ccgcm_init(const struct ccmode_gcm *mode,
60 ccgcm_ctx *ctx,
61 size_t key_nbytes,
62 const void *cc_sized_by(key_nbytes)key)
63{
64 CC_ENSURE_DIT_ENABLED
65
66 return mode->init(mode, ctx, key_nbytes, key);
67}
68
69int
70ccgcm_init_with_iv(const struct ccmode_gcm *mode, ccgcm_ctx *ctx,
71 size_t key_nbytes, const void *key,
72 const void *iv)
73{
74 CC_ENSURE_DIT_ENABLED
75
76 int rc;
77
78 rc = ccgcm_init(mode, ctx, key_nbytes, key);
79 if (rc == 0) {
80 rc = ccgcm_set_iv(mode, ctx, CCGCM_IV_NBYTES, iv);
81 }
82 if (rc == 0) {
83 _CCMODE_GCM_KEY(ctx)->flags |= CCGCM_FLAGS_INIT_WITH_IV;
84 }
85 return rc;
86}
87
88int
89ccgcm_set_iv(const struct ccmode_gcm *mode,
90 ccgcm_ctx *ctx,
91 size_t iv_nbytes,
92 const void *cc_sized_by(iv_nbytes)iv)
93{
94 CC_ENSURE_DIT_ENABLED
95
96 return mode->set_iv(ctx, iv_nbytes, iv);
97}
98
99int
100ccgcm_inc_iv(CC_UNUSED const struct ccmode_gcm *mode, ccgcm_ctx *ctx, void *iv)
101{
102 CC_ENSURE_DIT_ENABLED
103
104 uint8_t *Y0 = CCMODE_GCM_KEY_Y_0(ctx);
105
106 cc_require(_CCMODE_GCM_KEY(ctx)->state == CCMODE_GCM_STATE_IV, errOut);
107 cc_require(_CCMODE_GCM_KEY(ctx)->flags & CCGCM_FLAGS_INIT_WITH_IV, errOut);
108
109 inc_uint(buf: Y0 + 4, nbytes: 8);
110 cc_memcpy(iv, Y0, CCGCM_IV_NBYTES);
111 cc_memcpy(CCMODE_GCM_KEY_Y(ctx), Y0, CCGCM_BLOCK_NBYTES);
112 ccmode_gcm_update_pad(key: ctx);
113
114 _CCMODE_GCM_KEY(ctx)->state = CCMODE_GCM_STATE_AAD;
115
116 return 0;
117
118errOut:
119 return CCMODE_INVALID_CALL_SEQUENCE;
120}
121
122int
123ccgcm_aad(const struct ccmode_gcm *mode,
124 ccgcm_ctx *ctx,
125 size_t nbytes,
126 const void *cc_sized_by(nbytes)additional_data)
127{
128 CC_ENSURE_DIT_ENABLED
129
130 return mode->gmac(ctx, nbytes, additional_data);
131}
132
133int
134ccgcm_gmac(const struct ccmode_gcm *mode,
135 ccgcm_ctx *ctx,
136 size_t nbytes,
137 const void *cc_sized_by(nbytes)in)
138{
139 CC_ENSURE_DIT_ENABLED
140
141 return mode->gmac(ctx, nbytes, in);
142}
143
144int
145ccgcm_update(const struct ccmode_gcm *mode,
146 ccgcm_ctx *ctx,
147 size_t nbytes,
148 const void *cc_sized_by(nbytes)in,
149 void *cc_sized_by(nbytes)out)
150{
151 CC_ENSURE_DIT_ENABLED
152
153 return mode->gcm(ctx, nbytes, in, out);
154}
155
156int
157ccgcm_finalize(const struct ccmode_gcm *mode,
158 ccgcm_ctx *ctx,
159 size_t tag_nbytes,
160 void *cc_sized_by(tag_nbytes)tag)
161{
162 CC_ENSURE_DIT_ENABLED
163
164 return mode->finalize(ctx, tag_nbytes, tag);
165}
166
167int
168ccgcm_reset(const struct ccmode_gcm *mode, ccgcm_ctx *ctx)
169{
170 CC_ENSURE_DIT_ENABLED
171
172 return mode->reset(ctx);
173}
174
175int
176ccgcm_one_shot(const struct ccmode_gcm *mode,
177 size_t key_nbytes, const void *key,
178 size_t iv_nbytes, const void *iv,
179 size_t adata_nbytes, const void *adata,
180 size_t nbytes, const void *in, void *out,
181 size_t tag_nbytes, void *tag)
182{
183 CC_ENSURE_DIT_ENABLED
184
185 FIPSPOST_TRACE_EVENT;
186
187 int rc = 0;
188
189 ccgcm_ctx_decl(mode->size, ctx);
190 rc = ccgcm_init(mode, ctx, key_nbytes, key); cc_require(rc == 0, errOut);
191 rc = ccgcm_set_iv(mode, ctx, iv_nbytes, iv); cc_require(rc == 0, errOut);
192 rc = ccgcm_aad(mode, ctx, nbytes: adata_nbytes, additional_data: adata); cc_require(rc == 0, errOut);
193 rc = ccgcm_update(mode, ctx, nbytes, in, out); cc_require(rc == 0, errOut);
194 rc = ccgcm_finalize(mode, ctx, tag_nbytes, tag); cc_require(rc == 0, errOut);
195
196errOut:
197 ccgcm_ctx_clear(mode->size, ctx);
198 return rc;
199}
200
201
202//ccgcm_one_shot_legacy() is created because in the previous implementation of aes-gcm
203//set_iv() could be skipped.
204//In the new version of aes-gcm set_iv() cannot be skipped and IV length cannot
205//be zero, as specified in FIPS.
206//do not call ccgcm_one_shot_legacy() in any new application
207int
208ccgcm_set_iv_legacy(const struct ccmode_gcm *mode, ccgcm_ctx *key, size_t iv_nbytes, const void *iv)
209{
210 CC_ENSURE_DIT_ENABLED
211
212 int rc = -1;
213
214 if (iv_nbytes == 0 || iv == NULL) {
215 /* must be in IV state */
216 cc_require(_CCMODE_GCM_KEY(key)->state == CCMODE_GCM_STATE_IV, errOut); /* CRYPT_INVALID_ARG */
217
218 // this is the net effect of setting IV to the empty string
219 cc_clear(CCGCM_BLOCK_NBYTES, CCMODE_GCM_KEY_Y(key));
220 ccmode_gcm_update_pad(key);
221 cc_clear(CCGCM_BLOCK_NBYTES, CCMODE_GCM_KEY_Y_0(key));
222
223 _CCMODE_GCM_KEY(key)->state = CCMODE_GCM_STATE_AAD;
224 rc = 0;
225 } else {
226 rc = ccgcm_set_iv(mode, ctx: key, iv_nbytes, iv);
227 }
228
229errOut:
230 return rc;
231}
232
233int
234ccgcm_one_shot_legacy(const struct ccmode_gcm *mode,
235 size_t key_nbytes, const void *key,
236 size_t iv_nbytes, const void *iv,
237 size_t adata_nbytes, const void *adata,
238 size_t nbytes, const void *in, void *out,
239 size_t tag_nbytes, void *tag)
240{
241 CC_ENSURE_DIT_ENABLED
242
243 int rc = 0;
244
245 ccgcm_ctx_decl(mode->size, ctx);
246 rc = ccgcm_init(mode, ctx, key_nbytes, key); cc_require(rc == 0, errOut);
247 rc = ccgcm_set_iv_legacy(mode, key: ctx, iv_nbytes, iv); cc_require(rc == 0, errOut);
248 rc = ccgcm_aad(mode, ctx, nbytes: adata_nbytes, additional_data: adata); cc_require(rc == 0, errOut);
249 rc = ccgcm_update(mode, ctx, nbytes, in, out); cc_require(rc == 0, errOut);
250 rc = ccgcm_finalize(mode, ctx, tag_nbytes, tag); cc_require(rc == 0, errOut);
251
252errOut:
253 ccgcm_ctx_clear(mode->size, ctx);
254 return rc;
255}
256
257void
258inc_uint(uint8_t *buf, size_t nbytes)
259{
260 for (size_t i = 1; i <= nbytes; i += 1) {
261 size_t j = nbytes - i;
262 buf[j] = (uint8_t)(buf[j] + 1);
263 if (buf[j] > 0) {
264 return;
265 }
266 }
267}
268
269void
270ccmode_gcm_update_pad(ccgcm_ctx *key)
271{
272 inc_uint(CCMODE_GCM_KEY_Y(key) + 12, nbytes: 4);
273 CCMODE_GCM_KEY_ECB(key)->ecb(CCMODE_GCM_KEY_ECB_KEY(key), 1,
274 CCMODE_GCM_KEY_Y(key),
275 CCMODE_GCM_KEY_PAD(key));
276}
277
278void
279ccmode_gcm_aad_finalize(ccgcm_ctx *key)
280{
281 if (_CCMODE_GCM_KEY(key)->state == CCMODE_GCM_STATE_AAD) {
282 if (_CCMODE_GCM_KEY(key)->aad_nbytes % CCGCM_BLOCK_NBYTES > 0) {
283 ccmode_gcm_mult_h(key, CCMODE_GCM_KEY_X(key));
284 }
285 _CCMODE_GCM_KEY(key)->state = CCMODE_GCM_STATE_TEXT;
286 }
287}
288