/* Copyright (c) (2015-2019,2021,2022) Apple Inc. All rights reserved. * * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which * is contained in the License.txt file distributed with corecrypto) and only to * people who accept that license. IMPORTANT: Any license rights granted to you by * Apple Inc. (if any) are limited to internal use within your organization only on * devices and computers you own or control, for the sole purpose of verifying the * security characteristics and correct functioning of the Apple Software. You may * not, directly or indirectly, redistribute the Apple Software or any portions thereof. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. The rights granted to you under the License * may not be used to create, or enable the creation or redistribution of, * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ #include "cc_internal.h" #include "cc_macros.h" #include "fipspost_trace.h" #include "ccmode_gcm_internal.h" #include size_t ccgcm_context_size(const struct ccmode_gcm *mode) { CC_ENSURE_DIT_ENABLED return mode->size; } size_t ccgcm_block_size(const struct ccmode_gcm *mode) { CC_ENSURE_DIT_ENABLED return mode->block_size; } int ccgcm_init(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t key_nbytes, const void *cc_sized_by(key_nbytes)key) { CC_ENSURE_DIT_ENABLED return mode->init(mode, ctx, key_nbytes, key); } int ccgcm_init_with_iv(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t key_nbytes, const void *key, const void *iv) { CC_ENSURE_DIT_ENABLED int rc; rc = ccgcm_init(mode, ctx, key_nbytes, key); if (rc == 0) { rc = ccgcm_set_iv(mode, ctx, CCGCM_IV_NBYTES, iv); } if (rc == 0) { _CCMODE_GCM_KEY(ctx)->flags |= CCGCM_FLAGS_INIT_WITH_IV; } return rc; } int ccgcm_set_iv(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t iv_nbytes, const void *cc_sized_by(iv_nbytes)iv) { CC_ENSURE_DIT_ENABLED return mode->set_iv(ctx, iv_nbytes, iv); } int ccgcm_inc_iv(CC_UNUSED const struct ccmode_gcm *mode, ccgcm_ctx *ctx, void *iv) { CC_ENSURE_DIT_ENABLED uint8_t *Y0 = CCMODE_GCM_KEY_Y_0(ctx); cc_require(_CCMODE_GCM_KEY(ctx)->state == CCMODE_GCM_STATE_IV, errOut); cc_require(_CCMODE_GCM_KEY(ctx)->flags & CCGCM_FLAGS_INIT_WITH_IV, errOut); inc_uint(Y0 + 4, 8); cc_memcpy(iv, Y0, CCGCM_IV_NBYTES); cc_memcpy(CCMODE_GCM_KEY_Y(ctx), Y0, CCGCM_BLOCK_NBYTES); ccmode_gcm_update_pad(ctx); _CCMODE_GCM_KEY(ctx)->state = CCMODE_GCM_STATE_AAD; return 0; errOut: return CCMODE_INVALID_CALL_SEQUENCE; } int ccgcm_aad(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t nbytes, const void *cc_sized_by(nbytes)additional_data) { CC_ENSURE_DIT_ENABLED return mode->gmac(ctx, nbytes, additional_data); } int ccgcm_gmac(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t nbytes, const void *cc_sized_by(nbytes)in) { CC_ENSURE_DIT_ENABLED return mode->gmac(ctx, nbytes, in); } int ccgcm_update(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t nbytes, const void *cc_sized_by(nbytes)in, void *cc_sized_by(nbytes)out) { CC_ENSURE_DIT_ENABLED return mode->gcm(ctx, nbytes, in, out); } int ccgcm_finalize(const struct ccmode_gcm *mode, ccgcm_ctx *ctx, size_t tag_nbytes, void *cc_sized_by(tag_nbytes)tag) { CC_ENSURE_DIT_ENABLED return mode->finalize(ctx, tag_nbytes, tag); } int ccgcm_reset(const struct ccmode_gcm *mode, ccgcm_ctx *ctx) { CC_ENSURE_DIT_ENABLED return mode->reset(ctx); } int ccgcm_one_shot(const struct ccmode_gcm *mode, size_t key_nbytes, const void *key, size_t iv_nbytes, const void *iv, size_t adata_nbytes, const void *adata, size_t nbytes, const void *in, void *out, size_t tag_nbytes, void *tag) { CC_ENSURE_DIT_ENABLED FIPSPOST_TRACE_EVENT; int rc = 0; ccgcm_ctx_decl(mode->size, ctx); rc = ccgcm_init(mode, ctx, key_nbytes, key); cc_require(rc == 0, errOut); rc = ccgcm_set_iv(mode, ctx, iv_nbytes, iv); cc_require(rc == 0, errOut); rc = ccgcm_aad(mode, ctx, adata_nbytes, adata); cc_require(rc == 0, errOut); rc = ccgcm_update(mode, ctx, nbytes, in, out); cc_require(rc == 0, errOut); rc = ccgcm_finalize(mode, ctx, tag_nbytes, tag); cc_require(rc == 0, errOut); errOut: ccgcm_ctx_clear(mode->size, ctx); return rc; } //ccgcm_one_shot_legacy() is created because in the previous implementation of aes-gcm //set_iv() could be skipped. //In the new version of aes-gcm set_iv() cannot be skipped and IV length cannot //be zero, as specified in FIPS. //do not call ccgcm_one_shot_legacy() in any new application int ccgcm_set_iv_legacy(const struct ccmode_gcm *mode, ccgcm_ctx *key, size_t iv_nbytes, const void *iv) { CC_ENSURE_DIT_ENABLED int rc = -1; if (iv_nbytes == 0 || iv == NULL) { /* must be in IV state */ cc_require(_CCMODE_GCM_KEY(key)->state == CCMODE_GCM_STATE_IV, errOut); /* CRYPT_INVALID_ARG */ // this is the net effect of setting IV to the empty string cc_clear(CCGCM_BLOCK_NBYTES, CCMODE_GCM_KEY_Y(key)); ccmode_gcm_update_pad(key); cc_clear(CCGCM_BLOCK_NBYTES, CCMODE_GCM_KEY_Y_0(key)); _CCMODE_GCM_KEY(key)->state = CCMODE_GCM_STATE_AAD; rc = 0; } else { rc = ccgcm_set_iv(mode, key, iv_nbytes, iv); } errOut: return rc; } int ccgcm_one_shot_legacy(const struct ccmode_gcm *mode, size_t key_nbytes, const void *key, size_t iv_nbytes, const void *iv, size_t adata_nbytes, const void *adata, size_t nbytes, const void *in, void *out, size_t tag_nbytes, void *tag) { CC_ENSURE_DIT_ENABLED int rc = 0; ccgcm_ctx_decl(mode->size, ctx); rc = ccgcm_init(mode, ctx, key_nbytes, key); cc_require(rc == 0, errOut); rc = ccgcm_set_iv_legacy(mode, ctx, iv_nbytes, iv); cc_require(rc == 0, errOut); rc = ccgcm_aad(mode, ctx, adata_nbytes, adata); cc_require(rc == 0, errOut); rc = ccgcm_update(mode, ctx, nbytes, in, out); cc_require(rc == 0, errOut); rc = ccgcm_finalize(mode, ctx, tag_nbytes, tag); cc_require(rc == 0, errOut); errOut: ccgcm_ctx_clear(mode->size, ctx); return rc; } void inc_uint(uint8_t *buf, size_t nbytes) { for (size_t i = 1; i <= nbytes; i += 1) { size_t j = nbytes - i; buf[j] = (uint8_t)(buf[j] + 1); if (buf[j] > 0) { return; } } } void ccmode_gcm_update_pad(ccgcm_ctx *key) { inc_uint(CCMODE_GCM_KEY_Y(key) + 12, 4); CCMODE_GCM_KEY_ECB(key)->ecb(CCMODE_GCM_KEY_ECB_KEY(key), 1, CCMODE_GCM_KEY_Y(key), CCMODE_GCM_KEY_PAD(key)); } void ccmode_gcm_aad_finalize(ccgcm_ctx *key) { if (_CCMODE_GCM_KEY(key)->state == CCMODE_GCM_STATE_AAD) { if (_CCMODE_GCM_KEY(key)->aad_nbytes % CCGCM_BLOCK_NBYTES > 0) { ccmode_gcm_mult_h(key, CCMODE_GCM_KEY_X(key)); } _CCMODE_GCM_KEY(key)->state = CCMODE_GCM_STATE_TEXT; } }