Merged PR 10481180: Add OpenSSL implementation for AesGcm test

## Description: ## Admin Checklist: - [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior - [ ] You have updated CHANGELOG.md to reflect any changes in behavior - [ ] You have updated symcryptunittest to exercise any new functionality - [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest - [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features - [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations - [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary Add OpenSSL implementation for AesGcm test
2024-03-29 03:39:59 +00:00 · 2024-03-29 03:39:59 +00:00 · 7c1f6b4143
--- a/.pipelines/OneBranch.PullRequest.yml
+++ b/.pipelines/OneBranch.PullRequest.yml
@ -146,7 +146,8 @@ extends:
          cc: 'gcc'
          cxx: 'g++'
          skipTests: true
-          additionalArgs: '--no-asm --openssl'
+          additionalArgs: '--no-asm'
+          openssl: true
          identifier: 'NoAsm'
      - template: .pipelines/templates/build-linux.yml@self
        parameters:
@ -155,7 +156,8 @@ extends:
          cc: 'clang'
          cxx: 'clang++'
          skipTests: true
-          additionalArgs: '--no-asm --openssl'
+          additionalArgs: '--no-asm'
+          openssl: true
          identifier: 'NoAsm'
      - template: .pipelines/templates/build-linux.yml@self
        parameters:
--- a/.pipelines/templates/build-linux.yml
+++ b/.pipelines/templates/build-linux.yml
@ -50,7 +50,7 @@ jobs:
    ${{ else }}:
      verbose_build_flag: ''
    ${{ if eq(parameters.openssl, true) }}:
-      openssl_build_flag: '--openssl'
+      openssl_build_flag: '--openssl-build-from-source'
    ${{ else }}:
      openssl_build_flag: ''

@ -86,10 +86,12 @@ jobs:
          apt-get install -y gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf qemu-user
        displayName: 'Install arm cross-compilation tools'

-    - ${{ if eq(parameters.openssl, true) }}:
-      - script: |
-          apt-get install -y libssl-dev
-        displayName: 'Install OpenSSL'
+    # TODO: Once we move to Azure Linux 3 we can use the system-provided OpenSSL package.
+    # For now we will built from source since Ubuntu 20.04 doesn't have OpenSSL 3.
+    # - ${{ if eq(parameters.openssl, true) }}:
+    #   - script: |
+    #       apt-get install -y libssl-dev
+    #     displayName: 'Install OpenSSL'

    - task: PipAuthenticate@1
      inputs:
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -4,6 +4,14 @@
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
+        {
+            "type": "lldb",
+            "request": "launch",
+            "name": "(lldb) symcryptunittest",
+            "program": "${workspaceFolder}/bin/exe/symcryptunittest",
+            "args": [],
+            "cwd": "${workspaceFolder}"
+        },
        {
            "name": "(Windows) symcryptunittest",
            "type": "cppvsdbg",
@ -17,34 +25,5 @@
            "console": "integratedTerminal",
            "internalConsoleOptions": "openOnSessionStart"
        },
-        {
-            "name": "(Windows) symcryptunittest [+openssl +symcrypt +xtsaes]",
-            "type": "cppvsdbg",
-            "request": "launch",
-            "program": "${workspaceFolder}/bin/exe/symcryptunittest.exe",
-            "args": [
-                "+openssl",
-                "+symcrypt",
-                "+xtsaes",
-            ],
-            "stopAtEntry": false,
-            "cwd": "${fileDirname}",
-            "console": "integratedTerminal",
-        },
-        {
-            "name": "(Windows) symcryptunittest [+openssl +symcrypt +xtsaes -vaes]",
-            "type": "cppvsdbg",
-            "request": "launch",
-            "program": "${workspaceFolder}/bin/exe/symcryptunittest.exe",
-            "args": [
-                "+openssl",
-                "+symcrypt",
-                "+xtsaes",
-                "-vaes"
-            ],
-            "stopAtEntry": false,
-            "cwd": "${fileDirname}",
-            "console": "integratedTerminal",
-        },
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -11,5 +11,18 @@
            "icon": "terminal-powershell",
            "overrideName": true,
        }
-    }
+    },
+    "terminal.integrated.defaultProfile.linux": "SymCrypt Profile",
+    "terminal.integrated.profiles.linux": {
+        "SymCrypt Profile": {
+            "args": [
+                "-c",
+                "[ -f ./.venv/bin/activate ] && . ./.venv/bin/activate; exec bash"
+            ],
+            "path": "bash",
+            "source": "bash",
+            "icon": "terminal-bash",
+            "overrideName": true,
+        }
+    },
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -11,16 +11,20 @@
            }
        },
    },
+    "linux": {
+        "options": {
+            "shell": {
+                "executable": "bash",
+                "args": [
+                    "-c",
+                ]
+            }
+        },
+    },
    "tasks": [
        {
            "label": "Setup",
            "type": "shell",
-            "command": [
-                "python -m venv .venv;",
-                ". .\\.venv\\Scripts\\activate.ps1;",
-                "pip install -r .\\scripts\\requirements.txt;",
-                "Set-Content -value ('pushd;\n& \"\"\"' + (resolve-path 'C:\\Program Files\\Microsoft Visual Studio\\*\\*\\Common7\\Tools\\Launch-VsDevShell.ps1').path + '\"\"\" -Arch $env:PROCESSOR_ARCHITECTURE -HostArch $env:PROCESSOR_ARCHITECTURE;\npopd') -path '${workspaceFolder}\\.venv\\profile.ps1';",
-            ],
            "options": {
                "cwd": "${workspaceFolder}/",
            },
@ -31,14 +35,36 @@
                "panel": "shared",
                "showReuseMessage": true,
                "clear": false,
+            },
+            "windows": {
+                "command": [
+                    "python -m venv .venv;",
+                    ". .\\.venv\\Scripts\\activate.ps1;",
+                    "pip install -r .\\scripts\\requirements.txt;",
+                    "Set-Content -value ('pushd;\n& \"\"\"' + (resolve-path 'C:\\Program Files\\Microsoft Visual Studio\\*\\*\\Common7\\Tools\\Launch-VsDevShell.ps1').path + '\"\"\" -Arch $env:PROCESSOR_ARCHITECTURE -HostArch $env:PROCESSOR_ARCHITECTURE;\npopd') -path '${workspaceFolder}\\.venv\\profile.ps1';",
+                ],                
+            },
+            "linux": {
+                "command": [
+                    "python3 -m venv .venv;",
+                    ". ./.venv/bin/activate;",
+                    "pip install -r ./scripts/requirements.txt;",
+                ],
            }
        },
        {
            "label": "Clean",
            "type": "shell",
-            "command": [
-                "del -recurse bin_*,bin;",
-            ],
+            "windows": {
+                "command": [
+                    "del -recurse bin_*,bin,.venv;",
+                ],
+            },
+            "linux": {
+                "command": [
+                    "rm -rf bin_* bin .venv"
+                ]
+            },
            "options": {
                "cwd": "${workspaceFolder}/",
            },
@ -54,16 +80,25 @@
        {
            "label": "Build [Debug]",
            "type": "shell",
-            "command": "python",
-            "args": [
-                ".\\scripts\\build.py",
-                "cmake",
-                "bin",
-                "--arch",
-                "amd64",
-                "--config",
-                "Debug",
-            ],
+            "windows": {
+                "command": "python",
+                "args": [
+                    ".\\scripts\\build.py",
+                    "cmake",
+                    "bin",
+                    "--arch",
+                    "amd64",
+                    "--config",
+                    "Debug",
+                ],
+            },
+            "linux": {
+                "command": [
+                    "[ -f ./.venv/bin/activate ] && . ./.venv/bin/activate;",
+                    "python3 ./scripts/build.py cmake bin --arch amd64 --config Debug;",
+                    "exit",
+                ]
+            },
            "options": {
                "cwd": "${workspaceFolder}/",
            },
--- a/BUILD.md
+++ b/BUILD.md
@ -89,6 +89,7 @@ apt update
 apt -y install --no-install-recommends \
    cmake \
    python3-pyelftools \
+    build-essential \
    gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf
 ```
 `python3-pyelftools` is for integrity verification and `gcc-arm-linux-gnueabihf` `g++-arm-linux-gnueabihf` are for ARM cross compile
@ -110,19 +111,19 @@ prerequisites to building OpenSSL.

 ```
 winget install nasm strawberryperl
-.\scripts\build.py cmake bin --config Release --openssl-build-from-source
+python3 .\scripts\build.py cmake bin --config Release --openssl-build-from-source
 ```

 And on Linux we can use OpenSSL installed by system's package manager.

 ```
 sudo apt install -y libssl-dev
-./scripts/build.py cmake bin --config Release --openssl
+python3 ./scripts/build.py cmake bin --config Release --openssl
 ```

 To build OpenSSL on Linux we need to install following prerequisites.

 ```
 sudo apt install -y nasm perl
-.\scripts\build.py cmake bin --config Release --openssl-build-from-source
+python3 ./scripts/build.py cmake bin --config Release --openssl-build-from-source
 ```
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -81,9 +81,6 @@ option(
    OFF)


-if (SYMCRYPT_TEST_WITH_OPENSSL)
-    include(${CMAKE_SOURCE_DIR}/cmake-configs/OpenSSL.cmake)
-endif()
 include(${CMAKE_SOURCE_DIR}/cmake-configs/SymCrypt-Platforms.cmake)

 if(NOT DEFINED CMAKE_BUILD_TYPE)
--- a/cmake-configs/OpenSSL.cmake
+++ b/cmake-configs/OpenSSL.cmake
@ -29,12 +29,12 @@ if(OPENSSL_BUILD_FROM_SOURCE)
        set(ENV{CL} /MP)
        if(OPENSSL_BUILD_TYPE STREQUAL "release")
            execute_process(
-                COMMAND perl Configure no-ssl no-tls1 no-tls1_1 --release
+                COMMAND perl Configure no-ssl no-tls no-dtls no-legacy no-engine no-weak-ssl-ciphers no-rc4 no-rc5 no-rc2 no-md4 no-deprecated no-apps no-docs no-tests  no-shared --release
                WORKING_DIRECTORY ${OPENSSL_BUILD_ROOT}
                RESULT_VARIABLE result)
        else()
            execute_process(
-                COMMAND perl Configure no-ssl no-tls1 no-tls1_1 --debug
+                COMMAND perl Configure no-ssl no-tls no-dtls no-legacy no-engine no-weak-ssl-ciphers no-rc4 no-rc5 no-rc2 no-md4 no-deprecated no-apps no-docs no-tests  no-shared --debug
                WORKING_DIRECTORY ${OPENSSL_BUILD_ROOT}
                RESULT_VARIABLE result)
        endif()
@ -61,11 +61,11 @@ if(OPENSSL_BUILD_FROM_SOURCE)

    include(${OPENSSL_BUILD_ROOT}/OpenSSLConfig.cmake)
 else()
-    find_package(OpenSSL REQUIRED)
+    find_package(OpenSSL 3 REQUIRED)
 endif()

-message("Found OpenSSL include directory ${OPENSSL_INCLUDE_DIR}")
-include_directories(${OPENSSL_INCLUDE_DIR})
-link_directories(${OPENSSL_LIBRARY_DIR})
-link_libraries(${OPENSSL_CRYPTO_LIBRARIES})
-add_compile_options(-DINCLUDE_IMPL_OPENSSL=1)
+if(OPENSSL_VERSION_MAJOR LESS 3)
+    message(FATAL_ERROR "-- Invalid OpenSSL version found ${OPENSSL_VERSION} at ${OPENSSL_INCLUDE_DIR}")
+else()
+    message("-- Found OpenSSL ${OPENSSL_VERSION} include directory ${OPENSSL_INCLUDE_DIR}")
+endif()
--- a/unittest/CMakeLists.txt
+++ b/unittest/CMakeLists.txt
@ -79,6 +79,15 @@ if(WIN32 AND SYMCRYPT_TARGET_ARCH MATCHES "X86")
  add_link_options(/SAFESEH:NO)
 endif()

+
+if(SYMCRYPT_TEST_WITH_OPENSSL)
+    include(${CMAKE_SOURCE_DIR}/cmake-configs/OpenSSL.cmake)
+    include_directories(${OPENSSL_INCLUDE_DIR})
+    link_directories(${OPENSSL_LIBRARY_DIR})
+    link_libraries(${OPENSSL_CRYPTO_LIBRARIES})
+    add_compile_options(-DINCLUDE_IMPL_OPENSSL=1)
+endif()
+
 include_directories(inc)
 include_directories(lib)
 include_directories(resource)
--- a/unittest/inc/openssl_implementations.h
+++ b/unittest/inc/openssl_implementations.h
@ -24,5 +24,13 @@ public:
    EVP_CIPHER_CTX* decCtx;
 };

+template<>
+class AuthEncImpState<ImpOpenssl, AlgAes, ModeGcm> {
+public:
+    EVP_CIPHER_CTX* encCtx;
+    EVP_CIPHER_CTX* decCtx;
+    BOOLEAN inComputation;
+};
+
 VOID
 addOpensslAlgs();
--- a/unittest/lib/openssl_implementations.cpp
+++ b/unittest/lib/openssl_implementations.cpp
@ -4,6 +4,8 @@

 #include "precomp.h"
 #include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/core_names.h>
 #include <algorithm>

 char * ImpOpenssl::name = "OpenSSL";
@ -28,6 +30,8 @@ std::string getOpensslError()

 #define CHECK_OPENSSL_SUCCESS(osslInvocation) CHECK(((osslInvocation) == 1), getOpensslError().data())

+// AlgXtsAes
+
 struct ExpandedKeyContext
 {
    EVP_CIPHER_CTX* encCtx;
@ -337,11 +341,393 @@ XtsImp<ImpOpenssl, AlgXtsAes>::decryptWith128bTweak(
    return STATUS_SUCCESS;
 }

+// AlgXtsAes end
+
+// ModeGcm
+
+template<>
+VOID
+algImpKeyPerfFunction< ImpOpenssl, AlgAes, ModeGcm>( PBYTE expandedKey, PBYTE keyBytes, PBYTE buf3, SIZE_T keySize )
+{
+    UNREFERENCED_PARAMETER( buf3 );
+
+    // SymCryptGcmExpandKey( (PSYMCRYPT_GCM_EXPANDED_KEY) expandedKey,
+    //                     SymCryptAesBlockCipher,
+    //                     keyBytes, keySize );
+
+    const EVP_CIPHER *cipher = NULL;
+
+    if (keySize == 32)
+    {
+        cipher = EVP_aes_256_gcm();
+    }
+    else if (keySize == 24)
+    {
+        cipher = EVP_aes_192_gcm();
+    }
+    else if (keySize == 16)
+    {
+        cipher = EVP_aes_128_gcm();
+    }
+    CHECK(cipher != NULL, "Unsupported key length");
+
+    EVP_CIPHER_CTX* encCtx = EVP_CIPHER_CTX_new();
+    EVP_CIPHER_CTX* decCtx = EVP_CIPHER_CTX_new();
+    CHECK_OPENSSL_SUCCESS(EVP_EncryptInit_ex(encCtx, cipher, NULL, keyBytes, NULL));
+    CHECK_OPENSSL_SUCCESS(EVP_DecryptInit_ex(decCtx, cipher, NULL, keyBytes, NULL));
+
+    ExpandedKeyContext *pContext = (ExpandedKeyContext *)expandedKey;
+    pContext->encCtx = encCtx;
+    pContext->decCtx = decCtx;
+}
+
+template<>
+VOID
+algImpDataPerfFunction<ImpOpenssl,AlgAes, ModeGcm>( PBYTE expandedKey, PBYTE buf2, PBYTE buf3, SIZE_T dataSize )
+{
+    // SymCryptGcmEncrypt( (PCSYMCRYPT_GCM_EXPANDED_KEY) expandedKey,
+    //                         buf2, 12,
+    //                         nullptr, 0,
+    //                         buf2 + 16, buf3 + 16, dataSize,
+    //                         buf3, 16 );
+
+    int outlen = 0;
+    PCBYTE pbNonce = buf2;
+    PCBYTE  pbSrc = buf2 + 16;
+    PBYTE   pbDst = buf3 + 16;
+    SIZE_T  cbData = dataSize;
+    PBYTE   pbTag = buf3;
+    SIZE_T  cbTag = 16;
+    ExpandedKeyContext *pContext = (ExpandedKeyContext *)expandedKey;
+
+    // Default nonce size is 12.
+    CHECK(EVP_EncryptInit_ex2(pContext->encCtx, NULL, NULL, pbNonce, NULL) == 1, getOpensslError().data());
+    CHECK(EVP_EncryptUpdate(pContext->encCtx, pbDst, &outlen, pbSrc, (int)cbData) == 1, getOpensslError().data());
+    CHECK(EVP_EncryptFinal_ex(pContext->encCtx, pbDst, &outlen) == 1, getOpensslError().data());
+    CHECK(EVP_CIPHER_CTX_ctrl(pContext->encCtx, EVP_CTRL_AEAD_GET_TAG, (int)cbTag, pbTag) > 0, getOpensslError().data());
+}
+
+template<>
+VOID
+algImpDecryptPerfFunction<ImpOpenssl,AlgAes, ModeGcm>( PBYTE expandedKey, PBYTE buf2, PBYTE buf3, SIZE_T dataSize )
+{
+    // SymCryptGcmDecrypt( (PCSYMCRYPT_GCM_EXPANDED_KEY) buf1,
+    //                         buf2, 12,
+    //                         nullptr, 0,
+    //                         buf3 + 16, buf2 + 16, dataSize,
+    //                         buf3, 16 );
+    int outlen = 0;
+    PCBYTE pbNonce = buf2;
+    PCBYTE  pbSrc = buf3 + 16;
+    PBYTE   pbDst = buf2 + 16;
+    SIZE_T  cbData = dataSize;
+    PBYTE   pbTag = buf3;
+    SIZE_T  cbTag = 16;
+    ExpandedKeyContext *pContext = (ExpandedKeyContext *)expandedKey;
+
+    // Default nonce size is 12.
+    CHECK(EVP_DecryptInit_ex2(pContext->decCtx, NULL, NULL, pbNonce, NULL) == 1, getOpensslError().data());
+    CHECK(EVP_DecryptUpdate(pContext->decCtx, pbDst, &outlen, pbSrc, (int)cbData) == 1, getOpensslError().data());
+    CHECK(EVP_CIPHER_CTX_ctrl(pContext->decCtx, EVP_CTRL_AEAD_SET_TAG,
+                                               (int)cbTag, (void *)pbTag) > 0, getOpensslError().data());
+    CHECK(EVP_DecryptFinal_ex(pContext->decCtx, pbDst, &outlen) == 1, getOpensslError().data());
+}
+
+template<>
+VOID
+algImpCleanPerfFunction<ImpOpenssl,AlgAes, ModeGcm>( PBYTE expandedKey, PBYTE buf2, PBYTE buf3 )
+{
+    ExpandedKeyContext *pContext = (ExpandedKeyContext *)expandedKey;
+    UNREFERENCED_PARAMETER( buf2 );
+    UNREFERENCED_PARAMETER( buf3 );
+
+    EVP_CIPHER_CTX_free(pContext->encCtx);
+    EVP_CIPHER_CTX_free(pContext->decCtx);
+}
+
+template<>
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::AuthEncImp()
+{
+    m_perfKeyFunction     = &algImpKeyPerfFunction<ImpOpenssl, AlgAes, ModeGcm>;
+    m_perfCleanFunction   = &algImpCleanPerfFunction<ImpOpenssl, AlgAes, ModeGcm>;
+    m_perfDataFunction    = &algImpDataPerfFunction<ImpOpenssl, AlgAes, ModeGcm>;
+    m_perfDecryptFunction = &algImpDecryptPerfFunction<ImpOpenssl, AlgAes, ModeGcm>;
+    state.encCtx          = EVP_CIPHER_CTX_new();
+    state.decCtx          = EVP_CIPHER_CTX_new();
+}
+
+template<>
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::~AuthEncImp()
+{
+    EVP_CIPHER_CTX_free(state.encCtx);
+    EVP_CIPHER_CTX_free(state.decCtx);
+}
+
+template<>
+std::set<SIZE_T>
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::getKeySizes()
+{
+    std::set<SIZE_T> res;
+
+    res.insert( 16 );
+    res.insert( 24 );
+    res.insert( 32 );
+
+    return res;
+}
+
+
+template<>
+std::set<SIZE_T>
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::getNonceSizes()
+{
+    std::set<SIZE_T> res;
+
+    for(int i = 1; i <= 256; ++i)
+    {
+        res.insert( i );
+    }
+
+    return res;
+}
+
+
+template<>
+std::set<SIZE_T>
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::getTagSizes()
+{
+    std::set<SIZE_T> res;
+
+    for( int i=12; i<=16; i ++ )
+    {
+        res.insert( i );
+    }
+
+    return res;
+}
+
+template<>
+NTSTATUS
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::setKey( PCBYTE pbKey, SIZE_T cbKey )
+{
+    const EVP_CIPHER *cipher = NULL;
+
+    if (cbKey == 32)
+    {
+        cipher = EVP_aes_256_gcm();
+    }
+    else if (cbKey == 24)
+    {
+        cipher = EVP_aes_192_gcm();
+    }
+    else if (cbKey == 16)
+    {
+        cipher = EVP_aes_128_gcm();
+    }
+    else
+    {
+        return STATUS_NOT_SUPPORTED;
+    }
+
+    CHECK(EVP_EncryptInit_ex2(state.encCtx, cipher, pbKey, NULL, NULL) == 1, getOpensslError().data());
+    CHECK(EVP_DecryptInit_ex2(state.decCtx, cipher, pbKey, NULL, NULL) == 1, getOpensslError().data());
+
+
+    // SymCryptGcmExpandKey( &state.key, SymCryptAesBlockCipher, pbKey, cbKey );
+
+    state.inComputation = FALSE;
+    return STATUS_SUCCESS;
+}
+
+template<>
+VOID
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::setTotalCbData( SIZE_T )
+{
+}
+
+template<>
+NTSTATUS
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::encrypt(
+        _In_reads_( cbNonce )       PCBYTE  pbNonce,
+                                    SIZE_T  cbNonce,
+        _In_reads_( cbAuthData )    PCBYTE  pbAuthData,
+                                    SIZE_T  cbAuthData,
+        _In_reads_( cbData )        PCBYTE  pbSrc,
+        _Out_writes_( cbData )      PBYTE   pbDst,
+                                    SIZE_T  cbData,
+        _Out_writes_( cbTag )       PBYTE   pbTag,
+                                    SIZE_T  cbTag,
+                                    ULONG   flags )
+{
+    NTSTATUS status = STATUS_SUCCESS;
+    int outlen = 0;
+
+    CHECK( (flags & ~AUTHENC_FLAG_PARTIAL) == 0, "Unknown flag" );
+
+    const int GCM_IV_MAX_SIZE = (1024 / 8);
+    if( cbNonce > GCM_IV_MAX_SIZE )
+    {
+        return STATUS_NOT_SUPPORTED;
+    }
+
+    if( (flags & AUTHENC_FLAG_PARTIAL) == 0 )
+    {
+        // simple straight GCM computation.
+        // CHECK( SymCryptGcmValidateParameters(
+        //     SymCryptAesBlockCipher,
+        //     cbNonce,
+        //     cbAuthData,
+        //     cbData,
+        //     cbTag ) == SYMCRYPT_NO_ERROR, "?" );
+
+        // SymCryptGcmEncrypt( &state.key,
+        //     pbNonce, cbNonce, pbAuthData, cbAuthData,
+        //     pbSrc, pbDst, cbData,
+        //     pbTag, cbTag );
+        OSSL_PARAM params[2] = {
+            OSSL_PARAM_END, OSSL_PARAM_END
+        };
+
+        params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+                                            &cbNonce);
+        CHECK(EVP_EncryptInit_ex2(state.encCtx, NULL, NULL, pbNonce, params) == 1, getOpensslError().data());
+        CHECK(EVP_EncryptUpdate(state.encCtx, NULL, &outlen, pbAuthData, (int)cbAuthData) == 1, getOpensslError().data());
+        CHECK(EVP_EncryptUpdate(state.encCtx, pbDst, &outlen, pbSrc, (int)cbData) == 1, getOpensslError().data());
+        CHECK(EVP_EncryptFinal_ex(state.encCtx, pbDst, &outlen) == 1, getOpensslError().data());
+        params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+                                                  pbTag, cbTag);
+
+        CHECK(EVP_CIPHER_CTX_get_params(state.encCtx, params) == 1, getOpensslError().data());
+
+        // Done
+        goto cleanup;
+    }
+
+    if( !state.inComputation )
+    {
+        OSSL_PARAM params[2] = {
+            OSSL_PARAM_END, OSSL_PARAM_END
+        };
+
+        params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+                                            &cbNonce);
+        CHECK(EVP_EncryptInit_ex2(state.encCtx, NULL, NULL, pbNonce, params) == 1, getOpensslError().data());
+        CHECK(EVP_EncryptUpdate(state.encCtx, NULL, &outlen, pbAuthData, (int)cbAuthData) == 1, getOpensslError().data());
+        state.inComputation = TRUE;
+    }
+
+    CHECK(EVP_EncryptUpdate(state.encCtx, pbDst, &outlen, pbSrc, (int)cbData) == 1, getOpensslError().data());
+
+    if( pbTag != nullptr )
+    {
+        CHECK(EVP_EncryptFinal_ex(state.encCtx, pbDst, &outlen) == 1, getOpensslError().data());
+        EVP_CIPHER_CTX_ctrl(state.encCtx, EVP_CTRL_AEAD_GET_TAG, (int)cbTag, pbTag);
+        state.inComputation = FALSE;
+    }
+
+cleanup:
+    return status;
+}
+
+template<>
+NTSTATUS
+AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>::decrypt(
+        _In_reads_( cbNonce )       PCBYTE  pbNonce,
+                                    SIZE_T  cbNonce,
+        _In_reads_( cbAuthData )    PCBYTE  pbAuthData,
+                                    SIZE_T  cbAuthData,
+        _In_reads_( cbData )        PCBYTE  pbSrc,
+        _Out_writes_( cbData )      PBYTE   pbDst,
+                                    SIZE_T  cbData,
+        _In_reads_( cbTag )         PCBYTE  pbTag,
+                                    SIZE_T  cbTag,
+                                    ULONG   flags )
+{
+    int scError = 1;
+    int outlen = 0;
+
+    CHECK( (flags & ~AUTHENC_FLAG_PARTIAL) == 0, "Unknown flag" );
+    const int GCM_IV_MAX_SIZE = (1024 / 8);
+    if( cbNonce > GCM_IV_MAX_SIZE )
+    {
+        return STATUS_NOT_SUPPORTED;
+    }
+
+    if( (flags & AUTHENC_FLAG_PARTIAL) == 0 )
+    {
+        // simple straight GCM computation.
+        // CHECK( SymCryptGcmValidateParameters(
+        //     SymCryptAesBlockCipher,
+        //     cbNonce,
+        //     cbAuthData,
+        //     cbData,
+        //     cbTag ) == SYMCRYPT_NO_ERROR, "?" );
+
+        // scError = SymCryptGcmDecrypt( &state.key,
+        //     pbNonce, cbNonce, pbAuthData, cbAuthData,
+        //     pbSrc, pbDst, cbData,
+        //     pbTag, cbTag );
+
+        OSSL_PARAM params[2] = {
+            OSSL_PARAM_END, OSSL_PARAM_END
+        };
+
+        params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+                                            &cbNonce);
+
+        CHECK(EVP_DecryptInit_ex2(state.decCtx, NULL, NULL, pbNonce, params) == 1, getOpensslError().data());
+        CHECK(EVP_DecryptUpdate(state.decCtx, NULL, &outlen, pbAuthData, (int)cbAuthData) == 1, getOpensslError().data());
+        CHECK(EVP_DecryptUpdate(state.decCtx, pbDst, &outlen, pbSrc, (int)cbData) == 1, getOpensslError().data());
+        params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+                                                  (void *)pbTag, cbTag);
+
+        CHECK(EVP_CIPHER_CTX_set_params(state.decCtx, params) == 1, getOpensslError().data());
+        scError = EVP_DecryptFinal_ex(state.decCtx, pbDst, &outlen);
+
+        // Done
+        goto cleanup;
+    }
+
+    if( !state.inComputation )
+    {
+        OSSL_PARAM params[2] = {
+            OSSL_PARAM_END, OSSL_PARAM_END
+        };
+
+        params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+                                            &cbNonce);
+        CHECK(EVP_DecryptInit_ex2(state.decCtx, NULL, NULL, pbNonce, params) == 1, getOpensslError().data());
+        CHECK(EVP_DecryptUpdate(state.decCtx, NULL, &outlen, pbAuthData, (int)cbAuthData) == 1, getOpensslError().data());
+        state.inComputation = TRUE;
+    }
+    CHECK(EVP_DecryptUpdate(state.decCtx, pbDst, &outlen, pbSrc, (int)cbData) == 1, getOpensslError().data());
+
+    if( pbTag != nullptr )
+    {
+        // OSSL_PARAM params[2] = {
+        //     OSSL_PARAM_END, OSSL_PARAM_END
+        // };
+
+        // params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+        //                                             (void *)pbTag, cbTag);
+        EVP_CIPHER_CTX_ctrl(state.decCtx, EVP_CTRL_AEAD_SET_TAG,
+                                               (int)cbTag, (void *)pbTag);
+        scError = EVP_DecryptFinal_ex(state.decCtx, pbDst, &outlen);
+        state.inComputation = FALSE;
+    }
+
+cleanup:
+    return scError > 0 ? 0 : STATUS_AUTH_TAG_MISMATCH;
+}
+
+// ModeGcm end
+
+
 VOID
 addOpensslAlgs()
 {
    addImplementationToGlobalList<XtsImp<ImpOpenssl, AlgXtsAes>>();
-    // addImplementationToGlobalList<AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>>();
+    addImplementationToGlobalList<AuthEncImp<ImpOpenssl, AlgAes, ModeGcm>>();
    // addImplementationToGlobalList<RsaSignImp<ImpOpenssl, AlgRsaSignPss>>();
    // addImplementationToGlobalList<HashImp<ImpOpenssl, AlgSha256>>();
    // addImplementationToGlobalList<HashImp<ImpOpenssl, AlgSha384>>();
--- a/unittest/lib/perfPrint.cpp
+++ b/unittest/lib/perfPrint.cpp
@ -32,6 +32,15 @@ print( const char *format, ...)

    va_start( vl, format );

+    // TODO: We should use CHECK here but CHECK will re-enter this function via fatal()
+    // so we should fix fatal to use fprintf instead of buffering to Output.
+    if ( OutputOffset >= MAX_OUTPUT_SIZE )
+    {
+        fputs( "Out of output buffer space.\n", stderr );
+        exit(-1);
+    }
+
+    // TODO: We should also replace compiler dependent VSNPRINTF_S with std::vsnprintf.
    res = VSNPRINTF_S( &Output[OutputOffset], MAX_OUTPUT_SIZE - OutputOffset, _TRUNCATE, format, vl );

    CHECK( res >= 0 , "WHOA!!!" );
@ -117,6 +126,12 @@ iprint( const char *format, ...)

    va_start( vl, format );

+    if ( OutputOffset >= MAX_OUTPUT_SIZE )
+    {
+        fputs( "Out of output buffer space.\n", stderr );
+        exit(-1);
+    }
+
    res = VSNPRINTF_S( &Output[OutputOffset], MAX_OUTPUT_SIZE - OutputOffset, _TRUNCATE, format, vl );

    CHECK( res >= 0 , "WHOA!!!" );
@ -134,6 +149,12 @@ dprint( const char * format, ... )

    va_start( vl, format );

+    if ( OutputOffset >= MAX_OUTPUT_SIZE )
+    {
+        fputs( "Out of output buffer space.\n", stderr );
+        exit(-1);
+    }
+
    res = _vsnprintf_s( &Output[OutputOffset], MAX_OUTPUT_SIZE - OutputOffset, _TRUNCATE, format, vl );

    CHECK( res >= 0 , "WHOA!!!" );
@ -164,6 +185,12 @@ vprint(BOOL bPrint, const char *format, ...)
    {
        va_start( vl, format );

+        if ( OutputOffset >= MAX_OUTPUT_SIZE )
+        {
+            fputs( "Out of output buffer space.\n", stderr );
+            exit(-1);
+        }
+
        res = VSNPRINTF_S( &Output[OutputOffset], MAX_OUTPUT_SIZE - OutputOffset, _TRUNCATE, format, vl );

        CHECK( res >= 0 , "WHOA!!!" );