/*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* Copyright (C) 2019-2020 STMicroelectronics, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file implements ST CCM HW services based on API from mbed TLS
*/
/*
* Definition of CCM:
* http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
* RFC 3610 "Counter with CBC-MAC (CCM)"
*
* Related:
* RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
*/
/* Includes ------------------------------------------------------------------*/
#include "mbedtls/ccm.h"
#if defined(MBEDTLS_CCM_C)
#if defined(MBEDTLS_CCM_ALT)
#include <string.h>
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "platform/PlatformMutex.h"
#include "platform/SingletonPtr.h"
static SingletonPtr<PlatformMutex> ccm_mutex;
#define MBEDTLS_DEBUG 0
/* Parameter validation macros */
#define CCM_VALIDATE_RET( cond ) \
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
#define CCM_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
/* Private typedef -----------------------------------------------------------*/
/* Private define ------------------------------------------------------------*/
#define CCM_ENCRYPT 0
#define CCM_DECRYPT 1
#define H_LENGTH 2 /* Formatting of the Associated Data */
/* If 0 < a < 2e16-2e8, */
/* then a is encoded as [a]16, i.e., two octets */
/* Private macro -------------------------------------------------------------*/
/* Private variables ---------------------------------------------------------*/
/* Private function prototypes -----------------------------------------------*/
/* Private functions ---------------------------------------------------------*/
/*
* Initialize context
*/
void mbedtls_ccm_init(mbedtls_ccm_context *ctx)
{
CCM_VALIDATE(ctx != NULL);
ccm_mutex->lock();
cryp_context_count++;
ccm_mutex->unlock();
cryp_zeroize((void *)ctx, sizeof(mbedtls_ccm_context));
#if (MBEDTLS_DEBUG)
printf("[ALT] mbedtls_ccm_init %u\n", cryp_context_count);
#endif
}
int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
mbedtls_cipher_id_t cipher,
const unsigned char *key,
unsigned int keybits)
{
unsigned int i;
int ret = 0;
#if (MBEDTLS_DEBUG)
printf("[ALT] mbedtls_ccm_setkey\n");
#endif
CCM_VALIDATE_RET(ctx != NULL);
CCM_VALIDATE_RET(key != NULL);
/* Protect context access */
/* (it may occur at a same time in a threaded environment) */
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_lock(&cryp_mutex) != 0) {
return (MBEDTLS_ERR_THREADING_MUTEX_ERROR);
}
#endif /* MBEDTLS_THREADING_C */
switch (keybits) {
case 128:
ctx->hcryp_ccm.Init.KeySize = CRYP_KEYSIZE_128B;;
break;
case 192:
#if ( USE_AES_KEY192 == 1 )
ctx->hcryp_ccm.Init.KeySize = CRYP_KEYSIZE_192B;
break;
#else
ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
goto exit;
#endif /* USE_AES_KEY192 */
case 256:
ctx->hcryp_ccm.Init.KeySize = CRYP_KEYSIZE_256B;
break;
default :
ret = MBEDTLS_ERR_CCM_BAD_INPUT;
goto exit;
}
/* Format and fill AES key */
for (i = 0; i < (keybits / 32) ; i++) {
GET_UINT32_BE(ctx->ccm_key[i], key, 4 * i);
}
/* include the appropriate instance name */
#if defined (AES)
ctx->hcryp_ccm.Instance = AES;
#elif defined (AES1)
ctx->hcryp_ccm.Instance = AES1;
#else /* CRYP */
ctx->hcryp_ccm.Instance = CRYP;
#endif /* AES */
ctx->hcryp_ccm.Init.DataType = CRYP_DATATYPE_8B;
ctx->hcryp_ccm.Init.pKey = ctx->ccm_key;
ctx->hcryp_ccm.Init.pInitVect = NULL;
ctx->hcryp_ccm.Init.Algorithm = CRYP_AES_CCM;
ctx->hcryp_ccm.Init.Header = NULL;
ctx->hcryp_ccm.Init.HeaderSize = 0;
ctx->hcryp_ccm.Init.B0 = NULL;
ctx->hcryp_ccm.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;
if (HAL_CRYP_Init(&ctx->hcryp_ccm) != HAL_OK) {
ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
goto exit;
}
/* allow multi-context of CRYP : save context */
ctx->ctx_save_cr = ctx->hcryp_ccm.Instance->CR;
exit :
/* Free context access */
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&cryp_mutex) != 0) {
ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
}
#endif /* MBEDTLS_THREADING_C */
return (ret);
}
/*
* Free context
*/
void mbedtls_ccm_free(mbedtls_ccm_context *ctx)
{
#if (MBEDTLS_DEBUG)
printf("[ALT] mbedtls_ccm_free %u\n", cryp_context_count);
#endif
if (ctx == NULL) {
return;
}
ccm_mutex->lock();
if (cryp_context_count > 0) {
cryp_context_count--;
/* Shut down CRYP on last context */
if (cryp_context_count == 0) {
HAL_CRYP_DeInit(&ctx->hcryp_ccm);
}
}
ccm_mutex->unlock();
cryp_zeroize((void *)ctx, sizeof(mbedtls_ccm_context));
}
/*
* Authenticated encryption or decryption
*/
static int ccm_auth_crypt(mbedtls_ccm_context *ctx, int mode, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len)
{
int ret = 0;
unsigned char i;
unsigned char q;
size_t len_left;
unsigned int j;
__ALIGN_BEGIN unsigned char b0[16] __ALIGN_END; /* Formatting of B0 */
__ALIGN_BEGIN uint32_t b0_32B[4] __ALIGN_END; /* B0 data swapping */
unsigned char *b1_padded_addr = NULL; /* Formatting of B1 */
unsigned char *b1_aligned_addr = NULL;
size_t b1_length; /* B1 with padding */
uint8_t b1_padding; /* B1 word alignement */
__ALIGN_BEGIN uint8_t mac[16] __ALIGN_END; /* temporary mac */
CCM_VALIDATE_RET(mode != CCM_ENCRYPT || mode != CCM_DECRYPT);
/*
* Check length requirements: SP800-38C A.1
* Additional requirement: a < 2^16 - 2^8 to simplify the code.
* 'length' checked later (when writing it to the first block)
*
* Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
*/
/* tag_len, aka t, is an element of {4, 6, 8, 10, 12, 14, 16} */
if (tag_len < 4 || tag_len > 16 || tag_len % 2 != 0) {
return (MBEDTLS_ERR_CCM_BAD_INPUT);
}
/* Also implies q is within bounds */
/* iv_len, aka n, is an element of {7, 8, 9, 10, 11, 12, 13} */
if (iv_len < 7 || iv_len > 13) {
return (MBEDTLS_ERR_CCM_BAD_INPUT);
}
/* add_len, aka a, a < 2^16 - 2^8 */
if (add_len > 0xFF00) {
return (MBEDTLS_ERR_CCM_BAD_INPUT);
}
/* The octet length of Q, denoted q */
q = 15 - (unsigned char) iv_len;
/*
* First block B_0:
* 0 .. 0 flags
* 1 .. iv_len nonce (aka iv)
* iv_len+1 .. 15 length
*
* With flags as (bits):
* 7 0
* 6 add present?
* 5 .. 3 (t - 2) / 2
* 2 .. 0 q - 1
*/
memset(b0, 0, 16);
if (add_len > 0) {
b0[0] |= 0x40;
}
b0[0] |= ((tag_len - 2) / 2) << 3;
b0[0] |= q - 1;
/* Nonce concatenation */
memcpy(b0 + 1, iv, iv_len);
/* Data length concatenation */
for (i = 0, len_left = length; i < q; i++, len_left >>= 8) {
b0[15 - i] = (unsigned char)(len_left & 0xFF);
}
if (len_left > 0) {
return (MBEDTLS_ERR_CCM_BAD_INPUT);
}
/* Protect context access */
/* (it may occur at a same time in a threaded environment) */
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_lock(&cryp_mutex) != 0) {
return (MBEDTLS_ERR_THREADING_MUTEX_ERROR);
}
#endif /* MBEDTLS_THREADING_C */
/* allow multi-context of CRYP use: restore context */
ctx->hcryp_ccm.Instance->CR = ctx->ctx_save_cr;
/*
* If there is additional data, update with
* add_len, add, 0 (padding to a block boundary)
*/
if (add_len > 0) {
/* Extra bytes to deal with data padding such that */
/* the resulting string can be partitioned into words */
b1_padding = ((add_len + H_LENGTH) % 4);
b1_length = add_len + H_LENGTH + b1_padding;
/* reserve extra bytes to deal with 4-bytes memory alignement */
b1_padded_addr =
mbedtls_calloc(1, b1_length + 3);
if (b1_padded_addr == NULL) {
ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
goto exit;
}
/* move up to a 4-bytes aligned address in the reserved memory chuck */
b1_aligned_addr =
(unsigned char *)((uint32_t)(b1_padded_addr + 3) & 0xFFFFFFFC);
/* Header length */
b1_aligned_addr[0] = (unsigned char)((add_len >> 8) & 0xFF);
b1_aligned_addr[1] = (unsigned char)((add_len) & 0xFF);
/* data concatenation */
memcpy(b1_aligned_addr + H_LENGTH, add, add_len);
/* blocks (B) associated to the Associated Data (A) */
ctx->hcryp_ccm.Init.Header = (uint32_t *)b1_aligned_addr;
ctx->hcryp_ccm.Init.HeaderSize = b1_length / 4;
} else {
ctx->hcryp_ccm.Init.Header = NULL;
ctx->hcryp_ccm.Init.HeaderSize = 0;
}
/* first authentication block */
for (j = 0; j < 4; j++) {
GET_UINT32_BE(b0_32B[j], b0, 4 * j);
}
ctx->hcryp_ccm.Init.B0 = b0_32B;
/* reconfigure the CRYP */
if (HAL_CRYP_SetConfig(&ctx->hcryp_ccm, &ctx->hcryp_ccm.Init) != HAL_OK) {
ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
goto free_block;
}
/* blocks (B) associated to the plaintext message (P) */
if (mode == CCM_DECRYPT) {
if (HAL_CRYP_Decrypt(&ctx->hcryp_ccm,
(uint32_t *)input,
length,
(uint32_t *)output,
ST_CRYP_TIMEOUT) != HAL_OK) {
ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
goto free_block;
}
} else {
if (HAL_CRYP_Encrypt(&ctx->hcryp_ccm,
(uint32_t *)input,
length,
(uint32_t *)output,
ST_CRYP_TIMEOUT) != HAL_OK) {
ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
goto free_block;
}
}
/* Tag has a variable length */
memset(mac, 0, sizeof(mac));
/* Generate the authentication TAG */
if (HAL_CRYPEx_AESCCM_GenerateAuthTAG(&ctx->hcryp_ccm,
(uint32_t *)mac,
ST_CRYP_TIMEOUT) != HAL_OK) {
ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
goto free_block;
}
memcpy(tag, mac, tag_len);
/* allow multi-context of CRYP : save context */
ctx->ctx_save_cr = ctx->hcryp_ccm.Instance->CR;
free_block:
if (add_len > 0) {
mbedtls_free(b1_padded_addr);
}
exit:
/* Free context access */
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&cryp_mutex) != 0) {
ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
}
#endif /* MBEDTLS_THREADING_C */
return (ret);
}
/*
* Authenticated encryption
*/
int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len)
{
CCM_VALIDATE_RET(ctx != NULL);
CCM_VALIDATE_RET(iv != NULL);
CCM_VALIDATE_RET(add_len == 0 || add != NULL);
CCM_VALIDATE_RET(length == 0 || input != NULL);
CCM_VALIDATE_RET(length == 0 || output != NULL);
CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
return (ccm_auth_crypt(ctx, CCM_ENCRYPT, length, iv, iv_len,
add, add_len, input, output, tag, tag_len));
}
int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len)
{
CCM_VALIDATE_RET(ctx != NULL);
CCM_VALIDATE_RET(iv != NULL);
CCM_VALIDATE_RET(add_len == 0 || add != NULL);
CCM_VALIDATE_RET(length == 0 || input != NULL);
CCM_VALIDATE_RET(length == 0 || output != NULL);
CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
if (tag_len == 0) {
return (MBEDTLS_ERR_CCM_BAD_INPUT);
}
return (mbedtls_ccm_star_encrypt_and_tag(ctx, length, iv, iv_len, add,
add_len, input, output, tag, tag_len));
}
/*
* Authenticated decryption
*/
int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
const unsigned char *tag, size_t tag_len)
{
int ret;
unsigned char check_tag[16];
unsigned char i;
int diff;
CCM_VALIDATE_RET(ctx != NULL);
CCM_VALIDATE_RET(iv != NULL);
CCM_VALIDATE_RET(add_len == 0 || add != NULL);
CCM_VALIDATE_RET(length == 0 || input != NULL);
CCM_VALIDATE_RET(length == 0 || output != NULL);
CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
if ((ret = ccm_auth_crypt(ctx, CCM_DECRYPT, length,
iv, iv_len, add, add_len,
input, output, check_tag, tag_len)) != 0) {
return (ret);
}
/* Check tag in "constant-time" */
for (diff = 0, i = 0; i < tag_len; i++) {
diff |= tag[i] ^ check_tag[i];
}
if (diff != 0) {
mbedtls_platform_zeroize(output, length);
return (MBEDTLS_ERR_CCM_AUTH_FAILED);
}
return (0);
}
int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
const unsigned char *tag, size_t tag_len)
{
CCM_VALIDATE_RET(ctx != NULL);
CCM_VALIDATE_RET(iv != NULL);
CCM_VALIDATE_RET(add_len == 0 || add != NULL);
CCM_VALIDATE_RET(length == 0 || input != NULL);
CCM_VALIDATE_RET(length == 0 || output != NULL);
CCM_VALIDATE_RET(tag_len == 0 || tag != NULL);
if (tag_len == 0) {
return (MBEDTLS_ERR_CCM_BAD_INPUT);
}
return (mbedtls_ccm_star_auth_decrypt(ctx, length, iv, iv_len, add,
add_len, input, output, tag, tag_len));
}
#endif /*MBEDTLS_CCM_ALT*/
#endif /*MBEDTLS_CCM_C*/
