/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * Copyright (C) 2019-2020 STMicroelectronics, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * This file implements ST GCM HW services based on API from mbed TLS */ /* Includes ------------------------------------------------------------------*/ #include "mbedtls/gcm.h" #if defined(MBEDTLS_GCM_C) #if defined(MBEDTLS_GCM_ALT) #include <string.h> #include "mbedtls/platform_util.h" #include "mbedtls/platform.h" #include "platform/PlatformMutex.h" #include "platform/SingletonPtr.h" static SingletonPtr<PlatformMutex> gcm_mutex; /* Parameter validation macros */ #define GCM_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) #define GCM_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) /* Private typedef -----------------------------------------------------------*/ /* Private define ------------------------------------------------------------*/ #define IV_LENGTH 12U /* implementations restrict support to 96 bits */ #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) #define AAD_WORD_ALIGN 4U /* implementations restrict AAD support on a */ /* buffer multiple of 32 bits */ #endif /* Private macro -------------------------------------------------------------*/ /* Private variables ---------------------------------------------------------*/ /* Private function prototypes -----------------------------------------------*/ /* Private functions ---------------------------------------------------------*/ /* * Initialize a context */ void mbedtls_gcm_init(mbedtls_gcm_context *ctx) { GCM_VALIDATE(ctx != NULL); sha1_mutex->lock(); cryp_context_count++; sha1_mutex->unlock(); cryp_zeroize((void *)ctx, sizeof(mbedtls_gcm_context)); } int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx, mbedtls_cipher_id_t cipher, const unsigned char *key, unsigned int keybits) { unsigned int i; int ret = 0; GCM_VALIDATE_RET(ctx != NULL); GCM_VALIDATE_RET(key != NULL); /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_lock(&cryp_mutex) != 0) { return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); } #endif /* MBEDTLS_THREADING_C */ switch (keybits) { case 128: ctx->hcryp_gcm.Init.KeySize = CRYP_KEYSIZE_128B; break; case 192: #if ( USE_AES_KEY192 == 1 ) ctx->hcryp_gcm.Init.KeySize = CRYP_KEYSIZE_192B; break; #else ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; goto exit; #endif /* USE_AES_KEY192 */ case 256: ctx->hcryp_gcm.Init.KeySize = CRYP_KEYSIZE_256B; break; default : ret = MBEDTLS_ERR_GCM_BAD_INPUT; goto exit; } /* Format and fill AES key */ for (i = 0; i < (keybits / 32); i++) { GET_UINT32_BE(ctx->gcm_key[i], key, 4 * i); } /* include the appropriate instance name */ #if defined (AES) ctx->hcryp_gcm.Instance = AES; ctx->hcryp_gcm.Init.Algorithm = CRYP_AES_GCM_GMAC; #elif defined (AES1) ctx->hcryp_gcm.Instance = AES1; ctx->hcryp_gcm.Init.Algorithm = CRYP_AES_GCM_GMAC; #else /* CRYP */ ctx->hcryp_gcm.Instance = CRYP; ctx->hcryp_gcm.Init.Algorithm = CRYP_AES_GCM; #endif /* AES */ ctx->hcryp_gcm.Init.DataType = CRYP_DATATYPE_8B; ctx->hcryp_gcm.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE; ctx->hcryp_gcm.Init.pKey = ctx->gcm_key; if (HAL_CRYP_Init(&ctx->hcryp_gcm) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit : /* Free context access */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&cryp_mutex) != 0) { ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; } #endif /* MBEDTLS_THREADING_C */ return (ret); } int mbedtls_gcm_starts(mbedtls_gcm_context *ctx, int mode, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len) { int ret = 0; unsigned int i; __ALIGN_BEGIN static uint32_t iv_32B[4] __ALIGN_END; GCM_VALIDATE_RET(ctx != NULL); GCM_VALIDATE_RET(mode != MBEDTLS_GCM_ENCRYPT || mode != MBEDTLS_GCM_DECRYPT); GCM_VALIDATE_RET(iv != NULL); GCM_VALIDATE_RET(add_len == 0 || add != NULL); /* IV and AD are limited to 2^64 bits, so 2^61 bytes */ /* IV is not allowed to be zero length */ if (iv_len == 0 || ((uint64_t) iv_len) >> 61 != 0 || ((uint64_t) add_len) >> 61 != 0) { return (MBEDTLS_ERR_GCM_BAD_INPUT); } /* implementation restrict support to the length of 96 bits */ if (IV_LENGTH != iv_len) { return (MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED); } #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* implementation restrict support to a buffer multiple of 32 bits */ if ((add_len % AAD_WORD_ALIGN) != 0U) { return (MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED); } #endif /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_lock(&cryp_mutex) != 0) { return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); } #endif /* MBEDTLS_THREADING_C */ if (HAL_CRYP_Init(&ctx->hcryp_gcm) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } /* allow multi-context of CRYP use: restore context */ ctx->hcryp_gcm.Instance->CR = ctx->ctx_save_cr; ctx->mode = mode; ctx->len = 0; /* Set IV with invert endianness */ for (i = 0; i < 3; i++) { GET_UINT32_BE(iv_32B[i], iv, 4 * i); } /* According to NIST specification, the counter value is 0x2 when processing the first block of payload */ iv_32B[3] = 0x00000002; ctx->hcryp_gcm.Init.pInitVect = iv_32B; if (add_len > 0) { ctx->hcryp_gcm.Init.Header = (uint32_t *)add; #if defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* header buffer in byte length */ ctx->hcryp_gcm.Init.HeaderSize = (uint32_t)add_len; #else /* header buffer in word length */ ctx->hcryp_gcm.Init.HeaderSize = (uint32_t)(add_len / AAD_WORD_ALIGN); #endif } else { ctx->hcryp_gcm.Init.Header = NULL; ctx->hcryp_gcm.Init.HeaderSize = 0; } #if defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* Additional Authentication Data in bytes unit */ ctx->hcryp_gcm.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_BYTE; #endif /* Do not Allow IV reconfiguration at every gcm update */ ctx->hcryp_gcm.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE; /* reconfigure the CRYP */ if (HAL_CRYP_SetConfig(&ctx->hcryp_gcm, &ctx->hcryp_gcm.Init) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit: /* Free context access */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&cryp_mutex) != 0) { ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; } #endif /* MBEDTLS_THREADING_C */ return (ret); } int mbedtls_gcm_update(mbedtls_gcm_context *ctx, size_t length, const unsigned char *input, unsigned char *output) { int ret = 0; #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) size_t rest_length = 0; #endif GCM_VALIDATE_RET(ctx != NULL); GCM_VALIDATE_RET(length == 0 || input != NULL); GCM_VALIDATE_RET(length == 0 || output != NULL); if (output > input && (size_t)(output - input) < length) { return (MBEDTLS_ERR_GCM_BAD_INPUT); } /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes * Also check for possible overflow */ if (((ctx->len + length) < ctx->len) || ((uint64_t)(ctx->len + length) > 0xFFFFFFFE0ull)) { return (MBEDTLS_ERR_GCM_BAD_INPUT); } /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_lock(&cryp_mutex) != 0) { return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); } #endif /* MBEDTLS_THREADING_C */ /* allow multi-context of CRYP use: restore context */ ctx->hcryp_gcm.Instance->CR = ctx->ctx_save_cr; ctx->len += length; #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* compute remaining data (data buffer in word) */ if ((length % AAD_WORD_ALIGN) != 0U) { rest_length = length % AAD_WORD_ALIGN; } #endif if (ctx->mode == MBEDTLS_GCM_DECRYPT) { if (HAL_CRYP_Decrypt(&ctx->hcryp_gcm, (uint32_t *)input, length, (uint32_t *)output, ST_CRYP_TIMEOUT) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* manage last bytes */ if (rest_length != 0) { if (HAL_CRYP_Decrypt(&ctx->hcryp_gcm, (uint32_t *)(input + (length / AAD_WORD_ALIGN)), rest_length, (uint32_t *)(output + (length / AAD_WORD_ALIGN)), ST_CRYP_TIMEOUT) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } } #endif } else { if (HAL_CRYP_Encrypt(&ctx->hcryp_gcm, (uint32_t *)input, length, (uint32_t *)output, ST_CRYP_TIMEOUT) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* manage last bytes */ if (rest_length != 0) { if (HAL_CRYP_Encrypt(&ctx->hcryp_gcm, (uint32_t *)(input + (length / AAD_WORD_ALIGN)), rest_length, (uint32_t *)(output + (length / AAD_WORD_ALIGN)), ST_CRYP_TIMEOUT) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } } #endif } /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit: /* Free context access */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&cryp_mutex) != 0) { ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; } #endif /* MBEDTLS_THREADING_C */ return (ret); } int mbedtls_gcm_finish(mbedtls_gcm_context *ctx, unsigned char *tag, size_t tag_len) { int ret = 0; __ALIGN_BEGIN uint8_t mac[16] __ALIGN_END; /* temporary mac */ GCM_VALIDATE_RET(ctx != NULL); GCM_VALIDATE_RET(tag != NULL); if (tag_len > 16 || tag_len < 4) { return (MBEDTLS_ERR_GCM_BAD_INPUT); } /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_lock(&cryp_mutex) != 0) { return (MBEDTLS_ERR_THREADING_MUTEX_ERROR); } #endif /* MBEDTLS_THREADING_C */ /* allow multi-context of CRYP use: restore context */ ctx->hcryp_gcm.Instance->CR = ctx->ctx_save_cr; /* Tag has a variable length */ memset(mac, 0, sizeof(mac)); /* Generate the authentication TAG */ if (HAL_CRYPEx_AESGCM_GenerateAuthTAG(&ctx->hcryp_gcm, (uint32_t *)mac, ST_CRYP_TIMEOUT) != HAL_OK) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } memcpy(tag, mac, tag_len); /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit: /* Free context access */ #if defined(MBEDTLS_THREADING_C) if (mbedtls_mutex_unlock(&cryp_mutex) != 0) { ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; } #endif /* MBEDTLS_THREADING_C */ return (ret); } int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag) { int ret; GCM_VALIDATE_RET(ctx != NULL); GCM_VALIDATE_RET(iv != NULL); GCM_VALIDATE_RET(add_len == 0 || add != NULL); GCM_VALIDATE_RET(length == 0 || input != NULL); GCM_VALIDATE_RET(length == 0 || output != NULL); GCM_VALIDATE_RET(tag != NULL); if ((ret = mbedtls_gcm_starts(ctx, mode, iv, iv_len, add, add_len)) != 0) { return (ret); } if ((ret = mbedtls_gcm_update(ctx, length, input, output)) != 0) { return (ret); } if ((ret = mbedtls_gcm_finish(ctx, tag, tag_len)) != 0) { return (ret); } return (0); } int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output) { int ret; unsigned char check_tag[16]; size_t i; int diff; GCM_VALIDATE_RET(ctx != NULL); GCM_VALIDATE_RET(iv != NULL); GCM_VALIDATE_RET(add_len == 0 || add != NULL); GCM_VALIDATE_RET(tag != NULL); GCM_VALIDATE_RET(length == 0 || input != NULL); GCM_VALIDATE_RET(length == 0 || output != NULL); if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length, iv, iv_len, add, add_len, input, output, tag_len, check_tag)) != 0) { return (ret); } /* Check tag in "constant-time" */ for (diff = 0, i = 0; i < tag_len; i++) { diff |= tag[i] ^ check_tag[i]; } if (diff != 0) { mbedtls_platform_zeroize(output, length); return (MBEDTLS_ERR_GCM_AUTH_FAILED); } return (0); } void mbedtls_gcm_free(mbedtls_gcm_context *ctx) { if (ctx == NULL) { return; } gcm_mutex->lock(); if (cryp_context_count > 0) { cryp_context_count--; /* Shut down CRYP on last context */ if (cryp_context_count == 0) { HAL_CRYP_DeInit(&ctx->hcryp_gcm); } } gcm_mutex->unlock(); cryp_zeroize((void *)ctx, sizeof(mbedtls_gcm_context)); } #endif /*MBEDTLS_GCM_ALT*/ #endif /*MBEDTLS_GCM_C*/