/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * Copyright (C) 2019-2020 STMicroelectronics, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * This file implements ST GCM HW services based on API from mbed TLS */ /* Includes ------------------------------------------------------------------*/ #include "mbedtls/gcm.h" #if defined(MBEDTLS_GCM_C) #if defined(MBEDTLS_GCM_ALT) #include #include "mbedtls/platform_util.h" #include "mbedtls/platform.h" /* Parameter validation macros */ #define GCM_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) #define GCM_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) /* Private typedef -----------------------------------------------------------*/ /* Private define ------------------------------------------------------------*/ #define IV_LENGTH 12U /* implementations restrict support to 96 bits */ #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) #define AAD_WORD_ALIGN 4U /* implementations may restrict AAD support on */ /* a buffer multiple of 32 bits */ #endif /* Private macro -------------------------------------------------------------*/ /* Private variables ---------------------------------------------------------*/ /* Private function prototypes -----------------------------------------------*/ /* Private functions ---------------------------------------------------------*/ /* * Initialize a context */ void mbedtls_gcm_init( mbedtls_gcm_context *ctx ) { GCM_VALIDATE( ctx != NULL ); __disable_irq(); #if defined(MBEDTLS_THREADING_C) /* mutex cannot be initialized twice */ if ( !cryp_mutex_started ) { mbedtls_mutex_init( &cryp_mutex ); cryp_mutex_started = 1; } #endif /* MBEDTLS_THREADING_C */ cryp_context_count++; __enable_irq(); cryp_zeroize( (void*)ctx, sizeof(mbedtls_gcm_context) ); } int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, mbedtls_cipher_id_t cipher, const unsigned char *key, unsigned int keybits ) { unsigned int i; int ret = 0; GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( key != NULL ); /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_lock( &cryp_mutex ) != 0 ) return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif /* MBEDTLS_THREADING_C */ switch (keybits) { case 128: ctx->hcryp_gcm.Init.KeySize = CRYP_KEYSIZE_128B; break; case 192: #if ( USE_AES_KEY192 == 1 ) ctx->hcryp_gcm.Init.KeySize = CRYP_KEYSIZE_192B; break; #else ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; goto exit; #endif /* USE_AES_KEY192 */ case 256: ctx->hcryp_gcm.Init.KeySize = CRYP_KEYSIZE_256B; break; default : ret = MBEDTLS_ERR_GCM_BAD_INPUT; goto exit; } /* Format and fill AES key */ for( i=0; i < (keybits/32); i++ ) GET_UINT32_BE( ctx->gcm_key[i], key, 4*i ); /* include the appropriate instance name */ #if defined (AES) ctx->hcryp_gcm.Instance = AES; ctx->hcryp_gcm.Init.Algorithm = CRYP_AES_GCM_GMAC; #elif defined (AES1) ctx->hcryp_gcm.Instance = AES1; ctx->hcryp_gcm.Init.Algorithm = CRYP_AES_GCM_GMAC; #else /* CRYP */ ctx->hcryp_gcm.Instance = CRYP; ctx->hcryp_gcm.Init.Algorithm = CRYP_AES_GCM; #endif /* AES */ ctx->hcryp_gcm.Init.DataType = CRYP_DATATYPE_8B; ctx->hcryp_gcm.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE; ctx->hcryp_gcm.Init.pKey = ctx->gcm_key; if ( HAL_CRYP_Init( &ctx->hcryp_gcm ) != HAL_OK ) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit : /* Free context access */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_unlock( &cryp_mutex ) != 0 ) ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; #endif /* MBEDTLS_THREADING_C */ return( ret ); } int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, int mode, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len ) { int ret = 0; unsigned int i; __ALIGN_BEGIN static uint32_t iv_32B[4] __ALIGN_END; GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( mode != MBEDTLS_GCM_ENCRYPT || mode != MBEDTLS_GCM_DECRYPT ); GCM_VALIDATE_RET( iv != NULL ); GCM_VALIDATE_RET( add_len == 0 || add != NULL ); /* IV and AD are limited to 2^64 bits, so 2^61 bytes */ /* IV is not allowed to be zero length */ if( iv_len == 0 || ( (uint64_t) iv_len ) >> 61 != 0 || ( (uint64_t) add_len ) >> 61 != 0 ) { return( MBEDTLS_ERR_GCM_BAD_INPUT ); } /* implementation restrict support to the length of 96 bits */ if( IV_LENGTH != iv_len ) { return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ); } #if !defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* implementation restrict support to a buffer multiple of 32 bits */ if ((add_len % AAD_WORD_ALIGN) != 0U) { return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ); } #endif /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_lock( &cryp_mutex ) != 0 ) return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif /* MBEDTLS_THREADING_C */ if ( HAL_CRYP_Init( &ctx->hcryp_gcm ) != HAL_OK ) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } /* allow multi-context of CRYP use: restore context */ ctx->hcryp_gcm.Instance->CR = ctx->ctx_save_cr; ctx->mode = mode; ctx->len = 0; /* Set IV with invert endianness */ for( i=0; i < 3; i++ ) GET_UINT32_BE( iv_32B[i], iv, 4*i ); /* According to NIST specification, the counter value is 0x2 when processing the first block of payload */ iv_32B[3] = 0x00000002; ctx->hcryp_gcm.Init.pInitVect = iv_32B; if ( add_len > 0 ) { ctx->hcryp_gcm.Init.Header = (uint32_t *)add; #if defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* header buffer in byte length */ ctx->hcryp_gcm.Init.HeaderSize = (uint32_t)add_len; #else /* header buffer in word length */ ctx->hcryp_gcm.Init.HeaderSize = (uint32_t)(add_len/AAD_WORD_ALIGN); #endif } else { ctx->hcryp_gcm.Init.Header = NULL; ctx->hcryp_gcm.Init.HeaderSize = 0; } #if defined(STM32_AAD_ANY_LENGTH_SUPPORT) /* Additional Authentication Data in bytes unit */ ctx->hcryp_gcm.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_BYTE; #endif /* Do not Allow IV reconfiguration at every gcm update */ ctx->hcryp_gcm.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE; /* reconfigure the CRYP */ if ( HAL_CRYP_SetConfig( &ctx->hcryp_gcm, &ctx->hcryp_gcm.Init ) != HAL_OK ) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit: /* Free context access */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_unlock( &cryp_mutex ) != 0 ) ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; #endif /* MBEDTLS_THREADING_C */ return( ret ); } int mbedtls_gcm_update( mbedtls_gcm_context *ctx, size_t length, const unsigned char *input, unsigned char *output ) { int ret = 0; GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( length == 0 || input != NULL ); GCM_VALIDATE_RET( length == 0 || output != NULL ); if( output > input && (size_t) ( output - input ) < length ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes * Also check for possible overflow */ if( ( (ctx->len + length) < ctx->len ) || ( (uint64_t)(ctx->len + length) > 0xFFFFFFFE0ull ) ) { return( MBEDTLS_ERR_GCM_BAD_INPUT ); } /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_lock( &cryp_mutex ) != 0 ) return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif /* MBEDTLS_THREADING_C */ /* allow multi-context of CRYP use: restore context */ ctx->hcryp_gcm.Instance->CR = ctx->ctx_save_cr; ctx->len += length; if( ctx->mode == MBEDTLS_GCM_DECRYPT ) { if ( HAL_CRYP_Decrypt( &ctx->hcryp_gcm, (uint32_t *)input, length, (uint32_t *)output, ST_CRYP_TIMEOUT ) != HAL_OK ) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } } else { if ( HAL_CRYP_Encrypt( &ctx->hcryp_gcm, (uint32_t *)input, length, (uint32_t *)output, ST_CRYP_TIMEOUT ) != HAL_OK ) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } } /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit: /* Free context access */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_unlock( &cryp_mutex ) != 0 ) ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; #endif /* MBEDTLS_THREADING_C */ return( ret ); } int mbedtls_gcm_finish( mbedtls_gcm_context *ctx, unsigned char *tag, size_t tag_len ) { int ret = 0; __ALIGN_BEGIN uint8_t mac[16] __ALIGN_END; /* temporary mac */ GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( tag != NULL ); if( tag_len > 16 || tag_len < 4 ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); /* Protect context access */ /* (it may occur at a same time in a threaded environment) */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_lock( &cryp_mutex ) != 0 ) return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif /* MBEDTLS_THREADING_C */ /* allow multi-context of CRYP use: restore context */ ctx->hcryp_gcm.Instance->CR = ctx->ctx_save_cr; /* Tag has a variable length */ memset(mac, 0, sizeof(mac)); /* Generate the authentication TAG */ if ( HAL_CRYPEx_AESGCM_GenerateAuthTAG( &ctx->hcryp_gcm, (uint32_t *)mac, ST_CRYP_TIMEOUT )!= HAL_OK ) { ret = MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; goto exit; } memcpy( tag, mac, tag_len ); /* allow multi-context of CRYP : save context */ ctx->ctx_save_cr = ctx->hcryp_gcm.Instance->CR; exit: /* Free context access */ #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_unlock( &cryp_mutex ) != 0 ) ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; #endif /* MBEDTLS_THREADING_C */ return( ret ); } int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag ) { int ret; GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( iv != NULL ); GCM_VALIDATE_RET( add_len == 0 || add != NULL ); GCM_VALIDATE_RET( length == 0 || input != NULL ); GCM_VALIDATE_RET( length == 0 || output != NULL ); GCM_VALIDATE_RET( tag != NULL ); if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len, add, add_len ) ) != 0 ) return( ret ); if( ( ret = mbedtls_gcm_update( ctx, length, input, output ) ) != 0 ) return( ret ); if( ( ret = mbedtls_gcm_finish( ctx, tag, tag_len ) ) != 0 ) return( ret ); return( 0 ); } int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output ) { int ret; unsigned char check_tag[16]; size_t i; int diff; GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( iv != NULL ); GCM_VALIDATE_RET( add_len == 0 || add != NULL ); GCM_VALIDATE_RET( tag != NULL ); GCM_VALIDATE_RET( length == 0 || input != NULL ); GCM_VALIDATE_RET( length == 0 || output != NULL ); if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length, iv, iv_len, add, add_len, input, output, tag_len, check_tag ) ) != 0 ) { return( ret ); } /* Check tag in "constant-time" */ for( diff = 0, i = 0; i < tag_len; i++ ) diff |= tag[i] ^ check_tag[i]; if( diff != 0 ) { mbedtls_platform_zeroize( output, length ); return( MBEDTLS_ERR_GCM_AUTH_FAILED ); } return( 0 ); } void mbedtls_gcm_free( mbedtls_gcm_context *ctx ) { if( ctx == NULL ) return; __disable_irq(); if ( cryp_context_count > 0 ) cryp_context_count--; #if defined(MBEDTLS_THREADING_C) if ( cryp_mutex_started ) { mbedtls_mutex_free( &cryp_mutex ); cryp_mutex_started = 0; } #endif /* MBEDTLS_THREADING_C */ __enable_irq(); /* Shut down CRYP on last context */ if ( cryp_context_count == 0 ) HAL_CRYP_DeInit( &ctx->hcryp_gcm ); cryp_zeroize( (void*)ctx, sizeof(mbedtls_gcm_context) ); } #endif /*MBEDTLS_GCM_ALT*/ #endif /*MBEDTLS_GCM_C*/