![(please configure the [header_logo] section in trac.ini)](/trac_user/contrib/chrome/site/your_project_logo.png){kind=logo}
- Timestamp:
- Jun 22, 2021, 9:00:19 PM (3 years ago)
- Location:
- azure_iot_hub_f767zi/trunk/wolfssl-4.7.0
- Files:
-
- 1 edited
- 1 moved
-
. (moved) (moved from azure_iot_hub_f767zi/trunk/wolfssl-4.4.0 )
-
wolfcrypt/src/aes.c (modified) (178 diffs)
Legend:
- Unmodified
- Added
- Removed
-
azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/wolfcrypt/src/aes.c
r457 r464 20 20 */ 21 21 22 22 /* 23 24 DESCRIPTION 25 This library provides the interfaces to the Advanced Encryption Standard (AES) 26 for encrypting and decrypting data. AES is the standard known for a symmetric 27 block cipher mechanism that uses n-bit binary string parameter key with 128-bits, 28 192-bits, and 256-bits of key sizes. 29 30 */ 23 31 #ifdef HAVE_CONFIG_H 24 32 #include <config.h> … … 45 53 46 54 #include <wolfssl/wolfcrypt/aes.h> 55 56 #ifdef WOLFSSL_AESNI 57 #include <wmmintrin.h> 58 #include <emmintrin.h> 59 #include <smmintrin.h> 60 #endif /* WOLFSSL_AESNI */ 61 47 62 #include <wolfssl/wolfcrypt/cpuid.h> 48 63 49 64 #ifdef WOLF_CRYPTO_CB 50 65 #include <wolfssl/wolfcrypt/cryptocb.h> 66 #endif 67 68 #ifdef WOLFSSL_IMXRT_DCP 69 #include <wolfssl/wolfcrypt/port/nxp/dcp_port.h> 51 70 #endif 52 71 … … 289 308 /* Define AES implementation includes and functions */ 290 309 #if defined(STM32_CRYPTO) 291 /* STM32F2/F4/F7/L4 hardware AES support for ECB, CBC, CTR and GCM modes */310 /* STM32F2/F4/F7/L4/L5/H7/WB55 hardware AES support for ECB, CBC, CTR and GCM modes */ 292 311 293 312 #if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM) || defined(HAVE_AESCCM) … … 308 327 return ret; 309 328 310 #ifdef STM32_CRYPTO_AES_ONLY 329 ret = wolfSSL_CryptHwMutexLock(); 330 if (ret != 0) 331 return ret; 332 333 #if defined(STM32_HAL_V2) 334 hcryp.Init.Algorithm = CRYP_AES_ECB; 335 #elif defined(STM32_CRYPTO_AES_ONLY) 311 336 hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT; 312 337 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_ECB; 313 338 hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE; 314 #elif defined(STM32_HAL_V2)315 hcryp.Init.Algorithm = CRYP_AES_ECB;316 339 #endif 317 340 HAL_CRYP_Init(&hcryp); 318 341 319 #ifdef STM32_CRYPTO_AES_ONLY 342 #if defined(STM32_HAL_V2) 343 ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE, 344 (uint32_t*)outBlock, STM32_HAL_TIMEOUT); 345 #elif defined(STM32_CRYPTO_AES_ONLY) 320 346 ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE, 321 347 outBlock, STM32_HAL_TIMEOUT); 322 #elif defined(STM32_HAL_V2)323 ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE,324 (uint32_t*)outBlock, STM32_HAL_TIMEOUT);325 348 #else 326 349 ret = HAL_CRYP_AESECB_Encrypt(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE, … … 332 355 HAL_CRYP_DeInit(&hcryp); 333 356 334 #else /* S TD_PERI_LIB*/357 #else /* Standard Peripheral Library */ 335 358 ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit); 359 if (ret != 0) 360 return ret; 361 362 ret = wolfSSL_CryptHwMutexLock(); 336 363 if (ret != 0) 337 364 return ret; … … 370 397 CRYP_Cmd(DISABLE); 371 398 #endif /* WOLFSSL_STM32_CUBEMX */ 399 wolfSSL_CryptHwMutexUnLock(); 372 400 373 401 return ret; … … 392 420 return ret; 393 421 394 #ifdef STM32_CRYPTO_AES_ONLY 395 hcryp.Init.OperatingMode = CRYP_ALGOMODE_DECRYPT; 422 ret = wolfSSL_CryptHwMutexLock(); 423 if (ret != 0) 424 return ret; 425 426 #if defined(STM32_HAL_V2) 427 hcryp.Init.Algorithm = CRYP_AES_ECB; 428 #elif defined(STM32_CRYPTO_AES_ONLY) 429 hcryp.Init.OperatingMode = CRYP_ALGOMODE_KEYDERIVATION_DECRYPT; 396 430 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_ECB; 397 431 hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE; 398 #elif defined(STM32_HAL_V2)399 hcryp.Init.Algorithm = CRYP_AES_ECB;400 432 #endif 401 433 HAL_CRYP_Init(&hcryp); 402 434 403 #ifdef STM32_CRYPTO_AES_ONLY 435 #if defined(STM32_HAL_V2) 436 ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE, 437 (uint32_t*)outBlock, STM32_HAL_TIMEOUT); 438 #elif defined(STM32_CRYPTO_AES_ONLY) 404 439 ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE, 405 440 outBlock, STM32_HAL_TIMEOUT); 406 #elif defined(STM32_HAL_V2)407 ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE,408 (uint32_t*)outBlock, STM32_HAL_TIMEOUT);409 441 #else 410 442 ret = HAL_CRYP_AESECB_Decrypt(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE, … … 416 448 HAL_CRYP_DeInit(&hcryp); 417 449 418 #else /* S TD_PERI_LIB*/450 #else /* Standard Peripheral Library */ 419 451 ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit); 452 if (ret != 0) 453 return ret; 454 455 ret = wolfSSL_CryptHwMutexLock(); 420 456 if (ret != 0) 421 457 return ret; … … 463 499 CRYP_Cmd(DISABLE); 464 500 #endif /* WOLFSSL_STM32_CUBEMX */ 501 wolfSSL_CryptHwMutexUnLock(); 465 502 466 503 return ret; … … 481 518 #undef NEED_AES_TABLES 482 519 #undef GCM_TABLE 483 #else 520 #endif 521 484 522 /* if LTC doesn't have GCM, use software with LTC AES ECB mode */ 485 523 static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) 486 524 { 487 wc_AesEncryptDirect(aes, outBlock, inBlock); 525 word32 keySize = 0; 526 byte* key = (byte*)aes->key; 527 wc_AesGetKeySize(aes, &keySize); 528 529 if (wolfSSL_CryptHwMutexLock() == 0) { 530 LTC_AES_EncryptEcb(LTC_BASE, inBlock, outBlock, AES_BLOCK_SIZE, 531 key, keySize); 532 wolfSSL_CryptHwMutexUnLock(); 533 } 488 534 return 0; 489 535 } 536 #ifdef HAVE_AES_DECRYPT 490 537 static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock) 491 538 { 492 wc_AesDecryptDirect(aes, outBlock, inBlock); 539 word32 keySize = 0; 540 byte* key = (byte*)aes->key; 541 wc_AesGetKeySize(aes, &keySize); 542 543 if (wolfSSL_CryptHwMutexLock() == 0) { 544 LTC_AES_DecryptEcb(LTC_BASE, inBlock, outBlock, AES_BLOCK_SIZE, 545 key, keySize, kLTC_EncryptKey); 546 wolfSSL_CryptHwMutexUnLock(); 547 } 493 548 return 0; 494 549 } 495 #endif 550 #endif 551 496 552 #elif defined(FREESCALE_MMCAU) 497 553 /* Freescale mmCAU hardware AES support for Direct, CBC, CCM, GCM modes … … 508 564 static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) 509 565 { 510 int ret; 511 512 #ifdef FREESCALE_MMCAU_CLASSIC 513 if ((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) { 514 WOLFSSL_MSG("Bad cau_aes_encrypt alignment"); 515 return BAD_ALIGN_E; 516 } 517 #endif 518 519 ret = wolfSSL_CryptHwMutexLock(); 520 if(ret == 0) { 566 if (wolfSSL_CryptHwMutexLock() == 0) { 521 567 #ifdef FREESCALE_MMCAU_CLASSIC 568 if ((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) { 569 WOLFSSL_MSG("Bad cau_aes_encrypt alignment"); 570 return BAD_ALIGN_E; 571 } 522 572 cau_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock); 523 573 #else … … 527 577 wolfSSL_CryptHwMutexUnLock(); 528 578 } 529 return ret;579 return 0; 530 580 } 531 581 #ifdef HAVE_AES_DECRYPT 532 582 static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock) 533 583 { 534 int ret; 535 536 #ifdef FREESCALE_MMCAU_CLASSIC 537 if ((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) { 538 WOLFSSL_MSG("Bad cau_aes_decrypt alignment"); 539 return BAD_ALIGN_E; 540 } 541 #endif 542 543 ret = wolfSSL_CryptHwMutexLock(); 544 if(ret == 0) { 584 if (wolfSSL_CryptHwMutexLock() == 0) { 545 585 #ifdef FREESCALE_MMCAU_CLASSIC 586 if ((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) { 587 WOLFSSL_MSG("Bad cau_aes_decrypt alignment"); 588 return BAD_ALIGN_E; 589 } 546 590 cau_aes_decrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock); 547 591 #else … … 551 595 wolfSSL_CryptHwMutexUnLock(); 552 596 } 553 return ret;597 return 0; 554 598 } 555 599 #endif /* HAVE_AES_DECRYPT */ … … 562 606 static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) 563 607 { 608 /* Thread mutex protection handled in Pic32Crypto */ 564 609 return wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0, 565 610 outBlock, inBlock, AES_BLOCK_SIZE, … … 571 616 static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock) 572 617 { 618 /* Thread mutex protection handled in Pic32Crypto */ 573 619 return wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0, 574 620 outBlock, inBlock, AES_BLOCK_SIZE, … … 583 629 static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) 584 630 { 585 return nrf51_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock); 631 int ret; 632 ret = wolfSSL_CryptHwMutexLock(); 633 if (ret == 0) { 634 ret = nrf51_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock); 635 wolfSSL_CryptHwMutexUnLock(); 636 } 637 return ret; 586 638 } 587 639 … … 598 650 static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) 599 651 { 652 /* Thread mutex protection handled in esp_aes_hw_InUse */ 600 653 return wc_esp32AesEncrypt(aes, inBlock, outBlock); 601 654 } … … 605 658 static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock) 606 659 { 660 /* Thread mutex protection handled in esp_aes_hw_InUse */ 607 661 return wc_esp32AesDecrypt(aes, inBlock, outBlock); 608 662 } … … 722 776 { 723 777 int nr; 724 Aes temp_key; 725 __m128i *Key_Schedule = (__m128i*)aes->key; 726 __m128i *Temp_Key_Schedule = (__m128i*)temp_key.key; 778 #ifdef WOLFSSL_SMALL_STACK 779 Aes *temp_key; 780 #else 781 Aes temp_key[1]; 782 #endif 783 __m128i *Key_Schedule; 784 __m128i *Temp_Key_Schedule; 727 785 728 786 if (!userKey || !aes) 729 787 return BAD_FUNC_ARG; 730 788 731 if (AES_set_encrypt_key(userKey,bits,&temp_key) == BAD_FUNC_ARG) 789 #ifdef WOLFSSL_SMALL_STACK 790 if ((temp_key = (Aes *)XMALLOC(sizeof *aes, aes->heap, 791 DYNAMIC_TYPE_AES)) == NULL) 792 return MEMORY_E; 793 #endif 794 795 if (AES_set_encrypt_key(userKey,bits,temp_key) == BAD_FUNC_ARG) { 796 #ifdef WOLFSSL_SMALL_STACK 797 XFREE(temp_key, aes->heap, DYNAMIC_TYPE_AES); 798 #endif 732 799 return BAD_FUNC_ARG; 733 734 nr = temp_key.rounds; 800 } 801 802 Key_Schedule = (__m128i*)aes->key; 803 Temp_Key_Schedule = (__m128i*)temp_key->key; 804 805 nr = temp_key->rounds; 735 806 aes->rounds = nr; 807 808 SAVE_VECTOR_REGISTERS(); 736 809 737 810 Key_Schedule[nr] = Temp_Key_Schedule[0]; … … 758 831 Key_Schedule[0] = Temp_Key_Schedule[nr]; 759 832 833 RESTORE_VECTOR_REGISTERS(); 834 835 #ifdef WOLFSSL_SMALL_STACK 836 XFREE(temp_key, aes->heap, DYNAMIC_TYPE_AES); 837 #endif 838 760 839 return 0; 761 840 } … … 772 851 773 852 #elif defined(WOLFSSL_AFALG) 853 /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */ 854 774 855 #elif defined(WOLFSSL_DEVCRYPTO_AES) 856 /* implemented in wolfcrypt/src/port/devcrypto/devcrypto_aes.c */ 775 857 776 858 #elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES) … … 792 874 int sz) 793 875 { 794 uint32_tret;876 word32 ret; 795 877 796 878 if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag == … … 830 912 831 913 if (ret != SSP_SUCCESS) { 832 /* revert input */914 /* revert input */ 833 915 ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz); 834 916 return WC_HW_E; … … 850 932 int sz) 851 933 { 852 uint32_tret;934 word32 ret; 853 935 854 936 if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag == … … 901 983 return 0; 902 984 } 903 904 #endif 985 #endif /* HAVE_AES_DECRYPT */ 905 986 906 987 #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT) … … 927 1008 #ifdef NEED_AES_TABLES 928 1009 929 static const word32 rcon[] = {1010 static const FLASH_QUALIFIER word32 rcon[] = { 930 1011 0x01000000, 0x02000000, 0x04000000, 0x08000000, 931 1012 0x10000000, 0x20000000, 0x40000000, 0x80000000, … … 935 1016 936 1017 #ifndef WOLFSSL_AES_SMALL_TABLES 937 static const word32 Te[4][256] = {1018 static const FLASH_QUALIFIER word32 Te[4][256] = { 938 1019 { 939 1020 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, … … 1203 1284 1204 1285 #ifdef HAVE_AES_DECRYPT 1205 static const word32 Td[4][256] = {1286 static const FLASH_QUALIFIER word32 Td[4][256] = { 1206 1287 { 1207 1288 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, … … 1471 1552 }; 1472 1553 #endif /* HAVE_AES_DECRYPT */ 1473 #endif 1554 #endif /* WOLFSSL_AES_SMALL_TABLES */ 1474 1555 1475 1556 #ifdef HAVE_AES_DECRYPT 1476 1557 #if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \ 1477 1478 static const byte Td4[256] =1558 || defined(WOLFSSL_AES_DIRECT) 1559 static const FLASH_QUALIFIER byte Td4[256] = 1479 1560 { 1480 1561 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U, … … 1562 1643 } 1563 1644 1645 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) 1564 1646 static word32 inv_col_mul(word32 t, int i9, int ib, int id, int ie) 1565 1647 { … … 1572 1654 } 1573 1655 #endif 1574 1575 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM) 1656 #endif 1657 1658 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) || \ 1659 defined(HAVE_AESCCM) || defined(HAVE_AESGCM) 1576 1660 1577 1661 #ifndef WC_CACHE_LINE_SZ … … 1586 1670 1587 1671 1672 #ifndef WC_NO_CACHE_RESISTANT 1588 1673 #ifndef WOLFSSL_AES_SMALL_TABLES 1589 1674 /* load 4 Te Tables into cache by cache line stride */ … … 1614 1699 } 1615 1700 #endif 1701 #endif 1616 1702 1617 1703 /* Software AES - ECB Encrypt */ … … 1623 1709 const word32* rk = aes->key; 1624 1710 1711 #ifdef DEBUG_WOLFSSL 1625 1712 if (r > 7 || r == 0) { 1626 1713 WOLFSSL_MSG("AesEncrypt encountered improper key, set it up"); 1627 1714 return; /* stop instead of seg-faulting, set up your keys! */ 1628 1715 } 1716 #endif 1629 1717 1630 1718 #ifdef WOLFSSL_AESNI … … 1650 1738 1651 1739 XMEMCPY(tmp_align, inBlock, AES_BLOCK_SIZE); 1740 SAVE_VECTOR_REGISTERS(); 1652 1741 AES_ECB_encrypt(tmp_align, tmp_align, AES_BLOCK_SIZE, 1653 1742 (byte*)aes->key, aes->rounds); 1743 RESTORE_VECTOR_REGISTERS(); 1654 1744 XMEMCPY(outBlock, tmp_align, AES_BLOCK_SIZE); 1655 1745 XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER); … … 1661 1751 } 1662 1752 1753 SAVE_VECTOR_REGISTERS(); 1663 1754 AES_ECB_encrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key, 1664 1755 aes->rounds); 1756 RESTORE_VECTOR_REGISTERS(); 1665 1757 1666 1758 return; … … 1675 1767 AES_ECB_encrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE); 1676 1768 return; 1769 #endif 1770 1771 #if defined(WOLFSSL_IMXRT_DCP) 1772 if (aes->keylen == 16) { 1773 DCPAesEcbEncrypt(aes, outBlock, inBlock, AES_BLOCK_SIZE); 1774 return; 1775 } 1677 1776 #endif 1678 1777 … … 1682 1781 */ 1683 1782 XMEMCPY(&s0, inBlock, sizeof(s0)); 1684 XMEMCPY(&s1, inBlock + sizeof(s0),sizeof(s1));1783 XMEMCPY(&s1, inBlock + sizeof(s0), sizeof(s1)); 1685 1784 XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2)); 1686 1785 XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3)); … … 1700 1799 1701 1800 #ifndef WOLFSSL_AES_SMALL_TABLES 1801 #ifndef WC_NO_CACHE_RESISTANT 1702 1802 s0 |= PreFetchTe(); 1703 1803 #endif 1804 1805 #ifndef WOLFSSL_AES_NO_UNROLL 1806 /* Unroll the loop. */ 1807 #define ENC_ROUND_T_S(o) \ 1808 t0 = Te[0][GETBYTE(s0, 3)] ^ Te[1][GETBYTE(s1, 2)] ^ \ 1809 Te[2][GETBYTE(s2, 1)] ^ Te[3][GETBYTE(s3, 0)] ^ rk[o+4]; \ 1810 t1 = Te[0][GETBYTE(s1, 3)] ^ Te[1][GETBYTE(s2, 2)] ^ \ 1811 Te[2][GETBYTE(s3, 1)] ^ Te[3][GETBYTE(s0, 0)] ^ rk[o+5]; \ 1812 t2 = Te[0][GETBYTE(s2, 3)] ^ Te[1][GETBYTE(s3, 2)] ^ \ 1813 Te[2][GETBYTE(s0, 1)] ^ Te[3][GETBYTE(s1, 0)] ^ rk[o+6]; \ 1814 t3 = Te[0][GETBYTE(s3, 3)] ^ Te[1][GETBYTE(s0, 2)] ^ \ 1815 Te[2][GETBYTE(s1, 1)] ^ Te[3][GETBYTE(s2, 0)] ^ rk[o+7] 1816 #define ENC_ROUND_S_T(o) \ 1817 s0 = Te[0][GETBYTE(t0, 3)] ^ Te[1][GETBYTE(t1, 2)] ^ \ 1818 Te[2][GETBYTE(t2, 1)] ^ Te[3][GETBYTE(t3, 0)] ^ rk[o+0]; \ 1819 s1 = Te[0][GETBYTE(t1, 3)] ^ Te[1][GETBYTE(t2, 2)] ^ \ 1820 Te[2][GETBYTE(t3, 1)] ^ Te[3][GETBYTE(t0, 0)] ^ rk[o+1]; \ 1821 s2 = Te[0][GETBYTE(t2, 3)] ^ Te[1][GETBYTE(t3, 2)] ^ \ 1822 Te[2][GETBYTE(t0, 1)] ^ Te[3][GETBYTE(t1, 0)] ^ rk[o+2]; \ 1823 s3 = Te[0][GETBYTE(t3, 3)] ^ Te[1][GETBYTE(t0, 2)] ^ \ 1824 Te[2][GETBYTE(t1, 1)] ^ Te[3][GETBYTE(t2, 0)] ^ rk[o+3] 1825 1826 ENC_ROUND_T_S( 0); 1827 ENC_ROUND_S_T( 8); ENC_ROUND_T_S( 8); 1828 ENC_ROUND_S_T(16); ENC_ROUND_T_S(16); 1829 ENC_ROUND_S_T(24); ENC_ROUND_T_S(24); 1830 ENC_ROUND_S_T(32); ENC_ROUND_T_S(32); 1831 if (r > 5) { 1832 ENC_ROUND_S_T(40); ENC_ROUND_T_S(40); 1833 if (r > 6) { 1834 ENC_ROUND_S_T(48); ENC_ROUND_T_S(48); 1835 } 1836 } 1837 rk += r * 8; 1838 #else 1704 1839 /* 1705 1840 * Nr - 1 full rounds: … … 1762 1897 rk[3]; 1763 1898 } 1899 #endif 1764 1900 1765 1901 /* … … 1793 1929 rk[3]; 1794 1930 #else 1931 #ifndef WC_NO_CACHE_RESISTANT 1795 1932 s0 |= PreFetchSBox(); 1933 #endif 1796 1934 1797 1935 r *= 2; … … 1880 2018 1881 2019 XMEMCPY(outBlock, &s0, sizeof(s0)); 1882 XMEMCPY(outBlock + sizeof(s0),&s1, sizeof(s1));2020 XMEMCPY(outBlock + sizeof(s0), &s1, sizeof(s1)); 1883 2021 XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2)); 1884 2022 XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3)); … … 1891 2029 defined(WOLFSSL_AES_DIRECT) 1892 2030 2031 #ifndef WC_NO_CACHE_RESISTANT 1893 2032 #ifndef WOLFSSL_AES_SMALL_TABLES 1894 2033 /* load 4 Td Tables into cache by cache line stride */ … … 1919 2058 return x; 1920 2059 } 2060 #endif 1921 2061 1922 2062 /* Software AES - ECB Decrypt */ … … 1926 2066 word32 t0, t1, t2, t3; 1927 2067 word32 r = aes->rounds >> 1; 1928 1929 2068 const word32* rk = aes->key; 2069 2070 #ifdef DEBUG_WOLFSSL 1930 2071 if (r > 7 || r == 0) { 1931 2072 WOLFSSL_MSG("AesDecrypt encountered improper key, set it up"); 1932 2073 return; /* stop instead of seg-faulting, set up your keys! */ 1933 2074 } 2075 #endif 2076 1934 2077 #ifdef WOLFSSL_AESNI 1935 2078 if (haveAESNI && aes->use_aesni) { … … 1946 2089 if ((const byte*)aes->tmp != inBlock) 1947 2090 XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE); 2091 SAVE_VECTOR_REGISTERS(); 1948 2092 AES_ECB_decrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key, 1949 2093 aes->rounds); 2094 RESTORE_VECTOR_REGISTERS(); 1950 2095 return; 1951 2096 } … … 1958 2103 #if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES) 1959 2104 return AES_ECB_decrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE); 2105 #endif 2106 #if defined(WOLFSSL_IMXRT_DCP) 2107 if (aes->keylen == 16) { 2108 DCPAesEcbDecrypt(aes, outBlock, inBlock, AES_BLOCK_SIZE); 2109 return; 2110 } 1960 2111 #endif 1961 2112 … … 1982 2133 1983 2134 #ifndef WOLFSSL_AES_SMALL_TABLES 2135 #ifndef WC_NO_CACHE_RESISTANT 1984 2136 s0 |= PreFetchTd(); 2137 #endif 2138 2139 #ifndef WOLFSSL_AES_NO_UNROLL 2140 /* Unroll the loop. */ 2141 #define DEC_ROUND_T_S(o) \ 2142 t0 = Td[0][GETBYTE(s0, 3)] ^ Td[1][GETBYTE(s3, 2)] ^ \ 2143 Td[2][GETBYTE(s2, 1)] ^ Td[3][GETBYTE(s1, 0)] ^ rk[o+4]; \ 2144 t1 = Td[0][GETBYTE(s1, 3)] ^ Td[1][GETBYTE(s0, 2)] ^ \ 2145 Td[2][GETBYTE(s3, 1)] ^ Td[3][GETBYTE(s2, 0)] ^ rk[o+5]; \ 2146 t2 = Td[0][GETBYTE(s2, 3)] ^ Td[1][GETBYTE(s1, 2)] ^ \ 2147 Td[2][GETBYTE(s0, 1)] ^ Td[3][GETBYTE(s3, 0)] ^ rk[o+6]; \ 2148 t3 = Td[0][GETBYTE(s3, 3)] ^ Td[1][GETBYTE(s2, 2)] ^ \ 2149 Td[2][GETBYTE(s1, 1)] ^ Td[3][GETBYTE(s0, 0)] ^ rk[o+7] 2150 #define DEC_ROUND_S_T(o) \ 2151 s0 = Td[0][GETBYTE(t0, 3)] ^ Td[1][GETBYTE(t3, 2)] ^ \ 2152 Td[2][GETBYTE(t2, 1)] ^ Td[3][GETBYTE(t1, 0)] ^ rk[o+0]; \ 2153 s1 = Td[0][GETBYTE(t1, 3)] ^ Td[1][GETBYTE(t0, 2)] ^ \ 2154 Td[2][GETBYTE(t3, 1)] ^ Td[3][GETBYTE(t2, 0)] ^ rk[o+1]; \ 2155 s2 = Td[0][GETBYTE(t2, 3)] ^ Td[1][GETBYTE(t1, 2)] ^ \ 2156 Td[2][GETBYTE(t0, 1)] ^ Td[3][GETBYTE(t3, 0)] ^ rk[o+2]; \ 2157 s3 = Td[0][GETBYTE(t3, 3)] ^ Td[1][GETBYTE(t2, 2)] ^ \ 2158 Td[2][GETBYTE(t1, 1)] ^ Td[3][GETBYTE(t0, 0)] ^ rk[o+3] 2159 2160 DEC_ROUND_T_S( 0); 2161 DEC_ROUND_S_T( 8); DEC_ROUND_T_S( 8); 2162 DEC_ROUND_S_T(16); DEC_ROUND_T_S(16); 2163 DEC_ROUND_S_T(24); DEC_ROUND_T_S(24); 2164 DEC_ROUND_S_T(32); DEC_ROUND_T_S(32); 2165 if (r > 5) { 2166 DEC_ROUND_S_T(40); DEC_ROUND_T_S(40); 2167 if (r > 6) { 2168 DEC_ROUND_S_T(48); DEC_ROUND_T_S(48); 2169 } 2170 } 2171 rk += r * 8; 2172 #else 1985 2173 1986 2174 /* … … 2044 2232 rk[3]; 2045 2233 } 2234 #endif 2046 2235 /* 2047 2236 * apply last round and … … 2049 2238 */ 2050 2239 2240 #ifndef WC_NO_CACHE_RESISTANT 2051 2241 t0 |= PreFetchTd4(); 2242 #endif 2052 2243 2053 2244 s0 = … … 2076 2267 rk[3]; 2077 2268 #else 2269 #ifndef WC_NO_CACHE_RESISTANT 2078 2270 s0 |= PreFetchTd4(); 2271 #endif 2079 2272 2080 2273 r *= 2; … … 2202 2395 aes->left = 0; 2203 2396 #endif 2204 2205 2397 return wc_AesSetIV(aes, iv); 2206 2398 } … … 2389 2581 aes->keylen = keylen; 2390 2582 aes->rounds = keylen/4 + 6; 2583 XMEMCPY(aes->key, userKey, keylen); 2391 2584 ret = nrf51_aes_set_key(userKey); 2392 2585 … … 2475 2668 XMEMCPY(aes->key, userKey, keylen); 2476 2669 2477 aes->ctx.key.pKey = ( uint8_t*)aes->key;2670 aes->ctx.key.pKey = (byte*)aes->key; 2478 2671 aes->ctx.key.keySize= keylen; 2479 2672 … … 2517 2710 /* implemented in wolfcrypt/src/port/devcrypto/devcrypto_aes.c */ 2518 2711 2712 #elif defined(WOLFSSL_SILABS_SE_ACCEL) 2713 /* implemented in wolfcrypt/src/port/silabs/silabs_hash.c */ 2714 2519 2715 #else 2520 2716 2521 2717 /* Software AES - SetKey */ 2522 2718 static int wc_AesSetKeyLocal(Aes* aes, const byte* userKey, word32 keylen, 2523 const byte* iv, int dir )2719 const byte* iv, int dir, int checkKeyLen) 2524 2720 { 2525 word32 *rk = aes->key; 2721 int ret; 2722 word32 *rk; 2526 2723 #ifdef NEED_AES_TABLES 2527 2724 word32 temp; 2528 2725 unsigned int i = 0; 2529 2726 #endif 2530 2531 #ifdef WOLFSSL_AESNI 2532 aes->use_aesni = 0; 2533 #endif /* WOLFSSL_AESNI */ 2534 #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \ 2535 defined(WOLFSSL_AES_OFB) 2536 aes->left = 0; 2727 #ifdef WOLFSSL_IMX6_CAAM_BLOB 2728 byte local[32]; 2729 word32 localSz = 32; 2730 #endif 2731 2732 #ifdef WOLFSSL_IMX6_CAAM_BLOB 2733 if (keylen == (16 + WC_CAAM_BLOB_SZ) || 2734 keylen == (24 + WC_CAAM_BLOB_SZ) || 2735 keylen == (32 + WC_CAAM_BLOB_SZ)) { 2736 if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz) != 0) { 2737 return BAD_FUNC_ARG; 2738 } 2739 2740 /* set local values */ 2741 userKey = local; 2742 keylen = localSz; 2743 } 2744 #endif 2745 2746 #if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \ 2747 (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \ 2748 (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)) 2749 #ifdef WOLF_CRYPTO_CB 2750 if (aes->devId != INVALID_DEVID) 2537 2751 #endif 2752 { 2753 if (keylen > sizeof(aes->devKey)) { 2754 return BAD_FUNC_ARG; 2755 } 2756 XMEMCPY(aes->devKey, userKey, keylen); 2757 } 2758 #endif 2759 2760 if (checkKeyLen) { 2761 if (keylen != 16 && keylen != 24 && keylen != 32) { 2762 return BAD_FUNC_ARG; 2763 } 2764 #ifdef AES_MAX_KEY_SIZE 2765 /* Check key length */ 2766 if (keylen > (AES_MAX_KEY_SIZE / 8)) { 2767 return BAD_FUNC_ARG; 2768 } 2769 #endif 2770 } 2771 2772 #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \ 2773 defined(WOLFSSL_AES_OFB) 2774 aes->left = 0; 2775 #endif 2538 2776 2539 2777 aes->keylen = keylen; 2540 2778 aes->rounds = (keylen/4) + 6; 2541 2779 2780 #ifdef WOLFSSL_AESNI 2781 aes->use_aesni = 0; 2782 if (checkAESNI == 0) { 2783 haveAESNI = Check_CPU_support_AES(); 2784 checkAESNI = 1; 2785 } 2786 if (haveAESNI) { 2787 aes->use_aesni = 1; 2788 if (iv) 2789 XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE); 2790 else 2791 XMEMSET(aes->reg, 0, AES_BLOCK_SIZE); 2792 if (dir == AES_ENCRYPTION) 2793 return AES_set_encrypt_key(userKey, keylen * 8, aes); 2794 #ifdef HAVE_AES_DECRYPT 2795 else 2796 return AES_set_decrypt_key(userKey, keylen * 8, aes); 2797 #endif 2798 } 2799 #endif /* WOLFSSL_AESNI */ 2800 2801 if (keylen > sizeof(aes->key)) { 2802 return BAD_FUNC_ARG; 2803 } 2804 rk = aes->key; 2542 2805 XMEMCPY(rk, userKey, keylen); 2543 2806 #if defined(LITTLE_ENDIAN_ORDER) && !defined(WOLFSSL_PIC32MZ_CRYPT) && \ … … 2545 2808 defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)) 2546 2809 ByteReverseWords(rk, rk, keylen); 2810 #endif 2811 2812 #ifdef WOLFSSL_IMXRT_DCP 2813 /* Implemented in wolfcrypt/src/port/nxp/dcp_port.c */ 2814 temp = 0; 2815 if (keylen == 16) 2816 temp = DCPAesSetKey(aes, userKey, keylen, iv, dir); 2817 if (temp != 0) 2818 return WC_HW_E; 2547 2819 #endif 2548 2820 … … 2659 2931 return BAD_FUNC_ARG; 2660 2932 } /* switch */ 2933 ForceZero(&temp, sizeof(temp)); 2661 2934 2662 2935 #if defined(HAVE_AES_DECRYPT) … … 2672 2945 temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; 2673 2946 } 2947 ForceZero(&temp, sizeof(temp)); 2674 2948 #if !defined(WOLFSSL_AES_SMALL_TABLES) 2675 2949 /* apply the inverse MixColumn transform to all round keys but the … … 2713 2987 #endif 2714 2988 2715 return wc_AesSetIV(aes, iv); 2716 } 2717 2718 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, 2719 const byte* iv, int dir) 2720 { 2721 int ret; 2722 #if defined(AES_MAX_KEY_SIZE) 2723 const word32 max_key_len = (AES_MAX_KEY_SIZE / 8); 2724 #endif 2725 2726 #ifdef WOLFSSL_IMX6_CAAM_BLOB 2727 byte local[32]; 2728 word32 localSz = 32; 2729 2730 if (keylen == (16 + WC_CAAM_BLOB_SZ) || 2731 keylen == (24 + WC_CAAM_BLOB_SZ) || 2732 keylen == (32 + WC_CAAM_BLOB_SZ)) { 2733 if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz) != 0) { 2734 return BAD_FUNC_ARG; 2735 } 2736 2737 /* set local values */ 2738 userKey = local; 2739 keylen = localSz; 2740 } 2741 #endif 2742 if (aes == NULL || 2743 !((keylen == 16) || (keylen == 24) || (keylen == 32))) { 2744 return BAD_FUNC_ARG; 2745 } 2746 2747 #if defined(AES_MAX_KEY_SIZE) 2748 /* Check key length */ 2749 if (keylen > max_key_len) { 2750 return BAD_FUNC_ARG; 2751 } 2752 #endif 2753 aes->keylen = keylen; 2754 aes->rounds = keylen/4 + 6; 2755 2756 #if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \ 2757 (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \ 2758 (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)) 2759 #ifdef WOLF_CRYPTO_CB 2760 if (aes->devId != INVALID_DEVID) 2761 #endif 2762 { 2763 XMEMCPY(aes->devKey, userKey, keylen); 2764 } 2765 #endif 2766 2767 #ifdef WOLFSSL_AESNI 2768 if (checkAESNI == 0) { 2769 haveAESNI = Check_CPU_support_AES(); 2770 checkAESNI = 1; 2771 } 2772 if (haveAESNI) { 2773 #if defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_CFB) || \ 2774 defined(WOLFSSL_AES_OFB) 2775 aes->left = 0; 2776 #endif /* WOLFSSL_AES_COUNTER */ 2777 aes->use_aesni = 1; 2778 if (iv) 2779 XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE); 2780 else 2781 XMEMSET(aes->reg, 0, AES_BLOCK_SIZE); 2782 if (dir == AES_ENCRYPTION) 2783 return AES_set_encrypt_key(userKey, keylen * 8, aes); 2784 #ifdef HAVE_AES_DECRYPT 2785 else 2786 return AES_set_decrypt_key(userKey, keylen * 8, aes); 2787 #endif 2788 } 2789 #endif /* WOLFSSL_AESNI */ 2790 2791 ret = wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir); 2989 ret = wc_AesSetIV(aes, iv); 2792 2990 2793 2991 #if defined(WOLFSSL_DEVCRYPTO) && \ … … 2801 2999 } 2802 3000 3001 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, 3002 const byte* iv, int dir) 3003 { 3004 if (aes == NULL) { 3005 return BAD_FUNC_ARG; 3006 } 3007 if (keylen > sizeof(aes->key)) { 3008 return BAD_FUNC_ARG; 3009 } 3010 3011 return wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir, 1); 3012 } 3013 2803 3014 #if defined(WOLFSSL_AES_DIRECT) || defined(WOLFSSL_AES_COUNTER) 2804 /* AES-CTR and AES-DIRECT need to use this for key setup, no aesni yet */ 3015 /* AES-CTR and AES-DIRECT need to use this for key setup */ 3016 /* This function allows key sizes that are not 128/192/256 bits */ 2805 3017 int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen, 2806 3018 const byte* iv, int dir) 2807 3019 { 2808 int ret; 2809 2810 #ifdef WOLFSSL_IMX6_CAAM_BLOB 2811 byte local[32]; 2812 word32 localSz = 32; 2813 2814 if (keylen == (16 + WC_CAAM_BLOB_SZ) || 2815 keylen == (24 + WC_CAAM_BLOB_SZ) || 2816 keylen == (32 + WC_CAAM_BLOB_SZ)) { 2817 if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz) 2818 != 0) { 2819 return BAD_FUNC_ARG; 2820 } 2821 2822 /* set local values */ 2823 userKey = local; 2824 keylen = localSz; 3020 if (aes == NULL) { 3021 return BAD_FUNC_ARG; 2825 3022 } 2826 #endif 2827 ret = wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir); 2828 2829 #ifdef WOLFSSL_IMX6_CAAM_BLOB 2830 ForceZero(local, sizeof(local)); 2831 #endif 2832 2833 return ret; 3023 if (keylen > sizeof(aes->key)) { 3024 return BAD_FUNC_ARG; 3025 } 3026 3027 return wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir, 0); 2834 3028 } 2835 3029 #endif /* WOLFSSL_AES_DIRECT || WOLFSSL_AES_COUNTER */ … … 2847 3041 else 2848 3042 XMEMSET(aes->reg, 0, AES_BLOCK_SIZE); 2849 2850 3043 return 0; 2851 3044 } … … 2856 3049 #error "Coldfire SEC doesn't yet support AES direct" 2857 3050 2858 #elif defined(FREESCALE_LTC)2859 /* Allow direct access to one block encrypt */2860 void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)2861 {2862 byte *key;2863 uint32_t keySize;2864 2865 key = (byte*)aes->key;2866 wc_AesGetKeySize(aes, &keySize);2867 2868 LTC_AES_EncryptEcb(LTC_BASE, in, out, AES_BLOCK_SIZE,2869 key, keySize);2870 }2871 2872 /* Allow direct access to one block decrypt */2873 void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)2874 {2875 byte *key;2876 uint32_t keySize;2877 2878 key = (byte*)aes->key;2879 wc_AesGetKeySize(aes, &keySize);2880 2881 LTC_AES_DecryptEcb(LTC_BASE, in, out, AES_BLOCK_SIZE,2882 key, keySize, kLTC_EncryptKey);2883 }2884 2885 3051 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES) 2886 3052 /* implemented in wolfcrypt/src/port/caam/caam_aes.c */ … … 2892 3058 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */ 2893 3059 2894 #elif defined(STM32_CRYPTO)2895 /* Allow direct access to one block encrypt */2896 void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)2897 {2898 if (wolfSSL_CryptHwMutexLock() == 0) {2899 wc_AesEncrypt(aes, in, out);2900 wolfSSL_CryptHwMutexUnLock();2901 }2902 }2903 #ifdef HAVE_AES_DECRYPT2904 /* Allow direct access to one block decrypt */2905 void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)2906 {2907 if (wolfSSL_CryptHwMutexLock() == 0) {2908 wc_AesDecrypt(aes, in, out);2909 wolfSSL_CryptHwMutexUnLock();2910 }2911 }2912 #endif /* HAVE_AES_DECRYPT */2913 2914 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \2915 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)2916 2917 /* Allow direct access to one block encrypt */2918 void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)2919 {2920 wc_AesEncrypt(aes, in, out);2921 }2922 #ifdef HAVE_AES_DECRYPT2923 /* Allow direct access to one block decrypt */2924 void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)2925 {2926 wc_AesDecrypt(aes, in, out);2927 }2928 #endif /* HAVE_AES_DECRYPT */2929 3060 #else 2930 3061 /* Allow direct access to one block encrypt */ … … 2964 3095 } 2965 3096 2966 #ifdef STM32_CRYPTO_AES_ONLY 3097 #if defined(STM32_HAL_V2) 3098 hcryp.Init.Algorithm = CRYP_AES_CBC; 3099 ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE); 3100 #elif defined(STM32_CRYPTO_AES_ONLY) 2967 3101 hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT; 2968 3102 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_CBC; 2969 3103 hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE; 2970 #elif defined(STM32_HAL_V2)2971 hcryp.Init.Algorithm = CRYP_AES_CBC;2972 ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE);2973 3104 #endif 2974 3105 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg; 2975 3106 HAL_CRYP_Init(&hcryp); 2976 3107 2977 while (blocks--) { 2978 #ifdef STM32_CRYPTO_AES_ONLY 2979 ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE, 2980 out, STM32_HAL_TIMEOUT); 2981 #elif defined(STM32_HAL_V2) 2982 ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE, 2983 (uint32_t*)out, STM32_HAL_TIMEOUT); 2984 #else 2985 ret = HAL_CRYP_AESCBC_Encrypt(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE, 2986 out, STM32_HAL_TIMEOUT); 2987 #endif 2988 if (ret != HAL_OK) { 2989 ret = WC_TIMEOUT_E; 2990 break; 2991 } 2992 2993 /* store iv for next call */ 2994 XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); 2995 2996 sz -= AES_BLOCK_SIZE; 2997 in += AES_BLOCK_SIZE; 2998 out += AES_BLOCK_SIZE; 2999 } 3108 #if defined(STM32_HAL_V2) 3109 ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, blocks * AES_BLOCK_SIZE, 3110 (uint32_t*)out, STM32_HAL_TIMEOUT); 3111 #elif defined(STM32_CRYPTO_AES_ONLY) 3112 ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, blocks * AES_BLOCK_SIZE, 3113 out, STM32_HAL_TIMEOUT); 3114 #else 3115 ret = HAL_CRYP_AESCBC_Encrypt(&hcryp, (uint8_t*)in, blocks * AES_BLOCK_SIZE, 3116 out, STM32_HAL_TIMEOUT); 3117 #endif 3118 if (ret != HAL_OK) { 3119 ret = WC_TIMEOUT_E; 3120 } 3121 3122 /* store iv for next call */ 3123 XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); 3000 3124 3001 3125 HAL_CRYP_DeInit(&hcryp); … … 3024 3148 XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); 3025 3149 3026 #ifdef STM32_CRYPTO_AES_ONLY 3150 #if defined(STM32_HAL_V2) 3151 hcryp.Init.Algorithm = CRYP_AES_CBC; 3152 ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE); 3153 #elif defined(STM32_CRYPTO_AES_ONLY) 3027 3154 hcryp.Init.OperatingMode = CRYP_ALGOMODE_KEYDERIVATION_DECRYPT; 3028 3155 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_CBC; 3029 3156 hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE; 3030 #elif defined(STM32_HAL_V2)3031 hcryp.Init.Algorithm = CRYP_AES_CBC;3032 ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE);3033 3157 #endif 3034 3158 … … 3036 3160 HAL_CRYP_Init(&hcryp); 3037 3161 3038 while (blocks--) { 3039 #ifdef STM32_CRYPTO_AES_ONLY 3040 ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE, 3041 out, STM32_HAL_TIMEOUT); 3042 #elif defined(STM32_HAL_V2) 3043 ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE, 3044 (uint32_t*)out, STM32_HAL_TIMEOUT); 3045 #else 3046 ret = HAL_CRYP_AESCBC_Decrypt(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE, 3047 out, STM32_HAL_TIMEOUT); 3048 #endif 3049 if (ret != HAL_OK) { 3050 ret = WC_TIMEOUT_E; 3051 break; 3052 } 3053 3054 /* store iv for next call */ 3055 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE); 3056 3057 in += AES_BLOCK_SIZE; 3058 out += AES_BLOCK_SIZE; 3059 } 3162 #if defined(STM32_HAL_V2) 3163 ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, blocks * AES_BLOCK_SIZE, 3164 (uint32_t*)out, STM32_HAL_TIMEOUT); 3165 #elif defined(STM32_CRYPTO_AES_ONLY) 3166 ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, blocks * AES_BLOCK_SIZE, 3167 out, STM32_HAL_TIMEOUT); 3168 #else 3169 ret = HAL_CRYP_AESCBC_Decrypt(&hcryp, (uint8_t*)in, blocks * AES_BLOCK_SIZE, 3170 out, STM32_HAL_TIMEOUT); 3171 #endif 3172 if (ret != HAL_OK) { 3173 ret = WC_TIMEOUT_E; 3174 } 3175 3176 /* store iv for next call */ 3177 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE); 3060 3178 3061 3179 HAL_CRYP_DeInit(&hcryp); … … 3066 3184 #endif /* HAVE_AES_DECRYPT */ 3067 3185 3068 #else /* S TD_PERI_LIB*/3186 #else /* Standard Peripheral Library */ 3069 3187 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) 3070 3188 { … … 3338 3456 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) 3339 3457 { 3340 uint32_tkeySize;3458 word32 keySize; 3341 3459 status_t status; 3342 3460 byte *iv, *enc_key; … … 3351 3469 } 3352 3470 3471 status = wolfSSL_CryptHwMutexLock(); 3472 if (status != 0) 3473 return status; 3353 3474 status = LTC_AES_EncryptCbc(LTC_BASE, in, out, blocks * AES_BLOCK_SIZE, 3354 3475 iv, enc_key, keySize); 3476 wolfSSL_CryptHwMutexUnLock(); 3355 3477 3356 3478 /* store iv for next call */ … … 3365 3487 int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) 3366 3488 { 3367 uint32_tkeySize;3489 word32 keySize; 3368 3490 status_t status; 3369 3491 byte* iv, *dec_key; … … 3382 3504 XMEMCPY(temp_block, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); 3383 3505 3506 status = wolfSSL_CryptHwMutexLock(); 3507 if (status != 0) 3508 return status; 3384 3509 status = LTC_AES_DecryptCbc(LTC_BASE, in, out, blocks * AES_BLOCK_SIZE, 3385 3510 iv, dec_key, keySize, kLTC_EncryptKey); 3511 wolfSSL_CryptHwMutexUnLock(); 3386 3512 3387 3513 /* store IV for next call */ … … 3403 3529 byte temp_block[AES_BLOCK_SIZE]; 3404 3530 3405 iv 3531 iv = (byte*)aes->reg; 3406 3532 3407 3533 while (blocks--) { … … 3431 3557 byte temp_block[AES_BLOCK_SIZE]; 3432 3558 3433 iv 3559 iv = (byte*)aes->reg; 3434 3560 3435 3561 while (blocks--) { … … 3514 3640 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) 3515 3641 { 3516 return SaSi_AesBlock(&aes->ctx.user_ctx, (uint8_t* 3642 return SaSi_AesBlock(&aes->ctx.user_ctx, (uint8_t*)in, sz, out); 3517 3643 } 3518 3644 int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) 3519 3645 { 3520 return SaSi_AesBlock(&aes->ctx.user_ctx, (uint8_t* 3646 return SaSi_AesBlock(&aes->ctx.user_ctx, (uint8_t*)in, sz, out); 3521 3647 } 3522 3648 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES) … … 3528 3654 #elif defined(WOLFSSL_DEVCRYPTO_CBC) 3529 3655 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */ 3656 3657 #elif defined(WOLFSSL_SILABS_SE_ACCEL) 3658 /* implemented in wolfcrypt/src/port/silabs/silabs_hash.c */ 3530 3659 3531 3660 #else … … 3539 3668 return BAD_FUNC_ARG; 3540 3669 } 3670 3671 if (sz == 0) { 3672 return 0; 3673 } 3674 #ifdef WOLFSSL_IMXRT_DCP 3675 /* Implemented in wolfcrypt/src/port/nxp/dcp_port.c */ 3676 if (aes->keylen == 16) 3677 return DCPAesCbcEncrypt(aes, out, in, sz); 3678 #endif 3541 3679 3542 3680 #ifdef WOLF_CRYPTO_CB … … 3593 3731 tmp_align = tmp + (AESNI_ALIGN - ((size_t)tmp % AESNI_ALIGN)); 3594 3732 XMEMCPY(tmp_align, in, sz); 3733 SAVE_VECTOR_REGISTERS(); 3595 3734 AES_CBC_encrypt(tmp_align, tmp_align, (byte*)aes->reg, sz, 3596 3735 (byte*)aes->key, aes->rounds); 3736 RESTORE_VECTOR_REGISTERS(); 3597 3737 /* store iv for next call */ 3598 3738 XMEMCPY(aes->reg, tmp_align + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); … … 3607 3747 } 3608 3748 3749 SAVE_VECTOR_REGISTERS(); 3609 3750 AES_CBC_encrypt(in, out, (byte*)aes->reg, sz, (byte*)aes->key, 3610 3751 aes->rounds); 3752 RESTORE_VECTOR_REGISTERS(); 3611 3753 /* store iv for next call */ 3612 3754 XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); … … 3638 3780 return BAD_FUNC_ARG; 3639 3781 } 3782 3783 if (sz == 0) { 3784 return 0; 3785 } 3786 #ifdef WOLFSSL_IMXRT_DCP 3787 /* Implemented in wolfcrypt/src/port/nxp/dcp_port.c */ 3788 if (aes->keylen == 16) 3789 return DCPAesCbcDecrypt(aes, out, in, sz); 3790 #endif 3640 3791 3641 3792 #ifdef WOLF_CRYPTO_CB … … 3684 3835 /* if input and output same will overwrite input iv */ 3685 3836 XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE); 3837 SAVE_VECTOR_REGISTERS(); 3686 3838 #if defined(WOLFSSL_AESNI_BY4) 3687 3839 AES_CBC_decrypt_by4(in, out, (byte*)aes->reg, sz, (byte*)aes->key, … … 3695 3847 #endif /* WOLFSSL_AESNI_BYx */ 3696 3848 /* store iv for next call */ 3849 RESTORE_VECTOR_REGISTERS(); 3697 3850 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE); 3698 3851 return 0; … … 3741 3894 #endif 3742 3895 3896 #ifdef WOLFSSL_STM32_CUBEMX 3897 ret = wc_Stm32_Aes_Init(aes, &hcryp); 3898 if (ret != 0) { 3899 return ret; 3900 } 3901 3743 3902 ret = wolfSSL_CryptHwMutexLock(); 3744 3903 if (ret != 0) { … … 3746 3905 } 3747 3906 3748 #ifdef WOLFSSL_STM32_CUBEMX 3749 ret = wc_Stm32_Aes_Init(aes, &hcryp); 3750 if (ret != 0) { 3751 wolfSSL_CryptHwMutexUnLock(); 3752 return ret; 3753 } 3754 3755 #ifdef STM32_CRYPTO_AES_ONLY 3907 #if defined(STM32_HAL_V2) 3908 hcryp.Init.Algorithm = CRYP_AES_CTR; 3909 ByteReverseWords(iv, aes->reg, AES_BLOCK_SIZE); 3910 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)iv; 3911 #elif defined(STM32_CRYPTO_AES_ONLY) 3756 3912 hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT; 3757 3913 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_CTR; 3758 3914 hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE; 3759 3915 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg; 3760 #elif defined(STM32_HAL_V2)3761 hcryp.Init.Algorithm = CRYP_AES_CTR;3762 ByteReverseWords(iv, aes->reg, AES_BLOCK_SIZE);3763 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)iv;3764 3916 #else 3765 3917 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg; … … 3767 3919 HAL_CRYP_Init(&hcryp); 3768 3920 3769 #ifdef STM32_CRYPTO_AES_ONLY 3921 #if defined(STM32_HAL_V2) 3922 ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE, 3923 (uint32_t*)out, STM32_HAL_TIMEOUT); 3924 #elif defined(STM32_CRYPTO_AES_ONLY) 3770 3925 ret = HAL_CRYPEx_AES(&hcryp, (byte*)in, AES_BLOCK_SIZE, 3771 3926 out, STM32_HAL_TIMEOUT); 3772 #elif defined(STM32_HAL_V2)3773 ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,3774 (uint32_t*)out, STM32_HAL_TIMEOUT);3775 3927 #else 3776 3928 ret = HAL_CRYP_AESCTR_Encrypt(&hcryp, (byte*)in, AES_BLOCK_SIZE, … … 3782 3934 HAL_CRYP_DeInit(&hcryp); 3783 3935 3784 #else /* S TD_PERI_LIB*/3936 #else /* Standard Peripheral Library */ 3785 3937 ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit); 3786 3938 if (ret != 0) { 3787 wolfSSL_CryptHwMutexUnLock(); 3939 return ret; 3940 } 3941 3942 ret = wolfSSL_CryptHwMutexLock(); 3943 if (ret != 0) { 3788 3944 return ret; 3789 3945 } … … 3830 3986 /* disable crypto processor */ 3831 3987 CRYP_Cmd(DISABLE); 3832 3833 3988 #endif /* WOLFSSL_STM32_CUBEMX */ 3834 3989 … … 3859 4014 int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) 3860 4015 { 3861 uint32_t keySize; 4016 int ret = 0; 4017 word32 keySize; 3862 4018 byte *iv, *enc_key; 3863 4019 byte* tmp; … … 3881 4037 wc_AesGetKeySize(aes, &keySize); 3882 4038 4039 ret = wolfSSL_CryptHwMutexLock(); 4040 if (ret != 0) 4041 return ret; 3883 4042 LTC_AES_CryptCtr(LTC_BASE, in, out, sz, 3884 4043 iv, enc_key, keySize, (byte*)aes->tmp, 3885 4044 (uint32_t*)&aes->left); 4045 wolfSSL_CryptHwMutexUnLock(); 3886 4046 } 3887 4047 3888 return 0;4048 return ret; 3889 4049 } 3890 4050 … … 3897 4057 #elif defined(WOLFSSL_DEVCRYPTO_AES) 3898 4058 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */ 3899 4059 3900 4060 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \ 3901 4061 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES) … … 4010 4170 #error "Coldfire SEC doesn't currently support AES-GCM mode" 4011 4171 4012 #elif defined(WOLFSSL_NRF51_AES)4013 #error "nRF51 doesn't currently support AES-GCM mode"4014 4015 4172 #endif 4016 4173 … … 4037 4194 } 4038 4195 } 4039 #ifdef STM32_CRYPTO_AES_GCM4040 static WC_INLINE void DecrementGcmCounter(byte* inOutCtr)4041 {4042 int i;4043 4044 /* in network byte order so start at end and work back */4045 for (i = AES_BLOCK_SIZE - 1; i >= AES_BLOCK_SIZE - CTR_SZ; i--) {4046 if (--inOutCtr[i] != 0xFF) /* we're done unless we underflow */4047 return;4048 }4049 }4050 #endif /* STM32_CRYPTO_AES_GCM */4051 4196 #endif /* !FREESCALE_LTC_AES_GCM */ 4052 4197 4053 #if defined(GCM_SMALL) || defined(GCM_TABLE) 4198 #if defined(GCM_SMALL) || defined(GCM_TABLE) || defined(GCM_TABLE_4BIT) 4054 4199 4055 4200 static WC_INLINE void FlattenSzInBits(byte* buf, word32 sz) … … 4086 4231 } 4087 4232 4088 #endif /* defined(GCM_SMALL) || defined(GCM_TABLE) */4233 #endif /* defined(GCM_SMALL) || defined(GCM_TABLE) || defined(GCM_TABLE_4BIT) */ 4089 4234 4090 4235 … … 4111 4256 4112 4257 XMEMSET(m[0], 0, AES_BLOCK_SIZE); 4258 } 4259 4260 #elif defined(GCM_TABLE_4BIT) 4261 4262 static WC_INLINE void Shift4_M0(byte *r8, byte* z8) 4263 { 4264 int i; 4265 for (i = 15; i > 0; i--) 4266 r8[i] = (z8[i-1] << 4) | (z8[i] >> 4); 4267 r8[0] = z8[0] >> 4; 4268 } 4269 4270 static void GenerateM0(Aes* aes) 4271 { 4272 #if !defined(BIG_ENDIAN_ORDER) && !defined(WC_16BIT_CPU) 4273 int i; 4274 #endif 4275 byte (*m)[AES_BLOCK_SIZE] = aes->M0; 4276 4277 /* 0 times -> 0x0 */ 4278 XMEMSET(m[0x0], 0, AES_BLOCK_SIZE); 4279 /* 1 times -> 0x8 */ 4280 XMEMCPY(m[0x8], aes->H, AES_BLOCK_SIZE); 4281 /* 2 times -> 0x4 */ 4282 XMEMCPY(m[0x4], m[0x8], AES_BLOCK_SIZE); 4283 RIGHTSHIFTX(m[0x4]); 4284 /* 4 times -> 0x2 */ 4285 XMEMCPY(m[0x2], m[0x4], AES_BLOCK_SIZE); 4286 RIGHTSHIFTX(m[0x2]); 4287 /* 8 times -> 0x1 */ 4288 XMEMCPY(m[0x1], m[0x2], AES_BLOCK_SIZE); 4289 RIGHTSHIFTX(m[0x1]); 4290 4291 /* 0x3 */ 4292 XMEMCPY(m[0x3], m[0x2], AES_BLOCK_SIZE); 4293 xorbuf (m[0x3], m[0x1], AES_BLOCK_SIZE); 4294 4295 /* 0x5 -> 0x7 */ 4296 XMEMCPY(m[0x5], m[0x4], AES_BLOCK_SIZE); 4297 xorbuf (m[0x5], m[0x1], AES_BLOCK_SIZE); 4298 XMEMCPY(m[0x6], m[0x4], AES_BLOCK_SIZE); 4299 xorbuf (m[0x6], m[0x2], AES_BLOCK_SIZE); 4300 XMEMCPY(m[0x7], m[0x4], AES_BLOCK_SIZE); 4301 xorbuf (m[0x7], m[0x3], AES_BLOCK_SIZE); 4302 4303 /* 0x9 -> 0xf */ 4304 XMEMCPY(m[0x9], m[0x8], AES_BLOCK_SIZE); 4305 xorbuf (m[0x9], m[0x1], AES_BLOCK_SIZE); 4306 XMEMCPY(m[0xa], m[0x8], AES_BLOCK_SIZE); 4307 xorbuf (m[0xa], m[0x2], AES_BLOCK_SIZE); 4308 XMEMCPY(m[0xb], m[0x8], AES_BLOCK_SIZE); 4309 xorbuf (m[0xb], m[0x3], AES_BLOCK_SIZE); 4310 XMEMCPY(m[0xc], m[0x8], AES_BLOCK_SIZE); 4311 xorbuf (m[0xc], m[0x4], AES_BLOCK_SIZE); 4312 XMEMCPY(m[0xd], m[0x8], AES_BLOCK_SIZE); 4313 xorbuf (m[0xd], m[0x5], AES_BLOCK_SIZE); 4314 XMEMCPY(m[0xe], m[0x8], AES_BLOCK_SIZE); 4315 xorbuf (m[0xe], m[0x6], AES_BLOCK_SIZE); 4316 XMEMCPY(m[0xf], m[0x8], AES_BLOCK_SIZE); 4317 xorbuf (m[0xf], m[0x7], AES_BLOCK_SIZE); 4318 4319 #if !defined(BIG_ENDIAN_ORDER) && !defined(WC_16BIT_CPU) 4320 for (i = 0; i < 16; i++) { 4321 Shift4_M0(m[16+i], m[i]); 4322 } 4323 #endif 4113 4324 } 4114 4325 … … 4159 4370 if (ret == 0) { 4160 4371 wc_AesEncrypt(aes, iv, aes->H); 4161 #if def GCM_TABLE4372 #if defined(GCM_TABLE) || defined(GCM_TABLE_4BIT) 4162 4373 GenerateM0(aes); 4163 4374 #endif /* GCM_TABLE */ … … 4180 4391 ForceZero(local, sizeof(local)); 4181 4392 #endif 4182 4183 4393 return ret; 4184 4394 } … … 4196 4406 void AES_GCM_encrypt(const unsigned char *in, unsigned char *out, 4197 4407 const unsigned char* addt, const unsigned char* ivec, 4198 unsigned char *tag, unsigned intnbytes,4199 unsigned int abytes, unsigned intibytes,4200 unsigned inttbytes, const unsigned char* key, int nr)4408 unsigned char *tag, word32 nbytes, 4409 word32 abytes, word32 ibytes, 4410 word32 tbytes, const unsigned char* key, int nr) 4201 4411 XASM_LINK("AES_GCM_encrypt"); 4202 4412 #ifdef HAVE_INTEL_AVX1 4203 4413 void AES_GCM_encrypt_avx1(const unsigned char *in, unsigned char *out, 4204 4414 const unsigned char* addt, const unsigned char* ivec, 4205 unsigned char *tag, unsigned intnbytes,4206 unsigned int abytes, unsigned intibytes,4207 unsigned inttbytes, const unsigned char* key,4415 unsigned char *tag, word32 nbytes, 4416 word32 abytes, word32 ibytes, 4417 word32 tbytes, const unsigned char* key, 4208 4418 int nr) 4209 4419 XASM_LINK("AES_GCM_encrypt_avx1"); … … 4211 4421 void AES_GCM_encrypt_avx2(const unsigned char *in, unsigned char *out, 4212 4422 const unsigned char* addt, const unsigned char* ivec, 4213 unsigned char *tag, unsigned intnbytes,4214 unsigned int abytes, unsigned intibytes,4215 unsigned inttbytes, const unsigned char* key,4423 unsigned char *tag, word32 nbytes, 4424 word32 abytes, word32 ibytes, 4425 word32 tbytes, const unsigned char* key, 4216 4426 int nr) 4217 4427 XASM_LINK("AES_GCM_encrypt_avx2"); … … 4222 4432 void AES_GCM_decrypt(const unsigned char *in, unsigned char *out, 4223 4433 const unsigned char* addt, const unsigned char* ivec, 4224 const unsigned char *tag, int nbytes, intabytes,4225 int ibytes, int tbytes, const unsigned char* key, int nr,4226 int * res)4434 const unsigned char *tag, word32 nbytes, word32 abytes, 4435 word32 ibytes, word32 tbytes, const unsigned char* key, 4436 int nr, int* res) 4227 4437 XASM_LINK("AES_GCM_decrypt"); 4228 4438 #ifdef HAVE_INTEL_AVX1 4229 4439 void AES_GCM_decrypt_avx1(const unsigned char *in, unsigned char *out, 4230 4440 const unsigned char* addt, const unsigned char* ivec, 4231 const unsigned char *tag, int nbytes, int abytes,4232 int ibytes, int tbytes, const unsigned char* key,4233 int nr, int* res)4441 const unsigned char *tag, word32 nbytes, 4442 word32 abytes, word32 ibytes, word32 tbytes, 4443 const unsigned char* key, int nr, int* res) 4234 4444 XASM_LINK("AES_GCM_decrypt_avx1"); 4235 4445 #ifdef HAVE_INTEL_AVX2 4236 4446 void AES_GCM_decrypt_avx2(const unsigned char *in, unsigned char *out, 4237 4447 const unsigned char* addt, const unsigned char* ivec, 4238 const unsigned char *tag, int nbytes, int abytes,4239 int ibytes, int tbytes, const unsigned char* key,4240 int nr, int* res)4448 const unsigned char *tag, word32 nbytes, 4449 word32 abytes, word32 ibytes, word32 tbytes, 4450 const unsigned char* key, int nr, int* res) 4241 4451 XASM_LINK("AES_GCM_decrypt_avx2"); 4242 4452 #endif /* HAVE_INTEL_AVX2 */ … … 4585 4795 4586 4796 4587 static void AES_GCM_encrypt(const unsigned char *in, 4588 unsigned char *out, 4589 const unsigned char* addt, 4590 const unsigned char* ivec, 4591 unsigned char *tag, unsigned int nbytes, 4592 unsigned int abytes, unsigned int ibytes, 4593 unsigned int tbytes, 4594 const unsigned char* key, int nr) 4797 static void AES_GCM_encrypt(const unsigned char *in, unsigned char *out, 4798 const unsigned char* addt, 4799 const unsigned char* ivec, unsigned char *tag, 4800 word32 nbytes, word32 abytes, word32 ibytes, 4801 wrd32 tbytes, const unsigned char* key, int nr) 4595 4802 { 4596 4803 int i, j ,k; … … 5013 5220 X = gfmul_shifted(X, H); 5014 5221 } 5015 tmp1 = _mm_insert_epi64(tmp1, nbytes*8, 0);5016 tmp1 = _mm_insert_epi64(tmp1, abytes*8, 1);5222 tmp1 = _mm_insert_epi64(tmp1, ((word64)nbytes)*8, 0); 5223 tmp1 = _mm_insert_epi64(tmp1, ((word64)abytes)*8, 1); 5017 5224 X = _mm_xor_si128(X, tmp1); 5018 5225 X = gfmul_shifted(X, H); … … 5021 5228 /*_mm_storeu_si128((__m128i*)tag, T);*/ 5022 5229 XMEMCPY(tag, &T, tbytes); 5230 ForceZero(&lastKey, sizeof(lastKey)); 5023 5231 } 5024 5232 5025 5233 #ifdef HAVE_AES_DECRYPT 5026 5234 5027 static void AES_GCM_decrypt(const unsigned char *in, 5028 unsigned char *out, 5029 const unsigned char* addt, 5030 const unsigned char* ivec, 5031 const unsigned char *tag, int nbytes, int abytes, 5032 int ibytes, word32 tbytes, const unsigned char* key, 5033 int nr, int* res) 5235 static void AES_GCM_decrypt(const unsigned char *in, unsigned char *out, 5236 const unsigned char* addt, 5237 const unsigned char* ivec, const unsigned char *tag, 5238 word32 nbytes, word32 abytes, word32 ibytes, 5239 word32 tbytes, const unsigned char* key, int nr, 5240 int* res) 5034 5241 { 5035 5242 int i, j ,k; … … 5337 5544 } 5338 5545 5339 tmp1 = _mm_insert_epi64(tmp1, nbytes*8, 0);5340 tmp1 = _mm_insert_epi64(tmp1, abytes*8, 1);5546 tmp1 = _mm_insert_epi64(tmp1, ((word64)nbytes)*8, 0); 5547 tmp1 = _mm_insert_epi64(tmp1, ((word64)abytes)*8, 1); 5341 5548 /* 128 x 128 Carryless Multiply */ 5342 5549 X = _mm_xor_si128(X, tmp1); … … 5351 5558 else 5352 5559 *res = 1; /* when successful returns 1 */ 5560 ForceZero(&lastKey, sizeof(lastKey)); 5353 5561 } 5354 5562 … … 5510 5718 static void GMULT(byte *x, byte m[256][AES_BLOCK_SIZE]) 5511 5719 { 5720 #if !defined(WORD64_AVAILABLE) || defined(BIG_ENDIAN_ORDER) 5512 5721 int i, j; 5513 5722 byte Z[AES_BLOCK_SIZE]; … … 5524 5733 } 5525 5734 5526 Z[0] = R[a][0];5735 Z[0] = R[a][0]; 5527 5736 Z[1] ^= R[a][1]; 5528 5737 } … … 5530 5739 5531 5740 XMEMCPY(x, Z, AES_BLOCK_SIZE); 5532 } 5533 5741 #else 5742 byte Z[AES_BLOCK_SIZE + AES_BLOCK_SIZE]; 5743 byte a; 5744 word64* pZ; 5745 word64* pm; 5746 word64* px = (word64*)(x); 5747 int i; 5748 5749 pZ = (word64*)(Z + 15 + 1); 5750 pm = (word64*)(m[x[15]]); 5751 pZ[0] = pm[0]; 5752 pZ[1] = pm[1]; 5753 a = Z[16 + 15]; 5754 Z[15] = R[a][0]; 5755 Z[16] ^= R[a][1]; 5756 for (i = 14; i > 0; i--) { 5757 pZ = (word64*)(Z + i + 1); 5758 pm = (word64*)(m[x[i]]); 5759 pZ[0] ^= pm[0]; 5760 pZ[1] ^= pm[1]; 5761 a = Z[16 + i]; 5762 Z[i] = R[a][0]; 5763 Z[i+1] ^= R[a][1]; 5764 } 5765 pZ = (word64*)(Z + 1); 5766 pm = (word64*)(m[x[0]]); 5767 px[0] = pZ[0] ^ pm[0]; px[1] = pZ[1] ^ pm[1]; 5768 #endif 5769 } 5534 5770 5535 5771 void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c, … … 5587 5823 5588 5824 /* end GCM_TABLE */ 5825 #elif defined(GCM_TABLE_4BIT) 5826 5827 /* remainder = x^7 + x^2 + x^1 + 1 => 0xe1 5828 * R shifts right a reverse bit pair of bytes such that: 5829 * R(b0, b1) => b1 = (b1 >> 1) | (b0 << 7); b0 >>= 1 5830 * 0 => 0, 0, 0, 0 => R(R(R(00,00) ^ 00,00) ^ 00,00) ^ 00,00 = 00,00 5831 * 8 => 0, 0, 0, 1 => R(R(R(00,00) ^ 00,00) ^ 00,00) ^ e1,00 = e1,00 5832 * 4 => 0, 0, 1, 0 => R(R(R(00,00) ^ 00,00) ^ e1,00) ^ 00,00 = 70,80 5833 * 2 => 0, 1, 0, 0 => R(R(R(00,00) ^ e1,00) ^ 00,00) ^ 00,00 = 38,40 5834 * 1 => 1, 0, 0, 0 => R(R(R(e1,00) ^ 00,00) ^ 00,00) ^ 00,00 = 1c,20 5835 * To calculate te rest, XOR result for each bit. 5836 * e.g. 6 = 4 ^ 2 => 48,c0 5837 * 5838 * Second half is same values rotated by 4-bits. 5839 */ 5840 #if defined(BIG_ENDIAN_ORDER) || defined(WC_16BIT_CPU) 5841 static const byte R[16][2] = { 5842 {0x00, 0x00}, {0x1c, 0x20}, {0x38, 0x40}, {0x24, 0x60}, 5843 {0x70, 0x80}, {0x6c, 0xa0}, {0x48, 0xc0}, {0x54, 0xe0}, 5844 {0xe1, 0x00}, {0xfd, 0x20}, {0xd9, 0x40}, {0xc5, 0x60}, 5845 {0x91, 0x80}, {0x8d, 0xa0}, {0xa9, 0xc0}, {0xb5, 0xe0}, 5846 }; 5847 #else 5848 static const word16 R[32] = { 5849 0x0000, 0x201c, 0x4038, 0x6024, 5850 0x8070, 0xa06c, 0xc048, 0xe054, 5851 0x00e1, 0x20fd, 0x40d9, 0x60c5, 5852 0x8091, 0xa08d, 0xc0a9, 0xe0b5, 5853 5854 0x0000, 0xc201, 0x8403, 0x4602, 5855 0x0807, 0xca06, 0x8c04, 0x4e05, 5856 0x100e, 0xd20f, 0x940d, 0x560c, 5857 0x1809, 0xda08, 0x9c0a, 0x5e0b, 5858 }; 5859 #endif 5860 5861 /* Multiply in GF(2^128) defined by polynomial: 5862 * x^128 + x^7 + x^2 + x^1 + 1. 5863 * 5864 * H: hash key = encrypt(key, 0) 5865 * x = x * H in field 5866 * 5867 * x: cumlative result 5868 * m: 4-bit table 5869 * [0..15] * H 5870 */ 5871 #if defined(BIG_ENDIAN_ORDER) || defined(WC_16BIT_CPU) 5872 static void GMULT(byte *x, byte m[16][AES_BLOCK_SIZE]) 5873 { 5874 int i, j, n; 5875 byte Z[AES_BLOCK_SIZE]; 5876 byte a; 5877 5878 XMEMSET(Z, 0, sizeof(Z)); 5879 5880 for (i = 15; i >= 0; i--) { 5881 for (n = 0; n < 2; n++) { 5882 if (n == 0) 5883 xorbuf(Z, m[x[i] & 0xf], AES_BLOCK_SIZE); 5884 else { 5885 xorbuf(Z, m[x[i] >> 4], AES_BLOCK_SIZE); 5886 if (i == 0) 5887 break; 5888 } 5889 a = Z[15] & 0xf; 5890 5891 for (j = 15; j > 0; j--) 5892 Z[j] = (Z[j-1] << 4) | (Z[j] >> 4); 5893 Z[0] >>= 4; 5894 5895 Z[0] ^= R[a][0]; 5896 Z[1] ^= R[a][1]; 5897 } 5898 } 5899 5900 XMEMCPY(x, Z, AES_BLOCK_SIZE); 5901 } 5902 #elif defined(WC_32BIT_CPU) 5903 static WC_INLINE void GMULT(byte *x, byte m[32][AES_BLOCK_SIZE]) 5904 { 5905 int i; 5906 word32 z8[4] = {0, 0, 0, 0}; 5907 byte a; 5908 word32* x8 = (word32*)x; 5909 word32* m8; 5910 byte xi; 5911 word32 n7, n6, n5, n4, n3, n2, n1, n0; 5912 5913 for (i = 15; i > 0; i--) { 5914 xi = x[i]; 5915 5916 /* XOR in (msn * H) */ 5917 m8 = (word32*)m[xi & 0xf]; 5918 z8[0] ^= m8[0]; z8[1] ^= m8[1]; z8[2] ^= m8[2]; z8[3] ^= m8[3]; 5919 5920 /* Cache top byte for remainder calculations - lost in rotate. */ 5921 a = z8[3] >> 24; 5922 5923 /* Rotate Z by 8-bits */ 5924 z8[3] = (z8[2] >> 24) | (z8[3] << 8); 5925 z8[2] = (z8[1] >> 24) | (z8[2] << 8); 5926 z8[1] = (z8[0] >> 24) | (z8[1] << 8); 5927 z8[0] <<= 8; 5928 5929 /* XOR in (msn * remainder) [pre-rotated by 4 bits] */ 5930 z8[0] ^= (word32)R[16 + (a & 0xf)]; 5931 5932 xi >>= 4; 5933 /* XOR in next significant nibble (XORed with H) * remainder */ 5934 m8 = (word32*)m[xi]; 5935 a ^= (byte)(m8[3] >> 20); 5936 z8[0] ^= (word32)R[a >> 4]; 5937 5938 /* XOR in (next significant nibble * H) [pre-rotated by 4 bits] */ 5939 m8 = (word32*)m[16 + xi]; 5940 z8[0] ^= m8[0]; z8[1] ^= m8[1]; 5941 z8[2] ^= m8[2]; z8[3] ^= m8[3]; 5942 } 5943 5944 xi = x[0]; 5945 5946 /* XOR in most significant nibble * H */ 5947 m8 = (word32*)m[xi & 0xf]; 5948 z8[0] ^= m8[0]; z8[1] ^= m8[1]; z8[2] ^= m8[2]; z8[3] ^= m8[3]; 5949 5950 /* Cache top byte for remainder calculations - lost in rotate. */ 5951 a = (z8[3] >> 24) & 0xf; 5952 5953 /* Rotate z by 4-bits */ 5954 n7 = z8[3] & 0xf0f0f0f0ULL; 5955 n6 = z8[3] & 0x0f0f0f0fULL; 5956 n5 = z8[2] & 0xf0f0f0f0ULL; 5957 n4 = z8[2] & 0x0f0f0f0fULL; 5958 n3 = z8[1] & 0xf0f0f0f0ULL; 5959 n2 = z8[1] & 0x0f0f0f0fULL; 5960 n1 = z8[0] & 0xf0f0f0f0ULL; 5961 n0 = z8[0] & 0x0f0f0f0fULL; 5962 z8[3] = (n7 >> 4) | (n6 << 12) | (n4 >> 20); 5963 z8[2] = (n5 >> 4) | (n4 << 12) | (n2 >> 20); 5964 z8[1] = (n3 >> 4) | (n2 << 12) | (n0 >> 20); 5965 z8[0] = (n1 >> 4) | (n0 << 12); 5966 5967 /* XOR in most significant nibble * remainder */ 5968 z8[0] ^= (word32)R[a]; 5969 /* XOR in next significant nibble * H */ 5970 m8 = (word32*)m[xi >> 4]; 5971 z8[0] ^= m8[0]; z8[1] ^= m8[1]; z8[2] ^= m8[2]; z8[3] ^= m8[3]; 5972 5973 /* Write back result. */ 5974 x8[0] = z8[0]; x8[1] = z8[1]; x8[2] = z8[2]; x8[3] = z8[3]; 5975 } 5976 #else 5977 static WC_INLINE void GMULT(byte *x, byte m[32][AES_BLOCK_SIZE]) 5978 { 5979 int i; 5980 word64 z8[2] = {0, 0}; 5981 byte a; 5982 word64* x8 = (word64*)x; 5983 word64* m8; 5984 word64 n0, n1, n2, n3; 5985 byte xi; 5986 5987 for (i = 15; i > 0; i--) { 5988 xi = x[i]; 5989 5990 /* XOR in (msn * H) */ 5991 m8 = (word64*)m[xi & 0xf]; 5992 z8[0] ^= m8[0]; 5993 z8[1] ^= m8[1]; 5994 5995 /* Cache top byte for remainder calculations - lost in rotate. */ 5996 a = z8[1] >> 56; 5997 5998 /* Rotate Z by 8-bits */ 5999 z8[1] = (z8[0] >> 56) | (z8[1] << 8); 6000 z8[0] <<= 8; 6001 6002 /* XOR in (next significant nibble * H) [pre-rotated by 4 bits] */ 6003 m8 = (word64*)m[16 + (xi >> 4)]; 6004 z8[0] ^= m8[0]; 6005 z8[1] ^= m8[1]; 6006 6007 /* XOR in (msn * remainder) [pre-rotated by 4 bits] */ 6008 z8[0] ^= (word64)R[16 + (a & 0xf)]; 6009 /* XOR in next significant nibble (XORed with H) * remainder */ 6010 m8 = (word64*)m[xi >> 4]; 6011 a ^= (byte)(m8[1] >> 52); 6012 z8[0] ^= (word64)R[a >> 4]; 6013 } 6014 6015 xi = x[0]; 6016 6017 /* XOR in most significant nibble * H */ 6018 m8 = (word64*)m[xi & 0xf]; 6019 z8[0] ^= m8[0]; 6020 z8[1] ^= m8[1]; 6021 6022 /* Cache top byte for remainder calculations - lost in rotate. */ 6023 a = (z8[1] >> 56) & 0xf; 6024 6025 /* Rotate z by 4-bits */ 6026 n3 = z8[1] & 0xf0f0f0f0f0f0f0f0ULL; 6027 n2 = z8[1] & 0x0f0f0f0f0f0f0f0fULL; 6028 n1 = z8[0] & 0xf0f0f0f0f0f0f0f0ULL; 6029 n0 = z8[0] & 0x0f0f0f0f0f0f0f0fULL; 6030 z8[1] = (n3 >> 4) | (n2 << 12) | (n0 >> 52); 6031 z8[0] = (n1 >> 4) | (n0 << 12); 6032 6033 /* XOR in next significant nibble * H */ 6034 m8 = (word64*)m[xi >> 4]; 6035 z8[0] ^= m8[0]; 6036 z8[1] ^= m8[1]; 6037 /* XOR in most significant nibble * remainder */ 6038 z8[0] ^= (word64)R[a]; 6039 6040 /* Write back result. */ 6041 x8[0] = z8[0]; 6042 x8[1] = z8[1]; 6043 } 6044 #endif 6045 6046 void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c, 6047 word32 cSz, byte* s, word32 sSz) 6048 { 6049 byte x[AES_BLOCK_SIZE]; 6050 byte scratch[AES_BLOCK_SIZE]; 6051 word32 blocks, partial; 6052 6053 XMEMSET(x, 0, AES_BLOCK_SIZE); 6054 6055 /* Hash in A, the Additional Authentication Data */ 6056 if (aSz != 0 && a != NULL) { 6057 blocks = aSz / AES_BLOCK_SIZE; 6058 partial = aSz % AES_BLOCK_SIZE; 6059 while (blocks--) { 6060 xorbuf(x, a, AES_BLOCK_SIZE); 6061 GMULT(x, aes->M0); 6062 a += AES_BLOCK_SIZE; 6063 } 6064 if (partial != 0) { 6065 XMEMSET(scratch, 0, AES_BLOCK_SIZE); 6066 XMEMCPY(scratch, a, partial); 6067 xorbuf(x, scratch, AES_BLOCK_SIZE); 6068 GMULT(x, aes->M0); 6069 } 6070 } 6071 6072 /* Hash in C, the Ciphertext */ 6073 if (cSz != 0 && c != NULL) { 6074 blocks = cSz / AES_BLOCK_SIZE; 6075 partial = cSz % AES_BLOCK_SIZE; 6076 while (blocks--) { 6077 xorbuf(x, c, AES_BLOCK_SIZE); 6078 GMULT(x, aes->M0); 6079 c += AES_BLOCK_SIZE; 6080 } 6081 if (partial != 0) { 6082 XMEMSET(scratch, 0, AES_BLOCK_SIZE); 6083 XMEMCPY(scratch, c, partial); 6084 xorbuf(x, scratch, AES_BLOCK_SIZE); 6085 GMULT(x, aes->M0); 6086 } 6087 } 6088 6089 /* Hash in the lengths of A and C in bits */ 6090 FlattenSzInBits(&scratch[0], aSz); 6091 FlattenSzInBits(&scratch[8], cSz); 6092 xorbuf(x, scratch, AES_BLOCK_SIZE); 6093 GMULT(x, aes->M0); 6094 6095 /* Copy the result into s. */ 6096 XMEMCPY(s, x, sSz); 6097 } 6098 5589 6099 #elif defined(WORD64_AVAILABLE) && !defined(GCM_WORD32) 5590 6100 … … 5595 6105 word64 V[2]; 5596 6106 int i, j; 6107 #ifdef AES_GCM_GMULT_CT 6108 word64 v1; 6109 #endif 5597 6110 V[0] = X[0]; V[1] = X[1]; 5598 6111 … … 5602 6115 for (j = 0; j < 64; j++) 5603 6116 { 6117 #ifdef AES_GCM_GMULT_CT 6118 word64 mask = 0 - (y >> 63); 6119 Z[0] ^= V[0] & mask; 6120 Z[1] ^= V[1] & mask; 6121 #else 5604 6122 if (y & 0x8000000000000000ULL) { 5605 6123 Z[0] ^= V[0]; 5606 6124 Z[1] ^= V[1]; 5607 6125 } 5608 6126 #endif 6127 6128 #ifdef AES_GCM_GMULT_CT 6129 v1 = (0 - (V[1] & 1)) & 0xE100000000000000ULL; 6130 V[1] >>= 1; 6131 V[1] |= V[0] << 63; 6132 V[0] >>= 1; 6133 V[0] ^= v1; 6134 #else 5609 6135 if (V[1] & 0x0000000000000001) { 5610 6136 V[1] >>= 1; … … 5620 6146 V[0] >>= 1; 5621 6147 } 6148 #endif 5622 6149 y <<= 1; 5623 6150 } … … 5905 6432 return status; 5906 6433 6434 status = wolfSSL_CryptHwMutexLock(); 6435 if (status != 0) 6436 return status; 6437 5907 6438 status = LTC_AES_EncryptTagGcm(LTC_BASE, in, out, sz, iv, ivSz, 5908 6439 authIn, authInSz, (byte*)aes->key, keySize, authTag, authTagSz); 6440 wolfSSL_CryptHwMutexUnLock(); 5909 6441 5910 6442 return (status == kStatus_Success) ? 0 : AES_GCM_AUTH_E; … … 5916 6448 5917 6449 /* this function supports inline encrypt */ 6450 /* define STM32_AESGCM_PARTIAL for newer STM Cube HAL's with workaround 6451 for handling partial packets to improve auth tag calculation performance by 6452 using hardware */ 5918 6453 static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz, 5919 6454 const byte* iv, word32 ivSz, … … 5928 6463 #endif 5929 6464 word32 keySize; 6465 #ifdef WOLFSSL_STM32_CUBEMX 5930 6466 int status = HAL_OK; 5931 6467 word32 blocks = sz / AES_BLOCK_SIZE; 6468 word32 partialBlock[AES_BLOCK_SIZE/sizeof(word32)]; 6469 #else 6470 int status = SUCCESS; 6471 #endif 5932 6472 word32 partial = sz % AES_BLOCK_SIZE; 5933 byte tag[AES_BLOCK_SIZE]; 5934 byte partialBlock[AES_BLOCK_SIZE]; 5935 byte ctr[AES_BLOCK_SIZE]; 6473 word32 tag[AES_BLOCK_SIZE/sizeof(word32)]; 6474 word32 ctrInit[AES_BLOCK_SIZE/sizeof(word32)]; 6475 word32 ctr[AES_BLOCK_SIZE/sizeof(word32)]; 6476 word32 authhdr[AES_BLOCK_SIZE/sizeof(word32)]; 5936 6477 byte* authInPadded = NULL; 5937 int authPadSz ;6478 int authPadSz, wasAlloc = 0, useSwGhash = 0; 5938 6479 5939 6480 ret = wc_AesGetKeySize(aes, &keySize); … … 5947 6488 #endif 5948 6489 5949 ret = wolfSSL_CryptHwMutexLock();5950 if (ret != 0) {5951 return ret;5952 }5953 5954 6490 XMEMSET(ctr, 0, AES_BLOCK_SIZE); 5955 6491 if (ivSz == GCM_NONCE_MID_SZ) { 6492 byte* pCtr = (byte*)ctr; 5956 6493 XMEMCPY(ctr, iv, ivSz); 5957 ctr[AES_BLOCK_SIZE - 1] = 1;6494 pCtr[AES_BLOCK_SIZE - 1] = 1; 5958 6495 } 5959 6496 else { 5960 GHASH(aes, NULL, 0, iv, ivSz, ctr, AES_BLOCK_SIZE); 5961 } 5962 /* Hardware requires counter + 1 */ 5963 IncrementGcmCounter(ctr); 5964 5965 if (authInSz == 0 || (authInSz % AES_BLOCK_SIZE) != 0) { 5966 /* Need to pad the AAD to a full block with zeros. */ 5967 authPadSz = ((authInSz / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE; 5968 authInPadded = (byte*)XMALLOC(authPadSz, aes->heap, 5969 DYNAMIC_TYPE_TMP_BUFFER); 5970 if (authInPadded == NULL) { 5971 wolfSSL_CryptHwMutexUnLock(); 5972 return MEMORY_E; 6497 GHASH(aes, NULL, 0, iv, ivSz, (byte*)ctr, AES_BLOCK_SIZE); 6498 } 6499 XMEMCPY(ctrInit, ctr, sizeof(ctr)); /* save off initial counter for GMAC */ 6500 6501 /* Authentication buffer - must be 4-byte multiple zero padded */ 6502 authPadSz = authInSz % sizeof(word32); 6503 if (authPadSz != 0) { 6504 authPadSz = authInSz + sizeof(word32) - authPadSz; 6505 if (authPadSz <= sizeof(authhdr)) { 6506 authInPadded = (byte*)authhdr; 6507 } 6508 else { 6509 authInPadded = (byte*)XMALLOC(authPadSz, aes->heap, 6510 DYNAMIC_TYPE_TMP_BUFFER); 6511 if (authInPadded == NULL) { 6512 wolfSSL_CryptHwMutexUnLock(); 6513 return MEMORY_E; 6514 } 6515 wasAlloc = 1; 5973 6516 } 5974 6517 XMEMSET(authInPadded, 0, authPadSz); … … 5979 6522 } 5980 6523 6524 /* for cases where hardware cannot be used for authTag calculate it */ 6525 /* if IV is not 12 calculate GHASH using software */ 6526 if (ivSz != GCM_NONCE_MID_SZ 6527 #ifndef STM32_AESGCM_PARTIAL 6528 /* or authIn is not a multiple of 4 */ 6529 || authPadSz != authInSz || sz == 0 || partial != 0 6530 #endif 6531 ) { 6532 useSwGhash = 1; 6533 } 6534 6535 /* Hardware requires counter + 1 */ 6536 IncrementGcmCounter((byte*)ctr); 6537 6538 ret = wolfSSL_CryptHwMutexLock(); 6539 if (ret != 0) { 6540 return ret; 6541 } 5981 6542 #ifdef WOLFSSL_STM32_CUBEMX 5982 6543 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; 5983 6544 hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded; 5984 hcryp.Init.HeaderSize = authInSz; 5985 5986 #ifdef STM32_CRYPTO_AES_ONLY 6545 6546 #if defined(STM32_HAL_V2) 6547 hcryp.Init.Algorithm = CRYP_AES_GCM; 6548 hcryp.Init.HeaderSize = authPadSz/sizeof(word32); 6549 #ifdef STM32_AESGCM_PARTIAL 6550 hcryp.Init.HeaderPadSize = authPadSz - authInSz; 6551 #endif 6552 ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE); 6553 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; 6554 HAL_CRYP_Init(&hcryp); 6555 6556 /* GCM payload phase - can handle partial blocks */ 6557 status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, 6558 (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); 6559 if (status == HAL_OK && !useSwGhash) { 6560 /* Compute the authTag */ 6561 status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, 6562 STM32_HAL_TIMEOUT); 6563 } 6564 #elif defined(STM32_CRYPTO_AES_ONLY) 5987 6565 /* Set the CRYP parameters */ 6566 hcryp.Init.HeaderSize = authPadSz; 6567 if (authPadSz == 0) 6568 hcryp.Init.Header = NULL; /* cannot pass pointer here when authIn == 0 */ 5988 6569 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_GCM_GMAC; 5989 6570 hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT; … … 5995 6576 if (status == HAL_OK) { 5996 6577 /* GCM header phase */ 5997 hcryp.Init.GCMCMACPhase 6578 hcryp.Init.GCMCMACPhase = CRYP_HEADER_PHASE; 5998 6579 status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT); 5999 6580 } 6000 6581 if (status == HAL_OK) { 6001 6582 /* GCM payload phase - blocks */ 6002 hcryp.Init.GCMCMACPhase 6583 hcryp.Init.GCMCMACPhase = CRYP_PAYLOAD_PHASE; 6003 6584 if (blocks) { 6004 6585 status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)in, … … 6006 6587 } 6007 6588 } 6008 if (status == HAL_OK && (partial != 0 || blocks == 0)) {6589 if (status == HAL_OK && (partial != 0 || (sz > 0 && blocks == 0))) { 6009 6590 /* GCM payload phase - partial remainder */ 6010 6591 XMEMSET(partialBlock, 0, sizeof(partialBlock)); 6011 6592 XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial); 6012 status = HAL_CRYPEx_AES_Auth(&hcryp, partialBlock, partial,6013 partialBlock, STM32_HAL_TIMEOUT);6593 status = HAL_CRYPEx_AES_Auth(&hcryp, (uint8_t*)partialBlock, partial, 6594 (uint8_t*)partialBlock, STM32_HAL_TIMEOUT); 6014 6595 XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial); 6015 6596 } 6016 if (status == HAL_OK ) {6597 if (status == HAL_OK && !useSwGhash) { 6017 6598 /* GCM final phase */ 6018 6599 hcryp.Init.GCMCMACPhase = CRYP_FINAL_PHASE; 6019 status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, tag, STM32_HAL_TIMEOUT); 6020 } 6021 #elif defined(STM32_HAL_V2) 6022 hcryp.Init.Algorithm = CRYP_AES_GCM; 6023 ByteReverseWords((word32*)partialBlock, (word32*)ctr, AES_BLOCK_SIZE); 6024 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; 6025 HAL_CRYP_Init(&hcryp); 6026 6027 /* GCM payload phase - can handle partial blocks */ 6028 status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, 6029 (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); 6030 if (status == HAL_OK) { 6031 /* Compute the authTag */ 6032 status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, 6033 STM32_HAL_TIMEOUT); 6600 status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, (uint8_t*)tag, STM32_HAL_TIMEOUT); 6034 6601 } 6035 6602 #else 6603 hcryp.Init.HeaderSize = authPadSz; 6036 6604 HAL_CRYP_Init(&hcryp); 6037 6605 if (blocks) { … … 6044 6612 XMEMSET(partialBlock, 0, sizeof(partialBlock)); 6045 6613 XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial); 6046 status = HAL_CRYPEx_AESGCM_Encrypt(&hcryp, partialBlock, partial,6047 partialBlock, STM32_HAL_TIMEOUT);6614 status = HAL_CRYPEx_AESGCM_Encrypt(&hcryp, (uint8_t*)partialBlock, partial, 6615 (uint8_t*)partialBlock, STM32_HAL_TIMEOUT); 6048 6616 XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial); 6049 6617 } 6050 if (status == HAL_OK ) {6618 if (status == HAL_OK && !useSwGhash) { 6051 6619 /* Compute the authTag */ 6052 status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, tag, STM32_HAL_TIMEOUT);6620 status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, (uint8_t*)tag, STM32_HAL_TIMEOUT); 6053 6621 } 6054 6622 #endif … … 6058 6626 HAL_CRYP_DeInit(&hcryp); 6059 6627 6060 #else /* S TD_PERI_LIB*/6628 #else /* Standard Peripheral Library */ 6061 6629 ByteReverseWords(keyCopy, (word32*)aes->key, keySize); 6062 6630 status = CRYP_AES_GCM(MODE_ENCRYPT, (uint8_t*)ctr, … … 6064 6632 (uint8_t*)in, sz, 6065 6633 (uint8_t*)authInPadded, authInSz, 6066 (uint8_t*)out, tag);6634 (uint8_t*)out, (uint8_t*)tag); 6067 6635 if (status != SUCCESS) 6068 6636 ret = AES_GCM_AUTH_E; 6069 6637 #endif /* WOLFSSL_STM32_CUBEMX */ 6638 wolfSSL_CryptHwMutexUnLock(); 6070 6639 6071 6640 if (ret == 0) { 6072 6641 /* return authTag */ 6073 6642 if (authTag) { 6074 /* STM32 GCM won't compute Auth correctly for partial or 6075 when IV != 12, so use software here */ 6076 if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) { 6077 DecrementGcmCounter(ctr); /* hardware requires +1, so subtract it */ 6643 if (useSwGhash) { 6078 6644 GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz); 6079 wc_AesEncrypt(aes, ctr,tag);6645 wc_AesEncrypt(aes, (byte*)ctrInit, (byte*)tag); 6080 6646 xorbuf(authTag, tag, authTagSz); 6081 6647 } 6082 6648 else { 6649 /* use hardware calculated tag */ 6083 6650 XMEMCPY(authTag, tag, authTagSz); 6084 6651 } … … 6086 6653 } 6087 6654 6088 /* Free memory if not a multiple of AES_BLOCK_SZ*/6089 if ( authInPadded != authIn) {6655 /* Free memory */ 6656 if (wasAlloc) { 6090 6657 XFREE(authInPadded, aes->heap, DYNAMIC_TYPE_TMP_BUFFER); 6091 6658 } 6092 6093 wolfSSL_CryptHwMutexUnLock();6094 6659 6095 6660 return ret; … … 6116 6681 const byte* p = in; 6117 6682 byte* c = out; 6118 byte counter[AES_BLOCK_SIZE]; 6119 byte initialCounter[AES_BLOCK_SIZE]; 6120 byte *ctr; 6121 byte scratch[AES_BLOCK_SIZE]; 6683 ALIGN32 byte counter[AES_BLOCK_SIZE]; 6684 ALIGN32 byte initialCounter[AES_BLOCK_SIZE]; 6685 ALIGN32 byte scratch[AES_BLOCK_SIZE]; 6686 6687 if (ivSz == GCM_NONCE_MID_SZ) { 6688 /* Counter is IV with bottom 4 bytes set to: 0x00,0x00,0x00,0x01. */ 6689 XMEMCPY(counter, iv, ivSz); 6690 XMEMSET(counter + GCM_NONCE_MID_SZ, 0, 6691 AES_BLOCK_SIZE - GCM_NONCE_MID_SZ - 1); 6692 counter[AES_BLOCK_SIZE - 1] = 1; 6693 } 6694 else { 6695 /* Counter is GHASH of IV. */ 6122 6696 #ifdef OPENSSL_EXTRA 6123 word32 aadTemp; 6124 #endif 6125 ctr = counter; 6126 XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); 6127 XMEMSET(scratch, 0, AES_BLOCK_SIZE); 6128 if (ivSz == GCM_NONCE_MID_SZ) { 6129 XMEMCPY(initialCounter, iv, ivSz); 6130 initialCounter[AES_BLOCK_SIZE - 1] = 1; 6131 } 6132 else { 6133 #ifdef OPENSSL_EXTRA 6134 aadTemp = aes->aadLen; 6697 word32 aadTemp = aes->aadLen; 6135 6698 aes->aadLen = 0; 6136 6699 #endif 6137 GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);6700 GHASH(aes, NULL, 0, iv, ivSz, counter, AES_BLOCK_SIZE); 6138 6701 #ifdef OPENSSL_EXTRA 6139 6702 aes->aadLen = aadTemp; 6140 6703 #endif 6141 6704 } 6142 XMEMCPY( ctr, initialCounter, AES_BLOCK_SIZE);6705 XMEMCPY(initialCounter, counter, AES_BLOCK_SIZE); 6143 6706 6144 6707 #ifdef WOLFSSL_PIC32MZ_CRYPT 6145 6708 if (blocks) { 6146 6709 /* use initial IV for HW, but don't use it below */ 6147 XMEMCPY(aes->reg, c tr, AES_BLOCK_SIZE);6710 XMEMCPY(aes->reg, counter, AES_BLOCK_SIZE); 6148 6711 6149 6712 ret = wc_Pic32AesCrypt( … … 6162 6725 if (c != p && blocks > 0) { /* can not handle inline encryption */ 6163 6726 while (blocks--) { 6164 IncrementGcmCounter(c tr);6165 XMEMCPY(c, c tr, AES_BLOCK_SIZE);6727 IncrementGcmCounter(counter); 6728 XMEMCPY(c, counter, AES_BLOCK_SIZE); 6166 6729 c += AES_BLOCK_SIZE; 6167 6730 } … … 6175 6738 else 6176 6739 #endif /* HAVE_AES_ECB && !WOLFSSL_PIC32MZ_CRYPT */ 6177 6178 while (blocks--) {6179 IncrementGcmCounter(ctr);6180 #if !defined(WOLFSSL_PIC32MZ_CRYPT)6181 wc_AesEncrypt(aes, ctr, scratch);6182 xorbuf(scratch, p, AES_BLOCK_SIZE);6183 XMEMCPY(c, scratch, AES_BLOCK_SIZE);6184 #endif6185 p+= AES_BLOCK_SIZE;6186 c += AES_BLOCK_SIZE;6740 { 6741 while (blocks--) { 6742 IncrementGcmCounter(counter); 6743 #if !defined(WOLFSSL_PIC32MZ_CRYPT) 6744 wc_AesEncrypt(aes, counter, scratch); 6745 xorbufout(c, scratch, p, AES_BLOCK_SIZE); 6746 #endif 6747 p += AES_BLOCK_SIZE; 6748 c += AES_BLOCK_SIZE; 6749 } 6187 6750 } 6188 6751 6189 6752 if (partial != 0) { 6190 IncrementGcmCounter(ctr); 6191 wc_AesEncrypt(aes, ctr, scratch); 6192 xorbuf(scratch, p, partial); 6193 XMEMCPY(c, scratch, partial); 6753 IncrementGcmCounter(counter); 6754 wc_AesEncrypt(aes, counter, scratch); 6755 xorbufout(c, scratch, p, partial); 6194 6756 } 6195 6757 if (authTag) { … … 6269 6831 #endif /* WOLFSSL_ASYNC_CRYPT */ 6270 6832 6833 #ifdef WOLFSSL_SILABS_SE_ACCEL 6834 return wc_AesGcmEncrypt_silabs( 6835 aes, out, in, sz, 6836 iv, ivSz, 6837 authTag, authTagSz, 6838 authIn, authInSz); 6839 #endif 6840 6271 6841 #ifdef STM32_CRYPTO_AES_GCM 6272 /* The STM standard peripheral library API's doesn't support partial blocks */ 6273 #ifdef STD_PERI_LIB 6274 if (partial == 0) 6275 #endif 6276 { 6277 return wc_AesGcmEncrypt_STM32( 6278 aes, out, in, sz, iv, ivSz, 6279 authTag, authTagSz, authIn, authInSz); 6280 } 6842 return wc_AesGcmEncrypt_STM32( 6843 aes, out, in, sz, iv, ivSz, 6844 authTag, authTagSz, authIn, authInSz); 6281 6845 #endif /* STM32_CRYPTO_AES_GCM */ 6282 6846 … … 6284 6848 #ifdef HAVE_INTEL_AVX2 6285 6849 if (IS_INTEL_AVX2(intel_flags)) { 6850 SAVE_VECTOR_REGISTERS(); 6286 6851 AES_GCM_encrypt_avx2(in, out, authIn, iv, authTag, sz, authInSz, ivSz, 6287 6852 authTagSz, (const byte*)aes->key, aes->rounds); 6853 RESTORE_VECTOR_REGISTERS(); 6288 6854 return 0; 6289 6855 } … … 6292 6858 #ifdef HAVE_INTEL_AVX1 6293 6859 if (IS_INTEL_AVX1(intel_flags)) { 6860 SAVE_VECTOR_REGISTERS(); 6294 6861 AES_GCM_encrypt_avx1(in, out, authIn, iv, authTag, sz, authInSz, ivSz, 6295 6862 authTagSz, (const byte*)aes->key, aes->rounds); 6863 RESTORE_VECTOR_REGISTERS(); 6296 6864 return 0; 6297 6865 } … … 6341 6909 } 6342 6910 6911 status = wolfSSL_CryptHwMutexLock(); 6912 if (status != 0) 6913 return status; 6914 6343 6915 status = LTC_AES_DecryptTagGcm(LTC_BASE, in, out, sz, iv, ivSz, 6344 6916 authIn, authInSz, (byte*)aes->key, keySize, authTag, authTagSz); 6917 wolfSSL_CryptHwMutexUnLock(); 6345 6918 6346 6919 return (status == kStatus_Success) ? 0 : AES_GCM_AUTH_E; … … 6359 6932 int ret; 6360 6933 #ifdef WOLFSSL_STM32_CUBEMX 6934 int status = HAL_OK; 6361 6935 CRYP_HandleTypeDef hcryp; 6936 word32 blocks = sz / AES_BLOCK_SIZE; 6362 6937 #else 6938 int status = SUCCESS; 6363 6939 word32 keyCopy[AES_256_KEY_SIZE/sizeof(word32)]; 6364 6940 #endif 6365 6941 word32 keySize; 6366 int status = HAL_OK;6367 word32 blocks = sz / AES_BLOCK_SIZE;6368 6942 word32 partial = sz % AES_BLOCK_SIZE; 6369 byte tag[AES_BLOCK_SIZE]; 6370 byte partialBlock[AES_BLOCK_SIZE]; 6371 byte ctr[AES_BLOCK_SIZE]; 6943 word32 tag[AES_BLOCK_SIZE/sizeof(word32)]; 6944 word32 tagExpected[AES_BLOCK_SIZE/sizeof(word32)]; 6945 word32 partialBlock[AES_BLOCK_SIZE/sizeof(word32)]; 6946 word32 ctr[AES_BLOCK_SIZE/sizeof(word32)]; 6947 word32 authhdr[AES_BLOCK_SIZE/sizeof(word32)]; 6372 6948 byte* authInPadded = NULL; 6373 int authPadSz ;6949 int authPadSz, wasAlloc = 0, tagComputed = 0; 6374 6950 6375 6951 ret = wc_AesGetKeySize(aes, &keySize); … … 6383 6959 #endif 6384 6960 6961 XMEMSET(ctr, 0, AES_BLOCK_SIZE); 6962 if (ivSz == GCM_NONCE_MID_SZ) { 6963 byte* pCtr = (byte*)ctr; 6964 XMEMCPY(ctr, iv, ivSz); 6965 pCtr[AES_BLOCK_SIZE - 1] = 1; 6966 } 6967 else { 6968 GHASH(aes, NULL, 0, iv, ivSz, (byte*)ctr, AES_BLOCK_SIZE); 6969 } 6970 6971 /* Make copy of expected authTag, which could get corrupted in some 6972 * Cube HAL versions without proper partial block support. 6973 * For TLS blocks the authTag is after the output buffer, so save it */ 6974 XMEMCPY(tagExpected, authTag, authTagSz); 6975 6976 /* Authentication buffer - must be 4-byte multiple zero padded */ 6977 authPadSz = authInSz % sizeof(word32); 6978 if (authPadSz != 0) { 6979 authPadSz = authInSz + sizeof(word32) - authPadSz; 6980 } 6981 else { 6982 authPadSz = authInSz; 6983 } 6984 6985 /* for cases where hardware cannot be used for authTag calculate it */ 6986 /* if IV is not 12 calculate GHASH using software */ 6987 if (ivSz != GCM_NONCE_MID_SZ || sz == 0 || partial != 0 6988 #ifndef STM32_AESGCM_PARTIAL 6989 /* or authIn is not a multiple of 4 */ 6990 || authPadSz != authInSz 6991 #endif 6992 ) { 6993 GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag)); 6994 wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock); 6995 xorbuf(tag, partialBlock, sizeof(tag)); 6996 tagComputed = 1; 6997 } 6998 6999 /* if using hardware for authentication tag make sure its aligned and zero padded */ 7000 if (authPadSz != authInSz && !tagComputed) { 7001 if (authPadSz <= sizeof(authhdr)) { 7002 authInPadded = (byte*)authhdr; 7003 } 7004 else { 7005 authInPadded = (byte*)XMALLOC(authPadSz, aes->heap, 7006 DYNAMIC_TYPE_TMP_BUFFER); 7007 if (authInPadded == NULL) { 7008 wolfSSL_CryptHwMutexUnLock(); 7009 return MEMORY_E; 7010 } 7011 wasAlloc = 1; 7012 } 7013 XMEMSET(authInPadded, 0, authPadSz); 7014 XMEMCPY(authInPadded, authIn, authInSz); 7015 } else { 7016 authInPadded = (byte*)authIn; 7017 } 7018 7019 /* Hardware requires counter + 1 */ 7020 IncrementGcmCounter((byte*)ctr); 7021 6385 7022 ret = wolfSSL_CryptHwMutexLock(); 6386 7023 if (ret != 0) { 6387 7024 return ret; 6388 7025 } 6389 6390 XMEMSET(ctr, 0, AES_BLOCK_SIZE);6391 if (ivSz == GCM_NONCE_MID_SZ) {6392 XMEMCPY(ctr, iv, ivSz);6393 ctr[AES_BLOCK_SIZE - 1] = 1;6394 }6395 else {6396 GHASH(aes, NULL, 0, iv, ivSz, ctr, AES_BLOCK_SIZE);6397 }6398 /* Hardware requires counter + 1 */6399 IncrementGcmCounter(ctr);6400 6401 if (authInSz == 0 || (authInSz % AES_BLOCK_SIZE) != 0) {6402 /* Need to pad the AAD to a full block with zeros. */6403 authPadSz = ((authInSz / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;6404 authInPadded = (byte*)XMALLOC(authPadSz, aes->heap,6405 DYNAMIC_TYPE_TMP_BUFFER);6406 if (authInPadded == NULL) {6407 wolfSSL_CryptHwMutexUnLock();6408 return MEMORY_E;6409 }6410 XMEMSET(authInPadded, 0, authPadSz);6411 XMEMCPY(authInPadded, authIn, authInSz);6412 } else {6413 authPadSz = authInSz;6414 authInPadded = (byte*)authIn;6415 }6416 6417 7026 #ifdef WOLFSSL_STM32_CUBEMX 6418 7027 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; 6419 7028 hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded; 6420 hcryp.Init.HeaderSize = authInSz; 6421 6422 #ifdef STM32_CRYPTO_AES_ONLY 7029 7030 #if defined(STM32_HAL_V2) 7031 hcryp.Init.Algorithm = CRYP_AES_GCM; 7032 hcryp.Init.HeaderSize = authPadSz/sizeof(word32); 7033 #ifdef STM32_AESGCM_PARTIAL 7034 hcryp.Init.HeaderPadSize = authPadSz - authInSz; 7035 #endif 7036 ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE); 7037 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; 7038 HAL_CRYP_Init(&hcryp); 7039 7040 /* GCM payload phase - can handle partial blocks */ 7041 status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, 7042 (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); 7043 if (status == HAL_OK && tagComputed == 0) { 7044 /* Compute the authTag */ 7045 status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, 7046 STM32_HAL_TIMEOUT); 7047 } 7048 #elif defined(STM32_CRYPTO_AES_ONLY) 6423 7049 /* Set the CRYP parameters */ 7050 hcryp.Init.HeaderSize = authPadSz; 7051 if (authPadSz == 0) 7052 hcryp.Init.Header = NULL; /* cannot pass pointer when authIn == 0 */ 6424 7053 hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_GCM_GMAC; 6425 7054 hcryp.Init.OperatingMode = CRYP_ALGOMODE_DECRYPT; … … 6436 7065 if (status == HAL_OK) { 6437 7066 /* GCM payload phase - blocks */ 6438 hcryp.Init.GCMCMACPhase 7067 hcryp.Init.GCMCMACPhase = CRYP_PAYLOAD_PHASE; 6439 7068 if (blocks) { 6440 7069 status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)in, … … 6442 7071 } 6443 7072 } 6444 if (status == HAL_OK && (partial != 0 || blocks == 0)) {7073 if (status == HAL_OK && (partial != 0 || (sz > 0 && blocks == 0))) { 6445 7074 /* GCM payload phase - partial remainder */ 6446 7075 XMEMSET(partialBlock, 0, sizeof(partialBlock)); 6447 7076 XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial); 6448 status = HAL_CRYPEx_AES_Auth(&hcryp, partialBlock, partial,6449 partialBlock, STM32_HAL_TIMEOUT);7077 status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)partialBlock, partial, 7078 (byte*)partialBlock, STM32_HAL_TIMEOUT); 6450 7079 XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial); 6451 7080 } 6452 if (status == HAL_OK ) {7081 if (status == HAL_OK && tagComputed == 0) { 6453 7082 /* GCM final phase */ 6454 7083 hcryp.Init.GCMCMACPhase = CRYP_FINAL_PHASE; 6455 status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, tag, STM32_HAL_TIMEOUT); 6456 } 6457 #elif defined(STM32_HAL_V2) 6458 hcryp.Init.Algorithm = CRYP_AES_GCM; 6459 ByteReverseWords((word32*)partialBlock, (word32*)ctr, AES_BLOCK_SIZE); 6460 hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; 6461 HAL_CRYP_Init(&hcryp); 6462 6463 /* GCM payload phase - can handle partial blocks */ 6464 status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, 6465 (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); 6466 if (status == HAL_OK) { 6467 /* Compute the authTag */ 6468 status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, 6469 STM32_HAL_TIMEOUT); 7084 status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, (byte*)tag, STM32_HAL_TIMEOUT); 6470 7085 } 6471 7086 #else 7087 hcryp.Init.HeaderSize = authPadSz; 6472 7088 HAL_CRYP_Init(&hcryp); 6473 7089 if (blocks) { … … 6480 7096 XMEMSET(partialBlock, 0, sizeof(partialBlock)); 6481 7097 XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial); 6482 status = HAL_CRYPEx_AESGCM_Decrypt(&hcryp, partialBlock, partial,6483 partialBlock, STM32_HAL_TIMEOUT);7098 status = HAL_CRYPEx_AESGCM_Decrypt(&hcryp, (byte*)partialBlock, partial, 7099 (byte*)partialBlock, STM32_HAL_TIMEOUT); 6484 7100 XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial); 6485 7101 } 6486 if (status == HAL_OK ) {7102 if (status == HAL_OK && tagComputed == 0) { 6487 7103 /* Compute the authTag */ 6488 status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, tag, STM32_HAL_TIMEOUT);7104 status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, (byte*)tag, STM32_HAL_TIMEOUT); 6489 7105 } 6490 7106 #endif … … 6495 7111 HAL_CRYP_DeInit(&hcryp); 6496 7112 6497 #else /* S TD_PERI_LIB*/7113 #else /* Standard Peripheral Library */ 6498 7114 ByteReverseWords(keyCopy, (word32*)aes->key, aes->keylen); 6499 7115 … … 6501 7117 * they are not block aligned, because this length (in bits) is used 6502 7118 * in the final GHASH. */ 7119 XMEMSET(partialBlock, 0, sizeof(partialBlock)); /* use this to get tag */ 6503 7120 status = CRYP_AES_GCM(MODE_DECRYPT, (uint8_t*)ctr, 6504 7121 (uint8_t*)keyCopy, keySize * 8, 6505 7122 (uint8_t*)in, sz, 6506 7123 (uint8_t*)authInPadded, authInSz, 6507 (uint8_t*)out, tag);7124 (uint8_t*)out, (uint8_t*)partialBlock); 6508 7125 if (status != SUCCESS) 6509 7126 ret = AES_GCM_AUTH_E; 7127 if (tagComputed == 0) 7128 XMEMCPY(tag, partialBlock, authTagSz); 6510 7129 #endif /* WOLFSSL_STM32_CUBEMX */ 6511 6512 /* STM32 GCM hardware only supports IV of 12 bytes, so use software for auth */ 6513 if (sz == 0 || ivSz != GCM_NONCE_MID_SZ) { 6514 DecrementGcmCounter(ctr); /* hardware requires +1, so subtract it */ 6515 GHASH(aes, authIn, authInSz, in, sz, tag, sizeof(tag)); 6516 wc_AesEncrypt(aes, ctr, partialBlock); 6517 xorbuf(tag, partialBlock, sizeof(tag)); 6518 } 6519 6520 if (ConstantCompare(authTag, tag, authTagSz) != 0) { 7130 wolfSSL_CryptHwMutexUnLock(); 7131 7132 /* Check authentication tag */ 7133 if (ConstantCompare((const byte*)tagExpected, (byte*)tag, authTagSz) != 0) { 6521 7134 ret = AES_GCM_AUTH_E; 6522 7135 } 6523 7136 6524 /* Free memory if not a multiple of AES_BLOCK_SZ*/6525 if ( authInPadded != authIn) {7137 /* Free memory */ 7138 if (wasAlloc) { 6526 7139 XFREE(authInPadded, aes->heap, DYNAMIC_TYPE_TMP_BUFFER); 6527 7140 } 6528 6529 wolfSSL_CryptHwMutexUnLock();6530 7141 6531 7142 return ret; … … 6552 7163 const byte* c = in; 6553 7164 byte* p = out; 6554 byte counter[AES_BLOCK_SIZE]; 6555 byte initialCounter[AES_BLOCK_SIZE]; 6556 byte *ctr; 6557 byte scratch[AES_BLOCK_SIZE]; 6558 byte Tprime[AES_BLOCK_SIZE]; 6559 byte EKY0[AES_BLOCK_SIZE]; 7165 ALIGN32 byte counter[AES_BLOCK_SIZE]; 7166 ALIGN32 byte scratch[AES_BLOCK_SIZE]; 7167 ALIGN32 byte Tprime[AES_BLOCK_SIZE]; 7168 ALIGN32 byte EKY0[AES_BLOCK_SIZE]; 7169 7170 if (ivSz == GCM_NONCE_MID_SZ) { 7171 /* Counter is IV with bottom 4 bytes set to: 0x00,0x00,0x00,0x01. */ 7172 XMEMCPY(counter, iv, ivSz); 7173 XMEMSET(counter + GCM_NONCE_MID_SZ, 0, 7174 AES_BLOCK_SIZE - GCM_NONCE_MID_SZ - 1); 7175 counter[AES_BLOCK_SIZE - 1] = 1; 7176 } 7177 else { 7178 /* Counter is GHASH of IV. */ 6560 7179 #ifdef OPENSSL_EXTRA 6561 word32 aadTemp; 6562 #endif 6563 ctr = counter; 6564 XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); 6565 if (ivSz == GCM_NONCE_MID_SZ) { 6566 XMEMCPY(initialCounter, iv, ivSz); 6567 initialCounter[AES_BLOCK_SIZE - 1] = 1; 6568 } 6569 else { 6570 #ifdef OPENSSL_EXTRA 6571 aadTemp = aes->aadLen; 7180 word32 aadTemp = aes->aadLen; 6572 7181 aes->aadLen = 0; 6573 7182 #endif 6574 GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);7183 GHASH(aes, NULL, 0, iv, ivSz, counter, AES_BLOCK_SIZE); 6575 7184 #ifdef OPENSSL_EXTRA 6576 7185 aes->aadLen = aadTemp; 6577 7186 #endif 6578 7187 } 6579 XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE); 6580 6581 /* Calc the authTag again using the received auth data and the cipher text */ 7188 7189 /* Calc the authTag again using received auth data and the cipher text */ 6582 7190 GHASH(aes, authIn, authInSz, in, sz, Tprime, sizeof(Tprime)); 6583 wc_AesEncrypt(aes, c tr, EKY0);7191 wc_AesEncrypt(aes, counter, EKY0); 6584 7192 xorbuf(Tprime, EKY0, sizeof(Tprime)); 6585 7193 … … 6598 7206 if (blocks) { 6599 7207 /* use initial IV for HW, but don't use it below */ 6600 XMEMCPY(aes->reg, c tr, AES_BLOCK_SIZE);7208 XMEMCPY(aes->reg, counter, AES_BLOCK_SIZE); 6601 7209 6602 7210 ret = wc_Pic32AesCrypt( … … 6615 7223 if (c != p && blocks > 0) { /* can not handle inline decryption */ 6616 7224 while (blocks--) { 6617 IncrementGcmCounter(c tr);6618 XMEMCPY(p, c tr, AES_BLOCK_SIZE);7225 IncrementGcmCounter(counter); 7226 XMEMCPY(p, counter, AES_BLOCK_SIZE); 6619 7227 p += AES_BLOCK_SIZE; 6620 7228 } … … 6629 7237 else 6630 7238 #endif /* HAVE_AES_ECB && !PIC32MZ */ 6631 while (blocks--) { 6632 IncrementGcmCounter(ctr); 6633 #if !defined(WOLFSSL_PIC32MZ_CRYPT) 6634 wc_AesEncrypt(aes, ctr, scratch); 6635 xorbuf(scratch, c, AES_BLOCK_SIZE); 6636 XMEMCPY(p, scratch, AES_BLOCK_SIZE); 6637 #endif 6638 p += AES_BLOCK_SIZE; 6639 c += AES_BLOCK_SIZE; 7239 { 7240 while (blocks--) { 7241 IncrementGcmCounter(counter); 7242 #if !defined(WOLFSSL_PIC32MZ_CRYPT) 7243 wc_AesEncrypt(aes, counter, scratch); 7244 xorbufout(p, scratch, c, AES_BLOCK_SIZE); 7245 #endif 7246 p += AES_BLOCK_SIZE; 7247 c += AES_BLOCK_SIZE; 7248 } 6640 7249 } 6641 7250 6642 7251 if (partial != 0) { 6643 IncrementGcmCounter(c tr);6644 wc_AesEncrypt(aes, c tr, scratch);7252 IncrementGcmCounter(counter); 7253 wc_AesEncrypt(aes, counter, scratch); 6645 7254 xorbuf(scratch, c, partial); 6646 7255 XMEMCPY(p, scratch, partial); … … 6716 7325 #endif /* WOLFSSL_ASYNC_CRYPT */ 6717 7326 7327 #ifdef WOLFSSL_SILABS_SE_ACCEL 7328 return wc_AesGcmDecrypt_silabs( 7329 aes, out, in, sz, iv, ivSz, 7330 authTag, authTagSz, authIn, authInSz); 7331 7332 #endif 7333 6718 7334 #ifdef STM32_CRYPTO_AES_GCM 6719 7335 /* The STM standard peripheral library API's doesn't support partial blocks */ 6720 #ifdef STD_PERI_LIB 6721 if (partial == 0) 6722 #endif 6723 { 6724 return wc_AesGcmDecrypt_STM32( 6725 aes, out, in, sz, iv, ivSz, 6726 authTag, authTagSz, authIn, authInSz); 6727 } 7336 return wc_AesGcmDecrypt_STM32( 7337 aes, out, in, sz, iv, ivSz, 7338 authTag, authTagSz, authIn, authInSz); 6728 7339 #endif /* STM32_CRYPTO_AES_GCM */ 6729 7340 … … 6731 7342 #ifdef HAVE_INTEL_AVX2 6732 7343 if (IS_INTEL_AVX2(intel_flags)) { 7344 SAVE_VECTOR_REGISTERS(); 6733 7345 AES_GCM_decrypt_avx2(in, out, authIn, iv, authTag, sz, authInSz, ivSz, 6734 7346 authTagSz, (byte*)aes->key, aes->rounds, &res); 7347 RESTORE_VECTOR_REGISTERS(); 6735 7348 if (res == 0) 6736 7349 return AES_GCM_AUTH_E; … … 6741 7354 #ifdef HAVE_INTEL_AVX1 6742 7355 if (IS_INTEL_AVX1(intel_flags)) { 7356 SAVE_VECTOR_REGISTERS(); 6743 7357 AES_GCM_decrypt_avx1(in, out, authIn, iv, authTag, sz, authInSz, ivSz, 6744 7358 authTagSz, (byte*)aes->key, aes->rounds, &res); 7359 RESTORE_VECTOR_REGISTERS(); 6745 7360 if (res == 0) 6746 7361 return AES_GCM_AUTH_E; … … 6876 7491 byte* authTag, word32 authTagSz, WC_RNG* rng) 6877 7492 { 6878 Aes aes; 7493 #ifdef WOLFSSL_SMALL_STACK 7494 Aes *aes = NULL; 7495 #else 7496 Aes aes[1]; 7497 #endif 6879 7498 int ret; 6880 7499 … … 6885 7504 } 6886 7505 6887 ret = wc_AesInit(&aes, NULL, INVALID_DEVID); 7506 #ifdef WOLFSSL_SMALL_STACK 7507 if ((aes = (Aes *)XMALLOC(sizeof *aes, NULL, 7508 DYNAMIC_TYPE_AES)) == NULL) 7509 return MEMORY_E; 7510 #endif 7511 7512 ret = wc_AesInit(aes, NULL, INVALID_DEVID); 6888 7513 if (ret == 0) { 6889 ret = wc_AesGcmSetKey( &aes, key, keySz);7514 ret = wc_AesGcmSetKey(aes, key, keySz); 6890 7515 if (ret == 0) 6891 ret = wc_AesGcmSetIV( &aes, ivSz, NULL, 0, rng);7516 ret = wc_AesGcmSetIV(aes, ivSz, NULL, 0, rng); 6892 7517 if (ret == 0) 6893 ret = wc_AesGcmEncrypt_ex( &aes, NULL, NULL, 0, iv, ivSz,7518 ret = wc_AesGcmEncrypt_ex(aes, NULL, NULL, 0, iv, ivSz, 6894 7519 authTag, authTagSz, authIn, authInSz); 6895 wc_AesFree(&aes); 6896 } 6897 ForceZero(&aes, sizeof(aes)); 7520 wc_AesFree(aes); 7521 } 7522 ForceZero(aes, sizeof *aes); 7523 #ifdef WOLFSSL_SMALL_STACK 7524 XFREE(aes, NULL, DYNAMIC_TYPE_AES); 7525 #endif 6898 7526 6899 7527 return ret; … … 6906 7534 { 6907 7535 int ret; 6908 #ifndef NO_AES_DECRYPT 6909 Aes aes; 7536 #ifdef HAVE_AES_DECRYPT 7537 #ifdef WOLFSSL_SMALL_STACK 7538 Aes *aes = NULL; 7539 #else 7540 Aes aes[1]; 7541 #endif 6910 7542 6911 7543 if (key == NULL || iv == NULL || (authIn == NULL && authInSz != 0) || … … 6915 7547 } 6916 7548 6917 ret = wc_AesInit(&aes, NULL, INVALID_DEVID); 7549 #ifdef WOLFSSL_SMALL_STACK 7550 if ((aes = (Aes *)XMALLOC(sizeof *aes, NULL, 7551 DYNAMIC_TYPE_AES)) == NULL) 7552 return MEMORY_E; 7553 #endif 7554 7555 ret = wc_AesInit(aes, NULL, INVALID_DEVID); 6918 7556 if (ret == 0) { 6919 ret = wc_AesGcmSetKey( &aes, key, keySz);7557 ret = wc_AesGcmSetKey(aes, key, keySz); 6920 7558 if (ret == 0) 6921 ret = wc_AesGcmDecrypt( &aes, NULL, NULL, 0, iv, ivSz,7559 ret = wc_AesGcmDecrypt(aes, NULL, NULL, 0, iv, ivSz, 6922 7560 authTag, authTagSz, authIn, authInSz); 6923 wc_AesFree(&aes); 6924 } 6925 ForceZero(&aes, sizeof(aes)); 7561 wc_AesFree(aes); 7562 } 7563 ForceZero(aes, sizeof *aes); 7564 #ifdef WOLFSSL_SMALL_STACK 7565 XFREE(aes, NULL, DYNAMIC_TYPE_AES); 7566 #endif 6926 7567 #else 6927 7568 (void)key; … … 6971 7612 } 6972 7613 7614 7615 /* Checks if the tag size is an accepted value based on RFC 3610 section 2 7616 * returns 0 if tag size is ok 7617 */ 7618 int wc_AesCcmCheckTagSize(int sz) 7619 { 7620 /* values here are from RFC 3610 section 2 */ 7621 if (sz != 4 && sz != 6 && sz != 8 && sz != 10 && sz != 12 && sz != 14 7622 && sz != 16) { 7623 WOLFSSL_MSG("Bad auth tag size AES-CCM"); 7624 return BAD_FUNC_ARG; 7625 } 7626 return 0; 7627 } 7628 6973 7629 #ifdef WOLFSSL_ARMASM 6974 7630 /* implementation located in wolfcrypt/src/port/arm/armv8-aes.c */ … … 6980 7636 /* implemented in wolfcrypt/src/port/caam_aes.c */ 6981 7637 7638 #elif defined(WOLFSSL_SILABS_SE_ACCEL) 7639 /* implemented in wolfcrypt/src/port/silabs/silabs_aes.c */ 7640 int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz, 7641 const byte* nonce, word32 nonceSz, 7642 byte* authTag, word32 authTagSz, 7643 const byte* authIn, word32 authInSz) 7644 { 7645 return wc_AesCcmEncrypt_silabs( 7646 aes, out, in, inSz, 7647 nonce, nonceSz, 7648 authTag, authTagSz, 7649 authIn, authInSz); 7650 } 7651 7652 #ifdef HAVE_AES_DECRYPT 7653 int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz, 7654 const byte* nonce, word32 nonceSz, 7655 const byte* authTag, word32 authTagSz, 7656 const byte* authIn, word32 authInSz) 7657 { 7658 return wc_AesCcmDecrypt_silabs( 7659 aes, out, in, inSz, 7660 nonce, nonceSz, 7661 authTag, authTagSz, 7662 authIn, authInSz); 7663 } 7664 #endif 6982 7665 #elif defined(FREESCALE_LTC) 6983 7666 … … 6989 7672 { 6990 7673 byte *key; 6991 uint32_tkeySize;7674 word32 keySize; 6992 7675 status_t status; 6993 7676 6994 7677 /* sanity check on arguments */ 7678 /* note, LTC_AES_EncryptTagCcm() doesn't allow null src or dst 7679 * ptrs even if inSz is zero (ltc_aes_ccm_check_input_args()), so 7680 * don't allow it here either. 7681 */ 6995 7682 if (aes == NULL || out == NULL || in == NULL || nonce == NULL 6996 || authTag == NULL || nonceSz < 7 || nonceSz > 13) 7683 || authTag == NULL || nonceSz < 7 || nonceSz > 13) { 6997 7684 return BAD_FUNC_ARG; 7685 } 7686 7687 if (wc_AesCcmCheckTagSize(authTagSz) != 0) { 7688 return BAD_FUNC_ARG; 7689 } 6998 7690 6999 7691 key = (byte*)aes->key; … … 7004 7696 } 7005 7697 7698 status = wolfSSL_CryptHwMutexLock(); 7699 if (status != 0) 7700 return status; 7701 7006 7702 status = LTC_AES_EncryptTagCcm(LTC_BASE, in, out, inSz, 7007 7703 nonce, nonceSz, authIn, authInSz, key, keySize, authTag, authTagSz); 7704 wolfSSL_CryptHwMutexUnLock(); 7008 7705 7009 7706 return (kStatus_Success == status) ? 0 : BAD_FUNC_ARG; … … 7017 7714 { 7018 7715 byte *key; 7019 uint32_tkeySize;7716 word32 keySize; 7020 7717 status_t status; 7021 7718 7022 7719 /* sanity check on arguments */ 7023 7720 if (aes == NULL || out == NULL || in == NULL || nonce == NULL 7024 || authTag == NULL || nonceSz < 7 || nonceSz > 13) 7721 || authTag == NULL || nonceSz < 7 || nonceSz > 13) { 7025 7722 return BAD_FUNC_ARG; 7723 } 7026 7724 7027 7725 key = (byte*)aes->key; … … 7031 7729 return status; 7032 7730 } 7033 7731 7732 status = wolfSSL_CryptHwMutexLock(); 7733 if (status != 0) 7734 return status; 7034 7735 status = LTC_AES_DecryptTagCcm(LTC_BASE, in, out, inSz, 7035 7736 nonce, nonceSz, authIn, authInSz, key, keySize, authTag, authTagSz); 7036 7037 if (status == kStatus_Success) { 7038 return 0; 7039 } 7040 else { 7737 wolfSSL_CryptHwMutexUnLock(); 7738 7739 if (status != kStatus_Success) { 7041 7740 XMEMSET(out, 0, inSz); 7042 7741 return AES_CCM_AUTH_E; 7043 7742 } 7743 return 0; 7044 7744 } 7045 7745 #endif /* HAVE_AES_DECRYPT */ … … 7131 7831 7132 7832 for (i = 0; i < lenSz; i++) { 7133 if (++B[AES_BLOCK_SIZE * 1 - 1 - i] != 0) break; 7134 } 7135 B[AES_BLOCK_SIZE * 2 - 1] += 2; 7136 if (B[AES_BLOCK_SIZE * 2 - 1] < 2) { 7137 for (i = 1; i < lenSz; i++) { 7138 if (++B[AES_BLOCK_SIZE * 2 - 1 - i] != 0) break; 7139 } 7140 } 7141 B[AES_BLOCK_SIZE * 3 - 1] += 3; 7142 if (B[AES_BLOCK_SIZE * 3 - 1] < 3) { 7833 if (++B[AES_BLOCK_SIZE * 2 - 1 - i] != 0) break; 7834 } 7835 B[AES_BLOCK_SIZE * 3 - 1] += 2; 7836 if (B[AES_BLOCK_SIZE * 3 - 1] < 2) { 7143 7837 for (i = 1; i < lenSz; i++) { 7144 7838 if (++B[AES_BLOCK_SIZE * 3 - 1 - i] != 0) break; 7839 } 7840 } 7841 B[AES_BLOCK_SIZE * 4 - 1] += 3; 7842 if (B[AES_BLOCK_SIZE * 4 - 1] < 3) { 7843 for (i = 1; i < lenSz; i++) { 7844 if (++B[AES_BLOCK_SIZE * 4 - 1 - i] != 0) break; 7145 7845 } 7146 7846 } … … 7180 7880 7181 7881 /* sanity check on arguments */ 7182 if (aes == NULL || out == NULL || in == NULL || nonce == NULL7183 7882 if (aes == NULL || (inSz != 0 && (in == NULL || out == NULL)) || 7883 nonce == NULL || authTag == NULL || nonceSz < 7 || nonceSz > 13 || 7184 7884 authTagSz > AES_BLOCK_SIZE) 7185 7885 return BAD_FUNC_ARG; 7886 7887 /* sanity check on tag size */ 7888 if (wc_AesCcmCheckTagSize(authTagSz) != 0) { 7889 return BAD_FUNC_ARG; 7890 } 7186 7891 7187 7892 XMEMSET(A, 0, sizeof(A)); … … 7217 7922 AesCcmCtrIncSet4(B, lenSz); 7218 7923 7924 SAVE_VECTOR_REGISTERS(); 7219 7925 AES_ECB_encrypt(B, A, AES_BLOCK_SIZE * 4, (byte*)aes->key, 7220 7926 aes->rounds); 7927 RESTORE_VECTOR_REGISTERS(); 7928 7221 7929 xorbuf(A, in, AES_BLOCK_SIZE * 4); 7222 7930 XMEMCPY(out, A, AES_BLOCK_SIZE * 4); … … 7226 7934 out += AES_BLOCK_SIZE * 4; 7227 7935 7228 if (inSz < AES_BLOCK_SIZE * 4) { 7229 AesCcmCtrInc4(B, lenSz); 7230 } 7936 AesCcmCtrInc4(B, lenSz); 7231 7937 } 7232 7938 } … … 7276 7982 7277 7983 /* sanity check on arguments */ 7278 if (aes == NULL || out == NULL || in == NULL || nonce == NULL7279 7280 7984 if (aes == NULL || (inSz != 0 && (in == NULL || out == NULL)) || 7985 nonce == NULL || authTag == NULL || nonceSz < 7 || nonceSz > 13 || 7986 authTagSz > AES_BLOCK_SIZE) 7281 7987 return BAD_FUNC_ARG; 7988 7989 /* sanity check on tag size */ 7990 if (wc_AesCcmCheckTagSize(authTagSz) != 0) { 7991 return BAD_FUNC_ARG; 7992 } 7282 7993 7283 7994 o = out; … … 7296 8007 AesCcmCtrIncSet4(B, lenSz); 7297 8008 8009 SAVE_VECTOR_REGISTERS(); 7298 8010 AES_ECB_encrypt(B, A, AES_BLOCK_SIZE * 4, (byte*)aes->key, 7299 8011 aes->rounds); 8012 RESTORE_VECTOR_REGISTERS(); 8013 7300 8014 xorbuf(A, in, AES_BLOCK_SIZE * 4); 7301 8015 XMEMCPY(o, A, AES_BLOCK_SIZE * 4); … … 7305 8019 o += AES_BLOCK_SIZE * 4; 7306 8020 7307 if (oSz < AES_BLOCK_SIZE * 4) { 7308 AesCcmCtrInc4(B, lenSz); 7309 } 8021 AesCcmCtrInc4(B, lenSz); 7310 8022 } 7311 8023 } … … 7360 8072 * Unfortunately, you need the decrypted data to calculate the 7361 8073 * check value. */ 7362 XMEMSET(out, 0, inSz); 8074 #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) && \ 8075 defined(ACVP_VECTOR_TESTING) 8076 WOLFSSL_MSG("Preserve output for vector responses"); 8077 #else 8078 if (inSz > 0) 8079 XMEMSET(out, 0, inSz); 8080 #endif 7363 8081 result = AES_CCM_AUTH_E; 7364 8082 } … … 7476 8194 XMEMSET(&aes->ctx, 0, sizeof(aes->ctx)); 7477 8195 #endif 8196 #if defined(WOLFSSL_IMXRT_DCP) 8197 DCPAesInit(aes); 8198 #endif 8199 8200 7478 8201 #ifdef HAVE_AESGCM 7479 8202 #ifdef OPENSSL_EXTRA … … 7496 8219 7497 8220 if (ret == 0) 7498 ret 8221 ret = wc_AesInit(aes, heap, devId); 7499 8222 if (ret == 0) { 7500 8223 XMEMCPY(aes->id, id, len); 7501 8224 aes->idLen = len; 8225 aes->labelLen = 0; 8226 } 8227 8228 return ret; 8229 } 8230 8231 int wc_AesInit_Label(Aes* aes, const char* label, void* heap, int devId) 8232 { 8233 int ret = 0; 8234 int labelLen = 0; 8235 8236 if (aes == NULL || label == NULL) 8237 ret = BAD_FUNC_ARG; 8238 if (ret == 0) { 8239 labelLen = (int)XSTRLEN(label); 8240 if (labelLen == 0 || labelLen > AES_MAX_LABEL_LEN) 8241 ret = BUFFER_E; 8242 } 8243 8244 if (ret == 0) 8245 ret = wc_AesInit(aes, heap, devId); 8246 if (ret == 0) { 8247 XMEMCPY(aes->label, label, labelLen); 8248 aes->labelLen = labelLen; 8249 aes->idLen = 0; 7502 8250 } 7503 8251 … … 7532 8280 ForceZero((byte*)aes->devKey, AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE); 7533 8281 #endif 8282 #if defined(WOLFSSL_IMXRT_DCP) 8283 DCPAesFree(aes); 8284 #endif 7534 8285 } 7535 8286 … … 7590 8341 return BAD_FUNC_ARG; 7591 8342 7592 8343 return AES_ECB_encrypt(aes, in, out, sz); 7593 8344 } 7594 8345 … … 7599 8350 return BAD_FUNC_ARG; 7600 8351 7601 8352 return AES_ECB_decrypt(aes, in, out, sz); 7602 8353 } 7603 8354 … … 7611 8362 if ((in == NULL) || (out == NULL) || (aes == NULL)) 7612 8363 return BAD_FUNC_ARG; 7613 while (blocks>0) { 8364 #ifdef WOLFSSL_IMXRT_DCP 8365 if (aes->keylen == 16) 8366 return DCPAesEcbEncrypt(aes, out, in, sz); 8367 #endif 8368 while (blocks > 0) { 7614 8369 wc_AesEncryptDirect(aes, out, in); 7615 8370 out += AES_BLOCK_SIZE; … … 7628 8383 if ((in == NULL) || (out == NULL) || (aes == NULL)) 7629 8384 return BAD_FUNC_ARG; 7630 while (blocks>0) { 8385 #ifdef WOLFSSL_IMXRT_DCP 8386 if (aes->keylen == 16) 8387 return DCPAesEcbDecrypt(aes, out, in, sz); 8388 #endif 8389 while (blocks > 0) { 7631 8390 wc_AesDecryptDirect(aes, out, in); 7632 8391 out += AES_BLOCK_SIZE; … … 7910 8669 7911 8670 /* MSB + XOR */ 8671 #ifdef BIG_ENDIAN_ORDER 8672 ByteReverseWords(aes->tmp, aes->tmp, AES_BLOCK_SIZE); 8673 #endif 7912 8674 out[0] = aes->tmp[0] ^ in[0]; 7913 8675 if (dir == AES_ENCRYPTION) { … … 8141 8903 byte* out, word32 outSz, const byte* iv) 8142 8904 { 8143 Aes aes; 8905 #ifdef WOLFSSL_SMALL_STACK 8906 Aes *aes = NULL; 8907 #else 8908 Aes aes[1]; 8909 #endif 8910 int aes_inited = 0; 8144 8911 byte* r; 8145 8912 word32 i; … … 8157 8924 if (inSz % KEYWRAP_BLOCK_SIZE != 0) 8158 8925 return BAD_FUNC_ARG; 8926 8927 #ifdef WOLFSSL_SMALL_STACK 8928 if ((aes = (Aes *)XMALLOC(sizeof *aes, NULL, 8929 DYNAMIC_TYPE_AES)) == NULL) 8930 return MEMORY_E; 8931 #endif 8159 8932 8160 8933 /* user IV is optional */ … … 8169 8942 XMEMSET(t, 0, sizeof(t)); 8170 8943 8171 ret = wc_AesInit( &aes, NULL, INVALID_DEVID);8944 ret = wc_AesInit(aes, NULL, INVALID_DEVID); 8172 8945 if (ret != 0) 8173 return ret; 8174 8175 ret = wc_AesSetKey(&aes, key, keySz, NULL, AES_ENCRYPTION); 8946 goto out; 8947 else 8948 aes_inited = 1; 8949 8950 ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION); 8176 8951 if (ret != 0) 8177 return ret;8952 goto out; 8178 8953 8179 8954 for (j = 0; j <= 5; j++) { … … 8183 8958 XMEMCPY(tmp + KEYWRAP_BLOCK_SIZE, r, KEYWRAP_BLOCK_SIZE); 8184 8959 8185 wc_AesEncryptDirect( &aes, tmp, tmp);8960 wc_AesEncryptDirect(aes, tmp, tmp); 8186 8961 8187 8962 /* calculate new A */ … … 8199 8974 XMEMCPY(out, tmp, KEYWRAP_BLOCK_SIZE); 8200 8975 8201 wc_AesFree(&aes); 8202 8203 return inSz + KEYWRAP_BLOCK_SIZE; 8976 ret = 0; 8977 8978 out: 8979 8980 if (aes_inited) 8981 wc_AesFree(aes); 8982 #ifdef WOLFSSL_SMALL_STACK 8983 if (aes) 8984 XFREE(aes, NULL, DYNAMIC_TYPE_AES); 8985 #endif 8986 8987 if (ret != 0) 8988 return ret; 8989 else 8990 return inSz + KEYWRAP_BLOCK_SIZE; 8204 8991 } 8205 8992 … … 8207 8994 byte* out, word32 outSz, const byte* iv) 8208 8995 { 8209 Aes aes; 8996 #ifdef WOLFSSL_SMALL_STACK 8997 Aes *aes = NULL; 8998 #else 8999 Aes aes[1]; 9000 #endif 9001 int aes_inited = 0; 8210 9002 byte* r; 8211 9003 word32 i, n; … … 8229 9021 if (inSz % KEYWRAP_BLOCK_SIZE != 0) 8230 9022 return BAD_FUNC_ARG; 9023 9024 #ifdef WOLFSSL_SMALL_STACK 9025 if ((aes = (Aes *)XMALLOC(sizeof *aes, NULL, 9026 DYNAMIC_TYPE_AES)) == NULL) 9027 return MEMORY_E; 9028 #endif 8231 9029 8232 9030 /* user IV optional */ … … 8242 9040 XMEMSET(t, 0, sizeof(t)); 8243 9041 8244 ret = wc_AesInit( &aes, NULL, INVALID_DEVID);9042 ret = wc_AesInit(aes, NULL, INVALID_DEVID); 8245 9043 if (ret != 0) 8246 return ret; 8247 8248 ret = wc_AesSetKey(&aes, key, keySz, NULL, AES_DECRYPTION); 9044 goto out; 9045 else 9046 aes_inited = 1; 9047 9048 ret = wc_AesSetKey(aes, key, keySz, NULL, AES_DECRYPTION); 8249 9049 if (ret != 0) 8250 return ret;9050 goto out; 8251 9051 8252 9052 /* initialize counter to 6n */ … … 8264 9064 r = out + ((i - 1) * KEYWRAP_BLOCK_SIZE); 8265 9065 XMEMCPY(tmp + KEYWRAP_BLOCK_SIZE, r, KEYWRAP_BLOCK_SIZE); 8266 wc_AesDecryptDirect( &aes, tmp, tmp);9066 wc_AesDecryptDirect(aes, tmp, tmp); 8267 9067 8268 9068 /* save R[i] */ … … 8271 9071 } 8272 9072 8273 wc_AesFree(&aes);8274 8275 9073 /* verify IV */ 8276 if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0) 8277 return BAD_KEYWRAP_IV_E; 8278 8279 return inSz - KEYWRAP_BLOCK_SIZE; 9074 if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0) { 9075 ret = BAD_KEYWRAP_IV_E; 9076 goto out; 9077 } 9078 9079 out: 9080 9081 if (aes_inited) 9082 wc_AesFree(aes); 9083 #ifdef WOLFSSL_SMALL_STACK 9084 if (aes) 9085 XFREE(aes, NULL, DYNAMIC_TYPE_AES); 9086 #endif 9087 9088 if (ret != 0) 9089 return ret; 9090 else 9091 return inSz - KEYWRAP_BLOCK_SIZE; 8280 9092 } 8281 9093
Note:
See TracChangeset
for help on using the changeset viewer.
