3
0

tls_aesgcm.c 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202
  1. /*
  2. * Copyright (C) 2018 Denys Vlasenko
  3. *
  4. * Licensed under GPLv2, see file LICENSE in this source tree.
  5. */
  6. #include "tls.h"
  7. typedef uint8_t byte;
  8. typedef uint32_t word32;
  9. #define XMEMSET memset
  10. #define XMEMCPY memcpy
  11. /* from wolfssl-3.15.3/wolfcrypt/src/aes.c */
  12. #ifdef UNUSED
  13. static ALWAYS_INLINE void FlattenSzInBits(byte* buf, word32 sz)
  14. {
  15. /* Multiply the sz by 8 */
  16. //bbox: these sizes are never even close to 2^32/8
  17. // word32 szHi = (sz >> (8*sizeof(sz) - 3));
  18. sz <<= 3;
  19. /* copy over the words of the sz into the destination buffer */
  20. // buf[0] = (szHi >> 24) & 0xff;
  21. // buf[1] = (szHi >> 16) & 0xff;
  22. // buf[2] = (szHi >> 8) & 0xff;
  23. // buf[3] = szHi & 0xff;
  24. *(uint32_t*)(buf + 0) = 0;
  25. // buf[4] = (sz >> 24) & 0xff;
  26. // buf[5] = (sz >> 16) & 0xff;
  27. // buf[6] = (sz >> 8) & 0xff;
  28. // buf[7] = sz & 0xff;
  29. *(uint32_t*)(buf + 4) = SWAP_BE32(sz);
  30. }
  31. #endif
  32. static void RIGHTSHIFTX(byte* x)
  33. {
  34. #define l ((unsigned long*)x)
  35. #if 0
  36. // Generic byte-at-a-time algorithm
  37. int i;
  38. byte carryIn = (x[15] & 0x01) ? 0xE1 : 0;
  39. for (i = 0; i < AES_BLOCK_SIZE; i++) {
  40. byte carryOut = (x[i] << 7); // zero, or 0x80
  41. x[i] = (x[i] >> 1) ^ carryIn;
  42. carryIn = carryOut;
  43. }
  44. #elif BB_BIG_ENDIAN
  45. // Big-endian can shift-right in larger than byte chunks
  46. // (we use the fact that 'x' is long-aligned)
  47. unsigned long carryIn = (x[15] & 0x01)
  48. ? ((unsigned long)0xE1 << (LONG_BIT-8))
  49. : 0;
  50. # if ULONG_MAX <= 0xffffffff
  51. int i;
  52. for (i = 0; i < AES_BLOCK_SIZE/sizeof(long); i++) {
  53. unsigned long carryOut = l[i] << (LONG_BIT-1); // zero, or 0x800..00
  54. l[i] = (l[i] >> 1) ^ carryIn;
  55. carryIn = carryOut;
  56. }
  57. # else
  58. // 64-bit code: need to process only 2 words
  59. unsigned long carryOut = l[0] << (LONG_BIT-1); // zero, or 0x800..00
  60. l[0] = (l[0] >> 1) ^ carryIn;
  61. l[1] = (l[1] >> 1) ^ carryOut;
  62. # endif
  63. #else /* LITTLE_ENDIAN */
  64. // In order to use word-sized ops, little-endian needs to byteswap.
  65. // On x86, code size increase is ~10 bytes compared to byte-by-byte.
  66. unsigned long carryIn = (x[15] & 0x01)
  67. ? ((unsigned long)0xE1 << (LONG_BIT-8))
  68. : 0;
  69. # if ULONG_MAX <= 0xffffffff
  70. int i;
  71. for (i = 0; i < AES_BLOCK_SIZE/sizeof(long); i++) {
  72. unsigned long ti = SWAP_BE32(l[i]);
  73. unsigned long carryOut = ti << (LONG_BIT-1); // zero, or 0x800..00
  74. ti = (ti >> 1) ^ carryIn;
  75. l[i] = SWAP_BE32(ti);
  76. carryIn = carryOut;
  77. }
  78. # else
  79. // 64-bit code: need to process only 2 words
  80. unsigned long tt = SWAP_BE64(l[0]);
  81. unsigned long carryOut = tt << (LONG_BIT-1); // zero, or 0x800..00
  82. tt = (tt >> 1) ^ carryIn; l[0] = SWAP_BE64(tt);
  83. tt = SWAP_BE64(l[1]);
  84. tt = (tt >> 1) ^ carryOut; l[1] = SWAP_BE64(tt);
  85. # endif
  86. #endif /* LITTLE_ENDIAN */
  87. #undef l
  88. }
  89. // Caller guarantees X is aligned
  90. static void GMULT(byte* X, byte* Y)
  91. {
  92. byte Z[AES_BLOCK_SIZE] ALIGNED_long;
  93. //byte V[AES_BLOCK_SIZE] ALIGNED_long;
  94. int i;
  95. XMEMSET(Z, 0, AES_BLOCK_SIZE);
  96. //XMEMCPY(V, X, AES_BLOCK_SIZE);
  97. for (i = 0; i < AES_BLOCK_SIZE; i++) {
  98. uint32_t y = 0x800000 | Y[i];
  99. for (;;) { // for every bit in Y[i], from msb to lsb
  100. if (y & 0x80) {
  101. xorbuf_aligned_AES_BLOCK_SIZE(Z, X); // was V, not X
  102. }
  103. RIGHTSHIFTX(X); // was V, not X
  104. y = y << 1;
  105. if ((int32_t)y < 0) // if bit 0x80000000 set = if 8 iterations done
  106. break;
  107. }
  108. }
  109. XMEMCPY(X, Z, AES_BLOCK_SIZE);
  110. }
  111. //bbox:
  112. // for TLS AES-GCM, a (which is AAD) is always 13 bytes long, and bbox code provides
  113. // extra 3 zeroed bytes, making it a[16], or a[AES_BLOCK_SIZE].
  114. // Resulting auth tag in s[] is also always AES_BLOCK_SIZE bytes.
  115. //
  116. // This allows some simplifications.
  117. #define aSz 13
  118. #define sSz AES_BLOCK_SIZE
  119. void FAST_FUNC aesgcm_GHASH(byte* h,
  120. const byte* a, //unsigned aSz,
  121. const byte* c, unsigned cSz,
  122. byte* s //, unsigned sSz
  123. )
  124. {
  125. byte x[AES_BLOCK_SIZE] ALIGNED_long;
  126. // byte scratch[AES_BLOCK_SIZE] ALIGNED_long;
  127. unsigned blocks, partial;
  128. //was: byte* h = aes->H;
  129. //XMEMSET(x, 0, AES_BLOCK_SIZE);
  130. /* Hash in A, the Additional Authentication Data */
  131. // if (aSz != 0 && a != NULL) {
  132. // blocks = aSz / AES_BLOCK_SIZE;
  133. // partial = aSz % AES_BLOCK_SIZE;
  134. // while (blocks--) {
  135. //xorbuf(x, a, AES_BLOCK_SIZE);
  136. XMEMCPY(x, a, AES_BLOCK_SIZE);// memcpy(x,a) = memset(x,0)+xorbuf(x,a)
  137. GMULT(x, h);
  138. // a += AES_BLOCK_SIZE;
  139. // }
  140. // if (partial != 0) {
  141. // XMEMSET(scratch, 0, AES_BLOCK_SIZE);
  142. // XMEMCPY(scratch, a, partial);
  143. // xorbuf(x, scratch, AES_BLOCK_SIZE);
  144. // GMULT(x, h);
  145. // }
  146. // }
  147. /* Hash in C, the Ciphertext */
  148. if (cSz != 0 /*&& c != NULL*/) {
  149. blocks = cSz / AES_BLOCK_SIZE;
  150. partial = cSz % AES_BLOCK_SIZE;
  151. while (blocks--) {
  152. if (BB_UNALIGNED_MEMACCESS_OK) // c is not guaranteed to be aligned
  153. xorbuf_aligned_AES_BLOCK_SIZE(x, c);
  154. else
  155. xorbuf(x, c, AES_BLOCK_SIZE);
  156. GMULT(x, h);
  157. c += AES_BLOCK_SIZE;
  158. }
  159. if (partial != 0) {
  160. //XMEMSET(scratch, 0, AES_BLOCK_SIZE);
  161. //XMEMCPY(scratch, c, partial);
  162. //xorbuf(x, scratch, AES_BLOCK_SIZE);
  163. xorbuf(x, c, partial);//same result as above
  164. GMULT(x, h);
  165. }
  166. }
  167. /* Hash in the lengths of A and C in bits */
  168. //FlattenSzInBits(&scratch[0], aSz);
  169. //FlattenSzInBits(&scratch[8], cSz);
  170. //xorbuf_aligned_AES_BLOCK_SIZE(x, scratch);
  171. // simpler:
  172. #define P32(v) ((uint32_t*)v)
  173. //P32(x)[0] ^= 0;
  174. P32(x)[1] ^= SWAP_BE32(aSz * 8);
  175. //P32(x)[2] ^= 0;
  176. P32(x)[3] ^= SWAP_BE32(cSz * 8);
  177. #undef P32
  178. GMULT(x, h);
  179. /* Copy the result into s. */
  180. XMEMCPY(s, x, sSz);
  181. }