Merge branch 'feature/gcm_operation_using_ctr_based_calculation_v5.0' into 'release/v5.0'

GCM operation optimisation (v5.0)

See merge request espressif/esp-idf!21856

components/mbedtls/CMakeLists.txt

@@ -219,7 +219,7 @@ if(CONFIG_MBEDTLS_HARDWARE_SHA)
     )
 endif()
 
-if(CONFIG_MBEDTLS_HARDWARE_GCM)
+if(CONFIG_MBEDTLS_HARDWARE_GCM OR (NOT CONFIG_SOC_AES_SUPPORT_GCM AND CONFIG_MBEDTLS_HARDWARE_AES))
     target_sources(mbedcrypto PRIVATE  "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
 endif()
 

components/mbedtls/port/aes/esp_aes_gcm.c

@@ -16,7 +16,6 @@
  */
 #include "soc/soc_caps.h"
 
-#if SOC_AES_SUPPORT_GCM
 
 #include "aes/esp_aes.h"
 #include "aes/esp_aes_gcm.h"
@@ -28,6 +27,7 @@
 #include "esp_heap_caps.h"
 #include "soc/soc_memory_layout.h"
 
+#include "mbedtls/error.h"
 #include <string.h>
 
 #define ESP_PUT_BE64(a, val)                                    \
@@ -245,6 +245,11 @@ int esp_aes_gcm_setkey( esp_gcm_context *ctx,
                         const unsigned char *key,
                         unsigned int keybits )
 {
+#if !SOC_AES_SUPPORT_AES_192
+    if (keybits == 192) {
+        return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+    }
+#endif
     if (keybits != 128 && keybits != 192 && keybits != 256) {
         return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
     }
@@ -346,6 +351,8 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
     /* Initialize AES-GCM context */
     memset(ctx->ghash, 0, sizeof(ctx->ghash));
     ctx->data_len = 0;
+    ctx->aad = NULL;
+    ctx->aad_len = 0;
 
     ctx->iv = iv;
     ctx->iv_len = iv_len;
@@ -354,6 +361,7 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
     /* H and the lookup table are only generated once per ctx */
     if (ctx->gcm_state == ESP_AES_GCM_STATE_INIT) {
         /* Lock the AES engine to calculate ghash key H in hardware */
+#if SOC_AES_SUPPORT_GCM
         esp_aes_acquire_hardware();
         ctx->aes_ctx.key_in_hardware = aes_hal_setkey(ctx->aes_ctx.key, ctx->aes_ctx.key_bytes, mode);
         aes_hal_mode_init(ESP_AES_BLOCK_MODE_GCM);
@@ -361,10 +369,22 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
         aes_hal_gcm_calc_hash(ctx->H);
 
         esp_aes_release_hardware();
-
+#else
+        memset(ctx->H, 0, sizeof(ctx->H));
+        esp_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->H, ctx->H);
+#endif
         gcm_gen_table(ctx);
     }
 
+    /* Once H is obtained we need to derive J0 (Initial Counter Block) */
+    esp_gcm_derive_J0(ctx);
+
+    /* The initial counter block keeps updating during the esp_gcm_update call
+     * however to calculate final authentication tag T we need original J0
+     * so we make a copy here
+     */
+    memcpy(ctx->ori_j0, ctx->J0, 16);
+
     ctx->gcm_state = ESP_AES_GCM_STATE_START;
 
     return ( 0 );
@@ -389,26 +409,14 @@ int esp_aes_gcm_update_ad( esp_gcm_context *ctx,
         return -1;
     }
 
-    /* Initialize AES-GCM context */
-    memset(ctx->ghash, 0, sizeof(ctx->ghash));
-    ctx->data_len = 0;
-
-    ctx->aad = aad;
-    ctx->aad_len = aad_len;
-
     if (ctx->gcm_state != ESP_AES_GCM_STATE_START) {
         ESP_LOGE(TAG, "AES context in invalid state!");
         return -1;
     }
 
-    /* Once H is obtained we need to derive J0 (Initial Counter Block) */
+    /* Initialise associated data */
-    esp_gcm_derive_J0(ctx);
+    ctx->aad = aad;
-
+    ctx->aad_len = aad_len;
-    /* The initial counter block keeps updating during the esp_gcm_update call
-     * however to calculate final authentication tag T we need original J0
-     * so we make a copy here
-     */
-    memcpy(ctx->ori_j0, ctx->J0, 16);
 
     esp_gcm_ghash(ctx, ctx->aad, ctx->aad_len, ctx->ghash);
 
@@ -425,6 +433,12 @@ int esp_aes_gcm_update( esp_gcm_context *ctx,
     uint8_t nonce_counter[AES_BLOCK_BYTES] = {0};
     uint8_t stream[AES_BLOCK_BYTES] = {0};
 
+    if (!output_length) {
+        ESP_LOGE(TAG, "No output length supplied");
+        return -1;
+    }
+    *output_length = input_length;
+
     if (!ctx) {
         ESP_LOGE(TAG, "No GCM context supplied");
         return -1;
@@ -484,6 +498,7 @@ int esp_aes_gcm_finish( esp_gcm_context *ctx,
 {
     size_t nc_off = 0;
     uint8_t len_block[AES_BLOCK_BYTES] = {0};
+    uint8_t stream[AES_BLOCK_BYTES] = {0};
 
     if ( tag_len > 16 || tag_len < 4 ) {
         return ( MBEDTLS_ERR_GCM_BAD_INPUT );
@@ -495,11 +510,12 @@ int esp_aes_gcm_finish( esp_gcm_context *ctx,
     esp_gcm_ghash(ctx, len_block, AES_BLOCK_BYTES, ctx->ghash);
 
     /* Tag T = GCTR(J0, ) where T is truncated to tag_len */
-    esp_aes_crypt_ctr(&ctx->aes_ctx, tag_len, &nc_off, ctx->ori_j0, 0, ctx->ghash, tag);
+    esp_aes_crypt_ctr(&ctx->aes_ctx, tag_len, &nc_off, ctx->ori_j0, stream, ctx->ghash, tag);
 
     return 0;
 }
 
+#if SOC_AES_SUPPORT_GCM
 /* Due to restrictions in the hardware (e.g. need to do the whole conversion in one go),
    some combinations of inputs are not supported */
 static bool esp_aes_gcm_input_support_hw_accel(size_t length, const unsigned char *aad, size_t aad_len,
@@ -529,6 +545,7 @@ static bool esp_aes_gcm_input_support_hw_accel(size_t length, const unsigned cha
 
     return support_hw_accel;
 }
+#endif
 
 static int esp_aes_gcm_crypt_and_tag_partial_hw( esp_gcm_context *ctx,
         int mode,
@@ -543,6 +560,7 @@ static int esp_aes_gcm_crypt_and_tag_partial_hw( esp_gcm_context *ctx,
         unsigned char *tag )
 {
     int ret = 0;
+    size_t olen;
 
     if ( ( ret = esp_aes_gcm_starts( ctx, mode, iv, iv_len ) ) != 0 ) {
         return ( ret );
@@ -552,11 +570,11 @@ static int esp_aes_gcm_crypt_and_tag_partial_hw( esp_gcm_context *ctx,
         return ( ret );
     }
 
-    if ( ( ret = esp_aes_gcm_update( ctx, input, length, output, 0, NULL ) ) != 0 ) {
+    if ( ( ret = esp_aes_gcm_update( ctx, input, length, output, 0, &olen ) ) != 0 ) {
         return ( ret );
     }
 
-    if ( ( ret = esp_aes_gcm_finish( ctx, output, 0, NULL, tag, tag_len ) ) != 0 ) {
+    if ( ( ret = esp_aes_gcm_finish( ctx, output, 0, &olen, tag, tag_len ) ) != 0 ) {
         return ( ret );
     }
 
@@ -575,6 +593,7 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
                                size_t tag_len,
                                unsigned char *tag )
 {
+#if SOC_AES_SUPPORT_GCM
     int ret;
     lldesc_t aad_desc[2] = {};
     lldesc_t *aad_head_desc = NULL;
@@ -673,6 +692,9 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
     esp_aes_release_hardware();
 
     return ( ret );
+#else
+    return esp_aes_gcm_crypt_and_tag_partial_hw(ctx, mode, length, iv, iv_len, aad, aad_len, input, output, tag_len, tag);
+#endif
 }
 
 
@@ -710,5 +732,3 @@ int esp_aes_gcm_auth_decrypt( esp_gcm_context *ctx,
 
     return ( 0 );
 }
-
-#endif //SOC_AES_SUPPORT_GCM

components/mbedtls/port/include/gcm_alt.h

@@ -18,7 +18,7 @@ extern "C" {
 
 #if defined(MBEDTLS_GCM_ALT)
 
-#if SOC_AES_SUPPORT_GCM
+
 #include "aes/esp_aes_gcm.h"
 
 
@@ -34,8 +34,6 @@ typedef esp_gcm_context mbedtls_gcm_context;
 #define mbedtls_gcm_auth_decrypt    esp_aes_gcm_auth_decrypt
 #define mbedtls_gcm_crypt_and_tag   esp_aes_gcm_crypt_and_tag
 
-#endif // SOC_AES_SUPPORT_GCM
-
 #endif /* MBEDTLS_GCM_ALT */
 
 #ifdef __cplusplus

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -137,10 +137,8 @@
 #undef MBEDTLS_AES_ALT
 #endif
 
-#ifdef CONFIG_MBEDTLS_HARDWARE_GCM
+#ifdef CONFIG_MBEDTLS_HARDWARE_AES
 #define MBEDTLS_GCM_ALT
-#else
-#undef MBEDTLS_GCM_ALT
 #endif
 
 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support

components/mbedtls/test/test_aes_gcm.c

@@ -17,7 +17,7 @@
 #include "ccomp_timer.h"
 #include "sys/param.h"
 
-#if CONFIG_MBEDTLS_HARDWARE_GCM
+#if CONFIG_MBEDTLS_HARDWARE_AES
 
 /*
     Python example code for generating test vectors
@@ -105,13 +105,13 @@ TEST_CASE("mbedtls GCM stream test", "[aes-gcm]")
         mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, nonce, sizeof(nonce) );
         mbedtls_gcm_update_ad( &ctx, NULL, 0 );
 
+        size_t olen;
         // Encrypt
         for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
             // Limit length of last call to avoid exceeding buffer size
             size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
-            mbedtls_gcm_update(&ctx, plaintext + idx, length, ciphertext + idx, 0, NULL);
+            mbedtls_gcm_update(&ctx, plaintext + idx, length, ciphertext + idx, length, &olen);
         }
-        size_t olen;
         mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag, sizeof(tag) );
         TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, ciphertext, SZ);
         TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_tag, tag, sizeof(tag));
@@ -129,7 +129,7 @@ TEST_CASE("mbedtls GCM stream test", "[aes-gcm]")
             // Limit length of last call to avoid exceeding buffer size
 
             size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
-            mbedtls_gcm_update(&ctx, ciphertext + idx, length, decryptedtext + idx, 0, NULL);
+            mbedtls_gcm_update(&ctx, ciphertext + idx, length, decryptedtext + idx, length, &olen);
         }
         mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag, sizeof(tag) );
         TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
@@ -199,7 +199,7 @@ static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *r
     } else if (aes_gcm_type == AES_GCM_TEST_START_UPDATE_FINISH) {
         TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, iv_buf, cfg->iv_length) == 0 );
         TEST_ASSERT(mbedtls_gcm_update_ad( &ctx, cfg->add_buf, cfg->add_length) == 0 );
-        TEST_ASSERT(mbedtls_gcm_update( &ctx, cfg->plaintext, cfg->plaintext_length, ciphertext, 0, NULL) == 0 );
+        TEST_ASSERT(mbedtls_gcm_update( &ctx, cfg->plaintext, cfg->plaintext_length, ciphertext, cfg->plaintext_length, &olen) == 0 );
         TEST_ASSERT(mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag_buf_encrypt, cfg->tag_len) == 0 );
     }
     size_t offset = cfg->plaintext_length > 16 ? cfg->plaintext_length - 16 : 0;
@@ -214,7 +214,7 @@ static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *r
     } else if (aes_gcm_type == AES_GCM_TEST_START_UPDATE_FINISH) {
         TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_DECRYPT, iv_buf, cfg->iv_length) == 0 );
         TEST_ASSERT(mbedtls_gcm_update_ad( &ctx, cfg->add_buf, cfg->add_length) == 0 );
-        TEST_ASSERT(mbedtls_gcm_update( &ctx, ciphertext, cfg->plaintext_length, output, 0, NULL) == 0 );
+        TEST_ASSERT(mbedtls_gcm_update( &ctx, ciphertext, cfg->plaintext_length, output, cfg->plaintext_length, &olen) == 0 );
         TEST_ASSERT(mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag_buf_decrypt, cfg->tag_len) == 0 );
 
         /* mbedtls_gcm_auth_decrypt already checks tag so only needed for AES_GCM_TEST_START_UPDATE_FINISH */
@@ -222,7 +222,7 @@ static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *r
     }
 
     TEST_ASSERT_EQUAL_HEX8_ARRAY(cfg->plaintext, output, cfg->plaintext_length);
-
+    mbedtls_gcm_free( &ctx );
     free(ciphertext);
     free(output);
 }
@@ -439,7 +439,7 @@ TEST_CASE("mbedtls AES GCM performance, start, update, ret", "[aes-gcm]")
 
     TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, iv, sizeof(iv) ) == 0 );
     TEST_ASSERT(mbedtls_gcm_update_ad( &ctx, aad, sizeof(aad)) == 0 );
-    TEST_ASSERT(mbedtls_gcm_update( &ctx, buf, CALL_SZ, buf, 0, NULL) == 0 );
+    TEST_ASSERT(mbedtls_gcm_update( &ctx, buf, CALL_SZ, buf, CALL_SZ, &olen) == 0 );
     TEST_ASSERT(mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag_buf, 16 ) == 0 );
 
     elapsed_usec = ccomp_timer_stop();
@@ -830,4 +830,4 @@ TEST_CASE("mbedtls AES GCM - Combine different IV/Key/Plaintext/AAD lengths", "[
     }
 }
 
-#endif //CONFIG_MBEDTLS_HARDWARE_GCM
+#endif //CONFIG_MBEDTLS_HARDWARE_AES