diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 5ced9b2f7..4b940cfc5 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -6987,10 +6987,14 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz /* for cases where hardware cannot be used for authTag calculate it */ /* if IV is not 12 calculate GHASH using software */ if (ivSz != GCM_NONCE_MID_SZ -#ifndef STM32_AESGCM_PARTIAL + #ifndef CRYP_HEADERWIDTHUNIT_BYTE + /* or harware that does not support partial block */ + || sz == 0 || partial != 0 + #endif + #ifndef STM32_AESGCM_PARTIAL /* or authIn is not a multiple of 4 */ - || authPadSz != authInSz || sz == 0 || partial != 0 -#endif + || authPadSz != authInSz + #endif ) { useSwGhash = 1; } @@ -7008,17 +7012,42 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz #if defined(STM32_HAL_V2) hcryp.Init.Algorithm = CRYP_AES_GCM; + #ifdef CRYP_HEADERWIDTHUNIT_BYTE + /* V2 with CRYP_HEADERWIDTHUNIT_BYTE uses byte size for header */ + hcryp.Init.HeaderSize = authPadSz; + #else hcryp.Init.HeaderSize = authPadSz/sizeof(word32); + #endif #ifdef STM32_AESGCM_PARTIAL hcryp.Init.HeaderPadSize = authPadSz - authInSz; #endif - ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE); - hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; + #ifdef CRYP_KEYIVCONFIG_ONCE + /* allows repeated calls to HAL_CRYP_Encrypt */ + hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE; + #endif + ByteReverseWords(ctr, ctr, AES_BLOCK_SIZE); + hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; HAL_CRYP_Init(&hcryp); + #ifndef CRYP_KEYIVCONFIG_ONCE /* GCM payload phase - can handle partial blocks */ status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); + #else + /* GCM payload phase - blocks */ + if (blocks) { + status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, + (blocks * AES_BLOCK_SIZE), (uint32_t*)out, STM32_HAL_TIMEOUT); + } + /* GCM payload phase - partial remainder */ + if (status == HAL_OK && (partial != 0 || blocks == 0)) { + XMEMSET(partialBlock, 0, sizeof(partialBlock)); + XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial); + status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)partialBlock, partial, + (uint32_t*)partialBlock, STM32_HAL_TIMEOUT); + XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial); + } + #endif if (status == HAL_OK && !useSwGhash) { /* Compute the authTag */ status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, @@ -7447,16 +7476,20 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out, /* for cases where hardware cannot be used for authTag calculate it */ /* if IV is not 12 calculate GHASH using software */ - if (ivSz != GCM_NONCE_MID_SZ || sz == 0 || partial != 0 -#ifndef STM32_AESGCM_PARTIAL + if (ivSz != GCM_NONCE_MID_SZ + #ifndef CRYP_HEADERWIDTHUNIT_BYTE + /* or harware that does not support partial block */ + || sz == 0 || partial != 0 + #endif + #ifndef STM32_AESGCM_PARTIAL /* or authIn is not a multiple of 4 */ || authPadSz != authInSz -#endif + #endif ) { - GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag)); - wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock); - xorbuf(tag, partialBlock, sizeof(tag)); - tagComputed = 1; + GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag)); + wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock); + xorbuf(tag, partialBlock, sizeof(tag)); + tagComputed = 1; } /* if using hardware for authentication tag make sure its aligned and zero padded */ @@ -7492,18 +7525,42 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out, #if defined(STM32_HAL_V2) hcryp.Init.Algorithm = CRYP_AES_GCM; + #ifdef CRYP_HEADERWIDTHUNIT_BYTE + /* V2 with CRYP_HEADERWIDTHUNIT_BYTE uses byte size for header */ + hcryp.Init.HeaderSize = authPadSz; + #else hcryp.Init.HeaderSize = authPadSz/sizeof(word32); + #endif #ifdef STM32_AESGCM_PARTIAL hcryp.Init.HeaderPadSize = authPadSz - authInSz; #endif - ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE); - hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; + #ifdef CRYP_KEYIVCONFIG_ONCE + /* allows repeated calls to HAL_CRYP_Decrypt */ + hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE; + #endif + ByteReverseWords(ctr, ctr, AES_BLOCK_SIZE); + hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; HAL_CRYP_Init(&hcryp); - /* GCM payload phase - can handle partial blocks */ + #ifndef CRYP_KEYIVCONFIG_ONCE status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); - if (status == HAL_OK && tagComputed == 0) { + #else + /* GCM payload phase - blocks */ + if (blocks) { + status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, + (blocks * AES_BLOCK_SIZE), (uint32_t*)out, STM32_HAL_TIMEOUT); + } + /* GCM payload phase - partial remainder */ + if (status == HAL_OK && (partial != 0 || blocks == 0)) { + XMEMSET(partialBlock, 0, sizeof(partialBlock)); + XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial); + status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)partialBlock, partial, +( uint32_t*)partialBlock, STM32_HAL_TIMEOUT); + XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial); + } + #endif + if (status == HAL_OK && !tagComputed) { /* Compute the authTag */ status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, STM32_HAL_TIMEOUT); @@ -7588,7 +7645,7 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out, if (status != SUCCESS) ret = AES_GCM_AUTH_E; if (tagComputed == 0) - XMEMCPY(tag, partialBlock, authTagSz); + XMEMCPY(tag, partialBlock, authTagSz); #endif /* WOLFSSL_STM32_CUBEMX */ wolfSSL_CryptHwMutexUnLock(); diff --git a/wolfcrypt/src/port/st/stm32.c b/wolfcrypt/src/port/st/stm32.c index dd19797a8..390fa23f4 100644 --- a/wolfcrypt/src/port/st/stm32.c +++ b/wolfcrypt/src/port/st/stm32.c @@ -294,6 +294,9 @@ int wc_Stm32_Aes_Init(Aes* aes, CRYP_HandleTypeDef* hcryp) hcryp->Init.pKey = (STM_CRYPT_TYPE*)aes->key; #ifdef STM32_HAL_V2 hcryp->Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE; + #ifdef CRYP_HEADERWIDTHUNIT_BYTE + hcryp->Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_BYTE; + #endif #endif return 0;