forked from wolfSSL/wolfssl
Merge pull request #3951 from dgarske/stm32_aes_h7
Fix for AES GCM with STM32H7
This commit is contained in:
Chris Conlon
GitHub
@ -6987,9 +6987,13 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz
|
||||
/* for cases where hardware cannot be used for authTag calculate it */
|
||||
/* if IV is not 12 calculate GHASH using software */
|
||||
if (ivSz != GCM_NONCE_MID_SZ
|
||||
#ifndef CRYP_HEADERWIDTHUNIT_BYTE
|
||||
/* or harware that does not support partial block */
|
||||
|| sz == 0 || partial != 0
|
||||
#endif
|
||||
#ifndef STM32_AESGCM_PARTIAL
|
||||
/* or authIn is not a multiple of 4 */
|
||||
|| authPadSz != authInSz || sz == 0 || partial != 0
|
||||
|| authPadSz != authInSz
|
||||
#endif
|
||||
) {
|
||||
useSwGhash = 1;
|
||||
@ -7008,17 +7012,42 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz
|
||||
|
||||
#if defined(STM32_HAL_V2)
|
||||
hcryp.Init.Algorithm = CRYP_AES_GCM;
|
||||
#ifdef CRYP_HEADERWIDTHUNIT_BYTE
|
||||
/* V2 with CRYP_HEADERWIDTHUNIT_BYTE uses byte size for header */
|
||||
hcryp.Init.HeaderSize = authPadSz;
|
||||
#else
|
||||
hcryp.Init.HeaderSize = authPadSz/sizeof(word32);
|
||||
#endif
|
||||
#ifdef STM32_AESGCM_PARTIAL
|
||||
hcryp.Init.HeaderPadSize = authPadSz - authInSz;
|
||||
#endif
|
||||
ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE);
|
||||
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock;
|
||||
#ifdef CRYP_KEYIVCONFIG_ONCE
|
||||
/* allows repeated calls to HAL_CRYP_Encrypt */
|
||||
hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE;
|
||||
#endif
|
||||
ByteReverseWords(ctr, ctr, AES_BLOCK_SIZE);
|
||||
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
|
||||
HAL_CRYP_Init(&hcryp);
|
||||
|
||||
#ifndef CRYP_KEYIVCONFIG_ONCE
|
||||
/* GCM payload phase - can handle partial blocks */
|
||||
status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in,
|
||||
(blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
|
||||
#else
|
||||
/* GCM payload phase - blocks */
|
||||
if (blocks) {
|
||||
status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in,
|
||||
(blocks * AES_BLOCK_SIZE), (uint32_t*)out, STM32_HAL_TIMEOUT);
|
||||
}
|
||||
/* GCM payload phase - partial remainder */
|
||||
if (status == HAL_OK && (partial != 0 || blocks == 0)) {
|
||||
XMEMSET(partialBlock, 0, sizeof(partialBlock));
|
||||
XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
|
||||
status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)partialBlock, partial,
|
||||
(uint32_t*)partialBlock, STM32_HAL_TIMEOUT);
|
||||
XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
|
||||
}
|
||||
#endif
|
||||
if (status == HAL_OK && !useSwGhash) {
|
||||
/* Compute the authTag */
|
||||
status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
|
||||
@ -7447,7 +7476,11 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
|
||||
|
||||
/* for cases where hardware cannot be used for authTag calculate it */
|
||||
/* if IV is not 12 calculate GHASH using software */
|
||||
if (ivSz != GCM_NONCE_MID_SZ || sz == 0 || partial != 0
|
||||
if (ivSz != GCM_NONCE_MID_SZ
|
||||
#ifndef CRYP_HEADERWIDTHUNIT_BYTE
|
||||
/* or harware that does not support partial block */
|
||||
|| sz == 0 || partial != 0
|
||||
#endif
|
||||
#ifndef STM32_AESGCM_PARTIAL
|
||||
/* or authIn is not a multiple of 4 */
|
||||
|| authPadSz != authInSz
|
||||
@ -7492,18 +7525,42 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
|
||||
|
||||
#if defined(STM32_HAL_V2)
|
||||
hcryp.Init.Algorithm = CRYP_AES_GCM;
|
||||
#ifdef CRYP_HEADERWIDTHUNIT_BYTE
|
||||
/* V2 with CRYP_HEADERWIDTHUNIT_BYTE uses byte size for header */
|
||||
hcryp.Init.HeaderSize = authPadSz;
|
||||
#else
|
||||
hcryp.Init.HeaderSize = authPadSz/sizeof(word32);
|
||||
#endif
|
||||
#ifdef STM32_AESGCM_PARTIAL
|
||||
hcryp.Init.HeaderPadSize = authPadSz - authInSz;
|
||||
#endif
|
||||
ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE);
|
||||
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock;
|
||||
#ifdef CRYP_KEYIVCONFIG_ONCE
|
||||
/* allows repeated calls to HAL_CRYP_Decrypt */
|
||||
hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE;
|
||||
#endif
|
||||
ByteReverseWords(ctr, ctr, AES_BLOCK_SIZE);
|
||||
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
|
||||
HAL_CRYP_Init(&hcryp);
|
||||
|
||||
/* GCM payload phase - can handle partial blocks */
|
||||
#ifndef CRYP_KEYIVCONFIG_ONCE
|
||||
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
|
||||
(blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
|
||||
if (status == HAL_OK && tagComputed == 0) {
|
||||
#else
|
||||
/* GCM payload phase - blocks */
|
||||
if (blocks) {
|
||||
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
|
||||
(blocks * AES_BLOCK_SIZE), (uint32_t*)out, STM32_HAL_TIMEOUT);
|
||||
}
|
||||
/* GCM payload phase - partial remainder */
|
||||
if (status == HAL_OK && (partial != 0 || blocks == 0)) {
|
||||
XMEMSET(partialBlock, 0, sizeof(partialBlock));
|
||||
XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
|
||||
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)partialBlock, partial,
|
||||
( uint32_t*)partialBlock, STM32_HAL_TIMEOUT);
|
||||
XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
|
||||
}
|
||||
#endif
|
||||
if (status == HAL_OK && !tagComputed) {
|
||||
/* Compute the authTag */
|
||||
status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
|
||||
STM32_HAL_TIMEOUT);
|
||||
|
||||
@ -294,6 +294,9 @@ int wc_Stm32_Aes_Init(Aes* aes, CRYP_HandleTypeDef* hcryp)
|
||||
hcryp->Init.pKey = (STM_CRYPT_TYPE*)aes->key;
|
||||
#ifdef STM32_HAL_V2
|
||||
hcryp->Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;
|
||||
#ifdef CRYP_HEADERWIDTHUNIT_BYTE
|
||||
hcryp->Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_BYTE;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
|
||||
Reference in New Issue
Block a user