wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix to improve STM32 AES GCM with partial blocks. Use a local buffer for partial remainder and make sure remainder is zero'd.

Browse Source
This commit is contained in:
David Garske
2021-04-16 11:58:45 -07:00
parent 54e111aa85
commit 7cfd22304e
1 changed files with 49 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
wolfcrypt/src/aes.c
View File

@ -7021,13 +7021,33 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz
#ifdef STM32_AESGCM_PARTIAL #ifdef STM32_AESGCM_PARTIAL
hcryp.Init.HeaderPadSize = authPadSz - authInSz; hcryp.Init.HeaderPadSize = authPadSz - authInSz;
#endif #endif
ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE); #ifdef CRYP_KEYIVCONFIG_ONCE
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; /* allows repeated calls to HAL_CRYP_Encrypt */
hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE;
#endif
ByteReverseWords(ctr, ctr, AES_BLOCK_SIZE);
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
HAL_CRYP_Init(&hcryp); HAL_CRYP_Init(&hcryp);
#ifndef CRYP_KEYIVCONFIG_ONCE
/* GCM payload phase - can handle partial blocks */ /* GCM payload phase - can handle partial blocks */
status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in,
(blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
#else
/* GCM payload phase - blocks */
if (blocks) {
status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in,
(blocks * AES_BLOCK_SIZE), (uint32_t*)out, STM32_HAL_TIMEOUT);
}
/* GCM payload phase - partial remainder */
if (status == HAL_OK && (partial != 0 || blocks == 0)) {
XMEMSET(partialBlock, 0, sizeof(partialBlock));
XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)partialBlock, partial,
(uint32_t*)partialBlock, STM32_HAL_TIMEOUT);
XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
}
#endif
if (status == HAL_OK && !useSwGhash) { if (status == HAL_OK && !useSwGhash) {
/* Compute the authTag */ /* Compute the authTag */
status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
@ -7466,10 +7486,10 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
|| authPadSz != authInSz || authPadSz != authInSz
#endif #endif
) { ) {
GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag)); GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag));
wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock); wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock);
xorbuf(tag, partialBlock, sizeof(tag)); xorbuf(tag, partialBlock, sizeof(tag));
tagComputed = 1; tagComputed = 1;
} }
/* if using hardware for authentication tag make sure its aligned and zero padded */ /* if using hardware for authentication tag make sure its aligned and zero padded */
@ -7514,25 +7534,32 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
#ifdef STM32_AESGCM_PARTIAL #ifdef STM32_AESGCM_PARTIAL
hcryp.Init.HeaderPadSize = authPadSz - authInSz; hcryp.Init.HeaderPadSize = authPadSz - authInSz;
#endif #endif
ByteReverseWords(partialBlock, ctr, AES_BLOCK_SIZE); #ifdef CRYP_KEYIVCONFIG_ONCE
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock; /* allows repeated calls to HAL_CRYP_Decrypt */
hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE;
#endif
ByteReverseWords(ctr, ctr, AES_BLOCK_SIZE);
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
HAL_CRYP_Init(&hcryp); HAL_CRYP_Init(&hcryp);
/* GCM payload phase - can handle partial blocks */ #ifndef CRYP_KEYIVCONFIG_ONCE
#ifdef CRYP_HEADERWIDTHUNIT_BYTE
{
/* clear remainder of partial input (for 32-bit uint) */
word32 remain = (partial & 3);
if (remain > 0)
remain = 4 - remain;
while (sz > 0 && remain > 0) {
((byte*)in)[sz + remain - 1] = 0;
remain--;
}
}
#endif
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
(blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
#else
/* GCM payload phase - blocks */
if (blocks) {
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
(blocks * AES_BLOCK_SIZE), (uint32_t*)out, STM32_HAL_TIMEOUT);
}
/* GCM payload phase - partial remainder */
if (status == HAL_OK && (partial != 0 || blocks == 0)) {
XMEMSET(partialBlock, 0, sizeof(partialBlock));
XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)partialBlock, partial,
( uint32_t*)partialBlock, STM32_HAL_TIMEOUT);
XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
}
#endif
if (status == HAL_OK && !tagComputed) { if (status == HAL_OK && !tagComputed) {
/* Compute the authTag */ /* Compute the authTag */
status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag, status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
@ -7618,7 +7645,7 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
if (status != SUCCESS) if (status != SUCCESS)
ret = AES_GCM_AUTH_E; ret = AES_GCM_AUTH_E;
if (tagComputed == 0) if (tagComputed == 0)
XMEMCPY(tag, partialBlock, authTagSz); XMEMCPY(tag, partialBlock, authTagSz);
#endif /* WOLFSSL_STM32_CUBEMX */ #endif /* WOLFSSL_STM32_CUBEMX */
wolfSSL_CryptHwMutexUnLock(); wolfSSL_CryptHwMutexUnLock();