andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: /* Copyright(c) 2013, Intel Corp. */ andre@0: andre@0: /* Wrapper functions for Intel optimized implementation of AES-GCM */ andre@0: andre@0: #ifdef USE_HW_AES andre@0: andre@0: #ifdef FREEBL_NO_DEPEND andre@0: #include "stubs.h" andre@0: #endif andre@0: andre@0: #include "blapii.h" andre@0: #include "blapit.h" andre@0: #include "gcm.h" andre@0: #include "ctr.h" andre@0: #include "secerr.h" andre@0: #include "prtypes.h" andre@0: #include "pkcs11t.h" andre@0: andre@0: #include andre@0: andre@0: #include "intel-gcm.h" andre@0: #include "rijndael.h" andre@0: andre@0: #include andre@0: #include andre@0: andre@0: andre@0: struct intel_AES_GCMContextStr{ andre@0: unsigned char Htbl[16*AES_BLOCK_SIZE]; andre@0: unsigned char X0[AES_BLOCK_SIZE]; andre@0: unsigned char T[AES_BLOCK_SIZE]; andre@0: unsigned char CTR[AES_BLOCK_SIZE]; andre@0: AESContext *aes_context; andre@0: unsigned long tagBits; andre@0: unsigned long Alen; andre@0: unsigned long Mlen; andre@0: }; andre@0: andre@0: intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, andre@0: freeblCipherFunc cipher, andre@0: const unsigned char *params, andre@0: unsigned int blocksize) andre@0: { andre@0: intel_AES_GCMContext *gcm = NULL; andre@0: AESContext *aes = (AESContext*)context; andre@0: const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params; andre@0: unsigned char buff[AES_BLOCK_SIZE]; /* aux buffer */ andre@0: andre@0: int IV_whole_len = gcmParams->ulIvLen&(~0xf); andre@0: int IV_remainder_len = gcmParams->ulIvLen&0xf; andre@0: int AAD_whole_len = gcmParams->ulAADLen&(~0xf); andre@0: int AAD_remainder_len = gcmParams->ulAADLen&0xf; andre@0: andre@0: __m128i BSWAP_MASK = _mm_setr_epi8(15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0); andre@0: __m128i ONE = _mm_set_epi32(0,0,0,1); andre@0: unsigned int j; andre@0: SECStatus rv; andre@0: andre@0: if (blocksize != AES_BLOCK_SIZE) { andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); andre@0: return NULL; andre@0: } andre@0: gcm = PORT_ZNew(intel_AES_GCMContext); andre@0: andre@0: if (gcm == NULL) { andre@0: return NULL; andre@0: } andre@0: /* initialize context fields */ andre@0: gcm->aes_context = aes; andre@0: gcm->tagBits = gcmParams->ulTagBits; andre@0: gcm->Alen = 0; andre@0: gcm->Mlen = 0; andre@0: /* first prepare H and its derivatives for ghash */ andre@0: intel_aes_gcmINIT(gcm->Htbl, (unsigned char*)aes->expandedKey, aes->Nr); andre@0: /* Initial TAG value is zero*/ andre@0: _mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128()); andre@0: _mm_storeu_si128((__m128i*)gcm->X0, _mm_setzero_si128()); andre@0: /* Init the counter */ andre@0: if(gcmParams->ulIvLen == 12) { andre@0: _mm_storeu_si128((__m128i*)gcm->CTR, _mm_setr_epi32(((unsigned int*)gcmParams->pIv)[0], ((unsigned int*)gcmParams->pIv)[1], ((unsigned int*)gcmParams->pIv)[2], 0x01000000)); andre@0: } else { andre@0: /* If IV size is not 96 bits, then the initial counter value is GHASH of the IV */ andre@0: intel_aes_gcmAAD(gcm->Htbl, gcmParams->pIv, IV_whole_len, gcm->T); andre@0: /* Partial block */ andre@0: if(IV_remainder_len) { andre@0: PORT_Memset(buff, 0, AES_BLOCK_SIZE); andre@0: PORT_Memcpy(buff, gcmParams->pIv + IV_whole_len, IV_remainder_len); andre@0: intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T); andre@0: } andre@0: andre@0: intel_aes_gcmTAG andre@0: ( andre@0: gcm->Htbl, andre@0: gcm->T, andre@0: gcmParams->ulIvLen, andre@0: 0, andre@0: gcm->X0, andre@0: gcm->CTR andre@0: ); andre@0: /* TAG should be zero again */ andre@0: _mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128()); andre@0: } andre@0: /* Encrypt the initial counter, will be used to encrypt the GHASH value, in the end */ andre@0: rv = (*cipher)(context, gcm->X0, &j, AES_BLOCK_SIZE, gcm->CTR, AES_BLOCK_SIZE, AES_BLOCK_SIZE); andre@0: if (rv != SECSuccess) { andre@0: goto loser; andre@0: } andre@0: /* Promote the counter by 1 */ andre@0: _mm_storeu_si128((__m128i*)gcm->CTR, _mm_shuffle_epi8(_mm_add_epi32(ONE, _mm_shuffle_epi8(_mm_loadu_si128((__m128i*)gcm->CTR), BSWAP_MASK)), BSWAP_MASK)); andre@0: andre@0: /* Now hash AAD - it would actually make sense to seperate the context creation from the AAD, andre@0: * because that would allow to reuse the H, which only changes when the AES key changes, andre@0: * and not every package, like the IV and AAD */ andre@0: intel_aes_gcmAAD(gcm->Htbl, gcmParams->pAAD, AAD_whole_len, gcm->T); andre@0: if(AAD_remainder_len) { andre@0: PORT_Memset(buff, 0, AES_BLOCK_SIZE); andre@0: PORT_Memcpy(buff, gcmParams->pAAD + AAD_whole_len, AAD_remainder_len); andre@0: intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T); andre@0: } andre@0: gcm->Alen += gcmParams->ulAADLen; andre@0: return gcm; andre@0: andre@0: loser: andre@0: if (gcm) { andre@0: PORT_Free(gcm); andre@0: } andre@0: return NULL; andre@0: } andre@0: andre@0: void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit) andre@0: { andre@0: if (freeit) { andre@0: PORT_Free(gcm); andre@0: } andre@0: } andre@0: andre@0: SECStatus intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm, andre@0: unsigned char *outbuf, andre@0: unsigned int *outlen, unsigned int maxout, andre@0: const unsigned char *inbuf, unsigned int inlen, andre@0: unsigned int blocksize) andre@0: { andre@0: unsigned int tagBytes; andre@0: unsigned char T[AES_BLOCK_SIZE]; andre@0: int j; andre@0: andre@0: tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE; andre@0: if (UINT_MAX - inlen < tagBytes) { andre@0: PORT_SetError(SEC_ERROR_INPUT_LEN); andre@0: return SECFailure; andre@0: } andre@0: if (maxout < inlen + tagBytes) { andre@0: *outlen = inlen + tagBytes; andre@0: PORT_SetError(SEC_ERROR_OUTPUT_LEN); andre@0: return SECFailure; andre@0: } andre@0: andre@0: intel_aes_gcmENC( andre@0: inbuf, andre@0: outbuf, andre@0: gcm, andre@0: inlen); andre@0: andre@0: gcm->Mlen += inlen; andre@0: andre@0: intel_aes_gcmTAG( andre@0: gcm->Htbl, andre@0: gcm->T, andre@0: gcm->Mlen, andre@0: gcm->Alen, andre@0: gcm->X0, andre@0: T); andre@0: andre@0: *outlen = inlen + tagBytes; andre@0: andre@0: for(j=0; jtagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE; andre@0: andre@0: /* get the authentication block */ andre@0: if (inlen < tagBytes) { andre@0: PORT_SetError(SEC_ERROR_INPUT_LEN); andre@0: return SECFailure; andre@0: } andre@0: andre@0: inlen -= tagBytes; andre@0: intag = inbuf + inlen; andre@0: andre@0: if (maxout < inlen) { andre@0: *outlen = inlen; andre@0: PORT_SetError(SEC_ERROR_OUTPUT_LEN); andre@0: return SECFailure; andre@0: } andre@0: andre@0: intel_aes_gcmDEC( andre@0: inbuf, andre@0: outbuf, andre@0: gcm, andre@0: inlen); andre@0: andre@0: gcm->Mlen += inlen; andre@0: intel_aes_gcmTAG( andre@0: gcm->Htbl, andre@0: gcm->T, andre@0: gcm->Mlen, andre@0: gcm->Alen, andre@0: gcm->X0, andre@0: T); andre@0: andre@0: if (NSS_SecureMemcmp(T, intag, tagBytes) != 0) { andre@0: memset(outbuf, 0, inlen); andre@0: *outlen = 0; andre@0: /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ andre@0: PORT_SetError(SEC_ERROR_BAD_DATA); andre@0: return SECFailure; andre@0: } andre@0: *outlen = inlen; andre@0: andre@0: return SECSuccess; andre@0: } andre@0: andre@0: #endif