2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * Implementation Notes
29 * ====================
31 * Since CTR and GHASH implementations can handle only full blocks, a
32 * 16-byte buffer (buf[]) is maintained in the context:
34 * - When processing AAD, buf[] contains the 0-15 unprocessed bytes.
36 * - When doing CTR encryption / decryption, buf[] contains the AES output
37 * for the last partial block, to be used with the next few bytes of
38 * data, as well as the already encrypted bytes. For instance, if the
39 * processed data length so far is 21 bytes, then buf[0..4] contains
40 * the five last encrypted bytes, and buf[5..15] contains the next 11
41 * AES output bytes to be XORed with the next 11 bytes of input.
43 * The recorded AES output bytes are used to complete the block when
44 * the corresponding bytes are obtained. Note that buf[] always
45 * contains the _encrypted_ bytes, whether we apply encryption or
46 * decryption: these bytes are used as input to GHASH when the block
49 * In both cases, the low bits of the data length counters (count_aad,
50 * count_ctr) are used to work out the current situation.
53 /* see bearssl_aead.h */
55 br_gcm_init(br_gcm_context *ctx, const br_block_ctr_class **bctx, br_ghash gh)
59 ctx->vtable = &br_gcm_vtable;
64 * The GHASH key h[] is the raw encryption of the all-zero
65 * block. Since we only have a CTR implementation, we use it
66 * with an all-zero IV and a zero counter, to CTR-encrypt an
69 memset(ctx->h, 0, sizeof ctx->h);
70 memset(iv, 0, sizeof iv);
71 (*bctx)->run(bctx, iv, 0, ctx->h, sizeof ctx->h);
74 /* see bearssl_aead.h */
76 br_gcm_reset(br_gcm_context *ctx, const void *iv, size_t len)
79 * If the provided nonce is 12 bytes, then this is the initial
80 * IV for CTR mode; it will be used with a counter that starts
81 * at 2 (value 1 is for encrypting the GHASH output into the tag).
83 * If the provided nonce has any other length, then it is hashed
84 * (with GHASH) into a 16-byte value that will be the IV for CTR
85 * (both 12-byte IV and 32-bit counter).
88 memcpy(ctx->j0_1, iv, 12);
91 unsigned char ty[16], tmp[16];
93 memset(ty, 0, sizeof ty);
94 ctx->gh(ty, ctx->h, iv, len);
96 br_enc64be(tmp + 8, (uint64_t)len << 3);
97 ctx->gh(ty, ctx->h, tmp, 16);
98 memcpy(ctx->j0_1, ty, 12);
99 ctx->j0_2 = br_dec32be(ty + 12);
101 ctx->jc = ctx->j0_2 + 1;
102 memset(ctx->y, 0, sizeof ctx->y);
107 /* see bearssl_aead.h */
109 br_gcm_aad_inject(br_gcm_context *ctx, const void *data, size_t len)
113 ptr = (size_t)ctx->count_aad & (size_t)15;
116 * If there is a partial block, then we first try to
123 memcpy(ctx->buf + ptr, data, len);
124 ctx->count_aad += (uint64_t)len;
127 memcpy(ctx->buf + ptr, data, clen);
128 ctx->gh(ctx->y, ctx->h, ctx->buf, 16);
129 data = (const unsigned char *)data + clen;
131 ctx->count_aad += (uint64_t)clen;
135 * Now AAD is aligned on a 16-byte block (with regards to GHASH).
136 * We process all complete blocks, and save the last partial
139 dlen = len & ~(size_t)15;
140 ctx->gh(ctx->y, ctx->h, data, dlen);
141 memcpy(ctx->buf, (const unsigned char *)data + dlen, len - dlen);
142 ctx->count_aad += (uint64_t)len;
145 /* see bearssl_aead.h */
147 br_gcm_flip(br_gcm_context *ctx)
150 * We complete the GHASH computation if there is a partial block.
151 * The GHASH implementation automatically applies padding with
156 ptr = (size_t)ctx->count_aad & (size_t)15;
158 ctx->gh(ctx->y, ctx->h, ctx->buf, ptr);
162 /* see bearssl_aead.h */
164 br_gcm_run(br_gcm_context *ctx, int encrypt, void *data, size_t len)
170 ptr = (size_t)ctx->count_ctr & (size_t)15;
173 * If we have a partial block, then we try to complete it.
181 for (u = 0; u < clen; u ++) {
185 y = x ^ ctx->buf[ptr + u];
186 ctx->buf[ptr + u] = encrypt ? y : x;
189 ctx->count_ctr += (uint64_t)clen;
192 if (ptr + clen < 16) {
195 ctx->gh(ctx->y, ctx->h, ctx->buf, 16);
199 * Process full blocks.
201 dlen = len & ~(size_t)15;
203 ctx->gh(ctx->y, ctx->h, buf, dlen);
205 ctx->jc = (*ctx->bctx)->run(ctx->bctx, ctx->j0_1, ctx->jc, buf, dlen);
207 ctx->gh(ctx->y, ctx->h, buf, dlen);
211 ctx->count_ctr += (uint64_t)dlen;
215 * There is a partial block.
219 memset(ctx->buf, 0, sizeof ctx->buf);
220 ctx->jc = (*ctx->bctx)->run(ctx->bctx, ctx->j0_1,
221 ctx->jc, ctx->buf, 16);
222 for (u = 0; u < len; u ++) {
227 ctx->buf[u] = encrypt ? y : x;
230 ctx->count_ctr += (uint64_t)len;
234 /* see bearssl_aead.h */
236 br_gcm_get_tag(br_gcm_context *ctx, void *tag)
239 unsigned char tmp[16];
241 ptr = (size_t)ctx->count_ctr & (size_t)15;
244 * There is a partial block: encrypted/decrypted data has
245 * been produced, but the encrypted bytes must still be
246 * processed by GHASH.
248 ctx->gh(ctx->y, ctx->h, ctx->buf, ptr);
252 * Final block for GHASH: the AAD and plaintext lengths (in bits).
254 br_enc64be(tmp, ctx->count_aad << 3);
255 br_enc64be(tmp + 8, ctx->count_ctr << 3);
256 ctx->gh(ctx->y, ctx->h, tmp, 16);
259 * Tag is the GHASH output XORed with the encryption of the
260 * nonce with the initial counter value.
262 memcpy(tag, ctx->y, 16);
263 (*ctx->bctx)->run(ctx->bctx, ctx->j0_1, ctx->j0_2, tag, 16);
266 /* see bearssl_aead.h */
268 br_gcm_get_tag_trunc(br_gcm_context *ctx, void *tag, size_t len)
270 unsigned char tmp[16];
272 br_gcm_get_tag(ctx, tmp);
273 memcpy(tag, tmp, len);
276 /* see bearssl_aead.h */
278 br_gcm_check_tag_trunc(br_gcm_context *ctx, const void *tag, size_t len)
280 unsigned char tmp[16];
284 br_gcm_get_tag(ctx, tmp);
286 for (u = 0; u < len; u ++) {
287 x |= tmp[u] ^ ((const unsigned char *)tag)[u];
292 /* see bearssl_aead.h */
294 br_gcm_check_tag(br_gcm_context *ctx, const void *tag)
296 return br_gcm_check_tag_trunc(ctx, tag, 16);
299 /* see bearssl_aead.h */
300 const br_aead_class br_gcm_vtable = {
302 (void (*)(const br_aead_class **, const void *, size_t))
304 (void (*)(const br_aead_class **, const void *, size_t))
306 (void (*)(const br_aead_class **))
308 (void (*)(const br_aead_class **, int, void *, size_t))
310 (void (*)(const br_aead_class **, void *))
312 (uint32_t (*)(const br_aead_class **, const void *))
314 (void (*)(const br_aead_class **, void *, size_t))
315 &br_gcm_get_tag_trunc,
316 (uint32_t (*)(const br_aead_class **, const void *, size_t))
317 &br_gcm_check_tag_trunc