2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * GCM initialisation. This does everything except setting the vtable,
29 * which depends on whether this is a context for encrypting or for
33 gen_gcm_init(br_sslrec_gcm_context *cc,
34 const br_block_ctr_class *bc_impl,
35 const void *key, size_t key_len,
39 unsigned char tmp[12];
42 bc_impl->init(&cc->bc.vtable, key, key_len);
44 memcpy(cc->iv, iv, sizeof cc->iv);
45 memset(cc->h, 0, sizeof cc->h);
46 memset(tmp, 0, sizeof tmp);
47 bc_impl->run(&cc->bc.vtable, tmp, 0, cc->h, sizeof cc->h);
51 in_gcm_init(br_sslrec_gcm_context *cc,
52 const br_block_ctr_class *bc_impl,
53 const void *key, size_t key_len,
57 cc->vtable.in = &br_sslrec_in_gcm_vtable;
58 gen_gcm_init(cc, bc_impl, key, key_len, gh_impl, iv);
62 gcm_check_length(const br_sslrec_gcm_context *cc, size_t rlen)
65 * GCM adds a fixed overhead:
66 * 8 bytes for the nonce_explicit (before the ciphertext)
67 * 16 bytes for the authentication tag (after the ciphertext)
70 return rlen >= 24 && rlen <= (16384 + 24);
74 * Compute the authentication tag. The value written in 'tag' must still
78 do_tag(br_sslrec_gcm_context *cc,
79 int record_type, unsigned version,
80 void *data, size_t len, void *tag)
82 unsigned char header[13];
83 unsigned char footer[16];
86 * Compute authentication tag. Three elements must be injected in
87 * sequence, each possibly 0-padded to reach a length multiple
88 * of the block size: the 13-byte header (sequence number, record
89 * type, protocol version, record length), the cipher text, and
90 * the word containing the encodings of the bit lengths of the two
93 br_enc64be(header, cc->seq ++);
94 header[8] = (unsigned char)record_type;
95 br_enc16be(header + 9, version);
96 br_enc16be(header + 11, len);
97 br_enc64be(footer, (uint64_t)(sizeof header) << 3);
98 br_enc64be(footer + 8, (uint64_t)len << 3);
100 cc->gh(tag, cc->h, header, sizeof header);
101 cc->gh(tag, cc->h, data, len);
102 cc->gh(tag, cc->h, footer, sizeof footer);
106 * Do CTR encryption. This also does CTR encryption of a single block at
107 * address 'xortag' with the counter value appropriate for the final
108 * processing of the authentication tag.
111 do_ctr(br_sslrec_gcm_context *cc, const void *nonce, void *data, size_t len,
114 unsigned char iv[12];
116 memcpy(iv, cc->iv, 4);
117 memcpy(iv + 4, nonce, 8);
118 cc->bc.vtable->run(&cc->bc.vtable, iv, 2, data, len);
119 cc->bc.vtable->run(&cc->bc.vtable, iv, 1, xortag, 16);
122 static unsigned char *
123 gcm_decrypt(br_sslrec_gcm_context *cc,
124 int record_type, unsigned version, void *data, size_t *data_len)
129 unsigned char tag[16];
131 buf = (unsigned char *)data + 8;
132 len = *data_len - 24;
133 do_tag(cc, record_type, version, buf, len, tag);
134 do_ctr(cc, data, buf, len, tag);
137 * Compare the computed tag with the value from the record. It
138 * is possibly useless to do a constant-time comparison here,
139 * but it does not hurt.
142 for (u = 0; u < 16; u ++) {
143 bad |= tag[u] ^ buf[len + u];
152 /* see bearssl_ssl.h */
153 const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable = {
155 sizeof(br_sslrec_gcm_context),
156 (int (*)(const br_sslrec_in_class *const *, size_t))
158 (unsigned char *(*)(const br_sslrec_in_class **,
159 int, unsigned, void *, size_t *))
162 (void (*)(const br_sslrec_in_gcm_class **,
163 const br_block_ctr_class *, const void *, size_t,
164 br_ghash, const void *))
169 out_gcm_init(br_sslrec_gcm_context *cc,
170 const br_block_ctr_class *bc_impl,
171 const void *key, size_t key_len,
175 cc->vtable.out = &br_sslrec_out_gcm_vtable;
176 gen_gcm_init(cc, bc_impl, key, key_len, gh_impl, iv);
180 gcm_max_plaintext(const br_sslrec_gcm_context *cc,
181 size_t *start, size_t *end)
187 len = *end - *start - 16;
194 static unsigned char *
195 gcm_encrypt(br_sslrec_gcm_context *cc,
196 int record_type, unsigned version, void *data, size_t *data_len)
200 unsigned char tmp[16];
202 buf = (unsigned char *)data;
204 memset(tmp, 0, sizeof tmp);
205 br_enc64be(buf - 8, cc->seq);
206 do_ctr(cc, buf - 8, buf, len, tmp);
207 do_tag(cc, record_type, version, buf, len, buf + len);
208 for (u = 0; u < 16; u ++) {
209 buf[len + u] ^= tmp[u];
213 buf[0] = (unsigned char)record_type;
214 br_enc16be(buf + 1, version);
215 br_enc16be(buf + 3, len);
220 /* see bearssl_ssl.h */
221 const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable = {
223 sizeof(br_sslrec_gcm_context),
224 (void (*)(const br_sslrec_out_class *const *,
227 (unsigned char *(*)(const br_sslrec_out_class **,
228 int, unsigned, void *, size_t *))
231 (void (*)(const br_sslrec_out_gcm_class **,
232 const br_block_ctr_class *, const void *, size_t,
233 br_ghash, const void *))
projects / FreeBSD / FreeBSD.git / blob