diff --git a/apps/crypto_test/pkg.yml b/apps/crypto_test/pkg.yml index 045d9a3570..0a5c38f8dd 100644 --- a/apps/crypto_test/pkg.yml +++ b/apps/crypto_test/pkg.yml @@ -28,5 +28,3 @@ pkg.deps: - "@apache-mynewt-core/sys/log" - "@apache-mynewt-core/crypto/mbedtls" - "@apache-mynewt-core/crypto/tinycrypt" - -pkg.cflags: '-DMBEDTLS_USER_CONFIG_FILE="mbedtls/config_mynewt.h"' diff --git a/apps/hash_test/pkg.yml b/apps/hash_test/pkg.yml index cf45bea829..ba0cb3118b 100644 --- a/apps/hash_test/pkg.yml +++ b/apps/hash_test/pkg.yml @@ -28,5 +28,3 @@ pkg.deps: - "@apache-mynewt-core/sys/log" - "@apache-mynewt-core/crypto/mbedtls" - "@apache-mynewt-core/crypto/tinycrypt" - -pkg.cflags: '-DMBEDTLS_USER_CONFIG_FILE="mbedtls/config_mynewt.h"' diff --git a/crypto/mbedtls/include/mbedtls/config_mynewt.h b/crypto/mbedtls/include/mbedtls/config_mynewt.h index 57b39c1194..ebe3676b38 100644 --- a/crypto/mbedtls/include/mbedtls/config_mynewt.h +++ b/crypto/mbedtls/include/mbedtls/config_mynewt.h @@ -501,6 +501,7 @@ extern "C" { #undef MBEDTLS_PSA_CRYPTO_SE_C #undef MBEDTLS_PSA_CRYPTO_STORAGE_C #undef MBEDTLS_PSA_ITS_FILE_C +#undef MBEDTLS_LMS_C #ifdef __cplusplus } diff --git a/crypto/mbedtls/include/mbedtls/gcm_mynewt.h b/crypto/mbedtls/include/mbedtls/gcm_mynewt.h index b0746448a0..40945bd48c 100644 --- a/crypto/mbedtls/include/mbedtls/gcm_mynewt.h +++ b/crypto/mbedtls/include/mbedtls/gcm_mynewt.h 
@@ -20,38 +20,16 @@ #ifndef _GCM_MYNEWT_H_ #define _GCM_MYNEWT_H_ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include -/** - * \brief This function feeds an input buffer into an ongoing GCM - * encryption or decryption operation as additional data. - * This needs to be called before starting enc/dec - * operations. - * - * ` The function expects input to be a multiple of 16 - * Bytes. Only the last call before mbedtls_gcm_update() or - * mbedtls_gcm_finish() can be less than 16 Bytes. - * - * - * \param ctx The GCM context. - * \param length The length of the input data. This must be a multiple of - * 16 except in the last call before mbedtls_gcm_finish(). - * \param input The buffer holding the input ADD. - * - * \return \c 0 on success. - * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure. - */ -int mbedtls_gcm_update_add( mbedtls_gcm_context *ctx, - size_t length, - const unsigned char *input ); - - /** * Same as mbedtls_gcm_setkey, but with preallocated memory for cipher algorithm context */ int mbedtls_gcm_setkey_noalloc( mbedtls_gcm_context *ctx, const mbedtls_cipher_info_t *cipher_info, const unsigned char *key, + unsigned int keybits, void *cipher_ctx); diff --git a/crypto/mbedtls/pkg.yml b/crypto/mbedtls/pkg.yml index b68eea40fe..4cb20931d8 100644 --- a/crypto/mbedtls/pkg.yml +++ b/crypto/mbedtls/pkg.yml @@ -26,11 +26,14 @@ pkg.keywords: - tls pkg.type: sdk -pkg.cflags: +app.cflags: - '-DMBEDTLS_USER_CONFIG_FILE=' +app.cflags.TEST: + - '-DTEST' + +pkg.cflags: - -Wno-maybe-uninitialized - -Wno-unknown-warning-option -pkg.cflags.TEST: -DTEST pkg.include_dirs: - "include" @@ -44,7 +47,7 @@ pkg.src_dirs: repository.mbedtls: type: github - vers: v2.28.9-commit + vers: v3.6.2-commit branch: master user: Mbed-TLS repo: mbedtls diff --git a/crypto/mbedtls/selftest/src/mbedtls_test.c b/crypto/mbedtls/selftest/src/mbedtls_test.c index f746cc8662..a8547c1f08 100644 --- a/crypto/mbedtls/selftest/src/mbedtls_test.c +++ b/crypto/mbedtls/selftest/src/mbedtls_test.c 
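Review bot: Defining `MBEDTLS_ALLOW_PRIVATE_ACCESS` in this public header, ahead of the `#include` on the next line, switches off the mbedtls 3.x `MBEDTLS_PRIVATE()` field guard for every translation unit that includes gcm_mynewt.h (mbedtls_test.h now includes it too), not just for gcm_mynewt.c, which is the one file that actually touches `ctx->H` and `ctx->cipher_ctx`. Move the define to the top of gcm_mynewt.c before its first mbedtls include and drop it from the header, so consumers keep the private-field protection the 3.x upgrade is meant to give them. The new `keybits` argument of `mbedtls_gcm_setkey_noalloc` is undocumented; add `\param keybits Key length in bits: 128, 192 or 256, and it must match cipher_info` to the comment above the prototype. The target of the `#include` is not visible in this rendering, so I cannot confirm it is the intended header.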
@@ -27,7 +27,6 @@ #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" #include "mbedtls/aes.h" -#include "mbedtls/arc4.h" #include "mbedtls/bignum.h" #include "mbedtls/ccm.h" #include "mbedtls/dhm.h" @@ -41,7 +40,6 @@ #include "mbedtls/ripemd160.h" #include "mbedtls/rsa.h" #include "mbedtls/x509.h" -#include "mbedtls/xtea.h" #include "mbedtls/poly1305.h" #include "mbedtls/chacha20.h" #include "mbedtls/chachapoly.h" @@ -53,7 +51,6 @@ #include "mbedtls/timing.h" TEST_CASE_DECL(aes_test) -TEST_CASE_DECL(arc4_test) TEST_CASE_DECL(aria_test) TEST_CASE_DECL(base64_test) TEST_CASE_DECL(bignum_test) @@ -70,8 +67,6 @@ TEST_CASE_DECL(ecp_test) TEST_CASE_DECL(entropy_test) TEST_CASE_DECL(gcm_test) TEST_CASE_DECL(hmac_drbg_test) -TEST_CASE_DECL(md2_test) -TEST_CASE_DECL(md4_test) TEST_CASE_DECL(md5_test) TEST_CASE_DECL(memory_buffer_alloc_test) TEST_CASE_DECL(nist_kw_test) @@ -82,14 +77,11 @@ TEST_CASE_DECL(rsa_test) TEST_CASE_DECL(sha1_test) TEST_CASE_DECL(sha256_test) TEST_CASE_DECL(sha512_test) -TEST_CASE_DECL(timing_test) -TEST_CASE_DECL(x509_test) -TEST_CASE_DECL(xtea_test) +TEST_CASE_DECL(gcm_mynewt_test) TEST_SUITE(mbedtls_test_all) { aes_test(); - arc4_test(); aria_test(); base64_test(); bignum_test(); @@ -106,8 +98,6 @@ TEST_SUITE(mbedtls_test_all) entropy_test(); gcm_test(); hmac_drbg_test(); - md2_test(); - md4_test(); md5_test(); nist_kw_test(); pkcs5_test(); @@ -117,9 +107,7 @@ TEST_SUITE(mbedtls_test_all) sha1_test(); sha256_test(); sha512_test(); - timing_test(); - x509_test(); - xtea_test(); + gcm_mynewt_test(); } int diff --git a/crypto/mbedtls/selftest/src/mbedtls_test.h b/crypto/mbedtls/selftest/src/mbedtls_test.h index 0d1c751400..5f6286df2e 100644 --- a/crypto/mbedtls/selftest/src/mbedtls_test.h +++ b/crypto/mbedtls/selftest/src/mbedtls_test.h @@ -25,7 +25,6 @@ #include "testutil/testutil.h" #include "mbedtls/aes.h" -#include "mbedtls/arc4.h" #include "mbedtls/aria.h" #include "mbedtls/base64.h" #include "mbedtls/bignum.h" 
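Review bot: Dropping `x509_test` together with the modules mbedtls 3.x removed (arc4, md2, md4, xtea, timing self-test) silently removes the suite's only certificate parse/verify coverage, and unlike those modules `mbedtls_x509_self_test` still exists in 3.6 as far as I can tell; what changed upstream is that its test certificates moved to `tests/src/certs.c`, which this package may not build. If that is the reason, record it next to the new `TEST_CASE_DECL(gcm_mynewt_test)` line, e.g. `/* x509_test dropped: mbedtls 3.x moved mbedtls_test_cli_crt to tests/src/certs.c, which is not built here */`; otherwise keep `x509_test` and `x509_test();` in place. A one-line commit note distinguishing "API removed upstream" from "coverage intentionally dropped" would make this reviewable later.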
@@ -42,8 +41,6 @@ #include "mbedtls/entropy.h" #include "mbedtls/gcm.h" #include "mbedtls/hmac_drbg.h" -#include "mbedtls/md2.h" -#include "mbedtls/md4.h" #include "mbedtls/md5.h" #include "mbedtls/nist_kw.h" #include "mbedtls/pkcs5.h" @@ -53,9 +50,7 @@ #include "mbedtls/sha1.h" #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" -#include "mbedtls/timing.h" -#include "mbedtls/x509.h" -#include "mbedtls/xtea.h" +#include "gcm_mynewt.h" #ifdef __cplusplus extern "C" { diff --git a/crypto/mbedtls/selftest/src/testcases/arc4_test.c b/crypto/mbedtls/selftest/src/testcases/arc4_test.c deleted file mode 100644 index c4f4ec251d..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/arc4_test.c +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(arc4_test) -{ - int rc; - - rc = mbedtls_arc4_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c b/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c new file mode 100644 index 0000000000..f062f2b4e0 --- /dev/null +++ b/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c 
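Review bot: The added `#include "gcm_mynewt.h"` does not use the `mbedtls/` prefix that every sibling include in this header uses, and per this diff the file lives at crypto/mbedtls/include/mbedtls/gcm_mynewt.h, so the bare form only resolves if an extra include path happens to be on the command line. Use `#include "mbedtls/gcm_mynewt.h"` and place it in alphabetical order with the other entries, as the rest of the list is.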
@@ -0,0 +1,149 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +#include "mbedtls_test.h" + +#define AES_BLK_SZ 16 + +static const mbedtls_cipher_info_t *rsm_ucast_cipher; + +/* This contains both ADD and plaintext for encryption */ +static const uint8_t initial_data[110] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, + 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, + 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, + 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, + 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, + 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, + 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, + 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, + 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, + 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9A, + 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA +}; +static const uint8_t key[32] = { + 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A, + 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A, + 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A, + 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A +}; +static const uint8_t 
iv[12] = { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB }; +static const uint8_t expected_tag[16] = { 0x05, 0x5D, 0x8E, 0xD4, 0xF9, 0x2A, 0x87, 0x87, + 0x6F, 0x23, 0xF2, 0xE6, 0xF0, 0x1D, 0x6D, 0x5C }; + +static uint8_t test_tag[16]; +static uint8_t test_buf[110]; + +static int mbedtls_gcm_mynewt_test_crypt(uint8_t enc) +{ + int add_len = 40; + mbedtls_gcm_context ctx; + mbedtls_aes_context aes_ctx; + uint8_t *ptr; + + uint16_t off; + uint16_t blklen; + uint16_t totlen; + size_t len_check; + int rc; + + if (rsm_ucast_cipher == NULL) { + rsm_ucast_cipher = + mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, 256, + MBEDTLS_MODE_ECB); + } + + memset(&ctx, 0, sizeof(ctx)); + mbedtls_aes_init(&aes_ctx); + rc = mbedtls_gcm_setkey_noalloc(&ctx, rsm_ucast_cipher, key, 256, &aes_ctx); + if (rc) { + goto out; + } + + rc = mbedtls_gcm_starts(&ctx, + enc == 1 ? MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT, + iv, sizeof(iv)); + if (rc) { + goto out; + } + + off = 0; + totlen = 110; + + while (off < totlen) { + ptr = test_buf + off; + blklen = sizeof(test_buf) - off; + if (blklen < AES_BLK_SZ) { + blklen = AES_BLK_SZ; + } else { + blklen &= ~(AES_BLK_SZ - 1); + } + if (off < add_len) { + if (blklen + off > add_len) { + blklen = add_len - off; + } + } else { + if (blklen + off > totlen) { + blklen = totlen - off; + } + } + + if (off < add_len) { + mbedtls_gcm_update_ad(&ctx, ptr, blklen); + } else { + rc = mbedtls_gcm_update(&ctx, ptr, blklen, ptr, blklen, &len_check); + if (rc) { + goto out; + } + if (len_check != blklen) { + rc = 1; + goto out; + } + } + + off += blklen; + } + + rc = mbedtls_gcm_finish(&ctx, NULL, 0, &len_check, test_tag, sizeof(test_tag)); + if (len_check != 0) { + rc = 1; + goto out; + } +out: + memset(&ctx, 0, sizeof(ctx)); + mbedtls_aes_free(&aes_ctx); + if (rc) { + return 1; + } + return 0; +} + +TEST_CASE_SELF(gcm_mynewt_test) +{ + int rc; + + memcpy(test_buf, initial_data, sizeof(initial_data)); + + rc = mbedtls_gcm_mynewt_test_crypt(1); 
+ TEST_ASSERT(rc == 0); + + rc = mbedtls_gcm_mynewt_test_crypt(0); + TEST_ASSERT(rc == 0); + TEST_ASSERT(memcmp(test_tag, expected_tag, sizeof(test_tag)) == 0); + TEST_ASSERT(memcmp(test_buf, initial_data, sizeof(initial_data)) == 0); +} diff --git a/crypto/mbedtls/selftest/src/testcases/md2_test.c b/crypto/mbedtls/selftest/src/testcases/md2_test.c deleted file mode 100644 index c65be75735..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/md2_test.c +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(md2_test) -{ - int rc; - - rc = mbedtls_md2_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/md4_test.c b/crypto/mbedtls/selftest/src/testcases/md4_test.c deleted file mode 100644 index 1edf8e115b..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/md4_test.c +++ /dev/null 
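Review bot: In `mbedtls_gcm_mynewt_test_crypt` the return value of `mbedtls_gcm_update_ad` is discarded, so a rejected AAD chunk is never reported and the test still passes as long as the later `mbedtls_gcm_update`/`mbedtls_gcm_finish` calls succeed; check it the same way the `mbedtls_gcm_update` branch does (below). In `gcm_mynewt_test` the tag from the encrypt pass is overwritten by the decrypt pass before `test_tag` is compared, so only the decryption-side GHASH is ever checked against `expected_tag`; add `TEST_ASSERT(memcmp(test_tag, expected_tag, sizeof(test_tag)) == 0);` right after the first `TEST_ASSERT(rc == 0);` as well. `mbedtls_cipher_info_from_values` returns NULL when AES-256-ECB is not compiled in and `rsm_ucast_cipher` is passed on unchecked; add `if (rsm_ucast_cipher == NULL) { return 1; }` before the context is initialised. The `memset(&ctx, 0, sizeof(ctx))` on the `out:` path is a dead store the compiler may elide; `mbedtls_platform_zeroize(&ctx, sizeof(ctx))` (from `mbedtls/platform_util.h`) is the library idiom for scrubbing a context that cannot go through `mbedtls_gcm_free`.
```c
        /* … unchanged: block-length computation … */
        if (off < add_len) {
            rc = mbedtls_gcm_update_ad(&ctx, ptr, blklen);
            if (rc) {
                goto out;
            }
        } else {
            /* … unchanged: mbedtls_gcm_update path … */
```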
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(md4_test) -{ - int rc; - - rc = mbedtls_md4_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/timing_test.c b/crypto/mbedtls/selftest/src/testcases/timing_test.c deleted file mode 100644 index 97d6bc5ad4..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/timing_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(timing_test) -{ - int rc; - - rc = mbedtls_timing_self_test(0); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/x509_test.c b/crypto/mbedtls/selftest/src/testcases/x509_test.c deleted file mode 100644 index b89bfe9c25..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/x509_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(x509_test) -{ - int rc; - - rc = mbedtls_x509_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/xtea_test.c b/crypto/mbedtls/selftest/src/testcases/xtea_test.c deleted file mode 100644 index b0f29b7ead..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/xtea_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(xtea_test) -{ - int rc; - - rc = mbedtls_xtea_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/src/gcm_mynewt.c b/crypto/mbedtls/src/gcm_mynewt.c index dfd68f5594..f846124633 100644 --- a/crypto/mbedtls/src/gcm_mynewt.c +++ b/crypto/mbedtls/src/gcm_mynewt.c 
@@ -63,193 +63,133 @@ #include #if defined(MBEDTLS_AESNI_C) -#include "mbedtls/aesni.h" +#include "aesni.h" #endif #if !defined(MBEDTLS_GCM_ALT) -/* Parameter validation macros */ -#define GCM_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_GCM_BAD_INPUT) -#define GCM_VALIDATE(cond) \ - MBEDTLS_INTERNAL_VALIDATE(cond) +/* Used to select the acceleration mechanism */ +#define MBEDTLS_GCM_ACC_SMALLTABLE 0 +#define MBEDTLS_GCM_ACC_LARGETABLE 1 +#define MBEDTLS_GCM_ACC_AESNI 2 +#define MBEDTLS_GCM_ACC_AESCE 3 -/* - * Precompute small multiples of H, that is set - * HH[i] || HL[i] = H times i, - * where i is seen as a field element as in [MGV], ie high-order bits - * correspond to low powers of P. The result is stored in the same way, that - * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL - * corresponds to P^127. - */ -static int gcm_gen_table(mbedtls_gcm_context *ctx) +static inline void gcm_set_acceleration(mbedtls_gcm_context *ctx) { - int ret, i, j; - uint64_t hi, lo; - uint64_t vl, vh; - unsigned char h[16]; - size_t olen = 0; - - memset(h, 0, 16); - if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen)) != 0) { - return ret; - } - - /* pack h as two 64-bits ints, big-endian */ - hi = MBEDTLS_GET_UINT32_BE(h, 0); - lo = MBEDTLS_GET_UINT32_BE(h, 4); - vh = (uint64_t) hi << 32 | lo; - - hi = MBEDTLS_GET_UINT32_BE(h, 8); - lo = MBEDTLS_GET_UINT32_BE(h, 12); - vl = (uint64_t) hi << 32 | lo; - - /* 8 = 1000 corresponds to 1 in GF(2^128) */ - ctx->HL[8] = vl; - ctx->HH[8] = vh; +#if defined(MBEDTLS_GCM_LARGE_TABLE) + ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE; +#else + ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE; +#endif #if defined(MBEDTLS_AESNI_HAVE_CODE) /* With CLMUL support, we need only h, not the rest of the table */ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - return 0; + ctx->acceleration = MBEDTLS_GCM_ACC_AESNI; } #endif - /* 0 corresponds to 0 in GF(2^128) */ - ctx->HH[0] = 0; 
- ctx->HL[0] = 0; - - for (i = 4; i > 0; i >>= 1) { - uint32_t T = (vl & 1) * 0xe1000000U; - vl = (vh << 63) | (vl >> 1); - vh = (vh >> 1) ^ ((uint64_t) T << 32); - - ctx->HL[i] = vl; - ctx->HH[i] = vh; +#if defined(MBEDTLS_AESCE_HAVE_CODE) + if (MBEDTLS_AESCE_HAS_SUPPORT()) { + ctx->acceleration = MBEDTLS_GCM_ACC_AESCE; } - - for (i = 2; i <= 8; i *= 2) { - uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i; - vh = *HiH; - vl = *HiL; - for (j = 1; j < i; j++) { - HiH[j] = vh ^ ctx->HH[j]; - HiL[j] = vl ^ ctx->HL[j]; - } - } - - return 0; +#endif } -/* - * Shoup's method for multiplication use this table with - * last4[x] = x times P^128 - * where x and last4[x] are seen as elements of GF(2^128) as in [MGV] - */ -static const uint64_t last4[16] = +static inline void gcm_gen_table_rightshift(uint64_t dst[2], const uint64_t src[2]) { - 0x0000, 0x1c20, 0x3840, 0x2460, - 0x7080, 0x6ca0, 0x48c0, 0x54e0, - 0xe100, 0xfd20, 0xd940, 0xc560, - 0x9180, 0x8da0, 0xa9c0, 0xb5e0 -}; + uint8_t *u8Dst = (uint8_t *) dst; + uint8_t *u8Src = (uint8_t *) src; + + MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[1], 0) >> 1, &dst[1], 0); + u8Dst[8] |= (u8Src[7] & 0x01) << 7; + MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[0], 0) >> 1, &dst[0], 0); + u8Dst[0] ^= (u8Src[15] & 0x01) ? 0xE1 : 0; +} /* - * Sets output to x times H using the precomputed tables. - * x and output are seen as elements of GF(2^128) as in [MGV]. + * Precompute small multiples of H, that is set + * HH[i] || HL[i] = H times i, + * where i is seen as a field element as in [MGV], ie high-order bits + * correspond to low powers of P. The result is stored in the same way, that + * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL + * corresponds to P^127. 
*/ -static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16], - unsigned char output[16]) +static int gcm_gen_table(mbedtls_gcm_context *ctx) { - int i = 0; - unsigned char lo, hi, rem; - uint64_t zh, zl; - -#if defined(MBEDTLS_AESNI_HAVE_CODE) - if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - unsigned char h[16]; - - MBEDTLS_PUT_UINT32_BE(ctx->HH[8] >> 32, h, 0); - MBEDTLS_PUT_UINT32_BE(ctx->HH[8], h, 4); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8] >> 32, h, 8); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8], h, 12); + int ret, i, j; + uint64_t u64h[2] = { 0 }; + uint8_t *h = (uint8_t *) u64h; - mbedtls_aesni_gcm_mult(output, x, h); - return; +#if defined(MBEDTLS_BLOCK_CIPHER_C) + ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, h, h); +#else + size_t olen = 0; + ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen); +#endif + if (ret != 0) { + return ret; } -#endif /* MBEDTLS_AESNI_HAVE_CODE */ - - lo = x[15] & 0xf; - - zh = ctx->HH[lo]; - zl = ctx->HL[lo]; - - for (i = 15; i >= 0; i--) { - lo = x[i] & 0xf; - hi = (x[i] >> 4) & 0xf; - - if (i != 15) { - rem = (unsigned char) zl & 0xf; - zl = (zh << 60) | (zl >> 4); - zh = (zh >> 4); - zh ^= (uint64_t) last4[rem] << 48; - zh ^= ctx->HH[lo]; - zl ^= ctx->HL[lo]; - } + gcm_set_acceleration(ctx); - rem = (unsigned char) zl & 0xf; - zl = (zh << 60) | (zl >> 4); - zh = (zh >> 4); - zh ^= (uint64_t) last4[rem] << 48; - zh ^= ctx->HH[hi]; - zl ^= ctx->HL[hi]; - } + /* MBEDTLS_GCM_HTABLE_SIZE/2 = 1000 corresponds to 1 in GF(2^128) */ + ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][0] = u64h[0]; + ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][1] = u64h[1]; - MBEDTLS_PUT_UINT32_BE(zh >> 32, output, 0); - MBEDTLS_PUT_UINT32_BE(zh, output, 4); - MBEDTLS_PUT_UINT32_BE(zl >> 32, output, 8); - MBEDTLS_PUT_UINT32_BE(zl, output, 12); -} + switch (ctx->acceleration) { +#if defined(MBEDTLS_AESNI_HAVE_CODE) + case MBEDTLS_GCM_ACC_AESNI: + return 0; +#endif -int mbedtls_gcm_update_add( mbedtls_gcm_context *ctx, - size_t add_len, - const 
unsigned char *add ) -{ - const unsigned char *p; - size_t i; - size_t use_len; +#if defined(MBEDTLS_AESCE_HAVE_CODE) + case MBEDTLS_GCM_ACC_AESCE: + return 0; +#endif - if ( ctx->add_len & 15 ) - { - return( MBEDTLS_ERR_GCM_BAD_INPUT ); - } - ctx->add_len += add_len; - p = add; + default: + /* 0 corresponds to 0 in GF(2^128) */ + ctx->H[0][0] = 0; + ctx->H[0][1] = 0; - while (add_len > 0) - { - use_len = ( add_len < 16 ) ? add_len : 16; + for (i = MBEDTLS_GCM_HTABLE_SIZE/4; i > 0; i >>= 1) { + gcm_gen_table_rightshift(ctx->H[i], ctx->H[i*2]); + } - for( i = 0; i < use_len; i++ ) { - ctx->buf[i] ^= p[i]; +#if !defined(MBEDTLS_GCM_LARGE_TABLE) + /* pack elements of H as 64-bits ints, big-endian */ + for (i = MBEDTLS_GCM_HTABLE_SIZE/2; i > 0; i >>= 1) { + MBEDTLS_PUT_UINT64_BE(ctx->H[i][0], &ctx->H[i][0], 0); + MBEDTLS_PUT_UINT64_BE(ctx->H[i][1], &ctx->H[i][1], 0); } - gcm_mult( ctx, ctx->buf, ctx->buf ); +#endif - add_len -= use_len; - p += use_len; + for (i = 2; i < MBEDTLS_GCM_HTABLE_SIZE; i <<= 1) { + for (j = 1; j < i; j++) { + mbedtls_xor_no_simd((unsigned char *) ctx->H[i+j], + (unsigned char *) ctx->H[i], + (unsigned char *) ctx->H[j], + 16); + } + } } - return( 0 ); + return 0; } int mbedtls_gcm_setkey_noalloc( mbedtls_gcm_context *ctx, const mbedtls_cipher_info_t *cipher_info, const unsigned char *key, + unsigned int keybits, void *cipher_ctx) { int ret; + if (keybits != 128 && keybits != 192 && keybits != 256) { + return MBEDTLS_ERR_GCM_BAD_INPUT; + } + ctx->cipher_ctx.cipher_info = cipher_info; ctx->cipher_ctx.cipher_ctx = cipher_ctx; #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) @@ -266,7 +206,7 @@ int mbedtls_gcm_setkey_noalloc( mbedtls_gcm_context *ctx, #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, - cipher_info->key_bitlen, + keybits, MBEDTLS_ENCRYPT ) ) != 0 ) { return( ret ); diff --git a/crypto/mbedtls/syscfg.yml b/crypto/mbedtls/syscfg.yml index 485144f41e..9315e03f05 100644 
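Review bot: In the new `gcm_gen_table`, the `#if defined(MBEDTLS_BLOCK_CIPHER_C)` branch derives H from `ctx->block_cipher_ctx`, but `mbedtls_gcm_setkey_noalloc` only ever keys `ctx->cipher_ctx` (it hands the caller's `cipher_ctx` to `mbedtls_cipher_setkey`), so under that configuration H would be computed from an unkeyed block-cipher context and every tag would use a wrong hash subkey. As I read the 3.6 config adjustments, `MBEDTLS_BLOCK_CIPHER_C` is auto-defined exactly when `MBEDTLS_CIPHER_C` is off, which is also the case in which the `mbedtls_cipher_setkey` call here cannot link, so make the assumption explicit instead of carrying a dead branch: `#if defined(MBEDTLS_BLOCK_CIPHER_C)` / `#error "gcm_mynewt.c requires MBEDTLS_CIPHER_C (mbedtls_cipher_setkey path)"` / `#endif` near the top of the file, and drop the `mbedtls_block_cipher_encrypt` path. The added `keybits` guard accepts 128/192/256 without relating the value to `cipher_info`; `mbedtls_cipher_setkey` rejects a mismatch for fixed-length ciphers, so a comment saying that is what the check relies on would help the next reader. `mbedtls_gcm_setkey_noalloc` continues past the end of this hunk.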
--- a/crypto/mbedtls/syscfg.yml
+++ b/crypto/mbedtls/syscfg.yml
@@ -119,8 +119,10 @@ syscfg.defs:
 value: 0
 MBEDTLS_CIPHER_MODE_CFB:
 value: 0
+ # XXX: This should be 0 on default, but mcuboot's test needs this enabled. Until a new mcuboot version with this
+ # config enabled is released we have to enable this by default.
 MBEDTLS_CIPHER_MODE_CTR:
- value: 0
+ value: 1
 MBEDTLS_CIPHER_MODE_OFB:
 value: 0
 MBEDTLS_CIPHER_MODE_XTS:
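Review bot: Flipping `MBEDTLS_CIPHER_MODE_CTR` to 1 widens the default build for every consumer of this package, and the `# XXX` comment gives no handle for reverting it once mcuboot is fixed. Add the mcuboot issue or PR reference to the comment, e.g. `# XXX: revert to 0 once mcuboot <issue/PR> (enables this in its own syscfg) is released`, so the temporary default can be tracked and removed.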