2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * Implementation Notes
29 * ====================
31 * Since CTR and GHASH implementations can handle only full blocks, a
32 * 16-byte buffer (buf[]) is maintained in the context:
34 * - When processing AAD, buf[] contains the 0-15 unprocessed bytes.
36 * - When doing CTR encryption / decryption, buf[] contains the AES output
37 * for the last partial block, to be used with the next few bytes of
38 * data, as well as the already encrypted bytes. For instance, if the
39 * processed data length so far is 21 bytes, then buf[0..4] contains
40 * the five last encrypted bytes, and buf[5..15] contains the next 11
41 * AES output bytes to be XORed with the next 11 bytes of input.
43 * The recorded AES output bytes are used to complete the block when
44 * the corresponding bytes are obtained. Note that buf[] always
45 * contains the _encrypted_ bytes, whether we apply encryption or
46 * decryption: these bytes are used as input to GHASH when the block
49 * In both cases, the low bits of the data length counters (count_aad,
50 * count_ctr) are used to work out the current situation.
53 /* see bearssl_aead.h */
55 br_gcm_init(br_gcm_context
*ctx
, const br_block_ctr_class
**bctx
, br_ghash gh
)
63 * The GHASH key h[] is the raw encryption of the all-zero
64 * block. Since we only have a CTR implementation, we use it
65 * with an all-zero IV and a zero counter, to CTR-encrypt an
68 memset(ctx
->h
, 0, sizeof ctx
->h
);
69 memset(iv
, 0, sizeof iv
);
70 (*bctx
)->run(bctx
, iv
, 0, ctx
->h
, sizeof ctx
->h
);
73 /* see bearssl_aead.h */
75 br_gcm_reset(br_gcm_context
*ctx
, const void *iv
, size_t len
)
78 * If the provided nonce is 12 bytes, then this is the initial
79 * IV for CTR mode; it will be used with a counter that starts
80 * at 2 (value 1 is for encrypting the GHASH output into the tag).
82 * If the provided nonce has any other length, then it is hashed
83 * (with GHASH) into a 16-byte value that will be the IV for CTR
84 * (both 12-byte IV and 32-bit counter).
87 memcpy(ctx
->j0_1
, iv
, 12);
90 unsigned char ty
[16], tmp
[16];
92 memset(ty
, 0, sizeof ty
);
93 ctx
->gh(ty
, ctx
->h
, iv
, len
);
95 br_enc64be(tmp
+ 8, (uint64_t)len
<< 3);
96 ctx
->gh(ty
, ctx
->h
, tmp
, 16);
97 memcpy(ctx
->j0_1
, ty
, 12);
98 ctx
->j0_2
= br_dec32be(ty
+ 12);
100 ctx
->jc
= ctx
->j0_2
+ 1;
101 memset(ctx
->y
, 0, sizeof ctx
->y
);
106 /* see bearssl_aead.h */
108 br_gcm_aad_inject(br_gcm_context
*ctx
, const void *data
, size_t len
)
112 ptr
= (size_t)ctx
->count_aad
& (size_t)15;
115 * If there is a partial block, then we first try to
122 memcpy(ctx
->buf
+ ptr
, data
, len
);
123 ctx
->count_aad
+= (uint64_t)len
;
126 memcpy(ctx
->buf
+ ptr
, data
, clen
);
127 ctx
->gh(ctx
->y
, ctx
->h
, ctx
->buf
, 16);
128 data
= (const unsigned char *)data
+ clen
;
130 ctx
->count_aad
+= (uint64_t)clen
;
134 * Now AAD is aligned on a 16-byte block (with regards to GHASH).
135 * We process all complete blocks, and save the last partial
138 dlen
= len
& ~(size_t)15;
139 ctx
->gh(ctx
->y
, ctx
->h
, data
, dlen
);
140 memcpy(ctx
->buf
, (const unsigned char *)data
+ dlen
, len
- dlen
);
141 ctx
->count_aad
+= (uint64_t)len
;
144 /* see bearssl_aead.h */
146 br_gcm_flip(br_gcm_context
*ctx
)
149 * We complete the GHASH computation if there is a partial block.
150 * The GHASH implementation automatically applies padding with
155 ptr
= (size_t)ctx
->count_aad
& (size_t)15;
157 ctx
->gh(ctx
->y
, ctx
->h
, ctx
->buf
, ptr
);
161 /* see bearssl_aead.h */
163 br_gcm_run(br_gcm_context
*ctx
, int encrypt
, void *data
, size_t len
)
169 ptr
= (size_t)ctx
->count_ctr
& (size_t)15;
172 * If we have a partial block, then we try to complete it.
180 for (u
= 0; u
< clen
; u
++) {
184 y
= x
^ ctx
->buf
[ptr
+ u
];
185 ctx
->buf
[ptr
+ u
] = encrypt
? y
: x
;
188 ctx
->count_ctr
+= (uint64_t)clen
;
191 if (ptr
+ clen
< 16) {
194 ctx
->gh(ctx
->y
, ctx
->h
, ctx
->buf
, 16);
198 * Process full blocks.
200 dlen
= len
& ~(size_t)15;
202 ctx
->gh(ctx
->y
, ctx
->h
, buf
, dlen
);
204 ctx
->jc
= (*ctx
->bctx
)->run(ctx
->bctx
, ctx
->j0_1
, ctx
->jc
, buf
, dlen
);
206 ctx
->gh(ctx
->y
, ctx
->h
, buf
, dlen
);
210 ctx
->count_ctr
+= (uint64_t)dlen
;
214 * There is a partial block.
218 memset(ctx
->buf
, 0, sizeof ctx
->buf
);
219 ctx
->jc
= (*ctx
->bctx
)->run(ctx
->bctx
, ctx
->j0_1
,
220 ctx
->jc
, ctx
->buf
, 16);
221 for (u
= 0; u
< len
; u
++) {
226 ctx
->buf
[u
] = encrypt
? y
: x
;
229 ctx
->count_ctr
+= (uint64_t)len
;
233 /* see bearssl_aead.h */
235 br_gcm_get_tag(br_gcm_context
*ctx
, void *tag
)
238 unsigned char tmp
[16];
240 ptr
= (size_t)ctx
->count_ctr
& (size_t)15;
243 * There is a partial block: encrypted/decrypted data has
244 * been produced, but the encrypted bytes must still be
245 * processed by GHASH.
247 ctx
->gh(ctx
->y
, ctx
->h
, ctx
->buf
, ptr
);
251 * Final block for GHASH: the AAD and plaintext lengths (in bits).
253 br_enc64be(tmp
, ctx
->count_aad
<< 3);
254 br_enc64be(tmp
+ 8, ctx
->count_ctr
<< 3);
255 ctx
->gh(ctx
->y
, ctx
->h
, tmp
, 16);
258 * Tag is the GHASH output XORed with the encryption of the
259 * nonce with the initial counter value.
261 memcpy(tag
, ctx
->y
, 16);
262 (*ctx
->bctx
)->run(ctx
->bctx
, ctx
->j0_1
, ctx
->j0_2
, tag
, 16);
265 /* see bearssl_aead.h */
267 br_gcm_check_tag(br_gcm_context
*ctx
, const void *tag
)
269 unsigned char tmp
[16];
273 br_gcm_get_tag(ctx
, tmp
);
275 for (u
= 0; u
< sizeof tmp
; u
++) {
276 x
|= tmp
[u
] ^ ((const unsigned char *)tag
)[u
];
281 /* see bearssl_aead.h */
282 const br_aead_class br_gcm_vtable
= {
284 (void (*)(const br_aead_class
**, const void *, size_t))
286 (void (*)(const br_aead_class
**, const void *, size_t))
288 (void (*)(const br_aead_class
**))
290 (void (*)(const br_aead_class
**, int, void *, size_t))
292 (void (*)(const br_aead_class
**, void *))
294 (uint32_t (*)(const br_aead_class
**, const void *))