2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * GCM initialisation. This does everything except setting the vtable,
29 * which depends on whether this is a context for encrypting or for
33 gen_gcm_init(br_sslrec_gcm_context
*cc
,
34 const br_block_ctr_class
*bc_impl
,
35 const void *key
, size_t key_len
,
39 unsigned char tmp
[12];
42 bc_impl
->init(&cc
->bc
.vtable
, key
, key_len
);
44 memcpy(cc
->iv
, iv
, sizeof cc
->iv
);
45 memset(cc
->h
, 0, sizeof cc
->h
);
46 memset(tmp
, 0, sizeof tmp
);
47 bc_impl
->run(&cc
->bc
.vtable
, tmp
, 0, cc
->h
, sizeof cc
->h
);
51 in_gcm_init(br_sslrec_gcm_context
*cc
,
52 const br_block_ctr_class
*bc_impl
,
53 const void *key
, size_t key_len
,
57 cc
->vtable
.in
= &br_sslrec_in_gcm_vtable
;
58 gen_gcm_init(cc
, bc_impl
, key
, key_len
, gh_impl
, iv
);
62 gcm_check_length(const br_sslrec_gcm_context
*cc
, size_t rlen
)
65 * GCM adds a fixed overhead:
66 * 8 bytes for the nonce_explicit (before the ciphertext)
67 * 16 bytes for the authentication tag (after the ciphertext)
70 return rlen
>= 24 && rlen
<= (16384 + 24);
74 * Compute the authentication tag. The value written in 'tag' must still
78 do_tag(br_sslrec_gcm_context
*cc
,
79 int record_type
, unsigned version
,
80 void *data
, size_t len
, void *tag
)
82 unsigned char header
[13];
83 unsigned char footer
[16];
86 * Compute authentication tag. Three elements must be injected in
87 * sequence, each possibly 0-padded to reach a length multiple
88 * of the block size: the 13-byte header (sequence number, record
89 * type, protocol version, record length), the cipher text, and
90 * the word containing the encodings of the bit lengths of the two
93 br_enc64be(header
, cc
->seq
++);
94 header
[8] = (unsigned char)record_type
;
95 br_enc16be(header
+ 9, version
);
96 br_enc16be(header
+ 11, len
);
97 br_enc64be(footer
, (uint64_t)(sizeof header
) << 3);
98 br_enc64be(footer
+ 8, (uint64_t)len
<< 3);
100 cc
->gh(tag
, cc
->h
, header
, sizeof header
);
101 cc
->gh(tag
, cc
->h
, data
, len
);
102 cc
->gh(tag
, cc
->h
, footer
, sizeof footer
);
106 * Do CTR encryption. This also does CTR encryption of a single block at
107 * address 'xortag' with the counter value appropriate for the final
108 * processing of the authentication tag.
111 do_ctr(br_sslrec_gcm_context
*cc
, const void *nonce
, void *data
, size_t len
,
114 unsigned char iv
[12];
116 memcpy(iv
, cc
->iv
, 4);
117 memcpy(iv
+ 4, nonce
, 8);
118 cc
->bc
.vtable
->run(&cc
->bc
.vtable
, iv
, 2, data
, len
);
119 cc
->bc
.vtable
->run(&cc
->bc
.vtable
, iv
, 1, xortag
, 16);
122 static unsigned char *
123 gcm_decrypt(br_sslrec_gcm_context
*cc
,
124 int record_type
, unsigned version
, void *data
, size_t *data_len
)
129 unsigned char tag
[16];
131 buf
= (unsigned char *)data
+ 8;
132 len
= *data_len
- 24;
133 do_tag(cc
, record_type
, version
, buf
, len
, tag
);
134 do_ctr(cc
, data
, buf
, len
, tag
);
137 * Compare the computed tag with the value from the record. It
138 * is possibly useless to do a constant-time comparison here,
139 * but it does not hurt.
142 for (u
= 0; u
< 16; u
++) {
143 bad
|= tag
[u
] ^ buf
[len
+ u
];
152 /* see bearssl_ssl.h */
153 const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable
= {
155 sizeof(br_sslrec_gcm_context
),
156 (int (*)(const br_sslrec_in_class
*const *, size_t))
158 (unsigned char *(*)(const br_sslrec_in_class
**,
159 int, unsigned, void *, size_t *))
162 (void (*)(const br_sslrec_in_gcm_class
**,
163 const br_block_ctr_class
*, const void *, size_t,
164 br_ghash
, const void *))
169 out_gcm_init(br_sslrec_gcm_context
*cc
,
170 const br_block_ctr_class
*bc_impl
,
171 const void *key
, size_t key_len
,
175 cc
->vtable
.out
= &br_sslrec_out_gcm_vtable
;
176 gen_gcm_init(cc
, bc_impl
, key
, key_len
, gh_impl
, iv
);
180 gcm_max_plaintext(const br_sslrec_gcm_context
*cc
,
181 size_t *start
, size_t *end
)
187 len
= *end
- *start
- 16;
194 static unsigned char *
195 gcm_encrypt(br_sslrec_gcm_context
*cc
,
196 int record_type
, unsigned version
, void *data
, size_t *data_len
)
200 unsigned char tmp
[16];
202 buf
= (unsigned char *)data
;
204 memset(tmp
, 0, sizeof tmp
);
205 br_enc64be(buf
- 8, cc
->seq
);
206 do_ctr(cc
, buf
- 8, buf
, len
, tmp
);
207 do_tag(cc
, record_type
, version
, buf
, len
, buf
+ len
);
208 for (u
= 0; u
< 16; u
++) {
209 buf
[len
+ u
] ^= tmp
[u
];
213 buf
[0] = (unsigned char)record_type
;
214 br_enc16be(buf
+ 1, version
);
215 br_enc16be(buf
+ 3, len
);
220 /* see bearssl_ssl.h */
221 const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable
= {
223 sizeof(br_sslrec_gcm_context
),
224 (void (*)(const br_sslrec_out_class
*const *,
227 (unsigned char *(*)(const br_sslrec_out_class
**,
228 int, unsigned, void *, size_t *))
231 (void (*)(const br_sslrec_out_gcm_class
**,
232 const br_block_ctr_class
*, const void *, size_t,
233 br_ghash
, const void *))
projects / BearSSL / blob