| /* |
| * Copyright (C) 2018 Denys Vlasenko |
| * |
| * Licensed under GPLv2, see file LICENSE in this source tree. |
| */ |
| |
| #include "tls.h" |
| |
| typedef uint8_t byte; |
| typedef uint32_t word32; |
| #define XMEMSET memset |
| #define XMEMCPY memcpy |
| |
| /* from wolfssl-3.15.3/wolfcrypt/src/aes.c */ |
| |
| static ALWAYS_INLINE void FlattenSzInBits(byte* buf, word32 sz) |
| { |
| /* Multiply the sz by 8 */ |
| //bbox: these sizes are never even close to 2^32/8 |
| // word32 szHi = (sz >> (8*sizeof(sz) - 3)); |
| sz <<= 3; |
| |
| /* copy over the words of the sz into the destination buffer */ |
| // buf[0] = (szHi >> 24) & 0xff; |
| // buf[1] = (szHi >> 16) & 0xff; |
| // buf[2] = (szHi >> 8) & 0xff; |
| // buf[3] = szHi & 0xff; |
| *(uint32_t*)(buf + 0) = 0; |
| // buf[4] = (sz >> 24) & 0xff; |
| // buf[5] = (sz >> 16) & 0xff; |
| // buf[6] = (sz >> 8) & 0xff; |
| // buf[7] = sz & 0xff; |
| *(uint32_t*)(buf + 4) = SWAP_BE32(sz); |
| } |
| |
| static void RIGHTSHIFTX(byte* x) |
| { |
| int i; |
| int carryOut = 0; |
| int carryIn = 0; |
| int borrow = x[15] & 0x01; |
| |
| for (i = 0; i < AES_BLOCK_SIZE; i++) { |
| carryOut = x[i] & 0x01; |
| x[i] = (x[i] >> 1) | (carryIn ? 0x80 : 0); |
| carryIn = carryOut; |
| } |
| if (borrow) x[0] ^= 0xE1; |
| } |
| |
| static void GMULT(byte* X, byte* Y) |
| { |
| byte Z[AES_BLOCK_SIZE] ALIGNED_long; |
| byte V[AES_BLOCK_SIZE] ALIGNED_long; |
| int i, j; |
| |
| XMEMSET(Z, 0, AES_BLOCK_SIZE); |
| XMEMCPY(V, X, AES_BLOCK_SIZE); |
| for (i = 0; i < AES_BLOCK_SIZE; i++) |
| { |
| byte y = Y[i]; |
| for (j = 0; j < 8; j++) |
| { |
| if (y & 0x80) { |
| xorbuf_aligned_AES_BLOCK_SIZE(Z, V); |
| } |
| |
| RIGHTSHIFTX(V); |
| y = y << 1; |
| } |
| } |
| XMEMCPY(X, Z, AES_BLOCK_SIZE); |
| } |
| |
| //bbox: |
| // for TLS AES-GCM, a (which is AAD) is always 13 bytes long, and bbox code provides |
| // extra 3 zeroed bytes, making it a[16], or a[AES_BLOCK_SIZE]. |
| // Resulting auth tag in s[] is also always AES_BLOCK_SIZE bytes. |
| // |
| // This allows some simplifications. |
| #define aSz 13 |
| #define sSz AES_BLOCK_SIZE |
| void FAST_FUNC aesgcm_GHASH(byte* h, |
| const byte* a, //unsigned aSz, |
| const byte* c, unsigned cSz, |
| byte* s //, unsigned sSz |
| ) |
| { |
| byte x[AES_BLOCK_SIZE] ALIGNED_long; |
| // byte scratch[AES_BLOCK_SIZE] ALIGNED_long; |
| unsigned blocks, partial; |
| //was: byte* h = aes->H; |
| |
| //XMEMSET(x, 0, AES_BLOCK_SIZE); |
| |
| /* Hash in A, the Additional Authentication Data */ |
| // if (aSz != 0 && a != NULL) { |
| // blocks = aSz / AES_BLOCK_SIZE; |
| // partial = aSz % AES_BLOCK_SIZE; |
| // while (blocks--) { |
| //xorbuf(x, a, AES_BLOCK_SIZE); |
| XMEMCPY(x, a, AES_BLOCK_SIZE);// memcpy(x,a) = memset(x,0)+xorbuf(x,a) |
| GMULT(x, h); |
| // a += AES_BLOCK_SIZE; |
| // } |
| // if (partial != 0) { |
| // XMEMSET(scratch, 0, AES_BLOCK_SIZE); |
| // XMEMCPY(scratch, a, partial); |
| // xorbuf(x, scratch, AES_BLOCK_SIZE); |
| // GMULT(x, h); |
| // } |
| // } |
| |
| /* Hash in C, the Ciphertext */ |
| if (cSz != 0 /*&& c != NULL*/) { |
| blocks = cSz / AES_BLOCK_SIZE; |
| partial = cSz % AES_BLOCK_SIZE; |
| while (blocks--) { |
| if (BB_UNALIGNED_MEMACCESS_OK) // c is not guaranteed to be aligned |
| xorbuf_aligned_AES_BLOCK_SIZE(x, c); |
| else |
| xorbuf(x, c, AES_BLOCK_SIZE); |
| GMULT(x, h); |
| c += AES_BLOCK_SIZE; |
| } |
| if (partial != 0) { |
| //XMEMSET(scratch, 0, AES_BLOCK_SIZE); |
| //XMEMCPY(scratch, c, partial); |
| //xorbuf(x, scratch, AES_BLOCK_SIZE); |
| xorbuf(x, c, partial);//same result as above |
| GMULT(x, h); |
| } |
| } |
| |
| /* Hash in the lengths of A and C in bits */ |
| //FlattenSzInBits(&scratch[0], aSz); |
| //FlattenSzInBits(&scratch[8], cSz); |
| //xorbuf_aligned_AES_BLOCK_SIZE(x, scratch); |
| // simpler: |
| #define P32(v) ((uint32_t*)v) |
| //P32(x)[0] ^= 0; |
| P32(x)[1] ^= SWAP_BE32(aSz * 8); |
| //P32(x)[2] ^= 0; |
| P32(x)[3] ^= SWAP_BE32(cSz * 8); |
| #undef P32 |
| |
| GMULT(x, h); |
| |
| /* Copy the result into s. */ |
| XMEMCPY(s, x, sSz); |
| } |