/*
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/*-
* S390X support for AES CCM.
* This file is included by cipher_aes_ccm_hw.c
*/
#define S390X_CCM_AAD_FLAG 0x40
static int s390x_aes_ccm_initkey(PROV_CCM_CTX *ctx,
const unsigned char *key, size_t keylen)
{
PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
sctx->ccm.s390x.fc = S390X_AES_FC(keylen);
memcpy(&sctx->ccm.s390x.kmac.k, key, keylen);
/* Store encoded m and l. */
sctx->ccm.s390x.nonce.b[0] = ((ctx->l - 1) & 0x7)
| (((ctx->m - 2) >> 1) & 0x7) << 3;
memset(sctx->ccm.s390x.nonce.b + 1, 0, sizeof(sctx->ccm.s390x.nonce.b));
sctx->ccm.s390x.blocks = 0;
ctx->key_set = 1;
return 1;
}
static int s390x_aes_ccm_setiv(PROV_CCM_CTX *ctx,
const unsigned char *nonce, size_t noncelen,
size_t mlen)
{
PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
sctx->ccm.s390x.nonce.b[0] &= ~S390X_CCM_AAD_FLAG;
sctx->ccm.s390x.nonce.g[1] = mlen;
memcpy(sctx->ccm.s390x.nonce.b + 1, nonce, 15 - ctx->l);
return 1;
}
/*-
* Process additional authenticated data. Code is big-endian.
*/
static int s390x_aes_ccm_setaad(PROV_CCM_CTX *ctx,
const unsigned char *aad, size_t alen)
{
PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
unsigned char *ptr;
int i, rem;
if (!alen)
return 1;
sctx->ccm.s390x.nonce.b[0] |= S390X_CCM_AAD_FLAG;
/* Suppress 'type-punned pointer dereference' warning. */
ptr = sctx->ccm.s390x.buf.b;
if (alen < ((1 << 16) - (1 << 8))) {
*(uint16_t *)ptr = alen;
i = 2;
} else if (sizeof(alen) == 8
&& alen >= (size_t)1 << (32 % (sizeof(alen) * 8))) {
*(uint16_t *)ptr = 0xffff;
*(uint64_t *)(ptr + 2) = alen;
i = 10;
} else {
*(uint16_t *)ptr = 0xfffe;
*(uint32_t *)(ptr + 2) = alen;
i = 6;
}
while (i < 16 && alen) {
sctx->ccm.s390x.buf.b[i] = *aad;
++aad;
--alen;
++i;
}
while (i < 16) {
sctx->ccm.s390x.buf.b[i] = 0;
++i;
}
sctx->ccm.s390x.kmac.icv.g[0] = 0;
sctx->ccm.s390x.kmac.icv.g[1] = 0;
s390x_kmac(sctx->ccm.s390x.nonce.b, 32, sctx->ccm.s390x.fc,
&sctx->ccm.s390x.kmac);
sctx->ccm.s390x.blocks += 2;
rem = alen & 0xf;
alen &= ~(size_t)0xf;
if (alen) {
s390x_kmac(aad, alen, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
sctx->ccm.s390x.blocks += alen >> 4;
aad += alen;
}
if (rem) {
for (i = 0; i < rem; i++)
sctx->ccm.s390x.kmac.icv.b[i] ^= aad[i];
s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
sctx->ccm.s390x.kmac.icv.b, sctx->ccm.s390x.fc,
sctx->ccm.s390x.kmac.k);
sctx->ccm.s390x.blocks++;
}
return 1;
}
/*-
* En/de-crypt plain/cipher-text. Compute tag from plaintext. Returns 1 for
* success.
*/
static int s390x_aes_ccm_auth_encdec(PROV_CCM_CTX *ctx,
const unsigned char *in,
unsigned char *out, size_t len, int enc)
{
PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
size_t n, rem;
unsigned int i, l, num;
unsigned char flags;
flags = sctx->ccm.s390x.nonce.b[0];
if (!(flags & S390X_CCM_AAD_FLAG)) {
s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.kmac.icv.b,
sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
sctx->ccm.s390x.blocks++;
}
l = flags & 0x7;
sctx->ccm.s390x.nonce.b[0] = l;
/*-
* Reconstruct length from encoded length field
* and initialize it with counter value.
*/
n = 0;
for (i = 15 - l; i < 15; i++) {
n |= sctx->ccm.s390x.nonce.b[i];
sctx->ccm.s390x.nonce.b[i] = 0;
n <<= 8;
}
n |= sctx->ccm.s390x.nonce.b[15];
sctx->ccm.s390x.nonce.b[15] = 1;
if (n != len)
return 0; /* length mismatch */
if (enc) {
/* Two operations per block plus one for tag encryption */
sctx->ccm.s390x.blocks += (((len + 15) >> 4) << 1) + 1;
if (sctx->ccm.s390x.blocks > (1ULL << 61))
return 0; /* too much data */
}
num = 0;
rem = len & 0xf;
len &= ~(size_t)0xf;
if (enc) {
/* mac-then-encrypt */
if (len)
s390x_kmac(in, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
if (rem) {
for (i = 0; i < rem; i++)
sctx->ccm.s390x.kmac.icv.b[i] ^= in[len + i];
s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
sctx->ccm.s390x.kmac.icv.b,
sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
}
CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
&num, (ctr128_f)AES_ctr32_encrypt);
} else {
/* decrypt-then-mac */
CRYPTO_ctr128_encrypt_ctr32(in, out, len + rem, &sctx->ccm.ks.ks,
sctx->ccm.s390x.nonce.b, sctx->ccm.s390x.buf.b,
&num, (ctr128_f)AES_ctr32_encrypt);
if (len)
s390x_kmac(out, len, sctx->ccm.s390x.fc, &sctx->ccm.s390x.kmac);
if (rem) {
for (i = 0; i < rem; i++)
sctx->ccm.s390x.kmac.icv.b[i] ^= out[len + i];
s390x_km(sctx->ccm.s390x.kmac.icv.b, 16,
sctx->ccm.s390x.kmac.icv.b,
sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
}
}
/* encrypt tag */
for (i = 15 - l; i < 16; i++)
sctx->ccm.s390x.nonce.b[i] = 0;
s390x_km(sctx->ccm.s390x.nonce.b, 16, sctx->ccm.s390x.buf.b,
sctx->ccm.s390x.fc, sctx->ccm.s390x.kmac.k);
sctx->ccm.s390x.kmac.icv.g[0] ^= sctx->ccm.s390x.buf.g[0];
sctx->ccm.s390x.kmac.icv.g[1] ^= sctx->ccm.s390x.buf.g[1];
sctx->ccm.s390x.nonce.b[0] = flags; /* restore flags field */
return 1;
}
static int s390x_aes_ccm_gettag(PROV_CCM_CTX *ctx,
unsigned char *tag, size_t tlen)
{
PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
if (tlen > ctx->m)
return 0;
memcpy(tag, sctx->ccm.s390x.kmac.icv.b, tlen);
return 1;
}
static int s390x_aes_ccm_auth_encrypt(PROV_CCM_CTX *ctx,
const unsigned char *in,
unsigned char *out, size_t len,
unsigned char *tag, size_t taglen)
{
int rv;
rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 1);
if (rv && tag != NULL)
rv = s390x_aes_ccm_gettag(ctx, tag, taglen);
return rv;
}
static int s390x_aes_ccm_auth_decrypt(PROV_CCM_CTX *ctx,
const unsigned char *in,
unsigned char *out, size_t len,
unsigned char *expected_tag,
size_t taglen)
{
int rv = 0;
PROV_AES_CCM_CTX *sctx = (PROV_AES_CCM_CTX *)ctx;
rv = s390x_aes_ccm_auth_encdec(ctx, in, out, len, 0);
if (rv) {
if (CRYPTO_memcmp(sctx->ccm.s390x.kmac.icv.b, expected_tag, ctx->m) != 0)
rv = 0;
}
if (rv == 0)
OPENSSL_cleanse(out, len);
return rv;
}
static const PROV_CCM_HW s390x_aes_ccm = {
s390x_aes_ccm_initkey,
s390x_aes_ccm_setiv,
s390x_aes_ccm_setaad,
s390x_aes_ccm_auth_encrypt,
s390x_aes_ccm_auth_decrypt,
s390x_aes_ccm_gettag
};
const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits)
{
if ((keybits == 128 && S390X_aes_128_ccm_CAPABLE)
|| (keybits == 192 && S390X_aes_192_ccm_CAPABLE)
|| (keybits == 256 && S390X_aes_256_ccm_CAPABLE))
return &s390x_aes_ccm;
return &aes_ccm;
}