summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/freebl/gcm.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/freebl/gcm.c')
-rw-r--r--security/nss/lib/freebl/gcm.c860
1 files changed, 860 insertions, 0 deletions
diff --git a/security/nss/lib/freebl/gcm.c b/security/nss/lib/freebl/gcm.c
new file mode 100644
index 000000000..22121001b
--- /dev/null
+++ b/security/nss/lib/freebl/gcm.c
@@ -0,0 +1,860 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+#include "blapii.h"
+#include "blapit.h"
+#include "gcm.h"
+#include "ctr.h"
+#include "secerr.h"
+#include "prtypes.h"
+#include "pkcs11t.h"
+
+#include <limits.h>
+
+/**************************************************************************
+ * First implement the Galois hash function of GCM (gcmHash) *
+ **************************************************************************/
+#define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */
+
+typedef struct gcmHashContextStr gcmHashContext;
+
+static SECStatus gcmHash_InitContext(gcmHashContext *hash,
+ const unsigned char *H,
+ unsigned int blocksize);
+static void gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit);
+static SECStatus gcmHash_Update(gcmHashContext *ghash,
+ const unsigned char *buf, unsigned int len,
+ unsigned int blocksize);
+static SECStatus gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize);
+static SECStatus gcmHash_Final(gcmHashContext *gcm, unsigned char *outbuf,
+ unsigned int *outlen, unsigned int maxout,
+ unsigned int blocksize);
+static SECStatus gcmHash_Reset(gcmHashContext *ghash,
+ const unsigned char *inbuf,
+ unsigned int inbufLen, unsigned int blocksize);
+
+/* compile time defines to select how the GF2 multiply is calculated.
+ * There are currently 2 algorithms implemented here: MPI and ALGORITHM_1.
+ *
+ * MPI uses the GF2m implemented in mpi to support GF2 ECC.
+ * ALGORITHM_1 is the Algorithm 1 in both NIST SP 800-38D and
+ * "The Galois/Counter Mode of Operation (GCM)", McGrew & Viega.
+ */
+#if !defined(GCM_USE_ALGORITHM_1) && !defined(GCM_USE_MPI)
+#define GCM_USE_MPI 1 /* MPI is about 5x faster with the \
+ * same or less complexity. It's possible to use \
+ * tables to speed things up even more */
+#endif
+
+/* GCM defines the bit string to be LSB first, which is exactly
+ * opposite everyone else, including hardware. build array
+ * to reverse everything. */
+static const unsigned char gcm_byte_rev[256] = {
+ 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
+ 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
+ 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
+ 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
+ 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
+ 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
+ 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
+ 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
+ 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
+ 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
+ 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
+ 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
+ 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
+ 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
+ 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
+ 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
+ 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
+ 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
+ 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
+ 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
+ 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
+ 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
+ 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
+ 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
+ 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
+ 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
+ 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
+ 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
+ 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
+ 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
+ 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
+ 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
+};
+
+#ifdef GCM_TRACE
+#include <stdio.h>
+
+#define GCM_TRACE_X(ghash, label) \
+ { \
+ unsigned char _X[MAX_BLOCK_SIZE]; \
+ int i; \
+ gcm_getX(ghash, _X, blocksize); \
+ printf(label, (ghash)->m); \
+ for (i = 0; i < blocksize; i++) \
+ printf("%02x", _X[i]); \
+ printf("\n"); \
+ }
+#define GCM_TRACE_BLOCK(label, buf, blocksize) \
+ { \
+ printf(label); \
+ for (i = 0; i < blocksize; i++) \
+ printf("%02x", buf[i]); \
+ printf("\n"); \
+ }
+#else
+#define GCM_TRACE_X(ghash, label)
+#define GCM_TRACE_BLOCK(label, buf, blocksize)
+#endif
+
+#ifdef GCM_USE_MPI
+
+#ifdef GCM_USE_ALGORITHM_1
+#error "Only define one of GCM_USE_MPI, GCM_USE_ALGORITHM_1"
+#endif
+/* use the MPI functions to calculate Xn = (Xn-1^C_i)*H mod poly */
+#include "mpi.h"
+#include "secmpi.h"
+#include "mplogic.h"
+#include "mp_gf2m.h"
+
+/* state needed to handle GCM Hash function */
+struct gcmHashContextStr {
+ mp_int H;
+ mp_int X;
+ mp_int C_i;
+ const unsigned int *poly;
+ unsigned char buffer[MAX_BLOCK_SIZE];
+ unsigned int bufLen;
+ int m; /* XXX what is m? */
+ unsigned char counterBuf[2 * GCM_HASH_LEN_LEN];
+ PRUint64 cLen;
+};
+
+/* f = x^128 + x^7 + x^2 + x + 1 */
+static const unsigned int poly_128[] = { 128, 7, 2, 1, 0 };
+
+/* sigh, GCM defines the bit strings exactly backwards from everything else */
+static void
+gcm_reverse(unsigned char *target, const unsigned char *src,
+ unsigned int blocksize)
+{
+ unsigned int i;
+ for (i = 0; i < blocksize; i++) {
+ target[blocksize - i - 1] = gcm_byte_rev[src[i]];
+ }
+}
+
+/* Initialize a gcmHashContext */
+static SECStatus
+gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H,
+ unsigned int blocksize)
+{
+ mp_err err = MP_OKAY;
+ unsigned char H_rev[MAX_BLOCK_SIZE];
+
+ MP_DIGITS(&ghash->H) = 0;
+ MP_DIGITS(&ghash->X) = 0;
+ MP_DIGITS(&ghash->C_i) = 0;
+ CHECK_MPI_OK(mp_init(&ghash->H));
+ CHECK_MPI_OK(mp_init(&ghash->X));
+ CHECK_MPI_OK(mp_init(&ghash->C_i));
+
+ mp_zero(&ghash->X);
+ gcm_reverse(H_rev, H, blocksize);
+ CHECK_MPI_OK(mp_read_unsigned_octets(&ghash->H, H_rev, blocksize));
+
+ /* set the irreducible polynomial. Each blocksize has its own polynomial.
+ * for now only blocksize 16 (=128 bits) is defined */
+ switch (blocksize) {
+ case 16: /* 128 bits */
+ ghash->poly = poly_128;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ ghash->cLen = 0;
+ ghash->bufLen = 0;
+ ghash->m = 0;
+ PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf));
+ return SECSuccess;
+cleanup:
+ gcmHash_DestroyContext(ghash, PR_FALSE);
+ return SECFailure;
+}
+
+/* Destroy a HashContext (Note we zero the digits so this function
+ * is idempotent if called with freeit == PR_FALSE */
+static void
+gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit)
+{
+ mp_clear(&ghash->H);
+ mp_clear(&ghash->X);
+ mp_clear(&ghash->C_i);
+ PORT_Memset(ghash, 0, sizeof(gcmHashContext));
+ if (freeit) {
+ PORT_Free(ghash);
+ }
+}
+
+static SECStatus
+gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize)
+{
+ int len;
+ mp_err err;
+ unsigned char tmp_buf[MAX_BLOCK_SIZE];
+ unsigned char *X;
+
+ len = mp_unsigned_octet_size(&ghash->X);
+ if (len <= 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ X = tmp_buf;
+ PORT_Assert((unsigned int)len <= blocksize);
+ if ((unsigned int)len > blocksize) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ /* zero pad the result */
+ if (len != blocksize) {
+ PORT_Memset(X, 0, blocksize - len);
+ X += blocksize - len;
+ }
+
+ err = mp_to_unsigned_octets(&ghash->X, X, len);
+ if (err < 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ gcm_reverse(T, tmp_buf, blocksize);
+ return SECSuccess;
+}
+
+static SECStatus
+gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf,
+ unsigned int count, unsigned int blocksize)
+{
+ SECStatus rv = SECFailure;
+ mp_err err = MP_OKAY;
+ unsigned char tmp_buf[MAX_BLOCK_SIZE];
+ unsigned int i;
+
+ for (i = 0; i < count; i++, buf += blocksize) {
+ ghash->m++;
+ gcm_reverse(tmp_buf, buf, blocksize);
+ CHECK_MPI_OK(mp_read_unsigned_octets(&ghash->C_i, tmp_buf, blocksize));
+ CHECK_MPI_OK(mp_badd(&ghash->X, &ghash->C_i, &ghash->C_i));
+ /*
+ * Looking to speed up GCM, this the the place to do it.
+ * There are two areas that can be exploited to speed up this code.
+ *
+ * 1) H is a constant in this multiply. We can precompute H * (0 - 255)
+ * at init time and this becomes an blockize xors of our table lookup.
+ *
+ * 2) poly is a constant for each blocksize. We can calculate the
+ * modulo reduction by a series of adds and shifts.
+ *
+ * For now we are after functionality, so we will go ahead and use
+ * the builtin bmulmod from mpi
+ */
+ CHECK_MPI_OK(mp_bmulmod(&ghash->C_i, &ghash->H,
+ ghash->poly, &ghash->X));
+ GCM_TRACE_X(ghash, "X%d = ")
+ }
+ rv = SECSuccess;
+cleanup:
+ PORT_Memset(tmp_buf, 0, sizeof(tmp_buf));
+ if (rv != SECSuccess) {
+ MP_TO_SEC_ERROR(err);
+ }
+ return rv;
+}
+
+static void
+gcm_zeroX(gcmHashContext *ghash)
+{
+ mp_zero(&ghash->X);
+ ghash->m = 0;
+}
+
+#endif
+
+#ifdef GCM_USE_ALGORITHM_1
+/* use algorithm 1 of McGrew & Viega "The Galois/Counter Mode of Operation" */
+
+#define GCM_ARRAY_SIZE (MAX_BLOCK_SIZE / sizeof(unsigned long))
+
+struct gcmHashContextStr {
+ unsigned long H[GCM_ARRAY_SIZE];
+ unsigned long X[GCM_ARRAY_SIZE];
+ unsigned long R;
+ unsigned char buffer[MAX_BLOCK_SIZE];
+ unsigned int bufLen;
+ int m;
+ unsigned char counterBuf[2 * GCM_HASH_LEN_LEN];
+ PRUint64 cLen;
+};
+
+static void
+gcm_bytes_to_longs(unsigned long *l, const unsigned char *c, unsigned int len)
+{
+ int i, j;
+ int array_size = len / sizeof(unsigned long);
+
+ PORT_Assert(len % sizeof(unsigned long) == 0);
+ for (i = 0; i < array_size; i++) {
+ unsigned long tmp = 0;
+ int byte_offset = i * sizeof(unsigned long);
+ for (j = sizeof(unsigned long) - 1; j >= 0; j--) {
+ tmp = (tmp << PR_BITS_PER_BYTE) | gcm_byte_rev[c[byte_offset + j]];
+ }
+ l[i] = tmp;
+ }
+}
+
+static void
+gcm_longs_to_bytes(const unsigned long *l, unsigned char *c, unsigned int len)
+{
+ int i, j;
+ int array_size = len / sizeof(unsigned long);
+
+ PORT_Assert(len % sizeof(unsigned long) == 0);
+ for (i = 0; i < array_size; i++) {
+ unsigned long tmp = l[i];
+ int byte_offset = i * sizeof(unsigned long);
+ for (j = 0; j < sizeof(unsigned long); j++) {
+ c[byte_offset + j] = gcm_byte_rev[tmp & 0xff];
+ tmp = (tmp >> PR_BITS_PER_BYTE);
+ }
+ }
+}
+
+/* Initialize a gcmHashContext */
+static SECStatus
+gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H,
+ unsigned int blocksize)
+{
+ PORT_Memset(ghash->X, 0, sizeof(ghash->X));
+ PORT_Memset(ghash->H, 0, sizeof(ghash->H));
+ gcm_bytes_to_longs(ghash->H, H, blocksize);
+
+ /* set the irreducible polynomial. Each blocksize has its own polynommial
+ * for now only blocksize 16 (=128 bits) is defined */
+ switch (blocksize) {
+ case 16: /* 128 bits */
+ ghash->R = (unsigned long)0x87; /* x^7 + x^2 + x +1 */
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ ghash->cLen = 0;
+ ghash->bufLen = 0;
+ ghash->m = 0;
+ PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf));
+ return SECSuccess;
+cleanup:
+ return SECFailure;
+}
+
+/* Destroy a HashContext (Note we zero the digits so this function
+ * is idempotent if called with freeit == PR_FALSE */
+static void
+gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit)
+{
+ PORT_Memset(ghash, 0, sizeof(gcmHashContext));
+ if (freeit) {
+ PORT_Free(ghash);
+ }
+}
+
+static unsigned long
+gcm_shift_one(unsigned long *t, unsigned int count)
+{
+ unsigned long carry = 0;
+ unsigned long nextcarry = 0;
+ unsigned int i;
+ for (i = 0; i < count; i++) {
+ nextcarry = t[i] >> ((sizeof(unsigned long) * PR_BITS_PER_BYTE) - 1);
+ t[i] = (t[i] << 1) | carry;
+ carry = nextcarry;
+ }
+ return carry;
+}
+
+static SECStatus
+gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize)
+{
+ gcm_longs_to_bytes(ghash->X, T, blocksize);
+ return SECSuccess;
+}
+
+#define GCM_XOR(t, s, len) \
+ for (l = 0; l < len; l++) \
+ t[l] ^= s[l]
+
+static SECStatus
+gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf,
+ unsigned int count, unsigned int blocksize)
+{
+ unsigned long C_i[GCM_ARRAY_SIZE];
+ unsigned int arraysize = blocksize / sizeof(unsigned long);
+ unsigned int i, j, k, l;
+
+ for (i = 0; i < count; i++, buf += blocksize) {
+ ghash->m++;
+ gcm_bytes_to_longs(C_i, buf, blocksize);
+ GCM_XOR(C_i, ghash->X, arraysize);
+ /* multiply X = C_i * H */
+ PORT_Memset(ghash->X, 0, sizeof(ghash->X));
+ for (j = 0; j < arraysize; j++) {
+ unsigned long H = ghash->H[j];
+ for (k = 0; k < sizeof(unsigned long) * PR_BITS_PER_BYTE; k++) {
+ if (H & 1) {
+ GCM_XOR(ghash->X, C_i, arraysize);
+ }
+ if (gcm_shift_one(C_i, arraysize)) {
+ C_i[0] = C_i[0] ^ ghash->R;
+ }
+ H = H >> 1;
+ }
+ }
+ GCM_TRACE_X(ghash, "X%d = ")
+ }
+ PORT_Memset(C_i, 0, sizeof(C_i));
+ return SECSuccess;
+}
+
+static void
+gcm_zeroX(gcmHashContext *ghash)
+{
+ PORT_Memset(ghash->X, 0, sizeof(ghash->X));
+ ghash->m = 0;
+}
+#endif
+
+/*
+ * implement GCM GHASH using the freebl GHASH function. The gcm_HashMult
+ * function always takes blocksize lengths of data. gcmHash_Update will
+ * format the data properly.
+ */
+static SECStatus
+gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf,
+ unsigned int len, unsigned int blocksize)
+{
+ unsigned int blocks;
+ SECStatus rv;
+
+ ghash->cLen += (len * PR_BITS_PER_BYTE);
+
+ /* first deal with the current buffer of data. Try to fill it out so
+ * we can hash it */
+ if (ghash->bufLen) {
+ unsigned int needed = PR_MIN(len, blocksize - ghash->bufLen);
+ if (needed != 0) {
+ PORT_Memcpy(ghash->buffer + ghash->bufLen, buf, needed);
+ }
+ buf += needed;
+ len -= needed;
+ ghash->bufLen += needed;
+ if (len == 0) {
+ /* didn't add enough to hash the data, nothing more do do */
+ return SECSuccess;
+ }
+ PORT_Assert(ghash->bufLen == blocksize);
+ /* hash the buffer and clear it */
+ rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize);
+ PORT_Memset(ghash->buffer, 0, blocksize);
+ ghash->bufLen = 0;
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+ /* now hash any full blocks remaining in the data stream */
+ blocks = len / blocksize;
+ if (blocks) {
+ rv = gcm_HashMult(ghash, buf, blocks, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ buf += blocks * blocksize;
+ len -= blocks * blocksize;
+ }
+
+ /* save any remainder in the buffer to be hashed with the next call */
+ if (len != 0) {
+ PORT_Memcpy(ghash->buffer, buf, len);
+ ghash->bufLen = len;
+ }
+ return SECSuccess;
+}
+
+/*
+ * write out any partial blocks zero padded through the GHASH engine,
+ * save the lengths for the final completion of the hash
+ */
+static SECStatus
+gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize)
+{
+ int i;
+ SECStatus rv;
+
+ /* copy the previous counter to the upper block */
+ PORT_Memcpy(ghash->counterBuf, &ghash->counterBuf[GCM_HASH_LEN_LEN],
+ GCM_HASH_LEN_LEN);
+ /* copy the current counter in the lower block */
+ for (i = 0; i < GCM_HASH_LEN_LEN; i++) {
+ ghash->counterBuf[GCM_HASH_LEN_LEN + i] =
+ (ghash->cLen >> ((GCM_HASH_LEN_LEN - 1 - i) * PR_BITS_PER_BYTE)) & 0xff;
+ }
+ ghash->cLen = 0;
+
+ /* now zero fill the buffer and hash the last block */
+ if (ghash->bufLen) {
+ PORT_Memset(ghash->buffer + ghash->bufLen, 0, blocksize - ghash->bufLen);
+ rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize);
+ PORT_Memset(ghash->buffer, 0, blocksize);
+ ghash->bufLen = 0;
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+ return SECSuccess;
+}
+
+/*
+ * This does the final sync, hashes the lengths, then returns
+ * "T", the hashed output.
+ */
+static SECStatus
+gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf,
+ unsigned int *outlen, unsigned int maxout,
+ unsigned int blocksize)
+{
+ unsigned char T[MAX_BLOCK_SIZE];
+ SECStatus rv;
+
+ rv = gcmHash_Sync(ghash, blocksize);
+ if (rv != SECSuccess) {
+ goto cleanup;
+ }
+
+ rv = gcm_HashMult(ghash, ghash->counterBuf, (GCM_HASH_LEN_LEN * 2) / blocksize,
+ blocksize);
+ if (rv != SECSuccess) {
+ goto cleanup;
+ }
+
+ GCM_TRACE_X(ghash, "GHASH(H,A,C) = ")
+
+ rv = gcm_getX(ghash, T, blocksize);
+ if (rv != SECSuccess) {
+ goto cleanup;
+ }
+
+ if (maxout > blocksize)
+ maxout = blocksize;
+ PORT_Memcpy(outbuf, T, maxout);
+ *outlen = maxout;
+ rv = SECSuccess;
+
+cleanup:
+ PORT_Memset(T, 0, sizeof(T));
+ return rv;
+}
+
+SECStatus
+gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD,
+ unsigned int AADLen, unsigned int blocksize)
+{
+ SECStatus rv;
+
+ ghash->cLen = 0;
+ PORT_Memset(ghash->counterBuf, 0, GCM_HASH_LEN_LEN * 2);
+ ghash->bufLen = 0;
+ gcm_zeroX(ghash);
+
+ /* now kick things off by hashing the Additional Authenticated Data */
+ if (AADLen != 0) {
+ rv = gcmHash_Update(ghash, AAD, AADLen, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ rv = gcmHash_Sync(ghash, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+ return SECSuccess;
+}
+
+/**************************************************************************
+ * Now implement the GCM using gcmHash and CTR *
+ **************************************************************************/
+
+/* state to handle the full GCM operation (hash and counter) */
+struct GCMContextStr {
+ gcmHashContext ghash_context;
+ CTRContext ctr_context;
+ unsigned long tagBits;
+ unsigned char tagKey[MAX_BLOCK_SIZE];
+};
+
+GCMContext *
+GCM_CreateContext(void *context, freeblCipherFunc cipher,
+ const unsigned char *params, unsigned int blocksize)
+{
+ GCMContext *gcm = NULL;
+ gcmHashContext *ghash;
+ unsigned char H[MAX_BLOCK_SIZE];
+ unsigned int tmp;
+ PRBool freeCtr = PR_FALSE;
+ PRBool freeHash = PR_FALSE;
+ const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
+ CK_AES_CTR_PARAMS ctrParams;
+ SECStatus rv;
+
+ if (blocksize > MAX_BLOCK_SIZE || blocksize > sizeof(ctrParams.cb)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return NULL;
+ }
+ gcm = PORT_ZNew(GCMContext);
+ if (gcm == NULL) {
+ return NULL;
+ }
+ /* first fill in the ghash context */
+ ghash = &gcm->ghash_context;
+ PORT_Memset(H, 0, blocksize);
+ rv = (*cipher)(context, H, &tmp, blocksize, H, blocksize, blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = gcmHash_InitContext(ghash, H, blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ freeHash = PR_TRUE;
+
+ /* fill in the Counter context */
+ ctrParams.ulCounterBits = 32;
+ PORT_Memset(ctrParams.cb, 0, sizeof(ctrParams.cb));
+ if ((blocksize == 16) && (gcmParams->ulIvLen == 12)) {
+ PORT_Memcpy(ctrParams.cb, gcmParams->pIv, gcmParams->ulIvLen);
+ ctrParams.cb[blocksize - 1] = 1;
+ } else {
+ rv = gcmHash_Update(ghash, gcmParams->pIv, gcmParams->ulIvLen,
+ blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, blocksize, blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ rv = CTR_InitContext(&gcm->ctr_context, context, cipher,
+ (unsigned char *)&ctrParams, blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ freeCtr = PR_TRUE;
+
+ /* fill in the gcm structure */
+ gcm->tagBits = gcmParams->ulTagBits; /* save for final step */
+ /* calculate the final tag key. NOTE: gcm->tagKey is zero to start with.
+ * if this assumption changes, we would need to explicitly clear it here */
+ rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, blocksize,
+ gcm->tagKey, blocksize, blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* finally mix in the AAD data */
+ rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen, blocksize);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ return gcm;
+
+loser:
+ if (freeCtr) {
+ CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+ }
+ if (freeHash) {
+ gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE);
+ }
+ if (gcm) {
+ PORT_Free(gcm);
+ }
+ return NULL;
+}
+
+void
+GCM_DestroyContext(GCMContext *gcm, PRBool freeit)
+{
+ /* these two are statically allocated and will be freed when we free
+ * gcm. call their destroy functions to free up any locally
+ * allocated data (like mp_int's) */
+ CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+ gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE);
+ PORT_Memset(&gcm->tagBits, 0, sizeof(gcm->tagBits));
+ PORT_Memset(gcm->tagKey, 0, sizeof(gcm->tagKey));
+ if (freeit) {
+ PORT_Free(gcm);
+ }
+}
+
+static SECStatus
+gcm_GetTag(GCMContext *gcm, unsigned char *outbuf,
+ unsigned int *outlen, unsigned int maxout,
+ unsigned int blocksize)
+{
+ unsigned int tagBytes;
+ unsigned int extra;
+ unsigned int i;
+ SECStatus rv;
+
+ tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+ extra = tagBytes * PR_BITS_PER_BYTE - gcm->tagBits;
+
+ if (outbuf == NULL) {
+ *outlen = tagBytes;
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ if (maxout < tagBytes) {
+ *outlen = tagBytes;
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+ maxout = tagBytes;
+ rv = gcmHash_Final(&gcm->ghash_context, outbuf, outlen, maxout, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ GCM_TRACE_BLOCK("GHASH=", outbuf, blocksize);
+ GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize);
+ for (i = 0; i < *outlen; i++) {
+ outbuf[i] ^= gcm->tagKey[i];
+ }
+ GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize);
+ GCM_TRACE_BLOCK("T=", outbuf, blocksize);
+ /* mask off any extra bits we got */
+ if (extra) {
+ outbuf[tagBytes - 1] &= ~((1 << extra) - 1);
+ }
+ return SECSuccess;
+}
+
+/*
+ * See The Galois/Counter Mode of Operation, McGrew and Viega.
+ * GCM is basically counter mode with a specific initialization and
+ * built in macing operation.
+ */
+SECStatus
+GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf,
+ unsigned int *outlen, unsigned int maxout,
+ const unsigned char *inbuf, unsigned int inlen,
+ unsigned int blocksize)
+{
+ SECStatus rv;
+ unsigned int tagBytes;
+ unsigned int len;
+
+ tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+ if (UINT_MAX - inlen < tagBytes) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+ if (maxout < inlen + tagBytes) {
+ *outlen = inlen + tagBytes;
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
+ inbuf, inlen, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ rv = gcmHash_Update(&gcm->ghash_context, outbuf, *outlen, blocksize);
+ if (rv != SECSuccess) {
+ PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */
+ *outlen = 0;
+ return SECFailure;
+ }
+ rv = gcm_GetTag(gcm, outbuf + *outlen, &len, maxout - *outlen, blocksize);
+ if (rv != SECSuccess) {
+ PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */
+ *outlen = 0;
+ return SECFailure;
+ };
+ *outlen += len;
+ return SECSuccess;
+}
+
+/*
+ * See The Galois/Counter Mode of Operation, McGrew and Viega.
+ * GCM is basically counter mode with a specific initialization and
+ * built in macing operation. NOTE: the only difference between Encrypt
+ * and Decrypt is when we calculate the mac. That is because the mac must
+ * always be calculated on the cipher text, not the plain text, so for
+ * encrypt, we do the CTR update first and for decrypt we do the mac first.
+ */
+SECStatus
+GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
+ unsigned int *outlen, unsigned int maxout,
+ const unsigned char *inbuf, unsigned int inlen,
+ unsigned int blocksize)
+{
+ SECStatus rv;
+ unsigned int tagBytes;
+ unsigned char tag[MAX_BLOCK_SIZE];
+ const unsigned char *intag;
+ unsigned int len;
+
+ tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
+
+ /* get the authentication block */
+ if (inlen < tagBytes) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
+ inlen -= tagBytes;
+ intag = inbuf + inlen;
+
+ /* verify the block */
+ rv = gcmHash_Update(&gcm->ghash_context, inbuf, inlen, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ rv = gcm_GetTag(gcm, tag, &len, blocksize, blocksize);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* Don't decrypt if we can't authenticate the encrypted data!
+ * This assumes that if tagBits is not a multiple of 8, intag will
+ * preserve the masked off missing bits. */
+ if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
+ /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ PORT_Memset(tag, 0, sizeof(tag));
+ return SECFailure;
+ }
+ PORT_Memset(tag, 0, sizeof(tag));
+ /* finish the decryption */
+ return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
+ inbuf, inlen, blocksize);
+}