/* * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ /*- * IBM S390X support for AES GCM. * This file is included by cipher_aes_gcm_hw.c */ /* iv + padding length for iv lengths != 12 */ #define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16) static int s390x_aes_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, size_t keylen) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; ctx->key_set = 1; memcpy(&actx->plat.s390x.param.kma.k, key, keylen); actx->plat.s390x.fc = S390X_AES_FC(keylen); if (!ctx->enc) actx->plat.s390x.fc |= S390X_DECRYPT; return 1; } static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma; kma->t.g[0] = 0; kma->t.g[1] = 0; kma->tpcl = 0; kma->taadl = 0; actx->plat.s390x.mreslen = 0; actx->plat.s390x.areslen = 0; actx->plat.s390x.kreslen = 0; if (ivlen == GCM_IV_DEFAULT_SIZE) { memcpy(&kma->j0, iv, ivlen); kma->j0.w[3] = 1; kma->cv.w = 1; } else { unsigned long long ivbits = ivlen << 3; size_t len = S390X_gcm_ivpadlen(ivlen); unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)]; /* * The IV length needs to be zero padded to be a multiple of 16 bytes * followed by 8 bytes of zeros and 8 bytes for the IV length. * The GHASH of this value can then be calculated. */ memcpy(iv_zero_pad, iv, ivlen); memset(iv_zero_pad + ivlen, 0, len - ivlen); memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits)); /* * Calculate the ghash of the iv - the result is stored into the tag * param. */ s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma); actx->plat.s390x.fc |= S390X_KMA_HS; /* The hash subkey is set */ /* Copy the 128 bit GHASH result into J0 and clear the tag */ kma->j0.g[0] = kma->t.g[0]; kma->j0.g[1] = kma->t.g[1]; kma->t.g[0] = 0; kma->t.g[1] = 0; /* Set the 32 bit counter */ kma->cv.w = kma->j0.w[3]; } return 1; } static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma; unsigned char out[AES_BLOCK_SIZE]; int rc; kma->taadl <<= 3; kma->tpcl <<= 3; s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, actx->plat.s390x.mres, actx->plat.s390x.mreslen, out, actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma); /* gctx->mres already returned to the caller */ OPENSSL_cleanse(out, actx->plat.s390x.mreslen); if (ctx->enc) { ctx->taglen = GCM_TAG_MAX_SIZE; memcpy(tag, kma->t.b, ctx->taglen); rc = 1; } else { rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0); } return rc; } static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx, unsigned char *aad, size_t aad_len, const unsigned char *in, size_t in_len, unsigned char *out, unsigned char *tag, size_t taglen) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma; int rc; kma->taadl = aad_len << 3; kma->tpcl = in_len << 3; s390x_kma(aad, aad_len, in, in_len, out, actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma); if (ctx->enc) { memcpy(tag, kma->t.b, taglen); rc = 1; } else { rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0); } return rc; } /* * Process additional authenticated data. Returns 1 on success. Code is * big-endian. */ static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, size_t len) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma; unsigned long long alen; int n, rem; /* If already processed pt/ct then error */ if (kma->tpcl != 0) return 0; /* update the total aad length */ alen = kma->taadl + len; if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len)) return 0; kma->taadl = alen; /* check if there is any existing aad data from a previous add */ n = actx->plat.s390x.areslen; if (n) { /* add additional data to a buffer until it has 16 bytes */ while (n && len) { actx->plat.s390x.ares[n] = *aad; ++aad; --len; n = (n + 1) & 0xf; } /* ctx->ares contains a complete block if offset has wrapped around */ if (!n) { s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL, actx->plat.s390x.fc, kma); actx->plat.s390x.fc |= S390X_KMA_HS; } actx->plat.s390x.areslen = n; } /* If there are leftover bytes (< 128 bits) save them for next time */ rem = len & 0xf; /* Add any remaining 16 byte blocks (128 bit each) */ len &= ~(size_t)0xf; if (len) { s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma); actx->plat.s390x.fc |= S390X_KMA_HS; aad += len; } if (rem) { actx->plat.s390x.areslen = rem; do { --rem; actx->plat.s390x.ares[rem] = aad[rem]; } while (rem); } return 1; } /*- * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for * success. Code is big-endian. */ static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, size_t len, unsigned char *out) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma; const unsigned char *inptr; unsigned long long mlen; union { unsigned int w[4]; unsigned char b[16]; } buf; size_t inlen; int n, rem, i; mlen = kma->tpcl + len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) return 0; kma->tpcl = mlen; n = actx->plat.s390x.mreslen; if (n) { inptr = in; inlen = len; while (n && inlen) { actx->plat.s390x.mres[n] = *inptr; n = (n + 1) & 0xf; ++inptr; --inlen; } /* ctx->mres contains a complete block if offset has wrapped around */ if (!n) { s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, actx->plat.s390x.mres, 16, buf.b, actx->plat.s390x.fc | S390X_KMA_LAAD, kma); actx->plat.s390x.fc |= S390X_KMA_HS; actx->plat.s390x.areslen = 0; /* previous call already encrypted/decrypted its remainder, * see comment below */ n = actx->plat.s390x.mreslen; while (n) { *out = buf.b[n]; n = (n + 1) & 0xf; ++out; ++in; --len; } actx->plat.s390x.mreslen = 0; } } rem = len & 0xf; len &= ~(size_t)0xf; if (len) { s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out, actx->plat.s390x.fc | S390X_KMA_LAAD, kma); in += len; out += len; actx->plat.s390x.fc |= S390X_KMA_HS; actx->plat.s390x.areslen = 0; } /*- * If there is a remainder, it has to be saved such that it can be * processed by kma later. However, we also have to do the for-now * unauthenticated encryption/decryption part here and now... */ if (rem) { if (!actx->plat.s390x.mreslen) { buf.w[0] = kma->j0.w[0]; buf.w[1] = kma->j0.w[1]; buf.w[2] = kma->j0.w[2]; buf.w[3] = kma->cv.w + 1; s390x_km(buf.b, 16, actx->plat.s390x.kres, actx->plat.s390x.fc & 0x1f, &kma->k); } n = actx->plat.s390x.mreslen; for (i = 0; i < rem; i++) { actx->plat.s390x.mres[n + i] = in[i]; out[i] = in[i] ^ actx->plat.s390x.kres[n + i]; } actx->plat.s390x.mreslen += rem; } return 1; } static const PROV_GCM_HW s390x_aes_gcm = { s390x_aes_gcm_initkey, s390x_aes_gcm_setiv, s390x_aes_gcm_aad_update, s390x_aes_gcm_cipher_update, s390x_aes_gcm_cipher_final, s390x_aes_gcm_one_shot }; const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits) { if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE) || (keybits == 192 && S390X_aes_192_gcm_CAPABLE) || (keybits == 256 && S390X_aes_256_gcm_CAPABLE)) return &s390x_aes_gcm; return &aes_gcm; }