2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * IBM S390X support for AES GCM.
12 * This file is included by cipher_aes_gcm_hw.c
15 /* iv + padding length for iv lengths != 12 */
16 #define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
18 /* Additional flag or'ed to fc for decryption */
19 #define S390X_gcm_decrypt_flag(ctx) (((ctx)->enc) ? 0 : S390X_DECRYPT)
21 #define S390X_gcm_fc(A,C) ((A)->plat.s390x.fc | (A)->plat.s390x.hsflag |\
22 S390X_gcm_decrypt_flag((C)))
24 static int s390x_aes_gcm_initkey(PROV_GCM_CTX *ctx,
25 const unsigned char *key, size_t keylen)
27 PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
30 memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
31 actx->plat.s390x.fc = S390X_AES_FC(keylen);
35 static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv,
38 PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
39 S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
45 actx->plat.s390x.mreslen = 0;
46 actx->plat.s390x.areslen = 0;
47 actx->plat.s390x.kreslen = 0;
49 if (ivlen == GCM_IV_DEFAULT_SIZE) {
50 memcpy(&kma->j0, iv, ivlen);
53 actx->plat.s390x.hsflag = 0;
55 unsigned long long ivbits = ivlen << 3;
56 size_t len = S390X_gcm_ivpadlen(ivlen);
57 unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
59 * The IV length needs to be zero padded to be a multiple of 16 bytes
60 * followed by 8 bytes of zeros and 8 bytes for the IV length.
61 * The GHASH of this value can then be calculated.
63 memcpy(iv_zero_pad, iv, ivlen);
64 memset(iv_zero_pad + ivlen, 0, len - ivlen);
65 memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
67 * Calculate the ghash of the iv - the result is stored into the tag
70 s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
71 actx->plat.s390x.hsflag = S390X_KMA_HS; /* The hash subkey is set */
73 /* Copy the 128 bit GHASH result into J0 and clear the tag */
74 kma->j0.g[0] = kma->t.g[0];
75 kma->j0.g[1] = kma->t.g[1];
78 /* Set the 32 bit counter */
79 kma->cv.w = kma->j0.w[3];
84 static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
86 PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
87 S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
88 unsigned char out[AES_BLOCK_SIZE];
94 fc = S390X_gcm_fc(actx, ctx) | S390X_KMA_LAAD | S390X_KMA_LPC;
95 s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
96 actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
99 /* gctx->mres already returned to the caller */
100 OPENSSL_cleanse(out, actx->plat.s390x.mreslen);
103 ctx->taglen = GCM_TAG_MAX_SIZE;
104 memcpy(tag, kma->t.b, ctx->taglen);
107 rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
112 static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
113 unsigned char *aad, size_t aad_len,
114 const unsigned char *in, size_t in_len,
116 unsigned char *tag, size_t taglen)
118 PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
119 S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
123 kma->taadl = aad_len << 3;
124 kma->tpcl = in_len << 3;
125 fc = S390X_gcm_fc(actx, ctx) | S390X_KMA_LAAD | S390X_KMA_LPC;
126 s390x_kma(aad, aad_len, in, in_len, out, fc, kma);
129 memcpy(tag, kma->t.b, taglen);
132 rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
138 * Process additional authenticated data. Returns 1 on success. Code is
141 static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
142 const unsigned char *aad, size_t len)
144 PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
145 S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
146 unsigned long long alen;
150 /* If already processed pt/ct then error */
154 /* update the total aad length */
155 alen = kma->taadl + len;
156 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
160 /* check if there is any existing aad data from a previous add */
161 n = actx->plat.s390x.areslen;
163 /* add additional data to a buffer until it has 16 bytes */
165 actx->plat.s390x.ares[n] = *aad;
170 /* ctx->ares contains a complete block if offset has wrapped around */
172 fc = S390X_gcm_fc(actx, ctx);
173 s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL, fc, kma);
174 actx->plat.s390x.hsflag = S390X_KMA_HS;
176 actx->plat.s390x.areslen = n;
179 /* If there are leftover bytes (< 128 bits) save them for next time */
181 /* Add any remaining 16 byte blocks (128 bit each) */
184 fc = S390X_gcm_fc(actx, ctx);
185 s390x_kma(aad, len, NULL, 0, NULL, fc, kma);
186 actx->plat.s390x.hsflag = S390X_KMA_HS;
191 actx->plat.s390x.areslen = rem;
195 actx->plat.s390x.ares[rem] = aad[rem];
202 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
203 * success. Code is big-endian.
205 static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
206 const unsigned char *in, size_t len,
209 PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
210 S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
211 const unsigned char *inptr;
212 unsigned long long mlen;
221 mlen = kma->tpcl + len;
222 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
226 fc = S390X_gcm_fc(actx, ctx) | S390X_KMA_LAAD;
227 n = actx->plat.s390x.mreslen;
232 actx->plat.s390x.mres[n] = *inptr;
237 /* ctx->mres contains a complete block if offset has wrapped around */
239 s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
240 actx->plat.s390x.mres, 16, buf.b, fc, kma);
241 actx->plat.s390x.hsflag = S390X_KMA_HS;
243 actx->plat.s390x.areslen = 0;
245 /* previous call already encrypted/decrypted its remainder,
246 * see comment below */
247 n = actx->plat.s390x.mreslen;
255 actx->plat.s390x.mreslen = 0;
263 s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
267 actx->plat.s390x.hsflag = S390X_KMA_HS;
268 actx->plat.s390x.areslen = 0;
272 * If there is a remainder, it has to be saved such that it can be
273 * processed by kma later. However, we also have to do the for-now
274 * unauthenticated encryption/decryption part here and now...
277 if (!actx->plat.s390x.mreslen) {
278 buf.w[0] = kma->j0.w[0];
279 buf.w[1] = kma->j0.w[1];
280 buf.w[2] = kma->j0.w[2];
281 buf.w[3] = kma->cv.w + 1;
282 s390x_km(buf.b, 16, actx->plat.s390x.kres,
286 n = actx->plat.s390x.mreslen;
287 for (i = 0; i < rem; i++) {
288 actx->plat.s390x.mres[n + i] = in[i];
289 out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
291 actx->plat.s390x.mreslen += rem;
296 static const PROV_GCM_HW s390x_aes_gcm = {
297 s390x_aes_gcm_initkey,
299 s390x_aes_gcm_aad_update,
300 s390x_aes_gcm_cipher_update,
301 s390x_aes_gcm_cipher_final,
302 s390x_aes_gcm_one_shot
305 const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
307 if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
308 || (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
309 || (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
310 return &s390x_aes_gcm;