WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

For for STM32 with TLS v1.3 and AES-GCM. The IV was not being reset after using hardware causing the aes->reg to be incorrect.

pull/3169/head
David Garske 2020-07-29 15:39:49 -07:00
parent e4650a9151
commit 46ef82e2fd
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
wolfcrypt/src/aes.c
View File

@ -5961,8 +5961,6 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz
else { else {
GHASH(aes, NULL, 0, iv, ivSz, (byte*)ctr, AES_BLOCK_SIZE); GHASH(aes, NULL, 0, iv, ivSz, (byte*)ctr, AES_BLOCK_SIZE);
} }
/* Hardware requires counter + 1 */
IncrementGcmCounter((byte*)ctr);
/* Authentication buffer - must be 4-byte multiple zero padded */ /* Authentication buffer - must be 4-byte multiple zero padded */
authPadSz = authInSz % sizeof(word32); authPadSz = authInSz % sizeof(word32);
@ -5987,6 +5985,9 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz
authInPadded = (byte*)authIn; authInPadded = (byte*)authIn;
} }
/* Hardware requires counter + 1 */
IncrementGcmCounter((byte*)ctr);
#ifdef WOLFSSL_STM32_CUBEMX #ifdef WOLFSSL_STM32_CUBEMX
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded; hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
@ -6081,12 +6082,14 @@ static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz
ret = AES_GCM_AUTH_E; ret = AES_GCM_AUTH_E;
#endif /* WOLFSSL_STM32_CUBEMX */ #endif /* WOLFSSL_STM32_CUBEMX */
/* hardware requires +1, so subtract it */
DecrementGcmCounter((byte*)ctr);
if (ret == 0) { if (ret == 0) {
/* return authTag */ /* return authTag */
if (authTag) { if (authTag) {
/* For STM32 GCM fallback to software if partial AES block or IV != 12 */ /* For STM32 GCM fallback to software if partial AES block or IV != 12 */
if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) { if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) {
DecrementGcmCounter((byte*)ctr); /* hardware requires +1, so subtract it */
GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz); GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
wc_AesEncrypt(aes, (byte*)ctr, (byte*)tag); wc_AesEncrypt(aes, (byte*)ctr, (byte*)tag);
xorbuf(authTag, tag, authTagSz); xorbuf(authTag, tag, authTagSz);
@ -6404,8 +6407,6 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
else { else {
GHASH(aes, NULL, 0, iv, ivSz, (byte*)ctr, AES_BLOCK_SIZE); GHASH(aes, NULL, 0, iv, ivSz, (byte*)ctr, AES_BLOCK_SIZE);
} }
/* Hardware requires counter + 1 */
IncrementGcmCounter((byte*)ctr);
/* Authentication buffer - must be 4-byte multiple zero padded */ /* Authentication buffer - must be 4-byte multiple zero padded */
authPadSz = authInSz % sizeof(word32); authPadSz = authInSz % sizeof(word32);
@ -6430,6 +6431,9 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
authInPadded = (byte*)authIn; authInPadded = (byte*)authIn;
} }
/* Hardware requires counter + 1 */
IncrementGcmCounter((byte*)ctr);
#ifdef WOLFSSL_STM32_CUBEMX #ifdef WOLFSSL_STM32_CUBEMX
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded; hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
@ -6529,9 +6533,11 @@ static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
ret = AES_GCM_AUTH_E; ret = AES_GCM_AUTH_E;
#endif /* WOLFSSL_STM32_CUBEMX */ #endif /* WOLFSSL_STM32_CUBEMX */
/* hardware requires +1, so subtract it */
DecrementGcmCounter((byte*)ctr);
/* For STM32 GCM fallback to software if partial AES block or IV != 12 */ /* For STM32 GCM fallback to software if partial AES block or IV != 12 */
if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) { if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) {
DecrementGcmCounter((byte*)ctr); /* hardware requires +1, so subtract it */
GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag)); GHASH(aes, authIn, authInSz, in, sz, (byte*)tag, sizeof(tag));
wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock); wc_AesEncrypt(aes, (byte*)ctr, (byte*)partialBlock);
xorbuf(tag, partialBlock, sizeof(tag)); xorbuf(tag, partialBlock, sizeof(tag));