WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #8745 from dgarske/stm32_crypt_header_width 

Fix edge case issue with STM32 AES GCM auth padding
pull/8777/head
Andrew Hutchings 2025-05-15 16:51:52 +01:00 committed by GitHub
parent 2ac4be3f22 6270429089
commit 6790c95e94
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 39 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
wolfcrypt/src/aes.c
View File

@ -8345,19 +8345,22 @@ static WARN_UNUSED_RESULT int wc_AesGcmEncrypt_STM32(
} }
XMEMCPY(ctrInit, ctr, sizeof(ctr)); /* save off initial counter for GMAC */ XMEMCPY(ctrInit, ctr, sizeof(ctr)); /* save off initial counter for GMAC */
/* Authentication buffer - must be 4-byte multiple zero padded */ /* Authentication buffer */
authPadSz = authInSz % sizeof(word32); #if STM_CRYPT_HEADER_WIDTH == 1
authPadSz = 0; /* CubeHAL supports byte mode */
#else
authPadSz = authInSz % STM_CRYPT_HEADER_WIDTH;
#endif
#ifdef WOLFSSL_STM32MP13 #ifdef WOLFSSL_STM32MP13
/* STM32MP13 HAL at least v1.2 and lower has a bug with which it needs a /* STM32MP13 HAL at least v1.2 and lower has a bug with which it needs a
* minimum of 16 bytes for the auth * minimum of 16 bytes for the auth */
*/
if ((authInSz > 0) && (authInSz < 16)) { if ((authInSz > 0) && (authInSz < 16)) {
authPadSz = 16 - authInSz; authPadSz = 16 - authInSz;
} }
#endif #endif
if (authPadSz != 0) { if (authPadSz != 0) {
if (authPadSz < authInSz + sizeof(word32)) { if (authPadSz < authInSz + STM_CRYPT_HEADER_WIDTH) {
authPadSz = authInSz + sizeof(word32) - authPadSz; authPadSz = authInSz + STM_CRYPT_HEADER_WIDTH - authPadSz;
} }
if (authPadSz <= sizeof(authhdr)) { if (authPadSz <= sizeof(authhdr)) {
authInPadded = (byte*)authhdr; authInPadded = (byte*)authhdr;
@ -8385,7 +8388,7 @@ static WARN_UNUSED_RESULT int wc_AesGcmEncrypt_STM32(
/* or hardware that does not support partial block */ /* or hardware that does not support partial block */
|| sz == 0 || partial != 0 || sz == 0 || partial != 0
#endif #endif
#if !defined(STM_CRYPT_HEADER_WIDTH) || STM_CRYPT_HEADER_WIDTH == 4 #if STM_CRYPT_HEADER_WIDTH == 4
/* or authIn is not a multiple of 4 */ /* or authIn is not a multiple of 4 */
|| authPadSz != authInSz || authPadSz != authInSz
#endif #endif
@ -8444,7 +8447,7 @@ static WARN_UNUSED_RESULT int wc_AesGcmEncrypt_STM32(
/* Set the CRYP parameters */ /* Set the CRYP parameters */
hcryp.Init.HeaderSize = authPadSz; hcryp.Init.HeaderSize = authPadSz;
if (authPadSz == 0) if (authPadSz == 0)
hcryp.Init.Header = NULL; /* cannot pass pointer here when authIn == 0 */ hcryp.Init.Header = NULL; /* cannot pass pointer when authIn == 0 */
hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_GCM_GMAC; hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_GCM_GMAC;
hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT; hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
hcryp.Init.GCMCMACPhase = CRYP_INIT_PHASE; hcryp.Init.GCMCMACPhase = CRYP_INIT_PHASE;
@ -8884,22 +8887,25 @@ static WARN_UNUSED_RESULT int wc_AesGcmDecrypt_STM32(
* For TLS blocks the authTag is after the output buffer, so save it */ * For TLS blocks the authTag is after the output buffer, so save it */
XMEMCPY(tagExpected, authTag, authTagSz); XMEMCPY(tagExpected, authTag, authTagSz);
/* Authentication buffer - must be 4-byte multiple zero padded */ /* Authentication buffer */
authPadSz = authInSz % sizeof(word32); #if STM_CRYPT_HEADER_WIDTH == 1
authPadSz = 0; /* CubeHAL supports byte mode */
#else
authPadSz = authInSz % STM_CRYPT_HEADER_WIDTH;
#endif
#ifdef WOLFSSL_STM32MP13
/* STM32MP13 HAL at least v1.2 and lower has a bug with which it needs a
* minimum of 16 bytes for the auth */
if ((authInSz > 0) && (authInSz < 16)) {
authPadSz = 16 - authInSz;
}
#else
if (authPadSz != 0) { if (authPadSz != 0) {
authPadSz = authInSz + sizeof(word32) - authPadSz; authPadSz = authInSz + STM_CRYPT_HEADER_WIDTH - authPadSz;
} }
else { else {
authPadSz = authInSz; authPadSz = authInSz;
} }
#ifdef WOLFSSL_STM32MP13
/* STM32MP13 HAL at least v1.2 and lower has a bug with which it needs a
* minimum of 16 bytes for the auth
*/
if ((authInSz > 0) && (authInSz < 16)) {
authPadSz = 16 - authInSz;
}
#endif #endif
/* for cases where hardware cannot be used for authTag calculate it */ /* for cases where hardware cannot be used for authTag calculate it */
@ -8909,7 +8915,7 @@ static WARN_UNUSED_RESULT int wc_AesGcmDecrypt_STM32(
/* or hardware that does not support partial block */ /* or hardware that does not support partial block */
|| sz == 0 || partial != 0 || sz == 0 || partial != 0
#endif #endif
#if !defined(STM_CRYPT_HEADER_WIDTH) || STM_CRYPT_HEADER_WIDTH == 4 #if STM_CRYPT_HEADER_WIDTH == 4
/* or authIn is not a multiple of 4 */ /* or authIn is not a multiple of 4 */
|| authPadSz != authInSz || authPadSz != authInSz
#endif #endif
@ -8949,6 +8955,7 @@ static WARN_UNUSED_RESULT int wc_AesGcmDecrypt_STM32(
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
#ifdef WOLFSSL_STM32_CUBEMX #ifdef WOLFSSL_STM32_CUBEMX
hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr; hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded; hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
@ -8956,7 +8963,6 @@ static WARN_UNUSED_RESULT int wc_AesGcmDecrypt_STM32(
#if defined(STM32_HAL_V2) #if defined(STM32_HAL_V2)
hcryp.Init.Algorithm = CRYP_AES_GCM; hcryp.Init.Algorithm = CRYP_AES_GCM;
hcryp.Init.HeaderSize = authPadSz / STM_CRYPT_HEADER_WIDTH; hcryp.Init.HeaderSize = authPadSz / STM_CRYPT_HEADER_WIDTH;
#ifdef CRYP_KEYIVCONFIG_ONCE #ifdef CRYP_KEYIVCONFIG_ONCE
/* allows repeated calls to HAL_CRYP_Decrypt */ /* allows repeated calls to HAL_CRYP_Decrypt */
hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE; hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ONCE;
@ -8966,6 +8972,7 @@ static WARN_UNUSED_RESULT int wc_AesGcmDecrypt_STM32(
HAL_CRYP_Init(&hcryp); HAL_CRYP_Init(&hcryp);
#ifndef CRYP_KEYIVCONFIG_ONCE #ifndef CRYP_KEYIVCONFIG_ONCE
/* GCM payload phase - can handle partial blocks */
status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
(blocks * WC_AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT); (blocks * WC_AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
#else #else

4
wolfssl/internal.h
View File

@ -249,8 +249,8 @@
#endif #endif
#endif #endif
#if !defined(CHAR_BIT) || (defined(OPENSSL_EXTRA) && !defined(INT_MAX)) #if !defined(WOLFCRYPT_ONLY) && !defined(INT_MAX)
/* Needed for DTLS without big math and INT_MAX */ /* Needed for TLS/DTLS limit checking (Added in 91aad90c59 Jan 24, 2025) */
#include <limits.h> #include <limits.h>
#endif #endif

15
wolfssl/wolfcrypt/port/st/stm32.h
View File

@ -188,12 +188,15 @@ int wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
#define STM_CRYPT_TYPE uint8_t #define STM_CRYPT_TYPE uint8_t
#endif #endif
/* newer crypt HAL requires auth header size as 4 bytes (word) */ /* Determine minimum AES GCM alignment supported */
#if defined(CRYP_HEADERWIDTHUNIT_BYTE) && \ #ifndef STM_CRYPT_HEADER_WIDTH
!defined(WOLFSSL_STM32MP13) && !defined(WOLFSSL_STM32H7S) /* newer crypt HAL requires auth header size as 4 bytes (word) */
#define STM_CRYPT_HEADER_WIDTH 1 #if defined(CRYP_HEADERWIDTHUNIT_BYTE) && \
#else !defined(WOLFSSL_STM32MP13) && !defined(WOLFSSL_STM32H7S)
#define STM_CRYPT_HEADER_WIDTH 4 #define STM_CRYPT_HEADER_WIDTH 1
#else
#define STM_CRYPT_HEADER_WIDTH 4
#endif
#endif #endif
/* CRYPT_AES_GCM starts the IV with 2 */ /* CRYPT_AES_GCM starts the IV with 2 */