revert AESNI padding and handle the case in aes.c
This commit is contained in:
parent
cc303a3035
commit
0b3d9cbccd
@ -8444,13 +8444,8 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
|
||||
#ifdef BUILD_AESGCM
|
||||
case wolfssl_aes_gcm:
|
||||
{
|
||||
#ifdef WOLFSSL_AESNI /* pad buffer for AESNI */
|
||||
byte additional[AEAD_AUTH_DATA_SZ + AEAD_AUTH_SZ_PAD];
|
||||
byte nonce[AESGCM_NONCE_SZ + AESGCM_NONCE_SZ_PAD];
|
||||
#else
|
||||
byte additional[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
#endif
|
||||
const byte* additionalSrc = input - 5;
|
||||
|
||||
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
|
||||
@ -8623,13 +8618,8 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
#ifdef BUILD_AESGCM
|
||||
case wolfssl_aes_gcm:
|
||||
{
|
||||
#ifdef WOLFSSL_AESNI /* pad buffer for AESNI */
|
||||
byte additional[AEAD_AUTH_DATA_SZ + AEAD_AUTH_SZ_PAD];
|
||||
byte nonce[AESGCM_NONCE_SZ + AESGCM_NONCE_SZ_PAD];
|
||||
#else
|
||||
byte additional[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
#endif
|
||||
|
||||
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
|
||||
|
||||
|
@ -2956,7 +2956,9 @@ static void AES_GCM_encrypt(const unsigned char *in,
|
||||
__m128i X = _mm_setzero_si128();
|
||||
|
||||
if(ibytes == 96/8) {
|
||||
Y = _mm_loadu_si128((__m128i*)ivec);
|
||||
Y = _mm_setzero_si128();
|
||||
for(j=0; j < ibytes%16; j++)
|
||||
((unsigned char*)&Y)[j] = ivec[j];
|
||||
Y = _mm_insert_epi32(Y, 0x1000000, 3);
|
||||
/* (Compute E[ZERO, KS] and E[Y0, KS] together */
|
||||
tmp1 = _mm_xor_si128(X, KEY[0]);
|
||||
@ -3105,7 +3107,9 @@ static void AES_GCM_encrypt(const unsigned char *in,
|
||||
}
|
||||
tmp1 = _mm_aesenc_si128(tmp1, KEY[nr-1]);
|
||||
tmp1 = _mm_aesenclast_si128(tmp1, KEY[nr]);
|
||||
tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
|
||||
for(j=0; j < nbytes%16; j++)
|
||||
((unsigned char*)&last_block)[j]= in[k*16+j];
|
||||
tmp1 = _mm_xor_si128(tmp1, last_block);
|
||||
last_block = tmp1;
|
||||
for(j=0; j < nbytes%16; j++)
|
||||
out[k*16+j]=((unsigned char*)&last_block)[j];
|
||||
@ -3149,7 +3153,9 @@ static int AES_GCM_decrypt(const unsigned char *in,
|
||||
__m128i X = _mm_setzero_si128();
|
||||
|
||||
if (ibytes == 96/8) {
|
||||
Y = _mm_loadu_si128((__m128i*)ivec);
|
||||
Y = _mm_setzero_si128();
|
||||
for(j=0; j < ibytes%16; j++)
|
||||
((unsigned char*)&Y)[j] = ivec[j];
|
||||
Y = _mm_insert_epi32(Y, 0x1000000, 3);
|
||||
/* (Compute E[ZERO, KS] and E[Y0, KS] together */
|
||||
tmp1 = _mm_xor_si128(X, KEY[0]);
|
||||
@ -3337,7 +3343,9 @@ static int AES_GCM_decrypt(const unsigned char *in,
|
||||
}
|
||||
tmp1 = _mm_aesenc_si128(tmp1, KEY[nr-1]);
|
||||
tmp1 = _mm_aesenclast_si128(tmp1, KEY[nr]);
|
||||
tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
|
||||
for(j=0; j < nbytes%16; j++)
|
||||
((unsigned char*)&last_block)[j]= in[k*16+j];
|
||||
tmp1 = _mm_xor_si128(tmp1, last_block);
|
||||
last_block = tmp1;
|
||||
for (j = 0; j < nbytes % 16; j++)
|
||||
out[k*16+j]=((unsigned char*)&last_block)[j];
|
||||
@ -3871,8 +3879,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
|
||||
|
||||
#ifdef WOLFSSL_AESNI
|
||||
if (haveAESNI) {
|
||||
AES_GCM_encrypt((void*)in, out, (void*)authIn, (void*)iv, authTag,
|
||||
sz, authInSz, ivSz, (byte*)aes->key, aes->rounds);
|
||||
AES_GCM_encrypt(in, out, authIn, iv, authTag,
|
||||
sz, authInSz, ivSz, (const byte*)aes->key, aes->rounds);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
@ -3052,8 +3052,6 @@ int aes_test(void)
|
||||
|
||||
|
||||
#ifdef HAVE_AESGCM
|
||||
/* NOTE: AESNI requires 128 bit alignment, padding arrays with 0's to be
|
||||
aligned */
|
||||
int aesgcm_test(void)
|
||||
{
|
||||
Aes enc;
|
||||
@ -3072,17 +3070,15 @@ int aesgcm_test(void)
|
||||
0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
|
||||
0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
|
||||
0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
|
||||
0xba, 0x63, 0x7b, 0x39, 0x00, 0x00, 0x00, 0x00
|
||||
0xba, 0x63, 0x7b, 0x39
|
||||
};
|
||||
word32 pSz = 60;
|
||||
|
||||
const byte a[] =
|
||||
{
|
||||
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
|
||||
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
|
||||
0xab, 0xad, 0xda, 0xd2, 0x00, 0x00, 0x00, 0x00
|
||||
0xab, 0xad, 0xda, 0xd2
|
||||
};
|
||||
word32 aSz = 20;
|
||||
|
||||
const byte k1[] =
|
||||
{
|
||||
@ -3095,9 +3091,8 @@ int aesgcm_test(void)
|
||||
const byte iv1[] =
|
||||
{
|
||||
0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
|
||||
0xde, 0xca, 0xf8, 0x88, 0x00, 0x00, 0x00, 0x00
|
||||
0xde, 0xca, 0xf8, 0x88
|
||||
};
|
||||
word32 iv1Sz = 12;
|
||||
|
||||
const byte c1[] =
|
||||
{
|
||||
@ -3135,9 +3130,8 @@ int aesgcm_test(void)
|
||||
0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
|
||||
0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
|
||||
0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
|
||||
0xa6, 0x37, 0xb3, 0x9b, 0x00, 0x00, 0x00, 0x00
|
||||
0xa6, 0x37, 0xb3, 0x9b
|
||||
};
|
||||
word32 iv2Sz = 60;
|
||||
|
||||
const byte c2[] =
|
||||
{
|
||||
@ -3169,15 +3163,15 @@ int aesgcm_test(void)
|
||||
|
||||
wc_AesGcmSetKey(&enc, k1, sizeof(k1));
|
||||
/* AES-GCM encrypt and decrypt both use AES encrypt internally */
|
||||
wc_AesGcmEncrypt(&enc, resultC, p, pSz, iv1, iv1Sz,
|
||||
resultT, sizeof(resultT), a, aSz);
|
||||
if (XMEMCMP(c1, resultC, sizeof(c1)))
|
||||
wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv1, sizeof(iv1),
|
||||
resultT, sizeof(resultT), a, sizeof(a));
|
||||
if (XMEMCMP(c1, resultC, sizeof(resultC)))
|
||||
return -68;
|
||||
if (XMEMCMP(t1, resultT, sizeof(t1)))
|
||||
if (XMEMCMP(t1, resultT, sizeof(resultT)))
|
||||
return -69;
|
||||
|
||||
result = wc_AesGcmDecrypt(&enc, resultP, resultC, pSz,
|
||||
iv1, iv1Sz, resultT, sizeof(resultT), a, aSz);
|
||||
result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC),
|
||||
iv1, sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
|
||||
if (result != 0)
|
||||
return -70;
|
||||
if (XMEMCMP(p, resultP, sizeof(resultP)))
|
||||
@ -3190,15 +3184,15 @@ int aesgcm_test(void)
|
||||
|
||||
wc_AesGcmSetKey(&enc, k2, sizeof(k2));
|
||||
/* AES-GCM encrypt and decrypt both use AES encrypt internally */
|
||||
wc_AesGcmEncrypt(&enc, resultC, p, pSz, iv2, iv2Sz,
|
||||
resultT, sizeof(resultT), a, aSz);
|
||||
if (XMEMCMP(c2, resultC, sizeof(c2)))
|
||||
wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv2, sizeof(iv2),
|
||||
resultT, sizeof(resultT), a, sizeof(a));
|
||||
if (XMEMCMP(c2, resultC, sizeof(resultC)))
|
||||
return -230;
|
||||
if (XMEMCMP(t2, resultT, sizeof(t2)))
|
||||
if (XMEMCMP(t2, resultT, sizeof(resultT)))
|
||||
return -231;
|
||||
|
||||
result = wc_AesGcmDecrypt(&enc, resultP, resultC, pSz,
|
||||
iv2, iv2Sz, resultT, sizeof(resultT), a, aSz);
|
||||
result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC),
|
||||
iv2, sizeof(iv2), resultT, sizeof(resultT), a, sizeof(a));
|
||||
if (result != 0)
|
||||
return -232;
|
||||
if (XMEMCMP(p, resultP, sizeof(resultP)))
|
||||
@ -3208,8 +3202,6 @@ int aesgcm_test(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* NOTE: AESNI requires 128 bit alignment, padding arrays to be aligned */
|
||||
int gmac_test(void)
|
||||
{
|
||||
Gmac gmac;
|
||||
@ -3222,9 +3214,8 @@ int gmac_test(void)
|
||||
const byte iv1[] =
|
||||
{
|
||||
0xd1, 0xb1, 0x04, 0xc8, 0x15, 0xbf, 0x1e, 0x94,
|
||||
0xe2, 0x8c, 0x8f, 0x16, 0x00, 0x00, 0x00, 0x00
|
||||
0xe2, 0x8c, 0x8f, 0x16
|
||||
};
|
||||
word32 iv1Sz = 12;
|
||||
const byte a1[] =
|
||||
{
|
||||
0x82, 0xad, 0xcd, 0x63, 0x8d, 0x3f, 0xa9, 0xd9,
|
||||
@ -3244,9 +3235,8 @@ int gmac_test(void)
|
||||
const byte iv2[] =
|
||||
{
|
||||
0xee, 0x9c, 0x6e, 0x06, 0x15, 0x45, 0x45, 0x03,
|
||||
0x1a, 0x60, 0x24, 0xa7, 0x00, 0x00, 0x00, 0x00
|
||||
0x1a, 0x60, 0x24, 0xa7
|
||||
};
|
||||
word32 iv2Sz = 12;
|
||||
const byte a2[] =
|
||||
{
|
||||
0x94, 0x81, 0x2c, 0x87, 0x07, 0x4e, 0x15, 0x18,
|
||||
@ -3266,9 +3256,8 @@ int gmac_test(void)
|
||||
const byte iv3[] =
|
||||
{
|
||||
0xe4, 0x4a, 0x42, 0x18, 0x8c, 0xae, 0x94, 0x92,
|
||||
0x6a, 0x9c, 0x26, 0xb0, 0x00, 0x00, 0x00, 0x00
|
||||
0x6a, 0x9c, 0x26, 0xb0
|
||||
};
|
||||
word32 iv3Sz = 12;
|
||||
const byte a3[] =
|
||||
{
|
||||
0x9d, 0xb9, 0x61, 0x68, 0xa6, 0x76, 0x7a, 0x31,
|
||||
@ -3283,19 +3272,19 @@ int gmac_test(void)
|
||||
|
||||
XMEMSET(tag, 0, sizeof(tag));
|
||||
wc_GmacSetKey(&gmac, k1, sizeof(k1));
|
||||
wc_GmacUpdate(&gmac, iv1, iv1Sz, a1, sizeof(a1), tag, sizeof(t1));
|
||||
wc_GmacUpdate(&gmac, iv1, sizeof(iv1), a1, sizeof(a1), tag, sizeof(t1));
|
||||
if (XMEMCMP(t1, tag, sizeof(t1)) != 0)
|
||||
return -126;
|
||||
|
||||
XMEMSET(tag, 0, sizeof(tag));
|
||||
wc_GmacSetKey(&gmac, k2, sizeof(k2));
|
||||
wc_GmacUpdate(&gmac, iv2, iv2Sz, a2, sizeof(a2), tag, sizeof(t2));
|
||||
wc_GmacUpdate(&gmac, iv2, sizeof(iv2), a2, sizeof(a2), tag, sizeof(t2));
|
||||
if (XMEMCMP(t2, tag, sizeof(t2)) != 0)
|
||||
return -127;
|
||||
|
||||
XMEMSET(tag, 0, sizeof(tag));
|
||||
wc_GmacSetKey(&gmac, k3, sizeof(k3));
|
||||
wc_GmacUpdate(&gmac, iv3, iv3Sz, a3, sizeof(a3), tag, sizeof(t3));
|
||||
wc_GmacUpdate(&gmac, iv3, sizeof(iv3), a3, sizeof(a3), tag, sizeof(t3));
|
||||
if (XMEMCMP(t3, tag, sizeof(t3)) != 0)
|
||||
return -128;
|
||||
|
||||
|
@ -992,11 +992,6 @@ enum Misc {
|
||||
AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */
|
||||
AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */
|
||||
AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ,
|
||||
#ifdef WOLFSSL_AESNI
|
||||
/* with AESNI make buffer 128 bit aligned */
|
||||
AEAD_AUTH_SZ_PAD = -(int)AEAD_AUTH_DATA_SZ & 15,
|
||||
AESGCM_NONCE_SZ_PAD = -(int)AESGCM_NONCE_SZ & 15,
|
||||
#endif
|
||||
|
||||
CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */
|
||||
CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */
|
||||
|