Merge branch 'feature/gcm_operation_using_ctr_based_calculation_v5.0' into 'release/v5.0'

GCM operation optimisation (v5.0)

See merge request espressif/esp-idf!21856
This commit is contained in:
Mahavir Jain 2023-01-12 12:38:42 +08:00
commit ef5465b3d9
5 changed files with 54 additions and 38 deletions

View File

@ -219,7 +219,7 @@ if(CONFIG_MBEDTLS_HARDWARE_SHA)
)
endif()
if(CONFIG_MBEDTLS_HARDWARE_GCM)
if(CONFIG_MBEDTLS_HARDWARE_GCM OR (NOT CONFIG_SOC_AES_SUPPORT_GCM AND CONFIG_MBEDTLS_HARDWARE_AES))
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
endif()

View File

@ -16,7 +16,6 @@
*/
#include "soc/soc_caps.h"
#if SOC_AES_SUPPORT_GCM
#include "aes/esp_aes.h"
#include "aes/esp_aes_gcm.h"
@ -28,6 +27,7 @@
#include "esp_heap_caps.h"
#include "soc/soc_memory_layout.h"
#include "mbedtls/error.h"
#include <string.h>
#define ESP_PUT_BE64(a, val) \
@ -245,6 +245,11 @@ int esp_aes_gcm_setkey( esp_gcm_context *ctx,
const unsigned char *key,
unsigned int keybits )
{
#if !SOC_AES_SUPPORT_AES_192
if (keybits == 192) {
return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
}
#endif
if (keybits != 128 && keybits != 192 && keybits != 256) {
return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
}
@ -346,6 +351,8 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
/* Initialize AES-GCM context */
memset(ctx->ghash, 0, sizeof(ctx->ghash));
ctx->data_len = 0;
ctx->aad = NULL;
ctx->aad_len = 0;
ctx->iv = iv;
ctx->iv_len = iv_len;
@ -354,6 +361,7 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
/* H and the lookup table are only generated once per ctx */
if (ctx->gcm_state == ESP_AES_GCM_STATE_INIT) {
/* Lock the AES engine to calculate ghash key H in hardware */
#if SOC_AES_SUPPORT_GCM
esp_aes_acquire_hardware();
ctx->aes_ctx.key_in_hardware = aes_hal_setkey(ctx->aes_ctx.key, ctx->aes_ctx.key_bytes, mode);
aes_hal_mode_init(ESP_AES_BLOCK_MODE_GCM);
@ -361,10 +369,22 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
aes_hal_gcm_calc_hash(ctx->H);
esp_aes_release_hardware();
#else
memset(ctx->H, 0, sizeof(ctx->H));
esp_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->H, ctx->H);
#endif
gcm_gen_table(ctx);
}
/* Once H is obtained we need to derive J0 (Initial Counter Block) */
esp_gcm_derive_J0(ctx);
/* The initial counter block keeps updating during the esp_gcm_update call
* however to calculate final authentication tag T we need original J0
* so we make a copy here
*/
memcpy(ctx->ori_j0, ctx->J0, 16);
ctx->gcm_state = ESP_AES_GCM_STATE_START;
return ( 0 );
@ -389,26 +409,14 @@ int esp_aes_gcm_update_ad( esp_gcm_context *ctx,
return -1;
}
/* Initialize AES-GCM context */
memset(ctx->ghash, 0, sizeof(ctx->ghash));
ctx->data_len = 0;
ctx->aad = aad;
ctx->aad_len = aad_len;
if (ctx->gcm_state != ESP_AES_GCM_STATE_START) {
ESP_LOGE(TAG, "AES context in invalid state!");
return -1;
}
/* Once H is obtained we need to derive J0 (Initial Counter Block) */
esp_gcm_derive_J0(ctx);
/* The initial counter block keeps updating during the esp_gcm_update call
* however to calculate final authentication tag T we need original J0
* so we make a copy here
*/
memcpy(ctx->ori_j0, ctx->J0, 16);
/* Initialise associated data */
ctx->aad = aad;
ctx->aad_len = aad_len;
esp_gcm_ghash(ctx, ctx->aad, ctx->aad_len, ctx->ghash);
@ -425,6 +433,12 @@ int esp_aes_gcm_update( esp_gcm_context *ctx,
uint8_t nonce_counter[AES_BLOCK_BYTES] = {0};
uint8_t stream[AES_BLOCK_BYTES] = {0};
if (!output_length) {
ESP_LOGE(TAG, "No output length supplied");
return -1;
}
*output_length = input_length;
if (!ctx) {
ESP_LOGE(TAG, "No GCM context supplied");
return -1;
@ -484,6 +498,7 @@ int esp_aes_gcm_finish( esp_gcm_context *ctx,
{
size_t nc_off = 0;
uint8_t len_block[AES_BLOCK_BYTES] = {0};
uint8_t stream[AES_BLOCK_BYTES] = {0};
if ( tag_len > 16 || tag_len < 4 ) {
return ( MBEDTLS_ERR_GCM_BAD_INPUT );
@ -495,11 +510,12 @@ int esp_aes_gcm_finish( esp_gcm_context *ctx,
esp_gcm_ghash(ctx, len_block, AES_BLOCK_BYTES, ctx->ghash);
/* Tag T = GCTR(J0, ) where T is truncated to tag_len */
esp_aes_crypt_ctr(&ctx->aes_ctx, tag_len, &nc_off, ctx->ori_j0, 0, ctx->ghash, tag);
esp_aes_crypt_ctr(&ctx->aes_ctx, tag_len, &nc_off, ctx->ori_j0, stream, ctx->ghash, tag);
return 0;
}
#if SOC_AES_SUPPORT_GCM
/* Due to restrictions in the hardware (e.g. need to do the whole conversion in one go),
some combinations of inputs are not supported */
static bool esp_aes_gcm_input_support_hw_accel(size_t length, const unsigned char *aad, size_t aad_len,
@ -529,6 +545,7 @@ static bool esp_aes_gcm_input_support_hw_accel(size_t length, const unsigned cha
return support_hw_accel;
}
#endif
static int esp_aes_gcm_crypt_and_tag_partial_hw( esp_gcm_context *ctx,
int mode,
@ -543,6 +560,7 @@ static int esp_aes_gcm_crypt_and_tag_partial_hw( esp_gcm_context *ctx,
unsigned char *tag )
{
int ret = 0;
size_t olen;
if ( ( ret = esp_aes_gcm_starts( ctx, mode, iv, iv_len ) ) != 0 ) {
return ( ret );
@ -552,11 +570,11 @@ static int esp_aes_gcm_crypt_and_tag_partial_hw( esp_gcm_context *ctx,
return ( ret );
}
if ( ( ret = esp_aes_gcm_update( ctx, input, length, output, 0, NULL ) ) != 0 ) {
if ( ( ret = esp_aes_gcm_update( ctx, input, length, output, 0, &olen ) ) != 0 ) {
return ( ret );
}
if ( ( ret = esp_aes_gcm_finish( ctx, output, 0, NULL, tag, tag_len ) ) != 0 ) {
if ( ( ret = esp_aes_gcm_finish( ctx, output, 0, &olen, tag, tag_len ) ) != 0 ) {
return ( ret );
}
@ -575,6 +593,7 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
size_t tag_len,
unsigned char *tag )
{
#if SOC_AES_SUPPORT_GCM
int ret;
lldesc_t aad_desc[2] = {};
lldesc_t *aad_head_desc = NULL;
@ -673,6 +692,9 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
esp_aes_release_hardware();
return ( ret );
#else
return esp_aes_gcm_crypt_and_tag_partial_hw(ctx, mode, length, iv, iv_len, aad, aad_len, input, output, tag_len, tag);
#endif
}
@ -710,5 +732,3 @@ int esp_aes_gcm_auth_decrypt( esp_gcm_context *ctx,
return ( 0 );
}
#endif //SOC_AES_SUPPORT_GCM

View File

@ -18,7 +18,7 @@ extern "C" {
#if defined(MBEDTLS_GCM_ALT)
#if SOC_AES_SUPPORT_GCM
#include "aes/esp_aes_gcm.h"
@ -34,8 +34,6 @@ typedef esp_gcm_context mbedtls_gcm_context;
#define mbedtls_gcm_auth_decrypt esp_aes_gcm_auth_decrypt
#define mbedtls_gcm_crypt_and_tag esp_aes_gcm_crypt_and_tag
#endif // SOC_AES_SUPPORT_GCM
#endif /* MBEDTLS_GCM_ALT */
#ifdef __cplusplus

View File

@ -137,10 +137,8 @@
#undef MBEDTLS_AES_ALT
#endif
#ifdef CONFIG_MBEDTLS_HARDWARE_GCM
#ifdef CONFIG_MBEDTLS_HARDWARE_AES
#define MBEDTLS_GCM_ALT
#else
#undef MBEDTLS_GCM_ALT
#endif
/* MBEDTLS_SHAxx_ALT to enable hardware SHA support

View File

@ -17,7 +17,7 @@
#include "ccomp_timer.h"
#include "sys/param.h"
#if CONFIG_MBEDTLS_HARDWARE_GCM
#if CONFIG_MBEDTLS_HARDWARE_AES
/*
Python example code for generating test vectors
@ -105,13 +105,13 @@ TEST_CASE("mbedtls GCM stream test", "[aes-gcm]")
mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, nonce, sizeof(nonce) );
mbedtls_gcm_update_ad( &ctx, NULL, 0 );
size_t olen;
// Encrypt
for (int idx = 0; idx < SZ; idx = idx + bytes_to_process) {
// Limit length of last call to avoid exceeding buffer size
size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
mbedtls_gcm_update(&ctx, plaintext + idx, length, ciphertext + idx, 0, NULL);
mbedtls_gcm_update(&ctx, plaintext + idx, length, ciphertext + idx, length, &olen);
}
size_t olen;
mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag, sizeof(tag) );
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_cipher, ciphertext, SZ);
TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_tag, tag, sizeof(tag));
@ -129,7 +129,7 @@ TEST_CASE("mbedtls GCM stream test", "[aes-gcm]")
// Limit length of last call to avoid exceeding buffer size
size_t length = (idx + bytes_to_process > SZ) ? (SZ - idx) : bytes_to_process;
mbedtls_gcm_update(&ctx, ciphertext + idx, length, decryptedtext + idx, 0, NULL);
mbedtls_gcm_update(&ctx, ciphertext + idx, length, decryptedtext + idx, length, &olen);
}
mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag, sizeof(tag) );
TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext, decryptedtext, SZ);
@ -199,7 +199,7 @@ static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *r
} else if (aes_gcm_type == AES_GCM_TEST_START_UPDATE_FINISH) {
TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, iv_buf, cfg->iv_length) == 0 );
TEST_ASSERT(mbedtls_gcm_update_ad( &ctx, cfg->add_buf, cfg->add_length) == 0 );
TEST_ASSERT(mbedtls_gcm_update( &ctx, cfg->plaintext, cfg->plaintext_length, ciphertext, 0, NULL) == 0 );
TEST_ASSERT(mbedtls_gcm_update( &ctx, cfg->plaintext, cfg->plaintext_length, ciphertext, cfg->plaintext_length, &olen) == 0 );
TEST_ASSERT(mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag_buf_encrypt, cfg->tag_len) == 0 );
}
size_t offset = cfg->plaintext_length > 16 ? cfg->plaintext_length - 16 : 0;
@ -214,7 +214,7 @@ static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *r
} else if (aes_gcm_type == AES_GCM_TEST_START_UPDATE_FINISH) {
TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_DECRYPT, iv_buf, cfg->iv_length) == 0 );
TEST_ASSERT(mbedtls_gcm_update_ad( &ctx, cfg->add_buf, cfg->add_length) == 0 );
TEST_ASSERT(mbedtls_gcm_update( &ctx, ciphertext, cfg->plaintext_length, output, 0, NULL) == 0 );
TEST_ASSERT(mbedtls_gcm_update( &ctx, ciphertext, cfg->plaintext_length, output, cfg->plaintext_length, &olen) == 0 );
TEST_ASSERT(mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag_buf_decrypt, cfg->tag_len) == 0 );
/* mbedtls_gcm_auth_decrypt already checks tag so only needed for AES_GCM_TEST_START_UPDATE_FINISH */
@ -222,7 +222,7 @@ static void aes_gcm_test(aes_gcm_test_cfg_t *cfg, aes_gcm_test_expected_res_t *r
}
TEST_ASSERT_EQUAL_HEX8_ARRAY(cfg->plaintext, output, cfg->plaintext_length);
mbedtls_gcm_free( &ctx );
free(ciphertext);
free(output);
}
@ -439,7 +439,7 @@ TEST_CASE("mbedtls AES GCM performance, start, update, ret", "[aes-gcm]")
TEST_ASSERT(mbedtls_gcm_starts( &ctx, MBEDTLS_AES_ENCRYPT, iv, sizeof(iv) ) == 0 );
TEST_ASSERT(mbedtls_gcm_update_ad( &ctx, aad, sizeof(aad)) == 0 );
TEST_ASSERT(mbedtls_gcm_update( &ctx, buf, CALL_SZ, buf, 0, NULL) == 0 );
TEST_ASSERT(mbedtls_gcm_update( &ctx, buf, CALL_SZ, buf, CALL_SZ, &olen) == 0 );
TEST_ASSERT(mbedtls_gcm_finish( &ctx, NULL, 0, &olen, tag_buf, 16 ) == 0 );
elapsed_usec = ccomp_timer_stop();
@ -830,4 +830,4 @@ TEST_CASE("mbedtls AES GCM - Combine different IV/Key/Plaintext/AAD lengths", "[
}
}
#endif //CONFIG_MBEDTLS_HARDWARE_GCM
#endif //CONFIG_MBEDTLS_HARDWARE_AES