20 #if defined(MBEDTLS_GCM_C)
28 #if defined(MBEDTLS_BLOCK_CIPHER_C)
34 #if defined(MBEDTLS_AESNI_C)
38 #if defined(MBEDTLS_AESCE_C)
42 #if !defined(MBEDTLS_GCM_ALT)
45 #define MBEDTLS_GCM_ACC_SMALLTABLE 0
46 #define MBEDTLS_GCM_ACC_LARGETABLE 1
47 #define MBEDTLS_GCM_ACC_AESNI 2
48 #define MBEDTLS_GCM_ACC_AESCE 3
60 #if defined(MBEDTLS_GCM_LARGE_TABLE)
61 ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE;
63 ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE;
66 #if defined(MBEDTLS_AESNI_HAVE_CODE)
69 ctx->acceleration = MBEDTLS_GCM_ACC_AESNI;
73 #if defined(MBEDTLS_AESCE_HAVE_CODE)
74 if (MBEDTLS_AESCE_HAS_SUPPORT()) {
75 ctx->acceleration = MBEDTLS_GCM_ACC_AESCE;
80 static inline void gcm_gen_table_rightshift(
uint64_t dst[2],
const uint64_t src[2])
86 u8Dst[8] |= (u8Src[7] & 0x01) << 7;
88 u8Dst[0] ^= (u8Src[15] & 0x01) ? 0xE1 : 0;
105 #if defined(MBEDTLS_BLOCK_CIPHER_C)
115 gcm_set_acceleration(
ctx);
121 switch (
ctx->acceleration) {
122 #if defined(MBEDTLS_AESNI_HAVE_CODE)
123 case MBEDTLS_GCM_ACC_AESNI:
127 #if defined(MBEDTLS_AESCE_HAVE_CODE)
128 case MBEDTLS_GCM_ACC_AESCE:
138 gcm_gen_table_rightshift(
ctx->H[
i],
ctx->H[
i*2]);
141 #if !defined(MBEDTLS_GCM_LARGE_TABLE)
150 for (j = 1; j <
i; j++) {
152 (
unsigned char *)
ctx->H[
i],
153 (
unsigned char *)
ctx->H[j],
164 const unsigned char *
key,
165 unsigned int keybits)
169 if (keybits != 128 && keybits != 192 && keybits != 256) {
173 #if defined(MBEDTLS_BLOCK_CIPHER_C)
188 if (cipher_info ==
NULL) {
208 if ((ret = gcm_gen_table(
ctx)) != 0) {
215 #if defined(MBEDTLS_GCM_LARGE_TABLE)
216 static const uint16_t last8[256] = {
217 0x0000, 0xc201, 0x8403, 0x4602, 0x0807, 0xca06, 0x8c04, 0x4e05,
218 0x100e, 0xd20f, 0x940d, 0x560c, 0x1809, 0xda08, 0x9c0a, 0x5e0b,
219 0x201c, 0xe21d, 0xa41f, 0x661e, 0x281b, 0xea1a, 0xac18, 0x6e19,
220 0x3012, 0xf213, 0xb411, 0x7610, 0x3815, 0xfa14, 0xbc16, 0x7e17,
221 0x4038, 0x8239, 0xc43b, 0x063a, 0x483f, 0x8a3e, 0xcc3c, 0x0e3d,
222 0x5036, 0x9237, 0xd435, 0x1634, 0x5831, 0x9a30, 0xdc32, 0x1e33,
223 0x6024, 0xa225, 0xe427, 0x2626, 0x6823, 0xaa22, 0xec20, 0x2e21,
224 0x702a, 0xb22b, 0xf429, 0x3628, 0x782d, 0xba2c, 0xfc2e, 0x3e2f,
225 0x8070, 0x4271, 0x0473, 0xc672, 0x8877, 0x4a76, 0x0c74, 0xce75,
226 0x907e, 0x527f, 0x147d, 0xd67c, 0x9879, 0x5a78, 0x1c7a, 0xde7b,
227 0xa06c, 0x626d, 0x246f, 0xe66e, 0xa86b, 0x6a6a, 0x2c68, 0xee69,
228 0xb062, 0x7263, 0x3461, 0xf660, 0xb865, 0x7a64, 0x3c66, 0xfe67,
229 0xc048, 0x0249, 0x444b, 0x864a, 0xc84f, 0x0a4e, 0x4c4c, 0x8e4d,
230 0xd046, 0x1247, 0x5445, 0x9644, 0xd841, 0x1a40, 0x5c42, 0x9e43,
231 0xe054, 0x2255, 0x6457, 0xa656, 0xe853, 0x2a52, 0x6c50, 0xae51,
232 0xf05a, 0x325b, 0x7459, 0xb658, 0xf85d, 0x3a5c, 0x7c5e, 0xbe5f,
233 0x00e1, 0xc2e0, 0x84e2, 0x46e3, 0x08e6, 0xcae7, 0x8ce5, 0x4ee4,
234 0x10ef, 0xd2ee, 0x94ec, 0x56ed, 0x18e8, 0xdae9, 0x9ceb, 0x5eea,
235 0x20fd, 0xe2fc, 0xa4fe, 0x66ff, 0x28fa, 0xeafb, 0xacf9, 0x6ef8,
236 0x30f3, 0xf2f2, 0xb4f0, 0x76f1, 0x38f4, 0xfaf5, 0xbcf7, 0x7ef6,
237 0x40d9, 0x82d8, 0xc4da, 0x06db, 0x48de, 0x8adf, 0xccdd, 0x0edc,
238 0x50d7, 0x92d6, 0xd4d4, 0x16d5, 0x58d0, 0x9ad1, 0xdcd3, 0x1ed2,
239 0x60c5, 0xa2c4, 0xe4c6, 0x26c7, 0x68c2, 0xaac3, 0xecc1, 0x2ec0,
240 0x70cb, 0xb2ca, 0xf4c8, 0x36c9, 0x78cc, 0xbacd, 0xfccf, 0x3ece,
241 0x8091, 0x4290, 0x0492, 0xc693, 0x8896, 0x4a97, 0x0c95, 0xce94,
242 0x909f, 0x529e, 0x149c, 0xd69d, 0x9898, 0x5a99, 0x1c9b, 0xde9a,
243 0xa08d, 0x628c, 0x248e, 0xe68f, 0xa88a, 0x6a8b, 0x2c89, 0xee88,
244 0xb083, 0x7282, 0x3480, 0xf681, 0xb884, 0x7a85, 0x3c87, 0xfe86,
245 0xc0a9, 0x02a8, 0x44aa, 0x86ab, 0xc8ae, 0x0aaf, 0x4cad, 0x8eac,
246 0xd0a7, 0x12a6, 0x54a4, 0x96a5, 0xd8a0, 0x1aa1, 0x5ca3, 0x9ea2,
247 0xe0b5, 0x22b4, 0x64b6, 0xa6b7, 0xe8b2, 0x2ab3, 0x6cb1, 0xaeb0,
248 0xf0bb, 0x32ba, 0x74b8, 0xb6b9, 0xf8bc, 0x3abd, 0x7cbf, 0xbebe
263 for (
i = 15;
i > 0;
i--) {
274 for (
i = 15;
i > 0;
i--) {
282 u16z[0] ^= last8[rem];
296 0x0000, 0x1c20, 0x3840, 0x2460,
297 0x7080, 0x6ca0, 0x48c0, 0x54e0,
298 0xe100, 0xfd20, 0xd940, 0xc560,
299 0x9180, 0x8da0, 0xa9c0, 0xb5e0
305 unsigned char lo, hi, rem;
311 hi = (x[15] >> 4) & 0xf;
315 rem = (
unsigned char) pu64z[1] & 0xf;
316 u64z[1] = (pu64z[0] << 60) | (pu64z[1] >> 4);
317 u64z[0] = (pu64z[0] >> 4);
318 u64z[0] ^= (
uint64_t) last4[rem] << 48;
321 for (
i = 14;
i >= 0;
i--) {
323 hi = (x[
i] >> 4) & 0xf;
325 rem = (
unsigned char) u64z[1] & 0xf;
326 u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4);
327 u64z[0] = (u64z[0] >> 4);
328 u64z[0] ^= (
uint64_t) last4[rem] << 48;
331 rem = (
unsigned char) u64z[1] & 0xf;
332 u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4);
333 u64z[0] = (u64z[0] >> 4);
334 u64z[0] ^= (
uint64_t) last4[rem] << 48;
350 switch (
ctx->acceleration) {
351 #if defined(MBEDTLS_AESNI_HAVE_CODE)
352 case MBEDTLS_GCM_ACC_AESNI:
357 #if defined(MBEDTLS_AESCE_HAVE_CODE)
358 case MBEDTLS_GCM_ACC_AESCE:
363 #if defined(MBEDTLS_GCM_LARGE_TABLE)
364 case MBEDTLS_GCM_ACC_LARGETABLE:
368 case MBEDTLS_GCM_ACC_SMALLTABLE:
379 const unsigned char *iv,
size_t iv_len)
382 unsigned char work_buf[16];
383 const unsigned char *p;
386 #if !defined(MBEDTLS_BLOCK_CIPHER_C)
392 if (iv_len == 0 || (
uint64_t) iv_len >> 61 != 0) {
396 memset(
ctx->y, 0x00,
sizeof(
ctx->y));
397 memset(
ctx->buf, 0x00,
sizeof(
ctx->buf));
404 memcpy(
ctx->y, iv, iv_len);
407 memset(work_buf, 0x00, 16);
413 use_len = (iv_len < 16) ? iv_len : 16;
415 #if defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 70110)
416 #pragma GCC diagnostic push
417 #pragma GCC diagnostic warning "-Wstringop-overflow=0"
422 #if defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 70110)
423 #pragma GCC diagnostic pop
438 #if defined(MBEDTLS_BLOCK_CIPHER_C)
468 const unsigned char *add,
size_t add_len)
470 const unsigned char *p;
476 #if SIZE_MAX > 0xFFFFFFFFFFFFFFFFULL
477 if (add_len > 0xFFFFFFFFFFFFFFFFULL) {
482 if (new_add_len < ctx->add_len || new_add_len >> 61 != 0) {
491 if (use_len > add_len) {
497 if (
offset + use_len == 16) {
501 ctx->add_len += use_len;
506 ctx->add_len += add_len;
508 while (add_len >= 16) {
525 static void gcm_incr(
unsigned char y[16])
535 unsigned char ectr[16],
536 size_t offset,
size_t use_len,
537 const unsigned char *
input,
542 #if defined(MBEDTLS_BLOCK_CIPHER_C)
565 const unsigned char *
input,
size_t input_length,
566 unsigned char *
output,
size_t output_size,
567 size_t *output_length)
570 const unsigned char *p =
input;
571 unsigned char *out_p =
output;
573 unsigned char ectr[16] = { 0 };
575 if (output_size < input_length) {
578 *output_length = input_length;
584 if (input_length == 0) {
594 if (
ctx->len + input_length < ctx->
len ||
595 (
uint64_t)
ctx->len + input_length > 0xFFFFFFFE0ull) {
599 if (
ctx->len == 0 &&
ctx->add_len % 16 != 0) {
605 size_t use_len = 16 -
offset;
606 if (use_len > input_length) {
607 use_len = input_length;
610 if ((ret = gcm_mask(
ctx, ectr,
offset, use_len, p, out_p)) != 0) {
614 if (
offset + use_len == 16) {
619 input_length -= use_len;
624 ctx->len += input_length;
626 while (input_length >= 16) {
628 if ((ret = gcm_mask(
ctx, ectr, 0, 16, p, out_p)) != 0) {
639 if (input_length > 0) {
641 if ((ret = gcm_mask(
ctx, ectr, 0, input_length, p, out_p)) != 0) {
651 unsigned char *
output,
size_t output_size,
652 size_t *output_length,
653 unsigned char *
tag,
size_t tag_len)
655 unsigned char work_buf[16];
668 orig_len =
ctx->len * 8;
669 orig_add_len =
ctx->add_len * 8;
671 if (
ctx->len == 0 &&
ctx->add_len % 16 != 0) {
675 if (tag_len > 16 || tag_len < 4) {
679 if (
ctx->len % 16 != 0) {
683 memcpy(
tag,
ctx->base_ectr, tag_len);
685 if (orig_len || orig_add_len) {
686 memset(work_buf, 0x00, 16);
706 const unsigned char *iv,
708 const unsigned char *add,
710 const unsigned char *
input,
727 output, length, &olen)) != 0) {
740 const unsigned char *iv,
742 const unsigned char *add,
744 const unsigned char *
tag,
746 const unsigned char *
input,
750 unsigned char check_tag[16];
754 iv, iv_len, add, add_len,
775 #if defined(MBEDTLS_BLOCK_CIPHER_C)
785 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
793 static const int key_index_test_data[
MAX_TESTS] =
794 { 0, 0, 1, 1, 1, 1 };
796 static const unsigned char key_test_data[][32] =
798 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
802 { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
803 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
804 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
805 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
808 static const size_t iv_len_test_data[
MAX_TESTS] =
809 { 12, 12, 12, 12, 8, 60 };
811 static const int iv_index_test_data[
MAX_TESTS] =
812 { 0, 0, 1, 1, 1, 2 };
814 static const unsigned char iv_test_data[][64] =
816 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
817 0x00, 0x00, 0x00, 0x00 },
818 { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
819 0xde, 0xca, 0xf8, 0x88 },
820 { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
821 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
822 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
823 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
824 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
825 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
826 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
827 0xa6, 0x37, 0xb3, 0x9b },
830 static const size_t add_len_test_data[
MAX_TESTS] =
831 { 0, 0, 0, 20, 20, 20 };
833 static const int add_index_test_data[
MAX_TESTS] =
834 { 0, 0, 0, 1, 1, 1 };
836 static const unsigned char additional_test_data[][64] =
839 { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
840 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
841 0xab, 0xad, 0xda, 0xd2 },
844 static const size_t pt_len_test_data[
MAX_TESTS] =
845 { 0, 16, 64, 60, 60, 60 };
847 static const int pt_index_test_data[
MAX_TESTS] =
848 { 0, 0, 1, 1, 1, 1 };
850 static const unsigned char pt_test_data[][64] =
852 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
854 { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
855 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
856 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
857 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
858 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
859 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
860 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
861 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
864 static const unsigned char ct_test_data[][64] =
867 { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
868 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
869 { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
870 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
871 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
872 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
873 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
874 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
875 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
876 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
877 { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
878 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
879 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
880 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
881 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
882 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
883 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
884 0x3d, 0x58, 0xe0, 0x91 },
885 { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
886 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
887 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
888 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
889 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
890 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
891 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
892 0xc2, 0x3f, 0x45, 0x98 },
893 { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
894 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
895 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
896 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
897 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
898 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
899 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
900 0x4c, 0x34, 0xae, 0xe5 },
901 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
903 { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
904 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
905 { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
906 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
907 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
908 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
909 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
910 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
911 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
912 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
913 { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
914 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
915 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
916 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
917 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
918 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
919 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
920 0xcc, 0xda, 0x27, 0x10 },
921 { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
922 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
923 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
924 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
925 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
926 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
927 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
928 0xa0, 0xf0, 0x62, 0xf7 },
929 { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
930 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
931 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
932 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
933 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
934 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
935 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
936 0xe9, 0xb7, 0x37, 0x3b },
938 { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
939 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
940 { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
941 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
942 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
943 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
944 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
945 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
946 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
947 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
948 { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
949 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
950 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
951 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
952 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
953 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
954 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
955 0xbc, 0xc9, 0xf6, 0x62 },
956 { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
957 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
958 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
959 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
960 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
961 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
962 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
963 0xf4, 0x7c, 0x9b, 0x1f },
964 { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
965 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
966 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
967 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
968 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
969 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
970 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
971 0x44, 0xae, 0x7e, 0x3f },
975 static const unsigned char tag_test_data[][16] =
977 { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
978 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
979 { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
980 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
981 { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
982 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
983 { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
984 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
985 { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
986 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
987 { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
988 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
989 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
990 { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
991 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
992 { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
993 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
994 { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
995 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
996 { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
997 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
998 { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
999 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
1000 { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
1001 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
1002 { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
1003 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
1004 { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
1005 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
1006 { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
1007 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
1008 { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
1009 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
1010 { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
1011 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
1012 { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
1013 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
1017 int mbedtls_gcm_self_test(
int verbose)
1020 unsigned char buf[64];
1021 unsigned char tag_buf[16];
1027 #if defined(MBEDTLS_GCM_ALT)
1030 #if defined(MBEDTLS_AESNI_HAVE_CODE)
1036 #if defined(MBEDTLS_AESCE_HAVE_CODE)
1037 if (MBEDTLS_AESCE_HAS_SUPPORT()) {
1046 static const int loop_limit =
1047 (
sizeof(ct_test_data) /
sizeof(*ct_test_data)) /
MAX_TESTS;
1049 for (j = 0; j < loop_limit; j++) {
1050 int key_len = 128 + 64 * j;
1061 key_test_data[key_index_test_data[
i]],
1071 }
else if (ret != 0) {
1076 pt_len_test_data[
i],
1077 iv_test_data[iv_index_test_data[
i]],
1078 iv_len_test_data[
i],
1079 additional_test_data[add_index_test_data[
i]],
1080 add_len_test_data[
i],
1081 pt_test_data[pt_index_test_data[
i]],
1083 #if defined(MBEDTLS_GCM_ALT)
1086 iv_len_test_data[
i] != 12) {
1095 if (memcmp(
buf, ct_test_data[j * 6 +
i],
1096 pt_len_test_data[
i]) != 0 ||
1097 memcmp(tag_buf, tag_test_data[j * 6 +
i], 16) != 0) {
1116 key_test_data[key_index_test_data[
i]],
1123 pt_len_test_data[
i],
1124 iv_test_data[iv_index_test_data[
i]],
1125 iv_len_test_data[
i],
1126 additional_test_data[add_index_test_data[
i]],
1127 add_len_test_data[
i],
1128 ct_test_data[j * 6 +
i],
buf, 16, tag_buf);
1134 if (memcmp(
buf, pt_test_data[pt_index_test_data[
i]],
1135 pt_len_test_data[
i]) != 0 ||
1136 memcmp(tag_buf, tag_test_data[j * 6 +
i], 16) != 0) {
1155 key_test_data[key_index_test_data[
i]],
1162 iv_test_data[iv_index_test_data[
i]],
1163 iv_len_test_data[
i]);
1169 additional_test_data[add_index_test_data[
i]],
1170 add_len_test_data[
i]);
1175 if (pt_len_test_data[
i] > 32) {
1176 size_t rest_len = pt_len_test_data[
i] - 32;
1178 pt_test_data[pt_index_test_data[
i]],
1180 buf,
sizeof(
buf), &olen);
1189 pt_test_data[pt_index_test_data[
i]] + 32,
1191 buf + 32,
sizeof(
buf) - 32, &olen);
1195 if (olen != rest_len) {
1200 pt_test_data[pt_index_test_data[
i]],
1201 pt_len_test_data[
i],
1202 buf,
sizeof(
buf), &olen);
1206 if (olen != pt_len_test_data[
i]) {
1216 if (memcmp(
buf, ct_test_data[j * 6 +
i],
1217 pt_len_test_data[
i]) != 0 ||
1218 memcmp(tag_buf, tag_test_data[j * 6 +
i], 16) != 0) {
1237 key_test_data[key_index_test_data[
i]],
1244 iv_test_data[iv_index_test_data[
i]],
1245 iv_len_test_data[
i]);
1250 additional_test_data[add_index_test_data[
i]],
1251 add_len_test_data[
i]);
1256 if (pt_len_test_data[
i] > 32) {
1257 size_t rest_len = pt_len_test_data[
i] - 32;
1259 ct_test_data[j * 6 +
i], 32,
1260 buf,
sizeof(
buf), &olen);
1269 ct_test_data[j * 6 +
i] + 32,
1271 buf + 32,
sizeof(
buf) - 32, &olen);
1275 if (olen != rest_len) {
1280 ct_test_data[j * 6 +
i],
1281 pt_len_test_data[
i],
1282 buf,
sizeof(
buf), &olen);
1286 if (olen != pt_len_test_data[
i]) {
1296 if (memcmp(
buf, pt_test_data[pt_index_test_data[
i]],
1297 pt_len_test_data[
i]) != 0 ||
1298 memcmp(tag_buf, tag_test_data[j * 6 +
i], 16) != 0) {
Support hardware AES acceleration on Armv8-A processors with the Armv8-A Cryptographic Extension.
AES-NI for hardware AES acceleration on some Intel processors.
#define MBEDTLS_AESNI_CLMUL
#define MBEDTLS_IS_BIG_ENDIAN
#define MBEDTLS_GET_UINT16_LE(data, offset)
Get the unsigned 16 bits integer corresponding to two bytes in little-endian order (LSB first).
#define MBEDTLS_PUT_UINT32_BE(n, data, offset)
Put in memory a 32 bits unsigned integer in big-endian order.
#define MBEDTLS_PUT_UINT64_BE(n, data, offset)
Put in memory a 64 bits unsigned integer in big-endian order.
#define MBEDTLS_GET_UINT32_BE(data, offset)
Get the unsigned 32 bits integer corresponding to four bytes in big-endian order (MSB first).
#define MBEDTLS_GET_UINT64_BE(data, offset)
Get the unsigned 64 bits integer corresponding to eight bytes in big-endian order (MSB first).
Lightweight abstraction layer for block ciphers with 128 bit blocks, for use by the GCM and CCM modul...
int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx, const unsigned char *key, unsigned key_bitlen)
Set the key into the context.
int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx, mbedtls_cipher_id_t cipher_id)
Set the block cipher to use with this context.
void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx)
Clear the context.
int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx, const unsigned char input[16], unsigned char output[16])
Encrypt one block (16 bytes) with the configured key.
int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info)
This function prepares a cipher context for use with the given cipher primitive.
int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key, int key_bitlen, const mbedtls_operation_t operation)
This function sets the key to use with the given context.
static size_t mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *info)
This function returns the block size of the given cipher info structure in bytes.
void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
This function frees and clears the cipher-specific context of ctx.
int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
The generic cipher update function.
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id, int key_bitlen, const mbedtls_cipher_mode_t mode)
This function retrieves the cipher-information structure associated with the given cipher ID,...
@ MBEDTLS_MODE_ECB
The ECB cipher mode.
mbedtls_cipher_id_t
Supported cipher types.
@ MBEDTLS_CIPHER_ID_AES
The AES cipher.
static void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
Perform a fast block XOR operation, such that r[i] = a[i] ^ b[i] where 0 <= i < n.
static void mbedtls_xor_no_simd(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
Perform a fast block XOR operation, such that r[i] = a[i] ^ b[i] where 0 <= i < n.
static SQLCHAR output[256]
This file contains GCM definitions and functions.
#define MBEDTLS_GCM_ENCRYPT
#define MBEDTLS_GCM_HTABLE_SIZE
int mbedtls_gcm_update(mbedtls_gcm_context *ctx, const unsigned char *input, size_t input_length, unsigned char *output, size_t output_size, size_t *output_length)
This function feeds an input buffer into an ongoing GCM encryption or decryption operation.
#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL
An output buffer is too small.
int mbedtls_gcm_finish(mbedtls_gcm_context *ctx, unsigned char *output, size_t output_size, size_t *output_length, unsigned char *tag, size_t tag_len)
This function finishes the GCM operation and generates the authentication tag.
int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag)
This function performs GCM encryption or decryption of a buffer.
#define MBEDTLS_ERR_GCM_AUTH_FAILED
Authenticated decryption failed.
#define MBEDTLS_ERR_GCM_BAD_INPUT
Bad input parameters to function.
#define MBEDTLS_GCM_DECRYPT
int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx, const unsigned char *add, size_t add_len)
This function feeds an input buffer as associated data (authenticated but not encrypted data) in a GC...
int mbedtls_gcm_starts(mbedtls_gcm_context *ctx, int mode, const unsigned char *iv, size_t iv_len)
This function starts a GCM encryption or decryption operation.
void mbedtls_gcm_init(mbedtls_gcm_context *ctx)
This function initializes the specified GCM context, to make references valid, and prepares the conte...
int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx, mbedtls_cipher_id_t cipher, const unsigned char *key, unsigned int keybits)
This function associates a GCM context with a cipher algorithm and a key.
void mbedtls_gcm_free(mbedtls_gcm_context *ctx)
This function clears a GCM context and the underlying cipher sub-context.
int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output)
This function performs a GCM authenticated decryption of a buffer.
const struct ncbi::grid::netcache::search::fields::KEY key
#define mbedtls_platform_zeroize
#define mbedtls_aesni_gcm_mult
#define mbedtls_aesni_has_support
#define mbedtls_ct_memcmp
Error to string translation.
#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED
The requested feature is not supported by the platform.
#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED
This is a bug in the library.
The GCM context structure.