/src/nettle-with-libgmp/siv-gcm.c

Source (jump to first uncovered line)
/* siv-gcm.c

   AES-GCM-SIV, RFC8452

   Copyright (C) 2022 Red Hat, Inc.

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include "siv-gcm.h"
#include "ghash-internal.h"
#include "block-internal.h"
#include "nettle-internal.h"
#include "macros.h"
#include "memops.h"
#include "ctr-internal.h"
#include <string.h>

#define MIN(a,b) (((a) < (b)) ? (a) : (b))

static void
siv_gcm_derive_keys (const void *ctx,
         nettle_cipher_func *f,
         size_t key_size,
         size_t nlength, const uint8_t *nonce,
         union nettle_block16 *auth_key,
         uint8_t *encryption_key)
{
  union nettle_block16 block;
  union nettle_block16 out;
  size_t i;

  block16_zero (&block);
  memcpy (block.b + 4, nonce, MIN(nlength, SIV_GCM_NONCE_SIZE));

  f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b);
  auth_key->u64[0] = out.u64[0];

  block.b[0] = 1;
  f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b);
  auth_key->u64[1] = out.u64[0];

  assert (key_size % 8 == 0 && key_size / 8 + 2 <= UINT8_MAX);

  for (i = 0; i < key_size; i += 8)
    {
      block.b[0]++;
      f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b);
      memcpy (encryption_key + i, out.b, 8);
    }
}

static nettle_fill16_func siv_gcm_fill;

static void
siv_gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer)
{
  uint32_t c;

  c = LE_READ_UINT32(ctr);

  for (; blocks-- > 0; buffer++, c++)
    {
      memcpy(buffer->b + 4, ctr + 4, SIV_GCM_BLOCK_SIZE - 4);
      LE_WRITE_UINT32(buffer->b, c);
    }

  LE_WRITE_UINT32(ctr, c);
}

static void
siv_ghash_pad_update (struct gcm_key *ctx,
          union nettle_block16 *state,
          size_t length, const uint8_t *data)
{
  size_t blocks;

  blocks = length / SIV_GCM_BLOCK_SIZE;
  if (blocks > 0)
    {
      data = _siv_ghash_update (ctx, state, blocks, data);
      length &= 0xf;
    }
  if (length > 0)
    {
      uint8_t block[SIV_GCM_BLOCK_SIZE];

      memset (block + length, 0, SIV_GCM_BLOCK_SIZE - length);
      memcpy (block, data, length);
      _siv_ghash_update (ctx, state, 1, block);
    }
}

static void
siv_gcm_authenticate (const void *ctx,
          const struct nettle_cipher *nc,
          const union nettle_block16 *authentication_key,
          const uint8_t *nonce,
          size_t alength, const uint8_t *adata,
          size_t mlength, const uint8_t *mdata,
          uint8_t *tag)
{
  union nettle_block16 state;
  struct gcm_key siv_ghash_key;
  union nettle_block16 block;

  _siv_ghash_set_key (&siv_ghash_key, authentication_key);

  block16_zero (&state);
  siv_ghash_pad_update (&siv_ghash_key, &state, alength, adata);
  siv_ghash_pad_update (&siv_ghash_key, &state, mlength, mdata);

  block.u64[0] = bswap64_if_be (alength * 8);
  block.u64[1] = bswap64_if_be (mlength * 8);

  _siv_ghash_update (&siv_ghash_key, &state, 1, block.b);
  block16_bswap (&state, &state);

  memxor (state.b, nonce, SIV_GCM_NONCE_SIZE);
  state.b[15] &= 0x7f;
  nc->encrypt (ctx, SIV_GCM_BLOCK_SIZE, tag, state.b);
}

void
siv_gcm_encrypt_message (const struct nettle_cipher *nc,
       const void *ctx,
       void *ctr_ctx,
       size_t nlength, const uint8_t *nonce,
       size_t alength, const uint8_t *adata,
       size_t clength, uint8_t *dst, const uint8_t *src)
{
  union nettle_block16 authentication_key;
  TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE);
  uint8_t ctr[SIV_GCM_DIGEST_SIZE];
  uint8_t *tag = dst + clength - SIV_GCM_BLOCK_SIZE;

  assert (clength >= SIV_GCM_DIGEST_SIZE);
  assert (nlength == SIV_GCM_NONCE_SIZE);

  TMP_ALLOC(encryption_key, nc->key_size);
  siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce,
           &authentication_key, encryption_key);

  /* Calculate authentication tag.  */
  nc->set_encrypt_key (ctr_ctx, encryption_key);

  siv_gcm_authenticate (ctr_ctx, nc,
      &authentication_key,
      nonce, alength, adata,
      clength - SIV_GCM_BLOCK_SIZE, src,
      tag);

  /* Encrypt the plaintext.  */

  /* The initial counter block is the tag with the most significant
     bit of the last byte set to one.  */
  memcpy (ctr, tag, SIV_GCM_DIGEST_SIZE);
  ctr[15] |= 0x80;
  _nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, ctr,
           clength - SIV_GCM_BLOCK_SIZE, dst, src);
}

int
siv_gcm_decrypt_message (const struct nettle_cipher *nc,
       const void *ctx,
       void *ctr_ctx,
       size_t nlength, const uint8_t *nonce,
       size_t alength, const uint8_t *adata,
       size_t mlength, uint8_t *dst, const uint8_t *src)
{
  union nettle_block16 authentication_key;
  TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE);
  union nettle_block16 state;
  uint8_t tag[SIV_GCM_DIGEST_SIZE];

  assert (nlength == SIV_GCM_NONCE_SIZE);

  TMP_ALLOC(encryption_key, nc->key_size);
  siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce,
           &authentication_key, encryption_key);

  memcpy (state.b, src + mlength, SIV_GCM_DIGEST_SIZE);
  /* The initial counter block is the tag with the most significant
     bit of the last byte set to one.  */
  state.b[15] |= 0x80;

  /* Decrypt the ciphertext.  */
  nc->set_encrypt_key (ctr_ctx, encryption_key);

  _nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, state.b,
           mlength, dst, src);

  /* Calculate authentication tag.  */
  siv_gcm_authenticate (ctr_ctx, nc,
      &authentication_key,
      nonce, alength, adata,
      mlength, dst,
      tag);

  return memeql_sec (tag, src + mlength, SIV_GCM_DIGEST_SIZE);
}

Coverage Report

Created: 2023-09-25 06:33

Line	Count	Source (jump to first uncovered line)
1		/* siv-gcm.c
2
3		AES-GCM-SIV, RFC8452
4
5		Copyright (C) 2022 Red Hat, Inc.
6
7		This file is part of GNU Nettle.
8
9		GNU Nettle is free software: you can redistribute it and/or
10		modify it under the terms of either:
11
12		* the GNU Lesser General Public License as published by the Free
13		Software Foundation; either version 3 of the License, or (at your
14		option) any later version.
15
16		or
17
18		* the GNU General Public License as published by the Free
19		Software Foundation; either version 2 of the License, or (at your
20		option) any later version.
21
22		or both in parallel, as here.
23
24		GNU Nettle is distributed in the hope that it will be useful,
25		but WITHOUT ANY WARRANTY; without even the implied warranty of
26		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27		General Public License for more details.
28
29		You should have received copies of the GNU General Public License and
30		the GNU Lesser General Public License along with this program. If
31		not, see http://www.gnu.org/licenses/.
32		*/
33
34		#if HAVE_CONFIG_H
35		# include "config.h"
36		#endif
37
38		#include "siv-gcm.h"
39		#include "ghash-internal.h"
40		#include "block-internal.h"
41		#include "nettle-internal.h"
42		#include "macros.h"
43		#include "memops.h"
44		#include "ctr-internal.h"
45		#include <string.h>
46
47	58	#define MIN(a,b) (((a) < (b)) ? (a) : (b))
48
49		static void
50		siv_gcm_derive_keys (const void *ctx,
51		nettle_cipher_func *f,
52		size_t key_size,
53		size_t nlength, const uint8_t *nonce,
54		union nettle_block16 *auth_key,
55		uint8_t *encryption_key)
56	58	{
57	58	union nettle_block16 block;
58	58	union nettle_block16 out;
59	58	size_t i;
60
61	58	block16_zero (&block);
62	58	memcpy (block.b + 4, nonce, MIN(nlength, SIV_GCM_NONCE_SIZE));
63
64	58	f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b);
65	58	auth_key->u64[0] = out.u64[0];
66
67	58	block.b[0] = 1;
68	58	f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b);
69	58	auth_key->u64[1] = out.u64[0];
70
71	58	assert (key_size % 8 == 0 && key_size / 8 + 2 <= UINT8_MAX);
72
73	278	for (i = 0; i < key_size; i += 8)
74	220	{
75	220	block.b[0]++;
76	220	f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b);
77	220	memcpy (encryption_key + i, out.b, 8);
78	220	}
79	58	}
80
81		static nettle_fill16_func siv_gcm_fill;
82
83		static void
84		siv_gcm_fill(uint8_t ctr, size_t blocks, union nettle_block16 buffer)
85	62	{
86	62	uint32_t c;
87
88	62	c = LE_READ_UINT32(ctr);
89
90	140	for (; blocks-- > 0; buffer++, c++)
91	78	{
92	78	memcpy(buffer->b + 4, ctr + 4, SIV_GCM_BLOCK_SIZE - 4);
93	78	LE_WRITE_UINT32(buffer->b, c);
94	78	}
95
96	62	LE_WRITE_UINT32(ctr, c);
97	62	}
98
99		static void
100		siv_ghash_pad_update (struct gcm_key *ctx,
101		union nettle_block16 *state,
102		size_t length, const uint8_t *data)
103	116	{
104	116	size_t blocks;
105
106	116	blocks = length / SIV_GCM_BLOCK_SIZE;
107	116	if (blocks > 0)
108	60	{
109	60	data = _siv_ghash_update (ctx, state, blocks, data);
110	60	length &= 0xf;
111	60	}
112	116	if (length > 0)
113	6	{
114	6	uint8_t block[SIV_GCM_BLOCK_SIZE];
115
116	6	memset (block + length, 0, SIV_GCM_BLOCK_SIZE - length);
117	6	memcpy (block, data, length);
118	6	_siv_ghash_update (ctx, state, 1, block);
119	6	}
120	116	}
121
122		static void
123		siv_gcm_authenticate (const void *ctx,
124		const struct nettle_cipher *nc,
125		const union nettle_block16 *authentication_key,
126		const uint8_t *nonce,
127		size_t alength, const uint8_t *adata,
128		size_t mlength, const uint8_t *mdata,
129		uint8_t *tag)
130	58	{
131	58	union nettle_block16 state;
132	58	struct gcm_key siv_ghash_key;
133	58	union nettle_block16 block;
134
135	58	_siv_ghash_set_key (&siv_ghash_key, authentication_key);
136
137	58	block16_zero (&state);
138	58	siv_ghash_pad_update (&siv_ghash_key, &state, alength, adata);
139	58	siv_ghash_pad_update (&siv_ghash_key, &state, mlength, mdata);
140
141	58	block.u64[0] = bswap64_if_be (alength * 8);
142	58	block.u64[1] = bswap64_if_be (mlength * 8);
143
144	58	_siv_ghash_update (&siv_ghash_key, &state, 1, block.b);
145	58	block16_bswap (&state, &state);
146
147	58	memxor (state.b, nonce, SIV_GCM_NONCE_SIZE);
148	58	state.b[15] &= 0x7f;
149	58	nc->encrypt (ctx, SIV_GCM_BLOCK_SIZE, tag, state.b);
150	58	}
151
152		void
153		siv_gcm_encrypt_message (const struct nettle_cipher *nc,
154		const void *ctx,
155		void *ctr_ctx,
156		size_t nlength, const uint8_t *nonce,
157		size_t alength, const uint8_t *adata,
158		size_t clength, uint8_t dst, const uint8_t src)
159	29	{
160	29	union nettle_block16 authentication_key;
161	29	TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE);
162	29	uint8_t ctr[SIV_GCM_DIGEST_SIZE];
163	29	uint8_t *tag = dst + clength - SIV_GCM_BLOCK_SIZE;
164
165	29	assert (clength >= SIV_GCM_DIGEST_SIZE);
166	29	assert (nlength == SIV_GCM_NONCE_SIZE);
167
168	29	TMP_ALLOC(encryption_key, nc->key_size);
169	29	siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce,
170	29	&authentication_key, encryption_key);
171
172		/* Calculate authentication tag. */
173	29	nc->set_encrypt_key (ctr_ctx, encryption_key);
174
175	29	siv_gcm_authenticate (ctr_ctx, nc,
176	29	&authentication_key,
177	29	nonce, alength, adata,
178	29	clength - SIV_GCM_BLOCK_SIZE, src,
179	29	tag);
180
181		/* Encrypt the plaintext. */
182
183		/* The initial counter block is the tag with the most significant
184		bit of the last byte set to one. */
185	29	memcpy (ctr, tag, SIV_GCM_DIGEST_SIZE);
186	29	ctr[15] \|= 0x80;
187	29	_nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, ctr,
188	29	clength - SIV_GCM_BLOCK_SIZE, dst, src);
189	29	}
190
191		int
192		siv_gcm_decrypt_message (const struct nettle_cipher *nc,
193		const void *ctx,
194		void *ctr_ctx,
195		size_t nlength, const uint8_t *nonce,
196		size_t alength, const uint8_t *adata,
197		size_t mlength, uint8_t dst, const uint8_t src)
198	29	{
199	29	union nettle_block16 authentication_key;
200	29	TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE);
201	29	union nettle_block16 state;
202	29	uint8_t tag[SIV_GCM_DIGEST_SIZE];
203
204	29	assert (nlength == SIV_GCM_NONCE_SIZE);
205
206	29	TMP_ALLOC(encryption_key, nc->key_size);
207	29	siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce,
208	29	&authentication_key, encryption_key);
209
210	29	memcpy (state.b, src + mlength, SIV_GCM_DIGEST_SIZE);
211		/* The initial counter block is the tag with the most significant
212		bit of the last byte set to one. */
213	29	state.b[15] \|= 0x80;
214
215		/* Decrypt the ciphertext. */
216	29	nc->set_encrypt_key (ctr_ctx, encryption_key);
217
218	29	_nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, state.b,
219	29	mlength, dst, src);
220
221		/* Calculate authentication tag. */
222	29	siv_gcm_authenticate (ctr_ctx, nc,
223	29	&authentication_key,
224	29	nonce, alength, adata,
225	29	mlength, dst,
226	29	tag);
227
228	29	return memeql_sec (tag, src + mlength, SIV_GCM_DIGEST_SIZE);
229	29	}