[thirdparty/openssl.git] / providers / common / ciphers / cipher_aes_gcm_hw_s390x.inc

/*
 * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*-
 * IBM S390X support for AES GCM.
 * This file is included by cipher_gcm_hw.c
 */

/* iv + padding length for iv lengths != 12 */
#define S390X_gcm_ivpadlen(i)  ((((i) + 15) >> 4 << 4) + 16)

static int s390x_aes_gcm_initkey(PROV_GCM_CTX *ctx,
                                 const unsigned char *key, size_t keylen)
{
    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;

    ctx->key_set = 1;
    memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
    actx->plat.s390x.fc = S390X_AES_FC(keylen);
    if (!ctx->enc)
        actx->plat.s390x.fc |= S390X_DECRYPT;
    return 1;
}

static int s390x_aes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv,
                               size_t ivlen)
{
    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;

    kma->t.g[0] = 0;
    kma->t.g[1] = 0;
    kma->tpcl = 0;
    kma->taadl = 0;
    actx->plat.s390x.mreslen = 0;
    actx->plat.s390x.areslen = 0;
    actx->plat.s390x.kreslen = 0;

    if (ivlen == GCM_IV_DEFAULT_SIZE) {
        memcpy(&kma->j0, iv, ivlen);
        kma->j0.w[3] = 1;
        kma->cv.w = 1;
    } else {
        unsigned long long ivbits = ivlen << 3;
        size_t len = S390X_gcm_ivpadlen(ivlen);
        unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
        /*
         * The IV length needs to be zero padded to be a multiple of 16 bytes
         * followed by 8 bytes of zeros and 8 bytes for the IV length.
         * The GHASH of this value can then be calculated.
         */
        memcpy(iv_zero_pad, iv, ivlen);
        memset(iv_zero_pad + ivlen, 0, len - ivlen);
        memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
        /*
         * Calculate the ghash of the iv - the result is stored into the tag
         * param.
         */
        s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
        actx->plat.s390x.fc |= S390X_KMA_HS; /* The hash subkey is set */

        /* Copy the 128 bit GHASH result into J0 and clear the tag */
        kma->j0.g[0] = kma->t.g[0];
        kma->j0.g[1] = kma->t.g[1];
        kma->t.g[0] = 0;
        kma->t.g[1] = 0;
        /* Set the 32 bit counter */
        kma->cv.w = kma->j0.w[3];
    }
    return 1;
}

static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX *ctx, unsigned char *tag)
{
    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
    unsigned char out[AES_BLOCK_SIZE];
    int rc;

    kma->taadl <<= 3;
    kma->tpcl <<= 3;
    s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
              actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
              actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);

    /* gctx->mres already returned to the caller */
    OPENSSL_cleanse(out, actx->plat.s390x.mreslen);

    if (ctx->enc) {
        ctx->taglen = GCM_TAG_MAX_SIZE;
        memcpy(tag, kma->t.b, ctx->taglen);
        rc = 1;
    } else {
        if (ctx->taglen < 0)
            rc = 0;
        else
            rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
    }
    return rc;
}

static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
                                  unsigned char *aad, size_t aad_len,
                                  const unsigned char *in, size_t in_len,
                                  unsigned char *out,
                                  unsigned char *tag, size_t taglen)
{
    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
    int rc;

    kma->taadl = aad_len << 3;
    kma->tpcl = in_len << 3;
    s390x_kma(aad, aad_len, in, in_len, out,
              actx->plat.s390x.fc | S390X_KMA_LAAD | S390X_KMA_LPC, kma);

    if (ctx->enc) {
        memcpy(tag, kma->t.b, taglen);
        rc = 1;
    } else {
        rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
    }
    return rc;
}

/*
 * Process additional authenticated data. Returns 1 on success. Code is
 * big-endian.
 */
static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
                                    const unsigned char *aad, size_t len)
{
    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
    unsigned long long alen;
    int n, rem;

    /* If already processed pt/ct then error */
    if (kma->tpcl != 0)
        return 0;

    /* update the total aad length */
    alen = kma->taadl + len;
    if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
        return 0;
    kma->taadl = alen;

    /* check if there is any existing aad data from a previous add */
    n = actx->plat.s390x.areslen;
    if (n) {
        /* add additional data to a buffer until it has 16 bytes */
        while (n && len) {
            actx->plat.s390x.ares[n] = *aad;
            ++aad;
            --len;
            n = (n + 1) & 0xf;
        }
        /* ctx->ares contains a complete block if offset has wrapped around */
        if (!n) {
            s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL,
                      actx->plat.s390x.fc, kma);
            actx->plat.s390x.fc |= S390X_KMA_HS;
        }
        actx->plat.s390x.areslen = n;
    }

    /* If there are leftover bytes (< 128 bits) save them for next time */
    rem = len & 0xf;
    /* Add any remaining 16 byte blocks (128 bit each) */
    len &= ~(size_t)0xf;
    if (len) {
        s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
        actx->plat.s390x.fc |= S390X_KMA_HS;
        aad += len;
    }

    if (rem) {
        actx->plat.s390x.areslen = rem;

        do {
            --rem;
            actx->plat.s390x.ares[rem] = aad[rem];
        } while (rem);
    }
    return 1;
}

/*-
 * En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
 * success. Code is big-endian.
 */
static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
                                       const unsigned char *in, size_t len,
                                       unsigned char *out)
{
    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
    S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
    const unsigned char *inptr;
    unsigned long long mlen;
    union {
        unsigned int w[4];
        unsigned char b[16];
    } buf;
    size_t inlen;
    int n, rem, i;

    mlen = kma->tpcl + len;
    if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
        return 0;
    kma->tpcl = mlen;

    n = actx->plat.s390x.mreslen;
    if (n) {
        inptr = in;
        inlen = len;
        while (n && inlen) {
            actx->plat.s390x.mres[n] = *inptr;
            n = (n + 1) & 0xf;
            ++inptr;
            --inlen;
        }
        /* ctx->mres contains a complete block if offset has wrapped around */
        if (!n) {
            s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
                      actx->plat.s390x.mres, 16, buf.b,
                      actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
            actx->plat.s390x.fc |= S390X_KMA_HS;
            actx->plat.s390x.areslen = 0;

            /* previous call already encrypted/decrypted its remainder,
             * see comment below */
            n = actx->plat.s390x.mreslen;
            while (n) {
                *out = buf.b[n];
                n = (n + 1) & 0xf;
                ++out;
                ++in;
                --len;
            }
            actx->plat.s390x.mreslen = 0;
        }
    }

    rem = len & 0xf;

    len &= ~(size_t)0xf;
    if (len) {
        s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
                  actx->plat.s390x.fc | S390X_KMA_LAAD, kma);
        in += len;
        out += len;
        actx->plat.s390x.fc |= S390X_KMA_HS;
        actx->plat.s390x.areslen = 0;
    }

    /*-
     * If there is a remainder, it has to be saved such that it can be
     * processed by kma later. However, we also have to do the for-now
     * unauthenticated encryption/decryption part here and now...
     */
    if (rem) {
        if (!actx->plat.s390x.mreslen) {
            buf.w[0] = kma->j0.w[0];
            buf.w[1] = kma->j0.w[1];
            buf.w[2] = kma->j0.w[2];
            buf.w[3] = kma->cv.w + 1;
            s390x_km(buf.b, 16, actx->plat.s390x.kres,
                     actx->plat.s390x.fc & 0x1f, &kma->k);
        }

        n = actx->plat.s390x.mreslen;
        for (i = 0; i < rem; i++) {
            actx->plat.s390x.mres[n + i] = in[i];
            out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
        }
        actx->plat.s390x.mreslen += rem;
    }
    return 1;
}

static const PROV_GCM_HW s390x_aes_gcm = {
    s390x_aes_gcm_initkey,
    s390x_aes_gcm_setiv,
    s390x_aes_gcm_aad_update,
    s390x_aes_gcm_cipher_update,
    s390x_aes_gcm_cipher_final,
    s390x_aes_gcm_one_shot
};

const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
{
    if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
         || (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
         || (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
        return &s390x_aes_gcm;
    return &aes_gcm;
}
Commit	Line	Data
a672a02a SL	1	/*
	2	* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
e1178600 SL	10	/*-
	11	* IBM S390X support for AES GCM.
	12	* This file is included by cipher_gcm_hw.c
a672a02a SL	13	*/
	14
	15	/* iv + padding length for iv lengths != 12 */
	16	#define S390X_gcm_ivpadlen(i) ((((i) + 15) >> 4 << 4) + 16)
	17
e1178600 SL	18	static int s390x_aes_gcm_initkey(PROV_GCM_CTX *ctx,
e1178600 SL	19	const unsigned char *key, size_t keylen)
a672a02a SL	20	{
	21	PROV_AES_GCM_CTX actx = (PROV_AES_GCM_CTX )ctx;
	22
	23	ctx->key_set = 1;
	24	memcpy(&actx->plat.s390x.param.kma.k, key, keylen);
	25	actx->plat.s390x.fc = S390X_AES_FC(keylen);
	26	if (!ctx->enc)
	27	actx->plat.s390x.fc \|= S390X_DECRYPT;
	28	return 1;
	29	}
	30
	31	static int s390x_aes_gcm_setiv(PROV_GCM_CTX ctx, const unsigned char iv,
	32	size_t ivlen)
	33	{
	34	PROV_AES_GCM_CTX actx = (PROV_AES_GCM_CTX )ctx;
	35	S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
	36
	37	kma->t.g[0] = 0;
	38	kma->t.g[1] = 0;
	39	kma->tpcl = 0;
	40	kma->taadl = 0;
	41	actx->plat.s390x.mreslen = 0;
	42	actx->plat.s390x.areslen = 0;
	43	actx->plat.s390x.kreslen = 0;
	44
2b2eb210	45	if (ivlen == GCM_IV_DEFAULT_SIZE) {
a672a02a SL	46	memcpy(&kma->j0, iv, ivlen);
	47	kma->j0.w[3] = 1;
	48	kma->cv.w = 1;
	49	} else {
	50	unsigned long long ivbits = ivlen << 3;
	51	size_t len = S390X_gcm_ivpadlen(ivlen);
2b2eb210	52	unsigned char iv_zero_pad[S390X_gcm_ivpadlen(GCM_IV_MAX_SIZE)];
a672a02a SL	53	/*
	54	* The IV length needs to be zero padded to be a multiple of 16 bytes
	55	* followed by 8 bytes of zeros and 8 bytes for the IV length.
	56	* The GHASH of this value can then be calculated.
	57	*/
	58	memcpy(iv_zero_pad, iv, ivlen);
	59	memset(iv_zero_pad + ivlen, 0, len - ivlen);
	60	memcpy(iv_zero_pad + len - sizeof(ivbits), &ivbits, sizeof(ivbits));
	61	/*
	62	* Calculate the ghash of the iv - the result is stored into the tag
	63	* param.
	64	*/
	65	s390x_kma(iv_zero_pad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
	66	actx->plat.s390x.fc \|= S390X_KMA_HS; /* The hash subkey is set */
	67
	68	/* Copy the 128 bit GHASH result into J0 and clear the tag */
	69	kma->j0.g[0] = kma->t.g[0];
	70	kma->j0.g[1] = kma->t.g[1];
	71	kma->t.g[0] = 0;
	72	kma->t.g[1] = 0;
	73	/* Set the 32 bit counter */
	74	kma->cv.w = kma->j0.w[3];
	75	}
	76	return 1;
	77	}
	78
	79	static int s390x_aes_gcm_cipher_final(PROV_GCM_CTX ctx, unsigned char tag)
	80	{
	81	PROV_AES_GCM_CTX actx = (PROV_AES_GCM_CTX )ctx;
	82	S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
	83	unsigned char out[AES_BLOCK_SIZE];
	84	int rc;
	85
	86	kma->taadl <<= 3;
	87	kma->tpcl <<= 3;
	88	s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
	89	actx->plat.s390x.mres, actx->plat.s390x.mreslen, out,
	90	actx->plat.s390x.fc \| S390X_KMA_LAAD \| S390X_KMA_LPC, kma);
	91
	92	/* gctx->mres already returned to the caller */
	93	OPENSSL_cleanse(out, actx->plat.s390x.mreslen);
	94
	95	if (ctx->enc) {
2b2eb210	96	ctx->taglen = GCM_TAG_MAX_SIZE;
a672a02a SL	97	memcpy(tag, kma->t.b, ctx->taglen);
	98	rc = 1;
	99	} else {
	100	if (ctx->taglen < 0)
	101	rc = 0;
	102	else
	103	rc = (CRYPTO_memcmp(tag, kma->t.b, ctx->taglen) == 0);
	104	}
	105	return rc;
	106	}
	107
	108	static int s390x_aes_gcm_one_shot(PROV_GCM_CTX *ctx,
	109	unsigned char *aad, size_t aad_len,
	110	const unsigned char *in, size_t in_len,
	111	unsigned char *out,
	112	unsigned char *tag, size_t taglen)
	113	{
	114	PROV_AES_GCM_CTX actx = (PROV_AES_GCM_CTX )ctx;
	115	S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
	116	int rc;
	117
	118	kma->taadl = aad_len << 3;
	119	kma->tpcl = in_len << 3;
	120	s390x_kma(aad, aad_len, in, in_len, out,
	121	actx->plat.s390x.fc \| S390X_KMA_LAAD \| S390X_KMA_LPC, kma);
	122
	123	if (ctx->enc) {
	124	memcpy(tag, kma->t.b, taglen);
	125	rc = 1;
	126	} else {
	127	rc = (CRYPTO_memcmp(tag, kma->t.b, taglen) == 0);
	128	}
	129	return rc;
	130	}
	131
	132	/*
	133	* Process additional authenticated data. Returns 1 on success. Code is
	134	* big-endian.
	135	*/
	136	static int s390x_aes_gcm_aad_update(PROV_GCM_CTX *ctx,
	137	const unsigned char *aad, size_t len)
	138	{
	139	PROV_AES_GCM_CTX actx = (PROV_AES_GCM_CTX )ctx;
	140	S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
	141	unsigned long long alen;
	142	int n, rem;
	143
	144	/* If already processed pt/ct then error */
	145	if (kma->tpcl != 0)
	146	return 0;
	147
	148	/* update the total aad length */
	149	alen = kma->taadl + len;
	150	if (alen > (U64(1) << 61) \|\| (sizeof(len) == 8 && alen < len))
	151	return 0;
	152	kma->taadl = alen;
	153
	154	/* check if there is any existing aad data from a previous add */
	155	n = actx->plat.s390x.areslen;
	156	if (n) {
	157	/* add additional data to a buffer until it has 16 bytes */
	158	while (n && len) {
	159	actx->plat.s390x.ares[n] = *aad;
	160	++aad;
161	--len;
162	n = (n + 1) & 0xf;
163	}
164	/* ctx->ares contains a complete block if offset has wrapped around */
165	if (!n) {
166	s390x_kma(actx->plat.s390x.ares, 16, NULL, 0, NULL,
167	actx->plat.s390x.fc, kma);
168	actx->plat.s390x.fc \|= S390X_KMA_HS;
169	}
170	actx->plat.s390x.areslen = n;
171	}
172
173	/* If there are leftover bytes (< 128 bits) save them for next time */
174	rem = len & 0xf;
175	/* Add any remaining 16 byte blocks (128 bit each) */
176	len &= ~(size_t)0xf;
177	if (len) {
178	s390x_kma(aad, len, NULL, 0, NULL, actx->plat.s390x.fc, kma);
179	actx->plat.s390x.fc \|= S390X_KMA_HS;
180	aad += len;
181	}
182
183	if (rem) {
184	actx->plat.s390x.areslen = rem;
185
186	do {
187	--rem;
188	actx->plat.s390x.ares[rem] = aad[rem];
189	} while (rem);
190	}
191	return 1;
192	}
193
194	/*-
195	* En/de-crypt plain/cipher-text and authenticate ciphertext. Returns 1 for
196	* success. Code is big-endian.
197	*/
198	static int s390x_aes_gcm_cipher_update(PROV_GCM_CTX *ctx,
199	const unsigned char *in, size_t len,
200	unsigned char *out)
201	{
202	PROV_AES_GCM_CTX actx = (PROV_AES_GCM_CTX )ctx;
203	S390X_KMA_PARAMS *kma = &actx->plat.s390x.param.kma;
204	const unsigned char *inptr;
205	unsigned long long mlen;
206	union {
207	unsigned int w[4];
208	unsigned char b[16];
209	} buf;
210	size_t inlen;
211	int n, rem, i;
212
213	mlen = kma->tpcl + len;
214	if (mlen > ((U64(1) << 36) - 32) \|\| (sizeof(len) == 8 && mlen < len))
215	return 0;
216	kma->tpcl = mlen;
217
218	n = actx->plat.s390x.mreslen;
219	if (n) {
220	inptr = in;
221	inlen = len;
222	while (n && inlen) {
223	actx->plat.s390x.mres[n] = *inptr;
224	n = (n + 1) & 0xf;
225	++inptr;
226	--inlen;
227	}
228	/* ctx->mres contains a complete block if offset has wrapped around */
229	if (!n) {
230	s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen,
231	actx->plat.s390x.mres, 16, buf.b,
232	actx->plat.s390x.fc \| S390X_KMA_LAAD, kma);
233	actx->plat.s390x.fc \|= S390X_KMA_HS;
234	actx->plat.s390x.areslen = 0;
235
236	/* previous call already encrypted/decrypted its remainder,
237	* see comment below */
238	n = actx->plat.s390x.mreslen;
239	while (n) {
240	*out = buf.b[n];
241	n = (n + 1) & 0xf;
242	++out;
243	++in;
244	--len;
245	}
246	actx->plat.s390x.mreslen = 0;
247	}
248	}
249
250	rem = len & 0xf;
251
252	len &= ~(size_t)0xf;
253	if (len) {
254	s390x_kma(actx->plat.s390x.ares, actx->plat.s390x.areslen, in, len, out,
255	actx->plat.s390x.fc \| S390X_KMA_LAAD, kma);
256	in += len;
257	out += len;
258	actx->plat.s390x.fc \|= S390X_KMA_HS;
259	actx->plat.s390x.areslen = 0;
260	}
261
262	/*-
263	* If there is a remainder, it has to be saved such that it can be
264	* processed by kma later. However, we also have to do the for-now
265	* unauthenticated encryption/decryption part here and now...
266	*/
267	if (rem) {
268	if (!actx->plat.s390x.mreslen) {
269	buf.w[0] = kma->j0.w[0];
270	buf.w[1] = kma->j0.w[1];
271	buf.w[2] = kma->j0.w[2];
272	buf.w[3] = kma->cv.w + 1;
273	s390x_km(buf.b, 16, actx->plat.s390x.kres,
274	actx->plat.s390x.fc & 0x1f, &kma->k);
275	}
276
277	n = actx->plat.s390x.mreslen;
278	for (i = 0; i < rem; i++) {
279	actx->plat.s390x.mres[n + i] = in[i];
280	out[i] = in[i] ^ actx->plat.s390x.kres[n + i];
281	}
282	actx->plat.s390x.mreslen += rem;
283	}
284	return 1;
285	}
286
287	static const PROV_GCM_HW s390x_aes_gcm = {
e1178600	288	s390x_aes_gcm_initkey,
a672a02a SL	289	s390x_aes_gcm_setiv,
	290	s390x_aes_gcm_aad_update,
	291	s390x_aes_gcm_cipher_update,
	292	s390x_aes_gcm_cipher_final,
	293	s390x_aes_gcm_one_shot
	294	};
	295
	296	const PROV_GCM_HW *PROV_AES_HW_gcm(size_t keybits)
	297	{
	298	if ((keybits == 128 && S390X_aes_128_gcm_CAPABLE)
	299	\|\| (keybits == 192 && S390X_aes_192_gcm_CAPABLE)
	300	\|\| (keybits == 256 && S390X_aes_256_gcm_CAPABLE))
	301	return &s390x_aes_gcm;
	302	return &aes_gcm;
	303	}