/* * FIPS-197 compliant AES implementation * * Copyright (C) 2017, Silicon Labs, http://www.silabs.com * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* * This file includes alternative plugin implementations of various * functions in aes.c using the CRYPTO hardware accelerator incorporated * in MCU devices from Silicon Laboratories. */ /* * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. * * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf */ #include "mbedtls/aes.h" #include "em_device.h" #if defined(CRYPTO_PRESENT) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_AES_ALT) #include "crypto_management.h" #include "em_crypto.h" #include "em_core.h" #include __STATIC_INLINE void CRYPTO_DataReadUnaligned(volatile uint32_t * reg, uint8_t * const val) { /* Check data is 32bit aligned, if not, read into temporary buffer and then move to user buffer. */ if ((uint32_t)val & 0x3) { uint32_t temp[4]; CRYPTO_DataRead(reg, temp); memcpy(val, temp, 16); } else { CRYPTO_DataRead(reg, (uint32_t* const)val); } } __STATIC_INLINE void CRYPTO_DataWriteUnaligned(volatile uint32_t * reg, uint8_t * const val) { /* Check data is 32bit aligned, if not move to temporary buffer before writing.*/ if ((uint32_t)val & 0x3) { uint32_t temp[4]; memcpy(temp, val, 16); CRYPTO_DataWrite(reg, temp); } else { CRYPTO_DataWrite(reg, (uint32_t* const)val); } } /* * Initialize AES context */ void mbedtls_aes_init( mbedtls_aes_context *ctx ) { if( ctx == NULL ) { return; } memset( ctx, 0, sizeof( mbedtls_aes_context ) ); } /* * Clear AES context */ void mbedtls_aes_free( mbedtls_aes_context *ctx ) { if( ctx == NULL ) { return; } memset( ctx, 0, sizeof( mbedtls_aes_context ) ); } /* * AES key schedule (encryption) */ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits ) { if( ctx == NULL || key == NULL ) { return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ( 128UL != keybits ) && ( 256UL != keybits ) ) { /* Unsupported key size */ return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); } ctx->keybits = keybits; memcpy(ctx->key, key, keybits/8); return 0; } /* * AES key schedule (decryption) */ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits ) { CORE_DECLARE_IRQ_STATE; if( ctx == NULL || key == NULL ) { return ( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ( 128UL != keybits ) && ( 256UL != keybits ) ) { /* Unsupported key size */ return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); } ctx->keybits = keybits; CRYPTO_TypeDef *device = crypto_management_acquire(); device->WAC = 0; device->CTRL = 0; CORE_ENTER_CRITICAL(); CRYPTO_KeyBufWrite(device, (uint32_t*)key, (keybits == 128) ? cryptoKey128Bits : cryptoKey256Bits); CORE_EXIT_CRITICAL(); /* Busy-wait here to allow context-switching to occur */ device->CMD = CRYPTO_CMD_INSTR_AESENC; while ((device->STATUS & CRYPTO_STATUS_INSTRRUNNING) != 0); CORE_ENTER_CRITICAL(); CRYPTO_KeyRead(device, (uint32_t*)ctx->key, (keybits == 128) ? cryptoKey128Bits : cryptoKey256Bits); CORE_EXIT_CRITICAL(); crypto_management_release(device); return 0; } /* TODO: underneath these, we should swap out the em_crypto-provided library * functions with in-place implemented functions, to get much shorter * critical sections */ /* * AES-ECB block encryption */ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16] ) { return mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, input, output); } /* * AES-ECB block decryption */ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16] ) { return mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_DECRYPT, input, output); } /* * AES-ECB block encryption/decryption */ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16] ) { int ret = 0; CORE_DECLARE_IRQ_STATE; if( ctx == NULL || input == NULL || output == NULL ) { return ( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ctx->keybits != 128UL && ctx->keybits != 256UL) { return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } CRYPTO_TypeDef *device = crypto_management_acquire(); device->WAC = 0; device->CTRL = 0; CORE_ENTER_CRITICAL(); CRYPTO_KeyBufWrite(device, (uint32_t*)ctx->key, (ctx->keybits == 128UL) ? cryptoKey128Bits : cryptoKey256Bits); CRYPTO_DataWriteUnaligned(&device->DATA0, (uint8_t *)input); CORE_EXIT_CRITICAL(); if ( mode == MBEDTLS_AES_ENCRYPT ) { device->CMD = CRYPTO_CMD_INSTR_AESENC; } else { device->CMD = CRYPTO_CMD_INSTR_AESDEC; } while ((device->STATUS & CRYPTO_STATUS_INSTRRUNNING) != 0); CORE_ENTER_CRITICAL(); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)output); CORE_EXIT_CRITICAL(); crypto_management_release(device); return ret; } #if defined(MBEDTLS_CIPHER_MODE_CBC) /* * AES-CBC buffer encryption/decryption */ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output ) { int ret = 0; CORE_DECLARE_IRQ_STATE; size_t processed = 0; if( ctx == NULL || input == NULL || output == NULL || iv == NULL ) { return ( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } /* Input length must be a multiple of 16 bytes which is the AES block length. */ if( length & 0xf ) { return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ctx->keybits != 128UL && ctx->keybits != 256UL) { return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } CRYPTO_TypeDef *device = crypto_management_acquire(); device->WAC = 0; device->CTRL = 0; CORE_ENTER_CRITICAL(); CRYPTO_KeyBufWrite(device, (uint32_t*)ctx->key, (ctx->keybits == 128UL) ? cryptoKey128Bits : cryptoKey256Bits); if ( mode == MBEDTLS_AES_ENCRYPT ) { CRYPTO_DataWriteUnaligned(&device->DATA0, (uint8_t *)iv); } else { CRYPTO_DataWriteUnaligned(&device->DATA2, (uint8_t *)iv); } CORE_EXIT_CRITICAL(); while ( processed < length ) { if ( mode == MBEDTLS_AES_ENCRYPT ) { CORE_ENTER_CRITICAL(); CRYPTO_DataWriteUnaligned(&device->DATA0XOR, (uint8_t *)(&input[processed])); device->CMD = CRYPTO_CMD_INSTR_AESENC; CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)(&output[processed])); CORE_EXIT_CRITICAL(); } else { /* Decrypt input block, XOR IV to decrypted text, set ciphertext as next IV */ CORE_ENTER_CRITICAL(); CRYPTO_DataWriteUnaligned(&device->DATA0, (uint8_t *)(&input[processed])); CRYPTO_EXECUTE_4( device, CRYPTO_CMD_INSTR_DATA0TODATA1, CRYPTO_CMD_INSTR_AESDEC, CRYPTO_CMD_INSTR_DATA2TODATA0XOR, CRYPTO_CMD_INSTR_DATA1TODATA2); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)(&output[processed])); CORE_EXIT_CRITICAL(); } processed += 16; } if ( processed >= 16 ) { if ( mode == MBEDTLS_AES_ENCRYPT ) { memcpy(iv, &output[processed-16], 16); } else { CORE_ENTER_CRITICAL(); CRYPTO_DataReadUnaligned(&device->DATA2, (uint8_t *)(iv)); CORE_EXIT_CRITICAL(); } } crypto_management_release(device); return ret; } #endif /* MBEDTLS_CIPHER_MODE_CBC */ #if defined(MBEDTLS_CIPHER_MODE_CFB) /* * AES-CFB128 buffer encryption/decryption */ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[16], const unsigned char *input, unsigned char *output ) { size_t n = iv_off ? *iv_off : 0; size_t processed = 0; int ret = 0; CORE_DECLARE_IRQ_STATE; if( ctx == NULL || input == NULL || output == NULL || iv == NULL ) { return ( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ctx->keybits != 128UL && ctx->keybits != 256UL) { return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } while ( processed < length ) { if ( n > 0 ) { /* start by filling up the IV */ if( mode == MBEDTLS_AES_ENCRYPT ) { iv[n] = output[processed] = (unsigned char)( iv[n] ^ input[processed] ); } else { int c = input[processed]; output[processed] = (unsigned char)( c ^ iv[n] ); iv[n] = (unsigned char) c; } n = ( n + 1 ) & 0x0F; processed++; continue; } else { /* process one ore more blocks of data */ CRYPTO_TypeDef *device = crypto_management_acquire(); device->WAC = 0; device->CTRL = 0; CORE_ENTER_CRITICAL(); CRYPTO_KeyBufWrite(device, (uint32_t*)ctx->key, (ctx->keybits == 128UL) ? cryptoKey128Bits : cryptoKey256Bits); CRYPTO_DataWriteUnaligned(&device->DATA0, (uint8_t *)iv); CORE_EXIT_CRITICAL(); /* Encryption: encrypt IV, encIV xor input -> output and IV */ /* Decryption: encrypt IV, encIV xor input -> output, input -> IV */ size_t iterations = (length - processed) / 16; for (size_t i = 0; i < iterations; i++ ) { device->CMD = CRYPTO_CMD_INSTR_AESENC; while ((device->STATUS & CRYPTO_STATUS_INSTRRUNNING) != 0); CORE_ENTER_CRITICAL(); if ( mode == MBEDTLS_AES_ENCRYPT ) { CRYPTO_DataWriteUnaligned(&device->DATA0XOR, (uint8_t *)(&input[processed])); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)(&output[processed])); } else { CRYPTO_DataWriteUnaligned(&device->DATA1, (uint8_t *)(&input[processed])); device->CMD = CRYPTO_CMD_INSTR_DATA1TODATA0XOR; CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)(&output[processed])); device->CMD = CRYPTO_CMD_INSTR_DATA1TODATA0; } CORE_EXIT_CRITICAL(); processed += 16; } CORE_ENTER_CRITICAL(); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)iv); CORE_EXIT_CRITICAL(); while ( length - processed > 0 ) { if ( n == 0 ) { device->CMD = CRYPTO_CMD_INSTR_AESENC; while ((device->STATUS & CRYPTO_STATUS_INSTRRUNNING) != 0); CORE_ENTER_CRITICAL(); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)iv); CORE_EXIT_CRITICAL(); } /* Save remainder to iv */ if( mode == MBEDTLS_AES_ENCRYPT ) { iv[n] = output[processed] = (unsigned char)( iv[n] ^ input[processed] ); } else { int c = input[processed]; output[processed] = (unsigned char)( c ^ iv[n] ); iv[n] = (unsigned char) c; } n = ( n + 1 ) & 0x0F; processed++; } crypto_management_release(device); } } if ( iv_off ) { *iv_off = n; } return ret; } /* * AES-CFB8 buffer encryption/decryption */ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output ) { unsigned char c; unsigned char ov[17]; int ret = 0; if( ctx == NULL || input == NULL || output == NULL || iv == NULL ) { return ( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ctx->keybits != 128UL && ctx->keybits != 256UL) { return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } while( length-- ) { memcpy( ov, iv, 16 ); if ( (ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 ) { return ret; } if( mode == MBEDTLS_AES_DECRYPT ) ov[16] = *input; c = *output++ = (unsigned char)( iv[0] ^ *input++ ); if( mode == MBEDTLS_AES_ENCRYPT ) ov[16] = c; memcpy( iv, ov + 1, 16 ); } return ret; } #endif /*MBEDTLS_CIPHER_MODE_CFB */ #if defined(MBEDTLS_CIPHER_MODE_CTR) /* * AES-CTR buffer encryption/decryption */ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[16], unsigned char stream_block[16], const unsigned char *input, unsigned char *output ) { size_t n = nc_off ? *nc_off : 0; size_t processed = 0; int ret = 0; CORE_DECLARE_IRQ_STATE; if( ctx == NULL || input == NULL || output == NULL || nonce_counter == NULL || stream_block == NULL ) { return ( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); } if ( ctx->keybits != 128UL && ctx->keybits != 256UL) { return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; } while ( processed < length ) { if ( n > 0 ) { /* start by filling up the IV */ output[processed] = (unsigned char)( input[processed] ^ stream_block[n] ); n = ( n + 1 ) & 0x0F; processed++; continue; } else { /* process one ore more blocks of data */ CRYPTO_TypeDef *device = crypto_management_acquire(); device->WAC = 0; device->CTRL = CRYPTO_CTRL_INCWIDTH_INCWIDTH4; CORE_ENTER_CRITICAL(); CRYPTO_KeyBufWrite(device, (uint32_t*)ctx->key, (ctx->keybits == 128UL) ? cryptoKey128Bits : cryptoKey256Bits); CRYPTO_DataWriteUnaligned(&device->DATA1, (uint8_t *)nonce_counter); CORE_EXIT_CRITICAL(); /* strategy: encrypt nonce, encNonce xor input -> output, inc(nonce) */ size_t iterations = (length - processed) / 16; for (size_t i = 0; i < iterations; i++ ) { device->CMD = CRYPTO_CMD_INSTR_DATA1TODATA0; device->CMD = CRYPTO_CMD_INSTR_AESENC; while ((device->STATUS & CRYPTO_STATUS_INSTRRUNNING) != 0); device->CMD = CRYPTO_CMD_INSTR_DATA1INC; CORE_ENTER_CRITICAL(); CRYPTO_DataWriteUnaligned(&device->DATA0XOR, (uint8_t *)(&input[processed])); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)(&output[processed])); CORE_EXIT_CRITICAL(); processed += 16; } while ( length - processed > 0 ) { if ( n == 0 ) { device->CMD = CRYPTO_CMD_INSTR_DATA1TODATA0; device->CMD = CRYPTO_CMD_INSTR_AESENC; while ((device->STATUS & CRYPTO_STATUS_INSTRRUNNING) != 0); device->CMD = CRYPTO_CMD_INSTR_DATA1INC; CORE_ENTER_CRITICAL(); CRYPTO_DataReadUnaligned(&device->DATA0, (uint8_t *)stream_block); CORE_EXIT_CRITICAL(); } /* Save remainder to iv */ output[processed] = (unsigned char)( input[processed] ^ stream_block[n] ); n = ( n + 1 ) & 0x0F; processed++; } CORE_ENTER_CRITICAL(); CRYPTO_DataReadUnaligned(&device->DATA1, (uint8_t *)nonce_counter); CORE_EXIT_CRITICAL(); crypto_management_release(device); } } if ( nc_off ) { *nc_off = n; } return ret; } #endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* MBEDTLS_AES_ALT */ #endif /* MBEDTLS_AES_C */ #endif /* CRYPTO_PRESENT */