mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
b49af54726
--HG-- rename : security/coreconf/AIX.mk => security/nss/coreconf/AIX.mk rename : security/coreconf/Android.mk => security/nss/coreconf/Android.mk rename : security/coreconf/BSD_OS.mk => security/nss/coreconf/BSD_OS.mk rename : security/coreconf/BeOS.mk => security/nss/coreconf/BeOS.mk rename : security/coreconf/Darwin.mk => security/nss/coreconf/Darwin.mk rename : security/coreconf/FreeBSD.mk => security/nss/coreconf/FreeBSD.mk rename : security/coreconf/HP-UX.mk => security/nss/coreconf/HP-UX.mk rename : security/coreconf/HP-UXA.09.03.mk => security/nss/coreconf/HP-UXA.09.03.mk rename : security/coreconf/HP-UXA.09.07.mk => security/nss/coreconf/HP-UXA.09.07.mk rename : security/coreconf/HP-UXA.09.mk => security/nss/coreconf/HP-UXA.09.mk rename : security/coreconf/HP-UXB.10.01.mk => security/nss/coreconf/HP-UXB.10.01.mk rename : security/coreconf/HP-UXB.10.10.mk => security/nss/coreconf/HP-UXB.10.10.mk rename : security/coreconf/HP-UXB.10.20.mk => security/nss/coreconf/HP-UXB.10.20.mk rename : security/coreconf/HP-UXB.10.30.mk => security/nss/coreconf/HP-UXB.10.30.mk rename : security/coreconf/HP-UXB.10.mk => security/nss/coreconf/HP-UXB.10.mk rename : security/coreconf/HP-UXB.11.00.mk => security/nss/coreconf/HP-UXB.11.00.mk rename : security/coreconf/HP-UXB.11.11.mk => security/nss/coreconf/HP-UXB.11.11.mk rename : security/coreconf/HP-UXB.11.20.mk => security/nss/coreconf/HP-UXB.11.20.mk rename : security/coreconf/HP-UXB.11.22.mk => security/nss/coreconf/HP-UXB.11.22.mk rename : security/coreconf/HP-UXB.11.23.mk => security/nss/coreconf/HP-UXB.11.23.mk rename : security/coreconf/HP-UXB.11.mk => security/nss/coreconf/HP-UXB.11.mk rename : security/coreconf/IRIX.mk => security/nss/coreconf/IRIX.mk rename : security/coreconf/IRIX5.2.mk => security/nss/coreconf/IRIX5.2.mk rename : security/coreconf/IRIX5.3.mk => security/nss/coreconf/IRIX5.3.mk rename : security/coreconf/IRIX5.mk => security/nss/coreconf/IRIX5.mk rename : security/coreconf/IRIX6.2.mk => security/nss/coreconf/IRIX6.2.mk rename : security/coreconf/IRIX6.3.mk => security/nss/coreconf/IRIX6.3.mk rename : security/coreconf/IRIX6.5.mk => security/nss/coreconf/IRIX6.5.mk rename : security/coreconf/IRIX6.mk => security/nss/coreconf/IRIX6.mk rename : security/coreconf/Linux.mk => security/nss/coreconf/Linux.mk rename : security/coreconf/Makefile => security/nss/coreconf/Makefile rename : security/coreconf/NCR3.0.mk => security/nss/coreconf/NCR3.0.mk rename : security/coreconf/NEC4.2.mk => security/nss/coreconf/NEC4.2.mk rename : security/coreconf/NetBSD.mk => security/nss/coreconf/NetBSD.mk rename : security/coreconf/OS2.mk => security/nss/coreconf/OS2.mk rename : security/coreconf/OSF1.mk => security/nss/coreconf/OSF1.mk rename : security/coreconf/OSF1V3.0.mk => security/nss/coreconf/OSF1V2.0.mk rename : security/coreconf/OSF1V3.0.mk => security/nss/coreconf/OSF1V3.0.mk rename : security/coreconf/OSF1V3.2.mk => security/nss/coreconf/OSF1V3.2.mk rename : security/coreconf/OSF1V4.0.mk => security/nss/coreconf/OSF1V4.0.mk rename : security/coreconf/OSF1V4.0B.mk => security/nss/coreconf/OSF1V4.0B.mk rename : security/coreconf/OSF1V4.0D.mk => security/nss/coreconf/OSF1V4.0D.mk rename : security/coreconf/OSF1V5.0.mk => security/nss/coreconf/OSF1V5.0.mk rename : security/coreconf/OSF1V5.1.mk => security/nss/coreconf/OSF1V5.1.mk rename : security/coreconf/OpenBSD.mk => security/nss/coreconf/OpenBSD.mk rename : security/coreconf/OpenUNIX.mk => security/nss/coreconf/OpenUNIX.mk rename : security/coreconf/QNX.mk => security/nss/coreconf/QNX.mk rename : security/coreconf/README => security/nss/coreconf/README rename : security/coreconf/RISCOS.mk => security/nss/coreconf/RISCOS.mk rename : security/coreconf/ReliantUNIX.mk => security/nss/coreconf/ReliantUNIX.mk rename : security/coreconf/ReliantUNIX5.4.mk => security/nss/coreconf/ReliantUNIX5.4.mk rename : security/coreconf/SCOOS5.0.mk => security/nss/coreconf/SCOOS5.0.mk rename : security/coreconf/SCO_SV3.2.mk => security/nss/coreconf/SCO_SV3.2.mk rename : security/coreconf/SunOS4.1.3_U1.mk => security/nss/coreconf/SunOS4.1.3_U1.mk rename : security/coreconf/UNIX.mk => security/nss/coreconf/UNIX.mk rename : security/coreconf/UNIXWARE2.1.mk => security/nss/coreconf/UNIXWARE2.1.mk rename : security/coreconf/WIN95.mk => security/nss/coreconf/WIN95.mk rename : security/coreconf/WINNT.mk => security/nss/coreconf/WINNT.mk rename : security/coreconf/arch.mk => security/nss/coreconf/arch.mk rename : security/coreconf/command.mk => security/nss/coreconf/command.mk rename : security/coreconf/coreconf.pl => security/nss/coreconf/coreconf.pl rename : security/coreconf/cpdist.pl => security/nss/coreconf/cpdist.pl rename : security/coreconf/headers.mk => security/nss/coreconf/headers.mk rename : security/coreconf/import.pl => security/nss/coreconf/import.pl rename : security/coreconf/jdk.mk => security/nss/coreconf/jdk.mk rename : security/coreconf/jniregen.pl => security/nss/coreconf/jniregen.pl rename : security/coreconf/location.mk => security/nss/coreconf/location.mk rename : security/coreconf/mkdepend/Makefile => security/nss/coreconf/mkdepend/Makefile rename : security/coreconf/mkdepend/cppsetup.c => security/nss/coreconf/mkdepend/cppsetup.c rename : security/coreconf/mkdepend/def.h => security/nss/coreconf/mkdepend/def.h rename : security/coreconf/mkdepend/ifparser.c => security/nss/coreconf/mkdepend/ifparser.c rename : security/coreconf/mkdepend/ifparser.h => security/nss/coreconf/mkdepend/ifparser.h rename : security/coreconf/mkdepend/imakemdep.h => security/nss/coreconf/mkdepend/imakemdep.h rename : security/coreconf/mkdepend/include.c => security/nss/coreconf/mkdepend/include.c rename : security/coreconf/mkdepend/main.c => security/nss/coreconf/mkdepend/main.c rename : security/coreconf/mkdepend/mkdepend.man => security/nss/coreconf/mkdepend/mkdepend.man rename : security/coreconf/mkdepend/parse.c => security/nss/coreconf/mkdepend/parse.c rename : security/coreconf/mkdepend/pr.c => security/nss/coreconf/mkdepend/pr.c rename : security/coreconf/module.mk => security/nss/coreconf/module.mk rename : security/coreconf/nsinstall/Makefile => security/nss/coreconf/nsinstall/Makefile rename : security/coreconf/nsinstall/nsinstall.c => security/nss/coreconf/nsinstall/nsinstall.c rename : security/coreconf/nsinstall/pathsub.c => security/nss/coreconf/nsinstall/pathsub.c rename : security/coreconf/nsinstall/pathsub.h => security/nss/coreconf/nsinstall/pathsub.h rename : security/coreconf/nsinstall/sunos4.h => security/nss/coreconf/nsinstall/sunos4.h rename : security/coreconf/outofdate.pl => security/nss/coreconf/outofdate.pl rename : security/coreconf/prefix.mk => security/nss/coreconf/prefix.mk rename : security/coreconf/release.pl => security/nss/coreconf/release.pl rename : security/coreconf/rules.mk => security/nss/coreconf/rules.mk rename : security/coreconf/ruleset.mk => security/nss/coreconf/ruleset.mk rename : security/coreconf/source.mk => security/nss/coreconf/source.mk rename : security/coreconf/suffix.mk => security/nss/coreconf/suffix.mk rename : security/coreconf/tree.mk => security/nss/coreconf/tree.mk rename : security/coreconf/version.mk => security/nss/coreconf/version.mk rename : security/coreconf/version.pl => security/nss/coreconf/version.pl rename : security/dbm/config/config.mk => security/nss/lib/dbm/config/config.mk rename : dbm/include/cdefs.h => security/nss/lib/dbm/include/cdefs.h rename : dbm/include/extern.h => security/nss/lib/dbm/include/extern.h rename : dbm/include/hash.h => security/nss/lib/dbm/include/hash.h rename : dbm/include/search.h => security/nss/lib/dbm/include/hsearch.h rename : dbm/include/mcom_db.h => security/nss/lib/dbm/include/mcom_db.h rename : dbm/include/mpool.h => security/nss/lib/dbm/include/mpool.h rename : dbm/include/ncompat.h => security/nss/lib/dbm/include/ncompat.h rename : dbm/include/page.h => security/nss/lib/dbm/include/page.h rename : dbm/include/queue.h => security/nss/lib/dbm/include/queue.h rename : dbm/include/search.h => security/nss/lib/dbm/include/search.h rename : dbm/include/winfile.h => security/nss/lib/dbm/include/winfile.h rename : dbm/src/db.c => security/nss/lib/dbm/src/db.c rename : security/dbm/src/dirent.c => security/nss/lib/dbm/src/dirent.c rename : security/dbm/src/dirent.h => security/nss/lib/dbm/src/dirent.h rename : dbm/src/h_bigkey.c => security/nss/lib/dbm/src/h_bigkey.c rename : dbm/src/h_func.c => security/nss/lib/dbm/src/h_func.c rename : dbm/src/h_log2.c => security/nss/lib/dbm/src/h_log2.c rename : dbm/src/h_page.c => security/nss/lib/dbm/src/h_page.c rename : dbm/src/hash.c => security/nss/lib/dbm/src/hash.c rename : dbm/src/hash_buf.c => security/nss/lib/dbm/src/hash_buf.c rename : dbm/src/memmove.c => security/nss/lib/dbm/src/memmove.c rename : dbm/src/mktemp.c => security/nss/lib/dbm/src/mktemp.c rename : dbm/src/snprintf.c => security/nss/lib/dbm/src/snprintf.c rename : dbm/src/strerror.c => security/nss/lib/dbm/src/strerror.c rename : dbm/tests/dbmtest.pkg => security/nss/lib/dbm/tests/dbmtest.pkg rename : dbm/tests/lots.c => security/nss/lib/dbm/tests/lots.c extra : rebase_source : 119dad5f824e8e760182047fd32e2a0d0f944172 extra : amend_source : 98e24aa51f9044d9091a26f013b643925e8f9dcf
847 lines
24 KiB
C
847 lines
24 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifdef FREEBL_NO_DEPEND
|
|
#include "stubs.h"
|
|
#endif
|
|
#include "blapii.h"
|
|
#include "blapit.h"
|
|
#include "gcm.h"
|
|
#include "ctr.h"
|
|
#include "secerr.h"
|
|
#include "prtypes.h"
|
|
#include "pkcs11t.h"
|
|
|
|
#include <limits.h>
|
|
|
|
/**************************************************************************
|
|
* First implement the Galois hash function of GCM (gcmHash) *
|
|
**************************************************************************/
|
|
#define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */
|
|
|
|
typedef struct gcmHashContextStr gcmHashContext;
|
|
|
|
static SECStatus gcmHash_InitContext(gcmHashContext *hash,
|
|
const unsigned char *H,
|
|
unsigned int blocksize);
|
|
static void gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit);
|
|
static SECStatus gcmHash_Update(gcmHashContext *ghash,
|
|
const unsigned char *buf, unsigned int len,
|
|
unsigned int blocksize);
|
|
static SECStatus gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize);
|
|
static SECStatus gcmHash_Final(gcmHashContext *gcm, unsigned char *outbuf,
|
|
unsigned int *outlen, unsigned int maxout,
|
|
unsigned int blocksize);
|
|
static SECStatus gcmHash_Reset(gcmHashContext *ghash,
|
|
const unsigned char *inbuf,
|
|
unsigned int inbufLen, unsigned int blocksize);
|
|
|
|
/* compile time defines to select how the GF2 multiply is calculated.
|
|
* There are currently 2 algorithms implemented here: MPI and ALGORITHM_1.
|
|
*
|
|
* MPI uses the GF2m implemented in mpi to support GF2 ECC.
|
|
* ALGORITHM_1 is the Algorithm 1 in both NIST SP 800-38D and
|
|
* "The Galois/Counter Mode of Operation (GCM)", McGrew & Viega.
|
|
*/
|
|
#if !defined(GCM_USE_ALGORITHM_1) && !defined(GCM_USE_MPI)
|
|
#define GCM_USE_MPI 1 /* MPI is about 5x faster with the
|
|
* same or less complexity. It's possible to use
|
|
* tables to speed things up even more */
|
|
#endif
|
|
|
|
/* GCM defines the bit string to be LSB first, which is exactly
|
|
* opposite everyone else, including hardware. build array
|
|
* to reverse everything. */
|
|
static const unsigned char gcm_byte_rev[256] = {
|
|
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
|
|
0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
|
|
0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
|
|
0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
|
|
0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
|
|
0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
|
|
0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
|
|
0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
|
|
0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
|
|
0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
|
|
0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
|
|
0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
|
|
0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
|
|
0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
|
|
0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
|
|
0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
|
|
0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
|
|
0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
|
|
0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
|
|
0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
|
|
0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
|
|
0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
|
|
0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
|
|
0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
|
|
0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
|
|
0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
|
|
0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
|
|
0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
|
|
0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
|
|
0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
|
|
0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
|
|
0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
|
|
};
|
|
|
|
|
|
#ifdef GCM_TRACE
|
|
#include <stdio.h>
|
|
|
|
#define GCM_TRACE_X(ghash,label) { \
|
|
unsigned char _X[MAX_BLOCK_SIZE]; int i; \
|
|
gcm_getX(ghash, _X, blocksize); \
|
|
printf(label,(ghash)->m); \
|
|
for (i=0; i < blocksize; i++) printf("%02x",_X[i]); \
|
|
printf("\n"); }
|
|
#define GCM_TRACE_BLOCK(label,buf,blocksize) {\
|
|
printf(label); \
|
|
for (i=0; i < blocksize; i++) printf("%02x",buf[i]); \
|
|
printf("\n"); }
|
|
#else
|
|
#define GCM_TRACE_X(ghash,label)
|
|
#define GCM_TRACE_BLOCK(label,buf,blocksize)
|
|
#endif
|
|
|
|
#ifdef GCM_USE_MPI
|
|
|
|
#ifdef GCM_USE_ALGORITHM_1
|
|
#error "Only define one of GCM_USE_MPI, GCM_USE_ALGORITHM_1"
|
|
#endif
|
|
/* use the MPI functions to calculate Xn = (Xn-1^C_i)*H mod poly */
|
|
#include "mpi.h"
|
|
#include "secmpi.h"
|
|
#include "mplogic.h"
|
|
#include "mp_gf2m.h"
|
|
|
|
/* state needed to handle GCM Hash function */
|
|
struct gcmHashContextStr {
|
|
mp_int H;
|
|
mp_int X;
|
|
mp_int C_i;
|
|
const unsigned int *poly;
|
|
unsigned char buffer[MAX_BLOCK_SIZE];
|
|
unsigned int bufLen;
|
|
int m; /* XXX what is m? */
|
|
unsigned char counterBuf[2*GCM_HASH_LEN_LEN];
|
|
PRUint64 cLen;
|
|
};
|
|
|
|
/* f = x^128 + x^7 + x^2 + x + 1 */
|
|
static const unsigned int poly_128[] = { 128, 7, 2, 1, 0 };
|
|
|
|
/* sigh, GCM defines the bit strings exactly backwards from everything else */
|
|
static void
|
|
gcm_reverse(unsigned char *target, const unsigned char *src,
|
|
unsigned int blocksize)
|
|
{
|
|
unsigned int i;
|
|
for (i=0; i < blocksize; i++) {
|
|
target[blocksize-i-1] = gcm_byte_rev[src[i]];
|
|
}
|
|
}
|
|
|
|
/* Initialize a gcmHashContext */
|
|
static SECStatus
|
|
gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H,
|
|
unsigned int blocksize)
|
|
{
|
|
mp_err err = MP_OKAY;
|
|
unsigned char H_rev[MAX_BLOCK_SIZE];
|
|
|
|
MP_DIGITS(&ghash->H) = 0;
|
|
MP_DIGITS(&ghash->X) = 0;
|
|
MP_DIGITS(&ghash->C_i) = 0;
|
|
CHECK_MPI_OK( mp_init(&ghash->H) );
|
|
CHECK_MPI_OK( mp_init(&ghash->X) );
|
|
CHECK_MPI_OK( mp_init(&ghash->C_i) );
|
|
|
|
mp_zero(&ghash->X);
|
|
gcm_reverse(H_rev, H, blocksize);
|
|
CHECK_MPI_OK( mp_read_unsigned_octets(&ghash->H, H_rev, blocksize) );
|
|
|
|
/* set the irreducible polynomial. Each blocksize has its own polynomial.
|
|
* for now only blocksize 16 (=128 bits) is defined */
|
|
switch (blocksize) {
|
|
case 16: /* 128 bits */
|
|
ghash->poly = poly_128;
|
|
break;
|
|
default:
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
goto cleanup;
|
|
}
|
|
ghash->cLen = 0;
|
|
ghash->bufLen = 0;
|
|
ghash->m = 0;
|
|
PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf));
|
|
return SECSuccess;
|
|
cleanup:
|
|
gcmHash_DestroyContext(ghash, PR_FALSE);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* Destroy a HashContext (Note we zero the digits so this function
|
|
* is idempotent if called with freeit == PR_FALSE */
|
|
static void
|
|
gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit)
|
|
{
|
|
mp_clear(&ghash->H);
|
|
mp_clear(&ghash->X);
|
|
mp_clear(&ghash->C_i);
|
|
MP_DIGITS(&ghash->H) = 0;
|
|
MP_DIGITS(&ghash->X) = 0;
|
|
MP_DIGITS(&ghash->C_i) = 0;
|
|
if (freeit) {
|
|
PORT_Free(ghash);
|
|
}
|
|
}
|
|
|
|
static SECStatus
|
|
gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize)
|
|
{
|
|
int len;
|
|
mp_err err;
|
|
unsigned char tmp_buf[MAX_BLOCK_SIZE];
|
|
unsigned char *X;
|
|
|
|
len = mp_unsigned_octet_size(&ghash->X);
|
|
if (len <= 0) {
|
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
return SECFailure;
|
|
}
|
|
X = tmp_buf;
|
|
PORT_Assert((unsigned int)len <= blocksize);
|
|
if ((unsigned int)len > blocksize) {
|
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
return SECFailure;
|
|
}
|
|
/* zero pad the result */
|
|
if (len != blocksize) {
|
|
PORT_Memset(X,0,blocksize-len);
|
|
X += blocksize-len;
|
|
}
|
|
|
|
err = mp_to_unsigned_octets(&ghash->X, X, len);
|
|
if (err < 0) {
|
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
return SECFailure;
|
|
}
|
|
gcm_reverse(T, tmp_buf, blocksize);
|
|
return SECSuccess;
|
|
}
|
|
|
|
static SECStatus
|
|
gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf,
|
|
unsigned int count, unsigned int blocksize)
|
|
{
|
|
SECStatus rv = SECFailure;
|
|
mp_err err = MP_OKAY;
|
|
unsigned char tmp_buf[MAX_BLOCK_SIZE];
|
|
unsigned int i;
|
|
|
|
for (i=0; i < count; i++, buf += blocksize) {
|
|
ghash->m++;
|
|
gcm_reverse(tmp_buf, buf, blocksize);
|
|
CHECK_MPI_OK(mp_read_unsigned_octets(&ghash->C_i, tmp_buf, blocksize));
|
|
CHECK_MPI_OK(mp_badd(&ghash->X, &ghash->C_i, &ghash->C_i));
|
|
/*
|
|
* Looking to speed up GCM, this the the place to do it.
|
|
* There are two areas that can be exploited to speed up this code.
|
|
*
|
|
* 1) H is a constant in this multiply. We can precompute H * (0 - 255)
|
|
* at init time and this becomes an blockize xors of our table lookup.
|
|
*
|
|
* 2) poly is a constant for each blocksize. We can calculate the
|
|
* modulo reduction by a series of adds and shifts.
|
|
*
|
|
* For now we are after functionality, so we will go ahead and use
|
|
* the builtin bmulmod from mpi
|
|
*/
|
|
CHECK_MPI_OK(mp_bmulmod(&ghash->C_i, &ghash->H,
|
|
ghash->poly, &ghash->X));
|
|
GCM_TRACE_X(ghash, "X%d = ")
|
|
}
|
|
rv = SECSuccess;
|
|
cleanup:
|
|
if (rv != SECSuccess) {
|
|
MP_TO_SEC_ERROR(err);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
static void
|
|
gcm_zeroX(gcmHashContext *ghash)
|
|
{
|
|
mp_zero(&ghash->X);
|
|
ghash->m = 0;
|
|
}
|
|
|
|
#endif
|
|
|
|
#ifdef GCM_USE_ALGORITHM_1
|
|
/* use algorithm 1 of McGrew & Viega "The Galois/Counter Mode of Operation" */
|
|
|
|
#define GCM_ARRAY_SIZE (MAX_BLOCK_SIZE/sizeof(unsigned long))
|
|
|
|
struct gcmHashContextStr {
|
|
unsigned long H[GCM_ARRAY_SIZE];
|
|
unsigned long X[GCM_ARRAY_SIZE];
|
|
unsigned long R;
|
|
unsigned char buffer[MAX_BLOCK_SIZE];
|
|
unsigned int bufLen;
|
|
int m;
|
|
unsigned char counterBuf[2*GCM_HASH_LEN_LEN];
|
|
PRUint64 cLen;
|
|
};
|
|
|
|
static void
|
|
gcm_bytes_to_longs(unsigned long *l, const unsigned char *c, unsigned int len)
|
|
{
|
|
int i,j;
|
|
int array_size = len/sizeof(unsigned long);
|
|
|
|
PORT_Assert(len % sizeof(unsigned long) == 0);
|
|
for (i=0; i < array_size; i++) {
|
|
unsigned long tmp = 0;
|
|
int byte_offset = i * sizeof(unsigned long);
|
|
for (j=sizeof(unsigned long)-1; j >= 0; j--) {
|
|
tmp = (tmp << PR_BITS_PER_BYTE) | gcm_byte_rev[c[byte_offset+j]];
|
|
}
|
|
l[i] = tmp;
|
|
}
|
|
}
|
|
|
|
static void
|
|
gcm_longs_to_bytes(const unsigned long *l, unsigned char *c, unsigned int len)
|
|
{
|
|
int i,j;
|
|
int array_size = len/sizeof(unsigned long);
|
|
|
|
PORT_Assert(len % sizeof(unsigned long) == 0);
|
|
for (i=0; i < array_size; i++) {
|
|
unsigned long tmp = l[i];
|
|
int byte_offset = i * sizeof(unsigned long);
|
|
for (j=0; j < sizeof(unsigned long); j++) {
|
|
c[byte_offset+j] = gcm_byte_rev[tmp & 0xff];
|
|
tmp = (tmp >> PR_BITS_PER_BYTE);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
/* Initialize a gcmHashContext */
|
|
static SECStatus
|
|
gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H,
|
|
unsigned int blocksize)
|
|
{
|
|
PORT_Memset(ghash->X, 0, sizeof(ghash->X));
|
|
PORT_Memset(ghash->H, 0, sizeof(ghash->H));
|
|
gcm_bytes_to_longs(ghash->H, H, blocksize);
|
|
|
|
/* set the irreducible polynomial. Each blocksize has its own polynommial
|
|
* for now only blocksize 16 (=128 bits) is defined */
|
|
switch (blocksize) {
|
|
case 16: /* 128 bits */
|
|
ghash->R = (unsigned long) 0x87; /* x^7 + x^2 + x +1 */
|
|
break;
|
|
default:
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
goto cleanup;
|
|
}
|
|
ghash->cLen = 0;
|
|
ghash->bufLen = 0;
|
|
ghash->m = 0;
|
|
PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf));
|
|
return SECSuccess;
|
|
cleanup:
|
|
return SECFailure;
|
|
}
|
|
|
|
/* Destroy a HashContext (Note we zero the digits so this function
|
|
* is idempotent if called with freeit == PR_FALSE */
|
|
static void
|
|
gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit)
|
|
{
|
|
if (freeit) {
|
|
PORT_Free(ghash);
|
|
}
|
|
}
|
|
|
|
static unsigned long
|
|
gcm_shift_one(unsigned long *t, unsigned int count)
|
|
{
|
|
unsigned long carry = 0;
|
|
unsigned long nextcarry = 0;
|
|
unsigned int i;
|
|
for (i=0; i < count; i++) {
|
|
nextcarry = t[i] >> ((sizeof(unsigned long)*PR_BITS_PER_BYTE)-1);
|
|
t[i] = (t[i] << 1) | carry;
|
|
carry = nextcarry;
|
|
}
|
|
return carry;
|
|
}
|
|
|
|
static SECStatus
|
|
gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize)
|
|
{
|
|
gcm_longs_to_bytes(ghash->X, T, blocksize);
|
|
return SECSuccess;
|
|
}
|
|
|
|
#define GCM_XOR(t, s, len) \
|
|
for (l=0; l < len; l++) t[l] ^= s[l]
|
|
|
|
static SECStatus
|
|
gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf,
|
|
unsigned int count, unsigned int blocksize)
|
|
{
|
|
unsigned long C_i[GCM_ARRAY_SIZE];
|
|
unsigned int arraysize = blocksize/sizeof(unsigned long);
|
|
unsigned int i, j, k, l;
|
|
|
|
for (i=0; i < count; i++, buf += blocksize) {
|
|
ghash->m++;
|
|
gcm_bytes_to_longs(C_i, buf, blocksize);
|
|
GCM_XOR(C_i, ghash->X, arraysize);
|
|
/* multiply X = C_i * H */
|
|
PORT_Memset(ghash->X, 0, sizeof(ghash->X));
|
|
for (j=0; j < arraysize; j++) {
|
|
unsigned long H = ghash->H[j];
|
|
for (k=0; k < sizeof(unsigned long)*PR_BITS_PER_BYTE; k++) {
|
|
if (H & 1) {
|
|
GCM_XOR(ghash->X, C_i, arraysize);
|
|
}
|
|
if (gcm_shift_one(C_i, arraysize)) {
|
|
C_i[0] = C_i[0] ^ ghash->R;
|
|
}
|
|
H = H >> 1;
|
|
}
|
|
}
|
|
GCM_TRACE_X(ghash, "X%d = ")
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
|
|
static void
|
|
gcm_zeroX(gcmHashContext *ghash)
|
|
{
|
|
PORT_Memset(ghash->X, 0, sizeof(ghash->X));
|
|
ghash->m = 0;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* implement GCM GHASH using the freebl GHASH function. The gcm_HashMult
|
|
* function always takes blocksize lengths of data. gcmHash_Update will
|
|
* format the data properly.
|
|
*/
|
|
static SECStatus
|
|
gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf,
|
|
unsigned int len, unsigned int blocksize)
|
|
{
|
|
unsigned int blocks;
|
|
SECStatus rv;
|
|
|
|
ghash->cLen += (len*PR_BITS_PER_BYTE);
|
|
|
|
/* first deal with the current buffer of data. Try to fill it out so
|
|
* we can hash it */
|
|
if (ghash->bufLen) {
|
|
unsigned int needed = PR_MIN(len, blocksize - ghash->bufLen);
|
|
if (needed != 0) {
|
|
PORT_Memcpy(ghash->buffer+ghash->bufLen, buf, needed);
|
|
}
|
|
buf += needed;
|
|
len -= needed;
|
|
ghash->bufLen += needed;
|
|
if (len == 0) {
|
|
/* didn't add enough to hash the data, nothing more do do */
|
|
return SECSuccess;
|
|
}
|
|
PORT_Assert(ghash->bufLen == blocksize);
|
|
/* hash the buffer and clear it */
|
|
rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize);
|
|
PORT_Memset(ghash->buffer, 0, blocksize);
|
|
ghash->bufLen = 0;
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
}
|
|
/* now hash any full blocks remaining in the data stream */
|
|
blocks = len/blocksize;
|
|
if (blocks) {
|
|
rv = gcm_HashMult(ghash, buf, blocks, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
buf += blocks*blocksize;
|
|
len -= blocks*blocksize;
|
|
}
|
|
|
|
/* save any remainder in the buffer to be hashed with the next call */
|
|
if (len != 0) {
|
|
PORT_Memcpy(ghash->buffer, buf, len);
|
|
ghash->bufLen = len;
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* write out any partial blocks zero padded through the GHASH engine,
|
|
* save the lengths for the final completion of the hash
|
|
*/
|
|
static SECStatus
|
|
gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize)
|
|
{
|
|
int i;
|
|
SECStatus rv;
|
|
|
|
/* copy the previous counter to the upper block */
|
|
PORT_Memcpy(ghash->counterBuf, &ghash->counterBuf[GCM_HASH_LEN_LEN],
|
|
GCM_HASH_LEN_LEN);
|
|
/* copy the current counter in the lower block */
|
|
for (i=0; i < GCM_HASH_LEN_LEN; i++) {
|
|
ghash->counterBuf[GCM_HASH_LEN_LEN+i] =
|
|
(ghash->cLen >> ((GCM_HASH_LEN_LEN-1-i)*PR_BITS_PER_BYTE)) & 0xff;
|
|
}
|
|
ghash->cLen = 0;
|
|
|
|
/* now zero fill the buffer and hash the last block */
|
|
if (ghash->bufLen) {
|
|
PORT_Memset(ghash->buffer+ghash->bufLen, 0, blocksize - ghash->bufLen);
|
|
rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize);
|
|
PORT_Memset(ghash->buffer, 0, blocksize);
|
|
ghash->bufLen = 0;
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* This does the final sync, hashes the lengths, then returns
|
|
* "T", the hashed output.
|
|
*/
|
|
static SECStatus
|
|
gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf,
|
|
unsigned int *outlen, unsigned int maxout,
|
|
unsigned int blocksize)
|
|
{
|
|
unsigned char T[MAX_BLOCK_SIZE];
|
|
SECStatus rv;
|
|
|
|
rv = gcmHash_Sync(ghash, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
|
|
rv = gcm_HashMult(ghash, ghash->counterBuf, (GCM_HASH_LEN_LEN*2)/blocksize,
|
|
blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
|
|
GCM_TRACE_X(ghash, "GHASH(H,A,C) = ")
|
|
|
|
rv = gcm_getX(ghash, T, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
|
|
if (maxout > blocksize) maxout = blocksize;
|
|
PORT_Memcpy(outbuf, T, maxout);
|
|
*outlen = maxout;
|
|
return SECSuccess;
|
|
}
|
|
|
|
SECStatus
|
|
gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD,
|
|
unsigned int AADLen, unsigned int blocksize)
|
|
{
|
|
SECStatus rv;
|
|
|
|
ghash->cLen = 0;
|
|
PORT_Memset(ghash->counterBuf, 0, GCM_HASH_LEN_LEN*2);
|
|
ghash->bufLen = 0;
|
|
gcm_zeroX(ghash);
|
|
|
|
/* now kick things off by hashing the Additional Authenticated Data */
|
|
if (AADLen != 0) {
|
|
rv = gcmHash_Update(ghash, AAD, AADLen, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
rv = gcmHash_Sync(ghash, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/**************************************************************************
|
|
* Now implement the GCM using gcmHash and CTR *
|
|
**************************************************************************/
|
|
|
|
/* state to handle the full GCM operation (hash and counter) */
|
|
struct GCMContextStr {
|
|
gcmHashContext ghash_context;
|
|
CTRContext ctr_context;
|
|
unsigned long tagBits;
|
|
unsigned char tagKey[MAX_BLOCK_SIZE];
|
|
};
|
|
|
|
GCMContext *
|
|
GCM_CreateContext(void *context, freeblCipherFunc cipher,
|
|
const unsigned char *params, unsigned int blocksize)
|
|
{
|
|
GCMContext *gcm = NULL;
|
|
gcmHashContext *ghash;
|
|
unsigned char H[MAX_BLOCK_SIZE];
|
|
unsigned int tmp;
|
|
PRBool freeCtr = PR_FALSE;
|
|
PRBool freeHash = PR_FALSE;
|
|
const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
|
|
CK_AES_CTR_PARAMS ctrParams;
|
|
SECStatus rv;
|
|
|
|
if (blocksize > MAX_BLOCK_SIZE || blocksize > sizeof(ctrParams.cb)) {
|
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
return NULL;
|
|
}
|
|
gcm = PORT_ZNew(GCMContext);
|
|
if (gcm == NULL) {
|
|
return NULL;
|
|
}
|
|
/* first fill in the ghash context */
|
|
ghash = &gcm->ghash_context;
|
|
PORT_Memset(H, 0, blocksize);
|
|
rv = (*cipher)(context, H, &tmp, blocksize, H, blocksize, blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
rv = gcmHash_InitContext(ghash, H, blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
freeHash = PR_TRUE;
|
|
|
|
/* fill in the Counter context */
|
|
ctrParams.ulCounterBits = 32;
|
|
PORT_Memset(ctrParams.cb, 0, sizeof(ctrParams.cb));
|
|
if ((blocksize == 16) && (gcmParams->ulIvLen == 12)) {
|
|
PORT_Memcpy(ctrParams.cb, gcmParams->pIv, gcmParams->ulIvLen);
|
|
ctrParams.cb[blocksize-1] = 1;
|
|
} else {
|
|
rv = gcmHash_Update(ghash, gcmParams->pIv, gcmParams->ulIvLen,
|
|
blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, blocksize, blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
}
|
|
rv = CTR_InitContext(&gcm->ctr_context, context, cipher,
|
|
(unsigned char *)&ctrParams, blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
freeCtr = PR_TRUE;
|
|
|
|
/* fill in the gcm structure */
|
|
gcm->tagBits = gcmParams->ulTagBits; /* save for final step */
|
|
/* calculate the final tag key. NOTE: gcm->tagKey is zero to start with.
|
|
* if this assumption changes, we would need to explicitly clear it here */
|
|
rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, blocksize,
|
|
gcm->tagKey, blocksize, blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
|
|
/* finally mix in the AAD data */
|
|
rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen, blocksize);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
|
|
return gcm;
|
|
|
|
loser:
|
|
if (freeCtr) {
|
|
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
|
|
}
|
|
if (freeHash) {
|
|
gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE);
|
|
}
|
|
if (gcm) {
|
|
PORT_Free(gcm);
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
void
|
|
GCM_DestroyContext(GCMContext *gcm, PRBool freeit)
|
|
{
|
|
/* these two are statically allocated and will be freed when we free
|
|
* gcm. call their destroy functions to free up any locally
|
|
* allocated data (like mp_int's) */
|
|
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
|
|
gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE);
|
|
if (freeit) {
|
|
PORT_Free(gcm);
|
|
}
|
|
}
|
|
|
|
static SECStatus
|
|
gcm_GetTag(GCMContext *gcm, unsigned char *outbuf,
|
|
unsigned int *outlen, unsigned int maxout,
|
|
unsigned int blocksize)
|
|
{
|
|
unsigned int tagBytes;
|
|
unsigned int extra;
|
|
unsigned int i;
|
|
SECStatus rv;
|
|
|
|
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
|
|
extra = tagBytes*PR_BITS_PER_BYTE - gcm->tagBits;
|
|
|
|
if (outbuf == NULL) {
|
|
*outlen = tagBytes;
|
|
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
|
return SECFailure;
|
|
}
|
|
|
|
if (maxout < tagBytes) {
|
|
*outlen = tagBytes;
|
|
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
|
return SECFailure;
|
|
}
|
|
maxout = tagBytes;
|
|
rv = gcmHash_Final(&gcm->ghash_context, outbuf, outlen, maxout, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
|
|
GCM_TRACE_BLOCK("GHASH=", outbuf, blocksize);
|
|
GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize);
|
|
for (i=0; i < *outlen; i++) {
|
|
outbuf[i] ^= gcm->tagKey[i];
|
|
}
|
|
GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize);
|
|
GCM_TRACE_BLOCK("T=", outbuf, blocksize);
|
|
/* mask off any extra bits we got */
|
|
if (extra) {
|
|
outbuf[tagBytes-1] &= ~((1 << extra)-1);
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
|
|
/*
|
|
* See The Galois/Counter Mode of Operation, McGrew and Viega.
|
|
* GCM is basically counter mode with a specific initialization and
|
|
* built in macing operation.
|
|
*/
|
|
SECStatus
|
|
GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf,
|
|
unsigned int *outlen, unsigned int maxout,
|
|
const unsigned char *inbuf, unsigned int inlen,
|
|
unsigned int blocksize)
|
|
{
|
|
SECStatus rv;
|
|
unsigned int tagBytes;
|
|
unsigned int len;
|
|
|
|
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
|
|
if (UINT_MAX - inlen < tagBytes) {
|
|
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
return SECFailure;
|
|
}
|
|
if (maxout < inlen + tagBytes) {
|
|
*outlen = inlen + tagBytes;
|
|
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
|
return SECFailure;
|
|
}
|
|
|
|
rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
|
inbuf, inlen, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
rv = gcmHash_Update(&gcm->ghash_context, outbuf, *outlen, blocksize);
|
|
if (rv != SECSuccess) {
|
|
PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */
|
|
*outlen = 0;
|
|
return SECFailure;
|
|
}
|
|
rv = gcm_GetTag(gcm, outbuf + *outlen, &len, maxout - *outlen, blocksize);
|
|
if (rv != SECSuccess) {
|
|
PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */
|
|
*outlen = 0;
|
|
return SECFailure;
|
|
};
|
|
*outlen += len;
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* See The Galois/Counter Mode of Operation, McGrew and Viega.
|
|
* GCM is basically counter mode with a specific initialization and
|
|
* built in macing operation. NOTE: the only difference between Encrypt
|
|
* and Decrypt is when we calculate the mac. That is because the mac must
|
|
* always be calculated on the cipher text, not the plain text, so for
|
|
* encrypt, we do the CTR update first and for decrypt we do the mac first.
|
|
*/
|
|
SECStatus
|
|
GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
|
|
unsigned int *outlen, unsigned int maxout,
|
|
const unsigned char *inbuf, unsigned int inlen,
|
|
unsigned int blocksize)
|
|
{
|
|
SECStatus rv;
|
|
unsigned int tagBytes;
|
|
unsigned char tag[MAX_BLOCK_SIZE];
|
|
const unsigned char *intag;
|
|
unsigned int len;
|
|
|
|
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
|
|
|
|
/* get the authentication block */
|
|
if (inlen < tagBytes) {
|
|
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
return SECFailure;
|
|
}
|
|
|
|
inlen -= tagBytes;
|
|
intag = inbuf + inlen;
|
|
|
|
/* verify the block */
|
|
rv = gcmHash_Update(&gcm->ghash_context, inbuf, inlen, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
rv = gcm_GetTag(gcm, tag, &len, blocksize, blocksize);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
/* Don't decrypt if we can't authenticate the encrypted data!
|
|
* This assumes that if tagBits is not a multiple of 8, intag will
|
|
* preserve the masked off missing bits. */
|
|
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
|
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
|
return SECFailure;
|
|
}
|
|
/* finish the decryption */
|
|
return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
|
inbuf, inlen, blocksize);
|
|
}
|