fix(mbedtls/gcm): Add support for software fallback for non-AES ciphers in a GCM operation

Harshal5 · Harshal5 · commit 2c85399da0eb · 2024-03-12T13:35:49.000+05:30
- Even if the config MBEDTLS_HARDWARE_AES is enabled, we now support fallback
to software implementation of GCM operations when non-AES ciphers are used.
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
@@ -402,6 +402,29 @@ menu "mbedTLS"
             mbedTLS will still use the hardware accelerated AES block operation, but
             on a single block at a time.
 
+    config MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER
+        bool "Enable support for non-AES ciphers in GCM operation"
+        depends on MBEDTLS_HARDWARE_AES
+        default n
+        help
+            Enable this config to support fallback to software definitions for a non-AES
+            cipher GCM operation as we support hardware acceleration only for AES cipher.
+            Some of the non-AES ciphers used in a GCM operation are DES, ARIA, CAMELLIA,
+            CHACHA20, BLOWFISH.
+
+            If this config is disabled, performing a non-AES cipher GCM operation with
+            the config MBEDTLS_HARDWARE_AES enabled will result in calculation of an
+            AES-GCM operation instead for the given input values and thus could lead
+            to failure in certificate validation which would ultimately lead to a SSL
+            handshake failure.
+
+            This config being by-default enabled leads to an increase in binary size
+            footprint of ~2.5KB.
+            In case you are sure that your use case (for example, client and server
+            configurations in case of a TLS handshake) would not involve any GCM
+            operations using a non-AES cipher, you can safely disable this config,
+            leading to reduction in binary size footprint.
+
     config MBEDTLS_HARDWARE_MPI
         bool "Enable hardware MPI (bignum) acceleration"
         default y
diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls
@@ -1 +1 @@
-Subproject commit 89cc7af4bb9cfaeac9c4aa08d1e8cf550fa0c155
+Subproject commit 09bba150d0d822aad2e58d71723f5407da5c21e0
diff --git a/components/mbedtls/port/aes/esp_aes_gcm.c b/components/mbedtls/port/aes/esp_aes_gcm.c
@@ -6,7 +6,7 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  *
- * SPDX-FileContributor: 2016-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileContributor: 2016-2024 Espressif Systems (Shanghai) CO LTD
  */
 /*
  *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
@@ -251,6 +251,27 @@ int esp_aes_gcm_setkey( esp_gcm_context *ctx,
                         const unsigned char *key,
                         unsigned int keybits )
 {
+    /* Fallback to software implementation of GCM operation when a non-AES
+     * cipher is selected, as we support hardware acceleration only for a
+     * GCM operation using AES cipher.
+     */
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        mbedtls_gcm_free_soft(ctx->ctx_soft);
+        free(ctx->ctx_soft);
+        ctx->ctx_soft = NULL;
+    }
+
+    if (cipher != MBEDTLS_CIPHER_ID_AES) {
+        ctx->ctx_soft = (mbedtls_gcm_context_soft*) malloc(sizeof(mbedtls_gcm_context_soft));
+        if (ctx->ctx_soft == NULL) {
+            return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+        }
+        mbedtls_gcm_init_soft(ctx->ctx_soft);
+        return mbedtls_gcm_setkey_soft(ctx->ctx_soft, cipher, key, keybits);
+    }
+#endif
+
 #if !SOC_AES_SUPPORT_AES_192
     if (keybits == 192) {
         return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
@@ -332,6 +353,14 @@ void esp_aes_gcm_free( esp_gcm_context *ctx)
     if (ctx == NULL) {
         return;
     }
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        mbedtls_gcm_free_soft(ctx->ctx_soft);
+        free(ctx->ctx_soft);
+        /* Note that the value of ctx->ctx_soft should be NULL'ed out
+        and here it is taken care by the bzero call below */
+    }
+#endif
     bzero(ctx, sizeof(esp_gcm_context));
 }
 
@@ -341,18 +370,24 @@ int esp_aes_gcm_starts( esp_gcm_context *ctx,
                         const unsigned char *iv,
                         size_t iv_len )
 {
+    if (!ctx) {
+        ESP_LOGE(TAG, "No AES context supplied");
+        return MBEDTLS_ERR_GCM_BAD_INPUT;
+    }
+
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        return mbedtls_gcm_starts_soft(ctx->ctx_soft, mode, iv, iv_len);
+    }
+#endif
+
     /* IV is limited to 2^32 bits, so 2^29 bytes */
     /* IV is not allowed to be zero length */
     if ( iv_len == 0 ||
             ( (uint32_t) iv_len  ) >> 29 != 0 ) {
         return ( MBEDTLS_ERR_GCM_BAD_INPUT );
     }
 
-    if (!ctx) {
-        ESP_LOGE(TAG, "No AES context supplied");
-        return MBEDTLS_ERR_GCM_BAD_INPUT;
-    }
-
     if (!iv) {
         ESP_LOGE(TAG, "No IV supplied");
         return MBEDTLS_ERR_GCM_BAD_INPUT;
@@ -407,16 +442,22 @@ int esp_aes_gcm_update_ad( esp_gcm_context *ctx,
                            const unsigned char *aad,
                            size_t aad_len )
 {
-    /* AD are limited to 2^32 bits, so 2^29 bytes */
-    if ( ( (uint32_t) aad_len ) >> 29 != 0 ) {
-        return ( MBEDTLS_ERR_GCM_BAD_INPUT );
-    }
-
     if (!ctx) {
         ESP_LOGE(TAG, "No AES context supplied");
         return MBEDTLS_ERR_GCM_BAD_INPUT;
     }
 
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        return mbedtls_gcm_update_ad_soft(ctx->ctx_soft, aad, aad_len);
+    }
+#endif
+
+    /* AD are limited to 2^32 bits, so 2^29 bytes */
+    if ( ( (uint32_t) aad_len ) >> 29 != 0 ) {
+        return ( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
     if ( (aad_len > 0) && !aad) {
         ESP_LOGE(TAG, "No aad supplied");
         return MBEDTLS_ERR_GCM_BAD_INPUT;
@@ -442,6 +483,17 @@ int esp_aes_gcm_update( esp_gcm_context *ctx,
                         unsigned char *output, size_t output_size,
                         size_t *output_length )
 {
+    if (!ctx) {
+        ESP_LOGE(TAG, "No GCM context supplied");
+        return MBEDTLS_ERR_GCM_BAD_INPUT;
+    }
+
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        return mbedtls_gcm_update_soft(ctx->ctx_soft, input, input_length, output, output_size, output_length);
+    }
+#endif
+
     size_t nc_off = 0;
     uint8_t nonce_counter[AES_BLOCK_BYTES] = {0};
     uint8_t stream[AES_BLOCK_BYTES] = {0};
@@ -452,10 +504,6 @@ int esp_aes_gcm_update( esp_gcm_context *ctx,
     }
     *output_length = input_length;
 
-    if (!ctx) {
-        ESP_LOGE(TAG, "No GCM context supplied");
-        return MBEDTLS_ERR_GCM_BAD_INPUT;
-    }
     if (!input) {
         ESP_LOGE(TAG, "No input supplied");
         return MBEDTLS_ERR_GCM_BAD_INPUT;
@@ -512,6 +560,11 @@ int esp_aes_gcm_finish( esp_gcm_context *ctx,
                         size_t *output_length,
                         unsigned char *tag, size_t tag_len )
 {
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        return mbedtls_gcm_finish_soft(ctx->ctx_soft, output, output_size, output_length, tag, tag_len);
+    }
+#endif
     size_t nc_off = 0;
     uint8_t len_block[AES_BLOCK_BYTES] = {0};
     uint8_t stream[AES_BLOCK_BYTES] = {0};
@@ -607,6 +660,16 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
                                size_t tag_len,
                                unsigned char *tag )
 {
+    if (!ctx) {
+        ESP_LOGE(TAG, "No AES context supplied");
+        return MBEDTLS_ERR_GCM_BAD_INPUT;
+    }
+
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        return mbedtls_gcm_crypt_and_tag_soft(ctx->ctx_soft, mode, length, iv, iv_len, aad, aad_len, input, output, tag_len, tag);
+    }
+#endif
 #if CONFIG_MBEDTLS_HARDWARE_GCM
     int ret;
     lldesc_t aad_desc[2] = {};
@@ -635,11 +698,6 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
         return ( MBEDTLS_ERR_GCM_BAD_INPUT );
     }
 
-    if (!ctx) {
-        ESP_LOGE(TAG, "No AES context supplied");
-        return MBEDTLS_ERR_GCM_BAD_INPUT;
-    }
-
     if (!iv) {
         ESP_LOGE(TAG, "No IV supplied");
         return MBEDTLS_ERR_GCM_BAD_INPUT;
@@ -727,6 +785,11 @@ int esp_aes_gcm_auth_decrypt( esp_gcm_context *ctx,
                               const unsigned char *input,
                               unsigned char *output )
 {
+#if defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+    if (ctx->ctx_soft != NULL) {
+        return mbedtls_gcm_auth_decrypt_soft(ctx->ctx_soft, length, iv, iv_len, aad, aad_len, tag, tag_len, input, output);
+    }
+#endif
     int ret;
     unsigned char check_tag[16];
     size_t i;
diff --git a/components/mbedtls/port/include/aes/esp_aes_gcm.h b/components/mbedtls/port/include/aes/esp_aes_gcm.h
@@ -42,6 +42,8 @@ typedef struct {
     const unsigned char *aad;             /*!< The additional data. */
     esp_aes_context aes_ctx;
     esp_aes_gcm_state gcm_state;
+    /* Software context needed for soft fallback for non-AES ciphers */
+    void *ctx_soft;
 } esp_gcm_context;
 
 
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -155,6 +155,12 @@
 
 #ifdef CONFIG_MBEDTLS_HARDWARE_AES
 #define MBEDTLS_GCM_ALT
+#ifdef CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER
+    /* Prefer hardware and fallback to software */
+    #define MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK
+#else
+    #undef MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK
+#endif
 #endif
 
 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support
diff --git a/components/mbedtls/port/include/mbedtls/gcm.h b/components/mbedtls/port/include/mbedtls/gcm.h
@@ -0,0 +1,81 @@
+/*
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#pragma once
+
+#include_next "mbedtls/gcm.h"
+#include "sdkconfig.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_GCM_ALT) && defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
+
+/**
+ * When the MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK is defined, for non-AES GCM
+ * operations we need to fallback to the software function definitions of the
+ * mbedtls GCM layer.
+ * Thus in this case we need declarations for the software funtions.
+ * Please refer mbedtls/include/mbedtls/gcm.h for function documentations
+ */
+
+void mbedtls_gcm_init_soft(mbedtls_gcm_context_soft *ctx);
+
+
+int mbedtls_gcm_setkey_soft(mbedtls_gcm_context_soft *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits);
+
+int mbedtls_gcm_starts_soft(mbedtls_gcm_context_soft *ctx,
+                            int mode,
+                            const unsigned char *iv, size_t iv_len);
+
+int mbedtls_gcm_update_ad_soft(mbedtls_gcm_context_soft *ctx,
+                            const unsigned char *add, size_t add_len);
+
+int mbedtls_gcm_update_soft(mbedtls_gcm_context_soft *ctx,
+                            const unsigned char *input, size_t input_length,
+                            unsigned char *output, size_t output_size,
+                            size_t *output_length);
+
+int mbedtls_gcm_finish_soft(mbedtls_gcm_context_soft *ctx,
+                            unsigned char *output, size_t output_size,
+                            size_t *output_length,
+                            unsigned char *tag, size_t tag_len);
+
+
+int mbedtls_gcm_crypt_and_tag_soft(mbedtls_gcm_context_soft *ctx,
+                                int mode,
+                                size_t length,
+                                const unsigned char *iv,
+                                size_t iv_len,
+                                const unsigned char *add,
+                                size_t add_len,
+                                const unsigned char *input,
+                                unsigned char *output,
+                                size_t tag_len,
+                                unsigned char *tag);
+
+
+int mbedtls_gcm_auth_decrypt_soft(mbedtls_gcm_context_soft *ctx,
+                                size_t length,
+                                const unsigned char *iv,
+                                size_t iv_len,
+                                const unsigned char *add,
+                                size_t add_len,
+                                const unsigned char *tag,
+                                size_t tag_len,
+                                const unsigned char *input,
+                                unsigned char *output);
+
+void mbedtls_gcm_free_soft(mbedtls_gcm_context_soft *ctx);
+
+#endif /* MBEDTLS_GCM_ALT && MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK*/
+
+#ifdef __cplusplus
+}
+#endif
