[thirdparty/openssl.git] / crypto / modes / ocb128.c

/*
 * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include "modes_lcl.h"

#ifndef OPENSSL_NO_OCB

/*
 * Calculate the number of binary trailing zero's in any given number
 */
static u32 ocb_ntz(u64 n)
{
    u32 cnt = 0;

    /*
     * We do a right-to-left simple sequential search. This is surprisingly
     * efficient as the distribution of trailing zeros is not uniform,
     * e.g. the number of possible inputs with no trailing zeros is equal to
     * the number with 1 or more; the number with exactly 1 is equal to the
     * number with 2 or more, etc. Checking the last two bits covers 75% of
     * all numbers. Checking the last three covers 87.5%
     */
    while (!(n & 1)) {
        n >>= 1;
        cnt++;
    }
    return cnt;
}

/*
 * Shift a block of 16 bytes left by shift bits
 */
static void ocb_block_lshift(const unsigned char *in, size_t shift,
                             unsigned char *out)
{
    unsigned char shift_mask;
    int i;
    unsigned char mask[15];

    shift_mask = 0xff;
    shift_mask <<= (8 - shift);
    for (i = 15; i >= 0; i--) {
        if (i > 0) {
            mask[i - 1] = in[i] & shift_mask;
            mask[i - 1] >>= 8 - shift;
        }
        out[i] = in[i] << shift;

        if (i != 15) {
            out[i] ^= mask[i];
        }
    }
}

/*
 * Perform a "double" operation as per OCB spec
 */
static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out)
{
    unsigned char mask;

    /*
     * Calculate the mask based on the most significant bit. There are more
     * efficient ways to do this - but this way is constant time
     */
    mask = in->c[0] & 0x80;
    mask >>= 7;
    mask *= 135;

    ocb_block_lshift(in->c, 1, out->c);

    out->c[15] ^= mask;
}

/*
 * Perform an xor on in1 and in2 - each of len bytes. Store result in out
 */
static void ocb_block_xor(const unsigned char *in1,
                          const unsigned char *in2, size_t len,
                          unsigned char *out)
{
    size_t i;
    for (i = 0; i < len; i++) {
        out[i] = in1[i] ^ in2[i];
    }
}

/*
 * Lookup L_index in our lookup table. If we haven't already got it we need to
 * calculate it
 */
static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
{
    size_t l_index = ctx->l_index;

    if (idx <= l_index) {
        return ctx->l + idx;
    }

    /* We don't have it - so calculate it */
    if (idx >= ctx->max_l_index) {
        void *tmp_ptr;
        /*
         * Each additional entry allows to process almost double as
         * much data, so that in linear world the table will need to
         * be expanded with smaller and smaller increments. Originally
         * it was doubling in size, which was a waste. Growing it
         * linearly is not formally optimal, but is simpler to implement.
         * We grow table by minimally required 4*n that would accommodate
         * the index.
         */
        ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
        tmp_ptr =
            OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
        if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
            return NULL;
        ctx->l = tmp_ptr;
    }
    while (l_index < idx) {
        ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
        l_index++;
    }
    ctx->l_index = l_index;

    return ctx->l + idx;
}

/*
 * Create a new OCB128_CONTEXT
 */
OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec,
                                  block128_f encrypt, block128_f decrypt,
                                  ocb128_f stream)
{
    OCB128_CONTEXT *octx;
    int ret;

    if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
        ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
                                 stream);
        if (ret)
            return octx;
        OPENSSL_free(octx);
    }

    return NULL;
}

/*
 * Initialise an existing OCB128_CONTEXT
 */
int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec,
                       block128_f encrypt, block128_f decrypt,
                       ocb128_f stream)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->l_index = 0;
    ctx->max_l_index = 5;
    if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL) {
        CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_INIT, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    /*
     * We set both the encryption and decryption key schedules - decryption
     * needs both. Don't really need decryption schedule if only doing
     * encryption - but it simplifies things to take it anyway
     */
    ctx->encrypt = encrypt;
    ctx->decrypt = decrypt;
    ctx->stream = stream;
    ctx->keyenc = keyenc;
    ctx->keydec = keydec;

    /* L_* = ENCIPHER(K, zeros(128)) */
    ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);

    /* L_$ = double(L_*) */
    ocb_double(&ctx->l_star, &ctx->l_dollar);

    /* L_0 = double(L_$) */
    ocb_double(&ctx->l_dollar, ctx->l);

    /* L_{i} = double(L_{i-1}) */
    ocb_double(ctx->l, ctx->l+1);
    ocb_double(ctx->l+1, ctx->l+2);
    ocb_double(ctx->l+2, ctx->l+3);
    ocb_double(ctx->l+3, ctx->l+4);
    ctx->l_index = 4;   /* enough to process up to 496 bytes */

    return 1;
}

/*
 * Copy an OCB128_CONTEXT object
 */
int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src,
                           void *keyenc, void *keydec)
{
    memcpy(dest, src, sizeof(OCB128_CONTEXT));
    if (keyenc)
        dest->keyenc = keyenc;
    if (keydec)
        dest->keydec = keydec;
    if (src->l) {
        if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL) {
            CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_COPY_CTX, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        memcpy(dest->l, src->l, (src->l_index + 1) * 16);
    }
    return 1;
}

/*
 * Set the IV to be used for this operation. Must be 1 - 15 bytes.
 */
int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv,
                        size_t len, size_t taglen)
{
    unsigned char ktop[16], tmp[16], mask;
    unsigned char stretch[24], nonce[16];
    size_t bottom, shift;

    /*
     * Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
     * We don't support this at this stage
     */
    if ((len > 15) || (len < 1) || (taglen > 16) || (taglen < 1)) {
        return -1;
    }

    /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */
    nonce[0] = ((taglen * 8) % 128) << 1;
    memset(nonce + 1, 0, 15);
    memcpy(nonce + 16 - len, iv, len);
    nonce[15 - len] |= 1;

    /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */
    memcpy(tmp, nonce, 16);
    tmp[15] &= 0xc0;
    ctx->encrypt(tmp, ktop, ctx->keyenc);

    /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */
    memcpy(stretch, ktop, 16);
    ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);

    /* bottom = str2num(Nonce[123..128]) */
    bottom = nonce[15] & 0x3f;

    /* Offset_0 = Stretch[1+bottom..128+bottom] */
    shift = bottom % 8;
    ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c);
    mask = 0xff;
    mask <<= 8 - shift;
    ctx->offset.c[15] |=
        (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);

    return 1;
}

/*
 * Provide any AAD. This can be called multiple times. Only the final time can
 * have a partial block
 */
int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    u64 i, all_num_blocks;
    size_t num_blocks, last_len;
    OCB_BLOCK tmp;

    /* Calculate the number of blocks of AAD provided now, and so far */
    num_blocks = len / 16;
    all_num_blocks = num_blocks + ctx->blocks_hashed;

    /* Loop through all full blocks of AAD */
    for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) {
        OCB_BLOCK *lookup;

        /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
        lookup = ocb_lookup_l(ctx, ocb_ntz(i));
        if (lookup == NULL)
            return 0;
        ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad);

        memcpy(tmp.c, aad, 16);
        aad += 16;

        /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
        ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp);
        ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
        ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum);
    }

    /*
     * Check if we have any partial blocks left over. This is only valid in the
     * last call to this function
     */
    last_len = len % 16;

    if (last_len > 0) {
        /* Offset_* = Offset_m xor L_* */
        ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad);

        /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */
        memset(tmp.c, 0, 16);
        memcpy(tmp.c, aad, last_len);
        tmp.c[last_len] = 0x80;
        ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp);

        /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
        ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
        ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum);
    }

    ctx->blocks_hashed = all_num_blocks;

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called multiple times. Only
 * the final time can have a partial block
 */
int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    u64 i, all_num_blocks;
    size_t num_blocks, last_len;

    /*
     * Calculate the number of blocks of data to be encrypted provided now, and
     * so far
     */
    num_blocks = len / 16;
    all_num_blocks = num_blocks + ctx->blocks_processed;

    if (num_blocks && all_num_blocks == (size_t)all_num_blocks
        && ctx->stream != NULL) {
        size_t max_idx = 0, top = (size_t)all_num_blocks;

        /*
         * See how many L_{i} entries we need to process data at hand
         * and pre-compute missing entries in the table [if any]...
         */
        while (top >>= 1)
            max_idx++;
        if (ocb_lookup_l(ctx, max_idx) == NULL)
            return 0;

        ctx->stream(in, out, num_blocks, ctx->keyenc,
                    (size_t)ctx->blocks_processed + 1, ctx->offset.c,
                    (const unsigned char (*)[16])ctx->l, ctx->checksum.c);
    } else {
        /* Loop through all full blocks to be encrypted */
        for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
            OCB_BLOCK *lookup;
            OCB_BLOCK tmp;

            /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
            lookup = ocb_lookup_l(ctx, ocb_ntz(i));
            if (lookup == NULL)
                return 0;
            ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);

            memcpy(tmp.c, in, 16);
            in += 16;

            /* Checksum_i = Checksum_{i-1} xor P_i */
            ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum);

            /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
            ocb_block16_xor(&ctx->offset, &tmp, &tmp);
            ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
            ocb_block16_xor(&ctx->offset, &tmp, &tmp);

            memcpy(out, tmp.c, 16);
            out += 16;
        }
    }

    /*
     * Check if we have any partial blocks left over. This is only valid in the
     * last call to this function
     */
    last_len = len % 16;

    if (last_len > 0) {
        OCB_BLOCK pad;

        /* Offset_* = Offset_m xor L_* */
        ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);

        /* Pad = ENCIPHER(K, Offset_*) */
        ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);

        /* C_* = P_* xor Pad[1..bitlen(P_*)] */
        ocb_block_xor(in, pad.c, last_len, out);

        /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
        memset(pad.c, 0, 16);           /* borrow pad */
        memcpy(pad.c, in, last_len);
        pad.c[last_len] = 0x80;
        ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum);
    }

    ctx->blocks_processed = all_num_blocks;

    return 1;
}

/*
 * Provide any data to be decrypted. This can be called multiple times. Only
 * the final time can have a partial block
 */
int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    u64 i, all_num_blocks;
    size_t num_blocks, last_len;

    /*
     * Calculate the number of blocks of data to be decrypted provided now, and
     * so far
     */
    num_blocks = len / 16;
    all_num_blocks = num_blocks + ctx->blocks_processed;

    if (num_blocks && all_num_blocks == (size_t)all_num_blocks
        && ctx->stream != NULL) {
        size_t max_idx = 0, top = (size_t)all_num_blocks;

        /*
         * See how many L_{i} entries we need to process data at hand
         * and pre-compute missing entries in the table [if any]...
         */
        while (top >>= 1)
            max_idx++;
        if (ocb_lookup_l(ctx, max_idx) == NULL)
            return 0;

        ctx->stream(in, out, num_blocks, ctx->keydec,
                    (size_t)ctx->blocks_processed + 1, ctx->offset.c,
                    (const unsigned char (*)[16])ctx->l, ctx->checksum.c);
    } else {
        OCB_BLOCK tmp;

        /* Loop through all full blocks to be decrypted */
        for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {

            /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
            OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
            if (lookup == NULL)
                return 0;
            ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);

            memcpy(tmp.c, in, 16);
            in += 16;

            /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
            ocb_block16_xor(&ctx->offset, &tmp, &tmp);
            ctx->decrypt(tmp.c, tmp.c, ctx->keydec);
            ocb_block16_xor(&ctx->offset, &tmp, &tmp);

            /* Checksum_i = Checksum_{i-1} xor P_i */
            ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum);

            memcpy(out, tmp.c, 16);
            out += 16;
        }
    }

    /*
     * Check if we have any partial blocks left over. This is only valid in the
     * last call to this function
     */
    last_len = len % 16;

    if (last_len > 0) {
        OCB_BLOCK pad;

        /* Offset_* = Offset_m xor L_* */
        ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);

        /* Pad = ENCIPHER(K, Offset_*) */
        ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);

        /* P_* = C_* xor Pad[1..bitlen(C_*)] */
        ocb_block_xor(in, pad.c, last_len, out);

        /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
        memset(pad.c, 0, 16);           /* borrow pad */
        memcpy(pad.c, out, last_len);
        pad.c[last_len] = 0x80;
        ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum);
    }

    ctx->blocks_processed = all_num_blocks;

    return 1;
}

/*
 * Calculate the tag and verify it against the supplied tag
 */
int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag,
                         size_t len)
{
    OCB_BLOCK tmp;

    /*
     * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
     */
    ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp);
    ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp);
    ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
    ocb_block16_xor(&tmp, &ctx->sum, &ctx->tag);

    if (len > 16 || len < 1) {
        return -1;
    }

    /* Compare the tag if we've been given one */
    if (tag)
        return CRYPTO_memcmp(&ctx->tag, tag, len);
    else
        return -1;
}

/*
 * Retrieve the calculated tag
 */
int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len > 16 || len < 1) {
        return -1;
    }

    /* Calculate the tag */
    CRYPTO_ocb128_finish(ctx, NULL, 0);

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.c, len);

    return 1;
}

/*
 * Release all resources
 */
void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
{
    if (ctx) {
        OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
        OPENSSL_cleanse(ctx, sizeof(*ctx));
    }
}

#endif                          /* OPENSSL_NO_OCB */
Commit	Line	Data
4f22f405	1	/*
28428130	2	* Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
c857a80c	3	*
4f22f405 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
c857a80c MC	8	*/
	9
	10	#include <string.h>
	11	#include <openssl/crypto.h>
7de2b9c4	12	#include <openssl/err.h>
c857a80c MC	13	#include "modes_lcl.h"
c857a80c MC	14
3feb6305 MC	15	#ifndef OPENSSL_NO_OCB
3feb6305 MC	16
c857a80c MC	17	/*
	18	* Calculate the number of binary trailing zero's in any given number
	19	*/
	20	static u32 ocb_ntz(u64 n)
	21	{
	22	u32 cnt = 0;
	23
	24	/*
	25	* We do a right-to-left simple sequential search. This is surprisingly
	26	* efficient as the distribution of trailing zeros is not uniform,
	27	* e.g. the number of possible inputs with no trailing zeros is equal to
	28	* the number with 1 or more; the number with exactly 1 is equal to the
	29	* number with 2 or more, etc. Checking the last two bits covers 75% of
	30	* all numbers. Checking the last three covers 87.5%
	31	*/
	32	while (!(n & 1)) {
	33	n >>= 1;
	34	cnt++;
	35	}
	36	return cnt;
	37	}
	38
	39	/*
	40	* Shift a block of 16 bytes left by shift bits
	41	*/
1bbea403 AP	42	static void ocb_block_lshift(const unsigned char *in, size_t shift,
1bbea403 AP	43	unsigned char *out)
c857a80c MC	44	{
	45	unsigned char shift_mask;
	46	int i;
	47	unsigned char mask[15];
0f113f3e	48
c857a80c MC	49	shift_mask = 0xff;
	50	shift_mask <<= (8 - shift);
	51	for (i = 15; i >= 0; i--) {
	52	if (i > 0) {
1bbea403	53	mask[i - 1] = in[i] & shift_mask;
c857a80c MC	54	mask[i - 1] >>= 8 - shift;
c857a80c MC	55	}
1bbea403	56	out[i] = in[i] << shift;
c857a80c MC	57
c857a80c MC	58	if (i != 15) {
1bbea403	59	out[i] ^= mask[i];
c857a80c MC	60	}
	61	}
	62	}
	63
	64	/*
	65	* Perform a "double" operation as per OCB spec
	66	*/
	67	static void ocb_double(OCB_BLOCK in, OCB_BLOCK out)
	68	{
	69	unsigned char mask;
c857a80c MC	70
	71	/*
	72	* Calculate the mask based on the most significant bit. There are more
	73	* efficient ways to do this - but this way is constant time
	74	*/
81f3d632	75	mask = in->c[0] & 0x80;
c857a80c MC	76	mask >>= 7;
	77	mask *= 135;
	78
1bbea403	79	ocb_block_lshift(in->c, 1, out->c);
c857a80c	80
81f3d632	81	out->c[15] ^= mask;
c857a80c MC	82	}
	83
	84	/*
	85	* Perform an xor on in1 and in2 - each of len bytes. Store result in out
	86	*/
	87	static void ocb_block_xor(const unsigned char *in1,
	88	const unsigned char *in2, size_t len,
	89	unsigned char *out)
	90	{
	91	size_t i;
	92	for (i = 0; i < len; i++) {
	93	out[i] = in1[i] ^ in2[i];
	94	}
	95	}
	96
	97	/*
	98	* Lookup L_index in our lookup table. If we haven't already got it we need to
	99	* calculate it
	100	*/
55467a16	101	static OCB_BLOCK ocb_lookup_l(OCB128_CONTEXT ctx, size_t idx)
c857a80c	102	{
b9e3d7e0 AP	103	size_t l_index = ctx->l_index;
	104
	105	if (idx <= l_index) {
55467a16	106	return ctx->l + idx;
c857a80c MC	107	}
	108
	109	/* We don't have it - so calculate it */
b9e3d7e0	110	if (idx >= ctx->max_l_index) {
7c0ef843	111	void *tmp_ptr;
b9e3d7e0 AP	112	/*
	113	* Each additional entry allows to process almost double as
	114	* much data, so that in linear world the table will need to
	115	* be expanded with smaller and smaller increments. Originally
	116	* it was doubling in size, which was a waste. Growing it
	117	* linearly is not formally optimal, but is simpler to implement.
	118	* We grow table by minimally required 4*n that would accommodate
	119	* the index.
	120	*/
	121	ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
7c0ef843	122	tmp_ptr =
0f113f3e	123	OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
7c0ef843	124	if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
c857a80c	125	return NULL;
7c0ef843	126	ctx->l = tmp_ptr;
c857a80c	127	}
44bf7119	128	while (l_index < idx) {
b9e3d7e0 AP	129	ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
	130	l_index++;
	131	}
	132	ctx->l_index = l_index;
c857a80c	133
55467a16	134	return ctx->l + idx;
c857a80c MC	135	}
c857a80c MC	136
c857a80c MC	137	/*
	138	* Create a new OCB128_CONTEXT
	139	*/
	140	OCB128_CONTEXT CRYPTO_ocb128_new(void keyenc, void *keydec,
bd30091c AP	141	block128_f encrypt, block128_f decrypt,
bd30091c AP	142	ocb128_f stream)
c857a80c MC	143	{
	144	OCB128_CONTEXT *octx;
	145	int ret;
	146
90945fa3	147	if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
bd30091c AP	148	ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
bd30091c AP	149	stream);
c857a80c MC	150	if (ret)
	151	return octx;
	152	OPENSSL_free(octx);
	153	}
	154
	155	return NULL;
	156	}
	157
	158	/*
	159	* Initialise an existing OCB128_CONTEXT
	160	*/
	161	int CRYPTO_ocb128_init(OCB128_CONTEXT ctx, void keyenc, void *keydec,
bd30091c AP	162	block128_f encrypt, block128_f decrypt,
bd30091c AP	163	ocb128_f stream)
c857a80c	164	{
c857a80c	165	memset(ctx, 0, sizeof(*ctx));
c857a80c	166	ctx->l_index = 0;
b9e3d7e0	167	ctx->max_l_index = 5;
7de2b9c4 RS	168	if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL) {
7de2b9c4 RS	169	CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_INIT, ERR_R_MALLOC_FAILURE);
c857a80c	170	return 0;
7de2b9c4	171	}
c857a80c MC	172
	173	/*
	174	* We set both the encryption and decryption key schedules - decryption
	175	* needs both. Don't really need decryption schedule if only doing
	176	* encryption - but it simplifies things to take it anyway
	177	*/
	178	ctx->encrypt = encrypt;
	179	ctx->decrypt = decrypt;
bd30091c	180	ctx->stream = stream;
c857a80c MC	181	ctx->keyenc = keyenc;
	182	ctx->keydec = keydec;
	183
	184	/* L_* = ENCIPHER(K, zeros(128)) */
bd30091c	185	ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);
c857a80c MC	186
	187	/* L_$ = double(L_) /
	188	ocb_double(&ctx->l_star, &ctx->l_dollar);
	189
	190	/* L_0 = double(L_$) */
	191	ocb_double(&ctx->l_dollar, ctx->l);
	192
b9e3d7e0 AP	193	/* L_{i} = double(L_{i-1}) */
	194	ocb_double(ctx->l, ctx->l+1);
	195	ocb_double(ctx->l+1, ctx->l+2);
	196	ocb_double(ctx->l+2, ctx->l+3);
	197	ocb_double(ctx->l+3, ctx->l+4);
	198	ctx->l_index = 4; /* enough to process up to 496 bytes */
	199
c857a80c MC	200	return 1;
	201	}
	202
	203	/*
	204	* Copy an OCB128_CONTEXT object
	205	*/
0f113f3e	206	int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT dest, OCB128_CONTEXT src,
c857a80c MC	207	void keyenc, void keydec)
	208	{
	209	memcpy(dest, src, sizeof(OCB128_CONTEXT));
	210	if (keyenc)
	211	dest->keyenc = keyenc;
	212	if (keydec)
	213	dest->keydec = keydec;
	214	if (src->l) {
7de2b9c4 RS	215	if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL) {
7de2b9c4 RS	216	CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_COPY_CTX, ERR_R_MALLOC_FAILURE);
c857a80c	217	return 0;
7de2b9c4	218	}
c857a80c MC	219	memcpy(dest->l, src->l, (src->l_index + 1) * 16);
	220	}
	221	return 1;
	222	}
	223
	224	/*
	225	* Set the IV to be used for this operation. Must be 1 - 15 bytes.
	226	*/
0f113f3e	227	int CRYPTO_ocb128_setiv(OCB128_CONTEXT ctx, const unsigned char iv,
c857a80c MC	228	size_t len, size_t taglen)
	229	{
	230	unsigned char ktop[16], tmp[16], mask;
	231	unsigned char stretch[24], nonce[16];
	232	size_t bottom, shift;
c857a80c MC	233
	234	/*
	235	* Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
02e112a8	236	* We don't support this at this stage
c857a80c MC	237	*/
	238	if ((len > 15) \|\| (len < 1) \|\| (taglen > 16) \|\| (taglen < 1)) {
	239	return -1;
	240	}
	241
	242	/* Nonce = num2str(TAGLEN mod 128,7) \|\| zeros(120-bitlen(N)) \|\| 1 \|\| N */
	243	nonce[0] = ((taglen * 8) % 128) << 1;
	244	memset(nonce + 1, 0, 15);
	245	memcpy(nonce + 16 - len, iv, len);
	246	nonce[15 - len] \|= 1;
	247
	248	/* Ktop = ENCIPHER(K, Nonce[1..122] \|\| zeros(6)) */
	249	memcpy(tmp, nonce, 16);
	250	tmp[15] &= 0xc0;
	251	ctx->encrypt(tmp, ktop, ctx->keyenc);
	252
	253	/* Stretch = Ktop \|\| (Ktop[1..64] xor Ktop[9..72]) */
	254	memcpy(stretch, ktop, 16);
	255	ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);
	256
	257	/* bottom = str2num(Nonce[123..128]) */
	258	bottom = nonce[15] & 0x3f;
	259
	260	/* Offset_0 = Stretch[1+bottom..128+bottom] */
	261	shift = bottom % 8;
1bbea403	262	ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c);
c857a80c MC	263	mask = 0xff;
c857a80c MC	264	mask <<= 8 - shift;
81f3d632	265	ctx->offset.c[15] \|=
0f113f3e	266	(*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);
c857a80c MC	267
	268	return 1;
	269	}
	270
	271	/*
	272	* Provide any AAD. This can be called multiple times. Only the final time can
	273	* have a partial block
	274	*/
0f113f3e	275	int CRYPTO_ocb128_aad(OCB128_CONTEXT ctx, const unsigned char aad,
c857a80c MC	276	size_t len)
c857a80c MC	277	{
bd30091c AP	278	u64 i, all_num_blocks;
bd30091c AP	279	size_t num_blocks, last_len;
14bb100b	280	OCB_BLOCK tmp;
0f113f3e	281
c857a80c MC	282	/* Calculate the number of blocks of AAD provided now, and so far */
	283	num_blocks = len / 16;
	284	all_num_blocks = num_blocks + ctx->blocks_hashed;
	285
	286	/* Loop through all full blocks of AAD */
	287	for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) {
	288	OCB_BLOCK *lookup;
0f113f3e	289
c857a80c MC	290	/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
c857a80c MC	291	lookup = ocb_lookup_l(ctx, ocb_ntz(i));
bd30091c	292	if (lookup == NULL)
c857a80c MC	293	return 0;
	294	ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad);
	295
14bb100b AP	296	memcpy(tmp.c, aad, 16);
	297	aad += 16;
	298
c857a80c	299	/* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
14bb100b AP	300	ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp);
	301	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
	302	ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum);
c857a80c MC	303	}
	304
	305	/*
	306	* Check if we have any partial blocks left over. This is only valid in the
	307	* last call to this function
	308	*/
	309	last_len = len % 16;
	310
	311	if (last_len > 0) {
	312	/* Offset_* = Offset_m xor L_* */
	313	ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad);
	314
	315	/* CipherInput = (A_* \|\| 1 \|\| zeros(127-bitlen(A_))) xor Offset_ */
14bb100b AP	316	memset(tmp.c, 0, 16);
	317	memcpy(tmp.c, aad, last_len);
	318	tmp.c[last_len] = 0x80;
	319	ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp);
c857a80c MC	320
c857a80c MC	321	/* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
14bb100b AP	322	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
14bb100b AP	323	ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum);
c857a80c MC	324	}
	325
	326	ctx->blocks_hashed = all_num_blocks;
	327
	328	return 1;
	329	}
	330
	331	/*
	332	* Provide any data to be encrypted. This can be called multiple times. Only
	333	* the final time can have a partial block
	334	*/
0f113f3e	335	int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
c857a80c MC	336	const unsigned char in, unsigned char out,
	337	size_t len)
	338	{
bd30091c AP	339	u64 i, all_num_blocks;
bd30091c AP	340	size_t num_blocks, last_len;
c857a80c MC	341
	342	/*
	343	* Calculate the number of blocks of data to be encrypted provided now, and
	344	* so far
	345	*/
	346	num_blocks = len / 16;
	347	all_num_blocks = num_blocks + ctx->blocks_processed;
	348
bd30091c AP	349	if (num_blocks && all_num_blocks == (size_t)all_num_blocks
	350	&& ctx->stream != NULL) {
	351	size_t max_idx = 0, top = (size_t)all_num_blocks;
0f113f3e	352
bd30091c AP	353	/*
	354	* See how many L_{i} entries we need to process data at hand
	355	* and pre-compute missing entries in the table [if any]...
	356	*/
	357	while (top >>= 1)
	358	max_idx++;
	359	if (ocb_lookup_l(ctx, max_idx) == NULL)
c857a80c	360	return 0;
c857a80c	361
bd30091c AP	362	ctx->stream(in, out, num_blocks, ctx->keyenc,
	363	(size_t)ctx->blocks_processed + 1, ctx->offset.c,
	364	(const unsigned char (*)[16])ctx->l, ctx->checksum.c);
	365	} else {
	366	/* Loop through all full blocks to be encrypted */
	367	for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
	368	OCB_BLOCK *lookup;
14bb100b	369	OCB_BLOCK tmp;
bd30091c AP	370
	371	/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
	372	lookup = ocb_lookup_l(ctx, ocb_ntz(i));
	373	if (lookup == NULL)
	374	return 0;
	375	ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);
	376
14bb100b AP	377	memcpy(tmp.c, in, 16);
	378	in += 16;
	379
bd30091c	380	/* Checksum_i = Checksum_{i-1} xor P_i */
14bb100b AP	381	ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum);
	382
	383	/* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
	384	ocb_block16_xor(&ctx->offset, &tmp, &tmp);
	385	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
	386	ocb_block16_xor(&ctx->offset, &tmp, &tmp);
	387
	388	memcpy(out, tmp.c, 16);
	389	out += 16;
bd30091c	390	}
c857a80c MC	391	}
	392
	393	/*
	394	* Check if we have any partial blocks left over. This is only valid in the
	395	* last call to this function
	396	*/
	397	last_len = len % 16;
	398
	399	if (last_len > 0) {
14bb100b AP	400	OCB_BLOCK pad;
14bb100b AP	401
c857a80c MC	402	/* Offset_* = Offset_m xor L_* */
	403	ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);
	404
	405	/* Pad = ENCIPHER(K, Offset_) /
bd30091c	406	ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);
c857a80c MC	407
c857a80c MC	408	/* C_* = P_* xor Pad[1..bitlen(P_)] /
14bb100b	409	ocb_block_xor(in, pad.c, last_len, out);
c857a80c MC	410
c857a80c MC	411	/* Checksum_* = Checksum_m xor (P_* \|\| 1 \|\| zeros(127-bitlen(P_))) /
14bb100b AP	412	memset(pad.c, 0, 16); /* borrow pad */
	413	memcpy(pad.c, in, last_len);
	414	pad.c[last_len] = 0x80;
	415	ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum);
c857a80c MC	416	}
	417
	418	ctx->blocks_processed = all_num_blocks;
	419
	420	return 1;
	421	}
	422
	423	/*
	424	* Provide any data to be decrypted. This can be called multiple times. Only
	425	* the final time can have a partial block
	426	*/
0f113f3e	427	int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
c857a80c MC	428	const unsigned char in, unsigned char out,
	429	size_t len)
	430	{
bd30091c AP	431	u64 i, all_num_blocks;
bd30091c AP	432	size_t num_blocks, last_len;
bd30091c	433
c857a80c MC	434	/*
	435	* Calculate the number of blocks of data to be decrypted provided now, and
	436	* so far
	437	*/
	438	num_blocks = len / 16;
	439	all_num_blocks = num_blocks + ctx->blocks_processed;
	440
bd30091c AP	441	if (num_blocks && all_num_blocks == (size_t)all_num_blocks
	442	&& ctx->stream != NULL) {
	443	size_t max_idx = 0, top = (size_t)all_num_blocks;
0f113f3e	444
bd30091c AP	445	/*
	446	* See how many L_{i} entries we need to process data at hand
	447	* and pre-compute missing entries in the table [if any]...
	448	*/
	449	while (top >>= 1)
	450	max_idx++;
	451	if (ocb_lookup_l(ctx, max_idx) == NULL)
c857a80c	452	return 0;
bd30091c AP	453
	454	ctx->stream(in, out, num_blocks, ctx->keydec,
	455	(size_t)ctx->blocks_processed + 1, ctx->offset.c,
	456	(const unsigned char (*)[16])ctx->l, ctx->checksum.c);
	457	} else {
14bb100b AP	458	OCB_BLOCK tmp;
14bb100b AP	459
bd30091c AP	460	/* Loop through all full blocks to be decrypted */
bd30091c AP	461	for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
bd30091c AP	462
	463	/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
	464	OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
	465	if (lookup == NULL)
	466	return 0;
	467	ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);
	468
14bb100b AP	469	memcpy(tmp.c, in, 16);
	470	in += 16;
	471
bd30091c	472	/* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
14bb100b AP	473	ocb_block16_xor(&ctx->offset, &tmp, &tmp);
	474	ctx->decrypt(tmp.c, tmp.c, ctx->keydec);
	475	ocb_block16_xor(&ctx->offset, &tmp, &tmp);
bd30091c AP	476
bd30091c AP	477	/* Checksum_i = Checksum_{i-1} xor P_i */
14bb100b AP	478	ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum);
	479
	480	memcpy(out, tmp.c, 16);
	481	out += 16;
bd30091c	482	}
c857a80c MC	483	}
	484
	485	/*
	486	* Check if we have any partial blocks left over. This is only valid in the
	487	* last call to this function
	488	*/
	489	last_len = len % 16;
	490
	491	if (last_len > 0) {
14bb100b AP	492	OCB_BLOCK pad;
14bb100b AP	493
c857a80c MC	494	/* Offset_* = Offset_m xor L_* */
	495	ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);
	496
	497	/* Pad = ENCIPHER(K, Offset_) /
bd30091c	498	ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);
c857a80c MC	499
c857a80c MC	500	/* P_* = C_* xor Pad[1..bitlen(C_)] /
14bb100b	501	ocb_block_xor(in, pad.c, last_len, out);
c857a80c MC	502
c857a80c MC	503	/* Checksum_* = Checksum_m xor (P_* \|\| 1 \|\| zeros(127-bitlen(P_))) /
14bb100b AP	504	memset(pad.c, 0, 16); /* borrow pad */
	505	memcpy(pad.c, out, last_len);
	506	pad.c[last_len] = 0x80;
	507	ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum);
c857a80c MC	508	}
	509
	510	ctx->blocks_processed = all_num_blocks;
	511
	512	return 1;
	513	}
	514
	515	/*
	516	* Calculate the tag and verify it against the supplied tag
	517	*/
0f113f3e	518	int CRYPTO_ocb128_finish(OCB128_CONTEXT ctx, const unsigned char tag,
c857a80c MC	519	size_t len)
c857a80c MC	520	{
14bb100b	521	OCB_BLOCK tmp;
c857a80c	522
0f113f3e MC	523	/*
	524	* Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
	525	*/
14bb100b AP	526	ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp);
	527	ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp);
	528	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
	529	ocb_block16_xor(&tmp, &ctx->sum, &ctx->tag);
c857a80c MC	530
	531	if (len > 16 \|\| len < 1) {
	532	return -1;
	533	}
	534
	535	/* Compare the tag if we've been given one */
	536	if (tag)
	537	return CRYPTO_memcmp(&ctx->tag, tag, len);
	538	else
	539	return -1;
	540	}
	541
	542	/*
	543	* Retrieve the calculated tag
	544	*/
0f113f3e	545	int CRYPTO_ocb128_tag(OCB128_CONTEXT ctx, unsigned char tag, size_t len)
c857a80c MC	546	{
	547	if (len > 16 \|\| len < 1) {
	548	return -1;
	549	}
	550
	551	/* Calculate the tag */
	552	CRYPTO_ocb128_finish(ctx, NULL, 0);
	553
	554	/* Copy the tag into the supplied buffer */
14bb100b	555	memcpy(tag, ctx->tag.c, len);
c857a80c MC	556
	557	return 1;
	558	}
	559
	560	/*
	561	* Release all resources
	562	*/
0f113f3e	563	void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
c857a80c MC	564	{
c857a80c MC	565	if (ctx) {
4b45c6e5	566	OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
c857a80c MC	567	OPENSSL_cleanse(ctx, sizeof(*ctx));
	568	}
	569	}
3feb6305	570
0f113f3e	571	#endif /* OPENSSL_NO_OCB */