[thirdparty/openssl.git] / crypto / modes / ocb128.c

/*
 * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include "modes_local.h"

#ifndef OPENSSL_NO_OCB

/*
 * Calculate the number of binary trailing zero's in any given number
 */
static u32 ocb_ntz(u64 n)
{
    u32 cnt = 0;

    /*
     * We do a right-to-left simple sequential search. This is surprisingly
     * efficient as the distribution of trailing zeros is not uniform,
     * e.g. the number of possible inputs with no trailing zeros is equal to
     * the number with 1 or more; the number with exactly 1 is equal to the
     * number with 2 or more, etc. Checking the last two bits covers 75% of
     * all numbers. Checking the last three covers 87.5%
     */
    while (!(n & 1)) {
        n >>= 1;
        cnt++;
    }
    return cnt;
}

/*
 * Shift a block of 16 bytes left by shift bits
 */
static void ocb_block_lshift(const unsigned char *in, size_t shift,
                             unsigned char *out)
{
    int i;
    unsigned char carry = 0, carry_next;

    for (i = 15; i >= 0; i--) {
        carry_next = in[i] >> (8 - shift);
        out[i] = (in[i] << shift) | carry;
        carry = carry_next;
    }
}

/*
 * Perform a "double" operation as per OCB spec
 */
static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out)
{
    unsigned char mask;

    /*
     * Calculate the mask based on the most significant bit. There are more
     * efficient ways to do this - but this way is constant time
     */
    mask = in->c[0] & 0x80;
    mask >>= 7;
    mask = (0 - mask) & 0x87;

    ocb_block_lshift(in->c, 1, out->c);

    out->c[15] ^= mask;
}

/*
 * Perform an xor on in1 and in2 - each of len bytes. Store result in out
 */
static void ocb_block_xor(const unsigned char *in1,
                          const unsigned char *in2, size_t len,
                          unsigned char *out)
{
    size_t i;
    for (i = 0; i < len; i++) {
        out[i] = in1[i] ^ in2[i];
    }
}

/*
 * Lookup L_index in our lookup table. If we haven't already got it we need to
 * calculate it
 */
static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
{
    size_t l_index = ctx->l_index;

    if (idx <= l_index) {
        return ctx->l + idx;
    }

    /* We don't have it - so calculate it */
    if (idx >= ctx->max_l_index) {
        void *tmp_ptr;
        /*
         * Each additional entry allows to process almost double as
         * much data, so that in linear world the table will need to
         * be expanded with smaller and smaller increments. Originally
         * it was doubling in size, which was a waste. Growing it
         * linearly is not formally optimal, but is simpler to implement.
         * We grow table by minimally required 4*n that would accommodate
         * the index.
         */
        ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
        tmp_ptr = OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
        if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
            return NULL;
        ctx->l = tmp_ptr;
    }
    while (l_index < idx) {
        ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
        l_index++;
    }
    ctx->l_index = l_index;

    return ctx->l + idx;
}

/*
 * Create a new OCB128_CONTEXT
 */
OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec,
                                  block128_f encrypt, block128_f decrypt,
                                  ocb128_f stream)
{
    OCB128_CONTEXT *octx;
    int ret;

    if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
        ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
                                 stream);
        if (ret)
            return octx;
        OPENSSL_free(octx);
    }

    return NULL;
}

/*
 * Initialise an existing OCB128_CONTEXT
 */
int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec,
                       block128_f encrypt, block128_f decrypt,
                       ocb128_f stream)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->l_index = 0;
    ctx->max_l_index = 5;
    if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL) {
        CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_INIT, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    /*
     * We set both the encryption and decryption key schedules - decryption
     * needs both. Don't really need decryption schedule if only doing
     * encryption - but it simplifies things to take it anyway
     */
    ctx->encrypt = encrypt;
    ctx->decrypt = decrypt;
    ctx->stream = stream;
    ctx->keyenc = keyenc;
    ctx->keydec = keydec;

    /* L_* = ENCIPHER(K, zeros(128)) */
    ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);

    /* L_$ = double(L_*) */
    ocb_double(&ctx->l_star, &ctx->l_dollar);

    /* L_0 = double(L_$) */
    ocb_double(&ctx->l_dollar, ctx->l);

    /* L_{i} = double(L_{i-1}) */
    ocb_double(ctx->l, ctx->l+1);
    ocb_double(ctx->l+1, ctx->l+2);
    ocb_double(ctx->l+2, ctx->l+3);
    ocb_double(ctx->l+3, ctx->l+4);
    ctx->l_index = 4;   /* enough to process up to 496 bytes */

    return 1;
}

/*
 * Copy an OCB128_CONTEXT object
 */
int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src,
                           void *keyenc, void *keydec)
{
    memcpy(dest, src, sizeof(OCB128_CONTEXT));
    if (keyenc)
        dest->keyenc = keyenc;
    if (keydec)
        dest->keydec = keydec;
    if (src->l) {
        if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL) {
            CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_COPY_CTX, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        memcpy(dest->l, src->l, (src->l_index + 1) * 16);
    }
    return 1;
}

/*
 * Set the IV to be used for this operation. Must be 1 - 15 bytes.
 */
int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv,
                        size_t len, size_t taglen)
{
    unsigned char ktop[16], tmp[16], mask;
    unsigned char stretch[24], nonce[16];
    size_t bottom, shift;

    /*
     * Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
     * We don't support this at this stage
     */
    if ((len > 15) || (len < 1) || (taglen > 16) || (taglen < 1)) {
        return -1;
    }

    /* Reset nonce-dependent variables */
    memset(&ctx->sess, 0, sizeof(ctx->sess));

    /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */
    nonce[0] = ((taglen * 8) % 128) << 1;
    memset(nonce + 1, 0, 15);
    memcpy(nonce + 16 - len, iv, len);
    nonce[15 - len] |= 1;

    /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */
    memcpy(tmp, nonce, 16);
    tmp[15] &= 0xc0;
    ctx->encrypt(tmp, ktop, ctx->keyenc);

    /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */
    memcpy(stretch, ktop, 16);
    ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);

    /* bottom = str2num(Nonce[123..128]) */
    bottom = nonce[15] & 0x3f;

    /* Offset_0 = Stretch[1+bottom..128+bottom] */
    shift = bottom % 8;
    ocb_block_lshift(stretch + (bottom / 8), shift, ctx->sess.offset.c);
    mask = 0xff;
    mask <<= 8 - shift;
    ctx->sess.offset.c[15] |=
        (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);

    return 1;
}

/*
 * Provide any AAD. This can be called multiple times. Only the final time can
 * have a partial block
 */
int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    u64 i, all_num_blocks;
    size_t num_blocks, last_len;
    OCB_BLOCK tmp;

    /* Calculate the number of blocks of AAD provided now, and so far */
    num_blocks = len / 16;
    all_num_blocks = num_blocks + ctx->sess.blocks_hashed;

    /* Loop through all full blocks of AAD */
    for (i = ctx->sess.blocks_hashed + 1; i <= all_num_blocks; i++) {
        OCB_BLOCK *lookup;

        /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
        lookup = ocb_lookup_l(ctx, ocb_ntz(i));
        if (lookup == NULL)
            return 0;
        ocb_block16_xor(&ctx->sess.offset_aad, lookup, &ctx->sess.offset_aad);

        memcpy(tmp.c, aad, 16);
        aad += 16;

        /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
        ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp);
        ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
        ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum);
    }

    /*
     * Check if we have any partial blocks left over. This is only valid in the
     * last call to this function
     */
    last_len = len % 16;

    if (last_len > 0) {
        /* Offset_* = Offset_m xor L_* */
        ocb_block16_xor(&ctx->sess.offset_aad, &ctx->l_star,
                        &ctx->sess.offset_aad);

        /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */
        memset(tmp.c, 0, 16);
        memcpy(tmp.c, aad, last_len);
        tmp.c[last_len] = 0x80;
        ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp);

        /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
        ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
        ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum);
    }

    ctx->sess.blocks_hashed = all_num_blocks;

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called multiple times. Only
 * the final time can have a partial block
 */
int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    u64 i, all_num_blocks;
    size_t num_blocks, last_len;

    /*
     * Calculate the number of blocks of data to be encrypted provided now, and
     * so far
     */
    num_blocks = len / 16;
    all_num_blocks = num_blocks + ctx->sess.blocks_processed;

    if (num_blocks && all_num_blocks == (size_t)all_num_blocks
        && ctx->stream != NULL) {
        size_t max_idx = 0, top = (size_t)all_num_blocks;

        /*
         * See how many L_{i} entries we need to process data at hand
         * and pre-compute missing entries in the table [if any]...
         */
        while (top >>= 1)
            max_idx++;
        if (ocb_lookup_l(ctx, max_idx) == NULL)
            return 0;

        ctx->stream(in, out, num_blocks, ctx->keyenc,
                    (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
                    (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
    } else {
        /* Loop through all full blocks to be encrypted */
        for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
            OCB_BLOCK *lookup;
            OCB_BLOCK tmp;

            /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
            lookup = ocb_lookup_l(ctx, ocb_ntz(i));
            if (lookup == NULL)
                return 0;
            ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset);

            memcpy(tmp.c, in, 16);
            in += 16;

            /* Checksum_i = Checksum_{i-1} xor P_i */
            ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum);

            /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
            ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
            ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
            ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);

            memcpy(out, tmp.c, 16);
            out += 16;
        }
    }

    /*
     * Check if we have any partial blocks left over. This is only valid in the
     * last call to this function
     */
    last_len = len % 16;

    if (last_len > 0) {
        OCB_BLOCK pad;

        /* Offset_* = Offset_m xor L_* */
        ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset);

        /* Pad = ENCIPHER(K, Offset_*) */
        ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc);

        /* C_* = P_* xor Pad[1..bitlen(P_*)] */
        ocb_block_xor(in, pad.c, last_len, out);

        /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
        memset(pad.c, 0, 16);           /* borrow pad */
        memcpy(pad.c, in, last_len);
        pad.c[last_len] = 0x80;
        ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum);
    }

    ctx->sess.blocks_processed = all_num_blocks;

    return 1;
}

/*
 * Provide any data to be decrypted. This can be called multiple times. Only
 * the final time can have a partial block
 */
int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    u64 i, all_num_blocks;
    size_t num_blocks, last_len;

    /*
     * Calculate the number of blocks of data to be decrypted provided now, and
     * so far
     */
    num_blocks = len / 16;
    all_num_blocks = num_blocks + ctx->sess.blocks_processed;

    if (num_blocks && all_num_blocks == (size_t)all_num_blocks
        && ctx->stream != NULL) {
        size_t max_idx = 0, top = (size_t)all_num_blocks;

        /*
         * See how many L_{i} entries we need to process data at hand
         * and pre-compute missing entries in the table [if any]...
         */
        while (top >>= 1)
            max_idx++;
        if (ocb_lookup_l(ctx, max_idx) == NULL)
            return 0;

        ctx->stream(in, out, num_blocks, ctx->keydec,
                    (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
                    (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
    } else {
        OCB_BLOCK tmp;

        /* Loop through all full blocks to be decrypted */
        for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {

            /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
            OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
            if (lookup == NULL)
                return 0;
            ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset);

            memcpy(tmp.c, in, 16);
            in += 16;

            /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
            ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
            ctx->decrypt(tmp.c, tmp.c, ctx->keydec);
            ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);

            /* Checksum_i = Checksum_{i-1} xor P_i */
            ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum);

            memcpy(out, tmp.c, 16);
            out += 16;
        }
    }

    /*
     * Check if we have any partial blocks left over. This is only valid in the
     * last call to this function
     */
    last_len = len % 16;

    if (last_len > 0) {
        OCB_BLOCK pad;

        /* Offset_* = Offset_m xor L_* */
        ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset);

        /* Pad = ENCIPHER(K, Offset_*) */
        ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc);

        /* P_* = C_* xor Pad[1..bitlen(C_*)] */
        ocb_block_xor(in, pad.c, last_len, out);

        /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
        memset(pad.c, 0, 16);           /* borrow pad */
        memcpy(pad.c, out, last_len);
        pad.c[last_len] = 0x80;
        ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum);
    }

    ctx->sess.blocks_processed = all_num_blocks;

    return 1;
}

static int ocb_finish(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len,
                      int write)
{
    OCB_BLOCK tmp;

    if (len > 16 || len < 1) {
        return -1;
    }

    /*
     * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
     */
    ocb_block16_xor(&ctx->sess.checksum, &ctx->sess.offset, &tmp);
    ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp);
    ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
    ocb_block16_xor(&tmp, &ctx->sess.sum, &tmp);

    if (write) {
        memcpy(tag, &tmp, len);
        return 1;
    } else {
        return CRYPTO_memcmp(&tmp, tag, len);
    }
}

/*
 * Calculate the tag and verify it against the supplied tag
 */
int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag,
                         size_t len)
{
    return ocb_finish(ctx, (unsigned char*)tag, len, 0);
}

/*
 * Retrieve the calculated tag
 */
int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    return ocb_finish(ctx, tag, len, 1);
}

/*
 * Release all resources
 */
void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
{
    if (ctx) {
        OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
        OPENSSL_cleanse(ctx, sizeof(*ctx));
    }
}

#endif                          /* OPENSSL_NO_OCB */
Commit	Line	Data
4f22f405	1	/*
28428130	2	* Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
c857a80c	3	*
4f22f405 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
c857a80c MC	8	*/
	9
	10	#include <string.h>
	11	#include <openssl/crypto.h>
7de2b9c4	12	#include <openssl/err.h>
b5acbf91	13	#include "modes_local.h"
c857a80c	14
3feb6305 MC	15	#ifndef OPENSSL_NO_OCB
3feb6305 MC	16
c857a80c MC	17	/*
	18	* Calculate the number of binary trailing zero's in any given number
	19	*/
	20	static u32 ocb_ntz(u64 n)
	21	{
	22	u32 cnt = 0;
	23
	24	/*
	25	* We do a right-to-left simple sequential search. This is surprisingly
	26	* efficient as the distribution of trailing zeros is not uniform,
	27	* e.g. the number of possible inputs with no trailing zeros is equal to
	28	* the number with 1 or more; the number with exactly 1 is equal to the
	29	* number with 2 or more, etc. Checking the last two bits covers 75% of
	30	* all numbers. Checking the last three covers 87.5%
	31	*/
	32	while (!(n & 1)) {
	33	n >>= 1;
	34	cnt++;
	35	}
	36	return cnt;
	37	}
	38
	39	/*
	40	* Shift a block of 16 bytes left by shift bits
	41	*/
1bbea403 AP	42	static void ocb_block_lshift(const unsigned char *in, size_t shift,
1bbea403 AP	43	unsigned char *out)
c857a80c	44	{
c857a80c	45	int i;
45197ad3	46	unsigned char carry = 0, carry_next;
0f113f3e	47
c857a80c	48	for (i = 15; i >= 0; i--) {
45197ad3 AP	49	carry_next = in[i] >> (8 - shift);
	50	out[i] = (in[i] << shift) \| carry;
	51	carry = carry_next;
c857a80c MC	52	}
	53	}
	54
	55	/*
	56	* Perform a "double" operation as per OCB spec
	57	*/
	58	static void ocb_double(OCB_BLOCK in, OCB_BLOCK out)
	59	{
	60	unsigned char mask;
c857a80c MC	61
	62	/*
	63	* Calculate the mask based on the most significant bit. There are more
	64	* efficient ways to do this - but this way is constant time
	65	*/
81f3d632	66	mask = in->c[0] & 0x80;
c857a80c	67	mask >>= 7;
c118fb92	68	mask = (0 - mask) & 0x87;
c857a80c	69
1bbea403	70	ocb_block_lshift(in->c, 1, out->c);
c857a80c	71
81f3d632	72	out->c[15] ^= mask;
c857a80c MC	73	}
	74
	75	/*
	76	* Perform an xor on in1 and in2 - each of len bytes. Store result in out
	77	*/
	78	static void ocb_block_xor(const unsigned char *in1,
	79	const unsigned char *in2, size_t len,
	80	unsigned char *out)
	81	{
	82	size_t i;
	83	for (i = 0; i < len; i++) {
	84	out[i] = in1[i] ^ in2[i];
	85	}
	86	}
	87
	88	/*
	89	* Lookup L_index in our lookup table. If we haven't already got it we need to
	90	* calculate it
	91	*/
55467a16	92	static OCB_BLOCK ocb_lookup_l(OCB128_CONTEXT ctx, size_t idx)
c857a80c	93	{
b9e3d7e0 AP	94	size_t l_index = ctx->l_index;
	95
	96	if (idx <= l_index) {
55467a16	97	return ctx->l + idx;
c857a80c MC	98	}
	99
	100	/* We don't have it - so calculate it */
b9e3d7e0	101	if (idx >= ctx->max_l_index) {
7c0ef843	102	void *tmp_ptr;
b9e3d7e0 AP	103	/*
	104	* Each additional entry allows to process almost double as
	105	* much data, so that in linear world the table will need to
	106	* be expanded with smaller and smaller increments. Originally
	107	* it was doubling in size, which was a waste. Growing it
	108	* linearly is not formally optimal, but is simpler to implement.
	109	* We grow table by minimally required 4*n that would accommodate
	110	* the index.
	111	*/
	112	ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
45197ad3	113	tmp_ptr = OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
7c0ef843	114	if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
c857a80c	115	return NULL;
7c0ef843	116	ctx->l = tmp_ptr;
c857a80c	117	}
44bf7119	118	while (l_index < idx) {
b9e3d7e0 AP	119	ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
	120	l_index++;
	121	}
	122	ctx->l_index = l_index;
c857a80c	123
55467a16	124	return ctx->l + idx;
c857a80c MC	125	}
c857a80c MC	126
c857a80c MC	127	/*
	128	* Create a new OCB128_CONTEXT
	129	*/
	130	OCB128_CONTEXT CRYPTO_ocb128_new(void keyenc, void *keydec,
bd30091c AP	131	block128_f encrypt, block128_f decrypt,
bd30091c AP	132	ocb128_f stream)
c857a80c MC	133	{
	134	OCB128_CONTEXT *octx;
	135	int ret;
	136
90945fa3	137	if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
bd30091c AP	138	ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
bd30091c AP	139	stream);
c857a80c MC	140	if (ret)
	141	return octx;
	142	OPENSSL_free(octx);
	143	}
	144
	145	return NULL;
	146	}
	147
	148	/*
	149	* Initialise an existing OCB128_CONTEXT
	150	*/
	151	int CRYPTO_ocb128_init(OCB128_CONTEXT ctx, void keyenc, void *keydec,
bd30091c AP	152	block128_f encrypt, block128_f decrypt,
bd30091c AP	153	ocb128_f stream)
c857a80c	154	{
c857a80c	155	memset(ctx, 0, sizeof(*ctx));
c857a80c	156	ctx->l_index = 0;
b9e3d7e0	157	ctx->max_l_index = 5;
7de2b9c4 RS	158	if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL) {
7de2b9c4 RS	159	CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_INIT, ERR_R_MALLOC_FAILURE);
c857a80c	160	return 0;
7de2b9c4	161	}
c857a80c MC	162
	163	/*
	164	* We set both the encryption and decryption key schedules - decryption
	165	* needs both. Don't really need decryption schedule if only doing
	166	* encryption - but it simplifies things to take it anyway
	167	*/
	168	ctx->encrypt = encrypt;
	169	ctx->decrypt = decrypt;
bd30091c	170	ctx->stream = stream;
c857a80c MC	171	ctx->keyenc = keyenc;
	172	ctx->keydec = keydec;
	173
	174	/* L_* = ENCIPHER(K, zeros(128)) */
bd30091c	175	ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);
c857a80c MC	176
	177	/* L_$ = double(L_) /
	178	ocb_double(&ctx->l_star, &ctx->l_dollar);
	179
	180	/* L_0 = double(L_$) */
	181	ocb_double(&ctx->l_dollar, ctx->l);
	182
b9e3d7e0 AP	183	/* L_{i} = double(L_{i-1}) */
	184	ocb_double(ctx->l, ctx->l+1);
	185	ocb_double(ctx->l+1, ctx->l+2);
	186	ocb_double(ctx->l+2, ctx->l+3);
	187	ocb_double(ctx->l+3, ctx->l+4);
	188	ctx->l_index = 4; /* enough to process up to 496 bytes */
	189
c857a80c MC	190	return 1;
	191	}
	192
	193	/*
	194	* Copy an OCB128_CONTEXT object
	195	*/
0f113f3e	196	int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT dest, OCB128_CONTEXT src,
c857a80c MC	197	void keyenc, void keydec)
	198	{
	199	memcpy(dest, src, sizeof(OCB128_CONTEXT));
	200	if (keyenc)
	201	dest->keyenc = keyenc;
	202	if (keydec)
	203	dest->keydec = keydec;
	204	if (src->l) {
7de2b9c4 RS	205	if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL) {
7de2b9c4 RS	206	CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_COPY_CTX, ERR_R_MALLOC_FAILURE);
c857a80c	207	return 0;
7de2b9c4	208	}
c857a80c MC	209	memcpy(dest->l, src->l, (src->l_index + 1) * 16);
	210	}
	211	return 1;
	212	}
	213
	214	/*
	215	* Set the IV to be used for this operation. Must be 1 - 15 bytes.
	216	*/
0f113f3e	217	int CRYPTO_ocb128_setiv(OCB128_CONTEXT ctx, const unsigned char iv,
c857a80c MC	218	size_t len, size_t taglen)
	219	{
	220	unsigned char ktop[16], tmp[16], mask;
	221	unsigned char stretch[24], nonce[16];
	222	size_t bottom, shift;
c857a80c MC	223
	224	/*
	225	* Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
02e112a8	226	* We don't support this at this stage
c857a80c MC	227	*/
	228	if ((len > 15) \|\| (len < 1) \|\| (taglen > 16) \|\| (taglen < 1)) {
	229	return -1;
	230	}
	231
bbb02a5b MY	232	/* Reset nonce-dependent variables */
	233	memset(&ctx->sess, 0, sizeof(ctx->sess));
	234
c857a80c MC	235	/* Nonce = num2str(TAGLEN mod 128,7) \|\| zeros(120-bitlen(N)) \|\| 1 \|\| N */
	236	nonce[0] = ((taglen * 8) % 128) << 1;
	237	memset(nonce + 1, 0, 15);
	238	memcpy(nonce + 16 - len, iv, len);
	239	nonce[15 - len] \|= 1;
	240
	241	/* Ktop = ENCIPHER(K, Nonce[1..122] \|\| zeros(6)) */
	242	memcpy(tmp, nonce, 16);
	243	tmp[15] &= 0xc0;
	244	ctx->encrypt(tmp, ktop, ctx->keyenc);
	245
	246	/* Stretch = Ktop \|\| (Ktop[1..64] xor Ktop[9..72]) */
	247	memcpy(stretch, ktop, 16);
	248	ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);
	249
	250	/* bottom = str2num(Nonce[123..128]) */
	251	bottom = nonce[15] & 0x3f;
	252
	253	/* Offset_0 = Stretch[1+bottom..128+bottom] */
	254	shift = bottom % 8;
bbb02a5b	255	ocb_block_lshift(stretch + (bottom / 8), shift, ctx->sess.offset.c);
c857a80c MC	256	mask = 0xff;
c857a80c MC	257	mask <<= 8 - shift;
bbb02a5b	258	ctx->sess.offset.c[15] \|=
0f113f3e	259	(*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);
c857a80c MC	260
	261	return 1;
	262	}
	263
	264	/*
	265	* Provide any AAD. This can be called multiple times. Only the final time can
	266	* have a partial block
	267	*/
0f113f3e	268	int CRYPTO_ocb128_aad(OCB128_CONTEXT ctx, const unsigned char aad,
c857a80c MC	269	size_t len)
c857a80c MC	270	{
bd30091c AP	271	u64 i, all_num_blocks;
bd30091c AP	272	size_t num_blocks, last_len;
14bb100b	273	OCB_BLOCK tmp;
0f113f3e	274
c857a80c MC	275	/* Calculate the number of blocks of AAD provided now, and so far */
c857a80c MC	276	num_blocks = len / 16;
bbb02a5b	277	all_num_blocks = num_blocks + ctx->sess.blocks_hashed;
c857a80c MC	278
c857a80c MC	279	/* Loop through all full blocks of AAD */
bbb02a5b	280	for (i = ctx->sess.blocks_hashed + 1; i <= all_num_blocks; i++) {
c857a80c	281	OCB_BLOCK *lookup;
0f113f3e	282
c857a80c MC	283	/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
c857a80c MC	284	lookup = ocb_lookup_l(ctx, ocb_ntz(i));
bd30091c	285	if (lookup == NULL)
c857a80c	286	return 0;
bbb02a5b	287	ocb_block16_xor(&ctx->sess.offset_aad, lookup, &ctx->sess.offset_aad);
c857a80c	288
14bb100b AP	289	memcpy(tmp.c, aad, 16);
	290	aad += 16;
	291
c857a80c	292	/* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
bbb02a5b	293	ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp);
14bb100b	294	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
bbb02a5b	295	ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum);
c857a80c MC	296	}
	297
	298	/*
	299	* Check if we have any partial blocks left over. This is only valid in the
	300	* last call to this function
	301	*/
	302	last_len = len % 16;
	303
	304	if (last_len > 0) {
	305	/* Offset_* = Offset_m xor L_* */
bbb02a5b MY	306	ocb_block16_xor(&ctx->sess.offset_aad, &ctx->l_star,
bbb02a5b MY	307	&ctx->sess.offset_aad);
c857a80c MC	308
c857a80c MC	309	/* CipherInput = (A_* \|\| 1 \|\| zeros(127-bitlen(A_))) xor Offset_ */
14bb100b AP	310	memset(tmp.c, 0, 16);
	311	memcpy(tmp.c, aad, last_len);
	312	tmp.c[last_len] = 0x80;
bbb02a5b	313	ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp);
c857a80c MC	314
c857a80c MC	315	/* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
14bb100b	316	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
bbb02a5b	317	ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum);
c857a80c MC	318	}
c857a80c MC	319
bbb02a5b	320	ctx->sess.blocks_hashed = all_num_blocks;
c857a80c MC	321
	322	return 1;
	323	}
	324
	325	/*
	326	* Provide any data to be encrypted. This can be called multiple times. Only
	327	* the final time can have a partial block
	328	*/
0f113f3e	329	int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
c857a80c MC	330	const unsigned char in, unsigned char out,
	331	size_t len)
	332	{
bd30091c AP	333	u64 i, all_num_blocks;
bd30091c AP	334	size_t num_blocks, last_len;
c857a80c MC	335
	336	/*
	337	* Calculate the number of blocks of data to be encrypted provided now, and
	338	* so far
	339	*/
	340	num_blocks = len / 16;
bbb02a5b	341	all_num_blocks = num_blocks + ctx->sess.blocks_processed;
c857a80c	342
bd30091c AP	343	if (num_blocks && all_num_blocks == (size_t)all_num_blocks
	344	&& ctx->stream != NULL) {
	345	size_t max_idx = 0, top = (size_t)all_num_blocks;
0f113f3e	346
bd30091c AP	347	/*
	348	* See how many L_{i} entries we need to process data at hand
	349	* and pre-compute missing entries in the table [if any]...
	350	*/
	351	while (top >>= 1)
	352	max_idx++;
	353	if (ocb_lookup_l(ctx, max_idx) == NULL)
c857a80c	354	return 0;
c857a80c	355
bd30091c	356	ctx->stream(in, out, num_blocks, ctx->keyenc,
bbb02a5b MY	357	(size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
bbb02a5b MY	358	(const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
bd30091c AP	359	} else {
bd30091c AP	360	/* Loop through all full blocks to be encrypted */
bbb02a5b	361	for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
bd30091c	362	OCB_BLOCK *lookup;
14bb100b	363	OCB_BLOCK tmp;
bd30091c AP	364
	365	/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
	366	lookup = ocb_lookup_l(ctx, ocb_ntz(i));
	367	if (lookup == NULL)
	368	return 0;
bbb02a5b	369	ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset);
bd30091c	370
14bb100b AP	371	memcpy(tmp.c, in, 16);
	372	in += 16;
	373
bd30091c	374	/* Checksum_i = Checksum_{i-1} xor P_i */
bbb02a5b	375	ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum);
14bb100b AP	376
14bb100b AP	377	/* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
bbb02a5b	378	ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
14bb100b	379	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
bbb02a5b	380	ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
14bb100b AP	381
	382	memcpy(out, tmp.c, 16);
	383	out += 16;
bd30091c	384	}
c857a80c MC	385	}
	386
	387	/*
	388	* Check if we have any partial blocks left over. This is only valid in the
	389	* last call to this function
	390	*/
	391	last_len = len % 16;
	392
	393	if (last_len > 0) {
14bb100b AP	394	OCB_BLOCK pad;
14bb100b AP	395
c857a80c	396	/* Offset_* = Offset_m xor L_* */
bbb02a5b	397	ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset);
c857a80c MC	398
c857a80c MC	399	/* Pad = ENCIPHER(K, Offset_) /
bbb02a5b	400	ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc);
c857a80c MC	401
c857a80c MC	402	/* C_* = P_* xor Pad[1..bitlen(P_)] /
14bb100b	403	ocb_block_xor(in, pad.c, last_len, out);
c857a80c MC	404
c857a80c MC	405	/* Checksum_* = Checksum_m xor (P_* \|\| 1 \|\| zeros(127-bitlen(P_))) /
14bb100b AP	406	memset(pad.c, 0, 16); /* borrow pad */
	407	memcpy(pad.c, in, last_len);
	408	pad.c[last_len] = 0x80;
bbb02a5b	409	ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum);
c857a80c MC	410	}
c857a80c MC	411
bbb02a5b	412	ctx->sess.blocks_processed = all_num_blocks;
c857a80c MC	413
	414	return 1;
	415	}
	416
	417	/*
	418	* Provide any data to be decrypted. This can be called multiple times. Only
	419	* the final time can have a partial block
	420	*/
0f113f3e	421	int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
c857a80c MC	422	const unsigned char in, unsigned char out,
	423	size_t len)
	424	{
bd30091c AP	425	u64 i, all_num_blocks;
bd30091c AP	426	size_t num_blocks, last_len;
bd30091c	427
c857a80c MC	428	/*
	429	* Calculate the number of blocks of data to be decrypted provided now, and
	430	* so far
	431	*/
	432	num_blocks = len / 16;
bbb02a5b	433	all_num_blocks = num_blocks + ctx->sess.blocks_processed;
c857a80c	434
bd30091c AP	435	if (num_blocks && all_num_blocks == (size_t)all_num_blocks
	436	&& ctx->stream != NULL) {
	437	size_t max_idx = 0, top = (size_t)all_num_blocks;
0f113f3e	438
bd30091c AP	439	/*
	440	* See how many L_{i} entries we need to process data at hand
	441	* and pre-compute missing entries in the table [if any]...
	442	*/
	443	while (top >>= 1)
	444	max_idx++;
	445	if (ocb_lookup_l(ctx, max_idx) == NULL)
c857a80c	446	return 0;
bd30091c AP	447
bd30091c AP	448	ctx->stream(in, out, num_blocks, ctx->keydec,
bbb02a5b MY	449	(size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
bbb02a5b MY	450	(const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
bd30091c	451	} else {
14bb100b AP	452	OCB_BLOCK tmp;
14bb100b AP	453
bd30091c	454	/* Loop through all full blocks to be decrypted */
bbb02a5b	455	for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
bd30091c AP	456
	457	/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
	458	OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
	459	if (lookup == NULL)
	460	return 0;
bbb02a5b	461	ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset);
bd30091c	462
14bb100b AP	463	memcpy(tmp.c, in, 16);
	464	in += 16;
	465
bd30091c	466	/* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
bbb02a5b	467	ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
14bb100b	468	ctx->decrypt(tmp.c, tmp.c, ctx->keydec);
bbb02a5b	469	ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
bd30091c AP	470
bd30091c AP	471	/* Checksum_i = Checksum_{i-1} xor P_i */
bbb02a5b	472	ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum);
14bb100b AP	473
	474	memcpy(out, tmp.c, 16);
	475	out += 16;
bd30091c	476	}
c857a80c MC	477	}
	478
	479	/*
	480	* Check if we have any partial blocks left over. This is only valid in the
	481	* last call to this function
	482	*/
	483	last_len = len % 16;
	484
	485	if (last_len > 0) {
14bb100b AP	486	OCB_BLOCK pad;
14bb100b AP	487
c857a80c	488	/* Offset_* = Offset_m xor L_* */
bbb02a5b	489	ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset);
c857a80c MC	490
c857a80c MC	491	/* Pad = ENCIPHER(K, Offset_) /
bbb02a5b	492	ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc);
c857a80c MC	493
c857a80c MC	494	/* P_* = C_* xor Pad[1..bitlen(C_)] /
14bb100b	495	ocb_block_xor(in, pad.c, last_len, out);
c857a80c MC	496
c857a80c MC	497	/* Checksum_* = Checksum_m xor (P_* \|\| 1 \|\| zeros(127-bitlen(P_))) /
14bb100b AP	498	memset(pad.c, 0, 16); /* borrow pad */
	499	memcpy(pad.c, out, last_len);
	500	pad.c[last_len] = 0x80;
bbb02a5b	501	ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum);
c857a80c MC	502	}
c857a80c MC	503
bbb02a5b	504	ctx->sess.blocks_processed = all_num_blocks;
c857a80c MC	505
	506	return 1;
	507	}
	508
bbb02a5b MY	509	static int ocb_finish(OCB128_CONTEXT ctx, unsigned char tag, size_t len,
bbb02a5b MY	510	int write)
c857a80c	511	{
14bb100b	512	OCB_BLOCK tmp;
c857a80c	513
bbb02a5b MY	514	if (len > 16 \|\| len < 1) {
	515	return -1;
	516	}
	517
0f113f3e MC	518	/*
	519	* Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
	520	*/
bbb02a5b	521	ocb_block16_xor(&ctx->sess.checksum, &ctx->sess.offset, &tmp);
14bb100b AP	522	ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp);
14bb100b AP	523	ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
bbb02a5b	524	ocb_block16_xor(&tmp, &ctx->sess.sum, &tmp);
c857a80c	525
bbb02a5b MY	526	if (write) {
	527	memcpy(tag, &tmp, len);
	528	return 1;
	529	} else {
	530	return CRYPTO_memcmp(&tmp, tag, len);
c857a80c	531	}
bbb02a5b	532	}
c857a80c	533
bbb02a5b MY	534	/*
	535	* Calculate the tag and verify it against the supplied tag
	536	*/
	537	int CRYPTO_ocb128_finish(OCB128_CONTEXT ctx, const unsigned char tag,
	538	size_t len)
	539	{
	540	return ocb_finish(ctx, (unsigned char*)tag, len, 0);
c857a80c MC	541	}
	542
	543	/*
	544	* Retrieve the calculated tag
	545	*/
0f113f3e	546	int CRYPTO_ocb128_tag(OCB128_CONTEXT ctx, unsigned char tag, size_t len)
c857a80c	547	{
bbb02a5b	548	return ocb_finish(ctx, tag, len, 1);
c857a80c MC	549	}
	550
	551	/*
	552	* Release all resources
	553	*/
0f113f3e	554	void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
c857a80c MC	555	{
c857a80c MC	556	if (ctx) {
4b45c6e5	557	OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
c857a80c MC	558	OPENSSL_cleanse(ctx, sizeof(*ctx));
	559	}
	560	}
3feb6305	561
0f113f3e	562	#endif /* OPENSSL_NO_OCB */