[thirdparty/openssl.git] / crypto / modes / siv128.c

/*
 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include "internal/modes_int.h"
#include "internal/siv_int.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
                                        SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
                                              unsigned char const* in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len)
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}


__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                             unsigned char const *in, size_t len,
                                             SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
                       const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;

    memset(&ctx->d, 0, sizeof(ctx->d));
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL
            || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
            || (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
            || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
            || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
            || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
            || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len)) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len)
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return len;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    unsigned char* p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return len;
}

/*
 * Return the already calculated final result.
 */
int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif                          /* OPENSSL_NO_SIV */
Commit	Line	Data
b1ceb439 TS	1	/*
	2	* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <stdlib.h>
	12	#include <openssl/crypto.h>
459b15d4	13	#include <openssl/evp.h>
743694a6	14	#include "internal/modes_int.h"
459b15d4	15	#include "internal/siv_int.h"
b1ceb439 TS	16
	17	#ifndef OPENSSL_NO_SIV
	18
	19	__owur static ossl_inline uint32_t rotl8(uint32_t x)
	20	{
	21	return (x << 8) \| (x >> 24);
	22	}
	23
	24	__owur static ossl_inline uint32_t rotr8(uint32_t x)
	25	{
	26	return (x >> 8) \| (x << 24);
	27	}
	28
	29	__owur static ossl_inline uint64_t byteswap8(uint64_t x)
	30	{
	31	uint32_t high = (uint32_t)(x >> 32);
	32	uint32_t low = (uint32_t)x;
	33
	34	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
	35	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
	36	return ((uint64_t)low) << 32 \| (uint64_t)high;
	37	}
	38
	39	__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
	40	{
	41	const union {
	42	long one;
	43	char little;
	44	} is_endian = { 1 };
	45
	46	if (is_endian.little)
	47	return byteswap8(b->word[i]);
	48	return b->word[i];
	49	}
	50
	51	static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
	52	{
	53	const union {
	54	long one;
	55	char little;
	56	} is_endian = { 1 };
	57
	58	if (is_endian.little)
	59	b->word[i] = byteswap8(x);
	60	else
	61	b->word[i] = x;
	62	}
	63
	64	static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
	65	SIV_BLOCK const *y)
	66	{
	67	x->word[0] ^= y->word[0];
	68	x->word[1] ^= y->word[1];
	69	}
	70
	71	/*
	72	* Doubles \|b\|, which is 16 bytes representing an element
	73	* of GF(2**128) modulo the irreducible polynomial
	74	* x128 + x7 + x**2 + x + 1.
	75	* Assumes two's-complement arithmetic
	76	*/
	77	static ossl_inline void siv128_dbl(SIV_BLOCK *b)
	78	{
	79	uint64_t high = siv128_getword(b, 0);
80	uint64_t low = siv128_getword(b, 1);
81	uint64_t high_carry = high & (((uint64_t)1) << 63);
82	uint64_t low_carry = low & (((uint64_t)1) << 63);
83	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
84	uint64_t high_mask = low_carry >> 63;
85
86	high = (high << 1) \| high_mask;
87	low = (low << 1) ^ (uint64_t)low_mask;
88	siv128_putword(b, 0, high);
89	siv128_putword(b, 1, low);
90	}
91
92	__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
93	unsigned char const* in, size_t len)
94	{
95	SIV_BLOCK t;
96	size_t out_len = sizeof(out->byte);
be5fc053 KR	97	EVP_MAC_CTX *mac_ctx;
be5fc053 KR	98	int ret = 0;
b1ceb439	99
be5fc053 KR	100	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
be5fc053 KR	101	if (mac_ctx == NULL)
b1ceb439 TS	102	return 0;
	103
	104	if (len >= SIV_LEN) {
be5fc053 KR	105	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
be5fc053 KR	106	goto err;
b1ceb439 TS	107	memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
b1ceb439 TS	108	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	109	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	110	goto err;
b1ceb439 TS	111	} else {
	112	memset(&t, 0, sizeof(t));
	113	memcpy(&t, in, len);
	114	t.byte[len] = 0x80;
	115	siv128_dbl(&ctx->d);
	116	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	117	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	118	goto err;
b1ceb439	119	}
be5fc053	120	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len)
b1ceb439	121	\|\| out_len != SIV_LEN)
be5fc053 KR	122	goto err;
	123
	124	ret = 1;
	125
	126	err:
	127	EVP_MAC_CTX_free(mac_ctx);
	128	return ret;
b1ceb439 TS	129	}
	130
	131
	132	__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
	133	unsigned char const *in, size_t len,
	134	SIV_BLOCK *icv)
	135	{
	136	int out_len = (int)len;
	137
	138	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
	139	return 0;
	140	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
	141	}
	142
	143	/*
	144	* Create a new SIV128_CONTEXT
	145	*/
	146	SIV128_CONTEXT CRYPTO_siv128_new(const unsigned char key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
	147	{
	148	SIV128_CONTEXT *ctx;
	149	int ret;
	150
	151	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
	152	ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
	153	if (ret)
	154	return ctx;
	155	OPENSSL_free(ctx);
	156	}
	157
	158	return NULL;
	159	}
	160
	161	/*
	162	* Initialise an existing SIV128_CONTEXT
	163	*/
	164	int CRYPTO_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
	165	const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
	166	{
	167	static const unsigned char zero[SIV_LEN] = { 0 };
	168	size_t out_len = SIV_LEN;
be5fc053	169	EVP_MAC_CTX *mac_ctx = NULL;
b1ceb439 TS	170
	171	memset(&ctx->d, 0, sizeof(ctx->d));
	172	ctx->cipher_ctx = NULL;
9a3b5b76	173	ctx->mac_ctx_init = NULL;
b1ceb439 TS	174
	175	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL
	176	\|\| (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
9a3b5b76	177	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
17838470 MC	178	\|\| EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
17838470 MC	179	\|\| EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
b1ceb439	180	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
be5fc053 KR	181	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
	182	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
	183	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len)) {
b1ceb439	184	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
9a3b5b76	185	EVP_MAC_CTX_free(ctx->mac_ctx_init);
be5fc053	186	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	187	return 0;
b1ceb439 TS	188	}
be5fc053	189	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	190
	191	ctx->final_ret = -1;
	192	ctx->crypto_ok = 1;
	193
	194	return 1;
	195	}
	196
	197	/*
	198	* Copy an SIV128_CONTEXT object
	199	*/
	200	int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
	201	{
	202	memcpy(&dest->d, &src->d, sizeof(src->d));
	203	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
	204	return 0;
be5fc053 KR	205	EVP_MAC_CTX_free(dest->mac_ctx_init);
	206	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
	207	if (dest->mac_ctx_init == NULL)
b1ceb439	208	return 0;
b1ceb439 TS	209	return 1;
	210	}
	211
	212	/*
	213	* Provide any AAD. This can be called multiple times.
	214	* Per RFC5297, the last piece of associated data
	215	* is the nonce, but it's not treated special
	216	*/
	217	int CRYPTO_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
	218	size_t len)
	219	{
9a3b5b76	220	SIV_BLOCK mac_out;
b1ceb439	221	size_t out_len = SIV_LEN;
be5fc053	222	EVP_MAC_CTX *mac_ctx;
b1ceb439 TS	223
	224	siv128_dbl(&ctx->d);
	225
be5fc053 KR	226	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
	227	if (mac_ctx == NULL
	228	\|\| !EVP_MAC_update(mac_ctx, aad, len)
	229	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len)
	230	\|\| out_len != SIV_LEN) {
	231	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	232	return 0;
be5fc053 KR	233	}
be5fc053 KR	234	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	235
9a3b5b76	236	siv128_xorblock(&ctx->d, &mac_out);
b1ceb439 TS	237
b1ceb439 TS	238	return 1;
b1ceb439 TS	239	}
	240
	241	/*
	242	* Provide any data to be encrypted. This can be called once.
	243	*/
	244	int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
	245	const unsigned char in, unsigned char out,
	246	size_t len)
	247	{
	248	SIV_BLOCK q;
	249
	250	/* can only do one crypto operation */
	251	if (ctx->crypto_ok == 0)
	252	return 0;
	253	ctx->crypto_ok--;
	254
	255	if (!siv128_do_s2v_p(ctx, &q, in, len))
	256	return 0;
	257
	258	memcpy(ctx->tag.byte, &q, SIV_LEN);
	259	q.byte[8] &= 0x7f;
	260	q.byte[12] &= 0x7f;
	261
	262	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
	263	return 0;
	264	ctx->final_ret = 0;
	265	return len;
	266	}
	267
	268	/*
	269	* Provide any data to be decrypted. This can be called once.
	270	*/
	271	int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
	272	const unsigned char in, unsigned char out,
	273	size_t len)
	274	{
	275	unsigned char* p;
	276	SIV_BLOCK t, q;
	277	int i;
	278
	279	/* can only do one crypto operation */
	280	if (ctx->crypto_ok == 0)
	281	return 0;
	282	ctx->crypto_ok--;
	283
	284	memcpy(&q, ctx->tag.byte, SIV_LEN);
	285	q.byte[8] &= 0x7f;
	286	q.byte[12] &= 0x7f;
	287
	288	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
	289	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
	290	return 0;
	291
	292	p = ctx->tag.byte;
	293	for (i = 0; i < SIV_LEN; i++)
	294	t.byte[i] ^= p[i];
	295
	296	if ((t.word[0] \| t.word[1]) != 0) {
	297	OPENSSL_cleanse(out, len);
	298	return 0;
	299	}
	300	ctx->final_ret = 0;
	301	return len;
	302	}
303
304	/*
305	* Return the already calculated final result.
306	*/
307	int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
308	{
309	return ctx->final_ret;
310	}
311
312	/*
313	* Set the tag
314	*/
315	int CRYPTO_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
316	{
317	if (len != SIV_LEN)
318	return 0;
319
320	/* Copy the tag from the supplied buffer */
321	memcpy(ctx->tag.byte, tag, len);
322	return 1;
323	}
324
325	/*
326	* Retrieve the calculated tag
327	*/
328	int CRYPTO_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
329	{
330	if (len != SIV_LEN)
331	return 0;
332
333	/* Copy the tag into the supplied buffer */
334	memcpy(tag, ctx->tag.byte, len);
335	return 1;
336	}
337
338	/*
339	* Release all resources
340	*/
341	int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
342	{
343	if (ctx != NULL) {
344	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
345	ctx->cipher_ctx = NULL;
9a3b5b76 TS	346	EVP_MAC_CTX_free(ctx->mac_ctx_init);
9a3b5b76 TS	347	ctx->mac_ctx_init = NULL;
b1ceb439 TS	348	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
	349	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
	350	ctx->final_ret = -1;
	351	ctx->crypto_ok = 1;
	352	}
	353	return 1;
	354	}
	355
	356	int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
	357	{
	358	ctx->crypto_ok = (arg == 1) ? -1 : 1;
	359	return 1;
	360	}
	361
	362	#endif /* OPENSSL_NO_SIV */