[thirdparty/openssl.git] / crypto / modes / siv128.c

/*
 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include "crypto/modes.h"
#include "crypto/siv.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
                                        SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
                                              unsigned char const* in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}


__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                             unsigned char const *in, size_t len,
                                             SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
                       const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;
    OSSL_PARAM params[3];
    const char *cbc_name = EVP_CIPHER_name(cbc);

    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
                                                 (char *)cbc_name, 0);
    params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
                                                  (void *)key, klen);
    params[2] = OSSL_PARAM_construct_end();

    memset(&ctx->d, 0, sizeof(ctx->d));
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL
            || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
            /* TODO(3.0) library context */
            || (ctx->mac =
                EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL)) == NULL
            || (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
            || !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
            || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
            || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
            || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
            || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
                              sizeof(ctx->d.byte))) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        EVP_MAC_CTX_free(mac_ctx);
        EVP_MAC_free(ctx->mac);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
                          sizeof(mac_out.byte))
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return len;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    unsigned char* p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return len;
}

/*
 * Return the already calculated final result.
 */
int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        EVP_MAC_free(ctx->mac);
        ctx->mac = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif                          /* OPENSSL_NO_SIV */
Commit	Line	Data
b1ceb439 TS	1	/*
	2	* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <stdlib.h>
	12	#include <openssl/crypto.h>
459b15d4	13	#include <openssl/evp.h>
776796e8 RL	14	#include <openssl/core_names.h>
776796e8 RL	15	#include <openssl/params.h>
25f2138b DMSP	16	#include "crypto/modes.h"
25f2138b DMSP	17	#include "crypto/siv.h"
b1ceb439 TS	18
	19	#ifndef OPENSSL_NO_SIV
	20
	21	__owur static ossl_inline uint32_t rotl8(uint32_t x)
	22	{
	23	return (x << 8) \| (x >> 24);
	24	}
	25
	26	__owur static ossl_inline uint32_t rotr8(uint32_t x)
	27	{
	28	return (x >> 8) \| (x << 24);
	29	}
	30
	31	__owur static ossl_inline uint64_t byteswap8(uint64_t x)
	32	{
	33	uint32_t high = (uint32_t)(x >> 32);
	34	uint32_t low = (uint32_t)x;
	35
	36	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
	37	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
	38	return ((uint64_t)low) << 32 \| (uint64_t)high;
	39	}
	40
	41	__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
	42	{
	43	const union {
	44	long one;
	45	char little;
	46	} is_endian = { 1 };
	47
	48	if (is_endian.little)
	49	return byteswap8(b->word[i]);
	50	return b->word[i];
	51	}
	52
	53	static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
	54	{
	55	const union {
	56	long one;
	57	char little;
	58	} is_endian = { 1 };
	59
	60	if (is_endian.little)
	61	b->word[i] = byteswap8(x);
	62	else
	63	b->word[i] = x;
	64	}
	65
	66	static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
	67	SIV_BLOCK const *y)
	68	{
	69	x->word[0] ^= y->word[0];
	70	x->word[1] ^= y->word[1];
	71	}
	72
	73	/*
	74	* Doubles \|b\|, which is 16 bytes representing an element
	75	* of GF(2**128) modulo the irreducible polynomial
	76	* x128 + x7 + x**2 + x + 1.
	77	* Assumes two's-complement arithmetic
	78	*/
	79	static ossl_inline void siv128_dbl(SIV_BLOCK *b)
	80	{
	81	uint64_t high = siv128_getword(b, 0);
82	uint64_t low = siv128_getword(b, 1);
83	uint64_t high_carry = high & (((uint64_t)1) << 63);
84	uint64_t low_carry = low & (((uint64_t)1) << 63);
85	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
86	uint64_t high_mask = low_carry >> 63;
87
88	high = (high << 1) \| high_mask;
89	low = (low << 1) ^ (uint64_t)low_mask;
90	siv128_putword(b, 0, high);
91	siv128_putword(b, 1, low);
92	}
93
94	__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
95	unsigned char const* in, size_t len)
96	{
97	SIV_BLOCK t;
98	size_t out_len = sizeof(out->byte);
be5fc053 KR	99	EVP_MAC_CTX *mac_ctx;
be5fc053 KR	100	int ret = 0;
b1ceb439	101
be5fc053 KR	102	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
be5fc053 KR	103	if (mac_ctx == NULL)
b1ceb439 TS	104	return 0;
	105
	106	if (len >= SIV_LEN) {
be5fc053 KR	107	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
be5fc053 KR	108	goto err;
b1ceb439 TS	109	memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
b1ceb439 TS	110	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	111	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	112	goto err;
b1ceb439 TS	113	} else {
	114	memset(&t, 0, sizeof(t));
	115	memcpy(&t, in, len);
	116	t.byte[len] = 0x80;
	117	siv128_dbl(&ctx->d);
	118	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	119	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	120	goto err;
b1ceb439	121	}
776796e8	122	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
b1ceb439	123	\|\| out_len != SIV_LEN)
be5fc053 KR	124	goto err;
	125
	126	ret = 1;
	127
	128	err:
	129	EVP_MAC_CTX_free(mac_ctx);
	130	return ret;
b1ceb439 TS	131	}
	132
	133
	134	__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
	135	unsigned char const *in, size_t len,
	136	SIV_BLOCK *icv)
	137	{
	138	int out_len = (int)len;
	139
	140	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
	141	return 0;
	142	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
	143	}
	144
	145	/*
	146	* Create a new SIV128_CONTEXT
	147	*/
	148	SIV128_CONTEXT CRYPTO_siv128_new(const unsigned char key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
	149	{
	150	SIV128_CONTEXT *ctx;
	151	int ret;
	152
	153	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
	154	ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
	155	if (ret)
	156	return ctx;
	157	OPENSSL_free(ctx);
	158	}
	159
	160	return NULL;
	161	}
	162
	163	/*
	164	* Initialise an existing SIV128_CONTEXT
	165	*/
	166	int CRYPTO_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
	167	const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
	168	{
	169	static const unsigned char zero[SIV_LEN] = { 0 };
	170	size_t out_len = SIV_LEN;
be5fc053	171	EVP_MAC_CTX *mac_ctx = NULL;
776796e8 RL	172	OSSL_PARAM params[3];
	173	const char *cbc_name = EVP_CIPHER_name(cbc);
	174
703170d4	175	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
7f588d20	176	(char *)cbc_name, 0);
776796e8 RL	177	params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
	178	(void *)key, klen);
	179	params[2] = OSSL_PARAM_construct_end();
b1ceb439 TS	180
	181	memset(&ctx->d, 0, sizeof(ctx->d));
	182	ctx->cipher_ctx = NULL;
9a3b5b76	183	ctx->mac_ctx_init = NULL;
b1ceb439 TS	184
	185	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL
	186	\|\| (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
776796e8	187	/* TODO(3.0) library context */
81ff9eeb RL	188	\|\| (ctx->mac =
81ff9eeb RL	189	EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL)) == NULL
776796e8 RL	190	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
776796e8 RL	191	\|\| !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
b1ceb439	192	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
be5fc053 KR	193	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
be5fc053 KR	194	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
776796e8 RL	195	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
776796e8 RL	196	sizeof(ctx->d.byte))) {
b1ceb439	197	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
9a3b5b76	198	EVP_MAC_CTX_free(ctx->mac_ctx_init);
be5fc053	199	EVP_MAC_CTX_free(mac_ctx);
776796e8	200	EVP_MAC_free(ctx->mac);
b1ceb439 TS	201	return 0;
b1ceb439 TS	202	}
be5fc053	203	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	204
	205	ctx->final_ret = -1;
	206	ctx->crypto_ok = 1;
	207
	208	return 1;
	209	}
	210
	211	/*
	212	* Copy an SIV128_CONTEXT object
	213	*/
	214	int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
	215	{
	216	memcpy(&dest->d, &src->d, sizeof(src->d));
	217	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
	218	return 0;
be5fc053 KR	219	EVP_MAC_CTX_free(dest->mac_ctx_init);
	220	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
	221	if (dest->mac_ctx_init == NULL)
b1ceb439	222	return 0;
b1ceb439 TS	223	return 1;
	224	}
	225
	226	/*
	227	* Provide any AAD. This can be called multiple times.
	228	* Per RFC5297, the last piece of associated data
	229	* is the nonce, but it's not treated special
	230	*/
	231	int CRYPTO_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
	232	size_t len)
	233	{
9a3b5b76	234	SIV_BLOCK mac_out;
b1ceb439	235	size_t out_len = SIV_LEN;
be5fc053	236	EVP_MAC_CTX *mac_ctx;
b1ceb439 TS	237
	238	siv128_dbl(&ctx->d);
	239
776796e8	240	if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
be5fc053	241	\|\| !EVP_MAC_update(mac_ctx, aad, len)
776796e8 RL	242	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
776796e8 RL	243	sizeof(mac_out.byte))
be5fc053 KR	244	\|\| out_len != SIV_LEN) {
be5fc053 KR	245	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	246	return 0;
be5fc053 KR	247	}
be5fc053 KR	248	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	249
9a3b5b76	250	siv128_xorblock(&ctx->d, &mac_out);
b1ceb439 TS	251
b1ceb439 TS	252	return 1;
b1ceb439 TS	253	}
	254
	255	/*
	256	* Provide any data to be encrypted. This can be called once.
	257	*/
	258	int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
	259	const unsigned char in, unsigned char out,
	260	size_t len)
	261	{
	262	SIV_BLOCK q;
	263
	264	/* can only do one crypto operation */
	265	if (ctx->crypto_ok == 0)
	266	return 0;
	267	ctx->crypto_ok--;
	268
	269	if (!siv128_do_s2v_p(ctx, &q, in, len))
	270	return 0;
	271
	272	memcpy(ctx->tag.byte, &q, SIV_LEN);
	273	q.byte[8] &= 0x7f;
	274	q.byte[12] &= 0x7f;
	275
	276	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
	277	return 0;
	278	ctx->final_ret = 0;
	279	return len;
	280	}
	281
	282	/*
	283	* Provide any data to be decrypted. This can be called once.
	284	*/
	285	int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
	286	const unsigned char in, unsigned char out,
	287	size_t len)
	288	{
	289	unsigned char* p;
	290	SIV_BLOCK t, q;
	291	int i;
	292
	293	/* can only do one crypto operation */
	294	if (ctx->crypto_ok == 0)
	295	return 0;
	296	ctx->crypto_ok--;
	297
	298	memcpy(&q, ctx->tag.byte, SIV_LEN);
	299	q.byte[8] &= 0x7f;
	300	q.byte[12] &= 0x7f;
	301
	302	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
	303	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
	304	return 0;
	305
	306	p = ctx->tag.byte;
	307	for (i = 0; i < SIV_LEN; i++)
	308	t.byte[i] ^= p[i];
	309
	310	if ((t.word[0] \| t.word[1]) != 0) {
	311	OPENSSL_cleanse(out, len);
	312	return 0;
	313	}
	314	ctx->final_ret = 0;
	315	return len;
	316	}
317
318	/*
319	* Return the already calculated final result.
320	*/
321	int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
322	{
323	return ctx->final_ret;
324	}
325
326	/*
327	* Set the tag
328	*/
329	int CRYPTO_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
330	{
331	if (len != SIV_LEN)
332	return 0;
333
334	/* Copy the tag from the supplied buffer */
335	memcpy(ctx->tag.byte, tag, len);
336	return 1;
337	}
338
339	/*
340	* Retrieve the calculated tag
341	*/
342	int CRYPTO_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
343	{
344	if (len != SIV_LEN)
345	return 0;
346
347	/* Copy the tag into the supplied buffer */
348	memcpy(tag, ctx->tag.byte, len);
349	return 1;
350	}
351
352	/*
353	* Release all resources
354	*/
355	int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
356	{
357	if (ctx != NULL) {
358	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
359	ctx->cipher_ctx = NULL;
9a3b5b76 TS	360	EVP_MAC_CTX_free(ctx->mac_ctx_init);
9a3b5b76 TS	361	ctx->mac_ctx_init = NULL;
776796e8 RL	362	EVP_MAC_free(ctx->mac);
776796e8 RL	363	ctx->mac = NULL;
b1ceb439 TS	364	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
	365	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
	366	ctx->final_ret = -1;
	367	ctx->crypto_ok = 1;
	368	}
	369	return 1;
	370	}
	371
	372	int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
	373	{
	374	ctx->crypto_ok = (arg == 1) ? -1 : 1;
	375	return 1;
	376	}
	377
	378	#endif /* OPENSSL_NO_SIV */