]>
Commit | Line | Data |
---|---|---|
743694a6 | 1 | /* |
fecb3aae | 2 | * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved. |
743694a6 MC |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
946bdd12 | 10 | /* This header can move into provider when legacy support is removed */ |
459b15d4 SL |
11 | #include <openssl/modes.h> |
12 | ||
13 | #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) | |
14 | typedef __int64 i64; | |
15 | typedef unsigned __int64 u64; | |
16 | # define U64(C) C##UI64 | |
17 | #elif defined(__arch64__) | |
18 | typedef long i64; | |
19 | typedef unsigned long u64; | |
20 | # define U64(C) C##UL | |
21 | #else | |
22 | typedef long long i64; | |
23 | typedef unsigned long long u64; | |
24 | # define U64(C) C##ULL | |
25 | #endif | |
26 | ||
27 | typedef unsigned int u32; | |
28 | typedef unsigned char u8; | |
29 | ||
30 | #define STRICT_ALIGNMENT 1 | |
31 | #ifndef PEDANTIC | |
32 | # if defined(__i386) || defined(__i386__) || \ | |
33 | defined(__x86_64) || defined(__x86_64__) || \ | |
34 | defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ | |
35 | defined(__aarch64__) || \ | |
36 | defined(__s390__) || defined(__s390x__) | |
37 | # undef STRICT_ALIGNMENT | |
38 | # endif | |
39 | #endif | |
40 | ||
41 | #if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) | |
42 | # if defined(__GNUC__) && __GNUC__>=2 | |
43 | # if defined(__x86_64) || defined(__x86_64__) | |
44 | # define BSWAP8(x) ({ u64 ret_=(x); \ | |
45 | asm ("bswapq %0" \ | |
46 | : "+r"(ret_)); ret_; }) | |
47 | # define BSWAP4(x) ({ u32 ret_=(x); \ | |
48 | asm ("bswapl %0" \ | |
49 | : "+r"(ret_)); ret_; }) | |
50 | # elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY) | |
51 | # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ | |
52 | asm ("bswapl %0; bswapl %1" \ | |
53 | : "+r"(hi_),"+r"(lo_)); \ | |
54 | (u64)hi_<<32|lo_; }) | |
55 | # define BSWAP4(x) ({ u32 ret_=(x); \ | |
56 | asm ("bswapl %0" \ | |
57 | : "+r"(ret_)); ret_; }) | |
58 | # elif defined(__aarch64__) | |
bc8b648f | 59 | # if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \ |
60 | __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__ | |
61 | # define BSWAP8(x) ({ u64 ret_; \ | |
459b15d4 SL |
62 | asm ("rev %0,%1" \ |
63 | : "=r"(ret_) : "r"(x)); ret_; }) | |
bc8b648f | 64 | # define BSWAP4(x) ({ u32 ret_; \ |
459b15d4 SL |
65 | asm ("rev %w0,%w1" \ |
66 | : "=r"(ret_) : "r"(x)); ret_; }) | |
bc8b648f | 67 | # endif |
459b15d4 SL |
68 | # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) |
69 | # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ | |
70 | asm ("rev %0,%0; rev %1,%1" \ | |
71 | : "+r"(hi_),"+r"(lo_)); \ | |
72 | (u64)hi_<<32|lo_; }) | |
73 | # define BSWAP4(x) ({ u32 ret_; \ | |
74 | asm ("rev %0,%1" \ | |
75 | : "=r"(ret_) : "r"((u32)(x))); \ | |
76 | ret_; }) | |
48b67766 | 77 | # elif (defined(__riscv_zbb) || defined(__riscv_zbkb)) && __riscv_xlen == 64 |
e4fd3fc3 HB |
78 | # define BSWAP8(x) ({ u64 ret_=(x); \ |
79 | asm ("rev8 %0,%0" \ | |
80 | : "+r"(ret_)); ret_; }) | |
81 | # define BSWAP4(x) ({ u32 ret_=(x); \ | |
82 | asm ("rev8 %0,%0; srli %0,%0,32"\ | |
48b67766 | 83 | : "+&r"(ret_)); ret_; }) |
459b15d4 SL |
84 | # endif |
85 | # elif defined(_MSC_VER) | |
86 | # if _MSC_VER>=1300 | |
87 | # include <stdlib.h> | |
88 | # pragma intrinsic(_byteswap_uint64,_byteswap_ulong) | |
89 | # define BSWAP8(x) _byteswap_uint64((u64)(x)) | |
90 | # define BSWAP4(x) _byteswap_ulong((u32)(x)) | |
91 | # elif defined(_M_IX86) | |
92 | __inline u32 _bswap4(u32 val) | |
93 | { | |
94 | _asm mov eax, val _asm bswap eax} | |
95 | # define BSWAP4(x) _bswap4(x) | |
96 | # endif | |
97 | # endif | |
98 | #endif | |
99 | #if defined(BSWAP4) && !defined(STRICT_ALIGNMENT) | |
100 | # define GETU32(p) BSWAP4(*(const u32 *)(p)) | |
101 | # define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v) | |
102 | #else | |
103 | # define GETU32(p) ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3]) | |
104 | # define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v)) | |
105 | #endif | |
106 | /*- GCM definitions */ typedef struct { | |
107 | u64 hi, lo; | |
108 | } u128; | |
109 | ||
92c9086e TS |
110 | typedef void (*gcm_init_fn)(u128 Htable[16], const u64 H[2]); |
111 | typedef void (*gcm_ghash_fn)(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len); | |
112 | typedef void (*gcm_gmult_fn)(u64 Xi[2], const u128 Htable[16]); | |
113 | struct gcm_funcs_st { | |
114 | gcm_init_fn ginit; | |
115 | gcm_ghash_fn ghash; | |
116 | gcm_gmult_fn gmult; | |
117 | }; | |
118 | ||
459b15d4 SL |
119 | struct gcm128_context { |
120 | /* Following 6 names follow names in GCM specification */ | |
121 | union { | |
122 | u64 u[2]; | |
123 | u32 d[4]; | |
124 | u8 c[16]; | |
125 | size_t t[16 / sizeof(size_t)]; | |
126 | } Yi, EKi, EK0, len, Xi, H; | |
127 | /* | |
63b996e7 AM |
128 | * Relative position of Yi, EKi, EK0, len, Xi, H and pre-computed Htable is |
129 | * used in some assembler modules, i.e. don't change the order! | |
459b15d4 | 130 | */ |
459b15d4 | 131 | u128 Htable[16]; |
92c9086e | 132 | struct gcm_funcs_st funcs; |
459b15d4 SL |
133 | unsigned int mres, ares; |
134 | block128_f block; | |
135 | void *key; | |
136 | #if !defined(OPENSSL_SMALL_FOOTPRINT) | |
137 | unsigned char Xn[48]; | |
138 | #endif | |
139 | }; | |
140 | ||
0113ec84 TS |
141 | /* GHASH functions */ |
142 | void ossl_gcm_init_4bit(u128 Htable[16], const u64 H[2]); | |
143 | void ossl_gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], | |
144 | const u8 *inp, size_t len); | |
145 | void ossl_gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]); | |
146 | ||
459b15d4 SL |
147 | /* |
148 | * The maximum permitted number of cipher blocks per data unit in XTS mode. | |
149 | * Reference IEEE Std 1619-2018. | |
150 | */ | |
151 | #define XTS_MAX_BLOCKS_PER_DATA_UNIT (1<<20) | |
152 | ||
153 | struct xts128_context { | |
154 | void *key1, *key2; | |
155 | block128_f block1, block2; | |
156 | }; | |
157 | ||
158 | struct ccm128_context { | |
159 | union { | |
160 | u64 u[2]; | |
161 | u8 c[16]; | |
162 | } nonce, cmac; | |
163 | u64 blocks; | |
164 | block128_f block; | |
165 | void *key; | |
166 | }; | |
167 | ||
168 | #ifndef OPENSSL_NO_OCB | |
169 | ||
170 | typedef union { | |
171 | u64 a[2]; | |
172 | unsigned char c[16]; | |
173 | } OCB_BLOCK; | |
174 | # define ocb_block16_xor(in1,in2,out) \ | |
175 | ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \ | |
176 | (out)->a[1]=(in1)->a[1]^(in2)->a[1] ) | |
177 | # if STRICT_ALIGNMENT | |
178 | # define ocb_block16_xor_misaligned(in1,in2,out) \ | |
179 | ocb_block_xor((in1)->c,(in2)->c,16,(out)->c) | |
180 | # else | |
181 | # define ocb_block16_xor_misaligned ocb_block16_xor | |
182 | # endif | |
183 | ||
184 | struct ocb128_context { | |
185 | /* Need both encrypt and decrypt key schedules for decryption */ | |
186 | block128_f encrypt; | |
187 | block128_f decrypt; | |
188 | void *keyenc; | |
189 | void *keydec; | |
190 | ocb128_f stream; /* direction dependent */ | |
191 | /* Key dependent variables. Can be reused if key remains the same */ | |
192 | size_t l_index; | |
193 | size_t max_l_index; | |
194 | OCB_BLOCK l_star; | |
195 | OCB_BLOCK l_dollar; | |
196 | OCB_BLOCK *l; | |
197 | /* Must be reset for each session */ | |
198 | struct { | |
199 | u64 blocks_hashed; | |
200 | u64 blocks_processed; | |
201 | OCB_BLOCK offset_aad; | |
202 | OCB_BLOCK sum; | |
203 | OCB_BLOCK offset; | |
204 | OCB_BLOCK checksum; | |
205 | } sess; | |
206 | }; | |
207 | #endif /* OPENSSL_NO_OCB */ | |
208 | ||
743694a6 MC |
209 | #ifndef OPENSSL_NO_SIV |
210 | ||
459b15d4 SL |
211 | #define SIV_LEN 16 |
212 | ||
213 | typedef union siv_block_u { | |
214 | uint64_t word[SIV_LEN/sizeof(uint64_t)]; | |
215 | unsigned char byte[SIV_LEN]; | |
216 | } SIV_BLOCK; | |
217 | ||
218 | struct siv128_context { | |
219 | /* d stores intermediate results of S2V; it corresponds to D from the | |
220 | pseudocode in section 2.4 of RFC 5297. */ | |
221 | SIV_BLOCK d; | |
222 | SIV_BLOCK tag; | |
223 | EVP_CIPHER_CTX *cipher_ctx; | |
776796e8 | 224 | EVP_MAC *mac; |
459b15d4 SL |
225 | EVP_MAC_CTX *mac_ctx_init; |
226 | int final_ret; | |
227 | int crypto_ok; | |
228 | }; | |
743694a6 MC |
229 | |
230 | #endif /* OPENSSL_NO_SIV */ |