[thirdparty/openssl.git] / include / crypto / modes.h

/*
 * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* This header can move into provider when legacy support is removed */
#include <openssl/modes.h>

#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
typedef __int64 i64;
typedef unsigned __int64 u64;
# define U64(C) C##UI64
#elif defined(__arch64__)
typedef long i64;
typedef unsigned long u64;
# define U64(C) C##UL
#else
typedef long long i64;
typedef unsigned long long u64;
# define U64(C) C##ULL
#endif

typedef unsigned int u32;
typedef unsigned char u8;

#define STRICT_ALIGNMENT 1
#ifndef PEDANTIC
# if defined(__i386)    || defined(__i386__)    || \
     defined(__x86_64)  || defined(__x86_64__)  || \
     defined(_M_IX86)   || defined(_M_AMD64)    || defined(_M_X64) || \
     defined(__aarch64__)                       || \
     defined(__s390__)  || defined(__s390x__)
#  undef STRICT_ALIGNMENT
# endif
#endif

#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__GNUC__) && __GNUC__>=2
#  if defined(__x86_64) || defined(__x86_64__)
#   define BSWAP8(x) ({ u64 ret_=(x);                   \
                        asm ("bswapq %0"                \
                        : "+r"(ret_));   ret_;          })
#   define BSWAP4(x) ({ u32 ret_=(x);                   \
                        asm ("bswapl %0"                \
                        : "+r"(ret_));   ret_;          })
#  elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x);   \
                        asm ("bswapl %0; bswapl %1"     \
                        : "+r"(hi_),"+r"(lo_));         \
                        (u64)hi_<<32|lo_;               })
#   define BSWAP4(x) ({ u32 ret_=(x);                   \
                        asm ("bswapl %0"                \
                        : "+r"(ret_));   ret_;          })
#  elif defined(__aarch64__)
#   if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
       __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
#    define BSWAP8(x) ({ u64 ret_;                       \
                        asm ("rev %0,%1"                \
                        : "=r"(ret_) : "r"(x)); ret_;   })
#    define BSWAP4(x) ({ u32 ret_;                       \
                        asm ("rev %w0,%w1"              \
                        : "=r"(ret_) : "r"(x)); ret_;   })
#   endif
#  elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x);   \
                        asm ("rev %0,%0; rev %1,%1"     \
                        : "+r"(hi_),"+r"(lo_));         \
                        (u64)hi_<<32|lo_;               })
#   define BSWAP4(x) ({ u32 ret_;                       \
                        asm ("rev %0,%1"                \
                        : "=r"(ret_) : "r"((u32)(x)));  \
                        ret_;                           })
#  elif (defined(__riscv_zbb) || defined(__riscv_zbkb)) && __riscv_xlen == 64
#   define BSWAP8(x) ({ u64 ret_=(x);                   \
                        asm ("rev8 %0,%0"               \
                        : "+r"(ret_));   ret_;          })
#   define BSWAP4(x) ({ u32 ret_=(x);                   \
                        asm ("rev8 %0,%0; srli %0,%0,32"\
                        : "+&r"(ret_));  ret_;          })
#  endif
# elif defined(_MSC_VER)
#  if _MSC_VER>=1300
#   include <stdlib.h>
#   pragma intrinsic(_byteswap_uint64,_byteswap_ulong)
#   define BSWAP8(x)    _byteswap_uint64((u64)(x))
#   define BSWAP4(x)    _byteswap_ulong((u32)(x))
#  elif defined(_M_IX86)
__inline u32 _bswap4(u32 val)
{
_asm mov eax, val _asm bswap eax}
#   define BSWAP4(x)    _bswap4(x)
#  endif
# endif
#endif
#if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
# define GETU32(p)       BSWAP4(*(const u32 *)(p))
# define PUTU32(p,v)     *(u32 *)(p) = BSWAP4(v)
#else
# define GETU32(p)       ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
# define PUTU32(p,v)     ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
#endif
/*- GCM definitions */ typedef struct {
    u64 hi, lo;
} u128;

typedef void (*gcm_init_fn)(u128 Htable[16], const u64 H[2]);
typedef void (*gcm_ghash_fn)(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len);
typedef void (*gcm_gmult_fn)(u64 Xi[2], const u128 Htable[16]);
struct gcm_funcs_st {
    gcm_init_fn ginit;
    gcm_ghash_fn ghash;
    gcm_gmult_fn gmult;
};

struct gcm128_context {
    /* Following 6 names follow names in GCM specification */
    union {
        u64 u[2];
        u32 d[4];
        u8 c[16];
        size_t t[16 / sizeof(size_t)];
    } Yi, EKi, EK0, len, Xi, H;
    /*
     * Relative position of Yi, EKi, EK0, len, Xi, H and pre-computed Htable is
     * used in some assembler modules, i.e. don't change the order!
     */
    u128 Htable[16];
    struct gcm_funcs_st funcs;
    unsigned int mres, ares;
    block128_f block;
    void *key;
#if !defined(OPENSSL_SMALL_FOOTPRINT)
    unsigned char Xn[48];
#endif
};

/* GHASH functions */
void ossl_gcm_init_4bit(u128 Htable[16], const u64 H[2]);
void ossl_gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
                         const u8 *inp, size_t len);
void ossl_gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);

/*
 * The maximum permitted number of cipher blocks per data unit in XTS mode.
 * Reference IEEE Std 1619-2018.
 */
#define XTS_MAX_BLOCKS_PER_DATA_UNIT            (1<<20)

struct xts128_context {
    void *key1, *key2;
    block128_f block1, block2;
};

struct ccm128_context {
    union {
        u64 u[2];
        u8 c[16];
    } nonce, cmac;
    u64 blocks;
    block128_f block;
    void *key;
};

#ifndef OPENSSL_NO_OCB

typedef union {
    u64 a[2];
    unsigned char c[16];
} OCB_BLOCK;
# define ocb_block16_xor(in1,in2,out) \
    ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
      (out)->a[1]=(in1)->a[1]^(in2)->a[1] )
# if STRICT_ALIGNMENT
#  define ocb_block16_xor_misaligned(in1,in2,out) \
    ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
# else
#  define ocb_block16_xor_misaligned ocb_block16_xor
# endif

struct ocb128_context {
    /* Need both encrypt and decrypt key schedules for decryption */
    block128_f encrypt;
    block128_f decrypt;
    void *keyenc;
    void *keydec;
    ocb128_f stream;    /* direction dependent */
    /* Key dependent variables. Can be reused if key remains the same */
    size_t l_index;
    size_t max_l_index;
    OCB_BLOCK l_star;
    OCB_BLOCK l_dollar;
    OCB_BLOCK *l;
    /* Must be reset for each session */
    struct {
        u64 blocks_hashed;
        u64 blocks_processed;
        OCB_BLOCK offset_aad;
        OCB_BLOCK sum;
        OCB_BLOCK offset;
        OCB_BLOCK checksum;
    } sess;
};
#endif                          /* OPENSSL_NO_OCB */

#ifndef OPENSSL_NO_SIV

#define SIV_LEN 16

typedef union siv_block_u {
    uint64_t word[SIV_LEN/sizeof(uint64_t)];
    unsigned char byte[SIV_LEN];
} SIV_BLOCK;

struct siv128_context {
    /* d stores intermediate results of S2V; it corresponds to D from the
       pseudocode in section 2.4 of RFC 5297. */
    SIV_BLOCK d;
    SIV_BLOCK tag;
    EVP_CIPHER_CTX *cipher_ctx;
    EVP_MAC *mac;
    EVP_MAC_CTX *mac_ctx_init;
    int final_ret;
    int crypto_ok;
};

#endif /* OPENSSL_NO_SIV */
Commit	Line	Data
743694a6	1	/*
fecb3aae	2	* Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
743694a6 MC	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
946bdd12	10	/* This header can move into provider when legacy support is removed */
459b15d4 SL	11	#include <openssl/modes.h>
	12
	13	#if (defined(_WIN32) \|\| defined(_WIN64)) && !defined(__MINGW32__)
	14	typedef __int64 i64;
	15	typedef unsigned __int64 u64;
	16	# define U64(C) C##UI64
	17	#elif defined(__arch64__)
	18	typedef long i64;
	19	typedef unsigned long u64;
	20	# define U64(C) C##UL
	21	#else
	22	typedef long long i64;
	23	typedef unsigned long long u64;
	24	# define U64(C) C##ULL
	25	#endif
	26
	27	typedef unsigned int u32;
	28	typedef unsigned char u8;
	29
	30	#define STRICT_ALIGNMENT 1
	31	#ifndef PEDANTIC
	32	# if defined(__i386) \|\| defined(__i386__) \|\| \
	33	defined(__x86_64) \|\| defined(__x86_64__) \|\| \
	34	defined(_M_IX86) \|\| defined(_M_AMD64) \|\| defined(_M_X64) \|\| \
	35	defined(__aarch64__) \|\| \
	36	defined(__s390__) \|\| defined(__s390x__)
	37	# undef STRICT_ALIGNMENT
	38	# endif
	39	#endif
	40
	41	#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
	42	# if defined(__GNUC__) && __GNUC__>=2
	43	# if defined(__x86_64) \|\| defined(__x86_64__)
	44	# define BSWAP8(x) ({ u64 ret_=(x); \
	45	asm ("bswapq %0" \
	46	: "+r"(ret_)); ret_; })
	47	# define BSWAP4(x) ({ u32 ret_=(x); \
	48	asm ("bswapl %0" \
	49	: "+r"(ret_)); ret_; })
	50	# elif (defined(__i386) \|\| defined(__i386__)) && !defined(I386_ONLY)
	51	# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
	52	asm ("bswapl %0; bswapl %1" \
	53	: "+r"(hi_),"+r"(lo_)); \
	54	(u64)hi_<<32\|lo_; })
	55	# define BSWAP4(x) ({ u32 ret_=(x); \
	56	asm ("bswapl %0" \
	57	: "+r"(ret_)); ret_; })
	58	# elif defined(__aarch64__)
bc8b648f	59	# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
	60	__BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
	61	# define BSWAP8(x) ({ u64 ret_; \
459b15d4 SL	62	asm ("rev %0,%1" \
459b15d4 SL	63	: "=r"(ret_) : "r"(x)); ret_; })
bc8b648f	64	# define BSWAP4(x) ({ u32 ret_; \
459b15d4 SL	65	asm ("rev %w0,%w1" \
459b15d4 SL	66	: "=r"(ret_) : "r"(x)); ret_; })
bc8b648f	67	# endif
459b15d4 SL	68	# elif (defined(__arm__) \|\| defined(__arm)) && !defined(STRICT_ALIGNMENT)
	69	# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
	70	asm ("rev %0,%0; rev %1,%1" \
	71	: "+r"(hi_),"+r"(lo_)); \
	72	(u64)hi_<<32\|lo_; })
	73	# define BSWAP4(x) ({ u32 ret_; \
	74	asm ("rev %0,%1" \
	75	: "=r"(ret_) : "r"((u32)(x))); \
	76	ret_; })
48b67766	77	# elif (defined(__riscv_zbb) \|\| defined(__riscv_zbkb)) && __riscv_xlen == 64
e4fd3fc3 HB	78	# define BSWAP8(x) ({ u64 ret_=(x); \
	79	asm ("rev8 %0,%0" \
	80	: "+r"(ret_)); ret_; })
	81	# define BSWAP4(x) ({ u32 ret_=(x); \
	82	asm ("rev8 %0,%0; srli %0,%0,32"\
48b67766	83	: "+&r"(ret_)); ret_; })
459b15d4 SL	84	# endif
	85	# elif defined(_MSC_VER)
	86	# if _MSC_VER>=1300
	87	# include <stdlib.h>
	88	# pragma intrinsic(_byteswap_uint64,_byteswap_ulong)
	89	# define BSWAP8(x) _byteswap_uint64((u64)(x))
	90	# define BSWAP4(x) _byteswap_ulong((u32)(x))
	91	# elif defined(_M_IX86)
	92	__inline u32 _bswap4(u32 val)
	93	{
	94	_asm mov eax, val _asm bswap eax}
	95	# define BSWAP4(x) _bswap4(x)
	96	# endif
	97	# endif
	98	#endif
	99	#if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
	100	# define GETU32(p) BSWAP4((const u32 )(p))
	101	# define PUTU32(p,v) (u32 )(p) = BSWAP4(v)
	102	#else
	103	# define GETU32(p) ((u32)(p)[0]<<24\|(u32)(p)[1]<<16\|(u32)(p)[2]<<8\|(u32)(p)[3])
	104	# define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
	105	#endif
	106	/- GCM definitions / typedef struct {
	107	u64 hi, lo;
	108	} u128;
	109
92c9086e TS	110	typedef void (*gcm_init_fn)(u128 Htable[16], const u64 H[2]);
	111	typedef void (gcm_ghash_fn)(u64 Xi[2], const u128 Htable[16], const u8 inp, size_t len);
	112	typedef void (*gcm_gmult_fn)(u64 Xi[2], const u128 Htable[16]);
	113	struct gcm_funcs_st {
	114	gcm_init_fn ginit;
	115	gcm_ghash_fn ghash;
	116	gcm_gmult_fn gmult;
	117	};
	118
459b15d4 SL	119	struct gcm128_context {
	120	/* Following 6 names follow names in GCM specification */
	121	union {
	122	u64 u[2];
	123	u32 d[4];
	124	u8 c[16];
	125	size_t t[16 / sizeof(size_t)];
	126	} Yi, EKi, EK0, len, Xi, H;
	127	/*
63b996e7 AM	128	* Relative position of Yi, EKi, EK0, len, Xi, H and pre-computed Htable is
63b996e7 AM	129	* used in some assembler modules, i.e. don't change the order!
459b15d4	130	*/
459b15d4	131	u128 Htable[16];
92c9086e	132	struct gcm_funcs_st funcs;
459b15d4 SL	133	unsigned int mres, ares;
	134	block128_f block;
	135	void *key;
	136	#if !defined(OPENSSL_SMALL_FOOTPRINT)
	137	unsigned char Xn[48];
	138	#endif
	139	};
	140
0113ec84 TS	141	/* GHASH functions */
	142	void ossl_gcm_init_4bit(u128 Htable[16], const u64 H[2]);
	143	void ossl_gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
	144	const u8 *inp, size_t len);
	145	void ossl_gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);
	146
459b15d4 SL	147	/*
	148	* The maximum permitted number of cipher blocks per data unit in XTS mode.
	149	* Reference IEEE Std 1619-2018.
	150	*/
	151	#define XTS_MAX_BLOCKS_PER_DATA_UNIT (1<<20)
	152
	153	struct xts128_context {
	154	void key1, key2;
	155	block128_f block1, block2;
	156	};
	157
	158	struct ccm128_context {
	159	union {
	160	u64 u[2];
	161	u8 c[16];
	162	} nonce, cmac;
	163	u64 blocks;
	164	block128_f block;
	165	void *key;
	166	};
	167
	168	#ifndef OPENSSL_NO_OCB
	169
	170	typedef union {
	171	u64 a[2];
	172	unsigned char c[16];
	173	} OCB_BLOCK;
	174	# define ocb_block16_xor(in1,in2,out) \
	175	( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
	176	(out)->a[1]=(in1)->a[1]^(in2)->a[1] )
	177	# if STRICT_ALIGNMENT
	178	# define ocb_block16_xor_misaligned(in1,in2,out) \
	179	ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
	180	# else
	181	# define ocb_block16_xor_misaligned ocb_block16_xor
	182	# endif
	183
	184	struct ocb128_context {
	185	/* Need both encrypt and decrypt key schedules for decryption */
	186	block128_f encrypt;
	187	block128_f decrypt;
	188	void *keyenc;
	189	void *keydec;
	190	ocb128_f stream; /* direction dependent */
	191	/* Key dependent variables. Can be reused if key remains the same */
	192	size_t l_index;
	193	size_t max_l_index;
	194	OCB_BLOCK l_star;
	195	OCB_BLOCK l_dollar;
	196	OCB_BLOCK *l;
	197	/* Must be reset for each session */
	198	struct {
	199	u64 blocks_hashed;
	200	u64 blocks_processed;
	201	OCB_BLOCK offset_aad;
	202	OCB_BLOCK sum;
	203	OCB_BLOCK offset;
	204	OCB_BLOCK checksum;
	205	} sess;
	206	};
	207	#endif /* OPENSSL_NO_OCB */
	208
743694a6 MC	209	#ifndef OPENSSL_NO_SIV
743694a6 MC	210
459b15d4 SL	211	#define SIV_LEN 16
	212
	213	typedef union siv_block_u {
	214	uint64_t word[SIV_LEN/sizeof(uint64_t)];
	215	unsigned char byte[SIV_LEN];
	216	} SIV_BLOCK;
	217
	218	struct siv128_context {
	219	/* d stores intermediate results of S2V; it corresponds to D from the
	220	pseudocode in section 2.4 of RFC 5297. */
	221	SIV_BLOCK d;
	222	SIV_BLOCK tag;
	223	EVP_CIPHER_CTX *cipher_ctx;
776796e8	224	EVP_MAC *mac;
459b15d4 SL	225	EVP_MAC_CTX *mac_ctx_init;
	226	int final_ret;
	227	int crypto_ok;
	228	};
743694a6 MC	229
743694a6 MC	230	#endif /* OPENSSL_NO_SIV */