[thirdparty/openssl.git] / crypto / modes / siv128.c

/*
 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include "internal/modes_int.h"
#include "modes_lcl.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
                                        SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
                                              unsigned char const* in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len)
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}


__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                             unsigned char const *in, size_t len,
                                             SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
                       const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;

    memset(&ctx->d, 0, sizeof(ctx->d));
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL
            || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
            || (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
            || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
            || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
            || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
            || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len)) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len)
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return len;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    unsigned char* p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return len;
}

/*
 * Return the already calculated final result.
 */
int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif                          /* OPENSSL_NO_SIV */
Commit	Line	Data
b1ceb439 TS	1	/*
	2	* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <stdlib.h>
	12	#include <openssl/crypto.h>
743694a6	13	#include "internal/modes_int.h"
b1ceb439 TS	14	#include "modes_lcl.h"
	15
	16	#ifndef OPENSSL_NO_SIV
	17
	18	__owur static ossl_inline uint32_t rotl8(uint32_t x)
	19	{
	20	return (x << 8) \| (x >> 24);
	21	}
	22
	23	__owur static ossl_inline uint32_t rotr8(uint32_t x)
	24	{
	25	return (x >> 8) \| (x << 24);
	26	}
	27
	28	__owur static ossl_inline uint64_t byteswap8(uint64_t x)
	29	{
	30	uint32_t high = (uint32_t)(x >> 32);
	31	uint32_t low = (uint32_t)x;
	32
	33	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
	34	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
	35	return ((uint64_t)low) << 32 \| (uint64_t)high;
	36	}
	37
	38	__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
	39	{
	40	const union {
	41	long one;
	42	char little;
	43	} is_endian = { 1 };
	44
	45	if (is_endian.little)
	46	return byteswap8(b->word[i]);
	47	return b->word[i];
	48	}
	49
	50	static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
	51	{
	52	const union {
	53	long one;
	54	char little;
	55	} is_endian = { 1 };
	56
	57	if (is_endian.little)
	58	b->word[i] = byteswap8(x);
	59	else
	60	b->word[i] = x;
	61	}
	62
	63	static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
	64	SIV_BLOCK const *y)
	65	{
	66	x->word[0] ^= y->word[0];
	67	x->word[1] ^= y->word[1];
	68	}
	69
	70	/*
	71	* Doubles \|b\|, which is 16 bytes representing an element
	72	* of GF(2**128) modulo the irreducible polynomial
	73	* x128 + x7 + x**2 + x + 1.
	74	* Assumes two's-complement arithmetic
	75	*/
	76	static ossl_inline void siv128_dbl(SIV_BLOCK *b)
	77	{
78	uint64_t high = siv128_getword(b, 0);
79	uint64_t low = siv128_getword(b, 1);
80	uint64_t high_carry = high & (((uint64_t)1) << 63);
81	uint64_t low_carry = low & (((uint64_t)1) << 63);
82	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
83	uint64_t high_mask = low_carry >> 63;
84
85	high = (high << 1) \| high_mask;
86	low = (low << 1) ^ (uint64_t)low_mask;
87	siv128_putword(b, 0, high);
88	siv128_putword(b, 1, low);
89	}
90
91	__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
92	unsigned char const* in, size_t len)
93	{
94	SIV_BLOCK t;
95	size_t out_len = sizeof(out->byte);
be5fc053 KR	96	EVP_MAC_CTX *mac_ctx;
be5fc053 KR	97	int ret = 0;
b1ceb439	98
be5fc053 KR	99	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
be5fc053 KR	100	if (mac_ctx == NULL)
b1ceb439 TS	101	return 0;
	102
	103	if (len >= SIV_LEN) {
be5fc053 KR	104	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
be5fc053 KR	105	goto err;
b1ceb439 TS	106	memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
b1ceb439 TS	107	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	108	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	109	goto err;
b1ceb439 TS	110	} else {
	111	memset(&t, 0, sizeof(t));
	112	memcpy(&t, in, len);
	113	t.byte[len] = 0x80;
	114	siv128_dbl(&ctx->d);
	115	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	116	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	117	goto err;
b1ceb439	118	}
be5fc053	119	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len)
b1ceb439	120	\|\| out_len != SIV_LEN)
be5fc053 KR	121	goto err;
	122
	123	ret = 1;
	124
	125	err:
	126	EVP_MAC_CTX_free(mac_ctx);
	127	return ret;
b1ceb439 TS	128	}
	129
	130
	131	__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
	132	unsigned char const *in, size_t len,
	133	SIV_BLOCK *icv)
	134	{
	135	int out_len = (int)len;
	136
	137	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
	138	return 0;
	139	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
	140	}
	141
	142	/*
	143	* Create a new SIV128_CONTEXT
	144	*/
	145	SIV128_CONTEXT CRYPTO_siv128_new(const unsigned char key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
	146	{
	147	SIV128_CONTEXT *ctx;
	148	int ret;
	149
	150	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
	151	ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
	152	if (ret)
	153	return ctx;
	154	OPENSSL_free(ctx);
	155	}
	156
	157	return NULL;
	158	}
	159
	160	/*
	161	* Initialise an existing SIV128_CONTEXT
	162	*/
	163	int CRYPTO_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
	164	const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
	165	{
	166	static const unsigned char zero[SIV_LEN] = { 0 };
	167	size_t out_len = SIV_LEN;
be5fc053	168	EVP_MAC_CTX *mac_ctx = NULL;
b1ceb439 TS	169
	170	memset(&ctx->d, 0, sizeof(ctx->d));
	171	ctx->cipher_ctx = NULL;
9a3b5b76	172	ctx->mac_ctx_init = NULL;
b1ceb439 TS	173
	174	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL
	175	\|\| (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
9a3b5b76	176	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
17838470 MC	177	\|\| EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
17838470 MC	178	\|\| EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
b1ceb439	179	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
be5fc053 KR	180	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
	181	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
	182	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len)) {
b1ceb439	183	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
9a3b5b76	184	EVP_MAC_CTX_free(ctx->mac_ctx_init);
be5fc053	185	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	186	return 0;
b1ceb439 TS	187	}
be5fc053	188	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	189
	190	ctx->final_ret = -1;
	191	ctx->crypto_ok = 1;
	192
	193	return 1;
	194	}
	195
	196	/*
	197	* Copy an SIV128_CONTEXT object
	198	*/
	199	int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
	200	{
	201	memcpy(&dest->d, &src->d, sizeof(src->d));
	202	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
	203	return 0;
be5fc053 KR	204	EVP_MAC_CTX_free(dest->mac_ctx_init);
	205	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
	206	if (dest->mac_ctx_init == NULL)
b1ceb439	207	return 0;
b1ceb439 TS	208	return 1;
	209	}
	210
	211	/*
	212	* Provide any AAD. This can be called multiple times.
	213	* Per RFC5297, the last piece of associated data
	214	* is the nonce, but it's not treated special
	215	*/
	216	int CRYPTO_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
	217	size_t len)
	218	{
9a3b5b76	219	SIV_BLOCK mac_out;
b1ceb439	220	size_t out_len = SIV_LEN;
be5fc053	221	EVP_MAC_CTX *mac_ctx;
b1ceb439 TS	222
	223	siv128_dbl(&ctx->d);
	224
be5fc053 KR	225	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
	226	if (mac_ctx == NULL
	227	\|\| !EVP_MAC_update(mac_ctx, aad, len)
	228	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len)
	229	\|\| out_len != SIV_LEN) {
	230	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	231	return 0;
be5fc053 KR	232	}
be5fc053 KR	233	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	234
9a3b5b76	235	siv128_xorblock(&ctx->d, &mac_out);
b1ceb439 TS	236
b1ceb439 TS	237	return 1;
b1ceb439 TS	238	}
	239
	240	/*
	241	* Provide any data to be encrypted. This can be called once.
	242	*/
	243	int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
	244	const unsigned char in, unsigned char out,
	245	size_t len)
	246	{
	247	SIV_BLOCK q;
	248
	249	/* can only do one crypto operation */
	250	if (ctx->crypto_ok == 0)
	251	return 0;
	252	ctx->crypto_ok--;
	253
	254	if (!siv128_do_s2v_p(ctx, &q, in, len))
	255	return 0;
	256
	257	memcpy(ctx->tag.byte, &q, SIV_LEN);
	258	q.byte[8] &= 0x7f;
	259	q.byte[12] &= 0x7f;
	260
	261	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
	262	return 0;
	263	ctx->final_ret = 0;
	264	return len;
	265	}
	266
	267	/*
	268	* Provide any data to be decrypted. This can be called once.
	269	*/
	270	int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
	271	const unsigned char in, unsigned char out,
	272	size_t len)
	273	{
	274	unsigned char* p;
	275	SIV_BLOCK t, q;
	276	int i;
	277
	278	/* can only do one crypto operation */
	279	if (ctx->crypto_ok == 0)
	280	return 0;
	281	ctx->crypto_ok--;
	282
	283	memcpy(&q, ctx->tag.byte, SIV_LEN);
	284	q.byte[8] &= 0x7f;
	285	q.byte[12] &= 0x7f;
	286
	287	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
	288	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
	289	return 0;
	290
	291	p = ctx->tag.byte;
	292	for (i = 0; i < SIV_LEN; i++)
	293	t.byte[i] ^= p[i];
	294
	295	if ((t.word[0] \| t.word[1]) != 0) {
	296	OPENSSL_cleanse(out, len);
	297	return 0;
	298	}
	299	ctx->final_ret = 0;
	300	return len;
	301	}
302
303	/*
304	* Return the already calculated final result.
305	*/
306	int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
307	{
308	return ctx->final_ret;
309	}
310
311	/*
312	* Set the tag
313	*/
314	int CRYPTO_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
315	{
316	if (len != SIV_LEN)
317	return 0;
318
319	/* Copy the tag from the supplied buffer */
320	memcpy(ctx->tag.byte, tag, len);
321	return 1;
322	}
323
324	/*
325	* Retrieve the calculated tag
326	*/
327	int CRYPTO_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
328	{
329	if (len != SIV_LEN)
330	return 0;
331
332	/* Copy the tag into the supplied buffer */
333	memcpy(tag, ctx->tag.byte, len);
334	return 1;
335	}
336
337	/*
338	* Release all resources
339	*/
340	int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
341	{
342	if (ctx != NULL) {
343	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
344	ctx->cipher_ctx = NULL;
9a3b5b76 TS	345	EVP_MAC_CTX_free(ctx->mac_ctx_init);
9a3b5b76 TS	346	ctx->mac_ctx_init = NULL;
b1ceb439 TS	347	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
	348	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
	349	ctx->final_ret = -1;
	350	ctx->crypto_ok = 1;
	351	}
	352	return 1;
	353	}
	354
	355	int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
	356	{
	357	ctx->crypto_ok = (arg == 1) ? -1 : 1;
	358	return 1;
	359	}
	360
	361	#endif /* OPENSSL_NO_SIV */