[thirdparty/openssl.git] / crypto / modes / siv128.c

/*
 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include "modes_lcl.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    const union {
        long one;
        char little;
    } is_endian = { 1 };

    if (is_endian.little)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
                                        SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
                                              unsigned char const* in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len)
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}


__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                             unsigned char const *in, size_t len,
                                             SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
                       const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;

    memset(&ctx->d, 0, sizeof(ctx->d));
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL
            || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
            || (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
            || EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
            || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
            || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
            || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
            || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len)) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len)
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return len;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    unsigned char* p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return len;
}

/*
 * Return the already calculated final result.
 */
int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif                          /* OPENSSL_NO_SIV */
Commit	Line	Data
b1ceb439 TS	1	/*
	2	* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <stdlib.h>
	12	#include <openssl/crypto.h>
b1ceb439 TS	13	#include "modes_lcl.h"
	14
	15	#ifndef OPENSSL_NO_SIV
	16
	17	__owur static ossl_inline uint32_t rotl8(uint32_t x)
	18	{
	19	return (x << 8) \| (x >> 24);
	20	}
	21
	22	__owur static ossl_inline uint32_t rotr8(uint32_t x)
	23	{
	24	return (x >> 8) \| (x << 24);
	25	}
	26
	27	__owur static ossl_inline uint64_t byteswap8(uint64_t x)
	28	{
	29	uint32_t high = (uint32_t)(x >> 32);
	30	uint32_t low = (uint32_t)x;
	31
	32	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
	33	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
	34	return ((uint64_t)low) << 32 \| (uint64_t)high;
	35	}
	36
	37	__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
	38	{
	39	const union {
	40	long one;
	41	char little;
	42	} is_endian = { 1 };
	43
	44	if (is_endian.little)
	45	return byteswap8(b->word[i]);
	46	return b->word[i];
	47	}
	48
	49	static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
	50	{
	51	const union {
	52	long one;
	53	char little;
	54	} is_endian = { 1 };
	55
	56	if (is_endian.little)
	57	b->word[i] = byteswap8(x);
	58	else
	59	b->word[i] = x;
	60	}
	61
	62	static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
	63	SIV_BLOCK const *y)
	64	{
	65	x->word[0] ^= y->word[0];
	66	x->word[1] ^= y->word[1];
	67	}
	68
	69	/*
	70	* Doubles \|b\|, which is 16 bytes representing an element
	71	* of GF(2**128) modulo the irreducible polynomial
	72	* x128 + x7 + x**2 + x + 1.
	73	* Assumes two's-complement arithmetic
	74	*/
	75	static ossl_inline void siv128_dbl(SIV_BLOCK *b)
	76	{
77	uint64_t high = siv128_getword(b, 0);
78	uint64_t low = siv128_getword(b, 1);
79	uint64_t high_carry = high & (((uint64_t)1) << 63);
80	uint64_t low_carry = low & (((uint64_t)1) << 63);
81	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
82	uint64_t high_mask = low_carry >> 63;
83
84	high = (high << 1) \| high_mask;
85	low = (low << 1) ^ (uint64_t)low_mask;
86	siv128_putword(b, 0, high);
87	siv128_putword(b, 1, low);
88	}
89
90	__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
91	unsigned char const* in, size_t len)
92	{
93	SIV_BLOCK t;
94	size_t out_len = sizeof(out->byte);
be5fc053 KR	95	EVP_MAC_CTX *mac_ctx;
be5fc053 KR	96	int ret = 0;
b1ceb439	97
be5fc053 KR	98	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
be5fc053 KR	99	if (mac_ctx == NULL)
b1ceb439 TS	100	return 0;
	101
	102	if (len >= SIV_LEN) {
be5fc053 KR	103	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
be5fc053 KR	104	goto err;
b1ceb439 TS	105	memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
b1ceb439 TS	106	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	107	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	108	goto err;
b1ceb439 TS	109	} else {
	110	memset(&t, 0, sizeof(t));
	111	memcpy(&t, in, len);
	112	t.byte[len] = 0x80;
	113	siv128_dbl(&ctx->d);
	114	siv128_xorblock(&t, &ctx->d);
be5fc053 KR	115	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
be5fc053 KR	116	goto err;
b1ceb439	117	}
be5fc053	118	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len)
b1ceb439	119	\|\| out_len != SIV_LEN)
be5fc053 KR	120	goto err;
	121
	122	ret = 1;
	123
	124	err:
	125	EVP_MAC_CTX_free(mac_ctx);
	126	return ret;
b1ceb439 TS	127	}
	128
	129
	130	__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
	131	unsigned char const *in, size_t len,
	132	SIV_BLOCK *icv)
	133	{
	134	int out_len = (int)len;
	135
	136	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
	137	return 0;
	138	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
	139	}
	140
	141	/*
	142	* Create a new SIV128_CONTEXT
	143	*/
	144	SIV128_CONTEXT CRYPTO_siv128_new(const unsigned char key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
	145	{
	146	SIV128_CONTEXT *ctx;
	147	int ret;
	148
	149	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
	150	ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
	151	if (ret)
	152	return ctx;
	153	OPENSSL_free(ctx);
	154	}
	155
	156	return NULL;
	157	}
	158
	159	/*
	160	* Initialise an existing SIV128_CONTEXT
	161	*/
	162	int CRYPTO_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
	163	const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
	164	{
	165	static const unsigned char zero[SIV_LEN] = { 0 };
	166	size_t out_len = SIV_LEN;
be5fc053	167	EVP_MAC_CTX *mac_ctx = NULL;
b1ceb439 TS	168
	169	memset(&ctx->d, 0, sizeof(ctx->d));
	170	ctx->cipher_ctx = NULL;
9a3b5b76	171	ctx->mac_ctx_init = NULL;
b1ceb439 TS	172
	173	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL
	174	\|\| (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
9a3b5b76	175	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new_id(EVP_MAC_CMAC)) == NULL
17838470 MC	176	\|\| EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_CIPHER, cbc) <= 0
17838470 MC	177	\|\| EVP_MAC_ctrl(ctx->mac_ctx_init, EVP_MAC_CTRL_SET_KEY, key, klen) <= 0
b1ceb439	178	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
be5fc053 KR	179	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
	180	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
	181	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len)) {
b1ceb439	182	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
9a3b5b76	183	EVP_MAC_CTX_free(ctx->mac_ctx_init);
be5fc053	184	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	185	return 0;
b1ceb439 TS	186	}
be5fc053	187	EVP_MAC_CTX_free(mac_ctx);
b1ceb439 TS	188
	189	ctx->final_ret = -1;
	190	ctx->crypto_ok = 1;
	191
	192	return 1;
	193	}
	194
	195	/*
	196	* Copy an SIV128_CONTEXT object
	197	*/
	198	int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
	199	{
	200	memcpy(&dest->d, &src->d, sizeof(src->d));
	201	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
	202	return 0;
be5fc053 KR	203	EVP_MAC_CTX_free(dest->mac_ctx_init);
	204	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
	205	if (dest->mac_ctx_init == NULL)
b1ceb439	206	return 0;
b1ceb439 TS	207	return 1;
	208	}
	209
	210	/*
	211	* Provide any AAD. This can be called multiple times.
	212	* Per RFC5297, the last piece of associated data
	213	* is the nonce, but it's not treated special
	214	*/
	215	int CRYPTO_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
	216	size_t len)
	217	{
9a3b5b76	218	SIV_BLOCK mac_out;
b1ceb439	219	size_t out_len = SIV_LEN;
be5fc053	220	EVP_MAC_CTX *mac_ctx;
b1ceb439 TS	221
	222	siv128_dbl(&ctx->d);
	223
be5fc053 KR	224	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
	225	if (mac_ctx == NULL
	226	\|\| !EVP_MAC_update(mac_ctx, aad, len)
	227	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len)
	228	\|\| out_len != SIV_LEN) {
	229	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	230	return 0;
be5fc053 KR	231	}
be5fc053 KR	232	EVP_MAC_CTX_free(mac_ctx);
b1ceb439	233
9a3b5b76	234	siv128_xorblock(&ctx->d, &mac_out);
b1ceb439 TS	235
b1ceb439 TS	236	return 1;
b1ceb439 TS	237	}
	238
	239	/*
	240	* Provide any data to be encrypted. This can be called once.
	241	*/
	242	int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
	243	const unsigned char in, unsigned char out,
	244	size_t len)
	245	{
	246	SIV_BLOCK q;
	247
	248	/* can only do one crypto operation */
	249	if (ctx->crypto_ok == 0)
	250	return 0;
	251	ctx->crypto_ok--;
	252
	253	if (!siv128_do_s2v_p(ctx, &q, in, len))
	254	return 0;
	255
	256	memcpy(ctx->tag.byte, &q, SIV_LEN);
	257	q.byte[8] &= 0x7f;
	258	q.byte[12] &= 0x7f;
	259
	260	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
	261	return 0;
	262	ctx->final_ret = 0;
	263	return len;
	264	}
	265
	266	/*
	267	* Provide any data to be decrypted. This can be called once.
	268	*/
	269	int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
	270	const unsigned char in, unsigned char out,
	271	size_t len)
	272	{
	273	unsigned char* p;
	274	SIV_BLOCK t, q;
	275	int i;
	276
	277	/* can only do one crypto operation */
	278	if (ctx->crypto_ok == 0)
	279	return 0;
	280	ctx->crypto_ok--;
	281
	282	memcpy(&q, ctx->tag.byte, SIV_LEN);
	283	q.byte[8] &= 0x7f;
	284	q.byte[12] &= 0x7f;
	285
	286	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
	287	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
	288	return 0;
	289
	290	p = ctx->tag.byte;
	291	for (i = 0; i < SIV_LEN; i++)
	292	t.byte[i] ^= p[i];
	293
	294	if ((t.word[0] \| t.word[1]) != 0) {
	295	OPENSSL_cleanse(out, len);
	296	return 0;
	297	}
	298	ctx->final_ret = 0;
	299	return len;
	300	}
301
302	/*
303	* Return the already calculated final result.
304	*/
305	int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
306	{
307	return ctx->final_ret;
308	}
309
310	/*
311	* Set the tag
312	*/
313	int CRYPTO_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
314	{
315	if (len != SIV_LEN)
316	return 0;
317
318	/* Copy the tag from the supplied buffer */
319	memcpy(ctx->tag.byte, tag, len);
320	return 1;
321	}
322
323	/*
324	* Retrieve the calculated tag
325	*/
326	int CRYPTO_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
327	{
328	if (len != SIV_LEN)
329	return 0;
330
331	/* Copy the tag into the supplied buffer */
332	memcpy(tag, ctx->tag.byte, len);
333	return 1;
334	}
335
336	/*
337	* Release all resources
338	*/
339	int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
340	{
341	if (ctx != NULL) {
342	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
343	ctx->cipher_ctx = NULL;
9a3b5b76 TS	344	EVP_MAC_CTX_free(ctx->mac_ctx_init);
9a3b5b76 TS	345	ctx->mac_ctx_init = NULL;
b1ceb439 TS	346	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
	347	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
	348	ctx->final_ret = -1;
	349	ctx->crypto_ok = 1;
	350	}
	351	return 1;
	352	}
	353
	354	int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
	355	{
	356	ctx->crypto_ok = (arg == 1) ? -1 : 1;
	357	return 1;
	358	}
	359
	360	#endif /* OPENSSL_NO_SIV */