]>
git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/modes/siv128.c
2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include "crypto/modes.h"
17 #include "crypto/siv.h"
19 #ifndef OPENSSL_NO_SIV
21 __owur
static ossl_inline
uint32_t rotl8(uint32_t x
)
23 return (x
<< 8) | (x
>> 24);
26 __owur
static ossl_inline
uint32_t rotr8(uint32_t x
)
28 return (x
>> 8) | (x
<< 24);
31 __owur
static ossl_inline
uint64_t byteswap8(uint64_t x
)
33 uint32_t high
= (uint32_t)(x
>> 32);
34 uint32_t low
= (uint32_t)x
;
36 high
= (rotl8(high
) & 0x00ff00ff) | (rotr8(high
) & 0xff00ff00);
37 low
= (rotl8(low
) & 0x00ff00ff) | (rotr8(low
) & 0xff00ff00);
38 return ((uint64_t)low
) << 32 | (uint64_t)high
;
41 __owur
static ossl_inline
uint64_t siv128_getword(SIV_BLOCK
const *b
, size_t i
)
49 return byteswap8(b
->word
[i
]);
53 static ossl_inline
void siv128_putword(SIV_BLOCK
*b
, size_t i
, uint64_t x
)
61 b
->word
[i
] = byteswap8(x
);
66 static ossl_inline
void siv128_xorblock(SIV_BLOCK
*x
,
69 x
->word
[0] ^= y
->word
[0];
70 x
->word
[1] ^= y
->word
[1];
74 * Doubles |b|, which is 16 bytes representing an element
75 * of GF(2**128) modulo the irreducible polynomial
76 * x**128 + x**7 + x**2 + x + 1.
77 * Assumes two's-complement arithmetic
79 static ossl_inline
void siv128_dbl(SIV_BLOCK
*b
)
81 uint64_t high
= siv128_getword(b
, 0);
82 uint64_t low
= siv128_getword(b
, 1);
83 uint64_t high_carry
= high
& (((uint64_t)1) << 63);
84 uint64_t low_carry
= low
& (((uint64_t)1) << 63);
85 int64_t low_mask
= -((int64_t)(high_carry
>> 63)) & 0x87;
86 uint64_t high_mask
= low_carry
>> 63;
88 high
= (high
<< 1) | high_mask
;
89 low
= (low
<< 1) ^ (uint64_t)low_mask
;
90 siv128_putword(b
, 0, high
);
91 siv128_putword(b
, 1, low
);
94 __owur
static ossl_inline
int siv128_do_s2v_p(SIV128_CONTEXT
*ctx
, SIV_BLOCK
*out
,
95 unsigned char const* in
, size_t len
)
98 size_t out_len
= sizeof(out
->byte
);
102 mac_ctx
= EVP_MAC_CTX_dup(ctx
->mac_ctx_init
);
106 if (len
>= SIV_LEN
) {
107 if (!EVP_MAC_update(mac_ctx
, in
, len
- SIV_LEN
))
109 memcpy(&t
, in
+ (len
-SIV_LEN
), SIV_LEN
);
110 siv128_xorblock(&t
, &ctx
->d
);
111 if (!EVP_MAC_update(mac_ctx
, t
.byte
, SIV_LEN
))
114 memset(&t
, 0, sizeof(t
));
118 siv128_xorblock(&t
, &ctx
->d
);
119 if (!EVP_MAC_update(mac_ctx
, t
.byte
, SIV_LEN
))
122 if (!EVP_MAC_final(mac_ctx
, out
->byte
, &out_len
, sizeof(out
->byte
))
123 || out_len
!= SIV_LEN
)
129 EVP_MAC_CTX_free(mac_ctx
);
134 __owur
static ossl_inline
int siv128_do_encrypt(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
135 unsigned char const *in
, size_t len
,
138 int out_len
= (int)len
;
140 if (!EVP_CipherInit_ex(ctx
, NULL
, NULL
, NULL
, icv
->byte
, 1))
142 return EVP_EncryptUpdate(ctx
, out
, &out_len
, in
, out_len
);
146 * Create a new SIV128_CONTEXT
148 SIV128_CONTEXT
*CRYPTO_siv128_new(const unsigned char *key
, int klen
, EVP_CIPHER
* cbc
, EVP_CIPHER
* ctr
)
153 if ((ctx
= OPENSSL_malloc(sizeof(*ctx
))) != NULL
) {
154 ret
= CRYPTO_siv128_init(ctx
, key
, klen
, cbc
, ctr
);
164 * Initialise an existing SIV128_CONTEXT
166 int CRYPTO_siv128_init(SIV128_CONTEXT
*ctx
, const unsigned char *key
, int klen
,
167 const EVP_CIPHER
* cbc
, const EVP_CIPHER
* ctr
)
169 static const unsigned char zero
[SIV_LEN
] = { 0 };
170 size_t out_len
= SIV_LEN
;
171 EVP_MAC_CTX
*mac_ctx
= NULL
;
172 OSSL_PARAM params
[3];
173 const char *cbc_name
= EVP_CIPHER_name(cbc
);
175 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER
,
176 (char *)cbc_name
, 0);
177 params
[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY
,
179 params
[2] = OSSL_PARAM_construct_end();
181 memset(&ctx
->d
, 0, sizeof(ctx
->d
));
182 ctx
->cipher_ctx
= NULL
;
183 ctx
->mac_ctx_init
= NULL
;
185 if (key
== NULL
|| cbc
== NULL
|| ctr
== NULL
186 || (ctx
->cipher_ctx
= EVP_CIPHER_CTX_new()) == NULL
187 /* TODO(3.0) library context */
189 EVP_MAC_fetch(NULL
, OSSL_MAC_NAME_CMAC
, NULL
)) == NULL
190 || (ctx
->mac_ctx_init
= EVP_MAC_CTX_new(ctx
->mac
)) == NULL
191 || !EVP_MAC_CTX_set_params(ctx
->mac_ctx_init
, params
)
192 || !EVP_EncryptInit_ex(ctx
->cipher_ctx
, ctr
, NULL
, key
+ klen
, NULL
)
193 || (mac_ctx
= EVP_MAC_CTX_dup(ctx
->mac_ctx_init
)) == NULL
194 || !EVP_MAC_update(mac_ctx
, zero
, sizeof(zero
))
195 || !EVP_MAC_final(mac_ctx
, ctx
->d
.byte
, &out_len
,
196 sizeof(ctx
->d
.byte
))) {
197 EVP_CIPHER_CTX_free(ctx
->cipher_ctx
);
198 EVP_MAC_CTX_free(ctx
->mac_ctx_init
);
199 EVP_MAC_CTX_free(mac_ctx
);
200 EVP_MAC_free(ctx
->mac
);
203 EVP_MAC_CTX_free(mac_ctx
);
212 * Copy an SIV128_CONTEXT object
214 int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT
*dest
, SIV128_CONTEXT
*src
)
216 memcpy(&dest
->d
, &src
->d
, sizeof(src
->d
));
217 if (!EVP_CIPHER_CTX_copy(dest
->cipher_ctx
, src
->cipher_ctx
))
219 EVP_MAC_CTX_free(dest
->mac_ctx_init
);
220 dest
->mac_ctx_init
= EVP_MAC_CTX_dup(src
->mac_ctx_init
);
221 if (dest
->mac_ctx_init
== NULL
)
227 * Provide any AAD. This can be called multiple times.
228 * Per RFC5297, the last piece of associated data
229 * is the nonce, but it's not treated special
231 int CRYPTO_siv128_aad(SIV128_CONTEXT
*ctx
, const unsigned char *aad
,
235 size_t out_len
= SIV_LEN
;
236 EVP_MAC_CTX
*mac_ctx
;
240 if ((mac_ctx
= EVP_MAC_CTX_dup(ctx
->mac_ctx_init
)) == NULL
241 || !EVP_MAC_update(mac_ctx
, aad
, len
)
242 || !EVP_MAC_final(mac_ctx
, mac_out
.byte
, &out_len
,
243 sizeof(mac_out
.byte
))
244 || out_len
!= SIV_LEN
) {
245 EVP_MAC_CTX_free(mac_ctx
);
248 EVP_MAC_CTX_free(mac_ctx
);
250 siv128_xorblock(&ctx
->d
, &mac_out
);
256 * Provide any data to be encrypted. This can be called once.
258 int CRYPTO_siv128_encrypt(SIV128_CONTEXT
*ctx
,
259 const unsigned char *in
, unsigned char *out
,
264 /* can only do one crypto operation */
265 if (ctx
->crypto_ok
== 0)
269 if (!siv128_do_s2v_p(ctx
, &q
, in
, len
))
272 memcpy(ctx
->tag
.byte
, &q
, SIV_LEN
);
276 if (!siv128_do_encrypt(ctx
->cipher_ctx
, out
, in
, len
, &q
))
283 * Provide any data to be decrypted. This can be called once.
285 int CRYPTO_siv128_decrypt(SIV128_CONTEXT
*ctx
,
286 const unsigned char *in
, unsigned char *out
,
293 /* can only do one crypto operation */
294 if (ctx
->crypto_ok
== 0)
298 memcpy(&q
, ctx
->tag
.byte
, SIV_LEN
);
302 if (!siv128_do_encrypt(ctx
->cipher_ctx
, out
, in
, len
, &q
)
303 || !siv128_do_s2v_p(ctx
, &t
, out
, len
))
307 for (i
= 0; i
< SIV_LEN
; i
++)
310 if ((t
.word
[0] | t
.word
[1]) != 0) {
311 OPENSSL_cleanse(out
, len
);
319 * Return the already calculated final result.
321 int CRYPTO_siv128_finish(SIV128_CONTEXT
*ctx
)
323 return ctx
->final_ret
;
329 int CRYPTO_siv128_set_tag(SIV128_CONTEXT
*ctx
, const unsigned char *tag
, size_t len
)
334 /* Copy the tag from the supplied buffer */
335 memcpy(ctx
->tag
.byte
, tag
, len
);
340 * Retrieve the calculated tag
342 int CRYPTO_siv128_get_tag(SIV128_CONTEXT
*ctx
, unsigned char *tag
, size_t len
)
347 /* Copy the tag into the supplied buffer */
348 memcpy(tag
, ctx
->tag
.byte
, len
);
353 * Release all resources
355 int CRYPTO_siv128_cleanup(SIV128_CONTEXT
*ctx
)
358 EVP_CIPHER_CTX_free(ctx
->cipher_ctx
);
359 ctx
->cipher_ctx
= NULL
;
360 EVP_MAC_CTX_free(ctx
->mac_ctx_init
);
361 ctx
->mac_ctx_init
= NULL
;
362 EVP_MAC_free(ctx
->mac
);
364 OPENSSL_cleanse(&ctx
->d
, sizeof(ctx
->d
));
365 OPENSSL_cleanse(&ctx
->tag
, sizeof(ctx
->tag
));
372 int CRYPTO_siv128_speed(SIV128_CONTEXT
*ctx
, int arg
)
374 ctx
->crypto_ok
= (arg
== 1) ? -1 : 1;
378 #endif /* OPENSSL_NO_SIV */