]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/modes/siv128.c
projects / thirdparty / openssl.git / blob
? search:


de6a3b853f19121eb102c0e6ba7289b63c16575b
[thirdparty/openssl.git] / crypto / modes / siv128.c
1 /*
2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <stdlib.h>
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include "internal/modes_int.h"
17 #include "internal/siv_int.h"
18
19 #ifndef OPENSSL_NO_SIV
20
21 __owur static ossl_inline uint32_t rotl8(uint32_t x)
22 {
23 return (x << 8) | (x >> 24);
24 }
25
26 __owur static ossl_inline uint32_t rotr8(uint32_t x)
27 {
28 return (x >> 8) | (x << 24);
29 }
30
31 __owur static ossl_inline uint64_t byteswap8(uint64_t x)
32 {
33 uint32_t high = (uint32_t)(x >> 32);
34 uint32_t low = (uint32_t)x;
35
36 high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
37 low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
38 return ((uint64_t)low) << 32 | (uint64_t)high;
39 }
40
41 __owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
42 {
43 const union {
44 long one;
45 char little;
46 } is_endian = { 1 };
47
48 if (is_endian.little)
49 return byteswap8(b->word[i]);
50 return b->word[i];
51 }
52
53 static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
54 {
55 const union {
56 long one;
57 char little;
58 } is_endian = { 1 };
59
60 if (is_endian.little)
61 b->word[i] = byteswap8(x);
62 else
63 b->word[i] = x;
64 }
65
66 static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
67 SIV_BLOCK const *y)
68 {
69 x->word[0] ^= y->word[0];
70 x->word[1] ^= y->word[1];
71 }
72
73 /*
74 * Doubles |b|, which is 16 bytes representing an element
75 * of GF(2**128) modulo the irreducible polynomial
76 * x**128 + x**7 + x**2 + x + 1.
77 * Assumes two's-complement arithmetic
78 */
79 static ossl_inline void siv128_dbl(SIV_BLOCK *b)
80 {
81 uint64_t high = siv128_getword(b, 0);
82 uint64_t low = siv128_getword(b, 1);
83 uint64_t high_carry = high & (((uint64_t)1) << 63);
84 uint64_t low_carry = low & (((uint64_t)1) << 63);
85 int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
86 uint64_t high_mask = low_carry >> 63;
87
88 high = (high << 1) | high_mask;
89 low = (low << 1) ^ (uint64_t)low_mask;
90 siv128_putword(b, 0, high);
91 siv128_putword(b, 1, low);
92 }
93
94 __owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
95 unsigned char const* in, size_t len)
96 {
97 SIV_BLOCK t;
98 size_t out_len = sizeof(out->byte);
99 EVP_MAC_CTX *mac_ctx;
100 int ret = 0;
101
102 mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
103 if (mac_ctx == NULL)
104 return 0;
105
106 if (len >= SIV_LEN) {
107 if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
108 goto err;
109 memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
110 siv128_xorblock(&t, &ctx->d);
111 if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
112 goto err;
113 } else {
114 memset(&t, 0, sizeof(t));
115 memcpy(&t, in, len);
116 t.byte[len] = 0x80;
117 siv128_dbl(&ctx->d);
118 siv128_xorblock(&t, &ctx->d);
119 if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
120 goto err;
121 }
122 if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
123 || out_len != SIV_LEN)
124 goto err;
125
126 ret = 1;
127
128 err:
129 EVP_MAC_CTX_free(mac_ctx);
130 return ret;
131 }
132
133
134 __owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
135 unsigned char const *in, size_t len,
136 SIV_BLOCK *icv)
137 {
138 int out_len = (int)len;
139
140 if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
141 return 0;
142 return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
143 }
144
145 /*
146 * Create a new SIV128_CONTEXT
147 */
148 SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
149 {
150 SIV128_CONTEXT *ctx;
151 int ret;
152
153 if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
154 ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
155 if (ret)
156 return ctx;
157 OPENSSL_free(ctx);
158 }
159
160 return NULL;
161 }
162
163 /*
164 * Initialise an existing SIV128_CONTEXT
165 */
166 int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
167 const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
168 {
169 static const unsigned char zero[SIV_LEN] = { 0 };
170 size_t out_len = SIV_LEN;
171 EVP_MAC_CTX *mac_ctx = NULL;
172 OSSL_PARAM params[3];
173 const char *cbc_name = EVP_CIPHER_name(cbc);
174
175 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
176 (char *)cbc_name,
177 strlen(cbc_name) + 1);
178 params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
179 (void *)key, klen);
180 params[2] = OSSL_PARAM_construct_end();
181
182 memset(&ctx->d, 0, sizeof(ctx->d));
183 ctx->cipher_ctx = NULL;
184 ctx->mac_ctx_init = NULL;
185
186 if (key == NULL || cbc == NULL || ctr == NULL
187 || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
188 /* TODO(3.0) library context */
189 || (ctx->mac =
190 EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL)) == NULL
191 || (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
192 || !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
193 || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
194 || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
195 || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
196 || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
197 sizeof(ctx->d.byte))) {
198 EVP_CIPHER_CTX_free(ctx->cipher_ctx);
199 EVP_MAC_CTX_free(ctx->mac_ctx_init);
200 EVP_MAC_CTX_free(mac_ctx);
201 EVP_MAC_free(ctx->mac);
202 return 0;
203 }
204 EVP_MAC_CTX_free(mac_ctx);
205
206 ctx->final_ret = -1;
207 ctx->crypto_ok = 1;
208
209 return 1;
210 }
211
212 /*
213 * Copy an SIV128_CONTEXT object
214 */
215 int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
216 {
217 memcpy(&dest->d, &src->d, sizeof(src->d));
218 if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
219 return 0;
220 EVP_MAC_CTX_free(dest->mac_ctx_init);
221 dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
222 if (dest->mac_ctx_init == NULL)
223 return 0;
224 return 1;
225 }
226
227 /*
228 * Provide any AAD. This can be called multiple times.
229 * Per RFC5297, the last piece of associated data
230 * is the nonce, but it's not treated special
231 */
232 int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
233 size_t len)
234 {
235 SIV_BLOCK mac_out;
236 size_t out_len = SIV_LEN;
237 EVP_MAC_CTX *mac_ctx;
238
239 siv128_dbl(&ctx->d);
240
241 if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
242 || !EVP_MAC_update(mac_ctx, aad, len)
243 || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
244 sizeof(mac_out.byte))
245 || out_len != SIV_LEN) {
246 EVP_MAC_CTX_free(mac_ctx);
247 return 0;
248 }
249 EVP_MAC_CTX_free(mac_ctx);
250
251 siv128_xorblock(&ctx->d, &mac_out);
252
253 return 1;
254 }
255
256 /*
257 * Provide any data to be encrypted. This can be called once.
258 */
259 int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
260 const unsigned char *in, unsigned char *out,
261 size_t len)
262 {
263 SIV_BLOCK q;
264
265 /* can only do one crypto operation */
266 if (ctx->crypto_ok == 0)
267 return 0;
268 ctx->crypto_ok--;
269
270 if (!siv128_do_s2v_p(ctx, &q, in, len))
271 return 0;
272
273 memcpy(ctx->tag.byte, &q, SIV_LEN);
274 q.byte[8] &= 0x7f;
275 q.byte[12] &= 0x7f;
276
277 if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
278 return 0;
279 ctx->final_ret = 0;
280 return len;
281 }
282
283 /*
284 * Provide any data to be decrypted. This can be called once.
285 */
286 int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
287 const unsigned char *in, unsigned char *out,
288 size_t len)
289 {
290 unsigned char* p;
291 SIV_BLOCK t, q;
292 int i;
293
294 /* can only do one crypto operation */
295 if (ctx->crypto_ok == 0)
296 return 0;
297 ctx->crypto_ok--;
298
299 memcpy(&q, ctx->tag.byte, SIV_LEN);
300 q.byte[8] &= 0x7f;
301 q.byte[12] &= 0x7f;
302
303 if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
304 || !siv128_do_s2v_p(ctx, &t, out, len))
305 return 0;
306
307 p = ctx->tag.byte;
308 for (i = 0; i < SIV_LEN; i++)
309 t.byte[i] ^= p[i];
310
311 if ((t.word[0] | t.word[1]) != 0) {
312 OPENSSL_cleanse(out, len);
313 return 0;
314 }
315 ctx->final_ret = 0;
316 return len;
317 }
318
319 /*
320 * Return the already calculated final result.
321 */
322 int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
323 {
324 return ctx->final_ret;
325 }
326
327 /*
328 * Set the tag
329 */
330 int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
331 {
332 if (len != SIV_LEN)
333 return 0;
334
335 /* Copy the tag from the supplied buffer */
336 memcpy(ctx->tag.byte, tag, len);
337 return 1;
338 }
339
340 /*
341 * Retrieve the calculated tag
342 */
343 int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
344 {
345 if (len != SIV_LEN)
346 return 0;
347
348 /* Copy the tag into the supplied buffer */
349 memcpy(tag, ctx->tag.byte, len);
350 return 1;
351 }
352
353 /*
354 * Release all resources
355 */
356 int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
357 {
358 if (ctx != NULL) {
359 EVP_CIPHER_CTX_free(ctx->cipher_ctx);
360 ctx->cipher_ctx = NULL;
361 EVP_MAC_CTX_free(ctx->mac_ctx_init);
362 ctx->mac_ctx_init = NULL;
363 EVP_MAC_free(ctx->mac);
364 ctx->mac = NULL;
365 OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
366 OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
367 ctx->final_ret = -1;
368 ctx->crypto_ok = 1;
369 }
370 return 1;
371 }
372
373 int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
374 {
375 ctx->crypto_ok = (arg == 1) ? -1 : 1;
376 return 1;
377 }
378
379 #endif /* OPENSSL_NO_SIV */
A mirror of the official openssl repository