]>
git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/modes/siv128.c
de6a3b853f19121eb102c0e6ba7289b63c16575b
2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include "internal/modes_int.h"
17 #include "internal/siv_int.h"
19 #ifndef OPENSSL_NO_SIV
21 __owur
static ossl_inline
uint32_t rotl8(uint32_t x
)
23 return (x
<< 8) | (x
>> 24);
26 __owur
static ossl_inline
uint32_t rotr8(uint32_t x
)
28 return (x
>> 8) | (x
<< 24);
31 __owur
static ossl_inline
uint64_t byteswap8(uint64_t x
)
33 uint32_t high
= (uint32_t)(x
>> 32);
34 uint32_t low
= (uint32_t)x
;
36 high
= (rotl8(high
) & 0x00ff00ff) | (rotr8(high
) & 0xff00ff00);
37 low
= (rotl8(low
) & 0x00ff00ff) | (rotr8(low
) & 0xff00ff00);
38 return ((uint64_t)low
) << 32 | (uint64_t)high
;
41 __owur
static ossl_inline
uint64_t siv128_getword(SIV_BLOCK
const *b
, size_t i
)
49 return byteswap8(b
->word
[i
]);
53 static ossl_inline
void siv128_putword(SIV_BLOCK
*b
, size_t i
, uint64_t x
)
61 b
->word
[i
] = byteswap8(x
);
66 static ossl_inline
void siv128_xorblock(SIV_BLOCK
*x
,
69 x
->word
[0] ^= y
->word
[0];
70 x
->word
[1] ^= y
->word
[1];
74 * Doubles |b|, which is 16 bytes representing an element
75 * of GF(2**128) modulo the irreducible polynomial
76 * x**128 + x**7 + x**2 + x + 1.
77 * Assumes two's-complement arithmetic
79 static ossl_inline
void siv128_dbl(SIV_BLOCK
*b
)
81 uint64_t high
= siv128_getword(b
, 0);
82 uint64_t low
= siv128_getword(b
, 1);
83 uint64_t high_carry
= high
& (((uint64_t)1) << 63);
84 uint64_t low_carry
= low
& (((uint64_t)1) << 63);
85 int64_t low_mask
= -((int64_t)(high_carry
>> 63)) & 0x87;
86 uint64_t high_mask
= low_carry
>> 63;
88 high
= (high
<< 1) | high_mask
;
89 low
= (low
<< 1) ^ (uint64_t)low_mask
;
90 siv128_putword(b
, 0, high
);
91 siv128_putword(b
, 1, low
);
94 __owur
static ossl_inline
int siv128_do_s2v_p(SIV128_CONTEXT
*ctx
, SIV_BLOCK
*out
,
95 unsigned char const* in
, size_t len
)
98 size_t out_len
= sizeof(out
->byte
);
102 mac_ctx
= EVP_MAC_CTX_dup(ctx
->mac_ctx_init
);
106 if (len
>= SIV_LEN
) {
107 if (!EVP_MAC_update(mac_ctx
, in
, len
- SIV_LEN
))
109 memcpy(&t
, in
+ (len
-SIV_LEN
), SIV_LEN
);
110 siv128_xorblock(&t
, &ctx
->d
);
111 if (!EVP_MAC_update(mac_ctx
, t
.byte
, SIV_LEN
))
114 memset(&t
, 0, sizeof(t
));
118 siv128_xorblock(&t
, &ctx
->d
);
119 if (!EVP_MAC_update(mac_ctx
, t
.byte
, SIV_LEN
))
122 if (!EVP_MAC_final(mac_ctx
, out
->byte
, &out_len
, sizeof(out
->byte
))
123 || out_len
!= SIV_LEN
)
129 EVP_MAC_CTX_free(mac_ctx
);
134 __owur
static ossl_inline
int siv128_do_encrypt(EVP_CIPHER_CTX
*ctx
, unsigned char *out
,
135 unsigned char const *in
, size_t len
,
138 int out_len
= (int)len
;
140 if (!EVP_CipherInit_ex(ctx
, NULL
, NULL
, NULL
, icv
->byte
, 1))
142 return EVP_EncryptUpdate(ctx
, out
, &out_len
, in
, out_len
);
146 * Create a new SIV128_CONTEXT
148 SIV128_CONTEXT
*CRYPTO_siv128_new(const unsigned char *key
, int klen
, EVP_CIPHER
* cbc
, EVP_CIPHER
* ctr
)
153 if ((ctx
= OPENSSL_malloc(sizeof(*ctx
))) != NULL
) {
154 ret
= CRYPTO_siv128_init(ctx
, key
, klen
, cbc
, ctr
);
164 * Initialise an existing SIV128_CONTEXT
166 int CRYPTO_siv128_init(SIV128_CONTEXT
*ctx
, const unsigned char *key
, int klen
,
167 const EVP_CIPHER
* cbc
, const EVP_CIPHER
* ctr
)
169 static const unsigned char zero
[SIV_LEN
] = { 0 };
170 size_t out_len
= SIV_LEN
;
171 EVP_MAC_CTX
*mac_ctx
= NULL
;
172 OSSL_PARAM params
[3];
173 const char *cbc_name
= EVP_CIPHER_name(cbc
);
175 params
[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER
,
177 strlen(cbc_name
) + 1);
178 params
[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY
,
180 params
[2] = OSSL_PARAM_construct_end();
182 memset(&ctx
->d
, 0, sizeof(ctx
->d
));
183 ctx
->cipher_ctx
= NULL
;
184 ctx
->mac_ctx_init
= NULL
;
186 if (key
== NULL
|| cbc
== NULL
|| ctr
== NULL
187 || (ctx
->cipher_ctx
= EVP_CIPHER_CTX_new()) == NULL
188 /* TODO(3.0) library context */
190 EVP_MAC_fetch(NULL
, OSSL_MAC_NAME_CMAC
, NULL
)) == NULL
191 || (ctx
->mac_ctx_init
= EVP_MAC_CTX_new(ctx
->mac
)) == NULL
192 || !EVP_MAC_CTX_set_params(ctx
->mac_ctx_init
, params
)
193 || !EVP_EncryptInit_ex(ctx
->cipher_ctx
, ctr
, NULL
, key
+ klen
, NULL
)
194 || (mac_ctx
= EVP_MAC_CTX_dup(ctx
->mac_ctx_init
)) == NULL
195 || !EVP_MAC_update(mac_ctx
, zero
, sizeof(zero
))
196 || !EVP_MAC_final(mac_ctx
, ctx
->d
.byte
, &out_len
,
197 sizeof(ctx
->d
.byte
))) {
198 EVP_CIPHER_CTX_free(ctx
->cipher_ctx
);
199 EVP_MAC_CTX_free(ctx
->mac_ctx_init
);
200 EVP_MAC_CTX_free(mac_ctx
);
201 EVP_MAC_free(ctx
->mac
);
204 EVP_MAC_CTX_free(mac_ctx
);
213 * Copy an SIV128_CONTEXT object
215 int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT
*dest
, SIV128_CONTEXT
*src
)
217 memcpy(&dest
->d
, &src
->d
, sizeof(src
->d
));
218 if (!EVP_CIPHER_CTX_copy(dest
->cipher_ctx
, src
->cipher_ctx
))
220 EVP_MAC_CTX_free(dest
->mac_ctx_init
);
221 dest
->mac_ctx_init
= EVP_MAC_CTX_dup(src
->mac_ctx_init
);
222 if (dest
->mac_ctx_init
== NULL
)
228 * Provide any AAD. This can be called multiple times.
229 * Per RFC5297, the last piece of associated data
230 * is the nonce, but it's not treated special
232 int CRYPTO_siv128_aad(SIV128_CONTEXT
*ctx
, const unsigned char *aad
,
236 size_t out_len
= SIV_LEN
;
237 EVP_MAC_CTX
*mac_ctx
;
241 if ((mac_ctx
= EVP_MAC_CTX_dup(ctx
->mac_ctx_init
)) == NULL
242 || !EVP_MAC_update(mac_ctx
, aad
, len
)
243 || !EVP_MAC_final(mac_ctx
, mac_out
.byte
, &out_len
,
244 sizeof(mac_out
.byte
))
245 || out_len
!= SIV_LEN
) {
246 EVP_MAC_CTX_free(mac_ctx
);
249 EVP_MAC_CTX_free(mac_ctx
);
251 siv128_xorblock(&ctx
->d
, &mac_out
);
257 * Provide any data to be encrypted. This can be called once.
259 int CRYPTO_siv128_encrypt(SIV128_CONTEXT
*ctx
,
260 const unsigned char *in
, unsigned char *out
,
265 /* can only do one crypto operation */
266 if (ctx
->crypto_ok
== 0)
270 if (!siv128_do_s2v_p(ctx
, &q
, in
, len
))
273 memcpy(ctx
->tag
.byte
, &q
, SIV_LEN
);
277 if (!siv128_do_encrypt(ctx
->cipher_ctx
, out
, in
, len
, &q
))
284 * Provide any data to be decrypted. This can be called once.
286 int CRYPTO_siv128_decrypt(SIV128_CONTEXT
*ctx
,
287 const unsigned char *in
, unsigned char *out
,
294 /* can only do one crypto operation */
295 if (ctx
->crypto_ok
== 0)
299 memcpy(&q
, ctx
->tag
.byte
, SIV_LEN
);
303 if (!siv128_do_encrypt(ctx
->cipher_ctx
, out
, in
, len
, &q
)
304 || !siv128_do_s2v_p(ctx
, &t
, out
, len
))
308 for (i
= 0; i
< SIV_LEN
; i
++)
311 if ((t
.word
[0] | t
.word
[1]) != 0) {
312 OPENSSL_cleanse(out
, len
);
320 * Return the already calculated final result.
322 int CRYPTO_siv128_finish(SIV128_CONTEXT
*ctx
)
324 return ctx
->final_ret
;
330 int CRYPTO_siv128_set_tag(SIV128_CONTEXT
*ctx
, const unsigned char *tag
, size_t len
)
335 /* Copy the tag from the supplied buffer */
336 memcpy(ctx
->tag
.byte
, tag
, len
);
341 * Retrieve the calculated tag
343 int CRYPTO_siv128_get_tag(SIV128_CONTEXT
*ctx
, unsigned char *tag
, size_t len
)
348 /* Copy the tag into the supplied buffer */
349 memcpy(tag
, ctx
->tag
.byte
, len
);
354 * Release all resources
356 int CRYPTO_siv128_cleanup(SIV128_CONTEXT
*ctx
)
359 EVP_CIPHER_CTX_free(ctx
->cipher_ctx
);
360 ctx
->cipher_ctx
= NULL
;
361 EVP_MAC_CTX_free(ctx
->mac_ctx_init
);
362 ctx
->mac_ctx_init
= NULL
;
363 EVP_MAC_free(ctx
->mac
);
365 OPENSSL_cleanse(&ctx
->d
, sizeof(ctx
->d
));
366 OPENSSL_cleanse(&ctx
->tag
, sizeof(ctx
->tag
));
373 int CRYPTO_siv128_speed(SIV128_CONTEXT
*ctx
, int arg
)
375 ctx
->crypto_ok
= (arg
== 1) ? -1 : 1;
379 #endif /* OPENSSL_NO_SIV */