VirtualBox

source: vbox/trunk/src/libs/openssl-1.1.0g/crypto/modes/gcm128.c@ 69890

Last change on this file since 69890 was 69890, checked in by vboxsync, 7 years ago

Added OpenSSL 1.1.0g with unneeded files removed, otherwise unmodified.
bugref:8070: src/libs maintenance
  • Property svn:eol-style set to native
File size: 69.6 KB
Line 
1/*
2 * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/crypto.h>
11#include "modes_lcl.h"
12#include <string.h>
13
14#if defined(BSWAP4) && defined(STRICT_ALIGNMENT)
15/* redefine, because alignment is ensured */
16# undef GETU32
17# define GETU32(p) BSWAP4(*(const u32 *)(p))
18# undef PUTU32
19# define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v)
20#endif
21
22#define PACK(s) ((size_t)(s)<<(sizeof(size_t)*8-16))
23#define REDUCE1BIT(V) do { \
24 if (sizeof(size_t)==8) { \
25 u64 T = U64(0xe100000000000000) & (0-(V.lo&1)); \
26 V.lo = (V.hi<<63)|(V.lo>>1); \
27 V.hi = (V.hi>>1 )^T; \
28 } \
29 else { \
30 u32 T = 0xe1000000U & (0-(u32)(V.lo&1)); \
31 V.lo = (V.hi<<63)|(V.lo>>1); \
32 V.hi = (V.hi>>1 )^((u64)T<<32); \
33 } \
34} while(0)
35
36/*-
37 * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
38 * never be set to 8. 8 is effectively reserved for testing purposes.
39 * TABLE_BITS>1 are lookup-table-driven implementations referred to as
40 * "Shoup's" in GCM specification. In other words OpenSSL does not cover
41 * whole spectrum of possible table driven implementations. Why? In
42 * non-"Shoup's" case memory access pattern is segmented in such manner,
43 * that it's trivial to see that cache timing information can reveal
44 * fair portion of intermediate hash value. Given that ciphertext is
45 * always available to attacker, it's possible for him to attempt to
46 * deduce secret parameter H and if successful, tamper with messages
47 * [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
48 * not as trivial, but there is no reason to believe that it's resistant
49 * to cache-timing attack. And the thing about "8-bit" implementation is
50 * that it consumes 16 (sixteen) times more memory, 4KB per individual
51 * key + 1KB shared. Well, on pros side it should be twice as fast as
52 * "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
53 * was observed to run ~75% faster, closer to 100% for commercial
54 * compilers... Yet "4-bit" procedure is preferred, because it's
55 * believed to provide better security-performance balance and adequate
56 * all-round performance. "All-round" refers to things like:
57 *
58 * - shorter setup time effectively improves overall timing for
59 * handling short messages;
60 * - larger table allocation can become unbearable because of VM
61 * subsystem penalties (for example on Windows large enough free
62 * results in VM working set trimming, meaning that consequent
63 * malloc would immediately incur working set expansion);
64 * - larger table has larger cache footprint, which can affect
65 * performance of other code paths (not necessarily even from same
66 * thread in Hyper-Threading world);
67 *
68 * Value of 1 is not appropriate for performance reasons.
69 */
70#if TABLE_BITS==8
71
72static void gcm_init_8bit(u128 Htable[256], u64 H[2])
73{
74 int i, j;
75 u128 V;
76
77 Htable[0].hi = 0;
78 Htable[0].lo = 0;
79 V.hi = H[0];
80 V.lo = H[1];
81
82 for (Htable[128] = V, i = 64; i > 0; i >>= 1) {
83 REDUCE1BIT(V);
84 Htable[i] = V;
85 }
86
87 for (i = 2; i < 256; i <<= 1) {
88 u128 *Hi = Htable + i, H0 = *Hi;
89 for (j = 1; j < i; ++j) {
90 Hi[j].hi = H0.hi ^ Htable[j].hi;
91 Hi[j].lo = H0.lo ^ Htable[j].lo;
92 }
93 }
94}
95
96static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
97{
98 u128 Z = { 0, 0 };
99 const u8 *xi = (const u8 *)Xi + 15;
100 size_t rem, n = *xi;
101 const union {
102 long one;
103 char little;
104 } is_endian = { 1 };
105 static const size_t rem_8bit[256] = {
106 PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
107 PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
108 PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
109 PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
110 PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
111 PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
112 PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
113 PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
114 PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
115 PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
116 PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
117 PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
118 PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
119 PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
120 PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
121 PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
122 PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
123 PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
124 PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
125 PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
126 PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
127 PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
128 PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
129 PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
130 PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
131 PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
132 PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
133 PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
134 PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
135 PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
136 PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
137 PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
138 PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
139 PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
140 PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
141 PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
142 PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
143 PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
144 PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
145 PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
146 PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
147 PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
148 PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
149 PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
150 PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
151 PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
152 PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
153 PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
154 PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
155 PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
156 PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
157 PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
158 PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
159 PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
160 PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
161 PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
162 PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
163 PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
164 PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
165 PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
166 PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
167 PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
168 PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
169 PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE)
170 };
171
172 while (1) {
173 Z.hi ^= Htable[n].hi;
174 Z.lo ^= Htable[n].lo;
175
176 if ((u8 *)Xi == xi)
177 break;
178
179 n = *(--xi);
180
181 rem = (size_t)Z.lo & 0xff;
182 Z.lo = (Z.hi << 56) | (Z.lo >> 8);
183 Z.hi = (Z.hi >> 8);
184 if (sizeof(size_t) == 8)
185 Z.hi ^= rem_8bit[rem];
186 else
187 Z.hi ^= (u64)rem_8bit[rem] << 32;
188 }
189
190 if (is_endian.little) {
191# ifdef BSWAP8
192 Xi[0] = BSWAP8(Z.hi);
193 Xi[1] = BSWAP8(Z.lo);
194# else
195 u8 *p = (u8 *)Xi;
196 u32 v;
197 v = (u32)(Z.hi >> 32);
198 PUTU32(p, v);
199 v = (u32)(Z.hi);
200 PUTU32(p + 4, v);
201 v = (u32)(Z.lo >> 32);
202 PUTU32(p + 8, v);
203 v = (u32)(Z.lo);
204 PUTU32(p + 12, v);
205# endif
206 } else {
207 Xi[0] = Z.hi;
208 Xi[1] = Z.lo;
209 }
210}
211
212# define GCM_MUL(ctx,Xi) gcm_gmult_8bit(ctx->Xi.u,ctx->Htable)
213
214#elif TABLE_BITS==4
215
216static void gcm_init_4bit(u128 Htable[16], u64 H[2])
217{
218 u128 V;
219# if defined(OPENSSL_SMALL_FOOTPRINT)
220 int i;
221# endif
222
223 Htable[0].hi = 0;
224 Htable[0].lo = 0;
225 V.hi = H[0];
226 V.lo = H[1];
227
228# if defined(OPENSSL_SMALL_FOOTPRINT)
229 for (Htable[8] = V, i = 4; i > 0; i >>= 1) {
230 REDUCE1BIT(V);
231 Htable[i] = V;
232 }
233
234 for (i = 2; i < 16; i <<= 1) {
235 u128 *Hi = Htable + i;
236 int j;
237 for (V = *Hi, j = 1; j < i; ++j) {
238 Hi[j].hi = V.hi ^ Htable[j].hi;
239 Hi[j].lo = V.lo ^ Htable[j].lo;
240 }
241 }
242# else
243 Htable[8] = V;
244 REDUCE1BIT(V);
245 Htable[4] = V;
246 REDUCE1BIT(V);
247 Htable[2] = V;
248 REDUCE1BIT(V);
249 Htable[1] = V;
250 Htable[3].hi = V.hi ^ Htable[2].hi, Htable[3].lo = V.lo ^ Htable[2].lo;
251 V = Htable[4];
252 Htable[5].hi = V.hi ^ Htable[1].hi, Htable[5].lo = V.lo ^ Htable[1].lo;
253 Htable[6].hi = V.hi ^ Htable[2].hi, Htable[6].lo = V.lo ^ Htable[2].lo;
254 Htable[7].hi = V.hi ^ Htable[3].hi, Htable[7].lo = V.lo ^ Htable[3].lo;
255 V = Htable[8];
256 Htable[9].hi = V.hi ^ Htable[1].hi, Htable[9].lo = V.lo ^ Htable[1].lo;
257 Htable[10].hi = V.hi ^ Htable[2].hi, Htable[10].lo = V.lo ^ Htable[2].lo;
258 Htable[11].hi = V.hi ^ Htable[3].hi, Htable[11].lo = V.lo ^ Htable[3].lo;
259 Htable[12].hi = V.hi ^ Htable[4].hi, Htable[12].lo = V.lo ^ Htable[4].lo;
260 Htable[13].hi = V.hi ^ Htable[5].hi, Htable[13].lo = V.lo ^ Htable[5].lo;
261 Htable[14].hi = V.hi ^ Htable[6].hi, Htable[14].lo = V.lo ^ Htable[6].lo;
262 Htable[15].hi = V.hi ^ Htable[7].hi, Htable[15].lo = V.lo ^ Htable[7].lo;
263# endif
264# if defined(GHASH_ASM) && (defined(__arm__) || defined(__arm))
265 /*
266 * ARM assembler expects specific dword order in Htable.
267 */
268 {
269 int j;
270 const union {
271 long one;
272 char little;
273 } is_endian = { 1 };
274
275 if (is_endian.little)
276 for (j = 0; j < 16; ++j) {
277 V = Htable[j];
278 Htable[j].hi = V.lo;
279 Htable[j].lo = V.hi;
280 } else
281 for (j = 0; j < 16; ++j) {
282 V = Htable[j];
283 Htable[j].hi = V.lo << 32 | V.lo >> 32;
284 Htable[j].lo = V.hi << 32 | V.hi >> 32;
285 }
286 }
287# endif
288}
289
290# ifndef GHASH_ASM
291static const size_t rem_4bit[16] = {
292 PACK(0x0000), PACK(0x1C20), PACK(0x3840), PACK(0x2460),
293 PACK(0x7080), PACK(0x6CA0), PACK(0x48C0), PACK(0x54E0),
294 PACK(0xE100), PACK(0xFD20), PACK(0xD940), PACK(0xC560),
295 PACK(0x9180), PACK(0x8DA0), PACK(0xA9C0), PACK(0xB5E0)
296};
297
298static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
299{
300 u128 Z;
301 int cnt = 15;
302 size_t rem, nlo, nhi;
303 const union {
304 long one;
305 char little;
306 } is_endian = { 1 };
307
308 nlo = ((const u8 *)Xi)[15];
309 nhi = nlo >> 4;
310 nlo &= 0xf;
311
312 Z.hi = Htable[nlo].hi;
313 Z.lo = Htable[nlo].lo;
314
315 while (1) {
316 rem = (size_t)Z.lo & 0xf;
317 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
318 Z.hi = (Z.hi >> 4);
319 if (sizeof(size_t) == 8)
320 Z.hi ^= rem_4bit[rem];
321 else
322 Z.hi ^= (u64)rem_4bit[rem] << 32;
323
324 Z.hi ^= Htable[nhi].hi;
325 Z.lo ^= Htable[nhi].lo;
326
327 if (--cnt < 0)
328 break;
329
330 nlo = ((const u8 *)Xi)[cnt];
331 nhi = nlo >> 4;
332 nlo &= 0xf;
333
334 rem = (size_t)Z.lo & 0xf;
335 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
336 Z.hi = (Z.hi >> 4);
337 if (sizeof(size_t) == 8)
338 Z.hi ^= rem_4bit[rem];
339 else
340 Z.hi ^= (u64)rem_4bit[rem] << 32;
341
342 Z.hi ^= Htable[nlo].hi;
343 Z.lo ^= Htable[nlo].lo;
344 }
345
346 if (is_endian.little) {
347# ifdef BSWAP8
348 Xi[0] = BSWAP8(Z.hi);
349 Xi[1] = BSWAP8(Z.lo);
350# else
351 u8 *p = (u8 *)Xi;
352 u32 v;
353 v = (u32)(Z.hi >> 32);
354 PUTU32(p, v);
355 v = (u32)(Z.hi);
356 PUTU32(p + 4, v);
357 v = (u32)(Z.lo >> 32);
358 PUTU32(p + 8, v);
359 v = (u32)(Z.lo);
360 PUTU32(p + 12, v);
361# endif
362 } else {
363 Xi[0] = Z.hi;
364 Xi[1] = Z.lo;
365 }
366}
367
368# if !defined(OPENSSL_SMALL_FOOTPRINT)
369/*
370 * Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
371 * details... Compiler-generated code doesn't seem to give any
372 * performance improvement, at least not on x86[_64]. It's here
373 * mostly as reference and a placeholder for possible future
374 * non-trivial optimization[s]...
375 */
376static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
377 const u8 *inp, size_t len)
378{
379 u128 Z;
380 int cnt;
381 size_t rem, nlo, nhi;
382 const union {
383 long one;
384 char little;
385 } is_endian = { 1 };
386
387# if 1
388 do {
389 cnt = 15;
390 nlo = ((const u8 *)Xi)[15];
391 nlo ^= inp[15];
392 nhi = nlo >> 4;
393 nlo &= 0xf;
394
395 Z.hi = Htable[nlo].hi;
396 Z.lo = Htable[nlo].lo;
397
398 while (1) {
399 rem = (size_t)Z.lo & 0xf;
400 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
401 Z.hi = (Z.hi >> 4);
402 if (sizeof(size_t) == 8)
403 Z.hi ^= rem_4bit[rem];
404 else
405 Z.hi ^= (u64)rem_4bit[rem] << 32;
406
407 Z.hi ^= Htable[nhi].hi;
408 Z.lo ^= Htable[nhi].lo;
409
410 if (--cnt < 0)
411 break;
412
413 nlo = ((const u8 *)Xi)[cnt];
414 nlo ^= inp[cnt];
415 nhi = nlo >> 4;
416 nlo &= 0xf;
417
418 rem = (size_t)Z.lo & 0xf;
419 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
420 Z.hi = (Z.hi >> 4);
421 if (sizeof(size_t) == 8)
422 Z.hi ^= rem_4bit[rem];
423 else
424 Z.hi ^= (u64)rem_4bit[rem] << 32;
425
426 Z.hi ^= Htable[nlo].hi;
427 Z.lo ^= Htable[nlo].lo;
428 }
429# else
430 /*
431 * Extra 256+16 bytes per-key plus 512 bytes shared tables
432 * [should] give ~50% improvement... One could have PACK()-ed
433 * the rem_8bit even here, but the priority is to minimize
434 * cache footprint...
435 */
436 u128 Hshr4[16]; /* Htable shifted right by 4 bits */
437 u8 Hshl4[16]; /* Htable shifted left by 4 bits */
438 static const unsigned short rem_8bit[256] = {
439 0x0000, 0x01C2, 0x0384, 0x0246, 0x0708, 0x06CA, 0x048C, 0x054E,
440 0x0E10, 0x0FD2, 0x0D94, 0x0C56, 0x0918, 0x08DA, 0x0A9C, 0x0B5E,
441 0x1C20, 0x1DE2, 0x1FA4, 0x1E66, 0x1B28, 0x1AEA, 0x18AC, 0x196E,
442 0x1230, 0x13F2, 0x11B4, 0x1076, 0x1538, 0x14FA, 0x16BC, 0x177E,
443 0x3840, 0x3982, 0x3BC4, 0x3A06, 0x3F48, 0x3E8A, 0x3CCC, 0x3D0E,
444 0x3650, 0x3792, 0x35D4, 0x3416, 0x3158, 0x309A, 0x32DC, 0x331E,
445 0x2460, 0x25A2, 0x27E4, 0x2626, 0x2368, 0x22AA, 0x20EC, 0x212E,
446 0x2A70, 0x2BB2, 0x29F4, 0x2836, 0x2D78, 0x2CBA, 0x2EFC, 0x2F3E,
447 0x7080, 0x7142, 0x7304, 0x72C6, 0x7788, 0x764A, 0x740C, 0x75CE,
448 0x7E90, 0x7F52, 0x7D14, 0x7CD6, 0x7998, 0x785A, 0x7A1C, 0x7BDE,
449 0x6CA0, 0x6D62, 0x6F24, 0x6EE6, 0x6BA8, 0x6A6A, 0x682C, 0x69EE,
450 0x62B0, 0x6372, 0x6134, 0x60F6, 0x65B8, 0x647A, 0x663C, 0x67FE,
451 0x48C0, 0x4902, 0x4B44, 0x4A86, 0x4FC8, 0x4E0A, 0x4C4C, 0x4D8E,
452 0x46D0, 0x4712, 0x4554, 0x4496, 0x41D8, 0x401A, 0x425C, 0x439E,
453 0x54E0, 0x5522, 0x5764, 0x56A6, 0x53E8, 0x522A, 0x506C, 0x51AE,
454 0x5AF0, 0x5B32, 0x5974, 0x58B6, 0x5DF8, 0x5C3A, 0x5E7C, 0x5FBE,
455 0xE100, 0xE0C2, 0xE284, 0xE346, 0xE608, 0xE7CA, 0xE58C, 0xE44E,
456 0xEF10, 0xEED2, 0xEC94, 0xED56, 0xE818, 0xE9DA, 0xEB9C, 0xEA5E,
457 0xFD20, 0xFCE2, 0xFEA4, 0xFF66, 0xFA28, 0xFBEA, 0xF9AC, 0xF86E,
458 0xF330, 0xF2F2, 0xF0B4, 0xF176, 0xF438, 0xF5FA, 0xF7BC, 0xF67E,
459 0xD940, 0xD882, 0xDAC4, 0xDB06, 0xDE48, 0xDF8A, 0xDDCC, 0xDC0E,
460 0xD750, 0xD692, 0xD4D4, 0xD516, 0xD058, 0xD19A, 0xD3DC, 0xD21E,
461 0xC560, 0xC4A2, 0xC6E4, 0xC726, 0xC268, 0xC3AA, 0xC1EC, 0xC02E,
462 0xCB70, 0xCAB2, 0xC8F4, 0xC936, 0xCC78, 0xCDBA, 0xCFFC, 0xCE3E,
463 0x9180, 0x9042, 0x9204, 0x93C6, 0x9688, 0x974A, 0x950C, 0x94CE,
464 0x9F90, 0x9E52, 0x9C14, 0x9DD6, 0x9898, 0x995A, 0x9B1C, 0x9ADE,
465 0x8DA0, 0x8C62, 0x8E24, 0x8FE6, 0x8AA8, 0x8B6A, 0x892C, 0x88EE,
466 0x83B0, 0x8272, 0x8034, 0x81F6, 0x84B8, 0x857A, 0x873C, 0x86FE,
467 0xA9C0, 0xA802, 0xAA44, 0xAB86, 0xAEC8, 0xAF0A, 0xAD4C, 0xAC8E,
468 0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
469 0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
470 0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE
471 };
472 /*
473 * This pre-processing phase slows down procedure by approximately
474 * same time as it makes each loop spin faster. In other words
475 * single block performance is approximately same as straightforward
476 * "4-bit" implementation, and then it goes only faster...
477 */
478 for (cnt = 0; cnt < 16; ++cnt) {
479 Z.hi = Htable[cnt].hi;
480 Z.lo = Htable[cnt].lo;
481 Hshr4[cnt].lo = (Z.hi << 60) | (Z.lo >> 4);
482 Hshr4[cnt].hi = (Z.hi >> 4);
483 Hshl4[cnt] = (u8)(Z.lo << 4);
484 }
485
486 do {
487 for (Z.lo = 0, Z.hi = 0, cnt = 15; cnt; --cnt) {
488 nlo = ((const u8 *)Xi)[cnt];
489 nlo ^= inp[cnt];
490 nhi = nlo >> 4;
491 nlo &= 0xf;
492
493 Z.hi ^= Htable[nlo].hi;
494 Z.lo ^= Htable[nlo].lo;
495
496 rem = (size_t)Z.lo & 0xff;
497
498 Z.lo = (Z.hi << 56) | (Z.lo >> 8);
499 Z.hi = (Z.hi >> 8);
500
501 Z.hi ^= Hshr4[nhi].hi;
502 Z.lo ^= Hshr4[nhi].lo;
503 Z.hi ^= (u64)rem_8bit[rem ^ Hshl4[nhi]] << 48;
504 }
505
506 nlo = ((const u8 *)Xi)[0];
507 nlo ^= inp[0];
508 nhi = nlo >> 4;
509 nlo &= 0xf;
510
511 Z.hi ^= Htable[nlo].hi;
512 Z.lo ^= Htable[nlo].lo;
513
514 rem = (size_t)Z.lo & 0xf;
515
516 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
517 Z.hi = (Z.hi >> 4);
518
519 Z.hi ^= Htable[nhi].hi;
520 Z.lo ^= Htable[nhi].lo;
521 Z.hi ^= ((u64)rem_8bit[rem << 4]) << 48;
522# endif
523
524 if (is_endian.little) {
525# ifdef BSWAP8
526 Xi[0] = BSWAP8(Z.hi);
527 Xi[1] = BSWAP8(Z.lo);
528# else
529 u8 *p = (u8 *)Xi;
530 u32 v;
531 v = (u32)(Z.hi >> 32);
532 PUTU32(p, v);
533 v = (u32)(Z.hi);
534 PUTU32(p + 4, v);
535 v = (u32)(Z.lo >> 32);
536 PUTU32(p + 8, v);
537 v = (u32)(Z.lo);
538 PUTU32(p + 12, v);
539# endif
540 } else {
541 Xi[0] = Z.hi;
542 Xi[1] = Z.lo;
543 }
544 } while (inp += 16, len -= 16);
545}
546# endif
547# else
548void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);
549void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp,
550 size_t len);
551# endif
552
553# define GCM_MUL(ctx,Xi) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
554# if defined(GHASH_ASM) || !defined(OPENSSL_SMALL_FOOTPRINT)
555# define GHASH(ctx,in,len) gcm_ghash_4bit((ctx)->Xi.u,(ctx)->Htable,in,len)
556/*
557 * GHASH_CHUNK is "stride parameter" missioned to mitigate cache trashing
558 * effect. In other words idea is to hash data while it's still in L1 cache
559 * after encryption pass...
560 */
561# define GHASH_CHUNK (3*1024)
562# endif
563
564#else /* TABLE_BITS */
565
566static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
567{
568 u128 V, Z = { 0, 0 };
569 long X;
570 int i, j;
571 const long *xi = (const long *)Xi;
572 const union {
573 long one;
574 char little;
575 } is_endian = { 1 };
576
577 V.hi = H[0]; /* H is in host byte order, no byte swapping */
578 V.lo = H[1];
579
580 for (j = 0; j < 16 / sizeof(long); ++j) {
581 if (is_endian.little) {
582 if (sizeof(long) == 8) {
583# ifdef BSWAP8
584 X = (long)(BSWAP8(xi[j]));
585# else
586 const u8 *p = (const u8 *)(xi + j);
587 X = (long)((u64)GETU32(p) << 32 | GETU32(p + 4));
588# endif
589 } else {
590 const u8 *p = (const u8 *)(xi + j);
591 X = (long)GETU32(p);
592 }
593 } else
594 X = xi[j];
595
596 for (i = 0; i < 8 * sizeof(long); ++i, X <<= 1) {
597 u64 M = (u64)(X >> (8 * sizeof(long) - 1));
598 Z.hi ^= V.hi & M;
599 Z.lo ^= V.lo & M;
600
601 REDUCE1BIT(V);
602 }
603 }
604
605 if (is_endian.little) {
606# ifdef BSWAP8
607 Xi[0] = BSWAP8(Z.hi);
608 Xi[1] = BSWAP8(Z.lo);
609# else
610 u8 *p = (u8 *)Xi;
611 u32 v;
612 v = (u32)(Z.hi >> 32);
613 PUTU32(p, v);
614 v = (u32)(Z.hi);
615 PUTU32(p + 4, v);
616 v = (u32)(Z.lo >> 32);
617 PUTU32(p + 8, v);
618 v = (u32)(Z.lo);
619 PUTU32(p + 12, v);
620# endif
621 } else {
622 Xi[0] = Z.hi;
623 Xi[1] = Z.lo;
624 }
625}
626
627# define GCM_MUL(ctx,Xi) gcm_gmult_1bit(ctx->Xi.u,ctx->H.u)
628
629#endif
630
631#if TABLE_BITS==4 && (defined(GHASH_ASM) || defined(OPENSSL_CPUID_OBJ))
632# if !defined(I386_ONLY) && \
633 (defined(__i386) || defined(__i386__) || \
634 defined(__x86_64) || defined(__x86_64__) || \
635 defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
636# define GHASH_ASM_X86_OR_64
637# define GCM_FUNCREF_4BIT
638extern unsigned int OPENSSL_ia32cap_P[];
639
640void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]);
641void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]);
642void gcm_ghash_clmul(u64 Xi[2], const u128 Htable[16], const u8 *inp,
643 size_t len);
644
645# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
646# define gcm_init_avx gcm_init_clmul
647# define gcm_gmult_avx gcm_gmult_clmul
648# define gcm_ghash_avx gcm_ghash_clmul
649# else
650void gcm_init_avx(u128 Htable[16], const u64 Xi[2]);
651void gcm_gmult_avx(u64 Xi[2], const u128 Htable[16]);
652void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *inp,
653 size_t len);
654# endif
655
656# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
657# define GHASH_ASM_X86
658void gcm_gmult_4bit_mmx(u64 Xi[2], const u128 Htable[16]);
659void gcm_ghash_4bit_mmx(u64 Xi[2], const u128 Htable[16], const u8 *inp,
660 size_t len);
661
662void gcm_gmult_4bit_x86(u64 Xi[2], const u128 Htable[16]);
663void gcm_ghash_4bit_x86(u64 Xi[2], const u128 Htable[16], const u8 *inp,
664 size_t len);
665# endif
666# elif defined(__arm__) || defined(__arm) || defined(__aarch64__)
667# include "arm_arch.h"
668# if __ARM_MAX_ARCH__>=7
669# define GHASH_ASM_ARM
670# define GCM_FUNCREF_4BIT
671# define PMULL_CAPABLE (OPENSSL_armcap_P & ARMV8_PMULL)
672# if defined(__arm__) || defined(__arm)
673# define NEON_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
674# endif
675void gcm_init_neon(u128 Htable[16], const u64 Xi[2]);
676void gcm_gmult_neon(u64 Xi[2], const u128 Htable[16]);
677void gcm_ghash_neon(u64 Xi[2], const u128 Htable[16], const u8 *inp,
678 size_t len);
679void gcm_init_v8(u128 Htable[16], const u64 Xi[2]);
680void gcm_gmult_v8(u64 Xi[2], const u128 Htable[16]);
681void gcm_ghash_v8(u64 Xi[2], const u128 Htable[16], const u8 *inp,
682 size_t len);
683# endif
684# elif defined(__sparc__) || defined(__sparc)
685# include "sparc_arch.h"
686# define GHASH_ASM_SPARC
687# define GCM_FUNCREF_4BIT
688extern unsigned int OPENSSL_sparcv9cap_P[];
689void gcm_init_vis3(u128 Htable[16], const u64 Xi[2]);
690void gcm_gmult_vis3(u64 Xi[2], const u128 Htable[16]);
691void gcm_ghash_vis3(u64 Xi[2], const u128 Htable[16], const u8 *inp,
692 size_t len);
693# elif defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
694# include "ppc_arch.h"
695# define GHASH_ASM_PPC
696# define GCM_FUNCREF_4BIT
697void gcm_init_p8(u128 Htable[16], const u64 Xi[2]);
698void gcm_gmult_p8(u64 Xi[2], const u128 Htable[16]);
699void gcm_ghash_p8(u64 Xi[2], const u128 Htable[16], const u8 *inp,
700 size_t len);
701# endif
702#endif
703
704#ifdef GCM_FUNCREF_4BIT
705# undef GCM_MUL
706# define GCM_MUL(ctx,Xi) (*gcm_gmult_p)(ctx->Xi.u,ctx->Htable)
707# ifdef GHASH
708# undef GHASH
709# define GHASH(ctx,in,len) (*gcm_ghash_p)(ctx->Xi.u,ctx->Htable,in,len)
710# endif
711#endif
712
713void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
714{
715 const union {
716 long one;
717 char little;
718 } is_endian = { 1 };
719
720 memset(ctx, 0, sizeof(*ctx));
721 ctx->block = block;
722 ctx->key = key;
723
724 (*block) (ctx->H.c, ctx->H.c, key);
725
726 if (is_endian.little) {
727 /* H is stored in host byte order */
728#ifdef BSWAP8
729 ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
730 ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
731#else
732 u8 *p = ctx->H.c;
733 u64 hi, lo;
734 hi = (u64)GETU32(p) << 32 | GETU32(p + 4);
735 lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12);
736 ctx->H.u[0] = hi;
737 ctx->H.u[1] = lo;
738#endif
739 }
740#if TABLE_BITS==8
741 gcm_init_8bit(ctx->Htable, ctx->H.u);
742#elif TABLE_BITS==4
743# if defined(GHASH)
744# define CTX__GHASH(f) (ctx->ghash = (f))
745# else
746# define CTX__GHASH(f) (ctx->ghash = NULL)
747# endif
748# if defined(GHASH_ASM_X86_OR_64)
749# if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
750 if (OPENSSL_ia32cap_P[1] & (1 << 1)) { /* check PCLMULQDQ bit */
751 if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
752 gcm_init_avx(ctx->Htable, ctx->H.u);
753 ctx->gmult = gcm_gmult_avx;
754 CTX__GHASH(gcm_ghash_avx);
755 } else {
756 gcm_init_clmul(ctx->Htable, ctx->H.u);
757 ctx->gmult = gcm_gmult_clmul;
758 CTX__GHASH(gcm_ghash_clmul);
759 }
760 return;
761 }
762# endif
763 gcm_init_4bit(ctx->Htable, ctx->H.u);
764# if defined(GHASH_ASM_X86) /* x86 only */
765# if defined(OPENSSL_IA32_SSE2)
766 if (OPENSSL_ia32cap_P[0] & (1 << 25)) { /* check SSE bit */
767# else
768 if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */
769# endif
770 ctx->gmult = gcm_gmult_4bit_mmx;
771 CTX__GHASH(gcm_ghash_4bit_mmx);
772 } else {
773 ctx->gmult = gcm_gmult_4bit_x86;
774 CTX__GHASH(gcm_ghash_4bit_x86);
775 }
776# else
777 ctx->gmult = gcm_gmult_4bit;
778 CTX__GHASH(gcm_ghash_4bit);
779# endif
780# elif defined(GHASH_ASM_ARM)
781# ifdef PMULL_CAPABLE
782 if (PMULL_CAPABLE) {
783 gcm_init_v8(ctx->Htable, ctx->H.u);
784 ctx->gmult = gcm_gmult_v8;
785 CTX__GHASH(gcm_ghash_v8);
786 } else
787# endif
788# ifdef NEON_CAPABLE
789 if (NEON_CAPABLE) {
790 gcm_init_neon(ctx->Htable, ctx->H.u);
791 ctx->gmult = gcm_gmult_neon;
792 CTX__GHASH(gcm_ghash_neon);
793 } else
794# endif
795 {
796 gcm_init_4bit(ctx->Htable, ctx->H.u);
797 ctx->gmult = gcm_gmult_4bit;
798 CTX__GHASH(gcm_ghash_4bit);
799 }
800# elif defined(GHASH_ASM_SPARC)
801 if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) {
802 gcm_init_vis3(ctx->Htable, ctx->H.u);
803 ctx->gmult = gcm_gmult_vis3;
804 CTX__GHASH(gcm_ghash_vis3);
805 } else {
806 gcm_init_4bit(ctx->Htable, ctx->H.u);
807 ctx->gmult = gcm_gmult_4bit;
808 CTX__GHASH(gcm_ghash_4bit);
809 }
810# elif defined(GHASH_ASM_PPC)
811 if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
812 gcm_init_p8(ctx->Htable, ctx->H.u);
813 ctx->gmult = gcm_gmult_p8;
814 CTX__GHASH(gcm_ghash_p8);
815 } else {
816 gcm_init_4bit(ctx->Htable, ctx->H.u);
817 ctx->gmult = gcm_gmult_4bit;
818 CTX__GHASH(gcm_ghash_4bit);
819 }
820# else
821 gcm_init_4bit(ctx->Htable, ctx->H.u);
822# endif
823# undef CTX__GHASH
824#endif
825}
826
827void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv,
828 size_t len)
829{
830 const union {
831 long one;
832 char little;
833 } is_endian = { 1 };
834 unsigned int ctr;
835#ifdef GCM_FUNCREF_4BIT
836 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
837#endif
838
839 ctx->Yi.u[0] = 0;
840 ctx->Yi.u[1] = 0;
841 ctx->Xi.u[0] = 0;
842 ctx->Xi.u[1] = 0;
843 ctx->len.u[0] = 0; /* AAD length */
844 ctx->len.u[1] = 0; /* message length */
845 ctx->ares = 0;
846 ctx->mres = 0;
847
848 if (len == 12) {
849 memcpy(ctx->Yi.c, iv, 12);
850 ctx->Yi.c[15] = 1;
851 ctr = 1;
852 } else {
853 size_t i;
854 u64 len0 = len;
855
856 while (len >= 16) {
857 for (i = 0; i < 16; ++i)
858 ctx->Yi.c[i] ^= iv[i];
859 GCM_MUL(ctx, Yi);
860 iv += 16;
861 len -= 16;
862 }
863 if (len) {
864 for (i = 0; i < len; ++i)
865 ctx->Yi.c[i] ^= iv[i];
866 GCM_MUL(ctx, Yi);
867 }
868 len0 <<= 3;
869 if (is_endian.little) {
870#ifdef BSWAP8
871 ctx->Yi.u[1] ^= BSWAP8(len0);
872#else
873 ctx->Yi.c[8] ^= (u8)(len0 >> 56);
874 ctx->Yi.c[9] ^= (u8)(len0 >> 48);
875 ctx->Yi.c[10] ^= (u8)(len0 >> 40);
876 ctx->Yi.c[11] ^= (u8)(len0 >> 32);
877 ctx->Yi.c[12] ^= (u8)(len0 >> 24);
878 ctx->Yi.c[13] ^= (u8)(len0 >> 16);
879 ctx->Yi.c[14] ^= (u8)(len0 >> 8);
880 ctx->Yi.c[15] ^= (u8)(len0);
881#endif
882 } else
883 ctx->Yi.u[1] ^= len0;
884
885 GCM_MUL(ctx, Yi);
886
887 if (is_endian.little)
888#ifdef BSWAP4
889 ctr = BSWAP4(ctx->Yi.d[3]);
890#else
891 ctr = GETU32(ctx->Yi.c + 12);
892#endif
893 else
894 ctr = ctx->Yi.d[3];
895 }
896
897 (*ctx->block) (ctx->Yi.c, ctx->EK0.c, ctx->key);
898 ++ctr;
899 if (is_endian.little)
900#ifdef BSWAP4
901 ctx->Yi.d[3] = BSWAP4(ctr);
902#else
903 PUTU32(ctx->Yi.c + 12, ctr);
904#endif
905 else
906 ctx->Yi.d[3] = ctr;
907}
908
909int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad,
910 size_t len)
911{
912 size_t i;
913 unsigned int n;
914 u64 alen = ctx->len.u[0];
915#ifdef GCM_FUNCREF_4BIT
916 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
917# ifdef GHASH
918 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
919 const u8 *inp, size_t len) = ctx->ghash;
920# endif
921#endif
922
923 if (ctx->len.u[1])
924 return -2;
925
926 alen += len;
927 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
928 return -1;
929 ctx->len.u[0] = alen;
930
931 n = ctx->ares;
932 if (n) {
933 while (n && len) {
934 ctx->Xi.c[n] ^= *(aad++);
935 --len;
936 n = (n + 1) % 16;
937 }
938 if (n == 0)
939 GCM_MUL(ctx, Xi);
940 else {
941 ctx->ares = n;
942 return 0;
943 }
944 }
945#ifdef GHASH
946 if ((i = (len & (size_t)-16))) {
947 GHASH(ctx, aad, i);
948 aad += i;
949 len -= i;
950 }
951#else
952 while (len >= 16) {
953 for (i = 0; i < 16; ++i)
954 ctx->Xi.c[i] ^= aad[i];
955 GCM_MUL(ctx, Xi);
956 aad += 16;
957 len -= 16;
958 }
959#endif
960 if (len) {
961 n = (unsigned int)len;
962 for (i = 0; i < len; ++i)
963 ctx->Xi.c[i] ^= aad[i];
964 }
965
966 ctx->ares = n;
967 return 0;
968}
969
970int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
971 const unsigned char *in, unsigned char *out,
972 size_t len)
973{
974 const union {
975 long one;
976 char little;
977 } is_endian = { 1 };
978 unsigned int n, ctr;
979 size_t i;
980 u64 mlen = ctx->len.u[1];
981 block128_f block = ctx->block;
982 void *key = ctx->key;
983#ifdef GCM_FUNCREF_4BIT
984 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
985# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
986 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
987 const u8 *inp, size_t len) = ctx->ghash;
988# endif
989#endif
990
991 mlen += len;
992 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
993 return -1;
994 ctx->len.u[1] = mlen;
995
996 if (ctx->ares) {
997 /* First call to encrypt finalizes GHASH(AAD) */
998 GCM_MUL(ctx, Xi);
999 ctx->ares = 0;
1000 }
1001
1002 if (is_endian.little)
1003#ifdef BSWAP4
1004 ctr = BSWAP4(ctx->Yi.d[3]);
1005#else
1006 ctr = GETU32(ctx->Yi.c + 12);
1007#endif
1008 else
1009 ctr = ctx->Yi.d[3];
1010
1011 n = ctx->mres;
1012#if !defined(OPENSSL_SMALL_FOOTPRINT)
1013 if (16 % sizeof(size_t) == 0) { /* always true actually */
1014 do {
1015 if (n) {
1016 while (n && len) {
1017 ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
1018 --len;
1019 n = (n + 1) % 16;
1020 }
1021 if (n == 0)
1022 GCM_MUL(ctx, Xi);
1023 else {
1024 ctx->mres = n;
1025 return 0;
1026 }
1027 }
1028# if defined(STRICT_ALIGNMENT)
1029 if (((size_t)in | (size_t)out) % sizeof(size_t) != 0)
1030 break;
1031# endif
1032# if defined(GHASH)
1033# if defined(GHASH_CHUNK)
1034 while (len >= GHASH_CHUNK) {
1035 size_t j = GHASH_CHUNK;
1036
1037 while (j) {
1038 size_t *out_t = (size_t *)out;
1039 const size_t *in_t = (const size_t *)in;
1040
1041 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1042 ++ctr;
1043 if (is_endian.little)
1044# ifdef BSWAP4
1045 ctx->Yi.d[3] = BSWAP4(ctr);
1046# else
1047 PUTU32(ctx->Yi.c + 12, ctr);
1048# endif
1049 else
1050 ctx->Yi.d[3] = ctr;
1051 for (i = 0; i < 16 / sizeof(size_t); ++i)
1052 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1053 out += 16;
1054 in += 16;
1055 j -= 16;
1056 }
1057 GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK);
1058 len -= GHASH_CHUNK;
1059 }
1060# endif
1061 if ((i = (len & (size_t)-16))) {
1062 size_t j = i;
1063
1064 while (len >= 16) {
1065 size_t *out_t = (size_t *)out;
1066 const size_t *in_t = (const size_t *)in;
1067
1068 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1069 ++ctr;
1070 if (is_endian.little)
1071# ifdef BSWAP4
1072 ctx->Yi.d[3] = BSWAP4(ctr);
1073# else
1074 PUTU32(ctx->Yi.c + 12, ctr);
1075# endif
1076 else
1077 ctx->Yi.d[3] = ctr;
1078 for (i = 0; i < 16 / sizeof(size_t); ++i)
1079 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1080 out += 16;
1081 in += 16;
1082 len -= 16;
1083 }
1084 GHASH(ctx, out - j, j);
1085 }
1086# else
1087 while (len >= 16) {
1088 size_t *out_t = (size_t *)out;
1089 const size_t *in_t = (const size_t *)in;
1090
1091 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1092 ++ctr;
1093 if (is_endian.little)
1094# ifdef BSWAP4
1095 ctx->Yi.d[3] = BSWAP4(ctr);
1096# else
1097 PUTU32(ctx->Yi.c + 12, ctr);
1098# endif
1099 else
1100 ctx->Yi.d[3] = ctr;
1101 for (i = 0; i < 16 / sizeof(size_t); ++i)
1102 ctx->Xi.t[i] ^= out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1103 GCM_MUL(ctx, Xi);
1104 out += 16;
1105 in += 16;
1106 len -= 16;
1107 }
1108# endif
1109 if (len) {
1110 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1111 ++ctr;
1112 if (is_endian.little)
1113# ifdef BSWAP4
1114 ctx->Yi.d[3] = BSWAP4(ctr);
1115# else
1116 PUTU32(ctx->Yi.c + 12, ctr);
1117# endif
1118 else
1119 ctx->Yi.d[3] = ctr;
1120 while (len--) {
1121 ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
1122 ++n;
1123 }
1124 }
1125
1126 ctx->mres = n;
1127 return 0;
1128 } while (0);
1129 }
1130#endif
1131 for (i = 0; i < len; ++i) {
1132 if (n == 0) {
1133 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1134 ++ctr;
1135 if (is_endian.little)
1136#ifdef BSWAP4
1137 ctx->Yi.d[3] = BSWAP4(ctr);
1138#else
1139 PUTU32(ctx->Yi.c + 12, ctr);
1140#endif
1141 else
1142 ctx->Yi.d[3] = ctr;
1143 }
1144 ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];
1145 n = (n + 1) % 16;
1146 if (n == 0)
1147 GCM_MUL(ctx, Xi);
1148 }
1149
1150 ctx->mres = n;
1151 return 0;
1152}
1153
1154int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1155 const unsigned char *in, unsigned char *out,
1156 size_t len)
1157{
1158 const union {
1159 long one;
1160 char little;
1161 } is_endian = { 1 };
1162 unsigned int n, ctr;
1163 size_t i;
1164 u64 mlen = ctx->len.u[1];
1165 block128_f block = ctx->block;
1166 void *key = ctx->key;
1167#ifdef GCM_FUNCREF_4BIT
1168 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1169# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
1170 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
1171 const u8 *inp, size_t len) = ctx->ghash;
1172# endif
1173#endif
1174
1175 mlen += len;
1176 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1177 return -1;
1178 ctx->len.u[1] = mlen;
1179
1180 if (ctx->ares) {
1181 /* First call to decrypt finalizes GHASH(AAD) */
1182 GCM_MUL(ctx, Xi);
1183 ctx->ares = 0;
1184 }
1185
1186 if (is_endian.little)
1187#ifdef BSWAP4
1188 ctr = BSWAP4(ctx->Yi.d[3]);
1189#else
1190 ctr = GETU32(ctx->Yi.c + 12);
1191#endif
1192 else
1193 ctr = ctx->Yi.d[3];
1194
1195 n = ctx->mres;
1196#if !defined(OPENSSL_SMALL_FOOTPRINT)
1197 if (16 % sizeof(size_t) == 0) { /* always true actually */
1198 do {
1199 if (n) {
1200 while (n && len) {
1201 u8 c = *(in++);
1202 *(out++) = c ^ ctx->EKi.c[n];
1203 ctx->Xi.c[n] ^= c;
1204 --len;
1205 n = (n + 1) % 16;
1206 }
1207 if (n == 0)
1208 GCM_MUL(ctx, Xi);
1209 else {
1210 ctx->mres = n;
1211 return 0;
1212 }
1213 }
1214# if defined(STRICT_ALIGNMENT)
1215 if (((size_t)in | (size_t)out) % sizeof(size_t) != 0)
1216 break;
1217# endif
1218# if defined(GHASH)
1219# if defined(GHASH_CHUNK)
1220 while (len >= GHASH_CHUNK) {
1221 size_t j = GHASH_CHUNK;
1222
1223 GHASH(ctx, in, GHASH_CHUNK);
1224 while (j) {
1225 size_t *out_t = (size_t *)out;
1226 const size_t *in_t = (const size_t *)in;
1227
1228 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1229 ++ctr;
1230 if (is_endian.little)
1231# ifdef BSWAP4
1232 ctx->Yi.d[3] = BSWAP4(ctr);
1233# else
1234 PUTU32(ctx->Yi.c + 12, ctr);
1235# endif
1236 else
1237 ctx->Yi.d[3] = ctr;
1238 for (i = 0; i < 16 / sizeof(size_t); ++i)
1239 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1240 out += 16;
1241 in += 16;
1242 j -= 16;
1243 }
1244 len -= GHASH_CHUNK;
1245 }
1246# endif
1247 if ((i = (len & (size_t)-16))) {
1248 GHASH(ctx, in, i);
1249 while (len >= 16) {
1250 size_t *out_t = (size_t *)out;
1251 const size_t *in_t = (const size_t *)in;
1252
1253 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1254 ++ctr;
1255 if (is_endian.little)
1256# ifdef BSWAP4
1257 ctx->Yi.d[3] = BSWAP4(ctr);
1258# else
1259 PUTU32(ctx->Yi.c + 12, ctr);
1260# endif
1261 else
1262 ctx->Yi.d[3] = ctr;
1263 for (i = 0; i < 16 / sizeof(size_t); ++i)
1264 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1265 out += 16;
1266 in += 16;
1267 len -= 16;
1268 }
1269 }
1270# else
1271 while (len >= 16) {
1272 size_t *out_t = (size_t *)out;
1273 const size_t *in_t = (const size_t *)in;
1274
1275 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1276 ++ctr;
1277 if (is_endian.little)
1278# ifdef BSWAP4
1279 ctx->Yi.d[3] = BSWAP4(ctr);
1280# else
1281 PUTU32(ctx->Yi.c + 12, ctr);
1282# endif
1283 else
1284 ctx->Yi.d[3] = ctr;
1285 for (i = 0; i < 16 / sizeof(size_t); ++i) {
1286 size_t c = in[i];
1287 out[i] = c ^ ctx->EKi.t[i];
1288 ctx->Xi.t[i] ^= c;
1289 }
1290 GCM_MUL(ctx, Xi);
1291 out += 16;
1292 in += 16;
1293 len -= 16;
1294 }
1295# endif
1296 if (len) {
1297 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1298 ++ctr;
1299 if (is_endian.little)
1300# ifdef BSWAP4
1301 ctx->Yi.d[3] = BSWAP4(ctr);
1302# else
1303 PUTU32(ctx->Yi.c + 12, ctr);
1304# endif
1305 else
1306 ctx->Yi.d[3] = ctr;
1307 while (len--) {
1308 u8 c = in[n];
1309 ctx->Xi.c[n] ^= c;
1310 out[n] = c ^ ctx->EKi.c[n];
1311 ++n;
1312 }
1313 }
1314
1315 ctx->mres = n;
1316 return 0;
1317 } while (0);
1318 }
1319#endif
1320 for (i = 0; i < len; ++i) {
1321 u8 c;
1322 if (n == 0) {
1323 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1324 ++ctr;
1325 if (is_endian.little)
1326#ifdef BSWAP4
1327 ctx->Yi.d[3] = BSWAP4(ctr);
1328#else
1329 PUTU32(ctx->Yi.c + 12, ctr);
1330#endif
1331 else
1332 ctx->Yi.d[3] = ctr;
1333 }
1334 c = in[i];
1335 out[i] = c ^ ctx->EKi.c[n];
1336 ctx->Xi.c[n] ^= c;
1337 n = (n + 1) % 16;
1338 if (n == 0)
1339 GCM_MUL(ctx, Xi);
1340 }
1341
1342 ctx->mres = n;
1343 return 0;
1344}
1345
1346int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1347 const unsigned char *in, unsigned char *out,
1348 size_t len, ctr128_f stream)
1349{
1350#if defined(OPENSSL_SMALL_FOOTPRINT)
1351 return CRYPTO_gcm128_encrypt(ctx, in, out, len);
1352#else
1353 const union {
1354 long one;
1355 char little;
1356 } is_endian = { 1 };
1357 unsigned int n, ctr;
1358 size_t i;
1359 u64 mlen = ctx->len.u[1];
1360 void *key = ctx->key;
1361# ifdef GCM_FUNCREF_4BIT
1362 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1363# ifdef GHASH
1364 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
1365 const u8 *inp, size_t len) = ctx->ghash;
1366# endif
1367# endif
1368
1369 mlen += len;
1370 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1371 return -1;
1372 ctx->len.u[1] = mlen;
1373
1374 if (ctx->ares) {
1375 /* First call to encrypt finalizes GHASH(AAD) */
1376 GCM_MUL(ctx, Xi);
1377 ctx->ares = 0;
1378 }
1379
1380 if (is_endian.little)
1381# ifdef BSWAP4
1382 ctr = BSWAP4(ctx->Yi.d[3]);
1383# else
1384 ctr = GETU32(ctx->Yi.c + 12);
1385# endif
1386 else
1387 ctr = ctx->Yi.d[3];
1388
1389 n = ctx->mres;
1390 if (n) {
1391 while (n && len) {
1392 ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
1393 --len;
1394 n = (n + 1) % 16;
1395 }
1396 if (n == 0)
1397 GCM_MUL(ctx, Xi);
1398 else {
1399 ctx->mres = n;
1400 return 0;
1401 }
1402 }
1403# if defined(GHASH) && defined(GHASH_CHUNK)
1404 while (len >= GHASH_CHUNK) {
1405 (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
1406 ctr += GHASH_CHUNK / 16;
1407 if (is_endian.little)
1408# ifdef BSWAP4
1409 ctx->Yi.d[3] = BSWAP4(ctr);
1410# else
1411 PUTU32(ctx->Yi.c + 12, ctr);
1412# endif
1413 else
1414 ctx->Yi.d[3] = ctr;
1415 GHASH(ctx, out, GHASH_CHUNK);
1416 out += GHASH_CHUNK;
1417 in += GHASH_CHUNK;
1418 len -= GHASH_CHUNK;
1419 }
1420# endif
1421 if ((i = (len & (size_t)-16))) {
1422 size_t j = i / 16;
1423
1424 (*stream) (in, out, j, key, ctx->Yi.c);
1425 ctr += (unsigned int)j;
1426 if (is_endian.little)
1427# ifdef BSWAP4
1428 ctx->Yi.d[3] = BSWAP4(ctr);
1429# else
1430 PUTU32(ctx->Yi.c + 12, ctr);
1431# endif
1432 else
1433 ctx->Yi.d[3] = ctr;
1434 in += i;
1435 len -= i;
1436# if defined(GHASH)
1437 GHASH(ctx, out, i);
1438 out += i;
1439# else
1440 while (j--) {
1441 for (i = 0; i < 16; ++i)
1442 ctx->Xi.c[i] ^= out[i];
1443 GCM_MUL(ctx, Xi);
1444 out += 16;
1445 }
1446# endif
1447 }
1448 if (len) {
1449 (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key);
1450 ++ctr;
1451 if (is_endian.little)
1452# ifdef BSWAP4
1453 ctx->Yi.d[3] = BSWAP4(ctr);
1454# else
1455 PUTU32(ctx->Yi.c + 12, ctr);
1456# endif
1457 else
1458 ctx->Yi.d[3] = ctr;
1459 while (len--) {
1460 ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
1461 ++n;
1462 }
1463 }
1464
1465 ctx->mres = n;
1466 return 0;
1467#endif
1468}
1469
1470int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1471 const unsigned char *in, unsigned char *out,
1472 size_t len, ctr128_f stream)
1473{
1474#if defined(OPENSSL_SMALL_FOOTPRINT)
1475 return CRYPTO_gcm128_decrypt(ctx, in, out, len);
1476#else
1477 const union {
1478 long one;
1479 char little;
1480 } is_endian = { 1 };
1481 unsigned int n, ctr;
1482 size_t i;
1483 u64 mlen = ctx->len.u[1];
1484 void *key = ctx->key;
1485# ifdef GCM_FUNCREF_4BIT
1486 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1487# ifdef GHASH
1488 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
1489 const u8 *inp, size_t len) = ctx->ghash;
1490# endif
1491# endif
1492
1493 mlen += len;
1494 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1495 return -1;
1496 ctx->len.u[1] = mlen;
1497
1498 if (ctx->ares) {
1499 /* First call to decrypt finalizes GHASH(AAD) */
1500 GCM_MUL(ctx, Xi);
1501 ctx->ares = 0;
1502 }
1503
1504 if (is_endian.little)
1505# ifdef BSWAP4
1506 ctr = BSWAP4(ctx->Yi.d[3]);
1507# else
1508 ctr = GETU32(ctx->Yi.c + 12);
1509# endif
1510 else
1511 ctr = ctx->Yi.d[3];
1512
1513 n = ctx->mres;
1514 if (n) {
1515 while (n && len) {
1516 u8 c = *(in++);
1517 *(out++) = c ^ ctx->EKi.c[n];
1518 ctx->Xi.c[n] ^= c;
1519 --len;
1520 n = (n + 1) % 16;
1521 }
1522 if (n == 0)
1523 GCM_MUL(ctx, Xi);
1524 else {
1525 ctx->mres = n;
1526 return 0;
1527 }
1528 }
1529# if defined(GHASH) && defined(GHASH_CHUNK)
1530 while (len >= GHASH_CHUNK) {
1531 GHASH(ctx, in, GHASH_CHUNK);
1532 (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
1533 ctr += GHASH_CHUNK / 16;
1534 if (is_endian.little)
1535# ifdef BSWAP4
1536 ctx->Yi.d[3] = BSWAP4(ctr);
1537# else
1538 PUTU32(ctx->Yi.c + 12, ctr);
1539# endif
1540 else
1541 ctx->Yi.d[3] = ctr;
1542 out += GHASH_CHUNK;
1543 in += GHASH_CHUNK;
1544 len -= GHASH_CHUNK;
1545 }
1546# endif
1547 if ((i = (len & (size_t)-16))) {
1548 size_t j = i / 16;
1549
1550# if defined(GHASH)
1551 GHASH(ctx, in, i);
1552# else
1553 while (j--) {
1554 size_t k;
1555 for (k = 0; k < 16; ++k)
1556 ctx->Xi.c[k] ^= in[k];
1557 GCM_MUL(ctx, Xi);
1558 in += 16;
1559 }
1560 j = i / 16;
1561 in -= i;
1562# endif
1563 (*stream) (in, out, j, key, ctx->Yi.c);
1564 ctr += (unsigned int)j;
1565 if (is_endian.little)
1566# ifdef BSWAP4
1567 ctx->Yi.d[3] = BSWAP4(ctr);
1568# else
1569 PUTU32(ctx->Yi.c + 12, ctr);
1570# endif
1571 else
1572 ctx->Yi.d[3] = ctr;
1573 out += i;
1574 in += i;
1575 len -= i;
1576 }
1577 if (len) {
1578 (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key);
1579 ++ctr;
1580 if (is_endian.little)
1581# ifdef BSWAP4
1582 ctx->Yi.d[3] = BSWAP4(ctr);
1583# else
1584 PUTU32(ctx->Yi.c + 12, ctr);
1585# endif
1586 else
1587 ctx->Yi.d[3] = ctr;
1588 while (len--) {
1589 u8 c = in[n];
1590 ctx->Xi.c[n] ^= c;
1591 out[n] = c ^ ctx->EKi.c[n];
1592 ++n;
1593 }
1594 }
1595
1596 ctx->mres = n;
1597 return 0;
1598#endif
1599}
1600
1601int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
1602 size_t len)
1603{
1604 const union {
1605 long one;
1606 char little;
1607 } is_endian = { 1 };
1608 u64 alen = ctx->len.u[0] << 3;
1609 u64 clen = ctx->len.u[1] << 3;
1610#ifdef GCM_FUNCREF_4BIT
1611 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1612#endif
1613
1614 if (ctx->mres || ctx->ares)
1615 GCM_MUL(ctx, Xi);
1616
1617 if (is_endian.little) {
1618#ifdef BSWAP8
1619 alen = BSWAP8(alen);
1620 clen = BSWAP8(clen);
1621#else
1622 u8 *p = ctx->len.c;
1623
1624 ctx->len.u[0] = alen;
1625 ctx->len.u[1] = clen;
1626
1627 alen = (u64)GETU32(p) << 32 | GETU32(p + 4);
1628 clen = (u64)GETU32(p + 8) << 32 | GETU32(p + 12);
1629#endif
1630 }
1631
1632 ctx->Xi.u[0] ^= alen;
1633 ctx->Xi.u[1] ^= clen;
1634 GCM_MUL(ctx, Xi);
1635
1636 ctx->Xi.u[0] ^= ctx->EK0.u[0];
1637 ctx->Xi.u[1] ^= ctx->EK0.u[1];
1638
1639 if (tag && len <= sizeof(ctx->Xi))
1640 return CRYPTO_memcmp(ctx->Xi.c, tag, len);
1641 else
1642 return -1;
1643}
1644
1645void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
1646{
1647 CRYPTO_gcm128_finish(ctx, NULL, 0);
1648 memcpy(tag, ctx->Xi.c,
1649 len <= sizeof(ctx->Xi.c) ? len : sizeof(ctx->Xi.c));
1650}
1651
1652GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
1653{
1654 GCM128_CONTEXT *ret;
1655
1656 if ((ret = OPENSSL_malloc(sizeof(*ret))) != NULL)
1657 CRYPTO_gcm128_init(ret, key, block);
1658
1659 return ret;
1660}
1661
1662void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
1663{
1664 OPENSSL_clear_free(ctx, sizeof(*ctx));
1665}
1666
1667#if defined(SELFTEST)
1668# include <stdio.h>
1669# include <openssl/aes.h>
1670
1671/* Test Case 1 */
1672static const u8 K1[16], *P1 = NULL, *A1 = NULL, IV1[12], *C1 = NULL;
1673static const u8 T1[] = {
1674 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
1675 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a
1676};
1677
1678/* Test Case 2 */
1679# define K2 K1
1680# define A2 A1
1681# define IV2 IV1
1682static const u8 P2[16];
1683static const u8 C2[] = {
1684 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
1685 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78
1686};
1687
1688static const u8 T2[] = {
1689 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
1690 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf
1691};
1692
1693/* Test Case 3 */
1694# define A3 A2
1695static const u8 K3[] = {
1696 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
1697 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
1698};
1699
1700static const u8 P3[] = {
1701 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1702 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1703 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1704 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1705 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1706 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1707 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1708 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
1709};
1710
1711static const u8 IV3[] = {
1712 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
1713 0xde, 0xca, 0xf8, 0x88
1714};
1715
1716static const u8 C3[] = {
1717 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
1718 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
1719 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
1720 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
1721 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
1722 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
1723 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
1724 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85
1725};
1726
1727static const u8 T3[] = {
1728 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
1729 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4
1730};
1731
1732/* Test Case 4 */
1733# define K4 K3
1734# define IV4 IV3
1735static const u8 P4[] = {
1736 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1737 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1738 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1739 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1740 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1741 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1742 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1743 0xba, 0x63, 0x7b, 0x39
1744};
1745
1746static const u8 A4[] = {
1747 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1748 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1749 0xab, 0xad, 0xda, 0xd2
1750};
1751
1752static const u8 C4[] = {
1753 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
1754 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
1755 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
1756 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
1757 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
1758 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
1759 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
1760 0x3d, 0x58, 0xe0, 0x91
1761};
1762
1763static const u8 T4[] = {
1764 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
1765 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47
1766};
1767
1768/* Test Case 5 */
1769# define K5 K4
1770# define P5 P4
1771# define A5 A4
1772static const u8 IV5[] = {
1773 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad
1774};
1775
1776static const u8 C5[] = {
1777 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
1778 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
1779 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
1780 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
1781 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
1782 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
1783 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
1784 0xc2, 0x3f, 0x45, 0x98
1785};
1786
1787static const u8 T5[] = {
1788 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
1789 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb
1790};
1791
1792/* Test Case 6 */
1793# define K6 K5
1794# define P6 P5
1795# define A6 A5
1796static const u8 IV6[] = {
1797 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
1798 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
1799 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
1800 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
1801 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
1802 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
1803 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
1804 0xa6, 0x37, 0xb3, 0x9b
1805};
1806
1807static const u8 C6[] = {
1808 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
1809 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
1810 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
1811 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
1812 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
1813 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
1814 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
1815 0x4c, 0x34, 0xae, 0xe5
1816};
1817
1818static const u8 T6[] = {
1819 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
1820 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50
1821};
1822
1823/* Test Case 7 */
1824static const u8 K7[24], *P7 = NULL, *A7 = NULL, IV7[12], *C7 = NULL;
1825static const u8 T7[] = {
1826 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
1827 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35
1828};
1829
1830/* Test Case 8 */
1831# define K8 K7
1832# define IV8 IV7
1833# define A8 A7
1834static const u8 P8[16];
1835static const u8 C8[] = {
1836 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
1837 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00
1838};
1839
1840static const u8 T8[] = {
1841 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
1842 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb
1843};
1844
1845/* Test Case 9 */
1846# define A9 A8
1847static const u8 K9[] = {
1848 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
1849 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
1850 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
1851};
1852
1853static const u8 P9[] = {
1854 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1855 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1856 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1857 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1858 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1859 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1860 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1861 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
1862};
1863
1864static const u8 IV9[] = {
1865 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
1866 0xde, 0xca, 0xf8, 0x88
1867};
1868
1869static const u8 C9[] = {
1870 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
1871 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
1872 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
1873 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
1874 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
1875 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
1876 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
1877 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56
1878};
1879
1880static const u8 T9[] = {
1881 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
1882 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14
1883};
1884
1885/* Test Case 10 */
1886# define K10 K9
1887# define IV10 IV9
1888static const u8 P10[] = {
1889 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1890 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1891 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1892 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1893 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1894 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1895 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1896 0xba, 0x63, 0x7b, 0x39
1897};
1898
1899static const u8 A10[] = {
1900 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1901 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1902 0xab, 0xad, 0xda, 0xd2
1903};
1904
1905static const u8 C10[] = {
1906 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
1907 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
1908 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
1909 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
1910 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
1911 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
1912 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
1913 0xcc, 0xda, 0x27, 0x10
1914};
1915
1916static const u8 T10[] = {
1917 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
1918 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c
1919};
1920
1921/* Test Case 11 */
1922# define K11 K10
1923# define P11 P10
1924# define A11 A10
1925static const u8 IV11[] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad };
1926
1927static const u8 C11[] = {
1928 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
1929 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
1930 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
1931 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
1932 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
1933 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
1934 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
1935 0xa0, 0xf0, 0x62, 0xf7
1936};
1937
1938static const u8 T11[] = {
1939 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
1940 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8
1941};
1942
1943/* Test Case 12 */
1944# define K12 K11
1945# define P12 P11
1946# define A12 A11
1947static const u8 IV12[] = {
1948 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
1949 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
1950 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
1951 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
1952 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
1953 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
1954 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
1955 0xa6, 0x37, 0xb3, 0x9b
1956};
1957
1958static const u8 C12[] = {
1959 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
1960 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
1961 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
1962 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
1963 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
1964 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
1965 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
1966 0xe9, 0xb7, 0x37, 0x3b
1967};
1968
1969static const u8 T12[] = {
1970 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
1971 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9
1972};
1973
1974/* Test Case 13 */
1975static const u8 K13[32], *P13 = NULL, *A13 = NULL, IV13[12], *C13 = NULL;
1976static const u8 T13[] = {
1977 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
1978 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b
1979};
1980
1981/* Test Case 14 */
1982# define K14 K13
1983# define A14 A13
1984static const u8 P14[16], IV14[12];
1985static const u8 C14[] = {
1986 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
1987 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18
1988};
1989
1990static const u8 T14[] = {
1991 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
1992 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19
1993};
1994
1995/* Test Case 15 */
1996# define A15 A14
1997static const u8 K15[] = {
1998 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
1999 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
2000 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
2001 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
2002};
2003
2004static const u8 P15[] = {
2005 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
2006 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
2007 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
2008 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
2009 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
2010 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
2011 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
2012 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
2013};
2014
2015static const u8 IV15[] = {
2016 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
2017 0xde, 0xca, 0xf8, 0x88
2018};
2019
2020static const u8 C15[] = {
2021 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
2022 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
2023 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
2024 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
2025 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
2026 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
2027 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
2028 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad
2029};
2030
2031static const u8 T15[] = {
2032 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
2033 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c
2034};
2035
2036/* Test Case 16 */
2037# define K16 K15
2038# define IV16 IV15
2039static const u8 P16[] = {
2040 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
2041 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
2042 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
2043 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
2044 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
2045 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
2046 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
2047 0xba, 0x63, 0x7b, 0x39
2048};
2049
2050static const u8 A16[] = {
2051 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
2052 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
2053 0xab, 0xad, 0xda, 0xd2
2054};
2055
2056static const u8 C16[] = {
2057 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
2058 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
2059 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
2060 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
2061 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
2062 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
2063 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
2064 0xbc, 0xc9, 0xf6, 0x62
2065};
2066
2067static const u8 T16[] = {
2068 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
2069 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
2070};
2071
2072/* Test Case 17 */
2073# define K17 K16
2074# define P17 P16
2075# define A17 A16
2076static const u8 IV17[] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad };
2077
2078static const u8 C17[] = {
2079 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
2080 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
2081 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
2082 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
2083 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
2084 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
2085 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
2086 0xf4, 0x7c, 0x9b, 0x1f
2087};
2088
2089static const u8 T17[] = {
2090 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
2091 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2
2092};
2093
2094/* Test Case 18 */
2095# define K18 K17
2096# define P18 P17
2097# define A18 A17
2098static const u8 IV18[] = {
2099 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
2100 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
2101 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
2102 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
2103 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
2104 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
2105 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
2106 0xa6, 0x37, 0xb3, 0x9b
2107};
2108
2109static const u8 C18[] = {
2110 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
2111 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
2112 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
2113 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
2114 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
2115 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
2116 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
2117 0x44, 0xae, 0x7e, 0x3f
2118};
2119
2120static const u8 T18[] = {
2121 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
2122 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a
2123};
2124
2125/* Test Case 19 */
2126# define K19 K1
2127# define P19 P1
2128# define IV19 IV1
2129# define C19 C1
2130static const u8 A19[] = {
2131 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
2132 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
2133 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
2134 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
2135 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
2136 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
2137 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
2138 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55,
2139 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
2140 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
2141 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
2142 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
2143 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
2144 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
2145 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
2146 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad
2147};
2148
2149static const u8 T19[] = {
2150 0x5f, 0xea, 0x79, 0x3a, 0x2d, 0x6f, 0x97, 0x4d,
2151 0x37, 0xe6, 0x8e, 0x0c, 0xb8, 0xff, 0x94, 0x92
2152};
2153
2154/* Test Case 20 */
2155# define K20 K1
2156# define A20 A1
2157/* this results in 0xff in counter LSB */
2158static const u8 IV20[64] = { 0xff, 0xff, 0xff, 0xff };
2159
2160static const u8 P20[288];
2161static const u8 C20[] = {
2162 0x56, 0xb3, 0x37, 0x3c, 0xa9, 0xef, 0x6e, 0x4a,
2163 0x2b, 0x64, 0xfe, 0x1e, 0x9a, 0x17, 0xb6, 0x14,
2164 0x25, 0xf1, 0x0d, 0x47, 0xa7, 0x5a, 0x5f, 0xce,
2165 0x13, 0xef, 0xc6, 0xbc, 0x78, 0x4a, 0xf2, 0x4f,
2166 0x41, 0x41, 0xbd, 0xd4, 0x8c, 0xf7, 0xc7, 0x70,
2167 0x88, 0x7a, 0xfd, 0x57, 0x3c, 0xca, 0x54, 0x18,
2168 0xa9, 0xae, 0xff, 0xcd, 0x7c, 0x5c, 0xed, 0xdf,
2169 0xc6, 0xa7, 0x83, 0x97, 0xb9, 0xa8, 0x5b, 0x49,
2170 0x9d, 0xa5, 0x58, 0x25, 0x72, 0x67, 0xca, 0xab,
2171 0x2a, 0xd0, 0xb2, 0x3c, 0xa4, 0x76, 0xa5, 0x3c,
2172 0xb1, 0x7f, 0xb4, 0x1c, 0x4b, 0x8b, 0x47, 0x5c,
2173 0xb4, 0xf3, 0xf7, 0x16, 0x50, 0x94, 0xc2, 0x29,
2174 0xc9, 0xe8, 0xc4, 0xdc, 0x0a, 0x2a, 0x5f, 0xf1,
2175 0x90, 0x3e, 0x50, 0x15, 0x11, 0x22, 0x13, 0x76,
2176 0xa1, 0xcd, 0xb8, 0x36, 0x4c, 0x50, 0x61, 0xa2,
2177 0x0c, 0xae, 0x74, 0xbc, 0x4a, 0xcd, 0x76, 0xce,
2178 0xb0, 0xab, 0xc9, 0xfd, 0x32, 0x17, 0xef, 0x9f,
2179 0x8c, 0x90, 0xbe, 0x40, 0x2d, 0xdf, 0x6d, 0x86,
2180 0x97, 0xf4, 0xf8, 0x80, 0xdf, 0xf1, 0x5b, 0xfb,
2181 0x7a, 0x6b, 0x28, 0x24, 0x1e, 0xc8, 0xfe, 0x18,
2182 0x3c, 0x2d, 0x59, 0xe3, 0xf9, 0xdf, 0xff, 0x65,
2183 0x3c, 0x71, 0x26, 0xf0, 0xac, 0xb9, 0xe6, 0x42,
2184 0x11, 0xf4, 0x2b, 0xae, 0x12, 0xaf, 0x46, 0x2b,
2185 0x10, 0x70, 0xbe, 0xf1, 0xab, 0x5e, 0x36, 0x06,
2186 0x87, 0x2c, 0xa1, 0x0d, 0xee, 0x15, 0xb3, 0x24,
2187 0x9b, 0x1a, 0x1b, 0x95, 0x8f, 0x23, 0x13, 0x4c,
2188 0x4b, 0xcc, 0xb7, 0xd0, 0x32, 0x00, 0xbc, 0xe4,
2189 0x20, 0xa2, 0xf8, 0xeb, 0x66, 0xdc, 0xf3, 0x64,
2190 0x4d, 0x14, 0x23, 0xc1, 0xb5, 0x69, 0x90, 0x03,
2191 0xc1, 0x3e, 0xce, 0xf4, 0xbf, 0x38, 0xa3, 0xb6,
2192 0x0e, 0xed, 0xc3, 0x40, 0x33, 0xba, 0xc1, 0x90,
2193 0x27, 0x83, 0xdc, 0x6d, 0x89, 0xe2, 0xe7, 0x74,
2194 0x18, 0x8a, 0x43, 0x9c, 0x7e, 0xbc, 0xc0, 0x67,
2195 0x2d, 0xbd, 0xa4, 0xdd, 0xcf, 0xb2, 0x79, 0x46,
2196 0x13, 0xb0, 0xbe, 0x41, 0x31, 0x5e, 0xf7, 0x78,
2197 0x70, 0x8a, 0x70, 0xee, 0x7d, 0x75, 0x16, 0x5c
2198};
2199
2200static const u8 T20[] = {
2201 0x8b, 0x30, 0x7f, 0x6b, 0x33, 0x28, 0x6d, 0x0a,
2202 0xb0, 0x26, 0xa9, 0xed, 0x3f, 0xe1, 0xe8, 0x5f
2203};
2204
2205# define TEST_CASE(n) do { \
2206 u8 out[sizeof(P##n)]; \
2207 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \
2208 CRYPTO_gcm128_init(&ctx,&key,(block128_f)AES_encrypt); \
2209 CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n)); \
2210 memset(out,0,sizeof(out)); \
2211 if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n)); \
2212 if (P##n) CRYPTO_gcm128_encrypt(&ctx,P##n,out,sizeof(out)); \
2213 if (CRYPTO_gcm128_finish(&ctx,T##n,16) || \
2214 (C##n && memcmp(out,C##n,sizeof(out)))) \
2215 ret++, printf ("encrypt test#%d failed.\n",n); \
2216 CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n)); \
2217 memset(out,0,sizeof(out)); \
2218 if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n)); \
2219 if (C##n) CRYPTO_gcm128_decrypt(&ctx,C##n,out,sizeof(out)); \
2220 if (CRYPTO_gcm128_finish(&ctx,T##n,16) || \
2221 (P##n && memcmp(out,P##n,sizeof(out)))) \
2222 ret++, printf ("decrypt test#%d failed.\n",n); \
2223 } while(0)
2224
2225int main()
2226{
2227 GCM128_CONTEXT ctx;
2228 AES_KEY key;
2229 int ret = 0;
2230
2231 TEST_CASE(1);
2232 TEST_CASE(2);
2233 TEST_CASE(3);
2234 TEST_CASE(4);
2235 TEST_CASE(5);
2236 TEST_CASE(6);
2237 TEST_CASE(7);
2238 TEST_CASE(8);
2239 TEST_CASE(9);
2240 TEST_CASE(10);
2241 TEST_CASE(11);
2242 TEST_CASE(12);
2243 TEST_CASE(13);
2244 TEST_CASE(14);
2245 TEST_CASE(15);
2246 TEST_CASE(16);
2247 TEST_CASE(17);
2248 TEST_CASE(18);
2249 TEST_CASE(19);
2250 TEST_CASE(20);
2251
2252# ifdef OPENSSL_CPUID_OBJ
2253 {
2254 size_t start, stop, gcm_t, ctr_t, OPENSSL_rdtsc();
2255 union {
2256 u64 u;
2257 u8 c[1024];
2258 } buf;
2259 int i;
2260
2261 AES_set_encrypt_key(K1, sizeof(K1) * 8, &key);
2262 CRYPTO_gcm128_init(&ctx, &key, (block128_f) AES_encrypt);
2263 CRYPTO_gcm128_setiv(&ctx, IV1, sizeof(IV1));
2264
2265 CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
2266 start = OPENSSL_rdtsc();
2267 CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
2268 gcm_t = OPENSSL_rdtsc() - start;
2269
2270 CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
2271 &key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
2272 (block128_f) AES_encrypt);
2273 start = OPENSSL_rdtsc();
2274 CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
2275 &key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
2276 (block128_f) AES_encrypt);
2277 ctr_t = OPENSSL_rdtsc() - start;
2278
2279 printf("%.2f-%.2f=%.2f\n",
2280 gcm_t / (double)sizeof(buf),
2281 ctr_t / (double)sizeof(buf),
2282 (gcm_t - ctr_t) / (double)sizeof(buf));
2283# ifdef GHASH
2284 {
2285 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
2286 const u8 *inp, size_t len) = ctx.ghash;
2287
2288 GHASH((&ctx), buf.c, sizeof(buf));
2289 start = OPENSSL_rdtsc();
2290 for (i = 0; i < 100; ++i)
2291 GHASH((&ctx), buf.c, sizeof(buf));
2292 gcm_t = OPENSSL_rdtsc() - start;
2293 printf("%.2f\n", gcm_t / (double)sizeof(buf) / (double)i);
2294 }
2295# endif
2296 }
2297# endif
2298
2299 return ret;
2300}
2301#endif
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette