| 1 | /*
|
|---|
| 2 | * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 3 | *
|
|---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
|---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
|---|
| 6 | * in the file LICENSE in the source distribution or at
|
|---|
| 7 | * https://www.openssl.org/source/license.html
|
|---|
| 8 | */
|
|---|
| 9 |
|
|---|
| 10 | #include <openssl/modes.h>
|
|---|
| 11 |
|
|---|
| 12 | #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
|
|---|
| 13 | typedef __int64 i64;
|
|---|
| 14 | typedef unsigned __int64 u64;
|
|---|
| 15 | # define U64(C) C##UI64
|
|---|
| 16 | #elif defined(__arch64__)
|
|---|
| 17 | typedef long i64;
|
|---|
| 18 | typedef unsigned long u64;
|
|---|
| 19 | # define U64(C) C##UL
|
|---|
| 20 | #else
|
|---|
| 21 | typedef long long i64;
|
|---|
| 22 | typedef unsigned long long u64;
|
|---|
| 23 | # define U64(C) C##ULL
|
|---|
| 24 | #endif
|
|---|
| 25 |
|
|---|
| 26 | typedef unsigned int u32;
|
|---|
| 27 | typedef unsigned char u8;
|
|---|
| 28 |
|
|---|
| 29 | #define STRICT_ALIGNMENT 1
|
|---|
| 30 | #ifndef PEDANTIC
|
|---|
| 31 | # if defined(__i386) || defined(__i386__) || \
|
|---|
| 32 | defined(__x86_64) || defined(__x86_64__) || \
|
|---|
| 33 | defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
|
|---|
| 34 | defined(__aarch64__) || \
|
|---|
| 35 | defined(__s390__) || defined(__s390x__)
|
|---|
| 36 | # undef STRICT_ALIGNMENT
|
|---|
| 37 | # endif
|
|---|
| 38 | #endif
|
|---|
| 39 |
|
|---|
| 40 | #ifndef STRICT_ALIGNMENT
|
|---|
| 41 | # ifdef __GNUC__
|
|---|
| 42 | typedef u32 u32_a1 __attribute((__aligned__(1)));
|
|---|
| 43 | # else
|
|---|
| 44 | typedef u32 u32_a1;
|
|---|
| 45 | # endif
|
|---|
| 46 | #endif
|
|---|
| 47 |
|
|---|
| 48 | #if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
|
|---|
| 49 | # if defined(__GNUC__) && __GNUC__>=2
|
|---|
| 50 | # if defined(__x86_64) || defined(__x86_64__)
|
|---|
| 51 | # define BSWAP8(x) ({ u64 ret_=(x); \
|
|---|
| 52 | asm ("bswapq %0" \
|
|---|
| 53 | : "+r"(ret_)); ret_; })
|
|---|
| 54 | # define BSWAP4(x) ({ u32 ret_=(x); \
|
|---|
| 55 | asm ("bswapl %0" \
|
|---|
| 56 | : "+r"(ret_)); ret_; })
|
|---|
| 57 | # elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
|
|---|
| 58 | # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
|
|---|
| 59 | asm ("bswapl %0; bswapl %1" \
|
|---|
| 60 | : "+r"(hi_),"+r"(lo_)); \
|
|---|
| 61 | (u64)hi_<<32|lo_; })
|
|---|
| 62 | # define BSWAP4(x) ({ u32 ret_=(x); \
|
|---|
| 63 | asm ("bswapl %0" \
|
|---|
| 64 | : "+r"(ret_)); ret_; })
|
|---|
| 65 | # elif defined(__aarch64__)
|
|---|
| 66 | # define BSWAP8(x) ({ u64 ret_; \
|
|---|
| 67 | asm ("rev %0,%1" \
|
|---|
| 68 | : "=r"(ret_) : "r"(x)); ret_; })
|
|---|
| 69 | # define BSWAP4(x) ({ u32 ret_; \
|
|---|
| 70 | asm ("rev %w0,%w1" \
|
|---|
| 71 | : "=r"(ret_) : "r"(x)); ret_; })
|
|---|
| 72 | # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
|
|---|
| 73 | # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
|
|---|
| 74 | asm ("rev %0,%0; rev %1,%1" \
|
|---|
| 75 | : "+r"(hi_),"+r"(lo_)); \
|
|---|
| 76 | (u64)hi_<<32|lo_; })
|
|---|
| 77 | # define BSWAP4(x) ({ u32 ret_; \
|
|---|
| 78 | asm ("rev %0,%1" \
|
|---|
| 79 | : "=r"(ret_) : "r"((u32)(x))); \
|
|---|
| 80 | ret_; })
|
|---|
| 81 | # endif
|
|---|
| 82 | # elif defined(_MSC_VER)
|
|---|
| 83 | # if _MSC_VER>=1300
|
|---|
| 84 | # include <stdlib.h>
|
|---|
| 85 | # pragma intrinsic(_byteswap_uint64,_byteswap_ulong)
|
|---|
| 86 | # define BSWAP8(x) _byteswap_uint64((u64)(x))
|
|---|
| 87 | # define BSWAP4(x) _byteswap_ulong((u32)(x))
|
|---|
| 88 | # elif defined(_M_IX86)
|
|---|
| 89 | __inline u32 _bswap4(u32 val)
|
|---|
| 90 | {
|
|---|
| 91 | _asm mov eax, val _asm bswap eax}
|
|---|
| 92 | # define BSWAP4(x) _bswap4(x)
|
|---|
| 93 | # endif
|
|---|
| 94 | # endif
|
|---|
| 95 | #endif
|
|---|
| 96 | #if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
|
|---|
| 97 | # define GETU32(p) BSWAP4(*(const u32_a1 *)(p))
|
|---|
| 98 | # define PUTU32(p,v) *(u32_a1 *)(p) = BSWAP4(v)
|
|---|
| 99 | #else
|
|---|
| 100 | # define GETU32(p) ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
|
|---|
| 101 | # define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
|
|---|
| 102 | #endif
|
|---|
| 103 | /*- GCM definitions */ typedef struct {
|
|---|
| 104 | u64 hi, lo;
|
|---|
| 105 | } u128;
|
|---|
| 106 |
|
|---|
| 107 | #ifdef TABLE_BITS
|
|---|
| 108 | # undef TABLE_BITS
|
|---|
| 109 | #endif
|
|---|
| 110 | /*
|
|---|
| 111 | * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
|
|---|
| 112 | * never be set to 8 [or 1]. For further information see gcm128.c.
|
|---|
| 113 | */
|
|---|
| 114 | #define TABLE_BITS 4
|
|---|
| 115 |
|
|---|
| 116 | struct gcm128_context {
|
|---|
| 117 | /* Following 6 names follow names in GCM specification */
|
|---|
| 118 | union {
|
|---|
| 119 | u64 u[2];
|
|---|
| 120 | u32 d[4];
|
|---|
| 121 | u8 c[16];
|
|---|
| 122 | size_t t[16 / sizeof(size_t)];
|
|---|
| 123 | } Yi, EKi, EK0, len, Xi, H;
|
|---|
| 124 | /*
|
|---|
| 125 | * Relative position of Xi, H and pre-computed Htable is used in some
|
|---|
| 126 | * assembler modules, i.e. don't change the order!
|
|---|
| 127 | */
|
|---|
| 128 | #if TABLE_BITS==8
|
|---|
| 129 | u128 Htable[256];
|
|---|
| 130 | #else
|
|---|
| 131 | u128 Htable[16];
|
|---|
| 132 | void (*gmult) (u64 Xi[2], const u128 Htable[16]);
|
|---|
| 133 | void (*ghash) (u64 Xi[2], const u128 Htable[16], const u8 *inp,
|
|---|
| 134 | size_t len);
|
|---|
| 135 | #endif
|
|---|
| 136 | unsigned int mres, ares;
|
|---|
| 137 | block128_f block;
|
|---|
| 138 | void *key;
|
|---|
| 139 | #if !defined(OPENSSL_SMALL_FOOTPRINT)
|
|---|
| 140 | unsigned char Xn[48];
|
|---|
| 141 | #endif
|
|---|
| 142 | };
|
|---|
| 143 |
|
|---|
| 144 | struct xts128_context {
|
|---|
| 145 | void *key1, *key2;
|
|---|
| 146 | block128_f block1, block2;
|
|---|
| 147 | };
|
|---|
| 148 |
|
|---|
| 149 | struct ccm128_context {
|
|---|
| 150 | union {
|
|---|
| 151 | u64 u[2];
|
|---|
| 152 | u8 c[16];
|
|---|
| 153 | } nonce, cmac;
|
|---|
| 154 | u64 blocks;
|
|---|
| 155 | block128_f block;
|
|---|
| 156 | void *key;
|
|---|
| 157 | };
|
|---|
| 158 |
|
|---|
| 159 | #ifndef OPENSSL_NO_OCB
|
|---|
| 160 |
|
|---|
| 161 | typedef union {
|
|---|
| 162 | u64 a[2];
|
|---|
| 163 | unsigned char c[16];
|
|---|
| 164 | } OCB_BLOCK;
|
|---|
| 165 | # define ocb_block16_xor(in1,in2,out) \
|
|---|
| 166 | ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
|
|---|
| 167 | (out)->a[1]=(in1)->a[1]^(in2)->a[1] )
|
|---|
| 168 | # if STRICT_ALIGNMENT
|
|---|
| 169 | # define ocb_block16_xor_misaligned(in1,in2,out) \
|
|---|
| 170 | ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
|
|---|
| 171 | # else
|
|---|
| 172 | # define ocb_block16_xor_misaligned ocb_block16_xor
|
|---|
| 173 | # endif
|
|---|
| 174 |
|
|---|
| 175 | struct ocb128_context {
|
|---|
| 176 | /* Need both encrypt and decrypt key schedules for decryption */
|
|---|
| 177 | block128_f encrypt;
|
|---|
| 178 | block128_f decrypt;
|
|---|
| 179 | void *keyenc;
|
|---|
| 180 | void *keydec;
|
|---|
| 181 | ocb128_f stream; /* direction dependent */
|
|---|
| 182 | /* Key dependent variables. Can be reused if key remains the same */
|
|---|
| 183 | size_t l_index;
|
|---|
| 184 | size_t max_l_index;
|
|---|
| 185 | OCB_BLOCK l_star;
|
|---|
| 186 | OCB_BLOCK l_dollar;
|
|---|
| 187 | OCB_BLOCK *l;
|
|---|
| 188 | /* Must be reset for each session */
|
|---|
| 189 | struct {
|
|---|
| 190 | u64 blocks_hashed;
|
|---|
| 191 | u64 blocks_processed;
|
|---|
| 192 | OCB_BLOCK offset_aad;
|
|---|
| 193 | OCB_BLOCK sum;
|
|---|
| 194 | OCB_BLOCK offset;
|
|---|
| 195 | OCB_BLOCK checksum;
|
|---|
| 196 | } sess;
|
|---|
| 197 | };
|
|---|
| 198 | #endif /* OPENSSL_NO_OCB */
|
|---|
