author | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-09-13 12:09:40 -0700 |
---|---|---|
committer | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-09-13 12:09:40 -0700 |
commit | b6f94dbeacfc6f0a507413096189304c58dbe66c (patch) | |
tree | bce8c7db22209078618294c51d95a0c033aec7d9 /Cryptlib/OpenSSL/crypto/modes | |
parent | 25f7fd1fb389a5f6356f353d16c5ead80dac6bbc (diff) | |
download | efi-boot-shim-upstream/13_git1505328970.9c1c35c5.tar.gz efi-boot-shim-upstream/13_git1505328970.9c1c35c5.zip |
New upstream version 13~git1505328970.9c1c35c5 upstream/13_git1505328970.9c1c35c5
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/modes')
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/cbc128.c | 64 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/ccm128.c | 59 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/cfb128.c | 70 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/ctr128.c | 70 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/cts128.c | 33 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/gcm128.c | 269 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/modes_lcl.h | 50 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/ocb128.c | 568 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/ofb128.c | 62 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/wrap128.c | 311 | ||||
-rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/xts128.c | 59 |
11 files changed, 605 insertions, 1010 deletions
diff --git a/Cryptlib/OpenSSL/crypto/modes/cbc128.c b/Cryptlib/OpenSSL/crypto/modes/cbc128.c
index 4c9bc85e..c13caea5 100644
--- a/Cryptlib/OpenSSL/crypto/modes/cbc128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/cbc128.c
@@ -1,16 +1,64 @@ -/* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + #if !defined(STRICT_ALIGNMENT) && !defined(PEDANTIC) # define STRICT_ALIGNMENT 0 #endif @@ -22,6 +70,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out, size_t n; const unsigned char *iv = ivec; + assert(in && out && key && ivec); + #if !defined(OPENSSL_SMALL_FOOTPRINT) if (STRICT_ALIGNMENT && ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) { @@ -73,6 +123,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out, unsigned char c[16]; } tmp; + assert(in && out && key && ivec); + #if !defined(OPENSSL_SMALL_FOOTPRINT) if (in != out) { const unsigned char *iv = ivec; diff --git a/Cryptlib/OpenSSL/crypto/modes/ccm128.c b/Cryptlib/OpenSSL/crypto/modes/ccm128.c index 85ce84f1..c1ded0f9 100644 --- a/Cryptlib/OpenSSL/crypto/modes/ccm128.c +++ b/Cryptlib/OpenSSL/crypto/modes/ccm128.c 
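Review bot: The `assert(in && out && key && ivec);` added to CRYPTO_cbc128_encrypt and CRYPTO_cbc128_decrypt in cbc128.c is not a runtime check in ordinary builds, because the first hunk of the same file defines `NDEBUG` ahead of `#include <assert.h>` unless `MODES_DEBUG` is set. The same `NDEBUG` block is added to ccm128.c, cfb128.c, ctr128.c, cts128.c and gcm128.c, and the cfb128.c, ctr128.c and cts128.c hunks add asserts of the same kind, so none of them should be counted as input validation when this code is audited. I would put a comment next to the preprocessor block, for example `/* asserts in this file are compiled out unless MODES_DEBUG is defined; callers must pass non-NULL pointers */`. Both function bodies continue outside their hunks.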
@@ -1,16 +1,63 @@ -/* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + /* * First you setup M and L parameters and pass the key schedule. This is * called once per session setup... diff --git a/Cryptlib/OpenSSL/crypto/modes/cfb128.c b/Cryptlib/OpenSSL/crypto/modes/cfb128.c index e439567f..d4ecbd08 100644 --- a/Cryptlib/OpenSSL/crypto/modes/cfb128.c +++ b/Cryptlib/OpenSSL/crypto/modes/cfb128.c 
@@ -1,16 +1,64 @@ -/* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + /* * The input and output encrypted as though 128bit cfb mode is being used. * The extra state information to record how much of the 128bit block we have @@ -24,6 +72,8 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out, unsigned int n; size_t l = 0; + assert(in && out && key && ivec && num); + n = *num; if (enc) { @@ -140,7 +190,7 @@ static void cfbr_encrypt_block(const unsigned char *in, unsigned char *out, block128_f block) { int n, rem, num; - unsigned char ovec[16 * 2 + 1]; /* +1 because we dereference (but don't + unsigned char ovec[16 * 2 + 1]; /* +1 because we dererefence (but don't * use) one byte off the end */ if (nbits <= 0 || nbits > 128) 
@@ -178,6 +228,9 @@ void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out, size_t n; unsigned char c[1], d[1]; + assert(in && out && key && ivec && num); + assert(*num == 0); + for (n = 0; n < bits; ++n) { c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; cfbr_encrypt_block(c, d, 1, key, ivec, enc, block); @@ -193,6 +246,9 @@ void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, { size_t n; + assert(in && out && key && ivec && num); + assert(*num == 0); + for (n = 0; n < length; ++n) cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block); } diff --git a/Cryptlib/OpenSSL/crypto/modes/ctr128.c b/Cryptlib/OpenSSL/crypto/modes/ctr128.c index 03920b44..d4b22728 100644 --- a/Cryptlib/OpenSSL/crypto/modes/ctr128.c +++ b/Cryptlib/OpenSSL/crypto/modes/ctr128.c 
@@ -1,16 +1,64 @@ -/* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + /* * NOTE: the IV/counter CTR mode is big-endian. The code itself is * endian-neutral. @@ -65,7 +113,7 @@ static void ctr128_inc_aligned(unsigned char *counter) * before the first call to CRYPTO_ctr128_encrypt(). This algorithm assumes * that the counter is in the x lower bits of the IV (ivec), and that the * application has full control over overflow and the rest of the IV. This - * implementation takes NO responsibility for checking that the counter + * implementation takes NO responsability for checking that the counter * doesn't overflow into the rest of the IV when incremented. */ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, @@ -77,6 +125,9 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, unsigned int n; size_t l = 0; + assert(in && out && key && ecount_buf && num); + assert(*num < 16); + n = *num; #if !defined(OPENSSL_SMALL_FOOTPRINT) 
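Review bot: `assert(*num < 16);` in CRYPTO_ctr128_encrypt is the only bound on `*num` visible in this hunk, and it is removed in builds without `MODES_DEBUG` because ctr128.c defines `NDEBUG` ahead of `<assert.h>`; the very next line copies the value with `n = *num;`. If `n` is later used as an offset into `ecount_buf`, which the hunk does not show, an out-of-range value supplied by a caller would pass unchecked. The function returns void, so I would at least state the precondition in the comment above it, e.g. `* The caller must keep *num in the range 0..15; this is only asserted when MODES_DEBUG is defined.` The same applies to `assert(*num < 16);` in CRYPTO_ctr128_encrypt_ctr32 and to `assert(*num == 0);` in the two cfb128.c hunks. The function body continues outside the hunk.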
@@ -152,6 +203,9 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, { unsigned int n, ctr32; + assert(in && out && key && ecount_buf && num); + assert(*num < 16); + n = *num; while (n && len) { @@ -184,7 +238,7 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, (*func) (in, out, blocks, key, ivec); /* (*ctr) does not update ivec, caller does: */ PUTU32(ivec + 12, ctr32); - /* ... overflow was detected, propagate carry. */ + /* ... overflow was detected, propogate carry. */ if (ctr32 == 0) ctr96_inc(ivec); blocks *= 16; diff --git a/Cryptlib/OpenSSL/crypto/modes/cts128.c b/Cryptlib/OpenSSL/crypto/modes/cts128.c index 77ec994b..137be595 100644 --- a/Cryptlib/OpenSSL/crypto/modes/cts128.c +++ b/Cryptlib/OpenSSL/crypto/modes/cts128.c @@ -1,16 +1,21 @@ -/* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Rights for redistribution and usage in source and binary + * forms are granted according to the OpenSSL license. */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + /* * Trouble with Ciphertext Stealing, CTS, mode is that there is no * common official specification, but couple of cipher/application @@ -31,6 +36,8 @@ size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, { size_t residue, n; + assert(in && out && key && ivec); + if (len <= 16) return 0; 
@@ -61,6 +68,8 @@ size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, { size_t residue, n; + assert(in && out && key && ivec); + if (len < 16) return 0; @@ -94,6 +103,8 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out, unsigned char c[16]; } tmp; + assert(in && out && key && ivec); + if (len <= 16) return 0; @@ -130,6 +141,8 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out, unsigned char c[16]; } tmp; + assert(in && out && key && ivec); + if (len < 16) return 0; @@ -166,6 +179,8 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char c[32]; } tmp; + assert(in && out && key && ivec); + if (len <= 16) return 0; @@ -209,6 +224,8 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char c[32]; } tmp; + assert(in && out && key && ivec); + if (len < 16) return 0; @@ -255,6 +272,8 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out, unsigned char c[32]; } tmp; + assert(in && out && key && ivec); + if (len <= 16) return 0; @@ -295,6 +314,8 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out, unsigned char c[32]; } tmp; + assert(in && out && key && ivec); + if (len < 16) return 0; diff --git a/Cryptlib/OpenSSL/crypto/modes/gcm128.c b/Cryptlib/OpenSSL/crypto/modes/gcm128.c index df9f6547..e299131c 100644 --- a/Cryptlib/OpenSSL/crypto/modes/gcm128.c +++ b/Cryptlib/OpenSSL/crypto/modes/gcm128.c 
@@ -1,16 +1,65 @@ -/* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2010 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== */ +#define OPENSSL_FIPSAPI + #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + #if defined(BSWAP4) && defined(STRICT_ALIGNMENT) /* redefine, because alignment is ensured */ # undef GETU32 @@ -101,7 +150,9 @@ static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; static const size_t rem_8bit[256] = { PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246), PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E), @@ -270,7 +321,9 @@ static void gcm_init_4bit(u128 Htable[16], u64 H[2]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; if (is_endian.little) for (j = 0; j < 16; ++j) { 
@@ -303,7 +356,9 @@ static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; nlo = ((const u8 *)Xi)[15]; nhi = nlo >> 4; @@ -382,7 +437,9 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; # if 1 do { @@ -572,7 +629,9 @@ static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; V.hi = H[0]; /* H is in host byte order, no byte swapping */ V.lo = H[1]; @@ -715,7 +774,9 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; memset(ctx, 0, sizeof(*ctx)); ctx->block = block; @@ -740,11 +801,6 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) #if TABLE_BITS==8 gcm_init_8bit(ctx->Htable, ctx->H.u); #elif TABLE_BITS==4 -# if defined(GHASH) -# define CTX__GHASH(f) (ctx->ghash = (f)) -# else -# define CTX__GHASH(f) (ctx->ghash = NULL) -# endif # if defined(GHASH_ASM_X86_OR_64) # if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2) if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */ @@ -752,11 +808,11 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ gcm_init_avx(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_avx; - CTX__GHASH(gcm_ghash_avx); + ctx->ghash = gcm_ghash_avx; } else { gcm_init_clmul(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_clmul; - CTX__GHASH(gcm_ghash_clmul); + ctx->ghash = gcm_ghash_clmul; } return; } 
@@ -769,59 +825,66 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */ # endif ctx->gmult = gcm_gmult_4bit_mmx; - CTX__GHASH(gcm_ghash_4bit_mmx); + ctx->ghash = gcm_ghash_4bit_mmx; } else { ctx->gmult = gcm_gmult_4bit_x86; - CTX__GHASH(gcm_ghash_4bit_x86); + ctx->ghash = gcm_ghash_4bit_x86; } # else ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_4bit; # endif # elif defined(GHASH_ASM_ARM) # ifdef PMULL_CAPABLE if (PMULL_CAPABLE) { gcm_init_v8(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_v8; - CTX__GHASH(gcm_ghash_v8); + ctx->ghash = gcm_ghash_v8; } else # endif # ifdef NEON_CAPABLE if (NEON_CAPABLE) { gcm_init_neon(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_neon; - CTX__GHASH(gcm_ghash_neon); + ctx->ghash = gcm_ghash_neon; } else # endif { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); +# if defined(GHASH) + ctx->ghash = gcm_ghash_4bit; +# else + ctx->ghash = NULL; +# endif } # elif defined(GHASH_ASM_SPARC) if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) { gcm_init_vis3(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_vis3; - CTX__GHASH(gcm_ghash_vis3); + ctx->ghash = gcm_ghash_vis3; } else { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_4bit; } # elif defined(GHASH_ASM_PPC) if (OPENSSL_ppccap_P & PPC_CRYPTO207) { gcm_init_p8(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_p8; - CTX__GHASH(gcm_ghash_p8); + ctx->ghash = gcm_ghash_p8; } else { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); +# if defined(GHASH) + ctx->ghash = gcm_ghash_4bit; +# else + ctx->ghash = NULL; +# endif } # else gcm_init_4bit(ctx->Htable, ctx->H.u); # endif -# undef CTX__GHASH #endif } 
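Review bot: In CRYPTO_gcm128_init the `# if defined(GHASH)` / `ctx->ghash = NULL;` fallback is now applied only in the generic branches under GHASH_ASM_ARM and GHASH_ASM_PPC, while the x86 `# else` branch and the SPARC fallback assign `ctx->ghash = gcm_ghash_4bit;` unconditionally. The removed `CTX__GHASH` macro treated every branch the same way, so a build without `GHASH` now behaves differently per architecture; whether `gcm_ghash_4bit` is declared at all in that configuration is not visible here. I would either guard all four generic assignments identically or add a comment such as `/* GHASH is always defined on this path */` where the guard is left out on purpose. The function starts outside this hunk.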
@@ -831,7 +894,9 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int ctr; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; @@ -975,7 +1040,9 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; @@ -983,12 +1050,15 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, void *key = ctx->key; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; # endif #endif +#if 0 + n = (unsigned int)mlen % 16; /* alternative to ctx->mres */ +#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) return -1; @@ -1030,8 +1100,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, if (((size_t)in | (size_t)out) % sizeof(size_t) != 0) break; # endif -# if defined(GHASH) -# if defined(GHASH_CHUNK) +# if defined(GHASH) && defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { size_t j = GHASH_CHUNK; @@ -1042,11 +1111,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) @@ -1058,7 +1127,6 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK); len -= GHASH_CHUNK; } -# endif if ((i = (len & (size_t)-16))) { size_t j = i; 
@@ -1159,7 +1227,9 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; @@ -1167,7 +1237,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, void *key = ctx->key; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; # endif @@ -1216,8 +1286,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, if (((size_t)in | (size_t)out) % sizeof(size_t) != 0) break; # endif -# if defined(GHASH) -# if defined(GHASH_CHUNK) +# if defined(GHASH) && defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { size_t j = GHASH_CHUNK; @@ -1229,11 +1298,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) @@ -1244,7 +1313,6 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, } len -= GHASH_CHUNK; } -# endif if ((i = (len & (size_t)-16))) { GHASH(ctx, in, i); while (len >= 16) { 
@@ -1348,24 +1416,23 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in, unsigned char *out, size_t len, ctr128_f stream) { -#if defined(OPENSSL_SMALL_FOOTPRINT) - return CRYPTO_gcm128_encrypt(ctx, in, out, len); -#else const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -# ifdef GCM_FUNCREF_4BIT +#ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; -# endif # endif +#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1379,11 +1446,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctr = BSWAP4(ctx->Yi.d[3]); -# else +#else ctr = GETU32(ctx->Yi.c + 12); -# endif +#endif else ctr = ctx->Yi.d[3]; @@ -1401,16 +1468,16 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, return 0; } } -# if defined(GHASH) && defined(GHASH_CHUNK) +#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) while (len >= GHASH_CHUNK) { (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c); ctr += GHASH_CHUNK / 16; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; GHASH(ctx, out, GHASH_CHUNK); 
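Review bot: The bulk loop in CRYPTO_gcm128_encrypt_ctr32 is now guarded by `#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)` but still uses `GHASH_CHUNK`, whereas CRYPTO_gcm128_encrypt and CRYPTO_gcm128_decrypt in this same commit test `defined(GHASH) && defined(GHASH_CHUNK)`. Where `GHASH_CHUNK` is defined lies outside the visible hunks, so I cannot tell whether the two conditions are equivalent; if they are not, a configuration with `GHASH` but without `GHASH_CHUNK` would not compile. Using one guard in all four functions, `#if defined(GHASH) && defined(GHASH_CHUNK)`, would remove the doubt, and CRYPTO_gcm128_decrypt_ctr32 carries the same line. The function body continues in the following hunks.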
@@ -1418,43 +1485,43 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, in += GHASH_CHUNK; len -= GHASH_CHUNK; } -# endif +#endif if ((i = (len & (size_t)-16))) { size_t j = i / 16; (*stream) (in, out, j, key, ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; in += i; len -= i; -# if defined(GHASH) +#if defined(GHASH) GHASH(ctx, out, i); out += i; -# else +#else while (j--) { for (i = 0; i < 16; ++i) ctx->Xi.c[i] ^= out[i]; GCM_MUL(ctx, Xi); out += 16; } -# endif +#endif } if (len) { (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1465,31 +1532,29 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, ctx->mres = n; return 0; -#endif } int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in, unsigned char *out, size_t len, ctr128_f stream) { -#if defined(OPENSSL_SMALL_FOOTPRINT) - return CRYPTO_gcm128_decrypt(ctx, in, out, len); -#else const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -# ifdef GCM_FUNCREF_4BIT +#ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; -# endif # endif +#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1503,11 +1568,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctr = BSWAP4(ctx->Yi.d[3]); -# else +#else ctr = GETU32(ctx->Yi.c + 12); -# endif +#endif else ctr = ctx->Yi.d[3]; 
@@ -1527,30 +1592,30 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, return 0; } } -# if defined(GHASH) && defined(GHASH_CHUNK) +#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) while (len >= GHASH_CHUNK) { GHASH(ctx, in, GHASH_CHUNK); (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c); ctr += GHASH_CHUNK / 16; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; out += GHASH_CHUNK; in += GHASH_CHUNK; len -= GHASH_CHUNK; } -# endif +#endif if ((i = (len & (size_t)-16))) { size_t j = i / 16; -# if defined(GHASH) +#if defined(GHASH) GHASH(ctx, in, i); -# else +#else while (j--) { size_t k; for (k = 0; k < 16; ++k) @@ -1560,15 +1625,15 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } j = i / 16; in -= i; -# endif +#endif (*stream) (in, out, j, key, ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; out += i; @@ -1579,11 +1644,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1596,7 +1661,6 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, ctx->mres = n; return 0; -#endif } int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, @@ -1605,7 +1669,9 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; u64 alen = ctx->len.u[0] << 3; u64 clen = ctx->len.u[1] << 3; #ifdef GCM_FUNCREF_4BIT 
@@ -1654,7 +1720,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) { GCM128_CONTEXT *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) != NULL) + if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT)))) CRYPTO_gcm128_init(ret, key, block); return ret; @@ -1662,7 +1728,10 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx) { - OPENSSL_clear_free(ctx, sizeof(*ctx)); + if (ctx) { + OPENSSL_cleanse(ctx, sizeof(*ctx)); + OPENSSL_free(ctx); + } } #if defined(SELFTEST) diff --git a/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h b/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h index 7a1603bf..fe14ec70 100644 --- a/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h +++ b/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h @@ -1,10 +1,8 @@ -/* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2010 The OpenSSL Project. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Redistribution and use is governed by OpenSSL license. + * ==================================================================== */ #include <openssl/modes.h> 
@@ -143,43 +141,3 @@ struct ccm128_context { block128_f block; void *key; }; - -#ifndef OPENSSL_NO_OCB - -typedef union { - u64 a[2]; - unsigned char c[16]; -} OCB_BLOCK; -# define ocb_block16_xor(in1,in2,out) \ - ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \ - (out)->a[1]=(in1)->a[1]^(in2)->a[1] ) -# if STRICT_ALIGNMENT -# define ocb_block16_xor_misaligned(in1,in2,out) \ - ocb_block_xor((in1)->c,(in2)->c,16,(out)->c) -# else -# define ocb_block16_xor_misaligned ocb_block16_xor -# endif - -struct ocb128_context { - /* Need both encrypt and decrypt key schedules for decryption */ - block128_f encrypt; - block128_f decrypt; - void *keyenc; - void *keydec; - ocb128_f stream; /* direction dependent */ - /* Key dependent variables. Can be reused if key remains the same */ - size_t l_index; - size_t max_l_index; - OCB_BLOCK l_star; - OCB_BLOCK l_dollar; - OCB_BLOCK *l; - /* Must be reset for each session */ - u64 blocks_hashed; - u64 blocks_processed; - OCB_BLOCK tag; - OCB_BLOCK offset_aad; - OCB_BLOCK sum; - OCB_BLOCK offset; - OCB_BLOCK checksum; -}; -#endif /* OPENSSL_NO_OCB */ diff --git a/Cryptlib/OpenSSL/crypto/modes/ocb128.c b/Cryptlib/OpenSSL/crypto/modes/ocb128.c deleted file mode 100644 index c3bd13bb..00000000 --- a/Cryptlib/OpenSSL/crypto/modes/ocb128.c +++ /dev/null 
@@ -1,568 +0,0 @@ -/* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <string.h> -#include <openssl/crypto.h> -#include "modes_lcl.h" - -#ifndef OPENSSL_NO_OCB - -/* - * Calculate the number of binary trailing zero's in any given number - */ -static u32 ocb_ntz(u64 n) -{ - u32 cnt = 0; - - /* - * We do a right-to-left simple sequential search. This is surprisingly - * efficient as the distribution of trailing zeros is not uniform, - * e.g. the number of possible inputs with no trailing zeros is equal to - * the number with 1 or more; the number with exactly 1 is equal to the - * number with 2 or more, etc. Checking the last two bits covers 75% of - * all numbers. Checking the last three covers 87.5% - */ - while (!(n & 1)) { - n >>= 1; - cnt++; - } - return cnt; -} - -/* - * Shift a block of 16 bytes left by shift bits - */ -static void ocb_block_lshift(const unsigned char *in, size_t shift, - unsigned char *out) -{ - unsigned char shift_mask; - int i; - unsigned char mask[15]; - - shift_mask = 0xff; - shift_mask <<= (8 - shift); - for (i = 15; i >= 0; i--) { - if (i > 0) { - mask[i - 1] = in[i] & shift_mask; - mask[i - 1] >>= 8 - shift; - } - out[i] = in[i] << shift; - - if (i != 15) { - out[i] ^= mask[i]; - } - } -} - -/* - * Perform a "double" operation as per OCB spec - */ -static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out) -{ - unsigned char mask; - - /* - * Calculate the mask based on the most significant bit. 
There are more - * efficient ways to do this - but this way is constant time - */ - mask = in->c[0] & 0x80; - mask >>= 7; - mask *= 135; - - ocb_block_lshift(in->c, 1, out->c); - - out->c[15] ^= mask; -} - -/* - * Perform an xor on in1 and in2 - each of len bytes. Store result in out - */ -static void ocb_block_xor(const unsigned char *in1, - const unsigned char *in2, size_t len, - unsigned char *out) -{ - size_t i; - for (i = 0; i < len; i++) { - out[i] = in1[i] ^ in2[i]; - } -} - -/* - * Lookup L_index in our lookup table. If we haven't already got it we need to - * calculate it - */ -static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx) -{ - size_t l_index = ctx->l_index; - - if (idx <= l_index) { - return ctx->l + idx; - } - - /* We don't have it - so calculate it */ - if (idx >= ctx->max_l_index) { - void *tmp_ptr; - /* - * Each additional entry allows to process almost double as - * much data, so that in linear world the table will need to - * be expanded with smaller and smaller increments. Originally - * it was doubling in size, which was a waste. Growing it - * linearly is not formally optimal, but is simpler to implement. - * We grow table by minimally required 4*n that would accommodate - * the index. 
- */ - ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3; - tmp_ptr = - OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK)); - if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */ - return NULL; - ctx->l = tmp_ptr; - } - while (l_index < idx) { - ocb_double(ctx->l + l_index, ctx->l + l_index + 1); - l_index++; - } - ctx->l_index = l_index; - - return ctx->l + idx; -} - -/* - * Create a new OCB128_CONTEXT - */ -OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec, - block128_f encrypt, block128_f decrypt, - ocb128_f stream) -{ - OCB128_CONTEXT *octx; - int ret; - - if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) { - ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt, - stream); - if (ret) - return octx; - OPENSSL_free(octx); - } - - return NULL; -} - -/* - * Initialise an existing OCB128_CONTEXT - */ -int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec, - block128_f encrypt, block128_f decrypt, - ocb128_f stream) -{ - memset(ctx, 0, sizeof(*ctx)); - ctx->l_index = 0; - ctx->max_l_index = 5; - ctx->l = OPENSSL_malloc(ctx->max_l_index * 16); - if (ctx->l == NULL) - return 0; - - /* - * We set both the encryption and decryption key schedules - decryption - * needs both. 
Don't really need decryption schedule if only doing - * encryption - but it simplifies things to take it anyway - */ - ctx->encrypt = encrypt; - ctx->decrypt = decrypt; - ctx->stream = stream; - ctx->keyenc = keyenc; - ctx->keydec = keydec; - - /* L_* = ENCIPHER(K, zeros(128)) */ - ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc); - - /* L_$ = double(L_*) */ - ocb_double(&ctx->l_star, &ctx->l_dollar); - - /* L_0 = double(L_$) */ - ocb_double(&ctx->l_dollar, ctx->l); - - /* L_{i} = double(L_{i-1}) */ - ocb_double(ctx->l, ctx->l+1); - ocb_double(ctx->l+1, ctx->l+2); - ocb_double(ctx->l+2, ctx->l+3); - ocb_double(ctx->l+3, ctx->l+4); - ctx->l_index = 4; /* enough to process up to 496 bytes */ - - return 1; -} - -/* - * Copy an OCB128_CONTEXT object - */ -int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src, - void *keyenc, void *keydec) -{ - memcpy(dest, src, sizeof(OCB128_CONTEXT)); - if (keyenc) - dest->keyenc = keyenc; - if (keydec) - dest->keydec = keydec; - if (src->l) { - dest->l = OPENSSL_malloc(src->max_l_index * 16); - if (dest->l == NULL) - return 0; - memcpy(dest->l, src->l, (src->l_index + 1) * 16); - } - return 1; -} - -/* - * Set the IV to be used for this operation. Must be 1 - 15 bytes. - */ -int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, - size_t len, size_t taglen) -{ - unsigned char ktop[16], tmp[16], mask; - unsigned char stretch[24], nonce[16]; - size_t bottom, shift; - - /* - * Spec says IV is 120 bits or fewer - it allows non byte aligned lengths. 
- * We don't support this at this stage - */ - if ((len > 15) || (len < 1) || (taglen > 16) || (taglen < 1)) { - return -1; - } - - /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */ - nonce[0] = ((taglen * 8) % 128) << 1; - memset(nonce + 1, 0, 15); - memcpy(nonce + 16 - len, iv, len); - nonce[15 - len] |= 1; - - /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */ - memcpy(tmp, nonce, 16); - tmp[15] &= 0xc0; - ctx->encrypt(tmp, ktop, ctx->keyenc); - - /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */ - memcpy(stretch, ktop, 16); - ocb_block_xor(ktop, ktop + 1, 8, stretch + 16); - - /* bottom = str2num(Nonce[123..128]) */ - bottom = nonce[15] & 0x3f; - - /* Offset_0 = Stretch[1+bottom..128+bottom] */ - shift = bottom % 8; - ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c); - mask = 0xff; - mask <<= 8 - shift; - ctx->offset.c[15] |= - (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift); - - return 1; -} - -/* - * Provide any AAD. This can be called multiple times. 
Only the final time can - * have a partial block - */ -int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, - size_t len) -{ - u64 i, all_num_blocks; - size_t num_blocks, last_len; - OCB_BLOCK tmp1; - OCB_BLOCK tmp2; - - /* Calculate the number of blocks of AAD provided now, and so far */ - num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_hashed; - - /* Loop through all full blocks of AAD */ - for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) { - OCB_BLOCK *lookup; - OCB_BLOCK *aad_block; - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ - lookup = ocb_lookup_l(ctx, ocb_ntz(i)); - if (lookup == NULL) - return 0; - ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad); - - /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ - aad_block = (OCB_BLOCK *)(aad + ((i - ctx->blocks_hashed - 1) * 16)); - ocb_block16_xor(&ctx->offset_aad, aad_block, &tmp1); - ctx->encrypt(tmp1.c, tmp2.c, ctx->keyenc); - ocb_block16_xor(&ctx->sum, &tmp2, &ctx->sum); - } - - /* - * Check if we have any partial blocks left over. This is only valid in the - * last call to this function - */ - last_len = len % 16; - - if (last_len > 0) { - /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad); - - /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */ - memset(&tmp1, 0, 16); - memcpy(&tmp1, aad + (num_blocks * 16), last_len); - ((unsigned char *)&tmp1)[last_len] = 0x80; - ocb_block16_xor(&ctx->offset_aad, &tmp1, &tmp2); - - /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */ - ctx->encrypt(tmp2.c, tmp1.c, ctx->keyenc); - ocb_block16_xor(&ctx->sum, &tmp1, &ctx->sum); - } - - ctx->blocks_hashed = all_num_blocks; - - return 1; -} - -/* - * Provide any data to be encrypted. This can be called multiple times. 
Only - * the final time can have a partial block - */ -int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, - const unsigned char *in, unsigned char *out, - size_t len) -{ - u64 i, all_num_blocks; - size_t num_blocks, last_len; - OCB_BLOCK tmp1; - OCB_BLOCK tmp2; - OCB_BLOCK pad; - - /* - * Calculate the number of blocks of data to be encrypted provided now, and - * so far - */ - num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; - - if (num_blocks && all_num_blocks == (size_t)all_num_blocks - && ctx->stream != NULL) { - size_t max_idx = 0, top = (size_t)all_num_blocks; - - /* - * See how many L_{i} entries we need to process data at hand - * and pre-compute missing entries in the table [if any]... - */ - while (top >>= 1) - max_idx++; - if (ocb_lookup_l(ctx, max_idx) == NULL) - return 0; - - ctx->stream(in, out, num_blocks, ctx->keyenc, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); - } else { - /* Loop through all full blocks to be encrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { - OCB_BLOCK *lookup; - OCB_BLOCK *inblock; - OCB_BLOCK *outblock; - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ - lookup = ocb_lookup_l(ctx, ocb_ntz(i)); - if (lookup == NULL) - return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); - - /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ - inblock = - (OCB_BLOCK *)(in + ((i - ctx->blocks_processed - 1) * 16)); - ocb_block16_xor_misaligned(&ctx->offset, inblock, &tmp1); - /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor_misaligned(&ctx->checksum, inblock, &ctx->checksum); - ctx->encrypt(tmp1.c, tmp2.c, ctx->keyenc); - outblock = - (OCB_BLOCK *)(out + ((i - ctx->blocks_processed - 1) * 16)); - ocb_block16_xor_misaligned(&ctx->offset, &tmp2, outblock); - } - } - - /* - * Check if we have any partial blocks left over. 
This is only valid in the - * last call to this function - */ - last_len = len % 16; - - if (last_len > 0) { - /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); - - /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); - - /* C_* = P_* xor Pad[1..bitlen(P_*)] */ - ocb_block_xor(in + (len / 16) * 16, (unsigned char *)&pad, last_len, - out + (num_blocks * 16)); - - /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */ - memset(&tmp1, 0, 16); - memcpy(&tmp1, in + (len / 16) * 16, last_len); - ((unsigned char *)(&tmp1))[last_len] = 0x80; - ocb_block16_xor(&ctx->checksum, &tmp1, &ctx->checksum); - } - - ctx->blocks_processed = all_num_blocks; - - return 1; -} - -/* - * Provide any data to be decrypted. This can be called multiple times. Only - * the final time can have a partial block - */ -int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, - const unsigned char *in, unsigned char *out, - size_t len) -{ - u64 i, all_num_blocks; - size_t num_blocks, last_len; - OCB_BLOCK tmp1; - OCB_BLOCK tmp2; - OCB_BLOCK pad; - - /* - * Calculate the number of blocks of data to be decrypted provided now, and - * so far - */ - num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; - - if (num_blocks && all_num_blocks == (size_t)all_num_blocks - && ctx->stream != NULL) { - size_t max_idx = 0, top = (size_t)all_num_blocks; - - /* - * See how many L_{i} entries we need to process data at hand - * and pre-compute missing entries in the table [if any]... 
- */ - while (top >>= 1) - max_idx++; - if (ocb_lookup_l(ctx, max_idx) == NULL) - return 0; - - ctx->stream(in, out, num_blocks, ctx->keydec, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); - } else { - /* Loop through all full blocks to be decrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { - OCB_BLOCK *inblock; - OCB_BLOCK *outblock; - - /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ - OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i)); - if (lookup == NULL) - return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); - - /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ - inblock = - (OCB_BLOCK *)(in + ((i - ctx->blocks_processed - 1) * 16)); - ocb_block16_xor_misaligned(&ctx->offset, inblock, &tmp1); - ctx->decrypt(tmp1.c, tmp2.c, ctx->keydec); - outblock = - (OCB_BLOCK *)(out + ((i - ctx->blocks_processed - 1) * 16)); - ocb_block16_xor_misaligned(&ctx->offset, &tmp2, outblock); - - /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor_misaligned(&ctx->checksum, outblock, &ctx->checksum); - } - } - - /* - * Check if we have any partial blocks left over. 
This is only valid in the - * last call to this function - */ - last_len = len % 16; - - if (last_len > 0) { - /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); - - /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); - - /* P_* = C_* xor Pad[1..bitlen(C_*)] */ - ocb_block_xor(in + (len / 16) * 16, (unsigned char *)&pad, last_len, - out + (num_blocks * 16)); - - /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */ - memset(&tmp1, 0, 16); - memcpy(&tmp1, out + (len / 16) * 16, last_len); - ((unsigned char *)(&tmp1))[last_len] = 0x80; - ocb_block16_xor(&ctx->checksum, &tmp1, &ctx->checksum); - } - - ctx->blocks_processed = all_num_blocks; - - return 1; -} - -/* - * Calculate the tag and verify it against the supplied tag - */ -int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, - size_t len) -{ - OCB_BLOCK tmp1, tmp2; - - /* - * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) - */ - ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp1); - ocb_block16_xor(&tmp1, &ctx->l_dollar, &tmp2); - ctx->encrypt(tmp2.c, tmp1.c, ctx->keyenc); - ocb_block16_xor(&tmp1, &ctx->sum, &ctx->tag); - - if (len > 16 || len < 1) { - return -1; - } - - /* Compare the tag if we've been given one */ - if (tag) - return CRYPTO_memcmp(&ctx->tag, tag, len); - else - return -1; -} - -/* - * Retrieve the calculated tag - */ -int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len) -{ - if (len > 16 || len < 1) { - return -1; - } - - /* Calculate the tag */ - CRYPTO_ocb128_finish(ctx, NULL, 0); - - /* Copy the tag into the supplied buffer */ - memcpy(tag, &ctx->tag, len); - - return 1; -} - -/* - * Release all resources - */ -void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx) -{ - if (ctx) { - OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16); - OPENSSL_cleanse(ctx, sizeof(*ctx)); - } -} - -#endif /* OPENSSL_NO_OCB */ 
diff --git a/Cryptlib/OpenSSL/crypto/modes/ofb128.c b/Cryptlib/OpenSSL/crypto/modes/ofb128.c
index 83092564..4dbaccd7 100644
--- a/Cryptlib/OpenSSL/crypto/modes/ofb128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/ofb128.c
@@ -1,16 +1,64 @@ -/* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + /* * The input and output encrypted as though 128bit ofb mode is being used. * The extra state information to record how much of the 128bit block we have @@ -23,6 +71,8 @@ void CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out, unsigned int n; size_t l = 0; + assert(in && out && key && ivec && num); + n = *num; #if !defined(OPENSSL_SMALL_FOOTPRINT) diff --git a/Cryptlib/OpenSSL/crypto/modes/wrap128.c b/Cryptlib/OpenSSL/crypto/modes/wrap128.c index 46809a0e..38497837 100644 --- a/Cryptlib/OpenSSL/crypto/modes/wrap128.c +++ b/Cryptlib/OpenSSL/crypto/modes/wrap128.c 
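Review bot: The added `assert(in && out && key && ivec && num);` in CRYPTO_ofb128_encrypt (ofb128.c) compiles to nothing in ordinary builds, because the block added just above `#include <assert.h>` defines NDEBUG whenever MODES_DEBUG is not set. A null `num` is therefore still dereferenced at `n = *num;` on the following line, so callers must not treat this as input validation. If it is meant only as a debug-time contract, a comment such as `/* debug-only contract check; compiled out unless MODES_DEBUG is defined */` next to the assert would make that explicit. The function body continues outside the hunk.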
@@ -1,50 +1,70 @@ +/* crypto/modes/wrap128.c */ /* - * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. */ - -/** Beware! +/* ==================================================================== + * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. * - * Following wrapping modes were designed for AES but this implementation - * allows you to use them for any 128 bit block cipher. + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== */ -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/modes.h> -/** RFC 3394 section 2.2.3.1 Default Initial Value */ static const unsigned char default_iv[] = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, }; -/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */ -static const unsigned char default_aiv[] = { - 0xA6, 0x59, 0x59, 0xA6 -}; - -/** Input size limit: lower than maximum of standards but far larger than - * anything that will be used in practice. +/* + * Input size limit: lower than maximum of standards but far larger than + * anything that will be used in practice. */ #define CRYPTO128_WRAP_MAX (1UL << 31) -/** Wrapping according to RFC 3394 section 2.2.1. - * - * @param[in] key Key value. - * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv. - * @param[in] in Plaintext as n 64-bit blocks, n >= 2. - * @param[in] inlen Length of in. 
- * @param[out] out Ciphertext. Minimal buffer length = (inlen + 8) bytes. - * Input and output buffers can overlap if block function - * supports that. - * @param[in] block Block processing function. - * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2. - * or if inlen > CRYPTO128_WRAP_MAX. - * Output length if wrapping succeeded. - */ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, unsigned char *out, const unsigned char *in, size_t inlen, @@ -52,7 +72,7 @@ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, { unsigned char *A, B[16], *R; size_t i, j, t; - if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX)) + if ((inlen & 0x7) || (inlen < 8) || (inlen > CRYPTO128_WRAP_MAX)) return 0; A = B; t = 1; @@ -80,26 +100,10 @@ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, return inlen + 8; } -/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2. - * The IV check (step 3) is responsibility of the caller. - * - * @param[in] key Key value. - * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes. - * @param[out] out Plaintext without IV. - * Minimal buffer length = (inlen - 8) bytes. - * Input and output buffers can overlap if block function - * supports that. - * @param[in] in Ciphertext as n 64-bit blocks. - * @param[in] inlen Length of in. - * @param[in] block Block processing function. - * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX] - * or if inlen is not a multiple of 8. - * Output length otherwise. - */ -static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv, - unsigned char *out, - const unsigned char *in, size_t inlen, - block128_f block) +size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv, + unsigned char *out, + const unsigned char *in, size_t inlen, + block128_f block) { unsigned char *A, B[16], *R; size_t i, j, t; 
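Review bot: The length check in CRYPTO_128_wrap now accepts `inlen == 8`, a single 64-bit block, while the documentation removed in the same file states the RFC 3394 contract as n >= 2 blocks. I would keep the stricter bound, `if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))`, so that input shorter than the specified minimum is rejected rather than wrapped. With the doc comments gone the output-buffer requirement is no longer stated anywhere near the function; a short comment such as `/* out must hold inlen + 8 bytes; returns 0 on invalid inlen */` above it would keep that contract visible to callers. The function body continues outside the hunk.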
@@ -124,206 +128,11 @@ static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv, memcpy(R, B + 8, 8); } } - memcpy(iv, A, 8); - return inlen; -} - -/** Unwrapping according to RFC 3394 section 2.2.2, including the IV check. - * The first block of plaintext has to match the supplied IV, otherwise an - * error is returned. - * - * @param[in] key Key value. - * @param[out] iv IV value to match against. Length = 8 bytes. - * NULL = use default_iv. - * @param[out] out Plaintext without IV. - * Minimal buffer length = (inlen - 8) bytes. - * Input and output buffers can overlap if block function - * supports that. - * @param[in] in Ciphertext as n 64-bit blocks. - * @param[in] inlen Length of in. - * @param[in] block Block processing function. - * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX] - * or if inlen is not a multiple of 8 - * or if IV doesn't match expected value. - * Output length otherwise. - */ -size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv, - unsigned char *out, const unsigned char *in, - size_t inlen, block128_f block) -{ - size_t ret; - unsigned char got_iv[8]; - - ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block); - if (ret == 0) - return 0; - if (!iv) iv = default_iv; - if (CRYPTO_memcmp(got_iv, iv, 8)) { - OPENSSL_cleanse(out, ret); - return 0; - } - return ret; -} - -/** Wrapping according to RFC 5649 section 4.1. - * - * @param[in] key Key value. - * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv. - * @param[out] out Ciphertext. Minimal buffer length = (inlen + 15) bytes. - * Input and output buffers can overlap if block function - * supports that. - * @param[in] in Plaintext as n 64-bit blocks, n >= 2. - * @param[in] inlen Length of in. - * @param[in] block Block processing function. - * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX]. - * Output length if wrapping succeeded. 
- */ -size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv, - unsigned char *out, - const unsigned char *in, size_t inlen, - block128_f block) -{ - /* n: number of 64-bit blocks in the padded key data - * - * If length of plain text is not a multiple of 8, pad the plain text octet - * string on the right with octets of zeros, where final length is the - * smallest multiple of 8 that is greater than length of plain text. - * If length of plain text is a multiple of 8, then there is no padding. */ - const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */ - const size_t padded_len = blocks_padded * 8; - const size_t padding_len = padded_len - inlen; - /* RFC 5649 section 3: Alternative Initial Value */ - unsigned char aiv[8]; - int ret; - - /* Section 1: use 32-bit fixed field for plaintext octet length */ - if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX) - return 0; - - /* Section 3: Alternative Initial Value */ - if (!icv) - memcpy(aiv, default_aiv, 4); - else - memcpy(aiv, icv, 4); /* Standard doesn't mention this. */ - - aiv[4] = (inlen >> 24) & 0xFF; - aiv[5] = (inlen >> 16) & 0xFF; - aiv[6] = (inlen >> 8) & 0xFF; - aiv[7] = inlen & 0xFF; - - if (padded_len == 8) { - /* - * Section 4.1 - special case in step 2: If the padded plaintext - * contains exactly eight octets, then prepend the AIV and encrypt - * the resulting 128-bit block using AES in ECB mode. - */ - memmove(out + 8, in, inlen); - memcpy(out, aiv, 8); - memset(out + 8 + inlen, 0, padding_len); - block(out, out, key); - ret = 16; /* AIV + padded input */ - } else { - memmove(out, in, inlen); - memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */ - ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block); - } - - return ret; -} - -/** Unwrapping according to RFC 5649 section 4.2. - * - * @param[in] key Key value. - * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv. - * @param[out] out Plaintext. Minimal buffer length = inlen bytes. 
- * Input and output buffers can overlap if block function - * supports that. - * @param[in] in Ciphertext as n 64-bit blocks. - * @param[in] inlen Length of in. - * @param[in] block Block processing function. - * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX], - * or if inlen is not a multiple of 8 - * or if IV and message length indicator doesn't match. - * Output length if unwrapping succeeded and IV matches. - */ -size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv, - unsigned char *out, - const unsigned char *in, size_t inlen, - block128_f block) -{ - /* n: number of 64-bit blocks in the padded key data */ - size_t n = inlen / 8 - 1; - size_t padded_len; - size_t padding_len; - size_t ptext_len; - /* RFC 5649 section 3: Alternative Initial Value */ - unsigned char aiv[8]; - static unsigned char zeros[8] = { 0x0 }; - size_t ret; - - /* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */ - if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX) - return 0; - - memmove(out, in, inlen); - if (inlen == 16) { - /* - * Section 4.2 - special case in step 1: When n=1, the ciphertext - * contains exactly two 64-bit blocks and they are decrypted as a - * single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] | - * C[1]) - */ - block(out, out, key); - memcpy(aiv, out, 8); - /* Remove AIV */ - memmove(out, out + 8, 8); - padded_len = 8; - } else { - padded_len = inlen - 8; - ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block); - if (padded_len != ret) { - OPENSSL_cleanse(out, inlen); - return 0; - } - } - - /* - * Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a - * user-supplied value can be used (even if standard doesn't mention - * this). - */ - if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4)) - || (icv && CRYPTO_memcmp(aiv, icv, 4))) { - OPENSSL_cleanse(out, inlen); - return 0; - } - - /* - * Check that 8*(n-1) < LSB(32,AIV) <= 8*n. If so, let ptext_len = - * LSB(32,AIV). 
- */ - - ptext_len = ((unsigned int)aiv[4] << 24) - | ((unsigned int)aiv[5] << 16) - | ((unsigned int)aiv[6] << 8) - | (unsigned int)aiv[7]; - if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) { - OPENSSL_cleanse(out, inlen); - return 0; - } - - /* - * Check that the rightmost padding_len octets of the output data are - * zero. - */ - padding_len = padded_len - ptext_len; - if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) { + if (memcmp(A, iv, 8)) { OPENSSL_cleanse(out, inlen); return 0; } - - /* Section 4.2 step 3: Remove padding */ - return ptext_len; + return inlen; } diff --git a/Cryptlib/OpenSSL/crypto/modes/xts128.c b/Cryptlib/OpenSSL/crypto/modes/xts128.c index 81b1eacd..8f2af588 100644 --- a/Cryptlib/OpenSSL/crypto/modes/xts128.c +++ b/Cryptlib/OpenSSL/crypto/modes/xts128.c 
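Review bot: The IV check at the end of CRYPTO_128_unwrap now reads `if (memcmp(A, iv, 8)) {`, where the code being removed did the same comparison with `CRYPTO_memcmp`. memcmp may return at the first differing byte, so its running time can depend on how much of the recovered integrity value matches, and this comparison is the only authenticity check that key unwrap performs. I would keep the constant-time form, `if (CRYPTO_memcmp(A, iv, 8)) {`, assuming CRYPTO_memcmp is available in the OpenSSL branch being imported. The start of the function is outside this hunk.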
@@ -1,16 +1,63 @@ -/* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== */ #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16], const unsigned char *inp, unsigned char *out, |