diff options
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/modes/gcm128.c')
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/gcm128.c | 269 |
1 files changed, 100 insertions, 169 deletions
diff --git a/Cryptlib/OpenSSL/crypto/modes/gcm128.c b/Cryptlib/OpenSSL/crypto/modes/gcm128.c index e299131c..df9f6547 100644 --- a/Cryptlib/OpenSSL/crypto/modes/gcm128.c +++ b/Cryptlib/OpenSSL/crypto/modes/gcm128.c @@ -1,65 +1,16 @@ -/* ==================================================================== - * Copyright (c) 2010 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" +/* + * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ -#define OPENSSL_FIPSAPI - #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - #if defined(BSWAP4) && defined(STRICT_ALIGNMENT) /* redefine, because alignment is ensured */ # undef GETU32 @@ -150,9 +101,7 @@ static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256]) const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; static const size_t rem_8bit[256] = { PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246), PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E), @@ -321,9 +270,7 @@ static void gcm_init_4bit(u128 Htable[16], u64 H[2]) const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; if (is_endian.little) for (j = 0; j < 16; ++j) { @@ -356,9 +303,7 @@ static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]) const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; nlo = ((const u8 *)Xi)[15]; nhi = nlo >> 4; @@ -437,9 +382,7 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; # if 1 do { @@ -629,9 +572,7 @@ static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2]) const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; V.hi = H[0]; /* H is in host byte order, no byte swapping */ V.lo = H[1]; @@ -774,9 +715,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; memset(ctx, 0, sizeof(*ctx)); ctx->block = block; @@ -801,6 +740,11 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) #if TABLE_BITS==8 gcm_init_8bit(ctx->Htable, ctx->H.u); #elif TABLE_BITS==4 +# if defined(GHASH) +# define CTX__GHASH(f) (ctx->ghash = (f)) +# else +# define CTX__GHASH(f) (ctx->ghash = NULL) +# endif # if defined(GHASH_ASM_X86_OR_64) # if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2) if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */ @@ -808,11 +752,11 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ gcm_init_avx(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_avx; - ctx->ghash = gcm_ghash_avx; + CTX__GHASH(gcm_ghash_avx); } else { gcm_init_clmul(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_clmul; - ctx->ghash = gcm_ghash_clmul; + CTX__GHASH(gcm_ghash_clmul); } return; } @@ -825,66 +769,59 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */ # endif ctx->gmult = gcm_gmult_4bit_mmx; - ctx->ghash = gcm_ghash_4bit_mmx; + CTX__GHASH(gcm_ghash_4bit_mmx); } else { ctx->gmult = gcm_gmult_4bit_x86; - ctx->ghash = gcm_ghash_4bit_x86; + CTX__GHASH(gcm_ghash_4bit_x86); } # else ctx->gmult = gcm_gmult_4bit; - ctx->ghash = gcm_ghash_4bit; + CTX__GHASH(gcm_ghash_4bit); # endif # elif defined(GHASH_ASM_ARM) # ifdef PMULL_CAPABLE if (PMULL_CAPABLE) { gcm_init_v8(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_v8; - ctx->ghash = gcm_ghash_v8; + CTX__GHASH(gcm_ghash_v8); } else # endif # ifdef NEON_CAPABLE if (NEON_CAPABLE) { gcm_init_neon(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_neon; - ctx->ghash = gcm_ghash_neon; + CTX__GHASH(gcm_ghash_neon); } else # endif { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; -# if defined(GHASH) - ctx->ghash = gcm_ghash_4bit; -# else - ctx->ghash = NULL; -# endif + CTX__GHASH(gcm_ghash_4bit); } # elif defined(GHASH_ASM_SPARC) if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) { gcm_init_vis3(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_vis3; - ctx->ghash = gcm_ghash_vis3; + CTX__GHASH(gcm_ghash_vis3); } else { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - ctx->ghash = gcm_ghash_4bit; + CTX__GHASH(gcm_ghash_4bit); } # elif defined(GHASH_ASM_PPC) if (OPENSSL_ppccap_P & PPC_CRYPTO207) { gcm_init_p8(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_p8; - ctx->ghash = gcm_ghash_p8; + CTX__GHASH(gcm_ghash_p8); } else { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; -# if defined(GHASH) - ctx->ghash = gcm_ghash_4bit; -# else - ctx->ghash = NULL; -# endif + CTX__GHASH(gcm_ghash_4bit); } # else gcm_init_4bit(ctx->Htable, ctx->H.u); # endif +# undef CTX__GHASH #endif } @@ -894,9 +831,7 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; unsigned int ctr; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; @@ -1040,9 +975,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; @@ -1050,15 +983,12 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, void *key = ctx->key; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; # endif #endif -#if 0 - n = (unsigned int)mlen % 16; /* alternative to ctx->mres */ -#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) return -1; @@ -1100,7 +1030,8 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, if (((size_t)in | (size_t)out) % sizeof(size_t) != 0) break; # endif -# if defined(GHASH) && defined(GHASH_CHUNK) +# if defined(GHASH) +# if defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { size_t j = GHASH_CHUNK; @@ -1111,11 +1042,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) @@ -1127,6 +1058,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK); len -= GHASH_CHUNK; } +# endif if ((i = (len & (size_t)-16))) { size_t j = i; @@ -1227,9 +1159,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; @@ -1237,7 +1167,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, void *key = ctx->key; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; # endif @@ -1286,7 +1216,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, if (((size_t)in | (size_t)out) % sizeof(size_t) != 0) break; # endif -# if defined(GHASH) && defined(GHASH_CHUNK) +# if defined(GHASH) +# if defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { size_t j = GHASH_CHUNK; @@ -1298,11 +1229,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) @@ -1313,6 +1244,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, } len -= GHASH_CHUNK; } +# endif if ((i = (len & (size_t)-16))) { GHASH(ctx, in, i); while (len >= 16) { @@ -1416,23 +1348,24 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in, unsigned char *out, size_t len, ctr128_f stream) { +#if defined(OPENSSL_SMALL_FOOTPRINT) + return CRYPTO_gcm128_encrypt(ctx, in, out, len); +#else const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -#ifdef GCM_FUNCREF_4BIT +# ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; +# endif # endif -#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1446,11 +1379,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) -#ifdef BSWAP4 +# ifdef BSWAP4 ctr = BSWAP4(ctx->Yi.d[3]); -#else +# else ctr = GETU32(ctx->Yi.c + 12); -#endif +# endif else ctr = ctx->Yi.d[3]; @@ -1468,16 +1401,16 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, return 0; } } -#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) +# if defined(GHASH) && defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c); ctr += GHASH_CHUNK / 16; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; GHASH(ctx, out, GHASH_CHUNK); @@ -1485,43 +1418,43 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, in += GHASH_CHUNK; len -= GHASH_CHUNK; } -#endif +# endif if ((i = (len & (size_t)-16))) { size_t j = i / 16; (*stream) (in, out, j, key, ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) -#ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -#else +# else PUTU32(ctx->Yi.c + 12, ctr); -#endif +# endif else ctx->Yi.d[3] = ctr; in += i; len -= i; -#if defined(GHASH) +# if defined(GHASH) GHASH(ctx, out, i); out += i; -#else +# else while (j--) { for (i = 0; i < 16; ++i) ctx->Xi.c[i] ^= out[i]; GCM_MUL(ctx, Xi); out += 16; } -#endif +# endif } if (len) { (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -#ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -#else +# else PUTU32(ctx->Yi.c + 12, ctr); -#endif +# endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1532,29 +1465,31 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, ctx->mres = n; return 0; +#endif } int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in, unsigned char *out, size_t len, ctr128_f stream) { +#if defined(OPENSSL_SMALL_FOOTPRINT) + return CRYPTO_gcm128_decrypt(ctx, in, out, len); +#else const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -#ifdef GCM_FUNCREF_4BIT +# ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; +# endif # endif -#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1568,11 +1503,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) -#ifdef BSWAP4 +# ifdef BSWAP4 ctr = BSWAP4(ctx->Yi.d[3]); -#else +# else ctr = GETU32(ctx->Yi.c + 12); -#endif +# endif else ctr = ctx->Yi.d[3]; @@ -1592,30 +1527,30 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, return 0; } } -#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) +# if defined(GHASH) && defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { GHASH(ctx, in, GHASH_CHUNK); (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c); ctr += GHASH_CHUNK / 16; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; out += GHASH_CHUNK; in += GHASH_CHUNK; len -= GHASH_CHUNK; } -#endif +# endif if ((i = (len & (size_t)-16))) { size_t j = i / 16; -#if defined(GHASH) +# if defined(GHASH) GHASH(ctx, in, i); -#else +# else while (j--) { size_t k; for (k = 0; k < 16; ++k) @@ -1625,15 +1560,15 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } j = i / 16; in -= i; -#endif +# endif (*stream) (in, out, j, key, ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) -#ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -#else +# else PUTU32(ctx->Yi.c + 12, ctr); -#endif +# endif else ctx->Yi.d[3] = ctr; out += i; @@ -1644,11 +1579,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -#ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -#else +# else PUTU32(ctx->Yi.c + 12, ctr); -#endif +# endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1661,6 +1596,7 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, ctx->mres = n; return 0; +#endif } int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, @@ -1669,9 +1605,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, const union { long one; char little; - } is_endian = { - 1 - }; + } is_endian = { 1 }; u64 alen = ctx->len.u[0] << 3; u64 clen = ctx->len.u[1] << 3; #ifdef GCM_FUNCREF_4BIT @@ -1720,7 +1654,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) { GCM128_CONTEXT *ret; - if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT)))) + if ((ret = OPENSSL_malloc(sizeof(*ret))) != NULL) CRYPTO_gcm128_init(ret, key, block); return ret; @@ -1728,10 +1662,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx) { - if (ctx) { - OPENSSL_cleanse(ctx, sizeof(*ctx)); - OPENSSL_free(ctx); - } + OPENSSL_clear_free(ctx, sizeof(*ctx)); } #if defined(SELFTEST) |