diff options
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/modes/gcm128.c')
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/modes/gcm128.c | 269 |
1 files changed, 169 insertions, 100 deletions
diff --git a/Cryptlib/OpenSSL/crypto/modes/gcm128.c b/Cryptlib/OpenSSL/crypto/modes/gcm128.c index df9f6547..e299131c 100644 --- a/Cryptlib/OpenSSL/crypto/modes/gcm128.c +++ b/Cryptlib/OpenSSL/crypto/modes/gcm128.c @@ -1,16 +1,65 @@ -/* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +/* ==================================================================== + * Copyright (c) 2010 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== */ +#define OPENSSL_FIPSAPI + #include <openssl/crypto.h> #include "modes_lcl.h" #include <string.h> +#ifndef MODES_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include <assert.h> + #if defined(BSWAP4) && defined(STRICT_ALIGNMENT) /* redefine, because alignment is ensured */ # undef GETU32 @@ -101,7 +150,9 @@ static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; static const size_t rem_8bit[256] = { PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246), PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E), @@ -270,7 +321,9 @@ static void gcm_init_4bit(u128 Htable[16], u64 H[2]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; if (is_endian.little) for (j = 0; j < 16; ++j) { @@ -303,7 +356,9 @@ static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; nlo = ((const u8 *)Xi)[15]; nhi = nlo >> 4; @@ -382,7 +437,9 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; # if 1 do { @@ -572,7 +629,9 @@ static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2]) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; V.hi = H[0]; /* H is in host byte order, no byte swapping */ V.lo = H[1]; @@ -715,7 +774,9 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; memset(ctx, 0, sizeof(*ctx)); ctx->block = block; @@ -740,11 +801,6 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) #if TABLE_BITS==8 gcm_init_8bit(ctx->Htable, ctx->H.u); #elif TABLE_BITS==4 -# if defined(GHASH) -# define CTX__GHASH(f) (ctx->ghash = (f)) -# else -# define CTX__GHASH(f) (ctx->ghash = NULL) -# endif # if defined(GHASH_ASM_X86_OR_64) # if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2) if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */ @@ -752,11 +808,11 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ gcm_init_avx(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_avx; - CTX__GHASH(gcm_ghash_avx); + ctx->ghash = gcm_ghash_avx; } else { gcm_init_clmul(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_clmul; - CTX__GHASH(gcm_ghash_clmul); + ctx->ghash = gcm_ghash_clmul; } return; } @@ -769,59 +825,66 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */ # endif ctx->gmult = gcm_gmult_4bit_mmx; - CTX__GHASH(gcm_ghash_4bit_mmx); + ctx->ghash = gcm_ghash_4bit_mmx; } else { ctx->gmult = gcm_gmult_4bit_x86; - CTX__GHASH(gcm_ghash_4bit_x86); + ctx->ghash = gcm_ghash_4bit_x86; } # else ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_4bit; # endif # elif defined(GHASH_ASM_ARM) # ifdef PMULL_CAPABLE if (PMULL_CAPABLE) { gcm_init_v8(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_v8; - CTX__GHASH(gcm_ghash_v8); + ctx->ghash = gcm_ghash_v8; } else # endif # ifdef NEON_CAPABLE if (NEON_CAPABLE) { gcm_init_neon(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_neon; - CTX__GHASH(gcm_ghash_neon); + ctx->ghash = gcm_ghash_neon; } else # endif { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); +# if defined(GHASH) + ctx->ghash = gcm_ghash_4bit; +# else + ctx->ghash = NULL; +# endif } # elif defined(GHASH_ASM_SPARC) if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) { gcm_init_vis3(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_vis3; - CTX__GHASH(gcm_ghash_vis3); + ctx->ghash = gcm_ghash_vis3; } else { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_4bit; } # elif defined(GHASH_ASM_PPC) if (OPENSSL_ppccap_P & PPC_CRYPTO207) { gcm_init_p8(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_p8; - CTX__GHASH(gcm_ghash_p8); + ctx->ghash = gcm_ghash_p8; } else { gcm_init_4bit(ctx->Htable, ctx->H.u); ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); +# if defined(GHASH) + ctx->ghash = gcm_ghash_4bit; +# else + ctx->ghash = NULL; +# endif } # else gcm_init_4bit(ctx->Htable, ctx->H.u); # endif -# undef CTX__GHASH #endif } @@ -831,7 +894,9 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int ctr; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; @@ -975,7 +1040,9 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; @@ -983,12 +1050,15 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, void *key = ctx->key; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; # endif #endif +#if 0 + n = (unsigned int)mlen % 16; /* alternative to ctx->mres */ +#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) return -1; @@ -1030,8 +1100,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, if (((size_t)in | (size_t)out) % sizeof(size_t) != 0) break; # endif -# if defined(GHASH) -# if defined(GHASH_CHUNK) +# if defined(GHASH) && defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { size_t j = GHASH_CHUNK; @@ -1042,11 +1111,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) @@ -1058,7 +1127,6 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK); len -= GHASH_CHUNK; } -# endif if ((i = (len & (size_t)-16))) { size_t j = i; @@ -1159,7 +1227,9 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; @@ -1167,7 +1237,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, void *key = ctx->key; #ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; # endif @@ -1216,8 +1286,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, if (((size_t)in | (size_t)out) % sizeof(size_t) != 0) break; # endif -# if defined(GHASH) -# if defined(GHASH_CHUNK) +# if defined(GHASH) && defined(GHASH_CHUNK) while (len >= GHASH_CHUNK) { size_t j = GHASH_CHUNK; @@ -1229,11 +1298,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; for (i = 0; i < 16 / sizeof(size_t); ++i) @@ -1244,7 +1313,6 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, } len -= GHASH_CHUNK; } -# endif if ((i = (len & (size_t)-16))) { GHASH(ctx, in, i); while (len >= 16) { @@ -1348,24 +1416,23 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in, unsigned char *out, size_t len, ctr128_f stream) { -#if defined(OPENSSL_SMALL_FOOTPRINT) - return CRYPTO_gcm128_encrypt(ctx, in, out, len); -#else const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -# ifdef GCM_FUNCREF_4BIT +#ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; -# endif # endif +#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1379,11 +1446,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctr = BSWAP4(ctx->Yi.d[3]); -# else +#else ctr = GETU32(ctx->Yi.c + 12); -# endif +#endif else ctr = ctx->Yi.d[3]; @@ -1401,16 +1468,16 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, return 0; } } -# if defined(GHASH) && defined(GHASH_CHUNK) +#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) while (len >= GHASH_CHUNK) { (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c); ctr += GHASH_CHUNK / 16; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; GHASH(ctx, out, GHASH_CHUNK); @@ -1418,43 +1485,43 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, in += GHASH_CHUNK; len -= GHASH_CHUNK; } -# endif +#endif if ((i = (len & (size_t)-16))) { size_t j = i / 16; (*stream) (in, out, j, key, ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; in += i; len -= i; -# if defined(GHASH) +#if defined(GHASH) GHASH(ctx, out, i); out += i; -# else +#else while (j--) { for (i = 0; i < 16; ++i) ctx->Xi.c[i] ^= out[i]; GCM_MUL(ctx, Xi); out += 16; } -# endif +#endif } if (len) { (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1465,31 +1532,29 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, ctx->mres = n; return 0; -#endif } int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in, unsigned char *out, size_t len, ctr128_f stream) { -#if defined(OPENSSL_SMALL_FOOTPRINT) - return CRYPTO_gcm128_decrypt(ctx, in, out, len); -#else const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; unsigned int n, ctr; size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -# ifdef GCM_FUNCREF_4BIT +#ifdef GCM_FUNCREF_4BIT void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH +# ifdef GHASH void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len) = ctx->ghash; -# endif # endif +#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1503,11 +1568,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctr = BSWAP4(ctx->Yi.d[3]); -# else +#else ctr = GETU32(ctx->Yi.c + 12); -# endif +#endif else ctr = ctx->Yi.d[3]; @@ -1527,30 +1592,30 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, return 0; } } -# if defined(GHASH) && defined(GHASH_CHUNK) +#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) while (len >= GHASH_CHUNK) { GHASH(ctx, in, GHASH_CHUNK); (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c); ctr += GHASH_CHUNK / 16; if (is_endian.little) -# ifdef BSWAP4 +# ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +# else PUTU32(ctx->Yi.c + 12, ctr); -# endif +# endif else ctx->Yi.d[3] = ctr; out += GHASH_CHUNK; in += GHASH_CHUNK; len -= GHASH_CHUNK; } -# endif +#endif if ((i = (len & (size_t)-16))) { size_t j = i / 16; -# if defined(GHASH) +#if defined(GHASH) GHASH(ctx, in, i); -# else +#else while (j--) { size_t k; for (k = 0; k < 16; ++k) @@ -1560,15 +1625,15 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } j = i / 16; in -= i; -# endif +#endif (*stream) (in, out, j, key, ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; out += i; @@ -1579,11 +1644,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key); ++ctr; if (is_endian.little) -# ifdef BSWAP4 +#ifdef BSWAP4 ctx->Yi.d[3] = BSWAP4(ctr); -# else +#else PUTU32(ctx->Yi.c + 12, ctr); -# endif +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1596,7 +1661,6 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, ctx->mres = n; return 0; -#endif } int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, @@ -1605,7 +1669,9 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, const union { long one; char little; - } is_endian = { 1 }; + } is_endian = { + 1 + }; u64 alen = ctx->len.u[0] << 3; u64 clen = ctx->len.u[1] << 3; #ifdef GCM_FUNCREF_4BIT @@ -1654,7 +1720,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) { GCM128_CONTEXT *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) != NULL) + if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT)))) CRYPTO_gcm128_init(ret, key, block); return ret; @@ -1662,7 +1728,10 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx) { - OPENSSL_clear_free(ctx, sizeof(*ctx)); + if (ctx) { + OPENSSL_cleanse(ctx, sizeof(*ctx)); + OPENSSL_free(ctx); + } } #if defined(SELFTEST) |