• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ====================================================================
2  * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ==================================================================== */
48 
49 #ifndef OPENSSL_HEADER_MODES_INTERNAL_H
50 #define OPENSSL_HEADER_MODES_INTERNAL_H
51 
52 #include <openssl/base.h>
53 
54 #if defined(__cplusplus)
55 extern "C" {
56 #endif
57 
58 
59 #define asm __asm__
60 
61 #define STRICT_ALIGNMENT 1
62 #if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) || defined(OPENSSL_AARCH64)
63 #undef STRICT_ALIGNMENT
64 #define STRICT_ALIGNMENT 0
65 #endif
66 
67 #if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM)
68 #if defined(__GNUC__) && __GNUC__ >= 2
69 #if defined(OPENSSL_X86_64)
70 #define BSWAP8(x)                 \
71   ({                              \
72     uint64_t ret = (x);           \
73     asm("bswapq %0" : "+r"(ret)); \
74     ret;                          \
75   })
76 #define BSWAP4(x)                 \
77   ({                              \
78     uint32_t ret = (x);           \
79     asm("bswapl %0" : "+r"(ret)); \
80     ret;                          \
81   })
82 #elif defined(OPENSSL_X86)
83 #define BSWAP8(x)                                     \
84   ({                                                  \
85     uint32_t lo = (uint64_t)(x) >> 32, hi = (x);      \
86     asm("bswapl %0; bswapl %1" : "+r"(hi), "+r"(lo)); \
87     (uint64_t) hi << 32 | lo;                         \
88   })
89 #define BSWAP4(x)                 \
90   ({                              \
91     uint32_t ret = (x);           \
92     asm("bswapl %0" : "+r"(ret)); \
93     ret;                          \
94   })
95 #elif defined(OPENSSL_AARCH64)
96 #define BSWAP8(x)                          \
97   ({                                       \
98     uint64_t ret;                          \
99     asm("rev %0,%1" : "=r"(ret) : "r"(x)); \
100     ret;                                   \
101   })
102 #define BSWAP4(x)                            \
103   ({                                         \
104     uint32_t ret;                            \
105     asm("rev %w0,%w1" : "=r"(ret) : "r"(x)); \
106     ret;                                     \
107   })
108 #elif defined(OPENSSL_ARM) && !defined(STRICT_ALIGNMENT)
109 #define BSWAP8(x)                                     \
110   ({                                                  \
111     uint32_t lo = (uint64_t)(x) >> 32, hi = (x);      \
112     asm("rev %0,%0; rev %1,%1" : "+r"(hi), "+r"(lo)); \
113     (uint64_t) hi << 32 | lo;                         \
114   })
115 #define BSWAP4(x)                                      \
116   ({                                                   \
117     uint32_t ret;                                      \
118     asm("rev %0,%1" : "=r"(ret) : "r"((uint32_t)(x))); \
119     ret;                                               \
120   })
121 #endif
122 #elif defined(_MSC_VER)
123 #if _MSC_VER >= 1300
124 #pragma warning(push, 3)
125 #include <intrin.h>
126 #pragma warning(pop)
127 #pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
128 #define BSWAP8(x) _byteswap_uint64((uint64_t)(x))
129 #define BSWAP4(x) _byteswap_ulong((uint32_t)(x))
130 #elif defined(OPENSSL_X86)
131 __inline uint32_t _bswap4(uint32_t val) {
132   _asm mov eax, val
133   _asm bswap eax
134 }
135 #define BSWAP4(x) _bswap4(x)
136 #endif
137 #endif
138 #endif
139 
140 #if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
141 #define GETU32(p) BSWAP4(*(const uint32_t *)(p))
142 #define PUTU32(p, v) *(uint32_t *)(p) = BSWAP4(v)
143 #else
144 #define GETU32(p) \
145   ((uint32_t)(p)[0] << 24 | (uint32_t)(p)[1] << 16 | (uint32_t)(p)[2] << 8 | (uint32_t)(p)[3])
146 #define PUTU32(p, v)                                   \
147   ((p)[0] = (uint8_t)((v) >> 24), (p)[1] = (uint8_t)((v) >> 16), \
148    (p)[2] = (uint8_t)((v) >> 8), (p)[3] = (uint8_t)(v))
149 #endif
150 
151 
152 /* block128_f is the type of a 128-bit, block cipher. */
153 typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],
154                            const void *key);
155 
156 /* GCM definitions */
157 typedef struct { uint64_t hi,lo; } u128;
158 
159 /* This differs from upstream's |gcm128_context| in that it does not have the
160  * |key| pointer, in order to make it |memcpy|-friendly. Rather the key is
161  * passed into each call that needs it. */
162 struct gcm128_context {
163   /* Following 6 names follow names in GCM specification */
164   union {
165     uint64_t u[2];
166     uint32_t d[4];
167     uint8_t c[16];
168     size_t t[16 / sizeof(size_t)];
169   } Yi, EKi, EK0, len, Xi, H;
170 
171   /* Relative position of Xi, H and pre-computed Htable is used in some
172    * assembler modules, i.e. don't change the order! */
173   u128 Htable[16];
174   void (*gmult)(uint64_t Xi[2], const u128 Htable[16]);
175   void (*ghash)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
176                 size_t len);
177 
178   unsigned int mres, ares;
179   block128_f block;
180 };
181 
182 struct ccm128_context {
183   union {
184     uint64_t u[2];
185     uint8_t c[16];
186   } nonce, cmac;
187   uint64_t blocks;
188   block128_f block;
189   void *key;
190 };
191 
192 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
193 /* crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is
194  * used. */
195 int crypto_gcm_clmul_enabled(void);
196 #endif
197 
198 
199 /* CTR. */
200 
201 /* ctr128_f is the type of a function that performs CTR-mode encryption. */
202 typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks,
203                          const void *key, const uint8_t ivec[16]);
204 
205 /* CRYPTO_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode)
206  * |len| bytes from |in| to |out| using |block| in counter mode. There's no
207  * requirement that |len| be a multiple of any value and any partial blocks are
208  * stored in |ecount_buf| and |*num|, which must be zeroed before the initial
209  * call. The counter is a 128-bit, big-endian value in |ivec| and is
210  * incremented by this function. */
211 void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
212                            const void *key, uint8_t ivec[16],
213                            uint8_t ecount_buf[16], unsigned int *num,
214                            block128_f block);
215 
216 /* CRYPTO_ctr128_encrypt_ctr32 acts like |CRYPTO_ctr128_encrypt| but takes
217  * |ctr|, a function that performs CTR mode but only deals with the lower 32
218  * bits of the counter. This is useful when |ctr| can be an optimised
219  * function. */
220 void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
221                                  const void *key, uint8_t ivec[16],
222                                  uint8_t ecount_buf[16], unsigned int *num,
223                                  ctr128_f ctr);
224 
225 
226 /* GCM.
227  *
228  * This API differs from the upstream API slightly. The |GCM128_CONTEXT| does
229  * not have a |key| pointer that points to the key as upstream's version does.
230  * Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|
231  * can be safely copied. */
232 
233 typedef struct gcm128_context GCM128_CONTEXT;
234 
235 /* CRYPTO_gcm128_new allocates a fresh |GCM128_CONTEXT| and calls
236  * |CRYPTO_gcm128_init|. It returns the new context, or NULL on error. */
237 OPENSSL_EXPORT GCM128_CONTEXT *CRYPTO_gcm128_new(const void *key,
238                                                  block128_f block);
239 
240 /* CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
241  * the given key. */
242 OPENSSL_EXPORT void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key,
243                                        block128_f block);
244 
245 /* CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the
246  * same key that was passed to |CRYPTO_gcm128_init|. */
247 OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
248                                         const uint8_t *iv, size_t iv_len);
249 
250 /* CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM.
251  * This must be called before and data is encrypted. It returns one on success
252  * and zero otherwise. */
253 OPENSSL_EXPORT int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad,
254                                      size_t len);
255 
256 /* CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key|
257  * must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
258  * on success and zero otherwise. */
259 OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
260                                          const uint8_t *in, uint8_t *out,
261                                          size_t len);
262 
263 /* CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key|
264  * must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
265  * on success and zero otherwise. */
266 OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
267                                          const uint8_t *in, uint8_t *out,
268                                          size_t len);
269 
270 /* CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using
271  * a CTR function that only handles the bottom 32 bits of the nonce, like
272  * |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
273  * passed to |CRYPTO_gcm128_init|. It returns one on success and zero
274  * otherwise. */
275 OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
276                                                const void *key,
277                                                const uint8_t *in, uint8_t *out,
278                                                size_t len, ctr128_f stream);
279 
280 /* CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using
281  * a CTR function that only handles the bottom 32 bits of the nonce, like
282  * |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
283  * passed to |CRYPTO_gcm128_init|. It returns one on success and zero
284  * otherwise. */
285 OPENSSL_EXPORT int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
286                                                const void *key,
287                                                const uint8_t *in, uint8_t *out,
288                                                size_t len, ctr128_f stream);
289 
290 /* CRYPTO_gcm128_finish calculates the authenticator and compares it against
291  * |len| bytes of |tag|. It returns one on success and zero otherwise. */
292 OPENSSL_EXPORT int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag,
293                                         size_t len);
294 
295 /* CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.
296  * The minimum of |len| and 16 bytes are copied into |tag|. */
297 OPENSSL_EXPORT void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
298                                       size_t len);
299 
300 /* CRYPTO_gcm128_release clears and frees |ctx|. */
301 OPENSSL_EXPORT void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx);
302 
303 
304 /* CBC. */
305 
306 /* cbc128_f is the type of a function that performs CBC-mode encryption. */
307 typedef void (*cbc128_f)(const uint8_t *in, uint8_t *out, size_t len,
308                          const void *key, uint8_t ivec[16], int enc);
309 
310 /* CRYPTO_cbc128_encrypt encrypts |len| bytes from |in| to |out| using the
311  * given IV and block cipher in CBC mode. The input need not be a multiple of
312  * 128 bits long, but the output will round up to the nearest 128 bit multiple,
313  * zero padding the input if needed. The IV will be updated on return. */
314 void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
315                            const void *key, uint8_t ivec[16], block128_f block);
316 
317 /* CRYPTO_cbc128_decrypt decrypts |len| bytes from |in| to |out| using the
318  * given IV and block cipher in CBC mode. If |len| is not a multiple of 128
319  * bits then only that many bytes will be written, but a multiple of 128 bits
320  * is always read from |in|. The IV will be updated on return. */
321 void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,
322                            const void *key, uint8_t ivec[16], block128_f block);
323 
324 
325 /* OFB. */
326 
327 /* CRYPTO_ofb128_encrypt encrypts (or decrypts, it's the same with OFB mode)
328  * |len| bytes from |in| to |out| using |block| in OFB mode. There's no
329  * requirement that |len| be a multiple of any value and any partial blocks are
330  * stored in |ivec| and |*num|, the latter must be zero before the initial
331  * call. */
332 void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out,
333                            size_t len, const void *key, uint8_t ivec[16],
334                            int *num, block128_f block);
335 
336 
337 /* CFB. */
338 
339 /* CRYPTO_cfb128_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
340  * from |in| to |out| using |block| in CFB mode. There's no requirement that
341  * |len| be a multiple of any value and any partial blocks are stored in |ivec|
342  * and |*num|, the latter must be zero before the initial call. */
343 void CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
344                            const void *key, uint8_t ivec[16], int *num, int enc,
345                            block128_f block);
346 
347 /* CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
348  * from |in| to |out| using |block| in CFB-8 mode. Prior to the first call
349  * |num| should be set to zero. */
350 void CRYPTO_cfb128_8_encrypt(const uint8_t *in, uint8_t *out, size_t len,
351                              const void *key, uint8_t ivec[16], int *num,
352                              int enc, block128_f block);
353 
354 /* CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
355  * from |in| to |out| using |block| in CFB-1 mode. Prior to the first call
356  * |num| should be set to zero. */
357 void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits,
358                              const void *key, uint8_t ivec[16], int *num,
359                              int enc, block128_f block);
360 
361 size_t CRYPTO_cts128_encrypt_block(const uint8_t *in, uint8_t *out, size_t len,
362                                    const void *key, uint8_t ivec[16],
363                                    block128_f block);
364 
365 
366 #if defined(__cplusplus)
367 } /* extern C */
368 #endif
369 
370 #endif /* OPENSSL_HEADER_MODES_INTERNAL_H */
371