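/*
 * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Internal definitions shared by the 128-bit block-cipher mode code:
 * fixed-width integer aliases, byte-swap and big-endian load/store helpers,
 * and the context structures for GCM, XTS, CCM, OCB and SIV.
 *
 * The listing's fused line numbers have been removed and the one-directive-
 * per-line layout restored; preprocessor directives and backslash
 * continuations only work when each starts/ends its own line.
 */

/* This header can move into provider when legacy support is removed */
#include <openssl/modes.h>

/* Select a 64-bit integer type and the matching literal suffix. */
#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
typedef __int64 i64;
typedef unsigned __int64 u64;
# define U64(C) C##UI64
#elif defined(__arch64__)
typedef long i64;
typedef unsigned long u64;
# define U64(C) C##UL
#else
typedef long long i64;
typedef unsigned long long u64;
# define U64(C) C##ULL
#endif

typedef unsigned int u32;
typedef unsigned char u8;

/*
 * STRICT_ALIGNMENT stays defined unless the target is one of the
 * architectures listed below.  When it is undefined, GETU32/PUTU32 (further
 * down) and ocb_block16_xor_misaligned access memory through pointers that
 * may not be naturally aligned.  Building with PEDANTIC keeps it defined on
 * every target.
 */
#define STRICT_ALIGNMENT 1
#ifndef PEDANTIC
# if defined(__i386) || defined(__i386__) || \
     defined(__x86_64) || defined(__x86_64__) || \
     defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
     defined(__aarch64__) || \
     defined(__s390__) || defined(__s390x__)
#  undef STRICT_ALIGNMENT
# endif
#endif

/*
 * BSWAP8(x) / BSWAP4(x) reverse the byte order of a 64-bit / 32-bit value.
 * They exist only for the compiler/architecture combinations below and are
 * never defined under PEDANTIC, OPENSSL_NO_ASM or OPENSSL_NO_INLINE_ASM, so
 * users must guard with #ifdef.  The GNU C variants are statement
 * expressions, a compiler extension.
 */
#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__GNUC__) && __GNUC__>=2
#  if defined(__x86_64) || defined(__x86_64__)
#   define BSWAP8(x) ({ u64 ret_=(x); \
                        asm ("bswapq %0" \
                        : "+r"(ret_)); ret_; })
#   define BSWAP4(x) ({ u32 ret_=(x); \
                        asm ("bswapl %0" \
                        : "+r"(ret_)); ret_; })
#  elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
/* 32-bit x86: swap each half and exchange the halves. */
#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
                        asm ("bswapl %0; bswapl %1" \
                        : "+r"(hi_),"+r"(lo_)); \
                        (u64)hi_<<32|lo_; })
#   define BSWAP4(x) ({ u32 ret_=(x); \
                        asm ("bswapl %0" \
                        : "+r"(ret_)); ret_; })
#  elif defined(__aarch64__)
/* Only defined for little-endian AArch64; big-endian gets no BSWAP macros. */
#   if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
       __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
#    define BSWAP8(x) ({ u64 ret_; \
                         asm ("rev %0,%1" \
                         : "=r"(ret_) : "r"(x)); ret_; })
#    define BSWAP4(x) ({ u32 ret_; \
                         asm ("rev %w0,%w1" \
                         : "=r"(ret_) : "r"(x)); ret_; })
#   endif
/*
 * NOTE(review): STRICT_ALIGNMENT is defined unconditionally above and is only
 * undefined for x86, AArch64 and s390, so as this header is written the
 * 32-bit ARM branch below does not appear to be selectable.
 */
#  elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
                        asm ("rev %0,%0; rev %1,%1" \
                        : "+r"(hi_),"+r"(lo_)); \
                        (u64)hi_<<32|lo_; })
#   define BSWAP4(x) ({ u32 ret_; \
                        asm ("rev %0,%1" \
                        : "=r"(ret_) : "r"((u32)(x))); \
                        ret_; })
#  endif
# elif defined(_MSC_VER)
#  if _MSC_VER>=1300
/* Newer MSVC: compiler intrinsics for both widths. */
#   include <stdlib.h>
#   pragma intrinsic(_byteswap_uint64,_byteswap_ulong)
#   define BSWAP8(x) _byteswap_uint64((u64)(x))
#   define BSWAP4(x) _byteswap_ulong((u32)(x))
#  elif defined(_M_IX86)
/* Older MSVC on 32-bit x86: inline assembly, BSWAP4 only (no BSWAP8). */
__inline u32 _bswap4(u32 val)
{
_asm mov eax, val _asm bswap eax}
#   define BSWAP4(x) _bswap4(x)
#  endif
# endif
#endif

/*
 * GETU32(p) reads and PUTU32(p,v) writes a 32-bit big-endian value at byte
 * pointer p.  Neither form checks bounds: the caller must guarantee that
 * p[0..3] lies inside the buffer.
 *
 * Fast path (BSWAP4 available and STRICT_ALIGNMENT undefined): p is cast to
 * u32 * and dereferenced directly.  This is a type-punned, possibly
 * unaligned access, and the byte swap only yields a big-endian result on a
 * little-endian host.  PUTU32 is parenthesized here so that, like the
 * byte-wise variant, it expands to one self-contained expression.
 *
 * Portable path: byte-wise access.  p is evaluated four times and v four
 * times, so arguments must have no side effects.
 */
#if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
# define GETU32(p)       BSWAP4(*(const u32 *)(p))
# define PUTU32(p,v)     (*(u32 *)(p) = BSWAP4(v))
#else
# define GETU32(p)       ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
# define PUTU32(p,v)     ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
#endif

/*- GCM definitions */
/* A 128-bit value held as two 64-bit halves. */
typedef struct {
    u64 hi, lo;
} u128;

#ifdef TABLE_BITS
# undef TABLE_BITS
#endif
/*
 * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
 * never be set to 8 [or 1]. For further information see gcm128.c.
 *
 * NOTE(review): the rationale is not stated in this header; presumably it
 * concerns the size and timing behaviour of the table-driven GHASH code.
 * Confirm in gcm128.c before changing the value.
 */
#define TABLE_BITS 4

/*
 * GCM state.  The context holds key-dependent values (per the GCM
 * specification naming, H and EK0, plus the table pre-computed into Htable),
 * so whoever owns it should wipe it, e.g. with OPENSSL_cleanse(), before the
 * memory is freed or reused.  Only a pointer to the key schedule is stored;
 * this header does not show who owns or releases it.
 */
struct gcm128_context {
    /* Following 6 names follow names in GCM specification */
    /* Each 16-byte value can be viewed as u64, u32, bytes or size_t words. */
    union {
        u64 u[2];
        u32 d[4];
        u8 c[16];
        size_t t[16 / sizeof(size_t)];
    } Yi, EKi, EK0, len, Xi, H;
    /*
     * Relative position of Xi, H and pre-computed Htable is used in some
     * assembler modules, i.e. don't change the order!
     */
#if TABLE_BITS==8
    u128 Htable[256];
#else
    u128 Htable[16];
    /* Implementation hooks operating on Xi with the pre-computed table. */
    void (*gmult) (u64 Xi[2], const u128 Htable[16]);
    void (*ghash) (u64 Xi[2], const u128 Htable[16], const u8 *inp,
                   size_t len);
#endif
    /* presumably residue counters for message and AAD data; see gcm128.c */
    unsigned int mres, ares;
    /* Block cipher callback and the opaque key it is invoked with. */
    block128_f block;
    void *key;
#if !defined(OPENSSL_SMALL_FOOTPRINT)
    /* Extra buffer, omitted in small-footprint builds; usage is in gcm128.c */
    unsigned char Xn[48];
#endif
};

/*
 * The maximum permitted number of cipher blocks per data unit in XTS mode.
 * Reference IEEE Std 1619-2018.
 *
 * This header only defines the limit; the check itself has to be made by
 * the code that accepts the data-unit length.
 */
#define XTS_MAX_BLOCKS_PER_DATA_UNIT            (1<<20)

/*
 * XTS state: two opaque keys with their block functions.
 * NOTE(review): presumably one pair handles the data and the other the
 * tweak; confirm in xts128.c.  Nothing in this structure enforces that the
 * two keys differ.
 */
struct xts128_context {
    void *key1, *key2;
    block128_f block1, block2;
};

/* CCM state: nonce and running CMAC blocks, a block counter, cipher and key. */
struct ccm128_context {
    union {
        u64 u[2];
        u8 c[16];
    } nonce, cmac;
    u64 blocks;
    block128_f block;
    void *key;
};

#ifndef OPENSSL_NO_OCB

/* One 16-byte OCB block, addressable as two u64 words or as bytes. */
typedef union {
    u64 a[2];
    unsigned char c[16];
} OCB_BLOCK;
/*
 * XOR two blocks word-wise into out.  Operands are accessed as u64, so they
 * must point at suitably aligned OCB_BLOCK objects; every argument is
 * evaluated twice.
 */
# define ocb_block16_xor(in1,in2,out) \
    ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
      (out)->a[1]=(in1)->a[1]^(in2)->a[1] )
/*
 * Variant for operands that may be misaligned: on strict-alignment targets
 * it goes through the byte-wise ocb_block_xor() (declared elsewhere),
 * otherwise it is the word-wise macro above.
 */
# if STRICT_ALIGNMENT
#  define ocb_block16_xor_misaligned(in1,in2,out) \
    ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
# else
#  define ocb_block16_xor_misaligned ocb_block16_xor
# endif

struct ocb128_context {
    /* Need both encrypt and decrypt key schedules for decryption */
    block128_f encrypt;
    block128_f decrypt;
    void *keyenc;
    void *keydec;
    ocb128_f stream;    /* direction dependent */
    /* Key dependent variables. Can be reused if key remains the same */
    size_t l_index;
    size_t max_l_index;
    OCB_BLOCK l_star;
    OCB_BLOCK l_dollar;
    /* presumably a table sized by max_l_index; allocation is not shown here */
    OCB_BLOCK *l;
    /* Must be reset for each session */
    struct {
        u64 blocks_hashed;
        u64 blocks_processed;
        OCB_BLOCK offset_aad;
        OCB_BLOCK sum;
        OCB_BLOCK offset;
        OCB_BLOCK checksum;
    } sess;
};
#endif                          /* OPENSSL_NO_OCB */

#ifndef OPENSSL_NO_SIV

#define SIV_LEN 16

/* One SIV_LEN-byte block, addressable as 64-bit words or as bytes. */
typedef union siv_block_u {
    uint64_t word[SIV_LEN/sizeof(uint64_t)];
    unsigned char byte[SIV_LEN];
} SIV_BLOCK;

struct siv128_context {
    /* d stores intermediate results of S2V; it corresponds to D from the
       pseudocode in section 2.4 of RFC 5297. */
    SIV_BLOCK d;
    SIV_BLOCK tag;
    EVP_CIPHER_CTX *cipher_ctx;
    EVP_MAC *mac;
    EVP_MAC_CTX *mac_ctx_init;
    /*
     * Status fields; their exact meaning is defined by the SIV
     * implementation, not by this header.
     * NOTE(review): presumably they record whether tag verification and the
     * cipher operations succeeded; confirm in siv128.c.
     */
    int final_ret;
    int crypto_ok;
};

#endif                          /* OPENSSL_NO_SIV */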