/*
 * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Internal definitions shared by the block-cipher mode implementations:
 * fixed-width integer aliases, byte-swap and big-endian load/store macros,
 * and the context structures for GCM, XTS, CCM, OCB and SIV.
 *
 * NOTE(review): several structures below hold key-schedule pointers and
 * fields named after key-derived quantities (H, Htable, l_star, ...).
 * Nothing in this header wipes them; clearing a context before it is
 * released (e.g. with OPENSSL_cleanse) is the job of whichever code owns
 * the allocation - confirm at those sites, which are not visible here.
 */

/* This header can move into provider when legacy support is removed */
#include <openssl/modes.h>

/*
 * 64-bit integer aliases and a matching literal-suffix macro, selected per
 * compiler/ABI: MSVC-style __int64, plain long where __arch64__ is defined,
 * long long everywhere else.
 */
#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
typedef __int64 i64;
typedef unsigned __int64 u64;
# define U64(C) C##UI64
#elif defined(__arch64__)
typedef long i64;
typedef unsigned long u64;
# define U64(C) C##UL
#else
typedef long long i64;
typedef unsigned long long u64;
# define U64(C) C##ULL
#endif

typedef unsigned int u32;
typedef unsigned char u8;

/*
 * STRICT_ALIGNMENT is defined by default and removed only for the x86,
 * x86_64, aarch64 and s390/s390x families, and only when PEDANTIC is not
 * defined.  While it is defined, GETU32/PUTU32 below use byte-wise access;
 * once it is undefined they may dereference a cast u32 pointer.
 *
 * It is tested both with defined() and with a plain "#if STRICT_ALIGNMENT"
 * (in the OCB section); the latter evaluates to 0 after the #undef.
 */
#define STRICT_ALIGNMENT 1
#ifndef PEDANTIC
# if defined(__i386) || defined(__i386__) || \
     defined(__x86_64) || defined(__x86_64__) || \
     defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
     defined(__aarch64__) || \
     defined(__s390__) || defined(__s390x__)
#  undef STRICT_ALIGNMENT
# endif
#endif

/*
 * BSWAP8/BSWAP4: byte-reverse a 64-bit / 32-bit value using inline assembly
 * or compiler intrinsics.  They are only defined when PEDANTIC,
 * OPENSSL_NO_ASM and OPENSSL_NO_INLINE_ASM are all undefined and one of the
 * compiler/architecture branches below matches; every user must therefore
 * test defined(BSWAP4)/defined(BSWAP8) first.
 *
 * The GNU variants are statement expressions, i.e. a compiler extension.
 * The 32-bit x86 and ARM forms of BSWAP8 expand their argument twice, so
 * arguments must be free of side effects.
 */
#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__GNUC__) && __GNUC__>=2
#  if defined(__x86_64) || defined(__x86_64__)
#   define BSWAP8(x) ({ u64 ret_=(x);                   \
                        asm ("bswapq %0"                \
                        : "+r"(ret_));   ret_;          })
#   define BSWAP4(x) ({ u32 ret_=(x);                   \
                        asm ("bswapl %0"                \
                        : "+r"(ret_));   ret_;          })
#  elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
/* No 64-bit swap instruction here: swap each half and exchange the halves. */
#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x);   \
                        asm ("bswapl %0; bswapl %1"     \
                        : "+r"(hi_),"+r"(lo_));         \
                        (u64)hi_<<32|lo_;               })
#   define BSWAP4(x) ({ u32 ret_=(x);                   \
                        asm ("bswapl %0"                \
                        : "+r"(ret_));   ret_;          })
#  elif defined(__aarch64__)
/*
 * Defined for little-endian aarch64 only; a big-endian build gets no BSWAP
 * macros from this branch and falls through to the byte-wise GETU32/PUTU32.
 */
#   if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
       __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
#    define BSWAP8(x) ({ u64 ret_;                      \
                        asm ("rev %0,%1"                \
                        : "=r"(ret_) : "r"(x)); ret_;   })
#    define BSWAP4(x) ({ u32 ret_;                      \
                        asm ("rev %w0,%w1"              \
                        : "=r"(ret_) : "r"(x)); ret_;   })
#   endif
/*
 * NOTE(review): STRICT_ALIGNMENT is defined unconditionally above and this
 * header never undefines it for 32-bit ARM, so as written this branch looks
 * unreachable - confirm whether that is intended.
 */
#  elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x);   \
                        asm ("rev %0,%0; rev %1,%1"     \
                        : "+r"(hi_),"+r"(lo_));         \
                        (u64)hi_<<32|lo_;               })
#   define BSWAP4(x) ({ u32 ret_;                       \
                        asm ("rev %0,%1"                \
                        : "=r"(ret_) : "r"((u32)(x)));  \
                        ret_;                           })
#  endif
# elif defined(_MSC_VER)
#  if _MSC_VER>=1300
#   include <stdlib.h>
#   pragma intrinsic(_byteswap_uint64,_byteswap_ulong)
#   define BSWAP8(x)    _byteswap_uint64((u64)(x))
#   define BSWAP4(x)    _byteswap_ulong((u32)(x))
#  elif defined(_M_IX86)
/*
 * Fallback for older MSVC on 32-bit x86.  The function has no return
 * statement; the swapped value is left in eax by the inline assembly.
 * NOTE(review): presumably relies on the compiler treating eax as the
 * return register - confirm before reusing this pattern.  The name also
 * begins with an underscore at file scope, which is reserved.
 */
__inline u32 _bswap4(u32 val)
{
_asm mov eax, val _asm bswap eax}
#   define BSWAP4(x)    _bswap4(x)
#  endif
# endif
#endif
/*
 * GETU32/PUTU32: load/store a 32-bit value in big-endian byte order at p.
 *
 * Fast path (BSWAP4 available and STRICT_ALIGNMENT undefined): one 32-bit
 * access through a cast pointer followed by a byte swap.  p need not be
 * 4-byte aligned from the caller's point of view, so this depends on the
 * target tolerating unaligned word access, and it reads/writes the buffer
 * through a u32 lvalue regardless of the object's declared type.  The
 * PUTU32 expansion here is not wrapped in parentheses.
 *
 * Portable path: four single-byte accesses.  p is expanded four times and
 * must point to byte-sized elements; pass only side-effect-free arguments.
 *
 * Neither form checks bounds: the caller must guarantee at least 4
 * accessible bytes at p.
 */
#if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
# define GETU32(p)       BSWAP4(*(const u32 *)(p))
# define PUTU32(p,v)     *(u32 *)(p) = BSWAP4(v)
#else
# define GETU32(p)       ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
# define PUTU32(p,v)     ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
#endif
/*- GCM definitions */
/* 128-bit quantity held as two 64-bit halves. */
typedef struct {
    u64 hi, lo;
} u128;

#ifdef TABLE_BITS
# undef TABLE_BITS
#endif
/*
 * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
 * never be set to 8 [or 1]. For further information see gcm128.c.
 *
 * Any TABLE_BITS supplied from outside is discarded above and the value is
 * forced to 4, which selects the 16-entry Htable plus the gmult/ghash
 * function pointers in gcm128_context.
 * NOTE(review): the rationale lives in gcm128.c, which is not shown here;
 * presumably it concerns table size versus cache-timing exposure - confirm
 * there before changing this value.
 */
#define TABLE_BITS 4

/*
 * GCM state.  Each of the six leading members is one 16-byte block that can
 * be viewed as two u64, four u32, sixteen bytes, or native size_t words.
 */
struct gcm128_context {
    /* Following 6 names follow names in GCM specification */
    /*
     * NOTE(review): in the GCM specification Y_i is the counter block, H the
     * hash subkey and X_i the running GHASH value; EKi/EK0 presumably hold
     * E(K, Y_i) and E(K, Y_0), and len the AAD/ciphertext lengths - confirm
     * in gcm128.c.  If so, H and Htable are key-derived secrets.
     */
    union {
        u64 u[2];
        u32 d[4];
        u8 c[16];
        size_t t[16 / sizeof(size_t)];
    } Yi, EKi, EK0, len, Xi, H;
    /*
     * Relative position of Xi, H and pre-computed Htable is used in some
     * assembler modules, i.e. don't change the order!
     */
#if TABLE_BITS==8
    u128 Htable[256];
#else
    u128 Htable[16];
    /* Implementation hooks taking the Xi block and the Htable. */
    void (*gmult) (u64 Xi[2], const u128 Htable[16]);
    void (*ghash) (u64 Xi[2], const u128 Htable[16], const u8 *inp,
                   size_t len);
#endif
    /* presumably partial-block byte counts for message and AAD - confirm */
    unsigned int mres, ares;
    /* Block cipher callback and the opaque key it operates on; not owned
     * or freed by anything in this header. */
    block128_f block;
    void *key;
#if !defined(OPENSSL_SMALL_FOOTPRINT)
    /* NOTE(review): purpose not visible here; presumably a staging buffer
     * for GHASH input - confirm in gcm128.c. */
    unsigned char Xn[48];
#endif
};

/*
 * The maximum permitted number of cipher blocks per data unit in XTS mode.
 * Reference IEEE Std 1619-2018.
 *
 * This header only defines the limit (1<<20 blocks); the check against it
 * has to be made by the code that processes a data unit, which is not
 * visible here.
 */
#define XTS_MAX_BLOCKS_PER_DATA_UNIT            (1<<20)

/*
 * XTS state: two opaque keys, each paired with its block callback.
 * NOTE(review): nothing here records that key1 and key2 were checked to be
 * different; any such check must live where this structure is filled in -
 * confirm at the key-setup code.
 */
struct xts128_context {
    void *key1, *key2;
    block128_f block1, block2;
};

/*
 * CCM state: nonce and CBC-MAC blocks, each viewable as two u64 or sixteen
 * bytes, a block counter, and the cipher callback with its opaque key.
 */
struct ccm128_context {
    union {
        u64 u[2];
        u8 c[16];
    } nonce, cmac;
    /* presumably counts cipher invocations so a usage limit can be
     * enforced - confirm in the CCM implementation */
    u64 blocks;
    block128_f block;
    void *key;
};

#ifndef OPENSSL_NO_OCB

/* One 16-byte OCB block, viewable as two u64 words or sixteen bytes. */
typedef union {
    u64 a[2];
    unsigned char c[16];
} OCB_BLOCK;
/*
 * out = in1 ^ in2 using two 64-bit operations through the a[] view, so all
 * three pointers must be valid for u64 access.  Each argument is expanded
 * twice; pass only side-effect-free expressions.
 */
# define ocb_block16_xor(in1,in2,out) \
    ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
      (out)->a[1]=(in1)->a[1]^(in2)->a[1] )
/*
 * Variant for operands that may not be word aligned: byte-wise
 * ocb_block_xor() (declared elsewhere) when STRICT_ALIGNMENT is non-zero,
 * otherwise an alias for the word-wise macro above.
 */
# if STRICT_ALIGNMENT
#  define ocb_block16_xor_misaligned(in1,in2,out) \
    ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
# else
#  define ocb_block16_xor_misaligned ocb_block16_xor
# endif

/* OCB state, split into key-dependent values and per-session values. */
struct ocb128_context {
    /* Need both encrypt and decrypt key schedules for decryption */
    block128_f encrypt;
    block128_f decrypt;
    void *keyenc;
    void *keydec;
    ocb128_f stream;    /* direction dependent */
    /* Key dependent variables. Can be reused if key remains the same */
    /* presumably entries in use / entries allocated in l - confirm */
    size_t l_index;
    size_t max_l_index;
    OCB_BLOCK l_star;
    OCB_BLOCK l_dollar;
    /* Pointer to a table of blocks; allocation and release happen outside
     * this header. */
    OCB_BLOCK *l;
    /* Must be reset for each session */
    struct {
        u64 blocks_hashed;
        u64 blocks_processed;
        OCB_BLOCK offset_aad;
        OCB_BLOCK sum;
        OCB_BLOCK offset;
        OCB_BLOCK checksum;
    } sess;
};
#endif                          /* OPENSSL_NO_OCB */

#ifndef OPENSSL_NO_SIV

/* Size in bytes of a SIV block. */
#define SIV_LEN 16

/* One SIV block, viewable as 64-bit words or as bytes. */
typedef union siv_block_u {
    uint64_t word[SIV_LEN/sizeof(uint64_t)];
    unsigned char byte[SIV_LEN];
} SIV_BLOCK;

/* SIV state built on EVP cipher and MAC objects. */
struct siv128_context {
    /* d stores intermediate results of S2V; it corresponds to D from the
       pseudocode in section 2.4 of RFC 5297. */
    SIV_BLOCK d;
    SIV_BLOCK tag;
    EVP_CIPHER_CTX *cipher_ctx;
    EVP_MAC *mac;
    EVP_MAC_CTX *mac_ctx_init;
    /* NOTE(review): presumably final_ret latches the tag-verification
     * result and crypto_ok whether earlier steps succeeded; callers should
     * not release plaintext unless both indicate success - confirm in the
     * SIV implementation. */
    int final_ret;
    int crypto_ok;
};

#endif /* OPENSSL_NO_SIV */