1/*
2 * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License").  You may not use
5 * this file except in compliance with the License.  You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/* This header can move into provider when legacy support is removed */
11#include <openssl/modes.h>
12
13#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
14typedef __int64 i64;
15typedef unsigned __int64 u64;
16# define U64(C) C##UI64
17#elif defined(__arch64__)
18typedef long i64;
19typedef unsigned long u64;
20# define U64(C) C##UL
21#else
22typedef long long i64;
23typedef unsigned long long u64;
24# define U64(C) C##ULL
25#endif
26
27typedef unsigned int u32;
28typedef unsigned char u8;
29
30#define STRICT_ALIGNMENT 1
31#ifndef PEDANTIC
32# if defined(__i386)    || defined(__i386__)    || \
33     defined(__x86_64)  || defined(__x86_64__)  || \
34     defined(_M_IX86)   || defined(_M_AMD64)    || defined(_M_X64) || \
35     defined(__aarch64__)                       || \
36     defined(__s390__)  || defined(__s390x__)
37#  undef STRICT_ALIGNMENT
38# endif
39#endif
40
41#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
42# if defined(__GNUC__) && __GNUC__>=2
43#  if defined(__x86_64) || defined(__x86_64__)
44#   define BSWAP8(x) ({ u64 ret_=(x);                   \
45                        asm ("bswapq %0"                \
46                        : "+r"(ret_));   ret_;          })
47#   define BSWAP4(x) ({ u32 ret_=(x);                   \
48                        asm ("bswapl %0"                \
49                        : "+r"(ret_));   ret_;          })
50#  elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
51#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x);   \
52                        asm ("bswapl %0; bswapl %1"     \
53                        : "+r"(hi_),"+r"(lo_));         \
54                        (u64)hi_<<32|lo_;               })
55#   define BSWAP4(x) ({ u32 ret_=(x);                   \
56                        asm ("bswapl %0"                \
57                        : "+r"(ret_));   ret_;          })
58#  elif defined(__aarch64__)
59#   if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
60       __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
61#    define BSWAP8(x) ({ u64 ret_;                       \
62                        asm ("rev %0,%1"                \
63                        : "=r"(ret_) : "r"(x)); ret_;   })
64#    define BSWAP4(x) ({ u32 ret_;                       \
65                        asm ("rev %w0,%w1"              \
66                        : "=r"(ret_) : "r"(x)); ret_;   })
67#   endif
68#  elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
69#   define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x);   \
70                        asm ("rev %0,%0; rev %1,%1"     \
71                        : "+r"(hi_),"+r"(lo_));         \
72                        (u64)hi_<<32|lo_;               })
73#   define BSWAP4(x) ({ u32 ret_;                       \
74                        asm ("rev %0,%1"                \
75                        : "=r"(ret_) : "r"((u32)(x)));  \
76                        ret_;                           })
77#  endif
78# elif defined(_MSC_VER)
79#  if _MSC_VER>=1300
80#   include <stdlib.h>
81#   pragma intrinsic(_byteswap_uint64,_byteswap_ulong)
82#   define BSWAP8(x)    _byteswap_uint64((u64)(x))
83#   define BSWAP4(x)    _byteswap_ulong((u32)(x))
84#  elif defined(_M_IX86)
85__inline u32 _bswap4(u32 val)
86{
87_asm mov eax, val _asm bswap eax}
88#   define BSWAP4(x)    _bswap4(x)
89#  endif
90# endif
91#endif
92#if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
93# define GETU32(p)       BSWAP4(*(const u32 *)(p))
94# define PUTU32(p,v)     *(u32 *)(p) = BSWAP4(v)
95#else
96# define GETU32(p)       ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
97# define PUTU32(p,v)     ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
98#endif
99/*- GCM definitions */ typedef struct {
100    u64 hi, lo;
101} u128;
102
103#ifdef  TABLE_BITS
104# undef  TABLE_BITS
105#endif
106/*
107 * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
108 * never be set to 8 [or 1]. For further information see gcm128.c.
109 */
110#define TABLE_BITS 4
111
112struct gcm128_context {
113    /* Following 6 names follow names in GCM specification */
114    union {
115        u64 u[2];
116        u32 d[4];
117        u8 c[16];
118        size_t t[16 / sizeof(size_t)];
119    } Yi, EKi, EK0, len, Xi, H;
120    /*
121     * Relative position of Xi, H and pre-computed Htable is used in some
122     * assembler modules, i.e. don't change the order!
123     */
124#if TABLE_BITS==8
125    u128 Htable[256];
126#else
127    u128 Htable[16];
128    void (*gmult) (u64 Xi[2], const u128 Htable[16]);
129    void (*ghash) (u64 Xi[2], const u128 Htable[16], const u8 *inp,
130                   size_t len);
131#endif
132    unsigned int mres, ares;
133    block128_f block;
134    void *key;
135#if !defined(OPENSSL_SMALL_FOOTPRINT)
136    unsigned char Xn[48];
137#endif
138};
139
140/*
141 * The maximum permitted number of cipher blocks per data unit in XTS mode.
142 * Reference IEEE Std 1619-2018.
143 */
144#define XTS_MAX_BLOCKS_PER_DATA_UNIT            (1<<20)
145
146struct xts128_context {
147    void *key1, *key2;
148    block128_f block1, block2;
149};
150
151struct ccm128_context {
152    union {
153        u64 u[2];
154        u8 c[16];
155    } nonce, cmac;
156    u64 blocks;
157    block128_f block;
158    void *key;
159};
160
161#ifndef OPENSSL_NO_OCB
162
163typedef union {
164    u64 a[2];
165    unsigned char c[16];
166} OCB_BLOCK;
167# define ocb_block16_xor(in1,in2,out) \
168    ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
169      (out)->a[1]=(in1)->a[1]^(in2)->a[1] )
170# if STRICT_ALIGNMENT
171#  define ocb_block16_xor_misaligned(in1,in2,out) \
172    ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
173# else
174#  define ocb_block16_xor_misaligned ocb_block16_xor
175# endif
176
177struct ocb128_context {
178    /* Need both encrypt and decrypt key schedules for decryption */
179    block128_f encrypt;
180    block128_f decrypt;
181    void *keyenc;
182    void *keydec;
183    ocb128_f stream;    /* direction dependent */
184    /* Key dependent variables. Can be reused if key remains the same */
185    size_t l_index;
186    size_t max_l_index;
187    OCB_BLOCK l_star;
188    OCB_BLOCK l_dollar;
189    OCB_BLOCK *l;
190    /* Must be reset for each session */
191    struct {
192        u64 blocks_hashed;
193        u64 blocks_processed;
194        OCB_BLOCK offset_aad;
195        OCB_BLOCK sum;
196        OCB_BLOCK offset;
197        OCB_BLOCK checksum;
198    } sess;
199};
200#endif                          /* OPENSSL_NO_OCB */
201
202#ifndef OPENSSL_NO_SIV
203
204#define SIV_LEN 16
205
206typedef union siv_block_u {
207    uint64_t word[SIV_LEN/sizeof(uint64_t)];
208    unsigned char byte[SIV_LEN];
209} SIV_BLOCK;
210
211struct siv128_context {
212    /* d stores intermediate results of S2V; it corresponds to D from the
213       pseudocode in section 2.4 of RFC 5297. */
214    SIV_BLOCK d;
215    SIV_BLOCK tag;
216    EVP_CIPHER_CTX *cipher_ctx;
217    EVP_MAC *mac;
218    EVP_MAC_CTX *mac_ctx_init;
219    int final_ret;
220    int crypto_ok;
221};
222
223#endif /* OPENSSL_NO_SIV */
224