1 | /* |
2 | * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <string.h> |
11 | #include <stdlib.h> |
12 | #include <openssl/crypto.h> |
13 | #include <openssl/evp.h> |
14 | #include <openssl/core_names.h> |
15 | #include <openssl/params.h> |
16 | #include "crypto/modes.h" |
17 | #include "crypto/siv.h" |
18 | |
19 | #ifndef OPENSSL_NO_SIV |
20 | |
21 | __owur static ossl_inline uint32_t rotl8(uint32_t x) |
22 | { |
23 | return (x << 8) | (x >> 24); |
24 | } |
25 | |
26 | __owur static ossl_inline uint32_t rotr8(uint32_t x) |
27 | { |
28 | return (x >> 8) | (x << 24); |
29 | } |
30 | |
31 | __owur static ossl_inline uint64_t byteswap8(uint64_t x) |
32 | { |
33 | uint32_t high = (uint32_t)(x >> 32); |
34 | uint32_t low = (uint32_t)x; |
35 | |
36 | high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00); |
37 | low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00); |
38 | return ((uint64_t)low) << 32 | (uint64_t)high; |
39 | } |
40 | |
41 | __owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i) |
42 | { |
43 | const union { |
44 | long one; |
45 | char little; |
46 | } is_endian = { 1 }; |
47 | |
48 | if (is_endian.little) |
49 | return byteswap8(b->word[i]); |
50 | return b->word[i]; |
51 | } |
52 | |
53 | static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x) |
54 | { |
55 | const union { |
56 | long one; |
57 | char little; |
58 | } is_endian = { 1 }; |
59 | |
60 | if (is_endian.little) |
61 | b->word[i] = byteswap8(x); |
62 | else |
63 | b->word[i] = x; |
64 | } |
65 | |
66 | static ossl_inline void siv128_xorblock(SIV_BLOCK *x, |
67 | SIV_BLOCK const *y) |
68 | { |
69 | x->word[0] ^= y->word[0]; |
70 | x->word[1] ^= y->word[1]; |
71 | } |
72 | |
73 | /* |
74 | * Doubles |b|, which is 16 bytes representing an element |
75 | * of GF(2**128) modulo the irreducible polynomial |
76 | * x**128 + x**7 + x**2 + x + 1. |
77 | * Assumes two's-complement arithmetic |
78 | */ |
79 | static ossl_inline void siv128_dbl(SIV_BLOCK *b) |
80 | { |
81 | uint64_t high = siv128_getword(b, 0); |
82 | uint64_t low = siv128_getword(b, 1); |
83 | uint64_t high_carry = high & (((uint64_t)1) << 63); |
84 | uint64_t low_carry = low & (((uint64_t)1) << 63); |
85 | int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87; |
86 | uint64_t high_mask = low_carry >> 63; |
87 | |
88 | high = (high << 1) | high_mask; |
89 | low = (low << 1) ^ (uint64_t)low_mask; |
90 | siv128_putword(b, 0, high); |
91 | siv128_putword(b, 1, low); |
92 | } |
93 | |
94 | __owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out, |
95 | unsigned char const* in, size_t len) |
96 | { |
97 | SIV_BLOCK t; |
98 | size_t out_len = sizeof(out->byte); |
99 | EVP_MAC_CTX *mac_ctx; |
100 | int ret = 0; |
101 | |
102 | mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init); |
103 | if (mac_ctx == NULL) |
104 | return 0; |
105 | |
106 | if (len >= SIV_LEN) { |
107 | if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN)) |
108 | goto err; |
109 | memcpy(&t, in + (len-SIV_LEN), SIV_LEN); |
110 | siv128_xorblock(&t, &ctx->d); |
111 | if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN)) |
112 | goto err; |
113 | } else { |
114 | memset(&t, 0, sizeof(t)); |
115 | memcpy(&t, in, len); |
116 | t.byte[len] = 0x80; |
117 | siv128_dbl(&ctx->d); |
118 | siv128_xorblock(&t, &ctx->d); |
119 | if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN)) |
120 | goto err; |
121 | } |
122 | if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte)) |
123 | || out_len != SIV_LEN) |
124 | goto err; |
125 | |
126 | ret = 1; |
127 | |
128 | err: |
129 | EVP_MAC_CTX_free(mac_ctx); |
130 | return ret; |
131 | } |
132 | |
133 | |
134 | __owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out, |
135 | unsigned char const *in, size_t len, |
136 | SIV_BLOCK *icv) |
137 | { |
138 | int out_len = (int)len; |
139 | |
140 | if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1)) |
141 | return 0; |
142 | return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len); |
143 | } |
144 | |
145 | /* |
146 | * Create a new SIV128_CONTEXT |
147 | */ |
148 | SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr) |
149 | { |
150 | SIV128_CONTEXT *ctx; |
151 | int ret; |
152 | |
153 | if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) { |
154 | ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr); |
155 | if (ret) |
156 | return ctx; |
157 | OPENSSL_free(ctx); |
158 | } |
159 | |
160 | return NULL; |
161 | } |
162 | |
163 | /* |
164 | * Initialise an existing SIV128_CONTEXT |
165 | */ |
166 | int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen, |
167 | const EVP_CIPHER* cbc, const EVP_CIPHER* ctr) |
168 | { |
169 | static const unsigned char zero[SIV_LEN] = { 0 }; |
170 | size_t out_len = SIV_LEN; |
171 | EVP_MAC_CTX *mac_ctx = NULL; |
172 | OSSL_PARAM params[3]; |
173 | const char *cbc_name = EVP_CIPHER_name(cbc); |
174 | |
175 | params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER, |
176 | (char *)cbc_name, 0); |
177 | params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, |
178 | (void *)key, klen); |
179 | params[2] = OSSL_PARAM_construct_end(); |
180 | |
181 | memset(&ctx->d, 0, sizeof(ctx->d)); |
182 | ctx->cipher_ctx = NULL; |
183 | ctx->mac_ctx_init = NULL; |
184 | |
185 | if (key == NULL || cbc == NULL || ctr == NULL |
186 | || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL |
187 | /* TODO(3.0) library context */ |
188 | || (ctx->mac = |
189 | EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL)) == NULL |
190 | || (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL |
191 | || !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params) |
192 | || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL) |
193 | || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL |
194 | || !EVP_MAC_update(mac_ctx, zero, sizeof(zero)) |
195 | || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len, |
196 | sizeof(ctx->d.byte))) { |
197 | EVP_CIPHER_CTX_free(ctx->cipher_ctx); |
198 | EVP_MAC_CTX_free(ctx->mac_ctx_init); |
199 | EVP_MAC_CTX_free(mac_ctx); |
200 | EVP_MAC_free(ctx->mac); |
201 | return 0; |
202 | } |
203 | EVP_MAC_CTX_free(mac_ctx); |
204 | |
205 | ctx->final_ret = -1; |
206 | ctx->crypto_ok = 1; |
207 | |
208 | return 1; |
209 | } |
210 | |
211 | /* |
212 | * Copy an SIV128_CONTEXT object |
213 | */ |
214 | int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src) |
215 | { |
216 | memcpy(&dest->d, &src->d, sizeof(src->d)); |
217 | if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx)) |
218 | return 0; |
219 | EVP_MAC_CTX_free(dest->mac_ctx_init); |
220 | dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init); |
221 | if (dest->mac_ctx_init == NULL) |
222 | return 0; |
223 | return 1; |
224 | } |
225 | |
226 | /* |
227 | * Provide any AAD. This can be called multiple times. |
228 | * Per RFC5297, the last piece of associated data |
229 | * is the nonce, but it's not treated special |
230 | */ |
231 | int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad, |
232 | size_t len) |
233 | { |
234 | SIV_BLOCK mac_out; |
235 | size_t out_len = SIV_LEN; |
236 | EVP_MAC_CTX *mac_ctx; |
237 | |
238 | siv128_dbl(&ctx->d); |
239 | |
240 | if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL |
241 | || !EVP_MAC_update(mac_ctx, aad, len) |
242 | || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len, |
243 | sizeof(mac_out.byte)) |
244 | || out_len != SIV_LEN) { |
245 | EVP_MAC_CTX_free(mac_ctx); |
246 | return 0; |
247 | } |
248 | EVP_MAC_CTX_free(mac_ctx); |
249 | |
250 | siv128_xorblock(&ctx->d, &mac_out); |
251 | |
252 | return 1; |
253 | } |
254 | |
255 | /* |
256 | * Provide any data to be encrypted. This can be called once. |
257 | */ |
258 | int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx, |
259 | const unsigned char *in, unsigned char *out, |
260 | size_t len) |
261 | { |
262 | SIV_BLOCK q; |
263 | |
264 | /* can only do one crypto operation */ |
265 | if (ctx->crypto_ok == 0) |
266 | return 0; |
267 | ctx->crypto_ok--; |
268 | |
269 | if (!siv128_do_s2v_p(ctx, &q, in, len)) |
270 | return 0; |
271 | |
272 | memcpy(ctx->tag.byte, &q, SIV_LEN); |
273 | q.byte[8] &= 0x7f; |
274 | q.byte[12] &= 0x7f; |
275 | |
276 | if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)) |
277 | return 0; |
278 | ctx->final_ret = 0; |
279 | return len; |
280 | } |
281 | |
282 | /* |
283 | * Provide any data to be decrypted. This can be called once. |
284 | */ |
285 | int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx, |
286 | const unsigned char *in, unsigned char *out, |
287 | size_t len) |
288 | { |
289 | unsigned char* p; |
290 | SIV_BLOCK t, q; |
291 | int i; |
292 | |
293 | /* can only do one crypto operation */ |
294 | if (ctx->crypto_ok == 0) |
295 | return 0; |
296 | ctx->crypto_ok--; |
297 | |
298 | memcpy(&q, ctx->tag.byte, SIV_LEN); |
299 | q.byte[8] &= 0x7f; |
300 | q.byte[12] &= 0x7f; |
301 | |
302 | if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q) |
303 | || !siv128_do_s2v_p(ctx, &t, out, len)) |
304 | return 0; |
305 | |
306 | p = ctx->tag.byte; |
307 | for (i = 0; i < SIV_LEN; i++) |
308 | t.byte[i] ^= p[i]; |
309 | |
310 | if ((t.word[0] | t.word[1]) != 0) { |
311 | OPENSSL_cleanse(out, len); |
312 | return 0; |
313 | } |
314 | ctx->final_ret = 0; |
315 | return len; |
316 | } |
317 | |
318 | /* |
319 | * Return the already calculated final result. |
320 | */ |
321 | int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx) |
322 | { |
323 | return ctx->final_ret; |
324 | } |
325 | |
326 | /* |
327 | * Set the tag |
328 | */ |
329 | int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len) |
330 | { |
331 | if (len != SIV_LEN) |
332 | return 0; |
333 | |
334 | /* Copy the tag from the supplied buffer */ |
335 | memcpy(ctx->tag.byte, tag, len); |
336 | return 1; |
337 | } |
338 | |
339 | /* |
340 | * Retrieve the calculated tag |
341 | */ |
342 | int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len) |
343 | { |
344 | if (len != SIV_LEN) |
345 | return 0; |
346 | |
347 | /* Copy the tag into the supplied buffer */ |
348 | memcpy(tag, ctx->tag.byte, len); |
349 | return 1; |
350 | } |
351 | |
352 | /* |
353 | * Release all resources |
354 | */ |
355 | int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx) |
356 | { |
357 | if (ctx != NULL) { |
358 | EVP_CIPHER_CTX_free(ctx->cipher_ctx); |
359 | ctx->cipher_ctx = NULL; |
360 | EVP_MAC_CTX_free(ctx->mac_ctx_init); |
361 | ctx->mac_ctx_init = NULL; |
362 | EVP_MAC_free(ctx->mac); |
363 | ctx->mac = NULL; |
364 | OPENSSL_cleanse(&ctx->d, sizeof(ctx->d)); |
365 | OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag)); |
366 | ctx->final_ret = -1; |
367 | ctx->crypto_ok = 1; |
368 | } |
369 | return 1; |
370 | } |
371 | |
372 | int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg) |
373 | { |
374 | ctx->crypto_ok = (arg == 1) ? -1 : 1; |
375 | return 1; |
376 | } |
377 | |
378 | #endif /* OPENSSL_NO_SIV */ |
379 | |