source: EcnlProtoTool/trunk/openssl-1.1.0e/crypto/modes/gcm128.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago

prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新
ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新
以下のOSSをアップデート
・mruby-1.3.0
・musl-1.1.18
・onigmo-6.1.3
・tcc-0.9.27
以下のOSSを追加
・openssl-1.1.0e
・curl-7.57.0
・zlib-1.2.11
以下のmrbgemsを追加
・iij/mruby-digest
・iij/mruby-env
・iij/mruby-errno
・iij/mruby-iijson
・iij/mruby-ipaddr
・iij/mruby-mock
・iij/mruby-require
・iij/mruby-tls-openssl
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc
File size: 69.7 KB
Line 
1/*
2 * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/crypto.h>
11#include "modes_lcl.h"
12#include <string.h>
13
14#if defined(BSWAP4) && defined(STRICT_ALIGNMENT)
15/* redefine, because alignment is ensured */
16# undef GETU32
17# define GETU32(p) BSWAP4(*(const u32 *)(p))
18# undef PUTU32
19# define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v)
20#endif
21
22#define PACK(s) ((size_t)(s)<<(sizeof(size_t)*8-16))
23#define REDUCE1BIT(V) do { \
24 if (sizeof(size_t)==8) { \
25 u64 T = U64(0xe100000000000000) & (0-(V.lo&1)); \
26 V.lo = (V.hi<<63)|(V.lo>>1); \
27 V.hi = (V.hi>>1 )^T; \
28 } \
29 else { \
30 u32 T = 0xe1000000U & (0-(u32)(V.lo&1)); \
31 V.lo = (V.hi<<63)|(V.lo>>1); \
32 V.hi = (V.hi>>1 )^((u64)T<<32); \
33 } \
34} while(0)
35
36/*-
37 * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
38 * never be set to 8. 8 is effectively reserved for testing purposes.
39 * TABLE_BITS>1 are lookup-table-driven implementations referred to as
40 * "Shoup's" in GCM specification. In other words OpenSSL does not cover
41 * whole spectrum of possible table driven implementations. Why? In
42 * non-"Shoup's" case memory access pattern is segmented in such manner,
43 * that it's trivial to see that cache timing information can reveal
44 * fair portion of intermediate hash value. Given that ciphertext is
45 * always available to attacker, it's possible for him to attempt to
46 * deduce secret parameter H and if successful, tamper with messages
47 * [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
48 * not as trivial, but there is no reason to believe that it's resistant
49 * to cache-timing attack. And the thing about "8-bit" implementation is
50 * that it consumes 16 (sixteen) times more memory, 4KB per individual
51 * key + 1KB shared. Well, on pros side it should be twice as fast as
52 * "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
53 * was observed to run ~75% faster, closer to 100% for commercial
54 * compilers... Yet "4-bit" procedure is preferred, because it's
55 * believed to provide better security-performance balance and adequate
56 * all-round performance. "All-round" refers to things like:
57 *
58 * - shorter setup time effectively improves overall timing for
59 * handling short messages;
60 * - larger table allocation can become unbearable because of VM
61 * subsystem penalties (for example on Windows large enough free
62 * results in VM working set trimming, meaning that consequent
63 * malloc would immediately incur working set expansion);
64 * - larger table has larger cache footprint, which can affect
65 * performance of other code paths (not necessarily even from same
66 * thread in Hyper-Threading world);
67 *
68 * Value of 1 is not appropriate for performance reasons.
69 */
70#if TABLE_BITS==8
71
72static void gcm_init_8bit(u128 Htable[256], u64 H[2])
73{
74 int i, j;
75 u128 V;
76
77 Htable[0].hi = 0;
78 Htable[0].lo = 0;
79 V.hi = H[0];
80 V.lo = H[1];
81
82 for (Htable[128] = V, i = 64; i > 0; i >>= 1) {
83 REDUCE1BIT(V);
84 Htable[i] = V;
85 }
86
87 for (i = 2; i < 256; i <<= 1) {
88 u128 *Hi = Htable + i, H0 = *Hi;
89 for (j = 1; j < i; ++j) {
90 Hi[j].hi = H0.hi ^ Htable[j].hi;
91 Hi[j].lo = H0.lo ^ Htable[j].lo;
92 }
93 }
94}
95
96static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
97{
98 u128 Z = { 0, 0 };
99 const u8 *xi = (const u8 *)Xi + 15;
100 size_t rem, n = *xi;
101 const union {
102 long one;
103 char little;
104 } is_endian = { 1 };
105 static const size_t rem_8bit[256] = {
106 PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
107 PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
108 PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
109 PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
110 PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
111 PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
112 PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
113 PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
114 PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
115 PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
116 PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
117 PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
118 PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
119 PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
120 PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
121 PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
122 PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
123 PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
124 PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
125 PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
126 PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
127 PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
128 PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
129 PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
130 PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
131 PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
132 PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
133 PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
134 PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
135 PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
136 PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
137 PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
138 PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
139 PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
140 PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
141 PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
142 PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
143 PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
144 PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
145 PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
146 PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
147 PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
148 PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
149 PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
150 PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
151 PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
152 PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
153 PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
154 PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
155 PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
156 PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
157 PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
158 PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
159 PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
160 PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
161 PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
162 PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
163 PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
164 PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
165 PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
166 PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
167 PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
168 PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
169 PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE)
170 };
171
172 while (1) {
173 Z.hi ^= Htable[n].hi;
174 Z.lo ^= Htable[n].lo;
175
176 if ((u8 *)Xi == xi)
177 break;
178
179 n = *(--xi);
180
181 rem = (size_t)Z.lo & 0xff;
182 Z.lo = (Z.hi << 56) | (Z.lo >> 8);
183 Z.hi = (Z.hi >> 8);
184 if (sizeof(size_t) == 8)
185 Z.hi ^= rem_8bit[rem];
186 else
187 Z.hi ^= (u64)rem_8bit[rem] << 32;
188 }
189
190 if (is_endian.little) {
191# ifdef BSWAP8
192 Xi[0] = BSWAP8(Z.hi);
193 Xi[1] = BSWAP8(Z.lo);
194# else
195 u8 *p = (u8 *)Xi;
196 u32 v;
197 v = (u32)(Z.hi >> 32);
198 PUTU32(p, v);
199 v = (u32)(Z.hi);
200 PUTU32(p + 4, v);
201 v = (u32)(Z.lo >> 32);
202 PUTU32(p + 8, v);
203 v = (u32)(Z.lo);
204 PUTU32(p + 12, v);
205# endif
206 } else {
207 Xi[0] = Z.hi;
208 Xi[1] = Z.lo;
209 }
210}
211
212# define GCM_MUL(ctx,Xi) gcm_gmult_8bit(ctx->Xi.u,ctx->Htable)
213
214#elif TABLE_BITS==4
215
216static void gcm_init_4bit(u128 Htable[16], u64 H[2])
217{
218 u128 V;
219# if defined(OPENSSL_SMALL_FOOTPRINT)
220 int i;
221# endif
222
223 Htable[0].hi = 0;
224 Htable[0].lo = 0;
225 V.hi = H[0];
226 V.lo = H[1];
227
228# if defined(OPENSSL_SMALL_FOOTPRINT)
229 for (Htable[8] = V, i = 4; i > 0; i >>= 1) {
230 REDUCE1BIT(V);
231 Htable[i] = V;
232 }
233
234 for (i = 2; i < 16; i <<= 1) {
235 u128 *Hi = Htable + i;
236 int j;
237 for (V = *Hi, j = 1; j < i; ++j) {
238 Hi[j].hi = V.hi ^ Htable[j].hi;
239 Hi[j].lo = V.lo ^ Htable[j].lo;
240 }
241 }
242# else
243 Htable[8] = V;
244 REDUCE1BIT(V);
245 Htable[4] = V;
246 REDUCE1BIT(V);
247 Htable[2] = V;
248 REDUCE1BIT(V);
249 Htable[1] = V;
250 Htable[3].hi = V.hi ^ Htable[2].hi, Htable[3].lo = V.lo ^ Htable[2].lo;
251 V = Htable[4];
252 Htable[5].hi = V.hi ^ Htable[1].hi, Htable[5].lo = V.lo ^ Htable[1].lo;
253 Htable[6].hi = V.hi ^ Htable[2].hi, Htable[6].lo = V.lo ^ Htable[2].lo;
254 Htable[7].hi = V.hi ^ Htable[3].hi, Htable[7].lo = V.lo ^ Htable[3].lo;
255 V = Htable[8];
256 Htable[9].hi = V.hi ^ Htable[1].hi, Htable[9].lo = V.lo ^ Htable[1].lo;
257 Htable[10].hi = V.hi ^ Htable[2].hi, Htable[10].lo = V.lo ^ Htable[2].lo;
258 Htable[11].hi = V.hi ^ Htable[3].hi, Htable[11].lo = V.lo ^ Htable[3].lo;
259 Htable[12].hi = V.hi ^ Htable[4].hi, Htable[12].lo = V.lo ^ Htable[4].lo;
260 Htable[13].hi = V.hi ^ Htable[5].hi, Htable[13].lo = V.lo ^ Htable[5].lo;
261 Htable[14].hi = V.hi ^ Htable[6].hi, Htable[14].lo = V.lo ^ Htable[6].lo;
262 Htable[15].hi = V.hi ^ Htable[7].hi, Htable[15].lo = V.lo ^ Htable[7].lo;
263# endif
264# if defined(GHASH_ASM) && (defined(__arm__) || defined(__arm))
265 /*
266 * ARM assembler expects specific dword order in Htable.
267 */
268 {
269 int j;
270 const union {
271 long one;
272 char little;
273 } is_endian = { 1 };
274
275 if (is_endian.little)
276 for (j = 0; j < 16; ++j) {
277 V = Htable[j];
278 Htable[j].hi = V.lo;
279 Htable[j].lo = V.hi;
280 } else
281 for (j = 0; j < 16; ++j) {
282 V = Htable[j];
283 Htable[j].hi = V.lo << 32 | V.lo >> 32;
284 Htable[j].lo = V.hi << 32 | V.hi >> 32;
285 }
286 }
287# endif
288}
289
290# ifndef GHASH_ASM
291static const size_t rem_4bit[16] = {
292 PACK(0x0000), PACK(0x1C20), PACK(0x3840), PACK(0x2460),
293 PACK(0x7080), PACK(0x6CA0), PACK(0x48C0), PACK(0x54E0),
294 PACK(0xE100), PACK(0xFD20), PACK(0xD940), PACK(0xC560),
295 PACK(0x9180), PACK(0x8DA0), PACK(0xA9C0), PACK(0xB5E0)
296};
297
298static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
299{
300 u128 Z;
301 int cnt = 15;
302 size_t rem, nlo, nhi;
303 const union {
304 long one;
305 char little;
306 } is_endian = { 1 };
307
308 nlo = ((const u8 *)Xi)[15];
309 nhi = nlo >> 4;
310 nlo &= 0xf;
311
312 Z.hi = Htable[nlo].hi;
313 Z.lo = Htable[nlo].lo;
314
315 while (1) {
316 rem = (size_t)Z.lo & 0xf;
317 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
318 Z.hi = (Z.hi >> 4);
319 if (sizeof(size_t) == 8)
320 Z.hi ^= rem_4bit[rem];
321 else
322 Z.hi ^= (u64)rem_4bit[rem] << 32;
323
324 Z.hi ^= Htable[nhi].hi;
325 Z.lo ^= Htable[nhi].lo;
326
327 if (--cnt < 0)
328 break;
329
330 nlo = ((const u8 *)Xi)[cnt];
331 nhi = nlo >> 4;
332 nlo &= 0xf;
333
334 rem = (size_t)Z.lo & 0xf;
335 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
336 Z.hi = (Z.hi >> 4);
337 if (sizeof(size_t) == 8)
338 Z.hi ^= rem_4bit[rem];
339 else
340 Z.hi ^= (u64)rem_4bit[rem] << 32;
341
342 Z.hi ^= Htable[nlo].hi;
343 Z.lo ^= Htable[nlo].lo;
344 }
345
346 if (is_endian.little) {
347# ifdef BSWAP8
348 Xi[0] = BSWAP8(Z.hi);
349 Xi[1] = BSWAP8(Z.lo);
350# else
351 u8 *p = (u8 *)Xi;
352 u32 v;
353 v = (u32)(Z.hi >> 32);
354 PUTU32(p, v);
355 v = (u32)(Z.hi);
356 PUTU32(p + 4, v);
357 v = (u32)(Z.lo >> 32);
358 PUTU32(p + 8, v);
359 v = (u32)(Z.lo);
360 PUTU32(p + 12, v);
361# endif
362 } else {
363 Xi[0] = Z.hi;
364 Xi[1] = Z.lo;
365 }
366}
367
368# if !defined(OPENSSL_SMALL_FOOTPRINT)
369/*
370 * Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
371 * details... Compiler-generated code doesn't seem to give any
372 * performance improvement, at least not on x86[_64]. It's here
373 * mostly as reference and a placeholder for possible future
374 * non-trivial optimization[s]...
375 */
376static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
377 const u8 *inp, size_t len)
378{
379 u128 Z;
380 int cnt;
381 size_t rem, nlo, nhi;
382 const union {
383 long one;
384 char little;
385 } is_endian = { 1 };
386
387# if 1
388 do {
389 cnt = 15;
390 nlo = ((const u8 *)Xi)[15];
391 nlo ^= inp[15];
392 nhi = nlo >> 4;
393 nlo &= 0xf;
394
395 Z.hi = Htable[nlo].hi;
396 Z.lo = Htable[nlo].lo;
397
398 while (1) {
399 rem = (size_t)Z.lo & 0xf;
400 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
401 Z.hi = (Z.hi >> 4);
402 if (sizeof(size_t) == 8)
403 Z.hi ^= rem_4bit[rem];
404 else
405 Z.hi ^= (u64)rem_4bit[rem] << 32;
406
407 Z.hi ^= Htable[nhi].hi;
408 Z.lo ^= Htable[nhi].lo;
409
410 if (--cnt < 0)
411 break;
412
413 nlo = ((const u8 *)Xi)[cnt];
414 nlo ^= inp[cnt];
415 nhi = nlo >> 4;
416 nlo &= 0xf;
417
418 rem = (size_t)Z.lo & 0xf;
419 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
420 Z.hi = (Z.hi >> 4);
421 if (sizeof(size_t) == 8)
422 Z.hi ^= rem_4bit[rem];
423 else
424 Z.hi ^= (u64)rem_4bit[rem] << 32;
425
426 Z.hi ^= Htable[nlo].hi;
427 Z.lo ^= Htable[nlo].lo;
428 }
429# else
430 /*
431 * Extra 256+16 bytes per-key plus 512 bytes shared tables
432 * [should] give ~50% improvement... One could have PACK()-ed
433 * the rem_8bit even here, but the priority is to minimize
434 * cache footprint...
435 */
436 u128 Hshr4[16]; /* Htable shifted right by 4 bits */
437 u8 Hshl4[16]; /* Htable shifted left by 4 bits */
438 static const unsigned short rem_8bit[256] = {
439 0x0000, 0x01C2, 0x0384, 0x0246, 0x0708, 0x06CA, 0x048C, 0x054E,
440 0x0E10, 0x0FD2, 0x0D94, 0x0C56, 0x0918, 0x08DA, 0x0A9C, 0x0B5E,
441 0x1C20, 0x1DE2, 0x1FA4, 0x1E66, 0x1B28, 0x1AEA, 0x18AC, 0x196E,
442 0x1230, 0x13F2, 0x11B4, 0x1076, 0x1538, 0x14FA, 0x16BC, 0x177E,
443 0x3840, 0x3982, 0x3BC4, 0x3A06, 0x3F48, 0x3E8A, 0x3CCC, 0x3D0E,
444 0x3650, 0x3792, 0x35D4, 0x3416, 0x3158, 0x309A, 0x32DC, 0x331E,
445 0x2460, 0x25A2, 0x27E4, 0x2626, 0x2368, 0x22AA, 0x20EC, 0x212E,
446 0x2A70, 0x2BB2, 0x29F4, 0x2836, 0x2D78, 0x2CBA, 0x2EFC, 0x2F3E,
447 0x7080, 0x7142, 0x7304, 0x72C6, 0x7788, 0x764A, 0x740C, 0x75CE,
448 0x7E90, 0x7F52, 0x7D14, 0x7CD6, 0x7998, 0x785A, 0x7A1C, 0x7BDE,
449 0x6CA0, 0x6D62, 0x6F24, 0x6EE6, 0x6BA8, 0x6A6A, 0x682C, 0x69EE,
450 0x62B0, 0x6372, 0x6134, 0x60F6, 0x65B8, 0x647A, 0x663C, 0x67FE,
451 0x48C0, 0x4902, 0x4B44, 0x4A86, 0x4FC8, 0x4E0A, 0x4C4C, 0x4D8E,
452 0x46D0, 0x4712, 0x4554, 0x4496, 0x41D8, 0x401A, 0x425C, 0x439E,
453 0x54E0, 0x5522, 0x5764, 0x56A6, 0x53E8, 0x522A, 0x506C, 0x51AE,
454 0x5AF0, 0x5B32, 0x5974, 0x58B6, 0x5DF8, 0x5C3A, 0x5E7C, 0x5FBE,
455 0xE100, 0xE0C2, 0xE284, 0xE346, 0xE608, 0xE7CA, 0xE58C, 0xE44E,
456 0xEF10, 0xEED2, 0xEC94, 0xED56, 0xE818, 0xE9DA, 0xEB9C, 0xEA5E,
457 0xFD20, 0xFCE2, 0xFEA4, 0xFF66, 0xFA28, 0xFBEA, 0xF9AC, 0xF86E,
458 0xF330, 0xF2F2, 0xF0B4, 0xF176, 0xF438, 0xF5FA, 0xF7BC, 0xF67E,
459 0xD940, 0xD882, 0xDAC4, 0xDB06, 0xDE48, 0xDF8A, 0xDDCC, 0xDC0E,
460 0xD750, 0xD692, 0xD4D4, 0xD516, 0xD058, 0xD19A, 0xD3DC, 0xD21E,
461 0xC560, 0xC4A2, 0xC6E4, 0xC726, 0xC268, 0xC3AA, 0xC1EC, 0xC02E,
462 0xCB70, 0xCAB2, 0xC8F4, 0xC936, 0xCC78, 0xCDBA, 0xCFFC, 0xCE3E,
463 0x9180, 0x9042, 0x9204, 0x93C6, 0x9688, 0x974A, 0x950C, 0x94CE,
464 0x9F90, 0x9E52, 0x9C14, 0x9DD6, 0x9898, 0x995A, 0x9B1C, 0x9ADE,
465 0x8DA0, 0x8C62, 0x8E24, 0x8FE6, 0x8AA8, 0x8B6A, 0x892C, 0x88EE,
466 0x83B0, 0x8272, 0x8034, 0x81F6, 0x84B8, 0x857A, 0x873C, 0x86FE,
467 0xA9C0, 0xA802, 0xAA44, 0xAB86, 0xAEC8, 0xAF0A, 0xAD4C, 0xAC8E,
468 0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
469 0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
470 0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE
471 };
472 /*
473 * This pre-processing phase slows down procedure by approximately
474 * same time as it makes each loop spin faster. In other words
475 * single block performance is approximately same as straightforward
476 * "4-bit" implementation, and then it goes only faster...
477 */
478 for (cnt = 0; cnt < 16; ++cnt) {
479 Z.hi = Htable[cnt].hi;
480 Z.lo = Htable[cnt].lo;
481 Hshr4[cnt].lo = (Z.hi << 60) | (Z.lo >> 4);
482 Hshr4[cnt].hi = (Z.hi >> 4);
483 Hshl4[cnt] = (u8)(Z.lo << 4);
484 }
485
486 do {
487 for (Z.lo = 0, Z.hi = 0, cnt = 15; cnt; --cnt) {
488 nlo = ((const u8 *)Xi)[cnt];
489 nlo ^= inp[cnt];
490 nhi = nlo >> 4;
491 nlo &= 0xf;
492
493 Z.hi ^= Htable[nlo].hi;
494 Z.lo ^= Htable[nlo].lo;
495
496 rem = (size_t)Z.lo & 0xff;
497
498 Z.lo = (Z.hi << 56) | (Z.lo >> 8);
499 Z.hi = (Z.hi >> 8);
500
501 Z.hi ^= Hshr4[nhi].hi;
502 Z.lo ^= Hshr4[nhi].lo;
503 Z.hi ^= (u64)rem_8bit[rem ^ Hshl4[nhi]] << 48;
504 }
505
506 nlo = ((const u8 *)Xi)[0];
507 nlo ^= inp[0];
508 nhi = nlo >> 4;
509 nlo &= 0xf;
510
511 Z.hi ^= Htable[nlo].hi;
512 Z.lo ^= Htable[nlo].lo;
513
514 rem = (size_t)Z.lo & 0xf;
515
516 Z.lo = (Z.hi << 60) | (Z.lo >> 4);
517 Z.hi = (Z.hi >> 4);
518
519 Z.hi ^= Htable[nhi].hi;
520 Z.lo ^= Htable[nhi].lo;
521 Z.hi ^= ((u64)rem_8bit[rem << 4]) << 48;
522# endif
523
524 if (is_endian.little) {
525# ifdef BSWAP8
526 Xi[0] = BSWAP8(Z.hi);
527 Xi[1] = BSWAP8(Z.lo);
528# else
529 u8 *p = (u8 *)Xi;
530 u32 v;
531 v = (u32)(Z.hi >> 32);
532 PUTU32(p, v);
533 v = (u32)(Z.hi);
534 PUTU32(p + 4, v);
535 v = (u32)(Z.lo >> 32);
536 PUTU32(p + 8, v);
537 v = (u32)(Z.lo);
538 PUTU32(p + 12, v);
539# endif
540 } else {
541 Xi[0] = Z.hi;
542 Xi[1] = Z.lo;
543 }
544 } while (inp += 16, len -= 16);
545}
546# endif
547# else
548void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);
549void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp,
550 size_t len);
551# endif
552
553# define GCM_MUL(ctx,Xi) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
554# if defined(GHASH_ASM) || !defined(OPENSSL_SMALL_FOOTPRINT)
555# define GHASH(ctx,in,len) gcm_ghash_4bit((ctx)->Xi.u,(ctx)->Htable,in,len)
556/*
557 * GHASH_CHUNK is "stride parameter" missioned to mitigate cache trashing
558 * effect. In other words idea is to hash data while it's still in L1 cache
559 * after encryption pass...
560 */
561# define GHASH_CHUNK (3*1024)
562# endif
563
564#else /* TABLE_BITS */
565
566static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
567{
568 u128 V, Z = { 0, 0 };
569 long X;
570 int i, j;
571 const long *xi = (const long *)Xi;
572 const union {
573 long one;
574 char little;
575 } is_endian = { 1 };
576
577 V.hi = H[0]; /* H is in host byte order, no byte swapping */
578 V.lo = H[1];
579
580 for (j = 0; j < 16 / sizeof(long); ++j) {
581 if (is_endian.little) {
582 if (sizeof(long) == 8) {
583# ifdef BSWAP8
584 X = (long)(BSWAP8(xi[j]));
585# else
586 const u8 *p = (const u8 *)(xi + j);
587 X = (long)((u64)GETU32(p) << 32 | GETU32(p + 4));
588# endif
589 } else {
590 const u8 *p = (const u8 *)(xi + j);
591 X = (long)GETU32(p);
592 }
593 } else
594 X = xi[j];
595
596 for (i = 0; i < 8 * sizeof(long); ++i, X <<= 1) {
597 u64 M = (u64)(X >> (8 * sizeof(long) - 1));
598 Z.hi ^= V.hi & M;
599 Z.lo ^= V.lo & M;
600
601 REDUCE1BIT(V);
602 }
603 }
604
605 if (is_endian.little) {
606# ifdef BSWAP8
607 Xi[0] = BSWAP8(Z.hi);
608 Xi[1] = BSWAP8(Z.lo);
609# else
610 u8 *p = (u8 *)Xi;
611 u32 v;
612 v = (u32)(Z.hi >> 32);
613 PUTU32(p, v);
614 v = (u32)(Z.hi);
615 PUTU32(p + 4, v);
616 v = (u32)(Z.lo >> 32);
617 PUTU32(p + 8, v);
618 v = (u32)(Z.lo);
619 PUTU32(p + 12, v);
620# endif
621 } else {
622 Xi[0] = Z.hi;
623 Xi[1] = Z.lo;
624 }
625}
626
627# define GCM_MUL(ctx,Xi) gcm_gmult_1bit(ctx->Xi.u,ctx->H.u)
628
629#endif
630
631#if TABLE_BITS==4 && (defined(GHASH_ASM) || defined(OPENSSL_CPUID_OBJ))
632# if !defined(I386_ONLY) && \
633 (defined(__i386) || defined(__i386__) || \
634 defined(__x86_64) || defined(__x86_64__) || \
635 defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
636# define GHASH_ASM_X86_OR_64
637# define GCM_FUNCREF_4BIT
638extern unsigned int OPENSSL_ia32cap_P[];
639
640void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]);
641void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]);
642void gcm_ghash_clmul(u64 Xi[2], const u128 Htable[16], const u8 *inp,
643 size_t len);
644
645# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
646# define gcm_init_avx gcm_init_clmul
647# define gcm_gmult_avx gcm_gmult_clmul
648# define gcm_ghash_avx gcm_ghash_clmul
649# else
650void gcm_init_avx(u128 Htable[16], const u64 Xi[2]);
651void gcm_gmult_avx(u64 Xi[2], const u128 Htable[16]);
652void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *inp,
653 size_t len);
654# endif
655
656# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
657# define GHASH_ASM_X86
658void gcm_gmult_4bit_mmx(u64 Xi[2], const u128 Htable[16]);
659void gcm_ghash_4bit_mmx(u64 Xi[2], const u128 Htable[16], const u8 *inp,
660 size_t len);
661
662void gcm_gmult_4bit_x86(u64 Xi[2], const u128 Htable[16]);
663void gcm_ghash_4bit_x86(u64 Xi[2], const u128 Htable[16], const u8 *inp,
664 size_t len);
665# endif
666# elif defined(__arm__) || defined(__arm) || defined(__aarch64__)
667# include "arm_arch.h"
668# if __ARM_MAX_ARCH__>=7
669# define GHASH_ASM_ARM
670# define GCM_FUNCREF_4BIT
671# define PMULL_CAPABLE (OPENSSL_armcap_P & ARMV8_PMULL)
672# if defined(__arm__) || defined(__arm)
673# define NEON_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
674# endif
675void gcm_init_neon(u128 Htable[16], const u64 Xi[2]);
676void gcm_gmult_neon(u64 Xi[2], const u128 Htable[16]);
677void gcm_ghash_neon(u64 Xi[2], const u128 Htable[16], const u8 *inp,
678 size_t len);
679void gcm_init_v8(u128 Htable[16], const u64 Xi[2]);
680void gcm_gmult_v8(u64 Xi[2], const u128 Htable[16]);
681void gcm_ghash_v8(u64 Xi[2], const u128 Htable[16], const u8 *inp,
682 size_t len);
683# endif
684# elif defined(__sparc__) || defined(__sparc)
685# include "sparc_arch.h"
686# define GHASH_ASM_SPARC
687# define GCM_FUNCREF_4BIT
688extern unsigned int OPENSSL_sparcv9cap_P[];
689void gcm_init_vis3(u128 Htable[16], const u64 Xi[2]);
690void gcm_gmult_vis3(u64 Xi[2], const u128 Htable[16]);
691void gcm_ghash_vis3(u64 Xi[2], const u128 Htable[16], const u8 *inp,
692 size_t len);
693# elif defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
694# include "ppc_arch.h"
695# define GHASH_ASM_PPC
696# define GCM_FUNCREF_4BIT
697void gcm_init_p8(u128 Htable[16], const u64 Xi[2]);
698void gcm_gmult_p8(u64 Xi[2], const u128 Htable[16]);
699void gcm_ghash_p8(u64 Xi[2], const u128 Htable[16], const u8 *inp,
700 size_t len);
701# endif
702#endif
703
704#ifdef GCM_FUNCREF_4BIT
705# undef GCM_MUL
706# define GCM_MUL(ctx,Xi) (*gcm_gmult_p)(ctx->Xi.u,ctx->Htable)
707# ifdef GHASH
708# undef GHASH
709# define GHASH(ctx,in,len) (*gcm_ghash_p)(ctx->Xi.u,ctx->Htable,in,len)
710# endif
711#endif
712
713void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
714{
715 const union {
716 long one;
717 char little;
718 } is_endian = { 1 };
719
720 memset(ctx, 0, sizeof(*ctx));
721 ctx->block = block;
722 ctx->key = key;
723
724 (*block) (ctx->H.c, ctx->H.c, key);
725
726 if (is_endian.little) {
727 /* H is stored in host byte order */
728#ifdef BSWAP8
729 ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
730 ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
731#else
732 u8 *p = ctx->H.c;
733 u64 hi, lo;
734 hi = (u64)GETU32(p) << 32 | GETU32(p + 4);
735 lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12);
736 ctx->H.u[0] = hi;
737 ctx->H.u[1] = lo;
738#endif
739 }
740#if TABLE_BITS==8
741 gcm_init_8bit(ctx->Htable, ctx->H.u);
742#elif TABLE_BITS==4
743# if defined(GHASH)
744# define CTX__GHASH(f) (ctx->ghash = (f))
745# else
746# define CTX__GHASH(f) (ctx->ghash = NULL)
747# endif
748# if defined(GHASH_ASM_X86_OR_64)
749# if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
750 if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */
751 OPENSSL_ia32cap_P[1] & (1 << 1)) { /* check PCLMULQDQ bit */
752 if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
753 gcm_init_avx(ctx->Htable, ctx->H.u);
754 ctx->gmult = gcm_gmult_avx;
755 CTX__GHASH(gcm_ghash_avx);
756 } else {
757 gcm_init_clmul(ctx->Htable, ctx->H.u);
758 ctx->gmult = gcm_gmult_clmul;
759 CTX__GHASH(gcm_ghash_clmul);
760 }
761 return;
762 }
763# endif
764 gcm_init_4bit(ctx->Htable, ctx->H.u);
765# if defined(GHASH_ASM_X86) /* x86 only */
766# if defined(OPENSSL_IA32_SSE2)
767 if (OPENSSL_ia32cap_P[0] & (1 << 25)) { /* check SSE bit */
768# else
769 if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */
770# endif
771 ctx->gmult = gcm_gmult_4bit_mmx;
772 CTX__GHASH(gcm_ghash_4bit_mmx);
773 } else {
774 ctx->gmult = gcm_gmult_4bit_x86;
775 CTX__GHASH(gcm_ghash_4bit_x86);
776 }
777# else
778 ctx->gmult = gcm_gmult_4bit;
779 CTX__GHASH(gcm_ghash_4bit);
780# endif
781# elif defined(GHASH_ASM_ARM)
782# ifdef PMULL_CAPABLE
783 if (PMULL_CAPABLE) {
784 gcm_init_v8(ctx->Htable, ctx->H.u);
785 ctx->gmult = gcm_gmult_v8;
786 CTX__GHASH(gcm_ghash_v8);
787 } else
788# endif
789# ifdef NEON_CAPABLE
790 if (NEON_CAPABLE) {
791 gcm_init_neon(ctx->Htable, ctx->H.u);
792 ctx->gmult = gcm_gmult_neon;
793 CTX__GHASH(gcm_ghash_neon);
794 } else
795# endif
796 {
797 gcm_init_4bit(ctx->Htable, ctx->H.u);
798 ctx->gmult = gcm_gmult_4bit;
799 CTX__GHASH(gcm_ghash_4bit);
800 }
801# elif defined(GHASH_ASM_SPARC)
802 if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) {
803 gcm_init_vis3(ctx->Htable, ctx->H.u);
804 ctx->gmult = gcm_gmult_vis3;
805 CTX__GHASH(gcm_ghash_vis3);
806 } else {
807 gcm_init_4bit(ctx->Htable, ctx->H.u);
808 ctx->gmult = gcm_gmult_4bit;
809 CTX__GHASH(gcm_ghash_4bit);
810 }
811# elif defined(GHASH_ASM_PPC)
812 if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
813 gcm_init_p8(ctx->Htable, ctx->H.u);
814 ctx->gmult = gcm_gmult_p8;
815 CTX__GHASH(gcm_ghash_p8);
816 } else {
817 gcm_init_4bit(ctx->Htable, ctx->H.u);
818 ctx->gmult = gcm_gmult_4bit;
819 CTX__GHASH(gcm_ghash_4bit);
820 }
821# else
822 gcm_init_4bit(ctx->Htable, ctx->H.u);
823# endif
824# undef CTX__GHASH
825#endif
826}
827
828void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv,
829 size_t len)
830{
831 const union {
832 long one;
833 char little;
834 } is_endian = { 1 };
835 unsigned int ctr;
836#ifdef GCM_FUNCREF_4BIT
837 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
838#endif
839
840 ctx->Yi.u[0] = 0;
841 ctx->Yi.u[1] = 0;
842 ctx->Xi.u[0] = 0;
843 ctx->Xi.u[1] = 0;
844 ctx->len.u[0] = 0; /* AAD length */
845 ctx->len.u[1] = 0; /* message length */
846 ctx->ares = 0;
847 ctx->mres = 0;
848
849 if (len == 12) {
850 memcpy(ctx->Yi.c, iv, 12);
851 ctx->Yi.c[15] = 1;
852 ctr = 1;
853 } else {
854 size_t i;
855 u64 len0 = len;
856
857 while (len >= 16) {
858 for (i = 0; i < 16; ++i)
859 ctx->Yi.c[i] ^= iv[i];
860 GCM_MUL(ctx, Yi);
861 iv += 16;
862 len -= 16;
863 }
864 if (len) {
865 for (i = 0; i < len; ++i)
866 ctx->Yi.c[i] ^= iv[i];
867 GCM_MUL(ctx, Yi);
868 }
869 len0 <<= 3;
870 if (is_endian.little) {
871#ifdef BSWAP8
872 ctx->Yi.u[1] ^= BSWAP8(len0);
873#else
874 ctx->Yi.c[8] ^= (u8)(len0 >> 56);
875 ctx->Yi.c[9] ^= (u8)(len0 >> 48);
876 ctx->Yi.c[10] ^= (u8)(len0 >> 40);
877 ctx->Yi.c[11] ^= (u8)(len0 >> 32);
878 ctx->Yi.c[12] ^= (u8)(len0 >> 24);
879 ctx->Yi.c[13] ^= (u8)(len0 >> 16);
880 ctx->Yi.c[14] ^= (u8)(len0 >> 8);
881 ctx->Yi.c[15] ^= (u8)(len0);
882#endif
883 } else
884 ctx->Yi.u[1] ^= len0;
885
886 GCM_MUL(ctx, Yi);
887
888 if (is_endian.little)
889#ifdef BSWAP4
890 ctr = BSWAP4(ctx->Yi.d[3]);
891#else
892 ctr = GETU32(ctx->Yi.c + 12);
893#endif
894 else
895 ctr = ctx->Yi.d[3];
896 }
897
898 (*ctx->block) (ctx->Yi.c, ctx->EK0.c, ctx->key);
899 ++ctr;
900 if (is_endian.little)
901#ifdef BSWAP4
902 ctx->Yi.d[3] = BSWAP4(ctr);
903#else
904 PUTU32(ctx->Yi.c + 12, ctr);
905#endif
906 else
907 ctx->Yi.d[3] = ctr;
908}
909
910int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad,
911 size_t len)
912{
913 size_t i;
914 unsigned int n;
915 u64 alen = ctx->len.u[0];
916#ifdef GCM_FUNCREF_4BIT
917 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
918# ifdef GHASH
919 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
920 const u8 *inp, size_t len) = ctx->ghash;
921# endif
922#endif
923
924 if (ctx->len.u[1])
925 return -2;
926
927 alen += len;
928 if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
929 return -1;
930 ctx->len.u[0] = alen;
931
932 n = ctx->ares;
933 if (n) {
934 while (n && len) {
935 ctx->Xi.c[n] ^= *(aad++);
936 --len;
937 n = (n + 1) % 16;
938 }
939 if (n == 0)
940 GCM_MUL(ctx, Xi);
941 else {
942 ctx->ares = n;
943 return 0;
944 }
945 }
946#ifdef GHASH
947 if ((i = (len & (size_t)-16))) {
948 GHASH(ctx, aad, i);
949 aad += i;
950 len -= i;
951 }
952#else
953 while (len >= 16) {
954 for (i = 0; i < 16; ++i)
955 ctx->Xi.c[i] ^= aad[i];
956 GCM_MUL(ctx, Xi);
957 aad += 16;
958 len -= 16;
959 }
960#endif
961 if (len) {
962 n = (unsigned int)len;
963 for (i = 0; i < len; ++i)
964 ctx->Xi.c[i] ^= aad[i];
965 }
966
967 ctx->ares = n;
968 return 0;
969}
970
971int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
972 const unsigned char *in, unsigned char *out,
973 size_t len)
974{
975 const union {
976 long one;
977 char little;
978 } is_endian = { 1 };
979 unsigned int n, ctr;
980 size_t i;
981 u64 mlen = ctx->len.u[1];
982 block128_f block = ctx->block;
983 void *key = ctx->key;
984#ifdef GCM_FUNCREF_4BIT
985 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
986# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
987 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
988 const u8 *inp, size_t len) = ctx->ghash;
989# endif
990#endif
991
992 mlen += len;
993 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
994 return -1;
995 ctx->len.u[1] = mlen;
996
997 if (ctx->ares) {
998 /* First call to encrypt finalizes GHASH(AAD) */
999 GCM_MUL(ctx, Xi);
1000 ctx->ares = 0;
1001 }
1002
1003 if (is_endian.little)
1004#ifdef BSWAP4
1005 ctr = BSWAP4(ctx->Yi.d[3]);
1006#else
1007 ctr = GETU32(ctx->Yi.c + 12);
1008#endif
1009 else
1010 ctr = ctx->Yi.d[3];
1011
1012 n = ctx->mres;
1013#if !defined(OPENSSL_SMALL_FOOTPRINT)
1014 if (16 % sizeof(size_t) == 0) { /* always true actually */
1015 do {
1016 if (n) {
1017 while (n && len) {
1018 ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
1019 --len;
1020 n = (n + 1) % 16;
1021 }
1022 if (n == 0)
1023 GCM_MUL(ctx, Xi);
1024 else {
1025 ctx->mres = n;
1026 return 0;
1027 }
1028 }
1029# if defined(STRICT_ALIGNMENT)
1030 if (((size_t)in | (size_t)out) % sizeof(size_t) != 0)
1031 break;
1032# endif
1033# if defined(GHASH)
1034# if defined(GHASH_CHUNK)
1035 while (len >= GHASH_CHUNK) {
1036 size_t j = GHASH_CHUNK;
1037
1038 while (j) {
1039 size_t *out_t = (size_t *)out;
1040 const size_t *in_t = (const size_t *)in;
1041
1042 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1043 ++ctr;
1044 if (is_endian.little)
1045# ifdef BSWAP4
1046 ctx->Yi.d[3] = BSWAP4(ctr);
1047# else
1048 PUTU32(ctx->Yi.c + 12, ctr);
1049# endif
1050 else
1051 ctx->Yi.d[3] = ctr;
1052 for (i = 0; i < 16 / sizeof(size_t); ++i)
1053 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1054 out += 16;
1055 in += 16;
1056 j -= 16;
1057 }
1058 GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK);
1059 len -= GHASH_CHUNK;
1060 }
1061# endif
1062 if ((i = (len & (size_t)-16))) {
1063 size_t j = i;
1064
1065 while (len >= 16) {
1066 size_t *out_t = (size_t *)out;
1067 const size_t *in_t = (const size_t *)in;
1068
1069 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1070 ++ctr;
1071 if (is_endian.little)
1072# ifdef BSWAP4
1073 ctx->Yi.d[3] = BSWAP4(ctr);
1074# else
1075 PUTU32(ctx->Yi.c + 12, ctr);
1076# endif
1077 else
1078 ctx->Yi.d[3] = ctr;
1079 for (i = 0; i < 16 / sizeof(size_t); ++i)
1080 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1081 out += 16;
1082 in += 16;
1083 len -= 16;
1084 }
1085 GHASH(ctx, out - j, j);
1086 }
1087# else
1088 while (len >= 16) {
1089 size_t *out_t = (size_t *)out;
1090 const size_t *in_t = (const size_t *)in;
1091
1092 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1093 ++ctr;
1094 if (is_endian.little)
1095# ifdef BSWAP4
1096 ctx->Yi.d[3] = BSWAP4(ctr);
1097# else
1098 PUTU32(ctx->Yi.c + 12, ctr);
1099# endif
1100 else
1101 ctx->Yi.d[3] = ctr;
1102 for (i = 0; i < 16 / sizeof(size_t); ++i)
1103 ctx->Xi.t[i] ^= out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1104 GCM_MUL(ctx, Xi);
1105 out += 16;
1106 in += 16;
1107 len -= 16;
1108 }
1109# endif
1110 if (len) {
1111 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1112 ++ctr;
1113 if (is_endian.little)
1114# ifdef BSWAP4
1115 ctx->Yi.d[3] = BSWAP4(ctr);
1116# else
1117 PUTU32(ctx->Yi.c + 12, ctr);
1118# endif
1119 else
1120 ctx->Yi.d[3] = ctr;
1121 while (len--) {
1122 ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
1123 ++n;
1124 }
1125 }
1126
1127 ctx->mres = n;
1128 return 0;
1129 } while (0);
1130 }
1131#endif
1132 for (i = 0; i < len; ++i) {
1133 if (n == 0) {
1134 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1135 ++ctr;
1136 if (is_endian.little)
1137#ifdef BSWAP4
1138 ctx->Yi.d[3] = BSWAP4(ctr);
1139#else
1140 PUTU32(ctx->Yi.c + 12, ctr);
1141#endif
1142 else
1143 ctx->Yi.d[3] = ctr;
1144 }
1145 ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];
1146 n = (n + 1) % 16;
1147 if (n == 0)
1148 GCM_MUL(ctx, Xi);
1149 }
1150
1151 ctx->mres = n;
1152 return 0;
1153}
1154
1155int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1156 const unsigned char *in, unsigned char *out,
1157 size_t len)
1158{
1159 const union {
1160 long one;
1161 char little;
1162 } is_endian = { 1 };
1163 unsigned int n, ctr;
1164 size_t i;
1165 u64 mlen = ctx->len.u[1];
1166 block128_f block = ctx->block;
1167 void *key = ctx->key;
1168#ifdef GCM_FUNCREF_4BIT
1169 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1170# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
1171 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
1172 const u8 *inp, size_t len) = ctx->ghash;
1173# endif
1174#endif
1175
1176 mlen += len;
1177 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1178 return -1;
1179 ctx->len.u[1] = mlen;
1180
1181 if (ctx->ares) {
1182 /* First call to decrypt finalizes GHASH(AAD) */
1183 GCM_MUL(ctx, Xi);
1184 ctx->ares = 0;
1185 }
1186
1187 if (is_endian.little)
1188#ifdef BSWAP4
1189 ctr = BSWAP4(ctx->Yi.d[3]);
1190#else
1191 ctr = GETU32(ctx->Yi.c + 12);
1192#endif
1193 else
1194 ctr = ctx->Yi.d[3];
1195
1196 n = ctx->mres;
1197#if !defined(OPENSSL_SMALL_FOOTPRINT)
1198 if (16 % sizeof(size_t) == 0) { /* always true actually */
1199 do {
1200 if (n) {
1201 while (n && len) {
1202 u8 c = *(in++);
1203 *(out++) = c ^ ctx->EKi.c[n];
1204 ctx->Xi.c[n] ^= c;
1205 --len;
1206 n = (n + 1) % 16;
1207 }
1208 if (n == 0)
1209 GCM_MUL(ctx, Xi);
1210 else {
1211 ctx->mres = n;
1212 return 0;
1213 }
1214 }
1215# if defined(STRICT_ALIGNMENT)
1216 if (((size_t)in | (size_t)out) % sizeof(size_t) != 0)
1217 break;
1218# endif
1219# if defined(GHASH)
1220# if defined(GHASH_CHUNK)
1221 while (len >= GHASH_CHUNK) {
1222 size_t j = GHASH_CHUNK;
1223
1224 GHASH(ctx, in, GHASH_CHUNK);
1225 while (j) {
1226 size_t *out_t = (size_t *)out;
1227 const size_t *in_t = (const size_t *)in;
1228
1229 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1230 ++ctr;
1231 if (is_endian.little)
1232# ifdef BSWAP4
1233 ctx->Yi.d[3] = BSWAP4(ctr);
1234# else
1235 PUTU32(ctx->Yi.c + 12, ctr);
1236# endif
1237 else
1238 ctx->Yi.d[3] = ctr;
1239 for (i = 0; i < 16 / sizeof(size_t); ++i)
1240 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1241 out += 16;
1242 in += 16;
1243 j -= 16;
1244 }
1245 len -= GHASH_CHUNK;
1246 }
1247# endif
1248 if ((i = (len & (size_t)-16))) {
1249 GHASH(ctx, in, i);
1250 while (len >= 16) {
1251 size_t *out_t = (size_t *)out;
1252 const size_t *in_t = (const size_t *)in;
1253
1254 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1255 ++ctr;
1256 if (is_endian.little)
1257# ifdef BSWAP4
1258 ctx->Yi.d[3] = BSWAP4(ctr);
1259# else
1260 PUTU32(ctx->Yi.c + 12, ctr);
1261# endif
1262 else
1263 ctx->Yi.d[3] = ctr;
1264 for (i = 0; i < 16 / sizeof(size_t); ++i)
1265 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
1266 out += 16;
1267 in += 16;
1268 len -= 16;
1269 }
1270 }
1271# else
1272 while (len >= 16) {
1273 size_t *out_t = (size_t *)out;
1274 const size_t *in_t = (const size_t *)in;
1275
1276 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1277 ++ctr;
1278 if (is_endian.little)
1279# ifdef BSWAP4
1280 ctx->Yi.d[3] = BSWAP4(ctr);
1281# else
1282 PUTU32(ctx->Yi.c + 12, ctr);
1283# endif
1284 else
1285 ctx->Yi.d[3] = ctr;
1286 for (i = 0; i < 16 / sizeof(size_t); ++i) {
1287 size_t c = in[i];
1288 out[i] = c ^ ctx->EKi.t[i];
1289 ctx->Xi.t[i] ^= c;
1290 }
1291 GCM_MUL(ctx, Xi);
1292 out += 16;
1293 in += 16;
1294 len -= 16;
1295 }
1296# endif
1297 if (len) {
1298 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1299 ++ctr;
1300 if (is_endian.little)
1301# ifdef BSWAP4
1302 ctx->Yi.d[3] = BSWAP4(ctr);
1303# else
1304 PUTU32(ctx->Yi.c + 12, ctr);
1305# endif
1306 else
1307 ctx->Yi.d[3] = ctr;
1308 while (len--) {
1309 u8 c = in[n];
1310 ctx->Xi.c[n] ^= c;
1311 out[n] = c ^ ctx->EKi.c[n];
1312 ++n;
1313 }
1314 }
1315
1316 ctx->mres = n;
1317 return 0;
1318 } while (0);
1319 }
1320#endif
1321 for (i = 0; i < len; ++i) {
1322 u8 c;
1323 if (n == 0) {
1324 (*block) (ctx->Yi.c, ctx->EKi.c, key);
1325 ++ctr;
1326 if (is_endian.little)
1327#ifdef BSWAP4
1328 ctx->Yi.d[3] = BSWAP4(ctr);
1329#else
1330 PUTU32(ctx->Yi.c + 12, ctr);
1331#endif
1332 else
1333 ctx->Yi.d[3] = ctr;
1334 }
1335 c = in[i];
1336 out[i] = c ^ ctx->EKi.c[n];
1337 ctx->Xi.c[n] ^= c;
1338 n = (n + 1) % 16;
1339 if (n == 0)
1340 GCM_MUL(ctx, Xi);
1341 }
1342
1343 ctx->mres = n;
1344 return 0;
1345}
1346
1347int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1348 const unsigned char *in, unsigned char *out,
1349 size_t len, ctr128_f stream)
1350{
1351#if defined(OPENSSL_SMALL_FOOTPRINT)
1352 return CRYPTO_gcm128_encrypt(ctx, in, out, len);
1353#else
1354 const union {
1355 long one;
1356 char little;
1357 } is_endian = { 1 };
1358 unsigned int n, ctr;
1359 size_t i;
1360 u64 mlen = ctx->len.u[1];
1361 void *key = ctx->key;
1362# ifdef GCM_FUNCREF_4BIT
1363 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1364# ifdef GHASH
1365 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
1366 const u8 *inp, size_t len) = ctx->ghash;
1367# endif
1368# endif
1369
1370 mlen += len;
1371 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1372 return -1;
1373 ctx->len.u[1] = mlen;
1374
1375 if (ctx->ares) {
1376 /* First call to encrypt finalizes GHASH(AAD) */
1377 GCM_MUL(ctx, Xi);
1378 ctx->ares = 0;
1379 }
1380
1381 if (is_endian.little)
1382# ifdef BSWAP4
1383 ctr = BSWAP4(ctx->Yi.d[3]);
1384# else
1385 ctr = GETU32(ctx->Yi.c + 12);
1386# endif
1387 else
1388 ctr = ctx->Yi.d[3];
1389
1390 n = ctx->mres;
1391 if (n) {
1392 while (n && len) {
1393 ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
1394 --len;
1395 n = (n + 1) % 16;
1396 }
1397 if (n == 0)
1398 GCM_MUL(ctx, Xi);
1399 else {
1400 ctx->mres = n;
1401 return 0;
1402 }
1403 }
1404# if defined(GHASH) && defined(GHASH_CHUNK)
1405 while (len >= GHASH_CHUNK) {
1406 (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
1407 ctr += GHASH_CHUNK / 16;
1408 if (is_endian.little)
1409# ifdef BSWAP4
1410 ctx->Yi.d[3] = BSWAP4(ctr);
1411# else
1412 PUTU32(ctx->Yi.c + 12, ctr);
1413# endif
1414 else
1415 ctx->Yi.d[3] = ctr;
1416 GHASH(ctx, out, GHASH_CHUNK);
1417 out += GHASH_CHUNK;
1418 in += GHASH_CHUNK;
1419 len -= GHASH_CHUNK;
1420 }
1421# endif
1422 if ((i = (len & (size_t)-16))) {
1423 size_t j = i / 16;
1424
1425 (*stream) (in, out, j, key, ctx->Yi.c);
1426 ctr += (unsigned int)j;
1427 if (is_endian.little)
1428# ifdef BSWAP4
1429 ctx->Yi.d[3] = BSWAP4(ctr);
1430# else
1431 PUTU32(ctx->Yi.c + 12, ctr);
1432# endif
1433 else
1434 ctx->Yi.d[3] = ctr;
1435 in += i;
1436 len -= i;
1437# if defined(GHASH)
1438 GHASH(ctx, out, i);
1439 out += i;
1440# else
1441 while (j--) {
1442 for (i = 0; i < 16; ++i)
1443 ctx->Xi.c[i] ^= out[i];
1444 GCM_MUL(ctx, Xi);
1445 out += 16;
1446 }
1447# endif
1448 }
1449 if (len) {
1450 (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key);
1451 ++ctr;
1452 if (is_endian.little)
1453# ifdef BSWAP4
1454 ctx->Yi.d[3] = BSWAP4(ctr);
1455# else
1456 PUTU32(ctx->Yi.c + 12, ctr);
1457# endif
1458 else
1459 ctx->Yi.d[3] = ctr;
1460 while (len--) {
1461 ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
1462 ++n;
1463 }
1464 }
1465
1466 ctx->mres = n;
1467 return 0;
1468#endif
1469}
1470
1471int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1472 const unsigned char *in, unsigned char *out,
1473 size_t len, ctr128_f stream)
1474{
1475#if defined(OPENSSL_SMALL_FOOTPRINT)
1476 return CRYPTO_gcm128_decrypt(ctx, in, out, len);
1477#else
1478 const union {
1479 long one;
1480 char little;
1481 } is_endian = { 1 };
1482 unsigned int n, ctr;
1483 size_t i;
1484 u64 mlen = ctx->len.u[1];
1485 void *key = ctx->key;
1486# ifdef GCM_FUNCREF_4BIT
1487 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1488# ifdef GHASH
1489 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
1490 const u8 *inp, size_t len) = ctx->ghash;
1491# endif
1492# endif
1493
1494 mlen += len;
1495 if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
1496 return -1;
1497 ctx->len.u[1] = mlen;
1498
1499 if (ctx->ares) {
1500 /* First call to decrypt finalizes GHASH(AAD) */
1501 GCM_MUL(ctx, Xi);
1502 ctx->ares = 0;
1503 }
1504
1505 if (is_endian.little)
1506# ifdef BSWAP4
1507 ctr = BSWAP4(ctx->Yi.d[3]);
1508# else
1509 ctr = GETU32(ctx->Yi.c + 12);
1510# endif
1511 else
1512 ctr = ctx->Yi.d[3];
1513
1514 n = ctx->mres;
1515 if (n) {
1516 while (n && len) {
1517 u8 c = *(in++);
1518 *(out++) = c ^ ctx->EKi.c[n];
1519 ctx->Xi.c[n] ^= c;
1520 --len;
1521 n = (n + 1) % 16;
1522 }
1523 if (n == 0)
1524 GCM_MUL(ctx, Xi);
1525 else {
1526 ctx->mres = n;
1527 return 0;
1528 }
1529 }
1530# if defined(GHASH) && defined(GHASH_CHUNK)
1531 while (len >= GHASH_CHUNK) {
1532 GHASH(ctx, in, GHASH_CHUNK);
1533 (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
1534 ctr += GHASH_CHUNK / 16;
1535 if (is_endian.little)
1536# ifdef BSWAP4
1537 ctx->Yi.d[3] = BSWAP4(ctr);
1538# else
1539 PUTU32(ctx->Yi.c + 12, ctr);
1540# endif
1541 else
1542 ctx->Yi.d[3] = ctr;
1543 out += GHASH_CHUNK;
1544 in += GHASH_CHUNK;
1545 len -= GHASH_CHUNK;
1546 }
1547# endif
1548 if ((i = (len & (size_t)-16))) {
1549 size_t j = i / 16;
1550
1551# if defined(GHASH)
1552 GHASH(ctx, in, i);
1553# else
1554 while (j--) {
1555 size_t k;
1556 for (k = 0; k < 16; ++k)
1557 ctx->Xi.c[k] ^= in[k];
1558 GCM_MUL(ctx, Xi);
1559 in += 16;
1560 }
1561 j = i / 16;
1562 in -= i;
1563# endif
1564 (*stream) (in, out, j, key, ctx->Yi.c);
1565 ctr += (unsigned int)j;
1566 if (is_endian.little)
1567# ifdef BSWAP4
1568 ctx->Yi.d[3] = BSWAP4(ctr);
1569# else
1570 PUTU32(ctx->Yi.c + 12, ctr);
1571# endif
1572 else
1573 ctx->Yi.d[3] = ctr;
1574 out += i;
1575 in += i;
1576 len -= i;
1577 }
1578 if (len) {
1579 (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key);
1580 ++ctr;
1581 if (is_endian.little)
1582# ifdef BSWAP4
1583 ctx->Yi.d[3] = BSWAP4(ctr);
1584# else
1585 PUTU32(ctx->Yi.c + 12, ctr);
1586# endif
1587 else
1588 ctx->Yi.d[3] = ctr;
1589 while (len--) {
1590 u8 c = in[n];
1591 ctx->Xi.c[n] ^= c;
1592 out[n] = c ^ ctx->EKi.c[n];
1593 ++n;
1594 }
1595 }
1596
1597 ctx->mres = n;
1598 return 0;
1599#endif
1600}
1601
1602int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
1603 size_t len)
1604{
1605 const union {
1606 long one;
1607 char little;
1608 } is_endian = { 1 };
1609 u64 alen = ctx->len.u[0] << 3;
1610 u64 clen = ctx->len.u[1] << 3;
1611#ifdef GCM_FUNCREF_4BIT
1612 void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
1613#endif
1614
1615 if (ctx->mres || ctx->ares)
1616 GCM_MUL(ctx, Xi);
1617
1618 if (is_endian.little) {
1619#ifdef BSWAP8
1620 alen = BSWAP8(alen);
1621 clen = BSWAP8(clen);
1622#else
1623 u8 *p = ctx->len.c;
1624
1625 ctx->len.u[0] = alen;
1626 ctx->len.u[1] = clen;
1627
1628 alen = (u64)GETU32(p) << 32 | GETU32(p + 4);
1629 clen = (u64)GETU32(p + 8) << 32 | GETU32(p + 12);
1630#endif
1631 }
1632
1633 ctx->Xi.u[0] ^= alen;
1634 ctx->Xi.u[1] ^= clen;
1635 GCM_MUL(ctx, Xi);
1636
1637 ctx->Xi.u[0] ^= ctx->EK0.u[0];
1638 ctx->Xi.u[1] ^= ctx->EK0.u[1];
1639
1640 if (tag && len <= sizeof(ctx->Xi))
1641 return CRYPTO_memcmp(ctx->Xi.c, tag, len);
1642 else
1643 return -1;
1644}
1645
1646void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
1647{
1648 CRYPTO_gcm128_finish(ctx, NULL, 0);
1649 memcpy(tag, ctx->Xi.c,
1650 len <= sizeof(ctx->Xi.c) ? len : sizeof(ctx->Xi.c));
1651}
1652
1653GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
1654{
1655 GCM128_CONTEXT *ret;
1656
1657 if ((ret = OPENSSL_malloc(sizeof(*ret))) != NULL)
1658 CRYPTO_gcm128_init(ret, key, block);
1659
1660 return ret;
1661}
1662
1663void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
1664{
1665 OPENSSL_clear_free(ctx, sizeof(*ctx));
1666}
1667
1668#if defined(SELFTEST)
1669# include <stdio.h>
1670# include <openssl/aes.h>
1671
1672/* Test Case 1 */
1673static const u8 K1[16], *P1 = NULL, *A1 = NULL, IV1[12], *C1 = NULL;
1674static const u8 T1[] = {
1675 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
1676 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a
1677};
1678
1679/* Test Case 2 */
1680# define K2 K1
1681# define A2 A1
1682# define IV2 IV1
1683static const u8 P2[16];
1684static const u8 C2[] = {
1685 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
1686 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78
1687};
1688
1689static const u8 T2[] = {
1690 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
1691 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf
1692};
1693
1694/* Test Case 3 */
1695# define A3 A2
1696static const u8 K3[] = {
1697 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
1698 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
1699};
1700
1701static const u8 P3[] = {
1702 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1703 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1704 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1705 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1706 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1707 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1708 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1709 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
1710};
1711
1712static const u8 IV3[] = {
1713 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
1714 0xde, 0xca, 0xf8, 0x88
1715};
1716
1717static const u8 C3[] = {
1718 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
1719 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
1720 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
1721 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
1722 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
1723 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
1724 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
1725 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85
1726};
1727
1728static const u8 T3[] = {
1729 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
1730 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4
1731};
1732
1733/* Test Case 4 */
1734# define K4 K3
1735# define IV4 IV3
1736static const u8 P4[] = {
1737 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1738 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1739 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1740 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1741 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1742 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1743 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1744 0xba, 0x63, 0x7b, 0x39
1745};
1746
1747static const u8 A4[] = {
1748 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1749 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1750 0xab, 0xad, 0xda, 0xd2
1751};
1752
1753static const u8 C4[] = {
1754 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
1755 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
1756 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
1757 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
1758 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
1759 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
1760 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
1761 0x3d, 0x58, 0xe0, 0x91
1762};
1763
1764static const u8 T4[] = {
1765 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
1766 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47
1767};
1768
1769/* Test Case 5 */
1770# define K5 K4
1771# define P5 P4
1772# define A5 A4
1773static const u8 IV5[] = {
1774 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad
1775};
1776
1777static const u8 C5[] = {
1778 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
1779 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
1780 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
1781 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
1782 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
1783 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
1784 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
1785 0xc2, 0x3f, 0x45, 0x98
1786};
1787
1788static const u8 T5[] = {
1789 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
1790 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb
1791};
1792
1793/* Test Case 6 */
1794# define K6 K5
1795# define P6 P5
1796# define A6 A5
1797static const u8 IV6[] = {
1798 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
1799 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
1800 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
1801 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
1802 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
1803 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
1804 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
1805 0xa6, 0x37, 0xb3, 0x9b
1806};
1807
1808static const u8 C6[] = {
1809 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
1810 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
1811 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
1812 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
1813 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
1814 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
1815 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
1816 0x4c, 0x34, 0xae, 0xe5
1817};
1818
1819static const u8 T6[] = {
1820 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
1821 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50
1822};
1823
1824/* Test Case 7 */
1825static const u8 K7[24], *P7 = NULL, *A7 = NULL, IV7[12], *C7 = NULL;
1826static const u8 T7[] = {
1827 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
1828 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35
1829};
1830
1831/* Test Case 8 */
1832# define K8 K7
1833# define IV8 IV7
1834# define A8 A7
1835static const u8 P8[16];
1836static const u8 C8[] = {
1837 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
1838 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00
1839};
1840
1841static const u8 T8[] = {
1842 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
1843 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb
1844};
1845
1846/* Test Case 9 */
1847# define A9 A8
1848static const u8 K9[] = {
1849 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
1850 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
1851 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
1852};
1853
1854static const u8 P9[] = {
1855 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1856 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1857 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1858 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1859 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1860 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1861 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1862 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
1863};
1864
1865static const u8 IV9[] = {
1866 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
1867 0xde, 0xca, 0xf8, 0x88
1868};
1869
1870static const u8 C9[] = {
1871 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
1872 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
1873 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
1874 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
1875 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
1876 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
1877 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
1878 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56
1879};
1880
1881static const u8 T9[] = {
1882 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
1883 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14
1884};
1885
1886/* Test Case 10 */
1887# define K10 K9
1888# define IV10 IV9
1889static const u8 P10[] = {
1890 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
1891 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
1892 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
1893 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
1894 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
1895 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
1896 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
1897 0xba, 0x63, 0x7b, 0x39
1898};
1899
1900static const u8 A10[] = {
1901 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1902 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
1903 0xab, 0xad, 0xda, 0xd2
1904};
1905
1906static const u8 C10[] = {
1907 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
1908 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
1909 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
1910 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
1911 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
1912 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
1913 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
1914 0xcc, 0xda, 0x27, 0x10
1915};
1916
1917static const u8 T10[] = {
1918 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
1919 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c
1920};
1921
1922/* Test Case 11 */
1923# define K11 K10
1924# define P11 P10
1925# define A11 A10
1926static const u8 IV11[] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad };
1927
1928static const u8 C11[] = {
1929 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
1930 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
1931 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
1932 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
1933 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
1934 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
1935 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
1936 0xa0, 0xf0, 0x62, 0xf7
1937};
1938
1939static const u8 T11[] = {
1940 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
1941 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8
1942};
1943
1944/* Test Case 12 */
1945# define K12 K11
1946# define P12 P11
1947# define A12 A11
1948static const u8 IV12[] = {
1949 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
1950 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
1951 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
1952 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
1953 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
1954 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
1955 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
1956 0xa6, 0x37, 0xb3, 0x9b
1957};
1958
1959static const u8 C12[] = {
1960 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
1961 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
1962 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
1963 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
1964 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
1965 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
1966 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
1967 0xe9, 0xb7, 0x37, 0x3b
1968};
1969
1970static const u8 T12[] = {
1971 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
1972 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9
1973};
1974
1975/* Test Case 13 */
1976static const u8 K13[32], *P13 = NULL, *A13 = NULL, IV13[12], *C13 = NULL;
1977static const u8 T13[] = {
1978 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
1979 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b
1980};
1981
1982/* Test Case 14 */
1983# define K14 K13
1984# define A14 A13
1985static const u8 P14[16], IV14[12];
1986static const u8 C14[] = {
1987 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
1988 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18
1989};
1990
1991static const u8 T14[] = {
1992 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
1993 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19
1994};
1995
1996/* Test Case 15 */
1997# define A15 A14
1998static const u8 K15[] = {
1999 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
2000 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
2001 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
2002 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
2003};
2004
2005static const u8 P15[] = {
2006 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
2007 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
2008 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
2009 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
2010 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
2011 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
2012 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
2013 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55
2014};
2015
2016static const u8 IV15[] = {
2017 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
2018 0xde, 0xca, 0xf8, 0x88
2019};
2020
2021static const u8 C15[] = {
2022 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
2023 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
2024 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
2025 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
2026 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
2027 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
2028 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
2029 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad
2030};
2031
2032static const u8 T15[] = {
2033 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
2034 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c
2035};
2036
2037/* Test Case 16 */
2038# define K16 K15
2039# define IV16 IV15
2040static const u8 P16[] = {
2041 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
2042 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
2043 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
2044 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
2045 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
2046 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
2047 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
2048 0xba, 0x63, 0x7b, 0x39
2049};
2050
2051static const u8 A16[] = {
2052 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
2053 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
2054 0xab, 0xad, 0xda, 0xd2
2055};
2056
2057static const u8 C16[] = {
2058 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
2059 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
2060 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
2061 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
2062 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
2063 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
2064 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
2065 0xbc, 0xc9, 0xf6, 0x62
2066};
2067
2068static const u8 T16[] = {
2069 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
2070 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
2071};
2072
2073/* Test Case 17 */
2074# define K17 K16
2075# define P17 P16
2076# define A17 A16
2077static const u8 IV17[] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad };
2078
2079static const u8 C17[] = {
2080 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
2081 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
2082 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
2083 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
2084 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
2085 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
2086 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
2087 0xf4, 0x7c, 0x9b, 0x1f
2088};
2089
2090static const u8 T17[] = {
2091 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
2092 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2
2093};
2094
2095/* Test Case 18 */
2096# define K18 K17
2097# define P18 P17
2098# define A18 A17
2099static const u8 IV18[] = {
2100 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
2101 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
2102 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
2103 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
2104 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
2105 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
2106 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
2107 0xa6, 0x37, 0xb3, 0x9b
2108};
2109
2110static const u8 C18[] = {
2111 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
2112 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
2113 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
2114 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
2115 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
2116 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
2117 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
2118 0x44, 0xae, 0x7e, 0x3f
2119};
2120
2121static const u8 T18[] = {
2122 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
2123 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a
2124};
2125
2126/* Test Case 19 */
2127# define K19 K1
2128# define P19 P1
2129# define IV19 IV1
2130# define C19 C1
2131static const u8 A19[] = {
2132 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
2133 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
2134 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
2135 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
2136 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
2137 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
2138 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
2139 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55,
2140 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
2141 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
2142 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
2143 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
2144 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
2145 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
2146 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
2147 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad
2148};
2149
2150static const u8 T19[] = {
2151 0x5f, 0xea, 0x79, 0x3a, 0x2d, 0x6f, 0x97, 0x4d,
2152 0x37, 0xe6, 0x8e, 0x0c, 0xb8, 0xff, 0x94, 0x92
2153};
2154
2155/* Test Case 20 */
2156# define K20 K1
2157# define A20 A1
2158/* this results in 0xff in counter LSB */
2159static const u8 IV20[64] = { 0xff, 0xff, 0xff, 0xff };
2160
2161static const u8 P20[288];
2162static const u8 C20[] = {
2163 0x56, 0xb3, 0x37, 0x3c, 0xa9, 0xef, 0x6e, 0x4a,
2164 0x2b, 0x64, 0xfe, 0x1e, 0x9a, 0x17, 0xb6, 0x14,
2165 0x25, 0xf1, 0x0d, 0x47, 0xa7, 0x5a, 0x5f, 0xce,
2166 0x13, 0xef, 0xc6, 0xbc, 0x78, 0x4a, 0xf2, 0x4f,
2167 0x41, 0x41, 0xbd, 0xd4, 0x8c, 0xf7, 0xc7, 0x70,
2168 0x88, 0x7a, 0xfd, 0x57, 0x3c, 0xca, 0x54, 0x18,
2169 0xa9, 0xae, 0xff, 0xcd, 0x7c, 0x5c, 0xed, 0xdf,
2170 0xc6, 0xa7, 0x83, 0x97, 0xb9, 0xa8, 0x5b, 0x49,
2171 0x9d, 0xa5, 0x58, 0x25, 0x72, 0x67, 0xca, 0xab,
2172 0x2a, 0xd0, 0xb2, 0x3c, 0xa4, 0x76, 0xa5, 0x3c,
2173 0xb1, 0x7f, 0xb4, 0x1c, 0x4b, 0x8b, 0x47, 0x5c,
2174 0xb4, 0xf3, 0xf7, 0x16, 0x50, 0x94, 0xc2, 0x29,
2175 0xc9, 0xe8, 0xc4, 0xdc, 0x0a, 0x2a, 0x5f, 0xf1,
2176 0x90, 0x3e, 0x50, 0x15, 0x11, 0x22, 0x13, 0x76,
2177 0xa1, 0xcd, 0xb8, 0x36, 0x4c, 0x50, 0x61, 0xa2,
2178 0x0c, 0xae, 0x74, 0xbc, 0x4a, 0xcd, 0x76, 0xce,
2179 0xb0, 0xab, 0xc9, 0xfd, 0x32, 0x17, 0xef, 0x9f,
2180 0x8c, 0x90, 0xbe, 0x40, 0x2d, 0xdf, 0x6d, 0x86,
2181 0x97, 0xf4, 0xf8, 0x80, 0xdf, 0xf1, 0x5b, 0xfb,
2182 0x7a, 0x6b, 0x28, 0x24, 0x1e, 0xc8, 0xfe, 0x18,
2183 0x3c, 0x2d, 0x59, 0xe3, 0xf9, 0xdf, 0xff, 0x65,
2184 0x3c, 0x71, 0x26, 0xf0, 0xac, 0xb9, 0xe6, 0x42,
2185 0x11, 0xf4, 0x2b, 0xae, 0x12, 0xaf, 0x46, 0x2b,
2186 0x10, 0x70, 0xbe, 0xf1, 0xab, 0x5e, 0x36, 0x06,
2187 0x87, 0x2c, 0xa1, 0x0d, 0xee, 0x15, 0xb3, 0x24,
2188 0x9b, 0x1a, 0x1b, 0x95, 0x8f, 0x23, 0x13, 0x4c,
2189 0x4b, 0xcc, 0xb7, 0xd0, 0x32, 0x00, 0xbc, 0xe4,
2190 0x20, 0xa2, 0xf8, 0xeb, 0x66, 0xdc, 0xf3, 0x64,
2191 0x4d, 0x14, 0x23, 0xc1, 0xb5, 0x69, 0x90, 0x03,
2192 0xc1, 0x3e, 0xce, 0xf4, 0xbf, 0x38, 0xa3, 0xb6,
2193 0x0e, 0xed, 0xc3, 0x40, 0x33, 0xba, 0xc1, 0x90,
2194 0x27, 0x83, 0xdc, 0x6d, 0x89, 0xe2, 0xe7, 0x74,
2195 0x18, 0x8a, 0x43, 0x9c, 0x7e, 0xbc, 0xc0, 0x67,
2196 0x2d, 0xbd, 0xa4, 0xdd, 0xcf, 0xb2, 0x79, 0x46,
2197 0x13, 0xb0, 0xbe, 0x41, 0x31, 0x5e, 0xf7, 0x78,
2198 0x70, 0x8a, 0x70, 0xee, 0x7d, 0x75, 0x16, 0x5c
2199};
2200
2201static const u8 T20[] = {
2202 0x8b, 0x30, 0x7f, 0x6b, 0x33, 0x28, 0x6d, 0x0a,
2203 0xb0, 0x26, 0xa9, 0xed, 0x3f, 0xe1, 0xe8, 0x5f
2204};
2205
2206# define TEST_CASE(n) do { \
2207 u8 out[sizeof(P##n)]; \
2208 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \
2209 CRYPTO_gcm128_init(&ctx,&key,(block128_f)AES_encrypt); \
2210 CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n)); \
2211 memset(out,0,sizeof(out)); \
2212 if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n)); \
2213 if (P##n) CRYPTO_gcm128_encrypt(&ctx,P##n,out,sizeof(out)); \
2214 if (CRYPTO_gcm128_finish(&ctx,T##n,16) || \
2215 (C##n && memcmp(out,C##n,sizeof(out)))) \
2216 ret++, printf ("encrypt test#%d failed.\n",n); \
2217 CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n)); \
2218 memset(out,0,sizeof(out)); \
2219 if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n)); \
2220 if (C##n) CRYPTO_gcm128_decrypt(&ctx,C##n,out,sizeof(out)); \
2221 if (CRYPTO_gcm128_finish(&ctx,T##n,16) || \
2222 (P##n && memcmp(out,P##n,sizeof(out)))) \
2223 ret++, printf ("decrypt test#%d failed.\n",n); \
2224 } while(0)
2225
2226int main()
2227{
2228 GCM128_CONTEXT ctx;
2229 AES_KEY key;
2230 int ret = 0;
2231
2232 TEST_CASE(1);
2233 TEST_CASE(2);
2234 TEST_CASE(3);
2235 TEST_CASE(4);
2236 TEST_CASE(5);
2237 TEST_CASE(6);
2238 TEST_CASE(7);
2239 TEST_CASE(8);
2240 TEST_CASE(9);
2241 TEST_CASE(10);
2242 TEST_CASE(11);
2243 TEST_CASE(12);
2244 TEST_CASE(13);
2245 TEST_CASE(14);
2246 TEST_CASE(15);
2247 TEST_CASE(16);
2248 TEST_CASE(17);
2249 TEST_CASE(18);
2250 TEST_CASE(19);
2251 TEST_CASE(20);
2252
2253# ifdef OPENSSL_CPUID_OBJ
2254 {
2255 size_t start, stop, gcm_t, ctr_t, OPENSSL_rdtsc();
2256 union {
2257 u64 u;
2258 u8 c[1024];
2259 } buf;
2260 int i;
2261
2262 AES_set_encrypt_key(K1, sizeof(K1) * 8, &key);
2263 CRYPTO_gcm128_init(&ctx, &key, (block128_f) AES_encrypt);
2264 CRYPTO_gcm128_setiv(&ctx, IV1, sizeof(IV1));
2265
2266 CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
2267 start = OPENSSL_rdtsc();
2268 CRYPTO_gcm128_encrypt(&ctx, buf.c, buf.c, sizeof(buf));
2269 gcm_t = OPENSSL_rdtsc() - start;
2270
2271 CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
2272 &key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
2273 (block128_f) AES_encrypt);
2274 start = OPENSSL_rdtsc();
2275 CRYPTO_ctr128_encrypt(buf.c, buf.c, sizeof(buf),
2276 &key, ctx.Yi.c, ctx.EKi.c, &ctx.mres,
2277 (block128_f) AES_encrypt);
2278 ctr_t = OPENSSL_rdtsc() - start;
2279
2280 printf("%.2f-%.2f=%.2f\n",
2281 gcm_t / (double)sizeof(buf),
2282 ctr_t / (double)sizeof(buf),
2283 (gcm_t - ctr_t) / (double)sizeof(buf));
2284# ifdef GHASH
2285 {
2286 void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
2287 const u8 *inp, size_t len) = ctx.ghash;
2288
2289 GHASH((&ctx), buf.c, sizeof(buf));
2290 start = OPENSSL_rdtsc();
2291 for (i = 0; i < 100; ++i)
2292 GHASH((&ctx), buf.c, sizeof(buf));
2293 gcm_t = OPENSSL_rdtsc() - start;
2294 printf("%.2f\n", gcm_t / (double)sizeof(buf) / (double)i);
2295 }
2296# endif
2297 }
2298# endif
2299
2300 return ret;
2301}
2302#endif
Note: See TracBrowser for help on using the repository browser.