Line data Source code
1 : /* cipher-internal.h - Internal defs for cipher.c
2 : * Copyright (C) 2011 Free Software Foundation, Inc.
3 : *
4 : * This file is part of Libgcrypt.
5 : *
6 : * Libgcrypt is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU Lesser general Public License as
8 : * published by the Free Software Foundation; either version 2.1 of
9 : * the License, or (at your option) any later version.
10 : *
11 : * Libgcrypt is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU Lesser General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU Lesser General Public
17 : * License along with this program; if not, see <http://www.gnu.org/licenses/>.
18 : */
19 :
20 : #ifndef G10_CIPHER_INTERNAL_H
21 : #define G10_CIPHER_INTERNAL_H
22 :
23 : #include "./poly1305-internal.h"
24 :
25 :
26 : /* The maximum supported size of a block in bytes. */
27 : #define MAX_BLOCKSIZE 16
28 :
29 : /* The length for an OCB block. Although OCB supports any block
30 : length it does not make sense to use a 64 bit blocklen (and cipher)
31 : because this reduces the security margin to an unacceptable state.
32 : Thus we require a cipher with 128 bit blocklength. */
33 : #define OCB_BLOCK_LEN (128/8)
34 :
35 : /* The size of the pre-computed L table for OCB. This takes the same
36 : size as the table used for GCM and thus we don't save anything by
37 : not using such a table. */
38 : #define OCB_L_TABLE_SIZE 16
39 :
40 :
41 : /* Check the above constants. */
42 : #if OCB_BLOCK_LEN > MAX_BLOCKSIZE
43 : # error OCB_BLOCKLEN > MAX_BLOCKSIZE
44 : #endif
45 :
46 :
47 :
48 : /* Magic values for the context structure. */
49 : #define CTX_MAGIC_NORMAL 0x24091964
50 : #define CTX_MAGIC_SECURE 0x46919042
51 :
52 : /* Try to use 16 byte aligned cipher context for better performance.
53 : We use the aligned attribute, thus it is only possible to implement
54 : this with gcc. */
55 : #undef NEED_16BYTE_ALIGNED_CONTEXT
56 : #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
57 : # define NEED_16BYTE_ALIGNED_CONTEXT 1
58 : #endif
59 :
60 : /* Undef this symbol to trade GCM speed for 256 bytes of memory per context */
61 : #define GCM_USE_TABLES 1
62 :
63 :
64 : /* GCM_USE_INTEL_PCLMUL indicates whether to compile GCM with Intel PCLMUL
65 : code. */
66 : #undef GCM_USE_INTEL_PCLMUL
67 : #if defined(ENABLE_PCLMUL_SUPPORT) && defined(GCM_USE_TABLES)
68 : # if ((defined(__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__))
69 : # if __GNUC__ >= 4
70 : # define GCM_USE_INTEL_PCLMUL 1
71 : # endif
72 : # endif
73 : #endif /* GCM_USE_INTEL_PCLMUL */
74 :
75 : /* GCM_USE_ARM_PMULL indicates whether to compile GCM with ARMv8 PMULL code. */
76 : #undef GCM_USE_ARM_PMULL
77 : #if defined(ENABLE_ARM_CRYPTO_SUPPORT) && defined(GCM_USE_TABLES)
78 : # if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
79 : && defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
80 : && defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
81 : # define GCM_USE_ARM_PMULL 1
82 : # elif defined(__AARCH64EL__) && \
83 : defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
84 : defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
85 : # define GCM_USE_ARM_PMULL 1
86 : # endif
87 : #endif /* GCM_USE_ARM_PMULL */
88 :
89 :
90 : typedef unsigned int (*ghash_fn_t) (gcry_cipher_hd_t c, byte *result,
91 : const byte *buf, size_t nblocks);
92 :
93 :
94 : /* A VIA processor with the Padlock engine as well as the Intel AES_NI
95 : instructions require an alignment of most data on a 16 byte
96 : boundary. Because we trick out the compiler while allocating the
97 : context, the align attribute as used in rijndael.c does not work on
98 : its own. Thus we need to make sure that the entire context
99 : structure is a aligned on that boundary. We achieve this by
100 : defining a new type and use that instead of our usual alignment
101 : type. */
102 : typedef union
103 : {
104 : PROPERLY_ALIGNED_TYPE foo;
105 : #ifdef NEED_16BYTE_ALIGNED_CONTEXT
106 : char bar[16] __attribute__ ((aligned (16)));
107 : #endif
108 : char c[1];
109 : } cipher_context_alignment_t;
110 :
111 :
112 : /* The handle structure. */
113 : struct gcry_cipher_handle
114 : {
115 : int magic;
116 : size_t actual_handle_size; /* Allocated size of this handle. */
117 : size_t handle_offset; /* Offset to the malloced block. */
118 : gcry_cipher_spec_t *spec;
119 :
120 : /* The algorithm id. This is a hack required because the module
121 : interface does not easily allow to retrieve this value. */
122 : int algo;
123 :
124 : /* A structure with function pointers for bulk operations. Due to
125 : limitations of the module system (we don't want to change the
126 : API) we need to keep these function pointers here. The cipher
127 : open function intializes them and the actual encryption routines
128 : use them if they are not NULL. */
129 : struct {
130 : void (*cfb_enc)(void *context, unsigned char *iv,
131 : void *outbuf_arg, const void *inbuf_arg,
132 : size_t nblocks);
133 : void (*cfb_dec)(void *context, unsigned char *iv,
134 : void *outbuf_arg, const void *inbuf_arg,
135 : size_t nblocks);
136 : void (*cbc_enc)(void *context, unsigned char *iv,
137 : void *outbuf_arg, const void *inbuf_arg,
138 : size_t nblocks, int cbc_mac);
139 : void (*cbc_dec)(void *context, unsigned char *iv,
140 : void *outbuf_arg, const void *inbuf_arg,
141 : size_t nblocks);
142 : void (*ctr_enc)(void *context, unsigned char *iv,
143 : void *outbuf_arg, const void *inbuf_arg,
144 : size_t nblocks);
145 : size_t (*ocb_crypt)(gcry_cipher_hd_t c, void *outbuf_arg,
146 : const void *inbuf_arg, size_t nblocks, int encrypt);
147 : size_t (*ocb_auth)(gcry_cipher_hd_t c, const void *abuf_arg,
148 : size_t nblocks);
149 : } bulk;
150 :
151 :
152 : int mode;
153 : unsigned int flags;
154 :
155 : struct {
156 : unsigned int key:1; /* Set to 1 if a key has been set. */
157 : unsigned int iv:1; /* Set to 1 if a IV has been set. */
158 : unsigned int tag:1; /* Set to 1 if a tag is finalized. */
159 : unsigned int finalize:1; /* Next encrypt/decrypt has the final data. */
160 : } marks;
161 :
162 : /* The initialization vector. For best performance we make sure
163 : that it is properly aligned. In particular some implementations
164 : of bulk operations expect an 16 byte aligned IV. IV is also used
165 : to store CBC-MAC in CCM mode; counter IV is stored in U_CTR. For
166 : OCB mode it is used for the offset value. */
167 : union {
168 : cipher_context_alignment_t iv_align;
169 : unsigned char iv[MAX_BLOCKSIZE];
170 : } u_iv;
171 :
172 : /* The counter for CTR mode. This field is also used by AESWRAP and
173 : thus we can't use the U_IV union. For OCB mode it is used for
174 : the checksum. */
175 : union {
176 : cipher_context_alignment_t iv_align;
177 : unsigned char ctr[MAX_BLOCKSIZE];
178 : } u_ctr;
179 :
180 : /* Space to save an IV or CTR for chaining operations. */
181 : unsigned char lastiv[MAX_BLOCKSIZE];
182 : int unused; /* Number of unused bytes in LASTIV. */
183 :
184 : union {
185 : /* Mode specific storage for CCM mode. */
186 : struct {
187 : u64 encryptlen;
188 : u64 aadlen;
189 : unsigned int authlen;
190 :
191 : /* Space to save partial input lengths for MAC. */
192 : unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
193 : int mac_unused; /* Number of unprocessed bytes in MACBUF. */
194 :
195 : unsigned char s0[GCRY_CCM_BLOCK_LEN];
196 :
197 : unsigned int nonce:1;/* Set to 1 if nonce has been set. */
198 : unsigned int lengths:1; /* Set to 1 if CCM length parameters has been
199 : processed. */
200 : } ccm;
201 :
202 : /* Mode specific storage for Poly1305 mode. */
203 : struct {
204 : /* byte counter for AAD. */
205 : u32 aadcount[2];
206 :
207 : /* byte counter for data. */
208 : u32 datacount[2];
209 :
210 : unsigned int aad_finalized:1;
211 : unsigned int bytecount_over_limits:1;
212 :
213 : poly1305_context_t ctx;
214 : } poly1305;
215 :
216 : /* Mode specific storage for CMAC mode. */
217 : struct {
218 : unsigned int tag:1; /* Set to 1 if tag has been finalized. */
219 :
220 : /* Subkeys for tag creation, not cleared by gcry_cipher_reset. */
221 : unsigned char subkeys[2][MAX_BLOCKSIZE];
222 : } cmac;
223 :
224 : /* Mode specific storage for GCM mode. */
225 : struct {
226 : /* The interim tag for GCM mode. */
227 : union {
228 : cipher_context_alignment_t iv_align;
229 : unsigned char tag[MAX_BLOCKSIZE];
230 : } u_tag;
231 :
232 : /* Space to save partial input lengths for MAC. */
233 : unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
234 : int mac_unused; /* Number of unprocessed bytes in MACBUF. */
235 :
236 :
237 : /* byte counters for GCM */
238 : u32 aadlen[2];
239 : u32 datalen[2];
240 :
241 : /* encrypted tag counter */
242 : unsigned char tagiv[MAX_BLOCKSIZE];
243 :
244 : unsigned int ghash_data_finalized:1;
245 : unsigned int ghash_aad_finalized:1;
246 :
247 : unsigned int datalen_over_limits:1;
248 : unsigned int disallow_encryption_because_of_setiv_in_fips_mode:1;
249 :
250 : /* --- Following members are not cleared in gcry_cipher_reset --- */
251 :
252 : /* GHASH multiplier from key. */
253 : union {
254 : cipher_context_alignment_t iv_align;
255 : unsigned char key[MAX_BLOCKSIZE];
256 : } u_ghash_key;
257 :
258 : /* GHASH implementation in use. */
259 : ghash_fn_t ghash_fn;
260 :
261 : /* Pre-calculated table for GCM. */
262 : #ifdef GCM_USE_TABLES
263 : #if (SIZEOF_UNSIGNED_LONG == 8 || defined(__x86_64__))
264 : #define GCM_TABLES_USE_U64 1
265 : u64 gcm_table[2 * 16];
266 : #else
267 : #undef GCM_TABLES_USE_U64
268 : u32 gcm_table[4 * 16];
269 : #endif
270 : #endif
271 : } gcm;
272 :
273 : /* Mode specific storage for OCB mode. */
274 : struct {
275 : /* Helper variables and pre-computed table of L values. */
276 : unsigned char L_star[OCB_BLOCK_LEN];
277 : unsigned char L_dollar[OCB_BLOCK_LEN];
278 : unsigned char L[OCB_BLOCK_LEN][OCB_L_TABLE_SIZE];
279 :
280 : /* The tag is valid if marks.tag has been set. */
281 : unsigned char tag[OCB_BLOCK_LEN];
282 :
283 : /* A buffer to hold the offset for the AAD processing. */
284 : unsigned char aad_offset[OCB_BLOCK_LEN];
285 :
286 : /* A buffer to hold the current sum of AAD processing. We can't
287 : use tag here because tag may already hold the preprocessed
288 : checksum of the data. */
289 : unsigned char aad_sum[OCB_BLOCK_LEN];
290 :
291 : /* A buffer to store AAD data not yet processed. */
292 : unsigned char aad_leftover[OCB_BLOCK_LEN];
293 :
294 : /* Number of data/aad blocks processed so far. */
295 : u64 data_nblocks;
296 : u64 aad_nblocks;
297 :
298 : /* Number of valid bytes in AAD_LEFTOVER. */
299 : unsigned char aad_nleftover;
300 :
301 : /* Length of the tag. Fixed for now but may eventually be
302 : specified using a set of gcry_cipher_flags. */
303 : unsigned char taglen;
304 :
305 : /* Flags indicating that the final data/aad block has been
306 : processed. */
307 : unsigned int data_finalized:1;
308 : unsigned int aad_finalized:1;
309 :
310 : } ocb;
311 :
312 : } u_mode;
313 :
314 : /* What follows are two contexts of the cipher in use. The first
315 : one needs to be aligned well enough for the cipher operation
316 : whereas the second one is a copy created by cipher_setkey and
317 : used by cipher_reset. That second copy has no need for proper
318 : aligment because it is only accessed by memcpy. */
319 : cipher_context_alignment_t context;
320 : };
321 :
322 :
323 : /*-- cipher-cbc.c --*/
324 : gcry_err_code_t _gcry_cipher_cbc_encrypt
325 : /* */ (gcry_cipher_hd_t c,
326 : unsigned char *outbuf, size_t outbuflen,
327 : const unsigned char *inbuf, size_t inbuflen);
328 : gcry_err_code_t _gcry_cipher_cbc_decrypt
329 : /* */ (gcry_cipher_hd_t c,
330 : unsigned char *outbuf, size_t outbuflen,
331 : const unsigned char *inbuf, size_t inbuflen);
332 :
333 : /*-- cipher-cfb.c --*/
334 : gcry_err_code_t _gcry_cipher_cfb_encrypt
335 : /* */ (gcry_cipher_hd_t c,
336 : unsigned char *outbuf, size_t outbuflen,
337 : const unsigned char *inbuf, size_t inbuflen);
338 : gcry_err_code_t _gcry_cipher_cfb_decrypt
339 : /* */ (gcry_cipher_hd_t c,
340 : unsigned char *outbuf, size_t outbuflen,
341 : const unsigned char *inbuf, size_t inbuflen);
342 :
343 :
344 : /*-- cipher-ofb.c --*/
345 : gcry_err_code_t _gcry_cipher_ofb_encrypt
346 : /* */ (gcry_cipher_hd_t c,
347 : unsigned char *outbuf, size_t outbuflen,
348 : const unsigned char *inbuf, size_t inbuflen);
349 :
350 : /*-- cipher-ctr.c --*/
351 : gcry_err_code_t _gcry_cipher_ctr_encrypt
352 : /* */ (gcry_cipher_hd_t c,
353 : unsigned char *outbuf, size_t outbuflen,
354 : const unsigned char *inbuf, size_t inbuflen);
355 :
356 :
357 : /*-- cipher-aeswrap.c --*/
358 : gcry_err_code_t _gcry_cipher_aeswrap_encrypt
359 : /* */ (gcry_cipher_hd_t c,
360 : byte *outbuf, size_t outbuflen,
361 : const byte *inbuf, size_t inbuflen);
362 : gcry_err_code_t _gcry_cipher_aeswrap_decrypt
363 : /* */ (gcry_cipher_hd_t c,
364 : byte *outbuf, size_t outbuflen,
365 : const byte *inbuf, size_t inbuflen);
366 :
367 :
368 : /*-- cipher-ccm.c --*/
369 : gcry_err_code_t _gcry_cipher_ccm_encrypt
370 : /* */ (gcry_cipher_hd_t c,
371 : unsigned char *outbuf, size_t outbuflen,
372 : const unsigned char *inbuf, size_t inbuflen);
373 : gcry_err_code_t _gcry_cipher_ccm_decrypt
374 : /* */ (gcry_cipher_hd_t c,
375 : unsigned char *outbuf, size_t outbuflen,
376 : const unsigned char *inbuf, size_t inbuflen);
377 : gcry_err_code_t _gcry_cipher_ccm_set_nonce
378 : /* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
379 : size_t noncelen);
380 : gcry_err_code_t _gcry_cipher_ccm_authenticate
381 : /* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
382 : gcry_err_code_t _gcry_cipher_ccm_set_lengths
383 : /* */ (gcry_cipher_hd_t c, u64 encryptedlen, u64 aadlen, u64 taglen);
384 : gcry_err_code_t _gcry_cipher_ccm_get_tag
385 : /* */ (gcry_cipher_hd_t c,
386 : unsigned char *outtag, size_t taglen);
387 : gcry_err_code_t _gcry_cipher_ccm_check_tag
388 : /* */ (gcry_cipher_hd_t c,
389 : const unsigned char *intag, size_t taglen);
390 :
391 :
392 : /*-- cipher-gcm.c --*/
393 : gcry_err_code_t _gcry_cipher_gcm_encrypt
394 : /* */ (gcry_cipher_hd_t c,
395 : unsigned char *outbuf, size_t outbuflen,
396 : const unsigned char *inbuf, size_t inbuflen);
397 : gcry_err_code_t _gcry_cipher_gcm_decrypt
398 : /* */ (gcry_cipher_hd_t c,
399 : unsigned char *outbuf, size_t outbuflen,
400 : const unsigned char *inbuf, size_t inbuflen);
401 : gcry_err_code_t _gcry_cipher_gcm_setiv
402 : /* */ (gcry_cipher_hd_t c,
403 : const unsigned char *iv, size_t ivlen);
404 : gcry_err_code_t _gcry_cipher_gcm_authenticate
405 : /* */ (gcry_cipher_hd_t c,
406 : const unsigned char *aadbuf, size_t aadbuflen);
407 : gcry_err_code_t _gcry_cipher_gcm_get_tag
408 : /* */ (gcry_cipher_hd_t c,
409 : unsigned char *outtag, size_t taglen);
410 : gcry_err_code_t _gcry_cipher_gcm_check_tag
411 : /* */ (gcry_cipher_hd_t c,
412 : const unsigned char *intag, size_t taglen);
413 : void _gcry_cipher_gcm_setkey
414 : /* */ (gcry_cipher_hd_t c);
415 :
416 :
417 : /*-- cipher-poly1305.c --*/
418 : gcry_err_code_t _gcry_cipher_poly1305_encrypt
419 : /* */ (gcry_cipher_hd_t c,
420 : unsigned char *outbuf, size_t outbuflen,
421 : const unsigned char *inbuf, size_t inbuflen);
422 : gcry_err_code_t _gcry_cipher_poly1305_decrypt
423 : /* */ (gcry_cipher_hd_t c,
424 : unsigned char *outbuf, size_t outbuflen,
425 : const unsigned char *inbuf, size_t inbuflen);
426 : gcry_err_code_t _gcry_cipher_poly1305_setiv
427 : /* */ (gcry_cipher_hd_t c,
428 : const unsigned char *iv, size_t ivlen);
429 : gcry_err_code_t _gcry_cipher_poly1305_authenticate
430 : /* */ (gcry_cipher_hd_t c,
431 : const unsigned char *aadbuf, size_t aadbuflen);
432 : gcry_err_code_t _gcry_cipher_poly1305_get_tag
433 : /* */ (gcry_cipher_hd_t c,
434 : unsigned char *outtag, size_t taglen);
435 : gcry_err_code_t _gcry_cipher_poly1305_check_tag
436 : /* */ (gcry_cipher_hd_t c,
437 : const unsigned char *intag, size_t taglen);
438 : void _gcry_cipher_poly1305_setkey
439 : /* */ (gcry_cipher_hd_t c);
440 :
441 :
442 : /*-- cipher-ocb.c --*/
443 : gcry_err_code_t _gcry_cipher_ocb_encrypt
444 : /* */ (gcry_cipher_hd_t c,
445 : unsigned char *outbuf, size_t outbuflen,
446 : const unsigned char *inbuf, size_t inbuflen);
447 : gcry_err_code_t _gcry_cipher_ocb_decrypt
448 : /* */ (gcry_cipher_hd_t c,
449 : unsigned char *outbuf, size_t outbuflen,
450 : const unsigned char *inbuf, size_t inbuflen);
451 : gcry_err_code_t _gcry_cipher_ocb_set_nonce
452 : /* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
453 : size_t noncelen);
454 : gcry_err_code_t _gcry_cipher_ocb_authenticate
455 : /* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
456 : gcry_err_code_t _gcry_cipher_ocb_get_tag
457 : /* */ (gcry_cipher_hd_t c,
458 : unsigned char *outtag, size_t taglen);
459 : gcry_err_code_t _gcry_cipher_ocb_check_tag
460 : /* */ (gcry_cipher_hd_t c,
461 : const unsigned char *intag, size_t taglen);
462 :
463 :
464 : /* Return the L-value for block N. Note: 'cipher_ocb.c' ensures that N
465 : * will never be multiple of 65536 (1 << OCB_L_TABLE_SIZE), thus N can
466 : * be directly passed to _gcry_ctz() function and resulting index will
467 : * never overflow the table. */
468 : static inline const unsigned char *
469 0 : ocb_get_l (gcry_cipher_hd_t c, u64 n)
470 : {
471 : unsigned long ntz;
472 :
473 : #if ((defined(__i386__) || defined(__x86_64__)) && __GNUC__ >= 4)
474 : /* Assumes that N != 0. */
475 0 : asm ("rep;bsfl %k[low], %k[ntz]\n\t"
476 : : [ntz] "=r" (ntz)
477 : : [low] "r" ((unsigned long)n)
478 : : "cc");
479 : #else
480 : ntz = _gcry_ctz (n);
481 : #endif
482 :
483 0 : return c->u_mode.ocb.L[ntz];
484 : }
485 :
486 : #endif /*G10_CIPHER_INTERNAL_H*/
|
