Line data Source code
1 : /* cipher-internal.h - Internal defs for cipher.c
2 : * Copyright (C) 2011 Free Software Foundation, Inc.
3 : *
4 : * This file is part of Libgcrypt.
5 : *
6 : * Libgcrypt is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU Lesser general Public License as
8 : * published by the Free Software Foundation; either version 2.1 of
9 : * the License, or (at your option) any later version.
10 : *
11 : * Libgcrypt is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU Lesser General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU Lesser General Public
17 : * License along with this program; if not, see <http://www.gnu.org/licenses/>.
18 : */
19 :
20 : #ifndef G10_CIPHER_INTERNAL_H
21 : #define G10_CIPHER_INTERNAL_H
22 :
23 : #include "./poly1305-internal.h"
24 :
25 :
26 : /* The maximum supported size of a block in bytes. */
27 : #define MAX_BLOCKSIZE 16
28 :
29 : /* The length for an OCB block. Although OCB supports any block
30 : length it does not make sense to use a 64 bit blocklen (and cipher)
31 : because this reduces the security margin to an unacceptable state.
32 : Thus we require a cipher with 128 bit blocklength. */
33 : #define OCB_BLOCK_LEN (128/8)
34 :
35 : /* The size of the pre-computed L table for OCB. This takes the same
36 : size as the table used for GCM and thus we don't save anything by
37 : not using such a table. */
38 : #define OCB_L_TABLE_SIZE 16
39 :
40 :
41 : /* Check the above constants. */
42 : #if OCB_BLOCK_LEN > MAX_BLOCKSIZE
43 : # error OCB_BLOCKLEN > MAX_BLOCKSIZE
44 : #endif
45 :
46 :
47 :
48 : /* Magic values for the context structure. */
49 : #define CTX_MAGIC_NORMAL 0x24091964
50 : #define CTX_MAGIC_SECURE 0x46919042
51 :
52 : /* Try to use 16 byte aligned cipher context for better performance.
53 : We use the aligned attribute, thus it is only possible to implement
54 : this with gcc. */
55 : #undef NEED_16BYTE_ALIGNED_CONTEXT
56 : #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
57 : # define NEED_16BYTE_ALIGNED_CONTEXT 1
58 : #endif
59 :
60 : /* Undef this symbol to trade GCM speed for 256 bytes of memory per context */
61 : #define GCM_USE_TABLES 1
62 :
63 :
64 : /* GCM_USE_INTEL_PCLMUL indicates whether to compile GCM with Intel PCLMUL
65 : code. */
66 : #undef GCM_USE_INTEL_PCLMUL
67 : #if defined(ENABLE_PCLMUL_SUPPORT) && defined(GCM_USE_TABLES)
68 : # if ((defined(__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__))
69 : # if __GNUC__ >= 4
70 : # define GCM_USE_INTEL_PCLMUL 1
71 : # endif
72 : # endif
73 : #endif /* GCM_USE_INTEL_PCLMUL */
74 :
75 : /* GCM_USE_ARM_PMULL indicates whether to compile GCM with ARMv8 PMULL code. */
76 : #undef GCM_USE_ARM_PMULL
77 : #if defined(ENABLE_ARM_CRYPTO_SUPPORT) && defined(GCM_USE_TABLES)
78 : # if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
79 : && defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
80 : && defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
81 : # define GCM_USE_ARM_PMULL 1
82 : # elif defined(__AARCH64EL__) && \
83 : defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
84 : defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
85 : # define GCM_USE_ARM_PMULL 1
86 : # endif
87 : #endif /* GCM_USE_ARM_PMULL */
88 :
89 :
90 : typedef unsigned int (*ghash_fn_t) (gcry_cipher_hd_t c, byte *result,
91 : const byte *buf, size_t nblocks);
92 :
93 :
94 : /* A VIA processor with the Padlock engine as well as the Intel AES_NI
95 : instructions require an alignment of most data on a 16 byte
96 : boundary. Because we trick out the compiler while allocating the
97 : context, the align attribute as used in rijndael.c does not work on
98 : its own. Thus we need to make sure that the entire context
99 : structure is a aligned on that boundary. We achieve this by
100 : defining a new type and use that instead of our usual alignment
101 : type. */
102 : typedef union
103 : {
104 : PROPERLY_ALIGNED_TYPE foo;
105 : #ifdef NEED_16BYTE_ALIGNED_CONTEXT
106 : char bar[16] __attribute__ ((aligned (16)));
107 : #endif
108 : char c[1];
109 : } cipher_context_alignment_t;
110 :
111 :
112 : /* The handle structure. */
113 : struct gcry_cipher_handle
114 : {
115 : int magic;
116 : size_t actual_handle_size; /* Allocated size of this handle. */
117 : size_t handle_offset; /* Offset to the malloced block. */
118 : gcry_cipher_spec_t *spec;
119 :
120 : /* The algorithm id. This is a hack required because the module
121 : interface does not easily allow to retrieve this value. */
122 : int algo;
123 :
124 : /* A structure with function pointers for bulk operations. Due to
125 : limitations of the module system (we don't want to change the
126 : API) we need to keep these function pointers here. The cipher
127 : open function intializes them and the actual encryption routines
128 : use them if they are not NULL. */
129 : struct {
130 : void (*cfb_enc)(void *context, unsigned char *iv,
131 : void *outbuf_arg, const void *inbuf_arg,
132 : size_t nblocks);
133 : void (*cfb_dec)(void *context, unsigned char *iv,
134 : void *outbuf_arg, const void *inbuf_arg,
135 : size_t nblocks);
136 : void (*cbc_enc)(void *context, unsigned char *iv,
137 : void *outbuf_arg, const void *inbuf_arg,
138 : size_t nblocks, int cbc_mac);
139 : void (*cbc_dec)(void *context, unsigned char *iv,
140 : void *outbuf_arg, const void *inbuf_arg,
141 : size_t nblocks);
142 : void (*ctr_enc)(void *context, unsigned char *iv,
143 : void *outbuf_arg, const void *inbuf_arg,
144 : size_t nblocks);
145 : size_t (*ocb_crypt)(gcry_cipher_hd_t c, void *outbuf_arg,
146 : const void *inbuf_arg, size_t nblocks, int encrypt);
147 : size_t (*ocb_auth)(gcry_cipher_hd_t c, const void *abuf_arg,
148 : size_t nblocks);
149 : void (*xts_crypt)(gcry_cipher_hd_t c, unsigned char *tweak,
150 : void *outbuf_arg, const void *inbuf_arg,
151 : size_t nblocks, int encrypt);
152 : } bulk;
153 :
154 :
155 : int mode;
156 : unsigned int flags;
157 :
158 : struct {
159 : unsigned int key:1; /* Set to 1 if a key has been set. */
160 : unsigned int iv:1; /* Set to 1 if a IV has been set. */
161 : unsigned int tag:1; /* Set to 1 if a tag is finalized. */
162 : unsigned int finalize:1; /* Next encrypt/decrypt has the final data. */
163 : } marks;
164 :
165 : /* The initialization vector. For best performance we make sure
166 : that it is properly aligned. In particular some implementations
167 : of bulk operations expect an 16 byte aligned IV. IV is also used
168 : to store CBC-MAC in CCM mode; counter IV is stored in U_CTR. For
169 : OCB mode it is used for the offset value. */
170 : union {
171 : cipher_context_alignment_t iv_align;
172 : unsigned char iv[MAX_BLOCKSIZE];
173 : } u_iv;
174 :
175 : /* The counter for CTR mode. This field is also used by AESWRAP and
176 : thus we can't use the U_IV union. For OCB mode it is used for
177 : the checksum. */
178 : union {
179 : cipher_context_alignment_t iv_align;
180 : unsigned char ctr[MAX_BLOCKSIZE];
181 : } u_ctr;
182 :
183 : /* Space to save an IV or CTR for chaining operations. */
184 : unsigned char lastiv[MAX_BLOCKSIZE];
185 : int unused; /* Number of unused bytes in LASTIV. */
186 :
187 : union {
188 : /* Mode specific storage for CCM mode. */
189 : struct {
190 : u64 encryptlen;
191 : u64 aadlen;
192 : unsigned int authlen;
193 :
194 : /* Space to save partial input lengths for MAC. */
195 : unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
196 : int mac_unused; /* Number of unprocessed bytes in MACBUF. */
197 :
198 : unsigned char s0[GCRY_CCM_BLOCK_LEN];
199 :
200 : unsigned int nonce:1;/* Set to 1 if nonce has been set. */
201 : unsigned int lengths:1; /* Set to 1 if CCM length parameters has been
202 : processed. */
203 : } ccm;
204 :
205 : /* Mode specific storage for Poly1305 mode. */
206 : struct {
207 : /* byte counter for AAD. */
208 : u32 aadcount[2];
209 :
210 : /* byte counter for data. */
211 : u32 datacount[2];
212 :
213 : unsigned int aad_finalized:1;
214 : unsigned int bytecount_over_limits:1;
215 :
216 : poly1305_context_t ctx;
217 : } poly1305;
218 :
219 : /* Mode specific storage for CMAC mode. */
220 : struct {
221 : unsigned int tag:1; /* Set to 1 if tag has been finalized. */
222 :
223 : /* Subkeys for tag creation, not cleared by gcry_cipher_reset. */
224 : unsigned char subkeys[2][MAX_BLOCKSIZE];
225 : } cmac;
226 :
227 : /* Mode specific storage for GCM mode. */
228 : struct {
229 : /* The interim tag for GCM mode. */
230 : union {
231 : cipher_context_alignment_t iv_align;
232 : unsigned char tag[MAX_BLOCKSIZE];
233 : } u_tag;
234 :
235 : /* Space to save partial input lengths for MAC. */
236 : unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
237 : int mac_unused; /* Number of unprocessed bytes in MACBUF. */
238 :
239 :
240 : /* byte counters for GCM */
241 : u32 aadlen[2];
242 : u32 datalen[2];
243 :
244 : /* encrypted tag counter */
245 : unsigned char tagiv[MAX_BLOCKSIZE];
246 :
247 : unsigned int ghash_data_finalized:1;
248 : unsigned int ghash_aad_finalized:1;
249 :
250 : unsigned int datalen_over_limits:1;
251 : unsigned int disallow_encryption_because_of_setiv_in_fips_mode:1;
252 :
253 : /* --- Following members are not cleared in gcry_cipher_reset --- */
254 :
255 : /* GHASH multiplier from key. */
256 : union {
257 : cipher_context_alignment_t iv_align;
258 : unsigned char key[MAX_BLOCKSIZE];
259 : } u_ghash_key;
260 :
261 : /* GHASH implementation in use. */
262 : ghash_fn_t ghash_fn;
263 :
264 : /* Pre-calculated table for GCM. */
265 : #ifdef GCM_USE_TABLES
266 : #if (SIZEOF_UNSIGNED_LONG == 8 || defined(__x86_64__))
267 : #define GCM_TABLES_USE_U64 1
268 : u64 gcm_table[2 * 16];
269 : #else
270 : #undef GCM_TABLES_USE_U64
271 : u32 gcm_table[4 * 16];
272 : #endif
273 : #endif
274 : } gcm;
275 :
276 : /* Mode specific storage for OCB mode. */
277 : struct {
278 : /* Helper variables and pre-computed table of L values. */
279 : unsigned char L_star[OCB_BLOCK_LEN];
280 : unsigned char L_dollar[OCB_BLOCK_LEN];
281 : unsigned char L[OCB_BLOCK_LEN][OCB_L_TABLE_SIZE];
282 :
283 : /* The tag is valid if marks.tag has been set. */
284 : unsigned char tag[OCB_BLOCK_LEN];
285 :
286 : /* A buffer to hold the offset for the AAD processing. */
287 : unsigned char aad_offset[OCB_BLOCK_LEN];
288 :
289 : /* A buffer to hold the current sum of AAD processing. We can't
290 : use tag here because tag may already hold the preprocessed
291 : checksum of the data. */
292 : unsigned char aad_sum[OCB_BLOCK_LEN];
293 :
294 : /* A buffer to store AAD data not yet processed. */
295 : unsigned char aad_leftover[OCB_BLOCK_LEN];
296 :
297 : /* Number of data/aad blocks processed so far. */
298 : u64 data_nblocks;
299 : u64 aad_nblocks;
300 :
301 : /* Number of valid bytes in AAD_LEFTOVER. */
302 : unsigned char aad_nleftover;
303 :
304 : /* Length of the tag. Fixed for now but may eventually be
305 : specified using a set of gcry_cipher_flags. */
306 : unsigned char taglen;
307 :
308 : /* Flags indicating that the final data/aad block has been
309 : processed. */
310 : unsigned int data_finalized:1;
311 : unsigned int aad_finalized:1;
312 :
313 : } ocb;
314 :
315 : /* Mode specific storage for XTS mode. */
316 : struct {
317 : /* Pointer to tweak cipher context, allocated after actual
318 : * cipher context. */
319 : char *tweak_context;
320 : } xts;
321 : } u_mode;
322 :
323 : /* What follows are two contexts of the cipher in use. The first
324 : one needs to be aligned well enough for the cipher operation
325 : whereas the second one is a copy created by cipher_setkey and
326 : used by cipher_reset. That second copy has no need for proper
327 : aligment because it is only accessed by memcpy. */
328 : cipher_context_alignment_t context;
329 : };
330 :
331 :
332 : /*-- cipher-cbc.c --*/
333 : gcry_err_code_t _gcry_cipher_cbc_encrypt
334 : /* */ (gcry_cipher_hd_t c,
335 : unsigned char *outbuf, size_t outbuflen,
336 : const unsigned char *inbuf, size_t inbuflen);
337 : gcry_err_code_t _gcry_cipher_cbc_decrypt
338 : /* */ (gcry_cipher_hd_t c,
339 : unsigned char *outbuf, size_t outbuflen,
340 : const unsigned char *inbuf, size_t inbuflen);
341 :
342 : /*-- cipher-cfb.c --*/
343 : gcry_err_code_t _gcry_cipher_cfb_encrypt
344 : /* */ (gcry_cipher_hd_t c,
345 : unsigned char *outbuf, size_t outbuflen,
346 : const unsigned char *inbuf, size_t inbuflen);
347 : gcry_err_code_t _gcry_cipher_cfb_decrypt
348 : /* */ (gcry_cipher_hd_t c,
349 : unsigned char *outbuf, size_t outbuflen,
350 : const unsigned char *inbuf, size_t inbuflen);
351 : gcry_err_code_t _gcry_cipher_cfb8_encrypt
352 : /* */ (gcry_cipher_hd_t c,
353 : unsigned char *outbuf, size_t outbuflen,
354 : const unsigned char *inbuf, size_t inbuflen);
355 : gcry_err_code_t _gcry_cipher_cfb8_decrypt
356 : /* */ (gcry_cipher_hd_t c,
357 : unsigned char *outbuf, size_t outbuflen,
358 : const unsigned char *inbuf, size_t inbuflen);
359 :
360 :
361 : /*-- cipher-ofb.c --*/
362 : gcry_err_code_t _gcry_cipher_ofb_encrypt
363 : /* */ (gcry_cipher_hd_t c,
364 : unsigned char *outbuf, size_t outbuflen,
365 : const unsigned char *inbuf, size_t inbuflen);
366 :
367 : /*-- cipher-ctr.c --*/
368 : gcry_err_code_t _gcry_cipher_ctr_encrypt
369 : /* */ (gcry_cipher_hd_t c,
370 : unsigned char *outbuf, size_t outbuflen,
371 : const unsigned char *inbuf, size_t inbuflen);
372 :
373 :
374 : /*-- cipher-aeswrap.c --*/
375 : gcry_err_code_t _gcry_cipher_aeswrap_encrypt
376 : /* */ (gcry_cipher_hd_t c,
377 : byte *outbuf, size_t outbuflen,
378 : const byte *inbuf, size_t inbuflen);
379 : gcry_err_code_t _gcry_cipher_aeswrap_decrypt
380 : /* */ (gcry_cipher_hd_t c,
381 : byte *outbuf, size_t outbuflen,
382 : const byte *inbuf, size_t inbuflen);
383 :
384 :
385 : /*-- cipher-ccm.c --*/
386 : gcry_err_code_t _gcry_cipher_ccm_encrypt
387 : /* */ (gcry_cipher_hd_t c,
388 : unsigned char *outbuf, size_t outbuflen,
389 : const unsigned char *inbuf, size_t inbuflen);
390 : gcry_err_code_t _gcry_cipher_ccm_decrypt
391 : /* */ (gcry_cipher_hd_t c,
392 : unsigned char *outbuf, size_t outbuflen,
393 : const unsigned char *inbuf, size_t inbuflen);
394 : gcry_err_code_t _gcry_cipher_ccm_set_nonce
395 : /* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
396 : size_t noncelen);
397 : gcry_err_code_t _gcry_cipher_ccm_authenticate
398 : /* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
399 : gcry_err_code_t _gcry_cipher_ccm_set_lengths
400 : /* */ (gcry_cipher_hd_t c, u64 encryptedlen, u64 aadlen, u64 taglen);
401 : gcry_err_code_t _gcry_cipher_ccm_get_tag
402 : /* */ (gcry_cipher_hd_t c,
403 : unsigned char *outtag, size_t taglen);
404 : gcry_err_code_t _gcry_cipher_ccm_check_tag
405 : /* */ (gcry_cipher_hd_t c,
406 : const unsigned char *intag, size_t taglen);
407 :
408 :
409 : /*-- cipher-gcm.c --*/
410 : gcry_err_code_t _gcry_cipher_gcm_encrypt
411 : /* */ (gcry_cipher_hd_t c,
412 : unsigned char *outbuf, size_t outbuflen,
413 : const unsigned char *inbuf, size_t inbuflen);
414 : gcry_err_code_t _gcry_cipher_gcm_decrypt
415 : /* */ (gcry_cipher_hd_t c,
416 : unsigned char *outbuf, size_t outbuflen,
417 : const unsigned char *inbuf, size_t inbuflen);
418 : gcry_err_code_t _gcry_cipher_gcm_setiv
419 : /* */ (gcry_cipher_hd_t c,
420 : const unsigned char *iv, size_t ivlen);
421 : gcry_err_code_t _gcry_cipher_gcm_authenticate
422 : /* */ (gcry_cipher_hd_t c,
423 : const unsigned char *aadbuf, size_t aadbuflen);
424 : gcry_err_code_t _gcry_cipher_gcm_get_tag
425 : /* */ (gcry_cipher_hd_t c,
426 : unsigned char *outtag, size_t taglen);
427 : gcry_err_code_t _gcry_cipher_gcm_check_tag
428 : /* */ (gcry_cipher_hd_t c,
429 : const unsigned char *intag, size_t taglen);
430 : void _gcry_cipher_gcm_setkey
431 : /* */ (gcry_cipher_hd_t c);
432 :
433 :
434 : /*-- cipher-poly1305.c --*/
435 : gcry_err_code_t _gcry_cipher_poly1305_encrypt
436 : /* */ (gcry_cipher_hd_t c,
437 : unsigned char *outbuf, size_t outbuflen,
438 : const unsigned char *inbuf, size_t inbuflen);
439 : gcry_err_code_t _gcry_cipher_poly1305_decrypt
440 : /* */ (gcry_cipher_hd_t c,
441 : unsigned char *outbuf, size_t outbuflen,
442 : const unsigned char *inbuf, size_t inbuflen);
443 : gcry_err_code_t _gcry_cipher_poly1305_setiv
444 : /* */ (gcry_cipher_hd_t c,
445 : const unsigned char *iv, size_t ivlen);
446 : gcry_err_code_t _gcry_cipher_poly1305_authenticate
447 : /* */ (gcry_cipher_hd_t c,
448 : const unsigned char *aadbuf, size_t aadbuflen);
449 : gcry_err_code_t _gcry_cipher_poly1305_get_tag
450 : /* */ (gcry_cipher_hd_t c,
451 : unsigned char *outtag, size_t taglen);
452 : gcry_err_code_t _gcry_cipher_poly1305_check_tag
453 : /* */ (gcry_cipher_hd_t c,
454 : const unsigned char *intag, size_t taglen);
455 : void _gcry_cipher_poly1305_setkey
456 : /* */ (gcry_cipher_hd_t c);
457 :
458 :
459 : /*-- cipher-ocb.c --*/
460 : gcry_err_code_t _gcry_cipher_ocb_encrypt
461 : /* */ (gcry_cipher_hd_t c,
462 : unsigned char *outbuf, size_t outbuflen,
463 : const unsigned char *inbuf, size_t inbuflen);
464 : gcry_err_code_t _gcry_cipher_ocb_decrypt
465 : /* */ (gcry_cipher_hd_t c,
466 : unsigned char *outbuf, size_t outbuflen,
467 : const unsigned char *inbuf, size_t inbuflen);
468 : gcry_err_code_t _gcry_cipher_ocb_set_nonce
469 : /* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
470 : size_t noncelen);
471 : gcry_err_code_t _gcry_cipher_ocb_authenticate
472 : /* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
473 : gcry_err_code_t _gcry_cipher_ocb_get_tag
474 : /* */ (gcry_cipher_hd_t c,
475 : unsigned char *outtag, size_t taglen);
476 : gcry_err_code_t _gcry_cipher_ocb_check_tag
477 : /* */ (gcry_cipher_hd_t c,
478 : const unsigned char *intag, size_t taglen);
479 :
480 :
481 : /*-- cipher-xts.c --*/
482 : gcry_err_code_t _gcry_cipher_xts_crypt
483 : /* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen,
484 : const unsigned char *inbuf, size_t inbuflen, int encrypt);
485 :
486 :
487 : /* Return the L-value for block N. Note: 'cipher_ocb.c' ensures that N
488 : * will never be multiple of 65536 (1 << OCB_L_TABLE_SIZE), thus N can
489 : * be directly passed to _gcry_ctz() function and resulting index will
490 : * never overflow the table. */
491 : static inline const unsigned char *
492 34824222 : ocb_get_l (gcry_cipher_hd_t c, u64 n)
493 : {
494 : unsigned long ntz;
495 :
496 : #if ((defined(__i386__) || defined(__x86_64__)) && __GNUC__ >= 4)
497 : /* Assumes that N != 0. */
498 34824222 : asm ("rep;bsfl %k[low], %k[ntz]\n\t"
499 : : [ntz] "=r" (ntz)
500 : : [low] "r" ((unsigned long)n)
501 : : "cc");
502 : #else
503 : ntz = _gcry_ctz (n);
504 : #endif
505 :
506 34824222 : return c->u_mode.ocb.L[ntz];
507 : }
508 :
509 : #endif /*G10_CIPHER_INTERNAL_H*/
|
