1 /* ====================================================================
2 * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ====================================================================
48 */
49
50 #define OPENSSL_FIPSAPI
51
52 #include <openssl/crypto.h>
53 #include "modes_lcl.h"
54 #include <string.h>
55
56 #ifndef MODES_DEBUG
57 # ifndef NDEBUG
58 # define NDEBUG
59 # endif
60 #endif
61 #include <assert.h>
62
63 #if defined(BSWAP4) && defined(STRICT_ALIGNMENT)
64 /* redefine, because alignment is ensured */
65 #undef GETU32
66 #define GETU32(p) BSWAP4(*(const u32 *)(p))
67 #undef PUTU32
68 #define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v)
69 #endif
70
71 #define PACK(s) ((size_t)(s)<<(sizeof(size_t)*8-16))
72 #define REDUCE1BIT(V) do { \
73 if (sizeof(size_t)==8) { \
74 u64 T = U64(0xe100000000000000) & (0-(V.lo&1)); \
75 V.lo = (V.hi<<63)|(V.lo>>1); \
76 V.hi = (V.hi>>1 )^T; \
77 } \
78 else { \
79 u32 T = 0xe1000000U & (0-(u32)(V.lo&1)); \
80 V.lo = (V.hi<<63)|(V.lo>>1); \
81 V.hi = (V.hi>>1 )^((u64)T<<32); \
82 } \
83 } while(0)
84
85 /*
86 * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
87 * never be set to 8. 8 is effectively reserved for testing purposes.
88 * TABLE_BITS>1 are lookup-table-driven implementations referred to as
89 * "Shoup's" in GCM specification. In other words OpenSSL does not cover
90 * whole spectrum of possible table driven implementations. Why? In
91 * non-"Shoup's" case memory access pattern is segmented in such manner,
92 * that it's trivial to see that cache timing information can reveal
93 * fair portion of intermediate hash value. Given that ciphertext is
94 * always available to attacker, it's possible for him to attempt to
95 * deduce secret parameter H and if successful, tamper with messages
96 * [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
97 * not as trivial, but there is no reason to believe that it's resistant
98 * to cache-timing attack. And the thing about "8-bit" implementation is
99 * that it consumes 16 (sixteen) times more memory, 4KB per individual
100 * key + 1KB shared. Well, on pros side it should be twice as fast as
101 * "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
102 * was observed to run ~75% faster, closer to 100% for commercial
103 * compilers... Yet "4-bit" procedure is preferred, because it's
104 * believed to provide better security-performance balance and adequate
105 * all-round performance. "All-round" refers to things like:
106 *
107 * - shorter setup time effectively improves overall timing for
108 * handling short messages;
109 * - larger table allocation can become unbearable because of VM
110 * subsystem penalties (for example on Windows large enough free
111 * results in VM working set trimming, meaning that consequent
112 * malloc would immediately incur working set expansion);
113 * - larger table has larger cache footprint, which can affect
114 * performance of other code paths (not necessarily even from same
115 * thread in Hyper-Threading world);
116 *
117 * Value of 1 is not appropriate for performance reasons.
118 */
119 #if TABLE_BITS==8
120
121 static void gcm_init_8bit(u128 Htable[256], u64 H[2])
122 {
123 int i, j;
124 u128 V;
125
126 Htable[0].hi = 0;
127 Htable[0].lo = 0;
128 V.hi = H[0];
129 V.lo = H[1];
130
131 for (Htable[128]=V, i=64; i>0; i>>=1) {
132 REDUCE1BIT(V);
133 Htable[i] = V;
134 }
135
136 for (i=2; i<256; i<<=1) {
137 u128 *Hi = Htable+i, H0 = *Hi;
138 for (j=1; j<i; ++j) {
139 Hi[j].hi = H0.hi^Htable[j].hi;
140 Hi[j].lo = H0.lo^Htable[j].lo;
141 }
142 }
143 }
144
145 static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
146 {
147 u128 Z = { 0, 0};
148 const u8 *xi = (const u8 *)Xi+15;
149 size_t rem, n = *xi;
150 const union { long one; char little; } is_endian = {1};
151 static const size_t rem_8bit[256] = {
152 PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
153 PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
154 PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
155 PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
156 PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
157 PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
158 PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
159 PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
160 PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
161 PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
162 PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
163 PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
164 PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
165 PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
166 PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
167 PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
168 PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
169 PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
170 PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
171 PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
172 PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
173 PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
174 PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
175 PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
176 PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
177 PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
178 PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
179 PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
180 PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
181 PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
182 PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
183 PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
184 PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
185 PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
186 PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
187 PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
188 PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
189 PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
190 PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
191 PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
192 PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
193 PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
194 PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
195 PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
196 PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
197 PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
198 PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
199 PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
200 PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
201 PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
202 PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
203 PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
204 PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
205 PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
206 PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
207 PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
208 PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
209 PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
210 PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
211 PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
212 PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
213 PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
214 PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
215 PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE) };
216
217 while (1) {
218 Z.hi ^= Htable[n].hi;
219 Z.lo ^= Htable[n].lo;
220
221 if ((u8 *)Xi==xi) break;
222
223 n = *(--xi);
224
225 rem = (size_t)Z.lo&0xff;
226 Z.lo = (Z.hi<<56)|(Z.lo>>8);
227 Z.hi = (Z.hi>>8);
228 if (sizeof(size_t)==8)
229 Z.hi ^= rem_8bit[rem];
230 else
231 Z.hi ^= (u64)rem_8bit[rem]<<32;
232 }
233
234 if (is_endian.little) {
235 #ifdef BSWAP8
236 Xi[0] = BSWAP8(Z.hi);
237 Xi[1] = BSWAP8(Z.lo);
238 #else
239 u8 *p = (u8 *)Xi;
240 u32 v;
241 v = (u32)(Z.hi>>32); PUTU32(p,v);
242 v = (u32)(Z.hi); PUTU32(p+4,v);
243 v = (u32)(Z.lo>>32); PUTU32(p+8,v);
244 v = (u32)(Z.lo); PUTU32(p+12,v);
245 #endif
246 }
247 else {
248 Xi[0] = Z.hi;
249 Xi[1] = Z.lo;
250 }
251 }
252 #define GCM_MUL(ctx,Xi) gcm_gmult_8bit(ctx->Xi.u,ctx->Htable)
253
254 #elif TABLE_BITS==4
255
256 static void gcm_init_4bit(u128 Htable[16], u64 H[2])
257 {
258 u128 V;
259 #if defined(OPENSSL_SMALL_FOOTPRINT)
260 int i;
261 #endif
262
263 Htable[0].hi = 0;
264 Htable[0].lo = 0;
265 V.hi = H[0];
266 V.lo = H[1];
267
268 #if defined(OPENSSL_SMALL_FOOTPRINT)
269 for (Htable[8]=V, i=4; i>0; i>>=1) {
270 REDUCE1BIT(V);
271 Htable[i] = V;
272 }
273
274 for (i=2; i<16; i<<=1) {
275 u128 *Hi = Htable+i;
276 int j;
277 for (V=*Hi, j=1; j<i; ++j) {
278 Hi[j].hi = V.hi^Htable[j].hi;
279 Hi[j].lo = V.lo^Htable[j].lo;
280 }
281 }
282 #else
283 Htable[8] = V;
284 REDUCE1BIT(V);
285 Htable[4] = V;
286 REDUCE1BIT(V);
287 Htable[2] = V;
288 REDUCE1BIT(V);
289 Htable[1] = V;
290 Htable[3].hi = V.hi^Htable[2].hi, Htable[3].lo = V.lo^Htable[2].lo;
291 V=Htable[4];
292 Htable[5].hi = V.hi^Htable[1].hi, Htable[5].lo = V.lo^Htable[1].lo;
293 Htable[6].hi = V.hi^Htable[2].hi, Htable[6].lo = V.lo^Htable[2].lo;
294 Htable[7].hi = V.hi^Htable[3].hi, Htable[7].lo = V.lo^Htable[3].lo;
295 V=Htable[8];
296 Htable[9].hi = V.hi^Htable[1].hi, Htable[9].lo = V.lo^Htable[1].lo;
297 Htable[10].hi = V.hi^Htable[2].hi, Htable[10].lo = V.lo^Htable[2].lo;
298 Htable[11].hi = V.hi^Htable[3].hi, Htable[11].lo = V.lo^Htable[3].lo;
299 Htable[12].hi = V.hi^Htable[4].hi, Htable[12].lo = V.lo^Htable[4].lo;
300 Htable[13].hi = V.hi^Htable[5].hi, Htable[13].lo = V.lo^Htable[5].lo;
301 Htable[14].hi = V.hi^Htable[6].hi, Htable[14].lo = V.lo^Htable[6].lo;
302 Htable[15].hi = V.hi^Htable[7].hi, Htable[15].lo = V.lo^Htable[7].lo;
303 #endif
304 #if defined(GHASH_ASM) && (defined(__arm__) || defined(__arm))
305 /*
306 * ARM assembler expects specific dword order in Htable.
307 */
308 {
309 int j;
310 const union { long one; char little; } is_endian = {1};
311
312 if (is_endian.little)
313 for (j=0;j<16;++j) {
314 V = Htable[j];
315 Htable[j].hi = V.lo;
316 Htable[j].lo = V.hi;
317 }
318 else
319 for (j=0;j<16;++j) {
320 V = Htable[j];
321 Htable[j].hi = V.lo<<32|V.lo>>32;
322 Htable[j].lo = V.hi<<32|V.hi>>32;
323 }
324 }
325 #endif
326 }
327
328 #ifndef GHASH_ASM
329 static const size_t rem_4bit[16] = {
330 PACK(0x0000), PACK(0x1C20), PACK(0x3840), PACK(0x2460),
331 PACK(0x7080), PACK(0x6CA0), PACK(0x48C0), PACK(0x54E0),
332 PACK(0xE100), PACK(0xFD20), PACK(0xD940), PACK(0xC560),
333 PACK(0x9180), PACK(0x8DA0), PACK(0xA9C0), PACK(0xB5E0) };
334
335 static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
336 {
337 u128 Z;
338 int cnt = 15;
339 size_t rem, nlo, nhi;
340 const union { long one; char little; } is_endian = {1};
341
342 nlo = ((const u8 *)Xi)[15];
343 nhi = nlo>>4;
344 nlo &= 0xf;
345
346 Z.hi = Htable[nlo].hi;
347 Z.lo = Htable[nlo].lo;
348
349 while (1) {
350 rem = (size_t)Z.lo&0xf;
351 Z.lo = (Z.hi<<60)|(Z.lo>>4);
352 Z.hi = (Z.hi>>4);
353 if (sizeof(size_t)==8)
354 Z.hi ^= rem_4bit[rem];
355 else
356 Z.hi ^= (u64)rem_4bit[rem]<<32;
357
358 Z.hi ^= Htable[nhi].hi;
359 Z.lo ^= Htable[nhi].lo;
360
361 if (--cnt<0) break;
362
363 nlo = ((const u8 *)Xi)[cnt];
364 nhi = nlo>>4;
365 nlo &= 0xf;
366
367 rem = (size_t)Z.lo&0xf;
368 Z.lo = (Z.hi<<60)|(Z.lo>>4);
369 Z.hi = (Z.hi>>4);
370 if (sizeof(size_t)==8)
371 Z.hi ^= rem_4bit[rem];
372 else
373 Z.hi ^= (u64)rem_4bit[rem]<<32;
374
375 Z.hi ^= Htable[nlo].hi;
376 Z.lo ^= Htable[nlo].lo;
377 }
378
379 if (is_endian.little) {
380 #ifdef BSWAP8
381 Xi[0] = BSWAP8(Z.hi);
382 Xi[1] = BSWAP8(Z.lo);
383 #else
384 u8 *p = (u8 *)Xi;
385 u32 v;
386 v = (u32)(Z.hi>>32); PUTU32(p,v);
387 v = (u32)(Z.hi); PUTU32(p+4,v);
388 v = (u32)(Z.lo>>32); PUTU32(p+8,v);
389 v = (u32)(Z.lo); PUTU32(p+12,v);
390 #endif
391 }
392 else {
393 Xi[0] = Z.hi;
394 Xi[1] = Z.lo;
395 }
396 }
397
398 #if !defined(OPENSSL_SMALL_FOOTPRINT)
399 /*
400 * Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
401 * details... Compiler-generated code doesn't seem to give any
402 * performance improvement, at least not on x86[_64]. It's here
403 * mostly as reference and a placeholder for possible future
404 * non-trivial optimization[s]...
405 */
406 static void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],
407 const u8 *inp,size_t len)
408 {
409 u128 Z;
410 int cnt;
411 size_t rem, nlo, nhi;
412 const union { long one; char little; } is_endian = {1};
413
414 #if 1
415 do {
416 cnt = 15;
417 nlo = ((const u8 *)Xi)[15];
418 nlo ^= inp[15];
419 nhi = nlo>>4;
420 nlo &= 0xf;
421
422 Z.hi = Htable[nlo].hi;
423 Z.lo = Htable[nlo].lo;
424
425 while (1) {
426 rem = (size_t)Z.lo&0xf;
427 Z.lo = (Z.hi<<60)|(Z.lo>>4);
428 Z.hi = (Z.hi>>4);
429 if (sizeof(size_t)==8)
430 Z.hi ^= rem_4bit[rem];
431 else
432 Z.hi ^= (u64)rem_4bit[rem]<<32;
433
434 Z.hi ^= Htable[nhi].hi;
435 Z.lo ^= Htable[nhi].lo;
436
437 if (--cnt<0) break;
438
439 nlo = ((const u8 *)Xi)[cnt];
440 nlo ^= inp[cnt];
441 nhi = nlo>>4;
442 nlo &= 0xf;
443
444 rem = (size_t)Z.lo&0xf;
445 Z.lo = (Z.hi<<60)|(Z.lo>>4);
446 Z.hi = (Z.hi>>4);
447 if (sizeof(size_t)==8)
448 Z.hi ^= rem_4bit[rem];
449 else
450 Z.hi ^= (u64)rem_4bit[rem]<<32;
451
452 Z.hi ^= Htable[nlo].hi;
453 Z.lo ^= Htable[nlo].lo;
454 }
455 #else
456 /*
457 * Extra 256+16 bytes per-key plus 512 bytes shared tables
458 * [should] give ~50% improvement... One could have PACK()-ed
459 * the rem_8bit even here, but the priority is to minimize
460 * cache footprint...
461 */
462 u128 Hshr4[16]; /* Htable shifted right by 4 bits */
463 u8 Hshl4[16]; /* Htable shifted left by 4 bits */
464 static const unsigned short rem_8bit[256] = {
465 0x0000, 0x01C2, 0x0384, 0x0246, 0x0708, 0x06CA, 0x048C, 0x054E,
466 0x0E10, 0x0FD2, 0x0D94, 0x0C56, 0x0918, 0x08DA, 0x0A9C, 0x0B5E,
467 0x1C20, 0x1DE2, 0x1FA4, 0x1E66, 0x1B28, 0x1AEA, 0x18AC, 0x196E,
468 0x1230, 0x13F2, 0x11B4, 0x1076, 0x1538, 0x14FA, 0x16BC, 0x177E,
469 0x3840, 0x3982, 0x3BC4, 0x3A06, 0x3F48, 0x3E8A, 0x3CCC, 0x3D0E,
470 0x3650, 0x3792, 0x35D4, 0x3416, 0x3158, 0x309A, 0x32DC, 0x331E,
471 0x2460, 0x25A2, 0x27E4, 0x2626, 0x2368, 0x22AA, 0x20EC, 0x212E,
472 0x2A70, 0x2BB2, 0x29F4, 0x2836, 0x2D78, 0x2CBA, 0x2EFC, 0x2F3E,
473 0x7080, 0x7142, 0x7304, 0x72C6, 0x7788, 0x764A, 0x740C, 0x75CE,
474 0x7E90, 0x7F52, 0x7D14, 0x7CD6, 0x7998, 0x785A, 0x7A1C, 0x7BDE,
475 0x6CA0, 0x6D62, 0x6F24, 0x6EE6, 0x6BA8, 0x6A6A, 0x682C, 0x69EE,
476 0x62B0, 0x6372, 0x6134, 0x60F6, 0x65B8, 0x647A, 0x663C, 0x67FE,
477 0x48C0, 0x4902, 0x4B44, 0x4A86, 0x4FC8, 0x4E0A, 0x4C4C, 0x4D8E,
478 0x46D0, 0x4712, 0x4554, 0x4496, 0x41D8, 0x401A, 0x425C, 0x439E,
479 0x54E0, 0x5522, 0x5764, 0x56A6, 0x53E8, 0x522A, 0x506C, 0x51AE,
480 0x5AF0, 0x5B32, 0x5974, 0x58B6, 0x5DF8, 0x5C3A, 0x5E7C, 0x5FBE,
481 0xE100, 0xE0C2, 0xE284, 0xE346, 0xE608, 0xE7CA, 0xE58C, 0xE44E,
482 0xEF10, 0xEED2, 0xEC94, 0xED56, 0xE818, 0xE9DA, 0xEB9C, 0xEA5E,
483 0xFD20, 0xFCE2, 0xFEA4, 0xFF66, 0xFA28, 0xFBEA, 0xF9AC, 0xF86E,
484 0xF330, 0xF2F2, 0xF0B4, 0xF176, 0xF438, 0xF5FA, 0xF7BC, 0xF67E,
485 0xD940, 0xD882, 0xDAC4, 0xDB06, 0xDE48, 0xDF8A, 0xDDCC, 0xDC0E,
486 0xD750, 0xD692, 0xD4D4, 0xD516, 0xD058, 0xD19A, 0xD3DC, 0xD21E,
487 0xC560, 0xC4A2, 0xC6E4, 0xC726, 0xC268, 0xC3AA, 0xC1EC, 0xC02E,
488 0xCB70, 0xCAB2, 0xC8F4, 0xC936, 0xCC78, 0xCDBA, 0xCFFC, 0xCE3E,
489 0x9180, 0x9042, 0x9204, 0x93C6, 0x9688, 0x974A, 0x950C, 0x94CE,
490 0x9F90, 0x9E52, 0x9C14, 0x9DD6, 0x9898, 0x995A, 0x9B1C, 0x9ADE,
491 0x8DA0, 0x8C62, 0x8E24, 0x8FE6, 0x8AA8, 0x8B6A, 0x892C, 0x88EE,
492 0x83B0, 0x8272, 0x8034, 0x81F6, 0x84B8, 0x857A, 0x873C, 0x86FE,
493 0xA9C0, 0xA802, 0xAA44, 0xAB86, 0xAEC8, 0xAF0A, 0xAD4C, 0xAC8E,
494 0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
495 0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
496 0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE };
497 /*
498 * This pre-processing phase slows down procedure by approximately
499 * same time as it makes each loop spin faster. In other words
500 * single block performance is approximately same as straightforward
501 * "4-bit" implementation, and then it goes only faster...
502 */
503 for (cnt=0; cnt<16; ++cnt) {
504 Z.hi = Htable[cnt].hi;
505 Z.lo = Htable[cnt].lo;
506 Hshr4[cnt].lo = (Z.hi<<60)|(Z.lo>>4);
507 Hshr4[cnt].hi = (Z.hi>>4);
508 Hshl4[cnt] = (u8)(Z.lo<<4);
509 }
510
511 do {
512 for (Z.lo=0, Z.hi=0, cnt=15; cnt; --cnt) {
513 nlo = ((const u8 *)Xi)[cnt];
514 nlo ^= inp[cnt];
515 nhi = nlo>>4;
516 nlo &= 0xf;
517
518 Z.hi ^= Htable[nlo].hi;
519 Z.lo ^= Htable[nlo].lo;
520
521 rem = (size_t)Z.lo&0xff;
522
523 Z.lo = (Z.hi<<56)|(Z.lo>>8);
524 Z.hi = (Z.hi>>8);
525
526 Z.hi ^= Hshr4[nhi].hi;
527 Z.lo ^= Hshr4[nhi].lo;
528 Z.hi ^= (u64)rem_8bit[rem^Hshl4[nhi]]<<48;
529 }
530
531 nlo = ((const u8 *)Xi)[0];
532 nlo ^= inp[0];
533 nhi = nlo>>4;
534 nlo &= 0xf;
535
536 Z.hi ^= Htable[nlo].hi;
537 Z.lo ^= Htable[nlo].lo;
538
539 rem = (size_t)Z.lo&0xf;
540
541 Z.lo = (Z.hi<<60)|(Z.lo>>4);
542 Z.hi = (Z.hi>>4);
543
544 Z.hi ^= Htable[nhi].hi;
545 Z.lo ^= Htable[nhi].lo;
546 Z.hi ^= ((u64)rem_8bit[rem<<4])<<48;
547 #endif
548
549 if (is_endian.little) {
550 #ifdef BSWAP8
551 Xi[0] = BSWAP8(Z.hi);
552 Xi[1] = BSWAP8(Z.lo);
553 #else
554 u8 *p = (u8 *)Xi;
555 u32 v;
556 v = (u32)(Z.hi>>32); PUTU32(p,v);
557 v = (u32)(Z.hi); PUTU32(p+4,v);
558 v = (u32)(Z.lo>>32); PUTU32(p+8,v);
559 v = (u32)(Z.lo); PUTU32(p+12,v);
560 #endif
561 }
562 else {
563 Xi[0] = Z.hi;
564 Xi[1] = Z.lo;
565 }
566 } while (inp+=16, len-=16);
567 }
568 #endif
569 #else
570 void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]);
571 void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
572 #endif
573
574 #define GCM_MUL(ctx,Xi) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
575 #if defined(GHASH_ASM) || !defined(OPENSSL_SMALL_FOOTPRINT)
576 #define GHASH(ctx,in,len) gcm_ghash_4bit((ctx)->Xi.u,(ctx)->Htable,in,len)
577 /* GHASH_CHUNK is "stride parameter" missioned to mitigate cache
578 * trashing effect. In other words idea is to hash data while it's
579 * still in L1 cache after encryption pass... */
580 #define GHASH_CHUNK (3*1024)
581 #endif
582
583 #else /* TABLE_BITS */
584
585 static void gcm_gmult_1bit(u64 Xi[2],const u64 H[2])
586 {
587 u128 V,Z = { 0,0 };
588 long X;
589 int i,j;
590 const long *xi = (const long *)Xi;
591 const union { long one; char little; } is_endian = {1};
592
593 V.hi = H[0]; /* H is in host byte order, no byte swapping */
594 V.lo = H[1];
595
596 for (j=0; j<16/sizeof(long); ++j) {
597 if (is_endian.little) {
598 if (sizeof(long)==8) {
599 #ifdef BSWAP8
600 X = (long)(BSWAP8(xi[j]));
601 #else
602 const u8 *p = (const u8 *)(xi+j);
603 X = (long)((u64)GETU32(p)<<32|GETU32(p+4));
604 #endif
605 }
606 else {
607 const u8 *p = (const u8 *)(xi+j);
608 X = (long)GETU32(p);
609 }
610 }
611 else
612 X = xi[j];
613
614 for (i=0; i<8*sizeof(long); ++i, X<<=1) {
615 u64 M = (u64)(X>>(8*sizeof(long)-1));
616 Z.hi ^= V.hi&M;
617 Z.lo ^= V.lo&M;
618
619 REDUCE1BIT(V);
620 }
621 }
622
623 if (is_endian.little) {
624 #ifdef BSWAP8
625 Xi[0] = BSWAP8(Z.hi);
626 Xi[1] = BSWAP8(Z.lo);
627 #else
628 u8 *p = (u8 *)Xi;
629 u32 v;
630 v = (u32)(Z.hi>>32); PUTU32(p,v);
631 v = (u32)(Z.hi); PUTU32(p+4,v);
632 v = (u32)(Z.lo>>32); PUTU32(p+8,v);
633 v = (u32)(Z.lo); PUTU32(p+12,v);
634 #endif
635 }
636 else {
637 Xi[0] = Z.hi;
638 Xi[1] = Z.lo;
639 }
640 }
641 #define GCM_MUL(ctx,Xi) gcm_gmult_1bit(ctx->Xi.u,ctx->H.u)
642
643 #endif
644
645 #if TABLE_BITS==4 && defined(GHASH_ASM)
646 # if !defined(I386_ONLY) && \
647 (defined(__i386) || defined(__i386__) || \
648 defined(__x86_64) || defined(__x86_64__) || \
649 defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
650 # define GHASH_ASM_X86_OR_64
651 # define GCM_FUNCREF_4BIT
652 extern unsigned int OPENSSL_ia32cap_P[2];
653
654 void gcm_init_clmul(u128 Htable[16],const u64 Xi[2]);
655 void gcm_gmult_clmul(u64 Xi[2],const u128 Htable[16]);
656 void gcm_ghash_clmul(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
657
658 # if defined(__i386) || defined(__i386__) || defined(_M_IX86)
659 # define GHASH_ASM_X86
660 void gcm_gmult_4bit_mmx(u64 Xi[2],const u128 Htable[16]);
661 void gcm_ghash_4bit_mmx(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
662
663 void gcm_gmult_4bit_x86(u64 Xi[2],const u128 Htable[16]);
664 void gcm_ghash_4bit_x86(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
665 # endif
666 # elif defined(__arm__) || defined(__arm)
667 # include "arm_arch.h"
668 # if __ARM_ARCH__>=7
669 # define GHASH_ASM_ARM
670 # define GCM_FUNCREF_4BIT
671 void gcm_gmult_neon(u64 Xi[2],const u128 Htable[16]);
672 void gcm_ghash_neon(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
673 # endif
674 # endif
675 #endif
676
677 #ifdef GCM_FUNCREF_4BIT
678 # undef GCM_MUL
679 # define GCM_MUL(ctx,Xi) (*gcm_gmult_p)(ctx->Xi.u,ctx->Htable)
680 # ifdef GHASH
681 # undef GHASH
682 # define GHASH(ctx,in,len) (*gcm_ghash_p)(ctx->Xi.u,ctx->Htable,in,len)
683 # endif
684 #endif
685
686 void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
687 {
688 const union { long one; char little; } is_endian = {1};
689
690 memset(ctx,0,sizeof(*ctx));
691 ctx->block = block;
692 ctx->key = key;
693
694 (*block)(ctx->H.c,ctx->H.c,key);
695
696 if (is_endian.little) {
697 /* H is stored in host byte order */
698 #ifdef BSWAP8
699 ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
700 ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
701 #else
702 u8 *p = ctx->H.c;
703 u64 hi,lo;
704 hi = (u64)GETU32(p) <<32|GETU32(p+4);
705 lo = (u64)GETU32(p+8)<<32|GETU32(p+12);
706 ctx->H.u[0] = hi;
707 ctx->H.u[1] = lo;
708 #endif
709 }
710
711 #if TABLE_BITS==8
712 gcm_init_8bit(ctx->Htable,ctx->H.u);
713 #elif TABLE_BITS==4
714 # if defined(GHASH_ASM_X86_OR_64)
715 # if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
716 if (OPENSSL_ia32cap_P[0]&(1<<24) && /* check FXSR bit */
717 OPENSSL_ia32cap_P[1]&(1<<1) ) { /* check PCLMULQDQ bit */
718 gcm_init_clmul(ctx->Htable,ctx->H.u);
719 ctx->gmult = gcm_gmult_clmul;
720 ctx->ghash = gcm_ghash_clmul;
721 return;
722 }
723 # endif
724 gcm_init_4bit(ctx->Htable,ctx->H.u);
725 # if defined(GHASH_ASM_X86) /* x86 only */
726 # if defined(OPENSSL_IA32_SSE2)
727 if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */
728 # else
729 if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */
730 # endif
731 ctx->gmult = gcm_gmult_4bit_mmx;
732 ctx->ghash = gcm_ghash_4bit_mmx;
733 } else {
734 ctx->gmult = gcm_gmult_4bit_x86;
735 ctx->ghash = gcm_ghash_4bit_x86;
736 }
737 # else
738 ctx->gmult = gcm_gmult_4bit;
739 ctx->ghash = gcm_ghash_4bit;
740 # endif
741 # elif defined(GHASH_ASM_ARM)
742 if (OPENSSL_armcap_P & ARMV7_NEON) {
743 ctx->gmult = gcm_gmult_neon;
744 ctx->ghash = gcm_ghash_neon;
745 } else {
746 gcm_init_4bit(ctx->Htable,ctx->H.u);
747 ctx->gmult = gcm_gmult_4bit;
748 ctx->ghash = gcm_ghash_4bit;
749 }
750 # else
751 gcm_init_4bit(ctx->Htable,ctx->H.u);
752 # endif
753 #endif
754 }
755
756 void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
757 {
758 const union { long one; char little; } is_endian = {1};
759 unsigned int ctr;
760 #ifdef GCM_FUNCREF_4BIT
761 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
762 #endif
763
764 ctx->Yi.u[0] = 0;
765 ctx->Yi.u[1] = 0;
766 ctx->Xi.u[0] = 0;
767 ctx->Xi.u[1] = 0;
768 ctx->len.u[0] = 0; /* AAD length */
769 ctx->len.u[1] = 0; /* message length */
770 ctx->ares = 0;
771 ctx->mres = 0;
772
773 if (len==12) {
774 memcpy(ctx->Yi.c,iv,12);
775 ctx->Yi.c[15]=1;
776 ctr=1;
777 }
778 else {
779 size_t i;
780 u64 len0 = len;
781
782 while (len>=16) {
783 for (i=0; i<16; ++i) ctx->Yi.c[i] ^= iv[i];
784 GCM_MUL(ctx,Yi);
785 iv += 16;
786 len -= 16;
787 }
788 if (len) {
789 for (i=0; i<len; ++i) ctx->Yi.c[i] ^= iv[i];
790 GCM_MUL(ctx,Yi);
791 }
792 len0 <<= 3;
793 if (is_endian.little) {
794 #ifdef BSWAP8
795 ctx->Yi.u[1] ^= BSWAP8(len0);
796 #else
797 ctx->Yi.c[8] ^= (u8)(len0>>56);
798 ctx->Yi.c[9] ^= (u8)(len0>>48);
799 ctx->Yi.c[10] ^= (u8)(len0>>40);
800 ctx->Yi.c[11] ^= (u8)(len0>>32);
801 ctx->Yi.c[12] ^= (u8)(len0>>24);
802 ctx->Yi.c[13] ^= (u8)(len0>>16);
803 ctx->Yi.c[14] ^= (u8)(len0>>8);
804 ctx->Yi.c[15] ^= (u8)(len0);
805 #endif
806 }
807 else
808 ctx->Yi.u[1] ^= len0;
809
810 GCM_MUL(ctx,Yi);
811
812 if (is_endian.little)
813 #ifdef BSWAP4
814 ctr = BSWAP4(ctx->Yi.d[3]);
815 #else
816 ctr = GETU32(ctx->Yi.c+12);
817 #endif
818 else
819 ctr = ctx->Yi.d[3];
820 }
821
822 (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
823 ++ctr;
824 if (is_endian.little)
825 #ifdef BSWAP4
826 ctx->Yi.d[3] = BSWAP4(ctr);
827 #else
828 PUTU32(ctx->Yi.c+12,ctr);
829 #endif
830 else
831 ctx->Yi.d[3] = ctr;
832 }
833
834 int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx,const unsigned char *aad,size_t len)
835 {
836 size_t i;
837 unsigned int n;
838 u64 alen = ctx->len.u[0];
839 #ifdef GCM_FUNCREF_4BIT
840 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
841 # ifdef GHASH
842 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
843 const u8 *inp,size_t len) = ctx->ghash;
844 # endif
845 #endif
846
847 if (ctx->len.u[1]) return -2;
848
849 alen += len;
850 if (alen>(U64(1)<<61) || (sizeof(len)==8 && alen<len))
851 return -1;
852 ctx->len.u[0] = alen;
853
854 n = ctx->ares;
855 if (n) {
856 while (n && len) {
857 ctx->Xi.c[n] ^= *(aad++);
858 --len;
859 n = (n+1)%16;
860 }
861 if (n==0) GCM_MUL(ctx,Xi);
862 else {
863 ctx->ares = n;
864 return 0;
865 }
866 }
867
868 #ifdef GHASH
869 if ((i = (len&(size_t)-16))) {
870 GHASH(ctx,aad,i);
871 aad += i;
872 len -= i;
873 }
874 #else
875 while (len>=16) {
876 for (i=0; i<16; ++i) ctx->Xi.c[i] ^= aad[i];
877 GCM_MUL(ctx,Xi);
878 aad += 16;
879 len -= 16;
880 }
881 #endif
882 if (len) {
883 n = (unsigned int)len;
884 for (i=0; i<len; ++i) ctx->Xi.c[i] ^= aad[i];
885 }
886
887 ctx->ares = n;
888 return 0;
889 }
890
891 int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
892 const unsigned char *in, unsigned char *out,
893 size_t len)
894 {
895 const union { long one; char little; } is_endian = {1};
896 unsigned int n, ctr;
897 size_t i;
898 u64 mlen = ctx->len.u[1];
899 block128_f block = ctx->block;
900 void *key = ctx->key;
901 #ifdef GCM_FUNCREF_4BIT
902 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
903 # ifdef GHASH
904 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
905 const u8 *inp,size_t len) = ctx->ghash;
906 # endif
907 #endif
908
909 #if 0
910 n = (unsigned int)mlen%16; /* alternative to ctx->mres */
911 #endif
912 mlen += len;
913 if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
914 return -1;
915 ctx->len.u[1] = mlen;
916
917 if (ctx->ares) {
918 /* First call to encrypt finalizes GHASH(AAD) */
919 GCM_MUL(ctx,Xi);
920 ctx->ares = 0;
921 }
922
923 if (is_endian.little)
924 #ifdef BSWAP4
925 ctr = BSWAP4(ctx->Yi.d[3]);
926 #else
927 ctr = GETU32(ctx->Yi.c+12);
928 #endif
929 else
930 ctr = ctx->Yi.d[3];
931
932 n = ctx->mres;
933 #if !defined(OPENSSL_SMALL_FOOTPRINT)
934 if (16%sizeof(size_t) == 0) do { /* always true actually */
935 if (n) {
936 while (n && len) {
937 ctx->Xi.c[n] ^= *(out++) = *(in++)^ctx->EKi.c[n];
938 --len;
939 n = (n+1)%16;
940 }
941 if (n==0) GCM_MUL(ctx,Xi);
942 else {
943 ctx->mres = n;
944 return 0;
945 }
946 }
947 #if defined(STRICT_ALIGNMENT)
948 if (((size_t)in|(size_t)out)%sizeof(size_t) != 0)
949 break;
950 #endif
951 #if defined(GHASH) && defined(GHASH_CHUNK)
952 while (len>=GHASH_CHUNK) {
953 size_t j=GHASH_CHUNK;
954
955 while (j) {
956 size_t *out_t=(size_t *)out;
957 const size_t *in_t=(const size_t *)in;
958
959 (*block)(ctx->Yi.c,ctx->EKi.c,key);
960 ++ctr;
961 if (is_endian.little)
962 #ifdef BSWAP4
963 ctx->Yi.d[3] = BSWAP4(ctr);
964 #else
965 PUTU32(ctx->Yi.c+12,ctr);
966 #endif
967 else
968 ctx->Yi.d[3] = ctr;
969 for (i=0; i<16/sizeof(size_t); ++i)
970 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
971 out += 16;
972 in += 16;
973 j -= 16;
974 }
975 GHASH(ctx,out-GHASH_CHUNK,GHASH_CHUNK);
976 len -= GHASH_CHUNK;
977 }
978 if ((i = (len&(size_t)-16))) {
979 size_t j=i;
980
981 while (len>=16) {
982 size_t *out_t=(size_t *)out;
983 const size_t *in_t=(const size_t *)in;
984
985 (*block)(ctx->Yi.c,ctx->EKi.c,key);
986 ++ctr;
987 if (is_endian.little)
988 #ifdef BSWAP4
989 ctx->Yi.d[3] = BSWAP4(ctr);
990 #else
991 PUTU32(ctx->Yi.c+12,ctr);
992 #endif
993 else
994 ctx->Yi.d[3] = ctr;
995 for (i=0; i<16/sizeof(size_t); ++i)
996 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
997 out += 16;
998 in += 16;
999 len -= 16;
1000 }
1001 GHASH(ctx,out-j,j);
1002 }
1003 #else
1004 while (len>=16) {
1005 size_t *out_t=(size_t *)out;
1006 const size_t *in_t=(const size_t *)in;
1007
1008 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1009 ++ctr;
1010 if (is_endian.little)
1011 #ifdef BSWAP4
1012 ctx->Yi.d[3] = BSWAP4(ctr);
1013 #else
1014 PUTU32(ctx->Yi.c+12,ctr);
1015 #endif
1016 else
1017 ctx->Yi.d[3] = ctr;
1018 for (i=0; i<16/sizeof(size_t); ++i)
1019 ctx->Xi.t[i] ^=
1020 out_t[i] = in_t[i]^ctx->EKi.t[i];
1021 GCM_MUL(ctx,Xi);
1022 out += 16;
1023 in += 16;
1024 len -= 16;
1025 }
1026 #endif
1027 if (len) {
1028 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1029 ++ctr;
1030 if (is_endian.little)
1031 #ifdef BSWAP4
1032 ctx->Yi.d[3] = BSWAP4(ctr);
1033 #else
1034 PUTU32(ctx->Yi.c+12,ctr);
1035 #endif
1036 else
1037 ctx->Yi.d[3] = ctr;
1038 while (len--) {
1039 ctx->Xi.c[n] ^= out[n] = in[n]^ctx->EKi.c[n];
1040 ++n;
1041 }
1042 }
1043
1044 ctx->mres = n;
1045 return 0;
1046 } while(0);
1047 #endif
1048 for (i=0;i<len;++i) {
1049 if (n==0) {
1050 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1051 ++ctr;
1052 if (is_endian.little)
1053 #ifdef BSWAP4
1054 ctx->Yi.d[3] = BSWAP4(ctr);
1055 #else
1056 PUTU32(ctx->Yi.c+12,ctr);
1057 #endif
1058 else
1059 ctx->Yi.d[3] = ctr;
1060 }
1061 ctx->Xi.c[n] ^= out[i] = in[i]^ctx->EKi.c[n];
1062 n = (n+1)%16;
1063 if (n==0)
1064 GCM_MUL(ctx,Xi);
1065 }
1066
1067 ctx->mres = n;
1068 return 0;
1069 }
1070
1071 int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1072 const unsigned char *in, unsigned char *out,
1073 size_t len)
1074 {
1075 const union { long one; char little; } is_endian = {1};
1076 unsigned int n, ctr;
1077 size_t i;
1078 u64 mlen = ctx->len.u[1];
1079 block128_f block = ctx->block;
1080 void *key = ctx->key;
1081 #ifdef GCM_FUNCREF_4BIT
1082 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
1083 # ifdef GHASH
1084 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
1085 const u8 *inp,size_t len) = ctx->ghash;
1086 # endif
1087 #endif
1088
1089 mlen += len;
1090 if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
1091 return -1;
1092 ctx->len.u[1] = mlen;
1093
1094 if (ctx->ares) {
1095 /* First call to decrypt finalizes GHASH(AAD) */
1096 GCM_MUL(ctx,Xi);
1097 ctx->ares = 0;
1098 }
1099
1100 if (is_endian.little)
1101 #ifdef BSWAP4
1102 ctr = BSWAP4(ctx->Yi.d[3]);
1103 #else
1104 ctr = GETU32(ctx->Yi.c+12);
1105 #endif
1106 else
1107 ctr = ctx->Yi.d[3];
1108
1109 n = ctx->mres;
1110 #if !defined(OPENSSL_SMALL_FOOTPRINT)
1111 if (16%sizeof(size_t) == 0) do { /* always true actually */
1112 if (n) {
1113 while (n && len) {
1114 u8 c = *(in++);
1115 *(out++) = c^ctx->EKi.c[n];
1116 ctx->Xi.c[n] ^= c;
1117 --len;
1118 n = (n+1)%16;
1119 }
1120 if (n==0) GCM_MUL (ctx,Xi);
1121 else {
1122 ctx->mres = n;
1123 return 0;
1124 }
1125 }
1126 #if defined(STRICT_ALIGNMENT)
1127 if (((size_t)in|(size_t)out)%sizeof(size_t) != 0)
1128 break;
1129 #endif
1130 #if defined(GHASH) && defined(GHASH_CHUNK)
1131 while (len>=GHASH_CHUNK) {
1132 size_t j=GHASH_CHUNK;
1133
1134 GHASH(ctx,in,GHASH_CHUNK);
1135 while (j) {
1136 size_t *out_t=(size_t *)out;
1137 const size_t *in_t=(const size_t *)in;
1138
1139 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1140 ++ctr;
1141 if (is_endian.little)
1142 #ifdef BSWAP4
1143 ctx->Yi.d[3] = BSWAP4(ctr);
1144 #else
1145 PUTU32(ctx->Yi.c+12,ctr);
1146 #endif
1147 else
1148 ctx->Yi.d[3] = ctr;
1149 for (i=0; i<16/sizeof(size_t); ++i)
1150 out_t[i] = in_t[i]^ctx->EKi.t[i];
1151 out += 16;
1152 in += 16;
1153 j -= 16;
1154 }
1155 len -= GHASH_CHUNK;
1156 }
1157 if ((i = (len&(size_t)-16))) {
1158 GHASH(ctx,in,i);
1159 while (len>=16) {
1160 size_t *out_t=(size_t *)out;
1161 const size_t *in_t=(const size_t *)in;
1162
1163 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1164 ++ctr;
1165 if (is_endian.little)
1166 #ifdef BSWAP4
1167 ctx->Yi.d[3] = BSWAP4(ctr);
1168 #else
1169 PUTU32(ctx->Yi.c+12,ctr);
1170 #endif
1171 else
1172 ctx->Yi.d[3] = ctr;
1173 for (i=0; i<16/sizeof(size_t); ++i)
1174 out_t[i] = in_t[i]^ctx->EKi.t[i];
1175 out += 16;
1176 in += 16;
1177 len -= 16;
1178 }
1179 }
1180 #else
1181 while (len>=16) {
1182 size_t *out_t=(size_t *)out;
1183 const size_t *in_t=(const size_t *)in;
1184
1185 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1186 ++ctr;
1187 if (is_endian.little)
1188 #ifdef BSWAP4
1189 ctx->Yi.d[3] = BSWAP4(ctr);
1190 #else
1191 PUTU32(ctx->Yi.c+12,ctr);
1192 #endif
1193 else
1194 ctx->Yi.d[3] = ctr;
1195 for (i=0; i<16/sizeof(size_t); ++i) {
1196 size_t c = in[i];
1197 out[i] = c^ctx->EKi.t[i];
1198 ctx->Xi.t[i] ^= c;
1199 }
1200 GCM_MUL(ctx,Xi);
1201 out += 16;
1202 in += 16;
1203 len -= 16;
1204 }
1205 #endif
1206 if (len) {
1207 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1208 ++ctr;
1209 if (is_endian.little)
1210 #ifdef BSWAP4
1211 ctx->Yi.d[3] = BSWAP4(ctr);
1212 #else
1213 PUTU32(ctx->Yi.c+12,ctr);
1214 #endif
1215 else
1216 ctx->Yi.d[3] = ctr;
1217 while (len--) {
1218 u8 c = in[n];
1219 ctx->Xi.c[n] ^= c;
1220 out[n] = c^ctx->EKi.c[n];
1221 ++n;
1222 }
1223 }
1224
1225 ctx->mres = n;
1226 return 0;
1227 } while(0);
1228 #endif
1229 for (i=0;i<len;++i) {
1230 u8 c;
1231 if (n==0) {
1232 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1233 ++ctr;
1234 if (is_endian.little)
1235 #ifdef BSWAP4
1236 ctx->Yi.d[3] = BSWAP4(ctr);
1237 #else
1238 PUTU32(ctx->Yi.c+12,ctr);
1239 #endif
1240 else
1241 ctx->Yi.d[3] = ctr;
1242 }
1243 c = in[i];
1244 out[i] = c^ctx->EKi.c[n];
1245 ctx->Xi.c[n] ^= c;
1246 n = (n+1)%16;
1247 if (n==0)
1248 GCM_MUL(ctx,Xi);
1249 }
1250
1251 ctx->mres = n;
1252 return 0;
1253 }
1254
1255 int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1256 const unsigned char *in, unsigned char *out,
1257 size_t len, ctr128_f stream)
1258 {
1259 const union { long one; char little; } is_endian = {1};
1260 unsigned int n, ctr;
1261 size_t i;
1262 u64 mlen = ctx->len.u[1];
1263 void *key = ctx->key;
1264 #ifdef GCM_FUNCREF_4BIT
1265 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
1266 # ifdef GHASH
1267 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
1268 const u8 *inp,size_t len) = ctx->ghash;
1269 # endif
1270 #endif
1271
1272 mlen += len;
1273 if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
1274 return -1;
1275 ctx->len.u[1] = mlen;
1276
1277 if (ctx->ares) {
1278 /* First call to encrypt finalizes GHASH(AAD) */
1279 GCM_MUL(ctx,Xi);
1280 ctx->ares = 0;
1281 }
1282
1283 if (is_endian.little)
1284 #ifdef BSWAP4
1285 ctr = BSWAP4(ctx->Yi.d[3]);
1286 #else
1287 ctr = GETU32(ctx->Yi.c+12);
1288 #endif
1289 else
1290 ctr = ctx->Yi.d[3];
1291
1292 n = ctx->mres;
1293 if (n) {
1294 while (n && len) {
1295 ctx->Xi.c[n] ^= *(out++) = *(in++)^ctx->EKi.c[n];
1296 --len;
1297 n = (n+1)%16;
1298 }
1299 if (n==0) GCM_MUL(ctx,Xi);
1300 else {
1301 ctx->mres = n;
1302 return 0;
1303 }
1304 }
1305 #if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
1306 while (len>=GHASH_CHUNK) {
1307 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
1308 ctr += GHASH_CHUNK/16;
1309 if (is_endian.little)
1310 #ifdef BSWAP4
1311 ctx->Yi.d[3] = BSWAP4(ctr);
1312 #else
1313 PUTU32(ctx->Yi.c+12,ctr);
1314 #endif
1315 else
1316 ctx->Yi.d[3] = ctr;
1317 GHASH(ctx,out,GHASH_CHUNK);
1318 out += GHASH_CHUNK;
1319 in += GHASH_CHUNK;
1320 len -= GHASH_CHUNK;
1321 }
1322 #endif
1323 if ((i = (len&(size_t)-16))) {
1324 size_t j=i/16;
1325
1326 (*stream)(in,out,j,key,ctx->Yi.c);
1327 ctr += (unsigned int)j;
1328 if (is_endian.little)
1329 #ifdef BSWAP4
1330 ctx->Yi.d[3] = BSWAP4(ctr);
1331 #else
1332 PUTU32(ctx->Yi.c+12,ctr);
1333 #endif
1334 else
1335 ctx->Yi.d[3] = ctr;
1336 in += i;
1337 len -= i;
1338 #if defined(GHASH)
1339 GHASH(ctx,out,i);
1340 out += i;
1341 #else
1342 while (j--) {
1343 for (i=0;i<16;++i) ctx->Xi.c[i] ^= out[i];
1344 GCM_MUL(ctx,Xi);
1345 out += 16;
1346 }
1347 #endif
1348 }
1349 if (len) {
1350 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
1351 ++ctr;
1352 if (is_endian.little)
1353 #ifdef BSWAP4
1354 ctx->Yi.d[3] = BSWAP4(ctr);
1355 #else
1356 PUTU32(ctx->Yi.c+12,ctr);
1357 #endif
1358 else
1359 ctx->Yi.d[3] = ctr;
1360 while (len--) {
1361 ctx->Xi.c[n] ^= out[n] = in[n]^ctx->EKi.c[n];
1362 ++n;
1363 }
1364 }
1365
1366 ctx->mres = n;
1367 return 0;
1368 }
1369
1370 int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1371 const unsigned char *in, unsigned char *out,
1372 size_t len,ctr128_f stream)
1373 {
1374 const union { long one; char little; } is_endian = {1};
1375 unsigned int n, ctr;
1376 size_t i;
1377 u64 mlen = ctx->len.u[1];
1378 void *key = ctx->key;
1379 #ifdef GCM_FUNCREF_4BIT
1380 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
1381 # ifdef GHASH
1382 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
1383 const u8 *inp,size_t len) = ctx->ghash;
1384 # endif
1385 #endif
1386
1387 mlen += len;
1388 if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
1389 return -1;
1390 ctx->len.u[1] = mlen;
1391
1392 if (ctx->ares) {
1393 /* First call to decrypt finalizes GHASH(AAD) */
1394 GCM_MUL(ctx,Xi);
1395 ctx->ares = 0;
1396 }
1397
1398 if (is_endian.little)
1399 #ifdef BSWAP4
1400 ctr = BSWAP4(ctx->Yi.d[3]);
1401 #else
1402 ctr = GETU32(ctx->Yi.c+12);
1403 #endif
1404 else
1405 ctr = ctx->Yi.d[3];
1406
1407 n = ctx->mres;
1408 if (n) {
1409 while (n && len) {
1410 u8 c = *(in++);
1411 *(out++) = c^ctx->EKi.c[n];
1412 ctx->Xi.c[n] ^= c;
1413 --len;
1414 n = (n+1)%16;
1415 }
1416 if (n==0) GCM_MUL (ctx,Xi);
1417 else {
1418 ctx->mres = n;
1419 return 0;
1420 }
1421 }
1422 #if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
1423 while (len>=GHASH_CHUNK) {
1424 GHASH(ctx,in,GHASH_CHUNK);
1425 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
1426 ctr += GHASH_CHUNK/16;
1427 if (is_endian.little)
1428 #ifdef BSWAP4
1429 ctx->Yi.d[3] = BSWAP4(ctr);
1430 #else
1431 PUTU32(ctx->Yi.c+12,ctr);
1432 #endif
1433 else
1434 ctx->Yi.d[3] = ctr;
1435 out += GHASH_CHUNK;
1436 in += GHASH_CHUNK;
1437 len -= GHASH_CHUNK;
1438 }
1439 #endif
1440 if ((i = (len&(size_t)-16))) {
1441 size_t j=i/16;
1442
1443 #if defined(GHASH)
1444 GHASH(ctx,in,i);
1445 #else
1446 while (j--) {
1447 size_t k;
1448 for (k=0;k<16;++k) ctx->Xi.c[k] ^= in[k];
1449 GCM_MUL(ctx,Xi);
1450 in += 16;
1451 }
1452 j = i/16;
1453 in -= i;
1454 #endif
1455 (*stream)(in,out,j,key,ctx->Yi.c);
1456 ctr += (unsigned int)j;
1457 if (is_endian.little)
1458 #ifdef BSWAP4
1459 ctx->Yi.d[3] = BSWAP4(ctr);
1460 #else
1461 PUTU32(ctx->Yi.c+12,ctr);
1462 #endif
1463 else
1464 ctx->Yi.d[3] = ctr;
1465 out += i;
1466 in += i;
1467 len -= i;
1468 }
1469 if (len) {
1470 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
1471 ++ctr;
1472 if (is_endian.little)
1473 #ifdef BSWAP4
1474 ctx->Yi.d[3] = BSWAP4(ctr);
1475 #else
1476 PUTU32(ctx->Yi.c+12,ctr);
1477 #endif
1478 else
1479 ctx->Yi.d[3] = ctr;
1480 while (len--) {
1481 u8 c = in[n];
1482 ctx->Xi.c[n] ^= c;
1483 out[n] = c^ctx->EKi.c[n];
1484 ++n;
1485 }
1486 }
1487
1488 ctx->mres = n;
1489 return 0;
1490 }
1491
1492 int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
1493 size_t len)
1494 {
1495 const union { long one; char little; } is_endian = {1};
1496 u64 alen = ctx->len.u[0]<<3;
1497 u64 clen = ctx->len.u[1]<<3;
1498 #ifdef GCM_FUNCREF_4BIT
1499 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
1500 #endif
1501
1502 if (ctx->mres || ctx->ares)
1503 GCM_MUL(ctx,Xi);
1504
1505 if (is_endian.little) {
1506 #ifdef BSWAP8
1507 alen = BSWAP8(alen);
1508 clen = BSWAP8(clen);
1509 #else
1510 u8 *p = ctx->len.c;
1511
1512 ctx->len.u[0] = alen;
1513 ctx->len.u[1] = clen;
1514
1515 alen = (u64)GETU32(p) <<32|GETU32(p+4);
1516 clen = (u64)GETU32(p+8)<<32|GETU32(p+12);
1517 #endif
1518 }
1519
1520 ctx->Xi.u[0] ^= alen;
1521 ctx->Xi.u[1] ^= clen;
1522 GCM_MUL(ctx,Xi);
1523
1524 ctx->Xi.u[0] ^= ctx->EK0.u[0];
1525 ctx->Xi.u[1] ^= ctx->EK0.u[1];
1526
1527 if (tag && len<=sizeof(ctx->Xi))
1528 return memcmp(ctx->Xi.c,tag,len);
1529 else
1530 return -1;
1531 }
1532
1533 void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
1534 {
1535 CRYPTO_gcm128_finish(ctx, NULL, 0);
1536 memcpy(tag, ctx->Xi.c, len<=sizeof(ctx->Xi.c)?len:sizeof(ctx->Xi.c));
1537 }
1538
1539 GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
1540 {
1541 GCM128_CONTEXT *ret;
1542
1543 if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT))))
1544 CRYPTO_gcm128_init(ret,key,block);
1545
1546 return ret;
1547 }
1548
1549 void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
1550 {
1551 if (ctx) {
1552 OPENSSL_cleanse(ctx,sizeof(*ctx));
1553 OPENSSL_free(ctx);
1554 }
1555 }
1556
1557 #if defined(SELFTEST)
1558 #include <stdio.h>
1559 #include <openssl/aes.h>
1560
1561 /* Test Case 1 */
1562 static const u8 K1[16],
1563 *P1=NULL,
1564 *A1=NULL,
1565 IV1[12],
1566 *C1=NULL,
1567 T1[]= {0x58,0xe2,0xfc,0xce,0xfa,0x7e,0x30,0x61,0x36,0x7f,0x1d,0x57,0xa4,0xe7,0x45,0x5a};
1568
1569 /* Test Case 2 */
1570 #define K2 K1
1571 #define A2 A1
1572 #define IV2 IV1
1573 static const u8 P2[16],
1574 C2[]= {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78},
1575 T2[]= {0xab,0x6e,0x47,0xd4,0x2c,0xec,0x13,0xbd,0xf5,0x3a,0x67,0xb2,0x12,0x57,0xbd,0xdf};
1576
1577 /* Test Case 3 */
1578 #define A3 A2
1579 static const u8 K3[]= {0xfe,0xff,0xe9,0x92,0x86,0x65,0x73,0x1c,0x6d,0x6a,0x8f,0x94,0x67,0x30,0x83,0x08},
1580 P3[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1581 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1582 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1583 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55},
1584 IV3[]= {0xca,0xfe,0xba,0xbe,0xfa,0xce,0xdb,0xad,0xde,0xca,0xf8,0x88},
1585 C3[]= {0x42,0x83,0x1e,0xc2,0x21,0x77,0x74,0x24,0x4b,0x72,0x21,0xb7,0x84,0xd0,0xd4,0x9c,
1586 0xe3,0xaa,0x21,0x2f,0x2c,0x02,0xa4,0xe0,0x35,0xc1,0x7e,0x23,0x29,0xac,0xa1,0x2e,
1587 0x21,0xd5,0x14,0xb2,0x54,0x66,0x93,0x1c,0x7d,0x8f,0x6a,0x5a,0xac,0x84,0xaa,0x05,
1588 0x1b,0xa3,0x0b,0x39,0x6a,0x0a,0xac,0x97,0x3d,0x58,0xe0,0x91,0x47,0x3f,0x59,0x85},
1589 T3[]= {0x4d,0x5c,0x2a,0xf3,0x27,0xcd,0x64,0xa6,0x2c,0xf3,0x5a,0xbd,0x2b,0xa6,0xfa,0xb4};
1590
1591 /* Test Case 4 */
1592 #define K4 K3
1593 #define IV4 IV3
1594 static const u8 P4[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1595 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1596 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1597 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39},
1598 A4[]= {0xfe,0xed,0xfa,0xce,0xde,0xad,0xbe,0xef,0xfe,0xed,0xfa,0xce,0xde,0xad,0xbe,0xef,
1599 0xab,0xad,0xda,0xd2},
1600 C4[]= {0x42,0x83,0x1e,0xc2,0x21,0x77,0x74,0x24,0x4b,0x72,0x21,0xb7,0x84,0xd0,0xd4,0x9c,
1601 0xe3,0xaa,0x21,0x2f,0x2c,0x02,0xa4,0xe0,0x35,0xc1,0x7e,0x23,0x29,0xac,0xa1,0x2e,
1602 0x21,0xd5,0x14,0xb2,0x54,0x66,0x93,0x1c,0x7d,0x8f,0x6a,0x5a,0xac,0x84,0xaa,0x05,
1603 0x1b,0xa3,0x0b,0x39,0x6a,0x0a,0xac,0x97,0x3d,0x58,0xe0,0x91},
1604 T4[]= {0x5b,0xc9,0x4f,0xbc,0x32,0x21,0xa5,0xdb,0x94,0xfa,0xe9,0x5a,0xe7,0x12,0x1a,0x47};
1605
1606 /* Test Case 5 */
1607 #define K5 K4
1608 #define P5 P4
1609 #define A5 A4
1610 static const u8 IV5[]= {0xca,0xfe,0xba,0xbe,0xfa,0xce,0xdb,0xad},
1611 C5[]= {0x61,0x35,0x3b,0x4c,0x28,0x06,0x93,0x4a,0x77,0x7f,0xf5,0x1f,0xa2,0x2a,0x47,0x55,
1612 0x69,0x9b,0x2a,0x71,0x4f,0xcd,0xc6,0xf8,0x37,0x66,0xe5,0xf9,0x7b,0x6c,0x74,0x23,
1613 0x73,0x80,0x69,0x00,0xe4,0x9f,0x24,0xb2,0x2b,0x09,0x75,0x44,0xd4,0x89,0x6b,0x42,
1614 0x49,0x89,0xb5,0xe1,0xeb,0xac,0x0f,0x07,0xc2,0x3f,0x45,0x98},
1615 T5[]= {0x36,0x12,0xd2,0xe7,0x9e,0x3b,0x07,0x85,0x56,0x1b,0xe1,0x4a,0xac,0xa2,0xfc,0xcb};
1616
1617 /* Test Case 6 */
1618 #define K6 K5
1619 #define P6 P5
1620 #define A6 A5
1621 static const u8 IV6[]= {0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0x5a,0xff,0x52,0x69,0xaa,
1622 0x6a,0x7a,0x95,0x38,0x53,0x4f,0x7d,0xa1,0xe4,0xc3,0x03,0xd2,0xa3,0x18,0xa7,0x28,
1623 0xc3,0xc0,0xc9,0x51,0x56,0x80,0x95,0x39,0xfc,0xf0,0xe2,0x42,0x9a,0x6b,0x52,0x54,
1624 0x16,0xae,0xdb,0xf5,0xa0,0xde,0x6a,0x57,0xa6,0x37,0xb3,0x9b},
1625 C6[]= {0x8c,0xe2,0x49,0x98,0x62,0x56,0x15,0xb6,0x03,0xa0,0x33,0xac,0xa1,0x3f,0xb8,0x94,
1626 0xbe,0x91,0x12,0xa5,0xc3,0xa2,0x11,0xa8,0xba,0x26,0x2a,0x3c,0xca,0x7e,0x2c,0xa7,
1627 0x01,0xe4,0xa9,0xa4,0xfb,0xa4,0x3c,0x90,0xcc,0xdc,0xb2,0x81,0xd4,0x8c,0x7c,0x6f,
1628 0xd6,0x28,0x75,0xd2,0xac,0xa4,0x17,0x03,0x4c,0x34,0xae,0xe5},
1629 T6[]= {0x61,0x9c,0xc5,0xae,0xff,0xfe,0x0b,0xfa,0x46,0x2a,0xf4,0x3c,0x16,0x99,0xd0,0x50};
1630
1631 /* Test Case 7 */
1632 static const u8 K7[24],
1633 *P7=NULL,
1634 *A7=NULL,
1635 IV7[12],
1636 *C7=NULL,
1637 T7[]= {0xcd,0x33,0xb2,0x8a,0xc7,0x73,0xf7,0x4b,0xa0,0x0e,0xd1,0xf3,0x12,0x57,0x24,0x35};
1638
1639 /* Test Case 8 */
1640 #define K8 K7
1641 #define IV8 IV7
1642 #define A8 A7
1643 static const u8 P8[16],
1644 C8[]= {0x98,0xe7,0x24,0x7c,0x07,0xf0,0xfe,0x41,0x1c,0x26,0x7e,0x43,0x84,0xb0,0xf6,0x00},
1645 T8[]= {0x2f,0xf5,0x8d,0x80,0x03,0x39,0x27,0xab,0x8e,0xf4,0xd4,0x58,0x75,0x14,0xf0,0xfb};
1646
1647 /* Test Case 9 */
1648 #define A9 A8
1649 static const u8 K9[]= {0xfe,0xff,0xe9,0x92,0x86,0x65,0x73,0x1c,0x6d,0x6a,0x8f,0x94,0x67,0x30,0x83,0x08,
1650 0xfe,0xff,0xe9,0x92,0x86,0x65,0x73,0x1c},
1651 P9[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1652 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1653 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1654 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55},
1655 IV9[]= {0xca,0xfe,0xba,0xbe,0xfa,0xce,0xdb,0xad,0xde,0xca,0xf8,0x88},
1656 C9[]= {0x39,0x80,0xca,0x0b,0x3c,0x00,0xe8,0x41,0xeb,0x06,0xfa,0xc4,0x87,0x2a,0x27,0x57,
1657 0x85,0x9e,0x1c,0xea,0xa6,0xef,0xd9,0x84,0x62,0x85,0x93,0xb4,0x0c,0xa1,0xe1,0x9c,
1658 0x7d,0x77,0x3d,0x00,0xc1,0x44,0xc5,0x25,0xac,0x61,0x9d,0x18,0xc8,0x4a,0x3f,0x47,
1659 0x18,0xe2,0x44,0x8b,0x2f,0xe3,0x24,0xd9,0xcc,0xda,0x27,0x10,0xac,0xad,0xe2,0x56},
1660 T9[]= {0x99,0x24,0xa7,0xc8,0x58,0x73,0x36,0xbf,0xb1,0x18,0x02,0x4d,0xb8,0x67,0x4a,0x14};
1661
1662 /* Test Case 10 */
1663 #define K10 K9
1664 #define IV10 IV9
1665 static const u8 P10[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1666 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1667 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1668 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39},
1669 A10[]= {0xfe,0xed,0xfa,0xce,0xde,0xad,0xbe,0xef,0xfe,0xed,0xfa,0xce,0xde,0xad,0xbe,0xef,
1670 0xab,0xad,0xda,0xd2},
1671 C10[]= {0x39,0x80,0xca,0x0b,0x3c,0x00,0xe8,0x41,0xeb,0x06,0xfa,0xc4,0x87,0x2a,0x27,0x57,
1672 0x85,0x9e,0x1c,0xea,0xa6,0xef,0xd9,0x84,0x62,0x85,0x93,0xb4,0x0c,0xa1,0xe1,0x9c,
1673 0x7d,0x77,0x3d,0x00,0xc1,0x44,0xc5,0x25,0xac,0x61,0x9d,0x18,0xc8,0x4a,0x3f,0x47,
1674 0x18,0xe2,0x44,0x8b,0x2f,0xe3,0x24,0xd9,0xcc,0xda,0x27,0x10},
1675 T10[]= {0x25,0x19,0x49,0x8e,0x80,0xf1,0x47,0x8f,0x37,0xba,0x55,0xbd,0x6d,0x27,0x61,0x8c};
1676
1677 /* Test Case 11 */
1678 #define K11 K10
1679 #define P11 P10
1680 #define A11 A10
1681 static const u8 IV11[]={0xca,0xfe,0xba,0xbe,0xfa,0xce,0xdb,0xad},
1682 C11[]= {0x0f,0x10,0xf5,0x99,0xae,0x14,0xa1,0x54,0xed,0x24,0xb3,0x6e,0x25,0x32,0x4d,0xb8,
1683 0xc5,0x66,0x63,0x2e,0xf2,0xbb,0xb3,0x4f,0x83,0x47,0x28,0x0f,0xc4,0x50,0x70,0x57,
1684 0xfd,0xdc,0x29,0xdf,0x9a,0x47,0x1f,0x75,0xc6,0x65,0x41,0xd4,0xd4,0xda,0xd1,0xc9,
1685 0xe9,0x3a,0x19,0xa5,0x8e,0x8b,0x47,0x3f,0xa0,0xf0,0x62,0xf7},
1686 T11[]= {0x65,0xdc,0xc5,0x7f,0xcf,0x62,0x3a,0x24,0x09,0x4f,0xcc,0xa4,0x0d,0x35,0x33,0xf8};
1687
1688 /* Test Case 12 */
1689 #define K12 K11
1690 #define P12 P11
1691 #define A12 A11
1692 static const u8 IV12[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0x5a,0xff,0x52,0x69,0xaa,
1693 0x6a,0x7a,0x95,0x38,0x53,0x4f,0x7d,0xa1,0xe4,0xc3,0x03,0xd2,0xa3,0x18,0xa7,0x28,
1694 0xc3,0xc0,0xc9,0x51,0x56,0x80,0x95,0x39,0xfc,0xf0,0xe2,0x42,0x9a,0x6b,0x52,0x54,
1695 0x16,0xae,0xdb,0xf5,0xa0,0xde,0x6a,0x57,0xa6,0x37,0xb3,0x9b},
1696 C12[]= {0xd2,0x7e,0x88,0x68,0x1c,0xe3,0x24,0x3c,0x48,0x30,0x16,0x5a,0x8f,0xdc,0xf9,0xff,
1697 0x1d,0xe9,0xa1,0xd8,0xe6,0xb4,0x47,0xef,0x6e,0xf7,0xb7,0x98,0x28,0x66,0x6e,0x45,
1698 0x81,0xe7,0x90,0x12,0xaf,0x34,0xdd,0xd9,0xe2,0xf0,0x37,0x58,0x9b,0x29,0x2d,0xb3,
1699 0xe6,0x7c,0x03,0x67,0x45,0xfa,0x22,0xe7,0xe9,0xb7,0x37,0x3b},
1700 T12[]= {0xdc,0xf5,0x66,0xff,0x29,0x1c,0x25,0xbb,0xb8,0x56,0x8f,0xc3,0xd3,0x76,0xa6,0xd9};
1701
1702 /* Test Case 13 */
1703 static const u8 K13[32],
1704 *P13=NULL,
1705 *A13=NULL,
1706 IV13[12],
1707 *C13=NULL,
1708 T13[]={0x53,0x0f,0x8a,0xfb,0xc7,0x45,0x36,0xb9,0xa9,0x63,0xb4,0xf1,0xc4,0xcb,0x73,0x8b};
1709
1710 /* Test Case 14 */
1711 #define K14 K13
1712 #define A14 A13
1713 static const u8 P14[16],
1714 IV14[12],
1715 C14[]= {0xce,0xa7,0x40,0x3d,0x4d,0x60,0x6b,0x6e,0x07,0x4e,0xc5,0xd3,0xba,0xf3,0x9d,0x18},
1716 T14[]= {0xd0,0xd1,0xc8,0xa7,0x99,0x99,0x6b,0xf0,0x26,0x5b,0x98,0xb5,0xd4,0x8a,0xb9,0x19};
1717
1718 /* Test Case 15 */
1719 #define A15 A14
1720 static const u8 K15[]= {0xfe,0xff,0xe9,0x92,0x86,0x65,0x73,0x1c,0x6d,0x6a,0x8f,0x94,0x67,0x30,0x83,0x08,
1721 0xfe,0xff,0xe9,0x92,0x86,0x65,0x73,0x1c,0x6d,0x6a,0x8f,0x94,0x67,0x30,0x83,0x08},
1722 P15[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1723 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1724 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1725 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55},
1726 IV15[]={0xca,0xfe,0xba,0xbe,0xfa,0xce,0xdb,0xad,0xde,0xca,0xf8,0x88},
1727 C15[]= {0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
1728 0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
1729 0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
1730 0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
1731 T15[]= {0xb0,0x94,0xda,0xc5,0xd9,0x34,0x71,0xbd,0xec,0x1a,0x50,0x22,0x70,0xe3,0xcc,0x6c};
1732
1733 /* Test Case 16 */
1734 #define K16 K15
1735 #define IV16 IV15
1736 static const u8 P16[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1737 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1738 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1739 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39},
1740 A16[]= {0xfe,0xed,0xfa,0xce,0xde,0xad,0xbe,0xef,0xfe,0xed,0xfa,0xce,0xde,0xad,0xbe,0xef,
1741 0xab,0xad,0xda,0xd2},
1742 C16[]= {0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
1743 0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
1744 0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
1745 0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62},
1746 T16[]= {0x76,0xfc,0x6e,0xce,0x0f,0x4e,0x17,0x68,0xcd,0xdf,0x88,0x53,0xbb,0x2d,0x55,0x1b};
1747
1748 /* Test Case 17 */
1749 #define K17 K16
1750 #define P17 P16
1751 #define A17 A16
1752 static const u8 IV17[]={0xca,0xfe,0xba,0xbe,0xfa,0xce,0xdb,0xad},
1753 C17[]= {0xc3,0x76,0x2d,0xf1,0xca,0x78,0x7d,0x32,0xae,0x47,0xc1,0x3b,0xf1,0x98,0x44,0xcb,
1754 0xaf,0x1a,0xe1,0x4d,0x0b,0x97,0x6a,0xfa,0xc5,0x2f,0xf7,0xd7,0x9b,0xba,0x9d,0xe0,
1755 0xfe,0xb5,0x82,0xd3,0x39,0x34,0xa4,0xf0,0x95,0x4c,0xc2,0x36,0x3b,0xc7,0x3f,0x78,
1756 0x62,0xac,0x43,0x0e,0x64,0xab,0xe4,0x99,0xf4,0x7c,0x9b,0x1f},
1757 T17[]= {0x3a,0x33,0x7d,0xbf,0x46,0xa7,0x92,0xc4,0x5e,0x45,0x49,0x13,0xfe,0x2e,0xa8,0xf2};
1758
1759 /* Test Case 18 */
1760 #define K18 K17
1761 #define P18 P17
1762 #define A18 A17
1763 static const u8 IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0x5a,0xff,0x52,0x69,0xaa,
1764 0x6a,0x7a,0x95,0x38,0x53,0x4f,0x7d,0xa1,0xe4,0xc3,0x03,0xd2,0xa3,0x18,0xa7,0x28,
1765 0xc3,0xc0,0xc9,0x51,0x56,0x80,0x95,0x39,0xfc,0xf0,0xe2,0x42,0x9a,0x6b,0x52,0x54,
1766 0x16,0xae,0xdb,0xf5,0xa0,0xde,0x6a,0x57,0xa6,0x37,0xb3,0x9b},
1767 C18[]= {0x5a,0x8d,0xef,0x2f,0x0c,0x9e,0x53,0xf1,0xf7,0x5d,0x78,0x53,0x65,0x9e,0x2a,0x20,
1768 0xee,0xb2,0xb2,0x2a,0xaf,0xde,0x64,0x19,0xa0,0x58,0xab,0x4f,0x6f,0x74,0x6b,0xf4,
1769 0x0f,0xc0,0xc3,0xb7,0x80,0xf2,0x44,0x45,0x2d,0xa3,0xeb,0xf1,0xc5,0xd8,0x2c,0xde,
1770 0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f},
1771 T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a};
1772
1773 /* Test Case 19 */
1774 #define K19 K1
1775 #define P19 P1
1776 #define IV19 IV1
1777 #define C19 C1
1778 static const u8 A19[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1779 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1780 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1781 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55,
1782 0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
1783 0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
1784 0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
1785 0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
1786 T19[]= {0x5f,0xea,0x79,0x3a,0x2d,0x6f,0x97,0x4d,0x37,0xe6,0x8e,0x0c,0xb8,0xff,0x94,0x92};
1787
1788 /* Test Case 20 */
1789 #define K20 K1
1790 #define A20 A1
1791 static const u8 IV20[64]={0xff,0xff,0xff,0xff}, /* this results in 0xff in counter LSB */
1792 P20[288],
1793 C20[]= {0x56,0xb3,0x37,0x3c,0xa9,0xef,0x6e,0x4a,0x2b,0x64,0xfe,0x1e,0x9a,0x17,0xb6,0x14,
1794 0x25,0xf1,0x0d,0x47,0xa7,0x5a,0x5f,0xce,0x13,0xef,0xc6,0xbc,0x78,0x4a,0xf2,0x4f,
1795 0x41,0x41,0xbd,0xd4,0x8c,0xf7,0xc7,0x70,0x88,0x7a,0xfd,0x57,0x3c,0xca,0x54,0x18,
1796 0xa9,0xae,0xff,0xcd,0x7c,0x5c,0xed,0xdf,0xc6,0xa7,0x83,0x97,0xb9,0xa8,0x5b,0x49,
1797 0x9d,0xa5,0x58,0x25,0x72,0x67,0xca,0xab,0x2a,0xd0,0xb2,0x3c,0xa4,0x76,0xa5,0x3c,
1798 0xb1,0x7f,0xb4,0x1c,0x4b,0x8b,0x47,0x5c,0xb4,0xf3,0xf7,0x16,0x50,0x94,0xc2,0x29,
1799 0xc9,0xe8,0xc4,0xdc,0x0a,0x2a,0x5f,0xf1,0x90,0x3e,0x50,0x15,0x11,0x22,0x13,0x76,
1800 0xa1,0xcd,0xb8,0x36,0x4c,0x50,0x61,0xa2,0x0c,0xae,0x74,0xbc,0x4a,0xcd,0x76,0xce,
1801 0xb0,0xab,0xc9,0xfd,0x32,0x17,0xef,0x9f,0x8c,0x90,0xbe,0x40,0x2d,0xdf,0x6d,0x86,
1802 0x97,0xf4,0xf8,0x80,0xdf,0xf1,0x5b,0xfb,0x7a,0x6b,0x28,0x24,0x1e,0xc8,0xfe,0x18,
1803 0x3c,0x2d,0x59,0xe3,0xf9,0xdf,0xff,0x65,0x3c,0x71,0x26,0xf0,0xac,0xb9,0xe6,0x42,
1804 0x11,0xf4,0x2b,0xae,0x12,0xaf,0x46,0x2b,0x10,0x70,0xbe,0xf1,0xab,0x5e,0x36,0x06,
1805 0x87,0x2c,0xa1,0x0d,0xee,0x15,0xb3,0x24,0x9b,0x1a,0x1b,0x95,0x8f,0x23,0x13,0x4c,
1806 0x4b,0xcc,0xb7,0xd0,0x32,0x00,0xbc,0xe4,0x20,0xa2,0xf8,0xeb,0x66,0xdc,0xf3,0x64,
1807 0x4d,0x14,0x23,0xc1,0xb5,0x69,0x90,0x03,0xc1,0x3e,0xce,0xf4,0xbf,0x38,0xa3,0xb6,
1808 0x0e,0xed,0xc3,0x40,0x33,0xba,0xc1,0x90,0x27,0x83,0xdc,0x6d,0x89,0xe2,0xe7,0x74,
1809 0x18,0x8a,0x43,0x9c,0x7e,0xbc,0xc0,0x67,0x2d,0xbd,0xa4,0xdd,0xcf,0xb2,0x79,0x46,
1810 0x13,0xb0,0xbe,0x41,0x31,0x5e,0xf7,0x78,0x70,0x8a,0x70,0xee,0x7d,0x75,0x16,0x5c},
1811 T20[]= {0x8b,0x30,0x7f,0x6b,0x33,0x28,0x6d,0x0a,0xb0,0x26,0xa9,0xed,0x3f,0xe1,0xe8,0x5f};
1812
1813 #define TEST_CASE(n) do { \
1814 u8 out[sizeof(P##n)]; \
1815 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \
1816 CRYPTO_gcm128_init(&ctx,&key,(block128_f)AES_encrypt); \
1817 CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n)); \
1818 memset(out,0,sizeof(out)); \
1819 if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n)); \
1820 if (P##n) CRYPTO_gcm128_encrypt(&ctx,P##n,out,sizeof(out)); \
1821 if (CRYPTO_gcm128_finish(&ctx,T##n,16) || \
1822 (C##n && memcmp(out,C##n,sizeof(out)))) \
1823 ret++, printf ("encrypt test#%d failed.\n",n); \
1824 CRYPTO_gcm128_setiv(&ctx,IV##n,sizeof(IV##n)); \
1825 memset(out,0,sizeof(out)); \
1826 if (A##n) CRYPTO_gcm128_aad(&ctx,A##n,sizeof(A##n)); \
1827 if (C##n) CRYPTO_gcm128_decrypt(&ctx,C##n,out,sizeof(out)); \
1828 if (CRYPTO_gcm128_finish(&ctx,T##n,16) || \
1829 (P##n && memcmp(out,P##n,sizeof(out)))) \
1830 ret++, printf ("decrypt test#%d failed.\n",n); \
1831 } while(0)
1832
1833 int main()
1834 {
1835 GCM128_CONTEXT ctx;
1836 AES_KEY key;
1837 int ret=0;
1838
1839 TEST_CASE(1);
1840 TEST_CASE(2);
1841 TEST_CASE(3);
1842 TEST_CASE(4);
1843 TEST_CASE(5);
1844 TEST_CASE(6);
1845 TEST_CASE(7);
1846 TEST_CASE(8);
1847 TEST_CASE(9);
1848 TEST_CASE(10);
1849 TEST_CASE(11);
1850 TEST_CASE(12);
1851 TEST_CASE(13);
1852 TEST_CASE(14);
1853 TEST_CASE(15);
1854 TEST_CASE(16);
1855 TEST_CASE(17);
1856 TEST_CASE(18);
1857 TEST_CASE(19);
1858 TEST_CASE(20);
1859
1860 #ifdef OPENSSL_CPUID_OBJ
1861 {
1862 size_t start,stop,gcm_t,ctr_t,OPENSSL_rdtsc();
1863 union { u64 u; u8 c[1024]; } buf;
1864 int i;
1865
1866 AES_set_encrypt_key(K1,sizeof(K1)*8,&key);
1867 CRYPTO_gcm128_init(&ctx,&key,(block128_f)AES_encrypt);
1868 CRYPTO_gcm128_setiv(&ctx,IV1,sizeof(IV1));
1869
1870 CRYPTO_gcm128_encrypt(&ctx,buf.c,buf.c,sizeof(buf));
1871 start = OPENSSL_rdtsc();
1872 CRYPTO_gcm128_encrypt(&ctx,buf.c,buf.c,sizeof(buf));
1873 gcm_t = OPENSSL_rdtsc() - start;
1874
1875 CRYPTO_ctr128_encrypt(buf.c,buf.c,sizeof(buf),
1876 &key,ctx.Yi.c,ctx.EKi.c,&ctx.mres,
1877 (block128_f)AES_encrypt);
1878 start = OPENSSL_rdtsc();
1879 CRYPTO_ctr128_encrypt(buf.c,buf.c,sizeof(buf),
1880 &key,ctx.Yi.c,ctx.EKi.c,&ctx.mres,
1881 (block128_f)AES_encrypt);
1882 ctr_t = OPENSSL_rdtsc() - start;
1883
1884 printf("%.2f-%.2f=%.2f\n",
1885 gcm_t/(double)sizeof(buf),
1886 ctr_t/(double)sizeof(buf),
1887 (gcm_t-ctr_t)/(double)sizeof(buf));
1888 #ifdef GHASH
1889 {
1890 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
1891 const u8 *inp,size_t len) = ctx.ghash;
1892
1893 GHASH((&ctx),buf.c,sizeof(buf));
1894 start = OPENSSL_rdtsc();
1895 for (i=0;i<100;++i) GHASH((&ctx),buf.c,sizeof(buf));
1896 gcm_t = OPENSSL_rdtsc() - start;
1897 printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i);
1898 }
1899 #endif
1900 }
1901 #endif
1902
1903 return ret;
1904 }
1905 #endif