@@ -91,7 +91,48 @@ static inline void store_word_le(void *out, size_t v) {
typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],
typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],
const void *key);
const void *key);
// GCM definitions
// CTR.
// ctr128_f is the type of a function that performs CTR-mode encryption.
typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks,
const void *key, const uint8_t ivec[16]);
// CRYPTO_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode)
// |len| bytes from |in| to |out| using |block| in counter mode. There's no
// requirement that |len| be a multiple of any value and any partial blocks are
// stored in |ecount_buf| and |*num|, which must be zeroed before the initial
// call. The counter is a 128-bit, big-endian value in |ivec| and is
// incremented by this function.
void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned *num,
block128_f block);
// CRYPTO_ctr128_encrypt_ctr32 acts like |CRYPTO_ctr128_encrypt| but takes
// |ctr|, a function that performs CTR mode but only deals with the lower 32
// bits of the counter. This is useful when |ctr| can be an optimised
// function.
void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned *num,
ctr128_f ctr);
#if !defined(OPENSSL_NO_ASM) && \
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,
const void *key, const uint8_t *ivec);
#endif
// GCM.
//
// This API differs from the upstream API slightly. The |GCM128_CONTEXT| does
// not have a |key| pointer that points to the key as upstream's version does.
// Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|
// can be safely copied. Additionally, |gcm_key| is split into a separate
// struct.
typedef struct { uint64_t hi,lo; } u128;
typedef struct { uint64_t hi,lo; } u128;
// gmult_func multiplies |Xi| by the GCM key and writes the result back to
// gmult_func multiplies |Xi| by the GCM key and writes the result back to
@@ -104,7 +145,7 @@ typedef void (*gmult_func)(uint64_t Xi[2], const u128 Htable[16]);
typedef void (*ghash_func)(uint64_t Xi[2], const u128 Htable[16],
typedef void (*ghash_func)(uint64_t Xi[2], const u128 Htable[16],
const uint8_t *inp, size_t len);
const uint8_t *inp, size_t len);
typedef struct {
typedef struct gcm128_key_st {
// Note the MOVBE-based, x86-64, GHASH assembly requires |H| and |Htable| to
// Note the MOVBE-based, x86-64, GHASH assembly requires |H| and |Htable| to
// be the first two elements of this struct.
// be the first two elements of this struct.
u128 H;
u128 H;
@@ -119,14 +160,9 @@ typedef struct {
unsigned use_aesni_gcm_crypt:1;
unsigned use_aesni_gcm_crypt:1;
} GCM128_KEY;
} GCM128_KEY;
// gcm128_context, or |GCM128_CONTEXT| contains state for a single GCM
// operation. The structure should be zero-initialized before use.
//
// This differs from upstream's |gcm128_context| in that it does not have the
// |key| pointer, in order to make it |memcpy|-friendly. Rather the key is
// passed into each call that needs it. Additionally, |gcm_key| is split into a
// separate struct.
struct gcm128_context {
// GCM128_CONTEXT contains state for a single GCM operation. The structure
// should be zero-initialized before use.
typedef struct {
// The following 5 names follow names in GCM specification
// The following 5 names follow names in GCM specification
union {
union {
uint64_t u[2];
uint64_t u[2];
@@ -140,7 +176,7 @@ struct gcm128_context {
GCM128_KEY gcm_key;
GCM128_KEY gcm_key;
unsigned mres, ares;
unsigned mres, ares;
};
} GCM128_CONTEXT ;
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
// crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is
// crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is
@@ -148,49 +184,6 @@ struct gcm128_context {
int crypto_gcm_clmul_enabled(void);
int crypto_gcm_clmul_enabled(void);
#endif
#endif
// CTR.
// ctr128_f is the type of a function that performs CTR-mode encryption.
typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks,
const void *key, const uint8_t ivec[16]);
// CRYPTO_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode)
// |len| bytes from |in| to |out| using |block| in counter mode. There's no
// requirement that |len| be a multiple of any value and any partial blocks are
// stored in |ecount_buf| and |*num|, which must be zeroed before the initial
// call. The counter is a 128-bit, big-endian value in |ivec| and is
// incremented by this function.
void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned *num,
block128_f block);
// CRYPTO_ctr128_encrypt_ctr32 acts like |CRYPTO_ctr128_encrypt| but takes
// |ctr|, a function that performs CTR mode but only deals with the lower 32
// bits of the counter. This is useful when |ctr| can be an optimised
// function.
void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned *num,
ctr128_f ctr);
#if !defined(OPENSSL_NO_ASM) && \
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,
const void *key, const uint8_t *ivec);
#endif
// GCM.
//
// This API differs from the upstream API slightly. The |GCM128_CONTEXT| does
// not have a |key| pointer that points to the key as upstream's version does.
// Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|
// can be safely copied.
typedef struct gcm128_context GCM128_CONTEXT;
// CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to
// CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to
// |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
// |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
// accelerated) functions for performing operations in the GHASH field. If the
// accelerated) functions for performing operations in the GHASH field. If the
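Review bot: The new `GCM128_CONTEXT` definition (`typedef struct {` … `} GCM128_CONTEXT ;`) loses its struct tag, while the same change gives `GCM128_KEY` one (`typedef struct gcm128_key_st {`); the +/- markers are gone from this page, so the old and new sides are inferred from the paired lines. An untagged struct cannot be forward-declared, so any other header that still names `struct gcm128_context` would no longer refer to this type; whether such a header exists is not visible here. Keeping the tag, `typedef struct gcm128_context {` … `} GCM128_CONTEXT;`, stays consistent with the key struct and also drops the stray space before the semicolon. Since the moved `// GCM.` comment says the context can be safely copied and the context embeds `gcm_key`, that comment could add `// Copies hold key-derived state (|gcm_key|) and should be cleared after use.`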