static int _tweak_uncrypt(const unsigned char *C, unsigned char *P, unsigned char *T, symmetric_xts *xts) { unsigned long x; int err; /* tweak encrypt block i */ #ifdef LTC_FAST for (x = 0; x < 16; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&P[x])) = *(LTC_FAST_TYPE_PTR_CAST(&C[x])) ^ *(LTC_FAST_TYPE_PTR_CAST(&T[x])); } #else for (x = 0; x < 16; x++) { P[x] = C[x] ^ T[x]; } #endif err = cipher_descriptor[xts->cipher].ecb_decrypt(P, P, &xts->key1); #ifdef LTC_FAST for (x = 0; x < 16; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&P[x])) ^= *(LTC_FAST_TYPE_PTR_CAST(&T[x])); } #else for (x = 0; x < 16; x++) { P[x] = P[x] ^ T[x]; } #endif /* LFSR the tweak */ xts_mult_x(T); return err; }
/** GCM multiply by H @param gcm The GCM state which holds the H value @param I The value to multiply H by */ void gcm_mult_h(const gcm_state *gcm, unsigned char *I) { unsigned char T[16]; #ifdef LTC_GCM_TABLES int x; #ifdef LTC_GCM_TABLES_SSE2 asm("movdqa (%0),%%xmm0"::"r"(&gcm->PC[0][I[0]][0])); for (x = 1; x < 16; x++) { asm("pxor (%0),%%xmm0"::"r"(&gcm->PC[x][I[x]][0])); } asm("movdqa %%xmm0,(%0)"::"r"(&T)); #else int y; XMEMCPY(T, &gcm->PC[0][I[0]][0], 16); for (x = 1; x < 16; x++) { #ifdef LTC_FAST for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(T + y)) ^= *(LTC_FAST_TYPE_PTR_CAST(&gcm->PC[x][I[x]][y])); } #else for (y = 0; y < 16; y++) { T[y] ^= gcm->PC[x][I[x]][y]; } #endif /* LTC_FAST */ } #endif /* LTC_GCM_TABLES_SSE2 */ #else gcm_gf_mult(gcm->H, I, T); #endif XMEMCPY(I, T, 16); }
/** CTR encrypt software implementation @param pt Plaintext @param ct [out] Ciphertext @param len Length of plaintext (octets) @param ctr CTR state @return CRYPT_OK if successful */ static int _ctr_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, symmetric_CTR *ctr) { int x, err; while (len) { /* is the pad empty? */ if (ctr->padlen == ctr->blocklen) { /* increment counter */ if (ctr->mode == CTR_COUNTER_LITTLE_ENDIAN) { /* little-endian */ for (x = 0; x < ctr->ctrlen; x++) { ctr->ctr[x] = (ctr->ctr[x] + (unsigned char)1) & (unsigned char)255; if (ctr->ctr[x] != (unsigned char)0) { break; } } } else { /* big-endian */ for (x = ctr->blocklen-1; x >= ctr->ctrlen; x--) { ctr->ctr[x] = (ctr->ctr[x] + (unsigned char)1) & (unsigned char)255; if (ctr->ctr[x] != (unsigned char)0) { break; } } } /* encrypt it */ if ((err = cipher_descriptor[ctr->cipher].ecb_encrypt(ctr->ctr, ctr->pad, &ctr->key)) != CRYPT_OK) { return err; } ctr->padlen = 0; } #ifdef LTC_FAST if ((ctr->padlen == 0) && (len >= (unsigned long)ctr->blocklen)) { for (x = 0; x < ctr->blocklen; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ct + x)) = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)pt + x)) ^ *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ctr->pad + x)); } pt += ctr->blocklen; ct += ctr->blocklen; len -= ctr->blocklen; ctr->padlen = ctr->blocklen; continue; } #endif *ct++ = *pt++ ^ ctr->pad[ctr->padlen++]; --len; } return CRYPT_OK; }
/** Process data through f9-MAC @param f9 The f9-MAC state @param in Input data to process @param inlen Length of input in octets Return CRYPT_OK on success */ int f9_process(f9_state *f9, const unsigned char *in, unsigned long inlen) { int err, x; LTC_ARGCHK(f9 != NULL); LTC_ARGCHK(in != NULL); /* check structure */ if ((err = cipher_is_valid(f9->cipher)) != CRYPT_OK) { return err; } if ((f9->blocksize > cipher_descriptor[f9->cipher].block_length) || (f9->blocksize < 0) || (f9->buflen > f9->blocksize) || (f9->buflen < 0)) { return CRYPT_INVALID_ARG; } #ifdef LTC_FAST if (f9->buflen == 0) { while (inlen >= (unsigned long)f9->blocksize) { for (x = 0; x < f9->blocksize; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&(f9->IV[x]))) ^= *(LTC_FAST_TYPE_PTR_CAST(&(in[x]))); } cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key); for (x = 0; x < f9->blocksize; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&(f9->ACC[x]))) ^= *(LTC_FAST_TYPE_PTR_CAST(&(f9->IV[x]))); } in += f9->blocksize; inlen -= f9->blocksize; } } #endif while (inlen) { if (f9->buflen == f9->blocksize) { cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key); for (x = 0; x < f9->blocksize; x++) { f9->ACC[x] ^= f9->IV[x]; } f9->buflen = 0; } f9->IV[f9->buflen++] ^= *in++; --inlen; } return CRYPT_OK; }
/** Process data through XCBC-MAC @param xcbc The XCBC-MAC state @param in Input data to process @param inlen Length of input in octets Return CRYPT_OK on success */ int xcbc_process(xcbc_state *xcbc, const unsigned char *in, unsigned long inlen) { int err; #ifdef LTC_FAST int x; #endif LTC_ARGCHK(xcbc != NULL); LTC_ARGCHK(in != NULL); /* check structure */ if ((err = cipher_is_valid(xcbc->cipher)) != CRYPT_OK) { return err; } if ((xcbc->blocksize > cipher_descriptor[xcbc->cipher].block_length) || (xcbc->blocksize < 0) || (xcbc->buflen > xcbc->blocksize) || (xcbc->buflen < 0)) { return CRYPT_INVALID_ARG; } #ifdef LTC_FAST if (xcbc->buflen == 0) { while (inlen > (unsigned long)xcbc->blocksize) { for (x = 0; x < xcbc->blocksize; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&(xcbc->IV[x]))) ^= *(LTC_FAST_TYPE_PTR_CAST(&(in[x]))); } cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key); in += xcbc->blocksize; inlen -= xcbc->blocksize; } } #endif while (inlen) { if (xcbc->buflen == xcbc->blocksize) { cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key); xcbc->buflen = 0; } xcbc->IV[xcbc->buflen++] ^= *in++; --inlen; } return CRYPT_OK; }
/** Add AAD to the GCM state @param gcm The GCM state @param adata The additional authentication data to add to the GCM state @param adatalen The length of the AAD data. @return CRYPT_OK on success */ int gcm_add_aad(gcm_state *gcm, const unsigned char *adata, unsigned long adatalen) { unsigned long x; int err; #ifdef LTC_FAST unsigned long y; #endif LTC_ARGCHK(gcm != NULL); if (adatalen > 0) { LTC_ARGCHK(adata != NULL); } if (gcm->buflen > 16 || gcm->buflen < 0) { return CRYPT_INVALID_ARG; } if ((err = cipher_is_valid(gcm->cipher)) != CRYPT_OK) { return err; } /* in IV mode? */ if (gcm->mode == LTC_GCM_MODE_IV) { /* IV length must be > 0 */ if (gcm->buflen == 0 && gcm->totlen == 0) return CRYPT_ERROR; /* let's process the IV */ if (gcm->ivmode || gcm->buflen != 12) { for (x = 0; x < (unsigned long)gcm->buflen; x++) { gcm->X[x] ^= gcm->buf[x]; } if (gcm->buflen) { gcm->totlen += gcm->buflen * CONST64(8); gcm_mult_h(gcm, gcm->X); } /* mix in the length */ zeromem(gcm->buf, 8); STORE64H(gcm->totlen, gcm->buf+8); for (x = 0; x < 16; x++) { gcm->X[x] ^= gcm->buf[x]; } gcm_mult_h(gcm, gcm->X); /* copy counter out */ XMEMCPY(gcm->Y, gcm->X, 16); zeromem(gcm->X, 16); } else { XMEMCPY(gcm->Y, gcm->buf, 12); gcm->Y[12] = 0; gcm->Y[13] = 0; gcm->Y[14] = 0; gcm->Y[15] = 1; } XMEMCPY(gcm->Y_0, gcm->Y, 16); zeromem(gcm->buf, 16); gcm->buflen = 0; gcm->totlen = 0; gcm->mode = LTC_GCM_MODE_AAD; } if (gcm->mode != LTC_GCM_MODE_AAD || gcm->buflen >= 16) { return CRYPT_INVALID_ARG; } x = 0; #ifdef LTC_FAST if (gcm->buflen == 0) { for (x = 0; x < (adatalen & ~15); x += 16) { for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&adata[x + y])); } gcm_mult_h(gcm, gcm->X); gcm->totlen += 128; } adata += x; } #endif /* start adding AAD data to the state */ for (; x < adatalen; x++) { gcm->X[gcm->buflen++] ^= *adata++; if (gcm->buflen == 16) { /* GF mult it */ gcm_mult_h(gcm, gcm->X); gcm->buflen = 0; gcm->totlen += 128; } } return CRYPT_OK; }
/** CBC decrypt @param ct Ciphertext @param pt [out] Plaintext @param len The number of bytes to process (must be multiple of block length) @param cbc CBC state @return CRYPT_OK if successful */ int cbc_decrypt(const unsigned char *ct, unsigned char *pt, unsigned long len, symmetric_CBC *cbc) { int x, err; unsigned char tmp[16]; #ifdef LTC_FAST LTC_FAST_TYPE tmpy; #else unsigned char tmpy; #endif LTC_ARGCHK(pt != NULL); LTC_ARGCHK(ct != NULL); LTC_ARGCHK(cbc != NULL); if ((err = cipher_is_valid(cbc->cipher)) != CRYPT_OK) { return err; } /* is blocklen valid? */ if (cbc->blocklen < 1 || cbc->blocklen > (int)sizeof(cbc->IV) || cbc->blocklen > (int)sizeof(tmp)) { return CRYPT_INVALID_ARG; } if (len % cbc->blocklen) { return CRYPT_INVALID_ARG; } #ifdef LTC_FAST if (cbc->blocklen % sizeof(LTC_FAST_TYPE)) { return CRYPT_INVALID_ARG; } #endif if (cipher_descriptor[cbc->cipher].accel_cbc_decrypt != NULL) { return cipher_descriptor[cbc->cipher].accel_cbc_decrypt(ct, pt, len / cbc->blocklen, cbc->IV, &cbc->key); } else { while (len) { /* decrypt */ if ((err = cipher_descriptor[cbc->cipher].ecb_decrypt(ct, tmp, &cbc->key)) != CRYPT_OK) { return err; } /* xor IV against plaintext */ #if defined(LTC_FAST) for (x = 0; x < cbc->blocklen; x += sizeof(LTC_FAST_TYPE)) { tmpy = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) ^ *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)tmp + x)); *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ct + x)); *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)pt + x)) = tmpy; } #else for (x = 0; x < cbc->blocklen; x++) { tmpy = tmp[x] ^ cbc->IV[x]; cbc->IV[x] = ct[x]; pt[x] = tmpy; } #endif ct += cbc->blocklen; pt += cbc->blocklen; len -= cbc->blocklen; } } return CRYPT_OK; }
/** Add IV data to the GCM state @param gcm The GCM state @param IV The initial value data to add @param IVlen The length of the IV @return CRYPT_OK on success */ int gcm_add_iv(gcm_state *gcm, const unsigned char *IV, unsigned long IVlen) { unsigned long x, y; int err; LTC_ARGCHK(gcm != NULL); if (IVlen > 0) { LTC_ARGCHK(IV != NULL); } /* must be in IV mode */ if (gcm->mode != LTC_GCM_MODE_IV) { return CRYPT_INVALID_ARG; } if (gcm->buflen >= 16 || gcm->buflen < 0) { return CRYPT_INVALID_ARG; } if ((err = cipher_is_valid(gcm->cipher)) != CRYPT_OK) { return err; } /* trip the ivmode flag */ if (IVlen + gcm->buflen > 12) { gcm->ivmode |= 1; } x = 0; #ifdef LTC_FAST if (gcm->buflen == 0) { for (x = 0; x < (IVlen & ~15); x += 16) { for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&IV[x + y])); } gcm_mult_h(gcm, gcm->X); gcm->totlen += 128; } IV += x; } #endif /* start adding IV data to the state */ for (; x < IVlen; x++) { gcm->buf[gcm->buflen++] = *IV++; if (gcm->buflen == 16) { /* GF mult it */ for (y = 0; y < 16; y++) { gcm->X[y] ^= gcm->buf[y]; } gcm_mult_h(gcm, gcm->X); gcm->buflen = 0; gcm->totlen += 128; } } return CRYPT_OK; }
/* Test store/load macros with offsets */ int store_test(void) { unsigned char buf[256]; int y; ulong32 L, L1; ulong64 LL, LL1; #ifdef LTC_FAST int x, z; #endif for (y = 0; y < 4; y++) { L = 0x12345678UL; L1 = 0; STORE32L(L, buf + y); LOAD32L(L1, buf + y); if (L1 != L) { fprintf(stderr, "\n32L failed at offset %d\n", y); return 1; } STORE32H(L, buf + y); LOAD32H(L1, buf + y); if (L1 != L) { fprintf(stderr, "\n32H failed at offset %d\n", y); return 1; } } for (y = 0; y < 8; y++) { LL = CONST64 (0x01020304050607); LL1 = 0; STORE64L(LL, buf + y); LOAD64L(LL1, buf + y); if (LL1 != LL) { fprintf(stderr, "\n64L failed at offset %d\n", y); return 1; } STORE64H(LL, buf + y); LOAD64H(LL1, buf + y); if (LL1 != LL) { fprintf(stderr, "\n64H failed at offset %d\n", y); return 1; } } /* test LTC_FAST */ #ifdef LTC_FAST y = 16; for (z = 0; z < y; z++) { /* fill y bytes with random */ yarrow_read(buf+z, y, &yarrow_prng); yarrow_read(buf+z+y, y, &yarrow_prng); /* now XOR it byte for byte */ for (x = 0; x < y; x++) { buf[2*y+z+x] = buf[z+x] ^ buf[z+y+x]; } /* now XOR it word for word */ for (x = 0; x < y; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&buf[3*y+z+x])) = *(LTC_FAST_TYPE_PTR_CAST(&buf[z+x])) ^ *(LTC_FAST_TYPE_PTR_CAST(&buf[z+y+x])); } if (memcmp(&buf[2*y+z], &buf[3*y+z], y)) { fprintf(stderr, "\nLTC_FAST failed at offset %d\n", z); return 1; } } #endif return 0; }
/** Process data in a PMAC stream @param pmac The PMAC state @param in The data to send through PMAC @param inlen The length of the data to send through PMAC @return CRYPT_OK if successful */ int pmac_process(pmac_state *pmac, const unsigned char *in, unsigned long inlen) { int err, n; unsigned long x; unsigned char Z[MAXBLOCKSIZE]; LTC_ARGCHK(pmac != NULL); LTC_ARGCHK(in != NULL); if ((err = cipher_is_valid(pmac->cipher_idx)) != CRYPT_OK) { return err; } if ((pmac->buflen > (int)sizeof(pmac->block)) || (pmac->buflen < 0) || (pmac->block_len > (int)sizeof(pmac->block)) || (pmac->buflen > pmac->block_len)) { return CRYPT_INVALID_ARG; } #ifdef LTC_FAST if (pmac->buflen == 0 && inlen > 16) { unsigned long y; for (x = 0; x < (inlen - 16); x += 16) { pmac_shift_xor(pmac); for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&Z[y])) = *(LTC_FAST_TYPE_PTR_CAST(&in[y])) ^ *(LTC_FAST_TYPE_PTR_CAST(&pmac->Li[y])); } if ((err = cipher_descriptor[pmac->cipher_idx].ecb_encrypt(Z, Z, &pmac->key)) != CRYPT_OK) { return err; } for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST(&pmac->checksum[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&Z[y])); } in += 16; } inlen -= x; } #endif while (inlen != 0) { /* ok if the block is full we xor in prev, encrypt and replace prev */ if (pmac->buflen == pmac->block_len) { pmac_shift_xor(pmac); for (x = 0; x < (unsigned long)pmac->block_len; x++) { Z[x] = pmac->Li[x] ^ pmac->block[x]; } if ((err = cipher_descriptor[pmac->cipher_idx].ecb_encrypt(Z, Z, &pmac->key)) != CRYPT_OK) { return err; } for (x = 0; x < (unsigned long)pmac->block_len; x++) { pmac->checksum[x] ^= Z[x]; } pmac->buflen = 0; } /* add bytes */ n = MIN(inlen, (unsigned long)(pmac->block_len - pmac->buflen)); XMEMCPY(pmac->block + pmac->buflen, in, n); pmac->buflen += n; inlen -= n; in += n; } #ifdef LTC_CLEAN_STACK zeromem(Z, sizeof(Z)); #endif return CRYPT_OK; }
/** CBC encrypt @param pt Plaintext @param ct [out] Ciphertext @param len The number of bytes to process (must be multiple of block length) @param cbc CBC state @return CRYPT_OK if successful */ int cbc_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, symmetric_CBC *cbc) { int x, err; LTC_ARGCHK(pt != NULL); LTC_ARGCHK(ct != NULL); LTC_ARGCHK(cbc != NULL); if ((err = cipher_is_valid(cbc->cipher)) != CRYPT_OK) { return err; } /* is blocklen valid? */ if (cbc->blocklen < 1 || cbc->blocklen > (int)sizeof(cbc->IV)) { return CRYPT_INVALID_ARG; } if (len % cbc->blocklen) { return CRYPT_INVALID_ARG; } #ifdef LTC_FAST if (cbc->blocklen % sizeof(LTC_FAST_TYPE)) { return CRYPT_INVALID_ARG; } #endif if (cipher_descriptor[cbc->cipher].accel_cbc_encrypt != NULL) { return cipher_descriptor[cbc->cipher].accel_cbc_encrypt(pt, ct, len / cbc->blocklen, cbc->IV, &cbc->key); } else { while (len) { /* xor IV against plaintext */ #if defined(LTC_FAST) for (x = 0; x < cbc->blocklen; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) ^= *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)pt + x)); } #else for (x = 0; x < cbc->blocklen; x++) { cbc->IV[x] ^= pt[x]; } #endif /* encrypt */ if ((err = cipher_descriptor[cbc->cipher].ecb_encrypt(cbc->IV, ct, &cbc->key)) != CRYPT_OK) { return err; } /* store IV [ciphertext] for a future block */ #if defined(LTC_FAST) for (x = 0; x < cbc->blocklen; x += sizeof(LTC_FAST_TYPE)) { *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ct + x)); } #else for (x = 0; x < cbc->blocklen; x++) { cbc->IV[x] = ct[x]; } #endif ct += cbc->blocklen; pt += cbc->blocklen; len -= cbc->blocklen; } } return CRYPT_OK; }