static int _tweak_uncrypt(const unsigned char *C, unsigned char *P, unsigned char *T, symmetric_xts *xts)
{
unsigned long x;
int err;
/* tweak encrypt block i */
#ifdef LTC_FAST
for (x = 0; x < 16; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&P[x])) = *(LTC_FAST_TYPE_PTR_CAST(&C[x])) ^ *(LTC_FAST_TYPE_PTR_CAST(&T[x]));
}
#else
for (x = 0; x < 16; x++) {
P[x] = C[x] ^ T[x];
}
#endif
err = cipher_descriptor[xts->cipher].ecb_decrypt(P, P, &xts->key1);
#ifdef LTC_FAST
for (x = 0; x < 16; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&P[x])) ^= *(LTC_FAST_TYPE_PTR_CAST(&T[x]));
}
#else
for (x = 0; x < 16; x++) {
P[x] = P[x] ^ T[x];
}
#endif
/* LFSR the tweak */
xts_mult_x(T);
return err;
}
/**
GCM multiply by H
@param gcm The GCM state which holds the H value
@param I The value to multiply H by
*/
void gcm_mult_h(const gcm_state *gcm, unsigned char *I)
{
unsigned char T[16];
#ifdef LTC_GCM_TABLES
int x;
#ifdef LTC_GCM_TABLES_SSE2
asm("movdqa (%0),%%xmm0"::"r"(&gcm->PC[0][I[0]][0]));
for (x = 1; x < 16; x++) {
asm("pxor (%0),%%xmm0"::"r"(&gcm->PC[x][I[x]][0]));
}
asm("movdqa %%xmm0,(%0)"::"r"(&T));
#else
int y;
XMEMCPY(T, &gcm->PC[0][I[0]][0], 16);
for (x = 1; x < 16; x++) {
#ifdef LTC_FAST
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(T + y)) ^= *(LTC_FAST_TYPE_PTR_CAST(&gcm->PC[x][I[x]][y]));
}
#else
for (y = 0; y < 16; y++) {
T[y] ^= gcm->PC[x][I[x]][y];
}
#endif /* LTC_FAST */
}
#endif /* LTC_GCM_TABLES_SSE2 */
#else
gcm_gf_mult(gcm->H, I, T);
#endif
XMEMCPY(I, T, 16);
}
/**
CTR encrypt software implementation
@param pt Plaintext
@param ct [out] Ciphertext
@param len Length of plaintext (octets)
@param ctr CTR state
@return CRYPT_OK if successful
*/
static int _ctr_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, symmetric_CTR *ctr)
{
int x, err;
while (len) {
/* is the pad empty? */
if (ctr->padlen == ctr->blocklen) {
/* increment counter */
if (ctr->mode == CTR_COUNTER_LITTLE_ENDIAN) {
/* little-endian */
for (x = 0; x < ctr->ctrlen; x++) {
ctr->ctr[x] = (ctr->ctr[x] + (unsigned char)1) & (unsigned char)255;
if (ctr->ctr[x] != (unsigned char)0) {
break;
}
}
} else {
/* big-endian */
for (x = ctr->blocklen-1; x >= ctr->ctrlen; x--) {
ctr->ctr[x] = (ctr->ctr[x] + (unsigned char)1) & (unsigned char)255;
if (ctr->ctr[x] != (unsigned char)0) {
break;
}
}
}
/* encrypt it */
if ((err = cipher_descriptor[ctr->cipher].ecb_encrypt(ctr->ctr, ctr->pad, &ctr->key)) != CRYPT_OK) {
return err;
}
ctr->padlen = 0;
}
#ifdef LTC_FAST
if ((ctr->padlen == 0) && (len >= (unsigned long)ctr->blocklen)) {
for (x = 0; x < ctr->blocklen; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ct + x)) = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)pt + x)) ^
*(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ctr->pad + x));
}
pt += ctr->blocklen;
ct += ctr->blocklen;
len -= ctr->blocklen;
ctr->padlen = ctr->blocklen;
continue;
}
#endif
*ct++ = *pt++ ^ ctr->pad[ctr->padlen++];
--len;
}
return CRYPT_OK;
}
/** Process data through f9-MAC
@param f9 The f9-MAC state
@param in Input data to process
@param inlen Length of input in octets
Return CRYPT_OK on success
*/
int f9_process(f9_state *f9, const unsigned char *in, unsigned long inlen)
{
int err, x;
LTC_ARGCHK(f9 != NULL);
LTC_ARGCHK(in != NULL);
/* check structure */
if ((err = cipher_is_valid(f9->cipher)) != CRYPT_OK) {
return err;
}
if ((f9->blocksize > cipher_descriptor[f9->cipher].block_length) || (f9->blocksize < 0) ||
(f9->buflen > f9->blocksize) || (f9->buflen < 0)) {
return CRYPT_INVALID_ARG;
}
#ifdef LTC_FAST
if (f9->buflen == 0) {
while (inlen >= (unsigned long)f9->blocksize) {
for (x = 0; x < f9->blocksize; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&(f9->IV[x]))) ^= *(LTC_FAST_TYPE_PTR_CAST(&(in[x])));
}
cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key);
for (x = 0; x < f9->blocksize; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&(f9->ACC[x]))) ^= *(LTC_FAST_TYPE_PTR_CAST(&(f9->IV[x])));
}
in += f9->blocksize;
inlen -= f9->blocksize;
}
}
#endif
while (inlen) {
if (f9->buflen == f9->blocksize) {
cipher_descriptor[f9->cipher].ecb_encrypt(f9->IV, f9->IV, &f9->key);
for (x = 0; x < f9->blocksize; x++) {
f9->ACC[x] ^= f9->IV[x];
}
f9->buflen = 0;
}
f9->IV[f9->buflen++] ^= *in++;
--inlen;
}
return CRYPT_OK;
}
/** Process data through XCBC-MAC
@param xcbc The XCBC-MAC state
@param in Input data to process
@param inlen Length of input in octets
Return CRYPT_OK on success
*/
int xcbc_process(xcbc_state *xcbc, const unsigned char *in, unsigned long inlen)
{
int err;
#ifdef LTC_FAST
int x;
#endif
LTC_ARGCHK(xcbc != NULL);
LTC_ARGCHK(in != NULL);
/* check structure */
if ((err = cipher_is_valid(xcbc->cipher)) != CRYPT_OK) {
return err;
}
if ((xcbc->blocksize > cipher_descriptor[xcbc->cipher].block_length) || (xcbc->blocksize < 0) ||
(xcbc->buflen > xcbc->blocksize) || (xcbc->buflen < 0)) {
return CRYPT_INVALID_ARG;
}
#ifdef LTC_FAST
if (xcbc->buflen == 0) {
while (inlen > (unsigned long)xcbc->blocksize) {
for (x = 0; x < xcbc->blocksize; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&(xcbc->IV[x]))) ^= *(LTC_FAST_TYPE_PTR_CAST(&(in[x])));
}
cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key);
in += xcbc->blocksize;
inlen -= xcbc->blocksize;
}
}
#endif
while (inlen) {
if (xcbc->buflen == xcbc->blocksize) {
cipher_descriptor[xcbc->cipher].ecb_encrypt(xcbc->IV, xcbc->IV, &xcbc->key);
xcbc->buflen = 0;
}
xcbc->IV[xcbc->buflen++] ^= *in++;
--inlen;
}
return CRYPT_OK;
}
/**
Add AAD to the GCM state
@param gcm The GCM state
@param adata The additional authentication data to add to the GCM state
@param adatalen The length of the AAD data.
@return CRYPT_OK on success
*/
int gcm_add_aad(gcm_state *gcm,
const unsigned char *adata, unsigned long adatalen)
{
unsigned long x;
int err;
#ifdef LTC_FAST
unsigned long y;
#endif
LTC_ARGCHK(gcm != NULL);
if (adatalen > 0) {
LTC_ARGCHK(adata != NULL);
}
if (gcm->buflen > 16 || gcm->buflen < 0) {
return CRYPT_INVALID_ARG;
}
if ((err = cipher_is_valid(gcm->cipher)) != CRYPT_OK) {
return err;
}
/* in IV mode? */
if (gcm->mode == LTC_GCM_MODE_IV) {
/* IV length must be > 0 */
if (gcm->buflen == 0 && gcm->totlen == 0) return CRYPT_ERROR;
/* let's process the IV */
if (gcm->ivmode || gcm->buflen != 12) {
for (x = 0; x < (unsigned long)gcm->buflen; x++) {
gcm->X[x] ^= gcm->buf[x];
}
if (gcm->buflen) {
gcm->totlen += gcm->buflen * CONST64(8);
gcm_mult_h(gcm, gcm->X);
}
/* mix in the length */
zeromem(gcm->buf, 8);
STORE64H(gcm->totlen, gcm->buf+8);
for (x = 0; x < 16; x++) {
gcm->X[x] ^= gcm->buf[x];
}
gcm_mult_h(gcm, gcm->X);
/* copy counter out */
XMEMCPY(gcm->Y, gcm->X, 16);
zeromem(gcm->X, 16);
} else {
XMEMCPY(gcm->Y, gcm->buf, 12);
gcm->Y[12] = 0;
gcm->Y[13] = 0;
gcm->Y[14] = 0;
gcm->Y[15] = 1;
}
XMEMCPY(gcm->Y_0, gcm->Y, 16);
zeromem(gcm->buf, 16);
gcm->buflen = 0;
gcm->totlen = 0;
gcm->mode = LTC_GCM_MODE_AAD;
}
if (gcm->mode != LTC_GCM_MODE_AAD || gcm->buflen >= 16) {
return CRYPT_INVALID_ARG;
}
x = 0;
#ifdef LTC_FAST
if (gcm->buflen == 0) {
for (x = 0; x < (adatalen & ~15); x += 16) {
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&adata[x + y]));
}
gcm_mult_h(gcm, gcm->X);
gcm->totlen += 128;
}
adata += x;
}
#endif
/* start adding AAD data to the state */
for (; x < adatalen; x++) {
gcm->X[gcm->buflen++] ^= *adata++;
if (gcm->buflen == 16) {
/* GF mult it */
gcm_mult_h(gcm, gcm->X);
gcm->buflen = 0;
gcm->totlen += 128;
}
}
return CRYPT_OK;
}
/**
CBC decrypt
@param ct Ciphertext
@param pt [out] Plaintext
@param len The number of bytes to process (must be multiple of block length)
@param cbc CBC state
@return CRYPT_OK if successful
*/
int cbc_decrypt(const unsigned char *ct, unsigned char *pt, unsigned long len, symmetric_CBC *cbc)
{
int x, err;
unsigned char tmp[16];
#ifdef LTC_FAST
LTC_FAST_TYPE tmpy;
#else
unsigned char tmpy;
#endif
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(cbc != NULL);
if ((err = cipher_is_valid(cbc->cipher)) != CRYPT_OK) {
return err;
}
/* is blocklen valid? */
if (cbc->blocklen < 1 || cbc->blocklen > (int)sizeof(cbc->IV) || cbc->blocklen > (int)sizeof(tmp)) {
return CRYPT_INVALID_ARG;
}
if (len % cbc->blocklen) {
return CRYPT_INVALID_ARG;
}
#ifdef LTC_FAST
if (cbc->blocklen % sizeof(LTC_FAST_TYPE)) {
return CRYPT_INVALID_ARG;
}
#endif
if (cipher_descriptor[cbc->cipher].accel_cbc_decrypt != NULL) {
return cipher_descriptor[cbc->cipher].accel_cbc_decrypt(ct, pt, len / cbc->blocklen, cbc->IV, &cbc->key);
} else {
while (len) {
/* decrypt */
if ((err = cipher_descriptor[cbc->cipher].ecb_decrypt(ct, tmp, &cbc->key)) != CRYPT_OK) {
return err;
}
/* xor IV against plaintext */
#if defined(LTC_FAST)
for (x = 0; x < cbc->blocklen; x += sizeof(LTC_FAST_TYPE)) {
tmpy = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) ^ *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)tmp + x));
*(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ct + x));
*(LTC_FAST_TYPE_PTR_CAST((unsigned char *)pt + x)) = tmpy;
}
#else
for (x = 0; x < cbc->blocklen; x++) {
tmpy = tmp[x] ^ cbc->IV[x];
cbc->IV[x] = ct[x];
pt[x] = tmpy;
}
#endif
ct += cbc->blocklen;
pt += cbc->blocklen;
len -= cbc->blocklen;
}
}
return CRYPT_OK;
}
/**
Add IV data to the GCM state
@param gcm The GCM state
@param IV The initial value data to add
@param IVlen The length of the IV
@return CRYPT_OK on success
*/
int gcm_add_iv(gcm_state *gcm,
const unsigned char *IV, unsigned long IVlen)
{
unsigned long x, y;
int err;
LTC_ARGCHK(gcm != NULL);
if (IVlen > 0) {
LTC_ARGCHK(IV != NULL);
}
/* must be in IV mode */
if (gcm->mode != LTC_GCM_MODE_IV) {
return CRYPT_INVALID_ARG;
}
if (gcm->buflen >= 16 || gcm->buflen < 0) {
return CRYPT_INVALID_ARG;
}
if ((err = cipher_is_valid(gcm->cipher)) != CRYPT_OK) {
return err;
}
/* trip the ivmode flag */
if (IVlen + gcm->buflen > 12) {
gcm->ivmode |= 1;
}
x = 0;
#ifdef LTC_FAST
if (gcm->buflen == 0) {
for (x = 0; x < (IVlen & ~15); x += 16) {
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&IV[x + y]));
}
gcm_mult_h(gcm, gcm->X);
gcm->totlen += 128;
}
IV += x;
}
#endif
/* start adding IV data to the state */
for (; x < IVlen; x++) {
gcm->buf[gcm->buflen++] = *IV++;
if (gcm->buflen == 16) {
/* GF mult it */
for (y = 0; y < 16; y++) {
gcm->X[y] ^= gcm->buf[y];
}
gcm_mult_h(gcm, gcm->X);
gcm->buflen = 0;
gcm->totlen += 128;
}
}
return CRYPT_OK;
}
/* Test store/load macros with offsets */
int store_test(void)
{
unsigned char buf[256];
int y;
ulong32 L, L1;
ulong64 LL, LL1;
#ifdef LTC_FAST
int x, z;
#endif
for (y = 0; y < 4; y++) {
L = 0x12345678UL;
L1 = 0;
STORE32L(L, buf + y);
LOAD32L(L1, buf + y);
if (L1 != L) {
fprintf(stderr, "\n32L failed at offset %d\n", y);
return 1;
}
STORE32H(L, buf + y);
LOAD32H(L1, buf + y);
if (L1 != L) {
fprintf(stderr, "\n32H failed at offset %d\n", y);
return 1;
}
}
for (y = 0; y < 8; y++) {
LL = CONST64 (0x01020304050607);
LL1 = 0;
STORE64L(LL, buf + y);
LOAD64L(LL1, buf + y);
if (LL1 != LL) {
fprintf(stderr, "\n64L failed at offset %d\n", y);
return 1;
}
STORE64H(LL, buf + y);
LOAD64H(LL1, buf + y);
if (LL1 != LL) {
fprintf(stderr, "\n64H failed at offset %d\n", y);
return 1;
}
}
/* test LTC_FAST */
#ifdef LTC_FAST
y = 16;
for (z = 0; z < y; z++) {
/* fill y bytes with random */
yarrow_read(buf+z, y, &yarrow_prng);
yarrow_read(buf+z+y, y, &yarrow_prng);
/* now XOR it byte for byte */
for (x = 0; x < y; x++) {
buf[2*y+z+x] = buf[z+x] ^ buf[z+y+x];
}
/* now XOR it word for word */
for (x = 0; x < y; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&buf[3*y+z+x])) = *(LTC_FAST_TYPE_PTR_CAST(&buf[z+x])) ^ *(LTC_FAST_TYPE_PTR_CAST(&buf[z+y+x]));
}
if (memcmp(&buf[2*y+z], &buf[3*y+z], y)) {
fprintf(stderr, "\nLTC_FAST failed at offset %d\n", z);
return 1;
}
}
#endif
return 0;
}
/**
Process data in a PMAC stream
@param pmac The PMAC state
@param in The data to send through PMAC
@param inlen The length of the data to send through PMAC
@return CRYPT_OK if successful
*/
int pmac_process(pmac_state *pmac, const unsigned char *in, unsigned long inlen)
{
int err, n;
unsigned long x;
unsigned char Z[MAXBLOCKSIZE];
LTC_ARGCHK(pmac != NULL);
LTC_ARGCHK(in != NULL);
if ((err = cipher_is_valid(pmac->cipher_idx)) != CRYPT_OK) {
return err;
}
if ((pmac->buflen > (int)sizeof(pmac->block)) || (pmac->buflen < 0) ||
(pmac->block_len > (int)sizeof(pmac->block)) || (pmac->buflen > pmac->block_len)) {
return CRYPT_INVALID_ARG;
}
#ifdef LTC_FAST
if (pmac->buflen == 0 && inlen > 16) {
unsigned long y;
for (x = 0; x < (inlen - 16); x += 16) {
pmac_shift_xor(pmac);
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&Z[y])) = *(LTC_FAST_TYPE_PTR_CAST(&in[y])) ^ *(LTC_FAST_TYPE_PTR_CAST(&pmac->Li[y]));
}
if ((err = cipher_descriptor[pmac->cipher_idx].ecb_encrypt(Z, Z, &pmac->key)) != CRYPT_OK) {
return err;
}
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST(&pmac->checksum[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&Z[y]));
}
in += 16;
}
inlen -= x;
}
#endif
while (inlen != 0) {
/* ok if the block is full we xor in prev, encrypt and replace prev */
if (pmac->buflen == pmac->block_len) {
pmac_shift_xor(pmac);
for (x = 0; x < (unsigned long)pmac->block_len; x++) {
Z[x] = pmac->Li[x] ^ pmac->block[x];
}
if ((err = cipher_descriptor[pmac->cipher_idx].ecb_encrypt(Z, Z, &pmac->key)) != CRYPT_OK) {
return err;
}
for (x = 0; x < (unsigned long)pmac->block_len; x++) {
pmac->checksum[x] ^= Z[x];
}
pmac->buflen = 0;
}
/* add bytes */
n = MIN(inlen, (unsigned long)(pmac->block_len - pmac->buflen));
XMEMCPY(pmac->block + pmac->buflen, in, n);
pmac->buflen += n;
inlen -= n;
in += n;
}
#ifdef LTC_CLEAN_STACK
zeromem(Z, sizeof(Z));
#endif
return CRYPT_OK;
}
/**
CBC encrypt
@param pt Plaintext
@param ct [out] Ciphertext
@param len The number of bytes to process (must be multiple of block length)
@param cbc CBC state
@return CRYPT_OK if successful
*/
int cbc_encrypt(const unsigned char *pt, unsigned char *ct, unsigned long len, symmetric_CBC *cbc)
{
int x, err;
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
LTC_ARGCHK(cbc != NULL);
if ((err = cipher_is_valid(cbc->cipher)) != CRYPT_OK) {
return err;
}
/* is blocklen valid? */
if (cbc->blocklen < 1 || cbc->blocklen > (int)sizeof(cbc->IV)) {
return CRYPT_INVALID_ARG;
}
if (len % cbc->blocklen) {
return CRYPT_INVALID_ARG;
}
#ifdef LTC_FAST
if (cbc->blocklen % sizeof(LTC_FAST_TYPE)) {
return CRYPT_INVALID_ARG;
}
#endif
if (cipher_descriptor[cbc->cipher].accel_cbc_encrypt != NULL) {
return cipher_descriptor[cbc->cipher].accel_cbc_encrypt(pt, ct, len / cbc->blocklen, cbc->IV, &cbc->key);
} else {
while (len) {
/* xor IV against plaintext */
#if defined(LTC_FAST)
for (x = 0; x < cbc->blocklen; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) ^= *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)pt + x));
}
#else
for (x = 0; x < cbc->blocklen; x++) {
cbc->IV[x] ^= pt[x];
}
#endif
/* encrypt */
if ((err = cipher_descriptor[cbc->cipher].ecb_encrypt(cbc->IV, ct, &cbc->key)) != CRYPT_OK) {
return err;
}
/* store IV [ciphertext] for a future block */
#if defined(LTC_FAST)
for (x = 0; x < cbc->blocklen; x += sizeof(LTC_FAST_TYPE)) {
*(LTC_FAST_TYPE_PTR_CAST((unsigned char *)cbc->IV + x)) = *(LTC_FAST_TYPE_PTR_CAST((unsigned char *)ct + x));
}
#else
for (x = 0; x < cbc->blocklen; x++) {
cbc->IV[x] = ct[x];
}
#endif
ct += cbc->blocklen;
pt += cbc->blocklen;
len -= cbc->blocklen;
}
}
return CRYPT_OK;
}
