(U32V((v) << (n)) | ((v) >> (32 - (n))))
#define U8TO32_LITTLE(p) \
- (((u32)((p)[0]) ) | \
+ (((u32)((p)[0])) | \
((u32)((p)[1]) << 8) | \
((u32)((p)[2]) << 16) | \
((u32)((p)[3]) << 24))
#define U32TO8_LITTLE(p, v) \
do { \
- (p)[0] = U8V((v) ); \
+ (p)[0] = U8V((v)); \
(p)[1] = U8V((v) >> 8); \
(p)[2] = U8V((v) >> 16); \
(p)[3] = U8V((v) >> 24); \
static const char tau[16] = "expand 16-byte k";
static inline void
-chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
+chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
{
- const char *constants;
-
- x->input[4] = U8TO32_LITTLE(k + 0);
- x->input[5] = U8TO32_LITTLE(k + 4);
- x->input[6] = U8TO32_LITTLE(k + 8);
- x->input[7] = U8TO32_LITTLE(k + 12);
- if (kbits == 256) { /* recommended */
- k += 16;
- constants = sigma;
- } else { /* kbits == 128 */
- constants = tau;
- }
- x->input[8] = U8TO32_LITTLE(k + 0);
- x->input[9] = U8TO32_LITTLE(k + 4);
- x->input[10] = U8TO32_LITTLE(k + 8);
- x->input[11] = U8TO32_LITTLE(k + 12);
- x->input[0] = U8TO32_LITTLE(constants + 0);
- x->input[1] = U8TO32_LITTLE(constants + 4);
- x->input[2] = U8TO32_LITTLE(constants + 8);
- x->input[3] = U8TO32_LITTLE(constants + 12);
+ const char *constants;
+
+ x->input[4] = U8TO32_LITTLE(k + 0);
+ x->input[5] = U8TO32_LITTLE(k + 4);
+ x->input[6] = U8TO32_LITTLE(k + 8);
+ x->input[7] = U8TO32_LITTLE(k + 12);
+ if (kbits == 256) { /* recommended */
+ k += 16;
+ constants = sigma;
+ } else { /* kbits == 128 */
+ constants = tau;
+ }
+ x->input[8] = U8TO32_LITTLE(k + 0);
+ x->input[9] = U8TO32_LITTLE(k + 4);
+ x->input[10] = U8TO32_LITTLE(k + 8);
+ x->input[11] = U8TO32_LITTLE(k + 12);
+ x->input[0] = U8TO32_LITTLE(constants + 0);
+ x->input[1] = U8TO32_LITTLE(constants + 4);
+ x->input[2] = U8TO32_LITTLE(constants + 8);
+ x->input[3] = U8TO32_LITTLE(constants + 12);
}
static inline void
chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
{
- x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
- x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
- x->input[14] = U8TO32_LITTLE(iv + 0);
- x->input[15] = U8TO32_LITTLE(iv + 4);
+ x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+ x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
+ x->input[14] = U8TO32_LITTLE(iv + 0);
+ x->input[15] = U8TO32_LITTLE(iv + 4);
}
static inline void
-chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
{
- u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
- u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
- u8 *ctarget = NULL;
- u8 tmp[64];
- u_int i;
-
- if (!bytes) return;
-
- j0 = x->input[0];
- j1 = x->input[1];
- j2 = x->input[2];
- j3 = x->input[3];
- j4 = x->input[4];
- j5 = x->input[5];
- j6 = x->input[6];
- j7 = x->input[7];
- j8 = x->input[8];
- j9 = x->input[9];
- j10 = x->input[10];
- j11 = x->input[11];
- j12 = x->input[12];
- j13 = x->input[13];
- j14 = x->input[14];
- j15 = x->input[15];
-
- for (;;) {
- if (bytes < 64) {
- for (i = 0;i < bytes;++i) tmp[i] = m[i];
- m = tmp;
- ctarget = c;
- c = tmp;
- }
- x0 = j0;
- x1 = j1;
- x2 = j2;
- x3 = j3;
- x4 = j4;
- x5 = j5;
- x6 = j6;
- x7 = j7;
- x8 = j8;
- x9 = j9;
- x10 = j10;
- x11 = j11;
- x12 = j12;
- x13 = j13;
- x14 = j14;
- x15 = j15;
- for (i = 20;i > 0;i -= 2) {
- QUARTERROUND( x0, x4, x8,x12)
- QUARTERROUND( x1, x5, x9,x13)
- QUARTERROUND( x2, x6,x10,x14)
- QUARTERROUND( x3, x7,x11,x15)
- QUARTERROUND( x0, x5,x10,x15)
- QUARTERROUND( x1, x6,x11,x12)
- QUARTERROUND( x2, x7, x8,x13)
- QUARTERROUND( x3, x4, x9,x14)
- }
- x0 = PLUS(x0,j0);
- x1 = PLUS(x1,j1);
- x2 = PLUS(x2,j2);
- x3 = PLUS(x3,j3);
- x4 = PLUS(x4,j4);
- x5 = PLUS(x5,j5);
- x6 = PLUS(x6,j6);
- x7 = PLUS(x7,j7);
- x8 = PLUS(x8,j8);
- x9 = PLUS(x9,j9);
- x10 = PLUS(x10,j10);
- x11 = PLUS(x11,j11);
- x12 = PLUS(x12,j12);
- x13 = PLUS(x13,j13);
- x14 = PLUS(x14,j14);
- x15 = PLUS(x15,j15);
-
- x0 = XOR(x0,U8TO32_LITTLE(m + 0));
- x1 = XOR(x1,U8TO32_LITTLE(m + 4));
- x2 = XOR(x2,U8TO32_LITTLE(m + 8));
- x3 = XOR(x3,U8TO32_LITTLE(m + 12));
- x4 = XOR(x4,U8TO32_LITTLE(m + 16));
- x5 = XOR(x5,U8TO32_LITTLE(m + 20));
- x6 = XOR(x6,U8TO32_LITTLE(m + 24));
- x7 = XOR(x7,U8TO32_LITTLE(m + 28));
- x8 = XOR(x8,U8TO32_LITTLE(m + 32));
- x9 = XOR(x9,U8TO32_LITTLE(m + 36));
- x10 = XOR(x10,U8TO32_LITTLE(m + 40));
- x11 = XOR(x11,U8TO32_LITTLE(m + 44));
- x12 = XOR(x12,U8TO32_LITTLE(m + 48));
- x13 = XOR(x13,U8TO32_LITTLE(m + 52));
- x14 = XOR(x14,U8TO32_LITTLE(m + 56));
- x15 = XOR(x15,U8TO32_LITTLE(m + 60));
-
- j12 = PLUSONE(j12);
- if (!j12) {
- j13 = PLUSONE(j13);
- /* stopping at 2^70 bytes per nonce is user's responsibility */
- }
-
- U32TO8_LITTLE(c + 0,x0);
- U32TO8_LITTLE(c + 4,x1);
- U32TO8_LITTLE(c + 8,x2);
- U32TO8_LITTLE(c + 12,x3);
- U32TO8_LITTLE(c + 16,x4);
- U32TO8_LITTLE(c + 20,x5);
- U32TO8_LITTLE(c + 24,x6);
- U32TO8_LITTLE(c + 28,x7);
- U32TO8_LITTLE(c + 32,x8);
- U32TO8_LITTLE(c + 36,x9);
- U32TO8_LITTLE(c + 40,x10);
- U32TO8_LITTLE(c + 44,x11);
- U32TO8_LITTLE(c + 48,x12);
- U32TO8_LITTLE(c + 52,x13);
- U32TO8_LITTLE(c + 56,x14);
- U32TO8_LITTLE(c + 60,x15);
-
- if (bytes <= 64) {
- if (bytes < 64) {
- for (i = 0;i < bytes;++i) ctarget[i] = c[i];
- }
- x->input[12] = j12;
- x->input[13] = j13;
- return;
- }
- bytes -= 64;
- c += 64;
- m += 64;
- }
+ u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+ u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+ u8 *ctarget = NULL;
+ u8 tmp[64];
+ u_int i;
+
+ if (!bytes)
+ return;
+
+ j0 = x->input[0];
+ j1 = x->input[1];
+ j2 = x->input[2];
+ j3 = x->input[3];
+ j4 = x->input[4];
+ j5 = x->input[5];
+ j6 = x->input[6];
+ j7 = x->input[7];
+ j8 = x->input[8];
+ j9 = x->input[9];
+ j10 = x->input[10];
+ j11 = x->input[11];
+ j12 = x->input[12];
+ j13 = x->input[13];
+ j14 = x->input[14];
+ j15 = x->input[15];
+
+ for (;;) {
+ if (bytes < 64) {
+ for (i = 0;i < bytes;++i) tmp[i] = m[i];
+ m = tmp;
+ ctarget = c;
+ c = tmp;
+ }
+ x0 = j0;
+ x1 = j1;
+ x2 = j2;
+ x3 = j3;
+ x4 = j4;
+ x5 = j5;
+ x6 = j6;
+ x7 = j7;
+ x8 = j8;
+ x9 = j9;
+ x10 = j10;
+ x11 = j11;
+ x12 = j12;
+ x13 = j13;
+ x14 = j14;
+ x15 = j15;
+ for (i = 20; i > 0; i -= 2) {
+ QUARTERROUND(x0, x4, x8, x12)
+ QUARTERROUND(x1, x5, x9, x13)
+ QUARTERROUND(x2, x6, x10, x14)
+ QUARTERROUND(x3, x7, x11, x15)
+ QUARTERROUND(x0, x5, x10, x15)
+ QUARTERROUND(x1, x6, x11, x12)
+ QUARTERROUND(x2, x7, x8, x13)
+ QUARTERROUND(x3, x4, x9, x14)
+ }
+ x0 = PLUS(x0, j0);
+ x1 = PLUS(x1, j1);
+ x2 = PLUS(x2, j2);
+ x3 = PLUS(x3, j3);
+ x4 = PLUS(x4, j4);
+ x5 = PLUS(x5, j5);
+ x6 = PLUS(x6, j6);
+ x7 = PLUS(x7, j7);
+ x8 = PLUS(x8, j8);
+ x9 = PLUS(x9, j9);
+ x10 = PLUS(x10, j10);
+ x11 = PLUS(x11, j11);
+ x12 = PLUS(x12, j12);
+ x13 = PLUS(x13, j13);
+ x14 = PLUS(x14, j14);
+ x15 = PLUS(x15, j15);
+
+ x0 = XOR(x0, U8TO32_LITTLE(m + 0));
+ x1 = XOR(x1, U8TO32_LITTLE(m + 4));
+ x2 = XOR(x2, U8TO32_LITTLE(m + 8));
+ x3 = XOR(x3, U8TO32_LITTLE(m + 12));
+ x4 = XOR(x4, U8TO32_LITTLE(m + 16));
+ x5 = XOR(x5, U8TO32_LITTLE(m + 20));
+ x6 = XOR(x6, U8TO32_LITTLE(m + 24));
+ x7 = XOR(x7, U8TO32_LITTLE(m + 28));
+ x8 = XOR(x8, U8TO32_LITTLE(m + 32));
+ x9 = XOR(x9, U8TO32_LITTLE(m + 36));
+ x10 = XOR(x10, U8TO32_LITTLE(m + 40));
+ x11 = XOR(x11, U8TO32_LITTLE(m + 44));
+ x12 = XOR(x12, U8TO32_LITTLE(m + 48));
+ x13 = XOR(x13, U8TO32_LITTLE(m + 52));
+ x14 = XOR(x14, U8TO32_LITTLE(m + 56));
+ x15 = XOR(x15, U8TO32_LITTLE(m + 60));
+
+ j12 = PLUSONE(j12);
+ if (!j12) {
+ j13 = PLUSONE(j13);
+ /* stopping at 2^70 bytes per nonce is user's responsibility */
+ }
+
+ U32TO8_LITTLE(c + 0, x0);
+ U32TO8_LITTLE(c + 4, x1);
+ U32TO8_LITTLE(c + 8, x2);
+ U32TO8_LITTLE(c + 12, x3);
+ U32TO8_LITTLE(c + 16, x4);
+ U32TO8_LITTLE(c + 20, x5);
+ U32TO8_LITTLE(c + 24, x6);
+ U32TO8_LITTLE(c + 28, x7);
+ U32TO8_LITTLE(c + 32, x8);
+ U32TO8_LITTLE(c + 36, x9);
+ U32TO8_LITTLE(c + 40, x10);
+ U32TO8_LITTLE(c + 44, x11);
+ U32TO8_LITTLE(c + 48, x12);
+ U32TO8_LITTLE(c + 52, x13);
+ U32TO8_LITTLE(c + 56, x14);
+ U32TO8_LITTLE(c + 60, x15);
+
+ if (bytes <= 64) {
+ if (bytes < 64) {
+ for (i = 0; i < bytes; ++i)
+ ctarget[i] = c[i];
+ }
+ x->input[12] = j12;
+ x->input[13] = j13;
+ return;
+ }
+ bytes -= 64;
+ c += 64;
+ m += 64;
+ }
}
#endif
typedef struct {
- unsigned int input[16];
+ unsigned int input[16];
} ChaCha_ctx;
void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,
/* increment counter (64-bit int) by 1 */
static void
-ctr64_inc(unsigned char *counter) {
+ctr64_inc(unsigned char *counter)
+{
int n = 8;
unsigned char c;
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
-BLOCK_CIPHER_custom(NID_aes, 128, 1,12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 1,12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1,12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
static int
#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
-BLOCK_CIPHER_custom(NID_aes, 128, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
static int
aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
#define aes_ccm_cleanup NULL
-BLOCK_CIPHER_custom(NID_aes, 128, 1,12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 1,12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1,12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
#define EVP_AEAD_AES_GCM_TAG_LEN 16
if (gcm_ctx->ctr) {
if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
- in_len-bulk-gcm_ctx->tag_len, gcm_ctx->ctr))
+ in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
return -1;
} else {
if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include "evp_locl.h"
-size_t EVP_AEAD_key_length(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_key_length(const EVP_AEAD *aead)
+{
return aead->key_len;
- }
+}
-size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_nonce_length(const EVP_AEAD *aead)
+{
return aead->nonce_len;
- }
+}
-size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_max_overhead(const EVP_AEAD *aead)
+{
return aead->overhead;
- }
+}
-size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
+{
return aead->max_tag_len;
- }
+}
-int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
- const unsigned char *key, size_t key_len,
- size_t tag_len, ENGINE *impl)
- {
+int
+EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+ const unsigned char *key, size_t key_len, size_t tag_len, ENGINE *impl)
+{
ctx->aead = aead;
- if (key_len != aead->key_len)
- {
- EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE);
+ if (key_len != aead->key_len) {
+ EVPerr(EVP_F_EVP_AEAD_CTX_INIT, EVP_R_UNSUPPORTED_KEY_SIZE);
return 0;
- }
- return aead->init(ctx, key, key_len, tag_len);
}
+ return aead->init(ctx, key, key_len, tag_len);
+}
-void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
- {
+void
+EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
+{
if (ctx->aead == NULL)
return;
ctx->aead->cleanup(ctx);
ctx->aead = NULL;
- }
+}
/* check_alias returns 0 if out points within the buffer determined by in
* and in_len and 1 otherwise.
* stomp input that hasn't been read yet.
*
* This function checks for that case. */
-static int check_alias(const unsigned char *in, size_t in_len,
- const unsigned char *out)
- {
+static int
+check_alias(const unsigned char *in, size_t in_len, const unsigned char *out)
+{
if (out <= in)
return 1;
if (in + in_len <= out)
return 1;
return 0;
- }
-
-ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
- unsigned char *out, size_t max_out_len,
- const unsigned char *nonce, size_t nonce_len,
- const unsigned char *in, size_t in_len,
- const unsigned char *ad, size_t ad_len)
- {
+}
+
+ssize_t
+EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
+ size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *in, size_t in_len, const unsigned char *ad,
+ size_t ad_len)
+{
size_t possible_out_len = in_len + ctx->aead->overhead;
ssize_t r;
if (possible_out_len < in_len /* overflow */ ||
possible_out_len > SSIZE_MAX /* return value cannot be
- represented */)
- {
+ represented */) {
EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_TOO_LARGE);
goto error;
- }
+ }
- if (!check_alias(in, in_len, out))
- {
+ if (!check_alias(in, in_len, out)) {
EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT);
goto error;
- }
+ }
r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len,
- in, in_len, ad, ad_len);
+ in, in_len, ad, ad_len);
if (r >= 0)
return r;
* that doesn't check the return value doesn't send raw data. */
memset(out, 0, max_out_len);
return -1;
- }
-
-ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
- unsigned char *out, size_t max_out_len,
- const unsigned char *nonce, size_t nonce_len,
- const unsigned char *in, size_t in_len,
- const unsigned char *ad, size_t ad_len)
- {
+}
+
+ssize_t
+EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
+ size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *in, size_t in_len, const unsigned char *ad,
+ size_t ad_len)
+{
ssize_t r;
- if (in_len > SSIZE_MAX)
- {
+ if (in_len > SSIZE_MAX) {
EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_TOO_LARGE);
goto error; /* may not be able to represent return value. */
- }
+ }
- if (!check_alias(in, in_len, out))
- {
+ if (!check_alias(in, in_len, out)) {
EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT);
goto error;
- }
+ }
r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len,
- in, in_len, ad, ad_len);
+ in, in_len, ad, ad_len);
if (r >= 0)
return r;
* data. */
memset(out, 0, max_out_len);
return -1;
- }
+}
/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */
static unsigned long
-U8TO32(const unsigned char *p) {
- return
- (((unsigned long)(p[0] & 0xff) ) |
- ((unsigned long)(p[1] & 0xff) << 8) |
- ((unsigned long)(p[2] & 0xff) << 16) |
- ((unsigned long)(p[3] & 0xff) << 24));
+U8TO32(const unsigned char *p)
+{
+ return (((unsigned long)(p[0] & 0xff)) |
+ ((unsigned long)(p[1] & 0xff) << 8) |
+ ((unsigned long)(p[2] & 0xff) << 16) |
+ ((unsigned long)(p[3] & 0xff) << 24));
}
/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */
static void
-U32TO8(unsigned char *p, unsigned long v) {
- p[0] = (v ) & 0xff;
+U32TO8(unsigned char *p, unsigned long v)
+{
+ p[0] = (v) & 0xff;
p[1] = (v >> 8) & 0xff;
p[2] = (v >> 16) & 0xff;
p[3] = (v >> 24) & 0xff;
}
static inline void
-poly1305_init(poly1305_context *ctx, const unsigned char key[32]) {
+poly1305_init(poly1305_context *ctx, const unsigned char key[32])
+{
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
- st->r[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff;
- st->r[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03;
- st->r[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff;
- st->r[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff;
+ st->r[0] = (U8TO32(&key[0])) & 0x3ffffff;
+ st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03;
+ st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff;
+ st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff;
st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
/* h = 0 */
}
static void
-poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes) {
+poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes)
+{
const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */
- unsigned long r0,r1,r2,r3,r4;
- unsigned long s1,s2,s3,s4;
- unsigned long h0,h1,h2,h3,h4;
- unsigned long long d0,d1,d2,d3,d4;
+ unsigned long r0, r1, r2, r3, r4;
+ unsigned long s1, s2, s3, s4;
+ unsigned long h0, h1, h2, h3, h4;
+ unsigned long long d0, d1, d2, d3, d4;
unsigned long c;
r0 = st->r[0];
while (bytes >= poly1305_block_size) {
/* h += m[i] */
- h0 += (U8TO32(m+ 0) ) & 0x3ffffff;
- h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff;
- h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff;
- h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff;
- h4 += (U8TO32(m+12) >> 8) | hibit;
+ h0 += (U8TO32(m + 0)) & 0x3ffffff;
+ h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff;
+ h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff;
+ h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff;
+ h4 += (U8TO32(m + 12) >> 8) | hibit;
/* h *= r */
- d0 = ((unsigned long long)h0 * r0) + ((unsigned long long)h1 * s4) + ((unsigned long long)h2 * s3) + ((unsigned long long)h3 * s2) + ((unsigned long long)h4 * s1);
- d1 = ((unsigned long long)h0 * r1) + ((unsigned long long)h1 * r0) + ((unsigned long long)h2 * s4) + ((unsigned long long)h3 * s3) + ((unsigned long long)h4 * s2);
- d2 = ((unsigned long long)h0 * r2) + ((unsigned long long)h1 * r1) + ((unsigned long long)h2 * r0) + ((unsigned long long)h3 * s4) + ((unsigned long long)h4 * s3);
- d3 = ((unsigned long long)h0 * r3) + ((unsigned long long)h1 * r2) + ((unsigned long long)h2 * r1) + ((unsigned long long)h3 * r0) + ((unsigned long long)h4 * s4);
- d4 = ((unsigned long long)h0 * r4) + ((unsigned long long)h1 * r3) + ((unsigned long long)h2 * r2) + ((unsigned long long)h3 * r1) + ((unsigned long long)h4 * r0);
+ d0 = ((unsigned long long)h0 * r0) +
+ ((unsigned long long)h1 * s4) +
+ ((unsigned long long)h2 * s3) +
+ ((unsigned long long)h3 * s2) +
+ ((unsigned long long)h4 * s1);
+ d1 = ((unsigned long long)h0 * r1) +
+ ((unsigned long long)h1 * r0) +
+ ((unsigned long long)h2 * s4) +
+ ((unsigned long long)h3 * s3) +
+ ((unsigned long long)h4 * s2);
+ d2 = ((unsigned long long)h0 * r2) +
+ ((unsigned long long)h1 * r1) +
+ ((unsigned long long)h2 * r0) +
+ ((unsigned long long)h3 * s4) +
+ ((unsigned long long)h4 * s3);
+ d3 = ((unsigned long long)h0 * r3) +
+ ((unsigned long long)h1 * r2) +
+ ((unsigned long long)h2 * r1) +
+ ((unsigned long long)h3 * r0) +
+ ((unsigned long long)h4 * s4);
+ d4 = ((unsigned long long)h0 * r4) +
+ ((unsigned long long)h1 * r3) +
+ ((unsigned long long)h2 * r2) +
+ ((unsigned long long)h3 * r1) +
+ ((unsigned long long)h4 * r0);
/* (partial) h %= p */
- c = (unsigned long)(d0 >> 26); h0 = (unsigned long)d0 & 0x3ffffff;
- d1 += c; c = (unsigned long)(d1 >> 26); h1 = (unsigned long)d1 & 0x3ffffff;
- d2 += c; c = (unsigned long)(d2 >> 26); h2 = (unsigned long)d2 & 0x3ffffff;
- d3 += c; c = (unsigned long)(d3 >> 26); h3 = (unsigned long)d3 & 0x3ffffff;
- d4 += c; c = (unsigned long)(d4 >> 26); h4 = (unsigned long)d4 & 0x3ffffff;
- h0 += c * 5; c = (h0 >> 26); h0 = h0 & 0x3ffffff;
+ c = (unsigned long)(d0 >> 26);
+ h0 = (unsigned long)d0 & 0x3ffffff;
+ d1 += c;
+ c = (unsigned long)(d1 >> 26);
+ h1 = (unsigned long)d1 & 0x3ffffff;
+ d2 += c;
+ c = (unsigned long)(d2 >> 26);
+ h2 = (unsigned long)d2 & 0x3ffffff;
+ d3 += c;
+ c = (unsigned long)(d3 >> 26);
+ h3 = (unsigned long)d3 & 0x3ffffff;
+ d4 += c;
+ c = (unsigned long)(d4 >> 26);
+ h4 = (unsigned long)d4 & 0x3ffffff;
+ h0 += c * 5;
+ c = (h0 >> 26);
+ h0 = h0 & 0x3ffffff;
h1 += c;
m += poly1305_block_size;
}
static inline void
-poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes) {
+poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes)
+{
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
size_t i;
}
static inline void
-poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) {
+poly1305_finish(poly1305_context *ctx, unsigned char mac[16])
+{
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
- unsigned long h0,h1,h2,h3,h4,c;
- unsigned long g0,g1,g2,g3,g4;
+ unsigned long h0, h1, h2, h3, h4, c;
+ unsigned long g0, g1, g2, g3, g4;
unsigned long long f;
unsigned long mask;
h3 = st->h[3];
h4 = st->h[4];
- c = h1 >> 26; h1 = h1 & 0x3ffffff;
- h2 += c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
- h3 += c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
- h4 += c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
- h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
- h1 += c;
+ c = h1 >> 26;
+ h1 = h1 & 0x3ffffff;
+ h2 += c;
+ c = h2 >> 26;
+ h2 = h2 & 0x3ffffff;
+ h3 += c;
+ c = h3 >> 26;
+ h3 = h3 & 0x3ffffff;
+ h4 += c;
+ c = h4 >> 26;
+ h4 = h4 & 0x3ffffff;
+ h0 += c * 5;
+ c = h0 >> 26;
+ h0 = h0 & 0x3ffffff;
+ h1 += c;
/* compute h + -p */
- g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
- g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
- g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
- g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
+ g0 = h0 + 5;
+ c = g0 >> 26;
+ g0 &= 0x3ffffff;
+ g1 = h1 + c;
+ c = g1 >> 26;
+ g1 &= 0x3ffffff;
+ g2 = h2 + c;
+ c = g2 >> 26;
+ g2 &= 0x3ffffff;
+ g3 = h3 + c;
+ c = g3 >> 26;
+ g3 &= 0x3ffffff;
g4 = h4 + c - (1 << 26);
/* select h if h < p, or h + -p if h >= p */
h4 = (h4 & mask) | g4;
/* h = h % (2^128) */
- h0 = ((h0 ) | (h1 << 26)) & 0xffffffff;
+ h0 = ((h0) | (h1 << 26)) & 0xffffffff;
h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
/* mac = (h + pad) % (2^128) */
- f = (unsigned long long)h0 + st->pad[0] ; h0 = (unsigned long)f;
- f = (unsigned long long)h1 + st->pad[1] + (f >> 32); h1 = (unsigned long)f;
- f = (unsigned long long)h2 + st->pad[2] + (f >> 32); h2 = (unsigned long)f;
- f = (unsigned long long)h3 + st->pad[3] + (f >> 32); h3 = (unsigned long)f;
+ f = (unsigned long long)h0 + st->pad[0];
+ h0 = (unsigned long)f;
+ f = (unsigned long long)h1 + st->pad[1] + (f >> 32);
+ h1 = (unsigned long)f;
+ f = (unsigned long long)h2 + st->pad[2] + (f >> 32);
+ h2 = (unsigned long)f;
+ f = (unsigned long long)h3 + st->pad[3] + (f >> 32);
+ h3 = (unsigned long)f;
U32TO8(mac + 0, h0);
U32TO8(mac + 4, h1);
(U32V((v) << (n)) | ((v) >> (32 - (n))))
#define U8TO32_LITTLE(p) \
- (((u32)((p)[0]) ) | \
+ (((u32)((p)[0])) | \
((u32)((p)[1]) << 8) | \
((u32)((p)[2]) << 16) | \
((u32)((p)[3]) << 24))
#define U32TO8_LITTLE(p, v) \
do { \
- (p)[0] = U8V((v) ); \
+ (p)[0] = U8V((v)); \
(p)[1] = U8V((v) >> 8); \
(p)[2] = U8V((v) >> 16); \
(p)[3] = U8V((v) >> 24); \
static const char tau[16] = "expand 16-byte k";
static inline void
-chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
+chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
{
- const char *constants;
-
- x->input[4] = U8TO32_LITTLE(k + 0);
- x->input[5] = U8TO32_LITTLE(k + 4);
- x->input[6] = U8TO32_LITTLE(k + 8);
- x->input[7] = U8TO32_LITTLE(k + 12);
- if (kbits == 256) { /* recommended */
- k += 16;
- constants = sigma;
- } else { /* kbits == 128 */
- constants = tau;
- }
- x->input[8] = U8TO32_LITTLE(k + 0);
- x->input[9] = U8TO32_LITTLE(k + 4);
- x->input[10] = U8TO32_LITTLE(k + 8);
- x->input[11] = U8TO32_LITTLE(k + 12);
- x->input[0] = U8TO32_LITTLE(constants + 0);
- x->input[1] = U8TO32_LITTLE(constants + 4);
- x->input[2] = U8TO32_LITTLE(constants + 8);
- x->input[3] = U8TO32_LITTLE(constants + 12);
+ const char *constants;
+
+ x->input[4] = U8TO32_LITTLE(k + 0);
+ x->input[5] = U8TO32_LITTLE(k + 4);
+ x->input[6] = U8TO32_LITTLE(k + 8);
+ x->input[7] = U8TO32_LITTLE(k + 12);
+ if (kbits == 256) { /* recommended */
+ k += 16;
+ constants = sigma;
+ } else { /* kbits == 128 */
+ constants = tau;
+ }
+ x->input[8] = U8TO32_LITTLE(k + 0);
+ x->input[9] = U8TO32_LITTLE(k + 4);
+ x->input[10] = U8TO32_LITTLE(k + 8);
+ x->input[11] = U8TO32_LITTLE(k + 12);
+ x->input[0] = U8TO32_LITTLE(constants + 0);
+ x->input[1] = U8TO32_LITTLE(constants + 4);
+ x->input[2] = U8TO32_LITTLE(constants + 8);
+ x->input[3] = U8TO32_LITTLE(constants + 12);
}
static inline void
chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
{
- x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
- x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
- x->input[14] = U8TO32_LITTLE(iv + 0);
- x->input[15] = U8TO32_LITTLE(iv + 4);
+ x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+ x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
+ x->input[14] = U8TO32_LITTLE(iv + 0);
+ x->input[15] = U8TO32_LITTLE(iv + 4);
}
static inline void
-chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
{
- u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
- u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
- u8 *ctarget = NULL;
- u8 tmp[64];
- u_int i;
-
- if (!bytes) return;
-
- j0 = x->input[0];
- j1 = x->input[1];
- j2 = x->input[2];
- j3 = x->input[3];
- j4 = x->input[4];
- j5 = x->input[5];
- j6 = x->input[6];
- j7 = x->input[7];
- j8 = x->input[8];
- j9 = x->input[9];
- j10 = x->input[10];
- j11 = x->input[11];
- j12 = x->input[12];
- j13 = x->input[13];
- j14 = x->input[14];
- j15 = x->input[15];
-
- for (;;) {
- if (bytes < 64) {
- for (i = 0;i < bytes;++i) tmp[i] = m[i];
- m = tmp;
- ctarget = c;
- c = tmp;
- }
- x0 = j0;
- x1 = j1;
- x2 = j2;
- x3 = j3;
- x4 = j4;
- x5 = j5;
- x6 = j6;
- x7 = j7;
- x8 = j8;
- x9 = j9;
- x10 = j10;
- x11 = j11;
- x12 = j12;
- x13 = j13;
- x14 = j14;
- x15 = j15;
- for (i = 20;i > 0;i -= 2) {
- QUARTERROUND( x0, x4, x8,x12)
- QUARTERROUND( x1, x5, x9,x13)
- QUARTERROUND( x2, x6,x10,x14)
- QUARTERROUND( x3, x7,x11,x15)
- QUARTERROUND( x0, x5,x10,x15)
- QUARTERROUND( x1, x6,x11,x12)
- QUARTERROUND( x2, x7, x8,x13)
- QUARTERROUND( x3, x4, x9,x14)
- }
- x0 = PLUS(x0,j0);
- x1 = PLUS(x1,j1);
- x2 = PLUS(x2,j2);
- x3 = PLUS(x3,j3);
- x4 = PLUS(x4,j4);
- x5 = PLUS(x5,j5);
- x6 = PLUS(x6,j6);
- x7 = PLUS(x7,j7);
- x8 = PLUS(x8,j8);
- x9 = PLUS(x9,j9);
- x10 = PLUS(x10,j10);
- x11 = PLUS(x11,j11);
- x12 = PLUS(x12,j12);
- x13 = PLUS(x13,j13);
- x14 = PLUS(x14,j14);
- x15 = PLUS(x15,j15);
-
- x0 = XOR(x0,U8TO32_LITTLE(m + 0));
- x1 = XOR(x1,U8TO32_LITTLE(m + 4));
- x2 = XOR(x2,U8TO32_LITTLE(m + 8));
- x3 = XOR(x3,U8TO32_LITTLE(m + 12));
- x4 = XOR(x4,U8TO32_LITTLE(m + 16));
- x5 = XOR(x5,U8TO32_LITTLE(m + 20));
- x6 = XOR(x6,U8TO32_LITTLE(m + 24));
- x7 = XOR(x7,U8TO32_LITTLE(m + 28));
- x8 = XOR(x8,U8TO32_LITTLE(m + 32));
- x9 = XOR(x9,U8TO32_LITTLE(m + 36));
- x10 = XOR(x10,U8TO32_LITTLE(m + 40));
- x11 = XOR(x11,U8TO32_LITTLE(m + 44));
- x12 = XOR(x12,U8TO32_LITTLE(m + 48));
- x13 = XOR(x13,U8TO32_LITTLE(m + 52));
- x14 = XOR(x14,U8TO32_LITTLE(m + 56));
- x15 = XOR(x15,U8TO32_LITTLE(m + 60));
-
- j12 = PLUSONE(j12);
- if (!j12) {
- j13 = PLUSONE(j13);
- /* stopping at 2^70 bytes per nonce is user's responsibility */
- }
-
- U32TO8_LITTLE(c + 0,x0);
- U32TO8_LITTLE(c + 4,x1);
- U32TO8_LITTLE(c + 8,x2);
- U32TO8_LITTLE(c + 12,x3);
- U32TO8_LITTLE(c + 16,x4);
- U32TO8_LITTLE(c + 20,x5);
- U32TO8_LITTLE(c + 24,x6);
- U32TO8_LITTLE(c + 28,x7);
- U32TO8_LITTLE(c + 32,x8);
- U32TO8_LITTLE(c + 36,x9);
- U32TO8_LITTLE(c + 40,x10);
- U32TO8_LITTLE(c + 44,x11);
- U32TO8_LITTLE(c + 48,x12);
- U32TO8_LITTLE(c + 52,x13);
- U32TO8_LITTLE(c + 56,x14);
- U32TO8_LITTLE(c + 60,x15);
-
- if (bytes <= 64) {
- if (bytes < 64) {
- for (i = 0;i < bytes;++i) ctarget[i] = c[i];
- }
- x->input[12] = j12;
- x->input[13] = j13;
- return;
- }
- bytes -= 64;
- c += 64;
- m += 64;
- }
+ u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+ u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+ u8 *ctarget = NULL;
+ u8 tmp[64];
+ u_int i;
+
+ if (!bytes)
+ return;
+
+ j0 = x->input[0];
+ j1 = x->input[1];
+ j2 = x->input[2];
+ j3 = x->input[3];
+ j4 = x->input[4];
+ j5 = x->input[5];
+ j6 = x->input[6];
+ j7 = x->input[7];
+ j8 = x->input[8];
+ j9 = x->input[9];
+ j10 = x->input[10];
+ j11 = x->input[11];
+ j12 = x->input[12];
+ j13 = x->input[13];
+ j14 = x->input[14];
+ j15 = x->input[15];
+
+ for (;;) {
+ if (bytes < 64) {
+ for (i = 0;i < bytes;++i) tmp[i] = m[i];
+ m = tmp;
+ ctarget = c;
+ c = tmp;
+ }
+ x0 = j0;
+ x1 = j1;
+ x2 = j2;
+ x3 = j3;
+ x4 = j4;
+ x5 = j5;
+ x6 = j6;
+ x7 = j7;
+ x8 = j8;
+ x9 = j9;
+ x10 = j10;
+ x11 = j11;
+ x12 = j12;
+ x13 = j13;
+ x14 = j14;
+ x15 = j15;
+ for (i = 20; i > 0; i -= 2) {
+ QUARTERROUND(x0, x4, x8, x12)
+ QUARTERROUND(x1, x5, x9, x13)
+ QUARTERROUND(x2, x6, x10, x14)
+ QUARTERROUND(x3, x7, x11, x15)
+ QUARTERROUND(x0, x5, x10, x15)
+ QUARTERROUND(x1, x6, x11, x12)
+ QUARTERROUND(x2, x7, x8, x13)
+ QUARTERROUND(x3, x4, x9, x14)
+ }
+ x0 = PLUS(x0, j0);
+ x1 = PLUS(x1, j1);
+ x2 = PLUS(x2, j2);
+ x3 = PLUS(x3, j3);
+ x4 = PLUS(x4, j4);
+ x5 = PLUS(x5, j5);
+ x6 = PLUS(x6, j6);
+ x7 = PLUS(x7, j7);
+ x8 = PLUS(x8, j8);
+ x9 = PLUS(x9, j9);
+ x10 = PLUS(x10, j10);
+ x11 = PLUS(x11, j11);
+ x12 = PLUS(x12, j12);
+ x13 = PLUS(x13, j13);
+ x14 = PLUS(x14, j14);
+ x15 = PLUS(x15, j15);
+
+ x0 = XOR(x0, U8TO32_LITTLE(m + 0));
+ x1 = XOR(x1, U8TO32_LITTLE(m + 4));
+ x2 = XOR(x2, U8TO32_LITTLE(m + 8));
+ x3 = XOR(x3, U8TO32_LITTLE(m + 12));
+ x4 = XOR(x4, U8TO32_LITTLE(m + 16));
+ x5 = XOR(x5, U8TO32_LITTLE(m + 20));
+ x6 = XOR(x6, U8TO32_LITTLE(m + 24));
+ x7 = XOR(x7, U8TO32_LITTLE(m + 28));
+ x8 = XOR(x8, U8TO32_LITTLE(m + 32));
+ x9 = XOR(x9, U8TO32_LITTLE(m + 36));
+ x10 = XOR(x10, U8TO32_LITTLE(m + 40));
+ x11 = XOR(x11, U8TO32_LITTLE(m + 44));
+ x12 = XOR(x12, U8TO32_LITTLE(m + 48));
+ x13 = XOR(x13, U8TO32_LITTLE(m + 52));
+ x14 = XOR(x14, U8TO32_LITTLE(m + 56));
+ x15 = XOR(x15, U8TO32_LITTLE(m + 60));
+
+ j12 = PLUSONE(j12);
+ if (!j12) {
+ j13 = PLUSONE(j13);
+ /* stopping at 2^70 bytes per nonce is user's responsibility */
+ }
+
+ U32TO8_LITTLE(c + 0, x0);
+ U32TO8_LITTLE(c + 4, x1);
+ U32TO8_LITTLE(c + 8, x2);
+ U32TO8_LITTLE(c + 12, x3);
+ U32TO8_LITTLE(c + 16, x4);
+ U32TO8_LITTLE(c + 20, x5);
+ U32TO8_LITTLE(c + 24, x6);
+ U32TO8_LITTLE(c + 28, x7);
+ U32TO8_LITTLE(c + 32, x8);
+ U32TO8_LITTLE(c + 36, x9);
+ U32TO8_LITTLE(c + 40, x10);
+ U32TO8_LITTLE(c + 44, x11);
+ U32TO8_LITTLE(c + 48, x12);
+ U32TO8_LITTLE(c + 52, x13);
+ U32TO8_LITTLE(c + 56, x14);
+ U32TO8_LITTLE(c + 60, x15);
+
+ if (bytes <= 64) {
+ if (bytes < 64) {
+ for (i = 0; i < bytes; ++i)
+ ctarget[i] = c[i];
+ }
+ x->input[12] = j12;
+ x->input[13] = j13;
+ return;
+ }
+ bytes -= 64;
+ c += 64;
+ m += 64;
+ }
}
#endif
typedef struct {
- unsigned int input[16];
+ unsigned int input[16];
} ChaCha_ctx;
void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,
/* increment counter (64-bit int) by 1 */
static void
-ctr64_inc(unsigned char *counter) {
+ctr64_inc(unsigned char *counter)
+{
int n = 8;
unsigned char c;
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
-BLOCK_CIPHER_custom(NID_aes, 128, 1,12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 1,12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1,12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
static int
#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
-BLOCK_CIPHER_custom(NID_aes, 128, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
static int
aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
#define aes_ccm_cleanup NULL
-BLOCK_CIPHER_custom(NID_aes, 128, 1,12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 1,12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1,12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
#define EVP_AEAD_AES_GCM_TAG_LEN 16
if (gcm_ctx->ctr) {
if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
- in_len-bulk-gcm_ctx->tag_len, gcm_ctx->ctr))
+ in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
return -1;
} else {
if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include "evp_locl.h"
-size_t EVP_AEAD_key_length(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_key_length(const EVP_AEAD *aead)
+{
return aead->key_len;
- }
+}
-size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_nonce_length(const EVP_AEAD *aead)
+{
return aead->nonce_len;
- }
+}
-size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_max_overhead(const EVP_AEAD *aead)
+{
return aead->overhead;
- }
+}
-size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
- {
+size_t
+EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
+{
return aead->max_tag_len;
- }
+}
-int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
- const unsigned char *key, size_t key_len,
- size_t tag_len, ENGINE *impl)
- {
+int
+EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+ const unsigned char *key, size_t key_len, size_t tag_len, ENGINE *impl)
+{
ctx->aead = aead;
- if (key_len != aead->key_len)
- {
- EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE);
+ if (key_len != aead->key_len) {
+ EVPerr(EVP_F_EVP_AEAD_CTX_INIT, EVP_R_UNSUPPORTED_KEY_SIZE);
return 0;
- }
- return aead->init(ctx, key, key_len, tag_len);
}
+ return aead->init(ctx, key, key_len, tag_len);
+}
-void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
- {
+void
+EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
+{
if (ctx->aead == NULL)
return;
ctx->aead->cleanup(ctx);
ctx->aead = NULL;
- }
+}
/* check_alias returns 0 if out points within the buffer determined by in
* and in_len and 1 otherwise.
* stomp input that hasn't been read yet.
*
* This function checks for that case. */
-static int check_alias(const unsigned char *in, size_t in_len,
- const unsigned char *out)
- {
+static int
+check_alias(const unsigned char *in, size_t in_len, const unsigned char *out)
+{
if (out <= in)
return 1;
if (in + in_len <= out)
return 1;
return 0;
- }
-
-ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
- unsigned char *out, size_t max_out_len,
- const unsigned char *nonce, size_t nonce_len,
- const unsigned char *in, size_t in_len,
- const unsigned char *ad, size_t ad_len)
- {
+}
+
+ssize_t
+EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
+ size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *in, size_t in_len, const unsigned char *ad,
+ size_t ad_len)
+{
size_t possible_out_len = in_len + ctx->aead->overhead;
ssize_t r;
if (possible_out_len < in_len /* overflow */ ||
possible_out_len > SSIZE_MAX /* return value cannot be
- represented */)
- {
+ represented */) {
EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_TOO_LARGE);
goto error;
- }
+ }
- if (!check_alias(in, in_len, out))
- {
+ if (!check_alias(in, in_len, out)) {
EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT);
goto error;
- }
+ }
r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len,
- in, in_len, ad, ad_len);
+ in, in_len, ad, ad_len);
if (r >= 0)
return r;
* that doesn't check the return value doesn't send raw data. */
memset(out, 0, max_out_len);
return -1;
- }
-
-ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx,
- unsigned char *out, size_t max_out_len,
- const unsigned char *nonce, size_t nonce_len,
- const unsigned char *in, size_t in_len,
- const unsigned char *ad, size_t ad_len)
- {
+}
+
+ssize_t
+EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
+ size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *in, size_t in_len, const unsigned char *ad,
+ size_t ad_len)
+{
ssize_t r;
- if (in_len > SSIZE_MAX)
- {
+ if (in_len > SSIZE_MAX) {
EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_TOO_LARGE);
goto error; /* may not be able to represent return value. */
- }
+ }
- if (!check_alias(in, in_len, out))
- {
+ if (!check_alias(in, in_len, out)) {
EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT);
goto error;
- }
+ }
r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len,
- in, in_len, ad, ad_len);
+ in, in_len, ad, ad_len);
if (r >= 0)
return r;
* data. */
memset(out, 0, max_out_len);
return -1;
- }
+}
/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */
static unsigned long
-U8TO32(const unsigned char *p) {
- return
- (((unsigned long)(p[0] & 0xff) ) |
- ((unsigned long)(p[1] & 0xff) << 8) |
- ((unsigned long)(p[2] & 0xff) << 16) |
- ((unsigned long)(p[3] & 0xff) << 24));
+U8TO32(const unsigned char *p)
+{
+ return (((unsigned long)(p[0] & 0xff)) |
+ ((unsigned long)(p[1] & 0xff) << 8) |
+ ((unsigned long)(p[2] & 0xff) << 16) |
+ ((unsigned long)(p[3] & 0xff) << 24));
}
/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */
static void
-U32TO8(unsigned char *p, unsigned long v) {
- p[0] = (v ) & 0xff;
+U32TO8(unsigned char *p, unsigned long v)
+{
+ p[0] = (v) & 0xff;
p[1] = (v >> 8) & 0xff;
p[2] = (v >> 16) & 0xff;
p[3] = (v >> 24) & 0xff;
}
static inline void
-poly1305_init(poly1305_context *ctx, const unsigned char key[32]) {
+poly1305_init(poly1305_context *ctx, const unsigned char key[32])
+{
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
- st->r[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff;
- st->r[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03;
- st->r[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff;
- st->r[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff;
+ st->r[0] = (U8TO32(&key[0])) & 0x3ffffff;
+ st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03;
+ st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff;
+ st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff;
st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
/* h = 0 */
}
static void
-poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes) {
+poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes)
+{
const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */
- unsigned long r0,r1,r2,r3,r4;
- unsigned long s1,s2,s3,s4;
- unsigned long h0,h1,h2,h3,h4;
- unsigned long long d0,d1,d2,d3,d4;
+ unsigned long r0, r1, r2, r3, r4;
+ unsigned long s1, s2, s3, s4;
+ unsigned long h0, h1, h2, h3, h4;
+ unsigned long long d0, d1, d2, d3, d4;
unsigned long c;
r0 = st->r[0];
while (bytes >= poly1305_block_size) {
/* h += m[i] */
- h0 += (U8TO32(m+ 0) ) & 0x3ffffff;
- h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff;
- h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff;
- h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff;
- h4 += (U8TO32(m+12) >> 8) | hibit;
+ h0 += (U8TO32(m + 0)) & 0x3ffffff;
+ h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff;
+ h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff;
+ h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff;
+ h4 += (U8TO32(m + 12) >> 8) | hibit;
/* h *= r */
- d0 = ((unsigned long long)h0 * r0) + ((unsigned long long)h1 * s4) + ((unsigned long long)h2 * s3) + ((unsigned long long)h3 * s2) + ((unsigned long long)h4 * s1);
- d1 = ((unsigned long long)h0 * r1) + ((unsigned long long)h1 * r0) + ((unsigned long long)h2 * s4) + ((unsigned long long)h3 * s3) + ((unsigned long long)h4 * s2);
- d2 = ((unsigned long long)h0 * r2) + ((unsigned long long)h1 * r1) + ((unsigned long long)h2 * r0) + ((unsigned long long)h3 * s4) + ((unsigned long long)h4 * s3);
- d3 = ((unsigned long long)h0 * r3) + ((unsigned long long)h1 * r2) + ((unsigned long long)h2 * r1) + ((unsigned long long)h3 * r0) + ((unsigned long long)h4 * s4);
- d4 = ((unsigned long long)h0 * r4) + ((unsigned long long)h1 * r3) + ((unsigned long long)h2 * r2) + ((unsigned long long)h3 * r1) + ((unsigned long long)h4 * r0);
+ d0 = ((unsigned long long)h0 * r0) +
+ ((unsigned long long)h1 * s4) +
+ ((unsigned long long)h2 * s3) +
+ ((unsigned long long)h3 * s2) +
+ ((unsigned long long)h4 * s1);
+ d1 = ((unsigned long long)h0 * r1) +
+ ((unsigned long long)h1 * r0) +
+ ((unsigned long long)h2 * s4) +
+ ((unsigned long long)h3 * s3) +
+ ((unsigned long long)h4 * s2);
+ d2 = ((unsigned long long)h0 * r2) +
+ ((unsigned long long)h1 * r1) +
+ ((unsigned long long)h2 * r0) +
+ ((unsigned long long)h3 * s4) +
+ ((unsigned long long)h4 * s3);
+ d3 = ((unsigned long long)h0 * r3) +
+ ((unsigned long long)h1 * r2) +
+ ((unsigned long long)h2 * r1) +
+ ((unsigned long long)h3 * r0) +
+ ((unsigned long long)h4 * s4);
+ d4 = ((unsigned long long)h0 * r4) +
+ ((unsigned long long)h1 * r3) +
+ ((unsigned long long)h2 * r2) +
+ ((unsigned long long)h3 * r1) +
+ ((unsigned long long)h4 * r0);
/* (partial) h %= p */
- c = (unsigned long)(d0 >> 26); h0 = (unsigned long)d0 & 0x3ffffff;
- d1 += c; c = (unsigned long)(d1 >> 26); h1 = (unsigned long)d1 & 0x3ffffff;
- d2 += c; c = (unsigned long)(d2 >> 26); h2 = (unsigned long)d2 & 0x3ffffff;
- d3 += c; c = (unsigned long)(d3 >> 26); h3 = (unsigned long)d3 & 0x3ffffff;
- d4 += c; c = (unsigned long)(d4 >> 26); h4 = (unsigned long)d4 & 0x3ffffff;
- h0 += c * 5; c = (h0 >> 26); h0 = h0 & 0x3ffffff;
+ c = (unsigned long)(d0 >> 26);
+ h0 = (unsigned long)d0 & 0x3ffffff;
+ d1 += c;
+ c = (unsigned long)(d1 >> 26);
+ h1 = (unsigned long)d1 & 0x3ffffff;
+ d2 += c;
+ c = (unsigned long)(d2 >> 26);
+ h2 = (unsigned long)d2 & 0x3ffffff;
+ d3 += c;
+ c = (unsigned long)(d3 >> 26);
+ h3 = (unsigned long)d3 & 0x3ffffff;
+ d4 += c;
+ c = (unsigned long)(d4 >> 26);
+ h4 = (unsigned long)d4 & 0x3ffffff;
+ h0 += c * 5;
+ c = (h0 >> 26);
+ h0 = h0 & 0x3ffffff;
h1 += c;
m += poly1305_block_size;
}
static inline void
-poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes) {
+poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes)
+{
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
size_t i;
}
static inline void
-poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) {
+poly1305_finish(poly1305_context *ctx, unsigned char mac[16])
+{
poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
- unsigned long h0,h1,h2,h3,h4,c;
- unsigned long g0,g1,g2,g3,g4;
+ unsigned long h0, h1, h2, h3, h4, c;
+ unsigned long g0, g1, g2, g3, g4;
unsigned long long f;
unsigned long mask;
h3 = st->h[3];
h4 = st->h[4];
- c = h1 >> 26; h1 = h1 & 0x3ffffff;
- h2 += c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
- h3 += c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
- h4 += c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
- h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
- h1 += c;
+ c = h1 >> 26;
+ h1 = h1 & 0x3ffffff;
+ h2 += c;
+ c = h2 >> 26;
+ h2 = h2 & 0x3ffffff;
+ h3 += c;
+ c = h3 >> 26;
+ h3 = h3 & 0x3ffffff;
+ h4 += c;
+ c = h4 >> 26;
+ h4 = h4 & 0x3ffffff;
+ h0 += c * 5;
+ c = h0 >> 26;
+ h0 = h0 & 0x3ffffff;
+ h1 += c;
/* compute h + -p */
- g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
- g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
- g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
- g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
+ g0 = h0 + 5;
+ c = g0 >> 26;
+ g0 &= 0x3ffffff;
+ g1 = h1 + c;
+ c = g1 >> 26;
+ g1 &= 0x3ffffff;
+ g2 = h2 + c;
+ c = g2 >> 26;
+ g2 &= 0x3ffffff;
+ g3 = h3 + c;
+ c = g3 >> 26;
+ g3 &= 0x3ffffff;
g4 = h4 + c - (1 << 26);
/* select h if h < p, or h + -p if h >= p */
h4 = (h4 & mask) | g4;
/* h = h % (2^128) */
- h0 = ((h0 ) | (h1 << 26)) & 0xffffffff;
+ h0 = ((h0) | (h1 << 26)) & 0xffffffff;
h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
/* mac = (h + pad) % (2^128) */
- f = (unsigned long long)h0 + st->pad[0] ; h0 = (unsigned long)f;
- f = (unsigned long long)h1 + st->pad[1] + (f >> 32); h1 = (unsigned long)f;
- f = (unsigned long long)h2 + st->pad[2] + (f >> 32); h2 = (unsigned long)f;
- f = (unsigned long long)h3 + st->pad[3] + (f >> 32); h3 = (unsigned long)f;
+ f = (unsigned long long)h0 + st->pad[0];
+ h0 = (unsigned long)f;
+ f = (unsigned long long)h1 + st->pad[1] + (f >> 32);
+ h1 = (unsigned long)f;
+ f = (unsigned long long)h2 + st->pad[2] + (f >> 32);
+ h2 = (unsigned long)f;
+ f = (unsigned long long)h3 + st->pad[3] + (f >> 32);
+ h3 = (unsigned long)f;
U32TO8(mac + 0, h0);
U32TO8(mac + 4, h1);
};
static unsigned char
-hex_digit(char h) {
+hex_digit(char h)
+{
if (h >= '0' && h <= '9')
return h - '0';
else if (h >= 'a' && h <= 'f')
EVP_AEAD_CTX ctx;
ssize_t n;
size_t un;
- unsigned char out[BUF_MAX+EVP_AEAD_MAX_TAG_LENGTH], out2[BUF_MAX];
+ unsigned char out[BUF_MAX + EVP_AEAD_MAX_TAG_LENGTH], out2[BUF_MAX];
if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY],
lengths[TAG], NULL)) {
if (un != lengths[CT] + lengths[TAG]) {
fprintf(stderr, "Bad output length on line %u: %u vs %u\n",
- line_no, (unsigned) un,
- (unsigned)(lengths[CT] + lengths[TAG]));
+ line_no, (unsigned) un,
+ (unsigned)(lengths[CT] + lengths[TAG]));
return 0;
}
if ((size_t)n != lengths[IN]) {
fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
- (unsigned) n);
+ (unsigned) n);
return 0;
}
fprintf(stderr, "Aborting...\n");
return 4;
}
-
+
if (!run_test_case(aead, bufs, lengths, line_no))
return 4;
void
poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes,
- const unsigned char key[32]) {
+const unsigned char key[32]) {
poly1305_context ctx;
CRYPTO_poly1305_init(&ctx, key);
CRYPTO_poly1305_update(&ctx, m, bytes);
}
int
-poly1305_verify(const unsigned char mac1[16], const unsigned char mac2[16]) {
+poly1305_verify(const unsigned char mac1[16], const unsigned char mac2[16])
+{
size_t i;
unsigned int dif = 0;
for (i = 0; i < 16; i++)
/* test a few basic operations */
int
-poly1305_power_on_self_test(void) {
+poly1305_power_on_self_test(void)
+{
/* example from nacl */
static const unsigned char nacl_key[32] = {
- 0xee,0xa6,0xa7,0x25,0x1c,0x1e,0x72,0x91,
- 0x6d,0x11,0xc2,0xcb,0x21,0x4d,0x3c,0x25,
- 0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,
- 0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,
+ 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91,
+ 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25,
+ 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65,
+ 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80,
};
static const unsigned char nacl_msg[131] = {
- 0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73,
- 0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce,
- 0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4,
- 0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a,
- 0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b,
- 0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72,
- 0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2,
- 0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38,
- 0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a,
- 0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae,
- 0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea,
- 0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda,
- 0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde,
- 0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3,
- 0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6,
- 0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74,
- 0xe3,0x55,0xa5
+ 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73,
+ 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce,
+ 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4,
+ 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a,
+ 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b,
+ 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72,
+ 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2,
+ 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38,
+ 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a,
+ 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae,
+ 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea,
+ 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda,
+ 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde,
+ 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3,
+ 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6,
+ 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74,
+ 0xe3, 0x55, 0xa5
};
static const unsigned char nacl_mac[16] = {
- 0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5,
- 0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9
+ 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5,
+ 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9
};
/* generates a final value of (2^130 - 2) == 3 */
static const unsigned char wrap_key[32] = {
- 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
static const unsigned char wrap_msg[16] = {
- 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
- 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
static const unsigned char wrap_mac[16] = {
- 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
/*
have all their values set to the length
*/
static const unsigned char total_key[32] = {
- 0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9,
- 0xff,0xff,0xff,0xff,0xff,0xff,0xff,
- 0xff,0xff,0xff,0xff,0xff,0xff,0xff
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
static const unsigned char total_mac[16] = {
- 0x64,0xaf,0xe2,0xe8,0xd6,0xad,0x7b,0xbd,
- 0xd2,0x87,0xf9,0x7c,0x44,0x62,0x3d,0x39
+ 0x64, 0xaf, 0xe2, 0xe8, 0xd6, 0xad, 0x7b, 0xbd,
+ 0xd2, 0x87, 0xf9, 0x7c, 0x44, 0x62, 0x3d, 0x39
};
poly1305_context ctx;
fprintf(stderr, "One or more self tests failed!\n");
return 1;
}
-
+
return 0;
}
projects / openbsd / commitdiff