/src/openssl/crypto/modes/siv128.c

Source
/*
 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include "internal/endian.h"
#include "crypto/modes.h"
#include "crypto/siv.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    DECLARE_IS_ENDIAN;

    if (IS_LITTLE_ENDIAN)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    DECLARE_IS_ENDIAN;

    if (IS_LITTLE_ENDIAN)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
    SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
    unsigned char const *in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len - SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}

__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
    unsigned char const *in, size_t len,
    SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *ossl_siv128_new(const unsigned char *key, int klen,
    EVP_CIPHER *cbc, EVP_CIPHER *ctr,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = ossl_siv128_init(ctx, key, klen, cbc, ctr, libctx, propq);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int ossl_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
    const EVP_CIPHER *cbc, const EVP_CIPHER *ctr,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;
    OSSL_PARAM params[3];
    const char *cbc_name;

    if (ctx == NULL)
        return 0;

    memset(&ctx->d, 0, sizeof(ctx->d));
    EVP_CIPHER_CTX_free(ctx->cipher_ctx);
    EVP_MAC_CTX_free(ctx->mac_ctx_init);
    EVP_MAC_free(ctx->mac);
    ctx->mac = NULL;
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL)
        return 0;

    cbc_name = EVP_CIPHER_get0_name(cbc);
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
        (char *)cbc_name, 0);
    params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
        (void *)key, klen);
    params[2] = OSSL_PARAM_construct_end();

    if ((ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
        || (ctx->mac = EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, propq)) == NULL
        || (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
        || !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
        || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
        || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
        || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
        || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
            sizeof(ctx->d.byte))) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        EVP_MAC_CTX_free(mac_ctx);
        EVP_MAC_free(ctx->mac);
        ctx->mac = NULL;
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int ossl_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (dest->cipher_ctx == NULL) {
        dest->cipher_ctx = EVP_CIPHER_CTX_new();
        if (dest->cipher_ctx == NULL)
            return 0;
    }
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    dest->mac = src->mac;
    if (dest->mac != NULL)
        EVP_MAC_up_ref(dest->mac);
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int ossl_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
    size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
            sizeof(mac_out.byte))
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int ossl_siv128_encrypt(SIV128_CONTEXT *ctx,
    const unsigned char *in, unsigned char *out,
    size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return 1;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int ossl_siv128_decrypt(SIV128_CONTEXT *ctx,
    const unsigned char *in, unsigned char *out,
    size_t len)
{
    unsigned char *p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return 1;
}

/*
 * Return the already calculated final result.
 */
int ossl_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int ossl_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int ossl_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int ossl_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        EVP_MAC_free(ctx->mac);
        ctx->mac = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int ossl_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif /* OPENSSL_NO_SIV */

Coverage Report

Created: 2025-12-10 06:24

Line	Count	Source
1		/*
2		* Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <string.h>
11		#include <stdlib.h>
12		#include <openssl/crypto.h>
13		#include <openssl/evp.h>
14		#include <openssl/core_names.h>
15		#include <openssl/params.h>
16		#include "internal/endian.h"
17		#include "crypto/modes.h"
18		#include "crypto/siv.h"
19
20		#ifndef OPENSSL_NO_SIV
21
22		__owur static ossl_inline uint32_t rotl8(uint32_t x)
23	0	{
24	0	return (x << 8) \| (x >> 24);
25	0	}
26
27		__owur static ossl_inline uint32_t rotr8(uint32_t x)
28	0	{
29	0	return (x >> 8) \| (x << 24);
30	0	}
31
32		__owur static ossl_inline uint64_t byteswap8(uint64_t x)
33	0	{
34	0	uint32_t high = (uint32_t)(x >> 32);
35	0	uint32_t low = (uint32_t)x;
36
37	0	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
38	0	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
39	0	return ((uint64_t)low) << 32 \| (uint64_t)high;
40	0	}
41
42		__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
43	0	{
44	0	DECLARE_IS_ENDIAN;
45
46	0	if (IS_LITTLE_ENDIAN)
47	0	return byteswap8(b->word[i]);
48	0	return b->word[i];
49	0	}
50
51		static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
52	0	{
53	0	DECLARE_IS_ENDIAN;
54
55	0	if (IS_LITTLE_ENDIAN)
56	0	b->word[i] = byteswap8(x);
57	0	else
58	0	b->word[i] = x;
59	0	}
60
61		static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
62		SIV_BLOCK const *y)
63	0	{
64	0	x->word[0] ^= y->word[0];
65	0	x->word[1] ^= y->word[1];
66	0	}
67
68		/*
69		* Doubles \|b\|, which is 16 bytes representing an element
70		* of GF(2**128) modulo the irreducible polynomial
71		* x128 + x7 + x**2 + x + 1.
72		* Assumes two's-complement arithmetic
73		*/
74		static ossl_inline void siv128_dbl(SIV_BLOCK *b)
75	0	{
76	0	uint64_t high = siv128_getword(b, 0);
77	0	uint64_t low = siv128_getword(b, 1);
78	0	uint64_t high_carry = high & (((uint64_t)1) << 63);
79	0	uint64_t low_carry = low & (((uint64_t)1) << 63);
80	0	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
81	0	uint64_t high_mask = low_carry >> 63;
82
83	0	high = (high << 1) \| high_mask;
84	0	low = (low << 1) ^ (uint64_t)low_mask;
85	0	siv128_putword(b, 0, high);
86	0	siv128_putword(b, 1, low);
87	0	}
88
89		__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
90		unsigned char const *in, size_t len)
91	0	{
92	0	SIV_BLOCK t;
93	0	size_t out_len = sizeof(out->byte);
94	0	EVP_MAC_CTX *mac_ctx;
95	0	int ret = 0;
96
97	0	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
98	0	if (mac_ctx == NULL)
99	0	return 0;
100
101	0	if (len >= SIV_LEN) {
102	0	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
103	0	goto err;
104	0	memcpy(&t, in + (len - SIV_LEN), SIV_LEN);
105	0	siv128_xorblock(&t, &ctx->d);
106	0	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
107	0	goto err;
108	0	} else {
109	0	memset(&t, 0, sizeof(t));
110	0	memcpy(&t, in, len);
111	0	t.byte[len] = 0x80;
112	0	siv128_dbl(&ctx->d);
113	0	siv128_xorblock(&t, &ctx->d);
114	0	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
115	0	goto err;
116	0	}
117	0	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
118	0	\|\| out_len != SIV_LEN)
119	0	goto err;
120
121	0	ret = 1;
122
123	0	err:
124	0	EVP_MAC_CTX_free(mac_ctx);
125	0	return ret;
126	0	}
127
128		__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
129		unsigned char const *in, size_t len,
130		SIV_BLOCK *icv)
131	0	{
132	0	int out_len = (int)len;
133
134	0	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
135	0	return 0;
136	0	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
137	0	}
138
139		/*
140		* Create a new SIV128_CONTEXT
141		*/
142		SIV128_CONTEXT ossl_siv128_new(const unsigned char key, int klen,
143		EVP_CIPHER cbc, EVP_CIPHER ctr,
144		OSSL_LIB_CTX libctx, const char propq)
145	0	{
146	0	SIV128_CONTEXT *ctx;
147	0	int ret;
148
149	0	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
150	0	ret = ossl_siv128_init(ctx, key, klen, cbc, ctr, libctx, propq);
151	0	if (ret)
152	0	return ctx;
153	0	OPENSSL_free(ctx);
154	0	}
155
156	0	return NULL;
157	0	}
158
159		/*
160		* Initialise an existing SIV128_CONTEXT
161		*/
162		int ossl_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
163		const EVP_CIPHER cbc, const EVP_CIPHER ctr,
164		OSSL_LIB_CTX libctx, const char propq)
165	0	{
166	0	static const unsigned char zero[SIV_LEN] = { 0 };
167	0	size_t out_len = SIV_LEN;
168	0	EVP_MAC_CTX *mac_ctx = NULL;
169	0	OSSL_PARAM params[3];
170	0	const char *cbc_name;
171
172	0	if (ctx == NULL)
173	0	return 0;
174
175	0	memset(&ctx->d, 0, sizeof(ctx->d));
176	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
177	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
178	0	EVP_MAC_free(ctx->mac);
179	0	ctx->mac = NULL;
180	0	ctx->cipher_ctx = NULL;
181	0	ctx->mac_ctx_init = NULL;
182
183	0	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL)
184	0	return 0;
185
186	0	cbc_name = EVP_CIPHER_get0_name(cbc);
187	0	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
188	0	(char *)cbc_name, 0);
189	0	params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
190	0	(void *)key, klen);
191	0	params[2] = OSSL_PARAM_construct_end();
192
193	0	if ((ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
194	0	\|\| (ctx->mac = EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, propq)) == NULL
195	0	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
196	0	\|\| !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
197	0	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
198	0	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
199	0	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
200	0	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
201	0	sizeof(ctx->d.byte))) {
202	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
203	0	ctx->cipher_ctx = NULL;
204	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
205	0	ctx->mac_ctx_init = NULL;
206	0	EVP_MAC_CTX_free(mac_ctx);
207	0	EVP_MAC_free(ctx->mac);
208	0	ctx->mac = NULL;
209	0	return 0;
210	0	}
211	0	EVP_MAC_CTX_free(mac_ctx);
212
213	0	ctx->final_ret = -1;
214	0	ctx->crypto_ok = 1;
215
216	0	return 1;
217	0	}
218
219		/*
220		* Copy an SIV128_CONTEXT object
221		*/
222		int ossl_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
223	0	{
224	0	memcpy(&dest->d, &src->d, sizeof(src->d));
225	0	if (dest->cipher_ctx == NULL) {
226	0	dest->cipher_ctx = EVP_CIPHER_CTX_new();
227	0	if (dest->cipher_ctx == NULL)
228	0	return 0;
229	0	}
230	0	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
231	0	return 0;
232	0	EVP_MAC_CTX_free(dest->mac_ctx_init);
233	0	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
234	0	if (dest->mac_ctx_init == NULL)
235	0	return 0;
236	0	dest->mac = src->mac;
237	0	if (dest->mac != NULL)
238	0	EVP_MAC_up_ref(dest->mac);
239	0	return 1;
240	0	}
241
242		/*
243		* Provide any AAD. This can be called multiple times.
244		* Per RFC5297, the last piece of associated data
245		* is the nonce, but it's not treated special
246		*/
247		int ossl_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
248		size_t len)
249	0	{
250	0	SIV_BLOCK mac_out;
251	0	size_t out_len = SIV_LEN;
252	0	EVP_MAC_CTX *mac_ctx;
253
254	0	siv128_dbl(&ctx->d);
255
256	0	if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
257	0	\|\| !EVP_MAC_update(mac_ctx, aad, len)
258	0	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
259	0	sizeof(mac_out.byte))
260	0	\|\| out_len != SIV_LEN) {
261	0	EVP_MAC_CTX_free(mac_ctx);
262	0	return 0;
263	0	}
264	0	EVP_MAC_CTX_free(mac_ctx);
265
266	0	siv128_xorblock(&ctx->d, &mac_out);
267
268	0	return 1;
269	0	}
270
271		/*
272		* Provide any data to be encrypted. This can be called once.
273		*/
274		int ossl_siv128_encrypt(SIV128_CONTEXT *ctx,
275		const unsigned char in, unsigned char out,
276		size_t len)
277	0	{
278	0	SIV_BLOCK q;
279
280		/* can only do one crypto operation */
281	0	if (ctx->crypto_ok == 0)
282	0	return 0;
283	0	ctx->crypto_ok--;
284
285	0	if (!siv128_do_s2v_p(ctx, &q, in, len))
286	0	return 0;
287
288	0	memcpy(ctx->tag.byte, &q, SIV_LEN);
289	0	q.byte[8] &= 0x7f;
290	0	q.byte[12] &= 0x7f;
291
292	0	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
293	0	return 0;
294	0	ctx->final_ret = 0;
295	0	return 1;
296	0	}
297
298		/*
299		* Provide any data to be decrypted. This can be called once.
300		*/
301		int ossl_siv128_decrypt(SIV128_CONTEXT *ctx,
302		const unsigned char in, unsigned char out,
303		size_t len)
304	0	{
305	0	unsigned char *p;
306	0	SIV_BLOCK t, q;
307	0	int i;
308
309		/* can only do one crypto operation */
310	0	if (ctx->crypto_ok == 0)
311	0	return 0;
312	0	ctx->crypto_ok--;
313
314	0	memcpy(&q, ctx->tag.byte, SIV_LEN);
315	0	q.byte[8] &= 0x7f;
316	0	q.byte[12] &= 0x7f;
317
318	0	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
319	0	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
320	0	return 0;
321
322	0	p = ctx->tag.byte;
323	0	for (i = 0; i < SIV_LEN; i++)
324	0	t.byte[i] ^= p[i];
325
326	0	if ((t.word[0] \| t.word[1]) != 0) {
327	0	OPENSSL_cleanse(out, len);
328	0	return 0;
329	0	}
330	0	ctx->final_ret = 0;
331	0	return 1;
332	0	}
333
334		/*
335		* Return the already calculated final result.
336		*/
337		int ossl_siv128_finish(SIV128_CONTEXT *ctx)
338	0	{
339	0	return ctx->final_ret;
340	0	}
341
342		/*
343		* Set the tag
344		*/
345		int ossl_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
346	0	{
347	0	if (len != SIV_LEN)
348	0	return 0;
349
350		/* Copy the tag from the supplied buffer */
351	0	memcpy(ctx->tag.byte, tag, len);
352	0	return 1;
353	0	}
354
355		/*
356		* Retrieve the calculated tag
357		*/
358		int ossl_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
359	0	{
360	0	if (len != SIV_LEN)
361	0	return 0;
362
363		/* Copy the tag into the supplied buffer */
364	0	memcpy(tag, ctx->tag.byte, len);
365	0	return 1;
366	0	}
367
368		/*
369		* Release all resources
370		*/
371		int ossl_siv128_cleanup(SIV128_CONTEXT *ctx)
372	0	{
373	0	if (ctx != NULL) {
374	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
375	0	ctx->cipher_ctx = NULL;
376	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
377	0	ctx->mac_ctx_init = NULL;
378	0	EVP_MAC_free(ctx->mac);
379	0	ctx->mac = NULL;
380	0	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
381	0	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
382	0	ctx->final_ret = -1;
383	0	ctx->crypto_ok = 1;
384	0	}
385	0	return 1;
386	0	}
387
388		int ossl_siv128_speed(SIV128_CONTEXT *ctx, int arg)
389	0	{
390	0	ctx->crypto_ok = (arg == 1) ? -1 : 1;
391	0	return 1;
392	0	}
393
394		#endif /* OPENSSL_NO_SIV */