/src/libgcrypt/cipher/cipher-siv.c

Source (jump to first uncovered line)
/* cipher-siv.c  -  SIV implementation (RFC 5297)
 * Copyright (C) 2021 Jussi Kivilinna <jussi.kivilinna@iki.fi>
 *
 * This file is part of Libgcrypt.
 *
 * Libgcrypt is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser general Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * Libgcrypt is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#include "g10lib.h"
#include "cipher.h"
#include "bufhelp.h"
#include "./cipher-internal.h"


static inline void
s2v_double (unsigned char *d)
{
  u64 hi, lo, mask;

  hi = buf_get_be64(d + 0);
  lo = buf_get_be64(d + 8);

  mask = -(hi >> 63);
  hi = (hi << 1) ^ (lo >> 63);
  lo = (lo << 1) ^ (mask & 0x87);

  buf_put_be64(d + 0, hi);
  buf_put_be64(d + 8, lo);
}


static void
s2v_pad (unsigned char *out, const byte *in, size_t inlen)
{
  static const unsigned char padding[GCRY_SIV_BLOCK_LEN] = { 0x80 };

  gcry_assert(inlen < GCRY_SIV_BLOCK_LEN);

  buf_cpy (out, in, inlen);
  buf_cpy (out + inlen, padding, GCRY_SIV_BLOCK_LEN - inlen);
}


gcry_err_code_t
_gcry_cipher_siv_setkey (gcry_cipher_hd_t c,
                   const unsigned char *ctrkey, size_t ctrkeylen)
{
  static const unsigned char zero[GCRY_SIV_BLOCK_LEN] = { 0 };
  gcry_err_code_t err;

  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;

  c->u_mode.siv.aad_count = 0;
  c->u_mode.siv.dec_tag_set = 0;
  c->marks.tag = 0;
  c->marks.iv = 0;

  /* Set CTR mode key. */
  err = c->spec->setkey (c->u_mode.siv.ctr_context, ctrkey, ctrkeylen,
       &c->bulk);
  if (err != 0)
    return err;

  /* Initialize S2V. */
  memset (&c->u_mode.siv.s2v_cmac, 0, sizeof(c->u_mode.siv.s2v_cmac));
  err = _gcry_cmac_generate_subkeys (c, &c->u_mode.siv.s2v_cmac);
  if (err != 0)
    return err;

  err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, zero, GCRY_SIV_BLOCK_LEN);
  if (err != 0)
    return err;

  err = _gcry_cmac_final (c, &c->u_mode.siv.s2v_cmac);
  if (err != 0)
    return err;

  memcpy (c->u_mode.siv.s2v_zero_block, c->u_mode.siv.s2v_cmac.u_iv.iv,
    GCRY_SIV_BLOCK_LEN);
  memcpy (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_zero_block,
    GCRY_SIV_BLOCK_LEN);

  return 0;
}


gcry_err_code_t
_gcry_cipher_siv_authenticate (gcry_cipher_hd_t c,
                               const byte *aadbuf, size_t aadbuflen)
{
  gcry_err_code_t err;

  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;
  if (c->marks.iv)
    return GPG_ERR_INV_STATE;

  if (c->u_mode.siv.aad_count >= 126)
    return GPG_ERR_INV_STATE; /* Too many AD vector components. */

  c->u_mode.siv.aad_count++;

  _gcry_cmac_reset (&c->u_mode.siv.s2v_cmac);

  err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, aadbuf, aadbuflen);
  if (err != 0)
    return err;

  err = _gcry_cmac_final (c, &c->u_mode.siv.s2v_cmac);
  if (err != 0)
    return err;

  s2v_double (c->u_mode.siv.s2v_d);
  cipher_block_xor_1 (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_cmac.u_iv.iv,
          GCRY_SIV_BLOCK_LEN);

  return 0;
}


gcry_err_code_t
_gcry_cipher_siv_set_nonce (gcry_cipher_hd_t c, const byte *nonce,
          size_t noncelen)
{
  gcry_err_code_t err;

  err = _gcry_cipher_siv_authenticate (c, nonce, noncelen);
  if (err)
    return err;

  /* Nonce is the last AD before plaintext. */
  c->marks.iv = 1;

  return 0;
}


static gcry_err_code_t
s2v_plaintext (gcry_cipher_hd_t c, const byte *plain, size_t plainlen)
{
  gcry_err_code_t err;

  if (c->u_mode.siv.aad_count >= 127)
    return GPG_ERR_INV_STATE; /* Too many AD vector components. */

  _gcry_cmac_reset (&c->u_mode.siv.s2v_cmac);

  if (plainlen >= GCRY_SIV_BLOCK_LEN)
    {
      err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, plain,
            plainlen - GCRY_SIV_BLOCK_LEN);
      if (err)
        return err;

      cipher_block_xor_1 (c->u_mode.siv.s2v_d,
        plain + plainlen - GCRY_SIV_BLOCK_LEN,
        GCRY_SIV_BLOCK_LEN);

      err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, c->u_mode.siv.s2v_d,
            GCRY_SIV_BLOCK_LEN);
      if (err)
        return err;
    }
  else
    {
      unsigned char pad_sn[GCRY_SIV_BLOCK_LEN];

      s2v_double (c->u_mode.siv.s2v_d);
      s2v_pad (pad_sn, plain, plainlen);
      cipher_block_xor_1 (pad_sn, c->u_mode.siv.s2v_d, GCRY_SIV_BLOCK_LEN);

      err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, pad_sn,
            GCRY_SIV_BLOCK_LEN);
      wipememory (pad_sn, sizeof(pad_sn));
      if (err)
        return err;
    }

  c->u_mode.siv.aad_count++;

  return _gcry_cmac_final (c, &c->u_mode.siv.s2v_cmac);
}


gcry_err_code_t
_gcry_cipher_siv_encrypt (gcry_cipher_hd_t c,
                          byte *outbuf, size_t outbuflen,
                          const byte *inbuf, size_t inbuflen)
{
  gcry_err_code_t err;
  u64 q_lo;

  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;
  if (outbuflen < inbuflen)
    return GPG_ERR_BUFFER_TOO_SHORT;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;
  if (c->u_mode.siv.dec_tag_set)
    return GPG_ERR_INV_STATE;

  /* Pass plaintext to S2V. */
  err = s2v_plaintext (c, inbuf, inbuflen);
  if (err != 0)
    return err;

  /* Clear 31th and 63th bits. */
  memcpy (c->u_ctr.ctr, c->u_mode.siv.s2v_cmac.u_iv.iv, GCRY_SIV_BLOCK_LEN);
  q_lo = buf_get_be64(c->u_ctr.ctr + 8);
  q_lo &= ~((u64)1 << 31);
  q_lo &= ~((u64)1 << 63);
  buf_put_be64(c->u_ctr.ctr + 8, q_lo);

  /* Encrypt plaintext. */
  err = _gcry_cipher_ctr_encrypt_ctx(c, outbuf, outbuflen, inbuf, inbuflen,
             c->u_mode.siv.ctr_context);
  if (err != 0)
    return err;

  c->marks.tag = 1;

  return 0;
}


gcry_err_code_t
_gcry_cipher_siv_set_decryption_tag (gcry_cipher_hd_t c,
             const byte *tag, size_t taglen)
{
  if (taglen != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_INV_ARG;
  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;

  memcpy (&c->u_mode.siv.dec_tag, tag, GCRY_SIV_BLOCK_LEN);
  c->u_mode.siv.dec_tag_set = 1;

  return 0;
}


gcry_err_code_t
_gcry_cipher_siv_decrypt (gcry_cipher_hd_t c,
                          byte *outbuf, size_t outbuflen,
                          const byte *inbuf, size_t inbuflen)
{
  gcry_err_code_t err;
  u64 q_lo;

  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;
  if (outbuflen < inbuflen)
    return GPG_ERR_BUFFER_TOO_SHORT;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;
  if (!c->u_mode.siv.dec_tag_set)
    return GPG_ERR_INV_STATE;

  /* Clear 31th and 63th bits. */
  memcpy (c->u_ctr.ctr, c->u_mode.siv.dec_tag, GCRY_SIV_BLOCK_LEN);
  q_lo = buf_get_be64(c->u_ctr.ctr + 8);
  q_lo &= ~((u64)1 << 31);
  q_lo &= ~((u64)1 << 63);
  buf_put_be64(c->u_ctr.ctr + 8, q_lo);

  /* Decrypt ciphertext. */
  err = _gcry_cipher_ctr_encrypt_ctx(c, outbuf, outbuflen, inbuf, inbuflen,
             c->u_mode.siv.ctr_context);
  if (err != 0)
    return err;

  /* Pass plaintext to S2V. */
  err = s2v_plaintext (c, outbuf, inbuflen);
  if (err != 0)
    return err;

  c->marks.tag = 1;

  if (!buf_eq_const(c->u_mode.siv.s2v_cmac.u_iv.iv, c->u_mode.siv.dec_tag,
        GCRY_SIV_BLOCK_LEN))
    {
      wipememory (outbuf, inbuflen);
      return GPG_ERR_CHECKSUM;
    }

  return 0;
}


gcry_err_code_t
_gcry_cipher_siv_get_tag (gcry_cipher_hd_t c, unsigned char *outbuf,
                          size_t outbuflen)
{
  gcry_err_code_t err;

  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;
  if (c->u_mode.siv.dec_tag_set)
    return GPG_ERR_INV_STATE;

  if (!c->marks.tag)
    {
      /* Finalize SIV with zero-length plaintext. */
      err = s2v_plaintext (c, NULL, 0);
      if (err != 0)
        return err;

      c->marks.tag = 1;
    }

  if (outbuflen > GCRY_SIV_BLOCK_LEN)
    outbuflen = GCRY_SIV_BLOCK_LEN;

  /* We already checked that OUTBUF is large enough to hold
   * the result or has valid truncated length.  */
  memcpy (outbuf, c->u_mode.siv.s2v_cmac.u_iv.iv, outbuflen);

  return 0;
}


gcry_err_code_t
_gcry_cipher_siv_check_tag (gcry_cipher_hd_t c, const unsigned char *intag,
                            size_t taglen)
{
  gcry_err_code_t err;
  size_t n;

  if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;

  if (!c->marks.tag)
    {
      /* Finalize SIV with zero-length plaintext. */
      err = s2v_plaintext (c, NULL, 0);
      if (err != 0)
        return err;

      c->marks.tag = 1;
    }

  n = GCRY_SIV_BLOCK_LEN;
  if (taglen < n)
    n = taglen;

  if (!buf_eq_const(c->u_mode.siv.s2v_cmac.u_iv.iv, intag, n)
      || GCRY_SIV_BLOCK_LEN != taglen)
    {
      return GPG_ERR_CHECKSUM;
    }

  return 0;
}

Coverage Report

Created: 2022-12-08 06:09

Line	Count	Source (jump to first uncovered line)
1		/* cipher-siv.c - SIV implementation (RFC 5297)
2		* Copyright (C) 2021 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3		*
4		* This file is part of Libgcrypt.
5		*
6		* Libgcrypt is free software; you can redistribute it and/or modify
7		* it under the terms of the GNU Lesser general Public License as
8		* published by the Free Software Foundation; either version 2.1 of
9		* the License, or (at your option) any later version.
10		*
11		* Libgcrypt is distributed in the hope that it will be useful,
12		* but WITHOUT ANY WARRANTY; without even the implied warranty of
13		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		* GNU Lesser General Public License for more details.
15		*
16		* You should have received a copy of the GNU Lesser General Public
17		* License along with this program; if not, see <http://www.gnu.org/licenses/>.
18		*/
19
20		#include <config.h>
21		#include <stdio.h>
22		#include <stdlib.h>
23		#include <string.h>
24		#include <errno.h>
25
26		#include "g10lib.h"
27		#include "cipher.h"
28		#include "bufhelp.h"
29		#include "./cipher-internal.h"
30
31
32		static inline void
33		s2v_double (unsigned char *d)
34	0	{
35	0	u64 hi, lo, mask;
36
37	0	hi = buf_get_be64(d + 0);
38	0	lo = buf_get_be64(d + 8);
39
40	0	mask = -(hi >> 63);
41	0	hi = (hi << 1) ^ (lo >> 63);
42	0	lo = (lo << 1) ^ (mask & 0x87);
43
44	0	buf_put_be64(d + 0, hi);
45	0	buf_put_be64(d + 8, lo);
46	0	}
47
48
49		static void
50		s2v_pad (unsigned char out, const byte in, size_t inlen)
51	0	{
52	0	static const unsigned char padding[GCRY_SIV_BLOCK_LEN] = { 0x80 };
53
54	0	gcry_assert(inlen < GCRY_SIV_BLOCK_LEN);
55
56	0	buf_cpy (out, in, inlen);
57	0	buf_cpy (out + inlen, padding, GCRY_SIV_BLOCK_LEN - inlen);
58	0	}
59
60
61		gcry_err_code_t
62		_gcry_cipher_siv_setkey (gcry_cipher_hd_t c,
63		const unsigned char *ctrkey, size_t ctrkeylen)
64	0	{
65	0	static const unsigned char zero[GCRY_SIV_BLOCK_LEN] = { 0 };
66	0	gcry_err_code_t err;
67
68	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
69	0	return GPG_ERR_CIPHER_ALGO;
70
71	0	c->u_mode.siv.aad_count = 0;
72	0	c->u_mode.siv.dec_tag_set = 0;
73	0	c->marks.tag = 0;
74	0	c->marks.iv = 0;
75
76		/* Set CTR mode key. */
77	0	err = c->spec->setkey (c->u_mode.siv.ctr_context, ctrkey, ctrkeylen,
78	0	&c->bulk);
79	0	if (err != 0)
80	0	return err;
81
82		/* Initialize S2V. */
83	0	memset (&c->u_mode.siv.s2v_cmac, 0, sizeof(c->u_mode.siv.s2v_cmac));
84	0	err = _gcry_cmac_generate_subkeys (c, &c->u_mode.siv.s2v_cmac);
85	0	if (err != 0)
86	0	return err;
87
88	0	err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, zero, GCRY_SIV_BLOCK_LEN);
89	0	if (err != 0)
90	0	return err;
91
92	0	err = _gcry_cmac_final (c, &c->u_mode.siv.s2v_cmac);
93	0	if (err != 0)
94	0	return err;
95
96	0	memcpy (c->u_mode.siv.s2v_zero_block, c->u_mode.siv.s2v_cmac.u_iv.iv,
97	0	GCRY_SIV_BLOCK_LEN);
98	0	memcpy (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_zero_block,
99	0	GCRY_SIV_BLOCK_LEN);
100
101	0	return 0;
102	0	}
103
104
105		gcry_err_code_t
106		_gcry_cipher_siv_authenticate (gcry_cipher_hd_t c,
107		const byte *aadbuf, size_t aadbuflen)
108	0	{
109	0	gcry_err_code_t err;
110
111	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
112	0	return GPG_ERR_CIPHER_ALGO;
113	0	if (c->marks.tag)
114	0	return GPG_ERR_INV_STATE;
115	0	if (c->marks.iv)
116	0	return GPG_ERR_INV_STATE;
117
118	0	if (c->u_mode.siv.aad_count >= 126)
119	0	return GPG_ERR_INV_STATE; /* Too many AD vector components. */
120
121	0	c->u_mode.siv.aad_count++;
122
123	0	_gcry_cmac_reset (&c->u_mode.siv.s2v_cmac);
124
125	0	err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, aadbuf, aadbuflen);
126	0	if (err != 0)
127	0	return err;
128
129	0	err = _gcry_cmac_final (c, &c->u_mode.siv.s2v_cmac);
130	0	if (err != 0)
131	0	return err;
132
133	0	s2v_double (c->u_mode.siv.s2v_d);
134	0	cipher_block_xor_1 (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_cmac.u_iv.iv,
135	0	GCRY_SIV_BLOCK_LEN);
136
137	0	return 0;
138	0	}
139
140
141		gcry_err_code_t
142		_gcry_cipher_siv_set_nonce (gcry_cipher_hd_t c, const byte *nonce,
143		size_t noncelen)
144	0	{
145	0	gcry_err_code_t err;
146
147	0	err = _gcry_cipher_siv_authenticate (c, nonce, noncelen);
148	0	if (err)
149	0	return err;
150
151		/* Nonce is the last AD before plaintext. */
152	0	c->marks.iv = 1;
153
154	0	return 0;
155	0	}
156
157
158		static gcry_err_code_t
159		s2v_plaintext (gcry_cipher_hd_t c, const byte *plain, size_t plainlen)
160	0	{
161	0	gcry_err_code_t err;
162
163	0	if (c->u_mode.siv.aad_count >= 127)
164	0	return GPG_ERR_INV_STATE; /* Too many AD vector components. */
165
166	0	_gcry_cmac_reset (&c->u_mode.siv.s2v_cmac);
167
168	0	if (plainlen >= GCRY_SIV_BLOCK_LEN)
169	0	{
170	0	err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, plain,
171	0	plainlen - GCRY_SIV_BLOCK_LEN);
172	0	if (err)
173	0	return err;
174
175	0	cipher_block_xor_1 (c->u_mode.siv.s2v_d,
176	0	plain + plainlen - GCRY_SIV_BLOCK_LEN,
177	0	GCRY_SIV_BLOCK_LEN);
178
179	0	err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, c->u_mode.siv.s2v_d,
180	0	GCRY_SIV_BLOCK_LEN);
181	0	if (err)
182	0	return err;
183	0	}
184	0	else
185	0	{
186	0	unsigned char pad_sn[GCRY_SIV_BLOCK_LEN];
187
188	0	s2v_double (c->u_mode.siv.s2v_d);
189	0	s2v_pad (pad_sn, plain, plainlen);
190	0	cipher_block_xor_1 (pad_sn, c->u_mode.siv.s2v_d, GCRY_SIV_BLOCK_LEN);
191
192	0	err = _gcry_cmac_write (c, &c->u_mode.siv.s2v_cmac, pad_sn,
193	0	GCRY_SIV_BLOCK_LEN);
194	0	wipememory (pad_sn, sizeof(pad_sn));
195	0	if (err)
196	0	return err;
197	0	}
198
199	0	c->u_mode.siv.aad_count++;
200
201	0	return _gcry_cmac_final (c, &c->u_mode.siv.s2v_cmac);
202	0	}
203
204
205		gcry_err_code_t
206		_gcry_cipher_siv_encrypt (gcry_cipher_hd_t c,
207		byte *outbuf, size_t outbuflen,
208		const byte *inbuf, size_t inbuflen)
209	0	{
210	0	gcry_err_code_t err;
211	0	u64 q_lo;
212
213	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
214	0	return GPG_ERR_CIPHER_ALGO;
215	0	if (outbuflen < inbuflen)
216	0	return GPG_ERR_BUFFER_TOO_SHORT;
217	0	if (c->marks.tag)
218	0	return GPG_ERR_INV_STATE;
219	0	if (c->u_mode.siv.dec_tag_set)
220	0	return GPG_ERR_INV_STATE;
221
222		/* Pass plaintext to S2V. */
223	0	err = s2v_plaintext (c, inbuf, inbuflen);
224	0	if (err != 0)
225	0	return err;
226
227		/* Clear 31th and 63th bits. */
228	0	memcpy (c->u_ctr.ctr, c->u_mode.siv.s2v_cmac.u_iv.iv, GCRY_SIV_BLOCK_LEN);
229	0	q_lo = buf_get_be64(c->u_ctr.ctr + 8);
230	0	q_lo &= ~((u64)1 << 31);
231	0	q_lo &= ~((u64)1 << 63);
232	0	buf_put_be64(c->u_ctr.ctr + 8, q_lo);
233
234		/* Encrypt plaintext. */
235	0	err = _gcry_cipher_ctr_encrypt_ctx(c, outbuf, outbuflen, inbuf, inbuflen,
236	0	c->u_mode.siv.ctr_context);
237	0	if (err != 0)
238	0	return err;
239
240	0	c->marks.tag = 1;
241
242	0	return 0;
243	0	}
244
245
246		gcry_err_code_t
247		_gcry_cipher_siv_set_decryption_tag (gcry_cipher_hd_t c,
248		const byte *tag, size_t taglen)
249	0	{
250	0	if (taglen != GCRY_SIV_BLOCK_LEN)
251	0	return GPG_ERR_INV_ARG;
252	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
253	0	return GPG_ERR_CIPHER_ALGO;
254	0	if (c->marks.tag)
255	0	return GPG_ERR_INV_STATE;
256
257	0	memcpy (&c->u_mode.siv.dec_tag, tag, GCRY_SIV_BLOCK_LEN);
258	0	c->u_mode.siv.dec_tag_set = 1;
259
260	0	return 0;
261	0	}
262
263
264		gcry_err_code_t
265		_gcry_cipher_siv_decrypt (gcry_cipher_hd_t c,
266		byte *outbuf, size_t outbuflen,
267		const byte *inbuf, size_t inbuflen)
268	0	{
269	0	gcry_err_code_t err;
270	0	u64 q_lo;
271
272	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
273	0	return GPG_ERR_CIPHER_ALGO;
274	0	if (outbuflen < inbuflen)
275	0	return GPG_ERR_BUFFER_TOO_SHORT;
276	0	if (c->marks.tag)
277	0	return GPG_ERR_INV_STATE;
278	0	if (!c->u_mode.siv.dec_tag_set)
279	0	return GPG_ERR_INV_STATE;
280
281		/* Clear 31th and 63th bits. */
282	0	memcpy (c->u_ctr.ctr, c->u_mode.siv.dec_tag, GCRY_SIV_BLOCK_LEN);
283	0	q_lo = buf_get_be64(c->u_ctr.ctr + 8);
284	0	q_lo &= ~((u64)1 << 31);
285	0	q_lo &= ~((u64)1 << 63);
286	0	buf_put_be64(c->u_ctr.ctr + 8, q_lo);
287
288		/* Decrypt ciphertext. */
289	0	err = _gcry_cipher_ctr_encrypt_ctx(c, outbuf, outbuflen, inbuf, inbuflen,
290	0	c->u_mode.siv.ctr_context);
291	0	if (err != 0)
292	0	return err;
293
294		/* Pass plaintext to S2V. */
295	0	err = s2v_plaintext (c, outbuf, inbuflen);
296	0	if (err != 0)
297	0	return err;
298
299	0	c->marks.tag = 1;
300
301	0	if (!buf_eq_const(c->u_mode.siv.s2v_cmac.u_iv.iv, c->u_mode.siv.dec_tag,
302	0	GCRY_SIV_BLOCK_LEN))
303	0	{
304	0	wipememory (outbuf, inbuflen);
305	0	return GPG_ERR_CHECKSUM;
306	0	}
307
308	0	return 0;
309	0	}
310
311
312		gcry_err_code_t
313		_gcry_cipher_siv_get_tag (gcry_cipher_hd_t c, unsigned char *outbuf,
314		size_t outbuflen)
315	0	{
316	0	gcry_err_code_t err;
317
318	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
319	0	return GPG_ERR_CIPHER_ALGO;
320	0	if (c->u_mode.siv.dec_tag_set)
321	0	return GPG_ERR_INV_STATE;
322
323	0	if (!c->marks.tag)
324	0	{
325		/* Finalize SIV with zero-length plaintext. */
326	0	err = s2v_plaintext (c, NULL, 0);
327	0	if (err != 0)
328	0	return err;
329
330	0	c->marks.tag = 1;
331	0	}
332
333	0	if (outbuflen > GCRY_SIV_BLOCK_LEN)
334	0	outbuflen = GCRY_SIV_BLOCK_LEN;
335
336		/* We already checked that OUTBUF is large enough to hold
337		* the result or has valid truncated length. */
338	0	memcpy (outbuf, c->u_mode.siv.s2v_cmac.u_iv.iv, outbuflen);
339
340	0	return 0;
341	0	}
342
343
344		gcry_err_code_t
345		_gcry_cipher_siv_check_tag (gcry_cipher_hd_t c, const unsigned char *intag,
346		size_t taglen)
347	0	{
348	0	gcry_err_code_t err;
349	0	size_t n;
350
351	0	if (c->spec->blocksize != GCRY_SIV_BLOCK_LEN)
352	0	return GPG_ERR_CIPHER_ALGO;
353
354	0	if (!c->marks.tag)
355	0	{
356		/* Finalize SIV with zero-length plaintext. */
357	0	err = s2v_plaintext (c, NULL, 0);
358	0	if (err != 0)
359	0	return err;
360
361	0	c->marks.tag = 1;
362	0	}
363
364	0	n = GCRY_SIV_BLOCK_LEN;
365	0	if (taglen < n)
366	0	n = taglen;
367
368	0	if (!buf_eq_const(c->u_mode.siv.s2v_cmac.u_iv.iv, intag, n)
369	0	\|\| GCRY_SIV_BLOCK_LEN != taglen)
370	0	{
371	0	return GPG_ERR_CHECKSUM;
372	0	}
373
374	0	return 0;
375	0	}