/src/openssl/crypto/modes/siv128.c

Source (jump to first uncovered line)
/*
 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include "internal/endian.h"
#include "crypto/modes.h"
#include "crypto/siv.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    DECLARE_IS_ENDIAN;

    if (IS_LITTLE_ENDIAN)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    DECLARE_IS_ENDIAN;

    if (IS_LITTLE_ENDIAN)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
                                        SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
                                              unsigned char const* in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}


__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                             unsigned char const *in, size_t len,
                                             SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *ossl_siv128_new(const unsigned char *key, int klen,
                                  EVP_CIPHER *cbc, EVP_CIPHER *ctr,
                                  OSSL_LIB_CTX *libctx, const char *propq)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = ossl_siv128_init(ctx, key, klen, cbc, ctr, libctx, propq);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int ossl_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
                       const EVP_CIPHER *cbc, const EVP_CIPHER *ctr,
                       OSSL_LIB_CTX *libctx, const char *propq)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;
    OSSL_PARAM params[3];
    const char *cbc_name;

    if (ctx == NULL)
        return 0;

    memset(&ctx->d, 0, sizeof(ctx->d));
    EVP_CIPHER_CTX_free(ctx->cipher_ctx);
    EVP_MAC_CTX_free(ctx->mac_ctx_init);
    EVP_MAC_free(ctx->mac);
    ctx->mac = NULL;
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL)
        return 0;

    cbc_name = EVP_CIPHER_get0_name(cbc);
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
                                                 (char *)cbc_name, 0);
    params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
                                                  (void *)key, klen);
    params[2] = OSSL_PARAM_construct_end();

    if ((ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
            || (ctx->mac =
                EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, propq)) == NULL
            || (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
            || !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
            || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
            || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
            || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
            || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
                              sizeof(ctx->d.byte))) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        EVP_MAC_CTX_free(mac_ctx);
        EVP_MAC_free(ctx->mac);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int ossl_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (dest->cipher_ctx == NULL) {
        dest->cipher_ctx = EVP_CIPHER_CTX_new();
        if (dest->cipher_ctx == NULL)
            return 0;
    }
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    dest->mac = src->mac;
    if (dest->mac != NULL)
        EVP_MAC_up_ref(dest->mac);
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int ossl_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
                          sizeof(mac_out.byte))
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int ossl_siv128_encrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return 1;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int ossl_siv128_decrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    unsigned char* p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return 1;
}

/*
 * Return the already calculated final result.
 */
int ossl_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int ossl_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int ossl_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int ossl_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        EVP_MAC_free(ctx->mac);
        ctx->mac = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int ossl_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif                          /* OPENSSL_NO_SIV */

Coverage Report

Created: 2025-06-13 06:57

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <string.h>
11		#include <stdlib.h>
12		#include <openssl/crypto.h>
13		#include <openssl/evp.h>
14		#include <openssl/core_names.h>
15		#include <openssl/params.h>
16		#include "internal/endian.h"
17		#include "crypto/modes.h"
18		#include "crypto/siv.h"
19
20		#ifndef OPENSSL_NO_SIV
21
22		__owur static ossl_inline uint32_t rotl8(uint32_t x)
23	0	{
24	0	return (x << 8) \| (x >> 24);
25	0	}
26
27		__owur static ossl_inline uint32_t rotr8(uint32_t x)
28	0	{
29	0	return (x >> 8) \| (x << 24);
30	0	}
31
32		__owur static ossl_inline uint64_t byteswap8(uint64_t x)
33	0	{
34	0	uint32_t high = (uint32_t)(x >> 32);
35	0	uint32_t low = (uint32_t)x;
36
37	0	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
38	0	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
39	0	return ((uint64_t)low) << 32 \| (uint64_t)high;
40	0	}
41
42		__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
43	0	{
44	0	DECLARE_IS_ENDIAN;
45
46	0	if (IS_LITTLE_ENDIAN)
47	0	return byteswap8(b->word[i]);
48	0	return b->word[i];
49	0	}
50
51		static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
52	0	{
53	0	DECLARE_IS_ENDIAN;
54
55	0	if (IS_LITTLE_ENDIAN)
56	0	b->word[i] = byteswap8(x);
57	0	else
58	0	b->word[i] = x;
59	0	}
60
61		static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
62		SIV_BLOCK const *y)
63	0	{
64	0	x->word[0] ^= y->word[0];
65	0	x->word[1] ^= y->word[1];
66	0	}
67
68		/*
69		* Doubles \|b\|, which is 16 bytes representing an element
70		* of GF(2**128) modulo the irreducible polynomial
71		* x128 + x7 + x**2 + x + 1.
72		* Assumes two's-complement arithmetic
73		*/
74		static ossl_inline void siv128_dbl(SIV_BLOCK *b)
75	0	{
76	0	uint64_t high = siv128_getword(b, 0);
77	0	uint64_t low = siv128_getword(b, 1);
78	0	uint64_t high_carry = high & (((uint64_t)1) << 63);
79	0	uint64_t low_carry = low & (((uint64_t)1) << 63);
80	0	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
81	0	uint64_t high_mask = low_carry >> 63;
82
83	0	high = (high << 1) \| high_mask;
84	0	low = (low << 1) ^ (uint64_t)low_mask;
85	0	siv128_putword(b, 0, high);
86	0	siv128_putword(b, 1, low);
87	0	}
88
89		__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
90		unsigned char const* in, size_t len)
91	0	{
92	0	SIV_BLOCK t;
93	0	size_t out_len = sizeof(out->byte);
94	0	EVP_MAC_CTX *mac_ctx;
95	0	int ret = 0;
96
97	0	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
98	0	if (mac_ctx == NULL)
99	0	return 0;
100
101	0	if (len >= SIV_LEN) {
102	0	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
103	0	goto err;
104	0	memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
105	0	siv128_xorblock(&t, &ctx->d);
106	0	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
107	0	goto err;
108	0	} else {
109	0	memset(&t, 0, sizeof(t));
110	0	memcpy(&t, in, len);
111	0	t.byte[len] = 0x80;
112	0	siv128_dbl(&ctx->d);
113	0	siv128_xorblock(&t, &ctx->d);
114	0	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
115	0	goto err;
116	0	}
117	0	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
118	0	\|\| out_len != SIV_LEN)
119	0	goto err;
120
121	0	ret = 1;
122
123	0	err:
124	0	EVP_MAC_CTX_free(mac_ctx);
125	0	return ret;
126	0	}
127
128
129		__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
130		unsigned char const *in, size_t len,
131		SIV_BLOCK *icv)
132	0	{
133	0	int out_len = (int)len;
134
135	0	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
136	0	return 0;
137	0	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
138	0	}
139
140		/*
141		* Create a new SIV128_CONTEXT
142		*/
143		SIV128_CONTEXT ossl_siv128_new(const unsigned char key, int klen,
144		EVP_CIPHER cbc, EVP_CIPHER ctr,
145		OSSL_LIB_CTX libctx, const char propq)
146	0	{
147	0	SIV128_CONTEXT *ctx;
148	0	int ret;
149
150	0	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
151	0	ret = ossl_siv128_init(ctx, key, klen, cbc, ctr, libctx, propq);
152	0	if (ret)
153	0	return ctx;
154	0	OPENSSL_free(ctx);
155	0	}
156
157	0	return NULL;
158	0	}
159
160		/*
161		* Initialise an existing SIV128_CONTEXT
162		*/
163		int ossl_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
164		const EVP_CIPHER cbc, const EVP_CIPHER ctr,
165		OSSL_LIB_CTX libctx, const char propq)
166	0	{
167	0	static const unsigned char zero[SIV_LEN] = { 0 };
168	0	size_t out_len = SIV_LEN;
169	0	EVP_MAC_CTX *mac_ctx = NULL;
170	0	OSSL_PARAM params[3];
171	0	const char *cbc_name;
172
173	0	if (ctx == NULL)
174	0	return 0;
175
176	0	memset(&ctx->d, 0, sizeof(ctx->d));
177	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
178	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
179	0	EVP_MAC_free(ctx->mac);
180	0	ctx->mac = NULL;
181	0	ctx->cipher_ctx = NULL;
182	0	ctx->mac_ctx_init = NULL;
183
184	0	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL)
185	0	return 0;
186
187	0	cbc_name = EVP_CIPHER_get0_name(cbc);
188	0	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
189	0	(char *)cbc_name, 0);
190	0	params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
191	0	(void *)key, klen);
192	0	params[2] = OSSL_PARAM_construct_end();
193
194	0	if ((ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
195	0	\|\| (ctx->mac =
196	0	EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, propq)) == NULL
197	0	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
198	0	\|\| !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
199	0	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
200	0	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
201	0	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
202	0	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
203	0	sizeof(ctx->d.byte))) {
204	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
205	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
206	0	EVP_MAC_CTX_free(mac_ctx);
207	0	EVP_MAC_free(ctx->mac);
208	0	return 0;
209	0	}
210	0	EVP_MAC_CTX_free(mac_ctx);
211
212	0	ctx->final_ret = -1;
213	0	ctx->crypto_ok = 1;
214
215	0	return 1;
216	0	}
217
218		/*
219		* Copy an SIV128_CONTEXT object
220		*/
221		int ossl_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
222	0	{
223	0	memcpy(&dest->d, &src->d, sizeof(src->d));
224	0	if (dest->cipher_ctx == NULL) {
225	0	dest->cipher_ctx = EVP_CIPHER_CTX_new();
226	0	if (dest->cipher_ctx == NULL)
227	0	return 0;
228	0	}
229	0	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
230	0	return 0;
231	0	EVP_MAC_CTX_free(dest->mac_ctx_init);
232	0	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
233	0	if (dest->mac_ctx_init == NULL)
234	0	return 0;
235	0	dest->mac = src->mac;
236	0	if (dest->mac != NULL)
237	0	EVP_MAC_up_ref(dest->mac);
238	0	return 1;
239	0	}
240
241		/*
242		* Provide any AAD. This can be called multiple times.
243		* Per RFC5297, the last piece of associated data
244		* is the nonce, but it's not treated special
245		*/
246		int ossl_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
247		size_t len)
248	0	{
249	0	SIV_BLOCK mac_out;
250	0	size_t out_len = SIV_LEN;
251	0	EVP_MAC_CTX *mac_ctx;
252
253	0	siv128_dbl(&ctx->d);
254
255	0	if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
256	0	\|\| !EVP_MAC_update(mac_ctx, aad, len)
257	0	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
258	0	sizeof(mac_out.byte))
259	0	\|\| out_len != SIV_LEN) {
260	0	EVP_MAC_CTX_free(mac_ctx);
261	0	return 0;
262	0	}
263	0	EVP_MAC_CTX_free(mac_ctx);
264
265	0	siv128_xorblock(&ctx->d, &mac_out);
266
267	0	return 1;
268	0	}
269
270		/*
271		* Provide any data to be encrypted. This can be called once.
272		*/
273		int ossl_siv128_encrypt(SIV128_CONTEXT *ctx,
274		const unsigned char in, unsigned char out,
275		size_t len)
276	0	{
277	0	SIV_BLOCK q;
278
279		/* can only do one crypto operation */
280	0	if (ctx->crypto_ok == 0)
281	0	return 0;
282	0	ctx->crypto_ok--;
283
284	0	if (!siv128_do_s2v_p(ctx, &q, in, len))
285	0	return 0;
286
287	0	memcpy(ctx->tag.byte, &q, SIV_LEN);
288	0	q.byte[8] &= 0x7f;
289	0	q.byte[12] &= 0x7f;
290
291	0	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
292	0	return 0;
293	0	ctx->final_ret = 0;
294	0	return 1;
295	0	}
296
297		/*
298		* Provide any data to be decrypted. This can be called once.
299		*/
300		int ossl_siv128_decrypt(SIV128_CONTEXT *ctx,
301		const unsigned char in, unsigned char out,
302		size_t len)
303	0	{
304	0	unsigned char* p;
305	0	SIV_BLOCK t, q;
306	0	int i;
307
308		/* can only do one crypto operation */
309	0	if (ctx->crypto_ok == 0)
310	0	return 0;
311	0	ctx->crypto_ok--;
312
313	0	memcpy(&q, ctx->tag.byte, SIV_LEN);
314	0	q.byte[8] &= 0x7f;
315	0	q.byte[12] &= 0x7f;
316
317	0	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
318	0	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
319	0	return 0;
320
321	0	p = ctx->tag.byte;
322	0	for (i = 0; i < SIV_LEN; i++)
323	0	t.byte[i] ^= p[i];
324
325	0	if ((t.word[0] \| t.word[1]) != 0) {
326	0	OPENSSL_cleanse(out, len);
327	0	return 0;
328	0	}
329	0	ctx->final_ret = 0;
330	0	return 1;
331	0	}
332
333		/*
334		* Return the already calculated final result.
335		*/
336		int ossl_siv128_finish(SIV128_CONTEXT *ctx)
337	0	{
338	0	return ctx->final_ret;
339	0	}
340
341		/*
342		* Set the tag
343		*/
344		int ossl_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
345	0	{
346	0	if (len != SIV_LEN)
347	0	return 0;
348
349		/* Copy the tag from the supplied buffer */
350	0	memcpy(ctx->tag.byte, tag, len);
351	0	return 1;
352	0	}
353
354		/*
355		* Retrieve the calculated tag
356		*/
357		int ossl_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
358	0	{
359	0	if (len != SIV_LEN)
360	0	return 0;
361
362		/* Copy the tag into the supplied buffer */
363	0	memcpy(tag, ctx->tag.byte, len);
364	0	return 1;
365	0	}
366
367		/*
368		* Release all resources
369		*/
370		int ossl_siv128_cleanup(SIV128_CONTEXT *ctx)
371	0	{
372	0	if (ctx != NULL) {
373	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
374	0	ctx->cipher_ctx = NULL;
375	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
376	0	ctx->mac_ctx_init = NULL;
377	0	EVP_MAC_free(ctx->mac);
378	0	ctx->mac = NULL;
379	0	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
380	0	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
381	0	ctx->final_ret = -1;
382	0	ctx->crypto_ok = 1;
383	0	}
384	0	return 1;
385	0	}
386
387		int ossl_siv128_speed(SIV128_CONTEXT *ctx, int arg)
388	0	{
389	0	ctx->crypto_ok = (arg == 1) ? -1 : 1;
390	0	return 1;
391	0	}
392
393		#endif /* OPENSSL_NO_SIV */