/src/openssl/crypto/modes/siv128.c

Source
/*
 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include "internal/endian.h"
#include "crypto/modes.h"
#include "crypto/siv.h"

#ifndef OPENSSL_NO_SIV

__owur static ossl_inline uint32_t rotl8(uint32_t x)
{
    return (x << 8) | (x >> 24);
}

__owur static ossl_inline uint32_t rotr8(uint32_t x)
{
    return (x >> 8) | (x << 24);
}

__owur static ossl_inline uint64_t byteswap8(uint64_t x)
{
    uint32_t high = (uint32_t)(x >> 32);
    uint32_t low = (uint32_t)x;

    high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
    low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
    return ((uint64_t)low) << 32 | (uint64_t)high;
}

__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
{
    DECLARE_IS_ENDIAN;

    if (IS_LITTLE_ENDIAN)
        return byteswap8(b->word[i]);
    return b->word[i];
}

static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
{
    DECLARE_IS_ENDIAN;

    if (IS_LITTLE_ENDIAN)
        b->word[i] = byteswap8(x);
    else
        b->word[i] = x;
}

static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
                                        SIV_BLOCK const *y)
{
    x->word[0] ^= y->word[0];
    x->word[1] ^= y->word[1];
}

/*
 * Doubles |b|, which is 16 bytes representing an element
 * of GF(2**128) modulo the irreducible polynomial
 * x**128 + x**7 + x**2 + x + 1.
 * Assumes two's-complement arithmetic
 */
static ossl_inline void siv128_dbl(SIV_BLOCK *b)
{
    uint64_t high = siv128_getword(b, 0);
    uint64_t low = siv128_getword(b, 1);
    uint64_t high_carry = high & (((uint64_t)1) << 63);
    uint64_t low_carry = low & (((uint64_t)1) << 63);
    int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
    uint64_t high_mask = low_carry >> 63;

    high = (high << 1) | high_mask;
    low = (low << 1) ^ (uint64_t)low_mask;
    siv128_putword(b, 0, high);
    siv128_putword(b, 1, low);
}

__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
                                              unsigned char const* in, size_t len)
{
    SIV_BLOCK t;
    size_t out_len = sizeof(out->byte);
    EVP_MAC_CTX *mac_ctx;
    int ret = 0;

    mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
    if (mac_ctx == NULL)
        return 0;

    if (len >= SIV_LEN) {
        if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
            goto err;
        memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    } else {
        memset(&t, 0, sizeof(t));
        memcpy(&t, in, len);
        t.byte[len] = 0x80;
        siv128_dbl(&ctx->d);
        siv128_xorblock(&t, &ctx->d);
        if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
            goto err;
    }
    if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
        || out_len != SIV_LEN)
        goto err;

    ret = 1;

err:
    EVP_MAC_CTX_free(mac_ctx);
    return ret;
}


__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                             unsigned char const *in, size_t len,
                                             SIV_BLOCK *icv)
{
    int out_len = (int)len;

    if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
        return 0;
    return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
}

/*
 * Create a new SIV128_CONTEXT
 */
SIV128_CONTEXT *ossl_siv128_new(const unsigned char *key, int klen,
                                  EVP_CIPHER *cbc, EVP_CIPHER *ctr,
                                  OSSL_LIB_CTX *libctx, const char *propq)
{
    SIV128_CONTEXT *ctx;
    int ret;

    if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
        ret = ossl_siv128_init(ctx, key, klen, cbc, ctr, libctx, propq);
        if (ret)
            return ctx;
        OPENSSL_free(ctx);
    }

    return NULL;
}

/*
 * Initialise an existing SIV128_CONTEXT
 */
int ossl_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
                       const EVP_CIPHER *cbc, const EVP_CIPHER *ctr,
                       OSSL_LIB_CTX *libctx, const char *propq)
{
    static const unsigned char zero[SIV_LEN] = { 0 };
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx = NULL;
    OSSL_PARAM params[3];
    const char *cbc_name;

    if (ctx == NULL)
        return 0;

    memset(&ctx->d, 0, sizeof(ctx->d));
    EVP_CIPHER_CTX_free(ctx->cipher_ctx);
    EVP_MAC_CTX_free(ctx->mac_ctx_init);
    EVP_MAC_free(ctx->mac);
    ctx->mac = NULL;
    ctx->cipher_ctx = NULL;
    ctx->mac_ctx_init = NULL;

    if (key == NULL || cbc == NULL || ctr == NULL)
        return 0;

    cbc_name = EVP_CIPHER_get0_name(cbc);
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
                                                 (char *)cbc_name, 0);
    params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
                                                  (void *)key, klen);
    params[2] = OSSL_PARAM_construct_end();

    if ((ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
            || (ctx->mac =
                EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, propq)) == NULL
            || (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
            || !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
            || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
            || (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
            || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
            || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
                              sizeof(ctx->d.byte))) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        EVP_MAC_CTX_free(mac_ctx);
        EVP_MAC_free(ctx->mac);
        ctx->mac = NULL;
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    ctx->final_ret = -1;
    ctx->crypto_ok = 1;

    return 1;
}

/*
 * Copy an SIV128_CONTEXT object
 */
int ossl_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
{
    memcpy(&dest->d, &src->d, sizeof(src->d));
    if (dest->cipher_ctx == NULL) {
        dest->cipher_ctx = EVP_CIPHER_CTX_new();
        if (dest->cipher_ctx == NULL)
            return 0;
    }
    if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
        return 0;
    EVP_MAC_CTX_free(dest->mac_ctx_init);
    dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
    if (dest->mac_ctx_init == NULL)
        return 0;
    dest->mac = src->mac;
    if (dest->mac != NULL)
        EVP_MAC_up_ref(dest->mac);
    return 1;
}

/*
 * Provide any AAD. This can be called multiple times.
 * Per RFC5297, the last piece of associated data
 * is the nonce, but it's not treated special
 */
int ossl_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{
    SIV_BLOCK mac_out;
    size_t out_len = SIV_LEN;
    EVP_MAC_CTX *mac_ctx;

    siv128_dbl(&ctx->d);

    if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
        || !EVP_MAC_update(mac_ctx, aad, len)
        || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
                          sizeof(mac_out.byte))
        || out_len != SIV_LEN) {
        EVP_MAC_CTX_free(mac_ctx);
        return 0;
    }
    EVP_MAC_CTX_free(mac_ctx);

    siv128_xorblock(&ctx->d, &mac_out);

    return 1;
}

/*
 * Provide any data to be encrypted. This can be called once.
 */
int ossl_siv128_encrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    SIV_BLOCK q;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    if (!siv128_do_s2v_p(ctx, &q, in, len))
        return 0;

    memcpy(ctx->tag.byte, &q, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
        return 0;
    ctx->final_ret = 0;
    return 1;
}

/*
 * Provide any data to be decrypted. This can be called once.
 */
int ossl_siv128_decrypt(SIV128_CONTEXT *ctx,
                          const unsigned char *in, unsigned char *out,
                          size_t len)
{
    unsigned char* p;
    SIV_BLOCK t, q;
    int i;

    /* can only do one crypto operation */
    if (ctx->crypto_ok == 0)
        return 0;
    ctx->crypto_ok--;

    memcpy(&q, ctx->tag.byte, SIV_LEN);
    q.byte[8] &= 0x7f;
    q.byte[12] &= 0x7f;

    if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
        || !siv128_do_s2v_p(ctx, &t, out, len))
        return 0;

    p = ctx->tag.byte;
    for (i = 0; i < SIV_LEN; i++)
        t.byte[i] ^= p[i];

    if ((t.word[0] | t.word[1]) != 0) {
        OPENSSL_cleanse(out, len);
        return 0;
    }
    ctx->final_ret = 0;
    return 1;
}

/*
 * Return the already calculated final result.
 */
int ossl_siv128_finish(SIV128_CONTEXT *ctx)
{
    return ctx->final_ret;
}

/*
 * Set the tag
 */
int ossl_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag from the supplied buffer */
    memcpy(ctx->tag.byte, tag, len);
    return 1;
}

/*
 * Retrieve the calculated tag
 */
int ossl_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
{
    if (len != SIV_LEN)
        return 0;

    /* Copy the tag into the supplied buffer */
    memcpy(tag, ctx->tag.byte, len);
    return 1;
}

/*
 * Release all resources
 */
int ossl_siv128_cleanup(SIV128_CONTEXT *ctx)
{
    if (ctx != NULL) {
        EVP_CIPHER_CTX_free(ctx->cipher_ctx);
        ctx->cipher_ctx = NULL;
        EVP_MAC_CTX_free(ctx->mac_ctx_init);
        ctx->mac_ctx_init = NULL;
        EVP_MAC_free(ctx->mac);
        ctx->mac = NULL;
        OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
        OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
        ctx->final_ret = -1;
        ctx->crypto_ok = 1;
    }
    return 1;
}

int ossl_siv128_speed(SIV128_CONTEXT *ctx, int arg)
{
    ctx->crypto_ok = (arg == 1) ? -1 : 1;
    return 1;
}

#endif                          /* OPENSSL_NO_SIV */

Coverage Report

Created: 2025-10-10 07:01

Line	Count	Source
1		/*
2		* Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <string.h>
11		#include <stdlib.h>
12		#include <openssl/crypto.h>
13		#include <openssl/evp.h>
14		#include <openssl/core_names.h>
15		#include <openssl/params.h>
16		#include "internal/endian.h"
17		#include "crypto/modes.h"
18		#include "crypto/siv.h"
19
20		#ifndef OPENSSL_NO_SIV
21
22		__owur static ossl_inline uint32_t rotl8(uint32_t x)
23	0	{
24	0	return (x << 8) \| (x >> 24);
25	0	}
26
27		__owur static ossl_inline uint32_t rotr8(uint32_t x)
28	0	{
29	0	return (x >> 8) \| (x << 24);
30	0	}
31
32		__owur static ossl_inline uint64_t byteswap8(uint64_t x)
33	0	{
34	0	uint32_t high = (uint32_t)(x >> 32);
35	0	uint32_t low = (uint32_t)x;
36
37	0	high = (rotl8(high) & 0x00ff00ff) \| (rotr8(high) & 0xff00ff00);
38	0	low = (rotl8(low) & 0x00ff00ff) \| (rotr8(low) & 0xff00ff00);
39	0	return ((uint64_t)low) << 32 \| (uint64_t)high;
40	0	}
41
42		__owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
43	0	{
44	0	DECLARE_IS_ENDIAN;
45
46	0	if (IS_LITTLE_ENDIAN)
47	0	return byteswap8(b->word[i]);
48	0	return b->word[i];
49	0	}
50
51		static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
52	0	{
53	0	DECLARE_IS_ENDIAN;
54
55	0	if (IS_LITTLE_ENDIAN)
56	0	b->word[i] = byteswap8(x);
57	0	else
58	0	b->word[i] = x;
59	0	}
60
61		static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
62		SIV_BLOCK const *y)
63	0	{
64	0	x->word[0] ^= y->word[0];
65	0	x->word[1] ^= y->word[1];
66	0	}
67
68		/*
69		* Doubles \|b\|, which is 16 bytes representing an element
70		* of GF(2**128) modulo the irreducible polynomial
71		* x128 + x7 + x**2 + x + 1.
72		* Assumes two's-complement arithmetic
73		*/
74		static ossl_inline void siv128_dbl(SIV_BLOCK *b)
75	0	{
76	0	uint64_t high = siv128_getword(b, 0);
77	0	uint64_t low = siv128_getword(b, 1);
78	0	uint64_t high_carry = high & (((uint64_t)1) << 63);
79	0	uint64_t low_carry = low & (((uint64_t)1) << 63);
80	0	int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
81	0	uint64_t high_mask = low_carry >> 63;
82
83	0	high = (high << 1) \| high_mask;
84	0	low = (low << 1) ^ (uint64_t)low_mask;
85	0	siv128_putword(b, 0, high);
86	0	siv128_putword(b, 1, low);
87	0	}
88
89		__owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT ctx, SIV_BLOCK out,
90		unsigned char const* in, size_t len)
91	0	{
92	0	SIV_BLOCK t;
93	0	size_t out_len = sizeof(out->byte);
94	0	EVP_MAC_CTX *mac_ctx;
95	0	int ret = 0;
96
97	0	mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init);
98	0	if (mac_ctx == NULL)
99	0	return 0;
100
101	0	if (len >= SIV_LEN) {
102	0	if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
103	0	goto err;
104	0	memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
105	0	siv128_xorblock(&t, &ctx->d);
106	0	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
107	0	goto err;
108	0	} else {
109	0	memset(&t, 0, sizeof(t));
110	0	memcpy(&t, in, len);
111	0	t.byte[len] = 0x80;
112	0	siv128_dbl(&ctx->d);
113	0	siv128_xorblock(&t, &ctx->d);
114	0	if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
115	0	goto err;
116	0	}
117	0	if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
118	0	\|\| out_len != SIV_LEN)
119	0	goto err;
120
121	0	ret = 1;
122
123	0	err:
124	0	EVP_MAC_CTX_free(mac_ctx);
125	0	return ret;
126	0	}
127
128
129		__owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX ctx, unsigned char out,
130		unsigned char const *in, size_t len,
131		SIV_BLOCK *icv)
132	0	{
133	0	int out_len = (int)len;
134
135	0	if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
136	0	return 0;
137	0	return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
138	0	}
139
140		/*
141		* Create a new SIV128_CONTEXT
142		*/
143		SIV128_CONTEXT ossl_siv128_new(const unsigned char key, int klen,
144		EVP_CIPHER cbc, EVP_CIPHER ctr,
145		OSSL_LIB_CTX libctx, const char propq)
146	0	{
147	0	SIV128_CONTEXT *ctx;
148	0	int ret;
149
150	0	if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
151	0	ret = ossl_siv128_init(ctx, key, klen, cbc, ctr, libctx, propq);
152	0	if (ret)
153	0	return ctx;
154	0	OPENSSL_free(ctx);
155	0	}
156
157	0	return NULL;
158	0	}
159
160		/*
161		* Initialise an existing SIV128_CONTEXT
162		*/
163		int ossl_siv128_init(SIV128_CONTEXT ctx, const unsigned char key, int klen,
164		const EVP_CIPHER cbc, const EVP_CIPHER ctr,
165		OSSL_LIB_CTX libctx, const char propq)
166	0	{
167	0	static const unsigned char zero[SIV_LEN] = { 0 };
168	0	size_t out_len = SIV_LEN;
169	0	EVP_MAC_CTX *mac_ctx = NULL;
170	0	OSSL_PARAM params[3];
171	0	const char *cbc_name;
172
173	0	if (ctx == NULL)
174	0	return 0;
175
176	0	memset(&ctx->d, 0, sizeof(ctx->d));
177	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
178	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
179	0	EVP_MAC_free(ctx->mac);
180	0	ctx->mac = NULL;
181	0	ctx->cipher_ctx = NULL;
182	0	ctx->mac_ctx_init = NULL;
183
184	0	if (key == NULL \|\| cbc == NULL \|\| ctr == NULL)
185	0	return 0;
186
187	0	cbc_name = EVP_CIPHER_get0_name(cbc);
188	0	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
189	0	(char *)cbc_name, 0);
190	0	params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
191	0	(void *)key, klen);
192	0	params[2] = OSSL_PARAM_construct_end();
193
194	0	if ((ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
195	0	\|\| (ctx->mac =
196	0	EVP_MAC_fetch(libctx, OSSL_MAC_NAME_CMAC, propq)) == NULL
197	0	\|\| (ctx->mac_ctx_init = EVP_MAC_CTX_new(ctx->mac)) == NULL
198	0	\|\| !EVP_MAC_CTX_set_params(ctx->mac_ctx_init, params)
199	0	\|\| !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
200	0	\|\| (mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
201	0	\|\| !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
202	0	\|\| !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
203	0	sizeof(ctx->d.byte))) {
204	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
205	0	ctx->cipher_ctx = NULL;
206	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
207	0	ctx->mac_ctx_init = NULL;
208	0	EVP_MAC_CTX_free(mac_ctx);
209	0	EVP_MAC_free(ctx->mac);
210	0	ctx->mac = NULL;
211	0	return 0;
212	0	}
213	0	EVP_MAC_CTX_free(mac_ctx);
214
215	0	ctx->final_ret = -1;
216	0	ctx->crypto_ok = 1;
217
218	0	return 1;
219	0	}
220
221		/*
222		* Copy an SIV128_CONTEXT object
223		*/
224		int ossl_siv128_copy_ctx(SIV128_CONTEXT dest, SIV128_CONTEXT src)
225	0	{
226	0	memcpy(&dest->d, &src->d, sizeof(src->d));
227	0	if (dest->cipher_ctx == NULL) {
228	0	dest->cipher_ctx = EVP_CIPHER_CTX_new();
229	0	if (dest->cipher_ctx == NULL)
230	0	return 0;
231	0	}
232	0	if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
233	0	return 0;
234	0	EVP_MAC_CTX_free(dest->mac_ctx_init);
235	0	dest->mac_ctx_init = EVP_MAC_CTX_dup(src->mac_ctx_init);
236	0	if (dest->mac_ctx_init == NULL)
237	0	return 0;
238	0	dest->mac = src->mac;
239	0	if (dest->mac != NULL)
240	0	EVP_MAC_up_ref(dest->mac);
241	0	return 1;
242	0	}
243
244		/*
245		* Provide any AAD. This can be called multiple times.
246		* Per RFC5297, the last piece of associated data
247		* is the nonce, but it's not treated special
248		*/
249		int ossl_siv128_aad(SIV128_CONTEXT ctx, const unsigned char aad,
250		size_t len)
251	0	{
252	0	SIV_BLOCK mac_out;
253	0	size_t out_len = SIV_LEN;
254	0	EVP_MAC_CTX *mac_ctx;
255
256	0	siv128_dbl(&ctx->d);
257
258	0	if ((mac_ctx = EVP_MAC_CTX_dup(ctx->mac_ctx_init)) == NULL
259	0	\|\| !EVP_MAC_update(mac_ctx, aad, len)
260	0	\|\| !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
261	0	sizeof(mac_out.byte))
262	0	\|\| out_len != SIV_LEN) {
263	0	EVP_MAC_CTX_free(mac_ctx);
264	0	return 0;
265	0	}
266	0	EVP_MAC_CTX_free(mac_ctx);
267
268	0	siv128_xorblock(&ctx->d, &mac_out);
269
270	0	return 1;
271	0	}
272
273		/*
274		* Provide any data to be encrypted. This can be called once.
275		*/
276		int ossl_siv128_encrypt(SIV128_CONTEXT *ctx,
277		const unsigned char in, unsigned char out,
278		size_t len)
279	0	{
280	0	SIV_BLOCK q;
281
282		/* can only do one crypto operation */
283	0	if (ctx->crypto_ok == 0)
284	0	return 0;
285	0	ctx->crypto_ok--;
286
287	0	if (!siv128_do_s2v_p(ctx, &q, in, len))
288	0	return 0;
289
290	0	memcpy(ctx->tag.byte, &q, SIV_LEN);
291	0	q.byte[8] &= 0x7f;
292	0	q.byte[12] &= 0x7f;
293
294	0	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
295	0	return 0;
296	0	ctx->final_ret = 0;
297	0	return 1;
298	0	}
299
300		/*
301		* Provide any data to be decrypted. This can be called once.
302		*/
303		int ossl_siv128_decrypt(SIV128_CONTEXT *ctx,
304		const unsigned char in, unsigned char out,
305		size_t len)
306	0	{
307	0	unsigned char* p;
308	0	SIV_BLOCK t, q;
309	0	int i;
310
311		/* can only do one crypto operation */
312	0	if (ctx->crypto_ok == 0)
313	0	return 0;
314	0	ctx->crypto_ok--;
315
316	0	memcpy(&q, ctx->tag.byte, SIV_LEN);
317	0	q.byte[8] &= 0x7f;
318	0	q.byte[12] &= 0x7f;
319
320	0	if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
321	0	\|\| !siv128_do_s2v_p(ctx, &t, out, len))
322	0	return 0;
323
324	0	p = ctx->tag.byte;
325	0	for (i = 0; i < SIV_LEN; i++)
326	0	t.byte[i] ^= p[i];
327
328	0	if ((t.word[0] \| t.word[1]) != 0) {
329	0	OPENSSL_cleanse(out, len);
330	0	return 0;
331	0	}
332	0	ctx->final_ret = 0;
333	0	return 1;
334	0	}
335
336		/*
337		* Return the already calculated final result.
338		*/
339		int ossl_siv128_finish(SIV128_CONTEXT *ctx)
340	0	{
341	0	return ctx->final_ret;
342	0	}
343
344		/*
345		* Set the tag
346		*/
347		int ossl_siv128_set_tag(SIV128_CONTEXT ctx, const unsigned char tag, size_t len)
348	0	{
349	0	if (len != SIV_LEN)
350	0	return 0;
351
352		/* Copy the tag from the supplied buffer */
353	0	memcpy(ctx->tag.byte, tag, len);
354	0	return 1;
355	0	}
356
357		/*
358		* Retrieve the calculated tag
359		*/
360		int ossl_siv128_get_tag(SIV128_CONTEXT ctx, unsigned char tag, size_t len)
361	0	{
362	0	if (len != SIV_LEN)
363	0	return 0;
364
365		/* Copy the tag into the supplied buffer */
366	0	memcpy(tag, ctx->tag.byte, len);
367	0	return 1;
368	0	}
369
370		/*
371		* Release all resources
372		*/
373		int ossl_siv128_cleanup(SIV128_CONTEXT *ctx)
374	0	{
375	0	if (ctx != NULL) {
376	0	EVP_CIPHER_CTX_free(ctx->cipher_ctx);
377	0	ctx->cipher_ctx = NULL;
378	0	EVP_MAC_CTX_free(ctx->mac_ctx_init);
379	0	ctx->mac_ctx_init = NULL;
380	0	EVP_MAC_free(ctx->mac);
381	0	ctx->mac = NULL;
382	0	OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
383	0	OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
384	0	ctx->final_ret = -1;
385	0	ctx->crypto_ok = 1;
386	0	}
387	0	return 1;
388	0	}
389
390		int ossl_siv128_speed(SIV128_CONTEXT *ctx, int arg)
391	0	{
392	0	ctx->crypto_ok = (arg == 1) ? -1 : 1;
393	0	return 1;
394	0	}
395
396		#endif /* OPENSSL_NO_SIV */