search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Correct PPTP server firewall rules chain.
[tomato/davidwu.git] / release / src / router / nettle / gcm.c
blob8c69327789ad3dc5d260e9e0b152132437c42fbb
1 /* gcm.h
2 *
3 * Galois counter mode, specified by NIST,
4 * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
5 *
6 * See also the gcm paper at
7 * http://www.cryptobarn.com/papers/gcm-spec.pdf.
8 */
9
10 /* NOTE: Tentative interface, subject to change. No effort will be
11 made to avoid incompatible changes. */
12
13 /* nettle, low-level cryptographics library
14 *
15 * Copyright (C) 2011 Niels Möller
16 * Copyright (C) 2011 Katholieke Universiteit Leuven
17 *
18 * Contributed by Nikos Mavrogiannopoulos
19 *
20 * The nettle library is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU Lesser General Public License as published by
22 * the Free Software Foundation; either version 2.1 of the License, or (at your
23 * option) any later version.
24 *
25 * The nettle library is distributed in the hope that it will be useful, but
26 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
27 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
28 * License for more details.
29 *
30 * You should have received a copy of the GNU Lesser General Public License
31 * along with the nettle library; see the file COPYING.LIB. If not, write to
32 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
33 * MA 02111-1301, USA.
34 */
35
36 #if HAVE_CONFIG_H
37 # include "config.h"
38 #endif
39
40 #include <assert.h>
41 #include <stdlib.h>
42 #include <string.h>
43
44 #include "gcm.h"
45
46 #include "memxor.h"
47 #include "nettle-internal.h"
48 #include "macros.h"
49
50 #define GHASH_POLYNOMIAL 0xE1UL
51
52 static void
53 gcm_gf_add (union gcm_block *r, const union gcm_block *x, const union gcm_block *y)
54 {
55 r->w[0] = x->w[0] ^ y->w[0];
56 r->w[1] = x->w[1] ^ y->w[1];
57 #if SIZEOF_LONG == 4
58 r->w[2] = x->w[2] ^ y->w[2];
59 r->w[3] = x->w[3] ^ y->w[3];
60 #endif
61 }
62 /* Multiplication by 010...0; a big-endian shift right. If the bit
63 shifted out is one, the defining polynomial is added to cancel it
64 out. r == x is allowed. */
65 static void
66 gcm_gf_shift (union gcm_block *r, const union gcm_block *x)
67 {
68 long mask;
69
70 /* Shift uses big-endian representation. */
71 #if WORDS_BIGENDIAN
72 # if SIZEOF_LONG == 4
73 mask = - (x->w[3] & 1);
74 r->w[3] = (x->w[3] >> 1) | ((x->w[2] & 1) << 31);
75 r->w[2] = (x->w[2] >> 1) | ((x->w[1] & 1) << 31);
76 r->w[1] = (x->w[1] >> 1) | ((x->w[0] & 1) << 31);
77 r->w[0] = (x->w[0] >> 1) ^ (mask & (GHASH_POLYNOMIAL << 24));
78 # elif SIZEOF_LONG == 8
79 mask = - (x->w[1] & 1);
80 r->w[1] = (x->w[1] >> 1) | ((x->w[0] & 1) << 63);
81 r->w[0] = (x->w[0] >> 1) ^ (mask & (GHASH_POLYNOMIAL << 56));
82 # else
83 # error Unsupported word size. */
84 #endif
85 #else /* ! WORDS_BIGENDIAN */
86 # if SIZEOF_LONG == 4
87 #define RSHIFT_WORD(x) \
88 ((((x) & 0xfefefefeUL) >> 1) \
89 | (((x) & 0x00010101) << 15))
90 mask = - ((x->w[3] >> 24) & 1);
91 r->w[3] = RSHIFT_WORD(x->w[3]) | ((x->w[2] >> 17) & 0x80);
92 r->w[2] = RSHIFT_WORD(x->w[2]) | ((x->w[1] >> 17) & 0x80);
93 r->w[1] = RSHIFT_WORD(x->w[1]) | ((x->w[0] >> 17) & 0x80);
94 r->w[0] = RSHIFT_WORD(x->w[0]) ^ (mask & GHASH_POLYNOMIAL);
95 # elif SIZEOF_LONG == 8
96 #define RSHIFT_WORD(x) \
97 ((((x) & 0xfefefefefefefefeUL) >> 1) \
98 | (((x) & 0x0001010101010101UL) << 15))
99 mask = - ((x->w[1] >> 56) & 1);
100 r->w[1] = RSHIFT_WORD(x->w[1]) | ((x->w[0] >> 49) & 0x80);
101 r->w[0] = RSHIFT_WORD(x->w[0]) ^ (mask & GHASH_POLYNOMIAL);
102 # else
103 # error Unsupported word size. */
104 # endif
105 # undef RSHIFT_WORD
106 #endif /* ! WORDS_BIGENDIAN */
107 }
108
109 #if GCM_TABLE_BITS == 0
110 /* Sets x <- x * y mod r, using the plain bitwise algorithm from the
111 specification. y may be shorter than a full block, missing bytes
112 are assumed zero. */
113 static void
114 gcm_gf_mul (union gcm_block *x, const union gcm_block *y)
115 {
116 union gcm_block V;
117 union gcm_block Z;
118 unsigned i;
119
120 memcpy(V.b, x, sizeof(V));
121 memset(Z.b, 0, sizeof(Z));
122
123 for (i = 0; i < GCM_BLOCK_SIZE; i++)
124 {
125 uint8_t b = y->b[i];
126 unsigned j;
127 for (j = 0; j < 8; j++, b <<= 1)
128 {
129 if (b & 0x80)
130 gcm_gf_add(&Z, &Z, &V);
131
132 gcm_gf_shift(&V, &V);
133 }
134 }
135 memcpy (x->b, Z.b, sizeof(Z));
136 }
137 #else /* GCM_TABLE_BITS != 0 */
138
139 # if WORDS_BIGENDIAN
140 # define W(left,right) (0x##left##right)
141 # else
142 # define W(left,right) (0x##right##left)
143 # endif
144
145 # if GCM_TABLE_BITS == 4
146 static const uint16_t
147 shift_table[0x10] = {
148 W(00,00),W(1c,20),W(38,40),W(24,60),W(70,80),W(6c,a0),W(48,c0),W(54,e0),
149 W(e1,00),W(fd,20),W(d9,40),W(c5,60),W(91,80),W(8d,a0),W(a9,c0),W(b5,e0),
150 };
151
152 static void
153 gcm_gf_shift_4(union gcm_block *x)
154 {
155 unsigned long *w = x->w;
156 unsigned long reduce;
157
158 /* Shift uses big-endian representation. */
159 #if WORDS_BIGENDIAN
160 # if SIZEOF_LONG == 4
161 reduce = shift_table[w[3] & 0xf];
162 w[3] = (w[3] >> 4) | ((w[2] & 0xf) << 28);
163 w[2] = (w[2] >> 4) | ((w[1] & 0xf) << 28);
164 w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 28);
165 w[0] = (w[0] >> 4) ^ (reduce << 16);
166 # elif SIZEOF_LONG == 8
167 reduce = shift_table[w[1] & 0xf];
168 w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 60);
169 w[0] = (w[0] >> 4) ^ (reduce << 48);
170 # else
171 # error Unsupported word size. */
172 #endif
173 #else /* ! WORDS_BIGENDIAN */
174 # if SIZEOF_LONG == 4
175 #define RSHIFT_WORD(x) \
176 ((((x) & 0xf0f0f0f0UL) >> 4) \
177 | (((x) & 0x000f0f0f) << 12))
178 reduce = shift_table[(w[3] >> 24) & 0xf];
179 w[3] = RSHIFT_WORD(w[3]) | ((w[2] >> 20) & 0xf0);
180 w[2] = RSHIFT_WORD(w[2]) | ((w[1] >> 20) & 0xf0);
181 w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 20) & 0xf0);
182 w[0] = RSHIFT_WORD(w[0]) ^ reduce;
183 # elif SIZEOF_LONG == 8
184 #define RSHIFT_WORD(x) \
185 ((((x) & 0xf0f0f0f0f0f0f0f0UL) >> 4) \
186 | (((x) & 0x000f0f0f0f0f0f0fUL) << 12))
187 reduce = shift_table[(w[1] >> 56) & 0xf];
188 w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 52) & 0xf0);
189 w[0] = RSHIFT_WORD(w[0]) ^ reduce;
190 # else
191 # error Unsupported word size. */
192 # endif
193 # undef RSHIFT_WORD
194 #endif /* ! WORDS_BIGENDIAN */
195 }
196
197 static void
198 gcm_gf_mul (union gcm_block *x, const union gcm_block *table)
199 {
200 union gcm_block Z;
201 unsigned i;
202
203 memset(Z.b, 0, sizeof(Z));
204
205 for (i = GCM_BLOCK_SIZE; i-- > 0;)
206 {
207 uint8_t b = x->b[i];
208
209 gcm_gf_shift_4(&Z);
210 gcm_gf_add(&Z, &Z, &table[b & 0xf]);
211 gcm_gf_shift_4(&Z);
212 gcm_gf_add(&Z, &Z, &table[b >> 4]);
213 }
214 memcpy (x->b, Z.b, sizeof(Z));
215 }
216 # elif GCM_TABLE_BITS == 8
217 static const uint16_t
218 shift_table[0x100] = {
219 W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e),
220 W(0e,10),W(0f,d2),W(0d,94),W(0c,56),W(09,18),W(08,da),W(0a,9c),W(0b,5e),
221 W(1c,20),W(1d,e2),W(1f,a4),W(1e,66),W(1b,28),W(1a,ea),W(18,ac),W(19,6e),
222 W(12,30),W(13,f2),W(11,b4),W(10,76),W(15,38),W(14,fa),W(16,bc),W(17,7e),
223 W(38,40),W(39,82),W(3b,c4),W(3a,06),W(3f,48),W(3e,8a),W(3c,cc),W(3d,0e),
224 W(36,50),W(37,92),W(35,d4),W(34,16),W(31,58),W(30,9a),W(32,dc),W(33,1e),
225 W(24,60),W(25,a2),W(27,e4),W(26,26),W(23,68),W(22,aa),W(20,ec),W(21,2e),
226 W(2a,70),W(2b,b2),W(29,f4),W(28,36),W(2d,78),W(2c,ba),W(2e,fc),W(2f,3e),
227 W(70,80),W(71,42),W(73,04),W(72,c6),W(77,88),W(76,4a),W(74,0c),W(75,ce),
228 W(7e,90),W(7f,52),W(7d,14),W(7c,d6),W(79,98),W(78,5a),W(7a,1c),W(7b,de),
229 W(6c,a0),W(6d,62),W(6f,24),W(6e,e6),W(6b,a8),W(6a,6a),W(68,2c),W(69,ee),
230 W(62,b0),W(63,72),W(61,34),W(60,f6),W(65,b8),W(64,7a),W(66,3c),W(67,fe),
231 W(48,c0),W(49,02),W(4b,44),W(4a,86),W(4f,c8),W(4e,0a),W(4c,4c),W(4d,8e),
232 W(46,d0),W(47,12),W(45,54),W(44,96),W(41,d8),W(40,1a),W(42,5c),W(43,9e),
233 W(54,e0),W(55,22),W(57,64),W(56,a6),W(53,e8),W(52,2a),W(50,6c),W(51,ae),
234 W(5a,f0),W(5b,32),W(59,74),W(58,b6),W(5d,f8),W(5c,3a),W(5e,7c),W(5f,be),
235 W(e1,00),W(e0,c2),W(e2,84),W(e3,46),W(e6,08),W(e7,ca),W(e5,8c),W(e4,4e),
236 W(ef,10),W(ee,d2),W(ec,94),W(ed,56),W(e8,18),W(e9,da),W(eb,9c),W(ea,5e),
237 W(fd,20),W(fc,e2),W(fe,a4),W(ff,66),W(fa,28),W(fb,ea),W(f9,ac),W(f8,6e),
238 W(f3,30),W(f2,f2),W(f0,b4),W(f1,76),W(f4,38),W(f5,fa),W(f7,bc),W(f6,7e),
239 W(d9,40),W(d8,82),W(da,c4),W(db,06),W(de,48),W(df,8a),W(dd,cc),W(dc,0e),
240 W(d7,50),W(d6,92),W(d4,d4),W(d5,16),W(d0,58),W(d1,9a),W(d3,dc),W(d2,1e),
241 W(c5,60),W(c4,a2),W(c6,e4),W(c7,26),W(c2,68),W(c3,aa),W(c1,ec),W(c0,2e),
242 W(cb,70),W(ca,b2),W(c8,f4),W(c9,36),W(cc,78),W(cd,ba),W(cf,fc),W(ce,3e),
243 W(91,80),W(90,42),W(92,04),W(93,c6),W(96,88),W(97,4a),W(95,0c),W(94,ce),
244 W(9f,90),W(9e,52),W(9c,14),W(9d,d6),W(98,98),W(99,5a),W(9b,1c),W(9a,de),
245 W(8d,a0),W(8c,62),W(8e,24),W(8f,e6),W(8a,a8),W(8b,6a),W(89,2c),W(88,ee),
246 W(83,b0),W(82,72),W(80,34),W(81,f6),W(84,b8),W(85,7a),W(87,3c),W(86,fe),
247 W(a9,c0),W(a8,02),W(aa,44),W(ab,86),W(ae,c8),W(af,0a),W(ad,4c),W(ac,8e),
248 W(a7,d0),W(a6,12),W(a4,54),W(a5,96),W(a0,d8),W(a1,1a),W(a3,5c),W(a2,9e),
249 W(b5,e0),W(b4,22),W(b6,64),W(b7,a6),W(b2,e8),W(b3,2a),W(b1,6c),W(b0,ae),
250 W(bb,f0),W(ba,32),W(b8,74),W(b9,b6),W(bc,f8),W(bd,3a),W(bf,7c),W(be,be),
251 };
252
253 static void
254 gcm_gf_shift_8(union gcm_block *x)
255 {
256 unsigned long *w = x->w;
257 unsigned long reduce;
258
259 /* Shift uses big-endian representation. */
260 #if WORDS_BIGENDIAN
261 # if SIZEOF_LONG == 4
262 reduce = shift_table[w[3] & 0xff];
263 w[3] = (w[3] >> 8) | ((w[2] & 0xff) << 24);
264 w[2] = (w[2] >> 8) | ((w[1] & 0xff) << 24);
265 w[1] = (w[1] >> 8) | ((w[0] & 0xff) << 24);
266 w[0] = (w[0] >> 8) ^ (reduce << 16);
267 # elif SIZEOF_LONG == 8
268 reduce = shift_table[w[1] & 0xff];
269 w[1] = (w[1] >> 8) | ((w[0] & 0xff) << 56);
270 w[0] = (w[0] >> 8) ^ (reduce << 48);
271 # else
272 # error Unsupported word size. */
273 #endif
274 #else /* ! WORDS_BIGENDIAN */
275 # if SIZEOF_LONG == 4
276 reduce = shift_table[(w[3] >> 24) & 0xff];
277 w[3] = (w[3] << 8) | (w[2] >> 24);
278 w[2] = (w[2] << 8) | (w[1] >> 24);
279 w[1] = (w[1] << 8) | (w[0] >> 24);
280 w[0] = (w[0] << 8) ^ reduce;
281 # elif SIZEOF_LONG == 8
282 reduce = shift_table[(w[1] >> 56) & 0xff];
283 w[1] = (w[1] << 8) | (w[0] >> 56);
284 w[0] = (w[0] << 8) ^ reduce;
285 # else
286 # error Unsupported word size. */
287 # endif
288 #endif /* ! WORDS_BIGENDIAN */
289 }
290
291 static void
292 gcm_gf_mul (union gcm_block *x, const union gcm_block *table)
293 {
294 union gcm_block Z;
295 unsigned i;
296
297 memcpy(Z.b, table[x->b[GCM_BLOCK_SIZE-1]].b, GCM_BLOCK_SIZE);
298
299 for (i = GCM_BLOCK_SIZE-2; i > 0; i--)
300 {
301 gcm_gf_shift_8(&Z);
302 gcm_gf_add(&Z, &Z, &table[x->b[i]]);
303 }
304 gcm_gf_shift_8(&Z);
305 gcm_gf_add(x, &Z, &table[x->b[0]]);
306 }
307
308 # else /* GCM_TABLE_BITS != 8 */
309 # error Unsupported table size.
310 # endif /* GCM_TABLE_BITS != 8 */
311
312 #undef W
313
314 #endif /* GCM_TABLE_BITS */
315
316 /* Increment the rightmost 32 bits. */
317 #define INC32(block) INCREMENT(4, (block.b) + GCM_BLOCK_SIZE - 4)
318
319 /* Initialization of GCM.
320 * @ctx: The context of GCM
321 * @cipher: The context of the underlying block cipher
322 * @f: The underlying cipher encryption function
323 */
324 void
325 gcm_set_key(struct gcm_key *key,
326 void *cipher, nettle_crypt_func *f)
327 {
328 /* Middle element if GCM_TABLE_BITS > 0, otherwise the first
329 element */
330 unsigned i = (1<<GCM_TABLE_BITS)/2;
331
332 /* H */
333 memset(key->h[0].b, 0, GCM_BLOCK_SIZE);
334 f (cipher, GCM_BLOCK_SIZE, key->h[i].b, key->h[0].b);
335
336 #if GCM_TABLE_BITS
337 /* Algorithm 3 from the gcm paper. First do powers of two, then do
338 the rest by adding. */
339 while (i /= 2)
340 gcm_gf_shift(&key->h[i], &key->h[2*i]);
341 for (i = 2; i < 1<<GCM_TABLE_BITS; i *= 2)
342 {
343 unsigned j;
344 for (j = 1; j < i; j++)
345 gcm_gf_add(&key->h[i+j], &key->h[i],&key->h[j]);
346 }
347 #endif
348 }
349
350 static void
351 gcm_hash(const struct gcm_key *key, union gcm_block *x,
352 unsigned length, const uint8_t *data)
353 {
354 for (; length >= GCM_BLOCK_SIZE;
355 length -= GCM_BLOCK_SIZE, data += GCM_BLOCK_SIZE)
356 {
357 memxor (x->b, data, GCM_BLOCK_SIZE);
358 gcm_gf_mul (x, key->h);
359 }
360 if (length > 0)
361 {
362 memxor (x->b, data, length);
363 gcm_gf_mul (x, key->h);
364 }
365 }
366
367 static void
368 gcm_hash_sizes(const struct gcm_key *key, union gcm_block *x,
369 uint64_t auth_size, uint64_t data_size)
370 {
371 uint8_t buffer[GCM_BLOCK_SIZE];
372
373 data_size *= 8;
374 auth_size *= 8;
375
376 WRITE_UINT64 (buffer, auth_size);
377 WRITE_UINT64 (buffer + 8, data_size);
378
379 gcm_hash(key, x, GCM_BLOCK_SIZE, buffer);
380 }
381
382 /*
383 * @length: The size of the iv (fixed for now to GCM_NONCE_SIZE)
384 * @iv: The iv
385 */
386 void
387 gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key,
388 unsigned length, const uint8_t *iv)
389 {
390 if (length == GCM_IV_SIZE)
391 {
392 memcpy (ctx->iv.b, iv, GCM_BLOCK_SIZE - 4);
393 ctx->iv.b[GCM_BLOCK_SIZE - 4] = 0;
394 ctx->iv.b[GCM_BLOCK_SIZE - 3] = 0;
395 ctx->iv.b[GCM_BLOCK_SIZE - 2] = 0;
396 ctx->iv.b[GCM_BLOCK_SIZE - 1] = 1;
397 }
398 else
399 {
400 memset(ctx->iv.b, 0, GCM_BLOCK_SIZE);
401 gcm_hash(key, &ctx->iv, length, iv);
402 gcm_hash_sizes(key, &ctx->iv, 0, length);
403 }
404
405 memcpy (ctx->ctr.b, ctx->iv.b, GCM_BLOCK_SIZE);
406 INC32 (ctx->ctr);
407
408 /* Reset the rest of the message-dependent state. */
409 memset(ctx->x.b, 0, sizeof(ctx->x));
410 ctx->auth_size = ctx->data_size = 0;
411 }
412
413 void
414 gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key,
415 unsigned length, const uint8_t *data)
416 {
417 assert(ctx->auth_size % GCM_BLOCK_SIZE == 0);
418 assert(ctx->data_size == 0);
419
420 gcm_hash(key, &ctx->x, length, data);
421
422 ctx->auth_size += length;
423 }
424
425 static void
426 gcm_crypt(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f,
427 unsigned length, uint8_t *dst, const uint8_t *src)
428 {
429 uint8_t buffer[GCM_BLOCK_SIZE];
430
431 if (src != dst)
432 {
433 for (; length >= GCM_BLOCK_SIZE;
434 (length -= GCM_BLOCK_SIZE,
435 src += GCM_BLOCK_SIZE, dst += GCM_BLOCK_SIZE))
436 {
437 f (cipher, GCM_BLOCK_SIZE, dst, ctx->ctr.b);
438 memxor (dst, src, GCM_BLOCK_SIZE);
439 INC32 (ctx->ctr);
440 }
441 }
442 else
443 {
444 for (; length >= GCM_BLOCK_SIZE;
445 (length -= GCM_BLOCK_SIZE,
446 src += GCM_BLOCK_SIZE, dst += GCM_BLOCK_SIZE))
447 {
448 f (cipher, GCM_BLOCK_SIZE, buffer, ctx->ctr.b);
449 memxor3 (dst, src, buffer, GCM_BLOCK_SIZE);
450 INC32 (ctx->ctr);
451 }
452 }
453 if (length > 0)
454 {
455 /* A final partial block */
456 f (cipher, GCM_BLOCK_SIZE, buffer, ctx->ctr.b);
457 memxor3 (dst, src, buffer, length);
458 INC32 (ctx->ctr);
459 }
460 }
461
462 void
463 gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key,
464 void *cipher, nettle_crypt_func *f,
465 unsigned length, uint8_t *dst, const uint8_t *src)
466 {
467 assert(ctx->data_size % GCM_BLOCK_SIZE == 0);
468
469 gcm_crypt(ctx, cipher, f, length, dst, src);
470 gcm_hash(key, &ctx->x, length, dst);
471
472 ctx->data_size += length;
473 }
474
475 void
476 gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
477 void *cipher, nettle_crypt_func *f,
478 unsigned length, uint8_t *dst, const uint8_t *src)
479 {
480 assert(ctx->data_size % GCM_BLOCK_SIZE == 0);
481
482 gcm_hash(key, &ctx->x, length, src);
483 gcm_crypt(ctx, cipher, f, length, dst, src);
484
485 ctx->data_size += length;
486 }
487
488 void
489 gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key,
490 void *cipher, nettle_crypt_func *f,
491 unsigned length, uint8_t *digest)
492 {
493 uint8_t buffer[GCM_BLOCK_SIZE];
494
495 assert (length <= GCM_BLOCK_SIZE);
496
497 gcm_hash_sizes(key, &ctx->x, ctx->auth_size, ctx->data_size);
498
499 f (cipher, GCM_BLOCK_SIZE, buffer, ctx->iv.b);
500 memxor3 (digest, ctx->x.b, buffer, length);
501
502 return;
503 }