diff --git a/cipher/cipher-aeswrap.c b/cipher/cipher-aeswrap.c
index 42407519..86c4897f 100644
--- a/cipher/cipher-aeswrap.c
+++ b/cipher/cipher-aeswrap.c
@@ -1,210 +1,410 @@
/* cipher-aeswrap.c - Generic AESWRAP mode implementation
* Copyright (C) 2009, 2011 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser general Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "g10lib.h"
#include "cipher.h"
#include "bufhelp.h"
#include "./cipher-internal.h"
-
-/* Perform the AES-Wrap algorithm as specified by RFC3394. We
- implement this as a mode usable with any cipher algorithm of
- blocksize 128. */
-gcry_err_code_t
-_gcry_cipher_aeswrap_encrypt (gcry_cipher_hd_t c,
- byte *outbuf, size_t outbuflen,
- const byte *inbuf, size_t inbuflen )
+/* Perform the wrap algorithm W as specified by NIST SP 800-38F.
+ Cipher block size must be 128-bit. */
+static gcry_err_code_t
+wrap (gcry_cipher_hd_t c, byte *outbuf, size_t inbuflen)
{
int j, x;
size_t n, i;
unsigned char *r, *a, *b;
unsigned char t[8];
unsigned int burn, nburn;
#if MAX_BLOCKSIZE < 8
#error Invalid block size
#endif
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
- /* The output buffer must be able to hold the input data plus one
- additional block. */
- if (outbuflen < inbuflen + 8)
- return GPG_ERR_BUFFER_TOO_SHORT;
/* Input data must be multiple of 64 bits. */
if (inbuflen % 8)
return GPG_ERR_INV_ARG;
n = inbuflen / 8;
- /* We need at least two 64 bit blocks. */
- if (n < 2)
+ /* We need at least three 64 bit blocks. */
+ if (n < 3)
return GPG_ERR_INV_ARG;
burn = 0;
r = outbuf;
a = outbuf; /* We store A directly in OUTBUF. */
b = c->u_ctr.ctr; /* B is also used to concatenate stuff. */
- /* Copy the inbuf to the outbuf. */
- memmove (r+8, inbuf, inbuflen);
-
- /* If an IV has been set we use that IV as the Alternative Initial
- Value; if it has not been set we use the standard value. */
- if (c->marks.iv)
- memcpy (a, c->u_iv.iv, 8);
- else
- memset (a, 0xa6, 8);
-
memset (t, 0, sizeof t); /* t := 0. */
for (j = 0; j <= 5; j++)
{
- for (i = 1; i <= n; i++)
+ for (i = 1; i < n; i++)
{
- /* B := AES_k( A | R[i] ) */
+ /* B := CIPH_k( A | R[i] ) */
memcpy (b, a, 8);
memcpy (b+8, r+i*8, 8);
nburn = c->spec->encrypt (&c->context.c, b, b);
burn = nburn > burn ? nburn : burn;
/* t := t + 1 */
- for (x = 7; x >= 0; x--)
- {
- t[x]++;
- if (t[x])
- break;
- }
+ for (x = 7; x >= 0; x--)
+ if (++t[x])
+ break;
/* A := MSB_64(B) ^ t */
- cipher_block_xor(a, b, t, 8);
+ cipher_block_xor (a, b, t, 8);
/* R[i] := LSB_64(B) */
memcpy (r+i*8, b+8, 8);
}
}
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
return 0;
}
-/* Perform the AES-Unwrap algorithm as specified by RFC3394. We
+
+/* Perform the Key Wrap algorithm as specified by RFC3394. We
implement this as a mode usable with any cipher algorithm of
blocksize 128. */
gcry_err_code_t
-_gcry_cipher_aeswrap_decrypt (gcry_cipher_hd_t c,
+_gcry_cipher_keywrap_encrypt (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
+{
+ gcry_err_code_t err;
+ unsigned char *r = outbuf;
+
+ /* We require a cipher with a 128 bit block length. */
+ if (c->spec->blocksize != 16)
+ return GPG_ERR_INV_LENGTH;
+
+ /* The output buffer must be able to hold the input data plus one
+ additional block. */
+ if (outbuflen < inbuflen + 8)
+ return GPG_ERR_BUFFER_TOO_SHORT;
+ /* Input data must be multiple of 64 bits. */
+ if (inbuflen % 8)
+ return GPG_ERR_INV_ARG;
+
+ /* We need at least two 64 bit blocks. */
+ if ((inbuflen / 8) < 2)
+ return GPG_ERR_INV_ARG;
+
+ /* Copy the inbuf to the outbuf. */
+ memmove (r+8, inbuf, inbuflen);
+
+ /* If an IV has been set we use that IV as the Alternative Initial
+ Value; if it has not been set we use the standard value. */
+ if (c->marks.iv)
+ memcpy (r, c->u_iv.iv, 8);
+ else
+ memset (r, 0xa6, 8);
+
+ err = wrap (c, r, inbuflen + 8);
+
+ return err;
+}
+
+
+static const unsigned char icv2[] = { 0xA6, 0x59, 0x59, 0xA6 };
+
+/* Perform the Key Wrap algorithm as specified by RFC5649. */
+gcry_err_code_t
+_gcry_cipher_keywrap_encrypt_padding (gcry_cipher_hd_t c,
+ byte *outbuf, size_t outbuflen,
+ const byte *inbuf, size_t inbuflen)
+{
+ gcry_err_code_t err;
+ unsigned char *r = outbuf;
+ unsigned int padlen;
+
+ /* We require a cipher with a 128 bit block length. */
+ if (c->spec->blocksize != 16)
+ return GPG_ERR_INV_LENGTH;
+
+ /* The output buffer must be able to hold the input data plus one
+ additional block and padding. */
+ if (outbuflen < ((inbuflen + 7)/8)*8 + 8)
+ return GPG_ERR_BUFFER_TOO_SHORT;
+
+ if (inbuflen % 8)
+ padlen = 8 - (inbuflen % 8);
+ else
+ padlen = 0;
+
+ memcpy (r, icv2, 4);
+ r[4] = ((inbuflen >> 24) & 0xff);
+ r[5] = ((inbuflen >> 16) & 0xff);
+ r[6] = ((inbuflen >> 8) & 0xff);
+ r[7] = (inbuflen & 0xff);
+ memcpy (r+8, inbuf, inbuflen);
+ if (padlen)
+ memset (r+8+inbuflen, 0, padlen);
+
+ if (inbuflen <= 8)
+ {
+ unsigned int burn;
+
+ burn = c->spec->encrypt (&c->context.c, r, r);
+ if (burn > 0)
+ _gcry_burn_stack (burn + 4 * sizeof(void *));
+ err = 0;
+ }
+ else
+ err = wrap (c, r, ((inbuflen + 7)/8)*8 + 8);
+
+ return err;
+}
+
+
+/* Perform the unwrap algorithm W^-1 as specified by NIST SP 800-38F.
+ Cipher block size must be 128-bit. */
+static gcry_err_code_t
+unwrap (gcry_cipher_hd_t c, byte *outbuf, const byte *inbuf, size_t inbuflen)
{
int j, x;
size_t n, i;
unsigned char *r, *a, *b;
unsigned char t[8];
unsigned int burn, nburn;
#if MAX_BLOCKSIZE < 8
#error Invalid block size
#endif
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
- /* The output buffer must be able to hold the input data minus one
- additional block. Fixme: The caller has more restrictive checks
- - we may want to fix them for this mode. */
- if (outbuflen + 8 < inbuflen)
- return GPG_ERR_BUFFER_TOO_SHORT;
/* Input data must be multiple of 64 bits. */
if (inbuflen % 8)
return GPG_ERR_INV_ARG;
n = inbuflen / 8;
/* We need at least three 64 bit blocks. */
if (n < 3)
return GPG_ERR_INV_ARG;
burn = 0;
r = outbuf;
a = c->lastiv; /* We use c->LASTIV as buffer for A. */
b = c->u_ctr.ctr; /* B is also used to concatenate stuff. */
/* Copy the inbuf to the outbuf and save A. */
memcpy (a, inbuf, 8);
memmove (r, inbuf+8, inbuflen-8);
n--; /* Reduce to actual number of data blocks. */
/* t := 6 * n */
i = n * 6; /* The range is valid because: n = inbuflen / 8 - 1. */
for (x=0; x < 8 && x < sizeof (i); x++)
t[7-x] = i >> (8*x);
for (; x < 8; x++)
t[7-x] = 0;
for (j = 5; j >= 0; j--)
{
for (i = n; i >= 1; i--)
{
- /* B := AES_k^1( (A ^ t)| R[i] ) */
- cipher_block_xor(b, a, t, 8);
+ /* B := CIPH_k^-1( (A ^ t)| R[i] ) */
+ cipher_block_xor (b, a, t, 8);
memcpy (b+8, r+(i-1)*8, 8);
nburn = c->spec->decrypt (&c->context.c, b, b);
burn = nburn > burn ? nburn : burn;
/* t := t - 1 */
- for (x = 7; x >= 0; x--)
- {
- t[x]--;
- if (t[x] != 0xff)
- break;
- }
+ for (x = 7; x >= 0; x--)
+ if (--t[x] != 0xff)
+ break;
/* A := MSB_64(B) */
memcpy (a, b, 8);
/* R[i] := LSB_64(B) */
memcpy (r+(i-1)*8, b+8, 8);
}
}
wipememory (b, 16); /* Clear scratch area. */
- /* If an IV has been set we compare against this Alternative Initial
- Value; if it has not been set we compare against the standard IV. */
- if (c->marks.iv)
- j = memcmp (a, c->u_iv.iv, 8);
- else
+ if (burn > 0)
+ _gcry_burn_stack (burn + 4 * sizeof(void *));
+
+ return 0;
+}
+
+
+/* Perform the Key Unwrap algorithm as specified by RFC3394. We
+ implement this as a mode usable with any cipher algorithm of
+ blocksize 128. */
+gcry_err_code_t
+_gcry_cipher_keywrap_decrypt (gcry_cipher_hd_t c,
+ byte *outbuf, size_t outbuflen,
+ const byte *inbuf, size_t inbuflen)
+{
+ gcry_err_code_t err;
+
+ /* We require a cipher with a 128 bit block length. */
+ if (c->spec->blocksize != 16)
+ return GPG_ERR_INV_LENGTH;
+
+ /* The output buffer must be able to hold the input data minus one
+ additional block. Fixme: The caller has more restrictive checks
+ - we may want to fix them for this mode. */
+ if (outbuflen + 8 < inbuflen)
+ return GPG_ERR_BUFFER_TOO_SHORT;
+ /* Input data must be multiple of 64 bits. */
+ if (inbuflen % 8)
+ return GPG_ERR_INV_ARG;
+
+ /* We need at least three 64 bit blocks. */
+ if ((inbuflen / 8) < 3)
+ return GPG_ERR_INV_ARG;
+
+ err = unwrap (c, outbuf, inbuf, inbuflen);
+ if (!err)
{
- for (j=0, x=0; x < 8; x++)
- if (a[x] != 0xa6)
- {
- j=1;
- break;
- }
+ int j, x;
+ unsigned char *a;
+
+ a = c->lastiv; /* We use c->LASTIV as buffer for A. */
+
+ /* If an IV has been set we compare against this Alternative Initial
+ Value; if it has not been set we compare against the standard IV. */
+ if (c->marks.iv)
+ j = memcmp (a, c->u_iv.iv, 8);
+ else
+ {
+ for (j=0, x=0; x < 8; x++)
+ if (a[x] != 0xa6)
+ {
+ j=1;
+ break;
+ }
+ }
+
+ if (j)
+ err = GPG_ERR_CHECKSUM;
}
- if (burn > 0)
- _gcry_burn_stack (burn + 4 * sizeof(void *));
+ return err;
+}
+
+/* Perform the Key Unwrap algorithm as specified by RFC5649. */
+gcry_err_code_t
+_gcry_cipher_keywrap_decrypt_padding (gcry_cipher_hd_t c,
+ byte *outbuf, size_t outbuflen,
+ const byte *inbuf, size_t inbuflen)
+{
+ gcry_err_code_t err;
+
+ /* We require a cipher with a 128 bit block length. */
+ if (c->spec->blocksize != 16)
+ return GPG_ERR_INV_LENGTH;
+
+ /* The output buffer must be able to hold the input data minus one
+ additional block. Fixme: The caller has more restrictive checks
+ - we may want to fix them for this mode. */
+ if (outbuflen + 8 < inbuflen)
+ return GPG_ERR_BUFFER_TOO_SHORT;
+ /* Input data must be multiple of 64 bits. */
+ if (inbuflen % 8)
+ return GPG_ERR_INV_ARG;
+
+ if (inbuflen == 16)
+ {
+ unsigned int burn;
+ unsigned char t[16];
+
+ burn = c->spec->decrypt (&c->context.c, t, inbuf);
+ if (burn > 0)
+ _gcry_burn_stack (burn + 4 * sizeof(void *));
+
+ if (memcmp (t, icv2, 4))
+ err = GPG_ERR_CHECKSUM;
+ else
+ {
+ unsigned int plen = (t[4]<<24) | (t[5]<<16) | (t[6]<<8) | t[7];
+
+ err = 0;
+ if (plen > 8)
+ err = GPG_ERR_CHECKSUM;
+ else if (plen)
+ {
+ int i;
+
+ for (i = 0; i < 16 - (8+plen); i++)
+ if (t[8+plen+i])
+ {
+ err = GPG_ERR_CHECKSUM;
+ break;
+ }
+ if (!err)
+ memcpy (outbuf, t+8, plen);
+ }
+ }
+ }
+ else
+ {
+ /* We need at least three 64 bit blocks. */
+ if ((inbuflen / 8) < 3)
+ return GPG_ERR_INV_ARG;
+
+ err = unwrap (c, outbuf, inbuf, inbuflen);
+ if (!err)
+ {
+ unsigned char *a;
+
+ a = c->lastiv; /* We use c->LASTIV as buffer for A. */
+
+ if (memcmp (a, icv2, 4))
+ err = GPG_ERR_CHECKSUM;
+ else
+ {
+ unsigned int plen = (a[4]<<24) | (a[5]<<16) | (a[6]<<8) | a[7];
+ int padlen = inbuflen - 8 - plen;
+
+ if (padlen < 0 || padlen > 7)
+ err = GPG_ERR_CHECKSUM;
+ else if (padlen)
+ {
+ int i;
+
+ for (i = 0; i < padlen; i++)
+ if (outbuf[plen+i])
+ {
+ err = GPG_ERR_CHECKSUM;
+ break;
+ }
+ }
+ }
+ }
+ }
- return j? GPG_ERR_CHECKSUM : 0;
+ return err;
}
diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index edb29628..534aa77b 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -1,937 +1,946 @@
/* cipher-internal.h - Internal defs for cipher.c
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser general Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
#ifndef G10_CIPHER_INTERNAL_H
#define G10_CIPHER_INTERNAL_H
#include "./poly1305-internal.h"
/* The maximum supported size of a block in bytes. */
#define MAX_BLOCKSIZE 16
/* The length for an OCB block. Although OCB supports any block
length it does not make sense to use a 64 bit blocklen (and cipher)
because this reduces the security margin to an unacceptable state.
Thus we require a cipher with 128 bit blocklength. */
#define OCB_BLOCK_LEN (128/8)
/* The size of the pre-computed L table for OCB. This takes the same
size as the table used for GCM and thus we don't save anything by
not using such a table. */
#define OCB_L_TABLE_SIZE 16
/* Check the above constants. */
#if OCB_BLOCK_LEN > MAX_BLOCKSIZE
# error OCB_BLOCKLEN > MAX_BLOCKSIZE
#endif
/* Magic values for the context structure. */
#define CTX_MAGIC_NORMAL 0x24091964
#define CTX_MAGIC_SECURE 0x46919042
/* Try to use 16 byte aligned cipher context for better performance.
We use the aligned attribute, thus it is only possible to implement
this with gcc. */
#undef NEED_16BYTE_ALIGNED_CONTEXT
#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
# define NEED_16BYTE_ALIGNED_CONTEXT 1
#endif
/* Undef this symbol to trade GCM speed for 256 bytes of memory per context */
#define GCM_USE_TABLES 1
/* GCM_USE_INTEL_PCLMUL indicates whether to compile GCM with Intel PCLMUL
code. */
#undef GCM_USE_INTEL_PCLMUL
#if defined(ENABLE_PCLMUL_SUPPORT) && defined(GCM_USE_TABLES)
# if ((defined(__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__))
# if __GNUC__ >= 4
# define GCM_USE_INTEL_PCLMUL 1
# endif
# endif
#endif /* GCM_USE_INTEL_PCLMUL */
/* GCM_USE_ARM_PMULL indicates whether to compile GCM with ARMv8 PMULL code. */
#undef GCM_USE_ARM_PMULL
#if defined(ENABLE_ARM_CRYPTO_SUPPORT) && defined(GCM_USE_TABLES)
# if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
&& defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
&& defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
# define GCM_USE_ARM_PMULL 1
# elif defined(__AARCH64EL__) && \
defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
# define GCM_USE_ARM_PMULL 1
# endif
#endif /* GCM_USE_ARM_PMULL */
/* GCM_USE_ARM_NEON indicates whether to compile GCM with ARMv7 NEON code. */
#undef GCM_USE_ARM_NEON
#if defined(GCM_USE_TABLES)
#if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) && \
defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) && \
defined(HAVE_GCC_INLINE_ASM_NEON)
# define GCM_USE_ARM_NEON 1
#endif
#endif /* GCM_USE_ARM_NEON */
/* GCM_USE_S390X_CRYPTO indicates whether to enable zSeries code. */
#undef GCM_USE_S390X_CRYPTO
#if defined(HAVE_GCC_INLINE_ASM_S390X)
# define GCM_USE_S390X_CRYPTO 1
#endif /* GCM_USE_S390X_CRYPTO */
/* GCM_USE_PPC_VPMSUM indicates whether to compile GCM with PPC Power 8
* polynomial multiplication instruction. */
#undef GCM_USE_PPC_VPMSUM
#if defined(GCM_USE_TABLES)
#if defined(ENABLE_PPC_CRYPTO_SUPPORT) && defined(__powerpc64__) && \
defined(HAVE_COMPATIBLE_CC_PPC_ALTIVEC) && \
defined(HAVE_GCC_INLINE_ASM_PPC_ALTIVEC) && __GNUC__ >= 4
# define GCM_USE_PPC_VPMSUM 1
# define NEED_16BYTE_ALIGNED_CONTEXT 1 /* this also aligns gcm_table */
#endif
#endif /* GCM_USE_PPC_VPMSUM */
typedef unsigned int (*ghash_fn_t) (gcry_cipher_hd_t c, byte *result,
const byte *buf, size_t nblocks);
/* A structure with function pointers for mode operations. */
typedef struct cipher_mode_ops
{
gcry_err_code_t (*encrypt)(gcry_cipher_hd_t c, unsigned char *outbuf,
size_t outbuflen, const unsigned char *inbuf,
size_t inbuflen);
gcry_err_code_t (*decrypt)(gcry_cipher_hd_t c, unsigned char *outbuf,
size_t outbuflen, const unsigned char *inbuf,
size_t inbuflen);
gcry_err_code_t (*setiv)(gcry_cipher_hd_t c, const unsigned char *iv,
size_t ivlen);
gcry_err_code_t (*authenticate)(gcry_cipher_hd_t c,
const unsigned char *abuf, size_t abuflen);
gcry_err_code_t (*get_tag)(gcry_cipher_hd_t c, unsigned char *outtag,
size_t taglen);
gcry_err_code_t (*check_tag)(gcry_cipher_hd_t c, const unsigned char *intag,
size_t taglen);
} cipher_mode_ops_t;
/* A structure with function pointers for bulk operations. The cipher
algorithm setkey function initializes them when bulk operations are
available and the actual encryption routines use them if they are
not NULL. */
typedef struct cipher_bulk_ops
{
void (*cfb_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*cfb_dec)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*cbc_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int cbc_mac);
void (*cbc_dec)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*ofb_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*ctr_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*ctr32le_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
size_t (*ocb_crypt)(gcry_cipher_hd_t c, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int encrypt);
size_t (*ocb_auth)(gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks);
void (*xts_crypt)(void *context, unsigned char *tweak, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int encrypt);
size_t (*gcm_crypt)(gcry_cipher_hd_t c, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int encrypt);
} cipher_bulk_ops_t;
/* A VIA processor with the Padlock engine as well as the Intel AES_NI
instructions require an alignment of most data on a 16 byte
boundary. Because we trick out the compiler while allocating the
context, the align attribute as used in rijndael.c does not work on
its own. Thus we need to make sure that the entire context
structure is a aligned on that boundary. We achieve this by
defining a new type and use that instead of our usual alignment
type. */
typedef union
{
PROPERLY_ALIGNED_TYPE foo;
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
char bar[16] __attribute__ ((aligned (16)));
#endif
char c[1];
} cipher_context_alignment_t;
/* Storage structure for CMAC, for CMAC and EAX modes. */
typedef struct {
/* The initialization vector. Also contains tag after finalization. */
union {
cipher_context_alignment_t iv_align;
unsigned char iv[MAX_BLOCKSIZE];
} u_iv;
/* Subkeys for tag creation, not cleared by gcry_cipher_reset. */
unsigned char subkeys[2][MAX_BLOCKSIZE];
/* Space to save partial input lengths for MAC. */
unsigned char macbuf[MAX_BLOCKSIZE];
int mac_unused; /* Number of unprocessed bytes in MACBUF. */
unsigned int tag:1; /* Set to 1 if tag has been finalized. */
} gcry_cmac_context_t;
/* The handle structure. */
struct gcry_cipher_handle
{
int magic;
size_t actual_handle_size; /* Allocated size of this handle. */
size_t handle_offset; /* Offset to the malloced block. */
gcry_cipher_spec_t *spec;
/* The algorithm id. This is a hack required because the module
interface does not easily allow to retrieve this value. */
int algo;
/* A structure with function pointers for mode operations. */
cipher_mode_ops_t mode_ops;
/* A structure with function pointers for bulk operations. Due to
limitations of the module system (we don't want to change the
API) we need to keep these function pointers here. */
cipher_bulk_ops_t bulk;
int mode;
unsigned int flags;
struct {
unsigned int key:1; /* Set to 1 if a key has been set. */
unsigned int iv:1; /* Set to 1 if a IV has been set. */
unsigned int tag:1; /* Set to 1 if a tag is finalized. */
unsigned int finalize:1; /* Next encrypt/decrypt has the final data. */
unsigned int allow_weak_key:1; /* Set to 1 if weak keys are allowed. */
} marks;
/* The initialization vector. For best performance we make sure
that it is properly aligned. In particular some implementations
of bulk operations expect an 16 byte aligned IV. IV is also used
to store CBC-MAC in CCM mode; counter IV is stored in U_CTR. For
OCB mode it is used for the offset value. */
union {
cipher_context_alignment_t iv_align;
unsigned char iv[MAX_BLOCKSIZE];
} u_iv;
/* The counter for CTR mode. This field is also used by AESWRAP and
thus we can't use the U_IV union. For OCB mode it is used for
the checksum. */
union {
cipher_context_alignment_t iv_align;
unsigned char ctr[MAX_BLOCKSIZE];
} u_ctr;
/* Space to save an IV or CTR for chaining operations. */
unsigned char lastiv[MAX_BLOCKSIZE];
int unused; /* Number of unused bytes in LASTIV. */
union {
/* Mode specific storage for CCM mode. */
struct {
u64 encryptlen;
u64 aadlen;
unsigned int authlen;
/* Space to save partial input lengths for MAC. */
unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
int mac_unused; /* Number of unprocessed bytes in MACBUF. */
unsigned char s0[GCRY_CCM_BLOCK_LEN];
unsigned int nonce:1; /* Set to 1 if nonce has been set. */
unsigned int lengths:1; /* Set to 1 if CCM length parameters has been
processed. */
} ccm;
/* Mode specific storage for Poly1305 mode. */
struct {
/* byte counter for AAD. */
u32 aadcount[2];
/* byte counter for data. */
u32 datacount[2];
unsigned int aad_finalized:1;
unsigned int bytecount_over_limits:1;
poly1305_context_t ctx;
} poly1305;
/* Mode specific storage for CMAC mode. */
gcry_cmac_context_t cmac;
/* Mode specific storage for EAX mode. */
struct {
/* CMAC for header (AAD). */
gcry_cmac_context_t cmac_header;
/* CMAC for ciphertext. */
gcry_cmac_context_t cmac_ciphertext;
} eax;
/* Mode specific storage for GCM mode and GCM-SIV mode. */
struct {
/* The interim tag for GCM mode. */
union {
cipher_context_alignment_t iv_align;
unsigned char tag[MAX_BLOCKSIZE];
} u_tag;
/* Space to save partial input lengths for MAC. */
unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
int mac_unused; /* Number of unprocessed bytes in MACBUF. */
/* byte counters for GCM */
u32 aadlen[2];
u32 datalen[2];
/* encrypted tag counter */
unsigned char tagiv[MAX_BLOCKSIZE];
unsigned int ghash_data_finalized:1;
unsigned int ghash_aad_finalized:1;
unsigned int datalen_over_limits:1;
unsigned int disallow_encryption_because_of_setiv_in_fips_mode:1;
/* --- Following members are not cleared in gcry_cipher_reset --- */
/* GHASH multiplier from key. */
union {
cipher_context_alignment_t iv_align;
unsigned char key[MAX_BLOCKSIZE];
} u_ghash_key;
/* Pre-calculated table for GCM. */
#ifdef GCM_USE_TABLES
#if (SIZEOF_UNSIGNED_LONG == 8 || defined(__x86_64__))
#define GCM_TABLES_USE_U64 1
u64 gcm_table[4 * 16];
#else
#undef GCM_TABLES_USE_U64
u32 gcm_table[8 * 16];
#endif
#endif
/* GHASH implementation in use. */
ghash_fn_t ghash_fn;
/* POLYVAL implementation in use (GCM-SIV). */
ghash_fn_t polyval_fn;
/* Key length used for GCM-SIV key generating key. */
unsigned int siv_keylen;
} gcm;
/* Mode specific storage for OCB mode. */
struct {
/* --- Following members are not cleared in gcry_cipher_reset --- */
/* Helper variables and pre-computed table of L values. */
unsigned char L_star[OCB_BLOCK_LEN];
unsigned char L_dollar[OCB_BLOCK_LEN];
unsigned char L0L1[OCB_BLOCK_LEN];
unsigned char L[OCB_L_TABLE_SIZE][OCB_BLOCK_LEN];
/* --- Following members are cleared in gcry_cipher_reset --- */
/* The tag is valid if marks.tag has been set. */
unsigned char tag[OCB_BLOCK_LEN];
/* A buffer to hold the offset for the AAD processing. */
unsigned char aad_offset[OCB_BLOCK_LEN];
/* A buffer to hold the current sum of AAD processing. We can't
use tag here because tag may already hold the preprocessed
checksum of the data. */
unsigned char aad_sum[OCB_BLOCK_LEN];
/* A buffer to store AAD data not yet processed. */
unsigned char aad_leftover[OCB_BLOCK_LEN];
/* Number of data/aad blocks processed so far. */
u64 data_nblocks;
u64 aad_nblocks;
/* Number of valid bytes in AAD_LEFTOVER. */
unsigned char aad_nleftover;
/* Length of the tag. Fixed for now but may eventually be
specified using a set of gcry_cipher_flags. */
unsigned char taglen;
/* Flags indicating that the final data/aad block has been
processed. */
unsigned int data_finalized:1;
unsigned int aad_finalized:1;
} ocb;
/* Mode specific storage for XTS mode. */
struct {
/* Pointer to tweak cipher context, allocated after actual
* cipher context. */
char *tweak_context;
} xts;
/* Mode specific storage for SIV mode. */
struct {
/* Tag used for decryption. */
unsigned char dec_tag[GCRY_SIV_BLOCK_LEN];
/* S2V state. */
unsigned char s2v_d[GCRY_SIV_BLOCK_LEN];
/* Number of AAD elements processed. */
unsigned int aad_count:8;
/* Flags for SIV state. */
unsigned int dec_tag_set:1;
/* --- Following members are not cleared in gcry_cipher_reset --- */
/* S2V CMAC state. */
gcry_cmac_context_t s2v_cmac;
unsigned char s2v_zero_block[GCRY_SIV_BLOCK_LEN];
/* Pointer to CTR cipher context, allocated after actual
* cipher context. */
char *ctr_context;
} siv;
} u_mode;
/* What follows are two contexts of the cipher in use. The first
one needs to be aligned well enough for the cipher operation
whereas the second one is a copy created by cipher_setkey and
used by cipher_reset. That second copy has no need for proper
aligment because it is only accessed by memcpy. */
cipher_context_alignment_t context;
};
/*-- cipher-cbc.c --*/
gcry_err_code_t _gcry_cipher_cbc_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cbc_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cbc_cts_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cbc_cts_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-cfb.c --*/
gcry_err_code_t _gcry_cipher_cfb_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cfb_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cfb8_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cfb8_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-ofb.c --*/
gcry_err_code_t _gcry_cipher_ofb_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-ctr.c --*/
gcry_err_code_t _gcry_cipher_ctr_encrypt_ctx
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen,
void *algo_context);
gcry_err_code_t _gcry_cipher_ctr_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-aeswrap.c --*/
-gcry_err_code_t _gcry_cipher_aeswrap_encrypt
+gcry_err_code_t _gcry_cipher_keywrap_encrypt
/* */ (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen);
-gcry_err_code_t _gcry_cipher_aeswrap_decrypt
+gcry_err_code_t _gcry_cipher_keywrap_decrypt
+/* */ (gcry_cipher_hd_t c,
+ byte *outbuf, size_t outbuflen,
+ const byte *inbuf, size_t inbuflen);
+gcry_err_code_t
+_gcry_cipher_keywrap_encrypt_padding
+/* */ (gcry_cipher_hd_t c,
+ byte *outbuf, size_t outbuflen,
+ const byte *inbuf, size_t inbuflen);
+gcry_err_code_t _gcry_cipher_keywrap_decrypt_padding
/* */ (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen);
/*-- cipher-ccm.c --*/
gcry_err_code_t _gcry_cipher_ccm_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ccm_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ccm_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_ccm_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_ccm_set_lengths
/* */ (gcry_cipher_hd_t c, u64 encryptedlen, u64 aadlen, u64 taglen);
gcry_err_code_t _gcry_cipher_ccm_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_ccm_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
/*-- cipher-cmac.c --*/
gcry_err_code_t _gcry_cmac_generate_subkeys
/* */ (gcry_cipher_hd_t c, gcry_cmac_context_t *ctx);
gcry_err_code_t _gcry_cmac_write
/* */ (gcry_cipher_hd_t c, gcry_cmac_context_t *ctx,
const byte * inbuf, size_t inlen);
gcry_err_code_t _gcry_cmac_final
/* */ (gcry_cipher_hd_t c, gcry_cmac_context_t *ctx);
void _gcry_cmac_reset (gcry_cmac_context_t *ctx);
/*-- cipher-eax.c --*/
gcry_err_code_t _gcry_cipher_eax_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_eax_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_eax_set_nonce
/* */ (gcry_cipher_hd_t c,
const unsigned char *nonce, size_t noncelen);
gcry_err_code_t _gcry_cipher_eax_authenticate
/* */ (gcry_cipher_hd_t c,
const unsigned char *aadbuf, size_t aadbuflen);
gcry_err_code_t _gcry_cipher_eax_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_eax_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
gcry_err_code_t _gcry_cipher_eax_setkey
/* */ (gcry_cipher_hd_t c);
/*-- cipher-gcm.c --*/
gcry_err_code_t _gcry_cipher_gcm_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_setiv
/* */ (gcry_cipher_hd_t c,
const unsigned char *iv, size_t ivlen);
gcry_err_code_t _gcry_cipher_gcm_authenticate
/* */ (gcry_cipher_hd_t c,
const unsigned char *aadbuf, size_t aadbuflen);
gcry_err_code_t _gcry_cipher_gcm_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
void _gcry_cipher_gcm_setkey
/* */ (gcry_cipher_hd_t c);
void _gcry_cipher_gcm_setupM
/* */ (gcry_cipher_hd_t c);
/*-- cipher-poly1305.c --*/
gcry_err_code_t _gcry_cipher_poly1305_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_poly1305_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_poly1305_setiv
/* */ (gcry_cipher_hd_t c,
const unsigned char *iv, size_t ivlen);
gcry_err_code_t _gcry_cipher_poly1305_authenticate
/* */ (gcry_cipher_hd_t c,
const unsigned char *aadbuf, size_t aadbuflen);
gcry_err_code_t _gcry_cipher_poly1305_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_poly1305_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
void _gcry_cipher_poly1305_setkey
/* */ (gcry_cipher_hd_t c);
/*-- chacha20.c --*/
gcry_err_code_t _gcry_chacha20_poly1305_encrypt
/* */ (gcry_cipher_hd_t c, byte *outbuf, const byte *inbuf,
size_t length);
gcry_err_code_t _gcry_chacha20_poly1305_decrypt
/* */ (gcry_cipher_hd_t c, byte *outbuf, const byte *inbuf,
size_t length);
/*-- cipher-ocb.c --*/
gcry_err_code_t _gcry_cipher_ocb_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ocb_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ocb_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_ocb_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_ocb_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_ocb_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
void _gcry_cipher_ocb_setkey
/* */ (gcry_cipher_hd_t c);
/*-- cipher-xts.c --*/
gcry_err_code_t _gcry_cipher_xts_encrypt
/* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_xts_decrypt
/* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-siv.c --*/
gcry_err_code_t _gcry_cipher_siv_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_siv_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_siv_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_siv_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_siv_set_decryption_tag
/* */ (gcry_cipher_hd_t c, const byte *tag, size_t taglen);
gcry_err_code_t _gcry_cipher_siv_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_siv_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
gcry_err_code_t _gcry_cipher_siv_setkey
/* */ (gcry_cipher_hd_t c,
const unsigned char *ctrkey, size_t ctrkeylen);
/*-- cipher-gcm-siv.c --*/
gcry_err_code_t _gcry_cipher_gcm_siv_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_siv_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_siv_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_gcm_siv_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_gcm_siv_set_decryption_tag
/* */ (gcry_cipher_hd_t c, const byte *tag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_siv_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_siv_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_siv_setkey
/* */ (gcry_cipher_hd_t c, unsigned int keylen);
/* Return the L-value for block N. Note: 'cipher_ocb.c' ensures that N
* will never be multiple of 65536 (1 << OCB_L_TABLE_SIZE), thus N can
* be directly passed to _gcry_ctz() function and resulting index will
* never overflow the table. */
static inline const unsigned char *
ocb_get_l (gcry_cipher_hd_t c, u64 n)
{
unsigned long ntz;
#if ((defined(__i386__) || defined(__x86_64__)) && __GNUC__ >= 4)
/* Assumes that N != 0. */
asm ("rep;bsfl %k[low], %k[ntz]\n\t"
: [ntz] "=r" (ntz)
: [low] "r" ((unsigned long)n)
: "cc");
#else
ntz = _gcry_ctz (n);
#endif
return c->u_mode.ocb.L[ntz];
}
/* Return bit-shift of blocksize. */
static inline unsigned int _gcry_blocksize_shift(gcry_cipher_hd_t c)
{
/* Only blocksizes 8 and 16 are used. Return value in such way
* that compiler can optimize calling functions based on this. */
return c->spec->blocksize == 8 ? 3 : 4;
}
/* Optimized function for adding value to cipher block. */
static inline void
cipher_block_add(void *_dstsrc, unsigned int add, size_t blocksize)
{
byte *dstsrc = _dstsrc;
u64 s[2];
if (blocksize == 8)
{
buf_put_be64(dstsrc + 0, buf_get_be64(dstsrc + 0) + add);
}
else /* blocksize == 16 */
{
s[0] = buf_get_be64(dstsrc + 8);
s[1] = buf_get_be64(dstsrc + 0);
s[0] += add;
s[1] += (s[0] < add);
buf_put_be64(dstsrc + 8, s[0]);
buf_put_be64(dstsrc + 0, s[1]);
}
}
/* Optimized function for cipher block copying */
static inline void
cipher_block_cpy(void *_dst, const void *_src, size_t blocksize)
{
byte *dst = _dst;
const byte *src = _src;
u64 s[2];
if (blocksize == 8)
{
buf_put_he64(dst + 0, buf_get_he64(src + 0));
}
else /* blocksize == 16 */
{
s[0] = buf_get_he64(src + 0);
s[1] = buf_get_he64(src + 8);
buf_put_he64(dst + 0, s[0]);
buf_put_he64(dst + 8, s[1]);
}
}
/* Optimized function for cipher block xoring */
static inline void
cipher_block_xor(void *_dst, const void *_src1, const void *_src2,
size_t blocksize)
{
byte *dst = _dst;
const byte *src1 = _src1;
const byte *src2 = _src2;
u64 s1[2];
u64 s2[2];
if (blocksize == 8)
{
buf_put_he64(dst + 0, buf_get_he64(src1 + 0) ^ buf_get_he64(src2 + 0));
}
else /* blocksize == 16 */
{
s1[0] = buf_get_he64(src1 + 0);
s1[1] = buf_get_he64(src1 + 8);
s2[0] = buf_get_he64(src2 + 0);
s2[1] = buf_get_he64(src2 + 8);
buf_put_he64(dst + 0, s1[0] ^ s2[0]);
buf_put_he64(dst + 8, s1[1] ^ s2[1]);
}
}
/* Optimized function for in-place cipher block xoring */
static inline void
cipher_block_xor_1(void *_dst, const void *_src, size_t blocksize)
{
cipher_block_xor (_dst, _dst, _src, blocksize);
}
/* Optimized function for cipher block xoring with two destination cipher
blocks. Used mainly by CFB mode encryption. */
static inline void
cipher_block_xor_2dst(void *_dst1, void *_dst2, const void *_src,
size_t blocksize)
{
byte *dst1 = _dst1;
byte *dst2 = _dst2;
const byte *src = _src;
u64 d2[2];
u64 s[2];
if (blocksize == 8)
{
d2[0] = buf_get_he64(dst2 + 0) ^ buf_get_he64(src + 0);
buf_put_he64(dst2 + 0, d2[0]);
buf_put_he64(dst1 + 0, d2[0]);
}
else /* blocksize == 16 */
{
s[0] = buf_get_he64(src + 0);
s[1] = buf_get_he64(src + 8);
d2[0] = buf_get_he64(dst2 + 0);
d2[1] = buf_get_he64(dst2 + 8);
d2[0] = d2[0] ^ s[0];
d2[1] = d2[1] ^ s[1];
buf_put_he64(dst2 + 0, d2[0]);
buf_put_he64(dst2 + 8, d2[1]);
buf_put_he64(dst1 + 0, d2[0]);
buf_put_he64(dst1 + 8, d2[1]);
}
}
/* Optimized function for combined cipher block xoring and copying.
Used by mainly CBC mode decryption. */
static inline void
cipher_block_xor_n_copy_2(void *_dst_xor, const void *_src_xor,
void *_srcdst_cpy, const void *_src_cpy,
size_t blocksize)
{
byte *dst_xor = _dst_xor;
byte *srcdst_cpy = _srcdst_cpy;
const byte *src_xor = _src_xor;
const byte *src_cpy = _src_cpy;
u64 sc[2];
u64 sx[2];
u64 sdc[2];
if (blocksize == 8)
{
sc[0] = buf_get_he64(src_cpy + 0);
buf_put_he64(dst_xor + 0,
buf_get_he64(srcdst_cpy + 0) ^ buf_get_he64(src_xor + 0));
buf_put_he64(srcdst_cpy + 0, sc[0]);
}
else /* blocksize == 16 */
{
sc[0] = buf_get_he64(src_cpy + 0);
sc[1] = buf_get_he64(src_cpy + 8);
sx[0] = buf_get_he64(src_xor + 0);
sx[1] = buf_get_he64(src_xor + 8);
sdc[0] = buf_get_he64(srcdst_cpy + 0);
sdc[1] = buf_get_he64(srcdst_cpy + 8);
sx[0] ^= sdc[0];
sx[1] ^= sdc[1];
buf_put_he64(dst_xor + 0, sx[0]);
buf_put_he64(dst_xor + 8, sx[1]);
buf_put_he64(srcdst_cpy + 0, sc[0]);
buf_put_he64(srcdst_cpy + 8, sc[1]);
}
}
/* Optimized function for combined cipher block byte-swapping. */
static inline void
cipher_block_bswap (void *_dst_bswap, const void *_src_bswap,
size_t blocksize)
{
byte *dst_bswap = _dst_bswap;
const byte *src_bswap = _src_bswap;
u64 t[2];
if (blocksize == 8)
{
buf_put_le64(dst_bswap, buf_get_be64(src_bswap));
}
else
{
t[0] = buf_get_be64(src_bswap + 0);
t[1] = buf_get_be64(src_bswap + 8);
buf_put_le64(dst_bswap + 8, t[0]);
buf_put_le64(dst_bswap + 0, t[1]);
}
}
/* Optimized function for combined cipher block xoring and copying.
Used by mainly CFB mode decryption. */
static inline void
cipher_block_xor_n_copy(void *_dst_xor, void *_srcdst_cpy, const void *_src,
size_t blocksize)
{
cipher_block_xor_n_copy_2(_dst_xor, _src, _srcdst_cpy, _src, blocksize);
}
#endif /*G10_CIPHER_INTERNAL_H*/
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 3e3eb2dc..5516cfec 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -1,1895 +1,1904 @@
/* cipher.c - cipher dispatcher
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
* 2005, 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
* Copyright (C) 2013 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser general Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "g10lib.h"
#include "../src/gcrypt-testapi.h"
#include "cipher.h"
#include "./cipher-internal.h"
/* This is the list of the default ciphers, which are included in
libgcrypt. */
static gcry_cipher_spec_t * const cipher_list[] =
{
#if USE_BLOWFISH
&_gcry_cipher_spec_blowfish,
#endif
#if USE_DES
&_gcry_cipher_spec_des,
&_gcry_cipher_spec_tripledes,
#endif
#if USE_ARCFOUR
&_gcry_cipher_spec_arcfour,
#endif
#if USE_CAST5
&_gcry_cipher_spec_cast5,
#endif
#if USE_AES
&_gcry_cipher_spec_aes,
&_gcry_cipher_spec_aes192,
&_gcry_cipher_spec_aes256,
#endif
#if USE_TWOFISH
&_gcry_cipher_spec_twofish,
&_gcry_cipher_spec_twofish128,
#endif
#if USE_SERPENT
&_gcry_cipher_spec_serpent128,
&_gcry_cipher_spec_serpent192,
&_gcry_cipher_spec_serpent256,
#endif
#if USE_RFC2268
&_gcry_cipher_spec_rfc2268_40,
&_gcry_cipher_spec_rfc2268_128,
#endif
#if USE_SEED
&_gcry_cipher_spec_seed,
#endif
#if USE_CAMELLIA
&_gcry_cipher_spec_camellia128,
&_gcry_cipher_spec_camellia192,
&_gcry_cipher_spec_camellia256,
#endif
#if USE_IDEA
&_gcry_cipher_spec_idea,
#endif
#if USE_SALSA20
&_gcry_cipher_spec_salsa20,
&_gcry_cipher_spec_salsa20r12,
#endif
#if USE_GOST28147
&_gcry_cipher_spec_gost28147,
&_gcry_cipher_spec_gost28147_mesh,
#endif
#if USE_CHACHA20
&_gcry_cipher_spec_chacha20,
#endif
#if USE_SM4
&_gcry_cipher_spec_sm4,
#endif
NULL
};
/* Cipher implementations starting with index 0 (enum gcry_cipher_algos) */
static gcry_cipher_spec_t * const cipher_list_algo0[] =
{
NULL, /* GCRY_CIPHER_NONE */
#if USE_IDEA
&_gcry_cipher_spec_idea,
#else
NULL,
#endif
#if USE_DES
&_gcry_cipher_spec_tripledes,
#else
NULL,
#endif
#if USE_CAST5
&_gcry_cipher_spec_cast5,
#else
NULL,
#endif
#if USE_BLOWFISH
&_gcry_cipher_spec_blowfish,
#else
NULL,
#endif
NULL, /* GCRY_CIPHER_SAFER_SK128 */
NULL, /* GCRY_CIPHER_DES_SK */
#if USE_AES
&_gcry_cipher_spec_aes,
&_gcry_cipher_spec_aes192,
&_gcry_cipher_spec_aes256,
#else
NULL,
NULL,
NULL,
#endif
#if USE_TWOFISH
&_gcry_cipher_spec_twofish
#else
NULL
#endif
};
/* Cipher implementations starting with index 301 (enum gcry_cipher_algos) */
static gcry_cipher_spec_t * const cipher_list_algo301[] =
{
#if USE_ARCFOUR
&_gcry_cipher_spec_arcfour,
#else
NULL,
#endif
#if USE_DES
&_gcry_cipher_spec_des,
#else
NULL,
#endif
#if USE_TWOFISH
&_gcry_cipher_spec_twofish128,
#else
NULL,
#endif
#if USE_SERPENT
&_gcry_cipher_spec_serpent128,
&_gcry_cipher_spec_serpent192,
&_gcry_cipher_spec_serpent256,
#else
NULL,
NULL,
NULL,
#endif
#if USE_RFC2268
&_gcry_cipher_spec_rfc2268_40,
&_gcry_cipher_spec_rfc2268_128,
#else
NULL,
NULL,
#endif
#if USE_SEED
&_gcry_cipher_spec_seed,
#else
NULL,
#endif
#if USE_CAMELLIA
&_gcry_cipher_spec_camellia128,
&_gcry_cipher_spec_camellia192,
&_gcry_cipher_spec_camellia256,
#else
NULL,
NULL,
NULL,
#endif
#if USE_SALSA20
&_gcry_cipher_spec_salsa20,
&_gcry_cipher_spec_salsa20r12,
#else
NULL,
NULL,
#endif
#if USE_GOST28147
&_gcry_cipher_spec_gost28147,
#else
NULL,
#endif
#if USE_CHACHA20
&_gcry_cipher_spec_chacha20,
#else
NULL,
#endif
#if USE_GOST28147
&_gcry_cipher_spec_gost28147_mesh,
#else
NULL,
#endif
#if USE_SM4
&_gcry_cipher_spec_sm4,
#else
NULL,
#endif
};
static void _gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode);
�
static int
map_algo (int algo)
{
return algo;
}
/* Return the spec structure for the cipher algorithm ALGO. For
an unknown algorithm NULL is returned. */
static gcry_cipher_spec_t *
spec_from_algo (int algo)
{
gcry_cipher_spec_t *spec = NULL;
algo = map_algo (algo);
if (algo >= 0 && algo < DIM(cipher_list_algo0))
spec = cipher_list_algo0[algo];
else if (algo >= 301 && algo < 301 + DIM(cipher_list_algo301))
spec = cipher_list_algo301[algo - 301];
if (spec)
gcry_assert (spec->algo == algo);
return spec;
}
/* Lookup a cipher's spec by its name. */
static gcry_cipher_spec_t *
spec_from_name (const char *name)
{
gcry_cipher_spec_t *spec;
int idx;
const char **aliases;
for (idx=0; (spec = cipher_list[idx]); idx++)
{
if (!stricmp (name, spec->name))
return spec;
if (spec->aliases)
{
for (aliases = spec->aliases; *aliases; aliases++)
if (!stricmp (name, *aliases))
return spec;
}
}
return NULL;
}
/* Lookup a cipher's spec by its OID. */
static gcry_cipher_spec_t *
spec_from_oid (const char *oid)
{
gcry_cipher_spec_t *spec;
gcry_cipher_oid_spec_t *oid_specs;
int idx, j;
for (idx=0; (spec = cipher_list[idx]); idx++)
{
oid_specs = spec->oids;
if (oid_specs)
{
for (j = 0; oid_specs[j].oid; j++)
if (!stricmp (oid, oid_specs[j].oid))
return spec;
}
}
return NULL;
}
/* Locate the OID in the oid table and return the spec or NULL if not
found. An optional "oid." or "OID." prefix in OID is ignored, the
OID is expected to be in standard IETF dotted notation. A pointer
to the OID specification of the module implementing this algorithm
is return in OID_SPEC unless passed as NULL.*/
static gcry_cipher_spec_t *
search_oid (const char *oid, gcry_cipher_oid_spec_t *oid_spec)
{
gcry_cipher_spec_t *spec;
int i;
if (!oid)
return NULL;
if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
oid += 4;
spec = spec_from_oid (oid);
if (spec && spec->oids)
{
for (i = 0; spec->oids[i].oid; i++)
if (!stricmp (oid, spec->oids[i].oid))
{
if (oid_spec)
*oid_spec = spec->oids[i];
return spec;
}
}
return NULL;
}
/* Map STRING to the cipher algorithm identifier. Returns the
algorithm ID of the cipher for the given name or 0 if the name is
not known. It is valid to pass NULL for STRING which results in a
return value of 0. */
int
_gcry_cipher_map_name (const char *string)
{
gcry_cipher_spec_t *spec;
if (!string)
return 0;
/* If the string starts with a digit (optionally prefixed with
either "OID." or "oid."), we first look into our table of ASN.1
object identifiers to figure out the algorithm */
spec = search_oid (string, NULL);
if (spec)
return spec->algo;
spec = spec_from_name (string);
if (spec)
return spec->algo;
return 0;
}
/* Given a STRING with an OID in dotted decimal notation, this
function returns the cipher mode (GCRY_CIPHER_MODE_*) associated
with that OID or 0 if no mode is known. Passing NULL for string
yields a return value of 0. */
int
_gcry_cipher_mode_from_oid (const char *string)
{
gcry_cipher_spec_t *spec;
gcry_cipher_oid_spec_t oid_spec;
if (!string)
return 0;
spec = search_oid (string, &oid_spec);
if (spec)
return oid_spec.mode;
return 0;
}
/* Map the cipher algorithm identifier ALGORITHM to a string
representing this algorithm. This string is the default name as
used by Libgcrypt. A "?" is returned for an unknown algorithm.
NULL is never returned. */
const char *
_gcry_cipher_algo_name (int algorithm)
{
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algorithm);
return spec? spec->name : "?";
}
/* Flag the cipher algorithm with the identifier ALGORITHM as
disabled. There is no error return, the function does nothing for
unknown algorithms. Disabled algorithms are virtually not
available in Libgcrypt. This is not thread safe and should thus be
called early. */
static void
disable_cipher_algo (int algo)
{
gcry_cipher_spec_t *spec = spec_from_algo (algo);
if (spec)
spec->flags.disabled = 1;
}
/* Return 0 if the cipher algorithm with identifier ALGORITHM is
available. Returns a basic error code value if it is not
available. */
static gcry_err_code_t
check_cipher_algo (int algorithm)
{
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algorithm);
if (spec && !spec->flags.disabled)
return 0;
return GPG_ERR_CIPHER_ALGO;
}
/* Return the standard length in bits of the key for the cipher
algorithm with the identifier ALGORITHM. */
static unsigned int
cipher_get_keylen (int algorithm)
{
gcry_cipher_spec_t *spec;
unsigned len = 0;
spec = spec_from_algo (algorithm);
if (spec)
{
len = spec->keylen;
if (!len)
log_bug ("cipher %d w/o key length\n", algorithm);
}
return len;
}
/* Return the block length of the cipher algorithm with the identifier
ALGORITHM. This function return 0 for an invalid algorithm. */
static unsigned int
cipher_get_blocksize (int algorithm)
{
gcry_cipher_spec_t *spec;
unsigned len = 0;
spec = spec_from_algo (algorithm);
if (spec)
{
len = spec->blocksize;
if (!len)
log_bug ("cipher %d w/o blocksize\n", algorithm);
}
return len;
}
/*
Open a cipher handle for use with cipher algorithm ALGORITHM, using
the cipher mode MODE (one of the GCRY_CIPHER_MODE_*) and return a
handle in HANDLE. Put NULL into HANDLE and return an error code if
something goes wrong. FLAGS may be used to modify the
operation. The defined flags are:
GCRY_CIPHER_SECURE: allocate all internal buffers in secure memory.
GCRY_CIPHER_ENABLE_SYNC: Enable the sync operation as used in OpenPGP.
GCRY_CIPHER_CBC_CTS: Enable CTS mode.
GCRY_CIPHER_CBC_MAC: Enable MAC mode.
Values for these flags may be combined using OR.
*/
gcry_err_code_t
_gcry_cipher_open (gcry_cipher_hd_t *handle,
int algo, int mode, unsigned int flags)
{
gcry_err_code_t rc;
gcry_cipher_hd_t h = NULL;
if (mode >= GCRY_CIPHER_MODE_INTERNAL)
rc = GPG_ERR_INV_CIPHER_MODE;
else
rc = _gcry_cipher_open_internal (&h, algo, mode, flags);
*handle = rc ? NULL : h;
return rc;
}
gcry_err_code_t
_gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
int algo, int mode, unsigned int flags)
{
int secure = (flags & GCRY_CIPHER_SECURE);
gcry_cipher_spec_t *spec;
gcry_cipher_hd_t h = NULL;
gcry_err_code_t err;
/* If the application missed to call the random poll function, we do
it here to ensure that it is used once in a while. */
_gcry_fast_random_poll ();
spec = spec_from_algo (algo);
if (!spec)
err = GPG_ERR_CIPHER_ALGO;
else if (spec->flags.disabled)
err = GPG_ERR_CIPHER_ALGO;
else
err = 0;
/* check flags */
if ((! err)
&& ((flags & ~(0
| GCRY_CIPHER_SECURE
| GCRY_CIPHER_ENABLE_SYNC
| GCRY_CIPHER_CBC_CTS
- | GCRY_CIPHER_CBC_MAC))
+ | GCRY_CIPHER_CBC_MAC
+ | GCRY_CIPHER_EXTENDED))
|| ((flags & GCRY_CIPHER_CBC_CTS) && (flags & GCRY_CIPHER_CBC_MAC))))
err = GPG_ERR_CIPHER_ALGO;
/* check that a valid mode has been requested */
if (! err)
switch (mode)
{
case GCRY_CIPHER_MODE_ECB:
case GCRY_CIPHER_MODE_CBC:
case GCRY_CIPHER_MODE_CFB:
case GCRY_CIPHER_MODE_CFB8:
case GCRY_CIPHER_MODE_OFB:
case GCRY_CIPHER_MODE_CTR:
case GCRY_CIPHER_MODE_AESWRAP:
case GCRY_CIPHER_MODE_CMAC:
case GCRY_CIPHER_MODE_EAX:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_CCM:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_CCM_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_XTS:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_XTS_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_GCM:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_GCM_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_SIV:
case GCRY_CIPHER_MODE_GCM_SIV:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_SIV_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_POLY1305:
if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->algo != GCRY_CIPHER_CHACHA20)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_OCB:
/* Note that our implementation allows only for 128 bit block
length algorithms. Lower block lengths would be possible
but we do not implement them because they limit the
security too much. */
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_OCB_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_STREAM:
if (!spec->stencrypt || !spec->stdecrypt)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_NONE:
/* This mode may be used for debugging. It copies the main
text verbatim to the ciphertext. We do not allow this in
fips mode or if no debug flag has been set. */
if (fips_mode () || !_gcry_get_debug_flag (0))
err = GPG_ERR_INV_CIPHER_MODE;
break;
default:
err = GPG_ERR_INV_CIPHER_MODE;
}
/* Perform selftest here and mark this with a flag in cipher_table?
No, we should not do this as it takes too long. Further it does
not make sense to exclude algorithms with failing selftests at
runtime: If a selftest fails there is something seriously wrong
with the system and thus we better die immediately. */
if (! err)
{
size_t size = (sizeof (*h)
+ 2 * spec->contextsize
- sizeof (cipher_context_alignment_t)
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
+ 15 /* Space for leading alignment gap. */
#endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
);
/* Space needed per mode. */
switch (mode)
{
case GCRY_CIPHER_MODE_XTS:
case GCRY_CIPHER_MODE_SIV:
/* Additional cipher context for tweak. */
size += 2 * spec->contextsize + 15;
break;
default:
break;
}
if (secure)
h = xtrycalloc_secure (1, size);
else
h = xtrycalloc (1, size);
if (! h)
err = gpg_err_code_from_syserror ();
else
{
size_t off = 0;
char *tc;
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
if ( ((uintptr_t)h & 0x0f) )
{
/* The malloced block is not aligned on a 16 byte
boundary. Correct for this. */
off = 16 - ((uintptr_t)h & 0x0f);
h = (void*)((char*)h + off);
}
#endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
h->magic = secure ? CTX_MAGIC_SECURE : CTX_MAGIC_NORMAL;
h->actual_handle_size = size - off;
h->handle_offset = off;
h->spec = spec;
h->algo = algo;
h->mode = mode;
h->flags = flags;
/* Setup mode routines. */
_gcry_cipher_setup_mode_ops(h, mode);
/* Setup defaults depending on the mode. */
switch (mode)
{
case GCRY_CIPHER_MODE_OCB:
h->u_mode.ocb.taglen = 16; /* Bytes. */
break;
case GCRY_CIPHER_MODE_XTS:
tc = h->context.c + spec->contextsize * 2;
tc += (16 - (uintptr_t)tc % 16) % 16;
h->u_mode.xts.tweak_context = tc;
break;
case GCRY_CIPHER_MODE_SIV:
tc = h->context.c + spec->contextsize * 2;
tc += (16 - (uintptr_t)tc % 16) % 16;
h->u_mode.siv.ctr_context = tc;
break;
default:
break;
}
}
}
/* Done. */
*handle = err ? NULL : h;
return err;
}
/* Release all resources associated with the cipher handle H. H may be
NULL in which case this is a no-operation. */
void
_gcry_cipher_close (gcry_cipher_hd_t h)
{
size_t off;
if (!h)
return;
if ((h->magic != CTX_MAGIC_SECURE)
&& (h->magic != CTX_MAGIC_NORMAL))
_gcry_fatal_error(GPG_ERR_INTERNAL,
"gcry_cipher_close: already closed/invalid handle");
else
h->magic = 0;
/* We always want to wipe out the memory even when the context has
been allocated in secure memory. The user might have disabled
secure memory or is using his own implementation which does not
do the wiping. To accomplish this we need to keep track of the
actual size of this structure because we have no way to known
how large the allocated area was when using a standard malloc. */
off = h->handle_offset;
wipememory (h, h->actual_handle_size);
xfree ((char*)h - off);
}
/* Set the key to be used for the encryption context C to KEY with
length KEYLEN. The length should match the required length. */
static gcry_err_code_t
cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen)
{
gcry_err_code_t rc;
if (c->mode == GCRY_CIPHER_MODE_XTS)
{
/* XTS uses two keys. */
if (keylen % 2)
return GPG_ERR_INV_KEYLEN;
keylen /= 2;
if (fips_mode ())
{
/* Reject key if subkeys Key_1 and Key_2 are equal.
See "Implementation Guidance for FIPS 140-2, A.9 XTS-AES
Key Generation Requirements" for details. */
if (buf_eq_const (key, key + keylen, keylen))
return GPG_ERR_WEAK_KEY;
}
}
else if (c->mode == GCRY_CIPHER_MODE_SIV)
{
/* SIV uses two keys. */
if (keylen % 2)
return GPG_ERR_INV_KEYLEN;
keylen /= 2;
}
rc = c->spec->setkey (&c->context.c, key, keylen, &c->bulk);
if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
{
/* Duplicate initial context. */
memcpy ((void *) ((char *) &c->context.c + c->spec->contextsize),
(void *) &c->context.c,
c->spec->contextsize);
c->marks.key = 1;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
rc = _gcry_cipher_cmac_set_subkeys (c);
break;
case GCRY_CIPHER_MODE_EAX:
rc = _gcry_cipher_eax_setkey (c);
break;
case GCRY_CIPHER_MODE_GCM:
_gcry_cipher_gcm_setkey (c);
break;
case GCRY_CIPHER_MODE_GCM_SIV:
rc = _gcry_cipher_gcm_siv_setkey (c, keylen);
if (rc)
c->marks.key = 0;
break;
case GCRY_CIPHER_MODE_OCB:
_gcry_cipher_ocb_setkey (c);
break;
case GCRY_CIPHER_MODE_POLY1305:
_gcry_cipher_poly1305_setkey (c);
break;
case GCRY_CIPHER_MODE_XTS:
/* Setup tweak cipher with second part of XTS key. */
rc = c->spec->setkey (c->u_mode.xts.tweak_context, key + keylen,
keylen, &c->bulk);
if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
{
/* Duplicate initial tweak context. */
memcpy (c->u_mode.xts.tweak_context + c->spec->contextsize,
c->u_mode.xts.tweak_context, c->spec->contextsize);
}
else
c->marks.key = 0;
break;
case GCRY_CIPHER_MODE_SIV:
/* Setup CTR cipher with second part of SIV key. */
rc = _gcry_cipher_siv_setkey (c, key + keylen, keylen);
if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
{
/* Duplicate initial CTR context. */
memcpy (c->u_mode.siv.ctr_context + c->spec->contextsize,
c->u_mode.siv.ctr_context, c->spec->contextsize);
}
else
c->marks.key = 0;
break;
default:
break;
}
}
else
c->marks.key = 0;
return rc;
}
/* Set the IV to be used for the encryption context C to IV with
length IVLEN. The length should match the required length. */
static gcry_err_code_t
cipher_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
{
/* If the cipher has its own IV handler, we use only this one. This
is currently used for stream ciphers requiring a nonce. */
if (c->spec->setiv)
{
c->spec->setiv (&c->context.c, iv, ivlen);
return 0;
}
memset (c->u_iv.iv, 0, c->spec->blocksize);
if (iv)
{
if (ivlen != c->spec->blocksize)
{
log_info ("WARNING: cipher_setiv: ivlen=%u blklen=%u\n",
(unsigned int)ivlen, (unsigned int)c->spec->blocksize);
fips_signal_error ("IV length does not match blocklength");
}
if (ivlen > c->spec->blocksize)
ivlen = c->spec->blocksize;
memcpy (c->u_iv.iv, iv, ivlen);
c->marks.iv = 1;
}
else
c->marks.iv = 0;
c->unused = 0;
return 0;
}
/* Reset the cipher context to the initial context. This is basically
the same as an release followed by a new. */
static void
cipher_reset (gcry_cipher_hd_t c)
{
unsigned int marks_key, marks_allow_weak_key;
marks_key = c->marks.key;
marks_allow_weak_key = c->marks.allow_weak_key;
memcpy (&c->context.c,
(char *) &c->context.c + c->spec->contextsize,
c->spec->contextsize);
memset (&c->marks, 0, sizeof c->marks);
memset (c->u_iv.iv, 0, c->spec->blocksize);
memset (c->lastiv, 0, c->spec->blocksize);
memset (c->u_ctr.ctr, 0, c->spec->blocksize);
c->unused = 0;
c->marks.key = marks_key;
c->marks.allow_weak_key = marks_allow_weak_key;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
_gcry_cmac_reset(&c->u_mode.cmac);
break;
case GCRY_CIPHER_MODE_EAX:
_gcry_cmac_reset(&c->u_mode.eax.cmac_header);
_gcry_cmac_reset(&c->u_mode.eax.cmac_ciphertext);
break;
case GCRY_CIPHER_MODE_GCM:
case GCRY_CIPHER_MODE_GCM_SIV:
/* Only clear head of u_mode, keep ghash_key and gcm_table. */
{
byte *u_mode_pos = (void *)&c->u_mode;
byte *ghash_key_pos = c->u_mode.gcm.u_ghash_key.key;
size_t u_mode_head_length = ghash_key_pos - u_mode_pos;
memset (&c->u_mode, 0, u_mode_head_length);
}
break;
case GCRY_CIPHER_MODE_POLY1305:
memset (&c->u_mode.poly1305, 0, sizeof c->u_mode.poly1305);
break;
case GCRY_CIPHER_MODE_CCM:
memset (&c->u_mode.ccm, 0, sizeof c->u_mode.ccm);
break;
case GCRY_CIPHER_MODE_OCB:
{
const size_t table_maxblks = 1 << OCB_L_TABLE_SIZE;
byte *u_mode_head_pos = (void *)&c->u_mode.ocb;
byte *u_mode_tail_pos = (void *)&c->u_mode.ocb.tag;
size_t u_mode_head_length = u_mode_tail_pos - u_mode_head_pos;
size_t u_mode_tail_length = sizeof(c->u_mode.ocb) - u_mode_head_length;
if (c->u_mode.ocb.aad_nblocks < table_maxblks)
{
/* Precalculated L-values are still ok after reset, no need
* to clear. */
memset (u_mode_tail_pos, 0, u_mode_tail_length);
}
else
{
/* Reinitialize L table. */
memset (&c->u_mode.ocb, 0, sizeof(c->u_mode.ocb));
_gcry_cipher_ocb_setkey (c);
}
/* Setup default taglen. */
c->u_mode.ocb.taglen = 16;
}
break;
case GCRY_CIPHER_MODE_XTS:
memcpy (c->u_mode.xts.tweak_context,
c->u_mode.xts.tweak_context + c->spec->contextsize,
c->spec->contextsize);
break;
case GCRY_CIPHER_MODE_SIV:
/* Only clear head of u_mode, keep s2v_cmac and ctr_context. */
{
byte *u_mode_pos = (void *)&c->u_mode;
byte *tail_pos = (void *)&c->u_mode.siv.s2v_cmac;
size_t u_mode_head_length = tail_pos - u_mode_pos;
memset (&c->u_mode, 0, u_mode_head_length);
memcpy (c->u_mode.siv.ctr_context,
c->u_mode.siv.ctr_context + c->spec->contextsize,
c->spec->contextsize);
memcpy (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_zero_block,
GCRY_SIV_BLOCK_LEN);
}
break;
default:
break; /* u_mode unused by other modes. */
}
}
�
static gcry_err_code_t
do_ecb_crypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen,
gcry_cipher_encrypt_t crypt_fn)
{
unsigned int blocksize = c->spec->blocksize;
size_t n, nblocks;
unsigned int burn, nburn;
if (outbuflen < inbuflen)
return GPG_ERR_BUFFER_TOO_SHORT;
if ((inbuflen % blocksize))
return GPG_ERR_INV_LENGTH;
nblocks = inbuflen / blocksize;
burn = 0;
for (n=0; n < nblocks; n++ )
{
nburn = crypt_fn (&c->context.c, outbuf, inbuf);
burn = nburn > burn ? nburn : burn;
inbuf += blocksize;
outbuf += blocksize;
}
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
return 0;
}
static gcry_err_code_t
do_ecb_encrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->encrypt);
}
static gcry_err_code_t
do_ecb_decrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->decrypt);
}
static gcry_err_code_t
do_stream_encrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
(void)outbuflen;
c->spec->stencrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen);
return 0;
}
static gcry_err_code_t
do_stream_decrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
(void)outbuflen;
c->spec->stdecrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen);
return 0;
}
static gcry_err_code_t
do_encrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t rc;
(void)outbuflen;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
rc = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_NONE:
if (fips_mode () || !_gcry_get_debug_flag (0))
{
fips_signal_error ("cipher mode NONE used");
rc = GPG_ERR_INV_CIPHER_MODE;
}
else
{
if (inbuf != outbuf)
memmove (outbuf, inbuf, inbuflen);
rc = 0;
}
break;
default:
log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode );
rc = GPG_ERR_INV_CIPHER_MODE;
break;
}
return rc;
}
static gcry_err_code_t
do_decrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t rc;
(void)outbuflen;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
rc = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_NONE:
if (fips_mode () || !_gcry_get_debug_flag (0))
{
fips_signal_error ("cipher mode NONE used");
rc = GPG_ERR_INV_CIPHER_MODE;
}
else
{
if (inbuf != outbuf)
memmove (outbuf, inbuf, inbuflen);
rc = 0;
}
break;
default:
log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );
rc = GPG_ERR_INV_CIPHER_MODE;
break;
}
return rc;
}
/****************
* Encrypt IN and write it to OUT. If IN is NULL, in-place encryption has
* been requested.
*/
gcry_err_code_t
_gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
const void *in, size_t inlen)
{
gcry_err_code_t rc;
if (!in) /* Caller requested in-place encryption. */
{
in = out;
inlen = outsize;
}
if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
{
log_error ("cipher_encrypt: key not set\n");
return GPG_ERR_MISSING_KEY;
}
rc = h->mode_ops.encrypt (h, out, outsize, in, inlen);
/* Failsafe: Make sure that the plaintext will never make it into
OUT if the encryption returned an error. */
if (rc && out)
memset (out, 0x42, outsize);
return rc;
}
/****************
* Decrypt IN and write it to OUT. If IN is NULL, in-place encryption has
* been requested.
*/
gcry_err_code_t
_gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
const void *in, size_t inlen)
{
if (!in) /* Caller requested in-place encryption. */
{
in = out;
inlen = outsize;
}
if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
{
log_error ("cipher_decrypt: key not set\n");
return GPG_ERR_MISSING_KEY;
}
return h->mode_ops.decrypt (h, out, outsize, in, inlen);
}
/****************
* Used for PGP's somewhat strange CFB mode. Only works if
* the corresponding flag is set.
*/
static void
cipher_sync (gcry_cipher_hd_t c)
{
if ((c->flags & GCRY_CIPHER_ENABLE_SYNC) && c->unused)
{
memmove (c->u_iv.iv + c->unused,
c->u_iv.iv, c->spec->blocksize - c->unused);
memcpy (c->u_iv.iv,
c->lastiv + c->spec->blocksize - c->unused, c->unused);
c->unused = 0;
}
}
gcry_err_code_t
_gcry_cipher_setkey (gcry_cipher_hd_t hd, const void *key, size_t keylen)
{
return cipher_setkey (hd, (void*)key, keylen);
}
gcry_err_code_t
_gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen)
{
return hd->mode_ops.setiv (hd, iv, ivlen);
}
/* Set counter for CTR mode. (CTR,CTRLEN) must denote a buffer of
block size length, or (NULL,0) to set the CTR to the all-zero
block. */
gpg_err_code_t
_gcry_cipher_setctr (gcry_cipher_hd_t hd, const void *ctr, size_t ctrlen)
{
if (ctr && ctrlen == hd->spec->blocksize)
{
memcpy (hd->u_ctr.ctr, ctr, hd->spec->blocksize);
hd->unused = 0;
}
else if (!ctr || !ctrlen)
{
memset (hd->u_ctr.ctr, 0, hd->spec->blocksize);
hd->unused = 0;
}
else
return GPG_ERR_INV_ARG;
return 0;
}
gpg_err_code_t
_gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen)
{
if (ctr && ctrlen == hd->spec->blocksize)
memcpy (ctr, hd->u_ctr.ctr, hd->spec->blocksize);
else
return GPG_ERR_INV_ARG;
return 0;
}
gcry_err_code_t
_gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
size_t abuflen)
{
gcry_err_code_t rc;
if (hd->mode_ops.authenticate)
{
rc = hd->mode_ops.authenticate (hd, abuf, abuflen);
}
else
{
log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode);
rc = GPG_ERR_INV_CIPHER_MODE;
}
return rc;
}
gcry_err_code_t
_gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen)
{
gcry_err_code_t rc;
if (hd->mode_ops.get_tag)
{
rc = hd->mode_ops.get_tag (hd, outtag, taglen);
}
else
{
log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode);
rc = GPG_ERR_INV_CIPHER_MODE;
}
return rc;
}
gcry_err_code_t
_gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen)
{
gcry_err_code_t rc;
if (hd->mode_ops.check_tag)
{
rc = hd->mode_ops.check_tag (hd, intag, taglen);
}
else
{
log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode);
rc = GPG_ERR_INV_CIPHER_MODE;
}
return rc;
}
static void
_gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode)
{
/* Setup encryption and decryption routines. */
switch (mode)
{
case GCRY_CIPHER_MODE_STREAM:
c->mode_ops.encrypt = do_stream_encrypt;
c->mode_ops.decrypt = do_stream_decrypt;
break;
case GCRY_CIPHER_MODE_ECB:
c->mode_ops.encrypt = do_ecb_encrypt;
c->mode_ops.decrypt = do_ecb_decrypt;
break;
case GCRY_CIPHER_MODE_CBC:
if (!(c->flags & GCRY_CIPHER_CBC_CTS))
{
c->mode_ops.encrypt = _gcry_cipher_cbc_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cbc_decrypt;
}
else
{
c->mode_ops.encrypt = _gcry_cipher_cbc_cts_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cbc_cts_decrypt;
}
break;
case GCRY_CIPHER_MODE_CFB:
c->mode_ops.encrypt = _gcry_cipher_cfb_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cfb_decrypt;
break;
case GCRY_CIPHER_MODE_CFB8:
c->mode_ops.encrypt = _gcry_cipher_cfb8_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cfb8_decrypt;
break;
case GCRY_CIPHER_MODE_OFB:
c->mode_ops.encrypt = _gcry_cipher_ofb_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ofb_encrypt;
break;
case GCRY_CIPHER_MODE_CTR:
c->mode_ops.encrypt = _gcry_cipher_ctr_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ctr_encrypt;
break;
case GCRY_CIPHER_MODE_AESWRAP:
- c->mode_ops.encrypt = _gcry_cipher_aeswrap_encrypt;
- c->mode_ops.decrypt = _gcry_cipher_aeswrap_decrypt;
+ if (!(c->flags & GCRY_CIPHER_EXTENDED))
+ {
+ c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt;
+ c->mode_ops.decrypt = _gcry_cipher_keywrap_decrypt;
+ }
+ else
+ {
+ c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt_padding;
+ c->mode_ops.decrypt = _gcry_cipher_keywrap_decrypt_padding;
+ }
break;
case GCRY_CIPHER_MODE_CCM:
c->mode_ops.encrypt = _gcry_cipher_ccm_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ccm_decrypt;
break;
case GCRY_CIPHER_MODE_EAX:
c->mode_ops.encrypt = _gcry_cipher_eax_encrypt;
c->mode_ops.decrypt = _gcry_cipher_eax_decrypt;
break;
case GCRY_CIPHER_MODE_GCM:
c->mode_ops.encrypt = _gcry_cipher_gcm_encrypt;
c->mode_ops.decrypt = _gcry_cipher_gcm_decrypt;
break;
case GCRY_CIPHER_MODE_POLY1305:
c->mode_ops.encrypt = _gcry_cipher_poly1305_encrypt;
c->mode_ops.decrypt = _gcry_cipher_poly1305_decrypt;
break;
case GCRY_CIPHER_MODE_OCB:
c->mode_ops.encrypt = _gcry_cipher_ocb_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ocb_decrypt;
break;
case GCRY_CIPHER_MODE_XTS:
c->mode_ops.encrypt = _gcry_cipher_xts_encrypt;
c->mode_ops.decrypt = _gcry_cipher_xts_decrypt;
break;
case GCRY_CIPHER_MODE_SIV:
c->mode_ops.encrypt = _gcry_cipher_siv_encrypt;
c->mode_ops.decrypt = _gcry_cipher_siv_decrypt;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
c->mode_ops.encrypt = _gcry_cipher_gcm_siv_encrypt;
c->mode_ops.decrypt = _gcry_cipher_gcm_siv_decrypt;
break;
default:
c->mode_ops.encrypt = do_encrypt_none_unknown;
c->mode_ops.decrypt = do_decrypt_none_unknown;
break;
}
/* Setup IV setting routine. */
switch (mode)
{
case GCRY_CIPHER_MODE_CCM:
c->mode_ops.setiv = _gcry_cipher_ccm_set_nonce;
break;
case GCRY_CIPHER_MODE_EAX:
c->mode_ops.setiv = _gcry_cipher_eax_set_nonce;
break;
case GCRY_CIPHER_MODE_GCM:
c->mode_ops.setiv = _gcry_cipher_gcm_setiv;
break;
case GCRY_CIPHER_MODE_POLY1305:
c->mode_ops.setiv = _gcry_cipher_poly1305_setiv;
break;
case GCRY_CIPHER_MODE_OCB:
c->mode_ops.setiv = _gcry_cipher_ocb_set_nonce;
break;
case GCRY_CIPHER_MODE_SIV:
c->mode_ops.setiv = _gcry_cipher_siv_set_nonce;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
c->mode_ops.setiv = _gcry_cipher_gcm_siv_set_nonce;
break;
default:
c->mode_ops.setiv = cipher_setiv;
break;
}
/* Setup authentication routines for AEAD modes. */
switch (mode)
{
case GCRY_CIPHER_MODE_CCM:
c->mode_ops.authenticate = _gcry_cipher_ccm_authenticate;
c->mode_ops.get_tag = _gcry_cipher_ccm_get_tag;
c->mode_ops.check_tag = _gcry_cipher_ccm_check_tag;
break;
case GCRY_CIPHER_MODE_CMAC:
c->mode_ops.authenticate = _gcry_cipher_cmac_authenticate;
c->mode_ops.get_tag = _gcry_cipher_cmac_get_tag;
c->mode_ops.check_tag = _gcry_cipher_cmac_check_tag;
break;
case GCRY_CIPHER_MODE_EAX:
c->mode_ops.authenticate = _gcry_cipher_eax_authenticate;
c->mode_ops.get_tag = _gcry_cipher_eax_get_tag;
c->mode_ops.check_tag = _gcry_cipher_eax_check_tag;
break;
case GCRY_CIPHER_MODE_GCM:
c->mode_ops.authenticate = _gcry_cipher_gcm_authenticate;
c->mode_ops.get_tag = _gcry_cipher_gcm_get_tag;
c->mode_ops.check_tag = _gcry_cipher_gcm_check_tag;
break;
case GCRY_CIPHER_MODE_POLY1305:
c->mode_ops.authenticate = _gcry_cipher_poly1305_authenticate;
c->mode_ops.get_tag = _gcry_cipher_poly1305_get_tag;
c->mode_ops.check_tag = _gcry_cipher_poly1305_check_tag;
break;
case GCRY_CIPHER_MODE_OCB:
c->mode_ops.authenticate = _gcry_cipher_ocb_authenticate;
c->mode_ops.get_tag = _gcry_cipher_ocb_get_tag;
c->mode_ops.check_tag = _gcry_cipher_ocb_check_tag;
break;
case GCRY_CIPHER_MODE_SIV:
c->mode_ops.authenticate = _gcry_cipher_siv_authenticate;
c->mode_ops.get_tag = _gcry_cipher_siv_get_tag;
c->mode_ops.check_tag = _gcry_cipher_siv_check_tag;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
c->mode_ops.authenticate = _gcry_cipher_gcm_siv_authenticate;
c->mode_ops.get_tag = _gcry_cipher_gcm_siv_get_tag;
c->mode_ops.check_tag = _gcry_cipher_gcm_siv_check_tag;
break;
default:
c->mode_ops.authenticate = NULL;
c->mode_ops.get_tag = NULL;
c->mode_ops.check_tag = NULL;
break;
}
}
gcry_err_code_t
_gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen)
{
gcry_err_code_t rc = 0;
switch (cmd)
{
case GCRYCTL_RESET:
cipher_reset (h);
break;
case GCRYCTL_FINALIZE:
if (!h || buffer || buflen)
return GPG_ERR_INV_ARG;
h->marks.finalize = 1;
break;
case GCRYCTL_CFB_SYNC:
cipher_sync( h );
break;
case GCRYCTL_SET_CBC_CTS:
if (buflen)
if (h->flags & GCRY_CIPHER_CBC_MAC)
rc = GPG_ERR_INV_FLAG;
else
h->flags |= GCRY_CIPHER_CBC_CTS;
else
h->flags &= ~GCRY_CIPHER_CBC_CTS;
break;
case GCRYCTL_SET_CBC_MAC:
if (buflen)
if (h->flags & GCRY_CIPHER_CBC_CTS)
rc = GPG_ERR_INV_FLAG;
else
h->flags |= GCRY_CIPHER_CBC_MAC;
else
h->flags &= ~GCRY_CIPHER_CBC_MAC;
break;
case GCRYCTL_SET_CCM_LENGTHS:
{
u64 params[3];
size_t encryptedlen;
size_t aadlen;
size_t authtaglen;
if (h->mode != GCRY_CIPHER_MODE_CCM)
return GPG_ERR_INV_CIPHER_MODE;
if (!buffer || buflen != 3 * sizeof(u64))
return GPG_ERR_INV_ARG;
/* This command is used to pass additional length parameters needed
by CCM mode to initialize CBC-MAC. */
memcpy (params, buffer, sizeof(params));
encryptedlen = params[0];
aadlen = params[1];
authtaglen = params[2];
rc = _gcry_cipher_ccm_set_lengths (h, encryptedlen, aadlen, authtaglen);
}
break;
case GCRYCTL_SET_DECRYPTION_TAG:
{
if (!buffer)
return GPG_ERR_INV_ARG;
if (h->mode == GCRY_CIPHER_MODE_SIV)
rc = _gcry_cipher_siv_set_decryption_tag (h, buffer, buflen);
else if (h->mode == GCRY_CIPHER_MODE_GCM_SIV)
rc = _gcry_cipher_gcm_siv_set_decryption_tag (h, buffer, buflen);
else
rc = GPG_ERR_INV_CIPHER_MODE;
}
break;
case GCRYCTL_SET_TAGLEN:
if (!h || !buffer || buflen != sizeof(int) )
return GPG_ERR_INV_ARG;
switch (h->mode)
{
case GCRY_CIPHER_MODE_OCB:
switch (*(int*)buffer)
{
case 8: case 12: case 16:
h->u_mode.ocb.taglen = *(int*)buffer;
break;
default:
rc = GPG_ERR_INV_LENGTH; /* Invalid tag length. */
break;
}
break;
default:
rc =GPG_ERR_INV_CIPHER_MODE;
break;
}
break;
case GCRYCTL_DISABLE_ALGO:
/* This command expects NULL for H and BUFFER to point to an
integer with the algo number. */
if( h || !buffer || buflen != sizeof(int) )
return GPG_ERR_CIPHER_ALGO;
disable_cipher_algo( *(int*)buffer );
break;
case PRIV_CIPHERCTL_DISABLE_WEAK_KEY: /* (private) */
if (h->spec->set_extra_info)
rc = h->spec->set_extra_info
(&h->context.c, CIPHER_INFO_NO_WEAK_KEY, NULL, 0);
else
rc = GPG_ERR_NOT_SUPPORTED;
break;
case PRIV_CIPHERCTL_GET_INPUT_VECTOR: /* (private) */
/* This is the input block as used in CFB and OFB mode which has
initially been set as IV. The returned format is:
1 byte Actual length of the block in bytes.
n byte The block.
If the provided buffer is too short, an error is returned. */
if (buflen < (1 + h->spec->blocksize))
rc = GPG_ERR_TOO_SHORT;
else
{
unsigned char *ivp;
unsigned char *dst = buffer;
int n = h->unused;
if (!n)
n = h->spec->blocksize;
gcry_assert (n <= h->spec->blocksize);
*dst++ = n;
ivp = h->u_iv.iv + h->spec->blocksize - n;
while (n--)
*dst++ = *ivp++;
}
break;
case GCRYCTL_SET_SBOX:
if (h->spec->set_extra_info)
rc = h->spec->set_extra_info
(&h->context.c, GCRYCTL_SET_SBOX, buffer, buflen);
else
rc = GPG_ERR_NOT_SUPPORTED;
break;
case GCRYCTL_SET_ALLOW_WEAK_KEY:
/* Expecting BUFFER to be NULL and buflen to be on/off flag (0 or 1). */
if (!h || buffer || buflen > 1)
return GPG_ERR_CIPHER_ALGO;
h->marks.allow_weak_key = buflen ? 1 : 0;
break;
default:
rc = GPG_ERR_INV_OP;
}
return rc;
}
/* Return information about the cipher handle H. CMD is the kind of
* information requested.
*
* CMD may be one of:
*
* GCRYCTL_GET_TAGLEN:
* Return the length of the tag for an AE algorithm mode. An
* error is returned for modes which do not support a tag.
* BUFFER must be given as NULL. On success the result is stored
* at NBYTES. The taglen is returned in bytes.
*
* The function returns 0 on success or an error code.
*/
gcry_err_code_t
_gcry_cipher_info (gcry_cipher_hd_t h, int cmd, void *buffer, size_t *nbytes)
{
gcry_err_code_t rc = 0;
switch (cmd)
{
case GCRYCTL_GET_TAGLEN:
if (!h || buffer || !nbytes)
rc = GPG_ERR_INV_ARG;
else
{
switch (h->mode)
{
case GCRY_CIPHER_MODE_OCB:
*nbytes = h->u_mode.ocb.taglen;
break;
case GCRY_CIPHER_MODE_CCM:
*nbytes = h->u_mode.ccm.authlen;
break;
case GCRY_CIPHER_MODE_EAX:
*nbytes = h->spec->blocksize;
break;
case GCRY_CIPHER_MODE_GCM:
*nbytes = GCRY_GCM_BLOCK_LEN;
break;
case GCRY_CIPHER_MODE_POLY1305:
*nbytes = POLY1305_TAGLEN;
break;
case GCRY_CIPHER_MODE_SIV:
*nbytes = GCRY_SIV_BLOCK_LEN;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
*nbytes = GCRY_SIV_BLOCK_LEN;
break;
default:
rc = GPG_ERR_INV_CIPHER_MODE;
break;
}
}
break;
default:
rc = GPG_ERR_INV_OP;
}
return rc;
}
/* Return information about the given cipher algorithm ALGO.
WHAT select the kind of information returned:
GCRYCTL_GET_KEYLEN:
Return the length of the key. If the algorithm ALGO
supports multiple key lengths, the maximum supported key length
is returned. The key length is returned as number of octets.
BUFFER and NBYTES must be zero.
GCRYCTL_GET_BLKLEN:
Return the blocklength of the algorithm ALGO counted in octets.
BUFFER and NBYTES must be zero.
GCRYCTL_TEST_ALGO:
Returns 0 if the specified algorithm ALGO is available for use.
BUFFER and NBYTES must be zero.
Note: Because this function is in most cases used to return an
integer value, we can make it easier for the caller to just look at
the return value. The caller will in all cases consult the value
and thereby detecting whether a error occurred or not (i.e. while
checking the block size)
*/
gcry_err_code_t
_gcry_cipher_algo_info (int algo, int what, void *buffer, size_t *nbytes)
{
gcry_err_code_t rc = 0;
unsigned int ui;
switch (what)
{
case GCRYCTL_GET_KEYLEN:
if (buffer || (! nbytes))
rc = GPG_ERR_CIPHER_ALGO;
else
{
ui = cipher_get_keylen (algo);
if ((ui > 0) && (ui <= 512))
*nbytes = (size_t) ui / 8;
else
/* The only reason for an error is an invalid algo. */
rc = GPG_ERR_CIPHER_ALGO;
}
break;
case GCRYCTL_GET_BLKLEN:
if (buffer || (! nbytes))
rc = GPG_ERR_CIPHER_ALGO;
else
{
ui = cipher_get_blocksize (algo);
if ((ui > 0) && (ui < 10000))
*nbytes = ui;
else
{
/* The only reason is an invalid algo or a strange
blocksize. */
rc = GPG_ERR_CIPHER_ALGO;
}
}
break;
case GCRYCTL_TEST_ALGO:
if (buffer || nbytes)
rc = GPG_ERR_INV_ARG;
else
rc = check_cipher_algo (algo);
break;
default:
rc = GPG_ERR_INV_OP;
}
return rc;
}
/* This function returns length of the key for algorithm ALGO. If the
algorithm supports multiple key lengths, the maximum supported key
length is returned. On error 0 is returned. The key length is
returned as number of octets.
This is a convenience functions which should be preferred over
gcry_cipher_algo_info because it allows for proper type
checking. */
size_t
_gcry_cipher_get_algo_keylen (int algo)
{
size_t n;
if (_gcry_cipher_algo_info (algo, GCRYCTL_GET_KEYLEN, NULL, &n))
n = 0;
return n;
}
/* This functions returns the blocklength of the algorithm ALGO
counted in octets. On error 0 is returned.
This is a convenience functions which should be preferred over
gcry_cipher_algo_info because it allows for proper type
checking. */
size_t
_gcry_cipher_get_algo_blklen (int algo)
{
size_t n;
if (_gcry_cipher_algo_info( algo, GCRYCTL_GET_BLKLEN, NULL, &n))
n = 0;
return n;
}
/* Explicitly initialize this module. */
gcry_err_code_t
_gcry_cipher_init (void)
{
if (fips_mode())
{
/* disable algorithms that are disallowed in fips */
int idx;
gcry_cipher_spec_t *spec;
for (idx = 0; (spec = cipher_list[idx]); idx++)
if (!spec->flags.fips)
spec->flags.disabled = 1;
}
return 0;
}
/* Run the selftests for cipher algorithm ALGO with optional reporting
function REPORT. */
gpg_error_t
_gcry_cipher_selftest (int algo, int extended, selftest_report_func_t report)
{
gcry_err_code_t ec = 0;
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algo);
if (spec && !spec->flags.disabled && spec->selftest)
ec = spec->selftest (algo, extended, report);
else
{
ec = GPG_ERR_CIPHER_ALGO;
if (report)
report ("cipher", algo, "module",
(spec && !spec->flags.disabled)?
"no selftest available" :
spec? "algorithm disabled" : "algorithm not found");
}
return gpg_error (ec);
}
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index ec06b72a..561da10b 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -1,1874 +1,1875 @@
/* gcrypt.h - GNU Cryptographic Library Interface -*- c -*-
* Copyright (C) 1998-2018 Free Software Foundation, Inc.
* Copyright (C) 2012-2018 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*
* File: @configure_input@
*/
#ifndef _GCRYPT_H
#define _GCRYPT_H
#include
#include
#include
#include
#include
#if defined _WIN32 || defined __WIN32__
# ifndef __GNUC__
typedef long ssize_t;
typedef int pid_t;
# endif /*!__GNUC__*/
#endif /*_WIN32*/
/* This is required for error code compatibility. */
#define _GCRY_ERR_SOURCE_DEFAULT GPG_ERR_SOURCE_GCRYPT
#ifdef __cplusplus
extern "C" {
#if 0 /* (Keep Emacsens' auto-indent happy.) */
}
#endif
#endif
/* The version of this header should match the one of the library. It
should not be used by a program because gcry_check_version() should
return the same version. The purpose of this macro is to let
autoconf (using the AM_PATH_GCRYPT macro) check that this header
matches the installed library. */
#define GCRYPT_VERSION "@VERSION@"
/* The version number of this header. It may be used to handle minor
API incompatibilities. */
#define GCRYPT_VERSION_NUMBER @VERSION_NUMBER@
/* Internal: We can't use the convenience macros for the multi
precision integer functions when building this library. */
#ifdef _GCRYPT_IN_LIBGCRYPT
#ifndef GCRYPT_NO_MPI_MACROS
#define GCRYPT_NO_MPI_MACROS 1
#endif
#endif
/* We want to use gcc attributes when possible. Warning: Don't use
these macros in your programs: As indicated by the leading
underscore they are subject to change without notice. */
#ifdef __GNUC__
#define _GCRY_GCC_VERSION (__GNUC__ * 10000 \
+ __GNUC_MINOR__ * 100 \
+ __GNUC_PATCHLEVEL__)
#if _GCRY_GCC_VERSION >= 30100
#define _GCRY_GCC_ATTR_DEPRECATED __attribute__ ((__deprecated__))
#endif
#if _GCRY_GCC_VERSION >= 29600
#define _GCRY_GCC_ATTR_PURE __attribute__ ((__pure__))
#endif
#if _GCRY_GCC_VERSION >= 30200
#define _GCRY_GCC_ATTR_MALLOC __attribute__ ((__malloc__))
#endif
#define _GCRY_GCC_ATTR_PRINTF(f,a) __attribute__ ((format (printf,f,a)))
#if _GCRY_GCC_VERSION >= 40000
#define _GCRY_GCC_ATTR_SENTINEL(a) __attribute__ ((sentinel(a)))
#endif
#endif /*__GNUC__*/
#ifndef _GCRY_GCC_ATTR_DEPRECATED
#define _GCRY_GCC_ATTR_DEPRECATED
#endif
#ifndef _GCRY_GCC_ATTR_PURE
#define _GCRY_GCC_ATTR_PURE
#endif
#ifndef _GCRY_GCC_ATTR_MALLOC
#define _GCRY_GCC_ATTR_MALLOC
#endif
#ifndef _GCRY_GCC_ATTR_PRINTF
#define _GCRY_GCC_ATTR_PRINTF(f,a)
#endif
#ifndef _GCRY_GCC_ATTR_SENTINEL
#define _GCRY_GCC_ATTR_SENTINEL(a)
#endif
/* Make up an attribute to mark functions and types as deprecated but
allow internal use by Libgcrypt. */
#ifdef _GCRYPT_IN_LIBGCRYPT
#define _GCRY_ATTR_INTERNAL
#else
#define _GCRY_ATTR_INTERNAL _GCRY_GCC_ATTR_DEPRECATED
#endif
/* Wrappers for the libgpg-error library. */
typedef gpg_error_t gcry_error_t;
typedef gpg_err_code_t gcry_err_code_t;
typedef gpg_err_source_t gcry_err_source_t;
static GPG_ERR_INLINE gcry_error_t
gcry_err_make (gcry_err_source_t source, gcry_err_code_t code)
{
return gpg_err_make (source, code);
}
/* The user can define GPG_ERR_SOURCE_DEFAULT before including this
file to specify a default source for gpg_error. */
#ifndef GCRY_ERR_SOURCE_DEFAULT
#define GCRY_ERR_SOURCE_DEFAULT GPG_ERR_SOURCE_USER_1
#endif
static GPG_ERR_INLINE gcry_error_t
gcry_error (gcry_err_code_t code)
{
return gcry_err_make (GCRY_ERR_SOURCE_DEFAULT, code);
}
static GPG_ERR_INLINE gcry_err_code_t
gcry_err_code (gcry_error_t err)
{
return gpg_err_code (err);
}
static GPG_ERR_INLINE gcry_err_source_t
gcry_err_source (gcry_error_t err)
{
return gpg_err_source (err);
}
/* Return a pointer to a string containing a description of the error
code in the error value ERR. */
const char *gcry_strerror (gcry_error_t err);
/* Return a pointer to a string containing a description of the error
source in the error value ERR. */
const char *gcry_strsource (gcry_error_t err);
/* Retrieve the error code for the system error ERR. This returns
GPG_ERR_UNKNOWN_ERRNO if the system error is not mapped (report
this). */
gcry_err_code_t gcry_err_code_from_errno (int err);
/* Retrieve the system error for the error code CODE. This returns 0
if CODE is not a system error code. */
int gcry_err_code_to_errno (gcry_err_code_t code);
/* Return an error value with the error source SOURCE and the system
error ERR. */
gcry_error_t gcry_err_make_from_errno (gcry_err_source_t source, int err);
/* Return an error value with the system error ERR. */
gcry_error_t gcry_error_from_errno (int err);
�
/* NOTE: Since Libgcrypt 1.6 the thread callbacks are not anymore
used. However we keep it to allow for some source code
compatibility if used in the standard way. */
/* Constants defining the thread model to use. Used with the OPTION
field of the struct gcry_thread_cbs. */
#define GCRY_THREAD_OPTION_DEFAULT 0
#define GCRY_THREAD_OPTION_USER 1
#define GCRY_THREAD_OPTION_PTH 2
#define GCRY_THREAD_OPTION_PTHREAD 3
/* The version number encoded in the OPTION field of the struct
gcry_thread_cbs. */
#define GCRY_THREAD_OPTION_VERSION 1
/* Wrapper for struct ath_ops. */
struct gcry_thread_cbs
{
/* The OPTION field encodes the thread model and the version number
of this structure.
Bits 7 - 0 are used for the thread model
Bits 15 - 8 are used for the version number. */
unsigned int option;
} _GCRY_ATTR_INTERNAL;
#define GCRY_THREAD_OPTION_PTH_IMPL \
static struct gcry_thread_cbs gcry_threads_pth = { \
(GCRY_THREAD_OPTION_PTH | (GCRY_THREAD_OPTION_VERSION << 8))}
#define GCRY_THREAD_OPTION_PTHREAD_IMPL \
static struct gcry_thread_cbs gcry_threads_pthread = { \
(GCRY_THREAD_OPTION_PTHREAD | (GCRY_THREAD_OPTION_VERSION << 8))}
�
/* A generic context object as used by some functions. */
struct gcry_context;
typedef struct gcry_context *gcry_ctx_t;
/* The data objects used to hold multi precision integers. */
struct gcry_mpi;
typedef struct gcry_mpi *gcry_mpi_t;
struct gcry_mpi_point;
typedef struct gcry_mpi_point *gcry_mpi_point_t;
#ifndef GCRYPT_NO_DEPRECATED
typedef struct gcry_mpi *GCRY_MPI _GCRY_GCC_ATTR_DEPRECATED;
typedef struct gcry_mpi *GcryMPI _GCRY_GCC_ATTR_DEPRECATED;
#endif
/* A structure used for scatter gather hashing. */
typedef struct
{
size_t size; /* The allocated size of the buffer or 0. */
size_t off; /* Offset into the buffer. */
size_t len; /* The used length of the buffer. */
void *data; /* The buffer. */
} gcry_buffer_t;
�
/* Check that the library fulfills the version requirement. */
const char *gcry_check_version (const char *req_version);
/* Codes for function dispatchers. */
/* Codes used with the gcry_control function. */
enum gcry_ctl_cmds
{
/* Note: 1 .. 2 are not anymore used. */
GCRYCTL_CFB_SYNC = 3,
GCRYCTL_RESET = 4, /* e.g. for MDs */
GCRYCTL_FINALIZE = 5,
GCRYCTL_GET_KEYLEN = 6,
GCRYCTL_GET_BLKLEN = 7,
GCRYCTL_TEST_ALGO = 8,
GCRYCTL_IS_SECURE = 9,
GCRYCTL_GET_ASNOID = 10,
GCRYCTL_ENABLE_ALGO = 11,
GCRYCTL_DISABLE_ALGO = 12,
GCRYCTL_DUMP_RANDOM_STATS = 13,
GCRYCTL_DUMP_SECMEM_STATS = 14,
GCRYCTL_GET_ALGO_NPKEY = 15,
GCRYCTL_GET_ALGO_NSKEY = 16,
GCRYCTL_GET_ALGO_NSIGN = 17,
GCRYCTL_GET_ALGO_NENCR = 18,
GCRYCTL_SET_VERBOSITY = 19,
GCRYCTL_SET_DEBUG_FLAGS = 20,
GCRYCTL_CLEAR_DEBUG_FLAGS = 21,
GCRYCTL_USE_SECURE_RNDPOOL= 22,
GCRYCTL_DUMP_MEMORY_STATS = 23,
GCRYCTL_INIT_SECMEM = 24,
GCRYCTL_TERM_SECMEM = 25,
GCRYCTL_DISABLE_SECMEM_WARN = 27,
GCRYCTL_SUSPEND_SECMEM_WARN = 28,
GCRYCTL_RESUME_SECMEM_WARN = 29,
GCRYCTL_DROP_PRIVS = 30,
GCRYCTL_ENABLE_M_GUARD = 31,
GCRYCTL_START_DUMP = 32,
GCRYCTL_STOP_DUMP = 33,
GCRYCTL_GET_ALGO_USAGE = 34,
GCRYCTL_IS_ALGO_ENABLED = 35,
GCRYCTL_DISABLE_INTERNAL_LOCKING = 36,
GCRYCTL_DISABLE_SECMEM = 37,
GCRYCTL_INITIALIZATION_FINISHED = 38,
GCRYCTL_INITIALIZATION_FINISHED_P = 39,
GCRYCTL_ANY_INITIALIZATION_P = 40,
GCRYCTL_SET_CBC_CTS = 41,
GCRYCTL_SET_CBC_MAC = 42,
/* Note: 43 is not anymore used. */
GCRYCTL_ENABLE_QUICK_RANDOM = 44,
GCRYCTL_SET_RANDOM_SEED_FILE = 45,
GCRYCTL_UPDATE_RANDOM_SEED_FILE = 46,
GCRYCTL_SET_THREAD_CBS = 47,
GCRYCTL_FAST_POLL = 48,
GCRYCTL_SET_RANDOM_DAEMON_SOCKET = 49,
GCRYCTL_USE_RANDOM_DAEMON = 50,
GCRYCTL_FAKED_RANDOM_P = 51,
GCRYCTL_SET_RNDEGD_SOCKET = 52,
GCRYCTL_PRINT_CONFIG = 53,
GCRYCTL_OPERATIONAL_P = 54,
GCRYCTL_FIPS_MODE_P = 55,
GCRYCTL_FORCE_FIPS_MODE = 56,
GCRYCTL_SELFTEST = 57,
/* Note: 58 .. 62 are used internally. */
GCRYCTL_DISABLE_HWF = 63,
GCRYCTL_SET_ENFORCED_FIPS_FLAG = 64,
GCRYCTL_SET_PREFERRED_RNG_TYPE = 65,
GCRYCTL_GET_CURRENT_RNG_TYPE = 66,
GCRYCTL_DISABLE_LOCKED_SECMEM = 67,
GCRYCTL_DISABLE_PRIV_DROP = 68,
GCRYCTL_SET_CCM_LENGTHS = 69,
GCRYCTL_CLOSE_RANDOM_DEVICE = 70,
GCRYCTL_INACTIVATE_FIPS_FLAG = 71,
GCRYCTL_REACTIVATE_FIPS_FLAG = 72,
GCRYCTL_SET_SBOX = 73,
GCRYCTL_DRBG_REINIT = 74,
GCRYCTL_SET_TAGLEN = 75,
GCRYCTL_GET_TAGLEN = 76,
GCRYCTL_REINIT_SYSCALL_CLAMP = 77,
GCRYCTL_AUTO_EXPAND_SECMEM = 78,
GCRYCTL_SET_ALLOW_WEAK_KEY = 79,
GCRYCTL_SET_DECRYPTION_TAG = 80,
GCRYCTL_FIPS_SERVICE_INDICATOR = 81
};
/* Perform various operations defined by CMD. */
gcry_error_t gcry_control (enum gcry_ctl_cmds CMD, ...);
�
/* S-expression management. */
/* The object to represent an S-expression as used with the public key
functions. */
struct gcry_sexp;
typedef struct gcry_sexp *gcry_sexp_t;
#ifndef GCRYPT_NO_DEPRECATED
typedef struct gcry_sexp *GCRY_SEXP _GCRY_GCC_ATTR_DEPRECATED;
typedef struct gcry_sexp *GcrySexp _GCRY_GCC_ATTR_DEPRECATED;
#endif
/* The possible values for the S-expression format. */
enum gcry_sexp_format
{
GCRYSEXP_FMT_DEFAULT = 0,
GCRYSEXP_FMT_CANON = 1,
GCRYSEXP_FMT_BASE64 = 2,
GCRYSEXP_FMT_ADVANCED = 3
};
/* Create an new S-expression object from BUFFER of size LENGTH and
return it in RETSEXP. With AUTODETECT set to 0 the data in BUFFER
is expected to be in canonized format. */
gcry_error_t gcry_sexp_new (gcry_sexp_t *retsexp,
const void *buffer, size_t length,
int autodetect);
/* Same as gcry_sexp_new but allows to pass a FREEFNC which has the
effect to transfer ownership of BUFFER to the created object. */
gcry_error_t gcry_sexp_create (gcry_sexp_t *retsexp,
void *buffer, size_t length,
int autodetect, void (*freefnc) (void *));
/* Scan BUFFER and return a new S-expression object in RETSEXP. This
function expects a printf like string in BUFFER. */
gcry_error_t gcry_sexp_sscan (gcry_sexp_t *retsexp, size_t *erroff,
const char *buffer, size_t length);
/* Same as gcry_sexp_sscan but expects a string in FORMAT and can thus
only be used for certain encodings. */
gcry_error_t gcry_sexp_build (gcry_sexp_t *retsexp, size_t *erroff,
const char *format, ...);
/* Like gcry_sexp_build, but uses an array instead of variable
function arguments. */
gcry_error_t gcry_sexp_build_array (gcry_sexp_t *retsexp, size_t *erroff,
const char *format, void **arg_list);
/* Release the S-expression object SEXP */
void gcry_sexp_release (gcry_sexp_t sexp);
/* Calculate the length of an canonized S-expression in BUFFER and
check for a valid encoding. */
size_t gcry_sexp_canon_len (const unsigned char *buffer, size_t length,
size_t *erroff, gcry_error_t *errcode);
/* Copies the S-expression object SEXP into BUFFER using the format
specified in MODE. */
size_t gcry_sexp_sprint (gcry_sexp_t sexp, int mode, void *buffer,
size_t maxlength);
/* Dumps the S-expression object A in a format suitable for debugging
to Libgcrypt's logging stream. */
void gcry_sexp_dump (const gcry_sexp_t a);
gcry_sexp_t gcry_sexp_cons (const gcry_sexp_t a, const gcry_sexp_t b);
gcry_sexp_t gcry_sexp_alist (const gcry_sexp_t *array);
gcry_sexp_t gcry_sexp_vlist (const gcry_sexp_t a, ...);
gcry_sexp_t gcry_sexp_append (const gcry_sexp_t a, const gcry_sexp_t n);
gcry_sexp_t gcry_sexp_prepend (const gcry_sexp_t a, const gcry_sexp_t n);
/* Scan the S-expression for a sublist with a type (the car of the
list) matching the string TOKEN. If TOKLEN is not 0, the token is
assumed to be raw memory of this length. The function returns a
newly allocated S-expression consisting of the found sublist or
`NULL' when not found. */
gcry_sexp_t gcry_sexp_find_token (gcry_sexp_t list,
const char *tok, size_t toklen);
/* Return the length of the LIST. For a valid S-expression this
should be at least 1. */
int gcry_sexp_length (const gcry_sexp_t list);
/* Create and return a new S-expression from the element with index
NUMBER in LIST. Note that the first element has the index 0. If
there is no such element, `NULL' is returned. */
gcry_sexp_t gcry_sexp_nth (const gcry_sexp_t list, int number);
/* Create and return a new S-expression from the first element in
LIST; this called the "type" and should always exist and be a
string. `NULL' is returned in case of a problem. */
gcry_sexp_t gcry_sexp_car (const gcry_sexp_t list);
/* Create and return a new list form all elements except for the first
one. Note, that this function may return an invalid S-expression
because it is not guaranteed, that the type exists and is a string.
However, for parsing a complex S-expression it might be useful for
intermediate lists. Returns `NULL' on error. */
gcry_sexp_t gcry_sexp_cdr (const gcry_sexp_t list);
gcry_sexp_t gcry_sexp_cadr (const gcry_sexp_t list);
/* This function is used to get data from a LIST. A pointer to the
actual data with index NUMBER is returned and the length of this
data will be stored to DATALEN. If there is no data at the given
index or the index represents another list, `NULL' is returned.
*Note:* The returned pointer is valid as long as LIST is not
modified or released. */
const char *gcry_sexp_nth_data (const gcry_sexp_t list, int number,
size_t *datalen);
/* This function is used to get data from a LIST. A malloced buffer to the
data with index NUMBER is returned and the length of this
data will be stored to RLENGTH. If there is no data at the given
index or the index represents another list, `NULL' is returned. */
void *gcry_sexp_nth_buffer (const gcry_sexp_t list, int number,
size_t *rlength);
/* This function is used to get and convert data from a LIST. The
data is assumed to be a Nul terminated string. The caller must
release the returned value using `gcry_free'. If there is no data
at the given index, the index represents a list or the value can't
be converted to a string, `NULL' is returned. */
char *gcry_sexp_nth_string (gcry_sexp_t list, int number);
/* This function is used to get and convert data from a LIST. This
data is assumed to be an MPI stored in the format described by
MPIFMT and returned as a standard Libgcrypt MPI. The caller must
release this returned value using `gcry_mpi_release'. If there is
no data at the given index, the index represents a list or the
value can't be converted to an MPI, `NULL' is returned. */
gcry_mpi_t gcry_sexp_nth_mpi (gcry_sexp_t list, int number, int mpifmt);
/* Extract MPIs from an s-expression using a list of parameters. The
* names of these parameters are given by the string LIST. Some
* special characters may be given to control the conversion:
*
* + :: Switch to unsigned integer format (default).
* - :: Switch to standard signed format.
* / :: Switch to opaque format.
* & :: Switch to buffer descriptor mode - see below.
* ? :: The previous parameter is optional.
*
* In general parameter names are single letters. To use a string for
* a parameter name, enclose the name in single quotes.
*
* Unless in gcry_buffer_t mode for each parameter name a pointer to
* an MPI variable is expected that must be set to NULL prior to
* invoking this function, and finally a NULL is expected. Example:
*
* _gcry_sexp_extract_param (key, NULL, "n/x+ed",
* &mpi_n, &mpi_x, &mpi_e, NULL)
*
* This stores the parameter "N" from KEY as an unsigned MPI into
* MPI_N, the parameter "X" as an opaque MPI into MPI_X, and the
* parameter "E" again as an unsigned MPI into MPI_E.
*
* If in buffer descriptor mode a pointer to gcry_buffer_t descriptor
* is expected instead of a pointer to an MPI. The caller may use two
* different operation modes: If the DATA field of the provided buffer
* descriptor is NULL, the function allocates a new buffer and stores
* it at DATA; the other fields are set accordingly with OFF being 0.
* If DATA is not NULL, the function assumes that DATA, SIZE, and OFF
* describe a buffer where to but the data; on return the LEN field
* receives the number of bytes copied to that buffer; if the buffer
* is too small, the function immediately returns with an error code
* (and LEN set to 0).
*
* PATH is an optional string used to locate a token. The exclamation
* mark separated tokens are used to via gcry_sexp_find_token to find
* a start point inside SEXP.
*
* The function returns 0 on success. On error an error code is
* returned, all passed MPIs that might have been allocated up to this
* point are deallocated and set to NULL, and all passed buffers are
* either truncated if the caller supplied the buffer, or deallocated
* if the function allocated the buffer.
*/
gpg_error_t gcry_sexp_extract_param (gcry_sexp_t sexp,
const char *path,
const char *list,
...) _GCRY_GCC_ATTR_SENTINEL(0);
�
/*******************************************
* *
* Multi Precision Integer Functions *
* *
*******************************************/
/* Different formats of external big integer representation. */
enum gcry_mpi_format
{
GCRYMPI_FMT_NONE= 0,
GCRYMPI_FMT_STD = 1, /* Twos complement stored without length. */
GCRYMPI_FMT_PGP = 2, /* As used by OpenPGP (unsigned only). */
GCRYMPI_FMT_SSH = 3, /* As used by SSH (like STD but with length). */
GCRYMPI_FMT_HEX = 4, /* Hex format. */
GCRYMPI_FMT_USG = 5, /* Like STD but unsigned. */
GCRYMPI_FMT_OPAQUE = 8 /* Opaque format (some functions only). */
};
/* Flags used for creating big integers. */
enum gcry_mpi_flag
{
GCRYMPI_FLAG_SECURE = 1, /* Allocate the number in "secure" memory. */
GCRYMPI_FLAG_OPAQUE = 2, /* The number is not a real one but just
a way to store some bytes. This is
useful for encrypted big integers. */
GCRYMPI_FLAG_IMMUTABLE = 4, /* Mark the MPI as immutable. */
GCRYMPI_FLAG_CONST = 8, /* Mark the MPI as a constant. */
GCRYMPI_FLAG_USER1 = 0x0100,/* User flag 1. */
GCRYMPI_FLAG_USER2 = 0x0200,/* User flag 2. */
GCRYMPI_FLAG_USER3 = 0x0400,/* User flag 3. */
GCRYMPI_FLAG_USER4 = 0x0800 /* User flag 4. */
};
/* Macros to return pre-defined MPI constants. */
#define GCRYMPI_CONST_ONE (_gcry_mpi_get_const (1))
#define GCRYMPI_CONST_TWO (_gcry_mpi_get_const (2))
#define GCRYMPI_CONST_THREE (_gcry_mpi_get_const (3))
#define GCRYMPI_CONST_FOUR (_gcry_mpi_get_const (4))
#define GCRYMPI_CONST_EIGHT (_gcry_mpi_get_const (8))
/* Allocate a new big integer object, initialize it with 0 and
initially allocate memory for a number of at least NBITS. */
gcry_mpi_t gcry_mpi_new (unsigned int nbits);
/* Same as gcry_mpi_new() but allocate in "secure" memory. */
gcry_mpi_t gcry_mpi_snew (unsigned int nbits);
/* Release the number A and free all associated resources. */
void gcry_mpi_release (gcry_mpi_t a);
/* Create a new number with the same value as A. */
gcry_mpi_t gcry_mpi_copy (const gcry_mpi_t a);
/* Store the big integer value U in W and release U. */
void gcry_mpi_snatch (gcry_mpi_t w, gcry_mpi_t u);
/* Store the big integer value U in W. */
gcry_mpi_t gcry_mpi_set (gcry_mpi_t w, const gcry_mpi_t u);
/* Store the unsigned integer value U in W. */
gcry_mpi_t gcry_mpi_set_ui (gcry_mpi_t w, unsigned long u);
/* Store U as an unsigned int at W or return GPG_ERR_ERANGE. */
gpg_error_t gcry_mpi_get_ui (unsigned int *w, gcry_mpi_t u);
/* Swap the values of A and B. */
void gcry_mpi_swap (gcry_mpi_t a, gcry_mpi_t b);
/* Return 1 if A is negative; 0 if zero or positive. */
int gcry_mpi_is_neg (gcry_mpi_t a);
/* W = - U */
void gcry_mpi_neg (gcry_mpi_t w, gcry_mpi_t u);
/* W = [W] */
void gcry_mpi_abs (gcry_mpi_t w);
/* Compare the big integer number U and V returning 0 for equality, a
positive value for U > V and a negative for U < V. */
int gcry_mpi_cmp (const gcry_mpi_t u, const gcry_mpi_t v);
/* Compare the big integer number U with the unsigned integer V
returning 0 for equality, a positive value for U > V and a negative
for U < V. */
int gcry_mpi_cmp_ui (const gcry_mpi_t u, unsigned long v);
/* Convert the external representation of an integer stored in BUFFER
with a length of BUFLEN into a newly create MPI returned in
RET_MPI. If NSCANNED is not NULL, it will receive the number of
bytes actually scanned after a successful operation. */
gcry_error_t gcry_mpi_scan (gcry_mpi_t *ret_mpi, enum gcry_mpi_format format,
const void *buffer, size_t buflen,
size_t *nscanned);
/* Convert the big integer A into the external representation
described by FORMAT and store it in the provided BUFFER which has
been allocated by the user with a size of BUFLEN bytes. NWRITTEN
receives the actual length of the external representation unless it
has been passed as NULL. */
gcry_error_t gcry_mpi_print (enum gcry_mpi_format format,
unsigned char *buffer, size_t buflen,
size_t *nwritten,
const gcry_mpi_t a);
/* Convert the big integer A into the external representation described
by FORMAT and store it in a newly allocated buffer which address
will be put into BUFFER. NWRITTEN receives the actual lengths of the
external representation. */
gcry_error_t gcry_mpi_aprint (enum gcry_mpi_format format,
unsigned char **buffer, size_t *nwritten,
const gcry_mpi_t a);
/* Dump the value of A in a format suitable for debugging to
Libgcrypt's logging stream. Note that one leading space but no
trailing space or linefeed will be printed. It is okay to pass
NULL for A. */
void gcry_mpi_dump (const gcry_mpi_t a);
/* W = U + V. */
void gcry_mpi_add (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v);
/* W = U + V. V is an unsigned integer. */
void gcry_mpi_add_ui (gcry_mpi_t w, gcry_mpi_t u, unsigned long v);
/* W = U + V mod M. */
void gcry_mpi_addm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m);
/* W = U - V. */
void gcry_mpi_sub (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v);
/* W = U - V. V is an unsigned integer. */
void gcry_mpi_sub_ui (gcry_mpi_t w, gcry_mpi_t u, unsigned long v );
/* W = U - V mod M */
void gcry_mpi_subm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m);
/* W = U * V. */
void gcry_mpi_mul (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v);
/* W = U * V. V is an unsigned integer. */
void gcry_mpi_mul_ui (gcry_mpi_t w, gcry_mpi_t u, unsigned long v );
/* W = U * V mod M. */
void gcry_mpi_mulm (gcry_mpi_t w, gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m);
/* W = U * (2 ^ CNT). */
void gcry_mpi_mul_2exp (gcry_mpi_t w, gcry_mpi_t u, unsigned long cnt);
/* Q = DIVIDEND / DIVISOR, R = DIVIDEND % DIVISOR,
Q or R may be passed as NULL. ROUND should be negative or 0. */
void gcry_mpi_div (gcry_mpi_t q, gcry_mpi_t r,
gcry_mpi_t dividend, gcry_mpi_t divisor, int round);
/* R = DIVIDEND % DIVISOR */
void gcry_mpi_mod (gcry_mpi_t r, gcry_mpi_t dividend, gcry_mpi_t divisor);
/* W = B ^ E mod M. */
void gcry_mpi_powm (gcry_mpi_t w,
const gcry_mpi_t b, const gcry_mpi_t e,
const gcry_mpi_t m);
/* Set G to the greatest common divisor of A and B.
Return true if the G is 1. */
int gcry_mpi_gcd (gcry_mpi_t g, gcry_mpi_t a, gcry_mpi_t b);
/* Set X to the multiplicative inverse of A mod M.
Return true if the value exists. */
int gcry_mpi_invm (gcry_mpi_t x, gcry_mpi_t a, gcry_mpi_t m);
/* Create a new point object. NBITS is usually 0. */
gcry_mpi_point_t gcry_mpi_point_new (unsigned int nbits);
/* Release the object POINT. POINT may be NULL. */
void gcry_mpi_point_release (gcry_mpi_point_t point);
/* Return a copy of POINT. */
gcry_mpi_point_t gcry_mpi_point_copy (gcry_mpi_point_t point);
/* Store the projective coordinates from POINT into X, Y, and Z. */
void gcry_mpi_point_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z,
gcry_mpi_point_t point);
/* Store the projective coordinates from POINT into X, Y, and Z and
release POINT. */
void gcry_mpi_point_snatch_get (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z,
gcry_mpi_point_t point);
/* Store the projective coordinates X, Y, and Z into POINT. */
gcry_mpi_point_t gcry_mpi_point_set (gcry_mpi_point_t point,
gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_t z);
/* Store the projective coordinates X, Y, and Z into POINT and release
X, Y, and Z. */
gcry_mpi_point_t gcry_mpi_point_snatch_set (gcry_mpi_point_t point,
gcry_mpi_t x, gcry_mpi_t y,
gcry_mpi_t z);
/* Allocate a new context for elliptic curve operations based on the
parameters given by KEYPARAM or using CURVENAME. */
gpg_error_t gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
gcry_sexp_t keyparam, const char *curvename);
/* Get a named MPI from an elliptic curve context. */
gcry_mpi_t gcry_mpi_ec_get_mpi (const char *name, gcry_ctx_t ctx, int copy);
/* Get a named point from an elliptic curve context. */
gcry_mpi_point_t gcry_mpi_ec_get_point (const char *name,
gcry_ctx_t ctx, int copy);
/* Store a named MPI into an elliptic curve context. */
gpg_error_t gcry_mpi_ec_set_mpi (const char *name, gcry_mpi_t newvalue,
gcry_ctx_t ctx);
/* Store a named point into an elliptic curve context. */
gpg_error_t gcry_mpi_ec_set_point (const char *name, gcry_mpi_point_t newvalue,
gcry_ctx_t ctx);
/* Decode and store VALUE into RESULT. */
gpg_error_t gcry_mpi_ec_decode_point (gcry_mpi_point_t result,
gcry_mpi_t value, gcry_ctx_t ctx);
/* Store the affine coordinates of POINT into X and Y. */
int gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_point_t point,
gcry_ctx_t ctx);
/* W = 2 * U. */
void gcry_mpi_ec_dup (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_ctx_t ctx);
/* W = U + V. */
void gcry_mpi_ec_add (gcry_mpi_point_t w,
gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx);
/* W = U - V. */
void gcry_mpi_ec_sub (gcry_mpi_point_t w,
gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx);
/* W = N * U. */
void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u,
gcry_ctx_t ctx);
/* Return true if POINT is on the curve described by CTX. */
int gcry_mpi_ec_curve_point (gcry_mpi_point_t w, gcry_ctx_t ctx);
/* Return the number of bits required to represent A. */
unsigned int gcry_mpi_get_nbits (gcry_mpi_t a);
/* Return true when bit number N (counting from 0) is set in A. */
int gcry_mpi_test_bit (gcry_mpi_t a, unsigned int n);
/* Set bit number N in A. */
void gcry_mpi_set_bit (gcry_mpi_t a, unsigned int n);
/* Clear bit number N in A. */
void gcry_mpi_clear_bit (gcry_mpi_t a, unsigned int n);
/* Set bit number N in A and clear all bits greater than N. */
void gcry_mpi_set_highbit (gcry_mpi_t a, unsigned int n);
/* Clear bit number N in A and all bits greater than N. */
void gcry_mpi_clear_highbit (gcry_mpi_t a, unsigned int n);
/* Shift the value of A by N bits to the right and store the result in X. */
void gcry_mpi_rshift (gcry_mpi_t x, gcry_mpi_t a, unsigned int n);
/* Shift the value of A by N bits to the left and store the result in X. */
void gcry_mpi_lshift (gcry_mpi_t x, gcry_mpi_t a, unsigned int n);
/* Store NBITS of the value P points to in A and mark A as an opaque
value. On success A received the the ownership of the value P.
WARNING: Never use an opaque MPI for anything thing else than
gcry_mpi_release, gcry_mpi_get_opaque. */
gcry_mpi_t gcry_mpi_set_opaque (gcry_mpi_t a, void *p, unsigned int nbits);
/* Store NBITS of the value P points to in A and mark A as an opaque
value. The function takes a copy of the provided value P.
WARNING: Never use an opaque MPI for anything thing else than
gcry_mpi_release, gcry_mpi_get_opaque. */
gcry_mpi_t gcry_mpi_set_opaque_copy (gcry_mpi_t a,
const void *p, unsigned int nbits);
/* Return a pointer to an opaque value stored in A and return its size
in NBITS. Note that the returned pointer is still owned by A and
that the function should never be used for an non-opaque MPI. */
void *gcry_mpi_get_opaque (gcry_mpi_t a, unsigned int *nbits);
/* Set the FLAG for the big integer A. Currently only the flag
GCRYMPI_FLAG_SECURE is allowed to convert A into an big intger
stored in "secure" memory. */
void gcry_mpi_set_flag (gcry_mpi_t a, enum gcry_mpi_flag flag);
/* Clear FLAG for the big integer A. Note that this function is
currently useless as no flags are allowed. */
void gcry_mpi_clear_flag (gcry_mpi_t a, enum gcry_mpi_flag flag);
/* Return true if the FLAG is set for A. */
int gcry_mpi_get_flag (gcry_mpi_t a, enum gcry_mpi_flag flag);
/* Private function - do not use. */
gcry_mpi_t _gcry_mpi_get_const (int no);
/* Unless the GCRYPT_NO_MPI_MACROS is used, provide a couple of
convenience macros for the big integer functions. */
#ifndef GCRYPT_NO_MPI_MACROS
#define mpi_new(n) gcry_mpi_new( (n) )
#define mpi_secure_new( n ) gcry_mpi_snew( (n) )
#define mpi_release(a) \
do \
{ \
gcry_mpi_release ((a)); \
(a) = NULL; \
} \
while (0)
#define mpi_copy( a ) gcry_mpi_copy( (a) )
#define mpi_snatch( w, u) gcry_mpi_snatch( (w), (u) )
#define mpi_set( w, u) gcry_mpi_set( (w), (u) )
#define mpi_set_ui( w, u) gcry_mpi_set_ui( (w), (u) )
#define mpi_get_ui( w, u) gcry_mpi_get_ui( (w), (u) )
#define mpi_abs( w ) gcry_mpi_abs( (w) )
#define mpi_neg( w, u) gcry_mpi_neg( (w), (u) )
#define mpi_cmp( u, v ) gcry_mpi_cmp( (u), (v) )
#define mpi_cmp_ui( u, v ) gcry_mpi_cmp_ui( (u), (v) )
#define mpi_is_neg( a ) gcry_mpi_is_neg ((a))
#define mpi_add_ui(w,u,v) gcry_mpi_add_ui((w),(u),(v))
#define mpi_add(w,u,v) gcry_mpi_add ((w),(u),(v))
#define mpi_addm(w,u,v,m) gcry_mpi_addm ((w),(u),(v),(m))
#define mpi_sub_ui(w,u,v) gcry_mpi_sub_ui ((w),(u),(v))
#define mpi_sub(w,u,v) gcry_mpi_sub ((w),(u),(v))
#define mpi_subm(w,u,v,m) gcry_mpi_subm ((w),(u),(v),(m))
#define mpi_mul_ui(w,u,v) gcry_mpi_mul_ui ((w),(u),(v))
#define mpi_mul_2exp(w,u,v) gcry_mpi_mul_2exp ((w),(u),(v))
#define mpi_mul(w,u,v) gcry_mpi_mul ((w),(u),(v))
#define mpi_mulm(w,u,v,m) gcry_mpi_mulm ((w),(u),(v),(m))
#define mpi_powm(w,b,e,m) gcry_mpi_powm ( (w), (b), (e), (m) )
#define mpi_tdiv(q,r,a,m) gcry_mpi_div ( (q), (r), (a), (m), 0)
#define mpi_fdiv(q,r,a,m) gcry_mpi_div ( (q), (r), (a), (m), -1)
#define mpi_mod(r,a,m) gcry_mpi_mod ((r), (a), (m))
#define mpi_gcd(g,a,b) gcry_mpi_gcd ( (g), (a), (b) )
#define mpi_invm(g,a,b) gcry_mpi_invm ( (g), (a), (b) )
#define mpi_point_new(n) gcry_mpi_point_new((n))
#define mpi_point_release(p) \
do \
{ \
gcry_mpi_point_release ((p)); \
(p) = NULL; \
} \
while (0)
#define mpi_point_copy(p) gcry_mpi_point_copy((p))
#define mpi_point_get(x,y,z,p) gcry_mpi_point_get((x),(y),(z),(p))
#define mpi_point_snatch_get(x,y,z,p) gcry_mpi_point_snatch_get((x),(y),(z),(p))
#define mpi_point_set(p,x,y,z) gcry_mpi_point_set((p),(x),(y),(z))
#define mpi_point_snatch_set(p,x,y,z) gcry_mpi_point_snatch_set((p),(x),(y),(z))
#define mpi_get_nbits(a) gcry_mpi_get_nbits ((a))
#define mpi_test_bit(a,b) gcry_mpi_test_bit ((a),(b))
#define mpi_set_bit(a,b) gcry_mpi_set_bit ((a),(b))
#define mpi_set_highbit(a,b) gcry_mpi_set_highbit ((a),(b))
#define mpi_clear_bit(a,b) gcry_mpi_clear_bit ((a),(b))
#define mpi_clear_highbit(a,b) gcry_mpi_clear_highbit ((a),(b))
#define mpi_rshift(a,b,c) gcry_mpi_rshift ((a),(b),(c))
#define mpi_lshift(a,b,c) gcry_mpi_lshift ((a),(b),(c))
#define mpi_set_opaque(a,b,c) gcry_mpi_set_opaque( (a), (b), (c) )
#define mpi_get_opaque(a,b) gcry_mpi_get_opaque( (a), (b) )
#endif /* GCRYPT_NO_MPI_MACROS */
�
/************************************
* *
* Symmetric Cipher Functions *
* *
************************************/
/* The data object used to hold a handle to an encryption object. */
struct gcry_cipher_handle;
typedef struct gcry_cipher_handle *gcry_cipher_hd_t;
#ifndef GCRYPT_NO_DEPRECATED
typedef struct gcry_cipher_handle *GCRY_CIPHER_HD _GCRY_GCC_ATTR_DEPRECATED;
typedef struct gcry_cipher_handle *GcryCipherHd _GCRY_GCC_ATTR_DEPRECATED;
#endif
/* All symmetric encryption algorithms are identified by their IDs.
More IDs may be registered at runtime. */
enum gcry_cipher_algos
{
GCRY_CIPHER_NONE = 0,
GCRY_CIPHER_IDEA = 1,
GCRY_CIPHER_3DES = 2,
GCRY_CIPHER_CAST5 = 3,
GCRY_CIPHER_BLOWFISH = 4,
GCRY_CIPHER_SAFER_SK128 = 5,
GCRY_CIPHER_DES_SK = 6,
GCRY_CIPHER_AES = 7,
GCRY_CIPHER_AES192 = 8,
GCRY_CIPHER_AES256 = 9,
GCRY_CIPHER_TWOFISH = 10,
/* Other cipher numbers are above 300 for OpenPGP reasons. */
GCRY_CIPHER_ARCFOUR = 301, /* Fully compatible with RSA's RC4 (tm). */
GCRY_CIPHER_DES = 302, /* Yes, this is single key 56 bit DES. */
GCRY_CIPHER_TWOFISH128 = 303,
GCRY_CIPHER_SERPENT128 = 304,
GCRY_CIPHER_SERPENT192 = 305,
GCRY_CIPHER_SERPENT256 = 306,
GCRY_CIPHER_RFC2268_40 = 307, /* Ron's Cipher 2 (40 bit). */
GCRY_CIPHER_RFC2268_128 = 308, /* Ron's Cipher 2 (128 bit). */
GCRY_CIPHER_SEED = 309, /* 128 bit cipher described in RFC4269. */
GCRY_CIPHER_CAMELLIA128 = 310,
GCRY_CIPHER_CAMELLIA192 = 311,
GCRY_CIPHER_CAMELLIA256 = 312,
GCRY_CIPHER_SALSA20 = 313,
GCRY_CIPHER_SALSA20R12 = 314,
GCRY_CIPHER_GOST28147 = 315,
GCRY_CIPHER_CHACHA20 = 316,
GCRY_CIPHER_GOST28147_MESH = 317, /* With CryptoPro key meshing. */
GCRY_CIPHER_SM4 = 318
};
/* The Rijndael algorithm is basically AES, so provide some macros. */
#define GCRY_CIPHER_AES128 GCRY_CIPHER_AES
#define GCRY_CIPHER_RIJNDAEL GCRY_CIPHER_AES
#define GCRY_CIPHER_RIJNDAEL128 GCRY_CIPHER_AES128
#define GCRY_CIPHER_RIJNDAEL192 GCRY_CIPHER_AES192
#define GCRY_CIPHER_RIJNDAEL256 GCRY_CIPHER_AES256
/* The supported encryption modes. Note that not all of them are
supported for each algorithm. */
enum gcry_cipher_modes
{
GCRY_CIPHER_MODE_NONE = 0, /* Not yet specified. */
GCRY_CIPHER_MODE_ECB = 1, /* Electronic codebook. */
GCRY_CIPHER_MODE_CFB = 2, /* Cipher feedback. */
GCRY_CIPHER_MODE_CBC = 3, /* Cipher block chaining. */
GCRY_CIPHER_MODE_STREAM = 4, /* Used with stream ciphers. */
GCRY_CIPHER_MODE_OFB = 5, /* Outer feedback. */
GCRY_CIPHER_MODE_CTR = 6, /* Counter. */
GCRY_CIPHER_MODE_AESWRAP = 7, /* AES-WRAP algorithm. */
GCRY_CIPHER_MODE_CCM = 8, /* Counter with CBC-MAC. */
GCRY_CIPHER_MODE_GCM = 9, /* Galois Counter Mode. */
GCRY_CIPHER_MODE_POLY1305 = 10, /* Poly1305 based AEAD mode. */
GCRY_CIPHER_MODE_OCB = 11, /* OCB3 mode. */
GCRY_CIPHER_MODE_CFB8 = 12, /* Cipher feedback (8 bit mode). */
GCRY_CIPHER_MODE_XTS = 13, /* XTS mode. */
GCRY_CIPHER_MODE_EAX = 14, /* EAX mode. */
GCRY_CIPHER_MODE_SIV = 15, /* SIV mode. */
GCRY_CIPHER_MODE_GCM_SIV = 16 /* GCM-SIV mode. */
};
/* Flags used with the open function. */
enum gcry_cipher_flags
{
GCRY_CIPHER_SECURE = 1, /* Allocate in secure memory. */
GCRY_CIPHER_ENABLE_SYNC = 2, /* Enable CFB sync mode. */
GCRY_CIPHER_CBC_CTS = 4, /* Enable CBC cipher text stealing (CTS). */
- GCRY_CIPHER_CBC_MAC = 8 /* Enable CBC message auth. code (MAC). */
+ GCRY_CIPHER_CBC_MAC = 8, /* Enable CBC message auth. code (MAC). */
+ GCRY_CIPHER_EXTENDED = 16 /* Enable extended AES-WRAP. */
};
/* GCM works only with blocks of 128 bits */
#define GCRY_GCM_BLOCK_LEN (128 / 8)
/* CCM works only with blocks of 128 bits. */
#define GCRY_CCM_BLOCK_LEN (128 / 8)
/* OCB works only with blocks of 128 bits. */
#define GCRY_OCB_BLOCK_LEN (128 / 8)
/* XTS works only with blocks of 128 bits. */
#define GCRY_XTS_BLOCK_LEN (128 / 8)
/* SIV and GCM-SIV works only with blocks of 128 bits */
#define GCRY_SIV_BLOCK_LEN (128 / 8)
/* Create a handle for algorithm ALGO to be used in MODE. FLAGS may
be given as an bitwise OR of the gcry_cipher_flags values. */
gcry_error_t gcry_cipher_open (gcry_cipher_hd_t *handle,
int algo, int mode, unsigned int flags);
/* Close the cipher handle H and release all resource. */
void gcry_cipher_close (gcry_cipher_hd_t h);
/* Perform various operations on the cipher object H. */
gcry_error_t gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer,
size_t buflen);
/* Retrieve various information about the cipher object H. */
gcry_error_t gcry_cipher_info (gcry_cipher_hd_t h, int what, void *buffer,
size_t *nbytes);
/* Retrieve various information about the cipher algorithm ALGO. */
gcry_error_t gcry_cipher_algo_info (int algo, int what, void *buffer,
size_t *nbytes);
/* Map the cipher algorithm whose ID is contained in ALGORITHM to a
string representation of the algorithm name. For unknown algorithm
IDs this function returns "?". */
const char *gcry_cipher_algo_name (int algorithm) _GCRY_GCC_ATTR_PURE;
/* Map the algorithm name NAME to an cipher algorithm ID. Return 0 if
the algorithm name is not known. */
int gcry_cipher_map_name (const char *name) _GCRY_GCC_ATTR_PURE;
/* Given an ASN.1 object identifier in standard IETF dotted decimal
format in STRING, return the encryption mode associated with that
OID or 0 if not known or applicable. */
int gcry_cipher_mode_from_oid (const char *string) _GCRY_GCC_ATTR_PURE;
/* Encrypt the plaintext of size INLEN in IN using the cipher handle H
into the buffer OUT which has an allocated length of OUTSIZE. For
most algorithms it is possible to pass NULL for in and 0 for INLEN
and do a in-place decryption of the data provided in OUT. */
gcry_error_t gcry_cipher_encrypt (gcry_cipher_hd_t h,
void *out, size_t outsize,
const void *in, size_t inlen);
/* The counterpart to gcry_cipher_encrypt. */
gcry_error_t gcry_cipher_decrypt (gcry_cipher_hd_t h,
void *out, size_t outsize,
const void *in, size_t inlen);
/* Set KEY of length KEYLEN bytes for the cipher handle HD. */
gcry_error_t gcry_cipher_setkey (gcry_cipher_hd_t hd,
const void *key, size_t keylen);
/* Set initialization vector IV of length IVLEN for the cipher handle HD. */
gcry_error_t gcry_cipher_setiv (gcry_cipher_hd_t hd,
const void *iv, size_t ivlen);
/* Provide additional authentication data for AEAD modes/ciphers. */
gcry_error_t gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
size_t abuflen);
/* Get authentication tag for AEAD modes/ciphers. */
gcry_error_t gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag,
size_t taglen);
/* Check authentication tag for AEAD modes/ciphers. */
gcry_error_t gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag,
size_t taglen);
/* Reset the handle to the state after open. */
#define gcry_cipher_reset(h) gcry_cipher_ctl ((h), GCRYCTL_RESET, NULL, 0)
/* Perform the OpenPGP sync operation if this is enabled for the
cipher handle H. */
#define gcry_cipher_sync(h) gcry_cipher_ctl( (h), GCRYCTL_CFB_SYNC, NULL, 0)
/* Enable or disable CTS in future calls to gcry_encrypt(). CBC mode only. */
#define gcry_cipher_cts(h,on) gcry_cipher_ctl( (h), GCRYCTL_SET_CBC_CTS, \
NULL, on )
#define gcry_cipher_set_sbox(h,oid) gcry_cipher_ctl( (h), GCRYCTL_SET_SBOX, \
(void *) oid, 0);
/* Indicate to the encrypt and decrypt functions that the next call
provides the final data. Only used with some modes. */
#define gcry_cipher_final(a) \
gcry_cipher_ctl ((a), GCRYCTL_FINALIZE, NULL, 0)
/* Set counter for CTR mode. (CTR,CTRLEN) must denote a buffer of
block size length, or (NULL,0) to set the CTR to the all-zero block. */
gpg_error_t gcry_cipher_setctr (gcry_cipher_hd_t hd,
const void *ctr, size_t ctrlen);
/* Retrieve the key length in bytes used with algorithm A. */
size_t gcry_cipher_get_algo_keylen (int algo);
/* Retrieve the block length in bytes used with algorithm A. */
size_t gcry_cipher_get_algo_blklen (int algo);
/* Return 0 if the algorithm A is available for use. */
#define gcry_cipher_test_algo(a) \
gcry_cipher_algo_info( (a), GCRYCTL_TEST_ALGO, NULL, NULL )
/* Setup tag for decryption (for SIV and GCM-SIV mode). */
#define gcry_cipher_set_decryption_tag(a, tag, taglen) \
gcry_cipher_ctl ((a), GCRYCTL_SET_DECRYPTION_TAG, \
(void *)(tag), (taglen))
�
/************************************
* *
* Asymmetric Cipher Functions *
* *
************************************/
/* The algorithms and their IDs we support. */
enum gcry_pk_algos
{
GCRY_PK_RSA = 1, /* RSA */
GCRY_PK_RSA_E = 2, /* (deprecated: use 1). */
GCRY_PK_RSA_S = 3, /* (deprecated: use 1). */
GCRY_PK_ELG_E = 16, /* (deprecated: use 20). */
GCRY_PK_DSA = 17, /* Digital Signature Algorithm. */
GCRY_PK_ECC = 18, /* Generic ECC. */
GCRY_PK_ELG = 20, /* Elgamal */
GCRY_PK_ECDSA = 301, /* (only for external use). */
GCRY_PK_ECDH = 302, /* (only for external use). */
GCRY_PK_EDDSA = 303 /* (only for external use). */
};
/* Flags describing usage capabilities of a PK algorithm. */
#define GCRY_PK_USAGE_SIGN 1 /* Good for signatures. */
#define GCRY_PK_USAGE_ENCR 2 /* Good for encryption. */
#define GCRY_PK_USAGE_CERT 4 /* Good to certify other keys. */
#define GCRY_PK_USAGE_AUTH 8 /* Good for authentication. */
#define GCRY_PK_USAGE_UNKN 128 /* Unknown usage flag. */
/* Modes used with gcry_pubkey_get_sexp. */
#define GCRY_PK_GET_PUBKEY 1
#define GCRY_PK_GET_SECKEY 2
/* Encrypt the DATA using the public key PKEY and store the result as
a newly created S-expression at RESULT. */
gcry_error_t gcry_pk_encrypt (gcry_sexp_t *result,
gcry_sexp_t data, gcry_sexp_t pkey);
/* Decrypt the DATA using the private key SKEY and store the result as
a newly created S-expression at RESULT. */
gcry_error_t gcry_pk_decrypt (gcry_sexp_t *result,
gcry_sexp_t data, gcry_sexp_t skey);
/* Sign the DATA using the private key SKEY and store the result as
a newly created S-expression at RESULT. */
gcry_error_t gcry_pk_sign (gcry_sexp_t *result,
gcry_sexp_t data, gcry_sexp_t skey);
/* Check the signature SIGVAL on DATA using the public key PKEY. */
gcry_error_t gcry_pk_verify (gcry_sexp_t sigval,
gcry_sexp_t data, gcry_sexp_t pkey);
/* Check that private KEY is sane. */
gcry_error_t gcry_pk_testkey (gcry_sexp_t key);
/* Generate a new key pair according to the parameters given in
S_PARMS. The new key pair is returned in as an S-expression in
R_KEY. */
gcry_error_t gcry_pk_genkey (gcry_sexp_t *r_key, gcry_sexp_t s_parms);
/* Catch all function for miscellaneous operations. */
gcry_error_t gcry_pk_ctl (int cmd, void *buffer, size_t buflen);
/* Retrieve information about the public key algorithm ALGO. */
gcry_error_t gcry_pk_algo_info (int algo, int what,
void *buffer, size_t *nbytes);
/* Map the public key algorithm whose ID is contained in ALGORITHM to
a string representation of the algorithm name. For unknown
algorithm IDs this functions returns "?". */
const char *gcry_pk_algo_name (int algorithm) _GCRY_GCC_ATTR_PURE;
/* Map the algorithm NAME to a public key algorithm Id. Return 0 if
the algorithm name is not known. */
int gcry_pk_map_name (const char* name) _GCRY_GCC_ATTR_PURE;
/* Return what is commonly referred as the key length for the given
public or private KEY. */
unsigned int gcry_pk_get_nbits (gcry_sexp_t key) _GCRY_GCC_ATTR_PURE;
/* Return the so called KEYGRIP which is the SHA-1 hash of the public
key parameters expressed in a way depending on the algorithm. */
unsigned char *gcry_pk_get_keygrip (gcry_sexp_t key, unsigned char *array);
/* Return the name of the curve matching KEY. */
const char *gcry_pk_get_curve (gcry_sexp_t key, int iterator,
unsigned int *r_nbits);
/* Return an S-expression with the parameters of the named ECC curve
NAME. ALGO must be set to an ECC algorithm. */
gcry_sexp_t gcry_pk_get_param (int algo, const char *name);
/* Return 0 if the public key algorithm A is available for use. */
#define gcry_pk_test_algo(a) \
gcry_pk_algo_info( (a), GCRYCTL_TEST_ALGO, NULL, NULL )
/* Return an S-expression representing the context CTX. */
gcry_error_t gcry_pubkey_get_sexp (gcry_sexp_t *r_sexp,
int mode, gcry_ctx_t ctx);
�
/************************************
* *
* Modern ECC Functions *
* *
************************************/
/* The curves we support. */
enum gcry_ecc_curves
{
GCRY_ECC_CURVE25519 = 1,
GCRY_ECC_CURVE448 = 2
};
/* Get the length of point to prepare buffer for the result. */
unsigned int gcry_ecc_get_algo_keylen (int curveid);
/* Convenience function to compute scalar multiplication of the
* Montgomery form of curve. */
gpg_error_t gcry_ecc_mul_point (int curveid, unsigned char *result,
const unsigned char *scalar,
const unsigned char *point);
�
/************************************
* *
* Cryptograhic Hash Functions *
* *
************************************/
/* Algorithm IDs for the hash functions we know about. Not all of them
are implemented. */
enum gcry_md_algos
{
GCRY_MD_NONE = 0,
GCRY_MD_MD5 = 1,
GCRY_MD_SHA1 = 2,
GCRY_MD_RMD160 = 3,
GCRY_MD_MD2 = 5,
GCRY_MD_TIGER = 6, /* TIGER/192 as used by gpg <= 1.3.2. */
GCRY_MD_HAVAL = 7, /* HAVAL, 5 pass, 160 bit. */
GCRY_MD_SHA256 = 8,
GCRY_MD_SHA384 = 9,
GCRY_MD_SHA512 = 10,
GCRY_MD_SHA224 = 11,
GCRY_MD_MD4 = 301,
GCRY_MD_CRC32 = 302,
GCRY_MD_CRC32_RFC1510 = 303,
GCRY_MD_CRC24_RFC2440 = 304,
GCRY_MD_WHIRLPOOL = 305,
GCRY_MD_TIGER1 = 306, /* TIGER fixed. */
GCRY_MD_TIGER2 = 307, /* TIGER2 variant. */
GCRY_MD_GOSTR3411_94 = 308, /* GOST R 34.11-94. */
GCRY_MD_STRIBOG256 = 309, /* GOST R 34.11-2012, 256 bit. */
GCRY_MD_STRIBOG512 = 310, /* GOST R 34.11-2012, 512 bit. */
GCRY_MD_GOSTR3411_CP = 311, /* GOST R 34.11-94 with CryptoPro-A S-Box. */
GCRY_MD_SHA3_224 = 312,
GCRY_MD_SHA3_256 = 313,
GCRY_MD_SHA3_384 = 314,
GCRY_MD_SHA3_512 = 315,
GCRY_MD_SHAKE128 = 316,
GCRY_MD_SHAKE256 = 317,
GCRY_MD_BLAKE2B_512 = 318,
GCRY_MD_BLAKE2B_384 = 319,
GCRY_MD_BLAKE2B_256 = 320,
GCRY_MD_BLAKE2B_160 = 321,
GCRY_MD_BLAKE2S_256 = 322,
GCRY_MD_BLAKE2S_224 = 323,
GCRY_MD_BLAKE2S_160 = 324,
GCRY_MD_BLAKE2S_128 = 325,
GCRY_MD_SM3 = 326,
GCRY_MD_SHA512_256 = 327,
GCRY_MD_SHA512_224 = 328
};
/* Flags used with the open function. */
enum gcry_md_flags
{
GCRY_MD_FLAG_SECURE = 1, /* Allocate all buffers in "secure" memory. */
GCRY_MD_FLAG_HMAC = 2, /* Make an HMAC out of this algorithm. */
GCRY_MD_FLAG_BUGEMU1 = 0x0100
};
/* (Forward declaration.) */
struct gcry_md_context;
/* This object is used to hold a handle to a message digest object.
This structure is private - only to be used by the public gcry_md_*
macros. */
typedef struct gcry_md_handle
{
/* Actual context. */
struct gcry_md_context *ctx;
/* Buffer management. */
int bufpos;
int bufsize;
unsigned char buf[1];
} *gcry_md_hd_t;
/* Compatibility types, do not use them. */
#ifndef GCRYPT_NO_DEPRECATED
typedef struct gcry_md_handle *GCRY_MD_HD _GCRY_GCC_ATTR_DEPRECATED;
typedef struct gcry_md_handle *GcryMDHd _GCRY_GCC_ATTR_DEPRECATED;
#endif
/* Create a message digest object for algorithm ALGO. FLAGS may be
given as an bitwise OR of the gcry_md_flags values. ALGO may be
given as 0 if the algorithms to be used are later set using
gcry_md_enable. */
gcry_error_t gcry_md_open (gcry_md_hd_t *h, int algo, unsigned int flags);
/* Release the message digest object HD. */
void gcry_md_close (gcry_md_hd_t hd);
/* Add the message digest algorithm ALGO to the digest object HD. */
gcry_error_t gcry_md_enable (gcry_md_hd_t hd, int algo);
/* Create a new digest object as an exact copy of the object HD. */
gcry_error_t gcry_md_copy (gcry_md_hd_t *bhd, gcry_md_hd_t ahd);
/* Reset the digest object HD to its initial state. */
void gcry_md_reset (gcry_md_hd_t hd);
/* Perform various operations on the digest object HD. */
gcry_error_t gcry_md_ctl (gcry_md_hd_t hd, int cmd,
void *buffer, size_t buflen);
/* Pass LENGTH bytes of data in BUFFER to the digest object HD so that
it can update the digest values. This is the actual hash
function. */
void gcry_md_write (gcry_md_hd_t hd, const void *buffer, size_t length);
/* Read out the final digest from HD return the digest value for
algorithm ALGO. */
unsigned char *gcry_md_read (gcry_md_hd_t hd, int algo);
/* Read more output from algorithm ALGO to BUFFER of size LENGTH from
* digest object HD. Algorithm needs to be 'expendable-output function'. */
gpg_error_t gcry_md_extract (gcry_md_hd_t hd, int algo, void *buffer,
size_t length);
/* Convenience function to calculate the hash from the data in BUFFER
of size LENGTH using the algorithm ALGO avoiding the creation of a
hash object. The hash is returned in the caller provided buffer
DIGEST which must be large enough to hold the digest of the given
algorithm. */
void gcry_md_hash_buffer (int algo, void *digest,
const void *buffer, size_t length);
/* Convenience function to hash multiple buffers. */
gpg_error_t gcry_md_hash_buffers (int algo, unsigned int flags, void *digest,
const gcry_buffer_t *iov, int iovcnt);
/* Retrieve the algorithm used with HD. This does not work reliable
if more than one algorithm is enabled in HD. */
int gcry_md_get_algo (gcry_md_hd_t hd);
/* Retrieve the length in bytes of the digest yielded by algorithm
ALGO. */
unsigned int gcry_md_get_algo_dlen (int algo);
/* Return true if the the algorithm ALGO is enabled in the digest
object A. */
int gcry_md_is_enabled (gcry_md_hd_t a, int algo);
/* Return true if the digest object A is allocated in "secure" memory. */
int gcry_md_is_secure (gcry_md_hd_t a);
/* Deprecated: Use gcry_md_is_enabled or gcry_md_is_secure. */
gcry_error_t gcry_md_info (gcry_md_hd_t h, int what, void *buffer,
size_t *nbytes) _GCRY_ATTR_INTERNAL;
/* Retrieve various information about the algorithm ALGO. */
gcry_error_t gcry_md_algo_info (int algo, int what, void *buffer,
size_t *nbytes);
/* Map the digest algorithm id ALGO to a string representation of the
algorithm name. For unknown algorithms this function returns
"?". */
const char *gcry_md_algo_name (int algo) _GCRY_GCC_ATTR_PURE;
/* Map the algorithm NAME to a digest algorithm Id. Return 0 if
the algorithm name is not known. */
int gcry_md_map_name (const char* name) _GCRY_GCC_ATTR_PURE;
/* For use with the HMAC feature, the set MAC key to the KEY of
KEYLEN bytes. */
gcry_error_t gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen);
/* Start or stop debugging for digest handle HD; i.e. create a file
named dbgmd-. while hashing. If SUFFIX is NULL,
debugging stops and the file will be closed. */
void gcry_md_debug (gcry_md_hd_t hd, const char *suffix);
/* Update the hash(s) of H with the character C. This is a buffered
version of the gcry_md_write function. */
#define gcry_md_putc(h,c) \
do { \
gcry_md_hd_t h__ = (h); \
if( (h__)->bufpos == (h__)->bufsize ) \
gcry_md_write( (h__), NULL, 0 ); \
(h__)->buf[(h__)->bufpos++] = (c) & 0xff; \
} while(0)
/* Finalize the digest calculation. This is not really needed because
gcry_md_read() does this implicitly. */
#define gcry_md_final(a) \
gcry_md_ctl ((a), GCRYCTL_FINALIZE, NULL, 0)
/* Return 0 if the algorithm A is available for use. */
#define gcry_md_test_algo(a) \
gcry_md_algo_info( (a), GCRYCTL_TEST_ALGO, NULL, NULL )
/* Return an DER encoded ASN.1 OID for the algorithm A in buffer B. N
must point to size_t variable with the available size of buffer B.
After return it will receive the actual size of the returned
OID. */
#define gcry_md_get_asnoid(a,b,n) \
gcry_md_algo_info((a), GCRYCTL_GET_ASNOID, (b), (n))
�
/**********************************************
* *
* Message Authentication Code Functions *
* *
**********************************************/
/* The data object used to hold a handle to an encryption object. */
struct gcry_mac_handle;
typedef struct gcry_mac_handle *gcry_mac_hd_t;
/* Algorithm IDs for the hash functions we know about. Not all of them
are implemented. */
enum gcry_mac_algos
{
GCRY_MAC_NONE = 0,
GCRY_MAC_GOST28147_IMIT = 1,
GCRY_MAC_HMAC_SHA256 = 101,
GCRY_MAC_HMAC_SHA224 = 102,
GCRY_MAC_HMAC_SHA512 = 103,
GCRY_MAC_HMAC_SHA384 = 104,
GCRY_MAC_HMAC_SHA1 = 105,
GCRY_MAC_HMAC_MD5 = 106,
GCRY_MAC_HMAC_MD4 = 107,
GCRY_MAC_HMAC_RMD160 = 108,
GCRY_MAC_HMAC_TIGER1 = 109, /* The fixed TIGER variant */
GCRY_MAC_HMAC_WHIRLPOOL = 110,
GCRY_MAC_HMAC_GOSTR3411_94 = 111,
GCRY_MAC_HMAC_STRIBOG256 = 112,
GCRY_MAC_HMAC_STRIBOG512 = 113,
GCRY_MAC_HMAC_MD2 = 114,
GCRY_MAC_HMAC_SHA3_224 = 115,
GCRY_MAC_HMAC_SHA3_256 = 116,
GCRY_MAC_HMAC_SHA3_384 = 117,
GCRY_MAC_HMAC_SHA3_512 = 118,
GCRY_MAC_HMAC_GOSTR3411_CP = 119,
GCRY_MAC_HMAC_BLAKE2B_512 = 120,
GCRY_MAC_HMAC_BLAKE2B_384 = 121,
GCRY_MAC_HMAC_BLAKE2B_256 = 122,
GCRY_MAC_HMAC_BLAKE2B_160 = 123,
GCRY_MAC_HMAC_BLAKE2S_256 = 124,
GCRY_MAC_HMAC_BLAKE2S_224 = 125,
GCRY_MAC_HMAC_BLAKE2S_160 = 126,
GCRY_MAC_HMAC_BLAKE2S_128 = 127,
GCRY_MAC_HMAC_SM3 = 128,
GCRY_MAC_HMAC_SHA512_256 = 129,
GCRY_MAC_HMAC_SHA512_224 = 130,
GCRY_MAC_CMAC_AES = 201,
GCRY_MAC_CMAC_3DES = 202,
GCRY_MAC_CMAC_CAMELLIA = 203,
GCRY_MAC_CMAC_CAST5 = 204,
GCRY_MAC_CMAC_BLOWFISH = 205,
GCRY_MAC_CMAC_TWOFISH = 206,
GCRY_MAC_CMAC_SERPENT = 207,
GCRY_MAC_CMAC_SEED = 208,
GCRY_MAC_CMAC_RFC2268 = 209,
GCRY_MAC_CMAC_IDEA = 210,
GCRY_MAC_CMAC_GOST28147 = 211,
GCRY_MAC_CMAC_SM4 = 212,
GCRY_MAC_GMAC_AES = 401,
GCRY_MAC_GMAC_CAMELLIA = 402,
GCRY_MAC_GMAC_TWOFISH = 403,
GCRY_MAC_GMAC_SERPENT = 404,
GCRY_MAC_GMAC_SEED = 405,
GCRY_MAC_POLY1305 = 501,
GCRY_MAC_POLY1305_AES = 502,
GCRY_MAC_POLY1305_CAMELLIA = 503,
GCRY_MAC_POLY1305_TWOFISH = 504,
GCRY_MAC_POLY1305_SERPENT = 505,
GCRY_MAC_POLY1305_SEED = 506
};
/* Flags used with the open function. */
enum gcry_mac_flags
{
GCRY_MAC_FLAG_SECURE = 1 /* Allocate all buffers in "secure" memory. */
};
/* Create a MAC handle for algorithm ALGO. FLAGS may be given as an bitwise OR
of the gcry_mac_flags values. CTX maybe NULL or gcry_ctx_t object to be
associated with HANDLE. */
gcry_error_t gcry_mac_open (gcry_mac_hd_t *handle, int algo,
unsigned int flags, gcry_ctx_t ctx);
/* Close the MAC handle H and release all resource. */
void gcry_mac_close (gcry_mac_hd_t h);
/* Perform various operations on the MAC object H. */
gcry_error_t gcry_mac_ctl (gcry_mac_hd_t h, int cmd, void *buffer,
size_t buflen);
/* Retrieve various information about the MAC algorithm ALGO. */
gcry_error_t gcry_mac_algo_info (int algo, int what, void *buffer,
size_t *nbytes);
/* Set KEY of length KEYLEN bytes for the MAC handle HD. */
gcry_error_t gcry_mac_setkey (gcry_mac_hd_t hd, const void *key,
size_t keylen);
/* Set initialization vector IV of length IVLEN for the MAC handle HD. */
gcry_error_t gcry_mac_setiv (gcry_mac_hd_t hd, const void *iv,
size_t ivlen);
/* Pass LENGTH bytes of data in BUFFER to the MAC object HD so that
it can update the MAC values. */
gcry_error_t gcry_mac_write (gcry_mac_hd_t hd, const void *buffer,
size_t length);
/* Read out the final authentication code from the MAC object HD to BUFFER. */
gcry_error_t gcry_mac_read (gcry_mac_hd_t hd, void *buffer, size_t *buflen);
/* Verify the final authentication code from the MAC object HD with BUFFER. */
gcry_error_t gcry_mac_verify (gcry_mac_hd_t hd, const void *buffer,
size_t buflen);
/* Retrieve the algorithm used with MAC. */
int gcry_mac_get_algo (gcry_mac_hd_t hd);
/* Retrieve the length in bytes of the MAC yielded by algorithm ALGO. */
unsigned int gcry_mac_get_algo_maclen (int algo);
/* Retrieve the default key length in bytes used with algorithm A. */
unsigned int gcry_mac_get_algo_keylen (int algo);
/* Map the MAC algorithm whose ID is contained in ALGORITHM to a
string representation of the algorithm name. For unknown algorithm
IDs this function returns "?". */
const char *gcry_mac_algo_name (int algorithm) _GCRY_GCC_ATTR_PURE;
/* Map the algorithm name NAME to an MAC algorithm ID. Return 0 if
the algorithm name is not known. */
int gcry_mac_map_name (const char *name) _GCRY_GCC_ATTR_PURE;
/* Reset the handle to the state after open/setkey. */
#define gcry_mac_reset(h) gcry_mac_ctl ((h), GCRYCTL_RESET, NULL, 0)
/* Return 0 if the algorithm A is available for use. */
#define gcry_mac_test_algo(a) \
gcry_mac_algo_info( (a), GCRYCTL_TEST_ALGO, NULL, NULL )
�
/******************************
* *
* Key Derivation Functions *
* *
******************************/
/* Algorithm IDs for the KDFs. */
enum gcry_kdf_algos
{
GCRY_KDF_NONE = 0,
GCRY_KDF_SIMPLE_S2K = 16,
GCRY_KDF_SALTED_S2K = 17,
GCRY_KDF_ITERSALTED_S2K = 19,
GCRY_KDF_PBKDF1 = 33,
GCRY_KDF_PBKDF2 = 34,
GCRY_KDF_SCRYPT = 48
};
/* Derive a key from a passphrase. */
gpg_error_t gcry_kdf_derive (const void *passphrase, size_t passphraselen,
int algo, int subalgo,
const void *salt, size_t saltlen,
unsigned long iterations,
size_t keysize, void *keybuffer);
�
/************************************
* *
* Random Generating Functions *
* *
************************************/
/* The type of the random number generator. */
enum gcry_rng_types
{
GCRY_RNG_TYPE_STANDARD = 1, /* The default CSPRNG generator. */
GCRY_RNG_TYPE_FIPS = 2, /* The FIPS X9.31 AES generator. */
GCRY_RNG_TYPE_SYSTEM = 3 /* The system's native generator. */
};
/* The possible values for the random quality. The rule of thumb is
to use STRONG for session keys and VERY_STRONG for key material.
WEAK is usually an alias for STRONG and should not be used anymore
(except with gcry_mpi_randomize); use gcry_create_nonce instead. */
typedef enum gcry_random_level
{
GCRY_WEAK_RANDOM = 0,
GCRY_STRONG_RANDOM = 1,
GCRY_VERY_STRONG_RANDOM = 2
}
gcry_random_level_t;
/* Fill BUFFER with LENGTH bytes of random, using random numbers of
quality LEVEL. */
void gcry_randomize (void *buffer, size_t length,
enum gcry_random_level level);
/* Add the external random from BUFFER with LENGTH bytes into the
pool. QUALITY should either be -1 for unknown or in the range of 0
to 100 */
gcry_error_t gcry_random_add_bytes (const void *buffer, size_t length,
int quality);
/* If random numbers are used in an application, this macro should be
called from time to time so that new stuff gets added to the
internal pool of the RNG. */
#define gcry_fast_random_poll() gcry_control (GCRYCTL_FAST_POLL, NULL)
/* Return NBYTES of allocated random using a random numbers of quality
LEVEL. */
void *gcry_random_bytes (size_t nbytes, enum gcry_random_level level)
_GCRY_GCC_ATTR_MALLOC;
/* Return NBYTES of allocated random using a random numbers of quality
LEVEL. The random is returned in "secure" memory. */
void *gcry_random_bytes_secure (size_t nbytes, enum gcry_random_level level)
_GCRY_GCC_ATTR_MALLOC;
/* Set the big integer W to a random value of NBITS using a random
generator with quality LEVEL. Note that by using a level of
GCRY_WEAK_RANDOM gcry_create_nonce is used internally. */
void gcry_mpi_randomize (gcry_mpi_t w,
unsigned int nbits, enum gcry_random_level level);
/* Create an unpredicable nonce of LENGTH bytes in BUFFER. */
void gcry_create_nonce (void *buffer, size_t length);
�
/*******************************/
/* */
/* Prime Number Functions */
/* */
/*******************************/
/* Mode values passed to a gcry_prime_check_func_t. */
#define GCRY_PRIME_CHECK_AT_FINISH 0
#define GCRY_PRIME_CHECK_AT_GOT_PRIME 1
#define GCRY_PRIME_CHECK_AT_MAYBE_PRIME 2
/* The function should return 1 if the operation shall continue, 0 to
reject the prime candidate. */
typedef int (*gcry_prime_check_func_t) (void *arg, int mode,
gcry_mpi_t candidate);
/* Flags for gcry_prime_generate(): */
/* Allocate prime numbers and factors in secure memory. */
#define GCRY_PRIME_FLAG_SECRET (1 << 0)
/* Make sure that at least one prime factor is of size
`FACTOR_BITS'. */
#define GCRY_PRIME_FLAG_SPECIAL_FACTOR (1 << 1)
/* Generate a new prime number of PRIME_BITS bits and store it in
PRIME. If FACTOR_BITS is non-zero, one of the prime factors of
(prime - 1) / 2 must be FACTOR_BITS bits long. If FACTORS is
non-zero, allocate a new, NULL-terminated array holding the prime
factors and store it in FACTORS. FLAGS might be used to influence
the prime number generation process. */
gcry_error_t gcry_prime_generate (gcry_mpi_t *prime,
unsigned int prime_bits,
unsigned int factor_bits,
gcry_mpi_t **factors,
gcry_prime_check_func_t cb_func,
void *cb_arg,
gcry_random_level_t random_level,
unsigned int flags);
/* Find a generator for PRIME where the factorization of (prime-1) is
in the NULL terminated array FACTORS. Return the generator as a
newly allocated MPI in R_G. If START_G is not NULL, use this as
the start for the search. */
gcry_error_t gcry_prime_group_generator (gcry_mpi_t *r_g,
gcry_mpi_t prime,
gcry_mpi_t *factors,
gcry_mpi_t start_g);
/* Convenience function to release the FACTORS array. */
void gcry_prime_release_factors (gcry_mpi_t *factors);
/* Check whether the number X is prime. */
gcry_error_t gcry_prime_check (gcry_mpi_t x, unsigned int flags);
�
/************************************
* *
* Miscellaneous Stuff *
* *
************************************/
/* Release the context object CTX. */
void gcry_ctx_release (gcry_ctx_t ctx);
/* Log data using Libgcrypt's own log interface. */
void gcry_log_debug (const char *fmt, ...) _GCRY_GCC_ATTR_PRINTF(1,2);
void gcry_log_debughex (const char *text, const void *buffer, size_t length);
void gcry_log_debugmpi (const char *text, gcry_mpi_t mpi);
void gcry_log_debugpnt (const char *text,
gcry_mpi_point_t point, gcry_ctx_t ctx);
void gcry_log_debugsxp (const char *text, gcry_sexp_t sexp);
char *gcry_get_config (int mode, const char *what);
/* Log levels used by the internal logging facility. */
enum gcry_log_levels
{
GCRY_LOG_CONT = 0, /* (Continue the last log line.) */
GCRY_LOG_INFO = 10,
GCRY_LOG_WARN = 20,
GCRY_LOG_ERROR = 30,
GCRY_LOG_FATAL = 40,
GCRY_LOG_BUG = 50,
GCRY_LOG_DEBUG = 100
};
/* Type for progress handlers. */
typedef void (*gcry_handler_progress_t) (void *, const char *, int, int, int);
/* Type for memory allocation handlers. */
typedef void *(*gcry_handler_alloc_t) (size_t n);
/* Type for secure memory check handlers. */
typedef int (*gcry_handler_secure_check_t) (const void *);
/* Type for memory reallocation handlers. */
typedef void *(*gcry_handler_realloc_t) (void *p, size_t n);
/* Type for memory free handlers. */
typedef void (*gcry_handler_free_t) (void *);
/* Type for out-of-memory handlers. */
typedef int (*gcry_handler_no_mem_t) (void *, size_t, unsigned int);
/* Type for fatal error handlers. */
typedef void (*gcry_handler_error_t) (void *, int, const char *);
/* Type for logging handlers. */
typedef void (*gcry_handler_log_t) (void *, int, const char *, va_list);
/* Certain operations can provide progress information. This function
is used to register a handler for retrieving these information. */
void gcry_set_progress_handler (gcry_handler_progress_t cb, void *cb_data);
/* Register a custom memory allocation functions. */
void gcry_set_allocation_handler (
gcry_handler_alloc_t func_alloc,
gcry_handler_alloc_t func_alloc_secure,
gcry_handler_secure_check_t func_secure_check,
gcry_handler_realloc_t func_realloc,
gcry_handler_free_t func_free);
/* Register a function used instead of the internal out of memory
handler. */
void gcry_set_outofcore_handler (gcry_handler_no_mem_t h, void *opaque);
/* Register a function used instead of the internal fatal error
handler. */
void gcry_set_fatalerror_handler (gcry_handler_error_t fnc, void *opaque);
/* Register a function used instead of the internal logging
facility. */
void gcry_set_log_handler (gcry_handler_log_t f, void *opaque);
/* Reserved for future use. */
void gcry_set_gettext_handler (const char *(*f)(const char*));
/* Libgcrypt uses its own memory allocation. It is important to use
gcry_free () to release memory allocated by libgcrypt. */
void *gcry_malloc (size_t n) _GCRY_GCC_ATTR_MALLOC;
void *gcry_calloc (size_t n, size_t m) _GCRY_GCC_ATTR_MALLOC;
void *gcry_malloc_secure (size_t n) _GCRY_GCC_ATTR_MALLOC;
void *gcry_calloc_secure (size_t n, size_t m) _GCRY_GCC_ATTR_MALLOC;
void *gcry_realloc (void *a, size_t n);
char *gcry_strdup (const char *string) _GCRY_GCC_ATTR_MALLOC;
void *gcry_xmalloc (size_t n) _GCRY_GCC_ATTR_MALLOC;
void *gcry_xcalloc (size_t n, size_t m) _GCRY_GCC_ATTR_MALLOC;
void *gcry_xmalloc_secure (size_t n) _GCRY_GCC_ATTR_MALLOC;
void *gcry_xcalloc_secure (size_t n, size_t m) _GCRY_GCC_ATTR_MALLOC;
void *gcry_xrealloc (void *a, size_t n);
char *gcry_xstrdup (const char * a) _GCRY_GCC_ATTR_MALLOC;
void gcry_free (void *a);
/* Return true if A is allocated in "secure" memory. */
int gcry_is_secure (const void *a) _GCRY_GCC_ATTR_PURE;
/* Return true if Libgcrypt is in FIPS mode. */
#define gcry_fips_mode_active() !!gcry_control (GCRYCTL_FIPS_MODE_P, 0)
/* Variant of gcry_pk_sign which takes as additional parameter a HD
* handle for hash and an optional context. The hash algorithm used by the
* handle needs to be enabled and input needs to be supplied beforehand.
* DATA-TMPL specifies a template to compose an S-expression to be signed.
* A template should include '(hash %s %b)' or '(hash ALGONAME %b)'.
* For the former case, '%s' is substituted by the string of algorithm
* of gcry_md_get_algo (HD) and when gcry_md_read is called, ALGO=0 is
* used internally. For the latter case, hash algorithm by ALGONAME
* is used when gcry_md_read is called internally.
* The hash handle must not yet been finalized; the function
* takes a copy of the state and does a finalize on the copy. This
* function shall be used if a policy requires that hashing and signing
* is done by the same function. CTX is currently not used and should
* be passed as NULL. */
gcry_error_t gcry_pk_hash_sign (gcry_sexp_t *result,
const char *data_tmpl, gcry_sexp_t skey,
gcry_md_hd_t hd, gcry_ctx_t ctx);
/* Variant of gcry_pk_verify which takes as additional parameter a HD
* handle for hash and an optional context. Similar to gcry_pk_hash_sign. */
gcry_error_t gcry_pk_hash_verify (gcry_sexp_t sigval,
const char *data_tmpl, gcry_sexp_t pkey,
gcry_md_hd_t hd, gcry_ctx_t ctx);
gcry_error_t gcry_pk_random_override_new (gcry_ctx_t *r_ctx,
const unsigned char *p, size_t len);
#if 0 /* (Keep Emacsens' auto-indent happy.) */
{
#endif
#ifdef __cplusplus
}
#endif
#endif /* _GCRYPT_H */
/*
@emacs_local_vars_begin@
@emacs_local_vars_read_only@
@emacs_local_vars_end@
*/
diff --git a/tests/aeswrap.c b/tests/aeswrap.c
index 7c7e60bf..21632ed3 100644
--- a/tests/aeswrap.c
+++ b/tests/aeswrap.c
@@ -1,284 +1,438 @@
/* aeswrap.c - AESWRAP mode regression tests
* Copyright (C) 2009 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#ifdef HAVE_CONFIG_H
#include
#endif
#include
#include
#include
#include
#define PGM "aeswrap"
#include "t-common.h"
static void
check_one (int algo,
const void *kek, size_t keklen,
const void *data, size_t datalen,
const void *expected, size_t expectedlen,
int inplace)
{
gcry_error_t err;
gcry_cipher_hd_t hd;
unsigned char outbuf[32+8];
size_t outbuflen;
err = gcry_cipher_open (&hd, algo, GCRY_CIPHER_MODE_AESWRAP, 0);
if (err)
{
fail ("gcry_cipher_open failed: %s\n", gpg_strerror (err));
return;
}
err = gcry_cipher_setkey (hd, kek, keklen);
if (err)
{
fail ("gcry_cipher_setkey failed: %s\n", gpg_strerror (err));
return;
}
outbuflen = datalen + 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, data, datalen);
err = gcry_cipher_encrypt (hd, outbuf, outbuflen, outbuf, datalen);
}
else
{
err = gcry_cipher_encrypt (hd, outbuf, outbuflen, data, datalen);
}
if (err)
{
fail ("gcry_cipher_encrypt failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != expectedlen || memcmp (outbuf, expected, expectedlen))
{
const unsigned char *s;
int i;
fail ("mismatch at encryption!%s\n", inplace ? " (inplace)" : "");
fprintf (stderr, "computed: ");
for (i = 0; i < outbuflen; i++)
fprintf (stderr, "%02x ", outbuf[i]);
fprintf (stderr, "\nexpected: ");
for (s = expected, i = 0; i < expectedlen; s++, i++)
fprintf (stderr, "%02x ", *s);
putc ('\n', stderr);
}
outbuflen = expectedlen - 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, expected, expectedlen);
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, outbuf, expectedlen);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
}
if (err)
{
fail ("gcry_cipher_decrypt failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != datalen || memcmp (outbuf, data, datalen))
{
const unsigned char *s;
int i;
fail ("mismatch at decryption!%s\n", inplace ? " (inplace)" : "");
fprintf (stderr, "computed: ");
for (i = 0; i < outbuflen; i++)
fprintf (stderr, "%02x ", outbuf[i]);
fprintf (stderr, "\nexpected: ");
for (s = data, i = 0; i < datalen; s++, i++)
fprintf (stderr, "%02x ", *s);
putc ('\n', stderr);
}
/* Now the last step again with a key reset. */
gcry_cipher_reset (hd);
outbuflen = expectedlen - 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, expected, expectedlen);
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, outbuf, expectedlen);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
}
if (err)
{
fail ("gcry_cipher_decrypt(2) failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != datalen || memcmp (outbuf, data, datalen))
fail ("mismatch at decryption(2)!%s\n", inplace ? " (inplace)" : "");
/* And once more without a key reset. */
outbuflen = expectedlen - 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, expected, expectedlen);
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, outbuf, expectedlen);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
}
if (err)
{
fail ("gcry_cipher_decrypt(3) failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != datalen || memcmp (outbuf, data, datalen))
fail ("mismatch at decryption(3)!%s\n", inplace ? " (inplace)" : "");
gcry_cipher_close (hd);
}
static void
check (int algo,
const void *kek, size_t keklen,
const void *data, size_t datalen,
const void *expected, size_t expectedlen)
{
check_one (algo, kek, keklen, data, datalen, expected, expectedlen, 0);
check_one (algo, kek, keklen, data, datalen, expected, expectedlen, 1);
}
+static void
+check_one_with_padding (int algo,
+ const void *kek, size_t keklen,
+ const void *data, size_t datalen,
+ const void *expected, size_t expectedlen)
+{
+ gcry_error_t err;
+ gcry_cipher_hd_t hd;
+ unsigned char outbuf[4*16];
+ size_t outbuflen;
+
+ err = gcry_cipher_open (&hd, algo, GCRY_CIPHER_MODE_AESWRAP,
+ GCRY_CIPHER_EXTENDED);
+ if (err)
+ {
+ fail ("gcry_cipher_open failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ err = gcry_cipher_setkey (hd, kek, keklen);
+ if (err)
+ {
+ fail ("gcry_cipher_setkey failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ outbuflen = ((datalen+7)/8) * 8 + 8;
+ if (outbuflen > sizeof outbuf)
+ {
+ err = gpg_error (GPG_ERR_INTERNAL);
+ }
+ else
+ {
+ err = gcry_cipher_encrypt (hd, outbuf, outbuflen, data, datalen);
+ }
+
+ if (err)
+ {
+ fail ("gcry_cipher_encrypt failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ if (outbuflen != expectedlen || memcmp (outbuf, expected, expectedlen))
+ {
+ const unsigned char *s;
+ int i;
+
+ fail ("mismatch at encryption!(padding)\n");
+ fprintf (stderr, "computed: ");
+ for (i = 0; i < outbuflen; i++)
+ fprintf (stderr, "%02x ", outbuf[i]);
+ fprintf (stderr, "\nexpected: ");
+ for (s = expected, i = 0; i < expectedlen; s++, i++)
+ fprintf (stderr, "%02x ", *s);
+ putc ('\n', stderr);
+ }
+
+ outbuflen = ((datalen+7)/8) * 8 + 8;
+ if (outbuflen > sizeof outbuf)
+ {
+ err = gpg_error (GPG_ERR_INTERNAL);
+ }
+ else
+ {
+ err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
+ }
+
+ if (err)
+ {
+ fail ("gcry_cipher_decrypt failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ if (memcmp (outbuf, data, datalen))
+ {
+ const unsigned char *s;
+ int i;
+
+ fail ("mismatch at decryption!(padding)\n");
+ fprintf (stderr, "computed: ");
+ for (i = 0; i < outbuflen; i++)
+ fprintf (stderr, "%02x ", outbuf[i]);
+ fprintf (stderr, "\nexpected: ");
+ for (s = data, i = 0; i < datalen; s++, i++)
+ fprintf (stderr, "%02x ", *s);
+ putc ('\n', stderr);
+ }
+
+ /* Now the last step again with a key reset. */
+ gcry_cipher_reset (hd);
+
+ outbuflen = ((datalen+7)/8) * 8 + 8;
+ if (outbuflen > sizeof outbuf)
+ {
+ err = gpg_error (GPG_ERR_INTERNAL);
+ }
+ else
+ {
+ err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
+ }
+
+ if (err)
+ {
+ fail ("gcry_cipher_decrypt(2) failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ if (memcmp (outbuf, data, datalen))
+ fail ("mismatch at decryption(2)(padding)!\n");
+
+ /* And once more without a key reset. */
+ outbuflen = ((datalen+7)/8) * 8 + 8;
+ if (outbuflen > sizeof outbuf)
+ {
+ err = gpg_error (GPG_ERR_INTERNAL);
+ }
+ else
+ {
+ err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
+ }
+
+ if (err)
+ {
+ fail ("gcry_cipher_decrypt(3) failed: %s\n", gpg_strerror (err));
+ return;
+ }
+
+ if (memcmp (outbuf, data, datalen))
+ fail ("mismatch at decryption(3)(padding)!\n");
+
+ gcry_cipher_close (hd);
+}
+
+
static void
check_all (void)
{
if (verbose)
fprintf (stderr, "4.1 Wrap 128 bits of Key Data with a 128-bit KEK\n");
check
(GCRY_CIPHER_AES128,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 16,
"\x1F\xA6\x8B\x0A\x81\x12\xB4\x47\xAE\xF3\x4B\xD8\xFB\x5A\x7B\x82"
"\x9D\x3E\x86\x23\x71\xD2\xCF\xE5", 24);
if (verbose)
fprintf (stderr, "4.2 Wrap 128 bits of Key Data with a 192-bit KEK\n");
check
(GCRY_CIPHER_AES192,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17", 24,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 16,
"\x96\x77\x8B\x25\xAE\x6C\xA4\x35\xF9\x2B\x5B\x97\xC0\x50\xAE\xD2"
"\x46\x8A\xB8\xA1\x7A\xD8\x4E\x5D", 24);
if (verbose)
fprintf (stderr, "4.3 Wrap 128 bits of Key Data with a 256-bit KEK\n");
check
(GCRY_CIPHER_AES256,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 32,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 16,
"\x64\xE8\xC3\xF9\xCE\x0F\x5B\xA2\x63\xE9\x77\x79\x05\x81\x8A\x2A"
"\x93\xC8\x19\x1E\x7D\x6E\x8A\xE7", 24);
if (verbose)
fprintf (stderr, "4.4 Wrap 192 bits of Key Data with a 192-bit KEK\n");
check
(GCRY_CIPHER_AES192,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17", 24,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
"\x00\x01\x02\x03\x04\x05\x06\x07", 24,
"\x03\x1D\x33\x26\x4E\x15\xD3\x32\x68\xF2\x4E\xC2\x60\x74\x3E\xDC"
"\xE1\xC6\xC7\xDD\xEE\x72\x5A\x93\x6B\xA8\x14\x91\x5C\x67\x62\xD2", 32);
if (verbose)
fprintf (stderr, "4.5 Wrap 192 bits of Key Data with a 256-bit KEK\n");
check
(GCRY_CIPHER_AES256,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 32,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
"\x00\x01\x02\x03\x04\x05\x06\x07", 24,
"\xA8\xF9\xBC\x16\x12\xC6\x8B\x3F\xF6\xE6\xF4\xFB\xE3\x0E\x71\xE4"
"\x76\x9C\x8B\x80\xA3\x2C\xB8\x95\x8C\xD5\xD1\x7D\x6B\x25\x4D\xA1", 32);
if (verbose)
fprintf (stderr, "4.6 Wrap 256 bits of Key Data with a 256-bit KEK\n");
check
(GCRY_CIPHER_AES,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 32,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 32,
"\x28\xC9\xF4\x04\xC4\xB8\x10\xF4\xCB\xCC\xB3\x5C\xFB\x87\xF8\x26"
"\x3F\x57\x86\xE2\xD8\x0E\xD3\x26\xCB\xC7\xF0\xE7\x1A\x99\xF4\x3B"
"\xFB\x98\x8B\x9B\x7A\x02\xDD\x21", 40);
+
+ if (verbose)
+ fprintf (stderr, "6 Wrap 160 bits of Key Data with a 192-bit KEK\n");
+ check_one_with_padding
+ (GCRY_CIPHER_AES192,
+ "\x58\x40\xdf\x6e\x29\xb0\x2a\xf1\xab\x49\x3b\x70\x5b\xf1\x6e\xa1"
+ "\xae\x83\x38\xf4\xdc\xc1\x76\xa8", 24,
+ "\xc3\x7b\x7e\x64\x92\x58\x43\x40\xbe\xd1\x22\x07\x80\x89\x41\x15"
+ "\x50\x68\xf7\x38", 20,
+ "\x13\x8b\xde\xaa\x9b\x8f\xa7\xfc\x61\xf9\x77\x42\xe7\x22\x48\xee"
+ "\x5a\xe6\xae\x53\x60\xd1\xae\x6a\x5f\x54\xf3\x73\xfa\x54\x3b\x6a", 32);
+
+ if (verbose)
+ fprintf (stderr, "6 Wrap 56 bits of Key Data with a 192-bit KEK\n");
+ check_one_with_padding
+ (GCRY_CIPHER_AES192,
+ "\x58\x40\xdf\x6e\x29\xb0\x2a\xf1\xab\x49\x3b\x70\x5b\xf1\x6e\xa1"
+ "\xae\x83\x38\xf4\xdc\xc1\x76\xa8", 24,
+ "\x46\x6f\x72\x50\x61\x73\x69", 7,
+ "\xaf\xbe\xb0\xf0\x7d\xfb\xf5\x41\x92\x00\xf2\xcc\xb5\x0b\xb2\x4f", 16);
}
int
main (int argc, char **argv)
{
if (argc > 1 && !strcmp (argv[1], "--verbose"))
verbose = 1;
else if (argc > 1 && !strcmp (argv[1], "--debug"))
verbose = debug = 1;
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
if (debug)
xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
check_all ();
return error_count ? 1 : 0;
}