diff --git a/cipher/cipher-aeswrap.c b/cipher/cipher-aeswrap.c
index 86c4897f..62987d0f 100644
--- a/cipher/cipher-aeswrap.c
+++ b/cipher/cipher-aeswrap.c
@@ -1,410 +1,375 @@
/* cipher-aeswrap.c - Generic AESWRAP mode implementation
* Copyright (C) 2009, 2011 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser general Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "g10lib.h"
#include "cipher.h"
#include "bufhelp.h"
#include "./cipher-internal.h"
/* Perform the wrap algorithm W as specified by NIST SP 800-38F.
Cipher block size must be 128-bit. */
static gcry_err_code_t
wrap (gcry_cipher_hd_t c, byte *outbuf, size_t inbuflen)
{
int j, x;
size_t n, i;
unsigned char *r, *a, *b;
unsigned char t[8];
unsigned int burn, nburn;
#if MAX_BLOCKSIZE < 8
#error Invalid block size
#endif
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
/* Input data must be multiple of 64 bits. */
if (inbuflen % 8)
return GPG_ERR_INV_ARG;
n = inbuflen / 8;
/* We need at least three 64 bit blocks. */
if (n < 3)
return GPG_ERR_INV_ARG;
burn = 0;
r = outbuf;
a = outbuf; /* We store A directly in OUTBUF. */
b = c->u_ctr.ctr; /* B is also used to concatenate stuff. */
memset (t, 0, sizeof t); /* t := 0. */
for (j = 0; j <= 5; j++)
{
for (i = 1; i < n; i++)
{
/* B := CIPH_k( A | R[i] ) */
memcpy (b, a, 8);
memcpy (b+8, r+i*8, 8);
nburn = c->spec->encrypt (&c->context.c, b, b);
burn = nburn > burn ? nburn : burn;
/* t := t + 1 */
for (x = 7; x >= 0; x--)
if (++t[x])
break;
/* A := MSB_64(B) ^ t */
cipher_block_xor (a, b, t, 8);
/* R[i] := LSB_64(B) */
memcpy (r+i*8, b+8, 8);
}
}
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
return 0;
}
/* Perform the Key Wrap algorithm as specified by RFC3394. We
implement this as a mode usable with any cipher algorithm of
blocksize 128. */
gcry_err_code_t
_gcry_cipher_keywrap_encrypt (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t err;
unsigned char *r = outbuf;
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
/* The output buffer must be able to hold the input data plus one
additional block. */
if (outbuflen < inbuflen + 8)
return GPG_ERR_BUFFER_TOO_SHORT;
/* Input data must be multiple of 64 bits. */
if (inbuflen % 8)
return GPG_ERR_INV_ARG;
/* We need at least two 64 bit blocks. */
if ((inbuflen / 8) < 2)
return GPG_ERR_INV_ARG;
/* Copy the inbuf to the outbuf. */
memmove (r+8, inbuf, inbuflen);
/* If an IV has been set we use that IV as the Alternative Initial
Value; if it has not been set we use the standard value. */
if (c->marks.iv)
memcpy (r, c->u_iv.iv, 8);
else
memset (r, 0xa6, 8);
err = wrap (c, r, inbuflen + 8);
return err;
}
static const unsigned char icv2[] = { 0xA6, 0x59, 0x59, 0xA6 };
/* Perform the Key Wrap algorithm as specified by RFC5649. */
gcry_err_code_t
_gcry_cipher_keywrap_encrypt_padding (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t err;
unsigned char *r = outbuf;
unsigned int padlen;
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
/* The output buffer must be able to hold the input data plus one
additional block and padding. */
if (outbuflen < ((inbuflen + 7)/8)*8 + 8)
return GPG_ERR_BUFFER_TOO_SHORT;
if (inbuflen % 8)
padlen = 8 - (inbuflen % 8);
else
padlen = 0;
memcpy (r, icv2, 4);
r[4] = ((inbuflen >> 24) & 0xff);
r[5] = ((inbuflen >> 16) & 0xff);
r[6] = ((inbuflen >> 8) & 0xff);
r[7] = (inbuflen & 0xff);
memcpy (r+8, inbuf, inbuflen);
if (padlen)
memset (r+8+inbuflen, 0, padlen);
if (inbuflen <= 8)
{
unsigned int burn;
burn = c->spec->encrypt (&c->context.c, r, r);
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
err = 0;
}
else
err = wrap (c, r, ((inbuflen + 7)/8)*8 + 8);
return err;
}
/* Perform the unwrap algorithm W^-1 as specified by NIST SP 800-38F.
Cipher block size must be 128-bit. */
static gcry_err_code_t
unwrap (gcry_cipher_hd_t c, byte *outbuf, const byte *inbuf, size_t inbuflen)
{
int j, x;
size_t n, i;
unsigned char *r, *a, *b;
unsigned char t[8];
unsigned int burn, nburn;
#if MAX_BLOCKSIZE < 8
#error Invalid block size
#endif
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
/* Input data must be multiple of 64 bits. */
if (inbuflen % 8)
return GPG_ERR_INV_ARG;
n = inbuflen / 8;
/* We need at least three 64 bit blocks. */
if (n < 3)
return GPG_ERR_INV_ARG;
burn = 0;
r = outbuf;
a = c->lastiv; /* We use c->LASTIV as buffer for A. */
b = c->u_ctr.ctr; /* B is also used to concatenate stuff. */
/* Copy the inbuf to the outbuf and save A. */
memcpy (a, inbuf, 8);
memmove (r, inbuf+8, inbuflen-8);
n--; /* Reduce to actual number of data blocks. */
/* t := 6 * n */
i = n * 6; /* The range is valid because: n = inbuflen / 8 - 1. */
for (x=0; x < 8 && x < sizeof (i); x++)
t[7-x] = i >> (8*x);
for (; x < 8; x++)
t[7-x] = 0;
for (j = 5; j >= 0; j--)
{
for (i = n; i >= 1; i--)
{
/* B := CIPH_k^-1( (A ^ t)| R[i] ) */
cipher_block_xor (b, a, t, 8);
memcpy (b+8, r+(i-1)*8, 8);
nburn = c->spec->decrypt (&c->context.c, b, b);
burn = nburn > burn ? nburn : burn;
/* t := t - 1 */
for (x = 7; x >= 0; x--)
if (--t[x] != 0xff)
break;
/* A := MSB_64(B) */
memcpy (a, b, 8);
/* R[i] := LSB_64(B) */
memcpy (r+(i-1)*8, b+8, 8);
}
}
wipememory (b, 16); /* Clear scratch area. */
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
return 0;
}
-/* Perform the Key Unwrap algorithm as specified by RFC3394. We
- implement this as a mode usable with any cipher algorithm of
- blocksize 128. */
-gcry_err_code_t
-_gcry_cipher_keywrap_decrypt (gcry_cipher_hd_t c,
- byte *outbuf, size_t outbuflen,
- const byte *inbuf, size_t inbuflen)
-{
- gcry_err_code_t err;
-
- /* We require a cipher with a 128 bit block length. */
- if (c->spec->blocksize != 16)
- return GPG_ERR_INV_LENGTH;
-
- /* The output buffer must be able to hold the input data minus one
- additional block. Fixme: The caller has more restrictive checks
- - we may want to fix them for this mode. */
- if (outbuflen + 8 < inbuflen)
- return GPG_ERR_BUFFER_TOO_SHORT;
- /* Input data must be multiple of 64 bits. */
- if (inbuflen % 8)
- return GPG_ERR_INV_ARG;
-
- /* We need at least three 64 bit blocks. */
- if ((inbuflen / 8) < 3)
- return GPG_ERR_INV_ARG;
-
- err = unwrap (c, outbuf, inbuf, inbuflen);
- if (!err)
- {
- int j, x;
- unsigned char *a;
-
- a = c->lastiv; /* We use c->LASTIV as buffer for A. */
-
- /* If an IV has been set we compare against this Alternative Initial
- Value; if it has not been set we compare against the standard IV. */
- if (c->marks.iv)
- j = memcmp (a, c->u_iv.iv, 8);
- else
- {
- for (j=0, x=0; x < 8; x++)
- if (a[x] != 0xa6)
- {
- j=1;
- break;
- }
- }
-
- if (j)
- err = GPG_ERR_CHECKSUM;
- }
-
- return err;
-}
-
-/* Perform the Key Unwrap algorithm as specified by RFC5649. */
+/* Perform the Key Unwrap algorithm as specified by RFC3394 and
+ RFC5649. */
gcry_err_code_t
-_gcry_cipher_keywrap_decrypt_padding (gcry_cipher_hd_t c,
- byte *outbuf, size_t outbuflen,
- const byte *inbuf, size_t inbuflen)
+_gcry_cipher_keywrap_decrypt_auto (gcry_cipher_hd_t c,
+ byte *outbuf, size_t outbuflen,
+ const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t err;
/* We require a cipher with a 128 bit block length. */
if (c->spec->blocksize != 16)
return GPG_ERR_INV_LENGTH;
/* The output buffer must be able to hold the input data minus one
additional block. Fixme: The caller has more restrictive checks
- we may want to fix them for this mode. */
if (outbuflen + 8 < inbuflen)
return GPG_ERR_BUFFER_TOO_SHORT;
/* Input data must be multiple of 64 bits. */
if (inbuflen % 8)
return GPG_ERR_INV_ARG;
if (inbuflen == 16)
{
unsigned int burn;
unsigned char t[16];
burn = c->spec->decrypt (&c->context.c, t, inbuf);
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
if (memcmp (t, icv2, 4))
err = GPG_ERR_CHECKSUM;
else
{
unsigned int plen = (t[4]<<24) | (t[5]<<16) | (t[6]<<8) | t[7];
err = 0;
if (plen > 8)
err = GPG_ERR_CHECKSUM;
else if (plen)
{
int i;
for (i = 0; i < 16 - (8+plen); i++)
if (t[8+plen+i])
{
err = GPG_ERR_CHECKSUM;
break;
}
if (!err)
- memcpy (outbuf, t+8, plen);
+ {
+ memcpy (outbuf, t+8, 8);
+ memcpy (c->u_mode.wrap.plen, t+4, 4);
+ }
}
}
}
else
{
/* We need at least three 64 bit blocks. */
if ((inbuflen / 8) < 3)
return GPG_ERR_INV_ARG;
err = unwrap (c, outbuf, inbuf, inbuflen);
if (!err)
{
unsigned char *a;
a = c->lastiv; /* We use c->LASTIV as buffer for A. */
- if (memcmp (a, icv2, 4))
- err = GPG_ERR_CHECKSUM;
- else
+ /* If an IV has been set we compare against this Alternative Initial
+ Value; if it has not been set we compare against the standard IV. */
+ if (c->marks.iv && !memcmp (a, c->u_iv.iv, 8))
+ memset (c->u_mode.wrap.plen, 0, 4);
+ else if (!memcmp (a, icv2, 4)) /* It's a packet wrapped by KWP. */
{
unsigned int plen = (a[4]<<24) | (a[5]<<16) | (a[6]<<8) | a[7];
int padlen = inbuflen - 8 - plen;
if (padlen < 0 || padlen > 7)
err = GPG_ERR_CHECKSUM;
else if (padlen)
{
int i;
for (i = 0; i < padlen; i++)
if (outbuf[plen+i])
{
err = GPG_ERR_CHECKSUM;
break;
}
}
+ if (!err)
+ memcpy (c->u_mode.wrap.plen, a+4, 4);
+ }
+ else /* It's a packet wrapped by KW. */
+ {
+ int i;
+
+ for (i = 0; i < 8; i++)
+ if (a[i] != 0xa6)
+ {
+ err = GPG_ERR_CHECKSUM;
+ break;
+ }
+ if (!err)
+ memset (c->u_mode.wrap.plen, 0, 4);
}
}
}
return err;
}
diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index 534aa77b..c8a1097a 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -1,946 +1,946 @@
/* cipher-internal.h - Internal defs for cipher.c
* Copyright (C) 2011 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser general Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
#ifndef G10_CIPHER_INTERNAL_H
#define G10_CIPHER_INTERNAL_H
#include "./poly1305-internal.h"
/* The maximum supported size of a block in bytes. */
#define MAX_BLOCKSIZE 16
/* The length for an OCB block. Although OCB supports any block
length it does not make sense to use a 64 bit blocklen (and cipher)
because this reduces the security margin to an unacceptable state.
Thus we require a cipher with 128 bit blocklength. */
#define OCB_BLOCK_LEN (128/8)
/* The size of the pre-computed L table for OCB. This takes the same
size as the table used for GCM and thus we don't save anything by
not using such a table. */
#define OCB_L_TABLE_SIZE 16
/* Check the above constants. */
#if OCB_BLOCK_LEN > MAX_BLOCKSIZE
# error OCB_BLOCKLEN > MAX_BLOCKSIZE
#endif
/* Magic values for the context structure. */
#define CTX_MAGIC_NORMAL 0x24091964
#define CTX_MAGIC_SECURE 0x46919042
/* Try to use 16 byte aligned cipher context for better performance.
We use the aligned attribute, thus it is only possible to implement
this with gcc. */
#undef NEED_16BYTE_ALIGNED_CONTEXT
#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
# define NEED_16BYTE_ALIGNED_CONTEXT 1
#endif
/* Undef this symbol to trade GCM speed for 256 bytes of memory per context */
#define GCM_USE_TABLES 1
/* GCM_USE_INTEL_PCLMUL indicates whether to compile GCM with Intel PCLMUL
code. */
#undef GCM_USE_INTEL_PCLMUL
#if defined(ENABLE_PCLMUL_SUPPORT) && defined(GCM_USE_TABLES)
# if ((defined(__i386__) && SIZEOF_UNSIGNED_LONG == 4) || defined(__x86_64__))
# if __GNUC__ >= 4
# define GCM_USE_INTEL_PCLMUL 1
# endif
# endif
#endif /* GCM_USE_INTEL_PCLMUL */
/* GCM_USE_ARM_PMULL indicates whether to compile GCM with ARMv8 PMULL code. */
#undef GCM_USE_ARM_PMULL
#if defined(ENABLE_ARM_CRYPTO_SUPPORT) && defined(GCM_USE_TABLES)
# if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) \
&& defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) \
&& defined(HAVE_GCC_INLINE_ASM_AARCH32_CRYPTO)
# define GCM_USE_ARM_PMULL 1
# elif defined(__AARCH64EL__) && \
defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \
defined(HAVE_GCC_INLINE_ASM_AARCH64_CRYPTO)
# define GCM_USE_ARM_PMULL 1
# endif
#endif /* GCM_USE_ARM_PMULL */
/* GCM_USE_ARM_NEON indicates whether to compile GCM with ARMv7 NEON code. */
#undef GCM_USE_ARM_NEON
#if defined(GCM_USE_TABLES)
#if defined(HAVE_ARM_ARCH_V6) && defined(__ARMEL__) && \
defined(HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS) && \
defined(HAVE_GCC_INLINE_ASM_NEON)
# define GCM_USE_ARM_NEON 1
#endif
#endif /* GCM_USE_ARM_NEON */
/* GCM_USE_S390X_CRYPTO indicates whether to enable zSeries code. */
#undef GCM_USE_S390X_CRYPTO
#if defined(HAVE_GCC_INLINE_ASM_S390X)
# define GCM_USE_S390X_CRYPTO 1
#endif /* GCM_USE_S390X_CRYPTO */
/* GCM_USE_PPC_VPMSUM indicates whether to compile GCM with PPC Power 8
* polynomial multiplication instruction. */
#undef GCM_USE_PPC_VPMSUM
#if defined(GCM_USE_TABLES)
#if defined(ENABLE_PPC_CRYPTO_SUPPORT) && defined(__powerpc64__) && \
defined(HAVE_COMPATIBLE_CC_PPC_ALTIVEC) && \
defined(HAVE_GCC_INLINE_ASM_PPC_ALTIVEC) && __GNUC__ >= 4
# define GCM_USE_PPC_VPMSUM 1
# define NEED_16BYTE_ALIGNED_CONTEXT 1 /* this also aligns gcm_table */
#endif
#endif /* GCM_USE_PPC_VPMSUM */
typedef unsigned int (*ghash_fn_t) (gcry_cipher_hd_t c, byte *result,
const byte *buf, size_t nblocks);
/* A structure with function pointers for mode operations. */
typedef struct cipher_mode_ops
{
gcry_err_code_t (*encrypt)(gcry_cipher_hd_t c, unsigned char *outbuf,
size_t outbuflen, const unsigned char *inbuf,
size_t inbuflen);
gcry_err_code_t (*decrypt)(gcry_cipher_hd_t c, unsigned char *outbuf,
size_t outbuflen, const unsigned char *inbuf,
size_t inbuflen);
gcry_err_code_t (*setiv)(gcry_cipher_hd_t c, const unsigned char *iv,
size_t ivlen);
gcry_err_code_t (*authenticate)(gcry_cipher_hd_t c,
const unsigned char *abuf, size_t abuflen);
gcry_err_code_t (*get_tag)(gcry_cipher_hd_t c, unsigned char *outtag,
size_t taglen);
gcry_err_code_t (*check_tag)(gcry_cipher_hd_t c, const unsigned char *intag,
size_t taglen);
} cipher_mode_ops_t;
/* A structure with function pointers for bulk operations. The cipher
algorithm setkey function initializes them when bulk operations are
available and the actual encryption routines use them if they are
not NULL. */
typedef struct cipher_bulk_ops
{
void (*cfb_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*cfb_dec)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*cbc_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int cbc_mac);
void (*cbc_dec)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*ofb_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*ctr_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
void (*ctr32le_enc)(void *context, unsigned char *iv, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks);
size_t (*ocb_crypt)(gcry_cipher_hd_t c, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int encrypt);
size_t (*ocb_auth)(gcry_cipher_hd_t c, const void *abuf_arg, size_t nblocks);
void (*xts_crypt)(void *context, unsigned char *tweak, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int encrypt);
size_t (*gcm_crypt)(gcry_cipher_hd_t c, void *outbuf_arg,
const void *inbuf_arg, size_t nblocks, int encrypt);
} cipher_bulk_ops_t;
/* A VIA processor with the Padlock engine as well as the Intel AES_NI
instructions require an alignment of most data on a 16 byte
boundary. Because we trick out the compiler while allocating the
context, the align attribute as used in rijndael.c does not work on
its own. Thus we need to make sure that the entire context
structure is a aligned on that boundary. We achieve this by
defining a new type and use that instead of our usual alignment
type. */
typedef union
{
PROPERLY_ALIGNED_TYPE foo;
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
char bar[16] __attribute__ ((aligned (16)));
#endif
char c[1];
} cipher_context_alignment_t;
/* Storage structure for CMAC, for CMAC and EAX modes. */
typedef struct {
/* The initialization vector. Also contains tag after finalization. */
union {
cipher_context_alignment_t iv_align;
unsigned char iv[MAX_BLOCKSIZE];
} u_iv;
/* Subkeys for tag creation, not cleared by gcry_cipher_reset. */
unsigned char subkeys[2][MAX_BLOCKSIZE];
/* Space to save partial input lengths for MAC. */
unsigned char macbuf[MAX_BLOCKSIZE];
int mac_unused; /* Number of unprocessed bytes in MACBUF. */
unsigned int tag:1; /* Set to 1 if tag has been finalized. */
} gcry_cmac_context_t;
/* The handle structure. */
struct gcry_cipher_handle
{
int magic;
size_t actual_handle_size; /* Allocated size of this handle. */
size_t handle_offset; /* Offset to the malloced block. */
gcry_cipher_spec_t *spec;
/* The algorithm id. This is a hack required because the module
interface does not easily allow to retrieve this value. */
int algo;
/* A structure with function pointers for mode operations. */
cipher_mode_ops_t mode_ops;
/* A structure with function pointers for bulk operations. Due to
limitations of the module system (we don't want to change the
API) we need to keep these function pointers here. */
cipher_bulk_ops_t bulk;
int mode;
unsigned int flags;
struct {
unsigned int key:1; /* Set to 1 if a key has been set. */
unsigned int iv:1; /* Set to 1 if a IV has been set. */
unsigned int tag:1; /* Set to 1 if a tag is finalized. */
unsigned int finalize:1; /* Next encrypt/decrypt has the final data. */
unsigned int allow_weak_key:1; /* Set to 1 if weak keys are allowed. */
} marks;
/* The initialization vector. For best performance we make sure
that it is properly aligned. In particular some implementations
of bulk operations expect an 16 byte aligned IV. IV is also used
to store CBC-MAC in CCM mode; counter IV is stored in U_CTR. For
OCB mode it is used for the offset value. */
union {
cipher_context_alignment_t iv_align;
unsigned char iv[MAX_BLOCKSIZE];
} u_iv;
/* The counter for CTR mode. This field is also used by AESWRAP and
thus we can't use the U_IV union. For OCB mode it is used for
the checksum. */
union {
cipher_context_alignment_t iv_align;
unsigned char ctr[MAX_BLOCKSIZE];
} u_ctr;
/* Space to save an IV or CTR for chaining operations. */
unsigned char lastiv[MAX_BLOCKSIZE];
int unused; /* Number of unused bytes in LASTIV. */
union {
/* Mode specific storage for CCM mode. */
struct {
u64 encryptlen;
u64 aadlen;
unsigned int authlen;
/* Space to save partial input lengths for MAC. */
unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
int mac_unused; /* Number of unprocessed bytes in MACBUF. */
unsigned char s0[GCRY_CCM_BLOCK_LEN];
unsigned int nonce:1; /* Set to 1 if nonce has been set. */
unsigned int lengths:1; /* Set to 1 if CCM length parameters has been
processed. */
} ccm;
/* Mode specific storage for Poly1305 mode. */
struct {
/* byte counter for AAD. */
u32 aadcount[2];
/* byte counter for data. */
u32 datacount[2];
unsigned int aad_finalized:1;
unsigned int bytecount_over_limits:1;
poly1305_context_t ctx;
} poly1305;
/* Mode specific storage for CMAC mode. */
gcry_cmac_context_t cmac;
/* Mode specific storage for EAX mode. */
struct {
/* CMAC for header (AAD). */
gcry_cmac_context_t cmac_header;
/* CMAC for ciphertext. */
gcry_cmac_context_t cmac_ciphertext;
} eax;
/* Mode specific storage for GCM mode and GCM-SIV mode. */
struct {
/* The interim tag for GCM mode. */
union {
cipher_context_alignment_t iv_align;
unsigned char tag[MAX_BLOCKSIZE];
} u_tag;
/* Space to save partial input lengths for MAC. */
unsigned char macbuf[GCRY_CCM_BLOCK_LEN];
int mac_unused; /* Number of unprocessed bytes in MACBUF. */
/* byte counters for GCM */
u32 aadlen[2];
u32 datalen[2];
/* encrypted tag counter */
unsigned char tagiv[MAX_BLOCKSIZE];
unsigned int ghash_data_finalized:1;
unsigned int ghash_aad_finalized:1;
unsigned int datalen_over_limits:1;
unsigned int disallow_encryption_because_of_setiv_in_fips_mode:1;
/* --- Following members are not cleared in gcry_cipher_reset --- */
/* GHASH multiplier from key. */
union {
cipher_context_alignment_t iv_align;
unsigned char key[MAX_BLOCKSIZE];
} u_ghash_key;
/* Pre-calculated table for GCM. */
#ifdef GCM_USE_TABLES
#if (SIZEOF_UNSIGNED_LONG == 8 || defined(__x86_64__))
#define GCM_TABLES_USE_U64 1
u64 gcm_table[4 * 16];
#else
#undef GCM_TABLES_USE_U64
u32 gcm_table[8 * 16];
#endif
#endif
/* GHASH implementation in use. */
ghash_fn_t ghash_fn;
/* POLYVAL implementation in use (GCM-SIV). */
ghash_fn_t polyval_fn;
/* Key length used for GCM-SIV key generating key. */
unsigned int siv_keylen;
} gcm;
/* Mode specific storage for OCB mode. */
struct {
/* --- Following members are not cleared in gcry_cipher_reset --- */
/* Helper variables and pre-computed table of L values. */
unsigned char L_star[OCB_BLOCK_LEN];
unsigned char L_dollar[OCB_BLOCK_LEN];
unsigned char L0L1[OCB_BLOCK_LEN];
unsigned char L[OCB_L_TABLE_SIZE][OCB_BLOCK_LEN];
/* --- Following members are cleared in gcry_cipher_reset --- */
/* The tag is valid if marks.tag has been set. */
unsigned char tag[OCB_BLOCK_LEN];
/* A buffer to hold the offset for the AAD processing. */
unsigned char aad_offset[OCB_BLOCK_LEN];
/* A buffer to hold the current sum of AAD processing. We can't
use tag here because tag may already hold the preprocessed
checksum of the data. */
unsigned char aad_sum[OCB_BLOCK_LEN];
/* A buffer to store AAD data not yet processed. */
unsigned char aad_leftover[OCB_BLOCK_LEN];
/* Number of data/aad blocks processed so far. */
u64 data_nblocks;
u64 aad_nblocks;
/* Number of valid bytes in AAD_LEFTOVER. */
unsigned char aad_nleftover;
/* Length of the tag. Fixed for now but may eventually be
specified using a set of gcry_cipher_flags. */
unsigned char taglen;
/* Flags indicating that the final data/aad block has been
processed. */
unsigned int data_finalized:1;
unsigned int aad_finalized:1;
} ocb;
/* Mode specific storage for XTS mode. */
struct {
/* Pointer to tweak cipher context, allocated after actual
* cipher context. */
char *tweak_context;
} xts;
/* Mode specific storage for SIV mode. */
struct {
/* Tag used for decryption. */
unsigned char dec_tag[GCRY_SIV_BLOCK_LEN];
/* S2V state. */
unsigned char s2v_d[GCRY_SIV_BLOCK_LEN];
/* Number of AAD elements processed. */
unsigned int aad_count:8;
/* Flags for SIV state. */
unsigned int dec_tag_set:1;
/* --- Following members are not cleared in gcry_cipher_reset --- */
/* S2V CMAC state. */
gcry_cmac_context_t s2v_cmac;
unsigned char s2v_zero_block[GCRY_SIV_BLOCK_LEN];
/* Pointer to CTR cipher context, allocated after actual
* cipher context. */
char *ctr_context;
} siv;
+
+ /* Mode specific storage for WRAP mode. */
+ struct {
+ unsigned char plen[4];
+ } wrap;
} u_mode;
/* What follows are two contexts of the cipher in use. The first
one needs to be aligned well enough for the cipher operation
whereas the second one is a copy created by cipher_setkey and
used by cipher_reset. That second copy has no need for proper
aligment because it is only accessed by memcpy. */
cipher_context_alignment_t context;
};
/*-- cipher-cbc.c --*/
gcry_err_code_t _gcry_cipher_cbc_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cbc_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cbc_cts_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cbc_cts_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-cfb.c --*/
gcry_err_code_t _gcry_cipher_cfb_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cfb_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cfb8_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_cfb8_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-ofb.c --*/
gcry_err_code_t _gcry_cipher_ofb_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-ctr.c --*/
gcry_err_code_t _gcry_cipher_ctr_encrypt_ctx
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen,
void *algo_context);
gcry_err_code_t _gcry_cipher_ctr_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-aeswrap.c --*/
gcry_err_code_t _gcry_cipher_keywrap_encrypt
/* */ (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen);
-gcry_err_code_t _gcry_cipher_keywrap_decrypt
-/* */ (gcry_cipher_hd_t c,
- byte *outbuf, size_t outbuflen,
- const byte *inbuf, size_t inbuflen);
-gcry_err_code_t
-_gcry_cipher_keywrap_encrypt_padding
+gcry_err_code_t _gcry_cipher_keywrap_encrypt_padding
/* */ (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen);
-gcry_err_code_t _gcry_cipher_keywrap_decrypt_padding
+gcry_err_code_t _gcry_cipher_keywrap_decrypt_auto
/* */ (gcry_cipher_hd_t c,
byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen);
/*-- cipher-ccm.c --*/
gcry_err_code_t _gcry_cipher_ccm_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ccm_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ccm_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_ccm_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_ccm_set_lengths
/* */ (gcry_cipher_hd_t c, u64 encryptedlen, u64 aadlen, u64 taglen);
gcry_err_code_t _gcry_cipher_ccm_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_ccm_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
/*-- cipher-cmac.c --*/
gcry_err_code_t _gcry_cmac_generate_subkeys
/* */ (gcry_cipher_hd_t c, gcry_cmac_context_t *ctx);
gcry_err_code_t _gcry_cmac_write
/* */ (gcry_cipher_hd_t c, gcry_cmac_context_t *ctx,
const byte * inbuf, size_t inlen);
gcry_err_code_t _gcry_cmac_final
/* */ (gcry_cipher_hd_t c, gcry_cmac_context_t *ctx);
void _gcry_cmac_reset (gcry_cmac_context_t *ctx);
/*-- cipher-eax.c --*/
gcry_err_code_t _gcry_cipher_eax_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_eax_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_eax_set_nonce
/* */ (gcry_cipher_hd_t c,
const unsigned char *nonce, size_t noncelen);
gcry_err_code_t _gcry_cipher_eax_authenticate
/* */ (gcry_cipher_hd_t c,
const unsigned char *aadbuf, size_t aadbuflen);
gcry_err_code_t _gcry_cipher_eax_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_eax_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
gcry_err_code_t _gcry_cipher_eax_setkey
/* */ (gcry_cipher_hd_t c);
/*-- cipher-gcm.c --*/
gcry_err_code_t _gcry_cipher_gcm_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_setiv
/* */ (gcry_cipher_hd_t c,
const unsigned char *iv, size_t ivlen);
gcry_err_code_t _gcry_cipher_gcm_authenticate
/* */ (gcry_cipher_hd_t c,
const unsigned char *aadbuf, size_t aadbuflen);
gcry_err_code_t _gcry_cipher_gcm_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
void _gcry_cipher_gcm_setkey
/* */ (gcry_cipher_hd_t c);
void _gcry_cipher_gcm_setupM
/* */ (gcry_cipher_hd_t c);
/*-- cipher-poly1305.c --*/
gcry_err_code_t _gcry_cipher_poly1305_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_poly1305_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_poly1305_setiv
/* */ (gcry_cipher_hd_t c,
const unsigned char *iv, size_t ivlen);
gcry_err_code_t _gcry_cipher_poly1305_authenticate
/* */ (gcry_cipher_hd_t c,
const unsigned char *aadbuf, size_t aadbuflen);
gcry_err_code_t _gcry_cipher_poly1305_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_poly1305_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
void _gcry_cipher_poly1305_setkey
/* */ (gcry_cipher_hd_t c);
/*-- chacha20.c --*/
gcry_err_code_t _gcry_chacha20_poly1305_encrypt
/* */ (gcry_cipher_hd_t c, byte *outbuf, const byte *inbuf,
size_t length);
gcry_err_code_t _gcry_chacha20_poly1305_decrypt
/* */ (gcry_cipher_hd_t c, byte *outbuf, const byte *inbuf,
size_t length);
/*-- cipher-ocb.c --*/
gcry_err_code_t _gcry_cipher_ocb_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ocb_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_ocb_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_ocb_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_ocb_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_ocb_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
void _gcry_cipher_ocb_setkey
/* */ (gcry_cipher_hd_t c);
/*-- cipher-xts.c --*/
gcry_err_code_t _gcry_cipher_xts_encrypt
/* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_xts_decrypt
/* */ (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
/*-- cipher-siv.c --*/
gcry_err_code_t _gcry_cipher_siv_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_siv_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_siv_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_siv_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_siv_set_decryption_tag
/* */ (gcry_cipher_hd_t c, const byte *tag, size_t taglen);
gcry_err_code_t _gcry_cipher_siv_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_siv_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
gcry_err_code_t _gcry_cipher_siv_setkey
/* */ (gcry_cipher_hd_t c,
const unsigned char *ctrkey, size_t ctrkeylen);
/*-- cipher-gcm-siv.c --*/
gcry_err_code_t _gcry_cipher_gcm_siv_encrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_siv_decrypt
/* */ (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen);
gcry_err_code_t _gcry_cipher_gcm_siv_set_nonce
/* */ (gcry_cipher_hd_t c, const unsigned char *nonce,
size_t noncelen);
gcry_err_code_t _gcry_cipher_gcm_siv_authenticate
/* */ (gcry_cipher_hd_t c, const unsigned char *abuf, size_t abuflen);
gcry_err_code_t _gcry_cipher_gcm_siv_set_decryption_tag
/* */ (gcry_cipher_hd_t c, const byte *tag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_siv_get_tag
/* */ (gcry_cipher_hd_t c,
unsigned char *outtag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_siv_check_tag
/* */ (gcry_cipher_hd_t c,
const unsigned char *intag, size_t taglen);
gcry_err_code_t _gcry_cipher_gcm_siv_setkey
/* */ (gcry_cipher_hd_t c, unsigned int keylen);
/* Return the L-value for block N. Note: 'cipher_ocb.c' ensures that N
* will never be multiple of 65536 (1 << OCB_L_TABLE_SIZE), thus N can
* be directly passed to _gcry_ctz() function and resulting index will
* never overflow the table. */
static inline const unsigned char *
ocb_get_l (gcry_cipher_hd_t c, u64 n)
{
unsigned long ntz;
#if ((defined(__i386__) || defined(__x86_64__)) && __GNUC__ >= 4)
/* Assumes that N != 0. */
asm ("rep;bsfl %k[low], %k[ntz]\n\t"
: [ntz] "=r" (ntz)
: [low] "r" ((unsigned long)n)
: "cc");
#else
ntz = _gcry_ctz (n);
#endif
return c->u_mode.ocb.L[ntz];
}
/* Return bit-shift of blocksize. */
static inline unsigned int _gcry_blocksize_shift(gcry_cipher_hd_t c)
{
/* Only blocksizes 8 and 16 are used. Return value in such way
* that compiler can optimize calling functions based on this. */
return c->spec->blocksize == 8 ? 3 : 4;
}
/* Optimized function for adding value to cipher block. */
static inline void
cipher_block_add(void *_dstsrc, unsigned int add, size_t blocksize)
{
byte *dstsrc = _dstsrc;
u64 s[2];
if (blocksize == 8)
{
buf_put_be64(dstsrc + 0, buf_get_be64(dstsrc + 0) + add);
}
else /* blocksize == 16 */
{
s[0] = buf_get_be64(dstsrc + 8);
s[1] = buf_get_be64(dstsrc + 0);
s[0] += add;
s[1] += (s[0] < add);
buf_put_be64(dstsrc + 8, s[0]);
buf_put_be64(dstsrc + 0, s[1]);
}
}
/* Optimized function for cipher block copying */
static inline void
cipher_block_cpy(void *_dst, const void *_src, size_t blocksize)
{
byte *dst = _dst;
const byte *src = _src;
u64 s[2];
if (blocksize == 8)
{
buf_put_he64(dst + 0, buf_get_he64(src + 0));
}
else /* blocksize == 16 */
{
s[0] = buf_get_he64(src + 0);
s[1] = buf_get_he64(src + 8);
buf_put_he64(dst + 0, s[0]);
buf_put_he64(dst + 8, s[1]);
}
}
/* Optimized function for cipher block xoring */
static inline void
cipher_block_xor(void *_dst, const void *_src1, const void *_src2,
size_t blocksize)
{
byte *dst = _dst;
const byte *src1 = _src1;
const byte *src2 = _src2;
u64 s1[2];
u64 s2[2];
if (blocksize == 8)
{
buf_put_he64(dst + 0, buf_get_he64(src1 + 0) ^ buf_get_he64(src2 + 0));
}
else /* blocksize == 16 */
{
s1[0] = buf_get_he64(src1 + 0);
s1[1] = buf_get_he64(src1 + 8);
s2[0] = buf_get_he64(src2 + 0);
s2[1] = buf_get_he64(src2 + 8);
buf_put_he64(dst + 0, s1[0] ^ s2[0]);
buf_put_he64(dst + 8, s1[1] ^ s2[1]);
}
}
/* Optimized function for in-place cipher block xoring */
static inline void
cipher_block_xor_1(void *_dst, const void *_src, size_t blocksize)
{
cipher_block_xor (_dst, _dst, _src, blocksize);
}
/* Optimized function for cipher block xoring with two destination cipher
blocks. Used mainly by CFB mode encryption. */
static inline void
cipher_block_xor_2dst(void *_dst1, void *_dst2, const void *_src,
size_t blocksize)
{
byte *dst1 = _dst1;
byte *dst2 = _dst2;
const byte *src = _src;
u64 d2[2];
u64 s[2];
if (blocksize == 8)
{
d2[0] = buf_get_he64(dst2 + 0) ^ buf_get_he64(src + 0);
buf_put_he64(dst2 + 0, d2[0]);
buf_put_he64(dst1 + 0, d2[0]);
}
else /* blocksize == 16 */
{
s[0] = buf_get_he64(src + 0);
s[1] = buf_get_he64(src + 8);
d2[0] = buf_get_he64(dst2 + 0);
d2[1] = buf_get_he64(dst2 + 8);
d2[0] = d2[0] ^ s[0];
d2[1] = d2[1] ^ s[1];
buf_put_he64(dst2 + 0, d2[0]);
buf_put_he64(dst2 + 8, d2[1]);
buf_put_he64(dst1 + 0, d2[0]);
buf_put_he64(dst1 + 8, d2[1]);
}
}
/* Optimized function for combined cipher block xoring and copying.
Used by mainly CBC mode decryption. */
static inline void
cipher_block_xor_n_copy_2(void *_dst_xor, const void *_src_xor,
void *_srcdst_cpy, const void *_src_cpy,
size_t blocksize)
{
byte *dst_xor = _dst_xor;
byte *srcdst_cpy = _srcdst_cpy;
const byte *src_xor = _src_xor;
const byte *src_cpy = _src_cpy;
u64 sc[2];
u64 sx[2];
u64 sdc[2];
if (blocksize == 8)
{
sc[0] = buf_get_he64(src_cpy + 0);
buf_put_he64(dst_xor + 0,
buf_get_he64(srcdst_cpy + 0) ^ buf_get_he64(src_xor + 0));
buf_put_he64(srcdst_cpy + 0, sc[0]);
}
else /* blocksize == 16 */
{
sc[0] = buf_get_he64(src_cpy + 0);
sc[1] = buf_get_he64(src_cpy + 8);
sx[0] = buf_get_he64(src_xor + 0);
sx[1] = buf_get_he64(src_xor + 8);
sdc[0] = buf_get_he64(srcdst_cpy + 0);
sdc[1] = buf_get_he64(srcdst_cpy + 8);
sx[0] ^= sdc[0];
sx[1] ^= sdc[1];
buf_put_he64(dst_xor + 0, sx[0]);
buf_put_he64(dst_xor + 8, sx[1]);
buf_put_he64(srcdst_cpy + 0, sc[0]);
buf_put_he64(srcdst_cpy + 8, sc[1]);
}
}
/* Optimized function for combined cipher block byte-swapping. */
static inline void
cipher_block_bswap (void *_dst_bswap, const void *_src_bswap,
size_t blocksize)
{
byte *dst_bswap = _dst_bswap;
const byte *src_bswap = _src_bswap;
u64 t[2];
if (blocksize == 8)
{
buf_put_le64(dst_bswap, buf_get_be64(src_bswap));
}
else
{
t[0] = buf_get_be64(src_bswap + 0);
t[1] = buf_get_be64(src_bswap + 8);
buf_put_le64(dst_bswap + 8, t[0]);
buf_put_le64(dst_bswap + 0, t[1]);
}
}
/* Optimized function for combined cipher block xoring and copying.
Used by mainly CFB mode decryption. */
static inline void
cipher_block_xor_n_copy(void *_dst_xor, void *_srcdst_cpy, const void *_src,
size_t blocksize)
{
cipher_block_xor_n_copy_2(_dst_xor, _src, _srcdst_cpy, _src, blocksize);
}
#endif /*G10_CIPHER_INTERNAL_H*/
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 3e2b70a5..d1443a62 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -1,1898 +1,1918 @@
/* cipher.c - cipher dispatcher
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
* 2005, 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
* Copyright (C) 2013 g10 Code GmbH
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser general Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "g10lib.h"
#include "../src/gcrypt-testapi.h"
#include "cipher.h"
#include "./cipher-internal.h"
/* This is the list of the default ciphers, which are included in
libgcrypt. */
static gcry_cipher_spec_t * const cipher_list[] =
{
#if USE_BLOWFISH
&_gcry_cipher_spec_blowfish,
#endif
#if USE_DES
&_gcry_cipher_spec_des,
&_gcry_cipher_spec_tripledes,
#endif
#if USE_ARCFOUR
&_gcry_cipher_spec_arcfour,
#endif
#if USE_CAST5
&_gcry_cipher_spec_cast5,
#endif
#if USE_AES
&_gcry_cipher_spec_aes,
&_gcry_cipher_spec_aes192,
&_gcry_cipher_spec_aes256,
#endif
#if USE_TWOFISH
&_gcry_cipher_spec_twofish,
&_gcry_cipher_spec_twofish128,
#endif
#if USE_SERPENT
&_gcry_cipher_spec_serpent128,
&_gcry_cipher_spec_serpent192,
&_gcry_cipher_spec_serpent256,
#endif
#if USE_RFC2268
&_gcry_cipher_spec_rfc2268_40,
&_gcry_cipher_spec_rfc2268_128,
#endif
#if USE_SEED
&_gcry_cipher_spec_seed,
#endif
#if USE_CAMELLIA
&_gcry_cipher_spec_camellia128,
&_gcry_cipher_spec_camellia192,
&_gcry_cipher_spec_camellia256,
#endif
#if USE_IDEA
&_gcry_cipher_spec_idea,
#endif
#if USE_SALSA20
&_gcry_cipher_spec_salsa20,
&_gcry_cipher_spec_salsa20r12,
#endif
#if USE_GOST28147
&_gcry_cipher_spec_gost28147,
&_gcry_cipher_spec_gost28147_mesh,
#endif
#if USE_CHACHA20
&_gcry_cipher_spec_chacha20,
#endif
#if USE_SM4
&_gcry_cipher_spec_sm4,
#endif
NULL
};
/* Cipher implementations starting with index 0 (enum gcry_cipher_algos) */
static gcry_cipher_spec_t * const cipher_list_algo0[] =
{
NULL, /* GCRY_CIPHER_NONE */
#if USE_IDEA
&_gcry_cipher_spec_idea,
#else
NULL,
#endif
#if USE_DES
&_gcry_cipher_spec_tripledes,
#else
NULL,
#endif
#if USE_CAST5
&_gcry_cipher_spec_cast5,
#else
NULL,
#endif
#if USE_BLOWFISH
&_gcry_cipher_spec_blowfish,
#else
NULL,
#endif
NULL, /* GCRY_CIPHER_SAFER_SK128 */
NULL, /* GCRY_CIPHER_DES_SK */
#if USE_AES
&_gcry_cipher_spec_aes,
&_gcry_cipher_spec_aes192,
&_gcry_cipher_spec_aes256,
#else
NULL,
NULL,
NULL,
#endif
#if USE_TWOFISH
&_gcry_cipher_spec_twofish
#else
NULL
#endif
};
/* Cipher implementations starting with index 301 (enum gcry_cipher_algos) */
static gcry_cipher_spec_t * const cipher_list_algo301[] =
{
#if USE_ARCFOUR
&_gcry_cipher_spec_arcfour,
#else
NULL,
#endif
#if USE_DES
&_gcry_cipher_spec_des,
#else
NULL,
#endif
#if USE_TWOFISH
&_gcry_cipher_spec_twofish128,
#else
NULL,
#endif
#if USE_SERPENT
&_gcry_cipher_spec_serpent128,
&_gcry_cipher_spec_serpent192,
&_gcry_cipher_spec_serpent256,
#else
NULL,
NULL,
NULL,
#endif
#if USE_RFC2268
&_gcry_cipher_spec_rfc2268_40,
&_gcry_cipher_spec_rfc2268_128,
#else
NULL,
NULL,
#endif
#if USE_SEED
&_gcry_cipher_spec_seed,
#else
NULL,
#endif
#if USE_CAMELLIA
&_gcry_cipher_spec_camellia128,
&_gcry_cipher_spec_camellia192,
&_gcry_cipher_spec_camellia256,
#else
NULL,
NULL,
NULL,
#endif
#if USE_SALSA20
&_gcry_cipher_spec_salsa20,
&_gcry_cipher_spec_salsa20r12,
#else
NULL,
NULL,
#endif
#if USE_GOST28147
&_gcry_cipher_spec_gost28147,
#else
NULL,
#endif
#if USE_CHACHA20
&_gcry_cipher_spec_chacha20,
#else
NULL,
#endif
#if USE_GOST28147
&_gcry_cipher_spec_gost28147_mesh,
#else
NULL,
#endif
#if USE_SM4
&_gcry_cipher_spec_sm4,
#else
NULL,
#endif
};
static void _gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode);
static int
map_algo (int algo)
{
return algo;
}
/* Return the spec structure for the cipher algorithm ALGO. For
an unknown algorithm NULL is returned. */
static gcry_cipher_spec_t *
spec_from_algo (int algo)
{
gcry_cipher_spec_t *spec = NULL;
algo = map_algo (algo);
if (algo >= 0 && algo < DIM(cipher_list_algo0))
spec = cipher_list_algo0[algo];
else if (algo >= 301 && algo < 301 + DIM(cipher_list_algo301))
spec = cipher_list_algo301[algo - 301];
if (spec)
gcry_assert (spec->algo == algo);
return spec;
}
/* Lookup a cipher's spec by its name. */
static gcry_cipher_spec_t *
spec_from_name (const char *name)
{
gcry_cipher_spec_t *spec;
int idx;
const char **aliases;
for (idx=0; (spec = cipher_list[idx]); idx++)
{
if (!stricmp (name, spec->name))
return spec;
if (spec->aliases)
{
for (aliases = spec->aliases; *aliases; aliases++)
if (!stricmp (name, *aliases))
return spec;
}
}
return NULL;
}
/* Lookup a cipher's spec by its OID. */
static gcry_cipher_spec_t *
spec_from_oid (const char *oid)
{
gcry_cipher_spec_t *spec;
const gcry_cipher_oid_spec_t *oid_specs;
int idx, j;
for (idx=0; (spec = cipher_list[idx]); idx++)
{
oid_specs = spec->oids;
if (oid_specs)
{
for (j = 0; oid_specs[j].oid; j++)
if (!stricmp (oid, oid_specs[j].oid))
return spec;
}
}
return NULL;
}
/* Locate the OID in the oid table and return the spec or NULL if not
found. An optional "oid." or "OID." prefix in OID is ignored, the
OID is expected to be in standard IETF dotted notation. A pointer
to the OID specification of the module implementing this algorithm
is return in OID_SPEC unless passed as NULL.*/
static gcry_cipher_spec_t *
search_oid (const char *oid, gcry_cipher_oid_spec_t *oid_spec)
{
gcry_cipher_spec_t *spec;
int i;
if (!oid)
return NULL;
if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
oid += 4;
spec = spec_from_oid (oid);
if (spec && spec->oids)
{
for (i = 0; spec->oids[i].oid; i++)
if (!stricmp (oid, spec->oids[i].oid))
{
if (oid_spec)
*oid_spec = spec->oids[i];
return spec;
}
}
return NULL;
}
/* Map STRING to the cipher algorithm identifier. Returns the
algorithm ID of the cipher for the given name or 0 if the name is
not known. It is valid to pass NULL for STRING which results in a
return value of 0. */
int
_gcry_cipher_map_name (const char *string)
{
gcry_cipher_spec_t *spec;
if (!string)
return 0;
/* If the string starts with a digit (optionally prefixed with
either "OID." or "oid."), we first look into our table of ASN.1
object identifiers to figure out the algorithm */
spec = search_oid (string, NULL);
if (spec)
return spec->algo;
spec = spec_from_name (string);
if (spec)
return spec->algo;
return 0;
}
/* Given a STRING with an OID in dotted decimal notation, this
function returns the cipher mode (GCRY_CIPHER_MODE_*) associated
with that OID or 0 if no mode is known. Passing NULL for string
yields a return value of 0. */
int
_gcry_cipher_mode_from_oid (const char *string)
{
gcry_cipher_spec_t *spec;
gcry_cipher_oid_spec_t oid_spec;
if (!string)
return 0;
spec = search_oid (string, &oid_spec);
if (spec)
return oid_spec.mode;
return 0;
}
/* Map the cipher algorithm identifier ALGORITHM to a string
representing this algorithm. This string is the default name as
used by Libgcrypt. A "?" is returned for an unknown algorithm.
NULL is never returned. */
const char *
_gcry_cipher_algo_name (int algorithm)
{
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algorithm);
return spec? spec->name : "?";
}
/* Flag the cipher algorithm with the identifier ALGORITHM as
disabled. There is no error return, the function does nothing for
unknown algorithms. Disabled algorithms are virtually not
available in Libgcrypt. This is not thread safe and should thus be
called early. */
static void
disable_cipher_algo (int algo)
{
gcry_cipher_spec_t *spec = spec_from_algo (algo);
if (spec)
spec->flags.disabled = 1;
}
/* Return 0 if the cipher algorithm with identifier ALGORITHM is
available. Returns a basic error code value if it is not
available. */
static gcry_err_code_t
check_cipher_algo (int algorithm)
{
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algorithm);
if (spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))
return 0;
return GPG_ERR_CIPHER_ALGO;
}
/* Return the standard length in bits of the key for the cipher
algorithm with the identifier ALGORITHM. */
static unsigned int
cipher_get_keylen (int algorithm)
{
gcry_cipher_spec_t *spec;
unsigned len = 0;
spec = spec_from_algo (algorithm);
if (spec)
{
len = spec->keylen;
if (!len)
log_bug ("cipher %d w/o key length\n", algorithm);
}
return len;
}
/* Return the block length of the cipher algorithm with the identifier
ALGORITHM. This function return 0 for an invalid algorithm. */
static unsigned int
cipher_get_blocksize (int algorithm)
{
gcry_cipher_spec_t *spec;
unsigned len = 0;
spec = spec_from_algo (algorithm);
if (spec)
{
len = spec->blocksize;
if (!len)
log_bug ("cipher %d w/o blocksize\n", algorithm);
}
return len;
}
/*
Open a cipher handle for use with cipher algorithm ALGORITHM, using
the cipher mode MODE (one of the GCRY_CIPHER_MODE_*) and return a
handle in HANDLE. Put NULL into HANDLE and return an error code if
something goes wrong. FLAGS may be used to modify the
operation. The defined flags are:
GCRY_CIPHER_SECURE: allocate all internal buffers in secure memory.
GCRY_CIPHER_ENABLE_SYNC: Enable the sync operation as used in OpenPGP.
GCRY_CIPHER_CBC_CTS: Enable CTS mode.
GCRY_CIPHER_CBC_MAC: Enable MAC mode.
Values for these flags may be combined using OR.
*/
gcry_err_code_t
_gcry_cipher_open (gcry_cipher_hd_t *handle,
int algo, int mode, unsigned int flags)
{
gcry_err_code_t rc;
gcry_cipher_hd_t h = NULL;
if (mode >= GCRY_CIPHER_MODE_INTERNAL)
rc = GPG_ERR_INV_CIPHER_MODE;
else
rc = _gcry_cipher_open_internal (&h, algo, mode, flags);
*handle = rc ? NULL : h;
return rc;
}
gcry_err_code_t
_gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
int algo, int mode, unsigned int flags)
{
int secure = (flags & GCRY_CIPHER_SECURE);
gcry_cipher_spec_t *spec;
gcry_cipher_hd_t h = NULL;
gcry_err_code_t err;
/* If the application missed to call the random poll function, we do
it here to ensure that it is used once in a while. */
_gcry_fast_random_poll ();
spec = spec_from_algo (algo);
if (!spec)
err = GPG_ERR_CIPHER_ALGO;
else if (spec->flags.disabled)
err = GPG_ERR_CIPHER_ALGO;
else if (!spec->flags.fips && fips_mode ())
err = GPG_ERR_CIPHER_ALGO;
else
err = 0;
/* check flags */
if ((! err)
&& ((flags & ~(0
| GCRY_CIPHER_SECURE
| GCRY_CIPHER_ENABLE_SYNC
| GCRY_CIPHER_CBC_CTS
| GCRY_CIPHER_CBC_MAC
| GCRY_CIPHER_EXTENDED))
|| ((flags & GCRY_CIPHER_CBC_CTS) && (flags & GCRY_CIPHER_CBC_MAC))))
err = GPG_ERR_CIPHER_ALGO;
/* check that a valid mode has been requested */
if (! err)
switch (mode)
{
case GCRY_CIPHER_MODE_ECB:
case GCRY_CIPHER_MODE_CBC:
case GCRY_CIPHER_MODE_CFB:
case GCRY_CIPHER_MODE_CFB8:
case GCRY_CIPHER_MODE_OFB:
case GCRY_CIPHER_MODE_CTR:
case GCRY_CIPHER_MODE_AESWRAP:
case GCRY_CIPHER_MODE_CMAC:
case GCRY_CIPHER_MODE_EAX:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_CCM:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_CCM_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_XTS:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_XTS_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_GCM:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_GCM_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_SIV:
case GCRY_CIPHER_MODE_GCM_SIV:
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_SIV_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_POLY1305:
if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->algo != GCRY_CIPHER_CHACHA20)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_OCB:
/* Note that our implementation allows only for 128 bit block
length algorithms. Lower block lengths would be possible
but we do not implement them because they limit the
security too much. */
if (!spec->encrypt || !spec->decrypt)
err = GPG_ERR_INV_CIPHER_MODE;
else if (spec->blocksize != GCRY_OCB_BLOCK_LEN)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_STREAM:
if (!spec->stencrypt || !spec->stdecrypt)
err = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_NONE:
/* This mode may be used for debugging. It copies the main
text verbatim to the ciphertext. We do not allow this in
fips mode or if no debug flag has been set. */
if (fips_mode () || !_gcry_get_debug_flag (0))
err = GPG_ERR_INV_CIPHER_MODE;
break;
default:
err = GPG_ERR_INV_CIPHER_MODE;
}
/* Perform selftest here and mark this with a flag in cipher_table?
No, we should not do this as it takes too long. Further it does
not make sense to exclude algorithms with failing selftests at
runtime: If a selftest fails there is something seriously wrong
with the system and thus we better die immediately. */
if (! err)
{
size_t size = (sizeof (*h)
+ 2 * spec->contextsize
- sizeof (cipher_context_alignment_t)
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
+ 15 /* Space for leading alignment gap. */
#endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
);
/* Space needed per mode. */
switch (mode)
{
case GCRY_CIPHER_MODE_XTS:
case GCRY_CIPHER_MODE_SIV:
/* Additional cipher context for tweak. */
size += 2 * spec->contextsize + 15;
break;
default:
break;
}
if (secure)
h = xtrycalloc_secure (1, size);
else
h = xtrycalloc (1, size);
if (! h)
err = gpg_err_code_from_syserror ();
else
{
size_t off = 0;
char *tc;
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
if ( ((uintptr_t)h & 0x0f) )
{
/* The malloced block is not aligned on a 16 byte
boundary. Correct for this. */
off = 16 - ((uintptr_t)h & 0x0f);
h = (void*)((char*)h + off);
}
#endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
h->magic = secure ? CTX_MAGIC_SECURE : CTX_MAGIC_NORMAL;
h->actual_handle_size = size - off;
h->handle_offset = off;
h->spec = spec;
h->algo = algo;
h->mode = mode;
h->flags = flags;
/* Setup mode routines. */
_gcry_cipher_setup_mode_ops(h, mode);
/* Setup defaults depending on the mode. */
switch (mode)
{
case GCRY_CIPHER_MODE_OCB:
h->u_mode.ocb.taglen = 16; /* Bytes. */
break;
case GCRY_CIPHER_MODE_XTS:
tc = h->context.c + spec->contextsize * 2;
tc += (16 - (uintptr_t)tc % 16) % 16;
h->u_mode.xts.tweak_context = tc;
break;
case GCRY_CIPHER_MODE_SIV:
tc = h->context.c + spec->contextsize * 2;
tc += (16 - (uintptr_t)tc % 16) % 16;
h->u_mode.siv.ctr_context = tc;
break;
default:
break;
}
}
}
/* Done. */
*handle = err ? NULL : h;
return err;
}
/* Release all resources associated with the cipher handle H. H may be
NULL in which case this is a no-operation. */
void
_gcry_cipher_close (gcry_cipher_hd_t h)
{
size_t off;
if (!h)
return;
if ((h->magic != CTX_MAGIC_SECURE)
&& (h->magic != CTX_MAGIC_NORMAL))
_gcry_fatal_error(GPG_ERR_INTERNAL,
"gcry_cipher_close: already closed/invalid handle");
else
h->magic = 0;
/* We always want to wipe out the memory even when the context has
been allocated in secure memory. The user might have disabled
secure memory or is using his own implementation which does not
do the wiping. To accomplish this we need to keep track of the
actual size of this structure because we have no way to known
how large the allocated area was when using a standard malloc. */
off = h->handle_offset;
wipememory (h, h->actual_handle_size);
xfree ((char*)h - off);
}
/* Set the key to be used for the encryption context C to KEY with
length KEYLEN. The length should match the required length. */
static gcry_err_code_t
cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen)
{
gcry_err_code_t rc;
if (c->mode == GCRY_CIPHER_MODE_XTS)
{
/* XTS uses two keys. */
if (keylen % 2)
return GPG_ERR_INV_KEYLEN;
keylen /= 2;
if (fips_mode ())
{
/* Reject key if subkeys Key_1 and Key_2 are equal.
See "Implementation Guidance for FIPS 140-2, A.9 XTS-AES
Key Generation Requirements" for details. */
if (buf_eq_const (key, key + keylen, keylen))
return GPG_ERR_WEAK_KEY;
}
}
else if (c->mode == GCRY_CIPHER_MODE_SIV)
{
/* SIV uses two keys. */
if (keylen % 2)
return GPG_ERR_INV_KEYLEN;
keylen /= 2;
}
rc = c->spec->setkey (&c->context.c, key, keylen, &c->bulk);
if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
{
/* Duplicate initial context. */
memcpy ((void *) ((char *) &c->context.c + c->spec->contextsize),
(void *) &c->context.c,
c->spec->contextsize);
c->marks.key = 1;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
rc = _gcry_cipher_cmac_set_subkeys (c);
break;
case GCRY_CIPHER_MODE_EAX:
rc = _gcry_cipher_eax_setkey (c);
break;
case GCRY_CIPHER_MODE_GCM:
_gcry_cipher_gcm_setkey (c);
break;
case GCRY_CIPHER_MODE_GCM_SIV:
rc = _gcry_cipher_gcm_siv_setkey (c, keylen);
if (rc)
c->marks.key = 0;
break;
case GCRY_CIPHER_MODE_OCB:
_gcry_cipher_ocb_setkey (c);
break;
case GCRY_CIPHER_MODE_POLY1305:
_gcry_cipher_poly1305_setkey (c);
break;
case GCRY_CIPHER_MODE_XTS:
/* Setup tweak cipher with second part of XTS key. */
rc = c->spec->setkey (c->u_mode.xts.tweak_context, key + keylen,
keylen, &c->bulk);
if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
{
/* Duplicate initial tweak context. */
memcpy (c->u_mode.xts.tweak_context + c->spec->contextsize,
c->u_mode.xts.tweak_context, c->spec->contextsize);
}
else
c->marks.key = 0;
break;
case GCRY_CIPHER_MODE_SIV:
/* Setup CTR cipher with second part of SIV key. */
rc = _gcry_cipher_siv_setkey (c, key + keylen, keylen);
if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
{
/* Duplicate initial CTR context. */
memcpy (c->u_mode.siv.ctr_context + c->spec->contextsize,
c->u_mode.siv.ctr_context, c->spec->contextsize);
}
else
c->marks.key = 0;
break;
default:
break;
}
}
else
c->marks.key = 0;
return rc;
}
/* Set the IV to be used for the encryption context C to IV with
length IVLEN. The length should match the required length. */
static gcry_err_code_t
cipher_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
{
/* If the cipher has its own IV handler, we use only this one. This
is currently used for stream ciphers requiring a nonce. */
if (c->spec->setiv)
{
c->spec->setiv (&c->context.c, iv, ivlen);
return 0;
}
memset (c->u_iv.iv, 0, c->spec->blocksize);
if (iv)
{
if (ivlen != c->spec->blocksize)
{
log_info ("WARNING: cipher_setiv: ivlen=%u blklen=%u\n",
(unsigned int)ivlen, (unsigned int)c->spec->blocksize);
fips_signal_error ("IV length does not match blocklength");
}
if (ivlen > c->spec->blocksize)
ivlen = c->spec->blocksize;
memcpy (c->u_iv.iv, iv, ivlen);
c->marks.iv = 1;
}
else
c->marks.iv = 0;
c->unused = 0;
return 0;
}
/* Reset the cipher context to the initial context. This is basically
the same as an release followed by a new. */
static void
cipher_reset (gcry_cipher_hd_t c)
{
unsigned int marks_key, marks_allow_weak_key;
marks_key = c->marks.key;
marks_allow_weak_key = c->marks.allow_weak_key;
memcpy (&c->context.c,
(char *) &c->context.c + c->spec->contextsize,
c->spec->contextsize);
memset (&c->marks, 0, sizeof c->marks);
memset (c->u_iv.iv, 0, c->spec->blocksize);
memset (c->lastiv, 0, c->spec->blocksize);
memset (c->u_ctr.ctr, 0, c->spec->blocksize);
c->unused = 0;
c->marks.key = marks_key;
c->marks.allow_weak_key = marks_allow_weak_key;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
_gcry_cmac_reset(&c->u_mode.cmac);
break;
case GCRY_CIPHER_MODE_EAX:
_gcry_cmac_reset(&c->u_mode.eax.cmac_header);
_gcry_cmac_reset(&c->u_mode.eax.cmac_ciphertext);
break;
case GCRY_CIPHER_MODE_GCM:
case GCRY_CIPHER_MODE_GCM_SIV:
/* Only clear head of u_mode, keep ghash_key and gcm_table. */
{
byte *u_mode_pos = (void *)&c->u_mode;
byte *ghash_key_pos = c->u_mode.gcm.u_ghash_key.key;
size_t u_mode_head_length = ghash_key_pos - u_mode_pos;
memset (&c->u_mode, 0, u_mode_head_length);
}
break;
case GCRY_CIPHER_MODE_POLY1305:
memset (&c->u_mode.poly1305, 0, sizeof c->u_mode.poly1305);
break;
case GCRY_CIPHER_MODE_CCM:
memset (&c->u_mode.ccm, 0, sizeof c->u_mode.ccm);
break;
case GCRY_CIPHER_MODE_OCB:
{
const size_t table_maxblks = 1 << OCB_L_TABLE_SIZE;
byte *u_mode_head_pos = (void *)&c->u_mode.ocb;
byte *u_mode_tail_pos = (void *)&c->u_mode.ocb.tag;
size_t u_mode_head_length = u_mode_tail_pos - u_mode_head_pos;
size_t u_mode_tail_length = sizeof(c->u_mode.ocb) - u_mode_head_length;
if (c->u_mode.ocb.aad_nblocks < table_maxblks)
{
/* Precalculated L-values are still ok after reset, no need
* to clear. */
memset (u_mode_tail_pos, 0, u_mode_tail_length);
}
else
{
/* Reinitialize L table. */
memset (&c->u_mode.ocb, 0, sizeof(c->u_mode.ocb));
_gcry_cipher_ocb_setkey (c);
}
/* Setup default taglen. */
c->u_mode.ocb.taglen = 16;
}
break;
case GCRY_CIPHER_MODE_XTS:
memcpy (c->u_mode.xts.tweak_context,
c->u_mode.xts.tweak_context + c->spec->contextsize,
c->spec->contextsize);
break;
case GCRY_CIPHER_MODE_SIV:
/* Only clear head of u_mode, keep s2v_cmac and ctr_context. */
{
byte *u_mode_pos = (void *)&c->u_mode;
byte *tail_pos = (void *)&c->u_mode.siv.s2v_cmac;
size_t u_mode_head_length = tail_pos - u_mode_pos;
memset (&c->u_mode, 0, u_mode_head_length);
memcpy (c->u_mode.siv.ctr_context,
c->u_mode.siv.ctr_context + c->spec->contextsize,
c->spec->contextsize);
memcpy (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_zero_block,
GCRY_SIV_BLOCK_LEN);
}
break;
default:
break; /* u_mode unused by other modes. */
}
}
static gcry_err_code_t
do_ecb_crypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen,
gcry_cipher_encrypt_t crypt_fn)
{
unsigned int blocksize = c->spec->blocksize;
size_t n, nblocks;
unsigned int burn, nburn;
if (outbuflen < inbuflen)
return GPG_ERR_BUFFER_TOO_SHORT;
if ((inbuflen % blocksize))
return GPG_ERR_INV_LENGTH;
nblocks = inbuflen / blocksize;
burn = 0;
for (n=0; n < nblocks; n++ )
{
nburn = crypt_fn (&c->context.c, outbuf, inbuf);
burn = nburn > burn ? nburn : burn;
inbuf += blocksize;
outbuf += blocksize;
}
if (burn > 0)
_gcry_burn_stack (burn + 4 * sizeof(void *));
return 0;
}
static gcry_err_code_t
do_ecb_encrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->encrypt);
}
static gcry_err_code_t
do_ecb_decrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->decrypt);
}
static gcry_err_code_t
do_stream_encrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
(void)outbuflen;
c->spec->stencrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen);
return 0;
}
static gcry_err_code_t
do_stream_decrypt (gcry_cipher_hd_t c,
unsigned char *outbuf, size_t outbuflen,
const unsigned char *inbuf, size_t inbuflen)
{
(void)outbuflen;
c->spec->stdecrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen);
return 0;
}
static gcry_err_code_t
do_encrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t rc;
(void)outbuflen;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
rc = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_NONE:
if (fips_mode () || !_gcry_get_debug_flag (0))
{
fips_signal_error ("cipher mode NONE used");
rc = GPG_ERR_INV_CIPHER_MODE;
}
else
{
if (inbuf != outbuf)
memmove (outbuf, inbuf, inbuflen);
rc = 0;
}
break;
default:
log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode );
rc = GPG_ERR_INV_CIPHER_MODE;
break;
}
return rc;
}
static gcry_err_code_t
do_decrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
const byte *inbuf, size_t inbuflen)
{
gcry_err_code_t rc;
(void)outbuflen;
switch (c->mode)
{
case GCRY_CIPHER_MODE_CMAC:
rc = GPG_ERR_INV_CIPHER_MODE;
break;
case GCRY_CIPHER_MODE_NONE:
if (fips_mode () || !_gcry_get_debug_flag (0))
{
fips_signal_error ("cipher mode NONE used");
rc = GPG_ERR_INV_CIPHER_MODE;
}
else
{
if (inbuf != outbuf)
memmove (outbuf, inbuf, inbuflen);
rc = 0;
}
break;
default:
log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );
rc = GPG_ERR_INV_CIPHER_MODE;
break;
}
return rc;
}
/****************
* Encrypt IN and write it to OUT. If IN is NULL, in-place encryption has
* been requested.
*/
gcry_err_code_t
_gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
const void *in, size_t inlen)
{
gcry_err_code_t rc;
if (!in) /* Caller requested in-place encryption. */
{
in = out;
inlen = outsize;
}
if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
{
log_error ("cipher_encrypt: key not set\n");
return GPG_ERR_MISSING_KEY;
}
rc = h->mode_ops.encrypt (h, out, outsize, in, inlen);
/* Failsafe: Make sure that the plaintext will never make it into
OUT if the encryption returned an error. */
if (rc && out)
memset (out, 0x42, outsize);
return rc;
}
/****************
* Decrypt IN and write it to OUT. If IN is NULL, in-place encryption has
* been requested.
*/
gcry_err_code_t
_gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
const void *in, size_t inlen)
{
if (!in) /* Caller requested in-place encryption. */
{
in = out;
inlen = outsize;
}
if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
{
log_error ("cipher_decrypt: key not set\n");
return GPG_ERR_MISSING_KEY;
}
return h->mode_ops.decrypt (h, out, outsize, in, inlen);
}
/****************
* Used for PGP's somewhat strange CFB mode. Only works if
* the corresponding flag is set.
*/
static void
cipher_sync (gcry_cipher_hd_t c)
{
if ((c->flags & GCRY_CIPHER_ENABLE_SYNC) && c->unused)
{
memmove (c->u_iv.iv + c->unused,
c->u_iv.iv, c->spec->blocksize - c->unused);
memcpy (c->u_iv.iv,
c->lastiv + c->spec->blocksize - c->unused, c->unused);
c->unused = 0;
}
}
gcry_err_code_t
_gcry_cipher_setkey (gcry_cipher_hd_t hd, const void *key, size_t keylen)
{
return cipher_setkey (hd, (void*)key, keylen);
}
gcry_err_code_t
_gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen)
{
return hd->mode_ops.setiv (hd, iv, ivlen);
}
/* Set counter for CTR mode. (CTR,CTRLEN) must denote a buffer of
block size length, or (NULL,0) to set the CTR to the all-zero
block. */
gpg_err_code_t
_gcry_cipher_setctr (gcry_cipher_hd_t hd, const void *ctr, size_t ctrlen)
{
if (ctr && ctrlen == hd->spec->blocksize)
{
memcpy (hd->u_ctr.ctr, ctr, hd->spec->blocksize);
hd->unused = 0;
}
else if (!ctr || !ctrlen)
{
memset (hd->u_ctr.ctr, 0, hd->spec->blocksize);
hd->unused = 0;
}
else
return GPG_ERR_INV_ARG;
return 0;
}
gpg_err_code_t
_gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen)
{
if (ctr && ctrlen == hd->spec->blocksize)
memcpy (ctr, hd->u_ctr.ctr, hd->spec->blocksize);
else
return GPG_ERR_INV_ARG;
return 0;
}
gcry_err_code_t
_gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
size_t abuflen)
{
gcry_err_code_t rc;
if (hd->mode_ops.authenticate)
{
rc = hd->mode_ops.authenticate (hd, abuf, abuflen);
}
else
{
log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode);
rc = GPG_ERR_INV_CIPHER_MODE;
}
return rc;
}
gcry_err_code_t
_gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen)
{
gcry_err_code_t rc;
if (hd->mode_ops.get_tag)
{
rc = hd->mode_ops.get_tag (hd, outtag, taglen);
}
else
{
log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode);
rc = GPG_ERR_INV_CIPHER_MODE;
}
return rc;
}
gcry_err_code_t
_gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen)
{
gcry_err_code_t rc;
if (hd->mode_ops.check_tag)
{
rc = hd->mode_ops.check_tag (hd, intag, taglen);
}
else
{
log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode);
rc = GPG_ERR_INV_CIPHER_MODE;
}
return rc;
}
static void
_gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode)
{
/* Setup encryption and decryption routines. */
switch (mode)
{
case GCRY_CIPHER_MODE_STREAM:
c->mode_ops.encrypt = do_stream_encrypt;
c->mode_ops.decrypt = do_stream_decrypt;
break;
case GCRY_CIPHER_MODE_ECB:
c->mode_ops.encrypt = do_ecb_encrypt;
c->mode_ops.decrypt = do_ecb_decrypt;
break;
case GCRY_CIPHER_MODE_CBC:
if (!(c->flags & GCRY_CIPHER_CBC_CTS))
{
c->mode_ops.encrypt = _gcry_cipher_cbc_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cbc_decrypt;
}
else
{
c->mode_ops.encrypt = _gcry_cipher_cbc_cts_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cbc_cts_decrypt;
}
break;
case GCRY_CIPHER_MODE_CFB:
c->mode_ops.encrypt = _gcry_cipher_cfb_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cfb_decrypt;
break;
case GCRY_CIPHER_MODE_CFB8:
c->mode_ops.encrypt = _gcry_cipher_cfb8_encrypt;
c->mode_ops.decrypt = _gcry_cipher_cfb8_decrypt;
break;
case GCRY_CIPHER_MODE_OFB:
c->mode_ops.encrypt = _gcry_cipher_ofb_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ofb_encrypt;
break;
case GCRY_CIPHER_MODE_CTR:
c->mode_ops.encrypt = _gcry_cipher_ctr_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ctr_encrypt;
break;
case GCRY_CIPHER_MODE_AESWRAP:
+ c->mode_ops.decrypt = _gcry_cipher_keywrap_decrypt_auto;
if (!(c->flags & GCRY_CIPHER_EXTENDED))
- {
- c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt;
- c->mode_ops.decrypt = _gcry_cipher_keywrap_decrypt;
- }
+ c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt;
else
- {
- c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt_padding;
- c->mode_ops.decrypt = _gcry_cipher_keywrap_decrypt_padding;
- }
+ c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt_padding;
break;
case GCRY_CIPHER_MODE_CCM:
c->mode_ops.encrypt = _gcry_cipher_ccm_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ccm_decrypt;
break;
case GCRY_CIPHER_MODE_EAX:
c->mode_ops.encrypt = _gcry_cipher_eax_encrypt;
c->mode_ops.decrypt = _gcry_cipher_eax_decrypt;
break;
case GCRY_CIPHER_MODE_GCM:
c->mode_ops.encrypt = _gcry_cipher_gcm_encrypt;
c->mode_ops.decrypt = _gcry_cipher_gcm_decrypt;
break;
case GCRY_CIPHER_MODE_POLY1305:
c->mode_ops.encrypt = _gcry_cipher_poly1305_encrypt;
c->mode_ops.decrypt = _gcry_cipher_poly1305_decrypt;
break;
case GCRY_CIPHER_MODE_OCB:
c->mode_ops.encrypt = _gcry_cipher_ocb_encrypt;
c->mode_ops.decrypt = _gcry_cipher_ocb_decrypt;
break;
case GCRY_CIPHER_MODE_XTS:
c->mode_ops.encrypt = _gcry_cipher_xts_encrypt;
c->mode_ops.decrypt = _gcry_cipher_xts_decrypt;
break;
case GCRY_CIPHER_MODE_SIV:
c->mode_ops.encrypt = _gcry_cipher_siv_encrypt;
c->mode_ops.decrypt = _gcry_cipher_siv_decrypt;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
c->mode_ops.encrypt = _gcry_cipher_gcm_siv_encrypt;
c->mode_ops.decrypt = _gcry_cipher_gcm_siv_decrypt;
break;
default:
c->mode_ops.encrypt = do_encrypt_none_unknown;
c->mode_ops.decrypt = do_decrypt_none_unknown;
break;
}
/* Setup IV setting routine. */
switch (mode)
{
case GCRY_CIPHER_MODE_CCM:
c->mode_ops.setiv = _gcry_cipher_ccm_set_nonce;
break;
case GCRY_CIPHER_MODE_EAX:
c->mode_ops.setiv = _gcry_cipher_eax_set_nonce;
break;
case GCRY_CIPHER_MODE_GCM:
c->mode_ops.setiv = _gcry_cipher_gcm_setiv;
break;
case GCRY_CIPHER_MODE_POLY1305:
c->mode_ops.setiv = _gcry_cipher_poly1305_setiv;
break;
case GCRY_CIPHER_MODE_OCB:
c->mode_ops.setiv = _gcry_cipher_ocb_set_nonce;
break;
case GCRY_CIPHER_MODE_SIV:
c->mode_ops.setiv = _gcry_cipher_siv_set_nonce;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
c->mode_ops.setiv = _gcry_cipher_gcm_siv_set_nonce;
break;
default:
c->mode_ops.setiv = cipher_setiv;
break;
}
/* Setup authentication routines for AEAD modes. */
switch (mode)
{
case GCRY_CIPHER_MODE_CCM:
c->mode_ops.authenticate = _gcry_cipher_ccm_authenticate;
c->mode_ops.get_tag = _gcry_cipher_ccm_get_tag;
c->mode_ops.check_tag = _gcry_cipher_ccm_check_tag;
break;
case GCRY_CIPHER_MODE_CMAC:
c->mode_ops.authenticate = _gcry_cipher_cmac_authenticate;
c->mode_ops.get_tag = _gcry_cipher_cmac_get_tag;
c->mode_ops.check_tag = _gcry_cipher_cmac_check_tag;
break;
case GCRY_CIPHER_MODE_EAX:
c->mode_ops.authenticate = _gcry_cipher_eax_authenticate;
c->mode_ops.get_tag = _gcry_cipher_eax_get_tag;
c->mode_ops.check_tag = _gcry_cipher_eax_check_tag;
break;
case GCRY_CIPHER_MODE_GCM:
c->mode_ops.authenticate = _gcry_cipher_gcm_authenticate;
c->mode_ops.get_tag = _gcry_cipher_gcm_get_tag;
c->mode_ops.check_tag = _gcry_cipher_gcm_check_tag;
break;
case GCRY_CIPHER_MODE_POLY1305:
c->mode_ops.authenticate = _gcry_cipher_poly1305_authenticate;
c->mode_ops.get_tag = _gcry_cipher_poly1305_get_tag;
c->mode_ops.check_tag = _gcry_cipher_poly1305_check_tag;
break;
case GCRY_CIPHER_MODE_OCB:
c->mode_ops.authenticate = _gcry_cipher_ocb_authenticate;
c->mode_ops.get_tag = _gcry_cipher_ocb_get_tag;
c->mode_ops.check_tag = _gcry_cipher_ocb_check_tag;
break;
case GCRY_CIPHER_MODE_SIV:
c->mode_ops.authenticate = _gcry_cipher_siv_authenticate;
c->mode_ops.get_tag = _gcry_cipher_siv_get_tag;
c->mode_ops.check_tag = _gcry_cipher_siv_check_tag;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
c->mode_ops.authenticate = _gcry_cipher_gcm_siv_authenticate;
c->mode_ops.get_tag = _gcry_cipher_gcm_siv_get_tag;
c->mode_ops.check_tag = _gcry_cipher_gcm_siv_check_tag;
break;
default:
c->mode_ops.authenticate = NULL;
c->mode_ops.get_tag = NULL;
c->mode_ops.check_tag = NULL;
break;
}
}
gcry_err_code_t
_gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen)
{
gcry_err_code_t rc = 0;
switch (cmd)
{
case GCRYCTL_RESET:
cipher_reset (h);
break;
case GCRYCTL_FINALIZE:
if (!h || buffer || buflen)
return GPG_ERR_INV_ARG;
h->marks.finalize = 1;
break;
case GCRYCTL_CFB_SYNC:
cipher_sync( h );
break;
case GCRYCTL_SET_CBC_CTS:
if (buflen)
if (h->flags & GCRY_CIPHER_CBC_MAC)
rc = GPG_ERR_INV_FLAG;
else
h->flags |= GCRY_CIPHER_CBC_CTS;
else
h->flags &= ~GCRY_CIPHER_CBC_CTS;
break;
case GCRYCTL_SET_CBC_MAC:
if (buflen)
if (h->flags & GCRY_CIPHER_CBC_CTS)
rc = GPG_ERR_INV_FLAG;
else
h->flags |= GCRY_CIPHER_CBC_MAC;
else
h->flags &= ~GCRY_CIPHER_CBC_MAC;
break;
case GCRYCTL_SET_CCM_LENGTHS:
{
u64 params[3];
size_t encryptedlen;
size_t aadlen;
size_t authtaglen;
if (h->mode != GCRY_CIPHER_MODE_CCM)
return GPG_ERR_INV_CIPHER_MODE;
if (!buffer || buflen != 3 * sizeof(u64))
return GPG_ERR_INV_ARG;
/* This command is used to pass additional length parameters needed
by CCM mode to initialize CBC-MAC. */
memcpy (params, buffer, sizeof(params));
encryptedlen = params[0];
aadlen = params[1];
authtaglen = params[2];
rc = _gcry_cipher_ccm_set_lengths (h, encryptedlen, aadlen, authtaglen);
}
break;
case GCRYCTL_SET_DECRYPTION_TAG:
{
if (!buffer)
return GPG_ERR_INV_ARG;
if (h->mode == GCRY_CIPHER_MODE_SIV)
rc = _gcry_cipher_siv_set_decryption_tag (h, buffer, buflen);
else if (h->mode == GCRY_CIPHER_MODE_GCM_SIV)
rc = _gcry_cipher_gcm_siv_set_decryption_tag (h, buffer, buflen);
else
rc = GPG_ERR_INV_CIPHER_MODE;
}
break;
case GCRYCTL_SET_TAGLEN:
if (!h || !buffer || buflen != sizeof(int) )
return GPG_ERR_INV_ARG;
switch (h->mode)
{
case GCRY_CIPHER_MODE_OCB:
switch (*(int*)buffer)
{
case 8: case 12: case 16:
h->u_mode.ocb.taglen = *(int*)buffer;
break;
default:
rc = GPG_ERR_INV_LENGTH; /* Invalid tag length. */
break;
}
break;
default:
rc =GPG_ERR_INV_CIPHER_MODE;
break;
}
break;
case GCRYCTL_DISABLE_ALGO:
/* This command expects NULL for H and BUFFER to point to an
integer with the algo number. */
if( h || !buffer || buflen != sizeof(int) )
return GPG_ERR_CIPHER_ALGO;
disable_cipher_algo( *(int*)buffer );
break;
case PRIV_CIPHERCTL_DISABLE_WEAK_KEY: /* (private) */
if (h->spec->set_extra_info)
rc = h->spec->set_extra_info
(&h->context.c, CIPHER_INFO_NO_WEAK_KEY, NULL, 0);
else
rc = GPG_ERR_NOT_SUPPORTED;
break;
case PRIV_CIPHERCTL_GET_INPUT_VECTOR: /* (private) */
/* This is the input block as used in CFB and OFB mode which has
initially been set as IV. The returned format is:
1 byte Actual length of the block in bytes.
n byte The block.
If the provided buffer is too short, an error is returned. */
if (buflen < (1 + h->spec->blocksize))
rc = GPG_ERR_TOO_SHORT;
else
{
unsigned char *ivp;
unsigned char *dst = buffer;
int n = h->unused;
if (!n)
n = h->spec->blocksize;
gcry_assert (n <= h->spec->blocksize);
*dst++ = n;
ivp = h->u_iv.iv + h->spec->blocksize - n;
while (n--)
*dst++ = *ivp++;
}
break;
case GCRYCTL_SET_SBOX:
if (h->spec->set_extra_info)
rc = h->spec->set_extra_info
(&h->context.c, GCRYCTL_SET_SBOX, buffer, buflen);
else
rc = GPG_ERR_NOT_SUPPORTED;
break;
case GCRYCTL_SET_ALLOW_WEAK_KEY:
/* Expecting BUFFER to be NULL and buflen to be on/off flag (0 or 1). */
if (!h || buffer || buflen > 1)
return GPG_ERR_CIPHER_ALGO;
h->marks.allow_weak_key = buflen ? 1 : 0;
break;
default:
rc = GPG_ERR_INV_OP;
}
return rc;
}
/* Return information about the cipher handle H. CMD is the kind of
* information requested.
*
* CMD may be one of:
*
* GCRYCTL_GET_TAGLEN:
* Return the length of the tag for an AE algorithm mode. An
* error is returned for modes which do not support a tag.
* BUFFER must be given as NULL. On success the result is stored
* at NBYTES. The taglen is returned in bytes.
*
+ * GCRYCTL_GET_KEYLEN:
+ * Return the length of the key wrapped for AES-WRAP mode. The
+ * length is encoded in big-endian 4 bytes, when the key is
+ * unwrapped with KWP. Return 00 00 00 00, when the key is
+ * unwrapped with KW.
+ *
* The function returns 0 on success or an error code.
*/
gcry_err_code_t
_gcry_cipher_info (gcry_cipher_hd_t h, int cmd, void *buffer, size_t *nbytes)
{
gcry_err_code_t rc = 0;
switch (cmd)
{
case GCRYCTL_GET_TAGLEN:
if (!h || buffer || !nbytes)
rc = GPG_ERR_INV_ARG;
else
{
switch (h->mode)
{
case GCRY_CIPHER_MODE_OCB:
*nbytes = h->u_mode.ocb.taglen;
break;
case GCRY_CIPHER_MODE_CCM:
*nbytes = h->u_mode.ccm.authlen;
break;
case GCRY_CIPHER_MODE_EAX:
*nbytes = h->spec->blocksize;
break;
case GCRY_CIPHER_MODE_GCM:
*nbytes = GCRY_GCM_BLOCK_LEN;
break;
case GCRY_CIPHER_MODE_POLY1305:
*nbytes = POLY1305_TAGLEN;
break;
case GCRY_CIPHER_MODE_SIV:
*nbytes = GCRY_SIV_BLOCK_LEN;
break;
case GCRY_CIPHER_MODE_GCM_SIV:
*nbytes = GCRY_SIV_BLOCK_LEN;
break;
default:
rc = GPG_ERR_INV_CIPHER_MODE;
break;
}
}
break;
+ case GCRYCTL_GET_KEYLEN:
+ if (!h || !buffer || !nbytes)
+ rc = GPG_ERR_INV_ARG;
+ else
+ {
+ switch (h->mode)
+ {
+ case GCRY_CIPHER_MODE_AESWRAP:
+ *nbytes = 4;
+ memcpy (buffer, h->u_mode.wrap.plen, 4);
+ break;
+
+ default:
+ rc = GPG_ERR_INV_CIPHER_MODE;
+ break;
+ }
+ }
+ break;
+
default:
rc = GPG_ERR_INV_OP;
}
return rc;
}
/* Return information about the given cipher algorithm ALGO.
WHAT select the kind of information returned:
GCRYCTL_GET_KEYLEN:
Return the length of the key. If the algorithm ALGO
supports multiple key lengths, the maximum supported key length
is returned. The key length is returned as number of octets.
BUFFER and NBYTES must be zero.
GCRYCTL_GET_BLKLEN:
Return the blocklength of the algorithm ALGO counted in octets.
BUFFER and NBYTES must be zero.
GCRYCTL_TEST_ALGO:
Returns 0 if the specified algorithm ALGO is available for use.
BUFFER and NBYTES must be zero.
Note: Because this function is in most cases used to return an
integer value, we can make it easier for the caller to just look at
the return value. The caller will in all cases consult the value
and thereby detecting whether a error occurred or not (i.e. while
checking the block size)
*/
gcry_err_code_t
_gcry_cipher_algo_info (int algo, int what, void *buffer, size_t *nbytes)
{
gcry_err_code_t rc = 0;
unsigned int ui;
switch (what)
{
case GCRYCTL_GET_KEYLEN:
if (buffer || (! nbytes))
rc = GPG_ERR_CIPHER_ALGO;
else
{
ui = cipher_get_keylen (algo);
if ((ui > 0) && (ui <= 512))
*nbytes = (size_t) ui / 8;
else
/* The only reason for an error is an invalid algo. */
rc = GPG_ERR_CIPHER_ALGO;
}
break;
case GCRYCTL_GET_BLKLEN:
if (buffer || (! nbytes))
rc = GPG_ERR_CIPHER_ALGO;
else
{
ui = cipher_get_blocksize (algo);
if ((ui > 0) && (ui < 10000))
*nbytes = ui;
else
{
/* The only reason is an invalid algo or a strange
blocksize. */
rc = GPG_ERR_CIPHER_ALGO;
}
}
break;
case GCRYCTL_TEST_ALGO:
if (buffer || nbytes)
rc = GPG_ERR_INV_ARG;
else
rc = check_cipher_algo (algo);
break;
default:
rc = GPG_ERR_INV_OP;
}
return rc;
}
/* This function returns length of the key for algorithm ALGO. If the
algorithm supports multiple key lengths, the maximum supported key
length is returned. On error 0 is returned. The key length is
returned as number of octets.
This is a convenience functions which should be preferred over
gcry_cipher_algo_info because it allows for proper type
checking. */
size_t
_gcry_cipher_get_algo_keylen (int algo)
{
size_t n;
if (_gcry_cipher_algo_info (algo, GCRYCTL_GET_KEYLEN, NULL, &n))
n = 0;
return n;
}
/* This functions returns the blocklength of the algorithm ALGO
counted in octets. On error 0 is returned.
This is a convenience functions which should be preferred over
gcry_cipher_algo_info because it allows for proper type
checking. */
size_t
_gcry_cipher_get_algo_blklen (int algo)
{
size_t n;
if (_gcry_cipher_algo_info( algo, GCRYCTL_GET_BLKLEN, NULL, &n))
n = 0;
return n;
}
/* Explicitly initialize this module. */
gcry_err_code_t
_gcry_cipher_init (void)
{
return 0;
}
/* Run the selftests for cipher algorithm ALGO with optional reporting
function REPORT. */
gpg_error_t
_gcry_cipher_selftest (int algo, int extended, selftest_report_func_t report)
{
gcry_err_code_t ec = 0;
gcry_cipher_spec_t *spec;
spec = spec_from_algo (algo);
if (spec && !spec->flags.disabled
&& (spec->flags.fips || !fips_mode ())
&& spec->selftest)
ec = spec->selftest (algo, extended, report);
else
{
ec = GPG_ERR_CIPHER_ALGO;
if (report)
report ("cipher", algo, "module",
spec && !spec->flags.disabled
&& (spec->flags.fips || !fips_mode ())?
"no selftest available" :
spec? "algorithm disabled" : "algorithm not found");
}
return gpg_error (ec);
}
diff --git a/tests/aeswrap.c b/tests/aeswrap.c
index 21632ed3..ed4453bd 100644
--- a/tests/aeswrap.c
+++ b/tests/aeswrap.c
@@ -1,438 +1,465 @@
/* aeswrap.c - AESWRAP mode regression tests
* Copyright (C) 2009 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* Libgcrypt is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#ifdef HAVE_CONFIG_H
#include
#endif
#include
#include
#include
#include
#define PGM "aeswrap"
#include "t-common.h"
static void
check_one (int algo,
const void *kek, size_t keklen,
const void *data, size_t datalen,
const void *expected, size_t expectedlen,
int inplace)
{
gcry_error_t err;
gcry_cipher_hd_t hd;
unsigned char outbuf[32+8];
size_t outbuflen;
err = gcry_cipher_open (&hd, algo, GCRY_CIPHER_MODE_AESWRAP, 0);
if (err)
{
fail ("gcry_cipher_open failed: %s\n", gpg_strerror (err));
return;
}
err = gcry_cipher_setkey (hd, kek, keklen);
if (err)
{
fail ("gcry_cipher_setkey failed: %s\n", gpg_strerror (err));
return;
}
outbuflen = datalen + 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, data, datalen);
err = gcry_cipher_encrypt (hd, outbuf, outbuflen, outbuf, datalen);
}
else
{
err = gcry_cipher_encrypt (hd, outbuf, outbuflen, data, datalen);
}
if (err)
{
fail ("gcry_cipher_encrypt failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != expectedlen || memcmp (outbuf, expected, expectedlen))
{
const unsigned char *s;
int i;
fail ("mismatch at encryption!%s\n", inplace ? " (inplace)" : "");
fprintf (stderr, "computed: ");
for (i = 0; i < outbuflen; i++)
fprintf (stderr, "%02x ", outbuf[i]);
fprintf (stderr, "\nexpected: ");
for (s = expected, i = 0; i < expectedlen; s++, i++)
fprintf (stderr, "%02x ", *s);
putc ('\n', stderr);
}
outbuflen = expectedlen - 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, expected, expectedlen);
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, outbuf, expectedlen);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
}
if (err)
{
fail ("gcry_cipher_decrypt failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != datalen || memcmp (outbuf, data, datalen))
{
const unsigned char *s;
int i;
fail ("mismatch at decryption!%s\n", inplace ? " (inplace)" : "");
fprintf (stderr, "computed: ");
for (i = 0; i < outbuflen; i++)
fprintf (stderr, "%02x ", outbuf[i]);
fprintf (stderr, "\nexpected: ");
for (s = data, i = 0; i < datalen; s++, i++)
fprintf (stderr, "%02x ", *s);
putc ('\n', stderr);
}
/* Now the last step again with a key reset. */
gcry_cipher_reset (hd);
outbuflen = expectedlen - 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, expected, expectedlen);
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, outbuf, expectedlen);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
}
if (err)
{
fail ("gcry_cipher_decrypt(2) failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != datalen || memcmp (outbuf, data, datalen))
fail ("mismatch at decryption(2)!%s\n", inplace ? " (inplace)" : "");
/* And once more without a key reset. */
outbuflen = expectedlen - 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else if (inplace)
{
memcpy (outbuf, expected, expectedlen);
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, outbuf, expectedlen);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
}
if (err)
{
fail ("gcry_cipher_decrypt(3) failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != datalen || memcmp (outbuf, data, datalen))
fail ("mismatch at decryption(3)!%s\n", inplace ? " (inplace)" : "");
gcry_cipher_close (hd);
}
static void
check (int algo,
const void *kek, size_t keklen,
const void *data, size_t datalen,
const void *expected, size_t expectedlen)
{
check_one (algo, kek, keklen, data, datalen, expected, expectedlen, 0);
check_one (algo, kek, keklen, data, datalen, expected, expectedlen, 1);
}
static void
check_one_with_padding (int algo,
const void *kek, size_t keklen,
const void *data, size_t datalen,
const void *expected, size_t expectedlen)
{
gcry_error_t err;
gcry_cipher_hd_t hd;
unsigned char outbuf[4*16];
size_t outbuflen;
err = gcry_cipher_open (&hd, algo, GCRY_CIPHER_MODE_AESWRAP,
GCRY_CIPHER_EXTENDED);
if (err)
{
fail ("gcry_cipher_open failed: %s\n", gpg_strerror (err));
return;
}
err = gcry_cipher_setkey (hd, kek, keklen);
if (err)
{
fail ("gcry_cipher_setkey failed: %s\n", gpg_strerror (err));
return;
}
outbuflen = ((datalen+7)/8) * 8 + 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else
{
err = gcry_cipher_encrypt (hd, outbuf, outbuflen, data, datalen);
}
if (err)
{
fail ("gcry_cipher_encrypt failed: %s\n", gpg_strerror (err));
return;
}
if (outbuflen != expectedlen || memcmp (outbuf, expected, expectedlen))
{
const unsigned char *s;
int i;
fail ("mismatch at encryption!(padding)\n");
fprintf (stderr, "computed: ");
for (i = 0; i < outbuflen; i++)
fprintf (stderr, "%02x ", outbuf[i]);
fprintf (stderr, "\nexpected: ");
for (s = expected, i = 0; i < expectedlen; s++, i++)
fprintf (stderr, "%02x ", *s);
putc ('\n', stderr);
}
outbuflen = ((datalen+7)/8) * 8 + 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
+ if (!err)
+ {
+ unsigned char plen[4];
+ size_t nbytes;
+ err = gcry_cipher_info (hd, GCRYCTL_GET_KEYLEN, plen, &nbytes);
+ if (!err)
+ outbuflen = (plen[0] << 24) | (plen[1] << 16)
+ | (plen[2] << 8) | plen[3];
+ }
}
if (err)
{
fail ("gcry_cipher_decrypt failed: %s\n", gpg_strerror (err));
return;
}
- if (memcmp (outbuf, data, datalen))
+ if (outbuflen != datalen || memcmp (outbuf, data, datalen))
{
const unsigned char *s;
int i;
fail ("mismatch at decryption!(padding)\n");
fprintf (stderr, "computed: ");
for (i = 0; i < outbuflen; i++)
fprintf (stderr, "%02x ", outbuf[i]);
fprintf (stderr, "\nexpected: ");
for (s = data, i = 0; i < datalen; s++, i++)
fprintf (stderr, "%02x ", *s);
putc ('\n', stderr);
}
/* Now the last step again with a key reset. */
gcry_cipher_reset (hd);
outbuflen = ((datalen+7)/8) * 8 + 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
+ if (!err)
+ {
+ unsigned char plen[4];
+ size_t nbytes;
+ err = gcry_cipher_info (hd, GCRYCTL_GET_KEYLEN, plen, &nbytes);
+ if (!err)
+ outbuflen = (plen[0] << 24) | (plen[1] << 16)
+ | (plen[2] << 8) | plen[3];
+ }
}
if (err)
{
fail ("gcry_cipher_decrypt(2) failed: %s\n", gpg_strerror (err));
return;
}
- if (memcmp (outbuf, data, datalen))
+ if (outbuflen != datalen || memcmp (outbuf, data, datalen))
fail ("mismatch at decryption(2)(padding)!\n");
/* And once more without a key reset. */
outbuflen = ((datalen+7)/8) * 8 + 8;
if (outbuflen > sizeof outbuf)
{
err = gpg_error (GPG_ERR_INTERNAL);
}
else
{
err = gcry_cipher_decrypt (hd, outbuf, outbuflen, expected, expectedlen);
+ if (!err)
+ {
+ unsigned char plen[4];
+ size_t nbytes;
+ err = gcry_cipher_info (hd, GCRYCTL_GET_KEYLEN, plen, &nbytes);
+ if (!err)
+ outbuflen = (plen[0] << 24) | (plen[1] << 16)
+ | (plen[2] << 8) | plen[3];
+ }
}
if (err)
{
fail ("gcry_cipher_decrypt(3) failed: %s\n", gpg_strerror (err));
return;
}
- if (memcmp (outbuf, data, datalen))
+ if (outbuflen != datalen || memcmp (outbuf, data, datalen))
fail ("mismatch at decryption(3)(padding)!\n");
gcry_cipher_close (hd);
}
static void
check_all (void)
{
if (verbose)
fprintf (stderr, "4.1 Wrap 128 bits of Key Data with a 128-bit KEK\n");
check
(GCRY_CIPHER_AES128,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 16,
"\x1F\xA6\x8B\x0A\x81\x12\xB4\x47\xAE\xF3\x4B\xD8\xFB\x5A\x7B\x82"
"\x9D\x3E\x86\x23\x71\xD2\xCF\xE5", 24);
if (verbose)
fprintf (stderr, "4.2 Wrap 128 bits of Key Data with a 192-bit KEK\n");
check
(GCRY_CIPHER_AES192,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17", 24,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 16,
"\x96\x77\x8B\x25\xAE\x6C\xA4\x35\xF9\x2B\x5B\x97\xC0\x50\xAE\xD2"
"\x46\x8A\xB8\xA1\x7A\xD8\x4E\x5D", 24);
if (verbose)
fprintf (stderr, "4.3 Wrap 128 bits of Key Data with a 256-bit KEK\n");
check
(GCRY_CIPHER_AES256,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 32,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 16,
"\x64\xE8\xC3\xF9\xCE\x0F\x5B\xA2\x63\xE9\x77\x79\x05\x81\x8A\x2A"
"\x93\xC8\x19\x1E\x7D\x6E\x8A\xE7", 24);
if (verbose)
fprintf (stderr, "4.4 Wrap 192 bits of Key Data with a 192-bit KEK\n");
check
(GCRY_CIPHER_AES192,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17", 24,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
"\x00\x01\x02\x03\x04\x05\x06\x07", 24,
"\x03\x1D\x33\x26\x4E\x15\xD3\x32\x68\xF2\x4E\xC2\x60\x74\x3E\xDC"
"\xE1\xC6\xC7\xDD\xEE\x72\x5A\x93\x6B\xA8\x14\x91\x5C\x67\x62\xD2", 32);
if (verbose)
fprintf (stderr, "4.5 Wrap 192 bits of Key Data with a 256-bit KEK\n");
check
(GCRY_CIPHER_AES256,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 32,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
"\x00\x01\x02\x03\x04\x05\x06\x07", 24,
"\xA8\xF9\xBC\x16\x12\xC6\x8B\x3F\xF6\xE6\xF4\xFB\xE3\x0E\x71\xE4"
"\x76\x9C\x8B\x80\xA3\x2C\xB8\x95\x8C\xD5\xD1\x7D\x6B\x25\x4D\xA1", 32);
if (verbose)
fprintf (stderr, "4.6 Wrap 256 bits of Key Data with a 256-bit KEK\n");
check
(GCRY_CIPHER_AES,
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 32,
"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF"
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 32,
"\x28\xC9\xF4\x04\xC4\xB8\x10\xF4\xCB\xCC\xB3\x5C\xFB\x87\xF8\x26"
"\x3F\x57\x86\xE2\xD8\x0E\xD3\x26\xCB\xC7\xF0\xE7\x1A\x99\xF4\x3B"
"\xFB\x98\x8B\x9B\x7A\x02\xDD\x21", 40);
if (verbose)
fprintf (stderr, "6 Wrap 160 bits of Key Data with a 192-bit KEK\n");
check_one_with_padding
(GCRY_CIPHER_AES192,
"\x58\x40\xdf\x6e\x29\xb0\x2a\xf1\xab\x49\x3b\x70\x5b\xf1\x6e\xa1"
"\xae\x83\x38\xf4\xdc\xc1\x76\xa8", 24,
"\xc3\x7b\x7e\x64\x92\x58\x43\x40\xbe\xd1\x22\x07\x80\x89\x41\x15"
"\x50\x68\xf7\x38", 20,
"\x13\x8b\xde\xaa\x9b\x8f\xa7\xfc\x61\xf9\x77\x42\xe7\x22\x48\xee"
"\x5a\xe6\xae\x53\x60\xd1\xae\x6a\x5f\x54\xf3\x73\xfa\x54\x3b\x6a", 32);
if (verbose)
fprintf (stderr, "6 Wrap 56 bits of Key Data with a 192-bit KEK\n");
check_one_with_padding
(GCRY_CIPHER_AES192,
"\x58\x40\xdf\x6e\x29\xb0\x2a\xf1\xab\x49\x3b\x70\x5b\xf1\x6e\xa1"
"\xae\x83\x38\xf4\xdc\xc1\x76\xa8", 24,
"\x46\x6f\x72\x50\x61\x73\x69", 7,
"\xaf\xbe\xb0\xf0\x7d\xfb\xf5\x41\x92\x00\xf2\xcc\xb5\x0b\xb2\x4f", 16);
}
int
main (int argc, char **argv)
{
if (argc > 1 && !strcmp (argv[1], "--verbose"))
verbose = 1;
else if (argc > 1 && !strcmp (argv[1], "--debug"))
verbose = debug = 1;
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
xgcry_control ((GCRYCTL_DISABLE_SECMEM, 0));
xgcry_control ((GCRYCTL_INITIALIZATION_FINISHED, 0));
if (debug)
xgcry_control ((GCRYCTL_SET_DEBUG_FLAGS, 1u, 0));
check_all ();
return error_count ? 1 : 0;
}