authorTodd Short <tshort@akamai.com>2022-04-28 14:56:11 -0400
committerTodd Short <todd.short@me.com>2022-07-29 08:32:16 -0400
commit0113ec8460a918f8bc782130db8f75540b3b1ab2 (patch)
tree2e8c7100cd3be8c2a0cc32efed6330daf3f8395f /crypto/modes
parentdffafaf48174497a724d546c3483d2493fc9b64c (diff)
Implement AES-GCM-SIV (RFC8452)
Fixes #16721 This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally, there would be separate polyval assembly implementation(s), but the only one I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed. This implementation lives only in the default provider; there is no legacy implementation. The code offered in #16721 is not used; that implementation sits on top of OpenSSL, this one is embedded inside OpenSSL. Full test vectors from RFC8452 are included, except the 0 length plaintext; that is not supported; and I'm not sure it's worthwhile to do so. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18693)
Diffstat (limited to 'crypto/modes')
-rw-r--r--crypto/modes/gcm128.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 84cc6fb08a..9a9adc9df8 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -510,6 +510,43 @@ static void gcm_get_funcs(struct gcm_funcs_st *ctx)
#endif
}
+void ossl_gcm_init_4bit(u128 Htable[16], const u64 H[2])
+{
+ struct gcm_funcs_st funcs;
+
+ gcm_get_funcs(&funcs);
+ funcs.ginit(Htable, H);
+}
+
+void ossl_gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
+{
+ struct gcm_funcs_st funcs;
+
+ gcm_get_funcs(&funcs);
+ funcs.gmult(Xi, Htable);
+}
+
+void ossl_gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
+ const u8 *inp, size_t len)
+{
+ struct gcm_funcs_st funcs;
+ u64 tmp[2];
+ size_t i;
+
+ gcm_get_funcs(&funcs);
+ if (funcs.ghash != NULL) {
+ funcs.ghash(Xi, Htable, inp, len);
+ } else {
+ /* Emulate ghash if needed */
+ for (i = 0; i < len; i += 16) {
+ memcpy(tmp, &inp[i], sizeof(tmp));
+ Xi[0] ^= tmp[0];
+ Xi[1] ^= tmp[1];
+ funcs.gmult(Xi, Htable);
+ }
+ }
+}
+
void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
{
DECLARE_IS_ENDIAN;
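Review bot: The fallback loop in ossl_gcm_ghash_4bit copies 16 bytes on every iteration without checking that len is a multiple of 16, so a trailing partial block would read past the end of inp by up to 15 bytes, and the funcs.ghash path above it has the same whole-block precondition without stating it. Since a MAC/POLYVAL helper should not silently drop or over-read a remainder, the precondition belongs on the function, e.g. a header comment `/* len must be a multiple of 16; the caller is responsible for padding the final block */` on the definition at the top of the hunk, with the same note on ossl_gcm_init_4bit and ossl_gcm_gmult_4bit that Htable/Xi follow the gcm128 byte layout. The "_4bit" suffix on all three names is also slightly misleading, as gcm_get_funcs may hand back a platform implementation rather than the 4-bit table code; a one-line comment saying the functions dispatch through gcm_get_funcs would avoid that confusion. Rebuilding the funcs table on every call is harmless but avoidable; if that becomes hot, caching it once is a straightforward follow-up.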