diff options
Diffstat (limited to 'CryptoPP')
-rw-r--r-- | CryptoPP/authenc.cpp | 360 | ||||
-rw-r--r-- | CryptoPP/authenc.h | 98 | ||||
-rw-r--r-- | CryptoPP/ccm.cpp | 280 | ||||
-rw-r--r-- | CryptoPP/ccm.h | 202 | ||||
-rw-r--r-- | CryptoPP/cmac.cpp | 244 | ||||
-rw-r--r-- | CryptoPP/cmac.h | 104 | ||||
-rw-r--r-- | CryptoPP/eax.cpp | 118 | ||||
-rw-r--r-- | CryptoPP/gcm.cpp | 1656 | ||||
-rw-r--r-- | CryptoPP/gcm.h | 212 | ||||
-rw-r--r-- | CryptoPP/seed.cpp | 208 |
10 files changed, 1741 insertions, 1741 deletions
diff --git a/CryptoPP/authenc.cpp b/CryptoPP/authenc.cpp index 0ca5da60d..f93662efb 100644 --- a/CryptoPP/authenc.cpp +++ b/CryptoPP/authenc.cpp @@ -1,180 +1,180 @@ -// authenc.cpp - written and placed in the public domain by Wei Dai
-
-#include "pch.h"
-
-#ifndef CRYPTOPP_IMPORTS
-
-#include "authenc.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-void AuthenticatedSymmetricCipherBase::AuthenticateData(const byte *input, size_t len)
-{
- unsigned int blockSize = AuthenticationBlockSize();
- unsigned int &num = m_bufferedDataLength;
- byte* data = m_buffer.begin();
-
- if (num != 0) // process left over data
- {
- if (num+len >= blockSize)
- {
- memcpy(data+num, input, blockSize-num);
- AuthenticateBlocks(data, blockSize);
- input += (blockSize-num);
- len -= (blockSize-num);
- num = 0;
- // drop through and do the rest
- }
- else
- {
- memcpy(data+num, input, len);
- num += (unsigned int)len;
- return;
- }
- }
-
- // now process the input data in blocks of blockSize bytes and save the leftovers to m_data
- if (len >= blockSize)
- {
- size_t leftOver = AuthenticateBlocks(input, len);
- input += (len - leftOver);
- len = leftOver;
- }
-
- memcpy(data, input, len);
- num = (unsigned int)len;
-}
-
-void AuthenticatedSymmetricCipherBase::SetKey(const byte *userKey, size_t keylength, const NameValuePairs ¶ms)
-{
- m_bufferedDataLength = 0;
- m_state = State_Start;
-
- SetKeyWithoutResync(userKey, keylength, params);
- m_state = State_KeySet;
-
- size_t length;
- const byte *iv = GetIVAndThrowIfInvalid(params, length);
- if (iv)
- Resynchronize(iv, (int)length);
-}
-
-void AuthenticatedSymmetricCipherBase::Resynchronize(const byte *iv, int length)
-{
- if (m_state < State_KeySet)
- throw BadState(AlgorithmName(), "Resynchronize", "key is set");
-
- m_bufferedDataLength = 0;
- m_totalHeaderLength = m_totalMessageLength = m_totalFooterLength = 0;
- m_state = State_KeySet;
-
- Resync(iv, this->ThrowIfInvalidIVLength(length));
- m_state = State_IVSet;
-}
-
-void AuthenticatedSymmetricCipherBase::Update(const byte *input, size_t length)
-{
- if (length == 0)
- return;
-
- switch (m_state)
- {
- case State_Start:
- case State_KeySet:
- throw BadState(AlgorithmName(), "Update", "setting key and IV");
- case State_IVSet:
- AuthenticateData(input, length);
- m_totalHeaderLength += length;
- break;
- case State_AuthUntransformed:
- case State_AuthTransformed:
- AuthenticateLastConfidentialBlock();
- m_bufferedDataLength = 0;
- m_state = State_AuthFooter;
- // fall through
- case State_AuthFooter:
- AuthenticateData(input, length);
- m_totalFooterLength += length;
- break;
- default:
- assert(false);
- }
-}
-
-void AuthenticatedSymmetricCipherBase::ProcessData(byte *outString, const byte *inString, size_t length)
-{
- m_totalMessageLength += length;
- if (m_state >= State_IVSet && m_totalMessageLength > MaxMessageLength())
- throw InvalidArgument(AlgorithmName() + ": message length exceeds maximum");
-
-reswitch:
- switch (m_state)
- {
- case State_Start:
- case State_KeySet:
- throw BadState(AlgorithmName(), "ProcessData", "setting key and IV");
- case State_AuthFooter:
- throw BadState(AlgorithmName(), "ProcessData was called after footer input has started");
- case State_IVSet:
- AuthenticateLastHeaderBlock();
- m_bufferedDataLength = 0;
- m_state = AuthenticationIsOnPlaintext()==IsForwardTransformation() ? State_AuthUntransformed : State_AuthTransformed;
- goto reswitch;
- case State_AuthUntransformed:
- AuthenticateData(inString, length);
- AccessSymmetricCipher().ProcessData(outString, inString, length);
- break;
- case State_AuthTransformed:
- AccessSymmetricCipher().ProcessData(outString, inString, length);
- AuthenticateData(outString, length);
- break;
- default:
- assert(false);
- }
-}
-
-void AuthenticatedSymmetricCipherBase::TruncatedFinal(byte *mac, size_t macSize)
-{
- if (m_totalHeaderLength > MaxHeaderLength())
- throw InvalidArgument(AlgorithmName() + ": header length of " + IntToString(m_totalHeaderLength) + " exceeds the maximum of " + IntToString(MaxHeaderLength()));
-
- if (m_totalFooterLength > MaxFooterLength())
- {
- if (MaxFooterLength() == 0)
- throw InvalidArgument(AlgorithmName() + ": additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted");
- else
- throw InvalidArgument(AlgorithmName() + ": footer length of " + IntToString(m_totalFooterLength) + " exceeds the maximum of " + IntToString(MaxFooterLength()));
- }
-
- switch (m_state)
- {
- case State_Start:
- case State_KeySet:
- throw BadState(AlgorithmName(), "TruncatedFinal", "setting key and IV");
-
- case State_IVSet:
- AuthenticateLastHeaderBlock();
- m_bufferedDataLength = 0;
- // fall through
-
- case State_AuthUntransformed:
- case State_AuthTransformed:
- AuthenticateLastConfidentialBlock();
- m_bufferedDataLength = 0;
- // fall through
-
- case State_AuthFooter:
- AuthenticateLastFooterBlock(mac, macSize);
- m_bufferedDataLength = 0;
- break;
-
- default:
- assert(false);
- }
-
- m_state = State_KeySet;
-}
-
-NAMESPACE_END
-
-#endif
+// authenc.cpp - written and placed in the public domain by Wei Dai + +#include "pch.h" + +#ifndef CRYPTOPP_IMPORTS + +#include "authenc.h" + +NAMESPACE_BEGIN(CryptoPP) + +void AuthenticatedSymmetricCipherBase::AuthenticateData(const byte *input, size_t len) +{ + unsigned int blockSize = AuthenticationBlockSize(); + unsigned int &num = m_bufferedDataLength; + byte* data = m_buffer.begin(); + + if (num != 0) // process left over data + { + if (num+len >= blockSize) + { + memcpy(data+num, input, blockSize-num); + AuthenticateBlocks(data, blockSize); + input += (blockSize-num); + len -= (blockSize-num); + num = 0; + // drop through and do the rest + } + else + { + memcpy(data+num, input, len); + num += (unsigned int)len; + return; + } + } + + // now process the input data in blocks of blockSize bytes and save the leftovers to m_data + if (len >= blockSize) + { + size_t leftOver = AuthenticateBlocks(input, len); + input += (len - leftOver); + len = leftOver; + } + + memcpy(data, input, len); + num = (unsigned int)len; +} + +void AuthenticatedSymmetricCipherBase::SetKey(const byte *userKey, size_t keylength, const NameValuePairs ¶ms) +{ + m_bufferedDataLength = 0; + m_state = State_Start; + + SetKeyWithoutResync(userKey, keylength, params); + m_state = State_KeySet; + + size_t length; + const byte *iv = GetIVAndThrowIfInvalid(params, length); + if (iv) + Resynchronize(iv, (int)length); +} + +void AuthenticatedSymmetricCipherBase::Resynchronize(const byte *iv, int length) +{ + if (m_state < State_KeySet) + throw BadState(AlgorithmName(), "Resynchronize", "key is set"); + + m_bufferedDataLength = 0; + m_totalHeaderLength = m_totalMessageLength = m_totalFooterLength = 0; + m_state = State_KeySet; + + Resync(iv, this->ThrowIfInvalidIVLength(length)); + m_state = State_IVSet; +} + +void AuthenticatedSymmetricCipherBase::Update(const byte *input, size_t length) +{ + if (length == 0) + return; + + switch (m_state) + { + case State_Start: + case State_KeySet: + throw BadState(AlgorithmName(), "Update", "setting key and IV"); + case State_IVSet: + AuthenticateData(input, length); + m_totalHeaderLength += length; + break; + case State_AuthUntransformed: + case State_AuthTransformed: + AuthenticateLastConfidentialBlock(); + m_bufferedDataLength = 0; + m_state = State_AuthFooter; + // fall through + case State_AuthFooter: + AuthenticateData(input, length); + m_totalFooterLength += length; + break; + default: + assert(false); + } +} + +void AuthenticatedSymmetricCipherBase::ProcessData(byte *outString, const byte *inString, size_t length) +{ + m_totalMessageLength += length; + if (m_state >= State_IVSet && m_totalMessageLength > MaxMessageLength()) + throw InvalidArgument(AlgorithmName() + ": message length exceeds maximum"); + +reswitch: + switch (m_state) + { + case State_Start: + case State_KeySet: + throw BadState(AlgorithmName(), "ProcessData", "setting key and IV"); + case State_AuthFooter: + throw BadState(AlgorithmName(), "ProcessData was called after footer input has started"); + case State_IVSet: + AuthenticateLastHeaderBlock(); + m_bufferedDataLength = 0; + m_state = AuthenticationIsOnPlaintext()==IsForwardTransformation() ? State_AuthUntransformed : State_AuthTransformed; + goto reswitch; + case State_AuthUntransformed: + AuthenticateData(inString, length); + AccessSymmetricCipher().ProcessData(outString, inString, length); + break; + case State_AuthTransformed: + AccessSymmetricCipher().ProcessData(outString, inString, length); + AuthenticateData(outString, length); + break; + default: + assert(false); + } +} + +void AuthenticatedSymmetricCipherBase::TruncatedFinal(byte *mac, size_t macSize) +{ + if (m_totalHeaderLength > MaxHeaderLength()) + throw InvalidArgument(AlgorithmName() + ": header length of " + IntToString(m_totalHeaderLength) + " exceeds the maximum of " + IntToString(MaxHeaderLength())); + + if (m_totalFooterLength > MaxFooterLength()) + { + if (MaxFooterLength() == 0) + throw InvalidArgument(AlgorithmName() + ": additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted"); + else + throw InvalidArgument(AlgorithmName() + ": footer length of " + IntToString(m_totalFooterLength) + " exceeds the maximum of " + IntToString(MaxFooterLength())); + } + + switch (m_state) + { + case State_Start: + case State_KeySet: + throw BadState(AlgorithmName(), "TruncatedFinal", "setting key and IV"); + + case State_IVSet: + AuthenticateLastHeaderBlock(); + m_bufferedDataLength = 0; + // fall through + + case State_AuthUntransformed: + case State_AuthTransformed: + AuthenticateLastConfidentialBlock(); + m_bufferedDataLength = 0; + // fall through + + case State_AuthFooter: + AuthenticateLastFooterBlock(mac, macSize); + m_bufferedDataLength = 0; + break; + + default: + assert(false); + } + + m_state = State_KeySet; +} + +NAMESPACE_END + +#endif diff --git a/CryptoPP/authenc.h b/CryptoPP/authenc.h index f726716e7..5bb2a51c8 100644 --- a/CryptoPP/authenc.h +++ b/CryptoPP/authenc.h @@ -1,49 +1,49 @@ -#ifndef CRYPTOPP_AUTHENC_H
-#define CRYPTOPP_AUTHENC_H
-
-#include "cryptlib.h"
-#include "secblock.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-//! .
-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE AuthenticatedSymmetricCipherBase : public AuthenticatedSymmetricCipher
-{
-public:
- AuthenticatedSymmetricCipherBase() : m_state(State_Start) {}
-
- bool IsRandomAccess() const {return false;}
- bool IsSelfInverting() const {return true;}
- void UncheckedSetKey(const byte *,unsigned int,const CryptoPP::NameValuePairs &) {assert(false);}
-
- void SetKey(const byte *userKey, size_t keylength, const NameValuePairs ¶ms);
- void Restart() {if (m_state > State_KeySet) m_state = State_KeySet;}
- void Resynchronize(const byte *iv, int length=-1);
- void Update(const byte *input, size_t length);
- void ProcessData(byte *outString, const byte *inString, size_t length);
- void TruncatedFinal(byte *mac, size_t macSize);
-
-protected:
- void AuthenticateData(const byte *data, size_t len);
- const SymmetricCipher & GetSymmetricCipher() const {return const_cast<AuthenticatedSymmetricCipherBase *>(this)->AccessSymmetricCipher();};
-
- virtual SymmetricCipher & AccessSymmetricCipher() =0;
- virtual bool AuthenticationIsOnPlaintext() const =0;
- virtual unsigned int AuthenticationBlockSize() const =0;
- virtual void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms) =0;
- virtual void Resync(const byte *iv, size_t len) =0;
- virtual size_t AuthenticateBlocks(const byte *data, size_t len) =0;
- virtual void AuthenticateLastHeaderBlock() =0;
- virtual void AuthenticateLastConfidentialBlock() {}
- virtual void AuthenticateLastFooterBlock(byte *mac, size_t macSize) =0;
-
- enum State {State_Start, State_KeySet, State_IVSet, State_AuthUntransformed, State_AuthTransformed, State_AuthFooter};
- State m_state;
- unsigned int m_bufferedDataLength;
- lword m_totalHeaderLength, m_totalMessageLength, m_totalFooterLength;
- AlignedSecByteBlock m_buffer;
-};
-
-NAMESPACE_END
-
-#endif
+#ifndef CRYPTOPP_AUTHENC_H +#define CRYPTOPP_AUTHENC_H + +#include "cryptlib.h" +#include "secblock.h" + +NAMESPACE_BEGIN(CryptoPP) + +//! . +class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE AuthenticatedSymmetricCipherBase : public AuthenticatedSymmetricCipher +{ +public: + AuthenticatedSymmetricCipherBase() : m_state(State_Start) {} + + bool IsRandomAccess() const {return false;} + bool IsSelfInverting() const {return true;} + void UncheckedSetKey(const byte *,unsigned int,const CryptoPP::NameValuePairs &) {assert(false);} + + void SetKey(const byte *userKey, size_t keylength, const NameValuePairs ¶ms); + void Restart() {if (m_state > State_KeySet) m_state = State_KeySet;} + void Resynchronize(const byte *iv, int length=-1); + void Update(const byte *input, size_t length); + void ProcessData(byte *outString, const byte *inString, size_t length); + void TruncatedFinal(byte *mac, size_t macSize); + +protected: + void AuthenticateData(const byte *data, size_t len); + const SymmetricCipher & GetSymmetricCipher() const {return const_cast<AuthenticatedSymmetricCipherBase *>(this)->AccessSymmetricCipher();}; + + virtual SymmetricCipher & AccessSymmetricCipher() =0; + virtual bool AuthenticationIsOnPlaintext() const =0; + virtual unsigned int AuthenticationBlockSize() const =0; + virtual void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms) =0; + virtual void Resync(const byte *iv, size_t len) =0; + virtual size_t AuthenticateBlocks(const byte *data, size_t len) =0; + virtual void AuthenticateLastHeaderBlock() =0; + virtual void AuthenticateLastConfidentialBlock() {} + virtual void AuthenticateLastFooterBlock(byte *mac, size_t macSize) =0; + + enum State {State_Start, State_KeySet, State_IVSet, State_AuthUntransformed, State_AuthTransformed, State_AuthFooter}; + State m_state; + unsigned int m_bufferedDataLength; + lword m_totalHeaderLength, m_totalMessageLength, m_totalFooterLength; + AlignedSecByteBlock m_buffer; +}; + +NAMESPACE_END + +#endif diff --git a/CryptoPP/ccm.cpp b/CryptoPP/ccm.cpp index 036878719..030828ad8 100644 --- a/CryptoPP/ccm.cpp +++ b/CryptoPP/ccm.cpp @@ -1,140 +1,140 @@ -// ccm.cpp - written and placed in the public domain by Wei Dai
-
-#include "pch.h"
-
-#ifndef CRYPTOPP_IMPORTS
-
-#include "ccm.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-void CCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms)
-{
- BlockCipher &blockCipher = AccessBlockCipher();
-
- blockCipher.SetKey(userKey, keylength, params);
-
- if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)
- throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");
-
- m_digestSize = params.GetIntValueWithDefault(Name::DigestSize(), DefaultDigestSize());
- if (m_digestSize % 2 > 0 || m_digestSize < 4 || m_digestSize > 16)
- throw InvalidArgument(AlgorithmName() + ": DigestSize must be 4, 6, 8, 10, 12, 14, or 16");
-
- m_buffer.Grow(2*REQUIRED_BLOCKSIZE);
- m_L = 8;
-}
-
-void CCM_Base::Resync(const byte *iv, size_t len)
-{
- BlockCipher &cipher = AccessBlockCipher();
-
- m_L = REQUIRED_BLOCKSIZE-1-(int)len;
- assert(m_L >= 2);
- if (m_L > 8)
- m_L = 8;
-
- m_buffer[0] = byte(m_L-1); // flag
- memcpy(m_buffer+1, iv, len);
- memset(m_buffer+1+len, 0, REQUIRED_BLOCKSIZE-1-len);
-
- if (m_state >= State_IVSet)
- m_ctr.Resynchronize(m_buffer, REQUIRED_BLOCKSIZE);
- else
- m_ctr.SetCipherWithIV(cipher, m_buffer);
-
- m_ctr.Seek(REQUIRED_BLOCKSIZE);
- m_aadLength = 0;
- m_messageLength = 0;
-}
-
-void CCM_Base::UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength)
-{
- if (m_state != State_IVSet)
- throw BadState(AlgorithmName(), "SpecifyDataLengths", "or after State_IVSet");
-
- m_aadLength = headerLength;
- m_messageLength = messageLength;
-
- byte *cbcBuffer = CBC_Buffer();
- const BlockCipher &cipher = GetBlockCipher();
-
- cbcBuffer[0] = byte(64*(headerLength>0) + 8*((m_digestSize-2)/2) + (m_L-1)); // flag
- PutWord<word64>(true, BIG_ENDIAN_ORDER, cbcBuffer+REQUIRED_BLOCKSIZE-8, m_messageLength);
- memcpy(cbcBuffer+1, m_buffer+1, REQUIRED_BLOCKSIZE-1-m_L);
- cipher.ProcessBlock(cbcBuffer);
-
- if (headerLength>0)
- {
- assert(m_bufferedDataLength == 0);
-
- if (headerLength < ((1<<16) - (1<<8)))
- {
- PutWord<word16>(true, BIG_ENDIAN_ORDER, m_buffer, (word16)headerLength);
- m_bufferedDataLength = 2;
- }
- else if (headerLength < (W64LIT(1)<<32))
- {
- m_buffer[0] = 0xff;
- m_buffer[1] = 0xfe;
- PutWord<word32>(false, BIG_ENDIAN_ORDER, m_buffer+2, (word32)headerLength);
- m_bufferedDataLength = 6;
- }
- else
- {
- m_buffer[0] = 0xff;
- m_buffer[1] = 0xff;
- PutWord<word64>(false, BIG_ENDIAN_ORDER, m_buffer+2, headerLength);
- m_bufferedDataLength = 10;
- }
- }
-}
-
-size_t CCM_Base::AuthenticateBlocks(const byte *data, size_t len)
-{
- byte *cbcBuffer = CBC_Buffer();
- const BlockCipher &cipher = GetBlockCipher();
- return cipher.AdvancedProcessBlocks(cbcBuffer, data, cbcBuffer, len, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
-}
-
-void CCM_Base::AuthenticateLastHeaderBlock()
-{
- byte *cbcBuffer = CBC_Buffer();
- const BlockCipher &cipher = GetBlockCipher();
-
- if (m_aadLength != m_totalHeaderLength)
- throw InvalidArgument(AlgorithmName() + ": header length doesn't match that given in SpecifyDataLengths");
-
- if (m_bufferedDataLength > 0)
- {
- xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);
- cipher.ProcessBlock(cbcBuffer);
- m_bufferedDataLength = 0;
- }
-}
-
-void CCM_Base::AuthenticateLastConfidentialBlock()
-{
- byte *cbcBuffer = CBC_Buffer();
- const BlockCipher &cipher = GetBlockCipher();
-
- if (m_messageLength != m_totalMessageLength)
- throw InvalidArgument(AlgorithmName() + ": message length doesn't match that given in SpecifyDataLengths");
-
- if (m_bufferedDataLength > 0)
- {
- xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);
- cipher.ProcessBlock(cbcBuffer);
- m_bufferedDataLength = 0;
- }
-}
-
-void CCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize)
-{
- m_ctr.Seek(0);
- m_ctr.ProcessData(mac, CBC_Buffer(), macSize);
-}
-
-NAMESPACE_END
-
-#endif
+// ccm.cpp - written and placed in the public domain by Wei Dai + +#include "pch.h" + +#ifndef CRYPTOPP_IMPORTS + +#include "ccm.h" + +NAMESPACE_BEGIN(CryptoPP) + +void CCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms) +{ + BlockCipher &blockCipher = AccessBlockCipher(); + + blockCipher.SetKey(userKey, keylength, params); + + if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE) + throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16"); + + m_digestSize = params.GetIntValueWithDefault(Name::DigestSize(), DefaultDigestSize()); + if (m_digestSize % 2 > 0 || m_digestSize < 4 || m_digestSize > 16) + throw InvalidArgument(AlgorithmName() + ": DigestSize must be 4, 6, 8, 10, 12, 14, or 16"); + + m_buffer.Grow(2*REQUIRED_BLOCKSIZE); + m_L = 8; +} + +void CCM_Base::Resync(const byte *iv, size_t len) +{ + BlockCipher &cipher = AccessBlockCipher(); + + m_L = REQUIRED_BLOCKSIZE-1-(int)len; + assert(m_L >= 2); + if (m_L > 8) + m_L = 8; + + m_buffer[0] = byte(m_L-1); // flag + memcpy(m_buffer+1, iv, len); + memset(m_buffer+1+len, 0, REQUIRED_BLOCKSIZE-1-len); + + if (m_state >= State_IVSet) + m_ctr.Resynchronize(m_buffer, REQUIRED_BLOCKSIZE); + else + m_ctr.SetCipherWithIV(cipher, m_buffer); + + m_ctr.Seek(REQUIRED_BLOCKSIZE); + m_aadLength = 0; + m_messageLength = 0; +} + +void CCM_Base::UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength) +{ + if (m_state != State_IVSet) + throw BadState(AlgorithmName(), "SpecifyDataLengths", "or after State_IVSet"); + + m_aadLength = headerLength; + m_messageLength = messageLength; + + byte *cbcBuffer = CBC_Buffer(); + const BlockCipher &cipher = GetBlockCipher(); + + cbcBuffer[0] = byte(64*(headerLength>0) + 8*((m_digestSize-2)/2) + (m_L-1)); // flag + PutWord<word64>(true, BIG_ENDIAN_ORDER, cbcBuffer+REQUIRED_BLOCKSIZE-8, m_messageLength); + memcpy(cbcBuffer+1, m_buffer+1, REQUIRED_BLOCKSIZE-1-m_L); + cipher.ProcessBlock(cbcBuffer); + + if (headerLength>0) + { + assert(m_bufferedDataLength == 0); + + if (headerLength < ((1<<16) - (1<<8))) + { + PutWord<word16>(true, BIG_ENDIAN_ORDER, m_buffer, (word16)headerLength); + m_bufferedDataLength = 2; + } + else if (headerLength < (W64LIT(1)<<32)) + { + m_buffer[0] = 0xff; + m_buffer[1] = 0xfe; + PutWord<word32>(false, BIG_ENDIAN_ORDER, m_buffer+2, (word32)headerLength); + m_bufferedDataLength = 6; + } + else + { + m_buffer[0] = 0xff; + m_buffer[1] = 0xff; + PutWord<word64>(false, BIG_ENDIAN_ORDER, m_buffer+2, headerLength); + m_bufferedDataLength = 10; + } + } +} + +size_t CCM_Base::AuthenticateBlocks(const byte *data, size_t len) +{ + byte *cbcBuffer = CBC_Buffer(); + const BlockCipher &cipher = GetBlockCipher(); + return cipher.AdvancedProcessBlocks(cbcBuffer, data, cbcBuffer, len, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput); +} + +void CCM_Base::AuthenticateLastHeaderBlock() +{ + byte *cbcBuffer = CBC_Buffer(); + const BlockCipher &cipher = GetBlockCipher(); + + if (m_aadLength != m_totalHeaderLength) + throw InvalidArgument(AlgorithmName() + ": header length doesn't match that given in SpecifyDataLengths"); + + if (m_bufferedDataLength > 0) + { + xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength); + cipher.ProcessBlock(cbcBuffer); + m_bufferedDataLength = 0; + } +} + +void CCM_Base::AuthenticateLastConfidentialBlock() +{ + byte *cbcBuffer = CBC_Buffer(); + const BlockCipher &cipher = GetBlockCipher(); + + if (m_messageLength != m_totalMessageLength) + throw InvalidArgument(AlgorithmName() + ": message length doesn't match that given in SpecifyDataLengths"); + + if (m_bufferedDataLength > 0) + { + xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength); + cipher.ProcessBlock(cbcBuffer); + m_bufferedDataLength = 0; + } +} + +void CCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize) +{ + m_ctr.Seek(0); + m_ctr.ProcessData(mac, CBC_Buffer(), macSize); +} + +NAMESPACE_END + +#endif diff --git a/CryptoPP/ccm.h b/CryptoPP/ccm.h index 2f3c56b45..b1e5f00b9 100644 --- a/CryptoPP/ccm.h +++ b/CryptoPP/ccm.h @@ -1,101 +1,101 @@ -#ifndef CRYPTOPP_CCM_H
-#define CRYPTOPP_CCM_H
-
-#include "authenc.h"
-#include "modes.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-//! .
-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CCM_Base : public AuthenticatedSymmetricCipherBase
-{
-public:
- CCM_Base()
- : m_digestSize(0), m_L(0) {}
-
- // AuthenticatedSymmetricCipher
- std::string AlgorithmName() const
- {return GetBlockCipher().AlgorithmName() + std::string("/CCM");}
- size_t MinKeyLength() const
- {return GetBlockCipher().MinKeyLength();}
- size_t MaxKeyLength() const
- {return GetBlockCipher().MaxKeyLength();}
- size_t DefaultKeyLength() const
- {return GetBlockCipher().DefaultKeyLength();}
- size_t GetValidKeyLength(size_t n) const
- {return GetBlockCipher().GetValidKeyLength(n);}
- bool IsValidKeyLength(size_t n) const
- {return GetBlockCipher().IsValidKeyLength(n);}
- unsigned int OptimalDataAlignment() const
- {return GetBlockCipher().OptimalDataAlignment();}
- IV_Requirement IVRequirement() const
- {return UNIQUE_IV;}
- unsigned int IVSize() const
- {return 8;}
- unsigned int MinIVLength() const
- {return 7;}
- unsigned int MaxIVLength() const
- {return 13;}
- unsigned int DigestSize() const
- {return m_digestSize;}
- lword MaxHeaderLength() const
- {return W64LIT(0)-1;}
- lword MaxMessageLength() const
- {return m_L<8 ? (W64LIT(1)<<(8*m_L))-1 : W64LIT(0)-1;}
- bool NeedsPrespecifiedDataLengths() const
- {return true;}
- void UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength);
-
-protected:
- // AuthenticatedSymmetricCipherBase
- bool AuthenticationIsOnPlaintext() const
- {return true;}
- unsigned int AuthenticationBlockSize() const
- {return GetBlockCipher().BlockSize();}
- void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms);
- void Resync(const byte *iv, size_t len);
- size_t AuthenticateBlocks(const byte *data, size_t len);
- void AuthenticateLastHeaderBlock();
- void AuthenticateLastConfidentialBlock();
- void AuthenticateLastFooterBlock(byte *mac, size_t macSize);
- SymmetricCipher & AccessSymmetricCipher() {return m_ctr;}
-
- virtual BlockCipher & AccessBlockCipher() =0;
- virtual int DefaultDigestSize() const =0;
-
- const BlockCipher & GetBlockCipher() const {return const_cast<CCM_Base *>(this)->AccessBlockCipher();};
- byte *CBC_Buffer() {return m_buffer+REQUIRED_BLOCKSIZE;}
-
- enum {REQUIRED_BLOCKSIZE = 16};
- int m_digestSize, m_L;
- word64 m_messageLength, m_aadLength;
- CTR_Mode_ExternalCipher::Encryption m_ctr;
-};
-
-//! .
-template <class T_BlockCipher, int T_DefaultDigestSize, bool T_IsEncryption>
-class CCM_Final : public CCM_Base
-{
-public:
- static std::string StaticAlgorithmName()
- {return T_BlockCipher::StaticAlgorithmName() + std::string("/CCM");}
- bool IsForwardTransformation() const
- {return T_IsEncryption;}
-
-private:
- BlockCipher & AccessBlockCipher() {return m_cipher;}
- int DefaultDigestSize() const {return T_DefaultDigestSize;}
- typename T_BlockCipher::Encryption m_cipher;
-};
-
-/// <a href="http://www.cryptolounge.org/wiki/CCM">CCM</a>
-template <class T_BlockCipher, int T_DefaultDigestSize = 16>
-struct CCM : public AuthenticatedSymmetricCipherDocumentation
-{
- typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, true> Encryption;
- typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, false> Decryption;
-};
-
-NAMESPACE_END
-
-#endif
+#ifndef CRYPTOPP_CCM_H +#define CRYPTOPP_CCM_H + +#include "authenc.h" +#include "modes.h" + +NAMESPACE_BEGIN(CryptoPP) + +//! . +class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CCM_Base : public AuthenticatedSymmetricCipherBase +{ +public: + CCM_Base() + : m_digestSize(0), m_L(0) {} + + // AuthenticatedSymmetricCipher + std::string AlgorithmName() const + {return GetBlockCipher().AlgorithmName() + std::string("/CCM");} + size_t MinKeyLength() const + {return GetBlockCipher().MinKeyLength();} + size_t MaxKeyLength() const + {return GetBlockCipher().MaxKeyLength();} + size_t DefaultKeyLength() const + {return GetBlockCipher().DefaultKeyLength();} + size_t GetValidKeyLength(size_t n) const + {return GetBlockCipher().GetValidKeyLength(n);} + bool IsValidKeyLength(size_t n) const + {return GetBlockCipher().IsValidKeyLength(n);} + unsigned int OptimalDataAlignment() const + {return GetBlockCipher().OptimalDataAlignment();} + IV_Requirement IVRequirement() const + {return UNIQUE_IV;} + unsigned int IVSize() const + {return 8;} + unsigned int MinIVLength() const + {return 7;} + unsigned int MaxIVLength() const + {return 13;} + unsigned int DigestSize() const + {return m_digestSize;} + lword MaxHeaderLength() const + {return W64LIT(0)-1;} + lword MaxMessageLength() const + {return m_L<8 ? (W64LIT(1)<<(8*m_L))-1 : W64LIT(0)-1;} + bool NeedsPrespecifiedDataLengths() const + {return true;} + void UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength); + +protected: + // AuthenticatedSymmetricCipherBase + bool AuthenticationIsOnPlaintext() const + {return true;} + unsigned int AuthenticationBlockSize() const + {return GetBlockCipher().BlockSize();} + void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms); + void Resync(const byte *iv, size_t len); + size_t AuthenticateBlocks(const byte *data, size_t len); + void AuthenticateLastHeaderBlock(); + void AuthenticateLastConfidentialBlock(); + void AuthenticateLastFooterBlock(byte *mac, size_t macSize); + SymmetricCipher & AccessSymmetricCipher() {return m_ctr;} + + virtual BlockCipher & AccessBlockCipher() =0; + virtual int DefaultDigestSize() const =0; + + const BlockCipher & GetBlockCipher() const {return const_cast<CCM_Base *>(this)->AccessBlockCipher();}; + byte *CBC_Buffer() {return m_buffer+REQUIRED_BLOCKSIZE;} + + enum {REQUIRED_BLOCKSIZE = 16}; + int m_digestSize, m_L; + word64 m_messageLength, m_aadLength; + CTR_Mode_ExternalCipher::Encryption m_ctr; +}; + +//! . +template <class T_BlockCipher, int T_DefaultDigestSize, bool T_IsEncryption> +class CCM_Final : public CCM_Base +{ +public: + static std::string StaticAlgorithmName() + {return T_BlockCipher::StaticAlgorithmName() + std::string("/CCM");} + bool IsForwardTransformation() const + {return T_IsEncryption;} + +private: + BlockCipher & AccessBlockCipher() {return m_cipher;} + int DefaultDigestSize() const {return T_DefaultDigestSize;} + typename T_BlockCipher::Encryption m_cipher; +}; + +/// <a href="http://www.cryptolounge.org/wiki/CCM">CCM</a> +template <class T_BlockCipher, int T_DefaultDigestSize = 16> +struct CCM : public AuthenticatedSymmetricCipherDocumentation +{ + typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, true> Encryption; + typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, false> Decryption; +}; + +NAMESPACE_END + +#endif diff --git a/CryptoPP/cmac.cpp b/CryptoPP/cmac.cpp index e8fa6fea6..a31d5f8b0 100644 --- a/CryptoPP/cmac.cpp +++ b/CryptoPP/cmac.cpp @@ -1,122 +1,122 @@ -// cmac.cpp - written and placed in the public domain by Wei Dai
-
-#include "pch.h"
-
-#ifndef CRYPTOPP_IMPORTS
-
-#include "cmac.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-static void MulU(byte *k, unsigned int length)
-{
- byte carry = 0;
-
- for (int i=length-1; i>=1; i-=2)
- {
- byte carry2 = k[i] >> 7;
- k[i] += k[i] + carry;
- carry = k[i-1] >> 7;
- k[i-1] += k[i-1] + carry2;
- }
-
- if (carry)
- {
- switch (length)
- {
- case 8:
- k[7] ^= 0x1b;
- break;
- case 16:
- k[15] ^= 0x87;
- break;
- case 32:
- k[30] ^= 4;
- k[31] ^= 0x23;
- break;
- default:
- throw InvalidArgument("CMAC: " + IntToString(length) + " is not a supported cipher block size");
- }
- }
-}
-
-void CMAC_Base::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms)
-{
- BlockCipher &cipher = AccessCipher();
- unsigned int blockSize = cipher.BlockSize();
-
- cipher.SetKey(key, length, params);
- m_reg.CleanNew(3*blockSize);
- m_counter = 0;
-
- cipher.ProcessBlock(m_reg, m_reg+blockSize);
- MulU(m_reg+blockSize, blockSize);
- memcpy(m_reg+2*blockSize, m_reg+blockSize, blockSize);
- MulU(m_reg+2*blockSize, blockSize);
-}
-
-void CMAC_Base::Update(const byte *input, size_t length)
-{
- if (!length)
- return;
-
- BlockCipher &cipher = AccessCipher();
- unsigned int blockSize = cipher.BlockSize();
-
- if (m_counter > 0)
- {
- unsigned int len = UnsignedMin(blockSize - m_counter, length);
- xorbuf(m_reg+m_counter, input, len);
- length -= len;
- input += len;
- m_counter += len;
-
- if (m_counter == blockSize && length > 0)
- {
- cipher.ProcessBlock(m_reg);
- m_counter = 0;
- }
- }
-
- if (length > blockSize)
- {
- assert(m_counter == 0);
- size_t leftOver = 1 + cipher.AdvancedProcessBlocks(m_reg, input, m_reg, length-1, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
- input += (length - leftOver);
- length = leftOver;
- }
-
- if (length > 0)
- {
- assert(m_counter + length <= blockSize);
- xorbuf(m_reg+m_counter, input, length);
- m_counter += (unsigned int)length;
- }
-
- assert(m_counter > 0);
-}
-
-void CMAC_Base::TruncatedFinal(byte *mac, size_t size)
-{
- ThrowIfInvalidTruncatedSize(size);
-
- BlockCipher &cipher = AccessCipher();
- unsigned int blockSize = cipher.BlockSize();
-
- if (m_counter < blockSize)
- {
- m_reg[m_counter] ^= 0x80;
- cipher.AdvancedProcessBlocks(m_reg, m_reg+2*blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
- }
- else
- cipher.AdvancedProcessBlocks(m_reg, m_reg+blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
-
- memcpy(mac, m_reg, size);
-
- m_counter = 0;
- memset(m_reg, 0, blockSize);
-}
-
-NAMESPACE_END
-
-#endif
+// cmac.cpp - written and placed in the public domain by Wei Dai + +#include "pch.h" + +#ifndef CRYPTOPP_IMPORTS + +#include "cmac.h" + +NAMESPACE_BEGIN(CryptoPP) + +static void MulU(byte *k, unsigned int length) +{ + byte carry = 0; + + for (int i=length-1; i>=1; i-=2) + { + byte carry2 = k[i] >> 7; + k[i] += k[i] + carry; + carry = k[i-1] >> 7; + k[i-1] += k[i-1] + carry2; + } + + if (carry) + { + switch (length) + { + case 8: + k[7] ^= 0x1b; + break; + case 16: + k[15] ^= 0x87; + break; + case 32: + k[30] ^= 4; + k[31] ^= 0x23; + break; + default: + throw InvalidArgument("CMAC: " + IntToString(length) + " is not a supported cipher block size"); + } + } +} + +void CMAC_Base::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms) +{ + BlockCipher &cipher = AccessCipher(); + unsigned int blockSize = cipher.BlockSize(); + + cipher.SetKey(key, length, params); + m_reg.CleanNew(3*blockSize); + m_counter = 0; + + cipher.ProcessBlock(m_reg, m_reg+blockSize); + MulU(m_reg+blockSize, blockSize); + memcpy(m_reg+2*blockSize, m_reg+blockSize, blockSize); + MulU(m_reg+2*blockSize, blockSize); +} + +void CMAC_Base::Update(const byte *input, size_t length) +{ + if (!length) + return; + + BlockCipher &cipher = AccessCipher(); + unsigned int blockSize = cipher.BlockSize(); + + if (m_counter > 0) + { + unsigned int len = UnsignedMin(blockSize - m_counter, length); + xorbuf(m_reg+m_counter, input, len); + length -= len; + input += len; + m_counter += len; + + if (m_counter == blockSize && length > 0) + { + cipher.ProcessBlock(m_reg); + m_counter = 0; + } + } + + if (length > blockSize) + { + assert(m_counter == 0); + size_t leftOver = 1 + cipher.AdvancedProcessBlocks(m_reg, input, m_reg, length-1, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput); + input += (length - leftOver); + length = leftOver; + } + + if (length > 0) + { + assert(m_counter + length <= blockSize); + xorbuf(m_reg+m_counter, input, length); + m_counter += (unsigned int)length; + } + + assert(m_counter > 0); +} + +void CMAC_Base::TruncatedFinal(byte *mac, size_t size) +{ + ThrowIfInvalidTruncatedSize(size); + + BlockCipher &cipher = AccessCipher(); + unsigned int blockSize = cipher.BlockSize(); + + if (m_counter < blockSize) + { + m_reg[m_counter] ^= 0x80; + cipher.AdvancedProcessBlocks(m_reg, m_reg+2*blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput); + } + else + cipher.AdvancedProcessBlocks(m_reg, m_reg+blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput); + + memcpy(mac, m_reg, size); + + m_counter = 0; + memset(m_reg, 0, blockSize); +} + +NAMESPACE_END + +#endif diff --git a/CryptoPP/cmac.h b/CryptoPP/cmac.h index ab3ecf8cc..d8a1b391d 100644 --- a/CryptoPP/cmac.h +++ b/CryptoPP/cmac.h @@ -1,52 +1,52 @@ -#ifndef CRYPTOPP_CMAC_H
-#define CRYPTOPP_CMAC_H
-
-#include "seckey.h"
-#include "secblock.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-//! _
-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CMAC_Base : public MessageAuthenticationCode
-{
-public:
- CMAC_Base() {}
-
- void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms);
- void Update(const byte *input, size_t length);
- void TruncatedFinal(byte *mac, size_t size);
- unsigned int DigestSize() const {return GetCipher().BlockSize();}
- unsigned int OptimalBlockSize() const {return GetCipher().BlockSize();}
- unsigned int OptimalDataAlignment() const {return GetCipher().OptimalDataAlignment();}
-
-protected:
- friend class EAX_Base;
-
- const BlockCipher & GetCipher() const {return const_cast<CMAC_Base*>(this)->AccessCipher();}
- virtual BlockCipher & AccessCipher() =0;
-
- void ProcessBuf();
- SecByteBlock m_reg;
- unsigned int m_counter;
-};
-
-/// <a href="http://www.cryptolounge.org/wiki/CMAC">CMAC</a>
-/*! Template parameter T should be a class derived from BlockCipherDocumentation, for example AES, with a block size of 8, 16, or 32 */
-template <class T>
-class CMAC : public MessageAuthenticationCodeImpl<CMAC_Base, CMAC<T> >, public SameKeyLengthAs<T>
-{
-public:
- CMAC() {}
- CMAC(const byte *key, size_t length=SameKeyLengthAs<T>::DEFAULT_KEYLENGTH)
- {this->SetKey(key, length);}
-
- static std::string StaticAlgorithmName() {return std::string("CMAC(") + T::StaticAlgorithmName() + ")";}
-
-private:
- BlockCipher & AccessCipher() {return m_cipher;}
- typename T::Encryption m_cipher;
-};
-
-NAMESPACE_END
-
-#endif
+#ifndef CRYPTOPP_CMAC_H +#define CRYPTOPP_CMAC_H + +#include "seckey.h" +#include "secblock.h" + +NAMESPACE_BEGIN(CryptoPP) + +//! _ +class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CMAC_Base : public MessageAuthenticationCode +{ +public: + CMAC_Base() {} + + void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms); + void Update(const byte *input, size_t length); + void TruncatedFinal(byte *mac, size_t size); + unsigned int DigestSize() const {return GetCipher().BlockSize();} + unsigned int OptimalBlockSize() const {return GetCipher().BlockSize();} + unsigned int OptimalDataAlignment() const {return GetCipher().OptimalDataAlignment();} + +protected: + friend class EAX_Base; + + const BlockCipher & GetCipher() const {return const_cast<CMAC_Base*>(this)->AccessCipher();} + virtual BlockCipher & AccessCipher() =0; + + void ProcessBuf(); + SecByteBlock m_reg; + unsigned int m_counter; +}; + +/// <a href="http://www.cryptolounge.org/wiki/CMAC">CMAC</a> +/*! Template parameter T should be a class derived from BlockCipherDocumentation, for example AES, with a block size of 8, 16, or 32 */ +template <class T> +class CMAC : public MessageAuthenticationCodeImpl<CMAC_Base, CMAC<T> >, public SameKeyLengthAs<T> +{ +public: + CMAC() {} + CMAC(const byte *key, size_t length=SameKeyLengthAs<T>::DEFAULT_KEYLENGTH) + {this->SetKey(key, length);} + + static std::string StaticAlgorithmName() {return std::string("CMAC(") + T::StaticAlgorithmName() + ")";} + +private: + BlockCipher & AccessCipher() {return m_cipher;} + typename T::Encryption m_cipher; +}; + +NAMESPACE_END + +#endif diff --git a/CryptoPP/eax.cpp b/CryptoPP/eax.cpp index cf836632b..2728c9bcd 100644 --- a/CryptoPP/eax.cpp +++ b/CryptoPP/eax.cpp @@ -1,59 +1,59 @@ -// eax.cpp - written and placed in the public domain by Wei Dai
-
-#include "pch.h"
-#include "eax.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-void EAX_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms)
-{
- AccessMAC().SetKey(userKey, keylength, params);
- m_buffer.New(2*AccessMAC().TagSize());
-}
-
-void EAX_Base::Resync(const byte *iv, size_t len)
-{
- MessageAuthenticationCode &mac = AccessMAC();
- unsigned int blockSize = mac.TagSize();
-
- memset(m_buffer, 0, blockSize);
- mac.Update(m_buffer, blockSize);
- mac.CalculateDigest(m_buffer+blockSize, iv, len);
-
- m_buffer[blockSize-1] = 1;
- mac.Update(m_buffer, blockSize);
-
- m_ctr.SetCipherWithIV(AccessMAC().AccessCipher(), m_buffer+blockSize, blockSize);
-}
-
-size_t EAX_Base::AuthenticateBlocks(const byte *data, size_t len)
-{
- AccessMAC().Update(data, len);
- return 0;
-}
-
-void EAX_Base::AuthenticateLastHeaderBlock()
-{
- assert(m_bufferedDataLength == 0);
- MessageAuthenticationCode &mac = AccessMAC();
- unsigned int blockSize = mac.TagSize();
-
- mac.Final(m_buffer);
- xorbuf(m_buffer+blockSize, m_buffer, blockSize);
-
- memset(m_buffer, 0, blockSize);
- m_buffer[blockSize-1] = 2;
- mac.Update(m_buffer, blockSize);
-}
-
-void EAX_Base::AuthenticateLastFooterBlock(byte *tag, size_t macSize)
-{
- assert(m_bufferedDataLength == 0);
- MessageAuthenticationCode &mac = AccessMAC();
- unsigned int blockSize = mac.TagSize();
-
- mac.TruncatedFinal(m_buffer, macSize);
- xorbuf(tag, m_buffer, m_buffer+blockSize, macSize);
-}
-
-NAMESPACE_END
+// eax.cpp - written and placed in the public domain by Wei Dai + +#include "pch.h" +#include "eax.h" + +NAMESPACE_BEGIN(CryptoPP) + +void EAX_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms) +{ + AccessMAC().SetKey(userKey, keylength, params); + m_buffer.New(2*AccessMAC().TagSize()); +} + +void EAX_Base::Resync(const byte *iv, size_t len) +{ + MessageAuthenticationCode &mac = AccessMAC(); + unsigned int blockSize = mac.TagSize(); + + memset(m_buffer, 0, blockSize); + mac.Update(m_buffer, blockSize); + mac.CalculateDigest(m_buffer+blockSize, iv, len); + + m_buffer[blockSize-1] = 1; + mac.Update(m_buffer, blockSize); + + m_ctr.SetCipherWithIV(AccessMAC().AccessCipher(), m_buffer+blockSize, blockSize); +} + +size_t EAX_Base::AuthenticateBlocks(const byte *data, size_t len) +{ + AccessMAC().Update(data, len); + return 0; +} + +void EAX_Base::AuthenticateLastHeaderBlock() +{ + assert(m_bufferedDataLength == 0); + MessageAuthenticationCode &mac = AccessMAC(); + unsigned int blockSize = mac.TagSize(); + + mac.Final(m_buffer); + xorbuf(m_buffer+blockSize, m_buffer, blockSize); + + memset(m_buffer, 0, blockSize); + m_buffer[blockSize-1] = 2; + mac.Update(m_buffer, blockSize); +} + +void EAX_Base::AuthenticateLastFooterBlock(byte *tag, size_t macSize) +{ + assert(m_bufferedDataLength == 0); + MessageAuthenticationCode &mac = AccessMAC(); + unsigned int blockSize = mac.TagSize(); + + mac.TruncatedFinal(m_buffer, macSize); + xorbuf(tag, m_buffer, m_buffer+blockSize, macSize); +} + +NAMESPACE_END diff --git a/CryptoPP/gcm.cpp b/CryptoPP/gcm.cpp index 237325d9f..2304f96d8 100644 --- a/CryptoPP/gcm.cpp +++ b/CryptoPP/gcm.cpp @@ -1,828 +1,828 @@ -// gcm.cpp - written and placed in the public domain by Wei Dai
-
-// use "cl /EP /P /DCRYPTOPP_GENERATE_X64_MASM gcm.cpp" to generate MASM code
-
-#include "pch.h"
-
-#ifndef CRYPTOPP_IMPORTS
-#ifndef CRYPTOPP_GENERATE_X64_MASM
-
-#include "gcm.h"
-#include "cpu.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-word16 GCM_Base::s_reductionTable[256];
-volatile bool GCM_Base::s_reductionTableInitialized = false;
-
-void GCM_Base::GCTR::IncrementCounterBy256()
-{
- IncrementCounterByOne(m_counterArray+BlockSize()-4, 3);
-}
-
-#if 0
-// preserved for testing
-void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c)
-{
- word64 Z0=0, Z1=0, V0, V1;
-
- typedef BlockGetAndPut<word64, BigEndian> Block;
- Block::Get(a)(V0)(V1);
-
- for (int i=0; i<16; i++)
- {
- for (int j=0x80; j!=0; j>>=1)
- {
- int x = b[i] & j;
- Z0 ^= x ? V0 : 0;
- Z1 ^= x ? V1 : 0;
- x = (int)V1 & 1;
- V1 = (V1>>1) | (V0<<63);
- V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);
- }
- }
- Block::Put(NULL, c)(Z0)(Z1);
-}
-
-__m128i _mm_clmulepi64_si128(const __m128i &a, const __m128i &b, int i)
-{
- word64 A[1] = {ByteReverse(((word64*)&a)[i&1])};
- word64 B[1] = {ByteReverse(((word64*)&b)[i>>4])};
-
- PolynomialMod2 pa((byte *)A, 8);
- PolynomialMod2 pb((byte *)B, 8);
- PolynomialMod2 c = pa*pb;
-
- __m128i output;
- for (int i=0; i<16; i++)
- ((byte *)&output)[i] = c.GetByte(i);
- return output;
-}
-#endif
-
-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
-inline static void SSE2_Xor16(byte *a, const byte *b, const byte *c)
-{
-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE
- *(__m128i *)a = _mm_xor_si128(*(__m128i *)b, *(__m128i *)c);
-#else
- asm ("movdqa %1, %%xmm0; pxor %2, %%xmm0; movdqa %%xmm0, %0;" : "=m" (a[0]) : "m"(b[0]), "m"(c[0]));
-#endif
-}
-#endif
-
-inline static void Xor16(byte *a, const byte *b, const byte *c)
-{
- ((word64 *)a)[0] = ((word64 *)b)[0] ^ ((word64 *)c)[0];
- ((word64 *)a)[1] = ((word64 *)b)[1] ^ ((word64 *)c)[1];
-}
-
-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
-static CRYPTOPP_ALIGN_DATA(16) const word64 s_clmulConstants64[] = {
- W64LIT(0xe100000000000000), W64LIT(0xc200000000000000),
- W64LIT(0x08090a0b0c0d0e0f), W64LIT(0x0001020304050607),
- W64LIT(0x0001020304050607), W64LIT(0x08090a0b0c0d0e0f)};
-static const __m128i *s_clmulConstants = (const __m128i *)s_clmulConstants64;
-static const unsigned int s_clmulTableSizeInBlocks = 8;
-
-inline __m128i CLMUL_Reduce(__m128i c0, __m128i c1, __m128i c2, const __m128i &r)
-{
- /*
- The polynomial to be reduced is c0 * x^128 + c1 * x^64 + c2. c0t below refers to the most
- significant half of c0 as a polynomial, which, due to GCM's bit reflection, are in the
- rightmost bit positions, and the lowest byte addresses.
-
- c1 ^= c0t * 0xc200000000000000
- c2t ^= c0t
- t = shift (c1t ^ c0b) left 1 bit
- c2 ^= t * 0xe100000000000000
- c2t ^= c1b
- shift c2 left 1 bit and xor in lowest bit of c1t
- */
-#if 0 // MSVC 2010 workaround: see http://connect.microsoft.com/VisualStudio/feedback/details/575301
- c2 = _mm_xor_si128(c2, _mm_move_epi64(c0));
-#else
- c1 = _mm_xor_si128(c1, _mm_slli_si128(c0, 8));
-#endif
- c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(c0, r, 0x10));
- c0 = _mm_srli_si128(c0, 8);
- c0 = _mm_xor_si128(c0, c1);
- c0 = _mm_slli_epi64(c0, 1);
- c0 = _mm_clmulepi64_si128(c0, r, 0);
- c2 = _mm_xor_si128(c2, c0);
- c2 = _mm_xor_si128(c2, _mm_srli_si128(c1, 8));
- c1 = _mm_unpacklo_epi64(c1, c2);
- c1 = _mm_srli_epi64(c1, 63);
- c2 = _mm_slli_epi64(c2, 1);
- return _mm_xor_si128(c2, c1);
-}
-
-inline __m128i CLMUL_GF_Mul(const __m128i &x, const __m128i &h, const __m128i &r)
-{
- __m128i c0 = _mm_clmulepi64_si128(x,h,0);
- __m128i c1 = _mm_xor_si128(_mm_clmulepi64_si128(x,h,1), _mm_clmulepi64_si128(x,h,0x10));
- __m128i c2 = _mm_clmulepi64_si128(x,h,0x11);
-
- return CLMUL_Reduce(c0, c1, c2, r);
-}
-#endif
-
-void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms)
-{
- BlockCipher &blockCipher = AccessBlockCipher();
- blockCipher.SetKey(userKey, keylength, params);
-
- if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)
- throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");
-
- int tableSize, i, j, k;
-
-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
- if (HasCLMUL())
- {
- params.GetIntValue(Name::TableSize(), tableSize); // avoid "parameter not used" error
- tableSize = s_clmulTableSizeInBlocks * REQUIRED_BLOCKSIZE;
- }
- else
-#endif
- {
- if (params.GetIntValue(Name::TableSize(), tableSize))
- tableSize = (tableSize >= 64*1024) ? 64*1024 : 2*1024;
- else
- tableSize = (GetTablesOption() == GCM_64K_Tables) ? 64*1024 : 2*1024;
-
-#if defined(_MSC_VER) && (_MSC_VER >= 1300 && _MSC_VER < 1400)
- // VC 2003 workaround: compiler generates bad code for 64K tables
- tableSize = 2*1024;
-#endif
- }
-
- m_buffer.resize(3*REQUIRED_BLOCKSIZE + tableSize);
- byte *table = MulTable();
- byte *hashKey = HashKey();
- memset(hashKey, 0, REQUIRED_BLOCKSIZE);
- blockCipher.ProcessBlock(hashKey);
-
-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
- if (HasCLMUL())
- {
- const __m128i r = s_clmulConstants[0];
- __m128i h0 = _mm_shuffle_epi8(_mm_load_si128((__m128i *)hashKey), s_clmulConstants[1]);
- __m128i h = h0;
-
- for (i=0; i<tableSize; i+=32)
- {
- __m128i h1 = CLMUL_GF_Mul(h, h0, r);
- _mm_storel_epi64((__m128i *)(table+i), h);
- _mm_storeu_si128((__m128i *)(table+i+16), h1);
- _mm_storeu_si128((__m128i *)(table+i+8), h);
- _mm_storel_epi64((__m128i *)(table+i+8), h1);
- h = CLMUL_GF_Mul(h1, h0, r);
- }
-
- return;
- }
-#endif
-
- word64 V0, V1;
- typedef BlockGetAndPut<word64, BigEndian> Block;
- Block::Get(hashKey)(V0)(V1);
-
- if (tableSize == 64*1024)
- {
- for (i=0; i<128; i++)
- {
- k = i%8;
- Block::Put(NULL, table+(i/8)*256*16+(size_t(1)<<(11-k)))(V0)(V1);
-
- int x = (int)V1 & 1;
- V1 = (V1>>1) | (V0<<63);
- V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);
- }
-
- for (i=0; i<16; i++)
- {
- memset(table+i*256*16, 0, 16);
-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
- if (HasSSE2())
- for (j=2; j<=0x80; j*=2)
- for (k=1; k<j; k++)
- SSE2_Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16);
- else
-#endif
- for (j=2; j<=0x80; j*=2)
- for (k=1; k<j; k++)
- Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16);
- }
- }
- else
- {
- if (!s_reductionTableInitialized)
- {
- s_reductionTable[0] = 0;
- word16 x = 0x01c2;
- s_reductionTable[1] = ByteReverse(x);
- for (int i=2; i<=0x80; i*=2)
- {
- x <<= 1;
- s_reductionTable[i] = ByteReverse(x);
- for (int j=1; j<i; j++)
- s_reductionTable[i+j] = s_reductionTable[i] ^ s_reductionTable[j];
- }
- s_reductionTableInitialized = true;
- }
-
- for (i=0; i<128-24; i++)
- {
- k = i%32;
- if (k < 4)
- Block::Put(NULL, table+1024+(i/32)*256+(size_t(1)<<(7-k)))(V0)(V1);
- else if (k < 8)
- Block::Put(NULL, table+(i/32)*256+(size_t(1)<<(11-k)))(V0)(V1);
-
- int x = (int)V1 & 1;
- V1 = (V1>>1) | (V0<<63);
- V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);
- }
-
- for (i=0; i<4; i++)
- {
- memset(table+i*256, 0, 16);
- memset(table+1024+i*256, 0, 16);
-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
- if (HasSSE2())
- for (j=2; j<=8; j*=2)
- for (k=1; k<j; k++)
- {
- SSE2_Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16);
- SSE2_Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16);
- }
- else
-#endif
- for (j=2; j<=8; j*=2)
- for (k=1; k<j; k++)
- {
- Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16);
- Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16);
- }
- }
- }
-}
-
-inline void GCM_Base::ReverseHashBufferIfNeeded()
-{
-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
- if (HasCLMUL())
- {
- __m128i &x = *(__m128i *)HashBuffer();
- x = _mm_shuffle_epi8(x, s_clmulConstants[1]);
- }
-#endif
-}
-
-void GCM_Base::Resync(const byte *iv, size_t len)
-{
- BlockCipher &cipher = AccessBlockCipher();
- byte *hashBuffer = HashBuffer();
-
- if (len == 12)
- {
- memcpy(hashBuffer, iv, len);
- memset(hashBuffer+len, 0, 3);
- hashBuffer[len+3] = 1;
- }
- else
- {
- size_t origLen = len;
- memset(hashBuffer, 0, HASH_BLOCKSIZE);
-
- if (len >= HASH_BLOCKSIZE)
- {
- len = GCM_Base::AuthenticateBlocks(iv, len);
- iv += (origLen - len);
- }
-
- if (len > 0)
- {
- memcpy(m_buffer, iv, len);
- memset(m_buffer+len, 0, HASH_BLOCKSIZE-len);
- GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
- }
-
- PutBlock<word64, BigEndian, true>(NULL, m_buffer)(0)(origLen*8);
- GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
-
- ReverseHashBufferIfNeeded();
- }
-
- if (m_state >= State_IVSet)
- m_ctr.Resynchronize(hashBuffer, REQUIRED_BLOCKSIZE);
- else
- m_ctr.SetCipherWithIV(cipher, hashBuffer);
-
- m_ctr.Seek(HASH_BLOCKSIZE);
-
- memset(hashBuffer, 0, HASH_BLOCKSIZE);
-}
-
-unsigned int GCM_Base::OptimalDataAlignment() const
-{
- return
-#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)
- HasSSE2() ? 16 :
-#endif
- GetBlockCipher().OptimalDataAlignment();
-}
-
-#pragma warning(disable: 4731) // frame pointer register 'ebp' modified by inline assembly code
-
-#endif // #ifndef CRYPTOPP_GENERATE_X64_MASM
-
-#ifdef CRYPTOPP_X64_MASM_AVAILABLE
-extern "C" {
-void GCM_AuthenticateBlocks_2K(const byte *data, size_t blocks, word64 *hashBuffer, const word16 *reductionTable);
-void GCM_AuthenticateBlocks_64K(const byte *data, size_t blocks, word64 *hashBuffer);
-}
-#endif
-
-#ifndef CRYPTOPP_GENERATE_X64_MASM
-
-size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len)
-{
-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
- if (HasCLMUL())
- {
- const __m128i *table = (const __m128i *)MulTable();
- __m128i x = _mm_load_si128((__m128i *)HashBuffer());
- const __m128i r = s_clmulConstants[0], bswapMask = s_clmulConstants[1], bswapMask2 = s_clmulConstants[2];
-
- while (len >= 16)
- {
- size_t s = UnsignedMin(len/16, s_clmulTableSizeInBlocks), i=0;
- __m128i d, d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-1)*16)), bswapMask2);;
- __m128i c0 = _mm_setzero_si128();
- __m128i c1 = _mm_setzero_si128();
- __m128i c2 = _mm_setzero_si128();
-
- while (true)
- {
- __m128i h0 = _mm_load_si128(table+i);
- __m128i h1 = _mm_load_si128(table+i+1);
- __m128i h01 = _mm_xor_si128(h0, h1);
-
- if (++i == s)
- {
- d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask);
- d = _mm_xor_si128(d, x);
- c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0));
- c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1));
- d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2)));
- c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0));
- break;
- }
-
- d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask2);
- c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d2, h0, 1));
- c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1));
- d2 = _mm_xor_si128(d2, d);
- c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d2, h01, 1));
-
- if (++i == s)
- {
- d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask);
- d = _mm_xor_si128(d, x);
- c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10));
- c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 0x11));
- d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2)));
- c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10));
- break;
- }
-
- d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask);
- c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10));
- c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d2, h1, 0x10));
- d = _mm_xor_si128(d, d2);
- c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10));
- }
- data += s*16;
- len -= s*16;
-
- c1 = _mm_xor_si128(_mm_xor_si128(c1, c0), c2);
- x = CLMUL_Reduce(c0, c1, c2, r);
- }
-
- _mm_store_si128((__m128i *)HashBuffer(), x);
- return len;
- }
-#endif
-
- typedef BlockGetAndPut<word64, NativeByteOrder> Block;
- word64 *hashBuffer = (word64 *)HashBuffer();
-
- switch (2*(m_buffer.size()>=64*1024)
-#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)
- + HasSSE2()
-#endif
- )
- {
- case 0: // non-SSE2 and 2K tables
- {
- byte *table = MulTable();
- word64 x0 = hashBuffer[0], x1 = hashBuffer[1];
-
- do
- {
- word64 y0, y1, a0, a1, b0, b1, c0, c1, d0, d1;
- Block::Get(data)(y0)(y1);
- x0 ^= y0;
- x1 ^= y1;
-
- data += HASH_BLOCKSIZE;
- len -= HASH_BLOCKSIZE;
-
- #define READ_TABLE_WORD64_COMMON(a, b, c, d) *(word64 *)(table+(a*1024)+(b*256)+c+d*8)
-
- #ifdef IS_LITTLE_ENDIAN
- #if CRYPTOPP_BOOL_SLOW_WORD64
- word32 z0 = (word32)x0;
- word32 z1 = (word32)(x0>>32);
- word32 z2 = (word32)x1;
- word32 z3 = (word32)(x1>>32);
- #define READ_TABLE_WORD64(a, b, c, d, e) READ_TABLE_WORD64_COMMON((d%2), c, (d?(z##c>>((d?d-1:0)*4))&0xf0:(z##c&0xf)<<4), e)
- #else
- #define READ_TABLE_WORD64(a, b, c, d, e) READ_TABLE_WORD64_COMMON((d%2), c, ((d+8*b)?(x##a>>(((d+8*b)?(d+8*b)-1:1)*4))&0xf0:(x##a&0xf)<<4), e)
- #endif
- #define GF_MOST_SIG_8BITS(a) (a##1 >> 7*8)
- #define GF_SHIFT_8(a) a##1 = (a##1 << 8) ^ (a##0 >> 7*8); a##0 <<= 8;
- #else
- #define READ_TABLE_WORD64(a, b, c, d, e) READ_TABLE_WORD64_COMMON((1-d%2), c, ((15-d-8*b)?(x##a>>(((15-d-8*b)?(15-d-8*b)-1:0)*4))&0xf0:(x##a&0xf)<<4), e)
- #define GF_MOST_SIG_8BITS(a) (a##1 & 0xff)
- #define GF_SHIFT_8(a) a##1 = (a##1 >> 8) ^ (a##0 << 7*8); a##0 >>= 8;
- #endif
-
- #define GF_MUL_32BY128(op, a, b, c) \
- a0 op READ_TABLE_WORD64(a, b, c, 0, 0) ^ READ_TABLE_WORD64(a, b, c, 1, 0);\
- a1 op READ_TABLE_WORD64(a, b, c, 0, 1) ^ READ_TABLE_WORD64(a, b, c, 1, 1);\
- b0 op READ_TABLE_WORD64(a, b, c, 2, 0) ^ READ_TABLE_WORD64(a, b, c, 3, 0);\
- b1 op READ_TABLE_WORD64(a, b, c, 2, 1) ^ READ_TABLE_WORD64(a, b, c, 3, 1);\
- c0 op READ_TABLE_WORD64(a, b, c, 4, 0) ^ READ_TABLE_WORD64(a, b, c, 5, 0);\
- c1 op READ_TABLE_WORD64(a, b, c, 4, 1) ^ READ_TABLE_WORD64(a, b, c, 5, 1);\
- d0 op READ_TABLE_WORD64(a, b, c, 6, 0) ^ READ_TABLE_WORD64(a, b, c, 7, 0);\
- d1 op READ_TABLE_WORD64(a, b, c, 6, 1) ^ READ_TABLE_WORD64(a, b, c, 7, 1);\
-
- GF_MUL_32BY128(=, 0, 0, 0)
- GF_MUL_32BY128(^=, 0, 1, 1)
- GF_MUL_32BY128(^=, 1, 0, 2)
- GF_MUL_32BY128(^=, 1, 1, 3)
-
- word32 r = (word32)s_reductionTable[GF_MOST_SIG_8BITS(d)] << 16;
- GF_SHIFT_8(d)
- c0 ^= d0; c1 ^= d1;
- r ^= (word32)s_reductionTable[GF_MOST_SIG_8BITS(c)] << 8;
- GF_SHIFT_8(c)
- b0 ^= c0; b1 ^= c1;
- r ^= s_reductionTable[GF_MOST_SIG_8BITS(b)];
- GF_SHIFT_8(b)
- a0 ^= b0; a1 ^= b1;
- a0 ^= ConditionalByteReverse<word64>(LITTLE_ENDIAN_ORDER, r);
- x0 = a0; x1 = a1;
- }
- while (len >= HASH_BLOCKSIZE);
-
- hashBuffer[0] = x0; hashBuffer[1] = x1;
- return len;
- }
-
- case 2: // non-SSE2 and 64K tables
- {
- byte *table = MulTable();
- word64 x0 = hashBuffer[0], x1 = hashBuffer[1];
-
- do
- {
- word64 y0, y1, a0, a1;
- Block::Get(data)(y0)(y1);
- x0 ^= y0;
- x1 ^= y1;
-
- data += HASH_BLOCKSIZE;
- len -= HASH_BLOCKSIZE;
-
- #undef READ_TABLE_WORD64_COMMON
- #undef READ_TABLE_WORD64
-
- #define READ_TABLE_WORD64_COMMON(a, c, d) *(word64 *)(table+(a)*256*16+(c)+(d)*8)
-
- #ifdef IS_LITTLE_ENDIAN
- #if CRYPTOPP_BOOL_SLOW_WORD64
- word32 z0 = (word32)x0;
- word32 z1 = (word32)(x0>>32);
- word32 z2 = (word32)x1;
- word32 z3 = (word32)(x1>>32);
- #define READ_TABLE_WORD64(b, c, d, e) READ_TABLE_WORD64_COMMON(c*4+d, (d?(z##c>>((d?d:1)*8-4))&0xff0:(z##c&0xff)<<4), e)
- #else
- #define READ_TABLE_WORD64(b, c, d, e) READ_TABLE_WORD64_COMMON(c*4+d, ((d+4*(c%2))?(x##b>>(((d+4*(c%2))?(d+4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e)
- #endif
- #else
- #define READ_TABLE_WORD64(b, c, d, e) READ_TABLE_WORD64_COMMON(c*4+d, ((7-d-4*(c%2))?(x##b>>(((7-d-4*(c%2))?(7-d-4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e)
- #endif
-
- #define GF_MUL_8BY128(op, b, c, d) \
- a0 op READ_TABLE_WORD64(b, c, d, 0);\
- a1 op READ_TABLE_WORD64(b, c, d, 1);\
-
- GF_MUL_8BY128(=, 0, 0, 0)
- GF_MUL_8BY128(^=, 0, 0, 1)
- GF_MUL_8BY128(^=, 0, 0, 2)
- GF_MUL_8BY128(^=, 0, 0, 3)
- GF_MUL_8BY128(^=, 0, 1, 0)
- GF_MUL_8BY128(^=, 0, 1, 1)
- GF_MUL_8BY128(^=, 0, 1, 2)
- GF_MUL_8BY128(^=, 0, 1, 3)
- GF_MUL_8BY128(^=, 1, 2, 0)
- GF_MUL_8BY128(^=, 1, 2, 1)
- GF_MUL_8BY128(^=, 1, 2, 2)
- GF_MUL_8BY128(^=, 1, 2, 3)
- GF_MUL_8BY128(^=, 1, 3, 0)
- GF_MUL_8BY128(^=, 1, 3, 1)
- GF_MUL_8BY128(^=, 1, 3, 2)
- GF_MUL_8BY128(^=, 1, 3, 3)
-
- x0 = a0; x1 = a1;
- }
- while (len >= HASH_BLOCKSIZE);
-
- hashBuffer[0] = x0; hashBuffer[1] = x1;
- return len;
- }
-#endif // #ifndef CRYPTOPP_GENERATE_X64_MASM
-
-#ifdef CRYPTOPP_X64_MASM_AVAILABLE
- case 1: // SSE2 and 2K tables
- GCM_AuthenticateBlocks_2K(data, len/16, hashBuffer, s_reductionTable);
- return len % 16;
- case 3: // SSE2 and 64K tables
- GCM_AuthenticateBlocks_64K(data, len/16, hashBuffer);
- return len % 16;
-#endif
-
-#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
- case 1: // SSE2 and 2K tables
- {
- #ifdef __GNUC__
- __asm__ __volatile__
- (
- ".intel_syntax noprefix;"
- #elif defined(CRYPTOPP_GENERATE_X64_MASM)
- ALIGN 8
- GCM_AuthenticateBlocks_2K PROC FRAME
- rex_push_reg rsi
- push_reg rdi
- push_reg rbx
- .endprolog
- mov rsi, r8
- mov r11, r9
- #else
- AS2( mov WORD_REG(cx), data )
- AS2( mov WORD_REG(dx), len )
- AS2( mov WORD_REG(si), hashBuffer )
- AS2( shr WORD_REG(dx), 4 )
- #endif
-
- AS_PUSH_IF86( bx)
- AS_PUSH_IF86( bp)
-
- #ifdef __GNUC__
- AS2( mov AS_REG_7, WORD_REG(di))
- #elif CRYPTOPP_BOOL_X86
- AS2( lea AS_REG_7, s_reductionTable)
- #endif
-
- AS2( movdqa xmm0, [WORD_REG(si)] )
-
- #define MUL_TABLE_0 WORD_REG(si) + 32
- #define MUL_TABLE_1 WORD_REG(si) + 32 + 1024
- #define RED_TABLE AS_REG_7
-
- ASL(0)
- AS2( movdqu xmm4, [WORD_REG(cx)] )
- AS2( pxor xmm0, xmm4 )
-
- AS2( movd ebx, xmm0 )
- AS2( mov eax, AS_HEX(f0f0f0f0) )
- AS2( and eax, ebx )
- AS2( shl ebx, 4 )
- AS2( and ebx, AS_HEX(f0f0f0f0) )
- AS2( movzx edi, ah )
- AS2( movdqa xmm5, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] )
- AS2( movzx edi, al )
- AS2( movdqa xmm4, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] )
- AS2( shr eax, 16 )
- AS2( movzx edi, ah )
- AS2( movdqa xmm3, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] )
- AS2( movzx edi, al )
- AS2( movdqa xmm2, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] )
-
- #define SSE2_MUL_32BITS(i) \
- AS2( psrldq xmm0, 4 )\
- AS2( movd eax, xmm0 )\
- AS2( and eax, AS_HEX(f0f0f0f0) )\
- AS2( movzx edi, bh )\
- AS2( pxor xmm5, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\
- AS2( movzx edi, bl )\
- AS2( pxor xmm4, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\
- AS2( shr ebx, 16 )\
- AS2( movzx edi, bh )\
- AS2( pxor xmm3, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\
- AS2( movzx edi, bl )\
- AS2( pxor xmm2, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\
- AS2( movd ebx, xmm0 )\
- AS2( shl ebx, 4 )\
- AS2( and ebx, AS_HEX(f0f0f0f0) )\
- AS2( movzx edi, ah )\
- AS2( pxor xmm5, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\
- AS2( movzx edi, al )\
- AS2( pxor xmm4, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\
- AS2( shr eax, 16 )\
- AS2( movzx edi, ah )\
- AS2( pxor xmm3, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\
- AS2( movzx edi, al )\
- AS2( pxor xmm2, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\
-
- SSE2_MUL_32BITS(1)
- SSE2_MUL_32BITS(2)
- SSE2_MUL_32BITS(3)
-
- AS2( movzx edi, bh )
- AS2( pxor xmm5, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] )
- AS2( movzx edi, bl )
- AS2( pxor xmm4, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] )
- AS2( shr ebx, 16 )
- AS2( movzx edi, bh )
- AS2( pxor xmm3, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] )
- AS2( movzx edi, bl )
- AS2( pxor xmm2, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] )
-
- AS2( movdqa xmm0, xmm3 )
- AS2( pslldq xmm3, 1 )
- AS2( pxor xmm2, xmm3 )
- AS2( movdqa xmm1, xmm2 )
- AS2( pslldq xmm2, 1 )
- AS2( pxor xmm5, xmm2 )
-
- AS2( psrldq xmm0, 15 )
- AS2( movd WORD_REG(di), xmm0 )
- AS2( movzx eax, WORD PTR [RED_TABLE + WORD_REG(di)*2] )
- AS2( shl eax, 8 )
-
- AS2( movdqa xmm0, xmm5 )
- AS2( pslldq xmm5, 1 )
- AS2( pxor xmm4, xmm5 )
-
- AS2( psrldq xmm1, 15 )
- AS2( movd WORD_REG(di), xmm1 )
- AS2( xor ax, WORD PTR [RED_TABLE + WORD_REG(di)*2] )
- AS2( shl eax, 8 )
-
- AS2( psrldq xmm0, 15 )
- AS2( movd WORD_REG(di), xmm0 )
- AS2( xor ax, WORD PTR [RED_TABLE + WORD_REG(di)*2] )
-
- AS2( movd xmm0, eax )
- AS2( pxor xmm0, xmm4 )
-
- AS2( add WORD_REG(cx), 16 )
- AS2( sub WORD_REG(dx), 1 )
- ASJ( jnz, 0, b )
- AS2( movdqa [WORD_REG(si)], xmm0 )
-
- AS_POP_IF86( bp)
- AS_POP_IF86( bx)
-
- #ifdef __GNUC__
- ".att_syntax prefix;"
- :
- : "c" (data), "d" (len/16), "S" (hashBuffer), "D" (s_reductionTable)
- : "memory", "cc", "%eax"
- #if CRYPTOPP_BOOL_X64
- , "%ebx", "%r11"
- #endif
- );
- #elif defined(CRYPTOPP_GENERATE_X64_MASM)
- pop rbx
- pop rdi
- pop rsi
- ret
- GCM_AuthenticateBlocks_2K ENDP
- #endif
-
- return len%16;
- }
- case 3: // SSE2 and 64K tables
- {
- #ifdef __GNUC__
- __asm__ __volatile__
- (
- ".intel_syntax noprefix;"
- #elif defined(CRYPTOPP_GENERATE_X64_MASM)
- ALIGN 8
- GCM_AuthenticateBlocks_64K PROC FRAME
- rex_push_reg rsi
- push_reg rdi
- .endprolog
- mov rsi, r8
- #else
- AS2( mov WORD_REG(cx), data )
- AS2( mov WORD_REG(dx), len )
- AS2( mov WORD_REG(si), hashBuffer )
- AS2( shr WORD_REG(dx), 4 )
- #endif
-
- AS2( movdqa xmm0, [WORD_REG(si)] )
-
- #undef MUL_TABLE
- #define MUL_TABLE(i,j) WORD_REG(si) + 32 + (i*4+j)*256*16
-
- ASL(1)
- AS2( movdqu xmm1, [WORD_REG(cx)] )
- AS2( pxor xmm1, xmm0 )
- AS2( pxor xmm0, xmm0 )
-
- #undef SSE2_MUL_32BITS
- #define SSE2_MUL_32BITS(i) \
- AS2( movd eax, xmm1 )\
- AS2( psrldq xmm1, 4 )\
- AS2( movzx edi, al )\
- AS2( add WORD_REG(di), WORD_REG(di) )\
- AS2( pxor xmm0, [MUL_TABLE(i,0) + WORD_REG(di)*8] )\
- AS2( movzx edi, ah )\
- AS2( add WORD_REG(di), WORD_REG(di) )\
- AS2( pxor xmm0, [MUL_TABLE(i,1) + WORD_REG(di)*8] )\
- AS2( shr eax, 16 )\
- AS2( movzx edi, al )\
- AS2( add WORD_REG(di), WORD_REG(di) )\
- AS2( pxor xmm0, [MUL_TABLE(i,2) + WORD_REG(di)*8] )\
- AS2( movzx edi, ah )\
- AS2( add WORD_REG(di), WORD_REG(di) )\
- AS2( pxor xmm0, [MUL_TABLE(i,3) + WORD_REG(di)*8] )\
-
- SSE2_MUL_32BITS(0)
- SSE2_MUL_32BITS(1)
- SSE2_MUL_32BITS(2)
- SSE2_MUL_32BITS(3)
-
- AS2( add WORD_REG(cx), 16 )
- AS2( sub WORD_REG(dx), 1 )
- ASJ( jnz, 1, b )
- AS2( movdqa [WORD_REG(si)], xmm0 )
-
- #ifdef __GNUC__
- ".att_syntax prefix;"
- :
- : "c" (data), "d" (len/16), "S" (hashBuffer)
- : "memory", "cc", "%edi", "%eax"
- );
- #elif defined(CRYPTOPP_GENERATE_X64_MASM)
- pop rdi
- pop rsi
- ret
- GCM_AuthenticateBlocks_64K ENDP
- #endif
-
- return len%16;
- }
-#endif
-#ifndef CRYPTOPP_GENERATE_X64_MASM
- }
-
- return len%16;
-}
-
-void GCM_Base::AuthenticateLastHeaderBlock()
-{
- if (m_bufferedDataLength > 0)
- {
- memset(m_buffer+m_bufferedDataLength, 0, HASH_BLOCKSIZE-m_bufferedDataLength);
- m_bufferedDataLength = 0;
- GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
- }
-}
-
-void GCM_Base::AuthenticateLastConfidentialBlock()
-{
- GCM_Base::AuthenticateLastHeaderBlock();
- PutBlock<word64, BigEndian, true>(NULL, m_buffer)(m_totalHeaderLength*8)(m_totalMessageLength*8);
- GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
-}
-
-void GCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize)
-{
- m_ctr.Seek(0);
- ReverseHashBufferIfNeeded();
- m_ctr.ProcessData(mac, HashBuffer(), macSize);
-}
-
-NAMESPACE_END
-
-#endif // #ifndef CRYPTOPP_GENERATE_X64_MASM
-#endif
+// gcm.cpp - written and placed in the public domain by Wei Dai + +// use "cl /EP /P /DCRYPTOPP_GENERATE_X64_MASM gcm.cpp" to generate MASM code + +#include "pch.h" + +#ifndef CRYPTOPP_IMPORTS +#ifndef CRYPTOPP_GENERATE_X64_MASM + +#include "gcm.h" +#include "cpu.h" + +NAMESPACE_BEGIN(CryptoPP) + +word16 GCM_Base::s_reductionTable[256]; +volatile bool GCM_Base::s_reductionTableInitialized = false; + +void GCM_Base::GCTR::IncrementCounterBy256() +{ + IncrementCounterByOne(m_counterArray+BlockSize()-4, 3); +} + +#if 0 +// preserved for testing +void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c) +{ + word64 Z0=0, Z1=0, V0, V1; + + typedef BlockGetAndPut<word64, BigEndian> Block; + Block::Get(a)(V0)(V1); + + for (int i=0; i<16; i++) + { + for (int j=0x80; j!=0; j>>=1) + { + int x = b[i] & j; + Z0 ^= x ? V0 : 0; + Z1 ^= x ? V1 : 0; + x = (int)V1 & 1; + V1 = (V1>>1) | (V0<<63); + V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0); + } + } + Block::Put(NULL, c)(Z0)(Z1); +} + +__m128i _mm_clmulepi64_si128(const __m128i &a, const __m128i &b, int i) +{ + word64 A[1] = {ByteReverse(((word64*)&a)[i&1])}; + word64 B[1] = {ByteReverse(((word64*)&b)[i>>4])}; + + PolynomialMod2 pa((byte *)A, 8); + PolynomialMod2 pb((byte *)B, 8); + PolynomialMod2 c = pa*pb; + + __m128i output; + for (int i=0; i<16; i++) + ((byte *)&output)[i] = c.GetByte(i); + return output; +} +#endif + +#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE +inline static void SSE2_Xor16(byte *a, const byte *b, const byte *c) +{ +#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE + *(__m128i *)a = _mm_xor_si128(*(__m128i *)b, *(__m128i *)c); +#else + asm ("movdqa %1, %%xmm0; pxor %2, %%xmm0; movdqa %%xmm0, %0;" : "=m" (a[0]) : "m"(b[0]), "m"(c[0])); +#endif +} +#endif + +inline static void Xor16(byte *a, const byte *b, const byte *c) +{ + ((word64 *)a)[0] = ((word64 *)b)[0] ^ ((word64 *)c)[0]; + ((word64 *)a)[1] = ((word64 *)b)[1] ^ ((word64 *)c)[1]; +} + +#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE +static CRYPTOPP_ALIGN_DATA(16) const word64 s_clmulConstants64[] = { + W64LIT(0xe100000000000000), W64LIT(0xc200000000000000), + W64LIT(0x08090a0b0c0d0e0f), W64LIT(0x0001020304050607), + W64LIT(0x0001020304050607), W64LIT(0x08090a0b0c0d0e0f)}; +static const __m128i *s_clmulConstants = (const __m128i *)s_clmulConstants64; +static const unsigned int s_clmulTableSizeInBlocks = 8; + +inline __m128i CLMUL_Reduce(__m128i c0, __m128i c1, __m128i c2, const __m128i &r) +{ + /* + The polynomial to be reduced is c0 * x^128 + c1 * x^64 + c2. c0t below refers to the most + significant half of c0 as a polynomial, which, due to GCM's bit reflection, are in the + rightmost bit positions, and the lowest byte addresses. + + c1 ^= c0t * 0xc200000000000000 + c2t ^= c0t + t = shift (c1t ^ c0b) left 1 bit + c2 ^= t * 0xe100000000000000 + c2t ^= c1b + shift c2 left 1 bit and xor in lowest bit of c1t + */ +#if 0 // MSVC 2010 workaround: see http://connect.microsoft.com/VisualStudio/feedback/details/575301 + c2 = _mm_xor_si128(c2, _mm_move_epi64(c0)); +#else + c1 = _mm_xor_si128(c1, _mm_slli_si128(c0, 8)); +#endif + c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(c0, r, 0x10)); + c0 = _mm_srli_si128(c0, 8); + c0 = _mm_xor_si128(c0, c1); + c0 = _mm_slli_epi64(c0, 1); + c0 = _mm_clmulepi64_si128(c0, r, 0); + c2 = _mm_xor_si128(c2, c0); + c2 = _mm_xor_si128(c2, _mm_srli_si128(c1, 8)); + c1 = _mm_unpacklo_epi64(c1, c2); + c1 = _mm_srli_epi64(c1, 63); + c2 = _mm_slli_epi64(c2, 1); + return _mm_xor_si128(c2, c1); +} + +inline __m128i CLMUL_GF_Mul(const __m128i &x, const __m128i &h, const __m128i &r) +{ + __m128i c0 = _mm_clmulepi64_si128(x,h,0); + __m128i c1 = _mm_xor_si128(_mm_clmulepi64_si128(x,h,1), _mm_clmulepi64_si128(x,h,0x10)); + __m128i c2 = _mm_clmulepi64_si128(x,h,0x11); + + return CLMUL_Reduce(c0, c1, c2, r); +} +#endif + +void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms) +{ + BlockCipher &blockCipher = AccessBlockCipher(); + blockCipher.SetKey(userKey, keylength, params); + + if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE) + throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16"); + + int tableSize, i, j, k; + +#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE + if (HasCLMUL()) + { + params.GetIntValue(Name::TableSize(), tableSize); // avoid "parameter not used" error + tableSize = s_clmulTableSizeInBlocks * REQUIRED_BLOCKSIZE; + } + else +#endif + { + if (params.GetIntValue(Name::TableSize(), tableSize)) + tableSize = (tableSize >= 64*1024) ? 64*1024 : 2*1024; + else + tableSize = (GetTablesOption() == GCM_64K_Tables) ? 64*1024 : 2*1024; + +#if defined(_MSC_VER) && (_MSC_VER >= 1300 && _MSC_VER < 1400) + // VC 2003 workaround: compiler generates bad code for 64K tables + tableSize = 2*1024; +#endif + } + + m_buffer.resize(3*REQUIRED_BLOCKSIZE + tableSize); + byte *table = MulTable(); + byte *hashKey = HashKey(); + memset(hashKey, 0, REQUIRED_BLOCKSIZE); + blockCipher.ProcessBlock(hashKey); + +#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE + if (HasCLMUL()) + { + const __m128i r = s_clmulConstants[0]; + __m128i h0 = _mm_shuffle_epi8(_mm_load_si128((__m128i *)hashKey), s_clmulConstants[1]); + __m128i h = h0; + + for (i=0; i<tableSize; i+=32) + { + __m128i h1 = CLMUL_GF_Mul(h, h0, r); + _mm_storel_epi64((__m128i *)(table+i), h); + _mm_storeu_si128((__m128i *)(table+i+16), h1); + _mm_storeu_si128((__m128i *)(table+i+8), h); + _mm_storel_epi64((__m128i *)(table+i+8), h1); + h = CLMUL_GF_Mul(h1, h0, r); + } + + return; + } +#endif + + word64 V0, V1; + typedef BlockGetAndPut<word64, BigEndian> Block; + Block::Get(hashKey)(V0)(V1); + + if (tableSize == 64*1024) + { + for (i=0; i<128; i++) + { + k = i%8; + Block::Put(NULL, table+(i/8)*256*16+(size_t(1)<<(11-k)))(V0)(V1); + + int x = (int)V1 & 1; + V1 = (V1>>1) | (V0<<63); + V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0); + } + + for (i=0; i<16; i++) + { + memset(table+i*256*16, 0, 16); +#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE + if (HasSSE2()) + for (j=2; j<=0x80; j*=2) + for (k=1; k<j; k++) + SSE2_Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16); + else +#endif + for (j=2; j<=0x80; j*=2) + for (k=1; k<j; k++) + Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16); + } + } + else + { + if (!s_reductionTableInitialized) + { + s_reductionTable[0] = 0; + word16 x = 0x01c2; + s_reductionTable[1] = ByteReverse(x); + for (int i=2; i<=0x80; i*=2) + { + x <<= 1; + s_reductionTable[i] = ByteReverse(x); + for (int j=1; j<i; j++) + s_reductionTable[i+j] = s_reductionTable[i] ^ s_reductionTable[j]; + } + s_reductionTableInitialized = true; + } + + for (i=0; i<128-24; i++) + { + k = i%32; + if (k < 4) + Block::Put(NULL, table+1024+(i/32)*256+(size_t(1)<<(7-k)))(V0)(V1); + else if (k < 8) + Block::Put(NULL, table+(i/32)*256+(size_t(1)<<(11-k)))(V0)(V1); + + int x = (int)V1 & 1; + V1 = (V1>>1) | (V0<<63); + V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0); + } + + for (i=0; i<4; i++) + { + memset(table+i*256, 0, 16); + memset(table+1024+i*256, 0, 16); +#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE + if (HasSSE2()) + for (j=2; j<=8; j*=2) + for (k=1; k<j; k++) + { + SSE2_Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16); + SSE2_Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16); + } + else +#endif + for (j=2; j<=8; j*=2) + for (k=1; k<j; k++) + { + Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16); + Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16); + } + } + } +} + +inline void GCM_Base::ReverseHashBufferIfNeeded() +{ +#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE + if (HasCLMUL()) + { + __m128i &x = *(__m128i *)HashBuffer(); + x = _mm_shuffle_epi8(x, s_clmulConstants[1]); + } +#endif +} + +void GCM_Base::Resync(const byte *iv, size_t len) +{ + BlockCipher &cipher = AccessBlockCipher(); + byte *hashBuffer = HashBuffer(); + + if (len == 12) + { + memcpy(hashBuffer, iv, len); + memset(hashBuffer+len, 0, 3); + hashBuffer[len+3] = 1; + } + else + { + size_t origLen = len; + memset(hashBuffer, 0, HASH_BLOCKSIZE); + + if (len >= HASH_BLOCKSIZE) + { + len = GCM_Base::AuthenticateBlocks(iv, len); + iv += (origLen - len); + } + + if (len > 0) + { + memcpy(m_buffer, iv, len); + memset(m_buffer+len, 0, HASH_BLOCKSIZE-len); + GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE); + } + + PutBlock<word64, BigEndian, true>(NULL, m_buffer)(0)(origLen*8); + GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE); + + ReverseHashBufferIfNeeded(); + } + + if (m_state >= State_IVSet) + m_ctr.Resynchronize(hashBuffer, REQUIRED_BLOCKSIZE); + else + m_ctr.SetCipherWithIV(cipher, hashBuffer); + + m_ctr.Seek(HASH_BLOCKSIZE); + + memset(hashBuffer, 0, HASH_BLOCKSIZE); +} + +unsigned int GCM_Base::OptimalDataAlignment() const +{ + return +#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE) + HasSSE2() ? 16 : +#endif + GetBlockCipher().OptimalDataAlignment(); +} + +#pragma warning(disable: 4731) // frame pointer register 'ebp' modified by inline assembly code + +#endif // #ifndef CRYPTOPP_GENERATE_X64_MASM + +#ifdef CRYPTOPP_X64_MASM_AVAILABLE +extern "C" { +void GCM_AuthenticateBlocks_2K(const byte *data, size_t blocks, word64 *hashBuffer, const word16 *reductionTable); +void GCM_AuthenticateBlocks_64K(const byte *data, size_t blocks, word64 *hashBuffer); +} +#endif + +#ifndef CRYPTOPP_GENERATE_X64_MASM + +size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len) +{ +#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE + if (HasCLMUL()) + { + const __m128i *table = (const __m128i *)MulTable(); + __m128i x = _mm_load_si128((__m128i *)HashBuffer()); + const __m128i r = s_clmulConstants[0], bswapMask = s_clmulConstants[1], bswapMask2 = s_clmulConstants[2]; + + while (len >= 16) + { + size_t s = UnsignedMin(len/16, s_clmulTableSizeInBlocks), i=0; + __m128i d, d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-1)*16)), bswapMask2);; + __m128i c0 = _mm_setzero_si128(); + __m128i c1 = _mm_setzero_si128(); + __m128i c2 = _mm_setzero_si128(); + + while (true) + { + __m128i h0 = _mm_load_si128(table+i); + __m128i h1 = _mm_load_si128(table+i+1); + __m128i h01 = _mm_xor_si128(h0, h1); + + if (++i == s) + { + d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask); + d = _mm_xor_si128(d, x); + c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0)); + c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1)); + d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2))); + c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0)); + break; + } + + d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask2); + c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d2, h0, 1)); + c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1)); + d2 = _mm_xor_si128(d2, d); + c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d2, h01, 1)); + + if (++i == s) + { + d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask); + d = _mm_xor_si128(d, x); + c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10)); + c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 0x11)); + d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2))); + c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10)); + break; + } + + d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask); + c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10)); + c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d2, h1, 0x10)); + d = _mm_xor_si128(d, d2); + c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10)); + } + data += s*16; + len -= s*16; + + c1 = _mm_xor_si128(_mm_xor_si128(c1, c0), c2); + x = CLMUL_Reduce(c0, c1, c2, r); + } + + _mm_store_si128((__m128i *)HashBuffer(), x); + return len; + } +#endif + + typedef BlockGetAndPut<word64, NativeByteOrder> Block; + word64 *hashBuffer = (word64 *)HashBuffer(); + + switch (2*(m_buffer.size()>=64*1024) +#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE) + + HasSSE2() +#endif + ) + { + case 0: // non-SSE2 and 2K tables + { + byte *table = MulTable(); + word64 x0 = hashBuffer[0], x1 = hashBuffer[1]; + + do + { + word64 y0, y1, a0, a1, b0, b1, c0, c1, d0, d1; + Block::Get(data)(y0)(y1); + x0 ^= y0; + x1 ^= y1; + + data += HASH_BLOCKSIZE; + len -= HASH_BLOCKSIZE; + + #define READ_TABLE_WORD64_COMMON(a, b, c, d) *(word64 *)(table+(a*1024)+(b*256)+c+d*8) + + #ifdef IS_LITTLE_ENDIAN + #if CRYPTOPP_BOOL_SLOW_WORD64 + word32 z0 = (word32)x0; + word32 z1 = (word32)(x0>>32); + word32 z2 = (word32)x1; + word32 z3 = (word32)(x1>>32); + #define READ_TABLE_WORD64(a, b, c, d, e) READ_TABLE_WORD64_COMMON((d%2), c, (d?(z##c>>((d?d-1:0)*4))&0xf0:(z##c&0xf)<<4), e) + #else + #define READ_TABLE_WORD64(a, b, c, d, e) READ_TABLE_WORD64_COMMON((d%2), c, ((d+8*b)?(x##a>>(((d+8*b)?(d+8*b)-1:1)*4))&0xf0:(x##a&0xf)<<4), e) + #endif + #define GF_MOST_SIG_8BITS(a) (a##1 >> 7*8) + #define GF_SHIFT_8(a) a##1 = (a##1 << 8) ^ (a##0 >> 7*8); a##0 <<= 8; + #else + #define READ_TABLE_WORD64(a, b, c, d, e) READ_TABLE_WORD64_COMMON((1-d%2), c, ((15-d-8*b)?(x##a>>(((15-d-8*b)?(15-d-8*b)-1:0)*4))&0xf0:(x##a&0xf)<<4), e) + #define GF_MOST_SIG_8BITS(a) (a##1 & 0xff) + #define GF_SHIFT_8(a) a##1 = (a##1 >> 8) ^ (a##0 << 7*8); a##0 >>= 8; + #endif + + #define GF_MUL_32BY128(op, a, b, c) \ + a0 op READ_TABLE_WORD64(a, b, c, 0, 0) ^ READ_TABLE_WORD64(a, b, c, 1, 0);\ + a1 op READ_TABLE_WORD64(a, b, c, 0, 1) ^ READ_TABLE_WORD64(a, b, c, 1, 1);\ + b0 op READ_TABLE_WORD64(a, b, c, 2, 0) ^ READ_TABLE_WORD64(a, b, c, 3, 0);\ + b1 op READ_TABLE_WORD64(a, b, c, 2, 1) ^ READ_TABLE_WORD64(a, b, c, 3, 1);\ + c0 op READ_TABLE_WORD64(a, b, c, 4, 0) ^ READ_TABLE_WORD64(a, b, c, 5, 0);\ + c1 op READ_TABLE_WORD64(a, b, c, 4, 1) ^ READ_TABLE_WORD64(a, b, c, 5, 1);\ + d0 op READ_TABLE_WORD64(a, b, c, 6, 0) ^ READ_TABLE_WORD64(a, b, c, 7, 0);\ + d1 op READ_TABLE_WORD64(a, b, c, 6, 1) ^ READ_TABLE_WORD64(a, b, c, 7, 1);\ + + GF_MUL_32BY128(=, 0, 0, 0) + GF_MUL_32BY128(^=, 0, 1, 1) + GF_MUL_32BY128(^=, 1, 0, 2) + GF_MUL_32BY128(^=, 1, 1, 3) + + word32 r = (word32)s_reductionTable[GF_MOST_SIG_8BITS(d)] << 16; + GF_SHIFT_8(d) + c0 ^= d0; c1 ^= d1; + r ^= (word32)s_reductionTable[GF_MOST_SIG_8BITS(c)] << 8; + GF_SHIFT_8(c) + b0 ^= c0; b1 ^= c1; + r ^= s_reductionTable[GF_MOST_SIG_8BITS(b)]; + GF_SHIFT_8(b) + a0 ^= b0; a1 ^= b1; + a0 ^= ConditionalByteReverse<word64>(LITTLE_ENDIAN_ORDER, r); + x0 = a0; x1 = a1; + } + while (len >= HASH_BLOCKSIZE); + + hashBuffer[0] = x0; hashBuffer[1] = x1; + return len; + } + + case 2: // non-SSE2 and 64K tables + { + byte *table = MulTable(); + word64 x0 = hashBuffer[0], x1 = hashBuffer[1]; + + do + { + word64 y0, y1, a0, a1; + Block::Get(data)(y0)(y1); + x0 ^= y0; + x1 ^= y1; + + data += HASH_BLOCKSIZE; + len -= HASH_BLOCKSIZE; + + #undef READ_TABLE_WORD64_COMMON + #undef READ_TABLE_WORD64 + + #define READ_TABLE_WORD64_COMMON(a, c, d) *(word64 *)(table+(a)*256*16+(c)+(d)*8) + + #ifdef IS_LITTLE_ENDIAN + #if CRYPTOPP_BOOL_SLOW_WORD64 + word32 z0 = (word32)x0; + word32 z1 = (word32)(x0>>32); + word32 z2 = (word32)x1; + word32 z3 = (word32)(x1>>32); + #define READ_TABLE_WORD64(b, c, d, e) READ_TABLE_WORD64_COMMON(c*4+d, (d?(z##c>>((d?d:1)*8-4))&0xff0:(z##c&0xff)<<4), e) + #else + #define READ_TABLE_WORD64(b, c, d, e) READ_TABLE_WORD64_COMMON(c*4+d, ((d+4*(c%2))?(x##b>>(((d+4*(c%2))?(d+4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e) + #endif + #else + #define READ_TABLE_WORD64(b, c, d, e) READ_TABLE_WORD64_COMMON(c*4+d, ((7-d-4*(c%2))?(x##b>>(((7-d-4*(c%2))?(7-d-4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e) + #endif + + #define GF_MUL_8BY128(op, b, c, d) \ + a0 op READ_TABLE_WORD64(b, c, d, 0);\ + a1 op READ_TABLE_WORD64(b, c, d, 1);\ + + GF_MUL_8BY128(=, 0, 0, 0) + GF_MUL_8BY128(^=, 0, 0, 1) + GF_MUL_8BY128(^=, 0, 0, 2) + GF_MUL_8BY128(^=, 0, 0, 3) + GF_MUL_8BY128(^=, 0, 1, 0) + GF_MUL_8BY128(^=, 0, 1, 1) + GF_MUL_8BY128(^=, 0, 1, 2) + GF_MUL_8BY128(^=, 0, 1, 3) + GF_MUL_8BY128(^=, 1, 2, 0) + GF_MUL_8BY128(^=, 1, 2, 1) + GF_MUL_8BY128(^=, 1, 2, 2) + GF_MUL_8BY128(^=, 1, 2, 3) + GF_MUL_8BY128(^=, 1, 3, 0) + GF_MUL_8BY128(^=, 1, 3, 1) + GF_MUL_8BY128(^=, 1, 3, 2) + GF_MUL_8BY128(^=, 1, 3, 3) + + x0 = a0; x1 = a1; + } + while (len >= HASH_BLOCKSIZE); + + hashBuffer[0] = x0; hashBuffer[1] = x1; + return len; + } +#endif // #ifndef CRYPTOPP_GENERATE_X64_MASM + +#ifdef CRYPTOPP_X64_MASM_AVAILABLE + case 1: // SSE2 and 2K tables + GCM_AuthenticateBlocks_2K(data, len/16, hashBuffer, s_reductionTable); + return len % 16; + case 3: // SSE2 and 64K tables + GCM_AuthenticateBlocks_64K(data, len/16, hashBuffer); + return len % 16; +#endif + +#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE + case 1: // SSE2 and 2K tables + { + #ifdef __GNUC__ + __asm__ __volatile__ + ( + ".intel_syntax noprefix;" + #elif defined(CRYPTOPP_GENERATE_X64_MASM) + ALIGN 8 + GCM_AuthenticateBlocks_2K PROC FRAME + rex_push_reg rsi + push_reg rdi + push_reg rbx + .endprolog + mov rsi, r8 + mov r11, r9 + #else + AS2( mov WORD_REG(cx), data ) + AS2( mov WORD_REG(dx), len ) + AS2( mov WORD_REG(si), hashBuffer ) + AS2( shr WORD_REG(dx), 4 ) + #endif + + AS_PUSH_IF86( bx) + AS_PUSH_IF86( bp) + + #ifdef __GNUC__ + AS2( mov AS_REG_7, WORD_REG(di)) + #elif CRYPTOPP_BOOL_X86 + AS2( lea AS_REG_7, s_reductionTable) + #endif + + AS2( movdqa xmm0, [WORD_REG(si)] ) + + #define MUL_TABLE_0 WORD_REG(si) + 32 + #define MUL_TABLE_1 WORD_REG(si) + 32 + 1024 + #define RED_TABLE AS_REG_7 + + ASL(0) + AS2( movdqu xmm4, [WORD_REG(cx)] ) + AS2( pxor xmm0, xmm4 ) + + AS2( movd ebx, xmm0 ) + AS2( mov eax, AS_HEX(f0f0f0f0) ) + AS2( and eax, ebx ) + AS2( shl ebx, 4 ) + AS2( and ebx, AS_HEX(f0f0f0f0) ) + AS2( movzx edi, ah ) + AS2( movdqa xmm5, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] ) + AS2( movzx edi, al ) + AS2( movdqa xmm4, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] ) + AS2( shr eax, 16 ) + AS2( movzx edi, ah ) + AS2( movdqa xmm3, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] ) + AS2( movzx edi, al ) + AS2( movdqa xmm2, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)] ) + + #define SSE2_MUL_32BITS(i) \ + AS2( psrldq xmm0, 4 )\ + AS2( movd eax, xmm0 )\ + AS2( and eax, AS_HEX(f0f0f0f0) )\ + AS2( movzx edi, bh )\ + AS2( pxor xmm5, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\ + AS2( movzx edi, bl )\ + AS2( pxor xmm4, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\ + AS2( shr ebx, 16 )\ + AS2( movzx edi, bh )\ + AS2( pxor xmm3, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\ + AS2( movzx edi, bl )\ + AS2( pxor xmm2, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)] )\ + AS2( movd ebx, xmm0 )\ + AS2( shl ebx, 4 )\ + AS2( and ebx, AS_HEX(f0f0f0f0) )\ + AS2( movzx edi, ah )\ + AS2( pxor xmm5, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\ + AS2( movzx edi, al )\ + AS2( pxor xmm4, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\ + AS2( shr eax, 16 )\ + AS2( movzx edi, ah )\ + AS2( pxor xmm3, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\ + AS2( movzx edi, al )\ + AS2( pxor xmm2, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)] )\ + + SSE2_MUL_32BITS(1) + SSE2_MUL_32BITS(2) + SSE2_MUL_32BITS(3) + + AS2( movzx edi, bh ) + AS2( pxor xmm5, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] ) + AS2( movzx edi, bl ) + AS2( pxor xmm4, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] ) + AS2( shr ebx, 16 ) + AS2( movzx edi, bh ) + AS2( pxor xmm3, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] ) + AS2( movzx edi, bl ) + AS2( pxor xmm2, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)] ) + + AS2( movdqa xmm0, xmm3 ) + AS2( pslldq xmm3, 1 ) + AS2( pxor xmm2, xmm3 ) + AS2( movdqa xmm1, xmm2 ) + AS2( pslldq xmm2, 1 ) + AS2( pxor xmm5, xmm2 ) + + AS2( psrldq xmm0, 15 ) + AS2( movd WORD_REG(di), xmm0 ) + AS2( movzx eax, WORD PTR [RED_TABLE + WORD_REG(di)*2] ) + AS2( shl eax, 8 ) + + AS2( movdqa xmm0, xmm5 ) + AS2( pslldq xmm5, 1 ) + AS2( pxor xmm4, xmm5 ) + + AS2( psrldq xmm1, 15 ) + AS2( movd WORD_REG(di), xmm1 ) + AS2( xor ax, WORD PTR [RED_TABLE + WORD_REG(di)*2] ) + AS2( shl eax, 8 ) + + AS2( psrldq xmm0, 15 ) + AS2( movd WORD_REG(di), xmm0 ) + AS2( xor ax, WORD PTR [RED_TABLE + WORD_REG(di)*2] ) + + AS2( movd xmm0, eax ) + AS2( pxor xmm0, xmm4 ) + + AS2( add WORD_REG(cx), 16 ) + AS2( sub WORD_REG(dx), 1 ) + ASJ( jnz, 0, b ) + AS2( movdqa [WORD_REG(si)], xmm0 ) + + AS_POP_IF86( bp) + AS_POP_IF86( bx) + + #ifdef __GNUC__ + ".att_syntax prefix;" + : + : "c" (data), "d" (len/16), "S" (hashBuffer), "D" (s_reductionTable) + : "memory", "cc", "%eax" + #if CRYPTOPP_BOOL_X64 + , "%ebx", "%r11" + #endif + ); + #elif defined(CRYPTOPP_GENERATE_X64_MASM) + pop rbx + pop rdi + pop rsi + ret + GCM_AuthenticateBlocks_2K ENDP + #endif + + return len%16; + } + case 3: // SSE2 and 64K tables + { + #ifdef __GNUC__ + __asm__ __volatile__ + ( + ".intel_syntax noprefix;" + #elif defined(CRYPTOPP_GENERATE_X64_MASM) + ALIGN 8 + GCM_AuthenticateBlocks_64K PROC FRAME + rex_push_reg rsi + push_reg rdi + .endprolog + mov rsi, r8 + #else + AS2( mov WORD_REG(cx), data ) + AS2( mov WORD_REG(dx), len ) + AS2( mov WORD_REG(si), hashBuffer ) + AS2( shr WORD_REG(dx), 4 ) + #endif + + AS2( movdqa xmm0, [WORD_REG(si)] ) + + #undef MUL_TABLE + #define MUL_TABLE(i,j) WORD_REG(si) + 32 + (i*4+j)*256*16 + + ASL(1) + AS2( movdqu xmm1, [WORD_REG(cx)] ) + AS2( pxor xmm1, xmm0 ) + AS2( pxor xmm0, xmm0 ) + + #undef SSE2_MUL_32BITS + #define SSE2_MUL_32BITS(i) \ + AS2( movd eax, xmm1 )\ + AS2( psrldq xmm1, 4 )\ + AS2( movzx edi, al )\ + AS2( add WORD_REG(di), WORD_REG(di) )\ + AS2( pxor xmm0, [MUL_TABLE(i,0) + WORD_REG(di)*8] )\ + AS2( movzx edi, ah )\ + AS2( add WORD_REG(di), WORD_REG(di) )\ + AS2( pxor xmm0, [MUL_TABLE(i,1) + WORD_REG(di)*8] )\ + AS2( shr eax, 16 )\ + AS2( movzx edi, al )\ + AS2( add WORD_REG(di), WORD_REG(di) )\ + AS2( pxor xmm0, [MUL_TABLE(i,2) + WORD_REG(di)*8] )\ + AS2( movzx edi, ah )\ + AS2( add WORD_REG(di), WORD_REG(di) )\ + AS2( pxor xmm0, [MUL_TABLE(i,3) + WORD_REG(di)*8] )\ + + SSE2_MUL_32BITS(0) + SSE2_MUL_32BITS(1) + SSE2_MUL_32BITS(2) + SSE2_MUL_32BITS(3) + + AS2( add WORD_REG(cx), 16 ) + AS2( sub WORD_REG(dx), 1 ) + ASJ( jnz, 1, b ) + AS2( movdqa [WORD_REG(si)], xmm0 ) + + #ifdef __GNUC__ + ".att_syntax prefix;" + : + : "c" (data), "d" (len/16), "S" (hashBuffer) + : "memory", "cc", "%edi", "%eax" + ); + #elif defined(CRYPTOPP_GENERATE_X64_MASM) + pop rdi + pop rsi + ret + GCM_AuthenticateBlocks_64K ENDP + #endif + + return len%16; + } +#endif +#ifndef CRYPTOPP_GENERATE_X64_MASM + } + + return len%16; +} + +void GCM_Base::AuthenticateLastHeaderBlock() +{ + if (m_bufferedDataLength > 0) + { + memset(m_buffer+m_bufferedDataLength, 0, HASH_BLOCKSIZE-m_bufferedDataLength); + m_bufferedDataLength = 0; + GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE); + } +} + +void GCM_Base::AuthenticateLastConfidentialBlock() +{ + GCM_Base::AuthenticateLastHeaderBlock(); + PutBlock<word64, BigEndian, true>(NULL, m_buffer)(m_totalHeaderLength*8)(m_totalMessageLength*8); + GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE); +} + +void GCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize) +{ + m_ctr.Seek(0); + ReverseHashBufferIfNeeded(); + m_ctr.ProcessData(mac, HashBuffer(), macSize); +} + +NAMESPACE_END + +#endif // #ifndef CRYPTOPP_GENERATE_X64_MASM +#endif diff --git a/CryptoPP/gcm.h b/CryptoPP/gcm.h index 0b32524f9..272a51c9c 100644 --- a/CryptoPP/gcm.h +++ b/CryptoPP/gcm.h @@ -1,106 +1,106 @@ -#ifndef CRYPTOPP_GCM_H
-#define CRYPTOPP_GCM_H
-
-#include "authenc.h"
-#include "modes.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-//! .
-enum GCM_TablesOption {GCM_2K_Tables, GCM_64K_Tables};
-
-//! .
-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE GCM_Base : public AuthenticatedSymmetricCipherBase
-{
-public:
- // AuthenticatedSymmetricCipher
- std::string AlgorithmName() const
- {return GetBlockCipher().AlgorithmName() + std::string("/GCM");}
- size_t MinKeyLength() const
- {return GetBlockCipher().MinKeyLength();}
- size_t MaxKeyLength() const
- {return GetBlockCipher().MaxKeyLength();}
- size_t DefaultKeyLength() const
- {return GetBlockCipher().DefaultKeyLength();}
- size_t GetValidKeyLength(size_t n) const
- {return GetBlockCipher().GetValidKeyLength(n);}
- bool IsValidKeyLength(size_t n) const
- {return GetBlockCipher().IsValidKeyLength(n);}
- unsigned int OptimalDataAlignment() const;
- IV_Requirement IVRequirement() const
- {return UNIQUE_IV;}
- unsigned int IVSize() const
- {return 12;}
- unsigned int MinIVLength() const
- {return 1;}
- unsigned int MaxIVLength() const
- {return UINT_MAX;} // (W64LIT(1)<<61)-1 in the standard
- unsigned int DigestSize() const
- {return 16;}
- lword MaxHeaderLength() const
- {return (W64LIT(1)<<61)-1;}
- lword MaxMessageLength() const
- {return ((W64LIT(1)<<39)-256)/8;}
-
-protected:
- // AuthenticatedSymmetricCipherBase
- bool AuthenticationIsOnPlaintext() const
- {return false;}
- unsigned int AuthenticationBlockSize() const
- {return HASH_BLOCKSIZE;}
- void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms);
- void Resync(const byte *iv, size_t len);
- size_t AuthenticateBlocks(const byte *data, size_t len);
- void AuthenticateLastHeaderBlock();
- void AuthenticateLastConfidentialBlock();
- void AuthenticateLastFooterBlock(byte *mac, size_t macSize);
- SymmetricCipher & AccessSymmetricCipher() {return m_ctr;}
-
- virtual BlockCipher & AccessBlockCipher() =0;
- virtual GCM_TablesOption GetTablesOption() const =0;
-
- const BlockCipher & GetBlockCipher() const {return const_cast<GCM_Base *>(this)->AccessBlockCipher();};
- byte *HashBuffer() {return m_buffer+REQUIRED_BLOCKSIZE;}
- byte *HashKey() {return m_buffer+2*REQUIRED_BLOCKSIZE;}
- byte *MulTable() {return m_buffer+3*REQUIRED_BLOCKSIZE;}
- inline void ReverseHashBufferIfNeeded();
-
- class CRYPTOPP_DLL GCTR : public CTR_Mode_ExternalCipher::Encryption
- {
- protected:
- void IncrementCounterBy256();
- };
-
- GCTR m_ctr;
- static word16 s_reductionTable[256];
- static volatile bool s_reductionTableInitialized;
- enum {REQUIRED_BLOCKSIZE = 16, HASH_BLOCKSIZE = 16};
-};
-
-//! .
-template <class T_BlockCipher, GCM_TablesOption T_TablesOption, bool T_IsEncryption>
-class GCM_Final : public GCM_Base
-{
-public:
- static std::string StaticAlgorithmName()
- {return T_BlockCipher::StaticAlgorithmName() + std::string("/GCM");}
- bool IsForwardTransformation() const
- {return T_IsEncryption;}
-
-private:
- GCM_TablesOption GetTablesOption() const {return T_TablesOption;}
- BlockCipher & AccessBlockCipher() {return m_cipher;}
- typename T_BlockCipher::Encryption m_cipher;
-};
-
-//! <a href="http://www.cryptolounge.org/wiki/GCM">GCM</a>
-template <class T_BlockCipher, GCM_TablesOption T_TablesOption=GCM_2K_Tables>
-struct GCM : public AuthenticatedSymmetricCipherDocumentation
-{
- typedef GCM_Final<T_BlockCipher, T_TablesOption, true> Encryption;
- typedef GCM_Final<T_BlockCipher, T_TablesOption, false> Decryption;
-};
-
-NAMESPACE_END
-
-#endif
+#ifndef CRYPTOPP_GCM_H +#define CRYPTOPP_GCM_H + +#include "authenc.h" +#include "modes.h" + +NAMESPACE_BEGIN(CryptoPP) + +//! . +enum GCM_TablesOption {GCM_2K_Tables, GCM_64K_Tables}; + +//! . +class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE GCM_Base : public AuthenticatedSymmetricCipherBase +{ +public: + // AuthenticatedSymmetricCipher + std::string AlgorithmName() const + {return GetBlockCipher().AlgorithmName() + std::string("/GCM");} + size_t MinKeyLength() const + {return GetBlockCipher().MinKeyLength();} + size_t MaxKeyLength() const + {return GetBlockCipher().MaxKeyLength();} + size_t DefaultKeyLength() const + {return GetBlockCipher().DefaultKeyLength();} + size_t GetValidKeyLength(size_t n) const + {return GetBlockCipher().GetValidKeyLength(n);} + bool IsValidKeyLength(size_t n) const + {return GetBlockCipher().IsValidKeyLength(n);} + unsigned int OptimalDataAlignment() const; + IV_Requirement IVRequirement() const + {return UNIQUE_IV;} + unsigned int IVSize() const + {return 12;} + unsigned int MinIVLength() const + {return 1;} + unsigned int MaxIVLength() const + {return UINT_MAX;} // (W64LIT(1)<<61)-1 in the standard + unsigned int DigestSize() const + {return 16;} + lword MaxHeaderLength() const + {return (W64LIT(1)<<61)-1;} + lword MaxMessageLength() const + {return ((W64LIT(1)<<39)-256)/8;} + +protected: + // AuthenticatedSymmetricCipherBase + bool AuthenticationIsOnPlaintext() const + {return false;} + unsigned int AuthenticationBlockSize() const + {return HASH_BLOCKSIZE;} + void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms); + void Resync(const byte *iv, size_t len); + size_t AuthenticateBlocks(const byte *data, size_t len); + void AuthenticateLastHeaderBlock(); + void AuthenticateLastConfidentialBlock(); + void AuthenticateLastFooterBlock(byte *mac, size_t macSize); + SymmetricCipher & AccessSymmetricCipher() {return m_ctr;} + + virtual BlockCipher & AccessBlockCipher() =0; + virtual GCM_TablesOption GetTablesOption() const =0; + + const BlockCipher & GetBlockCipher() const {return const_cast<GCM_Base *>(this)->AccessBlockCipher();}; + byte *HashBuffer() {return m_buffer+REQUIRED_BLOCKSIZE;} + byte *HashKey() {return m_buffer+2*REQUIRED_BLOCKSIZE;} + byte *MulTable() {return m_buffer+3*REQUIRED_BLOCKSIZE;} + inline void ReverseHashBufferIfNeeded(); + + class CRYPTOPP_DLL GCTR : public CTR_Mode_ExternalCipher::Encryption + { + protected: + void IncrementCounterBy256(); + }; + + GCTR m_ctr; + static word16 s_reductionTable[256]; + static volatile bool s_reductionTableInitialized; + enum {REQUIRED_BLOCKSIZE = 16, HASH_BLOCKSIZE = 16}; +}; + +//! . +template <class T_BlockCipher, GCM_TablesOption T_TablesOption, bool T_IsEncryption> +class GCM_Final : public GCM_Base +{ +public: + static std::string StaticAlgorithmName() + {return T_BlockCipher::StaticAlgorithmName() + std::string("/GCM");} + bool IsForwardTransformation() const + {return T_IsEncryption;} + +private: + GCM_TablesOption GetTablesOption() const {return T_TablesOption;} + BlockCipher & AccessBlockCipher() {return m_cipher;} + typename T_BlockCipher::Encryption m_cipher; +}; + +//! <a href="http://www.cryptolounge.org/wiki/GCM">GCM</a> +template <class T_BlockCipher, GCM_TablesOption T_TablesOption=GCM_2K_Tables> +struct GCM : public AuthenticatedSymmetricCipherDocumentation +{ + typedef GCM_Final<T_BlockCipher, T_TablesOption, true> Encryption; + typedef GCM_Final<T_BlockCipher, T_TablesOption, false> Decryption; +}; + +NAMESPACE_END + +#endif diff --git a/CryptoPP/seed.cpp b/CryptoPP/seed.cpp index 6c739b474..101902dce 100644 --- a/CryptoPP/seed.cpp +++ b/CryptoPP/seed.cpp @@ -1,104 +1,104 @@ -// seed.cpp - written and placed in the public domain by Wei Dai
-
-#include "pch.h"
-#include "seed.h"
-#include "misc.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-static const word32 s_kc[16] = {
- 0x9e3779b9, 0x3c6ef373, 0x78dde6e6, 0xf1bbcdcc, 0xe3779b99, 0xc6ef3733, 0x8dde6e67, 0x1bbcdccf,
- 0x3779b99e, 0x6ef3733c, 0xdde6e678, 0xbbcdccf1, 0x779b99e3, 0xef3733c6, 0xde6e678d, 0xbcdccf1b};
-
-static const byte s_s0[256] = {
- 0xA9, 0x85, 0xD6, 0xD3, 0x54, 0x1D, 0xAC, 0x25, 0x5D, 0x43, 0x18, 0x1E, 0x51, 0xFC, 0xCA, 0x63, 0x28,
- 0x44, 0x20, 0x9D, 0xE0, 0xE2, 0xC8, 0x17, 0xA5, 0x8F, 0x03, 0x7B, 0xBB, 0x13, 0xD2, 0xEE, 0x70, 0x8C,
- 0x3F, 0xA8, 0x32, 0xDD, 0xF6, 0x74, 0xEC, 0x95, 0x0B, 0x57, 0x5C, 0x5B, 0xBD, 0x01, 0x24, 0x1C, 0x73,
- 0x98, 0x10, 0xCC, 0xF2, 0xD9, 0x2C, 0xE7, 0x72, 0x83, 0x9B, 0xD1, 0x86, 0xC9, 0x60, 0x50, 0xA3, 0xEB,
- 0x0D, 0xB6, 0x9E, 0x4F, 0xB7, 0x5A, 0xC6, 0x78, 0xA6, 0x12, 0xAF, 0xD5, 0x61, 0xC3, 0xB4, 0x41, 0x52,
- 0x7D, 0x8D, 0x08, 0x1F, 0x99, 0x00, 0x19, 0x04, 0x53, 0xF7, 0xE1, 0xFD, 0x76, 0x2F, 0x27, 0xB0, 0x8B,
- 0x0E, 0xAB, 0xA2, 0x6E, 0x93, 0x4D, 0x69, 0x7C, 0x09, 0x0A, 0xBF, 0xEF, 0xF3, 0xC5, 0x87, 0x14, 0xFE,
- 0x64, 0xDE, 0x2E, 0x4B, 0x1A, 0x06, 0x21, 0x6B, 0x66, 0x02, 0xF5, 0x92, 0x8A, 0x0C, 0xB3, 0x7E, 0xD0,
- 0x7A, 0x47, 0x96, 0xE5, 0x26, 0x80, 0xAD, 0xDF, 0xA1, 0x30, 0x37, 0xAE, 0x36, 0x15, 0x22, 0x38, 0xF4,
- 0xA7, 0x45, 0x4C, 0x81, 0xE9, 0x84, 0x97, 0x35, 0xCB, 0xCE, 0x3C, 0x71, 0x11, 0xC7, 0x89, 0x75, 0xFB,
- 0xDA, 0xF8, 0x94, 0x59, 0x82, 0xC4, 0xFF, 0x49, 0x39, 0x67, 0xC0, 0xCF, 0xD7, 0xB8, 0x0F, 0x8E, 0x42,
- 0x23, 0x91, 0x6C, 0xDB, 0xA4, 0x34, 0xF1, 0x48, 0xC2, 0x6F, 0x3D, 0x2D, 0x40, 0xBE, 0x3E, 0xBC, 0xC1,
- 0xAA, 0xBA, 0x4E, 0x55, 0x3B, 0xDC, 0x68, 0x7F, 0x9C, 0xD8, 0x4A, 0x56, 0x77, 0xA0, 0xED, 0x46, 0xB5,
- 0x2B, 0x65, 0xFA, 0xE3, 0xB9, 0xB1, 0x9F, 0x5E, 0xF9, 0xE6, 0xB2, 0x31, 0xEA, 0x6D, 0x5F, 0xE4, 0xF0,
- 0xCD, 0x88, 0x16, 0x3A, 0x58, 0xD4, 0x62, 0x29, 0x07, 0x33, 0xE8, 0x1B, 0x05, 0x79, 0x90, 0x6A, 0x2A,
- 0x9A};
-
-static const byte s_s1[256] = {
- 0x38, 0xE8, 0x2D, 0xA6, 0xCF, 0xDE, 0xB3, 0xB8, 0xAF, 0x60, 0x55, 0xC7, 0x44, 0x6F, 0x6B, 0x5B, 0xC3,
- 0x62, 0x33, 0xB5, 0x29, 0xA0, 0xE2, 0xA7, 0xD3, 0x91, 0x11, 0x06, 0x1C, 0xBC, 0x36, 0x4B, 0xEF, 0x88,
- 0x6C, 0xA8, 0x17, 0xC4, 0x16, 0xF4, 0xC2, 0x45, 0xE1, 0xD6, 0x3F, 0x3D, 0x8E, 0x98, 0x28, 0x4E, 0xF6,
- 0x3E, 0xA5, 0xF9, 0x0D, 0xDF, 0xD8, 0x2B, 0x66, 0x7A, 0x27, 0x2F, 0xF1, 0x72, 0x42, 0xD4, 0x41, 0xC0,
- 0x73, 0x67, 0xAC, 0x8B, 0xF7, 0xAD, 0x80, 0x1F, 0xCA, 0x2C, 0xAA, 0x34, 0xD2, 0x0B, 0xEE, 0xE9, 0x5D,
- 0x94, 0x18, 0xF8, 0x57, 0xAE, 0x08, 0xC5, 0x13, 0xCD, 0x86, 0xB9, 0xFF, 0x7D, 0xC1, 0x31, 0xF5, 0x8A,
- 0x6A, 0xB1, 0xD1, 0x20, 0xD7, 0x02, 0x22, 0x04, 0x68, 0x71, 0x07, 0xDB, 0x9D, 0x99, 0x61, 0xBE, 0xE6,
- 0x59, 0xDD, 0x51, 0x90, 0xDC, 0x9A, 0xA3, 0xAB, 0xD0, 0x81, 0x0F, 0x47, 0x1A, 0xE3, 0xEC, 0x8D, 0xBF,
- 0x96, 0x7B, 0x5C, 0xA2, 0xA1, 0x63, 0x23, 0x4D, 0xC8, 0x9E, 0x9C, 0x3A, 0x0C, 0x2E, 0xBA, 0x6E, 0x9F,
- 0x5A, 0xF2, 0x92, 0xF3, 0x49, 0x78, 0xCC, 0x15, 0xFB, 0x70, 0x75, 0x7F, 0x35, 0x10, 0x03, 0x64, 0x6D,
- 0xC6, 0x74, 0xD5, 0xB4, 0xEA, 0x09, 0x76, 0x19, 0xFE, 0x40, 0x12, 0xE0, 0xBD, 0x05, 0xFA, 0x01, 0xF0,
- 0x2A, 0x5E, 0xA9, 0x56, 0x43, 0x85, 0x14, 0x89, 0x9B, 0xB0, 0xE5, 0x48, 0x79, 0x97, 0xFC, 0x1E, 0x82,
- 0x21, 0x8C, 0x1B, 0x5F, 0x77, 0x54, 0xB2, 0x1D, 0x25, 0x4F, 0x00, 0x46, 0xED, 0x58, 0x52, 0xEB, 0x7E,
- 0xDA, 0xC9, 0xFD, 0x30, 0x95, 0x65, 0x3C, 0xB6, 0xE4, 0xBB, 0x7C, 0x0E, 0x50, 0x39, 0x26, 0x32, 0x84,
- 0x69, 0x93, 0x37, 0xE7, 0x24, 0xA4, 0xCB, 0x53, 0x0A, 0x87, 0xD9, 0x4C, 0x83, 0x8F, 0xCE, 0x3B, 0x4A,
- 0xB7};
-
-#define SS0(x) ((s_s0[x]*0x01010101UL) & 0x3FCFF3FC)
-#define SS1(x) ((s_s1[x]*0x01010101UL) & 0xFC3FCFF3)
-#define SS2(x) ((s_s0[x]*0x01010101UL) & 0xF3FC3FCF)
-#define SS3(x) ((s_s1[x]*0x01010101UL) & 0xCFF3FC3F)
-#define G(x) (SS0(GETBYTE(x, 0)) ^ SS1(GETBYTE(x, 1)) ^ SS2(GETBYTE(x, 2)) ^ SS3(GETBYTE(x, 3)))
-
-void SEED::Base::UncheckedSetKey(const byte *userKey, unsigned int length, const NameValuePairs ¶ms)
-{
- AssertValidKeyLength(length);
-
- word64 key01, key23;
- GetBlock<word64, BigEndian> get(userKey);
- get(key01)(key23);
- word32 *k = m_k;
- size_t kInc = 2;
- if (!IsForwardTransformation())
- {
- k = k+30;
- kInc = 0-kInc;
- }
-
- for (int i=0; i<ROUNDS; i++)
- {
- word32 t0 = word32(key01>>32) + word32(key23>>32) - s_kc[i];
- word32 t1 = word32(key01) - word32(key23) + s_kc[i];
- k[0] = G(t0);
- k[1] = G(t1);
- k+=kInc;
- if (i&1)
- key23 = rotlFixed<word64>(key23, 8);
- else
- key01 = rotrFixed<word64>(key01, 8);
- }
-}
-
-void SEED::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
-{
- typedef BlockGetAndPut<word32, BigEndian> Block;
- word32 a0, a1, b0, b1, t0, t1;
- Block::Get(inBlock)(a0)(a1)(b0)(b1);
-
- for (int i=0; i<ROUNDS; i+=2)
- {
- t0 = b0 ^ m_k[2*i+0]; t1 = b1 ^ m_k[2*i+1] ^ t0;
- t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1);
- a0 ^= t0 + t1; a1 ^= t1;
-
- t0 = a0 ^ m_k[2*i+2]; t1 = a1 ^ m_k[2*i+3] ^ t0;
- t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1);
- b0 ^= t0 + t1; b1 ^= t1;
- }
-
- Block::Put(xorBlock, outBlock)(b0)(b1)(a0)(a1);
-}
-
-NAMESPACE_END
+// seed.cpp - written and placed in the public domain by Wei Dai + +#include "pch.h" +#include "seed.h" +#include "misc.h" + +NAMESPACE_BEGIN(CryptoPP) + +static const word32 s_kc[16] = { + 0x9e3779b9, 0x3c6ef373, 0x78dde6e6, 0xf1bbcdcc, 0xe3779b99, 0xc6ef3733, 0x8dde6e67, 0x1bbcdccf, + 0x3779b99e, 0x6ef3733c, 0xdde6e678, 0xbbcdccf1, 0x779b99e3, 0xef3733c6, 0xde6e678d, 0xbcdccf1b}; + +static const byte s_s0[256] = { + 0xA9, 0x85, 0xD6, 0xD3, 0x54, 0x1D, 0xAC, 0x25, 0x5D, 0x43, 0x18, 0x1E, 0x51, 0xFC, 0xCA, 0x63, 0x28, + 0x44, 0x20, 0x9D, 0xE0, 0xE2, 0xC8, 0x17, 0xA5, 0x8F, 0x03, 0x7B, 0xBB, 0x13, 0xD2, 0xEE, 0x70, 0x8C, + 0x3F, 0xA8, 0x32, 0xDD, 0xF6, 0x74, 0xEC, 0x95, 0x0B, 0x57, 0x5C, 0x5B, 0xBD, 0x01, 0x24, 0x1C, 0x73, + 0x98, 0x10, 0xCC, 0xF2, 0xD9, 0x2C, 0xE7, 0x72, 0x83, 0x9B, 0xD1, 0x86, 0xC9, 0x60, 0x50, 0xA3, 0xEB, + 0x0D, 0xB6, 0x9E, 0x4F, 0xB7, 0x5A, 0xC6, 0x78, 0xA6, 0x12, 0xAF, 0xD5, 0x61, 0xC3, 0xB4, 0x41, 0x52, + 0x7D, 0x8D, 0x08, 0x1F, 0x99, 0x00, 0x19, 0x04, 0x53, 0xF7, 0xE1, 0xFD, 0x76, 0x2F, 0x27, 0xB0, 0x8B, + 0x0E, 0xAB, 0xA2, 0x6E, 0x93, 0x4D, 0x69, 0x7C, 0x09, 0x0A, 0xBF, 0xEF, 0xF3, 0xC5, 0x87, 0x14, 0xFE, + 0x64, 0xDE, 0x2E, 0x4B, 0x1A, 0x06, 0x21, 0x6B, 0x66, 0x02, 0xF5, 0x92, 0x8A, 0x0C, 0xB3, 0x7E, 0xD0, + 0x7A, 0x47, 0x96, 0xE5, 0x26, 0x80, 0xAD, 0xDF, 0xA1, 0x30, 0x37, 0xAE, 0x36, 0x15, 0x22, 0x38, 0xF4, + 0xA7, 0x45, 0x4C, 0x81, 0xE9, 0x84, 0x97, 0x35, 0xCB, 0xCE, 0x3C, 0x71, 0x11, 0xC7, 0x89, 0x75, 0xFB, + 0xDA, 0xF8, 0x94, 0x59, 0x82, 0xC4, 0xFF, 0x49, 0x39, 0x67, 0xC0, 0xCF, 0xD7, 0xB8, 0x0F, 0x8E, 0x42, + 0x23, 0x91, 0x6C, 0xDB, 0xA4, 0x34, 0xF1, 0x48, 0xC2, 0x6F, 0x3D, 0x2D, 0x40, 0xBE, 0x3E, 0xBC, 0xC1, + 0xAA, 0xBA, 0x4E, 0x55, 0x3B, 0xDC, 0x68, 0x7F, 0x9C, 0xD8, 0x4A, 0x56, 0x77, 0xA0, 0xED, 0x46, 0xB5, + 0x2B, 0x65, 0xFA, 0xE3, 0xB9, 0xB1, 0x9F, 0x5E, 0xF9, 0xE6, 0xB2, 0x31, 0xEA, 0x6D, 0x5F, 0xE4, 0xF0, + 0xCD, 0x88, 0x16, 0x3A, 0x58, 0xD4, 0x62, 0x29, 0x07, 0x33, 0xE8, 0x1B, 0x05, 0x79, 0x90, 0x6A, 0x2A, + 0x9A}; + +static const byte s_s1[256] = { + 0x38, 0xE8, 0x2D, 0xA6, 0xCF, 0xDE, 0xB3, 0xB8, 0xAF, 0x60, 0x55, 0xC7, 0x44, 0x6F, 0x6B, 0x5B, 0xC3, + 0x62, 0x33, 0xB5, 0x29, 0xA0, 0xE2, 0xA7, 0xD3, 0x91, 0x11, 0x06, 0x1C, 0xBC, 0x36, 0x4B, 0xEF, 0x88, + 0x6C, 0xA8, 0x17, 0xC4, 0x16, 0xF4, 0xC2, 0x45, 0xE1, 0xD6, 0x3F, 0x3D, 0x8E, 0x98, 0x28, 0x4E, 0xF6, + 0x3E, 0xA5, 0xF9, 0x0D, 0xDF, 0xD8, 0x2B, 0x66, 0x7A, 0x27, 0x2F, 0xF1, 0x72, 0x42, 0xD4, 0x41, 0xC0, + 0x73, 0x67, 0xAC, 0x8B, 0xF7, 0xAD, 0x80, 0x1F, 0xCA, 0x2C, 0xAA, 0x34, 0xD2, 0x0B, 0xEE, 0xE9, 0x5D, + 0x94, 0x18, 0xF8, 0x57, 0xAE, 0x08, 0xC5, 0x13, 0xCD, 0x86, 0xB9, 0xFF, 0x7D, 0xC1, 0x31, 0xF5, 0x8A, + 0x6A, 0xB1, 0xD1, 0x20, 0xD7, 0x02, 0x22, 0x04, 0x68, 0x71, 0x07, 0xDB, 0x9D, 0x99, 0x61, 0xBE, 0xE6, + 0x59, 0xDD, 0x51, 0x90, 0xDC, 0x9A, 0xA3, 0xAB, 0xD0, 0x81, 0x0F, 0x47, 0x1A, 0xE3, 0xEC, 0x8D, 0xBF, + 0x96, 0x7B, 0x5C, 0xA2, 0xA1, 0x63, 0x23, 0x4D, 0xC8, 0x9E, 0x9C, 0x3A, 0x0C, 0x2E, 0xBA, 0x6E, 0x9F, + 0x5A, 0xF2, 0x92, 0xF3, 0x49, 0x78, 0xCC, 0x15, 0xFB, 0x70, 0x75, 0x7F, 0x35, 0x10, 0x03, 0x64, 0x6D, + 0xC6, 0x74, 0xD5, 0xB4, 0xEA, 0x09, 0x76, 0x19, 0xFE, 0x40, 0x12, 0xE0, 0xBD, 0x05, 0xFA, 0x01, 0xF0, + 0x2A, 0x5E, 0xA9, 0x56, 0x43, 0x85, 0x14, 0x89, 0x9B, 0xB0, 0xE5, 0x48, 0x79, 0x97, 0xFC, 0x1E, 0x82, + 0x21, 0x8C, 0x1B, 0x5F, 0x77, 0x54, 0xB2, 0x1D, 0x25, 0x4F, 0x00, 0x46, 0xED, 0x58, 0x52, 0xEB, 0x7E, + 0xDA, 0xC9, 0xFD, 0x30, 0x95, 0x65, 0x3C, 0xB6, 0xE4, 0xBB, 0x7C, 0x0E, 0x50, 0x39, 0x26, 0x32, 0x84, + 0x69, 0x93, 0x37, 0xE7, 0x24, 0xA4, 0xCB, 0x53, 0x0A, 0x87, 0xD9, 0x4C, 0x83, 0x8F, 0xCE, 0x3B, 0x4A, + 0xB7}; + +#define SS0(x) ((s_s0[x]*0x01010101UL) & 0x3FCFF3FC) +#define SS1(x) ((s_s1[x]*0x01010101UL) & 0xFC3FCFF3) +#define SS2(x) ((s_s0[x]*0x01010101UL) & 0xF3FC3FCF) +#define SS3(x) ((s_s1[x]*0x01010101UL) & 0xCFF3FC3F) +#define G(x) (SS0(GETBYTE(x, 0)) ^ SS1(GETBYTE(x, 1)) ^ SS2(GETBYTE(x, 2)) ^ SS3(GETBYTE(x, 3))) + +void SEED::Base::UncheckedSetKey(const byte *userKey, unsigned int length, const NameValuePairs ¶ms) +{ + AssertValidKeyLength(length); + + word64 key01, key23; + GetBlock<word64, BigEndian> get(userKey); + get(key01)(key23); + word32 *k = m_k; + size_t kInc = 2; + if (!IsForwardTransformation()) + { + k = k+30; + kInc = 0-kInc; + } + + for (int i=0; i<ROUNDS; i++) + { + word32 t0 = word32(key01>>32) + word32(key23>>32) - s_kc[i]; + word32 t1 = word32(key01) - word32(key23) + s_kc[i]; + k[0] = G(t0); + k[1] = G(t1); + k+=kInc; + if (i&1) + key23 = rotlFixed<word64>(key23, 8); + else + key01 = rotrFixed<word64>(key01, 8); + } +} + +void SEED::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const +{ + typedef BlockGetAndPut<word32, BigEndian> Block; + word32 a0, a1, b0, b1, t0, t1; + Block::Get(inBlock)(a0)(a1)(b0)(b1); + + for (int i=0; i<ROUNDS; i+=2) + { + t0 = b0 ^ m_k[2*i+0]; t1 = b1 ^ m_k[2*i+1] ^ t0; + t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1); + a0 ^= t0 + t1; a1 ^= t1; + + t0 = a0 ^ m_k[2*i+2]; t1 = a1 ^ m_k[2*i+3] ^ t0; + t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1); + b0 ^= t0 + t1; b1 ^= t1; + } + + Block::Put(xorBlock, outBlock)(b0)(b1)(a0)(a1); +} + +NAMESPACE_END |