summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/modes/gcm128.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/modes/gcm128.c')
-rw-r--r--src/lib/libcrypto/modes/gcm128.c196
1 files changed, 172 insertions, 24 deletions
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 7d6d034970..e1dc2b0f47 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
723# endif 723# endif
724 gcm_init_4bit(ctx->Htable,ctx->H.u); 724 gcm_init_4bit(ctx->Htable,ctx->H.u);
725# if defined(GHASH_ASM_X86) /* x86 only */ 725# if defined(GHASH_ASM_X86) /* x86 only */
726# if defined(OPENSSL_IA32_SSE2) 726# if defined(OPENSSL_IA32_SSE2)
727 if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */ 727 if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */
728# else 728# else
729 if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */ 729 if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */
@@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
810 GCM_MUL(ctx,Yi); 810 GCM_MUL(ctx,Yi);
811 811
812 if (is_endian.little) 812 if (is_endian.little)
813#ifdef BSWAP4
814 ctr = BSWAP4(ctx->Yi.d[3]);
815#else
813 ctr = GETU32(ctx->Yi.c+12); 816 ctr = GETU32(ctx->Yi.c+12);
817#endif
814 else 818 else
815 ctr = ctx->Yi.d[3]; 819 ctr = ctx->Yi.d[3];
816 } 820 }
@@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
818 (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key); 822 (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
819 ++ctr; 823 ++ctr;
820 if (is_endian.little) 824 if (is_endian.little)
825#ifdef BSWAP4
826 ctx->Yi.d[3] = BSWAP4(ctr);
827#else
821 PUTU32(ctx->Yi.c+12,ctr); 828 PUTU32(ctx->Yi.c+12,ctr);
829#endif
822 else 830 else
823 ctx->Yi.d[3] = ctr; 831 ctx->Yi.d[3] = ctr;
824} 832}
@@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
913 } 921 }
914 922
915 if (is_endian.little) 923 if (is_endian.little)
924#ifdef BSWAP4
925 ctr = BSWAP4(ctx->Yi.d[3]);
926#else
916 ctr = GETU32(ctx->Yi.c+12); 927 ctr = GETU32(ctx->Yi.c+12);
928#endif
917 else 929 else
918 ctr = ctx->Yi.d[3]; 930 ctr = ctx->Yi.d[3];
919 931
@@ -941,15 +953,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
941 size_t j=GHASH_CHUNK; 953 size_t j=GHASH_CHUNK;
942 954
943 while (j) { 955 while (j) {
956 size_t *out_t=(size_t *)out;
957 const size_t *in_t=(const size_t *)in;
958
944 (*block)(ctx->Yi.c,ctx->EKi.c,key); 959 (*block)(ctx->Yi.c,ctx->EKi.c,key);
945 ++ctr; 960 ++ctr;
946 if (is_endian.little) 961 if (is_endian.little)
962#ifdef BSWAP4
963 ctx->Yi.d[3] = BSWAP4(ctr);
964#else
947 PUTU32(ctx->Yi.c+12,ctr); 965 PUTU32(ctx->Yi.c+12,ctr);
966#endif
948 else 967 else
949 ctx->Yi.d[3] = ctr; 968 ctx->Yi.d[3] = ctr;
950 for (i=0; i<16; i+=sizeof(size_t)) 969 for (i=0; i<16/sizeof(size_t); ++i)
951 *(size_t *)(out+i) = 970 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
952 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
953 out += 16; 971 out += 16;
954 in += 16; 972 in += 16;
955 j -= 16; 973 j -= 16;
@@ -961,15 +979,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
961 size_t j=i; 979 size_t j=i;
962 980
963 while (len>=16) { 981 while (len>=16) {
982 size_t *out_t=(size_t *)out;
983 const size_t *in_t=(const size_t *)in;
984
964 (*block)(ctx->Yi.c,ctx->EKi.c,key); 985 (*block)(ctx->Yi.c,ctx->EKi.c,key);
965 ++ctr; 986 ++ctr;
966 if (is_endian.little) 987 if (is_endian.little)
988#ifdef BSWAP4
989 ctx->Yi.d[3] = BSWAP4(ctr);
990#else
967 PUTU32(ctx->Yi.c+12,ctr); 991 PUTU32(ctx->Yi.c+12,ctr);
992#endif
968 else 993 else
969 ctx->Yi.d[3] = ctr; 994 ctx->Yi.d[3] = ctr;
970 for (i=0; i<16; i+=sizeof(size_t)) 995 for (i=0; i<16/sizeof(size_t); ++i)
971 *(size_t *)(out+i) = 996 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
972 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
973 out += 16; 997 out += 16;
974 in += 16; 998 in += 16;
975 len -= 16; 999 len -= 16;
@@ -978,16 +1002,22 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
978 } 1002 }
979#else 1003#else
980 while (len>=16) { 1004 while (len>=16) {
1005 size_t *out_t=(size_t *)out;
1006 const size_t *in_t=(const size_t *)in;
1007
981 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1008 (*block)(ctx->Yi.c,ctx->EKi.c,key);
982 ++ctr; 1009 ++ctr;
983 if (is_endian.little) 1010 if (is_endian.little)
1011#ifdef BSWAP4
1012 ctx->Yi.d[3] = BSWAP4(ctr);
1013#else
984 PUTU32(ctx->Yi.c+12,ctr); 1014 PUTU32(ctx->Yi.c+12,ctr);
1015#endif
985 else 1016 else
986 ctx->Yi.d[3] = ctr; 1017 ctx->Yi.d[3] = ctr;
987 for (i=0; i<16; i+=sizeof(size_t)) 1018 for (i=0; i<16/sizeof(size_t); ++i)
988 *(size_t *)(ctx->Xi.c+i) ^= 1019 ctx->Xi.t[i] ^=
989 *(size_t *)(out+i) = 1020 out_t[i] = in_t[i]^ctx->EKi.t[i];
990 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
991 GCM_MUL(ctx,Xi); 1021 GCM_MUL(ctx,Xi);
992 out += 16; 1022 out += 16;
993 in += 16; 1023 in += 16;
@@ -998,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
998 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1028 (*block)(ctx->Yi.c,ctx->EKi.c,key);
999 ++ctr; 1029 ++ctr;
1000 if (is_endian.little) 1030 if (is_endian.little)
1031#ifdef BSWAP4
1032 ctx->Yi.d[3] = BSWAP4(ctr);
1033#else
1001 PUTU32(ctx->Yi.c+12,ctr); 1034 PUTU32(ctx->Yi.c+12,ctr);
1035#endif
1002 else 1036 else
1003 ctx->Yi.d[3] = ctr; 1037 ctx->Yi.d[3] = ctr;
1004 while (len--) { 1038 while (len--) {
@@ -1016,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
1016 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1050 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1017 ++ctr; 1051 ++ctr;
1018 if (is_endian.little) 1052 if (is_endian.little)
1053#ifdef BSWAP4
1054 ctx->Yi.d[3] = BSWAP4(ctr);
1055#else
1019 PUTU32(ctx->Yi.c+12,ctr); 1056 PUTU32(ctx->Yi.c+12,ctr);
1057#endif
1020 else 1058 else
1021 ctx->Yi.d[3] = ctr; 1059 ctx->Yi.d[3] = ctr;
1022 } 1060 }
@@ -1060,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1060 } 1098 }
1061 1099
1062 if (is_endian.little) 1100 if (is_endian.little)
1101#ifdef BSWAP4
1102 ctr = BSWAP4(ctx->Yi.d[3]);
1103#else
1063 ctr = GETU32(ctx->Yi.c+12); 1104 ctr = GETU32(ctx->Yi.c+12);
1105#endif
1064 else 1106 else
1065 ctr = ctx->Yi.d[3]; 1107 ctr = ctx->Yi.d[3];
1066 1108
@@ -1091,15 +1133,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1091 1133
1092 GHASH(ctx,in,GHASH_CHUNK); 1134 GHASH(ctx,in,GHASH_CHUNK);
1093 while (j) { 1135 while (j) {
1136 size_t *out_t=(size_t *)out;
1137 const size_t *in_t=(const size_t *)in;
1138
1094 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1139 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1095 ++ctr; 1140 ++ctr;
1096 if (is_endian.little) 1141 if (is_endian.little)
1142#ifdef BSWAP4
1143 ctx->Yi.d[3] = BSWAP4(ctr);
1144#else
1097 PUTU32(ctx->Yi.c+12,ctr); 1145 PUTU32(ctx->Yi.c+12,ctr);
1146#endif
1098 else 1147 else
1099 ctx->Yi.d[3] = ctr; 1148 ctx->Yi.d[3] = ctr;
1100 for (i=0; i<16; i+=sizeof(size_t)) 1149 for (i=0; i<16/sizeof(size_t); ++i)
1101 *(size_t *)(out+i) = 1150 out_t[i] = in_t[i]^ctx->EKi.t[i];
1102 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
1103 out += 16; 1151 out += 16;
1104 in += 16; 1152 in += 16;
1105 j -= 16; 1153 j -= 16;
@@ -1109,15 +1157,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1109 if ((i = (len&(size_t)-16))) { 1157 if ((i = (len&(size_t)-16))) {
1110 GHASH(ctx,in,i); 1158 GHASH(ctx,in,i);
1111 while (len>=16) { 1159 while (len>=16) {
1160 size_t *out_t=(size_t *)out;
1161 const size_t *in_t=(const size_t *)in;
1162
1112 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1163 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1113 ++ctr; 1164 ++ctr;
1114 if (is_endian.little) 1165 if (is_endian.little)
1166#ifdef BSWAP4
1167 ctx->Yi.d[3] = BSWAP4(ctr);
1168#else
1115 PUTU32(ctx->Yi.c+12,ctr); 1169 PUTU32(ctx->Yi.c+12,ctr);
1170#endif
1116 else 1171 else
1117 ctx->Yi.d[3] = ctr; 1172 ctx->Yi.d[3] = ctr;
1118 for (i=0; i<16; i+=sizeof(size_t)) 1173 for (i=0; i<16/sizeof(size_t); ++i)
1119 *(size_t *)(out+i) = 1174 out_t[i] = in_t[i]^ctx->EKi.t[i];
1120 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
1121 out += 16; 1175 out += 16;
1122 in += 16; 1176 in += 16;
1123 len -= 16; 1177 len -= 16;
@@ -1125,16 +1179,23 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1125 } 1179 }
1126#else 1180#else
1127 while (len>=16) { 1181 while (len>=16) {
1182 size_t *out_t=(size_t *)out;
1183 const size_t *in_t=(const size_t *)in;
1184
1128 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1185 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1129 ++ctr; 1186 ++ctr;
1130 if (is_endian.little) 1187 if (is_endian.little)
1188#ifdef BSWAP4
1189 ctx->Yi.d[3] = BSWAP4(ctr);
1190#else
1131 PUTU32(ctx->Yi.c+12,ctr); 1191 PUTU32(ctx->Yi.c+12,ctr);
1192#endif
1132 else 1193 else
1133 ctx->Yi.d[3] = ctr; 1194 ctx->Yi.d[3] = ctr;
1134 for (i=0; i<16; i+=sizeof(size_t)) { 1195 for (i=0; i<16/sizeof(size_t); ++i) {
1135 size_t c = *(size_t *)(in+i); 1196 size_t c = in[i];
1136 *(size_t *)(out+i) = c^*(size_t *)(ctx->EKi.c+i); 1197 out[i] = c^ctx->EKi.t[i];
1137 *(size_t *)(ctx->Xi.c+i) ^= c; 1198 ctx->Xi.t[i] ^= c;
1138 } 1199 }
1139 GCM_MUL(ctx,Xi); 1200 GCM_MUL(ctx,Xi);
1140 out += 16; 1201 out += 16;
@@ -1146,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1146 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1207 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1147 ++ctr; 1208 ++ctr;
1148 if (is_endian.little) 1209 if (is_endian.little)
1210#ifdef BSWAP4
1211 ctx->Yi.d[3] = BSWAP4(ctr);
1212#else
1149 PUTU32(ctx->Yi.c+12,ctr); 1213 PUTU32(ctx->Yi.c+12,ctr);
1214#endif
1150 else 1215 else
1151 ctx->Yi.d[3] = ctr; 1216 ctx->Yi.d[3] = ctr;
1152 while (len--) { 1217 while (len--) {
@@ -1167,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1167 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1232 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1168 ++ctr; 1233 ++ctr;
1169 if (is_endian.little) 1234 if (is_endian.little)
1235#ifdef BSWAP4
1236 ctx->Yi.d[3] = BSWAP4(ctr);
1237#else
1170 PUTU32(ctx->Yi.c+12,ctr); 1238 PUTU32(ctx->Yi.c+12,ctr);
1239#endif
1171 else 1240 else
1172 ctx->Yi.d[3] = ctr; 1241 ctx->Yi.d[3] = ctr;
1173 } 1242 }
@@ -1212,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1212 } 1281 }
1213 1282
1214 if (is_endian.little) 1283 if (is_endian.little)
1284#ifdef BSWAP4
1285 ctr = BSWAP4(ctx->Yi.d[3]);
1286#else
1215 ctr = GETU32(ctx->Yi.c+12); 1287 ctr = GETU32(ctx->Yi.c+12);
1288#endif
1216 else 1289 else
1217 ctr = ctx->Yi.d[3]; 1290 ctr = ctx->Yi.d[3];
1218 1291
@@ -1234,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1234 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c); 1307 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
1235 ctr += GHASH_CHUNK/16; 1308 ctr += GHASH_CHUNK/16;
1236 if (is_endian.little) 1309 if (is_endian.little)
1310#ifdef BSWAP4
1311 ctx->Yi.d[3] = BSWAP4(ctr);
1312#else
1237 PUTU32(ctx->Yi.c+12,ctr); 1313 PUTU32(ctx->Yi.c+12,ctr);
1314#endif
1238 else 1315 else
1239 ctx->Yi.d[3] = ctr; 1316 ctx->Yi.d[3] = ctr;
1240 GHASH(ctx,out,GHASH_CHUNK); 1317 GHASH(ctx,out,GHASH_CHUNK);
@@ -1249,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1249 (*stream)(in,out,j,key,ctx->Yi.c); 1326 (*stream)(in,out,j,key,ctx->Yi.c);
1250 ctr += (unsigned int)j; 1327 ctr += (unsigned int)j;
1251 if (is_endian.little) 1328 if (is_endian.little)
1329#ifdef BSWAP4
1330 ctx->Yi.d[3] = BSWAP4(ctr);
1331#else
1252 PUTU32(ctx->Yi.c+12,ctr); 1332 PUTU32(ctx->Yi.c+12,ctr);
1333#endif
1253 else 1334 else
1254 ctx->Yi.d[3] = ctr; 1335 ctx->Yi.d[3] = ctr;
1255 in += i; 1336 in += i;
@@ -1269,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1269 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key); 1350 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
1270 ++ctr; 1351 ++ctr;
1271 if (is_endian.little) 1352 if (is_endian.little)
1353#ifdef BSWAP4
1354 ctx->Yi.d[3] = BSWAP4(ctr);
1355#else
1272 PUTU32(ctx->Yi.c+12,ctr); 1356 PUTU32(ctx->Yi.c+12,ctr);
1357#endif
1273 else 1358 else
1274 ctx->Yi.d[3] = ctr; 1359 ctx->Yi.d[3] = ctr;
1275 while (len--) { 1360 while (len--) {
@@ -1311,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1311 } 1396 }
1312 1397
1313 if (is_endian.little) 1398 if (is_endian.little)
1399#ifdef BSWAP4
1400 ctr = BSWAP4(ctx->Yi.d[3]);
1401#else
1314 ctr = GETU32(ctx->Yi.c+12); 1402 ctr = GETU32(ctx->Yi.c+12);
1403#endif
1315 else 1404 else
1316 ctr = ctx->Yi.d[3]; 1405 ctr = ctx->Yi.d[3];
1317 1406
@@ -1336,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1336 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c); 1425 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
1337 ctr += GHASH_CHUNK/16; 1426 ctr += GHASH_CHUNK/16;
1338 if (is_endian.little) 1427 if (is_endian.little)
1428#ifdef BSWAP4
1429 ctx->Yi.d[3] = BSWAP4(ctr);
1430#else
1339 PUTU32(ctx->Yi.c+12,ctr); 1431 PUTU32(ctx->Yi.c+12,ctr);
1432#endif
1340 else 1433 else
1341 ctx->Yi.d[3] = ctr; 1434 ctx->Yi.d[3] = ctr;
1342 out += GHASH_CHUNK; 1435 out += GHASH_CHUNK;
@@ -1362,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1362 (*stream)(in,out,j,key,ctx->Yi.c); 1455 (*stream)(in,out,j,key,ctx->Yi.c);
1363 ctr += (unsigned int)j; 1456 ctr += (unsigned int)j;
1364 if (is_endian.little) 1457 if (is_endian.little)
1458#ifdef BSWAP4
1459 ctx->Yi.d[3] = BSWAP4(ctr);
1460#else
1365 PUTU32(ctx->Yi.c+12,ctr); 1461 PUTU32(ctx->Yi.c+12,ctr);
1462#endif
1366 else 1463 else
1367 ctx->Yi.d[3] = ctr; 1464 ctx->Yi.d[3] = ctr;
1368 out += i; 1465 out += i;
@@ -1373,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1373 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key); 1470 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
1374 ++ctr; 1471 ++ctr;
1375 if (is_endian.little) 1472 if (is_endian.little)
1473#ifdef BSWAP4
1474 ctx->Yi.d[3] = BSWAP4(ctr);
1475#else
1376 PUTU32(ctx->Yi.c+12,ctr); 1476 PUTU32(ctx->Yi.c+12,ctr);
1477#endif
1377 else 1478 else
1378 ctx->Yi.d[3] = ctr; 1479 ctx->Yi.d[3] = ctr;
1379 while (len--) { 1480 while (len--) {
@@ -1398,7 +1499,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
1398 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult; 1499 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
1399#endif 1500#endif
1400 1501
1401 if (ctx->mres) 1502 if (ctx->mres || ctx->ares)
1402 GCM_MUL(ctx,Xi); 1503 GCM_MUL(ctx,Xi);
1403 1504
1404 if (is_endian.little) { 1505 if (is_endian.little) {
@@ -1669,6 +1770,46 @@ static const u8 IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
1669 0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f}, 1770 0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f},
1670 T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a}; 1771 T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a};
1671 1772
1773/* Test Case 19 */
1774#define K19 K1
1775#define P19 P1
1776#define IV19 IV1
1777#define C19 C1
1778static const u8 A19[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1779 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1780 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1781 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55,
1782 0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
1783 0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
1784 0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
1785 0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
1786 T19[]= {0x5f,0xea,0x79,0x3a,0x2d,0x6f,0x97,0x4d,0x37,0xe6,0x8e,0x0c,0xb8,0xff,0x94,0x92};
1787
1788/* Test Case 20 */
1789#define K20 K1
1790#define A20 A1
1791static const u8 IV20[64]={0xff,0xff,0xff,0xff}, /* this results in 0xff in counter LSB */
1792 P20[288],
1793 C20[]= {0x56,0xb3,0x37,0x3c,0xa9,0xef,0x6e,0x4a,0x2b,0x64,0xfe,0x1e,0x9a,0x17,0xb6,0x14,
1794 0x25,0xf1,0x0d,0x47,0xa7,0x5a,0x5f,0xce,0x13,0xef,0xc6,0xbc,0x78,0x4a,0xf2,0x4f,
1795 0x41,0x41,0xbd,0xd4,0x8c,0xf7,0xc7,0x70,0x88,0x7a,0xfd,0x57,0x3c,0xca,0x54,0x18,
1796 0xa9,0xae,0xff,0xcd,0x7c,0x5c,0xed,0xdf,0xc6,0xa7,0x83,0x97,0xb9,0xa8,0x5b,0x49,
1797 0x9d,0xa5,0x58,0x25,0x72,0x67,0xca,0xab,0x2a,0xd0,0xb2,0x3c,0xa4,0x76,0xa5,0x3c,
1798 0xb1,0x7f,0xb4,0x1c,0x4b,0x8b,0x47,0x5c,0xb4,0xf3,0xf7,0x16,0x50,0x94,0xc2,0x29,
1799 0xc9,0xe8,0xc4,0xdc,0x0a,0x2a,0x5f,0xf1,0x90,0x3e,0x50,0x15,0x11,0x22,0x13,0x76,
1800 0xa1,0xcd,0xb8,0x36,0x4c,0x50,0x61,0xa2,0x0c,0xae,0x74,0xbc,0x4a,0xcd,0x76,0xce,
1801 0xb0,0xab,0xc9,0xfd,0x32,0x17,0xef,0x9f,0x8c,0x90,0xbe,0x40,0x2d,0xdf,0x6d,0x86,
1802 0x97,0xf4,0xf8,0x80,0xdf,0xf1,0x5b,0xfb,0x7a,0x6b,0x28,0x24,0x1e,0xc8,0xfe,0x18,
1803 0x3c,0x2d,0x59,0xe3,0xf9,0xdf,0xff,0x65,0x3c,0x71,0x26,0xf0,0xac,0xb9,0xe6,0x42,
1804 0x11,0xf4,0x2b,0xae,0x12,0xaf,0x46,0x2b,0x10,0x70,0xbe,0xf1,0xab,0x5e,0x36,0x06,
1805 0x87,0x2c,0xa1,0x0d,0xee,0x15,0xb3,0x24,0x9b,0x1a,0x1b,0x95,0x8f,0x23,0x13,0x4c,
1806 0x4b,0xcc,0xb7,0xd0,0x32,0x00,0xbc,0xe4,0x20,0xa2,0xf8,0xeb,0x66,0xdc,0xf3,0x64,
1807 0x4d,0x14,0x23,0xc1,0xb5,0x69,0x90,0x03,0xc1,0x3e,0xce,0xf4,0xbf,0x38,0xa3,0xb6,
1808 0x0e,0xed,0xc3,0x40,0x33,0xba,0xc1,0x90,0x27,0x83,0xdc,0x6d,0x89,0xe2,0xe7,0x74,
1809 0x18,0x8a,0x43,0x9c,0x7e,0xbc,0xc0,0x67,0x2d,0xbd,0xa4,0xdd,0xcf,0xb2,0x79,0x46,
1810 0x13,0xb0,0xbe,0x41,0x31,0x5e,0xf7,0x78,0x70,0x8a,0x70,0xee,0x7d,0x75,0x16,0x5c},
1811 T20[]= {0x8b,0x30,0x7f,0x6b,0x33,0x28,0x6d,0x0a,0xb0,0x26,0xa9,0xed,0x3f,0xe1,0xe8,0x5f};
1812
1672#define TEST_CASE(n) do { \ 1813#define TEST_CASE(n) do { \
1673 u8 out[sizeof(P##n)]; \ 1814 u8 out[sizeof(P##n)]; \
1674 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \ 1815 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \
@@ -1713,6 +1854,8 @@ int main()
1713 TEST_CASE(16); 1854 TEST_CASE(16);
1714 TEST_CASE(17); 1855 TEST_CASE(17);
1715 TEST_CASE(18); 1856 TEST_CASE(18);
1857 TEST_CASE(19);
1858 TEST_CASE(20);
1716 1859
1717#ifdef OPENSSL_CPUID_OBJ 1860#ifdef OPENSSL_CPUID_OBJ
1718 { 1861 {
@@ -1743,11 +1886,16 @@ int main()
1743 ctr_t/(double)sizeof(buf), 1886 ctr_t/(double)sizeof(buf),
1744 (gcm_t-ctr_t)/(double)sizeof(buf)); 1887 (gcm_t-ctr_t)/(double)sizeof(buf));
1745#ifdef GHASH 1888#ifdef GHASH
1746 GHASH(&ctx,buf.c,sizeof(buf)); 1889 {
1890 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
1891 const u8 *inp,size_t len) = ctx.ghash;
1892
1893 GHASH((&ctx),buf.c,sizeof(buf));
1747 start = OPENSSL_rdtsc(); 1894 start = OPENSSL_rdtsc();
1748 for (i=0;i<100;++i) GHASH(&ctx,buf.c,sizeof(buf)); 1895 for (i=0;i<100;++i) GHASH((&ctx),buf.c,sizeof(buf));
1749 gcm_t = OPENSSL_rdtsc() - start; 1896 gcm_t = OPENSSL_rdtsc() - start;
1750 printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i); 1897 printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i);
1898 }
1751#endif 1899#endif
1752 } 1900 }
1753#endif 1901#endif