337f6801594d05c3449dc4a7166876d83a301717
[openssl.git] / crypto / aes / aes_ige.c
1 /* crypto/aes/aes_ige.c -*- mode:C; c-file-style: "eay" -*- */
2 /* ====================================================================
3  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer. 
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the
15  *    distribution.
16  *
17  * 3. All advertising materials mentioning features or use of this
18  *    software must display the following acknowledgment:
19  *    "This product includes software developed by the OpenSSL Project
20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21  *
22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23  *    endorse or promote products derived from this software without
24  *    prior written permission. For written permission, please contact
25  *    openssl-core@openssl.org.
26  *
27  * 5. Products derived from this software may not be called "OpenSSL"
28  *    nor may "OpenSSL" appear in their names without prior written
29  *    permission of the OpenSSL Project.
30  *
31  * 6. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by the OpenSSL Project
34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35  *
36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47  * OF THE POSSIBILITY OF SUCH DAMAGE.
48  * ====================================================================
49  *
50  */
51
52 #include "cryptlib.h"
53
54 #include <openssl/aes.h>
55 #include "aes_locl.h"
56
57 /*
58 static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
59     {
60     int n=0;
61
62     fprintf(f,"%s",title);
63     for( ; n < l ; ++n)
64                 {
65                 if((n%16) == 0)
66                         fprintf(f,"\n%04x",n);
67                 fprintf(f," %02x",s[n]);
68                 }
69     fprintf(f,"\n");
70     }
71 */
72
73 #define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
74 typedef struct {
75         unsigned long data[N_WORDS];
76 } aes_block_t;
77
78 // XXX: probably some better way to do this
79 #if defined(__i386__) || defined(__x86_64__)
80 #define UNALIGNED_MEMOPS_ARE_FAST 1
81 #endif
82
83 #ifdef UNALIGNED_MEMOPS_ARE_FAST
84 #define load_block(d, s)        (d) = *(const aes_block_t *)(s)
85 #define store_block(d, s)       *(aes_block_t *)(d) = (s)
86 #else
87 #define load_block(d, s)        memcpy((d).data, (s), AES_BLOCK_SIZE)
88 #define store_block(d, s)       memcpy((d), (s).data, AES_BLOCK_SIZE)
89 #endif
90
91 /* N.B. The IV for this mode is _twice_ the block size */
92
93 void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
94                                          const unsigned long length, const AES_KEY *key,
95                                          unsigned char *ivec, const int enc)
96         {
97         unsigned long n;
98         unsigned long len;
99         aes_block_t tmp, tmp2;
100         aes_block_t iv;
101         aes_block_t iv2;
102
103         OPENSSL_assert(in && out && key && ivec);
104         OPENSSL_assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
105         OPENSSL_assert((length%AES_BLOCK_SIZE) == 0);
106
107         len = length / AES_BLOCK_SIZE;
108         load_block(iv, ivec);
109         load_block(iv2, ivec + AES_BLOCK_SIZE);
110
111         if (AES_ENCRYPT == enc)
112                 {
113                 /* XXX: Do a separate case for when in != out (strictly should
114                    check for overlap, too) */
115                 while (len)
116                         {
117                         load_block(tmp, in);
118                         /*                      hexdump(stdout, "in", in, AES_BLOCK_SIZE); */
119                         /*                      hexdump(stdout, "iv", iv, AES_BLOCK_SIZE); */
120                         for(n=0 ; n < N_WORDS; ++n)
121                                 tmp2.data[n] = tmp.data[n] ^ iv.data[n];
122                         /*                      hexdump(stdout, "in ^ iv", out, AES_BLOCK_SIZE); */
123                         AES_encrypt((unsigned char *)tmp2.data, (unsigned char *)tmp2.data, key);
124                         /*                      hexdump(stdout,"enc", out, AES_BLOCK_SIZE); */
125                         /*                      hexdump(stdout,"iv2", iv2, AES_BLOCK_SIZE); */
126                         for(n=0 ; n < N_WORDS; ++n)
127                                 tmp2.data[n] ^= iv2.data[n];
128                         store_block(out, tmp2);
129                         /*                      hexdump(stdout,"out", out, AES_BLOCK_SIZE); */
130                         iv = tmp2;
131                         iv2 = tmp;
132                         --len;
133                         in += AES_BLOCK_SIZE;
134                         out += AES_BLOCK_SIZE;
135                         }
136                 memcpy(ivec, iv.data, AES_BLOCK_SIZE);
137                 memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
138                 }
139         else
140                 {
141                 while (len)
142                         {
143                         load_block(tmp, in);
144                         tmp2 = tmp;
145                         /*                      hexdump(stdout, "in", in, AES_BLOCK_SIZE); */
146                         /*                      hexdump(stdout, "iv2", iv2, AES_BLOCK_SIZE); */
147                         for(n=0 ; n < N_WORDS; ++n)
148                                 tmp.data[n] ^= iv2.data[n];
149                         /*                      hexdump(stdout, "in ^ iv2", tmp, AES_BLOCK_SIZE); */
150                         AES_decrypt((unsigned char *)tmp.data, (unsigned char *)tmp.data, key);
151                         /*                      hexdump(stdout, "dec", out, AES_BLOCK_SIZE); */
152                         /*                      hexdump(stdout, "iv", iv, AES_BLOCK_SIZE); */
153                         for(n=0 ; n < N_WORDS; ++n)
154                                 tmp.data[n] ^= iv.data[n];
155                         store_block(out, tmp);
156                         /*                      hexdump(stdout, "out", out, AES_BLOCK_SIZE); */
157                         iv = tmp2;
158                         iv2 = tmp;
159                         --len;
160                         in += AES_BLOCK_SIZE;
161                         out += AES_BLOCK_SIZE;
162                         }
163                 memcpy(ivec, iv.data, AES_BLOCK_SIZE);
164                 memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
165                 }
166         }
167
168 /*
169  * Note that its effectively impossible to do biIGE in anything other
170  * than a single pass, so no provision is made for chaining.
171  */
172
173 /* N.B. The IV for this mode is _four times_ the block size */
174
175 void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out,
176                                                 const unsigned long length, const AES_KEY *key,
177                                                 const AES_KEY *key2, const unsigned char *ivec,
178                                                 const int enc)
179         {
180         unsigned long n;
181         unsigned long len = length;
182         unsigned char tmp[AES_BLOCK_SIZE];
183         unsigned char tmp2[AES_BLOCK_SIZE];
184         unsigned char tmp3[AES_BLOCK_SIZE];
185         unsigned char prev[AES_BLOCK_SIZE];
186         const unsigned char *iv;
187         const unsigned char *iv2;
188
189         OPENSSL_assert(in && out && key && ivec);
190         OPENSSL_assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
191         OPENSSL_assert((length%AES_BLOCK_SIZE) == 0);
192
193         if (AES_ENCRYPT == enc)
194                 {
195                 /* XXX: Do a separate case for when in != out (strictly should
196                    check for overlap, too) */
197
198                 /* First the forward pass */ 
199                 iv = ivec;
200                 iv2 = ivec + AES_BLOCK_SIZE;
201                 while (len >= AES_BLOCK_SIZE)
202                         {
203                         /*                      hexdump(stdout, "in", in, AES_BLOCK_SIZE); */
204                         /*                      hexdump(stdout, "iv", iv, AES_BLOCK_SIZE); */
205                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
206                                 out[n] = in[n] ^ iv[n];
207                         /*                      hexdump(stdout, "in ^ iv", out, AES_BLOCK_SIZE); */
208                         AES_encrypt(out, out, key);
209                         /*                      hexdump(stdout,"enc", out, AES_BLOCK_SIZE); */
210                         /*                      hexdump(stdout,"iv2", iv2, AES_BLOCK_SIZE); */
211                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
212                                 out[n] ^= iv2[n];
213                         /*                      hexdump(stdout,"out", out, AES_BLOCK_SIZE); */
214                         iv = out;
215                         memcpy(prev, in, AES_BLOCK_SIZE);
216                         iv2 = prev;
217                         len -= AES_BLOCK_SIZE;
218                         in += AES_BLOCK_SIZE;
219                         out += AES_BLOCK_SIZE;
220                         }
221
222                 /* And now backwards */
223                 iv = ivec + AES_BLOCK_SIZE*2;
224                 iv2 = ivec + AES_BLOCK_SIZE*3;
225                 len = length;
226                 while(len >= AES_BLOCK_SIZE)
227                         {
228                         out -= AES_BLOCK_SIZE;
229                         /*                      hexdump(stdout, "intermediate", out, AES_BLOCK_SIZE); */
230                         /*                      hexdump(stdout, "iv", iv, AES_BLOCK_SIZE); */
231                         /* XXX: reduce copies by alternating between buffers */
232                         memcpy(tmp, out, AES_BLOCK_SIZE);
233                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
234                                 out[n] ^= iv[n];
235                         /*                      hexdump(stdout, "out ^ iv", out, AES_BLOCK_SIZE); */
236                         AES_encrypt(out, out, key);
237                         /*                      hexdump(stdout,"enc", out, AES_BLOCK_SIZE); */
238                         /*                      hexdump(stdout,"iv2", iv2, AES_BLOCK_SIZE); */
239                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
240                                 out[n] ^= iv2[n];
241                         /*                      hexdump(stdout,"out", out, AES_BLOCK_SIZE); */
242                         iv = out;
243                         memcpy(prev, tmp, AES_BLOCK_SIZE);
244                         iv2 = prev;
245                         len -= AES_BLOCK_SIZE;
246                         }
247                 }
248         else
249                 {
250                 /* First backwards */
251                 iv = ivec + AES_BLOCK_SIZE*2;
252                 iv2 = ivec + AES_BLOCK_SIZE*3;
253                 in += length;
254                 out += length;
255                 while (len >= AES_BLOCK_SIZE)
256                         {
257                         in -= AES_BLOCK_SIZE;
258                         out -= AES_BLOCK_SIZE;
259                         memcpy(tmp, in, AES_BLOCK_SIZE);
260                         memcpy(tmp2, in, AES_BLOCK_SIZE);
261                         /*                      hexdump(stdout, "in", in, AES_BLOCK_SIZE); */
262                         /*                      hexdump(stdout, "iv2", iv2, AES_BLOCK_SIZE); */
263                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
264                                 tmp[n] ^= iv2[n];
265                         /*                      hexdump(stdout, "in ^ iv2", tmp, AES_BLOCK_SIZE); */
266                         AES_decrypt(tmp, out, key);
267                         /*                      hexdump(stdout, "dec", out, AES_BLOCK_SIZE); */
268                         /*                      hexdump(stdout, "iv", iv, AES_BLOCK_SIZE); */
269                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
270                                 out[n] ^= iv[n];
271                         /*                      hexdump(stdout, "out", out, AES_BLOCK_SIZE); */
272                         memcpy(tmp3, tmp2, AES_BLOCK_SIZE);
273                         iv = tmp3;
274                         iv2 = out;
275                         len -= AES_BLOCK_SIZE;
276                         }
277
278                 /* And now forwards */
279                 iv = ivec;
280                 iv2 = ivec + AES_BLOCK_SIZE;
281                 len = length;
282                 while (len >= AES_BLOCK_SIZE)
283                         {
284                         memcpy(tmp, out, AES_BLOCK_SIZE);
285                         memcpy(tmp2, out, AES_BLOCK_SIZE);
286                         /*                      hexdump(stdout, "intermediate", out, AES_BLOCK_SIZE); */
287                         /*                      hexdump(stdout, "iv2", iv2, AES_BLOCK_SIZE); */
288                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
289                                 tmp[n] ^= iv2[n];
290                         /*                      hexdump(stdout, "out ^ iv2", tmp, AES_BLOCK_SIZE); */
291                         AES_decrypt(tmp, out, key);
292                         /*                      hexdump(stdout, "dec", out, AES_BLOCK_SIZE); */
293                         /*                      hexdump(stdout, "iv", ivec, AES_BLOCK_SIZE); */
294                         for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
295                                 out[n] ^= iv[n];
296                         /*                      hexdump(stdout, "out", out, AES_BLOCK_SIZE); */
297                         memcpy(tmp3, tmp2, AES_BLOCK_SIZE);
298                         iv = tmp3;
299                         iv2 = out;
300                         len -= AES_BLOCK_SIZE;
301                         in += AES_BLOCK_SIZE;
302                         out += AES_BLOCK_SIZE;
303                         }
304
305                 }
306         }