diff options
author | Todd Short <tshort@akamai.com> | 2022-04-28 14:56:11 -0400 |
---|---|---|
committer | Todd Short <todd.short@me.com> | 2022-07-29 08:32:16 -0400 |
commit | 0113ec8460a918f8bc782130db8f75540b3b1ab2 (patch) | |
tree | 2e8c7100cd3be8c2a0cc32efed6330daf3f8395f /include/crypto | |
parent | dffafaf48174497a724d546c3483d2493fc9b64c (diff) | |
download | openssl-0113ec8460a918f8bc782130db8f75540b3b1ab2.tar.gz |
Implement AES-GCM-SIV (RFC8452)
Fixes #16721
This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.
This implementation lives only in the default provider; there is no legacy
implementation.
The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.
Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)
Diffstat (limited to 'include/crypto')
-rw-r--r-- | include/crypto/modes.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/include/crypto/modes.h b/include/crypto/modes.h index 573e1197d0..d567a0ba84 100644 --- a/include/crypto/modes.h +++ b/include/crypto/modes.h @@ -138,6 +138,12 @@ struct gcm128_context { #endif }; +/* GHASH functions */ +void ossl_gcm_init_4bit(u128 Htable[16], const u64 H[2]); +void ossl_gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], + const u8 *inp, size_t len); +void ossl_gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]); + /* * The maximum permitted number of cipher blocks per data unit in XTS mode. * Reference IEEE Std 1619-2018. |