-static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx_ofb* ctx, grasshopper_w128_t* iv,
- grasshopper_w128_t* buf) {
- memcpy(&ctx->buffer1, iv, 16);
- ctx->g = ctx->buffer1.b[0] | (ctx->buffer1.b[1] << 8) | (ctx->buffer1.b[2] << 16) |
- ((uint32_t) ctx->buffer1.b[3] << 24);
- ctx->g += 0x01010101;
- ctx->buffer1.b[0] = (unsigned char) (ctx->g & 0xff);
- ctx->buffer1.b[1] = (unsigned char) ((ctx->g >> 8) & 0xff);
- ctx->buffer1.b[2] = (unsigned char) ((ctx->g >> 16) & 0xff);
- ctx->buffer1.b[3] = (unsigned char) ((ctx->g >> 24) & 0xff);
- ctx->g = ctx->buffer1.b[4] | (ctx->buffer1.b[5] << 8) | (ctx->buffer1.b[6] << 16) |
- ((uint32_t) ctx->buffer1.b[7] << 24);
- ctx->go = ctx->g;
- ctx->g += 0x01010104;
- if (ctx->go > ctx->g) { /* overflow */
- ctx->g++;
- }
- ctx->buffer1.b[4] = (unsigned char) (ctx->g & 0xff);
- ctx->buffer1.b[5] = (unsigned char) ((ctx->g >> 8) & 0xff);
- ctx->buffer1.b[6] = (unsigned char) ((ctx->g >> 16) & 0xff);
- ctx->buffer1.b[7] = (unsigned char) ((ctx->g >> 24) & 0xff);
- ctx->g = ctx->buffer1.b[8] | (ctx->buffer1.b[9] << 8) | (ctx->buffer1.b[10] << 16) |
- ((uint32_t) ctx->buffer1.b[11] << 24);
- ctx->go = ctx->g;
- ctx->g += 0x01010107;
- if (ctx->go > ctx->g) { /* overflow */
- ctx->g++;
- }
- ctx->buffer1.b[8] = (unsigned char) (ctx->g & 0xff);
- ctx->buffer1.b[9] = (unsigned char) ((ctx->g >> 8) & 0xff);
- ctx->buffer1.b[10] = (unsigned char) ((ctx->g >> 16) & 0xff);
- ctx->buffer1.b[11] = (unsigned char) ((ctx->g >> 24) & 0xff);
- ctx->g = ctx->buffer1.b[12] | (ctx->buffer1.b[13] << 8) | (ctx->buffer1.b[14] << 16) |
- ((uint32_t) ctx->buffer1.b[15] << 24);
- ctx->go = ctx->g;
- ctx->g += 0x01010110;
- if (ctx->go > ctx->g) { /* overflow */
- ctx->g++;
- }
- ctx->buffer1.b[12] = (unsigned char) (ctx->g & 0xff);
- ctx->buffer1.b[13] = (unsigned char) ((ctx->g >> 8) & 0xff);
- ctx->buffer1.b[14] = (unsigned char) ((ctx->g >> 16) & 0xff);
- ctx->buffer1.b[15] = (unsigned char) ((ctx->g >> 24) & 0xff);
- memcpy(iv, &ctx->buffer1, 16);
- grasshopper_encrypt_block(&ctx->c.encrypt_round_keys, &ctx->buffer1, buf, &ctx->c.buffer);
-}
-
-static int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX* ctx, unsigned char* out,
- const unsigned char* in, size_t inl) {
- gost_grasshopper_cipher_ctx_ofb* c = (gost_grasshopper_cipher_ctx_ofb*) EVP_CIPHER_CTX_get_cipher_data(ctx);
- const unsigned char* in_ptr = in;
- unsigned char* out_ptr = out;
- unsigned char* buf = EVP_CIPHER_CTX_buf_noconst(ctx);
- unsigned char* iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+#define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
+static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
+ ctx, unsigned int *num)
+{
+ if (!ctx->section_size || (*num < ctx->section_size))
+ return;
+ acpkm_next(&ctx->c);
+ *num &= GRASSHOPPER_BLOCK_MASK;
+}
+
+/* If meshing is not configured via ctrl (setting section_size)
+ * this function works exactly like plain ctr */
+static int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl)
+{
+ gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+ unsigned int num = EVP_CIPHER_CTX_num(ctx);
+ size_t blocks, i, lasted = inl;
+ grasshopper_w128_t tmp;
+
+ while ((num & GRASSHOPPER_BLOCK_MASK) && lasted) {
+ *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
+ --lasted;
+ num++;
+ }
+ blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
+
+ // full parts
+ for (i = 0; i < blocks; i++) {
+ apply_acpkm_grasshopper(c, &num);
+ grasshopper_encrypt_block(&c->c.encrypt_round_keys,
+ (grasshopper_w128_t *) iv,
+ (grasshopper_w128_t *) & c->partial_buffer,
+ &c->c.buffer);
+ grasshopper_plus128(&tmp, &c->partial_buffer,
+ (grasshopper_w128_t *) in);
+ grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
+ ctr128_inc(iv);
+ in += GRASSHOPPER_BLOCK_SIZE;
+ out += GRASSHOPPER_BLOCK_SIZE;
+ num += GRASSHOPPER_BLOCK_SIZE;
+ lasted -= GRASSHOPPER_BLOCK_SIZE;
+ }
+
+ // last part
+ if (lasted > 0) {
+ apply_acpkm_grasshopper(c, &num);
+ grasshopper_encrypt_block(&c->c.encrypt_round_keys,
+ (grasshopper_w128_t *) iv,
+ &c->partial_buffer, &c->c.buffer);
+ for (i = 0; i < lasted; i++)
+ out[i] = c->partial_buffer.b[i] ^ in[i];
+ ctr128_inc(iv);
+ num += lasted;
+ }
+ EVP_CIPHER_CTX_set_num(ctx, num);
+
+ return inl;
+}
+
+static int gost_grasshopper_cipher_do_ctracpkm_omac(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl)
+{
+ int result;
+ gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
+ /* As in and out can be the same pointer, process unencrypted here */
+ if (EVP_CIPHER_CTX_encrypting(ctx))
+ EVP_DigestSignUpdate(c->omac_ctx, in, inl);
+
+ if (in == NULL && inl == 0) { /* Final call */
+ return gost2015_final_call(ctx, c->omac_ctx, KUZNYECHIK_MAC_MAX_SIZE, c->tag, gost_grasshopper_cipher_do_ctracpkm);
+ }
+
+ if (in == NULL) {
+ GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_CTRACPKM_OMAC, ERR_R_EVP_LIB);
+ return -1;
+ }
+ result = gost_grasshopper_cipher_do_ctracpkm(ctx, out, in, inl);
+
+ /* As in and out can be the same pointer, process decrypted here */
+ if (!EVP_CIPHER_CTX_encrypting(ctx))
+ EVP_DigestSignUpdate(c->omac_ctx, out, inl);
+
+ return result;
+}
+
+
+
+static int gost_grasshopper_cipher_do_mgm(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t len)
+{
+ gost_mgm_ctx *mctx =
+ (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ int enc = EVP_CIPHER_CTX_encrypting(ctx);
+
+ /* If not set up, return error */
+ if (!mctx->key_set) {
+ GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
+ GOST_R_BAD_ORDER);
+ return -1;
+ }
+
+ if (!mctx->iv_set) {
+ GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
+ GOST_R_BAD_ORDER);
+ return -1;
+ }
+ if (in) {
+ if (out == NULL) {
+ if (gost_mgm128_aad(&mctx->mgm, in, len))
+ return -1;
+ } else if (enc) {
+ if (gost_mgm128_encrypt(&mctx->mgm, in, out, len))
+ return -1;
+ } else {
+ if (gost_mgm128_decrypt(&mctx->mgm, in, out, len))
+ return -1;
+ }
+ return len;
+ } else {
+ if (!enc) {
+ if (mctx->taglen < 0)
+ return -1;
+ if (gost_mgm128_finish(&mctx->mgm,
+ EVP_CIPHER_CTX_buf_noconst(ctx),
+ mctx->taglen) != 0)
+ return -1;
+ mctx->iv_set = 0;
+ return 0;
+ }
+ gost_mgm128_tag(&mctx->mgm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
+ mctx->taglen = 16;
+ /* Don't reuse the IV */
+ mctx->iv_set = 0;
+ return 0;
+ }
+
+}
+
+/*
+ * Fixed 128-bit IV implementation make shift regiser redundant.
+ */
+static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
+ grasshopper_w128_t * iv,
+ grasshopper_w128_t * buf)
+{
+ grasshopper_w128_t tmp;
+ memcpy(&tmp, iv, 16);
+ grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
+ buf, &ctx->buffer);
+ memcpy(iv, buf, 16);
+}
+
+static int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
+ EVP_CIPHER_CTX_get_cipher_data(ctx);
+ const unsigned char *in_ptr = in;
+ unsigned char *out_ptr = out;
+ unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);