Coverage Report

Created: 2024-11-21 06:47

/src/boringssl/crypto/fipsmodule/modes/ctr.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* ====================================================================
2
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
3
 *
4
 * Redistribution and use in source and binary forms, with or without
5
 * modification, are permitted provided that the following conditions
6
 * are met:
7
 *
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 *
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in
13
 *    the documentation and/or other materials provided with the
14
 *    distribution.
15
 *
16
 * 3. All advertising materials mentioning features or use of this
17
 *    software must display the following acknowledgment:
18
 *    "This product includes software developed by the OpenSSL Project
19
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20
 *
21
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22
 *    endorse or promote products derived from this software without
23
 *    prior written permission. For written permission, please contact
24
 *    openssl-core@openssl.org.
25
 *
26
 * 5. Products derived from this software may not be called "OpenSSL"
27
 *    nor may "OpenSSL" appear in their names without prior written
28
 *    permission of the OpenSSL Project.
29
 *
30
 * 6. Redistributions of any form whatsoever must retain the following
31
 *    acknowledgment:
32
 *    "This product includes software developed by the OpenSSL Project
33
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34
 *
35
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46
 * OF THE POSSIBILITY OF SUCH DAMAGE.
47
 * ==================================================================== */
48
49
#include <assert.h>
50
#include <string.h>
51
52
#include "internal.h"
53
#include "../../internal.h"
54
55
56
// NOTE: the IV/counter CTR mode is big-endian.  The code itself
57
// is endian-neutral.
58
59
// increment counter (128-bit int) by 1
60
0
static void ctr128_inc(uint8_t *counter) {
61
0
  uint32_t n = 16, c = 1;
62
63
0
  do {
64
0
    --n;
65
0
    c += counter[n];
66
0
    counter[n] = (uint8_t) c;
67
0
    c >>= 8;
68
0
  } while (n);
69
0
}
70
71
static_assert(16 % sizeof(crypto_word_t) == 0,
72
              "block cannot be divided into crypto_word_t");
73
74
// The input encrypted as though 128bit counter mode is being used.  The extra
75
// state information to record how much of the 128bit block we have used is
76
// contained in *num, and the encrypted counter is kept in ecount_buf.  Both
77
// *num and ecount_buf must be initialised with zeros before the first call to
78
// CRYPTO_ctr128_encrypt().
79
//
80
// This algorithm assumes that the counter is in the x lower bits of the IV
81
// (ivec), and that the application has full control over overflow and the rest
82
// of the IV.  This implementation takes NO responsibility for checking that
83
// the counter doesn't overflow into the rest of the IV when incremented.
84
void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
85
                           const AES_KEY *key, uint8_t ivec[16],
86
                           uint8_t ecount_buf[16], unsigned int *num,
87
0
                           block128_f block) {
88
0
  unsigned int n;
89
90
0
  assert(key && ecount_buf && num);
91
0
  assert(len == 0 || (in && out));
92
0
  assert(*num < 16);
93
94
0
  n = *num;
95
96
0
  while (n && len) {
97
0
    *(out++) = *(in++) ^ ecount_buf[n];
98
0
    --len;
99
0
    n = (n + 1) % 16;
100
0
  }
101
0
  while (len >= 16) {
102
0
    (*block)(ivec, ecount_buf, key);
103
0
    ctr128_inc(ivec);
104
0
    CRYPTO_xor16(out, in, ecount_buf);
105
0
    len -= 16;
106
0
    out += 16;
107
0
    in += 16;
108
0
    n = 0;
109
0
  }
110
0
  if (len) {
111
0
    (*block)(ivec, ecount_buf, key);
112
0
    ctr128_inc(ivec);
113
0
    while (len--) {
114
0
      out[n] = in[n] ^ ecount_buf[n];
115
0
      ++n;
116
0
    }
117
0
  }
118
0
  *num = n;
119
0
}
120
121
// increment upper 96 bits of 128-bit counter by 1
122
0
static void ctr96_inc(uint8_t *counter) {
123
0
  uint32_t n = 12, c = 1;
124
125
0
  do {
126
0
    --n;
127
0
    c += counter[n];
128
0
    counter[n] = (uint8_t) c;
129
0
    c >>= 8;
130
0
  } while (n);
131
0
}
132
133
void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
134
                                 const AES_KEY *key, uint8_t ivec[16],
135
                                 uint8_t ecount_buf[16], unsigned int *num,
136
0
                                 ctr128_f func) {
137
0
  unsigned int n, ctr32;
138
139
0
  assert(key && ecount_buf && num);
140
0
  assert(len == 0 || (in && out));
141
0
  assert(*num < 16);
142
143
0
  n = *num;
144
145
0
  while (n && len) {
146
0
    *(out++) = *(in++) ^ ecount_buf[n];
147
0
    --len;
148
0
    n = (n + 1) % 16;
149
0
  }
150
151
0
  ctr32 = CRYPTO_load_u32_be(ivec + 12);
152
0
  while (len >= 16) {
153
0
    size_t blocks = len / 16;
154
    // 1<<28 is just a not-so-small yet not-so-large number...
155
    // Below condition is practically never met, but it has to
156
    // be checked for code correctness.
157
0
    if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {
158
0
      blocks = (1U << 28);
159
0
    }
160
    // As (*func) operates on 32-bit counter, caller
161
    // has to handle overflow. 'if' below detects the
162
    // overflow, which is then handled by limiting the
163
    // amount of blocks to the exact overflow point...
164
0
    ctr32 += (uint32_t)blocks;
165
0
    if (ctr32 < blocks) {
166
0
      blocks -= ctr32;
167
0
      ctr32 = 0;
168
0
    }
169
0
    (*func)(in, out, blocks, key, ivec);
170
    // (*func) does not update ivec, caller does:
171
0
    CRYPTO_store_u32_be(ivec + 12, ctr32);
172
    // ... overflow was detected, propogate carry.
173
0
    if (ctr32 == 0) {
174
0
      ctr96_inc(ivec);
175
0
    }
176
0
    blocks *= 16;
177
0
    len -= blocks;
178
0
    out += blocks;
179
0
    in += blocks;
180
0
  }
181
0
  if (len) {
182
0
    OPENSSL_memset(ecount_buf, 0, 16);
183
0
    (*func)(ecount_buf, ecount_buf, 1, key, ivec);
184
0
    ++ctr32;
185
0
    CRYPTO_store_u32_be(ivec + 12, ctr32);
186
0
    if (ctr32 == 0) {
187
0
      ctr96_inc(ivec);
188
0
    }
189
0
    while (len--) {
190
0
      out[n] = in[n] ^ ecount_buf[n];
191
0
      ++n;
192
0
    }
193
0
  }
194
195
0
  *num = n;
196
0
}