/src/boringssl/crypto/fipsmodule/modes/ctr.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* ==================================================================== |
2 | | * Copyright (c) 2008 The OpenSSL Project. All rights reserved. |
3 | | * |
4 | | * Redistribution and use in source and binary forms, with or without |
5 | | * modification, are permitted provided that the following conditions |
6 | | * are met: |
7 | | * |
8 | | * 1. Redistributions of source code must retain the above copyright |
9 | | * notice, this list of conditions and the following disclaimer. |
10 | | * |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in |
13 | | * the documentation and/or other materials provided with the |
14 | | * distribution. |
15 | | * |
16 | | * 3. All advertising materials mentioning features or use of this |
17 | | * software must display the following acknowledgment: |
18 | | * "This product includes software developed by the OpenSSL Project |
19 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
20 | | * |
21 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
22 | | * endorse or promote products derived from this software without |
23 | | * prior written permission. For written permission, please contact |
24 | | * openssl-core@openssl.org. |
25 | | * |
26 | | * 5. Products derived from this software may not be called "OpenSSL" |
27 | | * nor may "OpenSSL" appear in their names without prior written |
28 | | * permission of the OpenSSL Project. |
29 | | * |
30 | | * 6. Redistributions of any form whatsoever must retain the following |
31 | | * acknowledgment: |
32 | | * "This product includes software developed by the OpenSSL Project |
33 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
34 | | * |
35 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
36 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
37 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
38 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
39 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
40 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
41 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
42 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
43 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
44 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
45 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
46 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
47 | | * ==================================================================== */ |
48 | | |
49 | | #include <assert.h> |
50 | | #include <string.h> |
51 | | |
52 | | #include "internal.h" |
53 | | #include "../../internal.h" |
54 | | |
55 | | |
56 | | // NOTE: the IV/counter CTR mode is big-endian. The code itself |
57 | | // is endian-neutral. |
58 | | |
59 | | // increment counter (128-bit int) by 1 |
60 | 638 | static void ctr128_inc(uint8_t *counter) { |
61 | 638 | uint32_t n = 16, c = 1; |
62 | | |
63 | 10.2k | do { |
64 | 10.2k | --n; |
65 | 10.2k | c += counter[n]; |
66 | 10.2k | counter[n] = (uint8_t) c; |
67 | 10.2k | c >>= 8; |
68 | 10.2k | } while (n); |
69 | 638 | } |
70 | | |
71 | | static_assert(16 % sizeof(crypto_word_t) == 0, |
72 | | "block cannot be divided into crypto_word_t"); |
73 | | |
74 | | // The input encrypted as though 128bit counter mode is being used. The extra |
75 | | // state information to record how much of the 128bit block we have used is |
76 | | // contained in *num, and the encrypted counter is kept in ecount_buf. Both |
77 | | // *num and ecount_buf must be initialised with zeros before the first call to |
78 | | // CRYPTO_ctr128_encrypt(). |
79 | | // |
80 | | // This algorithm assumes that the counter is in the x lower bits of the IV |
81 | | // (ivec), and that the application has full control over overflow and the rest |
82 | | // of the IV. This implementation takes NO responsibility for checking that |
83 | | // the counter doesn't overflow into the rest of the IV when incremented. |
84 | | void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, |
85 | | const AES_KEY *key, uint8_t ivec[16], |
86 | | uint8_t ecount_buf[16], unsigned int *num, |
87 | 320 | block128_f block) { |
88 | 320 | unsigned int n; |
89 | | |
90 | 320 | assert(key && ecount_buf && num); |
91 | 320 | assert(len == 0 || (in && out)); |
92 | 320 | assert(*num < 16); |
93 | | |
94 | 320 | n = *num; |
95 | | |
96 | 917 | while (n && len) { |
97 | 597 | *(out++) = *(in++) ^ ecount_buf[n]; |
98 | 597 | --len; |
99 | 597 | n = (n + 1) % 16; |
100 | 597 | } |
101 | 851 | while (len >= 16) { |
102 | 531 | (*block)(ivec, ecount_buf, key); |
103 | 531 | ctr128_inc(ivec); |
104 | 531 | CRYPTO_xor16(out, in, ecount_buf); |
105 | 531 | len -= 16; |
106 | 531 | out += 16; |
107 | 531 | in += 16; |
108 | 531 | n = 0; |
109 | 531 | } |
110 | 320 | if (len) { |
111 | 107 | (*block)(ivec, ecount_buf, key); |
112 | 107 | ctr128_inc(ivec); |
113 | 973 | while (len--) { |
114 | 866 | out[n] = in[n] ^ ecount_buf[n]; |
115 | 866 | ++n; |
116 | 866 | } |
117 | 107 | } |
118 | 320 | *num = n; |
119 | 320 | } |
120 | | |
121 | | // increment upper 96 bits of 128-bit counter by 1 |
122 | 40 | static void ctr96_inc(uint8_t *counter) { |
123 | 40 | uint32_t n = 12, c = 1; |
124 | | |
125 | 480 | do { |
126 | 480 | --n; |
127 | 480 | c += counter[n]; |
128 | 480 | counter[n] = (uint8_t) c; |
129 | 480 | c >>= 8; |
130 | 480 | } while (n); |
131 | 40 | } |
132 | | |
133 | | void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len, |
134 | | const AES_KEY *key, uint8_t ivec[16], |
135 | | uint8_t ecount_buf[16], unsigned int *num, |
136 | 209 | ctr128_f func) { |
137 | 209 | unsigned int n, ctr32; |
138 | | |
139 | 209 | assert(key && ecount_buf && num); |
140 | 209 | assert(len == 0 || (in && out)); |
141 | 209 | assert(*num < 16); |
142 | | |
143 | 209 | n = *num; |
144 | | |
145 | 382 | while (n && len) { |
146 | 173 | *(out++) = *(in++) ^ ecount_buf[n]; |
147 | 173 | --len; |
148 | 173 | n = (n + 1) % 16; |
149 | 173 | } |
150 | | |
151 | 209 | ctr32 = CRYPTO_load_u32_be(ivec + 12); |
152 | 350 | while (len >= 16) { |
153 | 141 | size_t blocks = len / 16; |
154 | | // 1<<28 is just a not-so-small yet not-so-large number... |
155 | | // Below condition is practically never met, but it has to |
156 | | // be checked for code correctness. |
157 | 141 | if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) { |
158 | 0 | blocks = (1U << 28); |
159 | 0 | } |
160 | | // As (*func) operates on 32-bit counter, caller |
161 | | // has to handle overflow. 'if' below detects the |
162 | | // overflow, which is then handled by limiting the |
163 | | // amount of blocks to the exact overflow point... |
164 | 141 | ctr32 += (uint32_t)blocks; |
165 | 141 | if (ctr32 < blocks) { |
166 | 0 | blocks -= ctr32; |
167 | 0 | ctr32 = 0; |
168 | 0 | } |
169 | 141 | (*func)(in, out, blocks, key, ivec); |
170 | | // (*func) does not update ivec, caller does: |
171 | 141 | CRYPTO_store_u32_be(ivec + 12, ctr32); |
172 | | // ... overflow was detected, propogate carry. |
173 | 141 | if (ctr32 == 0) { |
174 | 0 | ctr96_inc(ivec); |
175 | 0 | } |
176 | 141 | blocks *= 16; |
177 | 141 | len -= blocks; |
178 | 141 | out += blocks; |
179 | 141 | in += blocks; |
180 | 141 | } |
181 | 209 | if (len) { |
182 | 42 | OPENSSL_memset(ecount_buf, 0, 16); |
183 | 42 | (*func)(ecount_buf, ecount_buf, 1, key, ivec); |
184 | 42 | ++ctr32; |
185 | 42 | CRYPTO_store_u32_be(ivec + 12, ctr32); |
186 | 42 | if (ctr32 == 0) { |
187 | 40 | ctr96_inc(ivec); |
188 | 40 | } |
189 | 421 | while (len--) { |
190 | 379 | out[n] = in[n] ^ ecount_buf[n]; |
191 | 379 | ++n; |
192 | 379 | } |
193 | 42 | } |
194 | | |
195 | 209 | *num = n; |
196 | 209 | } |