Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/fipsmodule/modes/ctr.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* ====================================================================
2
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
3
 *
4
 * Redistribution and use in source and binary forms, with or without
5
 * modification, are permitted provided that the following conditions
6
 * are met:
7
 *
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 *
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in
13
 *    the documentation and/or other materials provided with the
14
 *    distribution.
15
 *
16
 * 3. All advertising materials mentioning features or use of this
17
 *    software must display the following acknowledgment:
18
 *    "This product includes software developed by the OpenSSL Project
19
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20
 *
21
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22
 *    endorse or promote products derived from this software without
23
 *    prior written permission. For written permission, please contact
24
 *    openssl-core@openssl.org.
25
 *
26
 * 5. Products derived from this software may not be called "OpenSSL"
27
 *    nor may "OpenSSL" appear in their names without prior written
28
 *    permission of the OpenSSL Project.
29
 *
30
 * 6. Redistributions of any form whatsoever must retain the following
31
 *    acknowledgment:
32
 *    "This product includes software developed by the OpenSSL Project
33
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34
 *
35
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46
 * OF THE POSSIBILITY OF SUCH DAMAGE.
47
 * ==================================================================== */
48
49
#include <assert.h>
50
#include <string.h>
51
52
#include "internal.h"
53
#include "../../internal.h"
54
55
56
// NOTE: the IV/counter CTR mode is big-endian.  The code itself
57
// is endian-neutral.
58
59
// increment counter (128-bit int) by 1
60
638
static void ctr128_inc(uint8_t *counter) {
61
638
  uint32_t n = 16, c = 1;
62
63
10.2k
  do {
64
10.2k
    --n;
65
10.2k
    c += counter[n];
66
10.2k
    counter[n] = (uint8_t) c;
67
10.2k
    c >>= 8;
68
10.2k
  } while (n);
69
638
}
70
71
static_assert(16 % sizeof(crypto_word_t) == 0,
72
              "block cannot be divided into crypto_word_t");
73
74
// The input encrypted as though 128bit counter mode is being used.  The extra
75
// state information to record how much of the 128bit block we have used is
76
// contained in *num, and the encrypted counter is kept in ecount_buf.  Both
77
// *num and ecount_buf must be initialised with zeros before the first call to
78
// CRYPTO_ctr128_encrypt().
79
//
80
// This algorithm assumes that the counter is in the x lower bits of the IV
81
// (ivec), and that the application has full control over overflow and the rest
82
// of the IV.  This implementation takes NO responsibility for checking that
83
// the counter doesn't overflow into the rest of the IV when incremented.
84
void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
85
                           const AES_KEY *key, uint8_t ivec[16],
86
                           uint8_t ecount_buf[16], unsigned int *num,
87
320
                           block128_f block) {
88
320
  unsigned int n;
89
90
320
  assert(key && ecount_buf && num);
91
320
  assert(len == 0 || (in && out));
92
320
  assert(*num < 16);
93
94
320
  n = *num;
95
96
917
  while (n && len) {
97
597
    *(out++) = *(in++) ^ ecount_buf[n];
98
597
    --len;
99
597
    n = (n + 1) % 16;
100
597
  }
101
851
  while (len >= 16) {
102
531
    (*block)(ivec, ecount_buf, key);
103
531
    ctr128_inc(ivec);
104
531
    CRYPTO_xor16(out, in, ecount_buf);
105
531
    len -= 16;
106
531
    out += 16;
107
531
    in += 16;
108
531
    n = 0;
109
531
  }
110
320
  if (len) {
111
107
    (*block)(ivec, ecount_buf, key);
112
107
    ctr128_inc(ivec);
113
973
    while (len--) {
114
866
      out[n] = in[n] ^ ecount_buf[n];
115
866
      ++n;
116
866
    }
117
107
  }
118
320
  *num = n;
119
320
}
120
121
// increment upper 96 bits of 128-bit counter by 1
122
40
static void ctr96_inc(uint8_t *counter) {
123
40
  uint32_t n = 12, c = 1;
124
125
480
  do {
126
480
    --n;
127
480
    c += counter[n];
128
480
    counter[n] = (uint8_t) c;
129
480
    c >>= 8;
130
480
  } while (n);
131
40
}
132
133
void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
134
                                 const AES_KEY *key, uint8_t ivec[16],
135
                                 uint8_t ecount_buf[16], unsigned int *num,
136
209
                                 ctr128_f func) {
137
209
  unsigned int n, ctr32;
138
139
209
  assert(key && ecount_buf && num);
140
209
  assert(len == 0 || (in && out));
141
209
  assert(*num < 16);
142
143
209
  n = *num;
144
145
382
  while (n && len) {
146
173
    *(out++) = *(in++) ^ ecount_buf[n];
147
173
    --len;
148
173
    n = (n + 1) % 16;
149
173
  }
150
151
209
  ctr32 = CRYPTO_load_u32_be(ivec + 12);
152
350
  while (len >= 16) {
153
141
    size_t blocks = len / 16;
154
    // 1<<28 is just a not-so-small yet not-so-large number...
155
    // Below condition is practically never met, but it has to
156
    // be checked for code correctness.
157
141
    if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {
158
0
      blocks = (1U << 28);
159
0
    }
160
    // As (*func) operates on 32-bit counter, caller
161
    // has to handle overflow. 'if' below detects the
162
    // overflow, which is then handled by limiting the
163
    // amount of blocks to the exact overflow point...
164
141
    ctr32 += (uint32_t)blocks;
165
141
    if (ctr32 < blocks) {
166
0
      blocks -= ctr32;
167
0
      ctr32 = 0;
168
0
    }
169
141
    (*func)(in, out, blocks, key, ivec);
170
    // (*func) does not update ivec, caller does:
171
141
    CRYPTO_store_u32_be(ivec + 12, ctr32);
172
    // ... overflow was detected, propogate carry.
173
141
    if (ctr32 == 0) {
174
0
      ctr96_inc(ivec);
175
0
    }
176
141
    blocks *= 16;
177
141
    len -= blocks;
178
141
    out += blocks;
179
141
    in += blocks;
180
141
  }
181
209
  if (len) {
182
42
    OPENSSL_memset(ecount_buf, 0, 16);
183
42
    (*func)(ecount_buf, ecount_buf, 1, key, ivec);
184
42
    ++ctr32;
185
42
    CRYPTO_store_u32_be(ivec + 12, ctr32);
186
42
    if (ctr32 == 0) {
187
40
      ctr96_inc(ivec);
188
40
    }
189
421
    while (len--) {
190
379
      out[n] = in[n] ^ ecount_buf[n];
191
379
      ++n;
192
379
    }
193
42
  }
194
195
209
  *num = n;
196
209
}