/src/libressl/crypto/modes/ctr128.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: ctr128.c,v 1.7 2017/08/13 17:46:24 bcook Exp $ */ |
2 | | /* ==================================================================== |
3 | | * Copyright (c) 2008 The OpenSSL Project. All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions |
7 | | * are met: |
8 | | * |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * |
12 | | * 2. Redistributions in binary form must reproduce the above copyright |
13 | | * notice, this list of conditions and the following disclaimer in |
14 | | * the documentation and/or other materials provided with the |
15 | | * distribution. |
16 | | * |
17 | | * 3. All advertising materials mentioning features or use of this |
18 | | * software must display the following acknowledgment: |
19 | | * "This product includes software developed by the OpenSSL Project |
20 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
21 | | * |
22 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
23 | | * endorse or promote products derived from this software without |
24 | | * prior written permission. For written permission, please contact |
25 | | * openssl-core@openssl.org. |
26 | | * |
27 | | * 5. Products derived from this software may not be called "OpenSSL" |
28 | | * nor may "OpenSSL" appear in their names without prior written |
29 | | * permission of the OpenSSL Project. |
30 | | * |
31 | | * 6. Redistributions of any form whatsoever must retain the following |
32 | | * acknowledgment: |
33 | | * "This product includes software developed by the OpenSSL Project |
34 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
35 | | * |
36 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
37 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
38 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
39 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
40 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
41 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
42 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
43 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
44 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
45 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
46 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
47 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
48 | | * ==================================================================== |
49 | | * |
50 | | */ |
51 | | |
52 | | #include <openssl/crypto.h> |
53 | | #include "modes_lcl.h" |
54 | | #include <string.h> |
55 | | |
56 | | #ifndef MODES_DEBUG |
57 | | # ifndef NDEBUG |
58 | | # define NDEBUG |
59 | | # endif |
60 | | #endif |
61 | | #include <assert.h> |
62 | | |
63 | | /* NOTE: the IV/counter CTR mode is big-endian. The code itself |
64 | | * is endian-neutral. */ |
65 | | |
66 | | /* increment counter (128-bit int) by 1 */ |
67 | 0 | static void ctr128_inc(unsigned char *counter) { |
68 | 0 | u32 n=16; |
69 | 0 | u8 c; |
70 | |
|
71 | 0 | do { |
72 | 0 | --n; |
73 | 0 | c = counter[n]; |
74 | 0 | ++c; |
75 | 0 | counter[n] = c; |
76 | 0 | if (c) return; |
77 | 0 | } while (n); |
78 | 0 | } |
79 | | |
80 | | #if !defined(OPENSSL_SMALL_FOOTPRINT) |
81 | | static void |
82 | | ctr128_inc_aligned(unsigned char *counter) |
83 | 0 | { |
84 | 0 | #if BYTE_ORDER == LITTLE_ENDIAN |
85 | 0 | ctr128_inc(counter); |
86 | | #else |
87 | | size_t *data, c, n; |
88 | | data = (size_t *)counter; |
89 | | n = 16 / sizeof(size_t); |
90 | | do { |
91 | | --n; |
92 | | c = data[n]; |
93 | | ++c; |
94 | | data[n] = c; |
95 | | if (c) |
96 | | return; |
97 | | } while (n); |
98 | | #endif |
99 | 0 | } |
100 | | #endif |
101 | | |
102 | | /* The input encrypted as though 128bit counter mode is being |
103 | | * used. The extra state information to record how much of the |
104 | | * 128bit block we have used is contained in *num, and the |
105 | | * encrypted counter is kept in ecount_buf. Both *num and |
106 | | * ecount_buf must be initialised with zeros before the first |
107 | | * call to CRYPTO_ctr128_encrypt(). |
108 | | * |
109 | | * This algorithm assumes that the counter is in the x lower bits |
110 | | * of the IV (ivec), and that the application has full control over |
111 | | * overflow and the rest of the IV. This implementation takes NO |
112 | | * responsability for checking that the counter doesn't overflow |
113 | | * into the rest of the IV when incremented. |
114 | | */ |
115 | | void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, |
116 | | size_t len, const void *key, |
117 | | unsigned char ivec[16], unsigned char ecount_buf[16], |
118 | | unsigned int *num, block128_f block) |
119 | 0 | { |
120 | 0 | unsigned int n; |
121 | 0 | size_t l=0; |
122 | |
|
123 | 0 | assert(*num < 16); |
124 | |
|
125 | 0 | n = *num; |
126 | |
|
127 | 0 | #if !defined(OPENSSL_SMALL_FOOTPRINT) |
128 | 0 | if (16%sizeof(size_t) == 0) do { /* always true actually */ |
129 | 0 | while (n && len) { |
130 | 0 | *(out++) = *(in++) ^ ecount_buf[n]; |
131 | 0 | --len; |
132 | 0 | n = (n+1) % 16; |
133 | 0 | } |
134 | |
|
135 | | #ifdef __STRICT_ALIGNMENT |
136 | | if (((size_t)in|(size_t)out|(size_t)ivec)%sizeof(size_t) != 0) |
137 | | break; |
138 | | #endif |
139 | 0 | while (len>=16) { |
140 | 0 | (*block)(ivec, ecount_buf, key); |
141 | 0 | ctr128_inc_aligned(ivec); |
142 | 0 | for (; n<16; n+=sizeof(size_t)) |
143 | 0 | *(size_t *)(out+n) = |
144 | 0 | *(size_t *)(in+n) ^ *(size_t *)(ecount_buf+n); |
145 | 0 | len -= 16; |
146 | 0 | out += 16; |
147 | 0 | in += 16; |
148 | 0 | n = 0; |
149 | 0 | } |
150 | 0 | if (len) { |
151 | 0 | (*block)(ivec, ecount_buf, key); |
152 | 0 | ctr128_inc_aligned(ivec); |
153 | 0 | while (len--) { |
154 | 0 | out[n] = in[n] ^ ecount_buf[n]; |
155 | 0 | ++n; |
156 | 0 | } |
157 | 0 | } |
158 | 0 | *num = n; |
159 | 0 | return; |
160 | 0 | } while(0); |
161 | | /* the rest would be commonly eliminated by x86* compiler */ |
162 | 0 | #endif |
163 | 0 | while (l<len) { |
164 | 0 | if (n==0) { |
165 | 0 | (*block)(ivec, ecount_buf, key); |
166 | 0 | ctr128_inc(ivec); |
167 | 0 | } |
168 | 0 | out[l] = in[l] ^ ecount_buf[n]; |
169 | 0 | ++l; |
170 | 0 | n = (n+1) % 16; |
171 | 0 | } |
172 | |
|
173 | 0 | *num=n; |
174 | 0 | } |
175 | | |
176 | | /* increment upper 96 bits of 128-bit counter by 1 */ |
177 | 0 | static void ctr96_inc(unsigned char *counter) { |
178 | 0 | u32 n=12; |
179 | 0 | u8 c; |
180 | |
|
181 | 0 | do { |
182 | 0 | --n; |
183 | 0 | c = counter[n]; |
184 | 0 | ++c; |
185 | 0 | counter[n] = c; |
186 | 0 | if (c) return; |
187 | 0 | } while (n); |
188 | 0 | } |
189 | | |
190 | | void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, |
191 | | size_t len, const void *key, |
192 | | unsigned char ivec[16], unsigned char ecount_buf[16], |
193 | | unsigned int *num, ctr128_f func) |
194 | 0 | { |
195 | 0 | unsigned int n,ctr32; |
196 | |
|
197 | 0 | assert(*num < 16); |
198 | |
|
199 | 0 | n = *num; |
200 | |
|
201 | 0 | while (n && len) { |
202 | 0 | *(out++) = *(in++) ^ ecount_buf[n]; |
203 | 0 | --len; |
204 | 0 | n = (n+1) % 16; |
205 | 0 | } |
206 | |
|
207 | 0 | ctr32 = GETU32(ivec+12); |
208 | 0 | while (len>=16) { |
209 | 0 | size_t blocks = len/16; |
210 | | /* |
211 | | * 1<<28 is just a not-so-small yet not-so-large number... |
212 | | * Below condition is practically never met, but it has to |
213 | | * be checked for code correctness. |
214 | | */ |
215 | 0 | if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28)) |
216 | 0 | blocks = (1U<<28); |
217 | | /* |
218 | | * As (*func) operates on 32-bit counter, caller |
219 | | * has to handle overflow. 'if' below detects the |
220 | | * overflow, which is then handled by limiting the |
221 | | * amount of blocks to the exact overflow point... |
222 | | */ |
223 | 0 | ctr32 += (u32)blocks; |
224 | 0 | if (ctr32 < blocks) { |
225 | 0 | blocks -= ctr32; |
226 | 0 | ctr32 = 0; |
227 | 0 | } |
228 | 0 | (*func)(in,out,blocks,key,ivec); |
229 | | /* (*ctr) does not update ivec, caller does: */ |
230 | 0 | PUTU32(ivec+12,ctr32); |
231 | | /* ... overflow was detected, propogate carry. */ |
232 | 0 | if (ctr32 == 0) ctr96_inc(ivec); |
233 | 0 | blocks *= 16; |
234 | 0 | len -= blocks; |
235 | 0 | out += blocks; |
236 | 0 | in += blocks; |
237 | 0 | } |
238 | 0 | if (len) { |
239 | 0 | memset(ecount_buf,0,16); |
240 | 0 | (*func)(ecount_buf,ecount_buf,1,key,ivec); |
241 | 0 | ++ctr32; |
242 | 0 | PUTU32(ivec+12,ctr32); |
243 | 0 | if (ctr32 == 0) ctr96_inc(ivec); |
244 | 0 | while (len--) { |
245 | 0 | out[n] = in[n] ^ ecount_buf[n]; |
246 | 0 | ++n; |
247 | 0 | } |
248 | 0 | } |
249 | |
|
250 | 0 | *num=n; |
251 | 0 | } |