kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1256 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 160f4ef14c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '160f4ef14c'
${ noResults }
boringssl/crypto/modes/ctr.c

223 lines
6.7 KiB
Raw Blame History 

  1. /* ====================================================================

  2.  * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    openssl-core@openssl.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ==================================================================== */

  48. #include <openssl/modes.h>

  49. 

  50. #include <assert.h>

  51. #include <string.h>

  52. 

  53. #include "internal.h"

  54. 

  55. 

  56. /* NOTE: the IV/counter CTR mode is big-endian.  The code itself

  57.  * is endian-neutral. */

  58. 

  59. /* increment counter (128-bit int) by 1 */

  60. static void ctr128_inc(uint8_t *counter) {

  61.   uint32_t n = 16;

  62.   uint8_t c;

  63. 

  64.   do {

  65.     --n;

  66.     c = counter[n];

  67.     ++c;

  68.     counter[n] = c;

  69.     if (c) {

  70.       return;

  71.     }

  72.   } while (n);

  73. }

  74. 

  75. /* The input encrypted as though 128bit counter mode is being used.  The extra

  76.  * state information to record how much of the 128bit block we have used is

  77.  * contained in *num, and the encrypted counter is kept in ecount_buf.  Both

  78.  * *num and ecount_buf must be initialised with zeros before the first call to

  79.  * CRYPTO_ctr128_encrypt().

  80.  *

  81.  * This algorithm assumes that the counter is in the x lower bits of the IV

  82.  * (ivec), and that the application has full control over overflow and the rest

  83.  * of the IV.  This implementation takes NO responsibility for checking that

  84.  * the counter doesn't overflow into the rest of the IV when incremented. */

  85. void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,

  86.                            const void *key, uint8_t ivec[16],

  87.                            uint8_t ecount_buf[16], unsigned int *num,

  88.                            block128_f block) {

  89.   unsigned int n;

  90. 

  91.   assert(in && out && key && ecount_buf && num);

  92.   assert(*num < 16);

  93.   assert((16 % sizeof(size_t)) == 0);

  94. 

  95.   n = *num;

  96. 

  97.   while (n && len) {

  98.     *(out++) = *(in++) ^ ecount_buf[n];

  99.     --len;

  100.     n = (n + 1) % 16;

  101.   }

  102. 

  103. #if STRICT_ALIGNMENT

  104.   if (((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {

  105.     size_t l = 0;

  106.     while (l < len) {

  107.       if (n == 0) {

  108.         (*block)(ivec, ecount_buf, key);

  109.         ctr128_inc(ivec);

  110.       }

  111.       out[l] = in[l] ^ ecount_buf[n];

  112.       ++l;

  113.       n = (n + 1) % 16;

  114.     }

  115. 

  116.     *num = n;

  117.     return;

  118.   }

  119. #endif

  120. 

  121.   while (len >= 16) {

  122.     (*block)(ivec, ecount_buf, key);

  123.     ctr128_inc(ivec);

  124.     for (; n < 16; n += sizeof(size_t)) {

  125.       *(size_t *)(out + n) = *(size_t *)(in + n) ^ *(size_t *)(ecount_buf + n);

  126.     }

  127.     len -= 16;

  128.     out += 16;

  129.     in += 16;

  130.     n = 0;

  131.   }

  132.   if (len) {

  133.     (*block)(ivec, ecount_buf, key);

  134.     ctr128_inc(ivec);

  135.     while (len--) {

  136.       out[n] = in[n] ^ ecount_buf[n];

  137.       ++n;

  138.     }

  139.   }

  140.   *num = n;

  141. }

  142. 

  143. /* increment upper 96 bits of 128-bit counter by 1 */

  144. static void ctr96_inc(uint8_t *counter) {

  145.   uint32_t n = 12;

  146.   uint8_t c;

  147. 

  148.   do {

  149.     --n;

  150.     c = counter[n];

  151.     ++c;

  152.     counter[n] = c;

  153.     if (c) {

  154.       return;

  155.     }

  156.   } while (n);

  157. }

  158. 

  159. void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out,

  160.                                  size_t len, const void *key,

  161.                                  uint8_t ivec[16],

  162.                                  uint8_t ecount_buf[16],

  163.                                  unsigned int *num, ctr128_f func) {

  164.   unsigned int n, ctr32;

  165. 

  166.   assert(in && out && key && ecount_buf && num);

  167.   assert(*num < 16);

  168. 

  169.   n = *num;

  170. 

  171.   while (n && len) {

  172.     *(out++) = *(in++) ^ ecount_buf[n];

  173.     --len;

  174.     n = (n + 1) % 16;

  175.   }

  176. 

  177.   ctr32 = GETU32(ivec + 12);

  178.   while (len >= 16) {

  179.     size_t blocks = len / 16;

  180.     /* 1<<28 is just a not-so-small yet not-so-large number...

  181.      * Below condition is practically never met, but it has to

  182.      * be checked for code correctness. */

  183.     if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {

  184.       blocks = (1U << 28);

  185.     }

  186.     /* As (*func) operates on 32-bit counter, caller

  187.      * has to handle overflow. 'if' below detects the

  188.      * overflow, which is then handled by limiting the

  189.      * amount of blocks to the exact overflow point... */

  190.     ctr32 += (uint32_t)blocks;

  191.     if (ctr32 < blocks) {

  192.       blocks -= ctr32;

  193.       ctr32 = 0;

  194.     }

  195.     (*func)(in, out, blocks, key, ivec);

  196.     /* (*func) does not update ivec, caller does: */

  197.     PUTU32(ivec + 12, ctr32);

  198.     /* ... overflow was detected, propogate carry. */

  199.     if (ctr32 == 0) {

  200.       ctr96_inc(ivec);

  201.     }

  202.     blocks *= 16;

  203.     len -= blocks;

  204.     out += blocks;

  205.     in += blocks;

  206.   }

  207.   if (len) {

  208.     memset(ecount_buf, 0, 16);

  209.     (*func)(ecount_buf, ecount_buf, 1, key, ivec);

  210.     ++ctr32;

  211.     PUTU32(ivec + 12, ctr32);

  212.     if (ctr32 == 0) {

  213.       ctr96_inc(ivec);

  214.     }

  215.     while (len--) {

  216.       out[n] = in[n] ^ ecount_buf[n];

  217.       ++n;

  218.     }

  219.   }

  220. 

  221.   *num = n;

  222. }