ctr128.c@ 94082

Last change on this file since 94082 was 94082, checked in by vboxsync, 3 years ago
libs/openssl-3.0.1: started applying and adjusting our OpenSSL changes to 3.0.1. bugref:10128
File size: 6.0 KB

Line
1	/*
2	* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <string.h>
11	#include <openssl/crypto.h>
12	#include "internal/endian.h"
13	#include "crypto/modes.h"
14
15	#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT)
16	typedef size_t size_t_aX __attribute((__aligned__(1)));
17	#else
18	typedef size_t size_t_aX;
19	#endif
20
21	/*
22	* NOTE: the IV/counter CTR mode is big-endian. The code itself is
23	* endian-neutral.
24	*/
25
26	/* increment counter (128-bit int) by 1 */
27	static void ctr128_inc(unsigned char *counter)
28	{
29	u32 n = 16, c = 1;
30
31	do {
32	--n;
33	c += counter[n];
34	counter[n] = (u8)c;
35	c >>= 8;
36	} while (n);
37	}
38
39	#if !defined(OPENSSL_SMALL_FOOTPRINT)
40	static void ctr128_inc_aligned(unsigned char *counter)
41	{
42	size_t *data, c, d, n;
43	DECLARE_IS_ENDIAN;
44
45	if (IS_LITTLE_ENDIAN \|\| ((size_t)counter % sizeof(size_t)) != 0) {
46	ctr128_inc(counter);
47	return;
48	}
49
50	data = (size_t *)counter;
51	c = 1;
52	n = 16 / sizeof(size_t);
53	do {
54	--n;
55	d = data[n] += c;
56	/* did addition carry? */
57	c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
58	} while (n);
59	}
60	#endif
61
62	/*
63	* The input encrypted as though 128bit counter mode is being used. The
64	* extra state information to record how much of the 128bit block we have
65	* used is contained in *num, and the encrypted counter is kept in
66	* ecount_buf. Both *num and ecount_buf must be initialised with zeros
67	* before the first call to CRYPTO_ctr128_encrypt(). This algorithm assumes
68	* that the counter is in the x lower bits of the IV (ivec), and that the
69	* application has full control over overflow and the rest of the IV. This
70	* implementation takes NO responsibility for checking that the counter
71	* doesn't overflow into the rest of the IV when incremented.
72	*/
73	void CRYPTO_ctr128_encrypt(const unsigned char in, unsigned char out,
74	size_t len, const void *key,
75	unsigned char ivec[16],
76	unsigned char ecount_buf[16], unsigned int *num,
77	block128_f block)
78	{
79	unsigned int n;
80	size_t l = 0;
81
82	n = *num;
83
84	#if !defined(OPENSSL_SMALL_FOOTPRINT)
85	if (16 % sizeof(size_t) == 0) { /* always true actually */
86	do {
87	while (n && len) {
88	(out++) = (in++) ^ ecount_buf[n];
89	--len;
90	n = (n + 1) % 16;
91	}
92
93	# if defined(STRICT_ALIGNMENT)
94	if (((size_t)in \| (size_t)out \| (size_t)ecount_buf)
95	% sizeof(size_t) != 0)
96	break;
97	# endif
98	while (len >= 16) {
99	(*block) (ivec, ecount_buf, key);
100	ctr128_inc_aligned(ivec);
101	for (n = 0; n < 16; n += sizeof(size_t))
102	(size_t_aX )(out + n) =
103	(size_t_aX )(in + n)
104	^ (size_t_aX )(ecount_buf + n);
105	len -= 16;
106	out += 16;
107	in += 16;
108	n = 0;
109	}
110	if (len) {
111	(*block) (ivec, ecount_buf, key);
112	ctr128_inc_aligned(ivec);
113	while (len--) {
114	out[n] = in[n] ^ ecount_buf[n];
115	++n;
116	}
117	}
118	*num = n;
119	return;
120	} while (0);
121	}
122	/* the rest would be commonly eliminated by x86* compiler */
123	#endif
124	while (l < len) {
125	if (n == 0) {
126	(*block) (ivec, ecount_buf, key);
127	ctr128_inc(ivec);
128	}
129	out[l] = in[l] ^ ecount_buf[n];
130	++l;
131	n = (n + 1) % 16;
132	}
133
134	*num = n;
135	}
136
137	/* increment upper 96 bits of 128-bit counter by 1 */
138	static void ctr96_inc(unsigned char *counter)
139	{
140	u32 n = 12, c = 1;
141
142	do {
143	--n;
144	c += counter[n];
145	counter[n] = (u8)c;
146	c >>= 8;
147	} while (n);
148	}
149
150	void CRYPTO_ctr128_encrypt_ctr32(const unsigned char in, unsigned char out,
151	size_t len, const void *key,
152	unsigned char ivec[16],
153	unsigned char ecount_buf[16],
154	unsigned int *num, ctr128_f func)
155	{
156	unsigned int n, ctr32;
157
158	n = *num;
159
160	while (n && len) {
161	(out++) = (in++) ^ ecount_buf[n];
162	--len;
163	n = (n + 1) % 16;
164	}
165
166	ctr32 = GETU32(ivec + 12);
167	while (len >= 16) {
168	size_t blocks = len / 16;
169	/*
170	* 1<<28 is just a not-so-small yet not-so-large number...
171	* Below condition is practically never met, but it has to
172	* be checked for code correctness.
173	*/
174	if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28))
175	blocks = (1U << 28);
176	/*
177	* As (*func) operates on 32-bit counter, caller
178	* has to handle overflow. 'if' below detects the
179	* overflow, which is then handled by limiting the
180	* amount of blocks to the exact overflow point...
181	*/
182	ctr32 += (u32)blocks;
183	if (ctr32 < blocks) {
184	blocks -= ctr32;
185	ctr32 = 0;
186	}
187	(*func) (in, out, blocks, key, ivec);
188	/* (ctr) does not update ivec, caller does: /
189	PUTU32(ivec + 12, ctr32);
190	/* ... overflow was detected, propagate carry. */
191	if (ctr32 == 0)
192	ctr96_inc(ivec);
193	blocks *= 16;
194	len -= blocks;
195	out += blocks;
196	in += blocks;
197	}
198	if (len) {
199	memset(ecount_buf, 0, 16);
200	(*func) (ecount_buf, ecount_buf, 1, key, ivec);
201	++ctr32;
202	PUTU32(ivec + 12, ctr32);
203	if (ctr32 == 0)
204	ctr96_inc(ivec);
205	while (len--) {
206	out[n] = in[n] ^ ecount_buf[n];
207	++n;
208	}
209	}
210
211	*num = n;
212	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.0.1/crypto/modes/ctr128.c@ 94082

Download in other formats: