jcs.org
jcs's openbsd hax
openbsd
1/* $OpenBSD: ctr128.c,v 1.18 2025/05/18 09:05:59 jsing Exp $ */
2/* ====================================================================
3 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@openssl.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 */
51
52#include <string.h>
53
54#include <openssl/crypto.h>
55
56#include "crypto_internal.h"
57#include "modes_local.h"
58
59/* NOTE: the IV/counter CTR mode is big-endian. The code itself
60 * is endian-neutral. */
61
62/* increment counter (128-bit int) by 1 */
63static void
64ctr128_inc(unsigned char *counter)
65{
66 uint32_t n = 16;
67 uint8_t c;
68
69 do {
70 --n;
71 c = counter[n];
72 ++c;
73 counter[n] = c;
74 if (c)
75 return;
76 } while (n);
77}
78
79static void
80ctr128_inc_aligned(unsigned char *counter)
81{
82#if BYTE_ORDER == LITTLE_ENDIAN
83 ctr128_inc(counter);
84#else
85 size_t *data, c, n;
86 data = (size_t *)counter;
87 n = 16 / sizeof(size_t);
88 do {
89 --n;
90 c = data[n];
91 ++c;
92 data[n] = c;
93 if (c)
94 return;
95 } while (n);
96#endif
97}
98
99/* The input encrypted as though 128bit counter mode is being
100 * used. The extra state information to record how much of the
101 * 128bit block we have used is contained in *num, and the
102 * encrypted counter is kept in ecount_buf. Both *num and
103 * ecount_buf must be initialised with zeros before the first
104 * call to CRYPTO_ctr128_encrypt().
105 *
106 * This algorithm assumes that the counter is in the x lower bits
107 * of the IV (ivec), and that the application has full control over
108 * overflow and the rest of the IV. This implementation takes NO
109 * responsibility for checking that the counter doesn't overflow
110 * into the rest of the IV when incremented.
111 */
112void
113CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
114 size_t len, const void *key,
115 unsigned char ivec[16], unsigned char ecount_buf[16],
116 unsigned int *num, block128_f block)
117{
118 unsigned int n = *num;
119 size_t l = 0;
120
121 OPENSSL_assert(n < 16);
122
123 if (16 % sizeof(size_t) == 0)
124 do { /* always true actually */
125 while (n && len) {
126 *(out++) = *(in++) ^ ecount_buf[n];
127 --len;
128 n = (n + 1) % 16;
129 }
130
131#ifdef __STRICT_ALIGNMENT
132 if (((size_t)in|(size_t)out|(size_t)ivec) %
133 sizeof(size_t) != 0)
134 break;
135#endif
136 while (len >= 16) {
137 (*block)(ivec, ecount_buf, key);
138 ctr128_inc_aligned(ivec);
139 for (; n < 16; n += sizeof(size_t))
140 *(size_t *)(out + n) =
141 *(size_t *)(in + n) ^ *(size_t *)(ecount_buf +
142 n);
143 len -= 16;
144 out += 16;
145 in += 16;
146 n = 0;
147 }
148 if (len) {
149 (*block)(ivec, ecount_buf, key);
150 ctr128_inc_aligned(ivec);
151 while (len--) {
152 out[n] = in[n] ^ ecount_buf[n];
153 ++n;
154 }
155 }
156 *num = n;
157 return;
158 } while (0);
159 /* the rest would be commonly eliminated by x86* compiler */
160 while (l < len) {
161 if (n == 0) {
162 (*block)(ivec, ecount_buf, key);
163 ctr128_inc(ivec);
164 }
165 out[l] = in[l] ^ ecount_buf[n];
166 ++l;
167 n = (n + 1) % 16;
168 }
169
170 *num = n;
171}
172LCRYPTO_ALIAS(CRYPTO_ctr128_encrypt);
173
174/* increment upper 96 bits of 128-bit counter by 1 */
175static void
176ctr96_inc(unsigned char *counter)
177{
178 uint32_t n = 12;
179 uint8_t c;
180
181 do {
182 --n;
183 c = counter[n];
184 ++c;
185 counter[n] = c;
186 if (c)
187 return;
188 } while (n);
189}
190
191void
192CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
193 size_t len, const void *key,
194 unsigned char ivec[16], unsigned char ecount_buf[16],
195 unsigned int *num, ctr128_f func)
196{
197 unsigned int n = *num;
198 unsigned int ctr32;
199
200 OPENSSL_assert(n < 16);
201
202 while (n && len) {
203 *(out++) = *(in++) ^ ecount_buf[n];
204 --len;
205 n = (n + 1) % 16;
206 }
207
208 ctr32 = crypto_load_be32toh(&ivec[12]);
209
210 while (len >= 16) {
211 size_t blocks = len/16;
212 /*
213 * 1<<28 is just a not-so-small yet not-so-large number...
214 * Below condition is practically never met, but it has to
215 * be checked for code correctness.
216 */
217 if (sizeof(size_t) > sizeof(unsigned int) &&
218 blocks > (1U << 28))
219 blocks = (1U << 28);
220 /*
221 * As (*func) operates on 32-bit counter, caller
222 * has to handle overflow. 'if' below detects the
223 * overflow, which is then handled by limiting the
224 * amount of blocks to the exact overflow point...
225 */
226 ctr32 += (uint32_t)blocks;
227 if (ctr32 < blocks) {
228 blocks -= ctr32;
229 ctr32 = 0;
230 }
231 (*func)(in, out, blocks, key, ivec);
232 /* (*ctr) does not update ivec, caller does: */
233 crypto_store_htobe32(&ivec[12], ctr32);
234 /* ... overflow was detected, propagate carry. */
235 if (ctr32 == 0)
236 ctr96_inc(ivec);
237 blocks *= 16;
238 len -= blocks;
239 out += blocks;
240 in += blocks;
241 }
242 if (len) {
243 memset(ecount_buf, 0, 16);
244 (*func)(ecount_buf, ecount_buf, 1, key, ivec);
245 ++ctr32;
246 crypto_store_htobe32(&ivec[12], ctr32);
247 if (ctr32 == 0)
248 ctr96_inc(ivec);
249 while (len--) {
250 out[n] = in[n] ^ ecount_buf[n];
251 ++n;
252 }
253 }
254
255 *num = n;
256}
257LCRYPTO_ALIAS(CRYPTO_ctr128_encrypt_ctr32);