xref: /openbsd/lib/libcrypto/modes/ctr128.c (revision 0e3d1220) 
1*0e3d1220Sbeck /* $OpenBSD: ctr128.c,v 1.11 2023/07/08 14:56:54 beck Exp $ */
2f1535dc8Sdjm /* ====================================================================
3f1535dc8Sdjm  * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
4f1535dc8Sdjm  *
5f1535dc8Sdjm  * Redistribution and use in source and binary forms, with or without
6f1535dc8Sdjm  * modification, are permitted provided that the following conditions
7f1535dc8Sdjm  * are met:
8f1535dc8Sdjm  *
9f1535dc8Sdjm  * 1. Redistributions of source code must retain the above copyright
10f1535dc8Sdjm  *    notice, this list of conditions and the following disclaimer.
11f1535dc8Sdjm  *
12f1535dc8Sdjm  * 2. Redistributions in binary form must reproduce the above copyright
13f1535dc8Sdjm  *    notice, this list of conditions and the following disclaimer in
14f1535dc8Sdjm  *    the documentation and/or other materials provided with the
15f1535dc8Sdjm  *    distribution.
16f1535dc8Sdjm  *
17f1535dc8Sdjm  * 3. All advertising materials mentioning features or use of this
18f1535dc8Sdjm  *    software must display the following acknowledgment:
19f1535dc8Sdjm  *    "This product includes software developed by the OpenSSL Project
20f1535dc8Sdjm  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21f1535dc8Sdjm  *
22f1535dc8Sdjm  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23f1535dc8Sdjm  *    endorse or promote products derived from this software without
24f1535dc8Sdjm  *    prior written permission. For written permission, please contact
25f1535dc8Sdjm  *    openssl-core@openssl.org.
26f1535dc8Sdjm  *
27f1535dc8Sdjm  * 5. Products derived from this software may not be called "OpenSSL"
28f1535dc8Sdjm  *    nor may "OpenSSL" appear in their names without prior written
29f1535dc8Sdjm  *    permission of the OpenSSL Project.
30f1535dc8Sdjm  *
31f1535dc8Sdjm  * 6. Redistributions of any form whatsoever must retain the following
32f1535dc8Sdjm  *    acknowledgment:
33f1535dc8Sdjm  *    "This product includes software developed by the OpenSSL Project
34f1535dc8Sdjm  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35f1535dc8Sdjm  *
36f1535dc8Sdjm  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37f1535dc8Sdjm  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38f1535dc8Sdjm  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39f1535dc8Sdjm  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40f1535dc8Sdjm  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41f1535dc8Sdjm  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42f1535dc8Sdjm  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43f1535dc8Sdjm  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44f1535dc8Sdjm  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45f1535dc8Sdjm  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46f1535dc8Sdjm  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47f1535dc8Sdjm  * OF THE POSSIBILITY OF SUCH DAMAGE.
48f1535dc8Sdjm  * ====================================================================
49f1535dc8Sdjm  *
50f1535dc8Sdjm  */
51f1535dc8Sdjm 
52ec07fdf1Sdjm #include <openssl/crypto.h>
53c9675a23Stb #include "modes_local.h"
54f1535dc8Sdjm #include <string.h>
55f1535dc8Sdjm 
56f1535dc8Sdjm #ifndef MODES_DEBUG
57f1535dc8Sdjm # ifndef NDEBUG
58f1535dc8Sdjm #  define NDEBUG
59f1535dc8Sdjm # endif
60f1535dc8Sdjm #endif
61f1535dc8Sdjm #include <assert.h>
62f1535dc8Sdjm 
63f1535dc8Sdjm /* NOTE: the IV/counter CTR mode is big-endian.  The code itself
64f1535dc8Sdjm  * is endian-neutral. */
65f1535dc8Sdjm 
66f1535dc8Sdjm /* increment counter (128-bit int) by 1 */
670451f6ceSbeck static void
ctr128_inc(unsigned char * counter)680451f6ceSbeck ctr128_inc(unsigned char *counter)
690451f6ceSbeck {
70f1535dc8Sdjm 	u32 n = 16;
71f1535dc8Sdjm 	u8  c;
72f1535dc8Sdjm 
73f1535dc8Sdjm 	do {
74f1535dc8Sdjm 		--n;
75f1535dc8Sdjm 		c = counter[n];
76f1535dc8Sdjm 		++c;
77f1535dc8Sdjm 		counter[n] = c;
780451f6ceSbeck 		if (c)
790451f6ceSbeck 			return;
80f1535dc8Sdjm 	} while (n);
81f1535dc8Sdjm }
82f1535dc8Sdjm 
83f1535dc8Sdjm #if !defined(OPENSSL_SMALL_FOOTPRINT)
8421951995Smiod static void
ctr128_inc_aligned(unsigned char * counter)8521951995Smiod ctr128_inc_aligned(unsigned char *counter)
8621951995Smiod {
8742077c12Sbcook #if BYTE_ORDER == LITTLE_ENDIAN
88f1535dc8Sdjm 	ctr128_inc(counter);
8942077c12Sbcook #else
9042077c12Sbcook 	size_t *data, c, n;
91f1535dc8Sdjm 	data = (size_t *)counter;
92f1535dc8Sdjm 	n = 16 / sizeof(size_t);
93f1535dc8Sdjm 	do {
94f1535dc8Sdjm 		--n;
95f1535dc8Sdjm 		c = data[n];
96f1535dc8Sdjm 		++c;
97f1535dc8Sdjm 		data[n] = c;
9842077c12Sbcook 		if (c)
9942077c12Sbcook 			return;
100f1535dc8Sdjm 	} while (n);
10142077c12Sbcook #endif
102f1535dc8Sdjm }
103f1535dc8Sdjm #endif
104f1535dc8Sdjm 
105f1535dc8Sdjm /* The input encrypted as though 128bit counter mode is being
106f1535dc8Sdjm  * used.  The extra state information to record how much of the
107f1535dc8Sdjm  * 128bit block we have used is contained in *num, and the
108f1535dc8Sdjm  * encrypted counter is kept in ecount_buf.  Both *num and
109f1535dc8Sdjm  * ecount_buf must be initialised with zeros before the first
110f1535dc8Sdjm  * call to CRYPTO_ctr128_encrypt().
111f1535dc8Sdjm  *
112f1535dc8Sdjm  * This algorithm assumes that the counter is in the x lower bits
113f1535dc8Sdjm  * of the IV (ivec), and that the application has full control over
114f1535dc8Sdjm  * overflow and the rest of the IV.  This implementation takes NO
11571743258Sjmc  * responsibility for checking that the counter doesn't overflow
116f1535dc8Sdjm  * into the rest of the IV when incremented.
117f1535dc8Sdjm  */
1180451f6ceSbeck void
CRYPTO_ctr128_encrypt(const unsigned char * in,unsigned char * out,size_t len,const void * key,unsigned char ivec[16],unsigned char ecount_buf[16],unsigned int * num,block128_f block)1190451f6ceSbeck CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
120f1535dc8Sdjm     size_t len, const void *key,
121f1535dc8Sdjm     unsigned char ivec[16], unsigned char ecount_buf[16],
122f1535dc8Sdjm     unsigned int *num, block128_f block)
123f1535dc8Sdjm {
124f1535dc8Sdjm 	unsigned int n;
125f1535dc8Sdjm 	size_t l = 0;
126f1535dc8Sdjm 
127f1535dc8Sdjm 	assert(*num < 16);
128f1535dc8Sdjm 
129f1535dc8Sdjm 	n = *num;
130f1535dc8Sdjm 
131f1535dc8Sdjm #if !defined(OPENSSL_SMALL_FOOTPRINT)
1320451f6ceSbeck 	if (16 % sizeof(size_t) == 0)
1330451f6ceSbeck 		do { /* always true actually */
134f1535dc8Sdjm 			while (n && len) {
135f1535dc8Sdjm 				*(out++) = *(in++) ^ ecount_buf[n];
136f1535dc8Sdjm 				--len;
137f1535dc8Sdjm 				n = (n + 1) % 16;
138f1535dc8Sdjm 			}
139f1535dc8Sdjm 
140d57444e6Smiod #ifdef __STRICT_ALIGNMENT
1410451f6ceSbeck 			if (((size_t)in|(size_t)out|(size_t)ivec) %
1420451f6ceSbeck 			    sizeof(size_t) != 0)
143f1535dc8Sdjm 				break;
144f1535dc8Sdjm #endif
145f1535dc8Sdjm 			while (len >= 16) {
146f1535dc8Sdjm 				(*block)(ivec, ecount_buf, key);
147f1535dc8Sdjm 				ctr128_inc_aligned(ivec);
148f1535dc8Sdjm 				for (; n < 16; n += sizeof(size_t))
149f1535dc8Sdjm 					*(size_t *)(out + n) =
1500451f6ceSbeck 					    *(size_t *)(in + n) ^ *(size_t *)(ecount_buf +
1510451f6ceSbeck 					    n);
152f1535dc8Sdjm 				len -= 16;
153f1535dc8Sdjm 				out += 16;
154f1535dc8Sdjm 				in += 16;
155f1535dc8Sdjm 				n = 0;
156f1535dc8Sdjm 			}
157f1535dc8Sdjm 			if (len) {
158f1535dc8Sdjm 				(*block)(ivec, ecount_buf, key);
159f1535dc8Sdjm 				ctr128_inc_aligned(ivec);
160f1535dc8Sdjm 				while (len--) {
161f1535dc8Sdjm 					out[n] = in[n] ^ ecount_buf[n];
162f1535dc8Sdjm 					++n;
163f1535dc8Sdjm 				}
164f1535dc8Sdjm 			}
165f1535dc8Sdjm 			*num = n;
166f1535dc8Sdjm 			return;
167f1535dc8Sdjm 		} while (0);
168f1535dc8Sdjm 	/* the rest would be commonly eliminated by x86* compiler */
169f1535dc8Sdjm #endif
170f1535dc8Sdjm 	while (l < len) {
171f1535dc8Sdjm 		if (n == 0) {
172f1535dc8Sdjm 			(*block)(ivec, ecount_buf, key);
173f1535dc8Sdjm 			ctr128_inc(ivec);
174f1535dc8Sdjm 		}
175f1535dc8Sdjm 		out[l] = in[l] ^ ecount_buf[n];
176f1535dc8Sdjm 		++l;
177f1535dc8Sdjm 		n = (n + 1) % 16;
178f1535dc8Sdjm 	}
179f1535dc8Sdjm 
180f1535dc8Sdjm 	*num = n;
181f1535dc8Sdjm }
182*0e3d1220Sbeck LCRYPTO_ALIAS(CRYPTO_ctr128_encrypt);
183ec07fdf1Sdjm 
184ec07fdf1Sdjm /* increment upper 96 bits of 128-bit counter by 1 */
1850451f6ceSbeck static void
ctr96_inc(unsigned char * counter)1860451f6ceSbeck ctr96_inc(unsigned char *counter)
1870451f6ceSbeck {
188ec07fdf1Sdjm 	u32 n = 12;
189ec07fdf1Sdjm 	u8  c;
190ec07fdf1Sdjm 
191ec07fdf1Sdjm 	do {
192ec07fdf1Sdjm 		--n;
193ec07fdf1Sdjm 		c = counter[n];
194ec07fdf1Sdjm 		++c;
195ec07fdf1Sdjm 		counter[n] = c;
1960451f6ceSbeck 		if (c)
1970451f6ceSbeck 			return;
198ec07fdf1Sdjm 	} while (n);
199ec07fdf1Sdjm }
200ec07fdf1Sdjm 
2010451f6ceSbeck void
CRYPTO_ctr128_encrypt_ctr32(const unsigned char * in,unsigned char * out,size_t len,const void * key,unsigned char ivec[16],unsigned char ecount_buf[16],unsigned int * num,ctr128_f func)2020451f6ceSbeck CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
203ec07fdf1Sdjm     size_t len, const void *key,
204ec07fdf1Sdjm     unsigned char ivec[16], unsigned char ecount_buf[16],
205ec07fdf1Sdjm     unsigned int *num, ctr128_f func)
206ec07fdf1Sdjm {
207ec07fdf1Sdjm 	unsigned int n, ctr32;
208ec07fdf1Sdjm 
209ec07fdf1Sdjm 	assert(*num < 16);
210ec07fdf1Sdjm 
211ec07fdf1Sdjm 	n = *num;
212ec07fdf1Sdjm 
213ec07fdf1Sdjm 	while (n && len) {
214ec07fdf1Sdjm 		*(out++) = *(in++) ^ ecount_buf[n];
215ec07fdf1Sdjm 		--len;
216ec07fdf1Sdjm 		n = (n + 1) % 16;
217ec07fdf1Sdjm 	}
218ec07fdf1Sdjm 
219ec07fdf1Sdjm 	ctr32 = GETU32(ivec + 12);
220ec07fdf1Sdjm 	while (len >= 16) {
221ec07fdf1Sdjm 		size_t blocks = len/16;
222ec07fdf1Sdjm 		/*
223ec07fdf1Sdjm 		 * 1<<28 is just a not-so-small yet not-so-large number...
224ec07fdf1Sdjm 		 * Below condition is practically never met, but it has to
225ec07fdf1Sdjm 		 * be checked for code correctness.
226ec07fdf1Sdjm 		 */
2270451f6ceSbeck 		if (sizeof(size_t) > sizeof(unsigned int) &&
2280451f6ceSbeck 		    blocks > (1U << 28))
229ec07fdf1Sdjm 			blocks = (1U << 28);
230ec07fdf1Sdjm 		/*
231ec07fdf1Sdjm 		 * As (*func) operates on 32-bit counter, caller
232ec07fdf1Sdjm 		 * has to handle overflow. 'if' below detects the
233ec07fdf1Sdjm 		 * overflow, which is then handled by limiting the
234ec07fdf1Sdjm 		 * amount of blocks to the exact overflow point...
235ec07fdf1Sdjm 		 */
236ec07fdf1Sdjm 		ctr32 += (u32)blocks;
237ec07fdf1Sdjm 		if (ctr32 < blocks) {
238ec07fdf1Sdjm 			blocks -= ctr32;
239ec07fdf1Sdjm 			ctr32 = 0;
240ec07fdf1Sdjm 		}
241ec07fdf1Sdjm 		(*func)(in, out, blocks, key, ivec);
242ec07fdf1Sdjm 		/* (*ctr) does not update ivec, caller does: */
243ec07fdf1Sdjm 		PUTU32(ivec + 12, ctr32);
24471743258Sjmc 		/* ... overflow was detected, propagate carry. */
2450451f6ceSbeck 		if (ctr32 == 0)
2460451f6ceSbeck 			ctr96_inc(ivec);
247ec07fdf1Sdjm 		blocks *= 16;
248ec07fdf1Sdjm 		len -= blocks;
249ec07fdf1Sdjm 		out += blocks;
250ec07fdf1Sdjm 		in += blocks;
251ec07fdf1Sdjm 	}
252ec07fdf1Sdjm 	if (len) {
253ec07fdf1Sdjm 		memset(ecount_buf, 0, 16);
254ec07fdf1Sdjm 		(*func)(ecount_buf, ecount_buf, 1, key, ivec);
255ec07fdf1Sdjm 		++ctr32;
256ec07fdf1Sdjm 		PUTU32(ivec + 12, ctr32);
2570451f6ceSbeck 		if (ctr32 == 0)
2580451f6ceSbeck 			ctr96_inc(ivec);
259ec07fdf1Sdjm 		while (len--) {
260ec07fdf1Sdjm 			out[n] = in[n] ^ ecount_buf[n];
261ec07fdf1Sdjm 			++n;
262ec07fdf1Sdjm 		}
263ec07fdf1Sdjm 	}
264ec07fdf1Sdjm 
265ec07fdf1Sdjm 	*num = n;
266ec07fdf1Sdjm }
267*0e3d1220Sbeck LCRYPTO_ALIAS(CRYPTO_ctr128_encrypt_ctr32);
268