1 /* cfb.c
2 
3    Cipher feedback mode.
4 
5    Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov
6    Copyright (C) 2001, 2011 Niels Möller
7 
8    This file is part of GNU Nettle.
9 
10    GNU Nettle is free software: you can redistribute it and/or
11    modify it under the terms of either:
12 
13      * the GNU Lesser General Public License as published by the Free
14        Software Foundation; either version 3 of the License, or (at your
15        option) any later version.
16 
17    or
18 
19      * the GNU General Public License as published by the Free
20        Software Foundation; either version 2 of the License, or (at your
21        option) any later version.
22 
23    or both in parallel, as here.
24 
25    GNU Nettle is distributed in the hope that it will be useful,
26    but WITHOUT ANY WARRANTY; without even the implied warranty of
27    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
28    General Public License for more details.
29 
30    You should have received copies of the GNU General Public License and
31    the GNU Lesser General Public License along with this program.  If
32    not, see http://www.gnu.org/licenses/.
33 */
34 
35 #if HAVE_CONFIG_H
36 # include "config.h"
37 #endif
38 
39 #include <assert.h>
40 #include <stdlib.h>
41 #include <string.h>
42 
43 #include "cfb.h"
44 
45 #include "memxor.h"
46 #include "nettle-internal.h"
47 
/* CFB-encrypt LENGTH bytes from SRC into DST.

   F is applied, with context CTX, to the current feedback register and
   the result is XORed with the plaintext.  The feedback register is IV
   for the first block and the previously written ciphertext block after
   that.  SRC may equal DST; that in-place case goes through a scratch
   block so the plaintext is not overwritten before it is XORed.

   On return IV holds the last whole ciphertext block, if any whole block
   was processed.  A trailing partial block (LENGTH not a multiple of
   BLOCK_SIZE) is encrypted with F(IV) but IV is NOT advanced.  Such a
   call must therefore be the last one of the message: continuing with
   the same IV and key would apply the same F(IV) keystream block again. */
void
cfb_encrypt(const void *ctx, nettle_cipher_func *f,
	    size_t block_size, uint8_t *iv,
	    size_t length, uint8_t *dst,
	    const uint8_t *src)
{
  /* Block fed to F next: IV at first, then the newest ciphertext block. */
  uint8_t *feedback = iv;
  const int in_place = (src == dst);
  /* TMP_DECL/TMP_ALLOC come from nettle-internal.h (not shown here); they
     provide a scratch area of block_size bytes. */
  TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE);

  TMP_ALLOC(buffer, block_size);

  while (length >= block_size)
    {
      if (in_place)
	{
	  /* dst still holds the plaintext: keep the keystream in the
	     scratch block and fold it in afterwards. */
	  f(ctx, block_size, buffer, feedback);
	  memxor(dst, buffer, block_size);
	}
      else
	{
	  /* Write the keystream straight to dst, then XOR the plaintext. */
	  f(ctx, block_size, dst, feedback);
	  memxor(dst, src, block_size);
	}

      feedback = dst;
      dst += block_size;
      src += block_size;
      length -= block_size;
    }

  /* Save the last ciphertext block as the IV for a following call. */
  if (feedback != iv)
    memcpy(iv, feedback, block_size);

  if (length)
    {
      /* Final partial block.  IV is deliberately left untouched: this is
	 the last call of the message and the caller has to set a new IV
	 before encrypting anything else. */
      f(ctx, block_size, buffer, iv);
      memxor3(dst, buffer, src, length);
    }
}
87 
88 /* Don't allocate any more space than this on the stack */
89 #define CFB_BUFFER_LIMIT 512
90 
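/* CFB-decrypt LENGTH bytes from SRC into DST.

   F is applied to the feedback register in the same way as in
   cfb_encrypt, so the same cipher function is passed for both
   directions.  IV is the feedback register on entry; after any whole
   blocks have been processed it holds the last ciphertext block.  A
   trailing partial block is decrypted with F(IV) and does not update IV.

   SRC and DST must be either identical (in-place) or non-overlapping:
   the out-of-place path writes DST before it reads SRC again.

   BLOCK_SIZE must be non-zero and, for in-place operation, at most
   CFB_BUFFER_LIMIT.  Both conditions are checked with assert(), so they
   are not enforced in builds that define NDEBUG. */
void
cfb_decrypt(const void *ctx, nettle_cipher_func *f,
	    size_t block_size, uint8_t *iv,
	    size_t length, uint8_t *dst,
	    const uint8_t *src)
{
  size_t left;

  /* The modulo operations below are undefined for a zero block size. */
  assert(block_size > 0);

  /* Split the input into whole blocks (length) and a tail (left). */
  left = length % block_size;
  length -= left;

  if (src != dst)
    {
      if (length > 0)
	{
	  /* All feedback inputs are already known (IV, then the
	     ciphertext blocks), so run F over them in one ECB-style
	     pass and XOR the ciphertext in afterwards. */
	  f(ctx, block_size, dst, iv);
	  f(ctx, length - block_size, dst + block_size, src);
	  memcpy(iv, src + length - block_size, block_size);
	  memxor(dst, src, length);
	}

      if (left > 0)
	{
	  TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE);
	  TMP_ALLOC(buffer, block_size);

	  f(ctx, block_size, buffer, iv);
	  memxor3(dst + length, src + length, buffer, left);
	}
    }
  else
    {
      /* For in-place CFB, we decrypt into a temporary buffer of size
       * at most CFB_BUFFER_LIMIT, and process that amount of data at
       * a time. */
      TMP_DECL(buffer, uint8_t, CFB_BUFFER_LIMIT);
      size_t buffer_size;

      /* A larger block size would make buffer_size zero, while F would
	 still be asked to write block_size bytes into the buffer. */
      assert(block_size <= CFB_BUFFER_LIMIT);

      /* Largest multiple of block_size that fits in the limit. */
      buffer_size = CFB_BUFFER_LIMIT - (CFB_BUFFER_LIMIT % block_size);

      TMP_ALLOC(buffer, buffer_size);

      while (length > 0)
	{
	  size_t part = length > buffer_size ? buffer_size : length;

	  /* length is greater than zero and a multiple of block_size, so
	   * it is not less than block_size.  The same holds for part. */

	  f(ctx, block_size, buffer, iv);
	  f(ctx, part - block_size, buffer + block_size, dst);
	  /* Save the last ciphertext block before it is overwritten. */
	  memcpy(iv, dst + part - block_size, block_size);
	  memxor(dst, buffer, part);

	  length -= part;
	  dst += part;
	}

      if (left > 0)
	{
	  f(ctx, block_size, buffer, iv);
	  memxor(dst, buffer, left);
	}
    }
}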
165 
166 /* CFB-8 uses slight optimization: it encrypts or decrypts up to block_size
167  * bytes and does memcpy/memxor afterwards */
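/* CFB-8 encrypt LENGTH bytes from SRC into DST, one byte at a time.

   F is called once per byte on a BLOCK_SIZE-byte shift register, and
   only the first output byte is used as keystream.  The shift register
   starts as IV; on return IV holds the final register, so a following
   call continues the same stream at any byte boundary.

   The register is kept as a sliding window in a 2 * BLOCK_SIZE buffer:
   each new ciphertext byte is appended, and the window is copied back to
   the front only once per BLOCK_SIZE bytes. */
void
cfb8_encrypt(const void *ctx, nettle_cipher_func *f,
	     size_t block_size, uint8_t *iv,
	     size_t length, uint8_t *dst,
	     const uint8_t *src)
{
  TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2);
  TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE);
  TMP_ALLOC(buffer, block_size * 2);
  TMP_ALLOC(outbuf, block_size);
  /* Window offset.  It is compared with block_size, so it has the same
     type: a narrower counter would wrap before reaching a block size
     above 255 and the window would never be moved back. */
  size_t pos;

  memcpy(buffer, iv, block_size);
  pos = 0;
  while (length)
    {
      uint8_t t;

      if (pos == block_size)
	{
	  /* Window reached the end of the buffer: move it to the front. */
	  memcpy(buffer, buffer + block_size, block_size);
	  pos = 0;
	}

      f(ctx, block_size, outbuf, buffer + pos);
      t = *(dst++) = *(src++) ^ outbuf[0];
      /* Append the ciphertext byte to the shift register. */
      buffer[pos + block_size] = t;
      length--;
      pos ++;
    }
  memcpy(iv, buffer + pos, block_size);
}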
200 
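/* CFB-8 decrypt LENGTH bytes from SRC into DST.

   The shift register consists of IV followed by ciphertext bytes, all of
   which are known up front.  Up to BLOCK_SIZE ciphertext bytes are
   therefore staged after the register in a 2 * BLOCK_SIZE buffer, F is
   run at each byte offset, and the first byte of every result is used as
   keystream.  F is still called once per byte.

   On return IV holds the final shift register, so a following call
   continues the same stream at any byte boundary. */
void
cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
	     size_t block_size, uint8_t *iv,
	     size_t length, uint8_t *dst,
	     const uint8_t *src)
{
  TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2);
  TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2);
  TMP_ALLOC(buffer, block_size * 2);
  TMP_ALLOC(outbuf, block_size * 2);
  /* Bytes handled in the current pass.  It is compared with length and
     block_size, so it has the same type: a narrower counter would wrap
     before reaching a block size above 255 and the inner loop would not
     terminate. */
  size_t i = 0;

  memcpy(buffer, iv, block_size);
  memcpy(buffer + block_size, src,
	 length < block_size ? length : block_size);

  while (length)
    {
      /* The call at offset i writes block_size bytes at outbuf + i, but
	 only outbuf[i] survives: the next call overwrites the rest. */
      for (i = 0; i < length && i < block_size; i++)
	f(ctx, block_size, outbuf + i, buffer + i);

      memxor3(dst, src, outbuf, i);

      length -= i;
      src += i;
      dst += i;

      if (i == block_size)
	{
	  /* A whole block is done: the staged ciphertext becomes the new
	     register, and the next ciphertext bytes are staged after it. */
	  memcpy(buffer, buffer + block_size, block_size);
	  memcpy(buffer + block_size, src,
		 length < block_size ? length : block_size);
	}
    }

  /* buffer + i is the register after the last byte processed. */
  memcpy(iv, buffer + i, block_size);
}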
239