1 /* 2 * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 #include <openssl/crypto.h> 12 #include "crypto/modes.h" 13 14 #if defined(__GNUC__) && !defined(STRICT_ALIGNMENT) 15 typedef size_t size_t_aX __attribute((__aligned__(1))); 16 #else 17 typedef size_t size_t_aX; 18 #endif 19 20 /* 21 * The input and output encrypted as though 128bit cfb mode is being used. 22 * The extra state information to record how much of the 128bit block we have 23 * used is contained in *num; 24 */ 25 void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out, 26 size_t len, const void *key, 27 unsigned char ivec[16], int *num, 28 int enc, block128_f block) 29 { 30 unsigned int n; 31 size_t l = 0; 32 33 if (*num < 0) { 34 /* There is no good way to signal an error return from here */ 35 *num = -1; 36 return; 37 } 38 n = *num; 39 40 if (enc) { 41 #if !defined(OPENSSL_SMALL_FOOTPRINT) 42 if (16 % sizeof(size_t) == 0) { /* always true actually */ 43 do { 44 while (n && len) { 45 *(out++) = ivec[n] ^= *(in++); 46 --len; 47 n = (n + 1) % 16; 48 } 49 # if defined(STRICT_ALIGNMENT) 50 if (((size_t)in | (size_t)out | (size_t)ivec) % 51 sizeof(size_t) != 0) 52 break; 53 # endif 54 while (len >= 16) { 55 (*block) (ivec, ivec, key); 56 for (; n < 16; n += sizeof(size_t)) { 57 *(size_t_aX *)(out + n) = 58 *(size_t_aX *)(ivec + n) 59 ^= *(size_t_aX *)(in + n); 60 } 61 len -= 16; 62 out += 16; 63 in += 16; 64 n = 0; 65 } 66 if (len) { 67 (*block) (ivec, ivec, key); 68 while (len--) { 69 out[n] = ivec[n] ^= in[n]; 70 ++n; 71 } 72 } 73 *num = n; 74 return; 75 } while (0); 76 } 77 /* the rest would be commonly eliminated by x86* compiler */ 78 #endif 79 while (l < len) { 80 if (n == 0) { 81 (*block) (ivec, ivec, key); 82 } 83 out[l] = ivec[n] ^= in[l]; 84 ++l; 85 n = (n + 1) % 16; 86 } 87 *num = n; 88 } else { 89 #if !defined(OPENSSL_SMALL_FOOTPRINT) 90 if (16 % sizeof(size_t) == 0) { /* always true actually */ 91 do { 92 while (n && len) { 93 unsigned char c; 94 *(out++) = ivec[n] ^ (c = *(in++)); 95 ivec[n] = c; 96 --len; 97 n = (n + 1) % 16; 98 } 99 # if defined(STRICT_ALIGNMENT) 100 if (((size_t)in | (size_t)out | (size_t)ivec) % 101 sizeof(size_t) != 0) 102 break; 103 # endif 104 while (len >= 16) { 105 (*block) (ivec, ivec, key); 106 for (; n < 16; n += sizeof(size_t)) { 107 size_t t = *(size_t_aX *)(in + n); 108 *(size_t_aX *)(out + n) 109 = *(size_t_aX *)(ivec + n) ^ t; 110 *(size_t_aX *)(ivec + n) = t; 111 } 112 len -= 16; 113 out += 16; 114 in += 16; 115 n = 0; 116 } 117 if (len) { 118 (*block) (ivec, ivec, key); 119 while (len--) { 120 unsigned char c; 121 out[n] = ivec[n] ^ (c = in[n]); 122 ivec[n] = c; 123 ++n; 124 } 125 } 126 *num = n; 127 return; 128 } while (0); 129 } 130 /* the rest would be commonly eliminated by x86* compiler */ 131 #endif 132 while (l < len) { 133 unsigned char c; 134 if (n == 0) { 135 (*block) (ivec, ivec, key); 136 } 137 out[l] = ivec[n] ^ (c = in[l]); 138 ivec[n] = c; 139 ++l; 140 n = (n + 1) % 16; 141 } 142 *num = n; 143 } 144 } 145 146 /* 147 * This expects a single block of size nbits for both in and out. Note that 148 * it corrupts any extra bits in the last byte of out 149 */ 150 static void cfbr_encrypt_block(const unsigned char *in, unsigned char *out, 151 int nbits, const void *key, 152 unsigned char ivec[16], int enc, 153 block128_f block) 154 { 155 int n, rem, num; 156 unsigned char ovec[16 * 2 + 1]; /* +1 because we dereference (but don't 157 * use) one byte off the end */ 158 159 if (nbits <= 0 || nbits > 128) 160 return; 161 162 /* fill in the first half of the new IV with the current IV */ 163 memcpy(ovec, ivec, 16); 164 /* construct the new IV */ 165 (*block) (ivec, ivec, key); 166 num = (nbits + 7) / 8; 167 if (enc) /* encrypt the input */ 168 for (n = 0; n < num; ++n) 169 out[n] = (ovec[16 + n] = in[n] ^ ivec[n]); 170 else /* decrypt the input */ 171 for (n = 0; n < num; ++n) 172 out[n] = (ovec[16 + n] = in[n]) ^ ivec[n]; 173 /* shift ovec left... */ 174 rem = nbits % 8; 175 num = nbits / 8; 176 if (rem == 0) 177 memcpy(ivec, ovec + num, 16); 178 else 179 for (n = 0; n < 16; ++n) 180 ivec[n] = ovec[n + num] << rem | ovec[n + num + 1] >> (8 - rem); 181 182 /* it is not necessary to cleanse ovec, since the IV is not secret */ 183 } 184 185 /* N.B. This expects the input to be packed, MS bit first */ 186 void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out, 187 size_t bits, const void *key, 188 unsigned char ivec[16], int *num, 189 int enc, block128_f block) 190 { 191 size_t n; 192 unsigned char c[1], d[1]; 193 194 for (n = 0; n < bits; ++n) { 195 c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; 196 cfbr_encrypt_block(c, d, 1, key, ivec, enc, block); 197 out[n / 8] = (out[n / 8] & ~(1 << (unsigned int)(7 - n % 8))) | 198 ((d[0] & 0x80) >> (unsigned int)(n % 8)); 199 } 200 } 201 202 void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, 203 size_t length, const void *key, 204 unsigned char ivec[16], int *num, 205 int enc, block128_f block) 206 { 207 size_t n; 208 209 for (n = 0; n < length; ++n) 210 cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block); 211 } 212