1 /* 2 * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/crypto.h> 11 #include "modes_local.h" 12 #include <string.h> 13 14 /* 15 * NOTE: the IV/counter CTR mode is big-endian. The code itself is 16 * endian-neutral. 17 */ 18 19 /* increment counter (128-bit int) by 1 */ 20 static void ctr128_inc(unsigned char *counter) 21 { 22 u32 n = 16, c = 1; 23 24 do { 25 --n; 26 c += counter[n]; 27 counter[n] = (u8)c; 28 c >>= 8; 29 } while (n); 30 } 31 32 #if !defined(OPENSSL_SMALL_FOOTPRINT) 33 static void ctr128_inc_aligned(unsigned char *counter) 34 { 35 size_t *data, c, d, n; 36 const union { 37 long one; 38 char little; 39 } is_endian = { 40 1 41 }; 42 43 if (is_endian.little || ((size_t)counter % sizeof(size_t)) != 0) { 44 ctr128_inc(counter); 45 return; 46 } 47 48 data = (size_t *)counter; 49 c = 1; 50 n = 16 / sizeof(size_t); 51 do { 52 --n; 53 d = data[n] += c; 54 /* did addition carry? */ 55 c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1); 56 } while (n); 57 } 58 #endif 59 60 /* 61 * The input encrypted as though 128bit counter mode is being used. The 62 * extra state information to record how much of the 128bit block we have 63 * used is contained in *num, and the encrypted counter is kept in 64 * ecount_buf. Both *num and ecount_buf must be initialised with zeros 65 * before the first call to CRYPTO_ctr128_encrypt(). This algorithm assumes 66 * that the counter is in the x lower bits of the IV (ivec), and that the 67 * application has full control over overflow and the rest of the IV. This 68 * implementation takes NO responsibility for checking that the counter 69 * doesn't overflow into the rest of the IV when incremented. 70 */ 71 void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, 72 size_t len, const void *key, 73 unsigned char ivec[16], 74 unsigned char ecount_buf[16], unsigned int *num, 75 block128_f block) 76 { 77 unsigned int n; 78 size_t l = 0; 79 80 n = *num; 81 82 #if !defined(OPENSSL_SMALL_FOOTPRINT) 83 if (16 % sizeof(size_t) == 0) { /* always true actually */ 84 do { 85 while (n && len) { 86 *(out++) = *(in++) ^ ecount_buf[n]; 87 --len; 88 n = (n + 1) % 16; 89 } 90 91 # if defined(STRICT_ALIGNMENT) 92 if (((size_t)in | (size_t)out | (size_t)ecount_buf) 93 % sizeof(size_t) != 0) 94 break; 95 # endif 96 while (len >= 16) { 97 (*block) (ivec, ecount_buf, key); 98 ctr128_inc_aligned(ivec); 99 for (n = 0; n < 16; n += sizeof(size_t)) 100 *(size_t *)(out + n) = 101 *(size_t *)(in + n) ^ *(size_t *)(ecount_buf + n); 102 len -= 16; 103 out += 16; 104 in += 16; 105 n = 0; 106 } 107 if (len) { 108 (*block) (ivec, ecount_buf, key); 109 ctr128_inc_aligned(ivec); 110 while (len--) { 111 out[n] = in[n] ^ ecount_buf[n]; 112 ++n; 113 } 114 } 115 *num = n; 116 return; 117 } while (0); 118 } 119 /* the rest would be commonly eliminated by x86* compiler */ 120 #endif 121 while (l < len) { 122 if (n == 0) { 123 (*block) (ivec, ecount_buf, key); 124 ctr128_inc(ivec); 125 } 126 out[l] = in[l] ^ ecount_buf[n]; 127 ++l; 128 n = (n + 1) % 16; 129 } 130 131 *num = n; 132 } 133 134 /* increment upper 96 bits of 128-bit counter by 1 */ 135 static void ctr96_inc(unsigned char *counter) 136 { 137 u32 n = 12, c = 1; 138 139 do { 140 --n; 141 c += counter[n]; 142 counter[n] = (u8)c; 143 c >>= 8; 144 } while (n); 145 } 146 147 void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, 148 size_t len, const void *key, 149 unsigned char ivec[16], 150 unsigned char ecount_buf[16], 151 unsigned int *num, ctr128_f func) 152 { 153 unsigned int n, ctr32; 154 155 n = *num; 156 157 while (n && len) { 158 *(out++) = *(in++) ^ ecount_buf[n]; 159 --len; 160 n = (n + 1) % 16; 161 } 162 163 ctr32 = GETU32(ivec + 12); 164 while (len >= 16) { 165 size_t blocks = len / 16; 166 /* 167 * 1<<28 is just a not-so-small yet not-so-large number... 168 * Below condition is practically never met, but it has to 169 * be checked for code correctness. 170 */ 171 if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) 172 blocks = (1U << 28); 173 /* 174 * As (*func) operates on 32-bit counter, caller 175 * has to handle overflow. 'if' below detects the 176 * overflow, which is then handled by limiting the 177 * amount of blocks to the exact overflow point... 178 */ 179 ctr32 += (u32)blocks; 180 if (ctr32 < blocks) { 181 blocks -= ctr32; 182 ctr32 = 0; 183 } 184 (*func) (in, out, blocks, key, ivec); 185 /* (*ctr) does not update ivec, caller does: */ 186 PUTU32(ivec + 12, ctr32); 187 /* ... overflow was detected, propagate carry. */ 188 if (ctr32 == 0) 189 ctr96_inc(ivec); 190 blocks *= 16; 191 len -= blocks; 192 out += blocks; 193 in += blocks; 194 } 195 if (len) { 196 memset(ecount_buf, 0, 16); 197 (*func) (ecount_buf, ecount_buf, 1, key, ivec); 198 ++ctr32; 199 PUTU32(ivec + 12, ctr32); 200 if (ctr32 == 0) 201 ctr96_inc(ivec); 202 while (len--) { 203 out[n] = in[n] ^ ecount_buf[n]; 204 ++n; 205 } 206 } 207 208 *num = n; 209 } 210