1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci#include <string.h> 11e1051a39Sopenharmony_ci#include <openssl/crypto.h> 12e1051a39Sopenharmony_ci#include "internal/endian.h" 13e1051a39Sopenharmony_ci#include "crypto/modes.h" 14e1051a39Sopenharmony_ci 15e1051a39Sopenharmony_ci#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT) 16e1051a39Sopenharmony_citypedef size_t size_t_aX __attribute((__aligned__(1))); 17e1051a39Sopenharmony_ci#else 18e1051a39Sopenharmony_citypedef size_t size_t_aX; 19e1051a39Sopenharmony_ci#endif 20e1051a39Sopenharmony_ci 21e1051a39Sopenharmony_ci/* 22e1051a39Sopenharmony_ci * NOTE: the IV/counter CTR mode is big-endian. The code itself is 23e1051a39Sopenharmony_ci * endian-neutral. 24e1051a39Sopenharmony_ci */ 25e1051a39Sopenharmony_ci 26e1051a39Sopenharmony_ci/* increment counter (128-bit int) by 1 */ 27e1051a39Sopenharmony_cistatic void ctr128_inc(unsigned char *counter) 28e1051a39Sopenharmony_ci{ 29e1051a39Sopenharmony_ci u32 n = 16, c = 1; 30e1051a39Sopenharmony_ci 31e1051a39Sopenharmony_ci do { 32e1051a39Sopenharmony_ci --n; 33e1051a39Sopenharmony_ci c += counter[n]; 34e1051a39Sopenharmony_ci counter[n] = (u8)c; 35e1051a39Sopenharmony_ci c >>= 8; 36e1051a39Sopenharmony_ci } while (n); 37e1051a39Sopenharmony_ci} 38e1051a39Sopenharmony_ci 39e1051a39Sopenharmony_ci#if !defined(OPENSSL_SMALL_FOOTPRINT) 40e1051a39Sopenharmony_cistatic void ctr128_inc_aligned(unsigned char *counter) 41e1051a39Sopenharmony_ci{ 42e1051a39Sopenharmony_ci size_t *data, c, d, n; 43e1051a39Sopenharmony_ci DECLARE_IS_ENDIAN; 44e1051a39Sopenharmony_ci 45e1051a39Sopenharmony_ci if (IS_LITTLE_ENDIAN || ((size_t)counter % sizeof(size_t)) != 0) { 46e1051a39Sopenharmony_ci ctr128_inc(counter); 47e1051a39Sopenharmony_ci return; 48e1051a39Sopenharmony_ci } 49e1051a39Sopenharmony_ci 50e1051a39Sopenharmony_ci data = (size_t *)counter; 51e1051a39Sopenharmony_ci c = 1; 52e1051a39Sopenharmony_ci n = 16 / sizeof(size_t); 53e1051a39Sopenharmony_ci do { 54e1051a39Sopenharmony_ci --n; 55e1051a39Sopenharmony_ci d = data[n] += c; 56e1051a39Sopenharmony_ci /* did addition carry? */ 57e1051a39Sopenharmony_ci c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1); 58e1051a39Sopenharmony_ci } while (n); 59e1051a39Sopenharmony_ci} 60e1051a39Sopenharmony_ci#endif 61e1051a39Sopenharmony_ci 62e1051a39Sopenharmony_ci/* 63e1051a39Sopenharmony_ci * The input encrypted as though 128bit counter mode is being used. The 64e1051a39Sopenharmony_ci * extra state information to record how much of the 128bit block we have 65e1051a39Sopenharmony_ci * used is contained in *num, and the encrypted counter is kept in 66e1051a39Sopenharmony_ci * ecount_buf. Both *num and ecount_buf must be initialised with zeros 67e1051a39Sopenharmony_ci * before the first call to CRYPTO_ctr128_encrypt(). This algorithm assumes 68e1051a39Sopenharmony_ci * that the counter is in the x lower bits of the IV (ivec), and that the 69e1051a39Sopenharmony_ci * application has full control over overflow and the rest of the IV. This 70e1051a39Sopenharmony_ci * implementation takes NO responsibility for checking that the counter 71e1051a39Sopenharmony_ci * doesn't overflow into the rest of the IV when incremented. 72e1051a39Sopenharmony_ci */ 73e1051a39Sopenharmony_civoid CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, 74e1051a39Sopenharmony_ci size_t len, const void *key, 75e1051a39Sopenharmony_ci unsigned char ivec[16], 76e1051a39Sopenharmony_ci unsigned char ecount_buf[16], unsigned int *num, 77e1051a39Sopenharmony_ci block128_f block) 78e1051a39Sopenharmony_ci{ 79e1051a39Sopenharmony_ci unsigned int n; 80e1051a39Sopenharmony_ci size_t l = 0; 81e1051a39Sopenharmony_ci 82e1051a39Sopenharmony_ci n = *num; 83e1051a39Sopenharmony_ci 84e1051a39Sopenharmony_ci#if !defined(OPENSSL_SMALL_FOOTPRINT) 85e1051a39Sopenharmony_ci if (16 % sizeof(size_t) == 0) { /* always true actually */ 86e1051a39Sopenharmony_ci do { 87e1051a39Sopenharmony_ci while (n && len) { 88e1051a39Sopenharmony_ci *(out++) = *(in++) ^ ecount_buf[n]; 89e1051a39Sopenharmony_ci --len; 90e1051a39Sopenharmony_ci n = (n + 1) % 16; 91e1051a39Sopenharmony_ci } 92e1051a39Sopenharmony_ci 93e1051a39Sopenharmony_ci# if defined(STRICT_ALIGNMENT) 94e1051a39Sopenharmony_ci if (((size_t)in | (size_t)out | (size_t)ecount_buf) 95e1051a39Sopenharmony_ci % sizeof(size_t) != 0) 96e1051a39Sopenharmony_ci break; 97e1051a39Sopenharmony_ci# endif 98e1051a39Sopenharmony_ci while (len >= 16) { 99e1051a39Sopenharmony_ci (*block) (ivec, ecount_buf, key); 100e1051a39Sopenharmony_ci ctr128_inc_aligned(ivec); 101e1051a39Sopenharmony_ci for (n = 0; n < 16; n += sizeof(size_t)) 102e1051a39Sopenharmony_ci *(size_t_aX *)(out + n) = 103e1051a39Sopenharmony_ci *(size_t_aX *)(in + n) 104e1051a39Sopenharmony_ci ^ *(size_t_aX *)(ecount_buf + n); 105e1051a39Sopenharmony_ci len -= 16; 106e1051a39Sopenharmony_ci out += 16; 107e1051a39Sopenharmony_ci in += 16; 108e1051a39Sopenharmony_ci n = 0; 109e1051a39Sopenharmony_ci } 110e1051a39Sopenharmony_ci if (len) { 111e1051a39Sopenharmony_ci (*block) (ivec, ecount_buf, key); 112e1051a39Sopenharmony_ci ctr128_inc_aligned(ivec); 113e1051a39Sopenharmony_ci while (len--) { 114e1051a39Sopenharmony_ci out[n] = in[n] ^ ecount_buf[n]; 115e1051a39Sopenharmony_ci ++n; 116e1051a39Sopenharmony_ci } 117e1051a39Sopenharmony_ci } 118e1051a39Sopenharmony_ci *num = n; 119e1051a39Sopenharmony_ci return; 120e1051a39Sopenharmony_ci } while (0); 121e1051a39Sopenharmony_ci } 122e1051a39Sopenharmony_ci /* the rest would be commonly eliminated by x86* compiler */ 123e1051a39Sopenharmony_ci#endif 124e1051a39Sopenharmony_ci while (l < len) { 125e1051a39Sopenharmony_ci if (n == 0) { 126e1051a39Sopenharmony_ci (*block) (ivec, ecount_buf, key); 127e1051a39Sopenharmony_ci ctr128_inc(ivec); 128e1051a39Sopenharmony_ci } 129e1051a39Sopenharmony_ci out[l] = in[l] ^ ecount_buf[n]; 130e1051a39Sopenharmony_ci ++l; 131e1051a39Sopenharmony_ci n = (n + 1) % 16; 132e1051a39Sopenharmony_ci } 133e1051a39Sopenharmony_ci 134e1051a39Sopenharmony_ci *num = n; 135e1051a39Sopenharmony_ci} 136e1051a39Sopenharmony_ci 137e1051a39Sopenharmony_ci/* increment upper 96 bits of 128-bit counter by 1 */ 138e1051a39Sopenharmony_cistatic void ctr96_inc(unsigned char *counter) 139e1051a39Sopenharmony_ci{ 140e1051a39Sopenharmony_ci u32 n = 12, c = 1; 141e1051a39Sopenharmony_ci 142e1051a39Sopenharmony_ci do { 143e1051a39Sopenharmony_ci --n; 144e1051a39Sopenharmony_ci c += counter[n]; 145e1051a39Sopenharmony_ci counter[n] = (u8)c; 146e1051a39Sopenharmony_ci c >>= 8; 147e1051a39Sopenharmony_ci } while (n); 148e1051a39Sopenharmony_ci} 149e1051a39Sopenharmony_ci 150e1051a39Sopenharmony_civoid CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, 151e1051a39Sopenharmony_ci size_t len, const void *key, 152e1051a39Sopenharmony_ci unsigned char ivec[16], 153e1051a39Sopenharmony_ci unsigned char ecount_buf[16], 154e1051a39Sopenharmony_ci unsigned int *num, ctr128_f func) 155e1051a39Sopenharmony_ci{ 156e1051a39Sopenharmony_ci unsigned int n, ctr32; 157e1051a39Sopenharmony_ci 158e1051a39Sopenharmony_ci n = *num; 159e1051a39Sopenharmony_ci 160e1051a39Sopenharmony_ci while (n && len) { 161e1051a39Sopenharmony_ci *(out++) = *(in++) ^ ecount_buf[n]; 162e1051a39Sopenharmony_ci --len; 163e1051a39Sopenharmony_ci n = (n + 1) % 16; 164e1051a39Sopenharmony_ci } 165e1051a39Sopenharmony_ci 166e1051a39Sopenharmony_ci ctr32 = GETU32(ivec + 12); 167e1051a39Sopenharmony_ci while (len >= 16) { 168e1051a39Sopenharmony_ci size_t blocks = len / 16; 169e1051a39Sopenharmony_ci /* 170e1051a39Sopenharmony_ci * 1<<28 is just a not-so-small yet not-so-large number... 171e1051a39Sopenharmony_ci * Below condition is practically never met, but it has to 172e1051a39Sopenharmony_ci * be checked for code correctness. 173e1051a39Sopenharmony_ci */ 174e1051a39Sopenharmony_ci if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) 175e1051a39Sopenharmony_ci blocks = (1U << 28); 176e1051a39Sopenharmony_ci /* 177e1051a39Sopenharmony_ci * As (*func) operates on 32-bit counter, caller 178e1051a39Sopenharmony_ci * has to handle overflow. 'if' below detects the 179e1051a39Sopenharmony_ci * overflow, which is then handled by limiting the 180e1051a39Sopenharmony_ci * amount of blocks to the exact overflow point... 181e1051a39Sopenharmony_ci */ 182e1051a39Sopenharmony_ci ctr32 += (u32)blocks; 183e1051a39Sopenharmony_ci if (ctr32 < blocks) { 184e1051a39Sopenharmony_ci blocks -= ctr32; 185e1051a39Sopenharmony_ci ctr32 = 0; 186e1051a39Sopenharmony_ci } 187e1051a39Sopenharmony_ci (*func) (in, out, blocks, key, ivec); 188e1051a39Sopenharmony_ci /* (*ctr) does not update ivec, caller does: */ 189e1051a39Sopenharmony_ci PUTU32(ivec + 12, ctr32); 190e1051a39Sopenharmony_ci /* ... overflow was detected, propagate carry. */ 191e1051a39Sopenharmony_ci if (ctr32 == 0) 192e1051a39Sopenharmony_ci ctr96_inc(ivec); 193e1051a39Sopenharmony_ci blocks *= 16; 194e1051a39Sopenharmony_ci len -= blocks; 195e1051a39Sopenharmony_ci out += blocks; 196e1051a39Sopenharmony_ci in += blocks; 197e1051a39Sopenharmony_ci } 198e1051a39Sopenharmony_ci if (len) { 199e1051a39Sopenharmony_ci memset(ecount_buf, 0, 16); 200e1051a39Sopenharmony_ci (*func) (ecount_buf, ecount_buf, 1, key, ivec); 201e1051a39Sopenharmony_ci ++ctr32; 202e1051a39Sopenharmony_ci PUTU32(ivec + 12, ctr32); 203e1051a39Sopenharmony_ci if (ctr32 == 0) 204e1051a39Sopenharmony_ci ctr96_inc(ivec); 205e1051a39Sopenharmony_ci while (len--) { 206e1051a39Sopenharmony_ci out[n] = in[n] ^ ecount_buf[n]; 207e1051a39Sopenharmony_ci ++n; 208e1051a39Sopenharmony_ci } 209e1051a39Sopenharmony_ci } 210e1051a39Sopenharmony_ci 211e1051a39Sopenharmony_ci *num = n; 212e1051a39Sopenharmony_ci} 213