| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | /* | 
|  | 2 | * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. | 
|  | 3 | * | 
|  | 4 | * Licensed under the OpenSSL license (the "License").  You may not use | 
|  | 5 | * this file except in compliance with the License.  You can obtain a copy | 
|  | 6 | * in the file LICENSE in the source distribution or at | 
|  | 7 | * https://www.openssl.org/source/license.html | 
|  | 8 | */ | 
|  | 9 |  | 
|  | 10 | #include <openssl/crypto.h> | 
|  | 11 | #include "modes_local.h" | 
|  | 12 | #include <string.h> | 
|  | 13 |  | 
|  | 14 | #if defined(__GNUC__) && !defined(STRICT_ALIGNMENT) | 
|  | 15 | typedef size_t size_t_aX __attribute((__aligned__(1))); | 
|  | 16 | #else | 
|  | 17 | typedef size_t size_t_aX; | 
|  | 18 | #endif | 
|  | 19 |  | 
|  | 20 | /* | 
|  | 21 | * The input and output encrypted as though 128bit cfb mode is being used. | 
|  | 22 | * The extra state information to record how much of the 128bit block we have | 
|  | 23 | * used is contained in *num; | 
|  | 24 | */ | 
|  | 25 | void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out, | 
|  | 26 | size_t len, const void *key, | 
|  | 27 | unsigned char ivec[16], int *num, | 
|  | 28 | int enc, block128_f block) | 
|  | 29 | { | 
|  | 30 | unsigned int n; | 
|  | 31 | size_t l = 0; | 
|  | 32 |  | 
|  | 33 | n = *num; | 
|  | 34 |  | 
|  | 35 | if (enc) { | 
|  | 36 | #if !defined(OPENSSL_SMALL_FOOTPRINT) | 
|  | 37 | if (16 % sizeof(size_t) == 0) { /* always true actually */ | 
|  | 38 | do { | 
|  | 39 | while (n && len) { | 
|  | 40 | *(out++) = ivec[n] ^= *(in++); | 
|  | 41 | --len; | 
|  | 42 | n = (n + 1) % 16; | 
|  | 43 | } | 
|  | 44 | # if defined(STRICT_ALIGNMENT) | 
|  | 45 | if (((size_t)in | (size_t)out | (size_t)ivec) % | 
|  | 46 | sizeof(size_t) != 0) | 
|  | 47 | break; | 
|  | 48 | # endif | 
|  | 49 | while (len >= 16) { | 
|  | 50 | (*block) (ivec, ivec, key); | 
|  | 51 | for (; n < 16; n += sizeof(size_t)) { | 
|  | 52 | *(size_t_aX *)(out + n) = | 
|  | 53 | *(size_t_aX *)(ivec + n) | 
|  | 54 | ^= *(size_t_aX *)(in + n); | 
|  | 55 | } | 
|  | 56 | len -= 16; | 
|  | 57 | out += 16; | 
|  | 58 | in += 16; | 
|  | 59 | n = 0; | 
|  | 60 | } | 
|  | 61 | if (len) { | 
|  | 62 | (*block) (ivec, ivec, key); | 
|  | 63 | while (len--) { | 
|  | 64 | out[n] = ivec[n] ^= in[n]; | 
|  | 65 | ++n; | 
|  | 66 | } | 
|  | 67 | } | 
|  | 68 | *num = n; | 
|  | 69 | return; | 
|  | 70 | } while (0); | 
|  | 71 | } | 
|  | 72 | /* the rest would be commonly eliminated by x86* compiler */ | 
|  | 73 | #endif | 
|  | 74 | while (l < len) { | 
|  | 75 | if (n == 0) { | 
|  | 76 | (*block) (ivec, ivec, key); | 
|  | 77 | } | 
|  | 78 | out[l] = ivec[n] ^= in[l]; | 
|  | 79 | ++l; | 
|  | 80 | n = (n + 1) % 16; | 
|  | 81 | } | 
|  | 82 | *num = n; | 
|  | 83 | } else { | 
|  | 84 | #if !defined(OPENSSL_SMALL_FOOTPRINT) | 
|  | 85 | if (16 % sizeof(size_t) == 0) { /* always true actually */ | 
|  | 86 | do { | 
|  | 87 | while (n && len) { | 
|  | 88 | unsigned char c; | 
|  | 89 | *(out++) = ivec[n] ^ (c = *(in++)); | 
|  | 90 | ivec[n] = c; | 
|  | 91 | --len; | 
|  | 92 | n = (n + 1) % 16; | 
|  | 93 | } | 
|  | 94 | # if defined(STRICT_ALIGNMENT) | 
|  | 95 | if (((size_t)in | (size_t)out | (size_t)ivec) % | 
|  | 96 | sizeof(size_t) != 0) | 
|  | 97 | break; | 
|  | 98 | # endif | 
|  | 99 | while (len >= 16) { | 
|  | 100 | (*block) (ivec, ivec, key); | 
|  | 101 | for (; n < 16; n += sizeof(size_t)) { | 
|  | 102 | size_t t = *(size_t_aX *)(in + n); | 
|  | 103 | *(size_t_aX *)(out + n) | 
|  | 104 | = *(size_t_aX *)(ivec + n) ^ t; | 
|  | 105 | *(size_t_aX *)(ivec + n) = t; | 
|  | 106 | } | 
|  | 107 | len -= 16; | 
|  | 108 | out += 16; | 
|  | 109 | in += 16; | 
|  | 110 | n = 0; | 
|  | 111 | } | 
|  | 112 | if (len) { | 
|  | 113 | (*block) (ivec, ivec, key); | 
|  | 114 | while (len--) { | 
|  | 115 | unsigned char c; | 
|  | 116 | out[n] = ivec[n] ^ (c = in[n]); | 
|  | 117 | ivec[n] = c; | 
|  | 118 | ++n; | 
|  | 119 | } | 
|  | 120 | } | 
|  | 121 | *num = n; | 
|  | 122 | return; | 
|  | 123 | } while (0); | 
|  | 124 | } | 
|  | 125 | /* the rest would be commonly eliminated by x86* compiler */ | 
|  | 126 | #endif | 
|  | 127 | while (l < len) { | 
|  | 128 | unsigned char c; | 
|  | 129 | if (n == 0) { | 
|  | 130 | (*block) (ivec, ivec, key); | 
|  | 131 | } | 
|  | 132 | out[l] = ivec[n] ^ (c = in[l]); | 
|  | 133 | ivec[n] = c; | 
|  | 134 | ++l; | 
|  | 135 | n = (n + 1) % 16; | 
|  | 136 | } | 
|  | 137 | *num = n; | 
|  | 138 | } | 
|  | 139 | } | 
|  | 140 |  | 
|  | 141 | /* | 
|  | 142 | * This expects a single block of size nbits for both in and out. Note that | 
|  | 143 | * it corrupts any extra bits in the last byte of out | 
|  | 144 | */ | 
|  | 145 | static void cfbr_encrypt_block(const unsigned char *in, unsigned char *out, | 
|  | 146 | int nbits, const void *key, | 
|  | 147 | unsigned char ivec[16], int enc, | 
|  | 148 | block128_f block) | 
|  | 149 | { | 
|  | 150 | int n, rem, num; | 
|  | 151 | unsigned char ovec[16 * 2 + 1]; /* +1 because we dereference (but don't | 
|  | 152 | * use) one byte off the end */ | 
|  | 153 |  | 
|  | 154 | if (nbits <= 0 || nbits > 128) | 
|  | 155 | return; | 
|  | 156 |  | 
|  | 157 | /* fill in the first half of the new IV with the current IV */ | 
|  | 158 | memcpy(ovec, ivec, 16); | 
|  | 159 | /* construct the new IV */ | 
|  | 160 | (*block) (ivec, ivec, key); | 
|  | 161 | num = (nbits + 7) / 8; | 
|  | 162 | if (enc)                    /* encrypt the input */ | 
|  | 163 | for (n = 0; n < num; ++n) | 
|  | 164 | out[n] = (ovec[16 + n] = in[n] ^ ivec[n]); | 
|  | 165 | else                        /* decrypt the input */ | 
|  | 166 | for (n = 0; n < num; ++n) | 
|  | 167 | out[n] = (ovec[16 + n] = in[n]) ^ ivec[n]; | 
|  | 168 | /* shift ovec left... */ | 
|  | 169 | rem = nbits % 8; | 
|  | 170 | num = nbits / 8; | 
|  | 171 | if (rem == 0) | 
|  | 172 | memcpy(ivec, ovec + num, 16); | 
|  | 173 | else | 
|  | 174 | for (n = 0; n < 16; ++n) | 
|  | 175 | ivec[n] = ovec[n + num] << rem | ovec[n + num + 1] >> (8 - rem); | 
|  | 176 |  | 
|  | 177 | /* it is not necessary to cleanse ovec, since the IV is not secret */ | 
|  | 178 | } | 
|  | 179 |  | 
|  | 180 | /* N.B. This expects the input to be packed, MS bit first */ | 
|  | 181 | void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out, | 
|  | 182 | size_t bits, const void *key, | 
|  | 183 | unsigned char ivec[16], int *num, | 
|  | 184 | int enc, block128_f block) | 
|  | 185 | { | 
|  | 186 | size_t n; | 
|  | 187 | unsigned char c[1], d[1]; | 
|  | 188 |  | 
|  | 189 | for (n = 0; n < bits; ++n) { | 
|  | 190 | c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; | 
|  | 191 | cfbr_encrypt_block(c, d, 1, key, ivec, enc, block); | 
|  | 192 | out[n / 8] = (out[n / 8] & ~(1 << (unsigned int)(7 - n % 8))) | | 
|  | 193 | ((d[0] & 0x80) >> (unsigned int)(n % 8)); | 
|  | 194 | } | 
|  | 195 | } | 
|  | 196 |  | 
|  | 197 | void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, | 
|  | 198 | size_t length, const void *key, | 
|  | 199 | unsigned char ivec[16], int *num, | 
|  | 200 | int enc, block128_f block) | 
|  | 201 | { | 
|  | 202 | size_t n; | 
|  | 203 |  | 
|  | 204 | for (n = 0; n < length; ++n) | 
|  | 205 | cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block); | 
|  | 206 | } |