File Coverage

src/symcipher/aes_ct_ctrcbc.c

Criterion	Covered	Total	%
statement	0	219	0.0
branch	0	18	0.0
condition			n/a
subroutine			n/a
pod			n/a
total	0	237	0.0

line	stmt	bran	code
1			/*
2			* Copyright (c) 2017 Thomas Pornin
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining
5			* a copy of this software and associated documentation files (the
6			* "Software"), to deal in the Software without restriction, including
7			* without limitation the rights to use, copy, modify, merge, publish,
8			* distribute, sublicense, and/or sell copies of the Software, and to
9			* permit persons to whom the Software is furnished to do so, subject to
10			* the following conditions:
11			*
12			* The above copyright notice and this permission notice shall be
13			* included in all copies or substantial portions of the Software.
14			*
15			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16			* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17			* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18			* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19			* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20			* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21			* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22			* SOFTWARE.
23			*/
24
25			#include "inner.h"
26
27			/* see bearssl_block.h */
28			void
29	0		br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx,
30			const void *key, size_t len)
31			{
32	0		ctx->vtable = &br_aes_ct_ctrcbc_vtable;
33	0		ctx->num_rounds = br_aes_ct_keysched(ctx->skey, key, len);
34	0		}
35
36			static void
37	0		xorbuf(void dst, const void src, size_t len)
38			{
39			unsigned char *d;
40			const unsigned char *s;
41
42	0		d = dst;
43	0		s = src;
44	0	0	while (len -- > 0) {
45	0		d ++ ^= s ++;
46			}
47	0		}
48
49			/* see bearssl_block.h */
50			void
51	0		br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx,
52			void ctr, void data, size_t len)
53			{
54			unsigned char *buf;
55			unsigned char *ivbuf;
56			uint32_t iv0, iv1, iv2, iv3;
57			uint32_t sk_exp[120];
58
59	0		br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
60
61			/*
62			* We keep the counter as four 32-bit values, with big-endian
63			* convention, because that's what is expected for purposes of
64			* incrementing the counter value.
65			*/
66	0		ivbuf = ctr;
67	0		iv0 = br_dec32be(ivbuf + 0);
68	0		iv1 = br_dec32be(ivbuf + 4);
69	0		iv2 = br_dec32be(ivbuf + 8);
70	0		iv3 = br_dec32be(ivbuf + 12);
71
72	0		buf = data;
73	0	0	while (len > 0) {
74			uint32_t q[8], carry;
75			unsigned char tmp[32];
76
77			/*
78			* The bitslice implementation expects values in
79			* little-endian convention, so we have to byteswap them.
80			*/
81	0		q[0] = br_swap32(iv0);
82	0		q[2] = br_swap32(iv1);
83	0		q[4] = br_swap32(iv2);
84	0		q[6] = br_swap32(iv3);
85	0		iv3 ++;
86	0		carry = ~(iv3 \| -iv3) >> 31;
87	0		iv2 += carry;
88	0		carry &= -(~(iv2 \| -iv2) >> 31);
89	0		iv1 += carry;
90	0		carry &= -(~(iv1 \| -iv1) >> 31);
91	0		iv0 += carry;
92	0		q[1] = br_swap32(iv0);
93	0		q[3] = br_swap32(iv1);
94	0		q[5] = br_swap32(iv2);
95	0		q[7] = br_swap32(iv3);
96	0	0	if (len > 16) {
97	0		iv3 ++;
98	0		carry = ~(iv3 \| -iv3) >> 31;
99	0		iv2 += carry;
100	0		carry &= -(~(iv2 \| -iv2) >> 31);
101	0		iv1 += carry;
102	0		carry &= -(~(iv1 \| -iv1) >> 31);
103	0		iv0 += carry;
104			}
105
106	0		br_aes_ct_ortho(q);
107	0		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
108	0		br_aes_ct_ortho(q);
109
110	0		br_enc32le(tmp, q[0]);
111	0		br_enc32le(tmp + 4, q[2]);
112	0		br_enc32le(tmp + 8, q[4]);
113	0		br_enc32le(tmp + 12, q[6]);
114	0		br_enc32le(tmp + 16, q[1]);
115	0		br_enc32le(tmp + 20, q[3]);
116	0		br_enc32le(tmp + 24, q[5]);
117	0		br_enc32le(tmp + 28, q[7]);
118
119	0	0	if (len <= 32) {
120	0		xorbuf(buf, tmp, len);
121	0		break;
122			}
123	0		xorbuf(buf, tmp, 32);
124	0		buf += 32;
125	0		len -= 32;
126			}
127	0		br_enc32be(ivbuf + 0, iv0);
128	0		br_enc32be(ivbuf + 4, iv1);
129	0		br_enc32be(ivbuf + 8, iv2);
130	0		br_enc32be(ivbuf + 12, iv3);
131	0		}
132
133			/* see bearssl_block.h */
134			void
135	0		br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx,
136			void cbcmac, const void data, size_t len)
137			{
138			const unsigned char *buf;
139			uint32_t cm0, cm1, cm2, cm3;
140			uint32_t q[8];
141			uint32_t sk_exp[120];
142
143	0		br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
144
145	0		buf = data;
146	0		cm0 = br_dec32le((unsigned char *)cbcmac + 0);
147	0		cm1 = br_dec32le((unsigned char *)cbcmac + 4);
148	0		cm2 = br_dec32le((unsigned char *)cbcmac + 8);
149	0		cm3 = br_dec32le((unsigned char *)cbcmac + 12);
150	0		q[1] = 0;
151	0		q[3] = 0;
152	0		q[5] = 0;
153	0		q[7] = 0;
154
155	0	0	while (len > 0) {
156	0		q[0] = cm0 ^ br_dec32le(buf + 0);
157	0		q[2] = cm1 ^ br_dec32le(buf + 4);
158	0		q[4] = cm2 ^ br_dec32le(buf + 8);
159	0		q[6] = cm3 ^ br_dec32le(buf + 12);
160
161	0		br_aes_ct_ortho(q);
162	0		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
163	0		br_aes_ct_ortho(q);
164
165	0		cm0 = q[0];
166	0		cm1 = q[2];
167	0		cm2 = q[4];
168	0		cm3 = q[6];
169	0		buf += 16;
170	0		len -= 16;
171			}
172
173	0		br_enc32le((unsigned char *)cbcmac + 0, cm0);
174	0		br_enc32le((unsigned char *)cbcmac + 4, cm1);
175	0		br_enc32le((unsigned char *)cbcmac + 8, cm2);
176	0		br_enc32le((unsigned char *)cbcmac + 12, cm3);
177	0		}
178
179			/* see bearssl_block.h */
180			void
181	0		br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx,
182			void ctr, void cbcmac, void *data, size_t len)
183			{
184			/*
185			* When encrypting, the CBC-MAC processing must be lagging by
186			* one block, since it operates on the encrypted values, so
187			* it must wait for that encryption to complete.
188			*/
189
190			unsigned char *buf;
191			unsigned char *ivbuf;
192			uint32_t iv0, iv1, iv2, iv3;
193			uint32_t cm0, cm1, cm2, cm3;
194			uint32_t sk_exp[120];
195			int first_iter;
196
197	0		br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
198
199			/*
200			* We keep the counter as four 32-bit values, with big-endian
201			* convention, because that's what is expected for purposes of
202			* incrementing the counter value.
203			*/
204	0		ivbuf = ctr;
205	0		iv0 = br_dec32be(ivbuf + 0);
206	0		iv1 = br_dec32be(ivbuf + 4);
207	0		iv2 = br_dec32be(ivbuf + 8);
208	0		iv3 = br_dec32be(ivbuf + 12);
209
210			/*
211			* The current CBC-MAC value is kept in little-endian convention.
212			*/
213	0		cm0 = br_dec32le((unsigned char *)cbcmac + 0);
214	0		cm1 = br_dec32le((unsigned char *)cbcmac + 4);
215	0		cm2 = br_dec32le((unsigned char *)cbcmac + 8);
216	0		cm3 = br_dec32le((unsigned char *)cbcmac + 12);
217
218	0		buf = data;
219	0		first_iter = 1;
220	0	0	while (len > 0) {
221			uint32_t q[8], carry;
222
223			/*
224			* The bitslice implementation expects values in
225			* little-endian convention, so we have to byteswap them.
226			*/
227	0		q[0] = br_swap32(iv0);
228	0		q[2] = br_swap32(iv1);
229	0		q[4] = br_swap32(iv2);
230	0		q[6] = br_swap32(iv3);
231	0		iv3 ++;
232	0		carry = ~(iv3 \| -iv3) >> 31;
233	0		iv2 += carry;
234	0		carry &= -(~(iv2 \| -iv2) >> 31);
235	0		iv1 += carry;
236	0		carry &= -(~(iv1 \| -iv1) >> 31);
237	0		iv0 += carry;
238
239			/*
240			* The odd values are used for CBC-MAC.
241			*/
242	0		q[1] = cm0;
243	0		q[3] = cm1;
244	0		q[5] = cm2;
245	0		q[7] = cm3;
246
247	0		br_aes_ct_ortho(q);
248	0		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
249	0		br_aes_ct_ortho(q);
250
251			/*
252			* We do the XOR with the plaintext in 32-bit registers,
253			* so that the value are available for CBC-MAC processing
254			* as well.
255			*/
256	0		q[0] ^= br_dec32le(buf + 0);
257	0		q[2] ^= br_dec32le(buf + 4);
258	0		q[4] ^= br_dec32le(buf + 8);
259	0		q[6] ^= br_dec32le(buf + 12);
260	0		br_enc32le(buf + 0, q[0]);
261	0		br_enc32le(buf + 4, q[2]);
262	0		br_enc32le(buf + 8, q[4]);
263	0		br_enc32le(buf + 12, q[6]);
264
265	0		buf += 16;
266	0		len -= 16;
267
268			/*
269			* We set the cm* values to the block to encrypt in the
270			* next iteration.
271			*/
272	0	0	if (first_iter) {
273	0		first_iter = 0;
274	0		cm0 ^= q[0];
275	0		cm1 ^= q[2];
276	0		cm2 ^= q[4];
277	0		cm3 ^= q[6];
278			} else {
279	0		cm0 = q[0] ^ q[1];
280	0		cm1 = q[2] ^ q[3];
281	0		cm2 = q[4] ^ q[5];
282	0		cm3 = q[6] ^ q[7];
283			}
284
285			/*
286			* If this was the last iteration, then compute the
287			* extra block encryption to complete CBC-MAC.
288			*/
289	0	0	if (len == 0) {
290	0		q[0] = cm0;
291	0		q[2] = cm1;
292	0		q[4] = cm2;
293	0		q[6] = cm3;
294	0		br_aes_ct_ortho(q);
295	0		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
296	0		br_aes_ct_ortho(q);
297	0		cm0 = q[0];
298	0		cm1 = q[2];
299	0		cm2 = q[4];
300	0		cm3 = q[6];
301	0		break;
302			}
303			}
304
305	0		br_enc32be(ivbuf + 0, iv0);
306	0		br_enc32be(ivbuf + 4, iv1);
307	0		br_enc32be(ivbuf + 8, iv2);
308	0		br_enc32be(ivbuf + 12, iv3);
309	0		br_enc32le((unsigned char *)cbcmac + 0, cm0);
310	0		br_enc32le((unsigned char *)cbcmac + 4, cm1);
311	0		br_enc32le((unsigned char *)cbcmac + 8, cm2);
312	0		br_enc32le((unsigned char *)cbcmac + 12, cm3);
313	0		}
314
315			/* see bearssl_block.h */
316			void
317	0		br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx,
318			void ctr, void cbcmac, void *data, size_t len)
319			{
320			unsigned char *buf;
321			unsigned char *ivbuf;
322			uint32_t iv0, iv1, iv2, iv3;
323			uint32_t cm0, cm1, cm2, cm3;
324			uint32_t sk_exp[120];
325
326	0		br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
327
328			/*
329			* We keep the counter as four 32-bit values, with big-endian
330			* convention, because that's what is expected for purposes of
331			* incrementing the counter value.
332			*/
333	0		ivbuf = ctr;
334	0		iv0 = br_dec32be(ivbuf + 0);
335	0		iv1 = br_dec32be(ivbuf + 4);
336	0		iv2 = br_dec32be(ivbuf + 8);
337	0		iv3 = br_dec32be(ivbuf + 12);
338
339			/*
340			* The current CBC-MAC value is kept in little-endian convention.
341			*/
342	0		cm0 = br_dec32le((unsigned char *)cbcmac + 0);
343	0		cm1 = br_dec32le((unsigned char *)cbcmac + 4);
344	0		cm2 = br_dec32le((unsigned char *)cbcmac + 8);
345	0		cm3 = br_dec32le((unsigned char *)cbcmac + 12);
346
347	0		buf = data;
348	0	0	while (len > 0) {
349			uint32_t q[8], carry;
350			unsigned char tmp[16];
351
352			/*
353			* The bitslice implementation expects values in
354			* little-endian convention, so we have to byteswap them.
355			*/
356	0		q[0] = br_swap32(iv0);
357	0		q[2] = br_swap32(iv1);
358	0		q[4] = br_swap32(iv2);
359	0		q[6] = br_swap32(iv3);
360	0		iv3 ++;
361	0		carry = ~(iv3 \| -iv3) >> 31;
362	0		iv2 += carry;
363	0		carry &= -(~(iv2 \| -iv2) >> 31);
364	0		iv1 += carry;
365	0		carry &= -(~(iv1 \| -iv1) >> 31);
366	0		iv0 += carry;
367
368			/*
369			* The odd values are used for CBC-MAC.
370			*/
371	0		q[1] = cm0 ^ br_dec32le(buf + 0);
372	0		q[3] = cm1 ^ br_dec32le(buf + 4);
373	0		q[5] = cm2 ^ br_dec32le(buf + 8);
374	0		q[7] = cm3 ^ br_dec32le(buf + 12);
375
376	0		br_aes_ct_ortho(q);
377	0		br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
378	0		br_aes_ct_ortho(q);
379
380	0		br_enc32le(tmp + 0, q[0]);
381	0		br_enc32le(tmp + 4, q[2]);
382	0		br_enc32le(tmp + 8, q[4]);
383	0		br_enc32le(tmp + 12, q[6]);
384	0		xorbuf(buf, tmp, 16);
385	0		cm0 = q[1];
386	0		cm1 = q[3];
387	0		cm2 = q[5];
388	0		cm3 = q[7];
389	0		buf += 16;
390	0		len -= 16;
391			}
392
393	0		br_enc32be(ivbuf + 0, iv0);
394	0		br_enc32be(ivbuf + 4, iv1);
395	0		br_enc32be(ivbuf + 8, iv2);
396	0		br_enc32be(ivbuf + 12, iv3);
397	0		br_enc32le((unsigned char *)cbcmac + 0, cm0);
398	0		br_enc32le((unsigned char *)cbcmac + 4, cm1);
399	0		br_enc32le((unsigned char *)cbcmac + 8, cm2);
400	0		br_enc32le((unsigned char *)cbcmac + 12, cm3);
401	0		}
402
403			/* see bearssl_block.h */
404			const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable = {
405			sizeof(br_aes_ct_ctrcbc_keys),
406			16,
407			4,
408			(void ()(const br_block_ctrcbc_class , const void , size_t))
409			&br_aes_ct_ctrcbc_init,
410			(void ()(const br_block_ctrcbc_class const *,
411			void , void , void *, size_t))
412			&br_aes_ct_ctrcbc_encrypt,
413			(void ()(const br_block_ctrcbc_class const *,
414			void , void , void *, size_t))
415			&br_aes_ct_ctrcbc_decrypt,
416			(void ()(const br_block_ctrcbc_class const *,
417			void , void , size_t))
418			&br_aes_ct_ctrcbc_ctr,
419			(void ()(const br_block_ctrcbc_class const *,
420			void , const void , size_t))
421			&br_aes_ct_ctrcbc_mac
422			};