1 /* $OpenBSD: cfb128.c,v 1.7 2023/07/08 14:56:54 beck Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 2008 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52 #include <openssl/crypto.h> 53 #include "modes_local.h" 54 #include <string.h> 55 56 #ifndef MODES_DEBUG 57 # ifndef NDEBUG 58 # define NDEBUG 59 # endif 60 #endif 61 62 /* The input and output encrypted as though 128bit cfb mode is being 63 * used. The extra state information to record how much of the 64 * 128bit block we have used is contained in *num; 65 */ 66 void 67 CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out, 68 size_t len, const void *key, 69 unsigned char ivec[16], int *num, 70 int enc, block128_f block) 71 { 72 unsigned int n; 73 size_t l = 0; 74 75 n = *num; 76 77 if (enc) { 78 #if !defined(OPENSSL_SMALL_FOOTPRINT) 79 if (16 % sizeof(size_t) == 0) 80 do { /* always true actually */ 81 while (n && len) { 82 *(out++) = ivec[n] ^= *(in++); 83 --len; 84 n = (n + 1) % 16; 85 } 86 #ifdef __STRICT_ALIGNMENT 87 if (((size_t)in|(size_t)out|(size_t)ivec) % 88 sizeof(size_t) != 0) 89 break; 90 #endif 91 while (len >= 16) { 92 (*block)(ivec, ivec, key); 93 for (; n < 16; n += sizeof(size_t)) { 94 *(size_t *)(out + n) = 95 *(size_t *)(ivec + n) ^= *(size_t *)(in + 96 n); 97 } 98 len -= 16; 99 out += 16; 100 in += 16; 101 n = 0; 102 } 103 if (len) { 104 (*block)(ivec, ivec, key); 105 while (len--) { 106 out[n] = ivec[n] ^= in[n]; 107 ++n; 108 } 109 } 110 *num = n; 111 return; 112 } while (0); 113 /* the rest would be commonly eliminated by x86* compiler */ 114 #endif 115 while (l < len) { 116 if (n == 0) { 117 (*block)(ivec, ivec, key); 118 } 119 out[l] = ivec[n] ^= in[l]; 120 ++l; 121 n = (n + 1) % 16; 122 } 123 *num = n; 124 } else { 125 #if !defined(OPENSSL_SMALL_FOOTPRINT) 126 if (16 % sizeof(size_t) == 0) 127 do { /* always true actually */ 128 while (n && len) { 129 unsigned char c; 130 *(out++) = ivec[n] ^ (c = *(in++)); 131 ivec[n] = c; 132 --len; 133 n = (n + 1) % 16; 134 } 135 #ifdef __STRICT_ALIGNMENT 136 if (((size_t)in|(size_t)out|(size_t)ivec) % 137 sizeof(size_t) != 0) 138 break; 139 #endif 140 while (len >= 16) { 141 (*block)(ivec, ivec, key); 142 for (; n < 16; n += sizeof(size_t)) { 143 size_t t = *(size_t *)(in + n); 144 *(size_t *)(out + n) = *(size_t *)(ivec + 145 n) ^ t; 146 *(size_t *)(ivec + n) = t; 147 } 148 len -= 16; 149 out += 16; 150 in += 16; 151 n = 0; 152 } 153 if (len) { 154 (*block)(ivec, ivec, key); 155 while (len--) { 156 unsigned char c; 157 out[n] = ivec[n] ^ (c = in[n]); 158 ivec[n] = c; 159 ++n; 160 } 161 } 162 *num = n; 163 return; 164 } while (0); 165 /* the rest would be commonly eliminated by x86* compiler */ 166 #endif 167 while (l < len) { 168 unsigned char c; 169 if (n == 0) { 170 (*block)(ivec, ivec, key); 171 } 172 out[l] = ivec[n] ^ (c = in[l]); 173 ivec[n] = c; 174 ++l; 175 n = (n + 1) % 16; 176 } 177 *num = n; 178 } 179 } 180 LCRYPTO_ALIAS(CRYPTO_cfb128_encrypt); 181 182 /* This expects a single block of size nbits for both in and out. Note that 183 it corrupts any extra bits in the last byte of out */ 184 static void 185 cfbr_encrypt_block(const unsigned char *in, unsigned char *out, 186 int nbits, const void *key, 187 unsigned char ivec[16], int enc, 188 block128_f block) 189 { 190 int n, rem, num; 191 unsigned char ovec[16*2 + 1]; /* +1 because we dererefence (but don't use) one byte off the end */ 192 193 if (nbits <= 0 || nbits > 128) 194 return; 195 196 /* fill in the first half of the new IV with the current IV */ 197 memcpy(ovec, ivec, 16); 198 /* construct the new IV */ 199 (*block)(ivec, ivec, key); 200 num = (nbits + 7)/8; 201 if (enc) /* encrypt the input */ 202 for (n = 0; n < num; ++n) 203 out[n] = (ovec[16 + n] = in[n] ^ ivec[n]); 204 else /* decrypt the input */ 205 for (n = 0; n < num; ++n) 206 out[n] = (ovec[16 + n] = in[n]) ^ ivec[n]; 207 /* shift ovec left... */ 208 rem = nbits % 8; 209 num = nbits/8; 210 if (rem == 0) 211 memcpy(ivec, ovec + num, 16); 212 else 213 for (n = 0; n < 16; ++n) 214 ivec[n] = ovec[n + num] << rem | 215 ovec[n + num + 1] >> (8 - rem); 216 217 /* it is not necessary to cleanse ovec, since the IV is not secret */ 218 } 219 220 /* N.B. This expects the input to be packed, MS bit first */ 221 void 222 CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out, 223 size_t bits, const void *key, 224 unsigned char ivec[16], int *num, 225 int enc, block128_f block) 226 { 227 size_t n; 228 unsigned char c[1], d[1]; 229 230 for (n = 0; n < bits; ++n) 231 { 232 c[0] = (in[n/8] & (1 << (7 - n % 8))) ? 0x80 : 0; 233 cfbr_encrypt_block(c, d, 1, key, ivec, enc, block); 234 out[n/8] = (out[n/8] & ~(1 << (unsigned int)(7 - n % 8))) | 235 ((d[0] & 0x80) >> (unsigned int)(n % 8)); 236 } 237 } 238 LCRYPTO_ALIAS(CRYPTO_cfb128_1_encrypt); 239 240 void 241 CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, 242 size_t length, const void *key, 243 unsigned char ivec[16], int *num, 244 int enc, block128_f block) 245 { 246 size_t n; 247 248 for (n = 0; n < length; ++n) 249 cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block); 250 } 251 LCRYPTO_ALIAS(CRYPTO_cfb128_8_encrypt); 252