projects / BearSSL / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fixed buffer overrun (read only, usually harmless, but sloppy nonetheless).
[BearSSL] / src / symcipher / aes_ct_ctr.c
1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 /* see bearssl_block.h */
28 void
29 br_aes_ct_ctr_init(br_aes_ct_ctr_keys *ctx,
30 const void *key, size_t len)
31 {
32 ctx->vtable = &br_aes_ct_ctr_vtable;
33 ctx->num_rounds = br_aes_ct_keysched(ctx->skey, key, len);
34 }
35
36 static void
37 xorbuf(void *dst, const void *src, size_t len)
38 {
39 unsigned char *d;
40 const unsigned char *s;
41
42 d = dst;
43 s = src;
44 while (len -- > 0) {
45 *d ++ ^= *s ++;
46 }
47 }
48
49 /* see bearssl_block.h */
50 uint32_t
51 br_aes_ct_ctr_run(const br_aes_ct_ctr_keys *ctx,
52 const void *iv, uint32_t cc, void *data, size_t len)
53 {
54 unsigned char *buf;
55 const unsigned char *ivbuf;
56 uint32_t iv0, iv1, iv2;
57 uint32_t sk_exp[120];
58
59 br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
60 ivbuf = iv;
61 iv0 = br_dec32le(ivbuf);
62 iv1 = br_dec32le(ivbuf + 4);
63 iv2 = br_dec32le(ivbuf + 8);
64 buf = data;
65 while (len > 0) {
66 uint32_t q[8];
67 unsigned char tmp[32];
68
69 /*
70 * TODO: see if we can save on the first br_aes_ct_ortho()
71 * call, since iv0/iv1/iv2 are constant for the whole run.
72 */
73 q[0] = q[1] = iv0;
74 q[2] = q[3] = iv1;
75 q[4] = q[5] = iv2;
76 q[6] = br_swap32(cc);
77 q[7] = br_swap32(cc + 1);
78 br_aes_ct_ortho(q);
79 br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q);
80 br_aes_ct_ortho(q);
81 br_enc32le(tmp, q[0]);
82 br_enc32le(tmp + 4, q[2]);
83 br_enc32le(tmp + 8, q[4]);
84 br_enc32le(tmp + 12, q[6]);
85 br_enc32le(tmp + 16, q[1]);
86 br_enc32le(tmp + 20, q[3]);
87 br_enc32le(tmp + 24, q[5]);
88 br_enc32le(tmp + 28, q[7]);
89
90 if (len <= 32) {
91 xorbuf(buf, tmp, len);
92 cc ++;
93 if (len > 16) {
94 cc ++;
95 }
96 break;
97 }
98 xorbuf(buf, tmp, 32);
99 buf += 32;
100 len -= 32;
101 cc += 2;
102 }
103 return cc;
104 }
105
106 /* see bearssl_block.h */
107 const br_block_ctr_class br_aes_ct_ctr_vtable = {
108 sizeof(br_aes_ct_ctr_keys),
109 16,
110 4,
111 (void (*)(const br_block_ctr_class **, const void *, size_t))
112 &br_aes_ct_ctr_init,
113 (uint32_t (*)(const br_block_ctr_class *const *,
114 const void *, uint32_t, void *, size_t))
115 &br_aes_ct_ctr_run
116 };
The BearSSL library and tools.