1 /* crypto/camellia/camellia_ctr.c -*- mode:C; c-file-style: "eay" -*- */ 2 /* ==================================================================== 3 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core (at) openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 */ 51 52 #ifndef CAMELLIA_DEBUG 53 # ifndef NDEBUG 54 # define NDEBUG 55 # endif 56 #endif 57 #include <assert.h> 58 59 #include <openssl/camellia.h> 60 #include "cmll_locl.h" 61 62 /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code 63 * is endian-neutral. */ 64 /* increment counter (128-bit int) by 1 */ 65 static void Camellia_ctr128_inc(unsigned char *counter) 66 { 67 unsigned long c; 68 69 /* Grab bottom dword of counter and increment */ 70 c = GETU32(counter + 12); 71 c++; c &= 0xFFFFFFFF; 72 PUTU32(counter + 12, c); 73 74 /* if no overflow, we're done */ 75 if (c) 76 return; 77 78 /* Grab 1st dword of counter and increment */ 79 c = GETU32(counter + 8); 80 c++; c &= 0xFFFFFFFF; 81 PUTU32(counter + 8, c); 82 83 /* if no overflow, we're done */ 84 if (c) 85 return; 86 87 /* Grab 2nd dword of counter and increment */ 88 c = GETU32(counter + 4); 89 c++; c &= 0xFFFFFFFF; 90 PUTU32(counter + 4, c); 91 92 /* if no overflow, we're done */ 93 if (c) 94 return; 95 96 /* Grab top dword of counter and increment */ 97 c = GETU32(counter + 0); 98 c++; c &= 0xFFFFFFFF; 99 PUTU32(counter + 0, c); 100 } 101 102 /* The input encrypted as though 128bit counter mode is being 103 * used. The extra state information to record how much of the 104 * 128bit block we have used is contained in *num, and the 105 * encrypted counter is kept in ecount_buf. Both *num and 106 * ecount_buf must be initialised with zeros before the first 107 * call to Camellia_ctr128_encrypt(). 108 * 109 * This algorithm assumes that the counter is in the x lower bits 110 * of the IV (ivec), and that the application has full control over 111 * overflow and the rest of the IV. This implementation takes NO 112 * responsability for checking that the counter doesn't overflow 113 * into the rest of the IV when incremented. 114 */ 115 void Camellia_ctr128_encrypt(const unsigned char *in, unsigned char *out, 116 const unsigned long length, const CAMELLIA_KEY *key, 117 unsigned char ivec[CAMELLIA_BLOCK_SIZE], 118 unsigned char ecount_buf[CAMELLIA_BLOCK_SIZE], 119 unsigned int *num) 120 { 121 122 unsigned int n; 123 unsigned long l=length; 124 125 assert(in && out && key && counter && num); 126 assert(*num < CAMELLIA_BLOCK_SIZE); 127 128 n = *num; 129 130 while (l--) 131 { 132 if (n == 0) 133 { 134 Camellia_encrypt(ivec, ecount_buf, key); 135 Camellia_ctr128_inc(ivec); 136 } 137 *(out++) = *(in++) ^ ecount_buf[n]; 138 n = (n+1) % CAMELLIA_BLOCK_SIZE; 139 } 140 141 *num=n; 142 } 143 144
