GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/crypto/../../libssl/src/crypto/gost/gost2814789.c Lines: 159 200 79.5 %
Date: 2016-12-06 Branches: 45 66 68.2 %

Line Branch Exec Source
1
/* $OpenBSD: gost2814789.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
2
/*
3
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
4
 * Copyright (c) 2005-2006 Cryptocom LTD
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in
15
 *    the documentation and/or other materials provided with the
16
 *    distribution.
17
 *
18
 * 3. All advertising materials mentioning features or use of this
19
 *    software must display the following acknowledgment:
20
 *    "This product includes software developed by the OpenSSL Project
21
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
22
 *
23
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
24
 *    endorse or promote products derived from this software without
25
 *    prior written permission. For written permission, please contact
26
 *    openssl-core@openssl.org.
27
 *
28
 * 5. Products derived from this software may not be called "OpenSSL"
29
 *    nor may "OpenSSL" appear in their names without prior written
30
 *    permission of the OpenSSL Project.
31
 *
32
 * 6. Redistributions of any form whatsoever must retain the following
33
 *    acknowledgment:
34
 *    "This product includes software developed by the OpenSSL Project
35
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
36
 *
37
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
38
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
40
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
41
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
43
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
46
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
48
 * OF THE POSSIBILITY OF SUCH DAMAGE.
49
 * ====================================================================
50
 */
51
52
#include <string.h>
53
54
#include <openssl/opensslconf.h>
55
56
#ifndef OPENSSL_NO_GOST
57
#include <openssl/objects.h>
58
#include <openssl/gost.h>
59
60
#include "gost_locl.h"
61
62
static inline unsigned int
63
f(const GOST2814789_KEY *c, unsigned int x)
64
44255072
{
65
54743072
	return  c->k87[(x>>24) & 255] | c->k65[(x>>16) & 255]|
66
		c->k43[(x>> 8) & 255] | c->k21[(x    ) & 255];
67
}
68
69
void
70
Gost2814789_encrypt(const unsigned char *in, unsigned char *out,
71
    const GOST2814789_KEY *key)
72
1321523
{
73
	unsigned int n1, n2; /* As named in the GOST */
74
75
1321523
	c2l(in, n1);
76
1321523
	c2l(in, n2);
77
78
	/* Instead of swapping halves, swap names each round */
79
1321523
	n2 ^= f(key, n1 + key->key[0]); n1 ^= f(key, n2 + key->key[1]);
80
1321523
	n2 ^= f(key, n1 + key->key[2]); n1 ^= f(key, n2 + key->key[3]);
81
1321523
	n2 ^= f(key, n1 + key->key[4]); n1 ^= f(key, n2 + key->key[5]);
82
1321523
	n2 ^= f(key, n1 + key->key[6]); n1 ^= f(key, n2 + key->key[7]);
83
84
1321523
	n2 ^= f(key, n1 + key->key[0]); n1 ^= f(key, n2 + key->key[1]);
85
1321523
	n2 ^= f(key, n1 + key->key[2]); n1 ^= f(key, n2 + key->key[3]);
86
1321523
	n2 ^= f(key, n1 + key->key[4]); n1 ^= f(key, n2 + key->key[5]);
87
1321523
	n2 ^= f(key, n1 + key->key[6]); n1 ^= f(key, n2 + key->key[7]);
88
89
1321523
	n2 ^= f(key, n1 + key->key[0]); n1 ^= f(key, n2 + key->key[1]);
90
1321523
	n2 ^= f(key, n1 + key->key[2]); n1 ^= f(key, n2 + key->key[3]);
91
1321523
	n2 ^= f(key, n1 + key->key[4]); n1 ^= f(key, n2 + key->key[5]);
92
1321523
	n2 ^= f(key, n1 + key->key[6]); n1 ^= f(key, n2 + key->key[7]);
93
94
1321523
	n2 ^= f(key, n1 + key->key[7]); n1 ^= f(key, n2 + key->key[6]);
95
1321523
	n2 ^= f(key, n1 + key->key[5]); n1 ^= f(key, n2 + key->key[4]);
96
1321523
	n2 ^= f(key, n1 + key->key[3]); n1 ^= f(key, n2 + key->key[2]);
97
1321523
	n2 ^= f(key, n1 + key->key[1]); n1 ^= f(key, n2 + key->key[0]);
98
99
1321523
	l2c(n2, out);
100
1321523
	l2c(n1, out);
101
1321523
}
102
103
void
104
Gost2814789_decrypt(const unsigned char *in, unsigned char *out,
105
    const GOST2814789_KEY *key)
106
61448
{
107
	unsigned int n1, n2; /* As named in the GOST */
108
109
61448
	c2l(in, n1);
110
61448
	c2l(in, n2);
111
112
	/* Instead of swapping halves, swap names each round */
113
61448
	n2 ^= f(key, n1 + key->key[0]); n1 ^= f(key, n2 + key->key[1]);
114
61448
	n2 ^= f(key, n1 + key->key[2]); n1 ^= f(key, n2 + key->key[3]);
115
61448
	n2 ^= f(key, n1 + key->key[4]); n1 ^= f(key, n2 + key->key[5]);
116
61448
	n2 ^= f(key, n1 + key->key[6]); n1 ^= f(key, n2 + key->key[7]);
117
118
61448
	n2 ^= f(key, n1 + key->key[7]); n1 ^= f(key, n2 + key->key[6]);
119
61448
	n2 ^= f(key, n1 + key->key[5]); n1 ^= f(key, n2 + key->key[4]);
120
61448
	n2 ^= f(key, n1 + key->key[3]); n1 ^= f(key, n2 + key->key[2]);
121
61448
	n2 ^= f(key, n1 + key->key[1]); n1 ^= f(key, n2 + key->key[0]);
122
123
61448
	n2 ^= f(key, n1 + key->key[7]); n1 ^= f(key, n2 + key->key[6]);
124
61448
	n2 ^= f(key, n1 + key->key[5]); n1 ^= f(key, n2 + key->key[4]);
125
61448
	n2 ^= f(key, n1 + key->key[3]); n1 ^= f(key, n2 + key->key[2]);
126
61448
	n2 ^= f(key, n1 + key->key[1]); n1 ^= f(key, n2 + key->key[0]);
127
128
61448
	n2 ^= f(key, n1 + key->key[7]); n1 ^= f(key, n2 + key->key[6]);
129
61448
	n2 ^= f(key, n1 + key->key[5]); n1 ^= f(key, n2 + key->key[4]);
130
61448
	n2 ^= f(key, n1 + key->key[3]); n1 ^= f(key, n2 + key->key[2]);
131
61448
	n2 ^= f(key, n1 + key->key[1]); n1 ^= f(key, n2 + key->key[0]);
132
133
61448
	l2c(n2, out);
134
61448
	l2c(n1, out);
135
61448
}
136
137
static void
138
Gost2814789_mac(const unsigned char *in, unsigned char *mac,
139
    GOST2814789_KEY *key)
140
655500
{
141
	unsigned int n1, n2; /* As named in the GOST */
142
	unsigned char *p;
143
	int i;
144
145
5899500
	for (i = 0; i < 8; i++)
146
5244000
		mac[i] ^= in[i];
147
148
655500
	p = mac;
149
655500
	c2l(p, n1);
150
655500
	c2l(p, n2);
151
152
	/* Instead of swapping halves, swap names each round */
153
1966500
	n2 ^= f(key, n1 + key->key[0]); n1 ^= f(key, n2 + key->key[1]);
154
1966500
	n2 ^= f(key, n1 + key->key[2]); n1 ^= f(key, n2 + key->key[3]);
155
1966500
	n2 ^= f(key, n1 + key->key[4]); n1 ^= f(key, n2 + key->key[5]);
156
1966500
	n2 ^= f(key, n1 + key->key[6]); n1 ^= f(key, n2 + key->key[7]);
157
158
1966500
	n2 ^= f(key, n1 + key->key[0]); n1 ^= f(key, n2 + key->key[1]);
159
1966500
	n2 ^= f(key, n1 + key->key[2]); n1 ^= f(key, n2 + key->key[3]);
160
1966500
	n2 ^= f(key, n1 + key->key[4]); n1 ^= f(key, n2 + key->key[5]);
161
1966500
	n2 ^= f(key, n1 + key->key[6]); n1 ^= f(key, n2 + key->key[7]);
162
163
655500
	p = mac;
164
655500
	l2c(n1, p);
165
655500
	l2c(n2, p);
166
655500
}
167
168
void
169
Gost2814789_ecb_encrypt(const unsigned char *in, unsigned char *out,
170
    GOST2814789_KEY *key, const int enc)
171
5
{
172

5
	if (key->key_meshing && key->count == 1024) {
173
		Gost2814789_cryptopro_key_mesh(key);
174
		key->count = 0;
175
	}
176
177
5
	if (enc)
178
5
		Gost2814789_encrypt(in, out, key);
179
	else
180
		Gost2814789_decrypt(in, out, key);
181
5
}
182
183
static inline void
184
Gost2814789_encrypt_mesh(unsigned char *iv, GOST2814789_KEY *key)
185
655496
{
186

655496
	if (key->key_meshing && key->count == 1024) {
187
5121
		Gost2814789_cryptopro_key_mesh(key);
188
5121
		Gost2814789_encrypt(iv, iv, key);
189
5121
		key->count = 0;
190
	}
191
655496
	Gost2814789_encrypt(iv, iv, key);
192
655496
	key->count += 8;
193
655496
}
194
195
static inline void
196
Gost2814789_mac_mesh(const unsigned char *data, unsigned char *mac,
197
    GOST2814789_KEY *key)
198
655500
{
199

655500
	if (key->key_meshing && key->count == 1024) {
200
5120
		Gost2814789_cryptopro_key_mesh(key);
201
5120
		key->count = 0;
202
	}
203
655500
	Gost2814789_mac(data, mac, key);
204
655500
	key->count += 8;
205
655500
}
206
207
void
208
Gost2814789_cfb64_encrypt(const unsigned char *in, unsigned char *out,
209
    size_t len, GOST2814789_KEY *key, unsigned char *ivec, int *num,
210
    const int enc)
211
5
{
212
	unsigned int n;
213
5
	size_t l = 0;
214
215
5
	n = *num;
216
217
5
	if (enc) {
218
#if !defined(OPENSSL_SMALL_FOOTPRINT)
219
		if (8 % sizeof(size_t) == 0) do { /* always true actually */
220
5
			while (n && len) {
221
				*(out++) = ivec[n] ^= *(in++);
222
				--len;
223
				n = (n + 1) % 8;
224
			}
225
#ifdef __STRICT_ALIGNMENT
226
			if (((size_t)in | (size_t)out | (size_t)ivec) %
227
			    sizeof(size_t) != 0)
228
				break;
229
#endif
230
655498
			while (len >= 8) {
231
655493
				Gost2814789_encrypt_mesh(ivec, key);
232
1310986
				for (; n < 8; n += sizeof(size_t)) {
233
655493
					*(size_t*)(out + n) =
234
					*(size_t*)(ivec + n) ^=
235
					    *(size_t*)(in + n);
236
				}
237
655493
				len -= 8;
238
655493
				out += 8;
239
655493
				in  += 8;
240
655493
				n = 0;
241
			}
242
5
			if (len) {
243
3
				Gost2814789_encrypt_mesh(ivec, key);
244
18
				while (len--) {
245
12
					out[n] = ivec[n] ^= in[n];
246
12
					++n;
247
				}
248
			}
249
5
			*num = n;
250
5
			return;
251
		} while (0);
252
		/* the rest would be commonly eliminated by x86* compiler */
253
#endif
254
		while (l<len) {
255
			if (n == 0) {
256
				Gost2814789_encrypt_mesh(ivec, key);
257
			}
258
			out[l] = ivec[n] ^= in[l];
259
			++l;
260
			n = (n + 1) % 8;
261
		}
262
		*num = n;
263
	} else {
264
#if !defined(OPENSSL_SMALL_FOOTPRINT)
265
		if (8 % sizeof(size_t) == 0) do { /* always true actually */
266
			while (n && len) {
267
				unsigned char c;
268
269
				*(out++) = ivec[n] ^ (c = *(in++));
270
				ivec[n] = c;
271
				--len;
272
				n = (n + 1) % 8;
273
 			}
274
#ifdef __STRICT_ALIGNMENT
275
			if (((size_t)in | (size_t)out | (size_t)ivec) %
276
			    sizeof(size_t) != 0)
277
				break;
278
#endif
279
			while (len >= 8) {
280
				Gost2814789_encrypt_mesh(ivec, key);
281
				for (; n < 8; n += sizeof(size_t)) {
282
					size_t t = *(size_t*)(in + n);
283
					*(size_t*)(out + n) =
284
					    *(size_t*)(ivec + n) ^ t;
285
					*(size_t*)(ivec + n) = t;
286
				}
287
				len -= 8;
288
				out += 8;
289
				in  += 8;
290
				n = 0;
291
			}
292
			if (len) {
293
				Gost2814789_encrypt_mesh(ivec, key);
294
				while (len--) {
295
					unsigned char c;
296
297
					out[n] = ivec[n] ^ (c = in[n]);
298
					ivec[n] = c;
299
					++n;
300
				}
301
 			}
302
			*num = n;
303
			return;
304
		} while (0);
305
		/* the rest would be commonly eliminated by x86* compiler */
306
#endif
307
		while (l < len) {
308
			unsigned char c;
309
310
			if (n == 0) {
311
				Gost2814789_encrypt_mesh(ivec, key);
312
			}
313
			out[l] = ivec[n] ^ (c = in[l]); ivec[n] = c;
314
			++l;
315
			n = (n + 1) % 8;
316
		}
317
		*num = n;
318
	}
319
}
320
321
static inline void
322
Gost2814789_cnt_next(unsigned char *ivec, unsigned char *out,
323
    GOST2814789_KEY *key)
324
655493
{
325
655493
	unsigned char *p = ivec, *p2 = ivec;
326
	unsigned int val, val2;
327
328
655493
	if (key->count == 0)
329
3
		Gost2814789_encrypt(ivec, ivec, key);
330
331

655493
	if (key->key_meshing && key->count == 1024) {
332
5121
		Gost2814789_cryptopro_key_mesh(key);
333
5121
		Gost2814789_encrypt(ivec, ivec, key);
334
5121
		key->count = 0;
335
	}
336
337
655493
	c2l(p, val);
338
655493
	val2 = val + 0x01010101;
339
655493
	l2c(val2, p2);
340
341
655493
	c2l(p, val);
342
655493
	val2 = val + 0x01010104;
343
655493
	if (val > val2) /* overflow */
344
2558
		val2++;
345
655493
	l2c(val2, p2);
346
347
655493
	Gost2814789_encrypt(ivec, out, key);
348
655493
	key->count += 8;
349
655493
}
350
351
void
352
Gost2814789_cnt_encrypt(const unsigned char *in, unsigned char *out, size_t len,
353
    GOST2814789_KEY *key, unsigned char *ivec, unsigned char *cnt_buf, int *num)
354
3
{
355
	unsigned int n;
356
3
	size_t l = 0;
357
358
3
	n = *num;
359
360
#if !defined(OPENSSL_SMALL_FOOTPRINT)
361
	if (8 % sizeof(size_t) == 0) do { /* always true actually */
362
6
		while (n && len) {
363
			*(out++) = *(in++) ^ cnt_buf[n];
364
			--len;
365
			n = (n + 1) % 8;
366
		}
367
368
#ifdef __STRICT_ALIGNMENT
369
		if (((size_t)in | (size_t)out | (size_t)ivec) %
370
		    sizeof(size_t) != 0)
371
			break;
372
#endif
373
655495
		while (len >= 8) {
374
655492
			Gost2814789_cnt_next(ivec, cnt_buf, key);
375
1310984
			for (; n < 8; n += sizeof(size_t))
376
655492
				*(size_t *)(out + n) = *(size_t *)(in + n) ^
377
				    *(size_t *)(cnt_buf + n);
378
655492
			len -= 8;
379
655492
			out += 8;
380
655492
			in  += 8;
381
655492
			n = 0;
382
		}
383
3
		if (len) {
384
1
			Gost2814789_cnt_next(ivec, cnt_buf, key);
385
7
			while (len--) {
386
5
				out[n] = in[n] ^ cnt_buf[n];
387
5
				++n;
388
			}
389
		}
390
3
		*num = n;
391
		return;
392
	} while(0);
393
	/* the rest would be commonly eliminated by x86* compiler */
394
#endif
395
	while (l < len) {
396
		if (n==0)
397
			Gost2814789_cnt_next(ivec, cnt_buf, key);
398
		out[l] = in[l] ^ cnt_buf[n];
399
		++l;
400
		n = (n + 1) % 8;
401
	}
402
403
	*num=n;
404
}
405
406
int
407
GOST2814789IMIT_Init(GOST2814789IMIT_CTX *c, int nid)
408
8
{
409
8
	c->Nl = c->Nh = c->num = 0;
410
8
	memset(c->mac, 0, 8);
411
8
	return Gost2814789_set_sbox(&c->cipher, nid);
412
}
413
414
static void
415
GOST2814789IMIT_block_data_order(GOST2814789IMIT_CTX *ctx,
416
    const unsigned char *p, size_t num)
417
6
{
418
	int i;
419
420
655501
	for (i = 0; i < num; i++) {
421
655495
		Gost2814789_mac_mesh(p, ctx->mac, &ctx->cipher);
422
655495
		p += 8;
423
	}
424
6
}
425
426
#define DATA_ORDER_IS_LITTLE_ENDIAN
427
428
#define HASH_CBLOCK	GOST2814789IMIT_CBLOCK
429
#define HASH_LONG	GOST2814789IMIT_LONG
430
#define HASH_CTX	GOST2814789IMIT_CTX
431
#define HASH_UPDATE	GOST2814789IMIT_Update
432
#define HASH_TRANSFORM	GOST2814789IMIT_Transform
433
#define HASH_NO_FINAL	1
434
#define HASH_BLOCK_DATA_ORDER	GOST2814789IMIT_block_data_order
435
436
#include "md32_common.h"
437
438
int
439
GOST2814789IMIT_Final(unsigned char *md, GOST2814789IMIT_CTX *c)
440
8
{
441
8
	if (c->num) {
442
3
		memset(c->data + c->num, 0, 8 - c->num);
443
3
		Gost2814789_mac_mesh(c->data, c->mac, &c->cipher);
444
	}
445

8
	if (c->Nl <= 8 * 8 && c->Nl > 0 && c->Nh == 0) {
446
2
		memset(c->data, 0, 8);
447
2
		Gost2814789_mac_mesh(c->data, c->mac, &c->cipher);
448
	}
449
8
	memcpy(md, c->mac, 4);
450
8
	return 1;
451
}
452
453
unsigned char *
454
GOST2814789IMIT(const unsigned char *d, size_t n, unsigned char *md, int nid,
455
    const unsigned char *key, const unsigned char *iv)
456
{
457
	GOST2814789IMIT_CTX c;
458
	static unsigned char m[GOST2814789IMIT_LENGTH];
459
460
	if (md == NULL)
461
		md = m;
462
	GOST2814789IMIT_Init(&c, nid);
463
	memcpy(c.mac, iv, 8);
464
	Gost2814789_set_key(&c.cipher, key, 256);
465
	GOST2814789IMIT_Update(&c, d, n);
466
	GOST2814789IMIT_Final(md, &c);
467
	explicit_bzero(&c, sizeof(c));
468
	return (md);
469
}
470
471
#endif