Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	lib/libcrypto/chacha/chacha-merged.c	Lines:	135	136	99.3 %
Date:	2017-11-07	Branches:	20	24	83.3 %


/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/

#include <sys/types.h>

#include <stdint.h>

#define CHACHA_MINKEYLEN 	16
#define CHACHA_NONCELEN		8
#define CHACHA_CTRLEN		8
#define CHACHA_STATELEN		(CHACHA_NONCELEN+CHACHA_CTRLEN)
#define CHACHA_BLOCKLEN		64

struct chacha_ctx {
	u_int input[16];
	uint8_t ks[CHACHA_BLOCKLEN];
	uint8_t unused;
};

static inline void chacha_keysetup(struct chacha_ctx *x, const u_char *k,
    u_int kbits)
    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
static inline void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv,
    const u_char *ctr)
    __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
static inline void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
    u_char *c, u_int bytes)
    __attribute__((__bounded__(__buffer__, 2, 4)))
    __attribute__((__bounded__(__buffer__, 3, 4)));

typedef unsigned char u8;
typedef unsigned int u32;

typedef struct chacha_ctx chacha_ctx;

#define U8C(v) (v##U)
#define U32C(v) (v##U)

#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))

#define ROTL32(v, n) \
  (U32V((v) << (n)) | ((v) >> (32 - (n))))

#define U8TO32_LITTLE(p) \
  (((u32)((p)[0])) | \
   ((u32)((p)[1]) <<  8) | \
   ((u32)((p)[2]) << 16) | \
   ((u32)((p)[3]) << 24))

#define U32TO8_LITTLE(p, v) \
  do { \
    (p)[0] = U8V((v)); \
    (p)[1] = U8V((v) >>  8); \
    (p)[2] = U8V((v) >> 16); \
    (p)[3] = U8V((v) >> 24); \
  } while (0)

#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))

#define QUARTERROUND(a,b,c,d) \
  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);

/* Initialise with "expand 32-byte k". */
static const char sigma[16] = {
	0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
	0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
};

/* Initialise with "expand 16-byte k". */
static const char tau[16] = {
	0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x31,
	0x36, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
};

static inline void
chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
{
	const char *constants;

	x->input[4] = U8TO32_LITTLE(k + 0);
	x->input[5] = U8TO32_LITTLE(k + 4);
	x->input[6] = U8TO32_LITTLE(k + 8);
	x->input[7] = U8TO32_LITTLE(k + 12);
	if (kbits == 256) { /* recommended */
		k += 16;
		constants = sigma;
	} else { /* kbits == 128 */
		constants = tau;
	}
	x->input[8] = U8TO32_LITTLE(k + 0);
	x->input[9] = U8TO32_LITTLE(k + 4);
	x->input[10] = U8TO32_LITTLE(k + 8);
	x->input[11] = U8TO32_LITTLE(k + 12);
	x->input[0] = U8TO32_LITTLE(constants + 0);
	x->input[1] = U8TO32_LITTLE(constants + 4);
	x->input[2] = U8TO32_LITTLE(constants + 8);
	x->input[3] = U8TO32_LITTLE(constants + 12);
}

static inline void
chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
{
	x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
	x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
	x->input[14] = U8TO32_LITTLE(iv + 0);
	x->input[15] = U8TO32_LITTLE(iv + 4);
}

static inline void
chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
{
	u32 x0, x1, x2, x3, x4, x5, x6, x7;
	u32 x8, x9, x10, x11, x12, x13, x14, x15;
	u32 j0, j1, j2, j3, j4, j5, j6, j7;
	u32 j8, j9, j10, j11, j12, j13, j14, j15;
	u8 *ctarget = NULL;
	u8 tmp[64];
	u_int i;

	if (!bytes)
		return;

	j0 = x->input[0];
	j1 = x->input[1];
	j2 = x->input[2];
	j3 = x->input[3];
	j4 = x->input[4];
	j5 = x->input[5];
	j6 = x->input[6];
	j7 = x->input[7];
	j8 = x->input[8];
	j9 = x->input[9];
	j10 = x->input[10];
	j11 = x->input[11];
	j12 = x->input[12];
	j13 = x->input[13];
	j14 = x->input[14];
	j15 = x->input[15];

	for (;;) {
		if (bytes < 64) {
			for (i = 0; i < bytes; ++i)
				tmp[i] = m[i];
			m = tmp;
			ctarget = c;
			c = tmp;
		}
		x0 = j0;
		x1 = j1;
		x2 = j2;
		x3 = j3;
		x4 = j4;
		x5 = j5;
		x6 = j6;
		x7 = j7;
		x8 = j8;
		x9 = j9;
		x10 = j10;
		x11 = j11;
		x12 = j12;
		x13 = j13;
		x14 = j14;
		x15 = j15;
		for (i = 20; i > 0; i -= 2) {
			QUARTERROUND(x0, x4, x8, x12)
			QUARTERROUND(x1, x5, x9, x13)
			QUARTERROUND(x2, x6, x10, x14)
			QUARTERROUND(x3, x7, x11, x15)
			QUARTERROUND(x0, x5, x10, x15)
			QUARTERROUND(x1, x6, x11, x12)
			QUARTERROUND(x2, x7, x8, x13)
			QUARTERROUND(x3, x4, x9, x14)
		}
		x0 = PLUS(x0, j0);
		x1 = PLUS(x1, j1);
		x2 = PLUS(x2, j2);
		x3 = PLUS(x3, j3);
		x4 = PLUS(x4, j4);
		x5 = PLUS(x5, j5);
		x6 = PLUS(x6, j6);
		x7 = PLUS(x7, j7);
		x8 = PLUS(x8, j8);
		x9 = PLUS(x9, j9);
		x10 = PLUS(x10, j10);
		x11 = PLUS(x11, j11);
		x12 = PLUS(x12, j12);
		x13 = PLUS(x13, j13);
		x14 = PLUS(x14, j14);
		x15 = PLUS(x15, j15);

		if (bytes < 64) {
			U32TO8_LITTLE(x->ks + 0, x0);
			U32TO8_LITTLE(x->ks + 4, x1);
			U32TO8_LITTLE(x->ks + 8, x2);
			U32TO8_LITTLE(x->ks + 12, x3);
			U32TO8_LITTLE(x->ks + 16, x4);
			U32TO8_LITTLE(x->ks + 20, x5);
			U32TO8_LITTLE(x->ks + 24, x6);
			U32TO8_LITTLE(x->ks + 28, x7);
			U32TO8_LITTLE(x->ks + 32, x8);
			U32TO8_LITTLE(x->ks + 36, x9);
			U32TO8_LITTLE(x->ks + 40, x10);
			U32TO8_LITTLE(x->ks + 44, x11);
			U32TO8_LITTLE(x->ks + 48, x12);
			U32TO8_LITTLE(x->ks + 52, x13);
			U32TO8_LITTLE(x->ks + 56, x14);
			U32TO8_LITTLE(x->ks + 60, x15);
		}

		x0 = XOR(x0, U8TO32_LITTLE(m + 0));
		x1 = XOR(x1, U8TO32_LITTLE(m + 4));
		x2 = XOR(x2, U8TO32_LITTLE(m + 8));
		x3 = XOR(x3, U8TO32_LITTLE(m + 12));
		x4 = XOR(x4, U8TO32_LITTLE(m + 16));
		x5 = XOR(x5, U8TO32_LITTLE(m + 20));
		x6 = XOR(x6, U8TO32_LITTLE(m + 24));
		x7 = XOR(x7, U8TO32_LITTLE(m + 28));
		x8 = XOR(x8, U8TO32_LITTLE(m + 32));
		x9 = XOR(x9, U8TO32_LITTLE(m + 36));
		x10 = XOR(x10, U8TO32_LITTLE(m + 40));
		x11 = XOR(x11, U8TO32_LITTLE(m + 44));
		x12 = XOR(x12, U8TO32_LITTLE(m + 48));
		x13 = XOR(x13, U8TO32_LITTLE(m + 52));
		x14 = XOR(x14, U8TO32_LITTLE(m + 56));
		x15 = XOR(x15, U8TO32_LITTLE(m + 60));

		j12 = PLUSONE(j12);
		if (!j12) {
			j13 = PLUSONE(j13);
			/*
			 * Stopping at 2^70 bytes per nonce is the user's
			 * responsibility.
			 */
		}

		U32TO8_LITTLE(c + 0, x0);
		U32TO8_LITTLE(c + 4, x1);
		U32TO8_LITTLE(c + 8, x2);
		U32TO8_LITTLE(c + 12, x3);
		U32TO8_LITTLE(c + 16, x4);
		U32TO8_LITTLE(c + 20, x5);
		U32TO8_LITTLE(c + 24, x6);
		U32TO8_LITTLE(c + 28, x7);
		U32TO8_LITTLE(c + 32, x8);
		U32TO8_LITTLE(c + 36, x9);
		U32TO8_LITTLE(c + 40, x10);
		U32TO8_LITTLE(c + 44, x11);
		U32TO8_LITTLE(c + 48, x12);
		U32TO8_LITTLE(c + 52, x13);
		U32TO8_LITTLE(c + 56, x14);
		U32TO8_LITTLE(c + 60, x15);

		if (bytes <= 64) {
			if (bytes < 64) {
				for (i = 0; i < bytes; ++i)
					ctarget[i] = c[i];
			}
			x->input[12] = j12;
			x->input[13] = j13;
			x->unused = 64 - bytes;
			return;
		}
		bytes -= 64;
		c += 64;
		m += 64;
	}
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
2			/*
3			chacha-merged.c version 20080118
4			D. J. Bernstein
5			Public domain.
6			*/
7
8			#include <sys/types.h>
9
10			#include <stdint.h>
11
12			#define CHACHA_MINKEYLEN 16
13			#define CHACHA_NONCELEN 8
14			#define CHACHA_CTRLEN 8
15			#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN)
16			#define CHACHA_BLOCKLEN 64
17
18			struct chacha_ctx {
19			u_int input[16];
20			uint8_t ks[CHACHA_BLOCKLEN];
21			uint8_t unused;
22			};
23
24			static inline void chacha_keysetup(struct chacha_ctx x, const u_char k,
25			u_int kbits)
26			__attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
27			static inline void chacha_ivsetup(struct chacha_ctx x, const u_char iv,
28			const u_char *ctr)
29			__attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
30			__attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
31			static inline void chacha_encrypt_bytes(struct chacha_ctx x, const u_char m,
32			u_char *c, u_int bytes)
33			__attribute__((__bounded__(__buffer__, 2, 4)))
34			__attribute__((__bounded__(__buffer__, 3, 4)));
35
36			typedef unsigned char u8;
37			typedef unsigned int u32;
38
39			typedef struct chacha_ctx chacha_ctx;
40
41			#define U8C(v) (v##U)
42			#define U32C(v) (v##U)
43
44			#define U8V(v) ((u8)(v) & U8C(0xFF))
45			#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
46
47			#define ROTL32(v, n) \
48			(U32V((v) << (n)) \| ((v) >> (32 - (n))))
49
50			#define U8TO32_LITTLE(p) \
51			(((u32)((p)[0])) \| \
52			((u32)((p)[1]) << 8) \| \
53			((u32)((p)[2]) << 16) \| \
54			((u32)((p)[3]) << 24))
55
56			#define U32TO8_LITTLE(p, v) \
57			do { \
58			(p)[0] = U8V((v)); \
59			(p)[1] = U8V((v) >> 8); \
60			(p)[2] = U8V((v) >> 16); \
61			(p)[3] = U8V((v) >> 24); \
62			} while (0)
63
64			#define ROTATE(v,c) (ROTL32(v,c))
65			#define XOR(v,w) ((v) ^ (w))
66			#define PLUS(v,w) (U32V((v) + (w)))
67			#define PLUSONE(v) (PLUS((v),1))
68
69			#define QUARTERROUND(a,b,c,d) \
70			a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
71			c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
72			a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
73			c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
74
75			/* Initialise with "expand 32-byte k". */
76			static const char sigma[16] = {
77			0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
78			0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
79			};
80
81			/* Initialise with "expand 16-byte k". */
82			static const char tau[16] = {
83			0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x31,
84			0x36, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
85			};
86
87			static inline void
88			chacha_keysetup(chacha_ctx x, const u8 k, u32 kbits)
89			{
90			const char *constants;
91
92		1048	x->input[4] = U8TO32_LITTLE(k + 0);
93		524	x->input[5] = U8TO32_LITTLE(k + 4);
94		524	x->input[6] = U8TO32_LITTLE(k + 8);
95		524	x->input[7] = U8TO32_LITTLE(k + 12);
96	✓✗	524	if (kbits == 256) { /* recommended */
97		524	k += 16;
98			constants = sigma;
99		524	} else { /* kbits == 128 */
100			constants = tau;
101			}
102		524	x->input[8] = U8TO32_LITTLE(k + 0);
103		524	x->input[9] = U8TO32_LITTLE(k + 4);
104		524	x->input[10] = U8TO32_LITTLE(k + 8);
105		524	x->input[11] = U8TO32_LITTLE(k + 12);
106		524	x->input[0] = U8TO32_LITTLE(constants + 0);
107		524	x->input[1] = U8TO32_LITTLE(constants + 4);
108		524	x->input[2] = U8TO32_LITTLE(constants + 8);
109		524	x->input[3] = U8TO32_LITTLE(constants + 12);
110		524	}
111
112			static inline void
113			chacha_ivsetup(chacha_ctx x, const u8 iv, const u8 *counter)
114			{
115	✗✓	1572	x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
116	✗✓	1048	x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
117		524	x->input[14] = U8TO32_LITTLE(iv + 0);
118		524	x->input[15] = U8TO32_LITTLE(iv + 4);
119		524	}
120
121			static inline void
122			chacha_encrypt_bytes(chacha_ctx x, const u8 m, u8 *c, u32 bytes)
123			{
124			u32 x0, x1, x2, x3, x4, x5, x6, x7;
125			u32 x8, x9, x10, x11, x12, x13, x14, x15;
126			u32 j0, j1, j2, j3, j4, j5, j6, j7;
127			u32 j8, j9, j10, j11, j12, j13, j14, j15;
128			u8 *ctarget = NULL;
129		7672	u8 tmp[64];
130			u_int i;
131
132	✓✓	3836	if (!bytes)
133		3312	return;
134
135		524	j0 = x->input[0];
136		524	j1 = x->input[1];
137		524	j2 = x->input[2];
138		524	j3 = x->input[3];
139		524	j4 = x->input[4];
140		524	j5 = x->input[5];
141		524	j6 = x->input[6];
142		524	j7 = x->input[7];
143		524	j8 = x->input[8];
144		524	j9 = x->input[9];
145		524	j10 = x->input[10];
146		524	j11 = x->input[11];
147		524	j12 = x->input[12];
148		524	j13 = x->input[13];
149		524	j14 = x->input[14];
150		524	j15 = x->input[15];
151
152		692	for (;;) {
153	✓✓	692	if (bytes < 64) {
154	✓✓	17184	for (i = 0; i < bytes; ++i)
155		8244	tmp[i] = m[i];
156		348	m = tmp;
157			ctarget = c;
158			c = tmp;
159		348	}
160			x0 = j0;
161			x1 = j1;
162			x2 = j2;
163			x3 = j3;
164			x4 = j4;
165			x5 = j5;
166			x6 = j6;
167			x7 = j7;
168			x8 = j8;
169			x9 = j9;
170			x10 = j10;
171			x11 = j11;
172			x12 = j12;
173			x13 = j13;
174			x14 = j14;
175			x15 = j15;
176	✓✓	15224	for (i = 20; i > 0; i -= 2) {
177		6920	QUARTERROUND(x0, x4, x8, x12)
178		6920	QUARTERROUND(x1, x5, x9, x13)
179		6920	QUARTERROUND(x2, x6, x10, x14)
180		6920	QUARTERROUND(x3, x7, x11, x15)
181		6920	QUARTERROUND(x0, x5, x10, x15)
182		6920	QUARTERROUND(x1, x6, x11, x12)
183		6920	QUARTERROUND(x2, x7, x8, x13)
184		6920	QUARTERROUND(x3, x4, x9, x14)
185			}
186		692	x0 = PLUS(x0, j0);
187		692	x1 = PLUS(x1, j1);
188		692	x2 = PLUS(x2, j2);
189		692	x3 = PLUS(x3, j3);
190		692	x4 = PLUS(x4, j4);
191		692	x5 = PLUS(x5, j5);
192		692	x6 = PLUS(x6, j6);
193		692	x7 = PLUS(x7, j7);
194		692	x8 = PLUS(x8, j8);
195		692	x9 = PLUS(x9, j9);
196		692	x10 = PLUS(x10, j10);
197		692	x11 = PLUS(x11, j11);
198		692	x12 = PLUS(x12, j12);
199		692	x13 = PLUS(x13, j13);
200		692	x14 = PLUS(x14, j14);
201		692	x15 = PLUS(x15, j15);
202
203	✓✓	692	if (bytes < 64) {
204		348	U32TO8_LITTLE(x->ks + 0, x0);
205		348	U32TO8_LITTLE(x->ks + 4, x1);
206		348	U32TO8_LITTLE(x->ks + 8, x2);
207		348	U32TO8_LITTLE(x->ks + 12, x3);
208		348	U32TO8_LITTLE(x->ks + 16, x4);
209		348	U32TO8_LITTLE(x->ks + 20, x5);
210		348	U32TO8_LITTLE(x->ks + 24, x6);
211		348	U32TO8_LITTLE(x->ks + 28, x7);
212		348	U32TO8_LITTLE(x->ks + 32, x8);
213		348	U32TO8_LITTLE(x->ks + 36, x9);
214		348	U32TO8_LITTLE(x->ks + 40, x10);
215		348	U32TO8_LITTLE(x->ks + 44, x11);
216		348	U32TO8_LITTLE(x->ks + 48, x12);
217		348	U32TO8_LITTLE(x->ks + 52, x13);
218		348	U32TO8_LITTLE(x->ks + 56, x14);
219		348	U32TO8_LITTLE(x->ks + 60, x15);
220		348	}
221
222		692	x0 = XOR(x0, U8TO32_LITTLE(m + 0));
223		692	x1 = XOR(x1, U8TO32_LITTLE(m + 4));
224		692	x2 = XOR(x2, U8TO32_LITTLE(m + 8));
225		692	x3 = XOR(x3, U8TO32_LITTLE(m + 12));
226		692	x4 = XOR(x4, U8TO32_LITTLE(m + 16));
227		692	x5 = XOR(x5, U8TO32_LITTLE(m + 20));
228		692	x6 = XOR(x6, U8TO32_LITTLE(m + 24));
229		692	x7 = XOR(x7, U8TO32_LITTLE(m + 28));
230		692	x8 = XOR(x8, U8TO32_LITTLE(m + 32));
231		692	x9 = XOR(x9, U8TO32_LITTLE(m + 36));
232		692	x10 = XOR(x10, U8TO32_LITTLE(m + 40));
233		692	x11 = XOR(x11, U8TO32_LITTLE(m + 44));
234		692	x12 = XOR(x12, U8TO32_LITTLE(m + 48));
235		692	x13 = XOR(x13, U8TO32_LITTLE(m + 52));
236		692	x14 = XOR(x14, U8TO32_LITTLE(m + 56));
237		692	x15 = XOR(x15, U8TO32_LITTLE(m + 60));
238
239		692	j12 = PLUSONE(j12);
240	✗✓	692	if (!j12) {
241			j13 = PLUSONE(j13);
242			/*
243			* Stopping at 2^70 bytes per nonce is the user's
244			* responsibility.
245			*/
246			}
247
248		692	U32TO8_LITTLE(c + 0, x0);
249		692	U32TO8_LITTLE(c + 4, x1);
250		692	U32TO8_LITTLE(c + 8, x2);
251		692	U32TO8_LITTLE(c + 12, x3);
252		692	U32TO8_LITTLE(c + 16, x4);
253		692	U32TO8_LITTLE(c + 20, x5);
254		692	U32TO8_LITTLE(c + 24, x6);
255		692	U32TO8_LITTLE(c + 28, x7);
256		692	U32TO8_LITTLE(c + 32, x8);
257		692	U32TO8_LITTLE(c + 36, x9);
258		692	U32TO8_LITTLE(c + 40, x10);
259		692	U32TO8_LITTLE(c + 44, x11);
260		692	U32TO8_LITTLE(c + 48, x12);
261		692	U32TO8_LITTLE(c + 52, x13);
262		692	U32TO8_LITTLE(c + 56, x14);
263		692	U32TO8_LITTLE(c + 60, x15);
264
265	✓✓	692	if (bytes <= 64) {
266	✓✓	524	if (bytes < 64) {
267	✓✓	17184	for (i = 0; i < bytes; ++i)
268		8244	ctarget[i] = c[i];
269			}
270		524	x->input[12] = j12;
271		524	x->input[13] = j13;
272		524	x->unused = 64 - bytes;
273		524	return;
274			}
275		168	bytes -= 64;
276		168	c += 64;
277		168	m += 64;
278			}
279		3836	}