Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	lib/libcrypto/chacha/chacha-merged.c	Lines:	135	136	99.3 %
Date:	2017-11-13	Branches:	20	24	83.3 %


/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/

#include <sys/types.h>

#include <stdint.h>

#define CHACHA_MINKEYLEN 	16
#define CHACHA_NONCELEN		8
#define CHACHA_CTRLEN		8
#define CHACHA_STATELEN		(CHACHA_NONCELEN+CHACHA_CTRLEN)
#define CHACHA_BLOCKLEN		64

struct chacha_ctx {
	u_int input[16];
	uint8_t ks[CHACHA_BLOCKLEN];
	uint8_t unused;
};

static inline void chacha_keysetup(struct chacha_ctx *x, const u_char *k,
    u_int kbits)
    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
static inline void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv,
    const u_char *ctr)
    __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
static inline void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
    u_char *c, u_int bytes)
    __attribute__((__bounded__(__buffer__, 2, 4)))
    __attribute__((__bounded__(__buffer__, 3, 4)));

typedef unsigned char u8;
typedef unsigned int u32;

typedef struct chacha_ctx chacha_ctx;

#define U8C(v) (v##U)
#define U32C(v) (v##U)

#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))

#define ROTL32(v, n) \
  (U32V((v) << (n)) | ((v) >> (32 - (n))))

#define U8TO32_LITTLE(p) \
  (((u32)((p)[0])) | \
   ((u32)((p)[1]) <<  8) | \
   ((u32)((p)[2]) << 16) | \
   ((u32)((p)[3]) << 24))

#define U32TO8_LITTLE(p, v) \
  do { \
    (p)[0] = U8V((v)); \
    (p)[1] = U8V((v) >>  8); \
    (p)[2] = U8V((v) >> 16); \
    (p)[3] = U8V((v) >> 24); \
  } while (0)

#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))

#define QUARTERROUND(a,b,c,d) \
  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);

/* Initialise with "expand 32-byte k". */
static const char sigma[16] = {
	0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
	0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
};

/* Initialise with "expand 16-byte k". */
static const char tau[16] = {
	0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x31,
	0x36, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
};

static inline void
chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
{
	const char *constants;

	x->input[4] = U8TO32_LITTLE(k + 0);
	x->input[5] = U8TO32_LITTLE(k + 4);
	x->input[6] = U8TO32_LITTLE(k + 8);
	x->input[7] = U8TO32_LITTLE(k + 12);
	if (kbits == 256) { /* recommended */
		k += 16;
		constants = sigma;
	} else { /* kbits == 128 */
		constants = tau;
	}
	x->input[8] = U8TO32_LITTLE(k + 0);
	x->input[9] = U8TO32_LITTLE(k + 4);
	x->input[10] = U8TO32_LITTLE(k + 8);
	x->input[11] = U8TO32_LITTLE(k + 12);
	x->input[0] = U8TO32_LITTLE(constants + 0);
	x->input[1] = U8TO32_LITTLE(constants + 4);
	x->input[2] = U8TO32_LITTLE(constants + 8);
	x->input[3] = U8TO32_LITTLE(constants + 12);
}

static inline void
chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
{
	x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
	x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
	x->input[14] = U8TO32_LITTLE(iv + 0);
	x->input[15] = U8TO32_LITTLE(iv + 4);
}

static inline void
chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
{
	u32 x0, x1, x2, x3, x4, x5, x6, x7;
	u32 x8, x9, x10, x11, x12, x13, x14, x15;
	u32 j0, j1, j2, j3, j4, j5, j6, j7;
	u32 j8, j9, j10, j11, j12, j13, j14, j15;
	u8 *ctarget = NULL;
	u8 tmp[64];
	u_int i;

	if (!bytes)
		return;

	j0 = x->input[0];
	j1 = x->input[1];
	j2 = x->input[2];
	j3 = x->input[3];
	j4 = x->input[4];
	j5 = x->input[5];
	j6 = x->input[6];
	j7 = x->input[7];
	j8 = x->input[8];
	j9 = x->input[9];
	j10 = x->input[10];
	j11 = x->input[11];
	j12 = x->input[12];
	j13 = x->input[13];
	j14 = x->input[14];
	j15 = x->input[15];

	for (;;) {
		if (bytes < 64) {
			for (i = 0; i < bytes; ++i)
				tmp[i] = m[i];
			m = tmp;
			ctarget = c;
			c = tmp;
		}
		x0 = j0;
		x1 = j1;
		x2 = j2;
		x3 = j3;
		x4 = j4;
		x5 = j5;
		x6 = j6;
		x7 = j7;
		x8 = j8;
		x9 = j9;
		x10 = j10;
		x11 = j11;
		x12 = j12;
		x13 = j13;
		x14 = j14;
		x15 = j15;
		for (i = 20; i > 0; i -= 2) {
			QUARTERROUND(x0, x4, x8, x12)
			QUARTERROUND(x1, x5, x9, x13)
			QUARTERROUND(x2, x6, x10, x14)
			QUARTERROUND(x3, x7, x11, x15)
			QUARTERROUND(x0, x5, x10, x15)
			QUARTERROUND(x1, x6, x11, x12)
			QUARTERROUND(x2, x7, x8, x13)
			QUARTERROUND(x3, x4, x9, x14)
		}
		x0 = PLUS(x0, j0);
		x1 = PLUS(x1, j1);
		x2 = PLUS(x2, j2);
		x3 = PLUS(x3, j3);
		x4 = PLUS(x4, j4);
		x5 = PLUS(x5, j5);
		x6 = PLUS(x6, j6);
		x7 = PLUS(x7, j7);
		x8 = PLUS(x8, j8);
		x9 = PLUS(x9, j9);
		x10 = PLUS(x10, j10);
		x11 = PLUS(x11, j11);
		x12 = PLUS(x12, j12);
		x13 = PLUS(x13, j13);
		x14 = PLUS(x14, j14);
		x15 = PLUS(x15, j15);

		if (bytes < 64) {
			U32TO8_LITTLE(x->ks + 0, x0);
			U32TO8_LITTLE(x->ks + 4, x1);
			U32TO8_LITTLE(x->ks + 8, x2);
			U32TO8_LITTLE(x->ks + 12, x3);
			U32TO8_LITTLE(x->ks + 16, x4);
			U32TO8_LITTLE(x->ks + 20, x5);
			U32TO8_LITTLE(x->ks + 24, x6);
			U32TO8_LITTLE(x->ks + 28, x7);
			U32TO8_LITTLE(x->ks + 32, x8);
			U32TO8_LITTLE(x->ks + 36, x9);
			U32TO8_LITTLE(x->ks + 40, x10);
			U32TO8_LITTLE(x->ks + 44, x11);
			U32TO8_LITTLE(x->ks + 48, x12);
			U32TO8_LITTLE(x->ks + 52, x13);
			U32TO8_LITTLE(x->ks + 56, x14);
			U32TO8_LITTLE(x->ks + 60, x15);
		}

		x0 = XOR(x0, U8TO32_LITTLE(m + 0));
		x1 = XOR(x1, U8TO32_LITTLE(m + 4));
		x2 = XOR(x2, U8TO32_LITTLE(m + 8));
		x3 = XOR(x3, U8TO32_LITTLE(m + 12));
		x4 = XOR(x4, U8TO32_LITTLE(m + 16));
		x5 = XOR(x5, U8TO32_LITTLE(m + 20));
		x6 = XOR(x6, U8TO32_LITTLE(m + 24));
		x7 = XOR(x7, U8TO32_LITTLE(m + 28));
		x8 = XOR(x8, U8TO32_LITTLE(m + 32));
		x9 = XOR(x9, U8TO32_LITTLE(m + 36));
		x10 = XOR(x10, U8TO32_LITTLE(m + 40));
		x11 = XOR(x11, U8TO32_LITTLE(m + 44));
		x12 = XOR(x12, U8TO32_LITTLE(m + 48));
		x13 = XOR(x13, U8TO32_LITTLE(m + 52));
		x14 = XOR(x14, U8TO32_LITTLE(m + 56));
		x15 = XOR(x15, U8TO32_LITTLE(m + 60));

		j12 = PLUSONE(j12);
		if (!j12) {
			j13 = PLUSONE(j13);
			/*
			 * Stopping at 2^70 bytes per nonce is the user's
			 * responsibility.
			 */
		}

		U32TO8_LITTLE(c + 0, x0);
		U32TO8_LITTLE(c + 4, x1);
		U32TO8_LITTLE(c + 8, x2);
		U32TO8_LITTLE(c + 12, x3);
		U32TO8_LITTLE(c + 16, x4);
		U32TO8_LITTLE(c + 20, x5);
		U32TO8_LITTLE(c + 24, x6);
		U32TO8_LITTLE(c + 28, x7);
		U32TO8_LITTLE(c + 32, x8);
		U32TO8_LITTLE(c + 36, x9);
		U32TO8_LITTLE(c + 40, x10);
		U32TO8_LITTLE(c + 44, x11);
		U32TO8_LITTLE(c + 48, x12);
		U32TO8_LITTLE(c + 52, x13);
		U32TO8_LITTLE(c + 56, x14);
		U32TO8_LITTLE(c + 60, x15);

		if (bytes <= 64) {
			if (bytes < 64) {
				for (i = 0; i < bytes; ++i)
					ctarget[i] = c[i];
			}
			x->input[12] = j12;
			x->input[13] = j13;
			x->unused = 64 - bytes;
			return;
		}
		bytes -= 64;
		c += 64;
		m += 64;
	}
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
2			/*
3			chacha-merged.c version 20080118
4			D. J. Bernstein
5			Public domain.
6			*/
7
8			#include <sys/types.h>
9
10			#include <stdint.h>
11
12			#define CHACHA_MINKEYLEN 16
13			#define CHACHA_NONCELEN 8
14			#define CHACHA_CTRLEN 8
15			#define CHACHA_STATELEN (CHACHA_NONCELEN+CHACHA_CTRLEN)
16			#define CHACHA_BLOCKLEN 64
17
18			struct chacha_ctx {
19			u_int input[16];
20			uint8_t ks[CHACHA_BLOCKLEN];
21			uint8_t unused;
22			};
23
24			static inline void chacha_keysetup(struct chacha_ctx x, const u_char k,
25			u_int kbits)
26			__attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
27			static inline void chacha_ivsetup(struct chacha_ctx x, const u_char iv,
28			const u_char *ctr)
29			__attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
30			__attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
31			static inline void chacha_encrypt_bytes(struct chacha_ctx x, const u_char m,
32			u_char *c, u_int bytes)
33			__attribute__((__bounded__(__buffer__, 2, 4)))
34			__attribute__((__bounded__(__buffer__, 3, 4)));
35
36			typedef unsigned char u8;
37			typedef unsigned int u32;
38
39			typedef struct chacha_ctx chacha_ctx;
40
41			#define U8C(v) (v##U)
42			#define U32C(v) (v##U)
43
44			#define U8V(v) ((u8)(v) & U8C(0xFF))
45			#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
46
47			#define ROTL32(v, n) \
48			(U32V((v) << (n)) \| ((v) >> (32 - (n))))
49
50			#define U8TO32_LITTLE(p) \
51			(((u32)((p)[0])) \| \
52			((u32)((p)[1]) << 8) \| \
53			((u32)((p)[2]) << 16) \| \
54			((u32)((p)[3]) << 24))
55
56			#define U32TO8_LITTLE(p, v) \
57			do { \
58			(p)[0] = U8V((v)); \
59			(p)[1] = U8V((v) >> 8); \
60			(p)[2] = U8V((v) >> 16); \
61			(p)[3] = U8V((v) >> 24); \
62			} while (0)
63
64			#define ROTATE(v,c) (ROTL32(v,c))
65			#define XOR(v,w) ((v) ^ (w))
66			#define PLUS(v,w) (U32V((v) + (w)))
67			#define PLUSONE(v) (PLUS((v),1))
68
69			#define QUARTERROUND(a,b,c,d) \
70			a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
71			c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
72			a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
73			c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
74
75			/* Initialise with "expand 32-byte k". */
76			static const char sigma[16] = {
77			0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
78			0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
79			};
80
81			/* Initialise with "expand 16-byte k". */
82			static const char tau[16] = {
83			0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x31,
84			0x36, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b,
85			};
86
87			static inline void
88			chacha_keysetup(chacha_ctx x, const u8 k, u32 kbits)
89			{
90			const char *constants;
91
92		608	x->input[4] = U8TO32_LITTLE(k + 0);
93		304	x->input[5] = U8TO32_LITTLE(k + 4);
94		304	x->input[6] = U8TO32_LITTLE(k + 8);
95		304	x->input[7] = U8TO32_LITTLE(k + 12);
96	✓✗	304	if (kbits == 256) { /* recommended */
97		304	k += 16;
98			constants = sigma;
99		304	} else { /* kbits == 128 */
100			constants = tau;
101			}
102		304	x->input[8] = U8TO32_LITTLE(k + 0);
103		304	x->input[9] = U8TO32_LITTLE(k + 4);
104		304	x->input[10] = U8TO32_LITTLE(k + 8);
105		304	x->input[11] = U8TO32_LITTLE(k + 12);
106		304	x->input[0] = U8TO32_LITTLE(constants + 0);
107		304	x->input[1] = U8TO32_LITTLE(constants + 4);
108		304	x->input[2] = U8TO32_LITTLE(constants + 8);
109		304	x->input[3] = U8TO32_LITTLE(constants + 12);
110		304	}
111
112			static inline void
113			chacha_ivsetup(chacha_ctx x, const u8 iv, const u8 *counter)
114			{
115	✗✓	912	x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
116	✗✓	608	x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
117		304	x->input[14] = U8TO32_LITTLE(iv + 0);
118		304	x->input[15] = U8TO32_LITTLE(iv + 4);
119		304	}
120
121			static inline void
122			chacha_encrypt_bytes(chacha_ctx x, const u8 m, u8 *c, u32 bytes)
123			{
124			u32 x0, x1, x2, x3, x4, x5, x6, x7;
125			u32 x8, x9, x10, x11, x12, x13, x14, x15;
126			u32 j0, j1, j2, j3, j4, j5, j6, j7;
127			u32 j8, j9, j10, j11, j12, j13, j14, j15;
128			u8 *ctarget = NULL;
129		3920	u8 tmp[64];
130			u_int i;
131
132	✓✓	1960	if (!bytes)
133		1656	return;
134
135		304	j0 = x->input[0];
136		304	j1 = x->input[1];
137		304	j2 = x->input[2];
138		304	j3 = x->input[3];
139		304	j4 = x->input[4];
140		304	j5 = x->input[5];
141		304	j6 = x->input[6];
142		304	j7 = x->input[7];
143		304	j8 = x->input[8];
144		304	j9 = x->input[9];
145		304	j10 = x->input[10];
146		304	j11 = x->input[11];
147		304	j12 = x->input[12];
148		304	j13 = x->input[13];
149		304	j14 = x->input[14];
150		304	j15 = x->input[15];
151
152		412	for (;;) {
153	✓✓	412	if (bytes < 64) {
154	✓✓	10360	for (i = 0; i < bytes; ++i)
155		4972	tmp[i] = m[i];
156		208	m = tmp;
157			ctarget = c;
158			c = tmp;
159		208	}
160			x0 = j0;
161			x1 = j1;
162			x2 = j2;
163			x3 = j3;
164			x4 = j4;
165			x5 = j5;
166			x6 = j6;
167			x7 = j7;
168			x8 = j8;
169			x9 = j9;
170			x10 = j10;
171			x11 = j11;
172			x12 = j12;
173			x13 = j13;
174			x14 = j14;
175			x15 = j15;
176	✓✓	9064	for (i = 20; i > 0; i -= 2) {
177		4120	QUARTERROUND(x0, x4, x8, x12)
178		4120	QUARTERROUND(x1, x5, x9, x13)
179		4120	QUARTERROUND(x2, x6, x10, x14)
180		4120	QUARTERROUND(x3, x7, x11, x15)
181		4120	QUARTERROUND(x0, x5, x10, x15)
182		4120	QUARTERROUND(x1, x6, x11, x12)
183		4120	QUARTERROUND(x2, x7, x8, x13)
184		4120	QUARTERROUND(x3, x4, x9, x14)
185			}
186		412	x0 = PLUS(x0, j0);
187		412	x1 = PLUS(x1, j1);
188		412	x2 = PLUS(x2, j2);
189		412	x3 = PLUS(x3, j3);
190		412	x4 = PLUS(x4, j4);
191		412	x5 = PLUS(x5, j5);
192		412	x6 = PLUS(x6, j6);
193		412	x7 = PLUS(x7, j7);
194		412	x8 = PLUS(x8, j8);
195		412	x9 = PLUS(x9, j9);
196		412	x10 = PLUS(x10, j10);
197		412	x11 = PLUS(x11, j11);
198		412	x12 = PLUS(x12, j12);
199		412	x13 = PLUS(x13, j13);
200		412	x14 = PLUS(x14, j14);
201		412	x15 = PLUS(x15, j15);
202
203	✓✓	412	if (bytes < 64) {
204		208	U32TO8_LITTLE(x->ks + 0, x0);
205		208	U32TO8_LITTLE(x->ks + 4, x1);
206		208	U32TO8_LITTLE(x->ks + 8, x2);
207		208	U32TO8_LITTLE(x->ks + 12, x3);
208		208	U32TO8_LITTLE(x->ks + 16, x4);
209		208	U32TO8_LITTLE(x->ks + 20, x5);
210		208	U32TO8_LITTLE(x->ks + 24, x6);
211		208	U32TO8_LITTLE(x->ks + 28, x7);
212		208	U32TO8_LITTLE(x->ks + 32, x8);
213		208	U32TO8_LITTLE(x->ks + 36, x9);
214		208	U32TO8_LITTLE(x->ks + 40, x10);
215		208	U32TO8_LITTLE(x->ks + 44, x11);
216		208	U32TO8_LITTLE(x->ks + 48, x12);
217		208	U32TO8_LITTLE(x->ks + 52, x13);
218		208	U32TO8_LITTLE(x->ks + 56, x14);
219		208	U32TO8_LITTLE(x->ks + 60, x15);
220		208	}
221
222		412	x0 = XOR(x0, U8TO32_LITTLE(m + 0));
223		412	x1 = XOR(x1, U8TO32_LITTLE(m + 4));
224		412	x2 = XOR(x2, U8TO32_LITTLE(m + 8));
225		412	x3 = XOR(x3, U8TO32_LITTLE(m + 12));
226		412	x4 = XOR(x4, U8TO32_LITTLE(m + 16));
227		412	x5 = XOR(x5, U8TO32_LITTLE(m + 20));
228		412	x6 = XOR(x6, U8TO32_LITTLE(m + 24));
229		412	x7 = XOR(x7, U8TO32_LITTLE(m + 28));
230		412	x8 = XOR(x8, U8TO32_LITTLE(m + 32));
231		412	x9 = XOR(x9, U8TO32_LITTLE(m + 36));
232		412	x10 = XOR(x10, U8TO32_LITTLE(m + 40));
233		412	x11 = XOR(x11, U8TO32_LITTLE(m + 44));
234		412	x12 = XOR(x12, U8TO32_LITTLE(m + 48));
235		412	x13 = XOR(x13, U8TO32_LITTLE(m + 52));
236		412	x14 = XOR(x14, U8TO32_LITTLE(m + 56));
237		412	x15 = XOR(x15, U8TO32_LITTLE(m + 60));
238
239		412	j12 = PLUSONE(j12);
240	✗✓	412	if (!j12) {
241			j13 = PLUSONE(j13);
242			/*
243			* Stopping at 2^70 bytes per nonce is the user's
244			* responsibility.
245			*/
246			}
247
248		412	U32TO8_LITTLE(c + 0, x0);
249		412	U32TO8_LITTLE(c + 4, x1);
250		412	U32TO8_LITTLE(c + 8, x2);
251		412	U32TO8_LITTLE(c + 12, x3);
252		412	U32TO8_LITTLE(c + 16, x4);
253		412	U32TO8_LITTLE(c + 20, x5);
254		412	U32TO8_LITTLE(c + 24, x6);
255		412	U32TO8_LITTLE(c + 28, x7);
256		412	U32TO8_LITTLE(c + 32, x8);
257		412	U32TO8_LITTLE(c + 36, x9);
258		412	U32TO8_LITTLE(c + 40, x10);
259		412	U32TO8_LITTLE(c + 44, x11);
260		412	U32TO8_LITTLE(c + 48, x12);
261		412	U32TO8_LITTLE(c + 52, x13);
262		412	U32TO8_LITTLE(c + 56, x14);
263		412	U32TO8_LITTLE(c + 60, x15);
264
265	✓✓	412	if (bytes <= 64) {
266	✓✓	304	if (bytes < 64) {
267	✓✓	10360	for (i = 0; i < bytes; ++i)
268		4972	ctarget[i] = c[i];
269			}
270		304	x->input[12] = j12;
271		304	x->input[13] = j13;
272		304	x->unused = 64 - bytes;
273		304	return;
274			}
275		108	bytes -= 64;
276		108	c += 64;
277		108	m += 64;
278			}
279		1960	}