Prepare for 0.9.8k release.

[oweals/openssl.git] / crypto / aes / aes_ctr.c

diff --git a/crypto/aes/aes_ctr.c b/crypto/aes/aes_ctr.c
index 59088499a0a9b738e37cabb58f94aa9b179ac989..f36982be1e26e2c07b3c2116ab598af4a80442f8 100644 (file)
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -59,39 +59,44 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
-/* NOTE: CTR mode is big-endian.  The rest of the AES code
+/* NOTE: the IV/counter CTR mode is big-endian.  The rest of the AES code
  * is endian-neutral. */
 
-/* increment counter (128-bit int) by 2^64 */
+/* increment counter (128-bit int) by 1 */
 static void AES_ctr128_inc(unsigned char *counter) {
        unsigned long c;
 
-       /* Grab 3rd dword of counter and increment */
-#ifdef L_ENDIAN
-       c = GETU32(counter + 8);
-       c++;
-       PUTU32(counter + 8, c);
-#else
-       c = GETU32(counter + 4);
-       c++;
-       PUTU32(counter + 4, c);
-#endif
+       /* Grab bottom dword of counter and increment */
+       c = GETU32(counter + 12);
+       c++;    c &= 0xFFFFFFFF;
+       PUTU32(counter + 12, c);
+
+       /* if no overflow, we're done */
+       if (c)
+               return;
+
+       /* Grab 1st dword of counter and increment */
+       c = GETU32(counter +  8);
+       c++;    c &= 0xFFFFFFFF;
+       PUTU32(counter +  8, c);
+
+       /* if no overflow, we're done */
+       if (c)
+               return;
+
+       /* Grab 2nd dword of counter and increment */
+       c = GETU32(counter +  4);
+       c++;    c &= 0xFFFFFFFF;
+       PUTU32(counter +  4, c);
 
        /* if no overflow, we're done */
        if (c)
                return;
 
        /* Grab top dword of counter and increment */
-#ifdef L_ENDIAN
-       c = GETU32(counter + 12);
-       c++;
-       PUTU32(counter + 12, c);
-#else
        c = GETU32(counter +  0);
-       c++;
+       c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  0, c);
-#endif
-
 }
 
 /* The input encrypted as though 128bit counter mode is being
@@ -100,10 +105,16 @@ static void AES_ctr128_inc(unsigned char *counter) {
  * encrypted counter is kept in ecount_buf.  Both *num and
  * ecount_buf must be initialised with zeros before the first
  * call to AES_ctr128_encrypt().
+ *
+ * This algorithm assumes that the counter is in the x lower bits
+ * of the IV (ivec), and that the application has full control over
+ * overflow and the rest of the IV.  This implementation takes NO
+ * responsability for checking that the counter doesn't overflow
+ * into the rest of the IV when incremented.
  */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
        const unsigned long length, const AES_KEY *key,
-       unsigned char counter[AES_BLOCK_SIZE],
+       unsigned char ivec[AES_BLOCK_SIZE],
        unsigned char ecount_buf[AES_BLOCK_SIZE],
        unsigned int *num) {
 
@@ -117,8 +128,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 
        while (l--) {
                if (n == 0) {
-                       AES_encrypt(counter, ecount_buf, key);
-                       AES_ctr128_inc(counter);
+                       AES_encrypt(ivec, ecount_buf, key);
+                       AES_ctr128_inc(ivec);
                }
                *(out++) = *(in++) ^ ecount_buf[n];
                n = (n+1) % AES_BLOCK_SIZE;