2 * Copyright 2007-2009 Colin Percival
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * This file was originally written by Colin Percival as part of the Tarsnap
27 * online backup system.
29 #include "scrypt_platform.h"
34 #include <openssl/aes.h>
36 #include "sysendian.h"
38 #include "crypto_aesctr.h"
40 struct crypto_aesctr {
48 * crypto_aesctr_init(key, nonce):
49 * Prepare to encrypt/decrypt data with AES in CTR mode, using the provided
50 * expanded key and nonce. The key provided must remain valid for the
51 * lifetime of the stream.
53 struct crypto_aesctr *
54 crypto_aesctr_init(AES_KEY * key, uint64_t nonce)
56 struct crypto_aesctr * stream;
58 /* Allocate memory. */
59 if ((stream = malloc(sizeof(struct crypto_aesctr))) == NULL)
62 /* Initialize values. */
64 stream->nonce = nonce;
76 * crypto_aesctr_stream(stream, inbuf, outbuf, buflen):
77 * Generate the next ${buflen} bytes of the AES-CTR stream and xor them with
78 * bytes from ${inbuf}, writing the result into ${outbuf}. If the buffers
79 * ${inbuf} and ${outbuf} overlap, they must be identical.
82 crypto_aesctr_stream(struct crypto_aesctr * stream, const uint8_t * inbuf,
83 uint8_t * outbuf, size_t buflen)
89 for (pos = 0; pos < buflen; pos++) {
90 /* How far through the buffer are we? */
91 bytemod = stream->bytectr % 16;
93 /* Generate a block of cipherstream if needed. */
95 be64enc(pblk, stream->nonce);
96 be64enc(pblk + 8, stream->bytectr / 16);
97 AES_encrypt(pblk, stream->buf, stream->key);
100 /* Encrypt a byte. */
101 outbuf[pos] = inbuf[pos] ^ stream->buf[bytemod];
103 /* Move to the next byte of cipherstream. */
104 stream->bytectr += 1;
109 * crypto_aesctr_free(stream):
110 * Free the provided stream object.
113 crypto_aesctr_free(struct crypto_aesctr * stream)
117 /* Zero potentially sensitive information. */
118 for (i = 0; i < 16; i++)
120 stream->bytectr = stream->nonce = 0;
122 /* Free the stream. */