OpenCoverage

e_chacha20_poly1305.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/evp/e_chacha20_poly1305.c
Source codeSwitch to Preprocessed file
LineSourceCount
1/*-
2 * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.-
3 *-
4 * Licensed under the OpenSSL license (the "License"). You may not use-
5 * this file except in compliance with the License. You can obtain a copy-
6 * in the file LICENSE in the source distribution or at-
7 * https://www.openssl.org/source/license.html-
8 */-
9-
10#include <stdio.h>-
11#include "internal/cryptlib.h"-
12-
13#ifndef OPENSSL_NO_CHACHA-
14-
15# include <openssl/evp.h>-
16# include <openssl/objects.h>-
17# include "evp_locl.h"-
18# include "internal/evp_int.h"-
19# include "internal/chacha.h"-
20-
21typedef struct {-
22 union {-
23 double align; /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */-
24 unsigned int d[CHACHA_KEY_SIZE / 4];-
25 } key;-
26 unsigned int counter[CHACHA_CTR_SIZE / 4];-
27 unsigned char buf[CHACHA_BLK_SIZE];-
28 unsigned int partial_len;-
29} EVP_CHACHA_KEY;-
30-
31#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)-
32-
33static int chacha_init_key(EVP_CIPHER_CTX *ctx,-
34 const unsigned char user_key[CHACHA_KEY_SIZE],-
35 const unsigned char iv[CHACHA_CTR_SIZE], int enc)-
36{-
37 EVP_CHACHA_KEY *key = data(ctx);-
38 unsigned int i;-
39-
40 if (user_key)
user_keyDescription
TRUEevaluated 13171 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 8866 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
8866-13171
41 for (i = 0; i < CHACHA_KEY_SIZE; i+=4) {
i < 32Description
TRUEevaluated 105368 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 13171 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
13171-105368
42 key->key.d[i/4] = CHACHA_U8TOU32(user_key+i);-
43 }
executed 105368 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
105368
44-
45 if (iv)
ivDescription
TRUEevaluated 15176 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 6861 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
6861-15176
46 for (i = 0; i < CHACHA_CTR_SIZE; i+=4) {
i < 16Description
TRUEevaluated 60704 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 15176 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
15176-60704
47 key->counter[i/4] = CHACHA_U8TOU32(iv+i);-
48 }
executed 60704 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
60704
49-
50 key->partial_len = 0;-
51-
52 return 1;
executed 22037 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
22037
53}-
54-
55static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,-
56 const unsigned char *inp, size_t len)-
57{-
58 EVP_CHACHA_KEY *key = data(ctx);-
59 unsigned int n, rem, ctr32;-
60-
61 if ((n = key->partial_len)) {
(n = key->partial_len)Description
TRUEevaluated 16632 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 29675 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
16632-29675
62 while (len && n < CHACHA_BLK_SIZE) {
lenDescription
TRUEevaluated 546996 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 1812 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
n < 64Description
TRUEevaluated 532176 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 14820 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
1812-546996
63 *out++ = *inp++ ^ key->buf[n++];-
64 len--;-
65 }
executed 532176 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
532176
66 key->partial_len = n;-
67-
68 if (len == 0)
len == 0Description
TRUEevaluated 1812 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 14820 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
1812-14820
69 return 1;
executed 1812 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
1812
70-
71 if (n == CHACHA_BLK_SIZE) {
n == 64Description
TRUEevaluated 14820 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-14820
72 key->partial_len = 0;-
73 key->counter[0]++;-
74 if (key->counter[0] == 0)
key->counter[0] == 0Description
TRUEnever evaluated
FALSEevaluated 14820 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-14820
75 key->counter[1]++;
never executed: key->counter[1]++;
0
76 }
executed 14820 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
14820
77 }
executed 14820 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
14820
78-
79 rem = (unsigned int)(len % CHACHA_BLK_SIZE);-
80 len -= rem;-
81 ctr32 = key->counter[0];-
82 while (len >= CHACHA_BLK_SIZE) {
len >= 64Description
TRUEevaluated 36005 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 44495 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
36005-44495
83 size_t blocks = len / CHACHA_BLK_SIZE;-
84 /*-
85 * 1<<28 is just a not-so-small yet not-so-large number...-
86 * Below condition is practically never met, but it has to-
87 * be checked for code correctness.-
88 */-
89 if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28))
sizeof(size_t)...(unsigned int)Description
TRUEevaluated 36005 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
blocks>(1U<<28)Description
TRUEnever evaluated
FALSEevaluated 36005 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-36005
90 blocks = (1U<<28);
never executed: blocks = (1U<<28);
0
91-
92 /*-
93 * As ChaCha20_ctr32 operates on 32-bit counter, caller-
94 * has to handle overflow. 'if' below detects the-
95 * overflow, which is then handled by limiting the-
96 * amount of blocks to the exact overflow point...-
97 */-
98 ctr32 += (unsigned int)blocks;-
99 if (ctr32 < blocks) {
ctr32 < blocksDescription
TRUEnever evaluated
FALSEevaluated 36005 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-36005
100 blocks -= ctr32;-
101 ctr32 = 0;-
102 }
never executed: end of block
0
103 blocks *= CHACHA_BLK_SIZE;-
104 ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);-
105 len -= blocks;-
106 inp += blocks;-
107 out += blocks;-
108-
109 key->counter[0] = ctr32;-
110 if (ctr32 == 0) key->counter[1]++;
never executed: key->counter[1]++;
ctr32 == 0Description
TRUEnever evaluated
FALSEevaluated 36005 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-36005
111 }
executed 36005 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
36005
112-
113 if (rem) {
remDescription
TRUEevaluated 25092 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 19403 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
19403-25092
114 memset(key->buf, 0, sizeof(key->buf));-
115 ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,-
116 key->key.d, key->counter);-
117 for (n = 0; n < rem; n++)
n < remDescription
TRUEevaluated 661326 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 25092 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
25092-661326
118 out[n] = inp[n] ^ key->buf[n];
executed 661326 times by 1 test: out[n] = inp[n] ^ key->buf[n];
Executed by:
  • libcrypto.so.1.1
661326
119 key->partial_len = rem;-
120 }
executed 25092 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
25092
121-
122 return 1;
executed 44495 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
44495
123}-
124-
125static const EVP_CIPHER chacha20 = {-
126 NID_chacha20,-
127 1, /* block_size */-
128 CHACHA_KEY_SIZE, /* key_len */-
129 CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */-
130 EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,-
131 chacha_init_key,-
132 chacha_cipher,-
133 NULL,-
134 sizeof(EVP_CHACHA_KEY),-
135 NULL,-
136 NULL,-
137 NULL,-
138 NULL-
139};-
140-
141const EVP_CIPHER *EVP_chacha20(void)-
142{-
143 return &chacha20;
executed 1964 times by 1 test: return &chacha20;
Executed by:
  • libcrypto.so.1.1
1964
144}-
145-
146# ifndef OPENSSL_NO_POLY1305-
147# include "internal/poly1305.h"-
148-
149typedef struct {-
150 EVP_CHACHA_KEY key;-
151 unsigned int nonce[12/4];-
152 unsigned char tag[POLY1305_BLOCK_SIZE];-
153 unsigned char tls_aad[POLY1305_BLOCK_SIZE];-
154 struct { uint64_t aad, text; } len;-
155 int aad, mac_inited, tag_len, nonce_len;-
156 size_t tls_payload_length;-
157} EVP_CHACHA_AEAD_CTX;-
158-
159# define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)-
160# define aead_data(ctx) ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)-
161# define POLY1305_ctx(actx) ((POLY1305 *)(actx + 1))-
162-
163static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,-
164 const unsigned char *inkey,-
165 const unsigned char *iv, int enc)-
166{-
167 EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);-
168-
169 if (!inkey && !iv)
!inkeyDescription
TRUEevaluated 8936 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 6645 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
!ivDescription
TRUEevaluated 456 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 8480 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
456-8936
170 return 1;
executed 456 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
456
171-
172 actx->len.aad = 0;-
173 actx->len.text = 0;-
174 actx->aad = 0;-
175 actx->mac_inited = 0;-
176 actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;-
177-
178 if (iv != NULL) {
iv != ((void *)0)Description
TRUEevaluated 11720 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 3405 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
3405-11720
179 unsigned char temp[CHACHA_CTR_SIZE] = { 0 };-
180-
181 /* pad on the left */-
182 if (actx->nonce_len <= CHACHA_CTR_SIZE)
actx->nonce_len <= 16Description
TRUEevaluated 11720 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-11720
183 memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
executed 11720 times by 1 test: memcpy(temp + 16 - actx->nonce_len, iv, actx->nonce_len);
Executed by:
  • libcrypto.so.1.1
11720
184 actx->nonce_len);
executed 11720 times by 1 test: memcpy(temp + 16 - actx->nonce_len, iv, actx->nonce_len);
Executed by:
  • libcrypto.so.1.1
11720
185-
186 chacha_init_key(ctx, inkey, temp, enc);-
187-
188 actx->nonce[0] = actx->key.counter[1];-
189 actx->nonce[1] = actx->key.counter[2];-
190 actx->nonce[2] = actx->key.counter[3];-
191 } else {
executed 11720 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
11720
192 chacha_init_key(ctx, inkey, NULL, enc);-
193 }
executed 3405 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
3405
194-
195 return 1;
executed 15125 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
15125
196}-
197-
198# if !defined(OPENSSL_SMALL_FOOTPRINT)-
199-
200# if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \-
201 defined(_M_AMD64) || defined(_M_X64))-
202# define XOR128_HELPERS-
203void *xor128_encrypt_n_pad(void *out, const void *inp, void *otp, size_t len);-
204void *xor128_decrypt_n_pad(void *out, const void *inp, void *otp, size_t len);-
205static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };-
206# else-
207static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };-
208# endif-
209-
210static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,-
211 const unsigned char *in, size_t len)-
212{-
213 EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);-
214 size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;-
215 unsigned char *buf, *tohash, *ctr, storage[sizeof(zero) + 32];-
216-
217 if (len != plen + POLY1305_BLOCK_SIZE)
len != plen + 16Description
TRUEnever evaluated
FALSEevaluated 110 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-110
218 return -1;
never executed: return -1;
0
219-
220 buf = storage + ((0 - (size_t)storage) & 15); /* align */-
221 ctr = buf + CHACHA_BLK_SIZE;-
222 tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;-
223-
224# ifdef XOR128_HELPERS-
225 if (plen <= 3 * CHACHA_BLK_SIZE) {
plen <= 3 * 64Description
TRUEevaluated 57 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 53 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
53-57
226 actx->key.counter[0] = 0;-
227 buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);-
228 ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,-
229 actx->key.counter);-
230 Poly1305_Init(POLY1305_ctx(actx), buf);-
231 actx->key.partial_len = 0;-
232 memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);-
233 tohash_len = POLY1305_BLOCK_SIZE;-
234 actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;-
235 actx->len.text = plen;-
236-
237 if (plen) {
plenDescription
TRUEevaluated 56 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 1 time by 1 test
Evaluated by:
  • libcrypto.so.1.1
1-56
238 if (ctx->encrypt)
ctx->encryptDescription
TRUEevaluated 25 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 31 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
25-31
239 ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
executed 25 times by 1 test: ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
Executed by:
  • libcrypto.so.1.1
25
240 else-
241 ctr = xor128_decrypt_n_pad(out, in, ctr, plen);
executed 31 times by 1 test: ctr = xor128_decrypt_n_pad(out, in, ctr, plen);
Executed by:
  • libcrypto.so.1.1
31
242-
243 in += plen;-
244 out += plen;-
245 tohash_len = (size_t)(ctr - tohash);-
246 }
executed 56 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
56
247 }
executed 57 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
57
248# else-
249 if (plen <= CHACHA_BLK_SIZE) {-
250 size_t i;-
251-
252 actx->key.counter[0] = 0;-
253 ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),-
254 actx->key.key.d, actx->key.counter);-
255 Poly1305_Init(POLY1305_ctx(actx), buf);-
256 actx->key.partial_len = 0;-
257 memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);-
258 tohash_len = POLY1305_BLOCK_SIZE;-
259 actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;-
260 actx->len.text = plen;-
261-
262 if (ctx->encrypt) {-
263 for (i = 0; i < plen; i++) {-
264 out[i] = ctr[i] ^= in[i];-
265 }-
266 } else {-
267 for (i = 0; i < plen; i++) {-
268 unsigned char c = in[i];-
269 out[i] = ctr[i] ^ c;-
270 ctr[i] = c;-
271 }-
272 }-
273-
274 in += i;-
275 out += i;-
276-
277 tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);-
278 memset(ctr + i, 0, tail);-
279 ctr += i + tail;-
280 tohash_len += i + tail;-
281 }-
282# endif-
283 else {-
284 actx->key.counter[0] = 0;-
285 ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),-
286 actx->key.key.d, actx->key.counter);-
287 Poly1305_Init(POLY1305_ctx(actx), buf);-
288 actx->key.counter[0] = 1;-
289 actx->key.partial_len = 0;-
290 Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);-
291 tohash = ctr;-
292 tohash_len = 0;-
293 actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;-
294 actx->len.text = plen;-
295-
296 if (ctx->encrypt) {
ctx->encryptDescription
TRUEevaluated 40 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 13 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
13-40
297 ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);-
298 Poly1305_Update(POLY1305_ctx(actx), out, plen);-
299 } else {
executed 40 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
40
300 Poly1305_Update(POLY1305_ctx(actx), in, plen);-
301 ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);-
302 }
executed 13 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
13
303-
304 in += plen;-
305 out += plen;-
306 tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);-
307 Poly1305_Update(POLY1305_ctx(actx), zero, tail);-
308 }
executed 53 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
53
309-
310 {-
311 const union {-
312 long one;-
313 char little;-
314 } is_endian = { 1 };-
315-
316 if (is_endian.little) {
is_endian.littleDescription
TRUEevaluated 110 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-110
317 memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);-
318 } else {
executed 110 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
110
319 ctr[0] = (unsigned char)(actx->len.aad);-
320 ctr[1] = (unsigned char)(actx->len.aad>>8);-
321 ctr[2] = (unsigned char)(actx->len.aad>>16);-
322 ctr[3] = (unsigned char)(actx->len.aad>>24);-
323 ctr[4] = (unsigned char)(actx->len.aad>>32);-
324 ctr[5] = (unsigned char)(actx->len.aad>>40);-
325 ctr[6] = (unsigned char)(actx->len.aad>>48);-
326 ctr[7] = (unsigned char)(actx->len.aad>>56);-
327-
328 ctr[8] = (unsigned char)(actx->len.text);-
329 ctr[9] = (unsigned char)(actx->len.text>>8);-
330 ctr[10] = (unsigned char)(actx->len.text>>16);-
331 ctr[11] = (unsigned char)(actx->len.text>>24);-
332 ctr[12] = (unsigned char)(actx->len.text>>32);-
333 ctr[13] = (unsigned char)(actx->len.text>>40);-
334 ctr[14] = (unsigned char)(actx->len.text>>48);-
335 ctr[15] = (unsigned char)(actx->len.text>>56);-
336 }
never executed: end of block
0
337 tohash_len += POLY1305_BLOCK_SIZE;-
338 }-
339-
340 Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);-
341 OPENSSL_cleanse(buf, buf_len);-
342 Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag-
343 : tohash);-
344-
345 actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;-
346-
347 if (ctx->encrypt) {
ctx->encryptDescription
TRUEevaluated 65 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 45 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
45-65
348 memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);-
349 } else {
executed 65 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
65
350 if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
CRYPTO_memcmp(tohash, in, 16)Description
TRUEevaluated 20 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 25 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
20-25
351 memset(out - (len - POLY1305_BLOCK_SIZE), 0,-
352 len - POLY1305_BLOCK_SIZE);-
353 return -1;
executed 20 times by 1 test: return -1;
Executed by:
  • libcrypto.so.1.1
20
354 }-
355 }
executed 25 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
25
356-
357 return len;
executed 90 times by 1 test: return len;
Executed by:
  • libcrypto.so.1.1
90
358}-
359# else-
360static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };-
361# endif-
362-
363static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,-
364 const unsigned char *in, size_t len)-
365{-
366 EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);-
367 size_t rem, plen = actx->tls_payload_length;-
368-
369 if (!actx->mac_inited) {
!actx->mac_initedDescription
TRUEevaluated 14853 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 35850 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
14853-35850
370# if !defined(OPENSSL_SMALL_FOOTPRINT)-
371 if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
plen != ((size_t)-1)Description
TRUEevaluated 110 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
out != ((void *)0)Description
TRUEevaluated 110 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-14743
372 return chacha20_poly1305_tls_cipher(ctx, out, in, len);
executed 110 times by 1 test: return chacha20_poly1305_tls_cipher(ctx, out, in, len);
Executed by:
  • libcrypto.so.1.1
110
373# endif-
374 actx->key.counter[0] = 0;-
375 ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,-
376 actx->key.key.d, actx->key.counter);-
377 Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);-
378 actx->key.counter[0] = 1;-
379 actx->key.partial_len = 0;-
380 actx->len.aad = actx->len.text = 0;-
381 actx->mac_inited = 1;-
382 if (plen != NO_TLS_PAYLOAD_LENGTH) {
plen != ((size_t)-1)Description
TRUEnever evaluated
FALSEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-14743
383 Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,-
384 EVP_AEAD_TLS1_AAD_LEN);-
385 actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;-
386 actx->aad = 1;-
387 }
never executed: end of block
0
388 }
executed 14743 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
14743
389-
390 if (in) { /* aad or text */
inDescription
TRUEevaluated 35850 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
14743-35850
391 if (out == NULL) { /* aad */
out == ((void *)0)Description
TRUEevaluated 8721 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 27129 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
8721-27129
392 Poly1305_Update(POLY1305_ctx(actx), in, len);-
393 actx->len.aad += len;-
394 actx->aad = 1;-
395 return len;
executed 8721 times by 1 test: return len;
Executed by:
  • libcrypto.so.1.1
8721
396 } else { /* plain- or ciphertext */-
397 if (actx->aad) { /* wrap up aad */
actx->aadDescription
TRUEevaluated 8601 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 18528 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
8601-18528
398 if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
(rem = (size_t...>len.aad % 16)Description
TRUEevaluated 8601 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-8601
399 Poly1305_Update(POLY1305_ctx(actx), zero,
executed 8601 times by 1 test: Poly1305_Update(((POLY1305 *)(actx + 1)), zero, 16 - rem);
Executed by:
  • libcrypto.so.1.1
8601
400 POLY1305_BLOCK_SIZE - rem);
executed 8601 times by 1 test: Poly1305_Update(((POLY1305 *)(actx + 1)), zero, 16 - rem);
Executed by:
  • libcrypto.so.1.1
8601
401 actx->aad = 0;-
402 }
executed 8601 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
8601
403-
404 actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;-
405 if (plen == NO_TLS_PAYLOAD_LENGTH)
plen == ((size_t)-1)Description
TRUEevaluated 27129 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-27129
406 plen = len;
executed 27129 times by 1 test: plen = len;
Executed by:
  • libcrypto.so.1.1
27129
407 else if (len != plen + POLY1305_BLOCK_SIZE)
len != plen + 16Description
TRUEnever evaluated
FALSEnever evaluated
0
408 return -1;
never executed: return -1;
0
409-
410 if (ctx->encrypt) { /* plaintext */
ctx->encryptDescription
TRUEevaluated 9791 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 17338 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
9791-17338
411 chacha_cipher(ctx, out, in, plen);-
412 Poly1305_Update(POLY1305_ctx(actx), out, plen);-
413 in += plen;-
414 out += plen;-
415 actx->len.text += plen;-
416 } else { /* ciphertext */
executed 9791 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
9791
417 Poly1305_Update(POLY1305_ctx(actx), in, plen);-
418 chacha_cipher(ctx, out, in, plen);-
419 in += plen;-
420 out += plen;-
421 actx->len.text += plen;-
422 }
executed 17338 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
17338
423 }-
424 }-
425 if (in == NULL /* explicit final */
in == ((void *)0)Description
TRUEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 27129 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
14743-27129
426 || plen != len) { /* or tls mode */
plen != lenDescription
TRUEnever evaluated
FALSEevaluated 27129 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-27129
427 const union {-
428 long one;-
429 char little;-
430 } is_endian = { 1 };-
431 unsigned char temp[POLY1305_BLOCK_SIZE];-
432-
433 if (actx->aad) { /* wrap up aad */
actx->aadDescription
TRUEnever evaluated
FALSEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-14743
434 if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
(rem = (size_t...>len.aad % 16)Description
TRUEnever evaluated
FALSEnever evaluated
0
435 Poly1305_Update(POLY1305_ctx(actx), zero,
never executed: Poly1305_Update(((POLY1305 *)(actx + 1)), zero, 16 - rem);
0
436 POLY1305_BLOCK_SIZE - rem);
never executed: Poly1305_Update(((POLY1305 *)(actx + 1)), zero, 16 - rem);
0
437 actx->aad = 0;-
438 }
never executed: end of block
0
439-
440 if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
(rem = (size_t...len.text % 16)Description
TRUEevaluated 8396 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 6347 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
6347-8396
441 Poly1305_Update(POLY1305_ctx(actx), zero,
executed 8396 times by 1 test: Poly1305_Update(((POLY1305 *)(actx + 1)), zero, 16 - rem);
Executed by:
  • libcrypto.so.1.1
8396
442 POLY1305_BLOCK_SIZE - rem);
executed 8396 times by 1 test: Poly1305_Update(((POLY1305 *)(actx + 1)), zero, 16 - rem);
Executed by:
  • libcrypto.so.1.1
8396
443-
444 if (is_endian.little) {
is_endian.littleDescription
TRUEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-14743
445 Poly1305_Update(POLY1305_ctx(actx),-
446 (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);-
447 } else {
executed 14743 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
14743
448 temp[0] = (unsigned char)(actx->len.aad);-
449 temp[1] = (unsigned char)(actx->len.aad>>8);-
450 temp[2] = (unsigned char)(actx->len.aad>>16);-
451 temp[3] = (unsigned char)(actx->len.aad>>24);-
452 temp[4] = (unsigned char)(actx->len.aad>>32);-
453 temp[5] = (unsigned char)(actx->len.aad>>40);-
454 temp[6] = (unsigned char)(actx->len.aad>>48);-
455 temp[7] = (unsigned char)(actx->len.aad>>56);-
456-
457 temp[8] = (unsigned char)(actx->len.text);-
458 temp[9] = (unsigned char)(actx->len.text>>8);-
459 temp[10] = (unsigned char)(actx->len.text>>16);-
460 temp[11] = (unsigned char)(actx->len.text>>24);-
461 temp[12] = (unsigned char)(actx->len.text>>32);-
462 temp[13] = (unsigned char)(actx->len.text>>40);-
463 temp[14] = (unsigned char)(actx->len.text>>48);-
464 temp[15] = (unsigned char)(actx->len.text>>56);-
465-
466 Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);-
467 }
never executed: end of block
0
468 Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag-
469 : temp);-
470 actx->mac_inited = 0;-
471-
472 if (in != NULL && len != plen) { /* tls mode */
in != ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 14743 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
len != plenDescription
TRUEnever evaluated
FALSEnever evaluated
0-14743
473 if (ctx->encrypt) {
ctx->encryptDescription
TRUEnever evaluated
FALSEnever evaluated
0
474 memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);-
475 } else {
never executed: end of block
0
476 if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
CRYPTO_memcmp(temp, in, 16)Description
TRUEnever evaluated
FALSEnever evaluated
0
477 memset(out - plen, 0, plen);-
478 return -1;
never executed: return -1;
0
479 }-
480 }
never executed: end of block
0
481 }-
482 else if (!ctx->encrypt) {
!ctx->encryptDescription
TRUEevaluated 11146 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 3597 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
3597-11146
483 if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
CRYPTO_memcmp(...actx->tag_len)Description
TRUEevaluated 7993 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 3153 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
3153-7993
484 return -1;
executed 7993 times by 1 test: return -1;
Executed by:
  • libcrypto.so.1.1
7993
485 }
executed 3153 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
3153
486 }
executed 6750 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
6750
487 return len;
executed 33879 times by 1 test: return len;
Executed by:
  • libcrypto.so.1.1
33879
488}-
489-
490static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)-
491{-
492 EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);-
493 if (actx)
actxDescription
TRUEevaluated 6645 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-6645
494 OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
executed 6645 times by 1 test: OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
Executed by:
  • libcrypto.so.1.1
6645
495 return 1;
executed 6645 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
6645
496}-
497-
498static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,-
499 void *ptr)-
500{-
501 EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);-
502-
503 switch(type) {-
504 case EVP_CTRL_INIT:
executed 6645 times by 1 test: case 0x0:
Executed by:
  • libcrypto.so.1.1
6645
505 if (actx == NULL)
actx == ((void *)0)Description
TRUEevaluated 6645 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEnever evaluated
0-6645
506 actx = ctx->cipher_data
executed 6645 times by 1 test: actx = ctx->cipher_data = CRYPTO_zalloc(sizeof(*actx) + Poly1305_ctx_size(), __FILE__, 507);
Executed by:
  • libcrypto.so.1.1
6645
507 = OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
executed 6645 times by 1 test: actx = ctx->cipher_data = CRYPTO_zalloc(sizeof(*actx) + Poly1305_ctx_size(), __FILE__, 507);
Executed by:
  • libcrypto.so.1.1
6645
508 if (actx == NULL) {
actx == ((void *)0)Description
TRUEnever evaluated
FALSEevaluated 6645 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-6645
509 EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_INITIALIZATION_ERROR);-
510 return 0;
never executed: return 0;
0
511 }-
512 actx->len.aad = 0;-
513 actx->len.text = 0;-
514 actx->aad = 0;-
515 actx->mac_inited = 0;-
516 actx->tag_len = 0;-
517 actx->nonce_len = 12;-
518 actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;-
519 memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);-
520 return 1;
executed 6645 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
6645
521-
522 case EVP_CTRL_COPY:
never executed: case 0x8:
0
523 if (actx) {
actxDescription
TRUEnever evaluated
FALSEnever evaluated
0
524 EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;-
525-
526 dst->cipher_data =-
527 OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());-
528 if (dst->cipher_data == NULL) {
dst->cipher_da...== ((void *)0)Description
TRUEnever evaluated
FALSEnever evaluated
0
529 EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);-
530 return 0;
never executed: return 0;
0
531 }-
532 }
never executed: end of block
0
533 return 1;
never executed: return 1;
0
534-
535 case EVP_CTRL_AEAD_SET_IVLEN:
executed 456 times by 1 test: case 0x9:
Executed by:
  • libcrypto.so.1.1
456
536 if (arg <= 0 || arg > CHACHA_CTR_SIZE)
arg <= 0Description
TRUEnever evaluated
FALSEevaluated 456 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
arg > 16Description
TRUEnever evaluated
FALSEevaluated 456 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-456
537 return 0;
never executed: return 0;
0
538 actx->nonce_len = arg;-
539 return 1;
executed 456 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
456
540-
541 case EVP_CTRL_AEAD_SET_IV_FIXED:
never executed: case 0x12:
0
542 if (arg != 12)
arg != 12Description
TRUEnever evaluated
FALSEnever evaluated
0
543 return 0;
never executed: return 0;
0
544 actx->nonce[0] = actx->key.counter[1]-
545 = CHACHA_U8TOU32((unsigned char *)ptr);-
546 actx->nonce[1] = actx->key.counter[2]-
547 = CHACHA_U8TOU32((unsigned char *)ptr+4);-
548 actx->nonce[2] = actx->key.counter[3]-
549 = CHACHA_U8TOU32((unsigned char *)ptr+8);-
550 return 1;
never executed: return 1;
0
551-
552 case EVP_CTRL_AEAD_SET_TAG:
executed 8134 times by 1 test: case 0x11:
Executed by:
  • libcrypto.so.1.1
8134
553 if (arg <= 0 || arg > POLY1305_BLOCK_SIZE)
arg <= 0Description
TRUEnever evaluated
FALSEevaluated 8134 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
arg > 16Description
TRUEnever evaluated
FALSEevaluated 8134 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-8134
554 return 0;
never executed: return 0;
0
555 if (ptr != NULL) {
ptr != ((void *)0)Description
TRUEevaluated 8074 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 60 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
60-8074
556 memcpy(actx->tag, ptr, arg);-
557 actx->tag_len = arg;-
558 }
executed 8074 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
8074
559 return 1;
executed 8134 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
8134
560-
561 case EVP_CTRL_AEAD_GET_TAG:
executed 527 times by 1 test: case 0x10:
Executed by:
  • libcrypto.so.1.1
527
562 if (arg <= 0 || arg > POLY1305_BLOCK_SIZE || !ctx->encrypt)
arg <= 0Description
TRUEnever evaluated
FALSEevaluated 527 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
arg > 16Description
TRUEnever evaluated
FALSEevaluated 527 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
!ctx->encryptDescription
TRUEnever evaluated
FALSEevaluated 527 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-527
563 return 0;
never executed: return 0;
0
564 memcpy(ptr, actx->tag, arg);-
565 return 1;
executed 527 times by 1 test: return 1;
Executed by:
  • libcrypto.so.1.1
527
566-
567 case EVP_CTRL_AEAD_TLS1_AAD:
executed 111 times by 1 test: case 0x16:
Executed by:
  • libcrypto.so.1.1
111
568 if (arg != EVP_AEAD_TLS1_AAD_LEN)
arg != 13Description
TRUEnever evaluated
FALSEevaluated 111 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
0-111
569 return 0;
never executed: return 0;
0
570 {-
571 unsigned int len;-
572 unsigned char *aad = ptr;-
573-
574 memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);-
575 len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |-
576 aad[EVP_AEAD_TLS1_AAD_LEN - 1];-
577 aad = actx->tls_aad;-
578 if (!ctx->encrypt) {
!ctx->encryptDescription
TRUEevaluated 46 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 65 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
46-65
579 if (len < POLY1305_BLOCK_SIZE)
len < 16Description
TRUEevaluated 1 time by 1 test
Evaluated by:
  • libcrypto.so.1.1
FALSEevaluated 45 times by 1 test
Evaluated by:
  • libcrypto.so.1.1
1-45
580 return 0;
executed 1 time by 1 test: return 0;
Executed by:
  • libcrypto.so.1.1
1
581 len -= POLY1305_BLOCK_SIZE; /* discount attached tag */-
582 aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);-
583 aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;-
584 }
executed 45 times by 1 test: end of block
Executed by:
  • libcrypto.so.1.1
45
585 actx->tls_payload_length = len;-
586-
587 /*-
588 * merge record sequence number as per RFC7905-
589 */-
590 actx->key.counter[1] = actx->nonce[0];-
591 actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);-
592 actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);-
593 actx->mac_inited = 0;-
594-
595 return POLY1305_BLOCK_SIZE; /* tag length */
executed 110 times by 1 test: return 16;
Executed by:
  • libcrypto.so.1.1
110
596 }-
597-
598 case EVP_CTRL_AEAD_SET_MAC_KEY:
never executed: case 0x17:
0
599 /* no-op */-
600 return 1;
never executed: return 1;
0
601-
602 default:
never executed: default:
0
603 return -1;
never executed: return -1;
0
604 }-
605}-
606-
607static EVP_CIPHER chacha20_poly1305 = {-
608 NID_chacha20_poly1305,-
609 1, /* block_size */-
610 CHACHA_KEY_SIZE, /* key_len */-
611 12, /* iv_len, 96-bit nonce in the context */-
612 EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |-
613 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |-
614 EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,-
615 chacha20_poly1305_init_key,-
616 chacha20_poly1305_cipher,-
617 chacha20_poly1305_cleanup,-
618 0, /* 0 moves context-specific structure allocation to ctrl */-
619 NULL, /* set_asn1_parameters */-
620 NULL, /* get_asn1_parameters */-
621 chacha20_poly1305_ctrl,-
622 NULL /* app_data */-
623};-
624-
625const EVP_CIPHER *EVP_chacha20_poly1305(void)-
626{-
627 return(&chacha20_poly1305);
executed 3922 times by 1 test: return(&chacha20_poly1305);
Executed by:
  • libcrypto.so.1.1
3922
628}-
629# endif-
630#endif-
Source codeSwitch to Preprocessed file
Generated by Squish Coco 4.2.2