Add some comments and tweak assertions for cbc.c.
See https://boringssl-review.googlesource.com/#/c/4832/.
Change-Id: Icf457a2b47bc2d5b84dddc454d5ca8ec328b5169
Reviewed-on: https://boringssl-review.googlesource.com/4860
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/modes/cbc.c b/crypto/modes/cbc.c
index f0889ef..931b718 100644
--- a/crypto/modes/cbc.c
+++ b/crypto/modes/cbc.c
@@ -63,7 +63,8 @@
size_t n;
const uint8_t *iv = ivec;
- assert(in && out && key && ivec);
+ assert(key != NULL && ivec != NULL);
+ assert(len == 0 || (in != NULL && out != NULL));
if (STRICT_ALIGNMENT &&
((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
@@ -119,12 +120,17 @@
uint8_t c[16];
} tmp;
- assert(in && out && key && ivec);
+ assert(key != NULL && ivec != NULL);
+ assert(len == 0 || (in != NULL && out != NULL));
const uintptr_t inptr = (uintptr_t) in;
const uintptr_t outptr = (uintptr_t) out;
+ /* If |in| and |out| alias, |in| must be ahead. */
+ assert(inptr >= outptr || inptr + len <= outptr);
if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) {
+ /* If |out| is at least two blocks behind |in| or completely disjoint, there
+ * is no need to decrypt to a temporary block. */
const uint8_t *iv = ivec;
if (STRICT_ALIGNMENT &&
@@ -155,6 +161,9 @@
}
memcpy(ivec, iv, 16);
} else {
+ /* |out| is less than two blocks behind |in|. Decrypting an input block
+ * directly to |out| would overwrite a ciphertext block before it is used as
+ * the next block's IV. Decrypt to a temporary block instead. */
if (STRICT_ALIGNMENT &&
((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
uint8_t c;
