544 lines
15 KiB
C
544 lines
15 KiB
C
/* ====================================================================
|
|
* Copyright (c) 2008 The OpenSSL Project. All rights reserved.
|
|
*
|
|
* Rights for redistribution and usage in source and binary
|
|
* forms are granted according to the OpenSSL license.
|
|
*/
|
|
|
|
#include <openssl/crypto.h>
|
|
#include "modes_lcl.h"
|
|
#include <string.h>
|
|
|
|
#ifndef MODES_DEBUG
|
|
# ifndef NDEBUG
|
|
# define NDEBUG
|
|
# endif
|
|
#endif
|
|
#include <assert.h>
|
|
|
|
/*
|
|
* Trouble with Ciphertext Stealing, CTS, mode is that there is no
|
|
* common official specification, but couple of cipher/application
|
|
* specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
|
|
* Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
|
|
* deviates from mentioned RFCs. Most notably it allows input to be
|
|
* of block length and it doesn't flip the order of the last two
|
|
* blocks. CTS is being discussed even in ECB context, but it's not
|
|
* adopted for any known application. This implementation provides
|
|
* two interfaces: one compliant with above mentioned RFCs and one
|
|
* compliant with the NIST proposal, both extending CBC mode.
|
|
*/
|
|
|
|
size_t CRYPTO_cts128_encrypt_block(const unsigned char *in,
|
|
unsigned char *out, size_t len,
|
|
const void *key, unsigned char ivec[16],
|
|
block128_f block)
|
|
{
|
|
size_t residue, n;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len <= 16)
|
|
return 0;
|
|
|
|
if ((residue = len % 16) == 0)
|
|
residue = 16;
|
|
|
|
len -= residue;
|
|
|
|
CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
|
|
|
|
in += len;
|
|
out += len;
|
|
|
|
for (n = 0; n < residue; ++n)
|
|
ivec[n] ^= in[n];
|
|
(*block) (ivec, ivec, key);
|
|
memcpy(out, out - 16, residue);
|
|
memcpy(out - 16, ivec, 16);
|
|
|
|
return len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in,
|
|
unsigned char *out, size_t len,
|
|
const void *key,
|
|
unsigned char ivec[16],
|
|
block128_f block)
|
|
{
|
|
size_t residue, n;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len < 16)
|
|
return 0;
|
|
|
|
residue = len % 16;
|
|
|
|
len -= residue;
|
|
|
|
CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
|
|
|
|
if (residue == 0)
|
|
return len;
|
|
|
|
in += len;
|
|
out += len;
|
|
|
|
for (n = 0; n < residue; ++n)
|
|
ivec[n] ^= in[n];
|
|
(*block) (ivec, ivec, key);
|
|
memcpy(out - 16 + residue, ivec, 16);
|
|
|
|
return len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
|
|
size_t len, const void *key,
|
|
unsigned char ivec[16], cbc128_f cbc)
|
|
{
|
|
size_t residue;
|
|
union {
|
|
size_t align;
|
|
unsigned char c[16];
|
|
} tmp;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len <= 16)
|
|
return 0;
|
|
|
|
if ((residue = len % 16) == 0)
|
|
residue = 16;
|
|
|
|
len -= residue;
|
|
|
|
(*cbc) (in, out, len, key, ivec, 1);
|
|
|
|
in += len;
|
|
out += len;
|
|
|
|
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
memcpy(tmp.c, out - 16, 16);
|
|
(*cbc) (in, out - 16, residue, key, ivec, 1);
|
|
memcpy(out, tmp.c, residue);
|
|
#else
|
|
memset(tmp.c, 0, sizeof(tmp));
|
|
memcpy(tmp.c, in, residue);
|
|
memcpy(out, out - 16, residue);
|
|
(*cbc) (tmp.c, out - 16, 16, key, ivec, 1);
|
|
#endif
|
|
return len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
|
|
size_t len, const void *key,
|
|
unsigned char ivec[16], cbc128_f cbc)
|
|
{
|
|
size_t residue;
|
|
union {
|
|
size_t align;
|
|
unsigned char c[16];
|
|
} tmp;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len < 16)
|
|
return 0;
|
|
|
|
residue = len % 16;
|
|
|
|
len -= residue;
|
|
|
|
(*cbc) (in, out, len, key, ivec, 1);
|
|
|
|
if (residue == 0)
|
|
return len;
|
|
|
|
in += len;
|
|
out += len;
|
|
|
|
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
(*cbc) (in, out - 16 + residue, residue, key, ivec, 1);
|
|
#else
|
|
memset(tmp.c, 0, sizeof(tmp));
|
|
memcpy(tmp.c, in, residue);
|
|
(*cbc) (tmp.c, out - 16 + residue, 16, key, ivec, 1);
|
|
#endif
|
|
return len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_cts128_decrypt_block(const unsigned char *in,
|
|
unsigned char *out, size_t len,
|
|
const void *key, unsigned char ivec[16],
|
|
block128_f block)
|
|
{
|
|
size_t residue, n;
|
|
union {
|
|
size_t align;
|
|
unsigned char c[32];
|
|
} tmp;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len <= 16)
|
|
return 0;
|
|
|
|
if ((residue = len % 16) == 0)
|
|
residue = 16;
|
|
|
|
len -= 16 + residue;
|
|
|
|
if (len) {
|
|
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
|
|
in += len;
|
|
out += len;
|
|
}
|
|
|
|
(*block) (in, tmp.c + 16, key);
|
|
|
|
memcpy(tmp.c, tmp.c + 16, 16);
|
|
memcpy(tmp.c, in + 16, residue);
|
|
(*block) (tmp.c, tmp.c, key);
|
|
|
|
for (n = 0; n < 16; ++n) {
|
|
unsigned char c = in[n];
|
|
out[n] = tmp.c[n] ^ ivec[n];
|
|
ivec[n] = c;
|
|
}
|
|
for (residue += 16; n < residue; ++n)
|
|
out[n] = tmp.c[n] ^ in[n];
|
|
|
|
return 16 + len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in,
|
|
unsigned char *out, size_t len,
|
|
const void *key,
|
|
unsigned char ivec[16],
|
|
block128_f block)
|
|
{
|
|
size_t residue, n;
|
|
union {
|
|
size_t align;
|
|
unsigned char c[32];
|
|
} tmp;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len < 16)
|
|
return 0;
|
|
|
|
residue = len % 16;
|
|
|
|
if (residue == 0) {
|
|
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
|
|
return len;
|
|
}
|
|
|
|
len -= 16 + residue;
|
|
|
|
if (len) {
|
|
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
|
|
in += len;
|
|
out += len;
|
|
}
|
|
|
|
(*block) (in + residue, tmp.c + 16, key);
|
|
|
|
memcpy(tmp.c, tmp.c + 16, 16);
|
|
memcpy(tmp.c, in, residue);
|
|
(*block) (tmp.c, tmp.c, key);
|
|
|
|
for (n = 0; n < 16; ++n) {
|
|
unsigned char c = in[n];
|
|
out[n] = tmp.c[n] ^ ivec[n];
|
|
ivec[n] = in[n + residue];
|
|
tmp.c[n] = c;
|
|
}
|
|
for (residue += 16; n < residue; ++n)
|
|
out[n] = tmp.c[n] ^ tmp.c[n - 16];
|
|
|
|
return 16 + len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
|
|
size_t len, const void *key,
|
|
unsigned char ivec[16], cbc128_f cbc)
|
|
{
|
|
size_t residue;
|
|
union {
|
|
size_t align;
|
|
unsigned char c[32];
|
|
} tmp;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len <= 16)
|
|
return 0;
|
|
|
|
if ((residue = len % 16) == 0)
|
|
residue = 16;
|
|
|
|
len -= 16 + residue;
|
|
|
|
if (len) {
|
|
(*cbc) (in, out, len, key, ivec, 0);
|
|
in += len;
|
|
out += len;
|
|
}
|
|
|
|
memset(tmp.c, 0, sizeof(tmp));
|
|
/*
|
|
* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
|
|
*/
|
|
(*cbc) (in, tmp.c, 16, key, tmp.c + 16, 0);
|
|
|
|
memcpy(tmp.c, in + 16, residue);
|
|
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
(*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
|
|
#else
|
|
(*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
|
|
memcpy(out, tmp.c, 16 + residue);
|
|
#endif
|
|
return 16 + len + residue;
|
|
}
|
|
|
|
size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
|
|
size_t len, const void *key,
|
|
unsigned char ivec[16], cbc128_f cbc)
|
|
{
|
|
size_t residue;
|
|
union {
|
|
size_t align;
|
|
unsigned char c[32];
|
|
} tmp;
|
|
|
|
assert(in && out && key && ivec);
|
|
|
|
if (len < 16)
|
|
return 0;
|
|
|
|
residue = len % 16;
|
|
|
|
if (residue == 0) {
|
|
(*cbc) (in, out, len, key, ivec, 0);
|
|
return len;
|
|
}
|
|
|
|
len -= 16 + residue;
|
|
|
|
if (len) {
|
|
(*cbc) (in, out, len, key, ivec, 0);
|
|
in += len;
|
|
out += len;
|
|
}
|
|
|
|
memset(tmp.c, 0, sizeof(tmp));
|
|
/*
|
|
* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
|
|
*/
|
|
(*cbc) (in + residue, tmp.c, 16, key, tmp.c + 16, 0);
|
|
|
|
memcpy(tmp.c, in, residue);
|
|
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
(*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
|
|
#else
|
|
(*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
|
|
memcpy(out, tmp.c, 16 + residue);
|
|
#endif
|
|
return 16 + len + residue;
|
|
}
|
|
|
|
#if defined(SELFTEST)
|
|
# include <stdio.h>
|
|
# include <openssl/aes.h>
|
|
|
|
/* test vectors from RFC 3962 */
|
|
static const unsigned char test_key[16] = "chicken teriyaki";
|
|
static const unsigned char test_input[64] =
|
|
"I would like the" " General Gau's C"
|
|
"hicken, please, " "and wonton soup.";
|
|
static const unsigned char test_iv[16] =
|
|
{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
|
|
|
|
static const unsigned char vector_17[17] = {
|
|
0xc6, 0x35, 0x35, 0x68, 0xf2, 0xbf, 0x8c, 0xb4,
|
|
0xd8, 0xa5, 0x80, 0x36, 0x2d, 0xa7, 0xff, 0x7f,
|
|
0x97
|
|
};
|
|
|
|
static const unsigned char vector_31[31] = {
|
|
0xfc, 0x00, 0x78, 0x3e, 0x0e, 0xfd, 0xb2, 0xc1,
|
|
0xd4, 0x45, 0xd4, 0xc8, 0xef, 0xf7, 0xed, 0x22,
|
|
0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0,
|
|
0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5
|
|
};
|
|
|
|
static const unsigned char vector_32[32] = {
|
|
0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5,
|
|
0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5, 0xa8,
|
|
0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0,
|
|
0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84
|
|
};
|
|
|
|
static const unsigned char vector_47[47] = {
|
|
0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0,
|
|
0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84,
|
|
0xb3, 0xff, 0xfd, 0x94, 0x0c, 0x16, 0xa1, 0x8c,
|
|
0x1b, 0x55, 0x49, 0xd2, 0xf8, 0x38, 0x02, 0x9e,
|
|
0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5,
|
|
0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5
|
|
};
|
|
|
|
static const unsigned char vector_48[48] = {
|
|
0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0,
|
|
0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84,
|
|
0x9d, 0xad, 0x8b, 0xbb, 0x96, 0xc4, 0xcd, 0xc0,
|
|
0x3b, 0xc1, 0x03, 0xe1, 0xa1, 0x94, 0xbb, 0xd8,
|
|
0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5,
|
|
0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5, 0xa8
|
|
};
|
|
|
|
static const unsigned char vector_64[64] = {
|
|
0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0,
|
|
0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84,
|
|
0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5,
|
|
0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5, 0xa8,
|
|
0x48, 0x07, 0xef, 0xe8, 0x36, 0xee, 0x89, 0xa5,
|
|
0x26, 0x73, 0x0d, 0xbc, 0x2f, 0x7b, 0xc8, 0x40,
|
|
0x9d, 0xad, 0x8b, 0xbb, 0x96, 0xc4, 0xcd, 0xc0,
|
|
0x3b, 0xc1, 0x03, 0xe1, 0xa1, 0x94, 0xbb, 0xd8
|
|
};
|
|
|
|
static AES_KEY encks, decks;
|
|
|
|
void test_vector(const unsigned char *vector, size_t len)
|
|
{
|
|
unsigned char iv[sizeof(test_iv)];
|
|
unsigned char cleartext[64], ciphertext[64];
|
|
size_t tail;
|
|
|
|
printf("vector_%d\n", len);
|
|
fflush(stdout);
|
|
|
|
if ((tail = len % 16) == 0)
|
|
tail = 16;
|
|
tail += 16;
|
|
|
|
/* test block-based encryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_cts128_encrypt_block(test_input, ciphertext, len, &encks, iv,
|
|
(block128_f) AES_encrypt);
|
|
if (memcmp(ciphertext, vector, len))
|
|
fprintf(stderr, "output_%d mismatch\n", len), exit(1);
|
|
if (memcmp(iv, vector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(1);
|
|
|
|
/* test block-based decryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_cts128_decrypt_block(ciphertext, cleartext, len, &decks, iv,
|
|
(block128_f) AES_decrypt);
|
|
if (memcmp(cleartext, test_input, len))
|
|
fprintf(stderr, "input_%d mismatch\n", len), exit(2);
|
|
if (memcmp(iv, vector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(2);
|
|
|
|
/* test streamed encryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_cts128_encrypt(test_input, ciphertext, len, &encks, iv,
|
|
(cbc128_f) AES_cbc_encrypt);
|
|
if (memcmp(ciphertext, vector, len))
|
|
fprintf(stderr, "output_%d mismatch\n", len), exit(3);
|
|
if (memcmp(iv, vector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(3);
|
|
|
|
/* test streamed decryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_cts128_decrypt(ciphertext, cleartext, len, &decks, iv,
|
|
(cbc128_f) AES_cbc_encrypt);
|
|
if (memcmp(cleartext, test_input, len))
|
|
fprintf(stderr, "input_%d mismatch\n", len), exit(4);
|
|
if (memcmp(iv, vector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(4);
|
|
}
|
|
|
|
void test_nistvector(const unsigned char *vector, size_t len)
|
|
{
|
|
unsigned char iv[sizeof(test_iv)];
|
|
unsigned char cleartext[64], ciphertext[64], nistvector[64];
|
|
size_t tail;
|
|
|
|
printf("nistvector_%d\n", len);
|
|
fflush(stdout);
|
|
|
|
if ((tail = len % 16) == 0)
|
|
tail = 16;
|
|
|
|
len -= 16 + tail;
|
|
memcpy(nistvector, vector, len);
|
|
/* flip two last blocks */
|
|
memcpy(nistvector + len, vector + len + 16, tail);
|
|
memcpy(nistvector + len + tail, vector + len, 16);
|
|
len += 16 + tail;
|
|
tail = 16;
|
|
|
|
/* test block-based encryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_nistcts128_encrypt_block(test_input, ciphertext, len, &encks, iv,
|
|
(block128_f) AES_encrypt);
|
|
if (memcmp(ciphertext, nistvector, len))
|
|
fprintf(stderr, "output_%d mismatch\n", len), exit(1);
|
|
if (memcmp(iv, nistvector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(1);
|
|
|
|
/* test block-based decryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_nistcts128_decrypt_block(ciphertext, cleartext, len, &decks, iv,
|
|
(block128_f) AES_decrypt);
|
|
if (memcmp(cleartext, test_input, len))
|
|
fprintf(stderr, "input_%d mismatch\n", len), exit(2);
|
|
if (memcmp(iv, nistvector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(2);
|
|
|
|
/* test streamed encryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_nistcts128_encrypt(test_input, ciphertext, len, &encks, iv,
|
|
(cbc128_f) AES_cbc_encrypt);
|
|
if (memcmp(ciphertext, nistvector, len))
|
|
fprintf(stderr, "output_%d mismatch\n", len), exit(3);
|
|
if (memcmp(iv, nistvector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(3);
|
|
|
|
/* test streamed decryption */
|
|
memcpy(iv, test_iv, sizeof(test_iv));
|
|
CRYPTO_nistcts128_decrypt(ciphertext, cleartext, len, &decks, iv,
|
|
(cbc128_f) AES_cbc_encrypt);
|
|
if (memcmp(cleartext, test_input, len))
|
|
fprintf(stderr, "input_%d mismatch\n", len), exit(4);
|
|
if (memcmp(iv, nistvector + len - tail, sizeof(iv)))
|
|
fprintf(stderr, "iv_%d mismatch\n", len), exit(4);
|
|
}
|
|
|
|
int main()
|
|
{
|
|
AES_set_encrypt_key(test_key, 128, &encks);
|
|
AES_set_decrypt_key(test_key, 128, &decks);
|
|
|
|
test_vector(vector_17, sizeof(vector_17));
|
|
test_vector(vector_31, sizeof(vector_31));
|
|
test_vector(vector_32, sizeof(vector_32));
|
|
test_vector(vector_47, sizeof(vector_47));
|
|
test_vector(vector_48, sizeof(vector_48));
|
|
test_vector(vector_64, sizeof(vector_64));
|
|
|
|
test_nistvector(vector_17, sizeof(vector_17));
|
|
test_nistvector(vector_31, sizeof(vector_31));
|
|
test_nistvector(vector_32, sizeof(vector_32));
|
|
test_nistvector(vector_47, sizeof(vector_47));
|
|
test_nistvector(vector_48, sizeof(vector_48));
|
|
test_nistvector(vector_64, sizeof(vector_64));
|
|
|
|
return 0;
|
|
}
|
|
#endif
|