crypto/modes/cts128.c

   1 /* ====================================================================
   2  * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
   3  *
   4  * Rights for redistribution and usage in source and binary
   5  * forms are granted according to the OpenSSL license.
   6  */
   7
   8 #include "modes.h"
   9 #include <string.h>
  10
  11 #ifndef MODES_DEBUG
  12 # ifndef NDEBUG
  13 #  define NDEBUG
  14 # endif
  15 #endif
  16 #include <assert.h>
  17
  18 /*
  19  * Trouble with Ciphertext Stealing, CTS, mode is that there is no
  20  * common official specification, but couple of cipher/application
  21  * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
  22  * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
  23  * deviates from mentioned RFCs. Most notably it allows input to be
  24  * of block length and it doesn't flip the order of the last two
  25  * blocks. CTS is being discussed even in ECB context, but it's not
  26  * adopted for any known application. This implementation complies
  27  * with mentioned RFCs and [as such] extends CBC mode.
  28  */
  29
  30 size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
  31                         size_t len, const void *key,
  32                         unsigned char ivec[16], block128_f block)
  33 {       size_t residue, n;
  34
  35         assert (in && out && key && ivec);
  36
  37         if (len <= 16) return 0;
  38
  39         if ((residue=len%16) == 0) residue = 16;
  40
  41         len -= residue;
  42
  43         CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
  44
  45         in  += len;
  46         out += len;
  47
  48         for (n=0; n<residue; ++n)
  49                 ivec[n] ^= in[n];
  50         (*block)(ivec,ivec,key);
  51         memcpy(out,out-16,residue);
  52         memcpy(out-16,ivec,16);
  53
  54         return len+residue;
  55 }
  56
  57 size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
  58                         size_t len, const void *key,
  59                         unsigned char ivec[16], cbc128_f cbc)
  60 {       size_t residue;
  61         union { size_t align; unsigned char c[16]; } tmp;
  62
  63         assert (in && out && key && ivec);
  64
  65         if (len <= 16) return 0;
  66
  67         if ((residue=len%16) == 0) residue = 16;
  68
  69         len -= residue;
  70
  71         (*cbc)(in,out,len,key,ivec,1);
  72
  73         in  += len;
  74         out += len;
  75
  76 #if defined(CBC_HANDLES_TRUNCATED_IO)
  77         memcpy(tmp.c,out-16,16);
  78         (*cbc)(in,out-16,residue,key,ivec,1);
  79         memcpy(out,tmp.c,residue);
  80 #else
  81         memset(tmp.c,0,sizeof(tmp));
  82         memcpy(tmp.c,in,residue);
  83         memcpy(out,out-16,residue);
  84         (*cbc)(tmp.c,out-16,16,key,ivec,1);
  85 #endif
  86         return len+residue;
  87 }
  88
  89 size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
  90                         size_t len, const void *key,
  91                         unsigned char ivec[16], block128_f block)
  92 {       size_t residue, n;
  93         union { size_t align; unsigned char c[32]; } tmp;
  94
  95         assert (in && out && key && ivec);
  96
  97         if (len<=16) return 0;
  98
  99         if ((residue=len%16) == 0) residue = 16;
 100
 101         len -= 16+residue;
 102
 103         if (len) {
 104                 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
 105                 in  += len;
 106                 out += len;
 107         }
 108
 109         (*block)(in,tmp.c+16,key);
 110
 111         memcpy(tmp.c,tmp.c+16,16);
 112         memcpy(tmp.c,in+16,residue);
 113         (*block)(tmp.c,tmp.c,key);
 114
 115         for(n=0; n<16; ++n) {
 116                 unsigned char c = in[n];
 117                 out[n] = tmp.c[n] ^ ivec[n];
 118                 ivec[n] = c;
 119         }
 120         for(residue+=16; n<residue; ++n)
 121                 out[n] = tmp.c[n] ^ in[n];
 122
 123         return len+residue-16;
 124 }
 125
 126 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 127                         size_t len, const void *key,
 128                         unsigned char ivec[16], cbc128_f cbc)
 129 {       size_t residue;
 130         union { size_t align; unsigned char c[32]; } tmp;
 131
 132         assert (in && out && key && ivec);
 133
 134         if (len<=16) return 0;
 135
 136         if ((residue=len%16) == 0) residue = 16;
 137
 138         len -= 16+residue;
 139
 140         if (len) {
 141                 (*cbc)(in,out,len,key,ivec,0);
 142                 in  += len;
 143                 out += len;
 144         }
 145
 146         memset(tmp.c,0,sizeof(tmp));
 147         /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 148         (*cbc)(in,tmp.c,16,key,tmp.c+16,0);
 149
 150         memcpy(tmp.c,in+16,residue);
 151 #if defined(CBC_HANDLES_TRUNCATED_IO)
 152         (*cbc)(tmp.c,out,16+residue,key,ivec,0);
 153 #else
 154         (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
 155         memcpy(out,tmp.c,16+residue);
 156 #endif
 157         return len+residue;
 158 }
 159
 160 #if defined(SELFTEST)
 161 #include <stdio.h>
 162 #include <openssl/aes.h>
 163
 164 /* test vectors from RFC 3962 */
 165 static const unsigned char test_key[16] = "chicken teriyaki";
 166 static const unsigned char test_input[64] =
 167                 "I would like the" " General Gau's C"
 168                 "hicken, please, " "and wonton soup.";
 169 static const unsigned char test_iv[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
 170
 171 static const unsigned char vector_17[17] =
 172 {0xc6,0x35,0x35,0x68,0xf2,0xbf,0x8c,0xb4, 0xd8,0xa5,0x80,0x36,0x2d,0xa7,0xff,0x7f,
 173  0x97};
 174 static const unsigned char vector_31[31] =
 175 {0xfc,0x00,0x78,0x3e,0x0e,0xfd,0xb2,0xc1, 0xd4,0x45,0xd4,0xc8,0xef,0xf7,0xed,0x22,
 176  0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5};
 177 static const unsigned char vector_32[32] =
 178 {0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
 179  0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84};
 180 static const unsigned char vector_47[47] =
 181 {0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
 182  0xb3,0xff,0xfd,0x94,0x0c,0x16,0xa1,0x8c, 0x1b,0x55,0x49,0xd2,0xf8,0x38,0x02,0x9e,
 183  0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5};
 184 static const unsigned char vector_48[48] =
 185 {0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
 186  0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0, 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8,
 187  0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8};
 188 static const unsigned char vector_64[64] =
 189 {0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
 190  0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
 191  0x48,0x07,0xef,0xe8,0x36,0xee,0x89,0xa5, 0x26,0x73,0x0d,0xbc,0x2f,0x7b,0xc8,0x40,
 192  0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0, 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8};
 193
 194 static AES_KEY encks, decks;
 195
 196 void test_vector(const unsigned char *vector,size_t len)
 197 {       unsigned char cleartext[64];
 198         unsigned char iv[sizeof(test_iv)];
 199         unsigned char ciphertext[64];
 200         size_t tail;
 201
 202         printf("vector_%d\n",len); fflush(stdout);
 203
 204         if ((tail=len%16) == 0) tail = 16;
 205         tail += 16;
 206
 207         /* test block-based encryption */
 208         memcpy(iv,test_iv,sizeof(test_iv));
 209         CRYPTO_cts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
 210         if (memcmp(ciphertext,vector,len))
 211                 fprintf(stderr,"output_%d mismatch\n",len), exit(1);
 212         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 213                 fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
 214
 215         /* test block-based decryption */
 216         memcpy(iv,test_iv,sizeof(test_iv));
 217         CRYPTO_cts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
 218         if (memcmp(cleartext,test_input,len))
 219                 fprintf(stderr,"input_%d mismatch\n",len), exit(2);
 220         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 221                 fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
 222
 223         /* test streamed encryption */
 224         memcpy(iv,test_iv,sizeof(test_iv));
 225         CRYPTO_cts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
 226         if (memcmp(ciphertext,vector,len))
 227                 fprintf(stderr,"output_%d mismatch\n",len), exit(3);
 228         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 229                 fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
 230
 231         /* test streamed decryption */
 232         memcpy(iv,test_iv,sizeof(test_iv));
 233         CRYPTO_cts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
 234         if (memcmp(cleartext,test_input,len))
 235                 fprintf(stderr,"input_%d mismatch\n",len), exit(4);
 236         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 237                 fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
 238 }
 239
 240 main()
 241 {
 242         AES_set_encrypt_key(test_key,128,&encks);
 243         AES_set_decrypt_key(test_key,128,&decks);
 244
 245         test_vector(vector_17,sizeof(vector_17));
 246         test_vector(vector_31,sizeof(vector_31));
 247         test_vector(vector_32,sizeof(vector_32));
 248         test_vector(vector_47,sizeof(vector_47));
 249         test_vector(vector_48,sizeof(vector_48));
 250         test_vector(vector_64,sizeof(vector_64));
 251         exit(0);
 252 }
 253 #endif