crypto/modes/cts128.c

   1 /* ====================================================================
   2  * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
   3  *
   4  * Rights for redistribution and usage in source and binary
   5  * forms are granted according to the OpenSSL license.
   6  */
   7
   8 #include "modes_lcl.h"
   9 #include <string.h>
  10
  11 #ifndef MODES_DEBUG
  12 # ifndef NDEBUG
  13 #  define NDEBUG
  14 # endif
  15 #endif
  16 #include <assert.h>
  17
  18 /*
  19  * Trouble with Ciphertext Stealing, CTS, mode is that there is no
  20  * common official specification, but couple of cipher/application
  21  * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
  22  * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
  23  * deviates from mentioned RFCs. Most notably it allows input to be
  24  * of block length and it doesn't flip the order of the last two
  25  * blocks. CTS is being discussed even in ECB context, but it's not
  26  * adopted for any known application. This implementation provides
  27  * two interfaces: one compliant with above mentioned RFCs and one
  28  * compliant with the NIST proposal, both extending CBC mode.
  29  */
  30
  31 size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
  32                         size_t len, const void *key,
  33                         unsigned char ivec[16], block128_f block)
  34 {       size_t residue, n;
  35
  36         assert (in && out && key && ivec);
  37
  38         if (len <= 16) return 0;
  39
  40         if ((residue=len%16) == 0) residue = 16;
  41
  42         len -= residue;
  43
  44         CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
  45
  46         in  += len;
  47         out += len;
  48
  49         for (n=0; n<residue; ++n)
  50                 ivec[n] ^= in[n];
  51         (*block)(ivec,ivec,key);
  52         memcpy(out,out-16,residue);
  53         memcpy(out-16,ivec,16);
  54
  55         return len+residue;
  56 }
  57
  58 size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,
  59                         size_t len, const void *key,
  60                         unsigned char ivec[16], block128_f block)
  61 {       size_t residue, n;
  62
  63         assert (in && out && key && ivec);
  64
  65         if (len < 16) return 0;
  66
  67         residue=len%16;
  68
  69         len -= residue;
  70
  71         CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
  72
  73         if (residue==0) return len;
  74
  75         in  += len;
  76         out += len;
  77
  78         for (n=0; n<residue; ++n)
  79                 ivec[n] ^= in[n];
  80         (*block)(ivec,ivec,key);
  81         memcpy(out-16+residue,ivec,16);
  82
  83         return len+residue;
  84 }
  85
  86 size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
  87                         size_t len, const void *key,
  88                         unsigned char ivec[16], cbc128_f cbc)
  89 {       size_t residue;
  90         union { size_t align; unsigned char c[16]; } tmp;
  91
  92         assert (in && out && key && ivec);
  93
  94         if (len <= 16) return 0;
  95
  96         if ((residue=len%16) == 0) residue = 16;
  97
  98         len -= residue;
  99
 100         (*cbc)(in,out,len,key,ivec,1);
 101
 102         in  += len;
 103         out += len;
 104
 105 #if defined(CBC_HANDLES_TRUNCATED_IO)
 106         memcpy(tmp.c,out-16,16);
 107         (*cbc)(in,out-16,residue,key,ivec,1);
 108         memcpy(out,tmp.c,residue);
 109 #else
 110         {
 111         size_t n;
 112         for (n=0; n<16; n+=sizeof(size_t))
 113                 *(size_t *)(tmp.c+n) = 0;
 114         memcpy(tmp.c,in,residue);
 115         }
 116         memcpy(out,out-16,residue);
 117         (*cbc)(tmp.c,out-16,16,key,ivec,1);
 118 #endif
 119         return len+residue;
 120 }
 121
 122 size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
 123                         size_t len, const void *key,
 124                         unsigned char ivec[16], cbc128_f cbc)
 125 {       size_t residue;
 126         union { size_t align; unsigned char c[16]; } tmp;
 127
 128         assert (in && out && key && ivec);
 129
 130         if (len < 16) return 0;
 131
 132         residue=len%16;
 133
 134         len -= residue;
 135
 136         (*cbc)(in,out,len,key,ivec,1);
 137
 138         if (residue==0) return len;
 139
 140         in  += len;
 141         out += len;
 142
 143 #if defined(CBC_HANDLES_TRUNCATED_IO)
 144         (*cbc)(in,out-16+residue,residue,key,ivec,1);
 145 #else
 146         {
 147         size_t n;
 148         for (n=0; n<16; n+=sizeof(size_t))
 149                 *(size_t *)(tmp.c+n) = 0;
 150         memcpy(tmp.c,in,residue);
 151         }
 152         (*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
 153 #endif
 154         return len+residue;
 155 }
 156
 157 size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
 158                         size_t len, const void *key,
 159                         unsigned char ivec[16], block128_f block)
 160 {       size_t residue, n;
 161         union { size_t align; unsigned char c[32]; } tmp;
 162
 163         assert (in && out && key && ivec);
 164
 165         if (len<=16) return 0;
 166
 167         if ((residue=len%16) == 0) residue = 16;
 168
 169         len -= 16+residue;
 170
 171         if (len) {
 172                 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
 173                 in  += len;
 174                 out += len;
 175         }
 176
 177         (*block)(in,tmp.c+16,key);
 178
 179         for (n=0; n<16; n+=sizeof(size_t))
 180                 *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
 181         memcpy(tmp.c,in+16,residue);
 182         (*block)(tmp.c,tmp.c,key);
 183
 184         for(n=0; n<16; ++n) {
 185                 unsigned char c = in[n];
 186                 out[n] = tmp.c[n] ^ ivec[n];
 187                 ivec[n] = c;
 188         }
 189         for(residue+=16; n<residue; ++n)
 190                 out[n] = tmp.c[n] ^ in[n];
 191
 192         return 16+len+residue;
 193 }
 194
 195 size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,
 196                         size_t len, const void *key,
 197                         unsigned char ivec[16], block128_f block)
 198 {       size_t residue, n;
 199         union { size_t align; unsigned char c[32]; } tmp;
 200
 201         assert (in && out && key && ivec);
 202
 203         if (len<16) return 0;
 204
 205         residue=len%16;
 206
 207         if (residue==0) {
 208                 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
 209                 return len;
 210         }
 211
 212         len -= 16+residue;
 213
 214         if (len) {
 215                 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
 216                 in  += len;
 217                 out += len;
 218         }
 219
 220         (*block)(in+residue,tmp.c+16,key);
 221
 222         for (n=0; n<16; n+=sizeof(size_t))
 223                 *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
 224         memcpy(tmp.c,in,residue);
 225         (*block)(tmp.c,tmp.c,key);
 226
 227         for(n=0; n<16; ++n) {
 228                 unsigned char c = in[n];
 229                 out[n] = tmp.c[n] ^ ivec[n];
 230                 ivec[n] = in[n+residue];
 231                 tmp.c[n] = c;
 232         }
 233         for(residue+=16; n<residue; ++n)
 234                 out[n] = tmp.c[n] ^ tmp.c[n-16];
 235
 236         return 16+len+residue;
 237 }
 238
 239 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 240                         size_t len, const void *key,
 241                         unsigned char ivec[16], cbc128_f cbc)
 242 {       size_t residue, n;
 243         union { size_t align; unsigned char c[32]; } tmp;
 244
 245         assert (in && out && key && ivec);
 246
 247         if (len<=16) return 0;
 248
 249         if ((residue=len%16) == 0) residue = 16;
 250
 251         len -= 16+residue;
 252
 253         if (len) {
 254                 (*cbc)(in,out,len,key,ivec,0);
 255                 in  += len;
 256                 out += len;
 257         }
 258
 259         for (n=16; n<32; n+=sizeof(size_t))
 260                 *(size_t *)(tmp.c+n) = 0;
 261         /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 262         (*cbc)(in,tmp.c,16,key,tmp.c+16,0);
 263
 264         memcpy(tmp.c,in+16,residue);
 265 #if defined(CBC_HANDLES_TRUNCATED_IO)
 266         (*cbc)(tmp.c,out,16+residue,key,ivec,0);
 267 #else
 268         (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
 269         memcpy(out,tmp.c,16+residue);
 270 #endif
 271         return 16+len+residue;
 272 }
 273
 274 size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
 275                         size_t len, const void *key,
 276                         unsigned char ivec[16], cbc128_f cbc)
 277 {       size_t residue, n;
 278         union { size_t align; unsigned char c[32]; } tmp;
 279
 280         assert (in && out && key && ivec);
 281
 282         if (len<16) return 0;
 283
 284         residue=len%16;
 285
 286         if (residue==0) {
 287                 (*cbc)(in,out,len,key,ivec,0);
 288                 return len;
 289         }
 290
 291         len -= 16+residue;
 292
 293         if (len) {
 294                 (*cbc)(in,out,len,key,ivec,0);
 295                 in  += len;
 296                 out += len;
 297         }
 298
 299         for (n=16; n<32; n+=sizeof(size_t))
 300                 *(size_t *)(tmp.c+n) = 0;
 301         /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 302         (*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
 303
 304         memcpy(tmp.c,in,residue);
 305 #if defined(CBC_HANDLES_TRUNCATED_IO)
 306         (*cbc)(tmp.c,out,16+residue,key,ivec,0);
 307 #else
 308         (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
 309         memcpy(out,tmp.c,16+residue);
 310 #endif
 311         return 16+len+residue;
 312 }
 313
 314 #if defined(SELFTEST)
 315 #include <stdio.h>
 316 #include <openssl/aes.h>
 317
 318 /* test vectors from RFC 3962 */
 319 static const unsigned char test_key[16] = "chicken teriyaki";
 320 static const unsigned char test_input[64] =
 321                 "I would like the" " General Gau's C"
 322                 "hicken, please, " "and wonton soup.";
 323 static const unsigned char test_iv[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
 324
 325 static const unsigned char vector_17[17] =
 326 {0xc6,0x35,0x35,0x68,0xf2,0xbf,0x8c,0xb4, 0xd8,0xa5,0x80,0x36,0x2d,0xa7,0xff,0x7f,
 327  0x97};
 328 static const unsigned char vector_31[31] =
 329 {0xfc,0x00,0x78,0x3e,0x0e,0xfd,0xb2,0xc1, 0xd4,0x45,0xd4,0xc8,0xef,0xf7,0xed,0x22,
 330  0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5};
 331 static const unsigned char vector_32[32] =
 332 {0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
 333  0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84};
 334 static const unsigned char vector_47[47] =
 335 {0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
 336  0xb3,0xff,0xfd,0x94,0x0c,0x16,0xa1,0x8c, 0x1b,0x55,0x49,0xd2,0xf8,0x38,0x02,0x9e,
 337  0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5};
 338 static const unsigned char vector_48[48] =
 339 {0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
 340  0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0, 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8,
 341  0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8};
 342 static const unsigned char vector_64[64] =
 343 {0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
 344  0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
 345  0x48,0x07,0xef,0xe8,0x36,0xee,0x89,0xa5, 0x26,0x73,0x0d,0xbc,0x2f,0x7b,0xc8,0x40,
 346  0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0, 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8};
 347
 348 static AES_KEY encks, decks;
 349
 350 void test_vector(const unsigned char *vector,size_t len)
 351 {       unsigned char iv[sizeof(test_iv)];
 352         unsigned char cleartext[64],ciphertext[64];
 353         size_t tail;
 354
 355         printf("vector_%d\n",len); fflush(stdout);
 356
 357         if ((tail=len%16) == 0) tail = 16;
 358         tail += 16;
 359
 360         /* test block-based encryption */
 361         memcpy(iv,test_iv,sizeof(test_iv));
 362         CRYPTO_cts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
 363         if (memcmp(ciphertext,vector,len))
 364                 fprintf(stderr,"output_%d mismatch\n",len), exit(1);
 365         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 366                 fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
 367
 368         /* test block-based decryption */
 369         memcpy(iv,test_iv,sizeof(test_iv));
 370         CRYPTO_cts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
 371         if (memcmp(cleartext,test_input,len))
 372                 fprintf(stderr,"input_%d mismatch\n",len), exit(2);
 373         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 374                 fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
 375
 376         /* test streamed encryption */
 377         memcpy(iv,test_iv,sizeof(test_iv));
 378         CRYPTO_cts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
 379         if (memcmp(ciphertext,vector,len))
 380                 fprintf(stderr,"output_%d mismatch\n",len), exit(3);
 381         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 382                 fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
 383
 384         /* test streamed decryption */
 385         memcpy(iv,test_iv,sizeof(test_iv));
 386         CRYPTO_cts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
 387         if (memcmp(cleartext,test_input,len))
 388                 fprintf(stderr,"input_%d mismatch\n",len), exit(4);
 389         if (memcmp(iv,vector+len-tail,sizeof(iv)))
 390                 fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
 391 }
 392
 393 void test_nistvector(const unsigned char *vector,size_t len)
 394 {       unsigned char iv[sizeof(test_iv)];
 395         unsigned char cleartext[64],ciphertext[64],nistvector[64];
 396         size_t tail;
 397
 398         printf("nistvector_%d\n",len); fflush(stdout);
 399
 400         if ((tail=len%16) == 0) tail = 16;
 401
 402         len -= 16 + tail;
 403         memcpy(nistvector,vector,len);
 404         /* flip two last blocks */
 405         memcpy(nistvector+len,vector+len+16,tail);
 406         memcpy(nistvector+len+tail,vector+len,16);
 407         len += 16 + tail;
 408         tail = 16;
 409
 410         /* test block-based encryption */
 411         memcpy(iv,test_iv,sizeof(test_iv));
 412         CRYPTO_nistcts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
 413         if (memcmp(ciphertext,nistvector,len))
 414                 fprintf(stderr,"output_%d mismatch\n",len), exit(1);
 415         if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
 416                 fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
 417
 418         /* test block-based decryption */
 419         memcpy(iv,test_iv,sizeof(test_iv));
 420         CRYPTO_nistcts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
 421         if (memcmp(cleartext,test_input,len))
 422                 fprintf(stderr,"input_%d mismatch\n",len), exit(2);
 423         if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
 424                 fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
 425
 426         /* test streamed encryption */
 427         memcpy(iv,test_iv,sizeof(test_iv));
 428         CRYPTO_nistcts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
 429         if (memcmp(ciphertext,nistvector,len))
 430                 fprintf(stderr,"output_%d mismatch\n",len), exit(3);
 431         if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
 432                 fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
 433
 434         /* test streamed decryption */
 435         memcpy(iv,test_iv,sizeof(test_iv));
 436         CRYPTO_nistcts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
 437         if (memcmp(cleartext,test_input,len))
 438                 fprintf(stderr,"input_%d mismatch\n",len), exit(4);
 439         if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
 440                 fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
 441 }
 442
 443 int main()
 444 {
 445         AES_set_encrypt_key(test_key,128,&encks);
 446         AES_set_decrypt_key(test_key,128,&decks);
 447
 448         test_vector(vector_17,sizeof(vector_17));
 449         test_vector(vector_31,sizeof(vector_31));
 450         test_vector(vector_32,sizeof(vector_32));
 451         test_vector(vector_47,sizeof(vector_47));
 452         test_vector(vector_48,sizeof(vector_48));
 453         test_vector(vector_64,sizeof(vector_64));
 454
 455         test_nistvector(vector_17,sizeof(vector_17));
 456         test_nistvector(vector_31,sizeof(vector_31));
 457         test_nistvector(vector_32,sizeof(vector_32));
 458         test_nistvector(vector_47,sizeof(vector_47));
 459         test_nistvector(vector_48,sizeof(vector_48));
 460         test_nistvector(vector_64,sizeof(vector_64));
 461
 462         return 0;
 463 }
 464 #endif