123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378 |
- /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
- /*
- * Helper functions for 128 bit CBC CTS ciphers (Currently AES and Camellia).
- *
- * The function dispatch tables are embedded into cipher_aes.c
- * and cipher_camellia.c using cipher_aes_cts.inc and cipher_camellia_cts.inc
- */
- /*
- * Refer to SP800-38A-Addendum
- *
- * Ciphertext stealing encrypts plaintext using a block cipher, without padding
- * the message to a multiple of the block size, so the ciphertext is the same
- * size as the plaintext.
- * It does this by altering processing of the last two blocks of the message.
- * The processing of all but the last two blocks is unchanged, but a portion of
- * the second-last block's ciphertext is "stolen" to pad the last plaintext
- * block. The padded final block is then encrypted as usual.
- * The final ciphertext for the last two blocks, consists of the partial block
- * (with the "stolen" portion omitted) plus the full final block,
- * which are the same size as the original plaintext.
- * Decryption requires decrypting the final block first, then restoring the
- * stolen ciphertext to the partial block, which can then be decrypted as usual.
- * AES_CBC_CTS has 3 variants:
- * (1) CS1 The NIST variant.
- * If the length is a multiple of the blocksize it is the same as CBC mode.
- * otherwise it produces C1||C2||(C(n-1))*||Cn.
- * Where C(n-1)* is a partial block.
- * (2) CS2
- * If the length is a multiple of the blocksize it is the same as CBC mode.
- * otherwise it produces C1||C2||Cn||(C(n-1))*.
- * Where C(n-1)* is a partial block.
- * (3) CS3 The Kerberos5 variant.
- * Produces C1||C2||Cn||(C(n-1))* regardless of the length.
- * If the length is a multiple of the blocksize it looks similar to CBC mode
- * with the last 2 blocks swapped.
- * Otherwise it is the same as CS2.
- */
- #include <openssl/core_names.h>
- #include "prov/ciphercommon.h"
- #include "internal/nelem.h"
- #include "cipher_cts.h"
- /* The value assigned to 0 is the default */
- #define CTS_CS1 0
- #define CTS_CS2 1
- #define CTS_CS3 2
- #define CTS_BLOCK_SIZE 16
- typedef union {
- size_t align;
- unsigned char c[CTS_BLOCK_SIZE];
- } aligned_16bytes;
- typedef struct cts_mode_name2id_st {
- unsigned int id;
- const char *name;
- } CTS_MODE_NAME2ID;
- static CTS_MODE_NAME2ID cts_modes[] =
- {
- { CTS_CS1, OSSL_CIPHER_CTS_MODE_CS1 },
- { CTS_CS2, OSSL_CIPHER_CTS_MODE_CS2 },
- { CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 },
- };
- const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id)
- {
- size_t i;
- for (i = 0; i < OSSL_NELEM(cts_modes); ++i) {
- if (cts_modes[i].id == id)
- return cts_modes[i].name;
- }
- return NULL;
- }
- int ossl_cipher_cbc_cts_mode_name2id(const char *name)
- {
- size_t i;
- for (i = 0; i < OSSL_NELEM(cts_modes); ++i) {
- if (OPENSSL_strcasecmp(name, cts_modes[i].name) == 0)
- return (int)cts_modes[i].id;
- }
- return -1;
- }
- static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len)
- {
- aligned_16bytes tmp_in;
- size_t residue;
- residue = len % CTS_BLOCK_SIZE;
- len -= residue;
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- if (residue == 0)
- return len;
- in += len;
- out += len;
- memset(tmp_in.c, 0, sizeof(tmp_in));
- memcpy(tmp_in.c, in, residue);
- if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE + residue, tmp_in.c,
- CTS_BLOCK_SIZE))
- return 0;
- return len + residue;
- }
- static void do_xor(const unsigned char *in1, const unsigned char *in2,
- size_t len, unsigned char *out)
- {
- size_t i;
- for (i = 0; i < len; ++i)
- out[i] = in1[i] ^ in2[i];
- }
- static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len)
- {
- aligned_16bytes mid_iv, ct_mid, cn, pt_last;
- size_t residue;
- residue = len % CTS_BLOCK_SIZE;
- if (residue == 0) {
- /* If there are no partial blocks then it is the same as CBC mode */
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- return len;
- }
- /* Process blocks at the start - but leave the last 2 blocks */
- len -= CTS_BLOCK_SIZE + residue;
- if (len > 0) {
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- in += len;
- out += len;
- }
- /* Save the iv that will be used by the second last block */
- memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
- /* Save the C(n) block */
- memcpy(cn.c, in + residue, CTS_BLOCK_SIZE);
- /* Decrypt the last block first using an iv of zero */
- memset(ctx->iv, 0, CTS_BLOCK_SIZE);
- if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, CTS_BLOCK_SIZE))
- return 0;
- /*
- * Rebuild the ciphertext of the second last block as a combination of
- * the decrypted last block + replace the start with the ciphertext bytes
- * of the partial second last block.
- */
- memcpy(ct_mid.c, in, residue);
- memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
- /*
- * Restore the last partial ciphertext block.
- * Now that we have the cipher text of the second last block, apply
- * that to the partial plaintext end block. We have already decrypted the
- * block using an IV of zero. For decryption the IV is just XORed after
- * doing an Cipher CBC block - so just XOR in the cipher text.
- */
- do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
- /* Restore the iv needed by the second last block */
- memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
- /*
- * Decrypt the second last plaintext block now that we have rebuilt the
- * ciphertext.
- */
- if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
- return 0;
- /* The returned iv is the C(n) block */
- memcpy(ctx->iv, cn.c, CTS_BLOCK_SIZE);
- return len + CTS_BLOCK_SIZE + residue;
- }
- static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len)
- {
- aligned_16bytes tmp_in;
- size_t residue;
- if (len < CTS_BLOCK_SIZE) /* CS3 requires at least one block */
- return 0;
- /* If we only have one block then just process the aligned block */
- if (len == CTS_BLOCK_SIZE)
- return ctx->hw->cipher(ctx, out, in, len) ? len : 0;
- residue = len % CTS_BLOCK_SIZE;
- if (residue == 0)
- residue = CTS_BLOCK_SIZE;
- len -= residue;
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- in += len;
- out += len;
- memset(tmp_in.c, 0, sizeof(tmp_in));
- memcpy(tmp_in.c, in, residue);
- memcpy(out, out - CTS_BLOCK_SIZE, residue);
- if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE, tmp_in.c, CTS_BLOCK_SIZE))
- return 0;
- return len + residue;
- }
- /*
- * Note:
- * The cipher text (in) is of the form C(0), C(1), ., C(n), C(n-1)* where
- * C(n) is a full block and C(n-1)* can be a partial block
- * (but could be a full block).
- * This means that the output plaintext (out) needs to swap the plaintext of
- * the last two decoded ciphertext blocks.
- */
- static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len)
- {
- aligned_16bytes mid_iv, ct_mid, cn, pt_last;
- size_t residue;
- if (len < CTS_BLOCK_SIZE) /* CS3 requires at least one block */
- return 0;
- /* If we only have one block then just process the aligned block */
- if (len == CTS_BLOCK_SIZE)
- return ctx->hw->cipher(ctx, out, in, len) ? len : 0;
- /* Process blocks at the start - but leave the last 2 blocks */
- residue = len % CTS_BLOCK_SIZE;
- if (residue == 0)
- residue = CTS_BLOCK_SIZE;
- len -= CTS_BLOCK_SIZE + residue;
- if (len > 0) {
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- in += len;
- out += len;
- }
- /* Save the iv that will be used by the second last block */
- memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
- /* Save the C(n) block : For CS3 it is C(1)||...||C(n-2)||C(n)||C(n-1)* */
- memcpy(cn.c, in, CTS_BLOCK_SIZE);
- /* Decrypt the C(n) block first using an iv of zero */
- memset(ctx->iv, 0, CTS_BLOCK_SIZE);
- if (!ctx->hw->cipher(ctx, pt_last.c, in, CTS_BLOCK_SIZE))
- return 0;
- /*
- * Rebuild the ciphertext of C(n-1) as a combination of
- * the decrypted C(n) block + replace the start with the ciphertext bytes
- * of the partial last block.
- */
- memcpy(ct_mid.c, in + CTS_BLOCK_SIZE, residue);
- if (residue != CTS_BLOCK_SIZE)
- memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
- /*
- * Restore the last partial ciphertext block.
- * Now that we have the cipher text of the second last block, apply
- * that to the partial plaintext end block. We have already decrypted the
- * block using an IV of zero. For decryption the IV is just XORed after
- * doing an AES block - so just XOR in the ciphertext.
- */
- do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
- /* Restore the iv needed by the second last block */
- memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
- /*
- * Decrypt the second last plaintext block now that we have rebuilt the
- * ciphertext.
- */
- if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
- return 0;
- /* The returned iv is the C(n) block */
- memcpy(ctx->iv, cn.c, CTS_BLOCK_SIZE);
- return len + CTS_BLOCK_SIZE + residue;
- }
- static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len)
- {
- if (len % CTS_BLOCK_SIZE == 0) {
- /* If there are no partial blocks then it is the same as CBC mode */
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- return len;
- }
- /* For partial blocks CS2 is equivalent to CS3 */
- return cts128_cs3_encrypt(ctx, in, out, len);
- }
- static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out, size_t len)
- {
- if (len % CTS_BLOCK_SIZE == 0) {
- /* If there are no partial blocks then it is the same as CBC mode */
- if (!ctx->hw->cipher(ctx, out, in, len))
- return 0;
- return len;
- }
- /* For partial blocks CS2 is equivalent to CS3 */
- return cts128_cs3_decrypt(ctx, in, out, len);
- }
- int ossl_cipher_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize, const unsigned char *in,
- size_t inl)
- {
- PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
- size_t sz = 0;
- if (inl < CTS_BLOCK_SIZE) /* There must be at least one block for CTS mode */
- return 0;
- if (outsize < inl)
- return 0;
- if (out == NULL) {
- *outl = inl;
- return 1;
- }
- /*
- * Return an error if the update is called multiple times, only one shot
- * is supported.
- */
- if (ctx->updated == 1)
- return 0;
- if (ctx->enc) {
- if (ctx->cts_mode == CTS_CS1)
- sz = cts128_cs1_encrypt(ctx, in, out, inl);
- else if (ctx->cts_mode == CTS_CS2)
- sz = cts128_cs2_encrypt(ctx, in, out, inl);
- else if (ctx->cts_mode == CTS_CS3)
- sz = cts128_cs3_encrypt(ctx, in, out, inl);
- } else {
- if (ctx->cts_mode == CTS_CS1)
- sz = cts128_cs1_decrypt(ctx, in, out, inl);
- else if (ctx->cts_mode == CTS_CS2)
- sz = cts128_cs2_decrypt(ctx, in, out, inl);
- else if (ctx->cts_mode == CTS_CS3)
- sz = cts128_cs3_decrypt(ctx, in, out, inl);
- }
- if (sz == 0)
- return 0;
- ctx->updated = 1; /* Stop multiple updates being allowed */
- *outl = sz;
- return 1;
- }
- int ossl_cipher_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize)
- {
- *outl = 0;
- return 1;
- }
|