2
0

cipher_cts.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378
  1. /*
  2. * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * Helper functions for 128 bit CBC CTS ciphers (Currently AES and Camellia).
  11. *
  12. * The function dispatch tables are embedded into cipher_aes.c
  13. * and cipher_camellia.c using cipher_aes_cts.inc and cipher_camellia_cts.inc
  14. */
  15. /*
  16. * Refer to SP800-38A-Addendum
  17. *
  18. * Ciphertext stealing encrypts plaintext using a block cipher, without padding
  19. * the message to a multiple of the block size, so the ciphertext is the same
  20. * size as the plaintext.
  21. * It does this by altering processing of the last two blocks of the message.
  22. * The processing of all but the last two blocks is unchanged, but a portion of
  23. * the second-last block's ciphertext is "stolen" to pad the last plaintext
  24. * block. The padded final block is then encrypted as usual.
  25. * The final ciphertext for the last two blocks, consists of the partial block
  26. * (with the "stolen" portion omitted) plus the full final block,
  27. * which are the same size as the original plaintext.
  28. * Decryption requires decrypting the final block first, then restoring the
  29. * stolen ciphertext to the partial block, which can then be decrypted as usual.
  30. * AES_CBC_CTS has 3 variants:
  31. * (1) CS1 The NIST variant.
  32. * If the length is a multiple of the blocksize it is the same as CBC mode.
  33. * otherwise it produces C1||C2||(C(n-1))*||Cn.
  34. * Where C(n-1)* is a partial block.
  35. * (2) CS2
  36. * If the length is a multiple of the blocksize it is the same as CBC mode.
  37. * otherwise it produces C1||C2||Cn||(C(n-1))*.
  38. * Where C(n-1)* is a partial block.
  39. * (3) CS3 The Kerberos5 variant.
  40. * Produces C1||C2||Cn||(C(n-1))* regardless of the length.
  41. * If the length is a multiple of the blocksize it looks similar to CBC mode
  42. * with the last 2 blocks swapped.
  43. * Otherwise it is the same as CS2.
  44. */
  45. #include <openssl/core_names.h>
  46. #include "prov/ciphercommon.h"
  47. #include "internal/nelem.h"
  48. #include "cipher_cts.h"
  49. /* The value assigned to 0 is the default */
  50. #define CTS_CS1 0
  51. #define CTS_CS2 1
  52. #define CTS_CS3 2
  53. #define CTS_BLOCK_SIZE 16
  54. typedef union {
  55. size_t align;
  56. unsigned char c[CTS_BLOCK_SIZE];
  57. } aligned_16bytes;
  58. typedef struct cts_mode_name2id_st {
  59. unsigned int id;
  60. const char *name;
  61. } CTS_MODE_NAME2ID;
  62. static CTS_MODE_NAME2ID cts_modes[] =
  63. {
  64. { CTS_CS1, OSSL_CIPHER_CTS_MODE_CS1 },
  65. { CTS_CS2, OSSL_CIPHER_CTS_MODE_CS2 },
  66. { CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 },
  67. };
  68. const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id)
  69. {
  70. size_t i;
  71. for (i = 0; i < OSSL_NELEM(cts_modes); ++i) {
  72. if (cts_modes[i].id == id)
  73. return cts_modes[i].name;
  74. }
  75. return NULL;
  76. }
  77. int ossl_cipher_cbc_cts_mode_name2id(const char *name)
  78. {
  79. size_t i;
  80. for (i = 0; i < OSSL_NELEM(cts_modes); ++i) {
  81. if (OPENSSL_strcasecmp(name, cts_modes[i].name) == 0)
  82. return (int)cts_modes[i].id;
  83. }
  84. return -1;
  85. }
  86. static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
  87. unsigned char *out, size_t len)
  88. {
  89. aligned_16bytes tmp_in;
  90. size_t residue;
  91. residue = len % CTS_BLOCK_SIZE;
  92. len -= residue;
  93. if (!ctx->hw->cipher(ctx, out, in, len))
  94. return 0;
  95. if (residue == 0)
  96. return len;
  97. in += len;
  98. out += len;
  99. memset(tmp_in.c, 0, sizeof(tmp_in));
  100. memcpy(tmp_in.c, in, residue);
  101. if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE + residue, tmp_in.c,
  102. CTS_BLOCK_SIZE))
  103. return 0;
  104. return len + residue;
  105. }
  106. static void do_xor(const unsigned char *in1, const unsigned char *in2,
  107. size_t len, unsigned char *out)
  108. {
  109. size_t i;
  110. for (i = 0; i < len; ++i)
  111. out[i] = in1[i] ^ in2[i];
  112. }
  113. static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
  114. unsigned char *out, size_t len)
  115. {
  116. aligned_16bytes mid_iv, ct_mid, cn, pt_last;
  117. size_t residue;
  118. residue = len % CTS_BLOCK_SIZE;
  119. if (residue == 0) {
  120. /* If there are no partial blocks then it is the same as CBC mode */
  121. if (!ctx->hw->cipher(ctx, out, in, len))
  122. return 0;
  123. return len;
  124. }
  125. /* Process blocks at the start - but leave the last 2 blocks */
  126. len -= CTS_BLOCK_SIZE + residue;
  127. if (len > 0) {
  128. if (!ctx->hw->cipher(ctx, out, in, len))
  129. return 0;
  130. in += len;
  131. out += len;
  132. }
  133. /* Save the iv that will be used by the second last block */
  134. memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
  135. /* Save the C(n) block */
  136. memcpy(cn.c, in + residue, CTS_BLOCK_SIZE);
  137. /* Decrypt the last block first using an iv of zero */
  138. memset(ctx->iv, 0, CTS_BLOCK_SIZE);
  139. if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, CTS_BLOCK_SIZE))
  140. return 0;
  141. /*
  142. * Rebuild the ciphertext of the second last block as a combination of
  143. * the decrypted last block + replace the start with the ciphertext bytes
  144. * of the partial second last block.
  145. */
  146. memcpy(ct_mid.c, in, residue);
  147. memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
  148. /*
  149. * Restore the last partial ciphertext block.
  150. * Now that we have the cipher text of the second last block, apply
  151. * that to the partial plaintext end block. We have already decrypted the
  152. * block using an IV of zero. For decryption the IV is just XORed after
  153. * doing an Cipher CBC block - so just XOR in the cipher text.
  154. */
  155. do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
  156. /* Restore the iv needed by the second last block */
  157. memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
  158. /*
  159. * Decrypt the second last plaintext block now that we have rebuilt the
  160. * ciphertext.
  161. */
  162. if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
  163. return 0;
  164. /* The returned iv is the C(n) block */
  165. memcpy(ctx->iv, cn.c, CTS_BLOCK_SIZE);
  166. return len + CTS_BLOCK_SIZE + residue;
  167. }
  168. static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
  169. unsigned char *out, size_t len)
  170. {
  171. aligned_16bytes tmp_in;
  172. size_t residue;
  173. if (len < CTS_BLOCK_SIZE) /* CS3 requires at least one block */
  174. return 0;
  175. /* If we only have one block then just process the aligned block */
  176. if (len == CTS_BLOCK_SIZE)
  177. return ctx->hw->cipher(ctx, out, in, len) ? len : 0;
  178. residue = len % CTS_BLOCK_SIZE;
  179. if (residue == 0)
  180. residue = CTS_BLOCK_SIZE;
  181. len -= residue;
  182. if (!ctx->hw->cipher(ctx, out, in, len))
  183. return 0;
  184. in += len;
  185. out += len;
  186. memset(tmp_in.c, 0, sizeof(tmp_in));
  187. memcpy(tmp_in.c, in, residue);
  188. memcpy(out, out - CTS_BLOCK_SIZE, residue);
  189. if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE, tmp_in.c, CTS_BLOCK_SIZE))
  190. return 0;
  191. return len + residue;
  192. }
  193. /*
  194. * Note:
  195. * The cipher text (in) is of the form C(0), C(1), ., C(n), C(n-1)* where
  196. * C(n) is a full block and C(n-1)* can be a partial block
  197. * (but could be a full block).
  198. * This means that the output plaintext (out) needs to swap the plaintext of
  199. * the last two decoded ciphertext blocks.
  200. */
  201. static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
  202. unsigned char *out, size_t len)
  203. {
  204. aligned_16bytes mid_iv, ct_mid, cn, pt_last;
  205. size_t residue;
  206. if (len < CTS_BLOCK_SIZE) /* CS3 requires at least one block */
  207. return 0;
  208. /* If we only have one block then just process the aligned block */
  209. if (len == CTS_BLOCK_SIZE)
  210. return ctx->hw->cipher(ctx, out, in, len) ? len : 0;
  211. /* Process blocks at the start - but leave the last 2 blocks */
  212. residue = len % CTS_BLOCK_SIZE;
  213. if (residue == 0)
  214. residue = CTS_BLOCK_SIZE;
  215. len -= CTS_BLOCK_SIZE + residue;
  216. if (len > 0) {
  217. if (!ctx->hw->cipher(ctx, out, in, len))
  218. return 0;
  219. in += len;
  220. out += len;
  221. }
  222. /* Save the iv that will be used by the second last block */
  223. memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
  224. /* Save the C(n) block : For CS3 it is C(1)||...||C(n-2)||C(n)||C(n-1)* */
  225. memcpy(cn.c, in, CTS_BLOCK_SIZE);
  226. /* Decrypt the C(n) block first using an iv of zero */
  227. memset(ctx->iv, 0, CTS_BLOCK_SIZE);
  228. if (!ctx->hw->cipher(ctx, pt_last.c, in, CTS_BLOCK_SIZE))
  229. return 0;
  230. /*
  231. * Rebuild the ciphertext of C(n-1) as a combination of
  232. * the decrypted C(n) block + replace the start with the ciphertext bytes
  233. * of the partial last block.
  234. */
  235. memcpy(ct_mid.c, in + CTS_BLOCK_SIZE, residue);
  236. if (residue != CTS_BLOCK_SIZE)
  237. memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
  238. /*
  239. * Restore the last partial ciphertext block.
  240. * Now that we have the cipher text of the second last block, apply
  241. * that to the partial plaintext end block. We have already decrypted the
  242. * block using an IV of zero. For decryption the IV is just XORed after
  243. * doing an AES block - so just XOR in the ciphertext.
  244. */
  245. do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
  246. /* Restore the iv needed by the second last block */
  247. memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
  248. /*
  249. * Decrypt the second last plaintext block now that we have rebuilt the
  250. * ciphertext.
  251. */
  252. if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
  253. return 0;
  254. /* The returned iv is the C(n) block */
  255. memcpy(ctx->iv, cn.c, CTS_BLOCK_SIZE);
  256. return len + CTS_BLOCK_SIZE + residue;
  257. }
  258. static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
  259. unsigned char *out, size_t len)
  260. {
  261. if (len % CTS_BLOCK_SIZE == 0) {
  262. /* If there are no partial blocks then it is the same as CBC mode */
  263. if (!ctx->hw->cipher(ctx, out, in, len))
  264. return 0;
  265. return len;
  266. }
  267. /* For partial blocks CS2 is equivalent to CS3 */
  268. return cts128_cs3_encrypt(ctx, in, out, len);
  269. }
  270. static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
  271. unsigned char *out, size_t len)
  272. {
  273. if (len % CTS_BLOCK_SIZE == 0) {
  274. /* If there are no partial blocks then it is the same as CBC mode */
  275. if (!ctx->hw->cipher(ctx, out, in, len))
  276. return 0;
  277. return len;
  278. }
  279. /* For partial blocks CS2 is equivalent to CS3 */
  280. return cts128_cs3_decrypt(ctx, in, out, len);
  281. }
  282. int ossl_cipher_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
  283. size_t outsize, const unsigned char *in,
  284. size_t inl)
  285. {
  286. PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
  287. size_t sz = 0;
  288. if (inl < CTS_BLOCK_SIZE) /* There must be at least one block for CTS mode */
  289. return 0;
  290. if (outsize < inl)
  291. return 0;
  292. if (out == NULL) {
  293. *outl = inl;
  294. return 1;
  295. }
  296. /*
  297. * Return an error if the update is called multiple times, only one shot
  298. * is supported.
  299. */
  300. if (ctx->updated == 1)
  301. return 0;
  302. if (ctx->enc) {
  303. if (ctx->cts_mode == CTS_CS1)
  304. sz = cts128_cs1_encrypt(ctx, in, out, inl);
  305. else if (ctx->cts_mode == CTS_CS2)
  306. sz = cts128_cs2_encrypt(ctx, in, out, inl);
  307. else if (ctx->cts_mode == CTS_CS3)
  308. sz = cts128_cs3_encrypt(ctx, in, out, inl);
  309. } else {
  310. if (ctx->cts_mode == CTS_CS1)
  311. sz = cts128_cs1_decrypt(ctx, in, out, inl);
  312. else if (ctx->cts_mode == CTS_CS2)
  313. sz = cts128_cs2_decrypt(ctx, in, out, inl);
  314. else if (ctx->cts_mode == CTS_CS3)
  315. sz = cts128_cs3_decrypt(ctx, in, out, inl);
  316. }
  317. if (sz == 0)
  318. return 0;
  319. ctx->updated = 1; /* Stop multiple updates being allowed */
  320. *outl = sz;
  321. return 1;
  322. }
  323. int ossl_cipher_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
  324. size_t outsize)
  325. {
  326. *outl = 0;
  327. return 1;
  328. }