123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330 |
- /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
- #include <openssl/crypto.h>
- #include "modes_lcl.h"
- #include <string.h>
- /*
- * Trouble with Ciphertext Stealing, CTS, mode is that there is no
- * common official specification, but couple of cipher/application
- * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
- * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
- * deviates from mentioned RFCs. Most notably it allows input to be
- * of block length and it doesn't flip the order of the last two
- * blocks. CTS is being discussed even in ECB context, but it's not
- * adopted for any known application. This implementation provides
- * two interfaces: one compliant with above mentioned RFCs and one
- * compliant with the NIST proposal, both extending CBC mode.
- */
- size_t CRYPTO_cts128_encrypt_block(const unsigned char *in,
- unsigned char *out, size_t len,
- const void *key, unsigned char ivec[16],
- block128_f block)
- {
- size_t residue, n;
- if (len <= 16)
- return 0;
- if ((residue = len % 16) == 0)
- residue = 16;
- len -= residue;
- CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
- in += len;
- out += len;
- for (n = 0; n < residue; ++n)
- ivec[n] ^= in[n];
- (*block) (ivec, ivec, key);
- memcpy(out, out - 16, residue);
- memcpy(out - 16, ivec, 16);
- return len + residue;
- }
- size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in,
- unsigned char *out, size_t len,
- const void *key,
- unsigned char ivec[16],
- block128_f block)
- {
- size_t residue, n;
- if (len < 16)
- return 0;
- residue = len % 16;
- len -= residue;
- CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
- if (residue == 0)
- return len;
- in += len;
- out += len;
- for (n = 0; n < residue; ++n)
- ivec[n] ^= in[n];
- (*block) (ivec, ivec, key);
- memcpy(out - 16 + residue, ivec, 16);
- return len + residue;
- }
- size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc)
- {
- size_t residue;
- union {
- size_t align;
- unsigned char c[16];
- } tmp;
- if (len <= 16)
- return 0;
- if ((residue = len % 16) == 0)
- residue = 16;
- len -= residue;
- (*cbc) (in, out, len, key, ivec, 1);
- in += len;
- out += len;
- #if defined(CBC_HANDLES_TRUNCATED_IO)
- memcpy(tmp.c, out - 16, 16);
- (*cbc) (in, out - 16, residue, key, ivec, 1);
- memcpy(out, tmp.c, residue);
- #else
- memset(tmp.c, 0, sizeof(tmp));
- memcpy(tmp.c, in, residue);
- memcpy(out, out - 16, residue);
- (*cbc) (tmp.c, out - 16, 16, key, ivec, 1);
- #endif
- return len + residue;
- }
- size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc)
- {
- size_t residue;
- union {
- size_t align;
- unsigned char c[16];
- } tmp;
- if (len < 16)
- return 0;
- residue = len % 16;
- len -= residue;
- (*cbc) (in, out, len, key, ivec, 1);
- if (residue == 0)
- return len;
- in += len;
- out += len;
- #if defined(CBC_HANDLES_TRUNCATED_IO)
- (*cbc) (in, out - 16 + residue, residue, key, ivec, 1);
- #else
- memset(tmp.c, 0, sizeof(tmp));
- memcpy(tmp.c, in, residue);
- (*cbc) (tmp.c, out - 16 + residue, 16, key, ivec, 1);
- #endif
- return len + residue;
- }
- size_t CRYPTO_cts128_decrypt_block(const unsigned char *in,
- unsigned char *out, size_t len,
- const void *key, unsigned char ivec[16],
- block128_f block)
- {
- size_t residue, n;
- union {
- size_t align;
- unsigned char c[32];
- } tmp;
- if (len <= 16)
- return 0;
- if ((residue = len % 16) == 0)
- residue = 16;
- len -= 16 + residue;
- if (len) {
- CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
- in += len;
- out += len;
- }
- (*block) (in, tmp.c + 16, key);
- memcpy(tmp.c, tmp.c + 16, 16);
- memcpy(tmp.c, in + 16, residue);
- (*block) (tmp.c, tmp.c, key);
- for (n = 0; n < 16; ++n) {
- unsigned char c = in[n];
- out[n] = tmp.c[n] ^ ivec[n];
- ivec[n] = c;
- }
- for (residue += 16; n < residue; ++n)
- out[n] = tmp.c[n] ^ in[n];
- return 16 + len + residue;
- }
- size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in,
- unsigned char *out, size_t len,
- const void *key,
- unsigned char ivec[16],
- block128_f block)
- {
- size_t residue, n;
- union {
- size_t align;
- unsigned char c[32];
- } tmp;
- if (len < 16)
- return 0;
- residue = len % 16;
- if (residue == 0) {
- CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
- return len;
- }
- len -= 16 + residue;
- if (len) {
- CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
- in += len;
- out += len;
- }
- (*block) (in + residue, tmp.c + 16, key);
- memcpy(tmp.c, tmp.c + 16, 16);
- memcpy(tmp.c, in, residue);
- (*block) (tmp.c, tmp.c, key);
- for (n = 0; n < 16; ++n) {
- unsigned char c = in[n];
- out[n] = tmp.c[n] ^ ivec[n];
- ivec[n] = in[n + residue];
- tmp.c[n] = c;
- }
- for (residue += 16; n < residue; ++n)
- out[n] = tmp.c[n] ^ tmp.c[n - 16];
- return 16 + len + residue;
- }
- size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc)
- {
- size_t residue;
- union {
- size_t align;
- unsigned char c[32];
- } tmp;
- if (len <= 16)
- return 0;
- if ((residue = len % 16) == 0)
- residue = 16;
- len -= 16 + residue;
- if (len) {
- (*cbc) (in, out, len, key, ivec, 0);
- in += len;
- out += len;
- }
- memset(tmp.c, 0, sizeof(tmp));
- /*
- * this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
- */
- (*cbc) (in, tmp.c, 16, key, tmp.c + 16, 0);
- memcpy(tmp.c, in + 16, residue);
- #if defined(CBC_HANDLES_TRUNCATED_IO)
- (*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
- #else
- (*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
- memcpy(out, tmp.c, 16 + residue);
- #endif
- return 16 + len + residue;
- }
- size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc)
- {
- size_t residue;
- union {
- size_t align;
- unsigned char c[32];
- } tmp;
- if (len < 16)
- return 0;
- residue = len % 16;
- if (residue == 0) {
- (*cbc) (in, out, len, key, ivec, 0);
- return len;
- }
- len -= 16 + residue;
- if (len) {
- (*cbc) (in, out, len, key, ivec, 0);
- in += len;
- out += len;
- }
- memset(tmp.c, 0, sizeof(tmp));
- /*
- * this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
- */
- (*cbc) (in + residue, tmp.c, 16, key, tmp.c + 16, 0);
- memcpy(tmp.c, in, residue);
- #if defined(CBC_HANDLES_TRUNCATED_IO)
- (*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
- #else
- (*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
- memcpy(out, tmp.c, 16 + residue);
- #endif
- return 16 + len + residue;
- }
|