|
Packit |
c4476c |
/*
|
|
Packit |
c4476c |
* Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
|
|
Packit |
c4476c |
*
|
|
Packit |
c4476c |
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
Packit |
c4476c |
* this file except in compliance with the License. You can obtain a copy
|
|
Packit |
c4476c |
* in the file LICENSE in the source distribution or at
|
|
Packit |
c4476c |
* https://www.openssl.org/source/license.html
|
|
Packit |
c4476c |
*/
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
#include <openssl/crypto.h>
|
|
Packit |
c4476c |
#include "modes_local.h"
|
|
Packit |
c4476c |
#include <string.h>
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/*
|
|
Packit |
c4476c |
* Trouble with Ciphertext Stealing, CTS, mode is that there is no
|
|
Packit |
c4476c |
* common official specification, but couple of cipher/application
|
|
Packit |
c4476c |
* specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
|
|
Packit |
c4476c |
* Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
|
|
Packit |
c4476c |
* deviates from mentioned RFCs. Most notably it allows input to be
|
|
Packit |
c4476c |
* of block length and it doesn't flip the order of the last two
|
|
Packit |
c4476c |
* blocks. CTS is being discussed even in ECB context, but it's not
|
|
Packit |
c4476c |
* adopted for any known application. This implementation provides
|
|
Packit |
c4476c |
* two interfaces: one compliant with above mentioned RFCs and one
|
|
Packit |
c4476c |
* compliant with the NIST proposal, both extending CBC mode.
|
|
Packit |
c4476c |
*/
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_cts128_encrypt_block(const unsigned char *in,
|
|
Packit |
c4476c |
unsigned char *out, size_t len,
|
|
Packit |
c4476c |
const void *key, unsigned char ivec[16],
|
|
Packit |
c4476c |
block128_f block)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue, n;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len <= 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if ((residue = len % 16) == 0)
|
|
Packit |
c4476c |
residue = 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
for (n = 0; n < residue; ++n)
|
|
Packit |
c4476c |
ivec[n] ^= in[n];
|
|
Packit |
c4476c |
(*block) (ivec, ivec, key);
|
|
Packit |
c4476c |
memcpy(out, out - 16, residue);
|
|
Packit |
c4476c |
memcpy(out - 16, ivec, 16);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
return len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in,
|
|
Packit |
c4476c |
unsigned char *out, size_t len,
|
|
Packit |
c4476c |
const void *key,
|
|
Packit |
c4476c |
unsigned char ivec[16],
|
|
Packit |
c4476c |
block128_f block)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue, n;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len < 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
residue = len % 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (residue == 0)
|
|
Packit |
c4476c |
return len;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
for (n = 0; n < residue; ++n)
|
|
Packit |
c4476c |
ivec[n] ^= in[n];
|
|
Packit |
c4476c |
(*block) (ivec, ivec, key);
|
|
Packit |
c4476c |
memcpy(out - 16 + residue, ivec, 16);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
return len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
|
|
Packit |
c4476c |
size_t len, const void *key,
|
|
Packit |
c4476c |
unsigned char ivec[16], cbc128_f cbc)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue;
|
|
Packit |
c4476c |
union {
|
|
Packit |
c4476c |
size_t align;
|
|
Packit |
c4476c |
unsigned char c[16];
|
|
Packit |
c4476c |
} tmp;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len <= 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if ((residue = len % 16) == 0)
|
|
Packit |
c4476c |
residue = 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
(*cbc) (in, out, len, key, ivec, 1);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
Packit |
c4476c |
memcpy(tmp.c, out - 16, 16);
|
|
Packit |
c4476c |
(*cbc) (in, out - 16, residue, key, ivec, 1);
|
|
Packit |
c4476c |
memcpy(out, tmp.c, residue);
|
|
Packit |
c4476c |
#else
|
|
Packit |
c4476c |
memset(tmp.c, 0, sizeof(tmp));
|
|
Packit |
c4476c |
memcpy(tmp.c, in, residue);
|
|
Packit |
c4476c |
memcpy(out, out - 16, residue);
|
|
Packit |
c4476c |
(*cbc) (tmp.c, out - 16, 16, key, ivec, 1);
|
|
Packit |
c4476c |
#endif
|
|
Packit |
c4476c |
return len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
|
|
Packit |
c4476c |
size_t len, const void *key,
|
|
Packit |
c4476c |
unsigned char ivec[16], cbc128_f cbc)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue;
|
|
Packit |
c4476c |
union {
|
|
Packit |
c4476c |
size_t align;
|
|
Packit |
c4476c |
unsigned char c[16];
|
|
Packit |
c4476c |
} tmp;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len < 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
residue = len % 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
(*cbc) (in, out, len, key, ivec, 1);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (residue == 0)
|
|
Packit |
c4476c |
return len;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
Packit |
c4476c |
(*cbc) (in, out - 16 + residue, residue, key, ivec, 1);
|
|
Packit |
c4476c |
#else
|
|
Packit |
c4476c |
memset(tmp.c, 0, sizeof(tmp));
|
|
Packit |
c4476c |
memcpy(tmp.c, in, residue);
|
|
Packit |
c4476c |
(*cbc) (tmp.c, out - 16 + residue, 16, key, ivec, 1);
|
|
Packit |
c4476c |
#endif
|
|
Packit |
c4476c |
return len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_cts128_decrypt_block(const unsigned char *in,
|
|
Packit |
c4476c |
unsigned char *out, size_t len,
|
|
Packit |
c4476c |
const void *key, unsigned char ivec[16],
|
|
Packit |
c4476c |
block128_f block)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue, n;
|
|
Packit |
c4476c |
union {
|
|
Packit |
c4476c |
size_t align;
|
|
Packit |
c4476c |
unsigned char c[32];
|
|
Packit |
c4476c |
} tmp;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len <= 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if ((residue = len % 16) == 0)
|
|
Packit |
c4476c |
residue = 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= 16 + residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len) {
|
|
Packit |
c4476c |
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
(*block) (in, tmp.c + 16, key);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
memcpy(tmp.c, tmp.c + 16, 16);
|
|
Packit |
c4476c |
memcpy(tmp.c, in + 16, residue);
|
|
Packit |
c4476c |
(*block) (tmp.c, tmp.c, key);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
for (n = 0; n < 16; ++n) {
|
|
Packit |
c4476c |
unsigned char c = in[n];
|
|
Packit |
c4476c |
out[n] = tmp.c[n] ^ ivec[n];
|
|
Packit |
c4476c |
ivec[n] = c;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
for (residue += 16; n < residue; ++n)
|
|
Packit |
c4476c |
out[n] = tmp.c[n] ^ in[n];
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
return 16 + len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in,
|
|
Packit |
c4476c |
unsigned char *out, size_t len,
|
|
Packit |
c4476c |
const void *key,
|
|
Packit |
c4476c |
unsigned char ivec[16],
|
|
Packit |
c4476c |
block128_f block)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue, n;
|
|
Packit |
c4476c |
union {
|
|
Packit |
c4476c |
size_t align;
|
|
Packit |
c4476c |
unsigned char c[32];
|
|
Packit |
c4476c |
} tmp;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len < 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
residue = len % 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (residue == 0) {
|
|
Packit |
c4476c |
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
|
|
Packit |
c4476c |
return len;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= 16 + residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len) {
|
|
Packit |
c4476c |
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
(*block) (in + residue, tmp.c + 16, key);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
memcpy(tmp.c, tmp.c + 16, 16);
|
|
Packit |
c4476c |
memcpy(tmp.c, in, residue);
|
|
Packit |
c4476c |
(*block) (tmp.c, tmp.c, key);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
for (n = 0; n < 16; ++n) {
|
|
Packit |
c4476c |
unsigned char c = in[n];
|
|
Packit |
c4476c |
out[n] = tmp.c[n] ^ ivec[n];
|
|
Packit |
c4476c |
ivec[n] = in[n + residue];
|
|
Packit |
c4476c |
tmp.c[n] = c;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
for (residue += 16; n < residue; ++n)
|
|
Packit |
c4476c |
out[n] = tmp.c[n] ^ tmp.c[n - 16];
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
return 16 + len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
|
|
Packit |
c4476c |
size_t len, const void *key,
|
|
Packit |
c4476c |
unsigned char ivec[16], cbc128_f cbc)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue;
|
|
Packit |
c4476c |
union {
|
|
Packit |
c4476c |
size_t align;
|
|
Packit |
c4476c |
unsigned char c[32];
|
|
Packit |
c4476c |
} tmp;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len <= 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if ((residue = len % 16) == 0)
|
|
Packit |
c4476c |
residue = 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= 16 + residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len) {
|
|
Packit |
c4476c |
(*cbc) (in, out, len, key, ivec, 0);
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
memset(tmp.c, 0, sizeof(tmp));
|
|
Packit |
c4476c |
/*
|
|
Packit |
c4476c |
* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
|
|
Packit |
c4476c |
*/
|
|
Packit |
c4476c |
(*cbc) (in, tmp.c, 16, key, tmp.c + 16, 0);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
memcpy(tmp.c, in + 16, residue);
|
|
Packit |
c4476c |
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
Packit |
c4476c |
(*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
|
|
Packit |
c4476c |
#else
|
|
Packit |
c4476c |
(*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
|
|
Packit |
c4476c |
memcpy(out, tmp.c, 16 + residue);
|
|
Packit |
c4476c |
#endif
|
|
Packit |
c4476c |
return 16 + len + residue;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
|
|
Packit |
c4476c |
size_t len, const void *key,
|
|
Packit |
c4476c |
unsigned char ivec[16], cbc128_f cbc)
|
|
Packit |
c4476c |
{
|
|
Packit |
c4476c |
size_t residue;
|
|
Packit |
c4476c |
union {
|
|
Packit |
c4476c |
size_t align;
|
|
Packit |
c4476c |
unsigned char c[32];
|
|
Packit |
c4476c |
} tmp;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len < 16)
|
|
Packit |
c4476c |
return 0;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
residue = len % 16;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (residue == 0) {
|
|
Packit |
c4476c |
(*cbc) (in, out, len, key, ivec, 0);
|
|
Packit |
c4476c |
return len;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
len -= 16 + residue;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (len) {
|
|
Packit |
c4476c |
(*cbc) (in, out, len, key, ivec, 0);
|
|
Packit |
c4476c |
in += len;
|
|
Packit |
c4476c |
out += len;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
memset(tmp.c, 0, sizeof(tmp));
|
|
Packit |
c4476c |
/*
|
|
Packit |
c4476c |
* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
|
|
Packit |
c4476c |
*/
|
|
Packit |
c4476c |
(*cbc) (in + residue, tmp.c, 16, key, tmp.c + 16, 0);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
memcpy(tmp.c, in, residue);
|
|
Packit |
c4476c |
#if defined(CBC_HANDLES_TRUNCATED_IO)
|
|
Packit |
c4476c |
(*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
|
|
Packit |
c4476c |
#else
|
|
Packit |
c4476c |
(*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
|
|
Packit |
c4476c |
memcpy(out, tmp.c, 16 + residue);
|
|
Packit |
c4476c |
#endif
|
|
Packit |
c4476c |
return 16 + len + residue;
|
|
Packit |
c4476c |
}
|