From aa4d426b4d3527d7e166df1a05058c9a4a0f6683 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Fri, 30 Apr 2021 00:33:56 +0200 Subject: initial/final commit --- openssl-1.1.0h/crypto/modes/cts128.c | 523 +++++++++++++++++++++++++++++++++++ 1 file changed, 523 insertions(+) create mode 100644 openssl-1.1.0h/crypto/modes/cts128.c (limited to 'openssl-1.1.0h/crypto/modes/cts128.c') diff --git a/openssl-1.1.0h/crypto/modes/cts128.c b/openssl-1.1.0h/crypto/modes/cts128.c new file mode 100644 index 0000000..77ec994 --- /dev/null +++ b/openssl-1.1.0h/crypto/modes/cts128.c @@ -0,0 +1,523 @@ +/* + * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "modes_lcl.h" +#include + +/* + * Trouble with Ciphertext Stealing, CTS, mode is that there is no + * common official specification, but couple of cipher/application + * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to + * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which + * deviates from mentioned RFCs. Most notably it allows input to be + * of block length and it doesn't flip the order of the last two + * blocks. CTS is being discussed even in ECB context, but it's not + * adopted for any known application. This implementation provides + * two interfaces: one compliant with above mentioned RFCs and one + * compliant with the NIST proposal, both extending CBC mode. + */ + +size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, + unsigned char *out, size_t len, + const void *key, unsigned char ivec[16], + block128_f block) +{ + size_t residue, n; + + if (len <= 16) + return 0; + + if ((residue = len % 16) == 0) + residue = 16; + + len -= residue; + + CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block); + + in += len; + out += len; + + for (n = 0; n < residue; ++n) + ivec[n] ^= in[n]; + (*block) (ivec, ivec, key); + memcpy(out, out - 16, residue); + memcpy(out - 16, ivec, 16); + + return len + residue; +} + +size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, + unsigned char *out, size_t len, + const void *key, + unsigned char ivec[16], + block128_f block) +{ + size_t residue, n; + + if (len < 16) + return 0; + + residue = len % 16; + + len -= residue; + + CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block); + + if (residue == 0) + return len; + + in += len; + out += len; + + for (n = 0; n < residue; ++n) + ivec[n] ^= in[n]; + (*block) (ivec, ivec, key); + memcpy(out - 16 + residue, ivec, 16); + + return len + residue; +} + +size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], cbc128_f cbc) +{ + size_t residue; + union { + size_t align; + unsigned char c[16]; + } tmp; + + if (len <= 16) + return 0; + + if ((residue = len % 16) == 0) + residue = 16; + + len -= residue; + + (*cbc) (in, out, len, key, ivec, 1); + + in += len; + out += len; + +#if defined(CBC_HANDLES_TRUNCATED_IO) + memcpy(tmp.c, out - 16, 16); + (*cbc) (in, out - 16, residue, key, ivec, 1); + memcpy(out, tmp.c, residue); +#else + memset(tmp.c, 0, sizeof(tmp)); + memcpy(tmp.c, in, residue); + memcpy(out, out - 16, residue); + (*cbc) (tmp.c, out - 16, 16, key, ivec, 1); +#endif + return len + residue; +} + +size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], cbc128_f cbc) +{ + size_t residue; + union { + size_t align; + unsigned char c[16]; + } tmp; + + if (len < 16) + return 0; + + residue = len % 16; + + len -= residue; + + (*cbc) (in, out, len, key, ivec, 1); + + if (residue == 0) + return len; + + in += len; + out += len; + +#if defined(CBC_HANDLES_TRUNCATED_IO) + (*cbc) (in, out - 16 + residue, residue, key, ivec, 1); +#else + memset(tmp.c, 0, sizeof(tmp)); + memcpy(tmp.c, in, residue); + (*cbc) (tmp.c, out - 16 + residue, 16, key, ivec, 1); +#endif + return len + residue; +} + +size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, + unsigned char *out, size_t len, + const void *key, unsigned char ivec[16], + block128_f block) +{ + size_t residue, n; + union { + size_t align; + unsigned char c[32]; + } tmp; + + if (len <= 16) + return 0; + + if ((residue = len % 16) == 0) + residue = 16; + + len -= 16 + residue; + + if (len) { + CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block); + in += len; + out += len; + } + + (*block) (in, tmp.c + 16, key); + + memcpy(tmp.c, tmp.c + 16, 16); + memcpy(tmp.c, in + 16, residue); + (*block) (tmp.c, tmp.c, key); + + for (n = 0; n < 16; ++n) { + unsigned char c = in[n]; + out[n] = tmp.c[n] ^ ivec[n]; + ivec[n] = c; + } + for (residue += 16; n < residue; ++n) + out[n] = tmp.c[n] ^ in[n]; + + return 16 + len + residue; +} + +size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, + unsigned char *out, size_t len, + const void *key, + unsigned char ivec[16], + block128_f block) +{ + size_t residue, n; + union { + size_t align; + unsigned char c[32]; + } tmp; + + if (len < 16) + return 0; + + residue = len % 16; + + if (residue == 0) { + CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block); + return len; + } + + len -= 16 + residue; + + if (len) { + CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block); + in += len; + out += len; + } + + (*block) (in + residue, tmp.c + 16, key); + + memcpy(tmp.c, tmp.c + 16, 16); + memcpy(tmp.c, in, residue); + (*block) (tmp.c, tmp.c, key); + + for (n = 0; n < 16; ++n) { + unsigned char c = in[n]; + out[n] = tmp.c[n] ^ ivec[n]; + ivec[n] = in[n + residue]; + tmp.c[n] = c; + } + for (residue += 16; n < residue; ++n) + out[n] = tmp.c[n] ^ tmp.c[n - 16]; + + return 16 + len + residue; +} + +size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], cbc128_f cbc) +{ + size_t residue; + union { + size_t align; + unsigned char c[32]; + } tmp; + + if (len <= 16) + return 0; + + if ((residue = len % 16) == 0) + residue = 16; + + len -= 16 + residue; + + if (len) { + (*cbc) (in, out, len, key, ivec, 0); + in += len; + out += len; + } + + memset(tmp.c, 0, sizeof(tmp)); + /* + * this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] + */ + (*cbc) (in, tmp.c, 16, key, tmp.c + 16, 0); + + memcpy(tmp.c, in + 16, residue); +#if defined(CBC_HANDLES_TRUNCATED_IO) + (*cbc) (tmp.c, out, 16 + residue, key, ivec, 0); +#else + (*cbc) (tmp.c, tmp.c, 32, key, ivec, 0); + memcpy(out, tmp.c, 16 + residue); +#endif + return 16 + len + residue; +} + +size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + unsigned char ivec[16], cbc128_f cbc) +{ + size_t residue; + union { + size_t align; + unsigned char c[32]; + } tmp; + + if (len < 16) + return 0; + + residue = len % 16; + + if (residue == 0) { + (*cbc) (in, out, len, key, ivec, 0); + return len; + } + + len -= 16 + residue; + + if (len) { + (*cbc) (in, out, len, key, ivec, 0); + in += len; + out += len; + } + + memset(tmp.c, 0, sizeof(tmp)); + /* + * this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] + */ + (*cbc) (in + residue, tmp.c, 16, key, tmp.c + 16, 0); + + memcpy(tmp.c, in, residue); +#if defined(CBC_HANDLES_TRUNCATED_IO) + (*cbc) (tmp.c, out, 16 + residue, key, ivec, 0); +#else + (*cbc) (tmp.c, tmp.c, 32, key, ivec, 0); + memcpy(out, tmp.c, 16 + residue); +#endif + return 16 + len + residue; +} + +#if defined(SELFTEST) +# include +# include + +/* test vectors from RFC 3962 */ +static const unsigned char test_key[16] = "chicken teriyaki"; +static const unsigned char test_input[64] = + "I would like the" " General Gau's C" + "hicken, please, " "and wonton soup."; +static const unsigned char test_iv[16] = + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + +static const unsigned char vector_17[17] = { + 0xc6, 0x35, 0x35, 0x68, 0xf2, 0xbf, 0x8c, 0xb4, + 0xd8, 0xa5, 0x80, 0x36, 0x2d, 0xa7, 0xff, 0x7f, + 0x97 +}; + +static const unsigned char vector_31[31] = { + 0xfc, 0x00, 0x78, 0x3e, 0x0e, 0xfd, 0xb2, 0xc1, + 0xd4, 0x45, 0xd4, 0xc8, 0xef, 0xf7, 0xed, 0x22, + 0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0, + 0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5 +}; + +static const unsigned char vector_32[32] = { + 0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5, + 0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5, 0xa8, + 0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0, + 0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84 +}; + +static const unsigned char vector_47[47] = { + 0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0, + 0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84, + 0xb3, 0xff, 0xfd, 0x94, 0x0c, 0x16, 0xa1, 0x8c, + 0x1b, 0x55, 0x49, 0xd2, 0xf8, 0x38, 0x02, 0x9e, + 0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5, + 0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5 +}; + +static const unsigned char vector_48[48] = { + 0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0, + 0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84, + 0x9d, 0xad, 0x8b, 0xbb, 0x96, 0xc4, 0xcd, 0xc0, + 0x3b, 0xc1, 0x03, 0xe1, 0xa1, 0x94, 0xbb, 0xd8, + 0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5, + 0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5, 0xa8 +}; + +static const unsigned char vector_64[64] = { + 0x97, 0x68, 0x72, 0x68, 0xd6, 0xec, 0xcc, 0xc0, + 0xc0, 0x7b, 0x25, 0xe2, 0x5e, 0xcf, 0xe5, 0x84, + 0x39, 0x31, 0x25, 0x23, 0xa7, 0x86, 0x62, 0xd5, + 0xbe, 0x7f, 0xcb, 0xcc, 0x98, 0xeb, 0xf5, 0xa8, + 0x48, 0x07, 0xef, 0xe8, 0x36, 0xee, 0x89, 0xa5, + 0x26, 0x73, 0x0d, 0xbc, 0x2f, 0x7b, 0xc8, 0x40, + 0x9d, 0xad, 0x8b, 0xbb, 0x96, 0xc4, 0xcd, 0xc0, + 0x3b, 0xc1, 0x03, 0xe1, 0xa1, 0x94, 0xbb, 0xd8 +}; + +static AES_KEY encks, decks; + +void test_vector(const unsigned char *vector, size_t len) +{ + unsigned char iv[sizeof(test_iv)]; + unsigned char cleartext[64], ciphertext[64]; + size_t tail; + + printf("vector_%d\n", len); + fflush(stdout); + + if ((tail = len % 16) == 0) + tail = 16; + tail += 16; + + /* test block-based encryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_cts128_encrypt_block(test_input, ciphertext, len, &encks, iv, + (block128_f) AES_encrypt); + if (memcmp(ciphertext, vector, len)) + fprintf(stderr, "output_%d mismatch\n", len), exit(1); + if (memcmp(iv, vector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(1); + + /* test block-based decryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_cts128_decrypt_block(ciphertext, cleartext, len, &decks, iv, + (block128_f) AES_decrypt); + if (memcmp(cleartext, test_input, len)) + fprintf(stderr, "input_%d mismatch\n", len), exit(2); + if (memcmp(iv, vector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(2); + + /* test streamed encryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_cts128_encrypt(test_input, ciphertext, len, &encks, iv, + (cbc128_f) AES_cbc_encrypt); + if (memcmp(ciphertext, vector, len)) + fprintf(stderr, "output_%d mismatch\n", len), exit(3); + if (memcmp(iv, vector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(3); + + /* test streamed decryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_cts128_decrypt(ciphertext, cleartext, len, &decks, iv, + (cbc128_f) AES_cbc_encrypt); + if (memcmp(cleartext, test_input, len)) + fprintf(stderr, "input_%d mismatch\n", len), exit(4); + if (memcmp(iv, vector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(4); +} + +void test_nistvector(const unsigned char *vector, size_t len) +{ + unsigned char iv[sizeof(test_iv)]; + unsigned char cleartext[64], ciphertext[64], nistvector[64]; + size_t tail; + + printf("nistvector_%d\n", len); + fflush(stdout); + + if ((tail = len % 16) == 0) + tail = 16; + + len -= 16 + tail; + memcpy(nistvector, vector, len); + /* flip two last blocks */ + memcpy(nistvector + len, vector + len + 16, tail); + memcpy(nistvector + len + tail, vector + len, 16); + len += 16 + tail; + tail = 16; + + /* test block-based encryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_nistcts128_encrypt_block(test_input, ciphertext, len, &encks, iv, + (block128_f) AES_encrypt); + if (memcmp(ciphertext, nistvector, len)) + fprintf(stderr, "output_%d mismatch\n", len), exit(1); + if (memcmp(iv, nistvector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(1); + + /* test block-based decryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_nistcts128_decrypt_block(ciphertext, cleartext, len, &decks, iv, + (block128_f) AES_decrypt); + if (memcmp(cleartext, test_input, len)) + fprintf(stderr, "input_%d mismatch\n", len), exit(2); + if (memcmp(iv, nistvector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(2); + + /* test streamed encryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_nistcts128_encrypt(test_input, ciphertext, len, &encks, iv, + (cbc128_f) AES_cbc_encrypt); + if (memcmp(ciphertext, nistvector, len)) + fprintf(stderr, "output_%d mismatch\n", len), exit(3); + if (memcmp(iv, nistvector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(3); + + /* test streamed decryption */ + memcpy(iv, test_iv, sizeof(test_iv)); + CRYPTO_nistcts128_decrypt(ciphertext, cleartext, len, &decks, iv, + (cbc128_f) AES_cbc_encrypt); + if (memcmp(cleartext, test_input, len)) + fprintf(stderr, "input_%d mismatch\n", len), exit(4); + if (memcmp(iv, nistvector + len - tail, sizeof(iv))) + fprintf(stderr, "iv_%d mismatch\n", len), exit(4); +} + +int main() +{ + AES_set_encrypt_key(test_key, 128, &encks); + AES_set_decrypt_key(test_key, 128, &decks); + + test_vector(vector_17, sizeof(vector_17)); + test_vector(vector_31, sizeof(vector_31)); + test_vector(vector_32, sizeof(vector_32)); + test_vector(vector_47, sizeof(vector_47)); + test_vector(vector_48, sizeof(vector_48)); + test_vector(vector_64, sizeof(vector_64)); + + test_nistvector(vector_17, sizeof(vector_17)); + test_nistvector(vector_31, sizeof(vector_31)); + test_nistvector(vector_32, sizeof(vector_32)); + test_nistvector(vector_47, sizeof(vector_47)); + test_nistvector(vector_48, sizeof(vector_48)); + test_nistvector(vector_64, sizeof(vector_64)); + + return 0; +} +#endif -- cgit v1.2.3