From 42281f26174dcc6ef4847894f17627f305bdfa2b Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Thu, 12 Aug 2021 18:20:48 +1000 Subject: Refactor cipher aes_cts code so that it can be used by other 128bit ciphers Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16286) --- providers/implementations/ciphers/build.info | 2 +- providers/implementations/ciphers/cipher_aes_cts.c | 361 -------------------- providers/implementations/ciphers/cipher_aes_cts.h | 16 - .../implementations/ciphers/cipher_aes_cts.inc | 50 +-- providers/implementations/ciphers/cipher_cts.c | 362 +++++++++++++++++++++ providers/implementations/ciphers/cipher_cts.h | 52 +++ 6 files changed, 422 insertions(+), 421 deletions(-) delete mode 100644 providers/implementations/ciphers/cipher_aes_cts.c delete mode 100644 providers/implementations/ciphers/cipher_aes_cts.h create mode 100644 providers/implementations/ciphers/cipher_cts.c create mode 100644 providers/implementations/ciphers/cipher_cts.h (limited to 'providers') diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info index cb87ea62d9..e4c5f4f051 100644 --- a/providers/implementations/ciphers/build.info +++ b/providers/implementations/ciphers/build.info @@ -47,7 +47,7 @@ SOURCE[$AES_GOAL]=\ cipher_aes_wrp.c \ cipher_aes_cbc_hmac_sha.c \ cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \ - cipher_aes_cts.c + cipher_cts.c # Extra code to satisfy the FIPS and non-FIPS separation. # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed. diff --git a/providers/implementations/ciphers/cipher_aes_cts.c b/providers/implementations/ciphers/cipher_aes_cts.c deleted file mode 100644 index 1eafa39abb..0000000000 --- a/providers/implementations/ciphers/cipher_aes_cts.c +++ /dev/null @@ -1,361 +0,0 @@ -/* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * Helper functions for AES CBC CTS ciphers. - * - * The function dispatch tables are embedded into cipher_aes.c - * using cipher_aes_cts.inc - */ - -/* - * Refer to SP800-38A-Addendum - * - * Ciphertext stealing encrypts plaintext using a block cipher, without padding - * the message to a multiple of the block size, so the ciphertext is the same - * size as the plaintext. - * It does this by altering processing of the last two blocks of the message. - * The processing of all but the last two blocks is unchanged, but a portion of - * the second-last block's ciphertext is "stolen" to pad the last plaintext - * block. The padded final block is then encrypted as usual. - * The final ciphertext for the last two blocks, consists of the partial block - * (with the "stolen" portion omitted) plus the full final block, - * which are the same size as the original plaintext. - * Decryption requires decrypting the final block first, then restoring the - * stolen ciphertext to the partial block, which can then be decrypted as usual. - - * AES_CBC_CTS has 3 variants: - * (1) CS1 The NIST variant. - * If the length is a multiple of the blocksize it is the same as CBC mode. - * otherwise it produces C1||C2||(C(n-1))*||Cn. - * Where C(n-1)* is a partial block. - * (2) CS2 - * If the length is a multiple of the blocksize it is the same as CBC mode. - * otherwise it produces C1||C2||Cn||(C(n-1))*. - * Where C(n-1)* is a partial block. - * (3) CS3 The Kerberos5 variant. - * Produces C1||C2||Cn||(C(n-1))* regardless of the length. - * If the length is a multiple of the blocksize it looks similar to CBC mode - * with the last 2 blocks swapped. - * Otherwise it is the same as CS2. - */ - -#include "e_os.h" /* strcasecmp */ -#include -#include -#include "prov/ciphercommon.h" -#include "internal/nelem.h" -#include "cipher_aes_cts.h" - -/* The value assigned to 0 is the default */ -#define CTS_CS1 0 -#define CTS_CS2 1 -#define CTS_CS3 2 - -typedef union { - size_t align; - unsigned char c[AES_BLOCK_SIZE]; -} aligned_16bytes; - -typedef struct cts_mode_name2id_st { - unsigned int id; - const char *name; -} CTS_MODE_NAME2ID; - -static CTS_MODE_NAME2ID cts_modes[] = -{ - { CTS_CS1, OSSL_CIPHER_CTS_MODE_CS1 }, - { CTS_CS2, OSSL_CIPHER_CTS_MODE_CS2 }, - { CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 }, -}; - -const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id) -{ - size_t i; - - for (i = 0; i < OSSL_NELEM(cts_modes); ++i) { - if (cts_modes[i].id == id) - return cts_modes[i].name; - } - return NULL; -} - -int ossl_aes_cbc_cts_mode_name2id(const char *name) -{ - size_t i; - - for (i = 0; i < OSSL_NELEM(cts_modes); ++i) { - if (strcasecmp(name, cts_modes[i].name) == 0) - return (int)cts_modes[i].id; - } - return -1; -} - -static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len) -{ - aligned_16bytes tmp_in; - size_t residue; - - residue = len % AES_BLOCK_SIZE; - len -= residue; - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - - if (residue == 0) - return len; - - in += len; - out += len; - - memset(tmp_in.c, 0, sizeof(tmp_in)); - memcpy(tmp_in.c, in, residue); - if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE + residue, tmp_in.c, - AES_BLOCK_SIZE)) - return 0; - return len + residue; -} - -static void do_xor(const unsigned char *in1, const unsigned char *in2, - size_t len, unsigned char *out) -{ - size_t i; - - for (i = 0; i < len; ++i) - out[i] = in1[i] ^ in2[i]; -} - -static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len) -{ - aligned_16bytes mid_iv, ct_mid, pt_last; - size_t residue; - - residue = len % AES_BLOCK_SIZE; - if (residue == 0) { - /* If there are no partial blocks then it is the same as CBC mode */ - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - return len; - } - /* Process blocks at the start - but leave the last 2 blocks */ - len -= AES_BLOCK_SIZE + residue; - if (len > 0) { - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - in += len; - out += len; - } - /* Save the iv that will be used by the second last block */ - memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE); - - /* Decrypt the last block first using an iv of zero */ - memset(ctx->iv, 0, AES_BLOCK_SIZE); - if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, AES_BLOCK_SIZE)) - return 0; - - /* - * Rebuild the ciphertext of the second last block as a combination of - * the decrypted last block + replace the start with the ciphertext bytes - * of the partial second last block. - */ - memcpy(ct_mid.c, in, residue); - memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue); - /* - * Restore the last partial ciphertext block. - * Now that we have the cipher text of the second last block, apply - * that to the partial plaintext end block. We have already decrypted the - * block using an IV of zero. For decryption the IV is just XORed after - * doing an AES block - so just XOR in the cipher text. - */ - do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE); - - /* Restore the iv needed by the second last block */ - memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE); - /* - * Decrypt the second last plaintext block now that we have rebuilt the - * ciphertext. - */ - if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE)) - return 0; - - return len + AES_BLOCK_SIZE + residue; -} - -static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len) -{ - aligned_16bytes tmp_in; - size_t residue; - - if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */ - return 0; - - residue = len % AES_BLOCK_SIZE; - if (residue == 0) - residue = AES_BLOCK_SIZE; - len -= residue; - - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - - in += len; - out += len; - - memset(tmp_in.c, 0, sizeof(tmp_in)); - memcpy(tmp_in.c, in, residue); - memcpy(out, out - AES_BLOCK_SIZE, residue); - if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE, tmp_in.c, AES_BLOCK_SIZE)) - return 0; - return len + residue; -} - -/* - * Note: - * The cipher text (in) is of the form C(0), C(1), ., C(n), C(n-1)* where - * C(n) is a full block and C(n-1)* can be a partial block - * (but could be a full block). - * This means that the output plaintext (out) needs to swap the plaintext of - * the last two decoded ciphertext blocks. - */ -static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len) -{ - aligned_16bytes mid_iv, ct_mid, pt_last; - size_t residue; - - if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */ - return 0; - - /* Process blocks at the start - but leave the last 2 blocks */ - residue = len % AES_BLOCK_SIZE; - if (residue == 0) - residue = AES_BLOCK_SIZE; - len -= AES_BLOCK_SIZE + residue; - - if (len > 0) { - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - in += len; - out += len; - } - /* Save the iv that will be used by the second last block */ - memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE); - - /* Decrypt the Cn block first using an iv of zero */ - memset(ctx->iv, 0, AES_BLOCK_SIZE); - if (!ctx->hw->cipher(ctx, pt_last.c, in, AES_BLOCK_SIZE)) - return 0; - - /* - * Rebuild the ciphertext of C(n-1) as a combination of - * the decrypted C(n) block + replace the start with the ciphertext bytes - * of the partial last block. - */ - memcpy(ct_mid.c, in + AES_BLOCK_SIZE, residue); - if (residue != AES_BLOCK_SIZE) - memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue); - /* - * Restore the last partial ciphertext block. - * Now that we have the cipher text of the second last block, apply - * that to the partial plaintext end block. We have already decrypted the - * block using an IV of zero. For decryption the IV is just XORed after - * doing an AES block - so just XOR in the ciphertext. - */ - do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE); - - /* Restore the iv needed by the second last block */ - memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE); - /* - * Decrypt the second last plaintext block now that we have rebuilt the - * ciphertext. - */ - if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE)) - return 0; - - return len + AES_BLOCK_SIZE + residue; -} - -static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len) -{ - if (len % AES_BLOCK_SIZE == 0) { - /* If there are no partial blocks then it is the same as CBC mode */ - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - return len; - } - /* For partial blocks CS2 is equivalent to CS3 */ - return cts128_cs3_encrypt(ctx, in, out, len); -} - -static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out, size_t len) -{ - if (len % AES_BLOCK_SIZE == 0) { - /* If there are no partial blocks then it is the same as CBC mode */ - if (!ctx->hw->cipher(ctx, out, in, len)) - return 0; - return len; - } - /* For partial blocks CS2 is equivalent to CS3 */ - return cts128_cs3_decrypt(ctx, in, out, len); -} - -int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl, - size_t outsize, const unsigned char *in, - size_t inl) -{ - PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; - size_t sz = 0; - - if (inl < AES_BLOCK_SIZE) /* There must be at least one block for CTS mode */ - return 0; - if (outsize < inl) - return 0; - if (out == NULL) { - *outl = inl; - return 1; - } - - /* - * Return an error if the update is called multiple times, only one shot - * is supported. - */ - if (ctx->updated == 1) - return 0; - - if (ctx->enc) { - if (ctx->cts_mode == CTS_CS1) - sz = cts128_cs1_encrypt(ctx, in, out, inl); - else if (ctx->cts_mode == CTS_CS2) - sz = cts128_cs2_encrypt(ctx, in, out, inl); - else if (ctx->cts_mode == CTS_CS3) - sz = cts128_cs3_encrypt(ctx, in, out, inl); - } else { - if (ctx->cts_mode == CTS_CS1) - sz = cts128_cs1_decrypt(ctx, in, out, inl); - else if (ctx->cts_mode == CTS_CS2) - sz = cts128_cs2_decrypt(ctx, in, out, inl); - else if (ctx->cts_mode == CTS_CS3) - sz = cts128_cs3_decrypt(ctx, in, out, inl); - } - if (sz == 0) - return 0; - ctx->updated = 1; /* Stop multiple updates being allowed */ - *outl = sz; - return 1; -} - -int ossl_aes_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl, - size_t outsize) -{ - *outl = 0; - return 1; -} diff --git a/providers/implementations/ciphers/cipher_aes_cts.h b/providers/implementations/ciphers/cipher_aes_cts.h deleted file mode 100644 index 37dd3df329..0000000000 --- a/providers/implementations/ciphers/cipher_aes_cts.h +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include "crypto/evp.h" - -OSSL_FUNC_cipher_update_fn ossl_aes_cbc_cts_block_update; -OSSL_FUNC_cipher_final_fn ossl_aes_cbc_cts_block_final; - -const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id); -int ossl_aes_cbc_cts_mode_name2id(const char *name); diff --git a/providers/implementations/ciphers/cipher_aes_cts.inc b/providers/implementations/ciphers/cipher_aes_cts.inc index 2a3b88b2c0..1fb5ec3553 100644 --- a/providers/implementations/ciphers/cipher_aes_cts.inc +++ b/providers/implementations/ciphers/cipher_aes_cts.inc @@ -10,9 +10,9 @@ /* Dispatch functions for AES CBC CTS ciphers */ #include -#include "cipher_aes_cts.h" +#include "cipher_cts.h" -#define AES_CTS_FLAGS PROV_CIPHER_FLAG_CTS +#define CTS_FLAGS PROV_CIPHER_FLAG_CTS static OSSL_FUNC_cipher_encrypt_init_fn aes_cbc_cts_einit; static OSSL_FUNC_cipher_decrypt_init_fn aes_cbc_cts_dinit; @@ -50,7 +50,7 @@ static int aes_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS_MODE); if (p != NULL) { - const char *name = ossl_aes_cbc_cts_mode_id2name(ctx->cts_mode); + const char *name = ossl_cipher_cbc_cts_mode_id2name(ctx->cts_mode); if (name == NULL || !OSSL_PARAM_set_utf8_string(p, name)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); @@ -74,7 +74,7 @@ static int aes_cbc_cts_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (p != NULL) { if (p->data_type != OSSL_PARAM_UTF8_STRING) goto err; - id = ossl_aes_cbc_cts_mode_name2id(p->data); + id = ossl_cipher_cbc_cts_mode_name2id(p->data); if (id < 0) goto err; @@ -86,45 +86,9 @@ err: return 0; } -/* NOTE: The underlying block cipher is AES CBC so we reuse most of the code */ -#define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \ - blkbits, ivbits, typ) \ -static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \ -static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \ -{ \ - return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, flags, \ - kbits, blkbits, ivbits); \ -} \ -const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \ - { OSSL_FUNC_CIPHER_NEWCTX, \ - (void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \ - { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \ - { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \ - { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_cbc_cts_einit }, \ - { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_cbc_cts_dinit }, \ - { OSSL_FUNC_CIPHER_UPDATE, \ - (void (*)(void)) ossl_##alg##_##lcmode##_cts_block_update }, \ - { OSSL_FUNC_CIPHER_FINAL, \ - (void (*)(void)) ossl_##alg##_##lcmode##_cts_block_final }, \ - { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \ - { OSSL_FUNC_CIPHER_GET_PARAMS, \ - (void (*)(void)) alg##_cts_##kbits##_##lcmode##_get_params }, \ - { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ - (void (*)(void))ossl_cipher_generic_gettable_params }, \ - { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ - (void (*)(void))aes_cbc_cts_get_ctx_params }, \ - { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ - (void (*)(void))aes_cbc_cts_set_ctx_params }, \ - { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ - (void (*)(void))aes_cbc_cts_gettable_ctx_params }, \ - { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ - (void (*)(void))aes_cbc_cts_settable_ctx_params }, \ - { 0, NULL } \ -}; - /* ossl_aes256cbc_cts_functions */ -IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 256, 128, 128, block) +IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 256, 128, 128, block) /* ossl_aes192cbc_cts_functions */ -IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 192, 128, 128, block) +IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 192, 128, 128, block) /* ossl_aes128cbc_cts_functions */ -IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 128, 128, 128, block) +IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 128, 128, 128, block) diff --git a/providers/implementations/ciphers/cipher_cts.c b/providers/implementations/ciphers/cipher_cts.c new file mode 100644 index 0000000000..3e880931c1 --- /dev/null +++ b/providers/implementations/ciphers/cipher_cts.c @@ -0,0 +1,362 @@ +/* + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Helper functions for 128 bit CBC CTS ciphers (Currently AES and Camellia). + * + * The function dispatch tables are embedded into cipher_aes.c + * and cipher_camellia.c using cipher_aes_cts.inc and cipher_camellia_cts.inc + */ + +/* + * Refer to SP800-38A-Addendum + * + * Ciphertext stealing encrypts plaintext using a block cipher, without padding + * the message to a multiple of the block size, so the ciphertext is the same + * size as the plaintext. + * It does this by altering processing of the last two blocks of the message. + * The processing of all but the last two blocks is unchanged, but a portion of + * the second-last block's ciphertext is "stolen" to pad the last plaintext + * block. The padded final block is then encrypted as usual. + * The final ciphertext for the last two blocks, consists of the partial block + * (with the "stolen" portion omitted) plus the full final block, + * which are the same size as the original plaintext. + * Decryption requires decrypting the final block first, then restoring the + * stolen ciphertext to the partial block, which can then be decrypted as usual. + + * AES_CBC_CTS has 3 variants: + * (1) CS1 The NIST variant. + * If the length is a multiple of the blocksize it is the same as CBC mode. + * otherwise it produces C1||C2||(C(n-1))*||Cn. + * Where C(n-1)* is a partial block. + * (2) CS2 + * If the length is a multiple of the blocksize it is the same as CBC mode. + * otherwise it produces C1||C2||Cn||(C(n-1))*. + * Where C(n-1)* is a partial block. + * (3) CS3 The Kerberos5 variant. + * Produces C1||C2||Cn||(C(n-1))* regardless of the length. + * If the length is a multiple of the blocksize it looks similar to CBC mode + * with the last 2 blocks swapped. + * Otherwise it is the same as CS2. + */ + +#include "e_os.h" /* strcasecmp */ +#include +#include "prov/ciphercommon.h" +#include "internal/nelem.h" +#include "cipher_cts.h" + +/* The value assigned to 0 is the default */ +#define CTS_CS1 0 +#define CTS_CS2 1 +#define CTS_CS3 2 + +#define CTS_BLOCK_SIZE 16 + +typedef union { + size_t align; + unsigned char c[CTS_BLOCK_SIZE]; +} aligned_16bytes; + +typedef struct cts_mode_name2id_st { + unsigned int id; + const char *name; +} CTS_MODE_NAME2ID; + +static CTS_MODE_NAME2ID cts_modes[] = +{ + { CTS_CS1, OSSL_CIPHER_CTS_MODE_CS1 }, + { CTS_CS2, OSSL_CIPHER_CTS_MODE_CS2 }, + { CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 }, +}; + +const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id) +{ + size_t i; + + for (i = 0; i < OSSL_NELEM(cts_modes); ++i) { + if (cts_modes[i].id == id) + return cts_modes[i].name; + } + return NULL; +} + +int ossl_cipher_cbc_cts_mode_name2id(const char *name) +{ + size_t i; + + for (i = 0; i < OSSL_NELEM(cts_modes); ++i) { + if (strcasecmp(name, cts_modes[i].name) == 0) + return (int)cts_modes[i].id; + } + return -1; +} + +static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len) +{ + aligned_16bytes tmp_in; + size_t residue; + + residue = len % CTS_BLOCK_SIZE; + len -= residue; + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + + if (residue == 0) + return len; + + in += len; + out += len; + + memset(tmp_in.c, 0, sizeof(tmp_in)); + memcpy(tmp_in.c, in, residue); + if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE + residue, tmp_in.c, + CTS_BLOCK_SIZE)) + return 0; + return len + residue; +} + +static void do_xor(const unsigned char *in1, const unsigned char *in2, + size_t len, unsigned char *out) +{ + size_t i; + + for (i = 0; i < len; ++i) + out[i] = in1[i] ^ in2[i]; +} + +static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len) +{ + aligned_16bytes mid_iv, ct_mid, pt_last; + size_t residue; + + residue = len % CTS_BLOCK_SIZE; + if (residue == 0) { + /* If there are no partial blocks then it is the same as CBC mode */ + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + return len; + } + /* Process blocks at the start - but leave the last 2 blocks */ + len -= CTS_BLOCK_SIZE + residue; + if (len > 0) { + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + in += len; + out += len; + } + /* Save the iv that will be used by the second last block */ + memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE); + + /* Decrypt the last block first using an iv of zero */ + memset(ctx->iv, 0, CTS_BLOCK_SIZE); + if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, CTS_BLOCK_SIZE)) + return 0; + + /* + * Rebuild the ciphertext of the second last block as a combination of + * the decrypted last block + replace the start with the ciphertext bytes + * of the partial second last block. + */ + memcpy(ct_mid.c, in, residue); + memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue); + /* + * Restore the last partial ciphertext block. + * Now that we have the cipher text of the second last block, apply + * that to the partial plaintext end block. We have already decrypted the + * block using an IV of zero. For decryption the IV is just XORed after + * doing an Cipher CBC block - so just XOR in the cipher text. + */ + do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE); + + /* Restore the iv needed by the second last block */ + memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE); + /* + * Decrypt the second last plaintext block now that we have rebuilt the + * ciphertext. + */ + if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE)) + return 0; + + return len + CTS_BLOCK_SIZE + residue; +} + +static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len) +{ + aligned_16bytes tmp_in; + size_t residue; + + if (len <= CTS_BLOCK_SIZE) /* CS3 requires 2 blocks */ + return 0; + + residue = len % CTS_BLOCK_SIZE; + if (residue == 0) + residue = CTS_BLOCK_SIZE; + len -= residue; + + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + + in += len; + out += len; + + memset(tmp_in.c, 0, sizeof(tmp_in)); + memcpy(tmp_in.c, in, residue); + memcpy(out, out - CTS_BLOCK_SIZE, residue); + if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE, tmp_in.c, CTS_BLOCK_SIZE)) + return 0; + return len + residue; +} + +/* + * Note: + * The cipher text (in) is of the form C(0), C(1), ., C(n), C(n-1)* where + * C(n) is a full block and C(n-1)* can be a partial block + * (but could be a full block). + * This means that the output plaintext (out) needs to swap the plaintext of + * the last two decoded ciphertext blocks. + */ +static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len) +{ + aligned_16bytes mid_iv, ct_mid, pt_last; + size_t residue; + + if (len <= CTS_BLOCK_SIZE) /* CS3 requires 2 blocks */ + return 0; + + /* Process blocks at the start - but leave the last 2 blocks */ + residue = len % CTS_BLOCK_SIZE; + if (residue == 0) + residue = CTS_BLOCK_SIZE; + len -= CTS_BLOCK_SIZE + residue; + + if (len > 0) { + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + in += len; + out += len; + } + /* Save the iv that will be used by the second last block */ + memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE); + + /* Decrypt the Cn block first using an iv of zero */ + memset(ctx->iv, 0, CTS_BLOCK_SIZE); + if (!ctx->hw->cipher(ctx, pt_last.c, in, CTS_BLOCK_SIZE)) + return 0; + + /* + * Rebuild the ciphertext of C(n-1) as a combination of + * the decrypted C(n) block + replace the start with the ciphertext bytes + * of the partial last block. + */ + memcpy(ct_mid.c, in + CTS_BLOCK_SIZE, residue); + if (residue != CTS_BLOCK_SIZE) + memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue); + /* + * Restore the last partial ciphertext block. + * Now that we have the cipher text of the second last block, apply + * that to the partial plaintext end block. We have already decrypted the + * block using an IV of zero. For decryption the IV is just XORed after + * doing an AES block - so just XOR in the ciphertext. + */ + do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE); + + /* Restore the iv needed by the second last block */ + memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE); + /* + * Decrypt the second last plaintext block now that we have rebuilt the + * ciphertext. + */ + if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE)) + return 0; + + return len + CTS_BLOCK_SIZE + residue; +} + +static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len) +{ + if (len % CTS_BLOCK_SIZE == 0) { + /* If there are no partial blocks then it is the same as CBC mode */ + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + return len; + } + /* For partial blocks CS2 is equivalent to CS3 */ + return cts128_cs3_encrypt(ctx, in, out, len); +} + +static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in, + unsigned char *out, size_t len) +{ + if (len % CTS_BLOCK_SIZE == 0) { + /* If there are no partial blocks then it is the same as CBC mode */ + if (!ctx->hw->cipher(ctx, out, in, len)) + return 0; + return len; + } + /* For partial blocks CS2 is equivalent to CS3 */ + return cts128_cs3_decrypt(ctx, in, out, len); +} + +int ossl_cipher_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl, + size_t outsize, const unsigned char *in, + size_t inl) +{ + PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; + size_t sz = 0; + + if (inl < CTS_BLOCK_SIZE) /* There must be at least one block for CTS mode */ + return 0; + if (outsize < inl) + return 0; + if (out == NULL) { + *outl = inl; + return 1; + } + + /* + * Return an error if the update is called multiple times, only one shot + * is supported. + */ + if (ctx->updated == 1) + return 0; + + if (ctx->enc) { + if (ctx->cts_mode == CTS_CS1) + sz = cts128_cs1_encrypt(ctx, in, out, inl); + else if (ctx->cts_mode == CTS_CS2) + sz = cts128_cs2_encrypt(ctx, in, out, inl); + else if (ctx->cts_mode == CTS_CS3) + sz = cts128_cs3_encrypt(ctx, in, out, inl); + } else { + if (ctx->cts_mode == CTS_CS1) + sz = cts128_cs1_decrypt(ctx, in, out, inl); + else if (ctx->cts_mode == CTS_CS2) + sz = cts128_cs2_decrypt(ctx, in, out, inl); + else if (ctx->cts_mode == CTS_CS3) + sz = cts128_cs3_decrypt(ctx, in, out, inl); + } + if (sz == 0) + return 0; + ctx->updated = 1; /* Stop multiple updates being allowed */ + *outl = sz; + return 1; +} + +int ossl_cipher_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl, + size_t outsize) +{ + *outl = 0; + return 1; +} diff --git a/providers/implementations/ciphers/cipher_cts.h b/providers/implementations/ciphers/cipher_cts.h new file mode 100644 index 0000000000..9473fbde88 --- /dev/null +++ b/providers/implementations/ciphers/cipher_cts.h @@ -0,0 +1,52 @@ +/* + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "crypto/evp.h" + +/* NOTE: The underlying block cipher is CBC so we reuse most of the code */ +#define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \ + blkbits, ivbits, typ) \ +static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \ +static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \ +{ \ + return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ + flags, kbits, blkbits, ivbits); \ +} \ +const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \ + { OSSL_FUNC_CIPHER_NEWCTX, \ + (void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \ + { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \ + { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) alg##_cbc_cts_einit }, \ + { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) alg##_cbc_cts_dinit }, \ + { OSSL_FUNC_CIPHER_UPDATE, \ + (void (*)(void)) ossl_cipher_cbc_cts_block_update }, \ + { OSSL_FUNC_CIPHER_FINAL, \ + (void (*)(void)) ossl_cipher_cbc_cts_block_final }, \ + { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \ + { OSSL_FUNC_CIPHER_GET_PARAMS, \ + (void (*)(void)) alg##_cts_##kbits##_##lcmode##_get_params }, \ + { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ + (void (*)(void))ossl_cipher_generic_gettable_params }, \ + { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ + (void (*)(void)) alg##_cbc_cts_get_ctx_params }, \ + { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ + (void (*)(void)) alg##_cbc_cts_set_ctx_params }, \ + { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ + (void (*)(void)) alg##_cbc_cts_gettable_ctx_params }, \ + { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ + (void (*)(void)) alg##_cbc_cts_settable_ctx_params }, \ + { 0, NULL } \ +}; + +OSSL_FUNC_cipher_update_fn ossl_cipher_cbc_cts_block_update; +OSSL_FUNC_cipher_final_fn ossl_cipher_cbc_cts_block_final; + +const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id); +int ossl_cipher_cbc_cts_mode_name2id(const char *name); -- cgit v1.2.3